70-642 Page 1
Curriculum - 70-642
Monday, May 7, 2012 21:12
Configuring Addressing and Services (21 percent)
- Configure IPv4 and IPv6 addressing. May include but is not limited to: configure IP address options; subnetting; supernetting; multihomed; interoperability between IPv4 and IPv6
- Configure Dynamic Host Configuration Protocol (DHCP). May include but is not limited to: DHCP options; creating new options; PXE boot; default user profiles; DHCP relay agents; exclusions; authorize server in Active Directory; scopes; DHCPv6
- Configure routing. May include but is not limited to: static routing; persistent routing; Routing Information Protocol (RIP); metrics; choosing a default gateway; maintaining a routing table; demand-dial routing; IGMP proxy
- Configure Windows Firewall with Advanced Security. May include but is not limited to: inbound and outbound rules; custom rules; authorized users; authorized computers; configure firewall by using Group Policy; network location profiles; service groups; import/export policies; isolation policy; IPsec group policies; Connection Security Rules
Resources - Studied
http://www.learntcpip.com/
www.learntosubnet.com
http://Gogonet.gogo6.com
Subnetting in 6 easy steps - part 1 - http://www.youtube.com/watch?v=wl5_J0UtINg&feature=fvwrel
IP Addressing and Subnetting pt 1 - http://www.youtube.com/watch?v=blkuQPvu2T8&feature=related
70-642 11 hour free training course all on YouTube - http://www.youtube.com/playlist?list=PL0508D3F0057D1D5F
SVRHOL301 Adding IPv6 services to your IPv4 Network https://tr14.mytechready.com/ViewTracker.aspx?topicid=d036dd18-4a7c-e011-b237-001ec953730b&viewtype=vlab
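A worked example for the subnetting, supernetting and DHCP scope items in the addressing objectives above. It is an added Python example written for this page, not material from the exam, Microsoft or the linked videos; the function names, the sample networks and the exclusion ranges are constructed for illustration, and it uses only the standard-library ipaddress module.

```python
"""Worked IPv4 subnetting / supernetting / DHCP-scope example for the
addressing objectives above.  Standard library only (ipaddress).
All sample networks below are constructed for illustration."""
from ipaddress import IPv4Address, IPv4Network, ip_interface


def host_info(addr_with_prefix: str) -> dict:
    """Classic subnetting exercise: given a host address in CIDR form,
    derive network, mask, broadcast and the usable host range."""
    iface = ip_interface(addr_with_prefix)
    net = iface.network
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - 2,
    }


def split_network(cidr: str, hosts_needed: int) -> list:
    """Subnetting: carve `cidr` into equal subnets using the longest prefix
    that still leaves `hosts_needed` usable addresses per subnet
    (network and broadcast excluded, so a /p block holds 2**(32-p) - 2)."""
    net = IPv4Network(cidr, strict=True)
    for new_prefix in range(net.max_prefixlen - 1, net.prefixlen - 1, -1):
        if 2 ** (net.max_prefixlen - new_prefix) - 2 >= hosts_needed:
            return list(net.subnets(new_prefix=new_prefix))
    raise ValueError(f"{cidr} cannot hold {hosts_needed} hosts in one subnet")


def supernet_of(cidrs) -> IPv4Network:
    """Supernetting / route summarisation: the shortest single prefix that
    covers every given network, found by widening one bit at a time.
    Caveat: the summary may cover space you do not own; check it with
    overcovers() before advertising it as a route."""
    nets = [IPv4Network(c) for c in cidrs]
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()
    return cand


def overcovers(summary: IPv4Network, cidrs) -> int:
    """Number of addresses in `summary` that belong to none of `cidrs`."""
    owned = sum(IPv4Network(c).num_addresses for c in cidrs)
    return summary.num_addresses - owned


def dhcp_pool(scope_cidr: str, start: str, end: str, exclusions=()) -> list:
    """Addresses a DHCP scope can actually lease: the distribution range
    minus any exclusion ranges (the Windows DHCP scope model: the scope is
    the subnet, the range is start..end, exclusions are inclusive
    sub-ranges kept back for statically addressed hosts)."""
    net = IPv4Network(scope_cidr)
    lo, hi = IPv4Address(start), IPv4Address(end)
    if lo not in net or hi not in net or lo > hi:
        raise ValueError("distribution range must lie inside the scope subnet")
    excluded = set()
    for a, b in exclusions:
        excluded.update(range(int(IPv4Address(a)), int(IPv4Address(b)) + 1))
    return [IPv4Address(i) for i in range(int(lo), int(hi) + 1) if i not in excluded]


if __name__ == "__main__":
    print(host_info("10.1.5.77/20"))
    print([str(s) for s in split_network("192.168.10.0/24", 50)])
    owned = ["192.168.0.0/24", "192.168.1.0/24", "192.168.3.0/24"]
    summary = supernet_of(owned)
    print(summary, "overcovers", overcovers(summary, owned), "addresses")
    pool = dhcp_pool("192.168.10.0/24", "192.168.10.10", "192.168.10.20",
                     [("192.168.10.12", "192.168.10.14")])
    print([str(a) for a in pool])
```

Run it and compare the output with a paper calculation from the subnetting videos; the one result worth memorising is that a summary route for three non-contiguous /24s still has to be a /22, so it silently claims a fourth /24 you may not own.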
Configuring Name Resolution (22 percent)
- Configure a Domain Name System (DNS) server. May include but is not limited to: conditional forwarding; external forwarders; root hints; cache-only; socket pooling; cache locking
- Configure DNS zones. May include but is not limited to: zone scavenging; zone types; Active Directory integration; Dynamic Domain Name System (DDNS); Secure DDNS; GlobalNames; zone delegation; DNS Security Extensions (DNSSEC); reverse lookup zones
- Configure DNS records. May include but is not limited to: record types; Time to live (TTL); weighting records; registering records; netmask ordering; DnsUpdateProxy group; round robin; DNS record security; auditing
- Configure DNS replication. May include but is not limited to: DNS secondary zones; DNS stub zones; Active Directory Integrated replication scopes; securing zone transfer; SOA refresh; auditing
- Configure name resolution for client computers. May include but is not limited to: configuring HOSTS file; Link-Local Multicast Name Resolution (LLMNR); broadcasting; resolver cache; DNS server list; suffix search order; DNS devolution
Studied
Configuring Network Access (18 percent)
- Configure remote access. May include but is not limited to: dial-up; Remote Access Policy; Network Address Translation (NAT); VPN protocols, such as Secure Socket Tunneling Protocol (SSTP) and IKEv2; Routing and Remote Access Services (RRAS); packet filters; Connection Manager; VPN Reconnect; RAS authentication by using MS-CHAP, MS-CHAP v2, and EAP
- Configure Network Access Protection (NAP). May include but is not limited to: network layer protection; DHCP enforcement; VPN enforcement; RDS enforcement; configure NAP health policies; IPsec enforcement; 802.1x enforcement; flexible host isolation; multi-configuration System Health Validator (SHV)
- Configure DirectAccess. May include but is not limited to: IPv6; IPsec; server requirements; client requirements; perimeter network; name resolution policy table
- Configure Network Policy Server (NPS). May include but is not limited to: IEEE 802.11 wireless; IEEE 802.3 wired; group policy for wireless; RADIUS accounting; Connection Request policies; RADIUS proxy; NPS templates
Studied
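A worked model of two items from the name resolution objectives above: netmask ordering plus round robin on the server side, and suffix search order plus devolution on the client side. This is an added Python example written for this page, not Microsoft code and not the Windows DNS server or resolver; the class C (/24) comparison used for netmask ordering, the `ARecordSet` and `candidate_fqdns` names, and the sample addresses and suffixes are assumptions for illustration.

```python
"""Models two name-resolution behaviours from the objectives above:
server-side answer ordering (netmask ordering + round robin) and the
client-side suffix search / devolution that expands a short name into the
FQDNs that are actually queried.  Standard library only; the names,
addresses and defaults below are assumptions for illustration."""
from ipaddress import ip_address, ip_network


class ARecordSet:
    """All A records for one name, answered the way a DNS server with
    round robin and netmask ordering enabled would order them."""

    def __init__(self, name, addresses, ttl=3600):
        self.name, self.ttl = name, ttl
        self.addresses = [ip_address(a) for a in addresses]
        self._rotation = 0  # round-robin state, advanced once per answer

    def answer(self, client_ip, round_robin=True, netmask_ordering=True, prefixlen=24):
        """Return the record list in the order the requester at client_ip
        would receive it."""
        records = list(self.addresses)
        if round_robin and records:
            # Round robin: each successive answer starts one record later,
            # so clients that always take the first record spread across hosts.
            k = self._rotation % len(records)
            records = records[k:] + records[:k]
            self._rotation += 1
        if netmask_ordering:
            # Netmask ordering: records on the requester's own subnet move to
            # the front.  prefixlen=24 stands in for the class C comparison
            # assumed as the default; the other records keep round-robin order.
            client_net = ip_network(f"{client_ip}/{prefixlen}", strict=False)
            local = [r for r in records if r in client_net]
            records = local + [r for r in records if r not in client_net]
        return [str(r) for r in records]


def candidate_fqdns(name, primary_suffix, search_list=(), devolution_level=2):
    """FQDNs a resolver tries, in order, for `name`.

    - A trailing dot marks an already fully qualified name: tried as-is.
    - An explicit suffix search list replaces the primary suffix and
      disables devolution (the behaviour when a search list is configured).
    - Otherwise the primary suffix is used and then devolved one label at a
      time, stopping when `devolution_level` labels remain.  Where it stops
      matters: devolving past the forest root sends lookups for names you do
      not control to a parent zone, which is how a short-name query can end
      up answered by an outside domain.
    Simplification: a dotted name without a trailing dot is treated like a
    single-label one (suffixes are still appended)."""
    if name.endswith("."):
        return [name.rstrip(".")]
    if search_list:
        return [f"{name}.{suffix}" for suffix in search_list]
    labels = primary_suffix.split(".")
    candidates = []
    while len(labels) >= devolution_level:
        candidates.append(f"{name}.{'.'.join(labels)}")
        labels = labels[1:]
    return candidates


if __name__ == "__main__":
    web = ARecordSet("web.corp.contoso.com", ["10.0.1.10", "10.0.2.10", "10.0.3.10"])
    for _ in range(3):
        print("client 10.0.2.55 gets", web.answer("10.0.2.55"))
    print(candidate_fqdns("srv1", "eu.corp.contoso.com"))
    print(candidate_fqdns("srv1", "eu.corp.contoso.com", devolution_level=3))
```

The two knobs interact: with netmask ordering on, the requester's local record is pinned first on every answer and only the remote records rotate, which is the point of enabling both on a server that fronts hosts in several sites. The `devolution_level` parameter shows why the devolution item is on the exam: with the default of two labels a query from eu.corp.contoso.com for `srv1` ends up asking for srv1.contoso.com as well.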
Configuring File and Print Services (20 percent)
- Configure a file server. May include but is not limited to: file share publishing; Offline Files; share permissions; NTFS permissions; Encrypting File System (EFS); BitLocker; Access-Based Enumeration (ABE); BranchCache; Share and Storage Management console
- Configure Distributed File System (DFS). May include but is not limited to: DFS namespace; DFS configuration and application; creating and configuring targets; DFS replication; read-only replicated folder; failover cluster support; health reporting
- Configure backup and restore. May include but is not limited to: backup types; backup schedules; managing remotely; restoring data; shadow copy services; volume snapshot services (VSS); bare metal restore; backup to remote file share
- Manage file server resources. May include but is not limited to: FSRM; quota by volume or quota by user; quota entries; quota templates; file classification; Storage Manager for SANs; file management tasks; file screening
- Configure and monitor print services. May include but is not limited to: printer share; publish printers to Active Directory; printer permissions; deploy printer connections; install printer drivers; export and import print queues and printer settings; add counters to Performance Monitor to monitor print servers; print pooling; print priority; print driver isolation; location-aware printing; print management delegation
Studied
Monitoring and Managing a Network Infrastructure (20 percent)
- Configure Windows Server Update Services (WSUS) server settings. May include but is not limited to: update type selection; client settings; Group Policy object (GPO); client targeting; software updates; test and approval; disconnected networks
- Configure performance monitoring. May include but is not limited to: Data Collector Sets; Performance Monitor; Reliability Monitor; monitoring System Stability Index; page files; analyze performance data
- Configure event logs. May include but is not limited to: custom views; application and services logs; subscriptions; attaching tasks to events; find and filter
- Gather network data. May include but is not limited to: Simple Network Management Protocol (SNMP); Network Monitor; Connection Security Rules monitoring
Studied
Additional Information
Preparation Tools and Resources
To help you prepare for this exam, Microsoft Learning recommends that you have hands-on experience with the product and that you use the following training resources. These training resources do not necessarily cover all of the topics listed in the "Skills Measured" tab.
Learning Plans and Classroom Training
6421B: Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure (5 Days)
Microsoft E-Learning
6421BE: Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure (16 Hours)
Microsoft Press Books
MCTS Self-Paced Training Kit (Exam 70-642): Configuring Windows Server 2008 Network Infrastructure (2nd Edition)
Practice Tests
MeasureUp (Measureup.com)
Self Test Software (Selftestsoftware.com)
Microsoft Online Resources
Windows Server 2008 Learning Portal: Find special offers and information on training and certification.
Product information: Visit the Windows Server 2008 Web site for detailed technology information.
Microsoft Learning Community: Join newsgroups and visit community forums to connect with your peers for suggestions on training resources and advice on your certification path and studies.
TechNet: Designed for IT professionals, this site includes how-to instructions, best practices, downloads, technical resources, newsgroups, and chats.
MSDN: Designed for developers, the Microsoft Developer Network (MSDN) features code samples, technical articles, downloads, newsgroups, and chats.
Have Questions?
For advice about training and certification, connect with peers: Visit the training and certification forum
For questions about a specific certification, chat with a Microsoft Certified Professional (MCP): Visit our MCP newsgroups
To find out about recommended blogs, Web sites, and upcoming Live Meetings on popular topics, visit our community site: Visit the Microsoft Learning community
SVRHOL313 iSCSI Software Target 3.3 enabling Hyper-V storage on Windows Server 2008 R2 https://tr14.mytechready.com/ViewTracker.aspx?topicid=fef79803-8c81-e011-b237-001ec953730b&viewtype=vlab
Partner Exam Academy: Prepare for Certification (free online training) https://partner.microsoft.com/global/40169642
Exam 70-693 tips
http://www.atillaarruda.com.br/2011/11/18/estudo-chuck-norris-para-a-certificacao-70-693/
http://blogs.technet.com/b/gbanin/archive/2010/12/16/dicas-para-exame-70-693.aspx
http://www.mcsesolution.com/Certifica%C3%A7%C3%A3o-Microsoft/mcitp-windows-server-2008-r2-virtualizationadministrator.html
Read ebook http://download.microsoft.com/download/5/B/4/5B46A838-67BB-4F7C-92CB-EABCA285DFDD/693821ebook.pdf
Microsoft Learning http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-693&locale=en-us#tab2
Skills Being Measured
This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam.
Designing a Virtualization Strategy
- Recommend a virtualization technology. This objective may include but is not limited to: server virtualization, Application Virtualization (App-V), virtual desktop infrastructure (VDI), Remote Desktop Services (RDS), Microsoft Enterprise Desktop Virtualization (MED-V), Microsoft Virtual PC
- Plan capacity.
- Plan licensing. This objective may include but is not limited to: operating system editions
- Design solutions for integration with third-party products. This objective may include but is not limited to: hypervisors, VDIs, and management tools
Designing the Physical and Virtual Infrastructure
- Plan hardware and virtual resource requirements. This objective may include but is not limited to: CPUs, memory, disk, host, parent, child, performance, networking, Second Level Address Translation (SLAT), CPU Core Parking
- Design storage. This objective may include but is not limited to: dynamic, fixed, differential, pass-through; logical unit number (LUN) considerations
- Design networking. This objective may include but is not limited to: virtual network type, host NIC configuration, VLAN, TCP chimney, jumbo frames, Virtual Machine Queue (VMQ)
- Plan snapshots and checkpoints.
Designing a Highly Available Virtual Environment
- Design parent for high availability. This objective may include but is not limited to: Windows Server 2008 Failover Clustering, migration types, Cluster Shared Volumes (CSV)
- Design child for high availability. This objective may include but is not limited to: Windows Server 2008 Failover Clustering, Network Load Balancing (NLB), shared storage
- Design for migration type. This objective may include but is not limited to: quick migration, live migration, storage area network (SAN) migration, network migration
Designing a Deployment Strategy
- Design a virtual machine deployment. This objective may include but is not limited to: Virtual Machine Manager, Self-Service Portal (SSP), Windows PowerShell, scripting, Configuration Manager
- Plan a virtual machine conversion. This objective may include but is not limited to: physical to virtual (P2V), virtual to virtual (V2V)
- Design a virtual desktop infrastructure (VDI) deployment. This objective may include but is not limited to: broker, profile management, applications, methods of access, static and dynamic deployment
- Design an App-V deployment. This objective may include but is not limited to: server roles, server role placement, application compatibility
70-693 Page 7
TEST
Designing a Management Strategy
- Plan backup and recovery for parent and child partitions.
- Design a monitoring strategy. This objective may include but is not limited to: design for a parent, design for a child; integration with Operations Manager
- Plan updates and maintenance. This objective may include but is not limited to: offline image maintenance, hardware maintenance, integration services
- Design an administrative strategy. This objective may include but is not limited to: management networks, remote administration, Virtual Machine Manager, Authorization Manager
Preparation Tools and Resources
To help you prepare for this exam, Microsoft Learning recommends that you have hands-on experience with the product and that you use the following training resources. These training resources do not necessarily cover all of the topics listed in the "Skills Measured" tab.
Classroom Training
50273A: Planning and Designing Microsoft Virtualization Solutions (5 Days)
Microsoft E-Learning
There is no Microsoft E-Learning training currently available.
Microsoft Press Books
There are no Microsoft Press books currently available.
Practice Tests
There are no practice tests currently available.
Microsoft Online Resources
Learning Plan: Get started with a step-by-step study guide that is based on recommended resources for this exam.
Windows Server 2008 Learning Portal: Find special offers and information on training and certification.
Product information: Visit the Windows Server 2008 Web site for detailed product information.
TechNet: Designed for IT professionals, this site includes how-to instructions, best practices, downloads, technical resources, newsgroups, and chats.
MSDN: Designed for developers, the Microsoft Developer Network (MSDN) features code samples, technical articles, downloads, newsgroups, and chats.
Microsoft Learning Community: Join newsgroups and visit community forums to connect with your peers for suggestions on training resources and advice on your certification path and studies.
Have Questions?
For advice about training and certification, connect with peers: Visit the training and certification forum
For questions about a specific certification, chat with a Microsoft Certified Professional (MCP): Visit our MCP newsgroups
To find out about recommended blogs, Web sites, and upcoming Live Meetings on popular topics, visit our community site: Visit the Microsoft Learning community
Pasted from <http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-693&locale=en-us>
VDI
Monday, November 21, 2011 2:56 AM
http://technet.microsoft.com/en-us/edge/video/ff955830
Desktop Virtualization
Visible: the user sees a window that displays the desktop of the virtualized client operating system (virtual machine). Invisible: virtualized applications are displayed on the host computer's desktop as if they were local, even though they are running within the guest operating system (virtual machine). This scenario is sometimes known as application virtualization.
Desktop Virtualization can be either Local or Remote
Three local desktop virtualization technologies:
1. Windows Virtual PC and the Windows XP Mode environment: an optionally installed component. Windows XP Mode is a preconfigured VM with Windows XP SP3 installed. Use scenario: small businesses, to address application incompatibility issues.
2. Microsoft Enterprise Desktop Virtualization (MED-V): an enterprise solution for desktop virtualization that allows administrators to create, deliver, and manage corporate Virtual PC images on any Windows-based desktop. Use scenario: medium to large businesses, to address application incompatibility issues in a centralized way, managed by administrators.
3. Microsoft Application Virtualization (App-V): lets administrators transform applications into centrally managed virtual services to reduce the cost of application deployment, eliminate application conflicts and reboots, simplify the base image footprint to expedite PC provisioning, and increase user productivity. Use scenarios:
- Full Infrastructure: uses the App-V Management Server, which provides full streaming capabilities, the Desktop Configuration Service, active/package upgrade, and basic licensing and metering. This infrastructure requires Active Directory and SQL Server and is an update to the existing SoftGrid Virtual Application Server that version 4.2 customers are familiar with.
- Lightweight Infrastructure: uses the App-V Streaming Server, which includes streaming capabilities such as active/package upgrade without the Active Directory or SQL Server requirements. However, it has no Desktop Configuration Service and no licensing or metering capabilities; it relies on the manual or scripted addition of a manifest file for virtual application configuration. The Desktop Configuration Service of the App-V Management Server can also be used together with the App-V Streaming Server, so that the Management Server configures the application but the Streaming Server delivers it.
- Standalone mode: the App-V Sequencer has an option to create an .msi file that automates the addition of the virtual application. The .msi contains metadata so that an ESD system can recognize it and control the virtualized applications. Standalone mode requires the App-V Client to be put into Standalone mode, which allows only .msi-based updates of the virtual applications (streaming is not allowed while in Standalone mode). This mode is meant for rarely connected users who need virtualized applications but do not have access to a server.
Deploying Virtual Desktop Pools by Using Remote Desktop Web Access Step-by-Step Guide
Pasted from <http://technet.microsoft.com/en-us/library/dd883265(WS.10).aspx>
Desktop Virtualization
Pasted from <http://technet.microsoft.com/en-us/windows/gg276319.aspx>
User State Virtualization: allows application and desktop users to virtualize their user settings and data by storing them on the network. Three Microsoft technologies make user state virtualization possible: roaming user profiles, Folder Redirection, and Offline Files.
Understanding Microsoft's VDI Architecture
At a high level, Microsoft's VDI architecture consists of three components:
- Hardware layer: one or more datacenter servers that support hardware virtualization, plus shared storage such as a SAN where the virtual machines can be stored.
- Client access points: client computing devices, which can be either rich clients (Windows PCs) or thin clients (Windows terminal devices), connected to the datacenter over an internal private network or even over the Internet.
- Licensing: there are two types of licensing requirements for implementing a Microsoft VDI solution:
  - VDI suite licensing: the use rights for technology developed by Microsoft that provides virtualization, management, desktop-delivery, and application-delivery capabilities you can use to deploy a VDI infrastructure within your organization.
  - Additional licensing: in addition to the use rights for the server and management infrastructure included in the VDI suite, you also need to purchase licenses to run virtual copies of Windows client operating systems on your servers so that your users can legally access the virtual desktops. These licenses are known as Windows Virtual Enterprise Centralized Desktop (Windows VECD).
MED-V
Monday, November 21, 2011 2:56 AM
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5924
http://www.microsoft.com/en-us/showcase/details.aspx?uuid=1ed566b5-5514-464b-aa46-fed855c2a000
MED-V
Setup Manager is used to create an answer file as part of Sysprep of the virtual machine image.
Welcome to Microsoft Enterprise Desktop Virtualization (MED-V) 2.0. MED-V 2.0 uses Windows Virtual PC to provide an enterprise solution for desktop virtualization. By using MED-V, you can easily create, deliver, and manage corporate Windows Virtual PC images on any Windows-based desktop running Windows 7 Professional, Enterprise, or Ultimate. MED-V is an integral component of the Microsoft Desktop Optimization Pack, a dynamic solution available to Software Assurance customers, which helps reduce software installation costs, enables delivery of applications as services, and helps manage and control enterprise desktop environments.
For more information about how to perform MED-V tasks, use the following sections.
In This Section
Getting Started with MED-V
Planning for MED-V
APP-V
Monday, November 21, 2011 3:13 AM
Applications that are App-V enabled are never allowed to install into or modify the local file system or local registry. When an application is App-V enabled, it is made to run inside its own virtual environment.
When the application is deployed, it is isolated from any other applications that were sequenced or that are still locally installed on the client, guaranteeing a conflict-free environment. A sequenced application package contains four types of files that make up a virtual application and allow it to run. These files are created after sequencing:
- .ico file: the icon on the client's desktop used to launch a sequenced application.
- .osd file: an XML-based Open Software Descriptor file that instructs the client how to retrieve the sequenced application from the App-V Management Server or Streaming Server and how to run it in its virtual environment.
- .sft file: contains one or more sequenced applications that the Sequencer has packaged into streaming blocks, together with the associated delivery information. An .sft file is stored on each server that must stream the packaged applications to a client.
- .sprj file: an XML-based Sequencer Project file in which the Sequencer stores its Exclusion Items and Parse Items information. An .sprj file is used in the creation of application records and when upgrading a package.
In addition, a sequenced application package can also contain a Microsoft Windows Installer (.msi) file that can be used for standalone distribution of virtual applications, for publishing application packages using an electronic software distribution (ESD) system such as Microsoft System Center Configuration Manager 2007, or for both purposes.
Publishing Applications
There are three publishing delivery methods supported by App-V: Using the App-V Management Server Using an ESD system such as System Center Configuration Manager 2007 Standalone delivery
Streaming Packages
After an application has been published and its .ico and .osd files have been streamed to the client, the virtual application package content file (.sft file) must be delivered to the client. App-V supports various ways of doing this, including the App-V Management Server, an Internet Information Services (IIS) Web server, a file server, standalone delivery, or a distribution point running IIS within a System Center Configuration Manager 2007 environment. The first time a user double-clicks an application icon that was placed on the computer by the publishing process, the App-V Client first performs authorization and license checking. The client then begins streaming the virtual application package content (.sft file) from the configured streaming source location: the .sft file is mounted in RAM on the streaming server, which delivers the application over the wire to the client in blocks of 32 KB by default. The streaming source location is typically a server that is local to (reachable over a well-connected network from) the user's computer, but some electronic software distribution systems such as System Center Configuration Manager 2007 can distribute .sft files to a folder on the user's computer and then stream the package from that local folder. A streaming source location for virtual application packages can even be set up on a computer that is not a server, that is, on a workstation. This can be especially useful in a small branch office that has no server.
App-V Components
The App-V environment consists of the following components:
- App-V Management Server: used for streaming the virtual application package. Should be installed on a dedicated server. Needs access to a SQL database and to the Content folder. It can use RTSP, RTSPS, HTTP or HTTPS to stream application data to authorized users (RTSPS and HTTPS being the TLS-protected variants).
- App-V Management Web Service: responsible for communicating read/write requests to the App-V Data Store; it functions as the intermediary between the Management Console and the Data Store. Can be installed either on the Management Server or on a separate server that has IIS 6.0 or later installed.
- App-V Data Store: a required component when you deploy an App-V Management Server. Responsible for storing all information related to the App-V infrastructure, such as configuration information, reporting, application records, application assignments, licensing information and logging. Can be installed on SQL Server 2005 or SQL Server 2008.
- App-V Streaming Server: responsible for hosting and streaming virtual application packages to App-V clients. It is a lightweight version of the Management Server that includes only the streaming functionality. It does not include the App-V Management Web Service and does not require a SQL database; instead, it uses access control lists (ACLs) on the package files to grant user access.
- App-V Management Console: an MMC snap-in you can use to manage your App-V environment. Many management tasks can be done from it, such as importing applications, managing file type associations, managing application licenses, creating and managing server groups, and generating reports.
- App-V Sequencer: a wizard-based tool used to monitor and capture the installation of an application in order to create a virtual application package. After an application has been sequenced, the resulting App-V enabled application package can be delivered to users on demand. After the sequencing process is finished, its files must be copied to the Content folder before they can be streamed. The Sequencer must be installed on a separate computer from the other App-V components.
Tip: some applications cannot be sequenced, including Internet Explorer, device drivers, applications that start services at boot time, and some other parts of the Windows operating system.
- App-V Client: the software component that resides on the client computer. It handles the streaming of the application from a Management Server or from a Streaming Server. There are two kinds of App-V client software:
  - App-V Desktop Client
  - App-V Terminal Services Client
RDS
Monday, November 21, 2011 3:17 AM
Assess: What's New in Remote Desktop Services; Getting Started Step-by-Step Guides
Plan: Infrastructure Planning and Design (IPD) Guides for Virtualization
Deploy: Remote Desktop Services Deployment Guide; Remote Desktop Services Migration Guide
Troubleshoot: Troubleshooting RD Licensing Issues; Remote Desktop Services Event-Based Troubleshooting
Pasted from <http://technet.microsoft.com/en-us/windowsserver/ee236407>
Terminal Services
Remote Desktop Services in Windows Server 2008 R2 Updated: November 11, 2011
Applies To: Windows Server 2008 R2 Remote Desktop Services in Windows Server 2008 R2 provides technologies that enable users to access Windows-based programs that are installed on a Remote Desktop Session Host (RD Session Host) server, or to access the full Windows desktop. With Remote Desktop Services, users can access an RD Session Host server from within a corporate network or from the Internet.
In this section
Step 1: Assess
Product Evaluation: Remote Desktop Services: What's new in Remote Desktop Services
Getting Started: Remote Desktop Services: Step-by-step guides for installing and deploying Remote Desktop Services role services and features
Step 2: Plan
Planning and Architecture: Remote Desktop Services: Hardware considerations and capacity planning guides
Step 3: Deploy
Deployment: Remote Desktop Services: Design Guide, Deployment Guide, Migration Guide
Step 4: Manage
Operations: Remote Desktop Services: Managing and operating Remote Desktop Services
Technical Reference: Remote Desktop Services: Group Policy settings and RDP settings
Step 5: Troubleshoot
Troubleshooting: Event messages, licensing issues, RDP
Related resources
Remote Desktop Services Component Architecture Poster: this poster provides a visual reference for understanding key Remote Desktop Services technologies in Windows Server 2008 R2.
Remote Desktop Services Script Center: contains a collection of scripts to help configure and deploy Remote Desktop Services.
Remote Desktop Services (Terminal Services) on the Windows Server TechCenter: TechCenters provide links to content outside of the Technical Library, including downloads, Knowledge Base articles, community (blogs and forums), and other resources.
Terminal Services in Windows Server 2008
Pasted from <http://technet.microsoft.com/en-us/library/dd647502(WS.10).aspx>
Configure Client Experience page: adds a new wizard page to the Add Roles Wizard when installing the RD Session Host role service of the Remote Desktop Services role. This page lets you enable the following advanced experiences for RD Session Host session users:
- Audio and video playback redirection: lets users redirect audio and video output from their computer to an RD Session Host session.
- Audio recording redirection: lets users redirect the output of an audio recording device, such as a microphone, from their computer to an RD Session Host session.
- Desktop composition: provides Windows Aero user interface elements within an RD Session Host session.
Other new RD Session Host features in Windows Server 2008 R2:
- Per-user RemoteApp filtering: lets you filter the list of RemoteApp programs available to a user account when logged on using RD Web Access.
- Fair-share CPU scheduling: dynamically distributes processor time across RD Session Host sessions based on the number of active sessions and the load on those sessions, using the kernel-level scheduling mechanism of Windows Server 2008 R2.
- Windows Installer RDS compatibility: allows per-user application installations to be queued by the RD Session Host server and then handled by the Windows Installer.
- Roaming user profile cache management: lets you limit the size of the overall profile cache for users of your RD Session Host server.
- Remote Desktop IP Virtualization: lets IP addresses be assigned to Remote Desktop connections on either a per-session or per-program basis.
Note: you can install the RD Session Host role service on the Standard, Enterprise, or Datacenter edition of Windows Server 2008 R2, with the Standard edition limited to 250 Remote Desktop Services connections.
All Group Policy Settings for Remote Desktop Services in Windows Server 2008 R2
Pasted from <http://technet.microsoft.com/en-us/library/ee791756(WS.10).aspx>
For larger deployments, you might install RD Web Access on a front-end Web server to service multiple RD Session Host servers on the back end. You can then configure RD Web Access to populate its list of RemoteApp programs from all your RD Session Host servers, including servers that belong to an RD Session Host farm. To connect to the RD Web Access server, a user opens a Web browser such as Internet Explorer and types https://<server_name>/rdweb in the address bar as described in the next section.
RD Connection Broker
The administrator can create a Workspace Configuration (.wcx) file using an RD Connection Broker server and distribute it to Windows 7 users so that RemoteApp and Desktop Connection can be configured without the need of having the user manually configure the RemoteApp and Desktop Connections Control Panel item.
The administrator can create a .wcx file and use Group Policy to silently run a script on Windows 7 computers so that RemoteApp and Desktop Connection is set up automatically when users log on to their computers.
After the client side of RemoteApp and Desktop Connections has been configured, Windows 7 users will see a new RemoteApp and Desktop Connections program group on their Start menu, which they can use to launch RemoteApp programs, session-based desktops, and virtual desktops that have been published for them to use. (See Figure 4-14.)
To pull a feed of available RemoteApp programs, session-based desktops, and virtual desktops from your RD Web Access server, the user needs to type the URL for the RD Web Access Web site, which is always in the following form: https://<server_name>/RDWeb/Feed/webfeed.aspx, where <server_name> is the FQDN of the RD Web Access server.
* For an RD Web Access server to provide RemoteApp and Desktop Connection information from an RD Connection Broker server, you must add the computer account for the RD Web Access server to the RD Web Access Computers security group on the RD Connection Broker server. You must be a member of the local Administrators group on the RD Connection Broker server to do this.
* For an RD Session Host server to provide redirection to virtual desktops, you must add the computer account for the RD Session Host server to the Session Broker Computers security group on the RD Connection Broker server. If you have deployed a load-balanced RD Session Host server farm to provide RemoteApp programs to users through RemoteApp and Desktop Connection, you must add the computer account for each RD Session Host server in the farm to the Session Broker Computers security group.
Step-by-Step and Capacity Planning Guides for Remote Desktop Services (SP1 updated)
Pasted from <http://ramazancan.wordpress.com/tag/rd-gateway/>
With RD Gateway, however, you can safely place your RD Session Host and RD Virtualization Host servers inside the corporate network; only the RD Gateway server itself needs to reside on a screened subnet of the perimeter network. This means that only the RD Gateway server is directly exposed to outside attack. And the attack surface of the RD Gateway server is lower than that of an RD Session Host and RD Virtualization Host server placed in a similar location because the only external port that needs to be open on the RD Gateway server is TCP port 443.
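As an added check that is not part of the original notes, the PowerShell function below takes the text output of `netstat -ano -p tcp` from an RD Gateway server and reports TCP listeners bound to non-loopback addresses on any port other than 443, the one port the text says must be open externally. The function name, the allowed-port list and the sample netstat lines are constructed for this note, and the English column layout of netstat output is assumed.

```powershell
# Added example, not from the page: report TCP listeners on an RD Gateway that are
# reachable from outside and are not the expected HTTPS listener on TCP 443.
# Assumes the English column layout of `netstat -ano -p tcp`
# (Proto, Local Address, Foreign Address, State, PID).

function Get-UnexpectedListeners {
    param(
        [Parameter(Mandatory = $true)][string[]]$NetstatLines,
        [int[]]$AllowedPorts = @(443)        # RD Gateway needs only TCP 443 externally
    )
    $unexpected = @()
    foreach ($line in $NetstatLines) {
        $fields = $line.Trim() -split '\s+'
        # Keep only TCP sockets in the LISTENING state; skip headers and established flows
        if ($fields.Count -lt 5 -or $fields[0] -ne 'TCP' -or $fields[3] -ne 'LISTENING') { continue }
        $local = $fields[1]
        $sep   = $local.LastIndexOf(':')     # port follows the last ':' for IPv4 and [IPv6]
        $addr  = $local.Substring(0, $sep)
        $port  = [int]$local.Substring($sep + 1)
        # Loopback-only listeners cannot be reached from the perimeter network; ignore them
        if ($addr -eq '127.0.0.1' -or $addr -eq '[::1]') { continue }
        if ($AllowedPorts -notcontains $port) {
            $unexpected += New-Object PSObject -Property @{
                Address = $addr; Port = $port; ProcessId = [int]$fields[4]
            }
        }
    }
    return $unexpected
}

# Constructed sample lines standing in for a capture from an RD Gateway server
$sample = @(
    '  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1234',
    '  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1100',
    '  TCP    127.0.0.1:5985         0.0.0.0:0              LISTENING       4',
    '  TCP    [::]:443               [::]:0                 LISTENING       1234',
    '  TCP    10.0.0.5:49152         10.0.0.9:445           ESTABLISHED     4'
)
# Only 0.0.0.0:3389 is reported: a listener on all interfaces that the host
# firewall must block on the Internet-facing side, since only 443 is required.
Get-UnexpectedListeners -NetstatLines $sample | Format-Table Address, Port, ProcessId -AutoSize

# On a live server: Get-UnexpectedListeners -NetstatLines (netstat -ano -p tcp)
```

Anything the function reports should be matched against the Windows Firewall inbound rules on the screened-subnet interface; a listener that is bound to all interfaces is only as exposed as the firewall allows it to be.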
Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide
<http://technet.microsoft.com/en-us/library/ff686148(WS.10).aspx>
Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=154801.
Deploying Virtual Desktop Pools by Using RemoteApp and Desktop Connection Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=154802.
Deploying Personal Virtual Desktops by Using Remote Desktop Web Access Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=147909.
Deploying Virtual Desktop Pools by Using Remote Desktop Web Access Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=147906.
Hyper-V
Tuesday, November 22, 2011 3:16 AM
Designing the Physical and Virtual Infrastructure
Plan hardware and virtual resource requirements. This objective may include but is not limited to: CPUs, memory, disk, host, parent, child, performance, networking, Second Level Address Translation (SLAT), CPU Core Parking
Design storage. This objective may include but is not limited to: dynamic, fixed, differential, pass-through; logical unit number (LUN) considerations
Design networking. This objective may include but is not limited to: virtual network type, host NIC configuration, VLAN, TCP chimney, jumbo frames, Virtual Machine Queue (VMQ)
Plan snapshots and checkpoints.
Note: There is no way to upgrade from a Server Core installation to a full installation of Windows Server 2008. If you need the Windows user interface or a server role that is not supported in a Server Core installation, install a full installation of Windows Server 2008. To remotely manage Hyper-V on a Server Core installation, use the Hyper-V management tools for Windows Server 2008 and Windows Vista Service Pack 1 (SP1). For more information, see article 950050 (http://go.microsoft.com/fwlink/?LinkId=122188) and article 952627 (http://go.microsoft.com/fwlink/?LinkID=122189) in the Microsoft Knowledge Base. For more information about configuring tools for remote management of Hyper-V, see Install and Configure Hyper-V Tools for Remote Administration.
Designing a Highly Available Virtual Environment
Design parent for high availability. This objective may include but is not limited to: Windows Server 2008 Failover Clustering, migration types, Cluster Shared Volumes (CSV)
Design child for high availability. This objective may include but is not limited to: Windows Server 2008 Failover Clustering, Network Load Balancing (NLB), shared storage
Design for migration type. This objective may include but is not limited to: quick migration, live migration, storage area network (SAN) migration, network migration
Hyper-V Supportability: http://technet.microsoft.com/en-us/library/ee405267(WS.10).aspx
Do not run any applications in the management operating system; run all applications on virtual machines. By keeping the management operating system free of applications and running a Windows Server 2008 core installation, you will need fewer updates to the management operating system, because nothing requires software updates except the Server Core installation, the Hyper-V service components, and the hypervisor.
Note
If you run programs in the management operating system, you should run your antivirus solution there and add the following to the antivirus exclusions:
* Virtual machine configuration files directory. By default, it is C:\ProgramData\Microsoft\Windows\Hyper-V.
* Virtual machine virtual hard disk files directory. By default, it is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks.
To study:
Using Authorization Manager for Hyper-V Security
Pasted from <http://technet.microsoft.com/en-us/library/dd283030(WS.10).aspx>
Perf-tun-srv
When VMQ is enabled, a dedicated queue is established on the physical network adapter for each virtual network adapter that has requested a queue. As packets arrive for a virtual network adapter, the physical network adapter places them in that network adapter's queue. When packets are indicated up, all the packet data in the queue is delivered directly to the virtual network adapter. Packets arriving for virtual network adapters that don't have a dedicated queue, as well as all multicast and broadcast packets, are delivered to the virtual network in the default queue. The virtual network handles routing of these packets to the appropriate virtual network adapters as it normally would.
Note: Because queues are allocated to virtual machines on a first-come, first-served basis, making all virtual machines eligible for a queue may result in some queues being given to virtual machines with light traffic instead of those with heavier traffic. Enable VMQ only for those virtual machines with the heaviest inbound traffic.
How to enable VMQ: http://download.microsoft.com/download/8/E/D/8EDE21BC-0E3B-4E14AAEA-9E2B03917A09/HSN_Deployment_Guide.doc http://technet.microsoft.com/en-us/library/gg162680(WS.10).aspx
Avoid Mixing Virtual Machines That Can Use Integration Services with Those That Cannot
Do not mix on the same physical server virtual machines that can take advantage of Hyper-V Integration Services with those that cannot. Virtual machines that cannot use Integration Services must use legacy network adapters to gain access to the physical network. To accommodate legacy network adapters, you might need to disable some high-end features on the network interface, which can unnecessarily limit the functionality of the synthetic devices. Additionally, using emulated devices places an extra workload on the Hyper-V server.
SLAT
In Hyper-V R2, the processor handles address translations across virtual machines instead of the Hyper-V code doing page table remapping in software. This means that SLAT adds a second level of paging below the architectural x86/x64 paging tables found in x86/x64 processors by providing an indirection layer from virtual machine memory access to physical memory access. With the right processor, such as an Intel processor with Extended Page Tables (EPT, first introduced with i7) or an AMD processor with Nested Page Tables (NPT, which most current AMD processors have), Hyper-V R2 can provide significant performance gains in many scenarios. These gains are a result of the improved memory management and reduction in memory copies needed when these processor features are used, and the gains are especially significant with large working sets (for example, with Microsoft SQL Server). In fact, the memory usage for the Microsoft Hypervisor can shrink from 5 percent to 1 percent of the total physical memory. This means that more memory can be available for child partitions, which in turn can mean higher consolidation ratios.
Network Adapters in Hyper-V
The legacy network adapter is an emulated adapter (Intel 21140 PCI) that is available to guests that cannot take advantage of Integration Services (e.g., Windows XP Professional x86 must first download and install Service Pack 3).
A network adapter is a synthetic device that can be used only after Integration Services are installed on enlightened guests. Enlightened guests already have the necessary components installed in the operating system to begin taking advantage of this type of network adapter.
Note: If a guest operating system is going to be installed using PXE boot to download an image, a legacy network adapter must be used and the boot order must be modified in the virtual machine settings.
Virtual Machine Disks
VHD limit: 2040 gigabytes (2 terabytes). Passthrough disk limit: no size limit.
Before configuring a guest with a passthrough disk, the disk must be placed in an offline state so that there is no contention between the virtual machine and the Hyper-V server. This is accomplished in the Windows Disk Management snap-in or by using the Diskpart.exe command-line interface (CLI).
When using passthrough disks, the virtual machine configuration files need to be relocated to either another hard disk or a file share. Additionally, you lose snapshot functionality when using passthrough disks, and they are not portable like a file (VHD).
Ensure File Share High Availability
If a file share is being used to store virtual machine configuration data, it is a best practice to ensure the file share is highly available (for example, a file share being hosted in a failover cluster). You also need to modify the security on the file share to allow the Hyper-V server (all nodes of it if it's in a failover cluster) write access to the share.
SCSI: The Hyper-V SCSI controller is a synthetic device and therefore cannot be added to a guest configuration until after Integration Services have been installed. A guest can have up to 4 SCSI controllers with 64 disks each (a total of 256 disks).
iSCSI: Guests can connect directly to iSCSI storage over an iSCSI network, completely bypassing the Hyper-V server itself. There are no limits to the number of iSCSI disks that can be supported on the guest.
Tip: You can bypass the 2048-GB size limitation for IDE and SCSI virtual disks by using passthrough disks.
Configuration Files
The default path of configuration files (.xml) is \ProgramData\Microsoft\Windows\Hyper-V, in a folder corresponding to the name given to the virtual machine in the New Virtual Machine Wizard.
Snapshot
By default, all snapshot files are stored in the following folder on your Hyper-V server: %SystemRoot%\ProgramData\Microsoft\Windows\HyperV\Snapshots
Taking a snapshot of a virtual machine creates the following types of snapshot files:
* Virtual machine configuration (.xml) file
* Virtual machine saved state (.vsv) files
* Virtual machine memory contents (.bin) files
* Snapshot differencing disk (.avhd) files
Tip: When you delete an entire snapshot tree, the result will be the last snapshot applied to the running virtual machine. If your intention, instead, is to have the result be the pristine installation of your virtual machine, your first snapshot should be taken after your virtual machine is configured and before you make any alterations for testing your configuration. That way, you can apply your first snapshot (the root snapshot) before deleting the snapshot tree, and the result is that your virtual machine's configuration will return to where you started before you made your alterations.
Change Default Locations for Virtual Hard Disk and Machine Configuration Files
Change the default locations for storing the virtual hard disks and the virtual machine configuration files. By default, they are stored on the drive where the operating system is installed. For better performance, move the location to another disk on a SAN, if possible. If no SAN storage is configured, use another internal, fault-tolerant drive or drives that can be dedicated to storing virtual machine data and are not supporting the operating system.
Install Integration Services
The first, and probably most important, best practice for virtual machines is to install Integration Services, which comes with Hyper-V, as soon as possible if the operating system running in the virtual machine is supported. Then update Integration Services as needed.
Uninstall VM Additions and Compact VHDs
When migrating virtual machines from Virtual PC or Virtual Server 2005 R2, uninstall the VM Additions and compact the virtual hard disk before moving the disk to the Hyper-V server.
Set Display for Best Performance
For the best display in a virtual machine, ensure the display interface is set for Best Performance. This ensures the hardware acceleration is set to Full.
Configure Fixed-Size VHDs
Choose to configure fixed-size virtual hard disks rather than dynamically expanding disks. Performance is faster, the file system is less likely to fragment, and managing space on the physical disk is easier. Always defragment a physical disk before creating a virtual hard disk.
Use SCSI Virtual Adapters for Data Drives
Hyper-V requires the virtual machine to boot from a virtual IDE controller; however, SCSI virtual adapters can be used after that for mounting additional virtual hard disks. Although performance differences between a virtual IDE controller and a virtual SCSI controller in Hyper-V are negligible (with Integration Services installed), more and larger-capacity virtual hard disks can be attached to a virtual SCSI controller (4 controllers with 64 virtual disks each, for a total of 256). So, if you need more than four virtual hard disks attached to a virtual machine, use a virtual SCSI controller.
Allocate CPU Resources Based on Anticipated Usage
It is also important to determine virtual machine performance to ensure CPU resource allocation on the physical server is adequate to support the workload inside the virtual machine. The default in Hyper-V server is to treat all virtual machines equally. In reality, this might not be a practical or wise business decision. When allocating physical machine CPU resources to a virtual machine, it is important not to over-subscribe, that is, to try to allocate more physical machine resources than are really available. The next version of System Center Virtual Machine Manager (SCVMM 2008) will play a key role in monitoring virtual machine performance.
Virtual PC Architecture
Host-Side Components
The UI components of the Windows Virtual PC host include the following:
* VPC Settings dialog: Lets you modify configuration options such as networking, memory, integration features, and virtual hard disks for each virtual machine.
* VPC Wizard: Walks you through the steps of creating new virtual machines.
* VM Window (VMWindow.exe): When you start a virtual machine (VM), an instance of VMWindow.exe is launched to manage the display window that you use to interact with that VM. VMWindow.exe also loads MSTSCAX.dll, which functions as a Remote Desktop Protocol (RDP) client and is essentially the same ActiveX control that is used to run RemoteApps and Remote Desktops from a Remote Desktop Web Access server in Windows Server 2008 R2. One unique instance of VMWindow.exe is launched for each running VM, except for VMs running virtual applications, which is discussed in the next bullet.
* VM SAL (VMSAL.exe): When you launch a virtual application from the host, an instance of the Virtual Machine Seamless Application Launcher is launched to initiate, monitor, and control the application. As with VMWindow.exe, the in-process ActiveX control MSTSCAX.dll acts as the RDP client.
The user-mode engine components of the Windows Virtual PC host include the following:
* VPC (VPC.exe): The core Virtual PC engine that manages virtual machines and provides services for them. VPC.exe includes the following subcomponents that provide specialized services for virtual machines: RDP Encoder Technology, device emulators, COM servers, Network Address Translation (NAT), and Integration Components (ICs). VPC.exe also provides a set of COM APIs you can use to develop custom applications for performing tasks such as creating and managing virtual machines, creating and managing virtual hard drive (VHD) images, and modifying the configuration settings of VMs.
* RDP ET (RDP Encoder Technology): A group of components that uses RDP to provide the console experience for accessing a virtual machine and converts keyboard, mouse, and video actions between the RDP format and the format used by the VM device emulators.
* Devices: Device emulators for devices such as virtual hard drives, COM ports, and network interfaces.
* COM port redirector: Provides access for the virtual machine to remote serial devices such as modems.
* NAT: Allows a virtual machine to use the physical network adapter for network connectivity.
* Integration Components (ICs): Provides advanced features such as video resizing and audio redirection within virtual machines.
The kernel-mode engine components of the Windows Virtual PC host include the following:
* Virtualization Server Provider (VSP): Provides I/O device-related resources to Virtualization Service Clients (VSCs) running in virtual machines.
* VPCBus.sys: A kernel-mode bus driver used by the VSP to communicate between the host and guests.
* VMM.sys: The Virtual Machine Monitor, which virtualizes the physical processing resources across the host and virtual machines and provides resource management, including memory and interrupts.
* USB Connector (vpcusb.sys): Provides USB virtualization to the guest operating systems, and manages the virtual root hubs for connected USB devices. Each virtual machine has one virtual hub that can be assigned between zero and eight devices.
* USB Stub Driver (vpcuxd.sys): A stub driver that is loaded by the operating system in lieu of the normal USB client driver.
Guest-Side Components The architecture of the guest side of Windows Virtual PC can be further broken down into Integration Components, RAIL (Remote Applications Installed Locally)/RDP components, and kernel-mode components.
The Integration Components of a Windows Virtual PC guest include the following two services, which provide Integration Component services to the guest:
* Virtual PC Integration Components Services Application service (VMSrvc.exe)
* Virtual Machine User Services (VMUSrvc.exe)
The RAIL/RDP components of a Windows Virtual PC guest include the following:
* RDP Server service: Listens for RDP connections from the RDP clients running in a virtual machine window or application.
* RDP Shell (RDPShell.exe): A shell designed to present virtual applications as if they are running locally on the host and to make the seamless running of virtual applications possible.
The kernel mode of a Windows Virtual PC guest includes the following:
* VSC: Consumes resources provided to it by the VSP running on the host.
* VMX/SVM Root Kernel: Built upon the Virtual Machine Extensions (VMX) of Intel Virtualization Technology (Intel VT) technology. It includes the Virtual Machine Monitor (VMM) runtime layer, which provides support for virtual machine execution, memory management, intercept and exception handling, and routing of interrupts raised by virtual machines. For more information, see the sidebar titled "Direct from the Source: Windows Virtual PC vs. Hyper-V" later in this section.
Windows XP Mode
When Windows XP Mode is installed, two virtual hard disks are created on the host computer:
* A parent virtual hard disk named Windows XP Mode base.vhd, located in the %SystemDrive%\Program Files\Windows XP Mode folder. This parent disk is write-protected and approximately 1.2 GB in size.
* A differencing virtual hard disk named VM_name.vhd, where VM_name is the name of the virtual machine. This differencing disk varies in size (it grows as needed) and is located in the hidden %SystemDrive%\Users\username\AppData\Local\Microsoft\Windows Virtual PC\Virtual Machines folder, where username is the user's profile folder. The virtual machine configuration file (.vmc file) for the virtual machine is also located in this folder.
Tips: You should back up the parent disk in case it becomes corrupted, because the differencing disk won't work without the parent. You should install antivirus and antimalware software on your Windows XP Mode virtual machine. You should also make sure that Automatic Updates is enabled on the virtual machine.
Page 175 (RDS)
https://training.partner.microsoft.com/learning/app/manage ment/LMS_LearnerHome.aspx
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-659&locale=en-us
Skills Being Measured
This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam.
Installing and Configuring Host and Parent Settings
Add the Hyper-V role on Windows Server 2008 R2. This objective may include but is not limited to: installing and configuring Hyper-V on Server Core, verifying BIOS settings (i.e. DEP), adding the Hyper-V role using Virtual Machine Manager, configuring Hyper-V Server R2, identifying hardware requirements
Enable remote management. This objective may include but is not limited to: deploying Virtual Machine Manager Agent, configuring firewall rules, configuring Virtual Network Manager settings
Configure virtual networks and VLAN security. This objective may include but is not limited to: configuring Media Access Control (MAC) address pools, configuring network locations, configuring VLAN tags, configuring VLAN security, configuring virtual networks
Configure storage. This objective may include but is not limited to: configuring Multi Path Input Output (MPIO), executing the mpiocpl.exe command, dynamic I/O redirection, iSCSI initiator, executing the iscsicli.exe command
Configuring Child Settings
Configure child resources. This objective may include but is not limited to: configuring disks, networks, CPU, and memory
Configure child storage. This objective may include but is not limited to: configuring Dynamic VM storage, creating differencing disks, configuring pass-through disks, taking snapshots, managing GUIDs, managing logical unit numbers (LUNs), editing VHDs, copying physical disks to VHDs
Configure child network adapters. This objective may include but is not limited to: creating synthetic and emulated network adapters, configuring MAC spoofing, configuring VLAN ID, configuring Jumbo frame, configuring TCP Offloading Engine (TOE)
Create and deploy virtual machines. This objective may include but is not limited to: creating, cloning, deploying, and saving virtual machines using Virtual Machine Manager; creating virtual machines using Hyper-V Manager, configuring Self-Service Portal, scripting and deploying virtual machines using Windows PowerShell
Managing and Monitoring Virtual Environments
Solve performance and resource issues. This objective may include but is not limited to: configuring Performance and Resource Optimization (PRO), monitoring the environment by using System Center Operations Manager 2007 R2, configuring event triggers, allocating resources by using Virtual Machine Manager, monitoring performance and diagnosing issues by using Performance Monitor or Resource Monitor
Configure delegation of rights. This objective may include but is not limited to: creating user policies for Self Service Portal, creating and managing templates, managing and replicating libraries in Virtual Machine Manager
Create roles and configure authorization rights. This objective may include but is not limited to: creating roles and delegating rights using Authorization Manager (AzMan), delegating rights manually
Manage non-Hyper-V-aware virtualization hosts. This objective may include but is not limited to: managing ESX/VI3 VMware hosts by using Virtual Machine Manager, managing Virtual Server 2005 R2 hosts using Virtual Machine Manager
Ensuring High Availability and Recoverability
Manage snapshots. This objective may include but is not limited to: taking, reverting, merging, deleting, and applying snapshots; configuring storage locations
Manage backups. This objective may include but is not limited to: managing online and offline backups by using DPM, Windows Server Backup, or Volume Shadow Copy Service (VSS)
Perform non-clustered migrations. This objective may include but is not limited to: performing a SAN migration of child partitions, performing a network migration of child partitions
Configure quick and live migrations. This objective may include but is not limited to: configuring network and storage for clustered Hyper-V setup, enabling Cluster Shared Volumes (CSV), configuring dynamic I/O redirection
Performing Migration
Perform physical-to-virtual (P2V) migration. This objective may include but is not limited to: configuring Virtual Machine Manager Intelligent Placement, performing online and offline migrations
Perform virtual-to-virtual (V2V) migration. This objective may include but is not limited to: configuring Virtual Machine Manager Intelligent Placement, performing online and offline migrations
Perform import/export migration. This objective may include but is not limited to: migrating virtual machines between Hyper-V hosts using the Export/Import feature in Hyper-V
Configuring Remote Desktop (RD) Role Services Infrastructure
Configure RD session host. This objective may include but is not limited to: configuring session host settings, network-level authentication settings, license settings; restricting users to single remote session; allowing time zone redirection; configuring resource redirection, configuring encryption, configuring multi-monitor support
Configure RD licensing. This objective may include but is not limited to: activating and deactivating Remote Desktop License Service, installing and revoking client access licenses (CALs), reporting on CAL usage
Configure RD Connection Broker. This objective may include but is not limited to: installing the RD Connection Broker, configuring DNS for Connection Broker, configuring Connection Broker farms, integrating with RD Virtualization Host role service
Configure RD Gateway. This objective may include but is not limited to: configuring RD Gateway, integrating RD Gateway with network access protection (NAP), configuring authentication authorization
Configure RD Web Access. This objective may include but is not limited to: configuring RD Web Access, configuring authentication options (forms, single sign-on), configuring per-user RemoteApp program filtering, configuring public and private computer options
Preparation Tools and Resources
To help you prepare for this exam, Microsoft Learning recommends that you have hands-on experience with the product and that you use the following training resources. These training resources do not necessarily cover all of the topics listed in the "Skills Measured" tab.
Classroom Training: 10215A: Implementing and Managing Microsoft Server Virtualization (5 Days)
Microsoft E-Learning: 10215AE: Implementing and Managing Microsoft Server Virtualization (15 Hours)
Microsoft Press Books: There are no Microsoft Press books currently available.
Practice Tests: There are no practice tests currently available.
Microsoft Online Resources
Product information: Visit the Windows Server 2008 Web site for detailed product information.
TechNet: Designed for IT professionals, this site includes how-to instructions, best practices, downloads, technical resources, newsgroups, and chats.
MSDN: Designed for developers, the Microsoft Developer Network (MSDN) features code samples, technical articles, downloads, newsgroups, and chats.
Microsoft Learning Community: Join newsgroups and visit community forums to connect with your peers for suggestions on training resources and advice on your certification path and studies.
Have Questions?
For advice about training and certification, connect with peers: Visit the training and certification forum
For questions about a specific certification, chat with a Microsoft Certified Professional (MCP): Visit our MCP newsgroups
To find out about recommended blogs, Web sites, and upcoming Live Meetings on popular topics, visit our community site: Visit the Microsoft Learning community
Pasted from <http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-659&locale=en-us>
RDS
Monday, November 21, 2011 3:17 AM
Pg 381
Assess: What's New in Remote Desktop Services; Getting Started; Step-by-Step Guides
Plan: Infrastructure Planning and Design (IPD) Guides for Virtualization
Deploy: Remote Desktop Services Deployment Guide; Remote Desktop Services Migration Guide
Troubleshoot: Troubleshooting RD Licensing Issues; Remote Desktop Services Event-Based Troubleshooting
Pasted from <http://technet.microsoft.com/en-us/windowsserver/ee236407>
Terminal Services
Remote Desktop Services in Windows Server 2008 R2 Updated: November 11, 2011
Applies To: Windows Server 2008 R2
Remote Desktop Services in Windows Server 2008 R2 provides technologies that enable users to access Windows-based programs that are installed on a Remote Desktop Session Host (RD Session Host) server, or to access the full Windows desktop. With Remote Desktop Services, users can access an RD Session Host server from within a corporate network or from the Internet.
In this section
Step 1: Assess
Product Evaluation: Remote Desktop Services: What's new in Remote Desktop Services
Getting Started: Remote Desktop Services: Step-by-step guides for installing and deploying Remote Desktop Services role services and features
Step 2: Plan
Planning and Architecture: Remote Desktop Services: Hardware considerations and capacity planning guides
Step 3: Deploy
Deployment: Remote Desktop Services: Design Guide, Deployment Guide, Migration Guide
Step 4: Manage
Operations: Remote Desktop Services: Managing and operating Remote Desktop Services
Technical Reference: Remote Desktop Services: Group Policy settings and RDP settings
Step 5: Troubleshoot
Troubleshooting: Event messages, licensing issues, RDP
Related resources
Remote Desktop Services Component Architecture Poster: This poster provides a visual reference for understanding key Remote Desktop Services technologies in Windows Server 2008 R2.
Remote Desktop Services Script Center: The Remote Desktop Services Script Center contains a collection of scripts to help configure and deploy Remote Desktop Services.
Remote Desktop Services (Terminal Services) on the Windows Server TechCenter: TechCenters provide links to content outside of the Technical Library, including downloads, Knowledge Base articles, community (blogs and forums), and other resources.
Terminal Services in Windows Server 2008
Pasted from <http://technet.microsoft.com/en-us/library/dd647502(WS.10).aspx>
Configure Client Experience page: Adds a new wizard page to the Add Roles Wizard when installing the RD Session Host role service of the Remote Desktop Services role. This new wizard page lets you enable the following advanced experiences for RD Session Host session users:
Audio and video playback redirection: Lets users redirect audio and video output from their computer to an RD Session Host session.
Audio recording redirection: Lets users redirect the output of an audio recording device, such as a microphone, from their computer to an RD Session Host session.
Desktop composition: Provides Windows Aero user interface elements within an RD Session Host session.
Per-user RemoteApp filtering: Lets you filter the list of RemoteApp programs available to a user account when logged on using RD Web Access.
Fair-share CPU scheduling: Dynamically distributes processor time across RD Session Host sessions based on the number of active sessions and the load on those sessions, using the kernel-level scheduling mechanism of Windows Server 2008 R2.
Windows Installer RDS compatibility: Allows per-user application installations to be queued by the RD Session Host server and then handled by the Windows Installer.
Roaming user profile cache management: Lets you limit the size of the overall profile cache for users of your RD Session Host server.
Remote Desktop IP Virtualization: Lets IP addresses be assigned to Remote Desktop connections on either a per-session or per-program basis.
Note: You can install the RD Session Host role service on the Standard, Enterprise, or Datacenter edition of Windows Server 2008 R2, with the Standard edition limited to 250 Remote Desktop Services connections.
All Group Policy Settings for Remote Desktop Services in Windows Server 2008 R2
Pasted from <http://technet.microsoft.com/en-us/library/ee791756(WS.10).aspx>
For larger deployments, you might install RD Web Access on a front-end Web server to service multiple RD Session Host servers on the back end. You can then configure RD Web Access to populate its list of RemoteApp programs from all your RD Session Host servers, including servers that belong to an RD Session Host farm. To connect to the RD Web Access server, a user opens a Web browser such as Internet Explorer and types https://<server_name>/rdweb in the address bar as described in the next section.
RD Connection Broker
The administrator can create a Workspace Configuration (.wcx) file using an RD Connection Broker server and distribute it to Windows 7 users so that RemoteApp and Desktop Connection can be configured without the need of having the user manually configure the RemoteApp and Desktop Connections Control Panel item.
The administrator can create a .wcx file and use Group Policy to silently run a script on Windows 7 computers so that RemoteApp and Desktop Connection is set up automatically when users log on to their computers.
After the client side of RemoteApp and Desktop Connections has been configured, Windows 7 users will see a new RemoteApp and Desktop Connections program group on their Start menu, which they can use to launch RemoteApp programs, session-based desktops, and virtual desktops that have been published for them to use. (See Figure 4-14.)
To pull a feed of available RemoteApp programs, session-based desktops, and virtual desktops from your RD Web Access server, the user needs to type the URL for the RD Web Access Web site, which is always in the following form: https://<server_name>/RDWeb/Feed/webfeed.aspx, where <server_name> is the FQDN of the RD Web Access server.
* For an RD Web Access server to provide RemoteApp and Desktop Connection information from an RD Connection Broker server, you must add the computer account for the RD Web Access server to the RD Web Access Computers security group on the RD Connection Broker server. You must be a member of the local Administrators group on the RD Connection Broker server to do this.
* For an RD Session Host server to provide redirection to virtual desktops, you must add the computer account for the RD Session Host server to the Session Broker Computers security group on the RD Connection Broker server. And if you have deployed a load-balanced RD Session Host server farm to provide RemoteApp programs to users through RemoteApp and Desktop Connection, you must add the computer account for each RD Session Host server in the farm to the Session Broker Computers security group.
Step-by-Step and Capacity Planning Guides for Remote Desktop Services (SP1 updated)
Pasted from <http://ramazancan.wordpress.com/tag/rd-gateway/>
With RD Gateway, however, you can safely place your RD Session Host and RD Virtualization Host servers inside the corporate network; only the RD Gateway server itself needs to reside on a screened subnet of the perimeter network. This means that only the RD Gateway server is directly exposed to outside attack. And the attack surface of the RD Gateway server is lower than that of an RD Session Host and RD Virtualization Host server placed in a similar location because the only external port that needs to be open on the RD Gateway server is TCP port 443.
Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide
<http://technet.microsoft.com/en-us/library/ff686148(WS.10).aspx>
Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=154801.
Deploying Virtual Desktop Pools by Using RemoteApp and Desktop Connection Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=154802.
Deploying Personal Virtual Desktops by Using Remote Desktop Web Access Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=147909.
Deploying Virtual Desktop Pools by Using Remote Desktop Web Access Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=147906.
MEMORY MANAGEMENT
BEST PRACTICES
Microsoft's best practices for RD Session Host servers suggest that your page file should be two to three times the size of the installed RAM to support all the individual user-mode memory areas for each process. The reasoning is that process creation is expensive, two or three times more so than maintaining the process in memory. Because many people are using the same computer, it's likely that the computer will be creating a lot of processes for all those people. Therefore, every time users start an application, they're engaging in this expensive activity. To keep the RD Session Host server running smoothly, you need more memory than just enough to keep the processes running.
All 32-bit operating systems have a 4-GB virtual memory address space; 64-bit operating systems have a 16-terabyte virtual memory address space (8 terabytes for user-mode processes and 8 terabytes for kernel mode).
Note that 64-bit Windows has another advantage: It's got a lot more room to store System PTEs (the PTEs used to map the location of memory the system is using). The amount of storage in 32-bit Windows is 660 MB; 64-bit Windows has 128 GB.
Like other key structures, the page file is larger in 64-bit Windows than 32-bit Windows; 64-bit Windows supports a 256-terabyte page file, and for 32-bit Windows, the maximum size is 16 terabytes.
Not all data can be paged to disk. Some important data (important to the functioning of the operating system, not important to a user) must be maintained in RAM at all times. Data that never gets paged is stored in an area of kernel-mode memory called the non-paged pool. Kernel-mode processes that store data that can be paged to disk store it in the paged pool. In previous versions of Windows, paged pools and non-paged pools had fixed sizes depending on the amount of RAM installed on the server; beginning with Windows Server 2008, these memory areas had no fixed size but could fluctuate depending on the needs of the operating system.
On 64-bit Windows, the maximum size of the non-paged pool is 128 GB, as opposed to 256 MB for 32-bit Windows.
CAPACITY PLANNING
Baseline RD Session Host Requirements
The base operating system uses more memory now, for reasons that have nothing to do with RDS. First, the server operating system runs Windows Internet Explorer 8, which uses more memory than Microsoft Internet Explorer 6. Any scenarios that require the Microsoft native browser will be affected by this. Second, the shell in Windows Server 2008 R2 and Windows 7 is more memory-intensive than that in Windows Server 2003 and Windows XP. And with Windows Server 2008, these additional memory consumers will affect an RD Session Host server in particular, because these programs are all about the user experience. Remember that 64-bit Windows uses more memory than 32-bit; a lot of the standard processes use more memory in the 64-bit version than they do in the 32-bit version. You need about 8 GB of RAM in an RD Session Host Server to bring it to parity with a 32-bit terminal server with 4 GB. However, at 16 GB, the RD Session Host server will start being able to support more users than the 32-bit server can.
DISK Split data among multiple hard disks (20 to 30 users to a disk spindle, as a guideline) for best performance and use hardware RAID 1 for disk fault tolerance. Allocate a disk spindle for every 20 users for best performance. User profiles, page files, and system and application files should be on separate physical volumes as far from each other as possible to avoid I/O bottlenecks.
NETWORK
Of course, network speed is important to a centralized computing environment. In-house, bandwidth should not be a problem, although you might consider a multi-homed server so you can dedicate one network card to Remote Desktop Protocol (RDP) traffic and one to serving file and print requests.
MEMORY Allocate a working set amount of x MB per user. You can approximate the value of x by starting the applications that you expect your users to open, working through a normal scenario, and noting the value of Peak Working Set from Task Manager. If this is not possible, make an estimate starting with a minimum of 100 MB per session for a 64-bit operating system. Always make sure that the paging file is three times the size of RAM (for example, if the RD Session Host server has 16 GB of RAM, plan on a 48-GB page file).
PROCESSOR
Processor speed was unlikely to be your biggest bottleneck when running the 32-bit version of Windows Server 2008, but it's more important in 64-bit Windows where memory is no longer constrained. Quad-core processors are common these days; get a motherboard that has additional sockets. The amount of cache is more critical to processor responsiveness than the processor's speed. More cache provides more space to store instructions that are quickly available to the processor to execute. Incremental changes in megahertz (MHz) made a lot more difference when you were moving from 66 MHz to 100 MHz. DFSS, introduced in Windows Server 2008 R2, automatically apportions processor time evenly among sessions. RD Session Host servers spread processor time among individual sessions by prioritizing all user application processes in the same way and using DFSS to ensure that no one session uses up all the processor time just because it's running demanding applications.
NOTE
You might have multiple processors in your RD Session Host server. Be aware that two processors don't render twice the power of one. Instead, there is a sliding scale:
Approximately 1.8:1 when going from one to two processors
Approximately 1.65:1 when going from two to four processors
Therefore, if you have four processors in your RD Session Host server, you would use the following calculations to compute Max Users. 100 percent divided by 5 percent = 10 users. Now take into account the other three processors: 10*1.8*1.65 = 30 users at full load.
If detailed information about user activity on the RD Session Host or RD Virtualization Host server is not available, then you can make some estimates about how many resources each session will need as follows. Allocate a percentage of a processor to a user based on how much CPU you expect users to need for running their tasks. For example, if you expect your users to need approximately 5 percent of the CPU's capacity for their work, expect to have about 20 users per CPU.
Each of these points will allow you to compute a number of supported users per specific resource. For example, if 5 percent of CPU capacity per user means 20 users per CPU, to compute the number of users that four processors will support, the equation is 20 × 1.8 × 1.65 = 60 users at full load, for a margin of 50 percent of the maximum CPU usage, or 30 users. You'll likely end up with different results when calculating for different resources. Always use the lowest numbers to avoid overstressing the servers. And of course, keep in mind that this is just an approximate process. There is no guarantee that the system will not run out of resources.
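The per-resource arithmetic above (CPU with the processor sliding scale, memory per session, one spindle per 20 users, page file at three times RAM) is easy to get wrong by hand, so here is an added PowerShell helper that computes each limit and takes the lowest, as the text says to do. It is not code from the Resource Kit or from Microsoft; the scaling factors, the 20-users-per-spindle guideline, the 100 MB working-set minimum and the 3x page file come from the notes above, while the 2 GB OS reservation and all parameter names are assumptions made for this script.

```powershell
# Added example, not from the Resource Kit text: one estimate per resource, then the lowest.
# From the notes: 1.8 (1->2 CPUs) and 1.65 (2->4 CPUs), 20 users per spindle,
# 100 MB minimum working set per 64-bit session, page file = 3 x RAM.
# Assumed for this script: the 2 GB OS reservation and the parameter names.
function Get-RdshCapacityEstimate {
    param(
        [double]$CpuPercentPerUser   = 5,    # CPU share you expect one session to need
        [int]   $ProcessorCount      = 4,    # the notes give scaling factors up to four
        [int]   $RamGB               = 16,
        [int]   $OsReservedRamGB     = 2,    # assumed: RAM kept back for the OS and services
        [int]   $WorkingSetMBPerUser = 100,  # use Task Manager Peak Working Set when you have it
        [int]   $DiskSpindles        = 2,
        [double]$CpuMargin           = 0.5   # plan for 50 percent of maximum CPU usage
    )

    # CPU: users one processor can carry, then the sliding scale for more processors.
    $usersPerCpu = [math]::Floor(100 / $CpuPercentPerUser)
    $scale = 1.0
    if ($ProcessorCount -ge 2) { $scale = $scale * 1.8 }
    if ($ProcessorCount -ge 4) { $scale = $scale * 1.65 }   # no factor is given beyond four
    $cpuFullLoad = [math]::Round($usersPerCpu * $scale)     # 20 * 1.8 * 1.65 = 59.4, which the chapter rounds to 60
    $cpuUsers    = [math]::Floor($cpuFullLoad * $CpuMargin)

    # Memory: RAM left after the OS reservation, divided by the per-session working set.
    $memUsers = [math]::Floor((($RamGB - $OsReservedRamGB) * 1024) / $WorkingSetMBPerUser)

    # Disk: one spindle for every 20 users.
    $diskUsers = $DiskSpindles * 20

    $lowest = ($cpuUsers, $memUsers, $diskUsers | Measure-Object -Minimum).Minimum

    New-Object PSObject -Property @{
        CpuUsersFullLoad   = $cpuFullLoad
        CpuUsersWithMargin = $cpuUsers
        MemoryUsers        = $memUsers
        DiskUsers          = $diskUsers
        PageFileGB         = $RamGB * 3     # "three times the size of RAM"
        PlanForUsers       = $lowest        # always use the lowest number
    }
}

# The chapter's case: 5 percent per user and four processors (the chapter quotes 60 at full load, 30 with margin)
Get-RdshCapacityEstimate -CpuPercentPerUser 5 -ProcessorCount 4 -RamGB 16 -DiskSpindles 2
```

With the defaults the CPU figure with margin (29, or 30 with the chapter's rounding) is lower than the memory and disk figures, so it is the number to plan for; change `-DiskSpindles 1` and the disk limit of 20 becomes the binding one, which is exactly the "use the lowest numbers" rule the text states.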
NTFS File System Setting
Under HKLM\System\CurrentControlSet\Control\FileSystem\ is NtfsDisableLastAccessUpdate (REG_DWORD) = 1. This system-global switch reduces disk I/O load and latencies by disabling the updating of the date and time stamp for the last file or directory access. This key is set to 1 by default. Clean installations of Windows Server 2008 and Windows Server 2008 R2 set this key by default and you do not need to adjust it. Earlier versions of Windows operating systems did not set this key. If your server is running an earlier version of Windows or was upgraded to Windows Server 2008 or Windows Server 2008 R2, you should set this key to 1. Disabling the updates is effective when you are using large data sets (or many hosts) that contain thousands of directories. We recommend that you use IIS logging instead if you maintain this information only for Web administration. Caution: Some applications such as incremental backup utilities rely on this update information and do not function correctly without it.
Connection Broker
Discovering a VM
The first step of using a VM is discovering that a VM exists. To allow users to discover VMs, the administrator assigns a personal desktop or creates a VM pool from the RemoteApp and Desktop Connections Manager on the RD Connection Broker. When an administrator assigns a personal VM, this assignment is recorded in the user account properties in AD DS. (Active Directory in both Windows Server 2008 and Windows Server 2008 R2 supports this user account property.) Both personal and pooled VMs are added to the publishing feed that populates both Remote Desktop Web Access and RemoteApp and Desktop Connections on clients running Windows 7. This publishing feed is customized for each user's security credentials, so that one user does not see another's personal desktop. RemoteApp program display is also filtered according to which users have permission to use which applications. That said, all VM pools are visible to all consumers of the feed.
Brokering connections
Kim initiates the brokering phase by clicking the personal desktop or pooled VM icon. At this point, she's requested a type of resource, like access to a VM pool, and the brokering must get her to the most appropriate location based on the server load and what she's asked for. The RD Connection Broker is built to be flexible both in terms of determining what kind of resource Kim wants to connect to (a VM or a session) and the rules governing which connection is most appropriate. It does this by using a couple of different kinds of plug-ins: resource plug-ins, which are used for a specific kind of resource, and filter plug-ins, which are used in combination with a particular resource plug-in to tweak the rules governing which resource is chosen and what happens to prepare it for a connection.
RD Connection Broker comes with two resource plug-ins: a session plug-in used for connecting to RD Session Host servers and a VM plug-in used to connect to personal and pooled VMs. Each of these resource plug-ins comes with built-in internal logic that the RD Connection Broker uses to determine where a connection should go and how it's made ready to accept connections. By default, the VM plug-in will distribute VM requests evenly among all RD Virtualization Host servers available. Because our basic scenario includes only a single server, all connections will go there, but if more were available, then it would use a round-robin technique to distribute the VM requests. Resource plug-ins are stored on the RD Connection Broker in HKLM\System\CurrentControlSet\Services\Tssdis\Parameters\Resource. Figure 4-5 shows the settings for the VM resource plug-in. (This RD Connection Broker has only the VM Resource plug-in because there are currently no RD Session Host farms configured on it.) The value for IsEnabled must be 1 for the plug-in to function, and the system must be able to identify the plug-in by name, class ID (the unique identifier for a COM object), and provider.
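Two registry settings come up in these notes: the NtfsDisableLastAccessUpdate switch under the FileSystem key (NTFS File System Setting, above) and the resource plug-in keys under Tssdis\Parameters\Resource with their IsEnabled value (this section). The following added PowerShell script reads both back so an administrator can confirm the state after an upgrade or a broker change; it is not code from the page or from Microsoft. The registry paths and value names it uses are the ones quoted in the notes; the `-FixNtfs` switch and the output property names are this script's own assumptions, and the exact value names for a plug-in's class ID and provider are not quoted in the notes, so the script returns every value under each plug-in key rather than guessing them.

```powershell
# Added example, not from the page: read back two registry settings these notes discuss.
# NtfsDisableLastAccessUpdate exists on any server (check it on the RD Session Host);
# the Tssdis resource plug-in keys exist only on an RD Connection Broker.
# Read-only unless -FixNtfs is passed (the switch name is an assumption of this script).
function Get-RdsRegistryAudit {
    param([switch]$FixNtfs)

    $fsKey = 'HKLM:\System\CurrentControlSet\Control\FileSystem'
    $ntfs  = (Get-ItemProperty -Path $fsKey -Name NtfsDisableLastAccessUpdate -ErrorAction SilentlyContinue).NtfsDisableLastAccessUpdate
    if ($ntfs -ne 1 -and $FixNtfs) {
        # 1 = stop updating last-access timestamps (default on clean 2008 / 2008 R2 installs,
        # absent on upgraded servers). Confirm first that no incremental backup tool relies on them.
        Set-ItemProperty -Path $fsKey -Name NtfsDisableLastAccessUpdate -Value 1 -Type DWord
        $ntfs = 1
    }

    $plugins = @()
    $pluginRoot = 'HKLM:\System\CurrentControlSet\Services\Tssdis\Parameters\Resource'
    if (Test-Path -Path $pluginRoot) {
        # One subkey per resource plug-in (session, VM). IsEnabled must be 1 for the broker
        # to use it; the other values (name, class ID, provider) are returned as stored because
        # the notes do not quote their exact value names.
        foreach ($key in Get-ChildItem -Path $pluginRoot) {
            $values = Get-ItemProperty -Path $key.PSPath
            $plugins += New-Object PSObject -Property @{
                PlugIn    = $key.PSChildName
                IsEnabled = $values.IsEnabled
                Values    = ($values | Select-Object -Property * -ExcludeProperty PS*)
            }
        }
    }

    New-Object PSObject -Property @{
        NtfsDisableLastAccessUpdate = $ntfs
        NtfsSettingOk               = ($ntfs -eq 1)
        ResourcePlugIns             = $plugins
        DisabledPlugIns             = @($plugins | Where-Object { $_.IsEnabled -ne 1 } | ForEach-Object { $_.PlugIn })
    }
}

$audit = Get-RdsRegistryAudit
$audit | Format-List
$audit.ResourcePlugIns | ForEach-Object { $_.Values | Format-List }
```

On an RD Session Host with no broker role the `ResourcePlugIns` list is simply empty and `NtfsSettingOk` is the only check that matters; on a broker a plug-in listed under `DisabledPlugIns` is one the broker will not use, which is the first thing to look at when connections are not being brokered to that resource type.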
Orchestrating a VM
Discovery and brokering get a user 95 percent of the way to a working VM, but not 100 percent. The final stage is orchestration, which means to make the VM ready for connections. Orchestration is an important step. Without it, the VM would have to be constantly on, waiting for a connection. Orchestration makes it possible to put a VM to sleep and wake it up on demand, saving hardware resources on the host.
As shown in Figure 4-6, during orchestration, the VM Host Agent finds a VM on the RD Virtualization Host that doesn't already have a connection and wakes it. You can watch this from Hyper-V Manager. A sleeping VM will wake up and be ready to accept incoming connections. The key part of this is the VM Host agent; without that, the hypervisor has no way to know that it needs to wake up the VM. The WTS application programming interface (API) shown here is for managing the VM sessions. In Chapter 11, Managing Remote Desktop Sessions, you will learn more about how you can use tools built on this API to interact with sessions and VMs.
In addition to loading HKCU with the contents of your profile, logging on to an RD Session Host server updates two parts of HKLM, the computer-wide section of the registry. HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList (Figure 5-2) contains a list of all profiles cached on the computer. It also lists the profiles used by the System account, Network Service account, and the Local Service account. As you can see, machine accounts have profiles just like user accounts do. The users are identified by security identifiers (SIDs), but you can distinguish them by browsing the keys. The values show the path to both the local cache (the ProfileImagePath key value shown in Figure 5-2) and to the roaming profile folder share (the CentralProfile key value shown in Figure 5-2), so it's not hard to map user names to profiles.
Managing Roaming User Data Deployment Guide, located at http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx
Because V1 profiles and V2 profiles are so different, you can't use the same profiles for Windows Server 2008 R2 RD Session Host servers that you did for terminal servers running Windows Server 2003 or Windows XP VMs. The structures of the profiles don't match. (See the section entitled Sharing Folders Between Windows Server 2003 and Windows Server 2008 Roaming Profiles later in this chapter.) This is important both for supporting mixed deployments of terminal servers running Windows Server 2003 and Windows Server 2008 R2 RD Session Hosts, and for supporting Windows 7 VM pools and Windows XP VM pools. (The changes to the profile structure between the operating systems are one reason why you should not combine Windows 7 and Windows XP VMs in the same pool.)
Virtual Machines
Pooled and personal VMs do not use Remote Desktop Services profiles. A pooled or personal VM is really a virtualized client desktop and acts accordingly; that is, it uses regular profiles. For these VM scenarios, enter the profile share's UNC path on the Profiles tab of the user account Properties dialog box, shown in Figure 5-7.
The following is example code for a 64-bit version Unattend.xml file with the extra line of code added (the CopyProfile element):
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
  <cpi:offlineImage cpi:source="catalog:e:/clg files/64-bit/install_windows 7 ultimate.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
3. Save this Unattend.xml file to C:\Windows\System32\Sysprep.
4. After you have the Unattend.xml file in place, open a command prompt and type the following command:
sysprep.exe /oobe /reboot /generalize /unattend:unattend.xml
NOTE The article at http://support.microsoft.com/kb/973289 explains how to do this, but at the time of this writing, the syntax is incorrect. Use the one provided here.
Creating a Default Network Profile
Assuming that you can use a network default profile for all your scenarios, on Windows 2008 (and Windows 7) you can copy a local default profile to the NETLOGON share on a domain controller, following these steps.
1. Log on to the server with an admin account.
2. From the Run box, browse to the domain controller: \\DOMAIN CONTROLLER\NETLOGON
3. Create a folder in the NETLOGON share and name it Default User.v2.
4. From Server Manager, click Change System Properties, navigate to the Advanced tab, and then click the Settings button in the User Profiles section.
5. Select the Default Profile from the list of profiles stored on the server and click Copy To.
6. Browse to or type the network path \\DOMAIN CONTROLLER\NETLOGON\Default User.v2.
Enable Loopback Policy Processing
When the RD Session Host server starts, computer GPOs are applied. When the user logs on to the RD Session Host server, the User GPOs are applied to the session. Then, because loopback policy processing is enabled, User GPOs that are applied to the RD Session Host server OU are applied last. In addition, if you have blocked inheritance, it's possible that the only GPOs that will be applied are computer and user GPOs that are placed specifically on the OU. To enable Loopback Processing, right-click the Computer GPO applied to the RD Session Host server OU and choose Edit. The Group Policy Management Editor opens the GPO. Go to Computer Configuration, Policies, Administrative Templates, System, and Group Policy and find the User Group Policy Loopback Policy Processing Mode node in the pane on the right. Double-click it and you will see the dialog box shown in Figure 5-14.
Using Group Policy to Define the Roaming Profile Share
After you have a Group Policy infrastructure set up, you can create a policy to create roaming profile folders in the proper folder share location automatically. The Group Policy setting to set the path for RDS roaming profiles is a computer setting. Right-click your Computer Policy GPO and choose Edit. Expand the GPO to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles. In the pane at right, double-click Set Path For Remote Desktop Services Roaming User Profile, shown in Figure 5-16.
Select the Enabled option and type the RDS roaming profile share location in the Profile Path text box. If you use Group Policy to set the RDS roaming profile path, then the profile folders that are created take the form of username.domainname.V2; you do not need to add the %username% variable, the domain name, or the .V2 extension. This is in contrast to defining the path to the Remote Desktop Services profile folder by editing the user account properties through scripting or through Active Directory Users And Computers, where you must specify the username and domainname variables to create the folder properly. If the profile folders are created automatically when the user logs on, then the user gets sole access to the profile and is also set as the owner of the profile folder. To permit administrators to access the profile, enable the following GPO setting: Computer Configuration | Policies | Administrative Templates | System | User Profiles | Add The Administrators Security Group To Roaming User Profiles. With this GPO setting enabled, the following permissions are placed on newly created user folders:
User: Full Control, owner of folder
SYSTEM: Full Control
Administrators: Full Control (This is the local administrators group of the server where the profiles are stored, which also contains the Domain Admins group.)
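The three permissions listed above are what a freshly created profile folder should carry; anything else on a folder (an extra group, a Deny entry, a different owner) means either the GPO was not in effect when the folder was created or someone changed the ACL afterwards. The added PowerShell check below walks the profile share and reports folders that deviate from that expected set. It is not code from the Resource Kit or from Microsoft: the username.domainname.V2 naming and the three expected entries are from the text, while the `-ProfileShare` and `-DomainName` parameters, the share and domain names in the usage line, and the assumption that the part of the folder name before the first dot is the user name are this script's own.

```powershell
# Added example, not from the page: compare each roaming profile folder's ACL with the three
# entries the notes list (the user as owner with Full Control, SYSTEM Full Control,
# Administrators Full Control) and report anything else. Folder naming username.domainname.V2
# is from the notes; $ProfileShare, $DomainName and the name parsing are assumptions.
function Test-RoamingProfileAcl {
    param(
        [Parameter(Mandatory=$true)][string]$ProfileShare,   # e.g. \\fs01\RdsProfiles$ (assumed)
        [Parameter(Mandatory=$true)][string]$DomainName      # NetBIOS domain name, e.g. CONTOSO (assumed)
    )
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    Get-ChildItem -Path $ProfileShare |
        Where-Object { $_.PSIsContainer -and $_.Name -like '*.V2' } |
        ForEach-Object {
            $user        = ($_.Name -split '\.')[0]          # username.domainname.V2 -> username
            $userAccount = "$DomainName\$user"
            $acl         = Get-Acl -Path $_.FullName

            $unexpected = @()
            $denies     = @()
            $userFull   = $false
            foreach ($ace in $acl.Access) {
                $id = $ace.IdentityReference.Value
                if ($ace.AccessControlType -eq 'Deny') { $denies += $id; continue }
                if ($id -ieq $userAccount) {
                    if (($ace.FileSystemRights -band $full) -eq $full) { $userFull = $true }
                } elseif ($expected -notcontains $id) {
                    $unexpected += $id      # any other identity with access is worth a look
                }
            }

            $ownerOk = ($acl.Owner -ieq $userAccount)
            New-Object PSObject -Property @{
                Folder               = $_.Name
                User                 = $userAccount
                UserIsOwner          = $ownerOk
                UserHasFullControl   = $userFull
                UnexpectedIdentities = $unexpected
                DenyEntries          = $denies
                Ok                   = ($ownerOk -and $userFull -and $unexpected.Count -eq 0 -and $denies.Count -eq 0)
            }
        }
}

# Show only the folders that need attention
Test-RoamingProfileAcl -ProfileShare '\\fs01\RdsProfiles$' -DomainName 'CONTOSO' |
    Where-Object { -not $_.Ok } |
    Format-List
```

Inherited entries from the share root show up in `$acl.Access` as well, so if the share itself grants a group such as a backup operators group, that group will be reported on every folder; decide once whether that inheritance is intended and, if it is, add the identity to `$expected`.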
Limit the size of profiles folder
Another way to make sure that your servers do not run out of disk space due to an overgrown profile cache is to put a cap on the cache size. If the size of the entire cache exceeds the limit set by this policy, the server will delete the oldest profile in the cache until the overall size drops below the threshold you set. The GPO setting is located at Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | RD Session Host | Profiles | Limit The Size Of The Entire Roaming User Profile Cache. Enable this setting and enter the following numbers:
Monitoring interval (in minutes): The interval at which the profile cache size is checked.
Maximum cache size (in GB): This is the threshold. If the cache grows beyond this number, the oldest profiles start getting deleted.
DELETING CACHED PROFILES MANUALLY
The problem is that cleaning up old profiles isn't just a matter of deleting some old directories. The registry maintains a list of profiles in HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList. Sort through that key (see Figure 5-17), and you'll see entries for everyone who currently has a profile cached on the server. Although the keys themselves are identified by the SIDs of the user accounts, you can see the names of the profile paths by examining the contents of the keys.
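Both this section and the earlier ProfileList discussion (the ProfileImagePath and CentralProfile values, and the System, Local Service and Network Service entries) come down to reading that one key and mapping SIDs to names, which is tedious in Registry Editor. The added PowerShell script below does that mapping and adds the size of each local cache, so an administrator can see which cached profiles are large or belong to accounts that no longer resolve before deciding what to clean up. It is not code from the Resource Kit or from Microsoft; the key path and value names are those quoted in the notes, and the function and property names are this script's own.

```powershell
# Added example, not from the Resource Kit: enumerate ProfileList, resolve each SID to an
# account name, and show the local cache path (ProfileImagePath), the roaming path
# (CentralProfile) and the size of the local copy. Report only; what to delete is the
# administrator's call. Run on the RD Session Host with administrative rights.
function Get-CachedProfileInventory {
    $listKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList'

    foreach ($key in Get-ChildItem -Path $listKey) {
        $sid   = $key.PSChildName
        $props = Get-ItemProperty -Path $key.PSPath

        # Resolve the SID; deleted accounts and unreachable domains fail to translate.
        $account = '<unresolved>'
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        # ProfileImagePath may contain %SystemRoot% and similar variables.
        $localPath = [Environment]::ExpandEnvironmentVariables([string]$props.ProfileImagePath)
        $sizeMB = 0
        if ($localPath -and (Test-Path -Path $localPath)) {
            $bytes = (Get-ChildItem -Path $localPath -Recurse -Force -ErrorAction SilentlyContinue |
                      Where-Object { -not $_.PSIsContainer } |
                      Measure-Object -Property Length -Sum).Sum
            $sizeMB = [math]::Round($bytes / 1MB, 1)
        }

        New-Object PSObject -Property @{
            Sid              = $sid
            Account          = $account
            IsServiceAccount = ($sid -match '^S-1-5-(18|19|20)$')   # System, Local Service, Network Service
            LocalCache       = $localPath
            CentralProfile   = $props.CentralProfile
            SizeMB           = $sizeMB
        }
    }
}

# Largest user profiles first; the three service-account profiles are never candidates for cleanup
Get-CachedProfileInventory |
    Where-Object { -not $_.IsServiceAccount } |
    Sort-Object -Property SizeMB -Descending |
    Format-Table -Property Account, SizeMB, LocalCache, CentralProfile -AutoSize
```

An entry whose `Account` shows `<unresolved>` is usually a deleted user whose cached profile was never removed, and an entry with an empty `CentralProfile` is a locally cached profile that never roamed; both are the cases the text says you cannot spot just by looking at the directories.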
Not all 13 folders that can be redirected in Windows Server 2008 R2 can be redirected in Windows Server 2003, but some can. You can share the data in these folders between the 2003 profiles and the 2008 profiles. On the Settings tab of each folder in the Folder Redirection container is an option called Also Apply Redirection Policy To Windows 2000, Windows 2000 Server, Windows XP And Windows Server 2003 Operating Systems. For some folders, this option is available, but on others (the ones that will not redirect for downlevel operating systems), it appears dimmed and is unavailable.
Managing Roaming User Data Deployment Guide, available online at http://technet.microsoft.com/en-us/library/cc766489%28WS.10%29.aspx and for download from http://go.microsoft.com/fwlink/?LinkId=73760
Compressing RDP Data
RDP supports two kinds of bulk compression (compression done on all virtual channels, as opposed to compressing individual channels). Both compress only when sent from server to client, not from client to server. Standard bulk compression compresses all the data going through RDP channels using a lossless technique known as Huffman compression. (Lossless compression doesn't lose any data during the compression/decompression process.) Windows Server 2008 added a new codec, called NSCodec, for improving graphics compression over the wide area network (WAN) for 32-bit and 24-bit graphics (used only with RDC 5.1). This lossy compression algorithm is controlled by the following Group Policy object (GPO): Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | RD Session Host | Remote Session Environment | Set Compression Algorithm For RDP Data
Which Client Devices Can You Add to the Remote Session?
Most supported client devices require little setup to use in a remote session, as long as you meet the system requirements. For PnP redirection, make sure that you've installed the Desktop Experience feature on each RD Session Host server or Windows 7 computer. For RD Easy Print, make sure that you've installed RDP 6.1 or later on each client. RDP 7.0 is best as it does not require the Microsoft .NET Framework on the client, whereas RDP 6.1 does. You can configure device and resource redirection in one of four ways:
Using Group Policy (highest priority)
Using Active Directory Users And Computers on a per-user basis (printer redirection only; second priority)
Using the Remote Desktop Session Host Configuration on a per-server basis (third priority)
Using the RDC on a per-connection basis (fourth priority)
You can also disable redirection of specific types of supported plug and play devices with GPOs located at Computer Configuration | Administrative Templates | System | Device Installation | Device Installation Restrictions, but you need to know the Device IDs or Device globally unique identifiers (GUIDs) of the devices for which you want to disable redirection. For example, to block redirection of a camera, enable the GPO called Prevent Installation Of Devices Using Drivers That Match These Device Setup Classes and input the Device Class of the specific device for which you want to block redirection. To find out what a device's GUID is, open Computer Management, select Device Manager, right-click a device, select Properties, select the Details tab, and in the Properties drop-down box, choose Device Class GUID. Right-click the value and choose Copy. You can also alert the user that the device redirection has been blocked by policy restrictions by sending a pop-up message to the remote session. Enable either of these two GPOs and add a text message:
Display A Custom Message When Installation Is Prevented By A Policy Setting
Display A Custom Message Title When Device Installation Is Prevented By A Policy Setting
By default, device redirection is allowed on a per RD Session Host server basis (except for audio and video playback). To disable specific device redirections, open the Remote Desktop Session Host Configuration on the server, double-click RDP-Tcp, select the Client Settings tab, and select the check box next to any of the following devices that you do not want to redirect:
Drive
Windows Printer
LPT Port
COM Port
Clipboard
Audio And Video Playback (disabled in RD Configuration by default)
Audio Recording
Support Plug And Play Devices
Default To Main Client Printer
The following resources contain additional information and tools related to this chapter.
Want more information about RDP performance? See the white paper linked at http://blogs.msdn.com/rds/archive/2010/02/05/announcing-the-remote-desktopprotocolperformance-improvements-in-windows-server-2008-r2-and-windows-7white-paper.aspx.
Download RDC 7 for Windows Vista SP1+ and Windows XP SP3 at http://blogs.msdn.com/rds/archive/2009/10/28/announcing-the-availability-of-remotedesktopconnection-7-0-for-windows-xp-sp3-windows-vista-sp1-and-windows-vistasp2.aspx.
You can download the Remote Desktop client for Macintosh at http://www.microsoft.com/mac/products/remote-desktop/default.mspx.
New Windows 7 printing architecture can be downloaded at http://download.microsoft.com/download/5/E/6/5E66B27B-988B-4F50-AF3AC2FF1E62180F/CON-T572_WH08.pptx.
Microsoft Most Valuable Professional Emeritus Vera Noest has put together a great list of hotfixes and updates pertaining to printing, which can be found at http://ts.veranoest.net/ts_printing.asp.
Using AppLocker
Although older operating systems will continue to rely on SRP to control software access, AppLocker, which is new to Windows Server 2008 R2 and Windows 7 (Ultimate and Enterprise editions), supersedes SRP for these new operating systems and provides an enhanced software restriction feature set. In fact, while AppLocker has some similarities to Software Restriction Policies, it is actually a completely new feature built using different technology. You can still use SRPs with Windows 7 and Windows Server 2008 R2, but if AppLocker rules and SRPs exist in the same GPO, the AppLocker rules will supersede any SRP policies for Windows 7 and Windows Server 2008 R2. Older operating systems will use only the Software Restriction Policies. AppLocker is similar to SRP in that you create whitelists (rules that specifically allow access to files) and block lists (rules that specifically deny access to files) to control access to files and folders on computers. You create rules as needed for four predefined file categories (collections): executables, scripts, installers, and DLLs.
AppLocker Underlying Philosophy: Admit Nothing, Deny Everything
AppLocker's basic approach is one of extreme control: do exactly what the rules dictate, and deny all other access for executables in that collection. It does this indiscriminately for both whitelists and block lists. In other words, if no rules are set for a specific collection, then all access is allowed. The minute that you create a rule for a collection, only what is allowed in that rule is applied, and all other access is denied.
AppLocker Rule Conditions
Again, the four collections are executables, installers, scripts, and DLLs. AppLocker rules for these four collections are based on the following three conditions.
Publisher: The rule is based on the file's digital signature and the extended attributes of that signature. A digital signature contains the following specific information (attributes) about the file.
Publisher. Example: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Product Name. Example: WINDOWS INTERNET EXPLORER
File Name. Example: IEXPLORE.EXE
File Version. Example: 8.0.7600.16385
When you create an AppLocker rule based on a file's publisher, you browse to and select the signed file, and the publisher attributes are retrieved from the file's digital signature. By default, all four of these attributes are used to determine access eligibility, but you can choose how narrowly the rule is applied by moving the slider in the graphical user interface (GUI) to include or exclude certain attributes, as shown in Figure 7-3.
Path: The rule will affect a specific file or all files in a specific folder. Both of these options are set by specifying (by typing or browsing to) the path of the file or folder.
File Hash: File Hash rules are based on a digital fingerprint of a file. Using the file (an executable, script, installer, or DLL) as an input, an algorithm generates a representation (a hash) of the file. If you change anything about the file, its hash is no longer valid, and allow rules will no longer work.
In this example, you will see how to create policies directly on a farm member (the RD Session Host server's name is FUJI) that is currently not accepting connections. Then you will see how to export the rules to an XML file and import them into a GPO that will be applied to an RD Session Host farm in Audit mode. When it's clear that the AppLocker policies accomplish the intended goals but do not affect the users negatively, it's safe to change the GPO to Enforce mode.
First, create and export the AppLocker policies by completing these steps.
1. On RD Session Host server FUJI, open the Local Security Policy, browse to the Application Control Policies folder, and expand the AppLocker folder.
2. Right-click Executable Rules and choose Create Default Rules. Three executable rules will appear in the right pane, as shown in Figure 7-4. By creating the default rules, you have already given the BUILTIN\Administrators group full access to all files on the machine, because this is one of the default rules.
3. Adjust the first rule to allow a specific user group, ASH_Users (instead of Everyone), to access the Office executables, except for Excel, as follows.
a. Double-click the first rule highlighted in Figure 7-4. On the General tab, select the user group that you want to affect (in our example, ASH_Users). Keep the Allow option selected.
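The same workflow (build executable rules for ASH_Users on FUJI, export them to XML, deploy in Audit mode, later enforce) can be driven with the AppLocker PowerShell module that ships with Windows Server 2008 R2. The script below is an added example written for this page, not the book's own procedure: it assumes an Office install path, the domain CONTOSO, the group ASH_Users, a test user, and a placeholder GPO distinguished name. It also shows the check a practitioner wants before the GPO goes live, Test-AppLockerPolicy against a few files.

```powershell
# Added example (not from the book): PowerShell equivalent of creating ASH_Users
# executable rules, exporting them in Audit mode and importing them into the farm GPO.
Import-Module AppLocker

$officeDir  = 'C:\Program Files\Microsoft Office\Office14'   # assumption
$ruleUser   = 'CONTOSO\ASH_Users'                            # assumption
$policyPath = 'C:\Temp\ASH_Office_Exe.xml'                   # assumption

# 1. Collect publisher and hash information for every Office executable.
$files = Get-AppLockerFileInformation -Directory $officeDir -Recurse -FileType Exe

# 2. Build allow rules for ASH_Users: publisher rules where the file is signed,
#    hash rules otherwise. -Optimize collapses rules that share a publisher and
#    product, so one rule covers the suite instead of one rule per file.
#    -Xml returns the policy as an XML string.
[xml]$doc = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                -User $ruleUser -RuleNamePrefix 'Office' -Optimize -Xml

# 3. Set every rule collection in the export to AuditOnly, so the first rollout
#    only writes events to the AppLocker/EXE and DLL log instead of blocking.
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyPath)

# 4. Simulate the policy before importing it. Excel is still allowed here because
#    the Excel exception from step 3 of the procedure is added in the GUI, and
#    notepad.exe shows what happens to a file with no matching rule: with rules
#    present in the Exe collection, everything unmatched is denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'CONTOSO\ash.user' `
    -Path (Join-Path $officeDir 'EXCEL.EXE'), (Join-Path $officeDir 'WINWORD.EXE'), 'C:\Windows\System32\notepad.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Import into the farm GPO. -Merge keeps the rules already in the GPO (the
#    default rules that give BUILTIN\Administrators and the Windows folder
#    access); without it the GPO's Exe collection is replaced by the Office rules
#    alone, and once enforced that denies every other executable on the farm.
$gpoLdap = 'LDAP://DC1.contoso.com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=contoso,DC=com'  # placeholder
Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap $gpoLdap -Merge
```

To move from Audit to Enforce later, change the EnforcementMode attribute to Enabled in the XML (or in the GPO editor) and re-run Set-AppLockerPolicy; the AppLocker event log collected during the audit window is the evidence that no required executable was left without a rule.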
Tips
Monday, November 21, 2011 3:04 AM
http://virtualizationbrazil.wordpress.com/2010/12/30/dicas-e-truques-para-o-exame-70-659-tswindows-server-2008-r2-server-virtualization/
Tips and Tricks for Exam 70-659: TS: Windows Server 2008 R2, Server Virtualization
Posted: 30 December 2010 in Hyper-V
About this exam: This exam is intended to validate your skills around Microsoft's server product areas and virtualization technologies.
Candidate profile: Candidates for this exam should have more than a year and a half of working experience with Windows Server 2008, including Windows Server 2008 R2, Microsoft Hyper-V Server 2008 and Hyper-V 2008 R2. In addition, candidates should have experience with server virtualization products and technologies, including System Center Virtual Machine Manager 2008, Virtual Machine Manager 2008 R2, System Center Operations Manager 2007 R2, Windows PowerShell 2.0 and System Center Data Protection Manager (DPM) 2007.
Preparation materials: To help you prepare for this exam, Microsoft Learning recommends that you have hands-on experience with the product and that you use the following training resources. These training resources do not necessarily cover every topic listed in the "skills measured" section.
Classroom training: 10215AD: Implementing and Managing Microsoft Server Virtualization (5 Days); 10215A: Implementing and Managing Microsoft Server Virtualization (5 Days)
Microsoft Press books: MCTS Self-Paced Training Kit (Exam 70-652): Configuring Windows Server Virtualization
Online channel resources: TechNet, MSDN
Note: This exam is already available in Portuguese (Brazil).
Skills being measured: This exam measures your ability to perform the technical tasks listed below. The percentages indicate the relative weight of each major topic on the exam.
Installing and Configuring Host and Parent Settings
Adding the Hyper-V role on Windows Server 2008 R2 - This objective may include, but is not limited to: installing and configuring Hyper-V on Server Core, checking the BIOS settings (i.e. DEP), adding the Hyper-V role using Virtual Machine Manager, configuring Hyper-V Server R2, identifying hardware requirements.
Enabling remote management. - This objective may include, but is not limited to: deploying the Virtual Machine Manager Agent, configuring firewall rules, configuring the Virtual Machine Manager settings.
Configuring virtual networks and VLAN security. - This objective may include, but is not limited to: configuring Media Access Control (MAC) address pools, configuring network locations, configuring VLAN tags, configuring VLAN security, configuring virtual networks.
Configuring storage. - This objective may include, but is not limited to: configuring Multi Path Input Output (MPIO), running the mpiocpl.exe command, dynamic I/O redirection, iSCSI initiator, running the iscsicli.exe command.
Configuring Child Settings
Configuring child resources. - This objective may include, but is not limited to: configuring disks, networks, CPU and memory.
Configuring child storage. - This objective may include, but is not limited to: configuring dynamic VM storage, creating differencing disks, configuring pass-through disks, snapshots, managing GUIDs, managing logical unit numbers (LUNs), editing VHDs, copying physical disks to VHDs.
Configuring child network adapters. - This objective may include, but is not limited to: creating synthetic network adapters and emulated network adapters, configuring MAC spoofing, configuring VLAN ID, configuring jumbo frames, configuring TCP Offloading Engine (TOE).
Creating and deploying virtual machines. - This objective may include, but is not limited to: creating, cloning, deploying and saving virtual machines using Virtual Machine Manager; creating virtual machines using Hyper-V Manager, configuring the Self-Service Portal, scripting and deploying virtual machines using Windows PowerShell
Managing and Monitoring Virtual Environments
Resolving performance and resource issues. - This objective may include, but is not limited to: configuring Performance and Resource Optimization (PRO), monitoring the virtual environment using System Center Operations Manager 2007 R2, configuring event triggers, allocating resources using Virtual Machine Manager, tracking performance and diagnosing problems using Performance Monitor or Resource Monitor.
Configuring delegation of rights. - This objective may include, but is not limited to: creating user policies through the Self Service Portal, creating and managing templates, managing and replicating libraries in Virtual Machine Manager.
Creating rules and configuring authorization rights.
- This objective may include, but is not limited to: creating rules and delegating permission using Authorization Manager (AzMan), delegating permission manually.
Managing non-Hyper-V-aware virtualization hosts. This objective may include, but is not limited to: managing ESX/VI3 VMware hosts using Virtual Machine Manager, managing Virtual Server 2005 R2 hosts using Virtual Machine Manager.
Ensuring HA and Recovery
Managing snapshots. - This objective may include, but is not limited to: creating, reverting, merging, deleting and applying snapshots; configuring the storage locations.
Managing backups. - This objective may include, but is not limited to: managing online and offline backups using DPM, Windows Server Backup, or Volume Shadow Copy Service (VSS)
Performing non-clustered migrations - This objective includes, but is not limited to: performing a SAN migration of a child partition, performing a network migration of a child partition.
Configuring quick and live migrations. - This objective may include, but is not limited to: configuring the network and storage for a clustered Hyper-V setup, enabling Cluster Shared Volumes (CSV), configuring dynamic I/O redirection
Performing Migration
Performing physical-to-virtual (P2V) migration. - This objective may include, but is not limited to: configuring Virtual Machine Manager Intelligent Placement, performing online and offline migration.
Performing migration through import/export. - This objective may include, but is not limited to: host session settings, network-level authentication settings, licensing settings; restricting users to a single remote session, allowing time zone redirection; configuring resource redirection, configuring encryption, configuring multi-monitor support.
Configuring RD Licensing.
- This objective may include, but is not limited to: activating and deactivating the Remote Desktop license service, installing and revoking client access licenses (CALs), CAL usage reports.
Configuring RD Connection Broker. - This objective may include, but is not limited to: installing RD Connection Broker, configuring DNS for the connection broker, configuring connection broker farms, integrating with the RD Virtualization Host role service.
Configuring RD Gateway. - This objective may include, but is not limited to: configuring RD Gateway, integrating RD Gateway with Network Access Protection (NAP), configuring authentication and authorization.
Configuring RD Web Access. - This objective may include, but is not limited to: configuring RD Web Access, configuring authentication options (forms, single sign-on), configuring per-user RemoteApp program filtering, configuring the public and private computer options.
Note: This exam lasts 02:45 (hh:mm).
Question 1: Your company has a server running Microsoft Hyper-V Server 2008 R2 in the environment. You need to manually back up a child partition while it is powered off. Which two elements must you back up?
The .vhd file
The .XML configuration file
Tips: What is a .vhd file? Basically, a .vhd file is a virtual hard disk, a file-based representation of a physical hard disk, with a complete replica of the disk header structure. It can produce an identical (1:1) copy of a hard disk, without compression. Virtual machines require the same basic hardware that a physical machine needs to start operating: a motherboard, BIOS, memory, network card, keyboard, mouse, monitor and a hard disk. The Hyper-V architecture ensures that virtual machines are as portable as possible. One challenge in the portability design was how to make a virtual machine on a hard disk portable and accessible while still providing acceptable performance.
There are five types of virtual hard disk: fixed hard disk; dynamically expanding hard disk; differencing hard disk; undo hard disk (not used by Hyper-V); automatic virtual hard disk.
What is an .xml file? When the wizard's information is submitted to Hyper-V, a new virtual machine configuration file (.xml) containing the configuration information is created. For more information see: http://technet.microsoft.com/en-us/library/cc708315(WS.10).aspx http://blogs.technet.com/b/puneetvig/ http://download.microsoft.com/download/0/7/7/0778C0BB-5281-4390-92CD-EC138A18F2F9/WS08 _R2_VHD_Performance_WhitePaper.docx
Question 2: You install Windows Server 2008 R2 (Server Core) on a server. You need to enable remote management of the disks on the server using Disk Manager. What should you do? Run the following command:
netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes
Tips: http://blogs.technet.com/b/server_core/archive/2008/01/14/configuring-the-firewall-forremote-management-of-a-workgroup-server-core-installation.aspx
Question 3: All servers on your network run Windows Server 2008 R2. You deploy Remote Desktop Services (RDS). You are configuring the Remote Desktop Session Host (RD Session Host). You need to ensure that running programs keep running when users are no longer active in their RD sessions. Which setting should you enable? End a disconnected session
Tips: http://technet.microsoft.com/pt-br/library/cc754272.aspx
Question 4: You are configuring your Microsoft System Center Virtual Machine Manager (VMM) 2008 R2 environment. The VMware ESX 3.5 host named Host1 is added to an existing VMware Infrastructure 3 (VI3) infrastructure, which you manage using VMM.
You need to add Host1 to your environment that has VMM. What should you do? Use the Add Host Wizard and select VMware ESX Server (any location). In the computer name field, type the fully qualified domain name (FQDN) of Host1.
Tips: http://technet.microsoft.com/en-us/library/cc917961.aspx
Question 5: Your company uses Remote Desktop Services (RDS). You install and configure Remote Desktop Gateway (RD Gateway) on a server running Windows Server 2008 R2. Employees connect to RDS from unmanaged remote computers. The employees are not able to access the gateway server from the unmanaged remote computers. You need to ensure that employees can access the RD Gateway server. You must create a Remote Desktop connection authorization policy (RD CAP).
Tips: http://technet.microsoft.com/pt-br/library/cc753324(WS.10).aspx
Question 6: You use Microsoft System Center Virtual Machine Manager (VMM) 2008 R2 to create and manage virtual machines (VMs). You are trying to create the first VM on Hyper-V using Windows PowerShell. You receive an error message stating that the New-VM PowerShell cmdlet is not recognized. You need to be able to create the VM using PowerShell. What should you do? In Windows PowerShell, run the following cmdlet: Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager
Tips: http://pshyperv.codeplex.com/releases/view/38769 http://blogs.technet.com/b/scvmm/, http://blogs.msdn.com/b/powershell/
Question 7: You use Microsoft System Center Virtual Machine Manager (VMM) 2008 R2 to manage your virtual environment. Failures occur when you run an offline P2V conversion using VMM. You need to ensure that you have the information required to troubleshoot the problem. What should you do? Create the scvmm_winpe_tracing.txt file.
Tips: http://technet.microsoft.com/en-us/library/bb963740.aspx
Question 8: Your virtual environment includes a Windows Server 2008 R2 Hyper-V failover cluster. You manage the environment using Microsoft System Center Virtual Machine Manager (VMM) 2008 R2. You need to configure live migration for the virtual machines (VMs). What should you do? In Failover Cluster Manager, edit the VM's properties.
Question 9: You use Hyper-V Manager to create a new virtual machine named Skate1. Skate1 has the following configuration:
You start Skate1 and begin installing Windows Server 2008 R2 from the DVD. An error message occurs, and you are unable to install Windows. What do you need to do to install Windows Server 2008 R2 on Skate1?
Add skate1.vhd to IDE Controller 0
Question 10: Your Hyper-V servers run Windows Server 2008 R2 Standard. You manage the virtual environment using Microsoft System Center Virtual Machine Manager (VMM) 2008 R2. You need to ensure that you can migrate child partitions between the servers. What do you need to do? SAN Migration; Network Migration
Tips: http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845%2D88d2%2D4091% 2D8088%2Da6bbce0a4304&ID=119
Question 11: You install Windows Server 2008 R2 Enterprise (full version). You need to enable the Hyper-V role on the server.
Start /w ocsetup Microsoft-Hyper-V
Add-WindowsFeature Hyper-V (PowerShell command)
Tips: http://technet.microsoft.com/en-us/library/cc732470(WS.10).aspx http://technet.microsoft.com/pt-br/library/cc732263(WS.10).aspx
Question 12: You have a Windows Server 2008 R2 Hyper-V server. You need to ensure that you will be prompted to specify a name when creating a snapshot. This option is presented in Virtual Machine Connection.
Question 13: You install Windows Server 2008 R2 (Server Core) on a server. The server stores virtual machines (VMs) on a volume that is connected to the server through an iSCSI connection. You need to configure the server so that the virtual machines can be stored on the iSCSI volume.
iscsicli QAddTarget
iscsicli QLoginTarget
Tips: http://blogs.technet.com/b/daven/archive/2008/06/19/iscsi.aspx http://www.virtualizationteam.com/microsoft/hyper-v/building-a-cluster-with-hyper-v-and-servercore-part-2-and-creating-a-windows-server-2008-cluster.html http://blogs.msdn.com/b/san/archive/2008/09/18/iscsicli-batch-file-to-quickly-connect-to-an-iscsitarget.aspx
Question 14: You have a Windows Server 2008 R2 Hyper-V server with a single network adapter that is connected to the network. The virtual network is configured as External. The virtual machines (VMs) running on the server are unable to communicate with the host server on the network. You need to make sure that the VMs running on the server can communicate with the host server on the network. What do you need to do? Select the option Allow management operating system to share this network adapter.
Question 15: Your company has an Active Directory that includes a security group named Developers. You have a member server running Windows Server 2008 R2 with Hyper-V. You need to ensure that members of the Developers group can only manage the virtual machines (VMs). Members of this group must not have administrative privileges on the host server. You must use Authorization Manager.
Tips: http://technet.microsoft.com/en-us/library/cc754509.aspx
Question 16: You are configuring a virtual machine running on a Windows Server 2008 R2 server. The first virtual disk is attached to IDE 0. You need to add virtual disks to the VM without shutting it down. What should you do? Add the virtual disks to an existing SCSI controller.
Question 17: You use System Center Virtual Machine Manager (VMM) 2008 R2 to manage your Hyper-V. You have a legacy application that is not supported on Windows Server 2008 R2. The application runs on a server that has the following configuration: a 12 GB disk formatted with FAT; 512 RAM. You need to ensure that you can run a P2V of the server. What do you need to do? Use offline P2V.
Question 18: You have a Microsoft Hyper-V Server 2008. You need to join the server to an existing Active Directory domain. Use hvconfig.
Supplements:
Official e-book announcement: http://blogs.msdn.com/b/microsoft_press/archive/2010/02/16/free-ebookunderstanding-microsoft-virtualization-r2-solutions.aspx
Download in XPS format: http://download.microsoft.com/download/5/B/4/5B46A838-67BB-4F7C-92CBEABCA285DFDD/693821ebook.xps
Download in PDF format: http://download.microsoft.com/download/5/B/4/5B46A838-67BB-4F7C-92CBEABCA285DFDD/693821ebook.pdf
Good luck on the exam, everyone; tips and suggestions: wilstermanfernandes@hotmail.com
Wilsterman Fernandes
Pasted from <http://virtualizationbrazil.wordpress.com/2010/12/30/dicas-e-truques-para-o-exame-70-659-ts-windowsserver-2008-r2-server-virtualization/>
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-669&locale=en-us#tab2
http://www.techexams.net/forums/virtualization/51260-70-669-resources.html
Skills Being Measured
This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam.
Deploying and Managing an Enterprise Desktop Virtualization Environment
Install and configure Windows Virtual PC. This objective may include but it is not limited to: installing Windows Virtual PC on various platforms (32-bit, 64-bit), creating and managing virtual hard disks, configuring virtual machine resources including network resources, preparing host machines
Enable and manage Windows XP Mode. This objective may include but it is not limited to: enable Windows XP Mode for Windows 7; publish applications to a host OS through Windows XP Mode; configure the BIOS to support hardware virtualization; create, deploy, and maintain Windows XP Mode images
Create a MED-V infrastructure. This objective may include but it is not limited to: installing and managing server components (Image Repository, MED-V Instances), installing the MED-V client, configuring server settings
Administer a MED-V environment. This objective may include but it is not limited to: managing workspaces, creating policies, publishing applications and menus, configuring reporting, customizing user and device settings in a virtual machine
Create and deploy virtual desktop images. This objective may include but it is not limited to: using various tools to create or prepare images for deployment, deploying a workspace image by using a Web page, pre-staging images
Deploying and Managing a Presentation Virtualization Environment
Prepare and manage remote applications. This objective may include but it is not limited to: configuring application sharing, package applications for deployment by using RemoteApp, installing and configuring the RD Session Host Role Service on the server.
Access published applications. This objective may include but it is not limited to: configuring Remote Desktop Web Access, configuring internal and external application access, configuring role-based application provisioning, configuring Remote Desktop client connections
Configure client settings to access virtualized desktops. This objective may include but it is not limited to: configuring client settings, managing user home folders, identifying minimum client requirements
Deploying and Managing an Application Virtualization (App-V) Environment
Prepare virtual applications. This objective may include but is not limited to: sequencing applications, installing and configuring the sequencer, preparing applications for deployment in different environments, configuring virtual application interaction and sharing, choosing a method to deploy virtual applications
Install and configure application virtualization environments. This objective may include but is not limited to: configuring App-V modes (stand-alone, lightweight, enterprise); install an App-V infrastructure including servers, management consoles, and clients
Manage application virtualization environments.
70-669 Page 62
This objective may include but is not limited to: enabling and monitoring offline application usage, enabling and monitoring real-time sessions, managing application cache, configuring branch cache functionality
Managing a Virtual Desktop Infrastructure Environment
Configure user state virtualization. This objective may include but is not limited to: configuring roaming profiles, configuring folder redirection
Manage virtual desktops remotely. This objective may include but is not limited to: working with Virtual Machine Manager Self-Service Portal (SSP) to log in to, control, restart, or resume a desktop virtual machine, working with Remote Desktop Manager, working with Remote Desktop Licensing Manager, troubleshooting client Key Management Server (KMS) issues, configuring firewall exceptions on the client
Pasted from <http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-669&locale=en-us>
http://www.marcelosincic.com.br/blog/post/Exame-70-669e28093Microsoft-DesktopVirtualization.aspx
Tips
Monday, November 21, 2011 2:45 AM
http://blogs.msdn.com/b/microsoft_press/archive/2010/02/16/free-ebook-understanding-microsoft-virtualizationr2-solutions.aspx which covers the conceptual side of Microsoft's virtualization technologies. Read the IPDs (Infrastructure Planning and Design) for the technologies involved at http://technet.microsoft.com/en-us/library/cc196387.aspx. Review every topic in the exam content so that no topic is left uncovered: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-669#tab2
MED-V is nothing more than an image automation and management tool for Windows Virtual PC on Windows 7, made up of the manager and the MED-V Workspace that lives on the desktop. This tool lets Windows XP images built with applications be distributed among users. For example, imagine that two particular applications do not run on Windows 7 and XP Mode has to be used. MED-V will help distribute, update and control these VMs. Examples of MED-V questions: How do you convert an existing MED-V to a cluster? How do you optimize the distribution of MED-V images over the network? How do you keep MED-V from consuming too much disk space on the server? TechNet portal: http://technet.microsoft.com/en-us/windows/bb899442 and http://technet.microsoft.com/ptbr/windows/gg276319.aspx
How do you make a shortcut appear for all users? TechNet portal: http://technet.microsoft.com/en-us/edge/ff945049
Pasted from <http://www.marcelosincic.com.br/blog/post/Exame-70-669e28093Microsoft-Desktop-Virtualization.aspx>
Exam details: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-669#tab2
Videos on RDS and VDI: http://technet.microsoft.com/en-us/edge/video/ff955830
MED-V video series: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID= 1f0d3e54-25d1-4ec1-a844-3b508bd63ffa
Pasted from <http://www.profissionaisti.com.br/2011/02/dicas-para-o-exame-70-669-windows-server-2008-r2-virtualization-desktop/>
Materials
Monday, November 21, 2011 2:48 AM
http://www.ucertify.com/exams/Microsoft/70-669.html
Microsoft Enterprise Desktop Virtualization (MED-V) Overview
Optimised Desktop Series: Med-V
Roaming User Profiles
Folder Redirection
Manage virtual desktops remotely.
How Do I: Configure the Virtual Machine Manager 2008 Self-Service Portal
70-680 Page 69
Readiness Virtualizati...
https://www.microsoftvirtualacademy.com/tracks/office-365-for-the-it-pro-platform
Access Exam Prep here
Office 365 Jump Start (01): Microsoft Office 365 Overview for IT Pros
Office 365 Jump Start (02): Deploying Clients For Office 365
Office 365 Jump Start (03): Microsoft Office 365 Administration & Automation Using Windows PowerShell
Office 365 Jump Start (04): Microsoft Office 365 Identity and Access Solutions
Office 365 Jump Start (05): Microsoft Office 365 Directory Synchronization
Office 365 Jump Start (06): Exchange Online Overview for IT Pros
Office 365 Jump Start (07): Microsoft Exchange Online Administration
Office 365 Jump Start (08): Microsoft Staged Exchange Online Migration
Office 365 Jump Start (09): Hybrid Options with Exchange Server & Exchange Online
Office 365 Jump Start (10): Exchange Online Archiving & Compliance
Office 365 Jump Start (11): Lync Online Overview & Configuration for IT Pros
Office 365 Jump Start (12): SharePoint Online Overview
Office 365 Jump Start (13): SharePoint Online Administration
Office 365 Jump Start (14): SharePoint Online Extensibility & Customization
Office 365 Jump Start (15): Office 365 Deployment Overview
Pasted from <http://technet.microsoft.com/en-us/edge/office-365-jump-start-01-microsoft-office-365-overview-for-it-pros>
Exchange Hybrid Deployment and Migration with Office 365
Office 365 is available in three different versions that are designed to give you just what you need: no more, and no less. Here's the quick rundown:
Office 365 for Small Business (which is the focus of this book) includes access to Office Web Apps, up to 50 user accounts, a 25-GB mailbox for each user, mobile support, the ability to stay in touch with instant messaging, presence technology, audio and video, and team sites with SharePoint Online. The subscription cost for Office 365 for Small Business is $6 per user.
Office 365 Enterprise includes all the features of Small Business as well as the full Office Professional Desktop software and pay-as-you-go pricing options. Enterprise users can also add kiosk plans that offer access to email, documents, and team sites in Office 365. Enterprise users can choose from two different subscriptions: existing Business Productivity Online Suite (BPOS) customers pay $10 per month; enterprise users who want to purchase the pay-as-you-go Microsoft Office Professional Plus 2010 service pay $24 per month.
Office 365 for Education provides students with access to the Office 365 services (Office Web Apps, instant messaging, audio and video, and team sites) plus the latest version of Microsoft Live@edu, an online community of thousands of schools. Pricing for Office 365 for Education is $10 for educators and staff; the service is free for students.
Install Desktop Updates Manually: http://community.office365.com/en-us/w/administration/manually-install-office-365-desktop-updates.aspx
Pasted from <http://help.outlook.com/en-us/140/ff633682.aspx>
PS C:\Users\v-62doz> Import-Module MsOnline
PS C:\Users\v-62doz> Get-Module MsOnline

ModuleType Name      ExportedCommands
---------- ----      ----------------
Binary     MsOnline  {Add-MsolRoleMember, Remove-MsolContact, Get-MsolDomainFederationSetting...}

PS C:\Users\v-62doz> Connect-MsolService

PS C:\Users\v-62doz> Get-MsolUser

UserPrincipalName                  DisplayName      isLicensed
-----------------                  -----------      ----------
douglas.zan@dzan.onmicrosoft.com   Douglas Zan      True
teste1@dzan.onmicrosoft.com        Teste1           True
teste2@dzan.onmicrosoft.com        teste2           True
chris@dzan.onmicrosoft.com         Chris Green      True
roberto@dzan.onmicrosoft.com       Roberto Almeida  True
ben@dzan.onmicrosoft.com           Ben Andrews      True
cynthia@dzan.onmicrosoft.com       Cynthia Carey    True
melissa@dzan.onmicrosoft.com       Melissa MacBeth  True
maria@dzan.onmicrosoft.com         Maria Jose       True
jose@dzan.onmicrosoft.com          Jose Rodrigues   True
david@dzan.onmicrosoft.com         David Longmuir   True
To change a single user:
Set-MsolUser -UserPrincipalName <username> -PasswordNeverExpires $True
To change all users at once:
Get-MsolUser | Set-MsolUser -PasswordNeverExpires $True
That's it. You can check the result with the following command:
Get-MsolUser | fl
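The defender's side of the change above, as an added example that is not part of the notes: it lists every account whose password no longer expires and re-enables expiry under -WhatIf control. It assumes Connect-MsolService has already been run; note that Get-MsolUser without -All returns at most 500 users, so the "all users at once" pipeline above only touched the first 500.

```powershell
# Added example (not part of the notes): audit and roll back PasswordNeverExpires.
# Assumes an MsOnline session opened with Connect-MsolService.

function Get-NonExpiringPasswordUsers {
    # -All is required; the default result set is capped at 500 users.
    Get-MsolUser -All |
        Where-Object { $_.PasswordNeverExpires -eq $true } |
        Select-Object UserPrincipalName, IsLicensed, BlockCredential, LastPasswordChangeTimestamp
}

# Re-enable expiry for the accounts piped in; honours -WhatIf and -Confirm.
function Enable-PasswordExpiry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$UserPrincipalName
    )
    process {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Set PasswordNeverExpires to False')) {
            Set-MsolUser -UserPrincipalName $UserPrincipalName -PasswordNeverExpires $false
        }
    }
}

# Report, oldest password first, then a dry run of the rollback.
Get-NonExpiringPasswordUsers | Sort-Object LastPasswordChangeTimestamp | Format-Table -AutoSize
Get-NonExpiringPasswordUsers | Enable-PasswordExpiry -WhatIf
```

Drop -WhatIf once the reported list has been reviewed.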
Pasted from <http://community.office365.com/en-us/b/office_365_technical_blog/archive/2011/11/01/how-to-disable-passwordpolicy-settings-in-bpos-and-office-365-with-powershell-grid-user-post.aspx>
MOSDAL is a tool that is used for gathering data to troubleshoot customer issues. The purpose of the MOSDAL toolkit is pretty much the same as that of the MPS Reports: it is nothing more than a utility that gathers data from the customer's environment and local system to assist in troubleshooting their scenarios. Just like the MPS Reports, the actual utilities and logs that are gathered are familiar to us; the MPS Reports were just a wrapper that allowed the customer to gather data for us easily and with minimal interaction. You will most likely end up collecting much more information than what you actually need, but for the most part it is better to have too much data than not enough.
Exchange Online
Friday, January 20, 2012 12:33 AM
Mailbox Archiving is available for users and can be deployed in a very flexible way. The user's main mailbox and Archive mailbox can be in separate databases or locations. The Archive can be located in Exchange Online while the user's main mailbox is on-premises. This also alleviates the issues with having PSTs on the network or not having access to the PST from OWA or Outlook on different machines. Now users can save their mail to the Archive mailbox and have access to this data from all of their supported Outlook and OWA clients. With the introduction of a native archiving feature in Exchange Online, customers can move easily from an unmanaged to a managed solution. Now their data is stored in and accessible from Exchange Online, similar to the way their mailbox is. The archive is a separate mailbox, managed and controlled by the administrator. Users no longer have to worry about backup and restore of PSTs. The Archive Mailbox is searchable and accessible to the users.
- Users can drag and drop PSTs to an archive folder within their inbox or schedule auto-move of messages to the archive through folder or item policy tags.
- PSTs are now discoverable; legal holds can be easily applied and performance is not compromised for large mailboxes (10-100 GB).
Retention Policies have become an important part of our customers' Exchange solution. Regulatory compliance and corporate governance requirements have made it challenging for e-mail administrators and compliance officers to provide end users with simple tools for managing retention of the high volume of e-mail messages sent and received daily. It is impractical for a small group of people to police e-mail directly, so tools which enable end users to apply retention policies defined by the organization, and tools which automatically apply such policies without IT intervention, are required to effectively mitigate the risk associated with compliance and governance. These tools were built into Exchange 2010 and are included in Exchange Online. Retention policies can now be applied to any individual e-mail or folder rather than just a restricted set of managed folders. This gives administrators much more granular control.
- Policies are defined centrally and pushed to the client, exposed directly to users in the UI for selection or notification.
- Transport rules can be designed to automatically apply default policies for select groups of users or based on select attributes of e-mail.
- Legal hold allows you to lock down the mailboxes of certain users, typically those involved in a lawsuit, so that they cannot permanently delete messages. Deleted messages are hidden from the user's view, but they are still searchable.
Exchange Control Panel (ECP): With Exchange 2010, one of the main tools for managing Exchange is the Exchange Control Panel. There is one big difference between the on-premises and the Exchange Online implementation of the ECP. For an administrator to have access to the management tools with Exchange on-premises, the administrator needs to have a mailbox, which is not really a big deal for an on-premises environment because there is no additional cost associated with that mailbox. With Exchange Online there is no need for the administrator to have a mailbox, which is good because no license is wasted on the administrator's mailbox. The Exchange Control Panel allows users to configure their personal settings in an easy, familiar way. Users either log in to OWA and then click Options from within OWA, just as with Exchange 2010 on-premises, or, if the user has administrative privileges, they can log in to MOP and access the ECP from there through OWA as well.
The following demonstrates how to connect the on-premises EMC to the Exchange Online service.
1. Install the service connector, as described earlier in this module, on the Exchange 2010 server that you plan to connect from.
2. Open the EMC, right-click the Microsoft Exchange node at the very top of the hierarchy and select the Add Exchange Forest option.
3. Provide a friendly name such as "cloud", select Exchange Online from the drop-down menu and click OK.
4. You will be prompted for your Online Company Admin account; provide something like admin@exchcloud.onmicrosoft.com and the tenant admin password and click OK again.
5. You will then see the Exchange Online organization listed in the tree view along with your on-premises Exchange server.
1. Ensure that the Service Connector is installed on the system that you intend to make the connection from.
2. Open Windows PowerShell from the Start menu.
3. Store the credential for the Exchange Online administrator account:
   a. $Cred = Get-Credential
   b. You will then be prompted for credentials; provide the credentials for the Exchange Online administrator account, such as:
4. Create a new remote PowerShell session:
   a. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
5. a.
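The connection steps above as one script, added here as an example that is not part of the notes: it opens the Exchange Online remote session, imports the cmdlets, runs a single read-only query tied to the archiving and legal-hold notes earlier in this section, and always removes the session. The ConnectionUri is the one given in the notes; the account is whatever is entered at the Get-Credential prompt.

```powershell
# Added example (not part of the notes): remote PowerShell to Exchange Online with cleanup.

# Step 3: prompt for the Exchange Online administrator credential.
$Cred = Get-Credential

$Session = $null
try {
    # Step 4: open the remote session against the Exchange Online endpoint.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://ps.outlook.com/powershell/ `
        -Credential $Cred -Authentication Basic -AllowRedirection

    # Import the remote Exchange cmdlets (Get-Mailbox and friends) into this session.
    Import-PSSession $Session -DisableNameChecking | Out-Null

    # Read-only check: which cloud mailboxes have an archive, and which are on litigation hold?
    Get-Mailbox -ResultSize Unlimited |
        Select-Object DisplayName, PrimarySmtpAddress, ArchiveStatus, LitigationHoldEnabled |
        Sort-Object DisplayName |
        Format-Table -AutoSize
}
finally {
    # Each administrator gets a limited number of concurrent remote sessions; always remove yours.
    if ($Session) { Remove-PSSession $Session }
}
```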
To study
Create Exclusive Write Scopes
Pasted from <http://help.outlook.com/en-us/140/Ff852814.aspx>
What happens during a cutover Exchange migration When you migrate Exchange mailboxes to the cloud in a cutover Exchange migration: The migration service provisions new mailboxes in your cloud-based organization. It creates a cloud-based mailbox for each user account in your on-premises Exchange organization. On-premises distribution groups and contacts are also migrated to the cloud.
After the new cloud-based mailboxes are created, the migration service migrates e-mail messages, contacts, and calendar items from the Exchange mailboxes to the corresponding cloud-based mailboxes. After the initial migration, the Exchange and cloud-based mailboxes are synchronized every 24 hours, so that new e-mail sent to the Exchange mailbox is copied to the corresponding cloud-based mailbox. When you're ready, you can route e-mail directly to the cloud-based mailboxes, complete the migration, and then remove your on-premises Exchange organization.
Requirements:
- Install and configure a directory synchronization tool for your cloud-based organization.
- Configure Outlook Anywhere on your on-premises Exchange server.
- Outlook Anywhere can't be configured with a self-signed certificate.
- Verify that you can connect to your Exchange organization using Outlook Anywhere.
- Prepare the CSV file: identify the group of users whose on-premises mailboxes you want to migrate to the cloud and include them in the CSV file that will make up the migration batch. Important: the CSV file for a staged Exchange migration batch can contain a maximum of 1,000 rows. To migrate more than 1,000 mailboxes, you have to submit additional CSV files.
- Assign the migration administrator permissions to access mailboxes in your Exchange organization.
- Add your Exchange organization as an accepted domain of your cloud-based e-mail organization.
- Disable unified messaging.
What happens during a staged Exchange migration When you use a staged Exchange migration and CSV file to migrate on-premises Exchange mailboxes to the cloud, the migration service does the following: It verifies that OLSync or the Microsoft Online Services Directory Synchronization tool is enabled for your cloud-based organization.
It checks that a mail-enabled user (MEU) exists in the cloud-based e-mail organization for each entry in the CSV file.
It converts the MEU to a mailbox. It configures mail forwarding by populating the TargetAddress property on the on-premises mailbox with the e-mail address of the cloud-based mailbox. This enables e-mail sent to an on-premises mailbox to be forwarded to the corresponding cloud-based mailbox. It e-mails a report that lists the cloud-based mailboxes that were successfully created and for which e-mail forwarding was configured. At this point, you can tell users to start using their new cloud-based mailbox. This report also lists any migration errors.
It migrates e-mail messages, contacts, and calendar items from the Exchange mailboxes to the corresponding cloud-based mailboxes. After the initial migration, the Exchange and cloud-based mailboxes aren't synchronized. New e-mail sent to the Exchange mailbox is forwarded to the corresponding cloud-based mailbox. It e-mails a final report when the data migration is complete.
Note: On-premises users cannot see the free/busy status of migrated mailboxes in the cloud, and vice versa.
MRS
The Microsoft Exchange Mailbox Replication Service (MRS), which resides on all Exchange 2010 Client Access servers, is the service responsible for mailbox moves, importing and exporting .pst files, and restoring disabled and soft-deleted mailboxes. Move requests require a hybrid deployment. Move requests let you move mailboxes back and forth between your on-premises Exchange organization and the cloud. You do this in the Exchange Management Console.
PowerShell
Sunday, January 22, 2012 2:04 AM
DirSync PowerShell
- Force synchronization: Start-OnlineCoexistenceSync
Requirements to use PowerShell with Office 365:
- Windows 7 or Windows 2008 R2
- .NET Framework 3.5 and PowerShell 2.0 installed
- Microsoft Online Sign-in Assistant (http://onlinehelp.microsoft.com/en-us/office365enterprises/hh124998.aspx)
- Microsoft Online PowerShell module
To connect to the service:
Connect-MsolService (it will pop up the credential window)
or Connect-MsolService -Credential $cred
or Connect-MsolService -Currentuser
Windows PowerShell
Pasted from <http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh125001.aspx>
SharePoint
Monday, January 23, 2012 2:19 AM
DirSync
Tuesday, January 24, 2012 6:15 AM
Requirements:
- Windows 2003 SP2 or higher
- Installs SQL Server 2008 R2 Express (larger customers, with more than 50,000 objects, should use the full SQL Server 2005/2008 version because of the 10 GB database size limit of SQL Server Express edition)
- Microsoft Online ID components for authentication to Office 365
- It must be joined to Active Directory.
- It cannot be a domain controller.
- It must run Microsoft .NET Framework 3.x.
Hardware recommendations
To set up Active Directory synchronization, you must designate one computer as your directory synchronization computer, and then install the Microsoft Online Services Directory Synchronization tool on that computer. The following table shows the minimum recommended hardware requirements for the directory synchronization computer (32-bit) in relation to how many objects you have in your on-premises Active Directory.
Objects              CPU      Memory   Disk
100,000-300,000      1.6 GHz  32 GB    300 GB
300,000-600,000      1.6 GHz  32 GB    450 GB
More than 600,000    1.6 GHz  32 GB    500 GB
Sync Object Limits
- All customers are initially subject to a 10,000 object limit.
- Contact support to increase the object limit.
- Larger customers with 20,000 or more objects have to sign up for a special subscription type.
Attribute Validations
UPN:
- Cannot have a dot "." immediately preceding "@"
- Maximum 113 chars (64 for username, 48 for domain)
- Cannot contain !#$%&\*+-/=?^_`{}|~<>()
- Cannot have duplicate UPNs
samAccountName:
- Cannot contain "\/[]:|<>+=;?,
- Cannot end with a dot "."
- Cannot be more than 20 chars
- Cannot be empty
ProxyAddresses:
- Cannot contain SMTP addresses with domains that are not registered for the tenant
- Cannot have duplicate proxy addresses
Note: All errors are reported to the Technical Notification Contact by e-mail.
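An added example (not from the notes or from Microsoft) that checks user objects against the attribute rules just listed before synchronization is turned on, so that failures are caught locally rather than in the e-mailed error report. The registered domain list and the two sample users are constructed; the invalid-character sets are taken verbatim from the notes, and in practice the objects would come from Get-ADUser.

```powershell
# Added example (not part of the notes): pre-sync validation of UPN, sAMAccountName and
# proxyAddresses against the rules listed above. Runs offline on constructed sample data.

$TenantDomains = @('contoso.com', 'contoso.onmicrosoft.com')   # constructed sample values

# Character sets exactly as listed in the notes above.
$UpnInvalidChars = [char[]]'!#$%&\*+-/=?^_`{}|~<>()'
$SamInvalidChars = [char[]]'"\/[]:|<>+=;?,'

function Test-Upn {
    param([string]$Upn)
    $errors = @()
    if ($Upn.Length -gt 113) { $errors += 'UPN exceeds 113 characters' }
    $at = $Upn.LastIndexOf('@')
    if ($at -lt 1 -or $at -ne $Upn.IndexOf('@')) {
        return @('UPN must contain exactly one "@" with a non-empty username')
    }
    $user   = $Upn.Substring(0, $at)
    $domain = $Upn.Substring($at + 1)
    if ($user.Length -gt 64)   { $errors += 'UPN username part exceeds 64 characters' }
    if ($domain.Length -gt 48) { $errors += 'UPN domain part exceeds 48 characters' }
    if ($user.EndsWith('.'))   { $errors += 'UPN has a dot immediately before "@"' }
    foreach ($c in $UpnInvalidChars) {
        if ($Upn.IndexOf($c) -ge 0) { $errors += "UPN contains invalid character '$c'" }
    }
    return $errors
}

function Test-SamAccountName {
    param([string]$Sam)
    $errors = @()
    if ([string]::IsNullOrEmpty($Sam)) { return @('sAMAccountName is empty') }
    if ($Sam.Length -gt 20) { $errors += 'sAMAccountName exceeds 20 characters' }
    if ($Sam.EndsWith('.')) { $errors += 'sAMAccountName ends with a dot' }
    foreach ($c in $SamInvalidChars) {
        if ($Sam.IndexOf($c) -ge 0) { $errors += "sAMAccountName contains invalid character '$c'" }
    }
    return $errors
}

function Test-ProxyAddresses {
    param([string[]]$ProxyAddresses, [string[]]$RegisteredDomains, [hashtable]$Seen, [string]$Owner)
    $errors = @()
    foreach ($pa in $ProxyAddresses) {
        # Only SMTP entries are subject to the registered-domain rule (-match is case-insensitive).
        if ($pa -match '^smtp:[^@]+@([^@]+)$' -and $RegisteredDomains -notcontains $Matches[1]) {
            $errors += "proxy address '$pa' uses a domain not registered for the tenant"
        }
        # Duplicates are checked across every object seen so far, case-insensitively.
        $key = $pa.ToLowerInvariant()
        if ($Seen.ContainsKey($key) -and $Seen[$key] -ne $Owner) {
            $errors += "proxy address '$pa' is duplicated (also on $($Seen[$key]))"
        } else {
            $Seen[$key] = $Owner
        }
    }
    return $errors
}

function Get-DirSyncAttributeErrors {
    param([object[]]$Users, [string[]]$RegisteredDomains)
    $seenProxy = @{}
    $seenUpn   = @{}
    foreach ($u in $Users) {
        $problems = @()
        $problems += @(Test-Upn $u.UserPrincipalName)
        $problems += @(Test-SamAccountName $u.SamAccountName)
        $problems += @(Test-ProxyAddresses $u.ProxyAddresses $RegisteredDomains $seenProxy $u.SamAccountName)
        $upnKey = "$($u.UserPrincipalName)".ToLowerInvariant()
        if ($seenUpn.ContainsKey($upnKey)) { $problems += "duplicate UPN (also on $($seenUpn[$upnKey]))" }
        else { $seenUpn[$upnKey] = $u.SamAccountName }
        foreach ($p in $problems) {
            New-Object PSObject -Property @{ User = $u.SamAccountName; Problem = $p }
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output: the first is clean,
# the second breaks the dot-before-@, trailing-dot, foreign-domain and duplicate rules.
$SampleUsers = @(
    (New-Object PSObject -Property @{
        SamAccountName    = 'jsmith'
        UserPrincipalName = 'jsmith@contoso.com'
        ProxyAddresses    = @('SMTP:jsmith@contoso.com', 'smtp:john.smith@contoso.com') }),
    (New-Object PSObject -Property @{
        SamAccountName    = 'mjones.'
        UserPrincipalName = 'm.jones.@contoso.com'
        ProxyAddresses    = @('SMTP:mjones@fabrikam.com', 'smtp:john.smith@contoso.com') })
)

Get-DirSyncAttributeErrors -Users $SampleUsers -RegisteredDomains $TenantDomains |
    Select-Object User, Problem | Format-Table -AutoSize
```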
respective directories (your on-premises Active Directory versus the cloud directory). It's important to understand these variables so that you can prepare your environment for the source-of-authority transfer, helping you to minimize directory data loss. Specifically, data loss around e-mail proxy addresses can create mail flow and logon issues for users. Therefore, the focus of your preparation should be on evaluating how you use proxy addresses for mail routing in your current messaging implementation.
Matching functionality 1, GUID match logic: When you reactivate directory synchronization, objects in the on-premises Active Directory are matched with objects in the cloud according to the objectGUID recorded on the cloud objects by the previous directory synchronization. When such a match is found, the directory synchronization process makes a GUID match and overwrites the target object data in the cloud objects with the data from the corresponding on-premises objects.
Matching functionality 2, SMTP match logic: If directory synchronization does not find a GUID match in the cloud, a process called SMTP match is used. In this process, directory synchronization matches corresponding objects according to the primary SMTP address. If a target (cloud) object's primary SMTP address matches the primary SMTP address of an object in the on-premises organization, the data for the on-premises object is used to overwrite the data for the corresponding cloud object. If neither a GUID nor an SMTP match can be made, the directory synchronization process creates a new object in the cloud that is mastered from the on-premises Active Directory.
User property delta: The degree and nature of the difference between corresponding user objects in the on-premises and cloud directories are important considerations. If you have made no changes, or only minimal changes, to the user objects during the time the source of authority was in the cloud, the risk of mail-flow failure is low.
If, on the other hand, you have made changes to SMTP addresses (primary, secondary, proxy, target address, and so on) to enable cross-premises routing, you must make sure that reactivating directory synchronization does not interrupt mail flow. Before you reactivate directory synchronization, we strongly recommend that you back up the existing cloud object data, and then evaluate how you've configured SMTP addressing in the cloud.
Back up your cloud user object data: Before you reactivate directory synchronization, it is best practice to back up your cloud user object data. You should make a backup even if you have made minimal changes to user objects since you last deactivated directory synchronization. To make a backup of cloud user object data:
1. Connect to the cloud by using Windows PowerShell for Exchange. For more information about installing and connecting with remote Windows PowerShell, see Use Windows PowerShell in Exchange Online.
2. After you connect to the cloud, run the following cmdlet:
This cmdlet extracts all user data into Userlist.csv. This file is in the Export directory. If you want to roll back the reactivation, Userlist.csv helps you to recover user objects to their current state. But it is important to know that rolling back reactivation is a manual, and potentially lengthy, process. You'll need the help of Microsoft Support.
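An added example, not the cmdlet the notes refer to: it writes the cloud-side recipient attributes that SMTP matching relies on to Userlist.csv (the file name used above) and, after reactivation, reports any address from the backup that no longer exists on a cloud recipient. It assumes an Exchange Online remote session is already imported, as in the PowerShell steps earlier on this page.

```powershell
# Added example (not part of the notes): back up cloud recipient addressing before
# reactivating directory synchronization, then diff a fresh export against the backup.
# Assumes Get-Recipient is available from an imported Exchange Online session.

function Export-CloudRecipientBackup {
    param([string]$Path = '.\Userlist.csv')
    Get-Recipient -ResultSize Unlimited |
        Select-Object Name, RecipientType, PrimarySmtpAddress,
            @{ Name = 'EmailAddresses'; Expression = { ($_.EmailAddresses | ForEach-Object { $_.ToString() }) -join ';' } } |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

# Run after reactivation: every proxy address in the backup that is no longer
# present on any cloud recipient is a candidate mail-flow or logon problem.
function Compare-CloudRecipientBackup {
    param([string]$Path = '.\Userlist.csv')
    $current = @{}
    Get-Recipient -ResultSize Unlimited | ForEach-Object {
        foreach ($addr in $_.EmailAddresses) { $current[$addr.ToString().ToLowerInvariant()] = $true }
    }
    foreach ($row in Import-Csv -Path $Path) {
        foreach ($addr in ($row.EmailAddresses -split ';')) {
            if ($addr -and -not $current.ContainsKey($addr.ToLowerInvariant())) {
                New-Object PSObject -Property @{ Name = $row.Name; MissingAddress = $addr }
            }
        }
    }
}

Export-CloudRecipientBackup
# ... reactivate directory synchronization, wait for the first sync, then:
# Compare-CloudRecipientBackup | Format-Table -AutoSize
```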
To verify that directory synchronization was deactivated, run the following cmdlet:
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
When this command returns False, directory synchronization has been disabled. It may take 72 hours for deactivation to be completed. The time depends on the number of objects that are in your Office 365 subscription account.
ADFS 2.0
Wednesday, January 25, 2012 3:27 PM
Plan for and deploy Active Directory Federation Services 2.0 for use with single sign-on
Pasted from <http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx>
Support
Sunday, March 25, 2012 4:33 AM
- SWT (Service Workflow Tool): acts as a front-end to Product Studio, allowing frontline engineers to collect all required information for a Microsoft Online Directory Services (MSODS) PSID without opening Product Studio.
- Product Studio: the tool where you create a PSID to register a Service Interrupting Event (SIE) and where engineers monitor the status of the PSIDs assigned to them. You can create, edit and search for PSIDs, and add attachments to them. Once created, a PSID can only be opened within Product Studio.
- Most PSIDs are escalated or redirected to the right team.
- The Microsoft Online Directory Services (MSODS) team is responsible for supporting the core directory and provisioning platform for Office 365.
Escalations responsible for the creation of MSODS-related PSIDs fall into 4 categories: Break/Fix, DCR/CDCR, Known Issues, SIE (multi-tenant outage).
- Break/Fix: a customer problem that cannot be resolved using documented troubleshooting steps. All break/fix issues should be escalated to the appropriate Escalation Services Team (CTS) using CAP or MSSolve (KB2523463).
- DCR/CDCR: Design Change Request or Critical Design Change Request; should be escalated to the appropriate Escalation Services Team (KB2523463).
- Known Issue: a known behavior of the product. It is an issue requiring a customer to contact Microsoft Online Services Support for resolution. It is a service limitation.
- SIE (multi-tenant outage): Service Interrupting Event, replaces the term "service outage". SIE procedures are specific to the associated Ops/Engineering team.
Criteria for a Sev A or Sev 1 to be accepted when creating a PSID: the tenant has more than 350 paid seats and one of the following is true:
- The customer is threatening to leave the service and more than 20 users are already impacted.
- The customer or the field has indicated that we may lose the customer to Google.
- A CEO or Vice-President is impacted.
Sev 1 is only assigned if more than one tenant is impacted.
VMM08R2...
http://technet.microsoft.com/en-us/library/ee441285.aspx
http://technet.microsoft.com/pt-br/evalcenter/cc793138
http://technet.microsoft.com/pt-br/virtualization/default.aspx
Cloud Computing
Sunday, January 22, 2012 12:55 AM
Definition: At its essence, cloud computing is the aggregation of resources (compute, storage and network) so that capacity requirements can be dynamically modified to match fluctuation in system workloads. This resource matching can be automated, or self-provisioned by line of business (LoB) resources interacting with the cloud environment in business terms (# of transactions, concurrent users, time to result).
Advantages
- You can reduce overhead by consolidating resources into large shared datacenters. This creates efficiencies in staffing and power consumption. You can scale your service usage up or down as you need: no overcapacity and no lost opportunity.
- After consuming cloud services, you are billed on a monthly basis, so cloud computing services are considered an operational expense, not a capital expense.
Hint: An operating expense, operating expenditure, operational expense, operational expenditure or OPEX is an ongoing cost for running a product, business, or system.[1] Its counterpart, a capital expenditure (CAPEX), is the cost of developing or providing non-consumable parts for the product or system. For example, the purchase of a photocopier involves CAPEX, and the annual paper, toner, power and maintenance costs represent OPEX.[2] For larger systems like businesses, OPEX may also include the cost of workers and facility expenses such as rent and utilities.
Pasted from <http://en.wikipedia.org/wiki/Operating_expense>
Points to consider when planning a migration to the cloud:
1. Authentication for both public and private (enterprise) users.
2. Security threats and mitigations when using the public cloud.
3. Compliance regulations, and how to simplify them with the right architecture.
Private Cloud Jump Start (01): Introduction to the Microsoft Private Cloud with System Center 2012
Tuesday, April 24, 2012 2:27 PM
Pasted from <http://technet.microsoft.com/en-us/edge/private-cloud-jump-start-01-introduction-to-the-microsoftprivate-cloud-with-system-center-2012>
Private Cloud
Pasted from <https://www.microsoftvirtualacademy.com/LandingPageHandler.ashx?lPage=PrivateCloud&cID=8>
DNS
Thursday, April 26, 2012 5:41 PM
DNS consists of a hierarchical namespace, a collection of name servers, and DNS clients called resolvers. Each name server is the authoritative source for a small part of the namespace. When a DNS server receives a name resolution request from a resolver, it checks its own records for the IP address associated with the requested name. If the server does not have the information needed, it passes the request to other DNS servers until it reaches the authoritative server for that name. The authoritative server is the ultimate source for information about that name. The namespace is divided among many servers. A domain is an administrative entity that consists of a group of hosts. When a DNS server is the authoritative source for a domain, it possesses information about the hosts in that domain in the form of resource records. The domain namespace takes the form of a tree that, much like a file system, has its root at the top.
On the Internet, domains at each level are responsible for maintaining the information about domains at the next lower level. For instance, a DNS server that owns the top-level domain ".com" has information about the DNS servers that own second-level domains like "fabrikam.com". The root name servers are the highest-level DNS servers in the namespace. They maintain information about the top-level domains.
DNS QUERY TYPES
Recursive Queries: When a DNS server receives a recursive query, it takes full responsibility for resolving the name. If the server possesses the information about the requested name, it replies immediately to the requestor. If the server does not have the information, it follows referrals to other DNS servers until it obtains the information. Client computers use recursive queries to their designated DNS servers. The only acceptable replies to a recursive query are a successfully resolved name or a name resolution failure.
Iterative Queries: When a DNS server receives an iterative query, it replies with the best information it possesses at the time. This information could be the fully resolved name or a referral to another DNS server. DNS servers use iterative queries when communicating with each other.
Caching-Only Servers: Can resolve Internet DNS names for clients immediately after installation. No zones or domains are hosted on it. Used simply to resolve Internet names for clients. Keeps a cache of previously resolved queries.
Using Forwarders: A forwarder is a DNS server that receives queries from other DNS servers that are explicitly configured to send them. With Windows Server 2003 DNS servers, the forwarder requires no special configuration. However, you must configure the other DNS servers to send queries to the forwarder. To do this, from the Action menu in the DNS console, click Properties to display the server's Properties dialog box, click the Forwarders tab, and then supply the IP address of the DNS server that will act as a forwarder (see Figure 4-5). You can also specify multiple forwarder IP addresses to provide fault tolerance.
You can also use forwarders to limit the number of servers that transmit name resolution queries through the firewall to the Internet. If you have five DNS servers on your network, all of which provide both internal and Internet name resolution services, you have five points where your network is vulnerable to attacks from the Internet. By configuring four of the DNS servers to send all their Internet queries to the fifth server, you create only one point of vulnerability.
Conditional Forwarders: Configured on the Forwarders tab to forward queries for a specific domain to specific DNS servers. This speeds up name resolution by directing queries for a specific domain to its authoritative server.
ZONE TYPES
Primary Zones: Contains the master copy of the zone database. All changes to the zone's resource records are made on the primary zone and then replicated to the secondary zone. If it is not integrated with Active Directory, it is stored in a simple text file on the local drive (%Systemroot%\System32\DNS).
Secondary Zones: A replica of a primary zone on another server. Contains a backup of the primary master zone database file, stored identically in a text file on the local drive. A secondary zone can perform authoritative name resolution for domains in the zone. You cannot modify resource records manually in a secondary zone; you can only update them by replicating from the primary zone using the process called zone transfer.
Stub Zones: A copy of the primary zone that contains only the Start Of Authority (SOA) and Name Server (NS) resource records, plus the Host (A) resource records that identify the name servers for the zone. When a server hosting a stub zone receives a query for a name in that zone, it either forwards the request to the host of the zone or replies with a referral to that host, depending on whether the query is recursive or iterative. When you create primary and secondary zones, you must configure zone transfer to allow the automatic replication from primary to secondary zone servers.
Active Directory-Integrated Zones: Created when you select the "Store The Zone In Active Directory" checkbox (available if the server is a domain controller) while creating a zone in the New Zone Wizard. The DNS resource records are stored in the Active Directory database and replicated along with the Active Directory data. Increases security because DCs perform a mutual authentication procedure before they exchange data, and all data is encrypted. You do not have to create secondary zones, since Active Directory uses a multi-master replication system. Conserves network bandwidth by replicating only the data that has changed and compressing it before transmitting it over the network.
With Windows 2000, zones were stored in the domain naming context (domain partition), meaning that zone information was replicated to every DC in the domain. Even if the DNS component had not been installed and running on a specific DC, that DC would still have DNS zone information replicated to its domain partition. Windows 2003 introduced the concept of an application partition, which provides two additional places where DNS zones can be stored. Windows 2003 and Windows Server 2008 store zone information in either the DomainDNSZones or the ForestDNSZones application directory partition. Zone data stored in DomainDNSZones is replicated to every DNS server in the domain. DNS zone data stored in ForestDNSZones is replicated to every DNS server in the contiguous AD forest.
IMPLEMENTING DNS SERVERS
Provide redundancy: To provide redundancy, you should have at least two copies of every zone online in the network.
Improve performance and reduce bandwidth: When you have a large network with many subnets and sites, the best practice is to keep a DNS server on each subnet and at least one on each site, in order to avoid a high traffic load among different subnets and over the WAN links that connect sites. A nearer DNS server improves name resolution performance.
Delegate authority: In a large organization, a better solution to improve administration could be splitting the namespace into several subdomains so that different office locations and administrative staff can maintain their own DNS resource records.
Typically, a Windows Server 2003 and later DNS namespace is deployed to mirror an Active Directory forest and domain infrastructure. In such a deployment, a partition of the DNS namespace is set aside for Active Directory, where a DNS domain name such as corp.contoso.com is used to support the Active Directory forest root domain, and then subdomains of this name are created to suit additional Active Directory domains as needed.
DNS Support for Active Directory Architecture
Active Directory is dependent on DNS as a domain controller location mechanism and uses DNS domain naming conventions in the architecture of Active Directory domains. There are three components in the dependency of Active Directory on DNS:
- Domain controller locator (Locator): Implemented in the Netlogon service, enables a client to locate a domain controller.
- Active Directory domain names in DNS: Every Active Directory domain has a DNS domain name and every Windows 2003 or later computer has a DNS name. In AD, domains and computers are represented by objects; in DNS, they are represented as nodes.
- Active Directory DNS objects: When DNS data is stored in Active Directory, each DNS zone is an Active Directory container object (class dnsZone). The dnsZone object contains a DNS node object (class dnsNode) for every unique name within that zone. The dnsNode object has a dnsRecord multivalued attribute that contains a value for every resource record that is associated with an object's name.
Active Directory
Thursday, April 26, 2012 5:41 PM
Troubleshooting WEBCasts:
Directory Services provides the means to organize, simplify and control access to resources of a network. Directory is a list of objects that represents network resources.
Active Directory Services offers the following features:
- Centralized data store: All data stored in Active Directory resides in a single, distributed data repository.
- Scalability: Enables you to scale the directory to meet business and network requirements through the configuration of domains and trees and the placement of domain controllers.
- Manageability: Based on hierarchical organizational structures that make it easier to control resource privileges and other security settings, and to locate network resources such as files and printers.
- Integration with DNS.
- Policy-based administration: Policies are used to define the permitted actions and settings for users and computers across a given site, domain or organizational unit.
- Replication of information: Active Directory provides multimaster replication technology to ensure information availability, fault tolerance, load balancing, and other performance benefits. Multimaster replication enables you to update the directory at any domain controller and replicates directory changes to every other domain controller.
- Flexible, secure authentication and authorization: Active Directory supports multiple authentication protocols, such as the Kerberos version 5 protocol, Secure Sockets Layer (SSL) version 3, and Transport Layer Security (TLS) using X.509 version 3 certificates. In addition, Active Directory provides security groups that span domains.
TechNet Support WebCast: Troubleshooting DNS configuration issues on domain controllers by using the DNS test in the Windows Server 2003 SP1-based version of the DCDIAG tool
Pasted from <http://support.microsoft.com/kb/905900/enus>
TechNet Support WebCast: Troubleshooting Active Directory replication using the Repadmin tool: A look into the inner workings
Pasted from <http://support.microsoft.com/kb/905739/enus>
TechNet Support WebCast: Operations guide for Microsoft Windows Server Update Services
Pasted from <http://support.microsoft.com/kb/913103/enus>
TechNet Support WebCast: How to analyze and troubleshoot the Cancelable RPC dialog box
Pasted from <http://support.microsoft.com/kb/899618/enus>
Trees A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure.
Forests
A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. As such, forests have the following characteristics:
- All domains in a forest share a common schema.
- All domains in a forest share a common global catalog.
- All domains in a forest are linked by implicit two-way transitive trusts.
- Trees in a forest have different naming structures, according to their domains.
- Domains in a forest operate independently, but the forest enables communication across the entire organization.
You receive an error message when Rendom.exe changes the DNS or NetBIOS name of a domain in Windows Server 2003
Pasted from <http://support.microsoft.com/kb/891370/enus>
Windows 2000 DNS and Active Directory information and technical resources
Pasted from <http://support.microsoft.com/kb/298448/enus>
GLOBAL CATALOG
The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain of the forest.
The global catalog holds a full replica of all objects in its domain and a partial replica of the attributes of all objects of every domain in the forest. The partial replica stores the attributes most frequently used in search operations. When a user logs on to the network, the global catalog provides universal group membership information for the account to the domain controller processing the user logon. If there is only one domain controller in a domain, that domain controller holds the global catalog. If there are multiple domain controllers in the network, one domain controller is configured to hold the global catalog. Because a single global catalog contains information about all objects in all domains in the forest, a query about an object that is not contained in the local domain can be resolved by a global catalog server in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries. The global catalog performs three key functions:
- It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
- It enables finding directory information regardless of which domain in the forest actually contains the data.
- It resolves user principal names (UPNs) when the authenticating domain controller does not have knowledge of the account.
Active Directory
Pasted from <http://technet.microsoft.com/library/Cc977985>
A global catalog server stores one domain directory partition that has writable objects with a full complement of writable attributes. In its role as global catalog server, it also stores the objects of all other domain directory partitions in a multidomain forest as read-only objects with a partial set of attributes. The set of attributes that are marked for inclusion in the global catalog is called the partial attribute set (PAS). An attribute is marked for inclusion in the PAS as part of its schema definition.
How the Global Catalog Works <http://technet.microsoft.com/en-us/library/how-global-catalog-serverswork(v=ws.10).aspx>
Office Environments
Pasted from <http://technet.microsoft.com/enus/library/cc749916.aspx>
The Query Process
A query is a specific request made by a user to the global catalog in order to retrieve, modify, or delete Active Directory data. The following steps describe the query process:
1. The client queries its DNS server for the location of the global catalog server.
2. The DNS server searches for the global catalog server location and returns the IP address of the domain controller designated as the global catalog server.
3. The client queries the IP address of the domain controller designated as the global catalog server. The query is sent to port 3268 on the domain controller; standard Active Directory queries are sent to port 389.
4. The global catalog server processes the query. If the global catalog contains the attribute of the object being searched for, the global catalog server provides a response to the client. If the global catalog does not contain the attribute of the object being searched for, the query is referred to Active Directory.
JSI Tip 8684. TechNet Support WebCast: Volume Shadow Copy service Requestor API and Writer API overview AND TechNet Support WebCast: Volume Shadow Copy service Provider API and System Provider overview.
Pasted from <http://www.windowsitpro.com/article/tips/jsitip-8684-technet-support-webcast-volume-shadow-copyservice-requestor-api-and-writer-api-overview-and-technetsupport-webcast-volume-shadow-copy-service-provider-apiand-system-provider-overview->
Active Directory replication uses Multimaster Replication, which means that replication can start from any Domain Controller. Each server keeps track of which updates it has received from which servers, and can intelligently request only necessary updates in case of a failure.
How replication works
Each update is assigned its own 64-bit Unique Sequence Number (USN); the USN is incremented at each update. When a server replicates an update it sends the USN along with the change. Each server keeps an internal list of replication partners and the highest USN received from each of them, and accepts only those changes whose USN is higher than the one previously received from that partner. The updates are transported over Internet Protocol (IP) as packaged by the replication remote procedure call (RPC) protocol. Simple Mail Transfer Protocol (SMTP) can also be used to prepare non-domain updates for Transmission Control Protocol (TCP) transport over IP.
Protocol           Description
LDAP               The primary directory access protocol for Active Directory. Windows Server 2003 family, Windows XP, Windows 2000 Server family, and Windows 2000 Professional clients, as well as Windows 98, Windows 95, and Windows NT 4.0 clients that have the Active Directory client components installed, use LDAP v3 to connect to Active Directory.
IP                 Routable protocol that is responsible for the addressing, routing, and fragmenting of packets by the sending node. IP is required for Active Directory replication.
Replication RPC    The Directory Replication Service (Drsuapi) RPC protocol, used to enable administration and monitoring of Active Directory replication and to communicate replication status, replication topology and network topology from a client running administrative tools to a domain controller. RPC is required by Active Directory replication.
Replication SMTP   Replication protocol that can be used by Active Directory replication over IP network transport for message-based replication between sites only and for non-domain replication only.

What Information is Replicated
The information stored in the directory (the Ntds.dit file in \Windows\NTDS) is logically partitioned into four categories, called directory partitions. The directory partitions are the units of replication. The partitions are:
- Schema partition: defines the objects that can be created in the directory and the attributes those objects can have. This data is common to all domains in a forest and is replicated to all domain controllers in the forest.
- Configuration partition: describes the logical structure of the deployment, including data such as domain structure or replication topology. This data is common to all domains in a forest and is replicated to all domain controllers in the forest.
- Domain partition: describes all of the objects in a domain (domain objects and their properties). This data is domain specific and is not replicated to any other domain; it is replicated to all domain controllers of that domain.
- Application partition: stores dynamic application-specific data in Active Directory. It allows you to control the scope of replication and the placement of replicas. The application partition can contain any type of object except security principals (users, groups and computers). The administrator can specify the scope of replication: specified domain controllers, all DCs in the domain or all DCs in the forest.
Intrasite Replication
Within a site, a Windows 2003 service known as the Knowledge Consistency Checker (KCC) automatically generates a topology for replication among domain controllers in the same domain using a ring structure. The KCC defines which servers are best suited to replicate with each other and builds connection objects. The KCC ensures that there are at least two replication paths from one DC to another. The KCC analyzes the replication topology every 15 minutes to ensure that it still works. When more than seven DCs are added to a site, the KCC creates additional connection objects across the ring structure to ensure that no domain controller is more than three hops from another domain controller (called propagation dampening, to avoid looping). Intrasite replication is done through the RPC protocol. When a domain controller writes a change to its local copy of Active Directory, a timer is started that determines when the domain controller's replication partners should be notified of the change. By default, this interval is 15 seconds in Windows Server 2003 and later; it was 300 seconds (5 minutes) in Windows 2000. When this interval elapses, the domain controller initiates a notification to each intrasite replication partner that it has changes that need to be propagated. Another configurable parameter determines the number of seconds to pause between notifications; this parameter prevents simultaneous replies by the replication partners. By default, this interval is 30 seconds. Both of these intervals can be modified by editing the registry.
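As an added illustration of the ring-plus-three-hops rule above (my own Python, not code from the page or from Microsoft's KCC), the sketch below builds the bidirectional ring, measures hop distances between every pair of domain controllers, and adds connection objects until no DC is more than three hops from any other. The greedy choice of which pair gets the extra connection is an assumption made for the illustration; the real KCC has its own selection logic and also weighs server availability.

```python
from collections import deque
from itertools import combinations


def ring_connections(dcs):
    """Connection objects for the bidirectional ring the KCC builds first: each DC
    replicates with its two ring neighbours, so any pair has two independent paths."""
    n = len(dcs)
    if n < 2:
        return set()
    return {frozenset((dcs[i], dcs[(i + 1) % n])) for i in range(n)}


def hop_distances(dcs, connections):
    """Breadth-first search over the connection objects; returns {(a, b): hops}."""
    adjacent = {dc: set() for dc in dcs}
    for conn in connections:
        a, b = tuple(conn)
        adjacent[a].add(b)
        adjacent[b].add(a)
    dist = {}
    for start in dcs:
        seen = {start: 0}
        queue = deque([start])
        while queue:
            here = queue.popleft()
            for nxt in adjacent[here]:
                if nxt not in seen:
                    seen[nxt] = seen[here] + 1
                    queue.append(nxt)
        for other, hops in seen.items():
            dist[(start, other)] = hops
    return dist


def build_intrasite_topology(dcs, max_hops=3):
    """Start from the ring; while some pair is more than max_hops apart, add a
    connection object between the first most-distant pair (hypothetical greedy
    rule used only for this illustration). Returns (connections, added, diameter)."""
    connections = ring_connections(dcs)
    added = []
    while True:
        dist = hop_distances(dcs, connections)
        far_pair, far_hops = None, 0
        for a, b in combinations(dcs, 2):      # deterministic order: first pair wins ties
            if dist[(a, b)] > far_hops:
                far_pair, far_hops = (a, b), dist[(a, b)]
        if far_hops <= max_hops:
            return connections, added, far_hops
        connections.add(frozenset(far_pair))
        added.append(far_pair)


if __name__ == "__main__":
    for n in (7, 8, 12):
        dcs = [f"DC{i:02d}" for i in range(n)]
        conns, added, diameter = build_intrasite_topology(dcs)
        print(f"{n} DCs: ring + {len(added)} extra connection(s), max {diameter} hop(s)")
```

With seven DCs the plain ring already satisfies the three-hop bound; the eighth DC is the first to push opposite ring members four hops apart, which is why the text says additional connection objects appear only beyond seven.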
Conflict Resolution
To avoid conflicts between object changes in AD, replication occurs at the attribute level. AD uses three components to resolve conflicting changes:
- the version number of the attribute;
- the originating time (time stamp) of the attribute;
- the ID of the DC that originated the change notification.

Intersite Replication
To ensure replication between sites, you must create site links, which are logical connections. The KCC generates the connections between sites. You provide information about the replication transport used, the cost of a site link, the times when the link is available for use and how often the link should be used. One domain controller in each site is selected as the Intersite Topology Generator (ISTG). To enable replication across site links, the ISTG automatically designates one or more servers to perform site-to-site replication. These servers are called bridgehead servers. A bridgehead is a point where a connection leaves or enters a site. The ISTG creates a view of the replication topology for all sites, including existing connection objects between all domain controllers that are acting as bridgehead servers. The ISTG then creates inbound connection objects for servers in its site that it determines will act as bridgehead servers and for which connection objects do not already exist. Thus, the scope of operation for the KCC is the local server only, and the scope of operation for the ISTG is a single site. Intersite replication can be done through the SMTP protocol only to replicate the schema and configuration partitions and the global catalog; it cannot be used to replicate domain directory partitions. Replication between sites over SMTP is supported only for domain controllers of different domains. Domain controllers of the same domain must replicate by using the RPC over IP transport.
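The two mechanisms described above, the per-partner high-watermark USN that keeps a DC from re-requesting changes it already has, and the attribute-level stamp that decides which of two conflicting writes survives, can be seen together in one small simulation. This is an added Python example, not code from the page or from Microsoft; the DC names and object names are constructed, and the ordering of the three conflict components (version, then timestamp, then originating DC) is applied as listed in the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True, order=True)
class Stamp:
    """Per-attribute replication stamp. Field order is the comparison order used
    to resolve conflicts: higher version wins, then later originating time, then
    the originating DC identifier as a final tie-breaker."""
    version: int
    timestamp: int
    originating_dc: str


class DomainController:
    def __init__(self, name: str):
        self.name = name
        self.usn = 0                        # local update sequence number counter
        # (object, attribute) -> (value, stamp, local USN at which it was last written)
        self.store: Dict[Tuple[str, str], Tuple[object, Stamp, int]] = {}
        # highest USN already received from each replication partner (high-watermark)
        self.high_watermark: Dict[str, int] = {}

    def _next_usn(self) -> int:
        self.usn += 1
        return self.usn

    def write(self, obj: str, attr: str, value, now: int) -> Stamp:
        """Originating write: bumps the attribute version and stamps it with this DC."""
        prev = self.store.get((obj, attr))
        version = prev[1].version + 1 if prev else 1
        stamp = Stamp(version, now, self.name)
        self.store[(obj, attr)] = (value, stamp, self._next_usn())
        return stamp

    def value(self, obj: str, attr: str):
        entry = self.store.get((obj, attr))
        return entry[0] if entry else None

    def changes_since(self, usn: int) -> List[Tuple[int, str, str, object, Stamp]]:
        """Everything written locally after the partner's watermark, in USN order."""
        changes = [(local_usn, obj, attr, value, stamp)
                   for (obj, attr), (value, stamp, local_usn) in self.store.items()
                   if local_usn > usn]
        return sorted(changes, key=lambda c: c[0])

    def pull_from(self, source: "DomainController") -> int:
        """Request only what is newer than the watermark kept for `source`; apply an
        attribute only when its stamp beats the local one. Returns the number applied."""
        watermark = self.high_watermark.get(source.name, 0)
        applied = 0
        for src_usn, obj, attr, value, stamp in source.changes_since(watermark):
            current = self.store.get((obj, attr))
            if current is None or stamp > current[1]:
                # keep the originating stamp, but record the write under a local USN
                self.store[(obj, attr)] = (value, stamp, self._next_usn())
                applied += 1
            watermark = max(watermark, src_usn)
        self.high_watermark[source.name] = watermark
        return applied


if __name__ == "__main__":
    a, b = DomainController("DC-A"), DomainController("DC-B")
    a.write("cn=alice", "title", "Analyst", now=1)
    print("first pull applied", b.pull_from(a), "change(s); second pull applied", b.pull_from(a))
    a.write("cn=alice", "title", "Lead (from A)", now=5)   # conflicting offline writes
    b.write("cn=alice", "title", "Lead (from B)", now=7)
    a.pull_from(b); b.pull_from(a)
    print("converged on:", a.value("cn=alice", "title"), "/", b.value("cn=alice", "title"))
```

Note that an equal stamp arriving a second time (for example via a third DC) is silently not reapplied, which is the attribute-level behaviour that keeps a change from bouncing back to its originator.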
Survival Guide: Active Directory on Windows Server 2008 and Windows Server 2008 R2
<http://social.technet.microsoft.com/wiki/ptbr/contents/articles/9720.guia-de-sobrevivencia-active-directory-nowindows-server-2008-e-windows-server-2008-r2.aspx>
Note You can identify a KCC-selected bridgehead server in Active Directory Sites and Services by viewing connection objects for the server (select the NTDS Settings object below the server object); if there are connections from servers in a different site or sites, the server represented by the selected NTDS Settings object is a bridgehead server. If you have Windows Support Tools installed, you can see all bridgehead servers by using the command repadmin /bridgeheads. In sites that have at least one domain controller that is running Windows Server 2003, the ISTG can select bridgehead servers from all eligible domain controllers for each directory partition that is represented in the site.
In Windows 2000 forests, a single bridgehead server per directory partition and per transport is designated as the bridgehead server responsible for intersite replication of that directory partition.
Compression of Replication Data
Intersite replication is compressed by default. Compressing replication data allows the data to be transferred over WAN links more quickly, thereby conserving network bandwidth. The cost of this benefit is an increase in CPU utilization on bridgehead servers. By default, replication data is compressed under the following conditions:
- replication of updates between domain controllers in different sites;
- replication of Active Directory to a newly created domain controller.
Replication interval (site link property): an interval in minutes that determines how often replication can occur (the default is every 180 minutes, or 3 hours). The minimum interval is 15 minutes. If the interval exceeds the time allowed by the schedule, replication occurs once at the scheduled time.
Synchronous Replication Over IP
The IP transport (RPC over IP) provides synchronous inbound replication. In the context of Active Directory replication, synchronous communication implies that after the destination domain controller sends the request for data, it waits for the source domain controller to receive the request, construct the reply, and send the reply before it requests changes from any other domain controller; that is, inbound replication is sequential. Thus in synchronous transmission, the reply is received within a short time. The IP transport is appropriate for linking sites in fully routed networks.
Asynchronous Replication Over SMTP
The SMTP transport (SMTP over IP) provides asynchronous replication. In asynchronous replication, the destination domain controller does not wait for the reply, and it can have multiple asynchronous requests outstanding at any particular time. Thus in asynchronous transmission, the reply is not necessarily received within a short time. Asynchronous transport is appropriate for linking sites in networks that are not fully routed and have particularly slow WAN links.
Note: Although asynchronous replication can send multiple replication requests in parallel, the received replication packets are queued on the destination domain controller and the changes are applied for only one partner and directory partition at a time.
Replication Packet Size
Replication packet sizes are computed on the basis of memory size unless you have more than 1 gigabyte (GB). By default, the system limits the packet size as follows:
- The packet size in bytes is 1/100th the size of RAM, with a minimum of 1 MB and a maximum of 10 MB.
- The packet size in objects is 1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.
For general estimates when this entry is not set, assume an approximate packet size of 100 objects.
Setting the maximum packet size requires adding or modifying entries in the following registry path with the REG_DWORD data type: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters. These entries can be used to determine the maximum number of objects per packet and maximum size of the packets. The minimum values are indicated as the lowest value in the range.
Bridgehead Servers
When domain controllers for the same domain are located in different sites, at least one bridgehead server per directory partition and per transport (IP or SMTP) replicates changes from one site to a bridgehead server in another site. A single bridgehead server can serve multiple partitions per transport and multiple transports. Replication within the site allows updates to flow between the bridgehead servers and the other domain controllers in the site.
How Intersite Replication Works
The following steps, illustrated in Figure 5-2, show how intersite replication works:
1. At the interval determined by the selected replication frequency, the bridgehead server in the Zurich site polls the bridgehead server in the Lucerne site for any updated data.
2. If the bridgehead server in the Lucerne site finds that it has updated Active Directory data, it compresses the data (if larger than 50 KB) and sends it to the bridgehead server in the Zurich site.
3. When the bridgehead server in the Zurich site has received all of the data, it replicates the data to the other domain controllers in the site, without compressing the information.
Using the BurFlags registry key to reinitialize File Replication Service replica sets
Pasted from <http://support.microsoft.com/kb/290762/en-us>
How to force a non-authoritative restore of the data in the Sysvol folder on a domain controller in Windows 2000 Server and in Windows Server 2003
Pasted from <http://support.microsoft.com/kb/840674/en-us>
How to configure Active Directory diagnostic event logging in Windows Server 2003 and in Windows 2000 Server
Pasted from <http://support.microsoft.com/default.aspx?scid=kb;en-us;314980>
Ultrasound - Monitoring and Troubleshooting Tool for File Replication Service (FRS)
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=61acb9b9-c354-4f98-a823-24cc0da73b50&DisplayLang=en
Connection Schedule
Each connection object has a schedule that is set automatically by the KCC. The connection schedule controls the frequency of intrasite replication on the connection, with a minimum increment of 15 minutes. The default intrasite replication schedule for automatically generated connection objects is once per hour, which is set in the NTDS Site Settings object, available at the site level. Here you can set a default schedule of None (no replication), Once Per Hour (default), Twice Per Hour, or Four Times Per Hour.
Network Ports Used by Replication Topology By default, RPC-based replication uses dynamic port mapping. When connecting to an RPC endpoint during Active Directory replication, the RPC run time on the client contacts the RPC endpoint mapper on the server at a well known port (port 135). The server queries the RPC endpoint mapper on this port to determine what port has been assigned for Active Directory replication on the server. This query occurs whether the port assignment is dynamic (the default) or fixed. The client never needs to know which port to use for Active Directory replication. Note An endpoint comprises the protocol, local address, and port address. In addition to the dynamic port 135, other ports that are required for replication to occur are listed in the following table. Port Assignments for Active Directory Replication
Service Name    UDP    TCP
LDAP            389    389
LDAP                   3268
LDAP                   636 (Secure Sockets Layer [SSL])
Kerberos        88     88
DNS             53     53
SMB over IP     445    445
Replication within a domain also requires FRS using a dynamic RPC port.
Setting Fixed Replication Ports Across a Firewall For each service that needs to communicate across a firewall, there is a fixed port and protocol. Normally, the directory service and FRS use dynamically allocated ports that require a firewall to have a wide range of ports open. Although FRS cannot be restricted to a fixed port, you can edit the registry to restrict the directory service to communicate on a static port.
Restricting the directory service to using a fixed port requires editing the TCP/IP Port registry entry (REG_DWORD), located in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters. Changing this registry entry on a domain controller and restarting it causes the directory service to use the TCP port named in the registry entry. For example, port 49152 is DWORD=0000c000 (hexadecimal).
PDC emulator. This role is held by only one domain controller per domain. This role is the central authority for time synchronization within a domain, and emulates the functionality of a Windows NT 4.0 Primary Domain Controller (PDC). Any NT Backup Domain Controllers (BDCs) in a domain replicate from the PDC emulator. Pre-Windows 2000 (Win2K) clients without the Microsoft Directory Services Client (DSClient) contact the PDC emulator to change user and computer passwords. The PDC emulator is also responsible for processing account lockouts. Finally, any failed logon attempts are first forwarded to the PDC emulator before a bad logon message is returned to the client.
TRUST RELATIONSHIPS
Tree-root Trust The Tree-root trust is implicitly established between different Tree root domains in the same Forest. It can be set up only between the roots of two trees in the same forest. The trust is transitive and two -way.
Parent-child trust: implicitly established when you create a new child domain in a tree. These trusts make all objects in the domains of the tree available to all other domains in that tree. This trust is transitive and two-way.
Shortcut trust: must be explicitly (manually) created by the administrator between two domains in a forest. Used to improve user logon times, which can be slow when two domains are logically distant from each other. This trust is transitive and can be one-way or two-way.
External trust: must be explicitly created by the administrator between Windows 2003 domains that are in different forests, or between a Windows 2003 domain and a domain whose domain controller is running Windows NT 4 or earlier. It is used when users need to access resources located in a Windows NT 4 domain or in a domain located in a separate forest that cannot be joined by a forest trust. The trust is nontransitive and can be one-way or two-way.
Forest trust: must be explicitly created by the system administrator between two forest root domains. This trust allows all domains in a forest to transitively trust all domains in another forest. The forest trust is not transitive across three or more forests. Example: if forest A trusts forest B and forest B trusts forest C, there is no transitive trust between forest A and forest C.
Realm trust: must be explicitly created between a non-Windows Kerberos realm and a Windows Server 2003 domain. This trust provides interoperability between a Windows 2003 domain and any realm in a Kerberos version 5 implementation. The trust can be transitive or nontransitive and one-way or two-way.
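The transitivity rules for the six trust types combine in ways that are easy to get wrong when reasoning about who can reach which resources, so here is an added Python model (my own code, not from the page or from Microsoft) that walks the trust graph from a resource domain back to a user's domain. It encodes exactly the rules stated above: parent-child, tree-root, shortcut and forest trusts are transitive, external trusts are not, a realm trust is whatever it was configured as, and a forest trust never carries on to a third forest. The domain names in SAMPLE_TRUSTS are constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Trust:
    trusting: str                 # domain whose resources the trust exposes
    trusted: str                  # domain whose users are accepted
    kind: str                     # parent-child | tree-root | shortcut | external | forest | realm
    two_way: bool = True
    realm_transitive: bool = False  # only consulted for realm trusts


def is_transitive(t: Trust) -> bool:
    if t.kind == "realm":
        return t.realm_transitive
    return t.kind != "external"   # parent-child, tree-root, shortcut and forest are transitive


def trusted_by(trusts: List[Trust], domain: str) -> Iterator[Tuple[str, Trust]]:
    """Domains whose users `domain` accepts, honouring one-way direction."""
    for t in trusts:
        if t.trusting == domain:
            yield t.trusted, t
        elif t.two_way and t.trusted == domain:
            yield t.trusting, t


def trust_path(trusts: List[Trust], user_domain: str, resource_domain: str) -> Optional[List[str]]:
    """Shortest chain of trust kinds allowing a user in user_domain to reach resources
    in resource_domain, or None if no valid chain exists. Walks from the resource
    toward the user, which is the direction in which the trusts are evaluated."""
    if user_domain == resource_domain:
        return []
    queue = deque([(resource_domain, [], {resource_domain})])
    while queue:
        here, path, seen = queue.popleft()
        for nxt, t in trusted_by(trusts, here):
            if nxt in seen:
                continue
            new_path = path + [t]
            # a non-transitive trust may only be the single hop of a path
            if len(new_path) > 1 and any(not is_transitive(p) for p in new_path):
                continue
            # a forest trust is transitive between two forests, never on to a third
            if sum(p.kind == "forest" for p in new_path) > 1:
                continue
            if nxt == user_domain:
                return [p.kind for p in new_path]
            queue.append((nxt, new_path, seen | {nxt}))
    return None


# Constructed sample: forest "corp" (two trees), forest "partner", forest "vendor",
# and an NT4-style domain reached through a one-way external trust.
SAMPLE_TRUSTS = [
    Trust("eu.corp.example", "corp.example", "parent-child"),
    Trust("sales.example", "corp.example", "tree-root"),
    Trust("lab.partner.example", "partner.example", "parent-child"),
    Trust("corp.example", "partner.example", "forest"),
    Trust("partner.example", "vendor.example", "forest"),
    Trust("corp.example", "nt4dom", "external", two_way=False),
]

if __name__ == "__main__":
    for user, resource in [("lab.partner.example", "eu.corp.example"),
                           ("vendor.example", "eu.corp.example"),
                           ("nt4dom", "corp.example"),
                           ("nt4dom", "eu.corp.example")]:
        print(f"{user:>22} -> {resource:<18}: {trust_path(SAMPLE_TRUSTS, user, resource)}")
```

The last two sample queries show the practical consequence of an external trust being nontransitive: users from the NT4 domain reach the forest root that trusts them directly, but not its child domain.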
Location of the Shared System Volume Folder
Installing Active Directory creates the shared system volume, a folder structure that exists on all Windows Server 2003 domain controllers. It stores public files that must be replicated to other domain controllers, such as logon scripts and some of the Group Policy Objects (GPOs), for both the current domain and the enterprise. The default location for the shared system volume is %Systemroot%\Sysvol. However, you can specify a different location during Active Directory installation. The shared system volume must be located on a partition or volume formatted with NTFS.
The following table summarizes how to determine whether a domain controller's SYSVOL folder is being replicated by DFSR or FRS.
If the domain controller is running                                                                 SYSVOL is replicated by
Windows Server 2008 + domain functional level of Windows Server 2008 + SYSVOL migration completed   DFSR
Windows Server 2008 + domain functional level below Windows Server 2008                             FRS
Windows Server 2003                                                                                 FRS
Windows 2000 Server                                                                                 FRS
If the domain's functional level is Windows Server 2008 and the domain has undergone SYSVOL migration, DFSR will be used to replicate the SYSVOL folder. If the first domain controller in the domain was promoted directly into the Windows Server 2008 functional level, DFSR is automatically used for SYSVOL replication. In such cases, there is no need for migration of SYSVOL replication from FRS to DFSR. If the domain was upgraded to Windows Server 2008 functional level, FRS is used for SYSVOL replication until the migration process from FRS to DFSR is complete. To determine whether DFSR or FRS is being used on a domain controller that is running Windows Server 2008, check the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols\LocalState registry subkey. If this registry subkey exists and its value is set to 3 (ELIMINATED), DFSR is being used. If the subkey does not exist, or if it has a different value, FRS is being used.
Pasted from <http://msdn.microsoft.com/en-us/library/windows/desktop/cc507518%28v=vs.85%29.aspx>
REQUIRED DNS RESOURCE RECORDS FOR DOMAIN CONTROLLERS
To verify the presence of the DNS resource records needed to join an Active Directory domain, complete the following steps:
1. Click Start, and then click Command Prompt.
2. Type nslookup and press Enter.
3. At the Nslookup (>) prompt, type set q=srv and press Enter.
4. At the next prompt, type _ldap._tcp.dc._msdcs.DNSDomainName. The DNS query for the resource records specified by the nslookup command set q=srv returns both SRV and A resource records.
5. Review the output and determine whether all domain controllers in the Active Directory domain that this computer is attempting to join are included and registered with valid IP addresses. In some cases, you might need to manually add or verify registration of the service (SRV) resource records used to support Windows Server 2003 domain controllers.
6. If you need to add the SRV resource records that have been created for a domain controller, open and view the Netlogon.dns file, created by the Active Directory Installation Wizard when a server is promoted to a domain controller. Netlogon.dns can be found at the following location on a domain controller: %Systemroot%\System32\Config\Netlogon.dns. If you have installed DNS manually or if your DNS solution does not support dynamic update, you must manually enter these records on your DNS server(s).
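Step 5 is the part people skim, so here is an added Python check (my own code, not from the page or from Microsoft) that parses the text Windows nslookup prints for an SRV query and compares the registered domain controllers against the list you expect. The sample output is constructed: dc01 is registered correctly, dc02 has an SRV record but an unusable 0.0.0.0 address, and dc03 is not registered at all. The expected LDAP port of 389 follows the page; the per-DC check logic is my own.

```python
import ipaddress
import re
from typing import Dict, Tuple

# Constructed sample in the layout Windows nslookup uses after "set q=srv".
SAMPLE_NSLOOKUP_OUTPUT = """\
> _ldap._tcp.dc._msdcs.corp.example
Server:  dc01.corp.example
Address:  10.0.0.11

_ldap._tcp.dc._msdcs.corp.example       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.corp.example
_ldap._tcp.dc._msdcs.corp.example       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc02.corp.example
dc01.corp.example       internet address = 10.0.0.11
dc02.corp.example       internet address = 0.0.0.0
"""

FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$")
ADDRESS = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)\s*$")


def parse_srv_output(text: str) -> Tuple[Dict[str, dict], Dict[str, str]]:
    """Return ({hostname: {priority, weight, port}}, {hostname: address})."""
    records, addresses, current = {}, {}, {}
    for line in text.splitlines():
        if line.rstrip().endswith("SRV service location:"):
            current = {}                      # a new SRV record starts
            continue
        m = FIELD.match(line)
        if m:
            key, val = m.groups()
            if key == "svr hostname":
                records[val.lower()] = current
            else:
                current[key] = int(val)
            continue
        m = ADDRESS.match(line)
        if m:                                 # additional-section A record
            addresses[m.group(1).lower()] = m.group(2)
    return records, addresses


def valid_ip(text: str) -> bool:
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not (ip.is_unspecified or ip.is_loopback or ip.is_multicast)


def check_dc_registration(text: str, expected_dcs) -> Dict[str, str]:
    """Problems keyed by DC name; an empty dict means every expected DC has an SRV
    record, a usable address and the expected LDAP port, with no strays."""
    records, addresses = parse_srv_output(text)
    expected = {d.lower() for d in expected_dcs}
    problems = {}
    for dc in sorted(expected):
        if dc not in records:
            problems[dc] = "no SRV record"
        elif dc not in addresses:
            problems[dc] = "SRV record but no A record in the answer"
        elif not valid_ip(addresses[dc]):
            problems[dc] = f"invalid address {addresses[dc]}"
        elif records[dc].get("port") != 389:
            problems[dc] = f"unexpected LDAP port {records[dc].get('port')}"
    for dc in sorted(records):
        if dc not in expected:
            problems[dc] = "SRV record for a DC not in the expected list (stale registration?)"
    return problems


if __name__ == "__main__":
    expected = ["dc01.corp.example", "dc02.corp.example", "dc03.corp.example"]
    for dc, problem in check_dc_registration(SAMPLE_NSLOOKUP_OUTPUT, expected).items():
        print(f"{dc}: {problem}")
```

A stray record for a DC that no longer exists is reported too, since a stale SRV entry sends clients to a host that cannot answer.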
How to verify that SRV DNS records have been created for a domain controller
Pasted from <http://support.microsoft.com/kb/816587/enus>
- To install a Domain Controller you can run the command "DCPROMO /ADV:filepath". The filepath is where you restored a backup taken from an existing Domain Controller in the domain.
- To install a Windows 2008 DC in a Windows 2003 forest you need to do the following:
  1. Take a System State backup on the DCs.
  2. On the Schema Master DC, with the Windows 2008 media on it, run the command adprep /forestprep (schema admin, enterprise admin).
  3. On the Infrastructure Master DC, run the command adprep /domainprep /gpprep (domain admin, enterprise admin).
  4. If you are installing the first read-only domain controller (RODC) in the domain, run the adprep /rodcprep command on any computer in the forest.
  5. Wait 15 minutes for replication to finish.
  6. Add the new Windows 2008 DC to the domain.
Page 104
Directory System Agent Directory System Agent (DSA) is the process that provides access to the store of the directory. DSA manages the Directory and understands what each directory object represents. For example, when you create objects, the DSA knows how to check the Active Directory Schema to identify the mandatory and optional attributes for that particular object. The DSA also manages other relationships, such as replication topology. Clients gain access to the directory by using one of the following mechanisms supported by the DSA:
- LDAP clients connect to the DSA by using the LDAP protocol;
- Exchange and Outlook use the MAPI remote procedure call (RPC) interface to connect to the DSA;
- Active Directory domain controllers connect to each other to perform replication by using RPC.
Directory system agent. Builds a hierarchy from the parent-child relationships stored in the directory. Provides APIs for directory access calls. Is a directory service component that runs as Ntdsa.dll
Database layer. Provides an abstraction layer between applications and the database. Calls from applications are never made directly to the database; they go through the database layer.
Extensible storage engine. Communicates directly with individual records in the directory data store on the basis of the object's relative distinguished name attribute.
Data store (the database file Ntds.dit). This file is manipulated only by the extensible storage engine database engine. You can administer the file by using the Ntdsutil command-line tool. (To use Ntdsutil, install the Support Tools that are located in the Support\Tools folder on the Windows 2000 Server operating system CD. To install the tools, double-click the Setup icon in that folder. For information about installing and using the Windows 2000 Support Tools and Support Tools Help, see the file Sreadme.doc in the Support\Tools folder of the Windows 2000 operating system CD.)
http://technet.microsoft.com/en-us/library/cc961767.aspx
Extensible Storage Engine (ESE) The directory service component that runs as Esent.dll. ESE manages the tables of records that comprise the directory database.
KCC
Saturday, 5 May 2012 06:15
The Knowledge Consistency Checker (KCC) is a dynamic-link library (DLL) that runs as a distributed application on every domain controller. The KCC on each domain controller modifies data in its local instance of the directory in response to forest-wide changes, which are made known to the KCC by changes to data in the configuration directory partition. The KCC generates and maintains the replication topology for replication within sites and between sites by converting KCC-defined and administrator-defined (if any) connection objects into a configuration that is understood by the directory replication engine. By default, the KCC reviews and makes modifications to the Active Directory replication topology every 15 minutes to ensure propagation of data, either directly or transitively, by creating and deleting connection objects as needed. The KCC recognizes changes that occur in the environment and ensures that domain controllers are not orphaned in the replication topology. Operating independently, the KCC on each domain controller uses its own view of the local replica of the configuration directory partition to arrive at the same intrasite topology. One KCC per site, the ISTG, determines the intersite replication topology for the site. Like the KCC that runs on each domain controller within a site, the instances of the ISTG in different sites do not communicate with each other. They independently use the same algorithm to produce a consistent, well-formed spanning tree of connections. Each site constructs its own part of the tree and, when all have run, a working replication topology exists across the enterprise.
The predictability of all KCCs allows scalability by reducing communication requirements between KCC instances. All KCCs agree on where connections will be formed, ensuring that redundant replication does not occur and that all parts of the enterprise are connected.
The KCC performs two major functions:
- Configures appropriate replication connections (connection objects) on the basis of the existing cross-reference, server, NTDS settings, site, site link, and site link bridge objects and the current status of replication.
- Converts the connection objects that represent inbound replication to the local domain controller into the replication agreements that are actually used by the replication engine. These agreements, called replica links, accommodate replication of a single directory partition from the source to the destination domain controller.
Intervals at Which the KCC Runs
By default, the KCC runs its first replication topology check five minutes after the domain controller starts. The domain controller then attempts initial replication with its intrasite replication partners. If a domain controller is being used for multiple other services, such as DNS, WINS, or DHCP, extending the replication topology check interval can ensure that all services have started before the KCC begins using CPU resources. You can edit the registry to modify the interval between startup and the time the domain controller first checks the replication topology.
Note: If you must edit the registry, use extreme caution. Registry information is provided here as a reference for use by only highly skilled directory service administrators. It is recommended that you do not directly edit the registry unless, as in this case, there is no Group Policy or other Windows tools to accomplish the task. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. Storage of incorrect values can result in unrecoverable errors in the system.
Modifying the interval between startup and the time the domain controller first checks the replication topology requires changing the Repl topology update delay (secs) entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters as appropriate:
Value: Number of seconds to wait between the time Active Directory starts and the KCC runs for the first time.
Thereafter, as long as services are running, the KCC on each domain controller checks the replication topology every 15 minutes and makes changes as necessary. Modifying the interval at which the KCC performs topology review requires changing the Repl topology update period (secs) entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters as appropriate:
Value: Number of seconds between KCC topology updates.
Objects that the KCC Requires to Build the Replication Topology
The following objects, which are stored in the configuration directory partition, provide the information required by the KCC to create the replication topology:
- Cross-reference. Each directory partition in the forest is identified in the Partitions container by a cross-reference object. The attributes of this object are used by the replication system to locate the domain controllers that store each directory partition.
- Server. Each domain controller in the forest is identified as a server object in the Sites container.
- NTDS Settings. Each server object that represents a domain controller has a child NTDS Settings object. Its presence identifies the server as having Active Directory installed. The NTDS Settings object must be present for the server to be considered by the KCC for inclusion in the replication topology.
- Site. The presence of the above objects also indicates to the KCC the site in which each domain controller is located for replication. For example, the distinguished name of the NTDS Settings object contains the name of the site in which the server object that represents the domain controller exists.
- Site link. A site link must be available between any set of sites and its schedule and cost properties evaluated for routing decisions.
- Site link bridge. If they exist, site link bridge objects and properties are evaluated for routing decisions.
Simplified Ring Topology Generation
A simplified process for creating the topology for replication within a site begins as follows: The KCC generates a list of all servers in the site that hold that directory partition. These servers are connected in a ring. For each neighboring server in the ring from which the current domain controller is to replicate, the KCC creates a connection object if one does not already exist. This simple approach guarantees a topology that tolerates a single failure. If a domain controller is not available, it is not included in the ring that is generated by the list of servers. However, this topology, with no other adjustments, accommodates only seven servers. Beyond this number, the ring would require more than three hops for some servers.
The simplest case scenario (seven or fewer domain controllers, all in the same domain and site) would result in the replication topology shown in the following diagram. The only directory partitions to replicate are a single domain directory partition, the schema directory partition, and the configuration directory partition. Those topologies are generated first, and at that point, sufficient connections to replicate each directory partition have already been created. In the next series of diagrams, the arrows indicate one-way or two-way replication of the type of directory partitions indicated in the Legend.
[Diagram: Simple Ring Topology that Requires No Optimization]
Because a ring topology is created for each directory partition, the topology might look different if domain controllers from a second domain were present in the site. The next diagram illustrates the topology for domain controllers from two domains in the same site with no global catalog servers defined in the site.
[Diagram: Ring Topology for Two Domains in a Site that Has No Global Catalog Server]
The next diagram illustrates replication between a global catalog server and three domains to which the global catalog server does not belong. When a global catalog server is added to the site in DomainA, additional connections are required to replicate updates of the other domain directory partitions to the global catalog server. The KCC on the global catalog server creates connection objects to replicate from domain controllers for each of the other domain directory partitions within the site, or from another global catalog server, to update the read-only partitions. Wherever a domain directory partition is replicated, the KCC also uses the connection to replicate the schema and configuration directory partitions.
Note: Connection objects are generated independently for the configuration and schema directory partitions (one connection) and for the separate domain and application directory partitions, unless a connection from the same source to destination domain controllers already exists for one directory partition. In that case, the same connection is used for all (duplicate connections are not created).
[Diagram: Intrasite Topology for Site with Four Domains and a Global Catalog Server]
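The ring construction and the connection-reuse rule above are easy to get wrong when reasoning about a site by hand, so here is a small model of them as an added example. It is my code, not Microsoft's KCC implementation: it builds one ring per partition, reuses a source-to-destination connection when a later partition needs the same pair, drops unavailable DCs from the ring, and reproduces the "seven servers, three hops" limit. The DC names (A1, A2, B1, B2) and the partition names are constructed; "config+schema" stands for the single connection that carries both of those partitions.

```python
"""Added example (mine, not Microsoft's KCC implementation): a simplified
model of the intrasite ring topology described above. It reproduces the
"seven servers / three hops" limit and the rule that a connection from the
same source to the same destination is reused for every partition.
DC and partition names are constructed."""

from collections import defaultdict


def ring_order(holders, unavailable=frozenset()):
    """DCs that hold a partition and are reachable, in a fixed ring order.
    An unavailable DC is simply left out of the ring, as the text says."""
    return [dc for dc in sorted(holders) if dc not in unavailable]


def inbound_neighbors(ring, dc):
    """Sources a DC replicates from: its two ring neighbours (two-way arrows),
    which is what lets the ring survive the loss of a single DC."""
    n = len(ring)
    if n < 2:
        return []
    i = ring.index(dc)
    if n == 2:
        return [ring[1 - i]]
    return [ring[(i - 1) % n], ring[(i + 1) % n]]


def max_hops(ring):
    """Longest distance between two DCs on the ring: floor(n / 2).
    Seven DCs give 3 hops; an eighth DC pushes some pairs to 4."""
    return len(ring) // 2


def build_connections(partition_holders, unavailable=frozenset()):
    """partition_holders: {partition: set of DCs that hold a replica of it}.
    Returns {(source, destination): set of partitions carried}. A source ->
    destination pair is created once and reused for every later partition,
    so no duplicate connection objects appear."""
    connections = defaultdict(set)
    for partition, holders in partition_holders.items():
        ring = ring_order(holders, unavailable)
        for dc in ring:
            for source in inbound_neighbors(ring, dc):
                connections[(source, dc)].add(partition)
    return dict(connections)


def site_with_global_catalog():
    """Two domains in one site; A1 is a global catalog server, so it also
    holds a read-only replica of DomainB (constructed names)."""
    return {
        "config+schema": {"A1", "A2", "B1", "B2"},   # one connection covers both
        "DomainA": {"A1", "A2"},
        "DomainB": {"A1", "B1", "B2"},
    }


if __name__ == "__main__":
    for n in (7, 8):
        print(n, "DCs ->", max_hops([f"DC{i}" for i in range(n)]), "hops")
    for (src, dst), parts in sorted(build_connections(site_with_global_catalog()).items()):
        print(f"{src} -> {dst}: {sorted(parts)}")
```

Running it shows 10 connection objects for the two-domain site: the B1 -> A1 and A1 -> B1 connections exist only because A1 is a global catalog, while A2 -> A1 carries both the config+schema and DomainA partitions over one connection, which is the Note's point.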
Intersite Topology Generator The KCC on the domain controller that has the ISTG role creates the inbound connections on all domain controllers in its site that require replication with domain controllers in other sites. The sum of these connections for all sites in the forest forms the intersite replication topology. A fundamental concept in the generation of the topology within a site is that each server does its part to create a site-wide topology. In a similar manner, the generation of the topology between sites depends on each site doing its part to create a forest-wide topology between sites.
ISTG Role Ownership and Viability
The owner of the ISTG role is communicated through normal Active Directory replication. Initially, the first domain controller in the site is the ISTG role owner. It communicates its role ownership to other domain controllers in the site by writing the distinguished name of its child NTDS Settings object to the interSiteTopologyGenerator attribute of the NTDS Site Settings object for the site. As a change to the configuration directory partition, this value is replicated to all domain controllers in the forest. The ISTG role owner is selected automatically. The role ownership does not change unless:
- The current ISTG role owner becomes unavailable.
- All domain controllers in the site are running Windows 2000 and one of them is upgraded to Windows Server 2003. If at least one domain controller in a site is running Windows Server 2003, the ISTG role is assumed by a domain controller that is running Windows Server 2003.
The viability of the current ISTG is assessed by all other domain controllers in the site. The need for a new ISTG in a site is established differently, depending on the forest functional level that is in effect.
Troubleshooting
Monday, May 7, 2012 03:32
DCDIAG
http://support.microsoft.com/kb/905900/en-us
DCDIAG /TEST:DNS /v /e runs the full set of tests (/v) of the DNS configuration, including checking that the SRV and SOA records are correct. The (/e) parameter indicates that the test runs on every DC in the forest. It is not advisable to use the /e parameter in a forest with more than 200 DCs.
The (/f:file.txt) parameter sends the results to a text file. The DHCP Client service needs to be running in order to register the Host (A) records required by the DCs.
To re-register the (SRV) records, restart the Netlogon service or run the command NETDIAG /fix.
REPADMIN
http://support.microsoft.com/kb/905739/en-us http://searchwindowsserver.techtarget.com/tip/Repadmin-diagnoses-Active-Directory-replication-issues-in-Windows
Repadmin /showrepl (showreps) shows the replication partners and the replication status of each AD partition (naming context). repadmin /showrepl DC_NAME /csv > Repl.csv sends the result to a CSV file so that we can organize the view better in Excel.
Repadmin /showconn DC_NAME shows the connections (intrasite and intersite) created by the KCC for each AD partition. The (/v) parameter can be used for more detail.
Repadmin /replsummary DC_LIST /bysrc /bydest /sort:delta is used to monitor replication health. The (DC_LIST) parameter can be used to specify a single DC or a list of DCs separated by spaces. Repadmin /showobjmeta DC_NAME ObjectDN shows the attributes of an AD object (metadata) and the version of the last change (USN), as well as the time stamp of the change. Recommended when you want to verify data consistency between 2 DCs.
Repadmin /rebuildgc re-creates all Global Catalogs in the forest, clears all temporary links and re-creates the topology (in a very large environment this can overload the network).
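Once the /showrepl output is in a CSV file it can be checked by a script instead of by eye. The following is an added example of mine, not part of repadmin or of these notes: it reads the CSV, keeps the showrepl_INFO rows, and flags inbound links that have a non-zero failure count or whose last success is older than a threshold. The column layout (a header row tagged showrepl_COLUMNS followed by showrepl_INFO rows) is the layout I assume the /csv switch produces; the DC names, sites, naming contexts and timestamps in the sample are constructed, and the last-failure status 1722 is the RPC-server-unavailable error that the linked article below covers.

```python
"""Added example (mine, not Microsoft's repadmin): reading the CSV that
'repadmin /showrepl DC_NAME /csv > Repl.csv' writes and flagging inbound
replication links that are failing or have not succeeded recently. The
column names are the layout I assume the /csv switch produces; the DC
names, sites, times and sample rows are constructed."""

import csv
import io
from datetime import datetime

# Constructed sample output (assumed layout): one header row, then one row per
# inbound link of the destination DC, one per naming context.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=example,DC=test",Default-First-Site-Name,DC2,RPC,0,0,2012-05-07 03:00:12,0
showrepl_INFO,Default-First-Site-Name,DC1,"CN=Configuration,DC=example,DC=test",Default-First-Site-Name,DC2,RPC,0,0,2012-05-07 03:00:13,0
showrepl_INFO,Default-First-Site-Name,DC1,"DC=example,DC=test",Branch-Site,DC3,RPC,14,2012-05-07 03:15:44,2012-05-04 22:10:05,1722
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_showrepl_csv(text):
    """Return one dict per showrepl_INFO row, keyed by the showrepl_COLUMNS header."""
    header = None
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] == "showrepl_COLUMNS":
            header = row[1:]
        elif row[0] == "showrepl_INFO" and header:
            rows.append(dict(zip(header, row[1:])))
    return rows


def find_problem_links(rows, now, max_age_hours=24):
    """Flag links with failures, or whose last success is older than max_age_hours.
    `now` is a timestamp string in the same format repadmin prints."""
    now_dt = datetime.strptime(now, TIME_FORMAT)
    problems = []
    for r in rows:
        failures = int(r["Number of Failures"])
        try:
            last_ok = datetime.strptime(r["Last Success Time"], TIME_FORMAT)
            age_hours = (now_dt - last_ok).total_seconds() / 3600
        except ValueError:            # a bare "0" means the link never succeeded
            age_hours = None
        stale = age_hours is None or age_hours > max_age_hours
        if failures or stale:
            problems.append({
                "destination": r["Destination DSA"],
                "source": r["Source DSA"],
                "source_site": r["Source DSA Site"],
                "naming_context": r["Naming Context"],
                "failures": failures,
                "last_failure_status": r["Last Failure Status"],
                "hours_since_success": None if age_hours is None else round(age_hours, 1),
            })
    return problems


if __name__ == "__main__":
    for p in find_problem_links(parse_showrepl_csv(SAMPLE_CSV), "2012-05-07 04:00:00"):
        print(p)
```

With a real file, replace SAMPLE_CSV with the contents of Repl.csv and pass the current time as `now`; a link that has never succeeded (Last Success Time of 0) is always flagged.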
DNSLINT A tool that is part of the Support Tools. dnslint /s IPaddr /ad IPaddr /v helps diagnose DNS resolution problems. http://technet.microsoft.com/en-us/library/replication-error-1722-the-rpc-server-is-unavailable(v=ws.10).aspx
NETDOM NETDOM query fsmo shows which DCs hold the FSMO roles. This tool is part of the Windows 2003 Support Tools. dsquery server -hasfsmo pdc is another way to find the DCs that hold the FSMO roles.
Verify Installation
- In AD Users and Computers, check that the computer object is in the Domain Controllers OU;
- Under %systemroot%, check that the Sysvol folder exists with some subfolders and that the share is enabled on it;
- In DNS, check that the zone for the AD namespace was created along with the _msdcs zone;
Troubleshooting Installation
- Check that the DNS name is registered properly;
- Check the Directory Service log and look for errors;
- Use the Netdiag, Dcdiag, Repadmin and NTDSUtil tools;
- Check the log files "DCPromoUI.log" and "DCPROMO.log" in %Systemroot%\Debug and look for errors;
Active Directory Backup and Restore
- Create a System State Backup
Non-Authoritative Restore
Restore AD from the last backup state. All changes made after the last backup are replicated from other domain controllers. To perform a non-authoritative restore:
1. Restart the system in "Directory Services Restore Mode".
2. Use the backup wizard to restore the data from the system state backup.
3. Restart the server. (It will get the changes made since the last backup through network synchronization.)
Authoritative Restore
Restore the whole domain structure and objects, or only a selected object or container, and bring it to the state it was in at the time of the backup. Changes made after the backup will be discarded. To perform an authoritative restore:
1. Perform a non-authoritative restore.
2. Run Ntdsutil (do not restart the server after performing the non-authoritative restore) to mark objects as authoritative.
3. Restart the server.
- If you restore the entire AD database, copy sysvol from an alternative location over the existing one (after the sysvol share is published).
- If you restore specific objects, copy only the policy folders corresponding to the restored policy objects from an alternative location (after sysvol is published).
- You cannot authoritatively restore the schema and the Configuration naming context.
- Attempts to authoritatively restore a complete naming context will always include objects that can disrupt the proper functionality of crucial parts of Active Directory. Also, when the entire domain namespace is restored, passwords are restored to their state at the time the backup was taken. You should always try to authoritatively restore a minimal set of objects.
In Ntdsutil:
1. Type ntdsutil and press ENTER;
2. Type authoritative restore, and then press ENTER;
3. Type restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx, or type restore object U=bosses,DC=ourdom,DC=com to restore a single object;
4. Type quit, press ENTER, type quit, and then press ENTER;
5. Restart the domain controller.
http://support.microsoft.com/kb/241594/en-us
http://technet.microsoft.com/en-us/library/cc779573(v=ws.10).aspx
DHCP
Wednesday, May 2, 2012 17:12
How It Works
Automatic IP Configuration
DHCP supports Automatic Private IP Addressing (APIPA), which enables computers running Windows 2000, Windows XP, and Windows Server 2003 to configure an IP address and subnet mask if a DHCP server is unavailable at system startup and the Automatic private IP address Alternate Configuration setting is selected. This feature is useful for clients on small private networks, such as a small-business office or a home office. The DHCP Client service on a computer running Windows XP and Windows Server 2003 uses the following process to auto-configure the client:
1. The DHCP client attempts to locate a DHCP server and obtain an IP address and configuration.
2. If a DHCP server cannot be found or does not respond after one minute, the DHCP client checks the settings on the Alternate Configuration tab of the properties of the TCP/IP protocol.
If Automatic private IP address is selected, the DHCP client auto-configures its IP address and subnet mask by using a selected address from the Microsoft-reserved Class B network, 169.254.0.0, with the subnet mask 255.255.0.0. The DHCP client tests for an address conflict to ensure that the IP address is not in use on the network. If a conflict is found, the client selects another IP address. The client retries auto-configuration up to 10 times.
If User Configured is selected, the DHCP client configures a static IP address configuration. The DHCP client tests for an address conflict to ensure that the IP address is not already in use on the network. If a conflict is found, the DHCP client indicates the error condition to the user.
3. When the DHCP client succeeds in self-selecting an address, it configures its network interface with the IP address. The client then continues to check for a DHCP server in the background every five minutes. If a DHCP server responds, the DHCP client abandons its self-selected IP address and uses the address offered by the DHCP server (and any other DHCP option information that the server provides) to update its IP configuration settings.
If the DHCP client obtained a lease from a DHCP server on a previous occasion, and the lease is still valid (not expired) at system startup, the client tries to renew its lease. If, during the renewal attempt, the client fails to locate any DHCP server, it attempts to ping the default gateway listed in the lease, and proceeds in one of the following ways:
If the ping is successful, the DHCP client assumes that it is still located on the same network where it obtained its current lease, and continues to use the lease as long as the lease is still valid. By default the client then attempts, in the background, to renew its lease when 50 percent of its assigned lease time has expired.
If the ping fails, the DHCP client assumes that it has been moved to a network where a DHCP server is not available. The client then auto-configures its IP address by using the settings on the Alternate Configuration tab. When the client is auto-configured, it attempts to locate a DHCP server and obtain a lease every five minutes.
Scopes
A scope must be properly defined and activated before DHCP clients can use the DHCP server for automatic TCP/IP configuration. A DHCP scope is an administrative collection of IP addresses and TCP/IP configuration parameters that are available for lease to DHCP clients of a specific subnet. The network administrator creates a scope for each subnet.
DHCP Messages
The following list includes the eight types of messages that can be sent between DHCP clients and servers. For more information about the structure and specifics of each of these packets, see DHCP Message Format later in this section.
DHCPDiscover: Broadcast by a DHCP client when it first attempts to connect to the network. The DHCPDiscover message requests IP address information from a DHCP server.
DHCPOffer: Broadcast by each DHCP server that receives the client DHCPDiscover message and has an IP address configuration to offer to the client. The DHCPOffer message contains an unleased IP address and additional TCP/IP configuration information, such as the subnet mask and default gateway. More than one DHCP server can respond with a DHCPOffer message. The client accepts the best offer, which for a Windows DHCP client is the first DHCPOffer message that it receives.
DHCPRequest: Broadcast by a DHCP client after it selects a DHCPOffer. The DHCPRequest message contains the IP address from the DHCPOffer that it selected. If the client is renewing or rebinding to a previous lease, this packet might be unicast directly to the server.
DHCPAck: Broadcast by a DHCP server to a DHCP client acknowledging the DHCPRequest message. At this time, the server also forwards any options. Upon receipt of the DHCPAck, the client can use the leased IP address to participate in the TCP/IP network and complete its system startup. This message is typically broadcast, because the DHCP client does not officially have an IP address that it can use at this point. If the DHCPAck is in response to a DHCPInform, then the message is unicast directly to the host that sent the DHCPInform message.
DHCPNack: Broadcast by a DHCP server to a DHCP client denying the client's DHCPRequest message. This might occur if the requested address is incorrect because the client moved to a new subnet or because the DHCP client's lease has expired and cannot be renewed.
DHCPDecline: Broadcast by a DHCP client to a DHCP server, informing the server that the offered IP address is declined because it appears to be in use by another computer.
DHCPRelease: Sent by a DHCP client to a DHCP server, relinquishing an IP address and canceling the remaining lease. This is unicast to the server that provided the lease.
DHCPInform: Sent from a DHCP client to a DHCP server, asking only for additional local configuration parameters; the client already has a configured IP address. This message type is also used by DHCP servers running Windows Server 2003 to detect unauthorized DHCP servers.
DHCP Lease Process
A DHCP-enabled client obtains a lease for an IP address from a DHCP server. Before the lease expires, the DHCP client must renew the lease or obtain a new lease. Leases are retained in the DHCP server database for a period of time after expiration. By default, this grace period is four hours and cleanup occurs once an hour for a DHCP server running Windows Server 2003. This protects a client's lease in case the client and server are in different time zones, the internal clocks of the client and server computers are not synchronized, or the client is off the network when the lease expires.
Obtaining a New Lease
A DHCP client initiates a conversation with a DHCP server when it is seeking a new lease, renewing a lease, rebinding, or restarting. The DHCP conversation consists of a series of DHCP messages passed between the DHCP client and DHCP servers. The following figure shows an overview of this process when the DHCP server and DHCP client are on the same subnet.
DHCP Lease Process Overview
1. The DHCP client requests an IP address by broadcasting a DHCPDiscover message to the local subnet.
2. The client is offered an address when a DHCP server responds with a DHCPOffer message containing an IP address and configuration information for lease to the client.
If no DHCP server responds to the client request, the client sends DHCPDiscover messages at intervals of 0, 4, 8, 16, and 32 seconds, plus a random interval of between -1 second and 1 second. If there is no response from a DHCP server after one minute, the client can proceed in one of two ways:
If the client is using the Automatic Private IP Addressing (APIPA) alternate configuration, the client self-configures an IP address for its interface.
If the client does not support alternate configuration, such as APIPA, or if IP auto-configuration has been disabled, the client network initialization fails.
In both cases, the client begins a new cycle of DHCPDiscover messages in the background every five minutes, using the same intervals as before (0, 4, 8, 16, and 32 seconds), until it receives a DHCPOffer message from a DHCP server.
3. The client indicates acceptance of the offer by selecting the offered address and broadcasting a DHCPRequest message in response.
4. The client is assigned the address and the DHCP server broadcasts a DHCPAck message in response, finalizing the terms of the lease.
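The four-step exchange above, together with the Automatic IP Configuration behaviour described earlier on this page (the 0/4/8/16/32-second Discover schedule, the one-minute window, the APIPA fallback with its conflict check and ten retries, the five-minute background retry, and the gateway ping when a client starts with an unexpired lease), is modelled in the following added example. It is my code, not Microsoft's DHCP Client service: the server is an in-memory stand-in that offers the first free address from a pool, and all addresses come from the 192.0.2.0/24 documentation range (constructed). The choice to skip the first and last /24 of 169.254.0.0/16 when self-selecting is mine, not something the text requires.

```python
"""Added example (mine, not Microsoft's DHCP Client service): a model of the
client behaviour described above: DHCPDiscover send times, the one-minute
window, the APIPA fallback with conflict checks, the Discover/Offer/Request/
Ack exchange, and the startup check with an unexpired lease. The server is
an in-memory stand-in; every address is constructed (192.0.2.0/24)."""

import ipaddress
import random

DISCOVER_OFFSETS = (0, 4, 8, 16, 32)    # seconds after the first attempt
RETRY_CYCLE_SECONDS = 300               # new Discover cycle every five minutes
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")
APIPA_MAX_TRIES = 10


def discover_schedule(seed=0):
    """Send times for one cycle: 0, 4, 8, 16, 32 s plus jitter in [-1, 1] s."""
    rng = random.Random(seed)
    return [max(0.0, t + rng.uniform(-1.0, 1.0)) for t in DISCOVER_OFFSETS]


def is_apipa(address):
    return ipaddress.ip_address(address) in APIPA_NET


def pick_apipa_address(addresses_in_use, seed=0):
    """Self-select a 169.254.x.y address, re-trying on conflict; None after 10 tries."""
    rng = random.Random(seed)
    for _ in range(APIPA_MAX_TRIES):
        # skip 169.254.0.x and 169.254.255.x: my choice, not required by the text
        candidate = str(APIPA_NET[rng.randint(256, APIPA_NET.num_addresses - 257)])
        if candidate not in addresses_in_use:
            return candidate
    return None


def make_server(pool, server_id="192.0.2.1", lease_seconds=86400):
    """Stand-in DHCP server: offers the first unleased address from `pool` and
    acknowledges any request for one of its own addresses."""
    leased = set()

    def handle(msg):
        if msg["type"] == "DHCPDiscover":
            free = [a for a in pool if a not in leased]
            if not free:
                return None                     # nothing to offer: stay silent
            return {"type": "DHCPOffer", "xid": msg["xid"], "yiaddr": free[0],
                    "server_id": server_id, "lease": lease_seconds}
        if msg["type"] == "DHCPRequest":
            if msg["server_id"] != server_id or msg["requested"] not in pool:
                return {"type": "DHCPNak", "xid": msg["xid"]}
            leased.add(msg["requested"])
            return {"type": "DHCPAck", "xid": msg["xid"], "yiaddr": msg["requested"],
                    "server_id": server_id, "lease": lease_seconds}
        return None

    return handle


def obtain_lease(server, seed=0, apipa_enabled=True, addresses_in_use=frozenset()):
    """One Discover cycle. `server` is a callable msg -> reply, or None when no
    server is reachable. Returns the client state plus a transcript of both sides."""
    xid = random.Random(seed).getrandbits(32)
    transcript = []
    for t in discover_schedule(seed):
        discover = {"type": "DHCPDiscover", "xid": xid, "at": round(t, 1)}
        transcript.append(("client", discover))
        offer = server(discover) if server else None
        if not offer:
            continue
        transcript.append(("server", offer))
        request = {"type": "DHCPRequest", "xid": xid,
                   "requested": offer["yiaddr"], "server_id": offer["server_id"]}
        transcript.append(("client", request))
        ack = server(request)
        transcript.append(("server", ack))
        if ack and ack["type"] == "DHCPAck":
            return {"state": "bound", "address": ack["yiaddr"], "lease": ack["lease"],
                    "server_id": ack["server_id"],
                    "renew_after": ack["lease"] // 2,   # renewal starts at 50% of the lease
                    "transcript": transcript}
    # No DHCPAck inside the one-minute window: fall back (or fail), then keep
    # trying in the background every five minutes.
    address = pick_apipa_address(addresses_in_use, seed) if apipa_enabled else None
    return {"state": "apipa" if address else "failed", "address": address,
            "next_discover_in": RETRY_CYCLE_SECONDS, "transcript": transcript}


def startup_with_valid_lease(lease, server, gateway_reachable):
    """Startup with an unexpired lease: try to renew; if no server answers,
    ping the default gateway to decide whether the lease is still usable."""
    renew = {"type": "DHCPRequest", "xid": 1, "requested": lease["address"],
             "server_id": lease["server_id"]}
    reply = server(renew) if server else None
    if reply and reply["type"] == "DHCPAck":
        return "renewed"
    if reply and reply["type"] == "DHCPNak":
        return "new_discover_cycle"     # e.g. the client moved to another subnet
    return "keep_lease" if gateway_reachable else "autoconfigure"
```

Calling `obtain_lease(None)` (no server reachable) yields five DHCPDiscover entries in the transcript and an APIPA address with `next_discover_in` of 300 seconds; calling it with `make_server([...])` yields the Discover, Offer, Request, Ack sequence and a `renew_after` of half the lease.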