
Tips - Resources

Tuesday, April 24, 2012 19:21

Exam 70-642 - Passed [TIP]


Pasted from <http://social.technet.microsoft.com/Forums/pt/cermicrosoftpt/thread/604a5747-2de1-403ab1e8-9772100e7a5c>

70-642 Page 1

Curriculum - 70-642
Monday, May 7, 2012 21:12

Configuring Addressing and Services (21 percent)
Configure IPv4 and IPv6 addressing. May include but is not limited to: configure IP address options; subnetting; supernetting; multihomed; interoperability between IPv4 and IPv6
Configure Dynamic Host Configuration Protocol (DHCP). May include but is not limited to: DHCP options; creating new options; PXE boot; default user profiles; DHCP relay agents; exclusions; authorize server in Active Directory; scopes; DHCPv6
Configure routing. May include but is not limited to: static routing; persistent routing; Routing Internet Protocol (RIP); metrics; choosing a default gateway; maintaining a routing table; demand-dial routing; IGMP proxy
Configure Windows Firewall with Advanced Security. May include but is not limited to: inbound and outbound rules; custom rules; authorized users; authorized computers; configure firewall by using Group Policy; network location profiles; service groups; import/export policies; isolation policy; IPsec group policies; Connection Security Rules
Resources - Studied
http://www.learntcpip.com/
www.learntosubnet.com
http://Gogonet.gogo6.com

Subnetting in 6 easy steps - part 1 - http://www.youtube.com/watch?v=wl5_J0UtINg&feature=fvwrel
IP Addressing and Subnetting pt 1 - http://www.youtube.com/watch?v=blkuQPvu2T8&feature=related
70-642 11 hour free training course all on YouTube - http://www.youtube.com/playlist?list=PL0508D3F0057D1D5F
SVRHOL301 Adding IPv6 services to your IPv4 Network - https://tr14.mytechready.com/ViewTracker.aspx?topicid=d036dd18-4a7c-e011b237-001ec953730b&viewtype=vlab

Configuring Names Resolution (22 percent)
Configure a Domain Name System (DNS) server. May include but is not limited to: conditional forwarding; external forwarders; root hints; cache-only; socket pooling; cache locking
Configure DNS zones. May include but is not limited to: zone scavenging; zone types; Active Directory integration; Dynamic Domain Name System (DDNS); Secure DDNS; GlobalNames; zone delegation; DNS Security Extensions (DNSSEC); reverse lookup zones
Configure DNS records. May include but is not limited to: record types; Time to live (TTL); weighting records; registering records; netmask ordering; DnsUpdateProxy group; round robin; DNS record security; auditing
Configure DNS replication. May include but is not limited to: DNS secondary zones; DNS stub zones; Active Directory Integrated replication scopes; securing zone transfer; SOA refresh; auditing
Configure name resolution for client computers. May include but is not limited to: configuring HOSTS file; Link-Local Multicast Name Resolution (LLMNR); broadcasting; resolver cache; DNS server list; Suffix Search order; DNS devolution
Studied

Configuring Network Access (18 percent)
Configure remote access. May include but is not limited to: dial-up; Remote Access Policy; Network Address Translation (NAT); VPN protocols, such as Secure Socket Tunneling Protocol (SSTP) and IKEv2; Routing and Remote Access Services (RRAS); packet filters; Connection Manager; VPN reconnect; RAS authentication by using MS-CHAP, MS-CHAP v2, and EAP
Configure Network Access Protection (NAP). May include but is not limited to: network layer protection; DHCP enforcement; VPN enforcement; RDS enforcement; configure NAP health policies; IPsec enforcement; 802.1x enforcement; flexible host isolation; multi-configuration System Health Validator (SHV)
Configure DirectAccess. May include but is not limited to: IPv6; IPsec; server requirements; client requirements; perimeter network; name resolution policy table
Configure Network Policy Server (NPS). May include but is not limited to: IEEE 802.11 wireless; IEEE 802.3 wired; group policy for wireless; RADIUS accounting; Connection Request policies; RADIUS proxy; NPS templates
Studied

Configuring File and Print Services (20 percent)
Configure a file server. May include but is not limited to: file share publishing; Offline Files; share permissions; NTFS permissions; encrypting file system (EFS); BitLocker; Access-Based Enumeration (ABE); branch cache; Share and Storage Management console
Configure Distributed File System (DFS). May include but is not limited to: DFS namespace; DFS configuration and application; creating and configuring targets; DFS replication; read-only replicated folder; failover cluster support; health reporting
Configure backup and restore. May include but is not limited to: backup types; backup schedules; managing remotely; restoring data; shadow copy services; volume snapshot services (VSS); bare metal restore; backup to remote file share
Manage file server resources. May include but is not limited to: FSRM; quota by volume or quota by user; quota entries; quota templates; file classification; Storage Manager for SANs; file management tasks; file screening
Configure and monitor print services. May include but is not limited to: printer share; publish printers to Active Directory; printer permissions; deploy printer connections; install printer drivers; export and import print queues and printer settings; add counters to Performance Monitor to monitor print servers; print pooling; print priority; print driver isolation; location-aware printing; print management delegation

Studied

Monitoring and Managing a Network Infrastructure (20 percent)
Configure Windows Server Update Services (WSUS) server settings. May include but is not limited to: update type selection; client settings; Group Policy object (GPO); client targeting; software updates; test and approval; disconnected networks
Configure performance monitoring. May include but is not limited to: Data Collector Sets; Performance Monitor; Reliability Monitor; monitoring System Stability Index; page files; analyze performance data
Configure event logs. May include but is not limited to: custom views; application and services logs; subscriptions; attaching tasks to events; find and filter
Gather network data. May include but is not limited to: Simple Network Management Protocol (SNMP); Network Monitor; Connection Security Rules monitoring
Studied

Additional Information
Preparation Tools and Resources
To help you prepare for this exam, Microsoft Learning recommends that you have hands-on experience with the product and that you use the following training resources. These training resources do not necessarily cover all of the topics listed in the "Skills Measured" tab.
Learning Plans and Classroom Training: 6421B: Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure (5 Days)
Microsoft E-Learning: 6421BE: Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure (16 Hours)
Microsoft Press Books: MCTS Self-Paced Training Kit (Exam 70-642): Configuring Windows Server 2008 Network Infrastructure (2nd Edition)
Practice Tests: MeasureUp (Measureup.com), Self Test Software (Selftestsoftware.com)

Microsoft Online Resources
Windows Server 2008 Learning Portal: Find special offers and information on training and certification.
Product information: Visit the Windows Server 2008 Web site for detailed technology information.
Microsoft Learning Community: Join newsgroups and visit community forums to connect with your peers for suggestions on training resources and advice on your certification path and studies.
TechNet: Designed for IT professionals, this site includes how-to instructions, best practices, downloads, technical resources, newsgroups, and chats.
MSDN: Designed for developers, the Microsoft Developer Network (MSDN) features code samples, technical articles, downloads, newsgroups, and chats.
Have Questions?
For advice about training and certification, connect with peers: Visit the training and certification forum
For questions about a specific certification, chat with a Microsoft Certified Professional (MCP): Visit our MCP newsgroups
To find out about recommended blogs, Web sites, and upcoming Live Meetings on popular topics, visit our community site: Visit the Microsoft Learning community


Other Training - Post on Thrive


Monday, May 7, 2012 22:37

SVRHOL313 iSCSI Software Target 3.3 enabling Hyper-V storage on Windows Server 2008 R2 https://tr14.mytechready.com/ViewTracker.aspx?topicid=fef79803-8c81-e011b237-001ec953730b&viewtype=vlab


70-693 Pro: Windows Server 2008 R2, Virtualization Administrator


Monday, November 21, 2011 2:29 AM

Virtualization Team Blog http://blogs.technet.com/b/virtualization/ http://virtualizationbrazil.wordpress.com/

Partner Exam Academy: Prepare for Certification (free online training) https://partner.microsoft.com/global/40169642
Exam 70-693 tips
http://www.atillaarruda.com.br/2011/11/18/estudo-chuck-norris-para-a-certificacao-70-693/
http://blogs.technet.com/b/gbanin/archive/2010/12/16/dicas-para-exame-70-693.aspx
http://www.mcsesolution.com/Certifica%C3%A7%C3%A3o-Microsoft/mcitp-windows-server-2008-r2-virtualizationadministrator.html


Read ebook: http://download.microsoft.com/download/5/B/4/5B46A838-67BB-4F7C-92CB-EABCA285DFDD/693821ebook.pdf
Microsoft Learning: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-693&locale=en-us#tab2
Skills Being Measured
This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam.
Designing a Virtualization Strategy
Recommend a virtualization technology. This objective may include but is not limited to: server virtualization, Application Virtualization (App-V), virtual desktop infrastructure (VDI), Remote Desktop Services (RDS), Microsoft Enterprise Desktop Virtualization (MED-V), Microsoft Virtual PC
Plan capacity.
Plan licensing. This objective may include but is not limited to: operating system editions
Design solutions for integration with third-party products. This objective may include but is not limited to: hypervisors, VDIs, and management tools
Designing the Physical and Virtual Infrastructure
Plan hardware and virtual resource requirements. This objective may include but is not limited to: CPUs, memory, disk, host, parent, child, performance, networking, Second Level Address Translation (SLAT), CPU Core Parking
Design storage. This objective may include but is not limited to: dynamic, fixed, differential, pass-through; logical unit number (LUN) considerations
Design networking. This objective may include but is not limited to: virtual network type, host NIC configuration, VLAN, TCP chimney, jumbo frames, Virtual Machine Queue (VMQ)
Plan snapshots and checkpoints.
Designing a Highly Available Virtual Environment
Design parent for high availability. This objective may include but is not limited to: Windows Server 2008 Failover Clustering, migration types, Cluster Shared Volumes (CSV)
Design child for high availability. This objective may include but is not limited to: Windows Server 2008 Failover Clustering, Network Load Balancing (NLB), shared storage
Design for migration type. This objective may include but is not limited to: quick migration, live migration, storage area network (SAN) migration, network migration
Designing a Deployment Strategy
Design a virtual machine deployment. This objective may include but is not limited to: Virtual Machine Manager, Self-Service Portal (SSP), Windows PowerShell, scripting, Configuration Manager
Plan a virtual machine conversion. This objective may include but is not limited to: physical to virtual (P2V), virtual to virtual (V2V)
Design a virtual desktop infrastructure (VDI) deployment. This objective may include but is not limited to: broker, profile management, applications, methods of access, static and dynamic deployment
Design an App-V deployment. This objective may include but is not limited to: server roles, server role placement, application compatibility
70-693 Page 7


Designing a Management Strategy
Plan backup and recovery for parent and child partitions.
Design a monitoring strategy. This objective may include but is not limited to: design for a parent, design for a child; integration with Operations Manager
Plan updates and maintenance. This objective may include but is not limited to: offline image maintenance, hardware maintenance, integration services
Design an administrative strategy. This objective may include but is not limited to: management networks, remote administration, Virtual Machine Manager, Authorization Manager
Preparation Tools and Resources
To help you prepare for this exam, Microsoft Learning recommends that you have hands-on experience with the product and that you use the following training resources. These training resources do not necessarily cover all of the topics listed in the "Skills Measured" tab.
Classroom Training: 50273A: Planning and Designing Microsoft Virtualization Solutions (5 Days)
Microsoft E-Learning: There is no Microsoft E-Learning training currently available.
Microsoft Press Books: There are no Microsoft Press books currently available.
Practice Tests: There are no practice tests currently available.
Microsoft Online Resources
Learning Plan: Get started with a step-by-step study guide that is based on recommended resources for this exam.
Windows Server 2008 Learning Portal: Find special offers and information on training and certification.
Product information: Visit the Windows Server 2008 Web site for detailed product information.
TechNet: Designed for IT professionals, this site includes how-to instructions, best practices, downloads, technical resources, newsgroups, and chats.
MSDN: Designed for developers, the Microsoft Developer Network (MSDN) features code samples, technical articles, downloads, newsgroups, and chats.
Microsoft Learning Community: Join newsgroups and visit community forums to connect with your peers for suggestions on training resources and advice on your certification path and studies.
Have Questions?
For advice about training and certification, connect with peers: Visit the training and certification forum
For questions about a specific certification, chat with a Microsoft Certified Professional (MCP): Visit our MCP newsgroups
To find out about recommended blogs, Web sites, and upcoming Live Meetings on popular topics, visit our community site: Visit the Microsoft Learning community
Pasted from <http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-693&locale=en-us>

p. 310 Virtualization


VDI
Monday, November 21, 2011 2:56 AM

http://technet.microsoft.com/en-us/edge/video/ff955830

Desktop Virtualization
Visible: The user sees a window that displays the desktop of the virtualized client Operating System (Virtual Machine).
Invisible: Virtualized applications are displayed on the host computer's desktop as local, even though these applications are running within the guest operating system (Virtual Machine). This scenario is sometimes known as Application Virtualization.
Desktop Virtualization can be either Local or Remote

Microsoft Virtual Desktop Infrastructure (VDI) Explained


Pasted from <http://blogs.technet.com/b/yungchou/archive/2010/01/06/microsoftvirtual-desktop-infrastructure-vdi-explained.aspx>

Three Local Desktop Virtualization Technologies:
1. Windows Virtual PC and the Windows XP Mode Environment: Component to be installed optionally. Windows XP is a preconfigured VM with WinXP SP3 that is installed. Used Scenario: Used for small businesses to address applications incompatibility issues.
2. Microsoft Enterprise Desktop Virtualization (MED-V): is an enterprise solution for desktop virtualization that allows administrators to create, deliver, and manage corporate Virtual PC images on any Windows-based desktop. Used Scenario: Used for medium to large businesses to address applications incompatibility issues, in a centralized way by administrators.
3. Microsoft Application Virtualization (App-V): App-V lets administrators transform applications into centrally managed virtual services to reduce the cost of application deployment, eliminate application conflicts and reboots, simplify your base image footprint to expedite PC provisioning, and increase user productivity. Used Scenarios:
- Full Infrastructure: This scenario uses the App-V Management Server, which provides full streaming capabilities, Desktop Configuration Service, active/package upgrade, and basic licensing and metering. This infrastructure requires Active Directory and SQL Server and is an update to the existing SoftGrid Virtual Application Server that version 4.2 customers are familiar with using.
- Lightweight Infrastructure: This scenario uses the App-V Streaming Server, which includes streaming capabilities such as active/package upgrade without the Active Directory or SQL Server requirements. However, it does not have a Desktop Configuration Service or licensing or metering capabilities. This service relies on the manual or scripted addition of a manifest file for virtual application configuration. The Desktop Configuration Service of the App-V Management Server can also be used in conjunction with the App-V Streaming Server such that the Management Server configures the application but the Streaming Server delivers it.
- Standalone mode: The App-V Sequencer has an option to create an .msi file that automates the addition of the virtual application. The .msi contains metadata so that an ESD system can recognize it and control the virtualized applications. Standalone mode requires the App-V Client to go into Standalone mode, which allows only .msi-based updates of the virtual applications. (Streaming is not allowed while in Standalone mode.) This mode is meant for rarely connected users that need the power of virtualized applications but do not have access to a server.

Deploying Virtual Desktop Pools by Using Remote Desktop Web Access Step-by-Step Guide
Pasted from <http://technet.microsoft.com/enus/library/dd883265(WS.10).aspx>

VDI Day: Hyper-V and VMM as a platform for VDI


Pasted from <http://technet.microsoft.com/en-us/edge/Video/hh134257>

VDI Day: Designing your VDI Implementation


Pasted from <http://technet.microsoft.com/en-us/edge/video/tdbe11-vdiday-designing-your-vdi-implementation>

Desktop Virtualization
Pasted from <http://technet.microsoft.com/en-us/windows/gg276319.aspx>

User State Virtualization: allows application and desktop users to virtualize their user settings and data by storing them on the network. Three Microsoft technologies make user state virtualization possible: roaming user profiles, Folder Redirection, and Offline Files.

Part 7- Building VDI using Remote Desktop Services (RDS)


<http://www.ms4u.info/2010/09/part-7-building-vdi-using-remote.html>

Understanding Microsoft Virtual Desktop Infrastructure


Whereas Remote Desktop Services is an installable feature of Windows Server platforms and App-V for RDS is a downloadable client application, Microsoft Virtual Desktop Infrastructure (VDI) is much more than a feature or application. Microsoft VDI, in fact, is an architectural model that enables entire desktop operating systems, such as Windows 7 Enterprise edition, to run on a server located in a datacenter.
In a typical VDI deployment, hundreds or even thousands of desktop virtual machines run on a small number of centralized servers using shared storage such as a storage area network (SAN). With VDI, administrators can dynamically provision virtual desktops as needed, move them across different hardware and storage platforms, back up running and stored virtual machines, reassign user rights to another device in case of endpoint failure, and manage other aspects of the virtualization environment.

Understanding Microsoft's VDI Architecture
At a high level, Microsoft's VDI architecture consists of three components:
Hardware layer: This layer includes one or more datacenter servers that support hardware virtualization and shared storage such as a SAN, where the virtual machines can be stored.
Client access points: This component includes client computing devices, which can be either rich clients (Windows PCs) or thin clients (Windows terminal devices) connected to the datacenter over an internal private network or even over the Internet.
Licensing: There are two types of licensing requirements for implementing a Microsoft VDI solution:
- VDI suite licensing: The use rights for technology developed by Microsoft that provides virtualization, management, desktop-delivery, and application-delivery capabilities you can use to deploy a VDI infrastructure within your organization.
- Additional licensing: In addition to the use rights for the server and management infrastructure included in the VDI suite, you also need to purchase licenses to run virtual copies of Windows client operating systems on your servers so that your users can legally access the virtual desktops. These licenses are known as Windows Virtual Enterprise Centralized Desktop (Windows VECD).

Getting Started: Remote Desktop Services


Pasted from <http://technet.microsoft.com/enus/library/dd736539(WS.10).aspx>

Understanding Microsoft VDI Suites


Microsoft offers two packaged VDI solutions that include server and management platforms and tools together with licensing (as shown in Figure 4-21):
VDI Standard suite: This VDI offering is designed to help organizations deploy the basic infrastructure for VDI and includes the following components:
- Hyper-V Server 2008 R2 as the virtualization;
- An integrated management suite consisting of System Center Virtual Machine Manager 2008 R2, System Center Operations Manager 2007 R2, and System Center Configuration Manager 2007 R2;
- Microsoft Desktop Optimization Pack (MDOP);
- Connection Brokering capability through Windows Server 2008 R2 Remote Desktop Services
Note that the use rights for Remote Desktop Services in the Standard VDI suite are restricted. This means that delivery of session-based desktops or RemoteApp programs using RD Session Host servers is not allowed for this VDI offering. RD Session Host servers can be used only for VDI-specific purposes, that is, they can run only in redirection mode.
VDI Premium suite: This VDI offering is designed for customers who want additional flexibility in their VDI deployment and includes everything the Standard Suite includes plus the following:
- Full (unrestricted) Remote Desktop Services capability, including the option to deploy session-based desktops in addition to VDI desktops.
- Microsoft Application Virtualization for Remote Desktop Services (App-V for RDS)


MED-V
Monday, November 21, 2011 2:56 AM

Microsoft Enterprise Desktop Virtualization (MED-V) Administration Video Series

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5924 http://www.microsoft.com/en-us/showcase/details.aspx?uuid=1ed566b5-5514-464b-aa46-fed855c2a000

MED-V Trial Guide


Pasted from <http://www.microsoft.com/download/en/details.aspx?displayLang=en&id=21677 >

MED-V

Microsoft Enterprise Desktop Virtualization 2.0 Updated: March 10, 2011


Applies To: Microsoft Enterprise Desktop Virtualization 2.0

Setup Manager is used to create an answer file as part of Sysprep of the Virtual Machine image.

Inserted from: <file://C:\Users\v-62doz\Desktop\MCITP Virtualization\MEDV Architecture June09.pdf>

Welcome to Microsoft Enterprise Desktop Virtualization (MED-V) 2.0. MED-V 2.0 uses Windows Virtual PC to provide an enterprise solution for desktop virtualization. By using MED-V, you can easily create, deliver, and manage corporate Windows Virtual PC images on any Windows-based desktop running Windows 7 Professional, Enterprise, or Windows 7 Ultimate. MED-V is an integral component of the Microsoft Desktop Optimization Pack, a dynamic solution available to Software Assurance customers, which helps reduce software installation costs, enables delivery of applications as services, and helps manage and control enterprise desktop environments.

For more information about how to perform MED-V tasks, use the following sections.
In This Section
Getting Started with MED-V
Planning for MED-V
Deployment of MED-V
Operations for MED-V
Troubleshooting MED-V
Security and Protection for MED-V
Technical Reference for MED-V


Pasted from <http://technet.microsoft.com/en-us/library/gg548505.aspx>


APP-V
Monday, November 21, 2011 3:13 AM


Application Virtualization Whitepapers


Pasted from <http://technet.microsoft.com/en-us/appvirtualization/cc843994.aspx>

Microsoft Application Virtualization (App-V) Documentation Resources Download Page


Pasted from <http://www.microsoft.com/download/en/details.aspx?id=27760>

The process of creating the virtual environment is known as sequencing.


Applications that are App-V enabled are never allowed to install or modify the local file system or local registry. When an application is App-V enabled, it is made to run inside its own virtual environment.
When the application is deployed, it is isolated from any other applications that were sequenced or that are still locally installed on the client, guaranteeing a conflict-free environment. A sequenced application package contains four types of files that make up a virtual application and allow the virtual application to run. These files are created after sequencing and include the following types of files:
.ico file: This is the type of file for the icon on the client's desktop used to launch a sequenced application.
.osd file: This is an XML-based Open Software Descriptor file that instructs the client on how to retrieve the sequenced application from the App-V Management Server or Streaming Server and how to run the sequenced application in its virtual environment.
.sft file: This type of file contains one or more sequenced applications that the Sequencer has packaged into streaming blocks, as well as the associated delivery information. An .sft file is stored on each server that must stream the packaged applications to a client.
.sprj file: This is an XML-based Sequencer Project file in which the Sequencer stores its Exclusion Items and Parse Items information. An .sprj file is used in the creation of application records and when upgrading a package.


In addition, a sequenced application package can also contain a Microsoft Windows Installer (.msi) file that can be used for standalone distribution of virtual applications, for publishing application packages using an electronic software distribution (ESD) system such as Microsoft System Center Configuration Manager 2007, or for both purposes.

Publishing Applications
There are three publishing delivery methods supported by App-V:
- Using the App-V Management Server
- Using an ESD system such as System Center Configuration Manager 2007
- Standalone delivery

Streaming Packages
After an application has been published and its .ico and .osd files have been streamed to the client, the virtual application package content file (.sft file) must be delivered to the client. App-V supports various ways of doing this, including using the App-V Management Server, an Internet Information Services (IIS) Web server, a file server, standalone delivery, or a distribution point running IIS within a System Center Configuration Manager 2007 environment.
The first time a user double-clicks on an application icon that has been placed on a computer via the publishing process, the App-V Client first performs authorization and license checking. The client then begins streaming the virtual application package content (.sft file) from the configured streaming source location. The way this works is that the .sft file is mounted in RAM on the streaming server, which then delivers the application in blocks of 32 KB size by default over the wire to the client.
The streaming source location is typically a server that is local to (accessible over a well-connected network) the user's computer, but some electronic distribution systems such as System Center Configuration Manager 2007 can distribute .sft files to a folder on the user's computer and then stream the package from that local folder. A streaming source location for virtual application packages can even be set up on a computer that is not a server, that is, on a workstation. This type of solution can be especially useful in a small branch office location that has no server.

App-V Components
The App-V environment consists of the following components:
App-V Management Server - Used for streaming the virtual application package. Should be installed on a dedicated server. Needs access to a SQL database and to the Content folder. It can use RTSP, RTSPS, HTTP or HTTPS to stream application data to authorized users.
App-V Management Web Service - Responsible for communicating read/write requests to the App-V Data Store. Functions as an intermediary between the Management Console and the Data Store. Can be installed on either the Management Server or on a separate server that has IIS 6.0 or higher installed.
App-V Data Store - Is a required component when you deploy an App-V Management Server. Responsible for storing all information related to the App-V infrastructure, such as: configuration info, reporting, application records, application assignments, licensing info, logging. Can be installed on SQL 2005 or SQL 2008.
App-V Streaming Server - Responsible for hosting and streaming virtual application packages to App-V clients. It is like a lightweight version of the Management Server that includes only the streaming functionality. Doesn't include the App-V Web Service and doesn't require using a SQL database. Instead, it uses access control lists (ACLs) for granting user access to the package files.
App-V Management Console - Is an MMC snap-in you can use to manage your App-V environment. Many management tasks can be done, such as: import applications, manage file type associations, manage application licenses, create and manage server groups, generate reports, etc.
App-V Sequencer - Is a wizard-based tool that can be used to monitor and capture the installation of an application to create a virtual application package. After an application has been sequenced, the resulting App-V enabled application package can be delivered to users on demand. After the sequencing process is finished, its files must be copied to the Content folder before they can be streamed. The sequencer component must be installed on a separate computer from other App-V components.
Tip: Some applications cannot be sequenced, including Internet Explorer, device drivers, applications that start services at boot time, and some other parts of the Windows operating system.
App-V Client - Is the software component that resides on the client computer. It also handles the streaming of the application from a Management Server or from a Streaming Server. There are two kinds of App-V client software:
- App-V Desktop Client
- App-V Terminal Services Client
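The package file types listed above, the streaming transports the Management Server can use (RTSP, RTSPS, HTTP, HTTPS) and the .osd descriptor that tells the client where to fetch the .sft from can be turned into a simple audit of a package folder. The PowerShell script below is an added example and is not code from these notes or from Microsoft: it checks that a sequenced package folder contains all four file types (.ico, .osd, .sft, .sprj), parses each .osd as XML and reports which transport its CODEBASE HREF points at, flagging RTSP and HTTP, which carry the .sft blocks in the clear, against RTSPS and HTTPS, which run over TLS. The function name Get-AppVPackageReport, the folder layout and the .osd sample are constructed assumptions; the element names SOFTPKG, IMPLEMENTATION and CODEBASE only approximate the App-V 4.x OSD layout.

```powershell
# Added example, not from the notes or from Microsoft. Audits an App-V 4.x
# sequenced package folder: verifies the four file types the notes list and
# reports the streaming transport each .osd descriptor points at.
# Assumptions: the function name, the folder layout and the .osd sample are
# constructed; SOFTPKG/IMPLEMENTATION/CODEBASE approximate the 4.x OSD schema.
# Requires PowerShell 3.0 or later (-File, -in/-notin).

function Get-AppVPackageReport {
    param(
        [Parameter(Mandatory = $true)]
        [string] $PackageFolder
    )

    # The four file types a sequenced package is expected to contain.
    $required = @('.ico', '.osd', '.sft', '.sprj')
    $present  = Get-ChildItem -Path $PackageFolder -File |
                ForEach-Object { $_.Extension.ToLowerInvariant() } |
                Sort-Object -Unique
    $missing  = @($required | Where-Object { $_ -notin $present })

    # Parse each .osd (XML Open Software Descriptor) and classify the transport
    # of its CODEBASE HREF: rtsps/https are TLS-protected, rtsp/http deliver
    # the .sft blocks in the clear and can be read or altered on the path.
    $descriptors = foreach ($osd in Get-ChildItem -Path $PackageFolder -Filter '*.osd' -File) {
        [xml] $doc = Get-Content -Path $osd.FullName -Raw
        $codebase  = $doc.SOFTPKG.IMPLEMENTATION.CODEBASE
        $href      = $codebase.GetAttribute('HREF')
        $uri       = [System.Uri] $href
        [pscustomobject] @{
            Descriptor = $osd.Name
            Package    = $doc.SOFTPKG.GetAttribute('NAME')
            Source     = $href
            Scheme     = $uri.Scheme
            Encrypted  = ($uri.Scheme -in @('rtsps', 'https'))
        }
    }

    [pscustomobject] @{
        Folder       = $PackageFolder
        MissingTypes = $missing
        Descriptors  = @($descriptors)
    }
}

# --- Demo on a constructed package folder (no real App-V installation) ---
$pkg = Join-Path ([System.IO.Path]::GetTempPath()) 'AppVAuditDemo'
New-Item -ItemType Directory -Path $pkg -Force | Out-Null

# Constructed .osd pointing at a plain RTSP source on port 554.
@'
<?xml version="1.0"?>
<SOFTPKG GUID="00000000-0000-0000-0000-000000000001" NAME="SampleApp" VERSION="1.0.0.0">
  <IMPLEMENTATION>
    <CODEBASE HREF="rtsp://appv01.example.test:554/SampleApp/SampleApp.sft" FILENAME="SampleApp.sft" />
  </IMPLEMENTATION>
</SOFTPKG>
'@ | Set-Content -Path (Join-Path $pkg 'SampleApp.osd') -Encoding ASCII

# Placeholder .ico and .sft; the .sprj is deliberately left out so the
# report shows a missing file type.
foreach ($name in 'SampleApp.ico', 'SampleApp.sft') {
    New-Item -ItemType File -Path (Join-Path $pkg $name) -Force | Out-Null
}

$report = Get-AppVPackageReport -PackageFolder $pkg
"Package folder : $($report.Folder)"
"Missing types  : $($report.MissingTypes -join ', ')"
$report.Descriptors | Format-Table Descriptor, Package, Scheme, Encrypted, Source -AutoSize
```

Run against the real Content folder, the same function can be called once per package subfolder; a descriptor reported with Encrypted = False is one whose clients will stream the package over RTSP or HTTP, and a non-empty MissingTypes list points at a package that was copied incompletely from the Sequencer. The Streaming Server case, where access is granted through ACLs on the package files, is not covered by this check and is audited on the file system instead.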


RDS
Monday, November 21, 2011 3:17 AM

Remote Desktop Services


Pasted from <http://technet.microsoft.com/en-us/windowsserver/ee236407>

Assess What's New in Remote Desktop Services Getting Started Step-by-Step Guides
Plan Infrastructure Planning and Design (IPD) Guides for Virtualization

Deploy Remote Desktop Services Deployment Guide Remote Desktop Services Migration Guide
Troubleshoot Troubleshooting RD Licensing Issues Remote Desktop Services Event-Based Troubleshooting
Pasted from <http://technet.microsoft.com/en-us/windowsserver/ee236407>


Remote Desktop Services in Windows Server 2008 R2 Updated: November 11, 2011


Applies To: Windows Server 2008 R2

Remote Desktop Services in Windows Server 2008 R2 provides technologies that enable users to access Windows-based programs that are installed on a Remote Desktop Session Host (RD Session Host) server, or to access the full Windows desktop. With Remote Desktop Services, users can access an RD Session Host server from within a corporate network or from the Internet.
In this section Step 1: Assess

Remote Desktop Services (RDS) Architecture Explained


Pasted from <http://blogs.technet.com/b/yungchou/archive/2010/01/04/remote-desktop-services-rds-architecture-explained.aspx>

Product Evaluation: Remote Desktop Services: What's new in Remote Desktop Services
Getting Started: Remote Desktop Services: Step-by-step guides for installing and deploying Remote Desktop Services role services and features
Step 2: Plan
Planning and Architecture: Remote Desktop Services: Hardware considerations and capacity planning guides

Getting Started: Remote Desktop Services - Step-by-Step Guides


Pasted from <http://technet.microsoft.com/en-us/library/dd736539(WS.10).aspx>

Step 3: Deploy
Deployment: Remote Desktop Services: Design Guide, Deployment Guide, Migration Guide
Step 4: Manage
Operations: Remote Desktop Services: Managing and operating Remote Desktop Services
Technical Reference: Remote Desktop Services: Group Policy settings and RDP settings

Step 5: Troubleshoot
Troubleshooting: Event messages, licensing issues, RDP

Related resources
Remote Desktop Services Component Architecture Poster - This poster provides a visual reference for understanding key Remote Desktop Services technologies in Windows Server 2008 R2.
Remote Desktop Services Script Center - The Remote Desktop Services Script Center contains a collection of scripts to help configure and deploy Remote Desktop Services.
Remote Desktop Services (Terminal Services) on the Windows Server TechCenter - TechCenters provide links to content outside of the Technical Library, including downloads, Knowledge Base articles, community (blogs and forums), and other resources.
Terminal Services in Windows Server 2008
Pasted from <http://technet.microsoft.com/en-us/library/dd647502(WS.10).aspx>

REMOTE DESKTOP SESSION HOST


This role enables RemoteApp and Remote Desktop sessions.

New features of the RD Session Host role service introduced in Windows Server 2008 R2 include the following:

* Configure Client Experience page - Adds a new wizard page to the Add Roles Wizard when installing the RD Session Host role service of the Remote Desktop Services role. This new wizard page lets you enable the following advanced experiences for RD Session Host session users:
  - Audio and video playback redirection - Lets users redirect audio and video output from their computer to an RD Session Host session.
  - Audio recording redirection - Lets users redirect the output of an audio recording device, such as a microphone, from their computer to an RD Session Host session.
  - Desktop composition - Provides Windows Aero user interface elements within an RD Session Host session.
* Per-user RemoteApp filtering - Lets you filter the list of RemoteApp programs available to a user account when logged on using RD Web Access.
* Fair-share CPU scheduling - Dynamically distributes processor time across RD Session Host sessions based on the number of active sessions and the load on those sessions using the kernel-level scheduling mechanism of Windows Server 2008 R2.
* Windows Installer RDS compatibility - Allows per-user application installations to be queued by the RD Session Host server and then handled by the Windows Installer.
* Roaming user profile cache management - Lets you limit the size of the overall profile cache for users of your RD Session Host server.
* Remote Desktop IP Virtualization - Lets IP addresses be assigned to Remote Desktop connections on either a per-session or per-program basis.


Note: You can install the RD Session Host role service on the Standard, Enterprise, or Datacenter edition of Windows Server 2008 R2, with the Standard edition limited to 250 Remote Desktop Services connections.

All Group Policy Settings for Remote Desktop Services in Windows Server 2008 R2
Pasted from <http://technet.microsoft.com/en-us/library/ee791756(WS.10).aspx>

Understanding Remote Desktop Web Access


The Remote Desktop Web Access (RD Web Access) role service of Windows Server 2008 R2 was formerly called Terminal Services Web Access (TS Web Access) in Windows Server 2008. Installing the Remote Desktop Web Access role service lets you use Internet Information Services (IIS) to simplify the deployment of RemoteApp programs, session-based desktops, and virtual desktops to users on your network.
* Per-user RemoteApp program filtering using RemoteApp and Desktop Connections: This enables RD Web Access to filter the view on a per-user basis so that each user logging on to RD Web Access sees only the programs that the administrator has configured for them to see.
* Single sign-on between RD Session Host and RD Web Access: This enhancement allows users to enter their user name and password only once when connecting to a RemoteApp program by using RD Web Access.
* Public and private computer option: There are now two ways for users to access the RD Web Access Web page: public and private mode. When a user selects public mode, her user name is not remembered in the Web browser and RD Web Access cookies storing her user name time out in 20 minutes. When the user selects private mode, cookies storing her user name remain available for four hours. In either mode, passwords are not stored.
* Forms-based authentication: This enables applications to provide their own logon page and perform their own credentials verification, and it uses ASP.NET to authenticate users, redirect unauthenticated users to the logon page, and perform all the necessary cookie management.

How RD Web Access Works


RD Web Access is implemented as a separate role service of the Remote Desktop Services role of Windows Server 2008 R2. Installing the RD Web Access role service on a server also installs the Web Server (IIS) role along with some of its components, which is needed to host the Web site that users connect to using their Web browsers to launch RemoteApp programs. Both the RD Web Access and RD Session Host role services must be present for RD Web Access to work. The simplest configuration is to install both the RD Web Access and RD Session Host role services on a single server. The RD Web Access and RD Session Host role services can also be installed on separate servers if needed. If this is done, however, you must add the computer account of the RD Web Access server to the RD Web Access Computers security group on your RD Session Host.

For larger deployments, you might install RD Web Access on a front-end Web server to service multiple RD Session Host servers on the back end. You can then configure RD Web Access to populate its list of RemoteApp programs from all your RD Session Host servers, including servers that belong to an RD Session Host farm. To connect to the RD Web Access server, a user opens a Web browser such as Internet Explorer and types https://<server_name>/rdweb in the address bar as described in the next section.

RD Connection Broker
The administrator can create a Workspace Configuration (.wcx) file using an RD Connection Broker server and distribute it to Windows 7 users so that RemoteApp and Desktop Connection can be configured without the user having to manually configure the RemoteApp and Desktop Connections Control Panel item.
The administrator can also create a .wcx file and use Group Policy to silently run a script on Windows 7 computers so that RemoteApp and Desktop Connection is set up automatically when users log on to their computers.

After the client side of RemoteApp and Desktop Connections has been configured, Windows 7 users will see a new RemoteApp and Desktop Connections program group on their Start menu, which they can use to launch RemoteApp programs, session-based desktops, and virtual desktops that have been published for them to use. (See Figure 4-14.)

To pull a feed of available RemoteApp programs, session-based desktops, and virtual desktops from your RD Web Access server, the user needs to type the URL for the RD Web Access Web site, which is always in the following form: https://<server_name>/RDWeb/Feed/webfeed.aspx, where <server_name> is the FQDN of the RD Web Access server.

How RD Connection Broker Works


Similar to the TS Session Broker role service of Windows Server 2008, the RD Connection Broker role service allows a user to reconnect to an existing session of a load-balanced RD Session Host server farm. RD Connection Broker does this by storing session state information, including session IDs and their associated user names, and the name of the RD Session Host server where each session resides. When a user having an existing session connects to an RD Session Host server in a load-balanced farm, the RD Connection Broker server redirects the user to the RD Session Host server where the user's session resides, preventing the user from being connected to a different server in the farm and thus having to start a new session. And if you enable the RD Connection Broker Load Balancing feature, the RD Connection Broker server can also do the following:
* Evenly distribute the session load between RD Session Host servers in a load-balanced RD Session Host server farm.
* Track the number of user sessions on each RD Session Host server in the farm.
* Redirect users who don't have an existing session to the RD Session Host server that has the fewest sessions.

* For an RD Web Access server to provide RemoteApp and Desktop Connection information from an RD Connection Broker server, you
must add the computer account for the RD Web Access server to the RD Web Access Computers security group on the RD Connection Broker server. You must be a member of the local Administrators group on the RD Connection Broker server to do this.

* For an RD Session Host server to provide redirection to virtual desktops, you must add the computer account for the RD Session Host
server to the Session Broker Computers security group on the RD Connection Broker server. And if you have deployed a load-balanced RD Session Host server farm to provide RemoteApp programs to users through RemoteApp and Desktop Connection, you must add the computer account for each RD Session Host server in the farm to the Session Broker Computers security group.
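The two group-membership requirements above (and the matching one for RD Web Access on a stand-alone RD Session Host, described under "How RD Web Access Works") come down to adding domain computer accounts to local security groups on the broker or session host. The following PowerShell is an added example, not part of these notes or of Microsoft's own documentation; it uses the ADSI WinNT provider, which is available on Windows Server 2008 R2 without the Active Directory module, and the domain, server and group names are placeholders you replace with your own. It skips accounts that are already members so it can be re-run safely.

```powershell
# Added example (not from the notes or from Microsoft). Adds RDS computer accounts
# to the local security groups an RD Connection Broker / RD Session Host expects,
# and verifies membership first. Run as a member of the local Administrators
# group on the target server. All names below are placeholders.

$Domain          = 'CONTOSO'                  # placeholder NetBIOS domain name
$BrokerServer    = 'RDCB01'                   # placeholder RD Connection Broker
$WebAccessServer = 'RDWEB01'                  # placeholder RD Web Access server
$SessionHosts    = @('RDSH01', 'RDSH02')      # placeholder farm members

function Get-LocalGroupMemberName {
    param(
        [Parameter(Mandatory = $true)] [string] $TargetServer,
        [Parameter(Mandatory = $true)] [string] $GroupName
    )
    # Enumerate current members of a local group through the WinNT provider
    $group = [ADSI]"WinNT://$TargetServer/$GroupName,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

function Add-ComputerToLocalGroup {
    param(
        [Parameter(Mandatory = $true)] [string] $TargetServer,   # server that owns the group
        [Parameter(Mandatory = $true)] [string] $GroupName,      # e.g. 'RD Web Access Computers'
        [Parameter(Mandatory = $true)] [string] $Domain,
        [Parameter(Mandatory = $true)] [string] $ComputerName    # without the trailing '$'
    )
    $account = "$ComputerName`$"    # computer accounts carry a trailing '$'
    $current = Get-LocalGroupMemberName -TargetServer $TargetServer -GroupName $GroupName
    if ($current -contains $account) {
        Write-Host "$account is already a member of '$GroupName' on $TargetServer"
        return $false
    }
    $group = [ADSI]"WinNT://$TargetServer/$GroupName,group"
    $group.Add("WinNT://$Domain/$account")
    Write-Host "Added $account to '$GroupName' on $TargetServer"
    return $true
}

# RD Web Access server -> 'RD Web Access Computers' on the RD Connection Broker
Add-ComputerToLocalGroup -TargetServer $BrokerServer -GroupName 'RD Web Access Computers' `
    -Domain $Domain -ComputerName $WebAccessServer

# Every RD Session Host in the farm -> 'Session Broker Computers' on the broker
foreach ($rdsh in $SessionHosts) {
    Add-ComputerToLocalGroup -TargetServer $BrokerServer -GroupName 'Session Broker Computers' `
        -Domain $Domain -ComputerName $rdsh
}

# RD Web Access and RD Session Host on separate servers (see "How RD Web Access Works"):
# the RD Web Access computer account also goes into 'RD Web Access Computers' on each host
foreach ($rdsh in $SessionHosts) {
    Add-ComputerToLocalGroup -TargetServer $rdsh -GroupName 'RD Web Access Computers' `
        -Domain $Domain -ComputerName $WebAccessServer
}
```

Membership changes through the WinNT provider take effect for new Kerberos tickets, so the added server may need a reboot or a `klist purge` on its computer account before the broker accepts it; keep these groups limited to the RDS role servers themselves, since membership is what lets a machine read the RemoteApp and redirection data the broker holds.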

Deploying RD Gateway R2 server with NAP <http://blogs.msdn.com/b/rds/archive/2009/08/17/deploying-rdgateway-r2-server-with-nap.aspx>

Understanding Remote Desktop Gateway


The Remote Desktop Gateway (RD Gateway) role service in Windows Server 2008 R2 was formerly called Terminal Services Gateway (TS Gateway) in Windows Server 2008. Installing the RD Gateway role service enables users to securely connect over the Internet to RD Session Host servers or RD Virtualization Host behind the corporate firewall to access session-based desktops or virtual desktops, run RemoteApp programs, and access client computers that have Remote Desktop enabled. The resources that external users can connect to via RD Gateway include: RD Session Host servers running RemoteApp programs and session-based desktops RD Virtualization Host servers running virtual desktops Client computers that have Remote Desktop enabled

RD Gateway deployment in a perimeter network & Firewall rules


<http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx>

Configuring the TS Gateway NAP Scenario <http://technet.microsoft.com/en-us/library/cc732172(WS.10).aspx>

Microsoft VDI High Availability Deployment Options


<http://blogs.msdn.com/b/rds/archive/2010/03/01/microsoft-vdi-high-availability-deployment-options.aspx>

Step-by-Step and Capacity Planning Guides for Remote Desktop Services SP1 updated
Pasted from <http://ramazancan.wordpress.com/tag/rd-gateway/>

With RD Gateway, however, you can safely place your RD Session Host and RD Virtualization Host servers inside the corporate network; only the RD Gateway server itself needs to reside on a screened subnet of the perimeter network. This means that only the RD Gateway server is directly exposed to outside attack. And the attack surface of the RD Gateway server is lower than that of an RD Session Host and RD Virtualization Host server placed in a similar location because the only external port that needs to be open on the RD Gateway server is TCP port 443.
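The argument above is that the RD Gateway is the only server on the screened subnet and that TCP 443 is the only port that needs to be reachable from outside. A practical check of that claim is to inventory what the gateway is actually listening on and compare it with the set you expect the perimeter firewall to forward. The script below is an added example, not from these notes or from Microsoft; it parses `netstat -ano` because `Get-NetTCPConnection` does not exist on Windows Server 2008 R2. Only port 443 comes from the notes; the rest of the expected list is an assumption to adjust per deployment.

```powershell
# Added example (not from the notes or from Microsoft). Lists every listening TCP
# socket on this server with its owning process and flags any port that is not in
# the list of ports you expect the perimeter firewall to expose (TCP 443 for an
# RD Gateway). Listeners on other ports are normal on a domain-joined server; the
# point is that the firewall must not forward them.

function Get-TcpListener {
    # One object per LISTENING TCP socket (IPv4 and IPv6), with the owning process
    netstat -ano |
        Where-Object { $_ -match '^\s*TCP\s+\S+\s+\S+\s+LISTENING\s+\d+\s*$' } |
        ForEach-Object {
            $f      = $_.Trim() -split '\s+'
            $local  = $f[1]                                   # e.g. 0.0.0.0:443 or [::]:443
            $port   = [int] $local.Substring($local.LastIndexOf(':') + 1)
            $procId = [int] $f[4]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name   = 'unknown'
            if ($proc) { $name = $proc.ProcessName }
            New-Object PSObject -Property @{
                LocalAddress = $local
                Port         = $port
                ProcessId    = $procId
                ProcessName  = $name
            }
        }
}

function Test-RdGatewayExposure {
    param(
        # Ports that may be reachable from the Internet. 443 is from the notes;
        # anything else you add here is a deployment-specific assumption.
        [int[]] $ExternalPorts = @(443)
    )
    Get-TcpListener | Sort-Object Port -Unique | ForEach-Object {
        $verdict = 'internal only: block at perimeter firewall'
        if ($ExternalPorts -contains $_.Port) { $verdict = 'expected external port' }
        New-Object PSObject -Property @{
            Port    = $_.Port
            Process = $_.ProcessName
            Verdict = $verdict
        }
    }
}

# Usage: run on the RD Gateway server and review every 'internal only' line
# against the firewall rules that actually exist on the perimeter.
Test-RdGatewayExposure | Sort-Object Port | Format-Table Port, Process, Verdict -AutoSize
```

Read the result together with the perimeter firewall configuration rather than on its own: a gateway still needs inbound ports from the internal network (Kerberos, LDAP, RPC to the domain, RDP for management), so the goal is not to close those listeners but to be sure that only the 'expected external' line is reachable from the Internet side. Repeating the check after patching or role changes catches a service that has started listening on a new port.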

Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide
<http://technet.microsoft.com/en-us/library/ff686148(WS.10).aspx>

Improving TS Gateway availability using NLB


<http://blogs.msdn.com/b/rds/archive/2009/03/24/improving-ts-gateway-availability-using-nlb.aspx>

Understanding Remote Desktop Virtualization Host


Remote Desktop Virtualization Host (RD Virtualization Host) is a completely new role service of the Remote Desktop Services role in Windows Server 2008 R2. Similar to how the RD Session Host role service allows users to run RemoteApp programs and access session-based desktops, the RD Virtualization Host service allows them to access virtual desktops (the desktops of virtual machines) through Remote Desktop Services. The virtual machines that users access using the RD Virtualization Host role service must be running on a server running Windows Server 2008 R2 that has the Hyper-V server role installed.

How RD Virtualization Host Works


The RD Virtualization Host role service integrates with the Hyper-V server role of Windows Server 2008 R2 and must be installed on a server that has the Hyper-V server role installed.
You can use your RD Virtualization Host server to make virtual desktops available to your users in two forms:
* Personal virtual desktops - In this scenario, you assign a single virtual machine to a single domain user account. Only one virtual machine can be assigned to each user, and only that particular user can remotely access that specific virtual machine. Each time the user establishes a Remote Desktop connection to the RD Virtualization Host server, the user is connected to the same virtual machine. Any customizations the user makes to her virtual desktop during a session are saved so that they can be available the next time the user accesses her virtual machine.
* Virtual desktop pools - In this scenario, you begin by creating a pool of identically configured virtual machines. These virtual machines must have the same operating system and applications installed, the same service packs and updates applied, the same configuration settings, and so on. These virtual machines must also not have already been assigned to users as personal virtual desktops. When the user establishes a Remote Desktop Connection to the RD Virtualization Host server, he is connected to any of the virtual machines in the pool. Because all virtual machines in the pool are configured identically, the user experience is the same regardless of which virtual desktop he connects to. By default in this scenario, any customizations the user makes to his virtual desktop during a session are not saved and are discarded when the user logs off of his Remote Desktop session. However, by combining roaming user profiles with Folder Redirection and storing the roaming profiles and redirected folders on a separate server, any changes that the user makes to his virtual desktop can be saved so that they will be available the next time the user accesses a virtual desktop from the pool.
Personal virtual desktops and virtual desktop pools can also be provisioned to users in one of two possible ways:
* By using RemoteApp and Desktop Connection.
* By using RD Web Access.

* Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=154801.
* Deploying Virtual Desktop Pools by Using RemoteApp and Desktop Connection Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=154802.
* Deploying Personal Virtual Desktops by Using Remote Desktop Web Access Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=147909.
* Deploying Virtual Desktop Pools by Using Remote Desktop Web Access Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=147906.


Hyper-V
Tuesday, November 22, 2011 3:16 AM

Designing the Physical and Virtual Infrastructure
Plan hardware and virtual resource requirements. This objective may include but is not limited to: CPUs, memory, disk, host, parent, child, performance, networking, Second Level Address Translation (SLAT), CPU Core Parking
Design storage. This objective may include but is not limited to: dynamic, fixed, differential, pass-through; logical unit number (LUN) considerations
Design networking. This objective may include but is not limited to: virtual network type, host NIC configuration, VLAN, TCP chimney, jumbo frames, Virtual Machine Queue (VMQ)
Plan snapshots and checkpoints.

Note: There is no way to upgrade from a Server Core installation to a full installation of Windows Server 2008. If you need the Windows user interface or a server role that is not supported in a Server Core installation, install a full installation of Windows Server 2008. To remotely manage Hyper-V on a Server Core installation, use the Hyper-V management tools for Windows Server 2008 and Windows Vista Service Pack 1 (SP1). For more information, see article 950050 (http://go.microsoft.com/fwlink/?LinkId=122188) and article 952627 (http://go.microsoft.com/fwlink/?LinkID=122189) in the Microsoft Knowledge Base. For more information about configuring tools for remote management of Hyper-V, see Install and Configure Hyper-V Tools for Remote Administration.

Designing a Highly Available Virtual Environment
Design parent for high availability. This objective may include but is not limited to: Windows Server 2008 Failover Clustering, migration types, Cluster Shared Volumes (CSV)
Design child for high availability. This objective may include but is not limited to: Windows Server 2008 Failover Clustering, Network Load Balancing (NLB), shared storage
Design for migration type. This objective may include but is not limited to: quick migration, live migration, storage area network (SAN) migration, network migration
Hyper-V Supportability: http://technet.microsoft.com/en-us/library/ee405267(WS.10).aspx

Do not run any applications in the management operating system; run all applications on virtual machines. By keeping the management operating system free of applications and running a Windows Server 2008 core installation, you will need fewer updates to the management operating system because nothing requires software updates except the Server Core installation, the Hyper-V service components, and the hypervisor.

Note
If you run programs in the management operating system, you should run your antivirus solution there and add the following to the antivirus exclusions:

* Virtual machine configuration files directory. By default, it is C:\ProgramData\Microsoft\Windows\Hyper-V.
* Virtual machine virtual hard disk files directory. By default, it is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks.
* Snapshot files directory. By default, it is %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots.
* Vmms.exe
* Vmwp.exe


If you need to use the full version of Windows Server 2008 and run applications in the management operating system, then you should run an antivirus program there.
Pasted from <http://technet.microsoft.com/en-us/library/dd283088(WS.10).aspx>
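The exclusion list above quotes the default locations, but the best-practice section further down recommends moving virtual hard disks and configuration files off the system drive, and individual VMs can have their own roots. An exclusion policy built from the defaults then silently misses the real files. The script below is an added example, not from these notes or from Microsoft; it reads the configured paths from the Hyper-V v1 WMI provider (the `root\virtualization` namespace on Windows Server 2008 / 2008 R2) and prints the path and process list to carry into whatever antivirus product is in use. The WMI class and property names are those of the v1 provider as used here; the two process names come from the note above.

```powershell
# Added example (not from the notes or from Microsoft). Builds the Hyper-V antivirus
# exclusion list from the host's actual configuration instead of the default paths:
#  - host-wide default roots (Msvm_VirtualSystemManagementServiceSettingData)
#  - per-VM configuration and snapshot roots (Msvm_VirtualSystemGlobalSettingData)
#  - folders of every attached VHD (Msvm_ResourceAllocationSettingData)
# Requires administrative rights on the host (local or remote).

function Get-HyperVAvExclusion {
    param([string] $ComputerName = '.')   # '.' = local host
    $ns = 'root\virtualization'            # Hyper-V v1 WMI namespace (2008 / 2008 R2)

    $paths = New-Object System.Collections.Generic.List[string]

    # Host-wide defaults: these are the values the defaults quoted in the note refer to
    $svc = Get-WmiObject -Namespace $ns -ComputerName $ComputerName `
        -Class Msvm_VirtualSystemManagementServiceSettingData
    $paths.Add($svc.DefaultExternalDataRoot)                          # .xml / .vsv / .bin
    $paths.Add($svc.DefaultVirtualHardDiskPath)                       # .vhd / .avhd
    $paths.Add((Join-Path $svc.DefaultExternalDataRoot 'Snapshots'))  # snapshot files

    # Per-VM overrides: a VM created with its own location has its own roots
    $vmGlobal = Get-WmiObject -Namespace $ns -ComputerName $ComputerName `
        -Class Msvm_VirtualSystemGlobalSettingData
    foreach ($g in $vmGlobal) {
        if ($g.ExternalDataRoot) { $paths.Add($g.ExternalDataRoot) }
        if ($g.SnapshotDataRoot) { $paths.Add($g.SnapshotDataRoot) }
    }

    # Attached virtual hard disks: the Connection property holds the VHD file path
    $disks = Get-WmiObject -Namespace $ns -ComputerName $ComputerName `
        -Class Msvm_ResourceAllocationSettingData `
        -Filter "ResourceSubType = 'Microsoft Virtual Hard Disk'"
    foreach ($d in $disks) {
        foreach ($vhd in $d.Connection) {
            if ($vhd) { $paths.Add((Split-Path -Parent $vhd)) }
        }
    }

    $unique = $paths | Where-Object { $_ } | Sort-Object -Unique

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Paths        = @($unique)
        Processes    = @('Vmms.exe', 'Vmwp.exe')   # the two processes named in the note
    }
}

# Usage: print the list in a form that can be pasted into an exclusion policy
$ex = Get-HyperVAvExclusion
$ex.Paths     | ForEach-Object { "PATH     $_" }
$ex.Processes | ForEach-Object { "PROCESS  $_" }
```

Two points worth keeping in mind when applying the output: exclude the directories, not the whole volume, so that a scanner still covers anything else on that drive; and re-run the script after adding VMs or moving storage, because a VHD placed outside every configured root is exactly the case a static exclusion list does not cover. A scanner that locks or quarantines an .avhd or .bin file can leave a VM unable to start or lose its snapshot chain, which is the availability risk the exclusions exist to prevent.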

TCP Chimney Offload


TCP Chimney Offload transfers Transmission Control Protocol (TCP) traffic processing, such as packet segmentation and reassembly processing tasks, from a computer's CPU to a network adapter that supports TCP Chimney Offload. Moving TCP/IP processing from the CPU to the network adapter can free the CPU to perform more application-level functions. TCP Chimney Offload can offload the processing for both TCP/IPv4 and TCP/IPv6 connections if supported by the network adapter.

To study:
Using Authorization Manager for Hyper-V Security
Pasted from <http://technet.microsoft.com/en-us/library/dd283030(WS.10).aspx>

How to enable TCP Chimney Offload: http://support.microsoft.com/kb/951037/en-us


Virtual Machine Queue (VMQ)
Virtual machine queue (VMQ) is a feature available to computers running Windows Server 2008 R2 with the Hyper-V server role installed, that have VMQ-capable network hardware. VMQ uses hardware packet filtering to deliver packet data from an external virtual machine network directly to virtual machines, which reduces the overhead of routing packets and copying them from the management operating system to the virtual machine.

Authorization Manager How To...


Pasted from <http://technet.microsoft.com/en-us/library/cc778066(WS.10).aspx>


When VMQ is enabled, a dedicated queue is established on the physical network adapter for each virtual network adapter that has requested a queue. As packets arrive for a virtual network adapter, the physical network adapter places them in that network adapter's queue. When packets are indicated up, all the packet data in the queue is delivered directly to the virtual network adapter. Packets arriving for virtual network adapters that don't have a dedicated queue, as well as all multicast and broadcast packets, are delivered to the virtual network in the default queue. The virtual network handles routing of these packets to the appropriate virtual network adapters as it normally would.
Note: Because queues are allocated to virtual machines on a first-come, first-served basis, making all virtual machines eligible for a queue may result in some queues being given to virtual machines with light traffic instead of those with heavier traffic. Enable VMQ only for those virtual machines with the heaviest inbound traffic.
How to enable VMQ: http://download.microsoft.com/download/8/E/D/8EDE21BC-0E3B-4E14-AAEA-9E2B03917A09/HSN_Deployment_Guide.doc and http://technet.microsoft.com/en-us/library/gg162680(WS.10).aspx

Authorization Manager Concepts


Pasted from <http://technet.microsoft.com/en-us/library/cc782016(WS.10).aspx>


Avoid Mixing Virtual Machines That Can Use Integration Services with Those That Cannot
Do not mix on the same physical server virtual machines that can take advantage of Hyper-V Integration Services with those that cannot. Virtual machines that cannot use Integration Services must use legacy network adapters to gain access to the physical network. To accommodate legacy network adapters, you might need to disable some high-end features on the network interface, which can unnecessarily limit the functionality of the synthetic devices. Additionally, using emulated devices places an extra workload on the Hyper-V server.

SLAT
In Hyper-V R2, the processor handles address translations across virtual machines instead of the Hyper-V code doing page table remapping in software. This means that SLAT adds a second level of paging below the architectural x86/x64 paging tables found in x86/x64 processors by providing an indirection layer from virtual machine memory access to physical memory access. With the right processor, such as an Intel processor with Extended Page Tables (EPT, first introduced with i7) or an AMD processor with Nested Page Tables (NPT, which most current AMD processors have), Hyper-V R2 can provide significant performance gains in many scenarios. These gains are a result of the improved memory management and reduction in memory copies needed when these processor features are used, and the gains are especially significant with large working sets (for example, with Microsoft SQL Server). In fact, the memory usage for the Microsoft Hypervisor can shrink from 5 percent to 1 percent of the total physical memory. This means that more memory can be available for child partitions, which in turn can mean higher consolidation ratios.

Network Adapters in Hyper-V
The legacy network adapter is an emulated adapter (Intel 21140 PCI) that is available to guests that cannot take advantage of Integration Services (e.g. Windows XP Professional x86 must download and install Service Pack 3).
A network adapter is a synthetic device that can be used only after Integration Services are installed on enlightened guests. Enlightened guests already have the necessary components installed in the operating system to begin taking advantage of this type of network adapter.

Note: If a guest operating system is going to be installed using PXE boot to download an image, a legacy network adapter must be used and the boot order must be modified in the virtual machine settings.

Virtual Machine Disks
VHD Limit: 2040 gigabytes (2 terabytes).
Passthrough Disk Limit: No size limit.
Before configuring a guest with a passthrough disk, the disk must be placed in an offline state so that there is no contention between the virtual machine and the Hyper-V server. This is accomplished in the Windows Disk Management snap-in or by using the Diskpart.exe command-line interface (CLI).
When using passthrough disks, the virtual machine configuration files need to be relocated to either another hard disk or a file share. Additionally, you lose snapshot functionality when using passthrough disks, and they are not portable like a file (VHD).

Ensure File Share High Availability
If a file share is being used to store virtual machine configuration data, it is a best practice to ensure the file share is highly available (for example, a file share being hosted in a failover cluster). You also need to modify the security on the file share to allow the Hyper-V server (all nodes of it if it's in a failover cluster) write access to the share.


Connecting Storage Guests


IDE: Allows disks up to 2048 Gigabytes. Supports either VHD or passthrough disks and can connect up to 4 disks (2 controllers with 2 disks each).

SCSI: The Hyper-V SCSI controller is a synthetic device and therefore cannot be added to a guest configuration until after Integrated Services have been installed. Can connect up to 4 SCSI controllers with 64 disks each (Total of 256 disks)
iSCSI: Guests can connect directly to iSCSI storage over an iSCSI network, completely bypassing the Hyper-V server itself. There are no limits to the number of iSCSI disks that can be supported on the guest

Tip: You can bypass the 2048-GB size limitation for IDE and SCSI virtual disks by using passthrough disks.

Configuration Files
The default path of Configuration Files (.xml) is \ProgramData\Microsoft\Windows\Hyper-V in a folder corresponding to the name given to the virtual machine in the New Virtual Machine Wizard.

Snapshot
By default, all snapshot files are stored in the following folder on your Hyper-V server: %SystemRoot%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots

Taking a snapshot of a virtual machine creates the following types of snapshot files:
* Virtual machine configuration (.xml) file
* Virtual machine saved state (.vsv) files
* Virtual machine memory contents (.bin) files
* Snapshot differencing disk (.avhd) files
Tip: When you delete an entire snapshot tree, the result will be the last snapshot applied to the running virtual machine. If your intention, instead, is to have the result be the pristine installation of your virtual machine, your first snapshot should be taken after your virtual machine is configured and before you make any alterations for testing your configuration. That way, you can apply your first snapshot (the root snapshot) before deleting the snapshot tree, and the result is that your virtual machine's configuration will return to where you started before you made your alterations.

Best Practices for Configuring Virtual Machines


Virtual machine performance is affected not only by how the physical server is configured but also by the selections made when configuring the virtual machine itself. The following sections discuss best practices that should be considered when configuring virtual machines in Hyper-V.

Change Default Locations for Virtual Hard Disk and Machine Configuration Files
Change the default locations for storing the virtual hard disks and the virtual machine configuration files. By default, they are stored on the drive where the operating system is installed. For better performance, move the location to another disk on a SAN, if possible. If no SAN storage is configured, use another internal, fault-tolerant drive or drives that can be dedicated to storing virtual machine data and are not supporting the operating system.

Install Integration Services
The first, and probably most important, best practice for virtual machines is to install Integration Services, which comes with Hyper-V, as soon as possible if the operating system running in the virtual machine is supported. Then update Integration Services as needed.

Uninstall VM Additions and Compact VHDs
When migrating virtual machines from Virtual PC or Virtual Server 2005 R2, uninstall the VM Additions and compact the virtual hard disk before moving the disk to the Hyper-V server.

Set Display for Best Performance
For the best display in a virtual machine, ensure the display interface is set for Best Performance. This ensures the hardware acceleration is set to Full.

Configure Fixed-Size VHDs
Choose to configure fixed-size virtual hard disks rather than dynamically expanding disks. Performance is faster, the file system is less likely to fragment, and managing space on the physical disk is easier. Always defragment a physical disk before creating a virtual hard disk.

Use SCSI Virtual Adapters for Data Drives
Hyper-V requires the virtual machine to boot from a virtual IDE controller; however, SCSI virtual adapters can be used after that for mounting additional virtual hard disks. Although the performance difference between a virtual IDE controller and a virtual SCSI controller in Hyper-V is negligible (with Integration Services installed), more and larger capacity virtual hard disks can be attached to a virtual SCSI controller (4 controllers with 64 virtual disks each, for a total of 256). So, if you need more than four virtual hard disks attached to a virtual machine, use a virtual SCSI controller.

Allocate CPU Resources Based on Anticipated Usage
It is also important to determine virtual machine performance to ensure CPU resource allocation on the physical server is adequate to support the workload inside the virtual machine. The default in Hyper-V server is to treat all virtual machines equally. In reality, this might not be a practical or wise business decision. When allocating physical machine CPU resources to a virtual machine, it is important not to over-subscribe, that is, trying to allocate more physical machine resources than are really available. The next version of System Center Virtual Machine Manager (SCVMM 2008) will play a key role in monitoring virtual machine performance.


Virtual PC/ Windows XP Mode


Monday, November 28, 2011 6:05 AM

Virtual PC Architecture
Host-Side Components
The UI components of the Windows Virtual PC host include the following:
* VPC Settings dialog: Lets you modify configuration options such as networking, memory, integration features, and virtual hard disks for each virtual machine.
* VPC Wizard: Walks you through the steps of creating new virtual machines.
* VM Window (VMWindow.exe): When you start a virtual machine (VM), an instance of VMWindow.exe is launched to manage the display window that you use to interact with that VM. VMWindow.exe also loads MSTSCAX.dll, which functions as a Remote Desktop Protocol (RDP) client and is essentially the same ActiveX control that is used to run RemoteApps and Remote Desktops from a Remote Desktop Web Access server in Windows Server 2008 R2. One unique instance of VMWindow.exe is launched for each running VM, except for VMs running virtual applications, which is discussed in the next bullet.
* VM SAL (VMSAL.exe): When you launch a virtual application from the host, an instance of the Virtual Machine Seamless Application Launcher is launched to initiate, monitor, and control the application. As with VMWindow.exe, the in-process ActiveX control MSTSCAX.dll acts as the RDP client.

The user-mode engine components of the Windows Virtual PC host include the following:
* VPC (VPC.exe): The core Virtual PC engine that manages virtual machines and provides services for them. VPC.exe includes the following subcomponents that provide specialized services for virtual machines: RDP Encoder Technology, device emulators, COM servers, Network Address Translation (NAT), and Integration Components (ICs). VPC.exe also provides a set of COM APIs you can use to develop custom applications for performing tasks such as creating and managing virtual machines, creating and managing virtual hard drive (VHD) images, and modifying the configuration settings of VMs.
* RDP ET (RDP Encoder Technology): A group of components that uses RDP to provide the console experience for accessing a virtual machine and converts keyboard, mouse, and video actions between the RDP format and the format used by the VM device emulators.
* Devices: Device emulators for devices such as virtual hard drives, COM ports, and network interfaces.
* COM port redirector: Provides access for the virtual machine to remote serial devices such as modems.
* NAT: Allows a virtual machine to use the physical network adapter for network connectivity.
* Integration Components (ICs): Provides advanced features such as video resizing and audio redirection within virtual machines.

The kernel-mode engine components of the Windows Virtual PC host include the following:
* Virtualization Server Provider (VSP): Provides I/O device-related resources to Virtualization Service Clients (VSCs) running in virtual machines.
* VPCBus.sys: A kernel-mode bus driver used by the VSP to communicate between the host and guests.
* VMM.sys: The Virtual Machine Monitor, which virtualizes the physical processing resources across the host and virtual machines and provides resource management, including memory and interrupts.
* USB Connector (vpcusb.sys): Provides USB virtualization to the guest operating systems, and manages the virtual root hubs for connected USB devices. Each virtual machine has one virtual hub that can be assigned between zero and eight devices.
* USB Stub Driver (vpcuxd.sys): A stub driver that is loaded by the operating system in lieu of the normal USB client driver.

Guest-Side Components
The architecture of the guest side of Windows Virtual PC can be further broken down into Integration Components, RAIL (Remote Applications Installed Locally)/RDP components, and kernel-mode components.

The Integration Components of a Windows Virtual PC guest include the following two services, which provide Integration Component services to the guest:
* Virtual PC Integration Components Services Application service (VMSrvc.exe)
* Virtual Machine User Services (VMUSrvc.exe)

The RAIL/RDP components of a Windows Virtual PC guest include the following:
* RDP Server service: Listens for RDP connections from the RDP clients running in a virtual machine window or application.
* RDP Shell (RDPShell.exe): A shell designed to present virtual applications as if they are running locally on the host and to make the seamless running of virtual applications possible.

The kernel mode of a Windows Virtual PC guest includes the following:
* VSC: Consumes resources provided to it by the VSP running on the host.
* VMX/SVM Root Kernel: Built upon the Virtual Machine Extensions (VMX) of Intel Virtualization Technology (Intel VT) technology. It includes the Virtual Machine Monitor (VMM) runtime layer, which provides support for virtual machine execution, memory management, intercept and exception handling, and routing of interrupts raised by virtual machines.

For more information, see the sidebar titled Direct from the Source: Windows Virtual PC vs. Hyper-V later in this section.

Enabling Support for Virtual Applications


Any virtual machine installed on Windows Virtual PC can run virtual applications if the guest operating system has RemoteApp support enabled. Windows 7 supports RemoteApp by default, and the Windows XP Mode virtual machine is preconfigured to support virtual applications, but for earlier O.S. versions you need to download and install an update that provides RemoteApp support: KB961742 for Windows XP, and KB961741 for Windows Vista SP1 or later. Then install Integration Components on the virtual machine and enable the Auto Publish setting on the virtual machine.

Windows XP Mode
When Windows XP Mode is installed, two virtual hard disks are created on the host computer:
* A parent virtual hard disk named Windows XP Mode base.vhd, located in the %SystemDrive%\Program Files\Windows XP Mode folder. This parent disk is write-protected and approximately 1.2 GB in size.
* A differencing virtual hard disk named VM_name.vhd, where VM_name is the name of the virtual machine. This differencing disk varies in size (it grows as needed) and is located in the hidden %SystemDrive%\Users\username\AppData\Local\Microsoft\Windows Virtual PC\Virtual Machines folder, where username is the user's profile folder. The virtual machine configuration file (.vmc file) for the virtual machine is also located in this folder.

Tips:
* You should back up the parent disk in case it becomes corrupted, because the differencing disk won't work without the parent.
* You should install antivirus and antimalware software on your Windows XP Mode virtual machine.
* You should also make sure that Automatic Updates is enabled on the virtual machine.


70-659 TS: Windows Server 2008 R2, Server Virtualization


Monday, November 21, 2011 2:58 AM

Page 175 (RDS)

https://training.partner.microsoft.com/learning/app/management/LMS_LearnerHome.aspx

http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-659&locale=en-us#tab2

Skills Being Measured
This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam.

Installing and Configuring Host and Parent Settings
* Add the Hyper-V role on Windows Server 2008 R2. This objective may include but is not limited to: installing and configuring Hyper-V on Server Core, verifying BIOS settings (i.e. DEP), adding the Hyper-V role using Virtual Machine Manager, configuring Hyper-V Server R2, identifying hardware requirements
* Enable remote management. This objective may include but is not limited to: deploying Virtual Machine Manager Agent, configuring firewall rules, configuring Virtual Network Manager settings
* Configure virtual networks and VLAN security. This objective may include but is not limited to: configuring Media Access Control (MAC) address pools, configuring network locations, configuring VLAN tags, configuring VLAN security, configuring virtual networks
* Configure storage. This objective may include but is not limited to: configuring Multi Path Input Output (MPIO), executing the mpiocpl.exe command, dynamic I/O redirection, iSCSI initiator, executing the iscsicli.exe command

Configuring Child Settings
* Configure child resources. This objective may include but is not limited to: configuring disks, networks, CPU, and memory
* Configure child storage. This objective may include but is not limited to: configuring Dynamic VM storage, creating differencing disks, configuring pass-through disks, taking snapshots, managing GUIDs, managing logical unit numbers (LUNs), editing VHDs, copying physical disks to VHDs
* Configure child network adapters. This objective may include but is not limited to: creating synthetic and emulated network adapters, configuring MAC spoofing, configuring VLAN ID, configuring Jumbo frame, configuring TCP Offloading Engine (TOE)
* Create and deploy virtual machines. This objective may include but is not limited to: creating, cloning, deploying, and saving virtual machines using Virtual Machine Manager; creating virtual machines using Hyper-V Manager, configuring Self-Service Portal, scripting and deploying virtual machines using Windows PowerShell

Managing and Monitoring Virtual Environments
* Solve performance and resource issues. This objective may include but is not limited to: configuring Performance and Resource Optimization (PRO), monitoring the environment by using System Center Operations Manager 2007 R2, configuring event triggers, allocating resources by using Virtual Machine Manager, monitoring performance and diagnosing issues by using Performance Monitor or Resource Monitor
* Configure delegation of rights. This objective may include but is not limited to: creating user policies for Self Service Portal, creating and managing templates, managing and replicating libraries in Virtual Machine Manager
* Create roles and configure authorization rights. This objective may include but is not limited to: creating roles and delegating rights using Authorization Manager (AzMan), delegating rights manually
* Manage non-Hyper-V-aware virtualization hosts. This objective may include but is not limited to: managing ESX/VI3 VMware hosts by using Virtual Machine Manager, managing Virtual Server 2005 R2 hosts using Virtual Machine Manager

Ensuring High Availability and Recoverability
* Manage snapshots. This objective may include but is not limited to: taking, reverting, merging, deleting, and applying snapshots; configuring storage locations
* Manage backups. This objective may include but is not limited to: managing online and offline backups by using DPM, Windows Server Backup, or Volume Shadow Copy Service (VSS)
* Perform non-clustered migrations. This objective may include but is not limited to: performing a SAN migration of child partitions, performing a network migration of child partitions
* Configure quick and live migrations. This objective may include but is not limited to: configuring network and storage for clustered Hyper-V setup, enabling Cluster Shared Volumes (CSV), configuring dynamic I/O redirection

Performing Migration
* Perform physical-to-virtual (P2V) migration. This objective may include but is not limited to: configuring Virtual Machine Manager Intelligent Placement, performing online and offline migrations
* Perform virtual-to-virtual (V2V) migration. This objective may include but is not limited to: configuring Virtual Machine Manager Intelligent Placement, performing online and offline migrations
* Perform import/export migration. This objective may include but is not limited to: migrating virtual machines between Hyper-V hosts using the Export/Import feature in Hyper-V

Configuring Remote Desktop (RD) Role Services Infrastructure
* Configure RD session host. This objective may include but is not limited to: configuring session host settings, network-level authentication settings, license settings; restricting users to single remote session; allowing time zone redirection; configuring resource redirection, configuring encryption, configuring multi-monitor support
* Configure RD licensing. This objective may include but is not limited to: activating and deactivating Remote Desktop License Service, installing and revoking client access licenses (CALs), reporting on CAL usage
* Configure RD Connection Broker. This objective may include but is not limited to: installing the RD Connection Broker, configuring DNS for Connection Broker, configuring Connection Broker farms, integrating with RD Virtualization Host role service
* Configure RD Gateway. This objective may include but is not limited to: configuring RD Gateway, integrating RD Gateway with network access protection (NAP), configuring authentication authorization
* Configure RD Web Access. This objective may include but is not limited to: configuring RD Web Access, configuring authentication options (forms, single sign-on), configuring per-user RemoteApp program filtering, configuring public and private computer options

Preparation Tools and Resources
To help you prepare for this exam, Microsoft Learning recommends that you have hands-on experience with the product and that you use the following training resources. These training resources do not necessarily cover all of the topics listed in the "Skills Measured" tab.
* Classroom Training: 10215A: Implementing and Managing Microsoft Server Virtualization (5 Days)
* Microsoft E-Learning: 10215AE: Implementing and Managing Microsoft Server Virtualization (15 Hours)
* Microsoft Press Books: There are no Microsoft Press books currently available.
* Practice Tests: There are no practice tests currently available.
* Microsoft Online Resources:
  * Product information: Visit the Windows Server 2008 Web site for detailed product information.
  * TechNet: Designed for IT professionals, this site includes how-to instructions, best practices, downloads, technical resources, newsgroups, and chats.
  * MSDN: Designed for developers, the Microsoft Developer Network (MSDN) features code samples, technical articles, downloads, newsgroups, and chats.
  * Microsoft Learning Community: Join newsgroups and visit community forums to connect with your peers for suggestions on training resources and advice on your certification path and studies.

Have Questions?
For advice about training and certification, connect with peers: Visit the training and certification forum. For questions about a specific certification, chat with a Microsoft Certified Professional (MCP): Visit our MCP newsgroups. To find out about recommended blogs, Web sites, and upcoming Live Meetings on popular topics, visit our community site: Visit the Microsoft Learning community.
Pasted from <http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-659&locale=en-us>

How SLAT Reduces Overhead on Virtualized RD Session Hosts


With respect to memory management, Windows Server 2008 R2 Hyper-V supports a new feature named Second-Level Address Translation (SLAT). SLAT uses AMD-V Rapid Virtualization Indexing (RVI) and Intel VT Extended Page Tables (EPT) technology to reduce the overhead incurred during the virtual-to-physical address mapping performed for VMs. Through RVI or EPT respectively, AMD-V and Intel VT processors maintain address mappings and perform (in hardware) the two levels of address space translation required for each VM, reducing the complexity of the Windows hypervisor and the context switches needed to manage VM page faults. With SLAT, the Windows hypervisor does not need to shadow the guest operating system page mappings. The reduction in processor and memory overhead associated with SLAT improves scalability with respect to the number of VMs that can be concurrently executed on a single Hyper-V server. As an example, the Microsoft RDS team recently blogged about performance tests conducted using an internal simulation tool on a Windows Server 2008 Terminal Services configuration running as a VM on Windows Server 2008 R2 Hyper-V. The results showed that a SLAT-enabled processor platform increased the number of supported sessions by a factor of 1.6 to 2.5 when compared with a non-SLAT processor platform. Overall, Microsoft reports that with SLAT-enabled processors, the Windows hypervisor processor overhead drops from about 10 percent to about 2 percent and memory usage is reduced by about 1 MB for each VM. Although RVI is not required to support workloads running on Windows Server 2008 R2 Hyper-V, if you intend to run memory-intensive workloads like RDS, Microsoft SQL Server, or web services, you should strongly consider using a SLAT-enabled AMD-V or Intel VT platform to take advantage of the performance improvements provided for your virtualized workloads.


RDS
Monday, November 21, 2011 3:17 AM

Page 381

Remote Desktop Services


Pasted from <http://technet.microsoft.com/en-us/windowsserver/ee236407>

Assess: What's New in Remote Desktop Services; Getting Started; Step-by-Step Guides
Plan: Infrastructure Planning and Design (IPD) Guides for Virtualization
Deploy: Remote Desktop Services Deployment Guide; Remote Desktop Services Migration Guide
Troubleshoot: Troubleshooting RD Licensing Issues; Remote Desktop Services Event-Based Troubleshooting
Pasted from <http://technet.microsoft.com/en-us/windowsserver/ee236407>

Remote Desktop Services in Windows Server 2008 R2
Updated: November 11, 2011


Applies To: Windows Server 2008 R2

Remote Desktop Services in Windows Server 2008 R2 provides technologies that enable users to access Windows-based programs that are installed on a Remote Desktop Session Host (RD Session Host) server, or to access the full Windows desktop. With Remote Desktop Services, users can access an RD Session Host server from within a corporate network or from the Internet.

In this section

Step 1: Assess

Remote Desktop Services (RDS) Architecture Explained


Pasted from <http://blogs.technet.com/b/yungchou/archive/2010/01/04/remote-desktop-services-rds-architecture-explained.aspx>

Product Evaluation: Remote Desktop Services: What's new in Remote Desktop Services
Getting Started: Remote Desktop Services: Step-by-step guides for installing and deploying Remote Desktop Services role services and features

Step 2: Plan
Planning and Architecture: Remote Desktop Services: Hardware considerations and capacity planning guides

Getting Started: Remote Desktop Services - Step-by-Step Guides


Pasted from <http://technet.microsoft.com/en-us/library/dd736539(WS.10).aspx>

Step 3: Deploy
Deployment: Remote Desktop Services: Design Guide, Deployment Guide, Migration Guide

Step 4: Manage
Operations: Remote Desktop Services: Managing and operating Remote Desktop Services
Technical Reference: Remote Desktop Services: Group Policy settings and RDP settings

Step 5: Troubleshoot
Troubleshooting: Event messages, licensing issues, RDP

Related resources
* Remote Desktop Services Component Architecture Poster: This poster provides a visual reference for understanding key Remote Desktop Services technologies in Windows Server 2008 R2.
* Remote Desktop Services Script Center: The Remote Desktop Services Script Center contains a collection of scripts to help configure and deploy Remote Desktop Services.
* Remote Desktop Services (Terminal Services) on the Windows Server TechCenter: TechCenters provide links to content outside of the Technical Library, including downloads, Knowledge Base articles, community (blogs and forums), and other resources.
* Terminal Services in Windows Server 2008
Pasted from <http://technet.microsoft.com/en-us/library/dd647502(WS.10).aspx>

REMOTE DESKTOP SESSION HOST


This role enables RemoteApp and Remote Desktop sessions. New features of the RD Session Host role service introduced in Windows Server 2008 R2 include the following:

* Configure Client Experience page: Adds a new wizard page to the Add Roles Wizard when installing the RD Session Host role service of the Remote Desktop Services role. This new wizard page lets you enable the following advanced experiences for RD Session Host session users:
  * Audio and video playback redirection: Lets users redirect audio and video output from their computer to an RD Session Host session.
  * Audio recording redirection: Lets users redirect the output of an audio recording device, such as a microphone, from their computer to an RD Session Host session.
  * Desktop composition: Provides Windows Aero user interface elements within an RD Session Host session.
* Per-user RemoteApp filtering: Lets you filter the list of RemoteApp programs available to a user account when logged on using RD Web Access.
* Fair-share CPU scheduling: Dynamically distributes processor time across RD Session Host sessions based on the number of active sessions and the load on those sessions, using the kernel-level scheduling mechanism of Windows Server 2008 R2.
* Windows Installer RDS compatibility: Allows per-user application installations to be queued by the RD Session Host server and then handled by the Windows Installer.
* Roaming user profile cache management: Lets you limit the size of the overall profile cache for users of your RD Session Host server.
* Remote Desktop IP Virtualization: Lets IP addresses be assigned to Remote Desktop connections on either a per-session or per-program basis.


Note: You can install the RD Session Host role service on the Standard, Enterprise, or Datacenter edition of Windows Server 2008 R2, with the Standard edition limited to 250 Remote Desktop Services connections.

All Group Policy Settings for Remote Desktop Services in Windows Server 2008 R2
Pasted from <http://technet.microsoft.com/en-us/library/ee791756(WS.10).aspx>

Understanding Remote Desktop Web Access


The Remote Desktop Web Access (RD Web Access) role service of Windows Server 2008 R2 was formerly called Terminal Services Web Access (TS Web Access) in Windows Server 2008. Installing the Remote Desktop Web Access role service lets you use Internet Information Services (IIS) to simplify the deployment of RemoteApp programs, session-based desktops, and virtual desktops to users on your network.
* Per-user RemoteApp program filtering using RemoteApp and Desktop Connections: This enables RD Web Access to filter the view on a per-user basis so that each user logging on to RD Web Access sees only the programs that the administrator has configured for them to see.
* Single sign-on between RD Session Host and RD Web Access: This enhancement allows users to enter their user name and password only once when connecting to a RemoteApp program by using RD Web Access.
* Public and private computer option: There are now two ways for users to access the RD Web Access Web page: public and private mode. When a user selects public mode, her user name is not remembered in the Web browser and RD Web Access cookies storing her user name time out in 20 minutes. When the user selects private mode, cookies storing her user name remain available for four hours. In either mode, passwords are not stored.
* Forms-based authentication: This enables applications to provide their own logon page and perform their own credentials verification, and it uses ASP.NET to authenticate users, redirect unauthenticated users to the logon page, and perform all the necessary cookie management.

How RD Web Access Works


RD Web Access is implemented as a separate role service of the Remote Desktop Services role of Windows Server 2008 R2. Installing the RD Web Access role service on a server also installs the Web Server (IIS) role along with some of its components, which is needed to host the Web site that users connect to using their Web browsers to launch RemoteApp programs. Both the RD Web Access and RD Session Host role services must be present for RD Web Access to work. The simplest configuration is to install both the RD Web Access and RD Session Host role services on a single server. The RD Web Access and RD Session Host role services can also be installed on separate servers if needed. If this is done, however, you must add the computer account of the RD Web Access server to the RD Web Access Computers security group on your RD Session Host.

For larger deployments, you might install RD Web Access on a front-end Web server to service multiple RD Session Host servers on the back end. You can then configure RD Web Access to populate its list of RemoteApp programs from all your RD Session Host servers, including servers that belong to an RD Session Host farm. To connect to the RD Web Access server, a user opens a Web browser such as Internet Explorer and types https://<server_name>/rdweb in the address bar as described in the next section.

RD Connection Broker
The administrator can create a Workspace Configuration (.wcx) file using an RD Connection Broker server and distribute it to Windows 7 users so that RemoteApp and Desktop Connection can be configured without the need of having the user manually configure the RemoteApp and Desktop Connections Control Panel item.
The administrator can create a .wcx file and use Group Policy to silently run a script on Windows 7 computers so that RemoteApp and Desktop Connection is set up automatically when users log on to their computers.

After the client side of RemoteApp and Desktop Connections has been configured, Windows 7 users will see a new RemoteApp and Desktop Connections program group on their Start menu, which they can use to launch RemoteApp programs, session-based desktops, and virtual desktops that have been published for them to use. (See Figure 4-14.)

To pull a feed of available RemoteApp programs, session-based desktops, and virtual desktops from your RD Web Access server, the user needs to type the URL for the RD Web Access Web site, which is always in the following form: https://<server_name>/RDWeb/Feed/webfeed.aspx, where <server_name> is the FQDN of the RD Web Access server.

How RD Connection Broker Works


Similar to the TS Session Broker role service of Windows Server 2008, the RD Connection Broker role service allows a user to reconnect to an existing session of a load-balanced RD Session Host server farm. RD Connection Broker does this by storing session state information, including session IDs and their associated user names, and the name of the RD Session Host server where each session resides. When a user having an existing session connects to an RD Session Host server in a load-balanced farm, the RD Connection Broker server redirects the user to the RD Session Host server where the user's session resides, preventing the user from being connected to a different server in the farm and thus having to start a new session. If you enable the RD Connection Broker Load Balancing feature, the RD Connection Broker server can also do the following:
* Evenly distribute the session load between RD Session Host servers in a load-balanced RD Session Host server farm.
* Track the number of user sessions on each RD Session Host server in the farm.
* Redirect users who don't have an existing session to the RD Session Host server that has the fewest sessions.

* For an RD Web Access server to provide RemoteApp and Desktop Connection information from an RD Connection Broker server, you must add the computer account for the RD Web Access server to the RD Web Access Computers security group on the RD Connection Broker server. You must be a member of the local Administrators group on the RD Connection Broker server to do this.

* For an RD Session Host server to provide redirection to virtual desktops, you must add the computer account for the RD Session Host server to the Session Broker Computers security group on the RD Connection Broker server. And if you have deployed a load-balanced RD Session Host server farm to provide RemoteApp programs to users through RemoteApp and Desktop Connection, you must add the computer account for each RD Session Host server in the farm to the Session Broker Computers security group.
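The reconnection and load-balancing decisions described above, modelled as a small PowerShell script. This is an added example, not code from the page or from Microsoft; the host names, user names and the session table are constructed, and the real broker keeps this state in its own database.

```powershell
# Added example (not from the page): models how RD Connection Broker routes a
# connection. State: the farm members, a session table (user -> session ID and
# host), and whether the Load Balancing feature is enabled. All names are made up.

function New-BrokerState {
    param([string[]]$FarmHosts, [bool]$LoadBalancing = $true)
    return @{ FarmHosts = $FarmHosts; Sessions = @{}; LoadBalancing = $LoadBalancing; NextSessionId = 1 }
}

function Get-LeastLoadedHost {
    # Count sessions per farm member; the first host with the lowest count wins.
    param($State)
    $counts = @{}
    foreach ($h in $State.FarmHosts) { $counts[$h] = 0 }
    foreach ($s in $State.Sessions.Values) { $counts[$s.Host]++ }
    $best = $null
    foreach ($h in $State.FarmHosts) {
        if ($best -eq $null -or $counts[$h] -lt $counts[$best]) { $best = $h }
    }
    return $best
}

function Connect-BrokerUser {
    # $AnsweringHost is the farm member the client's initial connection landed on
    # (for example via DNS round robin). Returns the host the user is redirected to.
    param($State, [string]$User, [string]$AnsweringHost)
    if ($State.Sessions.ContainsKey($User)) {
        # An existing session (active or disconnected) always wins, whichever
        # server answered, so the user never gets a second, empty session.
        return $State.Sessions[$User].Host
    }
    if ($State.LoadBalancing) { $target = Get-LeastLoadedHost $State }
    else { $target = $AnsweringHost }
    $State.Sessions[$User] = @{ Id = $State.NextSessionId; Host = $target }
    $State.NextSessionId++
    return $target
}

function Remove-BrokerSession {
    # Logging off ends the session, so the broker forgets it. A plain disconnect
    # does not call this, which is what makes the reconnection above possible.
    param($State, [string]$User)
    $State.Sessions.Remove($User)
}

# Constructed walk-through with a two-member farm and load balancing enabled.
$farm = New-BrokerState -FarmHosts @('RDSH01', 'RDSH02') -LoadBalancing $true
Connect-BrokerUser $farm 'alice' 'RDSH02'   # no session yet: fewest sessions -> RDSH01
Connect-BrokerUser $farm 'bob'   'RDSH01'   # RDSH01 now has 1, RDSH02 has 0 -> RDSH02
Connect-BrokerUser $farm 'alice' 'RDSH02'   # existing session -> back to RDSH01
Remove-BrokerSession $farm 'alice'          # logoff: next connection is placed afresh
Connect-BrokerUser $farm 'alice' 'RDSH02'   # RDSH01 has 0, RDSH02 has 1 -> RDSH01
```

With -LoadBalancing $false the broker only performs the reconnection step and leaves first-time placement to whichever server answered.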

Deploying RD Gateway R2 server with NAP <http://blogs.msdn.com/b/rds/archive/2009/08/17/deploying-rdgateway-r2-server-with-nap.aspx>

Understanding Remote Desktop Gateway


The Remote Desktop Gateway (RD Gateway) role service in Windows Server 2008 R2 was formerly called Terminal Services Gateway (TS Gateway) in Windows Server 2008. Installing the RD Gateway role service enables users to securely connect over the Internet to RD Session Host servers or RD Virtualization Host servers behind the corporate firewall to access session-based desktops or virtual desktops, run RemoteApp programs, and access client computers that have Remote Desktop enabled. The resources that external users can connect to via RD Gateway include:
* RD Session Host servers running RemoteApp programs and session-based desktops
* RD Virtualization Host servers running virtual desktops
* Client computers that have Remote Desktop enabled

RD Gateway deployment in a perimeter network & Firewall rules


<http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx>

Configuring the TS Gateway NAP Scenario <http://technet.microsoft.com/en-us/library/cc732172(WS.10).aspx>

Microsoft VDI High Availability Deployment Options


<http://blogs.msdn.com/b/rds/archive/2010/03/01/microsoft-vdi-high-availability-deployment-options.aspx>

Step-by-Step and Capacity Planning Guides for Remote Desktop Services - SP1 updated
Pasted from <http://ramazancan.wordpress.com/tag/rd-gateway/>

With RD Gateway, however, you can safely place your RD Session Host and RD Virtualization Host servers inside the corporate network; only the RD Gateway server itself needs to reside on a screened subnet of the perimeter network. This means that only the RD Gateway server is directly exposed to outside attack. And the attack surface of the RD Gateway server is lower than that of an RD Session Host and RD Virtualization Host server placed in a similar location because the only external port that needs to be open on the RD Gateway server is TCP port 443.
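One way to verify the "only TCP 443" claim on the RD Gateway server itself is to audit its enabled inbound Windows Firewall rules. The script below is an added example, not code from the page or from Microsoft; it assumes an elevated PowerShell 2.0 session on a Windows Server 2008 R2 host with English netsh output (the NetSecurity cmdlets did not exist yet on that release, so it parses netsh advfirewall).

```powershell
# Added example (not from the page): list every enabled inbound Allow rule on
# this host that opens something other than TCP 443, the one port an RD Gateway
# on a screened subnet needs exposed. Assumes elevation and English netsh output.

function Get-InboundFirewallRule {
    # Parse the "Key:   Value" blocks printed by netsh into objects.
    $output = netsh advfirewall firewall show rule name=all dir=in
    $rules = @()
    $rule = $null
    foreach ($line in $output) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($rule -ne $null) { $rules += $rule }
            $rule = New-Object PSObject -Property @{
                Name = $Matches[1].Trim(); Enabled = ''; Action = ''
                Protocol = ''; LocalPort = ''; Profiles = ''
            }
        }
        elseif ($rule -ne $null -and $line -match '^([A-Za-z ]+):\s*(.*)$') {
            $key = $Matches[1].Trim()
            $value = $Matches[2].Trim()
            switch ($key) {
                'Enabled'   { $rule.Enabled = $value }
                'Action'    { $rule.Action = $value }
                'Protocol'  { $rule.Protocol = $value }
                'LocalPort' { $rule.LocalPort = $value }
                'Profiles'  { $rule.Profiles = $value }
            }
        }
    }
    if ($rule -ne $null) { $rules += $rule }
    return $rules
}

function Test-PortSpecAllowed {
    # A LocalPort value passes only if every comma-separated entry is an explicitly
    # allowed port number. "Any", ranges such as 1024-5000 and RPC keywords fail.
    param([string]$PortSpec, [string[]]$AllowedPorts)
    foreach ($entry in $PortSpec -split ',') {
        if ($AllowedPorts -notcontains $entry.Trim()) { return $false }
    }
    return $true
}

function Get-RdGatewayExposureFindings {
    param([string[]]$AllowedTcpPorts = @('443'))
    $findings = @()
    foreach ($rule in Get-InboundFirewallRule) {
        if ($rule.Enabled -ne 'Yes' -or $rule.Action -ne 'Allow') { continue }
        $ok = ($rule.Protocol -eq 'TCP') -and (Test-PortSpecAllowed -PortSpec $rule.LocalPort -AllowedPorts $AllowedTcpPorts)
        if (-not $ok) {
            $findings += New-Object PSObject -Property @{
                Rule = $rule.Name; Protocol = $rule.Protocol
                LocalPort = $rule.LocalPort; Profiles = $rule.Profiles
            }
        }
    }
    return $findings
}

# Anything listed here is inbound exposure beyond TCP 443 and needs a reason
# (for example, management reachable only from the internal side) or disabling.
Get-RdGatewayExposureFindings | Format-Table Rule, Protocol, LocalPort, Profiles -AutoSize
```

Default Core Networking rules (ICMP, DHCP client) and any management rules will appear in the list; the point is to review each one against the profile and interface it applies to rather than to disable them blindly.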

Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide
<http://technet.microsoft.com/en-us/library/ff686148(WS.10).aspx>

Improving TS Gateway availability using NLB


<http://blogs.msdn.com/b/rds/archive/2009/03/24/improving-ts-gateway-availability-using-nlb.aspx>

Understanding Remote Desktop Virtualization Host


Remote Desktop Virtualization Host (RD Virtualization Host) is a completely new role service of the Remote Desktop Services role in Windows Server 2008 R2. Similar to how the RD Session Host role service allows users to run RemoteApp programs and access session-based desktops, the RD Virtualization Host service allows them to access virtual desktops (the desktops of virtual machines) through Remote Desktop Services. The virtual machines that users access using the RD Virtualization Host role service must be running on a server running Windows Server 2008 R2 that has the Hyper-V server role installed.

How RD Virtualization Host Works


The RD Virtualization Host role service integrates with the Hyper-V server role of Windows Server 2008 R2 and must be installed on a server that has the Hyper-V server role installed.
You can use your RD Virtualization Host server to make virtual desktops available to your users in two forms: Personal virtual desktops In this scenario, you assign a single virtual machine to a single domain user account. Only one virtual machine can be assigned to each user, and only that particular user can remotely access that specific virtual machine. Each time the user establishes a Remote Desktop connection to the RD Virtualization Host server, the user is connected to the same virtual machine. Any customizations the user makes to her virtual desktop during a session are saved so that they can be available the next time the user accesses her virtual machine. Virtual desktop pools In this scenario, you begin by creating a pool of identically configured virtual machines. These virtual machines must have the same operating system and applications installed, the same service packs and updates applied, the same configuration settings, and so on. These virtual machines must also not have already been assigned to users as personal virtual desktops. When the user establishes a Remote Desktop Connection to the RD Virtualization Host server, he is connected to any of the virtual machines in the pool. Because all virtual machines in the pool are configured identically, the user experience is the same regardless of which virtual desktop he connects to. By default in this scenario, any customizations the user makes to his virtual desktop during a session are not saved and are discarded when the user logs off of his Remote Desktop session. However, by combining roaming user profiles with Folder Redirection and storing the roaming profiles and redirected folders on a separate server, any changes that the user makes to his virtual desktop can be saved so that they will be available the next time the user accesses a virtual desktop from the pool. 
Personal virtual desktops and virtual desktop pools can also be provisioned to users in one of two possible ways:
- By using RemoteApp and Desktop Connection.
- By using RD Web Access.

- Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=154801.
- Deploying Virtual Desktop Pools by Using RemoteApp and Desktop Connection Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=154802.
- Deploying Personal Virtual Desktops by Using Remote Desktop Web Access Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=147909.
- Deploying Virtual Desktop Pools by Using Remote Desktop Web Access Step-by-Step Guide, found at http://go.microsoft.com/fwlink/?LinkId=147906.

App-V Terminal S...

MEMORY MANAGEMENT
BEST PRACTICES Microsoft's best practices for RD Session Host servers suggest that your page file should be two to three times the size of the installed RAM to support all the individual user-mode memory areas for each process. The reasoning is that process creation is expensive: two or three times more so than maintaining the process in memory. Because many people are using the same computer, it's likely that the computer will be creating a lot of processes for all those people. Therefore, every time users start an application, they're engaging in this expensive activity. To keep the RD Session Host server running smoothly, you need more memory than just enough to keep the processes running.

70-659 Page 45

All 32-bit operating systems have a 4-GB virtual memory address space; 64-bit operating systems have a 16-terabyte virtual memory address space: 8 terabytes for user-mode processes and 8 terabytes for kernel mode.
Note that 64-bit Windows has another advantage: it's got a lot more room to store System PTEs (the PTEs used to map the location of memory the system is using). The amount of storage in 32-bit Windows is 660 MB; 64-bit Windows has 128 GB.

Like other key structures, the page file is larger in 64-bit Windows than 32-bit Windows; 64-bit Windows supports a 256-terabyte page file, and for 32-bit Windows, the maximum size is 16 terabytes.
Not all data can be paged to disk. Some important data (important to the functioning of the operating system, not important to a user) must be maintained in RAM at all times. Data that never gets paged is stored in an area of kernel-mode memory called the non-paged pool. Kernel-mode processes that store data that can be paged to disk store it in the paged pool. In previous versions of Windows, paged pools and non-paged pools had fixed sizes depending on the amount of RAM installed on the server; beginning with Windows Server 2008, these memory areas had no fixed size but could fluctuate depending on the needs of the operating system.

On 64-bit Windows, the maximum size of the non-paged pool is 128 GB, as opposed to 256 MB for 32-bit Windows.

Keep Shared Work Environments Generic


Whether you're delivering applications through VMs on an RD Virtualization Host or through sessions on an RD Session Host, it's best to keep the application delivery system homogenous. All the RD Session Host servers in the same farm should have the same applications installed and the same settings configured; all the VMs in the same pool should have the same applications and configuration. Only the following four kinds of data should be on the servers:
- The page file
- The cached user profiles currently in use (while the profiles themselves are stored on a separate file server)
- The operating system
- The applications

You should never store user-specific data like user profiles or user data on a shared application delivery role like an RD Virtualization Host pooled VM or an RD Session Host server. Doing so complicates backups (since data isn't on a central server) and can lead to an inconsistent user experience as users move from VM to VM or connect to a new session.

IMPORTANT User profiles should not be stored on an RD Session Host server, but rather on a central file share so that there's only one copy of the profile. However, the profile will be cached on the RD Session Host server for the duration of the session it's supporting. See Chapter 5, Managing User Data in a Remote Desktop Services Deployment, for more details about combining profiles and RDS.

CAPACITY PLANNING
Baseline RD Session Host Requirements
The base operating system uses more memory now, for reasons that have nothing to do with RDS. First, the server operating system runs Windows Internet Explorer 8, which uses more memory than Microsoft Internet Explorer 6. Any scenarios that require the Microsoft native browser will be affected by this. Second, the shell in Windows Server 2008 R2 and Windows 7 is more memory-intensive than that in Windows Server 2003 and Windows XP. And with Windows Server 2008, these additional memory consumers will affect an RD Session Host server in particular, because these programs are all about the user experience. Remember that 64-bit Windows uses more memory than 32-bit; a lot of the standard processes use more memory in the 64-bit version than they do in the 32-bit version. You need about 8 GB of RAM in an RD Session Host Server to bring it to parity with a 32-bit terminal server with 4 GB. However, at 16 GB, the RD Session Host server will start being able to support more users than the 32-bit server can.
DISK Split data among multiple hard disks (20 to 30 users to a disk spindle, as a guideline) for best performance and use hardware RAID 1 for disk fault tolerance. Allocate a disk spindle for every 20 users for best performance. User profiles, page files, and system and application files should be on separate physical volumes as far from each other as possible to avoid I/O bottlenecks.

NETWORK Of course, network speed is important to a centralized computing environment. In-house, bandwidth should not be a problem, although you might consider a multi-homed server so you can dedicate one network card to Remote Desktop Protocol (RDP) traffic and one to serving file and print requests.

MEMORY Allocate a working set amount of x MB per user. You can approximate the value of x by starting the applications that you expect your users to open, working through a normal scenario, and noting the value of Peak Working Set from Task Manager. If this is not possible, make an estimate starting with a minimum of 100 MB per session for a 64-bit operating system. Always make sure that the paging file is three times the size of RAM (for example, if the RD Session Host server has 16 GB of RAM, plan on a 48-GB page file).

PROCESSOR Processor speed was unlikely to be your biggest bottleneck when running the 32-bit version of Windows Server 2008, but it's more important in 64-bit Windows where memory is no longer constrained. Quad-core processors are common these days; get a motherboard that has additional sockets. The amount of cache is more critical to processor responsiveness than the processor's speed. More cache provides more space to store instructions that are quickly available to the processor to execute. Incremental changes in megahertz (MHz) made a lot more difference when you were moving from 66 MHz to 100 MHz. DFSS, introduced in Windows Server 2008 R2, automatically apportions processor time evenly among sessions. RD Session Host servers spread processor time among individual sessions by prioritizing all user application processes in the same way and using DFSS to ensure that no one session uses up all the processor time just because it's running demanding applications.
NOTE You might have multiple processors in your RD Session Host server. Be aware that two processors don't render twice the power of one. Instead, there is a sliding scale:
- Approximately 1.8:1 when going from one to two processors
- Approximately 1.65:1 when going from two to four processors
Therefore, if you have four processors in your RD Session Host server, you would use the following calculations to compute Max Users: 100 percent divided by 5 percent = 10 users. Now take into account the other three processors: 10 × 1.8 × 1.65 = 30 users at full load.

If detailed information about user activity on the RD Session Host or RD Virtualization Host server is not available, then you can make some estimates about how many resources each session will need as follows. Allocate a percentage of a processor to a user based on how much CPU you expect users to need for running their tasks. For example, if you expect your users to need approximately 5 percent of the CPU's capacity for their work, expect to have about 20 users per CPU.



Each of these points will allow you to compute a number of supported users per specific resource. For example, if 5 percent of CPU capacity per user means 20 users per CPU, to compute the number of users that four processors will support, the equation is 20 × 1.8 × 1.65 = 60 users at full load, or, for a margin of 50 percent of the maximum CPU usage, 30 users. You'll likely end up with different results when calculating for different resources. Always use the lowest numbers to avoid overstressing the servers. And of course, keep in mind that this is just an approximate process. There is no guarantee that the system will not run out of resources.
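The per-resource estimates above (CPU with the multiprocessor scaling factors and 50 percent margin, memory working set, disk spindles, page file) combined into one calculation that keeps the lowest number. This is an added example, not code from the book; the 2048 MB reserved for the operating system is an assumption, and only 1, 2 and 4 processors are accepted because the text gives scaling factors for those counts only.

```powershell
# Added example: RD Session Host sizing estimate following the rules in the text.
function Get-RdshCapacityEstimate {
    param(
        [Parameter(Mandatory=$true)][int]$RamGB,
        [Parameter(Mandatory=$true)][ValidateSet(1, 2, 4)][int]$ProcessorCount,
        [Parameter(Mandatory=$true)][double]$CpuPercentPerUser,  # e.g. 5 = 5 percent of one CPU
        [int]$WorkingSetMBPerUser = 100,   # the text's minimum for a 64-bit OS
        [int]$DiskSpindles = 1,            # the text's guideline: 20 users per spindle
        [int]$OsReserveMB = 2048,          # assumption, not a figure from the text
        [double]$CpuMargin = 0.5           # plan for 50 percent of maximum CPU usage
    )

    # Sliding scale from the note: one to two processors ~1.8:1, two to four ~1.65:1.
    $scale = switch ($ProcessorCount) { 1 { 1.0 } 2 { 1.8 } 4 { 1.8 * 1.65 } }

    # CPU: users per processor, scaled for the extra processors, then the safety margin.
    # Ceiling reproduces the text's rounding (20 x 1.8 x 1.65 = 59.4 -> 60).
    $cpuUsersPerProcessor = [math]::Floor(100 / $CpuPercentPerUser)
    $cpuUsersFullLoad     = [math]::Ceiling($cpuUsersPerProcessor * $scale)
    $cpuUsersWithMargin   = [math]::Floor($cpuUsersFullLoad * $CpuMargin)

    # Memory: whatever is left after the OS reserve, divided by the per-user working set.
    $memoryUsers = [math]::Floor(($RamGB * 1024 - $OsReserveMB) / $WorkingSetMBPerUser)

    # Disk: 20 users per spindle.
    $diskUsers = $DiskSpindles * 20

    # Always use the lowest number so no single resource is overstressed.
    $supported = ($cpuUsersWithMargin, $memoryUsers, $diskUsers | Measure-Object -Minimum).Minimum

    New-Object PSObject -Property @{
        CpuUsersAtFullLoad    = $cpuUsersFullLoad
        CpuUsersWithMargin    = $cpuUsersWithMargin
        MemoryUsers           = $memoryUsers
        DiskUsers             = $diskUsers
        RecommendedPageFileGB = $RamGB * 3      # page file three times RAM, as the text advises
        SupportedUsers        = [int]$supported
    }
}

# The text's own figures: 5 percent of a CPU per user on four processors -> 60 at full load,
# 30 with the margin; 16 GB of RAM -> 48-GB page file. Two spindles allow 40 users, so CPU
# (30) is the limiting resource here.
Get-RdshCapacityEstimate -RamGB 16 -ProcessorCount 4 -CpuPercentPerUser 5 -DiskSpindles 2
```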

Using the RD Load Simulation Tool


The RD Load Simulation Tool (RDLST) does just that. It simulates user sessions and individual user activity on an RD Session host server, given a set of parameters. You specify how many users you want to simulate, and what you want these users to do (for example, open a document, type some text, create a graphic image, or save the document). The tool will programmatically start remote desktop sessions to the specified RD Session Host from the designated clients and execute specified actions within each session. Based on how the server reacts to the load you put on it, you can get an idea of whether your server hardware is adequate for your needs, exceeds your needs (so you could add more users), or about right. By reviewing the performance data, you can also see which counters are showing strain. http://www.microsoft.com/downloads/details.aspx?FamilyID=c3f5f040-ab7b-4ec6-9ed3-1698105510ad&displaylang=en

Sizing RD Virtualization Host Servers


With Windows Server 2008 R2, you assign a certain amount of RAM to each VM when creating it, so if you have 10 VMs and x RAM, the absolute maximum of memory that each running VM can have is x/10, minus whatever the hypervisor needs to operate. After it's created, you can also tweak the other hardware settings. A decent rule to remember for VMs using RDP for remote display is that you can run 4 VMs per core. Always test, though, because the configuration for those VMs will make or break the sizing.

NTFS File System Setting Under HKLM\System\CurrentControlSet\Control\FileSystem\ is NtfsDisableLastAccessUpdate (REG_DWORD) = 1. This system-global switch reduces disk I/O load and latencies by disabling the updating of the date and time stamp for the last file or directory access. This key is set to 1 by default. Clean installations of Windows Server 2008 and Windows Server 2008 R2 set this key by default and you do not need to adjust it. Earlier versions of Windows operating systems did not set this key. If your server is running an earlier version of Windows or was upgraded to Windows Server 2008 or Windows Server 2008 R2, you should set this key to 1. Disabling the updates is effective when you are using large data sets (or many hosts) that contain thousands of directories. We recommend that you use IIS logging instead if you maintain this information only for Web administration. Caution: Some applications such as incremental backup utilities rely on this update information and do not function correctly without it.
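A check for the setting just described on an upgraded server, written as an added example (not from the book): it reports the current value and only changes it when asked to, since the caution above means a backup tool may depend on the time stamps.

```powershell
# Added example: audit (and optionally set) NtfsDisableLastAccessUpdate as the text recommends.
function Test-NtfsLastAccessUpdate {
    param([switch]$Fix)   # without -Fix the function only reports

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $name = 'NtfsDisableLastAccessUpdate'

    # A server upgraded from an earlier Windows version may have 0 here or no value at all
    # (reported as $null); both mean last-access updates are still being written.
    $current   = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $compliant = ($current -eq 1)
    $action    = 'none'

    if (-not $compliant -and $Fix) {
        # Needs an elevated prompt. Confirm first that no incremental backup utility on
        # this server relies on last-access time stamps (see the caution in the text).
        Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        $action = 'set to 1'
    }

    New-Object PSObject -Property @{
        Server    = $env:COMPUTERNAME
        Value     = $current
        Compliant = $compliant
        Action    = $action
    }
}

Test-NtfsLastAccessUpdate          # report only
# Test-NtfsLastAccessUpdate -Fix   # apply the value on an upgraded server
```

The same switch can be read from a command prompt with fsutil behavior query DisableLastAccess.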

Connection Broker
Discovering a VM The first step of using a VM is discovering that a VM exists. To allow users to discover VMs, the administrator assigns a personal desktop or creates a VM pool from the RemoteApp and Desktop Connections Manager on the RD Connection Broker. When an administrator assigns a personal VM, this assignment is recorded in the user account properties in AD DS. (Active Directory in both Windows Server 2008 and Windows Server 2008 R2 support this user account property.) Both personal and pooled VMs are added to the publishing feed that populates both Remote Desktop Web Access and RemoteApp and Desktop Connections on clients running Windows 7. This publishing feed is customized for each user's security credentials, so that one user does not see another's personal desktop. RemoteApp program display is also filtered according to which users have permission to use which applications. That said, all VM pools are visible to all consumers of the feed.
Brokering connections Kim initiates the brokering phase by clicking the personal desktop or pooled VM icon. At this point, she's requested a type of resource, like access to a VM pool, and the brokering must get her to the most appropriate location based on the server load and what she's asked for. The RD Connection Broker is built to be flexible both in terms of determining what kind of resource Kim wants to connect to (a VM or a session) and the rules governing which connection is most appropriate. It does this by using a couple of different kinds of plug-ins: resource plug-ins, which are used for a specific kind of resource, and filter plug-ins, which are used in combination with a particular resource plug-in to tweak the rules governing which resource is chosen and what happens to prepare it for a connection.

RD Connection Broker comes with two resource plug-ins: a session plug-in used for connecting to RD Session Host servers and a VM plug-in used to connect to personal and pooled VMs. Each of these resource plug-ins comes with built-in internal logic that the RD Connection Broker uses to determine where a connection should go and how it's made ready to accept connections. By default, the VM plug-in will distribute VM requests evenly among all RD Virtualization Host servers available. Because our basic scenario includes only a single server, all connections will go there, but if more were available, then it would use a round-robin technique to distribute the VM requests. Resource plug-ins are stored on the RD Connection Broker in HKLM\System\CurrentControlSet\Services\Tssdis\Parameters\Resource. Figure 4-5 shows the settings for the VM resource plug-in. (This RD Connection Broker has only the VM Resource plug-in because there are currently no RD Session Host farms configured on it.) The value for IsEnabled must be 1 for the plug-in to function, and the system must be able to identify the plug-in by name, class ID (the unique identifier for a COM object), and provider.

FIGURE 4-5 Built-in VM resource plug-in

Orchestrating a VM Discovery and brokering get a user 95 percent of the way to a working VM, but not 100 percent. The final stage is orchestration, which means to make the VM ready for connections. Orchestration is an important step. Without it, the VM would have to be constantly on, waiting for a connection. Orchestration makes it possible to put a VM to sleep and wake it up on demand, saving hardware resources on the host.

As shown in Figure 4-6, during orchestration, the VM Host Agent finds a VM on the RD Virtualization Host that doesn't already have a connection and wakes it. You can watch this from Hyper-V Manager. A sleeping VM will wake up and be ready to accept incoming connections. The key part of this is the VM Host Agent; without that, the hypervisor has no way to know that it needs to wake up the VM. The WTS application programming interface (API) shown here is for managing the VM sessions. In Chapter 11, Managing Remote Desktop Sessions, you will learn more about how you can use tools built on this API to interact with sessions and VMs.


Installing Programs on an RD Session Host Server


You should install the RD Session Host role service on the computer before you install any programs that you want to make available to users. If you install the RD Session Host role service on a computer that already has programs installed, some of the existing programs may not work correctly in a multiuser environment. Uninstalling and then reinstalling the affected programs may resolve these issues. To ensure that an application is installed correctly to work in a multiuser environment, you must put the RD Session Host server into a special installation mode before you install the application on the RD Session Host server. This special installation mode ensures that the correct registry entries and .ini files that are needed to support running the application in a multiuser environment are created during the installation process. You can put an RD Session Host server into this special installation mode by using either of the following:
- The Install Application on Remote Desktop Session Host tool under Programs in Control Panel. This tool will run a wizard to help install the application.
- The change user /install command at a command prompt. You will have to start the installation of the application manually.

After the application is installed, you must put the RD Session Host server into execution mode before remote users begin using the application. The Install Application on Remote Desktop Session Host tool will automatically put the RD Session Host server into execution mode when it is finished running. To put the RD Session Host server into execution mode from a command prompt, use the change user /execute command.

AD DS Schema Requirements for Personal Virtual Desktops


Janani Venkateswaran, Program Manager II, Remote Desktop Virtualization

Microsoft's VDI solution offers two deployment scenarios: virtual desktop pools and personal virtual desktops. Virtual desktop pools do not depend on a specific AD DS schema level; however, personal virtual desktops do need a Windows Server 2008 or Windows Server 2008 R2 schema. Following are the AD DS requirements for personal virtual desktops.
- To deploy personal virtual desktops, your schema for the AD DS forest must be at least Windows Server 2008.
- To use the added functionality provided by the Personal Virtual Desktop tab in the User Account Properties dialog box in Active Directory Users And Computers, you must run Active Directory Users And Computers from a computer running Windows Server 2008 R2 or from a computer running Windows 7 that has Remote Server Administration Tools (RSAT) installed.
- You must use a domain functional level of at least Windows 2000 Server native mode. The functional levels Windows 2000 Server mixed mode and Windows Server 2003 interim mode are not supported.

User Profile and the Registry


The registry is organized into sections called keys, which align with a particular configuration option. For example, computer-wide settings are stored in HKEY_LOCAL_MACHINE (HKLM), whereas user-specific settings are stored in HKEY_CURRENT_USER (HKCU). As with all versions of Microsoft Windows NT since it was first released, Windows Server 2008 R2 and Windows 7 maintain user-specific settings in HKCU for each user logged on to the computer. You can see how HKCU works and reflects changes to the user environment by following the process outlined in the following How It Works sidebar, Observe How Changes to the Environment Are Reflected in the Registry.

In addition to loading HKCU with the contents of your profile, logging on to an RD Session Host server updates two parts of HKLM, the computer-wide section of the registry. HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList (Figure 5-2) contains a list of all profiles cached on the computer. It also lists the profiles used by the System account, Network Service account, and the Local Service account. As you can see, machine accounts have profiles just like user accounts do. The users are identified by security identifiers (SIDs), but you can distinguish them by browsing the keys. The values show the path to both the local cache (the ProfileImagePath key value shown in Figure 5-2) and to the roaming profile folder share (the CentralProfile key value shown in Figure 5-2), so it's not hard to map user names to profiles.



How Profile Changes Are (Not) Merged


The operating system loads the contents of NTUSER.DAT into HKCU at logon and saves back to NTUSER.DAT at logoff, in the same way that you might open a Microsoft Word document when you log on, type in it for a while, and then save the document when you log off. This has some important implications for a remote environment. If you log on to two sessions, each of which is using the same roaming profile, you will have two copies of your profile open. If you make changes to the open profile, you'll see them at the time, but they won't be saved into NTUSER.DAT until you log off. (Unlike the Word .docx file, the file system won't ask if you want to overwrite the profile file.) As in the previous example, if you have a profile open in Session 1 and in Session 2, log off Session 1 and then log off Session 2, only the changes made to the Session 2 copy of the profile will appear when you log on again and reload that profile.
Windows Server 2008 improved on this design in two ways. First, it introduced RemoteApp programs. All RemoteApp programs started from the same server by the same user account run in the same session, so they open only a single copy of your profile. Second, when deciding where to route incoming connections to an RD Session Host server farm, the RD Connection Broker will check to see if a user already has an open session on an RD Session Host server in the farm. If it does, then the user will be routed to the same session to start the application. So, what is the result? You have preference to the server where you already have an open connection, and, so long as you're connecting to only a single server, only one copy of the profile will be open because all RemoteApp programs will run in the same session.

Profile Contents External to the Registry


Not all parts of a profile are stored in HKCU. The same folder that contains the NTUSER.DAT file also contains other folders that contain user data as well as application-specific data. In Windows Vista and Windows Server 2008, the profile includes the folders listed in Table 5-2. (More folders might be available, depending on which applications you have installed.)

Managing Roaming User Data Deployment Guide, located at http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx

Because V1 profiles and V2 profiles are so different, you can't use the same profiles for Windows Server 2008 R2 RD Session Host servers that you did for terminal servers running Windows Server 2003 or Windows XP VMs. The structures of the profiles don't match. (See the section entitled Sharing Folders Between Windows Server 2003 and Windows Server 2008 Roaming Profiles later in this chapter.) This is important both for supporting mixed deployments of terminal servers running Windows Server 2003 and Windows Server 2008 R2 RD Session Hosts, and for supporting Windows 7 VM pools and Windows XP VM pools. (The changes to the profile structure between the operating systems are one reason why you should not combine Windows 7 and Windows XP VMs in the same pool.)

Best practices for a typical RDS deployment


Pasted from <http://blogs.msdn.com/b/rds/archive/2009/06/02/user-profiles-on-windows-server-2008-r2-remote-desktop-services.aspx>

Upload Profile Registry Settings in the Background


NTUSER.DAT is updated only when a user logs off. A user who does not log off isn't saving changes. This can lead to data loss. A new policy in Windows Server 2008 R2 enables this file to be uploaded while the user is logged on, as follows.
Computer Configuration | Administrative Templates | System | User Profiles | Background upload of a roaming user profile's registry file while user is logged on
Configure the setting to upload NTUSER.DAT on a set schedule (at a certain time of day) or at a set interval, designated in hours.

Speed Up Logons To encourage people to log off, make the logon process as painless as possible. You've already learned about using Folder Redirection to minimize the size of a profile. To speed things up, you can also employ Group Policies to do the following.
- Cache roaming profiles.
- Limit the amount of time an RD Session Host server or VM will try to load the user profile before using a temporary profile.
- Set an upper limit on the size of a user profile.
- Process group policies asynchronously.

Caching Roaming Profiles


To reduce the time that it takes to log on to an RD Session Host server, the server will cache the roaming profiles. Ordinarily, RD Session Host servers attempt to retrieve the roaming profile from its central location. Caching stores a copy of the profile on the RD Session Host server. This profile cache isn't used if the original roaming profile is available, but it can speed up logons in the case of slow or absent network connections. Caching profiles is not without its drawbacks. It consumes hard disk space on the RD Session Host server. It can also prevent new users from logging on if the space allocated to cached profiles gets filled up. If you do cache profiles, make sure that you've got sufficient space for your user base and use Group Policy to delete profiles that aren't being used.

Process Group Policy Asynchronously


Caching user profiles also means that you can use asynchronous processing of Group Policy, a policy processing model introduced in Windows Server 2008. You can apply Group Policy synchronously or asynchronously. If you apply it synchronously (the default model for a server), logon doesn't complete until the Group Policy settings that apply to that user are applied. If you apply Group Policy asynchronously (the default action for a desktop), the user can log on while Group Policy is being applied. Asynchronous processing can lead to changes in the user environment after users have logged on but will speed up logon times if Group Policy processing is slowing things down. Allow asynchronous Group Policy processing by enabling the following Group Policy setting.
Computer Configuration | Policies | Administrative Templates | System | Group Policy | Allow Asynchronous User Group Policy Processing When Logging On Through Remote Desktop Services
This policy works only when logging on to an RDS session host. It's not needed when logging on to desktop pools, because a desktop operating system already processes Group Policy asynchronously by default.


Creating a New Roaming Profile


To implement roaming profiles, you will need to:
1. Create a network share in which to store the roaming profiles.
2. Configure the user accounts (through Active Directory Users And Computers or Group Policy) to use roaming profiles.
3. Have each user log on and create the roaming profile.

First, create a shared network location to store the roaming profiles. On the file server, create a new folder and set the appropriate NTFS and share permissions, using the guidelines in Table 5-5.

Remote Desktop Session Host


To configure a user account to use roaming profiles, perform the following steps.
1. Open Active Directory Users And Computers, right-click a user's account, and choose Properties.
2. For Remote Desktop Session Host situations, navigate to the Remote Desktop Services Profile tab and type the Profile Path location using the format \\servername\sharename\%username%.DomainName, as shown in Figure 5-6.

Virtual Machines
Pooled and personal VMs do not use Remote Desktop Services profiles. A pooled or personal VM is really a virtualized client desktop and acts accordingly; that is, it uses regular profiles. For these VM scenarios, enter the profile share's UNC path on the Profile tab of the user account Properties dialog box, shown in Figure 5-7.
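The two procedures above (Remote Desktop Services Profile tab for RD Session Host users, ordinary Profile tab for VM users) done from PowerShell for one account. This is an added example, not from the book; the server FS01, share Profiles$ and domain CONTOSO are assumptions, and the ActiveDirectory module from RSAT is required.

```powershell
# Added example: write the roaming profile path on the tab the text names for each scenario.
Import-Module ActiveDirectory

function Set-RdsProfilePath {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][ValidateSet('SessionHost', 'VirtualMachine')][string]$Scenario,
        [string]$ProfileShare = '\\FS01\Profiles$',   # assumption
        [string]$DomainName   = 'CONTOSO'             # assumption
    )

    $user = Get-ADUser -Identity $SamAccountName

    # Same layout as \\servername\sharename\%username%.DomainName in the text. %username% is
    # expanded here because the attribute is written directly rather than through the dialog box.
    $path = '{0}\{1}.{2}' -f $ProfileShare, $user.SamAccountName, $DomainName

    switch ($Scenario) {
        'VirtualMachine' {
            # Pooled and personal VMs act like ordinary desktops: the Profile tab (profilePath attribute).
            Set-ADUser -Identity $user -ProfilePath $path
        }
        'SessionHost' {
            # RD Session Host: the Remote Desktop Services Profile tab. Set-ADUser has no parameter
            # for it; the value is written through the IADsTSUserEx ADSI interface instead.
            $adsi = [ADSI]"LDAP://$($user.DistinguishedName)"
            $adsi.psbase.InvokeSet('TerminalServicesProfilePath', $path)
            $adsi.SetInfo()
        }
    }

    $path   # returned so the caller can log or verify what was written
}

Set-RdsProfilePath -SamAccountName 'kim' -Scenario SessionHost
Set-RdsProfilePath -SamAccountName 'kim' -Scenario VirtualMachine
```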

Converting an Existing Local Profile to a Roaming Profile


Sometimes you will want to convert existing local profiles to roaming profiles. This can apply if you are converting a traditional desktop deployment to an all-RDS deployment, and you are willing to risk that the local profile settings are appropriate for the remote work environment.
Converting local profiles to roaming profiles is really simple. Configure all user accounts to use roaming profiles as described earlier, and specify that cached copies of the profile should be deleted. When users log on to the server where their local profile resides and then log off, their local profile will be copied to the network share that you specified. The cache on the server will be deleted and only the roaming profile in the network share will remain. You might have done this conversion in Windows Server 2008 using the Copy To button in the User Profile Properties dialog box. This is no longer possible on a server running Windows 2008 R2 or a client running Windows 7; the button has been disabled.

Customizing a Default Profile


Customizing the default profile is one way to ensure that all new RDS users start with the same settings. The only supported method for customizing the default profile is to use the Sysprep.exe tool (built into Windows 7 and Windows Server 2008 R2) to overwrite the default profile with the profile that you are logged onto when you run Sysprep.exe. Here are the steps.
1. Log on as an administrator and customize the profile as needed. This is the profile that will be copied over the default user profile.
2. Create an Unattend.xml file and add a line of code to it to tell it to copy the profile of the user logged on over the default profile when the system reboots. The line you add is <CopyProfile>true</CopyProfile>

The following is example code for a 64-bit version Unattend.xml file with the extra line of code added.

    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
      <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <CopyProfile>true</CopyProfile>
        </component>
      </settings>
      <cpi:offlineImage cpi:source="catalog:e:/clg files/64-bit/install_windows 7 ultimate.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
    </unattend>
3. Save this Unattend.xml file to C:\Windows\System32\Sysprep.
4. After you have the Unattend.xml file in place, open a command prompt and type the following command.
    sysprep.exe /oobe /reboot /generalize /unattend:unattend.xml



NOTE The article at http://support.microsoft.com/kb/973289 explains how to do this, but at the time of this writing, the syntax is incorrect. Use the one provided here.

Creating a Default Network Profile Assuming that you can use a network default profile for all your scenarios, on Windows 2008 (and Windows 7) you can copy a local default profile to the NETLOGON share on a domain controller, following these steps.
1. Log on to the server with an admin account.
2. From the Run box, browse to the domain controller: \\DOMAIN CONTROLLER\NETLOGON
3. Create a folder in the NETLOGON share and name it Default User.v2.
4. From Server Manager, click Change System Properties, navigate to the Advanced tab, and then click the Settings button in the User Profiles section.
5. Select the Default Profile from the list of profiles stored on the server and click Copy To.
6. Browse to or type the network path \\DOMAIN CONTROLLER\NETLOGON\Default User.v2.

Controlling Group Policy Processing for an RDS Environment


When you have multiple users working on one computer, you need to control the environment as much as possible. The easiest way to do this is to perform the following steps.
1. Put RD Session Host server farms and all VM pools into their own OUs.
2. Block inheritance of all GPOs that are not specifically enforced. (You might not have this option, depending on company policy.)
3. Place computer and user GPOs on these OUs to specify the settings to be implemented for each pool and farm.
Here's how to do all this.

ORGANIZE FARMS AND POOLS INTO OUS
First, create an OU for each RD Session Host farm or VM pool. (Because all members of a farm or pool are homogeneous, they should all be in the same OU.) Open Active Directory Users And Computers, right-click the domain, and choose New, Organizational Unit. Name it after the farm (for example, RDSH Farm1) and then drag all computer objects in the farm or pool into the OU.

BLOCK GPO INHERITANCE
Next, if possible in your organization, block GPO inheritance for this OU. This ensures that only computer settings set by GPOs linked to this OU will apply to the computers in this OU. It also ensures that, with Loopback Processing enabled, only user settings set by GPOs linked to this OU will be applied to users logging on to the computers in this OU; other GPOs set at the domain or site level will not be applied. Keep in mind that Block Inheritance does not stop GPOs linked with the Enforced option; those still reach the OU, which is why step 2 above excludes them.
To block inheritance for a farm or pool OU, open the Group Policy Management console (GPMC; click Start, Programs, Administrative Tools, Group Policy Management), right-click the RD Session Host servers OU, and choose Block Inheritance. If possible, also do this for your pooled VM OUs. Personal VMs can be controlled like this, but more likely they will act as regular desktops in your environment and will be treated as such for Group Policy processing.

Enable Loopback Policy Processing
When the RD Session Host server starts, computer GPOs are applied. When the user logs on to the RD Session Host server, the user GPOs are applied to the session. Then, because loopback policy processing is enabled, user GPOs that are applied to the RD Session Host server OU are applied last. In addition, if you have blocked inheritance, it's possible that the only GPOs that will be applied are the computer and user GPOs that are linked specifically to the OU. The setting has two modes: Merge applies the user's normal GPOs first and then the OU-linked user settings on top (the order described above); Replace ignores the user's normal GPOs entirely and applies only the user settings from GPOs linked to the computer's OU. To enable Loopback Processing, right-click the computer GPO applied to the RD Session Host server OU and choose Edit. The Group Policy Management Editor opens the GPO. Go to Computer Configuration, Policies, Administrative Templates, System, Group Policy, and find the User Group Policy Loopback Policy Processing Mode setting in the pane on the right. Double-click it and you will see the dialog box shown in Figure 5-14.
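The OU, Block Inheritance and loopback steps above, done with the ActiveDirectory and GroupPolicy PowerShell modules that ship with Windows Server 2008 R2 instead of the consoles. This is an added example, not code from the book or from Microsoft; the OU name RDSH Farm1, the GPO name RDSH Farm1 Computer and the host names RDSH01 to RDSH03 are assumptions. The loopback setting is written as the registry value behind the ADMX setting (UserPolicyMode under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, 2 = Replace, 1 = Merge).

```powershell
# Added example (not from the book): farm OU, Block Inheritance and loopback
# processing via the ActiveDirectory and GroupPolicy modules.
# Assumptions: the OU/GPO names and the three host names below.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'RDSH Farm1'
$ouDn     = "OU=$ouName,$domainDn"
$farm     = 'RDSH01', 'RDSH02', 'RDSH03'          # assumed farm members
$gpoName  = 'RDSH Farm1 Computer'                 # assumed computer GPO name

# 1. One OU per farm or pool; move every member into it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
foreach ($server in $farm) {
    Get-ADComputer -Identity $server | Move-ADObject -TargetPath $ouDn
}

# 2. Block inheritance on the OU. Enforced links from the domain or site are
#    NOT blocked, so list them first; anything printed here will still apply.
$som = Get-GPInheritance -Target $ouDn
$som.InheritedGpoLinks | Where-Object { $_.Enforced } |
    Format-Table DisplayName, Target -AutoSize
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# 3. Computer GPO linked to the OU with loopback in Replace mode (2); use 1
#    for Merge. This is the registry value behind the ADMX setting
#    "User Group Policy loopback processing mode".
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 4. Verify: inheritance blocked, and only the farm GPO(s) linked to the OU.
Get-GPInheritance -Target $ouDn |
    Select-Object GpoInheritanceBlocked,
        @{ n = 'Links'; e = { $_.GpoLinks | ForEach-Object { $_.DisplayName } } }
```

Run it on a domain member with RSAT installed, as an account that can create OUs and GPOs. The enforced-link listing in step 2 is the check worth keeping: if a domain-level GPO shows up there, it will still reach the farm after Block Inheritance, and the only fix is to talk to whoever enforced it.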

Using Group Policy to Define the Roaming Profile Share
After you have a Group Policy infrastructure set up, you can create a policy to create roaming profile folders in the proper folder share location automatically. The Group Policy setting to set the path for RDS roaming profiles is a computer setting. Right-click your Computer Policy GPO and choose Edit. Expand the GPO to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles. In the pane at right, double-click Set Path For Remote Desktop Services Roaming User Profile, shown in Figure 5-16.


Select the Enabled option and type the RDS roaming profile share location in the Profile Path text box. If you use Group Policy to set the RDS roaming profile path, the profile folders that are created take the form username.domainname.V2; you do not need to add the %username% variable, the domain name, or the .V2 extension. This is in contrast to defining the path to the Remote Desktop Services profile folder by editing the user account properties through scripting or through Active Directory Users And Computers, where you must specify the username and domainname variables to create the folder properly. If the profile folders are created automatically when the user logs on, the user gets sole access to the profile and is also set as the owner of the profile folder. To permit administrators to access the profile, enable the following GPO setting: Computer Configuration | Policies | Administrative Templates | System | User Profiles | Add The Administrators Security Group To Roaming User Profiles. With this GPO setting enabled, the following permissions are placed on newly created user folders.
User: Full Control, owner of the folder
SYSTEM: Full Control
Administrators: Full Control (This is the local Administrators group of the server where the profiles are stored, which also contains the Domain Admins group.)

Configuring Roaming Profile Paths for VMs


Pooled and personal VMs run client operating systems. Setting an RDS roaming profile path on these machines simply won't work. They are client machines, and for the most part they should be treated as such. To configure the roaming profile path for client machines, use this GPO setting: Computer Configuration | Policies | Administrative Templates | System | User Profiles | Set Roaming Profile Path For All Users Logging On To This Computer. Enter the share name where your profiles are stored and add the %username% variable to the end of the path so that each user gets a unique profile folder, as follows.
\\servername\sharename\%username%

Limit the Size of the Profile Cache
Another way to make sure that your servers do not run out of disk space due to an overgrown profile cache is to put a cap on the cache size. If the size of the entire cache exceeds the limit set by this policy, the server deletes the oldest profile in the cache until the overall size drops below the threshold you set. The GPO setting is located at Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | RD Session Host | Profiles | Limit The Size Of The Entire Roaming User Profile Cache. Enable this setting and enter the following numbers.
Monitoring interval (in minutes): The interval at which the profile cache size is checked.
Maximum cache size (in GB): This is the threshold. If the cache grows beyond this number, the oldest profiles start getting deleted.
DELETING CACHED PROFILES MANUALLY
The problem is that cleaning up old profiles isn't just a matter of deleting some old directories. The registry maintains a list of profiles in HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList. Sort through that key (see Figure 5-17), and you'll see entries for everyone who currently has a profile cached on the server. Although the keys themselves are identified by the SIDs of the user accounts, you can see the names of the profile paths by examining the contents of the keys. If you delete only the folder, the ProfileList entry remains and the next logon for that user gets a temporary profile, so remove both.
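An inventory of the cached profiles from the ProfileList key described above, with each SID resolved to an account name, followed by a cleanup that goes through the Win32_UserProfile WMI class so that the folder and the registry entry are removed together. This is an added example, not the book's; the 30-day staleness threshold is an assumption, and the script is written for the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example (not from the book): list cached profiles from ProfileList and
# remove stale ones through Win32_UserProfile. The 30-day cutoff is assumed.
$staleDays   = 30
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Resolve-Sid {
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        'unresolved'        # deleted account, or a domain this server cannot reach
    }
}

# 1. What the registry says is cached: one subkey per SID, path in ProfileImagePath.
#    S-1-5-18/19/20 are the system accounts and always appear here.
Get-ChildItem -Path $profileList | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    New-Object PSObject -Property @{
        Sid     = $_.PSChildName
        Account = Resolve-Sid $_.PSChildName
        Path    = $p.ProfileImagePath
        Exists  = Test-Path ([Environment]::ExpandEnvironmentVariables($p.ProfileImagePath))
    }
} | Format-Table Account, Sid, Path, Exists -AutoSize

# 2. Remove profiles that are not loaded, not special (system), and older than
#    the cutoff. Deleting the folder by hand would leave the ProfileList key
#    behind; the WMI delete removes both the folder and the registry entry.
$cutoff = (Get-Date).AddDays(-$staleDays)
Get-WmiObject -Class Win32_UserProfile |
    Where-Object {
        -not $_.Loaded -and -not $_.Special -and $_.LastUseTime -and
        ([Management.ManagementDateTimeConverter]::ToDateTime($_.LastUseTime) -lt $cutoff)
    } |
    ForEach-Object {
        Write-Host ("Removing {0} ({1})" -f $_.LocalPath, (Resolve-Sid $_.SID))
        $_.Delete()
    }
```

Run step 1 on its own first and compare it with what Limit The Size Of The Entire Roaming User Profile Cache would have deleted; a profile whose SID resolves to 'unresolved' and whose folder no longer exists is exactly the leftover the text warns about.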

Centralizing Personal Data with Folder Redirection


The single biggest thing that you can do to affect profile size, simplify backups, and speed logons and logoffs is to redirect user-specific storage out of the user profile. By default, user data folders such as Documents are in the profile, but they don't have to be. Instead you can create a pointer to a network share where the data actually lives. Users will still store files in their personal folders, but the user data won't be roamed, so it will not affect the time required to load the profiles at logon.
Folder redirection is fundamentally very simple. If you go to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, you'll see every folder in your profile and the current location of that folder. If Folder Redirection is not turned on, all entries will look like this: %USERPROFILE%\Music. The goal is to get rid of the %USERPROFILE% variable and replace it with a new location. You can't redirect all folders, but you can redirect the ones with the biggest impact on profile size. These folders are:
AppData(Roaming): Contains a user's application settings that are not computer-specific and therefore can roam with the user
Desktop: Contains any items a user places on his desktop
Start Menu: Contains a user's Start menu
Documents: Contains documents saved to the default location
Favorites: Contains a user's Internet Explorer favorites
Music: Contains a user's music files saved to the default location
Pictures: Contains a user's pictures saved to the default location
Video: Contains a user's video files saved to the default location
Contacts: Contains a user's contacts saved to the default location
Downloads: Contains a user's downloads saved to the default location
Links: Contains a user's Favorite links from Internet Explorer
Searches: Contains a user's saved searches
Saved Games: Contains a user's saved games
Before you redirect these folders, you need a place to redirect them to. Create a shared folder on the server where you want to store the redirected folders and set permissions on this folder according to the user profile folder permissions that were described in Table 5-5. To redirect the folders to this share, open the GPMC, create or select an existing user GPO, right-click it, and choose Edit. Go to User Configuration | Policies | Windows Settings | Folder Redirection, as shown in Figure 5-22.

Not all 13 folders that can be redirected in Windows Server 2008 R2 can be redirected in Windows Server 2003, but some can. You can share the data in these folders between the 2003 profiles and the 2008 profiles. On the Settings tab of each folder in the Folder Redirection container is an option called Also Apply Redirection Policy To Windows 2000, Windows 2000 Server, Windows XP And Windows Server 2003 Operating Systems. For some folders, this option is available, but on others (the ones that will not redirect for downlevel operating systems), it appears dimmed and is unavailable.
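A check, run inside a user's session, of which User Shell Folders entries still point at %USERPROFILE% and which have been redirected and are actually reachable. This is an added example, not the book's; the share \\FS01\Redirected$ is an assumed redirection target. The one thing it has to get right is reading the raw REG_EXPAND_SZ data: Get-ItemProperty expands %USERPROFILE% before you see it, which would make every folder look local.

```powershell
# Added example (not from the book): report redirection state per profile folder.
# Assumption: \\FS01\Redirected$ is the share the Folder Redirection GPO targets.
$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$share = '\\FS01\Redirected$'

$rk = Get-Item -Path $key
$report = foreach ($name in $rk.GetValueNames()) {
    # Read the unexpanded string; Get-ItemProperty would already have turned
    # %USERPROFILE% into C:\Users\<name> and hidden the answer.
    $raw = [string]$rk.GetValue($name, '',
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

    $state = if ($raw -like '%USERPROFILE%*') { 'local' }
             elseif ($raw -like "$share\*")   { 'redirected' }
             else                             { 'other' }

    # A redirected folder that is not reachable means the user is working
    # against a dead path, which is worse than no redirection at all.
    $reachable = if ($state -eq 'redirected') {
        Test-Path ([Environment]::ExpandEnvironmentVariables($raw))
    } else { $null }

    # On Windows 7 some value names are known-folder GUIDs rather than words
    # (for example Downloads); they are reported under that GUID.
    New-Object PSObject -Property @{
        Folder    = $name
        State     = $state
        Reachable = $reachable
        Location  = $raw
    }
}
$report | Sort-Object State, Folder | Format-Table Folder, State, Reachable, Location -AutoSize
```

Run it once before and once after linking the Folder Redirection GPO; the 'local' rows after the second run are the folders the policy did not move, usually because the option for that folder was dimmed as described above or because the user has not logged on again since the link.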


Managing Roaming User Data Deployment Guide, available online at http://technet.microsoft.com/en-us/library/cc766489%28WS.10%29.aspx and for download from http://go.microsoft.com/fwlink/?LinkId=73760

Compressing RDP Data
RDP supports two kinds of bulk compression (compression done on all virtual channels, as opposed to compressing individual channels). Both compress only data sent from server to client, not from client to server. Standard bulk compression compresses all the data going through RDP channels using a lossless technique known as Huffman compression. (Lossless compression doesn't lose any data during the compression/decompression process.) Windows Server 2008 added a new codec, called NSCodec, for improving graphics compression over the wide area network (WAN) for 32-bit and 24-bit graphics (used only with RDC 5.1). This lossy compression algorithm is controlled by the following Group Policy object (GPO) setting.
Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | RD Session Host | Remote Session Environment | Set Compression Algorithm For RDP Data

Which Client Devices Can You Add to the Remote Session?
Most supported client devices require little setup to use in a remote session, as long as you meet the system requirements. For PnP redirection, make sure that you've installed the Desktop Experience feature on each RD Session Host server or Windows 7 computer. For RD Easy Print, make sure that you've installed RDP 6.1 or later on each client. RDP 7.0 is best, as it does not require the Microsoft .NET Framework on the client, whereas RDP 6.1 does. You can configure device and resource redirection in one of four ways, listed here in priority order.
1. Using Group Policy (highest priority)
2. Using Active Directory Users And Computers on a per-user basis (printer redirection only; second priority)
3. Using Remote Desktop Session Host Configuration on a per-server basis (third priority)
4. Using the RDC client on a per-connection basis (fourth priority)

You can also disable redirection of specific types of supported Plug and Play devices with GPOs located at Computer Configuration | Administrative Templates | System | Device Installation | Device Installation Restrictions, but you need to know the device IDs or device setup class globally unique identifiers (GUIDs) of the devices for which you want to disable redirection. For example, to block redirection of a camera, enable the GPO called Prevent Installation Of Devices Using Drivers That Match These Device Setup Classes and input the device class of the specific device for which you want to block redirection. To find out what a device's class GUID is, open Computer Management, select Device Manager, right-click a device, select Properties, select the Details tab, and in the Property drop-down box choose Device Class GUID. Right-click the value and choose Copy.
You can also alert the user that device redirection has been blocked by policy restrictions by sending a pop-up message to the remote session. Enable either of these two GPOs and add a text message.
Display A Custom Message When Installation Is Prevented By A Policy Setting
Display A Custom Message Title When Device Installation Is Prevented By A Policy Setting
By default, device redirection is allowed on a per RD Session Host server basis (except for audio and video playback). To disable specific device redirections, open Remote Desktop Session Host Configuration on the server, double-click RDP-Tcp, select the Client Settings tab, and select the check box next to any of the following devices that you do not want to redirect.
Drive
Windows Printer
LPT Port
COM Port
Clipboard
Audio And Video Playback (disabled in RD Configuration by default)
Audio Recording
Supported Plug And Play Devices
Default To Main Client Printer

When You Cannot Use RD Easy Print


The RD Easy Print driver is installed by default on Windows XP SP3 and later, and using the RD Easy Print driver for printer redirection is also enabled by default. To make the server look for printer drivers instead of using the RD Easy Print driver, you must change the sequence in which the RD Easy Print driver is used. The endpoint tries to use the RD Easy Print driver for printer redirection first and resorts to other printer drivers only if the RD Easy Print driver is not available. Set one of the following GPOs to reverse this (make the endpoint use printer drivers first, and then RD Easy Print).
On a computer basis: Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Printer Redirection | Use Remote Desktop Easy Print Printer Driver First
On a user basis: User Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Printer Redirection | Use Remote Desktop Easy Print Printer Driver First
If this policy is enabled or not configured, the server keeps its default behavior: RD Easy Print driver first, other drivers second. To make the server look for other printer drivers before it attempts to use RD Easy Print, set the policy to Disabled.

Basic RDP Remoting: http://msdn.microsoft.com/en-us/library/cc240445(v=PROT.10).aspx


Graphics Acceleration: http://msdn.microsoft.com/en-us/library/cc241537(v=PROT.10).aspx
Graphics Compression: http://msdn.microsoft.com/en-us/library/ff635378(v=PROT.10).aspx
Desktop Composition: http://msdn.microsoft.com/en-us/library/cc216513(v=PROT.10).aspx and http://msdn.microsoft.com/en-us/library/dd358323(v=PROT.10).aspx
Dynamic Virtual Channels: http://msdn.microsoft.com/en-us/library/cc241215(v=PROT.10).aspx
Basic Audio Remoting: http://msdn.microsoft.com/en-us/library/cc240933(v=PROT.10).aspx
Clipboard Redirection: http://msdn.microsoft.com/en-us/library/cc241066(v=PROT.10).aspx
Easy Print: http://msdn.microsoft.com/en-us/library/cc242947(v=PROT.10).aspx
Printer Redirection: http://msdn.microsoft.com/en-us/library/cc242116(v=PROT.10).aspx
Audio Input Redirection: http://msdn.microsoft.com/en-us/library/dd342521(v=PROT.10).aspx
Multimedia Remoting: http://msdn.microsoft.com/en-us/library/dd342975(v=PROT.10).aspx
Serial and Parallel Port Redirection: http://msdn.microsoft.com/en-us/library/cc242856(v=PROT.10).aspx
File System Redirection: http://msdn.microsoft.com/en-us/library/cc241305(v=PROT.10).aspx
Plug and Play Redirection: http://msdn.microsoft.com/en-us/library/cc242231(v=PROT.10).aspx

The following resources contain additional information and tools related to this chapter.
Want more information about RDP performance? See the white paper linked at http://blogs.msdn.com/rds/archive/2010/02/05/announcing-the-remote-desktopprotocolperformance-improvements-in-windows-server-2008-r2-and-windows-7white-paper.aspx.
Download RDC 7 for Windows Vista SP1+ and Windows XP SP3 at http://blogs.msdn.com/rds/archive/2009/10/28/announcing-the-availability-of-remotedesktopconnection-7-0-for-windows-xp-sp3-windows-vista-sp1-and-windows-vistasp2.aspx.
You can download the Remote Desktop client for Macintosh at http://www.microsoft.com/mac/products/remote-desktop/default.mspx.
The new Windows 7 printing architecture presentation can be downloaded at http://download.microsoft.com/download/5/E/6/5E66B27B-988B-4F50-AF3A-C2FF1E62180F/CON-T572_WH08.pptx.
Microsoft Most Valuable Professional Emeritus Vera Noest has put together a great list of hotfixes and updates pertaining to printing, which can be found at http://ts.veranoest.net/ts_printing.asp.

Securing the User Environment


Locking Down the Server


Restricting Device and Resource Redirection Using Group Policy
You can configure device and resource redirection by setting the corresponding device or resource Group Policy settings to the appropriate state. Note that these are computer policies, not user policies: you configure device redirection based not on who someone is, but on what machine she is working on. The following computer policies are located at Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Device And Resource Redirection.
Allow Audio Redirection: You might want to disable audio redirection if you're not running any applications that require it, because it takes up more bandwidth.
Do Not Allow Clipboard Redirection: What if you'd generally like to enable clipboard redirection but have one or two sensitive applications? Because RemoteApp programs running on the same server for the same user all run within a single session and in the same user context, it's not possible to disable clipboard redirection on a per-application basis. To be that specific, you'll need to isolate the applications requiring the higher level of security on separate servers and disable clipboard redirection on those servers.
Do Not Allow COM Port Redirection: To disable COM port redirection, enable this policy. Not many resources use COM ports these days.
Do Not Allow Drive Redirection: Redirecting user drives into the session enhances the feel of the session but opens a security hole. RDS drive redirection works two ways: any data that users can access from the remote session can be copied out of it to the client, and they can copy data from the client into any drive to which they have access. To turn off drive redirection, enable this policy.
Do Not Allow LPT Port Redirection: LPT ports are used to access older printers. If you don't have a need to redirect these devices, enable this policy.
Do Not Allow Supported Plug And Play Device Redirection: Enable this policy to disable redirection for Plug and Play devices such as cameras.
Do Not Allow Smart Card Device Redirection: Enable this policy to disable smart card redirection. Leave it alone on servers where users sign in to the session with a smart card, because that logon depends on the redirection.
Drive redirection is an obvious security hole (it allows users to transfer files from their remote session to their local hard drive and vice versa), but printing can also create a security problem. To disable all printer redirection, enable this policy, found in the computer's Group Policy settings: Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Printer Redirection | Do Not Allow Client Printer Redirection. By default, it is not configured; when it is not configured, printer redirection can be controlled via Active Directory Users And Computers, Remote Desktop Connection (RDC), or the RD Session Host Configuration tool.
Restricting Printer Redirection Using Active Directory Users And Computers
Only printer redirection can be controlled via Active Directory Users And Computers. To do so, open Active Directory Users And Computers, double-click a user account, click the Environment tab, and select or clear the check box next to Connect Client Printers At Logon. This setting is enabled by default.
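The redirection lockdown from the two sections above written into the farm's computer GPO from PowerShell, plus the device setup class lookup done through WMI rather than Device Manager. This is an added example, not the book's; the GPO name and the '*camera*' name filter are assumptions, and the registry value names are the ones the Terminal Services and Device Installation ADMX templates write for the settings named in the text (fDisableCdm for drive redirection, DenyDeviceClasses for the setup-class block and so on), so confirm the result with Get-GPRegistryValue and a gpresult on a farm member after applying.

```powershell
# Added example (not from the book): device/resource redirection lockdown and a
# setup-class deny, written to a computer GPO. Assumptions: the GPO name and the
# device name filter; value names are those of the ADMX templates cited above.
Import-Module GroupPolicy
$gpoName = 'RDSH Farm1 Computer'
$ts      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$restr   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# 1. Device setup-class GUID(s), the same value Device Manager shows under
#    Details -> Device class guid, taken from Win32_PnPEntity instead.
$cameraClasses = Get-WmiObject -Class Win32_PnPEntity |
    Where-Object { $_.Name -like '*camera*' -or $_.Name -like '*webcam*' } |
    Select-Object -ExpandProperty ClassGuid -Unique

# 2. Device And Resource Redirection switches (1 = "Do not allow ...").
#    Smart card redirection is deliberately left alone: smart card logon needs it.
$redirection = @{
    fDisableCdm      = 1   # Do Not Allow Drive Redirection: closes the two-way file copy path
    fDisableClip     = 1   # Do Not Allow Clipboard Redirection: server-wide, not per RemoteApp
    fDisableCcm      = 1   # Do Not Allow COM Port Redirection
    fDisableLPT      = 1   # Do Not Allow LPT Port Redirection
    fDisablePNPRedir = 1   # Do Not Allow Supported Plug And Play Device Redirection
    fDisableCpm      = 1   # Printer Redirection | Do Not Allow Client Printer Redirection
}
foreach ($name in $redirection.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $ts -ValueName $name `
        -Type DWord -Value $redirection[$name] | Out-Null
}

# 3. Device Installation Restrictions: deny the camera class(es) and set the
#    custom message/title the user sees when the install is refused.
Set-GPRegistryValue -Name $gpoName -Key $restr -ValueName 'DenyDeviceClasses' `
    -Type DWord -Value 1 | Out-Null
$i = 1
foreach ($guid in $cameraClasses) {
    Set-GPRegistryValue -Name $gpoName -Key "$restr\DenyDeviceClasses" `
        -ValueName "$i" -Type String -Value $guid | Out-Null
    $i++
}
Set-GPRegistryValue -Name $gpoName -Key $restr -ValueName 'DeniedPolicy_SimpleText' `
    -Type String -Value 'Device blocked' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $restr -ValueName 'DeniedPolicy_DetailText' `
    -Type String -Value 'Redirecting this device into the RD session is blocked by policy.' | Out-Null

# 4. Read back what the GPO now carries before linking it to the farm OU.
Get-GPRegistryValue -Name $gpoName -Key $ts    | Format-Table ValueName, Value -AutoSize
Get-GPRegistryValue -Name $gpoName -Key $restr | Format-Table ValueName, Value -AutoSize
```

Because these are computer settings, they apply to every session on the farm regardless of who logs on, which is the point the text makes: if one application needs the clipboard and another must not have it, the split has to be by server, not by user.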

Restricting Access to the Control Panel


User Configuration | Policies | Administrative Templates | Control Panel | Prohibit Access To Control Panel
Users should have no need to access the Control Panel. Enabling this setting removes Control Panel from the Start menu and Windows Explorer, so users won't have access to Control Panel, nor will they be able to run any of the Control Panel items.

Using AppLocker
Although older operating systems will continue to rely on SRP to control software access, AppLocker, which is new to Windows Server 2008 R2 and Windows 7 (Ultimate and Enterprise editions), supersedes SRP for these new operating systems and provides an enhanced software restriction feature set. In fact, while AppLocker has some similarities to Software Restriction Policies, it is actually a completely new feature built using different technology. You can still use SRPs with Windows 7 and Windows Server 2008 R2, but if AppLocker rules and SRPs exist in the same GPO, AppLocker rules will supersede any SRP policies for Windows 7 and Windows Server 2008 R2. Older operating systems will use only the Software Restriction Policies. AppLocker is similar to SRP in that you create whitelists (rules that specifically allow access to files) and block lists (rules that specifically deny access to files) to control access to files and folders on computers. You create rules as needed, for four predefined file categories (collections): executables, scripts, installers, and DLLs.

AppLocker Underlying Philosophy: Admit Nothing, Deny Everything
AppLocker's basic approach is one of extreme control: do exactly what the rules dictate, and deny all other access for executables in that collection. It does this indiscriminately for both whitelists and block lists. Note, however, that if no rules are set for a specific collection, then all access in that collection is allowed. The minute that you create a rule for a collection, only what that rule allows is permitted, and all other access is denied. This is why the default rules exist: a single allow rule for one application would otherwise lock everyone, administrators included, out of everything else in that collection.
AppLocker Rule Conditions
Again, the four collections are executables, installers, scripts, and DLLs. AppLocker rules for these four collections are based on the following three conditions.
Publisher: The rule is based on the file's digital signature and the extended attributes of that signature. A digital signature contains the following specific information (attributes) about the file.
Publisher. Example: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Product Name. Example: WINDOWS INTERNET EXPLORER
File Name. Example: IEXPLORE.EXE
File Version. Example: 8.0.7600.16385
When you create an AppLocker rule based on a file's publisher, you browse to and select the signed file, and the publisher attributes are retrieved from the file's digital signature. By default, all four of these attributes are used to determine access eligibility, but you can choose how specifically the rule is applied by moving the slider in the graphical user interface (GUI) to include or exclude certain attributes, as shown in Figure 7-3.

Path: The rule will affect a specific file or all files in a specific folder. Both of these options are set by specifying (by typing or browsing to) the path of the file or folder. A path allow rule is only as strong as the NTFS permissions on that path: if users can write into an allowed folder, they can run whatever they drop there.
File Hash: File Hash rules are based on a digital fingerprint of a file. Using the file (an executable, script, installer, or DLL) as input, an algorithm generates a representation (a hash) of the file. If you change anything about the file, its hash no longer matches, and allow rules based on that hash will no longer apply, so every patch to the file means a new rule.

AppLocker Audit Mode


AppLocker is powerful. To help you determine the real effects of the rules that you make, AppLocker provides an audit-only mode, in which you can log the effects of rules so that you can determine the overall results before you put them into production. When AppLocker rule collections are set to Audit Only mode, actions that the rules would have affected (allowed or denied) are logged in the Event Viewer of the machine where the action was taken. For example, if a user executes CMD.exe on an RD Session Host server where an enforced AppLocker rule would have denied the action, the following event is logged on the RD Session Host server under Event Viewer | Applications and Services Logs | Microsoft | Windows | AppLocker | EXE and DLL.
Event ID 8003: %SYSTEM32%\CMD.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
First, for AppLocker rules to affect machines, those machines must be running the Application Identity service. The service is not started by default, and its startup type is set to Manual. You might want to change the default startup type from Manual to Automatic, so that whenever you start the servers in the farm, AppLocker works without you needing to start the service manually.


In this example, you will see how to create policies directly on a farm member (the RD Session Host server's name is FUJI) that is currently not accepting connections. Then you will see how to export the rules to an XML file and import them into a GPO that will be applied to an RD Session Host farm in Audit mode. When it's clear that the AppLocker policies accomplish the intended goals but do not affect the users negatively, it's safe to change the GPO to Enforce mode.
First, create and export the AppLocker policies by completing these steps.
1. On RD Session Host server FUJI, open the Local Security Policy, browse to the Application Control Policies folder, and expand the AppLocker folder.
2. Right-click Executable Rules and choose Create Default Rules. Three executable rules will appear in the right pane, as shown in Figure 7-4. By creating the default rules, you have already given the BUILTIN\Administrators group full access to all files on the machine, because this is one of the default rules.

3. Adjust the first rule to allow a specific user group ASH_Users (instead of Everyone) to access the Office executables, except for Excel, as follows.
a. Double-click the first rule highlighted in Figure 7-4. On the General tab, select the user group that you want to affect (in our example, ASH_Users). Keep the Allow option selected.
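The export, audit-mode switch, GPO import and event review from the procedure above, done with the AppLocker and GroupPolicy modules on Windows Server 2008 R2. This is an added example, not the book's; the host FUJI and the group ASH_Users come from the text, while the domain contoso.com, the domain controller DC01, the GPO name RDSH Farm1 Computer and the file path C:\AppLocker are assumptions.

```powershell
# Added example (not from the book): take FUJI's local AppLocker policy, force
# every populated collection to AuditOnly, dry-run it, import it into the farm
# GPO, then read the 8003 audit events. Domain, DC, GPO and path names assumed.
Import-Module AppLocker
Import-Module GroupPolicy

# 1. Rules do nothing unless the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Export the local policy created in Local Security Policy on FUJI.
$policy = [xml](Get-AppLockerPolicy -Local -Xml)

# 3. Audit mode per collection: only collections that hold rules matter, since
#    an empty collection allows everything whatever its mode says.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    if ($collection.ChildNodes.Count -gt 0) {
        $collection.SetAttribute('EnforcementMode', 'AuditOnly')
    }
}
$auditFile = 'C:\AppLocker\rdsh-farm1-audit.xml'
New-Item -ItemType Directory -Path (Split-Path $auditFile) -Force | Out-Null
$policy.Save($auditFile)

# 4. Dry-run the exported rules as the target group before anything is linked.
Test-AppLockerPolicy -XmlPolicy $auditFile -User 'CONTOSO\ASH_Users' `
    -Path 'C:\Windows\System32\cmd.exe', 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Import into the farm GPO. Set-AppLockerPolicy addresses the GPO by its
#    LDAP path, which is built from the GPO's GUID.
$gpo = Get-GPO -Name 'RDSH Farm1 Computer' -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name 'RDSH Farm1 Computer' }
$ldap = "LDAP://DC01.contoso.com/CN={$($gpo.Id)},CN=Policies,CN=System,DC=contoso,DC=com"
Set-AppLockerPolicy -XmlPolicy $auditFile -Ldap $ldap

# 6. After the farm has run under audit for a while, list what enforcement
#    would have blocked (event 8003) on this host.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Step 4 is the cheap check: if cmd.exe comes back as Denied for ASH_Users while Excel comes back Allowed, the rule edits from step 3 of the procedure are inverted. When the 8003 events in step 6 stop showing things users legitimately need, change the EnforcementMode attribute to Enabled and import the file again.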


Tips
Monday, November 21, 2011 3:04 AM

http://virtualizationbrazil.wordpress.com/2010/12/30/dicas-e-truques-para-o-exame-70-659-tswindows-server-2008-r2-server-virtualization/

Tips and Tricks for Exam 70-659: TS: Windows Server 2008 R2, Server Virtualization
Posted: 30 December 2010 in Hyper-V
About this exam: This exam is designed to validate your skills around Microsoft server product areas and virtualization technologies.
Candidate profile: Candidates for this exam should have more than a year and a half of working experience with Windows Server 2008, including Windows Server 2008 R2, Microsoft Hyper-V Server 2008 and Hyper-V 2008 R2. In addition, candidates should have experience with server virtualization products and technologies, including System Center Virtual Machine Manager 2008, Virtual Machine Manager 2008 R2, System Center Operations Manager 2007 R2, Windows PowerShell 2.0 and System Center Data Protection Manager (DPM) 2007.
Preparation materials: To help you prepare for this exam, Microsoft Learning recommends that you have hands-on experience with the product and that you use the following training resources. These training resources do not necessarily cover all the topics listed in the "skills measured" section.
Classroom training: 10215AD: Implementing and Managing Microsoft Server Virtualization (5 Days); 10215A: Implementing and Managing Microsoft Server Virtualization (5 Days)
Microsoft Press books: MCTS Self-Paced Training Kit (Exam 70-652): Configuring Windows Server Virtualization
Online channel resources: TechNet, MSDN
Note: This exam is already available in Portuguese (Brazil).
Skills being measured: This exam measures your ability to perform the technical tasks listed below. The percentages indicate the relative weight of each major topic on the exam.
Installing and Configuring Host and Parent Settings
Adding the Hyper-V role on Windows Server 2008 R2. This objective may include but is not limited to: installing and configuring Hyper-V on Server Core, checking BIOS settings (such as DEP), adding the Hyper-V role using Virtual Machine Manager, configuring Hyper-V Server R2, identifying hardware requirements.
Enabling remote management. This objective may include but is not limited to: deploying the Virtual Machine Manager agent, firewall rule settings, configuring Virtual Machine Manager settings.
Configuring virtual networks and VLAN security. This objective may include but is not limited to: configuring Media Access Control (MAC) address pools, configuring network locations, configuring VLAN tags, configuring VLAN security, configuring virtual networks.
Configuring storage. This objective may include but is not limited to: configuring Multi Path Input Output (MPIO), running mpiocpl.exe, dynamic I/O redirection, iSCSI initiator, running iscsicli.exe.

Configuring Child Settings
Configuring child resources. This objective may include but is not limited to: configuring disks, networks, CPU and memory.
Configuring child storage. This objective may include but is not limited to: configuring dynamic VM storage, creating differencing disks, configuring pass-through disks, snapshots, managing GUIDs, managing logical unit numbers (LUNs), editing VHDs, copying physical disks to VHDs.
Configuring child network adapters. This objective may include but is not limited to: creating synthetic network adapters and emulated network adapters, configuring MAC spoofing, configuring VLAN ID, configuring jumbo frames, configuring TCP Offload Engine (TOE).
Creating and deploying virtual machines. This objective may include but is not limited to: creating, cloning, deploying and saving a virtual machine using Virtual Machine Manager; creating virtual machines using Hyper-V Manager, configuring the Self-Service Portal, scripting and deploying virtual machines using Windows PowerShell.

Managing and Monitoring Virtual Environments
Resolving performance and resource issues. This objective may include but is not limited to: configuring performance and resource optimization (PRO), monitoring the virtual environment using System Center Operations Manager 2007 R2, configuring event triggers, allocating resources using Virtual Machine Manager, tracking performance and diagnosing problems using Performance Monitor or Resource Monitor.
Configuring delegation of rights. This objective may include but is not limited to: creating user policies through the Self-Service Portal, creating and managing templates, managing and replicating libraries in Virtual Machine Manager.
Creating roles and configuring authorization rights. This objective may include but is not limited to: creating roles and delegating permissions using Authorization Manager (AzMan), delegating permissions manually.
Managing non-Hyper-V-aware virtualization hosts. This objective may include but is not limited to: managing ESX/VI3 VMware hosts using Virtual Machine Manager, managing Virtual Server 2005 R2 hosts using Virtual Machine Manager.

Ensuring High Availability and Recoverability
Managing snapshots. This objective may include but is not limited to: creating, reverting, merging, deleting and applying snapshots; configuring storage locations.
Managing backups. This objective may include but is not limited to: managing online and offline backups using DPM, Windows Server Backup or Volume Shadow Copy Service (VSS).
Performing non-clustered migrations. This objective may include but is not limited to: performing a SAN migration of a child partition, performing a network migration of a child partition.
Configuring quick and live migrations. This objective may include but is not limited to: configuring the network and storage for a clustered Hyper-V setup, enabling Cluster Shared Volumes (CSV), configuring dynamic I/O redirection.

Performing Migration
Performing physical-to-virtual (P2V) migration. This objective may include but is not limited to: configuring Virtual Machine Manager Intelligent Placement, performing online and offline migration.
Performing migration through import/export. This objective may include but is not limited to: host session settings, network-level authentication settings, license settings; restricting users to a single remote session, allowing time-zone redirection; configuring resource redirection, configuring encryption, configuring multi-monitor support.
Configuring RD Licensing. This objective may include but is not limited to: activating and deactivating the Remote Desktop license service, installing and revoking client access licenses (CALs), CAL usage reports.
Configuring RD Connection Broker. This objective may include but is not limited to: installing RD Connection Broker, configuring DNS for the connection broker, configuring connection broker farms, integrating with the RD Virtualization Host role service.
Configuring RD Gateway. This objective may include but is not limited to: configuring RD Gateway, integrating RD Gateway with Network Access Protection (NAP), configuring authentication and authorization.
Configuring RD Web Access. This objective may include but is not limited to: configuring RD Web Access, configuring authentication options (forms, single sign-on), configuring per-user RemoteApp program filtering, configuring public and private computer options.
Note: This exam lasts 02:45 (hh:mm).

Question 1
Your company has a server running Microsoft Hyper-V Server 2008 R2 in the environment. You need to manually back up a child partition while it is shut down. Which two elements must you back up?
The .vhd file
The .XML configuration file
Tips: What is a .vhd file? Basically, a .vhd file is a virtual hard disk: a file-based representation of a physical hard disk, with a complete replica of the disk header structure. It can produce an identical (1:1) copy of a hard disk, without compression. Virtual machines require the same basic hardware that a physical machine needs to start operating: a motherboard, BIOS, memory, network card, keyboard, mouse, monitor and a hard disk. The Hyper-V architecture ensures that virtual machines are as portable as possible. One design challenge for portability was how to keep a virtual machine on a hard disk portable and accessible at the same time while still providing acceptable performance.
Existem cinco tipos de virtual hard disk: Fixed hard disk; Dynamically expanding hard disk. Differencing hard disk; Undo hard disk (no usado pelo Hyper-V); Automatic virtual hard disk O que um arquivo .xml Quando a informao do assistente submetida ao Hyper-V, um novo arquivo de configurao da mquina virtual (.xml) que contm as informaes de configurao criado. Para mais informaes consulte: http://technet.microsoft.com/en-us/library/cc708315(WS.10).aspx http://blogs.technet.com/b/puneetvig/ http://download.microsoft.com/download/0/7/7/0778C0BB-5281-4390-92CD-EC138A18F2F9/WS08 _R2_VHD_Performance_WhitePaper.docx Questo 2 Voc instala o Windows Server 2008 R2 (server core) em um servidor. Voc precisa habilitar o gerenciamento remoto para os discos no servidor usando o Disk Manager. O que voc deve fazer? Execute o seguinte comando: Netsh advfirewall Firewall set rule group=Remote Volume Management new enable=yes command. Dicas: http://blogs.technet.com/b/server_core/archive/2008/01/14/configuring-the-firewall-forremote-management-of-a-workgroup-server-core-installation.aspx Questo 3 Todos os servidores na sua rede executa o Windows Server 2008 R2. Voc implanta o Remote Desktop Services (RDS). Voc est configurando o Remote Desktop Session Host (RD Session Host). Voc precisa assegurar que os programas que esto sendo executado continuem em execuo quando os usurios no esto mais ativos no RD Sessions. Qual a configurao voc deve habilitar? Finalizar uma sesso desconectada (End a disconnected session) Dicas: http://technet.microsoft.com/pt-br/library/cc754272.aspx Questo 4 Voc est configurando seu Microsoft System Center Virtual Machine Manager (VMM) 2008 R2 no ambiente. O VMware ESX 3.5 chamado de Host1 est adicionado em uma infra-estrutura existente do VMware Infrastructure 3 (VI3), para que voc gerencie usando o VMM. Voc precisa
70-659 Page 58

existente do VMware Infrastructure 3 (VI3), para que voc gerencie usando o VMM. Voc precisa adicionar o Host1 no seu ambiente que tem o VMM. O que voc deve fazer? Voc deve usar o Add host Wizard, selecionar o VMware ESX Server (qualquer localizao). No campo nome do computador, coloque tipo o Fully qualified domain name (FQDN) do Host1. Dicas: http://technet.microsoft.com/en-us/library/cc917961.aspx Questo 5 Na sua companhia usa o Remote Desktop Services (RDS). Voc instala e configura o Remote Desktop Gateway (RD Gateway) em um servidor que executa o Windows Server 2008 R2. Os funcionrios se conectam ao RDS de computadores remotos no gerenciados. Os empregados no so capazes de acessar o servidor gateway, a partir dos computadores no gerenciados remotos. Voc precisa garantir que os funcionrios possam acessar o RD Gateway server. Voc deve criar um Remote desktop connection authorization policy (RD CAP). Dicas: http://technet.microsoft.com/pt-br/library/cc753324(WS.10).aspx Questo 6 Voc usa o Microsoft System Center Virtual Machine Manager (VMM) 2008 R2, para criar e gerenciar as mquinas virtuais (VMs). Voc est tentando criar a primeira VM no Hyper-V usando o Windows Powershel. Voc recebe uma mensagem de erro informando que a New-VM PowerShell cmdlet no reconhecida. Voc precisa ser capaz de criar a VM usando o PowerShell. O que voc deve fazer? No Windows PowerShell, execute o seguinte cmdlet: Add-PSSnapin Microsoft.SystemCenter.VirtualmachineManager. Dicas: http://pshyperv.codeplex.com/releases/view/38769 http://blogs.technet.com/b/scvmm/, http://blogs.msdn.com/b/powershell/ Questo 7 Voc usa o Microsoft System Center Virtual Machine Manager (VMM) 2008 R2 para gerenciar seu ambiente virtual. Falhas ocorrem quando voc executa a converso P2V off-line usando o VMM. Voc precisa assegurar que voc est com as informaes necessrias para fazer um troubleshoot do problema. O que voc deve fazer? Crie o arquivo scvmm_winpe_tracing.txt. 
Dicas: http://technet.microsoft.com/en-us/library/bb963740.aspx Questo 8 Seu ambiente virtual inclui um Windows Server 2008 R2 Hyper-V failover. Voc gerencia o ambiente usando o Microsoft System Center Virtual Machine Manager (VMM) 2008 R2. Voc precisa configurar o live migration para as mquinas virtuais (VMs). O que voc deve fazer? No Failover Cluster Manager, edite as propriedades da VM. Questo 9 Voc usa o Hyper-V Manager para ciar uma nova Mquina virtual chamada Skate1. Skate1 tem a seguinte configurao:

You start Skate1 and begin installing Windows Server 2008 R2 from the DVD. An error message occurs and you are unable to install Windows. What must you do to install Windows Server 2008 R2 on Skate1?
Add skate1.vhd to IDE Controller 0

Question 10
Your Hyper-V servers run Windows Server 2008 R2 Standard. You manage the virtual environment using Microsoft System Center Virtual Machine Manager (VMM) 2008 R2. You need to ensure that you can migrate child partitions between the servers. What must you do?
SAN Migration
Network Migration
Hints: http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845%2D88d2%2D4091%2D8088%2Da6bbce0a4304&ID=119

Question 11
You install Windows Server 2008 R2 Enterprise (Full installation). You need to enable the Hyper-V role on the server.
Start /w ocsetup Microsoft-Hyper-V
Add-WindowsFeature Hyper-V (PowerShell command)
Hints: http://technet.microsoft.com/en-us/library/cc732470(WS.10).aspx http://technet.microsoft.com/pt-br/library/cc732263(WS.10).aspx

Question 12
You have a Windows Server 2008 R2 Hyper-V server. You need to ensure that you are prompted to specify a name when you create a snapshot.
This option is presented in Virtual Machine Connection.

Question 13
You install Windows Server 2008 R2 (Server Core) on a server. The server stores virtual machines (VMs) on a volume that is connected to the server through an iSCSI connection. You need to configure the server so that the virtual machines can be stored on the iSCSI volume.
iscsicli QAddTarget
iscsicli QLoginTarget
Hints: http://blogs.technet.com/b/daven/archive/2008/06/19/iscsi.aspx http://www.virtualizationteam.com/microsoft/hyper-v/building-a-cluster-with-hyper-v-and-server-core-part-2-and-creating-a-windows-server-2008-cluster.html http://blogs.msdn.com/b/san/archive/2008/09/18/iscsicli-batch-file-to-quickly-connect-to-an-iscsi-target.aspx

Question 14
You have a Windows Server 2008 R2 Hyper-V server with a single network adapter connected to the network. The virtual network is configured as External. The virtual machines (VMs) running on the server are unable to communicate with the host server on the network. You need to make sure that the VMs running on the server can communicate with the host server on the network. What must you do?
Select the option "Allow management operating system to share this network adapter".

Question 15
Your company has an Active Directory that includes a security group named Developers. You have a member server running Windows Server 2008 R2 with Hyper-V. You need to ensure that members of the Developers group can manage only the virtual machines (VMs). Members of this group must not have administrative privileges on the host server.
You must use Authorization Manager.
Hints: http://technet.microsoft.com/en-us/library/cc754509.aspx

Question 16
You are configuring a virtual machine running on a Windows Server 2008 R2 server. The first virtual disk is attached to IDE 0. You need to add virtual disks to the VM without shutting it down. What should you do?
Add the virtual disks to an existing SCSI controller.

Question 17
You use System Center Virtual Machine Manager (VMM) 2008 R2 to manage your Hyper-V. You have a legacy application that is not supported on Windows Server 2008 R2. The application runs on a server with the following configuration: a 12 GB disk formatted with FAT, 512 of RAM. You need to ensure that you can perform a P2V of the server. What must you do?
Use offline P2V.

Question 18
You have a Microsoft Hyper-V Server 2008. You need to join the server to an existing Active Directory domain.
Use hvconfig.

Additional material:
Official announcement of the e-book: http://blogs.msdn.com/b/microsoft_press/archive/2010/02/16/free-ebook-understanding-microsoft-virtualization-r2-solutions.aspx
Download in XPS format: http://download.microsoft.com/download/5/B/4/5B46A838-67BB-4F7C-92CB-EABCA285DFDD/693821ebook.xps
Download in PDF format: http://download.microsoft.com/download/5/B/4/5B46A838-67BB-4F7C-92CB-EABCA285DFDD/693821ebook.pdf
Good luck on the exam, everyone; tips and suggestions: wilstermanfernandes@hotmail.com
Wilsterman Fernandes
Pasted from <http://virtualizationbrazil.wordpress.com/2010/12/30/dicas-e-truques-para-o-exame-70-659-ts-windowsserver-2008-r2-server-virtualization/>

Authorization Manager (AzMan)


Authorization Manager (AzMan) - Part 1
Pasted from <http://kevin.refinenetworks.com/2011/11/authorization-manager-azman/>

Managing Hyper-V's security permissions


Pasted from <http://searchservervirtualization.techtarget.com/tip/Managing-Hyper-Vs-security-permissions>


70-669 TS: Windows Server 2008 R2, Desktop Virtualization


Monday, November 21, 2011 2:36 AM

http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-669&locale=en-us#tab2
http://www.techexams.net/forums/virtualization/51260-70-669-resources.html
Skills Being Measured
This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam.
Deploying and Managing an Enterprise Desktop Virtualization Environment
Install and configure Windows Virtual PC. This objective may include but it is not limited to: installing Windows Virtual PC on various platforms (32-bit, 64-bit), creating and managing virtual hard disks, configuring virtual machine resources including network resources, preparing host machines
Enable and manage Windows XP Mode. This objective may include but it is not limited to: enable Windows XP Mode for Windows 7; publish applications to a host OS through Windows XP Mode; configure the BIOS to support hardware virtualization; create, deploy, and maintain Windows XP Mode images
Create a MED-V infrastructure. This objective may include but it is not limited to: installing and managing server components (Image Repository, MED-V Instances), installing the MED-V client, configuring server settings
Administer a MED-V environment. This objective may include but it is not limited to: managing workspaces, creating policies, publishing applications and menus, configuring reporting, customizing user and device settings in a virtual machine
Create and deploy virtual desktop images. This objective may include but it is not limited to: using various tools to create or prepare images for deployment, deploying a workspace image by using a Web page, pre-staging images
Deploying and Managing a Presentation Virtualization Environment
Prepare and manage remote applications. This objective may include but it is not limited to: configuring application sharing, package applications for deployment by using RemoteApp, installing and configuring the RD Session Host Role Service on the server.
Access published applications. This objective may include but it is not limited to: configuring Remote Desktop Web Access, configuring internal and external application access, configuring role-based application provisioning, configuring Remote Desktop client connections
Configure client settings to access virtualized desktops. This objective may include but it is not limited to: configuring client settings, managing user home folders, identifying minimum client requirements
Deploying and Managing an Application Virtualization (App-V) Environment
Prepare virtual applications. This objective may include but is not limited to: sequencing applications, installing and configuring the sequencer, preparing applications for deployment in different environments, configuring virtual application interaction and sharing, choosing a method to deploy virtual applications
Install and configure application virtualization environments. This objective may include but is not limited to: configuring App-V modes (stand-alone, lightweight, enterprise); install an App-V infrastructure including servers, management consoles, and clients
Manage application virtualization environments. This objective may include but is not limited to: enabling and monitoring offline application usage, enabling and monitoring real-time sessions, managing application cache, configuring branch cache functionality
Managing a Virtual Desktop Infrastructure Environment
Configure user state virtualization. This objective may include but is not limited to: configuring roaming profiles, configuring folder redirection
Manage virtual desktops remotely. This objective may include but is not limited to: working with Virtual Machine Manager Self-Service Portal (SSP) to log in to, control, restart, or resume a desktop virtual machine, working with Remote Desktop Manager, working with Remote Desktop Licensing Manager, troubleshooting client Key Management Server (KMS) issues, configuring firewall exceptions on the client
Pasted from <http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-669&locale=en-us>

http://www.marcelosincic.com.br/blog/post/Exame-70-669e28093Microsoft-Desktop-Virtualization.aspx


Tips
Monday, November 21, 2011 2:45 AM

Read the free e-book Understanding Microsoft Virtualization Solutions, available at

http://blogs.msdn.com/b/microsoft_press/archive/2010/02/16/free-ebook-understanding-microsoft-virtualization-r2-solutions.aspx, which covers the conceptual side of Microsoft's virtualization technologies.
Read the IPDs (Infrastructure Planning and Design guides) for the technologies involved at http://technet.microsoft.com/en-us/library/cc196387.aspx
Go through every topic in the exam content so that no topic is left uncovered: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-669#tab2

APP-V (Application Virtualization)


This is the technology Microsoft acquired a few years ago, which used to be called SoftGrid. The concept behind this kind of technology is very interesting, but despite carrying the name "virtualization" it is quite different from the models we know from Hyper-V and MED-V. It consists of the App-V Manager and the App-V Sequencer. The work starts by sequencing an application and creating a package. This process is nothing more than a monitor which, once started, records everything that happens on a desktop. After starting it we install a piece of software, and at the end we have the package ready with all its files, registry keys and shortcuts.
Sample App-V questions: A package became corrupted; what is the best way to fix it? How would you distribute a package without having App-V Manager in the environment? Which tool guarantees updates to a package without redistributing it?
TechNet portal: http://technet.microsoft.com/en-us/appvirtualization/bb508934 and http://technet.microsoft.com/en-us/appvirtualization/cc843994

MED-V (Enterprise Desktop Virtualization)

MED-V is nothing more than an automation and image-management tool for Windows Virtual PC on Windows 7, and it consists of the manager and the MED-V Workspace, which sits on the desktop. This tool allows Windows XP images built with applications to be distributed to users. For example, imagine that two particular applications do not run on Windows 7 and need to use XP Mode. MED-V helps distribute, update and control these VMs.
Sample MED-V questions: How do you convert an existing MED-V deployment to a cluster? How do you optimize the distribution of MED-V images over the network? How do you keep MED-V from consuming too much disk space on the server?
TechNet portal: http://technet.microsoft.com/en-us/windows/bb899442 and http://technet.microsoft.com/pt-br/windows/gg276319.aspx

RDS (Remote Desktop Services)


RDS is the Terminal Services of Windows 2008 and needs little explanation. However, it is important to remember that it is made up of several components: RD Gateway to provide access over the internet, RD Web Access to build the application portal in the browser, RD Broker to distribute sessions and manage affinity across the farm, RD Session to keep user profiles. It is important to remember the roles well, how each one relates to the others, and the best way to work with these roles in a company.
Sample RDS questions: Given a set of servers with various roles, which of them would be placed in Remote Desktop Connection? How do you ensure that a user's printer is not redirected into the remote session? How do you prevent a USB drive from being mapped into the remote session? Which additional ports and services must be enabled between the RDS roles?
TechNet portal: http://technet.microsoft.com/en-us/library/cc770412.aspx and http://technet.microsoft.com/en-us/edge/ff945046

VDI (Virtual Desktop Infrastructure)


This technology can easily be explained as a combination of RDS and Hyper-V to create virtual desktop environments. You can create several Windows 7 VMs in Hyper-V and, through AD Users and Computers, link users to the VMs for when they access them through RDS. This was the part of the exam with the fewest questions, since Microsoft's VDI process is extremely simple to create and configure. Documentation on it is also not easy to find, but there are many videos on Edge.
Sample VDI questions: How do you do per-user and per-device licensing, revoke one or the other, and implement it? What is the best way to transfer data from one VM to another? How do you make a shortcut appear for all users?
TechNet portal: http://technet.microsoft.com/en-us/edge/ff945049
Pasted from <http://www.marcelosincic.com.br/blog/post/Exame-70-669e28093Microsoft-Desktop-Virtualization.aspx>

Exam details: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-669#tab2
Videos on RDS and VDI: http://technet.microsoft.com/en-us/edge/video/ff955830
Video series on MED-V: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=1f0d3e54-25d1-4ec1-a844-3b508bd63ffa
Pasted from <http://www.profissionaisti.com.br/2011/02/dicas-para-o-exame-70-669-windows-server-2008-r2-virtualization-desktop/>

Tips for the 70-669 exam: http://blogs.technet.com/b/gbanin/archive/2011/02/21/dicas-para-exame-70-669.aspx


Materials
Monday, November 21, 2011 2:48 AM

http://www.ucertify.com/exams/Microsoft/70-669.html

Deploying and Managing an Enterprise Desktop Virtualization Environment


Install and configure Windows Virtual PC.

Enable and manage Windows XP Mode.


Windows 7 XP Mode User Experience
An Introduction to Windows XP Mode
How to Install Windows XP Mode
How to Install an Application on Windows XP Mode
Windows XP Mode IT Pro Series

Create a MED-V infrastructure.
Administer a MED-V environment.

1 - Preparing a MED-V Image
2 - Testing, Packing, and Uploading a MED-V Image
3 - MED-V Workspace Walkthrough
4 - Publishing Different Applications to Different Users of the Same MED-V Image
5 - Creating a MED-V Installation Package
6 - MED-V First Time Setup with Domain Join
7 - Monitoring and Troubleshooting Tools in MED-V
8 - Updating a MED-V Image
MED-V v1 SP1 User Experience
Internet Explorer Virtualization with MED-V


Microsoft Enterprise Desktop Virtualization (MED-V) Overview
Optimised Desktop Series: MED-V

Deploying and Managing a Presentation Virtualization Environment


Prepare and manage remote applications.
Access published applications.

Configure client settings to access virtualized desktops.


Part 1: RDS Session Host - Initial Installation & Configuration
Part 2: RDS Web Portal - Initial Installation & Configuration
Part 3: RDS Connection Broker - Initial Installation & Configuration
Part 4: RDS Gateway - Initial Installation & Configuration
Part 5: RDP7 Deep Dive & User Experience
Microsoft VDI Part I: Server Side Configuration
Microsoft VDI Part II: Virtual Desktop Configuration
Microsoft VDI Part III: Client Side Experiences
Windows Server 2008 R2, Remote Desktop, VDI and Virtualization

Deploying and Managing an Application Virtualization (App-V) Environment


Prepare virtual applications.
Install and configure application virtualization environments.
Manage application virtualization environments.

Application Virtualization (App-V) Video Series

Managing a Virtual Desktop Infrastructure Environment


Configure user state virtualization.

Microsoft User State Virtualization Overview


Roaming User Profiles
Folder Redirection

Manage virtual desktops remotely.

How Do I: Configure the Virtual Machine Manager 2008 Self-Service Portal

Pasted from <http://scriptimus.wordpress.com/2011/06/24/mcts-70-669-desktop-virtualization-exam-video-links/>


Monday, January 16, 2012 21:31

http://www.professormesser.com/microsoft-70-680/free-microsoft-70-680-training/ Complete Section 1 - 1.1, 1.2, 1.3


Sunday, December 04, 2011 11:48 PM

Page 130

ADFS doc: pg. 41

Readiness Virtualizati...

https://www.microsoftvirtualacademy.com/tracks/office-365-for-the-it-pro-platform

Office 365 Jump Start (01): Microsoft Office 365 Overview for IT Pros
Office 365 Jump Start (02): Deploying Clients For Office 365
Office 365 Jump Start (03): Microsoft Office 365 Administration & Automation Using Windows PowerShell
Office 365 Jump Start (04): Microsoft Office 365 Identity and Access Solutions
Office 365 Jump Start (05): Microsoft Office 365 Directory Synchronization
Office 365 Jump Start (06): Exchange Online Overview for IT Pros
Office 365 Jump Start (07): Microsoft Exchange Online Administration
Office 365 Jump Start (08): Microsoft Staged Exchange Online Migration
Office 365 Jump Start (09): Hybrid Options with Exchange Server & Exchange Online
Office 365 Jump Start (10): Exchange Online Archiving & Compliance
Office 365 Jump Start (11): Lync Online Overview & Configuration for IT Pros
Office 365 Jump Start (12): SharePoint Online Overview
Office 365 Jump Start (13): SharePoint Online Administration
Office 365 Jump Start (14): SharePoint Online Extensibility & Customization
Office 365 Jump Start (15): Office 365 Deployment Overview
Pasted from <http://technet.microsoft.com/en-us/edge/office-365-jump-start-01-microsoft-office-365-overview-for-it-pros>

Office Professional Plus for Office 365


Pasted from <http://technet.microsoft.com/pt-br/office/gg696034.aspx>

Office 365 for Enterprise Service Descriptions


Pasted from <http://www.microsoft.com/download/en/details.aspx?id=13602>

Manually update and configure desktops for Office 365


Pasted from <http://onlinehelp.microsoft.com/pt-br/office365-enterprises/ff637585.aspx>

Exchange Hybrid Deployment and Migration with Office 365

Office 365 is available in three different versions that are designed to give you just what you need, no more and no less. Here's the quick rundown:
Office 365 for Small Business (which is the focus of this book) includes access to Office Web Apps, up to 50 user accounts, a 25-GB mailbox for each user, mobile support, the ability to stay in touch with instant messaging, presence technology, audio and video, and team sites with SharePoint Online. The subscription cost for Office 365 for Small Business is $6 per user.
Office 365 Enterprise includes all the features of Small Business as well as the full Office Professional Desktop software and pay-as-you-go pricing options. Enterprise users can also add kiosk plans that offer access to email, documents, and team sites in Office 365. Enterprise users can choose from two different subscriptions: existing Business Productivity Online Suite (BPOS) customers pay $10 per month; enterprise users who want to purchase the pay-as-you-go Microsoft Office Professional Plus 2010 service pay $24 per month.
Office 365 for Education provides students with access to the Office 365 services (Office Web Apps, instant messaging, audio and video, and team sites) plus the latest version of Microsoft Live@edu, an online community of thousands of schools. Pricing for Office 365 for Education is $10 for educators and staff; the service is free for students.
Install Desktop Updates Manually: http://community.office365.com/en-us/w/administration/manually-install-office-365-desktop-updates.aspx
Pasted from <http://help.outlook.com/en-us/140/ff633682.aspx>

Use Windows PowerShell to manage Office 365


Pasted from <http://onlinehelp.microsoft.com/office365-enterprises/hh124998.aspx>

PS C:\Users\v-62doz> Import-Module MsOnline
PS C:\Users\v-62doz> Get-Module MsOnline

ModuleType Name      ExportedCommands
---------- ----      ----------------
Binary     MsOnline  {Add-MsolRoleMember, Remove-MsolContact, Get-MsolDomainFederationSetting...

PS C:\Users\v-62doz> Connect-MsolService

PS C:\Users\v-62doz> Get-MsolUser

UserPrincipalName                 DisplayName      isLicensed
-----------------                 -----------      ----------
douglas.zan@dzan.onmicrosoft.com  Douglas Zan      True
teste1@dzan.onmicrosoft.com       Teste1           True
teste2@dzan.onmicrosoft.com       teste2           True
chris@dzan.onmicrosoft.com        Chris Green      True
roberto@dzan.onmicrosoft.com      Roberto Almeida  True
ben@dzan.onmicrosoft.com          Ben Andrews      True
cynthia@dzan.onmicrosoft.com      Cynthia Carey    True
melissa@dzan.onmicrosoft.com      Melissa MacBeth  True
maria@dzan.onmicrosoft.com        Maria Jose       True
jose@dzan.onmicrosoft.com         Jose Rodrigues   True
david@dzan.onmicrosoft.com        David Longmuir   True


Password Policy change to never expire in Office 365


In Office 365 you need only two lines to disable the password policy. First open the Microsoft Online Services Module for Windows PowerShell (Download: 32bit or 64bit). Connect to Office 365:
Connect-MsolService
In the dialog enter the credentials of an administrator:

To change a single user:
Set-MsolUser -UserPrincipalName <username> -PasswordNeverExpires $True
To change all users at once:
Get-MsolUser | Set-MsolUser -PasswordNeverExpires $True

That's it. You can check the result with the following command:
Get-MsolUser | fl
Pasted from <http://community.office365.com/en-us/b/office_365_technical_blog/archive/2011/11/01/how-to-disable-password-policy-settings-in-bpos-and-office-365-with-powershell-grid-user-post.aspx>
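As an added example (not code from the post above), the following script turns the "all users at once" one-liner into an auditable change: it lists every account whose password never expires, flags the ones outside an explicit exception list, and only modifies anything when run with -Apply. It uses the same MSOnline (Msol) cmdlets as the post; the UPNs in the exception list are placeholders.

```powershell
# Added example, not part of the original post. Audits and scopes the
# PasswordNeverExpires setting in an Office 365 tenant with the MSOnline
# (Msol) cmdlets used above. The UPN in $Exceptions is a placeholder.
param(
    # Accounts allowed to keep a non-expiring password, e.g. service accounts
    # whose credentials are rotated by some other process.
    [string[]]$Exceptions = @('svc-backup@contoso.onmicrosoft.com'),
    # Without -Apply the script only reports; with it, it enforces the list.
    [switch]$Apply
)

Import-Module MsOnline
Connect-MsolService   # prompts for an administrator's credentials, as in the post

# Pull the directory once; -All avoids the default 500-user page limit.
$users = Get-MsolUser -All

# Finding 1: expiry disabled on an account that is not on the exception list.
$unexpected = @($users | Where-Object {
    $_.PasswordNeverExpires -eq $true -and $Exceptions -notcontains $_.UserPrincipalName
})

# Finding 2: exception accounts that still expire (the post's change, limited
# to the listed accounts instead of every user in the tenant).
$missing = @($users | Where-Object {
    $Exceptions -contains $_.UserPrincipalName -and $_.PasswordNeverExpires -ne $true
})

Write-Host "Password expiry disabled outside the exception list: $($unexpected.Count)"
$unexpected |
    Select-Object UserPrincipalName, DisplayName, IsLicensed, LastPasswordChangeTimestamp |
    Format-Table -AutoSize

Write-Host "Exception accounts whose password still expires: $($missing.Count)"
$missing | Select-Object UserPrincipalName, LastPasswordChangeTimestamp | Format-Table -AutoSize

if ($Apply) {
    foreach ($u in $unexpected) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -PasswordNeverExpires $false
        Write-Host "Re-enabled expiry for $($u.UserPrincipalName)"
    }
    foreach ($u in $missing) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -PasswordNeverExpires $true
        Write-Host "Disabled expiry for $($u.UserPrincipalName)"
    }
}
```

Run it once without -Apply and review both findings before re-running with -Apply.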

Using remote PowerShell to manage Office 365 identities


Pasted from <http://philwicklund.com/blog/Pages/Using-remote-PowerShell-to-manage-Office-365-identities.aspx>

Handy PowerShell Administration Script for Office 365


Pasted from <http://blog.insidelync.com/2011/09/handy-powershell-administration-script-for-office-365-2/>

MOSDAL is a tool that is used for gathering data to troubleshoot customer issues. The purpose of the
MOSDAL toolkit is pretty much the same as the MPS Reports. It is nothing more than a utility that can be used to gather data from the customer's environment and local system to assist in troubleshooting their scenarios. Just like the MPS Reports, the actual utilities and logs that are gathered are familiar to us; the MPS Reports were just a wrapper to allow the customer to gather data for us easily and with minimal interaction. You will most likely end up collecting much more information than what you actually need, but for the most part it is better to have too much data rather than not enough.

The customer can download this tool from http://support.microsoft.com/kb/960625

Assigning Administrative Roles for Users


The default roles are (some of these are not available in BETA, but they are left here as they should be available for RTM):
Tenant Administrator - has control over all administrative functions
User Account Administrator - able to manage users on the site
Service Administrator - has control over service settings
Password Administrator - can reset user passwords
Billing Administrator - has access to billing information for the Online Services

Office365 Page 71

Exchange Online
Friday, January 20, 2012 12:33 AM

Exchange Unleashed pg. 213

Mailbox Archiving is available for users and can be deployed in a very flexible way. The user's main mailbox and Archive mailbox can be in separate databases or locations: the Archive can be located in Exchange Online while the user's main mailbox is on-premises. This also alleviates the issues with having PSTs on the network, or not having access to the PST from OWA or Outlook on different machines. Now users can save their mail to the Archive mailbox and access that data from all of their supported Outlook and OWA clients.

With the introduction of a native archiving feature in Exchange Online, customers can move easily from an unmanaged to a managed solution. Their data is now stored in and accessible from Exchange Online, similar to the way their mailbox is. The archive is a separate mailbox, managed and controlled by the administrator, so users no longer have to worry about backup and restore of PSTs. The Archive mailbox is searchable and accessible to the users.
- Users can drag and drop PSTs to an archive folder within their inbox, or schedule auto-move of messages to the archive through folder or item policy tags.
- PSTs are now discoverable; legal holds can be easily applied, and performance is not compromised for large mailboxes (10-100 GB).

Exchange Hybrid Deployment Configuration Tips: Sharing Free/Busy Information


Pasted from <http://community.office365.com/en-us/w/exchange/532.aspx>

Exchange Hybrid Deployment Moving Cloud-Based Mailboxes to the On-Premises Organization


Pasted from <http://community.office365.com/en-us/w/exchange/566.aspx>

Retention Policies have become an important part of our customers' Exchange solution. Regulatory compliance and corporate governance requirements have made it challenging for e-mail administrators and compliance officers to provide end users with simple tools for managing retention policies for the high volume of e-mail messages being sent and received daily. It is impractical for a small group of people to police e-mail to this end directly, so tools which enable end users to apply retention policies defined by the organization, and tools which automatically apply such policies without IT intervention, are required to effectively mitigate the risk associated with compliance and governance. These tools were built into Exchange 2010 and are included in Exchange Online.
- Retention policies can now be applied to any individual e-mail or folder rather than just a restricted set of managed folders. This gives administrators much more granular control.
- Policies are defined centrally and pushed to the client, exposed directly to users in the UI for selection or notification.
- Transport rules can be designed to automatically apply default policies for select groups of users or based on select attributes of e-mail.
- Legal hold allows you to lock down the mailboxes of certain users, typically those involved in a lawsuit, so that they cannot permanently delete messages. Deleted messages are hidden from the user's view, but they are still searchable.

How to Configure TMG for Office 365 (Exchange) Hybrid deployments


Pasted from <http://community.office365.com/en-us/w/exchange/1042.aspx>

Exchange Control Panel (ECP)

With Exchange 2010, one of the main tools for managing Exchange is the Exchange Control Panel. There is one big difference between the on-premises and the Exchange Online implementation of the ECP. For an administrator to have access to the management tools with Exchange on-premises, the administrator needs to have a mailbox, which is not really a big deal for an on-premises environment because there is no additional cost associated with that mailbox. With Exchange Online there is no need for the administrator to have a mailbox, which is good because no license is wasted on the administrator's mailbox. The Exchange Control Panel allows users to configure their personal settings in an easy, familiar way. Users either log in to OWA and then click Options from within OWA, just as it works with Exchange 2010 on-premises, or, if the user has administrative privileges, they can log in to MOP and access the ECP from there, through OWA as well.

Hybrid Routing - Pointing your MX record to the Cloud


Pasted from <http://community.office365.com/en-us/w/exchange/514.aspx>

Manage Your Organization - Office 365 for enterprises


Pasted from <http://help.outlook.com/en-us/140/ff657678.aspx>

Security and Compliance for Exchange Online in Office 365


Pasted from <http://help.outlook.com/en-us/140/ff637239.aspx>

Videos for Exchange Online Administrators


Pasted from <http://help.outlook.com/en-us/140/gg622914.aspx>

Compliance Features in Exchange Online

Exchange management Console (EMC)


The Exchange Management Console (EMC) is used to manage Exchange objects in a rich coexistence environment. If the environment has a combination of Exchange 2010 SP1 on-premises and Exchange Online, you can use the EMC to manage the organization settings and users, and to migrate mailboxes. In a rich coexistence environment most of the user management should be done on-premises, which will be discussed in a later lesson (this is related to Directory Synchronization). There are a couple of limitations to the EMC with regard to managing Exchange Online: there is no Server Management section, and there is no way to activate a user with a license. The reason is that the servers are managed by Microsoft, so there is no need for the Exchange Online tenant to access server-specific settings, and license management at this time can only be done through MOP, since access to the license assignment cmdlets is limited.

Pasted from <http://help.outlook.com/en-us/140/hh147162.aspx>

The following demonstrates how to connect the on-premises EMC to the Exchange Online service.
1. Install the Service Connector, as described earlier in this module, on the Exchange 2010 server that you plan to connect from.
2. Open the EMC, right-click the Microsoft Exchange node at the very top of the hierarchy and select the Add Exchange Forest option.
3. Provide a friendly name such as "cloud", select Exchange Online from the drop-down menu and click OK.
4. You will be prompted for your Online Company Admin account; provide something like admin@exchcloud.onmicrosoft.com and the tenant admin password, then click OK again.
5. You will then see the Exchange Online organization listed in the tree view along with your on-premises Exchange server.

Remote PowerShell for Exchange


Installing PowerShell and prerequisites

Microsoft Exchange Online Services requires the Windows Management Framework, which contains the correct versions of Windows PowerShell v2 and WinRM 2.0. If your computer is running Windows 7 or Windows Server 2008 R2, you don't have to install anything: the Windows Management Framework is already installed.

Install the Windows Management Framework: download and install the Windows Management Framework, choosing the package that includes Windows PowerShell v2 and WinRM 2.0 and that applies to your operating system, system architecture and language. http://go.microsoft.com/fwlink/?LinkId=165726

1. Ensure that the Service Connector is installed on the system that you intend to make the connection from.
2. Open Windows PowerShell from the Start menu.
3. Store the credential for the Exchange Online administrator account:
   a. $Cred = Get-Credential
   b. You will then be prompted for credentials; provide the credentials for the Exchange Online administrator account.
4. Create a new remote PowerShell session:
   a. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
5. Import the session:
   a. Import-PSSession $Session
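The five steps above as one script, added here as an example rather than taken from the notes or from Microsoft's documentation. It assumes the Service Connector and the Windows Management Framework described above are installed; the function name and the role-group query run while connected are my own choices. The point it adds to the steps is the teardown: each tenant allows only a limited number of concurrent remote sessions, and a session that is not removed blocks the next connection until it times out.

```powershell
# Added example (not from the original notes): connect to Exchange Online with remote
# PowerShell and always remove the session afterwards.

function New-ExchangeOnlineSession {
    param(
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $Credential,
        [string] $ConnectionUri = 'https://ps.outlook.com/powershell/'
    )
    # Steps 3 and 4 of the notes. -AllowRedirection is required because the service
    # redirects the session to the data centre that hosts the tenant.
    New-PSSession -ConfigurationName Microsoft.Exchange `
                  -ConnectionUri $ConnectionUri `
                  -Credential $Credential `
                  -Authentication Basic `
                  -AllowRedirection
}

$cred = Get-Credential      # Exchange Online administrator account
$session = $null
try {
    $session = New-ExchangeOnlineSession -Credential $cred

    # Step 5: import the proxy cmdlets (Get-Mailbox, Get-RoleGroupMember, ...) locally.
    # -DisableNameChecking silences the "unapproved verb" warnings the proxies trigger.
    Import-PSSession $session -DisableNameChecking | Out-Null

    # Something worth doing on every connection: review who holds the most
    # privileged role group in the tenant.
    Get-RoleGroupMember 'Organization Management' | Select-Object Name, RecipientType
}
finally {
    # Runs even if the import or the query fails, so no orphaned session is left behind
    if ($session) { Remove-PSSession $session }
}
```

If a connection does fail with a "maximum number of concurrent shells" error, the sessions left behind by earlier runs can be listed with Get-PSSession and removed the same way.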

To study:

Create Exclusive Write Scopes
Pasted from <http://help.outlook.com/en-us/140/Ff852814.aspx>

Create Recipient Filter Scopes


Pasted from <http://help.outlook.com/en-us/140/Ff852813.aspx>

Use Windows PowerShell in Exchange Online


Pasted from <http://help.outlook.com/en-us/140/cc546278.aspx>

Configure Exchange Online for Office 365 for enterprises


Pasted from <http://help.outlook.com/en-us/140/gg603691.aspx>

Videos for Exchange Online Administrators


Pasted from <http://help.outlook.com/en-us/140/gg622914.aspx>

Administrator Role Groups in Exchange Online


Pasted from <http://help.outlook.com/en-us/140/ee441216.aspx>

CUTOVER EXCHANGE MIGRATION


Migrate the entire organization's mailboxes from Exchange on-premises to your cloud-based e-mail organization at once.
- Maximum of 1,000 mailboxes from Exchange 2003, 2007 or 2010.
- For more than 1,000 mailboxes from Exchange 2003 or 2007, you need to perform a Staged Migration.
- For more than 1,000 mailboxes from Exchange 2010, you need to perform a Hybrid Deployment.

Requirements
- Outlook Anywhere needs to be enabled.
- Do not activate Directory Synchronization before deploying the Cutover Migration.
- Verify that you can connect to your Exchange organization using Outlook Anywhere.
- Assign the migration administrator permissions to access mailboxes in your Exchange organization.
- Add your Exchange organization as an accepted domain of your cloud-based e-mail organization.
- Disable Unified Messaging.
- Outlook Anywhere can't be configured with a self-signed certificate.

What happens during a cutover Exchange migration

When you migrate Exchange mailboxes to the cloud in a cutover Exchange migration:
- The migration service provisions new mailboxes in your cloud-based organization. It creates a cloud-based mailbox for each user account in your on-premises Exchange organization. On-premises distribution groups and contacts are also migrated to the cloud.
- After the new cloud-based mailboxes are created, the migration service migrates e-mail messages, contacts, and calendar items from the Exchange mailboxes to the corresponding cloud-based mailboxes.
- After the initial migration, the Exchange and cloud-based mailboxes are synchronized every 24 hours, so that new e-mail sent to the Exchange mailbox is copied to the corresponding cloud-based mailbox.
- When you're ready, you can route e-mail directly to the cloud-based mailboxes, complete the migration, and then remove your on-premises Exchange organization.

Migrate All Mailboxes to the Cloud with a Cutover Exchange Migration


Pasted from <http://help.outlook.com/en-us/140/ms.exch.ecp.emailmigrationwizardexchangelearnmore.aspx>

STAGED EXCHANGE MIGRATION


Allows you to migrate a subset of your organization's mailboxes, while maintaining the rest of the mailboxes in your on-premises Exchange organization. Use this type of migration as an intermediate step to moving completely to a cloud-based Exchange organization.
You can't use a staged Exchange migration to migrate Exchange 2010 mailboxes. If you have fewer than 1,000 Exchange 2010 mailboxes in your organization, you can use a cutover Exchange migration. If you have more than 1,000 Exchange 2010 mailboxes, you can implement a hybrid deployment.

Requirements:
- Install and configure a directory synchronization tool for your cloud-based organization.
- Configure Outlook Anywhere on your on-premises Exchange server. Outlook Anywhere can't be configured with a self-signed certificate.
- Verify that you can connect to your Exchange organization using Outlook Anywhere.
- Prepare the CSV file: identify the group of users whose on-premises mailboxes you want to migrate to the cloud, and include these users in the CSV file that will make up the migration batch. Important: the CSV file for a staged Exchange migration batch can contain a maximum of 1,000 rows. To migrate more than 1,000 mailboxes, you have to submit additional CSV files.
- Assign the migration administrator permissions to access mailboxes in your Exchange organization.
- Add your Exchange organization as an accepted domain of your cloud-based e-mail organization.
- Disable Unified Messaging.

What happens during a staged Exchange migration

When you use a staged Exchange migration and CSV file to migrate on-premises Exchange mailboxes to the cloud, the migration service does the following:
- It verifies that OLSync or the Microsoft Online Services Directory Synchronization tool is enabled for your cloud-based organization.
- It checks that a mail-enabled user (MEU) exists in the cloud-based e-mail organization for each entry in the CSV file.
- It converts the MEU to a mailbox.
- It configures mail forwarding by populating the TargetAddress property on the on-premises mailbox with the e-mail address of the cloud-based mailbox. This enables e-mail sent to an on-premises mailbox to be forwarded to the corresponding cloud-based mailbox.
- It e-mails a report that lists the cloud-based mailboxes that were successfully created and for which e-mail forwarding was configured. At this point, you can tell users to start using their new cloud-based mailbox. This report also lists any migration errors.
- It migrates e-mail messages, contacts, and calendar items from the Exchange mailboxes to the corresponding cloud-based mailboxes. After the initial migration, the Exchange and cloud-based mailboxes aren't synchronized. New e-mail sent to the Exchange mailbox is forwarded to the corresponding cloud-based mailbox.
- It e-mails a final report when the data migration is complete.

Obs: Users on-premises cannot see the free/busy status of migrated mailboxes in the cloud, and vice-versa.

Migrate a Subset of Mailboxes to the Cloud with a Staged Exchange Migration


Pasted from <http://help.outlook.com/en-us/140/ff959224.aspx>

EXCHANGE HYBRID DEPLOYMENT


Used by large organizations that intend in the long term to keep both organizations, on-premises and cloud, or that intend to move all of the organization's mailboxes over the long term. A hybrid deployment requires Microsoft Exchange Server 2010. However, a full Exchange 2010 organization isn't required to enable a hybrid deployment: you can install a minimal Exchange 2010 hybrid server in an existing Exchange 2003 or Exchange 2007 organization.

MRS
The Microsoft Exchange Mailbox Replication Service (MRS), which resides on all Exchange 2010 Client Access servers, is the service responsible for mailbox moves, importing and exporting .pst files, and restoring disabled and soft-deleted mailboxes. Move requests require a hybrid deployment. Move requests let you move mailboxes back and forth between your on-premises Exchange organization and the cloud. You do this in the Exchange Management Console.


PowerShell
Sunday, January 22, 2012 2:04 AM

DirSync PowerShell
- Force synchronization: Start-OnlineCoexistenceSync

Requirements to use PowerShell on Office 365:
- Windows 7 or Windows 2008 R2
- .NET Framework 3.5 and PowerShell 2.0 installed
- Microsoft Online Sign-in Assistant (http://onlinehelp.microsoft.com/en-us/office365enterprises/hh124998.aspx)
- Microsoft Online PowerShell module

To connect to the service:
Connect-MsolService (it will pop up the credential window)
or Connect-MsolService -Credential $cred
or Connect-MsolService -Currentuser

Windows PowerShell
Pasted from <http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh125001.aspx>


Sharepoint
Monday, January 23, 2012 2:19 AM


What is a site collection?


Your default SharePoint Online sites in Office 365 for professionals and small businesses are part of a single site collection. A site collection is a group of SharePoint sites that have the same owner and share administration settings, such as permissions. Site collections are hierarchical, and always include one top-level site and any sites below it. Your SharePoint Online site collection has two sites when you begin: the Team Site and a public-facing Website. The public site is the top-level site, but you create additional sites below the Team Site.

Note: You cannot create additional site collections in SharePoint Online for Office 365 for professionals and small businesses.

Pasted from <http://office.microsoft.com/en-us/sharepoint-online-small-business-help/step-1-plan-sites-and-manageusers-HA102029292.aspx?CTT=5&origin=HA101988914>

SharePoint Online planning guide for Office 365 for enterprises


Pasted from <http://office.microsoft.com/en-us/sharepoint-online-enterprise-help/sharepoint-online-planning-guide-foroffice-365-beta-for-enterprises-HA101988931.aspx>


DirSync
Tuesday, January 24, 2012 6:15 AM

Requirements:
- Windows 2003 SP2 or higher.
- Installs SQL Server 2008 R2 Express (larger customers with more than 50,000 objects should use the full SQL Server version, 2005 or 2008, because of the 10 GB database size limit of SQL Server Express edition).
- Microsoft Online ID components for authentication to Office 365.
- It must be joined to Active Directory.
- It cannot be a domain controller.
- It must run Microsoft .NET Framework 3.x.

Hardware recommendations
To set up Active Directory synchronization, you must designate one computer as your directory synchronization computer, and then install the Microsoft Online Services Directory Synchronization tool on that computer. The following table shows the minimum recommended hardware requirements for the directory synchronization computer (32-bit) in relation to how many objects you have in your on-premises Active Directory.

Number of objects in Active Directory   CPU       Memory   Hard drive size
Fewer than 10,000                       1.6 GHz   4 GB     70 GB
10,000-50,000                           1.6 GHz   4 GB     70 GB
50,000-100,000                          1.6 GHz   16 GB    100 GB
100,000-300,000                         1.6 GHz   32 GB    300 GB
300,000-600,000                         1.6 GHz   32 GB    450 GB
More than 600,000                       1.6 GHz   32 GB    500 GB

Sync Object Limits
- All customers are initially subject to a 10,000 object limit.
- Contact support to increase the object limit.
- Larger customers with 20,000 or more objects have to sign up to a special subscription type.

Attribute Validations
UPN:
- Cannot have a dot "." immediately preceding "@"
- Maximum 113 chars (64 for username, 48 for domain)
- Cannot contain !#$%&\*+-/=?^_`{}|~<>()
- Cannot have duplicate UPNs
samAccountName:
- Cannot contain "\/[]:|<>+=;?,
- Cannot end with a dot "."
- Cannot be more than 20 chars
- Cannot be empty
ProxyAddresses:
- Cannot contain smtp addresses with domains that are not registered for the tenant
- Cannot have duplicate proxy addresses

Obs: All errors are reported to the Technical Notification Contact by e-mail.
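The attribute rules above are only reported by the service after a sync has already failed, as mail to the Technical Notification Contact. The function below, added here as an example and not part of the notes or of the directory synchronization tool, checks the same rules locally before a sync so the offending objects can be fixed first. The forbidden-character sets are the ones listed above; the function name, the property names of the input objects (SamAccountName, UserPrincipalName, ProxyAddresses, the same names Get-ADUser exposes) and the sample objects are constructed for this example.

```powershell
# Added example (not from the original notes): pre-sync validation of the UPN,
# sAMAccountName and proxyAddresses rules listed above.

function New-Finding {
    param($Object, $Attribute, $Problem)
    New-Object PSObject -Property @{ Object = $Object; Attribute = $Attribute; Problem = $Problem }
}

function Test-DirSyncAttributes {
    param(
        # Objects with SamAccountName, UserPrincipalName and ProxyAddresses (string[])
        [Parameter(Mandatory = $true)] [object[]] $Objects,
        # Domains registered with the tenant; smtp: addresses in other domains are rejected
        [Parameter(Mandatory = $true)] [string[]] $RegisteredDomains
    )
    $upnForbidden = '[!#$%&\\*+\-/=?^_`{}|~<>()]'   # character set the notes forbid in a UPN
    $samForbidden = '["\\/\[\]:|<>+=;?,]'           # character set the notes forbid in sAMAccountName
    $seenUpn = @{}; $seenProxy = @{}
    $findings = @()

    foreach ($o in $Objects) {
        $sam = [string]$o.SamAccountName
        $upn = [string]$o.UserPrincipalName
        $id  = if ($sam) { $sam } else { $upn }

        # sAMAccountName rules
        if ($sam -eq '')               { $findings += New-Finding $id 'sAMAccountName' 'empty' }
        if ($sam.Length -gt 20)        { $findings += New-Finding $id 'sAMAccountName' 'longer than 20 characters' }
        if ($sam.EndsWith('.'))        { $findings += New-Finding $id 'sAMAccountName' 'ends with "."' }
        if ($sam -match $samForbidden) { $findings += New-Finding $id 'sAMAccountName' 'contains a forbidden character' }

        # UPN rules
        if ($upn -match '\.@')         { $findings += New-Finding $id 'UPN' 'dot immediately before @' }
        if ($upn.Length -gt 113)       { $findings += New-Finding $id 'UPN' 'longer than 113 characters' }
        $parts = $upn -split '@', 2
        if ($parts.Count -ne 2) {
            $findings += New-Finding $id 'UPN' 'not in user@domain form'
        } else {
            if ($parts[0].Length -gt 64) { $findings += New-Finding $id 'UPN' 'user part longer than 64 characters' }
            if ($parts[1].Length -gt 48) { $findings += New-Finding $id 'UPN' 'domain part longer than 48 characters' }
        }
        if ($upn -match $upnForbidden) { $findings += New-Finding $id 'UPN' 'contains a forbidden character' }
        $key = $upn.ToLower()                       # UPN comparison is case-insensitive
        if ($seenUpn.ContainsKey($key)) { $findings += New-Finding $id 'UPN' "duplicate of $($seenUpn[$key])" }
        else { $seenUpn[$key] = $id }

        # proxyAddresses rules (duplicates are checked across all objects)
        foreach ($addr in @($o.ProxyAddresses | Where-Object { $_ })) {
            $lower = ([string]$addr).ToLower()
            if ($seenProxy.ContainsKey($lower)) {
                $findings += New-Finding $id 'proxyAddresses' "duplicate $addr (also on $($seenProxy[$lower]))"
            } else { $seenProxy[$lower] = $id }
            if ($lower.StartsWith('smtp:')) {
                $domain = ($lower -split '@')[-1]
                if ($RegisteredDomains -notcontains $domain) {
                    $findings += New-Finding $id 'proxyAddresses' "$addr uses unregistered domain $domain"
                }
            }
        }
    }
    $findings
}

# Constructed sample input: one clean object and three that break different rules
$registered = @('contoso.com', 'contoso.onmicrosoft.com')
$sample = @(
    (New-Object PSObject -Property @{ SamAccountName = 'alice';      UserPrincipalName = 'alice@contoso.com'
                                      ProxyAddresses = @('SMTP:alice@contoso.com') }),
    (New-Object PSObject -Property @{ SamAccountName = 'bob.';       UserPrincipalName = 'bob.@contoso.com'
                                      ProxyAddresses = @('SMTP:bob@contoso.com', 'smtp:bob@oldcorp.local') }),
    (New-Object PSObject -Property @{ SamAccountName = 'alice2';     UserPrincipalName = 'Alice@contoso.com'
                                      ProxyAddresses = @('smtp:alice@contoso.com') }),
    (New-Object PSObject -Property @{ SamAccountName = 'carol+test'; UserPrincipalName = 'carol+test@contoso.com'
                                      ProxyAddresses = @('SMTP:carol@contoso.com') })
)
Test-DirSyncAttributes -Objects $sample -RegisteredDomains $registered |
    Format-Table Object, Attribute, Problem -AutoSize
```

In the sample, "bob." trips the trailing-dot and dot-before-@ rules plus an unregistered proxy domain, "alice2" collides with "alice" on both UPN and proxy address, and "carol+test" carries a forbidden character in both attributes. Against a real forest the objects would come from Get-ADUser with the three properties requested.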

Plan for Directory Synchronization


Things to think about (to do first):
1. Do you plan to enable Identity Federation?
   - Register domains with Office 365
   - Activate Federation
2. Do you plan to enable Rich Co-existence?
   - Exchange 2010 SP1 CAS deployed on premises?
3. Is your Active Directory "ready"?
   - Microsoft Online Deployment Guide
   - Microsoft Office 365 Deployment Readiness Tool

Changing the source of authority


There are three scenarios where you may change the source of authority for an object: when you activate, deactivate, or reactivate directory synchronization from within the Office 365 Admin page or with Windows PowerShell. Source of authority is transferred after you perform the first sync.

Activate: When you activate directory synchronization and then synchronize directories, the source of authority for any cloud object that is matched to an on-premises object is transferred from the cloud to your on-premises Active Directory. Activating directory synchronization is a requirement for an Exchange hybrid deployment, for Active Directory Federation Services (ADFS)/single sign-on (SSO), and for the staged Exchange migration scenarios.

Deactivate: When you deactivate directory synchronization, the source of authority is transferred from the on-premises Active Directory to the cloud. Deactivating directory synchronization is a requirement if you want to transfer all user, group, contact, and mailbox management to the cloud. For example, some organizations that used the staged Exchange migration tools to move their mailboxes to the cloud and no longer want to manage objects from on-premises can deactivate directory synchronization.

Reactivate: When you reactivate directory synchronization, the source of authority is transferred from the cloud back to your on-premises Active Directory (where it previously resided). It's important to understand the implications of reactivating directory synchronization in this scenario. Directory data loss can occur when the source of authority is transferred from the cloud back to your on-premises organization. For example, consider a company that activated directory synchronization in January and created synced users in the cloud. In July, the company deactivates directory synchronization. This transferred the source of authority to the cloud, where the company subsequently edited the objects. In September, the company decided to deploy ADFS/SSO. They reactivated directory synchronization to transfer the source of authority back to the on-premises Active Directory. In this example, when directory synchronization is reactivated and run, any changes that have been made to the cloud objects from July through September would be overwritten and lost.

The following variables influence whether this example would cause the data for cloud objects to be lost:
- The matching SMTP and GUID functionality that directory synchronization uses during the reactivate scenario
- The delta of user property data between the two corresponding objects in their respective directories (your on-premises Active Directory versus the cloud directory)

It's important to understand these variables so that you can prepare your environment for the source of authority transfer, helping you to minimize directory data loss. Specifically, data loss around e-mail proxy addresses can create mail flow and logon issues for users. Therefore, the focus of your preparation should be on evaluating how you use proxy addresses for mail routing in your current messaging implementation.

Matching functionality 1, GUID match logic: When you reactivate directory synchronization, objects in the on-premises Active Directory are matched with objects in the cloud according to the directory synchronization GUID (objectGUID) previously recorded on the cloud objects. When such a match is found, the directory synchronization process makes a GUID match and overwrites the target object data in the cloud objects with the data from the corresponding on-premises objects.

Matching functionality 2, SMTP match logic: If directory synchronization does not find a GUID match in the cloud, a process called SMTP match is used. In this process, directory synchronization matches corresponding objects according to the primary SMTP address. If a target (cloud) object's primary SMTP address matches the primary SMTP address of an object in the on-premises organization, the data for the on-premises object is used to overwrite the data for the corresponding cloud object. If neither a GUID nor an SMTP match can be made, the directory synchronization process creates a new object in the cloud that is mastered from within the on-premises Active Directory.

User property delta: The degree and nature of the difference between corresponding user objects in the on-premises and cloud directories are important considerations. If you have made no changes, or only minimal changes, to the user objects during the time the source of authority was in the cloud, the risk of mail-flow failure is low. If, on the other hand, you have made changes to SMTP addresses (primary, secondary, proxy, target address, and so on) to enable cross-premises routing, you must make sure that reactivating directory synchronization does not interrupt mail flow. Before you reactivate directory synchronization, we strongly recommend that you back up the existing cloud object data, and then evaluate how you've configured SMTP addressing in the cloud.

Back up your cloud user object data: Before you reactivate directory synchronization, it is best practice to back up your cloud user object data. You should make a backup even if you have made minimal changes to user objects since you last deactivated directory synchronization. To make a backup of cloud user object data:
1. Connect to the cloud by using Windows PowerShell for Exchange. For more information about installing and connecting with remote Windows PowerShell, see Use Windows PowerShell in Exchange Online.
2. After you connect to the cloud, run the following cmdlet:

Get-Mailbox |select emailaddresses, name, userprincipalname, identity|export-csv -path C:\export\userlist.csv

This cmdlet extracts all user data into Userlist.csv. This file is in the Export directory. If you want to roll back the reactivation, Userlist.csv helps you to recover user objects to their current state. But it is important to know that rolling back reactivation is a manual, and potentially lengthy, process. You'll need the help of Microsoft Support.
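The GUID-then-SMTP matching described above decides which cloud objects get overwritten on reactivation, and the backup only helps after the fact. An offline dry run of that matching, added here as an example and not part of the article or of the directory synchronization tool, shows per on-premises object how it would be matched and which cloud-only proxy addresses would disappear, which is exactly the "user property delta" the article tells you to evaluate. Property names (ObjectGuid, PrimarySmtp, ProxyAddresses), the function name and the sample objects are constructed; in practice the on-premises side would come from Get-ADUser and the cloud side from the Userlist.csv backup.

```powershell
# Added example (not from the article): simulate the reactivation matching logic
# (GUID match first, then primary-SMTP match, otherwise a new cloud object) and
# report which cloud-only proxy addresses the on-premises data would overwrite.

function Test-ReactivationImpact {
    param(
        [Parameter(Mandatory = $true)] [object[]] $OnPremises,
        [Parameter(Mandatory = $true)] [object[]] $Cloud
    )
    # Index cloud objects by the objectGUID a previous sync stamped on them, and by primary SMTP
    $byGuid = @{}; $bySmtp = @{}
    foreach ($c in $Cloud) {
        if ($c.ObjectGuid) { $byGuid[[string]$c.ObjectGuid] = $c }
        $bySmtp[$c.PrimarySmtp.ToLower()] = $c
    }
    $claimed = @{}
    foreach ($o in $OnPremises) {
        $target = $null; $how = 'NewObject'
        if ($byGuid.ContainsKey([string]$o.ObjectGuid)) {
            $target = $byGuid[[string]$o.ObjectGuid]; $how = 'GuidMatch'        # matching functionality 1
        } elseif ($bySmtp.ContainsKey($o.PrimarySmtp.ToLower())) {
            $target = $bySmtp[$o.PrimarySmtp.ToLower()]; $how = 'SmtpMatch'    # matching functionality 2
        }
        $lost = @(); $targetSmtp = $null
        if ($target) {
            $targetSmtp = $target.PrimarySmtp
            $claimed[$targetSmtp.ToLower()] = $true
            # On-premises data overwrites the cloud copy, so addresses only the cloud copy has are lost
            $lost = @($target.ProxyAddresses | Where-Object { $o.ProxyAddresses -notcontains $_ })
        }
        New-Object PSObject -Property @{
            OnPremises = $o.PrimarySmtp; Match = $how; CloudObject = $targetSmtp
            LostProxyAddresses = ($lost -join '; ')
        }
    }
    # Cloud objects no on-premises object matched; listed so they can be reviewed separately
    foreach ($c in $Cloud) {
        if (-not $claimed.ContainsKey($c.PrimarySmtp.ToLower())) {
            New-Object PSObject -Property @{
                OnPremises = $null; Match = 'Unmatched'; CloudObject = $c.PrimarySmtp; LostProxyAddresses = ''
            }
        }
    }
}

# Constructed sample: objects as they look in the on-premises forest ...
$onPrem = @(
    (New-Object PSObject -Property @{ ObjectGuid = 'G1'; PrimarySmtp = 'alice@contoso.com'
                                      ProxyAddresses = @('SMTP:alice@contoso.com') }),
    (New-Object PSObject -Property @{ ObjectGuid = 'G2'; PrimarySmtp = 'bob@contoso.com'
                                      ProxyAddresses = @('SMTP:bob@contoso.com') }),
    (New-Object PSObject -Property @{ ObjectGuid = 'G3'; PrimarySmtp = 'carol@contoso.com'
                                      ProxyAddresses = @('SMTP:carol@contoso.com') })
)
# ... and as they look in the cloud after months of being edited there
$cloud = @(
    # alice kept her sync GUID; a routing address was added while the cloud was authoritative
    (New-Object PSObject -Property @{ ObjectGuid = 'G1'; PrimarySmtp = 'alice@contoso.com'
                                      ProxyAddresses = @('SMTP:alice@contoso.com', 'smtp:alice@contoso.mail.onmicrosoft.com') }),
    # bob was recreated in the cloud, so only his primary SMTP address can match him
    (New-Object PSObject -Property @{ ObjectGuid = $null; PrimarySmtp = 'bob@contoso.com'
                                      ProxyAddresses = @('SMTP:bob@contoso.com', 'smtp:bob@contoso.mail.onmicrosoft.com') })
)
Test-ReactivationImpact -OnPremises $onPrem -Cloud $cloud |
    Format-Table OnPremises, Match, CloudObject, LostProxyAddresses -AutoSize
```

With this sample, alice is a GuidMatch and bob an SmtpMatch, and in both cases the routing address added in the cloud shows up under LostProxyAddresses; carol has no cloud counterpart and would be created as a new object. Any non-empty LostProxyAddresses entry is an address that must be added on-premises before the reactivation, or mail routed through it will stop.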

Deactivate directory synchronization by using Windows PowerShell


If you want to manage objects in Office 365, and you no longer want to use directory synchronization, follow this procedure:
1. Use Windows PowerShell to manage Office 365.
2. To deactivate directory synchronization, run the following cmdlet:

Set-MsolDirSyncEnabled -EnableDirSync $false

To verify that directory synchronization was deactivated, run the following cmdlet:

(Get-MsolCompanyInformation).DirectorySynchronizationEnabled

When this command returns False, directory synchronization has been disabled. It may take 72 hours for deactivation to be completed. The time depends on the number of objects that are in your Office 365 subscription account.

Pasted from <http://community.office365.com/en-us/w/sso/directory-synchronization-and-source-of-authority.aspx>


ADFS 2.0
Wednesday, January 25, 2012 15:27

Plan for and deploy Active Directory Federation Services 2.0 for use with single sign-on
Pasted from <http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx>


Support
Sunday, March 25, 2012 04:33

- SWT (Service Workflow Tool): acts as a front-end to Product Studio, allowing frontline engineers to collect all the required information for a Microsoft Online Directory Services (MSODS) PSID without opening Product Studio.
- Product Studio: the tool where you create a PSID for registering a Service Interrupting Event (SIE), and monitor the status of the PSIDs assigned to you. You can create, edit and search for PSIDs, and also add attachments to PSIDs. Once created, the PSID can only be opened within Product Studio.
- Most PSIDs are escalated or redirected to the right team.
- The Microsoft Online Directory Services (MSODS) team is responsible for supporting the core directory and provisioning platform for Office 365.

Escalations responsible for the creation of MSODS-related PSIDs fall into 4 categories: Break/Fix, DCR/CDCR, Known Issues, SIE (multi-tenant outage).

- Break/Fix: a customer problem that cannot be resolved using documented troubleshooting steps. All break/fix issues should be escalated to the appropriate Escalation Services Team (CTS) using CAP or MSSolve. KB2523463
- DCR/CDCR: Design Change Request or Critical Design Change Request; should be escalated to the appropriate Escalation Services Team. KB2523463
- Known Issue: a known behavior of the product. It is an issue requiring a customer to contact Microsoft Online Services Support for resolution. It is a service limitation.
- SIE (multi-tenant outage): Service Interrupting Event, replaces the term "service outage". SIE procedures are specific to the associated Ops/Engineering team.

Criteria to determine a Sev A and Sev 1 to be accepted when creating a PSID: a tenant that has more than 350 paid seats and one of the following is true:
- Customer is threatening to leave the service and more than 20 users are already impacted.
- Customer or field has indicated that we may lose the customer to Google.
- CEO or Vice-President is impacted.
Sev 1 is only assigned if more than one tenant is impacted.


Tuesday, January 17, 2012 19:34

VMM08R2...

http://technet.microsoft.com/en-us/library/ee441285.aspx

http://technet.microsoft.com/pt-br/evalcenter/cc793138

http://technet.microsoft.com/pt-br/virtualization/default.aspx

VMM Docs Page 84

Cloud Computing
Sunday, January 22, 2012 12:55 AM

Definition: At its essence, cloud computing is the aggregation of resources (compute, storage and network) so that capacity requirements can be dynamically modified to match fluctuation in system workloads. This resource matching can be automated, or self-provisioned by line of business (LoB) resources interacting with the cloud environment in business terms (# of transactions, concurrent users, time to result).

Advantages
- You can reduce overhead by consolidating resources into large shared datacenters. This creates efficiencies in staffing and power consumption.
- You can scale your service usage up or down as you need: no overcapacity and no lost opportunity.
- After consuming cloud services, you are billed on a monthly basis, so cloud computing services are considered an operational expense, not a capital expense.

Hint: An operating expense, operating expenditure, operational expense, operational expenditure or OPEX is an ongoing cost for running a product, business, or system.[1] Its counterpart, a capital expenditure (CAPEX), is the cost of developing or providing non-consumable parts for the product or system. For example, the purchase of a photocopier involves CAPEX, and the annual paper, toner, power and maintenance costs represent OPEX.[2] For larger systems like businesses, OPEX may also include the cost of workers and facility expenses such as rent and utilities.
Pasted from <http://en.wikipedia.org/wiki/Operating_expense>

Points to consider when planning a migration to the cloud:
1. Authentication for both public and private (enterprise) users.
2. Security threats and mitigations when using the public cloud.
3. Compliance regulations, and how to simplify them with the right architecture.

Cloud Computing: The First Trip to the Cloud


Pasted from <http://technet.microsoft.com/en-us/magazine/hh771030.aspx>

A Non-Technical Overview of Cloud Computing


Pasted from <http://social.technet.microsoft.com/wiki/contents/articles/4854.aspx?wa=wsignin1.0>

Cloud Computing Page 85

Security of the Cloud


Tuesday, February 7, 2012 04:57

Cloud Computing Security Architecture (IT Pro Perspective)


Pasted from <http://social.technet.microsoft.com/wiki/contents/articles/3794.cloud-computing-security-architecture-itpro-perspective.aspx>

Hyper-V: Survival Guide (en-US)


Pasted from <http://social.technet.microsoft.com/wiki/contents/articles/125.hyper-v-survival-guide-en-us.aspx>


Private Cloud Jump Start (01): Introduction to the Microsoft Private Cloud with System Center 2012
Tuesday, April 24, 2012 14:27

Private Cloud Jump Start (01): Introduction to the Microsoft Private Cloud with System Center 2012
Pasted from <http://technet.microsoft.com/en-us/edge/private-cloud-jump-start-01-introduction-to-the-microsoftprivate-cloud-with-system-center-2012>

The complete Private Cloud series is available at this link.

Private Cloud
Pasted from <https://www.microsoftvirtualacademy.com/LandingPageHandler.ashx?lPage=PrivateCloud&cID=8>

Download Microsoft Private Cloud Evaluation Software


Pasted from <http://technet.microsoft.com/pt-br/evalcenter/hh505660>

Microsoft Private Cloud Guided Labs


Pasted from <http://technet.microsoft.com/pt-br/evalcenter/hh913012>


Wednesday, 25 April 2012 13:48

Hyper-V Concepts - Snapshots


Pasted from <http://social.technet.microsoft.com/wiki/contents/articles/670.hyper-v-concepts-snapshots.aspx>

Confusion Over Hyper-V and Snapshots


Pasted from <http://www.aidanfinn.com/?p=11935>


DNS
Thursday, 26 April 2012 17:41

DNS consists of a hierarchical namespace, a collection of name servers, and DNS clients called resolvers. Each name server is the authoritative source for a small part of the namespace. When a DNS server receives a name resolution request from a resolver, it checks its own records for the IP address associated with the requested name. If the server does not have the information, it passes the request on to other DNS servers until it reaches the server that is authoritative for that name; the authoritative server is the ultimate source of information about that name. The namespace is divided among many servers. A domain is an administrative entity that consists of a group of hosts. When a DNS server is the authoritative source for a domain, it holds information about the hosts in that domain in the form of resource records. The domain namespace takes the form of a tree, much like a file system, with its root at the top.

On the Internet, domains at each level are responsible for maintaining information about the domains at the next lower level. For instance, a DNS server that owns the top-level domain .com has information about the DNS servers that own second-level domains such as fabrikam.com. The root name servers are the highest-level DNS servers in the namespace; they maintain information about the top-level domains.

DNS QUERY TYPES
Recursive Queries: When a DNS server receives a recursive query, it takes full responsibility for resolving the name. If the server already has the information about the requested name (authoritative data or a cached answer), it replies immediately. If not, it queries other DNS servers itself, following the referrals they return, until it obtains the answer. Client resolvers send recursive queries to their configured DNS servers. The only acceptable replies to a recursive query are the resolved name or a name resolution failure.

Iterative Queries: When a DNS server receives an iterative query, it replies with the best information it has at the time. This can be the resolved name or a referral to another DNS server that is closer to the authoritative source. DNS servers use iterative queries when communicating with each other.
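As an added example (not part of the original notes), the iterative walk described above done by hand with Resolve-DnsName from the Windows DnsClient module: every hop is an RD=0 query, and the script follows the referrals from a root server down to the authoritative server. It assumes Windows 8 / Windows Server 2012 or later, outbound port 53 to the Internet, and that the DNS client hands back the Authority and Additional sections of a referral; example.com and the root server address are only starting points.

```powershell
# Added example, not from the original notes: do what a recursive server does,
# one iterative (RD=0) query per hop, starting at a root server.
# Assumes the DnsClient module (Windows 8 / Server 2012 or later) and that
# outbound UDP/TCP 53 to the Internet is allowed from this host.
# 198.41.0.4 is a.root-servers.net; example.com is just a name with plain A records.
function Trace-DnsReferralChain {
    [CmdletBinding()]
    param(
        [string]$Name = 'example.com',
        [string]$Type = 'A',
        [string]$StartServer = '198.41.0.4',
        [int]$MaxHops = 10
    )
    $server = $StartServer
    for ($hop = 1; $hop -le $MaxHops; $hop++) {
        # -NoRecursion: ask this server for the best it has, do not make it recurse.
        # -DnsOnly: never fall back to LLMNR/NetBIOS name resolution.
        $rr = Resolve-DnsName -Name $Name -Type $Type -Server $server -NoRecursion -DnsOnly -ErrorAction Stop

        $answer = @($rr | Where-Object { $_.Section -eq 'Answer' })
        if ($answer.Count -gt 0) {
            # This server is authoritative for the name (or had it cached): done.
            Write-Verbose "hop $hop : $server answered"
            return $answer
        }

        # No answer section means a referral: NS records for the closest zone the
        # server knows about are in Authority, their glue A records in Additional.
        $ns   = @($rr | Where-Object { $_.Section -eq 'Authority'  -and $_.Type -eq 'NS' })
        $glue = @($rr | Where-Object { $_.Section -eq 'Additional' -and $_.Type -eq 'A'  })
        if ($ns.Count -eq 0) { throw "hop $hop : $server returned neither an answer nor a referral" }

        Write-Verbose ("hop $hop : $server referred us to zone '{0}' ({1} name servers)" -f $ns[0].Name, $ns.Count)

        if ($glue.Count -gt 0) {
            $server = $glue[0].IPAddress
        } else {
            # Referral without glue (NS names outside the zone): resolve one NS
            # name with the normal resolver, then continue the walk from there.
            $server = (Resolve-DnsName -Name $ns[0].NameHost -Type A -DnsOnly -ErrorAction Stop |
                       Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
        }
    }
    throw "gave up after $MaxHops referrals without reaching an authoritative answer"
}

# Usage: -Verbose prints each hop (root -> .com servers -> example.com servers).
Trace-DnsReferralChain -Name 'example.com' -Verbose | Format-Table Name, Type, IPAddress, TTL -AutoSize
```

Run it once against a name you control and you will see exactly which referral each level hands out; run it with -StartServer pointed at one of your own DNS servers and you will see whether that server answers from its own zones, refers, or (if you leave out -NoRecursion) quietly recurses for anyone who asks.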

DNS SERVER TYPES

Caching-Only Servers
A caching-only server hosts no zones or domains. It can resolve Internet DNS names for clients immediately after installation, and it keeps a cache of previously resolved queries. Use one where you simply want to resolve Internet names for clients.

Using Forwarders
A forwarder is a DNS server that receives queries from other DNS servers that are explicitly configured to send them. With Windows Server 2003 DNS servers, the forwarder itself requires no special configuration; you configure the other DNS servers to send their queries to it. To do this, from the Action menu in the DNS console, click Properties to display the server's Properties dialog box, click the Forwarders tab, and supply the IP address of the DNS server that will act as a forwarder (see Figure 4-5). You can specify multiple forwarder IP addresses for fault tolerance.

You can also use forwarders to limit the number of servers that send name resolution queries through the firewall to the Internet. If you have five DNS servers on your network, all of which provide both internal and Internet name resolution, you have five points where your network is exposed to attacks from the Internet (and five hosts that need outbound port 53). By configuring four of the DNS servers to send all their Internet queries to the fifth server, you reduce this to a single exposed server, which is also the one place where outbound DNS can be logged and filtered. That server then becomes a single point of failure for Internet name resolution; if that is unacceptable, use two egress servers and list both as forwarders on the others.

Conditional Forwarders: a DNS server configured (on the Forwarders tab in Windows Server 2003, or under the Conditional Forwarders node in Windows Server 2008) to forward queries for a specific domain to specific DNS servers. This speeds up name resolution by sending queries for that domain straight to its authoritative servers instead of walking down from the Internet root, and it is the usual way to resolve a partner's or another forest's namespace.
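The five-server design above, as an added example (not from the original notes) written with the DnsServer PowerShell module of Windows Server 2012 or later; server names, addresses and the partner domain are invented. The dnscmd.exe lines in the comments are the Windows Server 2003/2008 equivalents.

```powershell
# Added example, not from the original notes: four internal DNS servers forward
# every Internet query to one egress resolver (dns5), so only dns5 needs outbound
# port 53 through the firewall. Assumes the DnsServer module (Windows Server 2012
# or later) and DNS admin rights; all names and addresses are made up.
$EgressResolver  = '10.0.0.5'                      # dns5: the only DNS server allowed out on port 53
$InternalServers = 'dns1', 'dns2', 'dns3', 'dns4'   # forward to dns5 instead of going out themselves
$PartnerDomain   = 'fabrikam.com'                   # partner namespace with its own authoritative servers
$PartnerDns      = '192.0.2.10', '192.0.2.11'

foreach ($srv in $InternalServers) {
    # Send everything we are not authoritative for to dns5. UseRootHint $false
    # matters: otherwise a timeout at dns5 makes the server fall back to root
    # hints and quietly re-opens a direct path to the Internet.
    # dnscmd: dnscmd $srv /ResetForwarders 10.0.0.5 /Slave
    Set-DnsServerForwarder -ComputerName $srv -IPAddress $EgressResolver -UseRootHint $false -Timeout 5

    # Conditional forwarder: queries for fabrikam.com bypass dns5 and go straight
    # to the partner's authoritative servers.
    # dnscmd: dnscmd $srv /ZoneAdd fabrikam.com /Forwarder 192.0.2.10 192.0.2.11
    if (-not (Get-DnsServerZone -ComputerName $srv -Name $PartnerDomain -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -ComputerName $srv -Name $PartnerDomain -MasterServers $PartnerDns
    }
}

# Check: does each internal server depend on dns5 alone for Internet names?
function Test-DnsEgressDependency {
    param([string[]]$Servers, [string]$Egress)
    foreach ($srv in $Servers) {
        $f   = Get-DnsServerForwarder -ComputerName $srv
        $fwd = @($f.IPAddress | ForEach-Object { $_.IPAddressToString })
        [pscustomobject]@{
            Server        = $srv
            Forwarders    = $fwd -join ','
            UseRootHint   = $f.UseRootHint
            # Any other forwarder, or root-hint fallback, is a second egress path.
            OnlyViaEgress = ($fwd.Count -eq 1 -and $fwd[0] -eq $Egress -and -not $f.UseRootHint)
        }
    }
}
Test-DnsEgressDependency -Servers $InternalServers -Egress $EgressResolver | Format-Table -AutoSize
# The firewall rule that makes this stick: allow outbound TCP/UDP 53 to the
# Internet from 10.0.0.5 only, and alert on any other internal host trying port 53.
```

The check function is the part worth keeping: a forwarder list is easy to "fix" on one server during an outage and forget, and the root-hint fallback is on by default, so re-run it after every DNS change.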

ZONE TYPES
Primary Zones: Contain the master copy of the zone database. All changes to the zone's resource records are made on the primary zone and then replicated to the secondary zones. If the zone is not integrated with Active Directory, it is stored in a plain text file on the local drive (%SystemRoot%\System32\DNS).

Secondary Zones: A replica of a primary zone on another server. It contains a copy of the primary master's zone database, stored identically in a text file on the local drive. A secondary zone can answer authoritatively for names in the zone. You cannot modify resource records manually in a secondary zone; they are updated only by replication from the primary zone, a process called zone transfer. When you create primary and secondary zones you must configure zone transfers on the primary to allow replication to the secondary servers, and you should restrict transfers to those servers only, since an unrestricted zone transfer hands an attacker the whole zone.

Stub Zones: A copy of a zone that contains only the Start of Authority (SOA) and Name Server (NS) resource records, plus the Host (A) records (glue) for the name servers listed in the NS records. When a server hosting a stub zone receives a query for a name in that zone, it either forwards the request to a server authoritative for the zone or replies with a referral to it, depending on whether the query is recursive or iterative.

Active Directory-Integrated Zones: Created by selecting the "Store The Zone In Active Directory" check box (available only if the server is a domain controller) in the New Zone Wizard. The DNS resource records are stored in the Active Directory database and are replicated along with the Active Directory data. This increases security, because domain controllers authenticate each other before they exchange data and the replication traffic is encrypted, and it makes secure dynamic updates possible. You do not have to create secondary zones, because Active Directory uses multi-master replication. It also conserves network bandwidth by replicating only the data that has changed and compressing it before transmission.
With Windows 2000, zones were stored in the domain naming context (domain partition), so zone information was replicated to every DC in the domain, including DCs that were not running DNS at all. Windows Server 2003 introduced application directory partitions, which give two additional places to store DNS zones. Windows Server 2003 and Windows Server 2008 can store zone information in the DomainDnsZones or ForestDnsZones application directory partition. Zone data stored in DomainDnsZones is replicated to every DNS server (DC running DNS) in the domain; zone data stored in ForestDnsZones is replicated to every DNS server in the forest.
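One zone of each type described above, created with the DnsServer PowerShell module and with zone transfers locked down, as an added example that is not part of the original notes. It assumes Windows Server 2012 or later on a domain controller running DNS; zone names, file names and addresses are invented, and the dnscmd.exe lines in comments are the Windows Server 2003/2008 equivalents.

```powershell
# Added example, not from the original notes: one zone of each type, with zone
# transfers restricted. Assumes the DnsServer module (Windows Server 2012 or later)
# on a DC running DNS; names, file names and addresses are made up.

# 1. AD-integrated primary zone, stored in the ForestDnsZones partition so every DNS
#    server in the forest gets it; only secure (Kerberos-authenticated) dynamic updates.
#    dnscmd: dnscmd /ZoneAdd corp.contoso.com /DsPrimary /DP /forest
Add-DnsServerPrimaryZone -Name 'corp.contoso.com' -ReplicationScope Forest -DynamicUpdate Secure

# 2. File-backed primary zone (%SystemRoot%\System32\dns\dmz.contoso.com.dns), no
#    dynamic updates at all: a zone that is not in AD cannot authenticate updaters.
#    dnscmd: dnscmd /ZoneAdd dmz.contoso.com /Primary /file dmz.contoso.com.dns
Add-DnsServerPrimaryZone -Name 'dmz.contoso.com' -ZoneFile 'dmz.contoso.com.dns' -DynamicUpdate None

#    Zone transfers only to the one secondary, and notify it of changes. "Transfer to
#    any server" would hand the whole zone (AXFR) to whoever asks.
#    dnscmd: dnscmd /ZoneResetSecondaries dmz.contoso.com /SecureList 10.0.1.20 /NotifyList 10.0.1.20
Set-DnsServerPrimaryZone -Name 'dmz.contoso.com' -SecureSecondaries TransferToSecureServers `
    -SecondaryServers '10.0.1.20' -Notify NotifyServers -NotifyServers '10.0.1.20'

# 3. The matching secondary zone on the second DMZ server (10.0.1.20), pulling from 10.0.1.10.
#    dnscmd: dnscmd dns-dmz2 /ZoneAdd dmz.contoso.com /Secondary 10.0.1.10
Add-DnsServerSecondaryZone -ComputerName 'dns-dmz2' -Name 'dmz.contoso.com' `
    -ZoneFile 'dmz.contoso.com.dns' -MasterServers '10.0.1.10'

# 4. Stub zone for a partner domain: only SOA, NS and glue A records are copied, so
#    the list of its name servers stays current without hosting a full secondary.
#    dnscmd: dnscmd /ZoneAdd fabrikam.com /DsStub 192.0.2.10 /DP /domain
Add-DnsServerStubZone -Name 'fabrikam.com' -MasterServers '192.0.2.10' -ReplicationScope Domain

# Check: list every primary zone on a server that would still transfer to anyone who asks.
function Get-OpenTransferZones {
    param([string]$ComputerName = 'localhost')
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                       $_.SecureSecondaries -eq 'TransferAnyServer' } |
        Select-Object ZoneName, IsDsIntegrated, SecureSecondaries
}
Get-OpenTransferZones
```

The last function is the audit you want across every DNS server, not just the one you are configuring: a zone created years ago with "Allow zone transfers: to any server" is a free copy of your internal host list for anyone on the network.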

IMPLEMENTING DNS SERVERS
Provide redundancy: to avoid a single point of failure, keep at least two copies of every zone online in the network.
Improve performance and reduce bandwidth: in a large network with many subnets and sites, the best practice is to keep a DNS server on each subnet and at least one on each site, to avoid heavy query traffic between subnets and over the WAN links that connect sites. A nearby DNS server improves name resolution performance.
Delegate authority: in a large organization, a better way to spread the administrative load can be to split the namespace into several subdomains so that different office locations and administrative staff maintain their own DNS resource records.


How DNS Support for Active Directory Works


Pasted from <http://technet.microsoft.com/en-us/library/cc759550(v=ws.10).aspx>

Typically, a Windows Server 2003 or later DNS namespace is deployed to mirror the Active Directory forest and domain structure. In such a deployment, a partition of the DNS namespace is set aside for Active Directory: a DNS domain name such as corp.contoso.com is used to support the Active Directory forest root domain, and subdomains of this name are created for additional Active Directory domains as needed.

DNS Support for Active Directory Architecture

Active Directory depends on DNS as its domain controller location mechanism and uses DNS domain naming conventions in the architecture of Active Directory domains. There are three components in this dependency:
- Domain controller locator (Locator): implemented in the Netlogon service, enables a client to locate a domain controller.
- Active Directory domain names in DNS: every Active Directory domain has a DNS domain name and every Windows Server 2003 or later computer has a DNS name. Domains and computers are represented as objects in Active Directory and as nodes in DNS.
- Active Directory DNS objects: when DNS data is stored in Active Directory, each DNS zone is an Active Directory container object (class dnsZone). The dnsZone object contains a DNS node object (class dnsNode) for every unique name within that zone. The dnsNode object has a multivalued dnsRecord attribute that contains a value for every resource record associated with that name.

DNS Support for Active Directory Tools and Settings


Pasted from <http://technet.microsoft.com/en-us/library/cc738266(v=ws.10).aspx>


Active Directory
Thursday, 26 April 2012 17:41

Troubleshooting WEBCasts:

Directory services provide the means to organize, simplify and control access to the resources of a network. A directory is a list of objects that represent network resources.

Active Directory offers the following features:
- Centralized data store: all data stored in Active Directory resides in a single, distributed data repository.
- Scalability: you can scale the directory to meet business and network requirements through the configuration of domains and trees and the placement of domain controllers.
- Manageability: the hierarchical organizational structure makes it easier to control resource privileges and other security settings, and to locate network resources such as files and printers.
- Integration with DNS.
- Policy-based administration: policies define the permitted actions and settings for users and computers across a given site, domain or organizational unit.
- Replication of information: Active Directory uses multimaster replication for information availability, fault tolerance, load balancing and performance. Multimaster replication lets you update the directory at any domain controller and replicates the change to every other domain controller.
- Flexible, secure authentication and authorization: Active Directory supports multiple authentication protocols, such as Kerberos version 5, Secure Sockets Layer (SSL) version 3 and Transport Layer Security (TLS) using X.509 version 3 certificates. In addition, Active Directory provides security groups that span domains.

TechNet Support WebCast: Troubleshooting DNS configuration issues on domain controllers by using the DNS test in the Windows Server 2003 SP1-based version of the DCDIAG tool
Pasted from <http://support.microsoft.com/kb/905900/en-us>

TechNet Support WebCast: Troubleshooting Active Directory replication using the Repadmin tool: A look into the inner workings
Pasted from <http://support.microsoft.com/kb/905739/en-us>

TechNet Support WebCast: Operations guide for Microsoft Windows Server Update Services
Pasted from <http://support.microsoft.com/kb/913103/en-us>

Active Directory Components


Everything that Active Directory tracks is considered an object: a user, computer, printer, resource or service. Many objects share common attributes, and a set of attributes describes an object class in Active Directory. For example, all User objects share attributes that store a user name, full name, and so on. The set of attributes available for any particular object type is defined by the schema. A container is an object used to organize Active Directory by grouping other objects. Each object in AD has a name that identifies it uniquely regardless of its type: the LDAP distinguished name. The example in the source notes, written root first: /O=Internet/DC=COM/DC=Microsoft/DC=MSPress/CN=Users/CN=Tony Northrup; in standard LDAP syntax the same name reads CN=Tony Northrup,CN=Users,DC=MSPress,DC=Microsoft,DC=COM.

Kerberos authentication and troubleshooting delegation issues


Pasted from <http://support.microsoft.com/kb/907272/en-us>

TechNet Support WebCast: How to analyze and troubleshoot the Cancelable RPC dialog box
Pasted from <http://support.microsoft.com/kb/899618/en-us>

User Principal Name


Distinguished names are fine for computers but too cumbersome for people to remember. People are used to e-mail addresses, so Active Directory provides a user principal name (UPN) as a shortcut to the full object name. Tony Northrup is a user in the mspress.microsoft.com domain; an administrator could create a UPN in the microsoft.com domain to allow simpler access to his user account and to hold a place for his e-mail address, such as northrup@microsoft.com.

Domains
The core unit of logical structure in Active Directory is the domain, which can store millions of objects. Objects stored in a domain are those considered vital to the network: the items the members of the networked community need in order to do their jobs, such as printers, documents, e-mail addresses, databases, users, distributed components and other resources.

OUs
An OU is a container used to organize objects within a domain into a logical administrative group. OUs provide a means for handling administrative tasks, such as the administration of users and resources, and they are the smallest scope to which you can delegate administrative authority.

Support Webcast: Introduction to Network Access Protection


Pasted from <http://support.microsoft.com/kb/921070/en-us>

Support WebCast: Windows Server 2003 Clustering: New Features


Pasted from <http://support.microsoft.com/kb/810220/en-us>

Trees A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure.
Forests
A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. Forests have the following characteristics:
- All domains in a forest share a common schema.
- All domains in a forest share a common global catalog.
- All domains in a forest are linked by implicit two-way transitive trusts.
- Trees in a forest have different naming structures, according to their domains.
- Domains in a forest operate independently, but the forest enables communication across the entire organization.

Support WebCast: Microsoft COM+ and the Microsoft .NET Framework


Pasted from <http://support.microsoft.com/kb/324813/en-us>

You receive an error message when Rendom.exe changes the DNS or NetBIOS name of a domain in Windows Server 2003
Pasted from <http://support.microsoft.com/kb/891370/en-us>

Windows 2000 DNS and Active Directory information and technical resources
Pasted from <http://support.microsoft.com/kb/298448/en-us>

GLOBAL CATALOG
The central repository of information about objects in a tree or forest. By default a global catalog is created automatically on the initial domain controller in the first domain of the forest.
The global catalog holds a full replica of all objects in its own domain and a partial replica (the attributes most frequently used in searches) of every object in every other domain in the forest. When a user logs on to the network, the global catalog provides universal group membership information for the account to the domain controller processing the logon. If there is only one domain controller in a domain, that domain controller holds the global catalog. If there are multiple domain controllers, at least one is configured to hold the global catalog. Because a single global catalog contains information about all objects in all domains in the forest, a query about an object that is not in the local domain can be answered by a global catalog server in the domain where the query is initiated, so finding information in the directory does not produce unnecessary query traffic across domain boundaries. The global catalog performs three key functions:
- It enables a user to log on to the network by providing universal group membership information to a domain controller when a logon process is initiated.
- It enables finding directory information regardless of which domain in the forest actually contains the data.
- It resolves user principal names (UPNs) when the authenticating domain controller has no knowledge of the account.

Active Directory Diagnostics, Troubleshooting, and Recovery


Pasted from <http://technet.microsoft.com/en-us/library/cc961807.aspx>

Active Directory
Pasted from <http://technet.microsoft.com/library/Cc977985>

Troubleshooting Active Directory Replication Problems


Pasted from <http://technet.microsoft.com/en-us/library/bb727057.aspx>

Deploying Active Directory for Branch Office Environments


Pasted from <http://technet.microsoft.com/en-us/library/cc749916.aspx>


A global catalog server stores one domain directory partition with writable objects and a full complement of writable attributes. In its role as global catalog server it also stores the objects of all other domain directory partitions in a multidomain forest as read-only objects with a partial set of attributes. The set of attributes marked for inclusion in the global catalog is called the partial attribute set (PAS). An attribute is marked for inclusion in the PAS as part of its schema definition (the isMemberOfPartialAttributeSet attribute of its attributeSchema object). How the Global Catalog Works: <http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work(v=ws.10).aspx>

KCC and Topology Generation


Pasted from <http://technet.microsoft.com/en-us/library/cc961781.aspx>

The Query Process
A query is a request made on behalf of a user to the global catalog to find Active Directory data (the global catalog replica is read-only; modifications go to a domain controller of the object's own domain). The query process:
1. The client queries its DNS server for the location of a global catalog server.
2. The DNS server looks up the global catalog server location and returns the IP address of a domain controller designated as a global catalog server.
3. The client sends the query to that domain controller on port 3268; standard Active Directory (LDAP) queries go to port 389.
4. The global catalog server processes the query. If the global catalog contains the attribute being searched for, the global catalog server answers the client itself. If it does not, the query is referred to Active Directory, that is, to a domain controller of the domain that holds the object.
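The four steps above as a script, added here and not part of the original notes. It uses the .NET System.DirectoryServices classes from a domain-joined Windows host (no RSAT needed); the forest name, UPN filter and attribute list are invented, and whether an attribute is in the PAS is read from the schema at run time rather than assumed.

```powershell
# Added example, not from the original notes: locate a GC through DNS, query it on
# 3268, and fetch whatever is not in the partial attribute set from a DC of the
# object's own domain on 389. Forest name, filter and attributes are made up.
function Find-InGlobalCatalog {
    [CmdletBinding()]
    param(
        [string]$ForestDnsName = 'corp.contoso.com',
        [string]$LdapFilter    = '(userPrincipalName=jdoe@contoso.com)',
        [string[]]$Attributes  = @('distinguishedName', 'userPrincipalName', 'mail', 'employeeID')
    )
    # Steps 1-2: GC servers register _gc._tcp.<forest root> SRV records. Lowest
    # priority wins; ties are broken at random (SRV weight is ignored here).
    $srv = Resolve-DnsName -Name "_gc._tcp.$ForestDnsName" -Type SRV -DnsOnly -ErrorAction Stop |
           Where-Object Type -eq 'SRV' | Sort-Object Priority, { Get-Random } | Select-Object -First 1
    $gc = $srv.NameTarget
    Write-Verbose "GC located via DNS: $gc (port $($srv.Port))"

    # Step 3: GC:// binds to port 3268 (read-only, partial attributes, whole forest);
    # LDAP:// would bind to 389 and see only that DC's own domain partition.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$gc")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $LdapFilter, $Attributes)
    $hit = $searcher.FindOne()
    if (-not $hit) { return $null }

    # Which of the requested attributes are in the PAS? Ask the schema partition.
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$gc/RootDSE")
    $schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value
    $schema   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$gc/$schemaNc")
    $inPas = @{}
    foreach ($attr in $Attributes) {
        $filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
        $s   = New-Object System.DirectoryServices.DirectorySearcher($schema, $filter, @('isMemberOfPartialAttributeSet'))
        $def = $s.FindOne()
        # Flag missing from the schema object means it was never set, i.e. not in the PAS.
        $inPas[$attr] = ($def -and $def.Properties['ismemberofpartialattributeset'].Count -gt 0 -and
                         [bool]$def.Properties['ismemberofpartialattributeset'][0])
    }

    # Step 4: the GC answers for PAS attributes; anything else must come from a DC
    # of the object's own domain over 389 (the "referred to Active Directory" case).
    $dn  = [string]$hit.Properties['distinguishedname'][0]
    $out = [ordered]@{ GlobalCatalog = $gc; DistinguishedName = $dn }
    $needDomainDc = @()
    foreach ($attr in $Attributes) {
        if ($inPas[$attr]) { $out[$attr] = $hit.Properties[$attr.ToLower()] -join ';' }
        else               { $needDomainDc += $attr }
    }
    if ($needDomainDc.Count -gt 0) {
        # Domain DNS name from the DC= components (RDNs with escaped commas are not
        # handled here); serverless bind to that domain, then read the object directly.
        $domain = ((($dn -split ',') | Where-Object { $_ -like 'DC=*' }) -replace '^DC=', '') -join '.'
        $obj = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain/$dn")
        foreach ($attr in $needDomainDc) { $out[$attr] = [string]$obj.Properties[$attr].Value }
        $out['ResolvedFromDomainDc'] = "$domain (389): $($needDomainDc -join ',')"
    }
    [pscustomobject]$out
}
Find-InGlobalCatalog -Verbose | Format-List
```

The ResolvedFromDomainDc field is the practical lesson: a search that "works" against the GC can silently return empty values for attributes that are not in the PAS, and the fix is either to extend the PAS in the schema or to follow up against a DC of the right domain, as this does.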

JSI Tip 8684. TechNet Support WebCast: Volume Shadow Copy service Requestor API and Writer API overview AND TechNet Support WebCast: Volume Shadow Copy service Provider API and System Provider overview.
Pasted from <http://www.windowsitpro.com/article/tips/jsi-tip-8684-technet-support-webcast-volume-shadow-copy-service-requestor-api-and-writer-api-overview-and-technet-support-webcast-volume-shadow-copy-service-provider-api-and-system-provider-overview->

ACTIVE DIRECTORY REPLICATION


http://technet.microsoft.com/en-us/library/cc755994(v=WS.10).aspx#w2k3tr_repto_how_uvgz

Active Directory replication uses multimaster replication, which means that a change can originate at any domain controller. Each server keeps track of which updates it has received from which servers, and after a failure it can request only the updates it is missing.
How replication works: every write on a DC is stamped with that DC's own 64-bit Update Sequence Number (USN), a counter that is incremented on each update. When a server replicates an update it sends the USN along with the change. Each server keeps, per replication partner, the highest USN it has received from that partner (the high-watermark); when it asks the partner for changes it supplies that USN and the partner sends only changes with a higher USN. The updates are transported over Internet Protocol (IP), packaged by the replication remote procedure call (RPC) protocol. Simple Mail Transfer Protocol (SMTP) can also be used to package non-domain updates for Transmission Control Protocol (TCP) transport over IP between sites.
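An added example (not from the original notes) that reads the two counters just described from a pair of DCs with the ActiveDirectory module (RSAT for Windows Server 2012 / Windows 8 or later): the source's highestCommittedUSN and the destination's high-watermark for that source, per partition. DC names and the partition DN are invented.

```powershell
# Added example, not from the original notes: how far behind is dc2 on changes
# from dc1? Assumes the ActiveDirectory module (RSAT, Windows Server 2012 /
# Windows 8 or later) and replication-read rights; DC names are made up.
function Get-ReplicationLag {
    param(
        [string]$Source      = 'dc1.corp.contoso.com',
        [string]$Destination = 'dc2.corp.contoso.com'
    )
    # highestCommittedUSN is the source's own 64-bit counter: every local write,
    # including writes it applied from other DCs, consumes the next USN.
    $rootDse   = Get-ADRootDSE -Server $Source
    $sourceUsn = [int64]$rootDse.highestCommittedUSN
    $srcHost   = ($Source -split '\.')[0]

    # For every inbound partner and partition the destination keeps a high-watermark:
    # the last USN it has applied from that source. Partner is the source's NTDS
    # Settings DN, so match on the host name. Pending <= sourceUsn - LastChangeUsn,
    # "<=" because USNs the source burned on changes it merely received from others
    # are filtered out by propagation dampening and never need to be sent.
    Get-ADReplicationPartnerMetadata -Target $Destination -PartnerType Inbound -Partition * |
        Where-Object { $_.Partner -match [regex]::Escape($srcHost) } |
        ForEach-Object {
            [pscustomobject]@{
                Partition           = $_.Partition
                SourceHighestUsn    = $sourceUsn
                DestHighWatermark   = $_.LastChangeUsn
                MaxPendingChanges   = $sourceUsn - $_.LastChangeUsn
                LastSuccess         = $_.LastReplicationSuccess
                ConsecutiveFailures = $_.ConsecutiveReplicationFailures
                LastResult          = $_.LastReplicationResult   # 0 = success, otherwise a Win32 error code
            }
        }
}
Get-ReplicationLag | Format-Table -AutoSize

# The up-to-dateness vector is the other table the notes refer to: for every DC
# that ever originated a change in the partition, the highest originating USN this
# DC has already seen. It is what lets a DC refuse changes it already has.
Get-ADReplicationUpToDatenessVectorTable -Target 'dc2.corp.contoso.com' -Partition 'DC=corp,DC=contoso,DC=com' |
    Sort-Object LastReplicationSuccess | Format-Table -AutoSize
```

A large MaxPendingChanges together with a non-zero ConsecutiveFailures is the thing to alert on; a large number with recent LastSuccess is usually just a busy source whose USNs were spent on inbound replication.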

Replication protocols
LDAP: The primary directory access protocol for Active Directory. Windows Server 2003 family, Windows XP, Windows 2000 Server family and Windows 2000 Professional clients, as well as Windows 98, Windows 95 and Windows NT 4.0 clients that have the Active Directory client components installed, use LDAP v3 to connect to Active Directory.
IP: Routable protocol responsible for the addressing, routing and fragmenting of packets by the sending node. IP is required for Active Directory replication.
Replication RPC: The Directory Replication Service (Drsuapi) RPC protocol, used for replication itself and for administration and monitoring of replication (communicating replication status and topology from a client running administrative tools to a domain controller). RPC is required by Active Directory replication.
Replication SMTP: Simple Mail Transfer Protocol, usable by Active Directory replication over the IP network transport for message-based replication between sites only, and for non-domain replication only.

What Information is Replicated
The information stored in the directory (the Ntds.dit file in \Windows\NTDS) is logically partitioned into four categories called directory partitions. The directory partitions are the units of replication:
- Schema partition: defines the objects that can be created in the directory and the attributes those objects can have. Common to all domains in a forest and replicated to every domain controller in the forest.
- Configuration partition: describes the logical structure of the deployment, including data such as domain structure and replication topology. Common to all domains in a forest and replicated to every domain controller in the forest.
- Domain partition: describes all of the objects in a domain (domain objects and their properties). Domain specific; replicated to all domain controllers of that domain and not to any other domain (apart from the read-only partial replica held by global catalog servers).
- Application partition: stores dynamic application-specific data in Active Directory and lets you control the scope of replication and the placement of replicas. It can contain any type of object except security principals (users, groups and computers). The administrator chooses the replication scope: specified domain controllers, all DCs in the domain, or all DCs in the forest.

Active Directory replication tips, tricks and best practices


<http://searchwindowsserver.techtarget.com/tip/Active-Directory-Replication-Tips-Tricks-and-Best-Practices>

Active Directory Replication Guide


<http://searchwindowsserver.techtarget.com/tutorial/Active-Directory-Replication-Guide>

Intrasite Replication
Within a site, a process that runs on every domain controller, the Knowledge Consistency Checker (KCC), automatically generates the replication topology among the domain controllers of the same domain, using a ring structure. The KCC decides which servers are best suited to replicate with each other and builds connection objects. It ensures there are at least two replication paths from one DC to another, and it re-analyzes the topology every 15 minutes to make sure it still works. When a site has more than seven DCs, the KCC creates additional connection objects across the ring so that no domain controller is more than three hops from any other. Because a change can then reach a DC over more than one path, replication uses propagation dampening (based on the up-to-dateness vector) so that a DC neither re-requests nor re-sends changes it already has; this is what stops updates looping around the ring.

Tracking a deleted Active Directory object's replication status


<http://searchwindowsserver.techtarget.com/tip/Tracking-a-deleted-Active-Directory-objects-replication-status>


Intrasite replication uses the RPC protocol. When a domain controller writes a change to its local copy of Active Directory, a timer is started that determines when the domain controller's replication partners are notified of the change. By default this interval is 15 seconds in Windows Server 2003 and later; it was 300 seconds (5 minutes) in Windows 2000. When the interval elapses, the domain controller notifies each intrasite replication partner that it has changes to be pulled. A second parameter sets the number of seconds to pause between notifications to successive partners, so that the partners do not all reply at the same time; by default this is 3 seconds in Windows Server 2003 and later (30 seconds in Windows 2000). Both intervals can be changed in the registry.

Active Directory Topology Diagrammer http://www.microsoft.com/download/en/details.aspx?id=13380

How to size an Active Directory domain controller in Windows


<http://searchwindowsserver.techtarget.com/tip/How-to-size-an-Active-Directory-domain-controller-in-Windows>

Quick fix for a non-replicating DC


<http://searchwindowsserver.techtarget.com/tip/Quick-fix-for-a-non-replicating-DC>

Repadmin diagnoses Active Directory replication issues in Windows


<http://searchwindowsserver.techtarget.com/tip/Repadmin-diagnoses-Active-Directory-replication-issues-in-Windows>

Repadmin /Replsum /bysrc /bydest /sort:delta

Fixing lingering object problems in complex Active Directory forests


<http://searchwindowsserver.techtarget.com/tip/Fixing-lingering-object-problems-in-complex-Active-Directory-forests>

How to find and remove lingering objects in Active Directory


<http://searchwindowsserver.techtarget.com/tip/How-to-find-and-remove-lingering-objects-in-Active-Directory>

Conflict Resolution
To keep conflicts between changes made to the same object on different DCs to a minimum, replication works at the attribute level, and each attribute value carries a stamp. When two DCs hold conflicting values, Active Directory compares the stamps in this order, and the higher value wins:
- version number of the attribute;
- originating time (time stamp) of the change;
- GUID of the DC (DSA) that originated the change.

Intersite Replication
To enable replication between sites, you create site links, which are logical connections. The KCC then generates the connection objects between sites. On a site link you provide the replication transport to use, the cost of the link, the times when the link is available for use, and how often it should be used. One domain controller in each site is selected as the Intersite Topology Generator (ISTG). To enable replication across site links, the ISTG automatically design ates one or more servers to perform site-to-site replication; these are called bridgehead servers. A bridgehead is the point where a connection leaves or enters a site. The ISTG builds a view of the replication topology for all sites, including the existing connection objects between all domain controllers that act as bridgehead servers, and then creates inbound connection objects for the servers in its own site that it determines will act as bridgeheads and that do not already have them. Thus the scope of operation for the KCC is the local server only, and the scope of operation for the ISTG is a single site.
Intersite replication over SMTP can replicate only the schema partition, the configuration partition and the global catalog partial replicas; it cannot replicate the domain directory partition. Replication between sites over SMTP is supported only between domain controllers of different domains; domain controllers of the same domain must replicate by using the RPC over IP transport. SMTP replication also requires an enterprise certification authority, because the replication messages are signed and encrypted with certificates issued to the domain controllers.
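The site link attributes just listed (transport, cost, availability schedule, interval), as an added example that is not from the original notes, set with the ActiveDirectory module (RSAT, Windows Server 2012 / Windows 8 or later), followed by a look at what the ISTG/KCC generated from them. Site names, link name, cost and schedule are invented.

```powershell
# Added example, not from the original notes: create a site link over the IP (RPC)
# transport with a cost, an interval and an availability schedule, then list the
# connection objects and bridgeheads the KCC/ISTG built from it. Site and link
# names, cost and schedule are made up.
Import-Module ActiveDirectory

# Cost: lower wins when several links connect the same sites. Interval: how often
# replication may occur over the link (minimum 15, default 180 minutes).
New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded 'HQ', 'Branch' `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 30

# Availability: 20:00 to 06:00 every day, so WAN replication stays out of business
# hours. The schedule is a grid of 15-minute slots, hence the HourOfDay/MinuteOfHour
# enum values; both ends of SetDailySchedule are inclusive.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule('Twenty', 'Zero', 'TwentyThree', 'FortyFive')   # 20:00 - 24:00
$schedule.SetDailySchedule('Zero', 'Zero', 'Five', 'FortyFive')            # 00:00 - 06:00
Set-ADReplicationSiteLink -Identity 'HQ-Branch' -ReplicationSchedule $schedule

# What the ISTG/KCC made of it: inbound connection objects (AutoGenerated = True means
# the KCC owns them and will recreate them if you delete them), then the bridgeheads.
function Get-KccConnections {
    Get-ADReplicationConnection -Filter * |
        Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated
}
Get-KccConnections | Format-Table -AutoSize
repadmin /bridgeheads
```

If a change to cost or schedule does not show up in Get-KccConnections, remember the scopes described above: the KCC on each DC runs every 15 minutes and only rebuilds its own server's inbound connections, and only the ISTG of each site creates the intersite ones, so force it with repadmin /kcc on the ISTG rather than on a random DC.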

Active Directory Replication Over Firewalls


<http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx>

Active Directory Domain Services (AD DS) Troubleshooting Survival Guide


<http://social.technet.microsoft.com/wiki/contents/articles/2285.aspx>

How Active Directory Replication Works


<http://social.technet.microsoft.com/wiki/contents/articles/how-active-directory-replication-works.aspx>

Survival Guide: Active Directory on Windows Server 2008 and Windows Server 2008 R2 (pt-br)
<http://social.technet.microsoft.com/wiki/pt-br/contents/articles/9720.guia-de-sobrevivencia-active-directory-no-windows-server-2008-e-windows-server-2008-r2.aspx>

Troubleshooting Active Directory Domain Services


<http://technet.microsoft.com/en-us/library/cc990288(v=ws.10).aspx>

Note You can identify a KCC-selected bridgehead server in Active Directory Sites and Services by viewing connection objects for the server (select the NTDS Settings object below the server object); if there are connections from servers in a different site or sites, the server represented by the selected NTDS Settings object is a bridgehead server. If you have Windows Support Tools installed, you can see all bridgehead servers by using the command repadmin /bridgeheads. In sites that have at least one domain controller that is running Windows Server 2003, the ISTG can select bridgehead servers from all eligible domain controllers for each directory partition that is represented in the site.
In Windows 2000 forests, a single bridgehead server per directory partition and per transport is designated as the bridgehead server that is responsible for intersite replication of that directory partition. Compression of Replication Data Intersite replication is compressed by default. Compressing replication data allows the data to be transferred over WAN links more quickly, thereby conserving network bandwidth. The cost of this benefit is an increase in CPU utilization on bridgehead servers. By default, replication data is compressed under the following conditions: Replication of updates between domain controllers in different sites. Replication of Active Directory to a newly created domain controller.

Replication interval: an interval in minutes that determines how often replication can occur over the link (default 180 minutes, or 3 hours; minimum 15 minutes). If the interval is longer than the window allowed by the schedule, replication occurs once at the scheduled time.
Synchronous Replication Over IP
The IP transport (RPC over IP) provides synchronous inbound replication. In the context of Active Directory replication, synchronous communication means that after the destination domain controller sends a request for changes, it waits for the source domain controller to receive the request, build the reply and send it before it requests changes from any other domain controller; that is, inbound replication is sequential. The reply is therefore expected within a short time. The IP transport is appropriate for linking sites in fully routed networks.

Asynchronous Replication Over SMTP
The SMTP transport (SMTP over IP) provides asynchronous replication. In asynchronous replication, the destination domain controller does not wait for the reply and it can have multiple asynchronous requests outstanding at any particular time. Thus in asynchronous transmission, the reply is not necessarily received within a short time. Asynchronous transport is appropriate for linking sites in networks that are not fully routed and have particularly slow WAN links.

Note Although asynchronous replication can send multiple replication requests in parallel, the received replication packets are queued on the destination domain controller and the changes applied for only one partner and directory partition at a time.

Replication Packet Size
Replication packet sizes are computed on the basis of memory size unless you have more than 1 gigabyte (GB). By default, the system limits the packet size as follows:
- The packet size in bytes is 1/100th the size of RAM, with a minimum of 1 MB and a maximum of 10 MB.
- The packet size in objects is 1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.
For general estimates when this entry is not set, assume an approximate packet size of 100 objects.

Active Directory Page 95

SYSVOL REPLICATION ARTICLES


SYSVOL Replication Migration Guide: FRS to DFS Replication
Pasted from <http://technet.microsoft.com/en-us/library/dd640019(v=ws.10).aspx>

Introduction to Administering DFS-Replicated SYSVOL


Pasted from <http://technet.microsoft.com/en-us/library/cc794837(v=ws.10).aspx>

Setting the maximum packet size requires adding or modifying entries in the following registry path with the REG_DWORD data type: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters. These entries can be used to determine the maximum number of objects per packet and maximum size of the packets. The minimum values are indicated as the lowest value in the range.
Bridgehead Servers
When domain controllers for the same domain are located in different sites, at least one bridgehead server per directory partition and per transport (IP or SMTP) replicates changes from one site to a bridgehead server in another site. A single bridgehead server can serve multiple partitions per transport and multiple transports. Replication within the site allows updates to flow between the bridgehead servers and the other domain controllers in the site.

How Intersite Replication Works
The following steps, illustrated in Figure 5-2, show how intersite replication works:
1. At the interval determined by the selected replication frequency, the bridgehead server in the Zurich site polls the bridgehead server in the Lucerne site for any updated data.
2. If the bridgehead server in the Lucerne site finds that it has updated Active Directory data, it compresses the data (if larger than 50 KB) and sends it to the bridgehead server in the Zurich site.
3. When the bridgehead server in the Zurich site has received all of the data, it then replicates the data to the other domain controllers in the site, without compressing the information.

Using the BurFlags registry key to reinitialize File Replication Service replica sets
Pasted from <http://support.microsoft.com/kb/290762/en-us>

Backing Up and Restoring an FRS-Replicated SYSVOL Folder


Pasted from <http://msdn.microsoft.com/en-us/library/windows/desktop/cc507518%28v=vs.85%29.aspx>

How to force a non-authoritative restore of the data in the Sysvol folder on a domain controller in Windows 2000 Server and in Windows Server 2003
Pasted from <http://support.microsoft.com/kb/840674/en-us>

How to configure Active Directory diagnostic event logging in Windows Server 2003 and in Windows 2000 Server
Pasted from <http://support.microsoft.com/default.aspx?scid=kb;en-us;314980>

Ultrasound - Monitoring and Troubleshooting Tool for File Replication Service (FRS)
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=61acb9b9-c354-4f98-a823-24cc0da73b50&DisplayLang=en

Connection Schedule
Each connection object has a schedule that is set automatically by the KCC. The connection schedule controls the frequency of intrasite replication on the connection, with a minimum increment of 15 minutes. The default intrasite replication schedule for automatically generated connection objects is once per hour, which is set in the NTDS Site Settings object, available at the site level. Here you can set a default schedule of None (no replication), Once Per Hour (default), Twice Per Hour, or Four Times Per Hour.

Network Ports Used by Replication Topology
By default, RPC-based replication uses dynamic port mapping. When connecting to an RPC endpoint during Active Directory replication, the RPC run time on the client contacts the RPC endpoint mapper on the server at a well known port (port 135). The server queries the RPC endpoint mapper on this port to determine what port has been assigned for Active Directory replication on the server. This query occurs whether the port assignment is dynamic (the default) or fixed. The client never needs to know which port to use for Active Directory replication.

Note An endpoint comprises the protocol, local address, and port address.

In addition to the dynamic port 135, other ports that are required for replication to occur are listed in the following table.

Port Assignments for Active Directory Replication

Service Name     UDP    TCP
LDAP             389    389
LDAP                    3268
LDAP                    636 (Secure Sockets Layer [SSL])
Kerberos         88     88
DNS              53     53
SMB over IP      445    445

Replication within a domain also requires FRS using a dynamic RPC port.

Setting Fixed Replication Ports Across a Firewall
For each service that needs to communicate across a firewall, there is a fixed port and protocol. Normally, the directory service and FRS use dynamically allocated ports that require a firewall to have a wide range of ports open. Although FRS cannot be restricted to a fixed port, you can edit the registry to restrict the directory service to communicate on a static port.

Restricting the directory service to using a fixed port requires editing the TCP/IP Port registry entry (REG_DWORD), located in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters Changing this registry entry on a domain controller and restarting it causes the directory service to use the TCP port named in the registry entry. For example, port 49152 is DWORD=0000c000 (hexadecimal).

The FSMO Roles


The five FSMO roles are as follows:

Schema master. This role is held by only one domain controller per forest. This role coordinates all changes to the Active Directory schema, and is required in order to process any schema updates. Only the schema master is permitted to replicate schema changes to other domain controllers in a forest.

Domain naming master. This role is held by only one domain controller per forest. This role handles all changes to the forest-wide domain namespace, and is the only role that can process the addition or removal of a domain to or from the forest.

RID master. This role is held by only one domain controller per domain. This role manages the relative identifier (RID) pool for the domain (for more information about RIDs, see the sidebar Relative Identifiers in a Domain). This role is also responsible for moving objects from one domain to another within a forest.

Account Lockout Policy Technical Overview


Pasted from <http://technet.microsoft.com/en-us/library/hh994566(v=ws.10).aspx>

PDC emulator. This role is held by only one domain controller per domain. This role is the central authority for time synchronization within a domain, and emulates the functionality of a Windows NT 4.0 Primary Domain Controller (PDC). Any NT Backup Domain Controllers (BDCs) in a domain replicate from the PDC emulator. Pre-Windows 2000 (Win2K) clients without the Microsoft Directory Services Client (DSClient) contact the PDC emulator to change user and computer passwords. The PDC emulator is also responsible for processing account lockouts. Finally, any failed logon attempts are first forwarded to the PDC emulator before a bad logon message is returned to the client.

TRUST RELATIONSHIPS
Tree-root Trust The tree-root trust is implicitly established between different tree root domains in the same forest. It can be set up only between the roots of two trees in the same forest. The trust is transitive and two-way.

Parent-child trust Implicitly established when you create a new child domain in a tree. These trusts make all objects in the domains of the tree available to all other domains in that tree. This trust is transitive and two-way.

Shortcut trust Must be explicitly (manually) created by the administrator between two domains in a forest. Used to improve user logon times, which can be slow when two domains are logically distant from each other. This trust is transitive and can be one-way or two-way.

External Trust Must be explicitly created by the administrator between Windows 2003 domains that are in different forests, or between a Windows 2003 domain and a domain whose domain controller is running Windows NT 4 or earlier. It is used when users need to access resources located in a Windows NT 4 domain or in a domain located in a separate forest which cannot be joined by a forest trust. The trust is nontransitive and can be one-way or two-way.

Forest Trust Must be explicitly created by the system administrator between two forest root domains. This trust allows all domains in a forest to transitively trust all domains in another forest. The forest trust is not transitive across three or more forests. Ex.: if forest A trusts forest B and forest B trusts forest C, there is no transitive trust between forest A and forest C.

Realm Trust Must be explicitly created between a non-Windows Kerberos realm and a Windows Server 2003 domain. This trust provides interoperability between a Windows 2003 domain and any realm in Kerberos version 5 implementations. The trust can be transitive or nontransitive and one-way or two-way.

Active Directory Planning


Dedicated Forest Domain
The forest root domain is dedicated exclusively to administer the forest infrastructure. A dedicated forest root domain is recommended for the following reasons:
- You can control the number of administrators allowed to make forest-wide changes. By limiting the number of administrators in the forest root domain, you reduce the likelihood that an administrative error will impact the entire forest.
- You can easily replicate the forest root across the enterprise. Because a dedicated root domain is small, it can be easily replicated anywhere on your network to provide protection against catastrophes.

Best Practice Active Directory Design for Managing Windows Networks
Pasted from <http://technet.microsoft.com/en-us/library/bb727085.aspx>

Storage Location for AD Database and log files


The default location for the database and database log files is %Systemroot%\Ntds, where %Systemroot% is the path and folder name where the Microsoft Windows Server 2003 system files are located, typically C:\Windows. You can specify a different location in the Active Directory Installation Wizard. The directory database is stored in a file named Ntds.dit, which contains all of the information stored in the Active Directory data store. The directory database is an Extensible Storage Engine (ESE) database that contains the schema, global catalog, and objects stored on a domain controller.

Location of the Shared System Volume Folder
Installing Active Directory creates the shared system volume, a folder structure that exists on all Windows Server 2003 domain controllers. It stores public files that must be replicated to other domain controllers, such as logon scripts and some of the Group Policy Objects (GPOs), for both the current domain and the enterprise. The default location for the shared system volume is %Systemroot%\Sysvol. However, you can specify a different location during Active Directory installation. The shared system volume must be located on a partition or volume formatted with NTFS.

The following table summarizes how to determine whether a domain controller's SYSVOL folder is being replicated by DFSR or FRS.

If the domain controller is running                                                                SYSVOL is replicated by
Windows Server 2008 + domain functional level of Windows Server 2008 + SYSVOL migration completed  DFSR
Windows Server 2008 + domain functional level below Windows Server 2008                            FRS
Windows Server 2003                                                                                FRS
Windows 2000 Server                                                                                FRS

If the domain's functional level is Windows Server 2008 and the domain has undergone SYSVOL migration, DFSR will be used to replicate the SYSVOL folder. If the first domain controller in the domain was promoted directly into the Windows Server 2008 functional level, DFSR is automatically used for SYSVOL replication. In such cases, there is no need for migration of SYSVOL replication from FRS to DFSR. If the domain was upgraded to Windows Server 2008 functional level, FRS is used for SYSVOL replication until the migration process from FRS to DFSR is complete. To determine whether DFSR or FRS is being used on a domain controller that is running Windows Server 2008, check the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols\LocalState registry subkey. If this registry subkey exists and its value is set to 3 (ELIMINATED), DFSR is being used. If the subkey does not exist, or if it has a different value, FRS is being used.
Pasted from <http://msdn.microsoft.com/en-us/library/windows/desktop/cc507518%28v=vs.85%29.aspx>

REQUIRED DNS RESOURCE RECORDS FOR DOMAIN CONTROLLERS
To verify the presence of DNS resource records needed to join an Active Directory domain, complete the following steps:
1. Click Start, and then click Command Prompt.
2. Type nslookup and press Enter.
3. At the Nslookup (>) prompt, type set q=srv and press Enter.
4. At the next prompt, type _ldap._tcp.dc._msdcs.DNSDomainName. The DNS query for resource records specified in the Nslookup command set q=srv returns both SRV and A resource records.
5. Review the output and determine if all domain controllers in the Active Directory domain that this computer is attempting to join are included and registered using valid IP addresses. In some cases, you might need to manually add or verify registration of the service (SRV) resource records used to support Windows Server 2003 domain controllers.
6. If you need to add the SRV resource records that have been created for a domain controller, open and view the Netlogon.dns file, created by the Active Directory Installation Wizard when a server computer is promoted to a domain controller. Netlogon.dns can be found at the following location on a domain controller: %Systemroot%\System32\Config\Netlogon.dns. If you have installed DNS manually or if your DNS solution does not support dynamic update, you must manually enter these records on your DNS server(s).

How to verify that SRV DNS records have been created for a domain controller
Pasted from <http://support.microsoft.com/kb/816587/en-us>
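The nslookup procedure above, scripted, as an added example that is not part of the notes or of Microsoft's documentation. It assumes Resolve-DnsName (DnsClient module, Windows 8 / Windows Server 2012 and later), queries the same _ldap._tcp.dc._msdcs.<domain> SRV name, and then checks that every advertised domain controller resolves to an A record, which is the review step 5 asks you to do by eye.

```powershell
# Added example (not from the notes): verify the SRV records that locate domain controllers
# and confirm each advertised host has an A record. Function and parameter names are made up.
function Test-DcSrvRecords {
    param(
        [Parameter(Mandatory)][string]$DomainName,   # DNS name of the AD domain (placeholder when run)
        [string]$Server                               # optional: DNS server to query directly
    )
    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common['Server'] = $Server }

    # Same query nslookup makes after "set q=srv". Resolve-DnsName also returns any A records
    # the server put in the additional section, so keep only the SRV answers here.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    $srv = Resolve-DnsName -Name $srvName -Type SRV @common | Where-Object Type -eq 'SRV'
    if (-not $srv) { throw "No SRV records found for $srvName" }

    foreach ($rec in $srv) {
        # Resolve the advertised host explicitly instead of trusting the additional section,
        # so a DC whose A record is missing shows up as Registered = False.
        $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'A'
        [pscustomobject]@{
            DomainController = $rec.NameTarget
            Port             = $rec.Port
            Priority         = $rec.Priority
            Weight           = $rec.Weight
            IPv4             = ($a.IPAddress -join ', ')
            Registered       = [bool]$a
        }
    }
}

# Usage (domain name is a placeholder): list all DCs, then show only those lacking an A record.
# Test-DcSrvRecords -DomainName 'corp.example.com' | Format-Table -AutoSize
# Test-DcSrvRecords -DomainName 'corp.example.com' | Where-Object { -not $_.Registered }
```

A DC listed with Registered = False is exactly the case step 6 covers: re-register it from Netlogon.dns or by restarting Netlogon.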

2003 Branch Office Deployment Guide


http://blogs.msdn.com/b/canberrapfe/archive/2011/07/08/2003-branch-office-deployment-guide.aspx

http://www.microsoft.com/DOWNLOADS/en/details.aspx?FamilyId=9353A4F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en

- To install a Domain Controller you can run the command "DCPROMO /ADV:filepath". The filepath is where you restored a backup taken from an existing Domain Controller in the domain.
- To install a Windows 2008 DC in a Windows 2003 forest you need to do the following:
  1. System State Backup on the DCs;
  2. On the Schema Master DC, with the Windows 2008 media on it, run the command adprep /forestprep (schema admin, enterprise admin);
  3. On the Infrastructure Master DC, run the command adprep /domainprep /gpprep (domain admin, enterprise admin);
  4. If you are installing the first read-only domain controller (RODC) in the domain, run the adprep /rodcprep command on any computer in the forest;
  5. Wait 15 minutes for replication to finish;
  6. Add the new Windows 2008 DC to the domain.

Page 104


Active Directory Architecture


Monday, 30 April 2012 16:35

Directory System Agent
Directory System Agent (DSA) is the process that provides access to the store of the directory. The DSA manages the directory and understands what each directory object represents. For example, when you create objects, the DSA knows how to check the Active Directory Schema to identify the mandatory and optional attributes for that particular object. The DSA also manages other relationships, such as replication topology. Clients gain access to the directory by using one of the following mechanisms supported by the DSA:

- LDAP clients connect to the DSA by using the LDAP protocol;
- Exchange and Outlook use the MAPI remote procedure call (RPC) interface to connect to the DSA;
- Active Directory domain controllers connect to each other to perform replication by using RPC.

The key service components include the following:

Directory system agent. Builds a hierarchy from the parent-child relationships stored in the directory. Provides APIs for directory access calls. Is a directory service component that runs as Ntdsa.dll
Database layer. Provides an abstraction layer between applications and the database. Calls from applications are never made directly to the database; they go through the database layer.

Extensible storage engine. Communicates directly with individual records in the directory data store on the basis of the object's relative distinguished name attribute.

Data store (the database file Ntds.dit). This file is manipulated only by the extensible storage engine database engine. You can administer the file by using the Ntdsutil command-line tool. (To use Ntdsutil, install the Support Tools that are located in the Support\Tools folder on the Windows 2000 Server operating system CD. To install the tools, double-click the Setup icon in that folder. For information about installing and using the Windows 2000 Support Tools and Support Tools Help, see the file Sreadme.doc in the Support\Tools folder of the Windows 2000 operating system CD.)
http://technet.microsoft.com/en-us/library/cc961767.aspx

Extensible Storage Engine (ESE) The directory service component that runs as Esent.dll. ESE manages the tables of records that comprise the directory database.


KCC
Saturday, 5 May 2012 06:15

KCC and Topology Generation

The Knowledge Consistency Checker (KCC) is a dynamic-link library (DLL) that runs as a distributed application on every domain controller. The KCC on each domain controller modifies data in its local instance of the directory in response to forest-wide changes, which are made known to the KCC by changes to data in the configuration directory partition. The KCC generates and maintains the replication topology for replication within sites and between sites by converting KCC-defined and administrator-defined (if any) connection objects into a configuration that is understood by the directory replication engine. By default, the KCC reviews and makes modifications to the Active Directory replication topology every 15 minutes to ensure propagation of data, either directly or transitively, by creating and deleting connection objects as needed. The KCC recognizes changes that occur in the environment and ensures that domain controllers are not orphaned in the replication topology. Operating independently, the KCC on each domain controller uses its own view of the local replica of the configuration directory partition to arrive at the same intrasite topology. One KCC per site, the ISTG, determines the intersite replication topology for the site. Like the KCC that runs on each domain controller within a site, the instances of the ISTG in different sites do not communicate with each other. They independently use the same algorithm to produce a consistent, well-formed spanning tree of connections. Each site constructs its own part of the tree and, when all have run, a working replication topology exists across the enterprise.

The predictability of all KCCs allows scalability by reducing communication requirements between KCC instances. All KCCs agree on where connections will be formed, ensuring that redundant replication does not occur and that all parts of the enterprise are connected.
The KCC performs two major functions:
- Configures appropriate replication connections (connection objects) on the basis of the existing cross-reference, server, NTDS settings, site, site link, and site link bridge objects and the current status of replication.
- Converts the connection objects that represent inbound replication to the local domain controller into the replication agreements that are actually used by the replication engine. These agreements, called replica links, accommodate replication of a single directory partition from the source to the destination domain controller.

Intervals at Which the KCC Runs
By default, the KCC runs its first replication topology check five minutes after the domain controller starts. The domain controller then attempts initial replication with its intrasite replication partners. If a domain controller is being used for multiple other services, such as DNS, WINS, or DHCP, extending the replication topology check interval can ensure that all services have started before the KCC begins using CPU resources. You can edit the registry to modify the interval between startup and the time the domain controller first checks the replication topology.

Note If you must edit the registry, use extreme caution. Registry information is provided here as a reference for use by only highly skilled directory service administrators. It is recommended that you do not directly edit the registry unless, as in this case, there is no Group Policy or other Windows tools to accomplish the task. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. Storage of incorrect values can result in unrecoverable errors in the system.

Modifying the interval between startup and the time the domain controller first checks the replication topology requires changing the Repl topology update delay (secs) entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters as appropriate: Value: Number of seconds to wait between the time Active Directory starts and the KCC runs for the first time.

Default: 300 seconds (5 minutes)

Data type: REG_DWORD

Thereafter, as long as services are running, the KCC on each domain controller checks the replication topology every 15 minutes and makes changes as necessary. Modifying the interval at which the KCC performs topology review requires changing the Repl topology update period (secs) entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters as appropriate: Value: Number of seconds between KCC topology updates

Default: 900 seconds (15 minutes)

Data type: REG_DWORD
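A read-only audit of the registry entries this page discusses (the fixed directory service port, the two KCC timers, and the DFSR migration state that tells FRS from DFSR), as an added example that is not part of the notes or of Microsoft's documentation. It assumes an elevated PowerShell session on the domain controller itself; the paths, entry names and defaults are the ones quoted in the notes, and nothing is written.

```powershell
# Added example (not from the notes): compare the local DC's replication-related registry
# entries with the defaults documented above. Function names are made up for this example.
$NtdsParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$DfsrMigrate = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols'

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Get-ItemProperty errors when the key or the value is absent; absent simply means "not set".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-DcReplicationSettings {
    $port   = Get-RegistryValueOrNull -Path $NtdsParams  -Name 'TCP/IP Port'
    $delay  = Get-RegistryValueOrNull -Path $NtdsParams  -Name 'Repl topology update delay (secs)'
    $period = Get-RegistryValueOrNull -Path $NtdsParams  -Name 'Repl topology update period (secs)'
    $state  = Get-RegistryValueOrNull -Path $DfsrMigrate -Name 'LocalState'

    # Fixed replication port: absent = dynamic RPC port mapping (default). The value is a DWORD,
    # so it is shown in hex as well (the page's example: 49152 = 0x0000C000).
    if ($null -eq $port) { $portText = 'dynamic (default)' }
    else                 { $portText = '{0} (0x{0:X8})' -f $port }

    # KCC timers: the page gives 300 s and 900 s as the defaults that apply when the entry is absent.
    if ($null -eq $delay)  { $delay  = 300 }
    if ($null -eq $period) { $period = 900 }

    # SYSVOL engine: LocalState 3 (ELIMINATED) means DFSR; a missing key or any other value means FRS.
    if ($state -eq 3)          { $sysvol = 'DFSR (LocalState = 3, ELIMINATED)' }
    elseif ($null -eq $state)  { $sysvol = 'FRS (no migration state present)' }
    else                       { $sysvol = "FRS (LocalState = $state)" }

    [pscustomobject]@{ Setting = 'Directory service RPC port';         Value = $portText; Default = 'dynamic' }
    [pscustomobject]@{ Setting = 'KCC first run after startup (secs)'; Value = $delay;    Default = 300 }
    [pscustomobject]@{ Setting = 'KCC topology check period (secs)';   Value = $period;   Default = 900 }
    [pscustomobject]@{ Setting = 'SYSVOL replicated by';               Value = $sysvol;   Default = 'see table above' }
}

Get-DcReplicationSettings | Format-Table -AutoSize
```

Run it on each DC before and after a firewall or SYSVOL migration change; a fixed port that differs between DCs, or a DC still reporting FRS after the migration was declared complete, is what you want to catch.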

Objects that the KCC Requires to Build the Replication Topology
The following objects, which are stored in the configuration directory partition, provide the information required by the KCC to create the replication topology:
- Cross-reference. Each directory partition in the forest is identified in the Partitions container by a cross-reference object. The attributes of this object are used by the replication system to locate the domain controllers that store each directory partition.
- Server. Each domain controller in the forest is identified as a server object in the Sites container.
- NTDS Settings. Each server object that represents a domain controller has a child NTDS Settings object. Its presence identifies the server as having Active Directory installed. The NTDS Settings object must be present for the server to be considered by the KCC for inclusion in the replication topology.
- Site. The presence of the above objects also indicates to the KCC the site in which each domain controller is located for replication. For example, the distinguished name of the NTDS Settings object contains the name of the site in which the server object that represents the domain controller exists.
- Site link. A site link must be available between any set of sites and its schedule and cost properties evaluated for routing decisions.
- Site link bridge. If they exist, site link bridge objects and properties are evaluated for routing decisions.

Simplified Ring Topology Generation
A simplified process for creating the topology for replication within a site begins as follows:
- The KCC generates a list of all servers in the site that hold that directory partition.
- These servers are connected in a ring.
- For each neighboring server in the ring from which the current domain controller is to replicate, the KCC creates a connection object if one does not already exist.

This simple approach guarantees a topology that tolerates a single failure. If a domain controller is not available, it is not included in the ring that is generated by the list of servers. However, this topology, with no other adjustments, accommodates only seven servers. Beyond this number, the ring would require more than three hops for some servers. The simplest case scenario (seven or fewer domain controllers, all in the same domain and site) would result in the replication topology shown in the following diagram. The only directory partitions to replicate are a single domain directory partition, the schema directory partition, and the configuration directory partition. Those topologies are generated first, and at that point, sufficient connections to replicate each directory partition have already been created. In the next series of diagrams, the arrows indicate one-way or two-way replication of the type of directory partitions indicated in the Legend.

Simple Ring Topology that Requires No Optimization

Because a ring topology is created for each directory partition, the topology might look different if domain controllers from a second domain were present in the site. The next diagram illustrates the topology for domain controllers from two domains in the same site with no global catalog servers defined in the site.

Ring Topology for Two Domains in a Site that Has No Global Catalog Server

The next diagram illustrates replication between a global catalog server and three domains to which the global catalog server does not belong. When a global catalog server is added to the site in DomainA, additional connections are required to replicate updates of the other domain directory partitions to the global catalog server. The KCC on the global catalog server creates connection objects to replicate from domain controllers for each of the other domain directory partitions within the site, or from another global catalog server, to update the read-only partitions. Wherever a domain directory partition is replicated, the KCC also uses the connection to replicate the schema and configuration directory partitions.

Note Connection objects are generated independently for the configuration and schema directory partitions (one connection) and for the separate domain and application directory partitions, unless a connection from the same source to destination domain controllers already exists for one directory partition. In that case, the same connection is used for all (duplicate connections are not created).

Intrasite Topology for Site with Four Domains and a Global Catalog Server


Intersite Topology Generator The KCC on the domain controller that has the ISTG role creates the inbound connections on all domain controllers in its site that require replication with domain controllers in other sites. The sum of these connections for all sites in the forest forms the intersite replication topology. A fundamental concept in the generation of the topology within a site is that each server does its part to create a site-wide topology. In a similar manner, the generation of the topology between sites depends on each site doing its part to create a forest-wide topology between sites.

ISTG Role Ownership and Viability
The owner of the ISTG role is communicated through normal Active Directory replication. Initially, the first domain controller in the site is the ISTG role owner. It communicates its role ownership to other domain controllers in the site by writing the distinguished name of its child NTDS Settings object to the interSiteTopologyGenerator attribute of the NTDS Site Settings object for the site. As a change to the configuration directory partition, this value is replicated to all domain controllers in the forest. The ISTG role owner is selected automatically. The role ownership does not change unless:
- The current ISTG role owner becomes unavailable.
- All domain controllers in the site are running Windows 2000 and one of them is upgraded to Windows Server 2003. If at least one domain controller in a site is running Windows Server 2003, the ISTG role is assumed by a domain controller that is running Windows Server 2003.

The viability of the current ISTG is assessed by all other domain controllers in the site. The need for a new ISTG in a site is established differently, depending on the forest functional level that is in effect.


Troubleshooting
Monday, 7 May 2012 03:32

DCDIAG
http://support.microsoft.com/kb/905900/en-us

DCDIAG /TEST:DNS /v /e runs the full (/v, verbose) tests of the DNS configuration, including checking that the SRV and SOA records are correct. The /e parameter runs the test on every DC in the forest. Using /e is not advisable in a forest with more than 200 DCs.
The /f:file.txt parameter writes the results to a text file. The DHCP Client service must be running for the Host (A) records required by the DCs to be registered.

To re-register the SRV records, restart the Netlogon service or run the command NETDIAG /fix.

REPADMIN
http://support.microsoft.com/kb/905739/en-us
http://searchwindowsserver.techtarget.com/tip/Repadmin-diagnoses-Active-Directory-replication-issues-in-Windows
Repadmin /showrepl (showreps) shows the replication partners and the replication status of each AD partition (naming context). repadmin /showrepl DC_NAME /csv > Repl.csv sends the output to a CSV file so it can be viewed more conveniently in Excel.
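Instead of opening Repl.csv in Excel, the CSV form of repadmin /showrepl can be filtered directly, as in this added example (not part of the notes and not a Microsoft tool). The column names are those of the tool's CSV header line (it begins with showrepl_COLUMNS); check them against your own output before relying on the filter, and the sample rows below are constructed, using the site names from the notes.

```powershell
# Added example (not from the notes): flag replication partners reported by
# "repadmin /showrepl <DC or *> /csv" that have one or more failures. Function name is made up.
function Get-ReplicationFailures {
    param([Parameter(Mandatory)][string[]]$CsvLines)   # the lines printed by repadmin ... /csv
    $CsvLines | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Naming Context', 'Source DSA', 'Transport Type',
                      'Number of Failures', 'Last Failure Time', 'Last Success Time',
                      'Last Failure Status' |
        Sort-Object { [int]$_.'Number of Failures' } -Descending
}

# Constructed sample in the CSV shape: DC01 in Zurich replicates cleanly from DC02 but has been
# failing against DC03 for the Configuration partition. On a real DC use:
#   $lines = repadmin /showrepl * /csv
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Zurich,DC01,"DC=corp,DC=example,DC=com",Lucerne,DC02,RPC,0,0,2012-05-07 03:10:12,0
showrepl_INFO,Zurich,DC01,"CN=Configuration,DC=corp,DC=example,DC=com",Lucerne,DC03,RPC,12,2012-05-07 02:55:01,2012-05-06 21:15:44,1722
'@

Get-ReplicationFailures -CsvLines ($sample -split "`r?`n") | Format-Table -AutoSize
```

The Last Success Time column is the one to watch: a partner whose last success is older than the tombstone lifetime is how the lingering objects discussed below come about.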

Fixing lingering object problems in complex Active Directory forests


Pasted from <http://searchwindowsserver.techtarget.com/tip/Fixing-lingering-object-problems-in-complex-Active-Directory-forests>

Repadmin /showconn DC_NAME shows the connections (intrasite and intersite) created by the KCC for each AD partition. The /v parameter can be used for more detail.
Repadmin /replsummary DC_LIST /bysrc /bydest /sort:delta is used to monitor replication health. DC_LIST can be a single DC or a space-separated list of DCs. Repadmin /showobjmeta DC_NAME ObjectDN shows the attributes of an AD object (metadata) and the version of the last change (USN), as well as the time stamp of the change. It is recommended when you want to verify data consistency between two DCs.

Being proactive with Active Directory health


Pasted from <http://searchwindowsserver.techtarget.com/tip/Being-proactive-with-Active-Directory-health>

Cleaning up Active Directory


Pasted from <http://searchwindowsserver.techtarget.com/tip/Cleaning-up-Active-Directory>

Repadmin /options * shows which DCs are Global Catalogs.


repadmin /removelingeringobjects <Destination_domain_controller> <Source_domain_controller_GUID> <Directory_partitionDN> /advisory_mode is used to detect and remove lingering objects from a directory partition.
http://support.microsoft.com/kb/870695/en-us
http://searchwindowsserver.techtarget.com/tip/Fixing-lingering-object-problems-in-complex-Active-Directory-forests
Repadmin /rehost <GCFQDN> <LDAPDN of NC B> <good source DC writable for NC B> cleans the GC by deleting the read-only partition and recreating it from a healthy DC that holds the writable partition. Clean the GC by rehosting all RO partitions and application NCs (domain partition). For the application partitions (DomainDNSZones/ForestDNSZones) use the /application parameter, e.g.: Repadmin /rehost <GCFQDN> <LDAPDN of NC B> <good source DC writable for NC B> /application
http://blogs.technet.com/b/glennl/archive/2007/10/04/so-you-want-to-clean-up-your-forest-of-lingering-objects-before-you-set-your-forest-to-strict-but-you-have-windows-2000-dcs-in-the-forest.aspx

Troubleshooting poor Windows logon performance in Active Directory environments


Pasted from <http://searchwindowsserver.techtarget.com/tip/Troubleshooting-poor-Windows-logon-performance-in-Active-Directory-environments>

Domain controller is not functioning correctly


Pasted from <http://support.microsoft.com/kb/837513/en-us>

Troubleshooting KCC Event Log Errors


<http://blogs.technet.com/b/askds/archive/2008/10/31/troubleshooting-kcc-event-log-errors.aspx>

Repadmin /rebuildgc rebuilds all Global Catalogs in the forest, clears all temporary links and recreates the topology (in a very large environment this can overload the network).
DNSLINT: a tool that is part of the Support Tools. dnslint /s IPaddr /ad IPaddr /v helps diagnose DNS resolution problems.
http://technet.microsoft.com/en-us/library/replication-error-1722-the-rpc-server-is-unavailable(v=ws.10).aspx
NETDOM: NETDOM query fsmo shows which DCs hold the FSMO roles. This tool is part of the Windows 2003 Support Tools.
dsquery server -hasfsmo pdc is another way to find the DCs that hold the FSMO roles.
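As an added example (not from these notes or from Microsoft's tools), a Python script that reads the Repl.csv produced by repadmin /showrepl /csv and lists the inbound replication links with failures or a large replication delta, worst first, the way /replsummary /sort:delta ranks them. The CSV rows are constructed, and the column names are assumed to match repadmin's CSV header.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the layout of "repadmin /showrepl * /csv > Repl.csv".
# Column names are assumed to match repadmin's CSV header; every row is invented.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Site-A,DC1,"DC=contoso,DC=com",Site-A,DC2,RPC,0,0,2012-05-07 12:10:00,0
showrepl_INFO,Site-A,DC1,"DC=contoso,DC=com",Site-B,DC3,RPC,12,2012-05-07 12:05:00,2012-05-06 09:00:00,1722
showrepl_INFO,Site-A,DC1,"CN=Configuration,DC=contoso,DC=com",Site-B,DC3,RPC,0,0,2012-05-07 11:50:00,0
showrepl_INFO,Site-B,DC3,"DC=contoso,DC=com",Site-A,DC1,RPC,0,0,2012-05-07 12:08:00,0
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"

def replication_summary(csv_text, now, max_delta_hours=12):
    """Return the inbound links that need attention, largest delta first.

    Mirrors what "repadmin /replsummary /bysrc /bydest /sort:delta" shows at a
    glance: every link with failures, or whose last success is older than
    max_delta_hours, with its delta in hours and the last failure status code.
    `now` is a timestamp string in TIME_FMT so the result is reproducible.
    """
    now_dt = datetime.strptime(now, TIME_FMT)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        failures = int(row["Number of Failures"])
        last_ok = datetime.strptime(row["Last Success Time"], TIME_FMT)
        delta_h = (now_dt - last_ok).total_seconds() / 3600
        if failures > 0 or delta_h > max_delta_hours:
            findings.append({
                "dest": row["Destination DSA"],
                "source": row["Source DSA"],
                "nc": row["Naming Context"],
                "failures": failures,
                "delta_hours": round(delta_h, 1),
                # Win32 error code of the last failure; 1722 is "RPC server is unavailable"
                "status": int(row["Last Failure Status"]),
            })
    findings.sort(key=lambda f: f["delta_hours"], reverse=True)   # as /sort:delta does
    return findings

if __name__ == "__main__":
    for f in replication_summary(SAMPLE_CSV, "2012-05-07 12:30:00"):
        print(f"{f['source']} -> {f['dest']} {f['nc']}: {f['failures']} failures, "
              f"delta {f['delta_hours']} h, status {f['status']}")
```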

How to configure an authoritative time server in Windows Server


<http://support.microsoft.com/kb/816042/en-us>

Verify Installation
- Verify in AD Users and Computers, in the Domain Controllers OU, that the computer object is there;
- In %systemroot%, verify that the Sysvol folder exists with some subfolders and that the share is enabled on it;
- Verify in DNS that the zone for the AD namespace was created along with the _msdcs zone;

Troubleshooting Installation
- Check that the DNS name is registered properly;
- Check the Directory Service logs and look for errors;
- Use the Netdiag, Dcdiag, Repadmin and NTDSUtil tools;
- Check the log files in %Systemroot%\Debug ("DCPromoUI.log" and "DCPROMO.log") and look for errors;

Active Directory Backup and Restore
- Create a System State Backup

Non-Authoritative Restore
Restore AD from the last backup state. All changes made after the last backup are replicated from other domain controllers. To perform a non-authoritative restore:
1. Restart the system in "Directory Services Restore Mode".
2. Use the backup wizard to restore the data from the system state backup.
3. Restart the server. (It will get the changes made since the last backup through network synchronization.)

Authoritative Restore
Restore the whole domain structure and objects, or only a selected object or container, and bring it to the state it was in at the time of the backup. Changes made after the backup will be discarded. To perform an authoritative restore:
1. Perform a non-authoritative restore.
2. Run Ntdsutil (do not restart the server after performing the non-authoritative restore) to mark objects as authoritative.
3. Restart the server.
- If you restore the entire AD database, copy sysvol from an alternative location over the existing one (after the sysvol share is published).
- If you restore specific objects, copy only the policy folders corresponding to the restored policy objects from an alternative location (after sysvol is published).
- You cannot authoritatively restore the schema and the Configuration naming context.
- Attempts to authoritatively restore a complete naming context will always include objects that can disrupt the proper functionality of crucial parts of Active Directory. Also, in a restore of the entire domain namespace, the passwords are restored to the time the backup was taken. You should always try to authoritatively restore a minimal set of objects.

1. Type ntdsutil and press ENTER;
2. Type authoritative restore, and then press ENTER;
3. Type restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx, or type restore object OU=bosses,DC=ourdom,DC=com to restore a single object;
4. Type quit, press ENTER, type quit, and then press ENTER;
5. Restart the domain controller.
http://support.microsoft.com/kb/241594/en-us
http://technet.microsoft.com/en-us/library/cc779573(v=ws.10).aspx

Diagnosing and Troubleshooting Active Directory Problems


Pasted from <http://technet.microsoft.com/en-us/library/cc961826.aspx>


DHCP
Wednesday, May 2, 2012 17:12

How it works

Automatic IP Configuration
DHCP supports Automatic Private IP Addressing (APIPA), which enables computers running Windows 2000, Windows XP, and Windows Server 2003 to configure an IP address and subnet mask if a DHCP server is unavailable at system startup and the Automatic private IP address Alternate Configuration setting is selected. This feature is useful for clients on small private networks, such as a small-business office or a home office.

The DHCP Client service on a computer running Windows XP or Windows Server 2003 uses the following process to auto-configure the client:
1. The DHCP client attempts to locate a DHCP server and obtain an IP address and configuration.
2. If a DHCP server cannot be found or does not respond after one minute, the DHCP client checks the settings on the Alternate Configuration tab of the properties of the TCP/IP protocol.
- If Automatic private IP address is selected, the DHCP client auto-configures its IP address and subnet mask by using a selected address from the Microsoft-reserved Class B network, 169.254.0.0, with the subnet mask 255.255.0.0. The DHCP client tests for an address conflict to ensure that the IP address is not in use on the network. If a conflict is found, the client selects another IP address. The client retries auto-configuration up to 10 times.
- If User Configured is selected, the DHCP client configures a static IP address configuration. The DHCP client tests for an address conflict to ensure that the IP address is not already in use on the network. If a conflict is found, the DHCP client indicates the error condition to the user.
3. When the DHCP client succeeds in self-selecting an address, it configures its network interface with the IP address. The client then continues to check for a DHCP server in the background every five minutes. If a DHCP server responds, the DHCP client abandons its self-selected IP address and uses the address offered by the DHCP server (and any other DHCP option information that the server provides) to update its IP configuration settings.

If the DHCP client obtained a lease from a DHCP server on a previous occasion, and the lease is still valid (not expired) at system startup, the client tries to renew its lease. If, during the renewal attempt, the client fails to locate any DHCP server, it attempts to ping the default gateway listed in the lease, and proceeds in one of the following ways:
- If the ping is successful, the DHCP client assumes that it is still located on the same network where it obtained its current lease, and continues to use the lease as long as the lease is still valid. By default the client then attempts, in the background, to renew its lease when 50 percent of its assigned lease time has expired.
- If the ping fails, the DHCP client assumes that it has been moved to a network where a DHCP server is not available. The client then auto-configures its IP address by using the settings on the Alternate Configuration tab. When the client is auto-configured, it attempts to locate a DHCP server and obtain a lease every five minutes.
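An added example, not part of the TechNet text above: a Python simulation of the client-side logic just described, namely the APIPA self-selection with conflict retry (up to 10 attempts) and the startup decision with a stored lease (renew, keep the lease after a successful gateway ping, or auto-configure). The is_in_use callback and the lease dictionary are constructed stand-ins for the conflict probe and the saved lease.

```python
import random
from datetime import datetime
from ipaddress import IPv4Network

# Microsoft-reserved APIPA block named above: 169.254.0.0 with mask 255.255.0.0.
APIPA_NET = IPv4Network("169.254.0.0/16")
APIPA_MASK = "255.255.0.0"
MAX_ATTEMPTS = 10

def autoconfigure(is_in_use, seed=1):
    """Self-select a 169.254.x.x address, picking again on conflict up to 10 times.

    is_in_use(address) stands in for the conflict probe the client sends before
    using an address (constructed for the example); the seed makes the random
    picks reproducible. Returns (address, mask, attempts) or None on failure.
    """
    rng = random.Random(seed)
    for attempt in range(1, MAX_ATTEMPTS + 1):
        # skip the all-zeros network and all-ones broadcast host numbers
        candidate = str(APIPA_NET[rng.randrange(1, APIPA_NET.num_addresses - 1)])
        if not is_in_use(candidate):
            return candidate, APIPA_MASK, attempt
    return None   # ten conflicts in a row: auto-configuration gave up

def startup_action(lease, now, dhcp_server_found, gateway_answers_ping):
    """What the client does at startup with the lease it kept from last time.

    lease is None or {"ip", "gateway", "expires"}; now and expires are ISO-8601.
    """
    if lease is None or datetime.fromisoformat(now) >= datetime.fromisoformat(lease["expires"]):
        return "discover"                    # nothing to renew: broadcast DHCPDiscover
    if dhcp_server_found:
        return "renew"                       # normal renewal of the existing lease
    if gateway_answers_ping:
        return "keep lease, renew at 50%"    # still on the same network as the lease
    return "autoconfigure"                   # moved to a network without DHCP: APIPA

if __name__ == "__main__":
    print(autoconfigure(lambda addr: addr == "169.254.20.5"))
    old = {"ip": "10.0.0.55", "gateway": "10.0.0.1", "expires": "2012-05-08T09:00:00"}
    print(startup_action(old, "2012-05-07T09:00:00", False, True))
```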

Scopes
A scope must be properly defined and activated before DHCP clients can use the DHCP server for automatic TCP/IP configuration. A DHCP scope is an administrative collection of IP addresses and TCP/IP configuration parameters that are available for lease to DHCP clients of a specific subnet. The network administrator creates a scope for each subnet.

DHCP Messages
The following list includes the eight types of messages that can be sent between DHCP clients and servers. For more information about the structure and specifics of each of these packets, see DHCP Message Format later in this section.

- DHCPDiscover: Broadcast by a DHCP client when it first attempts to connect to the network. The DHCPDiscover message requests IP address information from a DHCP server.
- DHCPOffer: Broadcast by each DHCP server that receives the client DHCPDiscover message and has an IP address configuration to offer to the client. The DHCPOffer message contains an unleased IP address and additional TCP/IP configuration information, such as the subnet mask and default gateway. More than one DHCP server can respond with a DHCPOffer message. The client accepts the best offer, which for a Windows DHCP client is the first DHCPOffer message that it receives.
- DHCPRequest: Broadcast by a DHCP client after it selects a DHCPOffer. The DHCPRequest message contains the IP address from the DHCPOffer that it selected. If the client is renewing or rebinding to a previous lease, this packet might be unicast directly to the server.
- DHCPAck: Broadcast by a DHCP server to a DHCP client acknowledging the DHCPRequest message. At this time, the server also forwards any options. Upon receipt of the DHCPAck, the client can use the leased IP address to participate in the TCP/IP network and complete its system startup. This message is typically broadcast, because the DHCP client does not officially have an IP address that it can use at this point. If the DHCPAck is in response to a DHCPInform, then the message is unicast directly to the host that sent the DHCPInform message.
- DHCPNack: Broadcast by a DHCP server to a DHCP client denying the client's DHCPRequest message. This might occur if the requested address is incorrect because the client moved to a new subnet or because the DHCP client's lease has expired and cannot be renewed.
- DHCPDecline: Broadcast by a DHCP client to a DHCP server, informing the server that the offered IP address is declined because it appears to be in use by another computer.
- DHCPRelease: Sent by a DHCP client to a DHCP server, relinquishing an IP address and canceling the remaining lease. This is unicast to the server that provided the lease.
- DHCPInform: Sent from a DHCP client to a DHCP server, asking only for additional local configuration parameters; the client already has a configured IP address. This message type is also used by DHCP servers running Windows Server 2003 to detect unauthorized DHCP servers.

DHCP Lease Process
A DHCP-enabled client obtains a lease for an IP address from a DHCP server. Before the lease expires, the DHCP client must renew the lease or obtain a new lease. Leases are retained in the DHCP server database for a period of time after expiration. By default, this grace period is four hours and cleanup occurs once an hour for a DHCP server running Windows Server 2003. This protects a client's lease in case the client and server are in different time zones, the internal clocks of the client and server computers are not synchronized, or the client is off the network when the lease expires.

Obtaining a New Lease
A DHCP client initiates a conversation with a DHCP server when it is seeking a new lease, renewing a lease, rebinding, or restarting. The DHCP conversation consists of a series of DHCP messages passed between the DHCP client and DHCP servers. The following figure shows an overview of this process when the DHCP server and DHCP client are on the same subnet.

DHCP Lease Process Overview
1. The DHCP client requests an IP address by broadcasting a DHCPDiscover message to the local subnet.
2. The client is offered an address when a DHCP server responds with a DHCPOffer message containing an IP address and configuration information for lease to the client. If no DHCP server responds to the client request, the client sends DHCPDiscover messages at intervals of 0, 4, 8, 16, and 32 seconds, plus a random interval of between -1 second and 1 second. If there is no response from a DHCP server after one minute, the client can proceed in one of two ways:
   - If the client is using the Automatic Private IP Addressing (APIPA) alternate configuration, the client self-configures an IP address for its interface.
   - If the client does not support alternate configuration, such as APIPA, or if IP auto-configuration has been disabled, the client network initialization fails.
   In both cases, the client begins a new cycle of DHCPDiscover messages in the background every five minutes, using the same intervals as before (0, 4, 8, 16, and 32 seconds), until it receives a DHCPOffer message from a DHCP server.
3. The client indicates acceptance of the offer by selecting the offered address and broadcasting a DHCPRequest message in response.
4. The client is assigned the address and the DHCP server broadcasts a DHCPAck message in response, finalizing the terms of the lease.

Pasted from <http://technet.microsoft.com/en-us/library/cc780760(v=ws.10).aspx>
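An added example, not part of the TechNet text above: Python that encodes and decodes DHCP messages (the RFC 2131 fixed header, magic cookie and option 53 message type) and runs the four-message Discover/Offer/Request/Ack exchange for one client, with the server acknowledging only a DHCPRequest that matches its own DHCPOffer. The MAC address, IP addresses, transaction id and 8-day lease time are constructed values.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the options field
BOOTREQUEST, BOOTREPLY = 1, 2               # op: client -> server / server -> client
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # option 53 message types (RFC 2132)
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"        # RFC 2131 fixed header, 236 bytes

def build(op, msg_type, xid, mac, yiaddr="0.0.0.0", extra=()):
    """Encode one message: fixed header, magic cookie, options, END (0xff)."""
    head = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000,  # Ethernet, BROADCAST flag set
                       b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                       mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    for code, value in extra:
        opts += bytes([code, len(value)]) + value
    return head + MAGIC_COOKIE + opts + b"\xff"

def parse(pkt):
    """Decode the fields the exchange needs; refuses a packet without the cookie."""
    f = struct.unpack(HEADER, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xff:
        if pkt[i] == 0:               # PAD option carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
            "chaddr": f[11][:f[2]], "type": opts[53][0], "options": opts}

def dora(mac, server_ip, free_pool, xid=0x3903F326):
    """Discover/Offer/Request/Ack for one client; returns the four decoded messages."""
    server = IPv4Address(server_ip).packed
    discover = parse(build(BOOTREQUEST, DISCOVER, xid, mac))
    # Server: offer the first unleased address plus mask, router and server-identifier options.
    offered = free_pool.pop(0)
    offer = parse(build(BOOTREPLY, OFFER, discover["xid"], mac, offered,
                        [(1, bytes([255, 255, 255, 0])), (3, server), (54, server)]))
    # Client: accept by requesting the offered address (option 50) from that server (option 54).
    request = parse(build(BOOTREQUEST, REQUEST, xid, mac,
                          extra=[(50, IPv4Address(offer["yiaddr"]).packed), (54, server)]))
    # Server: acknowledge only a request whose xid and address match its own offer.
    if request["xid"] != xid or request["options"][50] != IPv4Address(offered).packed:
        raise RuntimeError("request does not match the offer")
    ack = parse(build(BOOTREPLY, ACK, xid, mac, offered,     # option 51: 8-day lease (constructed)
                      [(51, struct.pack("!I", 8 * 24 * 3600)), (54, server)]))
    return discover, offer, request, ack

if __name__ == "__main__":
    for msg in dora(bytes.fromhex("001122334455"), "192.168.1.1", ["192.168.1.100"]):
        print(msg["op"], msg["type"], msg["yiaddr"], sorted(msg["options"]))
```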

