
OFFICIAL MICROSOFT LEARNING PRODUCT

6419A
Configuring, Managing and Maintaining Windows Server 2008 Servers
Volume 1
Be sure to access the extended learning content on your
Course Companion CD enclosed on the back cover of the book.


ii Configuring, Managing and Maintaining Windows Server 2008 Servers

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Press, Active Directory, ActiveX, BitLocker, Excel, Hyper-V, Internet Explorer, MS,
MSDN, PowerPoint, SharePoint, SQL Server, Visual Basic, Visual Studio, Win32, Windows, Windows
Media, Windows NT, Windows PowerShell, Windows Server, and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.





Product Number: 6419A
Part Number: X15-19813
Released: 02/2009

MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER
EDITION Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
updates,
supplements,
Internet-based services, and
support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Academic Materials means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.
b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. Authorized Training Session(s) means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
MOC) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.
d. Course means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.
e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. Licensed Content means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.

i. Student Content means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.
j. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.
k. Trainer Content means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using
Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered Trainer Content.
n. you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (i) or (ii) above during such
Authorized Training Session in accordance with these license terms.

i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a

protective order or otherwise protect the information. Confidential information does not
include information that
becomes publicly known through no wrongful act;
you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first (beta term).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:

You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as
Evaluation Software may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.

iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:
The use of the Academic Materials will be only for your personal reference or training use
You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
You will include the Academic Materials' original copyright notice, or a copyright notice to
Microsoft's benefit in the format provided below:
Form of Notice:
© 2009 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else's use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not
install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft's prior written approval;
work around any technical limitations in the Licensed Content;
reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
publish the Licensed Content for others to copy;

transfer the Licensed Content, in whole or in part, to a third party;
access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
rent, lease or lend the Licensed Content; or
use the Licensed Content for commercial hosting services or general business purposes.
Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks, do not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as NFR or Not for Resale.
10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as
Academic Edition or AE. If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-
based services and support services that you use, are the entire agreement for the Licensed
Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content is licensed "as is". You bear all risk of using this
Licensed Content. Microsoft gives no other express warranties. You may have additional consumer rights
under your local consumer protection laws, which this agreement cannot change. Where permitted by local
law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are
excluded.
LIMITATION ON AND EXCLUSION OF DAMAGES AND LIABILITY. You can recover from Microsoft and its
suppliers compensation only for direct damages up to U.S. $5.00. You cannot claim any compensation for
other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
anything related to the Licensed Content, services or content (including code) on third-party Internet
sites or in third-party programs; and
claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of
any kind, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. This agreement does not change the rights that the laws of your country give you if those
laws do not permit it to do so.

Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their
contribution towards developing this title. Their effort at various stages in the
development has ensured that you have a good classroom experience.
Aaron Clutter - Lead Developer
Aaron Clutter has been developing and leading the development of content for
Aeshen since 2002. He has a background as a Windows administrator and
network engineer.
Michael Cassens - Content Developer
Michael Cassens is a Senior Content Developer at Aeshen and joined in 2006. He
earned his MCSD and MCP+Site Building certifications in 2000 and a Masters in
Computer Science in 2003. He has also worked as an independent software
consultant and an Adjunct Professor at the University of Montana since 1998.
Sean Masters - Content Developer
Sean Masters joined Aeshen in 2007. He has worked in SMB technical operations
for nearly 10 years including 4 years as manager of information technology at a
property management firm and 4 years as a private consultant to various legal and
financial firms in the New England area.
Valerie Lee - Content Developer
Valerie Lee joined Aeshen in 2006, and has gained extensive knowledge of
Microsoft technologies by working on Microsoft TechNet Content, Webcasts,
White Papers, and Microsoft Learning Courses. Prior to joining Aeshen, she
worked as a consultant in positions providing desktop and network
troubleshooting and training support.
Joel Barker - Content Developer
Joel Barker has been developing content for Microsoft server products for five
years; prior to that he has held a variety of positions in the IT industry.

Philip Morgan - Subject Matter Expert
Philip Morgan is a Senior Product Analyst at Aeshen and joined the company in
2007. He has been an MCT since 1996 and has worked as a trainer, consultant,
and network administrator helping people learn, implement, and use Microsoft
products.
Conan Kezema - Technical Reviewer
Conan Kezema, MCSE, MCT is an educator, consultant, network systems architect,
and author who specializes in Microsoft technologies.

Contents
Module 1: Introduction to Managing Microsoft Windows Server 2008 Environment
Lesson 1: Server Roles 1-3
Lesson 2: Overview of Active Directory 1-15
Lesson 3: Using Windows Server 2008 Administrative Tools 1-28
Lesson 4: Using Remote Desktop for Administration 1-36
Lab: Administering Windows Server 2008 1-44
Module 2: Creating Active Directory Domain Services User and Computer Objects
Lesson 1: Managing User Accounts 2-3
Lesson 2: Creating Computer Accounts 2-17
Lesson 3: Automating AD DS Object Management 2-24
Lesson 4: Using Queries to Locate Objects in AD DS 2-33
Lab: Creating AD DS User and Computer Accounts 2-39
Module 3: Creating Groups and Organizational Units
Lesson 1: Introduction to AD DS Groups 3-3
Lesson 2: Managing Groups 3-17
Lesson 3: Creating Organizational Units 3-22
Lab: Creating an OU Infrastructure 3-29
Module 4: Managing Access to Resources in Active Directory Domain Services
Lesson 1: Managing Access Overview 4-3
Lesson 2: Managing NTFS File and Folder Permissions 4-11
Lesson 3: Assigning Permissions to Shared Resources 4-20
Lesson 4: Determining Effective Permission 4-33
Lab: Managing Access to Resources 4-44

Module 5: Configuring Active Directory Objects and Trusts
Lesson 1: Delegate Administrative Access to Active Directory Objects 5-3
Lab A: Configuring Active Directory Delegation 5-12
Lesson 2: Configure Active Directory Trusts 5-16
Lab B: Configuring Active Directory Trusts 5-24
Module 6: Creating and Configuring Group Policy
Lesson 1: Overview of Group Policy 6-3
Lesson 2: Configuring the Scope of Group Policy Objects 6-18
Lesson 3: Evaluating the Application of Group Policy Objects 6-31
Lesson 4: Managing Group Policy Objects 6-37
Lesson 5: Delegating Administrative Control of Group Policy 6-47
Lab A: Creating and Configuring GPOs 6-51
Lab B: Verifying and Managing GPOs 6-57
Module 7: Configure User and Computer Environments By Using Group Policy
Lesson 1: Configuring Group Policy Settings 7-3
Lesson 2: Configuring Scripts and Folder Redirection Using Group Policy 7-7
Lab A: Configuring Logon Scripts and Folder Redirection Using Group Policy 7-13
Lesson 3: Configuring Administrative Templates 7-17
Lab B: Configuring Administrative Templates 7-23
Lesson 4: Deploying Software Using Group Policy 7-28
Lab C: Deploying Software with Group Policy 7-36
Lesson 5: Configuring Group Policy Preferences 7-39
Lab D: Configuring Group Policy Preferences 7-44
Lesson 6: Introduction to Group Policy Troubleshooting 7-48
Lesson 7: Troubleshooting Group Policy Application 7-55
Lesson 8: Troubleshooting Group Policy Settings 7-67
Lab E: Troubleshooting Group Policy Issues 7-71
Module 8: Implementing Security Using Group Policy
Lesson 1: Configuring Security Policies 8-3
Lesson 2: Implementing Fine-Grained Password Policies 8-15
Lab A: Implementing Security Using Group Policy 8-20
Lesson 3: Restricting Group Membership and Access to Software 8-26
Lesson 4: Managing Security Using Security Templates 8-34
Lab B: Configuring and Verifying Security Policies 8-43
Module 9: Configuring Server Security Compliance
Lesson 1: Securing a Windows Infrastructure 9-3
Lesson 2: Overview of EFS 9-9
Lesson 3: Configuring an Audit Policy 9-13
Lesson 4: Overview of Windows Server Update Services (WSUS) 9-20
Lesson 5: Managing WSUS 9-32
Lab: Manage Server Security 9-40
Module 10: Configuring and Managing Storage Technologies
Lesson 1: Windows Server 2008 Storage Management Overview 10-3
Lesson 2: Managing Storage Using File Server Resource Manager 10-13
Lab A: Installing the FSRM Role Service 10-20
Lesson 3: Configuring Quota Management 10-22
Lab B: Configuring Storage Quotas 10-29
Lesson 4: Implementing File Screening 10-31
Lab C: Configuring File Screening 10-38
Lesson 5: Managing Storage Reports 10-40
Lab D: Generating Storage Reports 10-45
Lesson 6: Understanding Storage Area Networks 10-47
Module 11: Configuring and Managing Distributed File System
Lesson 1: Distributed Files System (DFS) Overview 11-3
Lesson 2: Configuring DFS Namespaces 11-13
Lab A: Installing the Distributed File System Role Service and Creating a DFS Namespace 11-22
Lesson 3: Configuring DFS Replication 11-26
Lab B: Configuring Folder Targets and Viewing Diagnostic Reports 11-42
Module 12: Configuring Network Access Protection
Lesson 1: Overview of Network Access Protection 12-3
Lesson 2: How NAP Works 12-18
Lesson 3: Configuring NAP 12-25
Lesson 4: Monitoring and Troubleshooting NAP 12-33
Lab: Configuring NAP for DHCP and VPN 12-37
Module 13: Configuring Availability of Network Content and Resources
Lesson 1: Configuring Shadow Copies 13-3
Lab A: Configuring Shadow Copying 13-11
Lesson 2: Providing Server and Service Availability 13-14
Lab B: Configuring Network Load Balancing 13-26
Module 14: Monitoring and Maintaining Windows Server 2008 Servers
Lesson 1: Planning Monitoring Tasks 14-3
Lesson 2: Calculating a Server Baseline 14-9
Lesson 3: Measuring Performance Objects 14-14
Lab A: Identifying Windows Server 2008 Monitoring Requirements 14-24
Lesson 4: Selecting Appropriate Monitoring Tools 14-29
Lesson 5: Planning Notification Methods 14-37
Lesson 6: Overview of Windows Server 2008 Management Tasks 14-41
Lesson 7: Automating Windows Server 2008 Management 14-45
Lab B: Configuring Windows Server 2008 Monitoring 14-49
Module 15: Managing Windows Server 2008 Backup and Restore
Lesson 1: Planning Backups with Windows Server 2008 15-3
Lesson 2: Planning Backup Policy on Windows Server 2008 15-15
Lesson 3: Planning a Server Restore Policy 15-20
Lesson 4: Planning an EFS Restore Policy 15-29
Lesson 5: Troubleshooting Windows Server 2008 Startup 15-40
Lab A: Planning Windows Server 2008 Backup Policy 15-51
Lab B: Planning Windows Server 2008 Restore 15-58
Lab Answer Keys

About This Course xix
About This Course
This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.
Course Description
This five-day instructor-led course provides students with the knowledge and skills
to configure and manage Microsoft Windows Server 2008 servers. The course
focuses heavily on Active Directory Domain Services object creation and Group
Policy management. The course also focuses on configuring security, storage,
Network Access Protection, troubleshooting, and server data protection.
Audience
The primary audience for this course is IT Professionals who want to increase their
hands-on deployment and day-to-day management skills for Windows Server 2008
servers in an enterprise organization. The primary audience for this course will be
responsible for day-to-day management of the server OS, file, and directory
services; software distribution, patches, and updates; profiling and monitoring; and
Tier 2 troubleshooting for a subset of the organization's servers.
The secondary audiences for this course are individuals who are network
infrastructure technology specialists.
Student Prerequisites
This course requires that you meet the following prerequisites:
At least one year's experience operating Windows servers daily in the area of
account management, server maintenance, server monitoring, or server
security
A+, Server+, hardware portion of Net+, and familiarity with Microsoft
Windows (client side)
Working knowledge of networking technologies
Intermediate understanding of network operating systems
Working experience with Windows Server 2003 and Windows Server 2008
Basic knowledge of Active Directory
An understanding of security concepts and methodologies (for example,
corporate policies)
Basic knowledge of TCP/IP
Basic knowledge of scripting tools such as Windows PowerShell and WMI

Course Objectives
After completing this course, students will be able to:
Describe the different administrative tools and tasks in Windows Server 2008
Configure AD DS user and computer accounts
Create Groups and Organizational Units
Manage access to shared resources in an AD DS environment
Configure Active Directory Objects and Trusts
Create and configure Group Policy Objects
Configure user and computer environments by using Group Policy
Implement security by using Group Policy
Configure and analyze server security and security update compliance
Configure and manage storage technologies included with
Windows Server 2008
Configure and manage Distributed File System
Configure Network Access Protection
Configure availability of network resources
Plan and Maintain Windows Server 2008 monitoring
Manage a Windows Server 2008 Backup and Restore
Course Outline
This section provides an outline of the course:
Module 1: Introduction to Managing Microsoft Windows Server 2008
Environment describes the fundamentals of an enterprise networking
environment, which consists of Windows Infrastructure Services, Windows
Application Platform Services, and Active Directory. This module also explains how
to administer a Windows Server 2008 server.
Module 2: Creating Active Directory Domain Services User and Computer
Objects explains how to configure AD DS user and computer accounts.
Module 3: Creating Groups and Organizational Units explains how to configure
AD DS group accounts and organizational units.
Module 4: Managing Access to Resources in Active Directory Domain Services
explains how to manage access to shared resources in an AD DS environment.
Module 5: Configuring Active Directory Objects and Trusts explains how to
implement and configure AD DS objects and trusts.
Module 6: Creating and Configuring Group Policy explains how Group Policy
objects (GPOs) work and how to create and apply GPOs.
Module 7: Configure User and Computer Environments by Using Group Policy
describes how to configure user desktop settings by using Group Policy and how
to troubleshoot and resolve issues related to Group Policy.
Module 8: Implementing Security Using Group Policy describes how to
configure security settings and apply them using GPOs.
Module 9: Configuring Server Security Compliance explains how to configure
and analyze server security and security update compliance. This module also
describes some of the management tasks that you should undertake with a focus
on security update management and discusses automated maintenance tools such
as Windows Server Update Services.
Module 10: Configuring and Managing Storage Technologies explains how to
configure and troubleshoot file system storage technologies included with
Windows Server 2008.
Module 11: Configuring and Managing Distributed File System explains how to
configure and manage Distributed File System.
Module 12: Configuring Network Access Protection explains how to configure
and manage NAP for DHCP, VPN, and 802.1X.
Module 13: Configuring Availability of Network Resources and Content explains
how to configure network resources and content availability. It explains how to
enable a shadow copy volume, which provides access to previous file and folder
versions on a network. Finally, this module explains how you can use failover
clustering and Network Load Balancing (NLB) to facilitate greater data availability
and workload scalability.
Module 14: Monitoring and Maintaining Windows Server 2008 Servers covers
planning your monitoring tasks to determine appropriate server baselines,
measuring key performance metrics, collecting data by using Data Collector Sets,
and identifying suitable notification methods when an alert occurs.
Module 15: Managing Windows Server 2008 Backup and Restore describes the
changes to backup in Windows Server 2008 and helps you to plan your backup
requirements and policy to meet the requirements of your organization. This
module also describes how you should plan for encrypted file system recovery,
restoration of system state data, and creating a server restore policy to verify server
operations.
Course Materials
The following materials are included with your kit:
Course Handbook. A succinct classroom learning guide that provides all the
critical technical information in a crisp, tightly-focused format, which is just
right for an effective in-class learning experience.
Lessons: Guide you through the learning objectives and provide the key
points that are critical to the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the
knowledge and skills learned in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference
material to boost knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your
fingertips when it's needed.
Course Companion CD. Searchable, easy-to-navigate digital content with
integrated premium on-line resources designed to supplement the Course
Handbook.
Lessons: Include detailed information for each topic, expanding on the
content in the Course Handbook.
Labs: Include complete lab exercise information and answer keys in digital
form to use during lab time.
Resources: Include well-categorized additional resources that give you
immediate access to the most up-to-date premium content on TechNet,
MSDN, and Microsoft Press.
Student Course Files: Include the Allfiles.exe, a self-extracting executable
file that contains all the files required for the labs and demonstrations.
Note: To access the full course content, insert the Course Companion CD into the
CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.
Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification
Program, send e-mail to mcphelp@microsoft.com.
Virtual Machine Environment
This section provides the information for setting up the classroom environment to
support the business scenario of the course.
Virtual Machine Configuration
In this course, you will use Microsoft Virtual Server 2005 R2 with SP1 to perform
the labs.
Important: At the end of each lab, you must close the virtual machine and must not
save any changes. To close a virtual machine without saving the changes, perform
the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do?
list, click Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine used in this course:
Virtual machine   Role
6419-LON-DC1      Domain Controller for EMEA.WoodgroveBank.com
6419-NYC-CL1      Client computer in WoodgroveBank.com
6419-NYC-CL2      Client computer in the WoodgroveBank.com domain
6419-NYC-DC1      Domain Controller for WoodgroveBank.com
6419-NYC-DC2      Domain Controller for WoodgroveBank.com
6419-NYC-INF      Member server for WoodgroveBank.com
6419-NYC-SVR1     Standalone server
6419-NYC-SVR2     Standalone server
6419-VAN-DC1      Domain Controller for Fabrikam.com

Software Configuration
The following software is installed on each VM:
Windows Server 2008 Enterprise Edition
Windows Server 2003 Enterprise Edition is installed on 6419-VAN-DC1

Course Files
There are files associated with the labs in this course. The lab files are located in
the folder E:\ModXX\Labfiles within the virtual machines.
Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way.
Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a
minimum equipment configuration for trainer and student computers in all
Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which
Official Microsoft Learning Product courseware is taught.
This course requires that you have a computer that meets or exceeds hardware
level 6, which specifies an Intel Virtualization Technology (Intel VT) or AMD
Virtualization (AMD-V) processor, dual 120 GB 7200 RPM SATA hard disks or
better, 4 GB RAM expandable to 8 GB or higher, a DVD drive, a network adapter, a
super VGA (SVGA) 17-inch monitor, a Microsoft Mouse or compatible pointing
device, and a sound card with amplified speakers.


Introduction to Managing Microsoft Windows Server 2008 Environment 1-1
Module 1
Introduction to Managing Microsoft Windows
Server 2008 Environment
Contents:
Lesson 1: Server Roles 1-3
Lesson 2: Overview of Active Directory 1-15
Lesson 3: Using Windows Server 2008 Administrative Tools 1-28
Lesson 4: Using Remote Desktop for Administration 1-36
Lab: Administering Windows Server 2008 1-44



Module Overview

Multiple tools exist to facilitate management of Microsoft Windows Server 2008
computers and Active Directory domains. In Windows Server 2008, many of
these tools have been consolidated into the Server Manager tool. This change offers
a single point for server administration.
By understanding the tools available to manage Windows Server 2008 and Active
Directory, you will be able to more quickly and effectively implement change
requests.
Lesson 1
Server Roles

Windows Server 2008 is configured by adding and removing server roles and
features. This is a new method of organizing the addition and removal of services.
Understanding server roles and features allows you to install and support only the
Windows Server 2008 components you need in your environment.
Windows Server 2008 Editions

Key Points
Windows Server 2008 is available in several editions to meet the needs of various
organizations. The editions are available for x86, x64, and Itanium processors.
Windows HPC Server 2008 is designed for clustering hundreds of computers
together to work on a single processing task. Hyper-V is a role that is provided
for 64-bit installations of Windows Server 2008. You can order Standard,
Enterprise, and Datacenter editions that do not have Hyper-V included.
Question: Describe the criteria you will use when deciding what edition of
Windows Server to deploy.

What Are Server Roles?

Key Points
Server roles are a way to configure a computer running Windows Server 2008 to
perform a specific function. In a large enterprise, computers can be configured to
perform a single role to ensure greater scalability. In a small organization, many
roles can be combined on a single computer.
When deploying multiple server roles on a single computer, consider the
following:
The capacity of the computer should be sufficient for all the installed roles.
Ensure that security requirements for the roles you plan to install can co-exist
on a single computer.
Configure security settings appropriately for all installed roles.
Plan ahead for possible migration paths if the computer becomes overloaded.
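The considerations above are easiest to act on when the roles actually installed on a server are inventoried regularly and compared against what the server is supposed to host. The following Windows PowerShell script is an added example and is not part of the course; it assumes a Windows Server 2008 host, where the Win32_ServerFeature WMI class is available, and an approved-role list that is constructed for the example.

```powershell
# Added example, not course material. Inventories installed server roles and
# features on Windows Server 2008 through the Win32_ServerFeature WMI class and
# flags anything that is not on an approved list (the list is an assumption).

function Get-InstalledServerRole {
    $features = Get-WmiObject -Class Win32_ServerFeature
    # ParentID 0 marks a top-level role or feature; other entries are its role services.
    $topLevel = $features | Where-Object { $_.ParentID -eq 0 } | Sort-Object Name
    foreach ($top in $topLevel) {
        $services = $features | Where-Object { $_.ParentID -eq $top.ID } | ForEach-Object { $_.Name }
        New-Object PSObject -Property @{
            Name         = $top.Name
            ID           = $top.ID
            RoleServices = ($services -join ', ')
        }
    }
}

function Test-ApprovedRole {
    param(
        [string[]]$Approved   # roles and features this server is allowed to host
    )
    foreach ($role in Get-InstalledServerRole) {
        New-Object PSObject -Property @{
            Name         = $role.Name
            Approved     = ($Approved -contains $role.Name)
            RoleServices = $role.RoleServices
        }
    }
}

# Usage: the approved list below is constructed for the example. Entries with
# Approved = False are candidates for review and removal; ServerManagerCmd.exe -query
# lists the identifiers that ServerManagerCmd.exe -remove expects.
$approved = @('File Services', 'DNS Server')
Test-ApprovedRole -Approved $approved |
    Sort-Object Approved, Name |
    Format-Table Name, Approved, RoleServices -AutoSize
```

Running this on each server before adding a role gives a concrete answer to the capacity and security co-existence questions: you see every role already present, including role services that were pulled in as dependencies and may not be obvious from the Server Manager summary.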

Question: In your work environment, what are the advantages of consolidated
servers, dedicated servers, or both?

What Are the Windows Infrastructure Services Roles?

Key Points
Windows infrastructure services roles are used to form the underlying framework
of software and services that are used by other applications within the
organization.
The table below describes Microsoft Windows infrastructure services roles:
Active Directory Certificate Services: Creates and manages certification authorities. Certification authorities are used to create digital certificates for identification and encryption.
Active Directory Rights Management Services: Helps protect information from unauthorized use and generates licenses that specify what actions can be taken with protected content and by whom.
DHCP Server: Automatically allocates IP addresses and IP configuration information to clients.

DNS Server: Provides name resolution for TCP/IP networks.
Fax Server: Sends and receives faxes electronically rather than requiring paper-based copies of documents.
File Services: Provides technologies for storage management, file replication, and file searching.
Network Policy and Access Services: Provides support for LAN or WAN routing, network access policy enforcement, VPN connections, and dial-up connections.
Hyper-V: Provides server virtualization functionality.
Print Services: Enables and manages network printing.
Terminal Services: Allows users to run programs on a remote server but view the results in a Remote Desktop window.
Windows Deployment Services: Deploys Windows operating systems to computers over the network.

Question: List the Windows infrastructure services roles used in your work
environment.

What Are the Windows Application Platform Services
Roles?

Key Points
Windows application platform services roles are used as a platform for the
development of applications.
The table below describes Windows application platform services roles:
Application Server: Provides a complete solution for hosting and managing distributed business applications. Includes services such as the .NET Framework, Web server, and Message Queuing.
Universal Description, Discovery, and Integration (UDDI) Services: Shares information about Web services within an organization or between business partners.
Web Server (IIS): Enables Windows Server 2008 as a Web server.
Question: List the Windows application platform roles used in your work
environment.

What Are the Active Directory Server Roles?

Key Points
The Active Directory roles allow you to implement and control Active Directory for
your organization.
Question: Briefly describe one or two scenarios where you would implement each
server role.

AD DS Integration with Other Active Directory Server Roles

Key Points
Many of the other Windows Server 2008 server roles integrate with AD DS. Server
roles, such as the following, rely on AD DS:
Active Directory Federation Services (AD FS)
Active Directory Rights Management Services (AD RMS)
Active Directory Certificate Services (AD CS)

Question: Describe any other applications you are aware of that can leverage AD DS.

What Are Server Features?

Key Points
Server features support server roles or enhance the functionality of a server.
Question: Which of these features do you use in your work environment?

What Is Server Core?

Key Points
Server Core is a new installation option for Windows Server 2008. It provides a
minimal environment for running specific server roles. A graphical interface is not
included as part of the Server Core installation.
Question: Describe two scenarios in which Server Core would be a beneficial
choice of server platform.

Lesson 2
Overview of Active Directory

Active Directory is a central repository of network information. Understanding
how Active Directory is organized is essential to understanding network security
and management. In this lesson, you will learn about Active Directory domains,
forests, and domain controllers.
What Is Active Directory?

Key Points
Active Directory is a central repository of network information that is used for
logon security and application configuration. The information stored in Active
Directory includes:
User accounts
Computer accounts
Application configuration information
Subnet addresses
Group accounts
Printer objects
Published folder objects
Active Directory is not a large single database. It is composed of multiple partitions.
The domain partition holds information that is specific to a particular domain. The
configuration partition holds configuration information for Active Directory and
applications. The schema partition is the list of allowed objects and attributes in
Active Directory.
Question: Why is it important that the schema is replicated to all domain
controllers in the entire forest?

Benefits of Active Directory

Key Points
Active Directory provides a single repository of information that is used for
network management. A workgroup is a peer-to-peer network without a centralized
security database. When Windows computers are not joined to a domain, they are
considered members of a workgroup. Each workgroup member has its own
security database and group policy store.
Question: Are there any situations where a workgroup would be preferable?

What Is a Domain?

Key Points
A domain is a logical grouping of objects such as:
User accounts. These are required for users to log on and access network
resources. Information such as e-mail addresses and mailing addresses can be
stored as part of a user account.
Computer accounts. These are required for a computer to participate in the
domain and become part of the security infrastructure. To log on with a
domain user account, you must use a computer that has a computer account
in the domain.
Groups. These are used to organize users and computers into sets for
assigning permissions to resources. Using groups makes it easier to manage
access to resources such as files.
Question: How has your organization used domains to create security boundaries?
If your organization does not use domains, how might domains be used in your
organization?

What Is an Organizational Unit?

Key Points
An organizational unit (OU) is a grouping of objects within a domain. OUs can
contain:
Users
Groups
Computers
Other OUs
OUs are used to:
Apply Group Policy Settings: Group Policy Settings can be associated with an
OU. When associated with an OU, the group policy applies to all user and
computer accounts within the OU.
Delegate management: Permissions to manage Active Directory objects can be
assigned to an OU. Permissions granted to an OU are inherited for objects
inside the OU.
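Because permissions granted at an OU are inherited by the objects inside it, a periodic look at which access control entries on an OU are explicit and which flowed down from a parent is how you verify that delegation is as narrow as intended. The Windows PowerShell script below is an added example and is not part of the course; it reads the OU's security descriptor through ADSI, and the OU name it is called with is an assumption for the example.

```powershell
# Added example, not course material. Lists the access control entries on an OU
# and marks which ones are inherited from a parent container, so delegated
# permissions and their inheritance scope can be reviewed. The OU name used in
# the usage line is an assumption.

function Get-OUAccessRule {
    param(
        [string]$OUDistinguishedName
    )
    $ou = [ADSI]"LDAP://$OUDistinguishedName"
    # GetAccessRules(includeExplicit, includeInherited, identity type to report)
    $rules = $ou.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        New-Object PSObject -Property @{
            Identity  = [string]$ace.IdentityReference
            Rights    = [string]$ace.ActiveDirectoryRights
            Type      = [string]$ace.AccessControlType
            Inherited = $ace.IsInherited
            AppliesTo = [string]$ace.InheritanceType   # None, All, Descendents, Children, ...
        }
    }
}

# Usage: explicit entries (delegated on this OU itself) sort first, then the
# entries inherited from parent containers or the domain head.
Get-OUAccessRule -OUDistinguishedName 'OU=Sales,DC=WoodgroveBank,DC=com' |
    Sort-Object Inherited, Identity |
    Format-Table Identity, Rights, Type, Inherited, AppliesTo -AutoSize
```

An entry with Inherited = False and AppliesTo = All is a delegation made on this OU that also applies to every child object; that is usually what was intended for a delegated administrator, but it is also the kind of entry worth re-checking when an OU is moved or a delegation is retired.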

Question: Describe one scenario when you would use a domain to organize a
network. Describe one scenario when you would use an OU to organize a network.

What Is a Forest?

Key Points
A forest is a collection of domains that:
Share a common schema
Share a common Global Catalog
Are connected by two-way transitive trusts

When domains have a trust relationship, accounts in the trusted domain can be
granted access to resources in the trusting domain.
Domain trees in a forest are not required to have the same naming structures.
Question: Does a trust automatically allow users in one domain to access
resources in another domain?

What Is a Domain Controller?

Key Points
The following are characteristics of a domain controller:
A domain controller is a computer that holds a copy of Active Directory
information.
Domain controllers update this copy of Active Directory information through
multi-master replication with other domain controllers in the domain and
forest.
At minimum, a domain controller holds a copy of the local domain partition,
the configuration partition, and the schema partition.


Note: A global catalog server is a domain controller that holds a subset of the domain
information for all domains in the entire forest.
Question: How many domain controllers should you have?
What Is a Read-Only Domain Controller?

Key Points
An RODC is a new type of domain controller that Windows Server 2008 supports.
An RODC hosts read-only partitions of the AD DS database. This means that no
changes can ever be made to the database copy stored by the RODC, and all AD DS
replication uses a one-way connection from a domain controller that has a
writeable database copy to the RODC.
Question: In your work environment, do you have scenarios where an RODC
would be beneficial?
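Before deciding where an RODC would help, it is worth knowing which domain controllers you already have, which of them are global catalog servers, and which are read-only. The Windows PowerShell script below is an added example and is not part of the course; it uses the .NET System.DirectoryServices.ActiveDirectory classes for the DC list and an ADSI search for RODC membership, and assumes it runs from a domain-joined computer as a user who can read the domain.

```powershell
# Added example, not course material. Inventories the domain controllers of the
# current domain: site, global catalog status, FSMO roles held, and whether the
# DC is read-only. RODC detection relies on the computer object's primary group:
# writable DCs belong to "Domain Controllers" (RID 516), RODCs to
# "Read-only Domain Controllers" (RID 521).

function Get-ReadOnlyDomainControllerName {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # With no SearchRoot set, the search starts at the root of the current domain.
    $searcher.Filter = "(&(objectCategory=computer)(primaryGroupID=521))"
    $searcher.PropertiesToLoad.Add("dNSHostName") | Out-Null
    $names = @()
    foreach ($result in $searcher.FindAll()) {
        $names += ([string]$result.Properties["dnshostname"][0]).ToLower()
    }
    return $names
}

function Get-DomainControllerInventory {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $rodcs  = Get-ReadOnlyDomainControllerName
    foreach ($dc in $domain.FindAllDomainControllers()) {
        New-Object PSObject -Property @{
            Name          = $dc.Name
            Site          = $dc.SiteName
            GlobalCatalog = $dc.IsGlobalCatalog()
            ReadOnly      = ($rodcs -contains $dc.Name.ToLower())
            Roles         = (@($dc.Roles) -join ', ')   # FSMO roles, if any
        }
    }
}

Get-DomainControllerInventory |
    Sort-Object Site, Name |
    Format-Table Name, Site, GlobalCatalog, ReadOnly, Roles -AutoSize
```

A site with user logons but no domain controller in the output is the classic candidate for an RODC: authentication stays local, while the one-way replication described above means a compromise of that server cannot push changes back into the writable copies.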

Read-Only Domain Controller Features

Key Points
RODCs provide several features designed to work together to increase security.
These features minimize the risks of deploying a domain controller in a location
with low physical security or high exposure to attack.
Question: If you plan to use one or more RODCs in your work environment,
which RODC features do you plan to use?

Demonstration: Joining a Domain

Key Points
Join NYC-CL1 to the WoodgroveBank.com domain.
View the results of joining the domain.
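The same join and verification can be scripted, which is how a practitioner would repeat the demonstration across many clients and confirm each one actually ended up in the domain. The Windows PowerShell script below is an added example and is not part of the course; it assumes Windows PowerShell 2.0 on the client (NYC-CL1 in the demonstration), an elevated prompt, and an account that is allowed to join computers to WoodgroveBank.com. The optional OU path is an assumption, not a value from the course.

```powershell
# Added example, not course material. Joins the local computer to a domain and
# then verifies the result: domain membership as recorded by the OS and a
# working secure channel to a domain controller. Assumes PowerShell 2.0
# (Add-Computer and Test-ComputerSecureChannel) and an elevated session.

function Join-LabDomain {
    param(
        [string]$DomainName = 'WoodgroveBank.com',
        [string]$OUPath                         # optional DN of the OU for the computer account
    )
    # Prompt for an account permitted to create/join computer accounts in the domain.
    $cred = Get-Credential
    if ($OUPath) {
        Add-Computer -DomainName $DomainName -Credential $cred -OUPath $OUPath
    } else {
        Add-Computer -DomainName $DomainName -Credential $cred
    }
    # The join takes effect after a restart; call Restart-Computer when ready.
}

function Get-DomainJoinStatus {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $secureChannel = $false
    if ($cs.PartOfDomain) {
        # Confirms the computer account's secure channel to a DC is valid.
        $secureChannel = Test-ComputerSecureChannel
    }
    New-Object PSObject -Property @{
        ComputerName  = $cs.Name
        PartOfDomain  = $cs.PartOfDomain
        Domain        = $cs.Domain
        SecureChannel = $secureChannel
    }
}

# Usage (the OU is an assumed example path):
# Join-LabDomain -DomainName 'WoodgroveBank.com' -OUPath 'OU=Workstations,DC=WoodgroveBank,DC=com'
# Restart-Computer
# After the restart, verify:
Get-DomainJoinStatus | Format-List
```

PartOfDomain = True with SecureChannel = False is the state to watch for after a join: the OS believes it is a member, but the computer account's password no longer matches what the domain controller holds, so domain logons and Group Policy processing will fail until the channel is repaired.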
Lesson 3
Using Windows Server 2008 Administrative
Tools

Each administrative tool included with Windows Server 2008 is used to manage
different system components. Administrative tools include:
Microsoft Management Console
Problem Reports and Solutions
Server Manager
Computer Management
Device Manager

By understanding the administrative tools available to you in Windows Server
2008, you can choose the best tool for the administrative task at hand.
Microsoft Management Console

Key Points
A snap-in is a program that allows you to perform specific administrative tasks.
New snap-ins are added when you install additional software components. For
example, the snap-ins for managing Microsoft Exchange Server 2007 are
added when you install Exchange Server 2007.
You can remotely administer a server by re-focusing the MMC snap-in to the
remote server.
Custom consoles allow you to create a console with only the capabilities that
you require as part of your job role.

Question: Will you create customized consoles for most of your management
tasks?

Server Manager

Key Points
Combining frequently used snap-ins into a single console simplifies administration
of your server.
Question: Why is it beneficial to combine frequently used snap-ins into a single
console?

Computer Management

Key Points
This administrative tool is included with Microsoft Windows 2000 Server and
Windows Server 2003 operating systems. Many of the snap-ins found in Server
Manager are also found in Computer Management.
Question: Will you use Computer Management or Server Manager to manage your
servers?

Device Manager

Key Points
One of the most common uses for Device Manager is updating device drivers.
Device drivers are used by the operating system to communicate with devices
such as network adapters or video adapters. When an incorrect driver is used,
the device will typically have limited functionality or no functionality at all.
Device Manager visually indicates if a device is disabled or is not functioning
properly. This makes it easy to identify malfunctioning components.

Question: Why would you update a device driver if a device appears to be working
properly?

Problem Reports and Solutions

Key Points
Problem Reports and Solutions is a utility for monitoring and resolving system
problems. Problem Reports and Solutions records the details of a system problem,
and then contacts Microsoft for a resolution of the problem.
Question: How does Problem Reports and Solutions improve upon the Dr. Watson
utility found in previous versions of the Microsoft Windows operating system?

Demonstration: Using Windows Server 2008 Administrative Tools

Key Points
Use Problem Reports and Solutions.
Use Server Manager.
Use Computer Management.
Use Device Manager.

Question: Which of the administrative tools demonstrated will you use most
often?

Common Administration Tasks

Key Points
Administrative tools can be grouped by the task for which each tool is commonly
used. Sometimes multiple tools may be needed to carry out a single task.
Question: Describe one or more common administrative tasks you carry out in
your work environment and a tool that would be used to carry out this task.

Lesson 4
Using Remote Desktop for Administration

Remote Desktop for Administration is widely used by most organizations to
access servers remotely and to perform system maintenance. There are many
configuration options you can use for controlling security of the connections and
other connection characteristics. Remote Desktop for Administration can help you
reduce the time and effort involved in server administration tasks.
Remote Desktop for Administration

Key Points
Remote Desktop for Administration is a service that allows administrators to access
the desktop of a computer running Windows Server 2008 remotely. This service
can be used to access a server from a corporate desktop or a remote location.
Note the following primary differences between Remote Desktop for
Administration and the Windows Server 2008 Terminal Services role:
Remote Desktop for Administration is limited to two concurrent remote
connections.
Remote Desktop for Administration requires no extra licensing.
Remote Desktop for Administration is installed by default but is not enabled
by default.

Note: Remote Desktop for Administration generates a much smaller amount of network
data than running server management utilities over the network from a workstation.
Question: What concerns are there about allowing a server administrator to use
Remote Desktop for Administration from home?

Benefits of Remote Desktop for Administration

Key Points
Remote Desktop for Administration is a useful tool with several benefits.

Note: Even though Server Core does not include a graphical desktop, you can enable
Remote Desktop for Administration. Once connected, you are presented with a
command prompt rather than a Windows desktop.
Question: Can Remote Desktop for Administration result in cost savings for an
organization?

Demonstration: Remote Desktop Client Configuration

Key Points
View the Remote Desktop options on NYC-CL1.
Describe the options on the following tabs:
General tab
Display tab
Local Resources tab
Programs tab
Experience tab
Advanced tab

Question: Why would you disable client features such as local drives and printers?
Securing Remote Desktop for Administration

Key Points
The first level of securing Remote Desktop for Administration is controlling
who can use it.
Remote Desktop for Administration is disabled by default. You can leave it
disabled for high security installations.
When enabled, access can be controlled by making users members of the
Remote Desktop Users group. Members of the Local Administrators group are
allowed to connect by default.
The Security layer determines the type of encryption that is performed
between the client and server.
Encryption level controls which data is encrypted and the strength of the
encryption.
The Require Network Level Authentication setting requires users to authenticate
with a user name and password before a session is established on the server.

Question: Why should you not use the low encryption level?

Demonstration: Using Remote Desktop for Administration

Key Points
On NYC-DC1, enable Remote Desktop for Administration.
Configure security settings on NYC-DC1.
Connect to the console with the /console switch.

Question: When is connecting to the server console, rather than a remote session,
useful?

Lab: Administering Windows Server 2008

Exercise 1: Install the DNS Server Role
Scenario
You have decided to prepare the server NYC-SVR1 for remote management
through Remote Desktop. You will also install the DNS Server role and verify
domain membership on NYC-SVR1.
In this exercise, you will install the DNS Server role and verify domain
membership.
The main tasks for this exercise are as follows:
1. Start the virtual machines, and then log on.
2. Install the DNS Server Role.
3. Verify domain membership.
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
6. Log on to NYC-CL1 as Administrator with the password Pa$$w0rd.
7. Log on to NYC-SVR1 as Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Install the DNS Server role
On NYC-SVR1, use Server Manager to install the DNS Server role using the
following settings:
Add only the DNS Server role service.

Task 3: Verify domain membership
1. On NYC-DC1, in Active Directory Users and Computers, verify that the
NYC-SVR1 computer account exists.
2. On NYC-SVR1, in Local Users and Groups, verify that Domain Admins is a
member of the local administrators group.

Results: After this exercise, you should have successfully installed the DNS Server role
and successfully verified domain membership.

Exercise 2: Configuring Remote Desktop for Administration
Scenario
The server NYC-SVR1 is being used to run a new application for loan applications.
The person responsible for monitoring this application needs access to NYC-SVR1
remotely because he is not authorized to enter the data center. You need to enable
Remote Desktop for Administration for Axel Delgado with the highest level of
security possible.
In this exercise, you will enable Remote Desktop for Administration, and configure
security settings to allow Axel Delgado to carry out remote administration tasks.
The main tasks for this exercise are as follows:
1. Enable Remote Desktop for Administration.
2. Grant Axel Delgado access to Remote Desktop for Administration on
NYC-SVR1.
3. Configure security for Remote Desktop for Administration.
4. Give Axel Delgado rights to run Reliability and Performance Monitor.
5. Verify Remote Desktop for Administration Functionality.

Task 1: Enable Remote Desktop for Administration
1. On NYC-SVR1, open Remote settings in System Properties.
2. Allow connections only if Network Level Authentication is used.

Task 2: Grant Axel Delgado access to Remote Desktop for Administration on NYC-SVR1
On NYC-SVR1 in Remote Settings, add Axel Delgado as a user allowed to
connect remotely.
Task 3: Configure security for Remote Desktop for Administration
1. On NYC-SVR1, open Terminal Services Configuration.
2. In the properties of RDP-Tcp, configure:
Security layer: SSL (TLS 1.0)
Encryption level: High
Allow connections only from computers running Remote Desktop with
Network Level Authentication

Task 4: Give Axel Delgado rights to run Reliability and Performance Monitor
On NYC-SVR1, use Local Users and Groups to add Axel Delgado as a member
of Performance Log Users.

Task 5: Verify Remote Desktop for Administration functionality
1. On NYC-CL1, open Remote Desktop Connection.
2. Log on using the following information:
Computer: NYC-SVR1.woodgrovebank.com
User name: woodgrovebank\Axel
Password: Pa$$w0rd
3. In the Remote Desktop Connection window, open Reliability and Performance
Monitor. Notice that data associated with Resource Overview is not available
to Axel Delgado because Axel Delgado is not a local Administrator.
4. Verify that Axel Delgado can view information in Performance Monitor.

Results: After this exercise, you should have successfully used Axel Delgado's account
to remotely access NYC-SVR1 and run Reliability and Performance Monitor.
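The settings that the Securing Remote Desktop for Administration topic lists and that Task 3 of this exercise configures can be checked from a script. This is an added example, not course material: it reads the local server's listener settings through the Win32_TSGeneralSetting WMI class and the fDenyTSConnections registry value, reports any that differ from the exercise's values, and lists who may connect; it assumes Windows PowerShell 2.0 on Windows Server 2008 and an elevated prompt.

```powershell
# Added example (not from the course): audit Remote Desktop for Administration
# on the local server against Exercise 2, Task 3 (SSL, High, NLA required).
# Assumes Windows PowerShell 2.0 on Windows Server 2008, run elevated.

# Value meanings of Win32_TSGeneralSetting (root\cimv2\TerminalServices)
$SecurityLayerNames   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$EncryptionLevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpAdminSettings {
    # fDenyTSConnections = 1 corresponds to "Don't allow connections to this computer"
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

    # RDP-Tcp is the listener whose properties Terminal Services Configuration edits
    $rdp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

    New-Object PSObject -Property @{
        Enabled            = ($deny -eq 0)
        SecurityLayer      = [int]$rdp.SecurityLayer
        MinEncryptionLevel = [int]$rdp.MinEncryptionLevel
        NlaRequired        = ([int]$rdp.UserAuthenticationRequired -eq 1)
    }
}

function Get-RemoteDesktopUsers {
    # Members of the local Remote Desktop Users group. Local Administrators can
    # connect regardless of this list, so review that group as well.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Test-RdpAdminSettings {
    param(
        $Settings,                          # output of Get-RdpAdminSettings
        [int]$RequiredSecurityLayer = 2,    # SSL (TLS 1.0)
        [int]$RequiredEncryptionLevel = 3,  # High
        [bool]$RequireNla = $true
    )
    $findings = @()
    if (-not $Settings.Enabled) {
        # Disabled is the most restrictive state; the listener checks do not apply.
        return $findings
    }
    if ($Settings.SecurityLayer -ne $RequiredSecurityLayer) {
        $findings += ('Security layer is {0}; expected {1}.' -f
            $SecurityLayerNames[$Settings.SecurityLayer],
            $SecurityLayerNames[$RequiredSecurityLayer])
    }
    if ($Settings.MinEncryptionLevel -lt $RequiredEncryptionLevel) {
        $findings += ('Encryption level is {0}; expected at least {1}.' -f
            $EncryptionLevelNames[$Settings.MinEncryptionLevel],
            $EncryptionLevelNames[$RequiredEncryptionLevel])
    }
    if ($RequireNla -and -not $Settings.NlaRequired) {
        $findings += 'Network Level Authentication is not required.'
    }
    return $findings
}

$settings = Get-RdpAdminSettings
$settings | Format-List Enabled, SecurityLayer, MinEncryptionLevel, NlaRequired
$findings = @(Test-RdpAdminSettings -Settings $settings)
if ($findings.Count -eq 0) {
    Write-Host 'RDP-Tcp listener matches the required settings.'
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
}
Write-Host 'Remote Desktop Users members:'
Get-RemoteDesktopUsers | ForEach-Object { Write-Host "  $_" }
```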
Lab Shutdown
After you complete the lab, you must shut down the 6419A-NYC-DC1,
6419A-NYC-CL1, and 6419A-NYC-SVR1 virtual machines and discard any changes.
Module Review and Takeaways

Review Questions
1. Which server role must be installed to configure Windows Server 2008 as a
domain controller?
2. What is the relationship between Active Directory domains and Active
Directory forests?
3. Which administrative tool tracks system crashes and attempts to resolve them?
4. When monitoring performance, which tools can you use to track CPU
utilization over time?
Real-world Issues and Scenarios
1. You are the lead server administrator for your location in a large organization.
There are 4,000 users in your location, with seven server administrators. You
would like to configure administrative tools for the server administrators that
you manage. Each administrative tool would have all the options required for
them to perform their job tasks. How can you create these custom tools?
2. A computer running Windows Server 2008 has been in your organization for
about two months. It has been running perfectly until last week. Since last
week, it has been crashing once or twice a day. How can you determine the
cause of this problem?
3. You are the server administrator for a small organization with 100 users and
three computers running Windows Server 2008. Your IT manager would like
to respond more quickly to support calls after business hours. Currently, you
drive into the office when required. This takes up to an hour. How can you
avoid the need to return to the office to perform support tasks after hours?
And how will you address security concerns?
Tools
Tool | Use for | Where to find it
Active Directory Users and Computers | Create user accounts | Administrative Tools
Active Directory Domains and Trusts | View and manage trusts | Administrative Tools
Active Directory Sites and Services | View and manage Active Directory sites | Administrative Tools
ADSI Edit | Perform manual edits of Active Directory objects | Administrative Tools
Microsoft Management Console | Add snap-ins to perform administrative tasks; create custom consoles | Command prompt
Problem Reports and Solutions | Track solutions to system problems | Administrative Tools
Server Manager | Add or remove server roles and features; perform diagnostics; manage server configuration; manage server storage | Administrative Tools
Computer Management | Share folders; access system tools; manage server storage; manage services; manage Routing and Remote Access | Administrative Tools
Device Manager | Configure devices; update drivers | Administrative Tools, Computer Management, Server Manager

(continued)
Tool | Use for | Where to find it
Task Manager | View applications and processes; view basic performance information | Ctrl+Alt+Del, right-click taskbar, Ctrl+Shift+Esc
Reliability and Performance Monitor | Resource Overview; Performance Monitor; Reliability Monitor; Data Collector Sets | Administrative Tools
Event Viewer | View events in logs; collect events at a single computer; query events | Administrative Tools, Computer Management, Server Manager
Remote Desktop for Administration | Remotely connect to servers and perform administrative tasks | Control Panel > System > Remote settings
Terminal Services Configuration | Configure Remote Desktop for Administration | Administrative Tools
Local Users and Groups snap-in | Manage local users and groups | Computer Management, Server Manager
Active Directory Users and Computers | Manage domain user accounts and groups | Administrative Tools
Run As Administrator | Elevate privileges of a program | Context menu when right-clicking an application shortcut
runas | Elevate privileges of a program | Command prompt


Creating Active Directory Domain Services User and Computer Objects 2-1
Module 2
Creating Active Directory Domain Services User and Computer Objects
Contents:
Lesson 1: Managing User Accounts 2-3
Lesson 2: Creating Computer Accounts 2-17
Lesson 3: Automating AD DS Object Management 2-24
Lesson 4: Using Queries to Locate Objects in AD DS 2-33
Lab: Creating AD DS User and Computer Accounts 2-39
Module Overview

One of your functions as an Active Directory Domain Services (AD DS)
administrator is to manage user and computer accounts. These accounts are AD DS
objects that individuals use to log on to the network and access resources. In this
module, you will learn about modifying user and computer accounts on computers
running the Microsoft Windows Server 2008 operating system in a networked
environment.
Lesson 1
Managing User Accounts

In AD DS for Windows Server 2008, all users that require access to network
resources must be configured with a user account. With this user account, users
can be authenticated to the AD DS domain and granted access to network
resources. As the AD DS administrator, you will need to know how to create and
configure user accounts.
What Is a User Account?

Key Points
A user account is an object that contains all of the information that defines a user
in Windows Server 2008. The account can be either a local or a domain account. A
user account includes the user name and password as well as group memberships.
A user account also contains many other settings that can be configured based
upon your organizational requirements.
Usage
With a user account, you can:
Allow or deny users to log on to a computer based on their user account
identity.
Grant users access to processes and services for a specific security context.
Manage users' access to resources such as AD DS objects and their properties,
shared folders, files, directories, and printer queues.

Question: List at least one advantage of creating local accounts. List at least one
advantage of creating domain accounts.

Names Associated with Domain User Accounts

Key Points
When creating a user account, an administrator provides a user logon name. User
logon names must be unique in the domain/forest in which the user account is
created.
Names generated by Active Directory
When a user account is created using Active Directory Users and Computers,
AD DS also creates:
An LDAP distinguished name.
An LDAP-relative distinguished name.
A SID and global unique identifier (GUID).

Question: Provide at least one example of a good, scalable, unique domain user
name.
User Account Password Options

Key Points
As a systems administrator, you can manage user account password options. These
options can be set when the user account is created or in the Properties dialog box
of a user account.
Systems administrators can also change the default domain password complexity
settings by accessing the Group Policy Management Editor. Administrators can
configure these settings by navigating to: Computer Configuration\Policies
\Windows Settings\Security Settings\Account Policies\Password Policy.
Question: Provide at least one example of a strong password.
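A candidate password can be checked against the rules that the "Password must meet complexity requirements" setting under the Password Policy node enforces. This added example (not course material) approximates those rules in a Windows PowerShell function and runs it against constructed candidates for the lab user Axel Delgado; it assumes the Default Domain Policy values of complexity enabled and a minimum length of 7 characters, and Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the course): approximate check of the Windows
# "Password must meet complexity requirements" rule. Minimum length 7 is the
# assumed Default Domain Policy value; adjust -MinimumLength to match yours.

function Test-PasswordComplexity {
    param(
        [string]$Password,
        [string]$SamAccountName = '',   # checked as a whole, case-insensitive
        [string]$DisplayName = '',      # checked token by token
        [int]$MinimumLength = 7
    )
    $failures = @()

    if ($Password.Length -lt $MinimumLength) {
        $failures += "shorter than $MinimumLength characters"
    }

    $lower = $Password.ToLowerInvariant()
    if ($SamAccountName.Length -gt 0 -and $lower.Contains($SamAccountName.ToLowerInvariant())) {
        $failures += 'contains the account name'
    }
    # The full name is split on the delimiters Windows uses; any token of three
    # or more characters may not appear anywhere in the password.
    foreach ($token in ($DisplayName -split '[ ,.\-_#\t]+')) {
        if ($token.Length -gt 2 -and $lower.Contains($token.ToLowerInvariant())) {
            $failures += "contains part of the full name ($token)"
        }
    }

    # At least three of five character categories. -cmatch keeps the regex
    # case-sensitive; -match would let \p{Lu} match lowercase letters too.
    $categories = 0
    if ($Password -cmatch '\p{Lu}') { $categories++ }                 # uppercase letters
    if ($Password -cmatch '\p{Ll}') { $categories++ }                 # lowercase letters
    if ($Password -cmatch '\p{Nd}') { $categories++ }                 # decimal digits
    if ($Password -cmatch '[^\p{L}\p{Nd}]') { $categories++ }         # punctuation/symbols
    if ($Password -cmatch '[\p{Lo}\p{Lt}\p{Lm}]') { $categories++ }   # other alphabetic
    if ($categories -lt 3) {
        $failures += "uses $categories of the 5 character categories (3 required)"
    }

    New-Object PSObject -Property @{
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures
    }
}

# Constructed candidates for the lab user Axel Delgado (woodgrovebank\Axel)
$candidates = @('Pa$$w0rd', 'delgado2008', 'Summer!!', 'Ax1!')
foreach ($candidate in $candidates) {
    $result = Test-PasswordComplexity -Password $candidate `
        -SamAccountName 'Axel' -DisplayName 'Axel Delgado'
    if ($result.Compliant) {
        '{0,-12} meets the policy' -f $candidate
    } else {
        '{0,-12} rejected: {1}' -f $candidate, ($result.Failures -join '; ')
    }
}
```

Meeting the complexity rule is a floor, not a measure of strength; the course's lab password satisfies it while still being widely published.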

Standard User Management

Key Points
Some common standard user tasks are resetting passwords, configuring group
management, assigning user profiles, creating home directories and setting user
expiration.
The Resetting Password function is accessed through the Active Directory
Users and Computers management console. Administrators can easily access
any user record and reset their password through a context menu.
The Group Management functionality is also accessed through the Active
Directory Users and Computers management console. Administrators can
create groups and then assign users to these groups by selecting the user and
adding them to a group.
Administrators can set an expiration date for users in the Active Directory
Users and Computers management console when new users are created.
In the Active Directory Users and Computers management console,
administrators can set logon hours, which provide specific times when a user
can access a computer.
Administrators can assign a home directory to their users in the Active
Directory Users and Computers management console by accessing a user and
specifying the user's home directory in the Home Folder section.
Administrators can assign custom profiles to users in the Active Directory
Users and Computers management console. This allows administrators to
assign user access to resources.

Question: How many times can users attempt to log on before they are locked out
(by default)?

Tools for Configuring User Accounts

Key Points
Active Directory Users and Computers
Active Directory Users and Computers is the primary tool used for day-to-day
administration of AD DS.
Command line tools
You also can use the command-line tools Dsadd, Dsmod, and Dsrm to manage
user accounts in AD DS.
Csvde
The Csvde command-line tool uses a comma-delimited text file (comma-separated
value, or CSV, format) as input to create multiple accounts in AD DS.
Ldifde
The Ldifde command-line tool uses a line-separated value format to create, modify,
and delete objects in Active Directory.
Windows PowerShell
Use Windows PowerShell when you want to change the attribute values for
multiple Active Directory objects or when the selection criteria for these objects are
complex.
Question: List at least two criteria required when selecting from the available
methods for automating user creation.

Demonstration: Configuring User Accounts

Key Points
Add a user in Active Directory Users and Computers.
Add a user by using dsadd.
Review user account properties.
Rename an account in Active Directory Users and Computers.
Rename an account by using dsmod.
Review password complexity settings.
Question: How would you create several user objects with the same settings for
attributes, such as department and office location?
Question: Under what circumstances would you disable a user account rather
than delete it?
Question: Why are you prompted to change the additional names when you
change the user name?
Question: Why would you rename a user name in AD DS when a user changes
their name rather than deleting the account and creating a new account with the
new name?

What Is a User Account Template?

Key Points
A user account template is an account that has commonly used settings and
properties already configured. You can use user account templates to simplify the
process of creating domain user accounts.
To perform this procedure, you must be a member of the Account Operators
group, Domain Admins group, or the Enterprise Admins group in Active
Directory, or you must have been delegated the appropriate authority.
To open Active Directory Users and Computers, click Start, click Control
Panel, double-click Administrative Tools, and then double-click Active
Directory Users and Computers.
To prevent a particular user from logging on for security reasons, you can
disable user accounts rather than deleting user accounts.
By creating disabled user accounts with common group memberships, you can
use disabled user accounts as account templates to simplify user account
creation.
Information such as logon hours and group memberships is retained when a new
user is created from a template, but the Description and Office attributes are
not copied.
Additional attributes can be viewed and modified in the Active Directory
Schema MMC snap-in.

Question: List at least one example of how your company uses account templates.

Demonstration: Creating and Using a User Account Template

Key Points
Use Active Directory Users and Computers to add a new user to the Users
container.
Copy the template account, and rename its identity attributes.

Question: What are some fields not populated when you create a new user from a
template?
Question: How could you make a template account easy to find in AD DS?

Lesson 2
Creating Computer Accounts

In AD DS, computers are security principals, just like users. This means that
computers must have accounts and passwords. To be fully authenticated by
AD DS, a user must have a valid user account, and the user must also log on to the
domain from a computer that has a valid computer account. All computers
running Microsoft Windows NT or later operating systems must have computer
accounts in AD DS.
What Is a Computer Account?

Key Points
Computers access network resources to perform key tasks such as authenticating
user log on, obtaining an IP address, and receiving security policies. To have full
access to these network resources, computers must have valid accounts in AD DS.
The two main functions of a computer account are performing security and
management activities.
Question: List at least one way your company manages their computer accounts.

Options for Creating Computer Accounts

Key Points
You can create computer accounts in AD DS by joining the computer to the
domain, or by pre-staging computer accounts before joining the computer to the
domain. Both administrators and users can join computers to the domain.
Pre-staging the account is simply creating the computer account in AD before
joining the computer to the domain. If you need to secure the pre-staged account,
then you can provide a staging GUID that will then be used only by the computer
that matches the GUID.
Adding computers to an AD DS domain
If a computer is joined to a domain, the computer account is created in the
Computers container by default. In most organizations, administrators will move
the computer accounts to department-specific OUs so that specific software and
operating system configurations can be applied to the computers.
Pre-staging computer accounts
You can ensure that computer accounts are configured in the right AD DS
container by pre-staging computer accounts. When you pre-stage a computer
account, you create the computer in the domain before joining the computer to the
domain. Organizations pre-stage computer accounts in order to automate the
operating system and application installation by using tools such as Windows
Deployment Services.
Question: List at least one advantage of pre-staging when deploying.

Managing Computer Accounts

Key Points
The most commonly used properties for computer accounts in AD DS are the
Location and Managed by properties. To maintain computers, you must find the
physical location of the computers.
The Location property can be used to document the computer's physical
location in your network.
The Managed By property lists the individual responsible for the computer.
This information can be useful when you have a data center with servers for
different departments and you need to perform maintenance on the server.
You can call or send e-mail to the person who is responsible for the server
before you perform maintenance on the server.

Question: How can the Location and Managed by properties be used to automate
computer account management?
Demonstration: Configuring Computer Accounts

Key Points
Create a normal user account in Active Directory Users and Computers.
Configure the Computer Account Settings.
Disable and Reset an Account.
Question: A user is taking a two-month leave from work. No one else will be
using the user's computer, and you want to ensure that no one can log on to the
computer while she is gone. However, you want to minimize the amount of effort
required for the user to start using the computer when she comes back. How
should you configure the computer account?
Question: You are pre-staging 100 computer accounts for workstations that will
be added to the domain over the next few weeks. You want to ensure that only
members of the desktop support team can add the computers to the domain. What
should you do?

Lesson 3
Automating AD DS Object Management

In most cases, you are likely to create and configure AD DS objects on an
individual basis. However, in some cases, you may need to create or modify the
configuration for many objects simultaneously. For example, if your organization
hires a large group of new employees, you may want to automate the new-accounts
configuration process. If your organization moves to a new location, you may want
to automate the task of assigning new addresses and phone numbers to all users.
This lesson describes how to manage multiple AD DS objects.
Tools for Automating AD DS Object Management

Key Points
Windows Server 2008 provides a number of tools that you can use to create or
modify multiple user accounts automatically in AD DS. Some of these tools require
that you use a text file containing information about the user accounts that you
want to create. You also can create Windows PowerShell scripts to add objects or
make changes to Active Directory objects.
Administrators can still use Microsoft Visual Basic Scripting Edition (VBScript) to
manage Active Directory objects. If you already have VBScript scripts, you should be
able to reuse them with very little modification.
Question: List at least one way your organization has employed these tools to
automate AD DS object management.

Configuring AD DS Objects Using Command-Line Tools

Key Points
Use these command-line tools to configure AD DS objects.
Examples (each option is introduced with a leading hyphen, which the printed page dropped):
Dsadd - dsadd user "cn=Keith Harris,cn=users,dc=contoso,dc=com" -samid Keith -fn Keith -ln Harris -display "Keith Harris" -pwd Pa$$w0rd
Dsmod - dsmod computer "cn=sales2,ou=sales,dc=contoso,dc=com" -loc Downtown -desc Workstation
Dsrm - dsrm -subtree -c "cn=sales2,ou=sales,dc=contoso,dc=com"
Dsget - dsget user "cn=Keith Harris,cn=users,dc=contoso,dc=com" -memberof
net user - net user "Gregory Weber" Pa$$w0rd /add
Net group - net group SalesGroup "Gregory Weber" /add
Net computer - net computer \\Sales2 /del

Question: List at least one example of why an administrator would want to use
command line tools.

Managing User Objects with LDIFDE

Key Points
You can use the Ldifde command-line tool to create and make changes to multiple
accounts. When you use the Ldifde tool, you provide the command's input in a
line-separated text file (an LDIF file).
Question: List at least one way that LDIFDE makes user management more
scalable and reliable.

Managing User Objects with CSVDE

Key Points
You can use the Csvde command-line tool to create multiple accounts in AD DS;
however, you only can use the Csvde tool to create accounts, not to change them.
Question: List at least one advantage of using CSVDE over LDIFDE when
managing user objects.

What Is Windows PowerShell?

Key Points
Windows PowerShell is an extensible scripting and command-line technology
that developers and administrators can use to automate tasks in a Windows
environment. Windows PowerShell uses a set of small cmdlets, each of which performs
a specific task; cmdlets can also be combined through the pipeline to perform complex
administrative tasks.
Windows PowerShell is directly accessible through the new command shell, called
PowerShell.exe. When you run Windows PowerShell from this command shell,
you can perform many of the tasks you could perform using the traditional
command shell (cmd.exe), plus many more.
Question: What is the difference between the command prompt and Windows
PowerShell?

Windows PowerShell Cmdlets

Key Points
Windows PowerShell is easy to learn because of its use of cmdlets. Pipelining is
consistent across all cmdlets.
Question: List at least one important management cmdlet.

Demonstration: Configuring Active Directory Objects Using
Windows PowerShell

Key Points
Examine built-in cmdlets.
Build Complex Commands using Pipelines and Auto-Complete.
Examine and run a pre-existing script.

Question: What are the advantages and disadvantages of modifying Active
Directory objects by using Windows PowerShell scripts? How can you address the
disadvantages?

Lesson 4
Using Queries to Locate Objects in AD DS

Some large organizations have thousands of user accounts in an AD DS domain.
Even if these accounts are grouped into different OUs, it can still take some time to
find a specific user in the domain. Windows Server 2008 provides several features
in Active Directory Users and Computers that make it easier to locate these users.
Options for Locating Objects in AD DS

Key Points
There are several options available in the Windows Server 2008 administration
tools that can increase the efficiency of looking for user accounts in domains with
many users.
To sort the order of objects in Active Directory Users and Computers:
1. View the user accounts in their container in Active Directory Users and
Computers.
2. Click any of the column headings to sort the order of the objects (either
ascending or descending).

You can also add more columns to the display and then sort the display based on
the additional column.
To search for objects in Active Directory Users and Computers
Active Directory provides information about all objects on a network, including
people, groups, computers, printers, shared folders, and OUs. It is easy to search
for users, contacts, and groups by using the Find Users, Contacts, and Groups
dialog box.
Using a command line
You can use the dsquery command to find users and computers in AD DS that
match the specified search criteria.
Question: If an administrator were searching for a number of disparate users,
would it be more efficient to use the graphic user interface or the command line
tool?

Demonstration: Searching AD DS

Key Points
Create a Saved Query.
Export a query to an .xml file.

Question: You need to update the phone number for a user. You have only been
given the user's first name and last name and you do not know which OU contains
the object. What is the quickest way to locate the user account?
Question: You need to create a new user account and want to check if a user name
is already in use in the domain. How could you do this?

What Is a Saved Query?

Key Points
The Active Directory Users and Computers management tool has a Saved Queries
folder in which you can create, edit, save, and organize saved queries. Saved
queries use predefined LDAP strings to search only the specified domain partition
allowing you to focus searches to a single container object. You can also create a
customized saved query that contains an LDAP search filter.
Queries are specific to the domain controller on which they were created. After you
successfully create your customized set of queries, you can copy the .msc file to
other Windows Server 2008 domain controllers that are in the same domain, and
reuse the same set of saved queries. Queries can also be shared throughout the
domain by exporting them to XML files and then importing those files to other
domain controllers.
Question: List at least one way that saved queries help with the long-term
maintainability of your organization.
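The lookups described under "Using a command line" and "What Is a Saved Query?", run from Windows PowerShell on a domain controller, as an added example that is not part of the course. The domain and the Find_Investment_Users query follow the lab; the Houston search base and the 8-week threshold are assumptions.

```powershell
# Added example, not from the course: command-line equivalents of the searches
# in Lesson 4. The domain follows the lab; the Houston search base and the
# 8-week threshold are assumptions.

# 1. Accounts that have not logged on for 8 weeks. dsquery's -inactive relies on
#    lastLogonTimestamp, so it needs Windows Server 2003 domain functional level
#    or higher. The DNs it prints are piped to dsget to show each logon name and
#    whether the account is already disabled.
dsquery user "OU=Houston,DC=WoodgroveBank,DC=com" -inactive 8 | dsget user -samid -disabled

# 2. Is a logon name already taken before you create an account? No output means it is free.
dsquery user domainroot -samid Kerim

# 3. The Find_Investment_Users saved query as an LDAP filter. objectCategory=person
#    keeps computer objects (which are also objectClass=user) out of the result.
function Find-UsersByDepartment {
    param(
        [string]$Prefix,
        [switch]$DisabledOnly,
        [string]$SearchRoot = 'LDAP://DC=WoodgroveBank,DC=com'
    )
    $filter = "(&(objectCategory=person)(objectClass=user)(department=$($Prefix)*))"
    if ($DisabledOnly) {
        # Bitwise-AND matching rule on userAccountControl; 2 is ACCOUNTDISABLE.
        $filter = "(&$($filter)(userAccountControl:1.2.840.113556.1.4.803:=2))"
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchRoot
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000            # page so domains with >1000 matches return everything
    foreach ($attr in 'sAMAccountName', 'department', 'distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $searcher.FindAll() | Select-Object `
        @{ n = 'Name';       e = { $_.Properties['samaccountname'][0] } },
        @{ n = 'Department'; e = { $_.Properties['department'][0] } },
        @{ n = 'DN';         e = { $_.Properties['distinguishedname'][0] } }
}

# All Investments users in every city (Task 8), then only the disabled ones.
Find-UsersByDepartment -Prefix 'Investments' | Format-Table -AutoSize
Find-UsersByDepartment -Prefix 'Investments' -DisabledOnly | Format-Table -AutoSize
```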
Demonstration: Using a Saved Query

Key Points
Create a Saved Query.
Export a query to an .xml file.

Question: You need to find all user accounts in your AD DS domain that are no
longer active. How would you do this?

Lab: Creating AD DS User and Computer
Accounts

Scenario
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has deployed AD DS for Windows
Server 2008. As one of the network administrators, one of your primary tasks will
be to create and manage user and computer accounts.
Exercise 1: Creating and Configuring User Accounts
In this exercise, you will create and configure user accounts. You will create a
template and a user account based on the template. Finally, you will create a saved
query and verify its ability to return expected search results.
The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Create a new user account.
3. Modify Kerim Hanif's user account properties.
4. Create a template for the New York Customer Service department.
5. Create a new user account based on the customer service template.
6. Modify the user account properties for all customer service representatives in
New York.
7. Modify the user account properties for all Branch Managers.
8. Create a saved query to find all investment users.

Task 1: Start the virtual machines, and then log on
1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher
starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.
Task 2: Create a new user account
1. On NYC-DC1, open Active Directory Users and Computers.
2. In the ITAdmins OU, create a new user with the following parameters:
First name: Kerim
Last name: Hanif
Full name: Kerim Hanif
User logon name: Kerim
Password: Pa$$w0rd
3. On NYC-CL1, verify that you can log on as Kerim, with a password of
Pa$$w0rd. When prompted, change the password to Pa$$w0rd1.
4. Log off from NYC-CL1.

Task 3: Modify Kerim Hanif's user account properties
1. Modify the user account properties for Kerim Hanif's account as follows:
Telephone number: 204-555-0100
Office: Downtown
E-mail: Kerim@WoodgroveBank.com
Remote Access Permission: Allow access
Logon Hours: Mon-Fri, 8:00 A.M. to 5:00 P.M.
2. Add Kerim to the ITAdmins_WoodgroveGG group.
Task 4: Create a template for the New York Customer Service
department
In the CustomerService OU, create and configure a user account with the
property settings in the following table:
Property            Value
First name          CustomerService
Last name           Template
Full name           CustomerService Template
User logon name     _CustomerServiceTemplate
Password            Pa$$w0rd
Description         Customer Service Representative
Office              New York Main Office
Member Of           NYC_CustomerServiceGG
Department          Customer Service
Logon Hours         6:00 A.M. to 6:00 P.M., Monday to Friday
Disable the account

Task 5: Create a new user account based on the customer service
template
1. Copy the CustomerService Template and create a new user with the following
parameters:
First Name: Sunil
Last Name: Koduri
User Logon Name: Sunil
Password: Pa$$w0rd
2. Enable the account.
Task 6: Modify the user account properties for all customer service
representatives in New York
1. In the CustomerService OU, update the properties of all the users to reflect the
following information:
Description: Customer Service Representative
Office: New York Main Office
Department: Customer Service
2. View the properties of one of the user accounts in the OU to confirm that the
Description, Office and Department attributes have been updated.

Task 7: Modify the user account properties for all Branch Managers
1. In Active Directory Users and Computers, search the WoodgroveBank.com
domain.
2. Use an advanced search and search for all user accounts that have a job title of
Branch Manager.
3. Select all of the user accounts located by the search, and add them to the
BranchManagersGG group.

Task 8: Create a saved query to find all investment users
1. In Active Directory Users and Computers, create a new saved query named
Find_Investment_Users that will search for all users with a department
attribute that starts with Investments.
2. Verify that the query displays all the users in the Investment departments in
each city.

Result: At the end of this exercise, you will have created and configured user accounts.
You will have created a template and a user account based on the template. And you
will have created a saved query and verified its ability to return expected search results.

Exercise 2: Creating and Configuring Computer Accounts
In this exercise, you will create and configure computer accounts, delete a
computer account and join a computer to an AD DS domain.
The main tasks are as follows:
1. Create a computer account by using Active Directory Users and Computers.
2. Delete a computer account in AD DS.
3. Join a computer to an AD DS domain.

Task 1: Create a computer account by using Active Directory Users and
Computers
1. On NYC-DC1, in Active Directory Users and Computers, create a new
computer account named Vista1 in the Computers container.
2. Configure the computer account settings so that Doris Krieger can join the
computer to the domain.

Task 2: Delete a computer account in AD DS
1. In Active Directory Users and Computers, delete the NYC-CL1 computer
account.
2. On NYC-CL1, attempt to log on as Axel with a password of Pa$$w0rd.

Task 3: Join a computer to an AD DS domain
1. On NYC-CL1, log on as a local Administrator with a password of Pa$$w0rd.
2. Access the System control panel, and click Change settings.
3. Change the computer name to NYC-CL3 and configure the computer to be a
member of a Workgroup called WORKGROUP.

Note: You will be prompted to authenticate. Authenticate as Administrator with a
password of Pa$$w0rd.
4. Restart the computer.
5. After the computer restarts, log on as Administrator with a password of
Pa$$w0rd.
6. Access the System control panel, and click Change settings.
7. Configure the computer to be a member of the WoodgroveBank.com domain.
8. Use the administrator credentials to join the computer to the domain.
9. Restart the computer.
10. On NYC-DC1, in Active Directory Users and Computers, verify that the
NYC-CL3 account was added to the domain.
11. On NYC-CL3, verify that you can log on as WoodgroveBank\Axel with a
password of Pa$$w0rd.

Result: At the end of this exercise, you will have created and configured computer
accounts, deleted a computer account and joined a computer to an AD DS domain.

Exercise 3: Automating the Management of AD DS Objects
Woodgrove Bank is opening a new Houston branch. The HR department has
provided you with a file that includes all of the new users that are being hired for
the Houston location. You need to import the user accounts into AD DS, and then
activate and assign passwords to all of the accounts.
You also need to modify the user properties for the Houston users by updating the
city information.
Woodgrove Bank is also planning on starting a Research and Development
department in the NYC location. You need to create a new OU for the research and
development (R&D) department in the Woodgrove Bank domain, and import and
configure new user accounts into AD DS.
The main tasks are as follows:
1. Modify and use the Importusers.csv file to import a group of users into AD DS.
2. Modify and run the ActivateUser.vbs script to enable the imported user
accounts and assign a password to each account.
3. Modify and use the Modifyusers.ldf file to prepare for modifying the properties
for a group of users in AD DS.
4. Run the CreateUser.ps1 script to add new users to AD DS.

Task 1: Modify and use the Importusers.csv file to import a group of
users into AD DS
1. On NYC-DC1, browse to E:\Mod02\Labfiles and open ImportUsers.csv with
Notepad. Examine the header information required to create OUs and user
accounts.
2. Copy and paste the contents of the ImportUsers.txt file into the
ImportUsers.csv file, starting with the second line. Save the file as
C:\import.csv.
3. At the command prompt, type csvde -i -f C:\import.csv and then press
ENTER.
4. In Active Directory Users and Computers, verify that the Houston OU and five
child OUs were created, and that several user accounts were created in each
OU.
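How the CSVDE import file in Task 1 (and the Csvde topic in Lesson 3) is put together, as an added example that is not the course's ImportUsers.csv: a script that builds the file from a constructed hire list and the command that imports it. The OU layout and domain follow the lab; the names, departments and output path are made up.

```powershell
# Added example, not the course's ImportUsers.csv: build a CSVDE import file for
# the Houston branch from a constructed hire list, then import it. The OU layout
# and domain follow the lab; names, departments and the file path are made up.

$domainDn = 'DC=WoodgroveBank,DC=com'
$branchOu = "OU=Houston,$domainDn"
$csvPath  = 'C:\import.csv'

# Constructed HR data for the example.
$hires = @(
    @{ First = 'Ana';   Last = 'Ramos'; Dept = 'BranchManagers' },
    @{ First = 'Tomas'; Last = 'Ortiz'; Dept = 'CustomerService' },
    @{ First = 'Mei';   Last = 'Chen';  Dept = 'Investments' }
)

function New-CsvdeImport {
    param([hashtable[]]$People, [string]$BranchOu, [string]$UpnSuffix)
    $rows = @()
    # Header: each column name is the AD attribute CSVDE writes that column to.
    $rows += 'DN,objectClass,ou,sAMAccountName,givenName,sn,displayName,userPrincipalName,department,physicalDeliveryOfficeName'
    # Containers first: CSVDE creates objects in file order, and a user whose
    # parent OU does not exist yet is rejected.
    $branchName = $BranchOu.Split(',')[0].Substring(3)          # "OU=Houston" -> "Houston"
    $rows += "`"$BranchOu`",organizationalUnit,$branchName,,,,,,,"
    foreach ($dept in ($People | ForEach-Object { $_.Dept } | Sort-Object -Unique)) {
        $rows += "`"OU=$dept,$BranchOu`",organizationalUnit,$dept,,,,,,,"
    }
    foreach ($p in $People) {
        $sam  = ($p.First.Substring(0, 1) + $p.Last).ToLower()   # e.g. aramos
        $name = "$($p.First) $($p.Last)"
        # The DN contains commas, so it is the one field that must be quoted.
        $rows += "`"CN=$name,OU=$($p.Dept),$BranchOu`",user,,$sam,$($p.First),$($p.Last),$name,$($sam)@$($UpnSuffix),$($p.Dept),$branchName"
    }
    return $rows
}

$rows = New-CsvdeImport -People $hires -BranchOu $branchOu -UpnSuffix 'WoodgroveBank.com'
$rows | Set-Content -Path $csvPath -Encoding Default     # csvde reads ANSI unless -u is given
# Import it (the same command as Task 1):
#   csvde -i -f C:\import.csv
# CSVDE has no way to set a password, so every user it creates is disabled until
# a password is assigned and the account enabled, which is what Task 2 does.
```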
Task 2: Modify and run the ActivateUser.vbs script to enable the
imported user accounts and assign a password to each account
1. On NYC-DC1, in E:\Mod02\Labfiles, edit Activateusers.vbs.
2. Modify the container value in the second line to:
OU=BranchManagers,OU=Houston,DC=WoodgroveBank,DC=com.
3. Modify the container values in the additional lines at the end of the script to
include the following OUs, and then save the file:
OU=CustomerService,OU=Houston,DC=WoodgroveBank,DC=com
OU=Executives,OU=Houston,DC=WoodgroveBank,DC=com
OU=Investments,OU=Houston,DC=WoodgroveBank,DC=com
OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com
4. Save the file as c:\Activateusers.vbs, and then run using Cscript
c:\Activateusers.vbs.
5. In Active Directory Users and Computers, browse to the Houston OU, and
then confirm that user accounts in all child OUs are activated.

Task 3: Modify and use the Modifyusers.ldf file to prepare to modify
the properties for a group of users in AD DS
1. On NYC-DC1, export all of the user accounts in the Houston child OUs by
using the following command:
ldifde -f c:\Modifyusers.ldf -d "OU=Houston,DC=WoodgroveBank,DC=com" -r "(objectClass=user)" -l physicalDeliveryOfficeName
2. Edit the C:\Modifyusers.ldf file.
3. On the Edit menu, use the Replace option to replace all instances of
changetype: add, with changetype: modify.
4. After each changetype line, add the following lines:
replace: physicalDeliveryOfficeName
physicalDeliveryOfficeName: Houston
5. At the end of the entry for each user, add a dash (-) on its own line followed
by a blank line.
6. Save the file as C:\Modifyusers.
7. At the command prompt, type ldifde -i -f c:\Modifyusers.ldf and then press
ENTER.
8. In Active Directory Users and Computers, verify that the Office attribute for
the user accounts in Houston has been updated with the Houston location.
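The Task 3 edit of the LDIFDE export (and the Ldifde topic in Lesson 3) as a script, added here as an example that is not one of the lab files: it turns each exported "add" entry into a "modify" that replaces physicalDeliveryOfficeName, with the terminating dash the LDIF format requires. The export command is the one from Task 3; the sample entries and the output path are assumptions.

```powershell
# Added example, not the course's Modifyusers.ldf or a lab script: the manual
# edit in Task 3 (changetype add -> modify, replace physicalDeliveryOfficeName,
# terminating "-") done by a function, so 50 entries are no more work than 5.

function Convert-LdifAddToReplace {
    param([string[]]$Lines, [string]$Attribute, [string]$Value)
    $out = @()
    foreach ($line in $Lines) {
        if ($line -eq 'changetype: add') {
            # One modify operation per entry; LDIF ends each operation with "-".
            $out += 'changetype: modify'
            $out += "replace: $Attribute"
            $out += ($Attribute + ': ' + $Value)
            $out += '-'
        }
        elseif ($line -like ($Attribute + ':*')) {
            # Drop the value ldifde exported: the replace above supplies the new
            # one, and a stray value after the "-" would make the import fail.
        }
        else {
            $out += $line   # "dn:" lines and blank entry separators pass through
        }
    }
    return $out
}

# Constructed sample of what the Task 3 export writes with -l
# physicalDeliveryOfficeName: two users, one of them with an office already set.
$sampleExport = @(
    'dn: CN=Ana Ramos,OU=BranchManagers,OU=Houston,DC=WoodgroveBank,DC=com',
    'changetype: add',
    'physicalDeliveryOfficeName: Downtown',
    '',
    'dn: CN=Tomas Ortiz,OU=CustomerService,OU=Houston,DC=WoodgroveBank,DC=com',
    'changetype: add',
    ''
)
Convert-LdifAddToReplace -Lines $sampleExport -Attribute 'physicalDeliveryOfficeName' -Value 'Houston'

# Against the real export from Task 3:
#   ldifde -f C:\Modifyusers.ldf -d "OU=Houston,DC=WoodgroveBank,DC=com" -r "(objectClass=user)" -l physicalDeliveryOfficeName
if (Test-Path 'C:\Modifyusers.ldf') {
    $export = Get-Content 'C:\Modifyusers.ldf'
    Convert-LdifAddToReplace -Lines $export -Attribute 'physicalDeliveryOfficeName' -Value 'Houston' |
        Set-Content 'C:\Modifyusers-modify.ldf' -Encoding Default   # ldifde reads ANSI unless -u is given
    # Apply it:  ldifde -i -f C:\Modifyusers-modify.ldf
}
```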

Task 4: Modify and run the CreateUser.ps1 script to add a new user to
AD DS
1. On NYC-DC1, in E:\Mod02\LabFiles, open CreateUser.ps1.
2. Under #Assign the location where the user account will be created,
note the entry $objADSI =
[ADSI]"LDAP://ou=ITAdmins,DC=WoodgroveBank,DC=com".
3. Enable execution in PowerShell by typing the following at a command prompt:
Set-ExecutionPolicy AllSigned, and then press ENTER.
4. Run the script: E:\Mod02\Labfiles\CreateUser.ps1

Note: You will be prompted to authenticate. Authenticate as Administrator with a
password of Pa$$w0rd.
5. In Active Directory Users and Computers, in the ITAdmins OU, verify that the
user Jesper has been created.
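The two scripted jobs in this exercise, activating the imported Houston accounts (Task 2) and creating a user from PowerShell (Task 4), done with the [ADSI] accelerator that CreateUser.ps1 also uses, as an added example that is not ActivateUsers.vbs or CreateUser.ps1. The OU paths follow the lab; the last name given to Jesper, the password prompt and the forced password change at first logon are this example's own choices.

```powershell
# Added example, not the course's ActivateUsers.vbs or CreateUser.ps1: enable the
# users CSVDE imported and create one user, both through [ADSI]. OU paths follow
# the lab; the surname for Jesper is a placeholder.

function ConvertFrom-SecureText {
    # Turn the SecureString from Read-Host into the plain text ADSI needs, so the
    # initial password is never written into the script file itself.
    param([Security.SecureString]$Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function New-AdsiUser {
    param([string]$OuPath, [string]$First, [string]$Last, [string]$Sam, [string]$Password)
    $ou   = [ADSI]"LDAP://$OuPath"                # same accelerator as CreateUser.ps1
    $user = $ou.Create('user', "CN=$First $Last")
    $user.Put('sAMAccountName', $Sam)
    $user.Put('givenName', $First)
    $user.Put('sn', $Last)
    $user.Put('displayName', "$First $Last")
    $user.Put('userPrincipalName', "$($Sam)@WoodgroveBank.com")
    $user.SetInfo()                               # object must exist before a password can be set
    $user.SetPassword($Password)
    $user.Put('pwdLastSet', 0)                    # force a change at first logon
    $user.Put('userAccountControl', 512)          # NORMAL_ACCOUNT, enabled
    $user.SetInfo()
    return $user
}

function Enable-AdsiUsersInOu {
    # Walk an OU and its child OUs (OU=Houston and its five departments) and
    # enable every disabled user, giving each the same initial password.
    # Returns the DNs it enabled.
    param([string]$OuPath, [string]$Password)
    $enabled = @()
    $ou = [ADSI]"LDAP://$OuPath"
    foreach ($child in $ou.psbase.Children) {
        switch ($child.psbase.SchemaClassName) {
            'organizationalUnit' {
                $childDn  = $child.psbase.Properties['distinguishedName'].Value
                $enabled += Enable-AdsiUsersInOu -OuPath $childDn -Password $Password
            }
            'user' {
                $uac = [int]$child.psbase.Properties['userAccountControl'].Value
                if ($uac -band 2) {                       # ACCOUNTDISABLE bit set
                    $child.SetPassword($Password)         # policy requires a password before enabling
                    $child.Put('pwdLastSet', 0)
                    $child.Put('userAccountControl', ($uac -band -bnot 2))
                    $child.SetInfo()
                    $enabled += $child.psbase.Properties['distinguishedName'].Value
                }
            }
        }
    }
    return $enabled
}

$initial = ConvertFrom-SecureText (Read-Host -AsSecureString 'Initial password for the new accounts')
Enable-AdsiUsersInOu -OuPath 'OU=Houston,DC=WoodgroveBank,DC=com' -Password $initial
New-AdsiUser -OuPath 'OU=ITAdmins,DC=WoodgroveBank,DC=com' -First 'Jesper' -Last 'Placeholder' -Sam 'Jesper' -Password $initial | Out-Null
```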
Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have examined several options for
automating the management of user objects.

Module Review and Takeaways

Review Questions
1. You are responsible for managing accounts and access to resources for
members of your group. A user in your group leaves the company, and you
expect a replacement for that employee in a few days. What should you do
with the previous user's account?
2. A user in your group must create a test lab with 24 computers that will be
joined to the domain but the account must be created in a separate OU. What
is the best way to do this?
3. You are responsible for maintaining the servers in your organization. You want
to enable other administrators in the organization to determine the physical
location of each server without adding any additional administrative tasks or
creating any additional documents. How can you do this?
4. To accelerate the process of creating new accounts when new employees enter
your group, you create a series of account templates that you use to create new
user accounts and groups. You are notified that a user with an account that
was created by using one of the non-manager account templates has been
accessing files that are restricted to the Managers group. What should you do?
5. You are responsible for managing computer accounts for your group. A user
reports that they cannot log on to the domain from a specific computer but
can log on from other computers. What should you do?
6. You have determined the best ways to search for Active Directory objects and
documented your recommended search criteria. However, the administrators
tell you that it is taking too long to create and then run the search. After further
research, you determine that most of the systems administrators are searching
for the same information. What can you do to accelerate the search process?

Considerations for Managing AD DS User and Computer Accounts
When managing AD DS user and computer accounts, consider the following:
If your organization typically creates large numbers of user accounts at the
same time, explore using LDIFDE, CSVDE or Windows PowerShell scripts
to automate the process of creating the accounts. These tools can save a great
deal of time when adding or modifying multiple accounts.
Consider delegating permissions to create and manage user accounts in your
AD DS domain. You can delegate permissions at the domain or OU level.
At a minimum, you should retain the password complexity requirements in a
Windows Server 2008 domain. Complex passwords are more difficult for
users to remember, but they are also the most important first step in
maintaining AD DS security.

Creating Groups and Organizational Units 3-1
Module 3
Creating Groups and Organizational Units
Contents:
Lesson 1: Introduction to AD DS Groups 3-3
Lesson 2: Managing Groups 3-17
Lesson 3: Creating Organizational Units 3-22
Lab: Creating an OU Infrastructure 3-29
Module Overview

One of the primary functions of a directory service such as Active Directory
Domain Services (AD DS) is to provide authorization for access to network
resources. Ultimately, access to network resources is based on the individual user
accounts. However, in most cases, you do not want to administer access to
resources by using individual user accounts. In a large company, this would result
in significant administrative effort. Because it is difficult to manage access to
network resources by using individual user accounts, you must learn to create
group objects to manage large collections of users simultaneously.
In an Active Directory domain, you can organize users and computers in
organizational units (OUs). You use an OU to group and organize objects for
administrative purposes, such as delegating administrative rights and assigning
Group Policy settings to a collection of objects as a single unit.
Lesson 1
Introduction to Groups

A group is a collection of user or computer accounts. You use groups to efficiently
manage access to domain resources, which helps simplify network management
and administration. You can use groups separately, or you can put one group
within another to simplify administration even more. This lesson describes how to
use and configure groups.
What Are Groups?

Key Points
Groups are a logical collection of AD DS objects, such as users, computers, or
other groups. Groups can be organized by department, location, or the resources
their members use. Groups are an important administrative tool for simplifying
administration, and enable you to assign permissions for resources to multiple
users or computers concurrently instead of individually.

Note: Groups can be converted from distribution to security (or vice versa) if the domain
functional level is Microsoft Windows 2000 native or later versions.
Administrators can assign specific rights to group accounts or to individual user
accounts. These rights authorize users to perform specific actions, such as logging
on to a system interactively or backing up files and directories. User rights are
different from permissions because user rights apply to user accounts, and
permissions are attached to objects.
Group Scopes
There are three group scopes available:
Domain Local
Global
Universal

Question: Describe a situation where you would use a distribution group instead
of a security group.

AD DS Domain Functional Levels

Key Points
Functional levels determine the available AD DS domain or forest capabilities. They
also determine which Windows Server operating systems that you can run on
domain controllers in the domain or forest. However, functional levels do not
affect which operating systems you can run on workstations and member servers
that are joined to the domain or forest.
When you deploy AD DS, set the domain and forest functional levels to the highest
value that your environment can support. This way, you can use as many AD DS
features as possible. For example, if you are sure that you will never add domain
controllers that run Microsoft Windows Server 2003 to the domain or forest,
select the Microsoft Windows Server 2008 functional level during the deployment
process. However, if you might retain or add domain controllers that run
Windows Server 2003, select the Windows Server 2003 functional level.
After you raise the domain or forest functional level, you cannot go back to a lower
functional level.
Question: What domain functional level do you currently have in your
organization? If you don't know, what functional level do you think you should
have?

What Are Global Groups?

Key Points
A global group is a security or distribution group that can contain users, groups,
and computers that are from the same domain as the global group. You can use
global security groups to assign user rights, delegate authority to AD DS objects, or
assign permissions to resources in any domain in the forest or any other trusting
domain in another forest.
Use groups with global scope to manage directory objects that require daily
maintenance, such as user and computer accounts. Because groups with global
scope are not replicated outside their own domain, you can change accounts in a
group having global scope frequently without generating replication traffic to the
global catalog.
The domain functional level must be Microsoft Windows 2000 native, Windows
Server 2003 or Windows Server 2008 to create global groups.
Question: In what ways could you use global groups in your organization?
What Are Universal Groups?

Key Points
A universal group is a security or distribution group that can contain users, groups,
and computers from any domain in its forest. You can use universal security
groups to assign user rights and permissions to resources in any domain in the
forest.
Changes to the universal groups are registered in the Global Catalog. Therefore,
you shouldn't change the membership of a group with universal scope frequently.
Any changes to the membership of this type of group cause the entire membership
of the group to be replicated to every global catalog in the forest.
When the domain functional level is set to Windows 2000 mixed, security groups
with universal scope cannot be created, although distribution groups with
universal scope are still permitted. At the Windows 2000 native domain functional
level and higher, universal groups are available for both distribution and security
groups.
Question: In what ways could you use universal groups in your organization?
What Are Domain Local Groups?

Key Points
A domain local group is a security or distribution group that can contain user
accounts from the local domain, any domain in the forest, or any trusted domain.
Domain local groups also can contain universal or global groups from any domain
in the forest or any trusted domain, and domain local groups from the local
domain.
The domain functional level must be Windows 2000 native or higher to create
domain local groups.
Use a domain local group to assign permissions to resources that are located
in the same domain as the domain local group. You can put all global groups
that have to share the same resources into the appropriate domain local group.

Question: How could you provide members of a Sales department that travel
frequently between domains in a multi-city company with access to printers on
various domains that are managed by using domain local groups?
What Are Local Groups?

Key Points
A local group is a collection of user accounts or domain groups that is created
on a member server in an AD DS domain, on a stand-alone server, or on a
workstation. You can create local groups to grant permissions for resources
residing on the local computer. Local groups can contain local or domain user
accounts, computers, global groups, and universal groups.
You cannot create local groups on AD DS domain controllers. Domain controllers
do not have local users and groups, as the only security database located on a
domain controller is the AD DS database.

Note: Because groups that have a domain local scope also are known as local groups, it
is important to distinguish between a local group and a group that has a domain local
scope. Local groups also are known as machine local groups to distinguish them from
domain local groups.
Question: Describe a situation where you would use a local group instead of one
of the domain groups.

Discussion: Identifying Group Usage

Key Points
Discuss these scenarios with the classroom, led by your instructor.
What Is Group Nesting?

Key Points
When you use nesting, you add a group as a member of another group. You can
use nesting to consolidate group management. Nesting increases the number of
member accounts that are affected by a single action, and reduces the replication
traffic caused by changes in group membership.
Group nesting is available when the domain functional level is Windows 2000
native, Windows Server 2003, or Windows Server 2008.

Note: You should avoid nesting multiple levels of groups. Tracking permissions is more
complex with multiple levels.

The following are best practices:
AGDLP (Accounts, Global, Domain Local, Permissions)
Place the accounts into global groups.
Nest each global group inside the appropriate domain local group.
Assign the permission to the domain local group.
AGUDLP (Accounts, Global, Universal, Domain Local, Permissions)
In this practice, the global group is first nested within a universal group, and
the universal group is then nested within the domain local group.

Question: Describe a scenario where you could use nesting in your organization to
simplify management.
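The AGDLP pattern above, carried through in PowerShell as an added example (not code from the course): it assumes the ActiveDirectory module from RSAT on Windows Server 2008 R2 or later (the course labs use dsadd instead), an existing Groups OU, and constructed names for the share path, the groups and the user accounts.

```powershell
# Added example, not from the course: the AGDLP pattern with the ActiveDirectory
# module (RSAT, Windows Server 2008 R2 or later). The OU, group names, user
# names and share path below are constructed for illustration.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$groupOu   = "OU=Groups,$($domain.DistinguishedName)"   # assumed to exist
$sharePath = "D:\Shares\Sales"                          # constructed folder on the file server
$netbios   = $domain.NetBIOSName                        # WOODGROVEBANK in the course labs

# A -> G: accounts go into a global group that describes who they are (a role).
New-ADGroup -Name "SalesGG" -GroupScope Global -GroupCategory Security `
    -Path $groupOu -Description "Sales department staff"
Add-ADGroupMember -Identity "SalesGG" -Members "nburdan", "smohan"   # constructed sAMAccountNames

# DL: a domain local group describes what is granted on which resource.
New-ADGroup -Name "Sales_Share_Modify_DL" -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOu -Description "Modify on $sharePath"

# G -> DL: nest the role group in the resource group. A global group from any
# domain in the forest can be nested here, which is what makes the pattern scale.
Add-ADGroupMember -Identity "Sales_Share_Modify_DL" -Members "SalesGG"

# DL -> P: the NTFS permission is assigned once, to the domain local group.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\Sales_Share_Modify_DL",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    "ContainerInherit, ObjectInherit",   # inherit to subfolders and files
    "None",
    "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check: users reach the permission only through the nesting chain, so a recursive
# member listing of the DL group must show the user accounts. From now on, access
# changes are membership changes on SalesGG; the ACL on the folder never changes.
Get-ADGroupMember -Identity "Sales_Share_Modify_DL" -Recursive |
    Select-Object Name, SamAccountName, objectClass
```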

Discussion: Strategies for Nesting AD DS Groups

Key Points
Discuss these scenarios with the classroom, led by your instructor.

Lesson 2
Managing Groups

As an AD DS administrator, you will spend much of your time creating and
administering groups. The administration tasks could include selecting group
names, creating groups, and adding members to groups. This lesson describes how
to perform these tasks.
Considerations for Naming Groups

Key Points
A large organization might have many security and distribution groups. A
standardized naming convention can help you locate and identify groups more
easily. Keeping names concise and using departmental, geographic, or project
names are all helpful ways to identify groups.
Question: You want to create a security group for the finance department at
Contoso Corporation. Contoso has worldwide locations; however, the finance
department is only located in the New York office. Within the finance department,
there are separate departments for accounts receivable and accounts payable. How
many security groups would you create? What would be the name(s) for the
security group(s) you would create?

Demonstration: Creating Groups

Key Points
Create a security group.
Create a distribution group.

Question: Your organization requires a group that can be used to send e-mail to
users in multiple domains. The group will not be used to assign permissions. What
type of group should you create?
Question: Which group scope can be assigned permissions in any domain or
forest?

Identifying Group Membership

Key Points
Use Active Directory Users and Computers to determine the membership status of
both users and groups. All user accounts have a Member Of attribute that lists all
the groups of which the user is a member. All groups have a Members attribute
and a Member Of attribute. The Members attribute lists all user accounts or other
group accounts that are members of the group, while the Member Of tab indicates
into which groups the group has been added or nested.
The Managed By tab on the properties of a group lists the users or groups that
manage the group. You can easily delegate administration of the group on this tab.
Question: In what ways can the Members tab and the Member Of tab simplify
management of groups?

Demonstration: Modifying Group Scope and Type

Key Points
In Active Directory Users and Computers, open a group and change its group
type.
Return the Group Type to its original setting.
Change the Group scope to a different scope.

Question: Describe a situation where you would want to change a group type.
Question: List some problems that may arise from changing a group type from
security to distribution.

Lesson 3
Creating Organizational Units

Another option for collecting several user and computer accounts for
administrative purposes is to create organizational units (OUs). In this lesson, you
will learn to create OUs. You also will learn about the available options for creating
OU hierarchies, and how to move objects between OUs.
What Is an Organizational Unit (OU)?

Key Points
An OU is an AD DS object that is contained in a domain. You can use OUs to
organize hundreds of thousands of directory objects into manageable units. OUs
are useful in grouping and organizing objects for administrative purposes, such as
delegating administrative rights and assigning policies to a collection of objects as a
single unit.
Question: Describe an example of how you can create an OU to isolate file and
print server accounts, and allow only a particular administrator to access these
accounts.

What Is an OU Hierarchy?

Key Points
AD DS OUs are used to create a hierarchical structure within a domain. By creating
an OU structure, you are grouping objects that you can administer as a unit.
An organizational hierarchy should logically represent an organizational structure.
That organization could be based on geographic, functional, resource-based, or
user classifications. Whatever the order, the hierarchy should make it possible to
administer AD DS resources as flexibly and effectively as possible. For example, if
all the computers that are used by IT administrators must be configured in a
certain way, you can group all the computers in an OU, and assign a policy to
manage the computers in the OU.
Question: What is one advantage of the OU structure being invisible to end-users?

OU Hierarchy Examples

Key Points
Organizations may deploy OU hierarchies by using several different models.
Geographic OUs
If the organization has multiple locations and network management is distributed
geographically, you should use a location-based hierarchy. For example, you might
decide to create OUs for New York, Toronto, and Miami in a single domain.
Departmental OU
A Departmental OU is based only on the organization's business functions,
without regard to geographical location or divisional barriers. This approach works
well for small organizations with a single location.
Resource OUs
Resource OUs are designed to manage resource objects (non-users such as client
computers, servers, or printers). This design is most useful when all resources of a
given type are managed in the same manner. Resource-based OUs can simplify
software installations or printer selections based on Group Policies.
Management-based OUs
Management-based OUs reflect the various administrative divisions within the
organization by mirroring its structure in the OU structure. Responsibilities to
manage users and groups, when they are placed into nested departmental OUs,
can be delegated to managers of those departments.
The eventual OU design should represent how the business will be administered.
Delegation of authority, separation of administrative duties, central versus
distributed administration, and design flexibility are important factors you must
consider when you design Group Policy and select the scenarios to use for your
organization.
Question: How would you structure the OU hierarchy in your organization? If you
already have an OU structure in your organization, would you make any changes
based on this information?

Demonstration: Creating OUs

Key Points
Create a new OU named Vancouver.
Create sub-OUs within the newly created OU.
Place two user accounts in Marketing: Claus Hansen and Arno Harteveld.
Create several other objects within OUs.

Question: When you move a user, what can happen to a user in regards to Group
Policy and delegated authority?
Question: Why would you locate user accounts and computer accounts in
separate OUs?

OUs and Groups Summary

Key Points
The main difference between OUs and groups is that security groups can be used
as security principals, whereas OUs cannot be used to apply permissions.
If your organization typically creates many user groups or OUs at the same time,
explore using LDIFDE, CSVDE, or Windows PowerShell scripts to automate
creating the accounts. These tools can save you significant time when you are
adding or modifying multiple AD DS objects.
Question: You have a collection of users that you want to give permissions to
access certain file servers. Would you create an OU or a group for these users?
Describe the reason for your choice.

Lab: Creating an OU Infrastructure

Scenario
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank is opening a new subsidiary in Vancouver,
and they need an OU design for the subsidiary. Woodgrove Bank has deployed
AD DS on servers running Windows Server 2008, and one of your primary tasks
will be to create a new OU design and move users from current positions to the
new subsidiary.
Exercise 1: Creating AD DS Groups
In this exercise, you will create three new groups by using Active Directory Users
and Computers. You will create one group by using Dsadd. You will add users to
the groups and inspect the results.
The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Create three groups using Active Directory Users and Computers.
3. Create a group using the Dsadd command-line tool.
4. Add members to the new groups.
5. Inspect the contents of the Vancouver groups.

Task 1: Start the virtual machines, and then log on
1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher
starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.
Task 2: Create three groups using Active Directory Users and
Computers
1. On NYC-DC1, open Active Directory Users and Computers.
2. In the WoodgroveBank.com domain, create a new group in the Users
container using the following parameters:
Group Name: VAN_BranchManagersGG
Scope: Global
Type: Security
3. Repeat step 2 to create two more groups that have the same scope and type.
The two group names are as follows:
VAN_CustomerServiceGG
VAN_InvestmentsGG

Task 3: Create a group using the Dsadd command-line tool
1. At a command prompt, enter the following command:
dsadd group cn=VAN_MarketingGG,cn=Users,dc=WoodgroveBank,dc=com -samid VAN_MarketingGG -secgrp yes -scope g
2. Press ENTER.
3. Use the Find command to locate the new group in the WoodgroveBank.com
OU.
Task 4: Add members to the new groups
1. In Active Directory Users and Computers, search the WoodgroveBank.com
domain by using the standard Find box to find each of the user accounts listed
in the table in Step 2.
2. Add each worker to the groups indicated in the following table:
Find                 Add to group
Neville Burdan       VAN_BranchManagersGG
Suchitra Mohan       VAN_BranchManagersGG
Anton Kirilov        VAN_CustomerServiceGG
Shelley Dyck         VAN_CustomerServiceGG
Barbara Moreland     VAN_InvestmentsGG
Nate Sun             VAN_InvestmentsGG
Yvonne McKay         VAN_MarketingGG
Monika Buschmann     VAN_MarketingGG
Bernard Duerr        VAN_MarketingGG

Task 5: Inspect the contents of the Vancouver groups
1. In Active Directory Users and Computers, click the Users container in
WoodgroveBank.com. In the contents view area, right-click
VAN_BranchManagersGG, and view its properties.
2. Open the Members tab and observe that Neville Burdan and Suchitra Mohan
are now members.

Result: At the end of this exercise, you will have created three new groups by using
Active Directory Users and Computers, and one new group by using Dsadd. You also
will have added users to the groups and inspected the results.

Exercise 2: Planning an OU Hierarchy (Discussion)
In this exercise, you will discuss and determine how to plan an OU hierarchy.
Scenario
A new subsidiary of Woodgrove Bank is located in Vancouver, Canada. It will have
the following departments:
Management
Customer Service
Marketing
Investments

The OU hierarchy has to support delegation of administrative tasks to users within
that organizational unit.
Discussion Questions
1. Which approach to extending the organizational hierarchy of
WoodgroveBank.com is the most likely to be applied in creating the new
subsidiary's resources: Geographic, Organizational, or Functional? Why?
2. What would be the most logical way to additionally subdivide the subsidiary's
organizational unit (Geographic, Organizational, or Functional)?
3. What does the pattern of naming second level OUs in other centers suggest for
the new Vancouver OU?
4. What would be a simple but effective way of delegating administrative tasks
(such as adding users and computers to the domain, and changing user
properties such as password resets, and employee contact details) to certain
users within a department?

Result: At the end of this exercise, you will have discussed and determined how to
plan an OU hierarchy.

Exercise 3: Creating an OU Hierarchy
In this exercise, you will use the output from the previous discussion to create an
OU structure for the new Vancouver subsidiary of WoodgroveBank.com. You also
will move users (see list in this section) from other subsidiaries into groups, and
add groups to the appropriate OUs. Additionally, you will populate the groups that
have the members of the corresponding departments, and update the descriptions
of the user accounts that have been moved into the new subsidiary.
The benefit of having OUs based on administrative units is in delegating
administrative responsibilities to members of those units.
You will create OUs in two ways:
In Active Directory Users and Computers, by using an MMC snap-in
In Directory Service Tools, by using the Dsadd command-line tool

The main tasks are as follows:
1. Create OUs using Active Directory Users and Computers.
2. Create an OU using Dsadd.
3. Nest an OU inside another OU.
4. Move groups that you created in Exercise 1 into the appropriate OUs.
5. Find and move users into Vancouver OUs.
6. Delegate control over an OU.
7. Test delegated user rights.
8. Close all virtual machines, and discard undo disks.

Task 1: Create OUs using Active Directory Users and Computers
1. On NYC-DC1, open Active Directory Users and Computers.
2. At the root level of WoodgroveBank.com, create a new OU called Vancouver.
3. Inside the Vancouver OU, create three OUs with the following names:
BranchManagers
CustomerService
Marketing
Task 2: Create an OU using Dsadd
1. Click Start, click Run, and then type cmd to open a command-line window.
2. Type the following command at the command prompt:
dsadd ou ou=Investments,dc=WoodgroveBank,dc=com -desc "Investment department" -d WoodgroveBank.com -u Administrator -p Pa$$w0rd
3. Press ENTER.
4. In Active Directory Users and Computers, refresh the WoodgroveBank.com
domain object, and note the presence of the new OU.

Task 3: Nest an OU inside another OU
1. In Active Directory Users and Computers, refresh the object tree.
2. Move the new Investments OU from WoodgroveBank.com domain level into
the Vancouver OU. Click OK to dismiss the warning message.

Note: There is a potential risk associated with the movement of security groups from one
OU into another. Group Policies that are in effect in one OU may no longer be applied in
the new location. By default, AD DS notifies administrators of that risk whenever a group
is moved between OUs.
Task 4: Move groups that you created in Exercise 1 into the
appropriate OUs
1. In Active Directory Users and Computers, locate the remaining groups that you
created in Exercise 1 for the new Vancouver subsidiary in the
WoodgroveBank.com OU.
2. Move the following groups into the following Vancouver OUs:
VAN_MarketingGG group to Vancouver\Marketing OU
VAN_BranchManagersGG group to Vancouver\BranchManagers OU
VAN_InvestmentsGG group to Vancouver\Investments OU
VAN_CustomerServiceGG group to Vancouver\CustomerService OU

Note: There are several ways to move objects between OUs in Active Directory Users and
Computers. You can use the Move command, drag the object into a new OU, or use the
Cut and Paste commands.

Task 5: Find and move users into Vancouver OUs
Use Active Directory Users and Computers to find and move the following
users into the OUs that the following table lists:
Find                 Move to Vancouver OU
Neville Burdan       BranchManagers
Suchitra Mohan       BranchManagers
Anton Kirilov        CustomerService
Shelley Dyck         CustomerService
Barbara Moreland     Investments
Nate Sun             Investments
Yvonne McKay         Marketing
Monika Buschmann     Marketing
Bernard Duerr        Marketing
Task 6: Delegate control over an OU
1. In Active Directory Users and Computers, select the Vancouver\Marketing
OU, and open the Delegation of Control Wizard.
2. Add Yvonne McKay to the selected users and groups list, and then click Next.
3. Delegate to her the following common tasks:
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Create, delete and manage groups
Modify the membership of a group
4. Click Next, and then click Finish.

Task 7: Test delegated user rights
1. On NYC-SVR1, log on with the account WoodgroveBank\Yvonne and the
password Pa$$w0rd.
2. Start Server Manager as an Administrator. Provide the domain administrator
credentials when prompted.
3. Install the Active Directory Domain Services Tools feature.

Note: This feature is under Remote Server Administration Tools.
4. When prompted, restart the computer and log on as Yvonne. Start Server
Manager as an Administrator, and let the installation complete.
5. Start Active Directory Users and Computers.
6. Reset the password of Monika Buschmann using the password Pa$$w0rd
again. You should see the following message:
Password for Monika Buschmann has been changed.
7. Try to move a user from the Miami BranchManagers OU into the Vancouver
BranchManagers OU. You should see the following message: Windows
cannot move object [user name] because: Access denied.
Task 8: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have created OUs by using Active Directory
Users and Computers and Dsadd. You also will have delegated administrative
permissions and tested them.
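Exercise 1 and Exercise 3 (Tasks 1 to 5) scripted end to end, as an added example that is not part of the course lab: it assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) where the lab uses the console and dsadd, creates each group directly in its department OU instead of creating it in Users and moving it, and leaves delegation (Task 6) to the Delegation of Control Wizard.

```powershell
# Added example, not from the course lab: creates the Vancouver OU hierarchy,
# the four department groups, and moves the lab's users into place with the
# ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName            # DC=WoodgroveBank,DC=com in the lab
$vanOu    = "OU=Vancouver,$domainDn"

# Department OU -> group name, as used in the lab.
$departments = @{
    "BranchManagers"  = "VAN_BranchManagersGG"
    "CustomerService" = "VAN_CustomerServiceGG"
    "Investments"     = "VAN_InvestmentsGG"
    "Marketing"       = "VAN_MarketingGG"
}

# User (display name) -> department, from the tables in Exercise 1 Task 4 and Exercise 3 Task 5.
$assignments = @{
    "Neville Burdan"   = "BranchManagers";  "Suchitra Mohan"   = "BranchManagers"
    "Anton Kirilov"    = "CustomerService"; "Shelley Dyck"     = "CustomerService"
    "Barbara Moreland" = "Investments";     "Nate Sun"         = "Investments"
    "Yvonne McKay"     = "Marketing";       "Monika Buschmann" = "Marketing"
    "Bernard Duerr"    = "Marketing"
}

# Exercise 3, Task 1: the Vancouver OU and one child OU per department.
New-ADOrganizationalUnit -Name "Vancouver" -Path $domainDn
foreach ($dept in $departments.Keys) {
    New-ADOrganizationalUnit -Name $dept -Path $vanOu -Description "Vancouver $dept"
}

# Exercise 1, Tasks 2-3 and Exercise 3, Task 4: a global security group per
# department, created directly in its OU (the lab creates it in Users, then moves it).
foreach ($dept in $departments.Keys) {
    New-ADGroup -Name $departments[$dept] -SamAccountName $departments[$dept] `
        -GroupScope Global -GroupCategory Security -Path "OU=$dept,$vanOu"
}

# Exercise 1, Task 4 and Exercise 3, Task 5: add each user to the department
# group, move the account into the department OU, and update its description.
foreach ($name in $assignments.Keys) {
    $dept = $assignments[$name]
    $user = Get-ADUser -Filter "Name -eq '$name'"
    if (-not $user) { Write-Warning "User '$name' not found"; continue }
    Add-ADGroupMember -Identity $departments[$dept] -Members $user
    Move-ADObject -Identity $user.DistinguishedName -TargetPath "OU=$dept,$vanOu"
    Set-ADUser -Identity $user.SamAccountName -Description "Vancouver $dept"
}

# Exercise 1, Task 5: inspect the result, one line per group.
foreach ($dept in $departments.Keys) {
    $members = Get-ADGroupMember -Identity $departments[$dept] | Select-Object -ExpandProperty Name
    "{0}: {1}" -f $departments[$dept], ($members -join ", ")
}
```

Run it once as a domain administrator on NYC-DC1; rerunning it fails on the New-AD* calls because the objects already exist, which is the expected idempotency check for a script like this.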

Module Review and Takeaways

Review Questions
1. You are responsible for managing accounts and access to resources for
members of your group. A user in your group transfers into another
department within the company. What should you do with the user's account?
2. A project manager in your department is starting a group project that will
continue for the next year. Several users from your department and other
departments will be dedicated to the project during this time. The project team
must have access to the same shared resources. The project manager must be
able to manage the user accounts and group accounts in AD DS. However, you
do not want to give her permission to manage anything else in AD DS. What is
the best way to do this?
3. You are responsible for maintaining access to local resources, such as printers,
in your organization. You want to establish an efficient way to maintain
printing permissions to members in each work group, even while those
members may change frequently. You also want to simplify the replacement of
printers when one has to be taken offline for repairs, or replaced with a new
one. How can you do this with the least disruption and effort on your part?
4. You have decided to create a naming convention for all organizational units
and groups. What considerations should you take as you set a pattern for
naming new objects?
5. You take over the administration of your department's AD DS organizational
unit. When you open Active Directory Users and Computers and view the OU,
you notice that all groups and users exist at the same level. Groups that have
names such as Ajax_account, SW_Colorado, Nancy, and New_Canon_printer
exist side-by-side with computer accounts named New_IBM_1, 2, 3, etc., and a
FileShare object named DO_NOT_OPEN. What should you do?
6. An employee in your company has transferred to another department. The
user account was removed from all groups associated with the old department
and added to groups associated with the new department. The user account
also was moved into the new department OU. After the user transfer is
complete, he informs you that he cannot access his files that are stored on a
file server. What should you do?

Considerations for Managing AD DS Groups and OUs
When you manage AD DS groups and organizational units, consider the following:
If your organization typically creates many user groups or OUs
simultaneously, explore using LDIFDE, CSVDE, or Windows PowerShell
scripts to automate creating the accounts. These tools can save you significant
time when you are adding or modifying multiple AD DS objects.
Consider delegating permissions to create and manage groups and OUs in
your AD DS domain. You can delegate permissions at the domain or OU level.
Keep the number of people to whom you delegate administrative control for
creating and modifying groups or OUs to a minimum. Separate various
functional needs for administration among users by adding additional OUs,
thereby separating their spheres of influence.

Managing Access to Resources in Active Directory Domain Services 4-1
Module 4
Managing Access to Resources in Active
Directory Domain Services
Contents:
Lesson 1: Managing Access Overview 4-3
Lesson 2: Managing NTFS File and Folder Permissions 4-11
Lesson 3: Assigning Permissions to Shared Resources 4-20
Lesson 4: Determining Effective Permission 4-33
Lab: Managing Access to Resources 4-44
Module Overview

One of the primary reasons to deploy Active Directory Domain Services (AD DS)
is to enable users to access shared resources on the network. The previous
modules introduced users and groups as the primary way to enable access to those
resources. This module describes how to configure shared folders to enable those
users and groups to gain access to the resources.
Specifically, this module helps you learn the skills and knowledge necessary to:
Understand how permissions enable resource access.
Manage access to files and folders by using shared folder permissions, NTFS
file system permissions, or special permissions.
Manage permissions inheritance.

Lesson 1
Managing Access Overview

In order to manage access to resources, you must understand how Microsoft
Windows operating systems use security principals and security tokens to allow
access to resources. Then you must understand how permissions are applied to
resources such as shared folders. This lesson provides the information that you
need to manage access to resources.
What Are Security Principals?

Key Points
A security principal is an AD DS entity that can be authenticated by a Windows
operating system. Security principals include the following:
User and computer accounts
A thread or process that runs in the security context of a user or computer
account
Groups of the previous accounts
Every security principal is assigned a security identifier (SID) automatically when it
is created. A SID has two components:
Domain identifier. The domain identifier is the same for all security principals
created in the domain.
Relative identifier. The relative identifier is unique to each security principal
created in the domain.

Question: When a user is deleted and then recreated, they will be issued a new
SID. What are the ramifications of this?

What Are Access Tokens?

Key Points
An access token is a protected object that contains information about the identity
and rights associated with a user account.
How access tokens are created
When a user logs on, if authentication is successful, the logon process provides a
SID that represents the user and a list of SIDs for the security groups of which the
user is a member. The Local Security Authority (LSA) on the computer uses this
information to create an access token that includes the SIDs and a list of rights
assigned by local security policy to the user and to the user's security groups.
How access tokens are used to verify the user's rights
After LSA creates the primary access token, a copy of the access token is attached
to every process and thread that executes on the user's behalf. Whenever a thread
or process interacts with a shared resource or tries to perform a system task that
requires user rights, the operating system checks the access token associated with
the thread to verify the user's access to the resource.
Question: When accessing a resource, is it a best practice to assign permission to
the Group SID or the User SID?

What Are Permissions?

Key Points
Permissions define the type of access that is granted to a security principal for an
object.
When you assign permissions, you can:
Explicitly apply permissions. When you apply permissions explicitly, you
access the shared resource object directly and configure permissions on that
object. You can apply permissions explicitly on folders or files.
Configure permission inheritance. When you configure permissions on a
folder, the permissions are inherited by default on all subfolders or files in that
folder. You can accept the default permission inheritance or modify the default
behavior by blocking permission inheritance or by assigning explicit
permissions to lower level folders or files.
Accept implicitly applied permissions. If no permissions are assigned
explicitly to an object for a particular user account, and no inherited
permissions apply to the user account, the user will be denied access to the
object.

Question: List at least one way that administrators can easily maintain permissions
on an object?

How Access Control Works

Key Points
The process of accessing an AD DS resource is called access control and it is based
on the verification of security principals.
All objects in AD DS, and all securable objects on a local computer or on the
network, have security descriptors assigned to them to help control access to the
objects. Security descriptors include information about who owns an object, who
can access it and in what way, and what types of access are audited.
Question: Which access control resource, DACL or SACL, plays a more critical role
in security?
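The check described in this lesson (the token's SIDs matched against the ACEs in an object's security descriptor, as introduced under access tokens and access control above), reproduced for one folder as an added example that is not from the course: it runs on Windows PowerShell 2.0 or later, uses the caller's own token, and takes a constructed folder path as its parameter.

```powershell
# Added example, not from the course: walks the DACL of one folder the way the
# access check described above does, using the caller's own access token.
# Runs on Windows PowerShell 2.0 or later; $Path is a constructed sample path.
param([string]$Path = "C:\Shares\Finance")

# 1. The access token: the user's SID plus the SID of every group in the token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# 2. The DACL from the security descriptor, in canonical order: explicit Deny,
#    explicit Allow, inherited Deny, inherited Allow.
$acl  = Get-Acl -Path $Path
$aces = $acl.Access | Sort-Object -Property `
    @{ Expression = { $_.IsInherited } }, `
    @{ Expression = { $_.AccessControlType -eq 'Allow' } }

# 3. The check itself: a matching Deny ACE that overlaps the request stops the
#    walk with a denial; Allow ACEs accumulate until every requested bit is
#    covered. No matching ACE at all is the implicit deny. (Owner rights and
#    privileges such as SeBackupPrivilege are deliberately ignored here.)
function Test-EffectiveAccess {
    param([System.Security.AccessControl.FileSystemRights]$Requested)
    $wanted  = [int]$Requested
    $granted = 0
    foreach ($ace in $aces) {
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                  # orphaned SID: cannot match any token
        if ($tokenSids -notcontains $sid) { continue }     # ACE is for a principal not in the token
        $overlap = ([int]$ace.FileSystemRights) -band $wanted
        if ($overlap -eq 0) { continue }                   # ACE does not touch the requested rights
        if ($ace.AccessControlType -eq 'Deny') {
            return "DENIED  (Deny ACE for $($ace.IdentityReference), inherited=$($ace.IsInherited))"
        }
        $granted = $granted -bor $overlap
        if (($granted -band $wanted) -eq $wanted) {
            return "GRANTED (last contributing Allow ACE: $($ace.IdentityReference))"
        }
    }
    return "DENIED  (no Allow ACE covers all requested rights: implicit deny)"
}

# Try the three standard permissions the next lesson lists against this token.
foreach ($right in 'Read', 'Write', 'FullControl') {
    "{0,-12} {1}" -f $right, (Test-EffectiveAccess -Requested $right)
}
```

Because the token is read from the running process, run the script as the user whose access you are checking, not as an administrator on that user's behalf.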

Lesson 2
Managing NTFS File and Folder Permissions

In addition to configuring access to shared folders by using shared folder
permissions, you also can assign permissions by using NTFS permissions. The
information in this lesson presents the skills and knowledge that you must have to
manage access to files and folders by using NTFS permissions.
What Are NTFS Permissions?

Key Points
NTFS permissions specify which users, groups, and computers can access files and
folders. NTFS permissions also dictate what users, groups, and computers can do
with the contents of the file or folder.
NTFS file permissions include:
Read. Read the file, attributes, and permissions, and view owner.
Write. Write to the file, change attributes, and view permissions and owner.
Read & Execute. Execute applications plus all Read permissions.
Modify. All the previous permissions, plus ability to delete files.
Full Control. All the previous permissions, plus the ability to change
permissions and take ownership of the file.
There are six basic NTFS folder permissions:
Read. Read files, folders, and subfolders, view permissions, and view the owner.
Write. Create new files and folders, view permissions and the owner, and change
folder attributes.
List Folder Contents. View files and subfolders.
Read & Execute. Execute applications plus all permissions of Read and List
Folder Contents.
Modify. All the previous permissions, plus ability to delete folder.
Full Control. All the previous permissions, plus the ability to change
permissions on the folder and take ownership.

Question: If an administrator wanted to prevent a user from viewing the
permissions or the owner of a folder, which folder permission should be applied?

What Are Standard and Special Permissions?

Key Points
NTFS permissions fall into two categories: standard and special. Standard
permissions are the most frequently assigned permissions. The permissions
described in the previous topic are standard permissions.
Special permissions give you a finer degree of control for assigning access to
objects.
Question: Think of a situation where administrators may need to assign special
permissions.

What Is NTFS Permissions Inheritance?

Key Points
By default, the permissions that you grant to a parent folder are inherited by its
subfolders and files.
A security principal that is inheriting permissions can have additional NTFS
permissions assigned, but the inherited permissions cannot be removed until
inheritance is blocked.
Blocking permission inheritance
The folder on which you prevent permissions inheritance becomes the new parent
folder, and the subfolders and files that are contained in it inherit the permissions
assigned to it. Permissions can be inherited only from a direct parent.
Administrators can also use the icacls.exe command-line utility to reset or modify
the permissions on a specific folder or directory. For example, the following
command assigns a new owner to a folder:
icacls.exe c:\folder_name /setowner "domain\user"
Question: List one or two ways permission inheritance can reduce administration
time.

Demonstration: Configuring NTFS Permissions

Key Points
Browse a directory, view the standard permissions.
View the advanced NTFS permissions.
View permission inheritance.

Question: If you deny NTFS permission to a group for a particular resource while
allowing the same permission to another group for that resource, what will happen
to the permissions of an individual who is a member of both groups?
Question: If a group added to a shared folder was given an NTFS permission of
Allow for Write in a shared folder, and Deny permission for Write in a nested
folder, what would their effective permissions be in the two folders?
Effects on NTFS Permissions When Copying and Moving
Files and Folders

Key Points
When you copy or move a file or folder, the permissions might change, depending
on where you move the file or folder. You should understand the changes that the
permissions undergo when they are copied or moved.
Copying a file
When you copy a file or folder from one folder to another folder, or from one
partition to another partition, permissions for the files or folders might change.
When you copy a file or folder:
Within a single NTFS partition, the copy of the folder or file inherits the
permissions of the destination folder.
To a different NTFS partition, the copy of the folder or file inherits the
permissions of the destination folder.
To a non-NTFS partition, such as a file allocation table (FAT) partition, the
copy of the folder or file loses its NTFS permissions, because non-NTFS
partitions do not support NTFS permissions.

Moving a file
When you move a file or folder, permissions might change, depending on the
permissions of the destination folder. When you move a file or folder:
In the same NTFS partition, the folder or file keeps its original permissions. If
the permissions of the new parent folder are changed later, the file or folder
will inherit the new permissions. Permissions explicitly applied to the folder
will be retained. Permissions previously inherited will be lost.
To a different NTFS partition, the folder or file inherits the permissions of the
destination folder. When you move a folder or file between partitions,
Windows Server 2008 copies the folder or file to the new location and then
deletes it from the old location.
To a non-NTFS partition, the folder or file loses its NTFS permissions, because
non-NTFS partitions do not support NTFS permissions.

Question: Provide one or two examples where moving files and folders within the
same partition reduces administration time.

Lesson 3
Assigning Permissions to Shared Resources

Shared folders give users access to files and folders over a network. Users can
connect to the shared folder over the network to access its folders and files. Shared
folders can contain applications, public data, or a user's personal data. Using
shared data folders provides a central location for users to access common files
and makes it easier to back up data that is contained in those files.
What Are Shared Folders?

Key Points
When you share a folder, it is made available to multiple users simultaneously over
the network. As soon as they are granted permission, users can access all the files
and subfolders in the shared folder.
Most organizations deploy dedicated file servers to host shared folders. You can
store files in shared folders according to categories or functions. For example, you
can put shared files for the Sales department in one shared folder and shared files
for executives in another.
When you create a shared folder by using the Provision a Shared Folder Wizard in
the Share and Storage Management console, or by using the File Sharing Wizard,
you can configure the permissions assigned to each share as you create it.
Question: List at least one benefit of sharing folders across a network.

What Are Administrative Shared Folders?

Key Points
Windows Server 2008 automatically creates shared folders on computers running
Windows that enable you to perform administrative tasks. These default
administrative shares have a dollar sign ($) at the end of the share name.
Appending the dollar sign at the end of the folder name hides the shared folder
from users who browse the network. Administrators can quickly administer files
and folders on remote servers by using these hidden shared folders.
Question: List at least one benefit of having and creating your own hidden shares.

Shared Folder Permissions

Key Points
Shared folder permissions apply only to users who connect to the folder over the
network. They do not restrict access to users who access the folder at the computer
where the folder is stored. You can grant shared folder permissions to user
accounts, groups, and computer accounts.
By default, users will have the same level of access to subfolders under a shared
folder as they have on the parent folder.
Question: List at least one example of when an administrator might give Full
Control to a folder.

Demonstration: Creating Shared Folders

Key Points
Create two test directories, populate each with a text file and some data.
Use Windows Explorer to create a share.
Use the Share and Storage Management Microsoft Management Console (MMC)
snap-in to create a hidden share.
Use the Share and Storage Management snap-in to modify the share permissions.
Test share access.

In Windows Server 2008, the only groups that can create shared folders are the
Administrators, Server Operators, and Power Users groups. These groups are built-
in groups that are put in the Groups folder in Computer Management or the Built-
In container in Active Directory Users and Groups.
Question: How do you apply sharing permissions to a folder?
Question: How would you begin to create a shared folder by using the Share and
Storage Management MMC?
Question: Which tool would you use to create a shared folder?

Connecting to Shared Folders

Key Points
After you create a shared folder, users can access the folder over the network by
using multiple methods. Users can access a shared folder on another computer by
using:
The Network window (in Microsoft Windows Server 2008 or Microsoft
Windows Vista)
My Network Places (in Microsoft Windows Server 2003 or Microsoft Windows
XP)
The Map Network Drive feature
Searching AD DS
The Run command on the Start menu
Administrators can also publish shared folders to Active Directory by using the
Active Directory Users and Computers console. Within an organizational unit,
administrators can add a new Shared Folder object, which makes the share
searchable through Active Directory.
Users can also search Active Directory for shared folders from My Network Places
in Windows XP and from the Network window in Windows Vista.

Windows Server 2008 turns on Access Based Enumeration by default on new
shares. Access Based Enumeration prevents the display of folders or other shared
resources that the user does not have rights to access.

Note: The Computer Browser service is disabled by default in Windows Server 2008.
Question: List at least one benefit of accessing resources through mapped drives.

Demonstration: Managing Shared Folders

Key Points
Create two test directories.
Use Windows Explorer to create a share.
Using the Share and Storage Management Microsoft Management Console
(MMC) snap-in, create a hidden share.
Modify the share permissions.

Question: What would happen if the user was editing the file but had not saved
the changes, and then an administrator used the Close File feature?

Considerations for Using Shared Folders

Key Points
When you are managing access to shared folders, consider the following best
practices when granting permissions:
Use the most restrictive permissions possible. Do not grant more
permissions for a shared folder than the users legitimately require. For
example, if a user only has to read the files in a folder, grant Read permission
for the folder to the user or group to which the user belongs.
Avoid assigning permissions to individual users. Use groups whenever
possible. Because it is inefficient to maintain user accounts directly, avoid
granting permissions to individual users.
Remember that Full Control lets users modify permissions. Assign Full
Control permissions with caution, as any change in existing permissions could
potentially affect security.
Remove the Everyone group (if present) from the shared folder's permissions list
and use the Authenticated Users or Domain Users group instead. Because the
Everyone group includes Guests, using the Authenticated Users or Domain Users
group limits access to shared folders to authenticated users only, and prevents
users or viruses from accidentally deleting or damaging data and application files.

Question: List one or two reasons why administrators should not leave the
Everyone group in a share's permissions.

Offline File Configuration and Deployment

Key Points
Offline files are available in Windows XP, Vista, Server 2003 and Server 2008:
Select a folder at a network location, synchronize it, and then disconnect the
computer. Users can set up a folder that will be taken offline by selecting it
and synchronizing it with the network files.
Make edits to documents on a disconnected computer. After the folder is
taken offline, the user can make edits to any of the documents in the folder.
The changes are made locally and can only be seen by the person making the
changes until the files are synchronized again.
Reconnect the computer to the network to update changes. Users must reconnect
their computer to the network in order to update any changes that were made
locally.
Files are synchronized automatically. Once the folder is connected to the
network, Windows knows to synchronize the folder and its contents with the
server version ensuring the folder is up to date.

Question: List at least one example of how offline files are useful.

Lesson 4
Determining Effective Permission

You can assign user access to a shared folder by using shared folder permissions or
NTFS permissions. You also can assign permissions to individual user accounts or
group accounts. To determine what level of access the user actually has on the
network, you must understand how effective permissions are determined and how
you can view effective permissions.
What Are Effective NTFS Permissions?

Key Points
Windows Server 2008 provides a tool (Effective Permissions tool) that shows
effective permissions, which are cumulative permissions based on group
membership.
The following principles determine effective permissions:
Cumulative permissions are the combination of the highest NTFS
permissions granted to the user and all the groups of which the user is a
member. For example, if a user is a member of a group that has Read
permission and a member of a group that has Modify permission, the user has
Modify permission.
Explicit Deny permissions override equivalent Allow permissions.
However, an explicit Allow permission can override an inherited deny
permission. For example, if a user is denied write access to a folder explicitly
but explicitly allowed write access to a subfolder or a particular file, the explicit
Allow would override the inherited Deny.
Permissions can be applied to a user or a group. Assigning permissions to
groups is preferred as it is more efficient than managing the permissions of
many individuals.
NTFS file permissions take priority over folder permissions. For example, if
a user has Modify permission to a folder but only has Read permission to
certain files in that folder, the effective permission for those files will be Read.
Every object in an NTFS volume or in Active Directory has an owner. The owner
controls how permissions are set on the object and to whom permissions are
granted. For example, a user can create a file in a folder where the user
typically has Modify permission. However, because that user created the file,
the user can change the permissions. The user then can grant himself Full
Control over the file.

Question: Provide at least one example of how cumulative permissions benefit
administrators.

Discussion: Applying NTFS Permissions

In this discussion, you are presented with a scenario in which you are asked to
apply NTFS permissions. You and your classmates will discuss possible solutions
to the scenario.
Scenario
User1 is a member of the Users group and the Sales group. The graphic on the
slide shows folders and files on the NTFS partition.
Question: The Users group has Write permission, and the Sales group has Read
permission for Folder1. What permissions does User1 have for Folder1?

Question: The Users group has Read permission for Folder1. The Sales group has
Write permission for Folder2. What permissions does User1 have for File2?
Question: The Users group has Modify permission for Folder1. File2 should be
accessible only to the Sales group, and they should only be able to read File2.
What do you do to ensure that the Sales group has only Read permission for File2?

Demonstration: Evaluating Effective Permissions

Key Points
Open a directory, and assign permissions to a user.
Use the effective permissions tool.
Deny user permission.

Question: Can the Effective Permissions tool return the actual permissions of a
user?

Effects of Combining Shared Folder and NTFS Permissions

Key Points
When enabling access to network resources on an NTFS volume, it is
recommended that you use the most restrictive NTFS permissions to control
access to folders and files, combined with the most restrictive shared folder
permissions that control network access.
Question: Provide at least one consideration an administrator must acknowledge
before combining Shared Folders and NTFS Permissions.
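As an added illustration (not part of the Microsoft course material), the following Python model implements the evaluation rules described in this topic and in the earlier topic on effective NTFS permissions: canonical ACE ordering (explicit Deny, explicit Allow, inherited Deny, inherited Allow), cumulative rights across group memberships, inheritance blocking, and the rule that network access is the more restrictive of the share and NTFS permissions. The right bit values are constructed, the scenario names (User1, Users, Sales, Data\Sales) come from the module's discussion questions, and the model assumes the Data share was left at the default Read permission; the real Windows access check also handles auditing, generic rights and owner rights, which are omitted here.

```python
"""Model of how Windows evaluates a DACL to arrive at effective NTFS permissions,
and how share permissions then combine with them for network access.

Added illustration for this module, not Microsoft code. It simplifies the real
access check: no SACL or auditing, no generic rights, no implicit owner rights.
Scenario names (User1, Users, Sales, Data\\Sales) follow the module's discussion.
"""
from dataclasses import dataclass

# Individual rights as bit flags. Constructed values, not the real ACCESS_MASK bits.
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER = (1 << i for i in range(6))
ALL = READ | WRITE | EXECUTE | DELETE | CHANGE_PERMS | TAKE_OWNER

# Standard NTFS permissions as the rights they bundle, following the module's list.
NTFS = {
    "Read": READ,
    "Write": WRITE,
    "Read & Execute": READ | EXECUTE,
    "Modify": READ | WRITE | EXECUTE | DELETE,
    "Full Control": ALL,
}
# Shared folder permission levels (Read, Change, Full Control) mapped the same way.
SHARE = {"Read": READ | EXECUTE, "Change": READ | WRITE | EXECUTE | DELETE, "Full Control": ALL}


@dataclass(frozen=True)
class Ace:
    principal: str           # user or group the entry applies to
    allow: bool              # True = Allow ACE, False = Deny ACE
    rights: int              # bit mask of rights
    inherited: bool = False  # True if the ACE came from a parent folder


def canonical(dacl):
    """Windows keeps ACEs in canonical order: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. Because the check walks the list in this
    order, an explicit Allow on a subfolder wins over a Deny inherited from its
    parent, while an explicit Deny wins over an explicit Allow on the same object."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def effective_rights(dacl, token):
    """Cumulative rights for a token (the user's name plus all of its group names).
    Each Allow ACE adds rights not already denied; each Deny ACE removes rights
    not already granted. A principal absent from the DACL ends up with nothing."""
    granted = denied = 0
    for ace in canonical(dacl):
        if ace.principal not in token:
            continue
        if ace.allow:
            granted |= ace.rights & ~denied
        else:
            denied |= ace.rights & ~granted
    return granted


def inherit(parent_dacl, own_aces=()):
    """DACL of a child object: the parent's entries flagged as inherited,
    plus any explicit entries set directly on the child."""
    return list(own_aces) + [Ace(a.principal, a.allow, a.rights, True) for a in parent_dacl]


def block_inheritance(dacl, copy_existing):
    """Break inheritance on an object. Windows offers to copy the inherited
    entries as explicit ones (copy_existing=True) or to remove them."""
    if copy_existing:
        return [Ace(a.principal, a.allow, a.rights, False) for a in dacl]
    return [a for a in dacl if not a.inherited]


def network_rights(share_level, ntfs_dacl, token):
    """Over the network the effective permission is the more restrictive of the
    share permission and the NTFS permission: only rights present in both apply."""
    return SHARE[share_level] & effective_rights(ntfs_dacl, token)


def names(mask):
    """Human-readable list of the individual rights present in a mask."""
    labels = ["Read", "Write", "Execute", "Delete", "Change permissions", "Take ownership"]
    return [label for bit, label in enumerate(labels) if mask & (1 << bit)]


if __name__ == "__main__":
    user1 = {"User1", "Users", "Sales"}
    # Discussion: Users has Write and Sales has Read on Folder1 -> cumulative.
    folder1 = [Ace("Users", True, NTFS["Write"]), Ace("Sales", True, NTFS["Read"])]
    print("Folder1:", names(effective_rights(folder1, user1)))
    # Explicit Deny beats Allow on one object; explicit Allow on a child beats inherited Deny.
    denied = [Ace("Sales", False, WRITE), Ace("Users", True, NTFS["Modify"])]
    child = inherit(denied, [Ace("User1", True, WRITE)])
    print("Denied folder:", names(effective_rights(denied, user1)))
    print("Child with explicit Allow:", names(effective_rights(child, user1)))
    # Discussion: \Data shared with the default Read, NTFS Full Control on \Data\Sales.
    sales_ntfs = [Ace("Sales", True, NTFS["Full Control"])]
    print("Can save over 'Read' share:", bool(WRITE & network_rights("Read", sales_ntfs, user1)))
    print("Can save over 'Change' share:", bool(WRITE & network_rights("Change", sales_ntfs, user1)))
```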

Discussion: Determining Effective NTFS and Shared Folder
Permissions

In this discussion, you will determine effective NTFS and shared folder
permissions.
Scenario
The figure shows two shared folders that contain folders or files that have NTFS
permissions. Look at each example, and determine a user's effective permissions.
In the first example, the Users folder has been shared, and the Users group has the
shared folder permission Full Control. User1, User2, and User3 have been granted
the NTFS permission Full Control to only their folder. These users are all members
of the Users group.
Question: Discuss what the effective permissions are for User1, User2, and User3.
Can User1 take full control of User2's directory? Why? How does using the share
permission instead of the NTFS permission prevent users from accessing other
Users directories?
Question: You have shared the Data folder to the Sales Group. Within the Data
directory, you have given the Sales Group Full Control over the Sales folder. When
users in the Sales Group try to save a file in the \Data\Sales directory, they get an
access denied error. Why? What permission needs to be changed, and why?

Considerations for Implementing NTFS and Shared Folder
Permissions

Key Points
Here are several considerations to make administering permissions more
manageable:
1. Grant permissions to groups instead of users. Groups can always have
individuals added or deleted, while permissions on a case-by-case basis are
difficult to track.
2. Use Deny permissions only when necessary. Because deny permissions are
inherited exactly like allow permissions, assigning deny permissions to a
folder can result in users not being able to access files lower in the folder
structure. Deny permissions should be assigned in the following situations:
To exclude a subset of a group that has Allow permissions.
To exclude one permission when you have granted Full Control
permissions already to a user or group.
3. Never deny the Everyone group access to an object. If you deny everyone
access to an object, you deny administrators access. Instead, we recommend
that you remove the Everyone group, as long as you grant permissions for the
object to other users, groups, or computers.
4. Grant permissions to an object that is as high in the folder tree as possible so
that the security settings are propagated throughout the tree. For example,
instead of bringing groups representing all departments of the company
together into a Read folder, assign Domain Users (which is a default group
for all user accounts on the domain) to the share. In this manner, you
eliminate the need to update department groups before new users receive the
shared folder.
5. Use NTFS permissions instead of shared permissions for fine-grained
access. Configuring both NTFS and shared folder permissions can be difficult.
Consider assigning the most restrictive permissions for a group that contains
many users at the shared folder level, and then using NTFS permissions to
assign more specific permissions.

Question: List one or two examples of best practices that you have implemented
when assigning Shared Folder or NTFS permission in your organization.

Lab: Managing Access to Resources

Scenario
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has deployed AD DS in Windows Server
2008. They have recently opened a new subsidiary in Toronto, Canada. As a
network administrator assigned to the new subsidiary, one of your primary tasks
will be to create and manage access to resources, including the shared folder
implementation. For example, groups that mirror the departmental organization of
the bank need shared file storage areas. You must also have shared folders to
enable files to be shared during special projects between departments.
Exercise 1: Planning a Shared Folder Implementation
(Discussion)
In this exercise, you will discuss and determine the best solutions for a shared
folder implementation.
Discussion Questions:
1. The Woodgrove Bank Toronto subsidiary has an organizational hierarchy, as
outlined by its organizational units (OUs) that supports the activities of its
four departments: Marketing, Investments, Management, and Customer
Service. Each department has groups populated with the employees in that
department. How could you give each department separate file-sharing spaces?
2. All members of the Toronto subsidiary must be able to read documents posted
by management about topics such as staffing, targets and projections, and
company news. To create a series of folders that will enable this information to
be available to all employees in the subsidiary, and managers from other parts
of the Woodgrove Bank, what sorts of groups would be needed? What sorts of
permissions would each require? What sorts of folder structures might be
needed?
3. A task force on reducing the subsidiary's carbon footprint (that is, its negative
impact on the natural environment) is collecting data from various
departments. They plan to keep the information private until they can publish
a report. How can individuals from various departments have contributing
status while restricting access to those outside their project?

Result: At the end of this exercise, you will have discussed and determined solutions
for a shared folder implementation.

Exercise 2: Implementing a Shared Folder Implementation
In this exercise, you will create the shared folder implementation based on the
discussion in the previous exercise.
The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Create four new folders by using Windows Explorer.
3. Set share permissions for the folders.
4. Create a shared folder for all Domain Users by using Share and Storage
Management Microsoft Management Console (MMC).
5. Create a new group and shared folder for an interdepartmental project.

Task 1: Start the virtual machines, and then log on
1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher
starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Create four new folders by using Windows Explorer
1. On NYC-DC1, open Windows Explorer.
2. On drive C, create folders named:
Marketing
Managers
Investments
CustomerService
Task 3: Set share properties for the folder
1. Right-click the Marketing folder, and then click Share.
2. In File Sharing dialog box, type TOR_MarketingGG, and then click Add.
3. Change the permission level to Contributor, and then click Share.
4. Repeat creating shares for each of the remaining folders, assigning the groups
and permissions.
TOR_BranchManagersGG (Managers folder)
TOR_InvestmentsGG (Investments folder)
TOR_CustomerServiceGG (CustomerService folder)

Task 4: Create another shared folder by using Share and Storage
Management MMC
1. On the Start menu, in Administrative Tools, click Share and Storage
Management.
2. Start Provision Share Wizard.
3. Click the Browse button. In the Browse Folder window, create a new folder
named CompanyNews on the C drive.
4. Do not change any other settings, but click Next all the way through to the
Create button. Click Create, and then click Close.
5. In the Shares list of the Share and Storage Management MMC, right-click
CompanyNews, and then click Properties.
6. In the Permissions tab, click Share Permissions. Add the Domain Users
group, and notice that their permission is set as Read.
7. Add the TOR_BranchManagersGG group, and give them Full Control
permissions.
8. Finish the Permissions settings, and exit Share and Storage Management
MMC.
Task 5: Create a new group and shared folder for an interdepartmental
project
1. Open Active Directory Users and Computers MMC.
2. Click the Toronto OU, and add a new global security group named
TOR_SpecialProjectGG.
3. Expand the following Toronto OUs, and use the Add to group command to
add the users listed in the following table:
Toronto OU           Name
Investment           Aaron Con
Marketing            Aidan Delaney
Branch Managers      Sven Buck
Customer Service     Dorena Paschke

4. Close Active Directory Users and Computers.
5. Create a new folder in drive C, and name it SpecialProjects.
6. Share the folder, adding the TOR_SpecialProjectGG group that has Contribute
permission levels.
7. Click Share.

Task 6: Block inheritance of a folder in a shared folder
1. Open the SpecialProjects folder.
2. Create a new folder called Unshared.
3. Change Unshared Properties by removing the inheritable permissions.
4. Give permissions back to the Administrator.

Result: At the end of this exercise, you will have created a shared folder
implementation.

Exercise 3: Evaluating the Shared Folder Implementation
In this exercise, you will verify that the shared folder implementation meets the
security requirements provided in the documentation. You will log on as some
users to make sure that they have the required level of access.
The main tasks are as follows:
1. Log on to NYC-CL1 as Sven.
2. Check the permissions for Company News.
3. Check permissions of interdepartmental share Special Projects.
4. Close all virtual machines, and discard undo disks.

Task 1: Log on to NYC-CL1 as Sven
Log on to NYC-CL1 as Sven, with the password Pa$$w0rd.

Task 2: Check the permissions for Company News
1. After you are logged on as Sven, open the Company News folder and create a
text file. Name it News.txt.
2. Create a folder named News, and drag News.txt into it.
3. Close the Company News window and log off.

Task 3: Check permissions of interdepartmental share Special Projects
1. Log on as Dorena with the password Pa$$w0rd.
2. Open the Special Project volume and create a text document.
3. Try to open Company News. Open the News.txt file inside the News folder.
4. Log off as Dorena.
Task 4: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have verified that the shared folder
implementation meets security requirements.

Module Review and Takeaways

Review Questions
1. What is the role of ACLs in granting access to resources on an AD DS
network?
2. How do DACLs differ from SACLs?
3. What happens to the shared folder configuration when you copy or move a
shared folder from one hard disk to another on the same server? What
happens to the shared folder configuration when you copy or move the shared
folder to another server?
4. You have to assign permissions to a shared folder so that all users in your
organization can read the contents of the folder. Which of these approaches
would be the best way to do this: accept the default permissions, assign read
permissions to the folder for the Domain Users group, or add groups
representing whole departments? How would this configuration change if your
organization had multiple domains?
5. When moving a folder in an NTFS partition, what permissions are required
over the source file or folder and over the destination folder?
6. What is the best way to create a shared folder that needs to be accessed by
users who are situated in two domains?

Considerations for Managing Shared Folders and NTFS Permissions
When you manage AD DS shared folders and NTFS permissions, consider the
following:
• Consider delegating permissions to create and manage shared folders in your
AD DS domain. You can delegate permissions to groups in the NTFS security
settings of the appropriate level of the shared folder hierarchy.
• When allowing access to network resources on an NTFS volume, we
recommend that you use the most restrictive NTFS permissions to control
access to folders and files, combined with the most restrictive shared folder
permissions that control network access.
• Document your shared folder and permissions configuration. The shared
folder configuration can become very complex over time as users or departments
request new shared folders for many reasons. Without documentation, it can
be difficult to manage and troubleshoot file access issues.
• All shared folders should be part of your regular backup process. The data that
is stored in the shared folders is usually important to your organization.
Therefore, you must make sure that you can recover it if a server were to fail.

Module 5
Configuring Active Directory Objects and Trusts
Contents:
Lesson 1: Delegate Administrative Access to Active Directory Objects 5-3
Lab A: Configuring Active Directory Delegation 5-12
Lesson 2: Configure Active Directory Trusts 5-16
Lab B: Configuring Active Directory Trusts 5-24
Module Overview

After the initial deployment of Active Directory Domain Services (AD DS), the
most common tasks for an AD DS administrator are configuring and managing AD
DS objects. In most organizations, each employee is issued a user account, which is
added to one or more groups in AD DS. The user and group accounts enable
access to Windows Server-based network resources such as Web sites, mailboxes,
and shared folders.
This module describes how to perform many of these administrative tasks, and
options available for delegating or automating these tasks. This module also
describes how to configure and manage Active Directory trusts.
Lesson 1:
Delegate Administrative Access to Active
Directory Objects

One of the options available for effectively administering Microsoft Windows
Server 2008 AD DS is to delegate some of the administrative tasks to other
administrators or users. By delegating control, you can enable these users to
perform specific Active Directory management tasks, without granting them more
permissions than they need.
Active Directory Object Permissions

Key Points
Active Directory object permissions secure resources by enabling you to control
which administrators or users can access individual objects or object attributes,
and to control the type of access they have. You use permissions to assign
privileges for administrators to manage an organizational unit or a hierarchy of
organizational units, and the Active Directory objects contained within those
organizational units.
• Denied permissions take precedence over any permission that you otherwise
allow to user accounts and groups.
• You should use Deny permissions explicitly only when it is necessary to
remove a permission that a user is granted by being a member of a particular
group.
• When permission to perform an operation is not allowed, it is implicitly
denied.
• Special permissions allow you to set permissions on a particular class of object
or individual attributes of an object class. For example, you could grant a user
Full Control over the group object class in a container, just grant the user the
ability to modify group memberships in a container, or just grant the user the
permissions needed to change a single attribute, such as the phone number,
on all user accounts.
• Inherited permissions are those that are propagated to an object from a parent
object. For example, if you assign permissions at an OU level, by default, all of
those permissions are inherited by objects inside the OU.
• Explicit permissions take precedence over inherited permissions, even
inherited Deny permissions.
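These rules can be checked against a live object. The following is an added example, not part of the course text, that uses the System.DirectoryServices classes available to Windows PowerShell on Windows Server 2008 to list an object's ACEs as explicit or inherited and Allow or Deny, and to flag the case described in the last point: an explicit Allow that overrides an inherited Deny. The Toronto OU distinguished name is an assumption based on the lab environment.

```powershell
# Added example (not from the 6419A course text): dump the DACL of an AD DS
# object with System.DirectoryServices, which PowerShell on Windows Server 2008
# can use without any add-on module, and flag explicit Allow entries that
# override an inherited Deny for the same trustee.

function Get-AdObjectAce {
    param([string]$DistinguishedName)

    # Bind to the object; ObjectSecurity is its ActiveDirectorySecurity descriptor
    $entry = [ADSI]("LDAP://" + $DistinguishedName)
    $dacl  = $entry.psbase.ObjectSecurity

    # Ask for explicit AND inherited entries. Trustees come back as SIDs so that
    # an orphaned SID (deleted account) cannot make the whole call fail.
    $rules = $dacl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference
        try   { $trustee = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $trustee = $sid.Value }   # keep the raw S-1-5-... string

        New-Object PSObject -Property @{
            Trustee    = $trustee
            Type       = $ace.AccessControlType.ToString()   # Allow or Deny
            Source     = $(if ($ace.IsInherited) { "Inherited" } else { "Explicit" })
            Rights     = $ace.ActiveDirectoryRights
            AppliesTo  = $ace.InheritanceType.ToString()     # None, All, Descendents, ...
            ObjectType = $ace.ObjectType   # GUID of the attribute or right; all zeros = whole object
        }
    }
}

function Find-DenyOverride {
    # Report trustees whose explicit Allow ACE overlaps an inherited Deny ACE:
    # the explicit entry wins, so the inherited Deny blocks nothing on this object.
    param([string]$DistinguishedName)

    $aces          = @(Get-AdObjectAce $DistinguishedName)
    $inheritedDeny = @($aces | Where-Object { $_.Type -eq "Deny"  -and $_.Source -eq "Inherited" })
    $explicitAllow = @($aces | Where-Object { $_.Type -eq "Allow" -and $_.Source -eq "Explicit" })

    foreach ($deny in $inheritedDeny) {
        foreach ($allow in $explicitAllow) {
            if ($allow.Trustee -ne $deny.Trustee) { continue }
            # Same rights bits, and the Deny covers the same attribute/right or the whole object
            $overlap   = (([int]$allow.Rights) -band ([int]$deny.Rights)) -ne 0
            $sameScope = ($deny.ObjectType -eq [Guid]::Empty) -or ($deny.ObjectType -eq $allow.ObjectType)
            if ($overlap -and $sameScope) {
                "{0}: explicit Allow [{1}] overrides inherited Deny [{2}]" -f $deny.Trustee, $allow.Rights, $deny.Rights
            }
        }
    }
}

# Usage against the lab OU (assumed DN for the Toronto OU in WoodgroveBank.com)
$ouDn = "OU=Toronto,DC=WoodgroveBank,DC=com"
Get-AdObjectAce $ouDn | Sort-Object Source, Type |
    Format-Table Trustee, Type, Source, AppliesTo, Rights -AutoSize
# Deny entries deserve a second look; the text recommends using them sparingly
Get-AdObjectAce $ouDn | Where-Object { $_.Type -eq "Deny" } | Format-List
Find-DenyOverride $ouDn
```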

Question: What are the risks with using special permissions to assign AD DS
permissions?
Question: What permissions would a user have on an object if you granted them
full control permission, and denied the user write access?

Demonstration: Active Directory Domain Services Object
Permission Inheritance

Key Points
• Enable the Advanced view in Active Directory Users and Computers.
• Disable permission inheritance by child items.
• View the Effective Permissions for the object.

Question: What would happen to an object's permissions if you moved the object
from one OU to another, if the OUs had different permissions applied?
Question: What would happen if you removed all permissions from an OU when
you blocked inheritance and did not assign any new permissions?

What Are Effective Permissions?

Key Points
Accessible from an object's advanced properties settings, the Effective Permissions
tool helps you to determine the permissions for an Active Directory object. This
tool calculates the permissions that are granted to the specified user or group, and
takes into account the permissions that are in effect from group memberships and
any permission inherited from parent objects.
Question: When retrieving effective permissions, accurate retrieval of information
requires permission to read the membership information. If the specified user or
group is a domain object, what type of permissions does a Domain Administrator
need to have to read the object's group information on the domain? What about a
Local administrator and an Authenticated domain user?

What Is Delegation of Control?

Key Points
Delegation of control is the ability to assign management responsibility of Active
Directory objects to another user or group.
Delegated administration helps to ease the administrative burden of managing
your network by distributing routine administrative tasks to multiple users. With
delegated administration, you can assign basic administrative tasks to regular users
or groups. For example, you could give OU administrators the right to add or
remove user or computer objects, or an administrative assistant the right to reset
passwords.
By delegating administration, you give groups in your organization more control of
their local network resources. You also help secure your network from accidental
or malicious damage by limiting the membership of administrator groups.
The Delegation of Control Wizard

You can define the delegation of administrative control in the following four ways:
• Grant permissions to create or modify all objects in a specific organizational
unit or in the domain.
• Grant permissions to create or modify some types of objects in a specific
organizational unit or at the domain level.
• Grant permissions to create or modify a specific object in a specific
organizational unit or at the domain level.
• Grant permissions to modify specific attributes of an object (such as granting
the permission to reset passwords on a user account) in a specific
organizational unit or at the domain level.

Discussion: Scenarios for Delegating Control

Discussion Questions
• What are the benefits of delegating administrative permissions?
• How would you use delegation of control in your organization?

Discuss these scenarios with the classroom, led by your instructor.
Demonstration: Configuring Delegation of Control

Key Points
• Use the Delegation of Control Wizard to delegate permissions to manage user
and computer accounts.
• Use the Delegation of Control Wizard to delegate the administration of
individual attributes.
• Use a Microsoft Windows PowerShell script to delegate the Password Reset
task.
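The third point can be shown as a script. The following is an added example, not the demonstration's own script, that writes the same two ACEs the Delegation of Control Wizard writes for the "Reset user passwords and force password change at next logon" task (the Reset Password control access right plus read/write on pwdLastSet), looking the GUIDs up in the schema and the Extended-Rights container instead of hardcoding them. The OU distinguished name and the WOODGROVEBANK NetBIOS name are assumptions based on the lab.

```powershell
# Added example (not the course's own demonstration script): delegate the
# "Reset user passwords and force password change at next logon" task on an OU
# with System.DirectoryServices on Windows Server 2008. Run it as an account
# that can modify the OU's DACL (the lab Administrator, for instance).

function Get-SchemaGuid {
    # schemaIDGUID of a class or attribute, looked up by LDAP display name
    param([string]$LdapDisplayName)
    $root     = [ADSI]"LDAP://RootDSE"
    $schema   = [ADSI]("LDAP://" + [string]$root.schemaNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $schema
    $searcher.Filter = "(lDAPDisplayName=$LdapDisplayName)"
    [void]$searcher.PropertiesToLoad.Add("schemaIDGUID")
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "Schema object '$LdapDisplayName' not found" }
    # schemaIDGUID is stored as an octet string (16 raw bytes)
    New-Object System.Guid -ArgumentList (,[byte[]]$hit.Properties["schemaidguid"][0])
}

function Get-ExtendedRightGuid {
    # rightsGuid of a control access right, looked up by its display name
    param([string]$DisplayName)
    $root     = [ADSI]"LDAP://RootDSE"
    $rights   = [ADSI]("LDAP://CN=Extended-Rights," + [string]$root.configurationNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $rights
    $searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    [void]$searcher.PropertiesToLoad.Add("rightsGuid")
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "Extended right '$DisplayName' not found" }
    [Guid]$hit.Properties["rightsguid"][0]   # stored as a string in the directory
}

function Grant-ResetPasswordTask {
    param([string]$OuDn, [string]$GroupAccount)   # GroupAccount as DOMAIN\Group

    $ou      = [ADSI]("LDAP://" + $OuDn)
    $trustee = New-Object System.Security.Principal.NTAccount -ArgumentList $GroupAccount
    $userCls = Get-SchemaGuid "user"
    $reset   = Get-ExtendedRightGuid "Reset Password"
    $pwdLast = Get-SchemaGuid "pwdLastSet"

    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    # Apply to descendant user objects only, not to the OU object itself
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    # ACE 1: the Reset Password control access right on user objects
    $ace1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $trustee, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $reset, $inherit, $userCls)
    # ACE 2: read/write pwdLastSet, the attribute behind "must change password at next logon"
    $rw   = [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty"
    $ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $trustee, $rw, $allow, $pwdLast, $inherit, $userCls)

    $ou.psbase.ObjectSecurity.AddAccessRule($ace1)
    $ou.psbase.ObjectSecurity.AddAccessRule($ace2)
    $ou.psbase.CommitChanges()
}

function Test-ResetPasswordTask {
    # Re-read the OU and return $true only when both explicit ACEs exist for the group
    param([string]$OuDn, [string]$GroupAccount)
    $sid   = (New-Object System.Security.Principal.NTAccount -ArgumentList $GroupAccount).Translate(
                 [System.Security.Principal.SecurityIdentifier])
    $ou    = [ADSI]("LDAP://" + $OuDn)
    $rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $mine  = @($rules | Where-Object { $_.IdentityReference -eq $sid })
    $reset   = Get-ExtendedRightGuid "Reset Password"
    $pwdLast = Get-SchemaGuid "pwdLastSet"
    $hasReset   = @($mine | Where-Object { $_.ObjectType -eq $reset }).Count   -gt 0
    $hasPwdLast = @($mine | Where-Object { $_.ObjectType -eq $pwdLast }).Count -gt 0
    return ($hasReset -and $hasPwdLast)
}

# Usage with assumed lab values (Toronto OU DN and WOODGROVEBANK NetBIOS name)
$ouDn  = "OU=Toronto,DC=WoodgroveBank,DC=com"
$group = "WOODGROVEBANK\Tor_CustomerServiceGG"
Grant-ResetPasswordTask $ouDn $group
Test-ResetPasswordTask  $ouDn $group
```

Afterwards the Effective Permissions tab for a Tor_CustomerServiceGG member on a user in the OU shows Reset Password and Read/Write pwdLastSet, the same result as Task 3 of Lab A.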

Lab A: Configuring Active Directory Delegation

Scenario
To optimize the use of AD DS administrator time, Woodgrove Bank would like to
delegate some administrative tasks to interns and junior administrators. These
administrators will be granted access to manage user and group accounts in
different OUs. User accounts must also be configured with a standard
configuration. The organization also requires AD DS groups that will be used to
assign permissions to a variety of network resources. The organization would like
to automate the user and group management tasks, and delegate some
administrative tasks to junior administrators.
Exercise 1: Delegating Control of AD DS Objects
In this exercise, you will delegate control of AD DS objects for other
administrators. You will also test the delegated permissions to ensure that
administrators can perform the required actions, but cannot perform other actions.
Woodgrove Bank has decided to delegate administrative tasks for the Toronto
office. In this office, the branch managers must be able to create and manage user
and group accounts. The customer service personnel must be able to reset user
passwords and configure some user information, such as phone numbers and
addresses.
The main tasks are as follows:
1. Start the virtual machine and log on.
2. Assign full control of users and groups in the Toronto OU.
3. Assign rights to reset passwords and configure private user information in the
Toronto OU.
4. Verify the effective permissions assigned for the Toronto OU.
5. Test the delegated permissions for the Toronto OU.

Task 1: Start the virtual machine, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. Log on to 6419A-NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Assign full control of users and groups in the Toronto OU
1. On NYC-DC1, run the Delegation of Control Wizard on the Toronto OU.
2. Assign the right to Create, delete and manage user accounts and the Create,
delete and manage groups to the Tor_BranchManagersGG.
Task 3: Assign rights to reset passwords and configure private user
information in the Toronto OU
1. On NYC-DC1, run the Delegation of Control Wizard on the Toronto OU.
2. Assign the right to Reset user passwords and force password change at next
logon to the Tor_CustomerServiceGG group.
3. Run the Delegation of Control Wizard again. Choose the option to create a
custom task.
4. Assign the Tor_CustomerServiceGG group permission to change personal
information only for user accounts.

Task 4: Verify the effective permissions assigned for the Toronto OU
1. In Active Directory Users and Computers, enable viewing of Advanced
Features.
2. Access the Advanced Security Settings for the Toronto OU.
3. Check the effective permissions for Sven Buck. Sven is a member of the
Tor_BranchManagersGG group. Verify that Sven has permissions to create and
delete user and group accounts.
4. Access the advanced security settings for Matt Berg, located in the
CustomerService OU in the Toronto OU. Verify that Matt has permissions to
create and delete user and group accounts.
5. Check the effective permissions for Helge Hoening. Helge is a member of the
Tor_CustomerServiceGG group. Verify that Helge has permissions to reset
passwords and permission to write personal attributes.
Task 5: Test the delegated permissions for the Toronto OU
1. Log on to NYC-DC1 as Sven with the password of Pa$$w0rd.
2. Start Active Directory Users and Computers, and verify that Sven can create a
new user in the Toronto organizational unit.
3. Verify that Sven can create a new group in the Toronto OU.
4. Verify that Sven cannot create a user in the ITAdmins OU.
5. Log off NYC-DC1, and then log on as Helge with the password Pa$$w0rd.
6. In Active Directory Users and Computers, verify that Helge does not have
permissions to create any new objects in the Toronto OU.
7. Verify that Helge can reset user passwords and configure user properties, such
as the office and telephone number.

Result: At the end of this exercise, you will have delegated the administrative tasks for
the Toronto office.

Lesson 2:
Configure Active Directory Trusts

Many organizations that deploy AD DS will deploy only one domain. However,
larger organizations, or organizations that need to enable access to resources in
other organizations or business units, may deploy several domains in the same
Active Directory forest or a separate forest. For users to access resources between
the forests, you must configure the forests with trusts. This lesson describes how to
configure and manage trusts in an Active Directory environment.
What Are AD DS Trusts?

Key Points
Trusts allow security principals to traverse their credentials from one domain to
another, and are necessary to allow resource access between domains. When you
configure a trust between domains, a user can be authenticated in their domain,
and their security credentials can then be used to access resources in a different
domain.
• Trusts can be defined as transitive or non-transitive.
• The user accounts are located in the trusted domain, while the resources are
located in the trusting domain.
• The two protocol options for configuring trusts are the Kerberos protocol
version 5, and Microsoft Windows NT Local Area Network (LAN) Manager
(NTLM).

Question: What does a trust existing between two domains provide?
AD DS Trust Options

Key Points
All trusts in Microsoft Windows 2000 Server, Microsoft Windows Server 2003, and
Microsoft Windows Server 2008 forests are transitive, two-way trusts. Therefore,
both domains in a trust relationship are trusted; however, one-way trusts can be
configured.
This diagram illustrates a two-way trust between Forests 1 and 2, and a one-way
trust between domains E and A and domains B and Q.
Question: If you were going to configure a trust between a Windows Server 2008
domain and a Windows NT 4.0 domain, what type of trust would you need to
configure?
Question: If you need to share resources between domains, but do not want to
configure a trust, how could you provide access to the shared resources?
How Trusts Work Within a Forest

Key Points
When you set up trusts between domains either within the same forest, across
forests, or with an external realm, information about these trusts is stored in AD
DS so you can retrieve it when necessary. A trusted domain object (TDO) stores
this information.
The TDO stores information about the trust such as the trust transitivity and type.
Whenever you create a trust, a new TDO is created and stored in the System
container in the trust's domain.
Question: In this slide, what type of trust do Domain B and Domain C have in this
forest? What are the limitations?

How Trusts Work Between Forests

Key Points
Windows Server 2008 supports cross-forest trusts, which allow users in one forest
to access resources in another forest. When a user attempts to access a resource in
a trusted forest, AD DS must first locate the resource. After the resource is located,
the user can be authenticated and allowed to access the resource.
Question: Why would clients not be able to access resources in a domain outside the
forest?

Demonstration: Reviewing Trusts

Key Points
Review the Active Directory Domains and Trusts MMC.

Question: When you set up a forest trust, what information will need to be
available in DNS in order for the forest trust to work?

What Are User Principal Names?

Key Points
A user principal name (UPN) is a logon name that is used only to log on to a
Windows Server 2008 network. There are two parts to a UPN, which are separated
by the @ sign, for example, suzan@WoodgroveBank.com.
• The user principal name prefix, which in this example is suzan.
• The user principal name suffix, which in this example is WoodgroveBank.com.

By default, the suffix is the domain name in which the user account was created.
You can use the other domains in the network, or additional suffixes that you
created, to configure other suffixes for users. For example, you may want to
configure a suffix to create user logon names that match users' e-mail addresses.
Question: Provide a couple of scenarios where UPNs would be useful.

What Are the Selective Authentication Settings?

Key Points
Another option for restricting authentication across trusts in a Windows
Server 2008 forest is selective authentication. With selective authentication, you
can restrict which computers in your forest can be accessed by another forest's
users.
Question: Provide a scenario where it would be appropriate to enable selective
authentication.

Lab B: Configuring Active Directory Trusts

Scenario
Woodgrove Bank also has established a partner relationship with another
organization. Some users in each organization must be able to access resources in
the other organization. However, the access between organizations must be limited
to as few users and as few servers as possible.
Exercise 1: Configuring AD DS Trusts
In this exercise, you will configure trusts based on a trust-configuration design that
the enterprise administrator provides. You also will test the trust configuration to
ensure that the trusts are configured correctly.
Woodgrove Bank has initiated a strategic partnership with Fabrikam. Users at
Woodgrove Bank will need to have access to several file shares and applications
running on several servers at Fabrikam. Only users from Fabrikam should be able
to access shares on NYC-SVR1.
The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Configure the Network and DNS Settings to enable the forest trust.
3. Configure a forest trust between WoodgroveBank.com and Fabrikam.com.
4. Configure selective authentication for the forest trust to enable access to only
NYC-DC2.
5. Test the selective authentication.
6. Close all virtual machines and discard undo disks.

Task 1: Start the virtual machines, and then log on
1. In the Lab Launcher, next to 6419A-VAN-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-DC2, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
4. Log on to 6419A-VAN-DC1 as Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Configure the Network and DNS Settings to enable the forest
trust
1. On VAN-DC1, modify the Local Area Network properties to change the IP
address to 10.10.0.110, the Default gateway to 10.10.0.1, and the Preferred
DNS server to 10.10.0.110, and then click OK.
2. Synchronize the time on VAN-DC1 with NYC-DC1.
3. In DNS Manager, add a conditional forwarder to forward all queries for
Woodgrovebank.com to 10.10.0.10.
4. In Active Directory Domains and Trusts, raise the domain and forest functional
level to Windows Server 2003.
5. On NYC-DC1, in the DNS Manager console, add a conditional forwarder to
forward all queries for Fabrikam.com to 10.10.0.110.
6. Close the DNS Manager console.

Task 3: Configure a forest trust between WoodgroveBank.com and
Fabrikam.com
1. On NYC-DC1, start Active Directory Domains and Trusts from the
Administrative Tools folder.
2. Right-click WoodgroveBank.com and then click Properties.
3. Start the New Trust Wizard and configure a forest trust with Fabrikam.com.
4. Configure both sides of the trust. Use Administrator@Fabrikam.com to verify
the trust.
5. Accept the default setting of domain-wide authentication for both domains.
6. Confirm both trusts.

Task 4: Configure selective authentication for the forest trust to
enable access to only NYC-DC2
1. In Active Directory Domains and Trusts, modify the incoming trust from
Fabrikam.com to use selective authentication.
2. In Active Directory Users and Computers, access NYC-DC2's properties. On
the Security tab, grant the MarketingGG group from Fabrikam.com
permission to authenticate to this server.
3. Access NYC-CL1's properties. On the Security tab, grant the MarketingGG
group from Fabrikam.com permission to authenticate to this workstation.
Task 5: Test the selective authentication
1. Log on to the NYC-CL1 virtual machine as Adam@fabrikam.com using the
password Pa$$w0rd.

Note: Adam is a member of the MarketingGG group at Fabrikam. He is able to log on to
a computer in the WoodgroveBank.com domain because of the trust between the two
forests and because he has been allowed to authenticate to NYC-CL1.
2. Try to access the \\NYC-DC2\Netlogon folder. Adam should be able to access
the folder.
3. Try to access the \\NYC-DC1\Netlogon folder. Adam should not be able to
access the folder because the server is not configured for selective
authentication.

Task 6: Close all virtual machines and discard undo disks
1. For each running virtual machine, close the Virtual Machine Remote Control
window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have configured trusts based on a trust
configuration design.

Module Review and Takeaways

Review Questions
1. If there is a trust within a forest, and the resource is not in the user's domain,
how does the domain controller use the trust relationship to access the
resource?
2. The BranchOffice_Admins group has been granted full control of all user
accounts in the BranchOffice_OU. What permissions would the
BranchOffice_Admins have to a user account that was moved from the
BranchOffice_OU to the HeadOffice_OU?
3. Your organization has a Windows Server 2008 forest environment, but it has
just acquired another organization with a Windows 2000 forest environment
that contains a single domain. Users in both organizations must be able to
access resources in each other's forest. What type of trust do you create
between the forest root domain of each forest?
Real-World Issues and Scenarios
Scenario: Your organization has two domains: Contoso.com and Fabrikam.com.
You need to allow users from Fabrikam.com to access a shared folder in
Contoso.com. Describe the steps for configuring this access.
Question: How could you remove Write share permissions from a single file that is
located inside a folder that is inheriting Write permissions from shared folder in
which it is located?
Question: When moving a folder in an NTFS partition, what permissions are
required over the source file or folder and over the destination folder?
Considerations for Configuring Active Directory Objects
Supplement or modify the following best practices for your own work situations:
• Create a naming scheme for AD DS objects before starting the AD DS
deployment. For example, you need to plan how you will create user logon
names and devise your group-naming strategy. It is much easier to plan the
naming strategies early in the AD DS deployment rather than change the
names after deployment.
• Plan your AD DS group strategy before deploying AD DS. When planning the
group strategy, consider the organization's plans for future growth. Even if the
organization only has a small number of users in a single domain, you may
want to implement an account group/resource group strategy if the
organization has an aggressive growth strategy or is likely to establish key
partnerships that may require forest trusts.
• Look for opportunities to automate AD DS management tasks. It can take
considerable time to create csvde and ldifde files, or to write VBScript or
Windows PowerShell scripts. However, once these tools are in place, they can
save a great deal of time.
• Another option for decreasing workload for AD DS administrators is to
delegate tasks. One strategy for determining what tasks to delegate is to
analyze what tasks take the most time for AD DS administrators. If mundane
tasks, such as creating user accounts, resetting passwords, or updating user
information, take a significant amount of time, consider delegating those
specific tasks to other users.
Tools
Use the following tools when configuring AD DS objects and trusts:
Tool | Use for | Where to find it
Server Manager | Accessing the AD DS management tools in a single console. | Click Start, point to Administrative Tools, and then click Server Manager.
Active Directory Users and Computers | Creating and configuring all AD DS objects. | Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Active Directory Domains and Trusts | Creating and configuring trusts. | Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
Command line tools (including Csvde and Ldifde) | Creating and configuring AD DS objects. | These are installed by default and are accessible at a command prompt.
Windows PowerShell | Writing scripts that can automate AD DS object management. | Windows PowerShell is available as a download from Microsoft and can be installed as a feature in Windows Server 2008. After installing Windows PowerShell, all cmdlets are accessible through the Windows PowerShell command shell.



Module 6
Creating and Configuring Group Policy
Contents:
Lesson 1: Overview of Group Policy 6-3
Lesson 2: Configuring the Scope of Group Policy Objects 6-18
Lesson 3: Evaluating the Application of Group Policy Objects 6-31
Lesson 4: Managing Group Policy Objects 6-37
Lesson 5: Delegating Administrative Control of Group Policy 6-47
Lab A: Creating and Configuring GPOs 6-51
Lab B: Verifying and Managing GPOs 6-57
Module Overview

Administrators face increasingly complex challenges in managing the Information
Technology (IT) infrastructure. They must deliver and maintain customized
desktop configurations for a greater variety of employees, such as mobile users,
information workers, or others assigned to strictly defined tasks, such as data
entry.
Group Policy and the Active Directory Domain Services (AD DS) infrastructure in
Microsoft Windows Server 2008 enable IT administrators to automate user and
computer management, thus simplifying administrative tasks and reducing IT
costs. With Group Policy and AD DS, administrators can efficiently implement
security settings, enforce IT policies, and distribute software consistently across a
given site, domain, or range of organizational units (OUs).
Lesson 1
Overview of Group Policy

This lesson introduces you to how to use Group Policy to simplify managing
computers and users in an Active Directory environment. You will learn how
Group Policy Objects (GPOs) are structured and applied, and about some of the
exceptions of how GPOs are applied.
This lesson also discusses Group Policy features that are included with Windows
Server 2008, which also will help simplify computer and user management.
What Is Group Policy?

Key Points
Group Policy is a Microsoft technology that supports one-to-many management of
computers and users in an Active Directory environment. By editing Group Policy
settings and targeting a Group Policy Object (GPO) at the intended users or
computers, you can centrally manage specific configuration parameters. In this
way, you can manage potentially thousands of computers or users by changing a
single GPO.
A Group Policy object is the collection of settings that are applied to selected users
and computers.
Group Policy can control many aspects of a target object's environment, including
the registry, NTFS file system security, audit and security policy, software
installation and restriction, the desktop environment, logon/logoff scripts, and so on.
One GPO can be associated with multiple containers in AD DS, through linking.
Conversely, multiple GPOs may link to one container.
Each computer running a Microsoft Windows operating system has a local Group
Policy object. In these objects, Group Policy settings are stored on individual
computers, whether or not they are part of an Active Directory environment or a
networked environment.
Local Group Policy objects contain fewer settings than nonlocal Group Policy
objects, particularly under Security Settings. Local Group Policy objects do not
support Folder Redirection or Group Policy Software Installation.
Question: When would local Group Policy be useful in a domain environment?

Group Policy Settings

Key Points
Group Policy has thousands of configurable settings (approximately 2,400). These
settings can affect nearly every area of the computing environment. You cannot
apply all of the settings to all versions of Microsoft Windows operating systems.
For example, many of the new settings that came with the Microsoft Windows XP
Professional operating system, Service Pack (SP) 2, such as software restriction
policies, only applied to that operating system. Equally, many of the hundreds of
new settings only apply to the Microsoft Windows Vista operating system and
Windows Server 2008. If a computer has a setting applied that it cannot process, it
simply ignores it.
Group Policy structure
Group Policy is split into two distinct areas:

Group Policy area         What it does
Computer configuration    Affects the HKEY_LOCAL_MACHINE registry hive.
User configuration        Affects the HKEY_CURRENT_USER registry hive.

Configuring Group Policy settings
Each area has three sections:

Section                   Description
Software settings         Software can be deployed to either the user or the
                          computer. Software deployed to a user is specific to
                          that user. Software deployed to the computer is
                          available to all users of that computer.
Windows settings          Contain script settings and security settings for both
                          user and computer, and Internet Explorer maintenance
                          for the user configuration.
Administrative templates  Contain hundreds of settings that modify the registry
                          to control various aspects of the user or computer
                          environment.

Group Policy areas in Windows Vista and Server 2008
Many areas of Group Policy have been enhanced to include new features. They
include:
Feature                        Function
Antivirus                      Manages attachments behavior.
Client Help                    Determines where users can access help systems.
Deployed Printer Connections   Automates printer deployment.
Internet Explorer 7            Replaces and expands the current Internet Explorer
                               Maintenance extension.
Wireless Configuration         Sets up network wireless policies.
Terminal Services (TS)         Enhances security and manageability of TS remote
                               connections.
Windows Error Reporting        Disables Windows Feedback for any or all
                               components.

New areas of Group Policy include:
Feature                               Function
Removable storage device management   Controls installation of hardware classes, and the
                                      read/write capabilities of removable storage
                                      devices.
Power management                      Controls all power management settings using
                                      Group Policy.
User Account Control                  Controls the behavior of the User Account Control
                                      feature.
Network Access Protection             Manages Health Registration Authority, Internet
                                      Authentication Service, and Network Access
                                      Protection.
Windows Defender                      Configures Windows Defender settings.
Windows Firewall with Advanced        Controls Windows Firewall advanced
Security                              configurations.
Group Policy examples
Example 1: As the domain administrator, you want to disable the write ability for
removable disks in a GPO:
In the Group Policy Editor, point to Computer Configuration, point to
Administrative Templates, point to System, point to Removable Storage Access,
and then enable the Removable Disks: Deny write access setting.
Example 2: As the domain administrator, you want to disable the User Account
Control prompt for Administrators:
In the Group Policy Editor, point to Computer Configuration, point to Windows
Settings, point to Security Settings, point to Local Policies, point to Security
Options, and then set the User Account Control: Behavior of the elevation prompt
for administrators in Admin Approval Mode to Elevate without prompting. You
will need to restart the clients to accept the setting.

Note: A number of settings appear in both the user and the computer configuration, for
example, Offline Files or Windows Messenger settings. With few exceptions, in case of a
conflict between the user and computer setting, the user setting will be ignored, and the
computer setting will be applied.
Question: Which of the new features will you find the most useful in your
environment?

How Group Policy Is Applied

Key Points
Clients initiate Group Policy application by requesting GPOs from AD DS. When
Group Policy is applied to a user or computer, the client component interprets the
policy, and then makes the appropriate environment changes. These components
are known as Group Policy client-side extensions. As GPOs are processed, the
gpsvc service passes the list of GPOs that must be processed to each Group Policy
client-side extension. The extension then uses the list to process the appropriate
policy, when applicable.
Question: What would be some advantages and disadvantages to lowering the
refresh interval?

Exceptions to Group Policy Processing

Key Points
Different factors can change the normal Group Policy processing behavior, such as
logging on using a slow connection. Also, different types of connections or
operating systems handle Group Policy processing differently.
Question: How is Network Location Awareness (NLA) better than Internet
Control Message Protocol (ICMP) in the proper application of Group Policy?

Group Policy Components

Key Points
You can use Group Policy templates to create and configure Group Policy settings,
which are stored by the GPOs. The GPOs in turn are stored in the System Volume
(SYSVOL) container in AD DS. The SYSVOL container acts as a central repository
for the GPOs. In this way, one policy may be associated with multiple Active
Directory containers through linking. Conversely, multiple policies may link to one
container.
Group Policy has three major components:
Group Policy templates
Group Policy container
Group Policy objects

Question: Think of at least one example of how your organization can benefit by
using the Group Policy components.
What Are ADM and ADMX Files?

Key Points
ADM Files
Traditionally, ADM files have been used to define the settings the administrator
can configure through Group Policy. Each successive Windows operating system
and service pack has included a newer version of these files. ADM files use their
own markup language. Because of this, it is difficult to customize ADM files. The
ADM templates are located in the %SystemRoot%\Inf folder.
ADMX Files
Windows Vista and Windows Server 2008 introduce a new format for displaying
registry-based policy settings. Registry-based policy settings are defined using a
standards-based XML file format known as ADMX files. These new files replace
ADM files. Group Policy tools on Windows Vista and Server 2008 will continue to
recognize custom ADM files you have in your existing environment, but will ignore
any ADM file that ADMX files have superseded.
Question: How could you tell if a GPO was created or edited using ADM or ADMX
files?
Question: List one benefit of the ADMX format with Group Policy Objects.

What Is the Central Store?

Key Points
For domain-based enterprises, administrators can create a central store location of
ADMX files that is accessible by anyone with permission to create or edit GPOs.
The GPO Editor on Microsoft Windows Vista and Windows Server 2008
automatically reads and displays Administrative Template policy settings from
ADMX files that the central store caches, and ignores the ones stored locally. If the
domain controller is not available, then the local store is used.
You must create the central store, and then update it manually on a domain
controller. The use of ADMX files is dependent on the operating system of the
computer where you are creating or editing the GPO, not on the domain
controller. Therefore, the domain controller can be a server with Microsoft
Windows 2000, Microsoft Windows Server 2003, or Windows Server 2008. The File
Replication Service (FRS) will replicate the central store from that domain
controller to the domain's other domain controllers.
To create a Central Store for .admx and .adml files, create a folder that is named
PolicyDefinitions in the following location:
\\FQDN\SYSVOL\FQDN\policies

Note: FQDN is a fully qualified domain name.
For example, to create a Central Store for the Test.Microsoft.com domain, create a
PolicyDefinitions folder in the following location:
\\Test.Microsoft.Com\SYSVOL\Test.Microsoft.Com\Policies
Copy all files from the PolicyDefinitions folder on a Windows Vista-based client
computer to the PolicyDefinitions folder on the domain controller. On a Windows
Vista-based computer, the PolicyDefinitions folder resides inside the Windows
installation folder, and it stores all .admx files and .adml files for all
languages that are enabled on the client computer.
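The following PowerShell script is an added example, not part of the course material, that performs the two steps above: it creates the PolicyDefinitions folder under \\FQDN\SYSVOL\FQDN\Policies and copies the .admx and .adml files from the local Windows Vista or Windows Server 2008 computer into it. The domain name Test.Microsoft.Com is the sample from the text; the source path is assumed to be %SystemRoot%\PolicyDefinitions.

```powershell
# Added example: create and seed the ADMX central store described in the text.
# Run from a Windows Vista / Server 2008 computer as a user who can write to SYSVOL.
param(
    [string]$DomainFqdn = 'Test.Microsoft.Com',                 # sample domain from the text
    [string]$Source     = "$env:SystemRoot\PolicyDefinitions"   # assumed local template folder
)

# The location the text gives: \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions
$CentralStore = "\\$DomainFqdn\SYSVOL\$DomainFqdn\Policies\PolicyDefinitions"

if (-not (Test-Path -Path $Source)) {
    throw "No PolicyDefinitions folder at $Source; run this on a Vista or Server 2008 computer."
}

# Create the folder only when it is missing. FRS replicates it to the other
# domain controllers, so it is created on one DC only.
if (-not (Test-Path -Path $CentralStore)) {
    New-Item -ItemType Directory -Path $CentralStore | Out-Null
    Write-Host "Created central store at $CentralStore"
}

# Copy the .admx files and every language subfolder (for example en-US, which
# holds the .adml files). -Force overwrites older copies when you update the store.
Copy-Item -Path (Join-Path $Source '*') -Destination $CentralStore -Recurse -Force

# Verify the copy: a mismatch means the store is incomplete and the GPO editor
# would silently fall back to whatever it finds there.
$srcCount = @(Get-ChildItem -Path $Source       -Recurse -Include *.admx, *.adml).Count
$dstCount = @(Get-ChildItem -Path $CentralStore -Recurse -Include *.admx, *.adml).Count
Write-Host "Central store holds $dstCount of $srcCount template files from $Source"
if ($dstCount -lt $srcCount) {
    Write-Warning 'Central store is incomplete; check permissions on the Policies folder.'
}
```

Save the script as a .ps1 file and run it once per domain; rerun it after installing a service pack on the source computer to refresh the store.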
Question: What would be the advantage of creating the central store in your
environment?

Demonstration: Configuring Group Policy Objects

Key Points
Open the Group Policy Management Console (GPMC).
Create a new Group Policy named Desktop in the Group Policy container.
In the computer configuration, prevent the last logon name from displaying,
and prevent Windows Installer from running.
In the user configuration, remove the Search menu from the Start menu, and
hide the Screen Saver tab.

Question: When you open the GPMC on your Windows XP computer, you do not
see the new Windows Vista settings in the Group Policy Object Editor. Why not?

Lesson 2:
Configuring the Scope of Group Policy Objects

There are several techniques in Group Policy that allow administrators to
manipulate how Group Policy is applied. You can control the default processing
order of policy through enforcement, blocking inheritance, security filtering,
Windows Management Instrumentation (WMI) filters, or using the loopback
processing feature. In this lesson, you will learn about these techniques.
Group Policy Processing Order

Key Points
The GPOs that apply to a user or computer do not all have the same precedence.
GPOs are applied in a particular order. This order means that settings that are
processed first may be overwritten by settings that are processed later. For
example, a policy that restricts access to Control Panel applied at the domain level
could be reversed by a policy applied at the OU level for that particular OU.
If you link several GPOs to an organizational unit, their processing occurs in the
order that the administrator specifies on the Linked Group Policy Objects tab for
the organizational unit in the Group Policy Management Console (GPMC).
Question: Your organization has multiple domains spread over multiple sites. You
want to apply a Group Policy to all users in two different domains. What is the best
way to accomplish this?

What Are Multiple Local Group Policy Objects?

Key Points
In Microsoft operating systems prior to Windows Vista, there was only one user
configuration available in the local Group Policy. That configuration was applied to
all users logged on from the local computer. This is still true, but Windows Vista
and Windows Server 2008 have an added feature. In Windows Vista and Windows
Server 2008, it now is possible to have different user settings for different local
users, although there remains only one computer configuration available that
affects all users.
Domain administrators can disable Local Group Policy objects processing on
clients running Windows Vista or Windows Server 2008 by enabling the Turn off
Local Group Policy objects processing policy setting in a domain GPO.
Question: When would multiple local Group Policy objects be useful in a domain
environment?

Options for Modifying Group Policy Processing

Key Points
There may be occasions when the normal behavior of Group Policy is not
desirable. For example, certain users or groups may need to be exempt from
restrictive Group Policy settings, or a GPO should be applied only to computers
with certain hardware or software characteristics. By default, all Group Policy
settings apply to the Authenticated Users group in a given container. However, you
can modify that behavior through various methods.
Using block inheritance prevents the child level from automatically inheriting
GPOs linked to higher sites, domains, or organizational units.
GPO links that are enforced cannot be blocked by a child container.
By denying or granting the Apply Group Policy permission, you can control
which users, groups, or computers actually receive the GPO settings. Security
group filtering will override enforcement.
WMI provides access to properties of almost every hardware and software
object in the computing environment. Through WMI scripts, these properties
can be evaluated, and decisions about the application of Group Policy are
made based on the results.
You can completely block the application of a GPO for a given site, domain, or
organizational unit by disabling that container's GPO link.
You can use the Group Policy loopback feature to apply user GPOs that depend
only on the computer to which the user logs on.

Question: You have created a restrictive desktop policy and linked it to the
Finance OU. The Finance OU has several child OUs that have separate GPOs that
reverse some of your desktop restrictions. How would you ensure that all users in
the Finance department receive your desktop policy?

Demonstration: Configuring Group Policy Object Links

Key Points
Link the policy you created in the previous demo to the Toronto OU.
Log on as one of the Toronto users to test the results.
Disable the computer or user side of the policy. Doing this gives some
performance advantage by not processing parts of the policy that are known to
be empty.
Disable the entire policy. Occasionally you may need to do this for
troubleshooting policies.

Question: True or false: if a GPO is linked to multiple containers, altering the
settings for one of those links will only affect that container.

Demonstration: Configuring Group Policy Inheritance

Key Points
Create a new OU and a new user in the OU.
In the Default Domain policy, enable the setting to remove the Help menu
from the Start menu. Test the settings.
Block inheritance for the new OU. Test the settings.
Enforce the Default Domain policy. Test the settings.
Turn off enforcement and inheritance blocking.

Question: Your domain has two domain-level policies, GPO1 and GPO2. You need
to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs.
How could you accomplish this?

Demonstration: Filtering Group Policy Objects Using
Security Groups

Key Points
Create a new user in the OU that you created for the last demo.
Create a link between the OU and the GPO that removes the Search link from
the Start menu.
Use security filtering to exempt the new user from the GPO setting.
Log on as the first user and test that there is no Help menu link.
Log on as the new user and test that the Help menu link appears because security
filtering is in place.

Question: You want to ensure that a specific policy linked to an OU will only affect
the members of the Managers global group. How would you accomplish this?
Demonstration: Filtering Group Policy Objects Using WMI
Filters

Key Points
Use the GPMC to create a new WMI filter that targets only XP Professional
clients:
Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"
Use the GPMC to create a new GPO named software.
Assign the WMI filter to the software GPO.

Question: You need to deploy a software application that requires computers to
have more than 1 GB of RAM. What is the best way to accomplish this?
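A WMI filter is only as good as its query, so it pays to run the query on a test computer before linking the filter to a GPO. The following PowerShell function is an added example, not part of the course material: it takes filter entries in the "Namespace; WQL query" form the GPMC uses, runs each one, and applies the same rule the Group Policy client does (the filter passes only when every query returns at least one instance). The XP Professional query is the one from the demonstration; the RAM query is a constructed answer to the question above.

```powershell
# Added example: evaluate GPMC-style WMI filter entries on a computer and report
# whether a GPO carrying that filter would apply there.
function Test-GPWmiFilter {
    param(
        [Parameter(Mandatory=$true)] [string[]] $FilterEntries,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $allMatch = $true
    foreach ($entry in $FilterEntries) {
        # The GPMC stores each filter entry as "Namespace; WQL query".
        $parts     = $entry -split ';', 2
        $namespace = $parts[0].Trim()
        $query     = $parts[1].Trim()

        # Run the query exactly as written; a WQL syntax error surfaces here
        # instead of silently excluding every computer in production.
        $instances = @(Get-WmiObject -ComputerName $ComputerName -Namespace $namespace `
                                     -Query $query -ErrorAction Stop)
        Write-Host ("{0} instance(s) <- {1}" -f $instances.Count, $query)

        # One query that returns nothing makes the whole filter evaluate to false.
        if ($instances.Count -eq 0) { $allMatch = $false }
    }
    return $allMatch
}

# Filter from the demonstration: only Windows XP Professional clients.
$xpFilter = @(
    'Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"'
)

# Constructed filter for the question above. WQL has no arithmetic, so the
# threshold is written out in bytes: 1 GB = 1073741824.
$ramFilter = @(
    'Root\CimV2; Select * from Win32_ComputerSystem where TotalPhysicalMemory > 1073741824'
)

"XP Professional filter would apply here: $(Test-GPWmiFilter -FilterEntries $xpFilter)"
"RAM > 1 GB filter would apply here:      $(Test-GPWmiFilter -FilterEntries $ramFilter)"
```

Use -ComputerName to evaluate the same filter against a remote client; the WMI call needs the remote administration firewall exception discussed in Lesson 3.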

How Does Loopback Processing Work?

Key Points
User policy settings are normally derived entirely from the GPOs associated with
the user account, based on its AD DS location. However, Loopback processing
directs the system to apply an alternate set of user settings for the computer to any
user who logs on to a computer affected by this policy. Loopback processing is
intended for special-use computers where you must modify the user policy based
on the computer being used, such as the computers in public areas or classrooms.
When you apply loopback, it will affect all users except local ones.
Both the user object and the computer object can potentially have different
Group Policy settings applied (depending upon where each object resides in AD).
Loopback processing ensures that the computer object's user policy settings take
precedence over the user object's Group Policy settings.
Loopback operates using the following two modes:
Merge mode
Replace mode

Question: List one of the benefits of using loopback processing.

Discussion: Configuring the Scope of Group Policy
Processing

Scenario
Use the following scenario information for your discussion.
Physical structure
Woodgrove Bank has a single domain that spans two sites, Head Office and
Toronto. The Toronto site is connected to the Head Office site across a high-speed
link. Within the Head Office site, there is a branch office in Winnipeg. This office is
connected to Head Office across a slow link. There are five users in the Winnipeg
office. There is no domain controller in the Winnipeg office, but there is a SQL
server.
This organization has deployed both Windows XP Professional and Windows
Vista computers.
Requirements
All domain computers that have Windows XP Professional installed will have a
small software application distributed through Group Policy.
Domain users should not have access to the desktop display properties. The
Administrators group will be exempt from this restriction.
Both the Winnipeg and Toronto branch users will have further desktop restrictions
applied.
Both branches will have a kiosk computer available in the lobby for public Internet
access. This computer needs to be locked down so that the user cannot change any
settings. The kiosk computer accounts are located in their respective branch OUs.
The computer accounts for all servers other than domain controllers will be
located in the Servers OU or in a nested OU inside the Servers OU. All servers
must have baseline security settings applied.
SQL servers must have additional security settings applied.
Multimedia activity
The "Implementing Group Policy" activity includes multiple choice and drag-and-
drop exercises that test your knowledge. To access the activity, open the Web page
on the Student Materials CD, click Multimedia, and then click Implementing
Group Policy. Read the instructions, and then click the Effects of Group Policy
Settings tab to begin the activity.
Question: How would you construct a Group Policy scheme to satisfy the
requirements?

Lesson 3:
Evaluating the Application of Group Policy
Objects

System administrators need to know how Group Policy settings affect computers
and users in a managed environment. This information is essential when planning
Group Policy for a network, and when debugging existing GPOs. Obtaining the
information can be a complex task when you consider the many combinations of
sites, domains, and organizational units that are possible, and the many types of
Group Policy settings that can exist. Further complicating the task are security-
group filtering, and GPO inheritance, blocking, and enforcement. The Group
Policy Results (GPResult.exe) command-line tool and the GPMC provide reporting
features to simplify these tasks.
What Is Group Policy Reporting?

Key Points
Group Policy Reporting is a feature of Group Policy that makes implementation
and troubleshooting easier. Two main reporting tools are the GPResult.exe
command-line tool, and the Group Policy Results Wizard in the GPMC. The Group
Policy Results feature allows administrators to determine the resultant policy set
that was applied to a given computer and/or user that logged on to that computer.
Although these tools are similar, they each provide different information.
The built-in Windows Firewall must be configured, by using a Group Policy Object
(GPO), to allow the incoming traffic that remote reporting requires. Ironically,
that makes this the one policy you definitely cannot force onto remote computers
whose firewall is already enabled and blocking that traffic.
The policy setting that must be enabled for all of the methods mentioned is the
following:
Computer Settings | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile | "Windows Firewall: Allow remote administration exception"
Question: You want to know which domain controller delivered Group Policy to a
client. Which utility would you use to find that out?

What Is Group Policy Modeling?

Key Points
Another method for testing Group Policy is to use the Group Policy Modeling
Wizard in the GPMC to model environment changes before you actually make
them. The Group Policy Modeling Wizard calculates the simulated net effect of
GPOs. Group Policy Modeling also simulates such things as security group
membership, WMI filter evaluation, and the effects of moving user or computer
objects to a different OU or site. You also can specify slow-link detection, loopback
processing, or both when using the Group Policy Modeling Wizard.
The Group Policy Modeling process actually runs on a domain controller in your
Active Directory domain. Because the wizard never queries the client computer, it
cannot take local policies into account.
Question: What simulations can be performed with the Group Policy Modeling
Wizard? Choose all that apply.
a. Loopback processing
b. Moving a user to a different domain in the same forest
c. Security group filtering
d. Slow link detection
e. WMI filtering
f. All of the above
Demonstration: How to Evaluate the Application of Group
Policy

Key Points
Log on using the WOODGROVEBANK\Administrator account.
Run GPResult.
Use the GPMC to run the Group Policy Reporting Wizard for a User. Examine
the output, and save the report as an HTML file.
Use the GPMC to run the Group Policy Modeling Wizard to simulate what
would happen if the User moved to a different OU, and then compare the
differences.

Question: A user reports that they are unable to access Control Panel. Other users
in the department can access Control Panel. What tools might you use to
troubleshoot the problem?
Lesson 4:
Managing Group Policy Objects

GPMC provides mechanisms for backing up, restoring, migrating, and copying
existing GPOs. This is very important for maintaining your Group Policy
deployments in the event of error or disaster. It helps you avoid manually
recreating lost or damaged GPOs, and having to again go through the planning,
testing, and deployment phases. Part of your ongoing Group Policy operations
plan should include regular backups of all GPOs.
GPMC also provides for copying and importing GPOs, both from the same domain
and across domains.
GPO Management Tasks

Key Points
Like critical data and Active Directory-related resources, you must back up GPOs to
protect the integrity of AD DS and GPOs. The GPMC not only provides the basic
backup and restore options, but also provides additional control over GPOs for
administrative purposes.
You can back up GPOs individually or as a whole with the GPMC.
The restore interface provides the ability for you to view the settings stored in
the backed-up version before restoring it.
Importing a GPO allows you to transfer settings from a backed-up GPO to an
existing GPO. It does not modify the existing security or links on the
destination GPO.
You can copy GPOs using the GPMC, both in the same domain and across
domains.

Note: It is not possible to merge imported settings with the current target GPO settings;
the imported settings will overwrite all existing settings.

Note: It is not possible to copy settings from multiple GPOs into a single GPO.
Question: You perform regular backups of GPOs. An administrator has
inadvertently changed a number of settings on the wrong GPO. What is the
quickest way to fix the problem?

What Is a Starter GPO?

Key Points
Starter GPOs store a collection of Administrative Template policy settings in a
single object. Starter GPOs only contain Administrative Templates. You can import
and export Starter GPOs to distribute them to other areas of your enterprise.
When you create a new GPO from a Starter GPO, the new GPO has all the
Administrative Template settings that the Starter GPO defined. In this way, Starter
GPOs act as templates for creating GPOs, which helps provide consistency in
distributed environments.
Individual Starter GPOs can be exported into .cab files for easy distribution. You
then can import these .cab files back into the GPMC. The GPMC stores Starter
GPOs in a folder named StarterGPOs, which is located in SYSVOL.
Question: List one of the benefits of using Starter GPOs.

Demonstration: Starter GPOs

Key Points
Open the Group Policy Management console.
In the GPMC console tree, click Starter GPOs.
In the results pane, click the Contents tab, and then click Load Cabinet.
In the Load Starter GPO dialog box, click Browse for CAB.
Click the name of the Starter GPO cabinet file that you want to install, and
then click Open.
In the Load Starter GPO dialog box, confirm that the correct Starter GPO
cabinet file is specified, and then click OK.
On the Contents tab, confirm that the name of the Starter GPO that you
installed appears in the list of Starter GPOs. The Starter GPO will be created in
the shared SYSVOL folder found on domain controllers, in all 24 languages in
which Windows Vista and Windows XP SP2 are available.
Demonstration: How to Copy a GPO

Key Points
Use the GPMC to copy the Desktop policy that you created in the previous
demonstration.
Rename the resulting GPO with the name of your choice.
Question: What is the advantage of copying a GPO and linking it to an OU over
linking the original GPO to multiple OUs?

Demonstration: Backing Up and Restoring GPOs

Key Points
Create a folder named GPO_Back to hold the backed up GPOs.
Back up an individual GPO.
Back up all GPOs.
Delete one of the GPOs from the Group Policy folder.
Restore the GPO from the backup version.
Question: What permissions are required to back up a GPO?
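The backup and restore steps above can be scripted so that the regular backups recommended in the lesson introduction run unattended. The following script is an added example, not part of the course material, and assumes the GroupPolicy PowerShell module, which ships with the GPMC on Windows Server 2008 R2 and later (on Windows Server 2008 itself the GPMC console or its sample scripts are used instead). The GPO_Back folder and the Desktop GPO name come from the demonstrations; the C: drive is an assumption.

```powershell
# Added example: back up every GPO into a dated folder, keep a readable report of
# each backed-up version, and restore one GPO from the newest backup set.
Import-Module GroupPolicy

$BackupRoot = 'C:\GPO_Back'                                   # folder from the demonstration
$Target     = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $Target -Force | Out-Null   # one folder per run, nothing overwritten

# Back up all GPOs in the domain. The comment is stored with each backup and
# shows up in the GPMC "Manage Backups" dialog.
$backups = @(Backup-GPO -All -Path $Target -Comment "Scheduled backup $(Get-Date)")
Write-Host "Backed up $($backups.Count) GPOs to $Target"

# Save an HTML settings report beside each backup, so you can review what a
# backed-up version contains before restoring it.
foreach ($b in $backups) {
    $reportFile = Join-Path $Target ("{0}.html" -f $b.DisplayName)
    Get-GPOReport -Guid $b.GpoId -ReportType Html -Path $reportFile
}

# Restore a single GPO (for example one deleted by mistake) from the newest
# backup set under the backup root. Restore-GPO recreates a deleted GPO with
# its original GUID, settings and permissions; links to OUs are not restored.
function Restore-GPOFromLatest {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,
        [string] $Root = $BackupRoot
    )
    $latest = Get-ChildItem -Path $Root |
              Where-Object { $_.PSIsContainer } |
              Sort-Object Name -Descending |
              Select-Object -First 1
    if (-not $latest) { throw "No backup sets found under $Root" }
    Write-Host "Restoring '$Name' from $($latest.FullName)"
    Restore-GPO -Name $Name -Path $latest.FullName
}

# Example restore of the GPO created earlier in this module:
# Restore-GPOFromLatest -Name 'Desktop'
```

Schedule the script with Task Scheduler under an account that has read access to every GPO, and protect the backup folder: a GPO backup contains the full policy, including any scripts and security settings it deploys.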

Demonstration: Importing a GPO

Key Points
Create a new GPO named Redirect.
Configure the Redirect policy to redirect the My Documents folder to a UNC
path of \\server\share.
Back up the Redirect policy.
Create a new GPO named Imported.
Import the policy settings from the Redirect policy to the Imported policy.
When the scan discovers the settings that may need to be modified, create a
new migration table that changes the UNC path from \\server\share to
\\Srv1\docs.
Finish the Import Wizard, and show that the UNC path for My Documents has
changed from \\server\share to \\Srv1\docs.

Question: What is the purpose of a migration table?
Migrating Group Policy Objects

Key Points
The ADMX Migrator allows you to convert custom ADM templates into ADMX
templates. The associated ADML file is also created. Converted files are saved into
the user's Documents folder by default. Once you create the new files, copy the
ADMX file into the PolicyDefinitions folder, or the central store, and copy the
ADML file into the appropriate subfolder. The new Administrative Templates then
become available in the GPMC.
Question: List at least one benefit of using the ADMX Migrator utility.

Lesson 5:
Delegating Administrative Control of Group
Policy

In a distributed environment, it is common to have different groups delegated to
perform different administrative tasks. Group Policy management is one of the
administrative tasks that you can delegate.
Options for Delegating Control of GPOs

Key Points
Delegation allows the administrative workload to be distributed across the
enterprise. One group could be tasked with creating and editing GPOs, while
another group performs reporting and analysis duties. A separate group might be
in charge of WMI filters.
The following Group Policy tasks can be independently delegated:
Creating GPOs
Editing GPOs
Managing Group Policy links for a site, domain, or OU
Performing Group Policy Modeling analyses on a given domain or OU
Reading Group Policy Results data for objects in a given domain or OU
Creating WMI filters in a domain
The Group Policy Creator Owners group lets its members create new GPOs, and
edit or delete GPOs that they have created.
Question: List one of the benefits of the administrator delegating rights to create
new Group Policies.

Demonstration: How to Delegate Administrative Control
of GPOs

Key Points
Use the Delegation of Control Wizard to delegate to a user the right to link an
existing GPO, and to use the Group Policy reporting tools.
Use the GPMC to delegate a different user the right to create Group Policy.
Use the GPMC to delegate the user the right to edit the desktop policy.

Question: A user located in a different domain in your forest needs permission to
create GPOs in your domain. What is the best way to accomplish this?

Lab A: Creating and Configuring GPOs

Scenario
The Woodgrove Bank has decided to implement Group Policy to manage user
desktops and to configure computer security. The organization already
implemented an OU configuration that includes top-level OUs by location, with
additional OUs within each location OU for different departments. User accounts
are in the same container as their workstation computer accounts. Server computer
accounts are spread throughout various OUs.

Note: Some of the tasks in this lab are designed to illustrate GPO management
techniques and settings and may not always follow best practices.
Group Policy Requirements
Domain users will not have access to the Run menu. The policy will apply to
all users except users in the IT Admin OU.
Executives will not have access to the desktop display settings.
The NYC, Miami and Toronto branch users will not have access to the Control
Panel. All branch managers will be exempt from this restriction.
All domain computers will have a mandatory baseline security policy applied
that does not display the name of the last logged on user.
Computers running Windows Vista or Windows XP will have additional
settings applied to wait for the network at startup.
Users in the administrators group will have the URL for Microsoft support
added to their Favorites.
Kiosk computers in the branch offices will have Loopback processing enabled.

Exercise 1: Creating and Configuring Group Policy Objects
You will create and link the GPOs that the enterprise administrators design
specifies. Tasks include modifying the default domain policy, and creating policy
settings linked to specific OUs and sites.
The main tasks are as follows:
1. Start and log on to NYC-DC1.
2. Create the GPOs.
3. Configure GPOs.
4. Link the GPOs.

Task 1: Start the virtual machines and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.
Task 2: Create the group policy settings
Use the GPMC to perform the following:
Create a GPO named Restrict Control Panel.
Create a GPO named Restrict Desktop Display.
Create a GPO named Restrict Run Command.
Create a GPO named Baseline Security.
Create a GPO named Vista and XP Security.
Create a GPO named Admin Favorites.
Create a GPO named Kiosk Computer Security.

Task 3: Configure the policy settings
1. Edit the Baseline Security GPO (Computer Configuration\Policies\Windows
Settings\Security Settings\Local Policies\Security Options\ Interactive logon:
Do not display last user name) so that the name of the last logged on user is
not displayed.
2. Edit the Admin Favorites GPO (User Configuration\Policies\Windows
Settings\Internet Explorer Maintenance\URLs\Favorites and Links) to
include the URL for Microsoft tech support (http://support.microsoft.com) in
the Internet Favorites.
3. Edit the Restrict Desktop Display GPO (User Configuration\Policies
\Administrative Templates\Control Panel\Display\Remove Display in Control
Panel) to prevent access to the desktop display settings.
4. Edit the Kiosk Computer Security GPO (Computer Configuration\Policies
\Administrative Templates\System\Group Policy\User Group Policy
loopback processing mode) to use loopback processing, and to hide and
disable all items on the desktop for the logged on user.
5. Edit the Restrict Control Panel GPO (User Configuration\Policies
\Administrative Templates\Control Panel\Prohibit access to the Control
Panel) to prevent user access to Control Panel.
6. Edit the Restrict Run Command GPO (User Configuration\Policies
\Administrative Templates\Start Menu and Taskbar\Remove Run Menu from
the Start Menu) to prevent access to the Run menu.
7. Edit the Vista and XP Security GPO (Computer Configuration\Policies
\Administrative Templates\System\Logon\Always wait for the network at
computer startup and logon) to ensure that computers wait for the network at
startup.

Task 4: Link the GPOs to the appropriate containers
Use the GPMC to perform the following:
Link the Restrict Run Command GPO to the domain container.
Link the Baseline Security GPO to the domain container.
Link the Vista and XP Security GPO to the domain container.
Link the Kiosk Computer Security GPO to the domain container.
Link the Admin Favorites GPO to the ITAdmins OU.
Link the Restrict Control Panel GPO to the NYC, Miami and Toronto OUs.
Link the Restrict Desktop Display GPO to the Executive OU.

Result: At the end of this exercise, you will have created and configured GPOs.

Exercise 2: Managing the Scope of GPO Application
In this exercise, you will configure the scope of GPO settings based on the
enterprise administrators design. Tasks include disabling portions of GPOs,
blocking and enforcing inheritance, and applying filtering based on security
groups and WMI filters.
The main tasks are as follows:
1. Configure Group Policy management for the domain container.
2. Configure Group Policy management for the IT Admin OU.
3. Configure Group Policy management for the branch OUs.
4. Create and apply a WMI filter for the Vista and XP Security GPO.

Task 1: Configure Group Policy management for the domain container
1. Configure the Baseline Security link to be Enforced, and disable the User
side of the policy.
2. Configure the Vista and XP Security link to be Enforced.
3. Use security group membership filtering to configure the Kiosk Computer
Security GPO to apply only to the Kiosk Computers global group.

Task 2: Configure Group Policy management for the IT Admin OU
Block inheritance at the IT Admin OU, to exempt the ITAdmins users from the
Restrict Run Command GPO.
Task 3: Configure Group Policy management for the branch OUs
Use security group membership filtering to configure the Restrict Control
Panel GPO to deny the Apply Group Policy permission to the following
groups:
Mia_BranchManagersGG
NYC_BranchManagersGG
Tor_BranchManagersGG

Task 4: Create and apply a WMI filter for the Vista and XP Security
GPO
1. Create a new WMI query to retrieve users from the Windows XP and
Windows Vista operating systems.
2. Open GPMC and create a new WMI Filter.
3. Write a query to retrieve Windows XP and Windows Vista users in the
WMI Query box.

Result: At the end of this exercise, you will have configured the scope of GPO settings.
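The lab does not spell out the WQL query behind the WMI filter. The following added example (not part of the course) shows a query that matches Windows XP and Windows Vista computers and runs it locally so you can see which computers the filter would select before linking it to the Vista and XP Security GPO. It assumes Windows PowerShell with WMI access; the function name is arbitrary.

```powershell
# Added example (not part of the course): the WQL query a WMI filter for
# Windows XP (NT 5.1) and Windows Vista (NT 6.0) computers can use.
# WMI filters are evaluated against the computer, not the user. A test on
# Version LIKE "6.0%" alone would also match Windows Server 2008 (same kernel
# version), so ProductType = 1 restricts the match to workstations. Windows XP
# x64 reports version 5.2 (shared with Windows Server 2003) and is not matched.
$WmiFilterQuery = 'SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "5.1%" OR Version LIKE "6.0%") AND ProductType = 1'

function Test-WmiFilterQuery {
    param(
        [string]$Query = $WmiFilterQuery,
        [string]$ComputerName = '.'     # '.' is the local computer
    )
    # Get-WmiObject -Query evaluates the same WQL the Group Policy client
    # evaluates; a non-empty result means the filtered GPO would apply here.
    $result = Get-WmiObject -Query $Query -ComputerName $ComputerName -ErrorAction Stop
    if ($result) {
        Write-Host ("{0}: filter matches ({1}, version {2})" -f $ComputerName, $result.Caption, $result.Version)
        return $true
    }
    Write-Host ("{0}: filter does not match" -f $ComputerName)
    return $false
}

# Check the lab client before linking the filter to the GPO.
Test-WmiFilterQuery -ComputerName 'NYC-CL1'
```

Paste the value of $WmiFilterQuery into the WMI Query box of the new filter; the Group Policy client evaluates the same query at policy processing time.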

Lab B: Verifying and Managing GPOs

Scenario
The enterprise administrator has created a GPO deployment plan. You have been
asked to create GPOs so that certain policies can be applied to all domain objects.
Some policies are considered mandatory. You also want to create policy settings
that will apply only to subsets of the domain's objects, and you want to have
separate policies for computer settings and user settings. You must delegate GPO
administration to administrators within each company location.

Note: Some of the tasks in this lab are designed to illustrate GPO management
techniques and settings and may not always follow best practices.
Group Policy Requirements
Domain users will not have access to the Run menu. The policy will apply to
all users except users in the IT Admin OU.
Executives will not have access to the desktop display settings.
The NYC, Miami and Toronto branch users will not have access to the Control
Panel. All branch managers will be exempt from this restriction.
All domain computers will have a mandatory baseline security policy applied
that does not display the name of the last logged on user.
Computers running Windows Vista or Windows XP will have additional
settings applied to wait for the network at startup.
Users in the administrators group will have the URL for Microsoft support
added to their Favorites.
Kiosk computers in the branch offices will have Loopback processing enabled.

Exercise 1: Verifying GPO Application
In this exercise, you will test the application of GPOs to ensure that the GPOs are
being applied as the design specifies. Students will log on as specific users, and
also use Group Policy Modeling and Resultant Set of Policy (RSoP) to verify that
GPOs are being applied correctly.
The main tasks are as follows:
1. Start NYC-CL1.
2. Verify that a Miami branch user is receiving the correct policy.
3. Verify that a Miami Branch Manager is receiving the correct policy.
4. Verify that a user in the IT Admin OU is receiving the correct policy.
5. Verify that a user in the Executive OU is receiving the correct policy.
6. Verify that the username does not appear.
7. Use Group Policy modeling to test kiosk computer settings.
Task 1: Start NYC-CL1
Log on to NYC-CL1 as WOODGROVEBANK\Anton with the password
Pa$$w0rd.

Task 2: Verify that a Miami branch user is receiving the correct policy
1. Ensure that there is no link to the Run menu in the Accessories folder on the
Start menu.
2. Ensure that there is no link to Control Panel on the Start menu.
3. Log off.

Task 3: Verify that a Miami Branch Manager is receiving the correct
policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Roya with the password
Pa$$w0rd.
2. Ensure that there is no link to the Run menu in the Accessories folder on the
Start menu.
3. Ensure that a link to Control Panel appears on the Start menu.
4. Log off.

Task 4: Verify that a user in the IT Admin OU is receiving the correct
policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Betsy with the password
Pa$$w0rd.
2. Ensure that a link to the Run menu appears in the Accessories folder on the
Start menu.
3. Ensure that a link to Control Panel appears on the Start menu.
4. Launch Internet Explorer, open the Favorites pane, and then ensure that the
link to Tech Support appears.
5. Log off.
Task 5: Verify that a user in the Executive OU is receiving the correct
policy
1. Log on to NYC-CL1 as Chase with the password Pa$$w0rd.
2. Ensure that there is no link to the Run menu in the Accessories folder on the
Start menu.
3. Ensure that a link to Control Panel appears on the Start menu.
4. Ensure that there is no access to the desktop display settings.
Hint: When you attempt to access display settings you will receive a message
informing you that this has been disabled.

5. Log off.

Task 6: Verify that the last logged on username does not appear
Verify that the last logged on username does not appear.

Task 7: Use Group Policy modeling to test kiosk computer settings
1. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
2. Launch the GPMC, right-click the Group Policy Modeling folder, click Group
Policy Modeling Wizard, and then click Next twice.
3. On the User and Computer Selection screen, click Computer and enter
Woodgrovebank\NYC-CL1, and then click Next three times.
4. In the Computer Security Groups screen, click Add.
5. In the Select Groups dialog box, type Kiosk Computers, and then click Next.
6. In the WMI Filters for Computers screen, click Next twice, click Finish and
then view the report.

Result: At the end of this exercise, you will have tested and verified a GPO application.
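The verification tasks above are done by clicking through the Start menu. As an added example (not part of the course), the following script checks the same outcome by reading the registry values that the lab's policy settings write; run it on NYC-CL1 as the user under test, because the user-side settings live in HKCU. It assumes Windows PowerShell 2.0 or later; the function names are arbitrary.

```powershell
# Added example (not part of the course): check GPO application on NYC-CL1 by
# reading the registry locations that the lab's Administrative Template and
# Security Option settings write to.

# One entry per lab requirement. Expected is a list because loopback
# processing has two valid modes.
$Checks = @(
    @{ Setting = 'Remove Run menu (Restrict Run Command)'
       Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoRun'; Expected = @(1) }
    @{ Setting = 'Prohibit access to Control Panel (Restrict Control Panel)'
       Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoControlPanel'; Expected = @(1) }
    @{ Setting = 'Remove Display in Control Panel (Restrict Desktop Display)'
       Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'NoDispCPL'; Expected = @(1) }
    @{ Setting = 'Do not display last user name (Baseline Security)'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DontDisplayLastUserName'; Expected = @(1) }
    @{ Setting = 'Always wait for the network (Vista and XP Security)'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'SyncForegroundPolicy'; Expected = @(1) }
    @{ Setting = 'Loopback processing (Kiosk Computer Security)'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value = 'UserPolicyMode'; Expected = @(1, 2) }   # 1 = Merge, 2 = Replace
)

function Get-PolicyValue {
    param([string]$Key, [string]$Value)
    # Returns $null when either the key or the value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Value
}

function Test-LabPolicy {
    param([object[]]$Checks)
    $results = foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Key $c.Key -Value $c.Value
        # A missing value means the setting is Not Configured, or Disabled, in
        # every GPO that reached this user or computer. Both leave the default
        # behaviour, so a missing value is never reported as applied.
        $applied = ($null -ne $actual) -and ($c.Expected -contains $actual)
        $shown = $actual
        if ($null -eq $actual) { $shown = '<absent>' }
        New-Object PSObject -Property @{ Setting = $c.Setting; Actual = $shown; Applied = $applied }
    }
    $results | Format-Table Setting, Actual, Applied -AutoSize | Out-Host
    return $results
}

Test-LabPolicy -Checks $Checks | Out-Null
```

For a user the design exempts (a branch manager such as Roya for Control Panel, or Betsy in the IT Admin OU for the Run menu) the matching row should read <absent>; that is the expected outcome, not a failure.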

Exercise 2: Managing GPOs
In this exercise, you will use the GPMC to back up, restore, and import GPOs.
The main tasks are as follows:
1. Back up an individual policy.
2. Back up all GPOs.
3. Delete and restore an individual GPO.
4. Import a GPO.

Task 1: Back up an individual policy
1. Create a folder named C:\GPOBackup.
2. In the GPMC, open the Group Policy Objects folder.
3. Right-click the Restrict Control Panel policy, and then click Backup.
4. Browse to C:\GPOBackup.
5. Click Backup, and then click OK after the backup succeeds.

Task 2: Back up all GPOs
1. Right-click the Group Policy Objects folder and then click Back Up All.
2. Ensure that C:\GPOBackup is the backup location. Confirm the deletion.

Task 3: Delete and restore an individual GPO
1. Right-click the Admin Favorites policy and then click Delete. Click Yes and
then click OK when the deletion succeeds.
2. Right-click the Group Policy Objects folder and then click Manage Backups.
3. Restore the Admin Favorites GPO.
4. Confirm that the Admin Favorites policy appears in the Group Policy Objects
folder.
Task 4: Import a GPO
1. Create a new GPO named Import in the Group Policy Objects folder.
2. Right-click the Import GPO, and then click Import Settings.
3. In the Import Settings Wizard, click Next.
4. On the Backup GPO window, click Next.
5. Ensure the Backup folder location is C:\GPOBackup.
6. On the Source GPO screen, click Restrict Control Panel, and then click Next.
7. Finish the Import Settings wizard.
8. Click Import GPO, click the Settings tab, and then ensure that the Restrict
Access to Control Panel setting is Enabled.

Result: At the end of this exercise, you will have backed up, restored, and imported
GPOs.
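The backup, restore and import steps of this exercise, and the migration-table step of the Importing a GPO demonstration earlier in the module, can also be scripted. The following is an added example (not course code) that uses the GroupPolicy PowerShell module; that module ships with Windows Server 2008 R2 and its RSAT, not with Windows Server 2008 RTM, so it assumes a newer management host. The .migtable content and its file name are constructed for this example.

```powershell
# Added example (not part of the course): Lab B Exercise 2 and the migration
# table from the Importing a GPO demonstration, done with the GroupPolicy module.
Import-Module GroupPolicy

$BackupPath = 'C:\GPOBackup'
if (-not (Test-Path $BackupPath)) { New-Item -ItemType Directory -Path $BackupPath | Out-Null }

# Tasks 1 and 2: back up one GPO, then all of them. Backing up a GPO requires
# Read permission on it; the backup contains every setting, so protect the
# backup folder as you would the GPOs themselves.
Backup-GPO -Name 'Restrict Control Panel' -Path $BackupPath -Comment 'Lab B single GPO' | Out-Null
Backup-GPO -All -Path $BackupPath -Comment 'Lab B full backup' | Out-Null

# Task 3: delete a GPO, then bring it back from its most recent backup.
Remove-GPO -Name 'Admin Favorites' -Confirm:$false
Restore-GPO -Name 'Admin Favorites' -Path $BackupPath | Out-Null

# Migration table for the demonstration: rewrite the Folder Redirection target
# \\server\share to \\Srv1\docs while importing. Type values GPMC understands
# include UNCPath, User, Computer, GlobalGroup, UniversalGroup and LocalGroup;
# GPMC writes these files as UTF-16, hence -Encoding Unicode.
$MigTable = Join-Path $BackupPath 'srv1-docs.migtable'   # constructed name
@'
<?xml version="1.0" encoding="utf-16"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\server\share</Source>
    <Destination>\\Srv1\docs</Destination>
  </Mapping>
</MigrationTable>
'@ | Set-Content -Path $MigTable -Encoding Unicode

# Import the settings of the backed-up Redirect GPO (created in the
# demonstration and included in the -All backup above) into Imported.
# -CreateIfNeeded creates the target GPO when it does not exist yet.
Import-GPO -BackupGpoName 'Redirect' -TargetName 'Imported' -Path $BackupPath `
           -MigrationTable $MigTable -CreateIfNeeded | Out-Null

# Verify: the report of the imported GPO should now reference \\Srv1\docs.
$report = Get-GPOReport -Name 'Imported' -ReportType Xml
if ($report -match '\\\\Srv1\\docs') { 'Migration table applied' } else { 'UNC path was not rewritten' }
```

Task 4 of the exercise is the same Import-GPO call with -BackupGpoName 'Restrict Control Panel' -TargetName 'Import' and no migration table, since that GPO contains no paths or principals to translate.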

Exercise 3: Delegating Administrative Control of GPOs
In this exercise, you will delegate administrative control of GPOs based on the
enterprise administrator design. Tasks include configuring permissions to create,
edit and link GPOs. You will then test the permissions configuration.
The main tasks are as follows:
1. Grant Betsy the right to create GPOs in the domain.
2. Delegate the right to edit the Import GPO to Betsy.
3. Delegate the right to link GPOs to the Executives OU to Betsy.
4. Enable Domain Users to log on to domain controllers.
5. Test the delegation.
6. Close all virtual machines and discard undo disks.

Task 1: Grant Betsy the right to create GPOs in the domain
1. Select the Group Policy Objects folder and then click the Delegation tab, and
then click Add.
2. In the Select Users dialog box, type Betsy in the Object name field, and then
click OK.

Task 2: Delegate the right to edit the Import GPO to Betsy
1. In the Group Policy Objects folder, select Import GPO, click the Delegation
tab, and then click Add.
2. In the Select Users dialog box, type Betsy in the Object name field and then
click OK.
3. In the Add Group or User dialog box, select Edit Settings from the drop-
down list, and then click OK.
Task 3: Delegate the right to link GPOs to the Executives OU to Betsy
1. Select the Executives OU, then click the Delegation tab, and then click Add.
2. In the Select Users dialog box, type Betsy in the Object name field, and then
click OK.
3. In the Add Group or User dialog box select This container only, and then
click OK.

Task 4: Enable Domain Users to log on to domain controllers

Note: This step is included in the lab to enable you to test the delegated permissions. As
a best practice, you should install the administration tools on a Windows workstation
rather than enable Domain Users to log on to domain controllers.
1. On NYC-DC1, start Group Policy Management, and then edit the Default
Domain Controllers Policy.
2. In the Group Policy Management Editor window, access the User Rights
Assignment folder.
3. Double-click Allow log on locally. In the Allow log on locally Properties
dialog box, click Add User or Group.
4. Grant the Domain Users group the log on locally right.
5. Open a command prompt, type GPUpdate /force, and then press ENTER.

Task 5: Test the delegation
1. Log on to NYC-CL1 as Betsy.
2. Create a Group Policy Management Console.
3. Right-click the Group Policy Objects folder, and then click New.
4. Create a new policy named Test. This operation will succeed.
5. Right-click Import GPO, and then click Edit. This operation will succeed.
6. Right-click Executives OU, and link the Test GPO to it. This operation will
succeed.
7. Right-click the Admin Favorites policy, and attempt to edit it. This operation
is not possible.
8. Close the GPMC.

Task 6: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have backed up, restored, and imported
GPOs.
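The three delegations in this exercise map to three different mechanisms (group membership, a GPO ACL, and two attribute ACEs on the OU), which is easier to see from the command line. The following is an added example (not course code); it assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 / RSAT or later), the dsacls.exe that ships with Windows Server, and an OU distinguished name derived from the lab's Executives OU and WoodgroveBank.com domain.

```powershell
# Added example (not part of the course): Lab B Exercise 3 delegations, each
# followed by a read-back of what was granted.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$User     = 'Betsy'
$Domain   = 'WOODGROVEBANK'
$ExecOuDn = 'OU=Executives,DC=WoodgroveBank,DC=com'   # assumed DN

# Task 1: the right to create GPOs in the domain. For a user of this domain,
# GPMC implements this by adding the user to Group Policy Creator Owners,
# whose members can create GPOs and edit or delete only the ones they created.
# (A global group cannot hold users from another domain; for those, GPMC grants
# the create right directly on the Group Policy Objects container.)
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $User

# Task 2: Edit Settings on one GPO only; no delete and no security changes.
Set-GPPermission -Name 'Import' -TargetName $User -TargetType User `
                 -PermissionLevel GpoEdit | Out-Null

# Task 3: link GPOs to the Executives OU, "This container only". Link
# management is write access to the gPLink and gPOptions attributes of the OU,
# which GPMC grants as two property-specific ACEs. Without /I: the ACEs apply
# to this object only, matching the lab's choice.
& dsacls $ExecOuDn /G "${Domain}\${User}:WP;gPLink" /G "${Domain}\${User}:WP;gPOptions"

# Read back the GPO-level rights. Task 5 expects editing Import to succeed and
# editing Admin Favorites to fail, so the second call should report None.
function Get-DelegatedLevel {
    param([string]$GpoName, [string]$Principal)
    $perm = Get-GPPermission -Name $GpoName -TargetName $Principal -TargetType User -ErrorAction SilentlyContinue
    if ($perm) { return $perm.Permission } else { return 'None' }
}
Get-DelegatedLevel -GpoName 'Import'          -Principal $User   # expected: GpoEdit
Get-DelegatedLevel -GpoName 'Admin Favorites' -Principal $User   # expected: None
```

Test the result from a workstation with the management tools installed rather than from the domain controller, which avoids the Task 4 change to Allow log on locally on the Default Domain Controllers Policy.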

Module Review and Takeaways

Considerations
Keep the following considerations in mind when creating and configuring Group
Policy:
Create multiple local Group Policy objects when necessary
Upgrade and replace ADM files or use ADMX and ADML files for better
extensibility
Utilize different methods to control Group Policy, inheritance, filtering,
enforcement
Use the correct Group Policy tools and reporting to enhance Group Policy
maintenance
Review Questions
1. You want to force the application of certain Group Policy settings across a slow
link. What can you do?
2. You need to ensure that a domain level policy is enforced, but the Managers
global group needs to be exempt from the policy. How would you accomplish
this?
3. You want all GPOs that contain user settings to have certain Administrative
Templates enabled. You need to be able to send those policy settings to other
administrators in the enterprise. What is the best approach?
4. You want to control access to removable storage devices on all client
workstations through Group Policy. Can you use Group Policy to do this?

Configure User and Computer Environments By Using Group Policy 7-1
Module 7
Configure User and Computer Environments By
Using Group Policy
Contents:
Lesson 1: Configuring Group Policy Settings 7-3
Lesson 2: Configuring Scripts and Folder Redirection Using Group Policy 7-7
Lab A: Configuring Logon Scripts and Folder Redirection Using
Group Policy 7-13
Lesson 3: Configuring Administrative Templates 7-17
Lab B: Configuring Administrative Templates 7-23
Lesson 4: Deploying Software Using Group Policy 7-28
Lab C: Deploying Software with Group Policy 7-36
Lesson 5: Configuring Group Policy Preferences 7-39
Lab D: Configuring Group Policy Preferences 7-44
Lesson 6: Introduction to Group Policy Troubleshooting 7-48
Lesson 7: Troubleshooting Group Policy Application 7-55
Lesson 8: Troubleshooting Group Policy Settings 7-67
Lab E: Troubleshooting Group Policy Issues 7-71
Module Overview

This module introduces the job function of configuring the user environment
using Group Policy. Specifically, this module provides the skills and knowledge
that you need to use Group Policy to configure Folder Redirection, as well as how
to use scripts. You also will learn how Administrative Templates affect Microsoft
Windows Vista and Windows Server 2008, and how to deploy software using
Group Policy.
This module also describes troubleshooting procedures for Group Policy
processing clients and computers. These troubleshooting procedures may include
incorrect or incomplete policy settings, or lack of policy application to the
computer or user. You will learn the knowledge and skills necessary for
troubleshooting these issues.
Lesson 1
Configuring Group Policy Settings

Group Policy can deliver many different types of settings. Some settings are simply a
matter of turning them on, while others are more complex to configure. In
addition, Group Policy can be used to deploy software to some or all users in an
organization. Using Group Policy to deploy software can reduce the effort required
to keep computers up to date with required software. This lesson will describe how
to configure the various Group Policy settings.
Options for Configuring Group Policy Settings

Key Points
For a Group Policy setting to have an effect, you must configure it. Most Group
Policy settings have three states. They are:
Enabled: For example, to prevent access to Control Panel, you would enable
the policy setting Prohibit access to the Control Panel.
Disabled: For example, if you disable the Prohibit access to the Control Panel
at the child container level, you specifically are allowing access to Control
Panel.
Not Configured: A Group Policy setting that is set to Not Configured means
that the normal default behavior will be enforced, and that particular Group
Policy will have no effect on that setting.
You also must configure values for some Group Policy settings. For example, to
configure restricted group-membership you need to provide values for the groups
and users.
Question: A domain level policy restricts access to the Control Panel. You want the
users in the Admin organizational unit (OU) to have access to the Control Panel,
but you do not want to block inheritance. How could you accomplish this?

Demonstration: Configuring Group Policy Settings Using
the Group Policy Editor

Key Points
Create and link a GPO to configure Windows Update settings.
Log on to client computer and test results.
Question: How could you prevent a lower-level policy from reversing the setting of
a higher-level policy?

Lesson 2
Configuring Scripts and Folder Redirection
Using Group Policy

Windows Server 2008 enables you to use Group Policy to deploy scripts to users
and computers. You can also redirect folders that the user's profile includes, from
the users' local hard disks to a central server.
What Are Group Policy Scripts?

Key Points
You can use Group Policy scripts to perform any number of tasks. There may be
actions that you need performed every time a computer starts or shuts down, or
when users log off or on. For example, you can use scripts to:
Clean up desktops when users log off and shut down computers.
Delete the contents of temporary directories.
Map drives or printers.
Set environment variables.

For many of these settings, using Group Policy Preferences is a better alternative to
configuring them in Microsoft Windows images or using logon scripts. Group
Policy Preferences is covered in more detail later in this module.
Question: You keep logon scripts in a shared folder on the network. How could
you ensure that the scripts will always be available to users from all locations?
Demonstration: Configuring Scripts with Group Policy

Key Points
Create a login script that uses the command net use t: \\nyc-dc1\data.
Create and link a GPO to configure a logon script using the script you just
created.
Log on to client computer and test results.

Question: What other method could you use to assign logon scripts to users?

What Is Folder Redirection?

Key Points
Folder Redirection makes it easier for you to manage and back up data. By
redirecting folders, you can ensure user access to data regardless of the computers
to which they log on.
When you redirect folders, you change the folder's storage location from the
local hard disk of the user's computer to a shared folder on a network file server.
After you redirect a folder to a file server, it still appears to the user as if it is
stored on the local hard disk.

Question: List some disadvantages of folder redirection.

Folder Redirection Configuration Options

Key Points
There are three available settings for Folder Redirection: none, basic, and
advanced.
Basic folder redirection is for users who must redirect their folders to a
common area or users who need their data to be private.
Advanced redirection allows you to specify different network locations for
different Active Directory security groups.

Question: Users in the same department often log on to different computers. They
need access to their My Documents folder. They also need the data to be private.
What folder redirection setting would you choose?

Security Settings for Redirected Folders

Key Points
While you must manually create a shared network folder in which to store the
redirected folders, Folder Redirection can create the users' redirected folders for
you.
When you use this option, the correct permissions are set automatically.
If you manually create folders, you must know the correct permissions.

Question: What steps could you take to protect the data while it is in transit
between the client and the server?

Lab A: Configuring Logon Scripts and Folder
Redirection Using Group Policy

Exercise 1: Configure Logon Scripts and Folder Redirection
Scenario
Woodgrove Bank has decided to implement Group Policy to manage user
desktops. The organization has already implemented an organizational unit (OU)
configuration that includes top-level OUs grouped by location, with additional
OUs within each location for different departments.
You have been tasked to create a script that will map a network drive to the shared
folder named Data on NYC-DC1. Then you will use Group Policy to assign the
script to all users in Toronto, Miami, and NYC OUs. The script needs to be stored
in a highly available location. You also will set permissions to share and secure a
folder on NYC-DC1. The Documents folder for all members of the Executive OU
will be redirected there.
The main tasks for this exercise are:
1. Start the 6419A-NYC-DC1 virtual machine and log on.
2. Review the logon script to map a network drive.
3. Configure and link the Logon Script GPO.
4. Share and secure a folder for the Executives group.
5. Redirect the Documents folder for the Executives group.
6. Start the 6419A-NYC-CL1 virtual machine, and then log on as
WOODGROVEBANK\Tony.
7. Observe the applied settings while logged on as a user in the Executives OU.

Task 1: Start the 6419A-NYC-DC1 virtual machine and log on as
WOODGROVEBANK\Administrator
Start NYC-DC1, and then log on as WOODGROVEBANK\Administrator
using the password Pa$$w0rd.

Task 2: Review the logon script to map a network drive
1. On NYC-DC1, browse to E:\Mod07\LabFiles\Scripts.
2. Review the Map.bat script, and then copy it to the clipboard.

Task 3: Configure and link the Logon Script GPO
1. Open Group Policy Management, and then create a new GPO named Logon
Script, linked to the WoodgroveBank.com domain.
2. Configure the Logon Script GPO with the following settings:
Under User Configuration, Policies, Windows Settings, Scripts
(Logon/Logoff), double-click Logon.
Paste the Map.bat logon script from the clipboard.
Task 4: Share and secure a folder for the Executives group
1. In Windows Explorer, browse to E:\Mod07\Labfiles.
2. Share the ExecData folder and set the following permissions:
Remove the Everyone group.
Add the Executives_WoodgroveGG group with full control.
On the Security tab, click Advanced.
Remove all users and groups except for CREATOR OWNER and
SYSTEM.
Add the Executives_WoodgroveGG group and apply the settings to this
folder only.
For Executives_WoodgroveGG, allow the List folder / read data and
Create folders / append data permissions.

Task 5: Redirect the Documents folder for the Executives group
1. In the Group Policy Management window, create a new GPO named
Executive Redirection, linked to the Executives OU.
2. Configure the Executive Redirection GPO with the following settings:
Under User Configuration, Policies, Windows Settings, Folder
Redirection, modify Documents.
Select the Basic - Redirect everyone's folder to the same location option.
In the Root Path field, type \\NYC-DC1\ExecData.
Task 6: Start the 6419A-NYC-CL1 virtual machine, and then log on as
WOODGROVEBANK\Tony
Start NYC-CL1, and then log on as WOODGROVEBANK\Tony using the
password Pa$$w0rd.

Task 7: Observe the applied settings while logged on as a user in the
Executives OU
1. Verify that the J: drive is mapped to the Data share on NYC-DC1.
2. In Documents Properties, verify the location is \\NYC-DC1\ExecData\Tony.

Result: At the end of this exercise, you will have configured logon scripts and folder
redirection.
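The share and NTFS permissions that Task 4 sets by hand, and that the "Security Settings for Redirected Folders" topic says you must get right when you create the folder yourself, can be applied from a script. The following is an added example and not part of the courseware; it assumes an elevated PowerShell session on NYC-DC1, that E:\Mod07\Labfiles\ExecData exists, and that WOODGROVEBANK\Executives_WoodgroveGG exists.

```powershell
# Added example, not from the 6419A courseware: a scripted form of Lab A, Task 4.
# Shares E:\Mod07\Labfiles\ExecData as ExecData and sets the NTFS permissions
# that a Folder Redirection root needs. Run elevated on NYC-DC1.

$Folder    = 'E:\Mod07\Labfiles\ExecData'
$ShareName = 'ExecData'
$Group     = 'WOODGROVEBANK\Executives_WoodgroveGG'

if (-not (Test-Path -Path $Folder -PathType Container)) {
    throw "$Folder does not exist; create it before running this script."
}

# --- Share permissions: Everyone removed, executives group Full Control ---------
# Re-creating the share guarantees its ACL contains only what is granted here.
# (net share /GRANT is available on Windows Server 2008 and later.)
if (Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'") {
    net share $ShareName /DELETE | Out-Null
}
net share "$ShareName=$Folder" "/GRANT:$Group,FULL" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net share failed (exit code $LASTEXITCODE)" }

# --- NTFS permissions: inheritance off, every existing ACE removed --------------
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited ACEs
foreach ($existing in $acl.Access) {          # drop the explicit ACEs as well
    [void]$acl.RemoveAccessRuleAll($existing)
}

function New-Ace {
    param([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

# CREATOR OWNER: Full Control on subfolders and files only. Folder Redirection
# creates each user's folder with that user as owner, so every user ends up with
# full control of their own folder and no access to anyone else's.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
# SYSTEM: Full Control on this folder, subfolders and files.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
# Executives group, this folder only: List folder / read data (ListDirectory) and
# Create folders / append data (CreateDirectories). Enough to create and find their
# own folder, not enough to open another user's.
$acl.AddAccessRule((New-Ace $Group 'ListDirectory, CreateDirectories' 'None' 'None'))

Set-Acl -Path $Folder -AclObject $acl

# --- Read the result back so it can be compared with the lab's list --------------
Get-Acl -Path $Folder | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Because the folder no longer inherits permissions, administrators lose their implicit access; that is intended for a redirection root, and the owner can still take ownership if recovery is needed.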

Lesson 3
Configuring Administrative Templates

The Administrative Template files provide the majority of available policy
settings, which are designed to modify specific registry keys. This is known as
registry-based policy. For many applications, the use of registry-based policy that
the Administrative Template files deliver is the simplest and best way to support
centralized management of policy settings. In this lesson, you will learn how to
configure Administrative Templates.
What Are Administrative Templates?

Key Points
Administrative Templates allow you to control the environment of the operating
system and user experience. There are two sets of Administrative Templates: one
for users, and one for computers.
Administrative Templates are the primary means of configuring the client
computers' registry settings through Group Policy.
Administrative Templates are a repository of registry-based changes.
By using the administrative template sections of the GPO, you can deploy
hundreds of modifications to the computer (the HKEY_LOCAL_MACHINE
hive in the registry) and user (the HKEY_CURRENT_USER hive in the
registry) portions of the registry.

Question: What sections of the Administrative Templates will you find most useful
in your environment?
Demonstration: Configuring Administrative Templates

Key Points
On NYC-DC1, edit the Demo GPO.
Under Computer Configuration, under Internet Explorer, disable the ability to
delete browsing history.
Under User Configuration, hide the Screen Saver tab.
On NYC-CL1, log on as WOODGROVEBANK\Administrator and then review
the settings.
Question: You need to ensure that Windows Messenger is never allowed to run on
a particular computer. How could you use Administrative Templates to implement
this?

Modifying Administrative Templates

Key Points
Because ADMX files are XML based, you can use any text editor to edit or create
new ADMX files.
There are programs that are XML-aware (such as Microsoft Visual Studio)
that administrators or developers can use to create or modify ADMX files.
Once you have a valid ADMX file, you need only to place it in the Policy
Definitions folder, or in the Central Store, if one exists.


Tip: Leave the default ADMX files untouched, and create your own customized versions
for custom settings.
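A custom template is just an ADMX file (the setting definitions) plus an ADML file (its display strings), so both can be generated, checked and published from PowerShell. The following is an added example and not part of the courseware; it assumes the domain WoodgroveBank.com with write access to SYSVOL, and the setting it defines (WoodgroveHideHelpLink and its registry key) is hypothetical.

```powershell
# Added example, not from the 6419A courseware: create a custom ADMX/ADML pair,
# check it, and place it in the Central Store (or the local PolicyDefinitions
# folder when there is no Central Store), leaving the default ADMX files untouched.
# The policy "WoodgroveHideHelpLink" and its registry key are invented for this example.

$Domain       = 'WoodgroveBank.com'
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$BaseName     = 'WoodgroveCustom'

# Single-quoted here-strings: PowerShell must not expand the $(string.X) references.
$admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <!-- Our own namespace; the 'windows' prefix lets us reuse supportedOn entries
         defined in the built-in Windows.admx. -->
    <target prefix="woodgrove" namespace="WoodgroveBank.Policies.Custom" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <!-- Shown as a folder under Administrative Templates in the GPO editor. -->
    <category name="WoodgroveCustom" displayName="$(string.WoodgroveCustom)" />
  </categories>
  <policies>
    <!-- Enabled writes DWORD 1, Disabled writes 0, Not Configured removes the value.
         The key sits under Software\Policies, one of the locations the registry
         CSE cleans up when the GPO no longer applies (no "tattooing"). -->
    <policy name="WoodgroveHideHelpLink" class="User"
            displayName="$(string.WoodgroveHideHelpLink)"
            explainText="$(string.WoodgroveHideHelpLink_Help)"
            key="Software\Policies\WoodgroveBank\Custom" valueName="HideHelpLink">
      <parentCategory ref="WoodgroveCustom" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

$adml = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>Woodgrove Bank custom settings</displayName>
  <description>Custom registry-based settings for Woodgrove Bank desktops</description>
  <resources>
    <stringTable>
      <string id="WoodgroveCustom">Woodgrove Bank</string>
      <string id="WoodgroveHideHelpLink">Hide the intranet help link</string>
      <string id="WoodgroveHideHelpLink_Help">If you enable this setting, the intranet help link is hidden. If you disable or do not configure it, the link is shown.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

# Check before publishing: a malformed or inconsistent file in the Central Store
# produces an error for every administrator who opens a GPO in the editor.
$admxDoc = [xml]$admx      # throws if the XML is not well formed
$admlDoc = [xml]$adml
$ids  = @($admlDoc.policyDefinitionResources.resources.stringTable.string | ForEach-Object { $_.id })
$refs = [regex]::Matches($admx, '\$\(string\.(\w+)\)') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
$missing = @($refs | Where-Object { $ids -notcontains $_ })
if ($missing.Count -gt 0) { throw "ADML has no string for: $($missing -join ', ')" }

# Publish: Central Store if one exists, otherwise the local PolicyDefinitions folder.
$target  = if (Test-Path -Path $CentralStore) { $CentralStore } else { Join-Path $env:SystemRoot 'PolicyDefinitions' }
$langDir = Join-Path $target 'en-US'
if (-not (Test-Path -Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }
Set-Content -Path (Join-Path $target "$BaseName.admx")  -Value $admx -Encoding UTF8
Set-Content -Path (Join-Path $langDir "$BaseName.adml") -Value $adml -Encoding UTF8
Write-Host "Published $BaseName.admx and $BaseName.adml to $target"
```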

Demonstration: Adding Custom Administrative Templates

Key Points
Add a custom ADM file.
Copy sample ADMX files to the central store.
Review custom ADMX files.

Question: Can you still use custom ADM files to deliver Group Policy settings in
Windows Server 2008?
Question: What are two differences between ADM and ADMX files?

Discussion: Options for Using Administrative Templates

Key Points
You should consider creating a policy setting for the following purposes:
To help administrators manage and increase security of their desktop
computers.
To hide or disable a user interface that can lead users into a situation in which
they must call the helpdesk for support.
To hide or disable new behavior that might confuse users. A policy setting
created for this purpose allows administrators to manage the introduction of
new features until after user training has taken place.
To hide settings and options that might take up too much of users' time.
Lab B: Configuring Administrative Templates

Exercise 1: Configure Administrative Templates
Scenario
You have been asked to configure several Group Policy settings to control the user
environment and make the desktop more secure. You'll also modify the Default
Domain Policy to allow remote administration through the firewall, allowing you to
run Group Policy Results queries against target computers in the domain.
The main tasks for this exercise are:
1. Modify the Default Domain Policy to allow remote administration through the
firewall for all domain computers.
2. Create and assign a GPO to prevent the installation of removable devices.
3. Create and assign a GPO to encrypt offline files for executive computers.
4. Create and assign a domain-level GPO for all domain users.
5. Create and assign a policy to limit profile size and turn off Windows Sidebar
for branch users.
Task 1: Modify the Default Domain Policy to allow remote administration
through the firewall for all domain computers
On NYC-DC1, in the Group Policy Management console pane, configure the
Default Domain Policy GPO with the following settings:
Under Computer Configuration, Policies, Administrative Templates,
Network, Network Connections, Windows Firewall, Domain Profile,
enable Windows Firewall: Allow inbound remote administration
exception.
Under System, Group Policy, enable Group Policy slow link detection
and assign a Connection speed value of 800 Kbps.

Result: At the end of this task, you will have enabled remote administration through
the firewall. This allows the Group Policy Results Wizard to query target computers.

Task 2: Create and assign a GPO to prevent the installation of
removable devices
1. In the Group Policy Management window, create a new GPO named Prevent
Removable Devices, linked to the Miami, NYC, and Toronto OUs.
2. Configure the Prevent Removable Devices GPO with the following settings:
Under Computer Configuration, Policies, Administrative Templates,
System, Device Installation, Device Installation Restrictions, enable
Prevent installation of removable devices.

Task 3: Create and assign a GPO to encrypt offline files for executive
computers
1. In the Group Policy Management window, create a new GPO named Encrypt
Offline Files, linked to the Executives OU.
2. Configure the Encrypt Offline Files GPO with the following settings:
Under Computer Configuration, Policies, Administrative Templates,
Network, Offline Files, enable Encrypt the Offline Files cache.
Task 4: Create and assign a domain-level GPO for all domain users
1. In the Group Policy Management window, create a new GPO named All Users
Policy, linked to the WoodgroveBank.com domain.
2. Configure the All Users Policy GPO with the following settings:
Under User Configuration, Policies, Administrative Templates, System,
enable Prevent access to registry editing tools.
Under Start Menu and Taskbar, enable Remove Clock from the system
notification area.

Task 5: Create and assign a policy to limit profile size and turn off
Windows Sidebar for branch users
1. In the Group Policy Management window, create a new GPO named Branch
Users Policy, linked to the Miami, NYC, and Toronto OUs.
2. Configure the Branch Users Policy GPO with the following settings:
Under User Configuration, Policies, Administrative Templates, System,
User Profiles, enable Limit profile size and assign a Max Profile size of
1000000 KB.
Under Windows Components, Windows Sidebar, enable Turn off
Windows Sidebar.
Exercise 2: Verify GPO Application
The main tasks for this exercise are:
1. Verify that the preferences have been applied.
2. Log on as a user in a Branch Office and observe the applied settings.
3. Use the Group Policy Results Wizard to review Group Policy application for a
target user and computer.

Task 1: Verify that the settings for Executives have been applied
1. On NYC-CL1, log on as WOODGROVEBANK\Tony.

Note: Some user settings can only be applied during logon or may not apply due to
cached credentials. These include the roaming user profile path, the Folder Redirection
path, and Software Installation settings. If the user is already logged on when these
settings are detected, they will not be applied until the next time the user logs on.
2. Verify that the Windows Sidebar is not displayed.
3. In the notification area, verify that the clock is not displayed.
4. In the Taskbar Properties, on the Notification Area tab, verify that you do
not have the option to display the clock.
5. Verify that you do not have access to registry editing tools.
6. Log off NYC-CL1.

Task 2: Log on as a user in a Branch Office and observe the applied
settings
1. On NYC-CL1, log on as WOODGROVEBANK\Roya.
2. Verify that the Windows Sidebar is not displayed.
3. In the notification area, verify that the clock is not displayed.
4. In the notification area, double-click the Available profile space icon and
review the information.
5. In Documents Properties, verify the location is C:\Users\Roya.
6. Verify that you do not have access to registry editing tools.
7. Verify that the J: drive is mapped to the Data share on NYC-DC1.
8. Log off NYC-CL1.

Task 3: Use the Group Policy Results Wizard to review Group Policy
application for a target user and computer
1. On NYC-DC1, in the Group Policy Management window, run the Group Policy
Results Wizard against NYC-CL1 for the user Tony.
2. Review the list of applied computer and user GPOs.
Question: Which GPOs were applied to the computer?
Question: Which GPOs were applied to the user?
3. On the Settings tab, under Computer Configuration, click Administrative
Templates, and then expand each of the settings.
Question: What settings were delivered to the computer?
4. Under User Configuration, expand each of the settings.
Question: What settings were delivered to the user?

Result: At the end of this exercise, you will have configured several Administrative
Templates policy settings for various OUs in the organization and then verified
successful GPO application.
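Since every Administrative Template setting is a registry value (Lesson 3), the checks in Exercise 2, Tasks 1 and 2 can be made by reading the policy keys instead of inspecting the UI. The following is an added example and not part of the courseware; it assumes it is run on NYC-CL1 in the session of the user being checked, and that the key and value names match the built-in ADMX files on Windows Server 2008 (confirm against your PolicyDefinitions folder if a check reports a value missing).

```powershell
# Added example, not from the 6419A courseware: scripted version of Lab B,
# Exercise 2, Tasks 1 and 2. HKCU checks reflect the logged-on user (Tony or Roya);
# HKLM checks reflect the computer. Keys and value names are assumed to be those
# of the corresponding built-in ADMX files.

# Expected values for the GPOs created in Exercise 1 (constructed list).
$checks = @(
    @{ GPO = 'Default Domain Policy';     Setting = 'Allow inbound remote administration exception'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings'
       Name = 'Enabled';                  Expected = 1 }
    @{ GPO = 'Default Domain Policy';     Setting = 'Group Policy slow link detection (Kbps)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'GroupPolicyMinTransferRate'; Expected = 800 }
    @{ GPO = 'Prevent Removable Devices'; Setting = 'Prevent installation of removable devices'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       Name = 'DenyRemovableDevices';     Expected = 1 }
    @{ GPO = 'Encrypt Offline Files';     Setting = 'Encrypt the Offline Files cache'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
       Name = 'EncryptCache';             Expected = 1 }
    @{ GPO = 'All Users Policy';          Setting = 'Prevent access to registry editing tools'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools';     Expected = 1, 2 }   # 2 = also block silent regedit
    @{ GPO = 'All Users Policy';          Setting = 'Remove Clock from the system notification area'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'HideClock';                Expected = 1 }
    @{ GPO = 'Branch Users Policy';       Setting = 'Limit profile size (enabled)'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name = 'EnableProfileQuota';       Expected = 1 }
    @{ GPO = 'Branch Users Policy';       Setting = 'Limit profile size (Max Profile size, KB)'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name = 'MaxProfileSize';           Expected = 1000000 }
    @{ GPO = 'Branch Users Policy';       Setting = 'Turn off Windows Sidebar'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'
       Name = 'TurnOffSidebar';           Expected = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    $actual = $null
    if (Test-Path -Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($Check.Name) }
    }
    New-Object PSObject -Property @{
        GPO      = $Check.GPO
        Setting  = $Check.Setting
        Expected = (@($Check.Expected) -join ' or ')
        Actual   = $actual
        Applied  = (($actual -ne $null) -and (@($Check.Expected) -contains $actual))
    }
}

$results = $checks | ForEach-Object { Test-PolicyValue -Check $_ }
$results | Format-Table GPO, Setting, Expected, Actual, Applied -AutoSize
$applied = @($results | Where-Object { $_.Applied }).Count
Write-Host "$applied of $($checks.Count) expected policy values are present for this user and computer."
```

A value reported as missing for Roya but present for Tony reflects the GPO links (Executives OU versus the branch OUs), not a processing failure; compare with the Group Policy Results report from Task 3 before treating it as a problem.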

Lesson 4
Deploying Software Using Group Policy

Windows Server 2008 includes a feature called Software Installation and
Maintenance that AD DS, Group Policy, and the Microsoft Windows Installer
service use to install, maintain, and remove software on your organization's
computers.
Options for Deploying and Managing Software Using
Group Policy

Key Points
The software life cycle consists of four phases: preparation, deployment,
maintenance, and removal.
You can apply Group Policy settings to users or computers in a site, domain,
or an organizational unit to automatically install, upgrade, or remove software.
By applying Group Policy settings to software, you can manage the various
phases of software deployment without deploying software on each computer
individually.

Question: What types of applications would you deploy via Group Policy in your
environment?

How Software Distribution Works

Key Points
To enable Group Policy to deploy and manage software, Windows Server 2008
uses the Windows Installer service. This component automates the installation and
removal of applications by applying a set of centrally defined setup rules during
the installation process.
Question: What are some disadvantages of deploying software through Group
Policy?

Options for Installing Software

Key Points
There are two deployment types available for delivering software to clients.
Administrators can either install software for users or computers in advance, or
give users the option to install the software when they require it.
Users do not share deployed applications, meaning an application you install
for one user through Group Policy will not be available to that computer's
other users.
All users need their own instance of the application.
When you assign software to a user, the user's Start menu advertises the
software when the user logs on. Installation does not begin until the user
double-clicks the application's icon or a file that is associated with the
application.
When you assign an application to a computer, the application is installed the
next time the computer starts. The application will be available to all users of
the computer.
The Control Panel's Programs applet advertises a published program to the
user, who can install the application by using the Programs applet, or you can
set it up so the application is installed by document activation.
Applications that users do not have permission to install are not advertised to
them.
Applications cannot be published to computers.

Question: What is an advantage of publishing an application over assigning it?

Options for Modifying the Software Distribution

Key Points
Software Installation in Group Policy includes options for configuring deployed
software.
You use software categories to organize published software into logical groups
so that users can locate applications easily in the Programs and Features applet
in Control Panel.
There are no predefined software categories. You can create software
categories to arrange different applications under specific headings.
To determine which software users install when they double-click a file, you
can choose a file name extension and configure a priority for installing
applications that are associated with it.
You can use software modifications, or .MST files (also called transform files),
to deploy several configurations of one application.

Maintaining Software Using Group Policy

Key Points
Occasionally a software package will need to be upgraded to a newer version. The
Upgrades tab allows you to upgrade a package using the GPO.
You may redeploy a package if the original Windows Installer file has been
modified.
You can remove software packages if they were delivered originally using
Group Policy. Removal can be mandatory or optional.

Question: Your organization is upgrading to a newer version of a software
package. Some users in the organization require the old version. How would you
deploy the upgrade?

Discussion: Evaluating the Use of Group Policy to Deploy
Software


Lab C: Deploying Software with Group Policy

Exercise 1: Deploy a Software Package with Group Policy
Scenario
Not all computers have Microsoft Office installed, but even those users may need
to be able to open and view a document such as a PowerPoint presentation. You
need to deploy the Microsoft Office PowerPoint viewer application to all
computers in the WoodgroveBank.com domain.
The main tasks for this exercise are:
1. Copy a software package to the Data share.
2. Configure and review the software deployment GPO.

Task 1: Copy a software package to the Data share
On NYC-DC1, browse to E:\Mod07\LabFiles and copy and paste
PPVIEWER.MSI to the Data folder.

Task 2: Configure and review the software deployment GPO
1. On NYC-DC1, in the Group Policy Management window create a new GPO
named Software Deployment, linked to the WoodgroveBank.com domain.
2. Configure the Software Deployment GPO with the following settings:
Under Computer Configuration, Policies, Software Settings, Software
installation, right-click Software installation, point to New, and then
click Package.
Choose the Assign option, and type \\NYC-DC1\Data\ppviewer.msi.
3. Open the Microsoft Office PowerPoint Viewer 2003 package properties and
review the options on the following tabs:
General
Deployment
Upgrades
Categories
Modifications
Security

Exercise 2: Verify Software Installation
The main task for this exercise is:
1. Verify that the software package has been installed.

Task 1: Verify that the software package has been installed
1. On NYC-CL1, log on as WOODGROVEBANK\Administrator.
2. From a Command Prompt window, type GPUpdate /force and then restart
the computer when prompted.
3. When the computer restarts, log on as WOODGROVEBANK\Administrator.
4. In the Control Panel window, click Uninstall a program.
5. Notice that the Microsoft Office PowerPoint Viewer 2003 program has been
successfully installed.
6. Uninstall Microsoft Office PowerPoint Viewer 2003.
7. When the process completes, press F5 and notice that even though you can
uninstall the program, it comes back because the program is assigned through
Group Policy.

Result: At the end of this exercise, you will have successfully deployed an assigned
software package using Group Policy.

Lesson 5
Configuring Group Policy Preferences

Many common settings that affect the user and computer environment could not
be delivered through Group Policy, for example, mapped drives. These settings
were usually delivered through logon scripts or imaging solutions. Windows
Server 2008 includes the new Group Policy preferences built into the Group
Policy Management Console (GPMC). Additionally, administrators can configure
preferences by installing the Remote Server Administration Tools (RSAT) on a
computer running Windows Vista Service Pack 1 (SP1). This allows many
common settings to be delivered through Group Policy.
What Are Group Policy Preferences?

Key Points
Group Policy preference extensions are more than twenty Group Policy extensions
that expand the range of configurable settings within a GPO.
The main difference between policy settings and preference settings is that
preference settings are not enforced.
The end user can change any preference setting that is applied through Group
Policy, but policy settings prevent users from changing them.

Difference Between Group Policy Settings and Preferences

Key Points
The key difference between preferences and Group Policy settings is enforcement.
In some cases, the same setting can be configured through a policy setting as
well as a preference item.
If both settings are configured and applied to the same object, the value of the
policy setting always applies.
Policy settings have a higher priority than preference settings.

Group Policy Preferences Features

Key Points
Most Group Policy preference extensions support the following actions for each
preference item:
Create: Create a new item on the targeted computer.
Delete: Remove an existing item from the targeted computer.
Replace: Delete and recreate an item on the targeted computer. The result is
that Group Policy preferences replace all existing settings and files associated
with the preference item.
Update: Modify an existing item on the targeted computer.

Deploying Group Policy Preferences

Key Points
Group Policy preferences do not require you to install any services on servers.
Windows Server 2008 includes Group Policy preferences by default as part of
the Group Policy Management Console (GPMC).
Administrators can configure and deploy Group Policy preferences in a
Windows Server 2003 environment by installing the RSAT on a computer
running Windows Vista with SP1.
On Windows XP and Windows Vista client computers, Group Policy Client
Side Extensions must be downloaded and installed.
Client Side Extensions are available through Windows Update.

Lab D: Configuring Group Policy Preferences

Exercise 1: Configure Group Policy Preferences
Scenario
In an effort to simplify Group Policy management, including eliminating the need
for logon scripts to map drives, you have been asked to deploy several Group
Policy Preferences settings that will allow for more flexibility for corporate users.
The main tasks for this exercise are:
1. Add a shortcut to Notepad on the desktop of NYC-DC1.
2. Create a new folder named Reports on the C: drive of all computers running
Windows Server 2008.
3. Configure drive mapping.
4. Remove old Logon Script GPO.
Task 1: Add a shortcut to Notepad on the desktop of NYC-DC1
1. On NYC-DC1, in the Group Policy Management window, configure the
Default Domain Policy GPO with the following settings:
Under Computer Configuration, Preferences, Windows Settings, right-
click Shortcuts, point to New, and then click Shortcut.
In the New Shortcut Properties dialog box, create a shortcut for
Notepad.exe in the All Users Desktop location.
On the Common tab, configure item-level targeting for the computer
NYC-DC1.
2. Leave the Group Policy Management Editor window open for the next task.

Task 2: Create a new folder named Reports on the C: drive of all
computers running Windows Server 2008
1. In the Group Policy Management Editor window, under Windows Settings,
right click Folders, point to New, and then click Folder.
2. In the New Folder Properties dialog box, create the C:\Reports folder.
3. On the Common tab, configure item-level targeting for the Windows Server
2008 operating system.
4. Leave the Group Policy Management Editor window open for the next task.
Task 3: Configure drive mapping
1. In the Group Policy Management Editor window, under User Configuration,
Preferences, Windows Settings, Drive Maps, right-click Drive Maps, point to
New, and then click Mapped Drive.
2. Create a new mapped drive labeled Data for \\NYC-DC1\Data, using the
drive letter P, and select the Reconnect option.

Task 4: Remove old Logon Script GPO
In the Group Policy Management window, delete the Logon Script link for the
WoodgroveBank.com domain.

Note: You aren't actually deleting the GPO, just the link to it in the domain.

Exercise 2: Verify Group Policy Preferences Application
The main tasks for this exercise are:
1. Verify that the preferences have been applied.
2. Close all virtual machines and discard undo disks.

Task 1: Verify that the preferences have been applied
1. On NYC-DC1, log off, and then log back on as
WOODGROVEBANK\Administrator.
2. Verify that the P: drive is mapped to the Data share on NYC-DC1.
3. Verify that the C:\Reports folder exists.

Note: It may take a few moments for this folder to appear.

Note: To apply Group Policy preferences to Windows Vista computers, you must
download and install Group Policy Preference Client Side Extensions for Windows Vista
(KB943729).

Task 2: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close dialog box, select Turn off machine and discard changes, and
then click OK.

Result: At the end of this exercise, you will have configured and tested Group Policy
Preferences and verified their application.

Lesson 6
Introduction to Group Policy Troubleshooting

Group Policy can be complex to deploy and manage, and sometimes a setting can
cause unintended consequences for users or computers. This lesson provides
details about Group Policy processing and common problem areas, and describes
some of the troubleshooting tools available.
Scenarios for Group Policy Troubleshooting

Key Points
Group Policy processing has two distinct phases:
Core Group Policy processing. When a client begins to process Group Policy,
it must determine whether it can reach a domain controller, whether any
Group Policy objects (GPOs) have changed, and what policy settings (based
on client-side extension) must be processed. The core Group Policy engine
performs this processing in the initial phase.
Client side extension (CSE) processing. Policy settings are grouped into
different categories, such as Administrative Templates, Security Settings,
Folder Redirection, Disk Quota, and Software Installation. The settings in each
category require a specific CSE to process them, and each CSE has its own
rules for processing settings. The core Group Policy engine calls the CSEs that
are required to process the settings that apply to the client.

Preparing to Troubleshoot Group Policy

Key Points
Group Policy issues may be a symptom of unrelated issues, such as network
connectivity, authentication problems, domain controller availability, or Domain
Name System (DNS) configuration errors.
You should begin the troubleshooting process by determining the scope of the
issue. For example, is the issue widespread, or affecting a single client only? If the
issue affects a single client, you should check for physical issues, like incorrect
configurations, or hardware or operating system failures. These issues are usually
easy to diagnose.
Once you eliminate these causes, your first real troubleshooting step is to check
Event Viewer entries, Windows logs, and application and service logs, which can
provide valuable information about the root cause of issues. Log entries often
direct you to the area in which to begin your investigation. Once you narrow down
your problem area, you can use other diagnostic tools to pursue the issue.
Question: What diagnostic tool could you use to determine lease expiration of a
Dynamic Host Configuration Protocol (DHCP) address issued to a client
computer?

Tools for Troubleshooting Group Policy

Key Points
There are a number of diagnostic tools and logs that you can use to verify whether
you can trace a problem to core Group Policy:
Group Policy reporting (RSoP): used to see how multiple Group Policy
objects affect various combinations of users and computers, or to predict the
effect of Group Policy settings on the network.
GPResult: used to display the Resultant Set of Policy (RSoP) information for a
remote user and computer.
Gpotool: used to traverse all of your domain controllers and check for
consistency between the Group Policy container (that is, information
contained in the directory service) and the Group Policy template (that is,
information contained in the SYSVOL share on the domain controller).
Gpupdate: used to refresh local and Active Directory-based Group Policy
settings, including security settings.
Dcgpofix: used to recreate the two default Windows Server GPOs and to create the
security settings based on the operations that are performed during Dcpromo.
GPOLogView: used to export Group Policy event data from the system and
operational log into a text, HTML, or XML file.
Group Policy log files: used to obtain information about Group Policy events.
Group Policy Management Scripts: used to demonstrate the scripting
functionality of the Group Policy Management Console.

Group Policy Logging
If other tools do not provide the information you need to identify the problems
affecting Group Policy application, you can enable verbose logging and examine
the resulting log files. Log files can be generated on both the client and the server
to provide detailed information.
Question: What diagnostic tool will quickly display the current Group Policy slow
link threshold?

Demonstration: Using Group Policy Diagnostic Tools

Key Points
Run GPResult in regular and verbose mode.
Review the GPOTool included with the Windows Server 2008 Resource Kit.
Run GPUpdate and review the command line parameters.
Review the GPLogView tool available as a free download from Microsoft.
Run GPLogView in monitor mode.

Question: What steps must you take prior to running Group Policy reporting
RSoP on a remote computer?

Lesson 7
Troubleshooting Group Policy Application

When troubleshooting Group Policy issues, you need a firm understanding of the
interactions between Group Policy and its supporting technologies, and the ways
in which you manage, deploy, and apply Group Policy objects.
How Client Side Extension Processing Works

Key Points
CSEs are dynamic-link libraries (DLLs) that perform the actual processing of
Group Policy settings.
Policy settings are grouped into different categories, such as Administrative
Templates, Security Settings, Folder Redirection, Disk Quota, and Software
Installation.
Each category's settings require a specific CSE to process them, and each CSE
has its own rules for processing settings.
The core Group Policy process calls the appropriate CSEs to process those
settings.
Some CSEs behave differently under different circumstances. For example, a
number of CSEs do not process if a slow link is detected.
Security settings and Administrative Templates are always applied, and you
cannot turn them off. You can control the behavior of other CSEs across slow
links.
As Group Policy is processed, the Winlogon process passes the list of GPOs
that must be processed to each Group Policy client-side extension.

Question: Users in a branch office log on across a slow modem connection. You
want folder redirection to be applied to them even across the slow link. How
would you accomplish this?

Troubleshooting Group Policy Inheritance

Key Points
The following four settings can be used to alter the default inheritance of GPO
processing:
Block policy inheritance
GPO enforcement
GPO filtering of the access control list (ACL)
Windows Management Instrumentation (WMI) Filters

If none of the users or computers in an OU or entire subtree of OUs are receiving
policies that were linked to higher levels, it may be due to inheritance blocking.
The GPMC interface provides a visual indicator, a blue exclamation mark, when
inheritance is blocked.
Group Policy results reporting (RSoP) lists the GPOs that are being applied, and
the GPOs that are being blocked.
You can run the Gpresult command from the target computer to get an idea about
whether any of these settings are prohibiting the policies from applying.
If inheritance is blocked incorrectly, removing the setting returns Group Policy
processing to normal.
Question: Are there scenarios in your organization that would benefit from
blocking inheritance?

Troubleshooting Group Policy Filtering

Key Points
Group Policy filtering determines which users and computers will receive the
GPO's settings. Group Policy object (GPO) filtering is based on two factors:
The security filtering on the GPO.
Any Windows Management Instrumentation (WMI) filters on the GPO.
Group Policy filtering may show up as apparently inconsistent application of
policies in an OU. If some users, groups, or computers have filtering applied,
they will not receive policies that other users in the same OU receive.
To check filtering on a GPO, in GPMC, open the Group Policy Objects node, select
the GPO you are troubleshooting, and then in the right pane select the Scope
tab. The Security Filtering and WMI Filtering panels show the current filtering
configuration.
To see the exact set of permissions for users, groups and computers, select the
Delegation tab and then click Advanced. Select the security group, user or
computer you want to review.
If the policy object should be applied to the security group, user or computer,
the minimum permissions should be set to allow Read and Apply Group
Policy.
If a WMI filter is deleted, the links to the WMI filter are not automatically
deleted. If there is a link to a non-existent WMI filter, the GPO with that link
will not be processed until the link is removed or the filter is restored.

Question: You have applied security filtering to limit the GPO to apply only to the
Managers group. You did this by setting the following GPO permissions:
Authenticated Users are denied the Apply Group Policy permission.
The Managers group has been granted Read and Apply Group Policy
permission.

None of the managers are receiving the GPO settings. What is the problem?
Troubleshooting Group Policy Replication

Key Points
In a domain that contains more than one domain controller, Group Policy
information takes time to propagate, or replicate, from one domain controller to
another.
Replication issues are most noticeable in remote sites with slow connections
where there is long replication latency.
The GPOTool can check for consistency of policies across all domain
controllers. Another tool is Repadmin, which can provide information about
Group Policy synchronization status, and general replication information.
Once you determine that replication is the issue, then you must determine if
the problem is with the FRS or AD DS replication.
A simple test for SYSVOL replication is to put a small test file into the SYSVOL
directory, and see if it replicates to other domain controllers.
Likewise, a simple way to test AD DS replication is to create a test object, such
as an OU, and see if it replicates to other domain controllers.
In many cases, just waiting for normal replication cycles to complete resolves
the problem.

Question: What tool can be used to force replication across all domain controllers
in the domain?
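As an added example that is not part of the course material, the following PowerShell script reads a gpresult /x report for a user and computer and states, for each GPO, whether it was applied and, if not, whether security filtering, a WMI filter, a disabled link or GPO, or a GPC/GPT version mismatch (replication lag) explains it; it covers the filtering, inheritance and replication checks of the preceding topics in one pass. The report path is a placeholder, the target names are the lab's, and the element names it reads are assumed to match the RSoP XML that gpresult /x writes.

```powershell
# Added example, not part of the 6419A course material.
# Reads a gpresult /x report and explains why each GPO did or did not apply.
# ASSUMPTION: element names (Name, Enabled, AccessDenied, FilterAllowed,
# VersionDirectory, VersionSysvol, Link/SOMPath, Link/Enabled, Link/NoOverride,
# ExtensionStatus/Name, ExtensionStatus/Error) match the RSoP XML gpresult writes.
param(
    [string]$ReportPath = 'C:\Temp\rsop-roya.xml',   # placeholder path
    [string]$Computer   = 'NYC-CL1',                 # lab names from this module
    [string]$User       = 'WOODGROVEBANK\Roya'
)

# Produce the report if it is not already on disk (gpresult /x needs Windows Vista or later).
if (-not (Test-Path -Path $ReportPath)) {
    gpresult /s $Computer /user $User /x $ReportPath /f | Out-Null
}
[xml]$rsop = Get-Content -Path $ReportPath
# Dot navigation ignores the report's default XML namespace, so no namespace manager is needed.

function Get-GpoVerdict {
    param($Gpo)
    # Each RSoP field below maps to one troubleshooting area of this lesson.
    $reasons = @()
    $notes   = @()
    if ($Gpo.Enabled -eq 'false') { $reasons += 'GPO is disabled' }
    foreach ($link in (@($Gpo.Link) | Where-Object { $_ })) {
        if ($link.Enabled -eq 'false')   { $reasons += "link at $($link.SOMPath) is disabled" }
        if ($link.NoOverride -eq 'true') { $notes   += "enforced at $($link.SOMPath) (wins over Block Inheritance)" }
    }
    if ($Gpo.AccessDenied -eq 'true') {
        $reasons += 'security filtering: missing Read/Apply Group Policy or an explicit Deny (Delegation tab, Advanced)'
    }
    if ($Gpo.FilterAllowed -eq 'false') {
        $reasons += 'WMI filter evaluated false or refers to a deleted filter (Scope tab, WMI Filtering)'
    }
    if ($Gpo.VersionDirectory -and $Gpo.VersionSysvol -and ($Gpo.VersionDirectory -ne $Gpo.VersionSysvol)) {
        $reasons += "GPC version $($Gpo.VersionDirectory) differs from GPT version $($Gpo.VersionSysvol): AD DS/SYSVOL replication lag"
    }
    $verdict = if ($reasons.Count -eq 0) { 'APPLIED' } else { 'NOT APPLIED: ' + ($reasons -join '; ') }
    if ($notes.Count -gt 0) { $verdict += ' [' + ($notes -join '; ') + ']' }
    return $verdict
}

foreach ($scope in 'ComputerResults', 'UserResults') {
    $results = $rsop.Rsop.$scope
    if (-not $results) { continue }
    Write-Host ("`n== {0} for {1} (slow link detected: {2}) ==" -f $scope, $results.Name, $results.SlowLink)
    foreach ($gpo in (@($results.GPO) | Where-Object { $_ })) {
        $soms = @(@($gpo.Link) | Where-Object { $_ } | ForEach-Object { $_.SOMPath }) -join ', '
        Write-Host ('{0,-35} {1,-40} {2}' -f $gpo.Name, $soms, (Get-GpoVerdict $gpo))
    }
    # A CSE that reported a non-zero error explains settings that are listed but never took effect.
    foreach ($ext in (@($results.ExtensionStatus) | Where-Object { $_ })) {
        if ($ext.Error -and ($ext.Error -ne '0')) {
            Write-Warning ("CSE '{0}' returned error {1} ({2})" -f $ext.Name, $ext.Error, $ext.LoggingStatus)
        }
    }
}
```

In Lab E, Exercise 2, the Lab 7B GPO would show AccessDenied for Roya because of the Deny on MIA_BranchManagerGG, while Rich's report shows it as applied.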

Troubleshooting Group Policy Refresh

Key Points
Group Policy refresh refers to a client's periodic retrieval of GPOs.
During Group Policy refresh, the client contacts an available domain
controller. If any GPOs changed, the domain controller provides a list of all the
appropriate GPOs.
By default, GPOs are processed at the computer only if the version number of
at least one GPO has changed on the domain controller that the computer is
accessing.
Group Policy reporting provides information about when the last Group Policy
refresh occurred, on the summary page. The report also tells you if the
loopback setting is enabled.
Question: You have implemented folder redirection for a particular OU. Some
users report that their folders are not redirecting to the network share. What is the
first step you should take to resolve the problem?

Discussion: Troubleshooting Group Policy Configuration

Question: One user is getting settings applied that no one else is receiving. What
might be the issue and how would you start troubleshooting?
Lesson 8:
Troubleshooting Group Policy Settings

Group Policy settings issues are usually due to slow-link detection or incorrect
configuration. Understanding how Client Side Extension Processes work and how
slow links are determined assists in troubleshooting these issues.
Troubleshooting Administrative Template Policy Settings

Key Points
Administrative Templates may not be applied because the operating system is not
capable of interpreting the policy setting. Many of the newer policy settings apply
only to particular operating systems.
If the GPO that delivers true policies is unlinked, then the true policies are
removed. Preferences, however, are not removed in this way: the administrator must
undo a preference explicitly by specifying a value in a GPO.
Question: Your network has a mixture of Windows XP and Windows Vista
computers. You have configured the Administrative Template to remove the games
link from the Start menu, but only the Windows Vista computers are enforcing the
setting. What is the problem?

Troubleshooting Script Policy Settings

Key Points
The Scripts CSE updates the registry with the location of script files so that the
UserInit process can find those values during its normal processing.
When a CSE reports success, it might mean only that the script's location is
placed in the registry.
Even though the setting is in the registry, there could be problems preventing
the setting from being applied to the client. For example, if a script specified in
a Script setting has an error that prevents it from completing, the CSE does not
detect an error.
Group Policy processes a GPO and stores the script information in the registry,
in these locations:
HKCU\Software\Policies\Microsoft\Windows\System\Scripts (User
Scripts)
HKLM\Software\Policies\Microsoft\Windows\System\Scripts (Machine
Scripts)

Question: A logon script is assigned to an OU. The script executes properly for all
users, but some users report that they get an access-denied message when they try
to access the mapped drive. What is the problem?
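As an added example that is not part of the course material, this PowerShell script walks the registry keys listed above, which the Scripts CSE populates, and tests whether the current user can actually open each script file, the check the CSE itself never makes. It assumes the per-GPO key layout (numbered GPO keys carrying FileSysPath and GPOName, numbered script entries carrying Script and Parameters, relative names resolved under the GPT's Scripts folder) as the author recalls it.

```powershell
# Added example, not part of the 6419A course material.
# Walks the registry keys that the Scripts CSE populates and checks whether the
# current user can actually open each script: the Group Policy log records only
# the successful registry write, so an unreachable script still looks "applied".
# ASSUMPTION: layout Scripts\<Logon|Logoff|Startup|Shutdown>\<gpo#>\<script#>, with
# FileSysPath and GPOName on the GPO key and Script/Parameters on each entry, and
# relative script names living under <FileSysPath>\Scripts\<type>.
$bases = @{
    'HKCU:\Software\Policies\Microsoft\Windows\System\Scripts' = 'User'
    'HKLM:\Software\Policies\Microsoft\Windows\System\Scripts' = 'Machine'
}

function Test-ScriptReachable {
    param([string]$Path)
    # Test-Path only proves the name resolves; reading a line proves the share and
    # NTFS ACLs admit this account, which is what the lab's access-denied error is about.
    if (-not $Path) { return 'NO PATH' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    try {
        $null = Get-Content -LiteralPath $Path -TotalCount 1 -ErrorAction Stop
        return 'OK'
    } catch {
        if ($_.CategoryInfo.Category -eq 'PermissionDenied') { return 'ACCESS DENIED' }
        return 'ERROR: ' + $_.Exception.Message
    }
}

function Get-PolicyScriptStatus {
    foreach ($base in $bases.Keys) {
        if (-not (Test-Path -Path $base)) { continue }
        foreach ($typeKey in Get-ChildItem -Path $base) {                 # Logon, Logoff, Startup, Shutdown
            foreach ($gpoKey in Get-ChildItem -Path $typeKey.PSPath) {     # one numbered key per GPO
                $gpoProps = Get-ItemProperty -Path $gpoKey.PSPath
                foreach ($entry in Get-ChildItem -Path $gpoKey.PSPath) {   # one numbered key per script
                    $props  = Get-ItemProperty -Path $entry.PSPath
                    $script = [string]$props.Script
                    # A bare file name is relative to the GPT's Scripts\<type> folder in SYSVOL;
                    # a UNC or drive path (as in Lab E, \\NYC-DC1\Scripts) is used as-is.
                    if ($script -and -not [System.IO.Path]::IsPathRooted($script)) {
                        $script = Join-Path (Join-Path $gpoProps.FileSysPath "Scripts\$($typeKey.PSChildName)") $script
                    }
                    New-Object PSObject -Property @{
                        Scope      = $bases[$base]
                        Type       = $typeKey.PSChildName
                        GPO        = $gpoProps.GPOName
                        Script     = $script
                        Parameters = $props.Parameters
                        Status     = Test-ScriptReachable $script
                    }
                }
            }
        }
    }
}

# Anything other than OK is a script that Group Policy "applied" but this user cannot run.
# Machine scripts run as the computer account, so their row reflects this user's access only.
Get-PolicyScriptStatus | Format-Table Scope, Type, GPO, Status, Script -AutoSize
```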

Lab E: Troubleshooting Group Policy Issues

Exercise 1: Troubleshoot Group Policy Scripts
Scenario
Woodgrove Bank has completed its deployment of Windows Server 2008. As the
AD DS administrator, one of your primary tasks is troubleshooting AD DS issues
that have been escalated to you from the company's help desk. You are responsible
for resolving issues related to Group Policy application and configuration.
All domain users will have a drive mapping to a shared folder named Data. The
GPO is already created, and is backed up. You will restore and apply the GPO that
delivers that policy to the domain, and troubleshoot any issues with the policy.
The main tasks for this exercise are:
1. Start the 6419A-NYC-DC1 virtual machine and log on as
WOODGROVEBANK\Administrator.
2. Create and link a domain Desktop policy.
3. Restore the Lab7A GPO.
4. Link the Lab7A GPO to the domain.
5. Start NYC-CL1 and log on as WOODGROVEBANK\Administrator.
6. Test the GPO.
7. Troubleshoot the GPO.
8. Resolve the issue and test the resolution.

Task 1: Start the 6419A-NYC-DC1 virtual machine and log on as
WOODGROVEBANK\Administrator
Start NYC-DC1, and then log on as WOODGROVEBANK\Administrator.

Task 2: Create and link a domain Desktop policy
1. On NYC-DC1, open Group Policy Management, and then create a new GPO
named Desktop, linked to the WoodgroveBank.com domain.
2. Configure the Desktop GPO with the following settings:
Under Computer Configuration, Policies, Administrative Templates,
System, Logon, enable Always wait for the network at computer startup
and logon.
Under Network, Network Connections, Windows Firewall, Domain
Profile, enable Windows Firewall: Allow inbound remote
administration exception.
Under User Configuration, Policies, Windows Settings, Internet
Explorer Maintenance, in Important URLS, add
http://WoodGroveBank.com as a customized home page URL.
Under Administrative Templates, Start Menu and Taskbar, enable
Force classic Start Menu.
Task 3: Restore the Lab7A GPO
In the Group Policy Management window, restore the Lab 7A GPO from
E:\Mod07\LabFiles\GPOBackup.

Task 4: Link the Lab7A GPO to the domain
In the Group Policy Management window, link the Lab 7A GPO to the
WoodgroveBank.com domain.

Task 5: Start NYC-CL1 and log on as
WOODGROVEBANK\Administrator
1. Start NYC-CL1, and then log on as WOODGROVEBANK\Administrator.
2. Disable the Windows Firewall on NYC-CL1.

Task 6: Test the GPO
1. Verify that you see the classic Start menu.
2. In Windows Internet Explorer, verify that the home page opens to
http://WoodgroveBank.com.
3. Verify that the J: drive is mapped to the Data share on NYC-DC1.
4. Log off, and then log back on as WOODGROVEBANK\Roya.
5. Verify that you see the classic Start menu.
6. In Internet Explorer, verify that the home page opens to
http://WoodgroveBank.com.
7. Notice that the J: drive is not mapped to the Data share on NYC-DC1.
8. Log off NYC-CL1.

Task 7: Troubleshoot the GPO
1. On NYC-DC1, in the Group Policy Management window, run the Group Policy
Results Wizard against NYC-CL1 for the user Roya.
2. Review the list of applied computer and user GPOs. Notice that the settings for
both the Desktop GPO and the Lab 7A GPO were applied successfully.
3. On the Settings tab, under User Configuration, Windows Settings, Scripts,
Logon, notice that the Lab 7A GPO was applied correctly.
4. On NYC-CL1, log on as WOODGROVEBANK\Roya.
5. Attempt to access the \\NYC-DC1\Scripts share, and then review the error.
6. Log off NYC-CL1.


Note: If time permits, you can view the Group Policy operational log as Administrator on
NYC-CL1. If you filter the view to show events that Roya generates, you will see that
the log does not record any errors or warnings for this user. This is because the GPO only
sets a registry value that defines the location of the scripts folder. Group Policy is
unaware of whether the user has access to that location. The write to the registry was successful,
so the Group Policy log does not see any errors. You would have to audit Object
Access for the scripts folder to determine access issues.
Task 8: Resolve the issue and test the resolution
1. On NYC-DC1, browse to E:\Mod07\Labfiles\Scripts.
2. Review the permissions on the share and make sure that Authenticated Users
have permission to access the share.
3. On NYC-CL1, log on as WOODGROVEBANK\Roya.
4. Verify that the J: drive is now mapped to the Data share on NYC-DC1.
5. Log off NYC-CL1.

Note: Another way to resolve the issue would be to move the script to the Netlogon
share. Alternatively, to eliminate the need for such a logon script altogether, you could
configure a mapped drive in Group Policy Preferences.
Result: At the end of this exercise, you will have resolved a Group Policy scripts issue.

Exercise 2: Troubleshoot GPO Lab-7B
Scenario
Domain users in the Miami OU and all sub OUs should not have access to Control
Panel. You will restore and apply the GPO that delivers that policy to the Miami
OU.
The local onsite technician has submitted a help-desk ticket and escalated the
following issue to the server team:
Description of problem: No users should be able to access the Control Panel.
However, some users do have access to Control Panel, while others do not. In
particular, Roya, a Miami branch manager, has access to Control Panel.

This ticket has been escalated to the server team for resolution.
The main tasks in this exercise are:
1. Restore the Lab7B GPO.
2. Link the Lab7B GPO to the Miami OU.
3. Test the GPO.
4. Troubleshoot the GPO.
5. Resolve the issue and test the resolution.

Task 1: Restore the Lab7B GPO
On NYC-DC1, in the Group Policy Management window, restore the Lab 7B
GPO from backup.

Task 2: Link the Lab7B GPO to the Miami OU
In the Group Policy Management window, link the Lab 7B GPO to the Miami
OU.
Task 3: Test the GPO
1. On NYC-CL1, log on as WOODGROVEBANK\Rich.

Note: Rich is a member of the Miami OU.
2. Verify that you see the classic Start menu.
3. In Internet Explorer, verify that the home page opens to
http://WoodgroveBank.com.
4. Verify that the J: drive is mapped to the Data share on NYC-DC1.
5. Notice that the Control Panel does not appear on the desktop or Start menu.
This is a setting from the Lab 7B GPO that was applied to the Miami OU.
6. Log off NYC-CL1, and then log back on as WOODGROVEBANK\Roya.
7. Notice that even though the GPO should prevent it, the Control Panel is still
present on the desktop and Start menu.
8. Log off NYC-CL1.

Task 4: Troubleshoot the GPO
1. On NYC-DC1, in the Group Policy Management window, run the Group Policy
Results Wizard against NYC-CL1 for the user Rich.
2. In the report summary, notice that the Lab 7B GPO was applied.
3. On the Settings tab, under User Configuration, notice that the policy setting
to prohibit access to the Control Panel is enabled.
4. Rerun the query for Roya on NYC-CL1.
5. In the report summary, notice that the Lab 7B GPO has not been applied.
6. Review the denied GPOs and notice that the Lab 7B GPO is listed among the
denied GPOs.
Task 5: Resolve the issue and test the resolution
1. In the Group Policy Management window, review the Delegation tab for the
Lab 7B GPO.
2. Under Advanced settings, review the permissions for
MIA_BranchManagerGG, and notice that the Apply group policy setting is
set to Deny.
3. Remove the MIA_BranchManagerGG group from the permission list.
4. On NYC-CL1, log on as WOODGROVEBANK\Roya.
5. Notice that the Control Panel now correctly does not appear on the desktop or
Start menu.
6. Log off NYC-CL1.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.

Exercise 3: Troubleshoot GPO Lab-7C
Scenario
Users in the Miami OU should not have access to the Run command on the Start
menu. You will restore and link the Lab 7C GPO to apply this setting.
The local desktop technician has escalated the following issue to the server team:
Description of problem: No users should be able to access the Run command
on the Start menu, but all users in the Miami OU have access to the Run
command.

The main tasks in this exercise are:
1. Restore the Lab7C GPO.
2. Link the Lab7C GPO to the Miami OU.
3. Test the GPO.
4. Troubleshoot the GPO.
5. Resolve the issue and test the resolution.

Task 1: Restore the Lab7C GPO
On NYC-DC1, in the Group Policy Management window, restore the Lab 7C
GPO from backup.

Task 2: Link the Lab7C GPO to the Miami OU
In the Group Policy Management window, link the Lab 7C GPO to the Miami
OU.

Task 3: Test the GPO
1. On NYC-CL1, log on as WOODGROVEBANK\Roya.
2. Click Start, and then notice the presence of the Run command. It is not
supposed to be there.
3. Log off NYC-CL1.
Task 4: Troubleshoot the GPO
1. On NYC-DC1, in the Group Policy Management window, rerun the query for
Roya on NYC-CL1.
2. In the report summary, under User Configuration Summary, notice that the
Lab 7C GPO is being applied.
3. On the Settings tab, under User Configuration, notice that the Add the Run
command to the Start Menu setting is enabled.

Task 5: Resolve the issue and test the resolution
1. Edit the Lab 7C GPO.
2. In the Group Policy Management Editor window, under User Configuration,
Policies, Administrative Templates, Start Menu and Taskbar, change Add
the Run command to the Start Menu to Not Configured, and then click OK.
3. Change Add the Run command to the Start Menu to Enabled, and then click
OK.
4. On NYC-CL1, log on as WOODGROVEBANK\Roya.
5. Click Start, and notice that the Run command is no longer present.
6. Do not log off NYC-CL1.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.

Exercise 4: Troubleshoot GPO Lab-7D
Scenario
You will restore the Lab 7D GPO and link it to the Loopback folder. This GPO is
designed to enhance security.
A user in the Miami OU has submitted the following helpdesk ticket:
Description of problem: Since the application of the GPO, Roya no longer has
the classic Start menu or drive mapping, and no longer can run Internet
Explorer.

The main tasks in this exercise are:
1. Create a new OU named Loopback.
2. Restore the Lab7D GPO.
3. Link the Lab7D GPO to the Loopback OU.
4. Move NYC-CL1 to the Loopback OU.
5. Test the GPO.
6. Troubleshoot the GPO.
7. Resolve the issue and test the resolution.

Task 1: Create a new OU named Loopback
1. On NYC-DC1, open Active Directory Users and Computers.
2. Create a new Organizational Unit under WoodgroveBank.com named
Loopback.

Task 2: Restore the Lab7D GPO
On NYC-DC1, in the Group Policy Management window, restore the Lab 7D
GPO from backup.
Task 3: Link the Lab7D GPO to the Loopback OU
In the Group Policy Management window, link the Lab 7D GPO to the
Loopback OU.

Task 4: Move NYC-CL1 to the Loopback OU
In Active Directory Users and Computers, move the NYC-CL1 computer from
the Computers container to the Loopback OU.

Task 5: Test the GPO
1. Restart NYC-CL1.
2. When the computer restarts, log on as WOODGROVEBANK\Roya.
3. Click Start and notice that the Run command is present once again.
4. Notice also that the Control Panel is present on the desktop and Start menu.
These changes are not intentional.
5. Open Windows Internet Explorer and notice that Internet Explorer does not
launch.

Task 6: Troubleshoot the GPO
1. On NYC-DC1, in the Group Policy Management window, rerun the query for
Roya on NYC-CL1.
2. In the summary report, under Computer Configuration, review the applied
GPOs and notice that the Lab 7D GPO has been applied.
3. On the Settings tab, under Computer Configuration, notice that loopback
processing mode is enabled.

Note: Group Policy applies to the user or computer in a manner that depends on where
both the user and the computer objects are located in Active Directory. However, in
some cases, users may need policy applied to them based on the location of the
computer object alone. You can use the Group Policy loopback feature to apply GPOs
that depend only on which computer the user logs on to.
Task 7: Resolve the issue and test the resolution
1. In the Group Policy Management window, disable the link for the Lab 7D
GPO.

Note: Another alternative would be to disable loopback processing in the GPO itself,
especially if there were other settings in the GPO that you did wish to have applied.
2. Restart NYC-CL1.
3. When the computer restarts, log on as WOODGROVEBANK\Roya.
4. Click Start and notice that the Run command is no longer present.
5. Notice that the Control Panel is again absent from the desktop and Start
menu.
6. Open Internet Explorer and notice that Internet Explorer again opens
properly.

Task 8: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close dialog box, select Turn off machine and discard changes, and
then click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.

Module Review and Takeaways

Review Questions
1. You have assigned a logon script to an OU via Group Policy. The script is
located in a shared network folder named Scripts. Some users in the OU
receive the script, while others do not. What might be some causes?
2. What log will give folder redirection details?
3. What visual indicator in the GPMC designates that inheritance has been
blocked?
4. What GPO settings are applied across slow links by default?
5. Given a choice between a small number of GPOs with many settings or a large
number of GPOs with fewer settings, which is preferable?
6. Can you deliver Windows security updates through Group Policy?
Considerations
When configuring user environments using Group Policy, consider the following:
Policy settings that are Enabled enforce a setting.
Policy settings that are Disabled reverse a setting.
Policy settings that are Not Configured are not affected by Group Policy.
Scripts can be applied to the user or computer via Group Policy.
Scripts can be written in multiple languages.
Storing scripts in the NetLogon share makes them highly available.
Certain folders can be redirected from the user's profile to a shared folder on
the network.
Different security groups can be redirected to different network locations.
Administrative Templates apply settings by modifying the registry for the user
and computer.
ADMX files can be customized.
Software can be distributed via Group Policy through .MSI files.
Software can be published to users or assigned to users or computers.
Software assigned to users is specific to that user.
Software assigned to computers is available to all users on that computer.
Software can be modified and maintained through Group Policy.
Software can be removed through Group Policy.

Consider the following when implementing an AD DS monitoring plan:
Client-side extensions handle application of Group Policy at regular,
configurable intervals.
GPO version numbers determine if a Group Policy has changed.
Not all CSEs process across a slow link.
Security settings refresh every 16 hours.
Windows XP and earlier versions log to the Userenv log for most Group Policy
issues. You can modify the registry to enable other CSE logs.
Windows Vista logs to operational logs in Event Viewer.
Blocking inheritance will block all higher-level policies from being applied,
unless those policies are enforced.
You can filter Group Policy to apply only to certain security principals by using
security settings, or WMI filters.
Group Policy is made up of two parts: Group Policy templates, and Group
Policy containers. Group Policy replicates these objects on separate schedules
using different mechanisms.
Windows XP and later versions log on users with cached credentials by
default. Many user settings will require two logons because of this.
Windows XP and earlier use ICMP to determine link speed. Windows
Vista and later versions use network awareness to determine link speed.
Security principals need permission to access script locations, so that they can
execute scripts.
Computer startup scripts run synchronously by default.
User logon scripts run asynchronously by default.
Tools
Use the following tools when troubleshooting Group Policy issues:
Tool: Use
Ping: Testing network connectivity.
NSlookup: Testing DNS lookups.
DCdiag: Testing domain controllers.
Set: Displaying, setting, or removing environment variables.
Kerbtray: Displaying Kerberos ticket information.
Group Policy reporting (RSoP): Reporting information about the current policies being delivered to clients.
GPResult: A command-line utility that displays RSoP information.
GPOTool: Checking Group Policy object stability and monitoring policy replication.
GPUpdate: Refreshing local and AD DS-based Group Policy settings.
Dcgpofix: Restoring the default Group Policy objects to their original state after initial installation.
GPOLogView: Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista and later versions.
Group Policy Management scripts: Sample scripts that perform a number of different troubleshooting and maintenance tasks.

Implementing Security Using Group Policy 8-1
Module 8
Implementing Security Using Group Policy
Contents:
Lesson 1: Configuring Security Policies 8-3
Lesson 2: Implementing Fine-Grained Password Policies 8-15
Lab A: Implementing Security Using Group Policy 8-20
Lesson 3: Restricting Group Membership and Access to Software 8-26
Lesson 4: Managing Security Using Security Templates 8-34
Lab B: Configuring and Verifying Security Policies 8-43
Module Overview

Failure to have adequate security policies can expose an organization to many
risks. A well-designed security policy helps to protect an organization's
investment in business information and internal resources, such as hardware and
software. Having a security policy in itself is not enough, however. You must
implement the policy for it to be effective. You can use Group Policy to
standardize security settings and control the environment.
Lesson 1
Configuring Security Policies

Group Policy provides settings you can use to implement and manage security in
your organization. For example, you can use Group Policy settings to secure
passwords, startup, and permissions for system services.
In this lesson, you will learn the knowledge and skills necessary to configure
security policies.
What Are Security Policies?

Key Points
Security policies are rules that protect resources on computers and networks.
Group Policy allows you to configure many of these rules as Group Policy settings.
For example, you can configure password policies as part of Group Policy.
Group Policy has a large security section to configure security for both users and
computers. This way, you can apply security consistently across organizational
units (OUs) in Active Directory Domain Services (AD DS) by defining security
settings in a Group Policy object that is associated with a site, domain, or OU.
What Are Account Policies?

Key Points
Account policies protect your organization's accounts and data by mitigating the
threat of brute-force guessing of account passwords. In Microsoft Windows
operating systems, and many other operating systems, the most common method
for authenticating a user's identity is a secret password. Securing your
network environment requires that all users use strong passwords. Password
policy settings control the complexity and lifetime of passwords. You can configure
password policy settings through Group Policy.
The policy settings under Account policies should always be configured at the
domain level. Configuring these policy settings at any other Active Directory level
only affects local accounts on member computers at those levels.
Question: You must ensure that all users change their password exactly every 30
days. How would you configure account policies to accomplish this?

What Are Local Policies?

Key Points
Every Windows 2000 Server or later computer has exactly one Local Group Policy
Object (LGPO). In this object, Group Policy settings are stored on the individual
computer, regardless of whether it is part of an Active Directory environment.
The LGPO is stored in a hidden folder named %windir%\system32\Group Policy.
This folder does not exist until you configure an LGPO.
Question: You have a Microsoft Windows Vista client that is not joined to the
domain. You want to force the Administrators to change their passwords every
seven days, while standard users change their passwords every 21 days. How
would you configure the local policy to achieve this?

What Are Network Security Policies?

Key Points
Automating client computer configuration settings is an essential step to reduce
the cost of deploying networking security, and minimize support issues that result
from incorrectly configured settings.
Starting with Windows Server 2003, you could automate client wireless
configuration using the Wireless Networking Policies settings in Group Policy.
Microsoft Windows Server 2008 and Windows Vista include new features for
network policies, and Group Policy support for 802.1X authentication settings for
wired and wireless connections.
Question: How does your organization implement Group Policy to restrict access
to wireless networks?

Windows Firewall with Advanced Security

Key Points
Windows Vista and Windows Server 2008 include a new and enhanced version of
Windows Firewall. The new Windows Firewall is a stateful host-based firewall that
allows or blocks network traffic according to its configuration.
Windows Firewall with Advanced Security allows you to create the following rules:
Program rule: This type of rule allows traffic for a particular program. You can
identify the program by program path and executable name.
Port rule: This type of rule allows traffic on a particular TCP or User Datagram
Protocol (UDP) port number or range of port numbers.
Predefined rule: Windows includes a number of Windows functions that you
can enable, such as File and Printer Sharing, Remote Assistance, and Windows
Collaboration. Creating a predefined rule actually creates a group of rules that
allows the specified Windows functionality to access the network.
Custom rule: A custom rule allows you to create a rule that you may not be able
to create using the other types of rules.
The default behavior of the new Windows Firewall is to:
Block all incoming traffic unless it is solicited or it matches a configured rule.
Allow all outgoing traffic unless it matches a configured rule.

Question: You want to ensure that users are not allowed to use the Telnet service
to connect to any other computers. How would you accomplish this?

Demonstration: Overview of Additional Security Settings

Key Points
Create a wired network policy and see the available options.
Create a Windows Vista wireless network policy, and see the options available.
Demonstrate how you can control services.
Demonstrate how you can control registry and file-system permissions.
Demonstrate the Windows Firewall with advanced security options. Create
some different types of rules as examples. Explore some of the predefined
rules.

Question: You need to ensure that a particular service is not allowed to run on any
of your network servers. How would you accomplish this?

Default Domain Controller Policies

Key Points
Default Domain Controllers Policy is linked to the Domain Controllers OU. This
policy generally affects only domain controllers, because by default, computer
accounts for domain controllers are kept in the Domain Controllers OU.
Question: Provide at least one example of a Default Domain Controllers Policy
setting that your organization has customized.
Question: You need to grant an ordinary user the right to log on locally to domain
controllers. In which of the default policies should you configure this setting?

What Is the Default Domain Security Policy?

Key Points
The default domain policy is linked to the domain, and therefore affects all objects
in the domain unless a GPO that you applied at a lower level blocks or overrides
these settings. This policy has very few settings configured by default.
Note: Although you typically configure the Default Domain Policy to deliver
Account Policies, any domain-level policy is capable of delivering Account Policies
to the domain. If you configure multiple domain-level policies to provide Account
Policies, the policy with the highest priority will win.
Question: If multiple policies are configured at the domain level, what determines
the processing priority?

Demonstration: What Is the Default Domain Controller
Security Policy?

Key Points
Open the default domain controller policy.
Explore the default audit policy.
Explore the user rights configuration.
Explore the security options.
Discuss the differences from the default domain policy.

Question: What is the default Group Policy refresh interval for domain
controllers?

Characteristics of Security Policy Settings

Key Points
Security policies protect the integrity of the computing environment by controlling
many aspects of it, such as password policies, security options, restricted groups,
network policies, services, public key policies, and so on.
Characteristics of Security Policies
Security policies are refreshed every 16 hours even if they have not changed.
Security policies are always processed, even across slow connections.

Question: You have configured a password policy in a GPO and linked that policy
to the Research OU. The policy is not affecting domain users in the OU. What is
the problem?

Lesson 2
Implementing Fine-Grained Password Policies

In Windows Server 2008, using fine-grained password policies, you can allow
different password requirements and account lockout policies for different Active
Directory users or groups.
In this lesson, you will learn the knowledge and skills to implement fine-grained
password policies.
What Are Fine-Grained Password Policies?

Key Points
In previous versions of AD DS, you could apply only one password and account
lockout policy to all users in the domain. Fine-grained password policies allow you
to have different password requirements and account lockout policies for different
Active Directory users or groups. This is desirable when you want different sets of
users to have different password requirements, but do not want separate domains.
For example, the Domain Admins group may need strict password requirements to
which you do not want to subject ordinary users. If you do not implement fine-
grained password policies, then the normal default domain account policies apply
to all users.
Question: How would you use fine-grained passwords in your environment?

How Fine-Grained Password Policies Are Implemented

Key Points
To store fine-grained password policies, Windows Server 2008 includes two new
object classes in the Active Directory schema. They are:
Password Settings Container (PSC)
Password Settings Object (PSO)

The PSC is created by default under the System container in the domain, and it
stores that domain's PSOs. You cannot rename, move, or delete this container.
Question: How could you view the Password Settings Container in Active
Directory Users and Computers?

Implementing Fine-Grained Password Policies

Key Points
There are three major steps involved in implementing fine-grained passwords:
Create necessary groups, and add the appropriate users.
Create PSOs for all defined password policies.
Apply PSOs to the appropriate users or global security groups.

Question: In your organization, a number of users deal with confidential files on a
regular basis. You need to ensure that all of these users have strict account
policies enforced. The user accounts are scattered across multiple OUs. How would
you accomplish this with the least administrative effort?

Demonstration: Implementing Fine-Grained Password
Policies

Key Points
Follow the steps in the step-by-step guide to create a PSO named 7Days that
forces the administrator to change passwords every seven days.
Use the values given in the step-by-step guide to fill in the ADSI Edit wizard.

Question: What utilities can be used to manage PSOs? Choose all that apply.
a. ADSI edit
b. GPMC
c. CSVDE
d. LDIFDE
e. NTDSUtil
f. Active Directory Users and Computers
Lab A: Implementing Security Using Group
Policy

Scenario
Woodgrove Bank has decided to implement Group Policy to configure security for
users and computers in the organization. The company recently upgraded all of
the workstations to Windows Vista, and all of the servers to Windows Server 2008.
The organization wants to use Group Policy to implement security settings for
the workstations, servers, and users.

Note: Some of the tasks in this lab are designed to illustrate GPO management
techniques and settings, and may not always follow best practices.

Exercise 1: Configuring Account and Security Policy
Settings
You have been tasked to implement a domain account policy with the following
criteria:
Domain passwords will be eight characters.
Strong passwords will be enforced.
Passwords will be changed exactly every 20 days.
Accounts will be locked out for 30 minutes after five invalid logon attempts.

You also will configure a local policy on the Windows Vista client that enables the
local Administrator account, and prohibits access to the Run menu for Non-
Administrators.
Then you will create a wireless network policy for Windows Vista that creates a
profile for the Corp wireless network. This profile will define 802.1x as the
authentication method. This policy also will deny access to a wireless network
named Research.
Finally, you will configure a policy to prevent the Windows Installer service from
running on any domain controller.
The main tasks in this exercise are:
1. Start the virtual machine, and log on as Administrator.
2. Create an account policy for the domain.
3. Configure local policy settings for a Windows Vista client.
4. Create a wireless network GPO for Windows Vista clients.
5. Configure a GPO that prohibits a service on all domain controllers.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.
Task 2: Create an account policy for the domain
1. Launch the Group Policy Management Console.
2. In the Group Policy Management console pane, expand Forest:
WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and
then click Group Policy Objects.
3. In the details pane, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration,
expand Policies, expand Windows Settings, expand Security Settings, and
then expand Account Policies.
5. Edit the Account Policy in the Default Domain Policy with the following
values:
Password Policy:
Domain passwords: 8 characters in length
Strong passwords: enforced
Minimum password age: 19 days
Maximum password age: 20 days
Account lockout policy:
Account Lockout Threshold: 5 invalid logon attempts
Account lockout duration: 30 minutes
Lockout counter: reset after 30 minutes

Task 3: Configure local policy settings for a Windows Vista client
1. Start NYC-CL1 and log on as WoodgroveBank\Administrator using the
password Pa$$w0rd.
2. Create a new MMC, and then add the snap-in for the Group Policy Object
Editor for the Local Computer.
3. Open Computer Configuration, open Windows Settings, open Security Settings,
open Local Policies, open Security Options, and then enable the Accounts:
Administrator Account Status setting.
4. Add the Group Policy Object Editor snap-in to the MMC again and then click
Browse.
5. Click the Users tab, select the Non-Administrators group, click OK, and then
Finish.
6. Open User Configuration, Administrative Templates, click the Start Menu
and Taskbar folder, and then enable the Remove Run from Start Menu
setting.
7. Close the MMC without saving the changes.

Task 4: Create a wireless network GPO for Windows Vista clients
1. On NYC-DC1, in the GPMC, create a new GPO named Vista Wireless.
2. Edit the GPO by right-clicking Windows Settings\Security Settings\Wireless
Network (IEEE 802.11) Policies, and then clicking Create a New Windows
Vista Policy.
3. In the New Vista Wireless Network Policy dialog box, click Add, and then
click Infrastructure.
4. Create a new profile named Corporate, and then in the Network Name
(SSID) field, type Corp.
5. Click the Security tab, change the Authentication method to Open with
802.1X, and then click OK.
6. Click the Network Permissions tab, and then click Add.
7. Type Research in the Network Name (SSID): field, set the Permission to
Deny, and then click OK twice.
8. Close the Group Policy Management Editor, and then leave the GPMC open.

Task 5: Configure a policy that prohibits a service on all domain
controllers
1. In the Default Domain Controllers Policy, open Computer Configuration,
Policies, Windows Settings, Security Settings, and then System Services, and
disable the Windows Installer service.
2. Close the Group Policy Management Editor and leave the GPMC open.

Result: At the end of this exercise, you will have configured account and security
policy settings.

Exercise 2: Implementing Fine-Grained Password Policies
Your corporate security policy dictates that members of the IT Administrative
group will have strict password policies. The passwords must meet the following
criteria:
30 passwords will be remembered in password history.
Domain passwords will be 10 characters.
Strong passwords will be enforced.
Passwords will not be stored with reversible encryption.
Passwords will be changed every seven days exactly.
Accounts will be locked out for 30 minutes after three invalid logon attempts.

You will create a fine-grained password policy to enforce these policies for the IT
Admins global group.
The main tasks are as follows:
1. Create a PSO using ADSI Edit.
2. Assign the ITAdmin PSO to the IT Admins global group.

Task 1: Create a PSO using ADSI edit
1. On NYC-DC1, in the Run menu, type adsiedit.msc, and then press ENTER.
2. Right-click ADSI Edit, click Connect to, and then click OK to accept the
defaults.
3. Navigate to DC=woodgrovebank, DC=com, CN=System, CN=Password
Settings Container, right-click CN=Password Settings Container, and then
create a new object.
4. In the Create Object dialog box, click msDS-PasswordSettings, and then click
Next.
5. In the Value box, type ITAdmin.
6. In the msDS-PasswordSettingsPrecedence value, type 10.
7. In the msDS-PasswordReversibleEncryptionEnabled value, type FALSE.
8. In the msDS-PasswordHistoryLength value, type 30.
9. In the msDS-PasswordComplexityEnabled value, type TRUE.
10. In the msDS-MinimumPasswordLength value, type 10.
11. In the msDS-MinimumPasswordAge value, type -5184000000000.

Note: PSO values are time-based values entered using the integer8 format. Integer8 is a
64-bit number that represents the amount of time, in 100-nanosecond intervals, that has
passed since 12:00 AM January 1, 1601.
12. In the msDS-MaximumPasswordAge value, type -6040000000000.
13. In the msDS-LockoutThreshold value, type 3.
14. In the msDS-LockoutObservationWindow value, type -18000000000.
15. In the msDS-LockoutDuration value, type -18000000000 and then click
Finish.
16. Close the ADSI Edit MMC without saving changes.
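The integer8 values typed in steps 11 to 15 can be computed rather than copied, and the same PSO can be created with ldifde, one of the utilities the Lesson 2 demonstration question asks about. The following PowerShell is an added example, not part of the course material; the group DN is a placeholder because the lab does not state which OU holds ITAdmins_WoodgroveGG.

```powershell
# Added example, not part of the 6419A course material.
# PSO time attributes (msDS-MinimumPasswordAge, msDS-MaximumPasswordAge,
# msDS-LockoutObservationWindow, msDS-LockoutDuration) are integer8 values:
# 64-bit counts of 100-nanosecond ticks, stored as NEGATIVE numbers when they
# express a duration. .NET TimeSpan.Ticks uses the same 100-ns unit, so the
# conversion is only a sign flip.

function ConvertTo-PsoInterval {
    param([Parameter(Mandatory = $true)][TimeSpan]$Duration)
    return -1 * $Duration.Ticks
}

function ConvertFrom-PsoInterval {
    param([Parameter(Mandatory = $true)][long]$Value)
    return [TimeSpan]::FromTicks(-1 * $Value)
}

# Exercise 2 requirements: 7-day maximum age, 30-minute lockout. The minimum
# age is set one day below the maximum, as Exercise 1, Task 2 does (19/20).
$minAge  = ConvertTo-PsoInterval ([TimeSpan]::FromDays(6))      # -5184000000000
$maxAge  = ConvertTo-PsoInterval ([TimeSpan]::FromDays(7))      # -6048000000000
$lockout = ConvertTo-PsoInterval ([TimeSpan]::FromMinutes(30))  # -18000000000

# Decode a value before committing it, so you know what it really enforces.
# The value in step 12 of the lab, -6040000000000, decodes to 6.23:46:40
# (6 days, 23 h, 46 min, 40 s), slightly under the 7 days the scenario asks for.
"Lab step 12 value enforces: $(ConvertFrom-PsoInterval (-6040000000000))"
"Exact 7-day value:          $maxAge"

# The same PSO as an LDIF file that ldifde can import (ldifde -i -f ITAdmin.ldf).
# Constraints the directory enforces: min age <= max age, and
# LockoutObservationWindow <= LockoutDuration.
$groupDn = 'CN=ITAdmins_WoodgroveGG,OU=<placeholder>,DC=woodgrovebank,DC=com'
$ldif = @"
dn: CN=ITAdmin,CN=Password Settings Container,CN=System,DC=woodgrovebank,DC=com
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 30
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 10
msDS-MinimumPasswordAge: $minAge
msDS-MaximumPasswordAge: $maxAge
msDS-LockoutThreshold: 3
msDS-LockoutObservationWindow: $lockout
msDS-LockoutDuration: $lockout
msDS-PSOAppliesTo: $groupDn
"@
$ldif | Set-Content -Path .\ITAdmin.ldf -Encoding ASCII
```

Replace the placeholder OU with the group's real distinguished name before importing; ldifde rejects the add if the DN in msDS-PSOAppliesTo does not exist.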

Task 2: Assign the ITAdmin password policy to the IT Admins global
group
1. Open Active Directory Users and Computers.
2. Click View, and then click Advanced Features.
3. Expand Woodgrovebank.com, expand System, and then click Password
Settings Container.
4. In the details pane, right-click the ITAdmin PSO, and then click Properties.
5. Click the Attribute Editor tab, scroll down, select the msDS-PSOAppliesTo
attribute, and then click Edit.
6. Add the ITAdmins_WoodgroveGG group.
7. Close Active Directory Users and Computers.

Result: At the end of this exercise, you will have implemented fine-grained password
policies.

Lesson 3
Restricting Group Membership and Access to
Software

In a large network environment, one of the challenges of network security
is controlling the membership of built-in groups in the directory and on
workstations. Another concern is preventing access to unauthorized software on
workstations.
What Is Restricted Group Membership?

Key Points
In some cases, you may want to control the membership of certain groups in a
domain to prevent addition of other user accounts to those groups, such as the
local administrators group.
You can use the Restricted Groups policy to control group membership. Use the
policy to specify what members are placed in a group. If you define a Restricted
Groups policy and refresh Group Policy, any current member of a group that is not
on the Restricted Groups policy members list is removed. This can include default
members, such as domain administrators.
Although you can control domain groups by assigning Restricted Groups
policies to domain controllers, you should use this setting primarily to configure
membership of critical groups like Enterprise Admins and Schema Admins. You
also can use this setting to control the membership of built-in local groups on
workstations and member servers. For example, you can place the Helpdesk group
into the local Administrators group on all workstations.
You cannot specify local users in a domain GPO. Any local users who currently are
in the local group that the policy controls will be removed. The only exception is
that the local Administrator account will always be in the local Administrators
group.
Question: Your company has five Web servers physically located across North
America. The Web servers' computer accounts are all located in a single OU. You
want to grant all the users in the global group named Web_Backup the right to
back up and restore the Web servers. How could you use Group Policy to
accomplish this?


Demonstration: Configuring Restricted Group Membership

Key Points
Create and link a new Group Policy to the ITAdmins OU.
Add the Administrators group to the GPO's Restricted Groups list.
Configure the Administrators group membership to include Domain Admins
and the ITAdmins_WoodgroveGG global group.
Move the Windows Vista client into an ITAdmins OU, and then force the
update of Group Policy on the client.

Question: You created a Group Policy that adds the Helpdesk group to the local
Administrators group and you linked the policy to an OU. Now the Domain
Administrators no longer have any administrative authority on the computers in
that OU. What is the most likely problem and how would you solve it?
What Is a Software Restriction Policy?

Key Points
You may want to restrict access to software to prevent users from running
particular applications or types of applications, such as VBScript scripts. Software
restriction policy provides administrators with a policy-driven mechanism for
identifying software and controlling its ability to run on a client computer.
Question: You have a number of computers in a workgroup. You need to restrict
access to a certain application so that only members of the Administrators group
are allowed to launch the application. How would you accomplish this?

Options for Configuring Software Restriction Policies

Key Points
Software Restriction policies use rules to determine whether an application is
allowed to run. When you create a rule, you first identify the application. Next
you identify it as an exception to the default policy setting of Unrestricted or
Disallowed. The enforcement engine queries the rules in the software restriction
policy before allowing a program to run.
The Unrestricted security level allows all software to run according to the user's
normal permissions, except for software that is specifically identified as an
exception to the rule.
Basic security level allows programs to execute as a user that does not have
Administrator access rights, but can still access resources accessible by normal
users.
Disallowed security level does not allow any software to run on the client
computer except for software that is identified specifically as an exception to the
rule.

Note: You should apply Disallowed security level only in very high-security or locked-
down environments. It can be difficult to manage because each allowed application must
be identified individually, and because you might need to update the policy each time a
service pack is applied to a software package.
Question: You need to restrict access to a certain application no matter into what
directory location the application is installed. What type of rule should you use?

Demonstration: Configuring Software Restriction Policies

Key Points
Create a hash rule to disallow Microsoft Internet Explorer.
Log off and log on to test the rule.


Note: Internet zone rules only apply to software that uses Windows Installer.
Question: You want to ensure that only digitally signed Visual Basic scripts are
allowed to run. What type of rule should you use?

Lesson 4
Managing Security Using Security Templates

A security policy is a group of security settings that affect a computer's security.
You can use a security policy to establish account and local policies on your local
computer, and in Active Directory. You can create security templates to assist in
creating security policies to meet your company's security needs. You can then use
these templates to configure the security settings assigned to computers, either
manually or through Group Policy.
What Are Security Templates?

Key Points
A security template is a collection of configured security settings. You can use
predefined security templates as a base to create security policies that you
customize to meet your needs, or you can create new templates. You use the
Security Templates snap-in to create or customize templates. After you create a new
template or customize a predefined security template, you can use it to configure
security on an individual computer or thousands of computers. Security templates
contain security settings for all security areas. You apply security templates by
using the Security Configuration and Analysis snap-in, the secedit command-line
tool, or by importing the template into Local Security Policy.
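As an added illustration that is not part of the course, here is the Lab A, Exercise 1 account policy written as a security template, the .inf file format the Security Templates snap-in produces (constructed by hand here). As Lesson 1 notes, account policies only take effect domain-wide when delivered by a domain-level GPO; applied to a single computer, this template governs only that computer's local accounts.

```ini
; Constructed example: Lab A, Exercise 1 account policy as a security template.
; Password ages are in days and lockout values in minutes, as the
; Security Templates snap-in stores them.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
MinimumPasswordAge = 19
MaximumPasswordAge = 20
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
```

Import the file into a GPO's Security Settings node, or apply it to one computer with secedit /configure /db baseline.sdb /cfg baseline.inf; running secedit /analyze with the same /db and /cfg arguments and a /log file reports drift from the template without changing anything.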
Question: Provide an example of how Security Templates can help organize your
existing security attributes.

Demonstration: Applying Security Templates

Key Points
Create a new OU named Servers.
Create a new GPO named Security Baseline, and then assign it to the
servers OU.
Create an MMC with the Security templates snap-in.
Create a new security template named Server Baseline.
Configure some security settings. For example, rename the administrator
account, configure a restricted group, and so on.
Import the server baseline template into the security baseline GPO.

Question: You have multiple database servers that are located in different OUs.
What is the easiest way to apply consistent security settings to all of the database
servers?
What Is the Security Configuration Wizard?

Key Points
The Security Configuration Wizard (SCW) is an attack-surface reduction tool that
was introduced with Windows Server 2003 Service Pack 1 (SP1). SCW assists
administrators in creating security policies: it determines the minimum
functionality that is required for a server's role or roles, and then disables
functionality that is not required.
SCW guides you through the process of creating, editing, applying, or rolling back
a security policy based on the server's selected roles. The security policies that you
create with SCW are XML files that, when applied, configure services, network
security, specific registry values, audit policy, and, if applicable, Internet
Information Services (IIS).
Question: What types of server roles exist in your organization?

Demonstration: Configuring Server Security Using the
Security Configuration Wizard

Key Points
Open the Security Configuration Wizard, and then create a new policy.
Explore the security configuration database.
Step through the wizard and notice the various options.
Save the policy file as C:\baseline.xml.
Complete the wizard, but choose to apply the policy later.

Question: What types of server roles exist in your organization?

Options for Integrating the Security Configuration Wizard
and Security Templates

Key Points
Security policies that you create with the SCW can also include custom security
templates. Some of the settings that you can configure using the SCW partially
overlap with the settings that you can configure using security templates alone.
Neither set of configuration changes is completely inclusive of the other. For
example, the SCW includes IIS settings that are not included in any security
template. Conversely, security templates can include such items as Software
Restriction policies, which you cannot configure through SCW.
SCW saves its security policies as XML files. The scwcmd.exe command-line utility
allows you to convert these and save them as GPOs by using the scwcmd.exe
transform command. The SCW itself does not support GPOs.
Question: What is the main advantage of the SCW?

Demonstration: Importing Security Configuration Policies
into Security Templates

Key Points
Launch the command prompt.
Use scwcmd.exe to transform the Baseline.xml policy file that you created in
the last demo into a GPO named ServerBaseline:
Scwcmd transform /p:C:\Baseline.xml /g:Serverbaseline
Open the GPMC and see that the GPO named Serverbaseline exists.

Question: You need to open a port on your Windows Vista client computers for a
custom application. Should you use the SCW or create a security template and use
a GPO?

What Is the Security Configuration and Analysis Tool?

Key Points
You can use the Security Configuration and Analysis tool to analyze and configure
local system security.
Regular analysis enables you to track and ensure an adequate level of security on
each computer as part of an enterprise risk management program. You can tune
the security levels and, most importantly, detect any security flaws that may occur
in the system over time.
You also can use Security Configuration and Analysis to configure local system
security.
Demonstration: Analyzing Security Policy Using the
Security Configuration and Analysis Tool

Key Points
Create a custom security template.
Import the custom template into the Security Configuration and Analysis Tool.
Run an analysis to compare the current settings to the custom security
template.
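The comparison that the Security Configuration and Analysis tool performs in this demonstration can also be run unattended, which is how you would check a fleet of servers on a schedule. The script below is an added example, not code from the course or from Microsoft: it exports the effective local policy with secedit.exe (which ships with Windows) and reports every setting in the [System Access] and [Registry Values] sections of a baseline template that the system does not match. The baseline is a constructed .inf holding the two settings from Lab B (the renamed Administrator account and the hidden last user name) plus a password length; replace it with your own template. Run it in an elevated session.

```powershell
# Added example (not from the course): scripted equivalent of a Security
# Configuration and Analysis run. Exports the local policy with secedit.exe
# and reports every baseline setting the system does not match.
# Assumes an elevated session; the baseline below is constructed for the demo.

$baselineInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
NewAdministratorName = "FPAdmin"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Read-SecurityInf {
    # Parse INF "key = value" lines into a hashtable keyed "Section|Key".
    # Values keep secedit's encoding (e.g. "4,1" = REG_DWORD with value 1).
    param([string[]]$Lines)
    $settings = @{}
    $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $eq = $t.IndexOf('=')
        if ($eq -lt 0) { continue }
        $settings["$section|" + $t.Substring(0, $eq).Trim()] = $t.Substring($eq + 1).Trim()
    }
    return $settings
}

function Compare-SecurityBaseline {
    # One object per baseline setting that is missing or different on the system.
    param([string[]]$BaselineLines, [string[]]$CurrentLines)
    $baseline = Read-SecurityInf $BaselineLines
    $current  = Read-SecurityInf $CurrentLines
    $mismatches = @()
    foreach ($key in $baseline.Keys) {
        $section, $name = $key -split '\|', 2
        if ($section -ne 'System Access' -and $section -ne 'Registry Values') { continue }
        $expected = $baseline[$key]
        $actual   = $current[$key]
        if ($actual -ne $expected) {
            $mismatches += New-Object PSObject -Property @{
                Section  = $section
                Setting  = $name
                Expected = $expected
                Actual   = $(if ($actual -eq $null) { '<not defined>' } else { $actual })
            }
        }
    }
    return $mismatches
}

# secedit writes a Unicode (UTF-16) file with a byte-order mark; Get-Content handles it.
$exportPath = Join-Path $env:TEMP 'current-policy.inf'
secedit.exe /export /cfg $exportPath | Out-Null
$report = Compare-SecurityBaseline ($baselineInf -split "`r?`n") (Get-Content $exportPath)
if (@($report).Count -eq 0) { 'System matches the baseline.' }
else { $report | Format-Table Section, Setting, Expected, Actual -AutoSize }
```

Only settings the baseline defines are compared, which mirrors what the snap-in does: a setting that the template leaves "Not Defined" is never reported as a mismatch, so keep the baseline explicit about everything you care about.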

Question: Provide at least one example of how your organization can benefit from
using the Security Configuration and Analysis Tool.

Lab B: Configuring and Verifying Security
Policies

Scenario
The enterprise administrator created a design that includes modifications to the
default domain security policy, and additional GPOs for configuring security. The
company wants to have the flexibility to assign different password policies for
specific users. The company also wants to automate the configuration of security
settings as much as possible.
Exercise 1: Configuring Restricted Groups and Software
Restriction Policies
You need to ensure that the ITAdmins global group is included in the local
Administrators group for all of the organization's computers. Domain controllers
are considered high security, and Internet Explorer will not be allowed to run on
domain controllers. You also will prevent any Visual Basic scripts (VBS) from
running on the C: drive of domain controllers.
The main tasks are as follows:
1. Configure restricted groups for the local administrators group.
2. Create a GPO that prohibits Internet Explorer and VBS scripts from running
on domain controllers.

Task 1: Configure restricted groups for the local administrators group
1. If required, open the GPMC, open the Group Policy Objects folder and then
edit the Default Domain Policy.
2. Navigate to Computer Configuration, expand Policies, expand Windows
Settings, expand Security Settings, right-click Restricted Groups, and then
click Add Group.
3. Add the Administrators group, and then click OK.
4. In the Administrators Properties dialog box, add the following groups:
Woodgrovebank\ITAdmins_WoodgroveGG
Woodgrovebank\Domain Admins
5. Close the Group Policy Management Editor.
Task 2: Prohibit Internet Explorer and VBS scripts from running on
domain controllers
1. Edit the Default Domain Controllers Policy.
2. Navigate to Windows Settings, expand Security Settings, right-click Software
Restriction Policies, and then click New Software Restriction Policy.
3. Right-click Additional Rules, and then click New Hash Rule.
4. Browse and navigate to C:\Program Files\Internet Explorer\iexplore.exe,
and then click Open. Ensure that the Security level is Disallowed.
5. Right-click Additional Rules, and then click New Path Rule.
6. In the Path field, type *.vbs and then click OK.
7. Close the Group Policy Management Editor.

Result: At the end of this exercise, you will have configured restricted groups and
software restriction policies.
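Once the policy has refreshed on a domain controller, the rules from Task 2 land in the local registry, and reading them back is the quickest way to confirm that the GPO arrived and that the hash rule still matches the binary it was created from. The following is an added example, not code from the course or from Microsoft. The registry layout it walks (one subkey per security level under CodeIdentifiers, each with Paths and Hashes subkeys holding GUID-named rules, and the HashAlg identifiers 32771, 32772 and 32780 for MD5, SHA-1 and SHA-256) is assumed from inspection of SRP policy on Windows Server 2008; verify it on your own systems before relying on the output.

```powershell
# Added example (not from the course): list the Software Restriction Policy
# rules Group Policy delivered to this computer, and check whether the
# current iexplore.exe is still covered by a hash rule. Registry layout is an
# assumption (verify on your systems): under CodeIdentifiers there is one
# subkey per security level (0 = Disallowed, 131072 = Basic User,
# 262144 = Unrestricted), each with Paths\ and Hashes\ subkeys holding one
# GUID-named rule apiece; hash rules keep the digest in ItemData and the
# algorithm id in HashAlg (32771 = MD5, 32772 = SHA-1, 32780 = SHA-256).

$saferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }
$hashAlgs   = @{ 32771 = 'MD5'; 32772 = 'SHA1'; 32780 = 'SHA256' }

function ConvertTo-Hex { param([byte[]]$Bytes) ($Bytes | ForEach-Object { $_.ToString('x2') }) -join '' }

function Get-SoftwareRestrictionRules {
    # One object per rule: Level, Type (Path/Hash), Target, Algorithm, Description.
    $rules = @()
    if (-not (Test-Path $saferRoot)) { return $rules }
    foreach ($levelKey in Get-ChildItem $saferRoot) {
        $level = $levelNames[$levelKey.PSChildName]
        if (-not $level) { continue }            # not a security-level subkey
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($ruleKey in Get-ChildItem $kindPath) {
                $p = Get-ItemProperty $ruleKey.PSPath
                if ($kind -eq 'Paths') {
                    $type = 'Path'; $target = [string]$p.ItemData; $algo = ''
                } else {
                    $type = 'Hash'; $target = ConvertTo-Hex $p.ItemData
                    $algo = $hashAlgs[[int]$p.HashAlg]
                    if (-not $algo) { $algo = "alg $($p.HashAlg)" }
                }
                $rules += New-Object PSObject -Property @{
                    Level = $level; Type = $type; Target = $target
                    Algorithm = $algo; Description = [string]$p.Description
                }
            }
        }
    }
    return $rules
}

function Get-FileDigest {
    # Hex digest of a file with the named .NET algorithm (MD5, SHA1, SHA256).
    param([string]$Path, [string]$Algorithm)
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try { ConvertTo-Hex $hasher.ComputeHash($stream) } finally { $stream.Close() }
}

function Test-HashRuleCoverage {
    # Returns the first hash rule matching the file as it exists now, else $null.
    # A hash rule only matches a byte-identical file, so a patched binary
    # silently falls outside it; that is the main operational caveat of hash rules.
    param([string]$Path, $Rules)
    foreach ($r in ($Rules | Where-Object { $_.Type -eq 'Hash' -and $hashAlgs.ContainsValue($_.Algorithm) })) {
        if ((Get-FileDigest -Path $Path -Algorithm $r.Algorithm) -eq $r.Target) { return $r }
    }
    return $null
}

$rules = Get-SoftwareRestrictionRules
$rules | Format-Table Level, Type, Algorithm, Target, Description -AutoSize
$ie  = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
$hit = Test-HashRuleCoverage -Path $ie -Rules $rules
if ($hit) { "iexplore.exe matches a $($hit.Level) hash rule ($($hit.Algorithm))." }
else      { 'iexplore.exe matches no hash rule (binary changed since the rule was made, or policy not applied).' }
```

The path rule for *.vbs shows up under Paths with its pattern as the target; the hash rule for iexplore.exe shows up under Hashes. If the coverage test reports no match after a service pack or cumulative update has replaced iexplore.exe, the hash rule needs to be recreated, which is the usual argument for preferring path or certificate rules where they are sufficient.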

Exercise 2: Configuring Security Templates
You will create a security template for file and print servers that renames the
Administrator account and does not display the name of the last user who logged on.
You then will use the Security Configuration Wizard to create a security policy that
hardens the file and print server and includes the security template. You will use
the SCW interface to apply the policy to the file and print server, NYC-SVR1. Finally,
you will transform the policy into a GPO named FPSecurity.
The main tasks for this exercise are:
1. Create a security template for the file and print servers.
2. Start NYC-SVR1, and disable the Windows Firewall.
3. Run the Security Configuration Wizard and import the FPSecurity template.
4. Transform the FPPolicy into a GPO.

Task 1: Create a security template for the file and print servers
1. On NYC-DC1, create a new MMC, and then add the snap-in for Security
Templates.
2. Expand Security Templates, right-click C:\Users\Administrators
\Documents\Security\Templates, and then click New Template.
3. Name the template FPSecurity.
4. Navigate to Local Policies, and then Security Options. Define the Accounts:
Rename administrator account setting with the value FPAdmin.
5. Set the Interactive Logon: Do not display last user name to be Enabled.
6. In the folder pane, right-click FPSecurity, and then click Save.
7. Close the MMC without saving the changes.

Task 2: Start NYC-SVR1 and disable the Windows Firewall
1. Start NYC-SVR1 and log on as WOODGROVEBANK\Administrator with the
password Pa$$w0rd.
2. Disable the Windows Firewall.
Note: This step is performed to simplify the lab and is not a recommended practice.
Task 3: Run the Security Configuration Wizard and import the
FPSecurity template
1. On NYC-DC1, launch the Security Configuration Wizard.
2. On the Welcome page, click Next.
3. On the Configuration Action screen, click Next.
4. On the Select Server screen, type NYC-SVR1.woodgrovebank.com, and then
click Next.
5. After the security configuration database has been processed, click Next.
6. On the Role-Based service Configuration screen, click Next.
7. On the Select server Roles screen, clear the checkbox beside DNS Server.
8. Select the checkbox beside File Server.
9. Select the checkbox beside Print Server and then click Next.
10. On the Select Client Features screen, click Next.
11. On the Select Administration and Other Options screen, click Next.
12. On the Select Additional Services screen, click Next.
13. On the Handling Unspecified Services screen, continue clicking Next until
you reach the Security Policy File Name screen.
14. On the Security Policy File Name screen, type FPPolicy at the end of the
C:\Windows\security\msscw\policies\ path.
15. Click Include Security Templates, and then click Add.
16. Add the Documents\Security\Templates\FPSecurity policy.
17. On the Apply Security Policy screen, click Apply Now, and then click Next.
18. On the Applying Security Policy screen, click Next, and then click Finish.
Task 4: Transform the FPPolicy into a GPO
1. On NYC-DC1, launch the Command Prompt and type scwcmd transform
/p:C:\Windows\security\msscw\Policies\FPpolicy.xml
/g:FileServerSecurity.
2. Open the GPMC if necessary, and then open the Group Policy Objects folder.
Double-click the FileServerSecurity GPO, and then examine the settings.
3. Close the GPMC and log off NYC-DC1.

Result: At the end of this exercise, you will have configured security templates.

Exercise 3: Verifying the Security Configuration
You will log on as various users to test the results of Group Policy.
The main tasks for this exercise are:
1. Log on as the Local Administrator of the Windows Vista computer and check
the membership of the local administrators group.
2. Log on to the Windows Vista computer as an ordinary user and test the
account policy.
3. Log on to the domain controller as the domain administrator and test software
restrictions and services.
4. Use Group Policy modeling to test the settings on the file and print server.
5. Close all virtual machines and discard undo disks.

Task 1: Log on as the Local Administrator of the Windows Vista
computer and check the membership of the local administrators
group
1. Log on to NYC-CL1 as NYC-CL1\administrator with the password
Pa$$w0rd.
2. Launch a Command Prompt, and run the GPupdate /force command.
3. Ensure that the Run menu appears in the Accessories folder on the Start
menu.
4. Open Control Panel, click User Accounts, click User Accounts, click Manage
User Accounts, click the Advanced tab, click Advanced, click Groups, open
the Administrators group, and then ensure that the Domain Admins and the
ITAdmins global groups are present.
5. Restart NYC-CL1.
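The membership check in step 4 can be done from the command line as well, which is more practical than the Control Panel route when you need to confirm the Restricted Groups result on many computers. The script below is an added example, not code from the course or from Microsoft; it lists the local Administrators group through the WinNT ADSI provider and reports which of the groups the lab expects (taken from Exercise 1) are missing. The computer name defaults to the local machine.

```powershell
# Added example (not from the course): verify the Restricted Groups result
# by listing local Administrators through the WinNT ADSI provider and
# reporting any expected member that is absent. Expected names come from
# Lab B, Exercise 1; the computer defaults to the local one.

function Get-LocalGroupMembers {
    # Returns one "DOMAIN\Name" string per member. Domain principals arrive as
    # WinNT://WOODGROVEBANK/Domain Admins; local accounts carry an extra
    # computer segment (WinNT://WOODGROVEBANK/NYC-CL1/Administrator).
    param([string]$Group = 'Administrators', [string]$Computer = $env:COMPUTERNAME)
    $adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($adsiGroup.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-RequiredMembers {
    # Returns the required members that are NOT present (empty = compliant).
    param([string[]]$Required, [string[]]$Actual)
    $missing = @()
    foreach ($r in $Required) {
        if (-not ($Actual | Where-Object { $_ -ieq $r })) { $missing += $r }
    }
    return $missing
}

$members = @(Get-LocalGroupMembers -Group 'Administrators')
'Local Administrators members:'
$members
$required = 'WOODGROVEBANK\Domain Admins', 'WOODGROVEBANK\ITAdmins_WoodgroveGG'
$missing  = Test-RequiredMembers -Required $required -Actual $members
if ($missing) { "Missing: $($missing -join ', ')" } else { 'All required groups are present.' }
```

Because Restricted Groups replaces the membership list rather than appending to it, the output also tells you which accounts the policy removed; anything you still expect to see (a local service account, for example) has to be added to the policy's Members list rather than to the group by hand.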

Task 2: Log on to the Windows Vista computer as an ordinary user,
and test the policy
1. Log on to NYC-CL1 as Woodgrovebank\Roya with the password Pa$$w0rd.
2. Ensure that the Run menu does not appear in the Accessories folder on the
Start menu.
3. Press Right-ALT + DELETE, and then click Change a password.
4. In the Old Password field, type Pa$$w0rd.
5. In the New Password and Confirm password fields, type w0rdPa$$. You will
not be able to update the password because the minimum password age has
not expired.
6. Press Right-ALT + DELETE, and then click Change a password.
7. In the New Password and Confirm password fields, type pa. You will not be
able to update the password because it is shorter than the minimum password
length.
8. Log off NYC-CL1.

Task 3: Log on to the domain controller as the domain administrator,
and test software restrictions and services
1. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
2. Launch a Command Prompt, and then run the GPupdate /force command.
3. Attempt to launch Internet Explorer, read the error message, and then click
OK.
4. Navigate to E:\mod08\labfiles, double-click Hello.vbs, read the error
message, and then click OK.
5. Open the Services MMC in Administrative Tools. Scroll down to the
Windows Installer service, and ensure that its startup type is Disabled.

Task 4: Use Group Policy modeling to test the settings on the file and
print server
1. Open the GPMC, and then launch the Group Policy Modeling Wizard.
2. Accept all the defaults except on the User and Computer Selection window.
3. Click Computer, and then type Woodgrovebank\NYC-SVR1.
4. After completing the wizard, observe the policy settings.
Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have verified the security configuration.

Module Review and Takeaways

Considerations for Implementing Security Using Group Policy
Consider the following when implementing security using Group Policy:
The Default Domain Policy and the Default Domain Controllers Policy are
created by default.
Account policies must be implemented at the domain level.
Any domain level policy is capable of delivering account policies.
Clients receive account policies from domain controllers.
Local policies generally affect all users of the local computer, including domain
users.
Network security policies can control wireless configuration for Windows XP
and later.
Network security policies can control wired configuration for Windows Vista
and later.
Windows Firewall supports outbound rules.
Network awareness can automatically determine your firewall profile.
Firewall settings and IPsec settings are now integrated.
Fine-grained passwords allow different users or global groups to have different
account policies.
Fine-grained policies are not delivered through Group Policy.
Fine-grained policies must be created using ADSIedit or LDIFDE.
Both domain and local group membership can be controlled through Group
Policy.
Access to software can be controlled through Group Policy.
Local administrators can be exempted from software restrictions.
There are four rule types to control access to software.
Security templates can be used to provide a consistent set of security settings.
The Security Configuration Wizard can be used to assist in creating security
policies.
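Two of the takeaways above, that fine-grained password policies are not delivered through Group Policy and must be created with ADSIedit or LDIFDE, deserve a concrete illustration because the LDIFDE route is the one most people get wrong: the msDS-* duration attributes of a Password Settings Object are stored as negative counts of 100-nanosecond ticks. The script below is an added example, not code from the course or from Microsoft. It builds the LDIF for a PSO and imports it with ldifde.exe. The domain DN (the course's woodgrovebank.com lab domain), the PSO name, the values and the DN of the target group are constructed; a PSO requires the Windows Server 2008 domain functional level and Domain Admins rights to create.

```powershell
# Added example (not from the course): generate the LDIF for a Password
# Settings Object (PSO) and import it with ldifde.exe, the command-line route
# the takeaways name. msDS-* durations are negative 100-nanosecond tick
# counts, so the conversion is done here rather than by hand.
# Requires the Windows Server 2008 domain functional level and Domain Admins.
# Domain DN, PSO name, values and target group DN are constructed examples.

function ConvertTo-AdInterval {
    # Minutes -> negative 100-ns tick count, as a string for the LDIF.
    # With -NeverIfZero, 0 becomes the "never expires" sentinel used for
    # msDS-MaximumPasswordAge.
    param([double]$Minutes, [switch]$NeverIfZero)
    if ($NeverIfZero -and $Minutes -eq 0) { return '-9223372036854775808' }
    $ticks = [int64]($Minutes * 60 * 10000000)
    return (-$ticks).ToString()
}

function New-PsoLdif {
    param(
        [string]$DomainDn, [string]$Name, [int]$Precedence,
        [int]$MinLength, [int]$HistoryLength, [bool]$Complexity,
        [double]$MaxAgeDays, [double]$MinAgeDays,
        [int]$LockoutThreshold, [double]$LockoutWindowMinutes,
        [double]$LockoutDurationMinutes, [string[]]$AppliesToDn)
    $lines = @(
        "dn: CN=$Name,CN=Password Settings Container,CN=System,$DomainDn"
        'changetype: add'
        'objectClass: msDS-PasswordSettings'
        "msDS-PasswordSettingsPrecedence: $Precedence"
        "msDS-MinimumPasswordLength: $MinLength"
        "msDS-PasswordHistoryLength: $HistoryLength"
        "msDS-PasswordComplexityEnabled: $($Complexity.ToString().ToUpper())"
        'msDS-PasswordReversibleEncryptionEnabled: FALSE'
        "msDS-MaximumPasswordAge: $(ConvertTo-AdInterval ($MaxAgeDays * 1440) -NeverIfZero)"
        "msDS-MinimumPasswordAge: $(ConvertTo-AdInterval ($MinAgeDays * 1440))"
        "msDS-LockoutThreshold: $LockoutThreshold"
        "msDS-LockoutObservationWindow: $(ConvertTo-AdInterval $LockoutWindowMinutes)"
        "msDS-LockoutDuration: $(ConvertTo-AdInterval $LockoutDurationMinutes)"
    )
    foreach ($dn in $AppliesToDn) { $lines += "msDS-PSOAppliesTo: $dn" }
    return ($lines -join "`r`n") + "`r`n"
}

# Stricter policy for the IT administrators group from the lab (values constructed).
$ldif = New-PsoLdif -DomainDn 'DC=woodgrovebank,DC=com' -Name 'PSO-ITAdmins' -Precedence 10 `
    -MinLength 14 -HistoryLength 24 -Complexity $true -MaxAgeDays 42 -MinAgeDays 1 `
    -LockoutThreshold 3 -LockoutWindowMinutes 30 -LockoutDurationMinutes 30 `
    -AppliesToDn 'CN=ITAdmins_WoodgroveGG,CN=Users,DC=woodgrovebank,DC=com'
$ldifPath = Join-Path $env:TEMP 'pso-itadmins.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
$ldif                           # review before importing
ldifde.exe -i -f $ldifPath      # import; add -k to ignore "already exists" errors
```

A lower precedence number wins when several PSOs apply to the same user, and a PSO linked directly to a user beats any PSO linked through group membership, so keep precedence values unique and document them. The lockout threshold of 3 in the sample matches the value in review question 2 below.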

Review Questions
1. You want to place a software restriction policy on a new type of executable file.
What must you do before you can create a rule for this executable code?
2. What setting must you configure to ensure that users are only allowed 3
invalid logon attempts?
3. You want to provide consistent security settings for all client computers in the
organization. The computer accounts are scattered across multiple OUs. What
is the best way to provide this?
4. An administrator in your organization has accidentally modified the Default
Domain Controller Policy. You need to restore the policy to its original default
settings. How would you accomplish this?

Configuring Server Security Compliance 9-1
Module 9
Configuring Server Security Compliance
Contents:
Lesson 1: Securing a Windows Infrastructure 9-3
Lesson 2: Overview of EFS 9-9
Lesson 3: Configuring an Audit Policy 9-13
Lesson 4: Overview of Windows Server Update Services (WSUS) 9-20
Lesson 5: Managing WSUS 9-32
Lab: Manage Server Security 9-40
Module Overview

This module explains how to secure servers, secure data on servers, and maintain
update compliance. It also details how to configure an audit policy and manage
updates using Windows Server Update Services (WSUS). Because keeping servers
and workstations updated with the most recent software updates helps increase
security, it is important to automate software updates. WSUS helps administrators
use automation to deploy software updates with less effort and more control.
Lesson 1
Securing a Windows Infrastructure

This lesson explains how to secure a server role within a Microsoft Windows
infrastructure. As organizations expand the availability of network data,
applications, and systems, it becomes more challenging to ensure network
infrastructure security. Security technologies in the Microsoft Windows Server
2008 operating system enable organizations to provide better protection for their
network resources and organizational assets in increasingly complex environments
and business scenarios.
Discussion: Challenges of Securing a Windows
Infrastructure

Key Points
Discuss the challenges of securing a Windows infrastructure.
Applying Defense-in-Depth to Increase Security

Key Points
The layers of defense provide a view of your environment, area by area, that you
should consider when designing your network's security defenses. You can modify
the detailed definitions of each layer based on your organization's security
priorities and requirements. The following list gives an example of what you could
address at each level of defense:
Data. An organization's primary concerns at this layer are business and legal
issues that may arise from data loss or theft, and operational issues that
vulnerabilities at the host or application layers may expose.
Application. An organization's primary concerns at this layer are access to the
binary files that comprise applications, access to the host through
vulnerabilities in the applications' listening services, or inappropriate gathering
of specific system data to pass to someone who can use it for their own
purposes.
Host. An organization's primary concerns at this layer are preventing access to
the binary files that comprise the operating system, and access to the host
through vulnerabilities in the operating system's listening services.
Internal network. The risks to an organization's internal network largely
concern the sensitive data that they transmit via the networks. The
connectivity requirements for client workstations on these internal networks
also pose a number of risks.
Perimeter network. The primary risks at this layer focus on available
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
ports that the network uses.
Physical security. An organization's primary concern at this layer, if using
antivirus systems, is to stop infected files from bypassing the perimeter and
internal network defenses.
Policies, procedures and awareness. It is important for you to promote awareness
in your organization to all interested parties. In many cases, ignorance of a risk
can lead to a security breach. For this reason, training also should be an
integral part of any security model.

Question: What is the most important part of the defense-in-depth security model?

Core Server Security Practices

Key Points
Without physical security, you have no security. Core server-security practices are
relatively easy to adopt, and you should integrate them into the standard security
configuration of all servers. Some of your core server-security practices should
include:
Apply the latest service packs, and all available security and critical updates.
Use the Security Configuration Wizard to scan and implement server security
based on server roles.
Use Group Policy and security templates to harden servers and lessen the
attack footprint.
Restrict scope of access for service accounts, which lessens damage should the
account be compromised.
Use security options to restrict who can log on locally to server consoles.
Restrict physical and network access to servers.

Question: Does your company have a detailed "build sheet" for all new
installations that occur on new hardware? What can you do to lessen the attack
footprint on your infrastructure?

Lesson 2
Overview of EFS

Data encryption on the filesystem is an important part of securing server data. The
Encrypting File System (EFS) integrates with NTFS to provide data encryption for
files. Encrypting a file with EFS is straightforward: users can select a checkbox and
the file will be encrypted. BitLocker Drive Encryption can be used to protect
operating system files on a server that has been physically compromised.
What Is Encrypting File System?

Key Points
Encrypting File System (EFS) is a system for encrypting data files that is
included as part of Microsoft Windows 2000, Windows XP, Windows Server 2003,
Windows Vista, and Windows Server 2008. EFS generates a unique symmetric
encryption key to encrypt each file. The symmetric key is stored in the file
header.
Encrypting or decrypting a file or folder occurs when a user opens advanced
properties and checks or clears the Encrypt contents to secure data checkbox.
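The checkbox sets the Encrypted attribute on the file, and that attribute is what you query when you need to know, across a whole folder tree, which files are protected and which are not. The script below is an added example, not code from the course or from Microsoft: it inventories EFS status under a folder, encrypts any file still in clear text through the same Win32 EncryptFile call the checkbox uses (via .NET File.Encrypt), and then uses cipher.exe /c (available since Windows Vista) to show which user certificates and recovery agents can open a file. The folder path is a constructed example; run it as the user who should own the files, because EFS keys are per user.

```powershell
# Added example (not from the course): inventory EFS status under a folder,
# encrypt anything still in clear text, and show who can decrypt the result.
# Uses the Encrypted attribute NTFS sets when "Encrypt contents to secure data"
# is selected, and .NET File.Encrypt (Win32 EncryptFile) to encrypt.
# Folder path is a constructed example; run as the intended file owner.

function Get-EfsStatus {
    # One object per file: full path and whether it is EFS-encrypted.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        New-Object PSObject -Property @{
            File      = $_.FullName
            Encrypted = (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
        }
    }
}

function Protect-ClearTextFiles {
    # Encrypts every unencrypted file under $Path; returns the paths it touched.
    param([string]$Path)
    $touched = @()
    foreach ($f in @(Get-EfsStatus -Path $Path)) {
        if (-not $f.Encrypted) {
            [System.IO.File]::Encrypt($f.File)
            $touched += $f.File
        }
    }
    return $touched
}

$folder = 'D:\Finance\Reports'   # constructed example folder
Get-EfsStatus -Path $folder | Format-Table Encrypted, File -AutoSize
$changed = Protect-ClearTextFiles -Path $folder
"Encrypted $(@($changed).Count) file(s)."
# Who can open each encrypted file: user certificates and recovery agents.
cipher.exe /c (Join-Path $folder '*')
```

Encrypting the files individually, as above, is what the checkbox does for a single file; marking the folder itself as encrypted is usually the better operational choice, because new files created in it are then encrypted from the start rather than written in clear text first. Check the cipher /c output for a recovery agent on every file before you rely on EFS for data you cannot afford to lose with a user's profile.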
Question: Why would EFS be used to encrypt data in addition to using NTFS
permissions?

What Is BitLocker Drive Encryption?

Key Points
BitLocker Drive Encryption is a system that encrypts the entire operating system
volume. Encryption of additional data volumes is also an option. Encryption keys
are handled automatically in the background with little overhead.
Question: In what scenario would BitLocker be useful on a server?

Troubleshooting EFS

Key Points
When you encounter issues with EFS, first determine the circumstances under
which the error occurs:
Does the error affect multiple users or one user?
Is the error with a local or remote file?
Does the error occur during encryption or decryption?

Based on the information you gather about the issue, you can focus on the
probable causes.
Question: Have you faced any EFS troubleshooting scenarios in your work
environment? If so, how did you approach them?

Lesson 3
Configuring an Audit Policy

You can configure an audit policy that records user or system activity in specified
event categories. Additionally, you can monitor security-related activity, such as
who accesses an object, if a user logs on or off a computer, or if changes occur to
an auditing policy setting.
As a best practice, you should create an audit plan before implementing audit
policy.
What Is Auditing?

Key Points
Auditing is the process that tracks user activity by recording selected events in a
server or workstation security log.
The most common types of events to audit are:
Access to objects, such as files and folders.
Management of user and group accounts.
Users logging on and off the system.

Question: List three reasons that you may want to audit certain areas of a system
or a particular shared resource.

What Is an Audit Policy?

Key Points
An audit policy determines the security events that are reported to the network
administrator. When you implement an audit policy:
Specify the categories of events that you want to audit.
Set the size and behavior of the security log.
Audit directory service access or object access by determining for which
objects you are monitoring access and what type of access you want to
monitor. For example, if you want to audit any attempts by users to open a
particular file, you can configure auditing policy settings in the object access
event category so that both successful and failed attempts to read a file are
recorded.

Question: Provide an example of why you would want to log successful events and
failure events, as opposed to only failure events.
Types of Events to Audit

Key Points
Before you implement an auditing policy, you must decide which event categories
to audit. The auditing settings that you choose for the event categories define your
auditing policy. Auditing settings for the event categories are undefined by default
on member servers and workstations that are joined to a domain. Domain
controllers turn on auditing by default.
You can create an auditing policy that suits your organization's security needs by
defining auditing settings for specific event categories.
Question: What categories of events does your company presently audit? If your
company is not auditing, what event categories would you like to see audited in
your organization?

Troubleshooting Audit Policy

Key Points
After you configure auditing, events may not be recorded as you expect. This
behavior can occur for any of the following reasons:
A site, a domain, or an organizational unit policy setting overrides the
audit policy that you configured. To troubleshoot this issue, open the Audit
Policy, and view the Security Setting of the policy. If the security setting of the
policy is No auditing, a higher-level GPO may be overriding the audit policy
setting that you configured. To confirm this behavior, view the higher-level
GPO items that are linked to either the organizational unit or to the domain
for possible conflicts.
A GPO that overrides the audit policy setting has a higher priority. To
troubleshoot this issue, in Active Directory Users and Computers, view the
properties of your domain. Then view the Group Policy Object Links list on
the Group Policy tab. Items that are higher in the list override other lower-level
items.
If the GPO that contains your audit policy setting is listed below a higher-
priority GPO item that turns off auditing, do one of the following steps:
Click the GPO that contains the audit policy setting that you want to use,
and then click Up to move it above the higher-priority item in the list.
Edit the GPO items that are listed above the GPO that contains the audit
policy setting to remove conflicting policy settings.
The site, the domain, or the organizational unit policy setting that contains
the audit policy setting has not replicated to other computers. To resolve
this issue, use the Secedit.exe command-line utility to force Group Policy to be
refreshed.

Object Access Auditing
Inheritance affects file and folder auditing. After you set up auditing on a
parent folder, new files and subfolders that are created in that folder inherit
auditing. If you do not want the file or folder to inherit auditing from the
parent, you can edit the auditing settings of the file or folder.
You can test an audit rule for a file or folder by opening and closing the file or
folder. Then you can look in the event log for the corresponding events.
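The test described above, opening the file and then looking in the event log, is worth scripting so that it can be repeated after every policy change. The following is an added example, not code from the course or from Microsoft. It adds an audit entry (a SACL) to a folder so that the entry is inherited by new files, touches a file inside it, and then pulls the matching object-access events (event ID 4663, "An attempt was made to access an object") from the Security log. It assumes an elevated PowerShell 2.0 or later session on Windows Server 2008 and that "Audit object access" is enabled for Success; the folder path is a constructed example.

```powershell
# Added example (not from the course): scripted version of the audit-rule
# test. Adds a SACL entry to a folder, touches a file in it, then reads the
# matching object-access events (ID 4663) back from the Security log.
# Assumes an elevated PowerShell 2.0+ session with "Audit object access"
# enabled for Success (auditpol /get /category:"Object Access" shows it).
# The folder path is a constructed example.

$folder = 'C:\AuditProbe'

function Add-FolderAuditRule {
    # Audit successful and failed Read/Write by Everyone, inherited by children.
    param([string]$Path)
    $acl = Get-Acl -Path $Path -Audit
    $ruleArgs = @('Everyone', 'Read, Write', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ObjectAccessEvents {
    # 4663 events since $Since whose ObjectName lies under $Path.
    param([string]$Path, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The event's named fields are easiest to read from its XML rendering.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -like "$Path*") {
            New-Object PSObject -Property @{
                Time    = $e.TimeCreated
                Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object  = $data['ObjectName']
                Access  = $data['AccessMask']
                Process = $data['ProcessName']
            }
        }
    }
}

if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }
Add-FolderAuditRule -Path $folder
$start = (Get-Date).AddSeconds(-1)
$probe = Join-Path $folder 'probe.txt'
Set-Content -Path $probe -Value 'audit probe'      # write access
Get-Content -Path $probe | Out-Null                # read access
Start-Sleep -Seconds 2                             # let the log catch up
Get-ObjectAccessEvents -Path $folder -Since $start |
    Format-Table Time, Subject, Object, Access, Process -AutoSize
```

If the SACL is in place but no 4663 events appear, the audit policy itself is the usual culprit: object access auditing is off, or a higher-priority GPO overrides it, which is exactly the troubleshooting sequence in the list above. The AccessMask column is a hexadecimal rights mask; 0x1 is read data and 0x2 is write data for files.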

Question: How often do you think you should check the security log to ensure
auditing is happening correctly?

Demonstration: How to Configure Auditing

Key Points
Open Group Policy Management. Edit the Default Domain Controllers Policy
located under WoodgroveBank.com\Group Policy Objects\Default Domain
Controllers Policy.
In the Group Policy Management Editor console tree, expand Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies
\Audit Policy.
Enable one or more auditing policies.
Click the Explain tab of an auditing policy.
Enable auditing on object access.

Question: What is the default auditing policy setting for domain controllers? What
is the benefit of having this setting as the default setting for domain controllers?
Lesson 4
Overview of Windows Server Update Services
(WSUS)

This lesson introduces Windows Server Update Services (WSUS), which is a tool
for managing and distributing software updates that resolve security vulnerabilities
and other stability issues.
WSUS enables you to deploy the latest Microsoft product updates to computers
running the Windows operating system.
What Is Windows Server Update Services?

Key Points
WSUS enables you to deploy the latest Microsoft product updates to computers
running Windows Server 2003, Windows Server 2008, Windows Vista, Microsoft
Windows XP with Service Pack 2, and Windows 2000 with Service Pack 4
operating systems. Using WSUS enables you to manage the distribution of the
updates that Microsoft Update releases to your network's computers.
WSUS 3.0 provides improvements in the following areas:
Ease of use
Improved deployment options
Better support for complex server hierarchies
Better performance and bandwidth optimization
The ability to extend WSUS 3.0 using improved application programming
interfaces (APIs)

Question: Do you currently use WSUS services in your organization? If so, how
would the improvements to WSUS 3.0 affect how you use WSUS? If not, how
would implementing WSUS benefit your organization?

Obtaining Updates

Key Points
At least one WSUS server in your organization must synchronize updates with the
Windows Update servers on the Internet. Additional WSUS servers can
synchronize updates with a parent WSUS server.
You can use WSUS on an isolated network by copying update files from a WSUS
server that is connected to the Internet.
Question: Describe a scenario where an organization would have an isolated
network.

Windows Server Update Services Process

Key Points
It is recommended to implement an ongoing four-phase approach to the update
management process: assess, identify, evaluate and plan, and deploy. It is essential
to repeat the update management process on an ongoing basis, as new updates
become available that can enhance and protect the production environment.
Each phase has different goals and methods for using WSUS features to ensure
success during the update management process. It is important to note that you
can employ many of the features in more than one phase.
Question: You need to determine which types of updates to synchronize from
Microsoft Update and when to synchronize them. In which phase of the WSUS
process would this planning occur?

WSUS Deployment Considerations

Key Points
Deployment considerations include the following:
Internet connectivity is required for at least one of your WSUS servers, although it
is possible to support isolated network segments that have no connection to the
Internet.
You should determine the number of WSUS servers that you require by examining
the number of client computers that you must support, the number of locations
that you have, and the type of WSUS deployment that you choose.
A simple WSUS deployment consists of a single WSUS server or farm, which
synchronizes updates from Windows Update and distributes them to computers
on the network.
A WSUS server hierarchy consists of a parent WSUS server, which synchronizes
with Windows Update, and downstream WSUS servers that synchronize with the
parent WSUS server.
You can use computer groups to control whether computers should get different
updates. You can also use computer groups to create a limited release-testing
group for testing updates before full deployment.
You should consider where to store updates before distribution. You can store the
updates on Windows Update servers and use WSUS to control which updates the
computers will download or you can store the updates on the WSUS server.
Question: In your organization, would you use more than one WSUS server? If so,
would you link your WSUS servers together using autonomous mode or replica
mode?

Server Requirements for WSUS

Key Points
The number of client computers that your organization is updating is what
drives hardware and database software requirements. A WSUS server using the
recommended hardware can support a maximum of 20,000 clients. You must
format both the system partition and the partition on which you install WSUS with
the NTFS file system.
Question: Does your organization meet the software requirements for WSUS?

Installing WSUS

Key Points
Considerations for installing the WSUS server include:
You can store updates locally or you can have client computers connect to
Microsoft Update to get approved updates.
By default, WSUS offers to install Windows Internal Database, or you can
choose to use an existing database instance.
You can use the default IIS Web site on port 80, or if you already have a Web
site on port 80, you can create an alternate site on port 8530 by selecting the
second option.

Once you install the WSUS server, you can install the WSUS administration
console to manage the WSUS server.
Question: Would you install the WSUS administration console on the same server
as the WSUS server in your organization?
WSUS Group Policy Settings

Key Points
When you configure the Group Policy settings for WSUS, use a GPO linked to an
Active Directory container appropriate for your environment. Microsoft does not
recommend editing the Default Domain or Default Domain Controller GPOs to
add WSUS settings.
In a simple environment, link the GPO with the WSUS settings to the domain.
In a more complex environment, you might have multiple GPOs linked to
several organizational units (OUs), which enables you to have different WSUS
policy settings applied to different types of computers.
To help protect computers against immediate security threats, set up a more
frequent schedule for computers to contact the WSUS server, download, and
install updates.
Question: What is the risk in allowing users of desktop computers to delay restarts
that updates require?
Automatic Updates Configuration

Key Points
You can use Group Policy or the registry to configure Automatic Updates.
Configuring Automatic Updates involves pointing the client computers to the
WSUS server, ensuring that the Automatic Updates software you are using is
current, and configuring any additional environment settings.
The best way to configure Automatic Updates and WSUS environment options
depends on your network environment. In an Active Directory environment, you
use Group Policy. In a non-Active Directory environment, you might use the Local
Group Policy object (GPO) or edit the registry directly.
Question: Which method of client configuration would you use in your
environment?

Demonstration: Configuring WSUS

Key Points
Configure Automatic Update client settings using Group Policy.
Open Group Policy Management.
Create a new GPO in the WoodgroveBank.com domain.
Edit the GPO.
In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
Windows Components, and then click Windows Update.
Enable Configure Automatic Updates.

Question: Would you enable the Delay Restart for scheduled installations policy
in your organization? Why or why not?
Lesson 5
Managing WSUS

This lesson explains how you can manage WSUS by performing administrative
tasks using the WSUS 3.0 administration console, managing computer groups to
target updates to specific computers, and approving the installation of updates for
all the computers in your WSUS network or for different computer groups.
WSUS Administration

Key Points
The WSUS 3.0 administration console has changed from a Web-based console to a
plug-in for MMC version 3.0.
The WSUS 3.0 administration console also enables you to:
Manage WSUS remotely.
Configure post-setup tasks using a wizard.
Generate multiple reports with improved precision.
Maintain server health more easily.
You can also manage updates with command-line tools:
Wuauclt.exe can be used to control some aspects of the Windows Update
Agent.
Wsusutil.exe is the command-line tool for managing WSUS.

Question: Explain why having an MMC console for WSUS makes administration
easier.

Managing Computer Groups

Key Points
Computer groups are an important part of WSUS deployments, even a basic one.
Computer groups enable you to target updates to specific computers. There are
two default computer groups: All Computers and Unassigned Computers. By
default, when each client computer initially contacts the WSUS server, the server
adds that client computer to each of these groups.
You can create custom computer groups. One benefit of creating computer groups
is that they enable you to test updates before deploying updates widely. If testing
goes well, you can roll out the updates to the All Computers group. There is no
limit to the number of custom groups you can create.
Question: Describe a benefit of using computer groups in WSUS for deploying
updates.

Approving Updates

Key Points
After updates have synchronized to your WSUS server, they are scanned
automatically for relevance to the server's client computers. However, you must
approve the updates manually before they are deployed to your network's
computers.
When you approve an update, you are specifying what WSUS does with it (the
options are Install or Decline for a new update). You can approve updates for
the All Computers group or for subgroups.
If you do not approve an update, its approval status remains Not approved,
and your WSUS server allows clients to evaluate whether they need the
update.

You can configure your WSUS server for automatic approval of certain updates.
You can also specify automatic approval of revisions to existing updates as they
become available. This option is selected by default.
Automatic approval rules will not apply to updates requiring an End User
License Agreement (EULA) that has not yet been accepted on the server. If you
find that applying an automatic approval rule does not cause all the relevant
updates to be approved, you should approve these updates manually.

Note: If your WSUS server is running in replica mode, you will not be able to approve
updates on your WSUS server.

Question: Would you choose automatic approval of updates in your organization
when automatic approval is available? Explain your reason.

Demonstration: Managing WSUS

Key Points
Add a computer to the WSUS console.
Approve an update to be applied to the computer.

Question: How do you install an update immediately?

Server Core Security Updates

Key Points
Windows Server 2008 Server Core requires fewer updates than a full server
installation of Windows Server 2008. However, you typically use the command
line to locally administer a Server Core installation.
Windows Update uses applicability rules so that only computers that have
Internet Explorer 7 install Internet Explorer 7 updates; these applicability settings
also apply to Server Core installations.
Question: Do any other management tasks for Server Core differ from the
standard full server implementation?

Lab: Manage Server Security

Exercise 1: Configuring Windows Software Update Services
Scenario
As the Windows Infrastructure Services Technology Specialist, you have been
tasked with configuring and managing server and client security patch compliance
as well as implementing an audit policy to track specific events occurring in AD
DS. You must ensure systems maintain compliance with corporate standards.
In this exercise, you will configure WSUS.
The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Use the Group Policy Management Console to create and link a GPO to the
domain to configure client updates.
3. Use the WSUS administration tool to view WSUS properties.
4. Create a computer group, and add NYC-CL2 to the new group.
5. Approve an update for Windows Vista clients.
6. Install an update on the Windows Vista client.
7. View WSUS reports.

Task 1: Start the virtual machines, and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-CL2, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Use the Group Policy Management Console to create and link
a GPO to the domain to configure client updates
1. On NYC-DC1, open Group Policy Management.
2. Create a new GPO in the WoodGroveBank.com domain named WSUS.
3. Open the Group Policy Management Editor to edit the WSUS GPO.
4. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
Windows Components, and then click Windows Update.
5. Enable Configure Automatic Updates.
6. Enable Specify intranet Microsoft update service location.
Set the intranet update service for detecting updates and the intranet
statistics server to http://NYC-SVR1.
7. Enable Automatic Updates detection frequency.
8. On NYC-CL2, run the GPUpdate /force command from the command
prompt.
9. Restart NYC-CL2 and log on as WoodgroveBank\Administrator after
NYC-CL2 restarts.
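As an added example that is not part of the course material, the following PowerShell script checks a client against the Windows Update policy settings described in the Automatic Updates Configuration topic and configured in Task 2 above. The registry paths and value names are the standard Windows Update policy locations that those Group Policy settings write; http://NYC-SVR1 is the lab's server name and stands in for your own WSUS server.

```powershell
# Added example; not part of the 6419A course material. Run it locally on a
# client after GPUpdate /force. The expected server URL comes from the lab and
# is a placeholder for your own WSUS server.
$ExpectedWsusServer = 'http://NYC-SVR1'

# Registry locations written by the Windows Update Group Policy settings.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist instead of throwing.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-WsusClientPolicy {
    # Returns a list of findings; an empty list means the client matches the lab GPO.
    $findings = @()

    $wuServer     = Get-PolicyValue $PolicyKey 'WUServer'        # Specify intranet Microsoft update service location
    $statusServer = Get-PolicyValue $PolicyKey 'WUStatusServer'  # intranet statistics server from the same setting
    $useWuServer  = Get-PolicyValue $AuKey 'UseWUServer'         # 1 = use the intranet server above
    $noAutoUpdate = Get-PolicyValue $AuKey 'NoAutoUpdate'        # 1 = Automatic Updates disabled
    $auOptions    = Get-PolicyValue $AuKey 'AUOptions'           # 2..5 from Configure Automatic Updates
    $detectHours  = Get-PolicyValue $AuKey 'DetectionFrequency'  # hours between checks (1..22)

    if ($useWuServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client will contact Microsoft Update instead of the intranet WSUS server.'
    }
    if (-not $wuServer) {
        $findings += 'WUServer is not set: no intranet update service location is configured.'
    } elseif ($wuServer.TrimEnd('/') -ne $ExpectedWsusServer) {
        $findings += "WUServer is '$wuServer', expected '$ExpectedWsusServer'."
    }
    if ($statusServer -and $statusServer -ne $wuServer) {
        $findings += 'WUStatusServer differs from WUServer: status reporting goes to a different server than updates.'
    }
    if ($noAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate is 1: Automatic Updates is disabled by policy.'
    }
    if ($null -eq $auOptions) {
        $findings += 'AUOptions is not set: Configure Automatic Updates is not enabled.'
    } elseif ($auOptions -ne 4) {
        $findings += "AUOptions is $auOptions, not 4: updates are not installed automatically on a schedule."
    }
    if ($null -eq $detectHours) {
        $findings += 'DetectionFrequency is not set: the agent uses its default 22-hour check interval.'
    }
    return ,$findings
}

$result = Test-WsusClientPolicy
if ($result.Count -eq 0) {
    Write-Output "Client policy matches the expected WSUS configuration ($ExpectedWsusServer)."
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```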

Task 3: Use the WSUS administration tool to view WSUS properties
1. On NYC-SVR1, open Microsoft Windows Server Update Services 3.0 SP1.
2. In the Update Services window, in the console pane under NYC-SVR1, click
Options.
3. Using the details pane, view the configuration settings available in WSUS.

Task 4: Create a computer group, and add NYC-CL2 to the new group
1. In the list pane, expand Computers, and then select All Computers.
2. In the Actions pane, click Add Computer Group, and name the group
HO Computers.
3. Change membership of the NYC-CL2.woodgrovebank.com computer object
so that it is a part of the HO Computers group.

Task 5: Approve an update for Windows Vista clients
1. In the Update Services windows, in the console pane, expand Updates, and
then click Security Updates.
2. In the details pane, change both the Approval and Status filters to Any, and
then click Refresh. Notice all of the updates available.
3. In the Critical Updates details pane, right-click Security Update for Windows
Vista (KB957095), and then click Approve.
4. Approve the update for all computers.
5. In the Critical Updates details pane, right-click Security Update for Windows
Vista (KB957095), and then click Approve.
6. Set the deadline to yesterday's date.

Note: Entering yesterday's date will cause the update to be installed as soon as the client
computers contact the server. Note that because these VMs use the Microsoft Lab
Launcher environment, their date will not correspond with the actual date. This is by
design. Take note of the VM's configured date and enter a date one day before the VM's
configured date.

Task 6: Install an update on the Windows Vista client
1. On NYC-CL2, at the command prompt, type GPUpdate /force.
2. Once the policy has finished updating, type wuauclt /detectnow.
3. When prompted, restart the computer.
4. Log on as Woodgrovebank\administrator with a password of Pa$$w0rd.
5. Open Windows Update to review recently installed updates.

Task 7: View WSUS reports
On NYC-SVR1, run a Computer Detailed Status report to view updates for
NYC-CL2.

Results: After this exercise, you should have configured WSUS.

Exercise 2: Configure Auditing
Scenario
As the network administrator, you have been tasked with implementing an audit
policy to track specific events occurring in AD DS. First, you will examine the audit
policy's current state. Then you will configure auditing as required to track
successful and unsuccessful modifications made to Active Directory objects,
including the old and new attribute values. Finally, you will test the policy.
In this exercise you will enable auditing.
The main tasks for this exercise are:
1. Examine the current state of the audit policy.
2. Enable Audit Directory Service Access on domain controllers.
3. Set the SACL for the domain.
4. Test the policy.
5. Close all virtual machines and discard undo disks.

Task 1: Examine the current state of the audit policy
On NYC-DC1, type the following at the command prompt: Auditpol.exe /get
/category:* and then press ENTER.

Task 2: Enable Audit Directory Service Access on domain controllers
1. Open Group Policy Management. In the console pane, click
WoodgroveBank.com, expand Group Policy Objects, and then right-click the
Default Domain Controllers Policy, and then click Edit.
2. Expand Computer Configuration, expand Windows Settings, expand
Security Settings, expand Local Policies, and then click Audit Policy.
3. Enable the Audit Directory Service Access policy to audit both Success and
Failure.
4. At the Command Prompt, type Gpupdate.
5. When the update completes, run the Auditpol.exe /get /category:* command
again, and then examine the default audit-policy settings.
Task 3: Set the SACL for the domain
1. Open Active Directory Users and Computers.
2. On the View menu, click Advanced Features.
3. Enable auditing for the WoodgroveBank.com domain object.
Enable auditing for Everyone.
Audit both Successful and Failed for Write all Properties.

Task 4: Test the policy
1. Rename the Toronto OU to GTA.
2. Open Event Viewer, expand Windows Logs, and then click Security.
3. Open event 4662 and examine the event.
4. Return to Active Directory Users and Computers, and edit any user account to
change the phone number.
5. Return to Event Viewer, and examine the resulting directory service changes
events.
6. Close all open windows.
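As an added example that is not part of the lab, the following PowerShell script verifies the result of Tasks 2 through 4 above: it checks the effective Directory Service Access audit setting with Auditpol.exe and then reads the event 4662 entries that the domain SACL generates, so the records can be reviewed without opening Event Viewer. It assumes it runs elevated on the domain controller (NYC-DC1 in the lab) and that the Auditpol output is in English.

```powershell
# Added example; not part of the 6419A lab. Run elevated on the domain controller
# after the audit policy (Task 2) and the domain SACL (Task 3) are in place.

function Get-DsAccessAuditSetting {
    # Reads the effective setting for the Directory Service Access subcategory.
    # Auditpol output is localized; this matches the English strings.
    $lines = auditpol.exe /get /subcategory:"Directory Service Access"
    $row = $lines | Where-Object { $_ -match 'Directory Service Access' }
    if (-not $row) { return 'Unknown' }
    switch -regex ($row) {
        'Success and Failure' { return 'Success and Failure' }
        'Success'             { return 'Success' }
        'Failure'             { return 'Failure' }
        default               { return 'No Auditing' }
    }
}

function Get-DsAccessEvent {
    # Returns recent 4662 (an operation was performed on an object) events with
    # the fields a reviewer needs, parsed from each event's XML payload.
    param([int]$Hours = 24, [int]$MaxEvents = 100)
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # The Audit Failure keyword marks the failed attempts the SACL was set to catch.
            $outcome = 'Success'
            if ($_.KeywordsDisplayNames -contains 'Audit Failure') { $outcome = 'Failure' }
            New-Object PSObject -Property @{
                Time       = $_.TimeCreated
                Outcome    = $outcome
                Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ObjectType = $data['ObjectType']
                ObjectName = $data['ObjectName']
                AccessMask = $data['AccessMask']
            }
        }
}

$setting = Get-DsAccessAuditSetting
Write-Output "Directory Service Access auditing: $setting"
if ($setting -ne 'Success and Failure') {
    Write-Output 'WARNING: Task 2 expects both Success and Failure to be audited.'
}

# Review: which accounts touched directory objects in the last day, and how often.
Get-DsAccessEvent -Hours 24 |
    Group-Object Subject, Outcome |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The OU rename and the phone-number change from Task 4 should each appear as Success entries for the administrator account; a Failure entry indicates a write that the SACL recorded but the caller was not permitted to make.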

Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have configured AD DS Auditing.

Module Review and Takeaways

Review Questions
1. What kind of security challenges might a small to medium-sized business
experience, that may not be as big an issue for a large enterprise?
2. If you decide to put an audit policy in place, how should you configure the
security log properties in Event Viewer?
3. What must an administrator do before any update is sent to clients and servers
via WSUS?
4. What is the reason for setting a deadline for automatic installation to a past
date?
Best Practices
Regardless of the operating system you are using, the basic steps for securing it are
the same. Consider the following best practices for securing an operating system:
Install all operating system service packs and updates.
Verify user account security.
Eliminate unnecessary applications and network services.
Configure system logging to record significant events.
Keep applications and operating systems up to date.

Configuring and Managing Storage Technologies 10-1
Module 10
Configuring and Managing Storage
Technologies
Contents:
Lesson 1: Windows Server 2008 Storage Management Overview 10-3
Lesson 2: Managing Storage Using File Server Resource Manager 10-13
Lab A: Installing the FSRM Role Service 10-20
Lesson 3: Configuring Quota Management 10-22
Lab B: Configuring Storage Quotas 10-29
Lesson 4: Implementing File Screening 10-31
Lab C: Configuring File Screening 10-38
Lesson 5: Managing Storage Reports 10-40
Lab D: Generating Storage Reports 10-45
Lesson 6: Understanding Storage Area Networks 10-47
Module Overview

File storage is important when managing Microsoft Windows Server
environments. Significant challenges exist when attempting to analyze, plan, and
implement storage solutions. The Windows Server 2008 operating system includes
several tools to help you configure and manage storage technologies.
This module will explain common capacity and storage management challenges,
and describe storage technologies that you can configure and manage to address
file-storage problems. This module also describes how to analyze usage trends, and
how to implement solutions to meet user requirements while complying with
company policy and industry and regulatory standards.
Lesson 1
Windows Server 2008 Storage Management
Overview

Windows Server 2008 operating system storage management and File Server
Resources Manager are storage technologies that you can configure and manage to
address common capacity and storage management challenges in the enterprise
environment.
This lesson will describe common capacity and storage management challenges
and will describe how you can use File Server Resources Manager and the
Windows Server 2008 operating system storage management to address these
challenges.
Common Capacity Management Challenges

Key Points
Capacity management is the process of planning, analyzing, sizing, and optimizing
methods to satisfy an organization's increase in data storage demands. As the
data that you need to store and access increases, so does your need for capacity
management. Keeping track of how much storage capacity is available, how
much storage space you need for future expansion, and how you are using the
environment's storage enables you to meet the storage capacity requirements of
your organization.
Capacity management is also an attempt to control corporate storage misuse. Many
users tend to use server storage space to store large personal multimedia files, such
as MP3s or digital photos, as well as other types of data, such as screensavers and
games.
Question: What capacity management challenges do you face in your work
environment?
Common Storage Management Challenges

Key Points
After capacity management, the next challenge is managing the file types that are
stored on servers. Many organizations store 60 to 100 percent of their work data,
including e-mail messages, office documents, and line-of-business application
databases. Some information is critical to the functioning of the business, while
other information is less critical. Critical information often must be maintained in
a state that allows it to always be available. Some data also may have specific
retention requirements due to industry or regulatory standards.
Unapproved files and programs also create storage management issues. Many
users tend to store non-work-related files and programs that can consume storage.
Storage management attempts to control this misuse of corporate space.
Question: What are some of the storage challenges in your organization?

Addressing Capacity and Storage Management Challenges

Key Points
Knowing how the company is currently using storage makes planning for
future storage requirements much more predictable.
Without policies and controls in place, users may often use storage for
noncompliant uses.
Having resource management policies in place allows for more predictability
when planning for future capacity.
Resource management policies may vary within a company. For example,
some departments may require more storage than others, and some
departments may want to store files in specific ways.

The final step after analyzing and defining policies is to implement the policies.
Tools such as File Server Resource Manager (FSRM) perform the tasks necessary
for analyzing storage usage, planning storage policies, and implementing the
policies.
Question: In your work environment, what tools and strategies are currently used
to address capacity and storage management challenges?

Capacity Management Solutions

Key Points
Windows Server 2008 provides a number of tools and technologies to assist in
capacity management tasks. With the addition of other applications such as
Microsoft System Center Operations Manager (SCOM) and the File Server
Migration Toolkit (FSMT), a full range of storage management solutions can be
realized.
The FSMT helps you copy files and folders from servers running Microsoft
Windows 2003 Server, Microsoft Windows 2000 Server or Windows NT Server
4.0 operating systems to a server running Windows Server 2003, Windows Storage
Server 2003, Windows Server 2008 or Microsoft Windows Storage Server 2008.
The primary benefits of FSMT include:
Transparent migration experience for end users.
Maintains security settings for migrated files.
Consolidates shared folders with the same names from different servers.
Supports server clusters as source and target file servers.
Roll-back functionality for failed migrations.

The FSMT can be downloaded from the Microsoft web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d00e3eae-930a-42b0-b595-66f462f5d87b&DisplayLang=en
Question: How do you currently address these capacity management challenges in
your work environment?

Storage Management Solutions

Key Points
Windows Server 2008 also provides a number of tools to assist in storage
management tasks. These tools include:
Fibre Channel Information Tool helps to gather configuration information
on a Fibre Channel SAN for management of Fibre Channel Host Bus Adapters
and discovery of SAN resources.
Virtual Disk Service provides a unified view of all disks and volumes,
regardless of whether they are connected by SCSI, Fibre Channel, iSCSI or PCI
RAID.
Storage Manager for SANs helps you create and manage logical unit numbers
(LUNs) on Fibre Channel and Internet SCSI (iSCSI) disk drive subsystems
that support Virtual Disk Service (VDS) in your storage area network (SAN).
Operations Manager monitors up to thousands of servers, applications, and
clients to provide a comprehensive view of the health of an organization's IT
environment.

Question: How do you currently address these storage management challenges in
your work environment?

What Is File Server Resource Manager?

Key Points
File Server Resource Manager (FSRM) is a complete set of tools that allows
administrators to address the following key file-server management challenges:
Capacity management. Monitors usage patterns and utilization levels.
Policy management. Restricts which files are stored on the server.
Quota management. Limits how much data can be stored on the server.
Reports. Provides storage capacity usage reports to meet regulatory
requirements that allow the administrators, security groups and management
personnel the ability to perform oversight and auditing functions.

Question: Do you currently use FSRM in your work environment?

Lesson 2
Managing Storage Using File Server Resource
Manager

You use FSRM to configure quota management, implement file screening, and
generate storage reports. This lesson provides information about how to manage
storage using FSRM.
FSRM Functions

Key Points
File Server Resource Manager provides several features to carry out storage
management tasks. The following table describes FSRM functions:
Function: Description
Create quotas to limit the space allowed for a volume or folder: Allows you to set the maximum amount of space allotted to a user. It also allows the administrator to be notified if the quota is exceeded.
Automatically generate quotas: Allows you to specify that quotas are generated dynamically when subfolders are created. This allows the storage volume to be managed without having to apply quotas every time a directory structure is modified.
Create file screens: Enables file filtering based on file extensions. Common file categories can be grouped together to create file groups.
Monitor attempts to save unauthorized files: Enables administrators to be notified when users attempt to save an unapproved file type.
Define quota and file screening templates: Allows you to customize and implement a detailed company storage policy.
Generate scheduled or on-demand storage reports: Allows you to create reports on a regular basis for review, or create reports on demand, which allows you to quickly generate a report for immediate consumption.

Question: Describe two scenarios where one or more FSRM features could be used
in your work environment.

Demonstration: Installing the FSRM Role Service

Key Points
Start the NYC-SVR1 virtual machine.
Use Server Manager to add the FSRM role service.
Configure the volume during installation.
Open the FSRM management console.

Question: Will you install the FSRM role service on all servers in your
organization?
Question: How would you access the FSRM console from a workstation?

FSRM Console Components

Key Points
The FSRM console enables you to view all local storage resources from a
single console, and to create and apply policies that control these resources. The
three tools included in the FSRM console are:
Quota Management node
File Screening Management node
Storage Reports Management node

Question: Describe a scenario in which you would use each FSRM console
component.

FSRM Configuration Options

Key Points
When you create quotas and file screens, you have the option of sending e-mail
notifications to users when their quota limit is approaching or after they have
attempted to save files that have been blocked.
The default parameters for storage reports are used for the incident reports that are
generated when a quota or file screening event occurs.
By using File Server Resource Manager, you can record file screening activity in an
auditing database.
Question: In your work environment, are there currently server storage policies in
place? If so, how will you use the FSRM configuration options to enforce these
policies?

Demonstration: Configuring FSRM Options

Key Points
Start the NYC-SVR1 virtual machine.
Configure email notifications in FSRM.
Configure storage report parameters and default report repository locations.

Question: In your work environment, how do you plan to integrate email
notifications for quota violations?
Question: In your work environment, what notification threshold provides enough
advance warning to users that they are approaching a quota threshold?

Lab A: Installing the FSRM Role Service

Scenario
As the Windows Infrastructure Services (WIS) Technology Specialist, you have
been tasked with configuring storage on a server to comply with corporate
standards. You must create the storage with minimal long-term management by
utilizing file screening and quota management.
Exercise 1: Installing the FSRM Role Service
Scenario
In this exercise, you will install the FSRM role service.
The main tasks for this exercise are as follows:
1. Start the NYC-DC1 and NYC-SVR1 virtual machines.
2. Install the FSRM server role on NYC-SVR1.
Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Install the FSRM server role on NYC-SVR1
1. Using Server Manager, install the File Server Resource Manager role service.
The role service is located under the File Services role.
2. Set Storage Usage Monitoring to Allfiles (E:).

Results: After this exercise, you should have successfully installed the FSRM role
service on NYC-SVR1.

Lesson 3
Configuring Quota Management

You use Quota management to create quotas that limit the space allowed for a
volume or folder, and to generate notifications when quota limits are approached
or exceeded. FSRM provides quota templates that you can apply easily to new
volumes or folders and that you can use across an organization. You also can auto-
apply quota templates to all existing folders in a volume or folder, as well as to any
new subfolders created in the future.
What Is Quota Management?

Key Points
A hard quota prevents users from saving files after the space limit is reached,
and it generates notifications when the data volume reaches the configured
threshold.
A soft quota does not enforce the quota limit, but it generates configured
notifications.
The quota limit applies to the entire folder subtree.

Question: In your work environment, which notification method do you plan to
use?

FSRM Quotas vs. NTFS Disk Quotas

Key Points
The Microsoft Windows 2000 Server operating system, Windows Server 2003
operating system, and Windows Server 2008 operating systems support NTFS disk
quotas, which you can use to track and control disk usage on a per-user/per-
volume basis.
The above table outlines the advantages of using the FSRM quota management
tools compared to NTFS disk quotas.

Question: Are there any instances when you would use NTFS disk quotas instead
of FSRM quotas?

What Are Quota Templates?

Key Points
Quota templates simplify the tasks associated with quota management. If you
base your quotas on a quota template and you later decide to change the quota
configuration, you can simply update the quota template and then choose to
update all quotas that are based on this template. For example, you might choose
to allow each user additional space on the storage server. By updating the quota
template, all quotas based on this template are updated for you automatically.
Question: Based on your work environment specifics, what quota templates do
you plan to create?

Creating and Modifying a Quota

Key Points
You can use the FSRM Quota Management node to create and modify quotas. By
creating a quota for a volume or folder, you limit the disk space that is allocated for
that volume or folder. The FSRM Quota Management node includes all the
necessary options to work with quotas.
Question: In what scenario would you use the command line Dirquota tool?

Monitoring Quota Usage

Key Points
After configuring and applying quotas to your file shares or volumes, you should
understand how to monitor disk usage to meet your organization's ongoing
storage requirements effectively.

Note: Quotas reduce the input/output (I/O) per-second performance of the storage
subsystem by a small amount (10 percent or less). Servers that apply quotas to more than
10,000 folders might experience a larger performance overhead.
Question: In your work environment, which quota usage monitoring method will
be most helpful?

Demonstration: How to Create and Manage Quotas

Key Points
Start the NYC-SVR1 virtual machine.
Create a quota template to restrict large files on E:.
Use the quota template to create a new quota.
Configure the quota to log an event when it is exceeded.

Question: What quota notifications do you plan to implement in your work
environment?
Question: What quota templates do you plan to implement in your environment?
Lab B: Configuring Storage Quotas

Exercise 1: Configuring Storage Quotas
Scenario
You must configure a quota template that allows users a maximum of 100 MB of
data in their user folders. When users exceed 85 percent of the quota, or when
they attempt to add files larger than 100 MB, an event should be logged to the
Event Viewer on the server.
The main tasks for this exercise are as follows:
1. Create a quota template.
2. Configure a quota based on the quota template.
3. Test that the quota is working by generating several large files.
Task 1: Create a quota template
In the File Server Resource Manager console, use the Quota Templates node
to configure a template that sets a hard limit of 100 MB on the maximum
folder size. Make sure this template also notifies the Event Viewer when the
folder reaches 85 percent and 100 percent capacity.

Task 2: Configure a quota based on the quota template
1. Use the File Server Resource Manager console and the Quotas node to create a
quota in the E:\Mod10\Labfiles\Users folder by using the quota template
that you created in Task 1.
2. Create an additional folder named User4 in the E:\Mod10\Labfiles\Users
folder, and ensure that the new folder is listed in the quotas list.

Task 3: Test that the quota is working by generating several large files
1. Open a command prompt and use the fsutil file createnew file1.txt
89400000 command to create a file in the E:\Mod10\Labfiles\Users\User1
folder. This file is just over 85 percent of the 100 MB limit.
2. Check the Event Viewer for an Event ID of 12325.
3. Test that the quota works by using the same command to attempt to create a
second file of 16,400,000 bytes in the same folder. The two files together
exceed 100 MB, so the hard quota rejects the second file.
4. Enable NTFS folder compression for the E:\Mod10\Labfiles\Users folder.
Check to see what effect this has in the Quota console. Try again to create a file
that is 16,400,000 bytes.

Results: After this exercise, you should have seen the effect of a quota template that
imposes a 100 MB limit on user storage on the E:\Mod10\Labfiles\Users folder.
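The following PowerShell session is an added example and not part of the course lab: it carries out the three tasks of Lab B with the Dirquota.exe and Fsutil tools listed under Tools at the end of this module instead of the console, and then shows, for contrast with the "FSRM Quotas vs. NTFS Disk Quotas" topic, the NTFS per-user equivalent. The template name WIS-Users-100MB, the account WOODGROVEBANK\User1 and the second file's name are assumptions; the paths and file sizes are those of the lab. The 85 percent and 100 percent event-log notifications are added to the template in the console as in Task 1 (Dirquota can add them with /Add-Threshold and /Add-Notification, which takes a notification settings file that is not shown here), so the event check at the end assumes they are present.

```powershell
# Added example (not course code): Lab B with Dirquota.exe, then an NTFS disk quota with Fsutil.
# Run in an elevated PowerShell prompt on NYC-SVR1 after the FSRM role service is installed.
# Assumed names: template WIS-Users-100MB, account WOODGROVEBANK\User1. Paths are from Lab B.
$users = 'E:\Mod10\Labfiles\Users'
$user1 = Join-Path $users 'User1'

# Task 1: a hard 100 MB quota template. /Type:Hard rejects writes once the limit is reached;
# /Type:Soft only notifies. The 85 and 100 percent event-log notifications are added to this
# template in the FSRM console as in the lab (Dirquota can add them with /Add-Threshold and
# /Add-Notification, which takes a notification settings file that is not shown here).
dirquota template add /Template:WIS-Users-100MB /Limit:100MB /Type:Hard

# Task 2: auto-apply the template so every existing subfolder of Users, and every subfolder
# created later, gets its own 100 MB quota (the "auto apply" option from Lesson 3).
dirquota autoquota add "/Path:$users" /SourceTemplate:WIS-Users-100MB
New-Item -ItemType Directory -Path (Join-Path $users 'User4') | Out-Null
dirquota quota list                         # User1 through User4 each show a 100 MB limit

# Task 3: fill User1 to just over 85 percent (89,400,000 bytes), then try to add 16,400,000
# bytes more. The second file would take the folder past 100 MB (104,857,600 bytes), so the
# hard quota rejects it with a disk-full error.
fsutil file createnew "$user1\file1.txt" 89400000
fsutil file createnew "$user1\file2.txt" 16400000   # expected to fail
dirquota quota list "/Path:$user1"                  # Used is now above the 85 percent threshold

# FSRM writes quota events to the Application log with source SRMSVC; 12325 is the threshold
# event Lab B looks for, and it is logged only when the event-log notification exists.
Get-EventLog -LogName Application -Newest 200 |
    Where-Object { $_.Source -eq 'SRMSVC' -and $_.EventID -eq 12325 } |
    Select-Object TimeGenerated, EventID, Message

# Contrast with NTFS disk quotas: these are per user, per volume, charge the owner's logical
# file size wherever the file sits on E:, and cannot be scoped to a folder. FSRM quotas charge
# the folder tree by allocated disk space no matter who wrote the file. Threshold and limit
# are given in bytes (85 percent and 100 percent of 100 MB).
fsutil quota enforce E:
fsutil quota modify E: 89128960 104857600 WOODGROVEBANK\User1
fsutil quota query E:
```

Because FSRM measures allocated space per folder and NTFS quotas charge logical size per owner per volume, the two limits are independent: a user who hits the FSRM folder limit can still write elsewhere on E: until the NTFS limit is reached, and a user who owns files in several folders is charged for all of them by NTFS but only per folder by FSRM. The NTFS lines at the end are optional and can be omitted if the lab volume should keep FSRM quotas only.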

Lesson 4
Implementing File Screening

Your security policy might prohibit specific file types from being placed on
company servers, and you might want to be notified if a specific file type is saved
on a file server. This lesson explains the concepts related to file screening that you
can use to manage the types of files that users can save on corporate file servers.
What Is File Screening?

Key Points
Many organizations face issues with network users storing unauthorized or
personal data on corporate file servers. Not only does this misuse valuable storage
space, but it also increases the backup process duration, and might violate privacy
or security policies within the company.
You also can implement a screening process to notify you by e-mail when an
unauthorized file type has been stored on a shared folder. The e-mail message can
include information such as the name of the user who stored the file and its exact
location so that you can take appropriate precautionary steps.
Question: In your work environment, are there any server usage policies that file
screening could be used to enforce?

What Are File Groups?

Key Points
Before you begin working with file screens, you must understand the role file
groups play in the file screening process. A file group defines the set of files that
a file screen, file screen exception, or storage report applies to.
A file group consists of file name patterns divided into two lists, Files to include
and Files to exclude:
Files to include. Patterns (such as *.exe) that place a file in the group.
Files to exclude. Patterns that remove a file from the group even if it matches an
include pattern.
Because a file group matches on the file name only, file screening never inspects file
contents: a user can bypass a screen by renaming a file, so treat file screens as a
storage-policy and hygiene control rather than a security boundary.

Question: In your work environment, list two or three file groups you plan to
create.

What Is a File Screen Exception?

Key Points
Occasionally, you will need to allow exceptions to file screening. For example,
you might want to block video files from a file server, but you need to allow your
training group to save the video files for their computer-based training. To allow
files that other file screens are blocking, create a file screen exception.
A file screen exception is a configuration that overrides any file screening that
would otherwise apply to a folder and all its subfolders, in a designated exception
path. In other words, the file screen exception creates an exception to any rules
derived from a parent folder.
Question: Describe two ways you plan to use file screen exceptions in your work
environment.

What Is a File Screen Template?

Key Points
To simplify file screen management, base your file screens on file screen templates.
A file screen template defines the following:
File groups to block.
Screening types to perform.
Notifications to be generated.

You can configure two screening types in a file screen template. Active screening
rejects any attempt to save a file that belongs to the file groups selected in the
template. Passive screening allows the save to complete but generates the configured
notifications, which makes it suitable for monitoring before you enforce a policy.
By creating file screens exclusively from templates, you can manage your file
screens centrally by updating the templates instead of the individual file screens.
Question: What file types do you plan to create file screen templates for in your
work environment?

Demonstration: Implementing File Screening

Key Points
Start the NYC-SVR1 virtual machine.
Create a new file screen in the E:\ drive based upon the Block Audio and
Video Files default template.
Create a new custom file group and create a file screen exception to allow
Microsoft Windows Media Player audio (WMA) files.

Question: How do you plan to implement file screens in your work environment?
Question: How do you plan to implement file screen exceptions in your work
environment?

Lab C: Configuring File Screening

Exercise 1: Configuring File Screening
Scenario
You must configure file screening to monitor executable files.
The main tasks for this exercise are as follows:
1. Create a file screen.
2. Test the file screen.
Task 1: Create a file screen
On NYC-SVR1, in the File Server Resource Manager console, use the File
Screens node to create a file screen that monitors executable files in the
E:\Mod10\Labfiles\Users folder. When an executable is dropped into the
folder, the file screen will log an 8215 event in the Event Viewer.

Task 2: Test the file screen
1. Copy and paste E:\Mod10\Labfiles\example.bat to
E:\Mod10\Labfiles\Users\user1.
2. Open the Event Viewer and check the application log for Event ID 8215.

Results: After this exercise, you should have successfully implemented a file screen
that logs attempts to save executable files in E:\Mod10\Labfiles\Users.
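As an added example (not the course's own lab steps), the following PowerShell session performs Lab C with FileScrn.exe and adds the file screen exception described in "What Is a File Screen Exception?". The file group name WIS-Scripts and the exception folder E:\Mod10\Labfiles\Users\Deploy are assumptions; the other paths are the lab's. The event-log notification that writes event 8215 is configured on the screen in the console as in Task 1 (FileScrn can add it with /Add-Notification and a settings file, not shown here).

```powershell
# Added example (not course code): Lab C with FileScrn.exe, plus a file screen exception.
# Assumed names: file group WIS-Scripts and exception folder Users\Deploy. Other paths are Lab C's.
$users  = 'E:\Mod10\Labfiles\Users'
$deploy = Join-Path $users 'Deploy'

# A file group is a list of file name patterns, so it matches on the name only: a script
# renamed to .txt is not caught. FSRM ships an "Executable Files" group; a custom group keeps
# the list explicit. '|' separates members and is quoted so PowerShell does not treat it as
# a pipeline.
filescrn filegroup add /Filegroup:WIS-Scripts '/Members:*.exe|*.bat|*.cmd|*.ps1|*.vbs|*.js'

# Task 1: a passive screen on Users. Passive screening notifies but lets the save complete,
# which is what "monitor" means here; /Type:Active would reject the write instead. The
# event-log notification that writes event 8215 is configured on this screen in the console
# as in the lab (FileScrn can add it with /Add-Notification and a settings file, not shown).
filescrn screen add "/Path:$users" /Add-Filegroup:WIS-Scripts /Type:Passive

# Exception: a subfolder where these files are legitimately stored. The exception overrides
# every screen inherited from parent folders, for that subtree only.
New-Item -ItemType Directory -Path $deploy | Out-Null
filescrn exception add "/Path:$deploy" /Add-Filegroup:WIS-Scripts

filescrn screen list "/Path:$users"
filescrn exception list "/Path:$deploy"

# Task 2: drop an executable into User1, then look for event 8215 from the SRMSVC source.
Copy-Item 'E:\Mod10\Labfiles\example.bat' (Join-Path $users 'User1\example.bat')
Get-EventLog -LogName Application -Newest 100 |
    Where-Object { $_.Source -eq 'SRMSVC' -and $_.EventID -eq 8215 } |
    Select-Object TimeGenerated, EventID, Message

# The same copy into the exception folder is allowed and produces no event.
Copy-Item 'E:\Mod10\Labfiles\example.bat' (Join-Path $deploy 'example.bat')
```

A passive screen is the right first step for a new policy: the File Screening Audit report from Lesson 5 shows who is saving what before you switch the screen to active, and the exception folder shows that exceptions apply to the whole subtree, not to individual files.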

Lesson 5
Managing Storage Reports

To better carry out capacity planning, you must be able to configure and generate
extensive reports based on current storage utilization. This lesson will describe
how to configure, schedule, and generate storage reports using FSRM.
What Are Storage Reports?

Key Points
Storage reports provide information about file usage on a file server. The FSRM
Storage Reports Management feature allows you to generate storage reports on
demand and schedule periodic storage reports that help identify trends in disk
usage. You also can create reports to monitor attempts to save unauthorized files
by all users or a selected group of users.
The following table describes the storage report types in FSRM:
Large Files: Lists files that are larger than a specified size. Use this report to identify files that are consuming excessive server disk space.
Files by Owner: Lists files that are grouped by owner. Use this report to analyze server usage patterns and to identify users who use large amounts of disk space.

Files by File Group: Lists files that belong to specified file groups. Use this report to identify file-group usage patterns and to identify file groups that occupy large amounts of disk space. This can help you determine which file screens to configure on the server.
Duplicate Files: Lists duplicate files (files with the same name, size, and last-modified date; contents are not compared). Use this report to identify and reclaim disk space that is lost due to duplicate files.
Least Recently Used Files: Lists files that have not been accessed for a specified number of days. This report can help you identify seldom-used data that could be archived and removed from the server.
Most Recently Used Files: Lists files that have been accessed within a specified number of days. Use this report to identify frequently used data that should be highly available.
Quota Usage: Lists quotas for which the quota usage is higher than a specified percentage. Use this report to identify quotas with high usage levels so that appropriate action can be taken. This report includes only quotas that were created for volumes and folders in FSRM. It does not include NTFS disk quotas applied to volumes.
File Screening Audit: Lists file screening violations that have occurred on the server for a specified number of days. Use this report to identify individuals or applications that violate the file screening policy.

Question: In your work environment, how do you currently obtain information
about file usage on servers?

What Is a Report Task?

Key Points
The Scheduled Report Tasks node results pane includes the report task. Tasks are
identified by the reports to be generated, the namespace on which the report will
be created, and the report schedule. You also can view the current report status
(whether the report is running), the last run time and the result of that run, and
the next scheduled run time.
Question: In your work environment, how frequently will you schedule reports
using report tasks?

Generating On-Demand Reports

Key Points
During daily operations, you may want to generate reports on demand to analyze
aspects of current server disk usage. Use the Generate reports now action to
generate one or more reports. Current data is gathered before the reports are
generated.
Question: Under what circumstances do you plan to use on-demand reports?

Lab D: Generating Storage Reports

Exercise 1: Generating Storage Reports
Scenario
You must generate an on-demand storage report.
The main tasks for this exercise are as follows:
1. Generate an on-demand storage report.
2. Close all virtual machines, and discard undo disks.
Task 1: Generate an on-demand storage report
1. In the File Server Resource Manager console, run the Generate reports now
option in the Reports node.
2. Store the report in the E:\Mod10\Labfiles\Users folder.
3. Generate a File Screening Audit and a Quota Usage report.
4. Review the contents of the report.

Task 2: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Results: After this exercise, you should have successfully generated an on-demand
storage report.
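The following PowerShell session is an added example, not part of the course lab: it defines the report task with StorRept.exe, schedules it with Schtasks.exe as the Tools table at the end of this module describes, and then runs the same task on demand. The task name WIS-Users-Weekly and the weekly schedule are assumptions; the scope and the two report types are those used in Lab D.

```powershell
# Added example (not course code): a report task with StorRept.exe, scheduled with Schtasks.exe
# as the Tools table describes, then run on demand. Assumed: task name WIS-Users-Weekly and the
# weekly 02:00 Sunday schedule; the scope and report types are Lab D's.
$users = 'E:\Mod10\Labfiles\Users'

# Quota Usage lists FSRM quotas above a usage percentage; File Screening Audit lists screen
# violations. '|' separates report types and is quoted so PowerShell does not see a pipeline.
storrept reports add /Task:WIS-Users-Weekly "/Scope:$users" '/Report:QuotaUsage|FileScreenAudit' /Format:DHTML
storrept reports list

# StorRept only defines the task; Schtasks gives it a schedule. Running as SYSTEM lets it read
# every folder in scope without storing an administrator password in the task.
schtasks /Create /TN WIS-Users-Weekly /TR 'storrept reports generate /Task:WIS-Users-Weekly' /SC WEEKLY /D SUN /ST 02:00 /RU SYSTEM

# On demand: run the task now and wait for it. Reports are written under the report
# locations set in FSRM Options (C:\StorageReports by default).
storrept reports generate /Task:WIS-Users-Weekly /Wait
```

Keep the report location on a volume that ordinary users cannot read: the Files by Owner and File Screening Audit reports name individual users and the files they saved, which is exactly the kind of data a storage policy should not expose to everyone on the file server.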

Lesson 6
Understanding Storage Area Networks

With the rapid growth of the Internet and increased reliance on e-commerce, the
adoption of SANs has become more common due to the proliferation of data. This
lesson provides an overview of the concepts and terminology related to storage
area networks.
What Is a Storage Area Network?

Key Points
Storage Area Network
Many administrators confuse the terms Network Attached Storage (NAS) and
storage area network (SAN).
A SAN is a high-performance network, usually separate from the local area
network (LAN) of an organization, dedicated to delivering block
(unformatted) data between servers and storage.
A NAS device is typically a number of disks that are housed in an appliance
dedicated to sharing and storing files directly on the LAN, similar to accessing
files via a standard network share.

Question: In what way or ways do you currently use SAN storage in your work
environment?
How Is a SAN Different from Direct Attached Storage?

Key Points
Both Direct-Attached Storage and SANs use the SCSI protocol to move data in
blocks rather than files. From the vantage point of most operating systems, DAS
and SAN storage are indistinguishable, despite the differences in their network
topologies.

Note: NAS devices differ from SANs by serving files via network shares rather than
simulating local disks attached to servers.
Question: How does SAN storage simplify backups?

What Is a Fibre Channel SAN?

Key Points
Fibre Channel (FC) is based on serial SCSI technologies and overcomes the
parallel SCSI limitations to enable essentially unlimited device connectivity over
long distances.
FC interconnects deliver high-performance block I/O to storage devices within
a SAN.
Unlike parallel SCSI devices, which must arbitrate (contend) for the bus, Fibre
Channel devices connected through a switch can transmit information between
multiple servers and multiple storage devices at the same time.

Question: Is Fibre Channel storage in use in your work environment?

Example of a Basic Fibre Channel SAN Configuration

Key Points
In a Fibre Channel SAN, each server contains an HBA that connects by means of
a Fibre Channel switch to a disk controller on the storage array. HBAs, although
they reside on the server, are also part of the storage network. They serve first to
provide the interface between the server and the attached Fibre Channel network
and second to provide I/O processing, offloading most of the server processing
required for transferring data. The resulting performance is very high and very
scalable.
Question: Does the SAN configuration depicted above provide fault-tolerance?

Discussion: Designing Redundancy in a Fibre Channel SAN

Key Points
Your organization has implemented a basic SAN scenario; however, you are
concerned about availability of the SAN components. Based on the diagram
presented, describe what is required to ensure availability and redundancy of the
SAN environment.
Question: Which components should be redundant to obtain high availability?
Question: How would you configure the connections between an HBA and a FC
switch to ensure availability?
Question: How would you ensure that the path between the switch and the disk
array is highly available?

Discussion: Designing Redundancy in a Fibre Channel SAN
Possible Solution

Key Points
Consider all points of failure when designing redundancy in the SAN.
Redundant HBAs, FC switches, and disk array controllers will increase the
level of redundancy in the SAN.
What Is iSCSI?

Key Points
Internet SCSI (iSCSI) is an industry standard that enables transmission of SCSI
block commands over an existing IP network by using the TCP/IP protocol. iSCSI
offers organizations the possibility of delivering both messaging traffic and
block-based storage over existing IP networks, without installing a separate Fibre
Channel network. Because the storage traffic then shares a routable network, treat the
iSCSI path as a security boundary: isolate it on a dedicated subnet or VLAN, and require
CHAP authentication (and IPsec where the network is not trusted) so that only authorized
initiators can log on to a target.
Question: In your work environment, is iSCSI implemented? If so, how has it been
implemented?

What Is the Microsoft iSCSI Software Initiator?

Key Points
The Microsoft iSCSI Software Initiator service is installed on a host server and
enables the server to connect to iSCSI target volumes on a storage array. The
Software Initiator service enables streamlined storage management for all aspects
of the iSCSI service.
Question: Describe at least one scenario where you would implement the
Microsoft iSCSI software initiator.

Example of a Basic iSCSI SAN Configuration

Key Points
An iSCSI-based SAN solution consists of two components:
iSCSI Software Initiator
iSCSI target

Question: In the scenario depicted above, can either of the client
computers access the iSCSI storage?
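As an added example (not from the course), the following PowerShell session connects a server to an iSCSI target with Iscsicli.exe, the command-line interface of the Microsoft iSCSI Software Initiator discussed in the previous topic, using one-way CHAP so that only an initiator that knows the secret can attach the LUN. The portal address 10.10.0.50, the target IQN, the CHAP name wis-init and the secret are assumptions.

```powershell
# Added example (not course code): attach an iSCSI LUN with Iscsicli.exe, the command-line
# interface of the Microsoft iSCSI Software Initiator, using one-way CHAP. Assumed values:
# portal 10.10.0.50, the target IQN below, CHAP name wis-init; the secret is prompted for.
$portal = '10.10.0.50'
$target = 'iqn.2008-01.com.woodgrovebank:storage.lun1'
$secret = Read-Host 'CHAP secret (12 to 16 characters)'   # not stored in the script

# 1. Register the portal; the initiator then discovers the targets it exposes.
iscsicli QAddTargetPortal $portal
iscsicli ListTargets

# 2. Log on with CHAP. Without it, any host on the storage network that can reach the
#    portal could attach the LUN; with it, the target rejects initiators that do not know
#    the secret. QLoginTarget creates a session for this boot only.
iscsicli QLoginTarget $target wis-init $secret

# 3. Verify the session. The LUN then appears to Windows as a local block device, exactly
#    like direct-attached storage (Lesson 6), and can be brought online in Disk Management.
iscsicli SessionList
Get-WmiObject Win32_DiskDrive | Select-Object Index, Model, InterfaceType, Size
```

QLoginTarget passes the secret on the command line, where it is visible to other local administrators in the process list while the command runs; for production use configure the target in the iSCSI Initiator control panel or with PersistentLoginTarget so the session is restored at startup, and enable mutual CHAP (iscsicli CHAPSecret sets the initiator's secret) so the server also authenticates the target before trusting its disks.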

What Is Storage Manager for SANs?

Key Points
Storage Manager for SANs is a server feature that is provided in Windows
Server 2008. Storage Manager for SANs can be used to assist in storage resource
provisioning and disk configuration tasks with the implementation of a SAN
solution. SAN provisioning has traditionally been viewed as the most complex of
storage tasks and typically includes proprietary tools and commands. Storage
Manager for SANs helps to simplify provisioning tasks and is designed to look and
behave like standard Windows-based applications that administrators are already
familiar with.
Storage Manager for SANs provides the following benefits and functionality:
Leverages the Virtual Disk Service to manage storage, with the addition of
vendor-provided VDS hardware providers.
Discovers storage arrays on a Fibre Channel or an Internet Small Computer
System Interface (iSCSI) SAN, including storage array properties such as
firmware information.
Provides the ability to create, delete, and expand storage array logical unit
numbers (LUNs).
Provides the ability to specify LUN options such as redundant array of
independent disk (RAID) levels.
Allows for the allocation of LUNs to specific servers on the SAN.
Monitors LUN status and health.

Question: What approach does your organization currently use to manage SAN
storage that is connected to Windows Servers?

Troubleshooting SAN Storage

Key Points
When you encounter issues with SAN storage, begin troubleshooting by gathering
information about the nature of the issue, hardware involved, and software
configuration.
After you have gathered enough information, you can analyze the information,
recommend changes, implement one or more changes, monitor the result, and
document the process for future reference.
Question: Have you faced any SAN troubleshooting scenarios in your work
environment? If so, how did you approach them?

Module Review and Takeaways

Review Questions
1. What is the difference between a hard and soft quota?
2. When a common set of file types need to be blocked, what should you create
to block them in the most efficient manner?
3. If you want to apply a quota to all subfolders in a folder, including folders that
will be created in the future, what option must you configure in the quota
policy?
Tools
The following table describes the tools that you can use to configure FSRM:
Dirquota.exe: Use to create and manage quotas and quota templates.
FileScrn.exe: Use to create and manage file screens, file-screening exceptions, and file groups.
StorRept.exe: Use to configure report parameters and generate storage reports on demand. You also can create report tasks and then use Schtasks.exe to schedule them.
Fsutil: Use to configure NTFS quotas and create files to test quota behavior.

Configuring and Managing Distributed File System 11-1
Module 11
Configuring and Managing Distributed File
System
Contents:
Lesson 1: Distributed File System (DFS) Overview 11-3
Lesson 2: Configuring DFS Namespaces 11-13
Lab A: Installing the Distributed File System Role Service and
Creating a DFS Namespace 11-22
Lesson 3: Configuring DFS Replication 11-26
Lab B: Configuring Folder Targets and Viewing Diagnostic Reports 11-42
Module Overview

Many of today's enterprises are challenged with maintaining large numbers of
servers and users who often are distributed geographically throughout widespread
locations. In these situations, administrators must find ways that users can locate
the most recent files as quickly as possible. Managing multiple data sites often
introduces additional challenges, such as limiting network traffic over slow wide
area network (WAN) connections, ensuring the availability of files during WAN or
server failures, and backing up file servers that are located at smaller remote
offices.
This module introduces the Distributed File System (DFS) solution that you can
use to address these challenges by providing fault-tolerant access and WAN-
friendly replication of files located throughout an enterprise.
Lesson 1
Distributed File System (DFS) Overview

Administrators who manage file servers throughout an enterprise require efficient
access to resources and availability to files. DFS in the Microsoft Windows Server
2008 operating system provides two technologies to address these challenges: DFS
Replication and DFS Namespaces. This lesson introduces the two technologies,
and provides scenarios and requirements for deploying a DFS solution within your
network environment.
What Is the Distributed File System?

Key Points
DFS Namespaces allows administrators to group shared folders located on
different servers into one or more logically structured namespaces.
DFS Replication (DFS-R) is a multi-master replication engine used to synchronize
files between servers for both local and WAN network connections.
Remote Differential Compression (RDC) identifies and synchronizes the data
changes on a remote source, and uses compression techniques to minimize the
data that is sent across the network.

Question: Do you have experience working with DFS or the DFS predecessor, File
Replication service (FRS)?

How DFS Namespaces and DFS Replication Work

Key Points
Even though DFS Namespaces and DFS Replication are separate technologies, they
can be used together to provide high availability and data redundancy.
The following process describes how DFS Namespaces and DFS Replication work
together:
1. The user accesses a folder in the configured namespace.
2. The client computer accesses the first server in the referral. This is typically
a server in the client's own site; if no server is located within the client's site,
the administrator can configure the target priority to control which server is used.

Question: In your organization, do you currently synchronize your shared folders?
If so, how do you keep them synchronized?

DFS Scenarios

Key Points
Large organizations that have many branch offices often have to share files or
collaborate between these locations. DFS-R can help replicate files between branch
offices or from a branch office to a hub site.
DFS technologies can collect files from a remote office and replicate them to a
hub site, thus allowing the files to be used for a number of specific purposes.
You can use DFS Namespaces and DFS-R to publish and replicate documents,
software, and other line-of-business data throughout your organization.

Question: In what ways can you use DFS technologies within your organization?

Types of DFS Namespaces

Key Points
You can create either a domain-based or stand-alone namespace. Each type has
different characteristics.
A domain-based namespace can be used when:
Namespace high availability is required.
You need to hide the name of the namespace servers from users.
A stand-alone namespace is used when:
Your organization has not implemented Active Directory Domain Services.
Your organization does not meet the requirements for a Windows Server 2008
mode, domain-based namespace, and you have requirements for more than
5,000 DFS folders. Stand-alone DFS namespaces support up to 50,000 folders
with targets.

Question: In your organization, would you implement a domain-based namespace
or a stand-alone namespace?

What Are Folders and Folder Targets?

Key Points
You create one or more folders within a DFS namespace. These folders contain one
or more folder targets. If one of the folder targets is not available, the client will
attempt to access the next folder target in the referral. This increases the data
availability in the folder.
Question: Describe a scenario of how you would use folder targets in your
organization.

Namespace Server Requirements

Key Points
A namespace server is a domain controller or member server that hosts a DFS
Namespace. The operating system running on the server determines the number of
namespaces that a server can host.
The following table lists the guidelines you should use for namespace server
requirements:
Server hosting stand-alone namespaces | Server hosting domain-based namespaces
-----------------------------------------------------------------------------------
Must contain an NTFS file system volume to host the namespace | Must contain an NTFS volume to host the namespace
Can be a member server or a domain controller | Must be a member server or domain controller in the domain in which the namespace is configured
Can be a clustered file server | Namespace cannot be a clustered resource in a server cluster
Question: How can you ensure the availability of domain-based roots with domain-
based DFS namespaces?

Demonstration: Installing DFS

Key Points
Install the DFS role services on both NYC-DC1 and NYC-DC2.
Add File Services role in the Server Manager.
Add Distributed File System Role Service.

Question: You need to deploy DFS technology within your environment. Is DFS
considered a role service or a feature?
Question: Is it possible to install DFS Replication without installing DFS
Namespaces?

Lesson 2
Configuring DFS Namespaces

Configuring DFS Namespaces consists of several tasks that include creating
the namespace structure, creating folders within the namespace, and adding
folder targets. You also may choose to perform additional management tasks,
such as configuring the referral order and DFS replication. This lesson provides
information on how to complete these configuration and management tasks to
deploy an effective DFS solution.
Deploying Namespaces for Publishing Content

Key Points
Most DFS implementations primarily consist of content published within the DFS
namespace.
Use the New Namespace Wizard to create the namespace from within the DFS
Management console.
After the namespace is created, you then can add a folder in the namespace.
You can add multiple folder targets to increase the folder's availability in the
namespace.
A referral is an ordered list of targets that a client computer receives from the
namespace server when a user accesses a namespace root or folder.

Question: Describe a scenario when having a client continue to access the failover
server would present problems.
Security Requirements for Creating and Managing a
Namespace

Key Points
To perform namespace management tasks, a user either has to be a member of an
administrative group or has to be delegated specific permission to perform the
task. You can right-click the namespace and then click Delegate Management
Permissions to delegate the required permissions.

Note: You also must add the user to the Local Administrators group on the namespace
server.
Question: How would you delegate namespace tasks in your organization?

Demonstration: How to Create Namespaces

Key Points
Create a domain-based namespace.
Create the ProjectDocs namespace.
Create the AccountingSpreadsheets folder target.

Question: You want to enable advanced scalability and access-based enumeration.
Which option provides these features?

Increasing Availability of a Namespace

Key Points
For clients to connect to a DFS namespace, they must be able to connect to a
namespace server. This means that it is important to ensure the namespace servers
are always available. The process for increasing namespace availability varies for
domain-based and stand-alone namespaces. Domain-based namespaces can be
hosted on multiple servers. Stand-alone namespaces are limited to a single server.
Domain-based namespaces. You can increase the availability of a domain-based
namespace by specifying additional namespace servers to host it.
Stand-alone namespaces. You can increase the availability of a stand-alone
namespace by creating it as a shared resource in a server cluster.
Folder targets. You can increase the availability of each folder in a namespace
by adding multiple folder targets.

Question: Describe how you could use these methods to increase availability in
your organization.

Options for Optimizing a Namespace

Key Points
Renaming a folder allows you to reorganize the hierarchy of folders to best suit
your organization's users.
By disabling a folder target's referral, you prevent client computers from accessing
that folder target in the namespace. This is useful when you are moving data
between servers.
Clients do not contact a namespace server for a referral each time they access a
folder in a namespace. By default, namespace root referrals are cached for 300
seconds (five minutes), and folder referrals are cached for 1,800 seconds (30
minutes).
To maintain a consistent domain-based namespace across namespace servers,
namespace servers must poll Active Directory periodically to obtain the most
current namespace data.
Question: Describe a scenario in which you would want to disable a folder target's
referral.

Demonstration: Configuring Folder Targets

Key Points
Configure a second folder target.
Examine namespace optimization settings.

Question: Which types of paths can you use when creating a new folder target?
Question: What kind of permissions do you need to add folder targets?

Lab A: Installing the Distributed File System
Role Service and Creating a DFS Namespace

Objectives
Install the Distributed File System Role Service.
Create a DFS Namespace.

Logon Information
Virtual Machines: 6419A-NYC-DC1 and 6419A-NYC-SVR1
User Name: WoodgroveBank\Administrator
Password: Pa$$w0rd

Exercise 1: Installing the Distributed File System Role
Service
In this exercise, you will install the Distributed File System Role Service on both
NYC-DC1 and NYC-SVR1. This will provide redundancy for the CorpDocs
namespace and allow clients to contact the namespace server within their own site.
The main tasks for this exercise are as follows:
1. Start each virtual machine and log on.
2. Install the Distributed File System Role Service on NYC-DC1.
3. Install the Distributed File System Role Service on NYC-SVR1.

Task 1: Start each virtual machine and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Install the Distributed File System Role Service on NYC-DC1
1. On NYC-DC1, start Server Manager.
2. Use the Add Roles Wizard to add the Distributed File System Role Service
including the DFS Namespaces and DFS Replication role services. Do not
create a namespace at this point.
3. Using the Server Manager Roles pane, verify that File Server, Distributed File
System, DFS Namespaces, and DFS Replication are installed.
Task 3: Install the Distributed File System Role Service on NYC-SVR1
1. On NYC-SVR1, start Server Manager.
2. Use the Add Roles Wizard to add the Distributed File System Role Service
including the DFS Namespaces and DFS Replication role services. Do not
create a namespace at this point.
3. Using the Server Manager Roles pane, verify that File Server, Distributed File
System, DFS Namespaces, and DFS Replication are all installed.

Exercise 2: Creating a DFS Namespace
In this exercise, you will create the CorpDocs DFS namespace. You also will
configure both NYC-DC1 and NYC-SVR1 to host the CorpDocs namespace to
provide redundancy.
The main tasks for this exercise are as follows:
1. Use the New Namespace Wizard to create a new namespace.
2. Add an additional namespace server to host the namespace.

Task 1: Use the New Namespace Wizard to create a new namespace
1. On NYC-DC1, start the DFS Management console.
2. Use the New Namespace Wizard to create a namespace with the following
options:
Namespace Server: NYC-DC1
Namespace Name and Settings: CorpDocs
Namespace Type: Domain-based namespace
3. In the left pane, click the plus sign next to Namespaces, and then click
\\WoodgroveBank.com\CorpDocs.
4. Verify that the CorpDocs namespace has been created on NYC-DC1.

Task 2: Add an additional namespace server to host the namespace
1. On NYC-DC1, in the DFS Management console, use the Add Namespace
Server Wizard to add a new namespace server with the following options:
Namespace server: NYC-SVR1
Click Yes to start the Distributed File System service
2. In the left pane, click the plus sign next to Namespaces, and then click
\\WoodgroveBank.com\CorpDocs.

Note: Verify from the Details pane that the CorpDocs namespace is now hosted on
both NYC-DC1 and NYC-SVR1.

Lesson 3
Configuring DFS Replication

To configure DFS-R effectively, it is important to understand the terminology and
requirements associated with the feature. This lesson provides information on the
specific elements, requirements, and scalability considerations as they relate to
DFS-R, and also provides a process for configuring an effective replication
topology.
What Is DFS Replication?

Key Points
DFS-R uses a new compression algorithm known as remote differential
compression (RDC).
DFS-R detects changes on the volume by monitoring the update sequence
number (USN) journal, and replicates changes only after the file is closed.
When a file is changed, only the changed blocks are replicated, not the entire
file.
DFS-R is self-healing and can automatically recover from USN journal wraps,
USN journal loss, or loss of the DFS Replication database.
DFS-R uses a Windows Management Instrumentation (WMI) provider that
provides interfaces to obtain configuration and monitoring information from
the DFS Replication service.
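The WMI provider mentioned above can be queried from PowerShell; the following is an added example (not course material) that joins each replicated folder's configured staging quota with its live state and flags folders that are not in the Normal state. It assumes PowerShell 2.0 or later on a DFS-R member, the root\MicrosoftDFS classes DfsrReplicatedFolderConfig and DfsrReplicatedFolderInfo, and the State code meanings listed in the script.

```powershell
# Added example, not part of the course: read DFS-R configuration and live
# state through the DFS Replication WMI provider (namespace root\MicrosoftDFS).
# Assumptions: PowerShell 2.0+; the numeric State codes below are the values
# reported by DfsrReplicatedFolderInfo.State.

$DfsrFolderState = @{
    0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
    3 = 'Auto Recovery';  4 = 'Normal';      5 = 'In Error'
}

function Get-DfsrFolderHealth {
    # Joins DfsrReplicatedFolderConfig (staging quota) with
    # DfsrReplicatedFolderInfo (state) on replication group + folder name and
    # flags every folder that is not in the Normal state. Both parameters
    # accept WMI objects or any objects that carry the same property names.
    param(
        [Parameter(Mandatory=$true)] $Config,
        [Parameter(Mandatory=$true)] $Info
    )
    foreach ($cfg in $Config) {
        $live = $Info | Where-Object {
            $_.ReplicationGroupName -eq $cfg.ReplicationGroupName -and
            $_.ReplicatedFolderName -eq $cfg.ReplicatedFolderName
        }
        $stateName = if ($live -and $DfsrFolderState.ContainsKey([int]$live.State)) {
            $DfsrFolderState[[int]$live.State]
        } else {
            'Unknown'   # no runtime record yet, or a code this table does not know
        }
        New-Object PSObject -Property @{
            ReplicationGroup = $cfg.ReplicationGroupName
            Folder           = $cfg.ReplicatedFolderName
            StagingSizeInMb  = $cfg.StagingSizeInMb
            State            = $stateName
            NeedsAttention   = ($stateName -ne 'Normal')
        }
    }
}

# Live query (run in an elevated prompt on the member server):
#   $cfg  = Get-WmiObject -Namespace root\MicrosoftDFS -Class DfsrReplicatedFolderConfig
#   $info = Get-WmiObject -Namespace root\MicrosoftDFS -Class DfsrReplicatedFolderInfo
#   Get-DfsrFolderHealth -Config $cfg -Info $info

# Constructed sample objects (group and folder names taken from this module's
# lab) so the function can be exercised offline; HRTemplates is Normal,
# PolicyFiles is still in Initial Sync.
$sampleConfig = @(
    (New-Object PSObject -Property @{ ReplicationGroupName = 'woodgrovebank.com\corpdocs\hrtemplates'; ReplicatedFolderName = 'HRTemplates'; StagingSizeInMb = 4096 }),
    (New-Object PSObject -Property @{ ReplicationGroupName = 'woodgrovebank.com\corpdocs\policyfiles'; ReplicatedFolderName = 'PolicyFiles'; StagingSizeInMb = 4096 })
)
$sampleInfo = @(
    (New-Object PSObject -Property @{ ReplicationGroupName = 'woodgrovebank.com\corpdocs\hrtemplates'; ReplicatedFolderName = 'HRTemplates'; State = 4 }),
    (New-Object PSObject -Property @{ ReplicationGroupName = 'woodgrovebank.com\corpdocs\policyfiles'; ReplicatedFolderName = 'PolicyFiles'; State = 2 })
)
Get-DfsrFolderHealth -Config $sampleConfig -Info $sampleInfo |
    Format-Table ReplicationGroup, Folder, State, StagingSizeInMb, NeedsAttention -AutoSize
```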

Question: List one advantage and one disadvantage to having deleted files stored
in the Conflict and Deleted folders.

What Are Replication Groups and Replicated Folders?

Key Points
A replication group consists of a set of member servers that participate in replicating
one or more replicated folders. There are two main types of replication groups:
Multipurpose replication group.
Replication group for data collection.

A replicated folder is a folder that is synchronized between each member server.
Question: How can creating multiple replicated folders in a single replication
group simplify deployment?

DFS-R Requirements

Key Points
If you plan to use DFS Replication, the Active Directory schema must be updated
to at least the version equal to Windows Server 2003 R2, so that it includes the
Active Directory classes and attributes that DFS Replication uses.
You cannot enable replication across servers in different forests.
Question: Does your organization meet the requirements for DFS-R?

Scalability Considerations for DFS-R

Key Points
Use the scalability considerations on the slide above when deploying DFS-R.
Remember that these are guidelines, and you may be able to deploy configurations
successfully that exceed them. However, it is important to test and verify that
there is adequate space in the staging folders and that latency is acceptable.
Question: DFS-R doesn't have restrictions on the size of files replicated; however,
there is a consideration to ensure the files get replicated. What is this
consideration?

Process for Deploying a Multipurpose Replication Group

Key Points
A multipurpose replication group is used to replicate data between two or more
servers for general content sharing or for data publishing.
You can choose one of the following three topologies for the connections
between the replication group members:
Hub and spoke: Requires three or more members. In this topology, spoke
members are connected to one or more hub members. Data then is replicated
from the hub member to the spoke members.
Full mesh: In this topology, each member replicates with all other members of
the replication group. This works well with 10 or fewer members.
No topology: You can use this option if you want to create a custom topology
after you finish the wizard.
After an initial replication group is created, you can modify the replicated folders,
the connection, or topology. You also can delegate permissions to other
administrators to allow for management of the replication group.
Question: What topology would you use in your organization?
Question: When is the best time to schedule replication?

Understanding the Initial Replication Process

When you first configure replication, you must choose a primary member that has
the most up-to-date files to be replicated. This server is considered authoritative for
any conflict resolution that occurs when the receiving members have files that are
older or newer when compared to the same files on the primary member.
The following concepts will help you to better understand the initial replication
process:
Initial replication does not begin immediately.
Initial replication always occurs between the primary member and its receiving
replication partners.
When receiving files from the primary member during initial replication, the
receiving members that contain files that are not present on the primary
member move those files to their respective DfsrPrivate\PreExisting folder.
To determine whether files are identical on the primary member and receiving
member, DFS replication compares the files using a hash algorithm.
After the initialization of the replicated folder, the primary member
designation is removed.

Question: What is a consideration when choosing a primary member?

Generating Diagnostic Reports and Propagation Tests

Key Points
To help maintain and troubleshoot DFS-R, you can generate diagnostic reports and
perform propagation tests.
You can use the Diagnostic Report Wizard to perform the following:
Create a health report.
Start a propagation test.
Create a propagation report.

Question: How often would you run the diagnostic report wizard to create a health
report in your organization?

Demonstration: Deploying DFS-R

Key Points
Create and configure the AccountingDataRepl replication group.
Create a diagnostic report.

Question: Where are you able to modify the path for the staging folder?
Question: Which tab shows the sending and receiving members of the replication
group?

Troubleshooting DFS-R and Active Directory

Key Points
Common causes of the "Waiting for the DFS Replication service to retrieve
replication settings from Active Directory" error:
Issue: Active Directory replication latency
Solutions:
Wait.
Force replication using repadmin (with /replicate /force) or replmon (with
synchronize directory partition).
Change your replication schedule and topology.

Issue: Active Directory replication blocked because of network misconfigurations,
such as DNS resolution failures or firewall blocks.
Solution: Fix the network configuration.
Issue: Active Directory replication blocked because of topology misconfigurations.
Solution: Verify the site topology in Active Directory and check the event logs for
topology problems.
Issue: Active Directory replication blocked because of lingering objects. Lingering
objects are typically objects that exist in the read-only global catalog (GC)
partition of a domain controller but no longer exist in the read-write source
domain partition. This can happen when an administrator brings a domain
controller (DC) back online after it has been shut off for months: the source
objects were deleted and tombstoned and are no longer available, so the old DC
can't be told about the deletions, and its copies of the deleted objects are
reanimated into the directory.
Solution: Use the Repadmin tool to remove lingering objects from a directory
partition: repadmin /removelingeringobjects.
Issue: Active Directory replication blocked because of the tombstone lifetime:
Event ID 2042 (It has been too long since this machine replicated).
Solution: In most circumstances, the best answer is to forcibly demote the DC,
provided you have other domain controllers that can handle the load in the
meantime.
Question: List three places you can look for DFS-R troubleshooting information.

Troubleshooting DFS-R

Key Points
Several other issues and solutions include:
DFS-R is slow
Make sure operating system updates and DFS-R hotfixes are installed.
If the event that indicates the staging quota is over its configured size
(event ID 4208 in the DFS-R event log) is logged multiple times in an
hour, increase the staging quota by 20 percent.
If you see a considerable number of DFS-R event log entries for 4302 and
4304, you may want to start examining how files are being used for
sharing violations.
Data isn't being replicated
DFS-R might not work across firewalls when replicating between branch
offices without a virtual private network (VPN) connection, because it uses
the remote procedure call (RPC) dynamic endpoint mapper. Additionally,
configuring DFS-R using the DFS Management console does not work
when a firewall is enabled. To enable DFS-R to work through a firewall,
you can define a static port using the Dfsrdiag.exe command-line tool.
An error with event ID 6802 may appear in Event Viewer if the topology is
not connected.
Not replicating .bak files
By default, DFS-R applies a file filter to each replicated folder that excludes
files whose names start with ~ and files with the .tmp or .bak extension from
replication. You can change this filter in the DFS Management console.
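The event IDs called out under "DFS-R is slow" and "Data isn't being replicated" can be triaged automatically; the following added example (not course material) counts those events over the last hour in the DFS Replication log and turns the guidance above into recommended actions. It assumes PowerShell 2.0 or later; the thresholds of two 4208 events and ten 4302/4304 events per hour are my own choices, since the course says only "multiple times" and "a considerable number".

```powershell
# Added example, not part of the course: triage the "DFS Replication" event
# log against the troubleshooting guidance. Assumptions: PowerShell 2.0+;
# event objects carry Id and TimeCreated (as Get-WinEvent output does);
# thresholds are assumptions, not values from the course.

function Get-DfsrEventTriage {
    param(
        [Parameter(Mandatory=$true)] $Events,   # Get-WinEvent output or test objects
        [int]$StagingSizeInMb = 0,               # current staging quota, if known
        [datetime]$Now = (Get-Date)              # injectable for offline runs
    )
    $window = $Now.AddHours(-1)
    # Only the IDs the guidance names are counted; everything else is ignored
    $counts = @{ 4208 = 0; 4302 = 0; 4304 = 0; 6802 = 0 }
    foreach ($e in $Events) {
        $id = [int]$e.Id
        if ($counts.ContainsKey($id) -and $e.TimeCreated -ge $window) { $counts[$id]++ }
    }

    $findings = @()
    # 4208 logged repeatedly in an hour: staging quota is too small, grow it by 20 percent
    if ($counts[4208] -ge 2) {
        $action = "Staging quota exceeded $($counts[4208]) times in the last hour: raise the staging quota by 20 percent"
        if ($StagingSizeInMb -gt 0) {
            $newSize = [int][math]::Ceiling($StagingSizeInMb * 1.2)
            $action += " (from $StagingSizeInMb MB to $newSize MB)"
        }
        $findings += New-Object PSObject -Property @{ EventId = 4208; Count = $counts[4208]; Action = $action }
    }
    # 4302/4304 in volume: files are held open, look for sharing violations
    $sharing = $counts[4302] + $counts[4304]
    if ($sharing -ge 10) {
        $findings += New-Object PSObject -Property @{ EventId = '4302/4304'; Count = $sharing
            Action = 'Frequent sharing violations: examine how the replicated files are being opened and held' }
    }
    # 6802: the replication topology is not connected
    if ($counts[6802] -ge 1) {
        $findings += New-Object PSObject -Property @{ EventId = 6802; Count = $counts[6802]
            Action = 'Topology is not connected: review the connections for the replication group in DFS Management' }
    }
    if ($findings.Count -eq 0) { Write-Verbose 'No actionable DFS-R events in the last hour' }
    return $findings
}

# Live data (Get-WinEvent raises an error rather than returning nothing when
# the log has no matching events, hence -ErrorAction SilentlyContinue):
#   $events = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue
#   Get-DfsrEventTriage -Events $events -StagingSizeInMb 4096

# Constructed sample events for an offline run: two 4208 inside the window,
# one 4304, and one 4208 three hours old that must be ignored.
$now = Get-Date
$sampleEvents = @(
    (New-Object PSObject -Property @{ Id = 4208; TimeCreated = $now.AddMinutes(-50) }),
    (New-Object PSObject -Property @{ Id = 4208; TimeCreated = $now.AddMinutes(-10) }),
    (New-Object PSObject -Property @{ Id = 4304; TimeCreated = $now.AddMinutes(-5) }),
    (New-Object PSObject -Property @{ Id = 4208; TimeCreated = $now.AddHours(-3) })
)
Get-DfsrEventTriage -Events $sampleEvents -StagingSizeInMb 4096 -Now $now |
    Format-Table EventId, Count, Action -AutoSize
```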

Question: In your organization, would you include .bak files in your DFS
replication?
Question: What would be a disadvantage of replicating .bak files?


Lab B: Configuring Folder Targets and Viewing
Diagnostic Reports

Exercise 1: Configuring Folder Targets and Folder
Replication
In this exercise, you initially will create folder targets on two separate servers and
then verify that the CorpDocs namespace functions correctly. You then will add
availability and redundancy by creating additional folder targets and configuring
replication.
The main tasks for this exercise are as follows:
1. Create the HRTemplates folder, and configure a folder target on NYC-DC1.
2. Create the PolicyFiles folder, and configure a folder target on NYC-SVR1.
3. Verify the CorpDocs namespace functionality.
4. Create additional folder targets for the HRTemplates folder, and then
configure folder replication.
5. Create additional folder targets for the PolicyFiles folder, and then configure
folder replication.

Task 1: Create the HRTemplates folder, and configure a folder target
on NYC-DC1
1. On NYC-DC1, in the DFS Management console, right-click
\\WoodgroveBank.com\CorpDocs.
2. Create a new folder called HRTemplates.
3. Add a new folder target called HRTemplateFiles using the following options:
Click the New Shared Folder button.
Share Name: HRTemplateFiles
Local path of shared folder: C:\HRTemplateFiles
Shared Folder Permissions: Administrators have full access; other users
have read-only permissions
4. In the console tree, click \\WoodgroveBank.com\CorpDocs.
5. In the details pane, click the Namespace tab. Notice that HRTemplates is
listed as an entry in the namespace.
6. In the console tree, expand \\WoodgroveBank.com\CorpDocs and then
click HRTemplates. In the details pane, notice that on the Folder Targets tab,
one folder target is configured.
7. Click the Replication tab, and notice that replication is not configured.

Task 2: Create the PolicyFiles folder, and configure a folder target on
NYC-SVR1
1. On NYC-DC1, in the DFS Management console, right-click
\\WoodgroveBank.com\CorpDocs.
2. Create a new folder called PolicyFiles on NYC-SVR1.
3. Add a new Folder target called PolicyFiles using the following options:
Click the New Shared Folder button.
Share Name: PolicyFiles
Local path of shared folder: C:\Policyfiles
Shared Folder Permissions: Administrators have full access; other users
have read-only permissions
4. In the console tree, expand \\WoodgroveBank.com\CorpDocs and then
click PolicyFiles. In the details pane, notice that on the Folder Targets tab,
one folder target is configured.

Task 3: Verify the CorpDocs namespace functionality
1. On NYC-DC1, click Start and then click Run.
2. Access the \\WoodgroveBank\CorpDocs namespace, and verify that both
HRTemplates and PolicyFiles are visible. (If they are not visible, wait
approximately five minutes and try again.)
3. In the HRTemplates folder, create a new Rich Text Document file called
VacationRequest.
4. In the PolicyFiles folder, create a new Rich Text Document file called
OrderPolicies.

Task 4: Create additional folder targets for the HRTemplates folder,
and then configure folder replication
1. On NYC-DC1, in the DFS Management console, add a folder target with the
following options:
Path to folder target: \\NYC-SVR1\HRTemplates
Create share: Yes
Local Path of shared folder: C:\HRTemplates
Shared folder permissions: Administrators have full access; other users
have read-only permissions
Replication group: Yes
Replication Group name: woodgrovebank.com\corpdocs\hrtemplates
Replicated folder name: HRTemplates
Primary member: NYC-DC1
Topology: Full mesh
Replication schedule: default
2. In the console tree, expand the Replication node, and then click
woodgrovebank.com\corpdocs\hrtemplates.
3. In the details pane, on the Memberships tab, verify that both NYC-DC1 and
NYC-SVR1 are listed and enabled.

Task 5: Create additional folder targets for the PolicyFiles folder, and
then configure folder replication
1. On NYC-DC1, in the DFS Management console, add a folder target with the
following options:
Path to folder target: \\NYC-DC1\PolicyFiles
Create share: Yes
Local Path of shared folder: C:\PolicyFiles
Shared folder permissions: Administrators have full access; other users
have read-only permissions
Replication group: Yes
Replication Group name: woodgrovebank.com\corpdocs\policyfiles
Replicated folder name: PolicyFiles
Primary member: NYC-SVR1
Topology: Full mesh
Replication schedule: default
2. In the console tree, expand the Replication node, and then click
woodgrovebank.com\corpdocs\PolicyFiles.
3. In the details pane, on the Memberships tab, verify that both NYC-DC1 and
NYC-SVR1 are listed and enabled.

Exercise 2: Viewing Diagnostic Reports for Replicated
Folders
In this exercise, you will generate a diagnostic report to view the folder replication
status.
The main tasks for this exercise are as follows:
1. Create a diagnostic report for woodgrovebank.com\corpdocs\hrtemplates.
2. Close all virtual machines, and discard undo disks.

Task 1: Create a diagnostic report for
woodgrovebank.com\corpdocs\hrtemplates
1. On NYC-DC1, create a diagnostic report for
woodgrovebank.com\corpdocs\hrtemplates based upon the following
options:
Type of Diagnostic Report or Test: health report
Path and Name: default
Members to include: NYC-DC1 and NYC-SVR1
Options: Backlogged files enabled; Count replicated files enabled
2. Read through the report and take note of any errors or warnings. When you
are finished, close the Microsoft Internet Explorer window.
3. Create a diagnostic report for the policy files replication group. Read through
the report and take note of any errors or warnings. When you are finished,
close the Internet Explorer window. Note that there may be errors reported if
replication has not yet begun or finished.

Task 2: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Configuring and Managing Distributed File System 11-47
Module Review and Takeaways

Review Questions
1. How can you use DFS in your File Services deployment?
2. What kind of compression technology is used by Windows Server 2008 DFS?
3. What are three main scenarios used for DFS?
4. What is the difference between a domain-based DFS namespace and a stand-
alone DFS namespace?
5. What is the default ordering method for client referral to folder targets?
6. What does the Primary Member configuration do when setting up replication?
7. Which folder is used to cache files and folders where conflicting changes are
made on two or more members?
Network Ports Used by DFS
The following table describes the network ports that DFS uses:

Service name: NetBIOS Name Service
  Relevant computers: Domain controllers; root servers that are not domain
  controllers; servers acting as folder targets; client computers acting as
  folder targets
  UDP: 137    TCP: 137

Service name: NetBIOS Datagram Service
  Relevant computers: Domain controllers; root servers that are not domain
  controllers; servers acting as folder targets; client computers acting as
  folder targets
  UDP: 138    TCP: none

Service name: NetBIOS Session Service
  Relevant computers: Domain controllers; root servers that are not domain
  controllers; servers acting as folder targets; client computers acting as
  folder targets
  UDP: none   TCP: 139

Service name: LDAP Server
  Relevant computers: Domain controllers
  UDP: 389    TCP: 389

Service name: Remote Procedure Call (RPC) endpoint mapper
  Relevant computers: Domain controllers
  UDP: none   TCP: 135

Service name: Server Message Block (SMB)
  Relevant computers: Domain controllers; root servers that are not domain
  controllers; servers acting as folder targets; client computers acting as
  folder targets
  UDP: 445    TCP: 445

Tools
The following table lists the tools that you can use to configure and manage DFS:

Tool: Dfsutil
  Use for: Performing advanced operations on DFS namespaces.
  Where to find it: On a namespace server, type Dfsutil at a command prompt.

Tool: Dfscmd.exe
  Use for: Scripting basic DFS tasks such as configuring DFS roots and targets.
  Where to find it: On a namespace server, type Dfscmd at a command prompt.

Tool: DFS Management
  Use for: Performing tasks related to DFS namespaces and replication.
  Where to find it: Click Start, point to Administrative Tools, and then click
  DFS Management.

Configuring Network Access Protection 12-1
Module 12
Configuring Network Access Protection
Contents:
Lesson 1: Overview of Network Access Protection 12-3
Lesson 2: How NAP Works 12-18
Lesson 3: Configuring NAP 12-25
Lesson 4: Monitoring and Troubleshooting NAP 12-33
Lab: Configuring NAP for DHCP and VPN 12-37
Module Overview

Network Access Protection (NAP) ensures compliance with specific health policies
for systems accessing the network. NAP assists administrators in achieving and
maintaining a specific health policy. This module provides information about how
NAP works, and how to configure, monitor, and troubleshoot NAP.
Lesson 1
Overview of Network Access Protection

NAP is a system health policy-enforcement platform built into Microsoft Windows
Server 2008, Windows Vista, and Windows XP Service Pack 3. This platform
enables you to protect private network assets better by enforcing compliance with
system health requirements. NAP enables you to create customized health-
requirement policies to validate computer health before allowing access or
communication, as well as automatically update compliant computers to ensure
ongoing compliance and limit the access of non-compliant computers to a
restricted network until they become compliant.
What Is Network Access Protection?

NAP for Windows Server 2008, Windows Vista, and Windows XP Service Pack 3
provides components and an application programming interface (API) that help
administrators enforce compliance with health-requirement policies for network
access or communication. NAP enables developers and administrators to create
solutions for validating computers that connect to their networks, as well as
provide needed updates or access to needed health update resources and limit the
access or communication of non-compliant computers.
NAP has three important and distinct aspects:
Health state validation
Health policy compliance
Limited access

Question: How would you use NAP enforcement in your environment,
considering home users, roaming laptops and outside business partners?
NAP Scenarios


Depending on their requirements, administrators can configure a solution to
address any or all of these scenarios for their networks.
Question: Have you ever had an issue with unsecure, unmanaged laptops causing
harm to your network? Do you think NAP would have addressed this issue?

NAP Enforcement Methods

Components of the NAP infrastructure known as enforcement clients (ECs) and
enforcement servers (ESs) require health-state validation and enforce limited
network access for non-compliant computers, each for a specific type of network
access or communication.
Administrators can use the enforcement methods separately or together to
limit the access or communication of non-compliant computers.
Network Policy Server (NPS) in Windows Server 2008, the replacement for
Internet Authentication Service (IAS) in Windows Server 2003, acts as a health
policy server for all of these NAP enforcement methods.
Windows Vista and Windows Server 2008 also include NAP support for
Terminal Services Gateway (TS Gateway) connections.

Question: Which of the NAP enforcement types would best suit your company?
Can you see your organization using multiple NAP enforcement types? If so, which
ones?
NAP Platform Architecture

The components of a NAP-enabled network infrastructure consist of the following:
NAP clients are computers that support the NAP platform for system health-
validated network access or communication.
NAP enforcement points are computers or network-access devices that use
NAP to require evaluation of a NAP client's health state and provide restricted
network access or communication.
NAP enforcement points include the Health Registration Authority (HRA), VPN
server, DHCP server and network access devices.
HRA is a computer that runs Windows Server 2008 and Internet Information
Services (IIS), and that obtains health certificates from a certification authority
(CA) for compliant computers.
NAP health policy servers are computers that run Windows Server 2008 and
the NPS service, and that store health-requirement policies and provide
health-state validation for NAP. NPS is the replacement for the Internet
Authentication Service (IAS), and the Remote Authentication Dial-In User
Service (RADIUS) server and proxy that Windows Server 2003 provides.
Remediation servers are computers that contain health update resources that
NAP clients can access to remediate their non-compliant state. Examples
include antivirus signature distribution servers and software update servers.

Question: Does your environment presently use 802.1x authentication at the
switch level? If so, would 802.1x NAP be beneficial, considering you can configure
remediation VLANs to offer limited access?

NAP Architecture Interactions

The interactions for the computers and devices of a NAP-enabled network
infrastructure depend on the NAP enforcement methods chosen for unlimited
network connectivity. The architecture's client side and server side have processes
that enable policy validation for the client, or remediation network access to help
the client become compliant with the requirements for unrestricted network
access.
Question: List an example of a NAP-enabled network infrastructure used in your
organization.

NAP Client Infrastructure

The NAP client architecture consists of the following:
A layer of NAP enforcement client (EC) components - Each NAP EC is defined
for a different type of network access or communication.
A layer of system health agent (SHA) components - An SHA component
maintains and reports one or multiple elements of system health.
NAP Agent - Maintains the current health-state information of the NAP client
and facilitates communication between the NAP EC and SHA layers. The NAP
platform provides the agent.
SHA application programming interface (API) - Provides a set of function calls
that allow SHAs to register with the NAP Agent, to indicate system health
status, respond to NAP Agent queries for system health status, and for the NAP
Agent to pass system health-remediation information to a SHA.
NAP EC API - Provides a set of function calls that allow NAP ECs to register
with the NAP Agent, to request system health status, and pass system health-
remediation information to the NAP Agent.
The NAP ECs for the NAP platform supplied in Windows Vista, Windows Server
2008, and Windows XP with SP2 (with the NAP Client for Windows XP) are the
following:
An IPsec NAP EC for IPsec-protected communications
An EAPHost NAP EC for 802.1X-authenticated connections
A VPN NAP EC for remote access VPN connections
A DHCP NAP EC for DHCP-based IPv4 address configuration

Question: How would your organization deal with enabling the appropriate EC on
non-domain computers that are outside of the management scope?

Demonstration: Using the NAP Client Configuration Tool

Key Points
Open the NAP Client Configuration tool.
Explore the options available.
Question: List at least one example of how the NAP client could benefit your
organization.

NAP Server-Side Infrastructure

A Windows-based NAP enforcement point has a layer of NAP Enforcement
Server (ES) components. Each NAP ES is defined for a different type of network
access or communication. For example, there is a NAP ES for remote-access VPN
connections and a NAP ES for DHCP configuration. The NAP ES typically is
matched to a specific type of NAP-capable client. For example, the DHCP NAP ES
is designed to work with a DHCP-based NAP client. Third-party software vendors
or Microsoft can provide additional NAP ESs for the NAP platform.
The most common configuration for NAP server-side infrastructure consists of
NAP enforcement points providing network access or communication of a specific
type and separate NAP health policy servers providing system health validation
and remediation. It is possible to install the NPS service as a NAP health policy
server on individual Windows-based NAP enforcement points. However, in this
configuration, you must configure each NAP enforcement point separately with
network access and health policies. We recommend a configuration where you use
separate NAP health policy servers.
The overall NAP architecture consists of the following sets of components:
The three NAP client components (a SHA layer, the NAP Agent, and a NAP EC
layer)
The four NAP server-side components (a SHV layer, the NAP Administration
Server, the NPS service, and a NAP ES layer on Windows-based NAP
enforcement points)
Health-requirement servers
Remediation servers

Question: List at least one example of how the NAP health policy server can
monitor your networks.

Communication Between NAP Platform Components

Some common NAP-related terms you will see are:
SHV: System health validator. The server-side counterpart of an SHA; it
registers (and unregisters) with the NAP system and validates the SoH that its
matching SHA produces.
SHA: System health agent. A SHA performs system health updates and
publishes its status in the form of statement of health (SoH) to the NAP Agent.
The SoH contains information that the NAP health policy server can use to
verify that the client computer is in the required state of health.
SoH: Statement of health. To indicate the health state of a specific SHA, an SHA
creates a SoH and passes it to the NAP Agent. A SoH can contain one or
multiple elements of system health.
SSoH: System statement of health. To indicate the overall health state of a NAP
client, the NAP Agent uses a SSoH, which includes version information for the
NAP client and the set of SoHs for the installed SHAs.
SoHR: Statement of health response. A SHA is matched to a SHV on the server-
side of the NAP platform architecture. The corresponding SHV returns a SoHR
to the NAP client, which is passed by the NAP EC and the NAP Agent to the
SHA, informing it of what to do if the SHA is not in a required state of health.
SSoHR: System statement of health response. Based on the SoHRs from the
SHVs and the configured health policies, the NPS service creates a SSoHR,
which indicates whether the NAP client is compliant or non-compliant and
includes the set of SoHRs from the SHVs.

The NAP Agent component can communicate with the NAP Administration Server
component through the following process:
1. The NAP Agent passes the SSoH to the NAP EC.
2. The NAP EC passes the SSoH to the NAP ES.
3. The NAP ES passes the SSoH to the NPS service.
4. The NPS service passes the SSoH to the NAP Administration Server.

The NAP Administration Server can communicate with the NAP Agent through the
following process:
1. The NAP Administration Server passes the SSoHR to the NPS service.
2. The NPS service passes the SSoHR to the NAP ES.
3. The NAP ES passes the SSoHR to the NAP EC.
4. The NAP EC passes the SSoHR to the NAP Agent.

A SHA can communicate with its corresponding SHV through the following
process:
1. The SHA passes its SoH to the NAP Agent.
2. The NAP Agent passes the SoH, contained within the SSoH, to the NAP EC.
3. The NAP EC passes the SoH to the NAP ES.
4. The NAP ES passes the SoH to the NAP Administration Server.
5. The NAP Administration Server passes the SoH to the SHV.

The SHV can communicate with its corresponding SHA through the following
process:
1. The SHV passes its SoHR to the NAP Administration Server.
2. The NAP Administration Server passes the SoHR to the NPS service.
3. The NPS service passes the SoHR, contained within the SSoHR, to the NAP ES.
4. The NAP ES passes the SoHR to the NAP EC.
5. The NAP EC passes the SoHR to the NAP Agent.
6. The NAP Agent passes the SoHR to the SHA.

Question: List an example of how your organization can use NAP Platform
Components to facilitate communication.
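The four exchanges above can be traced end to end in code. The following Python model is an added example for this lesson; it is not Microsoft code and not part of the NAP platform. It stands in one SHA for the Windows Security Health Agent and one for a third-party antivirus product, bundles their SoHs into the SSoH, hands each SoH to its matching SHV on the server side, and lets NPS build the SSoHR and pick the action the health policy names for a non-compliant client. The SHA/SHV names (WSHA, AV-SHA), the health checks, the policy dictionary and the "latest signature" value are all constructed for the illustration; EC, ES and NPS only relay the messages, so they appear as plain function calls.

```python
"""Model of the NAP component exchange: SHA -> NAP Agent -> EC -> ES -> NPS ->
NAP Administration Server -> SHV, and the SoHR/SSoHR path back.
Added example only; not Microsoft code. SHA/SHV names, health checks and the
'latest signature' value are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class SoH:            # statement of health: one SHA's report
    sha_id: str
    report: Dict[str, object]


@dataclass
class SSoH:           # system statement of health: all SoHs plus NAP client version
    client_version: str
    sohs: List[SoH]


@dataclass
class SoHR:           # statement of health response from the matching SHV
    sha_id: str
    compliant: bool
    remediation: str = ""


@dataclass
class SSoHR:          # system statement of health response built by NPS
    compliant: bool
    sohrs: List[SoHR]


# ---- client side: SHAs and the NAP Agent ---------------------------------
def security_center_sha(state: dict) -> SoH:
    # Constructed stand-in for the Windows Security Health Agent (WSHA).
    return SoH("WSHA", {"firewall_on": state["firewall_on"],
                        "auto_update_on": state["auto_update_on"]})


def antivirus_sha(state: dict) -> SoH:
    # Constructed third-party antivirus SHA reporting its signature version.
    return SoH("AV-SHA", {"signature_version": state["signature_version"]})


def nap_agent_build_ssoh(state: dict, shas: List[Callable], nap_version="1.0") -> SSoH:
    """NAP Agent: collect one SoH from every registered SHA into the SSoH."""
    return SSoH(nap_version, [sha(state) for sha in shas])


# ---- server side: SHVs, NAP Administration Server, NPS --------------------
LATEST_SIGNATURES = 20080512   # constructed answer from the AV health requirement server


def security_center_shv(soh: SoH) -> SoHR:
    missing = [k for k in ("firewall_on", "auto_update_on") if not soh.report.get(k)]
    if missing:
        return SoHR(soh.sha_id, False, "enable: " + ", ".join(missing))
    return SoHR(soh.sha_id, True)


def antivirus_shv(soh: SoH) -> SoHR:
    have = soh.report.get("signature_version", 0)
    if have < LATEST_SIGNATURES:
        return SoHR(soh.sha_id, False,
                    f"fetch signatures >= {LATEST_SIGNATURES} from remediation server")
    return SoHR(soh.sha_id, True)


def nap_admin_server_validate(ssoh: SSoH, shvs: Dict[str, Callable]) -> List[SoHR]:
    """NAP Administration Server: hand each SoH to the SHV registered for that SHA.
    A SoH with no matching SHV is failed, not silently ignored."""
    out = []
    for soh in ssoh.sohs:
        shv = shvs.get(soh.sha_id)
        out.append(shv(soh) if shv else SoHR(soh.sha_id, False, "no SHV registered"))
    return out


def nps_decide(sohrs: List[SoHR], policy: dict) -> Tuple[SSoHR, str]:
    """NPS: compliant only if every SHV agreed; otherwise apply the action the
    health policy names for non-compliant clients ('reject', 'restrict' or 'allow')."""
    compliant = all(r.compliant for r in sohrs)
    action = "full_access" if compliant else policy["on_noncompliant"]
    return SSoHR(compliant, sohrs), action


def nap_exchange(state: dict, policy: dict):
    """One full round trip. EC, ES and NPS only relay the SSoH and SSoHR, so they
    are plain function calls here. Returns (SSoHR, action, remediation list)."""
    ssoh = nap_agent_build_ssoh(state, [security_center_sha, antivirus_sha])
    sohrs = nap_admin_server_validate(
        ssoh, {"WSHA": security_center_shv, "AV-SHA": antivirus_shv})
    ssohr, action = nps_decide(sohrs, policy)
    # The NAP Agent hands each SoHR back to its SHA; collect what the SHAs must do.
    todo = [r.remediation for r in ssohr.sohrs if not r.compliant]
    return ssohr, action, todo


if __name__ == "__main__":
    stale = {"firewall_on": False, "auto_update_on": True, "signature_version": 20080401}
    ssohr, action, todo = nap_exchange(stale, {"on_noncompliant": "restrict"})
    print(action, todo)
```

The point to take from the model is the fan-out and fan-in: every SoH is judged by exactly one SHV, and a single failing SoHR makes the whole SSoHR non-compliant, so adding an SHV to a health policy tightens the verdict rather than widening it. The unregistered-SHV branch matters in practice: a client reporting a health component the server does not know about should not be treated as healthy by default.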

Lesson 2
How NAP Works

The design of NAP enables administrators to configure it to meet their network
needs. Therefore, the actual NAP configuration will vary according to the
administrator's preferences and requirements. However, the underlying operation
of NAP remains the same.
When a client attempts to access or communicate on the network, it must present
its statement of health (SoH). If a client is not compliant with system-health
requirements (for example, that it has the latest operating system and antivirus
updates installed), its access to, or communication on, the network can be limited
to a restricted network containing server resources, until the health-compliance
issues are remedied. After the updates are installed, the client requests access to the
network or attempts the communication again. If compliant, the client is granted
unlimited access to the network or the communication is allowed.
NAP Enforcement Processes

With Network Access Protection, you can create customized health policies to
validate computer health before allowing access or communication, to update
compliant computers automatically to ensure ongoing compliance, and, optionally,
to confine non-compliant computers to a restricted network until they become
compliant.
Question: List at least one example of why you would customize a health policy.

How IPsec Enforcement Works

IPsec enforcement limits communication for IPsec-protected NAP clients by
dropping incoming communication attempts sent from computers that cannot
negotiate IPsec protection using health certificates.
Unlike 802.1X and VPN enforcement, in which enforcement occurs at the network
entry point, each individual computer performs IPsec enforcement.
IPsec enforcement defines the following logical networks:
Secure network: The set of computers that have health certificates and that
require that incoming communication attempts use health certificates for IPsec
authentication.
Boundary network: The set of computers that have health certificates, but
which do not require that incoming communication attempts use health
certificates for IPsec authentication.
Restricted network: The set of computers that do not have health certificates.
This includes non-compliant NAP client computers, guests on the network, and
computers that are not NAP-capable, such as computers running Windows
versions that do not support NAP, or Apple Macintosh or UNIX-based
computers.

Question: For which computers in the secure network would you allow unsecure
communication from computers in the restricted network to succeed?

How 802.1x Enforcement Works

IEEE 802.1X enforcement instructs an 802.1X-capable access point to use a limited
access profile, either a set of IP packet filters or a VLAN ID, to limit the traffic of
the non-compliant computer so that it can reach only resources on the restricted
network. For IP packet filtering, the 802.1X-capable access point applies the IP
packet filters to the IP traffic that is exchanged with the 802.1X client, and silently
discards all packets that do not correspond to a configured packet filter. For VLAN
IDs, the 802.1X-capable access point applies the VLAN ID to all of the packets
exchanged with the 802.1X client, and the traffic does not leave the VLAN
corresponding to the restricted network.
If the NAP client is non-compliant, the 802.1X connection has the limited access
profile applied and the NAP client can reach only the resources on the restricted
network.
Question: What must the network devices support to implement 802.1x NAP?

How VPN Enforcement Works

VPN enforcement uses a set of remote-access IP packet filters to limit non-
compliant VPN client traffic so that it can reach only the resources on the restricted
network. The VPN server applies the IP packet filters to the IP traffic that it receives
from the VPN client, and silently discards all packets that do not correspond to a
configured packet filter.
Question: How does the VPN NAP enforcement method respond to non-
compliant computers that make connection attempts?

How DHCP Enforcement Works

DHCP address configuration limits network access for the DHCP client through
its IPv4 routing table. DHCP enforcement sets the DHCP Router option value
to 0.0.0.0, so the non-compliant computer does not have a configured default
gateway. DHCP enforcement also sets the subnet mask for the allocated IPv4
address to 255.255.255.255, so that there is no route to the attached subnet.
To allow the non-compliant computer to access the restricted network's
remediation servers, the DHCP server assigns the Classless Static Routes DHCP
option. This option contains host routes to the restricted network's computers,
such as the DNS and remediation servers. The end result of DHCP limited network
access is a configuration and routing table that allows connectivity only to specific
destination addresses corresponding to the restricted network. Therefore, when an
application attempts to send to a unicast IPv4 address other than those supplied
via the Classless Static Routes option, the TCP/IP protocol returns a routing error.
Question: Does the DHCP NAP enforcement type work on IPv6 networks?
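The routing-table effect described above can be reproduced from the DHCP options themselves. The following Python program is an added example for this topic, not Microsoft code: it builds the three options the text names for a non-compliant client (Router 0.0.0.0, subnet mask 255.255.255.255, and Classless Static Routes carrying /32 host routes to the remediation servers), encodes and decodes the Classless Static Routes option in the RFC 3442 wire format, derives the client's IPv4 routing table, and then checks which destinations are reachable. The client address 10.10.0.50 and the remediation hosts 10.10.0.10 and 10.10.0.24 are constructed sample values; the choice of the client's own address as next hop for the host routes (an on-link route) is an assumption of this example, since the course does not say what next hop the server supplies.

```python
"""Client-side model of NAP DHCP enforcement. Added example only; not Microsoft
code. Builds the restricted DHCP configuration described in the course (Router
option 0.0.0.0, subnet mask 255.255.255.255, Classless Static Routes with host
routes to remediation servers), encodes that option per RFC 3442, and answers
"can this client reach X?" from the resulting routing table.
All IP addresses are constructed sample values."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

Route = Tuple[IPv4Network, IPv4Address]   # (destination, next hop)


def encode_classless_routes(routes: List[Route]) -> bytes:
    """DHCP option 121 payload (RFC 3442): per route, 1 octet prefix length,
    only the significant destination octets, then the 4-octet router address."""
    payload = bytearray()
    for dest, router in routes:
        n = (dest.prefixlen + 7) // 8
        payload.append(dest.prefixlen)
        payload += dest.network_address.packed[:n]
        payload += router.packed
    return bytes(payload)


def decode_classless_routes(payload: bytes) -> List[Route]:
    """Inverse of encode_classless_routes; pads the destination back to 4 octets."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        n = (plen + 7) // 8
        dest = bytes(payload[i + 1:i + 1 + n]).ljust(4, b"\x00")
        router = IPv4Address(payload[i + 1 + n:i + 5 + n])
        routes.append((IPv4Network((dest, plen), strict=False), router))
        i += 5 + n
    return routes


def nap_restricted_dhcp_options(client_ip, remediation_hosts, next_hop=None) -> Dict[int, bytes]:
    """Options a NAP-enforcing DHCP server hands a non-compliant client.
    Assumption of this example: the /32 host routes use the client's own address
    as next hop (an on-link route); the course does not state the next hop."""
    client_ip = IPv4Address(client_ip)
    next_hop = IPv4Address(next_hop) if next_hop else client_ip
    routes = [(IPv4Network(f"{h}/32"), next_hop) for h in remediation_hosts]
    return {
        1: IPv4Address("255.255.255.255").packed,   # subnet mask: no on-link subnet
        3: IPv4Address("0.0.0.0").packed,           # router: no default gateway
        121: encode_classless_routes(routes),       # host routes to remediation servers
    }


def compliant_dhcp_options(mask="255.255.255.0", gateway="10.10.0.1") -> Dict[int, bytes]:
    """Constructed normal lease for comparison: a real subnet and a default gateway."""
    return {1: IPv4Address(mask).packed, 3: IPv4Address(gateway).packed}


def routing_table(client_ip, options: Dict[int, bytes]) -> List[Route]:
    """Derive the client's IPv4 routing table from the offered options."""
    client_ip = IPv4Address(client_ip)
    mask = IPv4Address(options[1])
    prefixlen = IPv4Network(f"0.0.0.0/{mask}").prefixlen
    table = [(IPv4Network(f"{client_ip}/{prefixlen}", strict=False), client_ip)]  # on-link
    router = IPv4Address(options[3])
    if router != IPv4Address("0.0.0.0"):
        table.append((IPv4Network("0.0.0.0/0"), router))       # default route
    table += decode_classless_routes(options.get(121, b""))
    return table


def reachable(table: List[Route], dest: str) -> bool:
    """True if some route covers dest. Otherwise the TCP/IP stack returns a
    routing error, which is how DHCP enforcement confines the client."""
    d = IPv4Address(dest)
    return any(d in net for net, _ in table)


def routes_as_strings(routes: List[Route]) -> List[Tuple[str, str]]:
    return [(str(net), str(gw)) for net, gw in routes]


if __name__ == "__main__":
    opts = nap_restricted_dhcp_options("10.10.0.50", ["10.10.0.10", "10.10.0.24"])
    table = routing_table("10.10.0.50", opts)
    for target in ("10.10.0.10", "10.10.0.24", "10.10.0.200", "192.0.2.1"):
        print(target, "reachable" if reachable(table, target) else "routing error")
```

Because the mask is /32 and there is no default route, only the destinations carried in option 121 match any route; the same client with the normal lease from compliant_dhcp_options reaches everything through its default route. This also shows why the text answers the IPv6 question the way it does: the mechanism is built entirely from IPv4 options.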
Lesson 3
Configuring NAP

This lesson provides information about configuring the client to interoperate with
the server-side infrastructure of a NAP-enforced environment.
A NAP-capable client is a computer that has the NAP components installed and can
verify its health state by sending a SoH to NPS.
What Are System Health Validators?

SHAs and SHVs, which are NAP infrastructure components, provide health-state
tracking and validation. Windows Vista and Windows XP Service Pack 3 include
a Windows Security Health Validator SHA that monitors the Windows Security
Center settings. Windows Server 2008 includes a corresponding Windows
Security Health Validator SHV. NAP is designed to be flexible and extensible, and
interoperates with any vendor's software that provides SHAs and SHVs that use the
NAP API.
An SHV receives a SoH from the NAP Administration Server and compares the
system health status information in the SoH with the required system health state.
For example, if the SoH is from an antivirus SHA and contains the last virus-
signature file version number, the corresponding antivirus SHV can check with the
antivirus health requirement server for the latest version number to validate the
NAP client's SoH.
The SHV returns a SoHR to the NAP Administration Server. The SoHR can contain
information about how the corresponding SHA on the NAP client can meet current
system-health requirements. For example, the SoHR that the antivirus SHV sends
could instruct the NAP client's antivirus SHA to request the latest version, by name
or IP address, of the antivirus signature file from a specific antivirus signature
server.
Question: Does NAP work only with Microsoft-supplied System Health Validators?

What Is a Health Policy?

If the client configuration state does not match the requirements that the health
policy defines, NPS takes one of the following actions, depending on the NAP
configuration:
It rejects the connection request.
It places the NAP client on a restricted network where it can receive updates
from remediation servers that bring the client into compliance with health
policy. After the NAP client achieves compliance, NPS enables it to connect.
It allows the NAP client to connect to the network despite its non-compliance
with the health policy.

Question: Can you use only one SHV in a health policy?

What Are Remediation Server Groups?

A remediation server hosts the updates that NAP agent can use to bring non-
compliant client computers into compliance with health policy, as NPS defines.
For example, a remediation server can host antivirus signatures. If health policy
requires that client computers have the latest antivirus definitions, then the
following work together to update non-compliant computers: an antivirus SHA,
an antivirus SHV, an antivirus policy server, and the remediation server.
Question: What services might a remediation server offer to update antivirus
signatures?

NAP Client Configuration

You should remember these basic guidelines when you configure NAP clients:
Some NAP deployments that use Windows Security Health Validator require that
you enable Security Center:
Enable the Turn on Security Center (Domain PCs only) setting in Group
Policy under Computer Configuration, Administrative Templates, Windows
Components, and Security Center sections.

To use the WSHV setting A firewall is enabled for all network connections, the
firewall software that is running on the client computer must be Windows
Firewall or other firewall software that is compatible with Windows Security
Center. Firewall software that is not compatible with Windows Security Center
cannot be managed or detected by the Windows Security Health Agent (WSHA) on
the client computer.
The Network Access Protection service is required when you deploy NAP to NAP-
capable client computers.
Open Services from the Administrative Tools menu.
Change the startup type to Automatic for the Network Access Protection
service in the agent properties.

You also must configure the NAP enforcement clients on the NAP-capable
computers. You can use this procedure to install Group Policy Management and
enable Security Center on NAP-capable clients using Group Policy. Security Center
is required for some Network Access Protection (NAP) deployments that use
Windows Security Health Validator (WSHV).
Create a custom Microsoft Management Console (MMC) with the NAP Client
Configuration snap-in.
Expand NAP Client Configuration, and select Enforcement Clients from the
console tree.
In the details pane, double-click the EC that you want to enable, and select
Enable This Enforcement Client from the Properties sheet.

You also can use the netsh command to enable or disable ECs. Each EC is
addressed by its ID; the following command enables the DHCP EC (ID 79617) on
the client:
netsh nap client set enforcement id = 79617 admin = "enable"

Membership in Domain Admins, or equivalent, is the minimum required to
complete this procedure.
Question: What Windows groups have the rights to enable Security Center in
Group Policy, enable NAP service on clients, and enable/disable NAP enforcement
clients?

Demonstration: Using the Configure NAP Wizard to Apply
Network Access Policies

Key Points
Open the Network Policy Server tool to configure NAP.
Create a policy for DHCP.

Lesson 4
Monitoring and Troubleshooting NAP

Troubleshooting and monitoring the NAP structure is an important administrative
task because of different technology levels, and varied expertise and prerequisites,
for each NAP enforcement method. Trace logs are available for NAP, but are
disabled by default. These logs serve two purposes: troubleshooting and evaluating
a network's health and security.
What Is NAP Tracing?

You can use the NAP Client Configuration snap-in to configure NAP tracing.
Tracing records NAP events in a log file, and is useful for troubleshooting and
maintenance. You also can use tracing logs to evaluate your network's health and
security. You can configure three levels of tracing: Basic, Advanced, and Debug.
You should enable NAP tracing when:
You are troubleshooting NAP problems.
You want to evaluate the overall health and security of your organization's
computers.

Question: List at least one example of how NAP tracing can be used to determine
an issue with client communication.

Configuring NAP Tracing

There are two tools that are available for configuring NAP tracing. The NAP Client
Configuration console is part of the Windows user interface, and netsh is a
command-line tool.
To view the log files, navigate to the %systemroot%\tracing\nap directory, and
open the particular trace log that you want to view.
Question: What is the netsh command for enabling NAP debug logging levels?

Demonstration: Configuring Tracing

Key Points
Configure tracing from the graphical user interface.
Configure tracing from the command line.

Question: Of what group must you be a member to enable NAP tracing?

Lab: Configuring NAP for DHCP and VPN

Objectives
Configure NAP for DHCP clients
Configure NAP for VPN clients

Scenario
As the Woodgrove Bank technology specialist, you need to establish a way to bring
client computers automatically into compliance. You will do this by using Network
Policy Server, creating client compliance policies, and configuring a NAP server to
check the current health of computers.

Note: Since NAP is a new and complex technology in Windows Server 2008, detailed
steps have been provided here for each of the tasks in this lab. For this reason, there will
be no separate lab answer key for this module.

Exercise 1: Configuring Network Access Protection (NAP) for
Dynamic Host Configuration Protocol (DHCP) Clients
In this exercise, you will configure and test NAP for DHCP clients.
The main tasks are as follows:
1. Start the NYC-DC1, NYC-SVR1, and NYC-CL1 virtual machines.
2. Install the Network Policy Server (NPS) and Dynamic Host Configuration
Protocol (DHCP) server roles.
3. Configure NYC-SVR1 as a NAP health policy server.
4. Configure DHCP service for NAP enforcement.
5. Configure NYC-CL1 as DHCP and NAP client.
6. Test NAP Enforcement.

Task 1: Start the NYC-DC1, NYC-SVR1, and NYC-CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6419A.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
5. Log on to each virtual machine as WOODGROVEBANK\Administrator with
the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Install the Network Policy Server (NPS) and Dynamic Host
Configuration Protocol (DHCP) server roles
1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the Server Manager console pane, right-click Roles, and then click Add
Roles.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select the DHCP Server and Network Policy
and Access Services check boxes, and then click Next twice.
5. On the Select Role Services page, select the Network Policy Server check
box, and then click Next twice.
6. On the Select Network Connection Bindings page, verify that 10.10.0.24 is
selected, and then click Next.
7. On the Specify IPv4 DNS Server Settings page, for Parent Domain, verify that
WoodGroveBank.com is listed.
8. In the Preferred DNS Server IPv4 Address field, type 10.10.0.10, and then
click Validate.
9. Verify that the result returned is Valid, and then click Next.
10. On the Specify IPv4 WINS Server Settings page, verify that WINS is not
required for applications on this network is selected, and then click Next.
11. On the Add or Edit DHCP Scopes page, click Add.
12. In the Add Scope dialog box, in Scope Name field, type NAP Scope.
13. In the Starting IP Address field, type 10.10.0.50.
14. In the Ending IP Address field, type 10.10.0.99.
15. In the Subnet Mask field, type 255.255.0.0.
16. Verify that the Activate this scope check box is selected, click OK, and then
click Next.
17. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6
stateless mode for this server, and then click Next.
18. On the Authorize DHCP Server page, verify that Use current credentials is
selected, and then click Next.
19. On the Confirm Installation Selections page, click Install.
20. When the installation completes, click Close.
21. Close Server Manager.
Task 3: Configure NYC-SVR1 as a NAP health policy server
1. Click Start, point to Administrative Tools, and then click Network Policy
Server.
2. Configure SHVs:
a. In the Network Policy Server console pane, expand Network Access
Protection, and then click System Health Validators.
b. In the details pane, double-click Windows Security Health Validator.
c. In the Windows Security Health Validator Properties dialog box, click
Configure.
d. In the Windows Security Health Validator dialog box, on the Windows
Vista tab, clear all check boxes except A firewall is enabled for all
network connections.
e. Click OK twice.
3. Configure remediation server groups:
a. In the console pane, under Network Access Protection, right-click
Remediation Server Groups, and then click New.
b. In the New Remediation Server Group dialog box, in the Group Name
field, type Rem1.
c. Click Add.
d. In the Add New Server dialog box, in the IP address or DNS name field,
type 10.10.0.10, and then click Resolve.
e. Click OK twice.
4. Configure health policies:
a. In the console pane, expand Policies.
b. Right-click Health Policies, and then click New.
c. In the Create New Health Policy dialog box, in the Policy name field,
type DHCP Compliant.
d. In the Client SHV checks list, verify that Client passes all SHV checks is
selected.
e. Under SHVs used in this health policy, select the Windows Security
Health Validator check box, and then click OK.
f. In the console pane, right-click Health Policies, and then click New.
g. In the Create New Health Policy dialog box, in the Policy name field,
type DHCP Noncompliant.
h. In the Client SHV checks list, click Client fails one or more SHV checks.
i. Under SHVs used in this health policy, select the Windows Security
Health Validator check box, and then click OK.
5. Configure a network policy for compliant computers:
a. In the console pane, under Policies, click Network Policies.
b. In the details pane, right-click Connections to Microsoft Routing and
Remote Access server and then click Disable.
c. Right-click Connections to other access servers, and then click Disable.
d. In the console pane, right-click Network Policies, and then click New.
e. On the Specify Network Policy Name and Connection Type page, in the
Policy name field, type DHCP Compliant-Full Access.
f. In the Type of network access server list, click DHCP Server and then
click Next.
g. On the Specify Conditions page, click Add.
h. In the Select condition dialog box, double-click Health Policies.
i. In the Health Policies dialog box, in the Health policies list, click DHCP
Compliant, and then click OK.
j. On the Specify Conditions page, verify that Health Policy is specified
under Conditions with a value of DHCP Compliant.
k. On the Specify Conditions page, click Add.
l. In the Select condition dialog box, double-click MS-Service Class.
m. In the MS-Service Class dialog box, type NAP Scope, and then click OK.
n. On the Specify Conditions page, verify that MS-Service class is specified
under Conditions with a value of NAP Scope, and then click Next.
o. On the Specify Access Permission page, verify that Access granted is
selected, and then click Next.
p. On the Configure Authentication Methods page, clear all check boxes,
then select Perform machine health check only, and then click Next.
q. On the Configure Constraints page, click Next.
r. On the Configure Settings page, click NAP Enforcement.
s. In the details pane, verify that Allow full network access is selected and
then click Next.
t. On the Completing New Network Policy page, click Finish to complete
configuration of the network policy for compliant client computers.
6. Configure a network policy for non-compliant computers:
a. In the console pane, right-click Network Policies, and then click New.
b. On the Specify Network Policy Name and Connection Type page, in the
Policy name field, type DHCP Noncompliant-Restricted Access.
c. In the Type of network access server list, click DHCP Server and then
click Next.
d. On the Specify Conditions page, click Add.
e. In the Select condition dialog box, double-click Health Policies.
f. In the Health Policies dialog box, in the Health policies list, click DHCP
Noncompliant, and then click OK.
g. On the Specify Conditions page, verify that Health Policy is specified
under Conditions with a value of DHCP Noncompliant.
h. Click Add.
i. In the Select condition dialog box, double-click MS-Service Class.
j. In the MS-Service Class dialog box, type NAP Scope, and then click OK.
k. On the Specify Conditions page, verify that MS-Service class is specified
under Conditions with a value of NAP Scope, and then click Next.
l. On the Specify Access Permission page, verify that Access granted is
selected, and then click Next.

Note: A setting of Access granted does not mean that non-compliant clients are
granted full network access. It specifies that clients matching these conditions will be
granted an access level that the policy determines.
m. On the Configure Authentication Methods page, clear all check boxes,
then select Perform machine health check only, and then click Next.
n. On the Configure Constraints page, click Next.
o. On the Configure Settings page, click NAP Enforcement.
p. In the details pane, click Allow limited access.
q. Click Configure.
r. In the Remediation Server Group and Troubleshooting URL dialog box,
in the Remediation Server Group list, click Rem1.
s. In the Troubleshooting URL field, type
http://remediation.restricted.woodgrovebank.com, and then click OK.
t. Verify that Enable auto-remediation of client computers is selected and
then click Next.

Note: Although this remediation server does not exist, due to the limitations of the
lab environment, it is important to understand how to configure the settings.
u. On the Completing New Network Policy page, click Finish to complete
configuration of the network policy for non-compliant client computers.
7. Configure a network policy for non NAP-capable computers:
a. In the console pane, right-click Network Policies, and then click New.
b. On the Specify Network Policy Name and Connection Type page, in the
Policy name field, type DHCP Non NAP-Capable.
c. In the Type of network access server list, click DHCP Server and then
click Next.
d. On the Specify Conditions page, click Add.
e. In the Select condition dialog box, double-click NAP-Capable
Computers.
f. In the NAP-Capable Computers dialog box, click Only computers that
are not NAP-capable, and then click OK.
g. On the Specify Conditions page, verify that NAP-Capable is specified
under Condition with a value of Computer is not NAP-Capable.
h. On the Specify Conditions page, click Add.
i. In the Select condition dialog box, double-click MS-Service Class.
j. In the MS-Service Class dialog box, type Non NAP Scope, and then click
OK.
k. On the Specify Conditions page, verify that MS-Service class is specified
under Conditions with a value of Non NAP Scope, and then click Next.
l. On the Specify Access Permission page, verify that Access granted is
selected, and then click Next.
m. On the Configure Authentication Methods page, clear all check boxes,
then select Perform machine health check only, and then click Next.
n. On the Configure Constraints page, click Next.
o. On the Configure Settings page, click NAP Enforcement.
p. In the details pane, click Allow limited access.
q. Click Configure.
r. In the Remediation Server Group and Troubleshooting URL dialog box,
in the Remediation Server Group list, click Rem1.
s. In the Troubleshooting URL field, type
http://remediation.restricted.woodgrovebank.com, and then click OK.
t. Verify that Enable auto-remediation of client computers is selected and
then click Next.
u. On the Completing New Network Policy page, click Finish to complete
configuration of the network policy for older, non NAP-capable client
computers.
8. Configure connection request policy:
a. In the console pane, right-click Connection Request Policies, and then
click New.
b. On the Specify Connection Request Policy Name and Connection Type
page, in the Policy name field, type NAP DHCP.
c. In the Type of network access server list, click DHCP Server, and then
click Next.
d. On the Conditions page, click Add.
e. In the Select condition dialog box, double-click Day and Time
Restrictions.
f. In the Day and time restrictions dialog box, click All and then click
Permitted.
g. Click OK and click Next.
h. On the Specify Connection Request Forwarding page, verify that
Authenticate requests on this server is selected and click Next.
i. On Specify Authentication Methods page, verify that Override network
policy authentication settings is not selected.
j. Click Next twice, and then click Finish.

Result: This completes configuration of the NAP network policies.

Task 4: Configure DHCP service for NAP enforcement
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
DHCP.
2. In the DHCP console pane, expand nyc-dc1.woodgrovebank.com, expand
IPv4, and then click Scope [10.10.0.0] HeadOffice.
3. Right-click Scope [10.10.0.0] HeadOffice, and then click Delete.
4. In the DHCP dialog box, click Yes twice.
5. Close DHCP.
6. On NYC-SVR1, click Start, point to Administrative Tools, and then click
DHCP.
7. In the DHCP console pane, expand nyc-svr1.woodgrovebank.com, and then
expand IPv4, and then click Scope [10.10.0.0] NAP Scope.
8. Right-click Scope [10.10.0.0] NAP Scope, and then click Properties.
9. In the Scope [10.10.0.0] NAP Scope Properties dialog box, on the Network
Access Protection tab, click Enable for this scope.
10. Select Use custom profile.
11. In the Profile Name field, type NAP Scope, and then click OK.
12. In console pane, click Scope Options.
13. Right-click Scope Options, and then click Configure Options.
14. In the Scope Options dialog box, on the Advanced tab, in the User class list,
verify that Default User Class is selected.
15. Under Available Options, select the 015 DNS Domain Name check box.
16. In the String value field, type woodgrovebank.com, and then click OK.
17. In console pane, right-click Scope Options, and then click Configure Options.
18. In the Scope Options dialog box, on the Advanced tab, in the User class list,
click Default Network Access Protection Class.
19. Under Available Options, select the 006 DNS Servers check box.
20. In the IP address field, type 10.10.0.10, and then click Add.

Note: In this lab, the DNS server address is the same for both the restricted and non-
restricted networks. In a real environment, you would specify here a DNS server that
exists on the restricted network.
21. Under Available Options, select the 015 DNS Domain Name check box.
22. In the String value field, type restricted.woodgrovebank.com, and then click
OK.

Note: The restricted.woodgrovebank.com domain is a restricted access network assigned
to non-compliant NAP clients.
23. Close DHCP.
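The scope-option part of Task 4 (steps 12 to 22) as a netsh script, added here as an example and not part of the course material. It shows the point of the task in one place: the scope hands one DNS suffix to clients in the Default User Class and a different suffix (and, in a real deployment, a different DNS server) to clients that the DHCP enforcement server has placed in the Default Network Access Protection Class. The `netsh dhcp server scope ... set optionvalue` syntax with a `user=` class argument is taken from the netsh dhcp reference as I know it and is an assumption to verify with the `show optionvalue` command at the end; enabling NAP on the scope (steps 9 to 11) is left to the DHCP console. Run on the DHCP server, NYC-SVR1.

```powershell
# Added example (not part of the 6419A course material): netsh equivalent of
# the NAP Scope option settings in Task 4. Assumption: the
# "set optionvalue OptID OptType [user=ClassName] OptValue" syntax; check the
# result with "show optionvalue" before relying on it.

$scope      = '10.10.0.0'                                # scope ID of NAP Scope
$dnsServer  = '10.10.0.10'                               # NYC-DC1
$fullSuffix = 'woodgrovebank.com'                        # compliant clients
$restricted = 'restricted.woodgrovebank.com'             # quarantined clients
$napClass   = 'Default Network Access Protection Class'  # set by DHCP NAP enforcement

# Step 14-16: option 015 for the Default User Class (no user= argument).
netsh dhcp server scope $scope set optionvalue 015 STRING $fullSuffix

# Step 18-22: options that only restricted clients receive. The DNS server is
# the same address in this lab; in production it would sit on the restricted
# network so that quarantined clients can still resolve the remediation hosts.
netsh dhcp server scope $scope set optionvalue 006 IPADDRESS "user=$napClass" $dnsServer
netsh dhcp server scope $scope set optionvalue 015 STRING "user=$napClass" $restricted

# Review what each class will receive; the restricted class should list the
# restricted suffix and the default class the full one.
netsh dhcp server scope $scope show optionvalue
```

The difference in option 015 between the two classes is what makes a quarantined client visible in `ipconfig /all` later in the lab (the connection-specific DNS suffix changes to restricted.woodgrovebank.com), so this is also the quickest thing to check on the server when a client reports the wrong suffix.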

Task 5: Configure NYC-CL1 as DHCP and NAP client
1. On NYC-CL1, enable Security Center:
a. Click Start, type mmc, and then press ENTER.
b. In the Console1 window, on the File menu, click Add/Remove Snap-in.
c. In the Add or Remove Snap-ins dialog box, under Available snap-ins,
click Group Policy Object Editor, and then click Add.
d. In the Select Group Policy Object dialog box, click Finish, and then click
OK.
e. In the console pane, expand Local Computer Policy, expand Computer
Configuration, expand Administrative Templates, expand Windows
Components, and then click Security Center.
f. In the details pane, double-click Turn on Security Center (Domain PCs
only).
g. In the Turn on Security Center (Domain PCs only) Properties dialog
box, click Enabled, and then click OK.
2. Enable the DHCP enforcement client:
a. On the File menu, click Add/Remove Snap-in.
b. In the Add or Remove Snap-ins dialog box, under Available snap-ins,
click NAP Client Configuration, and then click Add.
c. In the NAP Client Configuration dialog box, click OK twice.
d. In the console pane, click NAP Client Configuration (Local Computer).
e. In the NAP Client Configuration details pane, click Enforcement Clients.
f. Right-click DHCP Quarantine Enforcement Client, and then click
Enable.
3. Enable and start the NAP agent service:
a. On the File menu, click Add/Remove Snap-in.
b. In the Add or Remove Snap-ins dialog box, under Available snap-ins,
click Services, and then click Add.
c. In the Services dialog box, click Finish, and then click OK.
d. In the console pane, click Services.
e. In the details pane, double-click Network Access Protection Agent.
f. In the Network Access Protection Agent Properties (Local Computer)
dialog box, in the Startup type list, click Automatic, and then click Start.
g. Wait for the NAP agent service to start, and then click OK.
h. Close Console1. When prompted to save settings, click No.
4. Configure NYC-CL1 for DHCP address assignment:
a. Click Start, right-click Network, and then click Properties.
b. In the Network and Sharing Center window, click View status.
c. In the Local Area Connection Status dialog box, click Properties.
d. In the Local Area Connection Properties dialog box, clear the Internet
Protocol Version 6 (TCP/IPv6) check box.

Note: This reduces the lab's complexity, particularly for those who are not familiar with
IPv6.
e. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
f. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click
Obtain an IP address automatically, and then click Obtain DNS server
address automatically.
g. Click OK, and then click Close twice.
h. Close Network and Sharing Center.

Task 6: Test NAP enforcement
1. Verify DHCP assigned address and current quarantine state:
a. Click Start, point to All Programs, point to Accessories, and then click
Command Prompt.
b. At the command prompt, type ipconfig /all, and then press ENTER.
c. Verify that the DNS Suffix Search List is Woodgrovebank.com and
System Quarantine State is Not Restricted.
2. Configure the System Health Validator policy to require antivirus software:
a. On NYC-SVR1, in the Network Policy Server console pane, expand
Network Access Protection, and then click System Health Validators.
b. In the details pane, double-click Windows Security Health Validator.
c. In the Windows Security Health Validator Properties dialog box, click
Configure.
d. In the Windows Security Health Validator dialog box, under Virus
Protection, select the An antivirus application is on check box and then
click OK twice.
3. Verify the restricted network on NYC-CL1:
a. On NYC-CL1, at the command prompt, type ipconfig /release and then
press ENTER.
b. Type ipconfig /renew and then press ENTER.
c. Verify the Connection-specific DNS suffix is now
restricted.woodgrovebank.com.
4. Close Command Prompt.
5. In the notification area, double-click the Network Access Protection icon.

Note: The dialog box tells you that the computer is not compliant with the requirements of
the network. It may take a few minutes to appear.
6. Click Close.
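Tasks 5 and 6 on the client side as one script, added here as an example and not part of the course material. It configures NYC-CL1 the way the steps above do (Security Center policy, DHCP Quarantine Enforcement Client, NAP agent service, DHCP address assignment) and then returns the two values Task 6 asks you to read from `ipconfig /all`, the System Quarantine State and the connection-specific DNS suffix, as an object you can check before and after the SHV change. Assumptions: enforcement-client ID 79617 is the DHCP Quarantine Enforcement Client as listed by `netsh nap client show config`; SecurityCenterInDomain under the Windows NT\SecurityCenter policy key is the registry value behind the "Turn on Security Center (Domain PCs only)" setting; the adapter is named Local Area Connection; the function names are this example's own. Clearing the IPv6 binding (step 4d) is left to the GUI. Run from an elevated prompt.

```powershell
# Added example (not part of the 6419A course material): command-line
# equivalent of Tasks 5 and 6 on the NAP client. Assumptions are noted inline.

function Enable-NapDhcpClient {
    # Task 5 step 1: Security Center on domain-joined PCs. Assumption: this
    # registry value is the policy backing store for the GPO setting.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name SecurityCenterInDomain -Value 1 -Type DWord

    # Task 5 step 2: enable the DHCP Quarantine Enforcement Client.
    # Assumption: ID 79617 is the DHCP enforcement client.
    netsh nap client set enforcement ID=79617 ADMIN="ENABLE"

    # Task 5 step 3: NAP agent service set to Automatic and started.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent

    # Task 5 step 4e-f: address and DNS from DHCP (adapter name assumed).
    netsh interface ipv4 set address name="Local Area Connection" source=dhcp
    netsh interface ipv4 set dnsservers name="Local Area Connection" source=dhcp
}

function Get-IpconfigValue {
    # Pull the text after the colon on the first ipconfig line matching $Label
    # that has a non-empty value (some adapters print the suffix line empty).
    param([string[]]$Lines, [string]$Label)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Label[ .]*:\s*(\S.*)$") { return $Matches[1].Trim() }
    }
    return $null
}

function Get-NapDhcpState {
    # Task 6 steps 1 and 3: the two values the lab asks you to verify, plus
    # the agent's service status, returned as one object.
    $out = ipconfig /all
    New-Object PSObject -Property @{
        QuarantineState = Get-IpconfigValue -Lines $out -Label 'System Quarantine State'
        DnsSuffix       = Get-IpconfigValue -Lines $out -Label 'Connection-specific DNS Suffix'
        NapAgent        = (Get-Service -Name napagent).Status
    }
}

# Configure the client, force a new lease, and read the resulting state.
Enable-NapDhcpClient
ipconfig /release | Out-Null
ipconfig /renew   | Out-Null
Get-NapDhcpState
```

Run `Get-NapDhcpState` once after the initial configuration and again after `ipconfig /release` and `ipconfig /renew` following the SHV change in Task 6 step 2: per the lab text the first call should show a quarantine state of Not Restricted and the second should show the restricted.woodgrovebank.com suffix, which confirms that enforcement, not merely the health check, is working.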

Exercise 2: Configuring NAP for VPN Clients
In this exercise, you will configure NAP for VPN Clients. This exercise uses the
Windows Security Health Agent and Windows Security Health Validator to require
that client computers have Windows Firewall enabled and have an antivirus
application installed.
You will create two network policies in this exercise. A compliant policy grants
full network access to an intranet network segment. A non-compliant policy
demonstrates network restriction by applying IP filters to the VPN tunnel interface
that only allow client access to a single remediation server.
The main tasks are as follows:
1. Configure NYC-DC1 as an Enterprise Root CA.
2. Configure NYC-SVR1 with NPS functioning as a health policy server.
3. Configure NYC-SVR1 with the Routing and Remote Access Service (RRAS)
configured as a VPN server.
4. Configure NYC-CL1 as a VPN and NAP client.
5. Configure System Help for Networking.
6. Close all virtual machines, and discard undo disks.

Task 1: Configure NYC-DC1 as an Enterprise Root CA
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Certification Authority.
2. In the certsrv [Certification Authority (Local)] console pane, expand
WoodgroveBank-NYC-DC1-CA, right-click Certificate Templates, and then
click Manage.
3. In the Certificate Templates Console details pane, right-click Computer, and
then click Properties.
4. In the Computer Properties dialog box, on the Security tab, click
Authenticated Users.
5. In the Permissions for Authenticated Users pane, for Enroll, select the Allow
check box, and then click OK.
6. Close all windows.
Task 2: Configure NYC-SVR1 with NPS functioning as a health policy
server
1. Obtain computer certificate on NYC-SVR1 for server-side PEAP authentication:
a. On NYC-SVR1, click Start, type mmc, and then press ENTER.
b. In the Console1 window, on the File menu, click Add/Remove Snap-in.
c. In the Add or Remove Snap-ins dialog box, click Certificates, and then
click Add.
d. In the Certificates snap-in dialog box, click Computer account, click
Next, and then click Finish.
e. Click OK.
f. In the console pane, expand Certificates (Local Computer), right-click
Personal, point to All Tasks, and then click Request New Certificate.
g. In the Certificate Enrollment dialog box, click Next.
h. On the Request Certificates page, select the Computer check box, and
then click Enroll.
i. Verify the status of certificate installation as Succeeded, and then click
Finish.
j. Close Console1. When prompted to save settings, click No.
2. Install the Remote Access Service role service:
a. Click Start, and then click Server Manager.
b. In the Server Manager console pane, expand Roles, right-click Network
Policy and Access Services, and then click Add Role Services.
c. On the Select Role Services page, select the Remote Access Service check
box, and then click Next.
d. On the Confirm Installation Selections page, click Install.
e. When the installation completes, click Close.
f. Close Server Manager.
3. Configure NPS as a NAP health policy server:
a. In the Network Policy Server console pane, click System Health
Validators.
b. In the details pane, double-click Windows Security Health Validator.
c. In the Windows Security Health Validator Properties dialog box, click
Configure.
d. In the Windows Security Health Validator dialog box, clear the An
antivirus application is on check box, and then click OK twice.
4. Configure Network Policies using the Network Policy Wizard:
a. In the console pane, click NPS(local).
b. In the details pane, click Configure NAP.
c. On the Select Network Connection Method For Use with NAP page, in
the Network connection method list, click Virtual Private Network
(VPN) and then click Next.
d. On the Specify NAP Enforcement Servers Running VPN Server page,
click Next.
e. On the Configure User Groups and Machine Groups page, click Next.
f. On the Configure an Authentication Method page, review the settings,
and then click Next.
g. On the Specify NAP Remediation Server Group and URL page, in the
Remediation Server Group list, click Rem1.
h. In the Troubleshooting URL field, type
http://remediation.restricted.woodgrovebank.com and click Next.
i. On the Define NAP Health Policy page, review the settings, and then click
Next.
j. On the Completing NAP Enforcement Policy and RADIUS Client
Configuration page, review the policies that will be created, and then click
Finish.
5. Configure NAP VPN Non-compliant policy:
a. In the console pane, click Network Policies.
b. In the details pane, right-click NAP VPN Noncompliant, and then click
Properties.
c. On the Settings tab, click IP Filters.
d. Under IPv4, click Input Filters.
e. In the Inbound Filters dialog box, click New.
f. In the Add IP Filter dialog box, select the Destination network check
box.
g. In the IP Address field, type 10.10.0.10.
h. In the Subnet mask field, type 255.255.255.255.
i. Click OK.
j. In the Inbound Filters dialog box, click Permit only the packets listed
below.
k. Click OK.

Note: This ensures that traffic from non-compliant clients can reach only NYC-DC1.
l. Under IPv4, click Output Filters.
m. In the Outbound Filters dialog box, click New.
n. In the Add IP Filter dialog box, select Source network check box.
o. In the IP address field, type 10.10.0.10.
p. In the Subnet mask field, type 255.255.255.255.
q. Click OK.
r. In the Outbound Filters dialog box, click Permit only the packets listed
below.
s. Click OK twice.

Note: This ensures that only traffic from NYC-DC1 can be sent to non-compliant clients.
6. Configure connection request policies:
a. In the console pane, click Connection Request Policies.
b. In the details pane, right-click Use windows authentication for all users,
and then click Disable.
c. Right-click NAP VPN, and then click Properties.
d. In the NAP VPN Properties dialog box, on the Conditions tab, click Add.
e. In the Select condition dialog box, double-click Tunnel Type.
f. In the Tunnel Type dialog box, select the Layer Two Tunneling Protocol
L2TP and Point-to-Point Tunneling Protocol PPTP check boxes, and
then click OK.
g. On the Settings tab, click Authentication, and review the settings.
h. Click Authentication Methods, and review the settings.
i. In the details pane, click Add.
j. In the Add EAP dialog box, click Microsoft: Secured password (EAP-
MSCHAP v2), and then click OK.
k. Click Microsoft: Protected EAP (PEAP), and then click Edit.
l. In the Configure Protected EAP Properties dialog box, verify that Enable
Quarantine checks is selected, and then click OK twice.

Task 3: Configure NYC-SVR1 with the Routing and Remote Access
Service (RRAS) configured as a VPN server
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Routing and Remote Access.
2. In the Routing and Remote Access window, right-click NYC-SVR1 (local), and
then click Configure and Enable Routing and Remote Access.
3. In the Routing and Remote Access Server Setup Wizard, click Next.
4. On the Configuration page, verify that Remote access (dial-up or VPN) is
selected, and then click Next.
5. On the Remote Access page, select the VPN check box, and then click Next.
6. On the VPN Connection page, click Local Area Connection 2.
7. Clear the Enable security on the selected interface by setting up static
packet filters check box, and then click Next.

Note: This ensures that NYC-SVR1 will be able to ping NYC-DC1 when attached to the
Internet subnet without requiring that you configure additional packet filters for Internet
Control Message Protocol (ICMP) traffic.
8. On the IP Address Assignment page, click From a specified range of
addresses, and then click Next.
9. On the Address Range Assignment page, click New.
10. In the New IPv4 Address Range dialog box, in the Start IP address field, type
10.10.0.100.
11. In the End IP address field, type 10.10.0.110, click OK and then click Next.
12. On the Managing Multiple Remote Access Servers page, verify that No, use
Routing and Remote Access to authenticate connection requests is selected,
and then click Next.
13. Click Finish.
14. In the Routing and Remote Access dialog box, click OK twice.
15. Close Routing and Remote Access.
16. In the Network Policy Server console pane, right-click Connection Request
Policies and then click Refresh.
17. In the details pane, right-click Microsoft Routing and Remote Access Service
Policy and then click Disable.

Task 4: Configure NYC-CL1 as a VPN and NAP client
1. Enable the remote-access, quarantine-enforcement client:
a. On NYC-CL1, click Start, type napclcfg.msc, and then press ENTER.
b. In the napclcfg - [NAP Client Configuration (Local Computer)] console
pane, click Enforcement Clients.
c. In the details pane, right-click Remote Access Quarantine Enforcement
Client, and then click Enable.
d. Close the NAP Client Configuration window.
2. Configure NYC-CL1 for the Internet network segment:
a. Click Start, right-click Network, and then click Properties.
b. In the Network and Sharing Center window, next to Local Area
Connection, click View status.
c. In the Local Area Connection dialog box, click Properties.
d. In the Local Area Connection Properties dialog box, click Internet
Protocol Version 4 (TCP/IPv4), and then click Properties.
e. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box,
click Use the following IP address.
f. In the IP address field, type 10.10.0.50.
g. In the Subnet mask field, type 255.255.0.0.
h. In the Default gateway field, type 10.10.0.1.
i. In the Preferred DNS server field, type 10.10.0.10.
j. Click OK twice, and then click Close.
3. Verify network connectivity for NYC-CL1:
a. Click Start | All Programs | Accessories, and then click Command
Prompt.
b. At the command prompt, type ping nyc-dc1 and then press ENTER.
c. Verify that a successful reply from 10.10.0.10 is returned.
4. Configure a VPN connection:
a. In the Network and Sharing Center Tasks pane, click Set up a connection
or network.
b. On the Choose a connection page, click Connect to a workplace, and
then click Next.
c. On the How do you want to connect page, click Use my Internet
connection (VPN).
d. On the Do you want to set up an Internet connection before continuing
page, click I'll set up an Internet connection later.
e. On the Type the Internet address to connect to page, in the Internet
address field, type 10.10.0.30.
f. In the Destination name field, type Woodgrove VPN.
g. Select the Allow other people to use this connection check box, and then
click Next.
h. On the Type your user name and password page, in the User name field,
type Administrator.
i. In the Password field, type Pa$$w0rd and then select the Remember this
password check box.
j. In the Domain (optional) field, type WOODGROVEBANK, and then
click Create.
k. On the The connection is ready to use page, click Close.
l. In the Network and Sharing Center Tasks pane, click Manage network
connections.
m. In the Network Connections window, right-click Woodgrove VPN,
and then click Properties.
n. In the Woodgrove VPN Properties dialog box, on the Security tab, click
Advanced (custom settings), and then click Settings.
o. In the Advanced Security Settings dialog box, click Use Extensible
Authentication Protocol (EAP), and then in the Use Extensible
Authentication Protocol (EAP) list, click Protected EAP (PEAP)
(encryption enabled).
p. Click Properties.
q. In the Protected EAP Properties dialog box, verify that the Validate
server certificate check box is selected, and then clear the Connect to
these servers check box.
r. In the Select Authentication Method list, verify that Secured Password
(EAP-MSCHAP v2) is selected.
s. Clear the Enable Fast Reconnect check box, and then select the Enable
Quarantine checks check box.
t. Click OK three times.
5. Test the VPN connection:
a. In the Network Connections window, right-click Woodgrove VPN, and
then click Connect.
b. In the Connect Woodgrove VPN dialog box, click Connect.
c. In the Enter Credentials dialog box, click OK.
d. In the Validate Server Certificate dialog box, click View Server
Certificate.
e. In the Certificate dialog box, verify that Certificate Information states that
the certificate was issued to nyc-svr1.Woodgrovebank.com by
WoodgroveBank-NYC-DC1-CA and then click OK twice.
f. Wait for the VPN connection to be made. Because NYC-CL1 is compliant,
it should have unlimited access to the intranet subnet.
g. At the command prompt, type ipconfig /all and press ENTER.
12-58 Configuring, Managing and Maintaining Windows Server 2008 Servers
h. Review the IP configuration and verify that System Quarantine State is
Not Restricted.
i. Type ping nyc-svr1 and then press ENTER. This should be successful.

Note: The client now meets the requirement for VPN full connectivity.
j. In the Network Connections window, right-click Woodgrove VPN, and
then click Disconnect.
6. Configure Windows Security Health Validator to require an antivirus
application:
a. On NYC-SVR1, in the Network Policy Server console pane, click System
Health Validators.
b. In the details pane, double-click Windows Security Health Validator.
c. In the Windows Security Health Validator Properties dialog box, click
Configure.
d. In the Windows Security Health Validator dialog box, select the An
antivirus application is on check box.
e. Click OK twice.
7. Verify the client is placed on the restricted network:
a. On NYC-CL1, in the Network Connections window, right-click
Woodgrove VPN, and then click Connect.
b. In the Connect Woodgrove VPN dialog box, click Connect.
c. In the Enter Credentials dialog box, click OK.
d. Wait for the VPN connection to be made.
e. In the notification area, double-click the network access icon in the system
tray.
f. In the Network Access Protection dialog box, review the settings and
then click Close.

Note: This dialog box indicates the computer does not meet health requirements. This
message is displayed because antivirus software has not been installed.
Configuring Network Access Protection 12-59
g. At the command prompt, type ipconfig /all and then press ENTER.
h. Review the IP configuration. The System Quarantine State should be
Restricted.
8. Disconnect from Woodgrove VPN.

Task 5: Configure System Help for Networking
1. On NYC-SVR1, click Start and then click Help and Support.
2. In the Windows Help and Support window, click Networking.
3. Verify that the Networking help topics exist.

Task 6: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

12-60 Configuring, Managing and Maintaining Windows Server 2008 Servers
Module Review and Takeaways

Review Questions
1. What are the three main client configurations that you need to configure for
most NAP deployments?
2. You want to evaluate the overall health and security of the NAP enforced
network. What do you need to do to start recording NAP events?
Configuring Network Access Protection 12-61
Best Practices
Consider the following best practices when implementing NAP:
Use strong enforcement methods (IPsec, 802.1X and VPN). Strong
enforcement methods provide the most secure and effective NAP deployment.
Do not rely on NAP to secure a network from malicious users. NAP is designed
to help administrators maintain the health of the network's computers, which
in turn helps maintain the network's overall integrity. NAP does not prevent
an authorized user with a compliant computer from uploading a malicious
program to the network or disabling the NAP agent.
Use consistent NAP policies throughout the site hierarchy to minimize
confusion. Configuring a NAP policy incorrectly may result in clients accessing
the network when they should be restricted or valid clients being erroneously
restricted. The more complicated your NAP policy design, the higher the risk
of incorrect configuration.
Do not rely on NAP as an instantaneous or real-time enforcement mechanism.
There are inherent delays in the NAP enforcement mechanism. While NAP
helps keep computers compliant over the long run, typical enforcement delays
may last for several hours or more due to many factors, including the settings
of various configuration parameters.
12-62 Configuring, Managing and Maintaining Windows Server 2008 Servers
Tools
Tool: Services
Use for: Enable and configure the NAP service on client computers.
Where to find it: Click Start, click Control Panel, click System and
Maintenance, click Administrative Tools, and then double-click Services.

Tool: Netsh nap
Use for: Using netsh, you can create scripts to automatically configure a set
of Windows Firewall with Advanced Security settings, create rules, monitor
connections, and display the configuration and status of Windows Firewall
with Advanced Security.
Where to find it: Open a command window with administrative rights and type
netsh nap. You can type help to get a full list of available commands.

Tool: Group Policy
Use for: Some NAP deployments that use Windows Security Health Validator
require that Security Center is enabled. Group Policy can also be used to
enable and manage the NAP client.
Where to find it: Enable the Turn on Security Center (Domain PCs only)
setting in the Computer Configuration, Administrative Templates, Windows
Components, Security Center section of Group Policy.

Tool: Configure NAP with a wizard
Use for: Used to create the health policies, connection request policies, and
Network Access Protection (NAP) with Network Policy Server.
Where to find it: Open the NPS (Local) console. In Getting Started and
Standard Configuration, select Network Access Protection (NAP) policy
server. The text and links below the text change to reflect your selection.
Click Configure NAP with a wizard.
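The lab above checks the client's NAP state by hand (ipconfig /all in steps 5h and 7h, then ping) and the Tools table points at netsh nap for scripting. The script below is an added example, not part of the 6419A courseware, that performs that same check from Windows PowerShell on NYC-CL1 while the VPN is connected. It assumes the NAP Agent service name napagent and the ipconfig header line "System Quarantine State"; the server name nyc-svr1 is the lab's.

```powershell
# Added example (not part of the 6419A courseware): read the NAP client state
# that the lab checks by hand (ipconfig /all, steps 5h and 7h) and cross-check
# it with netsh nap and a reachability test. Run on NYC-CL1 after connecting
# the VPN; $intranetHost is the lab's server name.
$intranetHost = 'nyc-svr1'

# The NAP Agent service (napagent) must be running for any enforcement
# client to report a health state at all.
$agent = Get-Service -Name napagent -ErrorAction SilentlyContinue
if ($null -eq $agent) {
    Write-Warning 'Network Access Protection Agent service not found.'
} elseif ($agent.Status -ne 'Running') {
    Write-Warning 'Network Access Protection Agent is installed but not running.'
}

# With the agent active, ipconfig /all prints a header line of the form
# "System Quarantine State . . . . . : Not Restricted" (or "Restricted").
# Take the text after the colon.
$stateLine = ipconfig /all |
    Where-Object { $_ -match 'System Quarantine State' } |
    Select-Object -First 1
if ($stateLine) {
    $state = $stateLine.Substring($stateLine.IndexOf(':') + 1).Trim()
} else {
    $state = 'Unknown (no quarantine line reported)'
}

# ping.exe exits 0 when at least one reply arrived. A compliant client
# (Not Restricted) should reach the intranet server; a client placed on the
# restricted network by the health policy should not.
ping.exe -n 2 $intranetHost | Out-Null
$reachable = ($LASTEXITCODE -eq 0)

"Quarantine state : $state"
"Reaches $intranetHost : $reachable"

# Authoritative view from the NAP client itself: the enabled enforcement
# clients and the client's current restriction state.
netsh nap client show state
```

Run it once after Task 4 step 5 (expect Not Restricted and a successful ping) and again after Task 4 step 7 (expect Restricted and a failed ping); a mismatch between the ipconfig line and the netsh nap output usually means the VPN enforcement client is not enabled on the client.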


Configuring Availability of Network Content and Resources 13-1
Module 13
Configuring Availability of Network Content
and Resources
Contents:
Lesson 1: Configuring Shadow Copies 13-3
Lab A: Configuring Shadow Copying 13-11
Lesson 2: Providing Server and Service Availability 13-14
Lab B: Configuring Network Load Balancing 13-26
13-2 Configuring, Managing and Maintaining Windows Server 2008 Servers
Module Overview

This module explains how to configure network resources and content availability
and how to enable a shadow copy volume, which provides access to previous file
and folder versions on a network. Finally, this module explains how you can use
failover clustering and Network Load Balancing (NLB) to facilitate greater data
availability and workload scalability.
Configuring Availability of Network Content and Resources 13-3
Lesson 1
Configuring Shadow Copies

In Microsoft Windows Server 2008, as in Microsoft Windows Server 2003, you
can enable shadow copies on a per-volume basis that will monitor changes made to
shares over the network, giving the user the opportunity to recover files and
folders.
13-4 Configuring, Managing and Maintaining Windows Server 2008 Servers
What Are Shadow Copies?

Key Points
The Previous Versions feature in Windows Server 2008 enables your users to
access previous versions of files and folders on your network. This is useful
because users can:
Recover files that were deleted accidentally.
Recover from accidentally overwriting a file.
Compare versions of a file while working.

Question: If you were to deploy shadow copies of shared folders in your network
environment, would you notice a decrease in calls from users needing restoration
from backups?

Configuring Availability of Network Content and Resources 13-5
Considerations for Deploying Shadow Copies

Key Points
Before deploying shadow copies, gather the following information to assist with
planning:
How frequently will users modify the content of shadow copy-protected
folders?
How many previous versions of files do you want to maintain?
How much space is available for storing shadow copies?

Question: Apply these planning considerations to a shadow copy scenario in your
work environment and describe the choices you might make.

13-6 Configuring, Managing and Maintaining Windows Server 2008 Servers
Shadow Copy Scheduling

Key Points
If you use the default values to enable shadow copies of shared folders on a
volume, tasks will be scheduled to create shadow copies at 7:00 A.M. and Noon.
The default storage area will be on the same volume, and its size will be limited
to 10 percent of the available space.
If you decide that you want shadow copies to be made more often, verify that you
have allotted enough storage space and that you do not make copies so often that
it degrades server performance.
Question: How might you consider modifying the default schedule for your
environment? Do you have data in shares that might require a more aggressive
schedule?

Configuring Availability of Network Content and Resources 13-7
Demonstration: Configuring Shadow Copies

Key Points
Open Computer Management.
Enable Shadow Copies on a single server volume.

Question: What are the possible drawbacks or costs of enabling Shadow Copies?
Question: Will you enable Shadow Copies on all volumes on your servers?

13-8 Configuring, Managing and Maintaining Windows Server 2008 Servers
Managing Shadow Copies from a Client Perspective

Key Points
For previous versions of the Windows operating system, the Previous Versions
client software must be installed for the user to make use of shadow copies. The
Microsoft Windows Vista operating system has the Previous Versions client built
into the operating system, so client configuration is not necessary.
Question: What might be the problem if a user calls the Help Desk and complains
that the Previous Versions tab is missing from the shared folder/file properties?

Configuring Availability of Network Content and Resources 13-9
Restoring Shadow Copies

Key Points
After you enable shadow copies of shared folders and start creating shadow copies,
you can use the Previous Versions feature to recover previous versions of files and
folders, or recover files and folders that have been renamed or were deleted.
Question: If a user calls you and says that the Previous Versions tab is not
visible, what would you ask to determine the problem?

13-10 Configuring, Managing and Maintaining Windows Server 2008 Servers
Demonstration: Restoring Shadow Copies

Key Points
Use the Previous Versions tab to restore an older version of a file.

Question: How would you train users to perform shadow copy restorations on
their own?
Question: If a user wanted to restore part of a previous document version, how
would you advise them to proceed?

Configuring Availability of Network Content and Resources 13-11
Lab A: Configuring Shadow Copying

Exercise 1: Configuring Shadow Copying
Scenario
You are the storage administrator for Woodgrove Bank. You find your time is often
spent restoring previous versions of files from backups. You want to institute
shadow copies to allow users to recover their own previous versions.
In this exercise, you will configure and test shadow copies.
The main tasks are as follows:
1. Enable shadow copies on a volume.
2. Change a file in a share location.
3. Manually create a shadow copy.
4. View the file previous versions, and restore to a previous version.
13-12 Configuring, Managing and Maintaining Windows Server 2008 Servers
Task 1: Start the virtual machines, and then log on
1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher
starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
5. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Enable shadow copies on a volume
1. Using the Computer Management console, enable shadow copies for drive E:\.
2. Create an initial shadow copy for drive E:\.

Task 3: Change a file in a share location
1. On NYC-CL1, open the shadowtest.txt file at \\NYC-DC1\shadow\.
2. Add the following text to the end of the text file:
This is my text that I am adding to the file.
3. Save and close the shadowtest.txt file.
4. On NYC-CL1, open the shadowtest.txt file at \\NYC-DC1\shadow\.
5. Add the following text to the end of the text file:
This is my second modification to the file.
6. Save and close the shadowtest.txt file.

Task 4: Manually create a shadow copy
On NYC-DC1, create a new shadow copy of drive E:\.
Configuring Availability of Network Content and Resources 13-13
Task 5: View the previous file versions, and restore to a previous
version
1. On NYC-CL1, view the previous versions tab of the properties of
\\NYC-DC1\shadow\shadowtest.txt.
2. View the previous version.
3. Restore the previous version.

Results: After this exercise, you should have established shadow copies on a share,
changed a file, and then restored the original version.
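Lab A Tasks 2 and 4 enable shadow copies for drive E: and take snapshots through the Computer Management console, and the Shadow Copy Scheduling topic earlier in the lesson describes the default 7:00 A.M. and noon schedule and the 10 percent storage limit. The script below is an added example, not part of the 6419A courseware, that does the same work from an elevated Windows PowerShell prompt on NYC-DC1 with the vssadmin and schtasks tools that ship with Windows Server 2008. The storage size and the task names are constructed values.

```powershell
# Added example (not part of the 6419A courseware): enable, snapshot and
# schedule shadow copies for drive E: from an elevated prompt on NYC-DC1,
# the command-line equivalent of Lab A Tasks 2 and 4 and of the default
# schedule. The storage size and task names are constructed.
$volume   = 'E:'
$maxSize  = '2GB'          # constructed; the Shadow Copies tab defaults to 10 percent of the volume
$taskName = 'ShadowCopy-E' # constructed task name prefix

# 1. Reserve shadow storage on the same volume. This is what "enabling"
#    shadow copies amounts to; the GUI does it with the default location.
#    If storage already exists for the volume, use
#    "vssadmin resize shadowstorage" instead of "add".
vssadmin add shadowstorage "/for=$volume" "/on=$volume" "/maxsize=$maxSize"

# 2. Take a snapshot now (Task 2 step 2 and again in Task 4). Each snapshot
#    becomes one entry on the clients' Previous Versions tab.
vssadmin create shadow "/for=$volume"

# 3. Reproduce the default 7:00 A.M. and noon schedule as two daily tasks
#    running as SYSTEM. Every extra snapshot time costs storage and I/O on
#    the volume, which is the trade-off the scheduling topic warns about.
foreach ($time in '07:00', '12:00') {
    $suffix = $time -replace ':', ''
    schtasks /create /f /tn "$taskName-$suffix" `
        /tr "vssadmin create shadow /for=$volume" `
        /sc DAILY /st $time /ru SYSTEM
}

# 4. Verify what exists and how much of the reserved space is in use.
vssadmin list shadows "/for=$volume"
vssadmin list shadowstorage "/for=$volume"
```

After step 2 runs, the Previous Versions tab on \\NYC-DC1\shadow\shadowtest.txt from NYC-CL1 shows one version per snapshot, which is what Task 5 restores from; vssadmin list shadowstorage is the number to watch when deciding whether a more aggressive schedule fits in the reserved space.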

13-14 Configuring, Managing and Maintaining Windows Server 2008 Servers
Lesson 2
Providing Server and Service Availability

Network Load Balancing (NLB) is a clustering technology that uses a distributed
algorithm to load balance network traffic across several hosts. This enhances the
scalability and availability of mission critical, IP-based services, such as Web,
Virtual Private Networking (VPN), Streaming Media, Terminal Services, Proxy, and
so on. It also provides high availability by detecting host failures and automatically
redistributing traffic to operational hosts.
Configuring Availability of Network Content and Resources 13-15
Network Load Balancing Manager Overview

Key Points
When you install NLB as a network driver on each of the cluster's member servers
or hosts, the cluster presents a virtual IP address to client requests. The client
requests go to all the hosts in the cluster, but only the host to which a given client
request is mapped accepts and handles the request. All the other hosts drop the
request. Depending on the configuration of each host in the cluster, the statistical
mapping algorithm, which is present on all the cluster hosts, maps the client
requests to particular hosts for processing.
Using NLB with compatible services offers the benefits of increased availability,
scalability, and load-balancing performance, as well as the ability to distribute a
large number of clients over a group of servers.
Question: Do you have any servers hosting stateless information that would
benefit from Network Load Balancing in your environment?

13-16 Configuring, Managing and Maintaining Windows Server 2008 Servers
Demonstration: Installing Network Load Balancing

Key Points
Install the Network Load Balancing feature.

Question: Should you enable this feature on all servers?

Configuring Availability of Network Content and Resources 13-17
Considerations for Creating a Network Load Balancing
Cluster

Key Points
To configure the Network Load Balancing cluster, you must configure three types
of parameters:
Host parameters, which are specific to each host in a NLB cluster. Host
parameters include:
Priority, which specifies a unique ID for each host. The host with the
lowest numerical priority among the current members of the cluster
handles all of the cluster's network traffic that is not covered by a port
rule.
Cluster parameters, which apply to a NLB cluster as a whole. Cluster
parameters include:
The IP Address and Subnet Mask for the NLB cluster.
13-18 Configuring, Managing and Maintaining Windows Server 2008 Servers
Port rules, which override the Priority setting or provide load balancing for
specific ranges of ports. Port rules include the following attributes:
The Port Range specifies the port or ports which will be affected by the
port rule.
The Protocols setting determines the network protocol that the rule will
cover.

Question: What applications would require the optional shared storage?

Configuring Availability of Network Content and Resources 13-19
Demonstration: Configuring a Network Load Balancing
Cluster

Key Points
Create a new NLB cluster.
Configure settings for the new NLB cluster.

Question: When should you configure multiple DIP for a cluster?

13-20 Configuring, Managing and Maintaining Windows Server 2008 Servers
Clustering Terminology

Key Points
There are several important terms that are used when discussing clustering.
Question: Discuss your work environment's approach to planned and unplanned
downtime.

Configuring Availability of Network Content and Resources 13-21
What Is a Failover Cluster?

Key Points
A failover cluster is a group of independent computers that work together to
increase the availability of applications and services. Physical cables and software
connect the clustered servers, known as nodes. If one of the cluster nodes fails,
another node begins to provide service (a process known as failover). Therefore,
users experience a minimum of service disruptions.

Note: The failover cluster feature is not available in the Windows Web Server 2008 or
Windows Server 2008 Standard editions.
Failover clusters include the following new functionality:
New validation feature
Support for globally unique identifier (GUID) partition table (GPT) disks in
cluster storage
13-22 Configuring, Managing and Maintaining Windows Server 2008 Servers
Improvements to existing failover cluster functionality include:
Improved cluster setup
Simplified management interfaces
Improvements to stability and security, which can result in increased
availability
Improvements to the way a cluster works with storage
Improvements to interfaces for working with shared folders
Improvements to networking and security

Question: Have you employed previous versions of clustering technology?

Configuring Availability of Network Content and Resources 13-23
Hardware Requirements for a Failover Cluster

Key Points
Carefully review the hardware on which you plan to deploy a failover cluster to
ensure that it is compatible with Windows Server 2008. This is especially necessary
if you are currently using that hardware for a server cluster running Windows
Server 2003. Hardware that supports a server cluster running Windows Server
2003 will not necessarily support a failover cluster running Windows Server 2008.

Note: You cannot perform a rolling upgrade from a server cluster running Windows
Server 2003 to a failover cluster running Windows Server 2008. However, after you create
a failover cluster running Windows Server 2008, you can use a wizard to migrate certain
resource settings to it from a server cluster running Windows Server 2003.
13-24 Configuring, Managing and Maintaining Windows Server 2008 Servers
The following hardware is required in a failover cluster:
Servers
Network adapters and cable (for network communication)
Device controllers or appropriate adapters for the storage if using shared SCSI
iSCSI initiator and dedicated network adapter if using iSCSI storage
Shared storage

Question: If you presently have a server cluster in a previous server version, can
you do a rolling upgrade to Windows Server 2008 Failover Clustering?

Configuring Availability of Network Content and Resources 13-25
Failover Clustering Scenarios

Key Points
Failover clustering can be useful in a number of different scenarios:
File shares can be made highly available.
Applications like Microsoft Exchange can be made highly available.
Databases on Microsoft SQL Server can be made highly available.
Virtual Machines running on Hyper-V hosts can be made highly available.

Question: Describe one scenario in your work environment where you currently
use or plan to implement failover clustering.

13-26 Configuring, Managing and Maintaining Windows Server 2008 Servers
Lab B: Configuring Network Load Balancing

Exercise 1: Configuring Network Load Balancing
Scenario
You have been asked to increase the reliability for a critical web server service.
Configure network load balancing for the service.
In this exercise, you will configure Network Load Balancing.
The main tasks are as follows:
1. Install the Network Load Balancing feature on NYC-DC1 and NYC-SVR1.
2. Configure Network Load Balancing on NYC-DC1 and NYC-SVR1.
3. Test the Network Load Balancing cluster.
4. Close all virtual machines, and discard undo disks.
Configuring Availability of Network Content and Resources 13-27
Task 1: Install Network Load Balancing
1. On NYC-DC1, open Server Manager.
2. Add the Network Load Balancing feature.
3. Repeat for NYC-SVR1.

Task 2: Create an NLB Cluster
1. On NYC-DC1, open Network Load Balancing Manager.
2. Create a new cluster with the hostname NYC-DC1 and start it.
3. Specify an IPv4 cluster IP of 10.10.0.70 with a Subnet Mask of 255.255.0.0.
4. Give the cluster a Full Internet Name of webfarm.woodgrovebank.com and
set the operation mode to Multicast.
5. Define port rules:
Port Range: 80 to 80
Protocols: TCP
Filtering mode: Multiple host
Affinity: none
6. Add the host NYC-SVR1 to the cluster.

Task 3: Test the NLB Cluster
1. Use Internet Explorer to browse to http://10.10.0.70.
2. The IIS 7.0 default page appears.
3. Turn off NYC-SVR1.
4. Use Internet Explorer to browse to http://10.10.0.70.
13-28 Configuring, Managing and Maintaining Windows Server 2008 Servers
Task 4: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Results: Even though an NLB Cluster member is unavailable, the web site is still
available.
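Task 3 tests the cluster with two manual browser requests. The script below is an added example, not part of the 6419A courseware, that probes the cluster VIP from NYC-CL1 repeatedly and then, on a cluster host, reads NLB's own view of the configuration and host membership with nlb.exe, which is installed with the Network Load Balancing feature on Windows Server 2008. It assumes Windows PowerShell 2.0 or later for try/catch; the VIP 10.10.0.70 and port 80 are the lab's, and the probe count is constructed.

```powershell
# Added example (not part of the 6419A courseware): probe the Lab B cluster
# VIP repeatedly from NYC-CL1 (Task 3) and, on a cluster host, read NLB's own
# view of the configuration and membership with nlb.exe. Requires Windows
# PowerShell 2.0 or later. The VIP is the lab's; the probe count is constructed.
$clusterVip = '10.10.0.70'
$probes     = 20

function Test-NlbVip {
    param([string]$Vip, [int]$Count)
    $client = New-Object System.Net.WebClient
    $ok = 0
    for ($i = 1; $i -le $Count; $i++) {
        try {
            # DownloadString throws on a connect failure or a non-2xx status,
            # so a caught exception counts as one failed probe.
            [void]$client.DownloadString("http://$Vip/")
            $ok++
        } catch {
            Write-Warning ("Probe {0}: {1}" -f $i, $_.Exception.Message)
        }
        Start-Sleep -Milliseconds 250
    }
    return "$ok of $Count requests to http://$Vip/ succeeded"
}

# Run from the client before and after turning off NYC-SVR1 (Task 3 steps 1
# and 4): the success count should equal $probes in both cases.
Test-NlbVip -Vip $clusterVip -Count $probes

# On NYC-DC1 (a cluster member) nlb.exe is available once the feature is
# installed:
#   nlb display  - cluster IP, operation mode and port rules (compare with Task 2)
#   nlb query    - convergence state and the hosts still in the cluster
if (Get-Command nlb.exe -ErrorAction SilentlyContinue) {
    nlb display
    nlb query
}
```

With the port rule from Task 2 (TCP 80, multiple host, affinity none) both hosts answer the VIP, so the only visible change after NYC-SVR1 is turned off is in nlb query, which lists one converged host instead of two; a drop in the success count would point at the remaining host or at a port rule that no longer covers port 80.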

Configuring Availability of Network Content and Resources 13-29
Module Review and Takeaways

Review Questions
1. What is the danger of choosing to restore a folder in Shadow Copies?
2. How are failover clusters different from Network Load Balancing?

Best Practices
Consider the following best practices for NLB and Failover Clustering:
Properly secure the NLB hosts and the load-balanced applications:
Network Load Balancing does not provide additional security for the load-
balanced hosts and cannot be used as a firewall. It is important to properly
secure the load-balanced applications and hosts. Security procedures can
typically be found in the documentation for each particular application.
For example, if you are using NLB to load balance a cluster of IIS servers,
you should follow the procedures and guidelines for securing IIS.
13-30 Configuring, Managing and Maintaining Windows Server 2008 Servers
You must protect the NLB subnet from intrusion by unauthorized
computers and devices to avoid interference from unauthorized heartbeat
packets.
While not required, use two or more network adapters in each NLB cluster
host whenever possible:
If the cluster is operating in the default unicast mode, NLB cannot
distinguish between single adapters on each host. Therefore, any
communication among NLB cluster hosts is not possible unless each
cluster host has at least two network adapters.
You can configure Network Load Balancing on more than one network
adapter. However, if you use a second network adapter to address this
best practice, make sure that you install Network Load Balancing on only
one adapter (referred to as the cluster adapter.)
Use only the TCP/IP network protocol on the cluster adapter:
Do not add any other protocols (for example, IPX) to this adapter.
Enable Network Load Balancing Manager logging:
You can configure Network Load Balancing Manager (NLBM) to log each
NLBM event. This log can be very useful in troubleshooting problems or
errors when using NLBM. Enable NLBM logging by clicking Log Settings
in the Network Load Balancing Manager Options menu. Select the Enable
logging check box, and then specify a name and location for the log file.
The Network Load Balancing Manager log file contains potentially
sensitive information about the Network Load Balancing cluster and
hosts, so it must be properly secured. By default, the log file inherits the
security settings of the directory in which it is created, so you may need to
change the explicit permissions on the file to restrict read and write access
to those individuals who do not need full control of the file. Be aware that
the individual using NLBM does require full control of the log file.
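The permission change described above, as an added example that is not part of the 6419A courseware: it removes the inherited ACEs from the NLB Manager log file and replaces them with an explicit list that gives full control only to SYSTEM, the local Administrators group and the named operator who runs NLB Manager. It uses icacls, which ships with Windows Server 2008; the log path and the operator account are constructed placeholders.

```powershell
# Added example (not part of the 6419A courseware): restrict the NLB Manager
# log file to SYSTEM, Administrators and the operator who runs NLBM. The
# path and the operator account are constructed placeholders.
$logFile  = 'C:\NLBLogs\nlbmgr.log'           # constructed: path chosen in Log Settings
$operator = 'WOODGROVEBANK\NlbOperator'       # constructed: account that runs NLBM

# Create the folder and an empty file if NLB Manager has not written it yet,
# so the ACL is in place before the first (potentially sensitive) entry.
$dir = Split-Path $logFile
if (-not (Test-Path $dir))     { New-Item -ItemType Directory -Path $dir | Out-Null }
if (-not (Test-Path $logFile)) { New-Item -ItemType File -Path $logFile | Out-Null }

# /inheritance:r drops the ACEs inherited from the directory (the default
# the text warns about); /grant:r replaces any explicit grants with this list.
# The operator keeps full control, which NLBM requires to write the log.
icacls $logFile /inheritance:r `
    /grant:r "NT AUTHORITY\SYSTEM:(F)" "BUILTIN\Administrators:(F)" "${operator}:(F)"

# Show the resulting ACL for review; only the three principals should appear.
icacls $logFile
```

If the log is later moved to another folder through Log Settings, the new file inherits that folder's ACL again and the command has to be repeated on the new path.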
Configuring Availability of Network Content and Resources 13-31
Verify that the load-balanced application is started on all cluster hosts on
which the application is installed:
NLB does not start or stop applications.
Use the following to help increase failover cluster security:
Do not set the Cluster service account to be a member of the domain
Administrators group. By giving the minimal possible user rights to the
Cluster service account, you avoid potential security issues if that account
is compromised.
Limit and audit access to shared data (for example, files and folders on
cluster disks).
Limit client access to cluster resources.
Use different accounts for the Cluster service and applications in the
cluster.
Use different Cluster service accounts for multiple clusters.

Monitoring and Maintaining Windows Server 2008 Servers 14-1
Module 14
Monitoring and Maintaining Windows Server
2008 Servers
Contents:
Lesson 1: Planning Monitoring Tasks 14-3
Lesson 2: Calculating a Server Baseline 14-9
Lesson 3: Measuring Performance Objects 14-14
Lab A: Identifying Windows Server 2008 Monitoring Requirements 14-24
Lesson 4: Selecting Appropriate Monitoring Tools 14-29
Lesson 5: Planning Notification Methods 14-37
Lesson 6: Overview of Windows Server 2008 Management Tasks 14-41
Lesson 7: Automating Windows Server 2008 Management 14-45
Lab B: Configuring Windows Server 2008 Monitoring 14-49
14-2 Configuring, Managing and Maintaining Windows Server 2008 Servers
Module Overview

Most businesses require cost-effective solutions that provide value for money. You
should monitor servers to ensure that they run efficiently and use available server
capacity.
Many administrators require performance-monitoring tools to identify components
that require additional tuning and troubleshooting. By identifying components that
require additional tuning, you can improve the efficiency of your servers.
Monitoring and Maintaining Windows Server 2008 Servers 14-3
Lesson 1
Planning Monitoring Tasks

The Microsoft Windows Server 2008 operating system can use many monitoring
tools.
This lesson discusses the range of monitoring features that are available for
Windows Server 2008 and how you can plan to measure the efficiency of the
operating system and hardware components through monitoring.
14-4 Configuring, Managing and Maintaining Windows Server 2008 Servers
Reasons for Monitoring

Key Points
You should monitor servers in your organization so that you can troubleshoot
unexpected performance problems from your hardware and software quickly and
easily.
By using performance-monitoring tools, you can determine when a server is really
slower at responding to user requests rather than relying on user perception of
"slow" and "fast" response times.
Interactive monitoring of systems is useful when you want to determine the effect
of performing a specific action or troubleshoot specific events. This type of
monitoring can also help you to ensure that you are meeting SLAs.
Monitoring and Maintaining Windows Server 2008 Servers 14-5
Reviewing collected data can be useful for tracking trends over time, determining
when to relocate resources, and deciding when to invest in new hardware to meet
the changing requirements of your business. You should use historical
performance data to assist you when you plan future server requirements.
Question: List four troubleshooting procedures that would benefit from server
monitoring.

14-6 Configuring, Managing and Maintaining Windows Server 2008 Servers
Monitoring Methods

Key Points
You should select the most appropriate tool to suit the type of monitoring that is
required.
Question: Which tools do you currently plan to use to monitor Windows Server
2008? Consider long-term planning goals and specific troubleshooting instances.

Monitoring and Maintaining Windows Server 2008 Servers 14-7
Planning for Event Monitoring

Key Points
There are several considerations when planning for event monitoring. Consider the
following:
You should ensure that your systems are cost-effective for your organization.
Your business may achieve reductions in the effort staff spend on event
monitoring by implementing efficient event monitoring.
You can prevent service and system outages by ensuring that resources retain
enough capacity to meet service-level agreements (SLAs).

14-8 Configuring, Managing and Maintaining Windows Server 2008 Servers
Question: What is the monetary cost of reduced user productivity for your
organization?
Question: What is the cost of system outage that is caused by not monitoring
systems?
Question: What is the cost of a reactive approach to troubleshooting?

Monitoring and Maintaining Windows Server 2008 Servers 14-9
Lesson 2
Calculating a Server Baseline

This lesson discusses some of the key server components to measure. You will
learn how to use analysis and planning techniques from collected performance
metrics to improve your server infrastructure.
Key Hardware Components to Monitor

Key Points
The four main hardware components to monitor are processor, disk, memory and
network.
You should measure all of the key components in your system.
You should consider the server role and workload to determine which
hardware components are likely to restrict performance.
You can increase server performance by adding power or reducing the number
of users who are accessing a server.

Question: Which hardware components are most likely to restrict performance for
a file server?

Common Performance Metrics

Key Points
You should familiarize yourself with basic performance measurement objects and
counters to monitor the main hardware components.
Question: What performance issues could be identified by monitoring cache?

Analyzing Performance Trends

Key Points
It is important to align planning across your organization. By analyzing
performance trends, you can make decisions for the future.
You should give careful consideration to the value of performance data to
ensure that it reflects the real server environment.
You should consider performance analysis alongside business plans.
It may be possible to reduce the number of servers in operation after you have
measured performance.

Question: What additional server support will your current business plans
require?

Planning for Future Capacity Requirements

Key Points
You want to ensure that you are able to support future growth in your
organization. Planning for future capacity will allow your organization to grow
without compromising productivity.
Capacity planning focuses on:
The server workload.
The number of users that a server can support.
How to scale the systems to support additional workload and users in the
future.

Question: How can you scale up your existing server workload to support more
users?
Lesson 3
Measuring Performance Objects

Performance tuning is the continuous process of monitoring a server to determine
whether it can deliver the requested workload. You should tune servers to adjust to
the current workload to support more users or applications.
Windows Server 2008 enables you to create server roles to meet your business
requirements. You should tune these roles to ensure that they are performing
efficiently to maximize their use. In this lesson, you will learn some of the basic
performance counters to measure for different server roles.
Identifying Server Role Performance Metrics

Key Points
Windows Server 2008 uses server roles to improve server efficiency and security.
By identifying the role that a server performs, you can ensure that you measure
the necessary counters to monitor performance.
By using server roles, you ensure that you install and activate only the required
components on your servers.
Only the performance objects and counters that are relevant to the installed
server role are available to monitor.

Question: Which server roles will you use in your organization? Which objects
and counters will be available for you to monitor?

Identifying Key Performance Counters

Key Points
There are many counters that you should research and consider monitoring to
meet your specific requirements.
Windows Server 2008 enables monitoring of operating system performance
through performance objects and counters in the object. Windows Server 2008
collects data from counters in various ways, including:
Real-time snapshot value
Total since last server restart
Average over specific time interval
Average of last x values
Number per second
Maximum value
Minimum value

Question: Why are average counters more useful than counters that show the
current value?

Primary CPU Performance Counters

Key Points
CPU counters are a feature of the computer's CPU that store the count of
hardware-related events.
Processor\% Processor Time: Shows the percentage of elapsed time that this
thread used the processor to execute instructions. An instruction is the basic
unit of execution in a processor, and a thread is the object that executes
instructions. Code executed to handle some hardware interrupts and trap
conditions is included in this count.
Processor\Interrupts/sec: Shows the rate, in incidents per second, at which the
processor received and serviced hardware interrupts.
System\Processor Queue Length: The System\Processor Queue
Length counter is a rough indicator of the number of threads each processor is
servicing. The processor queue length, sometimes called processor queue
depth, reported by this counter is an instantaneous value that is representative
only of a current snapshot of the processor, so it is necessary to observe this
counter over a long period of time. Also, the System\Processor Queue Length
counter is reporting a total queue length for all processors, not a length per
processor.
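The following added example is not part of the 6419A course material; it is a practitioner's illustration of two points made in this lesson. It takes a constructed series of raw samples and derives from them the counter forms listed under "Identifying Key Performance Counters" (real-time snapshot, total, average over the interval, average of the last x values, number per second, maximum and minimum), and it normalises the machine-wide System\Processor Queue Length by an assumed processor count, which is why the note above says the counter must be watched over a period rather than read once. The sample values and the processor count are constructed for the example; it runs offline and assumes PowerShell 3.0 or later for `[pscustomobject]`.

```powershell
# Added example, not part of the 6419A course material. Derives the counter
# forms listed under "Identifying Key Performance Counters" from a constructed
# series of raw samples, and normalises the machine-wide processor queue length
# per processor. Runs offline; assumes PowerShell 3.0 or later.

# Constructed samples, one per second. 'InterruptsRaw' stands in for the
# cumulative count behind Processor\Interrupts/sec; 'QueueLength' is the
# instantaneous System\Processor Queue Length for the whole server.
$script:Samples = @(
    [pscustomobject]@{ Second = 0; InterruptsRaw = 100000; QueueLength = 1 },
    [pscustomobject]@{ Second = 1; InterruptsRaw = 100400; QueueLength = 2 },
    [pscustomobject]@{ Second = 2; InterruptsRaw = 100900; QueueLength = 9 },
    [pscustomobject]@{ Second = 3; InterruptsRaw = 101300; QueueLength = 3 },
    [pscustomobject]@{ Second = 4; InterruptsRaw = 101800; QueueLength = 2 },
    [pscustomobject]@{ Second = 5; InterruptsRaw = 102300; QueueLength = 1 }
)
# Assumed for the example; on a real host read Win32_ComputerSystem.NumberOfLogicalProcessors.
$script:ProcessorCount = 4

function Get-RatePerSecond {
    # "Number per second": the difference between two cumulative raw values
    # divided by the elapsed time, which is how a /sec counter is formed.
    param($Previous, $Current)
    ($Current.InterruptsRaw - $Previous.InterruptsRaw) / ($Current.Second - $Previous.Second)
}

function Get-CounterSummary {
    param([object[]]$Series, [int]$Processors, [int]$LastN = 3)

    $queue = @($Series | ForEach-Object { $_.QueueLength })
    $stats = $queue | Measure-Object -Average -Maximum -Minimum

    $rates = @()
    for ($i = 1; $i -lt $Series.Count; $i++) {
        $rates += Get-RatePerSecond -Previous $Series[$i - 1] -Current $Series[$i]
    }

    [pscustomobject]@{
        SnapshotQueueLength  = $queue[-1]                    # real-time snapshot: the last sample only
        AverageQueueLength   = $stats.Average                 # average over the whole interval
        AverageOfLastN       = ($queue | Select-Object -Last $LastN | Measure-Object -Average).Average
        MaxQueueLength       = $stats.Maximum                 # the spike that a snapshot misses
        MinQueueLength       = $stats.Minimum
        QueuePerProcessor    = $stats.Average / $Processors   # the counter is machine-wide, not per processor
        AvgInterruptsPerSec  = ($rates | Measure-Object -Average).Average
        TotalInterruptsInRun = $Series[-1].InterruptsRaw - $Series[0].InterruptsRaw   # "total since" the first sample
    }
}

Get-CounterSummary -Series $script:Samples -Processors $script:ProcessorCount | Format-List
```

With these constructed samples the snapshot value is 1 while the maximum is 9 and the average is 3 (0.75 per processor), which is the gap between a current-value counter and an averaged one that the next topic's question asks about.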

Question: If the % Processor time is 80%, should any corrective action be taken?

Primary Memory Performance Counters

Key Points
The Memory performance object consists of counters that describe the behavior of
physical and virtual memory on the computer. Physical memory is the amount of
RAM on the computer. Virtual memory consists of space in physical memory and
on disk. Many of the memory counters monitor paging, which is the movement of
pages of code and data between disk and physical memory.
Question: If the Pool Nonpaged Bytes counter shows a slow rise, what might be happening?

Primary Disk Performance Counters

Key Points
The LogicalDisk performance object consists of counters that monitor logical
partitions of hard or fixed disk drives. System Monitor identifies logical disks by
their drive letter, such as "C."
The PhysicalDisk performance object consists of counters that monitor hard or
fixed disk drives. Disks are used to store file, program, and paging data. They are
read to retrieve these items, and are written to record changes to them. The values
of physical disk counters are sums of the values of the logical disks (or partitions)
into which they are divided.
Question: Why do you want the % Disk time to be as low as possible?

Primary Network Performance Counters

Key Points
Most workloads require access to production networks to ensure communication
with other applications and services and to communicate with users. Network
requirements include elements such as throughput, that is, the total amount of
traffic that passes a given point on a network connection per unit of time.
Other network requirements include the presence of multiple network
connections. Workloads might require access to several different networks that
must remain secure. Examples include connections for:
Public network access.
Networks for performing backups and other maintenance tasks.
Dedicated remote-management connections.
Network adapter teaming for performance and failover.
Connections to the physical host server.
Connections to network-based storage arrays.
By monitoring the network performance counters, you can evaluate your network
performance.
Question: If the output queue length is 5, what problems might you have in your
network?

Lab A: Identifying Windows Server 2008
Monitoring Requirements

Exercise 1: Evaluating Performance Metrics
Scenario
In this exercise, you will review data collector sets to locate problems and provide
troubleshooting advice to technical specialists.
The main tasks for this exercise are as follows:
1. Start each virtual machine and log on.
2. Identify performance problems with Windows Server 2008 - Part A.
3. Identify performance problems with Windows Server 2008 - Part B.
4. Identify performance problems with Windows Server 2008 - Part C.
Task 1: Start each virtual machine and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Identify performance problems with Windows Server 2008 -
Part A
You know that the server 6419A-NYC-SVR1 experiences low network traffic and
has limited disk activity, but the help desk is receiving many reports that the server
is slow.
Use Performance Monitor to review the data collector log at
E:\Labfiles\Mod14\Ex1A\6419A-NYC-SVR1-LAB14-EX1A.blg on the server
6419A-NYC-SVR1:
Examine the following counters:
Processor - % Processor Time
System - Processor Queue Length
Process - % Processor Time (All Instances)
What appears to be the problem on this server?
Write a brief report that outlines your findings and suggests possible solutions
to the problem.
Task 3: Identify performance problems with Windows Server 2008 -
Part B
You know that the server 6419A-NYC-SVR1 is not running processor-intensive
applications, but the help desk is receiving many reports that the server is slow.
Use Performance Monitor to review the data collector log at
E:\Labfiles\Mod14\Ex1B\6419A-NYC-SVR1-LAB14-EX1B.blg on the server
6419A-NYC-SVR1:
Examine the following counters:
PhysicalDisk - Avg. Disk Queue Length
PhysicalDisk - Current Disk Queue Length
PhysicalDisk - Disk Transfers/sec
Process - IO Data Bytes/sec (All Instances)
What appears to be the problem on this server?
Write a brief report that outlines your findings and suggests possible solutions
to the problem.
Task 4: Identify performance problems with Windows Server 2008 -
Part C
You know that the server 6419A-NYC-SVR1 experiences low network traffic and is
not running processor-intensive applications, but the help desk is receiving many
reports that the server is slow.
Use Performance Monitor to review the data collector log at
E:\Labfiles\Mod14\Ex1C\6419A-NYC-SVR1-LAB14-EX1C.blg on the server
6419A-NYC-SVR1.
Examine the following counters:
Process - Working Set-Private (All Instances)
Paging File - % Usage
Paging File - % Usage Peak
Memory - % Committed Bytes In Use
Memory - Available Mbytes
Memory - Committed Bytes
Memory - Page Faults/sec
Memory - Pool Nonpaged Bytes
Memory - Pool Paged Bytes
What appears to be the problem on this server?
Write a brief report that outlines your findings and suggests possible solutions
to the problem.

Results: After this exercise, you should have identified performance issues with servers
and suggested steps to resolve the problems.

Exercise 2: Monitoring Performance Metrics
Scenario
In this exercise, you will plan the performance metrics that are required to measure
the scalability of a server.
The main task for this exercise is to create a data collector set to measure server
requirements.
Task 1: Create a data collector set to measure server requirements
Create a data collector set based on the System Performance template to
measure the performance requirements of a file server. This forms the base
performance metrics for measuring the capacity of this server.
Which specific counters do you anticipate will require careful analysis?

Results: After this exercise, you should have identified steps to create a data collector
set for measuring file server performance.

Lesson 4
Selecting Appropriate Monitoring Tools

Windows Server 2008 provides a range of tools to monitor the operating system
and applications that you can use to tune your system for efficiency. You should
use these tools and complement them where necessary with your own tools.
Windows Server 2008 Monitoring Tools

Key Points
Windows Server 2008 has a range of built-in tools to assist you in monitoring your
systems.
Windows Server 2008 Event Viewer collects information that relates to server
operations.
Task Manager enables you to view processes in real time to determine their exact
resource usage at a point in time.
All performance counters are available programmatically through Microsoft
Windows Management Instrumentation (WMI). By making performance counters
available through WMI, you can monitor servers by using scripts.
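As an added example of monitoring by script through WMI (not code from the course), the block below reads the formatted performance counters this module discusses from the `Win32_PerfFormattedData_*` classes and evaluates them against thresholds. Collection and evaluation are separate functions so that the threshold logic can be exercised offline with a constructed sample; the threshold values are assumptions for the example, not course guidance, and the server names are those of the lab. Assumes PowerShell 3.0 or later.

```powershell
# Added example, not part of the 6419A course material. Reads formatted
# performance counters through WMI and evaluates them against thresholds.
# Threshold values are assumptions for the example. Assumes PowerShell 3.0+.

$script:Thresholds = @{
    PercentProcessorTime = 80    # sustained CPU above this merits investigation
    ProcessorQueueLength = 8     # machine-wide figure; compare with the processor count
    AvailableMBytes      = 100   # a floor: less than this indicates memory pressure
    AvgDiskQueueLength   = 2     # worst physical disk
    OutputQueueLength    = 2     # worst network adapter; a standing queue means it is saturated
}

function Get-ServerCounters {
    # One formatted sample per server. Requires WMI (DCOM) access to each server.
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $cpu  = Get-WmiObject -Class Win32_PerfFormattedData_PerfOS_Processor -ComputerName $c -Filter "Name='_Total'"
        $sys  = Get-WmiObject -Class Win32_PerfFormattedData_PerfOS_System -ComputerName $c
        $mem  = Get-WmiObject -Class Win32_PerfFormattedData_PerfOS_Memory -ComputerName $c
        $disk = Get-WmiObject -Class Win32_PerfFormattedData_PerfDisk_PhysicalDisk -ComputerName $c -Filter "Name<>'_Total'"
        $nic  = Get-WmiObject -Class Win32_PerfFormattedData_Tcpip_NetworkInterface -ComputerName $c
        [pscustomobject]@{
            ComputerName         = $c
            PercentProcessorTime = [int]$cpu.PercentProcessorTime
            ProcessorQueueLength = [int]$sys.ProcessorQueueLength
            AvailableMBytes      = [int]$mem.AvailableMBytes
            AvgDiskQueueLength   = ($disk | Measure-Object -Property AvgDiskQueueLength -Maximum).Maximum
            OutputQueueLength    = ($nic  | Measure-Object -Property OutputQueueLength  -Maximum).Maximum
        }
    }
}

function Test-CounterThresholds {
    # Returns one finding per breached threshold; no output means every counter is within limits.
    param([object[]]$Samples, [hashtable]$Limits = $script:Thresholds)
    foreach ($s in $Samples) {
        foreach ($name in $Limits.Keys) {
            $value = $s.$name
            $breached = $value -gt $Limits[$name]                                      # ceilings
            if ($name -eq 'AvailableMBytes') { $breached = $value -lt $Limits[$name] }  # the one floor
            if ($breached) {
                [pscustomobject]@{ ComputerName = $s.ComputerName; Counter = $name; Value = $value; Limit = $Limits[$name] }
            }
        }
    }
}

# Offline check with a constructed sample: CPU and disk queue breach, the rest are within limits.
$constructed = [pscustomobject]@{
    ComputerName = 'NYC-SVR1'; PercentProcessorTime = 93; ProcessorQueueLength = 3
    AvailableMBytes = 512; AvgDiskQueueLength = 6; OutputQueueLength = 0
}
Test-CounterThresholds -Samples @($constructed) | Format-Table -AutoSize

# Live use, one sample from each lab server:
# Test-CounterThresholds -Samples (Get-ServerCounters -ComputerName 'NYC-DC1','NYC-SVR1')
```

Because the formatted classes return a single interval's value, run the live form repeatedly (or feed its output into a log) before acting on a breach; one sample is the same instantaneous reading that the queue-length topic warns against.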
You can use Microsoft Windows Reliability and Performance Monitor to examine
how programs you run affect your computer's performance, both in real time and
by collecting log data for later analysis.
Question: Which tools do you currently use to monitor servers? How can you
make use of improved monitoring tools in Windows Server 2008?

Reliability and Performance Monitor

Key Points
Performance Monitor provides a visual display of Windows performance objects
and counters, either in real time or as a review of historical data. Performance
Monitor features multiple graph views that you can use to review performance log
data. You can create custom views in Performance Monitor that you can export as
data collector sets for use with performance and logging features.
Question: What is a benefit to Data Collector Sets?

Reliability Monitor

Key Points
Reliability Monitor provides a system stability overview and trend analysis with
detailed information about individual events that may affect the overall stability of
the system.
Question: How can you use the Reliability Monitor in your organization?

Demonstration: Overview of the Reliability and
Performance Monitor

Key Points
Reliability and Performance Monitor resources view.
Performance Monitor overview.
Reliability Monitor overview.
Reports overview.

Question: Where can you find real-time information about network activity?
Question: Which Reliability Monitor reports will you implement in your work
environment?

Third-Party Monitoring Tools

Key Points
Third-party tools can help you monitor your server environment.
Hardware vendor tools are useful in detecting performance issues that occur
because of faulty hardware.
Many third-party tools integrate with System Center Operations Manager
(Operations Manager) 2007 to provide a centralized monitoring console for your
organization.
Question: Which third-party monitoring tools do you currently use, if any? How
can these help you monitor server performance in the future?

What Are Subscriptions?

Key Points
Event Viewer enables you to view events on a single remote computer. However,
troubleshooting an issue might require you to examine a set of events stored
in multiple logs on multiple computers. Event Viewer provides the ability to
collect copies of events from multiple remote computers, and store them locally.
To specify which events to collect, you create an event subscription. After a
subscription is active and events are being collected, you can view and manipulate
these forwarded events as you would any other locally stored events.
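The following added example (not course code) shows what the subscription described above looks like when it is created from the command line rather than in the Event Viewer wizard, using the Directory Service query that Lab B, Exercise 3 enters manually. The XML layout follows the sample subscription file in the wecutil documentation; the subscription name, description, file path and the source address are assumptions for the example. The source-side steps are listed as comments because they are run on the other computer; note that membership of the Event Log Readers group is enough for a collector to read a source's logs, which is a narrower grant than the Administrators membership the lab uses.

```powershell
# Added example, not part of the 6419A course material. Creates a
# collector-initiated subscription on NYC-SVR1 for the Directory Service
# errors selected by the lab's query. XML layout follows the wecutil sample;
# names, description and path are assumptions for the example.

# --- On the source (NYC-DC1): enable WinRM and let the collector's computer
# account read event logs. Event Log Readers is sufficient for forwarding.
#   winrm quickconfig -q
#   net localgroup "Event Log Readers" WOODGROVEBANK\NYC-SVR1$ /add

# --- On the collector (NYC-SVR1): start the Windows Event Collector service,
# write the subscription definition, register it and check its runtime status.
wecutil qc /q

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DirectoryServiceErrors</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Directory Service replication errors from NYC-DC1</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Directory Service">
        <Select Path="Directory Service">*[System[(Level=2 or Level=3)
          and (EventID=1308 or EventID=1864)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>NYC-DC1.WoodgroveBank.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@

$path = Join-Path $env:TEMP 'DirectoryServiceErrors.xml'
$subscription | Set-Content -Path $path -Encoding UTF8
wecutil cs $path                     # create-subscription from the file
wecutil gr DirectoryServiceErrors    # runtime status: confirms the source is connected
```

Forwarded events land in the ForwardedEvents log on the collector, where the Event Viewer filters and the custom views described in this lesson apply to them like any locally stored event.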
Question: Where would subscriptions be most useful in your organization?

Lesson 5
Planning Notification Methods

Your business will require you to react to various events to ensure that you
maintain SLAs. To meet SLAs, you must notify staff by using a range of methods to
take appropriate action to resolve problems. It may be necessary for staff to request
additional support to assist in troubleshooting some events.
Identifying Business Requirements

Key Points
Performance tuning is an ongoing exercise where you never achieve perfection.
You should ensure that your server operations run effectively and meet all of your
business SLAs.
You should always attempt to find the most cost-effective solution to a
performance bottleneck.
Question: What are your business's response times, and how does your business
make staff available to provide support?

Suitable Notification Methods

Key Points
You should react in a measured and appropriate manner to an event.
Some events will require staff to react immediately to ensure that they
maintain system availability.
Other events may require staff to perform investigative work in the form of
additional system checks to determine the cause of a problem and then to
provide a solution to improve system performance. These system checks
usually do not require an immediate e-mail response.
Notifications to server events should take into account the severity of the
problem.

Question: How do you notify staff of service failure or maintenance problems? In
what ways can you improve this process?
Establishing an Escalation Path

Key Points
To meet SLAs, you should ensure that you have a clear audit trail to follow when
you escalate performance issues.
Your SLAs should state the amount of time problems remain at various stages
during resolution. This helps you to provide an acceptable and mutually
agreed level of service to your organization.
Where it is not possible to resolve an issue in-house, you should notify the
relevant people because further delays are likely.

Question: What improvements can you make to the escalation paths for issues
within your business?

Lesson 6
Overview of Windows Server 2008
Management Tasks

To ensure that the server runs optimally, it is important to understand what
management tasks you must perform on your servers.
You must decide how frequently to run each management task, and ensure that the
frequency reflects both maintenance and business requirements.
Windows Server 2008 Maintenance Tasks

Key Points
Performing regular maintenance tasks will help facilitate optimal server availability.
Regular maintenance tasks involve ensuring your computer is up-to-date with
the latest operating system updates, including security updates. You will also
want to ensure that the latest security updates are installed for all
applications.
Monitoring performance, health and diagnostics on a regular basis will ensure
possible issues are caught early.
Troubleshooting tools, such as Event Viewer, are included with Windows
Server 2008. In addition, administrators can search the Microsoft TechNet
Web site, the Microsoft Web site, search engines, newsgroups, and blogs.

Question: List the monitoring tasks you perform at work most often.
Common Tasks for Different Server Roles

Key Points
Different server roles will necessitate different tasks. However, you will want to
perform some tasks for all types of servers, including reviewing system and
application event logs.
Question: Which event logs do you regularly review on your servers at work?

Frequency of Management Tasks

Key Points
To maximize administrator time while also providing adequate monitoring of
servers, you should follow guidelines for the frequency of management tasks.
Question: How often do you review server event logs?
Question: Do any of your servers have requirements that make scheduling
management tasks more difficult (such as 24x7 operations)?

Lesson 7
Automating Windows Server 2008
Maintenance

There are many advantages to automating aspects of your Windows Server 2008
management strategy.
Automating management tasks often saves time and can have a significant impact
on costs. However, there are many considerations to take into account that relate
to the methods, skills, software, and planning that you must perform before you
can deploy automation options.
Automation Requirements

Key Points
When you examine automation solutions for managing your server infrastructure,
you must consider several aspects that can provide benefits but may have hidden
restrictions or costs.
Question: Do you have any skills in scripting or in Windows PowerShell in your
organization?

Task Automation Tools

Key Points
Microsoft provides many tools that can simplify complex or repetitive tasks in
Windows Server 2008. Although some of these tools may require additional skills,
several of them are straightforward to implement and offer immediate benefits.
In addition, you may use various third-party tools that can perform monitoring and
alerting, deploy configuration changes, or perform audits to more easily manage
computers on your network.
Question: Do you currently use automation tools at work?
Question: In what ways can using automation tools benefit your organization?

Tool Selection Process

Key Points
When you choose tools to help you manage your infrastructure, you must consider
several factors to ensure that you make the right choice. You may need to select
several tools to ensure comprehensive coverage of all of your management
requirements.
Question: If you currently use some of these tools, why were they chosen?

Lab B: Configuring Windows Server 2008
Monitoring

Exercise 1: Configuring Data Collector Sets
Scenario
In this exercise, you will configure data collector sets to generate an alert.
The main task for this exercise is to generate an alert by using a data collector set.
Task 1: Generate an alert by using a data collector set
Create a user-defined data collector set and configure an alert to trigger when
the counter Process - % Processor Time reaches 95%.
The alert should log an event in the application event log.

Results: After this exercise, you should have configured a performance alert.

Exercise 2: Monitoring Extension Exercise
Scenario
In this exercise, you will create a data collector set to monitor a server that you
currently administer.
The main task for this exercise is to create a tailored data collector set.
Task 1: Create a tailored data collector set
Use the Reliability and Performance Monitor to create a data collector set for a
server in your organization.

Results: After this exercise, you should have identified performance counters that you
will need to collect from a server in your own organization.

Exercise 3: Automating Maintenance Tasks
Scenario
You decide that it will be easier to review the Directory Service log information
from a single, central location. You also want to produce a simple report about disk
space across several servers at the same time.
In this exercise, you will configure event forwarding for Directory Service events.
The main tasks for this exercise are as follows:
1. Forward Directory Service replication error messages to a central location.
2. Run a script to review disk space.
3. Close all virtual machines, and discard undo disks.

Task 1: Forward Directory Service replication error messages to a
central location
Log on to 6419A-NYC-DC1 by using the following information:
User name: woodgrovebank\administrator
Password: Pa$$w0rd
Add the computer NYC-SVR1 to the Administrators group in the
WoodgroveBank.com domain.
Log on to 6419A-NYC-SVR1 by using the following information:
User name: woodgrovebank\administrator
Password: Pa$$w0rd
Open Event Viewer.
Create a subscription to forward events from NYC-DC1 to NYC-SVR1 by
manually entering the query in the following code example:
<QueryList>
<Query Id="0" Path="Directory Service">
<Select Path="Directory Service">*[System[(Level=2 or Level=3)
and (EventID=1308 or EventID=1864)]]</Select>
</Query>
</QueryList>

Task 2: Run a script to review disk space
Open Notepad.
Enter the text in the following code example into Notepad:
# Servers to query, and the WMI DriveType value (3) for local fixed disks
$aryComputers = "NYC-DC1","NYC-SVR1"
Set-Variable -Name intDriveType -Value 3 -Option Constant

foreach ($strComputer in $aryComputers)
{
    "Hard drives on: " + $strComputer
    # List each server's fixed disks through WMI
    Get-WmiObject -Class Win32_LogicalDisk -ComputerName $strComputer |
        Where-Object { $_.DriveType -eq $intDriveType } | Format-Table
}
Save as C:\Users\Administrator.Woodgrovebank\Documents\DriveReport.ps1.
Start Windows PowerShell.
Turn on Windows PowerShell script execution by typing the following:
set-executionpolicy unrestricted.
Run the DriveReport.ps1 script that you created and review the results.
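The lab script lists every fixed disk and leaves the reading to the administrator. As an added example (not part of the lab), the block below extends the same Win32_LogicalDisk query into a report that computes free space per drive and flags drives below a threshold, so that a report across several servers becomes an exception list. Evaluation is separated from collection and is first run against constructed drive objects; the threshold and the sample sizes are assumptions for the example. Assumes PowerShell 3.0 or later.

```powershell
# Added example, not part of the 6419A lab script. Extends the DriveReport idea:
# computes free space per drive and flags any drive below a threshold.
# Threshold and constructed sample drives are assumptions for the example.

$script:MinFreePercent = 15

function ConvertTo-DriveReport {
    # Takes Win32_LogicalDisk-shaped objects (SystemName, DeviceID, Size, FreeSpace)
    # and returns one row per drive with sizes in GB and a low-space flag.
    param([object[]]$Drives, [int]$MinFreePercent = $script:MinFreePercent)
    foreach ($d in $Drives) {
        if (-not $d.Size) { continue }    # skip unreadable or empty volumes rather than divide by zero
        $freePct = [math]::Round(100 * $d.FreeSpace / $d.Size, 1)
        [pscustomobject]@{
            Server      = $d.SystemName
            Drive       = $d.DeviceID
            SizeGB      = [math]::Round($d.Size / 1GB, 1)
            FreeGB      = [math]::Round($d.FreeSpace / 1GB, 1)
            FreePercent = $freePct
            LowSpace    = $freePct -lt $MinFreePercent
        }
    }
}

function Get-DriveReport {
    # Live collection: fixed disks (DriveType 3) from each server, as in the lab script.
    param([string[]]$ComputerName)
    $drives = @()
    foreach ($c in $ComputerName) {
        $drives += Get-WmiObject -Class Win32_LogicalDisk -ComputerName $c -Filter "DriveType=3"
    }
    ConvertTo-DriveReport -Drives $drives
}

# Offline check with constructed drives: E: on NYC-SVR1 is at 5% free and should be the only flagged row.
$constructed = @(
    [pscustomobject]@{ SystemName = 'NYC-DC1';  DeviceID = 'C:'; Size = 40GB; FreeSpace = 22GB },
    [pscustomobject]@{ SystemName = 'NYC-SVR1'; DeviceID = 'C:'; Size = 40GB; FreeSpace = 9GB  },
    [pscustomobject]@{ SystemName = 'NYC-SVR1'; DeviceID = 'E:'; Size = 80GB; FreeSpace = 4GB  }
)
ConvertTo-DriveReport -Drives $constructed | Where-Object { $_.LowSpace } | Format-Table -AutoSize

# Live use against the lab servers:
# Get-DriveReport -ComputerName 'NYC-DC1','NYC-SVR1' | Format-Table -AutoSize
```

Keeping the threshold in one place and returning objects rather than formatted text lets the same function feed a scheduled task, an alert or a CSV export without changes, which is the point of automating the review rather than reading a table by eye.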

Results: After this exercise, you should have configured Event Log forwarding for
Active Directory directory service replication errors and run a script to review disk
space.

Task 3: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Module Review and Takeaways

Review Questions
1. What are the benefits of monitoring server performance?
2. What are some of the tasks that you should undertake when you create a
performance baseline for a server?
3. What are the advantages of using a range of monitoring tools?
4. What are the advantages of measuring specific performance counters?
5. What are the advantages of using alerts to identify performance issues?
Best Practices Related to Windows Server 2008 Performance
Monitoring
Supplement or modify the following best practices for your own work situations:
Create server baselines for each of your server roles.
Reuse data collector sets across servers.
Use a range of tools, including third-party tools, to monitor your server
infrastructure.

Managing Windows Server 2008 Backup and Restore 15-1
Module 15
Managing Windows Server 2008 Backup and
Restore
Contents:
Lesson 1: Planning Backups with Windows Server 2008 15-3
Lesson 2: Planning Backup Policy on Windows Server 2008 15-15
Lesson 3: Planning a Server Restore Policy 15-20
Lesson 4: Planning an EFS Restore Policy 15-29
Lesson 5: Troubleshooting Windows Server 2008 Startup 15-40
Lab A: Planning Windows Server 2008 Backup Policy 15-51
Lab B: Planning Windows Server 2008 Restore 15-58

Module Overview

Disaster recovery planning is a critical part of managing any server infrastructure.
This module examines the necessary planning for backup procedures to ensure
that you protect data and servers sufficiently against disasters.
By using the Microsoft Windows Server 2008 operating system, you can restore
data that was previously backed up to disk. You should plan your restore policy
based on the data that you have backed up from your backup strategy.
Restoring data is a riskier operation than backing up data because you can
overwrite and lose existing data through careless restore procedures. You should
only permit trusted administrators to perform restore operations; it is likely that
the restore operators are a subset of the backup operators, but in some
organizations, the backup and restore teams are separated.
You should use the knowledge that you gain from this module to improve your
Windows Server 2008 restore skills.
Lesson 1
Planning Backups with Windows Server 2008

This lesson examines the planning elements that are required to create a
successful, unobtrusive, and secure backup process. You can apply these
considerations when you are planning backup for various types of data on your
network. Typically, you will distribute backup tasks among various servers and
personnel in your environment.
Selecting Backup Software and Backup Operators

Key Points
When you plan your backup strategy, you must choose which backup software to
use and who should perform some of the required backup tasks.
You need to use backup software to back up the data and servers on your network.
You can choose the backup feature in the Windows Server 2008 operating system
or you can choose third-party backup software. Your choice depends on your
backup medium, how you intend to manage your backups across several servers,
and licensing costs, among other factors. For example, the Windows Server 2008
Backup feature has no additional licensing costs, but it does not support tape
backups.
The Windows Server 2008 Backup feature also supports command-line use
through the Wbadmin.exe command. This is useful for scripting or for performing
specific backups such as a system state backup. Note that system state backup is
available only from the command line; it is not available in the Windows Server
Backup snap-in user interface, and you cannot configure a scheduled backup to
create system state backups. However, you can script the wbadmin start
systemstatebackup command to run backups on a schedule.
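The scripted, scheduled system state backup that this paragraph describes, as an added PowerShell example that is not part of the course material. It assumes a backup target volume of E:, a log file under C:\BackupLogs, and that the script is saved (in a path without spaces) as C:\Scripts\SystemStateBackup.ps1; the wbadmin and schtasks switches are the standard Windows Server 2008 ones.

```powershell
# Added example (not course material): run "wbadmin start systemstatebackup"
# unattended, record the outcome in a log that the backup administrator reviews,
# and register the script as a daily scheduled task.
# Assumed values: target volume E:, log file C:\BackupLogs\SystemState.log,
# script path C:\Scripts\SystemStateBackup.ps1. Run from an elevated prompt.
param(
    [string]$BackupTarget = "E:",
    [string]$LogFile      = "C:\BackupLogs\SystemState.log",
    [switch]$Register
)

function Write-BackupLog([string]$Message) {
    $dir = Split-Path -Parent $LogFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Add-Content -Path $LogFile -Value "$stamp $Message"
}

function Invoke-SystemStateBackup([string]$Target) {
    Write-BackupLog "START  system state backup to $Target"
    # -quiet suppresses the confirmation prompt so the job can run from Task Scheduler.
    & wbadmin.exe start systemstatebackup "-backupTarget:$Target" -quiet
    $rc = $LASTEXITCODE
    if ($rc -eq 0) {
        Write-BackupLog "OK     system state backup to $Target"
    } else {
        # A non-zero exit code is the failure signal; never assume the job worked
        # just because the scheduled task ran.
        Write-BackupLog "FAILED system state backup to $Target (wbadmin exit code $rc)"
    }
    return $rc
}

function Register-SystemStateBackupTask([string]$ScriptPath, [string]$StartTime) {
    # schtasks.exe is the command-line front end to Task Scheduler. The task runs
    # as SYSTEM with the highest run level because system state backup needs it.
    # powershell.exe joins everything after -Command, so the path must not contain
    # spaces (this avoids nested double quotes in the /TR argument).
    $action = "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -Command & '$ScriptPath'"
    & schtasks.exe /Create /TN "SystemStateBackup" /TR $action /SC DAILY /ST $StartTime /RU SYSTEM /RL HIGHEST /F
    return $LASTEXITCODE
}

function Get-FailedBackups([string]$Path) {
    # Quick review of the log: every FAILED line needs follow-up before anyone
    # relies on that backup for a restore.
    if (-not (Test-Path $Path)) { return @() }
    return @(Get-Content $Path | Where-Object { $_ -match " FAILED " })
}

if ($Register) {
    exit (Register-SystemStateBackupTask "C:\Scripts\SystemStateBackup.ps1" "02:00")
}
$rc = Invoke-SystemStateBackup $BackupTarget
Get-FailedBackups $LogFile | ForEach-Object { Write-Warning $_ }
exit $rc
```

Run the script once with -Register to create the 02:00 daily task; thereafter each run appends one START line and one OK or FAILED line to the log.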
You may also have special requirements, such as databases, that you must regularly
back up. A database backup may require special software or tools to perform the
backup.
In addition, you must select staff members who should perform the backup tasks.
You must ensure that whoever is administering the backup process checks that
backups complete successfully and that they are aware of backup failures.
Question: What backup software or solutions do you currently use?

Process for Planning Backup in Windows Server 2008

Key Points
When you plan your backup strategy, you must plan the elements that are listed in
the following table.
Plan element: List the data to back up
Details: You must identify all data that requires backup so that you can restore
your data and systems in the event of a disaster. You must also identify the
quantity of data (which, in Windows Server 2008, means which volumes to back up)
so that you can choose an appropriate storage medium and estimate how long a
backup or restore operation requires.

Plan element: Create a backup schedule
Details: You must plan how frequently and at what times servers perform
automated backup tasks.

Plan element: Choose a backup type
Details: Based on the frequency and the time that is taken to perform a backup
and a restore operation, you may also need to select a backup type. Your backup
software (for example, SQL Server 2008) may enable you to choose from the
following backup types:
Full or Normal
Incremental
Differential
The Windows Server 2008 Backup feature performs one scheduled full backup
followed by scheduled incremental backups by using the Volume Shadow Copy
Service (VSS).

Plan element: Choose the backup medium
Details: Based on your backup software, the size of backups, and the time to
restore data, you should choose an appropriate backup medium. Backup media
include:
Tape (not available with Windows Server 2008 Backup)
Removable hard disk
DVD
Shared folder
Tape is available in various formats, supporting various data rates and storage
capacities. If you back up to tape, you should ensure that the tape format that
you use is appropriate to the quantity of data that you are backing up.
The Windows Server 2008 Backup feature does not support backing up to tape.
Removable disks and shared folders are the only supported storage media.
Consider the length of time that you require to retain backups to restore data.
Should you be able to restore data from one month ago, six months ago, 12 months
ago, or longer?
You must also consider the storage location of your backup media. Tapes are
susceptible to magnetic fields and heat, so they should be stored away from these
environmental factors.
The Windows Server Backup feature in Windows Server 2008 consists of an MMC
snap-in and command-line tools that provide a complete solution for your day-to-
day backup and recovery needs. You can use four wizards to guide you through
running backups and recoveries. You can use Windows Server Backup to back up
a full server (all volumes), selected volumes, or the system state. This differs from
the more granular selection process in Windows Server 2003 and may change
the way you perform backups. You can, however, still recover volumes, folders,
files, certain applications, and the system state.
In case of disasters such as hard disk failures, you can perform a system recovery
by using a full server backup and the Windows Recovery Environment; this will
restore your complete system onto the new hard disk.
You may wish to create a system state backup of the machine before you make
critical changes to the machine or to Active Directory. The ability to take just a
system state backup is not exposed in the Windows Server Backup graphical
interface. If you wish to take just a system state backup, you must use the
wbadmin.exe command-line utility.
Question: What types of data do you regularly back up at work?

Creating a Backup Schedule

Key Points
When you create a backup schedule, you should consider the following factors:
How often does the data change? You may want to back up data that changes
frequently more often so that you can restore as much information as possible,
and back up data that changes rarely less often to reduce storage requirements
and administrative overhead.
What is the cost to re-create the data? This cost should have an impact on how
frequently you back up data and the storage medium that you use to perform
backups. The storage medium has a large effect on the time that a backup takes.
How long is the backup window? Certain types of backup take longer than other
types. For example, a full backup takes longer than an incremental backup, but an
incremental backup backs up only changes to data. You should choose the type
and frequency of backup based on how long you want the backup operation to
take. Backup operations use server resources, so you typically schedule them for
hours outside normal business hours. However, you may have other tasks, such as
automated maintenance on the server, or you may have global users, so the server
is accessed for extended hours throughout the day.
How often is a trial restore performed? You should periodically perform a trial
restore on your backups to ensure that the backup is accessible and the data is
recoverable. This is an essential part of disaster recovery planning and you should
not ignore it.
How long does a restore take? Restoring large amounts of data can take hours or
days, depending on the amount of data that was lost and the speed of the backup
media. You can back up different types of data in different ways or by using
different media so that you can restore the most important data more quickly. This
can be particularly useful when you are planning for disasters that involve the loss
of one or more servers or if you have service-level agreement (SLA) requirements to
meet.
You should typically automate the backup task by creating a scheduled backup job
in your backup software or by using task scheduling in Windows Server 2008.
Question: How frequently do you currently perform backups?
Question: Do you have different backup schedules for different data?

Creating the Data Retention Plan

Key Points
How long must you keep data? Must you keep data for legal compliance, such as
Sarbanes-Oxley, or for business requirements such as the ability to audit all
projects during the previous five years?
Where should you archive data? Do users require access to archived data regularly,
which may require keeping the data on a server, or can the data be archived to a
static medium such as optical or tape storage? For static media archival, you must
consider that media such as DVD or tape has a finite lifetime for storing data.
What is the cost of data storage? Different storage mechanisms and media have
different costs associated with them. If you keep your data archive on your
corporate storage area network (SAN), this has a relatively high cost per megabyte
(MB). If you keep archived data on a server hard disk, it has a lower cost per MB,
and data that is stored on tape has a very low cost per MB. Ease of access runs in
the opposite direction, so you must balance the cost of storage against the ease of
access to the data. Typically, you move older data to cheaper storage media.
What software tools can assist data retention? Your backup software or additional
tools may have data-retention capabilities, or you could invest in software to assist
data retention in your organization. Consider tools such as Microsoft System
Center Data Protection Manager, which can offer backup capabilities and options
to archive older data to media such as tape instead of hard disk.
Question: What is your current data retention plan?
Question: Do you have any legal data retention requirements to fulfill?

Backing Up Encrypted Files and Virtual Machines

Key Points
Planning backups for encrypted files must include consideration for correctly
backing up and recovering the files and for backing up and recovering the
encryption keys.
Encrypting File System (EFS) is a powerful tool for encrypting files and folders on
client computers and remote file servers. It enables users to protect their data from
unauthorized access by other users or external attackers.
Backing up Hyper-V
Although not technically a backup, a virtual machine (VM) snapshot provides a
point in time to which you can revert by using differencing disks and a copy of
the VM configuration file.
Although one exciting benefit of server virtualization is the prospect of no longer
having to individually back up the virtualized systems, simply backing up the
virtual machine files is not sufficient. Because these are live computers consisting
of in-memory data, data on disk, system configurations, and open files, there are
other things to consider.
Question: Do your users currently use Encrypting File System (EFS)?

Lesson 2
Planning Backup Policy on Windows
Server 2008

In addition to deciding on backup strategy for various types of data on your
network, you must also examine some wider issues when you plan your overall
backup policy.
This lesson examines some of the additional considerations that you must take
into account when you create your backup policy.
Factors That Affect Backup Policy

Key Points
Factor: Service-level agreements
Details: If your information technology (IT) department has agreed on SLAs or
intends to create SLAs for data or server availability, you must include
consideration of backup and restore processes in your SLA. An SLA should specify
the data or servers to which it refers, and it should identify acceptable periods of
unavailability. It is important that the time that is taken to perform a restore
operation does not exceed the SLA; if it does, the SLA is redundant.

Factor: Cost
Details: When you plan your backup policy, you must consider the cost of your
backup solution. Costs for your backup solutions can include hardware, software,
and media. You should carefully consider cost with respect to backup and restore
times, and the required storage quantities. Larger storage capacities or faster
storage media are more expensive, but you may require these for specific data
types in your organization, such as database backups.
When you plan for increases in data storage, you should include any necessary
increase in backup costs that are required to maintain your backup schedule.

Factor: Bandwidth
Details: If you back up to a different physical location, such as a secure off-site
storage provider or a dedicated disaster recovery site, you must consider
bandwidth requirements. The available bandwidth for these backups directly
impacts the time that is taken to perform a backup and restore operation and,
unless fast links are available, you would typically use these as additional
protection if a physical or environmental disaster occurs at your primary location.
You might also consider using Distributed File System (DFS) replication to enable
backup at another location. If you have branch offices, you can decide to perform
all regular file-based backups from your main office by replicating content to the
main office and then performing the backup.

Factor: Personnel
Details: You should also consider who can perform backup tasks. This includes
physical tasks such as loading or changing tape libraries, and system tasks such
as performing backups or changing backup schedules.

Question: Does your information technology (IT) department fulfill any service-
level agreements (SLAs)?
Question: Do you back up any data over the network?

Storage and Security Considerations

Key Points
Security considerations for your data backups are an important part of your overall
security strategy. Physical security is particularly important with backup storage
media, at both on-site and off-site locations.
Question: Who currently has access to backup media at your organization?

Process for Selecting Backup Operators

Key Points
When you plan who should perform key backup and restore tasks in your
organization, consider whether the backup and restore roles should be separated
for security purposes.
Training is also important for individuals to understand the effect of backup and
restore on data and related systems.
Question: Who performs backup and restore tasks in your organization?
Question: Are backup and restore roles separated in your organization?

Lesson 3
Planning a Server Restore Policy

This lesson will discuss the requirements for a restore policy on Windows Server
2008. Your restore policy should not be a static document that you write once and
archive. You should regularly update your server restore policy by reviewing the
results of trial and real restore operations.
Considerations for a Server Restore

Key Points
Total server failure may require data recovery from an off-site location.
You should determine whether a single file or application data requires restoring.
You should consider the potential impact that a failed restore could have on your
organization.
Question: Who determines the restore procedures during data and server loss
incidents within your organization?
Question: What process do you follow to ensure that you only restore valid data
and that no data is lost during the restore process?

Impact of a Server Restore

Key Points
Perform a brief business impact analysis before you restore data to determine the
possible number of users who are impacted by the restore of data.
Consider the effect on service-level agreements (SLAs) that the restore of data will
have.
Question: How can you improve the change management process for restoring
data in your organization?

Improving the Backup Plan

Key Points
You should continually strive to improve your backup plan after you have
identified areas for improvement from unsuccessful restores.
You should regularly review your backup policy by performing a trial restore of
data.
Question: What improvements can you make to your backup plans?
Question: What improvements can you make to your disaster recovery plans?

Change Management Considerations

Key Points
Data restore may require emergency changes to meet SLAs.
You can empower users to recover their own data by using earlier versions.
The Volume Shadow Copy Service (VSS) captures and copies stable images for
backup on running systems, particularly servers, without unduly degrading the
performance and stability of the services they provide.
Question: How do you ensure that restored data does not overwrite newer data in
your organization?

Restore Logs

Key Points
You should review backup log files after each backup. Some backups will fail; you
should ensure that the backups are complete and useable for restore.
After you have restored data, you should verify that the restoration of all files has
been successful by reviewing the associated log files.
Question: How frequently are the backup logs reviewed and trial restores
performed to ensure that the backups have worked as expected in your
organization?

Restore Options

Key Points
You should verify that access to restored data is only available to authorized users.
You should consider whether to restore data to an alternate location or to
overwrite existing files.
Question: What is the process in your organization for checking access to restored
data?

Security Analysis

Key Points
You should use the built-in group Backup Operators to enable users to back up
and restore files and folders.
If users only require the right to back up files, you should not place them in the
Backup Operators group, because this would grant users additional rights to
restore files.
Question: Who can restore files in your organization?
Question: Must you review membership of the Administrators and Backup
Operators groups?
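The membership review that the questions above ask for, as an added PowerShell example that is not part of the course material. It compares the local Administrators and Backup Operators groups against an approved list so that accounts which only need to back up data are not left with the restore rights that Backup Operators grants; the CONTOSO account names are constructed placeholders.

```powershell
# Added example (not course material): compare the members of the local
# Administrators and Backup Operators groups against an approved list. Any member
# not on the list is reported for review. The approved names are placeholders.
$Approved = @{
    "Administrators"   = @("CONTOSO\Domain Admins", "Administrator")
    "Backup Operators" = @("CONTOSO\Backup Team")
}

function Get-LocalGroupMembers([string]$GroupName) {
    # Reads group membership through the WinNT ADSI provider, which works on a
    # member server or standalone computer without additional modules.
    $group = [ADSI]("WinNT://./" + $GroupName + ",group")
    $members = @()
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        $adsPath = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/Name, or WinNT://COMPUTER/Name for local accounts.
        $name = $adsPath -replace "^WinNT://", ""
        $name = $name -replace "/", "\"
        $members += $name
    }
    return $members
}

function Get-UnapprovedMembers([string]$GroupName, [string[]]$ApprovedList) {
    $unapproved = @()
    foreach ($member in @(Get-LocalGroupMembers $GroupName)) {
        # Local accounts come back as COMPUTER\Name; also compare on the part after
        # the backslash so the approved list need not repeat the computer name.
        $short = $member.Split("\")[-1]
        if (($ApprovedList -notcontains $member) -and ($ApprovedList -notcontains $short)) {
            $unapproved += $member
        }
    }
    return $unapproved
}

foreach ($groupName in $Approved.Keys) {
    $extra = @(Get-UnapprovedMembers $groupName $Approved[$groupName])
    if ($extra.Count -eq 0) {
        Write-Host "$groupName : membership matches the approved list"
    } else {
        foreach ($e in $extra) { Write-Warning "$groupName : unapproved member $e" }
    }
}
```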

Updating Backup Policy

Key Points
You should review, improve, and update all of your policies and working practices
to ensure that you continue to meet the requirements of your business.
By increasing the frequency of backups, you can provide access to recent changes
in documents for users.
Windows Server 2008 simplifies scheduling backup tasks by using VSS. This
improved backup enables users to restore files without resorting to assistance from
the IT team.
Question: How often do you update the backup and restore policy in your
organization? Can you identify areas of your current policies that require updating?

Lesson 4
Planning an EFS Restore Policy

By encrypting data, you secure it so that only the data owners can access the files.
This may lead to difficulties when you restore data because user encryption keys
are stored separately from the files.
Because there is no way to recover data that has been encrypted with a corrupted
or missing certificate, it is critical that you back up the certificates that store the
encryption keys and keep them in a secure location. You can also specify a
recovery agent that can restore the data; the recovery agent's certificate serves a
different purpose than the user's certificate.
This lesson will discuss the requirements for restoring encrypted data by using the
Encrypting File System (EFS) on Windows Server 2008. It is beyond the scope of
this course to detail the recovery of file encryption keys.
Considerations When Restoring EFS Data

Key Points
You should ensure that you can recover encryption keys and data as part of your
recovery strategy.
When you restore data, you should ensure that the restored file is matched with
the same key that was used to encrypt it.
You should have a documented and tested procedure to restore user encryption
keys.
Question: What steps must you take to ensure that you can recover EFS keys and
data?

Requirements for EFS Recovery

Key Points
There are many configurations and recovery options for EFS.
You can recover keys from Active Directory or from backups, or you can recover
the data by using data recovery agents. You should also consider that if an
organization does not centralize key storage in Active Directory, recovery keys
may be stored on multiple servers and workstations throughout the organization.
By using a recovery agent, you can ensure that data is recoverable in the event of
loss of the original user encryption keys.
In a secure environment where only the user who is encrypting a file may decrypt
it, your options for file and encryption key recovery may be limited to only the user
owning the file if the data recovery agent (DRA) keys are intentionally deleted. This
makes the file more secure by limiting access to only the user who is encrypting
the file; however, the tradeoff is that you can only ever recover the file by using the
original encryption key.
You can use Group Policy settings to configure EFS across your organization.
You should consider the use of smart cards and storing keys on these cards as part
of your EFS strategy.
Question: What planning documentation is there in your organization for EFS?
How can you ensure that this documentation is updated and modified?

Preparing to Recover EFS Files

Key Points
Configure Windows Enterprise Certification Authority
The first step is to configure your computer running Windows Server 2008
Enterprise Edition to be an enterprise certification authority (CA). The CA is
responsible for issuing digital certificates that provide S/MIME functionality. To
configure your enterprise CA, you will need to:
Install and configure Active Directory Domain Services (AD DS).
Install and configure Active Directory Certificate Services (AD CS).

After you complete these steps, your Windows Server 2008 enterprise CA will be
configured to issue digital certificates.
Certificate Templates
The Encrypting File System (EFS) is a feature of Windows Server 2008 that allows
users to encrypt data directly on volumes that use the NTFS file system. It operates
by using certificates based on the X.509 standard. If no certification authority (CA)
is available from which to request certificates, the EFS subsystem automatically
generates its own self-signed certificates for users and default recovery agents.
There are several circumstances in which an organization may want to implement
certification authorities instead of allowing EFS to generate its own self-signed
certificates.
Certificate Auto-enrollment Policy
Using the autoenrollment feature, organizations can manage the certificate lifecycle
for users, which includes:
Certificate renewal
Superseding of certificates
Multiple signature requirements

Certificate autoenrollment is based on the combination of Group Policy settings
and version 2 certificate templates. This combination allows the Microsoft
Windows XP Professional, Windows Vista, or Windows Server 2008 client to
enroll users when they log on to their domain, or a machine when it boots, and
keeps them periodically updated between these events.
Automatic enrollment of user certificates provides a quick and simple way to issue
certificates to users and to enable public key infrastructure (PKI) applications, such
as smart card logon, Encrypting File System (EFS), Secure Sockets Layer (SSL),
Secure/Multipurpose Internet Mail Extensions (S/MIME), and others, within an
Active Directory directory service environment. User autoenrollment minimizes the
high cost of normal PKI deployments and reduces the total cost of ownership
(TCO) for a PKI implementation when Windows XP Professional or Windows
Vista clients are configured to use Active Directory.
Question: Who in your organization is in charge of creating and configuring
certification authority?

Managing the Recovery Agent

Key Points
To designate a user as an additional recovery agent using the Add Recovery
Agent Wizard, click Add Data Recovery Agent.
To allow EFS to work without recovery agents, point to All Tasks and then
click Do Not Require Data Recovery Agents.
To delete this EFS policy and every recovery agent, point to All Tasks and then
click Delete Policy. If you select this option, users can still encrypt files on this
computer. Note that this option will not appear unless there is an EFS policy
on the computer.


Important: Before changing the recovery policy in any way, you should first back up the
recovery keys to a floppy disk.
Notes
To perform this procedure, you must be a member of the Administrators
group on the local computer, or you must have been delegated the appropriate
authority. If the computer is joined to a domain, members of the Domain
Admins group might be able to perform this procedure. As a security best
practice, consider using Run as to perform this procedure.
There is no default recovery agent on a standalone computer. A file recovery
certificate can be created by running cipher.exe /r, and the Add Data Recovery
Agent option can be used to import this certificate into the EFS policy. For
more information on cipher.exe, see Related Topics.
You can make changes to the File Recovery certificate by right-clicking the
certificate and then clicking Properties. For example, you can give the
certificate a friendly name and enter a text description.

Process for Exporting and Deleting Private Key
The first domain controller in a domain contains the built-in Administrator profile
that contains the public certificate and the private key for the default recovery
agent of the domain. The public certificate is imported to the Default Domain
Policy and is applied to domain clients by using Group Policy. If the Administrator
profile or if the first domain controller is no longer available, the private key that is
used to decrypt the encrypted files is lost, and files cannot be recovered through
that recovery agent.
To locate the Encrypted Data Recovery policy, open the Default Domain Policy in
the Group Policy Object Editor snap-in, expand Computer Configuration, expand
Windows Settings, expand Security Settings, and then expand Public Key Policies.
If you click to select the Delete the private key if the export is successful check box,
the private key is removed from the domain controller. As a best practice, we
recommend that you use this option. Install the recovery agent's private key only in
situations when you need it to recover files. At all other times, export, and then
store the recovery agent's private key offline to help maintain its security.
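The export-and-verify step of the procedure above, and the certificate backup that the lesson introduction calls critical, as an added PowerShell example that is not part of the course material. It finds the EFS and File Recovery certificates in the current user's personal store, exports each with its private key to a password-protected PFX, and re-imports the file to confirm the private key survived the export; it assumes E:\EFSKeys is the removable medium that will be stored offline, and it leaves the deletion of the private key to the wizard as the text describes.

```powershell
# Added example (not course material): export the EFS and File Recovery (DRA)
# certificates with their private keys to PFX files and verify each export
# before the private key is removed from the computer through the wizard.
# Assumed values: export folder E:\EFSKeys (removable media); the OIDs are the
# standard EFS and File Recovery enhanced key usages.
$EfsEku          = "1.3.6.1.4.1.311.10.3.4"    # Encrypting File System
$FileRecoveryEku = "1.3.6.1.4.1.311.10.3.4.1"  # File Recovery (data recovery agent)
$ExportFolder    = "E:\EFSKeys"

function Get-EfsCertificates {
    # Returns certificates from CurrentUser\My that carry an EFS or File Recovery
    # EKU and still have a private key; only these need backing up here.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $found = @()
    foreach ($cert in $store.Certificates) {
        if (-not $cert.HasPrivateKey) { continue }
        foreach ($ext in $cert.Extensions) {
            if ($ext -isnot [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) { continue }
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsEku)          { $found += $cert; break }
                if ($oid.Value -eq $FileRecoveryEku) { $found += $cert; break }
            }
        }
    }
    $store.Close()
    return $found
}

function Get-CertificateRole($Cert) {
    # Distinguishes the recovery agent certificate from an ordinary user EFS one.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $FileRecoveryEku) { return "File Recovery (DRA)" }
            }
        }
    }
    return "EFS user"
}

function Export-EfsCertificate($Cert, [string]$Folder, [System.Security.SecureString]$Password) {
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $path = Join-Path $Folder ($Cert.Thumbprint + ".pfx")
    # Export fails if the key was generated non-exportable; keys that EFS itself
    # generates, and DRA keys created with cipher /r, are exportable.
    $bytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($path, $bytes)
    return $path
}

function Test-PfxExport([string]$Path, [System.Security.SecureString]$Password) {
    # Re-load the PFX and confirm it carries the private key; an export that
    # cannot be re-imported is worthless as a recovery backup.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $check.Import($Path, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
    return $check.HasPrivateKey
}

$password = Read-Host "PFX password" -AsSecureString
foreach ($cert in @(Get-EfsCertificates)) {
    $role = Get-CertificateRole $cert
    $pfx  = Export-EfsCertificate $cert $ExportFolder $password
    if (Test-PfxExport $pfx $password) {
        Write-Host ("Exported {0} certificate {1} ({2}) to {3}" -f $role, $cert.Subject, $cert.Thumbprint, $pfx)
    } else {
        Write-Warning ("Export of {0} could not be verified; do not delete its private key" -f $cert.Thumbprint)
    }
}
```

Run it in the profile that holds the recovery agent's key (on the first domain controller, the built-in Administrator profile) before selecting "Delete the private key if the export is successful" in the wizard.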

Note: We strongly recommend that you click to select the Enable strong protection
(requires IE 5.0, NT 4.0 SP4 or above) check box to protect your private key from
unauthorized access.

Note: We recommend that you back up the file to a disk or to a removable media
device, and then store the backup in a location where you can confirm the physical
security of the backup.
Question: List at least one example of how your organization can use the Recovery
Agent to access EFS files during a disaster recovery scenario.

Recovering EFS Files

Key Points
Data Recovery Best Practices
In general, the best practice for organizations to follow regarding data recovery is
to deploy a public key infrastructure (PKI) to issue certificates to users and data
recovery agents that are issued from a certification authority (CA). The Microsoft
Enterprise Certification Authority makes it easy for users to automatically get
certificates for use by EFS.
Other best practices include:
Using more than one DRA per domain, and storing the actual private keys for the
DRAs on a medium (floppy disk, CD-ROM, etc.) that can be secured and retrieved
only when appropriate security policies and practices have been followed. DRAs
may be defined at the site, domain or OU like any other Group Policy, and may be
combined as an aggregate policy based on the organization of Active Directory.
Question: Who in your organization has the proper DRA privileges to open EFS
encrypted files?
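A practical way to answer that question for a given share is to ask each encrypted file which recovery certificates can open it. The following PowerShell script is an added example, not course material: it wraps cipher /c, which lists the users and recovery certificates able to decrypt an EFS file, and reports every encrypted file under a share whose recovery certificate list does not include the DRA thumbprint you expect. The share path E:\HR and the thumbprint placeholder are assumptions, and the parsing relies on the "Recovery Certificates:" and "Certificate thumbprint:" lines that cipher prints on Windows Server 2008.

```powershell
# Added example: audit which recovery agents can open the EFS files on a share.
# Assumptions (not from the course): share root E:\HR; replace the placeholder
# with the thumbprint of the DRA certificate your recovery policy defines.

$ShareRoot   = 'E:\HR'
$ExpectedDra = 'PLACEHOLDER_DRA_THUMBPRINT'    # DRA certificate thumbprint, no spaces

function Get-EfsRecoveryAgents {
    param([string]$FilePath)
    # Return the thumbprints that "cipher /c" lists under "Recovery Certificates:".
    # cipher prints each section as a "Header:" line followed by indented lines,
    # with thumbprints as space-separated hex groups on a "Certificate thumbprint:" line.
    $inRecovery = $false
    $thumbs = @()
    foreach ($line in (& cipher.exe /c $FilePath 2>&1)) {
        $t = "$line".Trim()
        if ($t -match '^[A-Za-z ]+:$') { $inRecovery = ($t -eq 'Recovery Certificates:'); continue }
        if ($inRecovery -and $t -match '^Certificate thumbprint:\s*(.+)$') {
            $thumbs += ($matches[1] -replace '\s', '').ToUpper()
        }
    }
    $thumbs
}

function Test-EfsRecoveryCoverage {
    param([string]$Root, [string]$DraThumbprint)
    # Only files with the Encrypted attribute are examined.
    $encrypted = Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0) }
    foreach ($file in $encrypted) {
        $agents = @(Get-EfsRecoveryAgents -FilePath $file.FullName)
        New-Object PSObject -Property @{
            File           = $file.FullName
            RecoveryAgents = ($agents -join ';')
            CoveredByDra   = ($agents -contains $DraThumbprint.ToUpper())
        }
    }
}

$report    = @(Test-EfsRecoveryCoverage -Root $ShareRoot -DraThumbprint $ExpectedDra)
$report | Select-Object File, CoveredByDra, RecoveryAgents | Format-Table -AutoSize -Wrap
$uncovered = @($report | Where-Object { -not $_.CoveredByDra })
"{0} encrypted file(s) found; {1} cannot be opened with the expected DRA" -f $report.Count, $uncovered.Count
```

Files that show an old or missing recovery certificate are typically ones encrypted before the current recovery policy was applied; opening and saving them (or running cipher /u) updates their recovery field, which is the check to run before relying on a DRA in a disaster recovery scenario.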

Lesson 5
Troubleshooting Windows Server 2008 Startup

Key Points
Sometimes a problem can arise that will prevent Windows from starting properly.
This lesson discusses the common causes of startup problems, reviews the startup
processes that may be affected, and explores the troubleshooting techniques that
you can use depending on when the failure occurs.
Common Causes of Startup Problems

Key Points
Diagnosing and correcting hardware and software problems that affect the startup
process requires different tools and techniques than troubleshooting problems that
occur after the system has started, because the person troubleshooting the startup
problem does not have access to the full suite of Microsoft Windows Server 2008
troubleshooting tools. Resolving startup issues requires a clear understanding of
the startup process and core operating system components, as well as the tools
used to isolate and resolve problems.
Startup failure can result from a variety of problems, such as user error, driver
problems, application faults, hardware failures, disk or file corruption, system
misconfiguration, or virus activity. If the condition is serious enough, you might
need to reinstall Windows.
Question: Can you think of situations where you had to troubleshoot a Windows
startup problem and if so how did you resolve it?
Reviewing Startup Processes

Key Points
The above startup sequence applies to systems started or restarted after a normal
shutdown.
The detect and configure hardware phase detects and configures only hardware
necessary to start the kernel loading phase, including system buses, hard disks,
input devices, and parallel ports. Remaining hardware devices are configured
during the kernel loading phase.
Question: During startup, in which of these phases is system memory checked?

Being Prepared for Startup Failures

Key Points
Being prepared for a server failure means being able to recover the server
quickly in the event of a disaster. On a computer running Windows Server 2008,
you can use the following to perform recovery tasks:
Recovery Wizard. This wizard helps you recover files and folders, applications,
and volumes.
Catalog Recovery Wizard. This wizard helps you recover the backup catalog. This
wizard is only available if your backup catalog has become corrupted.
A Windows Setup disc and a backup created with Windows Server Backup.
This method helps you recover your operating system or full server.
You can also perform recoveries using the Wbadmin start recovery, Wbadmin
start systemstaterecovery, and Wbadmin restore catalog commands.
Additional preventive measures should be taken to ensure server health and
availability, including:
Protecting the operating system with current Windows Updates and antivirus
signatures
Following vendor recommendations for hardware maintenance
Familiarizing yourself with advanced boot options (F8 on startup):
Safe Mode
Last Known Good Configuration
Boot Logging

References: Windows Server 2008 Help: Recover the Operating System
Troubleshooting Startup Before the Windows Logo
Appears

Key Points
Use this flow chart to see how to troubleshoot startup problems that occur before
the Windows Server 2008 logo appears.
In earlier versions of Windows, a file called boot.ini contained information about
the Windows operating systems installed on the computer. This information was
displayed during the startup process when you turned on your computer. It was
most useful in multiboot configurations, or for advanced users or administrators
who needed to customize how Windows started.
In Windows Server 2008, the boot.ini file has been replaced with Boot
Configuration Data (BCD). This file is more versatile than boot.ini, and it can apply
to computer platforms that use means other than basic input/output system
(BIOS) to start the computer.
Question: Based on this flowchart, what would you say are the most common
causes of Windows failing to start before the Windows logo appears?
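Because BCD is a store rather than an editable text file, the first thing to do before changing any startup setting is to take a copy of it. The following PowerShell script is an added example (not from the course): it exports the system BCD store with bcdedit /export, which bcdedit /import can restore, and then lists the OS loader entries so you can see which volume, description and loader path each boot entry points at. The backup folder C:\BCDBackup is an assumption; run it from an elevated prompt.

```powershell
# Added example: back up the BCD store and list its OS loader entries.
# Assumption (not from the course): backups go to C:\BCDBackup.

$BackupDir = 'C:\BCDBackup'

function Backup-BcdStore {
    param([string]$Directory)
    if (-not (Test-Path $Directory)) { New-Item -ItemType Directory -Path $Directory | Out-Null }
    $target = Join-Path $Directory ('bcd-' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak')
    # bcdedit /export writes a copy of the system store; bcdedit /import puts it back.
    & bcdedit.exe /export $target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /export failed with exit code $LASTEXITCODE" }
    $target
}

function Get-BcdOsLoaders {
    # Parse "bcdedit /enum osloader" into objects. bcdedit prints each entry as
    # "name<two or more spaces>value" lines, with a blank line between entries;
    # the "Windows Boot Loader" title and dashed rule do not match the pair pattern.
    $entries = @()
    $current = @{}
    foreach ($line in (& bcdedit.exe /enum osloader)) {
        if ($line -match '^\s*$') {
            if ($current.Count -gt 0) { $entries += New-Object PSObject -Property $current; $current = @{} }
            continue
        }
        if ($line -match '^(\S+)\s{2,}(.+)$') { $current[$matches[1]] = $matches[2].Trim() }
    }
    if ($current.Count -gt 0) { $entries += New-Object PSObject -Property $current }
    $entries | Select-Object identifier, description, device, osdevice, path
}

$backup = Backup-BcdStore -Directory $BackupDir
"BCD store exported to $backup"
Get-BcdOsLoaders | Format-Table -AutoSize
```

An entry whose device or osdevice shows "unknown" rather than a partition, or whose path does not point at \Windows\system32\winload.exe, is the kind of mismatch that produces a failure before the Windows logo; the exported copy lets you revert any bcdedit change that does not help.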
Troubleshooting Startup After the Windows Logo Appears

Key Points
If your computer displays the graphical Windows Server 2008 logo before
failing, use the process illustrated here to identify and disable the failing software
component to allow Windows to start successfully. Once Windows starts, you can
perform further troubleshooting to resolve the problem with the component if
necessary.
If the startup problem occurs immediately after updating or installing a startup
application, try troubleshooting the startup application.
When you are troubleshooting, the method for determining which services and
processes to temporarily disable varies from one computer to the next. The most
reliable way to determine what you can disable is to gather more information about
the services and processes enabled on your computer.
Windows Server 2008 includes several tools and features to generate a variety of
logs that can provide you with valuable troubleshooting information:
Event Viewer
Sc.exe
System Information
Error Reporting Service
Boot logs (covered earlier)

Question: Based on this flowchart, what would you say are the most common
causes of Windows failing to start after the Windows logo appears?
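The information those tools provide can be gathered in one pass once Windows starts (in Safe Mode if necessary). The following PowerShell script is an added example, not course material: it reads the last boot time from WMI, lists the services set to start automatically that are not running (the same data sc query shows, and the first candidates to examine or temporarily disable), and pulls the System log errors recorded since that boot. It uses Get-WmiObject and Get-EventLog, both available in PowerShell 2.0 on Windows Server 2008; the script makes no changes.

```powershell
# Added example: collect the service state and event log evidence needed to
# decide which components to disable after a post-logo startup failure.

function Get-LastBootTime {
    $os = Get-WmiObject Win32_OperatingSystem
    $os.ConvertToDateTime($os.LastBootUpTime)
}

function Get-FailedAutoStartServices {
    # Automatic services that are not running: either they failed to start or
    # they were stopped by a dependency failure.
    Get-WmiObject Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, DisplayName, State, ExitCode, PathName
}

function Get-StartupErrors {
    param([datetime]$Since)
    # System log errors since the last boot, oldest first, so the earliest
    # failure (often the root cause) appears at the top.
    Get-EventLog -LogName System -EntryType Error -After $Since |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, Source, EventID, Message
}

$boot = Get-LastBootTime
"Last boot: $boot"
""
"Automatic services not running:"
Get-FailedAutoStartServices | Format-Table -AutoSize -Wrap
""
"System log errors since boot:"
Get-StartupErrors -Since $boot | Format-Table -AutoSize -Wrap
```

Matching the Source of the earliest error against the service list usually identifies the failing component; disable that one service (sc config <name> start= disabled from an elevated prompt) rather than everything with a non-running state, and re-enable it once the underlying driver or configuration problem is fixed.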

Troubleshooting Startup Problems After Logon

Key Points
If your computer fails immediately after a user logs on, use the process shown here
to identify and disable the failing startup application to enable a successful logon.
If the problem occurs immediately after updating or installing an application, try
uninstalling the application.
If a problem occurs after installing new software, you can temporarily disable or
uninstall the application to verify that the application is the source of the problem.
Problems with applications that run at startup can cause logon delays or even
prevent you from completing Windows startup in Normal mode. The following
sections provide techniques for temporarily disabling startup applications.
Disabling Startup Applications by Using the SHIFT Key
One way you can simplify your configuration is to disable startup applications. By
holding down the SHIFT key during the logon process you can prevent the
operating system from running startup programs or shortcuts.
Question: Based on this flowchart, what would you say are the most common
causes of Windows failing to start after logon?
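Holding SHIFT skips startup programs for one logon but does not tell you what was skipped. The following PowerShell script is an added example, not course material: it inventories the programs that run at logon from the Run and RunOnce keys under HKLM and HKCU, the per-user and common Startup folders, and WMI's Win32_StartupCommand class, so that you can see what a SHIFT logon bypassed and which entry to disable permanently if one of them is the cause. It is read-only and runs on PowerShell 2.0.

```powershell
# Added example: inventory logon startup programs (Run keys, Startup folders,
# Win32_StartupCommand). Read-only; no assumptions about paths beyond the
# standard Windows locations.

function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive and
            # PSProvider; skip those rather than treat them as startup values.
            if ($prop.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{ Location = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

function Get-StartupFolderEntries {
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            New-Object PSObject -Property @{ Location = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-WmiStartupEntries {
    # Win32_StartupCommand covers the same sources plus some the registry walk
    # above does not (for example per-user keys of other profiles).
    Get-WmiObject Win32_StartupCommand | ForEach-Object {
        New-Object PSObject -Property @{ Location = $_.Location; Name = $_.Name; Command = $_.Command }
    }
}

$all = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries) + @(Get-WmiStartupEntries)
$all | Sort-Object Location, Name | Select-Object Location, Name, Command | Format-Table -AutoSize -Wrap
```

Compare the Command column against what the application's vendor installed: an entry added at the same time the logon problem began, or one whose executable no longer exists on disk, is the one to remove or disable first.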

Recovering from Hardware Problems

Key Points
Although most hardware-related problems do not stop Windows Server 2008 from
starting successfully, hardware-related problems can appear before the logo would
normally appear in the startup process, and their symptoms include warning
messages, startup failures, and Stop messages.
The causes are typically improper device configuration, incorrect driver settings, or
hardware malfunction and failure. You can also use the suggestions provided on
the companion CD for troubleshooting hardware issues not directly related to
startup.
Question: If you suspected a hardware related problem, what would be the first
things you would check?

Lab A: Planning Windows Server 2008 Backup
Policy

Exercise 1: Evaluating the Existing Backup Plan
Scenario
At Woodgrove Bank, data for several departments is stored across servers on the
network. In the New York office, several file servers are part of a domain-based
Distributed File System (DFS) namespace and host the following shares:
Sales. This share holds the shared data for the Sales department. The Sales
department updates it regularly with budgets, forecasts, and sales figures.
Finance. This share holds important data for the Finance department that
supplements the Finance application database. The Finance database should
not form part of your backup plan.
Human Resources. This share holds highly confidential data for the Human
Resources department. You have encrypted some of this data by using EFS.
Technical Library. This share holds technical information, such as white papers
and guidance documents, for the IT department. The IT department updates
this information infrequently.
Projects. This share holds documents that relate to any projects that are
running at the New York office and changes frequently.

In addition to the file servers, you are responsible for ensuring that four intranet
Web servers and two domain controllers can have the data or server restored in the
event of a disaster. Web pages on the intranet Web sites do not change frequently.
Currently, there is a scheduled weekly backup of the volumes that contain the
shares on the file servers and the volumes that contain the Web page content on
the Web servers.
In this exercise, you must review the existing backup plan against requirements
that the management team at Woodgrove Bank have specified.
The main tasks for this exercise are as follows:
1. Review the existing backup plan.
2. Propose changes to the backup plan.

Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to each virtual machine as WOODGROVEBANK\Administrator with
the password Pa$$w0rd.
5. Minimize the Lab Launcher window.
Task 2: Review the existing backup plan
1. You have agreed that no more than one day's critical data should be lost in the
event of a disaster. Critical data includes the Sales, Finance, and Projects data.
Does the current backup plan meet this requirement?
2. Currently, you copy the Human Resources confidential data onto a removable
hard disk that is attached to a computer in the Human Resources office. This
task is performed weekly by using a script to preserve the encryption on the
files. What are the consequences of this process and how would you address
them?
3. You have also agreed that, if a server fails, you should be able to restore that
server, including all installed roles, features, applications, and security identity,
in six hours. Does the current backup plan enable you to restore the servers in
this way?

Task 3: Propose changes to the backup plan
1. Propose an appropriate backup frequency for each share and record it in the
following table:
Share | Backup Frequency
Sales |
Finance |
Human Resources |
Technical Library |
Projects |

2. How would you address the requirement to restore the servers and how
frequently would you back up the servers?

Results: After this exercise, you should have reviewed the existing backup plan and
proposed changes to the backup plan.

Exercise 2: Updating the Backup Policy
Scenario
The management team at Woodgrove Bank has decided that an SLA should be put
in place for the mission-critical data that is stored on the intranet file servers and
Web servers. The SLA will specify availability for data and the recovery of deleted
items.
In addition, Woodgrove Bank must also comply with legal regulations that state
how long the bank must keep customer and financial data. Failure to comply with
these requirements entails heavy fines and penalties for the company. You must
keep Human Resources and financial information for a minimum of seven years. In
the event of an audit, you must provide access to this data within three working
days.
In this exercise, you will examine the SLA and legal requirements and propose
solutions to ensure compliance.
The main tasks for this exercise are as follows:
1. Create a backup strategy to comply with the SLA.
2. Create a backup strategy to comply with legal requirements.

Task 1: Create a backup strategy to comply with the SLA
1. You should be able to restore critical data, which includes the Sales, Finance,
and Projects shares, as quickly as possible in the event of a disaster. What
factors affect how quickly you can restore data?
2. Given that you have a limited budget to meet the SLA requirements, how
could you maximize your budget while providing backup for all of the
network data for which you are responsible?

Task 2: Create a backup strategy to comply with legal requirements
How will you ensure that the required data is stored for the minimum legal
requirement period and that the data is available for audit purposes when it is
required?

Results: After this exercise, you should have created a backup strategy to comply with
the SLA and legal storage requirements.
Exercise 3: Reviewing Backup Policy and Plans
Scenario
In this exercise, you will share your solutions with the class in an instructor-led
discussion. Be prepared to add solutions from your own experience at work to the
discussion.
The main task for this exercise is to discuss your solutions with the class.
Exercise 4: Implementing the Backup Policy
Scenario
In this exercise, you will implement a Backup policy for the NYC-SVR1 file server.
The main tasks for this exercise are as follows:
1. Initialize the backup storage volume.
2. Create the new backup schedule.

Task 1: Initialize the backup storage volume
1. Log on to 6419A-NYC-SVR1 by using the following information:
User name: Woodgrovebank\Administrator
Password: Pa$$w0rd
2. Use Disk Management to create a maximum-size simple volume on Disk 2.
Use a quick format.

Task 2: Create the new backup schedule
Use Windows Server Backup to create a new backup schedule. The backup
should include the file shares on the E: volume and back up to Disk 2, and you
should schedule the backup for 12:30 and 21:00 every day.

Results: After these tasks, you should have initialized a new disk and created the new
backup schedule by using Windows Server Backup.

Task 3: Back up the Domain Recovery Agent's Private Key
1. On NYC-DC1, use the Group Policy Management Editor to browse to the
Encrypting File System policy (located in Default Group
Policy\Computer Configuration\Policies\Windows Settings\Security
Settings\Public Key Policies\Encrypting File System).
2. From the Group Policy Management Editor, export the File Recovery
certificate's private key to C:\AdminKey.pfx using a password of Pa$$w0rd.
Task 4: Lab Shutdown
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Lab B: Planning Windows Server 2008 Restore

Exercise 1: Evaluating Backup Data
Scenario
Woodgrove Bank has file servers that store shared data for several departments.
The server NYC-FS1 has file shares, including the Human Resources (HR) share,
on a redundant array of independent disks (RAID) 5 volume that is labeled E:. At
present, a member of the backup team performs a manual full backup of the E:
volume by using Windows Server Backup on a Friday evening. The backup takes
20 hours to complete because of the volume of data to back up. After the backup
completes, the backup team sends a copy of the backup to secure off-site storage.
Previous versions are not enabled on the E: volume.
In this exercise, you will analyze the backup data against restore requirements.
The main tasks for this exercise are as follows:
1. Evaluate file restoration.
2. Restore EFS files.
3. Evaluate server restore.

Task 1: Start the NYC-DC1, NYC-SVR1, and NYC-INF virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-INF, click Launch.
5. Log on to each virtual machine as WOODGROVEBANK\Administrator with
the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Evaluate file restoration
On Thursday, a member of the HR department asks you to restore an important
file, which he created two days ago but someone subsequently deleted.
1. Why can you not restore the file?
2. How could you change the backup strategy so that it is possible to restore files
that have changed more recently?
3. What other effects would a change in backup strategy cause?

Task 3: Restore EFS files
Members of the HR department have encrypted some of the files that are stored on
the HR share by using EFS. The HR director asks you to restore some encrypted
confidential files that were originally written by Tommy Hartono, who has since
left the company. After you have restored the files, how can you provide access to
the files for the HR director?
Task 4: Evaluate server restore
On Wednesday, the server, NYC-FS1, suffers a hardware failure. Both the C: and E:
volumes are lost.
1. How can you restore the server and data?
2. How could you make the restore process easier?

Results: After this exercise, you should have analyzed the backup data against the
restore requirements.

Exercise 2: Planning a Restore
Scenario
In this exercise, you will plan for trial restore operations to test your backups.
The main task for this exercise is to plan a trial restore.
Task 1: Plan a trial restore
1. In the following table, list the hardware and software requirements for
performing a trial restore:
Requirements







2. What additional consideration must you make for performing a trial restore of
the HR data on NYC-FS1?
3. With what types of backup data should you perform a trial restore?

Results: After this exercise, you should have planned for trial restore operations.

Exercise 3: Investigating a Failed Restore
Scenario
Users have reported that some files in the Technical Library share on 6419A-NYC-
SVR1 appear to be the wrong version.
In this exercise, you will investigate the files and resolve the problem.
The main tasks for this exercise are as follows:
1. Determine the reason for the wrong file version.
2. Create a Restore Operators group.
3. Separate the Backup and Restore roles.

Task 1: Determine the reason for the wrong file version
1. Log on to 6419A-NYC-SVR1 by using the following information:
Username: Woodgrovebank\Administrator
Password: Pa$$w0rd
2. Review the backup logs.
3. What operation was last performed?

Task 2: Create a Restore Operators group
Create a new local group on 6419A-NYC-SVR1 that is named Restore
Operators.

Task 3: Separate the Backup and Restore roles
Edit the local security policy on 6419A-NYC-SVR1 by using the following
settings:
Prevent the Backup Operators group from being able to restore files.
Allow the Restore Operators group to restore files.

Results: After this exercise, you should have investigated a failed restore and changed
the backup policy.
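Once the local security policy has been edited, the result should be verified rather than assumed. The following PowerShell script is an added example, not course material: it exports the user rights assignment with secedit, resolves the SIDs in the "Back up files and directories" (SeBackupPrivilege) and "Restore files and directories" (SeRestorePrivilege) entries to account names, and reports whether Backup Operators can still restore and whether the new Restore Operators group can. The group names match Exercise 3; the temporary export file under %TEMP% is an assumption. Run it from an elevated prompt on PowerShell 2.0.

```powershell
# Added example: verify that backup and restore rights are held by different
# groups on this server. Assumption (not from the course): secedit may write a
# temporary .inf file under %TEMP%, which is removed afterwards.

function Convert-SidToName {
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # leave SIDs that cannot be resolved as they are
}

function Get-UserRightsAssignment {
    # Returns a hashtable: privilege constant -> array of account names.
    $tmp = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $tmp)) { throw 'secedit /export failed' }
    $rights = @{}
    $inSection = $false
    foreach ($line in (Get-Content $tmp)) {
        if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $privilege = $matches[1]
            # secedit writes SIDs prefixed with "*" and plain names otherwise.
            $names = foreach ($entry in ($matches[2] -split ',')) {
                $entry = $entry.Trim()
                if ($entry.StartsWith('*')) { Convert-SidToName $entry.Substring(1) } else { $entry }
            }
            $rights[$privilege] = @($names)
        }
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    $rights
}

function Test-BackupRestoreSeparation {
    $rights  = Get-UserRightsAssignment
    $backup  = @($rights['SeBackupPrivilege'])
    $restore = @($rights['SeRestorePrivilege'])
    New-Object PSObject -Property @{
        CanBackUp                  = ($backup -join '; ')
        CanRestore                 = ($restore -join '; ')
        BackupOperatorsCanRestore  = (@($restore | Where-Object { $_ -match 'Backup Operators$' }).Count -gt 0)
        RestoreOperatorsCanRestore = (@($restore | Where-Object { $_ -match 'Restore Operators$' }).Count -gt 0)
    }
}

Test-BackupRestoreSeparation | Format-List
```

The expected result after Task 3 is BackupOperatorsCanRestore False and RestoreOperatorsCanRestore True. Note that the local policy is what secedit exports; a domain Group Policy that also assigns these rights overrides it, so on a domain member the same check belongs in a Resultant Set of Policy report as well.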
Exercise 4: Restoring System State Data
Scenario
The infrastructure team at Woodgrove Bank has escalated a problem with Dynamic
Host Configuration Protocol (DHCP). The DHCP service on 6419A-NYC-INF
cannot start and the server reports a general error.
In this exercise, you will perform a system state restore to repair the server.
The main tasks for this exercise are as follows:
1. Back up and restore specific files and folders.
2. Check the state of the DHCP service.
3. Perform a system state restore.

Task 1: Back up and restore specific files and folders
1. Run the Windows Server Backup.
2. Back up the E: volume.
3. Delete a file.
4. Use Windows Server Backup to recover the file.

Task 2: Check the state of the DHCP service
1. Log on to 6419A-NYC-INF by using the following information:
Username: Woodgrovebank\Administrator
Password: Pa$$w0rd
2. Is the DHCP service running?
Task 3: Perform a system state restore
1. Use the following command to get the backup version identifier:
wbadmin get versions -backuptarget:f:
2. Use the following command to perform the system state restore:
wbadmin start systemstaterecovery -version:<version identifier> -backuptarget:f:
3. Cancel the recovery after a couple of minutes.

Results: After this exercise, you should have seen how to back up and recover files
from the command line and from the Windows Server Backup utility.
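The two wbadmin commands in Task 3 can be combined into a check that answers "is the latest backup recent enough, and does it contain a system state?" before a recovery is attempted. The following PowerShell script is an added example, not course material: it parses the output of wbadmin get versions, picks the most recent version on the target, compares its age against a maximum, and builds the matching wbadmin start systemstaterecovery command line without running it. The target F: matches the lab; the 24-hour limit is an assumption taken from the one-day data loss requirement in Lab A, and the parsing relies on the "Backup time:", "Version identifier:" and "Can recover:" lines that wbadmin prints on Windows Server 2008.

```powershell
# Added example: find the newest backup version on a target, check its age and
# contents, and prepare (not execute) the system state recovery command.
# Assumptions (not from the course): target f:, 24-hour freshness limit.

$BackupTarget = 'f:'
$MaxAgeHours  = 24

function Get-WbadminVersions {
    param([string]$Target)
    # Each version is printed as a block starting with "Backup time:"; the
    # "Version identifier:" line holds the value that -version: expects.
    $versions = @()
    $current  = $null
    foreach ($line in (& wbadmin.exe get versions "-backuptarget:$Target")) {
        if ($line -match '^Backup time:\s*(.+)$') {
            $current = New-Object PSObject -Property @{
                BackupTime = [datetime]$matches[1]; VersionId = ''; CanRecover = ''
            }
            $versions += $current
        } elseif ($current -and $line -match '^Version identifier:\s*(\S+)') {
            $current.VersionId = $matches[1]
        } elseif ($current -and $line -match '^Can recover:\s*(.+)$') {
            $current.CanRecover = $matches[1]
        }
    }
    $versions
}

function Test-BackupFreshness {
    param([string]$Target, [int]$MaxHours)
    $versions = @(Get-WbadminVersions -Target $Target)
    if ($versions.Count -eq 0) { throw "No backup versions found on $Target" }
    $latest = $versions | Sort-Object BackupTime | Select-Object -Last 1
    $age    = (Get-Date) - $latest.BackupTime
    # The version is usable for this exercise only if it is recent enough and
    # wbadmin reports that a system state can be recovered from it.
    $ok = ($age.TotalHours -le $MaxHours) -and ($latest.CanRecover -match 'System State')
    New-Object PSObject -Property @{
        VersionId       = $latest.VersionId
        BackupTime      = $latest.BackupTime
        AgeHours        = [math]::Round($age.TotalHours, 1)
        CanRecover      = $latest.CanRecover
        MeetsPolicy     = $ok
        RecoveryCommand = "wbadmin start systemstaterecovery -version:$($latest.VersionId) -backuptarget:$Target"
    }
}

Test-BackupFreshness -Target $BackupTarget -MaxHours $MaxAgeHours | Format-List
```

Scheduled as a daily job, the MeetsPolicy value is a direct answer to the review question "How do you know whether your backups are successful?": a version that is missing, too old, or lacking the system state shows up before anyone needs it.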

Task 4: Lab Shutdown
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Module Review and Takeaways

Review Questions
1. What should you consider for your server restore policy?
2. What considerations should you take into account for the recovery of
encrypted data?
3. What steps should you take to verify restored data?
4. How do you know whether your backups are successful?
5. What provisions should you make for backup storage?
Real-World Issues and Scenarios
Your organization currently runs Microsoft Windows 2000 Server servers.
What do you anticipate the main issues will be when you back up data after
you have migrated to Windows Server 2008?
How do you plan to archive backup data after your migration?
How will you restore previous versions of files from Windows 2000 Server
after your migration?

Best Practices Related to Windows Server 2008 Backup
Supplement or modify the following best practices for your own work situations:
Do not add information technology (IT) administrators who require only the
right to back up files and folders to the Backup Operators group.
Create a local group and assign rights to back up files and folders on relevant
servers.
Restrict membership of the Backup Operators group solely to administrators
who are allowed to restore files and folders.
Perform regular backups to enable data to be restored to a point in time.
Educate users to enable them to recover their own files by using the Volume
Shadow Copy Service (VSS).

Best Practices Related to Windows Server 2008 Restore
Supplement or modify the following best practices for your own work situations:
Add IT administrators who require the right to restore files and folders to the
Backup Operators group.
Do not overwrite data files with older data.
Educate users to enable them to recover their own files by using VSS.
Develop an archive solution for your data to enable off-site storage.
Perform regular trial restore procedures to test your restore strategy.
Best Practices Related to Backup Policies
Supplement or modify the following best practices for your own work situations:
Identify the data sources that require backing up.
Identify specific requirements for backing up data, such as SLAs, legal
requirements, and the quantity of data that it is acceptable to lose.
Choose appropriate backup hardware, media, and software.
Specify your backup operators.
Specify your backup schedule.
Perform trial data and server restore operations.

Tools
Tool: Windows Server Backup Console
Use for: Scheduling backups of the Windows Server 2008 operating system
volumes. Performing manual backups of Windows Server 2008 volumes.
Where to find it: On the Administrative Tools menu, after you have installed the
Backup feature.

Tool: Wbadmin.exe
Use for: Scripting Windows Server 2008 backup tasks. Performing system state
backups.
Where to find it: At the command prompt, after you have installed the Backup
feature.

Tool: System Center Data Protection Manager
Use for: Backing up Windows Server 2008 data (application servers and databases
can also be backed up). Managing backup media. Creating a data storage
hierarchy.
Where to find it: http://go.microsoft.com/fwlink/?LinkId=121141

Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your
learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will
use your responses to improve your future learning experience. Your open and
honest feedback is valuable and appreciated.
