
OFFICIAL MICROSOFT LEARNING PRODUCT

6430B
Planning for Windows Server
2008 Servers



NETMIND
Apr 9 2010 7:45AM 80cdcdce-b134-4e21-b0f2-cb4572be11c5 Telefonica Netmind ittrainning.purchase@netmind.es
Warning: This is Telefonica Netmind's unique copy. It is illegal to reprint, redistribute, or resell this content. The Licensed
Content is licensed as-is. Microsoft does not support this Licensed Content in any way and Microsoft gives no express
warranties, guarantees or conditions. Please report any unauthorized use of this content to piracy@microsoft.com or by
calling +1 800-785-3448.
ii Planning for Windows Server 2008 Servers

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Press, Access, Active Directory, ActiveSync, ActiveX, BitLocker, Excel, Forefront,
Hyper-V, Internet Explorer, MS, MSDN, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight,
SQL Server, Visio, Visual Basic, Visual Studio, Win32, Windows, Windows Live, Windows Media,
Windows NT, Windows PowerShell, Windows Server and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.







Product Number: 6430B
Part Number: X16-25882
Released: 11/2009
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS COURSEWARE
BLENDED LEARNING COURSE - STUDENT EDITION
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the licensed content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft updates, supplements, Internet-based services, and support
services for this licensed content, unless other terms accompany those items. If so, those terms apply.
By using the licensed content, you accept these terms. If you do not accept them, do not use
the licensed content.
If you comply with these license terms, you have the rights below.
1. OVERVIEW.
Licensed Content. The licensed content includes software, printed materials, academic materials
(online and electronic), and associated media.
License Model. The licensed content is licensed on a per copy per device basis.
2. INSTALLATION AND USE RIGHTS.
a. Licensed Device. The licensed device is the device on which you use the licensed content. You
may install and use one copy of the licensed content on the licensed device.
b. Portable Device. You may install another copy on a portable device for use by the single
primary user of the licensed device.
c. Separation of Components. The components of the licensed content are licensed as a single
unit. You may not separate the components and install them on different devices.
d. Third Party Programs. The licensed content may contain third party programs. These license
terms will apply to your use of those third party programs, unless other terms accompany those
programs.
3. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Media Elements and Templates. You may use images, clip art, animations, sounds, music,
shapes, video clips and templates provided with the licensed content solely for your personal
training use. If you wish to use these media elements or templates for any other purpose, go to
www.microsoft.com/permission to learn whether that use is allowed.
b. Academic Materials. If the licensed content contains academic materials (such as white papers,
labs, tests, datasheets and FAQs), you may copy and use the academic materials. You may not
make any modifications to the academic materials and you may not print any book (either
electronic or print version) in its entirety. If you reproduce any academic materials, you agree
that:
The use of the academic materials will be only for your personal reference or training use
You will not republish or post the academic materials on any network computer or broadcast in
any media;
You will include the academic materials' original copyright notice, or a copyright notice to
Microsoft's benefit in the format provided below:
Form of Notice:
© 2009 Reprinted for personal reference use only with permission by
Microsoft Corporation. All rights reserved.
Microsoft and Windows are either registered trademarks or trademarks of
Microsoft Corporation in the US and/or other countries. Other product and
company names mentioned herein may be the trademarks of their respective
owners.
c. Distributable Code. The licensed content may contain code that you are permitted to distribute
in programs you develop if you comply with the terms below.
i. Right to Use and Distribute. The code and text files listed below are Distributable Code.
REDIST.TXT Files. You may copy and distribute the object code form of code listed in
REDIST.TXT files.
Sample Code. You may modify, copy, and distribute the source and object code form of
code marked as sample.
Third Party Distribution. You may permit distributors of your programs to copy and
distribute the Distributable Code as part of those programs.
ii. Distribution Requirements. For any Distributable Code you distribute, you must
add significant primary functionality to it in your programs;
require distributors and external end users to agree to terms that protect it at least as
much as this agreement;
display your valid copyright notice on your programs; and
indemnify, defend, and hold harmless Microsoft from any claims, including attorneys' fees,
related to the distribution or use of your programs.
iii. Distribution Restrictions. You may not
alter any copyright, trademark or patent notice in the Distributable Code;
use Microsoft's trademarks in your programs' names or in a way that suggests your
programs come from or are endorsed by Microsoft;
distribute Distributable Code to run on a platform other than the Windows platform;
include Distributable Code in malicious, deceptive or unlawful programs; or
modify or distribute the source code of any Distributable Code so that any part of it
becomes subject to an Excluded License. An Excluded License is one that requires, as a
condition of use, modification or distribution, that
the code be disclosed or distributed in source code form; or
others have the right to modify it.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the licensed
content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else's use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The licensed content is licensed, not sold. This agreement only gives you some
rights to use the licensed content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the licensed content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the licensed content that
only allow you to use it in certain ways. You may not
disclose the results of any benchmark tests of the licensed content to any third party without
Microsoft's prior written approval;
work around any technical limitations in the licensed content;
reverse engineer, decompile or disassemble the licensed content, except and only to the extent
that applicable law expressly permits, despite this limitation;
make more copies of the licensed content than specified in this agreement or allowed by
applicable law, despite this limitation;
publish the licensed content for others to copy;
rent, lease or lend the licensed content; or
use the licensed content for commercial licensed content hosting services.
Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
6. BACKUP COPY. You may make one backup copy of the licensed content. You may use it only to
reinstall the licensed content.
7. TRANSFER TO ANOTHER DEVICE. You may uninstall the licensed content and install it on another
device for your use. You may not do so to share this license between devices.
8. TRANSFER TO A THIRD PARTY. The first user of the licensed content may transfer it and this
agreement directly to a third party. Before the transfer, that party must agree that this agreement
applies to the transfer and use of the licensed content. The first user must uninstall the licensed
content before transferring it separately from the device. The first user may not retain any copies.
9. EXPORT RESTRICTIONS. The licensed content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that
apply to the licensed content. These laws include restrictions on destinations, end users and end use.
For additional information, see www.microsoft.com/exporting.
10. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or licensed
content marked as NFR or Not for Resale.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if
you fail to comply with the terms and conditions of these license terms. Upon any termination of this
agreement, you must destroy all copies of the licensed content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based
services and support services that you use, are the entire agreement for the licensed content and
support services.
13. APPLICABLE LAW.
a. United States. If you acquired the licensed content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the licensed content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
licensed content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED AS-IS. YOU BEAR
THE RISK OF USING IT. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES OR
CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL
LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER
YOUR LOCAL LAWS, MICROSOFT EXCLUDES THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER
FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU
CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS,
SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
anything related to the licensed content, software, services, content (including code) on third party
Internet sites, or third party programs; and
claims for breach of contract, breach of warranty, guarantee or condition, strict liability,
negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion
or limitation of incidental, consequential or other damages.
Please note: As this licensed content is distributed in Quebec, Canada, some of the clauses in
this agreement are also provided below in their French-language version (given here in English).
DISCLAIMER OF WARRANTY. The licensed content is provided "as is". Any use of this licensed
content is at your sole risk. Microsoft gives no other express warranty. You may have additional
rights under local consumer protection law, which this agreement cannot change. Where permitted
by local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from
Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You cannot claim
compensation for any other damages, including special, indirect or incidental damages and lost
profits.
This limitation applies to:
everything related to the licensed content, services or content (including code) on third-party
Internet sites or in third-party programs; and
claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If
your country does not allow the exclusion or limitation of liability for indirect, incidental or any other
damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. This agreement does not change the rights granted to you by the laws of your
country if those laws do not permit it.
Welcome!
Thank you for taking our training! We've worked together with our Microsoft Certified Partners
for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning
experience, whether you're a professional looking to advance your skills or a
student preparing for a career in IT.

Microsoft Certified Trainers and Instructors: Your instructor is a technical and
instructional expert who meets ongoing certification requirements. And, if instructors
are delivering training at one of our Certified Partners for Learning Solutions, they are
also evaluated throughout the year by students and by Microsoft.

Certification Exam Benefits: After training, consider taking a Microsoft Certification
exam. Microsoft Certifications validate your skills on Microsoft technologies and can help
differentiate you when finding a job or boosting your career. In fact, independent
research by IDC concluded that 75% of managers believe certifications are important to
team performance¹. Ask your instructor about Microsoft Certification exam promotions
and discounts that may be available to you.

Customer Satisfaction Guarantee: Our Certified Partners for Learning Solutions offer
a satisfaction guarantee and we hold them accountable for it. At the end of class, please
complete an evaluation of today's experience. We value your feedback!
We wish you a great learning experience and ongoing success in your career!
Sincerely,
Microsoft Learning
www.microsoft.com/learning

¹ IDC, Value of Certification: Team Certification and Organizational Performance, November 2006

Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their
contribution towards developing this title. Their effort at various stages in the
development has ensured that you have a good classroom experience.
Andy Warren, Subject Matter Expert
Andrew Warren (MCSE, MCITP, and MCT) has more than 22 years of experience
in the IT industry, many of which have been spent in writing and teaching. He has
been involved as the subject matter expert (SME) for the 5115B course for
Windows Vista and the technical lead on a number of other courses. He also has
been involved in TechNet sessions on Microsoft Exchange Server 2007. Based in
the United Kingdom, he runs his own IT training and education consultancy.
Byron Wright, Subject Matter Expert
Byron Wright is a partner in a consulting firm, where he performs network
consulting, computer systems implementation, and technical training. Byron is also
an instructor for the Asper School of Business at the University of Manitoba,
teaching management information systems and networking. Byron has authored
and coauthored a number of books on Windows servers, Windows Vista, and
Exchange Server, including the Windows Server 2008 Active Directory
Resource Kit.

Contents
Module 1: Planning Windows Server 2008 Deployment
Lesson 1: Overview of Change Management 1-3
Lesson 2: Planning a Single-Server Installation 1-23
Lesson 3: Performing a Single-Server Installation 1-38
Lesson 4: Automating Windows Server Deployment 1-49
Lab: Planning Windows Server 2008 Deployment 1-60
Module 2: Planning Network Infrastructure for Windows Server 2008
Lesson 1: Planning IPv4 Addressing 2-3
Lesson 2: Planning for Name Resolution Services 2-14
Lesson 3: Determining the Need for WINS 2-27
Lesson 4: Planning a Perimeter Network 2-37
Lesson 5: Planning an IPv4 to IPv6 Transition Strategy 2-42
Lab: Planning Network Infrastructure for Windows Server 2008 2-50
Module 3: Planning for Active Directory
Lesson 1: Selecting a Domain and Forest Topology 3-3
Lesson 2: Selecting a Domain and Forest Functional Level 3-19
Lesson 3: Planning Identity and Access Services in Active Directory 3-27
Lesson 4: Implementing Active Directory in the Physical Network 3-37
Lab: Planning for Active Directory 3-48
Module 4: Planning for Group Policy
Lesson 1: Planning Group Policy Application 4-3
Lesson 2: Planning Group Policy Processing 4-13
Lesson 3: Planning the Management of Group Policy Objects 4-24
Lesson 4: Planning the Management of Client Computers 4-37
Lab: Planning for Group Policy 4-52


Module 5: Planning Application Servers
Lesson 1: Overview of Application Servers 5-3
Lesson 2: Supporting Web-Based Applications 5-17
Lesson 3: Supporting SQL Server Databases 5-30
Lesson 4: Deploying Client Applications 5-48
Lesson 5: Planning Terminal Services 5-55
Lab: Planning Application Servers 5-64
Module 6: Planning File and Print Services
Lesson 1: Planning and Deploying the File Services Role 6-3
Lesson 2: Managing Storage 6-24
Lesson 3: Planning and Implementing the Distributed File System 6-44
Lesson 4: Planning and Implementing Shared Printing 6-56
Lab: Planning File and Print Services 6-66
Module 7: Planning Server and Network Security
Lesson 1: Overview of Defense-in-Depth 7-3
Lesson 2: Planning for Windows Firewall with Advanced Security 7-11
Lesson 3: Planning Protection Against Viruses and Malware 7-24
Lesson 4: Planning Remote Access 7-38
Lesson 5: Planning for NAP 7-45
Lab: Planning Server and Network Security 7-59

Module 8: Planning Server Administration
Lesson 1: Selecting the Appropriate Administration Tool 8-4
Lesson 2: Planning Server Core Administration 8-17
Lesson 3: Delegating Administration 8-27
Lab: Planning Server Administration 8-34
Module 9: Planning and Implementing Monitoring and Maintenance
Lesson 1: Planning Monitoring Tasks 9-3
Lesson 2: Calculating a Server Baseline 9-9
Lesson 3: Tools for Monitoring Server Performance 9-17
Lesson 4: Planning Software Updates 9-29
Lab: Planning and Implementing Monitoring and Maintenance 9-40
Module 10: Planning High Availability and Disaster Recovery
Lesson 1: Choosing a High-Availability Solution 10-3
Lesson 2: Planning a Backup and Restore Strategy 10-23
Lab: Planning High Availability and Disaster Recovery 10-34
Module 11: Planning Virtualization
Lesson 1: Overview of Server Virtualization 9-4
Lesson 2: Business Scenarios for Server Virtualization 9-13
Lesson 3: Overview of System Center Virtual Machine Manager 9-20
Lesson 4: Planning Host Resources 9-31
Lab: Planning Virtualization 9-42
Lab Answer Keys
Module 1 Lab: Planning a Windows Server 2008 Deployment L1-1
Module 2 Lab: Planning Network Infrastructure for Windows Server 2008 L2-13
Module 3 Lab: Planning for Active Directory L3-25
Module 4 Lab: Planning for Group Policy L4-35
Module 5 Lab: Planning Application Servers L5-47
Module 6 Lab: Planning File and Print Services L6-57
Module 7 Lab: Planning Server and Network Security L7-69

Module 8 Lab: Planning Server Administration L8-87
Module 9 Lab: Planning and Implementing Monitoring and Maintenance L9-95
Module 10 Lab: Planning High Availability and Disaster Recovery L10-103
Module 11 Lab: Planning Virtualization L11-113
About This Course i
About This Course
This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.
Course Description
This three-day instructor-led course is intended for IT pros who are interested in
the knowledge and skills necessary to plan a Windows Server 2008 operating
system infrastructure. This course is aimed at server administrators and is not a
how-to course; therefore, it has a significant number of planning exercises with
less focus on hands-on exercises than some courses.
The course content and exercises direct you toward making decisions and
providing guidance to others. This course reflects the decision-making tasks that a
server administrator undertakes.
Server administrators often act as an escalation point and sit between the technical
specialist role and architect role.
Audience
This course is intended for a server administrator who:
Is moving from a technical-specialist role to a decision-making role.
Wants to acquire the necessary knowledge to be able to plan for Windows
Server 2008 servers.

Student Prerequisites
You should have up to one year of experience with implementing server plans,
although you have probably not yet had full responsibility for planning.
This course requires that you meet the following prerequisites:
Skills equivalent to course 6418A (deployment): Installation and
configuration of Windows Server 2008, Windows Deployment Services,
Active Directory directory service upgrades
Skills equivalent to course 6420A (networking fundamentals): TCP/IP
configuration, server administration, network and data security
Skills equivalent to course 6421A (core network infrastructure training):
Domain Name System (DNS) configuration, Windows Internet Name Service
(WINS) configuration, IPv6 transition, remote access, network policies,
Network Access Protection (NAP), Distributed File System (DFS)
Skills equivalent to course 6424A (Active Directory fundamentals): Configure
Active Directory Domain Services (AD DS), configure Active Directory
Lightweight Directory Services (AD LDS), configure Active Directory
Certificate Services (AD CS), configure Active Directory Federation Services
(AD FS), create users and groups
Skills equivalent to course 6425A (core Active Directory training): Configure
AD DS security, trusts, sites, replication, Group Policy
Up to one year experience implementing server plans

Course Objectives
After completing this course, students will be able to:
Plan for both Windows Server 2008 installation and upgrade from a previous
version of Windows Server to Windows Server 2008.
Plan and implement network connectivity in Windows Server 2008 by using
IPv4-related technologies and plan a migration strategy to IPv6.
Plan the deployment of Active Directory-related services in Windows Server
2008.
Apply the design considerations for implementing Group Policy.
Plan the configuration of different application services in Windows Server
2008.
Create a plan for file and print services to meet an organization's printing, file
storage, and access needs.
Create a plan to secure the Windows Server 2008 environment.
Create local and remote administration strategies for administering a Windows
Server 2008 environment.
Create a monitoring plan for the Windows Server 2008 environment.
Create a plan that will help mitigate the effects of various disaster scenarios on
the IT infrastructure.
Create a plan for using virtualization in a Windows Server 2008 environment.
Course Outline
This section provides an outline of the course:
Module 1: Planning Windows Server 2008 Deployment
Module 2: Planning Network Infrastructure for Windows Server 2008
Module 3: Planning for Active Directory
Module 4: Planning for Group Policy
Module 5: Planning Application Servers
Module 6: Planning File and Print Services
Module 7: Planning Server and Network Security
Module 8: Planning Server Administration
Module 9: Planning and Implementing Monitoring and Maintenance
Module 10: Planning High Availability and Disaster Recovery
Module 11: Planning Virtualization
Course Materials
The following materials are included with your kit:
Course Handbook. A succinct classroom learning guide that provides all the
critical technical information in a crisp, tightly-focused format, which is just
right for an effective in-class learning experience.
Lessons: Guide you through the learning objectives and provide the key
points that are critical to the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the
knowledge and skills learned in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference
material to boost knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your
fingertips when it's needed.
Course Companion CD. Searchable, easy-to-navigate digital content with
integrated premium online resources designed to supplement the Course
Handbook.
Lessons: Include detailed information for each topic, expanding on the
content in the Course Handbook.
Labs: Include complete lab exercise information and answer keys in digital
form to use during lab time.
Resources: Include well-categorized additional resources that give you
immediate access to the most up-to-date premium content on TechNet,
MSDN, and Microsoft Press.
Student Course Files: Include the Allfiles.exe, a self-extracting executable
file that contains all the files required for the labs and demonstrations.
Note: To access the full course content, insert the Course Companion CD into the
CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.
Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification
Program, send e-mail to mcphelp@microsoft.com.
Virtual Machine Environment
This section provides the information for setting up the classroom environment to
support the business scenario of the course.
Virtual Machine Configuration
In this course, you will use Microsoft Virtual Server 2005 R2 with the Microsoft
Lab Launcher to perform the labs. Module 11 also includes an optional lab that
you may or may not want to complete. This optional lab is based on Microsoft
Hyper-V, so you will need to meet the hardware and software requirements for
installing Hyper-V. Hardware details are included in the Hardware Level 6
specification below, and other considerations can be found here:
Hyper-V: http://go.microsoft.com/fwlink/?LinkId=168247

Software required for the Module 11 lab but not included in the Training Materials:
Windows Server 2008 64-bit Operating System

This software can be sourced from the Microsoft Partner Program via the Partner
Program Action Pack; detailed information is available at
https://partner.microsoft.com.
Important: When shutting down the virtual machines in Lab Launcher, the default
setting is Shut Down The Virtual Machine And Save Changes. You should inform
students not to take the default setting but rather to take their time when shutting
down the virtual machines and make sure they select the bottom option in the list,
Turn Off Machines And Discard Changes, at the end of each lab.

To close a virtual machine without saving the changes on Hyper-V, perform the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Classroom Setup
Each classroom computer will have the same virtual machines configured in the
same way.
Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a
minimum equipment configuration for trainer and student computers in all
Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which
Official Microsoft Learning Product courseware is taught.
This course is a Hardware Level 5.5 course with additional random access memory
(RAM). Please see the classroom setup guide for detailed hardware specs. As stated
earlier, there is also an optional lab included in Module 11 that you may or may
not want to complete. This optional lab is based on Hyper-V.
Important: The Hardware Level in this course has been modified to run by default
under the assumption that 4 gigabytes (GB) RAM is available in the host machine
rather than 2 GB RAM, which is the normal amount of memory required, defined by
Hardware Level 5.5. So the default configuration on installation and boot-up is
configured to run where there is 4 GB RAM available in the host machine. For
detailed steps on how to set up this environment, please follow the steps outlined in
the Classroom Configuration Hardware Level 5.5 with 4 GB RAM section in the
classroom setup guide.

If you do not have 4 GB RAM available in the student machines, you will need to
follow alternative setup steps. An alternative LauncherSettings.config file is provided
with the course, which redefines the RAM values for each of the virtual machines
so that they boot up and run at the normal Hardware Level 5.5 definition, that is,
with 2 GB RAM available in the host machine. For details on how to set up the
classroom where only 2 GB is available in the student machines, please see the
Classroom Configuration Hardware Level 5.5 with 4 GB RAM section in the
classroom setup guide.

It is also highly recommended that you read the MSL Lab Launcher Getting Started
Guide, which is available in the MCT Download Center. This contains information
about how to install and customize the MSL Lab Launcher in general terms and will
be complementary to what is contained in this course-specific setup guide.
Important (continued): The optional lab in Module 11 requires Hardware Level 6.
This is to facilitate the setup of Hyper-V. If this hardware is not available, there is
also a paper-based element to the lab, which can still be completed.
Each classroom computer will serve as the host for four virtual machines that will
run in Virtual Server 2005 R2 SP1.
The following are the virtual machines, brief descriptions, and the RAM allocation
to each of them for the default installation, that is, 4 GB RAM available on the host
machine.
Virtual machine     Description                                        RAM (MB)
6430B-SEA-DC1       Domain controller in the adatum.com domain         1,024
6430B-SEA-SVR1      Windows Server in adatum.com domain                1,024
6430B-SEA-SVR2      Windows Server in adatum.com domain                1,024
6430B-SEA-CL1       Windows Vista computer in the adatum.com domain    768

Estimated time to set up the classroom: 120 minutes
The following are the virtual machines, brief descriptions, and the RAM allocation
to each of them for the nondefault installation, that is, 2 GB RAM available on the
host machine.
Virtual machine     Description                                        RAM (MB)
6430B-SEA-DC1       Domain controller in the adatum.com domain         512
6430B-SEA-SVR1      Windows Server in adatum.com domain                384
6430B-SEA-SVR2      Windows Server in adatum.com domain                384
6430B-SEA-CL1       Windows Vista computer in the adatum.com domain    384

Estimated time to set up the classroom: 140 minutes
Below are listed both Hardware Level 5.5 and Hardware Level 6. As stated earlier,
there is also an optional lab in Module 11 that requires Hardware Level 6.
Hardware Level 5.5
Pentium IV 2.4-gigahertz (GHz) processor
PCI 2.1 bus
4 GB of RAM
At least two 40 GB hard disks, 7,200 RPM
DVD drive
Non-Industry Standard Architecture (ISA) network adapter: 10/100 megabits
per second (Mbps), full duplex required
16 MB video adapter (32 MB recommended)
Super VGA (SVGA) 17-inch monitor
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers
Projection display device that supports SVGA 800 x 600, 256 colors

In addition, the instructor computer must be connected to a projection display
device that supports SVGA 800 x 600 pixels, 256 colors.
Note: All virtual machines in this course were developed with a resolution of 1024 x
768.
Hardware Level 6
Pentium IV 2.4 GHz processor *
PCI 2.1 bus
4 GB of RAM
At least two 40 GB hard disks, 7,200 RPM
DVD drive
Non-ISA network adapter: 10/100 Mbps, full duplex required
16 MB video adapter (32 MB recommended)
SVGA 17-inch monitor
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers
Projection display device that supports SVGA 800 x 600, 256 colors

In addition, the instructor computer must be connected to a projection display
device that supports SVGA 800 x 600 pixels, 256 colors.
* A 64-bit system with hardware-assisted virtualization and data execution
prevention (DEP) enabled is required to install Hyper-V.
Planning Windows Server 2008 Deployment 1-1
Module 1
Planning Windows Server 2008 Deployment
Contents:
Lesson 1: Overview of Change Management 1-3
Lesson 2: Planning a Single-Server Installation 1-23
Lesson 3: Performing a Single-Server Installation 1-38
Lesson 4: Automating Windows Server Deployment 1-49
Lab: Planning Windows Server 2008 Deployment 1-60
Module Overview

The deployment of Windows Server 2008 must be carefully planned before it is
performed. This includes identifying the change management process to be used,
identifying the appropriate edition of Windows Server 2008, and evaluating
hardware considerations and applications considerations. Automating the
deployment of Windows Server 2008 with answer files or other technologies
should be evaluated. Failure to properly plan the deployment of Windows Server
2008 could result in downtime to critical business systems.
Objectives
After completing this module, you will be able to:
Describe how change management affects a deployment project.
Plan the deployment of a single computer running Windows Server 2008.
Describe how to perform a single-server installation.
Determine how to automatically deploy Windows Server 2008.

Lesson 1
Overview of Change Management

Change management is an essential part of information technology management
for any organization. Using a change management process consistently results in
greater uptime for systems and faster troubleshooting processes. Two common
frameworks for managing change are the Information Technology Infrastructure
Library (ITIL) and Microsoft Operations Framework (MOF). Regardless of the
framework you use, a service-level agreement (SLA) is used to define characteristics
of service support and availability. Microsoft also provides specific guidance for
implementing technologies in Microsoft Solution Accelerators.
Objectives
After completing this lesson, you will be able to:
Describe change management and its benefits.
Describe the considerations for change management.
Describe MOF.
Describe ITIL.
Describe SLAs.
Describe Microsoft Solution Accelerators.

Discussion: What Is Change Management?

Key Points
Change management is the process by which changes are approved, implemented,
and monitored. Some additional steps in formal processes might include a request
for change and change classification as part of the approval process. The change
management process varies widely for different organizations. In larger
organizations, change management is a formal process and can require that a
change-approval board approve all system changes. The board documents all
changes and when they are to occur. In smaller organizations, the process is often
less formal, only requiring the verbal approval of the manager responsible for
information systems.
Question: What is change?
Question: How does your organization address change management?

Question: Are there some situations in which change management is more
important than others?
Question: What are the benefits of a formal change management process?
Question: Are there situations in which the normal change process cannot be
followed?

Considerations for Managing Change

Key Points
Changes to any information system should be made in an organized and
controlled manner. The details of the change management process that you use are
less important than defining a process and using it consistently. A consistent
process ensures that all the necessary approvals are gathered before the change is
implemented and that impact on other systems is avoided.
Successful Change Management
For a change management process to be successful, it must be supported by the
organization. Using the change management process cannot be optional. All staff
must follow the change management procedures. If the change management
process is not enforced and communicated properly, most of the staff will stop
using it over time.
When a change management process is first implemented, many of the
information technology staff will complain about the level of bureaucracy involved.
However, after the initial adjustment in expectations has been made, information
technology staff frustration will be reduced.
Question: Do you like using change management procedures?
Question: Do you see the value in using change management procedures in your
organization?

What Is ITIL?

Key Points
ITIL was originally a set of about 60 books developed in the late 1980s by a
consortium of industry leaders as a set of best practices for IT. These books
described the IT processes defined by ITIL and the interdependencies among them.
The development of the library was sponsored by the United Kingdom
government's Office of Government Commerce (OGC). ITIL version 3 was released
in 2007.
ITIL is a de facto standard for IT service management. It is widely implemented by
large and medium-sized organizations. In addition to the ITIL books, ITIL
certification is also available.
ITIL Characteristics
ITIL is process oriented, meaning that it focuses on processes in IT organizations
rather than on such things as technology. Processes stress the importance of
objectives. Each ITIL process has a clearly defined objective, together with inputs
and outputs. Processes often involve more than one organizational unit. They can
help the IT organization to identify activities that are well-planned and well-
executed, on the one hand, and those that are carried out without any
coordination, in duplication, unnecessarily, or not at all, on the other.
Other ITIL characteristics include:
A striving for quality of service through continual improvement
A customer focus that includes understanding the needs of the business
Best practices for IT management
Independence of any specific technology
Descriptive guidance at a high level rather than detailed guidance, to preserve
adaptability to your organization


For more details about ITIL, talk to your local training center. You can
also find more information at the official ITIL Web site at
http://go.microsoft.com/fwlink/?LinkID=160967&clcid=0x409.
Question: Does your organization use ITIL?

What Are ITIL Books?

Key Points
ITIL is a large set of documentation describing best practices for IT service
management. ITIL version 3 was released in 2007 and contains five core books.
Each book covers a different stage of the service life cycle. Additional books
providing more detail are provided for specialized topics related to the five core
books. The five core books are:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement

Service Strategy
Service Strategy is the core of the ITIL model for IT service management. A service
strategy defines which services are offered by IT, who the services are for, and how
performance will be measured. When building this strategy, you must consider
the value of services and how customers (users or departments within your
organization) perceive that value. This varies between organizations based on not
only the business processes that are in place, but also based on organizational
culture.
Service Design
Whereas Service Strategy helps to define what services should be offered, Service
Design helps you decide in what way they will be offered. Outcomes of service
design include a service-level agreement, a process for supplier management, and a
plan for security. When creating a service design, you need to consider:
Business requirements
Risks and mitigation
Performance measurement
Policies and procedures
IT skills and capability

Service Transition
Service Transition explains the service design and implements it in a way that
meets all requirements of the service design. This includes not only requirements
during normal operational use, but also requirements for disaster recovery. One of
the key challenges and processes that must be defined for service transition is
change management. Testing of the services as they are implemented must be
performed.
Service Operation
From the customer perspective, service operation is when value is delivered.
Processes for ongoing maintenance of the applications and infrastructure are
defined. Also, processes for incident management and service desk must be in
place. Effective management of ongoing incidents is essential for customer
satisfaction.
Continual Service Improvement
In any system or set of processes, there are opportunities to create additional
value through continual improvement. In the ITIL books, Continual Service
Improvement wraps around the other processes. For long-term success, an
organization must be constantly looking for ways to improve service to provide
additional value for customers.
The key to continual service improvement is the selection of metrics that can be
used to track progress. For each service, you must have metrics that allow you to
determine whether performance is improving or not. The metrics you select need
to relate directly to the value perceived by the customer. For example, IT staff
might want to track CPU utilization on a server, which has no inherent value to the
customer. A more appropriate measure would be how quickly an application
responds to user requests; high CPU utilization is then one possible cause of slow
response, not the metric itself.
What Is MOF?
Key Points
The Microsoft Operations Framework (MOF) process model describes a life cycle
that can be applied to systems of any size and related to any service solution. The
model groups similar information technology management functions called service
management functions (SMFs) into four quadrants.
The following table describes the four quadrants, giving the mission of service
and the operations management review for each:

Changing
Mission of service: Introduce new service solutions, technologies, systems,
applications, hardware, and processes.
Operations management review: Release readiness review provides approval to
deploy the fully developed and tested release.

Operating
Mission of service: Execute day-to-day tasks effectively and efficiently.
Operations management review: Operations review is scheduled periodically to
evaluate the information technology staff's ability to maintain a specific service,
meet service-level requirements, and document its experience in a knowledge base.

Supporting
Mission of service: Resolve incidents, problems, and inquiries quickly.
Operations management review: Service-level agreement (SLA) evaluation is
performed periodically and evaluates the information technology staff's ability to
meet the service-level requirements defined in the SLA.

Optimizing
Mission of service: Drive changes to optimize cost, performance, capacity, and
availability in the delivery of information technology services.
Operations management review: Change initiation review increases the likelihood
that proposed changes are in alignment with business objectives and operability
requirements.

Note: MOF extends the best practices found in ITIL by including guidance and best
practices derived from the experience of Microsoft operations groups, partners, and
customers.
For more information about MOF, see the Microsoft Solution
Accelerator for MOF on the Microsoft TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=160865&clcid=0x409.
What Is Project Management?
Key Points
Project management is a set of techniques used to achieve a desired result on time,
within budget, and according to specification. The project management process
includes planning, estimating, and controlling all of the activities required to attain
the required end result. A key aspect of projects is that they have a limited scope
that is to be completed within a defined timeframe, meaning that they are
temporary and not ongoing.
The idea of project management is that, regardless of the project being completed,
there is a consistent set of procedures that helps to ensure that the project is
completed successfully. The same set of procedures can be used to ensure success
for the building of a bridge as for the building of a new information system.
The stages of project management are:
Initiation (scoping)
Planning and design
Executing
Monitoring and controlling
Closing
Initiation
During initiation, you must identify the deliverables that define when the
project has been completed. At this stage, you also obtain approval from senior
management for the project based on the benefits to the organization. High-level
planning for resources is also performed.
Planning and Design
During planning and design, you create a detailed plan of what needs to be
performed and when. The overall project is broken down into tasks. Then, based
on the tasks, you can define the required resources and schedule when activities
need to occur. As part of this process, a critical path is defined. The critical path
is the longest chain of dependent tasks, and it therefore determines the shortest
time frame in which the project can be completed.
Executing
During execution, the tasks determined in the plan are performed. The project
manager is responsible for assuring that the necessary resources are available and
that each task is assigned to an appropriate resource. Gantt charts are typically
used to show what tasks are being performed at a given time.
Monitoring and Controlling
Monitoring and controlling are the processes used to supervise the completion of
tasks performed during execution. These processes are essential to identify potential
problems as early as possible so that they can be corrected. One example of
monitoring is regular progress meetings to identify any tasks that are not being
completed on time or require additional resources.
Closing
At the close of a project, you must verify that all deliverables are completed and
obtain client acceptance of those deliverables. Closing should also include the
completion of all documentation related to the project such as meeting minutes,
change control documentation, and testing documentation.
An important part of closing is a post-implementation review. This review helps
you to learn from the project by identifying positive processes that can be used
again. It also allows you to identify mistakes so that you do not repeat them on the
next project.
There are a number of different project management methodologies
that can be used. One of the most commonly used is PRINCE2 (Projects
IN Controlled Environments). For more information about PRINCE2 see
the PRINCE2 Web site at http://go.microsoft.com/fwlink
/?LinkID=166904&clcid=0x409.
What Are Service-Level Agreements?
Key Points
An SLA is an agreement between an IT service provider and its customer, which may
be another part of the same organization or an external client. It is important
to define an SLA early, because it documents the service expectations and
requirements that the customer expects the IT service provider to deliver. An
SLA might be written for the availability of a specific system component, a specific
service, or an entire system.
SLAs and Change Management
An SLA should include a regular time that maintenance can be performed. During
the scheduled maintenance time, the system is not expected to be available. This is
typically when changes are implemented. The maintenance window may be daily,
weekly, or monthly, and may range from only a few minutes to a few hours.
When a major change such as a server migration is implemented, an additional
service outage may need to be negotiated as part of the change. For example, if a
file server has a one-hour daily maintenance window, and migrating data to a new
file server will take several hours, an additional outage must be negotiated.
Types of SLAs
Internal SLAs
An internal SLA is between the IT department and other departments in the
same organization.
External SLAs
External SLAs are legally binding contracts and are more formal than internal
SLAs. An external SLA may have more structure, usually including cost and
bonus clauses and sometimes penalty clauses. However, an external SLA
always includes the service's specific cost and deliverables, which often include
availability and security services.
Informal SLAs
Not all SLAs are contracts with formal terms and conditions. In some cases,
service-level expectations are based on a verbal agreement between the IT
provider and the organization. This is an informal SLA, and often these types
of agreements develop over time through casual conversations with the IT
provider. An internal agreement is often informal in smaller organizations.
What Are Microsoft Solution Accelerators?
Key Points
Microsoft Solution Accelerators are free tools and guidance from Microsoft on how
to implement Microsoft technologies. If you are planning the implementation of
any new Microsoft technology, you should review the Microsoft Solution
Accelerators for content relevant to the new technology.
Some of the Microsoft Solution Accelerators relevant to Windows Server 2008 are:
Microsoft Assessment and Planning Toolkit
Infrastructure Planning and Design Guides for Windows Server
Microsoft Deployment Toolkit 2008
Windows Server 2008 Security Compliance Management Toolkit
Hyper-V Security Guide
The Microsoft Solution Accelerators are found on the TechNet Web site
at http://go.microsoft.com/fwlink/?LinkID=165474&clcid=0x409.
Lesson 2
Planning a Single-Server Installation
When you introduce Windows Server 2008 into your organization, you need to
determine which edition of Windows Server 2008 meets your needs. You also need
to consider the licensing requirement for Windows Server 2008. Some of the other
topics you need to consider are activation, virtualization, and consolidation of
server roles.
Objectives
After completing this lesson, you will be able to:
Select an appropriate edition of Windows Server 2008.
Describe the Microsoft licensing programs.
Describe the considerations for client access licenses.
Describe the considerations for virtualization.
Describe the considerations for server activation.
Describe the considerations for consolidating server roles.
Describe the Microsoft Assessment and Planning Toolkit.
Windows Server 2008 Editions
Key Points
Windows Server 2008 is available in several different editions to meet the unique
needs of different organizations. Each edition is priced differently, has different
support for hardware, and supports different features. You select the edition based
on your requirements for hardware support and features.
The most common editions of Windows Server 2008 are:
Windows Web Server 2008. This low-cost edition is meant to be used as a
Web application server. It supports up to four processors and 32 GB of RAM
(4 GB on 32-bit systems). It cannot be used as a domain controller.
Windows Server 2008 Foundation. This low-cost edition is meant to be used
in small offices with limited requirements. It is sold only by original equipment
manufacturers (OEMs), not at retail outlets or through volume licensing. It
supports only a single 64-bit processor and 8 GB of RAM. Infrastructure roles
are supported.
Windows Server 2008 Standard. This edition supports up to four processors
and 32 GB of RAM (4 GB on 32-bit systems). Failover clustering and cross-file
replication for distributed file system (DFS) are not supported.
Windows Server 2008 Enterprise. This edition supports up to eight
processors and 2 TB of RAM (64 GB on 32-bit systems). Failover clustering
and cross-file replication for DFS are supported. Hot add memory is also
supported. This edition is typically used in larger organizations that require
these features.
Windows Server 2008 Datacenter. This edition supports up to 64 processors
(32 on 32-bit systems) and 2 TB of RAM (64 GB on 32-bit systems). All
features of Windows Server 2008 Enterprise are supported, as well as hot
replace memory, hot add processors, and hot replace processors. This edition
is typically used in larger organizations that require these features.
For more detailed information about the various editions of Windows
Server 2008, see the Overview of Editions page on the Microsoft Web site
at http://go.microsoft.com/fwlink/?LinkID=166905&clcid=0x409.
Ways to Obtain Licenses
Key Points
There are three main ways that you can obtain licenses for Windows Server 2008:
Retail. These licenses are purchased from an online or physical retailer. This
type of licensing is typically used by small organizations that are purchasing a
limited number of licenses.
OEM. These licenses are purchased with new hardware. The cost of these
licenses is typically less than retail, but the licenses cannot be moved from one
computer to another.
Volume license. Microsoft has a variety of volume license programs for
purchasing multiple copies of Microsoft software. The cost of these licenses is
typically less than retail but more than OEM licensing. Some volume licensing
options are subscription based rather than purchased outright. Software Assurance
is also available. For larger organizations, one key benefit of volume licensing
is simplifying the licensing process.
Software Assurance benefits vary depending on the type of volume licensing
purchased. In all cases, it includes new version rights for software, e-learning, and
product support. Other features may include an employee purchase program and
consulting services.
Regardless of how you obtain your server licenses, you are eligible to use a
previous version of Windows if required. This is referred to as a downgrade right.
For example, if you have an application that runs only on Windows Server 2003
and not Windows Server 2008, you can purchase a Windows Server 2008 license
and install Windows Server 2003 instead.
For more information about licensing, see the Windows Server 2008
Licensing Overview on the Microsoft Web site at http://go.microsoft.com
/fwlink/?LinkID=160956&clcid=0x409.
For more information about Software Assurance, see Microsoft Software
Assurance on the Microsoft Web site at http://go.microsoft.com
/fwlink/?LinkID=166906&clcid=0x409.
Considerations for Client Access Licenses
Key Points
Client access licenses (CALs) are required for all users or devices that access
the Standard, Enterprise, and Datacenter editions of Windows Server 2008. When
you introduce Windows Server 2008 to your organization, you must also upgrade
your CALs, because a CAL for an earlier version of Windows Server does not cover
access to Windows Server 2008.
CALs are not required in the following circumstances:
When access is through the Internet and is anonymous or unauthenticated;
for example, when access is through a Web site that does not have a user
logon.
When access is to Windows Web Server 2008. Not requiring CALs in this
instance allows you to run Web sites requiring authentication to the local Web
server.
When access is to Windows Server 2008 Foundation. An alternative licensing
scheme is used for Windows Server 2008 Foundation that does not use CALs.
Per-Server and Per-Seat Licensing
When you install a server, you can select whether to use per-server or per-seat
licensing. Per-server licensing requires the server to have a CAL for each concurrent
connection to it. Per-seat licensing requires each user or device to have one CAL,
which then covers access to any number of servers. In general, per-seat licensing is
advantageous if you have users or devices accessing multiple servers.
User and Device CALs
If you use per-seat licensing, you can purchase either user or device CALs. A user
CAL allows a specific person to access the server. It cannot be shared between
multiple users, even if they are not logged on at the same time. However, a single
user can access the server from multiple devices by using a single CAL. A device
CAL allows a specific device to access the server. It can be shared between multiple
users of the same device. In general, a device CAL is more useful in environments
where workers use the devices in shifts.
Other Types of CALs
If you are accessing Terminal Services, you must have a Terminal Services CAL
in addition to the Windows Server CAL.
If you are using Rights Management Services, a Rights Management Services
CAL is required.
In some cases, an External Connector (EC) license can be used instead of
CALs.
Considerations for Virtualization
Key Points
Hyper-V is a server role available in the Standard, Enterprise, and Datacenter
editions of Windows Server 2008. It allows Windows Server 2008 to act as a
virtualization host for virtual machines. It is possible to purchase these editions of
Windows Server 2008 without Hyper-V included. However, the price discount is
very small. Hyper-V is only available for 64-bit versions of Windows Server 2008.
When you purchase a single-server license for the Standard, Enterprise, or
Datacenter edition of Windows Server 2008, your license includes virtual instance
use rights:
Windows Server 2008 Standard includes one virtual instance license. This means
that you can run one physical and one virtual instance of Windows Server
2008 Standard on the same physical server. If the virtual instance is running, the
physical instance may be used only to run Hyper-V and to manage the virtual
machines.
Windows Server 2008 Enterprise includes four virtual instance licenses. This
means that you can run one physical and up to four virtual instances of Windows
Server 2008 Enterprise on the same physical server. If all four virtual instances
are running, the physical instance is restricted in the same way.
Windows Server 2008 Datacenter includes unlimited virtual instance licenses.
This means that you can run one physical and any number of virtual instances of
Windows Server 2008 Datacenter on the same physical server. Using Windows
Server 2008 Datacenter on virtualization hosts can greatly simplify the
licensing of servers.

Note: The virtual image use rights include downgrade rights to run previous versions of
Windows Server. For example, a Hyper-V host running Windows Server 2008 Enterprise
could have a Windows Server 2003 virtual machine as one of the virtual machines
included in the virtual image use rights.
CALs are also a concern when you implement Hyper-V for virtualization. If you are
hosting a virtual machine on a Hyper-V host running Windows Server 2008, any
user accessing the virtual machine must have a Windows Server 2008 CAL. For
example, if a Windows Server 2003 virtual machine is hosted on a Hyper-V host,
all users or devices accessing the Windows Server 2003 virtual machine must have
a Windows Server 2008 CAL.
Considerations for Server Activation
Key Points
Product activation is used by Microsoft to prevent casual copying of software.
Windows Server 2008 is one software product that must be activated. This is a
separate process from product registration.
Activation associates a specific set of hardware with a product key to ensure that
the product key is not reused on an unauthorized computer. No personally
identifiable information is sent as part of the activation process.
Initial activation can be performed over the Internet or by phone. If your server has
access to the Internet, that is the preferred method, because activation over the
Internet takes only a few moments. If your server does not have access to the
Internet, you must activate by telephone, which takes about ten minutes in most
cases.
Unactivated Systems
If you do not activate a new server, after a grace period of 60 days the system will
be unlicensed. The desktop background will change to black, and you will receive
persistent notifications to activate. Only critical Windows updates will be installed.
Otherwise, the server will continue to function normally.
If you significantly modify the hardware in your server, you may be required to
reactivate within three days. You can reactivate either over the Internet or over the
phone. If you do not reactivate, the server is unlicensed with the same results as if
you had never activated it.
Key Management Service
In large organizations in which volume licensing is used, there is often a desire to
keep activation traffic inside the organization rather than having each system
activate directly with Microsoft servers. In such a case, you can implement Key
Management Service (KMS). KMS clients locate the KMS host automatically through a
service (SRV) resource record in Domain Name System (DNS), named _vlmcs._tcp
in the domain, so new servers contact the KMS host for activation rather than
contacting Microsoft servers. The KMS host itself must be activated once with
Microsoft, over the Internet or by phone; after that it needs no further contact with
Microsoft. A KMS host activates servers only after it has received requests from at
least five distinct physical or virtual servers (25 for client operating systems), so
it is not a fit for very small deployments. Computers activated by a KMS host must
renew their activation with it at least every 180 days; otherwise their activation
lapses and they return to a grace period.
Multiple Activation Key
When volume licensing is used, an organization may instead be given a multiple
activation key (MAK). A MAK is a single key that can be used for a fixed number of
activations. MAK activation is performed directly with Microsoft, over the Internet
or by phone, or through a proxy such as the Volume Activation Management Tool
(VAMT) that collects installation IDs and submits them on the computers' behalf. A
MAK is not activated against a KMS host. Use MAK for computers that rarely connect
to the corporate network and KMS for those that do.
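The following PowerShell script is an added example, not part of the course manual, for checking where a server stands in the volume activation process described above. It resolves the _vlmcs._tcp SRV record to see which KMS host clients will be directed to, reads the activation state that slmgr.vbs /dlv reports from the SoftwareLicensingProduct WMI class, and, when run on a KMS host, compares the current client count with the five-server threshold. The domain name is a placeholder assumption, and nslookup is used because Resolve-DnsName does not exist on Windows Server 2008.

```powershell
# Added example (not from the course manual): inspect volume activation state on a
# Windows Server 2008 computer and show which KMS host DNS will hand out.
# Assumptions: PowerShell 2.0 or later, run from an elevated prompt; the DNS
# suffix below is a placeholder for your own Active Directory domain.

$domain = "corp.example.com"   # assumption: replace with your AD DNS name

function Get-KmsHostFromDns {
    param([string]$DnsDomain)
    # KMS clients auto-discover the host through the _vlmcs._tcp SRV record.
    $out = & nslookup -type=SRV "_vlmcs._tcp.$DnsDomain" 2>$null
    $hosts = @()
    foreach ($line in $out) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $hosts += $Matches[1] }
    }
    return $hosts
}

function Get-ActivationState {
    # SoftwareLicensingProduct exposes the same state as slmgr.vbs /dlv.
    # Only rows with a PartialProductKey are actually installed products.
    $products = Get-WmiObject -Class SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' }
    foreach ($p in $products) {
        $status = switch ($p.LicenseStatus) {
            0 { 'Unlicensed' }
            1 { 'Licensed' }
            2 { 'Initial grace period' }
            3 { 'Additional grace period (KMS host unreachable)' }
            4 { 'Non-genuine grace period' }
            5 { 'Notification' }
            default { "Unknown ($($p.LicenseStatus))" }
        }
        New-Object PSObject -Property @{
            Product            = $p.Name
            # 'Volume:GVLK' means a KMS client key, 'Volume:MAK' a multiple activation key
            Channel            = $p.ProductKeyChannel
            Status             = $status
            GraceDaysRemaining = [math]::Floor($p.GracePeriodRemaining / 1440)  # WMI reports minutes
            KmsHost            = $p.KeyManagementServiceMachine
        }
    }
}

function Get-KmsHostState {
    # On a KMS host, the count of distinct clients seen in the last 30 days must
    # reach 5 for servers (25 for client operating systems) before it activates anyone.
    $svc = Get-WmiObject -Class SoftwareLicensingService
    if ($svc.IsKeyManagementServiceMachine -ne 1) { return $null }
    New-Object PSObject -Property @{
        CurrentCount       = $svc.KeyManagementServiceCurrentCount
        ListeningPort      = $svc.KeyManagementServiceListeningPort
        DnsPublishing      = $svc.KeyManagementServiceDnsPublishing
        ServerThresholdMet = ($svc.KeyManagementServiceCurrentCount -ge 5)
    }
}

"KMS hosts published in DNS: " + ((Get-KmsHostFromDns $domain) -join ', ')
Get-ActivationState | Format-List
$kms = Get-KmsHostState
if ($kms) { $kms | Format-List }
```

A status of "Additional grace period" on a KMS client with an empty KmsHost value usually means the SRV record is missing or points at a host the client cannot reach on the listening port, which is the first thing to check before assuming a key problem.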
For more information about volume activation, see Volume Activation
2.0 for Windows Vista and Windows Server 2008 on the TechNet Web
site at http://go.microsoft.com/fwlink/?LinkID=160957&clcid=0x409.
Considerations for Consolidating Server Roles
Key Points
There are no specific guidelines for which server roles can be combined on the
same server. The details of what is appropriate vary widely depending on how a
server role is being used in a specific organization. The key is to ensure that a
server resource does not become a bottleneck. For example, a file server with ten
users may generate almost no disk I/O, while a file server with 500 users may
experience disk I/O as a bottleneck.
Some rules of thumb for combining server roles are listed here:
Avoid combining server roles that place a significant load on the same resource
such as memory, disk I/O, the processor, or the network. For example, the
Streaming Media Services role can place a significant load on all server
resources and will not be combined with other roles in most circumstances.
Avoid combining server roles with different security requirements, such as a
domain controller and an external-facing Web server. A role that processes
untrusted input should not share an operating system instance with one that
holds domain credentials: whoever compromises the Web server has local access to
the directory database, and whoever administers the Web server is also a domain
administrator, because local administrators on a domain controller are domain
administrators.
Avoid combining server roles that experience peak utilization at the same time,
such as a domain controller and a Dynamic Host Configuration Protocol (DHCP)
server, both of which experience heavy utilization during morning logons. A DHCP
server on a domain controller also raises a security concern: the DHCP Server
service registers client DNS records under the domain controller's computer
account, which has full control of every DNS object in Active Directory, so it
can overwrite records that belong to other hosts. If you must combine the two,
configure the DHCP server to register records with a dedicated, low-privilege
account instead.
Consider combining domain controllers and DNS servers. This allows you to take
advantage of Active Directory-integrated zones, which replicate through Active
Directory and support secure dynamic updates, so that only the computer that
registered a record can change it.
Consider giving each application a separate server to simplify server
maintenance.

The only way to accurately determine whether server roles can be combined is by
monitoring performance. Monitor the servers performing the role for a period of
time, and then determine whether combination will be a problem.
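The following PowerShell script is an added example and is not part of the course material. It shows the monitoring the text calls for in practice: it collects the four resources named above with a Performance Logs and Alerts data collector, converts the log with relog, and summarises each counter with an average and 5th/95th percentiles so you can see whether a resource is already near saturation on one role before a second role is added. logman, relog, the counter paths and Import-Csv are all standard on Windows Server 2008; the log location, the sample interval, the percentile thresholds and the 1 Gbit NIC figure are choices made for this example.

```powershell
# Added example, not part of the course: capture a baseline of the resources a role
# consumes, then summarise it so you can see whether a resource is already near
# saturation before you add a second role to the server. logman, relog, the counter
# paths and Import-Csv are standard on Windows Server 2008; the log location, sample
# interval and the saturation thresholds are choices made for this example.

$LogName  = 'RoleBaseline'
$LogDir   = 'C:\PerfLogs'
$Counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)

function Start-Baseline {
    # One sample every 30 seconds into a circular binary log; leave it running for at
    # least a full business cycle so the morning logon peak and the backup window are
    # both captured.
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    & logman create counter $LogName -c $Counters -si 00:00:30 -f bincirc -max 512 -o "$LogDir\$LogName"
    & logman start $LogName
}

function Stop-Baseline {
    # Stop the collector and convert the newest binary log to CSV for analysis.
    & logman stop $LogName
    $blg = Get-ChildItem "$LogDir\$LogName*.blg" | Sort-Object LastWriteTime | Select-Object -Last 1
    & relog $blg.FullName -f csv -o "$LogDir\$LogName.csv" -y
    "$LogDir\$LogName.csv"
}

function Get-BaselineSummary {
    # relog names each column \\SERVER\object(instance)\counter; the first column is the timestamp.
    param([string]$CsvPath = "$LogDir\$LogName.csv")
    $rows = Import-Csv $CsvPath
    $columns = $rows[0] | Get-Member -MemberType NoteProperty |
        Select-Object -ExpandProperty Name | Where-Object { $_ -notlike '(PDH-CSV*' }
    foreach ($col in $columns) {
        # Drop blank samples (counter not yet initialised) and sort for percentiles.
        $values = @($rows | ForEach-Object { $_.$col } | Where-Object { $_ -match '\d' } |
                    ForEach-Object { [double]$_ } | Sort-Object)
        if ($values.Count -eq 0) { continue }
        New-Object PSObject -Property @{
            Counter = $col -replace '^\\\\[^\\]+', ''      # strip the \\SERVER prefix
            Samples = $values.Count
            Average = [math]::Round(($values | Measure-Object -Average).Average, 1)
            P05     = [math]::Round($values[[int][math]::Floor(0.05 * ($values.Count - 1))], 1)
            P95     = [math]::Round($values[[int][math]::Floor(0.95 * ($values.Count - 1))], 1)
        }
    }
}

function Test-Headroom {
    # Rules of thumb: a resource at its limit for 5% of samples is already a bottleneck
    # on its own and should not be shared with another role. The network figure assumes
    # a 1 Gbit NIC with roughly 100 MB/s usable (an assumption for this example).
    param($Summary)
    foreach ($s in $Summary) {
        $saturated = switch -Wildcard ($s.Counter) {
            '*\% Processor Time'       { $s.P95 -gt 75 }
            '*\Available MBytes'       { $s.P05 -lt 256 }
            '*\Avg. Disk Queue Length' { $s.P95 -gt 2 }      # per spindle; scale up for arrays
            '*\Bytes Total/sec'        { $s.P95 -gt 100MB }
            default                    { $false }
        }
        $s | Add-Member -MemberType NoteProperty -Name Saturated -Value $saturated -PassThru
    }
}

# Usage: run Start-Baseline on the server now; after the collection period:
#   $csv = Stop-Baseline
#   Test-Headroom (Get-BaselineSummary $csv) |
#       Format-Table Counter, Samples, Average, P05, P95, Saturated -AutoSize
```

Run the same collection on each candidate server and compare the summaries side by side: two roles whose 95th percentiles would add up past a threshold on the same resource are the ones the text says not to combine.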
What Is the Microsoft Assessment and Planning Toolkit?

Key Points
The Microsoft Assessment and Planning Toolkit (MAP) is a solution accelerator
that is available for download from Microsoft at no charge. It performs hardware
inventory, compatibility analysis, and readiness reporting, which makes it easy
to assess your current IT infrastructure and determine the right Microsoft
technologies for your needs. MAP inventories computers remotely over WMI and the
Remote Registry service, so it needs an account with administrative rights on
every target. Use a dedicated account that exists only for the assessment rather
than a standing domain administrator, and protect or delete the inventory
database afterwards, because it is a complete map of your estate.
The Windows Server 2008 Deployment scenarios for MAP are:
Windows Server 2008 Hardware Assessment. This scenario identifies which
servers are capable of running Windows Server 2008 and prescribes the
necessary hardware upgrades for those that are not. It also reports on the
availability of device drivers from Microsoft. Current roles and applications are
also identified.
Security Assessment. This scenario performs an inventory of network clients
and identifies security issues reported by Windows Security Center. It also
reports on Network Access Protection readiness.
Performance Monitoring. This scenario monitors performance of processor,
network, and disk counters over an extended time period. This is typically
used to identify virtualization candidates.
Server Consolidation and Virtualization. This scenario uses data from the
Performance Monitoring scenario to model the virtualization of servers onto a
host.


For more information about MAP, see the Microsoft Assessment
and Planning Toolkit page on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=160958&clcid=0x409.

Lesson 3
Performing a Single-Server Installation

When you install Windows Server 2008 in your organization, you need to
consider whether you will be upgrading existing servers or installing new
servers and migrating services and applications to them. If you are
implementing BitLocker Drive Encryption, you need to ensure that the server is
configured to support it. You also need to consider driver compatibility
and application compatibility with Windows Server 2008.
Objectives
After completing this lesson, you will be able to:
Describe considerations for server upgrades.
Describe considerations for server migrations.
Describe the requirements for BitLocker.
Describe the considerations for device drivers.
Describe the considerations for application compatibility.
Considerations for Performing Server Upgrades

Key Points
Windows Server 2008 performs upgrades differently from previous versions of
Windows Server. When you perform an in-place upgrade to Windows Server 2008,
the new operating system is installed in parallel to the existing operating system.
Then, the existing operating system is parsed for recognized settings, which are
migrated into the new installation of Windows Server 2008.
After the upgrade to Windows Server 2008 is complete, it is not possible to roll
back to the original operating system. However, if an error occurs during the
upgrade, Setup rolls the server back to the original operating system. Because
there is no supported path back once the upgrade has succeeded, take a complete,
tested backup of the server (including the system state) before you start, and
keep it until the upgraded server has proved itself in production.
The main benefits of performing an upgrade are:
Preservation of existing operating system settings when recognized. Any
settings that are unrecognized will not be moved to the new installation.
Preservation of existing applications and their settings when recognized.
Applications should be tested to ensure that they are migrated properly.
Downtime is limited to the installation of the operating system. There is no
need to migrate large volumes of data between servers.

Some considerations for upgrading include:
Upgrades to Windows Server 2008 can only be performed from Windows
Server 2003 SP1 or later and Windows Server 2003 R2.
Itanium and Web editions cannot be upgraded.
Upgrades can only be performed in the same edition or an upgraded edition.
For example, Windows Server 2003 Standard edition can be upgraded to
Windows Server 2008 Standard or Enterprise edition. Windows Server 2003
Enterprise edition can only be upgraded to Windows Server 2008 Enterprise
edition. Only an existing Datacenter installation can be upgraded to Windows
Server 2008 Datacenter.
Upgrades can only be performed between the same processor architecture. For
example, a 32-bit version of Windows Server 2003 can only be upgraded to a
32-bit version of Windows Server 2008.
Upgrades must use the same language as the original installation.
You cannot upgrade to a Server Core installation.


For more information about upgrading to Windows Server 2008, see
Upgrading to Windows Server 2008 on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=160959&clcid=0x409.
Question: What is the biggest risk in performing an upgrade?

Considerations for Migrating to Windows Server 2008

Key Points
A migration occurs when you install Windows Server 2008 on new hardware and
then move the services, applications, and data from an existing server to the new
server. There is no downtime for services during the installation of Windows
Server 2008, but there may be downtime for services when they are being migrated
to the new server.
The main benefits of performing a migration are:
A clean installation of a new operating system is typically more reliable than an
upgrade of an existing operating system. Microsoft recommends using a clean
installation whenever possible.
The source server can be maintained for rollback even after the new server is
in place. If the new server is not performing properly after implementation,
you can go back to using the original server until the problem is resolved.
You can perform testing on the new server before putting it into production.
You can test applications and new configurations if required.
You are not limited in how you move between operating system versions. You
can migrate data or applications from Windows Server 2003 Enterprise
Edition to Windows Server 2008 Standard.
You are not limited by the processor architecture of the source and destination
operating systems. You can migrate data or applications from a 32-bit
operating system to a 64-bit operating system.
You are not limited by the language configuration of the source and
destination operating systems. You can migrate data or applications from a
server running one language to a server running a different language.
You can migrate supported data and applications to server core. However,
server core has a limited number of server roles that it is suitable for.

Potential drawbacks to performing a server migration are:
Data must be manually moved to the new server. Large file shares can take a
significant amount of time to migrate.
Applications must be reinstalled and properly configured on the new server.
If no one on staff is familiar with the details of the application, this can be
error prone.
Clients must be redirected to use services on the new server. In some cases this
requires client computers to be reconfigured manually, which is time consuming.
However, you can redirect clients to new file shares by changing the drive
letters mapped on the clients by using a logon script or Group Policy. In some
cases, you can update a host record in DNS so that the old name resolves to the
IP address of the new server. If you reuse the old name this way, remember that
Kerberos clients request a ticket for the name they connect to: register the old
name as a service principal name (SPN) on the new server (for example,
setspn -A cifs/oldname newserver) and, for file shares, add it to the server's
OptionalNames or disable strict name checking; otherwise authentication to the
alias fails or silently falls back to NTLM.


For more information about migrating specific services to Windows
Server 2008, see the Migrate to Windows Server 2008 page on the
TechNet Web site at http://go.microsoft.com/fwlink
/?LinkID=166908&clcid=0x409.

Considerations for Implementing BitLocker

Key Points
BitLocker Drive Encryption is a feature in Windows Server 2008 that encrypts the
boot volume of the server (the volume that holds the operating system). Additional
data volumes can also be encrypted. The one volume that is never encrypted is the
system volume, the small active partition that holds the boot manager (bootmgr)
and the boot configuration data (BCD) store, because the firmware has to read it
before any key is available.
In addition to protecting data at rest, BitLocker verifies the integrity of the
early boot path. The operating system files on the boot volume are protected
because they are encrypted whenever the server is not running, so they cannot be
read or altered offline. The unencrypted files on the system volume are protected
differently: during startup the TPM measures the firmware, the master boot record,
the boot sector and the boot manager, recording hashes of them in its platform
configuration registers. The key that unlocks the boot volume is sealed to those
measurements, so if any measured component has been changed, the TPM will not
release the key and the server stops in recovery mode, where the recovery
password or recovery key is required to continue.
BitLocker requires:
Separate boot and system volumes. The system volume, which stays unencrypted,
must be at least 1.5 GB. If you did not create two volumes during the initial
installation, you can use the BitLocker Drive Preparation Tool, which shrinks
the existing boot/system volume, creates a new system volume, and moves the boot
files to it so that BitLocker can be enabled.
A Trusted Platform Module (TPM) version 1.2, enabled and activated in the
BIOS. The TPM is a cryptographic chip on the motherboard of the server. It does
not hold the volume's data; the volume master key is stored on the disk,
encrypted so that only this TPM, with an unmodified boot path, can unseal it.
Taking the hard drive out of the server therefore yields only ciphertext. In the
default TPM-only mode the server unlocks itself on every restart with nobody at
the console, which suits servers, but it means that whoever can start the whole
server rather than just the disk gets a running system; physical security of the
data center is still required. Adding a PIN or a USB startup key to the TPM
raises the bar but requires an operator at every restart.
Alternatively, on hardware without a TPM, you can store a startup key on a USB
drive, but this is less secure: nothing validates the boot path, and a USB key
left in the server protects nothing.
The BitLocker feature installed (ServerManagerCmd -install BitLocker, followed
by a restart).
Also plan for recovery before you enable BitLocker. Configure Group Policy to
back up recovery passwords to Active Directory Domain Services: a cleared TPM, a
replaced motherboard, or a firmware update that changes a measured boot component
puts the server into recovery mode, and without the recovery password the volume
is unrecoverable.
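The following PowerShell script is an added example and is not part of the course material. It checks the two prerequisites listed above on the local server (a TPM 1.2 that is enabled and activated, and a separate system volume of at least 1.5 GB), confirms that the BitLocker feature is installed, and then shows how the boot volume is encrypted with a TPM protector plus a recovery password. It uses the Win32_Tpm and Win32_Volume WMI classes and the manage-bde.wsf script that ship with Windows Server 2008 (manage-bde.exe on later versions); the recovery folder path is a sample value.

```powershell
# Added example, not part of the course: verify the BitLocker prerequisites from the
# text and then enable BitLocker on the boot volume with a recovery password. Uses
# Win32_Tpm, Win32_Volume and manage-bde.wsf, all shipped with Windows Server 2008.
# The recovery folder path is a placeholder.

function Get-TpmState {
    # Win32_Tpm lives in its own namespace and is absent on hardware without a TPM.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }
    New-Object PSObject -Property @{
        SpecVersion = $tpm.SpecVersion              # "1.2, 2, 3" on a TPM 1.2 part
        Enabled     = $tpm.IsEnabled_InitialValue
        Activated   = $tpm.IsActivated_InitialValue
        Owned       = $tpm.IsOwned_InitialValue     # BitLocker takes ownership during setup if needed
    }
}

function Test-BitLockerLayout {
    # The system volume (bootmgr, BCD) must be a separate, unencrypted partition of at
    # least 1.5 GB; the boot volume (Windows) is the one that gets encrypted.
    $vols   = Get-WmiObject -Class Win32_Volume
    $system = $vols | Where-Object { $_.SystemVolume }
    $boot   = $vols | Where-Object { $_.BootVolume }
    $separate = $system -and $boot -and ($system.DeviceID -ne $boot.DeviceID)
    New-Object PSObject -Property @{
        SystemVolume    = $(if ($system.DriveLetter) { $system.DriveLetter } else { '(no letter)' })
        SystemVolumeGB  = [math]::Round($system.Capacity / 1GB, 2)
        BootVolume      = $boot.DriveLetter
        SeparateVolumes = [bool]$separate
        SystemVolumeOk  = [bool]($separate -and $system.Capacity -ge 1.5GB)
    }
}

function Test-BitLockerReady {
    # Returns one line per unmet prerequisite; nothing means the server is ready.
    $tpm      = Get-TpmState
    $layout   = Test-BitLockerLayout
    $problems = @()
    if (-not $tpm) { $problems += 'No TPM found; enable it in the BIOS or plan for a USB startup key' }
    elseif ($tpm.SpecVersion -notmatch '^1\.2') { $problems += "TPM spec version $($tpm.SpecVersion) is not 1.2" }
    elseif (-not ($tpm.Enabled -and $tpm.Activated)) { $problems += 'TPM is present but not enabled and activated in the BIOS' }
    if (-not $layout.SeparateVolumes) { $problems += 'Boot and system files share one volume; run the BitLocker Drive Preparation Tool' }
    elseif (-not $layout.SystemVolumeOk) { $problems += "System volume is $($layout.SystemVolumeGB) GB; the minimum is 1.5 GB" }
    if (-not (Test-Path (Join-Path $env:SystemRoot 'System32\manage-bde.wsf'))) {
        $problems += 'BitLocker feature not installed (ServerManagerCmd -install BitLocker, then restart)'
    }
    $problems
}

function Enable-BitLockerOnBootVolume {
    # Encrypt the boot volume under TPM protection and save a numerical recovery
    # password plus a recovery key file. Without recovery information, a cleared TPM or
    # a replaced motherboard makes the volume permanently inaccessible.
    param([string]$Drive = $env:SystemDrive, [string]$RecoveryFolder = '\\backup\bitlocker-recovery')
    $mbde = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'
    & cscript //nologo $mbde -on $Drive -RecoveryPassword -RecoveryKey $RecoveryFolder
    & cscript //nologo $mbde -protectors -get $Drive     # confirm TPM + recovery protectors are in place
}

$issues = Test-BitLockerReady
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Prerequisites met; run Enable-BitLockerOnBootVolume to encrypt the boot volume.' }
```

The protectors listing at the end is the check worth keeping: a volume with only a TPM protector and no recovery protector is a volume you can lose to a BIOS update.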


For more information about BitLocker, see the BitLocker
Drive Encryption page on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=166909&clcid=0x409.

Considerations for Device Drivers

Key Points
Whenever you update an existing server to a new operating system, you must
ensure that device drivers are available for the new operating system to support
the existing hardware. Before performing an upgrade, check with your hardware
manufacturer to obtain drivers that are certified for Windows Server 2008. In
many cases a driver that worked in Windows Server 2003 will also load on Windows
Server 2008, but treat that as a fallback to be tested rather than a plan: a
driver is kernel-mode code, and one written against the Windows Server 2003
kernel can fail under load in ways that crash or corrupt the server rather than
failing cleanly at installation time.
Many organizations are implementing 64-bit versions of Windows Server 2008 to
obtain the benefits of greater memory capacity. When you install a 64-bit operating
system, you must have 64-bit device drivers for your hardware. In some cases, 64-
bit device drivers will not be available for older hardware.
By default, the 64-bit editions of Windows Server 2008 will not load unsigned
kernel-mode drivers. Setup may accept an unsigned driver when you supply it
during installation, but the kernel refuses to load it at the next start, so the
device simply does not work. If you cannot obtain a signed driver, enforcement can
be disabled for a single start by opening the Advanced Boot Options menu during
startup and selecting Disable Driver Signature Enforcement; the setting does not
persist, so it has to be chosen on every restart. This is not recommended: while
enforcement is off the kernel will load any unsigned code, including a rootkit,
and a server that depends on the setting is one unattended reboot away from
losing a device. Test signing (bcdedit /set testsigning on) is the supported way
to run drivers signed with a test certificate, but it is meant for development
systems, marks the desktop with a Test Mode watermark, and should not be used on
production servers.
If you are buying new hardware, verify with the vendor that there are 64-bit drivers
available before purchasing the new server. Most new servers have 64-bit drivers
available from the manufacturers Web site.
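The following PowerShell script is an added example and is not part of the course material. It is the driver inventory to run before an in-place upgrade or a move to 64-bit: it lists every driver package that is not signed (and so will not load on x64), shows who signed the rest, and checks the boot configuration for the testsigning and nointegritychecks settings that weaken kernel-mode code signing. It uses the Win32_PnPSignedDriver WMI class and bcdedit, both present on Windows Server 2008, and must run from an elevated prompt because bcdedit requires it.

```powershell
# Added example, not part of the course: inventory driver signing on a server before
# upgrading it, and confirm that kernel-mode code-signing enforcement has not been
# weakened in the boot configuration. Uses Win32_PnPSignedDriver and bcdedit, both
# present on Windows Server 2008; run elevated.

function Get-UnsignedDrivers {
    # Win32_PnPSignedDriver reports the signing state of every PnP driver package.
    Get-WmiObject -Class Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -and -not $_.IsSigned } |
        Select-Object DeviceName, DriverProviderName, DriverVersion, InfName |
        Sort-Object DriverProviderName
}

function Get-DriverSigners {
    # Who signed the drivers on this box: anything other than Microsoft or the hardware
    # vendor deserves a second look, and an x64 upgrade needs a WHQL or vendor signature.
    Get-WmiObject -Class Win32_PnPSignedDriver |
        Where-Object { $_.IsSigned } |
        Group-Object Signer | Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-BootIntegritySettings {
    # bcdedit prints "testsigning Yes" or "nointegritychecks Yes" when enforcement has
    # been weakened; absence of the line means the default (enforced) state.
    $text = & bcdedit /enum '{current}'
    New-Object PSObject -Property @{
        TestSigning       = [bool]($text -match '^\s*testsigning\s+Yes')
        NoIntegrityChecks = [bool]($text -match '^\s*nointegritychecks\s+Yes')
    }
}

$unsigned = @(Get-UnsignedDrivers)
if ($unsigned.Count) {
    Write-Warning ('{0} unsigned driver package(s); obtain signed x64 versions before upgrading:' -f $unsigned.Count)
    $unsigned | Format-Table -AutoSize
}
Get-DriverSigners | Format-Table -AutoSize

$boot = Get-BootIntegritySettings
if ($boot.TestSigning -or $boot.NoIntegrityChecks) {
    Write-Warning 'Kernel-mode code signing is weakened in the BCD; restore it with: bcdedit /set testsigning off ; bcdedit /set nointegritychecks off'
}
```

Run this on the 32-bit source server before the migration: every line in the unsigned list is a device that will either need a vendor-signed x64 driver or will not exist on the new server.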
Considerations for Application Compatibility

Key Points
Many applications that were designed to run on Windows Server 2003 are capable
of running on Windows Server 2008. However, the User Account Control (UAC)
feature in Windows Server 2008 may prevent some applications from running
properly: an application that expects to write to its own folder under Program
Files or to HKEY_LOCAL_MACHINE\Software now runs with a standard user token
unless it is elevated. For 32-bit interactive applications without a manifest,
UAC file and registry virtualization silently redirects those writes to a
per-user VirtualStore, which keeps the application working but means its data is
no longer where the administrator expects it. Virtualization does not apply to
services, to 64-bit applications, or to applications with a manifest, which fail
with access denied instead. Before you implement a new application server, check
with the application vendor to ensure that the application is supported on
Windows Server 2008.
Windows Server 2008 stores some data in a different location than Windows
Server 2003. Windows Server 2008 has directory junctions at the old directory
names that redirect file requests to the new directory locations. For example,
C:\Documents and Settings is now a junction point that points to C:\Users. The
junctions carry an access control entry that denies Everyone the right to list
the folder, so an application can open a file through the old path but cannot
enumerate the old directory. Junction points therefore work for most applications
but not all, and tools that copy or back up a volume can follow them into an
endless loop unless they recognize reparse points. Ensure that your application
functions properly before beginning an upgrade or migration.
Some key points to keep in mind when considering application compatibility are
the following:
When you upgrade a server to Windows Server 2008, an application
compatibility check is performed. However, this check has a limited database
of applications. You should manually verify that an application is capable of
running on Windows Server 2008 by contacting the applications vendor.
It is possible to run 32-bit applications on a 64-bit operating system. This is
done with Windows on Windows 64 (WOW64), a compatibility layer similar to the
one that allows 32-bit versions of Windows to run 16-bit applications. WOW64
redirects 32-bit processes to their own copies of some locations, so a 32-bit
application sees C:\Windows\SysWOW64 as its System32 folder and
HKLM\Software\Wow6432Node as HKLM\Software; an application with hard-coded
64-bit paths, or a 32-bit process that must load a 64-bit driver or shell
extension, will not work unchanged. However, you cannot run 16-bit applications
on a 64-bit version of Windows Server 2008, because the 16-bit subsystem (NTVDM)
does not exist there; this includes 16-bit installers that wrap otherwise 32-bit
applications.
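The following PowerShell script is an added example and is not part of the course material. It answers the 16-bit/32-bit/64-bit question from the headers of the executable itself, which is quicker and more reliable than asking the vendor: a Windows 3.x "NE" header or a bare MS-DOS program will not run at all on x64, an x86 PE image runs under WOW64, and an x64 PE image is native. The header layout is the documented Windows image format; the byte arrays at the end are constructed stand-ins for real files.

```powershell
# Added example, not part of the course: classify an executable as 16-bit (will not
# run on x64 Windows Server 2008), 32-bit (runs under WOW64) or native 64-bit by
# reading its MS-DOS, NE and PE headers. The sample byte arrays are constructed.

function Get-ImageArchitecture {
    param([byte[]]$Bytes)
    # Every Windows executable starts with the MS-DOS 'MZ' header.
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { return 'NotExecutable' }
    # e_lfanew at offset 0x3C points at the secondary (NE or PE) header, if there is one.
    $lfanew = [BitConverter]::ToInt32($Bytes, 0x3C)
    if ($lfanew -lt 0x40 -or $lfanew + 6 -gt $Bytes.Length) { return 'DOS16' }   # plain MS-DOS program
    $sig = [Text.Encoding]::ASCII.GetString($Bytes, $lfanew, 2)
    if ($sig -eq 'NE') { return 'Win16' }                                        # Windows 3.x "New Executable"
    if ($sig -ne 'PE' -or $Bytes[$lfanew + 2] -ne 0 -or $Bytes[$lfanew + 3] -ne 0) { return 'Unknown' }
    # IMAGE_FILE_HEADER.Machine follows the 4-byte "PE\0\0" signature.
    switch ([BitConverter]::ToUInt16($Bytes, $lfanew + 4)) {
        0x014C  { 'x86' }      # runs under WOW64
        0x8664  { 'x64' }      # native
        0x0200  { 'IA64' }     # Itanium; will not run on x64
        default { 'Unknown' }
    }
}

function Get-ImageArchitectureFromFile {
    param([string]$Path)
    Get-ImageArchitecture ([IO.File]::ReadAllBytes($Path))
}

function New-TestImage {
    # Build a minimal header: 'MZ', e_lfanew = 0x40, then the given secondary header.
    param([byte[]]$Secondary)
    $b = New-Object byte[] (0x40 + $Secondary.Length)
    $b[0] = 0x4D; $b[1] = 0x5A
    [BitConverter]::GetBytes([int32]0x40).CopyTo($b, 0x3C)
    $Secondary.CopyTo($b, 0x40)
    ,$b
}

# Constructed samples (not real files): PE x86, PE x64, NE (Win16) and a bare DOS program.
$dos = New-Object byte[] 0x40; $dos[0] = 0x4D; $dos[1] = 0x5A      # e_lfanew left at 0
$samples = @{
    'app32.exe'   = New-TestImage ([byte[]](0x50, 0x45, 0, 0, 0x4C, 0x01))
    'app64.exe'   = New-TestImage ([byte[]](0x50, 0x45, 0, 0, 0x64, 0x86))
    'setup16.exe' = New-TestImage ([byte[]](0x4E, 0x45, 0, 0, 0, 0))
    'legacy.exe'  = $dos
}

foreach ($name in $samples.Keys) {
    $arch = Get-ImageArchitecture $samples[$name]
    $verdict = switch ($arch) {
        'x64'   { 'native on x64' }
        'x86'   { 'runs under WOW64' }
        'Win16' { 'will NOT run on x64 (no NTVDM)' }
        'DOS16' { 'will NOT run on x64 (no NTVDM)' }
        default { 'unsupported' }
    }
    '{0,-12} {1,-6} {2}' -f $name, $arch, $verdict
}

# Against a real install folder:
#   Get-ChildItem 'C:\Program Files\SomeApp' -Recurse -Include *.exe, *.dll |
#       ForEach-Object { '{0,-6} {1}' -f (Get-ImageArchitectureFromFile $_.FullName), $_.FullName }
```

Pay particular attention to setup programs and helper tools shipped alongside a 32-bit application: a Win16 installer is the usual reason an otherwise compatible application cannot be deployed on x64.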


For more information, see the Application Considerations When
Upgrading to Windows Server 2008 page on the TechNet Web site at
http://technet.microsoft.com/en-us/library/cc771576(WS.10).aspx.

Lesson 4
Automating Windows Server 2008 Deployment

In a small organization, performing each server installation manually is a
reasonable way to manage server installations. However, larger organizations may
want to standardize and speed up installation by automating deployment.
Depending on the existing infrastructure in your organization, you may choose to
use the Windows Automated Installation Kit (WAIK), Windows Deployment
Services (WDS), or the Microsoft Deployment Toolkit (MDT).
Objectives
After completing this lesson, you will be able to:
Describe the considerations for automated deployments.
Describe the considerations for using WAIK.
Create an answer file.
Describe the considerations for using WDS.
Describe the purpose of MDT.
Considerations for Automated Deployment

Key Points
An automated deployment is an installation in which user input is limited or not
required during the installation of Windows Server 2008. An automated
deployment can be performed in several different ways. The method you select will
be based on your needs and your existing infrastructure. Methods available for
automated deployment include answer files, Windows Deployment Services, and
the Microsoft Deployment Toolkit.
The main benefits of automated deployment are:
Consistent configuration. When the deployment process is automated, you
know that the operating system on each new server is configured in exactly the
same way. This helps avoid configuration problems and is very useful for
larger organizations with multiple servers.
Faster deployment. After the deployment process has been developed, it is
very fast to deploy new servers. The time required varies depending on the
deployment process, but in some cases, deployment may take only 15
minutes.
The main disadvantages of automated deployment are:
Difficulty customizing configuration. The standard configuration created by
an automated deployment process may not be suitable for all servers. The
automatically deployed server must then be customized after installation.
Slowness of creation and testing of the deployment process compared with
the manual installation of a single server. In a smaller organization with only
a few servers, it may take longer to create and test an automated deployment
process than it would to perform several server installations.

What Is WAIK?

Key Points
The Windows Automated Installation Kit (WAIK) includes a number of tools to
simplify the deployment of Windows Vista SP1 and Windows Server 2008 through
automation. The two main tools included with WAIK are:
Windows System Image Manager (WSIM). This tool is used to create answer
files that are used to perform unattended installations. The answer file
contains instructions used during the installation process. Any information
that is normally provided interactively during the installation can be placed in
the answer file instead.
ImageX. This tool is used to perform imaging of the operating system. After an
initial installation is performed, the operating system is configured as you
would like it, with the appropriate applications and updates. Then you use
sysprep to generalize the operating system before using ImageX to create an
image of it. To save disk space, the Windows Imaging (WIM) files created by
ImageX can contain multiple images, and files that are common between the images
are stored only once in the WIM file. Images can also be mounted and modified
offline. Because the image is deployed many times, whatever is in the reference
installation ends up on every server: patch it before capture and service it
offline when new updates ship, remove any local accounts or credentials you used
while building it, and treat the WIM file as sensitive, since anyone who can
modify it can change every server deployed from it.
WAIK also includes a large amount of documentation to help you develop an
automated installation. Some of the documentation includes:
Windows Setup Technical Reference. This document provides information
about how setup.exe performs installations and how the installation can be
automated by using an answer file.
Windows System Image Manager Technical Reference. This document
describes how to use WSIM to create answer files that can be used to perform
unattended installations.
ImageX Technical Reference. This document describes how to use ImageX to
perform imaging operations.
Sysprep Technical Reference. This document describes how to use sysprep to
prepare an operating system for imaging or for delivery to a customer.
Package Manager Technical Reference. This document describes how to
perform offline maintenance of a Windows image.


For more information about WAIK, see the Windows Automated
Installation Kit (Windows AIK) User's Guide page on the TechNet Web
site at http://go.microsoft.com/fwlink/?LinkID=160964&clcid=0x409.

Demonstration: Creating an Answer File

An answer file for an automated installation is created by using the Windows
System Image Manager. The settings you can select are based on a catalog file that
is included on the Windows Server 2008 installation media. You can also create a
new catalog file based on a WIM file.
There are seven possible passes during setup that can be automated:
windowsPE. This pass automates installation controlled by WindowsPE
during the first stage of installation. Disk partitioning is possible at this stage.
offlineServicing. This pass is used to apply settings to an existing WIM file
offline. You can add Windows packages such as language packs.
generalize. This pass is used to apply settings when the operating system is
being generalized by sysprep.
specialize. This pass is used to apply settings either during a regular
installation or when a sysprepped operating system is being configured.
auditSystem. This pass applies settings in the system context when the computer
starts in audit mode (sysprep /audit), before any user logs on. It is typically
used to install device drivers into a generalized image that is being updated.
auditUser. This pass applies settings in the user context once the built-in
administrator has logged on in audit mode. It is typically used to install and
test applications in a generalized image. Neither audit pass runs during a
normal installation; after the changes are made, the image is generalized again
with sysprep /generalize before it is captured.
oobeSystem. This pass automates the Out-of-Box Experience (Windows
Welcome).


For more information about the Windows Setup configuration passes,
see the Windows Setup Configuration Passes section of the Unattended
Windows Setup Reference.
High-level steps:
1. Open Windows System Image Manager.
2. Select a catalog file.
3. Create a new answer file.
4. Add the desired settings to the answer file.
5. Save the answer file.
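The following PowerShell script is an added example and is not part of the course material; it serves both the description of Windows System Image Manager above and this demonstration. It holds a minimal answer file for an unattended Windows Server 2008 x64 installation, loads it, lists which configuration pass each component runs in and what it sets, and flags passwords that are stored in clear text, which is the property of answer files that most often goes wrong in practice. The element names and the publicKeyToken are the ones WSIM writes; the disk layout, image index, computer name and password are constructed sample values. No product key is included: a KMS client takes the public setup key for its edition, and a MAK should never sit in a shared answer file.

```powershell
# Added example, not part of the course: a minimal answer file for an unattended
# Windows Server 2008 x64 installation, held in a here-string and inspected from
# PowerShell. Element names and publicKeyToken are as WSIM writes them; the disk
# layout, image index, computer name and password are constructed sample values.

$Unattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <DiskConfiguration>
        <Disk wcm:action="add">
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <!-- 1.5 GB system partition kept separate so BitLocker can be enabled later -->
            <CreatePartition wcm:action="add"><Order>1</Order><Type>Primary</Type><Size>1536</Size></CreatePartition>
            <CreatePartition wcm:action="add"><Order>2</Order><Type>Primary</Type><Extend>true</Extend></CreatePartition>
          </CreatePartitions>
          <ModifyPartitions>
            <ModifyPartition wcm:action="add"><Order>1</Order><PartitionID>1</PartitionID><Active>true</Active><Format>NTFS</Format></ModifyPartition>
            <ModifyPartition wcm:action="add"><Order>2</Order><PartitionID>2</PartitionID><Format>NTFS</Format><Letter>C</Letter></ModifyPartition>
          </ModifyPartitions>
        </Disk>
      </DiskConfiguration>
      <ImageInstall>
        <OSImage>
          <InstallFrom><MetaData wcm:action="add"><Key>/IMAGE/INDEX</Key><Value>1</Value></MetaData></InstallFrom>
          <InstallTo><DiskID>0</DiskID><PartitionID>2</PartitionID></InstallTo>
        </OSImage>
      </ImageInstall>
      <UserData><AcceptEula>true</AcceptEula></UserData>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ComputerName>SRV-BUILD01</ComputerName>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserAccounts>
        <AdministratorPassword><Value>Sample-Pa55word</Value><PlainText>true</PlainText></AdministratorPassword>
      </UserAccounts>
      <OOBE><HideEULAPage>true</HideEULAPage><ProtectYourPC>1</ProtectYourPC></OOBE>
    </component>
  </settings>
</unattend>
'@

$Doc = [xml]$Unattend
$Ns  = New-Object Xml.XmlNamespaceManager $Doc.NameTable
$Ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

function Get-AnswerFilePasses {
    # One row per component: which configuration pass it runs in and what it sets.
    foreach ($s in $Doc.SelectNodes('/u:unattend/u:settings', $Ns)) {
        foreach ($c in $s.SelectNodes('u:component', $Ns)) {
            New-Object PSObject -Property @{
                Pass      = $s.GetAttribute('pass')
                Component = $c.GetAttribute('name')
                Settings  = (@($c.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } |
                              ForEach-Object { $_.LocalName }) -join ', ')
            }
        }
    }
}

function Get-AnswerFileSecrets {
    # Passwords in an answer file are clear text unless PlainText is false, and WSIM's
    # "Hide Sensitive Data" only base64-encodes them. Either way the file is a
    # credential: keep it off shared media. Setup caches a copy under
    # %WINDIR%\Panther with password values removed, but the original is untouched.
    foreach ($p in $Doc.SelectNodes('//u:AdministratorPassword | //u:Password', $Ns)) {
        $plain = $p.SelectSingleNode('u:PlainText', $Ns)
        New-Object PSObject -Property @{
            Element   = $p.LocalName
            Pass      =  $p.SelectSingleNode('ancestor::u:settings', $Ns).GetAttribute('pass')
            PlainText = ($plain -eq $null -or $plain.InnerText -eq 'true')
        }
    }
}

Get-AnswerFilePasses | Format-Table Pass, Component, Settings -AutoSize
Get-AnswerFileSecrets | Where-Object { $_.PlainText } |
    ForEach-Object { Write-Warning "$($_.Element) in pass $($_.Pass) is stored in clear text" }
# $Doc.Save('D:\autounattend.xml')   # Setup reads Autounattend.xml from the root of removable media
```

Step 4 of the demonstration is where the password ends up in the file; the warning this script prints is the reminder to keep the answer file on a protected share, to use a build-only administrator password that is changed on first logon, and to scrub the file from any media that leaves the build room.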

Considerations for Using Windows Deployment
Services (WDS)

Key Points
Windows Deployment Services (WDS) is a Windows Server 2008 tool that is used
to automate the deployment of Windows operating systems. Deployment can be
done with image files or by using an unattended installation.
When using WDS, keep the following considerations in mind:
By using WDS, you gain centralized administration over operating system
installations. You can trigger imaging operations from a single central location
rather than at each computer. When a large number of servers or client
computers are being installed, WDS helps simplify the process.
In most cases, you will use Pre-Boot Execution Environment (PXE) to connect
the computers with the WDS server. This requires that your computers
support PXE booting. PXE booting is a common feature in current computers,
but it must be enabled in the BIOS. DHCP is used during the PXE boot
process and must be properly configured.
WDS is also capable of using multicasts for imaging. With multicasting,
multiple computers can be imaged in the same amount of time as a single
computer, because each image is received by multiple computers at the same
time. Network routers must be configured to allow multicasting. Many
organizations disable multicasting on routers.
When a computer boots from PXE, a Windows PE boot image is downloaded
to memory and used to perform the imaging process. The Windows PE boot
image that is downloaded must have support for the network adapter in the
computer being imaged.


For more information about WDS, see Module 4: Using Windows
Deployment Services in Course 6418B, Deploying Windows Server 2008.

What Is the Microsoft Deployment Toolkit?

Key Points
Microsoft Deployment Toolkit (MDT) provides technology for deploying Windows
operating systems, the 2007 Microsoft Office system, and Microsoft Office 2003.
Microsoft Deployment is the next version of Business Desktop Deployment (BDD)
2007. However, the larger focus of Microsoft Deployment is on methodology and
best practices. By following the guidance in Microsoft Deployment, teams are
putting into action proven best practices that Microsoft uses in its own
development projects and that are based on the Microsoft Solutions Framework
(MSF).
MDT shows you how to use the new deployment tools together as part of an end-
to-end deployment process. MDT also provides tools and scripts to increase
automation and lower costs, as well as leveraging and enhancing other Microsoft
tools and products.
Server Deployment Challenges
Server deployment introduces some unique challenges beyond those presented by
workstation deployment. Hardware configurations are often more complicated,
and network configuration may involve static IP addresses, multiple network
adapters, and advanced network components, such as TCP/IP offloading, Network
Load Balancing, and clustering.
Server operating system configuration is more complex than workstation operating
system configuration. For example, server disk configuration is complicated, as it
involves redundant array of independent disks (RAID) controllers, original
equipment manufacturer (OEM) configuration partitions, and Storage Area
Network (SAN) configurations. Correct server role installation and configuration is
very important, security is crucial, and upgrades are more common in some
scenarios.
MDT Deployment Approaches
MDT provides guidance for the following types of deployment:
Zero Touch Installation (ZTI) deployment for Microsoft System Center
Configuration Manager (SCCM) 2007. If the organization has an existing
System Center Configuration Manager infrastructure, teams can use that
infrastructure to capture the reference operating system image and efficiently
deploy it to client computers.
ZTI deployment for Systems Management Server (SMS) 2003. If the
organization has an existing Systems Management Server 2003 infrastructure,
use ZTI deployment to capture the reference operating system image, and then
deploy it using Systems Management Server 2003.
Lite Touch Installation (LTI) deployment. If the organization does not have
a System Center Configuration Manager or Systems Management Server 2003
infrastructure, teams can use the LTI process to capture reference operating
system images, and then deploy them across the network.

Question: Why would you use MDT in addition to WAIK or WDS?

Lab: Planning a Windows Server 2008 Deployment


Note: Your instructor may run this lab as a class discussion.
A. Datum Corporation has a single head office with a single datacenter that hosts
all servers. The servers in the datacenter are running a mix of Windows 2000
Server, Windows Server 2003, and Windows Server 2003 R2. The organization has
entered into a new volume licensing agreement with Microsoft that allows all
servers to be updated to Windows Server 2008.
Exercise 1: Creating a Planning Flowchart for a Windows Server 2008 Deployment
Scenario
You have been tasked with creating a flowchart to help the IT staff in A. Datum
Corporation decide how to upgrade or migrate individual servers to Windows
Server 2008. This flowchart needs to help determine how the process is
accomplished and which edition of Windows Server 2008 will be used.
Sara Davis, the IT manager, has provided some information about what she
expects the flowchart to include and how to approach the task.
The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create the flowchart.

Task 1: Read the supporting documentation
Supporting Documentation
E-mail thread of correspondence with Sara Davis:
Gregory Weber
From: Sara Davis [Sara@adatum.com]
Sent: 18 July 2009 11:30
To: Gregory@adatum.com
Subject: Re: Server Upgrade Flowchart
Greg,
I don't have a lot of preconceived notions about how this should be put together. I just
know that we need some sort of tool to help us in our decision-making process
during the upgrades. I'd rather have one person (you) do the research and
planning once than have the process repeated each time we do a server upgrade.
Since we've entered into the new volume licensing agreement, it makes sense to
implement Windows Server 2008 whenever possible.
I don't have a complete list of criteria that need to be taken into account. You'll
need to determine what is appropriate. However, some of the criteria I was
thinking of are:
32-bit vs. 64-bit
Upgrade vs. migrate
Application compatibility

The best way to approach this project is to generate a list of relevant criteria for the
decision-making process. Then you can arrange them into a flowchart that
represents the decision-making process.
In some cases, we'll have new hardware. In some cases, we won't have new
hardware. Your flowchart will need to take into account both situations.
Regards,
Sara.
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 18 July 2009 10:01
To: Sara@adatum.com
Subject: Server Upgrade Flowchart
Sara,
I would like to confirm some of the details regarding the flowchart assignment you
gave me in the meeting this morning. As I understand it, you would like others on
the team to be able to use this flowchart to determine how any given server in our
organization can be updated to using Windows Server 2008. Is this correct?
Do you have any specific criteria that you think need to be taken into account?
Are there any assumptions I can make about new hardware?
Regards,
Greg

Task 2: Create the flowchart
1. On a piece of paper, generate a list of relevant criteria that must be considered
during the upgrade or migration process.
2. Use the list of criteria you have generated to create a flowchart for determining
whether to upgrade or migrate.
3. Use the list of criteria you have generated to create a flowchart for determining
which edition of Windows Server 2008 you should use.
4. Use the list of criteria you have generated to create a flowchart for determining
whether to use a 32-bit or 64-bit operating system.

Results: After this exercise, you should have created flowcharts to help to determine
how to upgrade or migrate an existing server to Windows Server 2008.

Exercise 2: Planning a Windows Server 2008 Deployment
Scenario
Several servers in the A. Datum Corporation datacenter have been identified as the
first candidates for migration to Windows Server 2008. For each of these servers,
you must determine the process to be used.
The main tasks for this exercise are as follows:
1. Create a deployment plan for the archive file server.
2. Create a deployment plan for the main file server.
3. Create a deployment plan for the antivirus server.
4. Create a deployment plan for the human resources application server.

Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 22 July 2009 09:05
To: Gregory@adatum.com
Subject: Re: First batch of server upgrades to Windows Server 2008
Attachments: Archive File Server.docx
Main File Server.docx
Antivirus Server.docx
Human Resources Application Server.docx
Greg,
I've attached a document for each server. It includes the relevant information we've
documented for each server as well as the questions we need answered to perform
the upgrade or migration.
Regards,
Alan.
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 20 July 2009 08:45
To: Alan@adatum.com
Subject: First batch of server upgrades to Windows Server 2008
Alan,
We're going to be doing some server upgrades to Windows Server 2008 soon. Can
you please send me the analysis that you performed on the archive file server, main
file server, antivirus server, and human resources application server?
Thanks.
Greg

Deployment Plan: Archive File Server
Document Reference Number: GW0688/1
Document Author: Gregory Weber
Date: 20th July
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take advantage of
the more efficient file-sharing protocols in Windows Server 2008.
The archive file server is used to store older data that is accessed only occasionally.
Extended outages are possible with notification.
It is used only as a file server. It has no other functions.
The hardware is relatively new, and no new hardware has been allocated for this server.
Additional Information
This server is currently running a 32-bit version of Windows Server 2003 R2.
Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?


2. Which edition of Windows Server 2008 will be used?


3. Will 32-bit or 64-bit Windows Server 2008 be used?




Deployment Plan: Main File Server
Document Reference Number: GW0689/1
Document Author: Gregory Weber
Date: 20th July
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take advantage of
the more efficient file-sharing protocols in Windows Server 2008.
The main file server is mission critical and cannot be taken out of production during
business hours. Downtime must be limited to less than one day.
It is used only as a file server. It has no other functions.
This server should support cross-file replication for DFS. This may be implemented in
the future to support remote offices, and the cross-file replication will reduce
synchronization traffic on the WAN.
Data for this file server is stored on a Fiber Channel Storage Area Network (SAN).
New hardware has been allocated for this server if required.
Additional Information
Clients access this file server through mapped drive letters that are created by a logon
script.
Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?


2. Which edition of Windows Server 2008 will be used?


3. Will 32-bit or 64-bit Windows Server 2008 be used?


4. How will downtime be minimized?




Deployment Plan: Antivirus Server
Document Reference Number: GW0690/1
Document Author: Gregory Weber
Date: 25th July
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to standardize the
server operating systems.
The antivirus server can experience an outage of 24 hours without impacting clients.
New hardware has been allocated for this server.
Additional Information
The antivirus application has not been tested by the vendor in 64-bit environments and
is not supported in 64-bit environments.
Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?


2. Which edition of Windows Server 2008 will be used?


3. Will 32-bit or 64-bit Windows Server 2008 be used?




Deployment Plan: Human Resources Application Server
Document Reference Number: GW0691/1
Document Author: Gregory Weber
Date: 25th July
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take advantage of
the performance improvements in IIS 7.
The existing server is consistently short on memory, and a new server with 8 GB of
memory has been allocated to address this.
The application data is also stored on this server and must be taken into account.
There can be no downtime during business hours.
The new server should support failover clustering, as it is being considered for the
future.
Additional Information
None
Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?


2. Which edition of Windows Server 2008 will be used?


3. Will 32-bit or 64-bit Windows Server 2008 be used?


4. What process will you use to minimize downtime?



Task 1: Create a deployment plan for the archive file server
1. Read the supporting documentation for the archive file server.
2. Update the proposal document by answering the questions.

Task 2: Create a deployment plan for the main file server
1. Read the supporting documentation for the main file server.
2. Update the proposal document by answering the questions.

Task 3: Create a deployment plan for the antivirus server
1. Read the supporting documentation for the antivirus server.
2. Update the proposal document by answering the questions.

Task 4: Create a deployment plan for the human resources application
server
1. Read the supporting documentation for the human resources application server.
2. Update the proposal document by answering the questions.

Results: After this exercise, you should have created a deployment plan for the archive
file server, the main file server, the antivirus server, and the human resources
application server.
Module Review and Takeaways

Review Questions
1. Why is change management important when deploying Windows Server
2008?

2. When selecting a version of Windows Server 2008, which factors should you
take into account?

3. Is it better to upgrade an existing server or migrate to new hardware?

4. In which situations is automated deployment preferred to a manual
installation?

Common Issues Related to Deploying Windows Server 2008
Identify the causes for the following common issues related to Windows Server
2008, and fill in the troubleshooting tips. For answers, refer to the relevant lessons
in the module.
Issue Troubleshooting Tip
Application incompatibility
Device driver availability
Servers requiring activation

Real-World Issues and Scenarios
1. You want to install Windows Server 2008 as a host for virtualization. This
server will host three virtual machines. Which is the most cost-effective version
of Windows Server 2008 to obtain?

2. You have a line-of-business application that runs on a 32-bit server with
Windows Server 2003 Standard Edition. You would like to migrate this server
to a 64-bit edition of Windows Server 2008 to take advantage of increased
memory. What process should you use to ensure that downtime is limited?

3. You are deploying Windows Server 2008 on ten servers in three locations. To
simplify documentation and management, you would like all ten servers to
have the same configuration. How does automating server deployment help to
ensure that the configuration is the same for all ten servers?


Best Practices Related to Windows Server 2008 Deployment
Supplement or modify the following best practices for your own work situations:
Remember to consider CALs when upgrading to Windows Server 2008.
In virtualized environments, consider using Windows Server 2008 Datacenter
to simplify server licensing.
Choose a 64-bit version of Windows Server 2008 if necessary drivers and
software are compatible. This also helps with greater memory access.
When possible, perform a migration to Windows Server 2008 rather than an
upgrade.
When deploying Windows Server 2008 to multiple computers, consider the
use of automated deployment.

Tools
Tool: Microsoft Solution Accelerators
Use for: Obtaining tools and guidance for deploying Microsoft technologies
Where to find it: On the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=165474&clcid=0x409

Tool: Microsoft Assessment and Planning Toolkit
Use for: Identifying whether your organization is ready to deploy Windows Server 2008
Where to find it: On the Microsoft Assessment and Planning Toolkit page on the TechNet
Web site at http://go.microsoft.com/fwlink/?LinkID=160958&clcid=0x409

Tool: Windows Automated Installation Kit
Use for: Automating the installation of Windows Server 2008
Where to find it: On the Automated Installation Kit (AIK) for Windows Vista SP1 and
Windows Server 2008 page on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=165476&clcid=0x409

Tool: Windows Deployment Services
Use for: Centrally creating and deploying Windows Server 2008 images
Where to find it: A server role in Windows Server 2008

Tool: Microsoft Deployment Toolkit
Use for: Planning and performing automated installations of Windows Server 2008
Where to find it: On the Microsoft Deployment Toolkit page on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=165477&clcid=0x409

Module 2
Planning Network Infrastructure for
Windows Server 2008
Contents:
Lesson 1: Planning IPv4 Addressing 2-3
Lesson 2: Planning for Name Resolution Services 2-14
Lesson 3: Determining the Need for WINS 2-27
Lesson 4: Planning a Perimeter Network 2-37
Lesson 5: Planning an IPv4 to IPv6 Transition Strategy 2-42
Lab: Planning Network Infrastructure for Windows Server 2008 2-50
Module Overview

Network infrastructure services play an important role in providing the foundation
for additional, higher-level services, such as Active Directory directory service, and
for applications, such as messaging and database systems. It is vital that you plan
the deployment of these foundation services with great care to ensure the smooth
running of mission-critical applications.
Objectives
After completing this module, you will be able to:
Plan an IPv4 addressing strategy.
Plan the deployment and configuration of DNS servers.
Determine how to handle NetBIOS names within your organization.
Place appropriate servers in your perimeter network.
Plan an IPv4 to IPv6 transition strategy.

Lesson 1
Planning IPv4 Addressing

In order to properly implement network services, it is important that you have a
thorough understanding of IPv4 addressing. Good understanding of IPv4
addressing enables you to make appropriate decisions about the configuration
and placement of network servers within your IPv4 infrastructure.
Objectives
After completing this lesson, you will be able to:
Describe an IP subnet.
Plan an IPv4 addressing scheme.
Select an appropriate IPv4 addressing scheme.
Plan the implementation of DHCP Servers.
Allocate IPv4 addresses by using DHCP.

What Is a Subnet?

Key Points
A subnet is a network's physical segment, which a router or routers separate from
the rest of the network. When your Internet service provider (ISP) assigns your
network a Class A, B, or C address range, you often must subdivide the range to
match your network's physical layout. You subdivide a large network into logical
subnets.
When you subdivide a network into subnets, you create a unique ID for each
subnet, which you derive from the main network ID. To create subnets, you must
allocate some of the bits in the host ID to the network ID, which enables you to
create more networks.
By using subnets, you can:
Use a single Class A, B, or C network across multiple physical locations.
Class   First octet   Default subnet mask   Number of networks   Number of hosts per network
A       1-127         255.0.0.0             126                  16,777,214
B       128-191       255.255.0.0           16,384               65,534
C       192-223       255.255.255.0         2,097,152            254

Reduce network congestion by segmenting traffic and reducing broadcasts on
each segment.
Overcome limitations of current technologies, such as exceeding the
maximum number of hosts that each segment can have. For example, Ethernet
can have no more than 1,024 hosts on a network. However, dividing the
segment into further segments increases the total number of allowable hosts.

A subnet mask specifies which part of an IPv4 address is the network ID and
which is the host ID. A subnet mask has four octets, similar to an IPv4 address.
In simple IPv4 networks, the subnet mask defines full octets as part of the network
ID and host ID. A 255 represents an octet that is part of the network ID, and a 0
represents an octet that is part of the host ID.
In complex networks, you might subdivide one octet with some bits that are for
the network ID and some for the host ID. Classless addressing, or Classless Inter-
Domain Routing (CIDR), is when you use more or less than a whole octet for
subnetting. This type of subnetting uses a different notation, which the following
example shows:
172.16.16.1/255.255.240.0
The following example shows the more common representation of classless IPv4
addressing:
172.16.16.1/20
The /20 gives the number of mask bits (the prefix length); this prefix notation is
used with Variable Length Subnet Masking (VLSM).
Private IP addresses are commonly used for local area networks (LANs). These
private IP address ranges are non-routed on the global Internet. An organization
needing a private address space can use these addresses without approval from an
ISP.
Private address ranges include:
Class   Mask             Range
A       10.0.0.0/8       10.0.0.0-10.255.255.255
B       172.16.0.0/12    172.16.0.0-172.31.255.255
C       192.168.0.0/16   192.168.0.0-192.168.255.255

Additional Reading
For more information see Address Allocation for Private Internets:
http://go.microsoft.com/fwlink/?LinkID=163880&clcid=0x409

Planning an IPv4 Addressing Scheme

Key Points
In order to select an appropriate addressing scheme for your organization, you
must:
Choose whether to use public or private IPv4 addresses.
Calculate the number of subnets required. Determine how many subnets your
network needs, then choose the number of subnet bits n such that 2^n is at
least that number.
Calculate the number of hosts in each subnet. Choose the number of host bits n
such that 2^n-2 is at least the largest number of hosts in any subnet; the two
addresses subtracted are the subnet ID and the broadcast address.
Select an appropriate subnet mask(s).
When you have determined these factors, you must then:
Calculate the subnet addresses. To determine subnet addresses quickly, you
can use the lowest value bit in the subnet mask. For example, if you choose to
subnet the network 172.16.0.0 by using 3 bits, this would mean using
255.255.224.0 as the subnet mask. The decimal 224 is 11100000 in binary,
and the lowest bit has a value of 32, so that will be the increment between each
subnet address.
Determine the range of host addresses within each subnet. Each subnet's range
of host addresses runs from the address one higher than the subnet ID (the first
host) to the address two lower than the next subnet ID (the last host); the
address one lower than the next subnet ID is that subnet's broadcast address.
Implement the planned addressing scheme.
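The following Python script is an added example and is not part of the course or of any Microsoft tool. It carries the planning steps above through in code: the 2^n and 2^n-2 sizing rules, conversion between a dotted-decimal mask and the /prefix notation introduced under "What Is a Subnet?", the lowest-mask-bit increment, and the subnet ID, first host, last host and broadcast address for every subnet. It uses the course's own example (172.16.0.0 subnetted with 3 bits, giving 255.255.224.0 and an increment of 32); the function names are the example's own.

```python
"""IPv4 subnet planning calculator (added example; not part of the course).
Implements the 2^n and 2^n-2 sizing rules, dotted mask <-> /prefix
conversion, the lowest-mask-bit increment, and the subnet ID / host range
listing from the planning steps."""
import ipaddress


def subnet_bits_needed(subnets_required):
    """Smallest n with 2**n >= subnets_required."""
    n = 0
    while 2 ** n < subnets_required:
        n += 1
    return n


def host_bits_needed(hosts_required):
    """Smallest n with 2**n - 2 >= hosts_required. The two excluded values
    are the subnet ID (host bits all 0) and the broadcast address (all 1)."""
    n = 2
    while 2 ** n - 2 < hosts_required:
        n += 1
    return n


def mask_from_prefix(prefix_len):
    """Dotted-decimal mask for /prefix_len, e.g. 20 -> '255.255.240.0'."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def prefix_from_mask(mask):
    """Inverse of mask_from_prefix; rejects non-contiguous masks such as
    255.255.0.255, which are not valid subnet masks."""
    prefix_len = bin(int(ipaddress.IPv4Address(mask))).count("1")
    if mask_from_prefix(prefix_len) != mask:
        raise ValueError("non-contiguous subnet mask: " + mask)
    return prefix_len


def subnet_increment(prefix_len):
    """(octet index, step): the octet in which the mask ends and the value
    of its lowest set bit, i.e. the increment between subnet IDs. For a /19
    the third octet is 11100000 (224), lowest bit 32 -> (2, 32)."""
    if not 1 <= prefix_len <= 32:
        raise ValueError("prefix length must be 1..32")
    octet_index = (prefix_len - 1) // 8
    bits_in_octet = prefix_len - 8 * octet_index
    return octet_index, 2 ** (8 - bits_in_octet)


def plan_subnets(network_cidr, subnet_bits):
    """Borrow subnet_bits from the host ID of network_cidr and list each
    subnet's ID, first and last usable host, and broadcast address."""
    net = ipaddress.ip_network(network_cidr, strict=True)
    new_prefix = net.prefixlen + subnet_bits
    if new_prefix > 30:
        raise ValueError("fewer than two usable hosts per subnet")
    block = 2 ** (32 - new_prefix)           # addresses per subnet
    base = int(net.network_address)
    plan = []
    for i in range(2 ** subnet_bits):
        sid = base + i * block               # subnet ID: host bits all 0
        plan.append({
            "subnet": "%s/%d" % (ipaddress.IPv4Address(sid), new_prefix),
            "mask": mask_from_prefix(new_prefix),
            "first_host": str(ipaddress.IPv4Address(sid + 1)),         # ID + 1
            "last_host": str(ipaddress.IPv4Address(sid + block - 2)),  # next ID - 2
            "broadcast": str(ipaddress.IPv4Address(sid + block - 1)),  # next ID - 1
        })
    return plan


if __name__ == "__main__":
    # The course's example: 172.16.0.0 subnetted with 3 bits.
    for entry in plan_subnets("172.16.0.0/16", 3):
        print(entry)
    print("increment:", subnet_increment(19))
```

The arithmetic is done on 32-bit integers rather than on octet strings so that the same code handles a mask that ends in any octet; `prefix_from_mask` refuses masks whose set bits are not contiguous, a configuration error that otherwise surfaces only as unreachable hosts.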

Discussion: Selecting an Appropriate IPv4 Addressing
Scheme

Key Points
Question: Contoso.com has implemented IPv4 throughout the organization. It is
currently implementing a new head office building. The office will host 5,000
computers distributed fairly evenly across 10 floors of these offices. What address
class would suit this scenario?
Question: Analysis of the network traffic at the existing head office shows that the
maximum number of hosts per subnet should be around 100. How many subnets
are required, and assuming a network address for the whole site of 172.16.0.0,
what mask should you use to ensure sufficient support for the required subnets?

Question: Assuming the network address for the head office is 172.16.0.0/19,
what mask would you assign to each subnet?
Question: How many hosts can you have in each subnet based on your selected
mask?
Question: Assuming you implement the mask you determined for each subnet,
what would the first subnet address be?
Question: What are the first and last host addresses for the first subnet?

Planning the Deployment of DHCP Servers

Key Points
You can configure static IPv4 configuration manually for each of your network's
computers. IPv4 configuration includes:
IPv4 address
Subnet mask
Default gateway
DNS server

Static configuration requires that you visit each computer and input the IPv4
configuration. This method of computer management becomes very time-
consuming if your network has more than 20 users. Additionally, making a large
number of manual configurations increases the risk that mistakes will occur.
DHCPv4 enables you to assign automatic IPv4 configuration for large numbers of
computers without having to assign each one individually. The DHCP service
receives requests for IPv4 configuration from computers that you configure to
obtain an IPv4 address automatically, and assigns IPv4 information from scopes
that you define for each of your network's subnets. The DHCP service identifies the
subnet from which the request originates, and assigns IP configuration from the
relevant scope.
Considerations for Planning DHCP Servers
In order to provide continued IPv4 functionality, the DHCP server must remain
online at all times to service renewal requests. However, to increase high
availability of the addressing service, consider deploying multiple DHCP servers.
When deploying DHCP servers, consider the following factors:
DHCP servers do not communicate with one another. Therefore, if you
configure duplicate or overlapping scopes on the servers, duplicate IP
addresses could be allocated, leading to network problems. Consider using the
80/20 rule to help to address this issue.
Routers do not typically forward the broadcast packets used by DHCP clients
during the initial configuration and renewal phases. Therefore, it is necessary
to implement additional functionality or protocols in order to ensure that
client computers that reside within subnets with no local DHCP server can still
obtain an IP address dynamically.
The DHCP service is disk intensive. Consequently, you must implement
DHCP on servers with an optimized disk subsystem.
Use shorter lease durations where there is a shortage of addresses available in
a pool.

Demonstration: Allocating IPv4 Addresses with DHCP

Key Points
Deploy an additional DHCP server in the adatum.com domain.
Authorize the server in Active Directory.
Create the necessary scopes to support the 80/20 rule for two subnets.

High-level steps:
Deploy the DHCP server role on the SEA-SVR1 server.
Create an IPv4 scope on SEA-SVR1 that provides 80 percent of the IPv4
addresses for subnet 1; the remainder is excluded from allocation.
Create a second IPv4 scope that provides 20 percent of the IPv4 addresses for
subnet 2; the remainder is excluded from allocation.
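The following Python script is an added example, not part of the course or of Microsoft's DHCP tooling. It models the scopes from the demonstration above as address sets (SEA-SVR1 allocates 80 percent of subnet 1 and 20 percent of subnet 2, with the remainder excluded) and then checks the risk described under Considerations for Planning DHCP Servers: because DHCP servers do not coordinate, any address allocatable from two servers for the same subnet is a duplicate-lease risk. The subnet addresses 10.10.1.0/24 and 10.10.2.0/24 and the partner server name EXISTING-DHCP are constructed for the example.

```python
"""80/20 DHCP scope planning check (added example; not part of the course).
Builds each server's allocatable address set from a whole-subnet scope minus
exclusions, then reports addresses that two servers could both lease."""
import ipaddress


def usable_range(subnet_cidr):
    """First and last usable host address of a subnet, as integers."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return int(net.network_address) + 1, int(net.broadcast_address) - 1


def split_80_20(subnet_cidr, primary_share=80):
    """Split the usable range: the primary server allocates primary_share
    percent, the partner the remainder. Returns two (start, end) tuples."""
    first, last = usable_range(subnet_cidr)
    count = (last - first + 1) * primary_share // 100
    return (first, first + count - 1), (first + count, last)


def scope(subnet_cidr, exclusions):
    """Allocatable addresses of a scope that covers the whole subnet with the
    given exclusion ranges, as the demonstration does (define the full
    range, exclude the partner server's share)."""
    first, last = usable_range(subnet_cidr)
    allocatable = set(range(first, last + 1))
    for start, end in exclusions:
        allocatable -= set(range(start, end + 1))
    return allocatable


def demo_plan():
    """Two constructed /24 subnets. SEA-SVR1 takes 80% of subnet 1 and 20%
    of subnet 2; the existing server (name assumed) takes the complement."""
    sub1, sub2 = "10.10.1.0/24", "10.10.2.0/24"
    sub1_big, sub1_small = split_80_20(sub1)
    sub2_big, sub2_small = split_80_20(sub2)
    return {
        "SEA-SVR1": {sub1: scope(sub1, [sub1_small]),
                     sub2: scope(sub2, [sub2_big])},
        "EXISTING-DHCP": {sub1: scope(sub1, [sub1_big]),
                          sub2: scope(sub2, [sub2_small])},
    }


def find_overlaps(plan):
    """{(server1, server2, subnet): sorted dotted addresses} for every
    address two servers could both lease for the same subnet."""
    overlaps = {}
    servers = list(plan)
    for i, s1 in enumerate(servers):
        for s2 in servers[i + 1:]:
            for subnet in plan[s1].keys() & plan[s2].keys():
                shared = plan[s1][subnet] & plan[s2][subnet]
                if shared:
                    overlaps[(s1, s2, subnet)] = [
                        str(ipaddress.IPv4Address(a)) for a in sorted(shared)]
    return overlaps


def summarize(plan):
    """{server: {subnet: (first, last, count)}} in dotted notation."""
    out = {}
    for server, scopes in plan.items():
        out[server] = {}
        for subnet, addrs in scopes.items():
            if not addrs:
                out[server][subnet] = (None, None, 0)
                continue
            lo, hi = min(addrs), max(addrs)
            out[server][subnet] = (str(ipaddress.IPv4Address(lo)),
                                   str(ipaddress.IPv4Address(hi)), len(addrs))
    return out


if __name__ == "__main__":
    plan = demo_plan()
    print(summarize(plan))
    print("overlaps:", find_overlaps(plan) or "none")
    # Forgetting the exclusion on one server reintroduces the overlap.
    plan["EXISTING-DHCP"]["10.10.1.0/24"] = scope("10.10.1.0/24", [])
    print("overlaps after dropping an exclusion:", len(find_overlaps(plan)))
```

Run the check against the planned scopes and exclusions before the scopes are activated; the 80/20 rule only works while the exclusion on each server exactly matches the partner's allocatable share, and the second part of the script shows how a single missing exclusion silently produces 203 addresses that both servers may lease.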

Question: Why is it important to authorize DHCP servers?
Lesson 2
Planning for Name Resolution Services

Name resolution provides the foundation for many network services. The Domain
Name System (DNS) has been widely adopted as the standard for name resolution
in IP networks. To ensure that network services can function optimally, you must
plan your DNS implementation carefully.
Objectives
After completing this lesson, you will be able to:
Describe the name resolution process.
Plan your DNS name space.
Plan DNS zones.
Describe DNS forwarding and when to use forwarding.
List the considerations for deploying the DNS role.
Deploy the DNS server role.
How DNS Names Are Resolved

Key Points
When DNS names are resolved on the Internet, an entire system of computers is
used rather than just a single server. There are 13 root servers on the Internet that
are responsible for managing the overall structure of DNS resolution.
For example, the name resolution process for the name www.microsoft.com is:
A workstation queries the local DNS server for the IP address of
www.microsoft.com.
If the local DNS server does not have the information, then it queries a root
DNS server for the location of the .com DNS servers.
The local DNS server queries a .com DNS server for the location of the
Microsoft.com DNS servers.
The local DNS server queries the Microsoft.com DNS server for the IP address
of www.microsoft.com.
The IP address of www.microsoft.com is returned to the workstation.
The name resolution process can be modified by:
Caching. After a local DNS server resolves a DNS name, it will cache the
results for approximately 24 hours. Subsequent resolution requests for the
DNS name are given the cached information.
Forwarding. A DNS server can be configured to forward DNS requests to
another DNS server instead of querying root servers. For example, requests for
all Internet names can be forwarded to a DNS server in your perimeter
network, or else to a DNS server at your ISP.
Planning Your DNS Namespace

Key Points
When you begin planning your DNS name space, you must consider both the
internal name space as well as the external name space. There is no requirement
for you to implement the same DNS domain name internally that you have
externally. When implementing a domain name for your internal DNS name space,
there are three possible strategies:
Select a matching domain name internally, for example adatum.com. This
provides simplicity, which is why it is often a suitable choice for smaller
organizations.
Choose a different domain name, for example adatum.priv. This provides for
obvious separation in the name space. In complex networks with many
Internet-facing applications, use of a different name introduces some clarity
when configuring these applications. For example, edge servers, placed in your
perimeter network, often require multiple network interface cards, one
connected to the private network, and one servicing requests from the public
network. If they each have different domain names, it is often easier to
complete the configuration of that server.
Implement a child domain of the public domain name, for example
priv.adatum.com. This provides a hybrid approach; the name is different,
allowing for separation of the name space, but also related to the public name,
providing simplicity.

Planning DNS Zones

Key Points
In essence, a zone is a database that stores the information about a part of the DNS
name space. Often, the zone maps on a one-to-one basis with the DNS domains. If
you create a subdomain, for example south.adatum.com, then you must consider
how to implement the domain name into your DNS infrastructure.
There are essentially two approaches:
You can create a new zone for the new DNS domain name. This zone will have
its own DNS name servers, and you must configure a relationship between the
new child DNS domain name and its parent, adatum.com.
The alternative method is to create a subdomain in the existing adatum.com
zone. In this scenario, no name servers exist within the south.adatum.com
child domain; rather, the DNS servers in the parent domain, adatum.com,
service name query requests for hosts assigned a south.adatum.com DNS
name.

Planning for Subdomains
The choice about whether to implement separate zones for child subdomains is
primarily based on two factors:
Administrative separation. If you want to provide for a degree of
administrative separation of the name space, you can choose to create multiple
zones, each with its own administrator.
Performance. If the child subdomain is large, and hosts many records, use
delegation so that the domain has its own DNS servers to host the zone; this
provides for higher performance.
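The following Python script is an added example, not part of the course or of the Windows DNS server. It simulates three things the preceding pages describe: the step-by-step walk from a root server to the .com servers to the authoritative server for www.microsoft.com ("How DNS Names Are Resolved"), the caching and forwarding that modify that walk, and the difference between a delegated child zone (south.adatum.com with its own name server, as in the demonstration later in this lesson) and a subdomain whose records stay inside the parent adatum.com zone. The delegation tree, the subdomain east.adatum.com, the host names other than SEA-DC1 and SEA-SVR1, and all addresses (203.0.113.10 from the documentation range, 10.x.x.x private addresses) are constructed for the example.

```python
"""Toy iterative DNS resolver (added example; not part of the course).
Models the root -> TLD -> authoritative walk, a 24-hour cache, forwarding
to another server, and delegated zone vs. in-zone subdomain."""


def fqdn(name):
    """Normalise to a lower-case, dot-terminated name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


class AuthServer:
    """Authoritative server for one zone: answers from its own records or
    refers the querier to the server of a delegated child zone."""

    def __init__(self, zone, records=None, delegations=None):
        self.zone = fqdn(zone)
        self.records = {fqdn(k): v for k, v in (records or {}).items()}
        self.delegations = {fqdn(k): v for k, v in (delegations or {}).items()}

    def query(self, name):
        name = fqdn(name)
        if name in self.records:
            return "answer", self.records[name]
        for child, server in self.delegations.items():
            if name == child or name.endswith("." + child):
                return "referral", server
        return "nxdomain", None


class LocalDnsServer:
    """Caching server that walks from its root hint, or forwards every
    miss to another LocalDnsServer (e.g. one in the perimeter network)."""
    DEFAULT_TTL = 24 * 3600   # the course's "approximately 24 hours"

    def __init__(self, root_hint, forwarder=None, ttl=DEFAULT_TTL):
        self.root_hint = root_hint
        self.forwarder = forwarder
        self.ttl = ttl
        self.cache = {}        # name -> (address, expiry time)

    def resolve(self, name, now=0):
        """Return (address or None, list of hops taken to get it)."""
        name = fqdn(name)
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], ["cache"]
        if self.forwarder is not None:
            address, hops = self.forwarder.resolve(name, now)
            hops = ["forwarder"] + hops
        else:
            address, hops = self._iterate(name)
        if address is not None:
            self.cache[name] = (address, now + self.ttl)
        return address, hops

    def _iterate(self, name):
        server, hops = self.root_hint, []
        while True:
            hops.append(server.zone)
            kind, payload = server.query(name)
            if kind == "answer":
                return payload, hops
            if kind == "nxdomain":
                return None, hops
            server = payload   # referral: ask the child zone's server next


def build_tree():
    """Constructed delegation tree using the course's example names."""
    microsoft = AuthServer("microsoft.com",
                           records={"www.microsoft.com": "203.0.113.10"})
    # Delegated child zone: has its own server and records.
    south = AuthServer("south.adatum.com",
                       records={"sea-svr1.south.adatum.com": "10.20.0.5"})
    adatum = AuthServer("adatum.com",
                        records={"sea-dc1.adatum.com": "10.10.0.10",
                                 # Subdomain held inside the parent zone:
                                 # no delegation, the parent answers itself.
                                 "fs1.east.adatum.com": "10.30.0.7"},
                        delegations={"south.adatum.com": south})
    com = AuthServer("com", delegations={"microsoft.com": microsoft,
                                         "adatum.com": adatum})
    return AuthServer(".", delegations={"com": com})


if __name__ == "__main__":
    root = build_tree()
    perimeter = LocalDnsServer(root)                     # uses root hints
    internal = LocalDnsServer(root, forwarder=perimeter)  # forwards everything
    print(perimeter.resolve("www.microsoft.com"))
    print(perimeter.resolve("www.microsoft.com", now=60))    # served from cache
    print(internal.resolve("sea-svr1.south.adatum.com"))     # via forwarder + delegation
    print(internal.resolve("fs1.east.adatum.com"))           # parent zone answers
```

The hop list returned with each answer is the point of the example: a delegated child zone adds a hop to its own server, while a subdomain kept inside the parent zone is answered by the parent's server, and a forwarding server never contacts the root itself, which is why the course recommends a single central forwarder for Internet resolution.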

Planning for Zone Transfers
After you have determined how many zones you will create, you must determine
the type of zones and how zone information will be replicated, or transferred,
between the name servers that service the zone. There are a number of choices:
You can implement Active Directory integrated zones. In this event, all domain
controllers that also host the DNS role receive zone data automatically through
Active Directory replication. This is the simplest approach, and the most
secure as Active Directory replication traffic is authenticated and encrypted.
Alternatively, you can implement non-Active Directory integrated zones. In this
instance, when you deploy the DNS role and create your zones, you must
define whether the zone is primary or secondary. A primary zone is an editable
copy of the zone, while a secondary zone is read-only, and provided for
servicing client queries. The secondary zone receives its zone data from a
master server on a periodic basis. You must define the relationship between
the secondary zone and its master server, which may be either a DNS server in
the primary zone, or another secondary DNS server. In addition, you must
enable and configure zone transfers.

Best Practice
Use Active Directory integrated zones to simplify zone transfers.
What Is DNS Forwarding?

Key Points
A forwarder is a network DNS server that forwards DNS queries for external DNS
names to DNS servers outside that network. You also can use conditional
forwarders to forward queries according to specific domain names.
A network DNS server is designated a forwarder when other DNS servers in the
network forward to it the queries that they cannot resolve locally. By using a
forwarder, you can manage name resolution for names outside your network, such
as names on the Internet, and improve the efficiency of name resolution for your
network's computers.
The server that is forwarding requests in the network must be able to communicate
with the DNS server located on the Internet. This means either you configure it to
forward requests to another DNS server or it uses root hints to communicate.
Best practices
Use a central forwarder DNS server for Internet name resolution. This can improve
performance, simplify troubleshooting, and is a security best practice.
You can use stub zones instead of conditional forwarding to handle name
resolution between specific domains. Use stub zones when you want a DNS server
hosting a parent zone to remain aware of the authoritative DNS servers for one of
its child zones.
Use stub zones if you want to provide for dynamic conditional forwarding.
Considerations for the DNS Role

Key Points
When planning to deploy DNS, there are several considerations that you must
review. These considerations include:
How many DNS zones will you configure on the server?
How many DNS records will each zone contain?
How many DNS clients will be communicating with the server on which you
configure the DNS role?
Where will you place DNS servers?
Will you place the servers centrally or does it make more sense to locate DNS
servers in branch offices?

Active Directory Integration
The Windows Server 2008 DNS role can store the DNS database in two different
ways, as shown in the following table.
Storage method     Description
Text file          The DNS server role stores the DNS entries in a text file, which you
                   can edit with a text editor.
Active Directory   The DNS server role stores the DNS entries in the Active Directory
                   database; this database can be replicated to other domain
                   controllers, even if they do not run the Windows Server 2008 DNS
                   role. You cannot use a text editor to edit DNS data that Active
                   Directory stores.

Active Directory integrated zones are easier to manage than traditional text-based
zones, and are more secure. The replication of zone data occurs as part of Active
Directory replication.
DNS Server Placement
Typically, you will deploy the DNS role on all domain controllers. If you decide to
implement some other strategy, keep the following points in mind:
How will client computers resolve names in the event of their usual DNS
server becoming unavailable?
What will the impact on network traffic be if client computers start to use an
alternate DNS server, perhaps distantly located?
How will you implement zone transfers? Active Directory integrated zones use
Active Directory replication to transfer the zone to all other domain
controllers. If you implement non-Active Directory integrated zones, you must
plan the zone transfer mechanism yourself.

Demonstration: Deploying the DNS Server Role

Key Points
Deploy an additional DNS server in the adatum.com domain.
Configure delegation for a subdomain.
Configure a DNS zone on the new server.

High-level steps:
1. Deploy the DNS server role to the SEA-SVR1 server.
2. On SEA-DC1, create a DNS delegation for the south.adatum.com subdomain.
3. Reconfigure the DNS suffix of the SEA-SVR1 server to south.adatum.com.
4. On SEA-SVR1, create the south.adatum.com zone.
5. Reconfigure the network properties on SEA-SVR1 and test DNS resolution.
6. Configure and test DNS forwarding on the SEA-SVR1 server.

Question: What is the difference between a DNS subdomain and a delegated
zone?

Lesson 3
Determining the Need for WINS

NetBIOS is a session management protocol, implemented over TCP/IP networks as
NetBT. Traditionally, NetBIOS applications rely on broadcasts to facilitate name
registration, name release, and name querying. Windows Internet Naming Service
(WINS) is a NetBIOS name server that you can use to resolve NetBIOS names to
IPv4 addresses. WINS provides a centralized database for registering dynamic
mappings of NetBIOS names used on a network. If you have NetBIOS applications,
it is important you understand how the WINS service works in order to plan the
placement of WINS servers. In addition, you should understand how WINS
integrates with DNS in order to plan your migration from WINS.
Objectives
After completing this lesson, you will be able to:
Describe when WINS is required.
Plan a WINS server deployment.
Implement the WINS feature.
Describe the GlobalNames zone.
Implement the GlobalNames zone.

When Is WINS Required?

Key Points
WINS resolves NetBIOS names to IP addresses, which can reduce NetBIOS
broadcast traffic and enable clients to resolve the NetBIOS names of computers
that are on different network segments (subnets).
There are several reasons WINS remains necessary on many networks. The main
reason is because some applications still use NetBIOS to provide functionality to
users.
WINS is required for the following reasons:
Older versions of Microsoft operating systems rely on WINS for name
resolution.
Some applications, typically older ones, rely on NetBIOS names.
You may need dynamic registration of single-label names.
Users may rely on the Network Neighborhood or My Network Places network
browser features.
You may not be using Windows Server 2008 as your DNS infrastructure.

You must deploy the WINS feature before a computer running Windows Server
2008 can become a WINS server. Configure a WINS server with a static IP
address, because client computers contact the WINS server by IP address rather
than by name. Note also that NetBIOS name registration and query (UDP port 137)
are not authenticated: any host that can reach that port can register a name
or answer a query, so keep WINS servers and NetBIOS traffic on internal
segments, restrict WINS replication (TCP port 42) to the configured partners,
and do not expose either to the perimeter network.

Note: WINS is an IPv4-only service, and it will not work in an IPv6 environment.
In addition to WINS, NetBIOS names can be resolved by broadcast or by
maintaining LMHOSTS files on every computer. Broadcasts do not work well on
large networks because routers do not forward them, so a broadcast can only
resolve names on the local subnet. An LMHOSTS file is a high-maintenance
solution because the file must be updated on every computer whenever a
mapping changes.
WINS Considerations

Key Points
The complete Windows Server 2008 WINS system includes the following
components:
WINS server. This computer processes name registration requests from WINS
clients, registers client names and IP addresses, and responds to NetBIOS
name queries that clients submit. The WINS server then returns the IP address
of a queried name if the name is listed in the server database.
WINS database. This database stores and replicates the NetBIOS name-to-IP
address mappings for a network.
WINS clients. These computers are configured to query a WINS server
directly. WINS clients dynamically register their NetBIOS names with a WINS
server.
WINS proxy agent. This computer monitors name query broadcasts on a
subnet and forwards those queries directly to a WINS server. A WINS proxy
agent enables NetBIOS-enabled computers that are unable to communicate
directly with a WINS server to resolve NetBIOS names of remote computers.

When you configure multiple WINS servers, it is important that you configure
replication between them. This ensures that the integrity of the NetBIOS names
database is maintained. WINS servers that are replication partners can implement
replication in one of three ways:
Push replication. With push replication, after a threshold of changes has
occurred, the WINS server pushes the changes to its replication partners. You
can configure the threshold value.
Pull replication. With pull replication, a WINS server periodically pulls
changes down from its replication partners. You can configure the interval
value.
Push/Pull replication. Both push and pull replication are configured between
the replication partners, so changes flow in both directions.

Demonstration: Deploying the WINS Feature

Key Points
Deploy the WINS feature to the SEA-DC1 computer.
Use the NBTSTAT utility to register records.
Examine records with the WINS management console.

High-level steps:
1. Deploy the WINS server feature on the SEA-DC1 server.
2. Reconfigure the network settings on SEA-DC1 to use WINS for name
resolution.
3. Register NetBIOS records with the WINS server and examine these records.
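The three demonstration steps above, written as a script. This is an added example and is not part of the course material or of the lab scripts; it assumes it is run in an elevated PowerShell prompt on SEA-DC1, and the IP addresses 10.10.0.10 (SEA-DC1) and 10.10.0.11 (a second WINS server used as replication partner) and the adapter name "Local Area Connection" are constructed for the example. The netsh wins partner syntax in the last step is stated from memory and marked as an assumption in the code.

```powershell
# Added example (not from the course): the WINS demonstration as a script.
# Assumptions (constructed for the lab, adjust to your environment):
#   - SEA-DC1's own IPv4 address is 10.10.0.10
#   - the LAN adapter is named "Local Area Connection"
#   - a second WINS server at 10.10.0.11 will be the replication partner
$WinsServer = '10.10.0.10'
$Partner    = '10.10.0.11'
$Nic        = 'Local Area Connection'

function Invoke-Native {
    # Run a native command and stop the script if it reports failure.
    param([string]$Description, [scriptblock]$Command)
    Write-Host "== $Description"
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Description failed (exit code $LASTEXITCODE)" }
}

# Step 1: install the WINS server feature. ServerManagerCmd.exe is the
# Windows Server 2008 command-line installer; on Windows Server 2008 R2 use
#   Import-Module ServerManager; Add-WindowsFeature WINS-Server
Invoke-Native 'Install WINS-Server feature' { ServerManagerCmd.exe -install WINS-Server }

# Step 2: point SEA-DC1's own TCP/IP stack at the WINS server with a static
# entry (this is the "reconfigure the network settings" step).
Invoke-Native 'Set WINS server on adapter' {
    netsh interface ipv4 set winsservers name="$Nic" source=static address=$WinsServer
}

# Step 3: release and re-register the local NetBIOS names, then list them.
# A member computer registers its computer name with the service suffixes
# <00> (Workstation) and <20> (Server); a domain controller also registers
# the domain name with <1C> (Domain Controllers group) and, if it is the
# domain master browser, <1B>.
Invoke-Native 'Re-register NetBIOS names' { nbtstat -RR }
nbtstat -n        # names this computer registered
nbtstat -c        # remote names cached from WINS lookups and broadcasts

# Optional: add the partner for push/pull replication. ASSUMED syntax:
# type 0 = pull, 1 = push, 2 = push/pull. Confirm with
#   netsh wins server add partner /?
# before relying on it.
Invoke-Native 'Add replication partner' {
    netsh wins server \\$env:COMPUTERNAME add partner server=$Partner type=2
}
```

The nbtstat output from step 3 is the answer to the question that follows: the registered entries are the computer name with its service suffixes and, on a domain controller, the domain name entries. Compare the list against what the WINS console shows under Active Registrations.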

Question: What NetBIOS records does a typical Windows computer register with
its WINS server?
What Is the GlobalNames Zone?

Key Points
The GlobalNames Zone (GNZ) is a new feature of Windows Server 2008. The GNZ
provides single-label name resolution for large enterprise networks that do not
deploy WINS. Some networks may require the ability to have static, global records
with single-label names that WINS currently provides. These single-label names
refer to well-known and widely used servers with statically assigned IP addresses. A
GNZ is manually created and is not available for dynamic registration of records.
GNZ is intended to help customers migrate to DNS for all name resolution; the
DNS Server role in Windows Server 2008 supports the GNZ feature.
GNZ assists in the migration from WINS, but it is not a replacement for WINS.
It is not intended to hold the names that WINS registers dynamically, which
typically are not managed by IT administrators. Supporting those dynamically
registered records in a GNZ does not scale, especially for larger customers
with multiple domains or forests.
The recommended GNZ deployment is an Active Directory Domain Services
(AD DS)-integrated zone, named GlobalNames, that is distributed globally (that
is, replicated to all DNS servers in the forest).
Instead of using the GNZ, you can choose to configure DNS and WINS integration.
You do this by configuring the DNS zone properties to perform WINS-lookups for
NetBIOS-compliant names. The advantage of this approach is that you can
configure client computers to only use a single name service, DNS, and still be able
to resolve NetBIOS-compliant names.
Best Practice
If your organization relies heavily on NetBIOS applications, continue to use WINS.
If you plan to migrate from WINS to DNS, implement WINS integration on your
DNS zones. When you have decommissioned most of your NetBIOS applications,
or only have a few NetBIOS applications, use the GNZ to manage static, single-
label names.
Demonstration: Implementing the GlobalNames Zone

Key Points
Enable and configure the GlobalNames zone for the adatum.com forest.
Configure WINS-lookup on the adatum.com zone.
Compare WINS-lookup with the GNZ.

High-level steps:
1. On SEA-DC1, enable support for the GlobalNames zone.
2. Configure DNS/WINS integration on the adatum.com DNS zone.
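The following script covers both the GNZ description in the previous topic and the two demonstration steps above, using dnscmd.exe on SEA-DC1. It is an added example, not part of the course or its lab files. Assumptions, constructed for the example: the forest is adatum.com, a file server SEA-FS1 is reached by users under the single-label name FILESRV, and the WINS server is 10.10.0.10. The GNZ commands are the documented deployment steps; the data layout of the WINS record in step 2 is stated from memory and marked as an assumption in the code, so check it against the tool's help before use.

```powershell
# Added example (not from the course): GlobalNames zone and DNS/WINS
# integration from the command line, run in an elevated prompt on SEA-DC1.
# Assumptions (constructed): forest adatum.com, file server sea-fs1.adatum.com
# known to users as FILESRV, WINS server at 10.10.0.10.
$Dns  = 'SEA-DC1'
$Zone = 'adatum.com'
$Wins = '10.10.0.10'

function Invoke-Dnscmd {
    # Run dnscmd against $Dns and fail loudly on a non-zero exit code.
    param([string[]]$Arguments)
    $out = & dnscmd.exe $Dns $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $out" }
    $out
}

# Step 1: enable GNZ support, then create the zone as an AD-integrated primary
# with forest-wide replication, which is the deployment the course recommends.
Invoke-Dnscmd @('/Config', '/EnableGlobalNamesSupport', '1')
Invoke-Dnscmd @('/ZoneAdd', 'GlobalNames', '/DsPrimary', '/DP', '/forest')

# GNZ records are static CNAMEs that point at the host's real FQDN, so the
# target must itself resolve normally. Dynamic update stays off (the answer to
# the question below is "no"): the zone is maintained by administrators and
# write access is governed by the AD ACL on the zone object, unlike an
# unauthenticated WINS registration.
Invoke-Dnscmd @('/Config', 'GlobalNames', '/AllowUpdate', '0')
Invoke-Dnscmd @('/RecordAdd', 'GlobalNames', 'FILESRV', 'CNAME', 'sea-fs1.adatum.com')

# Step 2: DNS/WINS integration is a WINS record at the root of the forward
# lookup zone (the GUI path is the zone's Properties, WINS tab). ASSUMED data
# order: MapFlag LookupTimeout CacheTimeout IPAddress, with 0 = replicate the
# record to secondaries, 5 = lookup timeout in seconds, 600 = cache timeout.
# Confirm with "dnscmd /RecordAdd /?" before using this line.
Invoke-Dnscmd @('/RecordAdd', $Zone, '@', 'WINS', '0', '5', '600', $Wins)

# Compare the two mechanisms: FILESRV is answered from the GNZ as a static
# CNAME; a name that is not in any zone or the GNZ is looked up in WINS.
nslookup FILESRV $Dns
nslookup SOMEOLDHOST $Dns

# Check: the zone's update setting, for the change record.
Invoke-Dnscmd @('/ZoneInfo', 'GlobalNames') | Select-String 'update'
```

The comparison in the last step is the point of the demonstration: the GNZ answer is a record an administrator created and that replicates with AD DS, while the WINS-lookup answer is whatever the WINS database currently holds for that name. Only the first gives you a controlled, auditable mapping.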

Question: Can you enable dynamic update on the GlobalNames zone?

Lesson 4
Planning a Perimeter Network

In order to make your network applications available to users connected to the
Internet, you must publish these applications. A common way of publishing these
applications, while maintaining security, is to use servers placed in a perimeter
network.
Objectives
After completing this lesson, you will be able to:
Describe a perimeter network.
Determine which services should be deployed to the perimeter network.

What Is a Perimeter Network?

Key Points
There are a number of different ways that you can configure your perimeter
network, and these include:
Three-legged firewall. A single device or computer with multiple network
interface cards, one of which is Internet facing, another of which is connected
to the perimeter network, and the remaining card being connected to the
intranet. Software installed on the host is used to create the separation
between the networks. The separation is achieved through filtering on the
firewall device so that only specified traffic is passed between the interfaces
designated as public, private, and perimeter. This solution works well for
smaller networks; however, because the one firewall device is connected directly
to all three networks, a single misconfiguration or compromise of that device
exposes the intranet as well as the perimeter, so it provides weaker isolation
than the dual-firewall design described next.
Dual back-to-back firewalls. In this scenario, two firewalls are connected in
sequence across three networks: the Internet, your perimeter network, and
your corporate intranet. The network to which both firewalls are connected is
the perimeter network. The firewalls are configured to allow only appropriate
traffic to pass between their connected networks. This is a more complex and
expensive solution because it requires additional hardware and software to
configure; however, it provides for a more secure environment and is the
configuration of choice for larger networks.

Through the combination of hardware and software, and with appropriate
configuration, you should be able to create a perimeter network with the degree
of network isolation that you require, while at the same time allowing for the
necessary communication between devices located in each of the three networks.
Best Practice
Only deploy services that you specifically need in your perimeter network, and
always publish services where possible, rather than physically deploy servers to the
perimeter.
Which Services Should Be Placed In the Perimeter
Network?

Key Points
It is rare for an organization to operate without the need to connect its network
infrastructure to the Internet. At the very least, most organizations use e-mail
applications to conduct some elements of their core business.
Conduct an audit of the network services that you have within your organization
and determine which services must be available to users from the Internet. Then
consider how you want to make those services available. For example, if users
require access to their e-mail while they work away from their office, consider the
use of Web-based e-mail solutions because these are often easier to make securely
available.

Note: Applications can be configured to use specific Transmission Control Protocol (TCP)
ports; indeed, many applications can be configured to use only Hypertext Transfer
Protocol (HTTP) or HTTP Secure (HTTPS). This means that you can configure the Internet-
facing firewall to allow only TCP ports 80 and 443 inbound. Limiting the open ports
reduces the attack surface of the perimeter, but it does not inspect what passes over
those ports: whatever the published application accepts on port 443 still reaches it.
The application itself must therefore be hardened and patched, and the perimeter
firewall rules should be paired with a host firewall on each published server that
allows only the published service from the Internet and management traffic only
from the intranet.
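The host-firewall side of that note, on a Windows Server 2008 Web server placed in the perimeter network. This is an added example and is not part of the course; it uses netsh advfirewall, which is the Windows Server 2008 command-line interface to Windows Firewall with Advanced Security. The intranet range 10.10.0.0/16 and the choice of RDP for management are constructed for the example.

```powershell
# Added example (not from the course): host firewall for a published Web
# server in the perimeter network, run in an elevated prompt on that server.
# Assumptions (constructed): the intranet is 10.10.0.0/16 and administrators
# manage the server over RDP from the intranet only.
$Intranet = '10.10.0.0/16'

# Default deny inbound on every profile: nothing is reachable unless a rule
# below allows it. This is the host-level form of "only what you need".
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# The published service: HTTP and HTTPS, reachable from anywhere.
netsh advfirewall firewall add rule name="Published Web (80/443)" dir=in action=allow protocol=TCP localport=80,443

# Management: only from the intranet address range, never from the
# Internet-facing side. A rule without remoteip would expose RDP to the Internet.
netsh advfirewall firewall add rule name="RDP from intranet" dir=in action=allow protocol=TCP localport=3389 remoteip=$Intranet

# Check 1: what the server actually listens on. Anything here other than
# 80, 443 and 3389 is a service that should not run on a perimeter host, or
# that needs its own explicit, scoped rule.
netstat -ano -p TCP | Select-String 'LISTENING'

# Check 2: the inbound rules that exist, for the change record.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String '^(Rule Name|Enabled|LocalPort|RemoteIP|Action)'
```

Run the two checks again after every change to the server's role: the listening-port list is the quickest way to notice that an installed feature has opened something the published-service rule set does not cover.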
Typical Perimeter Applications
Although not an exhaustive list, the following table helps identify common
applications that you might need to make available in your perimeter network.
Application: E-mail
Protocols: Post Office Protocol 3 (POP3), Internet Message Access Protocol 4
(IMAP4), Simple Mail Transfer Protocol (SMTP), Outlook Web Access (HTTPS),
Outlook Anywhere (HTTPS), Exchange ActiveSync (HTTPS)
Comments: Microsoft Exchange Server 2007 supports extensive publishing
through Microsoft ISA Server. In addition, the Exchange Edge Transport server
role provides SMTP relay from the perimeter network.

Application: Web server
Protocols: HTTP, HTTPS
Comments: Place the Web servers directly in the perimeter network or publish
them with ISA Server.

Application: Active Directory
Protocols: LDAP
Comments: It is inadvisable to place domain controllers in the perimeter
network. If your edge application requires access to Active Directory,
consider deploying Active Directory Lightweight Directory Services (AD LDS)
in the perimeter.

Application: Web conferencing
Protocols: HTTPS, Session Initiation Protocol (SIP), Persistent Shared Object
Model (PSOM), Real-time Transport Protocol (RTP), RTP Control Protocol (RTCP)
Comments: Microsoft Office Communications Server supports edge servers to
extend conferencing to Internet participants. In addition, an ISA Server or
other reverse proxy is required to enable some conferencing features.

Application: Instant messaging
Protocols: SIP
Comments: SIP is the industry-standard protocol used for instant messaging.

Lesson 5
Planning an IPv4 to IPv6 Transition Strategy

IPv6 is a critical technology that will help ensure that the Internet can support a
growing user base and the increasingly large number of IP-enabled devices. The
current IPv4 has served as the underlying Internet protocol for almost 30 years. Its
robustness and scalability are now challenged by the growing need for new IP
addresses, due in large part to the rapid growth of network-aware devices, and by
its limited feature set. IPv6 is slowly becoming more common. While adoption may
be slow, it is important to understand how this technology will affect current
networks and how to integrate IPv6 into those networks.
Objectives
After completing this lesson, you will be able to:
Describe the benefits of IPv6 over IPv4.
Describe IPv6 addressing.
Describe the IPv6 transition technologies.

Benefits of IPv6

Key Points
Support for IPv6, a new suite of standard protocols for the Internet's Network
layer, is built into Windows Server 2008.
The IPv6 protocol provides the following benefits:
Large address space. The 32-bit IPv4 address space allows for 2^32, or
4,294,967,296, possible addresses. The 128-bit IPv6 address space allows for
2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456, possible addresses.
Hierarchical addressing and routing infrastructure. The IPv6 address space
is designed to be more efficient for routers, which means that even though
there are many more addresses, routers can process data much more efficiently
because of address optimization.
Stateless and stateful address configuration. An IPv6 host can configure
itself without DHCP: it learns the network prefix and the default router from
Router Advertisements and derives its own address, which is enough for it to
reach the Internet. This is stateless address autoconfiguration. Stateful
address configuration uses the DHCPv6 protocol to assign the address. DHCPv6
can also run in a stateless mode, in which the host still derives its own
address from the Router Advertisement but obtains the other settings, such as
DNS server addresses, from DHCPv6.
Built-in security. Support for IP security (IPsec) is part of the IPv6 protocol
suite, whereas in IPv4 it is an extension of the protocol. Built in does not
mean on by default: traffic is protected only when you define IPsec policies
and a key-management method, exactly as with IPv4. Where IPv6 helps is with
network address translators (NATs): a NAT that rewrites the IPv4 source or
destination address or port invalidates IPsec integrity data, which is why
IPsec across a NAT needs special handling. NAT was conceived to extend the
life of public IPv4 addresses; the IPv6 address space removes the need for it
and restores end-to-end communication.
Prioritized delivery. The IPv6 header contains Traffic Class and Flow Label
fields that let network devices recognize that a packet belongs to a flow that
should be processed at a specified rate. This allows traffic prioritization.
For example, when streaming video, it is critical that the packets arrive in a
timely manner; you can set these fields so that network devices treat the
delivery as time sensitive.
Neighbor discovery. IPv6 Neighbor Discovery replaces ARP and gives much better
detection of other devices and hosts on the local link. You can use this to
create ad hoc networks through which you can share information.
Extensibility. Finally, IPv6 has been designed with extension headers so that
you can extend it with far fewer constraints than IPv4.

What Is the IPv6 Address Space?

Key Points
The most obvious distinguishing feature of IPv6 is its use of much larger addresses.
IPv4 IP addresses are expressed in four groups of decimal numbers, such as
192.168.1.1.
Each grouping of numbers represents a binary octet. In binary, the preceding
number is:
11000000.10101000.00000001.00000001 (4 octets = 32 Bits)
The size of an address in IPv6 is 128 bits, which is four times larger than an IPv4
address. IPv6 addresses also are expressed as hexadecimal addresses in their
readable format. For example, 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A.
Such addresses are unwieldy for people to type. However, the assumption is that
average users will rely on DNS names to resolve hosts and rarely will type IPv6
addresses manually. Hexadecimal also converts to and from binary more directly
than dotted decimal, because each hex digit is exactly four bits. This simplifies
working with subnets and calculating hosts and networks.
Working with IPv6 Addresses
To convert a 128-bit binary IPv6 address to its hexadecimal form, perform the
following steps:
Break the 128 bits into eight groups of 16 bits.
Convert each 16-bit group into four hexadecimal characters by taking the bits
four at a time.
Within each set of four bits, weight the positions 1, 2, 4, and 8 starting from
the right and moving left; read from the left, the weights are therefore 8, 4,
2, and 1. In the set 0010, the leftmost bit is worth 8, the next 4, the next 2,
and the rightmost 1.
To derive the hexadecimal value of the four bits, add the weights of the bits
that are set to 1. In 0010, the only bit set to 1 is the one worth 2, and the
rest are zero, so the hex value is 2. In 1111 all four bits are set, so the
value is 8 + 4 + 2 + 1 = 15, which is hex F.

Examples
The following example takes one 16-bit block of the 128-bit address,
[0010][1111][0011][1011], and converts its first two groups of four bits:

Binary                             0010             1111
Value of each bit position         8 4 2 1          8 4 2 1
Add the values where the bit = 1   0+0+2+0 = 2      8+4+2+1 = 15, or hex F

The remaining two groups, 0011 and 1011, give 3 and B in the same way, so the
whole block is 2F3B.

The following example is a single IPv6 address in binary form. Note that the binary
representation of the IP address is quite long. The following two lines of binary
numbers is one IP address:
0010000000000001000011011011100000000000000000000010111100111011
0000001010101010000000001111111111111110001010001001110001011010
The 128-bit address is divided along 16-bit boundaries (eight groupings of
16 bits):
0010000000000001 0000110110111000 0000000000000000
0010111100111011 0000001010101010 0000000011111111
1111111000101000 1001110001011010
Each boundary is further broken into sets of four bits. Applying the methodology
described above, convert the IPv6 address. The following table shows the binary
and corresponding hexadecimal values for each set of four bits:
Binary Hexadecimal
[0010][0000][0000][0001] [2][0][0][1]
[0000][1101][1011][1000] [0][D][B][8]
[0000][0000][0000][0000] [0][0][0][0]
[0010][1111][0011][1011] [2][F][3][B]
[0000][0010][1010][1010] [0][2][A][A]
[0000][0000][1111][1111] [0][0][F][F]
[1111][1110][0010][1000] [F][E][2][8]
[1001][1100][0101][1010] [9][C][5][A]

Each 16-bit block expressed as four hex characters then is delimited with colons.
The result is as follows:
2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
You can simplify IPv6 representation further by removing the leading zeros within
each 16-bit block. However, each block must have at least a single digit. With
leading zero suppression, the address representation becomes the following:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
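The conversion worked through above, as a script that can be checked rather than done by hand. This is an added example and is not part of the course. It reproduces the two forms shown above from the 128-bit example, and it goes one step further than the text: after leading-zero suppression it also applies the "::" compression of the longest run of all-zero blocks that RFC 4291 allows, which the page's address does not trigger because it has only one zero block. The second input address is constructed to show that case.

```powershell
# Added example (not from the course): binary -> hexadecimal IPv6 conversion,
# leading-zero suppression, and "::" compression (RFC 4291). Hex digits are
# kept uppercase to match the course's notation.

function ConvertFrom-IPv6Binary {
    # 128 binary digits (whitespace ignored) -> eight colon-delimited blocks
    # of four hex characters, one hex character per four bits.
    param([Parameter(Mandatory=$true)][string]$Bits)
    $b = $Bits -replace '\s', ''
    if ($b.Length -ne 128 -or $b -notmatch '^[01]+$') {
        throw "Expected 128 binary digits, got $($b.Length) characters"
    }
    $blocks = for ($i = 0; $i -lt 128; $i += 16) {
        '{0:X4}' -f [Convert]::ToUInt16($b.Substring($i, 16), 2)
    }
    return ($blocks -join ':')
}

function Compress-IPv6Address {
    # Drop leading zeros in each block (keeping at least one digit), then
    # replace the longest run of two or more all-zero blocks with "::".
    # The RFC allows "::" only once per address, so only the longest run goes.
    param([Parameter(Mandatory=$true)][string]$Address)
    $blocks = @($Address.Split(':') | ForEach-Object {
        $t = $_.TrimStart('0')
        if ($t -eq '') { '0' } else { $t }
    })
    $bestStart = -1; $bestLen = 0; $i = 0
    while ($i -lt $blocks.Count) {
        if ($blocks[$i] -eq '0') {
            $j = $i
            while ($j -lt $blocks.Count -and $blocks[$j] -eq '0') { $j++ }
            if (($j - $i) -gt $bestLen) { $bestLen = $j - $i; $bestStart = $i }
            $i = $j
        } else {
            $i++
        }
    }
    if ($bestLen -lt 2) { return ($blocks -join ':') }
    $left  = if ($bestStart -gt 0) { $blocks[0..($bestStart - 1)] -join ':' } else { '' }
    $after = $bestStart + $bestLen
    $right = if ($after -lt $blocks.Count) { $blocks[$after..($blocks.Count - 1)] -join ':' } else { '' }
    return "${left}::${right}"
}

# The course's 128-bit example address, as two 64-bit halves.
$bits = '0010000000000001000011011011100000000000000000000010111100111011' +
        '0000001010101010000000001111111111111110001010001001110001011010'
$full  = ConvertFrom-IPv6Binary $bits
$short = Compress-IPv6Address $full
"Full form:       $full"
"Suppressed form: $short"

# Constructed address with six consecutive zero blocks, where "::" applies.
"Compressed:      " + (Compress-IPv6Address '2001:0DB8:0000:0000:0000:0000:0000:0001')
```

The first two output lines should match the full and the suppressed forms printed above. The third shows the "::" form, which is what Windows displays for such addresses in ipconfig and in the DNS console; when comparing addresses in logs or firewall rules, normalize both sides with the same routine rather than comparing strings from different tools.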
IPv6 Transition Technologies

Key Points
The migration from IPv4 to IPv6 is expected to take considerable time. This was
taken into consideration when designing IPv6 and as a result, the transition plan
for IPv6 is a multistep process that allows for extended coexistence. To achieve the
goal of a pure IPv6 environment, use the following general guidelines:
Upgrade your applications to be independent of IPv6 or IPv4. Applications
must be changed to use new Windows Sockets application programming
interfaces (APIs) so that name resolution, socket creation, and other functions
are independent regardless of whether you are using IPv4 or IPv6.
Update the DNS infrastructure to support IPv6 address (AAAA) and pointer
(PTR) records. You may have to upgrade the DNS infrastructure to support the
AAAA record type (required) and PTR records in the IP6.ARPA reverse domain
(optional). Additionally, ensure that the DNS servers support DNS dynamic
update for AAAA records so that IPv6 hosts can register their names and IPv6
addresses automatically.
Upgrade hosts to IPv6/IPv4 nodes. You must upgrade hosts to use a dual IP
layer or stack. You also must add DNS resolver support to process DNS query
results that contain both IPv4 and IPv6 addresses. Deploy ISATAP to ensure
that IPv6/IPv4 hosts can reach each other over the IPv4-only intranet.
Upgrade routing infrastructure for native IPv6 routing. You must upgrade
routers to support native IPv6 routing and IPv6 routing protocols.
Implement tunneling. A successful transition to IPv6 requires interim
coexistence of IPv6 nodes in today's predominantly IPv4 environment. To support
this, IPv6 packets are tunneled automatically over the IPv4 routing
infrastructure, enabling IPv6 clients to communicate with each other by using
6to4 addresses or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
addresses. Plan the security policy for the tunnels as well: 6to4 and ISATAP
carry IPv6 inside IPv4 (IP protocol 41) and Teredo carries it inside UDP
(port 3544 to the Teredo server), so a firewall or intrusion-detection system
that inspects only IPv4 headers does not see the IPv6 traffic inside. Either
block the tunnel protocols where you do not intend to use them, or inspect the
encapsulated IPv6 traffic.
Convert IPv6/IPv4 nodes to IPv6-only nodes. You can upgrade IPv6/IPv4
nodes to be IPv6-only nodes. This should be a long-term goal, because it will
take years for all current IPv4-only network devices to be upgraded to IPv6-
only. For those IPv4-only nodes that cannot be upgraded to IPv6/IPv4 or IPv6-
only, employ translation gateways as appropriate so that IPv4-only nodes can
communicate with IPv6-only nodes.

Lab: Planning Network Infrastructure for
Windows Server 2008


Note: Your instructor may run this lab as a class discussion.
Adatum has created a new regional sales force. As a result, branch offices are being
fitted out to support the various regional sales teams. You are responsible for
planning the network infrastructure for these new branch offices. Joe Healy, the
national Sales Manager, has been communicating with you about his specific
requirements for the regional office. In addition, Alan Steiner, a colleague in IT, has
visited some of the branch offices.
Exercise 1: Determining an Appropriate Network
Addressing Scheme
Scenario
You have been tasked with designing an IPv4 addressing scheme to support the
western region branch offices. There are 10 new offices in total, 3 of them in
this region, each with around 100 computers.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Answer the questions in the Update the Branch Office Network Infrastructure
Plan: IPv4 Addressing document.

Supporting Documentation
E-mail thread of correspondence with Joe Healy and Alan Steiner:
Gregory Weber
From: Joe Healy [Joe@adatum.com]
Sent: 21 July 2009 17:30
To: Gregory@adatum.com
Subject: Re: Network applications for branches
Greg,
Well, I'm not terribly technical myself, but in terms of what the sales people use,
it's mostly office productivity software. They do have a sales database, of course,
which I believe to be built on SQL Server. Currently, that data is held on several
different databases, but we're merging that right now to create a national database.
I understand from your colleague, Alan Steiner, that we're going to create regional
replicas of the data in that database. As to network traffic, I guess you'd need to ask
Alan.
Hope that is useful.
Regards,
Joe
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 20 July 2009 09:01
To: Joe@adatum.com
Subject: Network applications for branches
Joe,
I'm about to start working on this branch offices deployment. We're at the stage of
planning the network infrastructure. Can you tell me something about the
applications that the sales team uses? I'm trying to get a feel for network traffic and
usage patterns.
Regards,
Greg

Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 22 July 2009 09:05
To: Gregory@adatum.com
Subject: Re: Branch office network traffic analysis
Attachments: Adatum Western Region Branch Network Plan.vsd
Greg,
Each branch will be connected via a router to the head office; I've attached a basic
schematic of the western regional offices.
We've allocated the network address 10.10.32.0/21 for all branches in this region.
In terms of traffic, the database synchronization takes place overnight so should
not impact traffic overly. I think the traffic in the head office sales subnets right
now should be fairly indicative. Rather than send you the output, I'll just say that
we figure on around 50 computers per subnet.
Regards,
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 22 July 2009 08:45
To: Alan@adatum.com
Subject: Branch office network traffic analysis
Alan,
Do you have any information about network traffic at the new branches? I
understand there is to be a database with regional replicas. Do you have any
information on that? I'm trying to figure out the number of subnets I'm going to
need per branch.
Any other information gratefully received!
Greg
Adatum Western Region Branch Network Plan.vsd



Planning Network Infrastructure for Windows Server 2008 2-55
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the proposal document with your planned course of
action
Answer the questions in the Branch Office Network Infrastructure Plan:
IPv4 Addressing document.
Branch Office Network Infrastructure Plan: IPv4 Addressing
Document Reference Number: GW0709/1
Document Author
Date
Gregory Weber
25th July
Requirements Overview
Design an IPv4 addressing scheme for the Adatum western regional branch sales
offices, shown in the exhibit.
The block address 10.10.32.0/21 has been reserved for this region.
You must devise a scheme that supports the required number of subnets and the
required number of hosts, and that provides for 25% growth of hosts in each branch.
For each branch, provide the subnet addresses you plan to use, together with the
start and end IP addresses for each subnet.
Additional Information
You do not need to concern yourself with the IP addressing for the corporate side
of the router at each branch.

(continued)
Branch Office Network Infrastructure Plan: IPv4 Addressing
Proposals
1. How many subnets do you envisage requiring for this region?


2. How many hosts will you deploy in each subnet?


3. What subnet mask will you use for each branch?


4. What are the subnet addresses for each branch?


5. What range of host addresses is in each branch?



Results: After this exercise, you should have a completed IP addressing plan for the
western region branch offices.

Exercise 2: Planning the Placement of Network Servers
Scenario
Having determined the appropriate addressing scheme for the branch offices in the
western region sales division, you must now determine how best to deploy
network services to support users working in those locations. Alan Steiner has sent
you an e-mail with some additional information about the requirements.
Using the information in the supporting documentation, and bearing in mind the
subnet addressing scheme you previously planned, complete the Branch Office
Network Infrastructure Plan: Network Services document.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Answer the questions in the Branch Office Network Infrastructure Plan:
Network Services document.

Supporting Documentation
E-Mail thread of correspondence with Alan Steiner:
Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 24 July 2009 17:00
To: Gregory@adatum.com
Subject: Re: Branch office network services

Greg,
Answers in line below,
Regards,
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 24 July 2009 13:30
To: Alan@adatum.com
Subject: Branch office network services
Alan,
OK, I have worked out an IP addressing scheme for the branches. Next I need to
think about the infrastructure. Could you answer the following questions?
1. How are IP addresses to be assigned for this region?
[Alan] By DHCP
2. Is there anything I should know about the DNS name space for the sales offices?
[Alan] The sales computers will be in their own DNS name space,
sales.adatum.com
3. I have a vague recollection that one of the line-of-business applications that sales
uses requires NetBIOS. Is that right?
[Alan] You're right, Greg, they need NetBIOS name resolution in sales.
Thanks,
Greg
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the proposal document with your planned course of
action
Answer the questions in the Branch Office Network Infrastructure Plan:
Network Services document.
Branch Office Network Infrastructure Plan: Network Services
Document Reference Number: GW0709/2
Document Author
Date
Gregory Weber
25th July
Requirements Overview
Specify which network services are required in each sales office, and any changes
that might be required in the head office to facilitate your proposals.
Additional Information
It is important that any router, server, or communications link failure does not
adversely affect users.

(continued)
Branch Office Network Infrastructure Plan: Network Services
Proposals
1. How many DHCP servers do you propose to deploy in the region?


2. Where do you propose to deploy these servers?


3. What name resolution services are required?


4. To support the DNS name space in the sales division, how would you propose
to configure DNS?


5. Will you require WINS?


6. If so, how many WINS servers will you require for the region?


7. If not, how do you propose to support single-label names?



Results: After this exercise, you should have a completed plan for the deployment of
network services in the western regional branch offices.

Exercise 3: Implementing the Planned Network Services
Scenario
You are on-site at one of the regional offices, and you must now configure network
services to support your proposals.
The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Deploy the DHCP server role.
3. Configure scopes to support the branch office.
4. Configure DNS to support the branch office.
5. Enable DNS/WINS integration to support NetBIOS applications.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Deploy the DHCP Server role on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Use Server Manager to deploy the DHCP Server role. Use the following
information to complete the process:
a. On the Select Network Connection Bindings page, click Next.
b. On the Specify IPv4 DNS Server Settings page, in the Preferred DNS
Server IPv4 Address box, type 10.10.0.10, and then click Next.
c. On the Specify IPv4 WINS Server Settings page, click Next.
d. On the Add or Edit DHCP Scopes page, click Next.
e. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6
stateless mode for this server, and then click Next.
f. On the Authorize DHCP Server page, click Next.

Task 3: Configure the primary DHCP scope for subnet 1
Create a new scope. Use the following information to help complete the
process:
Scope Name: Branch 1 subnet 1 scope 1
IP address range: 10.10.32.1 > 10.10.32.125
Subnet mask: 25 bits
Exclusions: 10.10.32.100 > 10.10.32.125
Lease duration: default
Router: 10.10.32.126

Task 4: Configure the secondary DHCP scope for subnet 2
Create a new scope. Use the following information to help complete the
process:
Scope Name: Branch 1 subnet 2 scope 2
IP address range: 10.10.32.129 > 10.10.32.253
Subnet mask: 25 bits
Exclusions: 10.10.32.129 > 10.10.32.229
Lease duration: default
Router: 10.10.32.254
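Exercise 1 asks for an addressing plan, and Tasks 3 and 4 above then enter two of the resulting subnets as DHCP scopes. The Python script below is an added worked example, not part of the course material, that does both halves mechanically: it carves the regional block into per-branch subnets under the stated constraints, and it checks a scope definition for the mistakes that bite in practice (a range that spills past the usable hosts, a router address that is leasable, an exclusion outside the range). One modelling assumption is mine and is not stated in the lab: the subnet count per branch is derived from today's computer count and the 50-per-subnet figure, and the 25% growth is then applied to each subnet's share of hosts; read that way, the plan reproduces the /25 subnets used in Tasks 3 and 4. The two LAB_SCOPES entries are transcribed from those tasks; as I read it, the large exclusion in the second one is what makes it a secondary scope, leaving a small share of that subnet for this server to lease while the rest of the subnet is served from elsewhere.

```python
import ipaddress
import math
from dataclasses import dataclass, field
from typing import List, Tuple


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable host count, 2**n - 2, fits `hosts`."""
    bits = 2
    while (1 << bits) - 2 < hosts:
        bits += 1
    return 32 - bits


def host_range(net: ipaddress.IPv4Network) -> Tuple[str, str]:
    """First and last usable host address of a subnet (network and broadcast excluded)."""
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def plan_region(block: str, branches: int, computers_per_branch: int,
                growth: float, max_per_subnet: int) -> List[Tuple[int, List[ipaddress.IPv4Network]]]:
    """Carve the regional block into equal subnets, a fixed number per branch.

    Modelling assumption (mine, not stated in the lab): subnets per branch follow
    from today's computer count and the per-subnet ceiling; the growth allowance
    is then applied to each subnet's share of hosts before the prefix is chosen.
    """
    region = ipaddress.IPv4Network(block)
    subnets_per_branch = math.ceil(computers_per_branch / max_per_subnet)
    hosts_per_subnet = math.ceil(computers_per_branch / subnets_per_branch * (1 + growth))
    prefix = prefix_for_hosts(hosts_per_subnet)
    pool = list(region.subnets(new_prefix=prefix))
    wanted = branches * subnets_per_branch
    if wanted > len(pool):
        raise ValueError(f"{block} yields {len(pool)} /{prefix} subnets, but {wanted} are needed")
    return [(b + 1, pool[b * subnets_per_branch:(b + 1) * subnets_per_branch])
            for b in range(branches)]


@dataclass
class Scope:
    """A DHCP scope as entered in the New Scope wizard."""
    name: str
    subnet: str                                   # e.g. "10.10.32.0/25"
    start: str
    end: str
    router: str
    exclusions: List[Tuple[str, str]] = field(default_factory=list)


def check_scope(s: Scope) -> List[str]:
    """Consistency checks a scope should pass before it goes live. Empty list means OK."""
    net = ipaddress.IPv4Network(s.subnet)
    start, end, router = (ipaddress.IPv4Address(x) for x in (s.start, s.end, s.router))
    first, last = net.network_address + 1, net.broadcast_address - 1
    excl = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)) for lo, hi in s.exclusions]
    problems = []
    if not (first <= start <= end <= last):
        problems.append(f"{s.name}: range {start}-{end} is not within usable {first}-{last}")
    if router not in net:
        problems.append(f"{s.name}: router {router} is not on {net}")
    elif start <= router <= end and not any(lo <= router <= hi for lo, hi in excl):
        problems.append(f"{s.name}: router {router} is leasable; exclude it")
    for lo, hi in excl:
        if not (start <= lo <= hi <= end):
            problems.append(f"{s.name}: exclusion {lo}-{hi} lies outside the scope range")
    return problems


def leasable_count(s: Scope) -> int:
    """Addresses the scope can actually hand out: range size minus exclusions."""
    size = int(ipaddress.IPv4Address(s.end)) - int(ipaddress.IPv4Address(s.start)) + 1
    for lo, hi in s.exclusions:
        size -= int(ipaddress.IPv4Address(hi)) - int(ipaddress.IPv4Address(lo)) + 1
    return size


# The two scopes from Tasks 3 and 4, transcribed from the lab steps.
LAB_SCOPES = [
    Scope("Branch 1 subnet 1 scope 1", "10.10.32.0/25", "10.10.32.1", "10.10.32.125",
          "10.10.32.126", [("10.10.32.100", "10.10.32.125")]),
    Scope("Branch 1 subnet 2 scope 2", "10.10.32.128/25", "10.10.32.129", "10.10.32.253",
          "10.10.32.254", [("10.10.32.129", "10.10.32.229")]),
]

if __name__ == "__main__":
    for branch, subnets in plan_region("10.10.32.0/21", 3, 100, 0.25, 50):
        for net in subnets:
            lo, hi = host_range(net)
            print(f"Branch {branch}: {net}  hosts {lo} - {hi}")
    for s in LAB_SCOPES:
        print(f"{s.name}: {leasable_count(s)} leasable, problems={check_scope(s) or 'none'}")
```

Feed `check_scope()` every scope before you authorize the server: the router-inside-range case is the one that silently hands a client the default gateway's address, and the scope wizard does not stop you from creating it.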

Task 5: Create a subdomain in DNS
1. Switch to the SEA-DC1 computer.
2. Open the DNS Manager.
3. Add a new domain named sales in the Adatum.com zone; this is the
sales.adatum.com name space that the DHCP options in Task 10 hand to clients.

Task 6: Configure zone transfers for the Adatum.com zone
In the DNS Manager, enable zone transfers for the Adatum.com zone. Restrict
them to the secondary server (SEA-SVR1) rather than allowing transfers to any
server, so that an arbitrary host on the network cannot pull the whole zone.

Task 7: Deploy the DNS role on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Using Server Manager, deploy the DNS Server role on SEA-SVR1.

Task 8: Configure a secondary zone on SEA-SVR1
Create a new forward lookup zone on SEA-SVR1. Use the following
information to help complete the process:
Zone type: secondary
Zone name: Adatum.com
Master DNS server: 10.10.0.10

Task 9: Enable the WINS feature, and configure DNS/WINS integration
1. Using Server Manager, on SEA-SVR1, add the WINS Server feature.
2. Switch to the SEA-DC1 computer.
3. In DNS Manager, enable WINS Forward Lookup:
a. Right-click Adatum.com, and then click Properties.
b. On the WINS tab, select the Use WINS forward lookup check box.
c. In the IP address box, type 10.10.0.100, click Add, and then click OK.
4. Switch to the SEA-SVR1 computer.
5. In DNS Manager, right-click Adatum.com, and then click Transfer from
Master.

Note: You might need to wait a few moments before you see the WINS record. Press
Refresh if needed.

Task 10: Configure DHCP options to support the deployed services
1. On SEA-SVR1, in the DHCP console, right-click Server Options, and then click
Configure Options.
2. Configure the following options:
006 DNS Servers: 10.10.0.100
015 DNS Domain Name: sales.adatum.com
044 WINS/NBNS Servers: 10.10.0.100

Results: After this exercise, you should have successfully deployed branch office
network services.
To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module Review and Takeaways

Review Questions
1. What is the host range of addresses in the 172.16.16.0/21 subnet?

2. You intend to deploy the DHCP server role where necessary throughout your
routed network. What considerations should you bear in mind?

3. What is the difference between a subdomain in a DNS zone, and a delegated
zone?

4. What are the advantages of Active Directory integrated zones?

5. When planning WINS, how many servers should you consider deploying?

Module 3
Planning for Active Directory
Contents:
Lesson 1: Selecting a Domain and Forest Topology 3-3
Lesson 2: Selecting a Domain and Forest Functional Level 3-19
Lesson 3: Planning Identity and Access Services in Active Directory 3-27
Lesson 4: Implementing Active Directory in the Physical Network 3-37
Lab: Planning for Active Directory 3-48
Module Overview

In order to optimize an Active Directory Domain Services (AD DS) infrastructure,
you must plan the implementation carefully. This planning should include
consideration of the Active Directory directory services topology, the domain and
forest functional level, which related Active Directory services you must deploy in
order to support your network, and the steps you must take to configure Active
Directory to support your physical network infrastructure.
Objectives
After completing this module, you will be able to:
Select an appropriate Active Directory topology.
Configure the domain and forest functional level.
Describe Active Directory identity and access services.
Configure Active Directory to support your physical network.

Lesson 1
Selecting a Domain and Forest Topology

Before you commence the deployment of Active Directory and related services,
you should consider the overall design of the Active Directory topology: the
forests, trees, and domains; the site and subnet topology; and the
organizational unit and administrative structure.
Objectives
After completing this lesson, you will be able to:
Describe important Active Directory terminology.
Determine how many Active Directory forests to deploy.
Determine when to implement a design that incorporates multiple domains.
Determine how many Active Directory trees to implement in your forest.
Describe a trust relationship.
Select a suitable Active Directory topology.
Overview of Active Directory

Key Points
Active Directory is a distributed database that provides a logical grouping of
objects, such as users, computers, and groups. Active Directory is managed
centrally by Windows Server 2008 servers deployed with the AD DS role. These
servers are known as domain controllers. In order to plan and deploy Active
Directory, you must understand the components that combine to create an Active
Directory infrastructure.
What Is a Forest?
In AD DS, a forest is the highest level of the logical structure hierarchy. An
Active Directory forest represents a single self-contained directory. A forest is a
security boundary, which means that administrators in a forest have complete
control over all access to information that is stored inside the forest and to the
domain controllers that are used to implement the forest.
Domain controllers in a forest share a common schema, a common global catalog,
and a common forest-root domain.
What Is the Schema?
The schema is the Active Directory component that defines all the objects and
attributes that the directory service uses to store data. For instance, the schema
defines the user object type, and defines the attributes that are maintained for the
user object type such as full name, password, display name, and so forth.
The schema is a single master element of Active Directory. This means that you
must make changes to the schema at the domain controller that holds the schema
operations master role.
What Is the Global Catalog?
The global catalog is a distributed database that contains a searchable
representation of every object from all domains in a multidomain forest. However,
the global catalog does not contain all attributes for each object; rather, it
maintains a subset of attributes: those that are most likely to be useful in
cross-domain searches.
What Is a Tree?
If your Active Directory consists of more than one domain, you must define the
relationship between the domains. If the domains share a common root and a
contiguous namespace, then they are logically part of the same Active Directory
tree. A tree serves no administrative purpose; that is, there is no tree administrator
as there is a forest or domain administrator. A tree provides a logical, hierarchical
grouping of domains that have parent/child relationships defined through their
names. Your Active Directory tree maps to your DNS namespace.
What Is a Domain?
A domain is an administrative boundary. All domains host an Administrator user
account that has full administrative capabilities over all objects within the domain.
Although the administrator can delegate administration on objects within the
domain, the account retains full administrative control of all objects within the
domain.
In earlier versions of Windows Server, domains were considered to provide
complete administrative separation; indeed, one of the fundamental reasons for
selecting a multidomain topology was to provide for this separation. However, in
Active Directory, the administrator account in the forest root domain also has
full administrative control over all objects in the forest, so a domain no
longer provides administrative separation on its own.
A domain is a replication boundary. Active Directory consists of three elements, or
partitions; these are the schema, the configuration partition, and the domain
partition. Generally, it is only the domain partition that changes frequently.
The domain partition contains objects that are likely to be updated often; these
include users, computers, groups, and organizational units. Consequently, Active
Directory replication consists primarily of the updates to objects defined within the
domain partition. Only domain controllers in a particular domain receive domain
partition updates from other domain controllers.
What Is a Site?
A site is a logical representation of a well-connected part of your network,
typically one physical location. A site represents a high-speed network boundary
for your Active Directory computers: computers that can communicate with high
speed and low latency can be grouped into a site, and domain controllers within a
site replicate Active Directory data in a way that is optimized for that
environment. This intra-site replication configuration is largely automatic.
What Is an Organizational Unit?
Organizational units are container objects within a domain that enable an
administrator to group objects together for management purposes. Objects within
an organizational unit can be managed as a single entity.
Considerations for Designing a Forest Infrastructure

Key Points
To create a forest design, first identify the business requirements that an
organization's directory structure needs to accommodate. This involves
determining how much autonomy the groups in the organization need to manage
their network resources, and whether each group needs to isolate its resources
on the network from other groups.
After identifying business requirements, you can determine the number of forests
needed. To determine this number, you must carefully identify and evaluate the
isolation and autonomy requirements for each group in the organization and map
those requirements to the appropriate forest design models.
Considerations
There are several points that are helpful to consider when determining the number
of forests to deploy.
Isolation requirements limit design choices. Therefore, if isolation
requirements have been identified, be sure that the groups actually require
data isolation and that data autonomy is not sufficient for their needs. Then
the organization must ensure that the various groups in the organization
clearly understand the concepts of isolation and autonomy.
Negotiating the design can be a lengthy process. It can be difficult for groups
to come to agreement about ownership and utilization of available resources.
During the design process there must be enough time for the groups in the
organization to conduct adequate research to identify their needs, which
involves setting firm deadlines for design decisions and getting consensus
from all parties on the established deadlines.
Determining the number of forests to deploy involves balancing costs against
benefits. A single-forest model is the most cost-effective option and requires
the least amount of administrative overhead. Although a group in the
organization might prefer autonomous service operations, it might be more
cost-effective for the organization to subscribe to service delivery from a
centralized, trusted IT group, allowing the group to own data management
without creating the added costs of service management. Balancing costs
against benefits might require input from the executive sponsor.
After the design requirements are mapped to forest models and the forest
model is selected that meets the needs of the organization, you should
document the proposed forest design. The information that you should
include in the documentation is the name of the group for which the forest is
designed, the contact information for the forest owner, the type of forest for
each forest, and the requirements that each forest is designed to meet. This
documentation helps the design team to ensure that all of the appropriate
people are involved in the design process and to clarify the scope of the
deployment project.

Best Practice
Use a single forest unless any of the following apply:
You need the level of administrative separation that multiple forests provide.
Your organization is very large, and consists of several distinct operating
divisions, each of which has different schema requirements.
You are deploying an application that is implemented on a per-forest basis,
such as Exchange Server 2007, and different parts of your organization have
differing requirements of this forest-level application.

Additional Reading
Download the Infrastructure Planning and Design Guide Series:
http://go.microsoft.com/fwlink/?LinkID=163879&clcid=0x409.
Guidelines for Designing an Active Directory Domain
Infrastructure

Key Points
Domains partition the information that is stored inside the directory into smaller
portions so that the information can be more easily stored on various domain
controllers and so that administrators have a greater degree of control over
replication. Data that is stored in the directory is replicated throughout the forest
from one domain controller to another. Some data that is relevant to the entire
forest is replicated to all domain controllers, while other data that is relevant only
to a specific domain is replicated only to domain controllers in that particular
domain. A good domain design makes it possible to implement an efficient
replication topology.

Note: Active Directory holds at least three directory partitions (naming contexts): the
schema partition, the configuration partition, and one domain partition per domain. The
schema and configuration partitions are replicated to every domain controller in the forest;
a domain partition is replicated only among the domain controllers of that domain (global
catalog servers additionally hold a read-only, partial copy of every domain partition). A
forest can also contain application directory partitions, such as the DomainDnsZones and
ForestDnsZones partitions that Active Directory-integrated DNS creates, whose replication
scope is defined when the partition is created.
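The following PowerShell script is an added example, not part of the course text, that lists the partitions a domain controller holds and classifies each by the replication scope described in the note above. It matters for isolation decisions: a domain controller in any domain carries a writable copy of the forest-wide partitions, which is why the forest, not the domain, is the boundary of administrative isolation. The RootDSE attribute names are standard LDAP; the distinguished names in the sample are constructed for the fictitious adatum.com forest.

```powershell
# Added example (not from the course text). Requires only Windows PowerShell 2.0.
function Get-PartitionScope {
    param(
        [Parameter(Mandatory = $true)] [string[]] $NamingContexts,   # RootDSE namingContexts
        [Parameter(Mandatory = $true)] [string]   $SchemaNC,         # RootDSE schemaNamingContext
        [Parameter(Mandatory = $true)] [string]   $ConfigNC,         # RootDSE configurationNamingContext
        [Parameter(Mandatory = $true)] [string]   $DefaultNC         # RootDSE defaultNamingContext
    )
    foreach ($nc in $NamingContexts) {
        $scope = if ($nc -eq $SchemaNC -or $nc -eq $ConfigNC) {
            'Forest-wide: writable replica on every DC in the forest'
        } elseif ($nc -eq $DefaultNC) {
            'Domain-wide: DCs of this domain only (partial read-only copy on global catalogs)'
        } elseif ($nc -like 'DC=ForestDnsZones,*') {
            'Application partition: DCs running DNS anywhere in the forest'
        } elseif ($nc -like 'DC=DomainDnsZones,*') {
            'Application partition: DCs running DNS in this domain'
        } else {
            'Application partition: replica set chosen when the partition was created'
        }
        New-Object PSObject -Property @{ NamingContext = $nc; ReplicationScope = $scope }
    }
}

# Constructed sample: what RootDSE on a DC of americas.adatum.com would report.
$sample = @{
    NamingContexts = @(
        'DC=americas,DC=adatum,DC=com',
        'CN=Configuration,DC=adatum,DC=com',
        'CN=Schema,CN=Configuration,DC=adatum,DC=com',
        'DC=DomainDnsZones,DC=americas,DC=adatum,DC=com',
        'DC=ForestDnsZones,DC=adatum,DC=com'
    )
    SchemaNC  = 'CN=Schema,CN=Configuration,DC=adatum,DC=com'
    ConfigNC  = 'CN=Configuration,DC=adatum,DC=com'
    DefaultNC = 'DC=americas,DC=adatum,DC=com'
}
Get-PartitionScope @sample | Select-Object NamingContext, ReplicationScope | Format-Table -AutoSize

# Against a live domain controller (run on a domain-joined machine):
# $r = [ADSI]'LDAP://RootDSE'
# Get-PartitionScope -NamingContexts ([string[]]$r.namingContexts) `
#     -SchemaNC ([string]$r.schemaNamingContext) -ConfigNC ([string]$r.configurationNamingContext) `
#     -DefaultNC ([string]$r.defaultNamingContext) | Select-Object NamingContext, ReplicationScope
```

Run against a real domain controller, the output is the quickest way to see which data leaves the domain during replication and which stays inside it.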
Guidelines
There are three guidelines when devising a domain infrastructure.
Review domain models. By reviewing the domain models, factors that impact
the domain design model can be identified. By identifying the amount of
available capacity on the network that can be allocated to Active Directory, an
organization can select a model that provides efficient replication of
information with minimal impact on available network bandwidth. If an
organization includes a large number of users, deploying more than one
domain enables the partitioning of data and gives more control over the
amount of replication traffic that will pass through a given network
connection. This makes it possible to control where data is replicated and
reduce the load created by replication traffic on slow links in the network.
Determine the number of domains. Every forest starts with a single domain.
The maximum number of users that a single-domain forest can contain is
based on the slowest link that must accommodate replication between domain
controllers and the available bandwidth allocated to Active Directory. If all the
users cannot be accommodated in a single domain, then an organization can
select the regional domain model. This involves dividing the organization into
regions that reflect how the organization operates and how the existing network
is laid out. For example, the organization can be separated into regions based on
continental boundaries. While an organization will need to create a domain for
each region, it is best to minimize the number of regions. Although there is no
fixed technical limit on the number of domains in a forest, for manageability
reasons it is recommended that a forest include no more than 10 domains. The key
in determining the number of regions is to establish the appropriate balance
between optimizing replication bandwidth and minimizing administrative
complexity.

Note: If you identify three regions within your organization, it might be desirable to
create an empty forest root and three child domains. For example, in Adatum.com, there
are three regions: Europe, Americas, and Asia. Although the worldwide headquarters are
in North America, it might still be desirable to create the Adatum.com domain with three
children: europe.adatum.com, americas.adatum.com, and asia.adatum.com. An empty forest
root holds only the forest-level administrative accounts and groups (Enterprise Admins
and Schema Admins) and no ordinary users, so forest-wide administration is kept separate
from the regional administrators of the Americas domain, and the Americas region is not
affected by changes that apply only to the root.
Determine whether to upgrade existing domains or deploy new domains.
This consideration is only important when upgrading an existing Windows 2000
Server or Windows Server 2003 Active Directory infrastructure to Windows
Server 2008 AD DS. In this scenario, each domain will either be a new domain or
an existing domain that has been upgraded in place. Users from existing domains
that are not upgraded in place must be migrated into new domains. Moving
accounts between domains can impact end users (new SIDs, re-created profiles,
and a period in which SID history carries the old identity). Before deciding
whether to migrate users into a new domain or upgrade existing domains in
place, evaluate the long-term administrative benefits of a new Active Directory
domain against the cost of migrating users into the domain.

Determining Whether to Implement Multiple Trees in
Your Forest

Key Points
Active Directory trees are defined by the naming relationships between the domains
in the forest: domains that share a contiguous DNS namespace form one tree. There
is no intrinsic reason you should, or indeed should not, create multiple trees
within your forest. However, keep in mind that a single tree, with its contiguous
namespace, is easier to manage and easier for users to visualize.
Best Practice
Consider using multiple trees within a single forest if you have multiple
namespaces to support; for example, if within your organization there are several
distinct operating divisions with different public identities, you could create a
different tree for each operating division. Bear in mind that this scenario provides
no separation of administration: the forest root administrators (the Enterprise
Admins and Schema Admins groups in the forest root domain) still have complete
control over all objects in the forest, in whichever tree they reside.

Note: There is no technical benefit to this strategy, only a political one.
What Is a Trust Relationship?

Key Points
A trust relationship enables one security entity to accept authentication that
another security entity has performed. In Windows Server 2008, the security entity
is the Windows domain (or, for a forest trust, the forest).
In any trust relationship, there are two parties involved: the trusting entity and
the trusted entity. The trusting entity is the resource-holding entity, while the
trusted entity is the account-holding entity. A trust makes the trusted entity's
accounts available for authentication in the trusting entity; it grants no access
by itself. Resource owners in the trusting domain must still assign permissions,
and they should remember that any user authenticated through the trust is a member
of Authenticated Users in the trusting domain, so permissions granted to that group
apply to trusted-domain users as well.
Types of Trusts
Trusts can be one-way or two-way. A one-way trust means that although one entity
trusts the other, the reciprocal is not true. In a two-way trust, both entities trust one
another.
Trusts can be transitive or nontransitive. In a transitive trust, if A trusts B and B
trusts C, then A also implicitly trusts C. In a nontransitive trust, the relationship is
confined to the two entities between which it was created.
Windows Server 2008 supports a number of different trusts for use in different
situations.
In a single forest, all domains trust one another through the two-way transitive
trusts that AD DS creates automatically: a parent-child trust between each child
domain and its parent, and a tree-root trust between the root of each additional
tree and the forest root domain. In essence, this means that every domain trusts
every other domain in the forest, across tree boundaries. Aside from these
automatically created trusts, you can configure additional trusts between domains
within your forest, between your forest and other forests, and between your forest
and other security entities, such as Kerberos realms or Windows NT 4.0 domains.
The following table provides more information.
Trust type: External
Transitivity: Nontransitive
Direction: One-way or two-way
Description: Use external trusts to provide access to resources that are located in
a Windows NT 4.0 domain or in a domain in a separate forest that is not joined by a
forest trust. SID filtering (quarantine) is enabled by default on a new external trust,
so SIDs in the SID history of trusted-domain users that do not belong to the trusted
domain are discarded.

Trust type: Realm
Transitivity: Transitive or nontransitive
Direction: One-way or two-way
Description: Use realm trusts to form a trust relationship between a non-Windows
Kerberos realm and a Windows Server 2008 or a Windows Server 2008 R2 domain.

Trust type: Forest
Transitivity: Transitive
Direction: One-way or two-way
Description: Use forest trusts to share resources between forests. If a forest trust
is a two-way trust, authentication requests that are made in either forest can reach
the other forest. Transitivity applies within the two forests only: if forest A trusts
forest B and forest B trusts forest C, forest A does not trust forest C. Both forests
must be at the Windows Server 2003 forest functional level or higher, and selective
authentication can be enabled to restrict which users from the trusted forest may
authenticate to servers in the trusting forest.

Trust type: Shortcut
Transitivity: Transitive
Direction: One-way or two-way
Description: Use shortcut trusts to improve user logon times between two domains
within a Windows Server 2008 or a Windows Server 2008 R2 forest. This is useful when
the two domains are in different trees or far apart in the same tree, because
Kerberos referrals would otherwise have to follow the trust path through the
forest root.
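The following PowerShell script is an added example, not part of the course text, that reads the trustedDomain objects a domain publishes and reports, for each trust, the type, direction and transitivity from the table above together with the two settings a practitioner checks first: whether SID filtering is on for an external trust and whether selective authentication is on for a forest or external trust. The bit values for trustAttributes, trustDirection and trustType are those defined in the MS-ADTS specification; the trusts in the sample are constructed, with assumed names, so the script runs offline.

```powershell
# Added example (not from the course text). Requires only Windows PowerShell 2.0.
# trustAttributes flag bits (MS-ADTS):
$TrustAttributeFlags = @{
    0x01 = 'NON_TRANSITIVE'
    0x02 = 'UPLEVEL_ONLY'
    0x04 = 'QUARANTINED_DOMAIN'    # SID filtering enabled on an external trust
    0x08 = 'FOREST_TRANSITIVE'     # this is a forest trust
    0x10 = 'CROSS_ORGANIZATION'    # selective authentication enabled
    0x20 = 'WITHIN_FOREST'         # automatic parent-child or tree-root trust
    0x40 = 'TREAT_AS_EXTERNAL'
}
$TrustDirection = @{ 1 = 'Inbound (we are trusted)'; 2 = 'Outbound (we trust them)'; 3 = 'Two-way' }
$TrustType      = @{ 1 = 'Downlevel (Windows NT 4.0)'; 2 = 'Uplevel (Active Directory)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }

function Get-TrustSummary {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,        # trustPartner
        [Parameter(Mandatory = $true)] [int]    $Direction,   # trustDirection
        [Parameter(Mandatory = $true)] [int]    $Type,        # trustType
        [Parameter(Mandatory = $true)] [int]    $Attributes   # trustAttributes
    )
    $flags = $TrustAttributeFlags.Keys | Where-Object { $Attributes -band $_ } |
             ForEach-Object { $TrustAttributeFlags[$_] } | Sort-Object
    $withinForest = [bool]($Attributes -band 0x20)
    $forestTrust  = [bool]($Attributes -band 0x08)
    $kind = if ($withinForest)   { 'Internal (parent-child or tree-root)' }
            elseif ($forestTrust) { 'Forest' }
            elseif ($Type -eq 3)  { 'Realm' }
            else                  { 'External' }
    $findings = @()
    # An unquarantined external trust accepts any SID the trusted domain places in
    # sIDHistory, so an administrator there can claim group memberships in this domain.
    if ($kind -eq 'External' -and -not ($Attributes -band 0x04)) { $findings += 'SID filtering disabled' }
    if (($kind -eq 'Forest' -or $kind -eq 'External') -and -not ($Attributes -band 0x10)) {
        $findings += 'Selective authentication off: every user of the trusted side may authenticate here'
    }
    New-Object PSObject -Property @{
        Trust      = $Name
        Kind       = $kind
        Type       = $TrustType[$Type]
        Direction  = $TrustDirection[$Direction]
        Transitive = -not [bool]($Attributes -band 0x01)
        Flags      = ($flags -join ',')
        Findings   = ($findings -join '; ')
    } | Select-Object Trust, Kind, Type, Direction, Transitive, Flags, Findings
}

# Constructed sample: what CN=System,DC=adatum,DC=com might contain (assumed names).
$sampleTrusts = @(
    @{ Name = 'europe.adatum.com'; Direction = 3; Type = 2; Attributes = 0x20 }   # child domain
    @{ Name = 'contoso.com';       Direction = 3; Type = 2; Attributes = 0x08 }   # forest trust
    @{ Name = 'fabrikam.com';      Direction = 2; Type = 2; Attributes = 0x05 }   # external, SID-filtered
    @{ Name = 'LEGACY';            Direction = 2; Type = 1; Attributes = 0x01 }   # NT 4.0 trust, unfiltered
)
foreach ($t in $sampleTrusts) { Get-TrustSummary @t } | Format-Table -AutoSize

# Live query from a domain-joined machine (read access to CN=System is enough):
# $root = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
# $s = New-Object DirectoryServices.DirectorySearcher('(objectClass=trustedDomain)')
# $s.SearchRoot = [ADSI]"LDAP://CN=System,$root"
# $s.FindAll() | ForEach-Object { $p = $_.Properties
#     Get-TrustSummary -Name $p['trustpartner'][0] -Direction $p['trustdirection'][0] `
#         -Type $p['trusttype'][0] -Attributes $p['trustattributes'][0] }
```

In the sample, only the Windows NT 4.0 trust is reported as unfiltered, and both the forest trust and the external trust are reported without selective authentication; those are exactly the trusts to revisit when the design calls for isolation rather than autonomy.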

Discussion: Selecting an Active Directory Topology

Key Points
Scenario 1
The Fabrikam Corporation is planning to implement Active Directory throughout
its organization. Fabrikam has a worldwide operation, with offices based in
Europe, Asia, and North America. In consultation with staff in the IT department of
Fabrikam, you determine the following facts:
There are 30,000 users distributed fairly evenly across the three regions.
Headquarters for the worldwide operation are in Dallas, Texas.
Headquarters for the North American division is also based in Dallas.
The Asian headquarters are based in Singapore, and the European
headquarters are in Paris, France.
Each continental headquarters supports regional national offices; these
national offices are connected by high-speed links to their respective
continental headquarters.
The national offices act as hubs for branch offices.

Using this information, answer the following questions.
Question: What are your initial thoughts about a forest topology?
Question: How many domains do you envisage using?
Question: How many sites do you imagine will be required?
Question: Do you think that more than one tree is indicated?
Scenario 2
You spend some more time researching the Fabrikam organization, and learn the
following additional facts:
The Asian division has recently acquired a company, Contoso Corporation,
based in Australia that manufactures batteries for telecommunications
equipment. This company already has Active Directory deployed in a single
forest environment.
Fabrikam is planning to deploy Exchange Server 2007 within the first few
months of deploying Active Directory.

How might these new discoveries affect your plans? Answer the following
questions:
Question: How many forests do you envisage?
Question: How does implementing Exchange Server affect your plans?

Scenario 3
With a final set of staff interviews with some of the regional IT managers, it
transpires that it is highly desirable to implement administrative separation of each
region. How does this affect your Active Directory topology?
Answer the following questions:
Question: How many forests do you envisage?
Question: How many domains are required?
Question: How many trusts will you need to create?
Lesson 2
Selecting a Domain and Forest Functional Level

Windows Server 2008 AD DS provides a number of new features that are only
available once the appropriate domain and forest functional levels have been
configured. This lesson explores these functional levels and their related features.
Objectives
After completing this lesson, you will be able to:
Describe the Active Directory features available in each of the domain
functional levels.
Describe the Active Directory features available in each of the forest functional
levels.
Configure the domain and forest functional level.

What Are the Domain Functional Levels?

Key Points
The following table shows which features are enabled at each domain functional
level. It also shows the operating systems for domain controllers that are
supported at each functional level.

Domain functional level: Windows 2000 native
Enabled features: All default Active Directory features and the following features:
Universal groups are enabled for both distribution groups and security groups.
Group conversion is enabled, which makes conversion between security groups and
distribution groups possible.
Security identifier (SID) history.
Note: This is the default domain functional level.
Supported domain controller operating systems: Windows 2000 Server, Windows
Server 2003, Windows Server 2008

Domain functional level: Windows Server 2003
Enabled features: All default Active Directory features, all features from the
Windows 2000 native domain functional level, and the following features:
The availability of the domain management tool, netdom.exe, to prepare for domain
controller rename.
Update of the logon timestamp. The lastLogonTimestamp attribute will be updated
with the last logon time of the user or computer. This attribute is replicated
within the domain.
The ability to set the userPassword attribute as the effective password on
inetOrgPerson and user objects.
The ability to redirect the Users and Computers containers. By default, two
well-known containers are provided for housing computer and user/group accounts:
namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes
possible the definition of a new well-known location for these accounts.
Constrained delegation, so that applications can take advantage of the secure
delegation of user credentials by means of the Kerberos authentication protocol.
Delegation can be configured to be allowed only to specific destination services.
Selective authentication, through which it is possible to specify the users and
groups from a trusted forest who are allowed to authenticate to resource servers in
a trusting forest.
Supported domain controller operating systems: Windows Server 2003, Windows
Server 2008

Domain functional level: Windows Server 2008
Enabled features: All default Active Directory features, all features from the
Windows Server 2003 domain functional level, and the following features:
Distributed File System Replication (DFSR) support for SYSVOL, which provides more
robust and detailed replication of SYSVOL contents.
Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos
protocol.
Last Interactive Logon Information, which displays the time of the last successful
interactive logon for a user, from what workstation, and the number of failed logon
attempts since the last logon.
Fine-grained password policies, which make it possible for password and account
lockout policies to be specified for users and global security groups in a domain.
Supported domain controller operating systems: Windows Server 2008
Note: Changes to the domain functional level are not reversible. Once the level has been
raised, domain controllers running an operating system that the new level does not
support can no longer be added to the domain.
What Are the Forest Functional Levels?

Key Points
The following table shows which features are enabled at each forest functional
level. It also shows the operating systems for domain controllers that are
supported at each functional level.
Forest functional level: Windows 2000
Enabled features: All default Active Directory features.
Note: This is the default forest functional level.
Supported domain controllers: Windows 2000 Server, Windows Server 2003, Windows
Server 2008

Forest functional level: Windows Server 2003
Enabled features: All default Active Directory features, and the following features:
Forest trust.
Domain rename.
The ability to deploy a read-only domain controller (RODC) that runs Windows
Server 2008.
Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The
Intersite Topology Generator (ISTG) uses improved algorithms that scale to support
forests with a greater number of sites than can be supported at the Windows 2000
forest functional level.
The ability to create instances of the dynamic auxiliary class called dynamicObject
in a domain directory partition.
The ability to convert an inetOrgPerson object instance into a User object instance,
and the reverse.
The ability to create instances of the new group types, called application basic
groups and Lightweight Directory Access Protocol (LDAP) query groups, to support
role-based authorization.
Deactivation and redefinition of attributes and classes in the schema.
Supported domain controllers: Windows Server 2003, Windows Server 2008

Forest functional level: Windows Server 2008
Enabled features: This functional level provides all the features that are available
at the Windows Server 2003 forest functional level, but no additional features. All
domains that are subsequently added to the forest, however, will operate at the
Windows Server 2008 domain functional level by default.
Supported domain controllers: Windows Server 2008

Note: Changes to the forest functional level are not reversible.
Guidelines for Raising the Domain or Forest Functional Level
The following guidelines apply to raising the domain or forest functional levels:
You must be a member of the Domain Admins group to raise the domain
functional level.
You must be a member of the Enterprise Admins group to raise the forest
functional level.
You can raise the domain functional level on the primary domain controller
(PDC) emulator operations master only. The AD DS administrative tools that
you use to raise the domain functional level (the Active Directory Domains and
Trusts snap-in and the Active Directory Users and Computers snap-in)
automatically target the PDC emulator when you raise the domain functional
level.
You can raise the forest functional level on the schema operations master only.
Active Directory Domains and Trusts automatically targets the schema
operations master when you raise the forest functional level.
You can raise the functional level of a domain only if all domain controllers in
the domain run the version or versions of Windows that the new functional
level supports.
You can raise the functional level of a forest only if all domain controllers in
the forest run the version or versions of Windows Server operating system that
the new functional level supports.
You cannot set the domain functional level to a value that is lower than the
forest functional level.
You cannot lower the domain or forest functional level after you have raised it.
If you have to revert to a lower functional level, you must rebuild the domain or
forest, or restore it from a backup taken before the level was raised. Take a
system state backup of the domain controllers immediately before raising a level,
so that a restore is actually possible.

Demonstration: Modifying the Functional Level

Key Points
Raise the domain functional level.
Raise the forest functional level.

High-level steps:
1. Raise the domain functional level of the Adatum.com domain to Windows
Server 2008.
2. Raise the forest functional level of the Adatum.com forest to Windows Server
2008.
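The following PowerShell script is an added example, not part of the course text, that carries out the procedure in the guidelines and the demonstration steps above: it verifies that every domain controller runs an operating system the target level supports (the condition that makes the raise fail), shows where the backup belongs, and then raises the domain and forest levels with the Set-ADDomainMode and Set-ADForestMode cmdlets of the Active Directory module that ships with Windows Server 2008 R2 and the matching RSAT. The domain controllers in the sample are constructed, with assumed names, so the check runs offline; the live section is commented out.

```powershell
# Added example (not from the course text). The check needs only Windows PowerShell 2.0;
# the commented live section needs the ActiveDirectory module and the rights listed above.

# Oldest DC operating system each level tolerates (from the functional level tables).
$MinimumDcOs = @{
    'Windows2000Domain' = 2000; 'Windows2003Domain' = 2003; 'Windows2008Domain' = 2008
    'Windows2000Forest' = 2000; 'Windows2003Forest' = 2003; 'Windows2008Forest' = 2008
}

function Test-FunctionalLevelPrerequisite {
    param(
        [Parameter(Mandatory = $true)] [string]   $TargetMode,         # e.g. Windows2008Domain
        [Parameter(Mandatory = $true)] [object[]] $DomainControllers   # objects with Name, OperatingSystem
    )
    if (-not $MinimumDcOs.ContainsKey($TargetMode)) { throw "Unknown functional level '$TargetMode'" }
    $required = $MinimumDcOs[$TargetMode]
    $blocking = @($DomainControllers | Where-Object {
        # Take the release year out of strings such as "Windows Server 2003" or
        # "Windows 2000 Server"; an unrecognised OS string is treated as blocking.
        $year = if ($_.OperatingSystem -match '\b(2000|2003|2008)\b') { [int]$Matches[1] } else { 0 }
        $year -lt $required
    })
    New-Object PSObject -Property @{
        TargetMode  = $TargetMode
        CanRaise    = ($blocking.Count -eq 0)
        BlockingDCs = @($blocking | ForEach-Object { "$($_.Name) ($($_.OperatingSystem))" })
    } | Select-Object TargetMode, CanRaise, BlockingDCs
}

# Constructed sample for the adatum.com forest (assumed names): one DC still on 2003.
$dcs = @(
    (New-Object PSObject -Property @{ Name = 'DC1.adatum.com';        OperatingSystem = 'Windows Server 2008 Enterprise' })
    (New-Object PSObject -Property @{ Name = 'DC2.europe.adatum.com'; OperatingSystem = 'Windows Server 2008 Standard' })
    (New-Object PSObject -Property @{ Name = 'DC3.asia.adatum.com';   OperatingSystem = 'Windows Server 2003' })
)
Test-FunctionalLevelPrerequisite -TargetMode 'Windows2003Forest' -DomainControllers $dcs | Format-List
Test-FunctionalLevelPrerequisite -TargetMode 'Windows2008Forest' -DomainControllers $dcs | Format-List

# Live use, run as a member of Domain Admins (domain) and Enterprise Admins (forest):
# Import-Module ActiveDirectory
# $live = (Get-ADForest).Domains |
#     ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
#     Select-Object Name, OperatingSystem
# wbadmin start systemstatebackup -backupTarget:E:    # the raise can only be undone by restore
# if ((Test-FunctionalLevelPrerequisite -TargetMode 'Windows2008Domain' -DomainControllers $live).CanRaise) {
#     Set-ADDomainMode -Identity adatum.com -DomainMode Windows2008Domain     # targets the PDC emulator
# }
# if ((Test-FunctionalLevelPrerequisite -TargetMode 'Windows2008Forest' -DomainControllers $live).CanRaise) {
#     Set-ADForestMode -Identity adatum.com -ForestMode Windows2008Forest     # targets the schema master
# }
```

With the sample data the Windows Server 2003 forest level can be raised, while the Windows Server 2008 level is blocked by DC3.asia.adatum.com; the live sequence refuses to call the Set- cmdlets until that domain controller has been upgraded or demoted.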

Question: You recently raised the domain functional level of the sales.adatum.com
domain; however, now you want to revert to the Windows Server 2003 domain
functional level. Is this possible, and if so, how?
Lesson 3
Planning Identity and Access Services in Active
Directory

Windows Server 2008 packages several identity and access technologies as Active
Directory server roles. Active Directory Certificate Services (AD CS) provides a
public key infrastructure; Active Directory Lightweight Directory Services (AD LDS)
replaces Active Directory Application Mode (ADAM), which was a separate download for
Windows Server 2003, and provides directory services for applications without
requiring a domain; Active Directory Federation Services (AD FS) provides an
identity federation and web single sign-on solution across organizational
boundaries; and Active Directory Rights Management Services (AD RMS) provides
services to enable the creation of information-protection solutions.
Objectives
After completing this lesson, you will be able to:
Describe AD CS.
Describe AD LDS.
Describe AD FS.
Describe AD RMS.
What Is AD CS?

Key Points
Active Directory Certificate Services (AD CS) extends the concept of trust so that a
user, computer, organization, or service can prove its identity inside or outside the
border of your Active Directory forest.
Certificates are issued by a certification authority (CA). When a user, computer, or
service uses a certificate to prove its identity, the relying party in the transaction
must trust the issuing CA, either directly or through a chain that ends at a trusted
root CA. A list of trusted root CAs, which includes, for example, VeriSign and
Thawte, is maintained by Windows in the Trusted Root Certification Authorities store
and is updated through Windows Update.
If you think about the last time you made a purchase on an Internet site, you will
recall that it was probably performed on a site using Secure Sockets Layer (SSL),
with an https:// address. The server proves its identity to the client, your browser,
by presenting a certificate issued by a CA that your browser trusts, such as VeriSign
or Thawte, and whose subject name matches the host name in the address.
A public key infrastructure (PKI) is based on a chain of trust. A certificate authority
can create a certificate for another certificate authority. The second CA can then
issue certificates to users, computers, organizations, or services that will be trusted
by any client that trusts the upstream, root CA.
The certificates can be used for numerous purposes in an enterprise network,
including the creation of secure channels such as the SSL example mentioned
earlier and for virtual private networks (VPNs) and wireless security as well as for
authentication, such as smart card logon.
AD CS gives you the technologies and tools you need to create and manage a PKI.
Although AD CS can run on a stand-alone server, it is much more common and
much more powerful to run AD CS integrated with AD DS as an enterprise CA.
AD DS can then act as a certificate store and provides the framework (certificate
templates, autoenrollment, and published revocation lists) within which to manage
the lifetime of certificates: how they are obtained, renewed, and revoked.
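The chain walk that a relying party performs, shown here as an added example that is not part of this course: a toy PKI in Python with a root CA, a subordinate (issuing) CA and a server certificate, where the client trusts only the root. The RSA keys use tiny fixed primes so that the arithmetic is visible and is not secure; the CA names, host names and certificate fields are assumptions for illustration, and real X.509 validation additionally checks validity periods, revocation and name constraints, which this model omits.

```python
"""Chain-of-trust walk for a toy PKI: a root CA certifies an issuing CA,
which certifies a web server; the client trusts only the root."""
import hashlib
from dataclasses import dataclass

# Toy RSA on tiny fixed primes: shows the mechanics only, NOT secure.
def make_keypair(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)        # (public, private); needs Python 3.8+

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    d, n = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == _digest(data, n)

@dataclass
class Cert:
    subject: str
    issuer: str
    pub: tuple
    is_ca: bool          # basic constraints: may this certificate sign others?
    sig: int = 0

    def tbs(self):       # the "to-be-signed" bytes the issuer's signature covers
        return f"{self.subject}|{self.issuer}|{self.pub}|{self.is_ca}".encode()

def issue(subject, pub, is_ca, issuer, issuer_priv):
    """The issuing CA signs the new certificate with its own private key."""
    cert = Cert(subject, issuer.subject, pub, is_ca)
    cert.sig = sign(issuer_priv, cert.tbs())
    return cert

def self_sign(subject, pub, priv):
    cert = Cert(subject, subject, pub, True)
    cert.sig = sign(priv, cert.tbs())
    return cert

def validate_chain(chain, trust_store):
    """chain = [leaf, intermediate, ...] as presented by the server (root excluded);
    trust_store maps root subject -> root Cert. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject}: issuer name does not match {parent.subject}"
        if not parent.is_ca:
            return False, f"{parent.subject} is not a CA"
        if not verify(parent.pub, child.tbs(), child.sig):
            return False, f"bad signature on {child.subject}"
    top = chain[-1]
    root = trust_store.get(top.issuer)
    if root is None or top.issuer == top.subject:      # unknown issuer or self-signed
        return False, f"no trusted root for {top.subject}"
    if not verify(root.pub, top.tbs(), top.sig):
        return False, f"{top.subject} not signed by trusted root {root.subject}"
    return True, f"chain anchored at {root.subject}"

def demo():
    root_pub, root_priv = make_keypair(61, 53)
    root = self_sign("Adatum Root CA", root_pub, root_priv)
    ca_pub, ca_priv = make_keypair(101, 113)
    issuing = issue("Adatum Issuing CA", ca_pub, True, root, root_priv)
    srv_pub, srv_priv = make_keypair(127, 131)
    server = issue("www.adatum.com", srv_pub, False, issuing, ca_priv)
    trust_store = {root.subject: root}                  # the client's trusted root list

    evil_pub, evil_priv = make_keypair(139, 149)
    evil_root = self_sign("Evil Root CA", evil_pub, evil_priv)
    forged = issue("www.adatum.com", srv_pub, False, evil_root, evil_priv)
    # a server certificate (is_ca=False) trying to act as an issuing CA
    rogue = issue("intranet.adatum.com", evil_pub, False, server, srv_priv)
    return {
        "good": validate_chain([server, issuing], trust_store),
        "untrusted_root": validate_chain([forged], trust_store),
        "non_ca_issuer": validate_chain([rogue, server, issuing], trust_store),
        "self_signed_leaf": validate_chain([evil_root], trust_store),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16} {'PASS' if ok else 'FAIL'}  {why}")
```

The three failing cases are the ones an enterprise CA design has to guard against: a certificate from a root the client does not trust, a leaf certificate being used to sign other certificates (which is why the CA flag is enforced, not just the issuer name), and a self-signed certificate presented directly. With AD CS, the enterprise root (or the offline root's certificate) is published to domain members through Group Policy so that it lands in this trust store.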
What Is AD LDS?
Key Points
AD LDS is an independent mode of Active Directory, without the infrastructure
features, that provides directory services for applications. It provides a data store
and services for accessing that data store. AD LDS uses the same standard
application programming interfaces (APIs) that are used to access AD DS data:
Active Directory Service Interfaces (ADSI), the Lightweight Directory Access
Protocol (LDAP), and System.DirectoryServices.
AD LDS does not have the infrastructure capabilities of Active Directory. It does
not provide directory services for the Windows operating system (no domains,
Group Policy, or Windows logon), so it concentrates on the requirements of
specific applications. If AD LDS operates in an Active Directory environment, it
can use Active Directory for authentication.
AD LDS usage complements that of Active Directory. Although AD LDS and Active
Directory can operate concurrently within the same network, AD LDS serves the
requirements of specific applications. An instance of AD LDS can be created for a
specific application without concern for the dependencies that Active Directory
requires. Multiple instances of AD LDS, each supporting a separate application
and listening on its own LDAP port, can run on a single server.
AD LDS Usage Scenarios
There are four situations in which organizations will find the use of AD LDS
beneficial.
• An organization with application-specific directories that use customized
schemas, or that depend on decentralized directory management, can benefit
from AD LDS. Because AD LDS directories are separate from the domain
infrastructure of AD DS, they can support applications that depend on schema
extensions that are not desirable in the AD DS directory, such as schema
extensions that are useful to a single application. In addition, the local server
administrator can administer the AD LDS directories; domain administrators
do not need to provide administrative support.
• A company that has directory-enabled application development and
prototyping environments that are separate from the enterprise's domain
structure can use AD LDS. Application developers who are creating directory-
enabled applications can install the AD LDS role on any server, even on stand-
alone servers or workstations. As a result, developers can control and modify
the directory in their development environment without interfering with the
organization's AD DS infrastructure. These applications can subsequently be
deployed with either AD LDS or AD DS as the application's directory service,
as appropriate. Network administrators can use AD LDS as a prototype or pilot
environment for applications that will eventually be deployed with AD DS as
their directory store, as long as the application does not depend on features
specific to AD DS.
• A company that needs to manage external client computers' access to
network resources can benefit from AD LDS. Enterprises that need to
authenticate extranet client computers, such as Web client computers or
transient client computers, can use AD LDS as the directory store for
authentication. This helps enterprises avoid having to maintain external client
information in the enterprise's domain directory, and keeps an Internet-facing
directory separate from the accounts that control the internal forest.
• Organizations that need to enable earlier LDAP client computers in a
heterogeneous environment to authenticate against AD DS can use AD LDS.
When organizations merge, there is often a need to integrate LDAP client
computers running different server operating systems into a single network
infrastructure. In such cases, rather than immediately upgrading client
computers running earlier LDAP applications or modifying the AD DS schema
to work with the earlier clients, network administrators can install the AD LDS
server role on one or more servers. The AD LDS server role acts as an interim
directory store using the earlier schema until the client computers can be
upgraded to use AD DS natively for LDAP access and authentication.
Note: An example of the use of AD LDS is to support the Exchange Server 2007 Edge
Transport server role. The Edge Transport server is deployed to the perimeter network,
typically on a server computer that is not part of a domain. The Edge Transport server
hosts an instance of AD LDS to determine how to handle inbound messages; for
example, to which internal Hub Transport server to route a message to an intended
recipient.
What Is AD FS?
Key Points
AD FS is a role of the Windows Server 2008 operating system that provides an
identity access solution. Using AD FS will give browser-based clients, both inside
and outside the network, access to protected, Internet-facing applications, even
when user accounts and applications are located in different networks or
organizations.
A typical scenario occurs when an application is in one network and a user account
is in another network, and the user is required to enter secondary credentials when
he or she attempts to access the application. With AD FS, secondary accounts are
not necessary. Instead, trust relationships are used to project a user's digital
identity and access rights to trusted partners. In this federated environment, each
organization continues to manage its own identities, but each organization can
securely project and accept identities from other organizations.
The process of authenticating to one network while accessing resources in another
network, without the burden of repeated logon actions, is known as single sign-on
(SSO). AD FS provides a Web-based SSO solution that authenticates users to
multiple Web applications over the life of a single browser session.
Note: AD FS provides a federated identity management solution that interoperates with
other security products that support the WS-* Web Services Architecture. AD FS employs
the federation specification of WS-*, called the WS-Federation Passive Requestor Profile
(WS-F PRP). This specification makes it possible for environments that do not use the
Windows identity model to federate with Windows environments.
AD FS Role Services
The AD FS server role includes federation services, proxy services, and Web agent
services that you configure to enable Web SSO, federate Web-based resources,
customize the access experience, and manage how existing users are authorized to
access applications.
Depending on your organization's requirements, you can deploy servers running
any one of the following AD FS role services:
• Federation Service: The Federation Service comprises one or more federation
servers that share a common trust policy. You use federation servers to route
authentication requests from user accounts in other organizations or from
clients that may be located anywhere on the Internet.
• Federation Service Proxy: The Federation Service Proxy is a proxy to the
Federation Service, placed in the perimeter network (also known as a
demilitarized zone (DMZ) or screened subnet). The Federation Service Proxy
uses the WS-Federation Passive Requestor Profile (WS-F PRP) protocols to
collect user credential information from browser clients, and it sends the user
credential information to the Federation Service on their behalf, so that the
Federation Service itself is never exposed directly to the Internet.
• Claims-aware agent: You use the claims-aware agent on a Web server that hosts
a claims-aware application to allow the querying of AD FS security token
claims. A claims-aware application is a Microsoft ASP.NET application that
uses claims that are present in an AD FS security token to make authorization
decisions and personalize the application.
• Windows token-based agent: You use the Windows token-based agent on a
Web server that hosts a Windows NT token-based application to support
conversion from an AD FS security token to an impersonation-level Windows
NT access token. A Windows NT token-based application is an application that
uses Windows-based authorization mechanisms.
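The federated sign-on described above, reduced to function calls so that both sides' messages are visible (an added example, not course material): adatum.com is the account partner that holds the user accounts, treyresearch.net is the resource partner hosting a claims-aware purchasing application, and the browser is the passive requestor that carries tokens between them. HMAC keys stand in for each Federation Service's token-signing certificate, and the users, passwords, group names, claim mappings and issuer URNs are constructed for the example.

```python
"""WS-Federation passive sign-on between two organizations, reduced to
function calls: the browser carries tokens between the parties."""
import hashlib, hmac, json

# Keys stand in for each Federation Service's token-signing certificate.
ADATUM_KEY = b"adatum-token-signing-key"     # account partner: holds the user accounts
TREY_KEY = b"trey-token-signing-key"         # resource partner: hosts the application

def sign_token(claims, key):
    body = json.dumps(claims, sort_keys=True)
    return {"body": body, "sig": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def open_token(token, key, now):
    """Verify signature and lifetime; return the claims or None."""
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    claims = json.loads(token["body"])
    return claims if now < claims["expires"] else None

# --- account partner (adatum.com) federation server ---
ADATUM_USERS = {  # constructed stand-in for adatum.com's AD DS
    "alice@adatum.com": {"pw": "Alice-Pa55word", "groups": ["Purchasing"]},
    "bob@adatum.com": {"pw": "Bob-Pa55word", "groups": ["Marketing"]},
}

def adatum_fs_signin(upn, password, now, ttl=600):
    """Authenticate against the home directory, then issue a signed claims token."""
    acct = ADATUM_USERS.get(upn)
    if acct is None or not hmac.compare_digest(acct["pw"], password):
        return None
    return sign_token({"iss": "urn:federation:adatum", "upn": upn,
                       "groups": acct["groups"], "expires": now + ttl}, ADATUM_KEY)

# --- resource partner (treyresearch.net) federation server ---
TREY_TRUST_POLICY = {
    "urn:federation:adatum": {                           # the account partner we trust
        "key": ADATUM_KEY,                               # its token-signing key
        "claim_map": {"Purchasing": "PurchaseApprover"}  # incoming group -> outgoing claim
    }
}

def trey_fs_accept(partner_token, now):
    """Check the token against the trust policy and re-issue claims for local apps."""
    issuer = json.loads(partner_token["body"]).get("iss")   # only used to pick the key
    policy = TREY_TRUST_POLICY.get(issuer)
    if policy is None:
        return None                                         # unknown partner: no trust
    claims = open_token(partner_token, policy["key"], now)
    if claims is None:
        return None                                         # bad signature or expired
    roles = [policy["claim_map"][g] for g in claims["groups"] if g in policy["claim_map"]]
    return sign_token({"iss": "urn:federation:trey", "upn": claims["upn"],
                       "roles": roles, "expires": claims["expires"]}, TREY_KEY)

# --- claims-aware application behind the claims-aware agent ---
def purchasing_app(app_token, now, required="PurchaseApprover"):
    claims = open_token(app_token, TREY_KEY, now) if app_token else None
    if claims is None:
        return "401 not authenticated"
    if required not in claims["roles"]:
        return f"403 {claims['upn']} lacks claim {required}"
    return f"200 welcome {claims['upn']}"

def browse(upn, password, now=1_700_000_000.0, tamper=False, delay=0):
    """One browser session: sign in at home, get federated, hit the application."""
    home_token = adatum_fs_signin(upn, password, now)
    if home_token is None:
        return "401 not authenticated"
    if tamper:   # attacker edits a group claim in transit; the signature no longer matches
        home_token = dict(home_token, body=home_token["body"].replace("Marketing", "Purchasing"))
    app_token = trey_fs_accept(home_token, now)
    return purchasing_app(app_token, now + delay)

if __name__ == "__main__":
    print(browse("alice@adatum.com", "Alice-Pa55word"))
    print(browse("bob@adatum.com", "Bob-Pa55word"))
    print(browse("bob@adatum.com", "Bob-Pa55word", tamper=True))
    print(browse("alice@adatum.com", "Alice-Pa55word", delay=3600))
```

Two design points carry over to a real deployment. The resource partner never sees a password: it only trusts claims signed by a partner listed in its trust policy, so revoking the partnership (or rotating the partner's signing certificate) cuts access without touching any user account. And the claim mapping is where the resource organization decides what a foreign group means locally; an unmapped group yields no role, which is the 403 that bob receives.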
What Is AD RMS?
Key Points
AD RMS provides services to enable the creation of information-protection
solutions. AD RMS is a format- and application-agnostic technology. It will work
with any AD RMS-enabled application to provide persistent usage policies for
sensitive information. Content that can be protected using AD RMS includes
intranet sites, Web sites, e-mail messages, and documents. AD RMS includes a set
of core functions that enable developers to add information protection to the
functionality of existing applications.
The AD RMS system, which includes both server and client components,
performs several processes. First, it facilitates licensing and distributing rights-
protected information. An AD RMS system issues rights account certificates
identifying trusted entities, such as users, groups, and services that can publish
rights-protected content. After trust has been established, users can assign usage
rights and conditions to content they want to protect. These usage rights specify
who can access rights-protected content and what they can do with it. When the
content is protected, a publishing license is created for the content. This license
binds the specific usage rights to a given piece of content so that the content can
be distributed. For example, a user can send a rights-protected document to other
users inside or outside of their organization without losing the assigned rights.
AD RMS is also used for acquiring licenses to decrypt rights-protected content
and applying usage policies. Users who have been granted a rights account
certificate can access rights-protected content by using an AD RMS-enabled client
application, which lets them view and work with the content while preserving its
integrity and applying the usage policies. When a user attempts to access, or
consume, rights-protected content, the client application sends a request to the
AD RMS system. The AD RMS licensing service on the AD RMS server issues a
unique use license, and the client application reads, interprets, and applies the
usage rights and conditions specified in the publishing license. The content is
decrypted by using the electronic keys from the content and the application,
together with the certificates of the trusted entities. The usage rights and
conditions are persistent and are applied automatically everywhere the content
goes.
AD RMS can be used for creating rights-protected files and templates. Users who
are trusted entities in an AD RMS system can create and manage protection-
enhanced files by using familiar authoring tools in an AD RMS-enabled
application that incorporates AD RMS technology features. In addition,
AD RMS-enabled applications can use centrally defined and officially authorized
usage rights templates to help users efficiently apply a predefined set of usage
policies.
Additional Reading
AD RMS Documentation Roadmap:
http://go.microsoft.com/fwlink/?LinkID=163878&clcid=0x409
Lesson 4
Implementing Active Directory in the Physical
Network
An AD DS site topology is a logical representation of the physical network.
Designing an Active Directory site topology involves planning for domain
controller placement and designing sites, subnets, site links, and site link bridges
to ensure efficient routing of query and replication traffic.
Objectives
After completing this lesson, you will be able to:
• Describe the function of a domain controller.
• Plan the appropriate placement for your domain controllers.
• Configure sites.
• Describe the functionality of a Read-Only Domain Controller (RODC).
• Deploy an RODC.
What Is a Domain Controller?
Key Points
Domain controllers host AD DS. Domain controllers provide the following
functions on the network:
• Authentication. Domain controllers store the domain accounts database and
provide authentication services (Kerberos and NTLM).
• Optionally host operations master roles (formerly known as Flexible Single
Master Operations (FSMO) roles). There are five operations master roles: two
forest-wide roles and three domain roles. The forest-wide roles, the schema
master and the domain naming master, are initially held by the first domain
controller in the forest. The domain roles, the primary domain controller
(PDC) emulator, the relative identifier (RID) master, and the infrastructure
master, are initially held by the first domain controller in each domain. You can
transfer these roles as you require.
• Optionally host the global catalog. You can designate any domain controller
as a global catalog server.
• Support Group Policy and SYSVOL. Group policies consist of Group Policy
containers, stored in Active Directory, and Group Policy templates, stored in
the SYSVOL folder in the file system of all domain controllers. The domain
controller that holds the PDC emulator operations master role acts as a single
master for the creation and modification of group policies.
• Replication. Active Directory is a distributed directory service. Objects such as
users, computers, organizational units, and services are distributed across all
domain controllers in the forest, and can be updated on any writable domain
controller that hosts the partition they belong to. Active Directory replication
is the process by which the changes that originate on one domain controller
are automatically transferred to other domain controllers. You can exert some
control over this process by creating sites and site links, and by configuring
replication bridgeheads between these sites.
Note: Some changes can only be made on a domain controller that holds the
appropriate operations master role. For example, changes to the schema can only be
made on the schema operations master.
Determining the Placement of Domain Controllers
Key Points
An AD DS site topology is a logical representation of the physical network.
Designing an Active Directory site topology involves planning for domain
controller placement and designing sites, subnets, site links, and site link bridges
to ensure efficient routing of query and replication traffic.
Create a Location Map
The first step in designing an effective Active Directory site topology is to collect
information about the organization's physical network topology. This can be done
by creating a location map that represents the physical network infrastructure of
the organization. The location map should identify the geographic locations that
contain groups of computers with internal connectivity of 10 megabits per second
(Mbps) or greater. After creating the location map, document the type of
communication link, its link speed, and the available bandwidth between each
pair of locations. This information will be used to create site links later in the site
topology design process.
Determine the Domain Controller Placement
The next step is to plan where to place domain controllers, including regional
domain controllers, forest root domain controllers, operations master role holders,
and global catalog servers.
Forest root domain controllers are needed to create trust paths for clients that need
to access resources in domains other than their own. Forest root domain
controllers should be placed at locations that host datacenters and in hub
locations. If users in a given location need to access resources from other domains
in the same location, and the network availability between the datacenter and the
user location is unreliable, then there is the option to either add a forest root
domain controller in the location or create a shortcut trust between the two
domains. It is more cost efficient to create a shortcut trust between the domains
unless there are other reasons to place a forest root domain controller in that
location.
Plan the Site Design
Next in the site topology design process is to create a site design. Creating a site
design involves deciding which locations will become sites, creating site objects,
creating subnet objects, and associating the subnets with sites.
Site Links and Site Link Bridges
The site link design connects sites with site links. Site links reflect the intersite
connectivity and the method used to transfer replication traffic. Sites must be
connected with site links so that domain controllers at each site can replicate
Active Directory changes. The Active Directory site links will usually mirror the
WAN links between geographic sites.
A site link bridge connects two or more site links and makes them transitive, so
that replication can be routed across them.
Each site link in a bridge must have a site in common with another site link in the
bridge. The Knowledge Consistency Checker (KCC) uses the cost assigned to each
site link to compute the cost of replication between sites in one site link and sites
in the other site links of the bridge. Without a common site between site links, the
KCC cannot establish direct connections between domain controllers in the sites
that are connected by the same site link bridge.
By default, all site links are transitive, because the Bridge all site links option is
enabled for the IP transport. It should only be necessary to change this default if:
• Not all site links are fully routed. In this case, you can build site link bridges
that match the actual routes of your network.
• You need to control the replication behavior of Active Directory Domain
Services traffic. For instance, in a hub and spoke network topology, it might
not be desirable to allow replication traffic between the satellite sites should
the hub site domain controllers fail. Similarly, if some sites replicate through a
firewall, disabling Bridge all site links lets you control replication and limit
traffic through the firewall by creating site link bridges only between sites on
one side of the firewall.
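How the KCC chooses intersite routes from site link costs, and what disabling Bridge all site links changes, as an added example that is not part of the course: a hub-and-spoke topology with a slow backup circuit between the two branches and a DMZ site behind a firewall. The site names, link names and costs are constructed; the model treats every pair of sites on one site link as directly connected at that link's cost, which is how the KCC evaluates a site link, and ignores schedules and replication intervals.

```python
"""Replication route costs the way the KCC computes them from site links,
with Bridge all site links on and off."""
import heapq
from itertools import combinations

# (site link name, cost, sites it contains): constructed hub-and-spoke topology
SITE_LINKS = [
    ("Hub-Branch1", 100, ("Hub", "Branch1")),
    ("Hub-Branch2", 100, ("Hub", "Branch2")),
    ("Branch1-Branch2", 500, ("Branch1", "Branch2")),   # slow backup circuit
    ("Hub-DMZ", 50, ("Hub", "DMZ")),                     # crosses the firewall
]

def site_link_graph(links):
    """Adjacency list: sites on the same site link are joined at that link's cost."""
    adj = {}
    for name, cost, sites in links:
        for a, b in combinations(sites, 2):
            adj.setdefault(a, []).append((b, cost, name))
            adj.setdefault(b, []).append((a, cost, name))
    return adj

def cheapest_route(adj, src, dst):
    """Dijkstra over the graph; returns (total cost, [site links used]) or None."""
    best = {src: 0}
    heap = [(0, src, [])]
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if cost > best[site]:
            continue                      # stale heap entry
        for nxt, c, link in adj.get(site, []):
            if nxt not in best or cost + c < best[nxt]:
                best[nxt] = cost + c
                heapq.heappush(heap, (cost + c, nxt, path + [link]))
    return None

def replication_cost(links, src, dst, bridge_all=True, bridges=()):
    """bridge_all=True: every site link is transitive, so routes may chain links.
    bridge_all=False: links may only be chained inside an explicit site link
    bridge; a lone site link still connects the sites it contains directly."""
    if bridge_all:
        groups = [links]
    else:
        by_name = {link[0]: link for link in links}
        groups = [[by_name[n] for n in b] for b in bridges] + [[link] for link in links]
    routes = [r for g in groups if (r := cheapest_route(site_link_graph(g), src, dst))]
    return min(routes) if routes else None

if __name__ == "__main__":
    print("bridged:        ", replication_cost(SITE_LINKS, "Branch1", "Branch2"))
    print("unbridged:      ", replication_cost(SITE_LINKS, "Branch1", "Branch2", bridge_all=False))
    print("firewall:       ", replication_cost(SITE_LINKS, "Branch1", "DMZ", bridge_all=False))
    print("explicit bridge:", replication_cost(
        SITE_LINKS, "Branch1", "DMZ", bridge_all=False, bridges=[("Hub-Branch1", "Hub-DMZ")]))
```

With bridging on, Branch1 reaches Branch2 through the hub at cost 200 rather than over the 500-cost backup circuit, and also reaches the DMZ transitively. With bridging off and no explicit bridges, the branches can still replicate directly over their own site link, but nothing reaches the DMZ except the hub, which is the firewall control the text describes; adding an explicit bridge that shares the Hub site restores exactly the route you choose.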
Demonstration: Creating a Site
Key Points
• Create a new site.
• Configure the replication interval and schedule between the new site and the
existing site.

High-level steps:
• Create a site object.
• Configure the inter-site replication interval.
• Configure the inter-site replication schedule.

Question: What is the default replication schedule and interval for the
DEFAULTIPSITELINK object?
What Is a Read-Only Domain Controller?
Key Points
A read-only domain controller (RODC) is a new type of domain controller in the
Windows Server 2008 operating system. With an RODC, organizations can easily
deploy a domain controller in locations where physical security cannot be
guaranteed. An RODC hosts a read-only replica of the database in AD DS for a
given domain. The RODC is also capable of functioning as a global catalog server.
Beginning with Windows Server 2008, an organization can deploy an RODC to
address scenarios with limited wide area network (WAN) bandwidth or poor
physical security for computers. As a result, users in this situation can benefit from:
• Improved security
• Faster logon times
• More efficient access to resources on the network
RODC features and what each one means:

Read-only Active Directory database
Except for account passwords, an RODC holds all the Active Directory objects and
attributes that a writable domain controller holds. However, changes cannot be
made to the replica that is stored on the RODC. Changes must be made on a
writable domain controller and replicated back to the RODC.

Unidirectional replication
Because no changes are written directly to the RODC, no changes originate at the
RODC. Accordingly, writable domain controllers that are replication partners do
not have to pull changes from the RODC. This reduces the workload of bridgehead
servers in the hub and the effort required to monitor replication.

Credential caching
Credential caching is the storage of user or computer secrets (the password
hashes and Kerberos keys, roughly 10 values per security principal) on the RODC.
By default, an RODC does not store user or computer credentials. The exceptions
are the computer account of the RODC and the special krbtgt account (the
Kerberos Key Distribution Center account) that each RODC has. You must
explicitly allow any other credential caching on an RODC through its Password
Replication Policy.

Administrator role separation
You can delegate the local administrator role of an RODC to any domain user
without granting that user any user rights for the domain or other domain
controllers. This permits a local branch user to log on to an RODC and perform
maintenance work on the server, such as upgrading a driver. However, this does
not give the branch user the right to log on to any other domain controller or
perform any other administrative task in the domain.

Read-only Domain Name System
You can install the Domain Name System (DNS) Server service on an RODC. An
RODC is able to replicate all application directory partitions that DNS uses,
including ForestDNSZones and DomainDNSZones. If the DNS server is installed
on an RODC, clients can query it for name resolution as they would query any
other DNS server; dynamic updates are referred to a writable DNS server.
The following points help summarize the RODC role:
The domain controller that holds the PDC emulator operations master role for
the domain must be running Windows Server 2008. This is necessary for
creating the new krbtgt account for the RODC and for ongoing RODC
operations.
The RODC needs to forward authentication requests to a global catalog server
running Windows Server 2008 in the site that is closest to the site with the
RODC. The Password Replication Policy is set on this domain controller to
determine if credentials are replicated to the branch location for a forwarded
request from the RODC.
The domain functional level must be Windows Server 2003 so that Kerberos
constrained delegation is available. Constrained delegation is used for security
calls that need to be impersonated under the context of the caller.
The forest functional level must be Windows Server 2003, so that linked-value
replication is available. This provides a higher level of replication consistency.
You must run adprep /rodcprep one time in the forest. This will update the
permissions on all of the DNS application directory partitions in the forest to
facilitate replication between RODCs that are also DNS servers.
Multiple RODCs for the same domain in the same site are not supported
because RODCs in the same site do not share information with each other.
Therefore, deploying multiple RODCs for the same domain in the same site
can lead to inconsistent logon experiences for users, if the writable domain
controllers cannot be reached on the network.
An RODC cannot hold operation master roles or function as a replication
bridgehead server.
You can deploy an RODC on Server Core for additional security.

Demonstration: Deploying an RODC

Key Points
Prepare the forest for an RODC.
Deploy an RODC into a new site.
Configure and verify the password replication policy for the RODC.

High-level steps:
1. Prepare the forest with the adprep /rodcprep command.
2. Deploy the domain controller role on the SEA-SVR1 server.
3. Configure the RODC password replication policy for SEA-SVR1.

Question: Why is it desirable to not cache administrator passwords on an RODC?
Lab: Planning for Active Directory


Note: Your instructor may run this lab as a class discussion.
Adatum Corporation has recently acquired Contoso, a company with a range of
compatible products. Allison Brown, the IT Manager, has asked you to create a
document with recommendations about how best to incorporate the Contoso
network infrastructure into that of Adatum. Adatum has a large, wholly U.S.-based
network, with offices across the United States. Contoso has operations in the U.S.,
but also in Europe and the Far East.
The following table summarizes the high-level information:

                              Adatum                        Contoso
Total number of computers     10,000                        10,000
Number of countries           1                             5
Current directory service     Windows Server 2008 AD DS     Windows NT 4.0 single-master
                                                            domain model
Number of forests             1                             0
External DNS name             Adatum.com                    Contoso.com
Number of domains             1                             5

Exercise 1: Selecting a Forest Topology
Scenario
You begin to conduct a survey and exchange a number of e-mails with colleagues
that have been on-site at Contoso. You determine that Contoso currently uses a
Windows NT 4.0 domain infrastructure consisting of five domains with
appropriate trust relationships connecting the domains.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Answer the questions in the Contoso Domain Migration document.

Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Contoso Domain Migration document with your
planned forest topology
Answer the questions in the Contoso Domain Migration document.

Supporting Documentation
E-mail thread of correspondence with Alan Steiner:
Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 31 July 2009 14:50
To: Gregory@adatum.com
Subject: Re: Contoso Domain Migration
Attachments: Windows NT4.0 Single-Master Model.doc
Greg,
I've attached a document I located in an old TechNet library CD. It provides some
useful tips. The only comment I'd make is that the single-master domain model is
usually implemented in order to keep all the user accounts in one account-holding
domain, and all the resources in multiple resource-holding domains. These days,
you'd probably want to use organizational units within a domain to hold the
resources, like computers and so forth. You'd almost certainly need to reduce the
number of domains.
Regards,
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 31 July 2009 14:45
To: Alan@adatum.com
Subject: Contoso Domain Migration
Hello Alan,
Allison has asked me to draw up a proposal for a migration of the Contoso
network into our network infrastructure. I understand it's running Windows NT
4.0. I'm simply trying to determine the number and configuration of forests at this
point, but don't have much experience with these older Windows NT 4.0 domain
models. Do you have any guidance or general advice?
Regards,
Greg
Windows NT4.0 Single-Master Model.doc
Windows NT supports four domain models:
Single domain. In this model, there is only one domain. The domain holds
both user/group accounts and resources. There is a single administrator for
both resources and user/group accounts.
Single-master domain. In this model, there is an account-holding domain and
as many resource-holding domains as required to support an organization's
requirements. There is separation of administration because the account-
holding administrator has no administrative control on the resource-holding
domains, and the administrators in the resource-holding domains do not have
administrative control over the account-holding domain, nor each other's
resource-holding domain. One-way trusts are established between the
resource-holding and account-holding domains so that users and groups from
the account-holding domain (trusted) can be granted permissions, through the
trust, to resources in the resource-holding domain (trusting) at the discretion
of the resource-holding administrator.
Multimaster domain. Windows NT 4.0 supports a maximum of around
15,000 user accounts in a single domain. Where organizations require the
administrative separation of the single-master domain model, but have a large
user base, they opt for the multimaster model. Additional trusts are required to
facilitate this model.
Complete trust. In this model, all domains trust all other domains. This
provides for the ability for users in any domain potentially to gain access to
resources held in any other domain. This model is the most similar to what AD
DS provides.

Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 04 August 2009 08:45
To: Gregory@adatum.com
Subject: Re: Details of Contoso domain model
Attachments: Adatum AD DS Overview.vsd; Contoso NT 4 Domain
Overview.vsd
Greg,
I do, and I've attached it, together with one of the Adatum.com domains. As you
know, we have a single AD DS domain, and use organizational units to manage
resources and sites for replication control. Contoso, of course, cannot use
organizational units or sites, as Windows NT 4.0 domains do not support them.
This is probably why they have several domains, to better control Windows NT
4.0 domain replication. It's possibly why they have four resource domains, too.
Regards,
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 03 August 2009 09:10
To: Alan@adatum.com
Subject: Details of Contoso domain model
Alan,
Thanks for that Windows NT 4.0 document; it was very helpful. Do you happen to
have any diagrams of the actual domain infrastructure?
Thanks,
Greg
Adatum AD DS Overview.vsd









Contoso NT 4 Domain Overview.vsd

Contoso Domain Migration
Document Reference Number: GW0809/1
Document Author
Date
Gregory Weber
5th August
Requirement Overview
To devise an appropriate forest and domain topology for the merged companies.
Additional Information
The new company will continue to operate with dual names; that is, the Adatum and
Contoso brands are equally important.
It is anticipated that the existing Windows NT 4.0 domain controllers and servers will be
replaced as part of the migration process.
Proposals
1. Do you intend to upgrade the domain controllers in the Contoso network to
Windows Server 2008?


2. How many forests do you anticipate?


3. How many domains do you plan to implement?


4. How many trees do you envisage?


5. What trust relationships, aside from those created automatically, will you require?



6. Provide a sketch of the completed forest.











Results: After this exercise, you should have a completed Contoso Domain Migration
document.
Exercise 2: Planning Active Directory for a Branch Network
Scenario
Adatum has a number of new sales offices in the western region. Allison Brown has
asked you to determine the appropriate Active Directory configuration for them,
and to document your proposals.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Answer the questions in the Branch Office Planning document.

Supporting Documentation
E-mail thread of correspondence with Alan Steiner:
Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 24 August 2009 14:02
To: Gregory@adatum.com
Subject: Re: Branch Office Plan
Attachments: Sales Office Details.doc
Greg,
Take a look at the attached document. Get back to me with any questions. I got
this from Joe Healy, the Sales manager.
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 24 August 2009 13:30
To: Alan@adatum.com
Subject: Branch Office Plan
Alan,
What can you tell me about these new sales offices?
Thanks,
Greg

Sales Office Details.doc
In the sales offices, we have a number of line-of-business applications, including a
Microsoft SQL Server-based database. The local sales office updates and
replicates back to the head office overnight. The SQL Server database needs access
to a directory of customers.
In the western region, we have three offices, each with around 100 computers. We
have a routed connection back to the head office.
Alan Steiner tells me that name resolution is provided by WINS and DNS, as we
have a legacy NetBIOS application.
There was some talk of creating a separate name space for sales, such as
Sales.adatum.com, but we have implemented this only as an e-mail domain. The
computers are all part of the Adatum.com domain.
We've had some issues in the past with security; we often have members of the
public in our sales offices, and consequently security is a critical factor. We don't
always have the option of a secure computer room, and so our laptops are locked
to the desks. Servers are often to be found in a closet, or small office.
Each branch office consists of a number of subnets; two for hosting the sales staff
laptops and another for branch network servers.

Branch Office Planning
Document Reference Number: GW0809/2
Document Author
Date
Gregory Weber
1st September
Requirement Overview
To determine the placement and configuration of domain controllers and related
services at the western region sales offices.
Additional Information
It is important that in the event of a link failure between the head office and branch
offices, users are still able to log on to the network and access services.
Proposals
1. Do you intend to deploy a domain controller(s) in the branch offices?
How many?


2. Will you deploy an RODC(s)?


3. How will you optimize the directory replication for the branches?


4. How will domain controllers know in which branch they are located?


5. Do you anticipate the need for global catalog services?


6. How will you configure global catalog and DNS?


7. What additional Active Directory-related services are required to support the
branch office line-of-business applications?


Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Branch Office Planning document with your
proposals
Answer the questions in the Branch Office Planning document.

Results: After this exercise, you should have a completed Branch Office Planning
document.

Exercise 3: Deploying a Branch Domain Controller
Scenario
You have been tasked with performing the deployment of the new domain
controller at the Redmond sales branch office.
The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Raise the domain and forest functional level.
3. Create a new site and subnet object.
4. Configure the replication interval for the new site.
5. Prepare the forest for the new RODC.
6. Deploy the new RODC.
7. Configure the password replication policy and prepopulate the password
cache.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Raise the domain functional level
1. Switch to the SEA-DC1 computer.
2. Open Active Directory Users and Computers.
3. Raise the domain functional level to Windows Server 2008.
4. Close Active Directory Users and Computers.

Task 3: Raise the forest functional level
1. Open Active Directory Domains and Trusts.
2. Raise the forest functional level to Windows Server 2008.
3. Close Active Directory Domains and Trusts.

Task 4: Create the Redmond site
1. Open Active Directory Sites and Services.
2. Create a new site with the following properties:
Name: Redmond
Associated site link: DEFAULTIPSITELINK

Task 5: Configure the replication interval
1. In Active Directory Sites and Services, expand Inter-Site Transports, expand
IP, and then click IP.
2. Modify the replication interval for DEFAULTIPSITELINK:
Replicate every: 15 minutes

Task 6: Create the 10.10.0.0/16 subnet
1. In Active Directory Sites and Services, in the console, right-click Subnets, and
click New Subnet.
2. Create a new subnet with the following properties:
Prefix: 10.10.0.0/16
Site Name: Redmond
3. Close Active Directory Sites and Services.

Task 7: Prepare the forest for the RODC
1. Open the Command Prompt.
2. At the command prompt, type each of the following commands, and then
press ENTER:
D:
Cd\Labfiles\Mod03\adprep
Adprep /rodcprep
3. Close the command prompt.

Task 8: Promote a new domain controller for the branch office
1. Switch to the SEA-SVR1 computer.
2. Run dcpromo with advanced mode installation.
3. Use the following options to complete the process:
Operating System Compatibility page: default.
Choose a Deployment Configuration page: Existing forest.
Network Credentials page: default.
Select a Domain page: default.
Select a Site page: default.
Additional Domain Controller Options page: select the Read-only domain
controller (RODC) check box. (Note: Leave the other check boxes
selected.)
In the Static IP assignment dialog box, click Yes, the computer will
use a dynamically assigned IP address (not recommended).
Specify the Password Replication Policy page: default.
Delegation of RODC Installation and Administration page: default.
Install from Media page: default.
Source Domain Controller page: default.
Location for Database, Log Files, and SYSVOL page: default.
Directory Services Restore Mode Administrator Password page:
Password: Pa$$w0rd.
Confirm: Pa$$w0rd.
In the Active Directory Domain Services Installation dialog box, select
the Reboot on completion check box.

Task 9: Configure the password replication policy
1. When SEA-SVR1 has restarted, log on to the SEA-SVR1 virtual machine as
ADATUM\administrator with a password of Pa$$w0rd.
2. Switch to the SEA-DC1 computer.
3. Open Active Directory Users and Computers.
4. Locate SEA-SVR1 in the Domain Controllers folder.
5. View the Password Replication Policy page of the SEA-SVR1 Properties
dialog box.
6. Grant the SalesGG global group the Allow passwords for the account to
replicate to this RODC permission.
7. Click Apply, and then click Advanced.
8. From the Resultant Policy tab of the Advanced Password Replication Policy
for SEA-SVR1 dialog box, verify that Joe's account is allowed to cache its
password.

Task 10: Prepopulate the password cache
1. From the Policy Usage tab of the Advanced Password Replication Policy for
SEA-SVR1 dialog box, click Prepopulate Passwords.
2. Prepopulate the following user accounts' passwords:
Joe; Jim; Parul; Heiko; Claus
3. Close Active Directory Users and Computers.
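As an added example that is not part of the course material, the following PowerShell audit covers both the RODC prerequisites summarized in the lesson and the resultant password replication policy you verify in Task 9, reporting any cached account that belongs to a highly privileged group. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and RSAT, not Windows Server 2008 RTM), the lab's SEA-SVR1 name, and a constructed list of privileged groups; there is no cmdlet to confirm that adprep /rodcprep has run, so that step stays as in Task 7.

```powershell
# Added example (not part of the course): audit RODC prerequisites and the
# resultant password replication policy of a branch RODC.
# Assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT).
Import-Module ActiveDirectory

$Rodc = 'SEA-SVR1'    # branch RODC promoted in Exercise 3 (lab name)
# Constructed list: groups whose members should never have credentials cached
# on a physically exposed branch server.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Server Operators',
                      'Backup Operators')

# 1. Prerequisites: functional levels and the PDC emulator's operating system.
#    (adprep /rodcprep has no cmdlet to query; run it as in Task 7.)
$domain = Get-ADDomain
$forest = Get-ADForest
$pdc    = Get-ADDomainController -Identity $domain.PDCEmulator
"Domain functional level : $($domain.DomainMode)"
"Forest functional level : $($forest.ForestMode)"
"PDC emulator            : $($pdc.HostName) ($($pdc.OperatingSystem))"
if ($pdc.OperatingSystem -match 'Windows (2000|Server 2003)') {
    Write-Warning 'The PDC emulator must run Windows Server 2008 before an RODC is promoted.'
}

# 2. The RODC itself: confirm it really is read-only and note its site.
$dc = Get-ADDomainController -Identity $Rodc
if (-not $dc.IsReadOnly) { Write-Warning "$Rodc is not an RODC." }
"Site: $($dc.Site)   Global catalog: $($dc.IsGlobalCatalog)"

# 3. Configured policy: the explicit allow and deny lists on the RODC object.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
'Allowed: ' + (($allowed | ForEach-Object { $_.Name }) -join ', ')
'Denied : ' + (($denied  | ForEach-Object { $_.Name }) -join ', ')

# 4. Build the set of privileged accounts, following nested group membership,
#    so that a Domain Admin placed inside SalesGG is still recognised.
$privileged = @{}
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $privileged[$_.DistinguishedName] = $g }
}

# 5. Resultant policy: accounts whose secrets are already stored on the RODC.
#    Deny wins over allow, so a privileged account appearing here means the
#    deny list has been weakened and the branch server now holds that secret.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
foreach ($acct in $revealed) {
    if ($privileged.ContainsKey($acct.DistinguishedName)) {
        Write-Warning ("{0} is cached on {1} but is a member of {2}" -f
                       $acct.SamAccountName, $Rodc, $privileged[$acct.DistinguishedName])
    } else {
        "{0,-24} cached on {1}" -f $acct.SamAccountName, $Rodc
    }
}
```

Run it from SEA-DC1 after Task 10; the five prepopulated sales accounts should be listed as cached, and no warning should appear.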

Results: After this exercise, you should have successfully deployed an RODC for the
Redmond sales office.
To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module Review and Takeaways

Review Questions
1. In a multidomain network, why is the global catalog server important?

2. From a security perspective, what is the difference between implementing a
forest with two trees, and implementing two forests with forest trusts
established between them?

3. Why would you implement shortcut trusts between domains?

4. What domain functional level is required to support the redirection of the
default Users and Computers containers?

5. You are concerned about the reliability of using FRS to replicate the SYSVOL
folder between domain controllers. What domain functional level must you
select in order to use DFS?

6. During the creation of a site object, with which other object must you associate
it?

Module 4
Planning for Group Policy
Contents:
Lesson 1: Planning Group Policy Application 4-3
Lesson 2: Planning Group Policy Processing 4-13
Lesson 3: Planning the Management of Group Policy Objects 4-24
Lesson 4: Planning the Management of Client Computers 4-37
Lab: Planning for Group Policy 4-52
Module Overview

Group Policy is an essential part of any Windows Server 2008 network. It can be
used as a centralized management tool to distribute settings and applications to
computers. For servers, group policy is typically used to distribute security
settings. For client computers, group policy is used to configure the user
environment and distribute applications.
Objectives
After completing this module, you will be able to:
Plan group policy application.
Plan group policy processing.
Plan the management of group policy objects.
Plan the management of client computers.

Lesson 1
Planning Group Policy Application

Group Policy objects contain a wide variety of settings that can be applied to users
or computers. An effective plan for implementing group policy needs to take into
account how and when these settings are applied. This ensures that the application
of group policy objects is predictable.
Objectives
After completing this lesson, you will be able to:
Describe the types of group policy settings.
Describe the considerations for group policy application.
Describe the considerations for group policy application exceptions.
Describe the new group policy features in Windows Server 2008.

Demonstration: Reviewing and Modifying Group
Policy Settings

Key Points
A Group Policy Object (GPO) contains thousands of settings that you can use to
control servers and client computers. However, individual settings are restricted in
how they can be applied.
The settings in a GPO that apply to a computer are limited by the operating system
of the computer. For example, some settings will apply to Windows Server 2008
but not Windows Server 2003. Windows Server 2003 ignores a setting that is
specific to Windows Server 2008.
A GPO has both user and computer settings. The user settings apply based on the
location of the user object in Active Directory directory services. The computer
settings apply based on the location of the computer object in Active Directory.
A GPO also contains preferences. Unlike policy settings, which are enforced and
cannot be changed by the user, preferences write a default configuration that the
user can later modify (the preference is written again at the next refresh unless
the item is configured to apply only once). Preferences were introduced with
Windows Server 2008; Windows Vista, Windows XP and Windows Server 2003 clients
need the separately downloaded Group Policy Preferences client-side extensions
before they process them. They are used to configure things such as Open
Database Connectivity (ODBC) data sources, printers, and mapped drive letters.
Do not place credentials in preference items: the group policy template in
SYSVOL is readable by every authenticated user, and the password fields that
early preference editors offered were removed by security update MS14-025
because the stored value was only obfuscated, not protected.
To review or modify the settings in a GPO:
1. Open Group Policy Management.
2. Browse to the Group Policy Objects container.
3. To modify a GPO, right-click it, and then select Edit.
4. To review the settings in a GPO without opening the editor, select the GPO,
and then select the Settings tab. The report lists only the settings that are
actually configured.

Additional Reading
Windows Server Group Policy page on the TechNet Web site:
http://go.microsoft.com/fwlink/?LinkId=99449

Considerations for Group Policy Application

Key Points
Clients initiate Group Policy application by requesting GPOs from Active Directory
Domain Services (AD DS). When Group Policy is applied to a user or computer,
client-side components interpret each area of policy (registry-based settings,
security settings, software installation, scripts, and so on) and make the
appropriate environment changes. These components are known as Group Policy
client-side extensions (CSEs). As GPOs are processed, the Group Policy client
(the Group Policy Client service on Windows Vista and Windows Server 2008;
Winlogon on earlier versions) passes the list of GPOs that must be processed to
each CSE. Each extension then processes the parts of those GPOs that belong to
it, when applicable.
Consider the following:
Computer settings are processed when the computer starts. To apply new
computer settings immediately, you may need to restart the computer.
User settings are processed when a user logs on. To apply new user settings,
you may need to log off and log on again.
You can speed up Group Policy processing by disabling unnecessary parts of a
GPO. For example, if a GPO is linked to an organizational unit (OU)
that contains only user accounts, you can disable the computer portion of the
GPO.
Group policy objects are cached locally and refreshed at timed intervals. The
default configuration refreshes GPOs on workstations and member servers
every 90 minutes, plus a random offset of up to 30 minutes so that clients do
not all query the domain controllers at the same time. GPOs on domain
controllers are refreshed every 5 minutes. During a refresh, a client-side
extension normally reprocesses only GPOs whose version number has changed.
The security settings extension is the exception: it reapplies its settings
about every 16 hours even when nothing has changed, which is what undoes local
tampering with a security setting between changes. You can force a refresh by
running gpupdate; gpupdate /force reapplies all settings, not only the ones
that changed.
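The review steps from the earlier demonstration and the advice above to disable the unused half of a GPO, as an added PowerShell example that is not part of the course text. It needs the GroupPolicy module, which first shipped with Windows Server 2008 R2 and the Remote Server Administration Tools for Windows 7; Windows Server 2008 RTM has the GPMC snap-in but not these cmdlets. The GPO name 'Server Baseline' and the output folder are assumptions.

```powershell
# Added example, not from the course text. Needs the GroupPolicy module
# (Windows Server 2008 R2 / RSAT for Windows 7 or later). Names are assumptions.
Import-Module GroupPolicy

# Review one GPO: export a readable HTML report of only the configured settings.
function Export-GpoReviewReport {
    param([string]$GpoName = 'Server Baseline', [string]$OutDir = "$env:TEMP\gpo-review")
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $gpo  = Get-GPO -Name $GpoName
    $safe = $GpoName -replace '[\\/:*?"<>|]', '_'
    $path = Join-Path $OutDir "$safe.html"
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $path
    $path
}

# Audit every GPO in the domain: which side (Computer / User) actually holds
# settings? The XML report only contains an <ExtensionData> node under
# <Computer> or <User> when that side has at least one configured setting.
function Get-GpoSideUsage {
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        New-Object PSObject -Property @{
            Name            = $gpo.DisplayName
            Status          = $gpo.GpoStatus
            HasComputerData = ($report.GPO.Computer.ExtensionData -ne $null)
            HasUserData     = ($report.GPO.User.ExtensionData -ne $null)
        }
    }
}

# Disable the side of each GPO that is empty so clients stop evaluating it.
# Supports -WhatIf, so you can preview before touching anything. GPOs that are
# empty on both sides are left alone; review those by hand (they may be new).
function Disable-UnusedGpoSide {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($row in Get-GpoSideUsage) {
        if ($row.HasComputerData -eq $row.HasUserData) { continue }   # both used, or both empty
        $newStatus = if ($row.HasUserData) { 'ComputerSettingsDisabled' } else { 'UserSettingsDisabled' }
        if ($row.Status -eq $newStatus) { continue }
        if ($PSCmdlet.ShouldProcess($row.Name, "set GpoStatus to $newStatus")) {
            # GpoStatus is a writable property; assigning it updates the GPO in AD.
            (Get-GPO -Name $row.Name).GpoStatus = $newStatus
        }
    }
}

# Usage:
#   Export-GpoReviewReport -GpoName 'Server Baseline'
#   Get-GpoSideUsage | Format-Table Name, Status, HasComputerData, HasUserData -AutoSize
#   Disable-UnusedGpoSide -WhatIf     # preview
#   Disable-UnusedGpoSide             # apply
# Then, on a member server:  gpupdate /target:computer /force
# and confirm with:          gpresult /r /scope:computer
```

Run the audit from a domain controller or a management workstation with the module installed; the gpupdate and gpresult lines are typed on the client you want to verify.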

Group Policy Application Exceptions

Key Points
Typically, all settings from a GPO are applied during the startup and logon
process. However, there are exceptions that you need to plan for.
Slow Link Detection
If Group Policy detects a slow link, some client-side extensions do not process
their settings. By default, software installation and folder redirection are
skipped over a slow link, while registry-based (Administrative Template) and
security settings are always applied. The default slow link threshold is
500 kilobits per second (Kbps); both the threshold and the per-extension
behavior are configurable.
Slow link detection is useful for controlling how Group Policy is processed at
branch offices and for roaming users with a virtual private network (VPN)
connection. For example, you may not want to automatically install software over a
VPN connection.
Cached Credentials
When a Windows XP or Windows Vista computer cannot reach a domain controller,
a user may still log on by using cached credentials. The Group Policy settings
already cached on the computer still apply to this user. However, new or
changed settings are not applied until the computer reaches the domain and
downloads the updated GPOs. If this is a concern, you can set the security
setting Interactive logon: Number of previous logons to cache to 0 (the default
on these versions is 10); be aware that users are then unable to log on at all
when no domain controller is reachable.
Remote Access Connections
When a user logs on over a VPN connection, both user and computer settings are
downloaded, subject to slow link detection, but may not be applied immediately.
Most computer settings are not applied immediately because they are normally
applied before the user logs on. User settings are applied as part of the logon
process if the user initiates the VPN connection as part of the logon process.
If the user logs on to the computer first and then initiates the VPN
connection, Group Policy processing is performed in the background at the next
refresh.
Moved Computer or User Objects
When a computer or user object is moved in Active Directory, the new Group
Policy settings are not applied immediately. It can take up to 30 minutes for the
Group Policy client to pick up the new object location, and the GPOs linked to
the new location are then applied at the next refresh (90 minutes by default).
Run gpupdate on the computer, or restart it, when you need the change sooner.

For more information about Group Policy processing exceptions see
Controlling Client-Side Extensions by Using Group Policy on the TechNet
Web site at http://go.microsoft.com/fwlink/?LinkId=99452.
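The slow-link exception above, and the question every one of these exceptions raises ("which GPOs did this client actually skip, and why?"), as an added PowerShell example that is not part of the course text. Set-GpoSlowLinkThreshold needs the GroupPolicy module (Windows Server 2008 R2 or RSAT for Windows 7 and later). Get-GpoNotApplied runs on the client itself and needs Windows Vista or Windows Server 2008 or later, which is when the Group Policy operational event log appeared. The GPO name 'Remote Workers' is an assumption.

```powershell
# Added example, not from the course text. Assumes the GroupPolicy module
# (Windows Server 2008 R2 / RSAT for Windows 7 or later). Names are assumptions.
Import-Module GroupPolicy

$policyKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Raise the slow-link threshold from the 500 Kbps default for the computers
# this GPO covers. GroupPolicyMinTransferRate is the value written by the
# "Group Policy slow link detection" setting (Computer Configuration\Policies\
# Administrative Templates\System\Group Policy). 0 disables detection, which
# means every link counts as fast and software installs run over the VPN.
function Set-GpoSlowLinkThreshold {
    param([string]$GpoName = 'Remote Workers', [int]$Kbps = 1000)
    if ($Kbps -lt 0) { throw 'Kbps must be 0 (disable detection) or a positive number' }
    Set-GPRegistryValue -Name $GpoName -Key $policyKey -ValueName 'GroupPolicyMinTransferRate' `
        -Type DWord -Value $Kbps | Out-Null
    # Read it back so the caller sees what the GPO will actually deliver.
    (Get-GPRegistryValue -Name $GpoName -Key $policyKey -ValueName 'GroupPolicyMinTransferRate').Value
}

# On a client, list the GPOs that the most recent processing cycles did NOT
# apply, with the reason Windows recorded for each (denied by security
# filtering, WMI filter, empty GPO, disabled link, ...). In the same log,
# event 5312 is the list that was applied and 5313 the list that was not.
function Get-GpoNotApplied {
    param([int]$MaxEvents = 5)
    Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' `
        -FilterXPath '*[System[EventID=5313]]' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Details = $_.Message
            }
        }
}

# A slow link does not put a GPO into event 5313: the GPO still counts as
# applied, only some extensions skip their part of it. gpresult /r prints the
# slow-link threshold/state line per scope, which is the quick check. Computer
# scope needs an elevated prompt on Windows Vista and later.
function Get-GpoSlowLinkState {
    param([string]$Computer = $env:COMPUTERNAME)
    gpresult /s $Computer /r /scope:computer | Select-String 'slow link'
}

# Usage (domain controller or admin workstation):
#   Set-GpoSlowLinkThreshold -GpoName 'Remote Workers' -Kbps 1000
# Usage (on the client, after gpupdate):
#   Get-GpoNotApplied | Format-List Time, Details
#   Get-GpoSlowLinkState
```

Read event 5313 before changing thresholds or filters: it states the reason per GPO, so it separates a security-filtering mistake from a slow-link decision or a simply empty GPO.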

New Group Policy Features in Windows Server 2008

Key Points
The new features in Group Policy enhance functionality of Group Policy and make
it easier to manage.
New Policies
If you are using Windows Vista as a desktop operating system, there are several
new categories of settings in Group Policy.
Power management settings. You can centrally control power management
for Windows Vista computers. This can be used to save money by putting
computers to sleep at night when they are not in use.
Blocking device installation. You can control the use of removable storage
devices. This allows you to prevent users from removing corporate data on
USB storage devices.
Firewall and IPSec settings. The settings for Windows Firewall and IPSec are
now combined. This reduces confusion where settings could potentially
conflict.
Internet Explorer settings. The way Microsoft Internet Explorer settings are
applied has been modified to reduce the risk of unexpected behavior when
combined with local settings.
Location-based printing. You can now assign printers to users based on
location. This allows roaming users to have the correct printers for the location
they are in. For example, a laptop user would have one set of printers in the
head office and another set of printers when at a branch office.
Delegation of printer driver installation. There is now a setting to enable
non-administrators to install new printer drivers. This is important for roaming
users that may need to install a printer driver at a client site.


Note: Windows 7 also includes these categories of settings.
ADMX Templates
The administrative templates in previous versions of Windows were ADM files.
You have the option to replace these with ADMX files in Windows Server 2008.
The main benefits are easier editing, multi-language support, and greater efficiency.

Note: More information about ADMX files is provided in the topic Administering Group
Policy Objects.
Network Location Awareness
Windows Vista includes Network Location Awareness to accurately determine
network conditions. Group Policy uses this information to determine appropriate
actions. For example, if there is no connectivity to a domain controller, Group
Policy will not wait to time out, resulting in a faster startup.
The two primary scenarios where this is a benefit are:
Connecting over VPNs. A background refresh of Group Policy is initiated
when users connect to the VPN.
Processing Group Policy through a firewall. If a firewall blocks ICMP
packets, Network Location Awareness still functions, because bandwidth is
estimated from the network interface rather than from ping round trips. Slow
link detection in Windows XP required ICMP packets to reach a domain controller.


For more information about new features in Windows Server 2008
Group Policy see the Group Policy page in the TechNet Web site
http://go.microsoft.com/fwlink/?LinkID=164082&clcid=0x409.

Lesson 2
Planning Group Policy Processing

Group Policy objects are processed primarily based on where the GPO is linked in
Active Directory. However, additional options modify the default processing.
Filtering lets you control Group Policy processing based on the group
membership of users or computers, or on Windows Management Instrumentation
(WMI) queries run on computers. You can block group policy inheritance to stop
settings linked higher in the hierarchy from being applied to lower OUs.
Alternatively, you can enforce a GPO link to ensure that its settings are
applied to all users or computers beneath it. Loopback processing applies user
settings based on the computer the user logs on at.
Objectives
After completing this lesson, you will be able to:
Describe the considerations for Active Directory structure.
Describe the considerations for using filtering.
Describe the considerations for modifying inheritance.
Describe the considerations for using loopback processing.
Considerations for Active Directory Structure

Key Points
GPOs can be created and linked to several locations. The GPOs are processed in a
specific order, with the last-processed GPO having the highest precedence. When
two GPOs configure the same setting, the value from the GPO with the highest
precedence takes effect; a setting configured in only one GPO is unaffected.
The processing order is: local group policy, site-level GPOs, domain-level
GPOs, first-level organizational unit GPOs, second-level organizational unit
GPOs, and so on down to the OU that contains the object (often abbreviated
LSDOU).
When planning the Active Directory structure, keep the following GPO
considerations in mind:
Local group policy is typically only used when a setting needs to be applied to
only a single computer such as a kiosk.
Site level GPOs are useful for enforcing policies at a single physical location
that has multiple domains. Also, software distribution can be performed at the
site level to ensure that a local source is used for the installation. In general,
Microsoft recommends linking GPOs to domains and OUs rather than sites.
A site-linked GPO exists in only one domain. If the GPO is being applied to
users or computers in another domain, it may slow down Group Policy
processing.
Domain-level GPOs are useful for applying standardized settings to an entire
domain. Also, there are some settings such as password polices that must be
configured at the domain level.

Note: Windows Server 2008 introduces fine-grained password polices that allow you to
configure password policies for groups of users rather than the entire domain.
Organizational unit GPOs are useful for applying standardized settings to
workgroups.
Create your OU structure to support group policy. For example create OUs for
various workgroups or classes of users to support applying different policies to
each workgroup. The same applies to computer objects.
When multiple GPOs are linked at the same level, you can configure a priority
level for each GPO. The GPO with the lowest link order has the highest
precedence.
GPOs cannot be linked to the default Users or Computers containers. Only
GPOs linked at the domain level apply to users and computers in those
containers. Move user and computer objects into OUs to provide more
flexibility, and use redirusr.exe and redircmp.exe (available at the
Windows Server 2003 domain functional level or higher) so that newly created
objects land in an OU of your choosing instead of the default containers.
Multiple local GPOs (Windows Vista and later) are evaluated from local group
membership: the Administrators and Non-Administrators local GPOs apply to any
user who logs on, domain or local, based on membership in the local
Administrators group, while user-specific local GPOs exist only for local
user accounts. They are typically used when a local user logs on, for example
a kiosk computer where users do not log on to the Active Directory domain and
you want to differentiate between the user settings applied to standard users
and the local Administrator.


For more information about group policy processing, see group
policy processing and precedence on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=99456.
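The processing order and link-order rules above, as an added PowerShell example that is not part of the course text: it prints the effective order for one OU and moves a GPO to the top of its level. It needs the GroupPolicy module (Windows Server 2008 R2 or RSAT for Windows 7 and later); the OU and GPO names are assumptions. Get-GPInheritance only walks the domain and OU hierarchy, so site-linked GPOs and the local GPO are not in its output; check sites under Sites in GPMC, or run gpresult on a computer in the site.

```powershell
# Added example, not from the course text. Assumes the GroupPolicy module
# (Windows Server 2008 R2 / RSAT for Windows 7 or later); names are assumptions.
Import-Module GroupPolicy

# Every GPO that reaches a domain or OU, from the domain down to the target,
# in precedence order. Get-GPInheritance returns InheritedGpoLinks sorted so
# that the first entry has the highest precedence, i.e. it is linked closest
# to the target (or enforced from above) and is processed last. Site links and
# the local GPO are outside the container hierarchy and are not listed.
function Get-EffectiveGpoOrder {
    param([string]$Target = 'OU=Member Servers,DC=contoso,DC=com')
    $inh  = Get-GPInheritance -Target $Target
    $rank = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $rank++
        New-Object PSObject -Property @{
            Precedence = $rank
            GPO        = $link.DisplayName
            LinkedAt   = $link.Target
            Enforced   = $link.Enforced
            Enabled    = $link.Enabled
        }
    }
}

# Among GPOs linked at the same container, link order 1 is processed last and
# wins on conflicts. Move a GPO to the top and show the resulting order.
function Set-GpoLinkFirst {
    param([string]$GpoName, [string]$Target)
    Set-GPLink -Name $GpoName -Target $Target -Order 1 | Out-Null
    (Get-GPInheritance -Target $Target).GpoLinks |
        Sort-Object Order |
        Select-Object Order, DisplayName, Enforced, Enabled
}

# Usage:
#   Get-EffectiveGpoOrder | Sort-Object Precedence |
#       Format-Table Precedence, GPO, LinkedAt, Enforced, Enabled -AutoSize
#   Set-GpoLinkFirst -GpoName 'Server Baseline' -Target 'OU=Member Servers,DC=contoso,DC=com'
```

Compare the output of Get-EffectiveGpoOrder with what gpresult /r reports on a computer in that OU; any GPO present in one list and missing from the other points at a site link, a filter, or a replication problem rather than at the link order.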

Considerations for Using Filtering

Key Points
There are two ways in which filtering can be applied to group policy processing.
Security filtering controls which GPOs are processed based on the membership
of users or computers in security groups. WMI filters control GPO processing
based on the result of WMI queries run on the computer. WMI queries can
return most hardware and software configuration information.
When using filtering, consider the following:
The use of security filtering can simplify OU planning for a domain. For
example, you can create an OU for the accounting department with one
generic GPO for all users and then have additional GPOs filtered by security
group membership for workgroups such as payables within the accounting
department.
The use of WMI filtering can ensure that new software is installed only to
appropriate computers. For example, a new application could be provided
only to computers with a specific amount of memory or a specific operating
system.
Filtering is performed for each GPO. If a GPO is linked to multiple levels or
OUs, the filters apply to all links. This allows filtering to be centrally
controlled.

Security Filtering
Security filtering works because each GPO has an access control list (ACL).
The ACL contains access control entries for different security principals. For
a GPO to be applied to a user or computer in a container where the GPO is
linked, that security principal (directly or through group membership)
requires at a minimum the following permissions:
Allow Read
Allow Apply Group Policy

By default, the Authenticated Users group has both permissions, so every user
and computer in scope receives a linked GPO. By removing Apply Group Policy
from Authenticated Users and granting it to a narrower group, or by explicitly
denying Apply Group Policy to a group, you control which users, groups, or
computers actually receive the GPO settings. Prefer narrowing the Allow to
adding Deny entries: a Deny wins over every Allow and is easy to overlook
later. Leave Authenticated Users with Read even when you remove Apply Group
Policy: since security update MS16-072 (June 2016), a client retrieves user
policy in the computer's security context, and a GPO that the computer account
cannot read is not applied to the user.
WMI Filtering
WMI is a set of technologies for managing Windows-based environments. WMI
provides access to properties of almost every hardware and software object in the
computing environment. A WMI filter is a query in the WMI Query Language (WQL);
the GPO is applied only if the query returns at least one object. For example, a
WMI query could check for a minimum amount of RAM, or a specific service pack,
to determine whether a group policy should be applied. You must be a member of
the Domain Admins, Enterprise Admins, or Group Policy Creator Owners group to
create WMI filters in the domain. Keep filters simple and fast: every filter
attached to a GPO in scope is evaluated at every refresh, so a slow query
delays startup and logon. Windows 2000 clients cannot evaluate WMI filters and
apply the GPO as if no filter were present.

For more information about security filtering, see Security filtering using
GPMC on the TechNet Web site at http://go.microsoft.com/fwlink
/?LinkID=164084&clcid=0x409.

For more information about WMI filtering, see WMI filtering using
GPMC on the TechNet Web site at http://go.microsoft.com/fwlink
/?LinkID=164152&clcid=0x409.

Considerations for Modifying Inheritance

Key Points
You have the option to modify the default group policy processing by blocking
inheritance and enforcing the application of specific GPOs. Blocking
inheritance on a domain or OU prevents it from automatically inheriting GPOs
linked to higher sites, domains, or organizational units. Enforcing a link
makes the linked GPO win over GPOs linked lower in the hierarchy and prevents
blocked inheritance from stopping it.
When modifying inheritance, keep in mind the following key points:
Blocking inheritance is not selective. You cannot select specific policies to
block; blocking inheritance blocks every non-enforced policy from above. To
reapply specific settings below the point of blocked inheritance, link a GPO
with those settings at or below that point. This can be a new GPO with the
required settings or an existing GPO that is also linked elsewhere. Settings
that you usually want to reapply after blocking inheritance include security
configuration and software distribution.
Use enforcement to enforce organization-wide standards. If you link a GPO at
the domain level and enforce it, administrators with delegated authority over
OUs cannot block it or override its settings with their own GPOs. This is
appropriate for settings that have been centrally determined, such as security
settings.
Enforcement does not override filtering. Filtering (security or WMI) is a
property of the GPO, while enforcement is a property of a link. A user or
computer that the filter excludes does not receive the GPO even through an
enforced link. Be careful when applying filtering to a GPO that is enforced
anywhere, because you may exempt more than you intended. Conversely, filtering
is the supported way to exempt a specific group of users or computers from an
enforced GPO. Check the effective result with Group Policy Modeling or gpresult
rather than reasoning from the link settings alone.

For more information about modifying inheritance, see
Managing inheritance of group policy on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=164153&clcid=0x409.

Considerations for Using Loopback Processing

Key Points
User policy settings are normally derived entirely from the GPOs associated with
the user account, based on its AD DS location. However, loopback processing
directs the system to apply the user settings from the GPOs that apply to the
computer to any user who logs on to a computer affected by this policy.
When planning for loopback processing, consider the following:
Loopback processing is typically enabled for special use computers where you
want different user settings to apply based on the computer that the user is
logged on at. For example, a computer used to run manufacturing equipment
may have more restrictive user settings in place.
When you want to apply additional restrictions to users based on the
computer they are logging on at, use merge mode. Merge mode applies the user
settings from the user's own GPOs first, and then the user settings from the
GPOs that apply to the computer; where the two conflict, the computer's GPOs
win because they are applied last.
When you want all users to have consistent user settings, use replace mode.
Replace mode ignores the user's own GPOs entirely and applies only the user
settings from the GPOs that apply to the computer.
When you want to apply less restrictive settings to users based on the
computer they log on at, use replace mode. Merge mode can only add to or
override settings; anything configured in the user's own GPOs that the
computer's GPOs leave unconfigured still applies. For example, in a training
room, you could have less restrictive policies than on the standard office
computers: the computers in the training room would have user policy settings
that are less restrictive, applied in replace mode.
Use loopback processing to secure Terminal Servers. In most cases, you want
users to have a different, more locked-down configuration when connecting to a
terminal server than on a regular office computer, and replace mode keeps the
user's desktop GPOs (drive mappings, desktop customization, user-targeted
software) from being applied on the shared server.

For more information about loopback processing, see Loopback
processing with merge or replace on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=164209&clcid=0x409.

Demonstration: Modifying Group Policy Processing

All group policy management is performed by using the Group Policy Management
Console (GPMC). The steps for individual tasks vary.
To enforce a policy:
Right-click the policy link and select Enforced.

To block policy inheritance:
Right-click the OU and select Block Inheritance.

To perform security filtering on a policy:
1. Select the GPO and view its Scope tab.
2. Under Security Filtering, modify the list of users, groups, and computers
that apply the GPO.

To perform WMI filtering on a policy:
1. Create a WMI filter in the WMI Filters container.
2. Select the WMI filter on the Scope tab of the GPO.

To enable loopback processing:
1. Edit the GPO.
2. Set Computer Configuration\Policies\Administrative Templates
\System\Group Policy\User Group Policy loopback processing mode to
Enabled.
3. Select Replace or Merge Mode.
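The security filtering, inheritance and loopback considerations from this lesson, and the Group Policy Management Console steps in this demonstration, carried out together in one added PowerShell example that is not part of the course text: locking down a terminal server OU. It needs the GroupPolicy module (Windows Server 2008 R2 or RSAT for Windows 7 and later; Windows Server 2008 RTM has only the GPMC snap-in). The domain, OU, GPO and group names are assumptions; the security groups 'TS Users' (accounts allowed on the servers) and 'TS Servers' (the server computer accounts) are assumed to exist already. WMI filters are left out because the module has no cmdlet for creating them.

```powershell
# Added example, not from the course text. Assumes the GroupPolicy module
# (Windows Server 2008 R2 / RSAT for Windows 7 or later). Every name below is
# an assumption; 'TS Users' and 'TS Servers' are existing security groups.
Import-Module GroupPolicy

$domainDn   = 'DC=contoso,DC=com'
$tsOu       = "OU=Terminal Servers,$domainDn"
$gpoName    = 'TS Lockdown'
$usersGroup = 'TS Users'     # users allowed to log on to the terminal servers
$hostsGroup = 'TS Servers'   # the terminal server computer accounts
$sysKey     = 'HKLM\Software\Policies\Microsoft\Windows\System'

# 1. Create the GPO if needed and link it to the OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $tsOu).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) { New-GPLink -Name $gpoName -Target $tsOu -LinkEnabled Yes | Out-Null }

# 2. Loopback, Replace mode: whoever logs on gets the user settings of the
#    GPOs that apply to the server and none from their own OU. UserPolicyMode
#    is the value that "User Group Policy loopback processing mode" writes:
#    1 = Merge, 2 = Replace. Loopback is a computer setting, so the servers
#    themselves must be able to apply this GPO (see step 3).
Set-GPRegistryValue -Name $gpoName -Key $sysKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# 3. Security filtering. Authenticated Users keeps Read but loses Apply Group
#    Policy (-Replace swaps the permission level instead of merging it). Keep
#    the Read: since MS16-072 (June 2016) user policy is retrieved in the
#    computer's security context, and a GPO the computer cannot read is not
#    applied. Apply goes only to the allowed users and the servers.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $usersGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName $hostsGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Enforce the link, so a delegated admin cannot block or out-rank it from a
#    child OU, and block inheritance on the OU, so only enforced GPOs from
#    above plus this OU's own links reach the servers. Anything you still need
#    from the domain level (your security baseline, for instance) must be
#    enforced there or linked here as well.
Set-GPLink -Name $gpoName -Target $tsOu -Enforced Yes | Out-Null
Set-GPInheritance -Target $tsOu -IsBlocked Yes | Out-Null

# 5. Read back what the servers will actually process, in precedence order.
function Get-TsOuPolicyState {
    $inh = Get-GPInheritance -Target $tsOu
    New-Object PSObject -Property @{
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        EffectiveGpos      = @($inh.InheritedGpoLinks |
            ForEach-Object { "$($_.DisplayName) [enforced=$($_.Enforced)] from $($_.Target)" })
        Permissions        = @(Get-GPPermission -Name $gpoName -All |
            ForEach-Object { "$($_.Trustee.Name): $($_.Permission)" })
        LoopbackMode       = (Get-GPRegistryValue -Name $gpoName -Key $sysKey -ValueName 'UserPolicyMode').Value
    }
}
Get-TsOuPolicyState | Format-List InheritanceBlocked, EffectiveGpos, Permissions, LoopbackMode
```

Verify on one of the servers with gpresult /r after a gpupdate: the computer section should list TS Lockdown among the applied GPOs, and a user who is not a member of TS Users should see it under the GPOs that were not applied with the reason Denied (Security). The order of steps matters in one place: apply the security filtering (step 3) before you rely on the link, otherwise every authenticated user on the server receives the lockdown during the window in between.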

Lesson 3
Planning the Management of Group Policy
Objects

There are a variety of options available when you are managing GPOs. You need to
consider whether you should introduce ADMX templates for group policy settings
or continue using ADM templates. You also have the option to use starter GPOs as
a base for building new GPOs. You must determine whether you will link GPOs to
multiple locations or create multiple GPOs. To ensure that you can recover GPOs if
necessary, you also need to consider how GPOs will be backed up. Finally, you can
delegate the management of GPOs in several ways.
Objectives
After completing this lesson, you will be able to:
Describe the considerations for administering GPOs.
Describe starter GPOs.
Describe the considerations for reusing or copying GPOs.
Describe the considerations for backing up and restoring GPOs.
Describe the considerations for delegating GPO management.

Considerations for Administering Group Policy Objects

Key Points
When administering group policy objects, consider the following:
The tool for administering GPOs is the Group Policy Management Console
(GPMC). This tool is included as a feature in Windows Server 2008. You can
install GPMC on Windows Vista SP1 by downloading and installing the
Remote Server Administration Tools.
A GPO is composed of a group policy container and group policy template.
The group policy container is stored in Active Directory. The group policy
template is stored in the SYSVOL share on domain controllers.
When a new GPO is created or changed, the change must replicate to the other domain controllers. Until replication completes, clients that contact different domain controllers may receive different versions of the GPO. Application of GPOs is also inconsistent when Active Directory replication or SYSVOL replication (FRS, or DFS Replication in a Windows Server 2008 domain) is failing, because the group policy container and the group policy template are replicated separately and can get out of step with each other.
The new ADMX format for Administrative Templates reduces the overall size of a GPO by up to 4 MB, because ADMX files are never copied into each GPO's folder in SYSVOL as ADM files were; the editor reads them from the local PolicyDefinitions folder or from a central store. This makes group policy processing faster, reduces the size of SYSVOL, and reduces the network traffic generated by replication of SYSVOL between domain controllers.
You should create a central store for ADMX files in the Policies folder of SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions). It is not created automatically during installation. When the central store exists, the Group Policy editor on Windows Vista and Windows Server 2008 reads ADMX files from it instead of from the local PolicyDefinitions folder, so you no longer need identical copies of the ADMX files on every computer from which GPOs are edited.
ADMX files are easier to extend than ADM files because ADMX files are XML
files. This allows you to add new settings into a group policy. The new settings
can be used to set registry keys that control an application.
Only the Group Policy editor on Windows Vista and Windows Server 2008 can read ADMX files. The registry-based settings they define still apply to down-level clients such as Windows XP and Windows Server 2003; the restriction is on the computer from which you edit GPOs. If you must edit GPOs from a down-level computer, you need ADM templates for that computer.
You can migrate customized ADM files to ADMX format by using the ADMX
Migrator.
When you are troubleshooting the application of group policy settings, use the Group Policy Results Wizard in GPMC or GPResult.exe (on Windows Vista and Windows Server 2008, gpresult /h report.html produces the same HTML report). These display the settings actually applied to a user or computer, together with the GPOs that were denied and the reason for each denial.
When you are planning the implementation of group policy, use the Group
Policy Modeling Wizard in GPMC. This allows you to view the effects of
changing site membership, security group membership, WMI filters, slow
links, loopback processing, and the movement of user and computer objects to
a new OU.

For more information about ADMX files see Managing Group Policy
ADMX Files Step-by-Step Guide on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=99453.

For more information about how to create a central store for ADMX
files see How to create a Central Store for Group Policy Administrative
Templates in Windows Vista on the Microsoft Help and Support Web site
at http://go.microsoft.com/fwlink/?LinkID=164210&clcid=0x409.
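The central store and the replication check described above, as an added PowerShell example that is not part of the course material. It assumes you run it as a Domain Admin on a Windows Vista SP1 or Windows Server 2008 computer whose local PolicyDefinitions folder holds the ADMX and ADML files you want to publish; the domain name is taken from the environment.

```powershell
# Added example, not part of the course text. Creates the ADMX central store for
# the current domain and checks that it has replicated to every domain controller.
# Assumptions: run as a Domain Admin on a Windows Vista SP1 / Windows Server 2008
# computer whose local PolicyDefinitions folder holds the ADMX files to publish.
$domain       = $env:USERDNSDOMAIN
$source       = Join-Path $env:SystemRoot 'PolicyDefinitions'
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $source)) { throw "No PolicyDefinitions folder at $source" }
if (-not (Test-Path $centralStore)) {
    New-Item -ItemType Directory -Path $centralStore | Out-Null
}

# Copy the .admx files and the language subfolders (en-US, es-ES, ...).
# -Force lets a newer set of definitions replace an older one.
Copy-Item -Path (Join-Path $source '*') -Destination $centralStore -Recurse -Force

# Every .admx needs a matching .adml in at least one language folder, or the
# Group Policy editor cannot display its settings.
$admx = @(Get-ChildItem $centralStore -Filter *.admx)
$adml = @(Get-ChildItem $centralStore -Recurse -Filter *.adml)
$missing = $admx | Where-Object {
    $name = $_.BaseName
    -not ($adml | Where-Object { $_.BaseName -eq $name })
}
"{0} ADMX and {1} ADML files in {2}" -f $admx.Count, $adml.Count, $centralStore
if ($missing) {
    "ADMX files without an ADML: " + (($missing | ForEach-Object { $_.BaseName }) -join ', ')
}

# Editors only benefit once SYSVOL replication has carried the store to the DC
# that GPMC connects to, so check each DC rather than assume.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
foreach ($dc in $dcs) {
    $path  = "\\$($dc.Name)\SYSVOL\$domain\Policies\PolicyDefinitions"
    $state = if (Test-Path $path) { 'present' } else { 'NOT yet replicated' }
    "{0}: central store {1}" -f $dc.Name, $state
}

# While troubleshooting, capture what a client actually applied (run on the client):
# gpresult /h "$env:TEMP\rsop.html"    # HTML report on Windows Vista / Windows Server 2008
```

Run the script once from the computer with the newest operating system in the domain, then rerun only the replication loop until every domain controller reports the store as present before telling administrators to edit GPOs against it.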

What Are Starter GPOs?

Key Points
Starter GPOs store a collection of Administrative Template policy settings in a
single object. Starter GPOs only contain Administrative Templates. When you
create a new GPO from a starter GPO, the new GPO has all the Administrative
Template settings that the starter GPO defined. In this way, starter GPOs act as
templates for creating GPOs.
The GPMC stores starter GPOs in a folder named StarterGPOs, which is located in
SYSVOL. Individual starter GPOs can be exported into .cab files for easy
distribution. You then can import these .cab files back into the GPMC.
Scenarios for using starter GPOs:
Use starter GPOs to standardize GPO creation. For example, the starter GPOs
could contain standardized organizational settings. Delegated administrators
for OUs could create their own GPOs by copying the starter GPOs and adding
their own settings.
Use starter GPOs to move GPOs easily between domains. You can export
a starter GPO as a .cab file and then import into another domain. In a
multidomain environment, this simplifies standardization between domains.
Use starter GPOs to distribute customized settings to partners. For example, a software vendor could create a starter GPO with recommended settings for its software. Customers could import the .cab file into their own GPMC and create GPOs from it for the servers or workstations running that software.

Considerations for Reusing or Copying GPOs

Key Points
When you create a GPO, it is stored as part of the domain structure. Some data is
stored in Active Directory and some data is stored in the SYSVOL share. That
content is then replicated to all domain controllers in the domain. To apply a GPO
to a domain or OU, you link the GPO to a domain or OU. You can link a single
GPO to multiple locations.
When considering reusing or copying GPOs, keep the following points in mind:
When you link a single GPO to multiple locations, it allows you to centrally
control the GPO. When the GPO is updated with new settings, the new
settings are applied to all users or computers affected by the GPO.
If a single GPO is linked to multiple locations, you should carefully control
which administrators have permissions to modify the GPO. A departmental
administrator could modify the central GPO while thinking that he was only
modifying settings for a single OU.
When you have multiple copies of a GPO, it can be difficult to synchronize the
settings between them.
To simplify administration, use a single GPO linked to multiple locations for
common settings. Use individual GPOs linked to an OU to apply unique
settings.

Considerations for Backing Up and Restoring GPOs

Key Points
When backing up and restoring GPOs, consider the following:
GPOs are backed up as part of a system state backup on a domain controller.
However, it is difficult to recover a GPO from a system state backup.
You can create a GPO backup at anytime by using the GPMC. GPMC allows
you to backup one or all GPOs. It is a good idea to back up GPOs before
making changes.
You can use scripts to schedule GPO backups, so that a current backup is always available as files that can be restored if required. The sample script BackupAllGPOs.wsf backs up every GPO in the domain; it is located in C:\Program Files\GPMC\Scripts (on Windows Server 2008 the GPMC sample scripts are a separate download, so check the path on your installation).
Only Read permission on a GPO is required to back it up, so backups can be delegated to an account that cannot edit or link policies. Protect the backup location itself: the backup files contain the complete settings and are as sensitive as the GPOs.
A starter GPO is not useful as a backup. A GPO backup contains all GPO
settings, not just administrative templates. This differentiates them from starter
GPOs.
To recover a GPO together with its security descriptor (security filtering and delegation) and its WMI filter link, restore it from backup. A restore puts back the original GPO, in the same domain and with the same GUID. However, restoring does not recover or modify links: the links to sites, the domain and OUs, and the enforcement and link-enabled flags configured on those links, must be recreated by hand or by script.
To recover only the GPO settings, import them from backup into a new or existing GPO. Import does not change the target GPO's security attributes, WMI filter or links, and it can also be used across domains (with a migration table to translate domain-specific security principals and UNC paths). In most cases, you only need to recover settings and not security attributes.
After a GPO has been restored or settings have been imported from backup,
the changes must be replicated to other domain controllers before they are
effective for all users.
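A scheduled backup and the two recovery paths above (restore versus import), as an added PowerShell example that is not part of the course material. It uses the GroupPolicy module cmdlets, which ship with GPMC on Windows Server 2008 R2 and the matching Remote Server Administration Tools; a Windows Server 2008 GPMC uses the BackupAllGPOs.wsf sample script instead (shown in the final comment). The share name and GPO names are assumptions.

```powershell
# Added example, not from the course. Backs up every GPO to a dated folder, then
# shows the two recovery paths the lesson distinguishes. Requires the GroupPolicy
# module (Windows Server 2008 R2 GPMC / RSAT). Share and GPO names are assumed.
Import-Module GroupPolicy

$root = '\\fileserver\GPOBackups'          # assumed share; restrict NTFS access to GPO admins
$dest = Join-Path $root (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $dest | Out-Null

# Backup-GPO -All needs only Read on each GPO, so this can run under a
# low-privilege service account that cannot edit, link or delete policies.
$backups = @(Backup-GPO -All -Path $dest -Comment "Scheduled backup $(Get-Date -Format s)")
"{0} GPOs backed up to {1}" -f $backups.Count, $dest

# Index file: maps each backup ID back to the GPO name and GUID for later recovery.
$backups | Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv (Join-Path $dest 'index.csv') -NoTypeInformation

# Recovery path 1: restore. Same domain, same GPO GUID. Brings back the settings,
# the ACL (security filtering and delegation) and the WMI filter link, but does
# NOT recreate links to OUs or the Enforced flag set on those links.
function Restore-GpoFromBackup([string]$GpoName, [string]$BackupPath) {
    Restore-GPO -Name $GpoName -Path $BackupPath   # uses the newest backup of that GPO in the folder
}

# Recovery path 2: import. Settings only, into any GPO, even in another domain.
# The target keeps its own ACL, WMI filter and links. Add -MigrationTable when
# crossing domains to remap domain-specific SIDs and UNC paths.
function Import-GpoSettings([string]$TargetGpo, [string]$SourceGpo, [string]$BackupPath) {
    $existing = Get-GPO -All | Where-Object { $_.DisplayName -eq $TargetGpo }
    if (-not $existing) { New-GPO -Name $TargetGpo | Out-Null }
    Import-GPO -BackupGpoName $SourceGpo -TargetName $TargetGpo -Path $BackupPath
}

# Example calls (assumed GPO names):
# Restore-GpoFromBackup -GpoName 'Sales Baseline' -BackupPath $dest
# Import-GpoSettings -TargetGpo 'Sales Baseline (test)' -SourceGpo 'Sales Baseline' -BackupPath $dest

# Windows Server 2008 GPMC equivalent with the sample scripts (use the path where you installed them):
# cscript "C:\Program Files\GPMC\Scripts\BackupAllGPOs.wsf" "\\fileserver\GPOBackups\2010-04-09" /comment:"Scheduled backup"
```

After either recovery path, re-check the links with the GPMC or Get-GPInheritance on the affected OUs, because neither cmdlet touches them, and remember that the recovered GPO still has to replicate to the other domain controllers before every client sees it.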

Considerations for Delegating Management of GPOs

Key Points
When delegating management of GPOs, consider the following:
By default, only members of Domain Admins and Group Policy Creator
Owners are able to create GPOs. In most cases, you will want to delegate the
creation of GPOs without making users a member of Domain Admins.
You can delegate permission to create GPOs in a domain by making users a
member of the Group Policy Creator Owners group. Also, you can delegate
this permission from within GPMC at the Group Policy Objects folder.
By default, only members of Domain Admins, Enterprise Admins, and the
domain local Administrators can link GPOs with the domain or an OU. In
most cases, you will want to delegate the linking of GPOs without making
users a member of these groups.
You can delegate permission to link GPOs to domains and OUs within the
GPMC at the domain or OU. This is useful to allow departmental
administrators to link GPOs to their own OU.
By default, only members of Domain Admins and Enterprise Admins, together with the user or group that created a particular GPO, can edit, delete, and modify security on that GPO. However, you can delegate these permissions for specific GPOs. This can be useful for a departmental administrator who needs to manage the GPOs linked to the OUs for his department. Grant Edit settings rather than Edit settings, delete, modify security unless the administrator must also manage the GPO's permissions, because the latter lets the holder widen access to the GPO.
You can delegate permission to use Group Policy Modeling and Group Policy
Results for individual OUs or the domain in GPMC. This is useful for
performing troubleshooting by using an account with lower permissions than
an administrative account. By using an account with lower permissions for
troubleshooting, you avoid the risk of accidentally modifying a GPO.
In addition to using GPMC, you can also delegate permissions for managing
GPOs by using Active Directory Users and Computers. However, using GPMC
simplifies the process.

For more information about delegating management of GPOs,
see Delegating Group Policy on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=99467.
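The delegation model described in this topic, together with the starter-GPO and single-GPO-with-multiple-links practices from the two earlier topics, as one added PowerShell example that is not part of the course material. It requires the GroupPolicy module (Windows Server 2008 R2 GPMC or the matching RSAT) and dsacls.exe; the domain, OU, starter GPO and group names are assumptions.

```powershell
# Added example, not from the course. Builds the delegation the lesson describes
# for one department: a GPO created from a starter GPO, linked to two OUs,
# editable by a departmental group, with link rights granted on that group's OU
# only. Requires the GroupPolicy module and dsacls.exe. Names are assumptions.
Import-Module GroupPolicy

$domainDN    = 'DC=contoso,DC=com'
$salesOU     = "OU=Sales,$domainDN"
$salesNaOU   = "OU=Sales-NA,$domainDN"
$editorGroup = 'Sales GP Admins'            # group that edits Sales GPOs
$linkers     = 'CONTOSO\Sales GP Admins'    # same group, allowed to link GPOs under OU=Sales

# 1. Standardise creation: seed the new GPO from the organisation's starter GPO.
$starter = Get-GPStarterGPO -Name 'Corp Baseline Starter'
$gpo     = New-GPO -Name 'Sales Baseline' -StarterGpoName $starter.DisplayName `
                   -Comment 'Created from Corp Baseline Starter'

# 2. One GPO, several links: a change to 'Sales Baseline' reaches both OUs at once,
# so only the editors of this one GPO need to be trusted for both.
New-GPLink -Name $gpo.DisplayName -Target $salesOU   -LinkEnabled Yes | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $salesNaOU -LinkEnabled Yes | Out-Null

# 3. Edit rights on this GPO only. GpoEdit = read and write settings; it does not
# allow deleting the GPO or changing its permissions. Reserve
# GpoEditDeleteModifySecurity for the owners of the GPO.
# (Plural cmdlet names are the 2008 R2 spelling; later versions keep them as aliases.)
Set-GPPermissions -Name $gpo.DisplayName -TargetName $editorGroup -TargetType Group `
                  -PermissionLevel GpoEdit | Out-Null

# 4. Link rights on the OU. GPMC's "Link GPOs" delegation is Read/Write on the
# gPLink and gPOptions attributes of the container; grant exactly that, nothing more.
dsacls $salesOU /G "${linkers}:RPWP;gPLink"
dsacls $salesOU /G "${linkers}:RPWP;gPOptions"

# 5. Audit: who can do what to the GPO, and where it is linked.
Get-GPPermissions -Name $gpo.DisplayName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
(Get-GPInheritance -Target $salesOU).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

The dsacls step is what GPMC performs behind the Link GPOs check box on the Delegation tab of the OU; granting it on OU=Sales only means the group cannot link GPOs at the domain or to other departments' OUs, which is the boundary the lesson is asking you to plan.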

Discussion: Managing Group Policy

Key Points
Question: Who is responsible for managing group policy in your organization?
Question: Does your organization back up GPOs?
Question: Does your organization have a need to standardize GPOs by using
starter policies?

Lesson 4
Planning the Management of Client Computers

Centralized management of client computers is a requirement in all but the
smallest computer networks. Group policy is one way that client computers can be
managed. You can use group policy to configure the user environment, distribute
applications, run logon scripts, and redirect folders. Each of these should be
planned carefully to ensure that they function as expected.
Objectives
After completing this lesson, you will be able to:
Describe why client computers need to be managed.
Describe the methods for managing client computers.
Describe the considerations for using group policy preferences.
Use group policy preferences.
Describe the considerations for deploying software by using group policy
objects.
Describe the considerations for using logon scripts.
Describe the considerations for using folder redirection.

Why Manage Client Computers?

Key Points
Many network administrators consider servers to be the most important part of the
network. They are high-profile computers because many users are affected when
they do not function properly. However, client computers are just as important as
server computers. Each user on a network is working with a client computer and a
poorly configured client computer affects the productivity of that user.
Managing client computers includes:
Distributing applications. Installing applications on client computers is a
time-consuming process when performed manually on each computer. Even if
applications are included in an image used during initial configuration,
application updates still need to be applied. Applications and updates should
be installed by using an automated method. Using an automated method to
install applications and updates saves time and money for the organization.
Enforcing security settings. Manually configuring security settings on each
client computer is a time-consuming and error prone process. To prevent users
from circumventing security guidelines, the users should not have control over
the security settings. The enforcement of security settings should be
automated to ensure that it is performed consistently.
Enforcing application settings. Some applications can affect the security of
your organization. There are a number of Internet Explorer settings such as
ActiveX Control settings that can make a computer less vulnerable to attack
when configured properly. Other configuration options such as the location of
a database server are important to ensure that applications are functional for
users. The ability to configure these settings centrally results in more reliable
performance for users and greater productivity.
Standardizing the user environment. In addition to technical considerations,
it is useful to standardize the user environment simply to make it consistent
from one computer to the next. This can include standardized desktop
configuration, standardized applications, and standardized drive letter
mappings to network shares. Standardizing the user environment makes it
easier for users to move from one computer to another and remain productive.
It also makes it easier to perform troubleshooting and provide help desk
support.

Methods for Managing Client Computers

Key Points
Group policy is one of the easiest and most inexpensive methods you can use for
managing client computers. It can be used to perform software distribution,
enforce security settings, enforce application settings, and standardize the user
environment.
To manage client computers, you can use:
Group policy settings. Group policy settings include software distribution,
security settings, and administrative templates. The software distribution can
be used to distribute applications, application updates, and operating system
updates. The security settings control a wide variety of operating system
settings such as which users are allowed to perform Remote Desktop
operations and whether digital signing is required for network
communication. The administrative templates let you configure a wide variety
of settings for Windows components. Also, administrative templates can be
customized to deliver registry settings that control applications. Some vendors
provide administrative templates for their applications.
Group Policy settings write to the Policies branches of the registry (for example HKLM\Software\Policies and HKCU\Software\Policies), which standard user accounts cannot modify, and they are reapplied at every policy refresh, so they are enforced. Group Policy settings are available for Windows 2000 and newer operating systems.
Group policy preferences. Group policy preferences enable you to configure,
deploy, and manage operating system and application settings that were not
manageable using group policy. Examples include mapped drives, scheduled
tasks, and Start menu settings.
Scripts. By using a script, you can configure almost any aspect of an operating
system or application. The most common use of scripts is to map drive letters.
You can specify a logon script in the properties of each user account.
Group policy scripts. By using Group policy, you can run scripts that apply to
computer or user accounts. For computer accounts, there are startup and
shutdown scripts. For user accounts, there are logon and logoff scripts.
Windows Server Update Services (WSUS). WSUS is a solution from
Microsoft for applying updates to operating systems and application software.
Updates are downloaded from Microsoft Update and stored on the WSUS
server. Updates are only applied to clients and servers after they have been
approved.
System Center Configuration Manager (SCCM). SCCM is a solution for
configuration management, software distribution, and applying software
updates. SCCM can also be used for operating system deployment and asset
management.

Considerations for Using Group Policy Preferences

Key Points
Considerations for using group policy Preferences include:
You can use group policy settings and group policy preferences in the same GPO. Preferences cover items that group policy settings do not (drive maps, shortcuts, scheduled tasks, and so on); where a policy setting and a preference item configure the same thing, the policy setting prevails because it is enforced.
Preference settings are not enforced and can be modified by the user, even when the item is set to reapply at every refresh. You should not consider preferences a security enforcement mechanism. Do not store passwords in preference items (Drive Maps, Data Sources, Local Users and Groups, Scheduled Tasks, Services): the password is written to the preference XML in SYSVOL, which every domain user can read, protected only by encryption whose key Microsoft has published; the option was later removed by security update MS14-025.
Application of group policy preferences requires the Group Policy Preference Client Side Extensions on the client. They are a separate update (KB943729) for Windows XP with SP2 or later, Windows Server 2003 with SP1 or later, Windows Vista and Windows Server 2008, so check that the update is installed before relying on preference items. If you have Windows 2000 clients, you must use another mechanism to standardize the user environment.
Use the Data Sources node to easily add or modify ODBC data sources for
applications. This is useful during application deployment or when a Microsoft
SQL Server database has been moved to a new server.
Use the Drive Maps node as an alternative to mapping drive letters by using a
logon script. Writing a logon script is typically more complex than configuring
group policy preferences.
Use the Start Menu and Shortcuts node to standardize the ways of starting
applications. By standardizing the look of both the Start menu and Desktop
shortcuts, users will be able to easily move from one computer to another.
Also, it will be easier for the help desk to provide documentation.
Use the Internet Settings node to standardize the configuration of Internet
Explorer. This includes defining a home page, managing trusted sites, and
other options available in Internet Options.
Use item-level targeting to determine which users and computers a preference item applies to. This lets you keep a single GPO with many preference items and control the application of each item individually, rather than splitting the items across GPOs with security filtering or WMI filtering. Targeting is an administrative convenience, not a security boundary: the client still downloads the whole GPO, and the user can read every item in it.

Demonstration: Using Group Policy Preferences

To configure group policy preferences:
1. Open the Group Policy Management Console (GPMC).
2. Create a new GPO.
3. Edit the GPO and configure the items under Computer Configuration\Preferences or User Configuration\Preferences.
4. Link the GPO to the appropriate OU.

Considerations for Deploying Software by Using
Group Policy

Key Points
The considerations for software deployment by using group policy include the
following:
To place an application shortcut in the Start Menu, assign the application to a
computer or user. An application assigned to a computer will be available to all
users. An application assigned to a user will be available only for that user.
To allow users to access an application quickly on first use, assign the
application to the computer. Assigning an application to a computer installs
the application in the background on computer startup. Then when the user
accesses the application for the first time, it is already installed.
To limit disk space usage, assign applications to users or publish applications
to users. When an application is assigned or published to a user, the
application is not installed until first use or until installation is selected from
Control Panel.
To install applications when required to view a document, enable document
activation for published applications. Assigned applications are always
installed as required to view documents based on the file extension of the
document.
To enable software distribution over a wide area network (WAN), use
Distributed File System (DFS) to replicate the installation files. Users will
automatically install the application from the closest replica of the files.
Restrict user permissions to the software installation files. Users require only Read access to the installation files. Allowing greater permissions may result in installation files being accidentally deleted, infected with viruses, or replaced with a malicious package, which clients would then install automatically, with SYSTEM privileges in the case of an application assigned to computers.
Use categories to organize applications. When you publish applications, users
can install them from a list. Assigning the applications to categories organizes
the list and makes it easier for users to find the application they are looking
for.
Create transform (MST) files to customize the installation of applications. A
transform file is created by using an MSI editor. By including an MST file as
part of an application package, you can create a silent installation and modify
various installation options. The exact options that you can modify are
application dependent.
Use mandatory upgrades to keep consistent versions of applications in your
organization. Having consistent versions of applications simplifies support.
Use forced removal to remove applications from computers. This is useful
when the license for software is no longer valid or has been moved to a
different computer. An optional removal prevents new software installation,
but does not remove the software from computers where it is already installed.

For best practices on the use of group policy for software installation, see
Best practices for group policy Software Installation on the TechNet Web
site at http://go.microsoft.com/fwlink/?LinkId=99486.
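The read-only software distribution point that the considerations above call for, as an added PowerShell example that is not part of the course material. It runs on the file server as an administrator; the folder path, share name and group names are assumptions.

```powershell
# Added example, not from the course. Creates a software distribution point that
# ordinary users and computers can only read, so nobody outside the packaging team
# can swap the MSI/MST files that clients install automatically. Run on the file
# server as an administrator. Folder, share and group names are assumptions.
$path  = 'D:\Software'
$share = 'Software$'     # hidden share; GPO packages still reference \\server\Software$\...
New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS: drop inherited ACEs, then grant exactly what each party needs.
# (OI)(CI) = applies to the files and subfolders created under the root.
# Authenticated Users includes domain computer accounts, which is the identity
# an application assigned to computers uses when it installs at startup.
icacls $path /inheritance:r
icacls $path /grant 'SYSTEM:(OI)(CI)F'
icacls $path /grant 'CONTOSO\Software Packagers:(OI)(CI)F'
icacls $path /grant 'Authenticated Users:(OI)(CI)RX'

# Share permissions: Read for installers, Full only for the packaging team.
net share "$share=$path" "/GRANT:Authenticated Users,READ" "/GRANT:CONTOSO\Software Packagers,FULL"

# Verify: the listing must show no (M), (W) or (F) entries for Authenticated Users.
icacls $path
```

Publish the packages from this share (or from a DFS namespace that replicates it) and leave the permissions as they are when you add MST files or new versions: the packaging team writes, everyone else reads.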

Considerations for Using Scripts

Key Points
A script for managing client computers can be written in any scripting language
supported by the client computer. The two most common languages for scripts are
batch files and Microsoft Visual Basic scripts. By using a script, you can configure
almost any aspect of an operating system or application.
You can specify a logon script in the properties of each user account. By using
group policy, you can run scripts that apply to computer or user accounts. For
computer accounts, there are startup and shutdown scripts. For user accounts,
there are logon and logoff scripts.
Considerations for using scripts:
Logon scripts are the most commonly used type of script. The most common
use of logon scripts is to map drive letters. If your environment supports the
use of group policy preferences, you may no longer need logon scripts.
Specifying the logon script in the properties of each user account is awkward
because it must be done for each account. It is simpler to use logon scripts in
group policy.
Startup and shutdown scripts can be used to perform computer-specific
operations. For example, in a teaching classroom, a shutdown script could be
used to delete user profiles or temporary files.
Scripts can be stored in any network-accessible location. However, for logon
scripts specified in the properties of each user account, the preferred location
is the NETLOGON share. For group policy scripts, the preferred location is the
SYSVOL share. Both the NETLOGON and SYSVOL shares are automatically
replicated between domain controllers. Replication between domain
controllers avoids the need to manually update logon scripts in multiple
locations and provides a backup in case a domain controller fails.

Considerations for Using Folder Redirection

Key Points
The considerations for using folder redirection include:
You can redirect folders in addition to the My Documents folder (which
includes My Pictures). In Windows XP and Windows Vista, you can also
redirect the Application Data, Desktop, and Start Menu folders. In Windows
Vista only, you can also redirect Contacts, Downloads, Favorites, Searches,
Links, Music, Video, Saved Games, and Pictures.
Folder redirection makes it possible to back up user data without backing up
client computers. For example, many applications store configuration data and
templates in Application Data. If this folder is redirected to a network server,
then it can be backed up on the server without backing up the client
computer.
Folder redirection reduces the size of user profiles. When roaming user
profiles are used to allow users to move between computers and retain their
settings, a common problem is large profiles resulting in extended logon
and logoff times. One of the primary reasons for this is files stored in My
Documents. When folders are redirected to a server, the files in those folders
are not downloaded with the roaming user profile.
If you want My Documents to be private storage space, redirect My Documents
to the user home folder. This provides easy access to the user home folder and
prevents most users from storing files locally.
If you want My Documents to be shared storage space, redirect My Documents
to a departmental share. This provides easy access to the department share
and prevents most users from storing files locally.
Allow folder redirection to automatically configure the necessary permissions
when creating a folder for each user under the root path. This will ensure that
the correct NTFS permissions are configured. However, the share and share
permissions need to be configured manually first.
When there is an interruption in network services, users with folder
redirection will experience problems. To mitigate this, use offline files in
conjunction with folder redirection. This ensures that users have access to files
during network interruptions. Remember to enable the Offline Files option to
synchronize all offline files before logging off.
It is a best practice to control what appears on the Start Menu by using group
policy settings or group policy preferences rather than by redirecting the Start
Menu folder.
It is possible to use Encrypting File System in conjunction with folder
redirection. However, to make this possible, the server must be trusted for
delegation. Also, files will not be encrypted while in transit over the network.
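Preparing the root share before folder redirection is enabled, as an added example that is not part of the courseware. The local path, the hidden share name and the NTFS rights are assumptions: the rights are the usual minimum that lets an authenticated user list the root and create a subfolder, after which folder redirection sets the per-user permissions itself.

```powershell
# Added example (not from the 6430B courseware): prepare the root share that
# folder redirection will create per-user folders under. The page notes that
# the share and share permissions must exist before redirection is enabled.
# Assumed values: local path, share name, and the NTFS rights listed below.
param(
    [string]$Root      = 'D:\RedirectedFolders',   # assumed local path
    [string]$ShareName = 'Users$'                  # assumed hidden share name
)

New-Item -Path $Root -ItemType Directory -Force | Out-Null

# Drop inherited ACEs on the root, then grant:
#   SYSTEM, Administrators : Full Control on this folder, subfolders and files
#   CREATOR OWNER          : Full Control on subfolders and files only (inherit-only),
#                            so each user ends up owning only the folder created for them
#   Authenticated Users    : list folder (RD) and create subfolder (AD), this folder only,
#                            so users cannot read or browse each other's folders
icacls $Root /inheritance:r `
    /grant 'SYSTEM:(OI)(CI)F' `
    /grant 'Administrators:(OI)(CI)F' `
    /grant 'CREATOR OWNER:(OI)(CI)(IO)F' `
    /grant 'Authenticated Users:(RD,AD)' | Out-Null

# Share permission Full Control for Authenticated Users; the NTFS ACL above
# is what actually restricts access, so the share layer does not need to.
net share "$ShareName=$Root" "/grant:Authenticated Users,FULL" | Out-Null

# Show the resulting ACL so the grant set can be checked before the GPO is linked.
icacls $Root
```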

Lab: Planning for Group Policy


Note: Your instructor may run this lab as a class discussion.
A. Datum has never implemented group policy other than for basic password
configuration in the domain using the default GPOs. After attending a recent
seminar, the IT manager wants to use group policy more effectively for the
organization.
Exercise 1: Creating a Group Policy Plan
Scenario
You have been tasked with creating a plan for implementing group policy. Your IT
manager has provided you with a list of requirements that must be met by your
plan.
The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create an OU structure.
3. Create a list of required GPOs.
Supporting Documentation
E-mail thread of correspondence with Allison Brown:
Gregory Weber
From: Allison Brown [Allison@adatum.com]
Sent: 21 July 2009 17:30
To: Gregory@adatum.com
Subject: group policy implementation
Greg,
As we discussed in the meeting this morning, I'd like you to take the lead on
planning our implementation of group policy. At this time, we have only the
default GPOs in place for the domain and domain controllers.
Here are some of the requirements that have come up that I believe can be
addressed best by using group policy:
Read and write access to removable drives should be blocked for all office
computers, including servers. Since we've upgraded all of the computers to
Windows Vista and Windows Server 2008, this should be no problem. We
must ensure that another GPO does not override this setting.
Due to the creation of the three new branch offices, we are hiring a new person
to manage those offices. We'd like the new person to be able to manage group
policy for those remote offices, but not the head office.
I'd like to start using group policy preferences for drive mappings, rather than
logon scripts. We want the drive letters to be consistent in each location, but
the server names will vary in each location.
Application installation and updates for the branches will be done by using
group policy. In the branch offices, the sales staff and office staff will have
different applications. We need to be able to roll applications out one location
at a time during initial deployment. However, later updates can be done for all
branches at once. Application installation files should be stored in DFS and
replicated to each branch.
The computer training lab in the head office should not be subject to the
restriction on removable drives. We'll be using USB drives to configure these
computers for various courses.
The user desktops on the Terminal Server running Windows Server 2003 need
to be locked down. The Desktop and Start Menu should be simplified to
display only the application that users have access to. All users should have the
same configuration when logged on to the Terminal Server regardless of the
OU they are located in.

At minimum, I need you to figure out how these can be implemented. As part of
your plan, please create an OU structure and define where each group policy will
be linked.
Let me know if you require any clarification.
Regards,
Allison
Task 1: Read the supporting documentation
1. Read the supporting documentation.
2. On SEA-DC1, use Active Directory Users and Computers to review the existing
Active Directory structure.
3. Use the Group Policy Management Console to review the existing group
policy configuration.

Task 2: Create an OU structure
Draw a diagram of an OU structure that will allow you to meet the
requirements given to you by Allison.
Task 3: Create a list of required GPOs
Create a list of GPOs required to implement the requirements given to you by
Allison.
Record each GPO in a table with the following columns: GPO Name, Settings,
Linked to, Filters.

Results: After this exercise, you should have a completed group policy plan for
A. Datum.

Exercise 2: Implementing Group Policy
Scenario
After completing the group policy plan, you must now implement it.
The main tasks for this exercise are as follows:
1. Start the virtual machine and log on.
2. Create the OU structure.
3. Create the GPO for enforced security.
4. Create the GPO for Branch 1 preferences.
5. Create the GPOs for applications.
6. Create the GPO for Terminal Servers.
7. Verify application of policies for Branch1 sales staff.
8. Verify application of policies for Branch1 sales staff on the Terminal Server.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Create the OU structure
1. On SEA-DC1, open Active Directory Users and Computers.
2. Create an organizational unit named Head Office in the root of the
Adatum.com domain.
3. Create an organizational unit named Branches in the root of the Adatum.com
domain.
4. Create an organizational unit named Branch1 in the Branches OU.
5. Create an organizational unit named Branch2 in the Branches OU.
6. Create an organizational unit named Branch3 in the Branches OU.
7. Create an organizational unit named Terminal Servers in the root of the
Adatum.com domain.

Task 3: Create the GPO for enforced security
1. Use Active Directory Users and Computers to create a new global security
group in the Head Office OU.
Group name: Lab Computers
2. Use Active Directory Users and Computers to create a new computer
account in the Head Office OU.
Computer name: Lab1
3. Add Lab1 as a member of the Lab Computers group.
4. Use Group Policy Management to create the enforced security GPO.
Name: Enforce Security
Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny read access, Enabled
Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny write access, Enabled
Linked to Adatum.com
5. On the Enforce Security link to Adatum.com, make the policy Enforced.
6. On the Delegation tab of Enforce Security, use the Advanced button to
Deny Read permission for the Lab Computers group.

Task 4: Create the GPO for Branch1 preferences
1. Use Group Policy Management to create a new GPO in the Group Policy
Objects container.
Name: Branch1 Preferences
User Configuration\Preferences\Windows Settings\Drive Maps: Map drive letter S to \\Branch1Srv\Shared.
2. Link Branch1 Preferences to the Branch1 OU.

Task 5: Create the GPOs for applications
1. Use Active Directory Users And Computers to create a new global security
group in the Branches OU.
Group name: Sales Staff
2. Use Active Directory Users And Computers to create a new global security
group in the Branches OU.
Group name: Office Staff
3. Use Group Policy Management to create a new GPO in the Group Policy
Objects container.
Name: Sales Applications
4. Use Group Policy Management to create a new GPO in the Group Policy
Objects container.
Name: Office Applications
5. Configure security filtering for the Sales Applications GPO on the Scope tab:
Remove the Authenticated Users group from the Security Filtering area.
Add the Sales Staff group to the Security Filtering area.
6. Configure security filtering for the Office Applications GPO on the Scope tab:
Remove the Authenticated Users group from the Security Filtering area.
Add the Office Staff group to the Security Filtering area.
7. Link the Sales Applications GPO to the Branch1 OU.
8. Link the Office Applications GPO to the Branch1 OU.
Task 6: Create the GPO for Terminal Servers
Use Group Policy Management to create a new GPO that is linked to the
Terminal Servers OU.
Name: TS Lockdown
Computer Configuration\Policies\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode, Enabled, Replace mode
User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands, Enabled
User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Remove Run menu from Start Menu, Enabled
User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Add Logoff to the Start Menu, Enabled

Task 7: Verify application of policies for Branch1 sales staff
1. Use Group Policy Management to model the application of policies for
Branch1 sales staff.
Use any domain controller
User container: Branch1
Computer container: Branch1
Advanced Simulation Options: none
User Security Groups: add the Sales Staff group
Skip to the final page after entering the User Security Groups information
2. Review the applied and denied GPOs for the computer.
3. Review the applied and denied GPOs for the user.

Task 8: Verify application of policies for Branch1 sales staff on the
Terminal Server
1. Use Group Policy Management to model the application of policies for
Branch1 sales staff.
Use any domain controller
User container: Branch1
Computer container: Terminal Servers
Advanced Simulation Options: Loopback processing, Replace
User Security Groups: add the Sales Staff group
Skip to the final page after entering the User Security Groups information
2. Review the applied and denied GPOs for the computer.
3. Review the applied and denied GPOs for the user.

Results: After this exercise, you should have successfully implemented group policy.
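The Exercise 2 build carried out as a script, as an added example that is not part of the 6430B courseware. It assumes a domain controller with the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 or RSAT; the 2008 RTM lab image has neither) and that the registry values behind each Administrative Template setting are checked against the ADMX files before use; the drive-map preference (Task 4) and the Deny ACE for Lab Computers (Task 3, step 6) are left to GPMC because no cmdlet writes them.

```powershell
# Added example (not part of the 6430B courseware): scripts the OU and GPO
# build from Exercise 2. Assumptions: ActiveDirectory and GroupPolicy modules
# are available (Windows Server 2008 R2 / RSAT), and the registry paths below,
# taken from the corresponding ADMX files, have been verified on your system.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=Adatum,DC=com'

# Task 2: OU structure (Head Office, Branches\Branch1-3, Terminal Servers)
New-ADOrganizationalUnit -Name 'Head Office'      -Path $domainDN
New-ADOrganizationalUnit -Name 'Branches'         -Path $domainDN
New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $domainDN
'Branch1', 'Branch2', 'Branch3' | ForEach-Object {
    New-ADOrganizationalUnit -Name $_ -Path "OU=Branches,$domainDN"
}

# Task 3: enforced removable-storage block, plus a group used to exempt the lab
New-ADGroup -Name 'Lab Computers' -GroupScope Global -GroupCategory Security `
            -Path "OU=Head Office,$domainDN"
New-ADComputer -Name 'Lab1' -Path "OU=Head Office,$domainDN"
Add-ADGroupMember -Identity 'Lab Computers' -Members (Get-ADComputer 'Lab1')

$gpo = New-GPO -Name 'Enforce Security'
# Removable Disks: Deny read / Deny write (RemovableStorage.admx). The GUID is
# the Removable Disks device class; confirm it and the value names in the ADMX.
$removable = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $removable -ValueName 'Deny_Read'  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $removable -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null
# Enforced at the domain root so that no lower-level GPO can override it.
New-GPLink -Name $gpo.DisplayName -Target $domainDN -Enforced Yes | Out-Null
# Set-GPPermission cannot write a Deny ACE, so step 6 (Deny Read for Lab
# Computers on the Delegation tab) stays a GPMC task. Removing Apply alone is
# not enough: Lab1 is still an Authenticated User and would keep applying it.

# Task 5: one application GPO per role, security-filtered to that role's group
$roles = @{ 'Sales Applications' = 'Sales Staff'; 'Office Applications' = 'Office Staff' }
foreach ($role in $roles.GetEnumerator()) {
    New-ADGroup -Name $role.Value -GroupScope Global -GroupCategory Security `
                -Path "OU=Branches,$domainDN"
    New-GPO -Name $role.Key | Out-Null
    # Replace the default Authenticated Users Apply permission with the role group.
    Set-GPPermission -Name $role.Key -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None     | Out-Null
    Set-GPPermission -Name $role.Key -TargetName $role.Value          -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Linked per branch OU, so the initial rollout can go one location at a time.
    New-GPLink -Name $role.Key -Target "OU=Branch1,OU=Branches,$domainDN" | Out-Null
}

# Task 6: loopback (Replace) and Start Menu lockdown for the Terminal Servers OU
$ts = New-GPO -Name 'TS Lockdown'
# UserPolicyMode 2 = Replace: every user gets the same settings on the TS
# regardless of the OU their user object is in.
Set-GPRegistryValue -Name $ts.DisplayName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
                    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $ts.DisplayName -Key $explorer -ValueName 'NoClose'              -Type DWord -Value 1 | Out-Null  # no Shut Down/Restart/Sleep/Hibernate
Set-GPRegistryValue -Name $ts.DisplayName -Key $explorer -ValueName 'NoRun'                -Type DWord -Value 1 | Out-Null  # no Run menu
Set-GPRegistryValue -Name $ts.DisplayName -Key $explorer -ValueName 'ForceStartMenuLogOff' -Type DWord -Value 1 | Out-Null  # Logoff on Start Menu
New-GPLink -Name $ts.DisplayName -Target "OU=Terminal Servers,$domainDN" | Out-Null

# Tasks 7-8: the Modeling wizard has no cmdlet; verify links and settings instead.
# Enforce Security must show up as an inherited, enforced link on every OU.
Get-GPInheritance -Target "OU=Branch1,OU=Branches,$domainDN" | Select-Object -ExpandProperty InheritedGpoLinks
Get-GPOReport -Name 'Enforce Security' -ReportType Html -Path "$env:TEMP\EnforceSecurity.html"
```

Run Group Policy Modeling in GPMC afterwards, as in Tasks 7 and 8, to confirm that Lab1 is the only computer denied Enforce Security and that the Sales Staff user receives TS Lockdown in Replace mode.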
To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module Review and Takeaways

Review Questions
1. What are some of the ways you can speed up group policy processing?

2. How can you modify how group policy is processed and applied?

3. Is it possible to delegate group policy management for just an OU?


Common Issues Related to a Particular Technology Area in the Module
Identify the causes for the following common issues related to a particular
technology area in the module and fill in the troubleshooting tips. For answers,
refer to relevant lessons in the module.
Issue: A GPO is not being applied after creation.
Troubleshooting tip: Run GPupdate.exe on the client to force GPOs to be
updated. This avoids the potential 90-minute refresh interval on non-domain
controllers.

Issue: Group policy is not applying as expected.
Troubleshooting tip: Use Group Policy Results in Group Policy Management to
view the GPOs that are being applied.

Issue: You are unsure how changes will affect group policy application.
Troubleshooting tip: Use Group Policy Modeling in Group Policy Management to
view the results of potential changes to network speed, loopback processing,
site, security group membership, and WMI filters.

Real-World Issues and Scenarios
1. You have configured a kiosk with an application for controlling manufacturing
equipment. You would like all users on the kiosk to have the same
configuration regardless of the organizational unit that their user object resides
in. How will you accomplish this?


2. In the past, you have created customized ADM templates and they were
automatically included with the GPO on SYSVOL. This allowed the GPO to be
properly edited from any location. You have now created a customized ADMX
template and realize that it is stored locally. Others will not be able to edit the
GPO. How can you resolve this?


3. Your organization has no formal plan in place for backing up GPOs. Only a
full backup, including system state, is being performed each day. How can you
improve this?


Best Practices Related to a Particular Technology Area in This Module
Supplement or modify the following best practices for your own work situations:
Use group policy to manage settings on computers rather than manually
configuring each computer.
Disable unnecessary parts of GPOs to increase processing speed.
Plan your Active Directory OU structure with group policy in mind.
Use security filtering and WMI filtering for more flexible GPO application.
Use loopback processing for special use computers such as kiosks and
Terminal Servers.
Use starter GPOs to simplify the creation of new GPOs with similar settings.
Back up GPOs before modifying them.
Delegate the management of GPOs to OU administrators that are affected by
them. For example, delegate the management of GPOs for a region to an
administrator for that region. This can include linking and modifying the
GPOs.
Redirect folders to a server to simplify recovery if a client computer fails.

Tools
Tool: Group Policy Management
Use for: Creating and managing GPOs
Where to find it: Administrative Tools

Tool: GPResult.exe
Use for: Troubleshooting GPO application
Where to find it: C:\Windows\System32

Tool: ADMX Migrator
Use for: Converting customized ADM templates to ADMX templates
Where to find it: http://go.microsoft.com/fwlink/?LinkID=164211&clcid=0x409

Tool: BackupAllGPOs.wsf
Use for: Script that can be used to create scheduled backups of GPOs
Where to find it: C:\Program Files\GPMC\Scripts

Module 5
Planning Application Servers
Contents:
Lesson 1: Overview of Application Servers 5-3
Lesson 2: Supporting Web-Based Applications 5-17
Lesson 3: Supporting SQL Server Databases 5-30
Lesson 4: Deploying Client Applications 5-48
Lesson 5: Planning Terminal Services 5-55
Lab: Planning Application Servers 5-64
Module Overview

This module focuses on the support that Windows Server 2008 provides for
Application Servers. When supporting an application server, you first need to
understand the characteristics of the application, whether it is Web-based or
traditional. Microsoft SQL Server databases have unique support requirements
that are very different from infrastructure servers. Finally, part of planning
application servers is determining how remote users will access applications.
Terminal Services is an excellent method for providing remote access to
applications for roaming users and remote offices.
Objectives
After completing this module, you will be able to:
Describe application servers.
Plan support for Web-based applications.
Plan support for SQL Server databases.
Plan the deployment of client applications.
Plan the implementation of Terminal Services.
Lesson 1
Overview of Application Servers

An application server is a computer that is dedicated to running network-aware
application software. Examples of such software include SQL Server, Microsoft
Exchange Server, Internet Information Services (IIS), and Terminal Services. The
design of network-aware application software can be Web-based, or it may have a
client-server architecture. The system requirements of each application, including
its architecture, must be considered when configuring the computers that will host
them.
Windows Server 2008 includes features to support the application server role,
regardless of whether the application to be hosted has a Web-based or a
client-server architecture.
Objectives
After completing this lesson, you will be able to:
Describe an application server.
Describe the types of authentication for traditional applications.
Describe the considerations for supporting traditional applications.
Describe the considerations for Web-based applications.
Describe Windows Server 2008 features and roles that support application
servers.
Describe considerations for maintaining application servers.

What Is an Application Server?

Key Points
When computer networks became a common part of corporate environments, they
were initially used primarily for file sharing and printing. File sharing allowed
organizations to more easily control access to files and back them up. Shared
printing allowed many users to share a single printer and save on printing costs.
After file sharing and shared printing were common, application servers began to
be added to networks.
An application server is a server that runs user applications. Application
servers have more intensive processing and memory requirements than file and
print servers because they perform more complex tasks. Some examples of
application servers are Web servers and e-mail servers.
The applications that run on application servers are typically divided into two categories:
• Traditional applications. A traditional application may also be called a client-server application. Part of the application runs on a client computer and part of the application runs on a server. Typically, the client (front-end) application serves as an end-user interface for sending requests to and receiving responses from the server (back end). The bulk of the data is stored on the server. In some cases, the server portion of the application is just a SQL Server database that all client computers communicate with. In other cases, there is a middle tier with application logic that the client computers communicate with, and the middle tier communicates with a SQL Server database.
• Web-based applications. A Web-based application uses a Web browser to provide the user interface. The application logic is then performed on a Web server and data is stored in a SQL Server database.
Types of Authentication for Traditional Applications
Key Points
The authentication method used by a traditional application is determined by the application developer. However, sometimes an application will provide several options that an administrator can choose from when installing the application.
Some of the most common options for authentication are:
• Active Directory. Some applications are able to communicate with Active Directory directory services for authentication. This allows you to use the existing user objects to assign permissions within the application.
• LDAP. Lightweight Directory Access Protocol (LDAP) can be used to access information in a variety of directories, including Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). This option also allows you to use the existing user objects to assign permissions within the application.
• Internal. Some applications require user accounts to be generated within the application. These user accounts are not linked with Active Directory user accounts and must be managed separately. This means that users will have one set of credentials when authenticating to Active Directory and another set of credentials when logging on to the application.
Considerations for Supporting Traditional Applications
Key Points
Some of the considerations for supporting traditional applications are:
• Active Directory or LDAP authentication simplifies user logons. Either of these authentication options allows users to log on using a single set of credentials. This also simplifies user management.
• Client software for traditional applications may be difficult to update. In most cases, when you update the client software for a traditional application, you must update the software on all client computers at the same time. This may be a requirement to prevent older client software from corrupting data used by the new client software. If you are unable to update all client software in a timely way, some users may not be able to access the application for several hours or even days.
• Traditional applications are difficult to regulate through firewalls. Many traditional applications use remote procedure calls (RPC) for communication. RPC uses dynamically assigned (random) port numbers for communication and is therefore difficult to control by using network firewalls. Host-based firewalls, such as Windows Firewall, can control communication based on the process generating it, so the changing port numbers are not a problem for them.
• Traditional applications are difficult to access over the Internet. Most traditional applications are designed to use RPC, which is difficult to allow through the firewalls between a corporate network and the Internet. Also, most traditional applications are designed for local area networks (LANs) and generate large amounts of network communication. You can operate traditional applications over a virtual private network (VPN) connection to accommodate RPC through a network firewall, but the application performance is typically poor.
Note: When running a traditional application over the Internet, performance may be slow even if only small amounts of data are transferred. Frequent communication combined with high latency will result in slow performance.
• Many traditional applications require NetBIOS name resolution. If a traditional application requires NetBIOS name resolution, you may need to maintain WINS servers or LMHOSTS files. This is an additional administrative load.
Considerations for Web-Based Applications
Key Points
Web-based applications use a Web browser on client computers instead of application software. The Web browser on the client is responsible only for formatting and displaying processed data on the client computer. The Web server sends all of the necessary data to the client. All of the application logic is maintained in software executed on the Web server instead. The software on the Web server typically communicates with a SQL Server database back end for data storage.
Some considerations for Web-based applications are:
• Web-based applications are well suited for use over the Internet and by remote locations. The amount of data passed between the Web server and the client is relatively small when compared to traditional applications. All of the data processing is performed before the information to display is transferred to the Web browser on the client.
• Web-based applications require no additional infrastructure on most networks. Unlike traditional applications, which may require older infrastructure, such as NetBIOS name resolution, Web-based applications use standard infrastructure already available on corporate networks, such as Domain Name System (DNS) name resolution and TCP/IP.
• Web-based applications are easier to update than traditional applications. When you update a Web-based application, it is done on the Web server. Therefore, you update the application for all users in a single step. This can be more complex if there are multiple Web servers in use as part of the application.
Windows Server 2008 Features and Roles That Support Application Servers
Key Points
Windows Server 2008 has a number of features and roles that support the use of Windows Server 2008 as an application server. The requirements vary depending on the application. Individual application servers may require none or all of these features and roles. Most applications will include the requirements in the installation documentation.
• .NET Framework 3.0 features. The Microsoft .NET Framework is used by applications to access operating system services through application programming interfaces (APIs). Version 3.0 includes the APIs necessary to support .NET Framework 2.0 applications and additional elements. This means that a computer with the .NET Framework 3.0 installed can run applications built for the .NET Framework 2.0 or the .NET Framework 3.0. Earlier versions of the .NET Framework can be downloaded from the Microsoft Web site if required and run in parallel with the .NET Framework 3.0.
• Desktop Experience feature. This feature contains applications and features that are typically used by users on desktop computers, such as desktop themes and Windows Media Player. In some cases, server applications will require these components. For example, a streaming media encoder application may require the installation of Windows Media Player.
• Windows PowerShell feature. This feature provides a command shell that can be used for scripting. Some server applications can be managed by using Windows PowerShell. For example, Microsoft Exchange Server 2007 includes the Exchange Management Shell, which is used to administer Exchange Server 2007.
• Application Server role. This role is used to select the necessary features for supporting applications built with the .NET Framework 3.0. The .NET Framework 3.0 is installed as part of this role. You also have the option to install the Web Server, COM+ Network Access, Windows Process Activation Service, TCP Port Sharing, and Distributed Transactions role services.
• Web Server (IIS) role. This role is used to provide support for basic Web sites or Web-based applications. Various role services, such as authentication options, can be configured during the installation process. The Web server installed is IIS version 7. However, there are backward compatibility tools for IIS version 6 that can be installed and are required for some applications.
• Windows SharePoint Services 3.0. Windows SharePoint Services (WSS) can be downloaded from the Microsoft Web site and installed on Windows Server 2008. WSS is a platform for creating collaborative Web sites, managing documents, and managing events.
Considerations for Maintaining Application Servers
Key Points
The maintenance of application servers is different from the maintenance of infrastructure servers. Infrastructure services like Active Directory or DNS are designed to be highly available. When one domain controller is down, clients and applications automatically direct their Active Directory requests to other functional domain controllers. Application servers may not have this type of redundancy.
Considerations for maintaining application servers include:
• Define a maintenance window for each application server. A maintenance window is a regularly scheduled time when users do not expect the application server to be functional. During this time you can perform system updates or other maintenance tasks. The maintenance window is scheduled at a time when user activity would normally be minimal, such as late at night. If unusual maintenance needs to be performed outside of that window, it must be negotiated with the users of the application server.
• Understand the business impact of an application server. Knowing how your organization uses an application server, rather than just the technical details, allows you to recommend improvements for the application server to meet those needs. For example, a critical application may benefit from the implementation of high availability by using failover clustering or network load balancing.
• Enhance the availability of an application server by carefully planning updates and version upgrades. An application server typically has a direct business impact when it is not available. To avoid downtime, all updates should be tested in a lab environment before being applied to the live server. Then, even if testing was successful, you should have a rollback plan during the actual update in case something goes wrong.
• Understand the ramifications before implementing system changes. Many server administrators understand the details of exactly how changes to network infrastructure will affect their systems. However, an application may only be understood in depth by the vendor that created the application. To mitigate the risk of adverse effects, you should carefully read product documentation or consult the vendor. You should also follow the change management process of your organization to reduce the likelihood of unexpected impacts.
Lesson 2
Supporting Web-Based Applications
Web-based applications are well suited for remote offices and even users over the Internet. However, when you configure Web-based applications, you need to consider how users are authenticated and whether Secure Sockets Layer (SSL) will be used to secure communication. If SSL is used to secure communication, you need to determine from where you will obtain the SSL certificate and how it will be configured. IIS provides applications and application pools to control how Web-based applications are processed on the server.
Objectives
After completing this lesson, you will be able to:
• Describe the considerations for authenticating to Web-based applications.
• Describe SSL.
• Describe the considerations for selecting an SSL certificate.
• Describe the considerations for dynamic Web content.
• Describe the considerations for IIS applications.
• Describe how to configure IIS to support a Web-based application.
Authentication Considerations for Web-Based Applications
Key Points
When IIS is used as the Web server for a Web-based application, there are several authentication options you can choose from. Which option you select will depend on your scenario and the options supported by the application vendor.
Some authentication considerations for Web-based applications are:
• Basic authentication is supported by all Web browsers and has no difficulty traversing firewalls. However, it transmits credentials in clear text, which could be viewed as they travel over the network or Internet. For this reason, basic authentication is seldom used alone.
• Basic authentication with SSL is the most commonly used authentication method. SSL is used to encrypt the credentials while they are in transit between the Web browser and the Web server. This makes the authentication process secure and compatible with all Web browsers and Web servers. When SSL is used to secure authentication, it is also normally used to secure all other application data while in transit.
• Windows integrated authentication is useful for authenticating users on an internal network. It allows the credentials from the workstation to be automatically passed to the Web server without any user interaction. This simplifies logons for users. However, in some cases, Internet firewalls can prevent Windows integrated authentication from functioning properly, and it is therefore not well suited to authentication over the Internet. Credentials are encrypted during transit. You will always be prompted for credentials unless the Web site you are accessing is part of the local intranet zone in Microsoft Internet Explorer. Some Web browsers do not support Windows integrated authentication.
Note: Web sites accessed by using a single label name are considered part of the local intranet zone. For more information, see How to use security zones in Internet Explorer on the Microsoft Help and Support Web site at http://go.microsoft.com/fwlink/?LinkID=165683&clcid=0x409.
• Digest authentication encrypts credentials in a manner similar to Windows integrated authentication, but is based on an Internet standard for wider compatibility. However, digest authentication is only available when using Windows Server 2008 Enterprise Edition. It is not commonly used.
• Certificate authentication allows client computers to present a certificate for authentication rather than a username and password. This is considered more secure than a username and password because a certificate is more difficult to re-create or guess. However, when compared with a username and password, the configuration process for certificates is more complex, and certificates are therefore used for authentication only when a high level of security is important.
• Multi-factor authentication is used to enhance the security on public Web sites. Users are required to enter a username and password and also have a physical component to log on. One of the most common ways the physical component is implemented is a small device with a number that changes every one or two minutes. Users are required to enter the number along with their credentials to log on. This is commonly implemented in cases where a high level of security is required, such as banking Web sites.
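As an added Python example (not from the course), a request gate that ties the two Basic authentication points above together: the Authorization header is only base64-encoded, so the handler refuses it unless the request arrived over SSL, and it verifies the password against a salted hash rather than a stored clear-text copy. The WSGI environ keys and the user store layout are assumptions.

```python
"""Accept HTTP Basic credentials only over an SSL-protected request (constructed example)."""
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def build_basic_header(user: str, password: str) -> str:
    """What a browser sends after a Basic challenge: 'user:password' merely base64-encoded."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_credentials(authorization_header: str):
    """Return (user, password) from a Basic Authorization header, or None if malformed.

    Nothing here is secret: anyone who sees the header on the wire can run this,
    which is why the course pairs Basic authentication with SSL.
    """
    scheme, _, encoded = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def make_password_record(password: str, salt: bytes = None) -> dict:
    """Store a salted PBKDF2 digest, never the clear-text password (assumed user store format)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_password(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["digest"])  # constant-time comparison


# Checked for unknown users so that a missing account costs the same time as a wrong password.
_DUMMY_RECORD = make_password_record("", b"\x00" * 16)


def authenticate_basic(environ: dict, user_store: dict) -> tuple:
    """WSGI-style gate returning (http_status, user_or_None).

    403: the request came over plain HTTP, so any credentials in it were already
         exposed in transit; they are refused before lookup (the IIS Require SSL
         setting rejects such requests the same way).
    401: credentials missing, malformed, or wrong.
    """
    if environ.get("wsgi.url_scheme") != "https":
        return 403, None
    creds = parse_basic_credentials(environ.get("HTTP_AUTHORIZATION", ""))
    if creds is None:
        return 401, None
    user, password = creds
    record = user_store.get(user)
    if record is None:
        verify_password(_DUMMY_RECORD, password)
        return 401, None
    if not verify_password(record, password):
        return 401, None
    return 200, user


if __name__ == "__main__":
    # Constructed request: the same header over HTTPS and over plain HTTP.
    store = {"alice": make_password_record("Passw0rd!")}
    header = build_basic_header("alice", "Passw0rd!")
    print("decoded on the wire:", parse_basic_credentials(header))
    print("https:", authenticate_basic({"wsgi.url_scheme": "https", "HTTP_AUTHORIZATION": header}, store))
    print("http: ", authenticate_basic({"wsgi.url_scheme": "http", "HTTP_AUTHORIZATION": header}, store))
```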

What Is SSL?
Key Points
For Web-based applications, SSL is used to encrypt communication between a Web browser and a Web server. The entire communication process between the client and server is encrypted. This protects authentication credentials and application data.
To enable SSL on a Web server, you must obtain a certificate for the Web server. The public key and private key that are part of the certificate are used during the communication process.
The SSL communication process is:
1. The client sends a request to the server by using HTTPS.
2. The server responds by providing the client with the public key of the server.
3. The client generates a symmetrical key for encryption.
4. The client encrypts the symmetrical key by using the public key of the server and transmits the encrypted symmetrical key to the server.
5. The server decrypts the symmetrical key by using its private key.
6. The symmetrical key is then used by both client and server to encrypt and decrypt data sent between them.
Note: TLS (Transport Layer Security) is a newer security protocol that includes SSL and is used for generic TCP/IP encryption, not just Web servers. It functions approximately the same way. For more information, see Introduction (SSL/TLS in Windows Server 2003) on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=165684&clcid=0x409.
Considerations for Selecting an SSL Certificate
Key Points
The certificate used to secure SSL communication is used to verify the identity of the Web server in addition to securing communication. The certificate contains a subject name that identifies the server and must be trusted by the clients. You can generate a certificate by using an internal CA (certification authority) or an external CA.
Some considerations for selecting an SSL certificate are:
• Certificates generated by an internal CA are not trusted by clients outside your organization. An untrusted certificate generates warnings on the client computers. Only use an internal CA for generating certificates for internal clients where you can configure the clients to trust certificates issued by the internal CA. Windows Server 2008 includes CA functionality and can generate certificates at no cost.
• The cost of certificates generated by external CAs varies widely, but the functionality is the same. The justification of cost variance between CAs is typically based on the verification performed on the identity of the organization requesting the certificate. Internet Explorer uses different colors in the address bar to identify a level of trust based on how the identity was validated.
• The subject name in a certificate must match the name used in the URL to access the Web site. If the subject name in the certificate is webapp.contoso.com and you access the Web site by using https://webapp or https://192.168.100.50, then the certificate will not be trusted. If you have internal and external users accessing the Web site by using different DNS names, then you can get a subject alternative name (SAN) certificate with multiple names. However, a SAN certificate is significantly more expensive than a regular server certificate. You can also get wildcard certificates for a subject name such as *.contoso.com. However, some clients and applications do not function properly with wildcard certificates.
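The name-matching rules above, as an added Python example that is not part of the course: it checks the host taken from a URL against a constructed certificate description (subject CN, SAN DNS names, SAN IP addresses; a plain dictionary, not a real X.509 parser) and reports why webapp.contoso.com does not cover https://webapp or https://192.168.100.50, how SAN entries add names, and how a *.contoso.com wildcard matches exactly one label. It goes slightly beyond the text by also handling IP-address SAN entries; the dictionary format and function names are assumptions.

```python
"""Check whether the host in a URL is covered by an SSL certificate's names (constructed example)."""
import ipaddress
from urllib.parse import urlsplit


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match a hostname against one certificate DNS name, applying wildcard rules.

    A '*' is accepted only as the entire leftmost label (for example '*.contoso.com'),
    and it stands for exactly one label: '*.contoso.com' covers 'webapp.contoso.com'
    but neither 'contoso.com' nor 'a.b.contoso.com'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial or non-leading wildcards are rejected
    if len(p_labels) < 3:
        return False  # refuse '*.com', which would cover a whole top-level domain
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate_name(cert: dict, url: str) -> tuple:
    """Return (matches, reason) for the host in url against a certificate description.

    cert is a constructed dictionary, not a parsed X.509 object (assumed format):
      {"subject_cn": "webapp.contoso.com",
       "dns_names": ["webapp.contoso.com", "webapp.contoso.local"],  # SAN dNSName entries
       "ip_addresses": ["192.168.100.50"]}                           # SAN iPAddress entries
    """
    host = urlsplit(url).hostname
    if not host:
        return False, "URL has no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL is covered only by an iPAddress SAN entry,
        # never by the subject CN or a DNS name, even if they look alike.
        for entry in cert.get("ip_addresses", []):
            if ipaddress.ip_address(entry) == ip:
                return True, f"IP {ip} is listed in the certificate SAN"
        return False, f"certificate has no SAN entry for IP {ip}"
    dns_names = cert.get("dns_names") or []
    # When SAN DNS names are present, browsers ignore the subject CN entirely.
    candidates = dns_names if dns_names else [cert.get("subject_cn", "")]
    source = "SAN" if dns_names else "subject CN"
    for name in candidates:
        if name and _dns_name_matches(name, host):
            return True, f"host {host} matches {source} entry {name}"
    return False, f"host {host} matches none of the {source} names {candidates}"


if __name__ == "__main__":
    # The course's scenario: subject name webapp.contoso.com, accessed three ways.
    plain = {"subject_cn": "webapp.contoso.com", "dns_names": [], "ip_addresses": []}
    for url in ("https://webapp.contoso.com/", "https://webapp/", "https://192.168.100.50/"):
        print(url, check_certificate_name(plain, url))
```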

Considerations for Dynamic Web Content
Key Points
Dynamic Web content is content on a Web server that requires processing beyond just retrieving a static Web page from a disk. Dynamic Web content typically includes some type of script embedded in the Web page that is processed by the Web server before the content is delivered to the client. A very simple example of dynamic Web content is a page footer that is inserted into each page delivered by a Web server. Full Web applications that track user state during processes are more complex.
Some considerations for dynamic Web content are:
• There are a variety of ways that dynamic content can be implemented. They include ASP, ASP.NET, CGI, and server-side includes. To avoid potential security risks, you should enable only those methods that are required.
• A Web server with dynamic content requires significantly more processing power and memory than a Web server with static content. As you add dynamic content to a Web server, ensure that you monitor memory and processor utilization to ensure that they are sufficient. This is particularly important if you have a large number of users.
• Running programs on a server with dynamic content introduces security risks. For example, server-side scripts that do not properly verify content submitted from forms can be susceptible to buffer overflow attacks. If your organization develops Web-based applications, they should be carefully tested for security flaws.
• Default scripts meant to demonstrate server features and scripting are a common source of security problems on Web servers. You should remove all default scripts that are not required.
Considerations for IIS Applications

Key Points
One of the concerns with Web-based applications is how one application on a Web
server will affect another. IIS uses the concept of applications and application pools
to control how dynamic content is processed.
An application is a URL (http://www.contoso.com/accounting/app.aspx) or
section of URL namespace (http://www.contoso.com/accounting/). For each
application you can define the credentials used to access the physical files on the
server. The default configuration is pass-through authentication, in which the
identity of the authenticated user is used to access the files. Each
application is also part of an application pool.
Application pools contain one or more applications. Each application pool is
treated as a single processing unit with its own memory space. There are a wide
variety of settings available to control CPU utilization limits, application pool
recycling,
Considerations for IIS applications include:
Use the identity of an application pool to control permissions. For each
application pool, you must define the identity. The identity is the user account
under which the worker process executes the application code. The identity must
have sufficient permissions to access any necessary files, and no more. By default,
the identity is the Network Service account, which has limited rights to the local
system and has permission to communicate on the network. If you have multiple
application pools and want them to remain completely separate, you can create a
dedicated local or Active Directory user account for each pool and grant that
account only the permissions its applications require.
To prevent a failure in one application from affecting another, the two
applications should be placed in separate application pools. By default, there is
only one application for the entire Web site. You may need to create multiple
applications if you want to prevent one application from affecting another.
Because each application pool runs in its own worker process, in-process session
state is not shared between pools. Splitting one Web-based application across
multiple application pools may therefore prevent user state information from being
passed between parts of the application unless the application stores its session
state outside the worker process.
When creating new Web application pools, document the original
configuration so that you can roll back your changes if required.
Use application pool recycling to avoid manual stopping and starting of an
application pool. Some Web-based applications begin to experience problems,
such as steadily growing memory use, when they have been running for an
extended period of time. This is typically caused by defects in the application
code. In such a case, application pool recycling automatically restarts the
worker process. Recycling can be triggered by a regular time interval, a number
of requests received, a memory threshold, or a scheduled time of day. Depending
on the application, recycling may cause user state information to be lost.
Correcting the faulty application is preferred to recycling.

Demonstration: Configuring IIS

Key Points
In this demonstration, you will see how to configure IIS.
High-level steps:
1. Open IIS Manager.
2. Review bindings and the SSL certificate.
3. Create a new application.
4. Review application configuration.
5. Review application pool configuration and the recycling settings.

Lesson 3
Supporting SQL Server Databases

Many application servers, such as SharePoint and Microsoft Project Server, use
SQL Server as a back end for data storage. It is essential that you understand the
basics of SQL Server operation and support to be able to properly support an
application server. There are multiple editions of SQL Server 2008 and the one you
need depends on the scenario it is being used in. Transaction logs are an integral
part of how SQL Server maintains databases and need to be considered when you
decide on a backup and restore strategy for a SQL Server database.
Objectives
After completing this lesson, you will be able to:
Describe why database knowledge is required by administrators.
Describe SQL Server.
Describe SQL Server editions.
Describe SQL Server authentication options.
Use SQL Server management tools.
Describe how SQL Server uses transaction logs.
Describe the backup and restore options for SQL Server.
Select appropriate options for supporting SQL Server.

Why Do Administrators Need to Understand Databases?

Key Points
As the administrator of a Windows network, you need to understand the basics
of how databases work. Databases are used as a back end to store data and
configuration information for a wide variety of applications. End-user applications
that store data in a database include most Web-based applications, SharePoint,
Microsoft Project server, and Exchange Server. Administrator utilities that use a
database include System Center Operations Manager and System Center Virtual
Machine Manager. To support these applications, you need to understand the
basics of database administration.
Managing the databases associated with an application is different from managing
files such as Microsoft Office Word documents or Microsoft Office Excel
spreadsheets. Some of the important differences are:
Databases have constantly changing data and the database files are constantly
open. To back up a database, special procedures are required. If you back up a
live database with a file-level backup or an open file agent, the copy may be
internally inconsistent and you may not be able to restore it. Use the database's
own backup facility or a backup agent that is aware of the database.
Databases use transaction logs that grow over time. You need to ensure that
those transaction logs are truncated (cleared) so that disk space is not wasted.
Databases have their own internal security system. In most cases, applications
configure all of the necessary security. However, you may need to look at
security as part of troubleshooting an application.

Typically, it is not necessary for an administrator to understand the details of how
data is stored inside of a database. That is the responsibility of the application
developer. For example, databases consist of tables of information. An
administrator does not directly modify any of the data in the tables.
There are many different database vendors. The database vendor you select will be
based on the application. Each application vendor will define a list of databases
that can be used and how that database needs to be configured. Some applications
with limited data requirements will include the database installation as part of the
application installation. One of the most commonly used databases in Windows
networks is SQL Server.

Note: Exchange Server does not use SQL Server for data storage. Exchange Server uses a
different type of database called Microsoft Extensible Storage Engine (ESE).

What Is SQL Server?

Key Points
Microsoft SQL Server 2008 is a relational database management system that can be
used for a variety of purposes, such as business intelligence or data
warehousing. However, a common use for SQL Server is as back-end data storage for
applications. Both traditional client-server applications and Web-based
applications often use SQL Server to store application data.
When applications query, modify, and add data to a SQL Server database, they use
Structured Query Language (SQL). SQL is a standard language that is used for
communication with databases. In some cases, it can be useful for server
administrators to be familiar with SQL, but it is not required to perform basic
management of Microsoft SQL Server.
Reporting Services is an optional feature of SQL Server that is used to
automatically generate reports from a SQL Server database. Some applications
require Reporting Services to be installed for full functionality. For example,
System Center Operations Manager requires Reporting Services to generate system
reports showing the health of monitored computers.
When SQL Server is installed, there is a single instance by default. This instance is
unnamed and is accessed by using the name of the server. Within each instance there
can be multiple databases. Each application will have its own database on a SQL
Server, but the databases can be in the same instance.
In addition to the default instance, you can create named instances that are
accessed by using servername\instancename. This is required if applications
require databases with the same name or if instance-level settings must be
different. For example, the applications may require a different collation
(sort order) setting.
The connection settings for a database are often implemented as an Open
Database Connectivity (ODBC) data source or as a connection string. ODBC data
sources are stored on each client computer and contain the server name,
instance name, and database name. Applications use the data source or connection
string to locate the database and to determine how to authenticate to it.
SQL Server Editions

Key Points
There are several editions of SQL Server 2008. Each edition has different features.
You should select the edition that meets the requirements of your applications.
Free editions of SQL Server 2008:
Express. This is an entry level database that is suitable for learning and
applications with limited data requirements. It supports only 1 CPU and 1 GB
of RAM. The maximum database size is 4 GB.
Compact. This edition is designed to be embedded in desktop and mobile device
applications. There are no limits on CPU and memory use. The maximum database
size is 4 GB.
Core editions of SQL Server 2008:
Standard. This edition is designed for use as a departmental database. It is
well suited to use as a back-end data store for departmental applications. It
supports 4 CPUs and has no limit on memory. There are no limits on the
database size, but is limited to 16 instances.
Enterprise. This edition is designed to support enterprise applications. It has
no limits on CPU or memory utilizations. It also has no limits on database size,
supports up to 50 instances, and can run on Itanium-based systems.
Enterprise edition also includes additional features for high availability,
security, data mining, data warehousing, and analysis services.

Specialized editions of SQL Server 2008:
Workgroup. This edition is designed for a remote office that needs a local
instance of company data. It is capable of synchronizing data from the main
office server running Standard or Enterprise Edition. It is limited to 2 CPUs
and 4 GB of RAM. Database size is unlimited.
Web. This edition is designed for Internet facing applications. It supports 4
CPUs, with unlimited memory support and database size. Licensing is per
processor per month.
Developer. This edition has the same features as Enterprise Edition, but is
licensed only for development, testing, and demonstration. This edition may
not be used in production.

For detailed information about SQL Server 2008 editions and their
features, see Compare Edition Features on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=167150&clcid=0x409.

For a pricing overview of SQL Server 2008 editions, see SQL Server 2008
Pricing on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=167151&clcid=0x409.

SQL Server Authentication Options

Key Points
The data in a SQL Server database is protected by permissions, similar to how
NTFS permissions are used to protect data in the file system. For SQL Server to
appropriately determine permissions, the user must authenticate to SQL Server.
SQL Server 2008 authentication modes:
Windows authentication. In this authentication mode, all permissions are
linked to Active Directory or local Windows user accounts, and SQL Server relies
on Windows (Kerberos or NTLM) to authenticate the user. In most cases, this
is easier for users and administrators. Users are authenticated with the
Windows logon they already have, so they do not need to remember a second set
of credentials, and no password is sent to SQL Server by the application.
Administrators do not need to maintain a second set of accounts. This is the
default and recommended mode wherever the applications support it.
Mixed authentication. In this authentication mode, permissions can be linked
to Active Directory user accounts, local Windows user accounts, or SQL Server
logins, which are accounts created and stored in SQL Server with their own
passwords. This provides flexibility for situations where you do not want users
to be Active Directory users. For example, you may want the users for a database
to be administered by the database administration group rather than by Active
Directory administrators.

Before selecting an authentication mode, you need to determine the authentication
modes supported by your application. Some applications require the use of Active
Directory accounts, while others require the use of SQL Server logins.
When you use mixed authentication, the built-in SQL Server login sa is enabled.
The sa login is a member of the sysadmin fixed server role, so it has full rights
to the instance and to every database in it. Because its name is well known, sa
is a common target for password guessing. Microsoft recommends that you disable
or rename sa and grant administrative access instead through Windows accounts
that are members of the sysadmin role. When you configure mixed authentication
during installation, SQL Server 2008 requires you to provide a strong password
for sa. In earlier versions of SQL Server, this password could be left blank.
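The checks described above, as an added example that is not part of the course
material: a Transact-SQL script you can run in SQL Server Management Studio or
with sqlcmd as a member of sysadmin to audit the authentication mode and the
administrative logins of a SQL Server 2008 instance, and then to move
administrative access off the sa login. The Windows group CONTOSO\SQLAdmins is
an assumed name for this example.

```sql
-- Added example (not from the course): audit and harden SQL Server 2008 logins.
-- Run as a member of the sysadmin fixed server role.

-- 1. Which authentication mode is the instance running in?
--    1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;

-- 2. Who holds full control? List every member of the sysadmin fixed server role,
--    including disabled logins, so that nothing is overlooked.
SELECT sp.name AS LoginName, sp.type_desc, sp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON rm.role_id = r.principal_id
JOIN sys.server_principals AS sp ON rm.member_principal_id = sp.principal_id
WHERE r.name = 'sysadmin';

-- 3. In mixed mode, find SQL Server logins that still have an empty password or
--    that do not enforce the Windows password policy. PWDCOMPARE tests a
--    candidate password against the stored hash without revealing the hash.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR is_policy_checked = 0;

-- 4. Take the well-known sa login out of play and grant administrative access
--    through a Windows group instead. CONTOSO\SQLAdmins is an assumed group name.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\SQLAdmins')
    CREATE LOGIN [CONTOSO\SQLAdmins] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQLAdmins', @rolename = N'sysadmin';

ALTER LOGIN sa DISABLE;
```

Run sections 1 to 3 first and review the results before running section 4; once
sa is disabled, the Windows group you added is the only path to sysadmin rights,
so confirm that you can log on with a member of that group before you close your
current session.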
Demonstration: SQL Server Management Tools

Key Points
There are a number of tools available to manage SQL Server 2008. Graphical tools
are the most commonly used by network administrators. More advanced database
administrators can use SQL commands directly to perform server management
tasks.
SQL Server Management Studio is a graphical utility for managing SQL Server
2008. With this utility, you can manage almost any aspect of SQL Server 2008
or previous versions of SQL Server. You can create databases, modify security,
configure backups, and many other features. You can also enter SQL
commands directly through SQL Server Management Studio.
SQL Server Configuration Manager is a graphical utility that performs a few
specific SQL Server management tasks. It can start and stop SQL Server services,
modify the accounts used by those services, and enable or disable the network
protocols (such as TCP/IP and named pipes) on which SQL Server listens.
Command prompt utilities are provided to perform many tasks. These are
provided primarily to allow automation through scripting. The sqlcmd utility
allows you to type Transact-SQL commands interactively at a prompt or to run a
script file against a SQL Server. The older osql utility does the same and is
still included with SQL Server 2008, but it is deprecated in favor of sqlcmd.


For more information about SQL Server 2008 management tools, see
Features and Tools Overview (SQL Server 2008) on the MSDN Web site
at http://go.microsoft.com/fwlink/?LinkID=165686&clcid=0x409.
High-level steps:
1. Open SQL Server Management Studio.
2. Review the list of databases.
3. Review the properties of a database.
4. Review the authentication mode settings.
5. Review the instance level security accounts.
6. Review the database level security accounts.

How SQL Server Uses Transaction Logs

Key Points
Each unit of work performed in a SQL Server 2008 database is referred to as a
transaction. A transaction may have multiple steps, such as modifying multiple
tables. For example, a transaction may remove money from one account and then
add money to another account. Either all steps in the transaction must be
completed, or none of them must be. To guarantee this and prevent
inconsistent databases, SQL Server 2008 uses write-ahead transaction logs.
Each database has a transaction log. Every change made by a transaction is
written to the transaction log before the corresponding data page is written to
the database files. If there is a failure during a transaction, such as a power
failure or disk error, SQL Server uses the log when the database restarts to roll
forward committed transactions that had not reached the data files and to roll
back transactions that never committed, so that the database stays consistent.
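The account transfer described above, as an added example that is not part of
the course material: a Transact-SQL transaction in which the second step fails,
so the first step is rolled back rather than left applied on its own. The
Accounts table, its two rows, and the account numbers are constructed for this
example.

```sql
-- Added example (not from the course): an all-or-nothing transfer between accounts.
-- The table and its rows are constructed sample data.
CREATE TABLE dbo.Accounts (
    AccountId INT PRIMARY KEY,
    Balance   MONEY NOT NULL CONSTRAINT CK_Accounts_Balance CHECK (Balance >= 0)
);
INSERT INTO dbo.Accounts (AccountId, Balance) VALUES (1, 100.00), (2, 50.00);

-- Account 99 does not exist, so the deposit step will fail after the withdrawal
-- has already been applied inside the open transaction.
DECLARE @From INT = 1, @To INT = 99, @Amount MONEY = 30.00;

BEGIN TRY
    BEGIN TRANSACTION;

    -- Step 1: withdraw. The CHECK constraint rejects an overdraft.
    UPDATE dbo.Accounts SET Balance = Balance - @Amount WHERE AccountId = @From;
    IF @@ROWCOUNT = 0 RAISERROR('Source account %d not found', 16, 1, @From);

    -- Step 2: deposit. Updating zero rows is not an error on its own, so raise one.
    UPDATE dbo.Accounts SET Balance = Balance + @Amount WHERE AccountId = @To;
    IF @@ROWCOUNT = 0 RAISERROR('Destination account %d not found', 16, 1, @To);

    -- Both steps succeeded: make them durable together.
    COMMIT TRANSACTION;
END TRY
BEGIN CATCH
    -- Any error between BEGIN and COMMIT (our RAISERROR, a constraint violation,
    -- a deadlock) lands here with the transaction still open. Roll it back so
    -- that the withdrawal from step 1 is undone.
    IF XACT_STATE() <> 0 ROLLBACK TRANSACTION;
    SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS ErrorMessage;
END CATCH;

-- Both balances are as they were before the transaction started.
SELECT AccountId, Balance FROM dbo.Accounts;
```

With the transfer directed at account 99, the withdrawal is written to the
transaction log and applied, the deposit raises an error, and the CATCH block
rolls the whole transaction back; the final query shows both balances unchanged.
Change @To to 2 and both updates commit as one unit.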
You can set a recovery model for a database that controls how logging is
performed. These are called recovery models because they control how you
perform recovery from a backup and how you perform backups.
The recovery models for SQL Server 2008 are:
Simple recovery. In this model the transaction log is reused automatically.
Once a transaction has committed and its changes have been written to the data
files at a checkpoint, the log records for that transaction can be overwritten.
The main benefit of the simple recovery model is that less disk space is used by
the transaction log and no log backups need to be taken. However, log backups are
not possible, so recovery is limited to the point in time of the last full or
differential backup.
Full recovery. This model keeps all log records until they are backed up by a
transaction log backup. This uses more disk space than the simple recovery
model, and the log will grow without limit if log backups are not taken, but it
allows you to restore the database to the point of failure or to a specific
earlier point in time. First, you restore the database backup, and then you
replay the transaction log backups, stopping at a specific point in time if
desired.
Bulk-logged recovery. This model is a temporary variant of full recovery that is
used while a large number of bulk operations are being performed, typically as
part of a maintenance routine or data import. Bulk operations are logged
minimally, which saves log space, but a log backup that contains bulk operations
can be restored only in its entirety, not to a specific point in time.


For more information about recovery models in SQL Server 2008,
see Recovery Model Overview on the MSDN Web site at
http://go.microsoft.com/fwlink/?LinkID=165687&clcid=0x409.

Backup and Restore Options for SQL Server

Key Points
Databases are not backed up in the same way as the file system of a server. SQL
Server has its own backup types, which resemble full, incremental, and
differential file backups. However, each of these types works with the database
and the transaction log rather than copying files.
When the full recovery model is being used, you have the following options for
backup:
Full backup. When you perform a full backup, all of the data in the database is
backed up, together with enough of the transaction log to make the backup
consistent. A full backup does not truncate the transaction log.
Transaction log backup. This is the SQL Server equivalent of an incremental
backup. When you perform a transaction log backup, only the log records written
since the previous log backup are backed up. The transaction log is truncated
after it is backed up, which frees up space in the log file; in the full
recovery model, this is the only operation that does so. If you are performing a
daily transaction log backup, each backup includes a single day of transactions.
Differential backup. When you perform a differential backup, only the data pages
that have changed since the last full backup are backed up. The transaction log
is not involved and is not truncated. Each differential backup grows until the
next full backup: the differential backup taken on day two contains the changes
from day one and day two.

When the simple recovery model is being used, it is not possible to perform
transaction log backups, because the log is reused automatically and contains
only current transactions. You can perform full and differential backups on a
database that uses the simple recovery model.
When you recover a SQL database, you first restore the last full backup, then the
most recent differential backup (if one exists), and then each transaction log
backup taken after it, in order; the transaction logs are replayed to bring the
database up to a current state. Replaying transaction logs reapplies the
transactions to the database. If any transaction log backup is missing or
corrupt, the chain is broken, the replay stops, and you cannot recover past that
point.
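The recovery models and the backup and restore sequence described above, as an
added example that is not part of the course material: a Transact-SQL backup
chain for a database assumed to be named AppDB, written to an assumed folder
D:\SQLBackup, followed by the restore sequence that replays it after a data-file
failure. The STOPAT timestamp is a placeholder for the moment just before the
damage you want to undo.

```sql
-- Added example (not from the course): a full recovery model backup chain and
-- the restore that replays it. AppDB and D:\SQLBackup are assumed names.

-- 1. Log backups are possible only in the full (or bulk-logged) recovery model.
ALTER DATABASE AppDB SET RECOVERY FULL;
SELECT name, recovery_model_desc, log_reuse_wait_desc
FROM sys.databases WHERE name = 'AppDB';

-- 2. Start the chain with a full backup. This does NOT truncate the log.
BACKUP DATABASE AppDB TO DISK = 'D:\SQLBackup\AppDB_Full.bak' WITH INIT, CHECKSUM;

-- 3. Frequent log backups: each one truncates the log records it has captured.
BACKUP LOG AppDB TO DISK = 'D:\SQLBackup\AppDB_Log1.trn' WITH INIT, CHECKSUM;
BACKUP LOG AppDB TO DISK = 'D:\SQLBackup\AppDB_Log2.trn' WITH INIT, CHECKSUM;

-- 4. A differential backup captures data pages changed since the last full
--    backup. It shortens the restore but does not touch the log.
BACKUP DATABASE AppDB TO DISK = 'D:\SQLBackup\AppDB_Diff.bak'
    WITH DIFFERENTIAL, INIT, CHECKSUM;
BACKUP LOG AppDB TO DISK = 'D:\SQLBackup\AppDB_Log3.trn' WITH INIT, CHECKSUM;

-- 5. Check that the media can actually be read back.
RESTORE VERIFYONLY FROM DISK = 'D:\SQLBackup\AppDB_Full.bak' WITH CHECKSUM;

-- 6. After a data-file failure: first capture the "tail" of the log, the
--    transactions not yet in any log backup. NO_TRUNCATE lets this run even
--    though the data file is damaged, which is why the course recommends
--    keeping data and log files on separate physical disks.
BACKUP LOG AppDB TO DISK = 'D:\SQLBackup\AppDB_Tail.trn'
    WITH NO_TRUNCATE, NORECOVERY, INIT;

-- 7. Restore full, then the latest differential, then every log backup taken
--    after it, leaving the database in NORECOVERY until the last step. The
--    chain stops at the first missing or damaged log backup.
RESTORE DATABASE AppDB FROM DISK = 'D:\SQLBackup\AppDB_Full.bak' WITH NORECOVERY, REPLACE;
RESTORE DATABASE AppDB FROM DISK = 'D:\SQLBackup\AppDB_Diff.bak' WITH NORECOVERY;
RESTORE LOG AppDB FROM DISK = 'D:\SQLBackup\AppDB_Log3.trn' WITH NORECOVERY;
-- STOPAT replays the final log only up to the given time (placeholder value),
-- for example to stop just before an accidental DELETE.
RESTORE LOG AppDB FROM DISK = 'D:\SQLBackup\AppDB_Tail.trn'
    WITH STOPAT = '2010-04-09 14:30:00', RECOVERY;
```

Because the differential backup in step 4 covers everything since the full
backup, AppDB_Log1 and AppDB_Log2 are not needed for this restore; only the log
backups taken after the differential are replayed. Omit the STOPAT clause to
recover to the point of failure instead of to a specific time.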
Support Considerations for SQL Server

Key Points
Some considerations for supporting SQL server are:
The transaction log file does not shrink in size automatically. When you truncate
a transaction log, the file size stays the same, but the space inside the file is
marked as reusable. You can manually shrink the file if required, but a log that
is shrunk below the size it needs will simply grow again.
The database file does not shrink in size automatically by default. When you
delete data from a database, the file size stays the same, but the space inside
the file is freed for reuse. You can manually shrink the file if required. The
AUTO_SHRINK database option exists, but it is off by default and is not
recommended because repeated shrinking and regrowing fragments the files.
To enhance recoverability, use the full recovery model. If you use the simple
recovery model, then you can only restore back to the point in time of the last
backup.
To enhance recoverability, store database files on a separate physical disk from
transaction logs. Then if the disk holding the data files is lost or corrupted,
you can back up the tail of the transaction log, restore the database, and
replay the transaction logs up to the point of failure.
When using transaction log backups, ensure that your backup system is reliable.
A missing or corrupted log backup breaks the log chain and stops the replay of
all later transactions, which could result in losing data from multiple days.
Use a maintenance plan to automatically backup databases. A maintenance
plan in SQL Server 2008 allows you to create a schedule for database backups
and maintenance.
If your backup software does not have an agent for SQL Server, configure SQL
Server 2008 to backup the database to a file on disk that can be backed up by
your backup software. This avoids the need to stop the database for backups,
which would impact application availability.
The database for an application is only one part of the application. Consider all
servers that are part of an application when performing backups. For example,
an application on a Web front-end server may need to be the correct version to
work with a database that has been restored. This could be an issue after a
recent upgrade.
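The support checks listed above, as an added example that is not part of the
course material: a Transact-SQL script that shows why a log is not being reused,
how much of each file is actually in use, and when each database was last
backed up, before shrinking anything. AppDB, its logical log file name AppDB_log,
and the folder D:\SQLBackup are assumed names.

```sql
-- Added example (not from the course): diagnose log growth and backup gaps
-- before reaching for DBCC SHRINKFILE. AppDB and D:\SQLBackup are assumed names.

-- 1. Why is each log not being reused? NOTHING means it is fine. LOG_BACKUP means
--    the database uses the full recovery model and nobody is taking log backups,
--    the usual cause of a log file that fills the disk.
SELECT name, recovery_model_desc, log_reuse_wait_desc
FROM sys.databases;

-- 2. Physical size versus space actually in use, per file, for AppDB.
--    Sizes are stored in 8 KB pages, hence the conversion to megabytes.
USE AppDB;
SELECT name, type_desc, physical_name,
       size * 8 / 1024                              AS SizeMB,
       FILEPROPERTY(name, 'SpaceUsed') * 8 / 1024   AS UsedMB
FROM sys.database_files;

-- 3. Last backup of each type, from the backup history that msdb keeps.
--    A full-recovery database with no recent 'L' row is quietly accumulating
--    transactions that exist in exactly one place.
SELECT d.name, d.recovery_model_desc,
       MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) AS LastFull,
       MAX(CASE WHEN b.type = 'I' THEN b.backup_finish_date END) AS LastDiff,
       MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) AS LastLog
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b ON b.database_name = d.name
WHERE d.database_id > 4            -- skip master, tempdb, model and msdb
GROUP BY d.name, d.recovery_model_desc;

-- 4. Shrinking releases space only after the log has been backed up (and so
--    truncated). Shrink to a sensible working size in MB, not to zero, or the
--    file simply regrows with the next large transaction.
BACKUP LOG AppDB TO DISK = 'D:\SQLBackup\AppDB_Log.trn' WITH INIT, CHECKSUM;
DBCC SHRINKFILE (AppDB_log, 512);
```

Step 1 across all databases and step 3 are worth scheduling as a regular report;
steps 2 and 4 are one-off actions for a database whose log has already filled
its disk.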

Lesson 4
Deploying Client Applications

When you deploy a new operating system, you need to consider application
compatibility with that operating system. Even when a new operating system is not
being used, each organization needs to determine the best way to deploy
applications. In this lesson, you will learn about these topics and learn how to
deploy an application by using Group Policy.
Objectives
After completing this lesson, you will be able to:
Describe considerations for application compatibility.
Describe the methods for deploying applications.
Deploy an application by using Group Policy.

Considerations for Application Compatibility

Key Points
For commercial software, the best way to ensure that a desktop application is
compatible with a new desktop operating system is to verify with the application
vendor. If the application is supported on the new operating system, then you can
safely use it with the new operating system. If the application is not supported, it
may still work, but you should do extensive testing. Alternatively, you can wait for
the vendor to provide an updated version of the application for the new operating
system.
To simplify, Microsoft provides a list of applications that are compatible with
Windows Vista and Windows 7 on the TechNet Web site. This is an alternative to
verifying individually with each vendor.
If an application has been developed internally or was custom developed, then you
can use the Application Compatibility Toolkit (ACT) to identify and resolve
compatibility issues before deploying a new operating system. ACT assists in the
collection of application inventory data. Then you can use ACT to organize and
analyze compatibility issues that are identified. After issues are identified, you can
test and verify that compatibility issues exist and attempt to mitigate them. ACT
also includes tools to monitor how applications behave on test computers.
Some applications have compatibility problems with User Account Control (UAC)
in Windows Vista and Windows 7. The Standard User Analyzer (SUA) tool in ACT
helps to identify these issues. SUA can also generate a mitigation for UAC-related
problems and save it as an MSI file that installs a compatibility fix. Compatibility
Administrator is the ACT tool for creating and managing custom compatibility
databases (.sdb files), which are installed on other computers in your organization
with sdbinst.exe. Treat these databases like any other installed code: a shim
changes how an executable runs, so deploy them only from a controlled source and
keep an inventory of what is installed on each computer.
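The following function is an added example, not part of the course or of ACT, that inventories the compatibility databases registered on a computer so that mitigations rolled out from SUA or Compatibility Administrator can be tracked and a database nobody deployed stands out. It is read-only and reads the registry keys that sdbinst.exe writes; the remote computer name is an assumption (the Remote Registry service must be running there).

```powershell
# Added example (not from the course): list installed compatibility (shim) databases.
# Reads HKLM\...\AppCompatFlags\InstalledSDB (the databases) and \Custom (which
# executables they are attached to). Computer name is an assumption.
function Get-InstalledShimDatabase {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $base = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)

    # Custom\<exe name>\ holds one value per attached database, named {GUID}.sdb
    $byDb   = @{}
    $custom = $hklm.OpenSubKey("$base\Custom")
    if ($custom) {
        foreach ($exe in $custom.GetSubKeyNames()) {
            $k = $custom.OpenSubKey($exe)
            foreach ($v in $k.GetValueNames()) {
                $id = $v -replace '\.sdb$', ''
                if ($byDb.ContainsKey($id)) { $byDb[$id] += @($exe) } else { $byDb[$id] = @($exe) }
            }
        }
    }

    # InstalledSDB\{GUID} describes each database sdbinst registered
    $installed = $hklm.OpenSubKey("$base\InstalledSDB")
    if (-not $installed) { return @() }
    foreach ($id in $installed.GetSubKeyNames()) {
        $k    = $installed.OpenSubKey($id)
        $path = [string]$k.GetValue('DatabasePath')
        $ts   = $k.GetValue('DatabaseInstallTimeStamp')        # FILETIME stored as a QWORD
        $installedOn = $null
        if ($ts) { $installedOn = [DateTime]::FromFileTime([int64]$ts) }
        New-Object PSObject -Property @{
            Computer         = $ComputerName
            DatabaseId       = $id
            Description      = [string]$k.GetValue('DatabaseDescription')
            Path             = $path
            InstalledOn      = $installedOn
            # sdbinst copies databases under %SystemRoot%\AppPatch\Custom; one living
            # elsewhere, or whose file is gone, deserves a closer look.
            InExpectedFolder = ($path -like '*\AppPatch\Custom*')
            FileExists       = (Test-Path $path)
            Executables      = ($byDb[$id] -join ', ')
        }
    }
}

# Usage:
# Get-InstalledShimDatabase | Format-Table DatabaseId, Description, InExpectedFolder, Executables -AutoSize
```

A database is installed with sdbinst.exe -q <file>.sdb and removed with sdbinst.exe -u <file>.sdb; the MSI that SUA exports wraps that installation. Running the inventory across the estate and comparing it with the list of databases you actually deployed is the check that turns a compatibility feature into something you can audit.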

For more information about application compatibility, see the
Application Compatibility page on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=165693&clcid=0x409.

Application Deployment Methods

Key Points
Traditionally, applications were deployed by going from computer to computer
with a CD-ROM and installing the application manually by running setup.
However, this was a time consuming process and led to non-standard
configurations because each technician performing the software install may have
been selecting different options.
Other ways to deploy applications include:
Inclusion in an operating system image. When applications are included in
an operating system image, they do not need to be installed after a computer
is imaged. However, this is only suitable for applications that are deployed to
all users. It also does not address the need to update applications when
updates become available.
Group Policy. You can deploy applications by including them in a GPO that is
linked to a site, domain, or OU and applied to users or computers. The application
must be packaged as an MSI file. You can add transform files (MST) to customize
the installation and patch files (MSP) to update existing applications. Packages
assigned to computers are installed by Windows Installer with system privileges on
every target computer, so the distribution share must be readable by those
computers but writable only by the administrators who publish packages. This
is a good option for small and mid-sized organizations to deploy applications.
Larger organizations should consider System Center Configuration Manager
for easier manageability and additional features.
System Center Essentials. This product is designed to help manage clients
and servers for mid-sized organizations with up to 500 clients and 30 servers.
It is a centralized solution for software inventory, hardware inventory, health
monitoring, issue resolution, software deployment, and Windows update
deployment. For application deployment, it can deploy non-MSI applications
and control the installation of applications.
System Center Configuration Manager. System Center Configuration
Manager is an enterprise-level tool for managing the configuration of clients
and servers. It is a centralized solution for software inventory, hardware
inventory, software deployment, operating system deployment, Windows
update deployment, and computer configuration.
Application Virtualization (App-V). This product allows applications to be
delivered to a computer without being installed on that computer. Application
components are delivered to the computer on demand as required to speed up
delivery of the applications. The environment for the application is virtualized
to eliminate conflicts between applications such as DLL version
incompatibility. Application updates are performed centrally and used by each
computer the next time the application is used.
Terminal Services. This Windows Server 2008 role runs applications centrally
on a server. Only screen draw commands are sent to the client computer. This
gives acceptable performance over slow links and allows you to centrally
control the application. Users can access either a full desktop remotely or just
the application in its own window.


For more information about System Center Essentials, see the System
Center Essentials 2007 SP1 Overview white paper on the TechNet Web
site at http://go.microsoft.com/fwlink/?LinkID=89185.

For more information about the capabilities of System Center
Configuration Manager, see Capabilities on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=165689&clcid=0x409.

For more information about Application Virtualization, see Microsoft
Application Virtualization 4.5 Release to Manufacturing on the
Microsoft Web site at http://go.microsoft.com/fwlink
/?LinkID=165691&clcid=0x409.
Demonstration: Deploying an Application by Using Group
Policy

Key Points
High-level steps:
1. Open Group Policy Management.
2. Create a new GPO.
3. Add the application to the new GPO.
4. Test delivery of the application.
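The script below is an added example, not part of the course, that covers the preparation work behind the Group Policy deployment method and the demonstration steps above: it checks the package before publishing it, builds a distribution share with least-privilege NTFS and share permissions, and creates and links a dedicated GPO (rather than editing the Default Domain Policy). The package path, share name, GPO name and OU are assumptions, and it assumes the GroupPolicy PowerShell module from Windows Server 2008 R2 or RSAT. There is no cmdlet for adding a Software Installation package, so that last step stays in GPMC.

```powershell
# Added example (not from the course): prepare a GPSI distribution point and GPO.
# Assumptions: run as a domain administrator; GroupPolicy module available; the
# paths, share, GPO and OU names below are illustrative.
param(
    [string]$Msi            = 'D:\Labfiles\Mod05\CalcPlus.msi',
    [string]$ShareRoot      = 'C:\Packages',
    [string]$ShareName      = 'Packages$',
    [string]$GpoName        = 'Deploy CalcPlus',
    [string]$TargetOU       = 'OU=Workstations,DC=adatum,DC=com',
    [string]$ExpectedSha256 = ''      # hash obtained from the vendor out of band, if any
)

# 1. Know what you are publishing. An assigned package runs under the Windows
#    Installer service with system privileges on every target computer, so check
#    the signature and hash before the file goes anywhere a computer account reads.
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid') {
    Write-Warning ("{0}: Authenticode status is {1}" -f $Msi, $sig.Status)
}
$stream = [System.IO.File]::OpenRead($Msi)
try {
    $hash = [System.BitConverter]::ToString(
        [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)) -replace '-', ''
} finally { $stream.Close() }
if ($ExpectedSha256 -and $hash -ne $ExpectedSha256) {
    throw "SHA-256 of $Msi ($hash) does not match the expected value; not publishing."
}

# 2. Distribution point: computers and users read, only administrators write. Both
#    NTFS and share permissions are set because the more restrictive of the two applies.
if (-not (Test-Path $ShareRoot)) { New-Item -ItemType Directory -Path $ShareRoot | Out-Null }
icacls $ShareRoot /inheritance:r /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'NT AUTHORITY\Authenticated Users:(OI)(CI)RX' | Out-Null
Copy-Item -Path $Msi -Destination $ShareRoot -Force
if (-not (Get-WmiObject Win32_Share -Filter "Name='$ShareName'")) {
    net share "$ShareName=$ShareRoot" "/GRANT:Authenticated Users,READ" "/GRANT:Administrators,FULL" | Out-Null
}
$uncPath = '\\{0}\{1}\{2}' -f $env:COMPUTERNAME, $ShareName, (Split-Path $Msi -Leaf)

# 3. A dedicated GPO linked to the OU that holds the target computers. The package is
#    then added in GPMC under Computer Configuration > Policies > Software Settings >
#    Software Installation, using the UNC path: it is the clients that must open it.
Import-Module GroupPolicy
New-GPO -Name $GpoName -Comment "Assigns $(Split-Path $Msi -Leaf) from $uncPath" | Out-Null
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
"Package to add in GPMC: $uncPath  (SHA-256 $hash)"
```

On a client, run gpupdate /force, reboot if the package is assigned to the computer, and confirm with gpresult /r that the GPO was applied; installation activity is recorded in the Application event log under the Application Management Group Policy and MsiInstaller sources.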

Lesson 5
Planning Terminal Services

Terminal Services is a solution for providing users with access to applications
remotely. Windows Server 2008 includes features that significantly enhance
Terminal Services functionality for local and remote users. When you implement
Terminal Services, the licensing for both Terminal Services and the applications
must be carefully planned.
Objectives
After completing this lesson, you will be able to:
Describe the purpose of Terminal Services.
Describe the new Terminal Services features in Windows Server 2008.
Describe the considerations for using Terminal Services licensing.
Describe considerations for using Terminal Services.

What Is Terminal Services?

Key Points
Terminal Services is a Windows Server 2008 role that provides access to
applications that run centrally on a server. When clients connect to a Terminal
Server the amount of network traffic is very small. All application processing
occurs on the Terminal Server. The Terminal Server sends screen draw commands
to the client and the client sends mouse and keyboard input to the Terminal
Server.
The client accessing a terminal server can be a desktop computer running the
Remote Desktop client or a Windows terminal. A Windows terminal is a device
that only runs the Remote Desktop client and does not provide functionality to run
other applications.
When the Remote Desktop client is used to access a Terminal Server, drive and
printer redirection can be enabled. Drive redirection allows the remote client to
save files from the Terminal Server to a local disk on the client. Printer redirection
allows the remote client to print from Terminal Server applications and have the
print job produced on a local printer. Each redirection channel (drives, clipboard,
printers, COM and LPT ports) is also a path for moving data off the server, so
enable only the channels that users need and disable the rest, either in the
listener configuration on the server or through Group Policy.
A client connected to a terminal server can have a full desktop displayed or just a
single application window. The full desktop is useful for providing access to
remote users that need access to data and applications. The single application
window is useful for centralizing line-of-business applications in a single location.
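The function below is an added example, not part of the course, that audits a terminal server's RDP-Tcp listener against a small hardening baseline: Network Level Authentication, TLS as the security layer, the encryption level, and the redirection channels discussed above, plus the licensing mode. The registry value names are the documented Terminal Services settings; a value set under the Policies key takes precedence over the listener value, so the audit reads it first. Run it elevated on the terminal server; the -Fix switch writes only the listener values that policy does not already enforce, and those apply to new connections.

```powershell
# Added example (not from the course): audit and optionally fix RDP-Tcp listener
# hardening and report the licensing mode. Run elevated on the terminal server.
function Test-TerminalServerHardening {
    param([switch]$Fix)

    $listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Value name, minimum acceptable value, reason. Printer redirection (fDisableCpm)
    # is left alone because Easy Print is usually wanted; add it if it is not.
    $baseline = @(
        @{ Name = 'UserAuthentication'; Want = 1; Why = 'Require NLA: no session or logon screen for unauthenticated clients' },
        @{ Name = 'SecurityLayer';      Want = 2; Why = 'TLS for the listener so clients can verify the server certificate' },
        @{ Name = 'MinEncryptionLevel'; Want = 3; Why = 'High (128-bit both directions); 4 = FIPS' },
        @{ Name = 'fDisableCdm';        Want = 1; Why = 'No drive redirection unless users must save files locally' },
        @{ Name = 'fDisableClip';       Want = 1; Why = 'No clipboard redirection on servers holding sensitive data' },
        @{ Name = 'fDisableCcm';        Want = 1; Why = 'No COM port redirection' },
        @{ Name = 'fDisableLPT';        Want = 1; Why = 'No LPT port redirection' }
    )

    foreach ($b in $baseline) {
        $have = $null; $source = 'Absent'
        $p = Get-ItemProperty -Path $policy -Name $b.Name -ErrorAction SilentlyContinue
        if ($p -ne $null) { $have = $p.($b.Name); $source = 'Policy' }
        else {
            $l = Get-ItemProperty -Path $listener -Name $b.Name -ErrorAction SilentlyContinue
            if ($l -ne $null) { $have = $l.($b.Name); $source = 'Listener' }
        }
        $compliant = ($have -ne $null) -and ([int]$have -ge $b.Want)
        if (-not $compliant -and $Fix -and $source -ne 'Policy') {
            Set-ItemProperty -Path $listener -Name $b.Name -Value $b.Want -Type DWord
            $have = $b.Want; $source = 'Listener (fixed)'; $compliant = $true
        }
        New-Object PSObject -Property @{
            Setting = $b.Name; Source = $source; Current = $have; Minimum = $b.Want
            Compliant = $compliant; Note = $b.Why
        }
    }

    # Licensing mode from the Terminal Services WMI provider: 2 = per device,
    # 4 = per user; anything else means the 120-day grace period is the only thing
    # keeping clients connected.
    $ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TerminalServiceSetting `
        -Authentication PacketPrivacy -ErrorAction SilentlyContinue
    if ($ts) {
        $modes = @{ 0 = 'Personal'; 1 = 'Remote administration'; 2 = 'Per device'; 4 = 'Per user'; 5 = 'Not configured' }
        New-Object PSObject -Property @{
            Setting = 'LicensingType'; Source = 'WMI'; Current = $modes[[int]$ts.LicensingType]
            Minimum = 'Per device or Per user'
            Compliant = ($ts.LicensingType -eq 2 -or $ts.LicensingType -eq 4)
            Note = 'An unlicensed terminal server stops accepting connections after 120 days'
        }
    }
}

# Usage: report only, or apply the listener values that policy does not already set.
# Test-TerminalServerHardening | Format-Table Setting, Source, Current, Minimum, Compliant -AutoSize
# Test-TerminalServerHardening -Fix
```

Settings reported with Source = Policy can only be changed in the GPO that sets them, which is the point: put the baseline in Group Policy for every terminal server and use the audit to catch servers that have drifted or were built outside it.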

For detailed information about Terminal Services, see Terminal
Services in Windows Server 2008 on the TechNet Web site
http://go.microsoft.com/fwlink/?LinkID=165694&clcid=0x409.

New Terminal Services Features in Windows Server 2008

Key Points
Terminal Services in Windows Server 2008 has been updated with many useful
features. Some of the new features are:
Single sign-on. This simplifies logon over internal networks by allowing the
credentials from a client computer to be passed automatically to the terminal
server. When used with a single application window, it makes the process
similar to opening a local application. Because the client delegates its
credentials (through CredSSP), allow delegation only to the terminal servers
you manage, by listing them in the credential delegation Group Policy setting.
Easy Print. This simplifies printing to printers attached to the client computer.
It avoids the need to install printer drivers on the terminal server that match the
printer on the client computer. All print jobs are created in XPS format on the
Terminal Server and rendered for the appropriate printer locally. The client needs
Remote Desktop Connection 6.1 and the .NET Framework 3.0 SP1 for this to work.
TS RemoteApp. This allows clients to open a window with a single application
when connecting to a Terminal Server rather than an entire desktop. This
simplifies the process for users and is very useful for line-of-business
applications that have been centralized on a Terminal Server.
TS Web Access. This allows clients to begin a Terminal Services connection
from a Web page. This can be used to deploy a full desktop terminal services
experience or RemoteApp programs. Users can also use this functionality to
connect to their regular desktop computer when outside the office if they have
remote desktop access to it. The primary benefit is simplifying the connection
process for users.
TS Gateway. This allows clients to connect to internal terminal servers
through firewalls and network address translation (NAT). The Remote Desktop
Protocol (RDP) traffic is encapsulated in HTTPS (RPC over HTTP) on TCP port
443, so only that port needs to be opened from the Internet, and the gateway
must have a server certificate that the clients trust. Connection authorization
policies (TS CAPs) define which users and computers may connect through the
gateway, and resource authorization policies (TS RAPs) define which internal
computers they may reach. This is often used together with TS Web Access for
remote users over the Internet.
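The function below is an added example, not part of the course, that checks the certificate a TS Gateway presents on TCP port 443 the way a Remote Desktop client will judge it: the chain must build to a trusted root with revocation checked, the certificate must not be expired, and one of its names must match the FQDN users connect to. It needs PowerShell 2.0 or later, and the gateway name in the usage line is an assumption.

```powershell
# Added example (not from the course): validate the TLS certificate of a TS Gateway
# from a client's point of view. Gateway name is an assumption.
function Test-TSGatewayCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$GatewayFqdn,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($GatewayFqdn, $Port)
    try {
        # Accept the handshake unconditionally; every check is made explicitly below so
        # that all problems are reported instead of the first one aborting the connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($GatewayFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Build the chain against this computer's trust store with online revocation
    # checking, which is what the Remote Desktop client does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Names the certificate is valid for: subject CN plus the DNS entries of the
    # Subject Alternative Name extension (OID 2.5.29.17).
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += @($san.Format($false) -split ',\s*' | ForEach-Object { $_ -replace '^DNS Name=', '' })
    }
    $nameOk = $false
    foreach ($n in $names) {
        if ($n -eq $GatewayFqdn) { $nameOk = $true }
        elseif ($n.StartsWith('*.') -and $GatewayFqdn -like $n -and
                $GatewayFqdn.Split('.').Count -eq $n.Split('.').Count) { $nameOk = $true }  # one label only
    }

    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        DnsNames     = ($names -join ', ')
        ChainTrusted = $chainOk
        ChainStatus  = $status
        NameMatches  = $nameOk
        Ok           = ($chainOk -and $nameOk -and $cert.NotAfter -gt (Get-Date))
    }
}

# Usage (gateway name assumed):
# Test-TSGatewayCertificate -GatewayFqdn 'gateway.adatum.com' | Format-List
```

Run it from a computer that is not domain joined as well: a certificate issued by an internal CA chains fine inside the office and fails for exactly the Internet clients the gateway exists to serve, which is the case for a certificate from a public CA or for distributing the internal root to those clients.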

Considerations for Terminal Services Licensing

Key Points
Terminal Services requires client access licenses (TS CALs) in addition to the
CALs required for accessing Windows. TS CALs can be per device or per user.
Roaming users often access a terminal server from many devices. In such a
case, per user licensing is more cost effective. For internal computers that are
shared by multiple users and that access a line-of-business application, per device
CALs will be more cost effective.
Each Terminal Server must be configured to use per user or per device licensing. A
single Terminal Server cannot mix the two licensing modes. To use both per user
and per device licensing, you must have at least two Terminal Servers.
Application licensing is also a concern. When an application is installed on a client
computer, it is used by a single person at a time that typically requires a single
license fee. On a Terminal Server, the licensing varies depending on the policies of
the vendor. Some vendors include the rights to access an application by using
Terminal Services when a license has already been obtained for users on a desktop
computer. Some vendors require an application license to be purchased for each
concurrent user on a Terminal Server. Other vendors require an application license
to be purchased for every potential Terminal Server user.

Note: When a Terminal Server is installed, it will function for 120 days without
communicating with a licensing server. However, after 120 days, a Terminal Server will
stop allowing connections.

Considerations for Using Terminal Services

Key Points
When planning for the Terminal Services role, keep the following considerations in
mind:
Use Terminal Services to provide remote offices with access to centralized
applications. Accessing an application or data by using Terminal Services has
much better performance over a wide area network (WAN) than remotely
accessing the application's data from a locally installed copy.
Use Terminal Services to provide remote users with access to data and
applications. Accessing an application or data by using Terminal Services has
much better performance than running a locally installed application over a VPN.
Centralize the deployment of line-of-business applications on a Terminal
Server. It is much easier to update a central copy of an application on a
Terminal Server than on multiple client computers.
Use RemoteApp to simplify access to applications on a terminal server. This
provides users with a desktop icon that is simpler to understand than using a
full Remote Desktop.
Use TS Gateway and TS Web Access to support clients over the
Internet. The combination of these two features ensures that clients can access
Terminal Services applications from anywhere with an Internet connection,
even when the only access allowed is through a Web proxy.
Consider allowing remote users to remotely connect to their own desktop
computers. This provides users with a familiar environment and ensures that
all of their necessary applications are available.
Be aware that the loss of a Terminal Server will affect many users. Use network
load balancing and TS Session Broker to provide high availability for Terminal
Services.

Lab: Planning Application Servers


Note: Your instructor may run this lab as a class discussion.
A. Datum has recently identified the need to implement new applications to meet
the needs of a growing organization. The first is a portal for collaborating on
projects. Windows SharePoint Services has been selected for this purpose. The
second need is a new financial application that will be deployed by using Terminal
Services.
Exercise 1: Creating a Plan for Application Servers
Scenario
You have been tasked with creating a plan for implementing Windows SharePoint
Services for collaboration and Terminal Services to support a financial application.
You determine how these application servers will be implemented based on
requirements provided by the IT manager.
Supporting Documentation
E-mail thread of correspondence with Allison Brown:
Gregory Weber
From: Allison Brown [Allison@adatum.com]
Sent: 30 July 2009 14:25
To: Gregory@adatum.com
Subject: Group Policy implementation
Greg,
As we discussed in the meeting this morning, I'd like you to take the lead on
planning our implementation of the new application servers.
The first application server is for Windows SharePoint Services. We are
implementing this only as a pilot project at this point. A new server
(sharepoint.adatum.com) has been allocated for this task and has SQL Server 2008
Express already installed with an instance named SQLEXPRESS. If we move this
project out of the pilot phase, then we'll consider updates for better performance.
Windows SharePoint Services creates two Web sites on the server. One Web site is
for managing WSS and the other is for accessing content. The content that users
enter for the pages is stored in the SQL Server database.
Some of the things I need your input on are:
What server roles and features do you think will be required?
Do you have any concerns about hardware specifications?
What sort of maintenance schedule will this application require?
How will we ensure that this server and application are secure?
How can we simplify access to this application for internal users?
How should this be backed up?
The second application server is a Terminal Server that will be used by the new
financial application. This is also a pilot project that we need to test before rolling it
out to other users.
Some of the users are at head office and some others are at remote branches that
will be accessing over the WAN. I really need your input as to what benefits using
Terminal Services provides to us. I have to admit, I'm not entirely clear as to why
we want to do it this way. However, the vendor recommended it.
In addition, I need your input on:
Are there any benefits to using Windows Server 2008 for Terminal Services
rather than Windows Server 2003 in our scenario?
What are our licensing requirements?
What will the overall system look like from a user perspective when it is
implemented?
Let me know if you require any clarification.
Regards
Allison

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create a plan for implementing Windows SharePoint Services.
3. Create a plan for implementing Terminal Services.

Task 1: Read the supporting documentation
Read the supporting documentation.
Determine if you need any more information and ask your instructor to clarify
if required.

Task 2: Create a plan for implementing Windows SharePoint Services
What server roles and features do you think will be required for implementing
WSS?
Do you have any concerns about hardware specifications for the WSS server?
How can increasing workloads be accommodated?
What sort of maintenance schedule will WSS require?
How will we ensure that this server and WSS are secure?
How can we simplify access to WSS for internal users?
How should WSS be backed up?
Task 3: Create a plan for implementing Terminal Services
What are the benefits of using Terminal Services for the financial application?
Are there any drawbacks to using Terminal Services?
Are there any benefits to using Windows Server 2008 for Terminal Services
rather than Windows Server 2003 in our scenario?
What are our licensing requirements?
What will the overall system look like from a user perspective when it is
implemented?

Results: After this exercise, you should have created a plan for implementing WSS and
Terminal Services.

Exercise 2: Implementing Windows SharePoint Services
Scenario
After planning how WSS will be supported, you need to install it and review the
installed components. You will also perform a backup of WSS.
The main tasks for this exercise are as follows:
1. Start the virtual machines and then log on.
2. Install Windows SharePoint Services.
3. Review the Web site configuration.
4. Configure Internet Explorer for Windows Authentication.
5. Back up Windows SharePoint Services.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Minimize the Lab Launcher window.

Task 2: Install Windows SharePoint Services
1. Browse to D:\Labfiles\Mod05 and run SharePoint.exe.
2. Perform a Basic installation.
3. When installation is complete, run the SharePoint Products and Technologies
Configuration Wizard.
4. When the configuration is complete, log on to the SharePoint site as
Adatum\Administrator with a password of Pa$$w0rd.
Question: What is the URL of the SharePoint site?
Task 3: Review the Web site configuration
1. Open Internet Information Services (IIS) Manager.
2. View the application pools.
3. View the Web sites.
4. View the Authentication for the SharePoint - 80 Web site.

Task 4: Configure Internet Explorer for Windows Authentication
1. Open the Internet Options dialog box.
2. Add http://sea-dc1 to the Local Intranet zone.
3. Use Internet Explorer to access the SharePoint site at http://sea-dc1.
Question: Were you prompted for credentials?

Task 5: Back up Windows SharePoint Services
1. Create the folder C:\SPBackup.
2. From Administrative Tools, open SharePoint 3.0 Central Administration.
3. On the Operations tab, perform a full backup of the farm to C:\SPBackup.

Results: After this exercise, you should have successfully implemented Windows
SharePoint Services and verified the configuration.

Exercise 3: Implementing Terminal Services
Scenario
After planning how Terminal Services will be supported, you need to install
Terminal Services and deploy an application by using TS RemoteApp.
The main tasks for this exercise are as follows:
1. Install Terminal Services.
2. Install the financial application.
3. Prepare the financial application for distribution as a RemoteApp program.
4. Test the new application.

Task 1: Install Terminal Services
1. On SEA-DC1, open Server Manager.
2. Add the Terminal Services role with the Terminal Server role service and the
following options:
Authentication method: Do not require Network Level Authentication
Licensing mode: Configure later
Users and groups allowed to access Terminal Server: Administrators
3. Restart the server to complete the installation.

Task 2: Install the financial application
1. On SEA-DC1, browse to D:\Labfiles\Mod05 and run CalcPlus.msi.
2. Install to the default location.
3. Make the application available to Everyone.

Task 3: Prepare the financial application for distribution as a
RemoteApp program
1. On SEA-DC1, open TS RemoteApp Manager, and then add Microsoft
Calculator Plus as a RemoteApp program.
2. Select Microsoft Calculator Plus and then Create Windows Installer
Package.
Location to save packages: C:\Program Files\Packaged Programs
Other package setting: default
Create a shortcut on the Desktop and Start menu folder in Remote
Programs
3. Share the C:\Program Files\Packaged Programs folder with default settings.
4. Use Group Policy Management to edit the Default Domain Policy and create
a new user policy for software installation:
Package: \\SEA-DC1\Packaged Programs\CalcPlus.msi
Deployment type: Assigned
Install this application at logon (in Properties or by using Advanced)

Task 4: Test the new application
1. On SEA-CL1, log on as Adatum\Administrator with a password of
Pa$$w0rd.
2. If the application shortcut does not appear on the desktop, run gpupdate and
then log on again.
3. Configure single sign-on for Terminal Services by using the local group policy
editor.
Start gpedit.msc.
Browse to Computer Configuration\Administrative Templates\System
\Credentials Delegation.
Enable Allow Delegating Default Credentials and add termsrv/SEA-
DC1.adatum.com.
4. Start the Microsoft Calculator Plus application.
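Step 3 writes a registry-backed policy. The following PowerShell is an added example, not part of the course lab, that sets the same Allow Delegating Default Credentials policy without the Group Policy editor and then reads back what was configured, which is the check you want when single sign-on unexpectedly prompts. It assumes the SPN TERMSRV/SEA-DC1.adatum.com from the lab and must run elevated on the client.

```powershell
# Added example (not part of the lab): configure credential delegation for
# Terminal Services single sign-on directly in the policy registry keys that
# gpedit.msc writes, then list the resulting server entries. The SPN below is
# an assumption taken from the lab; use your own terminal servers.
$spns = @('TERMSRV/SEA-DC1.adatum.com')   # one entry per server, FQDN preferred

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$list = Join-Path $base 'AllowDefaultCredentials'

# -Force creates the parent key as well as the server-list subkey.
New-Item -Path $list -Force | Out-Null

# Policy switch, plus "concatenate with the local defaults" as the editor sets it.
Set-ItemProperty -Path $base -Name AllowDefaultCredentials          -Type DWord -Value 1
Set-ItemProperty -Path $base -Name ConcatenateDefaults_AllowDefault -Type DWord -Value 1

# The server list is a set of REG_SZ values named 1, 2, 3 ... under the subkey.
$i = 1
foreach ($spn in $spns) {
    Set-ItemProperty -Path $list -Name $i -Type String -Value $spn
    $i++
}

# Verify: these are the servers that will receive the logged-on user's
# default credentials.
Get-ItemProperty -Path $list |
    Select-Object -Property * -ExcludeProperty PS* |
    Format-List
```

Delegating default credentials hands the logged-on user's password to the listed server, so keep the list to the fully qualified names of servers you control and prefer a per-server entry to a wildcard. The client builds the SPN from the name it connects to: if a user types sea-dc1 rather than the FQDN, TERMSRV/sea-dc1 does not match the entry above and the connection silently falls back to a credential prompt.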

Results: After this exercise, you should have successfully implemented Terminal
Services and distributed a Terminal Services application.
To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module Review and Takeaways

Review Questions
1. How can you provide access to a client server application over the Internet and
still have acceptable performance?

2. Why do you need to consider transaction logs when planning backup and
recovery for SQL Server?

3. How can you isolate Web applications so that a programming error in one
does not affect another?

Common Issues Related to Terminal Server Licensing
Identify the causes for the following common issues related to Terminal Server
licensing and fill in the troubleshooting tips. For answers, refer to relevant lessons
in the module.
Issue Troubleshooting tip
A Windows Server 2008 Terminal
Server stops allowing connections
after 120 days.

User CALs are not being consumed by
a Terminal Server.

Device CALs are not being consumed
by a Terminal Server.


Real-World Issues and Scenarios
1. A Web-based application is considered critical for your organization. How can
you increase the availability of this application?

2. Your organization does not have backup software with an agent for SQL
Server. The agent for SQL Server has been ordered, but will not arrive for
several weeks. In the meantime, how can you backup the SQL Server database
without stopping the database?

3. Your organization has implemented a Web-based application. Authentication
for this application is based on Active Directory accounts. When users access
the application, they are prompted for credentials. How can you eliminate the
prompt for credentials?

Best Practices Related to Supporting Traditional Applications
Supplement or modify the following best practices for your own work situations:
Simplify user logons by integrating authentication with Active Directory when
possible.
Use Terminal Services with RemoteApp to avoid the need to install a client
application on each computer.
Use Terminal Services to provide access to an application for roaming users or
remote offices.
Understand the business impact of an application when planning
maintenance.

Module 6
Planning File and Print Services
Contents:
Lesson 1: Planning and Deploying the File Services Role 6-3
Lesson 2: Managing Storage 6-24
Lesson 3: Planning and Implementing the Distributed File System 6-44
Lesson 4: Planning and Implementing Shared Printing 6-56
Lab: Planning File and Print Services 6-66
Module Overview

In the earliest days of networking, server computers were little more than simple
file or printer sharing devices. The term file server evolved to describe the
departmental computer to which all users connected to access their files. Over the
years, servers have evolved to provide many additional services, such as e-mail
systems, databases, and other collaborative applications; however, the need to
share files and printers is still one of the most common reasons for organizations
to implement server computers.
Objectives
After completing this module, you will be able to:
Plan and deploy the Windows Server 2008 File Services role.
Manage storage effectively.
Implement an appropriate Distributed File System infrastructure.
Implement shared printing.

Lesson 1
Planning and Deploying the File Services Role

The File Services role provides the basic features that enable you to create shared
folders and make them available in a number of ways throughout your
organization.
Objectives
After completing this lesson, you will be able to:
Describe the function of each of the File Services role services.
Implement shared folders.
Manage access to shared folders.
Describe the considerations for File Services role.
Deploy the File Services role.

What Are the File Services Role Services?

Key Points
Windows Server 2008 implements role-based deployments that enable you to
select the specific services that you want to deploy. This targeted deployment
extends to the elements that make up a role. The File Services role is comprised of
a series of separate functionalities, each of which provides a different feature set;
these functionalities are known as Role Services. The following table describes each
of the File Services Role Services.
File Server. Installs the Share and Storage Management snap-in. This tool
enables you to more easily manage shared folders and volumes.

Distributed File System. The Distributed File System (DFS) enables you to
consolidate a complex and distributed file share structure into a more
navigable and manageable entity. There are two separate elements: DFS
Namespaces and DFS Replication. You do not need to install them both. DFS
Namespaces provides the primary functionality of DFS; that is, it enables the
consolidated shared environment that users navigate and access. DFS Replication
provides the multimaster replication engine that keeps the target folders of a
namespace synchronized.

File Server Resource Manager. The File Server Resource Manager (FSRM) is a
suite of tools that enable you to configure and manage storage quotas and file
screens, and to generate storage reports.

Services for Network File System. UNIX and compatible operating systems have
different folder sharing requirements from Windows-based client computers.
Services for Network File System (NFS) provides the necessary services for UNIX
client computers to access files stored on a Windows Server 2008 server.

Windows Search Service. Windows Search Service is a new indexing solution that
aims to speed up file searches of the more common areas of the Windows Server
file system. It replaces the Indexing Service that was provided with earlier
versions of Windows Server. Although Windows Server 2008 still provides the
Windows Server 2003 Indexing Service, you cannot install both that service and
the Windows Search Service on the same server. Use the Indexing Service only
when you have a specific legacy application that requires it.
Note: The Select Role Services wizard prevents you from selecting both
components.

Windows Server 2003 File Services. Consists of two separate components: the
File Replication Service (FRS) and the Indexing Service. FRS provides file-level
synchronization between file servers that are not using DFS Replication. DFS
Replication offers many benefits over FRS, so unless you need FRS for a legacy
application, or to support integration with earlier versions of Windows Server,
consider using DFS Replication instead.
Note: By default, the SYSVOL folder is replicated by using FRS. You can migrate
your domain controllers to DFS Replication for SYSVOL provided that your
domain is at the Windows Server 2008 domain functional level.

When you decide to deploy the File Services role, you can select only the specific
role services that you need.
Managing Shared File Resources

Key Points
Public Folder Sharing
Public folder sharing provides a simple way to make your server files available to
others. Windows Server 2008 supports the use of only one Public folder for each
server computer. You can place any files that you want to make available publicly
in the Public folder. The Public folder is located at C:\Users\Public, and contains
the following subfolders:
Public Documents
Public Downloads
Public Music
Public Pictures
Public Videos

By default, Windows Server 2008 does not enable Public folder sharing. However,
files that the Public folder hierarchy stores are available to all users who have an
account on a given computer and who can log on to it locally. You cannot access
the Public folder from the network in this default configuration.

Note: Public folder sharing does not provide for granular control over permissions to
shared resources.
Basic Sharing
Basic folder sharing enables you to share a folder quickly and easily by right-
clicking the folder, and clicking Share. Although Windows creates the share name
automatically, you must define the permissions manually. The following table lists
the four simple share permissions that you can assign in this way.
Reader (NTFS permissions applied: Read and Execute, List Folder Contents,
Read). Gives read-only access.

Contributor (NTFS permissions applied: Modify, Read and Execute, List Folder
Contents, Read, Write). Allows a user or group full read and write access, but
they may not change permissions or ownership.

Owner (NTFS permissions applied: Full Control, Modify, Read and Execute, List
Folder Contents, Read, Write). The user who creates the share receives this
permission. A share has only one owner, and this permission grants full control
of the share and its contents.

Co-owner (NTFS permissions applied: the same as Owner). The share owner can
grant additional users Co-owner permission, which entitles them to the same
permission level as the Owner.

Advanced Sharing
If you want to exert more control over the sharing process, use Advanced Sharing.
When you use Advanced Sharing to share a folder, you must specify:
A share name. The default name is the folder name.
The maximum number of simultaneous connections to the folder. The default
limitation is for 16,777,216 concurrent users.
Shared folder permissions. The Everyone group has default Read permissions.
Caching options. The default caching option enables files and programs that
users select to be available offline. You can disable offline files and programs,
and configure files and programs to be available offline automatically.

To use Advanced Sharing, right-click the folder that you want to share, click
Properties, click the Sharing tab, and then click Advanced Sharing.
There are only four shared folder permission settings: Full Control, Change,
Read, and Deny.
Full Control. Allows a user or group to manage permissions and change ownership,
and gives full Read and Write access through the share.
Change. Allows Read and Write access, but no management permissions.
Read. Allows read-only access.
Deny. Explicitly denies Full Control, Change, or Read to the user or group to
which you assign it.

Share permissions normally combine to provide the highest share permissions
assignment. For example, if users receive both Change and Read permissions to a
share, their effective permission will be Change. The exception to this is the Deny
permission, which overrides any other permission.

Note: By default, Read permissions are assigned to the Everyone group.

Best Practices for Sharing Folders
Use the following guidelines to help establish and maintain your folder sharing
infrastructure.
Group files into a folder hierarchy. It is easier to share files if you have
grouped them logically; for example, place departmental data files into a
departmental folder, and then share that single folder.
Enable network discovery. Network discovery controls whether the server is
visible to clients that browse the network; clients that connect by UNC path
(\\server\share) do not depend on it. You can use the Network and Sharing
Center to configure the computer's visibility.
Use Advanced Sharing. Although enabling Public folder sharing or using
Basic sharing is straightforward, these mechanisms do not provide enough
administrative control for many situations; generally, it is more appropriate to
use Advanced sharing to make your files and folders available across the
network.
Consider caching carefully. Enabling caching improves file availability for
users who want to work offline. However, when large volumes of files are
synchronized, perhaps during the logon process, this can have a negative
impact on the network and on the file server's performance. It is important to
balance availability with performance.
Change the default shared folder permission. The default share permission is
Everyone: Read, which is rarely what you want. One approach is to set share
permissions that mirror the NTFS permissions. A simpler approach is to grant
Full Control to the Authenticated Users group at the share level and let the
NTFS permissions control access: NTFS permissions apply whether access is local
or through the share, and the effective permission through a share is always the
more restrictive of the two. This is discussed more fully in the next topic.

Managing Access Control

Key Points
To ensure the proper protection for your files when you share them, it is important
that you understand file-system security. NTFS file system permissions enable you
to define the access level that users have to files on the network or locally at your
Windows Server 2008 computer. You grant permissions on a file or folder for a
named user or group. An Access Control List (ACL) stores these permissions, and
controls what the user or group can do to the file or folder. Windows evaluates
the ACL against the user's access token each time the user opens the file or
folder; the check is made by the operating system, not by the application, so it
applies to local and network access alike.
The following list describes the available file permissions.
Full Control. Gives complete control of the file, including changing its
permissions and taking ownership.
Modify. Enables the user to read, change, and delete the file.
Read and Execute. Enables the user to read the file and run it if it is a
program.
Read. Provides read-only access.
Write. Enables the user to overwrite the file and change its attributes; by
itself it does not grant read access.

The following list describes the available folder permissions.
Full Control. Gives complete control of the folder, its contents, and
permissions.
Modify. Enables the user to read, create, change, and delete files and
subfolders.
Read and Execute. Enables the user to see folder contents and start programs
in the folder.
List Folder Contents. Enables the user to see the names of files and subfolders,
but grants no permission over the files themselves.
Read. Provides read-only access to the folder and its attributes.
Write. Enables the user to create files and subfolders and change the folder's
attributes; it does not grant delete.


Permissions Inheritance
You can apply NTFS file system permissions at the file or the folder level. If you
apply permissions at the folder level, files and subfolders within the folder inherit
those permissions. If you set permissions at the file level, they apply only to that
file.
By grouping files together in folders, and assigning permissions to that folder, you
can manage permissions more efficiently. Consider an example. Alice Ciccu is in
charge of administering the Transport department files to which all other transport
users require read and write access. By setting the permissions on the Transport
Data folder so that user Alice Ciccu has Full Control permission and the Transport
group has Modify permission, inheritance will ensure that Alice and the Transport
group will receive the appropriate permissions in all the subfolders and files.
Effective Permission
When a user receives multiple NTFS file system permissions, these permissions are
normally cumulative. For example, if a user is assigned Read through one group
membership and Write through another, the user's effective permissions are both
Read and Write. The exception to this rule is the Deny permission: Deny always
overrides any Allow permission. To check a user's or group's effective
permissions, open the file or folder Properties dialog box, click the Security
tab, click Advanced, and then use the Effective Permissions tab.

Note: Explicitly allowed permissions take precedence over an inherited deny.
Combined Permissions
When you create a shared folder on a partition that is formatted with the NTFS file
system, both the shared folder permissions and the NTFS file system permissions
apply to network access, and the effective permission is the more restrictive of
the two. NTFS file system permissions apply whether users access the resource
locally or over a network; shared folder permissions apply only to access through
the share. Use the most restrictive NTFS file system permissions that still let
users do their work to control access to folders and files, and use shared folder
permissions to control network access.
Best Practice
Use the following guidance to help establish and maintain your NTFS file and
folder permissions.
Avoid using the Everyone group. If you enable a guest user account on your
computer, the Everyone group includes anyone. Therefore, you should remove
the Everyone group from any permission lists, and replace it with the
Authenticated Users group.
Group files into a hierarchy. This enables you to more easily rely on folder
inheritance when configuring permissions.
Only ever grant the minimum required permissions; use Full Control
permissions sparingly. In essence, aside from certain special folders that
are needed to support specific applications or features, folders fall into one
of three broad categories; these are: user home folders; data folders for
departments, or for the entire organization; and application folders. Generally,
you can assign users Full Control on their personal home folders. You should
assign only Modify permissions on departmental shared folders; this is
because assigning Full Control grants users the necessary permissions to
assign permissions, and to take ownership of files and folders. Finally, assign
only Read and Execute permissions on application folders.


Note: Be aware that if you grant your users Full Control of their home folders, it is
possible that they can remove administrator permissions; you can easily recover your
permissions, should you need to, but some administrators take the view that even on
home folders, users should only ever be assigned Modify permissions.
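The following PowerShell script is an added example rather than the course's own code. It puts the sharing best practices from the previous topic and the NTFS guidance above into practice for the Transport department example: the NTFS ACL carries the real restrictions (no Everyone, Modify for the department, Full Control only for the data owner and administrators), and the share grants Authenticated Users Full Control so that the NTFS permissions alone decide the effective access. The path, share name, and account names are assumptions; run it elevated on the file server.

```powershell
# Added example (not the course's code): create a departmental data folder,
# set least-privilege NTFS permissions with inheritance, share it with the
# recommended share-level permission, and show both layers. Names below are
# assumptions for the Transport department example.
$path  = 'D:\Data\Transport'
$share = 'TransportData'
$dept  = 'ADATUM\Transport'        # department group: Modify, nothing more
$owner = 'ADATUM\Alice.Ciccu'      # data owner: Full Control

New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS layer. Stop inheriting from D:\Data so that whatever Everyone or Users
# entries exist there do not leak down, then grant only what is needed.
# (OI)(CI) = the entry is inherited by files and subfolders.
icacls $path /inheritance:r
icacls $path /remove:g Everyone
icacls $path /grant 'BUILTIN\Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F'
icacls $path /grant "${owner}:(OI)(CI)F" "${dept}:(OI)(CI)M"

# Share layer. Replace the default Everyone/Read with Authenticated Users/Full
# Control. A member of Transport still gets only Modify, because the effective
# permission through the share is the more restrictive of share and NTFS.
net share "$share=$path" "/GRANT:Authenticated Users,FULL" "/REMARK:Transport department data"

# Verify both layers. icacls prints the ACL with inheritance flags; net share
# prints the share permissions and the local path behind the share.
icacls $path
net share $share
```

After the script runs, test from a client as a member of Transport: creating and editing a file under \\server\TransportData should succeed, while the Security tab of any file should refuse a permission change, which confirms that Modify rather than Full Control is in effect.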

Planning Encrypting File System (EFS)

Key Points
Encrypting File System (EFS) is a system for encrypting data files that is included
as part of Windows 2000, Windows XP, Windows Server 2003, Windows Vista,
and Windows Server 2008. EFS generates a unique symmetric key, the file
encryption key, to encrypt each file. The file encryption key is stored in the
file header, encrypted with the public key of each user (and each recovery agent)
who is allowed to open the file. A folder that is marked for encryption is not
itself encrypted; the mark causes new files in the folder to be encrypted.
Comparing EFS to NTFS permissions:
NTFS permissions control access to files and folders, but an administrator, or
anyone who can take ownership, can change them and then read the data.
EFS controls access to file contents regardless of the permissions that are set
on the file or folder. Only a user who holds a private key that the file
encryption key was encrypted with (the user who encrypted the file, another
user that person added, or a recovery agent) can read the contents, even if
somebody has gained physical access to the computer or the disk. It is only
possible to use EFS to encrypt files when they are stored on an NTFS-formatted
volume.


Comparing EFS to BitLocker:
• BitLocker encrypts the whole hard drive. Any user who has credentials to
  access a computer can therefore access that hard drive.
• EFS encrypts individual files and folders, and only the person who has
  encrypted them (or another allowed user) has access to the contents of those
  files and folders.


Note: EFS files can be shared with individual users, but not groups because there is no
mechanism to assign a certificate to a group.
Implementing EFS is suitable where access to content needs to be strictly
controlled, such as legal or security data. For example, a legal document on a
shared drive could be encrypted so that only a few users have access to it, rather
than all users with NTFS permissions in the shared folder.
The process of encrypting and decrypting in EFS is completely transparent to the
user and to any applications involved. If a folder is configured for encryption, any
file created in or moved to that folder will be encrypted.
By default, EFS is enabled; however, there are various configuration options that
you can use in Group Policy to implement EFS. To do so, go to the Computer
Configuration\Policies\Windows Settings\Security Settings\Public Key
Policies\Encrypting File System node in the Group Policy Management Editor.
The certificates required for EFS contain the necessary public and private keys.
If a Certification Authority (CA) is in place for the organization, the certificate
is requested from the CA. If a CA is not in place for the organization, then EFS
automatically generates a self-signed certificate for the user. In general, it is easier
to manage EFS certificates if they are generated and centrally managed by a CA.
This is particularly true for sharing EFS-encrypted files. Self-signed certificates are
stored on the computer that has the encrypted file.
Keys in EFS are protected with the user's password and stored in the user profile.
Therefore, anyone who gains access to the password will also be able to decrypt
any files that have been encrypted by that user. As such, it is important to
enforce a strong password policy and educate users in security best practices, to
reduce the risk of credentials being exposed.

Note: When the password of a local user is reset by an administrator, Windows is unable
to read the private key stored in the user's profile. The key must be recovered from a
backup, or a recovery agent must be used to recover the files.
You should also consider the use of smart cards, and storing keys on these cards, as
part of your EFS strategy. This requires a user to insert the smart card to access
encrypted files, and adds an additional layer of security.
Question: Why would EFS be used to encrypt data in addition to using NTFS
permissions?

Considerations for EFS Backup Strategy

Key Points
When encrypting data, you should be aware that, if the EFS keys are lost and there
are no recovery agents or key archival process in place, the EFS keys are not
recoverable; that is, you also lose access to the data. There is no other way to
access the data if the keys are lost. Therefore, a large part of planning for using
the EFS feature is to ensure that you can recover files in the event that keys are lost.
To allow for the recovery of encrypted files if keys are lost, EFS uses Data Recovery
Agents (DRAs). A DRA has the ability to access and open any encrypted file. As
such, it is a powerful facility and must be strictly controlled. You can use Group
Policy to specify one or more user accounts as Data Recovery Agents. By default, the
Administrator account is designated as the data recovery agent in the Default
Domain Policy Group Policy object.
Recovery keys are special-purpose certificates that are used by the Data
Recovery Agents to decrypt the data when keys are lost. When an account is
designated as a recovery agent, a recovery certificate and key are created for the
specified DRA account. You should back up the recovery keys assigned to a DRA by
exporting them to external storage and keeping them in a safe place.
When a new DRA is added, it applies to all files encrypted after that point in
time. However, the new DRA is not added to existing encrypted files until
they are modified and saved.
Windows Server 2008 is capable of performing key archival for certificates issued
by the CA. This is an alternative to having users manually export their certificates,
including the private key. To allow for key archival, a user must be designated as a
Key Recovery Agent. The CA must be an Enterprise CA running on Windows
Server 2008 Enterprise Edition.
How an organization utilizes data recovery and key recovery depends on the
security policies of that specific organization. Organizations may have security
policies around access to keys or access to specific data. This policy will help
determine what approach is suitable for each organization.
You can recover keys from Active Directory backups, or recover the data by using
data recovery agents. By using Windows Server 2008, you can store your keys in
Active Directory for later recovery. Your plan should include contingencies for the
expiration dates of both DRA and user keys.
You should plan for key recovery as part of your backup and recovery strategy.
Ensure that you plan, test, and regularly perform EFS recovery on your
encrypted data, and that you can recover encryption keys and data as part of
that recovery strategy.

Note: Users are able to open encrypted files after their certificate expires. This allows the
user to open the files and update the existing keys with new keys. However, new files
cannot be encrypted by using keys from an expired certificate.
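The key-management structure described in this topic, as an added example written for this page (not Microsoft's EFS implementation): one symmetric key per file, stored only in wrapped form in the file header, once for the owner and once for each Data Recovery Agent; a DRA added to policy later reaches an existing file only when that file is modified and saved; an owner whose private key becomes unreadable after a local password reset can no longer open the file, but a DRA still can; and a user with NTFS access but no entry in the header cannot read the contents. The cipher and the key wrapping are a keyed-hash stand-in so the example runs offline without a crypto library; real EFS encrypts file data with a symmetric cipher and wraps the File Encryption Key with each principal's public key from their certificate, so only the matching private key unwraps it. The principal names, the `PermissionError` used to model an unreadable key, and the walkthrough scenario are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for the real cipher: XOR data with an HMAC-SHA256 keystream.
    It is not a real cipher and exists only so the key structure runs offline."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        counter += 1
        stream += hmac.new(key, label + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class Principal:
    """A user or Data Recovery Agent holding an EFS certificate (constructed)."""

    def __init__(self, name: str):
        self.name = name
        # Real EFS keeps the private key in the user profile, protected by the
        # logon password.  The page's note about a local password reset by an
        # administrator is modelled by setting the key to None (unreadable).
        self.private_key = secrets.token_bytes(32)

    def _key(self) -> bytes:
        if self.private_key is None:
            raise PermissionError(f"{self.name}: EFS private key is unreadable")
        return self.private_key

    # In real EFS the public key wraps and only the private key unwraps; this
    # symmetric stand-in uses one secret for both directions.
    def wrap_fek(self, fek: bytes) -> bytes:
        return _keystream_xor(self._key(), b"fek-wrap", fek)

    def unwrap_fek(self, blob: bytes) -> bytes:
        return _keystream_xor(self._key(), b"fek-wrap", blob)


class EncryptedFile:
    """Mirrors the EFS file header: one random File Encryption Key (FEK), kept
    only in wrapped form, once per entitled principal.  The DDF holds the user
    entries and the DRF holds the Data Recovery Agent entries."""

    def __init__(self, plaintext: bytes, owner: Principal,
                 recovery_agents: list[Principal]):
        fek = secrets.token_bytes(32)
        self.ciphertext = _keystream_xor(fek, b"file-data", plaintext)
        self.ddf = {owner.name: owner.wrap_fek(fek)}
        self.drf = {dra.name: dra.wrap_fek(fek) for dra in recovery_agents}

    def read(self, who: Principal) -> bytes:
        """Decrypt for a user in the DDF or a recovery agent in the DRF."""
        blob = self.ddf.get(who.name) or self.drf.get(who.name)
        if blob is None:
            raise PermissionError(f"{who.name} is in neither the DDF nor the DRF")
        fek = who.unwrap_fek(blob)
        return _keystream_xor(fek, b"file-data", self.ciphertext)

    def save(self, who: Principal, plaintext: bytes,
             recovery_agents: list[Principal]) -> None:
        """Modify and save: the current DRA policy is re-applied to the header,
        which is why a newly added DRA reaches an existing file only now."""
        fek = who.unwrap_fek(self.ddf[who.name])
        self.ciphertext = _keystream_xor(fek, b"file-data", plaintext)
        self.drf = {dra.name: dra.wrap_fek(fek) for dra in recovery_agents}

    def recovery_agents(self) -> list[str]:
        return sorted(self.drf)


def walkthrough() -> dict:
    """Plays out the planning points from the text with constructed principals."""
    alice = Principal("alice")
    dra_admin = Principal("DRA-Administrator")   # the default DRA from Group Policy
    policy = [dra_admin]
    contract = EncryptedFile(b"confidential contract", alice, policy)

    # A second DRA is added to policy; the existing file does not pick it up
    # until alice modifies and saves it.
    dra_legal = Principal("DRA-Legal")
    policy.append(dra_legal)
    agents_before = contract.recovery_agents()
    contract.save(alice, b"confidential contract v2", policy)
    agents_after = contract.recovery_agents()

    # Alice's local password is reset by an administrator: her key is unreadable.
    alice.private_key = None
    try:
        contract.read(alice)
        owner_can_read = True
    except PermissionError:
        owner_can_read = False

    # Help desk staff with NTFS Full Control but no EFS entry get nothing.
    helpdesk = Principal("helpdesk")
    try:
        contract.read(helpdesk)
        helpdesk_can_read = True
    except PermissionError:
        helpdesk_can_read = False

    return {
        "agents_before": agents_before,
        "agents_after": agents_after,
        "owner_can_read": owner_can_read,
        "helpdesk_can_read": helpdesk_can_read,
        "recovered_by_dra": contract.read(dra_legal),
    }
```

The walkthrough is the planning argument in miniature: the DRA that was in policy when the file was written is the only one that can recover it until the file is re-saved, and after the owner's key is lost the DRA certificate (exported and kept safely, as the text says) is the only remaining way in.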
Question: What planning documentation is there in your organization for EFS?
How can you ensure that this documentation is updated and modified?

Considerations for Planning File Services Role

Key Points
When planning for File Services, there are several key considerations that you must
keep in mind.
Performance
File servers are by their nature fairly disk-intensive devices. Consequently, the two
critical performance-related resources in your file server are the physical disk and
the physical memory.
Remember that a Windows-based computer that has insufficient physical memory
uses the paging file to manage applications' memory needs, while a computer with
more physical memory than is currently required is more favorably disposed
toward the Windows cache manager's request for memory resources.
By adding memory to your file server, you reduce paging and also ensure there is
plenty of memory for file caching. In addition, use high-performance disk
subsystem components to help optimize the file retrieval and storage processes.
High Availability
Failure can occur in many different components of a file server computer. It is
important to try to eliminate as many of these potential points of failure as
budgetary constraints allow. For example, you can implement some or all of
the following technologies to help increase file server availability:
• Uninterruptible power supply (UPS). By implementing a UPS, you can help
  to protect the file system from corruption following a power outage.
• Redundant power supply. The power supply in a computer is one of the few
  moving parts and is subject to significant wear and tear. If this component
  fails, regardless of the installation of a UPS, the file server will be
  unavailable. By deploying servers with redundant power supplies, you can
  guard against this unavailability.
• Redundant array of independent disks (RAID). There are a number of RAID
  levels that provide different fault-tolerance and performance
  characteristics. Select a configuration that provides the best balance of these
  factors for your organization.
• File server clustering. Ultimately, a file server computer may fail for any
  number of reasons and become unavailable. For particularly critical file
  servers, consider implementing the Windows Server 2008 Failover Clustering
  feature.

Placement and Number
You must consider the number and placement of file servers for your organization.
In small networks, a single file server may suffice; in larger networks, especially
enterprise-level networks, many file servers might be needed to support users' file
access needs. Factors that may influence your decision include:
• Whether you have users located at branch offices or other remote locations.
  Generally, unless you have exceptional circumstances, you should deploy one
  or more file servers, as needed, to each location that hosts users.
• The link bandwidth and reliability between those locations and your central
  offices. If your users access files at remote servers, and the available bandwidth
  is not high enough to support the data throughput required, or the link is
  unreliable, you must consider placing local file servers at the remote locations;
  you might also need to consider implementing a replication technology, for
  example DFS Replication, to synchronize the data stored at the remote sites.
• The workload imposed by users' activities on a server. Where your users' use
  of a single file server exceeds its capacity, consider scaling out; that is, adding
  file servers and distributing the workload among them. Use the
  Windows performance monitoring tools to help identify the workload on a
  given file server. Comparing the current workload with previously gathered
  statistics (trend analysis) will help you to anticipate capacity issues
  before they arise.

Demonstration: Deploying the File Services Role

Key Points
• Deploy the File Services role.
• Create a folder and share it.
• Secure the folder.

Question: What other methods can you use for configuring a shared folder and
securing it?
High-level steps:
1. Deploy the File Services role on the SEA-SVR1 server.
2. Create and share the transport-data folder.
3. Secure the permissions on the transport-data folder.
Lesson 2
Managing Storage

Business in the digital age is tied to information, which must be stored. As an IT
professional, meeting the storage requirements of your organization poses constant
challenges.
Objectives
After completing this lesson, you will be able to:
• Identify capacity and storage management challenges.
• Describe the function of FSRM.
• Plan FSRM quotas.
• Plan FSRM file screens.
• Use FSRM reports to help manage storage.
• Implement FSRM.
• Describe a Storage Area Network.
Capacity and Storage Management Challenges

Key Points
Capacity Management
Capacity management is the process of planning, analyzing, sizing, and optimizing
methods that aim to satisfy an organization's increasing data storage demands. As
the data that you need to store and access increases, so does your need for capacity
management.
To enable you to meet the storage capacity requirements of your organization,
consider the following points:
• Keep track of how much storage capacity is available.
• Determine how much storage space you need for future expansion.

Knowing how the company is currently using storage makes planning for future
storage requirements much more predictable. You can determine who is using data
and what they are storing. Without policies and controls in place, users may often
put storage to noncompliant uses.
Storage Management
Storage management is the process of:
• Identifying the misuse of storage space. Unapproved files and programs also
  create storage management issues. Many users tend to store non-work-related
  files and programs that can consume storage. Storage management attempts to
  control this misuse of corporate space.
• Understanding the regulatory requirements that apply to your organization.
• Planning for storage growth.
• Providing for high availability.

To address storage challenges, you need to:
• Analyze how storage is being used.
• Define storage resource management policies.
• Acquire tools to implement policies.

After you analyze how storage is being used, resource management policies
become much easier to define. These policies determine the efficient and proper
use of available storage capacity, and having these policies in place allows for more
predictability when planning for future capacity. These policies should reflect the
company's needs, and any external compliance requirements. Policies might also
vary within a company. For example, some departments may require more storage
than others, and some departments may want to store files in specific ways.
Situations may occur in which a newly defined policy does not suit the needs of a
particular group of users. In these situations, it may be necessary to implement
policies that attempt to slow storage growth, and realign the group's operating
procedures with the organization.
The final step after analyzing and defining policies is to implement the policies.
Tools such as FSRM perform the tasks necessary for analyzing storage usage,
planning storage policies, and implementing the policies.
The following table describes some of these storage management solutions.

| Solution | Explanation | Windows-based tool or application |
| --- | --- | --- |
| Capacity Management | Provides disk and volume space information | FSRM |
| Charge-Backs | Provides customer billing for storage costs | Indirect support through FSRM |
| Data and Media Migration | Allows data movement between different media types | File Server Migration Tool (FSMT) |
| Performance and Availability Management | Provides application, server, and subsystem information | System Center Operations Manager (SCOM) (using a hardware vendor pack) |
| Policy Management | Sets and enforces policies for systems and users | FSRM (file screening) |
| Quota Management | Manages storage usage | FSRM |

What Is File Server Resource Manager?

Key Points
FSRM is a complete set of tools that allows administrators to address the following
key file server management challenges:
• Capacity management. Monitors usage patterns and utilization levels. FSRM
  addresses the challenge of analyzing how storage is being used in the
  enterprise environment.
• Policy management. Restricts which files are stored on the server. This
  addresses the challenge of verifying that the stored and managed data is of an
  appropriate nature, without requiring manual intervention. It also can prevent
  accidental policy breaches if users inadvertently try to store noncompliant
  files.
• Quota management. Limits how much data can be stored on the server. This
  ensures that users may not exceed an allotted amount of capacity, unless
  specified differently by an administrator.
• Reports. Provides storage capacity usage reports to meet regulatory
  requirements, giving administrators, security groups, and management
  personnel the ability to perform oversight and auditing functions.

FSRM provides several features to accomplish storage management tasks. The
following table describes FSRM functions:

| Function | Description |
| --- | --- |
| Create quotas to limit the space allowed for a volume or folder | Allows you to set the maximum amount of space allotted to a user. It also allows the administrator to be notified if the quota is exceeded. |
| Automatically generate quotas | Allows you to specify that quotas are generated dynamically when subfolders are created. This allows the storage volume to be managed without having to apply quotas every time a directory structure is modified. |
| Create file screens | Enables file filtering based on file extensions. Common file categories can be grouped together to create file groups. |
| Monitor attempts to save unauthorized files | Enables administrators to be notified when users attempt to save an unapproved file type. |
| Define quota and file screening templates | Allows you to customize and implement a detailed company storage policy. |
| Generate scheduled or on-demand storage reports | Allows you to create reports on a regular basis for review, or create reports on demand, which allows you to quickly generate a report for immediate consumption. |

Planning Quotas

Key Points
You use quota management to create quotas that limit the space allowed for a
volume or folder, and to generate notifications when quota limits are approached
or exceeded. FSRM provides quota templates that you can apply easily to new
volumes or folders and that you can use across an organization. You also can auto-
apply quota templates to all existing folders in a volume or folder, as well as to any
new subfolders created in the future.
By creating a quota for a volume or folder, you limit the disk space that is allocated
for it. The quota limit applies to the entire folder subtree.
Types of Quotas
You can create two types of quotas:
• Hard quota. A hard quota prevents users from saving files after the space limit
  is reached, and it generates notifications when the data volume reaches the
  configured threshold.
• Soft quota. A soft quota does not enforce the quota limit, but it generates the
  configured notifications.

Notification Thresholds
To determine what happens as users approach the quota limit, you can configure
notification thresholds. For each threshold that you define, you can:
• Send e-mail notifications.
• Log an event.
• Run a command or script.
• Generate storage reports.

For example, when a folder reaches 85 percent of its quota limit, you might want
to notify the user who saved the file and their administrator, and then send another
notification when the quota limit is reached. In some cases, you might then want to
run a script that raises the quota limit automatically when a threshold is reached.
The following table outlines the advantages of using the FSRM quota management
tools compared to NTFS disk quotas.

| Quota feature | FSRM quotas | NTFS disk quotas |
| --- | --- | --- |
| Quota tracking | By folder or by volume | Per user, per volume |
| Disk usage calculation | Actual disk space | Logical file size |
| Notification mechanisms | E-mail, custom reports, command execution, event logs | Event logs only |

Default Quota Templates
FSRM provides several quota templates. To view the default templates, select the
Quota Templates node in the FSRM console tree. The default quota templates
include:
• 100 MB Limit. This template is configured as a hard quota with a 100-
  megabyte (MB) limit. It also is configured to send e-mail and event-log
  notifications when the threshold reaches 85, 95, and 100 percent.
• 200 MB Limit Reports to User. This template is configured with a hard quota
  set at 200 MB. The notification thresholds are configured similar to the 100
  MB Limit template, but this template also is configured to generate reports
  when the limit reaches 100 percent, based on duplicate files, large files, and
  those files accessed the least recently. These reports will be sent to the user
  who exceeded the threshold and will be stored in the
  %systemdrive%\StorageReports\Incident folder.
• 200 MB Limit with 50 MB Extension. This template is configured with a hard
  quota set at 200 MB. The notification thresholds are set similar to the 100 MB
  Limit template, but this template is configured with an additional command
  that will automatically increase the quota limit by an extra 50 MB when the
  limit reaches 100 percent.
• 250 MB Extended Limit. This template is applied automatically from within
  the command threshold configuration of the 200 MB Limit with 50 MB
  Extension quota template.
• Monitor 200 GB Volume Usage. This is a soft quota set at 200 gigabytes (GB),
  which allows users to exceed the limit. This template is used for monitoring,
  and it is configured with threshold warnings and limits set at 70, 80, 90, and
  100 percent.
• Monitor 500 MB Share. This is a soft quota set at 500 MB. This template is
  used for monitoring disk usage with notification thresholds set at 80, 100, and
  120 percent.
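The quota rules in this topic, as an added Python example written for this page (not FSRM's own engine or a Microsoft API): a hard quota denies the write that would exceed its limit while a soft quota accepts it; each threshold fires its configured actions once; and the command at the 100 percent threshold of the 200 MB Limit with 50 MB Extension template raises the limit to the 250 MB Extended Limit, after which the retried write succeeds. The soft Monitor 500 MB Share template shows a threshold above 100 percent firing. The `Quota` and `Threshold` classes, the template functions, the share paths and the user names are constructed for the example, and notification actions are recorded in a list rather than sent as e-mail or written to the event log.

```python
from __future__ import annotations

from dataclasses import dataclass, field

MB = 1024 * 1024


@dataclass
class Threshold:
    """One notification threshold of a quota template (constructed model)."""
    percent: int
    actions: tuple                 # any of "email", "event", "command", "report"
    extend_by: int = 0             # bytes the command action adds to the limit


@dataclass
class Quota:
    path: str
    limit: int
    hard: bool
    thresholds: list
    used: int = 0
    fired: set = field(default_factory=set)            # thresholds already notified
    notifications: list = field(default_factory=list)  # (percent, action, user)

    def write(self, user: str, nbytes: int) -> bool:
        """Attempt to store nbytes under the quota path; True if accepted.

        Hard quota: a write that would exceed the limit is denied and the
        limit threshold fires.  Soft quota: the write is accepted and only
        the configured notifications are generated."""
        projected = self.used + nbytes
        if self.hard and projected > self.limit:
            self._check_thresholds(user, projected)
            return False
        self.used = projected
        self._check_thresholds(user, self.used)
        return True

    def _check_thresholds(self, user: str, level: int) -> None:
        pct = level * 100 // self.limit
        for t in sorted(self.thresholds, key=lambda t: t.percent):
            if pct >= t.percent and t.percent not in self.fired:
                self.fired.add(t.percent)
                for action in t.actions:
                    self.notifications.append((t.percent, action, user))
                    if action == "command" and t.extend_by:
                        # Models the 250 MB Extended Limit template being applied
                        # by the command at 100 percent; the raised limit gets a
                        # fresh set of threshold notifications.
                        self.limit += t.extend_by
                        self.fired = set()
                        return


def template_200mb_with_50mb_extension(path: str) -> Quota:
    return Quota(path, 200 * MB, hard=True, thresholds=[
        Threshold(85, ("email", "event")),
        Threshold(95, ("email", "event")),
        Threshold(100, ("email", "event", "command"), extend_by=50 * MB),
    ])


def template_monitor_500mb_share(path: str) -> Quota:
    return Quota(path, 500 * MB, hard=False, thresholds=[
        Threshold(80, ("email",)),
        Threshold(100, ("email",)),
        Threshold(120, ("email",)),
    ])


def walkthrough() -> dict:
    """Runs constructed writes through both templates."""
    finance = template_200mb_with_50mb_extension(r"D:\Shares\Finance")
    accepted = [
        finance.write("bob", 180 * MB),   # 90 percent: the 85 percent warning fires
        finance.write("bob", 15 * MB),    # 97 percent: the 95 percent warning fires
        finance.write("bob", 10 * MB),    # would reach 205 MB: denied, limit
                                          # threshold fires, quota extended to 250 MB
        finance.write("bob", 10 * MB),    # retry now fits under the new limit
    ]
    share = template_monitor_500mb_share(r"D:\Shares\Public")
    share.write("carol", 450 * MB)        # 90 percent: the 80 percent notification
    share.write("carol", 150 * MB)        # 120 percent: accepted, soft quota
    return {
        "finance_accepted": accepted,
        "finance_limit_mb": finance.limit // MB,
        "finance_used_mb": finance.used // MB,
        "finance_notified": [(p, a) for p, a, _ in finance.notifications],
        "share_used_mb": share.used // MB,
        "share_fired": sorted(share.fired),
    }
```

Note the order of events in the hard-quota case: the application's write is refused first, and the command that extends the quota runs as a consequence of that refusal, so users of the extension template will see one failed save before the next one succeeds.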

Planning File Screens

Key Points
Many organizations face issues with network users storing unauthorized or
personal data on corporate file servers. Not only does this misuse valuable storage
space, but it also increases the backup process duration, and might violate privacy
or security compliance requirements within the company. You can use file screening
to manage the types of files that users can save on corporate file servers.
A file screen provides a flexible method to control the types of files that are saved
on company servers. For example, you can ensure that music files are not stored in
personal folders on a server, yet still allow storage of specific media file types that
support legal rights management or comply with company policies. In the same
scenario, you might want to assign special privileges to the company's vice
president, allowing storage of any file types in his or her personal folder.
You also can implement a screening process to notify you by e-mail when an
unauthorized file type has been stored in a shared folder. The e-mail message can
include information such as the name of the user who stored the file and its exact
location, so that you can take appropriate precautionary steps.
Before you begin working with file screens, you must understand the role file
groups play in determining the file screening process. A file group is used to define
a namespace for a file screen, file screen exception, or storage report.
Working with File Groups
A file group consists of a set of file name patterns that are grouped into two groups:
Files to include, and files to exclude:
Files to include. These are files that should be included in the group.
Files to exclude. These are files that should not be included in the group.

For example, an Audio Files file group might include the following file name
patterns:
Files to include: *.mp*. Includes all audio files created in current and future
MPEG formats (MPG, MP2, MP3, and so on).
Files to exclude: *.mpp. Excludes files created in Microsoft Project (.mpp
files), which would otherwise be included by the *.mp* inclusion rule.

FSRM provides several default file groups. You can define additional file groups, or
change the files to be included and excluded. Any changes that you make to a file
group affect all existing file screens, templates, and reports to which the file group
has been added.
To simplify file screen management, you should base your file screens on file
screen templates. A file screen template defines the following:
File groups to block. You can select what file groups to block in the file screen
template. You also can create or modify new file groups from the File Screen
Template Properties dialog box.
Screening types to perform. You can configure two screening types in a file
screen template: Active screening does not allow users to save any files related
to the selected file groups configured with the template. Passive screening still
allows users to save files but provides notifications for monitoring.
Notifications to be generated. Similar to quota templates, file screen
templates provide the ability to configure notifications by means of e-mail
messages, event logs, and reports. You also can configure specific commands
or scripts to run when a file screening event takes place.
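To make the include/exclude semantics and the two screening types concrete, the following Python example (added here; it is not FSRM code and not part of the course material) models a file group, a file screen template and a file screen. The Audio Files group reproduces the *.mp* / *.mpp example above; the Executable Files group, the share paths and the user names are constructed for the demonstration. Exclusion patterns take priority over inclusion patterns, and a passive screen records the event but still allows the save.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class FileGroup:
    """A named set of include/exclude file name patterns, as in FSRM."""
    name: str
    include: List[str]
    exclude: List[str] = field(default_factory=list)

    def matches(self, filename: str) -> bool:
        # Exclusion patterns take priority over inclusion patterns, so *.mpp is
        # rejected even though *.mp* would otherwise include it. Matching is
        # case-insensitive, as Windows file names are.
        fn = filename.lower()
        if any(fnmatchcase(fn, p.lower()) for p in self.exclude):
            return False
        return any(fnmatchcase(fn, p.lower()) for p in self.include)


@dataclass
class FileScreenTemplate:
    """Which file groups to block and whether screening is active or passive."""
    name: str
    blocked_groups: List[FileGroup]
    screening: str = "active"      # "active" rejects the save; "passive" only notifies


@dataclass
class FileScreen:
    """A file screen applied to a folder, created from a template."""
    path: str
    template: FileScreenTemplate
    audit: List[Dict] = field(default_factory=list)   # feeds a File Screening Audit report

    def try_save(self, user: str, filename: str) -> bool:
        """Return True if the save is allowed, False if it is blocked."""
        hit: Optional[FileGroup] = next(
            (g for g in self.template.blocked_groups if g.matches(filename)), None)
        if hit is None:
            return True
        blocked = self.template.screening == "active"
        # Both screening types generate a notification (here: an audit record);
        # only active screening refuses the write.
        self.audit.append({"user": user, "file": filename, "folder": self.path,
                           "group": hit.name, "blocked": blocked})
        return not blocked


# Constructed file groups: Audio Files follows the text's example; the
# Executable Files group and its patterns are illustrative, not FSRM defaults.
AUDIO_FILES = FileGroup("Audio Files", include=["*.mp*", "*.wav", "*.wma"], exclude=["*.mpp"])
EXECUTABLE_FILES = FileGroup("Executable Files", include=["*.exe", "*.com", "*.bat"])


def demo() -> Dict[str, bool]:
    """Apply an active and a passive screen to a few constructed save attempts."""
    active = FileScreen(r"D:\Shares\Projects",
                        FileScreenTemplate("Block Audio and Executables",
                                           [AUDIO_FILES, EXECUTABLE_FILES]))
    passive = FileScreen(r"D:\Shares\Users",
                         FileScreenTemplate("Monitor Audio", [AUDIO_FILES], "passive"))
    return {
        "plan.mpp on active": active.try_save("alice", "plan.mpp"),     # excluded from group
        "song.MP3 on active": active.try_save("bob", "song.MP3"),       # blocked
        "setup.exe on active": active.try_save("bob", "setup.exe"),     # blocked
        "song.mp3 on passive": passive.try_save("carol", "song.mp3"),   # allowed, audited
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'allowed' if allowed else 'blocked'}")
```

The audit records that both screen types accumulate are what a File Screening Audit report would list; a passive screen is therefore the right choice while you are still discovering which file groups users actually store.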

By creating file screens exclusively from templates, you can manage your file
screens centrally by updating the templates instead of the individual file screens.
When you make changes to a template, you can choose to apply those changes to
all file screens that are based on that template or only to those file screens whose
properties match those in the template. This feature simplifies storage-policy
change implementation, by providing one central point from where you can make
all updates.
Using Reports to Manage Storage

Key Points
To assist in capacity planning, you must be able to configure and generate
extensive reports based on current storage numbers. In this topic, you will learn
how to configure, schedule, and generate storage reports by using FSRM.
Storage reports provide information about file usage on a file server. The FSRM
Storage Reports Management feature allows you to generate storage reports on
demand and schedule periodic storage reports that help identify trends in disk
usage. You also can create reports to monitor attempts to save unauthorized files
by all users or a selected group of users.
Types of Storage Reports
The following list describes the storage report types in FSRM:
Large Files. Lists files that are larger than a specified size. Use this report to
identify files that are consuming excessive server disk space.
Files by Owner. Lists files that are grouped by owner. Use this report to
analyze server usage patterns and to identify users who use large amounts of
disk space.
Files by File Group. Lists files that belong to specified file groups. Use this
report to identify file-group usage patterns and to identify file groups that
occupy large amounts of disk space. This can help you determine which file
screens to configure on the server.
Duplicate Files. Lists duplicate files (files with the same name, size, and last-
modified date). Use this report to identify and reclaim disk space that is lost
due to duplicate files.
Least Recently Used Files. Lists files that have not been accessed for a
specified number of days. This report can help you identify seldom-used data
that could be archived and removed from the server.
Most Recently Used Files. Lists files that have been accessed within a
specified number of days. Use this report to identify frequently used data that
should be highly available.
Quota Usage. Lists quotas for which the quota usage is higher than a specified
percentage. Use this report to identify quotas with high usage levels so that
appropriate action can be taken. This report includes quotas that were created
for volumes and folders in FSRM only. It does not include quotas applied to
volumes in an NTFS file system.
File Screening Audit. Lists file screening violations that have occurred on the
server, for a specified number of days. Use this report to identify individuals or
applications that violate the file screening policy.

You can create report tasks that schedule one or more periodic reports, or you can
generate reports optionally on demand and display the reports immediately. For
on-demand reports, as with scheduled reports, current data is gathered before the
report is generated.
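The following Python example, added here and not part of FSRM, computes the Large Files, Files by Owner, Duplicate Files, Least/Most Recently Used and Quota Usage reports over a constructed inventory of file records, using the criteria the list above gives for each report (duplicates are matched on name, size and last-modified date; quota usage considers only FSRM quotas, supplied here as a simple mapping). The inventory, owners, report time and quota limits are invented sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class FileRecord(NamedTuple):
    path: str
    owner: str
    size: int              # bytes
    modified: datetime     # last-modified date
    accessed: datetime     # last-accessed date


NOW = datetime(2010, 4, 9, 7, 45)   # fixed report time so the results are reproducible

# Constructed inventory standing in for a scan of D:\Shares on SEA-SVR1.
INVENTORY: List[FileRecord] = [
    FileRecord(r"D:\Shares\Projects\plan.mpp", "alice", 2_500_000,
               datetime(2010, 3, 1), datetime(2010, 4, 8)),
    FileRecord(r"D:\Shares\Projects\video.iso", "bob", 4_300_000_000,
               datetime(2009, 6, 15), datetime(2009, 6, 20)),
    FileRecord(r"D:\Shares\Users\bob\video.iso", "bob", 4_300_000_000,
               datetime(2009, 6, 15), datetime(2010, 4, 1)),
    FileRecord(r"D:\Shares\Users\carol\notes.txt", "carol", 12_000,
               datetime(2010, 4, 7), datetime(2010, 4, 9)),
    FileRecord(r"D:\Shares\Archive\old.bak", "alice", 900_000_000,
               datetime(2008, 1, 10), datetime(2008, 2, 1)),
]


def large_files(files, min_size: int) -> List[FileRecord]:
    """Large Files: files of at least min_size bytes, largest first."""
    return sorted((f for f in files if f.size >= min_size),
                  key=lambda f: f.size, reverse=True)


def files_by_owner(files) -> Dict[str, int]:
    """Files by Owner: bytes consumed per owner."""
    totals: Dict[str, int] = defaultdict(int)
    for f in files:
        totals[f.owner] += f.size
    return dict(totals)


def duplicate_files(files) -> List[List[str]]:
    """Duplicate Files: groups with the same name, size and last-modified date."""
    groups: Dict[Tuple[str, int, datetime], List[str]] = defaultdict(list)
    for f in files:
        name = f.path.rsplit("\\", 1)[-1].lower()   # file names are case-insensitive
        groups[(name, f.size, f.modified)].append(f.path)
    return [paths for paths in groups.values() if len(paths) > 1]


def least_recently_used(files, days: int, now: datetime = NOW) -> List[str]:
    """Least Recently Used: not accessed for at least `days` days."""
    cutoff = now - timedelta(days=days)
    return [f.path for f in files if f.accessed < cutoff]


def most_recently_used(files, days: int, now: datetime = NOW) -> List[str]:
    """Most Recently Used: accessed within the last `days` days."""
    cutoff = now - timedelta(days=days)
    return [f.path for f in files if f.accessed >= cutoff]


def quota_usage(quotas: Dict[str, Tuple[int, int]], threshold_pct: float) -> Dict[str, float]:
    """Quota Usage: FSRM quotas (path -> (limit, used) in bytes) above threshold_pct."""
    return {path: round(100.0 * used / limit, 1)
            for path, (limit, used) in quotas.items()
            if 100.0 * used / limit > threshold_pct}


if __name__ == "__main__":
    print("Large files:", [f.path for f in large_files(INVENTORY, 500_000_000)])
    print("By owner:", files_by_owner(INVENTORY))
    print("Duplicates:", duplicate_files(INVENTORY))
    print("LRU 365 days:", least_recently_used(INVENTORY, 365))
```

Running the Duplicate Files and Least Recently Used reports together on the sample data shows why the text pairs them with capacity planning: the same 4.3 GB image is stored twice, and one copy has not been touched in months.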
Configuring Report Parameters
Most reports have configurable report parameters, which determine the content
that the report includes. The parameters vary with the report type. For some
reports, you can use report parameters to select the volumes and folders on which
to report, set a minimum file size to include, or restrict a report to files that specific
users own.
To generate a set of reports on a regular schedule, you must schedule a report task.
The report task enables you to specify the following:
The volumes and folders on which to report. You can browse to include
specific folders or volumes in your report.
Which reports to generate. By default, all of the reports are selected for a
scheduled report task.
What parameters to use. You can modify specific parameters for each of the
reports that you are generating.
How often to generate the reports. By default, when you create a new
schedule, reports are automatically set to generate at 9:00 A.M. daily, starting
the next day. You can schedule daily, weekly, or monthly reports, or generate
one-time only reports.
Which file formats to use when saving reports. Reports can be saved in
DHTML, HTML, XML, CSV, and text-file formats. By default, DHTML is the
only format enabled.

After you create a report task, it appears in the results pane of the Scheduled
Report Tasks node. Tasks are identified by the reports to be generated, the
namespace on which the reports will be created, and the report schedule. You also
can view the current report status (whether the report is running), the last run
time and the result of that run, and the next scheduled run time.
Demonstration: Using FSRM to Manage Storage

Key Points
Configure FSRM quotas.
Configure FSRM file screens.
Produce an FSRM storage report.
Question: How could you benefit from using quotas in your organization?
Question: How could you benefit from using file screens in your organization?

High-level steps:
1. Configure quotas on the branch server (SEA-SVR1).
2. Configure a file screen on SEA-SVR1.
3. Configure FSRM options to enable reporting features.
4. Produce and examine a storage report.
What Is a Storage Area Network?

Key Points
Traditional file servers have tended to rely on direct-attached storage (DAS). In this
configuration, disks are either installed inside the file server or attached locally
in a disk array. DAS presents several storage management issues, including the
following:
Inflexible resource sharing. Despite the fact that specific servers in your
organization might have excess storage, there is no easy way for this excess
storage to be redeployed to other servers that have additional storage
requirements. After a server has no more room for additional storage, the most
common way to add storage resources is to add a new server. The
disadvantages of this approach are increased capital expenditures and greater
management complexity.
Backup complexity. As the computers in the organization proliferate,
protecting the data on them becomes more expensive and complex to
accomplish. Because backups must be done directly on the system housing the
data, IT personnel usually find themselves required to purchase additional
tape backup systems. Full backups become more difficult to schedule without
cutting into working hours.
Hardware proliferation. More equipment means less space for other business
purposes, more licensing expenses, more setup time, and more hardware to
troubleshoot and fix should a failure occur. Overbuying storage to insulate
against shortages ties up capital resources, and because storage disks are
bound to a specific server, server use remains inherently inflexible, because
servers cannot readily be repurposed for other application use.

To address these issues, a number of network-based storage technologies have
evolved. Network Attached Storage (NAS) servers are designed for ease of
deployment and can be plugged directly into the network without disruption of
services. Managing a NAS appliance is relatively simple and involves only a short
learning curve for most administrators. NAS servers are typically used to
consolidate file servers and backup equipment and to expand storage capacity.
However, NAS does not support all applications, such as databases, which usually
need to be local to the database server.
Storage Area Network (SAN) solutions are ideal for database and online processing
applications that require rapid data access and block storage; however, because a
SAN is a dedicated network that can require specialized equipment, a great deal
more expertise is required to set up and maintain a SAN. In a SAN environment, a
storage volume appears local to a participating server.

Note: If the majority of documents that users must access are file based, NAS solutions
provide the most effective and low-cost networked storage solution. On the other hand,
if the greatest amount of information to be shared is produced by database applications,
SANs have been the most popular solution. For those many organizations that must
share both block-based and file-based data, a joint NAS-SAN solution can effectively
meet both needs.
SANs address the limitations of DAS in the following ways:
Highly effective resource sharing. Implementing a SAN solution facilitates
on-demand resource provisioning. Because all servers have access to the same
storage pool, accommodating peak storage needs is a matter of shifting
resources to servers on an as-needed basis, rather than systematically
overbuying storage resources for each server.
Better storage utilization. Storage capacity utilization increases from about 50
percent with DAS to about 80 percent on a SAN. This increased storage
utilization, occurring because multiple servers now access a common pool of
storage, dramatically reduces the need for the common practice of storage
over-provisioning.
Hardware consolidation and availability. SANs facilitate the sharing of
maximally up-to-date data, equipment consolidation (including shifting from
discrete tape drives to shared tape libraries), effective clustering and
redundancy solutions, high-performance I/O, and a reduction in network
traffic. The net results of deploying a SAN are more efficient storage resource
management, better data protection, high availability, and improved
performance.

SANs are designed to enable centralization of storage resources, while at the same
time overcoming the distance and connectivity limitations posed by DAS. Parallel
SCSI interconnections limit DAS devices to a distance of 25 meters and can
connect a maximum of only 16 devices. A typical SAN implementation can extend
the distance limitation to 10 kilometers or more and enable an essentially
unlimited number of devices to attach to the network. These factors allow SANs to
uncouple storage from the server and pool it on a network where it can be shared
and easily provisioned, without the scaling problems associated with DAS.

Note: You can find out more about SANs here:
http://go.microsoft.com/fwlink/?LinkID=163881&clcid=0x409

Lesson 3
Planning and Implementing the Distributed
File System

In the Windows Server 2008 operating system, DFS enables you to create one or
more hierarchies of shared folders from across your network and replicate the
contents of those folders between servers where necessary; these hierarchies are
known as namespaces.
Objectives
After completing this lesson, you will be able to:
Describe DFS.
Plan a DFS namespace.
Plan DFS replication.
Use DFS to provide for data storage scenarios.

What Is DFS?

Key Points
DFS technologies in Windows Server 2008 provide a simplified way to access files
that are dispersed geographically throughout an organization. DFS also offers wide
area network (WAN)-friendly file replication between servers. DFS technologies
include:
DFS Namespaces
DFS Replication
Remote Differential Compression

DFS Namespaces
DFS Namespaces allows administrators to group shared folders located on
different servers into one or more logically structured namespaces. Each
namespace appears to users as a single shared folder with a series of subfolders.
The subfolders typically point to shared folders that are located on various servers
in multiple geographical sites throughout the organization.
DFS Replication
DFS Replication (DFS-R) is a multimaster replication engine used to synchronize
files between servers over both local and WAN network connections. DFS-R
supports replication scheduling and bandwidth throttling, and uses Remote
Differential Compression (RDC) to update only the portions of files that have
changed since the last replication. DFS-R can be used in conjunction with DFS
Namespaces or can be used as a stand-alone file replication mechanism.
Remote Differential Compression
Remote Differential Compression (RDC) identifies and synchronizes the data
changes on a remote source, and uses compression techniques to minimize the
data that is sent across the network. Instead of transferring similar or redundant
data repeatedly, RDC accurately identifies changes, referred to as deltas, within
and across files, and transmits only those changes to achieve significant bandwidth
savings. RDC detects data insertions, removals, or rearrangements in files, enabling
DFS-R to replicate only the changed file blocks when files are updated.
RDC also can copy any similar file from one client or server to another, using a
feature known as Cross-File Remote Differential Compression. RDC is suitable for
WAN scenarios where the data transmission costs outweigh the CPU costs of
computing differences between files.

Note: RDC is not used on files smaller than 64 KB. In this case, the file is compressed
before it is replicated.
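The following Python example, added here and not taken from RDC or DFS-R, shows why delta transfer survives insertions and removals: both copies are cut into chunks whose boundaries depend only on the bytes around them, the receiver's chunk signatures are compared with the sender's, and only chunks the receiver lacks are sent. The window, mask, cap and signature sizes are demo assumptions rather than RDC's actual parameters, and the 64 KB rule from the note is applied in plan_transfer. The sample files are generated in sample_files.

```python
import hashlib
import random
import zlib
from typing import List, Tuple

WINDOW = 8             # bytes hashed at each position to decide a boundary (assumption)
MASK = 0xFF            # boundary when crc32(window) & MASK == 0: ~256-byte chunks
MAX_CHUNK = 1024       # hard cap so no chunk grows without bound
SIG_LEN = 16           # bytes of signature exchanged per chunk (assumption)
RDC_THRESHOLD = 64 * 1024   # RDC is not used on files smaller than 64 KB


def chunk(data: bytes) -> List[bytes]:
    """Split data into content-defined chunks. A boundary depends only on the
    last WINDOW bytes, so inserting or removing bytes moves boundaries only
    near the edit; chunks elsewhere keep their identity and are not resent."""
    chunks, start = [], 0
    for i in range(len(data)):
        hit = i + 1 >= WINDOW and (zlib.crc32(data[i + 1 - WINDOW:i + 1]) & MASK) == 0
        if hit or (i - start + 1 >= MAX_CHUNK):
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def signature(c: bytes) -> bytes:
    return hashlib.sha256(c).digest()[:SIG_LEN]


def delta_transfer(old: bytes, new: bytes) -> Tuple[int, bytes]:
    """Sender holds `new`, receiver holds `old`. The receiver's chunk signatures
    are compared against the sender's; only chunks the receiver lacks are sent.
    Returns (bytes that crossed the wire, file as reconstructed by the receiver)."""
    receiver_has = {signature(c): c for c in chunk(old)}
    sent = len(receiver_has) * SIG_LEN        # receiver's signature list goes first
    rebuilt = bytearray()
    for c in chunk(new):
        sig = signature(c)
        if sig in receiver_has:
            sent += SIG_LEN                   # "reuse this chunk" reference only
            rebuilt += receiver_has[sig]
        else:
            sent += SIG_LEN + len(c)          # new data must be transferred
            rebuilt += c
    return sent, bytes(rebuilt)


def plan_transfer(old: bytes, new: bytes, threshold: int = RDC_THRESHOLD) -> Tuple[str, int]:
    """Below the threshold the whole file is compressed and sent instead."""
    if len(new) < threshold:
        return "compress", len(zlib.compress(new))
    return "rdc", delta_transfer(old, new)[0]


def sample_files(size: int = 64 * 1024, seed: int = 7) -> Tuple[bytes, bytes]:
    """Constructed test data: a random file and a copy with bytes inserted in
    the middle, an edit that would shift every fixed-size block after it."""
    rng = random.Random(seed)
    old = bytes(rng.getrandbits(8) for _ in range(size))
    new = old[:size // 2] + b"<<inserted paragraph>>" + old[size // 2:]
    return old, new


if __name__ == "__main__":
    old, new = sample_files()
    sent, rebuilt = delta_transfer(old, new)
    print(f"file {len(new)} bytes, sent {sent} bytes, intact={rebuilt == new}")
```

With fixed-size blocks the insertion would change every block after the edit; with content-defined boundaries only the chunks touching the insertion are sent, which is the behaviour the text attributes to RDC for insertions, removals and rearrangements.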
Additional Reading
Distributed File System Technology Center:
http://go.microsoft.com/fwlink/?LinkId=102236&clcid=0x409
Overview of the Distributed File System Solution in Microsoft Windows Server
2003 R2: http://go.microsoft.com/fwlink/?LinkId=102237&clcid=0x409
About Remote Differential Compression:
http://go.microsoft.com/fwlink/?LinkId=102239&clcid=0x409

Considerations for Planning a DFS Namespace

Key Points
Domain-Based Namespace
A domain-based namespace is a DFS namespace that you create on a domain
member server, which uses the domain name in the DFS path. You can install
multiple namespace servers to host the same domain-based DFS namespace.
A domain-based namespace can be used when:
Namespace high availability is required.
You need to hide the name of the namespace servers from users. This also
makes it easier to replace a namespace server or migrate the namespace to a
different server. Users will then use the \\domainname\namespace format as
opposed to the \\servername\namespace format.

As with stand-alone servers, domain-based DFS namespace servers require the File
Server role, but they provide increased functionality if the domain is in Windows
Server 2008 mode, including:
Support for more than 5,000 folders with targets. (The limit of 5,000 folders
applies to domains at a lower functional level.)
Support for Access-Based Directory Enumeration of folders within the DFS
hierarchy.


Note: Access-based directory enumeration allows users to list only the files and folders
to which they have access when browsing content on the file server. This eliminates user
confusion that can be caused when users connect to a file server and encounter a large
number of files and folders that they cannot access.
To use Windows Server 2008 mode, the following requirements must be met:
The domain must be at the Windows Server 2008 domain functional level.
All namespace servers must be Windows Server 2008.


Note: You can migrate a domain-based namespace from Windows 2000 Server mode to
Windows Server 2008 mode by using the DFSutil command-line tool. You also can
enable or disable Access-based Enumeration by using the Share and Storage
Management MMC.
Stand-Alone Namespace
A stand-alone namespace is a DFS namespace that you create on a single server.
The DFS namespace server may be a member of a domain or workgroup. A stand-
alone DFS namespace server only requires the File Server role. Stand-alone DFS
namespaces are not fault-tolerant, but you can install a stand-alone DFS namespace
as a cluster resource on a Windows Server 2008 server cluster.
A stand-alone namespace is used when:
Your organization has not implemented Active Directory directory service.
Your organization does not meet the requirements for a Windows Server 2008
mode, domain-based namespace, and you have requirements for more than
5,000 DFS folders. Stand-alone DFS namespaces support up to 50,000 folders
with targets.
The following table summarizes the characteristics of each namespace type.

Characteristic                  Stand-alone namespace                Domain-based namespace
Path                            \\ServerName\RootName                \\NetBIOSDomainName\RootName or
                                                                     \\DNSDomainName\RootName
Namespace information storage   Server registry and memory cache     Active Directory and namespace
                                                                     server memory cache
Minimum Active Directory mode   Active Directory not required        Windows Server 2008 to support
                                                                     new features
Size                            Up to 50,000 folders with targets    Up to 50,000 folders with targets
High-availability support       Create as cluster resource on        Implement additional namespace
                                server cluster                       servers
Supports DFS Replication        Only when part of an Active          Yes
                                Directory domain

Increasing Namespace Availability
You can increase the availability of a domain-based namespace by specifying
additional namespace servers to host it. You can add additional namespace servers
to an existing DFS namespace by using the DFS Management Console.
Stand-alone DFS namespaces exist only on a single namespace server. You can
increase the availability of a stand-alone namespace by creating it as a resource in a
server cluster.
Folders
Folders are the primary namespace elements. They appear after the namespace
root (\\server\rootname or \\domain\rootname) and help build the namespace
hierarchy. You use folders in a namespace to organize file shares and their contents
in the same way you use folders on a hard disk to organize files. When you create a
folder using the DFS Management console, you type a name for the folder and
specify whether to add any folder targets.
Folder Targets
A folder target is a Universal Naming Convention (UNC) path to one of the
following locations:
A shared folder. For example, \\server\share.
A folder within a shared folder. For example, \\server\share\folder.
A path to another namespace. For example, \\domainname\rootname.

Increasing Folder Availability
You can increase the availability of each folder in a namespace by adding multiple
folder targets. When one folder target is unavailable, users are directed to
another folder target without even being aware that a problem has occurred. When
the server that hosts the preferred folder target becomes available again, failback
occurs and the client computer returns to the nearest copy of the folder target.
Because each target is a separate copy of the data, you should also configure
replication among the folder targets to keep their contents synchronized.
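The following Python example, added here and not part of DFS, models the referral behaviour described above for a constructed namespace \\contoso.com\Public whose Docs folder has one target in Seattle and one in New York: a client is referred to an available target, preferring its own site, and returns to the nearer target once that server is back (failback). Domain, server and site names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FolderTarget:
    unc: str              # UNC path of the shared folder, e.g. \\SEA-SVR1\Docs
    site: str             # Active Directory site of the hosting server
    online: bool = True   # flipped to False to simulate an outage


@dataclass
class Namespace:
    root: str                                      # e.g. \\contoso.com\Public (constructed)
    folders: Dict[str, List[FolderTarget]] = field(default_factory=dict)

    def add_target(self, folder: str, target: FolderTarget) -> None:
        self.folders.setdefault(folder, []).append(target)

    def referral(self, folder: str, client_site: str) -> List[FolderTarget]:
        """Ordered referral list: targets in the client's own site first."""
        targets = self.folders.get(folder, [])
        same = [t for t in targets if t.site == client_site]
        other = [t for t in targets if t.site != client_site]
        return same + other

    def resolve(self, path: str, client_site: str) -> Optional[str]:
        r"""Map \\domain\root\folder\rest to a UNC path on the first online target.
        The client walks the referral list, so a dead target is skipped and the
        preferred target is used again as soon as it is online (failback)."""
        prefix = self.root.rstrip("\\") + "\\"
        if not path.lower().startswith(prefix.lower()):
            return None                            # not inside this namespace
        folder, _, tail = path[len(prefix):].partition("\\")
        for target in self.referral(folder, client_site):
            if target.online:
                return target.unc + ("\\" + tail if tail else "")
        return None                                # every target is down


def build_demo_namespace():
    """Constructed namespace with two targets for the Docs folder."""
    ns = Namespace(r"\\contoso.com\Public")
    sea = FolderTarget(r"\\SEA-SVR1\Docs", "Seattle")
    nyc = FolderTarget(r"\\NYC-SVR1\Docs", "NewYork")
    ns.add_target("Docs", sea)
    ns.add_target("Docs", nyc)
    return ns, sea, nyc


if __name__ == "__main__":
    ns, sea, nyc = build_demo_namespace()
    path = r"\\contoso.com\Public\Docs\plan.txt"
    print("normal   :", ns.resolve(path, "Seattle"))
    sea.online = False
    print("failover :", ns.resolve(path, "Seattle"))
    sea.online = True
    print("failback :", ns.resolve(path, "Seattle"))
```

Because the client transparently lands on whichever copy is reachable, the two targets must hold the same data; that is the reason the text insists on configuring replication among folder targets.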
Considerations for Planning DFS Replication

Key Points
You can increase data availability in your organization by holding two or more
copies of files on different servers and configuring the shares as folder targets for
the same DFS folder in a namespace. To ensure that the files are the same in the
two different locations, you can configure DFS Replication to synchronize the
content.
DFS-R is a state-based, multimaster replication engine that supports replication
scheduling and bandwidth control. DFS-R uses RDC to synchronize files and their
contents between computers.
RDC is an advanced compression technology that optimizes data transfers over
networks that have limited bandwidth. Instead of transferring similar or redundant
data repeatedly, RDC accurately identifies file deltas and transmits only differences
to achieve bandwidth savings. This effectively reduces the size of the data that is
sent and the overall bandwidth requirements for the transfer.
DFS Replication detects changes on the volume by monitoring the update
sequence number (USN) journal; this journal, together with the DFS Replication
database, keeps the replicated content current. DFS Replication is self-healing and
can recover automatically from journal loss or loss of the DFS Replication database.
As stated previously, DFS-R is a multimaster replication engine that supports
replication scheduling and bandwidth throttling. DFS-R is the successor to the File
Replication service (FRS) that was introduced in Windows 2000 Server operating
systems. When planning for DFS-R, it is important to consider the following key
points related to DFS-R:
DFS-R uses RDC. RDC is a client-server protocol that can be used to
efficiently update files over a limited-bandwidth network. RDC detects data
insertions, removals, and re-arrangements in files, enabling DFS-R to replicate
only the changed file blocks when files are updated.
DFS-R detects changes on the volume by monitoring the update sequence
number (USN) journal, and replicates changes only after the file is closed.
DFS-R uses a staging folder to stage a file before sending or receiving it. Staging
folders act as caches for new and changed files to be replicated from sending
members to receiving members.

Note: Each replicated folder has its own staging folder, which by default is located under
the local path of the replicated folder in the DfsrPrivate\Staging folder.
DFS-R uses a version vector exchange protocol to determine which files need
to be synchronized. The protocol sends less than 1 kilobyte (KB) per file
across the network to synchronize the metadata associated with changed files
on the sending and receiving members.
When a file is changed, only the changed blocks are replicated, not the entire
file. The RDC protocol determines the changed file blocks. Using default
settings, RDC works for any type of file larger than 64 KB, transferring only a
fraction of the file over the network.
DFS-R uses a conflict resolution heuristic of last writer wins for files that are
in conflict (that is, a file that is updated at multiple servers simultaneously)
and earliest creator wins for name conflicts.

Note: Files and folders that lose the conflict resolution are moved to a folder known as
the Conflict and Deleted folder. You can also configure the service to move deleted files
to the Conflict and Deleted folder for retrieval should the file or folder be deleted. Each
replicated folder has its own Conflict and Deleted folder, which is located under the local
path of the replicated folder in the DfsrPrivate\ConflictandDeleted folder.
DFS-R is self-healing and can automatically recover from USN journal wraps,
USN journal loss, or loss of the DFS Replication database.
DFS-R uses a Windows Management Instrumentation (WMI) provider that
provides interfaces to obtain configuration and monitoring information from
the DFS Replication service.
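The following is an added example, not DFS-R's own code, that simulates the version vector exchange and the two conflict rules described above: each member keeps a version vector, a sender transmits only the records whose versions the receiver has not yet seen, a file changed on both sides since the last exchange is resolved last writer wins, and two different files created under the same name are resolved earliest creator wins, with the loser moved to a Conflict and Deleted list. The member names, file contents and the integer clock standing in for timestamps are constructed; RDC block transfer, the staging folder and the USN journal are not modelled.

```python
"""Simulation of DFS-R style version-vector synchronization with
last-writer-wins and earliest-creator-wins conflict resolution.
Added example; not DFS-R's own code. Member names, timestamps and
file contents are constructed."""
import itertools
from dataclasses import dataclass, field

_clock = itertools.count(1)   # constructed global clock standing in for file timestamps


@dataclass(frozen=True)
class FileRecord:
    uid: str        # stable file identity; survives renames
    name: str
    version: tuple  # (originating member, that member's change counter)
    created: int
    modified: int
    content: str


@dataclass
class Member:
    name: str
    files: dict = field(default_factory=dict)   # uid -> FileRecord
    vv: dict = field(default_factory=dict)      # version vector: member -> highest counter seen
    conflict_and_deleted: list = field(default_factory=list)

    def write(self, uid, name, content):
        """Local create or modify: advance this member's counter and stamp the record."""
        now = next(_clock)
        counter = self.vv.get(self.name, 0) + 1
        self.vv[self.name] = counter
        old = self.files.get(uid)
        self.files[uid] = FileRecord(uid, name, (self.name, counter),
                                     old.created if old else now, now, content)

    def updates_for(self, peer_vv):
        """Sender side of the exchange: only records whose version the peer has not seen."""
        return [r for r in self.files.values()
                if r.version[1] > peer_vv.get(r.version[0], 0)]

    def receive(self, sender, records):
        """Receiver side: apply updates, resolving conflicts as the text describes."""
        for r in records:
            local = self.files.get(r.uid)
            if local and local.version[1] > sender.vv.get(local.version[0], 0):
                # Same file changed on both sides since they last synced: last writer wins.
                if local.modified > r.modified:
                    self.conflict_and_deleted.append(r)
                    continue
                self.conflict_and_deleted.append(local)
            clash = next((f for f in self.files.values()
                          if f.name == r.name and f.uid != r.uid), None)
            if clash:
                # Two different files with the same name: earliest creator keeps the name.
                if clash.created <= r.created:
                    self.conflict_and_deleted.append(r)
                    continue
                self.conflict_and_deleted.append(clash)
                del self.files[clash.uid]
            self.files[r.uid] = r
        # Merge the sender's version vector so these versions are not sent again.
        for member, counter in sender.vv.items():
            self.vv[member] = max(self.vv.get(member, 0), counter)


def sync(a, b):
    """One replication cycle in both directions between two members."""
    b.receive(a, a.updates_for(b.vv))
    a.receive(b, b.updates_for(a.vv))


def run_scenario():
    hub, branch = Member("HUB"), Member("BR1")
    hub.write("u1", "forecast.xlsx", "v1")
    sync(hub, branch)                                   # initial replication
    branch.write("u1", "forecast.xlsx", "branch edit")  # both sites edit the same file
    hub.write("u1", "forecast.xlsx", "hub edit")        # ...the hub writes last
    branch.write("u2", "notes.txt", "branch notes")     # different files, same name
    hub.write("u3", "notes.txt", "hub notes")           # ...created later
    sync(hub, branch)
    return hub, branch


if __name__ == "__main__":
    for m in run_scenario():
        print(m.name, {r.name: r.content for r in m.files.values()}, m.vv)
```

Running the scenario shows the hub's later write to forecast.xlsx winning on both members and the branch's earlier-created notes.txt keeping its name while the hub's copy is moved aside; after the exchange both version vectors are equal and updates_for returns nothing in either direction, which is the property that keeps the metadata exchange small.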

Additional Reading
Distributed File System Replication: Frequently Asked Questions:
http://go.microsoft.com/fwlink/?LinkId=102241&clcid=0x409

DFS Data Storage Scenarios

Key Points
You can configure DFS Replication groups in two ways:
You can use a multipurpose replication group to replicate data between two or
more servers for data availability, publication, or content-sharing scenarios.
This type of replication group uses multimaster replication.
You can use a data collection replication group to replicate data between two
or more servers in a branch office scenario, so that branch office data can be
backed up at the main office (also referred to as a hub site). Data collection
replication groups also use multimaster replication. In this scenario, nobody at
the branch office has to perform backup tasks, and administrators at the main
office can back up and restore data by using the replicated folder. Because the
group is still multimaster, any change made to the hub copy replicates back to
the branch, so it is recommended that you configure permissions to prevent main
office users from modifying the replicated content.

Several key scenarios can benefit from DFS Namespaces and DFS Replication.
These scenarios include:
Sharing files across branch offices
Data collection
Data distribution

Sharing Files Across Branch Offices
Large organizations that have many branch offices often have to share files or
collaborate between these locations. DFS-R can replicate files between branch
offices or from a branch office to a hub site. Having files in multiple branch
offices also benefits users who travel from one branch office to another: the
changes that users make to their files while visiting another branch office are
replicated back to their home branch office.

Note: We recommend this scenario only if users can tolerate some file inconsistencies as
changes are replicated throughout the branch servers. Also note that DFS-R only
replicates a file after it is closed. Therefore, DFS-R is not recommended for replicating
database files or any files that are held open for long periods of time.
Data Collection
DFS technologies can collect files from a branch office and replicate them to a hub
site, thus allowing the files to be used for a number of specific purposes. Critical
data can be replicated to a hub site using DFS-R, and then backed up at the hub
site using standard backup procedures. This increases the branch office data
recoverability if a server fails, because files will be available in two separate
locations and also backed up. Additionally, companies can reduce branch office
costs by eliminating backup hardware and onsite information technology (IT)
personnel expertise. Replicated data also can be used to make branch office file
shares fault-tolerant. If the branch office server fails, clients in the branch office can
access the replicated data at the hub site.
Data Distribution
You can use DFS Namespaces and DFS-R to publish and replicate documents,
software, and other line-of-business data throughout your organization. DFS
Namespaces and folder targets can increase data availability and distribute client
load across various file servers.
Lesson 4
Planning and Implementing Shared Printing

You are undoubtedly familiar with the process of administering printers. However,
in Windows Server 2008, the new Print Services role enables you to share your
attached printers on the network and to centralize print server and network printer
management tasks.
Objectives
After completing this lesson, you will be able to:
Describe the shared printing components.
Describe a print server.
Manage printer drivers.
Manage shared printers with Group Policy.

Overview of Shared Printing

Key Points
To help you plan more effectively for shared printing, it is important to understand
the components and terminology of the shared printing architecture.
Print queue. A logical representation of a physical printer; it is the software
entity that links the printer a user connects to with the print device on which
their output arrives. You can configure the print queue to handle print jobs in a
specified manner. The following options are available in the print queue's
properties:
Always available / Available from. The printer prints output at any time, or
only between the times you designate.
Priority. Jobs arriving at the printer are assigned a priority level from 1
through 99, where 1 is the lowest priority. By default, all jobs are assigned
the lowest priority.

Spool print documents so program finishes printing faster. The print
processor uses a spool folder to hold a print job until the print device is
ready to process it and produce the output.
Start printing immediately. The print device begins to produce output as the
first page spools.
Start printing after last page is spooled. The print device produces no output
until the entire print job has spooled.
Print directly to the printer. Useful only if the printer is connected locally
and has enough memory. This option disables the following four options: Hold
mismatched jobs, Print spooled documents first, Keep printed documents, and
Enable advanced printing features.
Hold mismatched jobs. The spooler holds jobs whose document settings (for
example, the paper type selected in the client application) do not match the
printer's configuration, instead of printing them.
Print spooled documents first. Documents that have finished spooling move ahead
of jobs that are still spooling in the printer queue.
Keep printed documents. Keeps a spool copy of print jobs after they have printed.
Enable advanced printing features. Enables Enhanced Metafile (EMF) spooling,
which results in faster spooling. However, the print job may take longer to
complete. Disabling this setting results in RAW print processing, which may be
more reliable.
New Driver. Use this button to update the printer driver.
Printing Defaults. Configures the default layout and paper-handling options for
print jobs.
Print Processor. Defines the print processor for print jobs.
Separator Page. You can configure a separator page to print between jobs to
help users manage their printouts.

Print spooler. A software component that is responsible for rendering print
jobs so that they can be passed to the physical print device by using the
designated printer port.
Printer ports. The port defines the way in which the physical print device is
attached. A print device may be attached locally, for example by using a
parallel port (LPT1) or a USB port. Alternatively, a print device may be
attached to the network, in which case the port identifies the network path to
the print device; for example, the Standard TCP/IP port enables an administrator
to share a print device that is attached directly to the network by using its IP
address.
Printer driver. The printer driver is device specific and enables the print
spooler and related components to render the output into a format
understandable by the printer.
Print server cluster. To provide for high availability of shared printers, you
can enable print server clustering.

What Is a Print Server?

Key Points
When planning print services, one of the first choices you must make is whether to
allow users to print directly to printers, or whether to share the printers by
using the Print Services role in Windows Server 2008. There are a number of
advantages to creating a print server:
Printer Management. The new Print Services role provides a consolidated and
centralized management console that enables you to perform the following
tasks:
Open and manage active print queues.
Pause and restart printer jobs.
Deploy shared printers by using Group Policy.
Manage printer properties.
Add new printer drivers.
Manage existing printer drivers.
Manage printer forms.
Manage printer ports.
Job redirection. If a user submits a print job to a shared printer, and the print
device servicing that queue goes offline, you can redirect the print job to
another print device without requiring the user to resubmit the job.
Print device pools. For heavy print environments, you can create a shared
printer, and define multiple ports for the printer. The print devices attached to
these ports will share the output.
Prioritize print jobs. You can create multiple printers that point to the same
print device, each with a different priority. This enables jobs with a higher
priority to get printed more quickly.

The main disadvantage of using a print server is that it imposes a load on the
server computer. Processing print jobs (rendering) can be CPU intensive. In
addition, spooling and de-spooling print jobs imposes a load on the disk
subsystem.
Managing Printer Drivers

Key Points
Managing Driver Packages
Printer manufacturers must ensure that their drivers are available in driver
packages that are installed through an INF file. Occasionally, an INF file references
a file that is missing from the driver package. The driver store checks for file
dependencies before importing the driver package. If any of the file dependencies
are missing, the driver package does not load into the driver store.
You can preinstall printer drivers by using the Print Management snap-in on your
print server. Users can then install these drivers with the Add Printer Wizard, or
use the Plug and Play process to install the printer. When you preinstall printer
drivers in this manner, you simplify the process of deploying approved printers,
and subsequently reduce calls to the help desk.
Managing Legacy Printer Drivers
Although Windows Server 2008 includes numerous enhancements to the printing
subsystem, the basic driver model remains unchanged since earlier versions of
Windows Server; therefore, Windows Server 2003 drivers are generally compatible
with Windows Server 2008. However, always check with the printer manufacturer
before using legacy printer drivers.
Using the Pnputil.exe Command
Use the Pnputil.exe command-line tool to manage the driver store. You can use
Pnputil to both add and remove packages from the driver store, and to list third-
party packages already in the store.
Pnputil performs the following tasks:
Add a driver to the driver store.
Add a driver to the driver store, and install the driver in the same operation.
Delete a driver from the driver store.
List all drivers in the driver store.

The Pnputil command-line syntax is shown in the following examples.
Command line                             Details
pnputil.exe -a d:\usbcam\USBCAM.inf      Add the package specified by USBCAM.inf.
pnputil.exe -a c:\drivers\*.inf          Add all packages in C:\drivers.
pnputil.exe -i -a a:\folder\device.inf   Add and install a driver package.
pnputil.exe -e                           List all third-party packages.
pnputil.exe -d oem0.inf                  Delete package oem0.inf.
pnputil.exe -f -d oem0.inf               Force deletion of package oem0.inf, even if a
                                         device is still using it.
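The following is an added example, not part of the course or of Pnputil itself: a script that parses the output of `pnputil.exe -e` and flags third-party packages that are unsigned or whose provider is not on an approved list, and builds the `pnputil.exe -d` command lines you would review before running them. The record layout (Published name, Driver package provider, Class, Driver date and version, Signer name) is assumed to match the Windows Server 2008 tool, and the three packages in the sample output are constructed.

```python
"""Parse `pnputil.exe -e` output and audit third-party driver packages.
Added example; not part of the course or of pnputil. The record layout is
assumed to match Windows Server 2008; the sample packages are constructed."""
import re

# Constructed sample of `pnputil.exe -e` output.
SAMPLE_OUTPUT = """\
Microsoft PnP Utility

Published name :            oem0.inf
Driver package provider :   Hewlett-Packard
Class :                     Printers
Driver date and version :   01/15/2009 61.63.461.43
Signer name :               Microsoft Windows Hardware Compatibility Publisher

Published name :            oem1.inf
Driver package provider :   Contoso Imaging
Class :                     Printers
Driver date and version :   03/02/2008 1.0.0.7
Signer name :

Published name :            oem2.inf
Driver package provider :   Intel
Class :                     Network adapters
Driver date and version :   11/05/2009 11.5.10.0
Signer name :               Microsoft Windows Hardware Compatibility Publisher
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")


def parse_pnputil_enum(text):
    """Return one dict per published package, keyed by lower-cased field name."""
    packages, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue                      # banner line or blank separator
        key = m.group("key").strip().lower()
        value = m.group("value").strip()
        if key == "published name":       # a new record starts here
            if current:
                packages.append(current)
            current = {}
        current[key] = value
    if current:
        packages.append(current)
    return packages


def audit(packages, approved_providers):
    """Map published name -> reasons the package should be reviewed."""
    findings = {}
    for p in packages:
        reasons = []
        if not p.get("signer name"):
            reasons.append("unsigned (blank Signer name)")
        provider = p.get("driver package provider", "")
        if provider not in approved_providers:
            reasons.append(f"provider '{provider}' not on the approved list")
        if reasons:
            findings[p["published name"]] = reasons
    return findings


def removal_commands(findings):
    """pnputil command lines that would remove each flagged package (not executed here)."""
    return [f"pnputil.exe -d {name}" for name in sorted(findings)]


if __name__ == "__main__":
    pkgs = parse_pnputil_enum(SAMPLE_OUTPUT)
    flagged = audit(pkgs, {"Hewlett-Packard", "Intel"})
    for name, reasons in flagged.items():
        print(name, "->", "; ".join(reasons))
    print("\n".join(removal_commands(flagged)))
```

Capture real output with `pnputil.exe -e > drivers.txt` and pass the file contents to parse_pnputil_enum; a blank Signer name is the cue that a package entered the driver store without a trusted signature, which is worth checking on any print server that accepts driver uploads from clients.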

Managing Printers with Group Policy

Key Points
Publishing
When you create and share a printer, you can optionally decide to list the printer
in Active Directory; this is known as publishing. Publishing makes it easier for
users to locate printers by searching for them.
Printer Locations
When you publish a printer, you can associate the printer with a location; this is a
multipart name that defines the physical location of the printer. In order to use
printer location strings, you must also define locations for your site and subnet
objects in Active Directory; this enables a client computer to determine its physical
location based on its IP configuration.
Names should be representative of the physical locations. Additionally, when
planning your naming structure, remember the following facts:
Location names are in the form name/name/name/name/. The forward slash
is the separator for each element of the name.
A name can consist of any characters except for forward slash.
The number of levels to a name is limited to 256.
The maximum length of a name element is 32 characters.
The maximum length of an entire location name is 260 characters.

For example, if you have configured a site with the location string Head
Quarters, it contains a subnet with the location string Head Quarters/Floor6,
and you have a printer in room 3 on that floor, you might associate the location
string Head Quarters/Floor6/room3 with the printer. Users can then search by
location, and you can also enable the Group Policy setting that prepopulates the
printer location search dialog box with the current computer's location.
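The following is an added example, not part of the course, that checks printer location strings against the five naming rules above, derives a client's location from its IP address in the way the site and subnet location attributes allow, and lists the printers at or below that location, nearest first. The subnet and printer tables are constructed, and case-insensitive matching of location elements is an assumption.

```python
"""Printer location strings: validation, client location from IP address, and
nearest-printer lookup. Added example; not part of the course. The subnet and
printer tables are constructed; case-insensitive matching is an assumption."""
import ipaddress

MAX_LEVELS, MAX_ELEMENT_LEN, MAX_TOTAL_LEN = 256, 32, 260

SUBNET_LOCATIONS = {            # constructed: AD subnet object -> its Location attribute
    "10.1.0.0/16": "Head Quarters",
    "10.1.6.0/24": "Head Quarters/Floor6",
    "10.2.0.0/16": "Seattle Branch",
}

PRINTERS = {                    # constructed: published printer -> its location string
    "HQ-F6-R3-LaserJet": "Head Quarters/Floor6/room3",
    "HQ-F6-Color": "Head Quarters/Floor6",
    "HQ-F60-Plotter": "Head Quarters/Floor60/room1",
    "SEA-MFP": "Seattle Branch/Floor1",
}


def split_location(location):
    """Elements of a location string; a trailing slash is allowed by the naming form."""
    return location.rstrip("/").split("/")


def validate_location(location):
    """Return the naming rules a location string violates (empty list means valid)."""
    problems = []
    if len(location) > MAX_TOTAL_LEN:
        problems.append(f"total length {len(location)} exceeds {MAX_TOTAL_LEN}")
    elements = split_location(location)
    if "" in elements:
        problems.append("empty element (leading slash or '//')")
    if len(elements) > MAX_LEVELS:
        problems.append(f"{len(elements)} levels exceed {MAX_LEVELS}")
    for e in elements:
        if len(e) > MAX_ELEMENT_LEN:
            problems.append(f"element '{e}' has {len(e)} characters; limit is {MAX_ELEMENT_LEN}")
    return problems


def client_location_from_ip(ip, subnet_locations=SUBNET_LOCATIONS):
    """Location of the most specific subnet containing the client's address, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, location in subnet_locations.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, location)
    return best[1] if best else None


def printers_near(client_location, printers=PRINTERS):
    """Printers whose location lies at or below the client's, nearest first.
    Matching is element-wise, so 'Floor6' does not match 'Floor60'."""
    client = [e.casefold() for e in split_location(client_location)]
    matches = []
    for name, location in printers.items():
        parts = [e.casefold() for e in split_location(location)]
        if parts[:len(client)] == client:
            matches.append((len(parts) - len(client), name))
    return [name for _, name in sorted(matches)]


if __name__ == "__main__":
    for name, location in PRINTERS.items():
        print(name, validate_location(location) or "ok")
    where = client_location_from_ip("10.1.6.25")
    print(where, "->", printers_near(where))
```

Element-wise comparison matters: a plain string prefix test would offer the Floor60 plotter to a client on Floor6, and the longest-prefix subnet match is what lets a more specific subnet (Floor6) override the site-wide location (Head Quarters).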
Deploying Printers
Rather than install and configure the printer on each client computer, you can
use Group Policy to deploy shared printers. You can do this either from the Group
Policy Management console or from the Print Management snap-in. Deploying
printers in this way makes the shared printer available on client computers
without installing it manually on each one.
Lab: Planning File and Print Services


Note: Your instructor may run this lab as a class discussion.
Adatum has a number of new sales offices in the western region. Allison Brown, the
IT manager, has asked you to look into deploying the necessary server roles to
support users in the region. The sales department users access a number of shared
folders at the head office location, and want access to that content in the regional
branch offices. In addition, you determine that storage management is a concern in
the regions; the branch servers will be deployed with DAS, and ensuring that they
do not run out of disk space is an important factor in your plans.
Exercise 1: Planning File and Print Services for a Branch
Office
Scenario
Your colleague, Alan Steiner, has been in discussion with Joe Healy, the Sales
manager. You contact Alan with some additional questions.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Update the Sales Branch Offices: File and Print Services document with your
proposals.

Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Sales Branch Offices: File and Print Services
document with your proposals
Answer the questions in the Sales Branch Offices: File and Print Services
document.

Supporting Documentation
E-mail thread of correspondence with Alan Steiner:
Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 11 October 2009 08:41
To: Gregory@adatum.com
Subject: Re: Sales offices: file and print services
Attachments: Requirements.doc
Greg,
Yes, Joe and I had a meeting and he sent over the attached document. I've added
my comments, so it should have all the information you require.
Regards
Alan.
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 10 October 2009 17:10
To: Alan@adatum.com
Subject: Sales offices: file and print services
Alan,
I'm trying to determine which server roles I need to deploy to the regional sales
offices. I know you've been talking to Joe Healy. Rather than me repeat all the same
questions, what information did he provide about the way the department shares
its data?
Regards,
Greg
Requirements.doc
Alan,
As promised an overview of what we require at the branches.

We have a sales database, and that's in the process of being consolidated;
currently, it's distributed across a couple of disparate systems.
We also have some shared folders on the main sales server in the head office. We'd
like to get local copies of the content in these shared folders out to the regional
offices. In addition, any changes made at either end should be synchronized in
some way.
These shared folders have become quite a headache of late, and users are
having problems remembering the UNC names; it would be great if we could have
a single UNC to access all shared content from.
Recently, users have been copying all sorts of inappropriate files into the shared
folders; I don't think it's malicious, just ill informed. The result is a badly
structured folder hierarchy. I'd like to impose limitations on what type of files can
be stored, and where.
We've been running short on server storage space. I know you're planning a SAN
for each branch office as the sales teams move out to the regions; but that's not
going to help us short-term. We need to be efficient in disk consumption, so I'd
like a way of preventing users consuming too much space.
Joe Healy, Sales Manager

Additional comments added [Alan Steiner, IT Department]
I've investigated the database issue; it won't affect us on your initial roll-out.
We should prevent executable files from being placed in the data areas because
these seem to be the main problem.
200 MB is ample storage for each user in the shared data area; few, if any, are using
more than around 100 MB.
The shared folder should follow corporate standards regarding permissions; that
is, Modify permissions granted to the appropriate global group.
We should be thinking about easy ways to deploy printers to these regions.
Alan Steiner, IT

Sales Branch Offices: File and Print Services
Document Reference Number: GW1510/1
Document Author
Date
Gregory Weber
15 October
Requirement Overview
Deploy the required services to the branch sales offices to meet the needs outlined in
the Requirements document.
Additional Information
The requirements are summarized as follows:
Deploy server roles to support file and print services.
Create a single UNC name to allow access to all sales shared resources. This single
UNC name should not be a single point of failure.
Provide for a means of synchronizing data between the branch and head office
sales shared folders.
Impose restrictions to prevent creation of executable files in data areas.
Impose hard limit on amount of disk space each user can consume in the data
folder.
Deploy printers to client computers quickly and easily.
Proposals
1. What server roles will you need to deploy to the branch servers to satisfy these
requirements?


2. Will you need to make any changes to the infrastructure at the head office to
support these requirements?


3. What folder and shared folder permissions would you recommend for sales data
areas?



(continued)
Sales Branch Offices: File and Print Services
Proposals (continued)
4. How will you address the requirement for a single UNC name for all sales shared
resources and avoid a single point of failure?


5. How will you synchronize the sales data at each location?


6. What role or feature enables you to impose a restriction on the types of files that
users can create in designated folders?


7. What role or feature enables you to impose a restriction on the disk space users
can consume in designated folders?


8. Provide additional details about the specifics of the process you will use to
provide for the previous two requirements:


9. How do you intend to deploy printers to client computers?



Results: After this exercise, you should have a completed Sales Branch Offices: File and
Print Services document.

Exercise 2: Implementing File and Print Services in a Branch
Office
Scenario
Your proposal for file and print services for the sales branch offices has been
approved. You must now implement a subset of your plan at a branch office.
The main tasks for this exercise are as follows:
1. Start the virtual machines, and log on.
2. Deploy the necessary server roles to support your plan.
3. Create, secure, and share data folders for the sales department.
4. Configure a DFS namespace.
5. Configure DFS-R to support your plan.
6. Configure FSRM to support your plan.
7. Deploy a shared printer for the branch office.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
7. Log on to 6430B-SEA-CL1 as ADATUM\Joe with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Deploy the required server roles at the branch server
1. Switch to the SEA-SVR1 computer.
2. Open Server Manager.
3. Add the following roles and role services:
   File Services
      File Server
      Distributed File System. Click Create a namespace later using the DFS Management snap-in in Server Manager.
      File Server Resource Manager
   Print Services
      Default
4. Close Server Manager.

Task 3: Add additional role services on the SEA-DC1 computer
1. Switch to the SEA-DC1 computer.
2. Open Server Manager.
3. Add the Distributed File System role service to the File Services role.
Click Create a namespace later using the DFS Management snap-in in
Server Manager.
4. Close Server Manager.

Task 4: Create, secure, and share the Sales-data folders
1. On SEA-DC1, create a folder called D:\Sales-data.
2. Modify the default security:
Remove the ADATUM\Users permission from the folder.
Grant ADATUM\SalesGG Modify access on the folder.
3. Share the folder:
Share name: Sales-data
Shared permissions: Everyone Full Control
4. Close all open windows.
5. On SEA-SVR1, create a folder called C:\Sales-data.
6. Modify the default security:
Remove the ADATUM\Users permission from the folder.
Grant ADATUM\SalesGG Modify access on the folder.
7. Share the folder:
Share name: Sales-data
Shared permissions: Everyone Full Control
8. Close all open windows.

Task 5: Configure a DFS namespace
1. Switch to the SEA-DC1 computer.
2. Open DFS Management.
3. Create a new namespace with the following properties:
Server to host namespace: SEA-DC1
Name: Sales
Type: Domain-based namespace

Task 6: Add a namespace server
1. Add a new namespace server to the \\Adatum.com\Sales namespace:
Server name: SEA-SVR1
2. In DFS Management, expand Namespaces, click \\Adatum.com\Sales, and
then in the results pane click the Namespace Servers tab. Verify that two
servers are listed.

Task 7: Add a DFS folder
1. In DFS Management, in the navigation tree, right-click \\Adatum.com\Sales,
and then click New Folder.
2. Create a new folder with the following properties:
Name: Corporate Sales Data
Folder target: \\sea-dc1\sales-data

Task 8: Add a folder target
In DFS Management, right-click Corporate Sales Data, and then click Add
Folder Target:
Path to folder target: \\sea-svr1\sales-data
You are prompted to establish replication. In the Replication dialog box,
click Yes.

Task 9: Create a Replication group
1. In the Replicate Folder Wizard, click Next.
2. On the Replication Eligibility page, click Next.
3. Use the following information to complete the process:
Primary member: SEA-DC1
Topology selection: Full mesh
Replication Group Schedule: defaults
4. In the Replication Delay dialog box, click OK.
5. Close DFS Management.

Task 10: Configure quotas on the branch server
1. Switch to the SEA-SVR1 computer.
2. Open File Server Resource Manager.
3. Create a new quota with the following properties:
Quota path: C:\Sales-data
Select Auto apply template and create quotas on existing and new
subfolders.
Quota template: 200 MB Limit Reports to User

Task 11: Configure a file screen for the branch server
In File Server Resource Manager, create a new file screen with the following
properties:
File screen path: C:\Sales-data
Block executable files

Task 12: Configure FSRM options
1. In the navigation tree, right-click File Server Resource Manager (Local), and
then click Configure Options.
2. Scroll along the tabs, and then click the File Screen Audit tab.
3. Select the Record file screening activity in auditing database check box, and
then click OK.

Task 13: Test the file screen settings
1. Switch to the SEA-CL1 computer.
2. Map drive letter Z to \\sea-svr1\sales-data.
3. Open a command prompt and execute the following commands:
Z:
Copy c:\windows\*.exe
Question: Were you successful?
4. Switch to the SEA-SVR1 computer.
5. In File Server Resource Manager, click Storage Reports and Management.
6. In the action pane, click Generate Reports Now.
7. Create a new report with the following properties:
Folder name: C:\Sales-data
Reports to generate: File Screen Audit
In the Generate Storage Reports dialog box, click OK.
Question: In Internet Explorer, examine the report. Which user attempted to
create executables in the C:\Sales-data folder?
8. Close all open windows.
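A scripted equivalent of Tasks 4, 10 and 11 on SEA-SVR1, added here as an example and not part of the course lab: it uses the icacls, net share, dirquota and filescrn command-line tools that ship with Windows Server 2008 (their switches are assumed from the tools' documented syntax), then checks locally that the file screen rejects an executable, as Task 13 does from the client. Folder, share, group and template names are the lab's own; the probe file name is constructed. Requires an elevated PowerShell 2.0 or later session.

```powershell
# Added example (not from the 6430B lab): script the branch file server
# configuration from Tasks 4, 10 and 11 with the Windows Server 2008
# command-line tools. Run elevated on SEA-SVR1 after the File Services and
# File Server Resource Manager role services are installed.

$Folder     = 'C:\Sales-data'
$ShareName  = 'Sales-data'
$SalesGroup = 'ADATUM\SalesGG'
$UsersGroup = 'ADATUM\Users'
# Default FSRM template names as shipped with Windows Server 2008.
$QuotaTemplate  = '200 MB Limit Reports to User'
$ScreenTemplate = 'Block Executable Files'

function Invoke-Tool {
    # Runs an external command and stops the script if it fails, so a
    # half-applied configuration (for example a folder shared before its
    # NTFS ACL is tightened) is never left behind silently.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe $Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Task 4: create the folder, then tighten NTFS permissions BEFORE sharing it.
if (-not (Test-Path $Folder)) {
    New-Item -Path $Folder -ItemType Directory | Out-Null
}

# Convert inherited ACEs to explicit ones so the inherited Users entry can be
# removed, then grant the sales group Modify on the folder, subfolders and files.
Invoke-Tool 'icacls.exe' @($Folder, '/inheritance:d')
Invoke-Tool 'icacls.exe' @($Folder, '/remove:g', $UsersGroup)
Invoke-Tool 'icacls.exe' @($Folder, '/grant', "$($SalesGroup):(OI)(CI)M")

# Share permissions stay at Everyone Full Control as in the lab. Effective
# access is the more restrictive of share and NTFS permissions, so the NTFS
# ACL above is what actually limits the share to the sales group.
Invoke-Tool 'net.exe' @('share', "$ShareName=$Folder", '/GRANT:Everyone,FULL')

# Task 10: auto-apply the quota template to the folder and all subfolders.
Invoke-Tool 'dirquota.exe' @('autoquota', 'add', "/Path:$Folder",
                              "/SourceTemplate:$QuotaTemplate")

# Task 11: block executable files in the folder (active screening).
Invoke-Tool 'filescrn.exe' @('screen', 'add', "/Path:$Folder",
                              "/SourceTemplate:$ScreenTemplate")

function Test-FileScreen {
    # Verifies the screen the way Task 13 does, but locally: creating a file
    # with a blocked extension must fail with Access Denied. Returns $true
    # when the screen is enforced. The probe file name is constructed.
    param([string]$Path)
    $probe = Join-Path $Path 'screen-probe.exe'
    try {
        Set-Content -Path $probe -Value 'not a real executable' -ErrorAction Stop
        Remove-Item $probe -Force   # screen is NOT enforced; clean up
        return $false
    } catch {
        return $true
    }
}

if (Test-FileScreen $Folder) {
    Write-Host "File screen on $Folder is enforced."
} else {
    Write-Warning "File screen on $Folder did NOT block an .exe; check FSRM."
}
```

Each blocked attempt is also written to the FSRM auditing database once Task 12 is done, which is what the File Screen Audit report in Task 13 reads.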

Task 14: Deploy a shared printer with group policy
1. On SEA-SVR1, open Print Management.
2. Add a new printer to SEA-SVR1 with the following properties:
Add a new printer using an existing port: LPT1: (Printer Port).
Manufacturer: Canon
Type: Canon Inkjet MP700
On the Printer Name and Sharing Settings page, click Next.
On the Printer Found page, click Next, and then click Finish.
3. Right-click Canon Inkjet MP700, and then click Deploy with Group Policy.
4. Locate and select the Default Domain Policy.
5. In the Deploy with Group Policy dialog box, select the The users that this
GPO applies to (per user) check box, and then click Add and OK.
6. In the Printer Management dialog box, click OK.
7. Click OK to close the Deploy with Group Policy dialog box.

Task 15: Test the printer deployment
1. Switch to the SEA-CL1 computer.
2. Refresh the group policy, and then log off.
3. Log on to 6430B-SEA-CL1 as ADATUM\Joe with the password Pa$$w0rd.
4. Click Start, click Control Panel, and then click Printers.
Question: Is the Canon printer listed?
5. Close all open windows.

Results: After this exercise, you should have successfully configured file and print
services for the branch office.
To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module Review and Takeaways

Review Questions
1. Which File Services server role supports UNIX users?

2. Why is using Public folder sharing inappropriate for many organizations?

3. Do you need to enable network discovery to be able to map network drives?

4. What RAID configuration would you recommend to provide a good balance
between fault tolerance and performance for an organization on a tight
budget?

5. Why would you implement a soft quota limit?

6. What notifications can you configure for when users approach their quota
thresholds?

7. What is the benefit of using templates for file screens or quotas?

8. What are the primary benefits of a SAN over DAS?

9. What is the primary advantage of a domain-based DFS namespace?

10. How can fault tolerance of the content in a DFS namespace be provided?

Planning Server and Network Security 7-1
Module 7
Planning Server and Network Security
Contents:
Lesson 1: Overview of Defense-in-Depth 7-3
Lesson 2: Planning for Windows Firewall with Advanced Security 7-11
Lesson 3: Planning Protection Against Viruses and Malware 7-24
Lesson 4: Planning Remote Access 7-38
Lesson 5: Planning for NAP 7-45
Lab: Planning Server and Network Security 7-59
Module Overview

Maintaining security is an essential part of server and network management. One
way to analyze security requirements and solutions is by using the Defense-in-Depth
model. After identifying security requirements, you can use Windows
Server 2008 features such as Windows Firewall with Advanced Security and
Network Access Protection (NAP) to help secure your servers and network. When
planning server and network security, you must determine how to prevent viruses
and malware from entering your network. For remote users, you must determine
what type of VPN should be used.
Objectives
After completing this module, you will be able to:
Describe Defense-in-Depth.
Plan for Windows Firewall with Advanced Security.
Plan protection against viruses and malware.
Manage remote access.
Plan for NAP.
Lesson 1
Overview of Defense-in-Depth

The Defense-in-Depth model is a layered approach for analyzing network security.
It can be used to identify both risks and methods for mitigating those risks. The
layered approach allows you to see how mitigation methods can be combined for
greater security.
Objectives
After completing this lesson, you will be able to:
Describe the layers of the Defense-in-Depth model.
Describe how to use Defense-in-Depth to identify risks.
Describe how to use Defense-in-Depth to mitigate risks.

What Is Defense-in-Depth?

Key Points
Defending your organization in depth means that you apply a combination of
people, processes, and technology to protect against threats at each layer. If one
layer is compromised, the protections for other layers are still in place. Using a
layered approach increases the probability of detecting an attacker and reduces the
probability that an attack will be successful. As a general guideline, design and
build each layer of security under the assumption that every other layer has been
breached.
The layers of the Defense-in-Depth model are:
Policies, procedures, and awareness. This layer refers to the policies put in
place by the organization to protect data and other network resources. For
example, there could be a policy that dictates that USB drives are not to be
brought in from outside the organization. Many policies and procedures are
not enforceable with technology. In many cases, you rely on staff to follow the
rules. This layer affects all other layers because the policies and procedures
you create will be related to protecting the resources defined in the other
layers.
Physical security. This layer refers to restricting physical access to network
resources. For example, the server room should be kept locked, and wiring for
the network backbone should not be physically accessible to unauthorized
people. As with the policies, procedures, and awareness layer, this layer affects
the resources defined in all other layers.
Perimeter. This layer refers to the connectivity points between the
organization and other information systems. This includes the Internet and
partner networks.
Internal network. This layer refers to the overall internal network of an
organization. This includes LAN and WAN components such as switches and
routers.
Host. This layer refers to the individual client and server computers on the
network. The operating system of each host is included in this layer.
Application. This layer refers to the applications that run on network hosts.
Client applications such as Microsoft Office are included here. Server
applications such as Microsoft Exchange Server are also included here.
Data. This layer refers to the data stored on the network. Data stored in file
shares is included here. Data in other locations such as databases is also
included.

How to Use Defense-in-Depth to Identify Risks

Key Points
Some of the risks associated with Defense-in-Depth layers are:
Data. Any unauthorized or accidental access to data is a risk. This access can
include modification of data, deletion of data, or just viewing data.
Application. Loss of application functionality through denial of service is one
risk. However, a flawed application can also create risks for other layers, for
example, accidental data corruption.
Host. Operating system flaws are one source of risk. However, default
configuration options and weak passwords are also a risk. Failure of computer
components would also be included here.
Internal network. Risks on the internal network include packet sniffing and
unauthorized use of wireless networks. Visiting consultants who connect to
the network are also a source of risk, as is simple failure of network
components.
Perimeter. One source of risk is anonymous Internet users attempting to
break into your network or perform denial of service attacks. Partner networks
can also be a source of risk if their internal networks are compromised.
Physical security. The general rule of thumb for physical security of computer
networks is that any computer system that can be physically accessed is
vulnerable to utilities that can reset the Administrator password. This can be
done very quickly from a boot CD. Another risk is that a computer with data
can be stolen. Even accidental damage to exposed network components is a
concern (as could happen, for example, if a computer under a desk gets
kicked). Other more unusual risks related to physical security include flood
and fire.
Policies, procedures, and awareness. One risk is that staff do not follow the
policies and procedures that have been defined. This may be because they do
not see the benefit or because they are not aware of the policies and
procedures.

How to Use Defense-in-Depth to Mitigate Risks

Key Points
When you perform risk analysis, you need to consider the value of each asset, the
cost of downtime, and the likelihood of a risk occurring. After you have identified
all of the risks, you can begin to identify methods to mitigate those risks.
Eventually, after the risks and their mitigation methods have been identified, you
can select the mitigation methods that you want to implement.

Note: Elimination of risk is not a realistic goal for computer security. The goal should be
to mitigate risk in a cost-effective way based on your risk analysis.
Some ways to mitigate risk for the different layers of Defense-in-Depth are:
Data. To protect data, you can use ACLs, NTFS permissions, share permissions,
EFS, BitLocker, and DRM.
Application. To protect applications, you should apply all security updates
when they become available. You should also configure applications securely,
for example, by restricting the execution of ActiveX controls in Internet
Explorer. Finally, antivirus software should be used.
Host. For the operating system, you should apply security updates when they
become available. You should also configure your operating system in the
most secure way possible. For example, disable any unnecessary services. NAP
can be used to ensure that only healthy hosts connect to the network.
Internal network. Segmenting the network into multiple parts increases
security by allowing you to control communication between the segments. You
could place different departments on different segments. IPsec encrypts
network communication to ensure that it cannot be read by anyone with a
packet sniffer. Intrusion detection software monitors the network to identify
unusual activity.
Perimeter. The primary way to secure the perimeter of the network is by using
firewalls and proxy servers. However, virtual private networks are also used to
secure communication between remote users on the Internet and the
corporate network.
Physical security. The primary mechanism for enforcing physical security is
simply locking doors to prevent access to essential network components.
However, you can also use tracking devices for mobile hardware such as
laptops.
Policies, procedures, and awareness. When policies and procedures are
introduced in an organization, the goal is to get employees to follow them. The
simplest method is user education. Employees will not follow procedures that
they do not know exist. However, when policies are well known and not being
followed, some type of disciplinary measure may be required.

Discussion: Security Implementation

Key Points
Every organization evaluates security risks and asset values differently. With your
instructor, discuss the measures that your organization has in place to mitigate risk
at each layer of the Defense-in-Depth model.
Lesson 2
Planning for Windows Firewall with Advanced
Security

Windows Firewall with Advanced Security can be used to protect both clients and
servers on your network by implementing a firewall on each host. You must
determine the rules that will be used to protect the computers on your network.
This includes the inbound rules, outbound rules, and connection security rules.
After you have determined the rules to be implemented, you must determine how
the rules will be created and applied to each computer.
Objectives
After completing this lesson, you will be able to:
Describe the considerations for types of rules.
Describe the considerations for configuring rule options.
Describe the considerations for connection security rules.
Describe IPsec isolation.
Describe the considerations for applying rules.

Considerations for Types of Rules

Key Points
Windows Firewall with Advanced Security is an updated version of the Windows
Firewall that first appeared in Windows XP. One of the major updates is the
inclusion of outbound rules and connection security rules.
The types of rules are:
Inbound. These rules control the network connections that the local computer
will accept from other computers. By default, all inbound connections are
blocked.
Outbound. These rules control the network connections that the local
computer can make with other computers. By default, all outbound
connections are allowed.
Connection security. These rules are a replacement for the IPsec rules in
previous versions of Windows. They are used to create and control IPsec
connections between computers.

Considerations for the rule types are:
Block all inbound connections by default. This keeps a computer secure by
allowing only known connection types.
Create inbound rules to allow access to local applications when necessary. For
example, if a server application has been installed that uses port 8000, create a
new inbound rule that allows connections to port 8000.
Use outbound rules to prevent communication with specific software. For
example, you can create an outbound rule that prevents users from accessing
an internal accounting Web server. You can also block a file-sharing
application.
To increase security, prevent outbound connections by default. This option
prevents unknown software on computers from communicating with other
computers. By doing this, you can prevent malware from spreading in your
organization because the malware on the infected computer will not be able to
create connections to other computers. However, there will be significant
administrative work to identify all of the allowed applications and create rules
that allow them to communicate on the network.
Use connection security rules to secure communication between computers.
The IPsec protocol initiated by using connection security rules encrypts
communication between computers to enhance security.

Considerations for Rule Configuration Options

Key Points
The rules you create in Windows Firewall with Advanced Security have a number
of options that can be configured. Unlike with some firewalls, with Windows
Firewall with Advanced Security the options for configuration are not limited to
just port-based rules. The rules can also be created for specific programs.
Windows Firewall with Advanced Security also recognizes different network
profiles. Windows Vista and Windows Server 2008 recognize each unique
network that you connect to based on the Media Access Control (MAC) address of
the default gateway. Each network can be given a name and is assigned a profile.
The profiles are:
Public. This profile is meant to be used on publicly accessible networks. It is
typically used for laptop users that roam in public locations such as hotels.
Private. This profile is meant to be used on private networks where other
computers are known and secure. It is used for trusted locations such as a
home network or a corporate network.
Domain. This profile is automatically assigned to any network that provides
authentication to a joined domain. In most cases, this will apply to computers
on a corporate network.

Considerations for rule configuration options are:
Simplify configuration by using program-based rules. Many applications that
create outbound connections use randomized port numbers. When
randomized port numbers are used, it is not possible to block the application
by port number. However, blocking the program is possible.
Use port-based rules when it is not possible to create program-based rules. For
example, Internet Information Services (IIS) cannot be blocked with a
program-based rule. For IIS you must create port-based rules.
Select the proper profile for rules. If you apply a rule to the wrong profile, it
will not be used. For example, a member server on an internal network will be
using the domain profile. An IIS exception for the member server must be
created for the domain profile or it will never be used by the server.
Train roaming users to select the correct profile for a new network. The first
time a roaming user connects his or her laptop to a new network, he or she
will be prompted to select a profile to use. Training the roaming users ensures
that they select the appropriate profile to protect their laptops. This helps
prevent data from being stolen from their computers and prevents them from
bringing malware back to the corporate network.
Use the Scope option to limit rules to specific IP addresses and IP address
ranges. You can use this to provide only part of your network with access to an
application. For example, if the human resources department is limited to a
specific IP address range, you can configure the inbound rule for the human
resources application on a server to allow only requests from that specific IP
address range.
Use the Interface Types option to apply rules only to wireless network or
remote access connections. Wireless networks and connections to remote
networks via remote access may be less secure than a corporate network. This
option allows you to enhance security for these types of connections.
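
The rule options discussed above, created from a script with netsh advfirewall (the scriptable interface available on Windows Server 2008). This is an added example, not part of the course; the program path, the HR subnet 10.20.30.0/24 and the rule names are assumptions.

```powershell
# Added example: program-based, port-based (scoped) and interface-type firewall rules
# created with "netsh advfirewall firewall add rule". Paths and addresses are assumptions.

function Invoke-AdvFirewall {
    # Runs one "netsh advfirewall" command and stops on the first failure, so a
    # partially applied rule set does not go unnoticed.
    param([string[]]$Arguments)
    $output = & netsh advfirewall $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw ("netsh advfirewall {0} failed:`n{1}" -f ($Arguments -join ' '), ($output -join "`n"))
    }
    $output
}

function Test-FirewallRule {
    # Returns $true when a rule with this exact name exists on the host.
    param([string]$Name)
    $null = netsh advfirewall firewall show rule "name=$Name"
    return ($LASTEXITCODE -eq 0)
}

# 1. Program-based rule. The application (hypothetical path) picks randomized outbound
#    ports, so it cannot be blocked by port number, but it can be blocked by program.
Invoke-AdvFirewall @('firewall', 'add', 'rule', 'name=Block ExampleShare client', 'dir=out',
    'action=block', 'program=C:\Program Files\ExampleShare\exampleshare.exe', 'profile=any')

# 2. Port-based rule for IIS (a program-based rule cannot be used for IIS). The Scope
#    option (remoteip) limits it to the HR subnet, and it is bound to the domain profile,
#    which is the profile a member server on the internal network actually uses.
Invoke-AdvFirewall @('firewall', 'add', 'rule', 'name=HR web app (TCP 443 from HR subnet)',
    'dir=in', 'action=allow', 'protocol=TCP', 'localport=443', 'remoteip=10.20.30.0/24',
    'profile=domain')

# 3. Interface Types option: a stricter rule that applies only to wireless interfaces
#    (interfacetype=ras would target remote access connections instead).
Invoke-AdvFirewall @('firewall', 'add', 'rule', 'name=Block inbound SMB on wireless', 'dir=in',
    'action=block', 'protocol=TCP', 'localport=445', 'interfacetype=wireless',
    'profile=private,public')

# Verify that each rule actually landed on the host.
$expected = @(
    'Block ExampleShare client'
    'HR web app (TCP 443 from HR subnet)'
    'Block inbound SMB on wireless'
)
foreach ($name in $expected) {
    if (-not (Test-FirewallRule $name)) { throw "Rule '$name' was not created" }
    Write-Host "OK: $name"
}
```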

Considerations for Connection Security Rules

Key Points
Windows Vista and Windows Server 2008 include connection security rules as a
replacement for IPsec rules. When connection security rules are used, the
communication between computers is authenticated.
There are several types of connection security rules:
Isolation rules are used to prevent unauthorized computers from
communicating with each other. Domain isolation can be implemented with
these rules.
Server-to-server rules authenticate, and possibly encrypt, communication
between two hosts. These are typically used to secure communication between
a few hosts because you specify endpoints (IP addresses) that the rules apply
to.
Tunnel rules are used when Windows Server 2008 computers act as routers
and IPsec is used to secure communication between them.
Authentication exemptions are used to allow operating systems that do not
support IPsec to communicate on the network. The exemptions are to an
existing rule.
Custom rules are used to create unique rules that do not match any of the types
available in the wizard. All configuration options are available in the wizard
when you create custom rules.

Some of the considerations for using connection security rules are:
Compatible connection security rules must exist on both hosts to create an
IPsec connection. For example, authentication must be configured in the same
way.
Connection security rules apply to all traffic between hosts, not just traffic
generated on specific ports or by specific applications.
When a connection security rule is in place, other rules can be enforced based
on the user or computer. This allows increased flexibility to restrict access to
some applications by user or computer rather than by IP address. This avoids
problems with changing IP addresses due to dynamic IP addressing.
Use Kerberos authentication to allow both user and computer authentication.
Kerberos is based on domain authentication and requires no additional
configuration. However, it is only suitable for computers that are members of
the domain.
Avoid applying IPsec rules and connection security rules to the same
computer. IPsec policies and connection security rules can be applied at the
same time, but this is not recommended because the two can conflict. When
there is a conflict, it is difficult to determine where the problem is occurring.
Test thoroughly before implementation to ensure that all computers are
configured properly. The best practice is to request IPsec authentication and
verify functionality before requiring IPsec authentication.
Use IPsec only where required as part of your security plan. Using IPsec
increases the complexity of your network and should not be done without a
defined purpose.

What Is Server and Domain Isolation?

Key Points
Server and domain isolation are systems that use IPsec to segment and isolate parts
of a network. Computers on the isolated network ignore all requests from
computers outside the isolated network. The isolated network is created by using
isolation connection security rules and requiring authentication for inbound
connections.
All computers in the isolated network must be part of a domain. This is because
Kerberos will be used to provide authentication that identifies the computers. This
allows access to computers on the isolated network to be enforced based on the
identity of the computers. Exceptions can be created for specific hosts that do not
support IPsec or are not members of the domain by using authentication
exemption connection security rules.
Domain isolation restricts communication to computers that are members of the
domain. This prevents unauthorized access to hosts on your network. For
example, a visiting consultant who connects a laptop to your network would not
be able to communicate with any of the computers in the domain.
Server isolation restricts communication to computers that are part of the same
workgroup. For example, you can isolate all of the computers in the research and
development department to enhance their security. To implement server isolation,
you use Active Directory groups to control access in Windows Firewall rules. The
Active Directory groups can have either users or computers as members,
depending on your goals.
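
The connection security considerations from the previous topic (request before require, authentication exemptions, Kerberos for domain members) and the domain and server isolation described here, scripted with netsh advfirewall. This is an added example, not part of the course; the group CONTOSO\RD-Servers, the printer address 10.20.30.250 and the rule names are assumptions, and all computers are assumed to be domain members.

```powershell
# Added example: phased domain isolation, an authentication exemption, and a server
# isolation rule enforced by Active Directory group membership. Names and addresses
# are assumptions for illustration.

function Stop-OnNetshError { param([string]$Step) if ($LASTEXITCODE -ne 0) { throw "$Step failed" } }

# Phase 1: request authentication. Peers that support IPsec negotiate it; peers that do
# not can still communicate, so functionality is verified before anything is enforced.
# computerkerb/userkerb = Kerberos computer and user authentication (domain members only).
netsh advfirewall consec add rule name="Domain Isolation" endpoint1=any endpoint2=any `
    action=requestinrequestout auth1=computerkerb auth2=userkerb profile=domain
Stop-OnNetshError 'Domain isolation (request mode)'

# Authentication exemption for a host that cannot do IPsec (for example a network printer).
netsh advfirewall consec add rule name="Exempt legacy printer" endpoint1=any `
    endpoint2=10.20.30.250 action=noauthentication profile=domain
Stop-OnNetshError 'Authentication exemption'

# Phase 2, after testing: require authentication for inbound connections. Outbound stays
# at "request" so this host can still reach hosts outside the isolated network.
netsh advfirewall consec set rule name="Domain Isolation" new action=requireinrequestout
Stop-OnNetshError 'Domain isolation (require mode)'

# Server isolation: only computers in an AD group may reach this file share. Access is
# decided by the authenticated computer identity, not by IP address, so DHCP changes do
# not matter. netsh takes the group as an SDDL DACL that grants the group's SID access.
$group   = 'CONTOSO\RD-Servers'   # assumed AD computer group
$account = New-Object System.Security.Principal.NTAccount($group)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl    = "D:(A;;CC;;;$sid)"
netsh advfirewall firewall add rule name="RD share - isolated computers only" dir=in `
    action=allow protocol=TCP localport=445 security=authenticate `
    rmtcomputergrp="$sddl" profile=domain
Stop-OnNetshError 'Server isolation rule'

# Checks: the rule is in place, and once peers connect, IPsec security associations
# are actually being negotiated (an empty SA list after traffic means IPsec is not
# happening and the rules on the two hosts are probably not compatible).
netsh advfirewall consec show rule name="Domain Isolation"
netsh advfirewall monitor show qmsa
```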

Note: It is significantly more complex to implement server isolation when using IPsec
policies rather than connection security rules.

For detailed information about how to implement server and domain
isolation, see Introduction to Server and Domain Isolation on the
Microsoft TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=166424&clcid=0x409.

Considerations for Applying Rules

Key Points
There are multiple ways to deploy new firewall rules to hosts. Consider the
following:
Some applications will automatically create any necessary firewall rules for
their functionality. When you install a new application, you can review the
firewall configuration to see what changes have been made. It is useful to
document the changes made by an application in case you need to recover the
firewall configuration at a later time.
Back up firewall configuration before making changes. You can use the Export
Policy option in Windows Firewall to create a file containing the Windows
Firewall configuration. Later you can use the Import Policy option to restore
the configuration.
Windows Firewall with Advanced Security is suitable for configuring only a
small number of computers. It can only configure one host at a time. When a
manual process is repeated many times it is subject to human error.
Use Group Policy to deploy rules to a large number of computers. This process
is automated and is therefore less prone to error. Any new computers added
to an organizational unit will automatically have the rules applied. Rules
deployed by using Group Policy will override conflicting rules created on a
local server.
Use netsh and Windows PowerShell to create scripts that manage firewall
rules. Scripts allow you to configure individual computers in a repeatable way
that eliminates the potential errors introduced when using Windows Firewall
with Advanced Security. In most cases, scripts will be used only when it is
difficult to configure an appropriate Group Policy object.
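
A script for the backup and change-documentation points above: it exports the policy (the same content as the Export Policy option), snapshots every rule before an application is installed, and reports what the installer changed. This is an added example, not part of the course; it assumes Windows PowerShell 2.0, English netsh output, and the backup folder C:\FirewallBackups.

```powershell
# Added example: back up Windows Firewall policy and document the rule changes an
# application installer makes. Assumes PowerShell 2.0 and English netsh output.

function Backup-FirewallPolicy {
    param([string]$BackupDir = 'C:\FirewallBackups')   # assumed location
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $file = Join-Path $BackupDir ('firewall-{0}.wfw' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    # Same content as Export Policy in the snap-in; restore later with
    #   netsh advfirewall import "<file>"
    $null = netsh advfirewall export "$file"
    if ($LASTEXITCODE -ne 0) { throw 'netsh advfirewall export failed' }
    return $file
}

function Get-FirewallRuleSnapshot {
    # Parses "netsh advfirewall firewall show rule name=all" into one object per rule
    # (Name plus a flattened "key=value;" string of its settings) for later comparison.
    $rules = @(); $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($current) { $rules += $current }
            $current = New-Object PSObject -Property @{ Name = $matches[1].Trim(); Detail = '' }
        } elseif ($current -and $line -match '^(\S[^:]*):\s*(.*)$') {
            # Dashed separator lines and the trailing "Ok." have no colon and are skipped.
            $current.Detail += ('{0}={1};' -f $matches[1].Trim(), $matches[2].Trim())
        }
    }
    if ($current) { $rules += $current }
    return $rules
}

function Compare-FirewallRuleSnapshot {
    # Lists rules that were added, removed or changed between two snapshots.
    param($Before, $After)
    $diff = Compare-Object -ReferenceObject $Before -DifferenceObject $After -Property Name, Detail
    if (-not $diff) { return 'No firewall rule changes detected' }
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '=>') { 'NEW/CHANGED' } else { 'GONE/CHANGED' }
        '{0,-12} {1}' -f $tag, $d.Name
    }
}

# Usage: back up and snapshot, install the application, snapshot again and keep the report
# with the backup so the firewall configuration can be explained or recovered later.
$backupFile = Backup-FirewallPolicy
$before     = Get-FirewallRuleSnapshot
Write-Host "Policy exported to $backupFile; $($before.Count) rules recorded. Install the application now."
# ... application installation happens here ...
$after = Get-FirewallRuleSnapshot
Compare-FirewallRuleSnapshot -Before $before -After $after |
    Out-File (Join-Path (Split-Path $backupFile) 'app-rule-changes.txt')
```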

Demonstration: Windows Firewall Rules Configuration Options

Key Points
Steps
1. Open Windows Firewall with Advanced Security.
2. Open an inbound rule and review the available settings.
3. Create an isolation connection security rule.

Lesson 3
Planning Protection Against Viruses and Malware

The threat of viruses and malware is pervasive on computer networks. However,
there are products and Windows Server 2008 features that help prevent viruses
and malware from entering your network. Windows Defender and antivirus
software are products that detect and eliminate viruses and malware. Internet
Explorer 8 has built-in security features. User Account Control
limits the ability of viruses and malware to spread on the network. Finally, the
Security Configuration Wizard is used to harden a host and prevent security
problems.
Objectives
After completing this lesson, you will be able to:
Describe how viruses and malware enter the network.
Describe the considerations for using Windows Defender.
Describe the considerations for antivirus protection.
Describe the security benefits of Internet Explorer 8.
Describe User Account Control.
Describe how the Security Configuration Wizard can be used.

How Viruses and Malware Enter the Network

Key Points
Viruses and malware are software that is installed on computers without
permission. When this software is installed, it is sometimes harmless, but it often
has serious consequences.
Some consequences of viruses and malware are:
Insertion of additional advertising into Web pages. The malware attempts to
generate revenue by placing additional advertisements on your computer that
you would not normally see. Often these advertisements appear as part of Web
search results or as pop-up windows.
Theft of passwords and personal data. Personal information is valuable to
those interested in identity theft or transferring money out of a bank account.
Malware can monitor the keystrokes on your computer for passwords and
other sensitive information.
Data theft or loss. After malware has infected a computer, it is able to access
data on the local computer and the network. The malware has the same
permissions as the user logged on to the computer. Data can be stolen,
modified, or deleted.
System instability. Much malware is poorly written and causes computer
systems to become unstable. This leads to system crashes and frustrated users.
Your computer becomes part of a botnet. A botnet is a group of computers
that is controlled remotely via malware. The owners of a botnet can use the
botnet to perform denial of service attacks or send unsolicited commercial e-
mail (spam).

To prevent your computers from becoming infected with viruses and malware, it is
important to understand how they enter your network. Some of the ways viruses
and malware enter the network are:
As an e-mail attachment. Sometimes malware is sent as an e-mail attachment.
When users open the attachment, their computer becomes infected. Users
should be trained not to open e-mail attachments except from trusted sources.
As part of another program the user is installing. Many users are lured into
installing programs that seem helpful, but include malware along with the
installation. File-sharing programs are a common source of malware. Toolbars
for Internet Explorer and utilities to add emoticons to e-mail messages are also
common sources of malware.
From a Web page. Sometimes, due to flaws in Web browser software or add-
ons to Web browser software, a user can infect his or her computer simply by
viewing a Web page. In most cases, this type of vulnerability is corrected
quickly by the Web browser vendor issuing an update for the software.
Portable computers. A portable computer is inherently more vulnerable to
malware than a desktop computer just because it is moved into multiple
environments. If a portable computer becomes infected with malware and then
is reconnected to the network, it may spread the malware to other computers
on the network. Also, external vendors or staff may bring in portable
computers that do not meet organizational standards for malware protection.
Portable storage. Any type of portable storage may have malware on it that is
spread when it is attached to the computers in your network. This includes
portable disk drives, USB drives, music players, and smart phones.

Considerations for Using Windows Defender

Key Points
Windows Defender helps protect client computers from spyware and malicious
software. However, Windows Defender is not anti-virus software. Windows
Defender is not part of Windows Server 2008 but should be used on client
computers to limit the chance of malware spreading to servers.
Considerations when using Windows Defender are as follows:
Enable real-time protection. Real-time protection actively monitors a
computer for software that is attempting to install itself. This can be software
from portable storage or from a Web page. Real-time protection prevents
malware from being installed.
Ensure that Windows Defender updates are being applied. Windows
Defender uses antispyware definitions to identify malware. The definitions are
provided by Windows Update. You need to ensure that new definitions are
being downloaded and applied or your computers will be vulnerable to recent
attempts.
Use scheduled and manual scans to remove malware that was missed by
real-time protection. If malware was installed before the antispyware
definitions were updated, you can remove it by running a scheduled or manual
scan. In most scanning scenarios, options are used to scan for unwanted
software on the computer, to schedule scans on a regular basis, and to
automatically remove any malicious software that is detected during a scan.
Use definition-based actions for each alert level. The antispyware definitions
contain a recommended action for each piece of malware. In most cases, using
these default actions is appropriate. However, you can override the action for
categories of alerts to allow or remove threats.
Join Microsoft SpyNet with a basic membership. This provides Microsoft
with information about malware detected but does not monitor unknown
software. If you select an advanced membership, Windows Defender will
prompt you for what to do with unknown software. The advanced
membership is fine for an IT professional but should not be used by typical
users.

For more information, see the Join the SpyNet community page on the
Windows Help and How-to Web site at
http://go.microsoft.com/fwlink/?LinkID=167159&clcid=0x409.
Use Software Explorer to control the programs that start automatically on
your computer. In some cases, malware can be stopped by being prevented
from starting when the operating system boots. Software Explorer also allows
you to determine which software running on your computer is not classified
and view the antispyware definitions.

Considerations for Antivirus Protection

Key Points
Antivirus software is an essential part of any network security plan. There is a wide
variety of vendors with antivirus products with a wide range of features. All
computers on a network, including servers, should have antivirus software.
Microsoft produces the Forefront line of security products, which includes
antivirus software.
General considerations for antivirus software are as follows:
Select antivirus software that can be centrally managed. Central
management is essential for most organizations. This enables you to easily
review the status of all computers from a central console and respond to them
quickly. This also allows you to deploy the software from a single console and
provide definition updates from a central location. Centralized management is
one of the primary differentiators between consumer and business-level
antivirus software.
Update antivirus definitions at least once per day. Daily updates ensure that
you are able to detect new viruses almost as soon as they are known to be
spreading.
Carefully test heuristic-based scanning. Antivirus scanning based on
heuristics monitors what software is doing to try and identify it as a virus.
Heuristic scanning has the potential to detect viruses that are not in the
antivirus definitions. However, heuristics can also generate false positives that
incorrectly identify legitimate software as a virus. Test heuristic scanning
before it is enabled to reduce the chance of legitimate software being
quarantined on user workstations.
Use quarantine instead of removal for infected files. Moving a file to
quarantine means that you may be able to recover the contents of a file that
has become infected. If the file is simply removed, you may lose data. This
applies mostly to macro viruses in documents.

Security Features of Internet Explorer 8

Key Points
Internet Explorer 8 is primarily used on client computers. However, it is also
included on Windows Server 2008. On servers, Internet Explorer includes
Enhanced Security Configuration (ESC).
ESC raises the security settings for the security zones to provide additional
protection for your servers. For Internet Web sites, this prevents ActiveX controls
and scripts from running. If you encounter a Web site running scripts or ActiveX
controls, you are prompted to add the site to the Trusted Sites security zone.
Internet Explorer maintains two lists of sites in the Trusted Sites security zone.
One list is used when ESC is enabled; the other is used when ESC is disabled.
You can use Server Manager to enable or disable ESC for users or administrators
independently. On most servers, you should leave ESC enabled. Most Internet
browsing, including searching for troubleshooting documents, should be
performed from a client computer, rather than a server. However, you should
disable ESC for users on a terminal server if the users are expected to do Web
browsing in the terminal services session.

Note: For detailed information about Internet Explorer ESC, see Internet Explorer 8
Enhanced Security Configuration on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=166426&clcid=0x409.
Other Internet Explorer 8 security features relevant to browsing from servers are as
follows:
IT professionals can increase security and trust through improvements in
ActiveX controls that give them control over how and where an ActiveX control
loads and which users can load it.
The XSS Filter in Internet Explorer 8 helps block cross-site scripting (XSS)
attacks, currently one of the most common Web site vulnerabilities.
Data Execution Prevention (DEP) is enabled by default to help prevent system
attacks in which malicious data exploits memory-related vulnerabilities to
execute code.
The SmartScreen Filter helps protect against phishing Web sites and sites
known to distribute malware. With the SmartScreen Filter enabled, Internet
Explorer 8 performs a detailed examination of the entire URL string and
compares the string to a database of sites known to distribute malware, and
then the browser checks with the Web service. If the Web site is known to be
unsafe, it is blocked and the user is notified with a bold SmartScreen blocking
page that offers clear language and guidance to help avoid Web sites known to
be unsafe.
Protected Mode forces Internet Explorer to request permission before writing
to files or the registry. The functionality relies on User Account Control. Some
Web-based applications do not work properly with Protected Mode enabled. If
an application needs to function without Protected Mode, add it to the Trusted
Sites security zone.

What Is User Account Control (UAC)?

Key Points
User Account Control (UAC) is typically thought of as a security measure for client
computers, but it is also in place on Windows Server 2008. The purpose of UAC is
to allow most processes to run as a standard user account and be elevated to
administrator only when required. The elevation is performed without requiring
the use of Run As or making the user log off. Overall, UAC increases security
because any malware on the computer running in the context of the user will be
limited to running only processes that require standard user permissions.
For administrators, security is enhanced by Admin Approval Mode, which is
enabled by default. When a computer is configured to use Admin Approval Mode
and an administrator logs on, two access tokens are generated. One access token
has user-level permissions, and the other has administrator-level permissions.
When an administrator runs an application or performs a system task, the user-
level token is used. If the user-level token does not provide sufficient privileges to
perform the task or run the application, the administrator is prompted for
permission to continue. This prevents malware from starting in the background
and using administrative privileges without the knowledge of the administrator.
Prompting for permission to continue is the default configuration, but this
behavior can be modified. You can also:
Prompt for credentials. This setting forces administrators to enter their
administrative credentials again to run the application. This may be suitable in
high-security environments but will frustrate administrators who run many
administrative utilities.
Elevate without prompting. This setting allows applications to run with
administrative privileges silently, without administrator interaction. Although
using this option is very convenient for administrators, it effectively negates
the benefits of UAC.

Built-in Administrator accounts are not subject to Admin Approval Mode by
default. The built-in Administrator accounts include the domain Administrator and
local Administrator accounts. Membership in administrative groups is not
sufficient for this to apply. It applies only to the Administrator accounts created
automatically by the system during installation. This is one reason why use of the
built-in Administrator accounts should be avoided for performing administrative
tasks.
UAC configuration settings can be modified in the Local Security Policy or by
using Group Policy. The settings in the Local Security Policy are located at Security
Settings\Local Policies\Security Options\User Account Control:*. The settings in a
Group Policy are located at Computer Configuration\Policies\Windows Settings\
Security Settings\Local Policies\Security Options\User Account Control:*. Settings
configured in a Group Policy will override settings configured in the Local Security
Policy.
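The following audit script is an added example, not part of the course: it reads the effective UAC settings on the local computer and flags the two weak states discussed above (elevate without prompting, and the built-in Administrator account outside Admin Approval Mode). The registry key and value names are the locations where Windows stores these security options; they are not named in the course text.

```powershell
# Added example (not from the course). The "User Account Control:*" security options,
# whether set in the Local Security Policy or by Group Policy, end up as values under
# this registry key, so reading it reports the setting that is actually in effect.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin, i.e. the option
# "Behavior of the elevation prompt for administrators in Admin Approval Mode".
$adminPromptBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacSetting {
    param([string]$Name)
    # Returns $null when the value is absent, which means the operating system default applies.
    $item = Get-ItemProperty -Path $uacKey -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-UacConfiguration {
    $enableLua   = Get-UacSetting 'EnableLUA'                  # run all administrators in Admin Approval Mode
    $adminPrompt = Get-UacSetting 'ConsentPromptBehaviorAdmin'
    $filterAdmin = Get-UacSetting 'FilterAdministratorToken'   # Admin Approval Mode for the built-in Administrator

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'UAC is disabled: administrators receive a single full-privilege token.'
    }
    if ($adminPrompt -eq 0) {
        $findings += 'Administrators elevate without prompting; this negates the benefits of UAC.'
    }
    if ($filterAdmin -ne 1) {
        $findings += 'Built-in Administrator is not in Admin Approval Mode (the default); avoid it for daily administration.'
    }

    $behaviorText = 'not set (OS default)'
    if ($adminPrompt -ne $null -and $adminPromptBehavior.ContainsKey([int]$adminPrompt)) {
        $behaviorText = $adminPromptBehavior[[int]$adminPrompt]
    }

    New-Object PSObject -Property @{
        ComputerName          = $env:COMPUTERNAME
        UacEnabled            = ($enableLua -ne 0)
        AdminPromptBehavior   = $behaviorText
        BuiltInAdminInAamMode = ($filterAdmin -eq 1)
        Findings              = $findings
    }
}

Test-UacConfiguration | Format-List
```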
Using the Security Configuration Wizard (SCW)

Key Points
The Security Configuration Wizard (SCW) is included with Windows Server 2008
to help you reduce the attack surface of your computer by creating and applying a
security policy.
When you run SCW, it analyzes the computer to determine which roles, features,
and applications are installed. You can review this list and make modifications.
SCW then makes suggestions to enable and disable services, modify registry
settings for security, and audit.
After you use SCW to create a security policy, you can apply the policy to the same
computer or save it to a file and then apply it to another computer. After you apply
a security policy, the settings can be rolled back if required.
Some considerations for using SCW:
• Ensure that templates are registered for all applications on the server. SCW uses templates to make recommendations for changes. If the appropriate template is not imported, SCW cannot recommend changes for it. Some applications ship with templates. For example, Microsoft Exchange Server 2007 includes templates that must be registered with SCW before SCW is used on a computer running Exchange Server 2007.
• Create a standard policy for specific server types. Rather than running SCW on every server, create a policy on one server, and then apply that policy to multiple servers. This will reduce administrative work.
• Apply common settings by using Group Policy. Group Policy is the fastest way to apply security settings to multiple computers. You can convert a security template to a Group Policy object by using scwcmd with the transform option.
• Disable unknown services only if you understand what the results will be. SCW has a setting for unknown services. Disabling unknown services is done only in very high security situations. When you use this option, you can use the resulting policy only on servers with an identical configuration.
• If a new security policy creates unexpected results, roll it back. When a security policy is rolled back, the computer is placed in the state it was in before the policy was applied. It is common to roll back policies during testing.
• Test new policies before applying them to multiple computers. As with any other configuration change, you should test new policies on one or a few computers before applying them to a larger group of computers. This minimizes the consequences of an unexpected issue.
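The scwcmd sequence below is an added example, not part of the course, showing the considerations above carried out from the command line: analyze and configure a pilot computer first, keep the rollback available, then transform the proven policy into a GPO. The policy file, result folder, GPO name and computer names are assumptions.

```powershell
# Added example (not from the course). scwcmd.exe is the command-line companion of the
# Security Configuration Wizard; the paths and names below are assumed for the illustration.
$policy     = 'C:\SCW\MemberServer-Standard.xml'   # created once with the wizard on a reference server
$resultDir  = 'C:\SCW\Results'
$gpoName    = 'SCW-MemberServer-Baseline'
$pilot      = @('SRV-TEST01')                      # test on one computer before a larger group
$production = @('SRV01', 'SRV02', 'SRV03')

# 0. A server hosting an application that ships its own SCW template (Exchange Server 2007
#    is the lesson's example) needs that template registered before SCW analyzes it:
#    scwcmd register /kbname:Exchange2007 /kbfile:"<path to the product's SCW template .xml>"

# 1. Analyze the pilot computer against the standard policy without changing anything.
#    scwcmd writes <ComputerName>.xml into the result folder; scwcmd view renders it for review.
foreach ($server in $pilot) {
    scwcmd analyze /m:$server /p:$policy /o:$resultDir
    $report = Join-Path $resultDir "$server.xml"
    scwcmd view /x:$report
}

# 2. Apply the policy to the pilot computer and test the workload there. If the policy
#    produces unexpected results, return the computer to its previous state with:
#    scwcmd rollback /m:SRV-TEST01
foreach ($server in $pilot) { scwcmd configure /m:$server /p:$policy }

# 3. Once the pilot passes, either configure the remaining servers with the same policy ...
foreach ($server in $production) { scwcmd configure /m:$server /p:$policy }

# ... or, for the fastest rollout to many computers, transform the policy into a GPO
#     and link that GPO to the OU that holds the member servers.
scwcmd transform /p:$policy /g:$gpoName
```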


Note: Windows Server 2008 security includes some templates with recommended settings for applying security to Windows Server 2008 environments. Templates are included for domain controllers and member servers. You can download the Windows Server 2008 Security Guide from the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=167160&clcid=0x409.
Lesson 4
Planning Remote Access

Remote access is used by many organizations to provide users with access to data
from outside the network. The most common type of remote access is virtual
private networks (VPNs). When planning a remote access solution, you must
determine which VPN protocols will be used, as each has a unique set of
characteristics that make it suited to different scenarios. Network policies and
Network Policy Server are used to control the authentication for remote access and
can be used in several configurations to meet the needs of your organization.
Objectives
After completing this lesson, you will be able to:
• Describe considerations for VPN protocols.
• Describe considerations for network policies.
• Describe considerations for Network Policy Server.

Considerations for VPN Protocols

Key Points
A VPN uses a tunneling protocol to transfer data on a remote network. Tunneling
allows data that would not normally travel well over a remote connection to travel
to a remote network. For example, programs that use remote procedure calls
(RPC) have difficulty traversing firewalls. When a VPN is used, the application
requests are encapsulated in the packet used by the tunneling protocol.
A VPN can be used to access data and applications remotely. However, a VPN
requires the client computer to be configured with a VPN connection. This makes a
VPN suitable only for computers that can be configured, such as a home computer
or a company laptop. It is not typically possible to create a VPN connection on a
public access computer at a library or Internet café.
A VPN connection typically has high latency, which makes a VPN unsuitable for
running most applications. Terminal Services is a better solution for running most
applications. A VPN is a reasonable way to transfer data.
There are three types of VPN supported by Windows Server 2008 and Windows
Vista.
• Point-to-Point Tunneling Protocol (PPTP). This type of VPN has been available in Microsoft operating systems since the 1990s. It offers only user-based authentication and the ability to encrypt data in transit. This type of VPN is well understood by most IT professionals and easy to implement. Some locations such as hotels may not allow this type of packet through their firewall.
• Layer 2 Tunneling Protocol (L2TP)/IPsec. This type of VPN was introduced in Windows 2000. IPsec is used to secure the data and is encapsulated by L2TP. IPsec enables computer authentication to be performed as part of the authentication process for greater security. Also, IPsec encryption is considered more secure than PPTP. The main drawback of L2TP/IPsec is the complexity of configuration. IPsec must be properly configured to allow authentication to occur. Like PPTP, this type of VPN is also blocked by some firewalls.
• Secure Socket Tunneling Protocol (SSTP). This type of VPN has the best compatibility with firewalls and proxy servers. All data is encapsulated in HTTPS packets, which are allowed through firewalls and proxy servers in public locations, such as hotels. SSTP is only available starting with Windows Server 2008 and Windows Vista. Configuration on the server side requires that a Secure Sockets Layer (SSL) certificate be installed, but SSL configuration is fairly simple to complete.


Note: Windows 7 and Windows Server 2008 R2 include an alternative to VPN
connections called DirectAccess. The primary benefit of DirectAccess is simplified access
to remote resources. For more information about DirectAccess, see DirectAccess on the
Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=167161&clcid=0x409.
Recommendations for VPNs:
• Use PPTP for best compatibility with operating systems.
• Use L2TP/IPsec to increase security.
• Use SSTP to increase security and provide the best compatibility with firewalls and proxy servers.

Considerations for Network Policies

Key Points
Network policies are a set of rules used by Routing and Remote Access Servers
(RRAS) to determine which users are able to remotely connect. The most
commonly implemented RRAS functionality is a VPN server.
Some considerations for network policies are:
• By default, each RRAS server has its own set of network policies. If you have multiple RRAS servers, you must create the same set of policies on each server for the same behavior to occur on each server.
• You can maintain different network policies on different servers to meet the needs of different user groups. For example, the engineering group may maintain its own VPN server that only engineering users are able to use, while another VPN server is used for other users in the organization.
• The default network policies prevent access. To allow access, you must create a new network policy or allow access on the Dial-in tab in the properties of a user account.
• Simplify the management of network access by using groups to control access. It is much more efficient to allow a group remote access by using a network policy rather than allowing access for individual user accounts. Group membership is one of the most common conditions applied to a remote access connection.
• Only the first matched network policy will apply. When there are multiple network policies, they are processed in order. If the first network policy with matching conditions denies access to a user, no further policies will be evaluated. Ensure that network policies are in the correct order to obtain the results you want. For example, if a large group of users such as the engineering department has been granted remote access and you want to deny access to a few users in another group, the network policy for the smaller group should have a lower processing order (number 1 is processed before number 2).
• Increase security by implementing additional conditions. For example, you can use day and time restrictions to prevent remote access late at night when legitimate use is unlikely.
• Identify the authentication methods that meet your needs. When selecting authentication methods, consider that MS-CHAPv2 provides better security than MS-CHAP and can be used with Windows 2000 (and it can be used even by Windows 95, with updates). Other more secure authentication such as smart cards can be implemented by using Extensible Authentication Protocol (EAP).
• Use constraints with characteristics such as idle timeout and session timeout to control a remote access connection. You can also configure port type restrictions and day and time restrictions as constraints. If a constraint for port type or day and time does not match, access is denied and no further processing of network policies is performed. This is different from day and time restrictions in conditions, where the next network policy would be evaluated.
• Apply the IP Filters setting to control which internal resources can be accessed by remote access clients. For example, the IP filters applied to the marketing department users could limit their access to a single file server with shared marketing documents. This limits the potential damage if an unauthorized user gains access to the network.
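The simulation below is an added example, not part of the course and not NPS code: it models the two rules that are easiest to get wrong when planning network policies, first-match processing order and the difference between a day-and-time condition and a day-and-time constraint. Policy names, groups, users and hours are constructed for the illustration.

```powershell
# Added example (not from the course): a small model of how NPS/RRAS selects a network policy.

function Test-DayTimeWindow {
    param([hashtable]$Window, [datetime]$When)
    # $Window maps a weekday name to @(startHour, endHour); anything outside it does not match.
    $day = $When.DayOfWeek.ToString()
    if (-not $Window.ContainsKey($day)) { return $false }
    return ($When.Hour -ge $Window[$day][0] -and $When.Hour -lt $Window[$day][1])
}

function Test-PolicyConditions {
    param([hashtable]$Policy, [hashtable]$Request)
    # Every condition must match for the policy to be selected; otherwise NPS moves to the next policy.
    if ($Policy.Conditions.ContainsKey('Groups')) {
        $inGroup = $false
        foreach ($g in $Policy.Conditions.Groups) { if ($Request.Groups -contains $g) { $inGroup = $true } }
        if (-not $inGroup) { return $false }
    }
    if ($Policy.Conditions.ContainsKey('DayTime')) {
        if (-not (Test-DayTimeWindow $Policy.Conditions.DayTime $Request.Time)) { return $false }
    }
    return $true
}

function Test-PolicyConstraints {
    param([hashtable]$Policy, [hashtable]$Request)
    # Constraints are checked only after a policy has been selected by its conditions.
    if ($Policy.Constraints.ContainsKey('PortTypes')) {
        if ($Policy.Constraints.PortTypes -notcontains $Request.PortType) { return $false }
    }
    if ($Policy.Constraints.ContainsKey('DayTime')) {
        if (-not (Test-DayTimeWindow $Policy.Constraints.DayTime $Request.Time)) { return $false }
    }
    return $true
}

function Resolve-NetworkAccess {
    param([object[]]$Policies, [hashtable]$Request)
    # Policies are processed in processing order; the first one whose conditions match decides.
    foreach ($policy in ($Policies | Sort-Object { $_.ProcessingOrder })) {
        if (-not (Test-PolicyConditions $policy $Request)) { continue }
        if (-not (Test-PolicyConstraints $policy $Request)) {
            return "Deny: constraint failed in '$($policy.Name)'; no further policies evaluated"
        }
        return "$($policy.Access): matched '$($policy.Name)'"
    }
    return 'Deny: no network policy matched (default)'
}

$businessHours = @{ Monday = @(7, 19); Tuesday = @(7, 19); Wednesday = @(7, 19); Thursday = @(7, 19); Friday = @(7, 19) }

# Policy set 1: day and time is a CONDITION of policy 2, so an after-hours request
# that fails it is handed on to policy 3 for evaluation.
$policiesCondition = @(
    @{ Name = 'Deny contractors'; ProcessingOrder = 1; Access = 'Deny'; Conditions = @{ Groups = @('Contractors') }; Constraints = @{} },
    @{ Name = 'Allow engineering (business hours)'; ProcessingOrder = 2; Access = 'Grant'; Conditions = @{ Groups = @('Engineering'); DayTime = $businessHours }; Constraints = @{ PortTypes = @('VPN') } },
    @{ Name = 'Allow on-call engineers (any time)'; ProcessingOrder = 3; Access = 'Grant'; Conditions = @{ Groups = @('OnCall') }; Constraints = @{ PortTypes = @('VPN') } }
)

# Policy set 2: the same policies, but day and time moved into the CONSTRAINTS of policy 2.
# Policy 2 is still selected by the group condition, so a failed constraint ends processing.
$policiesConstraint = @(
    $policiesCondition[0],
    @{ Name = 'Allow engineering (business hours)'; ProcessingOrder = 2; Access = 'Grant'; Conditions = @{ Groups = @('Engineering') }; Constraints = @{ PortTypes = @('VPN'); DayTime = $businessHours } },
    $policiesCondition[2]
)

# Constructed requests: an on-call engineer at 03:00 on a Tuesday, and an engineer who is also a contractor.
$onCallAtNight = @{ User = 'alice'; Groups = @('Engineering', 'OnCall');     PortType = 'VPN'; Time = (Get-Date '2010-04-13 03:00') }
$contractor    = @{ User = 'bob';   Groups = @('Engineering', 'Contractors'); PortType = 'VPN'; Time = (Get-Date '2010-04-13 10:00') }

'alice, day/time as condition : ' + (Resolve-NetworkAccess $policiesCondition  $onCallAtNight)
'alice, day/time as constraint: ' + (Resolve-NetworkAccess $policiesConstraint $onCallAtNight)
'bob, deny policy ordered first: ' + (Resolve-NetworkAccess $policiesCondition $contractor)
```

Swapping the ProcessingOrder values of the first two policies in either set lets you see why the deny policy for the smaller group must come first.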

Considerations for Network Policy Server (NPS)

Key Points
Network Policy Server (NPS) is a role service for the Network Policy and Access
Services role. Some of the functionality in NPS was provided by Internet
Authentication Server (IAS) in Windows Server 2003. It contains three
components:
• RADIUS server. A RADIUS server is a central service that provides authentication services for other applications. RRAS servers can forward authentication requests to the RADIUS server instead of using local network policies.
• RADIUS proxy. A RADIUS proxy is a central service that routes RADIUS authentication requests to the appropriate RADIUS server.
• NAP policy server. NAP requires a central location for health policies. A NAP policy server performs this function.

Some considerations for NPS are:
• To centralize authentication for multiple RRAS servers, use the RADIUS server functionality. The network policies created for the RADIUS server are used by all RRAS servers when the authentication requests are forwarded to the RADIUS server. Centralizing the network policies in a single location simplifies maintenance of network policies.
• To centralize logging for multiple RRAS servers, use the RADIUS server functionality. You can configure RRAS servers to forward logging information to a RADIUS server for centralized storage. This makes it easier to analyze and troubleshoot RRAS authentication issues, particularly when network load balancing is used for the RRAS servers and the client does not know which RRAS server was being accessed.
• Connection request policies are used to implement the RADIUS proxy functionality in NPS. If a connection request policy does not match the incoming RADIUS authentication request, the server acts as a RADIUS server for the request.
• Use the RADIUS proxy functionality to forward requests to independently managed RADIUS servers. One group in an organization, such as the engineering group, may want to maintain their own isolated RADIUS servers. This allows the engineering group to independently control their logons.
• RADIUS can be used to authenticate non-RRAS applications. For example, the 802.1X protocol for authenticating computers at a switch or wireless access point uses RADIUS for authentication.

Lesson 5
Planning for NAP

Network Access Protection (NAP) is a new feature in Windows Server 2008
designed to prevent unhealthy computers from communicating on the network.
Windows Server 2008 provides a System Health Validator that provides basic
monitoring capabilities for Windows XP, Windows Vista, and Windows Server
2008. When enforcing NAP policies, you can use DHCP, VPN, 802.1X, or IPsec
enforcement. The enforcement type you select is based on the needs and
infrastructure of your organization.
Objectives
After completing this lesson, you will be able to:
• Describe Network Access Protection.
• Describe the status characteristics monitored by Windows System Health Validator.
• Describe the considerations for DHCP enforcement.
• Describe the considerations for VPN enforcement.
• Describe the considerations for 802.1X enforcement.
• Describe the considerations for IPsec enforcement.

What Is NAP?

Key Points
NAP is a system that enforces client health before allowing access to the network.
Client health is defined in policies by an administrator and enforced by a Network
Policy Server (NPS). NAP does not block intruders or malicious users.
Instead, NAP ensures that clients have an appropriate configuration such as
software updates installed and antivirus software that is current.
NAP includes multiple enforcement mechanisms. You can implement one or more
of these mechanisms at the same time, depending on your network scenario.
When a computer is noncompliant with the health policy, you can then allow
limited access to the network. The limited access is, typically, to remediation
servers. Remediation servers provide resources for computers to become
compliant. For example, a remediation server could be a Windows Server Update
Services (WSUS) server that clients can use to download and apply required
updates.
NAP can be implemented in virtually any scenario in which computers are
accessing a network. The most common scenarios are:
• Desktop computers. NAP can be applied to all desktop computers in an organization. This ensures that a misconfigured desktop computer does not affect the security of the organization.
• Roaming laptops. NAP can be implemented when wireless clients authenticate to a wireless access point or a virtual private network (VPN) connection. This ensures that laptops that are often outside the organizational network are still in compliance when they return.
• Visiting laptops. Visiting laptops are not controlled by the organization and often are not compliant with organizational policies. NAP can ensure that they are restricted to a limited set of resources.
• Home computers. Many employees use home computers when remotely accessing the corporate network over a VPN connection. NAP can ensure that these computers are healthy and do not introduce viruses or malware onto the organizational network over the VPN.

Status Monitored by Windows System Health Validator (SHV)

Key Points
NAP uses a System Health Validator (SHV) on the server side and a System Health
Agent (SHA) on the client side to evaluate health status. The SHA and SHV are a
matched set that must be deployed together. NAP includes a Windows SHV, and a
corresponding Windows SHA is included in Windows XP SP3, Windows Vista,
Windows 7, and Windows Server 2008.
The settings monitored by the Windows SHV are based on the settings that are
monitored by Windows Security Center on the client. Software must be compatible
with the Windows Security Center to be monitored.
The following are the settings that can be monitored for Windows Vista and
Windows Server 2008:
• Firewall is enabled
• Antivirus application is on and up to date
• Antispyware application is on and up to date
• Automatic updating is enabled
• All available security updates installed
• Locations where security updates can be downloaded


Note: Security Update Protection should not be enabled unless you have configured
WSUS for your network. If clients are not registered with a WSUS server and Security
Update Protection is enabled, clients are automatically placed on the restricted network
even if they are configured with the necessary updates.
NAP can be extended to monitor additional settings and software. You can do this
by deploying additional SHAs on NAP clients and additional SHVs on NPS servers.
Some products that NAP can integrate with are:
• System Center Configuration Manager (SCCM). When SCCM is integrated with NAP, you can monitor the application of specific updates.
• Microsoft Forefront Client Security. When Forefront Client Security is integrated with NAP, you can perform additional actions. For example, you can perform an auto-remediation of a stopped service by restarting the stopped service. You can perform Forefront integration by using the Microsoft Forefront Integration Kit for Network Access Protection.


Note: To find organizations that are shipping an SHA and SHV for their products, see the
Network Access Protection Communities and Partners page on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=167163&clcid=0x409.

Considerations for Designing DHCP Enforcement

Key Points
DHCP enforcement requires the use of a NAP-integrated DHCP server. The DHCP
server included with Windows Server 2008 is NAP-integrated for IPv4 addressing,
but not for IPv6. The health status of the client computer is sent with the DHCP
lease request.
If the client computer is noncompliant, a lease is given with:
• A default gateway of 0.0.0.0
• A subnet mask of 255.255.255.255
• Static routes to remediation servers

Considerations for DHCP enforcement include the following:
• DHCP enforcement is easy to implement and can apply to any computer with a dynamic IP address.
• DHCP enforcement is easy to circumvent. A client can circumvent DHCP enforcement by using a static IP address. In addition, a noncompliant computer could add static host routes to reach servers that are not remediation servers.
• DHCP enforcement is not possible for IPv6 clients. If computers on your network use IPv6 addresses to communicate, DHCP enforcement is ineffective.
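The script below is an added example, not part of the course: run on a client, it reports whether the adapter's IPv4 configuration matches the restricted lease described above (no default gateway, a 255.255.255.255 subnet mask, host routes to remediation servers) and lists host routes that point anywhere other than the known remediation servers, which is the kind of route a noncompliant computer would have to add to reach other servers. It uses the Win32_NetworkAdapterConfiguration and Win32_IP4RouteTable WMI classes; the remediation server addresses are assumed.

```powershell
# Added example (not from the course). The remediation server list is a constructed value;
# in practice it would hold the WSUS or other remediation servers your NAP policy names.
$remediationServers = @('10.0.0.50', '10.0.0.51')

function Get-NapDhcpLeaseState {
    # Host routes (/32) from the IPv4 routing table; the adapter's own address and the
    # broadcast entry are excluded below because Windows adds those on every interface.
    $hostRoutes = @(Get-WmiObject Win32_IP4RouteTable | Where-Object { $_.Mask -eq '255.255.255.255' })

    foreach ($nic in @(Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled })) {
        # Use the adapter's first IPv4 address; DHCP enforcement does not cover IPv6 addresses.
        $addresses = @($nic.IPAddress); $masks = @($nic.IPSubnet)
        $ipv4 = $null; $mask = $null
        for ($i = 0; $i -lt $addresses.Count; $i++) {
            if ($addresses[$i] -notmatch ':') { $ipv4 = $addresses[$i]; $mask = $masks[$i]; break }
        }
        if (-not $ipv4) { continue }

        $gateway = '0.0.0.0'
        if ($nic.DefaultIPGateway) { $gateway = $nic.DefaultIPGateway[0] }

        $routeTargets = @($hostRoutes |
            Where-Object { $_.InterfaceIndex -eq $nic.InterfaceIndex -and $_.Destination -ne $ipv4 -and $_.Destination -ne '255.255.255.255' } |
            ForEach-Object { $_.Destination })
        $unexpected = @($routeTargets | Where-Object { $remediationServers -notcontains $_ })

        $state = 'Full access'
        if (-not $nic.DHCPEnabled) {
            $state = 'Static address: outside DHCP enforcement'      # the circumvention the lesson warns about
        } elseif ($mask -eq '255.255.255.255' -and $gateway -eq '0.0.0.0') {
            $state = 'NAP restricted lease'
        }

        New-Object PSObject -Property @{
            Adapter              = $nic.Description
            IPv4Address          = $ipv4
            SubnetMask           = $mask
            DefaultGateway       = $gateway
            State                = $state
            HostRoutes           = $routeTargets
            UnexpectedHostRoutes = $unexpected   # host routes to non-remediation servers deserve a look
        }
    }
}

Get-NapDhcpLeaseState | Format-List
```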

Considerations for Designing VPN Enforcement

Key Points
VPN enforcement requires the use of a NAP-integrated VPN server. The RRAS
server included with Windows Server 2008 is NAP integrated. The health status of
the client computer is sent as part of the authentication process.
When a computer is noncompliant, the VPN connection is still authenticated.
However, IP filters are used to restrict access to only remediation servers.
Considerations for VPN enforcement include the following:
• VPN enforcement is best suited to situations in which a VPN is already being used. It is unlikely that you will implement VPN connections on an internal network to use VPN enforcement.
• Use VPN enforcement to ensure that staff members connecting from home computers are not introducing malware to your network. Home computers are often not well maintained by users and represent a high risk. Many do not have antivirus software or do not apply Windows updates regularly.
• Use VPN enforcement to ensure that roaming laptops are not introducing malware to your network. Roaming laptops are more susceptible to malware than computers directly on the corporate network because they may be unable to download virus updates and Windows updates from outside the corporate network. Also, they are more likely to be in environments where malware is present.

Considerations for Designing 802.1X Enforcement

Key Points
To implement 802.1X enforcement, you must ensure that the network switches or
wireless access points (WAPs) support 802.1X authentication. The switches or
WAPs then act as an enforcement point for NAP clients. The health status of the
client is sent as part of the authentication process.
When a computer is noncompliant, the switch places the computer on a separate
virtual local area network (VLAN) or uses packet filters to restrict access to only
remediation servers.
Considerations for 802.1X enforcement are as follows:
The isolation of noncompliant computers is enforced by the switch or WAP
that connects with the client. This makes it very difficult to circumvent and
therefore very secure.
Use 802.1X enforcement for internal computers. This type of enforcement is
appropriate for LAN computers with wired and wireless connections.
You cannot use 802.1X enforcement if your switches and WAPs do not
support the use of 802.1X for authentication.

Considerations for Designing IPsec Enforcement

Key Points
To implement IPsec enforcement, you must put additional software components
on the network. A Health Registration Authority (HRA) is required to act as an
enforcement point, and a Certification Authority (CA) is required to generate
health certificates. However, no specific hardware components are required. So
IPsec enforcement can be implemented in any environment.
The health status of a computer is verified with an HRA. The HRA then issues a
health certificate to the computer. The health certificate is used for IPsec
authentication.
When a computer is noncompliant, the computer is unable to successfully
complete IPsec authentication and is limited to a restricted network. The restricted
network has remediation servers on it.
Considerations for IPsec enforcement are as follows:
IPsec enforcement is more complex to implement than other enforcement
methods because it requires an HRA and a CA.
No additional hardware is required to implement IPsec enforcement. There is
no need to upgrade switches or WAPs as there might be if 802.1X enforcement
is selected. IPsec enforcement can be implemented in any environment.
IPsec enforcement is very secure and difficult to circumvent.
IPsec can be configured to encrypt communication for additional security.
IPsec enforcement is applied to IPv4 and IPv6 communication.

Lab: Planning Server and Network Security


Note: Your instructor may run this lab as a class discussion.
Exercise 1: Creating a Plan for Server and Network Security
Scenario
A. Datum has two security-related tasks that need to be planned out. A new Web-
based application is being implemented for the finance department and requires a
security plan. Also, as part of a security review, a plan needs to be developed for
preventing malware on the A. Datum network.
You have been tasked with creating a plan for the new finance application and
creating a plan for preventing malware on the network. Your IT manager has
provided you with a list of requirements that must be met by your plan.
The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create a security plan for the new finance application.
3. Create a plan for preventing malware on the network.
Supporting Documentation
E-mail thread of correspondence with Allison Brown:
Gregory Weber
From: Allison Brown [Allison@adatum.com]
Sent: 4 Aug 2009 10:22
To: Gregory@adatum.com
Subject: Security Plan for Finance Application
Greg,
As we discussed in the meeting this morning, I'd like you to take the lead on
planning security for the new Web-based finance application. Here are some of the
requirements that have come up:
All users of the application must be authenticated.
All data transferred over the network to or from the application must be
encrypted.
Access must be limited to only domain-joined computers in the finance
department.
The IT management committee has really bought in to the idea of Defense-in-
Depth that you presented at the last committee meeting. I think it would be helpful
if you could present the security plan for this server in that context.
Let me know if you require any clarification.
Regards
Allison
Gregory Weber
From: Allison Brown [Allison@adatum.com]
Sent: 4 Aug 2009 10:32
To: Gregory@adatum.com
Subject: Malware Prevention Plan
Greg,
The IT management committee is also looking for a plan to prevent malware
within the organization. A competitor had an incident recently where customer
data was stolen, and it generated a lot of bad publicity for them, not to mention the
cost of monitoring the potential identity theft.
I'm sure we already have reasonable measures in place, but the committee would
like to have a plan that lists potential sources of malware and how they can be
prevented. Just list any options you can think of. This will be a starting point for
discussion.
Please also put this information in context with Defense-in-Depth like the security
plan for the finance application.
Let me know if you require any clarification.
Regards
Allison
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Create a security plan for the new finance application
Fill in the following table with potential risks and mitigations for each layer of
the Defense-in-Depth model related to the new finance application.
Layer                                  Risk                  Mitigation
Data
Application
Host
Internal network
Perimeter
Physical security
Policies, procedures, and awareness

Task 3: Create a plan for preventing malware on the network
Fill in the following table with potential risks and mitigations for each layer of
the Defense-in-Depth model related to preventing malware on the network.
Layer                                  Risk                  Mitigation
Data
Application
Host
Internal network
Perimeter
Physical security
Policies, procedures, and awareness

Results: After this exercise, you should have a completed security plan for the new
finance application and a plan for preventing malware on the network.

Exercise 2: Implementing Windows Firewall Rules
Scenario
Your security plan for the new finance application calls for the implementation of
computer-specific firewall rules. Only computers in the finance department will be
allowed to access the finance application.
The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Create a group for the finance computers.
3. Create a connection security rule for authentication to the finance server.
4. Create a firewall rule to restrict access to the finance application.
5. Force Group Policy updates.
6. Test the application of rules.

Task 1: Start the virtual machines and log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-CL1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Create a group for the finance computers
1. On SEA-DC1, open Active Directory Users and Computers.
2. Create a global security group named Finance Computers in the computers
container.
3. Add SEA-CL1 to the Finance Computers group.
Task 3: Create a connection security rule for authentication to the
finance server
1. On SEA-DC1, use Group Policy Management to create the enforced security
GPO.
Name: Secure Financial Application
Linked to Adatum.com
2. Edit the Secure Financial Application GPO and create a new Connection
Security Rule.
Computer Configuration\Policies\Windows Settings\Security Settings
\Windows Firewall with Advanced Security\Windows Firewall with
Advanced Security\Connection Security Rules.
Rule type: Server-to-server
Endpoint 1: 10.10.0.10
Endpoint 2: Any IP address
Request authentication for inbound and outbound connections
Authentication method, Advanced: Computer (Kerberos V5)
Profiles: All
Name: Enable Authentication

Task 4: Create a firewall rule to restrict access to the finance
application
On SEA-DC1, use Windows Firewall with Advanced Security to create a new
inbound rule.
Rule type: Port
Protocols and ports: TCP 80,443
Action: Allow the connection if it is secure and Require the connections
to be encrypted
User and computers: Only allow connections from the Finance
Computers group.
Profiles: All
Name: Restrict Access to Finance Application
Task 5: Force Group Policy updates
1. On SEA-DC1, run gpupdate at a command prompt.
2. On SEA-CL1, run gpupdate at a command prompt.
3. Restart SEA-CL1 and log on as Administrator with a password of Pa$$w0rd.

Task 6: Test the application of rules
1. On SEA-CL1, use Internet Explorer to open http://10.10.0.10. This is
successful because the computer is authenticated and allowed.
2. Use Windows Firewall with Advanced Security to view the Main Mode
Security Associations in the Monitoring node. This shows that an IPsec
connection has been created.

Results: After this exercise, you should have successfully implemented firewall rules.
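The connection security rule of Task 3 and the inbound rule of Task 4, written as netsh advfirewall commands so the configuration can be repeated and verified from a script; this is an added example, not part of the 6430B lab. It assumes an elevated PowerShell session on SEA-DC1 (10.10.0.10) and that the ADATUM\Finance Computers group from Task 2 exists; the lab delivers the connection security rule through the Secure Financial Application GPO, whereas netsh here writes to the local policy store.

```powershell
# Added example (not part of the 6430B lab). Assumes an elevated PowerShell
# session on SEA-DC1 and the group ADATUM\Finance Computers from Task 2.
$ErrorActionPreference = 'Stop'

# Windows Firewall stores "Authorized computers" as an SDDL string that carries
# the group SID, so resolve the SID first; the rule then survives a group rename.
$account   = New-Object System.Security.Principal.NTAccount('ADATUM', 'Finance Computers')
$groupSid  = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$authorizedComputers = "O:LSD:(A;;CC;;;$groupSid)"

# Task 3: request (not require) Kerberos V5 computer authentication for any
# peer talking to 10.10.0.10. Requesting keeps unrelated traffic working; the
# inbound rule below is what actually demands an authenticated, encrypted session.
netsh advfirewall consec add rule name="Enable Authentication" `
    endpoint1=10.10.0.10 endpoint2=any `
    action=requestinrequestout auth1=computerkerb profile=any

# Task 4: allow TCP 80 and 443 only when the connection is IPsec-authenticated
# and encrypted (security=authenc) and the peer computer is in Finance Computers.
# A computer outside the group does not match this rule and is blocked unless
# some other inbound rule opens the same ports, so review those rules as well.
netsh advfirewall firewall add rule name="Restrict Access to Finance Application" `
    dir=in action=allow protocol=tcp localport=80,443 `
    security=authenc "rmtcomputergrp=$authorizedComputers" profile=any

# Group membership is read from the client computer's Kerberos ticket, which is
# obtained at boot; that is why Task 5 restarts SEA-CL1 after adding it to the group.

# Verification (Task 6): confirm the rule as stored, then, after SEA-CL1 has
# connected, list the main mode security associations that prove IPsec negotiated.
netsh advfirewall firewall show rule name="Restrict Access to Finance Application" verbose
netsh advfirewall monitor show mmsa
```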

Exercise 3: Implementing a VPN Server
Scenario
Your security plan requires a VPN to be implemented for some remote users.
Because all of the laptops are running Windows Vista, you have decided to use an
SSTP VPN for the highest level of compatibility with hotel firewalls and proxy
servers. Initially, you are configuring this only for domain Admins while testing.
The main tasks for this exercise are as follows:
1. Install Active Directory Certificate Services.
2. Create an SSL Certificate.
3. Configure RRAS.
4. Create a network policy to allow VPN access.
5. Configure the client with a trusted root certificate.
6. Configure and test an SSTP VPN connection.

Task 1: Install Active Directory Certificate Services
On SEA-DC1, use Server Manager to add the Active Directory Certificate
Services role.
Role services: Certification Authority and Certification Authority Web
Enrollment
Add required role services
CA type: Enterprise Root CA
Create a new private key
Cryptography: default
CA name: default
Validity period: default
Database and log locations: default.
Task 2: Create an SSL certificate
On SEA-DC1, use Internet Information Services Manager to request a new
server certificate for SEA-DC1.
Create Domain Certificate
Common name: SEA-DC1.adatum.com
Organization: A. Datum
Organizational unit: IT
City/locality: Seattle
State/province: Washington
Country/region: US
Online Certification Authority: Adatum-SEA-DC1-CA\SEA-DC1.Adatum.com
Friendly name: WebSSL

Task 3: Configure RRAS
On SEA-DC1, use the Routing and Remote Access administrative tool to
enable routing and remote access.
Configuration: Custom configuration
Custom configuration: VPN access
Start the service


Note: A custom configuration is used because SEA-DC1 has only a single network
adapter. You must have two network adapters to select the Remote Access (Dial-Up Or
VPN) configuration.

Task 4: Create a network policy to allow VPN access
On SEA-DC1, use Network Policy Server to create a new network policy.
Policy name: Allow Domain Admins
Condition: Windows Groups Adatum\Domain Admins
Access permission: Access Granted
Authentication type: default
Constraints: default
Settings: default

Task 5: Configure the client with a trusted root certificate
1. On SEA-CL1, use Internet Explorer to open the Certificate Services Web site at
http://SEA-DC1.Adatum.com/certsrv.
2. Log on as Adatum\Administrator with a password of Pa$$w0rd.
3. Download a CA certificate, open it, and install it.
Automatically select the certificate store based on the type of
certificate.
4. Open an empty MMC console and add:
The Certificates snap-in focused on My user account
The Certificates snap-in focused on Local computer
5. Copy the Adatum-SEA-DC1-CA certificate from Certificates Current User\
Intermediate Certification Authorities\Certificates to Certificates (Local
Computer)\Trusted Root Certification Authorities\Certificates.

Task 6: Configure and test an SSTP VPN connection
1. On SEA-CL1, open Connect To from the Start menu.
2. Set up a new connection
Connect to a workplace
Use my Internet connection (VPN)
I'll set up an Internet connection later
Internet address: SEA-DC1.Adatum.com
Destination name: Adatum VPN
Leave the username and password blank
3. Open Connect To from the Start menu.
4. Open the properties of the Adatum VPN connection and select SSTP as the
type of VPN on the Networking tab.
5. Connect the Adatum VPN.
6. Open Connect To from the Start menu and verify that the Adatum VPN
connection is connected.
7. Disconnect the VPN connection.


Note: If you experience an error during your connection attempt, review the
configuration of your SSTP listener by using the instructions from Setting Up
The SSTP Listener And Verifying It in the Routing And Remote Access Blog at
http://go.microsoft.com/fwlink/?LinkID=167164&clcid=0x409. In particular, you must
manually remove and replace the certificate used by SSTP if you want to replace it.
Results: After this exercise, you should have successfully implemented an SSTP VPN.

Exercise 4: Implementing NAP with DHCP Enforcement
Scenario
As part of your security plan, you have decided to implement NAP with DHCP
enforcement. This prevents unhealthy computers from connecting to the network
and helps to prevent the spread of malware.
The main tasks for this exercise are as follows:
1. Install Network Policy Server.
2. Configure NPS.
3. Configure DHCP.
4. Configure NAP Client by using Group Policy.
5. Configure networking on the client.
6. Configure the SHV.
7. Test compliance and auto-remediation on the client.
8. Close all virtual machines and discard undo disks.

Task 1: Install Network Policy Server
On SEA-DC1, use Server Manager to add the Network Policy and Access
Services server role.
Include the Network Policy Server role service.

Task 2: Configure NPS
1. On SEA-DC1, use the Network Policy Server administrative tool to select the
Network Access Protection (NAP) standard configuration and then configure
NAP.
Connection method: Dynamic Host Configuration Protocol (DHCP)
Policy name: NAP DHCP
RADIUS clients: None
DHCP scopes: None
User and machines groups: None
Remediation server groups: None
Windows Security Health Validator
Enable auto-remediation of client computers
Deny full network access to NAP-ineligible client computers
2. Review the connection request policies created by the wizard.
3. Review the network policies created by the wizard.
4. Review the health policies created by the wizard.

Task 3: Configure DHCP
1. On SEA-DC1, use the DHCP administrative tool to enable Network Access
Protection for the Adatum Scope, and use the Default Network Access
Protection profile.
2. On the Advanced tab of Scope Options, for the User Class: Default Network
Access Protection Class, configure the following:
006 DNS Servers: 10.10.0.10
015 DNS Domain Name: restricted.adatum.com

Task 4: Configure NAP Client by using Group Policy
1. On SEA-DC1, use Active Directory Users and Computers to create a new
organizational unit, named NAP Clients, in the root of the Adatum.com
domain.
2. Move the SEA-CL1 computer object into the NAP Clients organizational unit.
3. Use the Group Policy Management administrative tool to create a new Group
Policy object, named DHCP NAP Client, linked to the NAP Clients
organizational unit and with the following settings:
Computer Configuration\Policies\Windows Settings\Security Settings
\System Services\Network Access Protection Agent: Automatic
Computer Configuration\Policies\Windows Settings\Security
Settings\Network Access Protection\NAP Client Configuration
\Enforcement Clients\DHCP Quarantine Enforcement Client: Enable
Computer Configuration\Policies\Windows Settings\Security
Settings\Network Access Protection\NAP Client Configuration: Apply
from context menu
Computer Configuration\Policies\Administrative
Templates\Windows Components\Security Center\Turn on Security
Center (Domain PCs only): Enabled

Task 5: Configure networking on the client
1. Restart SEA-CL1, and log on as Administrator with a password of Pa$$w0rd.
2. On SEA-CL1, open a command prompt and use the following command to
update group policy settings:
gpupdate
3. Reconfigure Local Area Connection to use DHCP to obtain an IP address and
DNS server.
4. Open a command prompt and use the following command to view the
configured IP address:
ipconfig /all
5. Notice that an IPv4 address has been configured, but the subnet mask is
255.255.255.255 and the Connection-specific DNS suffix is
restricted.adatum.com.

Task 6: Configure the SHV
On SEA-DC1, use the Network Policy Server administrative tool to configure
the Windows Security Health Validator in Network Access Protection.
Test only for an enabled firewall

Task 7: Test compliance and auto-remediation on the client
1. On SEA-CL1, renew the IP address by using the command ipconfig /renew.
2. Notice that SEA-CL1 now has a default gateway, a subnet mask of
255.255.0.0, and the Connection-specific DNS suffix is Adatum.com.
3. In the Control Panel Security settings, turn off Windows Firewall.
4. Notice that Windows Firewall status is off only briefly, before being turned
back on by the NAP client.

Results: After this exercise, you should have successfully implemented NAP with DHCP
enforcement.
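The checks in Task 5 and Task 7 rely on reading ipconfig /all by eye. As an added example, not part of the 6430B lab, the function below applies the same indicators (a 255.255.255.255 subnet mask, no default gateway, the restricted.adatum.com DNS suffix) to ipconfig output so the restricted or full-access state of a DHCP NAP client can be checked from a script; the sample output and the adapter name are constructed, and a single-adapter client is assumed.

```powershell
# Added example (not part of the 6430B lab): classify a DHCP NAP client as
# restricted or full access from "ipconfig /all" output. Assumes one adapter.
function Get-NapDhcpState {
    param([string[]]$IpconfigLines)   # ipconfig /all output, one element per line

    $state = @{ Suffix = ''; Mask = ''; Gateway = '' }
    foreach ($line in $IpconfigLines) {
        # ipconfig pads each label with " . . ." before the colon, so match on the label.
        if     ($line -match '^\s*Connection-specific DNS Suffix[\s.]*:\s*(\S*)') { $state.Suffix  = $Matches[1] }
        elseif ($line -match '^\s*Subnet Mask[\s.]*:\s*(\S+)')                    { $state.Mask    = $Matches[1] }
        elseif ($line -match '^\s*Default Gateway[\s.]*:\s*(\S*)')                { $state.Gateway = $Matches[1] }
    }

    # A host-route mask (255.255.255.255) with no gateway is the restricted lease
    # handed out by the NAP-enabled scope: the client can reach only the
    # remediation servers and the DNS server listed for the restricted class.
    $restricted = ($state.Mask -eq '255.255.255.255') -and ($state.Gateway -eq '')
    New-Object PSObject -Property @{
        Restricted           = $restricted
        SubnetMask           = $state.Mask
        DefaultGateway       = $state.Gateway
        DnsSuffix            = $state.Suffix
        SuffixMarksRestricted = ($state.Suffix -ieq 'restricted.adatum.com')
    }
}

# Constructed sample in the shape ipconfig /all prints; not captured from the lab.
$restrictedSample = @'
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : restricted.adatum.com
   IPv4 Address. . . . . . . . . . . : 10.10.0.51(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.10.0.10
'@ -split "`r?`n"

Get-NapDhcpState -IpconfigLines $restrictedSample | Format-List

# On a live client, feed the parser the real output and confirm the NAP agent
# service (service name napagent, set to Automatic by the Task 4 GPO) is running:
# Get-NapDhcpState -IpconfigLines (ipconfig /all) | Format-List
# (Get-Service -Name napagent).Status
```

After Task 7's ipconfig /renew on a compliant client, Restricted should report False and the suffix should no longer be restricted.adatum.com.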
To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module Review and Takeaways

Review Questions
1. How does Defense-in-Depth help you identify and mitigate risks?

2. What is the default configuration for outbound rules in Windows Firewall?

3. How can you identify when viruses or malware have infected a computer?

4. How does UAC prevent viruses and malware from infecting a computer?

5. Which type of IPsec authentication is required to configure firewall rules based
on users and computers?

Common Issues Related to Remote Access
Identify the causes for the following common issues related to remote access and
fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue                                                                      Troubleshooting Tip
A VPN connection is blocked by a hotel firewall
A specific user is unable to log on even though he or she is a member
of a group that is allowed access
Troubleshooting is difficult because logs are located separately on
each VPN server
Configuration is time-consuming because network policies must be
created on each VPN server

Real-World Issues and Scenarios
1. You have recently created a standardized list of firewall rules that you want to
apply to all Windows Vista computers in your organization. What is the best
way to do this?


2. You have recently migrated your servers to Windows Server 2008. After the
migration, administrators are being prompted for permission each time they
run an administrative tool on the server. A colleague suggests that this
functionality be disabled because it is annoying. How do you respond?


3. Your organization has recently had a security breach on a Web-based
application server. In addition to analyzing how this problem occurred, you
need to evaluate security overall for this server. What areas do you need to
consider as you identify risks to this server?


4. Your organization has recently reviewed NAP as a potential method for
preventing malware from entering the network. Based on the initial evaluation,
your manager has asked you to identify the type of NAP enforcement that
would be most appropriate for your organization. Your organization would
like to begin with the simplest implementation possible for internal users.
What type of NAP enforcement should you use?



Best Practices Related to Planning Protection Against Viruses and
Malware
Supplement or modify the following best practices for your own work situations:
Use real-time protection to prevent viruses and malware from infecting a
computer. Scheduled scans find malware only after it is already on the
computer.
Use scheduled scans to find malware missed by real-time scanning because the
signature files did not include the malware at the time of infection.
Use antivirus software that can be centrally managed.
Update antivirus definitions at least once per day.
Use quarantine instead of removal for infected files.
Do not disable UAC, particularly for administrators. Disabling UAC also
disables Protected Mode in Internet Explorer.

Module 8
Planning Server Administration
Contents:
Lesson 1: Selecting the Appropriate Administration Tool 8-4
Lesson 2: Planning Server Core Administration 8-17
Lesson 3: Delegating Administration 8-27
Lab: Planning Server Administration 8-34
Module Overview

As a network administrator, you have many responsibilities and have to perform a
variety of administrative tasks on a day-to-day basis. Windows Server 2008
provides improved administrative tools that help to reduce the burden on any busy
administrator. A good understanding of the administrative tools available will help
you administer your network more efficiently.
Beginning with Windows Server 2008, you can choose to install Windows Server
with only core server functionality and with minimal overhead; although this does
limit the server to performing only key infrastructure roles, it can help improve
security and reduce administrative effort. This type of installation is called a Server
Core installation, and knowing how and where to implement Server Core is
important because it ensures you can get the best from your network infrastructure
roles.
In larger networked environments, a single administrator, or even a team of
administrators, is unlikely to be able to perform all administrative tasks; often,
some of these tasks are delegated to other groups of individuals within the
organization. It is important to know which administrative tasks to delegate, and
how to delegate them both securely and efficiently.
Objectives
After completing this module, you will be able to:
Select an appropriate administrative tool for a given situation.
Determine where to deploy Server Core servers.
Delegate administrative tasks.

Lesson 1
Selecting the Appropriate Administration Tool

When you are faced with multiple administrative tasks during your working day, it
is important that you know which tool to use for a specific task. Windows Server
2008 provides tools with both a graphical interface and a command-line interface.
Windows PowerShell extends the capabilities of the command line, and provides
you with a feature-rich, powerful, programmatic interface for performing your
administrative tasks.
As networks get larger, and servers more distant from the administrators that
manage them, it is important that you understand how to enable and perform
administrative tasks remotely.
Objectives
After completing this lesson, you will be able to:
Describe the function of Windows Server 2008 graphical administration tools.
Describe the function of Windows Server 2008 command-line tools.
Administer a server from the command line.
Enable remote administration.

What Are the Graphical Administration Tools?

Key Points
There are many different administrative tools that you use in order to manage
Windows Server; many of these tools provide a graphical interface. If you have
administered earlier versions of Windows, you are probably familiar with many of
these tools. Windows Server 2008 provides two new administrative tools with a
graphical interface: the Initial Configuration Tasks (ICT) wizard and Server
Manager.
Initial Configuration Tasks
The Initial Configuration Tasks wizard is a new feature in Windows Server 2008; it
is launched automatically after the completion of the operating system installation.
This tool helps you complete setup and configure a new server. It walks you
through the initial setup tasks, several of which affect the server's security
posture, such as:
Set the time zone.
Configure network settings.
Configure the computer name.
Configure workgroup or domain settings.
Enable automatic updates.
Download and install updates.
Add roles or features.
Enable Remote Desktop.
Configure Windows Firewall.


Note: You can rerun the ICT wizard by running Oobe.exe.
Server Manager
The new Server Manager console simplifies the task of administering and securing
server roles with Windows Server 2008. Server Manager in Windows Server 2008
provides tools to:
Add, remove, or manage server roles.
Add, remove, or manage server features.
Access diagnostics tools, including Event Viewer, Device Manager, and the
Reliability and Performance console.
Configure scheduled tasks, Windows Firewall settings, services, local users and
groups, and WMI settings.
Configure and manage storage.

In short, the Server Manager console provides a single point for managing a server.
The Server Manager console uses integrated wizards to guide you through the
process of adding server roles; these wizards perform all the necessary dependency
checks and perform conflict resolution so that your server is stable, reliable, and
secure.

Note: You can use Server Manager to add several roles at once, even if they are
unrelated. For example, if you plan to provision a server for a branch office, you
might select the DNS Server, DHCP Server, and Print Services roles simultaneously.

You can use Server Manager to:
Perform regular, on-going server administration. The Server Manager console
reports on server status, exposes key management tasks, and guides
administrators to advanced management tools.
Manage server roles. A key component of Server Manager is the server role
home pages. These pages provide an integrated view of server roles, including
their current status and current configurations. Some of these consoles include
a filtered event viewer that displays recent events related specifically to that
role. Server role home pages offer controls where you can diagnose problems
by selectively stopping and starting role services. These role-specific
summaries highlight potential problems and offer relevant troubleshooting
tools.


Note: Server Manager supersedes the Manage Your Server and Configure Your Server
tools of Windows Server 2003 and hosts the snap-ins formerly reached through
Computer Management; Computer Management (compmgmt.msc) itself remains available in
Windows Server 2008.

What Are the Command-Line Administration Tools?

Key Points
Although graphical tools are often simpler to use than command-line tools,
command-line tools can often be the quickest way of performing an administrative
task. For example, using Active Directory Users and Computers to change the
telephone number for all users that reside in a particular office building could take
a little while, whereas using a command-line tool enables you to perform the
update in a single, simple line of syntax.
ServerManagerCmd.exe
The ServerManagerCmd.exe tool enables you to perform certain Server Manager
tasks outside of the Windows graphical user interface (GUI), such as installation or
removal of roles, role services and features, command validation, and querying the
current state of the computer.
In addition, ServerManagerCmd.exe allows for installation or removal of multiple
roles, role services, or features in a single command instance by using XML answer
files.
A set of command-line arguments are available to allow additional control over
how the answer file should be executed. For example, you can specify if the server
computer should be restarted automatically when the commands in the answer file
have been executed, perhaps as a requirement of the software you are installing or
removing.
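As an added example (not part of the course text), the following batch script builds a ServerManagerCmd.exe answer file, validates it with -whatIf before touching the server, installs the components, and keeps a result file for the change record. The component Ids (DNS, Web-Server, Web-Http-Logging, PowerShell, RSAT) and the schema namespace are written from memory and are assumptions; confirm the Ids on your build with ServerManagerCmd.exe -query before relying on them.

```batch
@echo off
rem Added example, not from the course: install several roles, role services and
rem features in one ServerManagerCmd.exe run from an XML answer file, validating first.
rem The component Ids below are assumptions; confirm them with "ServerManagerCmd.exe -query".
setlocal
set ANSWER=%TEMP%\branch-roles.xml
set RESULT=%TEMP%\branch-roles-result.xml
set LOG=%TEMP%\branch-roles.log

rem 1. Write the answer file. Action="Install" (or "Remove") applies to every entry.
>  "%ANSWER%" echo ^<ServerManagerConfiguration Action="Install" xmlns="http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1"^>
>> "%ANSWER%" echo   ^<Role Id="DNS"/^>
>> "%ANSWER%" echo   ^<Role Id="Web-Server"/^>
>> "%ANSWER%" echo   ^<RoleService Id="Web-Http-Logging"/^>
>> "%ANSWER%" echo   ^<Feature Id="PowerShell"/^>
>> "%ANSWER%" echo   ^<Feature Id="RSAT"/^>
>> "%ANSWER%" echo ^</ServerManagerConfiguration^>

rem 2. Dry run: -whatIf resolves dependencies and reports what would change,
rem    installing nothing. A non-zero exit code means the file did not validate.
ServerManagerCmd.exe -inputPath "%ANSWER%" -whatIf
if errorlevel 1 (
    echo Answer file failed validation; nothing was installed.
    exit /b 1
)

rem 3. Apply. -resultPath records exactly what was installed (keep it with the change
rem    ticket), -logPath keeps the detailed log, and -restart reboots automatically
rem    only if an installed component requires it.
ServerManagerCmd.exe -inputPath "%ANSWER%" -resultPath "%RESULT%" -logPath "%LOG%" -restart
echo ServerManagerCmd exit code %ERRORLEVEL%; details in "%LOG%"

rem 4. Confirm the final state; installed components are marked [X] in the query output.
ServerManagerCmd.exe -query | findstr /L /C:"[X]"
endlocal
```

Because the answer file is plain XML, the same file can be checked into your build repository and replayed on every server of that class, which gives you a reviewable record of which listening services each class is allowed to run.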
Network Command-Line Tools
You can use the following tools at the command prompt to perform management
of network-related settings:
Netsh, or network shell, enables you to perform most network management
tasks. For example, you can reconfigure basic IP settings, configure Windows
Firewall, or configure settings on a Dynamic Host Configuration Protocol
(DHCP) server.
Netdom enables you to perform a number of domain and computer name-
related tasks, including adding a computer to a domain, changing a
computer's name, and managing trust relationships between domains.
DNScmd enables you to administer the Domain Name System (DNS) Server
role from the command prompt.
DFScmd enables you to administer DFS namespaces, part of the File Services
role, from the command prompt.

Active Directory Command-Line Tools
You can use the following tools from the command line to perform administration
of objects within your Active Directory forest:
Dsmod enables you to modify the properties of a specific Active Directory
object.
Dsquery enables you to search for objects that match defined criteria.
Dsget enables you to view a specified property of a given Active Directory
object.
Csvde uses comma-separated value files in order to import objects to or export
objects from Active Directory.
Ldifde uses LDAP Data Interchange Format (LDIF) files to create, modify, and
delete Active Directory objects, and to export them.
Dcpromo is a powerful tool that enables you to promote a computer to or
demote a computer from the domain controller role; it can be used with an
answer file to perform automated domain controller deployments.
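The bulk update mentioned at the start of this topic (every user in one office moving to another) is the kind of task the DS tools handle in a single pipeline. The batch script below is an added example, not course material: it previews the affected users with dsquery and dsget, records them, applies the change with dsmod, and verifies the result. The office names and the log location are placeholders.

```batch
@echo off
rem Added example, not from the course: change the Office attribute
rem (physicalDeliveryOfficeName) of every user currently in "London" to "Windsor".
rem Run on a domain member that has the AD DS command-line tools installed, as an
rem account that may write that one attribute on those users; no other rights are needed.
setlocal
set OLDOFFICE=London
set NEWOFFICE=Windsor
rem Raw LDAP filter; the quotes around the whole assignment keep cmd from treating & as a separator.
set "FILTER=(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=%OLDOFFICE%))"

rem 1. Preview: the distinguished names that would change, with their current office.
rem    "dsquery *" accepts a raw LDAP filter; -limit 0 lifts the default cap of 100 results.
dsquery * domainroot -filter "%FILTER%" -limit 0 | dsget user -dn -office

rem 2. Keep a record of the affected accounts before changing anything.
dsquery * domainroot -filter "%FILTER%" -limit 0 > "%TEMP%\office-move-%OLDOFFICE%.txt"

rem 3. Apply: dsmod reads the DNs from standard input and sets the new value on each.
dsquery * domainroot -filter "%FILTER%" -limit 0 | dsmod user -office "%NEWOFFICE%"
if errorlevel 1 (
    echo dsmod reported an error; check which users were updated before rerunning.
    exit /b 1
)

rem 4. Verify: the same query should now return no objects.
dsquery * domainroot -filter "%FILTER%" -limit 0
endlocal
```

Run the preview step on its own first; the filter is evaluated against the whole domain, and the preview is the only protection against a filter that matches more than you intended.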

Windows PowerShell
You install Windows PowerShell as a Windows Server 2008 feature. It is included
as a standard part of the Windows Server 2008 operating system. Windows
PowerShell is based on cmdlets that enable you to perform virtually any
management or administrative tasks by using simple, discoverable, verb-noun
syntax. One of the most far-reaching features of Windows PowerShell is the ability
to pipe, or pass, the result of one command to a following command; in this way,
you can create very powerful administrative commands with very little knowledge
of scripting.

Note: Windows PowerShell is based on the Microsoft .NET Framework; consequently,
you cannot deploy Windows PowerShell on a Windows Server 2008 Server Core
installation, because that release of Server Core does not include the .NET
Framework. (Windows Server 2008 R2 Server Core adds a subset of the .NET
Framework and Windows PowerShell 2.0 as optional features.)

Demonstration: Administering a Server from the
Command Line

Key Points
Use standard command-line tools.
Use Windows PowerShell.
Use the Directory Service (DS) tools.

High-level steps:
1. Use the Netsh command-line tool to configure network settings.
2. Use the Netdom command-line tool to perform Active Directory-related
administrative tasks.
3. Use winrs to execute a command on a remote server.
4. Install the Windows PowerShell feature.
5. Perform some typical Windows PowerShell tasks.
6. Create and use a Windows PowerShell function.
7. Create and test a basic Windows PowerShell script.
8. Format the output from Windows PowerShell commands.
9. Use the DS tools to perform Active Directory-related tasks.

Question: How would you accomplish the task of updating users' office location
by using Active Directory Users and Computers? For example, if all users with a
specific office location of London were moving to Windsor?

Implementing Remote Administration

Key Points
In the early days of networking, it was common for administrators to perform
management tasks sitting at the server console. As networks have grown in size
and importance, this practice of interactive administration has diminished.
Consequently, it is important that you understand how to enable and use the
various remote management tools and technologies provided in Windows
Server 2008.
Changing the Focus of a Tool
Most administrative tools enable you to select the focus for your tool; for example,
you can use the DHCP console to manage a remote DHCP server by adding the
remote server to the console. This is often the simplest way of achieving remote
administration.
Remote Server Administration Tools
Obviously, you can only add a remote server to an administrative console if your
computer has the administrative tools installed. You can install the Remote Server
Administration Tools (RSAT) as a feature on any Windows Server 2008 server
computer. To install the tools on a client computer running Windows Vista, you
must first download the tools.

Note: You can download the RSAT tools for Windows Vista from the Microsoft Download
Center at http://go.microsoft.com/fwlink/?LinkID=166022&clcid=0x409.
Remote Desktops
Perhaps one of the easiest ways of performing remote administration is to use
Remote Desktop. You can enable Remote Desktop on your remote server by using
the Remote Settings link from System in Control Panel; choose the option that
allows connections only from computers running Remote Desktop with Network Level
Authentication, so that the client must authenticate before a session is created
on the server. You can then use Remote Desktop Connection to connect to your
remote server from any other server or client computer. The advantage of this
method is that it requires no additional features or software to be installed on
the client or server computer.
If you want to administer multiple computers simultaneously, you can use the
Remote Desktops snap-in. To do this, run tsmmc.msc on any server computer. You
can then create Remote Desktop connections to multiple remote computers.
Windows Remote Management Command-Line Tool (WinRM)
You can also administer remote server computers with various command-line
tools. WinRM is the Microsoft implementation of the WS-Management protocol,
which provides a way to communicate with both local and remote computers
securely by using Web services. For example, to enable remote management for a
computer, you can use the following command:
Winrm quickconfig
This command starts the WinRM service, creates an HTTP listener (on TCP port 80
for the WinRM 1.1 release in Windows Server 2008; WinRM 2.0 uses TCP port 5985),
and enables the matching Windows Firewall exception. Within a domain, requests are
authenticated with Kerberos and the message bodies are encrypted; for workgroup
computers, configure an HTTPS listener rather than allowing unencrypted traffic.
Additional Information
For more information about Windows Remote Management tools, see
http://go.microsoft.com/fwlink/?LinkID=164006&clcid=0x409.
Windows Remote Shell (WinRS)
WinRS enables you to run a command-line task over a secured WinRM connection
on a remote host. For example, to determine the current IP configuration of a
remote server, you can use the following command:
winrs -r:sea-dc1 -u:administrator -p:Pa$$w0rd ipconfig
Avoid supplying the password on the command line as shown here: it is visible to
anyone who can list running processes and it is kept in the console command
history. In a domain, omit -u and -p so that your current Kerberos credentials are
used; if you must specify an account, give -u without -p and WinRS prompts for the
password.
Firewall Issues
It is important to realize that, by default, Windows Firewall is enabled on all
network connections. Remote administration tools use a variety of protocols and
ports to connect to remote servers, so you must enable the corresponding inbound
firewall rule groups. Enable only the groups that you need and, where possible,
restrict their scope to your management subnet rather than disabling the firewall.
The following rule groups are relevant for enabling remote administration:
Remote Administration
Remote Desktop
Remote Event Log Management
Remote Scheduled Tasks Management
Remote Service Management
Remote Volume Management
Windows Management Instrumentation (WMI)
Windows Remote Management

Lesson 2
Planning Server Core Administration

With the Server Core installation type, Windows Server 2008 can be installed with
core functionality. By installing only the files, services, and related files needed to
support core network infrastructure roles, Server Core provides a more secure and
stable platform.
Objectives
After completing this lesson, you will be able to:
Describe Server Core.
List the server roles and features supported by Server Core.
Determine when to deploy Server Core.
Enable effective administration of Server Core.

What Is Server Core?

Key Points
Windows Server 2008 Server Core provides a minimal operating system
installation. This reduces disk space and memory requirements, and the reduced
footprint requires less maintenance and exposes fewer services to network attack,
which makes Server Core a good candidate for remote branch office scenarios.
Server Core is a minimal server installation option for Windows Server 2008
without a GUI. Server Core provides an environment for running key network
infrastructure roles only. To accomplish this, the Server Core installation option
installs only a subset of the executable files and supporting dynamic-link libraries
(DLLs).
Server Core provides several benefits.
Server Core requires less software maintenance, such as installing updates.
Server Core has fewer attack vectors (services with listening ports) exposed to
the network, and therefore less of an attack surface.
Server Core is easier to manage.
Server Core uses less disk space for installation.

You can perform an unattended Server Core deployment to install and configure
Server Core simultaneously, rendering post-installation configuration of the new
server unnecessary; this capability can be used to support scenarios like rapid
datacenter capacity scale-out or server deployment for remote branch offices.
Server Core supports network infrastructure roles, including:
DHCP Server
DNS Server
File Server
Domain Controller

This provides a stable, easier-to-secure platform for these roles.
What Server Roles and Features Does Server Core Support?

Key Points
The Server Core installation of Windows Server 2008 supports the following server
roles:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
DHCP Server
DNS Server
File Services
Print Services
Hyper-V
Web Server (IIS), without ASP.NET, because Server Core in Windows Server 2008
does not include the .NET Framework

After the installation is complete and the server is configured for use, you can also
install optional features. The Server Core installation of Windows Server 2008
supports the following optional features:
Failover Clustering
Windows Internet Name Service (WINS)
Network Load Balancing
Subsystem for UNIX-based applications
Backup
Multipath IO
Removable Storage Management
Windows BitLocker Drive Encryption
Simple Network Management Protocol (SNMP)
Distributed File System Replication
Simple Network Time Protocol (SNTP)

Discussion: When to Deploy Server Core

Key Points
Scenario 1
Fabrikam wants to deploy new branch servers to its regional development centers.
The managers have asked you to advise them where they could implement Server
Core, and where they must use a full installation of Windows Server 2008.
Question: A number of Windows PowerShell scripts have been developed in order
to make changes to an application that is to be installed on one branch server. Is
Server Core suitable?
Scenario 2
Contoso has decided to implement Server Core to support its users wherever
possible. The company wants to implement a domain controller at each branch
office.
Question: Could this role be supported by a Server Core deployment?
Question: It is important that data about the servers be collected by Contoso's
third-party SNMP-based management information system. Does this preclude the use
of Server Core?
Scenario 3
Northwind Traders has started to deploy Windows Server 2008 servers around the
organization. The company wants to ensure that its branch offices can support its
users' needs in the event of a network failure between the branch and the head
office. Security is important because the branch offices often have customers
walking in off the street, and there is nowhere at the branches to physically secure
servers.
Question: What do you propose as a server solution for Northwind Traders?
Include the roles and features required to support your proposal.

Administering Server Core

Key Points
Because no GUI is available, configuring and administering a Server Core
installation requires a different approach when compared to a full Windows Server
2008 installation. The minimal interface in Server Core requires a modified use of
command prompt administrative tools or remote administration over the network.
Initial Configuration
Before you can administer the server, you must complete the post-installation
configuration steps. These are:
Specify the IPv4 address. A DHCP-assigned address is configured by default, but you
can specify a static address. The final parameter is the metric of the default gateway.
Netsh interface ipv4 set address name="Local Area Connection"
source=static address=10.10.0.100 mask=255.255.0.0
gateway=10.10.0.1 gwmetric=1
Specify the IPv4 DNS client-resolver configuration.
Netsh interface ipv4 set dns name="Local Area Connection"
source=static address=10.10.0.200 primary
Change the computer name.
Netdom renamecomputer %computername% /newname:sea-svr1
If you need to join the Server Core system to an existing Windows domain,
you need the credentials of an account that is permitted to join computers to that
domain. Specifying * for the password makes Netdom prompt for it, so the password
is not left in the command history.
Netdom join %computername% /domain:ADATUM
/userd:ADATUM\administrator /passwordd:*
Configure the firewall so that the remote management tools can reach the server.
Netsh advfirewall firewall set rule group="Remote Administration" new
enable=yes

Note: Each invocation enables one rule group. Substitute the name of each group you
need: Remote Administration, Remote Service Management, and the other remote
management options discussed in the last lesson.
Activate the new installation of Windows Server 2008.
Slmgr.vbs -ato
Enable automatic updates.
Cscript c:\windows\system32\scregedit.wsf /AU 4

Note: Not all tasks can be performed from the command line or remotely through an
MMC snap-in. To enable you to configure these settings, the scregedit.wsf script is
included with the Server Core installation of Windows Server 2008. Scregedit.wsf can be
used to configure the paging file, enable automatic updates, enable error reporting,
enable Remote Desktop, and enable Terminal Server clients on previous versions of
Windows to connect to the Server Core-based computer. Scregedit.wsf is
located in the \Windows\System32 folder of the server running the Server Core
installation.
Ongoing Administration
After you have completed these steps, you can then remotely administer the server
by using the various methods described in the preceding lesson. Alternatively, you
can manage the Server Core installation from the command line interactively.
These commands are:
Tasklist. Displays and enables management of running tasks.
Oclist. Enables you to determine the available roles and features.
Ocsetup. Enables you to add or remove roles and features.
Netsh. Provides for network management.
Netdom. Provides for computer and domain administration.
Cscript. Enables you to launch scripts.
Dnscmd. Provides for management of the installed DNS server role.
Dfscmd. Enables you to manage DFS.
The Ocsetup command adds or removes role packages. Package names such as
DHCPServerCore are case-sensitive.
To add a role.
Start /w Ocsetup DHCPServerCore
To remove a role.
Start /w Ocsetup DHCPServerCore /Uninstall

Note: The graphical Active Directory Domain Services Installation Wizard is not
available on a server running Server Core. To install or remove the domain controller
role, run Dcpromo.exe with an unattend file (Dcpromo /unattend:<path to answer file>);
the answer file supplies the settings the wizard would otherwise prompt for.
Lesson 3
Delegating Administration
Busy administrators cannot be expected to perform all day-to-day administration of
all servers within their organization. Consider delegating specific administrative
tasks to individuals or teams so that the organization's network infrastructure is
administered more efficiently, while each delegate holds only the permissions the
delegated task requires.
Objectives
After completing this lesson, you will be able to:
List the common administrative tasks.
Determine which tasks can be delegated.
Delegate common administrative tasks.
What Are the Common Administrative Tasks?
Key Points
In your role as a server administrator, you have many different tasks to perform;
some you perform infrequently, such as deploying additional servers; others, you
perform more frequently, such as resetting user passwords.
In order to enable you to work more efficiently, you can consider delegating some
of these tasks to other users within the organization. This topic describes the
common administrative tasks that you could consider delegating.
User and Group Administration
There are a variety of tasks that relate to user and group administration. These
include:
Creating user accounts
Modifying user properties
Resetting user passwords
Moving user accounts
Deleting user accounts
Creating group accounts
Managing group account membership
Moving groups
Deleting groups
Client Computer Deployment and Administration
Most organizations regularly deploy new client computers. Tasks that relate to
computer deployment include:
Deploying the operating system to the client computer
Joining the client computer to the domain
Reconfiguring the client computer settings
Server Administration
To some extent, all of the administrative tasks discussed in this topic can be
considered to be server administration. However, for the purposes of this
discussion, server administration focuses on the tasks you perform solely on the
server computer:
Stop and start computer services.
Perform backup and restore operations.
Add and remove server roles or features.
Manage storage.
Configure local folder security.
Enable and configure sharing.
Configure firewall settings.
Configure specific applications that are installed on the server, for example
Microsoft Exchange Server, Microsoft SQL Server, or others.
Shut down the server.
Group Policy Administration
Most organizations choose to use Group Policy Objects (GPOs) within their Active
Directory forest as an easy way to manage user and computer settings. These GPOs
have a far-reaching effect, so delegation of GPO administration should be carefully
considered. GPO-related administration includes:
Create new GPO.
Link GPO to specific Active Directory container object, such as an
Organizational Unit.
Configure GPO permissions.
Edit the GPO settings.
Use Group Policy management tools, such as the Group Policy Results
Wizard.
Network Infrastructure Administration
The network infrastructure roles include DHCP, DNS, WINS, Windows
Deployment Services, and Network Policy and Access Services. Some of the tasks
associated with these roles include:
Add or remove DHCP servers.
Create DHCP scope.
Administer DHCP scope options.
Authorize DHCP server in Active Directory.
Add or remove DNS servers.
Create DNS zones.
Administer the zone records.
Add the WINS server feature.
Administer WINS records.
Add the WDS role.
Configure images.
Administer routing and remote access.
Administer Network Access Protection.
Administer network policies.
Active Directory Administration
Aside from administering users, groups, computers, and GPOs, all of which are
Active Directory objects, there are other aspects of Active Directory administration.
These include:
Modifying the schema
Adding or removing domains from the forest
Creating and administering trusts within and between forests
Creating and administering sites, site-links, site-link bridges, and subnets
Creating and administering organizational units (OUs)
Adding or removing domain controllers to an existing domain
Modifying the global catalog properties
Administering Active Directory replication

Note: This is not an exhaustive list of all administrative tasks, but rather should serve as
the basis for discussion about which administrative tasks could be delegated, and to
whom.
Discussion: Which Tasks Should You Delegate?
Key Points
This is an open discussion. Consider the list of administrative tasks in the
preceding topic, and as a class, discuss which you might consider delegating. In
addition, explain to whom you might delegate the task. For example, you might
decide to delegate the ability to reset user passwords to someone at a branch office
with relevant technical experience at management level. However, you might not
want that same user to be responsible for deploying computer accounts.
Demonstration: Delegating Administrative Tasks
Key Points
Delegate common administrative tasks.
High-level steps:
1. Delegating administrative tasks to members of a local group.
2. Delegating administrative tasks by using the Delegate Control wizard.
3. Viewing and modifying Active Directory object permissions to enable
delegation.
4. Testing the delegated abilities.
Question: Would you recommend delegating common tasks directly to user
accounts? Why or why not?
Lab: Planning Server Administration
Note: Your instructor may run this lab as a class discussion.
The Sales department branch offices have been operational for some time. Joe
Healy has requested more control over the administration of the Sales
branches.
Exercise 1: Planning for Branch Office Administration
Scenario
You track down a corporate document that provides more information about
which elements of the IT infrastructure are centrally managed. Alan Steiner has
appended some comments to this document that are pertinent to Sales. You must
determine which administrative tasks you can delegate to Joe.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Update the Branch Office Delegation document with your proposals.
Supporting Documentation
A Datum Corporate Security Policy.doc
No infrastructure roles should be delegated; DHCP, DNS, WINS, and WDS
should all be managed centrally by IT.
Group Policy Objects must only be created by IT.
Whenever delegation takes place, users must never be assigned permissions
directly; rather, an appropriate group strategy must be implemented.
Additional comments added [Alan Steiner, IT Department]
Branch offices are equipped with Read-Only Domain Controllers (RODCs), so any
edits to Active Directory objects must be made at the writable domain controllers
(DCs).
Joe needs to be able to determine which Group Policy settings will apply directly to
the sales team. Any really important stuff is configured at the domain level with
enforcement of the relevant GPO.
Joe needs to be able to manage user, group, and computer objects in the Sales OU
only.
We don't want to bother deploying administration tools to the client computer
desktops, so any administration must be handled over Remote Desktop Protocol
(RDP).
We're building up a library of useful Windows PowerShell scripts. I imagine we'll
want to let Joe have access to those.
Branch Office Delegation
Document Reference Number: GW0511/1
Document Author: Gregory Weber
Date: 5th November
Requirement Overview
Determine which tasks can be delegated to Joe Healy in Sales.
Specify how this delegation will be achieved.
Additional Information
Proposals
1. Which features will you need to install on a recently deployed departmental server
to support administrative delegation?
2. How will you manage the requirement that Joe needs to be able to manage which
GPOs apply to the Sales OU without giving him the ability to edit the GPO
settings?
3. What delegated permissions will you give to Joe in Active Directory?
4. How will you achieve this?
5. Because you are not permitted to grant Joe any delegated permissions directly,
how will you achieve the required delegation?
Task 1: Read the supporting documentation
Read the supporting documentation.
Task 2: Update the Branch Office Delegation document with your
proposals
Answer the questions in the Branch Office Delegation document.
Results: After this exercise, you should have a completed Branch Office Delegation
proposal document.
Exercise 2: Delegating Administration to Branch Office
Personnel
Scenario
Having determined which tasks you intend to delegate and to whom, you must
now implement your plan.
The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Create the necessary security group.
3. Delegate control of the Sales OU.
4. Configure group membership on the SEA-SVR1 server.
5. Enable Remote Desktop on SEA-SVR1.
6. Install Windows PowerShell and RSAT on SEA-SVR1.
7. Perform branch administration.
8. Create and run a Windows PowerShell script.
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
7. Minimize the Lab Launcher window.
Task 2: Create the necessary security group
1. Switch to the SEA-DC1 computer.
2. Create a new global security group with the following properties:
Location: Sales organizational unit
Name: Sales-Admins
Members: Joe Healy
Task 3: Delegate control of the Sales organizational unit
1. Using the Delegate Control Wizard, delegate the following common tasks to
the Sales-Admins group on the Sales OU:
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Create, delete, and manage groups
Modify the membership of a group
Manage Group Policy links
2. In Active Directory Users and Computers, enable the Advanced Features view.
3. Grant the Sales-Admins group the following permissions on the Sales OU:
Create Computer objects/Allow
Delete Computer objects/Allow
4. Grant the Sales-Admins group the following additional permissions on
Descendant Computer objects in the Sales OU:
Full control/Allow
5. Close Active Directory Users and Computers.
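The same delegation can be applied from Windows PowerShell rather than through the Delegate Control wizard, which also makes it reviewable and repeatable. The script below is an added example and is not part of the course or the lab; it assumes the Sales OU (OU=Sales,DC=Adatum,DC=com) and the ADATUM\Sales-Admins group from Task 2 exist, that it runs as a domain administrator against a writable domain controller (the branch RODCs cannot accept the change), and that the access rules it builds are our approximation of the wizard's common tasks plus the computer-object permissions from steps 3 and 4. After committing the ACEs it reads the OU's explicit ACL back and flags any entry granted to an individual user account, which the A. Datum security policy forbids.

```powershell
# Added example (not part of the course): delegate the Sales OU to ADATUM\Sales-Admins
# with System.DirectoryServices, then verify the resulting ACL against the delegation policy.
# Assumptions: OU and group already exist; run as a domain admin against a writable DC.
$ouPath  = "LDAP://OU=Sales,DC=Adatum,DC=com"
$account = New-Object System.Security.Principal.NTAccount("ADATUM", "Sales-Admins")
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Well-known schema GUIDs (the same in every forest) for the classes, attributes and
# extended right that the delegated tasks refer to.
$userClass     = [guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$groupClass    = [guid]"bf967a9c-0de6-11d0-a285-00aa003049e2"
$computerClass = [guid]"bf967a86-0de6-11d0-a285-00aa003049e2"
$memberAttr    = [guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"
$pwdLastSet    = [guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"
$gpLink        = [guid]"f30e3bbe-9ff0-11d1-b603-0000f80367c1"
$gpOptions     = [guid]"f30e3bbf-9ff0-11d1-b603-0000f80367c1"
$resetPassword = [guid]"00299570-246d-11d0-a768-00aa006e0529"

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$None  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE on the OU itself: create/delete children of one class, or read/write one attribute.
function New-OuRule([string]$rights, [guid]$objectType) {
    $r = [System.DirectoryServices.ActiveDirectoryRights]$rights
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $r, $Allow, $objectType, $None)
}
# ACE inherited by every descendant of one class; objectType [guid]::Empty = the whole object.
function New-DescendantRule([string]$rights, [guid]$objectType, [guid]$class) {
    $r = [System.DirectoryServices.ActiveDirectoryRights]$rights
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $r, $Allow, $objectType, $Desc, $class)
}

$rules = @(
    # Create, delete, and manage user accounts (also covers "Read all user information")
    (New-OuRule "CreateChild, DeleteChild" $userClass),
    (New-DescendantRule "GenericAll" ([guid]::Empty) $userClass),
    # Reset user passwords and force password change at next logon
    (New-DescendantRule "ExtendedRight" $resetPassword $userClass),
    (New-DescendantRule "ReadProperty, WriteProperty" $pwdLastSet $userClass),
    # Create, delete, and manage groups; modify the membership of a group
    (New-OuRule "CreateChild, DeleteChild" $groupClass),
    (New-DescendantRule "GenericAll" ([guid]::Empty) $groupClass),
    (New-DescendantRule "ReadProperty, WriteProperty" $memberAttr $groupClass),
    # Manage Group Policy links: gPLink/gPOptions on the OU, not the GPO settings themselves
    (New-OuRule "ReadProperty, WriteProperty" $gpLink),
    (New-OuRule "ReadProperty, WriteProperty" $gpOptions),
    # Task 3 steps 3-4: create/delete computer objects; full control of descendant computers
    (New-OuRule "CreateChild, DeleteChild" $computerClass),
    (New-DescendantRule "GenericAll" ([guid]::Empty) $computerClass)
)

$ou = [ADSI]$ouPath
foreach ($rule in $rules) { $ou.ObjectSecurity.AddAccessRule($rule) }
$ou.CommitChanges()

# Verify: list the explicit (non-inherited) ACEs and resolve each trustee in the domain.
# A trustee that is a user object (and not a computer) violates the groups-only policy.
$domain = [ADSI]"LDAP://DC=Adatum,DC=com"
foreach ($ace in $ou.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
    $name   = $ace.IdentityReference.Value.Split("\")[-1]
    $search = New-Object System.DirectoryServices.DirectorySearcher($domain, "(sAMAccountName=$name)")
    $found  = $search.FindOne()
    $isUser = ($found -ne $null) -and ($found.Properties["objectclass"] -contains "user") `
              -and -not ($found.Properties["objectclass"] -contains "computer")
    $flag = ""
    if ($isUser) { $flag = "<-- POLICY VIOLATION: delegated directly to a user" }
    "{0,-28} {1,-40} {2,-12} {3}" -f $ace.IdentityReference, $ace.ActiveDirectoryRights, $ace.InheritanceType, $flag
}
```

The verification loop is worth keeping as a standalone audit: run it periodically against every OU that has been delegated, and treat any flagged line, or any ACE whose rights are broader than the task list above, as a finding to investigate.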
Task 4: Configure group membership on the SEA-SVR1 server
1. Switch to the SEA-SVR1 computer.
2. Open Server Manager, and then in Server Manager, in the navigation tree,
expand Configuration, expand Local Users and Groups, and then click
Groups.
3. Add the Adatum\Sales-Admins global group to the local Administrators
group.
Task 5: Enable Remote Desktop on SEA-SVR1
1. Click Start, right-click Computer, and then click Properties.
2. In the Tasks list, click Remote settings.
3. Enable Remote Desktop with the highest level of security.
4. Enable members of the Sales-Admins global group to access this computer
remotely.
5. Close System.
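Enabling Remote Desktop in System Properties is only one of several conditions that must hold before Joe can connect; review question 3 at the end of this module asks for the others. The following function is an added example, not part of the course, that checks them on the server itself. It assumes the default RDP listener and firewall rule names of Windows Server 2008, the Sales-Admins group from Task 2, and that it runs in an elevated Windows PowerShell prompt on SEA-SVR1.

```powershell
# Added example (not part of the course): report why a Remote Desktop connection to this
# server may still fail after Remote Desktop has been enabled. Run elevated on the server.
# Assumptions: default listener (RDP-Tcp), default rule name "Remote Desktop (TCP-In)".
function Test-RemoteDesktopReadiness([string]$delegatedGroup = "Sales-Admins") {
    $problems = @()

    # 1. Remote Desktop enabled? fDenyTSConnections = 1 means connections are refused.
    $ts = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
    if ($ts.fDenyTSConnections -ne 0) {
        $problems += "Remote Desktop is disabled (fDenyTSConnections=$($ts.fDenyTSConnections))"
    }

    # 2. "Highest level of security" = Network Level Authentication. Clients without
    #    CredSSP (older than RDP 6.0) are refused, so say so for the client-side check.
    $rdp = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
    if ($rdp.UserAuthentication -eq 1) {
        Write-Host "Note: NLA is required; clients need CredSSP (RDP 6.0 or later)."
    }

    # 3. Service running and the listener bound to its configured TCP port (3389 by default)?
    if ((Get-Service TermService).Status -ne "Running") { $problems += "TermService is not running" }
    $port = $rdp.PortNumber
    if (-not (netstat -an -p tcp | Select-String ":$port\s+\S+\s+LISTENING")) {
        $problems += "Nothing is listening on TCP $port"
    }

    # 4. Firewall rule enabled? Group Policy can disable it again after it was enabled locally.
    $rule = netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
    if (($rule -match "No rules match") -or -not ($rule -match "^Enabled:\s+Yes")) {
        $problems += "Firewall rule 'Remote Desktop (TCP-In)' is missing or disabled"
    }

    # 5. Is the delegated group allowed to log on? Membership of either local Administrators
    #    (Task 4) or Remote Desktop Users (Task 5) satisfies the default logon right.
    $allowed = @()
    foreach ($g in "Administrators", "Remote Desktop Users") {
        $grp = [ADSI]"WinNT://./$g,group"
        $allowed += @($grp.psbase.Invoke("Members") |
            ForEach-Object { $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) })
    }
    if ($allowed -notcontains $delegatedGroup) {
        $problems += "$delegatedGroup is in neither Administrators nor Remote Desktop Users"
    }

    if ($problems.Count -eq 0) { "Remote Desktop looks ready on $env:COMPUTERNAME" } else { $problems }
}

Test-RemoteDesktopReadiness
```

Two failure modes the function cannot see from the server are a Group Policy setting that removes the "Allow log on through Terminal Services" user right from the group, and a network firewall between the branch and the server; check those next if the script reports no problems and the client still cannot connect.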
Task 6: Install Windows PowerShell and RSAT on SEA-SVR1
1. From Server Manager, add the following features:
Remote Server Administration Tools:
Active Directory Domain Services Tools
Windows PowerShell
2. Restart when prompted.
3. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. Complete the installation and then close Server Manager.
Task 7: Perform branch administration
1. Switch to the SEA-CL1 computer.
Note: If you are already logged on as Joe, please log off and then proceed with the lab.
2. Open Remote Desktop Connection:
IP address: 10.10.0.100
Username: adatum\Joe
Password: Pa$$w0rd
3. Open Active Directory Users and Computers.
4. Delete the user Tom Higginbotham from the Sales OU.
5. Create a new computer account in the Sales OU called Sales-1.
Task 8: Create and run a Windows PowerShell script
1. Open Windows PowerShell with elevated privileges.
2. At the Windows PowerShell Command Prompt, type notepad user.ps1, and
then press ENTER.
3. In Notepad, type the following lines of code:
# Bind to the Sales OU; the [ADSI] type accelerator returns a DirectoryEntry
$objOU = [ADSI] "LDAP://OU=sales,DC=Adatum,DC=com"
# Create the user object locally, set its logon name, then write it to the directory
$objUSR = $objOU.Create("User","cn=Tom Higginbotham")
$objUSR.Put("SAMACCOUNTNAME","Tom")
$objUSR.SetInfo()
4. Save the file and close Notepad.
5. Set the script execution policy to remote signed only:
Type set-executionpolicy remotesigned, and then press ENTER
6. Run the script:
Type ./user.ps1, and then press ENTER
7. Switch to Active Directory Users and Computers and verify creation of the
Tom account in the Sales OU.
8. Close all open windows.
Results: After this exercise, you should have successfully delegated administration to
the branch personnel.
To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module Review and Takeaways
Review Questions
1. Which administrative tool(s) could you use to add server roles?
2. Which command-line tool(s) enables you to import objects into the Active
Directory directory service?
3. You have enabled Remote Desktop Connections on a server in your corporate
network and yet you are unable to access that server remotely. What possible
reasons for this failure could there be?
4. There is no need to configure Windows Firewall on Server Core because it is
disabled by default, and Group Policy settings can be used to configure the
firewall. True or false?
5. Automatic updates are enabled on Server Core by using the Netsh Updates
context. True or False?
Module 9
Planning and Implementing Monitoring and
Maintenance
Contents:
Lesson 1: Planning Monitoring Tasks 9-3
Lesson 2: Calculating a Server Baseline 9-9
Lesson 3: Tools for Monitoring Server Performance 9-17
Lesson 4: Planning Software Updates 9-29
Lab: Planning and Implementing Monitoring and Maintenance 9-40
Module Overview
Monitoring the performance of servers is important for all organizations.
Most businesses require cost-effective solutions that provide value for money. You
should monitor servers to ensure that they run efficiently and use available server
capacity.
Many administrators require performance-monitoring tools to identify components
that require additional tuning and troubleshooting. By identifying components that
require additional tuning, you can improve the efficiency of your servers.
Objectives
After completing this module, you will be able to:
Plan monitoring tasks.
Calculate a server performance baseline.
Select the appropriate monitoring and maintenance tool.
Plan software updates.
Lesson 1
Planning Monitoring Tasks

The Windows Server 2008 operating system can use many monitoring tools.
This lesson discusses the range of monitoring features that are available for
Windows Server 2008 and how you can plan to measure the efficiency of the
operating system and hardware components through monitoring.
Objectives
After completing this lesson, you will be able to:
Explain why it is important to monitor servers.
List various monitoring methods.
Plan for event monitoring.
Discussion: Why Monitor Servers?
Key Points
This is an open discussion. Consider why it is necessary to monitor servers, and
suggest these reasons to your instructor.
Monitoring Methods

Key Points
You should select the most appropriate tool to suit the type of monitoring that is
required.
There are several methods that you can use to collect performance data from
servers in your organization. You should use each of these methods to suit your
requirements.
Real-time monitoring of computers is useful when you want to determine the effect
of performing a specific action or troubleshoot specific events. This type of
monitoring can also help you to ensure that you are meeting service-level
agreements (SLAs).
Analyzing historical data can be useful for tracking trends over time, determining
when to relocate resources, and deciding when to invest in new hardware to meet
the changing requirements of your business. You should use historical
performance data to assist you when you plan future server requirements.
A range of tools is available to assist you in the monitoring of your server
environment. These tools are described in the following table.
Tool: Description

Windows Server 2008 Event Viewer: Windows Server 2008 Event Viewer collects information that relates to server operations. This data can help to identify performance issues on a server. You should search for specific events in the event log file to locate and identify problems.

Windows System Resource Manager (WSRM): Using WSRM, you can control how CPU resources are allocated to applications, services, and processes. Managing these resources improves system performance and reduces the chance that these applications, services, or processes will interfere with the rest of the system. WSRM is a feature of Windows Server 2008.

Network Monitor: Network Monitor is a protocol analyzer. It enables you to capture, view, and analyze network data. You can use it to help troubleshoot problems with applications on the network. Network Monitor is provided with Windows Server 2008.

Reliability and Performance Monitor: You can use Microsoft Windows Reliability and Performance Monitor to examine how programs you run affect your computer's performance, both in real time and by collecting log data for later analysis. Windows Reliability and Performance Monitor uses performance counters, event trace data, and configuration information, which can be combined into data collector sets. Reliability and Performance Monitor is built into Windows Server 2008.

System Center Operations Manager (Operations Manager) 2007: Operations Manager enables you to build a complete picture of the past and current performance of your server infrastructure. Operations Manager can also automatically respond to events and address problems before they become an issue for you. Operations Manager requires time to configure and requires additional licenses.

Planning for Event Monitoring

Key Points
You should consider the cost that monitoring events incurs. The cost that is
incurred to monitor systems is an investment in ensuring that your systems
continue to run effectively and efficiently. You can measure costs by using several
metrics, including:
Time allocated to personnel to perform monitoring tasks.
Money invested in monitoring systems.

An alternative view is to consider the cost of not monitoring your systems by
asking the following questions:
What is the monetary cost of reduced user productivity for your organization?
What is the cost of system outage that is caused by not monitoring systems?
What is the cost of a reactive approach to troubleshooting?

By using automated systems, you can monitor servers proactively and possibly
reduce the overall number of staff who are required to perform monitoring. By
using tools such as Operations Manager 2007, you can automatically monitor and
fix certain server issues.
By providing an IT infrastructure that automatically responds to events, you create
a server infrastructure that is flexible and dynamic. Windows Server 2008 enables
dynamic system responses through Task Manager and other tools such as SCOM
2007 and third-party offerings.
Additional Reading
For more information about SCOM 2007, see the Microsoft System Center Operations Manager Web site at http://go.microsoft.com/fwlink/?LinkID=166112&clcid=0x409.
For more information about the Dynamic Systems Initiative, see the Dynamic Systems Initiative Overview White Paper on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=166115&clcid=0x409.
Lesson 2
Calculating a Server Baseline

This lesson discusses some of the key server components to measure. You will
learn how to use analysis and planning techniques from collected performance
metrics to improve your server infrastructure.
Objectives
After completing this lesson, you will be able to:
Determine which hardware components you should monitor.
Describe common performance metrics.
Analyze performance trends.
Plan for future capacity requirements.
Discussion: Which Hardware Components Should You Monitor?

Key Points
This is an open discussion.
Common Performance Metrics

Key Points
You should familiarize yourself with basic performance measurement objects and
counters to monitor the main hardware components.
The following table lists some common performance metrics to measure.
Object: Description

Cache: Monitors the file system cache. The cache is an area of physical memory that is used to store recently used data to permit access to the data without having to read from the disk.

Memory: Physical, random access memory (RAM) counters. Virtual memory, RAM, and disk counters. Includes paging, which is the movement of pages of code and data between disk and physical memory.

Objects: Logical objects in the system, including threads and processes.

Paging: Reserved space on the disk that complements committed physical memory.

Physical: Hard or fixed drives as the computer sees them. (Hardware RAID may not be visible to these counters.)

Process: Monitors running applications and system processes. All of the threads in a process share the same address space and have access to the same data.

Processor: Measures aspects of processor activity. Each processor is represented as an instance of the object.

Server: Measures communication between the local computer and the network.

System: Counters that apply to more than one instance of component processes on the computer.

Thread: Counters that measure aspects of thread behavior. A thread is the basic object that executes instructions on a processor. All running processes have at least one thread.


For more information about common performance metrics,
see Performance Tuning Guidelines for Windows Server 2008
on the Windows Hardware Developer Central Web site at
http://go.microsoft.com/fwlink/?LinkID=140009.

Analyzing Performance Trends

Key Points
You should give careful consideration to the value of performance data to ensure
that it reflects the real server environment.
You should consider performance analysis alongside business plans.
It may be possible to reduce the number of servers in operation after you have
measured performance.
By analyzing performance trends, you can predict when existing capacity is likely
to be exhausted. You should review historical analysis with consideration to your
business and use this to determine when additional capacity is required. Some
peaks are associated with one-time activities such as very large orders. Other peaks
occur on a regular basis, such as a monthly payroll, and these peaks may require
increased capacity to meet increasing numbers of employees.
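Predicting when existing capacity will be exhausted is straightforward once you have a series of historical samples. The following PowerShell script is an added example, not part of the course, that fits a least-squares straight line through weekly disk-usage readings and reports the growth rate, the number of weeks until a warning threshold is reached, and the number of weeks until the volume is full. The weekly figures, the 500 GB volume size and the 85 percent warning level are constructed values for the example; in practice you would feed the function from the logs that your data collector sets produce.

```powershell
# Added example (not from the course): project when a volume will run out of
# space from a linear trend fitted to weekly usage samples.

function Get-LinearTrend {
    param([double[]]$X, [double[]]$Y)
    # Ordinary least-squares fit of Y against X: returns slope and intercept.
    $n = $X.Count
    $sumX = 0.0; $sumY = 0.0; $sumXY = 0.0; $sumXX = 0.0
    for ($i = 0; $i -lt $n; $i++) {
        $sumX  += $X[$i]
        $sumY  += $Y[$i]
        $sumXY += $X[$i] * $Y[$i]
        $sumXX += $X[$i] * $X[$i]
    }
    $slope     = ($n * $sumXY - $sumX * $sumY) / ($n * $sumXX - $sumX * $sumX)
    $intercept = ($sumY - $slope * $sumX) / $n
    New-Object PSObject -Property @{ Slope = $slope; Intercept = $intercept }
}

function Get-CapacityForecast {
    param(
        [double[]]$UsedGB,           # one reading per week, oldest first
        [double]$CapacityGB,         # size of the volume
        [double]$WarnAtPercent = 85  # utilisation at which you want to act
    )
    # Week numbers 0..n-1 are the X axis; usage is the Y axis.
    $weeks = 0..($UsedGB.Count - 1) | ForEach-Object { [double]$_ }
    $trend = Get-LinearTrend -X $weeks -Y $UsedGB

    if ($trend.Slope -le 0) {
        # Flat or shrinking usage: no exhaustion date can be projected.
        return New-Object PSObject -Property @{
            GrowthGBPerWeek = [math]::Round($trend.Slope, 2)
            WeeksToWarn     = $null
            WeeksToFull     = $null
        }
    }

    # Solve intercept + slope * week = target, then count from the last sample.
    $lastWeek    = $UsedGB.Count - 1
    $warnGB      = $CapacityGB * $WarnAtPercent / 100
    $weeksToWarn = ($warnGB - $trend.Intercept) / $trend.Slope - $lastWeek
    $weeksToFull = ($CapacityGB - $trend.Intercept) / $trend.Slope - $lastWeek

    New-Object PSObject -Property @{
        GrowthGBPerWeek = [math]::Round($trend.Slope, 2)
        WeeksToWarn     = [math]::Round([math]::Max($weeksToWarn, 0), 1)
        WeeksToFull     = [math]::Round([math]::Max($weeksToFull, 0), 1)
    }
}

# Constructed sample: eight weekly readings of used space on a 500 GB volume.
$usedGB = 300, 306, 311, 318, 323, 330, 335, 342
Get-CapacityForecast -UsedGB $usedGB -CapacityGB 500 | Format-List
```

A straight line is a deliberate simplification: it smooths over the one-time and recurring peaks the paragraph above describes, so compare the forecast against your business calendar (month-end runs, seasonal orders) before deciding when to order hardware, and re-run it as new samples arrive rather than trusting a single projection.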
Planning for future server capacity is a requirement for all organizations. Business
planning often requires additional server capacity to meet targets. By aligning your
IT strategy with the strategy of the business, you can support the business
objectives.
You should plan the server capacity to maximize the use of available space, power,
and cooling. You should consider virtualizing your environment to reduce the
number of physical servers that are required. You can consolidate servers through
implementing 64-bit computing and utilizing Hyper-V.
Planning for Future Capacity Requirements

Key Points
New server applications and services affect the performance of your IT
infrastructure. These services may receive dedicated hardware although they often
use the same local area network (LAN) and wide area network (WAN) network
infrastructure. Planning for future capacity should include all hardware
components and how new servers, services, and applications affect the existing
infrastructure. Factors such as power, cooling, and rack space are often overlooked
during initial exercises to plan capacity expansion. You should consider how your
servers can scale up and out to support an increased workload.
Tasks such as upgrading to Windows Server 2008 and updating operating systems
may affect your servers and network. It is not unknown for an update to cause a
problem with an application. Careful performance monitoring before and after
updates are applied can identify problems.
An expanding business requires you to provide support for more users. You
should consider business requirements when you purchase hardware. This
consideration will ensure that you can meet future business requirements through
increasing the number of servers or by adding capacity to existing hardware.
Capacity requirements include:
More servers.
Additional hardware.
Reducing application loads.
Reducing users.

Lesson 3
Tools for Monitoring Server Performance

Windows Server 2008 provides a range of tools to monitor the operating system
and applications that you can use to tune your system for efficiency. You should
use these tools and complement them where necessary with your own tools.
Objectives
After completing this lesson, you will be able to:
List the Windows Server 2008 monitoring tools.
Describe the function of Performance Monitor.
Describe the function of Reliability Monitor.
Determine when to use third-party monitoring tools.
Use event subscriptions.
Identify business requirements.

Windows Server 2008 Monitoring Tools

Key Points
Windows Server 2008 has a range of built-in tools to assist you in monitoring your
systems.
The following table lists tools that you can use to monitor Windows Server 2008.
Tool: Description

Windows Server 2008 Event Viewer: Windows Server 2008 Event Viewer collects information that relates to server operations. This data can help to identify performance issues on a server. You should search for specific events in the event log file to locate and identify problems. Log files are available through the Event Viewer console; this removes much of the requirement for log file interrogation by using tools such as Notepad. However, some installation files and third-party applications continue to require the use of programs such as XML Notepad to review log file entries.

Task Manager: Task Manager enables you to view processes in real time to determine their exact resource usage at a point in time.

Scripting: All performance counters are available programmatically through Windows Management Instrumentation (WMI). By making performance counters available through WMI, you can monitor servers by using scripts. Windows Server 2008 supports a range of scripting technologies, including Perl; Microsoft Visual Basic, Scripting Edition (VBScript); and the Windows PowerShell command-line interface. Microsoft recommends that you use the new features that are available through Windows PowerShell when you script in Windows Server 2008.

Reliability and Performance Monitor: You can use Microsoft Windows Reliability and Performance Monitor to examine how programs you run affect your computer's performance, both in real time and by collecting log data for later analysis. Windows Reliability and Performance Monitor uses performance counters, event trace data, and configuration information, which can be combined into data collector sets.


For more information about Microsoft System Center Operations Manager 2007, see the white paper Introducing Microsoft System Center Operations Manager 2007 on the Microsoft Download Center Web site at http://go.microsoft.com/fwlink/?LinkID=166116&clcid=0x409.

Performance Monitor

Key Points
Performance Monitor provides a visual display of Windows performance objects
and counters, either in real time or as a review of historical data. Performance
Monitor features multiple graph views that you can use to review performance log
data. You can create custom views in Performance Monitor that you can export as
data collector sets for use with performance and logging features.
New features of Windows Reliability and Performance Monitor in Windows Server 2008 include the following:
Data collector sets. Data collector sets group data collectors into reusable elements for use with different performance monitoring scenarios.
Wizards and templates for creating logs. Adding counters to log files and scheduling their start, stop, and duration can now be performed through a wizard interface. In addition, saving this configuration as a template allows system administrators to collect the same log on subsequent computers without repeating the data collector selection and scheduling processes. Performance Logs and Alerts features have been incorporated into the Windows Reliability and Performance Monitor for use with any Data Collector Set.
Resource View. The home page of Windows Reliability and Performance Monitor is the new Resource View screen, which provides a real-time graphical overview of CPU, disk, network, and memory usage.
Reliability Monitor. Reliability Monitor calculates a System Stability Index that reflects whether unexpected problems reduced the reliability of the system. A graph of the Stability Index over time quickly identifies dates when problems began to occur.
Unified property configuration for all data collection, including scheduling. Whether creating a Data Collector Set for one-time use or to log activity on an ongoing basis, the interface for creation, scheduling, and modification is the same. If a Data Collector Set proves to be useful for future performance monitoring, it does not need to be re-created. It can be reconfigured or copied as a template.
User-friendly diagnosis reports. Report generation time is improved and reports can be created from data collected by using any Data Collector Set. This allows system administrators to repeat reports and assess how changes have affected performance or the report's recommendations.

Performance counters are values that are generated by the operating system
or applications to indicate performance measurements. You can use these
measurements for analysis and troubleshooting. You add performance counters to
Performance Monitor by selecting individual counters or by creating custom data
collector sets.
You can view real-time values for performance counters in Performance Monitor by
using one of the following three views:
Line Chart. In the Line Chart view, you can view the value of each monitored
counter in a line chart that shows counter values against time. You can also
view the last, average, minimum, or maximum value for a counter by selecting
it in the user interface.
Histogram. In the Histogram view, you can view the current value for each
counter as a bar in a histogram (bar chart). You can also view the last, average,
minimum, or maximum value for a counter by selecting it in the user interface.
Report. In the Report view, you can view the current value for each counter as
a number in a text-based report.


Note: It is best practice to perform the monitoring activity from a remote computer; that
is, use Performance Monitor and related tools, such as data collector sets, to collect
statistics from a remote computer rather than from the local computer. The process of
running the monitoring tools imposes a load on the monitoring system and affects the
integrity of the data collected from the monitored system if they were one and the same.
You can collect data for any performance-related object from the remote computer. For
example, if the remote computer is running Microsoft Exchange Server or Microsoft SQL
Server, you can access these objects from the monitoring workstation.
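The Scripting entry in the tools table states that every performance counter is reachable through WMI, and the note above says to collect from a separate monitoring computer. The following PowerShell script is an added example, not code from the course or from any Microsoft tool; it samples the Processor, Memory, System and LogicalDisk objects listed in the common-metrics table from a remote Windows Server 2008 computer through the Win32_PerfFormattedData WMI classes, warns when a sample breaches a rule-of-thumb threshold, and writes each run to a CSV file that later trend analysis can consume. The server name SERVER01, the output folder and the threshold values are assumptions for the example; running it requires administrative rights on the monitored server and the firewall exceptions that remote WMI (DCOM) needs.

```powershell
# Added example (not from the course): sample a baseline set of Performance
# Monitor objects from a remote Windows Server 2008 computer via WMI, warn on
# threshold breaches, and save the samples for later trend analysis.
# Run it from a monitoring workstation, not on the server being measured.
# $Server, $OutDir and the threshold values are assumptions for this example.
param(
    [string]$Server = 'SERVER01',      # hypothetical monitored server
    [int]$Samples = 4,                 # how many samples to take
    [int]$IntervalSeconds = 15,        # pause between samples
    [string]$OutDir = 'C:\PerfLogs'    # hypothetical output folder on the workstation
)

# Rule-of-thumb limits used only to raise a warning; tune them to your SLAs.
$Thresholds = @{
    'Processor\% Processor Time'    = 85   # sustained CPU above this is suspect
    'System\Processor Queue Length' = 2    # threads waiting for a CPU
    'Memory\Available MBytes'       = 256  # below this the server is short of RAM
    'Memory\Pages/sec'              = 100  # heavy paging: disk is standing in for RAM
    'LogicalDisk\% Free Space'      = 15   # below this, plan for more disk
}
# Counters where a LOW value is the problem are compared the other way round.
$LowerIsWorse = 'Memory\Available MBytes', 'LogicalDisk\% Free Space'

function Get-ServerSample {
    param([string]$ComputerName)
    # The Win32_PerfFormattedData_* classes expose the same objects and counters
    # that Performance Monitor shows, already scaled (percentages, per-second rates).
    $cpu  = Get-WmiObject -ComputerName $ComputerName -Class Win32_PerfFormattedData_PerfOS_Processor |
            Where-Object { $_.Name -eq '_Total' }
    $mem  = Get-WmiObject -ComputerName $ComputerName -Class Win32_PerfFormattedData_PerfOS_Memory
    $sys  = Get-WmiObject -ComputerName $ComputerName -Class Win32_PerfFormattedData_PerfOS_System
    $disk = Get-WmiObject -ComputerName $ComputerName -Class Win32_PerfFormattedData_PerfDisk_LogicalDisk |
            Where-Object { $_.Name -eq 'C:' }   # system volume; adjust per server

    New-Object PSObject -Property @{
        Timestamp                       = Get-Date
        Computer                        = $ComputerName
        'Processor\% Processor Time'    = [int]$cpu.PercentProcessorTime
        'System\Processor Queue Length' = [int]$sys.ProcessorQueueLength
        'Memory\Available MBytes'       = [int]$mem.AvailableMBytes
        'Memory\Pages/sec'              = [int]$mem.PagesPerSec
        'LogicalDisk\% Free Space'      = [int]$disk.PercentFreeSpace
    }
}

function Test-Sample {
    param($Sample)
    # Returns a description of every counter that breaches its threshold.
    $breaches = @()
    foreach ($name in $Thresholds.Keys) {
        $value = $Sample.$name
        $limit = $Thresholds[$name]
        if ($LowerIsWorse -contains $name) {
            if ($value -lt $limit) { $breaches += "$name=$value (below $limit)" }
        } elseif ($value -gt $limit) {
            $breaches += "$name=$value (above $limit)"
        }
    }
    return $breaches
}

$results = @()
for ($i = 1; $i -le $Samples; $i++) {
    $sample = Get-ServerSample -ComputerName $Server
    $results += $sample
    $breaches = @(Test-Sample $sample)
    if ($breaches.Count -gt 0) {
        Write-Warning ("{0} {1}: {2}" -f $sample.Timestamp, $Server, ($breaches -join '; '))
    }
    if ($i -lt $Samples) { Start-Sleep -Seconds $IntervalSeconds }
}

# One CSV per run; successive runs build the historical record that trend
# analysis and capacity planning draw on.
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$csv = Join-Path $OutDir ("{0}-{1}.csv" -f $Server, (Get-Date -Format 'yyyyMMdd-HHmmss'))
$results | Export-Csv -Path $csv -NoTypeInformation
```

The property names in the sample object deliberately match the Performance Monitor counter paths, so the same set of counters can be defined as a data collector set in Reliability and Performance Monitor and the two sources compared. A single sample above a threshold is not a problem by itself; it is the sustained pattern across samples, and across days of CSV files, that tells you whether the server is approaching a bottleneck.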

Reliability Monitor

Key Points
Reliability Monitor can be accessed through the Reliability and Performance Monitor console.
Reliability Monitor provides a system stability overview and trend analysis with
detailed information about individual events that may affect the overall stability of
the system.
Windows Server 2008 uses the Reliability Analysis Component (RAC) to calculate
a reliability index that provides an indication of your overall system stability over
time. RAC also keeps track of any important changes to the system that are likely
to affect stability, such as Windows updates, application installations, and driver
installations. RAC begins collecting data at the time of system installation.
By using the Reliability Monitor, you can see the trends in your system reliability
index correlated with any potentially destabilizing events so that you can easily
trace a reliability change directly to a particular event.
Third-Party Monitoring Tools

Key Points
Third-party tools can help you monitor your server environment.
Hardware vendor tools are useful in detecting performance issues that occur
because of faulty hardware.
Many third-party tools integrate with Operations Manager to provide a centralized
monitoring console for your organization.
Windows Server 2008 provides a range of monitoring tools to meet the
requirements of your operating system. System administrators often require
additional tools to simplify the process of monitoring many computers and
providing a complete picture of their server health. Some programs also require
specific tools to monitor their performance.
Hardware vendors often provide tools to detect problems within hardware. You
should use these tools in conjunction with performance-monitoring tools to locate
and resolve hardware issues.
Operations Manager can monitor third-party products such as Dell OpenManage
and HP Systems Insight Manager. Operations Manager can also integrate with
other monitoring tools such as HP OpenView, IBM Tivoli, and CA Unicenter.
What Are Subscriptions?

Key Points
Event Viewer enables you to view events on a single remote computer. However,
troubleshooting an issue might require you to examine a set of events stored in
multiple logs on multiple computers. Event Viewer provides the ability to collect
copies of events from multiple remote computers, and store them locally. To
specify which events to collect, you create an event subscription. After a
subscription is active and events are being collected, you can view and manipulate
these forwarded events as you would any other locally stored events.
Using the event-collecting feature requires that you configure both the forwarding
and the collecting computers. The functionality depends on the Windows Remote
Management (WinRM) and the Windows Event Collector services (Wecsvc). Both
of these services must be running on computers participating in the forwarding
and collecting process.
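The steps above (enable WinRM on the forwarding computer, enable the Windows Event Collector service on the collecting computer, then create a subscription) look like this when scripted. The following PowerShell script is an added example, not part of the course; it sets up a collector-initiated subscription that copies failed logon events (Security event ID 4625) from a source server into the collector's ForwardedEvents log and then queries them locally with wevtutil. The host name FS01.contoso.com, the subscription name FailedLogons and the temporary file path are assumptions.

```powershell
# Added example (not from the course): collector-initiated event forwarding
# for failed logons, using only the in-box winrm, wecutil and wevtutil tools.
# Host names, subscription name and file path are assumptions.

# --- On each SOURCE (forwarding) computer, run once from an elevated prompt ---
# Enables the WinRM service, creates the HTTP listener and opens the firewall
# exception that the collector needs in order to reach the source:
#   winrm quickconfig -q
# The collector's computer account must also be able to read the source's
# Security log, for example by adding it to the local Event Log Readers group.

# --- On the COLLECTOR computer, run from an elevated prompt ---
# Configures and starts the Windows Event Collector service (Wecsvc).
wecutil qc /q

# Subscription definition: which log, which events, from which computers,
# and into which local log the forwarded copies go.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>FailedLogons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Failed logon attempts forwarded from file servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4625)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>FS01.contoso.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@

# Write the XML to a file and create the subscription from it.
$xmlPath = Join-Path $env:TEMP 'FailedLogons.xml'
$subscription | Out-File -FilePath $xmlPath -Encoding ASCII
wecutil cs $xmlPath

# Runtime status per source: shows whether the collector could connect and
# the last error if it could not (the usual first check when nothing arrives).
wecutil gr FailedLogons

# Once events arrive they are local: query ForwardedEvents like any other log,
# newest first, as readable text.
wevtutil qe ForwardedEvents /q:"*[System[(EventID=4625)]]" /c:50 /rd:true /f:text
```

The forwarded copies land in ForwardedEvents with the originating computer name preserved, so a single console on the collector is enough to spot a run of failed logons across all subscribed servers. Keep the query narrow: forwarding whole Security logs from many sources is the quickest way to overload both the network and the collector.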
Identifying Business Requirements

Key Points
Performance tuning is an ongoing exercise where you never achieve perfection.
You should ensure that your server operations run effectively and meet all of your
business SLAs.
You should always attempt to find the most cost-effective solution to a
performance bottleneck.
When you discover a performance issue, you can respond to the event in many
ways. Sometimes, you may want to record the data for future analysis or start a
performance-monitoring tool to collect additional data. Alternatively, you may
decide to do nothing.
By taking measured and appropriate actions to an event, you can ensure that you
continue to meet SLAs and provide appropriate service for your users.
When you must increase server performance, you have several options, including:
Offloading some of the processing onto other servers.
Reconfiguring parameters to improve performance.
Adding more hardware or increasing the speed of existing hardware.
Redesigning the architecture to realize performance improvements.
Recoding the software that is experiencing the bottleneck.

Each of these options provides a solution to increase server performance. However,
you should consider the most cost-effective option for your business.
By comparing the cost of performance degradation to the cost to implement the
performance increase, you can provide a rudimentary value to the business of
implementing a solution.
Lesson 4
Planning Software Updates

In this lesson, you will learn about the various options for software updates and
some of the best practices that you need to follow when performing software
updates.
Objectives
After completing this lesson, you will be able to:
Describe Microsoft Update.
Describe Automatic Updates.
Describe Windows Server Update Services (WSUS).
Determine the best way to deploy WSUS in your organization.
Use best practices with WSUS.
What Is Microsoft Update?

Key Points
Definition
Microsoft Update is a Web site that helps keep your systems up to date.
Use Microsoft Update to obtain updates for Windows operating systems and
applications, updated device drivers, and software. New content is added to the
site regularly, so you can always get the most recent updates to help protect your
server and the client computers on your network.
What Are Updates?
Updates can include security fixes, critical updates, and critical drivers.
These updates resolve known security and stability issues in Windows 2000,
Windows XP, and Windows Server 2003 operating systems. The Microsoft Update
site also has updates for applications such as Microsoft Office, Exchange Server,
and SQL Server.
Update Categories
The categories for the Windows operating system updates are:
Critical updates. Security fixes and other important updates to keep computers
current and networks secure.
Recommended downloads. Latest Windows and Microsoft Internet Explorer
service packs and other important updates.
Windows tools. Utilities and other tools that are provided to enhance
performance, facilitate upgrades, and ease the burden on systems
administrators.
Internet and multimedia updates. Latest Internet Explorer releases, upgrades
to Microsoft Windows Media Player, and more.
Additional Windows downloads. Updates for desktop settings and other
Windows features.
Multilanguage features. Menus and dialog boxes, language support, and Input
Method Editors for a variety of languages.
Deployment guides and other software-related documents are also available.

What Is Automatic Updates?

Key Points
Automatic Updates is a configurable option in Windows. It can download and
install operating system updates without any user intervention. The updates can be
downloaded from the Microsoft Update Web site or a WSUS server. Configuration
of Automatic Updates can be controlled centrally by the administrator.
Automatic Update Options
Automatic Updates gives you flexibility to decide how and when updates will be
installed. The options are:
Automatic. Updates are downloaded automatically and installed at a
scheduled time for all users. If the computer is turned off at the scheduled
update time, Windows installs the updates the next time you start your
computer. This is the recommended option.
Download updates for me, but let me choose when to install them. Updates
are downloaded automatically, but they are not installed until an administrator
chooses to install them.
Notify me but do not automatically download or install them. Updates are
not downloaded or installed automatically. The notifications are only shown to
administrators logged on to the local machine.
Turn off Automatic Updates. There will be no notifications when updates are
available for your computer. This option is not recommended.

Notification of Available Updates
After a download is complete, an icon appears in the notification area with a
message that the updates are ready to be installed. When you click the icon or
message, Automatic Updates guides you through the installation process. If you
choose not to install a specific update that has been downloaded, Windows deletes
its files from your computer. If you later change your mind, you can download it
by opening the System Properties dialog box, clicking the Automatic Updates tab,
and then clicking Offer Updates Again That I Have Previously Hidden.

Note: If required, the version of Automatic Updates is upgraded the first time a WSUS
server is contacted.
Digital Signatures
To ensure that the programs you download from Microsoft Update are from
Microsoft, all files are digitally signed. The purpose of digital signatures is to ensure
the authenticity and integrity of the signed files. Automatic Updates installs a file
only if it contains this digital signature.
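The same authenticity check can be applied by an administrator to update packages that were downloaded for a manual or scripted install. The script below is an added example (not from the course) that uses Get-AuthenticodeSignature to verify each package's signature and signer before it is installed; the staging folder path is an assumption chosen for the example.

```powershell
# Added example (not from the course): verify that staged update packages
# carry a valid Authenticode signature from Microsoft before installing them.
# The staging folder is an assumption for the example.

function Test-UpdateSignature {
    param([Parameter(Mandatory = $true)][string] $Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # Status is 'Valid' only when the hash matches the signature AND the
    # certificate chains to a trusted root. 'NotSigned', 'HashMismatch'
    # (file altered after signing) and 'NotTrusted' are all failures.
    $ok = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    New-Object PSObject -Property @{
        File    = Split-Path -Leaf $Path
        Status  = $sig.Status
        Signer  = $signer
        Trusted = $ok
    }
}

function Test-UpdateFolder {
    # Checks every package type Automatic Updates would install.
    param([string] $Folder)
    Get-ChildItem -Path $Folder -Include *.msu, *.exe, *.cab, *.msp -Recurse |
        ForEach-Object { Test-UpdateSignature -Path $_.FullName }
}

$results = Test-UpdateFolder -Folder 'D:\Updates\Staged'   # assumed location
$results | Format-Table File, Status, Signer, Trusted -AutoSize

# Packages that fail are reported and must not be installed.
$results | Where-Object { -not $_.Trusted } | ForEach-Object {
    Write-Warning "Do not install $($_.File): signature status $($_.Status), signer $($_.Signer)"
}
```

The signer check on the certificate subject matters as much as the status: a file can carry a perfectly valid signature from some other publisher, and only the combination of a valid chain and the expected signer gives the guarantee the paragraph describes.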
What Is WSUS?

Key Points
WSUS is an optional component for Windows 2000 Server or Windows Server
2003 that can be downloaded from the Microsoft Web site. It acts as a central
point on your network for distributing updates to workstations and servers.
Supported Clients
WSUS Service Pack 1 (SP1) supports the following clients:
Windows Vista or later
Windows Server 2008 or later
Windows Server 2003, any edition
Windows XP Professional SP2 or later
Windows 2000 Professional SP4, Windows 2000 Server SP4, or
Windows 2000 Advanced Server with SP4

Supported Software
WSUS 3.0 SP1 will update all of the products listed in the following table.
Applications updated by WSUS:
Microsoft Office XP and newer
Microsoft ISA Server 2004 and newer
Windows Small Business Server 2003
Microsoft Data Protection Manager
Microsoft Exchange Server 2000 and newer
Microsoft SQL Server 2000 and newer
Windows Defender
Microsoft Forefront
Windows Live

Server Component
You install the server component of WSUS on a server running Windows Server
2003 or Windows Server 2008 inside your corporate firewall. The firewall must be
configured to allow your internal server to synchronize content with the Microsoft
Update Web site whenever critical updates for Windows are available. The
synchronization can be automatic, or the administrator can perform it manually.
Synchronized updates must be approved before they can be installed by client
computers. This allows testing of updates with corporate applications before
distribution. This is a key benefit of WSUS over Microsoft Update.
Client Component
Automatic Updates is the client software that downloads and installs updates from
a WSUS server. The client must be configured with the location of a WSUS server.
The location can be configured through registry edits or through Group Policy.
Using Group Policy is strongly recommended.
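The Automatic Updates options listed earlier and the WSUS client location described here both map to values under the WindowsUpdate policy registry keys, which are exactly the values Group Policy writes. The script below is an added example (not from the course) that sets the recommended option (automatic download with a scheduled install), points the client at an intranet WSUS server, and reports the resulting policy so it can be audited. The WSUS URL and the schedule are assumptions chosen for the example.

```powershell
# Added example (not from the course): configure Automatic Updates and the
# WSUS client location through the policy registry keys that Group Policy
# writes. Run as an administrator on the client. The WSUS URL and the
# schedule are assumptions for the example.

$WsusUrl = 'http://wsus.adatum.com:8530'   # assumed WSUS server

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = Join-Path $WuPolicy 'AU'

# AUOptions values understood by the Automatic Updates client.
$AuOptionMeanings = @{
    2 = 'Notify before download and before install'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically and install on the schedule (recommended)'
}

function Set-AutomaticUpdatesPolicy {
    param(
        [ValidateSet(2, 3, 4)] [int] $AuOption = 4,
        [ValidateRange(0, 7)]  [int] $ScheduledInstallDay  = 0,  # 0 = every day, 1 = Sunday .. 7 = Saturday
        [ValidateRange(0, 23)] [int] $ScheduledInstallTime = 3,  # hour of day, 24-hour clock
        [string] $WsusServer
    )
    foreach ($key in $WuPolicy, $AuPolicy) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # NoAutoUpdate=1 is the "Turn off Automatic Updates" option; clear it.
    Set-ItemProperty -Path $AuPolicy -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name AUOptions    -Value $AuOption -Type DWord
    if ($AuOption -eq 4) {
        Set-ItemProperty -Path $AuPolicy -Name ScheduledInstallDay  -Value $ScheduledInstallDay  -Type DWord
        Set-ItemProperty -Path $AuPolicy -Name ScheduledInstallTime -Value $ScheduledInstallTime -Type DWord
    }
    if ($WsusServer) {
        # Use the intranet WSUS server instead of Microsoft Update.
        Set-ItemProperty -Path $WuPolicy -Name WUServer       -Value $WsusServer -Type String
        Set-ItemProperty -Path $WuPolicy -Name WUStatusServer -Value $WsusServer -Type String
        Set-ItemProperty -Path $AuPolicy -Name UseWUServer    -Value 1 -Type DWord
    } else {
        Set-ItemProperty -Path $AuPolicy -Name UseWUServer -Value 0 -Type DWord
    }
}

function Get-AutomaticUpdatesPolicy {
    # Reads the policy back so the effective setting can be checked.
    $au = Get-ItemProperty -Path $AuPolicy -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue
    if ($au.NoAutoUpdate -eq 1) { $mode = 'Automatic Updates turned off (not recommended)' }
    elseif ($au.AUOptions)     { $mode = $AuOptionMeanings[[int]$au.AUOptions] }
    else                       { $mode = 'Not configured by policy' }
    New-Object PSObject -Property @{
        Mode        = $mode
        UsesWsus    = ($au.UseWUServer -eq 1)
        WsusServer  = $wu.WUServer
        InstallDay  = $au.ScheduledInstallDay
        InstallHour = $au.ScheduledInstallTime
    }
}

Set-AutomaticUpdatesPolicy -AuOption 4 -ScheduledInstallDay 0 -ScheduledInstallTime 3 -WsusServer $WsusUrl
Get-AutomaticUpdatesPolicy | Format-List
wuauclt /detectnow   # ask the client to contact the configured server now
```

Writing these values directly is useful on a standalone server or when verifying what a GPO produced; in a domain, Group Policy reapplies its own values at each refresh, which is why the course recommends configuring the location there rather than by hand.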

Note: WSUS is not intended to serve as a replacement for enterprise software
distribution solutions, such as Microsoft Systems Management Server or Microsoft Group
Policy-based software distribution. Many customers use solutions such as Microsoft
Systems Management Server for complete software management, including responding
to security and virus issues, and these customers should continue using these solutions.
Advanced solutions such as Microsoft Systems Management Server provide the ability to
deploy all software throughout an enterprise, in addition to providing administrative
controls that are critical for medium-size and large organizations.

WSUS Deployment Scenarios

Key Points
To allow for varied situations, you can deploy a WSUS server in several scenarios.
You can choose the deployment scenario that is most appropriate for your
organization. The decision factors may include the number of locations in your
network or the speed of your Internet connection.
Single-Site Network
In a single-site network, a single WSUS server can be sufficient to support as many
as 5,000 clients. This is suitable for most single-site networks.
Independent WSUS Servers
In a multiple-site network, you can configure multiple independent WSUS servers
at each location. This requires that each site use its own Internet connection to
download the updates. Having each site download its own updates reduces the
load on WAN links as compared to using a centralized server to download
updates.
Independent WSUS servers are also managed independently. This scenario is best
suited to organizations with distributed IT support.
Replica WSUS Servers
Another option for multiple-site networks is to use replica WSUS servers. Replica
WSUS servers download their updates and configuration information from a
central WSUS server. This allows the approval of updates to be centralized for
multiple servers.
In this scenario, only one server is exposed to the Internet and it is the only server
that downloads updates from Microsoft Update. This server is set up as the
upstream server, the source from which the replica server synchronizes.
Disconnected WSUS Servers
For organizations that do not allow servers to communicate directly with the
Internet, you can deploy disconnected WSUS servers. In this scenario, you can set
up a server running WSUS that is connected to the Internet but isolated from the
rest of the network. After downloading, testing, and approving the updates on the
isolated server, an administrator would then export the update metadata and
content to external storage, and then, from the external storage, import the update
metadata and content to servers running WSUS within the intranet.
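The replica and disconnected scenarios can both be scripted. The following is an added example (not from the course) that uses the WSUS 3.0 administration API to turn a branch server into a replica of a central upstream server, and wsusutil.exe plus a file copy to move metadata and content between an isolated Internet-facing WSUS server and an intranet one. Server names, the port, the content and transfer paths, and the `$Role` selector are assumptions chosen for the example.

```powershell
# Added example (not from the course): the replica and disconnected WSUS
# scenarios, scripted with the WSUS 3.0 administration API and wsusutil.exe.
# Server names, ports and paths are assumptions for the example.
# Run on the WSUS server as an administrator.

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$WsusUtil = "$env:ProgramFiles\Update Services\Tools\wsusutil.exe"

function Set-WsusReplicaOfUpstream {
    # Replica scenario: this server takes updates AND approvals from the
    # central (upstream) server, the only one that talks to Microsoft Update.
    param(
        [Parameter(Mandatory = $true)][string] $UpstreamServer,
        [int]  $Port   = 8530,
        [bool] $UseSsl = $false
    )
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $wsus.GetConfiguration()
    $config.SyncFromMicrosoftUpdate      = $false
    $config.UpstreamWsusServerName       = $UpstreamServer
    $config.UpstreamWsusServerPortNumber = $Port
    $config.UpstreamWsusServerUseSsl     = $UseSsl
    $config.IsReplicaServer              = $true
    $config.Save()
    $wsus.GetSubscription().StartSynchronization()
}

function Export-WsusForTransfer {
    # Disconnected scenario, on the isolated Internet-facing server: the
    # approved metadata goes into a .cab via wsusutil, content is copied as files.
    param([string] $ContentDir, [string] $TransferDir)
    New-Item -ItemType Directory -Path $TransferDir -Force | Out-Null
    & $WsusUtil export (Join-Path $TransferDir 'metadata.cab') (Join-Path $TransferDir 'export.log')
    robocopy $ContentDir (Join-Path $TransferDir 'WsusContent') /MIR /R:2 /W:5
}

function Import-WsusFromTransfer {
    # On the intranet server: restore content first so the imported metadata
    # never refers to files that are not yet present.
    param([string] $ContentDir, [string] $TransferDir)
    robocopy (Join-Path $TransferDir 'WsusContent') $ContentDir /MIR /R:2 /W:5
    & $WsusUtil import (Join-Path $TransferDir 'metadata.cab') (Join-Path $TransferDir 'import.log')
}

$Role = 'Replica'   # assumed per-server role: Replica, Export or Import
switch ($Role) {
    'Replica' { Set-WsusReplicaOfUpstream -UpstreamServer 'wsus-central.adatum.com' }
    'Export'  { Export-WsusForTransfer  -ContentDir 'D:\WSUS\WsusContent' -TransferDir 'E:\WsusTransfer' }
    'Import'  { Import-WsusFromTransfer -ContentDir 'D:\WSUS\WsusContent' -TransferDir 'E:\WsusTransfer' }
}
```

The order in the disconnected path is deliberate: content is restored before metadata is imported, so clients that see a newly approved update never request a file the intranet server does not yet hold. The export and import logs written by wsusutil are the first place to look when an import reports missing files.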
Best Practice for Using WSUS

Key Points
Due to the complex interdependencies between operating system components and
corporate applications, it is strongly recommended that all updates be tested
before deploying them to WSUS clients. This is particularly important for custom-
designed or in-house applications that may not be as well written as commercially
available applications.
Guidelines
Use the following guidelines to install updates on the client computers on your
network.
Use computer groups for testing.
Computer groups let you control which computers are approved to install updates.
Using computer groups to install updates on test computers avoids the hassle of
downloading updates for testing through a separate process.
Configure an initial test group.
Create a test group of nonproduction computers for testing updates. These
computers should match your production environment as closely as possible. This
initial testing can be performed by the IT group or designated business users. In
this testing, you can identify obvious problems with installation or functionality. At
this stage, a problem update will have no impact on production.
Configure a business testing group.
Recruit power users from different business groups to act as test groups before
distributing updates to all users. Power users will be able to provide detailed
functional testing of applications. This will catch application-specific errors. At this
stage, a problem update will affect a limited group of users in production.
Deploy updates one department at a time.
Deploying updates to one department at a time will reduce the scope of a problem
if an update causes a problem. Testing can also be done on a per-department basis
because they typically have unique applications.
Remove problem updates.
If an update causes problems, mark it for removal. This will uninstall the update.
Be aware that some updates cannot be uninstalled.
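The guidelines above (test groups, a business pilot, one department at a time, removal of problem updates) translate directly into WSUS computer groups and per-group approvals. The script below is an added example (not from the course) that creates the rollout rings with the WSUS 3.0 administration API, approves newly synchronized updates for the IT test ring only, and marks a problem update for removal from every ring. Group names and the problem-update title are assumptions chosen for the example, and the `IsUninstallable` property on `IUpdate` is assumed to be available in this WSUS version.

```powershell
# Added example (not from the course): phased update rollout with WSUS
# computer groups and per-group approvals. Group names and the problem
# update title are assumptions; IUpdate.IsUninstallable is assumed present.
# Run on the WSUS server as a WSUS administrator.

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# The rollout rings, in the order updates move through them.
$Rings = 'IT Test', 'Business Pilot', 'Finance', 'Sales'
$ProblemUpdateTitle = 'PLACEHOLDER: title of the update to remove'

function Get-OrCreateTargetGroup {
    param([string] $Name)
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $Name }
    if (-not $group) { $group = $wsus.CreateComputerTargetGroup($Name) }
    $group
}

function Approve-UpdateForRing {
    # Approves for ONE ring only, so a bad update cannot reach production
    # before the ring that tests it has signed off.
    param(
        [Microsoft.UpdateServices.Administration.IUpdate] $Update,
        [string] $RingName
    )
    $group = Get-OrCreateTargetGroup -Name $RingName
    $Update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group) | Out-Null
    "Approved '$($Update.Title)' for '$RingName'"
}

function Remove-ProblemUpdate {
    # Marks an update for removal in every ring. Some updates cannot be
    # uninstalled; those are declined so they are not offered again.
    param([Microsoft.UpdateServices.Administration.IUpdate] $Update)
    if (-not $Update.IsUninstallable) {
        Write-Warning "'$($Update.Title)' cannot be uninstalled; declining it instead"
        $Update.Decline()
        return
    }
    foreach ($ring in $Rings) {
        $group = Get-OrCreateTargetGroup -Name $ring
        $Update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Uninstall, $group) | Out-Null
    }
    "Marked '$($Update.Title)' for removal from all rings"
}

# Make sure every ring exists before anything is approved.
$Rings | ForEach-Object { Get-OrCreateTargetGroup -Name $_ | Out-Null }

# Stage 1: unapproved, undeclined updates go to the IT test ring only.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$wsus.GetUpdates($scope) | Where-Object { -not $_.IsDeclined } |
    ForEach-Object { Approve-UpdateForRing -Update $_ -RingName 'IT Test' }

# Later stages repeat Approve-UpdateForRing with the next ring name once
# that ring's testing has passed. A problem found in the pilot is pulled back:
$wsus.GetUpdates() | Where-Object { $_.Title -eq $ProblemUpdateTitle } |
    ForEach-Object { Remove-ProblemUpdate -Update $_ }
```

Because computers inherit approvals from their group, the only thing that changes between stages is the group name passed to Approve-UpdateForRing; the update itself is downloaded once and never has to be obtained through a separate process for testing, which is the benefit the first guideline describes.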
Lab: Planning and Implementing Monitoring
and Maintenance

Scenario
Some of the users at A. Datum Corporation are reporting issues with certain
servers in the New York offices that have been identified as running slowly. The IT
manager, Allison Brown, has forwarded to you some performance log files from the
problematic server. You must evaluate data that is collected from performance logs
and identify where potential problems may exist.
Exercise 1: Evaluating Performance Metrics
Scenario
In this exercise, you will review data collector sets to locate problems and provide
troubleshooting advice to technical specialists.
The main tasks for this exercise are as follows:
1. Start the virtual machines, and log on.
2. Identify performance problems with Windows Server 2008 - Part A.
3. Identify performance problems with Windows Server 2008 - Part B.
4. Identify performance problems with Windows Server 2008 - Part C.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Identify performance problems with Windows Server 2008 -
Part A
You know that the server 6430A-NYC-SVR1 experiences low network traffic and
has limited disk activity, but the help desk is receiving many reports that the server
is slow.
Switch to the SEA-SVR1 computer and review the data collector log at
D:\Labfiles\Mod09\Ex1A\EX1A.blg on the server 6430A-NYC-SVR1.

Question: What appears to be the problem on this server?
Question: Write a brief report that outlines your findings and suggests possible
solutions to the problem.
Task 3: Identify performance problems with Windows Server 2008 -
Part B
You know that the server 6430A-NYC-SVR1 is not running processor-intensive
applications, but the help desk is receiving many reports that the server is slow.
On the SEA-SVR1 computer, review the data collector log at
D:\Labfiles\Mod09\Ex1B\EX1B.blg on the server 6430A-NYC-SVR1.

Question: What appears to be the problem on this server?
Question: Write a brief report that outlines your findings and suggests possible
solutions to the problem.
Task 4: Identify performance problems with Windows Server 2008 -
Part C
You know that the server 6430A-NYC-SVR1 experiences low network traffic and is
not running processor-intensive applications, but the help desk is receiving many
reports that the server is slow.
On the SEA-SVR1 computer, review the data collector log at
D:\Labfiles\Mod09\Ex1C\EX1C.blg on the server 6430A-NYC-SVR1.

Question: What appears to be the problem on this server?
Question: Write a brief report that outlines your findings and suggests possible
solutions to the problem.

Results: After this exercise, you should have identified performance issues with servers
and suggested steps to resolve the problems.

Exercise 2: Monitoring Performance Metrics
Scenario
In this exercise, you will plan the performance metrics that are required to measure
the scalability of a server.
The main task for this exercise is to create a data collector set to measure server
requirements.
Task 1: Create a data collector set to measure server requirements
On the SEA-SVR1 computer, create a data collector set to measure the
performance requirements of a file server. This forms the base performance
metrics for measuring the capacity of this server.

Question: Which specific counters do you anticipate will require careful analysis?
Results: After this exercise, you should have identified steps to create a data collector
set for measuring file server performance.

Exercise 3: Configuring Data Collector Sets
Scenario
In this exercise, you will configure data collector sets to generate an alert.
The main task for this exercise is to generate an alert by using a data collector set.
Task 1: Generate an alert by using a data collector set
On the SEA-SVR1 computer, create a user-defined data collector set and
configure an alert to trigger when the CPU reaches a critical state.

Results: After this exercise, you should have created a performance alert by using
Windows System Resource Manager (WSRM).
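Both lab tasks, the file server baseline collector of Exercise 2 and the CPU alert of Exercise 3, can also be created from the command line with logman.exe instead of the Performance Monitor console. The script below is an added example (not from the course or the lab answer key); the counter selection, sample intervals, threshold and output path are assumptions chosen for the example, not the lab's expected answer.

```powershell
# Added example (not from the course): a file-server baseline data collector
# set and a CPU alert created with logman.exe. Counters, intervals, the
# threshold and the output path are assumptions for the example.
# Run as an administrator on the server being measured.

$LogDir = 'D:\PerfLogs'                       # assumed output location
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Exercise 2: a performance counter collector sampled every 15 seconds.
# The counters cover the resources a file server is usually bound by:
# processor, memory, disk latency and queueing, network throughput and
# the Server service's own work queue.
$Counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\Memory\Pages/sec',
    '\LogicalDisk(*)\Avg. Disk sec/Read',
    '\LogicalDisk(*)\Avg. Disk sec/Write',
    '\LogicalDisk(*)\Current Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec',
    '\Server\Files Open',
    '\Server\Work Item Shortages'
)
# Binary circular log capped at 500 MB so a long baseline cannot fill the disk.
logman create counter FileServerBaseline `
    -c $Counters -si 00:00:15 -f bincirc -max 500 `
    -o (Join-Path $LogDir 'FileServerBaseline.blg')

# Exercise 3: an alert collector that fires when total CPU exceeds 90 %
# at a 10-second sample. -el records each alert as an event in the
# Diagnosis-PLA operational log, where Task Scheduler or a script can act on it.
logman create alert CpuCritical `
    -th '\Processor(_Total)\% Processor Time>90' -si 00:00:10 -el

logman start FileServerBaseline
logman start CpuCritical

# Confirm both collector sets are running and show their settings.
logman query FileServerBaseline
logman query CpuCritical
```

The resulting .blg file opens in Performance Monitor exactly like the lab's supplied logs, so the same analysis applies to a baseline you collected yourself. The stop commands are `logman stop FileServerBaseline` and `logman stop CpuCritical`.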

Exercise 4: Evaluating Trends
Scenario
In this exercise, you will compare your answers to the previous exercises with the
rest of the class, share your answers with other students, and learn alternative
methods to identify performance issues.
The main task for this exercise is to discuss your solutions with the class.
To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module Review and Takeaways

Review Questions
1. What are the benefits of monitoring server performance?

2. What are some of the tasks that you should undertake when you create a
performance baseline for a server?

3. What are the advantages of using a range of monitoring tools?

4. What are the advantages of measuring specific performance counters?

5. What are the advantages of using alerts to identify performance issues?

Module 10
Planning High Availability and Disaster Recovery
Contents:
Lesson 1: Choosing a High-Availability Solution 10-3
Lesson 2: Planning a Backup and Restore Strategy 10-23
Lab: Planning High Availability and Disaster Recovery 10-34
Module Overview

In most organizations these days, there is an increased reliance on the IT
infrastructure. Therefore, it is important that you understand how to plan for the
various high-availability and data recovery solutions provided by Windows Server
2008.
Objectives
After completing this module, you will be able to:
Select a high-availability solution.
Select an appropriate backup and restore strategy.

Lesson 1
Choosing a High-Availability Solution

You can use disk fault-tolerance, Windows Server 2008 Network Load Balancing,
and failover clustering to facilitate greater data availability and workload scalability.
Disk fault-tolerance ensures that your server continues to operate despite the
failure of one, or perhaps more than one, of the attached disks.
Network Load Balancing (NLB) is also used to support scalability and availability,
and is designed to work with applications in which maintaining state between
client requests is not critical.
Failover clustering can support both scalability and availability, and is designed to
work with applications that maintain state between client requests.
Objectives
After completing this lesson, you will be able to:
Identify the types of disasters from which you can recover your IT
infrastructure.
Describe RAID.
Describe Network Load Balancing.
Describe failover clustering.
List the hardware requirements of implementing a failover cluster.
Determine when to use failover clustering.
Select an appropriate high-availability solution.

Discussion: What Potential Disasters Can You Protect
Against?

Key Points
This is an open discussion. Think about the sorts of problems that can occur that
will result in either service interruption or data loss; discuss these with the class.
What Is RAID?

Key Points
Hard disks are one of the few components with moving parts in your server
computer. The constant movement inevitably means that the parts wear out, and
the hard disk fails. In order to ensure the continued operation of your server
following a disk failure, you must implement fault tolerance within your storage
sub-system.
Using Redundant Array of Independent Drives (RAID) enables you to provide disk
fault tolerance.
Choosing the RAID Level
Each RAID level involves a trade-off between the following factors:
Cost
Performance
Availability
Reliability
You can determine the best RAID level for your servers by evaluating the read and
write loads of the various data types and then deciding how much you are willing
to spend to achieve the performance and availability/reliability that your
organization requires. The following table describes common RAID levels and their
relative costs, performance, availability, and reliability.
Configuration: RAID 0 (striping)
Performance: Balanced load. Potential for better response times, throughput, and concurrency. Difficult stripe unit size choice.
Reliability: Data loss after one failure. Single loss affects entire array.
Availability: Single loss prevents access to entire array.
Cost and capacity: Minimal cost. Two-disk minimum.

Configuration: RAID 1 (mirroring)
Performance: Two data sources for every read request (up to 100% performance boost on reads). However, writes must update all mirrors.
Reliability: Single loss and often multiple losses (in large configurations) are survivable.
Availability: Single loss and often multiple losses (in large configurations) do not prevent access.
Cost and capacity: Twice the cost of RAID 0. Two-disk minimum.

Configuration: RAID 0+1 (striped mirrors)
Performance: Two data sources for every read request (up to 100% read performance boost). Balanced load. Potential for better response times, throughput, and concurrency. However, writes must update mirrors and you are faced with a difficult stripe unit size choice.
Reliability: Single loss and often multiple losses (in large configurations) are survivable.
Availability: Single loss and often multiple losses (in large configurations) do not prevent access.
Cost and capacity: Twice the cost of RAID 0. Four-disk minimum.

Configuration: RAID 5 (rotated parity)
Performance: Balanced load. Potential for better read response times, throughput, and concurrency. However, up to 75% write performance hit. Read performance degrades in failure mode.
Reliability: Single loss survivable; however, in-progress write requests might still corrupt. Multiple losses affect entire array. After a single loss, array is vulnerable until reconstructed.
Availability: Single loss does not prevent access. However, multiple losses prevent access to entire array. To speed reconstruction, application access might be slowed or stopped.
Cost and capacity: One additional disk required. Three-disk minimum.

Configuration: RAID 6 (two separate erasure codes)
Performance: Balanced load. Potential for better read response times, throughput, and concurrency. However, up to 83% write performance hit. Read performance degrades in failure mode. All sectors must be read for reconstruction: major slowdown. Danger of data in invalid state after power loss and recovery.
Reliability: Single loss survivable; however, in-progress write requests might still corrupt. Note that more than two losses affect entire array. After two losses, array is vulnerable until reconstructed.
Availability: Single loss does not prevent access. More than two losses prevent access to entire array. To speed reconstruction, application access might be slowed or stopped.
Cost and capacity: Two additional disks required. Five-disk minimum.

Configuration: RAID 1+0 (mirrored sets in a striped set)
Performance: Mirrored sets in a striped set provide an increase in performance with an increase in complexity. RAID 1+0 creates a second striped set to mirrored drives. Performance is better because all remaining disks are used.
Reliability: The array can have multiple drive losses as long as no mirror loses all of its drives.
Cost and capacity: Minimum of 4 disks. Must use an even number of disks.

The following are sample uses for various RAID levels:
RAID 0: Temporary or reconstructible data, workloads that tend to develop
hot spots in the data, and workloads with high degrees of unrelated
concurrency.
RAID 1: Database logs, critical data, and concurrent sequential streams.
RAID 0+1: A general-purpose combination of performance and reliability for
critical data, workloads with hot spots, and high-concurrency workloads.
RAID 5: Web pages, semi-critical data, workloads without small writes,
scenarios where capital and operating costs are an overriding factor, and read-
dominated workloads.
RAID 6: Data mining, critical data (assuming quick replacement or hot spares),
workloads without small writes, scenarios where cost is a major factor, and
read-dominated workloads.
RAID 1+0: The primary use for a stripe of mirrors is high-transaction
databases. Because there is no parity to calculate, writes are faster. The
trade-off is risk: if a drive fails, the remaining drive in that mirror is a single
point of failure until the failed drive is replaced. To reduce this risk, vendors
support a hot spare drive, which automatically replaces and rebuilds a failed
drive in the array.

Additional Considerations
If you use more than two disks, RAID 0+1 is usually a better solution than
RAID 1.
When determining the number of physical disks that you should include in
RAID 0, RAID 5, and RAID 0+1 virtual disks, consider the following
information:
Bandwidth (and often response time) improves as you add disks.
Reliability, in terms of mean time to failure for the array, decreases as you
add disks.
Usable storage capacity increases as you add disks. For striped arrays, the
trade-off is in data isolation (small arrays) and better load balancing (large
arrays).
For RAID 1 arrays, the trade-off is between better cost/capacity (mirrors, that
is, a depth of two) and the ability to withstand multiple disk failures (shadows,
that is, depths of three or even four). Read and write performance issues can
also play a role in RAID 1 array size.
For RAID 5 arrays, the trade-off is in better data isolation and mean time
between failures (MTBF) for small arrays and better cost/capacity for large
arrays.
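As an added illustration (not part of the course text), the following Python planner turns the table above and the disk-count considerations into a calculation: for a RAID level and a number of equal-size disks it enforces the minimum-disk figures listed in the table (including the even-disk rule for the mirrored-plus-striped levels), and reports usable capacity, the parity or mirror overhead, and the number of disk failures the array is guaranteed to survive in the worst case. For RAID 0+1 and RAID 1+0 that guaranteed figure is one, even though the table notes that multiple losses are often survivable when they do not hit the same mirror. The capacity formulas are the standard ones for each level; the level names and the RaidPlan type are this example's own.

```python
"""Added example: RAID sizing from level, disk count and disk size."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RaidPlan:
    level: str
    disks: int
    usable_capacity_gb: float
    min_failures_survived: int   # worst-case (guaranteed) tolerated disk losses
    overhead_gb: float           # capacity spent on parity or mirror copies


# Minimum disk counts as given in the course table.
_MIN_DISKS = {"0": 2, "1": 2, "0+1": 4, "5": 3, "6": 5, "1+0": 4}


def plan_raid(level: str, disks: int, disk_size_gb: float) -> RaidPlan:
    """Validate the disk count for the level and compute capacity/tolerance."""
    if level not in _MIN_DISKS:
        raise ValueError(f"unknown RAID level {level!r}")
    if disks < _MIN_DISKS[level]:
        raise ValueError(f"RAID {level} needs at least {_MIN_DISKS[level]} disks, got {disks}")
    if level in ("0+1", "1+0") and disks % 2:
        raise ValueError(f"RAID {level} needs an even number of disks, got {disks}")

    raw = disks * disk_size_gb
    if level == "0":
        # Pure striping: all capacity usable, any single loss destroys the array.
        usable, survives = raw, 0
    elif level == "1":
        # Every disk holds a full copy: one disk of capacity, all but one may fail.
        usable, survives = disk_size_gb, disks - 1
    elif level in ("0+1", "1+0"):
        # Half the disks are mirror copies. A second loss on the partner of the
        # first failed disk takes the array down, so only one loss is guaranteed.
        usable, survives = raw / 2, 1
    elif level == "5":
        # One disk's worth of rotated parity.
        usable, survives = raw - disk_size_gb, 1
    else:  # "6"
        # Two disks' worth of independent erasure codes.
        usable, survives = raw - 2 * disk_size_gb, 2
    return RaidPlan(level, disks, usable, survives, raw - usable)


def compare_levels(disks: int, disk_size_gb: float) -> dict:
    """Usable capacity and guaranteed tolerance of every level that accepts this
    disk count, to support the cost versus availability decision."""
    result = {}
    for level in _MIN_DISKS:
        try:
            plan = plan_raid(level, disks, disk_size_gb)
        except ValueError:
            continue   # level not possible with this many disks
        result[level] = (plan.usable_capacity_gb, plan.min_failures_survived)
    return result


if __name__ == "__main__":
    for lvl, (cap, tol) in compare_levels(4, 500.0).items():
        print(f"RAID {lvl:<4} usable {cap:7.1f} GB, survives {tol} disk failure(s)")
```

Running compare_levels() for a four-disk shelf shows the table's trade-off directly: RAID 0 gives all the capacity and no tolerance, RAID 1 the least capacity and the most tolerance, and RAID 5 sits between the two, which is why the text pairs it with read-dominated, cost-sensitive workloads.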
What Is Network Load Balancing?

Key Points
Network Load Balancing (NLB) provides high availability and scalability for
TCP/IP-based services, including Web servers, File Transfer Protocol (FTP) servers,
other mission-critical servers, and COM+ applications. In an NLB configuration,
multiple servers run independently, and do not share any resources. Client
requests are distributed among the servers, and in the event of a server failure, NLB
detects the problem and distributes the load to another server. NLB allows you to
increase network service performance and availability.
Performance
NLB supports server performance scaling by distributing incoming network traffic
among one or more virtual IP addresses assigned to the NLB cluster. The hosts in
the cluster concurrently respond to different client requests, even multiple requests
from the same client. For example, a Web browser might obtain each of the
multiple images in a single Web page from different hosts within an NLB cluster.
This speeds up processing and shortens the response time to clients.
High Availability
NLB supports high availability by redirecting incoming network traffic to working
cluster hosts if a host fails or is offline. Existing connections to an offline host are
lost, but the Internet services remain available. In most cases, for example with
Web servers, client software automatically retries the failed connections, and the
clients experience a delay of only a few moments before receiving a response.
Many applications work with NLB. In general, NLB can load balance any
application or service that uses TCP/IP as its network protocol and is associated
with a specific TCP or User Datagram Protocol (UDP) port.
Some examples are listed in the following table.
Protocol                   Examples
HTTP and HTTPS             Microsoft Internet Information Services (IIS): Port 80
FTP                        Microsoft IIS: Port 20, port 21, and ports 1024-65535
SMTP                       Microsoft Exchange Server: Port 25
RDP                        Terminal Services: Port 3389
PPTP & IPSec               Virtual private network (VPN) servers: 1723 for PPTP
Windows Media over HTTP    Windows Media Server: TCP on port 80, 554, and 1755; UDP on port 1755 and 5005
CIFS                       Print Services
HTTP & HTTPS               Microsoft Internet Security and Acceleration Server (ISA)

Scalability
NLB allows administrators to scale network services to meet client demand. New
servers can be added to a load balancing cluster without rewriting applications or
reconfiguring clients. The Load Balancing cluster does not need to be taken offline
to add new capacity, and members of the Load Balancing cluster do not need to be
based on identical hardware.
What Is Failover Clustering?

Key Points
A failover cluster is a group of independent computers that work together to
increase the availability of applications and services. Physical cables and software
connect the clustered servers, known as nodes. If one of the cluster nodes fails,
another node begins to provide service (a process known as failover). Therefore,
users experience a minimum of service disruptions.
In the Windows Server 2008 Enterprise and Windows Server 2008 Datacenter
operating system editions, the improvements to failover clusters, formerly known
as server clusters, are aimed at simplifying clusters, making them more secure, and
enhancing cluster stability.

Note: The failover cluster feature is not available in the Windows Web Server 2008 or
Windows Server 2008 Standard editions.

New Failover Cluster Functionality
Failover clusters include the following new functionality:
New validation feature. With this feature, you can ensure that your system,
storage, and network configuration is suitable for a cluster. You can use the
new validation wizard in failover clusters to perform tests that include specific
simulations of cluster actions, and fall into the following categories:
System Configuration tests. These tests analyze whether the selected
servers meet specific requirements, such as the requirement that the
servers must run the same operating system version and software updates.
Network tests. These tests analyze whether the planned cluster networks
meet specific requirements, such as requirements for network
redundancy.
Storage tests. These tests analyze whether the storage meets specific
requirements, such as whether the storage correctly supports the
necessary small computer system interface (SCSI) commands and handles
simulated cluster actions correctly.
Support for globally unique identifier (GUID) partition table (GPT) disks in
cluster storage. GPT disks provide increased disk size and robustness.
Specifically, unlike master boot record (MBR) disks, GPT disks can have
partitions larger than two terabytes and have built-in redundancy in the way
partition information is stored. With failover clusters, you can use either type
of disk.

Additional Reading
For additional information about clustering, see Course 6423A: Implementing and
Managing Windows Server 2008 Clustering.

Failover Cluster Requirements

Key Points
Carefully review the hardware on which you plan to deploy a failover cluster
to ensure that it is compatible with Windows Server 2008. This is especially
necessary if you are currently using that hardware for a server cluster running
Windows Server 2003. Hardware that supports a server cluster running Windows
Server 2003 does not necessarily support a failover cluster running Windows
Server 2008.

Note: You cannot perform a rolling upgrade from a server cluster running Windows
Server 2003 to a failover cluster running Windows Server 2008. However, after you create
a failover cluster running Windows Server 2008, you can use a wizard to migrate certain
resource settings to it from a server cluster running Windows Server 2003.

The following hardware is required in a failover cluster:
Servers. Microsoft recommends that you use a set of matching computers that
contain the same or similar components.
Network adapters and cable (for network communication). The network
hardware, like other components in the failover cluster solution, must be
marked as Certified for Windows Server 2008. If you use iSCSI, your
network adapters must be dedicated to either network communication or
iSCSI, but not both.
In the network infrastructure that connects your cluster nodes, avoid having
single points of failure. There are multiple ways to accomplish this. You can
connect your cluster nodes by multiple, distinct networks. Alternatively, you
can connect your cluster nodes with one network that is constructed with
teamed network adapters, redundant switches, redundant routers, or similar
hardware that removes single points of failure.
Device controllers or appropriate adapters for the storage.
For Serial Attached SCSI or Fibre Channel: the mass-storage device controllers
that are dedicated to the cluster storage in all clustered servers should be
identical, and they should use the same firmware version.
For iSCSI: each clustered server must have one or more network adapters or
host bus adapters that are dedicated to the cluster storage. The network you
use for iSCSI cannot be used for network communication. In all clustered
servers, the network adapters you use to connect to the iSCSI storage target
should be identical, and we recommend that you use Gigabit Ethernet or higher.
You cannot use teamed network adapters for iSCSI, because iSCSI does not
support them.
Storage. You must use shared storage that is compatible with Windows Server
2008. In most cases, the storage should contain multiple, separate disks or
logical unit numbers (LUNs) that are configured at the hardware level. For
some clusters, one disk functions as the witness disk, while other disks
contain the files required for the clustered services or applications.
Storage requirements include the following:
To use the native disk support included in failover clustering, use basic
disks, not dynamic disks.
Microsoft recommends that you format the partitions with the NTFS file
system. (For the witness disk, the partition must be NTFS).
For the partition style of the disk, you can use either MBR or GPT.

Note: A witness disk is a disk in the cluster storage that is designated to hold a copy of
the cluster configuration database. A failover cluster has a witness disk only if this is
specified as part of the quorum configuration.

Important: Microsoft supports a failover cluster solution only if all the hardware
components are marked as Certified for Windows Server 2008. Additionally, the
complete configuration (servers, network, and storage) must pass all tests in the Validate
a Configuration Wizard, which is included in the Failover Cluster Management snap-in.
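The rules listed above lend themselves to a pre-check of a planned cluster before the Validate a Configuration Wizard is run against real hardware. The following Python script is an added example, not course material and not related to the wizard or to any Microsoft tool; its inventory dictionary layout (node, component, disk fields) is invented for this example, and the sample inventory is constructed with two deliberate problems so that the check has something to report.

```python
"""Added example: check a planned failover cluster against the listed rules.
The plan format is invented; the Validate a Configuration Wizard remains the
authoritative check on real hardware."""


def check_cluster_plan(plan: dict) -> list:
    """Return findings as strings; an empty list means no listed rule failed."""
    findings = []
    nodes = plan["nodes"]

    # System Configuration: same operating system version and updates on every node.
    if len({(n["os_version"], n["update_level"]) for n in nodes}) > 1:
        findings.append("nodes differ in operating system version or software updates")

    for n in nodes:
        name = n["name"]
        nics = [c for c in n["components"] if c["kind"] == "nic"]
        # Every component must be marked Certified for Windows Server 2008.
        for c in n["components"]:
            if not c.get("certified_ws2008"):
                findings.append(f"{name}: {c['id']} is not Certified for Windows Server 2008")
        # Cluster network must not have a single point of failure: more than one
        # distinct network, or a teamed adapter on a single network.
        net = [c for c in nics if "network" in c["roles"]]
        if len({c["network"] for c in net}) < 2 and not any(c.get("teamed") for c in net):
            findings.append(f"{name}: cluster network has a single point of failure")
        if plan["storage_type"] == "iscsi":
            iscsi = [c for c in nics if "iscsi" in c["roles"]]
            if not iscsi:
                findings.append(f"{name}: no adapter dedicated to iSCSI storage")
            for c in iscsi:
                if "network" in c["roles"]:
                    findings.append(f"{name}: {c['id']} carries both iSCSI and network traffic")
                if c.get("teamed"):
                    findings.append(f"{name}: {c['id']} is teamed; iSCSI does not support teaming")
                if c.get("speed_mbps", 0) < 1000:
                    findings.append(f"{name}: {c['id']} is slower than Gigabit Ethernet")

    # Adapters (iSCSI) or controllers (SAS/Fibre Channel) dedicated to the cluster
    # storage should be identical across nodes, including firmware for controllers.
    if plan["storage_type"] == "iscsi":
        signatures = {tuple(sorted(c["model"] for c in n["components"]
                                   if c["kind"] == "nic" and "iscsi" in c["roles"]))
                      for n in nodes}
    else:
        signatures = {tuple(sorted((c["model"], c["firmware"]) for c in n["components"]
                                   if c["kind"] == "controller"))
                      for n in nodes}
    if len(signatures) > 1:
        findings.append("storage adapters/controllers are not identical across nodes")

    # Shared storage: basic disks, NTFS (mandatory for the witness disk), MBR or GPT.
    for d in plan["disks"]:
        if d["type"] != "basic":
            findings.append(f"disk {d['id']}: must be a basic disk, not dynamic")
        if d["filesystem"] != "NTFS":
            severity = "must" if d.get("witness") else "should"
            findings.append(f"disk {d['id']}: {severity} be formatted NTFS")
        if d["partition_style"] not in ("MBR", "GPT"):
            findings.append(f"disk {d['id']}: partition style must be MBR or GPT")
    return findings


def _nic(nic_id, roles, network):
    """Helper for the constructed sample: a certified Gigabit adapter."""
    return {"id": nic_id, "kind": "nic", "model": "EXAMPLE-1G", "roles": set(roles),
            "network": network, "certified_ws2008": True, "speed_mbps": 1000}


# Constructed inventory. Deliberate problems: NODE2 shares nic1 between iSCSI
# and cluster traffic, and the witness disk is not formatted NTFS.
SAMPLE_PLAN = {
    "storage_type": "iscsi",
    "nodes": [
        {"name": "NODE1", "os_version": "6.0.6002", "update_level": "SP2",
         "components": [_nic("nic0", ["network"], "lan-a"),
                        _nic("nic1", ["network"], "lan-b"),
                        _nic("nic2", ["iscsi"], "san")]},
        {"name": "NODE2", "os_version": "6.0.6002", "update_level": "SP2",
         "components": [_nic("nic0", ["network"], "lan-a"),
                        _nic("nic1", ["network", "iscsi"], "lan-b")]},
    ],
    "disks": [
        {"id": "witness", "type": "basic", "filesystem": "FAT32",
         "partition_style": "MBR", "witness": True},
        {"id": "data1", "type": "basic", "filesystem": "NTFS", "partition_style": "GPT"},
    ],
}

if __name__ == "__main__":
    for finding in check_cluster_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
```

The check distinguishes the one hard requirement on file systems (the witness disk must be NTFS) from the recommendation for other disks, and treats a shared iSCSI/network adapter as a violation rather than a warning, matching the wording of the requirements above.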
Additional Reading
For more information about iSCSI, see the iSCSI Cluster Support FAQ on the
Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=61375.
For information about hardware compatibility for Windows Server 2008, see the
Windows Server catalog at http://go.microsoft.com/fwlink/?LinkID=59821.
For information about the maximum number of servers that you can have in a
failover cluster, see the Edition Comparison by Technical Specification page of the
Windows Server 2008 Web site at http://go.microsoft.com/fwlink/?LinkId=92091.
Failover Clustering Scenarios

Key Points
There are several scenarios in which failover clustering can be used as a high-
availability solution.
File Server
Failover clustering can be used to provide high availability for shared folders. The
highly available shared folders are stored on a shared storage device such as SAS or
an iSCSI SAN.
The clustered nodes use a heartbeat signal to check whether each node is alive.
In a two-node cluster, if one node fails, the remaining node must pick up all of the
file shares.
To ensure the highest availability, the cluster should host no more than the
maximum number of shares that a single node can host. Two-node server clusters
are focused on high availability, not scale-out; therefore, you should not
expect to hold more shares on a two-node cluster than on a single node.
In a 4-node cluster, you have other options that may be more appropriate,
depending on the failure scenarios that you want to protect against. For example, if
you want to survive one node failing at any point in time, you can configure the
shares so that if one node fails, its work is spread across the remaining three nodes.
This means that each node could be loaded to 66 percent of the maximum number
of shares and still be within the maximum limit of a single node in the event of a
single failure. In this case, the cluster can host three times the number of shares
that a single server can host. If you want to survive two nodes failing, then a 4-node
cluster can hold twice as many shares (because if two nodes fail, the remaining two
nodes need to pick up the load from the two failed servers) and so on.
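The two-node and four-node cases above are instances of one rule, and the following Python functions, added here as an example rather than taken from the course, state it in general: with N nodes and a requirement to survive F simultaneous node failures, the shares of the failed nodes land on the N - F survivors, so the cluster may hold (N - F) times the single-node maximum and each node runs at (N - F)/N of its limit in normal operation. The function names and the per-node share limit are this example's own.

```python
"""Added example: share capacity of a clustered file server versus the number
of node failures it must survive."""


def max_cluster_shares(nodes: int, failures: int, max_per_node: int) -> int:
    """Largest share count the cluster can host while any `failures` node
    outages still leave every survivor at or below `max_per_node`."""
    if not 0 <= failures < nodes:
        raise ValueError("at least one node must survive the tolerated failures")
    return (nodes - failures) * max_per_node


def steady_state_load(nodes: int, failures: int) -> float:
    """Fraction of the single-node maximum each node carries before any failure
    when the cluster is filled to max_cluster_shares()."""
    if not 0 <= failures < nodes:
        raise ValueError("at least one node must survive the tolerated failures")
    return (nodes - failures) / nodes


def after_failure(nodes: int, failed: int, total_shares: int, max_per_node: int) -> dict:
    """What the survivors must absorb if `failed` nodes go down while the
    cluster hosts `total_shares`: per-node share count and whether it fits."""
    survivors = nodes - failed
    if survivors < 1:
        raise ValueError("no surviving node")
    per_node = total_shares / survivors
    return {"survivors": survivors, "shares_per_node": per_node,
            "within_limit": per_node <= max_per_node}


def plan_table(nodes: int, max_per_node: int) -> list:
    """One row per tolerated failure count: (failures, cluster capacity, steady load)."""
    return [(f, max_cluster_shares(nodes, f, max_per_node), steady_state_load(nodes, f))
            for f in range(nodes)]


if __name__ == "__main__":
    for failures, capacity, load in plan_table(4, 1000):
        print(f"survive {failures} failure(s): {capacity} shares, "
              f"nodes at {load:.0%} of single-node maximum")
```

For a four-node cluster this gives three times the single-node share count when one failure must be survived and twice when two must be, the two cases the text works through, and after_failure() shows why a cluster sized for one failure is overloaded if two nodes go down at once.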
Application Server
Failover clustering can be used to provide high availability for an application such
as a Web-based application. This scenario may use a combination of failover
clustering and NLB to make an application highly available.
An example of this scenario is a highly available Web application that uses a back-
end failover cluster to make the static Web content and the Microsoft SQL Server
database(s) used by the Web site highly available. Multiple front-end IIS servers
using NLB would be used to provide scalability and availability for the Web
service.
In this scenario, there is redundancy for both front-end and back-end
infrastructure.
Database Server
As in previous scenarios, the highly available resource (in this case one or more
SQL databases) is stored on a shared storage device.
The clustered nodes use a heartbeat signal to check whether each node is alive, at
both the operating system level and the SQL Server level. At the operating system
level, the nodes in the cluster are in constant communication, validating the health
of all the nodes.
During failover of the SQL Server instance, SQL Server resources start up on the
new node. Windows clustering starts the SQL Server service for that instance on
the new node and SQL Server goes through the recovery process to start the
databases. After the service is started and the master database is online, the SQL
Server resource is considered to be up. Now the user databases will go through the
normal recovery process, which means that any completed transactions in the
transaction log are rolled forward (the Redo phase), and any incomplete
transactions are rolled back (the Undo phase).
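To make the Redo and Undo phases concrete, the following Python script is an added toy model, not course material and not the real SQL Server transaction log format. It replays a constructed write-ahead log whose record layout (transaction, operation, key, before and after values) is invented for this example: changes of transactions that reached COMMIT are rolled forward, and changes of transactions that were still open at the failure are rolled back in reverse log order.

```python
"""Added example: Redo/Undo recovery over a constructed write-ahead log."""

# Constructed log. Each record: (transaction, operation, key, (before, after)).
LOG = [
    ("T1", "BEGIN", None, None),
    ("T1", "UPDATE", "balance:alice", ("100", "80")),
    ("T2", "BEGIN", None, None),
    ("T2", "UPDATE", "balance:bob", ("50", "70")),
    ("T1", "COMMIT", None, None),
    ("T3", "BEGIN", None, None),
    ("T3", "UPDATE", "balance:alice", ("80", "0")),
    ("T2", "UPDATE", "balance:carol", ("10", "30")),
    # The node failed here: T2 and T3 never reached COMMIT.
]

# Constructed on-disk state at failure time: T2's uncommitted write to bob had
# already been flushed, while T1's committed write to alice had not.
ON_DISK_AT_FAILURE = {"balance:alice": "100", "balance:bob": "70", "balance:carol": "10"}


def recover(on_disk: dict, log: list) -> tuple:
    """Bring the database to a consistent state from the log.

    Returns (recovered_state, committed_transactions, rolled_back_transactions).
    """
    started = {t for t, op, _, _ in log if op == "BEGIN"}
    committed = {t for t, op, _, _ in log if op == "COMMIT"}
    incomplete = started - committed
    state = dict(on_disk)

    # Redo phase: roll the log forward so every logged write is reflected,
    # which makes the data look exactly as it did at the moment of failure.
    for _, op, key, values in log:
        if op == "UPDATE":
            state[key] = values[1]

    # Undo phase: walk the log backwards and restore the before-image of each
    # write that belongs to a transaction that had not committed.
    for txn, op, key, values in reversed(log):
        if op == "UPDATE" and txn in incomplete:
            state[key] = values[0]
    return state, committed, incomplete


if __name__ == "__main__":
    state, done, undone = recover(ON_DISK_AT_FAILURE, LOG)
    print("rolled forward:", sorted(done), "rolled back:", sorted(undone))
    print("recovered state:", state)
```

The sample is arranged so that both phases matter: without Redo, T1's committed debit of alice would be lost; without Undo, T2's flushed but uncommitted credit to bob would survive the failover.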
Hyper-V Server
If you want to consolidate multiple servers (as virtual machines) on one physical
server but want to avoid causing that server to become a single point of failure, you
can create a failover cluster in which all servers (nodes) run Hyper-V and are
configured to run one or more virtual machines as needed.
Choosing Between NLB and Failover Clustering

Key Points
It is important to understand how failover clustering and NLB contrast. The
following table compares the functionality and recommended uses for failover
clustering and NLB.

Failover Clustering: Used for databases, e-mail services, line of business (LOB) applications, and custom applications
NLB: Used for Web servers, firewalls, Web services, or other stateless applications

Failover Clustering: Provides high availability, scalability for stateful applications, and server consolidation
NLB: Provides high availability and scalability for stateless applications

Failover Clustering: Can be deployed on a single network or geographically distributed
NLB: Generally deployed on a single network but can span multiple networks if properly configured

Failover Clustering: Supports clusters up to eight nodes
NLB: Supports clusters up to 32 nodes

Failover Clustering: Requires the use of shared or replicated storage on cluster-compatible hardware
NLB: Doesn't require any special hardware or software; works out of the box

Lesson 2
Planning a Backup and Restore Strategy

Windows Backup has been improved in Windows Server 2008, with new features
such as Complete PC Backup. Backup with Windows Server 2008 uses Volume
Shadow Copy Service (VSS) and block-level backup technology to efficiently back
up and recover the operating system, files and folders. After the first full backup is
created, Backup automatically runs incremental backups by saving only the data
that has changed since the last backup.
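The "only the data that has changed" behaviour can be shown with a small content-addressed block store. The Python below is an added example, not course material and not how Windows Server Backup or VSS is implemented: it splits a volume image into fixed-size blocks, hashes each block, writes a block only when its hash has not been stored before, and restores any recorded version by reassembling its block list. The block size and store layout are this example's own choices.

```python
"""Added example: block-level incremental backup and restore."""
import hashlib

BLOCK = 4096   # block size chosen for the example


def split_blocks(data: bytes) -> list:
    """Fixed-size blocks; the last one may be short, empty input is one empty block."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]


class BlockStore:
    def __init__(self):
        self.blocks = {}     # sha256 hex digest -> block bytes (deduplicated)
        self.versions = []   # one ordered list of block digests per backup run

    def backup(self, data: bytes) -> int:
        """Record a new version; return how many blocks were actually written.
        The first run writes everything; later runs write only changed blocks."""
        digests, written = [], 0
        for block in split_blocks(data):
            digest = hashlib.sha256(block).hexdigest()
            if digest not in self.blocks:
                self.blocks[digest] = block
                written += 1
            digests.append(digest)
        self.versions.append(digests)
        return written

    def restore(self, version: int = -1) -> bytes:
        """Reassemble a version (latest by default) from its block list."""
        return b"".join(self.blocks[d] for d in self.versions[version])

    def stored_bytes(self) -> int:
        """Space actually consumed, independent of the number of versions kept."""
        return sum(len(b) for b in self.blocks.values())


if __name__ == "__main__":
    store = BlockStore()
    image = b"A" * BLOCK + b"B" * BLOCK + b"C" * (BLOCK // 2)
    print("full backup wrote", store.backup(image), "blocks")
    image = image[:BLOCK] + b"X" * BLOCK + image[2 * BLOCK:]
    print("incremental wrote", store.backup(image), "block(s)")
    print("restore matches:", store.restore() == image)
```

Because blocks are addressed by their hash, a block that moves to another file, or two identical blocks in one image, cost nothing extra, and every earlier version stays restorable as long as its blocks remain in the store.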
Objectives
After completing this lesson, you will be able to:
Describe the fundamental considerations of a backup strategy.
Determine what data must be backed up.
Describe Shadow Copies.
Determine how to implement shadow copies.
Plan a suitable backup strategy.
Basics of Backup

Key Points
There are many ways in which you can unintentionally lose information on a
computer: a power surge, lightning, floods, hardware failures, and malicious
software. One of the most important considerations in an organization is backing
up your important information to prevent this potential information loss.
What to Back Up
Deciding what to back up is one consideration when developing a backup plan.
On a home computer, a user may want to back up bank records and other financial
information, digital photographs, software purchased and downloaded from the
Internet, music purchased and downloaded from the Internet, the e-mail address
book, a Microsoft Office Outlook calendar, and any other personal documents.
This decision is even more critical for businesses. Business information loss may
significantly disrupt business productivity. In most situations, a full data backup is
desirable. The key question for the organization is: what data is vital to the
company? This may include customer or client database information, payroll
records, product information, and so forth.
What Media to Use
After the decision is made about what data to back up, the next step is to determine
where to store the backup. Options for storage include external or internal hard
drives, CDs, DVDs, USB flash drives, and, in some third-party backup systems, tape
devices.
Where to Store the Backups
To provide greater security, an organization should store these backups in an off-
site location, so that an event such as a fire that destroys the data on site does not
also destroy the only copy of the backups.
Who Should Perform the Backup/Restore Operations
The final fundamental consideration is who should perform backup, and perhaps
more critically, restore operations. After you have implemented a backup strategy,
you could automate the backup process; indeed, most backup solutions are
automated. However, it might occasionally be necessary to perform ad-hoc backup
operations. You should consider carefully which users can perform this task.
When you need to restore data, it is important that the right data is restored, and to
the correct location. For this reason, restore operations, aside from user-initiated
single file operations, should only be conducted by skilled administrative
personnel.
You can use the Windows Server built-in groups to assign the necessary backup
and restore privileges, or you can create your own groups as needed.
Windows Server Backup
Windows Server Backup provides a snap-in administrative tool and the WBAdmin
command (wbadmin.exe). Both the snap-in and the command line allow you to
perform manual or automated backups to an internal or external disk volume, a
remote share, or optical media. Backing up to tape is no longer supported by
Windows Server Backup.
The system state backup is still present in Windows Server 2008; however, it
contains much more data than in previous versions of Windows because of
interdependencies between server roles, physical configuration, and Active
Directory.
Note that the legacy backup tool, NTBackup, is no longer supported. Furthermore,
Windows Server Backup is unable to restore backups made by NTBackup. You can
download a version of NTBackup that is compatible with Windows Server 2008
and supported for restoring legacy backup files onto Windows Server 2008 when
you need to recover data. However, NTBackup should not be used to perform any
new backup operations.
Discussion: What Needs to Be Backed Up?

Key Points
This is an open discussion. Consider your own organization, and determine where
critical data exists; discuss what data needs to be backed up.
What Are Shadow Copies?

Key Points
The Previous Versions feature in Windows Server 2008 enables your users to
access previous versions of files and folders on your network. This is useful
because users can:
Recover files that were deleted accidentally. If you delete a file accidentally, you
can open a previous version and copy it to a safe location.
Recover from accidentally overwriting a file. If you overwrite a file accidentally,
you can recover a previous version of the file.
Compare versions of a file while working. You can use previous versions when
you want to check what has changed between two versions of a file.

Users can access previous versions using the folder Properties dialog box. Available
versions appear on the Previous Versions tab under Folder Versions.
To enable previous file versions access, you must enable shadow copies of shared
folders on the file server. Shadow copies are copies of files that are located on the
server and appear as previous versions.
Previous versions are read-only. You cannot make changes to a previous version of
the file as it exists on the server. Additionally, previous versions are periodically
deleted and can disappear at any time. If you want to ensure access to a previous
version of a file, you should copy it to a safe place.
A shadow copy volume appears as a complete, read-only copy of a volume at the
point-in-time of creation. Shadow copies are also known as snapshots or restore
points. These snapshots are used by backup and restore applications, including
Windows Server 2008 backup features.
Performing manual backups is a useful tool for data protection; however, Windows
Server 2008 provides another level of defense with built-in file protection. This
feature is what makes shadow copies a great self-service solution for enterprises.
The shadow copies, or snapshots, are saved each day, and the changes are tracked
at the block level and stored on the same volume (up to 15 percent of the disk set
aside). The shadow copies can then be selected during System Restore.
A shadow copy can be represented by blocks of data.
There is a separate area for the shadow copy storage.
When a change in the data occurs, VSS will replace the changes on system
files.
An administrator can then roll back the system with System Restore or copy-
on-write.

The copy-on-write method creates shadow copies that are differential rather than
full copies of the original data. This method makes a copy of the original data
before it is overwritten with new changes. When a change to the original volume
occurs, but before it is written to disk, the block about to be modified is read and
then written to a differences area, which preserves a copy of the data block before
it is overwritten with the change. Using the blocks in the differences area and
unchanged blocks in the original volume, a shadow copy can be logically
constructed that represents the shadow copy at the point in time in which it was
created.
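The following is a small model of the copy-on-write behaviour described above. It is an added illustration, not course material and not Microsoft's VSS implementation: the four-block "volume", the block contents and the function names are all constructed for the example.

```powershell
# Constructed model of copy-on-write shadow copies (illustration only, not the
# real VSS provider). The "volume" is four blocks whose contents are made up.
$script:volume    = @{ 0 = 'A0'; 1 = 'B0'; 2 = 'C0'; 3 = 'D0' }
$script:snapshots = @()   # one differences area (a hashtable) per shadow copy

function New-ShadowCopy {
    # Taking a snapshot copies nothing: it only opens an empty differences area.
    $script:snapshots += @{}
    return ($script:snapshots.Count - 1)   # the snapshot id
}

function Write-Block([int]$Index, [string]$Data) {
    # Copy-on-write: before the live block is overwritten, its old contents are
    # saved into every differences area that does not yet hold that block. Each
    # snapshot therefore preserves a block once, at the first change after the
    # snapshot was taken; later changes to the same block cost nothing extra.
    foreach ($diff in $script:snapshots) {
        if (-not $diff.ContainsKey($Index)) { $diff[$Index] = $script:volume[$Index] }
    }
    $script:volume[$Index] = $Data
}

function Read-ShadowBlock([int]$Snapshot, [int]$Index) {
    # The logical point-in-time view: a changed block comes from the differences
    # area, an unchanged block straight from the live volume.
    $diff = $script:snapshots[$Snapshot]
    if ($diff.ContainsKey($Index)) { return $diff[$Index] }
    return $script:volume[$Index]
}

function Get-ShadowVolume([int]$Snapshot) {
    # Reconstruct the whole image of the volume as it was when the snapshot was taken.
    $blocks = 0..($script:volume.Count - 1) | ForEach-Object { Read-ShadowBlock $Snapshot $_ }
    return ($blocks -join ' ')
}

# Walk-through mirroring the default schedule: a 07:00 copy, user edits, a 12:00 copy.
$s0 = New-ShadowCopy        # 07:00 snapshot
Write-Block 1 'B1'          # block 1 edited: B0 is preserved in snapshot 0's differences area
$s1 = New-ShadowCopy        # 12:00 snapshot
Write-Block 1 'B2'          # block 1 edited again: B1 is preserved for snapshot 1 only
Write-Block 3 'D1'          # block 3 edited: D0 is preserved for both snapshots

"Live volume : " + (($script:volume.Keys | Sort-Object | ForEach-Object { $script:volume[$_] }) -join ' ')
"Snapshot 0  : " + (Get-ShadowVolume $s0)
"Snapshot 1  : " + (Get-ShadowVolume $s1)
"Diff area 0 : " + (($script:snapshots[$s0].GetEnumerator() | Sort-Object Name | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' ')
"Diff area 1 : " + (($script:snapshots[$s1].GetEnumerator() | Sort-Object Name | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' ')
```

The differences areas are what consume the allocated shadow copy storage: the more blocks change between snapshots, the more the storage area grows, which is why heavily edited volumes need a larger allocation than the default.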
Shadow Copy Considerations

Key Points
When using Shadow Copy, there are some considerations that you should keep in
mind, such as those in the following topics.
Shadow Copy Support in Client Operating Systems
Shadow copies can be accessed by computers running Windows Server 2008,
Windows Server 2003, and by computers running Windows XP Professional on
which you have installed the Previous Versions Client pack (Twcli32.msi). You can
install this file manually on clients or deploy the file by using the software
distribution component of Group Policy.
If you have not yet deployed these operating systems or client packs on your
clients, you can deploy a single computer (or as many as necessary) from which
users can restore previous versions of files. You can also distribute the client pack
on a case-by-case basis to users who request that files be restored.
Shadow Copy Support in Server Operating Systems
Shadow copies are available only on file servers running Windows Server 2008
and Windows Server 2003.
Shadow Copy Support on Server Clusters
If you use Shadow Copies for Shared Folders on mounted volumes in a cluster, do
not place the storage volume on a volume that is mounted to the source volume. In
addition, do not mount the source volume to the storage volume. Otherwise, the
cluster dependency between the Physical Disk resources of the mount point
volume and the volume it is mounted to will interfere with the cluster dependency
that is introduced by VSS between the source and storage volumes.
File System Requirements
Shadow copies are available only on NTFS volumes.
Recommended Scenarios for Using Shadow Copies
Shadow copies work best when the server stores user files such as documents,
spreadsheets, and graphics files. Do not use shadow copies to provide access to
previous versions of application or e-mail databases.
Amount of Volume Space to Allocate to Shadow Copies
When you enable shadow copies on a volume, you can specify the maximum
amount of volume space to be used for the shadow copies. The default limit is 10
percent of the source volume (the volume being copied). Increase the limit for
volumes where users frequently change files. Also, setting the limit too small
causes the oldest shadow copies to be deleted frequently, which defeats the
purpose of shadow copies and which will likely frustrate users. In fact, if the
amount of changes is greater than the amount of space allocated to storing shadow
copies, no shadow copy is created. Therefore, carefully consider the amount of disk
space that you want to set aside for shadow copies, while keeping in mind user
expectations for how many versions they want to be available. Your users might
expect only a single shadow copy to be available, or they might expect three days
or three weeks' worth of shadow copies. The more shadow copies the users expect,
the more storage you need to allocate for storing them.

Note: Regardless of the volume space that you allocate for shadow copies, you can have
a maximum of 64 shadow copies for any volume. When the sixty-fifth shadow copy is
taken, the oldest shadow copy is purged.

Frequency at Which Windows Server 2008 Creates Shadow Copies
By default, Windows Server 2008 creates shadow copies at 7:00 A.M. and at 12:00
noon Monday through Friday. However, you can change the schedule to better
accommodate users. Keep in mind that the more shadow copies you create,
the more disk space the shadow copies can consume, especially if files change
frequently. When you determine the schedule, avoid scheduling shadow copies to
occur more than once per hour.
Storing Shadow Copies on Separate Disks
You can dedicate a volume on separate disks for storing the shadow copies of
another volume on the same file server. For example, if user files are stored on
H:\, you might use another volume, such as S:\, to store the shadow copies.
Using a separate volume on separate disks provides better performance, and it is
recommended for heavily used file servers. If you plan to use a separate volume for
the storage area (where the shadow copies are stored), be sure to change the
maximum size to No Limit to reflect the space available on the storage area volume
instead of the source volume (where the user files are stored).

Note: If you plan to store the shadow copies on the same volume as the user files, note
that a burst of disk I/O can cause all shadow copies to be deleted. If you cannot tolerate
the sudden deletion of shadow copies, use a volume that will not be shadow copied,
preferably on separate disks, for storing shadow copies.
Additional Reading
For more information on restoring a previous version of a file or folder, see
Windows Server 2008 Help Topic: How do I restore a previous version of a file or
folder?
For more information on best practices for shadow copies of shared folders, see
Best Practices for Shadow Copies of Shared Folders at http://go.microsoft.com/fwlink/?LinkID=139994.
Discussion: Backup Considerations

Key Points
Question: To whom should you restrict backup operations?
Question: Why is using the Shadow Copies facility not a replacement for formal
backups?
Question: What are the disadvantages of tape media?
Question: How frequently should you back up critical data?

Lab: Planning High Availability and Disaster
Recovery

The sales department at A. Datum Corporation has an application that has a Web-
based front end. The back end is provided by a Microsoft SQL Server database
application. Recently, a failure in the front end caused system unavailability for
several hours. Joe Healy, the Sales manager, has contacted Allison Brown, the IT
manager, and requested that she find a solution for the availability issue.
Exercise 1: Planning for Branch Office High Availability and
Data Recovery

Note: Your instructor may run this exercise as a class discussion.
Scenario
Read any of the supporting documentation, and then propose a high-availability
solution that meets the requirements in the High Availability for Sales Database
document.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Update the High Availability for Sales Database document with your
proposals.

Supporting Documentation
E-mail thread of correspondence with Alan Steiner:
Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 14 February 2010 13:30
To: Gregory@adatum.com
Subject: Re: Sales Database

Greg,
The sales database is currently in the head office only, although that is set to
change; we're creating a distributed version of the database later this year. The
distributed version will work essentially the same way, but there will be localized
versions of the databases replicated among the sales branch offices. It has a SQL
Server back-end, and the front-end is Web-based; IIS provides the front-end access.
The actual database is stored on disks attached to an iSCSI SAN.
The outage was caused when the Web server hosting the front end suffered a
power supply failure; it just started to smoke and then went offline!
In terms of backup, we currently perform a full backup to tape each Friday using a
third-party system; thereafter, we perform incremental backups to tape each work
day evening. Of course, SQL Server is performing replication during the working
day, so multiple instances of the data do exist. It would be nice to be able to
perform the backups more quickly.
Hope all that helps you,
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 14 February 2010 12:29
To: Alan@adatum.com
Subject: Sales Database
Alan,
I've got to come up with a solution to that database outage in Sales last month.
What can you tell me about it? Also, while I think about it, how is backup handled?
Thanks,
Greg

High Availability for Sales Database
Document Reference Number: GW1602/1
Document Author: Gregory Weber
Date: 16th February
Requirement Overview
To provide a high-availability solution that ensures that the failure of any single
component will not cause the Sales database to become unavailable.
To ensure that the database is recoverable in the event of multiple disk failures.
Additional Information
All servers are installed with Windows Server 2008 Enterprise Edition.
Proposals
1. In the current system, what component(s) is a point of failure?


2. For each element, how would you propose to prevent a system failure resulting
from a component failure?


3. What Windows Server 2008 role or feature could help provide for each of these
proposals?


4. After implementing the roles or features proposed, is there any remaining
component that represents a single point of failure?


5. Have you any recommendations regarding this component(s)?



Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the High Availability for Sales Database document with
your proposals
Answer the questions in the High Availability for Sales Database document.

Results: After this exercise, you should have a completed High Availability for Sales
Database proposal document.

Exercise 2: Implementing the High Availability and Disaster
Recovery Plan
Scenario
You will now implement a part of your high-availability and recovery plan.
The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Install NLB and IIS on both SEA-SVR1 and SEA-SVR2.
3. Create a simple Web site on both servers.
4. Create the NLB cluster.
5. Install Windows Server Backup Features and enable Shadow Copies on
SEA-SVR1.
6. Secure the backup process.
7. Perform a backup.
8. Test the NLB cluster.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-SVR2, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
7. Log on to 6430B-SEA-SVR2 as ADATUM\Administrator with the password
Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Install NLB on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Use Server Manager to add the Network Load Balancing feature.

Task 3: Install IIS on SEA-SVR1
1. Use Server Manager to add the Web Server (IIS) server role.
2. Accept defaults during the role installation process.

Task 4: Create a Web site on SEA-SVR1
1. Open a command prompt, and enter the following commands to copy a
simple Web site to the local server:
Cd\inetpub\wwwroot
Xcopy \\sea-dc1\c$\inetpub\wwwroot\intranet\*.* /s
2. Close the command prompt.

Task 5: Install NLB on SEA-SVR2
1. Switch to the SEA-SVR2 computer.
2. Use Server Manager to add the Network Load Balancing feature.

Task 6: Install IIS on SEA-SVR2
1. Use Server Manager to add the Web Server (IIS) server role.
2. Accept defaults during the role installation process.

Task 7: Create a Web site on SEA-SVR2
1. Open a command prompt, and enter the following commands to copy a
simple Web site to the local server:
Cd\inetpub\wwwroot
Xcopy \\sea-dc1\c$\inetpub\wwwroot\intranet\*.* /s
2. Close the command prompt.

Task 8: Create the NLB cluster
1. Switch to the SEA-DC1 computer and open Server Manager.
2. Add the Network Load Balancing Tools Feature. This is located under Remote
Server Administration Tools | Feature Administration Tools.
3. Open Network Load Balancing Manager and create a new cluster:
In the New Cluster: Connect dialog box, in the Host field, type
SEA-SVR1, click Connect, and then click Next.
On the Cluster IP Addresses page, click Add.
In the Add IP Address dialog box, in the IPv4 address field, type
10.10.10.10, and press TAB. Then in the Subnet mask field, type
255.255.0.0.
Click OK, and then click Next.
On the Cluster Parameters page, in the Full Internet name field, type
webfarm.adatum.com.
Click Multicast, and then click Next.
On the Port Rules page, click Edit.
In the Add/Edit Port Rule dialog box, in the From field, type 80, and in
the To field, type 80.
Under Protocols, click TCP.
For Affinity, click None.
Click OK, and then click Finish.
In the console tree, right-click webfarm.adatum.com, and then click Add
Host to Cluster.
In the Add Host to Cluster: Connect dialog box, in the Host field, type
SEA-SVR2, and then click Connect.
Click Next.
On the Host Parameters page, click Next.
On the Port Rules page, click Finish.

Task 9: Configure DNS records
1. Open DNS Manager.
2. Create a new Host Record with the following properties, and then close DNS
Manager:
Location: Adatum.com zone
Name: webfarm

Note: Only enter the name webfarm; the domain suffix is added automatically.
IP address: 10.10.10.10

Note: You will test the cluster at the end of the exercise.

Task 10: Install the Windows Server Backup features
1. Switch to the SEA-SVR1 computer.
2. Use Server Manager to add the Windows Server Backup Features server
feature.
3. Close Server Manager.

Task 11: Enable shadow copies
1. Click Start, click Computer, right-click Local Disk (C:), and then click
Configure Shadow Copies.
2. Enable shadow copies.
3. Modify the shadow copy schedule to include both Saturdays and Sundays.
4. Create a manual shadow copy.
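The commands below are an added example, not part of the course lab, and show Task 11 done from the command line with the sizing and scheduling advice from the Shadow Copy Considerations topic applied. They assume the lab's SEA-SVR1 with the data on C:; the separate volume S:, the 20 percent cap and the scheduled task name are assumptions made for this illustration.

```powershell
# Added example (not the course's own steps): Task 11 with vssadmin and schtasks.
# Assumed: data on C:, a spare volume S: on separate disks, a 20% cap, task names.

# Enable shadow copies of C:. The storage area stays on C: and is capped at 20%
# (the default is 10%; raise it on volumes where users change files often, because
# a cap that is too small purges old copies quickly and, if one burst of changes
# exceeds the cap, no copy is created at all).
vssadmin add shadowstorage /for=C: /on=C: /maxsize=20%

# Heavily used file server variant: keep the storage area on separate disks (S:)
# and lift the cap so the limit reflects the free space on S: rather than on C:.
# vssadmin add shadowstorage /for=C: /on=S: /maxsize=UNBOUNDED

# Extend the default schedule (07:00 and 12:00, Monday to Friday) to the weekend.
# The Configure Shadow Copies dialog drives vssadmin from a scheduled task; this
# adds a separate weekend task alongside it. Repeat with /st 12:00 and another
# /tn for the noon copy. Never schedule copies more often than once per hour.
schtasks /create /tn "ShadowCopy-C-Weekend-0700" /sc weekly /d SAT,SUN /st 07:00 /ru SYSTEM /tr "vssadmin create shadow /for=C: /autoretry=15"

# Take a manual shadow copy now and review where it went and how much space it uses.
vssadmin create shadow /for=C:
vssadmin list shadowstorage /for=C:

# Count the copies that exist for a volume. The ceiling is 64 per volume, whatever
# storage is allocated: the 65th copy purges the oldest.
function Get-ShadowCopyCount([string]$Volume = 'C:') {
    $lines = vssadmin list shadows "/for=$Volume"
    return @($lines | Select-String -SimpleMatch 'Shadow Copy ID:').Count
}
$count = Get-ShadowCopyCount 'C:'
if ($count -ge 60) { Write-Warning "$count shadow copies on C:; the oldest will soon be purged." }
```

Run these from an elevated prompt on the file server. Checking the count before changing the schedule is worthwhile: adding weekend copies to a volume that already sits near the 64-copy ceiling shortens, rather than lengthens, the history users can reach through Previous Versions.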

Task 12: Verify the presence of previous versions of the Web site
1. In Windows Explorer, double-click Local Disk (C:), double-click inetpub,
right-click wwwroot, and then click Properties.
2. Verify that there are previous versions listed.

Task 13: Establish groups to secure the backup process
1. Open Server Manager once more.
2. In Server Manager, expand Configuration, expand Local Users and Groups,
and then click Groups.
3. Modify the local Backup Operators group to include the member Joe from the
Adatum.com domain.
4. Log off.

Task 14: Perform a backup of the branch server
1. Log on to 6430B-SEA-SVR1 as ADATUM\Joe with the password Pa$$w0rd.
2. Load Windows Server Backup.
3. Perform a one-off backup with the following properties:
Backup configuration: Custom
Destination: \\sea-dc1\public
Advanced option: Vss copy backup (recommended)
4. After the backup has started, close Windows Server Backup.
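Tasks 13 and 14, and the Windows Server Backup and system state points from the lesson, as commands. This is an added example rather than the lab's own steps; it assumes the lab's SEA-SVR1, the domain user ADATUM\Joe and the share \\sea-dc1\public, and the local volume D: used for the optional system state backup is an assumption.

```powershell
# Added example (not the course's own steps): delegated backup with wbadmin.
# Assumed: SEA-SVR1, the user ADATUM\Joe, the share \\sea-dc1\public, a volume D:.

# Task 13, run as an administrator on SEA-SVR1: delegate ad-hoc backups through
# the built-in Backup Operators group instead of making Joe an administrator.
net localgroup "Backup Operators" ADATUM\Joe /add
net localgroup "Backup Operators"          # review who can now back up the server

# Task 14, run as ADATUM\Joe: a one-off backup of C: to the share. Without
# -vssFull, wbadmin on Windows Server 2008 performs a VSS copy backup (the option
# the GUI marks as recommended): file history is left untouched, so the
# scenario's third-party incremental tape backups are not disturbed.
wbadmin start backup -backupTarget:\\sea-dc1\public -include:C: -quiet

# Confirm the backup is in the catalog and which volumes it covers.
wbadmin get versions -backupTarget:\\sea-dc1\public

# The system state (Active Directory, registry, role configuration) is a separate
# backup type; on Windows Server 2008 its target must be a local volume, not a
# share. Uncomment to include it.
# wbadmin start systemstatebackup -backupTarget:D: -quiet
```

Membership of Backup Operators is itself a privilege worth auditing: a member can read every file on the server regardless of NTFS permissions, which is exactly why the lesson reserves restore operations, and ideally ad-hoc backups too, for skilled administrative staff.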

Task 15: Test the NLB cluster
1. Switch to the SEA-DC1 computer.
2. Open Microsoft Internet Explorer.
3. In the Internet Explorer address bar, type http://webfarm.adatum.com, and
then press ENTER.
The A Datum Intranet appears.
4. Turn off the SEA-SVR1 computer. In the Close box, select Turn off machine
and discard changes. Click OK.
5. On SEA-DC1, type http://webfarm.Adatum.com, and then press ENTER.

Note: Even though an NLB cluster member is unavailable, the Web site is still available. The remaining host detects the missing heartbeats from SEA-SVR1, the cluster converges without it, and new connections are directed only to the surviving host.
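A browser refresh in Task 15 only shows that the site came back; it does not show how long it was gone. The probe below, added here as an example and not part of the 6430B lab, requests the cluster name once a second and logs every answer that is not HTTP 200, so the convergence gap can be measured. It also covers a case the browser test does not: NLB removes a host only when its heartbeats stop, so a host whose operating system is up but whose Web site is stopped keeps receiving connections and returns errors, which this probe records as failures. It needs PowerShell 2.0 or later and assumes http://webfarm.adatum.com/ resolves to the cluster virtual IP and that it runs on SEA-DC1 or another machine that is not a cluster member.

```powershell
# Added example, not part of the 6430B lab: probe the NLB cluster name once a
# second and log every non-200 answer so the outage during convergence is
# measured rather than eyeballed. Requires PowerShell 2.0+ (try/catch).
# Assumptions: the URL resolves to the cluster VIP; the probe does not run on
# a cluster member (a member can always reach its own local instance).
param(
    [string]$Url     = 'http://webfarm.adatum.com/',
    [int]   $Seconds = 120
)

$log = @()
$end = (Get-Date).AddSeconds($Seconds)
while ((Get-Date) -lt $end) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Timeout   = 2000     # a failed host never answers; do not wait 100 s
    $req.KeepAlive = $false   # new TCP connection per probe so NLB balances each one
    try {
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch {
        $status = 0           # timeout, connection refused, or a 4xx/5xx (WebException)
    }
    $log += New-Object PSObject -Property @{ Time = Get-Date; Status = $status }
    Start-Sleep -Seconds 1
}

$failed = @($log | Where-Object { $_.Status -ne 200 })
'Probes: {0}  Failed: {1}  Availability: {2:P1}' -f $log.Count, $failed.Count, (1 - $failed.Count / [Math]::Max(1, $log.Count))
$failed | Format-Table Time, Status -AutoSize
```

Start the probe, then turn off SEA-SVR1 as in step 4; the timestamps of the failed probes bracket the convergence window.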

Results: After this exercise, you should have successfully implemented your high-
availability and recovery plan.
To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module Review and Takeaways

Review Questions
1. You plan to deploy a Web farm. You want to provide a fault-tolerant front end
for client computers connecting from the Internet. Which would be the most
suitable technology?

2. You want to implement a RAID solution that provides good read performance
and reasonable fault tolerance; however, lower cost is a factor. Which RAID
standard(s) would be suitable?

3. Which editions of Windows Server 2008 support the failover clustering
feature?

4. Where do you store shared folders that are part of a File Server cluster?

5. Shadow copies work on the principle of providing incremental copies of
configured volumes at the block level. True or False?

Module 11
Planning Virtualization
Contents:
Lesson 1: Overview of Server Virtualization 11-4
Lesson 2: Business Scenarios for Server Virtualization 11-13
Lesson 3: Overview of System Center Virtual Machine Manager 11-20
Lesson 4: Planning Host Resources 11-31
Lab: Planning Virtualization 11-42
Module Overview

Virtualization is a commonly used technology for increasing the efficiency and
availability of applications and services. Microsoft has several virtualization
products. Hyper-V is the hypervisor included with Windows Server 2008. For
organizations with multiple virtualization hosts, System Center Virtual Machine
Manager (VMM) can be used to centrally manage all aspects of virtualization.
When you plan the implementation of virtualization, you need to consider how
host resources are allocated to the virtual machines.
Objectives
After completing this module, you will be able to:
Describe virtualization and the technologies that can be used to implement
virtualization.
Describe the business scenarios for virtualization.
Describe how System Center Virtual Machine Manager can be used to manage
a virtual environment.
Plan host resources.

Lesson 1
Overview of Server Virtualization

Server virtualization uses a hypervisor to allow multiple operating systems to run
concurrently on a single computer. Microsoft provides Virtual PC, Virtual Server,
and Hyper-V to implement server virtualization. Each has unique requirements
and benefits and is appropriate in different scenarios.
Objectives
After completing this lesson, you will be able to:
Describe virtualization.
Describe Virtual PC.
Describe Virtual Server.
Describe Hyper-V.

What Is Virtualization?

Key Points

Note: See the animation What Is Virtualization. Open the file
crse10068ae_01_01_01_ani01.swf from the Animations folder.
Virtualization enables multiple operating system instances to run on a single
computer. For example, a single computer could run multiple instances of
Windows Server 2008 at the same time, with each instance dedicated to running a
different application. Each instance is referred to as a virtual machine. Each virtual
machine is independent of the other and can be restarted and managed separately.
Also, the operating system running in each virtual machine can be different.
A hypervisor is used to enable virtualization. The hypervisor controls
communication between the virtual machines and resources such as memory or
hard disks. Depending on the virtualization technology used, a hypervisor may run
on bare metal or within a host operating system. The hypervisor may also present
emulated hardware to the guest operating systems in the virtual machines.
Microsoft has several virtualization products. Microsoft Virtual PC is used on
desktop computers to run virtual machines for testing. Microsoft Virtual Server is
designed to run production servers in a virtual environment, with Windows Server
2003 as a host. Hyper-V is a server role that enables Windows Server 2008 to act as
a host for virtual machines.
What Is Virtual PC?

Key Points
Microsoft Virtual PC is a virtualization technology for running multiple operating
system instances on a desktop computer. The latest version is Virtual PC 2007
Service Pack 1 (SP1) and can be downloaded from the Microsoft Web site.
The supported host operating systems for Virtual PC 2007 are:
Windows XP Professional (x86 and x64)
Windows XP Tablet PC Edition
Windows Server 2003 (x86 and x64)
Windows Vista Business, Enterprise, and Ultimate Editions (x86 and x64)

The primary use for Virtual PC is for testing scenarios where only a few virtual
machines with limited resources are required. Virtual PC uses only a single
processor core, which limits the volume of processing that all virtual machines can
do. Also, Virtual PC supports only 32-bit guest operating systems. This limits the
maximum memory to 4 GB.
A major benefit of using Virtual PC is the ability to move data between the host and
guest. This allows you to easily move files to the guest without creating a file share
and without ensuring compatibility of network settings between the host and guest.
Many operating systems will run as a guest in Virtual PC. The supported guest
operating systems for Virtual PC are:
Windows Vista Ultimate
Windows Vista Enterprise
Windows Vista Business
Windows XP Professional
Windows XP Tablet PC Edition
Windows 2000 Professional
Windows 98 Second Edition
IBM OS/2 Warp 4 Fixpack 15, OS/2 Warp Convenience Pack 1, and OS/2
Warp Convenience Pack 2

What Is Virtual Server?

Key Points
Microsoft Virtual Server is designed to run production servers in a virtual
environment. The latest version is Virtual Server 2005 R2 SP1 and can be
downloaded from the Microsoft Web site.
The supported host operating systems for Virtual Server are:
Windows Server 2003 (x86 and x64)
Windows XP (x86 and x64, nonproduction)
Windows Vista (x86 and x64, nonproduction)

Like Virtual PC, Virtual Server can be used to create a test environment for new
applications and operating system changes. Virtual Server supports multiple CPU
cores for each virtual machine and you can control how CPU cores are allocated to
each virtual machine. However, guest operating systems are limited to 32-bit
editions and, consequently, 4 GB of RAM per virtual machine.
Management of Virtual Server is performed through a Web-based application
on the host. This makes it easy to manage virtual machines remotely, which is
required for many data centers. In general, Virtual Server provides features that
make it easier to manage than Virtual PC. This includes centralized management of
multiple Virtual Server hosts by using System Center Virtual Machine Manager.
Virtual Server also supports more operating systems than Virtual PC. The following
guest operating systems are supported in Virtual Server:
Windows Server 2003
Windows 2000 Server
Windows NT 4.0
Windows XP SP2
Red Hat Enterprise Linux versions 2.1, 3.0, and 4.0
Red Hat Linux versions 7.3 and 9.0
SUSE Linux Enterprise Server 9.0
SUSE Linux versions 9.2, 9.3, and 10.0

What Is Hyper-V?

Key Points
Hyper-V is a server role included in the 64-bit editions of Windows Server 2008
(Standard, Enterprise, and Datacenter) to host virtual machines. When the Hyper-V
role is installed on a computer, the Windows hypervisor is installed and begins
running after the computer is restarted. The Windows hypervisor is a bare-metal
hypervisor: it runs directly on the hardware, beneath the operating system.
Partitions
The instance of Windows Server 2008 with the Hyper-V role installed is the parent
partition. Child partitions are the virtual machines created to run new operating
system instances. The parent partition owns the physical hardware and its drivers,
so if the parent partition fails, the child partitions also fail; likewise, anyone who
gains administrative control of the parent partition controls every child partition.
For these reasons, it is common to use the Server Core installation option of
Windows Server 2008 as the operating system in the parent partition and to run no
roles other than Hyper-V on it. Using the Server Core installation option reduces
the attack surface of the parent partition, and the number of updates and restarts
it needs, and consequently reduces the risk of failure. However, using the Server
Core installation option does not prevent failures of the parent partition due to
other reasons, such as hardware failure or unstable drivers.
Drivers
Hyper-V uses a microkernelized hypervisor rather than a monolithic hypervisor.
This means that device drivers are not part of the hypervisor; a microkernelized
hypervisor uses the drivers in the parent partition, which keeps the hypervisor
small and increases both its reliability and its performance. Child partitions use
high-performance synthetic drivers, which rely on the guest operating system being
aware that it runs on Hyper-V; these guest-side modifications are referred to as
enlightenments.

Note: Both Virtual PC and Virtual Server use a monolithic hypervisor that runs inside of
Windows.
Synthetic drivers are implemented on the guest operating system by installing
integration components. The integration components are available for Windows
2000 Server, Windows Server 2003, Windows Server 2008, SUSE Linux Enterprise
Server 10, Windows Vista, and Windows XP.
Hyper-V Hardware Requirements
Hyper-V is not capable of running on all computers. The following hardware
requirements must be met:
64-bit x86 processor
Hardware-assisted virtualization, with AMD-Virtualization (AMD-V) or Intel
Virtualization Technology (Intel VT)
Hardware-enabled Data Execution Prevention (DEP), with AMD No Execute
(AMD NX) or Intel Execute Disable (Intel XD)
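A pre-flight check of the three requirements above, added here as an example and not part of the course. Win32_Processor.AddressWidth and Win32_OperatingSystem.DataExecutionPrevention_Available are available on Windows Server 2008; Windows Server 2008 exposes no WMI property for Intel VT or AMD-V, so that check shells out to Sysinternals Coreinfo (assumed to be on the PATH). Run it before the Hyper-V role is installed: once the hypervisor owns the hardware, the parent partition no longer sees VMX/SVM as available.

```powershell
# Added example, not part of the course: check the three Hyper-V hardware
# requirements on a candidate host. Assumption: coreinfo.exe (Sysinternals)
# is on the PATH; run before the Hyper-V role is installed.

$cpu = Get-WmiObject Win32_Processor | Select-Object -First 1
$os  = Get-WmiObject Win32_OperatingSystem

$is64bit = ($cpu.AddressWidth -eq 64)
# True only when the CPU supports NX/XD and it is enabled in firmware.
$depOn   = [bool]$os.DataExecutionPrevention_Available

# Coreinfo -v prints one feature per line: NAME, then '*' (present) or '-'.
# VMX is Intel VT, SVM is AMD-V. -accepteula avoids the first-run dialog.
$coreinfo = & coreinfo.exe -accepteula -v 2>&1 | Out-String -Stream
$hwVirt   = [bool]($coreinfo | Where-Object { $_ -match '^(VMX|SVM)\s+\*' })

$checks = @(
    @{ Name = '64-bit x86 processor';              Ok = $is64bit },
    @{ Name = 'Hardware DEP (NX/XD) enabled';      Ok = $depOn   },
    @{ Name = 'Hardware virtualization (VT/AMD-V)'; Ok = $hwVirt  }
)
foreach ($c in $checks) {
    '{0,-40} {1}' -f $c.Name, $(if ($c.Ok) { 'OK' } else { 'MISSING' })
}
if (-not ($is64bit -and $depOn -and $hwVirt)) {
    Write-Warning 'This host cannot run Hyper-V: enable the feature in firmware or choose another host.'
}
```

A MISSING result for DEP or virtualization on a processor that supports them usually means the feature is disabled in the BIOS; both must be enabled in firmware, not just present on the chip.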

Lesson 2
Business Scenarios for Server Virtualization

Server virtualization provides unique benefits for various scenarios. Server
consolidation increases efficiency and reduces hardware maintenance. Test
environments are less costly and more flexible when virtualized. When
virtualization is implemented for production servers, additional options, such as
Quick Migration, are available to increase server uptime.
Objectives
After completing this lesson, you will be able to:
Describe server consolidation.
Describe virtualization for test environments.
Describe using virtualization for business continuity.

Using Virtualization for Server Consolidation

Key Points
Many organizations prefer to host only a single application on a server. This
simplifies management and maintenance. When multiple applications are on a
server, it is possible that an update to one application may cause problems with
another application. Also, sometimes the best way to fix a nonfunctional
application is to restart the server. When multiple applications are on a single
server, the server reboot affects many users, not just the users of the
nonfunctioning application.
When there are many application servers with a single application, in many cases,
the utilization of system resources is very low. The processor utilization of a server
often averages less than 10 percent.
Maintenance of older application servers is also an issue. As hardware becomes
older, it will start to fail. In some cases, the application server may have poor
documentation and may be difficult to re-create. It may be very expensive or
difficult to rebuild the server on new hardware.
Server consolidation is the process of converting physical servers to virtual
machines and then running many virtual machines on just a few virtualization
hosts. This has the following benefits:
More efficient utilization of hardware. You can place multiple virtual
machines on a single host to more fully use resources. For example, instead of
eight physical servers with 10 percent processor utilization, you can have a
single virtualization host with eight virtual machines and 80 percent processor
utilization. Typically, more efficient utilization of hardware results in reduced
hardware costs.
Reduced hardware maintenance. Fewer physical servers reduce the amount
of hardware maintenance that must be performed. Maintenance includes tasks
such as BIOS updates and firmware updates.
Simplified support of older operating systems. It is difficult to find drivers to
run older operating systems on newer hardware. By moving older operating
systems to a virtual environment, you avoid the need to find drivers for new
hardware.
Reduced power utilization. In most cases, a server virtualization project
retires older, inefficient hardware and uses newer, more efficient hardware.
When this is combined with a reduced number of physical servers, the
reduction in power utilization can be substantial.

Using Virtualization for Test Environments

Key Points
It is a best practice to test all changes to a computing environment in a test lab
before implementing them in your live environment. This helps to ensure that
changes do not have unintended consequences. For example, you should test
software updates and configuration changes.
To make testing as reliable as possible, the test lab should closely resemble your
production environment. However, in some cases, this may require many servers.
The cost of creating a test lab with many physical servers is quite high and many
organizations simply do not have the physical space to host a test lab with many
physical servers. In the past, when an organization could not afford a test lab,
testing was not performed, which created a higher risk of problems when changes
were implemented.
The benefits of virtualization for test environments are:
Reduced hardware cost. Virtualization helps you create a test lab by reducing
the physical hardware requirements. With a single virtualization host, you can
run four or more virtual machines. This allows you to replicate complex
environments with all of the required servers.
Fast reconfiguration. Virtualization allows you to reconfigure a test lab in
minutes instead of hours. In a traditional test lab using only physical servers,
you need to reimage the operating system to switch between test
environments. When virtualization is used, you shut down one set of virtual
machines and start another.

Some limitations of virtualized test environments are:
Limited performance testing. To do performance testing, such as load testing,
the test environment must exactly match the production environment. So,
testing performance on a virtual machine is not relevant unless the production
server is also virtualized and allocated the same resources.
Unable to test hardware related changes. A virtualized environment is
isolated from the physical hardware that it runs on. So, you cannot use a
virtualized environment to test hardware drivers or firmware updates.

Using Virtualization for Business Continuity

Key Points
Virtualization enables several scenarios that increase server availability and
simplify disaster recovery. Most of the benefit is due to the independence of the
virtual machine from the physical hardware of the virtualization hosts. This
independence makes it easy to move a virtualized server from one virtualization
host to another.
Business continuity scenarios include:
Simplified disaster recovery. It is difficult to restore a backup from one
physical server to another physical server with different hardware. A virtual
machine can simply be moved to a new virtualization host and started there
because there are no hardware incompatibilities. If the virtual machine files
are located on a storage area network (SAN), downtime can be as little as a minute.
Additional backup options. To perform a backup on a physical server, you
run an agent on that server that communicates with a central backup server.
You can also install a backup agent in virtual machines to perform a backup
the same way. However, you also have the option to perform a backup of only
the virtualization host. The backup of the virtualization host includes the
virtual machines. The backup can be performed while the virtual machines are
running, provided the guest has the integration components installed and their
backup service enabled; a guest without them is briefly placed in a saved state
while it is backed up.
When Microsoft Data Protection Manager is used to back up a virtualization
host, you can perform almost continuous backups. In this scenario, snapshots
are taken up to every 30 minutes.

For more information about performing backups of virtual machines, see
Protecting Virtualized Environments with System Center Data Protection
Manager 2007 on the Microsoft Web site at http://go.microsoft.com
/fwlink/?LinkID=166444&clcid=0x409.
Quick Migration. When the Failover Clustering feature of Windows Server 2008 is
combined with Hyper-V, you can perform a Quick Migration of a virtual
machine from one virtualization host to another. When a Quick Migration is
performed, the virtual machine is paused, its state is saved, and it is resumed on
the other virtualization host. The outage is short because only the saved state
moves: the virtual machine files remain on the SAN.

Windows Server 2008 R2 supports Live Migration which allows a
clustered virtual machine to be moved between virtualization hosts
without any downtime. For more information about Live Migration, see
Hyper-V Live Migration Overview & Architecture on the Microsoft Web
site at http://go.microsoft.com/fwlink/?LinkID=166445&clcid=0x409.
Snapshots. When operating system and application updates are performed,
there is always a risk of a problem occurring after the update is complete.
When virtualization is used, you can take a snapshot of the virtual machine
before the update is performed. Then, if there is a problem after the update,
you can revert to the snapshot. A snapshot is not a backup: it is stored on the
same disks as the virtual machine and is lost with them. Reverting also undoes
every change made since the snapshot, including security updates, and reverting
a domain controller causes Active Directory replication problems (USN
rollback), so do not use snapshots on domain controllers.

Lesson 3
Overview of System Center Virtual Machine
Manager

System Center Virtual Machine Manager (VMM) provides centralized management
of multiple virtualization hosts and their virtual machines. This lesson describes
VMM and how it is used for server consolidation, resource provisioning, business
continuity, and performance optimization.
Objectives
After completing this lesson, you will be able to:
Describe System Center Virtual Machine Manager.
Describe how VMM can be used for server consolidation.
Describe how VMM can be used for provisioning resources.
Describe how VMM can be used to enhance business continuity.
Describe how VMM can be used to optimize performance.

What Is VMM?

Key Points
System Center Virtual Machine Manager (VMM) is a product for managing
multiple virtualization hosts and their virtual machines through a single console. It
is a solution that solves many of the challenges introduced by virtualized
infrastructure.
Intelligent Placement
Choosing an appropriate Hyper-V host for a virtual machine is important to ensure
the good performance of the machine. When adding a new virtual machine to a
host, you need to ensure that the host has sufficient resources available. For
example, there must be sufficient free memory on the host to run the virtual
machine.
Intelligent Placement analyzes the performance characteristics of a server that is
being virtualized and the hosts available to place a virtual machine on. Based on
the analysis, hosts are ranked for you to choose from.
Reporting
Monitoring of a virtualized environment can be difficult. When combined with
System Center Operations Manager, VMM provides reports to help you to monitor
your virtualized environment and identify virtualization candidates.
Not every server is an ideal candidate for virtualization. The best candidates for
virtualization typically have low resource requirements. Low memory utilization
enables many virtual machines to be run on a single Hyper-V host.
P2V Conversion
Moving an existing server to new hardware is never an easy process because new
drivers need to be installed. The move from physical hardware to a virtual machine
is similar. The operating system needs to have new drivers installed to access the
virtual storage and network adapter.
VMM automates the conversion of physical computers into virtual machines
through a process known as physical-to-virtual (P2V) conversion. P2V conversion
can either be online or offline. When online conversion is performed, downtime is
reduced.
Library
With VMM, you can create a library of templates and resources for virtual
machines. This helps you to quickly create virtual machines with the required
configuration.
Self-Service Provisioning
Self-service provisioning in VMM helps you to delegate the ability to create virtual
machines to Active Directory directory service users. You can restrict these users
to control the virtual machines they can create, the hosts that they can create them
on, and the resources that the virtual machines can use.
Multivendor Virtualization Platform Support
VMM is capable of managing not only Hyper-V hosts but also Virtual Server and
VMware ESX hosts. This helps you to centralize the management of virtual
machines in a heterogeneous environment.
Using VMM for Server Consolidation

Key Points
Server consolidation is the process by which multiple physical servers are
virtualized and run as virtual machines on a lesser number of virtualization hosts.
This reduction in physical servers results in higher resource utilization on the
virtualization hosts. Having a lower number of physical servers reduces hardware
costs, power utilization, and data center cooling requirements. When virtual
machines with similar security requirements are consolidated onto a single host,
security can also be increased. For example, computers to be isolated on the same
network segment can be placed on the same host.
Identification of Virtualization Candidates
Microsoft System Center Operations Manager 2007 can be used to collect long-
term performance data from virtualization candidates. VMM uses the performance
data from SCOM to generate a report on processor, physical memory, disk usage,
and network throughput.
You can also use the Microsoft Assessment and Planning Toolkit (MAP) to evaluate
virtualization candidates. MAP will gather performance data from the virtualization
candidates and provide reports. However, MAP does not integrate directly with
VMM.
P2V Conversions
P2V conversions need to be simple and avoid downtime. VMM provides a wizard
to complete the P2V conversion while the source server is still running. This
process is scriptable for large-scale conversions. The wizard uses Background
Intelligent Transfer Services (BITS) to copy data from the source to the virtual
machine. Drivers for storage, memory, CPU, and network are replaced as part of
the process while preserving settings. To perform an online conversion, the source
computer must be running Windows Server 2008, Windows Vista, Windows
Server 2003 SP1, Windows Server 2003 R2, or Windows XP SP2.
Identification of Appropriate Hosts
Placing virtual machines on hosts with appropriate free resources is important to
ensure the performance of virtual machines. Intelligent Placement uses
performance data and available resources from hosts and the requirements of the
virtual machine to determine the best hosts for placement. When integrated with
SCOM, the actual performance data from the virtual machine is also used.
Using VMM to Provision Resources

Key Points

Note: See the animation What Is Virtualization. Open the file
crse10068ae_01_02_02_ani01.swf from the Animations folder.
Provisioning a physical server can take days or even weeks if new hardware is
required. The time required to provision a physical server includes the time for
gaining approvals for server purchase, ordering the server, and configuring the
server. When VMM is used to create virtual machines, a new virtual machine can
be provisioned in just minutes. The central component in provisioning is the
library.
The library contains resources for building virtual machines. The resources in a
library include virtual disks, International Organization for Standardization (ISO)
files, and templates. The operating system for new virtual machines is stored in the
library, on a virtual disk that has been Sysprepped. A new virtual machine can be
created by using individual library components or a template. Alternatively, an
existing virtual machine can be copied.
Provisioning can be delegated to other users. A delegated administrator uses the
VMM Administrator Console to perform actions within the scope defined by the
administrator. The scope can be limited to specific libraries or hosts. A self-service
user creates and manages virtual machines through the VMM Self-Service Portal.
You can restrict self-service users to creating virtual machines on specific hosts and
limit the actions they can perform on virtual machines. Quotas can be used to limit
the number of virtual machines created or resources used by self-service users. Self-
service users are often configured for test lab or development environments.
Using VMM to Enhance Business Continuity

Key Points
VMM does not provide any new functionality for virtual machines that enhance
business continuity. However, VMM does effectively manage business continuity
features that are provided by the virtualization host.
Clustering
VMM integrates with Windows Server 2008 failover clustering to provide highly
available virtual machines. After a host cluster has been configured, you use the
VMM Administrator Console to designate virtual machines as highly available.
Highly available virtual machines can fail over from one virtualization host in the
cluster to another.
Quick Migration
When virtual machines are configured as highly available, you can perform a quick
migration between hosts in the failover cluster. Quick Migration pauses the virtual
machine and migrates it to another host in just a few seconds. Quick Migration can
be started from within VMM.
You can use Quick Migration to move virtual machines to an alternate host when
performing host maintenance. Moving virtual machines between hosts without
Quick Migration requires restarting the virtual machines.
Live Migration
Live Migration moves the virtual machine from one host to another, without any
downtime. The VMotion feature of VMware hosts provides live migration of virtual
machines and can be triggered within VMM. Live migration support is not
available for Windows Server 2008 Hyper-V hosts or Virtual Server hosts. Support
for live migration is planned for Hyper-V in Windows Server 2008 R2 as a feature
named Live Migration.
Using VMM for Performance and Resource Optimization

Key Points
Ensuring optimal performance for virtual machines is a time-consuming process.
To ensure optimal performance, you must:
Monitor virtual machines and hosts.
Define events that indicate a problem.
Act on events to resolve a problem.

VMM includes Performance and Resource Optimization (PRO) to simplify and
automate this process. PRO uses performance data and events from SCOM to
identify concerns and perform actions based on these concerns. This can be used
to balance resource utilization between hosts or migrate virtual machines to
another host after a minor hardware failure.
When PRO is enabled for hosts and virtual machines, PRO tips are generated.
These tips describe remedial action to be taken. You can define whether the PRO
tips are to be implemented automatically or manually. The rules for generating
PRO tips are contained in the VMM 2008 Management Pack, which is imported
into SCOM. You can customize these rules and create your own.
VMM also includes a reporting feature that helps you monitor virtualization hosts
and virtual machines. One of the most useful reports shows resource utilization
trends over time. This helps you identify hosts that are short on memory or
processor capacity before it becomes a problem. Reporting requires integration
with SCOM.
Lesson 4
Planning Host Resources

Server virtualization uses a hypervisor to allow multiple operating systems to run
concurrently on a single computer. Microsoft provides Virtual PC, Virtual Server,
and Hyper-V to implement server virtualization. Each has unique requirements and
benefits and is appropriate in different scenarios.
Objectives
After completing this lesson, you will be able to:
Describe considerations for planning disk configuration.
Describe considerations for planning network configuration.
Describe considerations for planning memory utilization.
Describe considerations for planning processor utilization.
Describe considerations for planning host clustering.

Considerations for Planning Disk Configuration

Key Points
Hyper-V hosts provide multiple ways by which disks can be accessed by the host
and virtual machines. This provides the flexibility to meet the needs of your
specific deployment.
Most virtual machines are configured using virtual disks. Virtual disks are files with
the .vhd extension that store all of the content in virtual machine disks. Each .vhd
file corresponds to a disk of a virtual machine. The .vhd file can be located on local
storage or a SAN.
Considerations for planning disk configuration include:
Use fixed virtual disks to increase performance. A fixed-size virtual disk is
created as the maximum size of the virtual disk. This prevents fragmentation,
but increases disk utilization.
Use dynamic virtual disks to decrease disk utilization. The main benefit of
dynamic disks is that they only grow up to the size of the data they contain.
However, because they dynamically expand, they can become fragmented and
reduce performance.
Use passthrough disks for volumes larger than 2 terabytes (TB). A
passthrough disk allows a physical disk to be attached directly to a virtual
machine. This avoids the maximum size limit of 2 TB that applies to virtual
disks and increases disk performance. When passthrough disks are used, you
cannot use snapshots or dynamic expansion. You can configure passthrough
disks for a physical disk on the host or a Logical Unit Number (LUN) on a
SAN.
Use a SAN to enable faster migration of virtual machines between hosts. When
a SAN is used to store a virtual disk, you can migrate a virtual machine to a
new host by moving that SAN storage to the new host. Quick Migration and
highly available virtual machines rely on using a SAN for storage. The SAN can
be iSCSI or Fibre Channel.
Understand the input/output (I/O) of all virtual machines. The I/O capacity of
the disk subsystem in a host must be fast enough to support the total I/O of all
virtual machines. RAID 0 provides high speed, but no redundancy. RAID 10
combines high speed with a high level of redundancy.

Considerations for Network Configuration

Key Points
Network configuration is critical for virtualized environments, because multiple
virtual machines share the same connectivity. That increases the need for both
speed and reliability. The capacity of the network connectivity for the virtualization
host must exceed the network requirements of all running virtual machines.
Network configuration options include:
VLANs. VLANs are commonly used by organizations to segment network
traffic traveling through their switches. Traffic is often segmented by IP
address for routing, but can also be segmented by other characteristics such as
MAC address range to isolate Voice over IP (VoIP) traffic. The networking
configuration supports the use of VLANs so that virtual machines can be
placed on specific VLANs.
Multiple network adapter cards. If you want to physically separate network
traffic for virtual machines, you can use multiple network adapter cards. You
create an external network for each network adapter card. Then virtual
machines are placed on external networks. This increases the overall network
capacity of the host when both network adapters are connected to the same
network.
Teaming network adapter cards. Teaming of network adapter cards allows
two network cards to act as a single unit. This increases network performance
and availability. Teaming relies on software provided by the network adapter
card manufacturer. If teaming is part of your Hyper-V hosts plan, ensure that
teaming software for your hardware has been released for Hyper-V.
Private networks. Many test environments need to be isolated from the
production network environment due to naming or IP addressing conflicts.
You can use private networks to isolate virtual machines from the production
network. A private network exists only inside a virtualization host and is not
connected to the external network in any way.

Considerations for Memory Utilization

Key Points
Hyper-V is included only in 64-bit editions of Windows Server 2008. Using a 64-bit
operating system allows each Hyper-V host to support a large amount of memory.
In theory, 64-bit hardware can address 16 exabytes of memory. However, this is
practically limited by server hardware design and the operating system.
Some considerations for memory utilization are:
Determine the total memory allocated to each virtual machine. The memory
required in a virtualization host is the total of the memory allocated to each
virtual machine and memory required by the host operating system.
Each Hyper-V guest supports up to 64 GB of memory. This makes
virtualization possible for applications servers with large memory
requirements such as database servers and Microsoft Exchange Server servers.
Turning off a virtual machine reduces memory requirements. When you turn
off or shut down a virtual machine, it no longer uses memory on the host. In
test environments, it is common to shut down one virtual machine in order to
free memory to run another.
Considerations for Processor Utilization

Key Points
The virtual machines placed on a virtualization host all share the physical
processing power of that server. Hyper-V supports the use of multiple processors
and multiple cores per processor. This allows each host to provide a large volume
of processing capacity to the virtual machines.
Do not overload the host. You need to take care that the demands of the
virtual machines are not in excess of what the physical host can provide. If you
place virtual machines with too much demand for processing power on a host,
then application performance in the virtual machines will be reduced.
Consider utilization patterns. When placing virtual machines on hosts, try to
select virtual machines that do not have peak utilization at the same time. For
example, some virtual machines, such as domain controllers, will have their
highest utilization when users arrive in the morning, while other virtual
machines, such as application servers, will have their highest utilization later in
the day as users begin performing their daily tasks.
Use multiple processors and multicore processors in virtualization hosts. You
should implement servers with multiple processors and multicore processors
to increase the scalability of virtualization hosts.
Allocate virtual machines to specific processor cores. To ensure that specific
virtual machines have enough processing power, you can allocate a processor
core specifically to a virtual machine. This gives the virtual machine exclusive
access to that processing capacity. Providing a virtual machine with exclusive
access to processing power ensures that performance of that virtual machine is
not reduced when other virtual machines on that host consume lots of
processing power.
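A placement check for the utilization-pattern consideration above, added here as an example and not taken from the course or from VMM: each candidate virtual machine gets a constructed 24-hour profile of the physical cores it is expected to consume, and the peak of the combined profile is compared with the host's core count less an assumed reserve for the parent partition. The VM names, profiles and host size are all constructed sample values.

```python
"""Peak-hour placement check for a Hyper-V host (added example, not course code).

Each candidate VM is described by a constructed 24-entry list giving the number
of physical cores it is expected to consume in each hour of the day. The host
capacity, the reserve and all VM profiles below are constructed sample values.
"""

HOURS = 24


def profile(peak_hours, peak_load, base_load):
    """Build a 24-hour core-usage profile: a flat base load plus a set of peak hours."""
    return [peak_load if h in peak_hours else base_load for h in range(HOURS)]


# Constructed sample profiles (index 0 = 00:00). Domain controllers peak at
# logon time; application servers peak later in the day as users start work.
VM_PROFILES = {
    "DC01":  profile(peak_hours={8, 9},       peak_load=3.0, base_load=0.5),
    "DC02":  profile(peak_hours={8, 9},       peak_load=3.0, base_load=0.5),
    "APP01": profile(peak_hours={11, 14, 15}, peak_load=3.5, base_load=1.0),
    "APP02": profile(peak_hours={10, 13},     peak_load=3.0, base_load=1.0),
    "WEB01": profile(peak_hours=set(range(9, 18)), peak_load=2.0, base_load=0.5),
}


def combined_profile(vm_names, profiles=VM_PROFILES):
    """Sum the hourly core demand of the selected VMs placed on one host."""
    return [sum(profiles[name][h] for name in vm_names) for h in range(HOURS)]


def peak_demand(vm_names, profiles=VM_PROFILES):
    """Return (peak_cores, hour_of_peak) for a set of VMs placed together."""
    combined = combined_profile(vm_names, profiles)
    hour = max(range(HOURS), key=lambda h: combined[h])
    return combined[hour], hour


def fits_on_host(vm_names, host_cores, host_reserve=1.0, profiles=VM_PROFILES):
    """True when the combined peak demand still leaves the host its reserved cores.

    host_reserve is the number of cores kept free for the parent partition; it is
    an assumed planning margin for this example, not a Hyper-V setting.
    """
    peak, _ = peak_demand(vm_names, profiles)
    return peak <= host_cores - host_reserve


if __name__ == "__main__":
    host_cores = 8
    # Option A: overlapping peaks (both domain controllers peak at 08:00-09:00).
    # Option B: complementary peaks (one DC alongside servers that peak later).
    for label, vms in (("A", ["DC01", "DC02", "APP01", "APP02"]),
                       ("B", ["DC01", "APP01", "APP02", "WEB01"])):
        peak, hour = peak_demand(vms)
        verdict = "fits" if fits_on_host(vms, host_cores) else "overloads"
        print(f"placement {label}: peak {peak:.1f} cores at {hour:02d}:00 "
              f"-> {verdict} an {host_cores}-core host")
```

Option A sums to 8 cores at 08:00 and overloads the host once the reserve is counted, while option B never exceeds 7 cores even though its VMs are just as busy over the whole day.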

Considerations for Host Clustering

Key Points
Host clustering creates highly available virtual machines. The virtualization hosts
are part of a failover cluster and each virtual machine is a clustered application. If a
virtualization host fails, the virtual machines from that host are restarted on a
different host. The failover process takes a few minutes because it takes that long
for the operating system to boot up in the restarted virtual machines.
Considerations for host clustering include:
At least two Hyper-V hosts are required. To create a cluster you need at least
two Hyper-V hosts running Windows Server 2008, Enterprise or Datacenter
editions. The Standard edition is not capable of performing clustering. You can
use more hosts to have additional nodes in the cluster and more flexibility for
failover.
Plan failover carefully. When virtual machines fail over from one host to
another, you need to ensure that you are not overloading the host. If you
overload the processor, network, or disk I/O, then virtual machines will have
reduced performance. If the memory is not allocated appropriately, then some
virtual machines may not be able to run.
Hosts must be connected to the same shared storage. The virtual disks for
each virtual machine must be stored on a SAN. When a virtual machine fails
over to a new host, the new host takes control of the shared disk where the
virtual disks are stored and starts the virtual machine.
Each virtual machine has its own LUN. Each virtual machine must have an
independent LUN on the SAN. This allows each virtual machine to fail over
independently. Failover clustering requires exclusive access to a SAN disk for
each host.


Note: Host clustering in Windows Server 2008 R2 supports sharing of LUNs for highly
available virtual machines.
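An added example (not course material or VMM code) that exercises the failover-planning consideration above together with the memory, processor and disk I/O considerations from the earlier topics: for each host in a constructed three-host cluster it places that host's virtual machines onto the surviving hosts, most free memory first, and reports which virtual machines no survivor can run. The host and VM names and sizes, the 2 GB host memory reserve, and treating allocated cores and IOPS as hard limits are all assumptions made for this example.

```python
"""N+1 failover capacity check for a Hyper-V host cluster (added example, not course code).

Each VM records the memory, processor cores and disk I/O it is allocated and
the host it normally runs on; each host records its physical capacity. For every
host that could fail, the check places that host's VMs onto the surviving hosts
and reports any VM that no surviving host can run. All hosts, VMs and capacities
below are constructed sample values; the memory reserve is an assumed planning
margin for the parent partition, not a Hyper-V setting.
"""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    memory_mb: int
    cores: int
    iops: int          # expected disk I/O operations per second
    host: str          # host the VM normally runs on


@dataclass
class Host:
    name: str
    memory_mb: int
    cores: int
    iops: int                        # disk subsystem throughput
    memory_reserve_mb: int = 2048    # assumed margin kept for the host OS


def host_load(host, vms):
    """Return (memory_mb, cores, iops) consumed by the VMs running on a host."""
    mine = [v for v in vms if v.host == host.name]
    return (sum(v.memory_mb for v in mine),
            sum(v.cores for v in mine),
            sum(v.iops for v in mine))


def can_take(host, load, vm):
    """True when adding vm to host keeps memory, cores and disk I/O within capacity."""
    mem, cores, iops = load
    return (mem + vm.memory_mb <= host.memory_mb - host.memory_reserve_mb
            and cores + vm.cores <= host.cores
            and iops + vm.iops <= host.iops)


def failover_check(hosts, vms):
    """Simulate the failure of each host; return {failed_host: [VM names that cannot be placed]}."""
    result = {}
    for failed in hosts:
        survivors = [h for h in hosts if h.name != failed.name]
        loads = {h.name: list(host_load(h, vms)) for h in survivors}
        stranded = []
        # Place the largest VMs first so smaller ones can fill the remaining gaps.
        for vm in sorted((v for v in vms if v.host == failed.name),
                         key=lambda v: v.memory_mb, reverse=True):
            # Try the survivor with the most free memory first.
            survivors.sort(key=lambda h: h.memory_mb - h.memory_reserve_mb - loads[h.name][0],
                           reverse=True)
            target = next((h for h in survivors if can_take(h, loads[h.name], vm)), None)
            if target is None:
                stranded.append(vm.name)
                continue
            loads[target.name][0] += vm.memory_mb
            loads[target.name][1] += vm.cores
            loads[target.name][2] += vm.iops
        result[failed.name] = stranded
    return result


# Constructed sample cluster: three identical hosts, one of them lightly loaded.
SAMPLE_HOSTS = [Host("HOST1", 32768, 12, 5000),
                Host("HOST2", 32768, 12, 5000),
                Host("HOST3", 32768, 12, 5000)]

SAMPLE_VMS = [VM("SQL01", 16384, 4, 3000, "HOST1"), VM("DC01", 2048, 1, 200, "HOST1"),
              VM("APP01", 4096, 2, 500, "HOST1"),
              VM("EXCH01", 16384, 4, 2500, "HOST2"), VM("FILE01", 4096, 2, 2000, "HOST2"),
              VM("DC02", 2048, 1, 200, "HOST2"),
              VM("WEB01", 2048, 1, 300, "HOST3"), VM("WEB02", 2048, 1, 300, "HOST3"),
              VM("TEST01", 4096, 2, 400, "HOST3")]


if __name__ == "__main__":
    for failed, stranded in failover_check(SAMPLE_HOSTS, SAMPLE_VMS).items():
        status = "ok" if not stranded else "cannot run " + ", ".join(stranded)
        print(f"if {failed} fails: {status}")
```

In the sample data memory and cores fit everywhere, but the I/O-heavy FILE01 cannot be absorbed by either survivor when HOST2 fails, which is the kind of gap the disk I/O and failover considerations ask you to find before a host actually fails.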

Lab: Planning Virtualization


Note: Your instructor may run this lab as a class discussion.
Exercise 1: Creating a Virtualization Plan
Scenario
A. Datum Corporation has an IT management committee that is responsible for
overall technology direction. The committee recently asked you to provide them
with an overview of server virtualization benefits. Several weeks after that
presentation, you are approached by your manager to create a plan for a pilot
project for implementing Hyper-V as a virtualization host in your data center.
Your manager has sent you an e-mail detailing the overall requirements for the
project and a list of servers. You need to create a plan for the pilot project.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Create a plan for a virtualization pilot project.
Supporting Documentation
E-mail thread of correspondence with Allison Brown:
Gregory Weber
From: Allison Brown [Allison@adatum.com]
Sent: 4 Aug 2009 10:22
To: Gregory@adatum.com
Attachments: Servers.doc
Subject: Security Plan for Finance Application
Greg,
Thanks again for taking the lead on this project. I need my most knowledgeable
server person to take care of this for me. I really don't trust anyone else to come up
with the right answers.
The IT management committee likes the idea of beginning to virtualize our servers.
The cost savings and flexibility were very compelling for them.
I need you to come up with a plan for our pilot project. We have a limited budget,
so the pilot will involve only a single host for now, and try to keep the
requirements somewhat modest.
What I need in the plan is:
Which servers will be virtualized?
How will those servers be virtualized?
Why were those servers selected?
Do we need any additional tools besides Hyper-V?
What are the hardware specifications for the server?
Which operating system should be used on the hosts?

I've attached a list of our servers and their specifications to get you started.
Regards
Allison

Servers.doc
Name           Purchase date   Processor utilization   Memory utilization   Disk space
ExchangeNode1  July 2007       50%                     3 GB                 120 GB
ExchangeNode2  July 2007       4%                      500 MB               20 GB
FinanceApp     June 2009       20%                     1.5 GB               30 GB
SQLProd        Sept 2006       70%                     2 GB                 80 GB
PServer        Feb 2002        15%                     500 MB               7 GB
File1          Feb 2002        10%                     500 MB               200 GB
PayrollApp     Oct 2005        5%                      500 MB               20 GB
Terminal       June 2006       70%                     1.5 GB               30 GB
SQLTest        Nov 2004        30%                     1 GB                 80 GB
Billing        Mar 2008        20%                     1 GB                 40 GB

Notes:
ExchangeNode1 and ExchangeNode2 are part of a cluster.
PayrollApp is used only twice a month for submitting payroll information to
the bank.
SQLProd is used by applications in production.
SQLTest is used only by technical support staff when testing updates to
applications.
Billing is used each day to perform time tracking and is considered mission
critical.

Task 1: Read the supporting documentation
Read the supporting documentation.
Determine if you need any more information and ask your instructor to clarify
if required.

Task 2: Create a plan for a virtualization pilot project
Which servers will be virtualized?
Why were those servers selected?
How will those servers be virtualized?
Do we need any additional tools besides Hyper-V?
What are the hardware specifications for the server?
Which operating system should be used on the host?

Results: After this exercise, you should have a completed plan for a virtualization pilot
project.

Exercise 2: Implementing Virtualization (Optional)
Scenario
After completing your plan for a virtualization pilot project, you need to install and
configure a Hyper-V host. Then you need to create a virtual machine to test the
functionality of the host.
The main tasks for this exercise are as follows:
1. Configure the computer BIOS for Hyper-V.
2. Install Windows Server 2008 on the host.
3. Install the Hyper-V role update.
4. Install the Hyper-V role.
5. Create a new virtual machine.
6. Install Windows Server 2008 in the virtual machine.


Note: The BIOS configuration steps in this exercise are correct for a Dell Optiplex 755
with an Intel processor. The steps may vary depending on the model of the computer
you are using, BIOS revision, and the processor type. For example, the names of specific
settings may be different or the settings may already be enabled. Ask your instructor for help if required.
Whatever the hardware, Hyper-V will not start unless hardware-assisted virtualization
(Intel VT or AMD-V) and hardware-enforced Data Execution Prevention (the Intel XD or
AMD NX bit) are both enabled in the BIOS. On many systems a change to these settings
only takes effect after the computer is powered off completely, not merely restarted.
Task 1: Configure the computer BIOS for Hyper-V
1. Enter the computer BIOS setup.
2. Enable support for Hyper-V in the BIOS settings.
Virtualization: On
VT for Direct I/O: On
Trusted Execution: Off
Execute Disable: On
3. Save the changes to the BIOS settings.

Task 2: Install Windows Server 2008 on the host
1. Start your computer by using the Windows Server 2008 installation DVD.

Note: You will be provided with the software required to complete this lab from your
instructor. It may or may not be a DVD.
2. Install Windows Server 2008 Enterprise edition (x64).
Language: US English
Do not activate automatically online
Version: Windows Server 2008 (Full Installation) x64
Accept the license agreement
Delete any existing partitions
Select Disk 0 for installation
Enter Pa$$w0rd as the password
3. Configure the host name as SEA-HOSTx, where x is a number assigned by
your instructor.

Task 3: Install the Hyper-V role update
1. Log on as Administrator with the password Pa$$w0rd.
2. Copy the Hyper-V update, Windows6.0-KB950050-x64.msu, to the
computer. This update replaces the pre-release Hyper-V code that shipped on the
Windows Server 2008 installation media with the release version, and should be
applied before the role is installed.
3. Run Windows6.0-KB950050-x64.msu and restart the computer when prompted.

Task 4: Install the Hyper-V role
1. Log on as Administrator with the password Pa$$w0rd.
2. Use the Server Manager console to install the Hyper-V role.
Network adapter: Local Area Connection

Task 5: Create a new virtual machine
Use the Hyper-V Manager console to create a new virtual machine.
Name: SEA-VMx, where x is the number assigned by your instructor
Memory: 1024 MB
Network: your network card
Virtual hard disk settings: default

Task 6: Install Windows Server 2008 on the virtual machine
1. Start the virtual machine by using the Windows Server 2008 installation DVD.
2. Install the Windows Server 2008 Enterprise edition (x64).
Language: US English
Do not activate automatically online
Version: Windows Server 2008 (Full Installation) x64
Accept the license agreement
Select Disk 0 for installation
Enter Pa$$w0rd as the password
3. Install Hyper-V Integration Services from the Action menu.

Results: After this exercise, you should have successfully implemented a Hyper-V host
and created a virtual machine.

Module Review and Takeaways

Review Questions
1. What is the difference between a microkernelized hypervisor and a monolithic
hypervisor?

2. What are the benefits of using virtualization for server consolidation?

3. How does VMM simplify the provisioning of new servers?

4. Where are the virtual disks stored when a host cluster is implemented?

Common Issues Related to Virtual Machine Performance
Identify the causes for the following common issues related to virtual machine
performance and fill in the troubleshooting tips. For answers, refer to relevant
lessons in the module.
Issue Troubleshooting tip
Insufficient disk performance
Insufficient processing performance
Insufficient network performance

Real-World Issues and Scenarios
1. You are an IT architect at a large insurance provider with seven physical
locations, 12,000 users, and 220 servers. Your organization wants to use server
virtualization to reduce management and hardware costs by combining
existing servers on new hardware. What criteria will you use when you select
servers for consolidation?


2. You are an IT architect at a large insurance provider. You have migrated many
important applications to VMs and want to increase the availability of those
VMs. How can availability of VMs be increased when you use Hyper-V?


3. You are the manager responsible for controlling the process that is used for
testing new application updates and releases at a large insurance provider. In
the past, you have maintained development, test, and production servers for
all applications. This resulted in hundreds of servers being stored in the data
center. How can you use Hyper-V to reduce hardware costs for development
and testing?

Best Practices Related to Selecting Virtualization Candidates
Supplement or modify the following best practices for your own work situations:
Select candidates with low CPU utilization.
Select candidates with low memory utilization.
For initial conversion, select low-impact servers.
Select candidates with older hardware.
Use VMM reporting to locate virtualization candidates.
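The best practices above can be applied mechanically to the Servers.doc inventory from the lab in Exercise 1. The following script is an added example, not part of the course or its answer key: it ranks the lab's servers as pilot candidates (excluding cluster members, production and mission-critical systems, busy servers and recent hardware) and then sizes the single pilot host for the survivors. The thresholds (hardware older than three years, CPU at or below 30%, memory at or below 2 GB), the 2 GB parent-partition reserve and the 1.5x CPU headroom are assumptions chosen for illustration, not figures from the module; the impact labels are taken from the notes under the table.

```python
"""Rank the lab's Servers.doc entries as virtualization pilot candidates
using the module's criteria (low CPU, low memory, low impact, old
hardware) and size one Hyper-V host for the chosen guests.

Added example: thresholds and reserves below are assumptions."""
from dataclasses import dataclass
from datetime import date
from math import ceil


@dataclass(frozen=True)
class Server:
    name: str
    purchased: date    # first day of the month given in Servers.doc
    cpu_pct: int       # processor utilization
    mem_gb: float      # memory utilization
    disk_gb: int       # disk space
    impact: str        # from the lab notes: "cluster", "production",
                       # "critical", "low"; "unknown" where nothing is stated


# Transcribed from Servers.doc and the notes beneath it.
SERVERS = [
    Server("ExchangeNode1", date(2007, 7, 1), 50, 3.0, 120, "cluster"),
    Server("ExchangeNode2", date(2007, 7, 1), 4, 0.5, 20, "cluster"),
    Server("FinanceApp", date(2009, 6, 1), 20, 1.5, 30, "unknown"),
    Server("SQLProd", date(2006, 9, 1), 70, 2.0, 80, "production"),
    Server("PServer", date(2002, 2, 1), 15, 0.5, 7, "unknown"),
    Server("File1", date(2002, 2, 1), 10, 0.5, 200, "unknown"),
    Server("PayrollApp", date(2005, 10, 1), 5, 0.5, 20, "low"),
    Server("Terminal", date(2006, 6, 1), 70, 1.5, 30, "unknown"),
    Server("SQLTest", date(2004, 11, 1), 30, 1.0, 80, "low"),
    Server("Billing", date(2008, 3, 1), 20, 1.0, 40, "critical"),
]

AS_OF = date(2009, 8, 4)   # date of Allison's e-mail in the lab


def age_years(server, as_of=AS_OF):
    return (as_of - server.purchased).days / 365.25


def is_pilot_candidate(server, as_of=AS_OF, max_cpu=30, max_mem_gb=2.0,
                       min_age_years=3.0):
    """Apply the four selection criteria. Anything the notes flag as a
    cluster member, production or mission-critical system is not
    low-impact and stays out of the first pilot."""
    if server.impact in ("cluster", "production", "critical"):
        return False
    if server.cpu_pct > max_cpu or server.mem_gb > max_mem_gb:
        return False          # busy servers consolidate badly
    return age_years(server, as_of) >= min_age_years   # old hardware first


def rank_candidates(servers=SERVERS, as_of=AS_OF):
    """Best candidates first: lowest CPU, then lowest memory, then oldest."""
    picked = [s for s in servers if is_pilot_candidate(s, as_of)]
    return sorted(picked, key=lambda s: (s.cpu_pct, s.mem_gb, s.purchased))


def size_host(candidates, parent_reserve_gb=2.0, headroom=1.5):
    """Aggregate demand for one host: guest CPU utilisation summed into
    whole cores with headroom for bursts, guest memory plus a reserve for
    the parent partition, and guest disk usage summed."""
    cores = ceil(sum(s.cpu_pct for s in candidates) / 100 * headroom)
    return {
        "guests": [s.name for s in candidates],
        "min_cores": max(cores, 2),           # never plan a single-core host
        "memory_gb": sum(s.mem_gb for s in candidates) + parent_reserve_gb,
        "disk_gb": sum(s.disk_gb for s in candidates),
    }


if __name__ == "__main__":
    picks = rank_candidates()
    for s in picks:
        print(f"{s.name:12} cpu={s.cpu_pct:3}% mem={s.mem_gb} GB "
              f"age={age_years(s):.1f} y")
    print(size_host(picks))
```

Run as written, the script keeps PayrollApp, File1, PServer and SQLTest and sizes the host at 4.5 GB of memory and 307 GB of disk; File1's 200 GB is the single largest input, which is the kind of detail that is easy to miss when choosing by CPU figures alone. Loosen or tighten the thresholds to see how the candidate list changes.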

Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your
learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will
use your responses to improve your future learning experience. Your open and
honest feedback is valuable and appreciated.
Module 1: Planning Windows Server 2008
Deployment

Lab: Planning a Windows Server
2008 Deployment
Exercise 1: Creating a Planning Flowchart for a Windows
Server 2008 Deployment
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Create the flowchart
1. On a piece of paper, generate a list of relevant criteria that must be considered
during the upgrade or migration process.
Is new hardware available?
Does downtime window allow for data to be migrated to a new server?
Is testing of the new server required before placing into production?
Is the hardware 64-bit?
Are there 64-bit drivers for the hardware?
Is the existing operating system 32-bit or 64-bit?
Is server core being implemented?
Are there applications running on the server?
Are the applications compatible with Windows Server 2008?
Are the applications compatible with a 64-bit environment?
Is cross-file Distributed File System (DFS) replication required?
Is failover clustering required?
Is hot add memory required?
How much RAM is required?
Will this be a virtualization host with more than four guests?
2. Use the list of criteria you have generated to create a flowchart for determining
whether to upgrade or migrate.

3. Use the list of criteria you have generated to create a flowchart for determining
which edition of Windows Server 2008 you should use.
4. Use the list of criteria you have generated to create a flowchart for determining
whether to use a 32-bit or 64-bit operating system.
Results: After this exercise, you should have created flowcharts to help to determine
how to upgrade or migrate an existing server to Windows Server 2008.
Exercise 2: Planning a Windows Server 2008 Deployment
Task 1: Create a deployment plan for the archive file server
Read the supporting documentation.
Answer the questions in the Deployment Plan for the archive server.
Deployment Plan: Archive File Server
Document Reference Number: GW0688/1
Document Author
Date
Gregory Weber
20th July
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take
advantage of the more efficient file-sharing protocols in Windows Server 2008.
The archive file server is used to store older data that is accessed only occasionally.
Extended outages are possible with notification.
It is used only as a file server. It has no other functions.
The hardware is relatively new, and no new hardware has been allocated for this
server.
Additional Information
This server is currently running a 32-bit version of Windows Server 2003 R2.
Proposals
1. Will this server be upgraded on existing hardware or migrated to new
hardware?
Answer: Because no new hardware has been allocated, this server must be
upgraded in place. Windows Server 2003 R2 can be upgraded directly to the same
architecture of Windows Server 2008, and a server that runs only the file server
role is a low-risk upgrade because the role and its shares are carried across by the
upgrade process. Back up the data and record the share and NTFS permissions before
upgrading, and verify them afterwards.
2. Which edition of Windows Server 2008 will be used?
Answer: Windows Server 2008 Standard can be used. There are no
requirements that necessitate the use of Windows Server 2008 Enterprise or
Datacenter.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: A 32-bit version of Windows Server 2008 will be used, because you
cannot upgrade between processor architectures. Note that Windows Server 2008 R2
is 64-bit only, so this server stays on a 32-bit platform until it is eventually migrated.

Task 2: Create a deployment plan for the main file server
Read the supporting documentation.
Answer the questions in the Deployment Plan for the main file server.
Deployment Plan: Main File Server
Document Reference Number: GW0689/1
Document Author
Date
Gregory Weber
20th July
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take
advantage of the more efficient file-sharing protocols in Windows Server 2008.
The main file server is mission critical and cannot be taken out of production during
business hours. Downtime must be limited to less than one day.
It is used only as a file server. It has no other functions.
This server should support cross-file Remote Differential Compression (RDC) for
DFS Replication. This may be implemented in the future to support remote offices,
and cross-file RDC reduces synchronization traffic on the WAN by reusing blocks
from similar files that already exist on the receiving server.
Data for this file server is stored on a Fibre Channel Storage Area Network (SAN).
New hardware has been allocated for this server if required.
Additional Information
Clients access this file server through mapped drive letters that are created by a
logon script.
Proposals
1. Will this server be upgraded on existing hardware or migrated to new
hardware?
Answer: New hardware has been allocated, so this server should be migrated.
2. Which edition of Windows Server 2008 will be used?
Answer: This server will use Windows Server 2008 Enterprise, because cross-file
RDC for DFS Replication is available only in the Enterprise and Datacenter editions.

3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: There is no indication of any reason not to use 64-bit, so a 64-bit
operating system should be used.
4. How will downtime be minimized?
Answer: Even though there is a large amount of data, migrating it is not a
concern. The data is stored on a SAN, so the LUNs can be re-zoned and presented to
the new server instead of being copied. Present each LUN to only one server at a
time: two stand-alone Windows servers writing to the same NTFS volume will
corrupt it. Clients can be directed to the new server by updating their logon script.

Task 3: Create a deployment plan for the antivirus server
Read the supporting documentation.
Answer the questions in the Deployment Plan for the antivirus server.
Deployment Plan: Antivirus Server
Document Reference Number: GW0690/1
Document Author
Date
Gregory Weber
25th July
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to standardize
the server operating systems.
The antivirus server can experience an outage of 24 hours without impacting
clients.
New hardware has been allocated for this server.
Additional Information
The antivirus application has not been tested by the vendor in 64-bit environments
and is not supported in 64-bit environments.
Proposals
1. Will this server be upgraded on existing hardware or migrated to new
hardware?
Answer: New hardware has been allocated for this server. So, it should be
migrated.
2. Which edition of Windows Server 2008 will be used?
Answer: Windows Server 2008 Standard can be used because there are no
requirements that necessitate the use of Windows Server 2008 Enterprise or
Datacenter.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: A 32-bit version of Windows Server 2008 should be used, because
the antivirus application is not supported on a 64-bit operating system. When
64-bit support is available, an upgrade to a 64-bit version of Windows Server
2008 can be considered.

Task 4: Create a deployment plan for the human resources application
server
Read the supporting documentation.
Answer the questions in the Deployment Plan for the human resources
application server.
Deployment Plan: Human Resources Application Server
Document Reference Number: GW0691/1
Document Author
Date
Gregory Weber
25th July
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take
advantage of the performance improvements in IIS 7.
The existing server is consistently short on memory, and a new server with 8GB of
memory has been allocated to address this.
The application data is also stored on this server and must be taken into account.
There can be no downtime during business hours.
The new server should support failover clustering, as it is being considered for the
future.
Additional Information
None

Proposals
1. Will this server be upgraded on existing hardware or migrated to new
hardware?
Answer: A new server has been allocated with additional memory. A
migration should be performed.
2. Which edition of Windows Server 2008 will be used?
Answer: The memory requirement is 8 GB. This is possible with a 64-bit
version of Windows Server 2008 Standard. However, Windows Server 2008
Enterprise is required to support failover clustering.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: A 64-bit version of Windows Server 2008 should be used, so that the full
8 GB of memory is available to the operating system and the application without
the 4 GB limit of 32-bit Standard or the PAE workarounds that 32-bit Enterprise
would need.
4. What process will you use to minimize downtime?
Answer: To minimize downtime, the new server should be implemented in
parallel with the existing server. After the new server has been thoroughly
tested, then you can perform a final data migration. Downtime is only
required for the final data migration.

Results: After this exercise, you should have created a deployment plan for the archive
file server, the main file servers, the antivirus server, and the human resources
application server.
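The flowcharts from Exercise 1 and the four plans above apply the same small set of rules. The following script is an added example, not part of the course: it encodes those rules as functions and runs them against the lab's four servers, reproducing the answers given. The memory figures for the archive, main file and antivirus servers and the current architecture of the main file server are not stated in the plans and are placeholders here. The edition rules rest on Windows Server 2008 facts: failover clustering, cross-file RDC for DFS Replication and hot-add memory require Enterprise or Datacenter; 32-bit Standard addresses 4 GB of RAM and 64-bit Standard 32 GB; a Standard licence covers one running virtual instance, Enterprise four and Datacenter an unlimited number.

```python
"""Upgrade-or-migrate, edition and architecture decisions for a Windows
Server 2008 deployment, as a small decision procedure applied to the four
lab servers. Added example, not from the course."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerProfile:
    name: str
    new_hardware: bool
    current_arch: str                 # OS installed today: "x86" or "x64"
    ram_gb: float
    apps_support_x64: bool = True     # vendor supports the app on 64-bit
    needs_failover_clustering: bool = False
    needs_cross_file_rdc: bool = False   # DFS Replication cross-file RDC
    needs_hot_add_memory: bool = False
    planned_guests: int = 0           # Hyper-V guests, if this will be a host


def deployment_method(p):
    # New hardware means a clean install alongside the old server; with no
    # new hardware the only option is an in-place upgrade.
    return "migrate" if p.new_hardware else "upgrade"


def architecture(p):
    if deployment_method(p) == "upgrade":
        return p.current_arch         # an in-place upgrade cannot change architecture
    if not p.apps_support_x64:
        return "x86"                  # unsupported application wins over preference
    return "x64"


def edition(p):
    arch = architecture(p)
    if p.planned_guests > 4:
        return "Datacenter"           # more than four guests: unlimited virtual instances
    if (p.needs_failover_clustering or p.needs_cross_file_rdc
            or p.needs_hot_add_memory or p.planned_guests > 1):
        return "Enterprise"
    if arch == "x86" and p.ram_gb > 4:
        return "Enterprise"           # 32-bit Standard stops at 4 GB
    if arch == "x64" and p.ram_gb > 32:
        return "Enterprise"           # 64-bit Standard stops at 32 GB
    return "Standard"


def plan(p):
    return {"method": deployment_method(p),
            "arch": architecture(p),
            "edition": edition(p)}


# The four servers from the deployment plans. ram_gb for the first three and
# current_arch for the main file server are placeholders (not given in the lab).
LAB_SERVERS = [
    ServerProfile("Archive file server", new_hardware=False,
                  current_arch="x86", ram_gb=2),
    ServerProfile("Main file server", new_hardware=True,
                  current_arch="x86", ram_gb=4, needs_cross_file_rdc=True),
    ServerProfile("Antivirus server", new_hardware=True,
                  current_arch="x86", ram_gb=2, apps_support_x64=False),
    ServerProfile("HR application server", new_hardware=True,
                  current_arch="x86", ram_gb=8, needs_failover_clustering=True),
]

if __name__ == "__main__":
    for p in LAB_SERVERS:
        print(f"{p.name:24} {plan(p)}")
```

The rules also cover cases the lab does not: a 32-bit server that cannot be migrated but needs 8 GB of RAM comes out as an in-place upgrade to 32-bit Enterprise, and a planned Hyper-V host with six guests comes out as Datacenter on licensing grounds alone.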

Module 2: Planning Network Infrastructure
for Windows Server 2008

Lab: Planning Network
Infrastructure for Windows Server
2008
Exercise 1: Determining an Appropriate Network
Addressing Scheme
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the proposal document with your planned course of
action
Answer the questions in the Update the Branch Office Network Infrastructure
Plan: IPv4 Addressing document.
Branch Office Network Infrastructure Plan: IPv4 Addressing
Document Reference Number: GW0709/1
Document Author
Date
Gregory Weber
25th July
Requirement Overview
Design an IPv4 addressing scheme for the Adatum western regional branch sales
offices, shown in the exhibit.
The block address 10.10.32.0/21 has been reserved for this region.
You must devise a scheme that supports the required number of subnets, the
required number of hosts, and provide for 25% growth of hosts in each branch.
For each branch, provide the subnet addresses you plan to use, together with the
start and end IP addresses for each subnet.

Additional Information
You do not need to concern yourself with the IP addressing for the corporate side
of the router at each branch.
Proposals
1. How many subnets do you envisage requiring for this region?
Answer: There are 300 computers in the region across three branches. The specification
states that around 50 computers should be deployed in each subnet, so six subnets are
required to host the current computers. We also need to plan for growth of around 25%,
so an additional subnet per location should be reserved for that growth. This is a
total of nine subnets, three per branch.
2. How many hosts will you deploy in each subnet?
Answer: The specification states we must deploy a maximum of 50 host
computers per subnet.
3. What subnet mask will you use for each branch?
Answer: The current network address for the region is 10.10.32.0/21. This
leaves 11 bits to allocate to subnets and hosts. To express 9 subnets, we would
require 4 bits, as 3 bits only provides for 8 subnets. 4 bits actually provides for
16 subnets, which is plenty. This is a decimal mask of 255.255.255.128.
4. What are the subnet addresses for each branch?
Answer:
Branch 1:
10.10.32.0/25
10.10.32.128/25
10.10.33.0/25
Branch 2:
10.10.33.128/25
10.10.34.0/25
10.10.34.128/25
Branch 3:
10.10.35.0/25
10.10.35.128/25
10.10.36.0/25

5. What range of host addresses is in each branch?
Answer:
Branch 1:
10.10.32.1 > 10.10.32.126
10.10.32.129 > 10.10.32.254
10.10.33.1 > 10.10.33.126
Branch 2:
10.10.33.129 > 10.10.33.254
10.10.34.1 > 10.10.34.126
10.10.34.129 > 10.10.34.254
Branch 3:
10.10.35.1 > 10.10.35.126
10.10.35.129 > 10.10.35.254
10.10.36.1 > 10.10.36.126

Results: After this exercise, you should have a completed IP addressing plan for the
western region branch offices.
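The following script is an added example (not part of the 6430B course material) that reproduces the addressing plan above: it borrows 4 subnet bits from 10.10.32.0/21 to reach /25, checks that each subnet holds 50 hosts plus 25% growth, and lists the subnet, first host and last host for each of the three branches. The branch count and the three-subnets-per-branch rule are taken from the answers above.

```python
"""Derive the western-region IPv4 subnet plan from the lab's stated inputs.

Added example, not part of the 6430B course material. It follows the answer
key's reasoning: 9 subnets are needed from 10.10.32.0/21, so 4 subnet bits
are borrowed, giving /25 (255.255.255.128), and each branch receives three
consecutive subnets.
"""
import ipaddress
import math

REGION_BLOCK = "10.10.32.0/21"   # block reserved for the region (requirement overview)
HOSTS_PER_SUBNET = 50            # maximum hosts per subnet (answer 2)
GROWTH = 0.25                    # growth allowance (requirement overview)
BRANCHES = 3                     # sales offices in the exhibit (answer 4)
SUBNETS_PER_BRANCH = 3           # two for current hosts plus one for growth (answer 1)


def subnet_prefix(block: str, subnet_count: int) -> int:
    """Smallest prefix length that carves at least subnet_count subnets out of block."""
    net = ipaddress.ip_network(block, strict=True)
    subnet_bits = math.ceil(math.log2(subnet_count))      # 9 subnets -> 4 bits
    prefix = net.prefixlen + subnet_bits
    if prefix > 30:
        raise ValueError("too few bits left for usable host addresses")
    return prefix


def usable_hosts(prefix: int) -> int:
    """Usable host addresses per subnet (network and broadcast excluded)."""
    return 2 ** (32 - prefix) - 2


def subnet_mask(prefix: int) -> str:
    """Dotted-decimal mask for a prefix length, e.g. 25 -> 255.255.255.128."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def plan_subnets(block: str = REGION_BLOCK, branches: int = BRANCHES,
                 per_branch: int = SUBNETS_PER_BRANCH) -> dict:
    """Return {branch: [(subnet, first_host, last_host), ...]} in answer-key order.

    Raises ValueError if the chosen prefix cannot hold the required hosts
    (50 plus 25% growth) in every subnet.
    """
    prefix = subnet_prefix(block, branches * per_branch)
    required = math.ceil(HOSTS_PER_SUBNET * (1 + GROWTH))   # 63 hosts
    if usable_hosts(prefix) < required:
        raise ValueError(f"/{prefix} offers {usable_hosts(prefix)} hosts, need {required}")
    subnets = list(ipaddress.ip_network(block, strict=True).subnets(new_prefix=prefix))
    plan = {}
    for b in range(branches):
        chunk = subnets[b * per_branch:(b + 1) * per_branch]
        plan[b + 1] = [(str(s), str(s.network_address + 1), str(s.broadcast_address - 1))
                       for s in chunk]
    return plan


if __name__ == "__main__":
    print("mask:", subnet_mask(subnet_prefix(REGION_BLOCK, BRANCHES * SUBNETS_PER_BRANCH)))
    for branch, rows in plan_subnets().items():
        for subnet, first, last in rows:
            print(f"Branch {branch}: {subnet:18} {first} > {last}")
```

The printed ranges match answers 4 and 5 above; only 9 of the 16 available /25 subnets are used, so 7 remain in reserve.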

Exercise 2: Planning the Placement of Network Servers
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the proposal document with your planned course of
action
Answer the questions in the Branch Office Network Infrastructure Plan:
Network Services document.
Branch Office Network Infrastructure Plan: Network Services
Document Reference Number: GW0709/2
Document Author: Gregory Weber
Date: 25th July
Requirement Overview
Specify which network services are required in each sales office, and any changes
that might be required in the head office to facilitate your proposals.
Additional Information
It is important that any router, server, or communications link failure does not
adversely affect users.
Proposals
1. How many DHCP servers do you propose to deploy in the region?
Answer: Assuming that the routers are all RFC-compliant, there is no need to
deploy DHCP servers in each subnet. Perhaps one DHCP server in each
location would be sufficient. For fault tolerance, duplicate scopes configured
on the head office DHCP server, with exclusions that implement the 80/20 rule,
would provide addressing fault tolerance.
2. Where do you propose to deploy these servers?
Answer: One DHCP server in each regional office.
3. What name resolution services are required?
Answer: Both DNS and NetBIOS name resolution are required.

4. To support the DNS name space in the sales division, how would you propose
to configure DNS?
Answer: There are two choices:
a. Configure a subdomain for sales in the existing Adatum.com DNS name
space. Then create sufficient DNS servers for deployment to the region as
secondary servers of the Adatum.com zone.
b. Create a delegation for the sales.adatum.com zone in the Adatum.com
zone. Provide at least two name servers to support this delegated zone.
5. Will you require WINS?
Answer: Possibly.
6. If so, how many WINS servers will you require for the region?
Answer: Probably two, configured as replicas.
7. If not, how do you propose to support single-label names?
Answer: Instead of WINS, the GNZ (GlobalNames zone) could be used.

Results: After this exercise, you should have a completed plan for the deployment of
network services in the western regional branch offices.

Exercise 3: Implementing the Planned Network Services
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Deploy the DHCP Server role on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the console, click Roles.
4. In the results pane, under Roles Summary, click Add Roles.
5. In the Add Roles Wizard, click Next.
6. On the Select Server Roles page, in the Roles list, select the DHCP Server
check box, and then click Next.
7. On the DHCP Server page, click Next.
8. On the Select Network Connection Bindings page, click Next.
9. On the Specify IPv4 DNS Server Settings page, in the Preferred DNS Server
IPv4 Address box, type 10.10.0.10, and then click Next.
10. On the Specify IPv4 WINS Server Settings page, click Next.
11. On the Add or Edit DHCP Scopes page, click Next.
12. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6
stateless mode for this server, and then click Next.
13. On the Authorize DHCP Server page, click Next.
14. On the Confirm Installation Selections page, click Install.
15. On the Installation Results page, click Close.

Task 3: Configure the primary DHCP scope for subnet 1
1. Click Start, click Administrative Tools, and then click DHCP.
2. In the DHCP Console, expand sea-svr1.adatum.com, expand IPv4, and then
click IPv4.
3. Right-click IPv4, and then click New Scope.
4. In the New Scope Wizard, click Next.
5. On the Scope Name page, in the Name box, type Branch 1 subnet 1 scope 1,
and then click Next.
6. On the IP Address Range page, in the Start IP address box, type 10.10.32.1.
7. In the End IP address box, type 10.10.32.125.
8. In the Length box, type 25, and then click Next.
9. On the Add Exclusions page, in the Start IP address box, type 10.10.32.100.
10. In the End IP address box, type 10.10.32.125, click Add, and then click Next.
11. On the Lease Duration page, click Next.
12. On the Configure DHCP Options page, click Next.
13. On the Router (Default Gateway) page, in the IP address box, type
10.10.32.126, click Add, and then click Next.
14. On the Domain Name and DNS Servers page, click Next.
15. On the WINS Servers page, click Next.
16. On the Activate Scope page, click Next, and then click Finish.

Task 4: Configure the secondary DHCP scope for subnet 2
1. Right-click IPv4, and then click New Scope.
2. In the New Scope Wizard, click Next.
3. On the Scope Name page, in the Name box, type Branch 1 subnet 2 scope 2,
and then click Next.
4. On the IP Address Range page, in the Start IP address box, type
10.10.32.129.
5. In the End IP address box, type 10.10.32.253.
6. In the Length box, type 25, and then click Next.
7. On the Add Exclusions page, in the Start IP address box, type 10.10.32.129.
8. In the End IP address box, type 10.10.32.229, click Add, and then click Next.
9. On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Next.
11. On the Router (Default Gateway) page, in the IP address box, type
10.10.32.254, click Add, and then click Next.
12. On the Domain Name and DNS Servers page, click Next.
13. On the WINS Servers page, click Next.
14. On the Activate Scope page, click Next, and then click Finish.
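The following script is an added example (not part of the 6430B lab or any Microsoft tool) that checks the 80/20 split-scope design from Exercise 2 against the values typed into the New Scope Wizard in Tasks 3 and 4. The head-office partner scope is derived here as the exact complement of what SEA-SVR1 offers; the page only says "appropriate exclusions", so that derivation is an assumption of this example, and the scope names are the ones from the tasks.

```python
"""Validate the 80/20 split-scope plan for Branch 1 from the lab's DHCP tasks.

Added example, not part of the 6430B lab. A scope is a range plus exclusions;
the branch-server values are those from Tasks 3 and 4, and the head-office
partner scope is built as the exact complement (an assumption of this example).
"""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address


def _span(start: str, end: str) -> set:
    """All addresses from start to end inclusive, as integers."""
    a, b = int(IPv4(start)), int(IPv4(end))
    if a > b:
        raise ValueError(f"range {start}-{end} is reversed")
    return set(range(a, b + 1))


@dataclass
class Scope:
    name: str
    start: str
    end: str
    exclusions: list = field(default_factory=list)  # (start, end) string pairs

    def offered(self) -> set:
        """Addresses this server will actually lease: range minus exclusions."""
        pool = _span(self.start, self.end)
        for s, e in self.exclusions:
            pool -= _span(s, e)
        return pool


def complement_scope(local: Scope, name: str) -> Scope:
    """Partner scope with the same range that excludes exactly what local offers."""
    runs = []
    for addr in sorted(local.offered()):
        if runs and addr == runs[-1][1] + 1:
            runs[-1][1] = addr          # extend the current contiguous run
        else:
            runs.append([addr, addr])   # start a new run
    excl = [(str(IPv4(s)), str(IPv4(e))) for s, e in runs]
    return Scope(name, local.start, local.end, excl)


def check_split(subnet: str, router: str, local: Scope, partner: Scope,
                local_share: float, tolerance: float = 0.05) -> dict:
    """Verify both scopes together cover every usable host exactly once.

    The router address must appear in neither pool, no address may be offered
    by both servers, and local's share must be within tolerance of local_share.
    Raises ValueError on any violation; otherwise returns the counts.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    usable = set(range(int(net.network_address) + 1, int(net.broadcast_address)))
    usable.discard(int(IPv4(router)))
    a, b = local.offered(), partner.offered()
    if a & b:
        raise ValueError(f"{len(a & b)} addresses offered by both servers")
    if (a | b) - usable:
        raise ValueError("a pool contains the router, network or broadcast address")
    missing = usable - (a | b)
    if missing:
        raise ValueError(f"{len(missing)} usable addresses are offered by nobody")
    share = len(a) / len(usable)
    if abs(share - local_share) > tolerance:
        raise ValueError(f"local offers {share:.1%}, expected about {local_share:.0%}")
    return {"local": len(a), "partner": len(b), "local_share": round(share, 3)}


# Values from Task 3 (subnet 1) and Task 4 (subnet 2) as typed on SEA-SVR1.
SUBNET1_LOCAL = Scope("Branch 1 subnet 1 scope 1", "10.10.32.1", "10.10.32.125",
                      [("10.10.32.100", "10.10.32.125")])
SUBNET2_LOCAL = Scope("Branch 1 subnet 2 scope 2", "10.10.32.129", "10.10.32.253",
                      [("10.10.32.129", "10.10.32.229")])


def branch1_report() -> dict:
    """Run the check for both Branch 1 subnets against derived head-office scopes."""
    return {
        "subnet1": check_split("10.10.32.0/25", "10.10.32.126", SUBNET1_LOCAL,
                               complement_scope(SUBNET1_LOCAL, "HQ copy of subnet 1"), 0.8),
        "subnet2": check_split("10.10.32.128/25", "10.10.32.254", SUBNET2_LOCAL,
                               complement_scope(SUBNET2_LOCAL, "HQ copy of subnet 2"), 0.2),
    }


if __name__ == "__main__":
    for name, result in branch1_report().items():
        print(name, result)
```

Note that SEA-SVR1 holds the 80% side of subnet 1 but only the 20% side of subnet 2, so the head-office exclusions must mirror each scope individually.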

Task 5: Create a subdomain in DNS
1. Switch to the SEA-DC1 computer.
2. Click Start, click Administrative Tools, and then click DNS.
3. In DNS Manager, expand SEA-DC1, expand Forward Lookup Zones, and
then expand Adatum.com.
4. Right-click Adatum.com, and then click New Domain.
5. In the New DNS Domain dialog box, in the text box, type sales, and then
click OK.

Task 6: Configure zone transfers for the Adatum.com zone
1. Right-click Adatum.com, and then click Properties.
2. Click the Zone Transfers tab.
3. Select the Allow zone transfers check box, and then click OK.

Task 7: Deploy the DNS role on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Switch to Server Manager.
3. In Server Manager, click Add Roles, and then click Next.
4. On the Select Server Roles page, in the Roles list, select the DNS Server check
box, and then click Next.
5. On the DNS Server page, click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.

Task 8: Configure a secondary zone on SEA-SVR1
1. Click Start, click Administrative Tools, and then click DNS.
2. In DNS Manager, expand SEA-SVR1, and then expand Forward Lookup
Zones.
3. Right-click Forward Lookup Zones, and then click New Zone.
4. Click Next, and on the Zone Type page, click Secondary zone, and then click
Next.
5. On the Zone Name page, in the Zone name box, type Adatum.com, and then
click Next.
6. On the Master DNS Servers page, in the IP Address list, type 10.10.0.10, and
then press ENTER.
7. Click Next, and then click Finish.
8. In DNS Manager, expand the Adatum.com zone.

Task 9: Enable the WINS feature, and configure DNS/WINS integration
1. Switch to Server Manager.
2. In the console, click Features.
3. In the results pane, click Add Features.
4. In the Features list, select the WINS Server check box, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Results page, click Close.
7. Switch to the SEA-DC1 computer.
8. In DNS Manager, right-click Adatum.com, and then click Properties.
9. Click the WINS tab, and then select the Use WINS forward lookup check
box.
10. In the IP address box, type 10.10.0.100, click Add, and then click OK.
11. Switch to the SEA-SVR1 computer.
12. In DNS Manager, right-click Adatum.com, and then click Transfer from
Master.

Note: You might need to wait a few moments before you see the WINS record. Click
Refresh if needed.

Task 10: Configure DHCP options to support the deployed services
1. Switch to the DHCP console.
2. Right-click Server Options, and then click Configure Options.
3. In the Available Options list, select the 006 DNS Servers check box.
4. In the IP address box, type 10.10.0.100, and then click Add.
5. In the Available Options list, select the 015 DNS Domain Name check box.
6. In the String value box, type sales.adatum.com, and then click Apply.
7. In the Available Options list, select the 044 WINS/NBNS Servers check box.
8. In the IP address box, type 10.10.0.100, click Add, and then click OK.

Results: After this exercise, you should have successfully deployed branch office
network services.
To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Lab: Planning for Active Directory L3-25

Module 3: Planning for Active Directory

Lab: Planning for Active Directory
Exercise 1: Selecting a Forest Topology
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Contoso Domain Migration document with your
planned forest topology
Answer the questions in the Contoso Domain Migration document.
Contoso Domain Migration
Document Reference Number: GW0809/1
Document Author: Gregory Weber
Date: 5th August
Requirement Overview
To devise an appropriate forest and domain topology for the merged companies.
Additional Information
The new company will continue to operate with dual names; that is, the Adatum and Contoso
brands are equally important.
It is anticipated that the existing Windows NT 4.0 domain controllers and servers will be replaced as
part of the migration process.
Proposals
1. Do you intend to upgrade the domain controllers in the Contoso network to Windows Server
2008?
Answer: Answers will vary. It seems sensible to base the plan on the assumption that the
domain controllers will be upgraded. This means that an AD DS solution can be implemented.
If you do not intend to upgrade the domain controllers, it will be necessary to establish
multiple external trust relationships between the AD DS domains in Adatum and the Windows
NT 4.0 domain in Contoso.

2. How many forests do you anticipate?
Answer: Answers will vary; either one or two forests. You could implement a single forest that
supports two trees: Adatum.com and Contoso.com. Alternatively, you could implement two
forests, one for each organization. The choice largely depends on how administration is to be
effected in the merged organization; if the two parts of the organization are to be separately
administered, then opt for two forests; otherwise, select one forest.
3. How many domains do you plan to implement?
Answer: Answers will vary. Currently, Adatum has a single domain. There is no compelling
reason the existing Windows NT 4.0 resource domains in Contoso could not be merged into a
single AD DS domain, with organizational units used to manage resources.
4. How many trees do you envisage?
Answer: Answers will vary. Either a single tree per forest if you select two forests, or else two
trees in a single Adatum.com forest: Adatum.com and Contoso.com.
5. What trust relationships, aside from those created automatically, will you require?
Answer: Answers will vary. Assuming that you opt for a single forest, no additional trusts are
required. If you opted for two forests, then a pair of forest root trusts would be required. If you
opted to remain in Windows NT 4.0 mode, then many trusts would be required; without
additional information, it is difficult to assess precisely how many. Remember that in Windows
NT, trusts are one-way and non-transitive.
6. Provide a sketch of the completed forest.
Answer: A possible solution consisting of a single forest of two trees:


Results: After this exercise, you should have a completed Contoso Domain Migration
document.
Exercise 2: Planning Active Directory for a Branch Network
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Branch Office Planning document with your
proposals
Answer the questions in the Branch Office Planning document.
Branch Office Planning
Document Reference Number: GW0809/2
Document Author: Gregory Weber
Date: 1st September
Requirement Overview
To determine the placement and configuration of domain controllers and related
services at the western region sales offices.
Additional Information
It is important that in the event of a link failure between the head office and branch
offices, users are still able to log on to the network and access services.
Proposals
1. Do you intend to deploy a domain controller(s) in the branch offices? How
many?
Answer: Yes, one domain controller per branch.
2. Will you deploy an RODC(s)?
Answer: The need for security is important; an RODC provides for a more
secure way of deploying a domain controller.
3. How will you optimize the directory replication for the branches?
Answer: Each branch will be represented in Active Directory by a site object.
4. How will domain controllers know in which branch they are located?
Answer: Subnet objects should also be created and associated with a site. The
domain controllers, and other computers, use their IP configuration to
determine their site location in Active Directory.

5. Do you anticipate the need for global catalog services?
Answer: Yes. Many services require access to the global catalog.
6. How will you configure global catalog and DNS?
Answer: An RODC can support the global catalog and DNS role.
7. What additional Active Directory-related services are required to support the
branch office line-of-business applications?
Answer: A line-of-business application requires access to a directory service.
AD LDS might be suitable.

Results: After this exercise, you should have a completed Branch Office Planning
document.

Exercise 3: Deploying a Branch Domain Controller
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Raise the domain functional level
1. Switch to the SEA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. In the console, right-click Adatum.com, and then click Raise domain
functional level.
4. In the Raise domain functional level dialog box, in the Select an available
domain functional level list, click Windows Server 2008, and then click
Raise.
5. In the Raise domain functional level dialog box, click OK.
6. In the subsequent Raise domain functional level dialog box, click OK.
7. Close Active Directory Users and Computers.

Task 3: Raise the forest functional level
1. Click Start, point to Administrative Tools, and then click Active Directory
Domains and Trusts.
2. In the console, right-click Active Directory Domains and Trusts [SEA-
DC1.Adatum.com], and then click Raise Forest Functional Level.
3. In the Raise forest functional level dialog box, in the Select an available
forest functional level list, click Windows Server 2008, and then click Raise.
4. In the Raise forest functional level dialog box, click OK.
5. In the subsequent Raise forest functional level dialog box, click OK.
6. Close Active Directory Domains and Trusts.

Task 4: Create the Redmond site
1. On the SEA-DC1 virtual machine, click Start, point to Administrative Tools,
and then click Active Directory Sites and Services.
2. In the console, expand Sites, right-click Sites, and then click New Site.
3. In the New Object - Site dialog box, in the Name box, type Redmond.
4. In the Link Name list, click DEFAULTIPSITELINK, and then click OK.
5. In the Active Directory Domain Services dialog box, click OK.

Task 5: Configure the replication interval
1. In the console, expand Inter-Site Transports, expand IP, and then click IP.
2. In the results pane, in the list, right-click DEFAULTIPSITELINK, and then
click Properties.
3. In the DEFAULTIPSITELINK Properties dialog box, in the Replicate every
box, type 15, and then click OK.

Task 6: Create the 10.10.0.0/16 subnet
1. In the console, right-click Subnets, and then click New Subnet.
2. In the New Object - Subnet dialog box, in the Prefix box, type 10.10.0.0/16.
3. In the Site Name list, click Redmond, and then click OK.
4. Close Active Directory Sites and Services.

Task 7: Prepare the forest for the RODC
1. On SEA-DC1, click Start, and then click Command Prompt.
2. At the command prompt, type D:, and then press ENTER.
3. At the command prompt, type cd\labfiles\Mod03\adprep, and then press
ENTER.
4. At the command prompt, type adprep /rodcprep, and then press ENTER.
5. Close the command prompt.

Task 8: Promote a new domain controller for the branch office
1. Switch to the SEA-SVR1 computer.
2. Click Start, and in the Start Search box, type dcpromo, and then press
ENTER.
3. In the Active Directory Domain Services Installation Wizard, select the Use
advanced mode installation check box, and then click Next.
4. On the Operating System Compatibility page, click Next.
5. On the Choose a Deployment Configuration page, click Existing forest, and
then click Next.
6. On the Network Credentials page, click Next.
7. On the Select a Domain page, click Next.
8. On the Select a Site page, click Next.
9. On the Additional Domain Controller Options page, select the Read-only
domain controller (RODC) check box, and then click Next.

Note: Leave the other check boxes selected.
10. In the Static IP assignment dialog box, click Yes, the computer will use a
dynamically assigned IP address (not recommended).
11. On the Specify the Password Replication Policy page, click Next.
12. On the Delegation of RODC Installation and Administration page, click
Next.
13. On the Install from Media page, click Next.
14. On the Source Domain Controller page, click Next.
15. On the Location for Database, Log Files, and SYSVOL page, click Next.
16. On the Directory Services Restore Mode Administrator Password page, in
the Password box, type Pa$$w0rd.
17. In the Confirm password box, type Pa$$w0rd, and then click Next.
18. On the Summary page, click Next.
19. In the Active Directory Domain Services Installation Wizard, select the Reboot
on completion check box.

Task 9: Configure the password replication policy
1. When SEA-SVR1 has restarted, log on to the SEA-SVR1 virtual machine as
ADATUM\administrator with a password of Pa$$w0rd.
2. Switch to the SEA-DC1 virtual machine.
3. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
4. In the console, expand Domain Controllers.
5. In the results pane, right-click SEA-SVR1, and then click Properties.
6. In the SEA-SVR1 Properties dialog box, click the Password Replication
Policy tab.
7. Click Add, and in the Add Groups, Users and Computers dialog box, click
Allow passwords for the account to replicate to this RODC, and then click
OK.
8. In the Select Users, Computers, or Groups dialog box, in the Enter the
object names to select box, type SalesGG, click Check Names, and then click
OK.
9. In the SEA-SVR1 Properties dialog box, click Apply, and then click Advanced.
10. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click
the Resultant Policy tab.
11. Click Add, and in the Select Users, Computers, or Groups dialog box, in the
Enter the object names to select box, type Joe, click Check Names, and then
click OK.

Task 10: Pre-populate the password cache
1. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click
the Policy Usage tab, and then click Prepopulate Passwords.
2. In the Select Users or Computers dialog box, in the Enter the object names
to select box, type joe; Jim; Parul; Heiko; Claus, click Check Names, and
then click OK.
3. In the Prepopulate Passwords dialog box, click Yes.
4. In the Prepopulate Password Success dialog box, click OK.
5. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click
Close.
6. In the SEA-SVR1 Properties dialog box, click OK.
7. Close Active Directory Users and Computers.

Results: After this exercise, you should have successfully deployed an RODC for the
Redmond sales office.
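Tasks 9 and 10 carried out from the command line, as an added example that is not part of the lab: it uses repadmin.exe (installed with AD DS on Windows Server 2008) from SEA-DC1, keeps the lab's host and account names, and assumes the accounts live in the CN=Users container of DC=Adatum,DC=com.

```powershell
# Added example, not part of the lab: Tasks 9 and 10 done with repadmin.exe,
# run from SEA-DC1. Host and account names are the lab's; the distinguished-name
# paths (CN=Users container, DC=Adatum,DC=com) are assumed.
$rodc  = "SEA-SVR1"
$hubDC = "SEA-DC1"
$base  = "CN=Users,DC=Adatum,DC=com"

# Task 9: allow SalesGG members' credentials to be cached on the RODC. Deny
# entries win over Allow entries, so review both lists afterwards.
repadmin /prp add  $rodc allow "CN=SalesGG,$base"
repadmin /prp view $rodc allow
repadmin /prp view $rodc deny

# Resultant policy for one account (the Resultant Policy tab in the GUI).
repadmin /prp view $rodc "CN=Joe,$base"

# Task 10: prepopulate the cache for the branch users so they can log on when
# the WAN link to the hub DC is down. Secrets are pulled from $hubDC; an account
# that the resultant policy does not allow is reported as an error, not cached.
$branchUsers = "Joe","Jim","Parul","Heiko","Claus" | ForEach-Object { "CN=$_,$base" }
repadmin /rodcpwdrepl $rodc $hubDC $branchUsers

# Exposure review: accounts whose secrets the RODC currently holds (reveal) and
# accounts that have authenticated through it (auth2). If the branch server is
# lost or stolen, these are the accounts whose passwords should be reset.
repadmin /prp view $rodc reveal
repadmin /prp view $rodc auth2
```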

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.


Module 4: Planning Group Policy
Lab: Planning for Group Policy
Exercise 1: Creating a Group Policy Plan
Task 1: Read the supporting documentation
1. Read the supporting documentation.
2. On SEA-DC1, click Start, point to Administrative Tools, and click Active
Directory Users and Computers.
3. Review the Active Directory structure as necessary.
4. Close Active Directory Users and Computers.
5. Click Start, point to Administrative Tools, and click Group Policy
Management.
6. Review the existing Group Policy configuration as necessary.
7. Close Group Policy Management.


Task 2: Create an OU structure
Draw a diagram of an OU structure that will allow you to meet the
requirements given to you by Allison.


Task 3: Create a list of required GPOs
Create a list of GPOs required to implement the requirements given to you by
Allison.
GPO Name                   | Settings                                        | Linked to                    | Filters
---------------------------|-------------------------------------------------|------------------------------|--------------------------------------------------------------
Enforced Security          | Block read and write access to removable drives | Domain - Enforced            | Security filter: Lab computers group denied apply permission
Head office preferences    | Drive letter mappings for head office           | Head Office                  | None
Branch 1 preferences       | Drive letter mappings for branch 1              | Branch 1                     | None
Branch 2 preferences       | Drive letter mappings for branch 2              | Branch 2                     | None
Branch 3 preferences       | Drive letter mappings for branch 3              | Branch 3                     | None
Branch Sales Applications  | Applications for branch sales staff             | Branch 1, Branch 2, Branch 3 | Security filter: Branch Sales Group
Branch Office Applications | Applications for branch office staff            | Branch 1, Branch 2, Branch 3 | Security filter: Branch Office Group
Terminal server            | Lockdown desktop; Loopback: Replace mode        | Terminal Servers             | None

Results: After this exercise, you should have a completed Group Policy plan for
A. Datum.

Exercise 2: Implementing Group Policy
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Create the OU structure
1. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
2. In Active Directory Users and Computers, if necessary, expand Adatum.com,
and then click Adatum.com.
3. Right-click Adatum.com, point to New, and then click Organizational Unit.
4. In the New Object - Organizational Unit window, in the Name box, type Head
Office, and then click OK.
5. Right-click Adatum.com, point to New, and then click Organizational Unit.
6. In the New Object - Organizational Unit window, in the Name box, type
Branches, and then click OK.
7. Right-click Branches, point to New, and then click Organizational Unit.
8. In the New Object - Organizational Unit window, in the Name box, type
Branch1, and then click OK.
9. Right-click Branches, point to New, and then click Organizational Unit.
10. In the New Object - Organizational Unit window, in the Name box, type
Branch2, and then click OK.
11. Right-click Branches, point to New, and then click Organizational Unit.
12. In the New Object - Organizational Unit window, in the Name box, type
Branch3, and then click OK.

13. Right-click Adatum.com, point to New, and then click Organizational Unit.
14. In the New Object - Organizational Unit window, in the Name box, type
Terminal Servers, and then click OK.
15. Close Active Directory Users and Computers.

Task 3: Create the GPO for enforced security
1. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
2. In Active Directory Users and Computers, right-click Head Office, point to
New, and then click Group.
3. In the New Object Group window, in the Group name box, type Lab
Computers, and then click OK.
4. Right-click Head Office, point to New, and then click Computer.
5. In the New Object Computer window, in the Computer name box, type
Lab1, and then click OK.
6. Click Head Office, right-click Lab1, and then click Add to a group.
7. In the Select Groups window, in the Enter the object names to select box,
type Lab Computers, and then click OK.
8. Click OK to close the message stating that the operation was successful.
9. Close Active Directory Users and Computers.
10. Click Start, point to Administrative Tools, and then click Group Policy
Management.
11. In Group Policy Management, expand Forest: Adatum.com, expand
Domains, and then expand Adatum.com.
12. Right-click Adatum.com, and then click Create a GPO in this domain, and
Link it here.
13. In the New GPO window, in the Name box, type Enforced Security, and then
click OK.
14. Right-click Enforced Security, and then click Edit.

15. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
System, and then click Removable Storage Access.
16. In the right pane, double-click Removable Disks: Deny read access.
17. In the Removable Disks: Deny Read Access Properties window, click Enabled,
and then click OK.
18. In the right pane, double-click Removable Disks: Deny write access.
19. In the Removable Disks: Deny write access Properties window, click Enabled,
and then click OK.
20. Close the Group Policy Management Editor.
21. In the Group Policy Management window, right-click Enforced Security, and
then click Enforced.
22. In the left pane, click Enforced Security.
23. In the Group Policy Management Console window, select the Do not show
this message again check box, and then click OK.
24. Click the Delegation tab, and then click Advanced.
25. In the Enforced Security Security Settings window, click Add, type Lab
Computers, and then click OK.
26. In the Permissions for Lab Computers area, select the Deny Read check box,
and then click OK.
27. In the Windows Security window, click Yes to continue.

Task 4: Create the GPO for Branch1 preferences
1. In the Group Policy Management window, in the left pane, click Group Policy
Objects.
2. Right-click Group Policy Objects, and then click New.
3. In the New GPO window, in the Name box, type Branch1 Preferences, and
then click OK.
4. Right-click Branch1 Preferences, and then click Edit.
5. In the Group Policy Management Editor window, under User Configuration,
expand Preferences, expand Windows Settings, and then click Drive Maps.

6. Right-click Drive Maps, point to New, and then click Mapped Drive.
7. In the Location box, type \\Branch1Srv\Shared.
8. In the Drive letter area, select drive letter S, and then click OK.
9. Close the Group Policy Management Editor window.
10. In the Group Policy Management window, in the left pane, expand Branches,
and then click Branch1.
11. Right-click Branch1, and then click Link an Existing GPO.
12. In the Select GPO window, click Branch1 Preferences, and then click OK.

Task 5: Create the GPOs for applications
1. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
2. In Active Directory Users and Computers, right-click Branches, point to
New, and then click Group.
3. In the New Object Group window, in the Group name box, type Sales Staff,
and then click OK.
4. Right-click Branches, point to New, and then click Group.
5. In the New Object Group window, in the Group name box, type Office
Staff, and then click OK.
6. Close Active Directory Users and Computers.
7. In the Group Policy Management window, in the left pane, click Group Policy
Objects.
8. Right-click Group Policy Objects, and then click New.
9. In the New GPO window, in the Name box, type Sales Applications, and then
click OK.
10. Right-click Group Policy Objects, and then click New.
11. In the New GPO window, in the Name box, type Office Applications, and
then click OK.
12. In the left pane, expand Group Policy Objects, and then click Sales
Applications.

13. In the Security Filtering area, click Authenticated Users, and then click
Remove.
14. Click OK to confirm.
15. Click Add, type Sales Staff, and then click OK.
16. In the left pane, click Office Applications.
17. In the Security Filtering area, click Authenticated Users, and then click
Remove.
18. Click OK to confirm.
19. Click Add, type Office Staff, and then click OK.
20. Right-click Branch1, and then click Link an Existing GPO.
21. In the Select GPO window, click Sales Applications, and then click OK.
22. Right-click Branch1, and then click Link an Existing GPO.
23. In the Select GPO window, click Office Applications, and then click OK.

Task 6: Create the GPO for Terminal Servers
1. In the Group Policy Management window, right-click Terminal Servers, and
then click Create a GPO in this domain, and Link it here.
2. In the New GPO window, in the Name box, type TS Lockdown, and then
click OK.
3. Right-click TS Lockdown, and then click Edit.
4. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
System, and then click Group Policy.
5. Double-click User Group Policy loopback processing mode.
6. In the User Group Policy Loopback Processing Mode Properties window, click
Enabled. In the Mode box, ensure that Replace is selected, and then click OK.
7. Under User Configuration, expand Policies, expand Administrative
Templates, and then click Start Menu and Taskbar.

8. Double-click Remove and prevent access to the Shut Down, Restart, Sleep,
and Hibernate commands.
9. On the Setting tab, click Enabled, and then click OK.
10. Double-click Remove Run menu from Start Menu.
11. On the Setting tab, click Enabled, and then click OK.
12. Double-click Add Logoff to the Start Menu.
13. On the Setting tab, click Enabled, and then click OK.
14. Close Group Policy Management Editor.
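The GPO plan of Tasks 2 to 6 built in PowerShell, as an added example that is not the lab's own procedure: it assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 or RSAT, not present on the lab's Windows Server 2008 VMs) and the domain DN DC=Adatum,DC=com; the drive-map preference of Task 4 has no cmdlet and is left to the editor.

```powershell
# Added example (not part of the lab): the same GPO plan built with the
# GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 / RSAT or
# later). Names follow the lab; the registry paths are the ones the listed
# administrative templates write.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = "DC=Adatum,DC=com"

# Task 2: OU structure
New-ADOrganizationalUnit -Name "Head Office"      -Path $domainDN
New-ADOrganizationalUnit -Name "Branches"         -Path $domainDN
New-ADOrganizationalUnit -Name "Terminal Servers" -Path $domainDN
"Branch1","Branch2","Branch3" | ForEach-Object {
    New-ADOrganizationalUnit -Name $_ -Path "OU=Branches,$domainDN"
}

# Task 3: security GPO linked at the domain and enforced, so that no lower OU
# can block inheritance of the removable-storage restriction.
New-ADGroup -Name "Lab Computers" -GroupScope Global -Path "OU=Head Office,$domainDN"
New-ADComputer -Name "Lab1" -Path "OU=Head Office,$domainDN"
Add-ADGroupMember -Identity "Lab Computers" -Members (Get-ADComputer "Lab1")

New-GPO -Name "Enforced Security" | New-GPLink -Target $domainDN -Enforced Yes | Out-Null
# "Removable Disks: Deny read access" / "Deny write access" (Computer Configuration >
# Policies > Administrative Templates > System > Removable Storage Access)
$rsKey = "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
Set-GPRegistryValue -Name "Enforced Security" -Key $rsKey -ValueName "Deny_Read"  -Type DWord -Value 1
Set-GPRegistryValue -Name "Enforced Security" -Key $rsKey -ValueName "Deny_Write" -Type DWord -Value 1
# Set-GPPermission cannot write Deny ACEs, so the "Deny Read" for Lab Computers
# (Task 3, steps 24-27) still has to be set on the Delegation > Advanced tab.

# Task 5: application GPOs with security filtering. Removing Authenticated Users
# and granting Apply only to the target group is what narrows the scope.
New-ADGroup -Name "Sales Staff"  -GroupScope Global -Path "OU=Branches,$domainDN"
New-ADGroup -Name "Office Staff" -GroupScope Global -Path "OU=Branches,$domainDN"

$filtered = @{ "Sales Applications" = "Sales Staff"; "Office Applications" = "Office Staff" }
foreach ($gpoName in $filtered.Keys) {
    New-GPO -Name $gpoName | Out-Null
    Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None
    Set-GPPermission -Name $gpoName -TargetName $filtered[$gpoName] -TargetType Group -PermissionLevel GpoApply
    # Caveat: since MS16-072 (2016) the computer account must be able to read a
    # user-side GPO, so grant Read (not Apply) to Domain Computers as well.
    Set-GPPermission -Name $gpoName -TargetName "Domain Computers" -TargetType Group -PermissionLevel GpoRead
    New-GPLink -Name $gpoName -Target "OU=Branch1,OU=Branches,$domainDN" | Out-Null
}

# Task 6: terminal server lockdown with loopback processing in Replace mode.
New-GPO -Name "TS Lockdown" | New-GPLink -Target "OU=Terminal Servers,$domainDN" | Out-Null
# "User Group Policy loopback processing mode" = Enabled, Mode = Replace (2)
Set-GPRegistryValue -Name "TS Lockdown" -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2
$explorerKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# NoClose: Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands
# NoRun:   Remove Run menu from Start Menu
# StartMenuLogoff: Add Logoff to the Start Menu
foreach ($v in "NoClose","NoRun","StartMenuLogoff") {
    Set-GPRegistryValue -Name "TS Lockdown" -Key $explorerKey -ValueName $v -Type DWord -Value 1
}

# Verification: links in force on Branch1 (the enforced domain link is listed
# first) and the ACL of a filtered GPO.
Get-GPInheritance -Target "OU=Branch1,OU=Branches,$domainDN" |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table DisplayName, Enforced, Enabled, Order
Get-GPPermission -Name "Sales Applications" -All | Format-Table Trustee, Permission
```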

Task 7: Verify application of policies for Branch1 sales staff
1. In the Group Policy Management window, in the left pane, click Group Policy
Modeling.
2. Right-click Group Policy Modeling, and then click Group Policy Modeling
Wizard.
3. In the Group Policy Modeling Wizard window, click Next.
4. On the Domain Controller Selection page, click Next to accept the default
setting of Any available domain controller running Windows Server 2003
or later.
5. On the User and Computer Selection page, in the User information area,
click Browse.
6. In the Choose User Container window, expand Adatum, expand Branches,
click Branch1, and then click OK.
7. On the User and Computer Selection page, in the Computer information
area, click Browse.
8. In the Choose Computer Container window, expand Adatum, expand
Branches, click Branch1, and then click OK.
9. On the User and Computer Selection page, click Next.
10. On the Advanced Simulation Options page, click Next to select no options.

11. On the User Security Groups page, click Add, type Sales Staff, and then click
OK.
12. Select the Skip to the final page of this wizard without collecting additional
data check box, and then click Next.
13. On the Summary of Selections page, click Next.
14. To view the model, click Finish.
15. In the Branch1 on Branch1 area, under Computer Configuration Summary,
expand Group Policy Objects, expand Applied GPOs, and expand Denied
GPOs.
Default Domain Policy has computer settings and is applied to computers
in Branch1.
Enforced Security has computer settings and is applied to computers in
Branch1.
Office Applications is denied due to security filtering. The computer is not
a member of the necessary group.
Sales Applications is denied due to security filtering. The computer is not a
member of the necessary group.
Branch1 Preferences is denied because there are no relevant settings for
computers. If computer settings are added to Branch1 Preferences, then
they would be applied.
16. Under User Configuration Summary, expand Group Policy Objects, expand
Applied GPOs, and expand Denied GPOs.
Branch1 Preferences has user settings and is applied to users in Branch1.
Enforced Security is denied because there are no relevant settings for
users. If user settings are added to Enforced Security, then they would be
applied.
Default Domain Policy is denied because there are no relevant settings for
users. If user settings are added to Default Domain Policy, then they
would be applied.
Office Applications is denied due to security filtering. The user is not a
member of the necessary group.
Sales Applications is denied because there are no relevant settings for
users. After the sales applications are added to the policy, then they will be
distributed to members of the Sales Staff group.

Task 8: Verify application of policies for Branch1 sales staff on the
Terminal Server
1. In the Group Policy Management window, in the left pane, click Group Policy
Modeling.
2. Right-click Group Policy Modeling, and then click Group Policy Modeling
Wizard.
3. In the Group Policy Modeling Wizard window, click Next.
4. On the Domain Controller Selection page, click Next to accept the default
setting of Any available domain controller running Windows Server 2003
or later.
5. On the User and Computer Selection page, in the User information area,
click Browse.
6. In the Choose User Container window, expand Adatum, expand Branches,
click Branch1, and then click OK.
7. On the User and Computer Selection page, in the Computer information
area, click Browse.
8. In the Choose Computer Container window, expand Adatum, click Terminal
Servers, and then click OK.
9. On the User and Computer Selection page, click Next.
10. On the Advanced Simulation Options page, select the Loopback processing
check box, verify that Replace is selected, and then click Next.
11. On the User Security Groups page, click Add, type Sales Staff, and then click
OK.
12. Select the Skip to the final page of this wizard without collecting additional
data check box, and then click Next.
13. On the Summary of Selections page, click Next.
14. To view the model, click Finish.

15. In the Branch1 on Terminal Servers area, under Computer Configuration
Summary, expand Group Policy Objects, expand Applied GPOs, and expand
Denied GPOs.
Default Domain Policy has computer settings and is applied to computers
in Terminal Servers.
TS Lockdown has computer settings and is applied to computers in
Terminal Servers.
Enforced Security has computer settings and is applied to computers in
Terminal Servers.
16. Under User Configuration Summary, expand Group Policy Objects, expand
Applied GPOs, and expand Denied GPOs.
TS Lockdown has user settings and is applied to Branch1 users logging on
to the Terminal Server.
Default Domain Policy is denied because there are no relevant settings for
users. If user settings are added to Default Domain Policy, then they
would be applied.
Enforced Security is denied because there are no relevant settings for
users. If user settings are added to Enforced Security, then they would be
applied.
Notice that none of the user policies that would normally apply to Branch1
users are applied, because loopback processing in Replace mode is in use. For
example, Branch1 Preferences is not applied.
17. Close Group Policy Management.

Results: After this exercise, you should have successfully implemented Group Policy.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.


Module 5: Planning Application Servers

Lab: Planning Application Servers
Exercise 1: Creating a Plan for Application Servers
Task 1: Read the supporting documentation
Read the supporting documentation.
Determine if you need any more information and ask your instructor to clarify
if required.

Task 2: Create a plan for implementing Windows SharePoint Services
What server roles and features do you think will be required for implementing
WSS?
Answer: WSS requires: Web Server (IIS), the .NET Framework 3.0, and
ASP.NET enabled.
Do you have any concerns about hardware specifications for the WSS server?
Answer: Application servers with dynamic content such as WSS may have
high processor and memory utilization. SQL Server 2008 may also have high
processor and memory utilization. These should be closely monitored as the
workload continues to grow and this server is moved out of the pilot stage.
How can increasing workloads be accommodated?
Answer: There are two main issues: hardware capacity and database size. As
the load on the server grows, the SQL Server database can be moved to a
separate server to increase performance. Also, SQL Server Express is limited to
a 4 GB database. This may not be enough to handle the data stored in WSS as
site usage begins to grow. An upgrade to SQL Server Standard Edition may be
required.
What sort of maintenance schedule will WSS require?
Answer: A maintenance window for WSS will need to be defined. The exact
time of the maintenance windows will have to be negotiated with the users of
WSS. The maintenance window should be outside of normal business hours
so that it does not interfere with use of the application.

How will we ensure that this server and WSS are secure?
Answer: To secure any application server, you should ensure that only
required components are installed. In addition, an SSL certificate should be
implemented on the server to encrypt communication. The subject name for
the certificate needs to match the server name used in the URL for accessing
the SharePoint site.
How can we simplify access to WSS for internal users?
Answer: Using Windows integrated authentication allows users to authenticate
to WSS without entering their credentials. The credentials used on the
workstation are automatically passed to WSS. This simplifies logon for
the users.
How should WSS be backed up?
Answer: WSS stores data in a SQL Server database. You can use backup
software with a SQL Server agent to back up the database. Or you can use a
maintenance plan to back up the database to disk and then back up the file by
using your backup software. In addition, some backup software has a WSS
agent available that simplifies the restore of specific data components rather
than the whole database.
You can perform a full backup each day while the volume of data is relatively
small. When the server holds a large amount of data, you may need to start
using incremental backups to shorten the backup time.

Task 3: Create a plan for implementing Terminal Services
What are the benefits of using Terminal Services for the financial application?
Answer: In this scenario, Terminal Services provides two benefits: ease of
updates and faster remote access. It is easier to perform application updates on
a single Terminal Server rather than many client computers. For remote users
accessing data over a WAN link, the application will run much faster from the
Terminal Server that is located close to the data.
Are there any drawbacks to using Terminal Services?
Answer: The main drawback in this scenario is the risk that the Terminal
Server will fail. This failure would affect the productivity of all users. You can
mitigate this risk by implementing network load balancing.

Are there any benefits to using Windows Server 2008 for Terminal Services
rather than Windows Server 2003 in our scenario?
Answer: Windows Server 2008 has several new features that are useful in this
scenario. Single sign-on allows users to access Terminal Services without
providing credentials. This simplifies the use of Terminal Services for users.
Also, Easy Print makes it much easier and more reliable to print by using
Terminal Services. Finally, TS RemoteApp allows just a single application
window to be opened rather than a remote desktop. This is less confusing for
some users.
What are our licensing requirements?
Answer: To use Terminal Services, each user or device must have a TS CAL. If
users are not accessing the application from multiple locations, it may be
beneficial to use device-based licensing. For our server, we can use device
CALs or user CALs, but not both.
We also need to make sure that the financial application supports licensing for
Terminal Servers. Because using Terminal Services was recommended by the
vendor, it is likely. However, we should review how many licenses will be
required and their cost.
What will the overall system look like from a user perspective when it is
implemented?
Answer: Because access is only for a single application, TS RemoteApp and
single sign-on should be used. Users will click an icon on their desktop and
they will be connected to the application. From the user perspective, it will be
just like opening an application installed locally on their computer.

Results: After this exercise, you should have a completed plan for implementing WSS
and Terminal Services.


Exercise 2: Implementing Windows SharePoint Services
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Minimize the Lab Launcher window.

Task 2: Install Windows SharePoint Services
1. On SEA-DC1, click Start, and click Run.
2. In the Open box, type D:\Labfiles\Mod05\SharePoint.exe, and then click
OK.
3. On the Read The Microsoft Software License Terms page, select the I accept
the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Basic.
5. Verify that Run the SharePoint Products and Technologies Configuration
Wizard now is selected, and then click Close.
6. In the SharePoint Products And Technologies Configuration Wizard, click
Next.
7. Click Yes to close the warning window. Installation may take up to 10
minutes.
8. On the Configuration Successful page, click Finish. Internet Explorer will
open automatically and prompt you for a logon.
9. Log on as Adatum\Administrator with a password of Pa$$w0rd. Initial logon
will be slow because all of the scripts start for the first time.
10. Verify that you have successfully logged on to WSS. Note that the path used to
access the server is http://sea-dc1.
11. Close Internet Explorer.


Task 3: Review the Web site configuration
1. On SEA-DC1, click Start, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. Expand SEA-DC1, and click Application Pools. Notice that two new
application pools have been created for SharePoint.
3. Click Sites. Notice that there are two new Web sites. SharePoint 80 is the
main SharePoint site bound to Port 80. SharePoint Central Administration is
for administering SharePoint on a random port number.
4. Double-click SharePoint 80, and then double-click Authentication. Notice
that Windows Authentication is enabled.
5. Close Internet Information Services (IIS) Manager.

Task 4: Configure Internet Explorer for Windows Authentication
1. On SEA-DC1, click Start, type Internet Options, and then press ENTER.
2. In the Internet Properties window, click the Security tab, click Local
Intranet, and then click Sites.
3. In the Add this website to the zone box, type http://sea-dc1, and then click
Add.
4. If prompted, click Yes to move the site to the Local intranet zone.
5. Click Close, and then click OK.
6. Click Start, point to All Programs, and then click Internet Explorer.
7. In the Address bar, type http://sea-dc1, and then press ENTER. Notice that
you are no longer prompted for credentials.
8. Close Internet Explorer.


Task 5: Back up Windows SharePoint Services
1. On SEA-DC1, click Start, and then click Command Prompt.
2. Type md C:\SPBackup, and then press ENTER.
3. Close the command prompt.
4. Click Start, point to Administrative Tools, and then click SharePoint 3.0
Central Administration.
5. Click the Operations tab.
6. Under Backup and Restore, click Perform a backup.
7. Select the Farm check box, and then click Continue to Backup Options.
8. Enter the following settings, and then click OK.
Backup content: Farm
Type of Backup: Full
Backup File Location: C:\SPBackup
9. Click Refresh every minute or so until the backup job is complete.
10. Close Internet Explorer.

Results: After this exercise, you should have successfully implemented Windows
SharePoint Services and verified the configuration.


Exercise 3: Implementing Terminal Services
Task 1: Install Terminal Services
1. On SEA-DC1, click Start, and click Server Manager.
2. In the left pane, click Roles, and then click Add Roles.
3. In the Add Roles Wizard, click Next.
4. On the Select Server Roles page, select the Terminal Services check box, and
then click Next.
5. Read the Terminal Services page, and then click Next.
6. On the Select Role Services page, select the Terminal Server check box.
7. In the warning window, click Install Terminal Server anyway (not
recommended), and then click Next.
8. Read the Uninstall And Reinstall Application For Compatibility page, and
then click Next.
9. Read the Specify Authentication Method For Terminal Server page, click Do
not require Network Level Authentication, and then click Next.
10. On the Specify Licensing Mode page, click Next.
11. On the Select User Groups Allowed Access To This Terminal Server page,
click Next.
12. On the Confirm Installation Selections page, click Install.
13. On the Installation Results page, click Close.
14. Click Yes to restart the server.
Note: Steps 15-17 should not be performed if you are performing the lab exercise
online.
15. Log on as Adatum\Administrator with a password of Pa$$w0rd.
16. Wait for the configuration to complete, and then click Close.
17. Close Server Manager.
Note: To continue with the lab exercise online, close the Planning Application
Servers Lab A lab, and then launch the Planning Application Servers Lab B
lab.

Task 2: Install the financial application
1. Click Start, and then click Computer.
2. Browse to D:\Labfiles\Mod05, and double-click CalcPlus.msi.
3. In the Microsoft Calculator Plus window, click Next.
4. On the License Agreement page, click I Agree, and then click Next.
5. On the Select Installation Folder page, use C:\Program Files\Microsoft
Calculator Plus\, click Everyone, and then click Next.
6. Click Close, and then close the Windows Explorer window.

Task 3: Prepare the financial application for distribution as a
RemoteApp program
1. Click Start, point to Administrative Tools, point to Terminal Services, and
then click TS RemoteApp Manager.
2. In the actions pane, click Add RemoteApp Programs.
3. In the RemoteApp Wizard, click Next.
4. Select the Microsoft Calculator Plus check box, and then click Next.
5. Click Finish.
6. In the RemoteApp Programs area, click Microsoft Calculator Plus.
7. Under Other Distribution Options, click Create Windows Installer Package.
8. In the RemoteApp Wizard, click Next.
9. On the Specify Package Settings page, click Next.
10. On the Configure Distribution Package page, select the Desktop check box,
and then click Next.
11. Click Finish.
12. In the Packaged Programs window, browse up to C:\Program Files.
13. Right-click Packaged Programs, and then click Share.
14. Click Advanced Sharing.
15. Select the Share this folder check box, and then click OK.

16. Click Close, and then close all open windows.
17. Click Start, point to Administrative Tools, and then click Group Policy
Management.
18. In the Group Policy Management window, expand Forest: Adatum.com,
expand Domains, expand Adatum.com, right-click Default Domain Policy,
and then click Edit.
19. Under User Configuration, expand Policies, expand Software Settings, right-click
Software installation, point to New, and then click Package.
20. Browse to \\SEA-DC1\Packaged Programs, click CalcPlus.msi, and then
click Open.
21. In the Deploy Software window, click Advanced, and then click OK.
22. In the Microsoft Calculator Plus Properties window, click the Deployment tab.
23. Under Deployment type, click Assigned.
24. Under Deployment options, select the Install this application at logon check
box, and then click OK.
25. Close all open windows.

Task 4: Test the new application
1. Log on SEA-CL1 as Administrator with a password of Pa$$w0rd.
2. If the Microsoft Calculator Plus icon does not appear on the desktop, then
perform the following steps:
a. Click Start, type cmd, and then press ENTER.
b. At the command prompt, type gpupdate, and then press ENTER.
c. Close the command prompt.
d. Click the Start button, click the arrow next to the Lock button, and then
click Restart.
Note: Steps e, f, and g should not be performed if you are performing the lab
exercise online.
e. Log on as Administrator with a password of Pa$$w0rd.
f. Wait for the configuration to complete, and then click Close.
g. Close Server Manager.

Note: To continue with the lab exercise online, close the Planning Application
Servers Lab B lab, and then launch the Planning Application Servers Lab
C lab.

3. Click Start, type gpedit.msc, and then press ENTER.
4. Under Computer Configuration, expand Administrative Templates, expand
System, and then click Credentials Delegation.
5. Double-click Allow Delegating Default Credentials, click Enabled, and then
click Show.
6. In the Show Contents window, click Add, type termsrv/SEA-DC1.adatum.com, and
then click OK.
7. In the Show Contents window, click OK.
8. In the Allow Delegating Default Credentials Properties window, click OK.
9. Close the Local Group Policy Editor.

Note: In a production environment, you would configure the group policy setting by
using a GPO rather than the local Group Policy.
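Steps 3-9 as an added example, not course code: the registry values that the Allow Delegating Default Credentials policy writes for a single SPN (the key path is the one the CredSsp.admx template uses; the GPO the note recommends for production writes the same values under the Policies key), followed by a check that the list holds only explicit termsrv entries. It assumes an elevated PowerShell 2.0 session on SEA-CL1.

```powershell
# Added example, not course code: registry equivalent of the local policy edit in
# steps 3-9. Assumes an elevated PowerShell session on SEA-CL1. The key path is the
# one the CredSsp.admx template writes for "Allow Delegating Default Credentials".
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$ListKey   = "$PolicyKey\AllowDefaultCredentials"
$Spn       = 'termsrv/SEA-DC1.adatum.com'   # SPN of the Terminal Server from step 6

function Enable-DefaultCredentialDelegation {
    param([string]$PolicyKey, [string]$ListKey, [string]$Spn)
    foreach ($k in $PolicyKey, $ListKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Enabled = 1; ConcatenateDefaults merges this list with the OS default list.
    New-ItemProperty -Path $PolicyKey -Name 'AllowDefaultCredentials' `
        -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'ConcatenateDefaults_AllowDefault' `
        -Value 1 -PropertyType DWord -Force | Out-Null
    # Server list entries are string values named "1", "2", ...; one entry here.
    New-ItemProperty -Path $ListKey -Name '1' -Value $Spn -PropertyType String -Force | Out-Null
}

function Test-DelegationScope {
    # Least-privilege check: each entry must name one terminal server explicitly
    # (termsrv/<host>). A wildcard entry would release the user's default
    # credentials to any terminal server, which is wider than this design needs.
    param([string]$ListKey)
    if (-not (Test-Path $ListKey)) { return $false }
    $entries = @((Get-ItemProperty -Path $ListKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
    if ($entries.Count -eq 0) { return $false }
    foreach ($e in $entries) {
        if ($e -notmatch '^termsrv/[A-Za-z0-9][A-Za-z0-9.-]*$') { return $false }
    }
    return $true
}

Enable-DefaultCredentialDelegation -PolicyKey $PolicyKey -ListKey $ListKey -Spn $Spn
if (Test-DelegationScope -ListKey $ListKey) {
    "Default credentials will be delegated only to: $Spn"
} else {
    "Delegation list missing or contains a non-explicit entry; review $ListKey"
}
```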
10. On the desktop, double-click the Microsoft Calculator Plus icon.
11. Select the Don't ask me again for remote connections to the computer check
box, and then click Connect.
12. Wait while the application starts. This may take a few moments to log on to
the Terminal Server.
13. Close Microsoft Calculator Plus.

Note: Opening the application a second time is much faster.

Results: After this exercise, you should have successfully implemented a Terminal
Server and distributed a Terminal Services application.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module 6: Planning File and Print Services

Lab: Planning File and Print Services
Exercise 1: Planning File and Print Services for a Branch Office
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Sales Branch Offices: File and Print Services document with your proposals
Answer the questions in the Sales Branch Offices: File and Print Services document.
Sales Branch Offices: File and Print Services
Document Reference Number: GW1510/1
Document Author: Gregory Weber
Date: 15 October
Requirement Overview
Deploy the required services to the branch sales offices to meet the needs outlined
in the Requirements document.
Additional Information
The requirements are summarized as follows:
Deploy server roles to support file and print services.
Create a single UNC name to allow access to all sales shared resources. This single
UNC name should not be a single point of failure.
Provide for a means of synchronizing data between the branch and head office
sales shared folders.
Impose restrictions to prevent creation of executable files in data areas.
Impose a hard limit on the amount of disk space each user can consume in the data
folder.
Deploy printers to client computers quickly and easily.
Proposals
1. What server roles will you need to deploy to the branch servers to satisfy these
requirements?
Answer: File Services and Print Services
2. Will you need to make any changes to the infrastructure at the head office to
support these requirements?
Answer: Certain File Services service roles will need to be available to support
DFS.
3. What folder and shared folder permissions would you recommend for sales
data areas?
Answer: Data folders should be secured with the Modify permission for the
relevant global group, in this case SalesGG. The shared folder can be
configured as Everyone Full Control, because the effective permission through a
share is the more restrictive of the share and NTFS permissions; the result is
therefore Modify for SalesGG through the share onto the folder.
4. How will you address the requirement for a single UNC name for all sales
shared resources and avoid a single point of failure?
Answer: By deploying a DFS domain-based namespace and adding folders to
the namespace. Adding additional namespace servers will provide fault
tolerance for the namespace.
5. How will you synchronize the sales data at each location?
Answer: By using DFS-R. A full mesh topology would be suitable.
6. What role or feature enables you to impose a restriction on the types of files
that users can create in designated folders?
Answer: FSRM file screening.
7. What role or feature enables you to impose a restriction on the disk space
users can consume in designated folders?
Answer: FSRM quotas.

8. Provide additional details about the specifics of the process you will use to
provide for the previous two requirements:
Answer: File screen: the Block Executable Files would be an appropriate
template on which to base the file screen.
Quotas: use of the 200 MB Limit Reports to User template is indicated.
9. How do you intend to deploy printers to client computers?
Answer: Creating, sharing, and then deploying with group policy.

Results: After this exercise, you should have a completed Sales Branch Offices: File and
Print Services document.
Exercise 2: Implementing File and Print Services in a Branch Office
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
7. Log on to 6430B-SEA-CL1 as ADATUM\Joe with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Deploy the required server roles at the branch server
1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the navigation tree, click Roles.
4. In the results pane, under Roles Summary, click Add Roles.
5. In the Add Roles Wizard, on the Before You Begin page, click Next.
6. On the Select Server Roles page, in the Roles list, select both the File Services
and Print Services check boxes, and then click Next.
7. On the Print Services page, click Next.
8. On the Select Role Services page, click Next.
9. On the File Services page, click Next.
10. On the Select Role Services page, ensure that the File Server check box is
selected, select the following check boxes, and then click Next:
a. Distributed File System
b. File Server Resource Manager
11. On the Create a DFS Namespace page, click Create a namespace later using
the DFS Management snap-in in Server Manager, and then click Next.
12. On the Configure Storage Usage Monitoring page, click Next.
13. On the Confirm Installation Selections page, click Install.
14. On the Installation Results page, click Close.
15. Close Server Manager.

Task 3: Add additional role services on the SEA-DC1 computer
1. Switch to the SEA-DC1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the navigation tree, click Roles.
4. In the results pane, under Roles Summary, click File Services.
5. In the results pane, click Add Role Services.
6. On the Select Role Services page, select the Distributed File System check
box, and then click Next.
7. On the Create a DFS Namespace page, click Create a namespace later using
the DFS Management snap-in in Server Manager, and then click Next.
8. On the Confirm Installation Selections page, click Install.
9. On the Installation Results page, click Close.
10. Close Server Manager.
Task 4: Create, secure, and share the Sales-data folders
1. Click Start, click Computer, and then double-click Allfiles (D:).
2. Click Organize, and then click New Folder.
3. Type Sales-data, and then press ENTER.
4. Right-click Sales-data, and then click Properties.
5. In the Sales-data Properties dialog box, on the Security tab, click Advanced.
6. In the Advanced Security Settings for Sales-data dialog box, click Edit, clear
the Include inheritable permissions from this object's parent check box,
and then click Copy.
7. In the Advanced Security Settings for Sales-data dialog box, click OK.
8. Click OK again, and in the Sales-data Properties dialog box, click Edit.
9. In the Permissions for Sales-data dialog box, in the Group or user names
list, click Users (ADATUM\Users), and then click Remove.
10. Click Add, and in the Select Users, Computers, or Groups dialog box, in the
Enter the object names to select (examples): box, type SalesGG, click Check
Names, and then click OK.
11. In the Permissions for Sales-data dialog box, in the Permissions for SalesGG
list, select the Allow/Modify check box, and then click OK.
12. In the Sales-data Properties dialog box, click the Sharing tab.
13. Click Advanced Sharing, and in the Advanced Sharing dialog box, select the
Share this folder check box, and then click Permissions.
14. In the Permissions for Sales-data dialog box, select the Allow/Full Control
check box, and then click OK.
15. In the Advanced Sharing dialog box, click OK.
16. In the Sales-data Properties dialog box, click Close.
17. Close Windows Explorer.
18. Switch to the SEA-SVR1 computer.
19. Click Start, click Computer, and then double-click Local Disk (C:).
20. Click Organize, and then click New Folder.
21. Type Sales-data, and then press ENTER.
22. Right-click Sales-data, and then click Properties.
23. In the Sales-data Properties dialog box, on the Security tab, click Advanced.
24. In the Advanced Security Settings for Sales-data dialog box, click Edit, clear
the Include inheritable permissions from this object's parent check box,
and then click Copy.
25. In the Advanced Security Settings for Sales-data dialog box, click OK.
26. Click OK again, and in the Sales-data Properties dialog box, click Edit.
27. In the Permissions for Sales-data dialog box, in the Group or user names
list, click Users (SEA-SVR1\Users), and then click Remove.
28. Click Add, and in the Select Users, Computers, or Groups dialog box, in the
Enter the object names to select (examples): box, type SalesGG, click Check
Names, and then click OK.
29. In the Permissions for Sales-data dialog box, in the Permissions for SalesGG
list, select the Allow/Modify check box, and then click OK.
30. In the Sales-data Properties dialog box, click the Sharing tab.
31. Click Advanced Sharing, and in the Advanced Sharing dialog box, select the
Share this folder check box, and then click Permissions.
32. In the Permissions for Sales-data dialog box, select the Allow/Full Control
check box, and then click OK.
33. In the Advanced Sharing dialog box, click OK.
34. In the Sales-data Properties dialog box, click Close.
35. Close Windows Explorer.
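The folder and share permissions from Task 4, as an added scripted equivalent that is not part of the course material: it uses the built-in icacls.exe and net.exe tools, assumes an elevated PowerShell session on the server that holds the folder and that the ADATUM\SalesGG group exists, and ends with a check that the resulting NTFS ACL matches the plan (Modify for SalesGG, no broad Users entry left behind).

```powershell
# Added example, not course code: scripted equivalent of Task 4 for one server.
# Assumes an elevated PowerShell session on the server holding the folder, that
# ADATUM\SalesGG exists, and the built-in Windows Server 2008 tools icacls.exe and
# net.exe. Use D:\Sales-data on SEA-DC1 and C:\Sales-data on SEA-SVR1.
param(
    [string]$Path  = 'C:\Sales-data',
    [string]$Share = 'Sales-data',
    [string]$Group = 'ADATUM\SalesGG'
)

function New-SalesDataFolder {
    param([string]$Path, [string]$Share, [string]$Group)

    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # Step 6: stop inheriting from the parent but keep a copy of the inherited
    # ACEs (clearing "Include inheritable permissions" and then clicking Copy).
    icacls $Path /inheritance:d | Out-Null

    # Step 9: remove the broad Users entry that was copied from the volume root.
    icacls $Path /remove:g 'Users' | Out-Null

    # Steps 10-11: grant the sales global group Modify, inherited by files (OI)
    # and by subfolders (CI).
    icacls $Path /grant "${Group}:(OI)(CI)M" | Out-Null

    # Steps 12-15: share the folder with Everyone Full Control. The share level
    # is deliberately wide: effective access is the more restrictive of share
    # and NTFS, so the NTFS ACL (Modify for SalesGG only) is what governs it.
    net share "$Share=$Path" /grant:Everyone,FULL | Out-Null
}

function Test-SalesDataAcl {
    # Check the NTFS ACL: no Allow entry for Users remains and the group has Modify.
    param([string]$Path, [string]$Group)
    $acl = Get-Acl -Path $Path
    $usersLeft = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like '*\Users' -and $_.AccessControlType -eq 'Allow' }
    $groupAce = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.ToString() -match 'Modify' }
    return ((-not $usersLeft) -and ($groupAce -ne $null))
}

New-SalesDataFolder -Path $Path -Share $Share -Group $Group
if (Test-SalesDataAcl -Path $Path -Group $Group) {
    "OK: $Path is shared as \\$env:COMPUTERNAME\$Share with Modify for $Group only"
} else {
    "ACL check failed on $Path; inspect it with: icacls $Path"
}
```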

Task 5: Configure a DFS namespace
1. Switch to the SEA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click DFS Management.
3. In DFS Management, in the navigation tree, click Namespaces.
4. In the Actions pane, click New Namespace.
5. In the New Namespace Wizard, on the Namespace Server page, in the Server
box, type SEA-DC1, and then click Next.
6. On the Namespace Name and Settings page, in the Name box, type Sales,
and then click Next.
7. On the Namespace Type page, click Next.
8. On the Review Settings and Create Namespace page, click Create.
9. On the Confirmation page, click Close.

Task 6: Add a namespace server
1. In DFS Management, in the navigation tree, click Namespaces, and in the
results pane, right-click \\Adatum.com\Sales, and then click Add Namespace
Server.
2. In the Add Namespace Server dialog box, in the Namespace server box, type
SEA-SVR1, and then click OK.
3. In the Warning dialog box, click Yes.
4. In DFS Management, expand Namespaces, click \\Adatum.com\Sales, and
then in the results pane, click the Namespace Servers tab.

Task 7: Add a DFS folder
1. In DFS Management, in the navigation tree, right-click \\Adatum.com\Sales,
and then click New Folder.
2. In the New Folder dialog box, in the Name box, type Corporate Sales Data.
3. Click Add, and in the Add Folder Target dialog box, in the Path to folder
target box, type \\sea-dc1\sales-data, and then click OK.
4. In the New Folder dialog box, click OK.
Task 8: Add a folder target
1. In DFS Management, under Namespace, expand \\Adatum.com\Sales, right-click
Corporate Sales Data, and then click Add Folder Target.
2. In the New Folder Target dialog box, in the Path to folder target box, type
\\sea-svr1\Sales-data, and then click OK.
3. In the Replication dialog box, click Yes.

Task 9: Create a Replication group
1. In the Replicate Folder Wizard, click Next.
2. On the Replication Eligibility page, click Next.
3. On the Primary Member page, in the Primary member list, click SEA-DC1,
and then click Next.
4. On the Topology Selection page, click Next.
5. On the Replication Group Schedule and Bandwidth page, click Next.
6. On the Review Settings and Create Replication Group page, click Create.
7. On the Confirmation page, click Close.
8. In the Replication Delay dialog box, click OK.
9. Close DFS Management.

Task 10: Configure quotas on the branch server
1. Switch to the SEA-SVR1 computer.
2. Click Start, point to Administrative Tools, and then click File Server
Resource Manager.
3. In File Server Resource Manager (Local), expand Quota Management, and
then click Quotas.
4. Right-click Quotas, and then click Create Quota.
5. In the Create Quota dialog box, in the Quota path box, type C:\Sales-data.
6. Click Auto apply template and create quotas on existing and new
subfolders.
7. In the Derive properties from this quota template (recommended) list, click
200 MB Limit Reports to User.
8. Click Create.

Task 11: Configure a file screen for the branch server
1. In the navigation tree, expand File Screening Management, and then click
File Screens.
2. Right-click File Screens, and then click Create File Screen.
3. In the Create File Screen dialog box, in the File screen path box, type
C:\Sales-data, and in the list, click Block Executable Files. Then click Create.

Task 12: Configure FSRM options
1. In the navigation tree, right-click File Server Resource Manager (Local), and
then click Configure Options.
2. Scroll along the tabs, and then click the File Screen Audit tab.
3. Select the Record file screening activity in auditing database check box, and
then click OK.

Task 13: Test the file screen settings
1. Switch to the SEA-CL1 computer.
2. Click Start, right-click Computer, and then click Map Network Drive.
3. In the Map Network Drive dialog box, in the Folder box, type \\sea-svr1\sales-data, and then click Finish.
4. Click Start, point to All Programs, click Accessories, and then click
Command Prompt.
5. At the command prompt, type the following commands, pressing ENTER after
each one:
a. Z:
b. Copy c:\windows\*.exe
Question: Were you successful?
Answer: No
6. Switch to the SEA-SVR1 computer.
7. In File Server Resource Manager, click Storage Reports and Management.
8. In the action pane, click Generate Reports Now.
9. In the Storage Report Task Properties dialog box, click Add.
10. In the Browse For Folder dialog box, expand Local Disk (C:), click Sales-data, and then click OK.
11. In the Select reports to generate list, select the File Screening Audit check
box and then click OK.
12. In the Generate Storage Reports dialog box, click OK.
Question: In Internet Explorer, examine the report. Which user attempted to
create executables in the C:\Sales-data folder?
Answer: ADATUM\Joe.
13. Close all open windows.
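The same configuration and test as Tasks 10, 11 and 13, done from an elevated PowerShell prompt on SEA-SVR1 with the FSRM command-line tools that ship with Windows Server 2008 (dirquota.exe and filescrn.exe). This is an added example, not part of the 6430B lab; the folder path and template names are the lab's, and Task 12 (the audit option) and the report generation stay in the GUI as described above.

```powershell
# Added example for Tasks 10-13 (not from the 6430B lab). Run elevated on SEA-SVR1,
# where the File Server Resource Manager role service is installed.
$path = 'C:\Sales-data'

# Task 10: auto-apply the quota template to C:\Sales-data and to every existing
# and future subfolder (the "Auto apply template" option in the Create Quota dialog).
& dirquota.exe autoquota add /Path:$path /SourceTemplate:"200 MB Limit Reports to User"

# Task 11: create an active file screen from the built-in template.
& filescrn.exe screen add /Path:$path /SourceTemplate:"Block Executable Files"

# Show what is now in effect on the folder.
& dirquota.exe quota list /Path:$path
& filescrn.exe screen list /Path:$path

# Task 13 equivalent, run locally. FSRM evaluates the file NAME against the screen's
# file groups at create/rename time, so a blocked extension must fail while a harmless
# name succeeds. File screens apply to administrators too.
function Test-FileScreen {
    param([string]$Folder)
    $outcome = @{}
    foreach ($name in 'probe.exe', 'probe.txt') {
        $file = Join-Path $Folder $name
        try {
            # Constructed content; the screen never looks at the bytes, only the name.
            Set-Content -Path $file -Value 'probe' -ErrorAction Stop
            $outcome[$name] = 'written (not screened)'
            Remove-Item -Path $file -Force
        } catch {
            # An active screen returns Access Denied to the caller.
            $outcome[$name] = 'blocked: ' + $_.Exception.Message
        }
    }
    return $outcome
}
Test-FileScreen -Folder $path
```

Expected result: probe.exe is blocked, probe.txt is written. Because the screen is purely name-based, an executable renamed to .txt (or copied inside a .zip) is not caught; treat file screening as a hygiene control, not as malware protection, and use the audit database from Task 12 to see who is trying.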

Task 14: Deploy a shared printer with group policy
1. On SEA-SVR1, click Start, point to Administrative tools, and then click Print
Management.
2. In Print Management, expand Print Servers, expand SEA-SVR1(local), and
then click Printers.
3. Right-click Printers, and then click Add Printer.
4. In the Network Printer Installation Wizard, on the Printer Installation page,
click Add a new printer using an existing port, and in the list, ensure that
LPT1: (Printer Port) is selected.
5. Click Next, and on the Printer Driver page, click Next.
6. On the Printer Installation page, in the Manufacturer list, click Canon, in the
Printers list, click Canon Inkjet MP700, and then click Next.
7. On the Printer Name and Sharing Settings page, click Next.
8. On the Printer Found page, click Next, and then click Finish.
9. Right-click Canon Inkjet MP700, and then click Deploy with Group Policy.
10. In the Deploy with Group Policy dialog box, click Browse.
11. In the Browse for a Group Policy Object dialog box, click Default Domain
Policy, and then click OK.
12. In the Deploy with Group Policy dialog box, select the The users that this
GPO applies to (per user) check box, click Add, and then click OK.
13. In the Print Management dialog box, click OK.
14. Click OK to close the Deploy with Group Policy dialog box.

Note: The lab links the printer connection to the Default Domain Policy for simplicity. In production, deploy printer connections from a dedicated GPO linked to the organizational units that need them, and leave the Default Domain Policy for domain-wide account and password settings.

Task 15: Test the printer deployment
1. Switch to the SEA-CL1 computer.
2. At the command prompt, type gpupdate /force, and press ENTER.
3. Log off.
4. Log on to 6430B-SEA-CL1 as ADATUM\Joe with the password Pa$$w0rd.
5. Click Start, click Control Panel, and then click Printer.
Question: Is the Canon printer listed?
Answer: Yes.
6. Close all open windows.

Results: After this exercise, you should have successfully configured file and print
services for the branch office.
To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.






Module 7: Planning Server and Network Security

Lab: Planning Server and Network Security
Exercise 1: Creating a Plan for Server and Network Security
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Create a security plan for the new finance application
Fill in the following table with potential risks and mitigations for each layer of
the Defense-in-Depth model related to the new finance application.
Layer: Data
  Risks:
  - Application data is accessed by unauthorized users
  - Application data is accessed from unauthorized computers
  Mitigations:
  - Locate the application database on a secure server with limited permissions
  - Use connection security rules, together with an inbound firewall rule that
    allows only secure connections from approved computers, to restrict access
    to the appropriate computers

Layer: Application
  Risks:
  - Application is vulnerable to denial of service
  - Application is vulnerable to buffer overflow attacks
  Mitigations:
  - Apply application patches as they become available

Layer: Host
  Risks:
  - Operating system vulnerability results in denial of service
  - Hardware failure results in loss of service
  - Passwords are guessed for a user account with access to data
  Mitigations:
  - Ensure that operating system updates are applied
  - Ensure that the server hardware is redundant
  - Ensure that complex passwords are required
  - Use the Security Configuration Wizard to reduce the attack surface
  - Use NAP to keep computers that fail health checks (for example, missing
    updates or out-of-date antimalware signatures) off the network

Layer: Internal network
  Risk:
  - Data is viewed while in transit
  Mitigation:
  - Use SSL to encrypt data and authentication

Layer: Perimeter
  Risk:
  - Internet users gain access to the application
  Mitigation:
  - Use firewalls to prevent access to the application server from the Internet

Layer: Physical security
  Risks:
  - Server data is accessed by using a boot CD
  - The server is physically damaged by accident
  Mitigation:
  - Store the server in a secure location where unauthorized staff do not have
    access

Layer: Policies, procedures, and awareness
  Risk:
  - An administrator makes changes to the server without authorization,
    resulting in a service outage
  Mitigations:
  - Document all procedures related to the server, such as maintenance windows
    and configuration
  - Enforce a change management process

Task 3: Create a plan for preventing malware on the network
Fill in the following table with potential risks and mitigations for each layer of
the Defense-in-Depth model related to preventing malware on the network.
Layer: Data
  (no entries)

Layer: Application
  Risks:
  - Application installations
  - E-mail attachments
  - Application flaws
  - Web pages
  Mitigations:
  - Allow only administrators to install new applications
  - Implement malware scanning for all incoming e-mail
  - Ensure that applications are updated when updates are released
  - Use the SmartScreen Filter in Microsoft Internet Explorer 8

Layer: Host
  Risks:
  - Portable storage
  - Operating system flaws
  - Portable computers
  Mitigations:
  - Prevent the use of portable storage devices on computers
  - Ensure that Windows updates are being applied
  - Use real-time scanning in Windows Defender
  - Use NAP to prevent unhealthy computers from connecting to the network
  - Run antivirus software that can be centrally monitored, with daily
    signature updates

Layer: Internal network
  Risk:
  - Portable computers
  Mitigation:
  - Use intrusion detection to monitor for unusual network traffic

Layer: Perimeter
  Risk:
  - Web pages
  Mitigation:
  - Implement malware scanning on a Web proxy

Layer: Physical security
  (no entries)

Layer: Policies, procedures, and awareness
  Risk:
  - Staff may try to circumvent security policies with portable storage
  Mitigation:
  - Create an acceptable use policy and ensure that staff are educated about
    its contents

Results: After this exercise, you should have a completed security plan for the new
finance application and a plan for preventing malware on the network.

Exercise 2: Implementing Windows Firewall Rules
Task 1: Start the virtual machines and log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-CL1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Create a group for the finance computers
1. On SEA-DC1, click Start, point to Administrative Tools, and click Active
Directory Users and Computers.
2. In the Active Directory Users and Computers window, if necessary, expand
Adatum.com and then click Computers.
3. Right-click Computers, point to New, and then click Group.
4. In the Group name box, type Finance Computers and then click OK.
5. Right-click SEA-CL1 and click Add to a group.
6. In the Enter the object names to select box, type Finance Computers and
then click OK.
7. Click OK to clear the message about successful completion.
8. Close Active Directory Users and Computers.

Task 3: Create a connection security rule for authentication to the
finance server
1. On SEA-DC1, click Start, point to Administrative Tools, and click Group
Policy Management.
2. In Group Policy Management, expand Forest: Adatum.com, expand
Domains, and click Adatum.com.
3. Right-click Adatum.com and click Create a GPO in this domain, and Link it
here.
4. In the New GPO window, in the Name box, type Secure Financial
Application and click OK.
5. Right-click Secure Financial Application, and click Edit.
6. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand Windows Firewall with Advanced Security, expand
Windows Firewall with Advanced Security, and click Connection Security
Rules.
7. Right-click Connection Security Rules and click New Rule.
8. In the New Connection Security Rule Wizard window, on the Rule Type page,
click Server-to-server, and then click Next.
9. On the Endpoints page, in the Endpoint 1 area, click These IP addresses, and
then click Add.
10. In the IP Address window, in the This IP address or subnet box, type
10.10.0.10, and then click OK.
11. On the Endpoints page, click Next.
12. On the Requirements page, click Request authentication for inbound and
outbound connections, and then click Next.
13. On the Authentication Method page, click Advanced and then click
Customize.
14. In the Customize Advanced Authentication Methods window, in the First
authentication area, click Add, click Computer (Kerberos V5), and click OK.
15. In the Customize Advanced Authentication Methods window, click OK and
then click Next.
16. On the Profile page, click Next.
17. On the Name page, in the Name box, type Enable Authentication and then
click Finish.
18. Close all open windows.

Task 4: Create a firewall rule to restrict access to the finance
application
1. On SEA-DC1, click Start, point to Administrative Tools, and click Windows
Firewall with Advanced Security.
2. In the left pane, click Inbound Rules.
3. Right-click Inbound Rules and then click New Rule.
4. In the New Inbound Rule Wizard window, on the Rule Type page, click Port
and then click Next.
5. On the Protocol and Ports page, click TCP.
6. In the Specific local ports box, type 80,443 and then click Next.
7. On the Action page, click Allow the connection if it is secure, select the
Require the connections to be encrypted check box, and then click Next.
8. On the Users and Computers page, select the Only allow connections from
these computers check box and then click Add.
9. In the Enter the object names to select box, type Finance Computers and
then click OK.
10. Click Next to continue.
11. On the Profile page, click Next.
12. On the Name page, in the Name box, type Restrict Access to Finance
Application and then click Finish.
13. Close all open windows.

Task 5: Force Group Policy updates
1. On SEA-DC1, click Start, click Run, type gpupdate, and press ENTER.
2. On SEA-CL1, click Start, click Run, type gpupdate, and press ENTER.
3. Restart SEA-CL1 and log on as Adatum\Administrator with a password of
Pa$$w0rd. The restart is needed because the computer's Kerberos ticket, obtained
at startup, is what carries its membership in Finance Computers; the inbound rule
in Task 4 checks that membership when the IPsec connection is authenticated.

Task 6: Test the application of rules
1. On SEA-CL1, click Start and click Internet.
2. In Internet Explorer, in the address bar, type http://10.10.0.10 and then
press ENTER.
3. Click Start, type Firewall, and then click Windows Firewall with Advanced
Security.
4. Expand Monitoring, expand Security Associations, and then click Main
Mode. Notice that there is a connection between 10.10.0.50 and 10.10.0.10.
5. Close all open windows.

Note: Negotiation of IPsec policies may be slow in the virtualized environment. A wait of
2 or 3 minutes is possible before the negotiation is complete and you are able to access
the Web site at 10.10.0.10.
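The rules from Tasks 3 and 4 and the check from Task 6, expressed with netsh advfirewall from an elevated PowerShell prompt on SEA-DC1. This is an added example, not part of the 6430B lab. The rule names, the address 10.10.0.10, the client address 10.10.0.50 and the Finance Computers group are the lab's; the netsh syntax is the Windows Server 2008 / Windows Vista one.

```powershell
# Added example for Exercise 2, Tasks 3, 4 and 6 (not from the 6430B lab).
# Run elevated on SEA-DC1.

# Task 3 equivalent. The lab puts this rule in the Secure Financial Application
# GPO so every domain computer receives it; netsh writes to the LOCAL policy unless
# the store is switched first, e.g.
#   netsh advfirewall set store gpo=Adatum.com\"Secure Financial Application"
# "requestinrequestout" only ASKS for IPsec: unauthenticated traffic still flows.
# It is the inbound firewall rule below that enforces authentication for 80/443.
netsh advfirewall consec add rule name="Enable Authentication" `
    endpoint1=10.10.0.10 endpoint2=any `
    action=requestinrequestout auth1=computerkerb

# Task 4 equivalent. "Only allow connections from these computers" is stored as an
# SDDL string of SIDs, so resolve the group to its SID first.
$groupSid = (New-Object System.Security.Principal.NTAccount('ADATUM', 'Finance Computers')
            ).Translate([System.Security.Principal.SecurityIdentifier]).Value
$remoteComputers = "D:(A;;CC;;;$groupSid)"

# security=authenc = "Allow the connection if it is secure" plus "Require the
# connections to be encrypted": a peer must have an authenticated AND encrypted
# IPsec SA, and its computer account must be in Finance Computers, to reach
# TCP 80 or 443. Everything else is dropped by the default inbound block.
netsh advfirewall firewall add rule name="Restrict Access to Finance Application" `
    dir=in action=allow protocol=TCP localport=80,443 `
    security=authenc rmtcomputergrp=$remoteComputers

# Task 6 equivalent: after SEA-CL1 has been restarted (new Kerberos ticket with the
# group membership) and has browsed to http://10.10.0.10, the main-mode SA between
# 10.10.0.10 and 10.10.0.50 appears in the monitor output.
netsh advfirewall firewall show rule name="Restrict Access to Finance Application" verbose
netsh advfirewall monitor show mmsa
```

A useful negative test is to remove SEA-CL1 from Finance Computers, restart it and browse again: IPsec main mode still completes (the connection security rule only requests authentication), but the inbound rule rejects the connection because the authenticated computer is not in the group, so the site does not load.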

Results: After this exercise, you should have successfully implemented firewall rules.

Exercise 3: Implementing a VPN Server
Task 1: Install Active Directory Certificate Services
1. On SEA-DC1, click Start and click Server Manager.
2. In the left pane, click Roles and then click Add Roles.
3. Click Next to begin the Add Roles Wizard.
4. Select the Active Directory Certificate Services check box and click Next.
5. Click Next on the Introduction to Active Directory Certificate Services page.
6. Ensure that the Certification Authority check box is selected.
7. Select the Certification Authority Web Enrollment check box, click Add
Required Role Services, and click Next.
8. Ensure that Enterprise is selected, and click Next.
9. Ensure that Root CA is selected, and click Next.
10. Ensure that Create a new private key is selected, and click Next.
11. Click Next to accept the default cryptography settings.
12. Click Next to accept the default CA name of Adatum-SEA-DC1-CA.
13. Click Next to accept the default validity period of 5 years.
14. Click Next to accept the default database and log locations.
15. Click Next on the Web Server (IIS) page.
16. Click Next on the Select Role Services page.
17. Click Install on the Confirm Installation Selections page.
18. After installation is complete, click Close and close Server Manager.

Task 2: Create an SSL certificate
1. On SEA-DC1, click Start, point to Administrative Tools, and click Internet
Information Services (IIS) Manager.
2. In the left pane, click SEA-DC1 (Adatum\Administrator) and double-click
Server Certificates.
3. In the actions pane, click Create Domain Certificate.
4. Enter the following and then click Next:
a. Common name: SEA-DC1.Adatum.com
b. Organization: A. Datum
c. Organizational unit: IT
d. City/locality: Seattle
e. State/province: Washington
f. Country/region: US
5. In the Specify Online Certification Authority box, type Adatum-SEA-DC1-
CA\SEA-DC1.Adatum.com.
6. In the Friendly name box, type WebSSL and click Finish.
7. Close Internet Information Services (IIS) Manager.

Task 3: Configure RRAS
1. On SEA-DC1, click Start, point to Administrative Tools, and click Routing
and Remote Access.
2. Right-click SEA-DC1 (local) and click Configure and Enable Routing and
Remote Access.
3. Click Next to start the Routing And Remote Access Server Setup Wizard.
4. Click Custom configuration and click Next.

Note: A custom configuration is required because this server has only a single network
card. In most cases, you could use the Remote Access (Dial-Up Or VPN) configuration.
5. Select the VPN access check box and click Next.
6. Click Finish.
7. Click Start Service.

Task 4: Create a network policy to allow VPN access
1. On SEA-DC1, click Start, point to Administrative Tools, and click Network
Policy Server.
2. In the left pane, expand Policies and click Network Policies.
3. Right-click Network Policies and click New.
4. In the Policy name box, type Allow Domain Admins, and then click Next.
5. In the Specify Conditions window, click Add.
6. Click Windows Groups and click Add.
7. Click Add Groups, type Domain Admins, and click OK.
8. Click OK, and then click Next.
9. Click Access granted and then click Next.
10. Click Next to accept the default authentication types.
11. Click Next to accept the default constraints.
12. Click Next to accept the default settings.
13. Click Finish and close Network Policy Server.

Task 5: Configure the client with a trusted root certificate
1. On SEA-CL1, click Start and click Internet.
2. In the address bar, type http://SEA-DC1.Adatum.com/certsrv and press
ENTER.
3. Log on as Adatum\Administrator with a password of Pa$$w0rd.
4. Click Download a CA certificate, certificate chain, or CRL.
5. If necessary, click Close to clear the information about the information bar.
6. Click Download CA certificate and click Open.
7. When the Certificate window opens, click Install Certificate.
8. Click Next to start the Certificate Import Wizard.
9. Select Automatically select the certificate store based on the type of
certificate and click Next.
10. Click Finish.
11. Click OK to close the Certificate Import Wizard dialog box.
12. Click OK to close the Certificate window.
13. Close Internet Explorer.
14. Click Start, and in the Start Search box, type mmc, then press ENTER.
15. Click File and click Add/Remove Snap-in.
16. Double-click Certificates, click My user account and click Finish.
17. Double-click Certificates, click Computer account, and click Next.
18. Click Local computer: (the computer this console is running on) and click
Finish.
19. Click OK.
20. In the left pane, expand Certificates Current User, expand Intermediate
Certification Authorities, and click Certificates.
21. Right-click Adatum-SEA-DC1-CA and click Copy.
22. In the left pane, expand Certificates (Local Computer), expand Trusted Root
Certification Authorities, and then click Certificates.
23. Right-click Certificates and click Paste.
24. Close the MMC window.
25. Click No when prompted to save settings.

Task 6: Configure and test an SSTP VPN connection
1. On SEA-CL1, click Start and click Connect To.
2. Click Set up a connection or network.
3. Click Connect to a workplace and click Next.
4. Click Use my Internet connection (VPN).
5. Click I'll set up an Internet connection later.
6. In the Internet address box, type SEA-DC1.Adatum.com.
7. In the Destination name box, type Adatum VPN and then click Next.
8. Click Create without entering a username and password.
9. Click Close.
10. Click Start and click Connect To.
11. Right-click Adatum VPN and click Properties.
12. Click the Networking tab.
13. In the Type of VPN box, select Secure Socket Tunneling Protocol (SSTP)
and then click OK.
14. Click Connect.
15. Log on as Adatum\Administrator with a password of Pa$$w0rd.
16. Click Close to close the Connect To A Network window.
17. Click Start and click Connect To.
Verify that the status of the connection is connected.
18. Click Disconnect.
19. Close all open windows.


Note: If you experience an error during your connection attempt, review the
configuration of your SSTP listener by using the instructions from Setting Up
The SSTP Listener And Verifying It in the Routing and Remote Access Blog at
http://blogs.technet.com/rrasblog/archive/2007/03/07/configuration-of-sstp-listener-
and-verification.aspx. In particular, you must manually remove and replace the certificate
used by SSTP if you want to change it. The SSTP client validates the server
certificate chain, including a revocation check, from the computer certificate
store, which is why Task 5 copies the root CA certificate into the Local Computer
Trusted Root Certification Authorities store rather than only the user's store.
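A client-side check of the trust prerequisites that Task 5 is meant to establish, followed by dialling the connection from Task 6. This is an added example, not part of the 6430B lab. It assumes PowerShell 2.0 on SEA-CL1 and the lab's names (SEA-DC1.Adatum.com, the CA Adatum-SEA-DC1-CA, the phonebook entry Adatum VPN); because SSTP is TLS over TCP 443, the same handshake and chain validation the RAS client performs can be reproduced with .NET before dialling.

```powershell
# Added example for Exercise 3, Tasks 5 and 6 (not from the 6430B lab).
# Run in PowerShell 2.0 on SEA-CL1 after Task 5.
function Test-SstpServerCertificate {
    param(
        [string]$Server     = 'SEA-DC1.Adatum.com',
        [string]$RootCaName = 'Adatum-SEA-DC1-CA'
    )
    $result = New-Object PSObject -Property @{
        RootInMachineStore = $false; TlsHandshake = $false; ChainWithCrl = $false
        Subject = $null; Error = $null
    }
    # Task 5 outcome: the enterprise root must be in LocalMachine\Root. The RAS
    # client runs as SYSTEM and does not see the CurrentUser store.
    $result.RootInMachineStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$RootCaName*" })
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Server, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Throws AuthenticationException if the name does not match the certificate
        # or the chain is not trusted: the same failure the VPN client would report.
        $ssl.AuthenticateAsClient($Server)
        $result.TlsHandshake = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject = $cert.Subject
        # AuthenticateAsClient above did not check revocation, but SSTP does, so build
        # the chain again with an online CRL check against the CA's CDP.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $result.ChainWithCrl = $chain.Build($cert)
        if (-not $result.ChainWithCrl) {
            $result.Error = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
        $ssl.Close()
        $tcp.Close()
    } catch {
        $result.Error = $_.Exception.Message
    }
    return $result
}

$check = Test-SstpServerCertificate
$check | Format-List RootInMachineStore, TlsHandshake, ChainWithCrl, Subject, Error

# Task 6 equivalent: dial the phonebook entry created in the GUI. The '*' makes
# rasdial prompt for the password instead of taking it on the command line.
if ($check.TlsHandshake -and $check.ChainWithCrl) {
    rasdial "Adatum VPN" ADATUM\Administrator *
    rasdial "Adatum VPN" /disconnect
}
```

If TlsHandshake is true but ChainWithCrl is false, the usual cause is a CRL distribution point that the client cannot reach; the SSTP connection then fails even though the certificate itself is trusted, which matches the kind of error the note above refers to.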

Exercise 4: Implementing NAP with DHCP Enforcement
Task 1: Install Network Policy Server
1. On SEA-DC1, click Start and click Server Manager.
2. In the left pane, expand Roles and then click Network Policy and Access
Services.
3. If necessary, scroll down, and then click Add Role Services.
4. On the Select Role Services page, select the Network Policy Server check
box, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. When installation is complete, click Close.
7. Close Server Manager.

Task 2: Configure NPS
1. On SEA-DC1, click Start, point to Administrative Tools, and then click
Network Policy Server.
2. If necessary, in the left pane, click NPS (Local).
3. In the Standard Configuration area, select Network Access Protection
(NAP) and click Configure NAP.
4. In the drop-down list box, select Dynamic Host Configuration Protocol
(DHCP) as the connection method.
5. Accept NAP DHCP as the policy name, and click Next.
6. Click Next to skip the configuration of RADIUS clients. This is not necessary
because DHCP is running on the NPS server.
7. On the Specify DHCP Scopes page, click Next.
8. On the Configure User Group and Machine Groups page, click Next.
9. On the Specify a NAP Remediation Server Group and URL page, click Next.
10. On the Define NAP Health Policy page, ensure that the following are selected,
and then click Next.
a. Windows Security Health Validator
b. Enable auto-remediation of client computers
c. Deny full network access to NAP-ineligible client computers. Allow access
to a restricted network only.
11. Review the settings and click Finish.
12. Expand Policies and click Connection Request Policies. Notice that a NAP
DHCP policy has been created by the wizard.
13. Click Network Policies. Notice that several policies for NAP have been created
by the wizard.
14. Click Health Policies. Notice that two policies for NAP have been created by
the wizard.
15. Close Network Policy Server.

Task 3: Configure DHCP
1. Click Start, point to Administrative Tools, and then click DHCP.
2. Expand SEA-DC1.adatum.com, expand IPv4, and then click Scope
[10.10.0.0] Adatum.
3. Right-click Scope [10.10.0.0] Adatum, and click Properties.
4. Click the Network Access Protection tab, click Enable for this scope, click
Use default Network Access Protection profile, and then click OK.
5. Expand Scope [10.10.0.0] Adatum, click Scope Options, right-click Scope
Options, and click Configure Options.
6. Click the Advanced tab, and in the User class box, select Default Network
Access Protection Class.
7. Select the 006 DNS Servers check box. In the IP Address box, type
10.10.0.10, and then click Add.
8. Select the 015 DNS Domain Name check box. In the String value box, type
restricted.adatum.com, and click OK.
9. Close DHCP.
Task 4: Configure NAP Client by using Group Policy
1. On SEA-DC1, click Start, point to Administrative Tools, and then click Active
Directory Users and Computers.
2. In the left pane, right-click Adatum.com, point to New, and click
Organizational Unit.
3. In the Name box, type NAP Clients, and then click OK.
4. In the left pane, click Computers.
5. Right-click SEA-CL1 and click Move.
6. Click NAP Clients, and click OK.
7. Close Active Directory Users and Computers.
8. Click Start, point to Administrative Tools, and click Group Policy
Management.
9. Under Forest: Adatum.com, under Domains, expand Adatum.com, and then
click NAP Clients.
10. Right-click NAP Clients and click Create a GPO in this domain, and Link it
here.
11. In the Name box, type DHCP NAP Client and click OK.
12. Right-click DHCP NAP Client and click Edit.
13. In the left pane, browse to Computer Configuration\Policies\Administrative
Templates\Windows Components\Security Center.
14. Double-click Turn on Security Center (Domain PCs only), click Enabled,
and then click OK.
15. Browse to Computer Configuration\Policies\Windows Settings\Security
Settings\System Services and double-click Network Access Protection
Agent.
16. Select the Define this policy setting check box, click Automatic, and click
OK.
17. In the left pane, in Security Settings, expand Network Access Protection,
expand NAP Client Configuration, and then click Enforcement Clients.
18. Right-click DHCP Quarantine Enforcement Client and click Enable.

19. In the left pane, right-click NAP Client Configuration and click Apply.
20. Close the Group Policy Management Editor.
21. Close Group Policy Management.

Task 5: Configure networking on the client
1. Restart SEA-CL1, and log on as Adatum\Administrator with a password of
Pa$$w0rd.
2. Click Start, in the Start Search box, type cmd, and then press ENTER.
3. Type gpupdate and press ENTER.
If an error occurs, wait a few moments and try again. The error is the
result of the authentication negotiation for the connection security rule in
a previous exercise.
To verify connectivity to SEA-DC1, you can use Internet Explorer to access
the http://10.10.0.10 Web site.
4. Close the command prompt.
5. Click Start, right-click Network, and click Properties.
6. Under Tasks, click Manage network connections.
7. Right-click Local Area Connection and click Properties.
8. Click Internet Protocol Version 4 (TCP/IPv4) and click the Properties
button.
9. Click Obtain an IP address automatically, click Obtain DNS server address
automatically, and then click OK.
10. Click Close and close all open windows.
Wait a few moments, and in most cases a warning about limited network
access will appear in the system tray. If this warning does not appear after a
few moments, continue with the next step. You will verify that the client
computer is on the restricted network in step 12.
11. Click Start, in the Start Search box, type cmd, and then press ENTER.
12. At the command prompt, type ipconfig /all and press ENTER. Notice that an
IPv4 address has been configured, but the subnet mask is 255.255.255.255
and the Connection-specific DNS suffix is restricted.adatum.com.
13. Close the command prompt.
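Step 12 above identifies the restricted network by eye from ipconfig output. The following script, added here as an example and not part of the 6430B lab, performs the same check from Windows PowerShell 1.0 on the client, using the WMI Win32_NetworkAdapterConfiguration class: a restricted DHCP lease shows as a 255.255.255.255 subnet mask, no default gateway and the restricted DNS suffix. The suffix restricted.adatum.com is the one configured in Task 3; the function and variable names are the author's own.

```powershell
# Added example, not part of the 6430B lab: report whether this NAP client holds a
# restricted DHCP lease, using the same evidence as step 12 of Task 5 (a
# 255.255.255.255 mask, no default gateway, the restricted DNS suffix).
# Assumption: the restricted suffix restricted.adatum.com from Task 3.
# Written for the Windows PowerShell 1.0 that the lab machines run.
function Test-NapRestricted {
    param([string]$RestrictedSuffix = "restricted.adatum.com")

    $restricted = $false
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    foreach ($nic in $adapters) {
        $addresses = [string]::Join(",", @($nic.IPAddress))
        $masks     = [string]::Join(",", @($nic.IPSubnet))
        $gateways  = [string]::Join(",", @($nic.DefaultIPGateway))

        # A restricted lease is a host route: mask all ones, no gateway handed out
        $hostMask  = (@($nic.IPSubnet) -contains "255.255.255.255")
        $noGateway = ($gateways -eq "")
        $suffixHit = ($nic.DNSDomain -eq $RestrictedSuffix)

        $state = "full access"
        if ($hostMask -and $noGateway -and $suffixHit) {
            $state = "RESTRICTED"
            $restricted = $true
        } elseif ($hostMask -or $suffixHit) {
            # Only part of the evidence is present: the lease or DNS may be stale
            $state = "inconsistent, review"
            $restricted = $true
        }

        Write-Host ("{0}: {1} | address {2} mask {3} gateway [{4}] suffix {5}" -f $nic.Description, $state, $addresses, $masks, $gateways, $nic.DNSDomain)
    }
    return $restricted
}

# The NAP agent's own view of enforcement clients and restriction state
netsh nap client show state

Test-NapRestricted
```

After step 2 of Task 7 (ipconfig /renew on a compliant client) the same function reports "full access" with the 255.255.0.0 mask and the Adatum.com suffix, which makes it a convenient before-and-after check during the lab.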

Task 6: Configure the SHV
1. On SEA-DC1, click Start, point to Administrative Tools, and then click
Network Policy Server.
2. In the left pane, expand Network Access Protection and click System Health
Validators.
3. Right-click Windows Security Health Validator, and click Properties.
4. Click the Configure button.
5. On the Windows Vista tab, deselect all check boxes except A firewall is
enabled for all network connections, and then click OK.
6. Click OK to close the Windows Security Health Validator Properties window.
7. Close Network Policy Server.

Task 7: Test compliance and auto-remediation on the client
1. On SEA-CL1, click Start, type cmd, and press ENTER.
2. Type ipconfig /renew and press ENTER. Notice that SEA-CL1 now has a
default gateway, a subnet mask of 255.255.0.0, and the Connection-specific
DNS suffix is Adatum.com.
3. Close the command prompt.
4. Click Start, and click Control Panel.
5. Click Security, and click Windows Firewall.
6. Click Change settings.
7. Click Off and click OK. Notice that Windows Firewall status is off only briefly
before being turned back on by the NAP client.
8. Close all open windows.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.


Module 8: Planning Server Administration

Lab: Planning Server Administration
Exercise 1: Planning for Branch Office Administration
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Branch Office Delegation document with your proposals
Answer the questions in the Branch Office Delegation document.
Branch Office Delegation
Document Reference Number: GW0511/1
Document Author: Gregory Weber
Date: 5th November
Requirement Overview
Determine which tasks can be delegated to Joe Healy in Sales.
Specify how this delegation will be achieved.
Additional Information
None
Proposals
1. Which features will you need to install on a recently deployed departmental
server to support administrative delegation?
Answer: Answers will vary, but in order to support the Windows PowerShell
scripts, the server will require Windows PowerShell. Because client computers
are not allowed to host management and administration tools, the local server
must have the Remote Server Administration Tools feature installed.


(continued)
Branch Office Delegation
Proposals (continued)
2. How will you manage the requirement that Joe needs to be able to manage
which GPOs apply to the Sales OU without giving him the ability to edit the
GPO settings?
Answer: Assign a group to which Joe belongs, the Manage Group Policy links
Active Directory permission on the Sales OU.
3. What delegated permissions will you give to Joe in Active Directory?
Answer: Aside from the Manage Group Policy links permission, these
additional permissions are required on the Sales OU in order to administer
Users, Groups, and Computers:
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Create, delete, and manage groups
Modify the membership of a group
Create and delete computer objects
4. How will you achieve this?
Answer: The Delegate Control wizard will enable you to establish most of
these permissions as common tasks. However, the computer administration
permissions need to be assigned manually, or as custom tasks.
5. Because you are not permitted to grant Joe any delegated permissions
directly, how will you achieve the required delegation?
Answer: Create a global group and add Joe to the group; grant that group
permissions.

Results: After this exercise, you should have a completed Branch Office Delegation
proposal document.


Exercise 2: Delegating Administration to Branch Office Personnel
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
7. Minimize the Lab Launcher window.

Task 2: Create the necessary security group
1. Switch to the SEA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. In Active Directory Users and Computers, expand Adatum.com, and then
click the Sales organizational unit.
4. Right-click Sales, click New, and then click Group.
5. In the New Object Group dialog box, in the Group name box, type Sales-Admins, and then click OK.
6. In the results pane, double-click Sales-Admins.
7. In the Sales-Admins Properties dialog box, click the Members tab, and then
click Add.
8. In the Select Users, Contacts, Computers, or Groups dialog box, in the Enter
the object names to select (examples) box, type Joe, click Check Names, and
then click OK.
9. In the Sales-Admins Properties dialog box, click OK.


Task 3: Delegate control of the Sales organizational unit
1. In the navigation pane, right-click Sales, and then click Delegate Control.
2. In the Delegation of Control Wizard, click Next.
3. On the Users or Groups page, click Add.
4. In the Select Users, Computers, or Groups dialog box, in the Enter the
object names to select (examples) box, type Sales-admins, click Check
Names, and then click OK.
5. On the Users or Groups page, click Next.
6. On the Tasks to Delegate page, in the Delegate the following common tasks
list, select the following check boxes, and then click Next:
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Create, delete, and manage groups
Modify the membership of a group
Manage Group Policy links
7. On the Completing the Delegation of Control Wizard page, click Finish.
8. In Active Directory Users and Computers, click View, and then click
Advanced Features.
9. Right-click Sales, and then click Properties.
10. In the Sales Properties dialog box, click the Security tab, and then click
Advanced.
11. In the Advanced Security Settings for Sales dialog box, click Add.
12. In the Select User, Computer, or Group dialog box, in the Enter the object
name to select (examples) box, type Sales-admins, click Check Names, and
then click OK.
13. In the Permission Entry for Sales dialog box, in the Permissions list, select
the following check boxes, and then click OK:
Create Computer objects/Allow
Delete Computer objects/Allow

14. In the Advanced Security Settings for Sales dialog box, click Add.
15. In the Select User, Computer, or Group dialog box, in the Enter the object
name to select (examples) box, type Sales-admins, click Check Names, and
then click OK.
16. In the Permission Entry for Sales dialog box, in the Apply to list, click
Descendant Computer objects.
17. In the Permissions list, click Full control/Allow, and then click OK.
18. In the Advanced Security Settings for Sales dialog box, click OK.
19. In the Sales Properties dialog box, click OK.
20. Close Active Directory Users and Computers.
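Delegation set through the wizard and the Advanced Security Settings dialog box is easy to over-grant and hard to see again afterwards. The following script, added here as an example and not part of the 6430B lab, reads the explicit access control entries on the Sales OU through ADSI (DirectoryEntry.ObjectSecurity) and lists those granted to Sales-Admins, flagging any entry that gives full control over every descendant rather than only descendant computer objects. The domain Adatum.com and the group Sales-Admins come from the lab; the three schemaIDGUID values are the well-known class GUIDs for computer, user and group; the function names are the author's own. It uses .psbase so it runs on the Windows PowerShell 1.0 installed in Task 6.

```powershell
# Added example, not part of the 6430B lab: review the delegation made in Task 3 by
# listing the explicit (non-inherited) ACEs on the Sales OU held by Sales-Admins.
# Assumptions: the lab's Adatum.com domain and Sales-Admins group.

# schemaIDGUIDs of the three classes in the delegation plan (fixed across AD forests)
$classGuids = @{
    "bf967a86-0de6-11d0-a285-00aa003049e2" = "computer"
    "bf967aba-0de6-11d0-a285-00aa003049e2" = "user"
    "bf967a9c-0de6-11d0-a285-00aa003049e2" = "group"
}

function Get-ClassName([Guid]$Guid) {
    if ($Guid -eq [Guid]::Empty) { return "(any)" }
    $name = $classGuids[$Guid.ToString()]
    if ($name) { return $name }
    return $Guid.ToString()   # attribute-set or extended-right GUID from the wizard's common tasks
}

function Get-OuDelegation {
    param([string]$OuPath  = "LDAP://OU=Sales,DC=Adatum,DC=com",
          [string]$Trustee = "ADATUM\Sales-Admins")

    $ou  = [ADSI]$OuPath
    $acl = $ou.psbase.ObjectSecurity
    # Explicit ACEs only: inherited ones come from the domain head, not from this delegation
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])

    $entries = @()
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $Trustee) { continue }
        $e = New-Object PSObject
        $e | Add-Member NoteProperty Type        $rule.AccessControlType.ToString()
        $e | Add-Member NoteProperty Rights      $rule.ActiveDirectoryRights.ToString()
        $e | Add-Member NoteProperty ObjectType  (Get-ClassName $rule.ObjectType)
        $e | Add-Member NoteProperty AppliesTo   (Get-ClassName $rule.InheritedObjectType)
        $e | Add-Member NoteProperty Inheritance $rule.InheritanceType.ToString()
        # Full control on every descendant would let the group take over users and groups
        # as well; the plan limits full control to descendant computer objects (step 16)
        $tooBroad = ($rule.ActiveDirectoryRights.ToString() -eq "GenericAll") -and
                    ($rule.InheritedObjectType -eq [Guid]::Empty) -and
                    ($rule.InheritanceType.ToString() -ne "None")
        $e | Add-Member NoteProperty ExceedsPlan $tooBroad
        $entries += $e
    }
    return $entries
}

Get-OuDelegation | Format-Table -AutoSize
```

Run it on SEA-DC1 after step 20. The entries created by steps 13 and 17 appear as CreateChild/DeleteChild with ObjectType computer, and GenericAll with AppliesTo computer; an ExceedsPlan value of True on any row means a permission entry was applied to "This object and all descendant objects" instead of "Descendant Computer objects" and should be corrected before Joe is given the group.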

Task 4: Configure group membership on the SEA-SVR1 server
1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the navigation tree, expand Configuration, expand
Local Users and Groups, and then click Groups.
4. In the Groups list, double-click Administrators.
5. In the Administrators Properties dialog box, click Add, and in the Select
Users, Computers, or Groups dialog box, in the Enter the object names to
select (examples) box, type Sales-admins, click Check Names, and then click
OK.
6. In the Administrators Properties dialog box, click OK.

Task 5: Enable remote desktop on SEA-SVR1
1. Click Start, right-click Computer, and then click Properties.
2. In the Tasks list, click Remote settings.
3. In the System Properties dialog box, click Allow connections only from
computers running Remote Desktop with Network Level Authentication
(more secure).
4. In the Remote Desktop dialog box, click OK.
5. In the System Properties dialog box, click Select Users.

6. In the Remote Desktop Users dialog box, click Add.
7. In the Select Users or Groups dialog box, in the Enter the object name to
select (examples) box, type Sales-admins, click Check Names, and then click
OK.
8. In the Remote Desktop Users dialog box, click OK.
9. In the System Properties dialog box, click OK.
10. Close System.
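Tasks 4 and 5 put a domain group into the local Administrators group and open Remote Desktop with Network Level Authentication. The script below, added as an example and not part of the 6430B lab, verifies both from the command line on SEA-SVR1: it reads the RDP-Tcp listener's UserAuthenticationRequired value from the Win32_TSGeneralSetting WMI class and the fDenyTSConnections registry value, and enumerates the local Administrators and Remote Desktop Users groups through the WinNT ADSI provider so that anything beyond Sales-Admins and the built-in members is listed for review. Group and trustee names come from the lab; the function names are the author's own.

```powershell
# Added example, not part of the 6430B lab: confirm on SEA-SVR1 that Remote Desktop is
# enabled with NLA required (Task 5) and that only the expected domain group was added
# to the local Administrators and Remote Desktop Users groups (Tasks 4 and 5).
# Assumption: the lab's ADATUM domain and Sales-Admins group.

function Get-LocalGroupMembers([string]$GroupName) {
    $group = [ADSI]("WinNT://./" + $GroupName + ",group")
    $members = @()
    foreach ($m in $group.psbase.Invoke("Members")) {
        # Members come back as COM objects; read each ADsPath through reflection
        $path = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
        $members += ($path -replace "^WinNT://", "")
    }
    return $members
}

function Test-RemoteDesktopNla {
    $ts   = Get-WmiObject -Namespace "root\cimv2\TerminalServices" -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $deny = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server").fDenyTSConnections
    $enabled = ($deny -eq 0)
    $nla     = ($ts.UserAuthenticationRequired -eq 1)   # 1 = NLA required, as chosen in Task 5 step 3
    Write-Host ("Remote Desktop enabled: {0}; NLA required: {1}" -f $enabled, $nla)
    return ($enabled -and $nla)
}

# The WinNT provider writes domain principals as DOMAIN/name
$expected = "ADATUM/Sales-Admins"
foreach ($g in "Administrators", "Remote Desktop Users") {
    $members = Get-LocalGroupMembers $g
    Write-Host ("{0}: {1}" -f $g, [string]::Join("; ", $members))
    if (-not ($members -contains $expected)) {
        Write-Host ("  missing {0}" -f $expected)
    }
    # Any other domain account or group in a local admin group deserves a second look
    foreach ($m in $members) {
        if (($m -ne $expected) -and ($m -like "ADATUM/*") -and ($m -notlike "*/Domain Admins")) {
            Write-Host ("  review: {0}" -f $m)
        }
    }
}

Test-RemoteDesktopNla
```

Because Sales-Admins is in the local Administrators group, its membership in Remote Desktop Users (Task 5 step 7) is not what grants the logon right; the check still lists both groups so that the server's remote-access surface is reviewed as a whole.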

Task 6: Install Windows PowerShell and RSAT on SEA-SVR1
1. Click Start, and then click Server Manager.
2. In Server Manager, in the navigation tree, click Features.
3. In the results pane, under Features Summary, click Add Features.
4. In the Add Features Wizard, on the Select Features page, expand Remote
Server Administration Tools.
5. Expand Role Administration Tools, and then select the Active Directory
Domain Services Tools check box.
6. Select the Windows PowerShell check box, and then click Next.
7. On the Confirm Installation Selections page, click Install, and then when
prompted, click Close, and in the Add Features Wizard dialog box, click Yes.
8. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
9. In the Resume Configuration Wizard, click Close.
10. Close Server Manager.

Task 7: Perform branch administration
1. Switch to the SEA-CL1 computer.

Note: If you are already logged on as Joe, log off and then proceed with the lab.
2. Log on as ADATUM\Joe with the password Pa$$w0rd.

3. Click Start, and in the Start Search box, type mstsc.exe, and then press
ENTER.
4. In the Remote Desktop Connection dialog box, in the Computer list, type
10.10.0.100, and then click Connect.
5. In the Windows Security dialog box, in the User name box, type
adatum\Joe.
6. In the Password box, type Pa$$w0rd, and then click OK.
7. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
8. In the User Account Control dialog box, click Continue.
9. In Active Directory Users and Computers, expand Adatum.com, and then
click the Sales organizational unit.
10. In the results pane, right-click Tom Higginbotham, and then click Delete.
11. In the Active Directory Domain Services dialog box, click Yes.
12. Right-click Sales, click New, and then click Computer.
13. In the New Object Computer dialog box, in the Computer name box, type
Sales-1 and then click OK.

Task 8: Create and run a Windows PowerShell script
1. Click Start, point to All Programs, click Windows PowerShell 1.0, right-click
Windows PowerShell, and then click Run as administrator.
2. In the User Account Control dialog box, click Continue.
3. At the Windows PowerShell Command Prompt, type notepad user.ps1 and
then press ENTER.
4. In the Notepad dialog box, click Yes.
5. In Notepad, type the following lines of code:
$objOU = [ADSI]"LDAP://OU=sales,DC=Adatum,DC=com"
$objUSR = $objOU.Create("User","cn=Tom Higginbotham")
$objUSR.Put("SAMACCOUNTNAME","Tom")
$objUSR.SetInfo()
6. Click File, click Save, and then close Notepad.

7. At the Windows PowerShell Command Prompt, type set-executionpolicy
remotesigned, and then press ENTER.
8. At the Windows PowerShell Command Prompt, type ./user.ps1 and then
press ENTER.
9. Switch to Active Directory Users and Computers.
10. Refresh the view.
11. Right-click Tom Higginbotham, and then click Enable Account.
12. Close all open windows.
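The user.ps1 script in Task 8 creates the account with no password and leaves it disabled, which is why step 11 enables it by hand. The script below, added as an example and not part of the 6430B lab, follows the same ADSI approach but completes the account creation: it sets an initial password read from the console, forces a password change at next logon by clearing pwdLastSet, and enables the account by writing a userAccountControl of 512 (NORMAL_ACCOUNT). The OU, user name and common name are the lab's; the userPrincipalName suffix adatum.com and the read-back at the end are the author's additions. Run it in the same elevated Windows PowerShell session as Joe, since Sales-Admins holds the delegated rights from Exercise 2, Task 3.

```powershell
# Added example, not part of the 6430B lab: create the same user as user.ps1 but with
# an initial password, a forced change at next logon and the account enabled.
# Assumptions: the lab's Sales OU and user; the UPN suffix adatum.com.
$ouPath   = "LDAP://OU=Sales,DC=Adatum,DC=com"
$userName = "Tom"                  # sAMAccountName, as in the lab script
$cn       = "Tom Higginbotham"

# Read the initial password at run time rather than hard-coding it in the script;
# it must satisfy the domain password policy or SetPassword fails
$initialPassword = Read-Host ("Initial password for " + $userName)

$ou   = [ADSI]$ouPath
$user = $ou.Create("User", "cn=" + $cn)
$user.Put("sAMAccountName", $userName)
$user.Put("userPrincipalName", $userName + "@adatum.com")
$user.SetInfo()                    # the object must exist before a password can be set

$user.psbase.Invoke("SetPassword", $initialPassword)
$user.Put("pwdLastSet", 0)         # 0 = user must change password at next logon
# 512 = NORMAL_ACCOUNT with the ACCOUNTDISABLE bit (0x2) clear; user.ps1 leaves it set
$user.Put("userAccountControl", 512)
$user.SetInfo()

# Read back what was committed
$user.psbase.RefreshCache()
Write-Host ("{0} created; userAccountControl = {1} (512 = enabled normal account)" -f $cn, $user.Get("userAccountControl"))
```

If the account is to be created disabled on purpose (for example, ahead of a start date), omit the userAccountControl line and keep the manual Enable Account step; the password and pwdLastSet settings still apply when it is later enabled.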

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.


Module 9: Planning and Implementing
Monitoring and Maintenance

Lab: Planning and Implementing Monitoring and Maintenance
Exercise 1: Evaluating Performance Metrics
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Identify performance problems with Windows Server 2008 - Part A
You know that the server 6430A-NYC-SVR1 experiences low network traffic and
has limited disk activity, but the help desk is receiving many reports that the server
is slow.
1. Switch to the SEA-SVR1 computer.
2. Click Start, point to Administrative Tools, and then click Reliability and
Performance Monitor.
3. Expand Monitoring Tools, and then click Performance Monitor.

4. In Performance Monitor, click the View Log Data button (CTRL+L).
5. In the Performance Monitor Properties dialog box, on the Source tab, click
Log Files, and then click Add.
6. In the Select Log File dialog box, in the File name box, type
D:\Labfiles\Mod09\Ex1A\EX1A.blg, and then click Open.
7. In the Performance Monitor Properties dialog box, click OK.
8. In Performance Monitor, click Add (CTRL+I).
9. In the Add Counters dialog box, under Available counters, expand
Processor, and then click % Processor Time.
10. Under Instances of selected object, click 0, and then click Add.
11. In the Add Counters dialog box, under Available counters, expand System,
click Processor Queue Length, click Add, and then click OK.
12. View the graph of the CPU usage on 6430A-NYC-SVR1:
a. The maximum value is 100 percent.
b. The average value is 82.58 percent.
13. In Performance Monitor, click Add (CTRL+I).
14. In the Add Counters dialog box, under Available counters, expand Process,
and then click % Processor Time.
15. Under Instances of selected object, select <All Instances>, click Add, and
then click OK.
16. Review the % Processor Time used by each process. It is useful to use the
Highlight button (CTRL+H) to view each instance. Identify the process that is
consuming the CPU.
Answer: The cpustres process is consuming most of the CPU time.
17. Close Reliability and Performance Monitor.

Task 3: Identify performance problems with Windows Server 2008 - Part B
You know that the server 6430A-NYC-SVR1 is not running processor-intensive
applications, but the help desk is receiving many reports that the server is slow.
1. Click Start, point to Administrative Tools, and then click Reliability and
Performance Monitor.
2. Expand Monitoring Tools, and then click Performance Monitor.
3. In Performance Monitor, click View Log Data (CTRL+L).
4. In the Performance Monitor Properties dialog box, on the Source tab, click
Log files, and then click Add.
5. In the Select Log File dialog box, in the File name box, type
D:\Labfiles\Mod09\Ex1B\EX1B.blg, and then click Open.
6. In the Performance Monitor Properties dialog box, click OK.
7. In Performance Monitor, click Add (CTRL+I).
8. In the Add Counters dialog box, under Available counters, expand Physical
Disk, and then click Avg. Disk Queue Length.
9. Under Instances of selected object, click 0 C:, and then click Add.
10. Under Available counters, click Current Disk Queue Length.
11. Under Instances of selected object, click 0 C:, and then click Add.
12. Under Available counters, click Disk Transfers/sec.
13. Under Instances of selected object, click 0 C:, and then click Add.
14. Under Available counters, expand Process, and then click IO Data Bytes/sec.
15. Under Instances of selected object, click <All Instances>, click Add, and then
click OK.
16. Review the IO Data Bytes/sec values for each process. It is useful to use the
Highlight button (Ctrl+H) to view each instance. Identify the process that is
consuming the disk transfer capacity.
Answer: The explorer process is consuming the disk resources.
17. Close the Reliability and Performance Monitor.

Task 4: Identify performance problems with Windows Server 2008 - Part C
You know that the server 6430A-NYC-SVR1 experiences low network traffic and is
not running processor-intensive applications, but the help desk is receiving many
reports that the server is slow.
1. Click Start, point to Administrative Tools, and then click Reliability and
Performance Monitor.
2. Expand Monitoring Tools, and then click Performance Monitor.
3. In Performance Monitor, click View Log Data (CTRL+L).
4. In the Performance Monitor Properties dialog box, on the Source tab, click
Log files, and then click Add.
5. In the Select Log File dialog box, in the File name box, type
D:\Labfiles\Mod09\Ex1C\EX1C.blg, and then click Open.
6. In the Performance Monitor Properties dialog box, click OK.
7. In Performance Monitor, click Add (CTRL+I).
8. In the Add Counters dialog box, under Available counters, expand Process,
and then click Working Set -Private.
9. Under Instances of selected object, click <All Instances>, and then click Add.
10. Under Available counters, expand Paging File, click % Usage, hold down
CTRL, and then click % Usage Peak.
11. Under Instances of selected object, click \??\C:\pagefile.sys, and then click
Add.
12. Under Available counters, expand Memory, click % Committed Bytes In
Use, hold down CTRL and click Available MBytes, Committed Bytes, Page
Faults/sec, Pages/sec, Pool Nonpaged Bytes, Pool Paged Bytes, click Add,
and then click OK.
13. View the graph of the memory and process usage on 6430A-NYC-SVR1.
Review the minimum and maximum values for each counter to locate the
problem. (The value for Available MBytes drops to 4 MB.) Review the
Working Set - Private value for each process. It is useful to use the Highlight
button (CTRL+H) to view each instance. Determine which process is
consuming memory.
Answer: The leakyapp processes are consuming memory.
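Parts A, B and C each find the offending process by adding a Process counter for all instances and highlighting them one at a time. The script below, added as an example and not part of the 6430B lab, does the same comparison live with the .NET System.Diagnostics.PerformanceCounter class (Windows PowerShell 1.0 on Windows Server 2008 has no Get-Counter cmdlet): it samples one counter of the Process object for every process and returns the top consumers, so the same function serves "% Processor Time" (Part A), "IO Data Bytes/sec" (Part B) and "Working Set - Private" (Part C). Counter and object names are the real ones used in the lab; the function name and parameters are the author's own.

```powershell
# Added example, not part of the 6430B lab: rank processes by one Process counter,
# the live equivalent of the per-instance review in Tasks 2 to 4.
# Counter names used in the lab: "% Processor Time", "IO Data Bytes/sec",
# "Working Set - Private". Runs on Windows PowerShell 1.0 (no Get-Counter needed).
function Get-TopProcessByCounter {
    param(
        [string]$CounterName   = "% Processor Time",
        [int]$Top              = 5,
        [int]$SampleSeconds    = 2
    )

    $category = New-Object System.Diagnostics.PerformanceCounterCategory("Process")
    $counters = @()
    foreach ($inst in $category.GetInstanceNames()) {
        if ($inst -eq "_Total" -or $inst -eq "Idle") { continue }
        # $true = read-only counter
        $c = New-Object System.Diagnostics.PerformanceCounter("Process", $CounterName, $inst, $true)
        # Rate counters such as % Processor Time need two samples; the first call primes them
        [void]$c.NextValue()
        $counters += $c
    }
    Start-Sleep -Seconds $SampleSeconds

    $results = @()
    foreach ($c in $counters) {
        # The process may have exited between the two samples
        if (-not $category.InstanceExists($c.InstanceName)) { continue }
        $o = New-Object PSObject
        $o | Add-Member NoteProperty Process $c.InstanceName
        $o | Add-Member NoteProperty Value   ([math]::Round($c.NextValue(), 2))
        $results += $o
    }
    return ($results | Sort-Object Value -Descending | Select-Object -First $Top)
}

# Part A: CPU; Part B: disk transfer; Part C: private memory
Get-TopProcessByCounter "% Processor Time"   | Format-Table -AutoSize
Get-TopProcessByCounter "IO Data Bytes/sec"  | Format-Table -AutoSize
Get-TopProcessByCounter "Working Set - Private" | Format-Table -AutoSize
```

On a multi-processor server a process's % Processor Time can exceed 100, because the Process object sums all of its threads' time across processors. For the saved .blg logs used in the lab, the relog tool (for example relog EX1A.blg -f CSV -o ex1a.csv) exports the samples to CSV so the same ranking can be done offline.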

Exercise 2: Monitoring Performance Metrics
Task 1: Create a data collector set to measure server requirements
1. In Reliability and Performance Monitor, expand Data Collector Sets, and then
click User Defined.
2. On the Action menu, point to New, and then click Data Collector Set.
3. In the Create new Data Collector Set dialog box, in the Name box, type File-Server-Monitoring, and then click Next.
4. On the Which template would you like to use? page, ensure that System
Performance is selected, and then click Next.
5. On the Where would you like the data to be saved? page, accept the default
location, and then click Next.
6. On the Create the data collector set? page, click Finish.
7. In Reliability and Performance Monitor, double-click File-Server-Monitoring,
and then double-click Performance Counter. Review the properties and add
any additional objects and counters that are required. In the Performance
Counter Properties dialog box, click OK.
8. Right-click File-Server-Monitoring, and then click Properties.
9. In the File-Server-Monitoring Properties dialog box, on the Stop Condition
tab, in the Overall duration box, type 2, and then click OK.
10. In Reliability and Performance Monitor, right-click File-Server-Monitoring,
and then click Start.
11. In Reliability and Performance Monitor, on the Action menu, click Latest
Report.
12. Review the collected data. (After approximately two minutes, the report should
show the results of the data collector.)
13. Close the Reliability and Performance Monitor.

Exercise 3: Configuring Data Collector Sets
Task 1: Generate an alert by using a data collector set
Create a user-defined data collector set and configure an alert to trigger when the
CPU reaches a critical state.
1. Click Start, point to All Programs, point to Administrative Tools, and then
click Reliability and Performance Monitor.
2. Select Data Collector Sets, and then double-click User Defined.
3. On the Action menu, point to New, and then click Data Collector Set.
4. In the Create new Data Collector Set dialog box, in the Name box, type High-CPU-Monitoring.
5. Click Create manually (Advanced), and then click Next.
6. On the What type of data do you want to include? page, click Performance
Counter Alert, and then click Next.
7. On the Which performance counters would you like to monitor? page, click
Add.
8. Under Available counters, expand Processor, and then click %Processor
Time.
9. Under Instances of selected object, click 0, click Add, and then click OK.
10. On the Which performance counters would you like to monitor? page, in
the Limit box, type 95 and then click Next.
11. On the Create the data collector set? page, click Finish.
12. In Reliability and Performance Monitor, double-click High-CPU-Monitoring,
and then double-click DataCollector01. (You may need to adjust the sample
interval time to trigger the alert.)
13. In the DataCollector01 Properties dialog box, on the Alert Action tab, select
the Log an entry in the application event log check box, and then click OK.
14. Close Reliability and Performance Monitor.

Exercise 4: Evaluating Trends
Scenario
In this exercise, you will compare your answers to the previous exercises with the
rest of the class, share your answers with other students, and learn alternative
methods to identify performance issues.
The main task for this exercise is to discuss your solutions with the class.
You should compare the performance counters that have been used and explain
why you have used specific counters to make your decision. You should also
consider other counters that other students have used.
To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Lab: Planning High Availability and Disaster Recovery L10-107

Module 10: Planning High Availability and
Disaster Recovery

Lab: Planning High Availability and
Disaster Recovery
Exercise 1: Planning for Branch Office High Availability and
Data Recovery
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the High Availability for Sales Database document with
your proposals
Answer the questions in the High Availability for Sales Database document.
High Availability for Sales Database
Document Reference Number: GW1602/1
Document Author: Gregory Weber
Date: 16th February
Requirement Overview
To provide a high-availability solution that ensures that the failure of any single
component will not cause the Sales database to become unavailable.
To ensure that the database is recoverable in the event of multiple disk failures.
Additional Information
All servers are installed with Windows Server 2008 Enterprise Edition.

High Availability for Sales Database (continued)
Proposals
1. In the current system, what component(s) are a point of failure?
Answer: The back-end database; the front-end Web servers; the storage that
hosts the database; the supply of power to all systems.
2. For each element, how would you propose to prevent a system failure
resulting from a component failure?
Answer: The back-end database. Implement Failover Clustering; this is
required because the database is stateful, that is, it contains data that
changes, and each client computer's view of the system is different at a point
in time.
The front-end Web servers. Implement Network Load Balancing; the front end
is stateless, and contains no changing data. Client computers are indifferent as
to which Web server they connect through.
The storage that hosts the database. Consider implementing a RAID solution
for the storage that hosts the database.
The supply of power to all systems. An uninterruptible power supply (UPS)
does provide some uptime during a power failure, often enough to properly
shut down a database and avoid corruption.
3. What Windows Server 2008 role or feature could help provide for each of
these proposals?
Answer: Windows Server 2008 provides the Network Load Balancing and
Failover Clustering features. Although disk fault tolerance can be provided
through the software, it is usually more appropriate to implement a fault-tolerant
array through hardware.
4. After implementing the roles or features proposed, is there any remaining
component that represents a single point of failure?
Answer: Loss or unavailability of a datacenter.
5. Have you any recommendations regarding these component(s)?
Answer: Alan Steiner mentioned that the database is to be replicated among
the branches. This will provide a contingency in the event of a link failure.

Results: After this exercise, you should have a completed High Availability for Sales
Database proposal document.


Exercise 2: Implementing the High Availability and Disaster
Recovery Plan
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-SVR2, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
7. Log on to 6430B-SEA-SVR2 as ADATUM\Administrator with the password
Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Install NLB on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In the navigation tree, click Features.
4. In the results pane, click Add Features.
5. In the Add Features Wizard, select the Network Load Balancing check box,
and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.

Task 3: Install IIS on SEA-SVR1
1. In Server Manager, in the navigation tree, click Roles.
2. In the results pane, click Add Roles.
3. In the Add Roles Wizard, click Next.
4. In the Roles list, select the Web Server (IIS) check box. Then in the Add
Roles Wizard dialog box, click Add Required Features, and click Next.
5. On the Web Server (IIS) page, click Next.
6. On the Select Role Services page, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, click Close.
9. Close Server Manager.

Task 4: Create a Web site on SEA-SVR1
1. Click Start, and then click Command Prompt.
2. Type the following commands at the command prompt, and press ENTER
after each command:
Cd\inetpub\wwwroot
Xcopy \\sea-dc1\c$\inetpub\wwwroot\intranet\*.* /s
Exit

Task 5: Install NLB on SEA-SVR2
1. Switch to the SEA-SVR2 computer.
2. Click Start, and then click Server Manager.
3. In the navigation tree, click Features.
4. In the results pane, click Add Features.
5. In the Add Features Wizard, select the Network Load Balancing check box,
and then click Next.

6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.

Task 6: Install IIS on SEA-SVR2
1. In Server Manager, in the navigation tree, click Roles.
2. In the results pane, click Add Roles.
3. In the Add Roles Wizard, click Next.
4. In the Roles list, select the Web Server (IIS) check box. Then in the Add
Roles Wizard dialog box, click Add Required Features, and click Next.
5. On the Web Server (IIS) page, click Next.
6. On the Select Role Services page, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, click Close.
9. Close Server Manager.

Task 7: Create a Web site on SEA-SVR2
1. Click Start, and then click Command Prompt.
2. Type the following commands at the command prompt, and press ENTER
after each command:
Cd\inetpub\wwwroot
Xcopy \\sea-dc1\c$\inetpub\wwwroot\intranet\*.* /s
Exit

Task 8: Create the NLB cluster
1. Switch to the SEA-DC1 computer.
2. Click Start, and then click Server Manager.
3. In the navigation tree, click Features.
4. In the results pane, click Add Features.
5. In the Features list, expand Remote Server Administration Tools, expand
Feature Administration Tools, select the Network Load Balancing Tools
check box, and then click Next.
6. Click Install, and then click Close.
7. Close Server Manager.
8. Click Start, point to Administrative Tools, and then click Network Load
Balancing Manager.
9. When the Network Load Balancing Manager window opens, maximize the
window.
10. In the navigation tree, right-click Network Load Balancing Clusters, and then
click New Cluster.
11. In the New Cluster: Connect dialog box, in the Host field, type SEA-SVR1,
and then click Connect.
12. Click Next.
13. Click Next on the Host Parameters page.
14. On the Cluster IP Addresses page, click Add.
15. In the Add IP Address dialog box, in the IPv4 address field, type 10.10.10.10,
and press TAB. Then in the Subnet mask field, type 255.255.0.0.
16. Click OK, and then click Next.
17. On the Cluster Parameters page, in the Full Internet name field, type
webfarm.adatum.com.
18. Click Multicast, and then click Next.
19. On the Port Rules page, click Edit.
20. In the Add/Edit Port Rule dialog box, in the From field, type 80, and in the
To field, type 80.
21. Under Protocols, click TCP.
22. For Affinity, click None.
23. Click OK, and then click Finish.

24. In the console tree, right-click webfarm.adatum.com, and then click Add Host
To Cluster.
25. In the Add Host to Cluster: Connect dialog box, in the Host field, type
SEA-SVR2, and then click Connect.
26. Click Next.
27. On the Host Parameters page, click Next.
28. On the Port Rules page, click Finish.

Task 9: Configure DNS records
1. Click Start, point to Administrative Tools, and then click DNS.
2. In DNS Manager, expand SEA-DC1, expand Forward Lookup Zones, expand
Adatum.com, and then right-click Adatum.com.
3. Click New Host (A or AAAA).
4. In the New Host dialog box, in the Name box, type webfarm.
5. In the IP address box, type 10.10.10.10, and then click Add Host.
6. In the DNS dialog box, click OK.
7. In the New Host dialog box, click Done.
8. Close DNS Manager.

Note: You will test the cluster at the end of the exercise.

Task 10: Install the Windows Server Backup features
1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the navigation tree, click Features.
4. In the results pane, click Add Features.
5. In the Features list, select the Windows Server Backup Features check box,
and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close, and then close Server Manager.

Task 11: Enable shadow copies
1. Click Start, click Computer, right-click Local Disk (C:), and then click
Configure Shadow Copies.
2. In the Shadow Copies dialog box, click Enable.
3. In the Enable Shadow Copies dialog box, click Yes.
4. In the Shadow Copies dialog box, click Settings.
5. In the Settings dialog box, click Schedule.
6. In the C:\ dialog box, select both the Sat and Sun check boxes, and then click
OK.
7. In the Settings dialog box, click OK.
8. In the Shadow Copies dialog box, click Create Now, and then click OK.

Task 12: Verify the presence of previous versions of the Web site
1. In Windows Explorer, double-click Local Disk (C:), double-click inetpub,
right-click wwwroot, and then click Properties.
2. In the wwwroot Properties dialog box, click the Previous Versions tab.
3. Verify that there are previous versions listed, and then click OK.
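The Previous Versions tab only confirms by hand what Tasks 11 and 12 set up; the script below is an added example (not part of the 6430B lab) that performs the same check from PowerShell by parsing vssadmin.exe, which ships with Windows Server 2008. It assumes English-language vssadmin output and that the schedule created in Task 11 appears as a ShadowCopyVolume{GUID} scheduled task (an assumption about the task-name convention).

```powershell
# Added example, not part of the 6430B lab. Checks that shadow copies of C:
# exist and are recent enough for the Previous Versions tab to be useful.

function Get-ShadowCopyStatus {
    param(
        [string]$Volume     = 'C:',
        [int]   $MaxAgeDays = 7   # the lab schedule runs on Sat and Sun; a week is a generous bound
    )
    # vssadmin prints one block per shadow copy set (constructed sample of the real layout):
    #   Contained 1 shadow copies at creation time: 4/9/2010 7:45:00 AM
    #      Shadow Copy ID: {...}
    # Assumes English output; the timestamp is parsed with the current culture.
    $output = & vssadmin.exe list shadows "/for=$Volume" 2>&1
    $times  = @()
    $ids    = 0
    foreach ($line in $output) {
        $text = "$line"
        if ($text -match 'creation time:\s*(.+)$') { $times += [datetime]$matches[1] }
        if ($text -match 'Shadow Copy ID:')        { $ids++ }
    }

    # Newest snapshot without relying on array indexing of a scalar (PowerShell 1.0/2.0 safe).
    $newest = $null
    foreach ($t in $times) { if ($newest -eq $null -or $t -gt $newest) { $newest = $t } }
    $stale = ($newest -eq $null) -or (((Get-Date) - $newest).TotalDays -gt $MaxAgeDays)

    if ($ids -eq 0) {
        Write-Warning "No shadow copies exist for $Volume; the Previous Versions tab will be empty"
    } elseif ($stale) {
        Write-Warning "Newest shadow copy of $Volume is from $newest; check the schedule"
    }

    $status = New-Object PSObject
    $status | Add-Member NoteProperty Volume  $Volume
    $status | Add-Member NoteProperty Count   $ids
    $status | Add-Member NoteProperty Newest  $newest
    $status | Add-Member NoteProperty Healthy (($ids -gt 0) -and -not $stale)
    $status
}

function Test-ShadowCopySchedule {
    # Windows creates a scheduled task per volume when a shadow copy schedule is set;
    # the ShadowCopyVolume{GUID} naming is assumed here.
    $tasks = @(& schtasks.exe /query /fo LIST 2>&1 | Where-Object { "$_" -match 'ShadowCopyVolume' })
    if ($tasks.Count -eq 0) {
        Write-Warning 'No shadow copy schedule found; snapshots will not be created automatically'
        return $false
    }
    $true
}

Get-ShadowCopyStatus -Volume 'C:'
Test-ShadowCopySchedule
```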

Task 13: Establish groups to secure the backup process
1. Click Start, and then click Server Manager.
2. In Server Manager, expand Configuration, expand Local Users and Groups,
and then click Groups.
3. In the Groups list, double-click Backup Operators.
4. In the Backup Operators Properties dialog box, click Add.
5. In the Select Users, Computers, or Groups dialog box, in the Enter the
object names to select (examples) box, type Joe, click Check Names, and
then click OK.

6. In the Backup Operators Properties dialog box, click OK.
7. Log off.

Task 14: Perform a backup of the branch server
1. Log on to 6430B-SEA-SVR1 as ADATUM\Joe with the password Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Windows Server
Backup.
3. In the User Account Control dialog box, in the Password box, type
Pa$$w0rd, and then click OK.
4. In Windows Server Backup (Local), in the actions pane, click Backup Once.
5. In the Backup Once Wizard, on the Backup options page, click Next.
6. On the Select backup configuration page, click Custom, and then click Next.
7. On the Select backup items page, click Next.
8. On the Specify destination type page, click Remote shared folder, and then
click Next.
9. On the Specify remote folder page, in the Type the path to the remote
shared folder box, type \\sea-dc1\public, and then click Next.
10. On the Specify advanced option page, click Vss copy backup
(recommended), and then click Next.
11. On the Confirmation page, click Backup.
12. After the backup has started, click Close.
13. Close Windows Server Backup.
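Backup Operators carries the backup and restore privileges, which let its members read and write any file regardless of its ACL, so after Task 13 the group's membership is worth verifying, and after Task 14 so is the fact that the copy backup actually reached the share. The script below is an added example (not part of the 6430B lab) for Windows Server 2008 with the PowerShell feature installed; it assumes the lab names ADATUM\Joe and \\sea-dc1\public, and the approved-member list is a constructed value.

```powershell
# Added example, not part of the 6430B lab: audit the branch server's Backup
# Operators group against an approved list and confirm a recent backup exists
# on the remote share used in Task 14.

$ApprovedBackupOperators = @('ADATUM\Joe')      # constructed allow-list for the lab
$BackupTarget            = '\\sea-dc1\public'   # remote shared folder from Task 14

function Get-LocalGroupMembers {
    param([string]$GroupName)
    # The WinNT ADSI provider enumerates local group members without any extra tools.
    $group = [ADSI]"WinNT://./$GroupName,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        # ADsPath is WinNT://ADATUM/Joe for a domain account and may carry an extra
        # leading segment for local accounts, so keep only the last two segments.
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts = ($path -replace '^WinNT://', '').Split('/')
        '{0}\{1}' -f $parts[$parts.Length - 2], $parts[$parts.Length - 1]
    }
}

function Test-BackupOperators {
    param([string[]]$Approved)
    $members = @(Get-LocalGroupMembers -GroupName 'Backup Operators')
    # -notcontains is case-insensitive, matching how Windows compares account names.
    $unexpected = @($members  | Where-Object { $Approved -notcontains $_ })
    $missing    = @($Approved | Where-Object { $members  -notcontains $_ })

    foreach ($m in $unexpected) {
        Write-Warning "Unapproved Backup Operator: $m (can read and restore any file on this server)"
    }
    foreach ($m in $missing) {
        Write-Warning "Approved operator not in group: $m (the backup job will fail)"
    }

    $result = New-Object PSObject
    $result | Add-Member NoteProperty Members    $members
    $result | Add-Member NoteProperty Unexpected $unexpected
    $result | Add-Member NoteProperty Compliant  (($unexpected.Count -eq 0) -and ($missing.Count -eq 0))
    $result
}

function Test-RemoteBackupVersions {
    param([string]$Target, [int]$MaxAgeHours = 24)
    # wbadmin get versions lists every backup stored on the target. Assumes English
    # output, where each entry carries a "Backup time:" line parsed with the current culture.
    $output = & wbadmin.exe get versions "-backupTarget:$Target" 2>&1
    $times  = @()
    foreach ($line in $output) {
        if ("$line" -match '^Backup time:\s*(.+)$') { $times += [datetime]$matches[1] }
    }
    if ($times.Count -eq 0) {
        Write-Warning "No backup versions found at $Target"
        return $false
    }
    $newest = $times[0]
    foreach ($t in $times) { if ($t -gt $newest) { $newest = $t } }
    $age = (Get-Date) - $newest
    if ($age.TotalHours -gt $MaxAgeHours) {
        Write-Warning ('Newest backup at {0} is {1:N0} hours old' -f $Target, $age.TotalHours)
        return $false
    }
    Write-Host ('Newest backup at {0}: {1} ({2} version(s) present)' -f $Target, $newest, $times.Count)
    $true
}

Test-BackupOperators -Approved $ApprovedBackupOperators
Test-RemoteBackupVersions -Target $BackupTarget
```

Run it as a member of Backup Operators or Administrators, since wbadmin refuses to list versions otherwise.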

Task 15: Test the NLB cluster
1. Switch to the SEA-DC1 computer.
2. Click Start, point to All Programs, and then click Internet Explorer.
3. In the Microsoft Internet Explorer address bar, type
http://webfarm.adatum.com, and then press ENTER.
The A Datum Intranet page appears.
4. Turn off the SEA-SVR1 computer. In the Close box, select Turn off machine
and discard changes. Click OK.
5. On SEA-DC1, in the Internet Explorer address bar, type
http://webfarm.Adatum.com, and then press ENTER.


Note: Even though an NLB Cluster member is unavailable, the Web site is still available.
Results: After this exercise, you should have successfully implemented your high-availability
and recovery plan.
To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Lab: Planning Virtualization L11-117

Module 11: Planning Virtualization

Lab: Planning Virtualization
Exercise 1: Creating a Virtualization Plan
Task 1: Read the supporting documentation
Read the supporting documentation.
Determine if you need any more information and ask your instructor to clarify
if required.

Task 2: Create a plan for a virtualization pilot project

Note: Your answers may vary from the lab answer key in this plan. There are several
acceptable combinations of servers to virtualize. This is only one example.
Which servers will be virtualized?
Answer: The first servers to be virtualized are SQLTest and PServer.
Why were those servers selected?
Answer: Those servers were selected because they have relatively low memory
utilization, older hardware, and relatively low risk. If they were unavailable
for a few hours, it would not impact production too much.
How will those servers be virtualized?
Answer: A physical-to-virtual conversion will be performed to convert the
servers. This is faster and more reliable than just backing up and restoring the
servers.
Do we need any additional tools besides Hyper-V?
Answer: Yes, System Center Virtual Machine Manager is required to perform
the physical-to-virtual migrations. This tool will also be beneficial for
centralized management as our virtualization environment grows.

What are the hardware specifications for the server?
Answer: The requirements for virtualizing these servers are relatively light, but
we should buy sufficient hardware that we can use for additional virtual
machines down the road. I suggest the following specifications:
Dual processor, quad core
24 GB of RAM
6 hot-swap SCSI drives: two disks mirrored for the host operating system,
and 3 disks in a RAID 5 array with a hot spare for the virtual machines
Which operating system should be used on the host?
Answer: To run Hyper-V, we need a 64-bit version of Windows Server 2008.
Standard edition supports up to 32 GB of RAM, which is more than adequate
for our needs. Standard edition also supports up to 4 processors, which also
meets our needs.
We already own licenses for the virtual machines we will be creating, so
licensing is not a concern. However, in the long run we may want to consider
Enterprise or Datacenter editions because they include multiple virtualization
licenses.

Results: After this exercise, you should have a completed plan for a virtualization pilot
project.


Exercise 2: Implementing Virtualization (Optional)
Task 1: Configure the computer BIOS for Hyper-V

Note: The first set of BIOS configuration steps in this exercise is correct for a Dell
Optiplex 755 with an Intel processor. Also included are steps for an HP DC5850 machine.
The steps will vary depending on the model of the computer you are using, BIOS
revision, and the processor type. For example, the name of specific settings may be
different or already enabled. Ask your instructor for help if required.
1. Start your computer.
2. Press F2 to enter the BIOS setup.
3. Use the down arrow key to select Performance, and then press ENTER to
expand Performance.
4. Use the down arrow key to select Virtualization, and then press ENTER.
5. Select On, and then press ENTER.
6. Use the down arrow key to select VT for Direct I/O, and then press ENTER.
7. Select On, and then press ENTER.
8. Use the down arrow key to select Trusted Execution, and then press ENTER.
9. Select Off, and then press ENTER.
10. Use the down arrow key to select Security, and then press ENTER to expand
Security.
11. Use the down arrow key to select Execute Disable, and then press ENTER.
12. Select On, and then press ENTER.
13. Press ESC.
14. Select Save/Exit, and then press ENTER.


The following BIOS setting steps are based on an HP DC5850.
Configure the computer BIOS for Hyper-V:
1. Start your computer.
2. Press F10 to enter the BIOS setup.
3. Select English, and then press ENTER.
4. Use the right arrow key to select the Security menu, press the down arrow key
to select System Security, and then press ENTER.
5. Press the down arrow key once, and then press the right arrow key once to
enable the Virtualization Technology. Press ENTER.
6. Press F10 to accept the changes.
7. Press the left arrow key to select the File menu.
8. Use the down arrow key to select Save Changes and Exit, and then press
ENTER.

Task 2: Install Windows Server 2008 on the host
1. Place the Windows Server 2008 DVD in the DVD drive, and then restart your
computer.

Note: You will be provided with the software required to complete the lab installation
from your Instructor. It may or may not be a DVD.
2. To access the boot menu of a Dell Optiplex 755 computer, press F12. Read the
POST screen of your computer to determine the appropriate key for your
computer.
3. Select the DVD-ROM drive, and then press ENTER.
4. If prompted, press a key to start the computer from DVD.
5. To accept the default language as US English, click Next.
6. Click Install now.
7. Clear the Automatically activate Windows when I'm online check box, and
then click Next.

8. To clear the warning, click No.
9. Click Windows Server 2008 Enterprise (Full Installation) x64, select the
I have selected the version of Windows that I purchased check box, and
then click Next.
10. Select the I accept the license terms check box, and then click Next.
11. Click Custom (advanced).
12. Click Drive options (advanced).
13. To delete all existing partitions, click an existing partition.
14. Click Delete.
15. Click OK to confirm.
16. Repeat steps 13-15 to delete all partitions.
17. Click Disk 0, and then click Next.
18. After the computer restarts, click OK.
19. In the New password and Confirm password boxes, type Pa$$w0rd, and
then press ENTER.
20. To clear the password change confirmation message, click OK.
21. In the Initial Configuration Tasks window, click Provide computer name
and domain.
22. In the System Properties window, on the Computer Name tab, click Change.
23. In the Computer name box, type SEA-HOSTx, where x is a number assigned by
your instructor, and then click OK.
24. To close the message about restarting to apply changes, click OK.
25. In the System Properties window, click Close.
26. Click Restart Now.


Task 3: Install the Hyper-V role update
1. Log on as Administrator with the password Pa$$w0rd.
2. Obtain the Hyper-V update, Windows6.0-KB950050-x64.msu, by going to
http://go.microsoft.com/fwlink/?LinkId=152668.
3. Place the update on the desktop of SEA-HOSTx.
4. To begin installation, double-click Windows6.0-KB950050-x64.msu, and
then click OK.
5. When installation is complete, click Restart Now.

Task 4: Install the Hyper-V role
1. Log on as Administrator with a password of Pa$$w0rd.
2. Click Start, and then click Server Manager.
3. In the left pane of Server Manager, click Roles.
4. In the right pane of the console, click Add Roles, and then click Next.
5. Select the Hyper-V check box, and then click Next.
6. Read the Introduction to Hyper-V page, and then click Next.
7. Select the Local Area Connection check box, and then click Next.
8. Click Install.
9. When the role installation is complete, click Close.
10. When prompted to restart, click Yes.
11. Log on as Administrator with the password Pa$$w0rd.
12. Wait for the installation of the Hyper-V role to complete, and then click Close.
13. Close Server Manager.


Task 5: Create a new virtual machine
1. Click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In the left pane of the Hyper-V Manager console, click SEA-HOST1.
3. In the actions pane, click New, and then click Virtual Machine.
4. On the Before You Begin page, click Next.
5. In the Name box, type SEA-VMx, where x is a number assigned by your
instructor, and then click Next.
6. In the Memory box, type 1024, and then click Next.
7. In the Network list, select your network adapter, and then click Next.
8. To accept the default virtual hard disk settings, click Next.
9. On the Installation Options page, click Next.
10. Click Finish.

Task 6: Install Windows Server 2008 on the virtual machine
1. Place the Windows Server 2008 installation DVD in your DVD drive.
2. In the Virtual Machines area of the Hyper-V Manager console, right-click
SEA-VMx, and then click Settings.
3. In the Hardware area, click DVD Drive.
4. In the right pane, click Physical CD/DVD drive, and then click OK.
5. In the Virtual Machines area, right-click SEA-VMx, and then click Start.
6. In the Virtual Machines area, right-click SEA-VMx, and then click Connect.
This opens a new window for viewing the SEA-VMx virtual machine.
7. In the SEA-VMx On Localhost Virtual Machine Connection window, click
Next to install using the default language of US English, and then click Install
Now.
8. Clear the Automatically activate Windows when I'm online check box, and then click Next.
9. To clear the warning, click No.

10. Click Windows Server 2008 Enterprise (Full Installation) x64, select the
I have selected the version of Windows that I purchased check box, and
then click Next.
11. Select the I accept the license terms check box, and then click Next.
12. Click Custom (advanced).
13. Click Disk 0 Unallocated Space, and then click Next.
14. After the computer restarts, click OK.
15. In the New password and Confirm password boxes, type Pa$$w0rd, and
then press ENTER.
16. To clear the password change confirmation message, click OK.
17. In the SEA-VMx On Localhost Virtual Machine Connection window, click
Action, and then click Insert Integration Services Setup Disk.
18. In the Autoplay window, click Install Hyper-V Integration Services.
19. To upgrade or repair the installation, click OK.
20. To restart, click Yes.

Results: After this exercise, you should have successfully implemented a Hyper-V host
and created a virtual machine.
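Task 5 done without the New Virtual Machine wizard, as an added example that is not part of the 6430B lab. On Windows Server 2008 and 2008 R2 there is no Hyper-V PowerShell module, so the script talks to the same v1 WMI provider (root\virtualization) that Hyper-V Manager uses. It defines the SEA-VMx machine and fixes its memory at the lab's 1024 MB; the virtual hard disk, network adapter and DVD attachment from Tasks 5 and 6 are left to the wizard, and the VM name passed in is assumed to come from your instructor as the lab describes. Run it elevated on the host.

```powershell
# Added example, not from the 6430B lab. Uses the Hyper-V v1 WMI provider
# (root\virtualization) present on Windows Server 2008 / 2008 R2 hosts.
$ns = 'root\virtualization'

function Wait-HyperVJob {
    # Provider methods return 0 (done) or 4096 (asynchronous job started);
    # anything else is a failure code.
    param($Result, [string]$What)
    if ($Result.ReturnValue -eq 0) { return }
    if ($Result.ReturnValue -ne 4096) {
        throw "$What failed with code $($Result.ReturnValue)"
    }
    $job = [WMI]$Result.Job
    while ($job.JobState -eq 3 -or $job.JobState -eq 4) {   # 3 Starting, 4 Running
        Start-Sleep -Seconds 1
        $job.PSBase.Get()                                    # refresh from WMI
    }
    if ($job.JobState -ne 7) {                               # 7 Completed
        throw "$What ended in job state $($job.JobState): $($job.ErrorDescription)"
    }
}

function New-LabVM {
    param([string]$Name, [int]$MemoryMB = 1024)

    $vsms = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementService

    # Define the VM. The global setting data only needs a display name; the
    # provider supplies default locations under the host's data roots.
    $gsd = ([WMIClass]'\\.\root\virtualization:Msvm_VirtualSystemGlobalSettingData').CreateInstance()
    $gsd.ElementName = $Name
    Wait-HyperVJob ($vsms.DefineVirtualSystem($gsd.PSBase.GetText(1), $null, $null)) 'DefineVirtualSystem'

    # Memory lives in a setting object reached VM -> VirtualSystemSettingData ->
    # MemorySettingData. Modify the copy, then hand it back to the provider.
    $vm   = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "ElementName='$Name'"
    $vssd = Get-WmiObject -Namespace $ns -Query ("ASSOCIATORS OF {" + $vm.__PATH + "} " +
            "WHERE ResultClass=Msvm_VirtualSystemSettingData AssocClass=Msvm_SettingsDefineState")
    $mem  = Get-WmiObject -Namespace $ns -Query ("ASSOCIATORS OF {" + $vssd.__PATH + "} " +
            "WHERE ResultClass=Msvm_MemorySettingData AssocClass=Msvm_VirtualSystemSettingDataComponent")
    $mem.VirtualQuantity = $MemoryMB   # AllocationUnits is 'byte * 2^20', i.e. MB
    $mem.Reservation     = $MemoryMB
    $mem.Limit           = $MemoryMB
    Wait-HyperVJob ($vsms.ModifyVirtualSystemResources($vm.__PATH, @($mem.PSBase.GetText(1)))) 'ModifyVirtualSystemResources'

    return $vm
}

function Get-LabVMMemoryMB {
    # Read the committed value back rather than trusting the call succeeded.
    param([string]$Name)
    $vm   = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "ElementName='$Name'"
    $vssd = Get-WmiObject -Namespace $ns -Query ("ASSOCIATORS OF {" + $vm.__PATH + "} " +
            "WHERE ResultClass=Msvm_VirtualSystemSettingData AssocClass=Msvm_SettingsDefineState")
    $mem  = Get-WmiObject -Namespace $ns -Query ("ASSOCIATORS OF {" + $vssd.__PATH + "} " +
            "WHERE ResultClass=Msvm_MemorySettingData AssocClass=Msvm_VirtualSystemSettingDataComponent")
    return [int]$mem.VirtualQuantity
}

# Usage, with x replaced by the number your instructor assigned:
#   New-LabVM -Name 'SEA-VMx' -MemoryMB 1024
#   Get-LabVMMemoryMB -Name 'SEA-VMx'
```

After New-LabVM returns, the machine appears in Hyper-V Manager exactly as the wizard would have left it before step 8, and Get-LabVMMemoryMB should return 1024. The VM name is spliced into a WQL filter, so restrict it to the SEA-VMx pattern the lab uses; a name containing a single quote would break the query.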
