
Official Microsoft Learning Product

6419A
Configuring, Managing, and Maintaining Windows Server 2008 Servers Companion Content

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2009 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

Product Number: 6419A Released: xx/200x

Introduction to Administrative Tasks in Windows Server 2008 Environment

Module 1

Introduction to Administrative Tasks in Windows Server 2008 Environment
Contents:
Lesson 1: Server Roles 2
Lesson 2: Overview of Active Directory 5
Lesson 3: Using Windows Server 2008 Administrative Tools 9
Lesson 4: Using Remote Desktop for Administration 12
Module Reviews and Takeaways 16
Lab Review Questions and Answers 20


Lesson 1

Server Roles
Contents:
Question and Answers 3


Question and Answers


Windows Server 2008 Editions
Question: Describe the criteria you will use when deciding what edition of Windows Server to deploy.
Answer: Answers may vary. Examples of possible answers include: anticipated workload; clustering requirements; available budget; or projected growth.

What Are Server Roles?


Question: In your work environment, do you use consolidated servers, dedicated servers, or both?
Answer: Answers may vary, but in general this question should help students reflect on how their work environment does or does not consolidate multiple roles onto a single server.

What Are the Windows Infrastructure Server Roles?


Question: List the Windows infrastructure services roles used in your work environment.
Answer: Answers may vary. This question should offer students an opportunity to reflect on how the capabilities of Windows Server are used in their environment. A good follow-up question would be to ask students if there are any roles they plan to implement in the future.

What Are the Windows Application Platform Server Roles?


Question: List the Windows application platform roles used in your work environment.
Answer: Answers may vary. This question should offer students an opportunity to reflect on how the capabilities of Windows Server are used in their environment. A good follow-up question would be to ask students if there are any roles they plan to implement in the future.

What Are the Active Directory Server Roles?


Question: Briefly describe one or two scenarios where you would implement each server role.
Answer: Answers may vary. An example of a possible answer is: An organization that wants to centrally manage user accounts and security implements AD DS. An organization has developed a public-facing web-based membership application and uses AD LDS to store user profiles for this application, keeping those Internet-facing accounts out of the internal AD DS forest. An organization uses AD CS to create certificates for client authentication and SSL-enabled intranet sites. An organization uses AD RMS and AD FS together to protect confidential documents from being leaked and to provide data access for a partner organization.

AD DS Integration and other Active Directory Server Roles


Question: Describe any other applications you are aware of that can leverage AD DS.
Answer: Answers may vary. Because AD DS can be accessed programmatically (through LDAP and the ADSI and .NET directory APIs), custom applications can be designed to access AD DS. In addition, applications like fax servers or human resources applications may access AD DS.

What Are Server Features?


Question: Which of these features do you use in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on how Windows Server 2008 features may map to their work environment requirements.


What is Server Core?


Question: Describe two or three scenarios in which Server Core would be a beneficial choice of server platform.
Answer: Answers may vary. Examples of possible answers include: remote site infrastructure servers that are going to be managed remotely; infrastructure servers that you want to host in virtual machines (the reduced memory and disk requirements of Server Core allow more favorable consolidation ratios on virtualization hosts); and servers in exposed locations, where the smaller set of installed binaries and services reduces the attack surface and the number of updates to apply.


Lesson 2

Overview of Active Directory


Contents:
Question and Answers 6
Detailed Demo Steps 8


Question and Answers


What Is Active Directory?
Question: Why is it important that the schema is replicated to all domain controllers in the entire forest?
Answer: The schema defines the object classes and attributes that can be stored in the directory. Every domain controller in the forest must hold the same schema so that any object replicated to it can be stored and interpreted consistently; this is why there is exactly one schema per forest, held in the schema partition, and why schema changes are made only on the schema master.

Benefits of Active Directory


Question: Are there any situations where a workgroup would be preferable?
Answer: From a technical perspective, no. However, some very small organizations do not want the expense of implementing a dedicated server.

What Is a Domain?
Question: How has your organization used domains to create security boundaries? If your organization does not use domains, how might domains be used in your organization?
Answer: Answers may vary. This question should provide students with an opportunity to reflect on the relationship between the logical structure of a business organization and the use of one or more domains. In general, students should demonstrate an understanding of how domains represent groupings of users and computers that follow a common security policy. Note that Microsoft treats the forest, not the domain, as the security boundary: a domain scopes account policy, authentication and administrative delegation, but anyone with administrative control of a domain controller in one domain can compromise the rest of the forest, so organizations that do not trust each other's administrators need separate forests.

What Is an Organizational Unit?


Question: Describe one scenario when you would use a domain to organize a network. Describe one scenario when you would use an OU to organize a network.
Answer: Answers may vary. In general, students should understand that a domain is an administrative, account-policy and replication boundary (the forest is the security boundary), and that it requires at least one domain controller. Because multiple OUs can exist within a single domain, they are useful for mapping the logical structure of Active Directory to the actual structure of the organization in a more fine-grained manner than domains, and for delegating administration and linking Group Policy. However, in cases where differing account policies exist within an organization, multiple domains will often be required.

What Is a Forest?
Question: Does a trust automatically allow users in one domain to access resources in another domain?
Answer: No. When trust relationships are in place, users must still be granted permission to access resources in other domains.

What Is a Domain Controller?


Question: How many domain controllers should you have?
Answer: In a large organization, you should have at least two domain controllers per physical location. In smaller organizations, you may have only one domain controller per physical location. Some smaller locations may use a domain controller that is located across a WAN link.


What Is a Read-Only Domain Controller?


Question: In your work environment, do you have scenarios where an RODC would be beneficial?
Answer: Answers may vary. Students should be able to identify the primary scenarios where RODC servers are useful, which are remote sites, locations with lower physical security, or edge placements, and they should be able to relate their situation to these scenarios.

Read-Only Domain Controller Features


Question: If you plan to use one or more RODCs in your work environment, which RODC features do you plan to use?
Answer: Answers may vary. This question should provide an opportunity for students to reflect on how they can configure the features of an RODC server to best fit their environment.

Demonstration: Joining a Domain


Question: Do Windows Vista workstations have computer objects in Active Directory?
Answer: Yes. When a workstation joins a domain, a computer object is created in Active Directory for that workstation.


Detailed Demo Steps


Demonstration: Joining a Domain
Demo Steps
1. Ensure that NYC-DC1 and NYC-CL1 are started.
2. Log on to NYC-CL1 as LocalAdmin with a password of Pa$$w0rd.
3. In NYC-CL1 System Properties, click the Computer Name tab, click Change, select Workgroup, type a workgroup name, confirm your settings, and then restart the computer.
4. Log on to NYC-CL1 as LocalAdmin with a password of Pa$$w0rd.
5. In NYC-CL1 System Properties, click the Computer Name tab, click Change, select Domain, type woodgrovebank, supply the domain administrator user name and password, confirm your settings, and then restart the computer.
6. Afterwards, view the results of joining a domain:
   - A computer account for NYC-CL1 is created (by default in the Computers container).
   - Domain Admins is a member of the local Administrators group.
   - Domain Users is a member of the local Users group.
   - Group Policy is applied.
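The following script is an added example, not part of the course, that checks the four results listed in step 6 from the client side: it confirms domain membership, looks up the computer account in AD DS, checks the two local group memberships, and lists the Group Policy objects applied at computer scope. It assumes an elevated PowerShell 2.0 session on NYC-CL1 after the post-join restart, logged on with a domain account; the function names are the script's own.

```powershell
# Added example (not course code): verify the results of joining a client to a domain.
# Assumes PowerShell 2.0, run elevated on the client after the post-join restart.

function Test-DomainMembership {
    # Win32_ComputerSystem reports whether the computer is domain-joined and to which domain.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    New-Object PSObject -Property @{
        Computer     = $cs.Name
        PartOfDomain = [bool]$cs.PartOfDomain
        Domain       = $cs.Domain
    }
}

function Find-ComputerAccount {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The sAMAccountName of a computer account is its NetBIOS name followed by '$'.
    # RootDSE supplies the domain partition, so no domain name is hard-coded.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $null = $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'whenCreated'))
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $null }
    New-Object PSObject -Property @{
        DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        WhenCreated       = $result.Properties['whencreated'][0]
    }
}

function Test-LocalGroupMember {
    param([string]$Group, [string]$Member)
    # 'net localgroup' prints members one per line; domain members appear as DOMAIN\Name.
    $lines   = net localgroup $Group 2>$null
    $pattern = '\\' + [regex]::Escape($Member) + '\s*$'
    [bool]($lines | Where-Object { $_ -match $pattern })
}

function Get-AppliedComputerGpo {
    # gpresult /r (Windows Vista and later) lists the applied GPOs under an
    # 'Applied Group Policy Objects' heading: a dashed underline, then one GPO
    # name per line until the next blank line.
    $report = gpresult /r /scope:computer 2>$null
    $inList = $false
    foreach ($line in $report) {
        if (-not $inList) {
            if ($line -match 'Applied Group Policy Objects') { $inList = $true }
            continue
        }
        if ($line -match '^\s*-+\s*$') { continue }   # underline beneath the heading
        if ($line -match '^\s*$') { break }           # end of the list
        $line.Trim()
    }
}

$membership = Test-DomainMembership
$membership | Format-List Computer, PartOfDomain, Domain
if ($membership.PartOfDomain) {
    $account = Find-ComputerAccount
    if ($account) { "Computer account: $($account.DistinguishedName) (created $($account.WhenCreated))" }
    else          { 'Computer account not found; check the join and DNS' }
    'Domain Admins in local Administrators : ' + (Test-LocalGroupMember -Group 'Administrators' -Member 'Domain Admins')
    'Domain Users in local Users           : ' + (Test-LocalGroupMember -Group 'Users' -Member 'Domain Users')
    'Computer GPOs applied:'
    Get-AppliedComputerGpo | ForEach-Object { "  $_" }
}
```

The LDAP lookup goes through whichever domain controller the client locates, so a missing computer account usually points at a failed join or a DNS problem rather than at replication; the group check relies on net localgroup printing domain principals with their domain prefix.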


Lesson 3

Using Windows Server 2008 Administrative Tools


Contents:
Question and Answers 10
Detailed Demo Steps 11


Question and Answers


Microsoft Management Console
Question: Will you create customized consoles for most of your management tasks?
Answer: In most cases, the snap-ins that are included with Administrative Tools are sufficient for general server management. Most students will not create customized consoles.

Server Manager
Question: Why is it beneficial to combine frequently used snap-ins into a single console?
Answer: It is more efficient to use a single console instead of several consoles with a single snap-in each. Also, using a single console avoids the need to create custom, special-purpose consoles.

Computer Management
Question: Will you use Computer Management or Server Manager to manage your servers?
Answer: You will use Server Manager for managing your servers. This is the current tool created by Microsoft for server management.

Device Manager
Question: Why would you update a device driver if a device appears to be working properly?
Answer: Manufacturers release updated drivers for devices that resolve problems. When a new driver is released, you can review the release notes to determine whether the fixes included in the driver warrant installation. Newer drivers may be more stable or perform faster than previous versions.

Problem Reports and Solutions


Question: How does Problem Reports and Solutions improve upon the Dr. Watson utility found in previous versions of the Microsoft Windows operating system?
Answer: Dr. Watson did not track historical problems. It only attempted to resolve a problem immediately after it occurred.

Demonstration: Using Windows Server 2008 Administrative Tools


Question: Which of the administrative tools demonstrated will you use most often?
Answer: In most cases, you will use Server Manager. It contains most of the snap-ins that you need for daily server management.

Common Administration Tasks


Question: Describe one or more common administrative tasks you carry out in your work environment and a tool that would be used to carry out this task.
Answer: Answers may vary. An example of a possible answer is: using the Event Viewer tool within Server Manager to review the Security log as part of security auditing.


Detailed Demo Steps


Demonstration: Using Windows Server 2008 Administrative Tools
Demo Steps
1. Open Problem Reports and Solutions and review the tool.
2. Open Server Manager and review the tool.
3. Open Computer Management and review the tool.
4. Open Device Manager and review the tool.


Lesson 4

Using Remote Desktop for Administration


Contents:
Question and Answers 13
Detailed Demo Steps 14


Question and Answers


Remote Desktop for Administration
Question: What concerns are there about allowing a server administrator to use Remote Desktop for Administration from home?
Answer: Remote connectivity to the server must be appropriately secured. For example, you may require a VPN connection (or TS Gateway, which carries RDP inside HTTPS) before allowing access to servers, so that the Remote Desktop port is never exposed directly to the Internet. This prevents third parties on the Internet from connecting to servers and running a brute force password attack against the administrator's account. Requiring Network Level Authentication and restricting membership of the Remote Desktop Users group reduce the exposure further, and the home computer itself must be trustworthy, because a keylogger on it captures the administrator's credentials.

Benefits of Remote Desktop for Administration


Question: Can Remote Desktop for Administration result in cost savings for an organization?
Answer: Yes. Avoiding the need to return to the office after hours may save overtime costs. Allowing management of servers from remote locations may result in cost savings from centralized management. Avoiding trips to the server room to manage servers reduces the number of hours required for server management.

Demonstration: Remote Desktop Client Configuration


Question: Why would you disable client features such as local drives and printers?
Answer: In most cases, these features are not required for server administration and create risk. Drive redirection exposes the client's drives inside the server session, so malware on either side can copy files across the connection, and it gives the administrator's workstation a direct file path onto the server. Printing over Remote Desktop for Administration is not required for server management and may introduce system instability if the server attempts to load printer drivers for the client printers.

Securing Remote Desktop for Administration


Question: Why should you not use the low encryption level?
Answer: Low encryption does not encrypt the data transmitted from the server to the client (only client-to-server data is encrypted). This may allow someone to intercept the data during the remote desktop session.

Demonstration: Using Remote Desktop for Administration


Question: When is connecting to the server console, rather than a remote session, useful?
Answer: When you have a task running in the server console, it is useful to check the status of that task by connecting remotely to the console.


Detailed Demo Steps


Demonstration: Remote Desktop Client Configuration
Demo Steps
In this demonstration:
1. On NYC-CL1, open Remote Desktop Client.
2. Review the options on the following tabs:

General tab
The computer field is the name or IP address of the computer you will connect to.
The user name field is the user name you will log on to the destination computer with.
Note that connection settings can be saved for future use.

Display tab
The Remote desktop size slider is used to choose the size of the remote desktop. The Colors setting is used to set the number of colors displayed. Higher settings can slightly degrade performance. The Display the connection bar when in full screen mode is used to display a bar at the top of the screen when full screen mode is used.

Local Resources tab


The Remote computer sound setting determines whether sounds from the remote computer will be
played on the local computer.
The Keyboard setting determines whether Windows key combinations are sent from the local computer to
the remote computer.
The Local devices and resources setting determines which local devices (such as disk drives and USB
devices) will be available within the remote session.
Programs tab allows you to set a program to be started when the remote session begins.
Experience tab has several settings that allow users to turn on or off components of the visual experience.
Advanced tab has the server authentication setting (what the client does when it cannot verify the server's identity; "Do not connect" protects against connecting to an impostor server) and settings related to TS Gateway.

Demonstration: Using Remote Desktop for Administration


Demo Steps
In this demonstration:
1. On NYC-DC1, enable Remote Desktop for Administration.
2. Add a user to the Remote Desktop Users group.
3. View the security settings in Terminal Services Configuration.
4. On NYC-CL1, connect to Remote Desktop for Administration on NYC-DC1.


5. Demonstrate connecting to the console session as well, with the /console switch. Note that Remote Desktop Connection 6.1 and later (Windows Vista SP1, Windows Server 2008 and Windows XP SP3) replaces /console with /admin; those clients accept mstsc /console but ignore it.


Module Reviews and Takeaways


Review questions
1. Question: Describe the criteria you will use when deciding what edition of Windows Server to deploy.
Answer: Answers may vary. Examples of possible answers include: anticipated workload; clustering requirements; available budget; or projected growth.

2. Question: In your work environment, what are the advantages of consolidated servers, dedicated servers, or both?
Answer: Answers may vary, but in general this question should help students reflect on how the specifics of their work environment may benefit from dedicated or consolidated servers. Students should demonstrate an understanding of the following considerations: workload requirements, hardware cost, security implications, server management implications, and unplanned outages.

3. Question: List the Windows infrastructure services roles used in your work environment.
Answer: Answers may vary. This question should offer students an opportunity to reflect on how the capabilities of Windows Server are used in their environment. A good follow-up question would be to ask students if there are any roles they plan to implement in the future.

4. Question: List the Windows application platform roles used in your work environment.
Answer: Answers may vary. This question should offer students an opportunity to reflect on how the capabilities of Windows Server are used in their environment. A good follow-up question would be to ask students if there are any roles they plan to implement in the future.

5. Question: Briefly describe one or two scenarios where you would implement each server role.
Answer: Answers may vary. An example of a possible answer is: An organization that wants to centrally manage user accounts and security implements AD DS. An organization has developed a public-facing web-based membership application and uses AD LDS to store user profiles for this application. An organization uses AD CS to create certificates for client authentication and SSL-enabled intranet sites. An organization uses AD RMS and AD FS together to protect confidential documents from being leaked and to provide data access for a partner organization.

6. Question: Describe any other applications you are aware of that can leverage AD DS.
Answer: Answers may vary. Because AD DS can be accessed programmatically, custom applications can be designed to access AD DS. In addition, applications like fax servers or human resources applications may access AD DS.

7. Question: Which of these features do you use in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on how Windows Server 2008 features may map to their work environment requirements.

8. Question: Describe two scenarios in which Server Core would be a beneficial choice of server platform.
Answer: Answers may vary. Examples of possible answers include: remote site infrastructure servers that are going to be managed remotely; infrastructure servers that you want to host in virtual machines (the reduced memory and disk requirements of Server Core allow more favorable consolidation ratios on virtualization hosts).

9. Question: Why is it important that the schema is replicated to all domain controllers in the entire forest?
Answer: The schema defines the object classes and attributes that can be stored in the directory. Every domain controller in the forest must hold the same schema so that any object replicated to it can be stored and interpreted consistently; there is exactly one schema per forest.


10. Question: Are there any situations where a workgroup would be preferable?
Answer: From a technical perspective, no. However, some very small organizations do not want the expense of implementing a dedicated server.

11. Question: How has your organization used domains to create security boundaries? If your organization does not use domains, how might domains be used in your organization?
Answer: Answers may vary. This question should provide students with an opportunity to reflect on the relationship between the logical structure of a business organization and the use of one or more domains. In general, students should demonstrate an understanding of how domains represent groupings of users and computers that follow a common security policy. Note that Microsoft treats the forest, not the domain, as the security boundary: administrative control of any domain in a forest can be used to compromise the rest of the forest.

12. Question: Describe one scenario when you would use a domain to organize a network. Describe one scenario when you would use an OU to organize a network.
Answer: Answers may vary. In general, students should understand that a domain is an administrative, account-policy and replication boundary (the forest is the security boundary), and that it requires at least one domain controller. Because multiple OUs can exist within a single domain, they are useful for mapping the logical structure of Active Directory to the actual structure of the organization in a more fine-grained manner than domains. However, in cases where differing account policies exist within an organization, multiple domains will often be required.

13. Question: Does a trust automatically allow users in one domain to access resources in another domain?
Answer: No. When trust relationships are in place, users must still be granted permission to access resources in other domains.

14. Question: How many domain controllers should you have?
Answer: In a large organization, you should have at least two domain controllers per physical location. In smaller organizations, you may have only one domain controller per physical location. Some smaller locations may use a domain controller that is located across a WAN link.

15. Question: In your work environment, do you have scenarios where an RODC would be beneficial?
Answer: Answers may vary. Students should be able to identify the primary scenarios where RODC servers are useful, which are remote sites, locations with lower physical security, or edge placements, and they should be able to relate their situation to these scenarios.

16. Question: If you plan to use one or more RODCs in your work environment, which RODC features do you plan to use?
Answer: Answers may vary. This question should provide an opportunity for students to reflect on how they can configure the features of an RODC server to best fit their environment.

17. Question: Do Microsoft Windows Vista workstations have computer objects in Active Directory?
Answer: Yes. When a workstation joins a domain, a computer object is created in Active Directory for that workstation.

18. Question: Will you create customized consoles for most of your management tasks?
Answer: In most cases, the snap-ins that are included with Administrative Tools are sufficient for general server management. Most students will not create customized consoles.

19. Question: Why is it beneficial to combine frequently used snap-ins into a single console?
Answer: It is more efficient to use a single console instead of several consoles with a single snap-in each. Also, using a single console avoids the need to create custom, special-purpose consoles.


20. Question: Will you use Computer Management or Server Manager to manage your servers?
Answer: You will use Server Manager for managing your servers. This is the current tool created by Microsoft for server management.

21. Question: Why would you update a device driver if a device appears to be working properly?
Answer: Manufacturers release updated drivers for devices that resolve problems. When a new driver is released, you can review the release notes to determine whether the fixes included in the driver warrant installation. Newer drivers may be more stable or perform faster than previous versions.

22. Question: How does Problem Reports and Solutions improve upon the Dr. Watson utility found in previous versions of the Microsoft Windows operating system?
Answer: Dr. Watson did not track historical problems. It only attempted to resolve a problem immediately after it occurred.

23. Question: Which of the administrative tools demonstrated will you use most often?
Answer: In most cases, you will use Server Manager. It contains most of the snap-ins that you need for daily server management.

24. Question: Describe one or more common administrative tasks you carry out in your work environment and a tool that would be used to carry out this task.
Answer: Answers may vary. An example of a possible answer is: using the Event Viewer tool within Server Manager to review the Security log as part of security auditing.

25. Question: What concerns are there about allowing a server administrator to use Remote Desktop for Administration from home?
Answer: Remote connectivity to the server must be appropriately secured. For example, you may require a VPN connection (or TS Gateway) before allowing access to servers, so that the Remote Desktop port is never exposed directly to the Internet. This prevents third parties on the Internet from connecting to servers and running a brute force password attack against the administrator's account. The home computer itself must also be trustworthy, because a keylogger on it captures the administrator's credentials.

26. Question: Can Remote Desktop for Administration result in cost savings for an organization?
Answer: Yes. Avoiding the need to return to the office after hours may save overtime costs. Allowing management of servers from remote locations may result in cost savings from centralized management. Avoiding trips to the server room to manage servers reduces the number of hours required for server management.

27. Question: Which server role must be installed to configure Windows Server 2008 as a domain controller?
Answer: The Active Directory Domain Services role must be installed. After installation, dcpromo can be used to configure the server as a domain controller.

28. Question: What is the relationship between Active Directory domains and Active Directory forests?
Answer: An Active Directory forest can have one or more domains. When there are multiple domains in a forest, domain objects such as user objects and computer objects are replicated in full only between domain controllers in the same domain; global catalog servers additionally hold a read-only partial copy of every object in the forest. There are automatic two-way transitive trusts between domains in the same forest.

29. Question: Which administrative tool tracks system crashes and attempts to resolve them?
Answer: Problem Reports and Solutions tracks system crashes. It attempts to find a resolution for the problem at the time the problem occurs, and continues to check with Microsoft for a resolution if it is not resolved.

30. Question: When monitoring performance, which tools can you use to track CPU utilization over time?


Answer: You can use Performance Monitor or Data Collector Sets to monitor CPU utilization over time. Performance Monitor provides a visual graph. A Data Collector Set can log performance counters to a file.


Lab Review Questions and Answers


1. Question: Why would you choose to allow connections only from computers that can use Network Level Authentication?
Answer: Because gaining remote access to a Windows Server could compromise the security of that server, you may want to choose a more restrictive authentication method for remote access. With Network Level Authentication the client must authenticate before the server creates a session, so unauthenticated connections never reach the logon screen and consume no session resources. If you choose this setting, only clients running Remote Desktop Connection 6.0 or later with CredSSP support (Windows Vista and Windows Server 2008 by default; Windows XP SP3 after CredSSP is enabled) will be able to connect.

2. Question: List the default settings for which users are allowed to connect remotely through Remote Desktop.
Answer: By default, members of the Administrators group are allowed to connect through Remote Desktop. The Remote Desktop Users group, which grants the right to non-administrators, is empty by default.

3. Question: Describe one or more scenarios where encryption methods other than SSL would be suitable.
Answer: Answers may vary. Examples of possible answers include: when supporting older clients that do not support SSL (TLS), the Negotiate security layer lets the server fall back to the RDP security layer for those clients while still using SSL with newer ones.

Creating Active Directory Domain Services User and Computer Objects


Module 2

Creating Active Directory Domain Services User and Computer Objects
Contents:
Lesson 1: Managing User Accounts 2
Lesson 2: Creating Computer Accounts 9
Lesson 3: Automating AD DS Object Management 13
Lesson 4: Using Queries to Locate Objects in AD DS 18
Module Reviews and Takeaways 23
Lab Review Questions and Answers 27


Lesson 1

Managing User Accounts


Contents:
Question and Answers 3
Detailed Demo Steps 5
Additional Reading 8


Question and Answers


What Is a User Account?
Question: List at least one advantage of creating local accounts. List at least one advantage of creating domain accounts.
Answer: Answers may vary. An example of a possible answer is: Advantages of local accounts include no requirement for a network and no requirement for a domain controller. Advantages of domain accounts include centralized administration of the network.

Names Associated with Domain User Accounts


Question: Provide at least one example of a good, scalable, unique domain user name.
Answer: Answers may vary. Possible answers include: jsmith, smithj, joe.smith.

User Account Password Options


Question: Provide at least one example of a strong password.
Answer: Answers may vary. The sample answers P@ssw0rd, PassWord!!, and PaSsWord! satisfy the Windows complexity requirement (at least six characters drawn from three of the character categories, not containing the user name), but they are weak in practice: each is the word "password" with substitutions and punctuation that password-cracking tools try automatically. A strong password is long (a passphrase of several unrelated words is easier to remember than a short random string), is not a dictionary word with substitutions, and is not reused between accounts.

Standard User Management


Question: How many times can users attempt to log on before they are locked out (by default)?
Answer: By default, as many times as they want: the account lockout threshold is 0, which means accounts are never locked out. For domain accounts, administrators set the Account lockout threshold (together with the lockout duration and the reset counter) in the Account Lockout Policy of the Default Domain Policy GPO, which applies to the whole domain; the Local Security Policy governs only the local accounts of that computer. A very low threshold lets an attacker lock users out deliberately, so it is usually paired with a short lockout duration.
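The following script is an added example, not part of the course, serving both the strong-password question above and this lockout question: it reads the password and lockout policy that the Default Domain Policy writes to the domain object, then tests candidate passwords against the Windows complexity rules and against the substitution patterns that cracking wordlists already cover, showing why P@ssw0rd passes the policy yet is guessable. It assumes PowerShell 2.0 on a domain-joined computer; the candidate passwords, the account name jsmith and the wordlist are constructed for the example.

```powershell
# Added example (not course code): domain password/lockout policy and password checks.
# Assumes PowerShell 2.0 on a domain-joined computer.

function ConvertFrom-AdInterval([long]$Value) {
    # AD stores durations as negative counts of 100-nanosecond intervals;
    # Int64.MinValue means 'never'. Returns minutes, or $null for 'never'.
    if ($Value -eq [long]::MinValue -or $Value -eq 0) { return $null }
    [math]::Abs($Value) / 600000000
}

function Get-DomainPasswordPolicy {
    # The Default Domain Policy writes these settings to the domain object itself.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=domainDNS)'
    $p = $searcher.FindOne().Properties
    $maxAgeMinutes = ConvertFrom-AdInterval $p['maxpwdage'][0]
    New-Object PSObject -Property @{
        MinPasswordLength    = $p['minpwdlength'][0]
        PasswordHistory      = $p['pwdhistorylength'][0]
        ComplexityRequired   = (([int]$p['pwdproperties'][0] -band 1) -eq 1)  # DOMAIN_PASSWORD_COMPLEX
        MaxPasswordAgeDays   = $(if ($maxAgeMinutes) { $maxAgeMinutes / 1440 } else { 'never' })
        LockoutThreshold     = $p['lockoutthreshold'][0]                       # 0 = never locked out
        LockoutDurationMin   = ConvertFrom-AdInterval $p['lockoutduration'][0]
        ResetCounterAfterMin = ConvertFrom-AdInterval $p['lockoutobservationwindow'][0]
    }
}

function Test-PasswordComplexity {
    param([string]$Password, [string]$SamAccountName = '', [string]$DisplayName = '', [int]$MinLength = 6)
    # Windows 'Password must meet complexity requirements': at least six characters,
    # not containing the account name or any part of the full name longer than two
    # characters, and at least three of five categories (upper, lower, digit,
    # non-alphanumeric, other Unicode letter).
    $reasons = @()
    if ($Password.Length -lt $MinLength) { $reasons += "shorter than $MinLength characters" }
    if ($SamAccountName.Length -ge 3 -and $Password.ToLower().Contains($SamAccountName.ToLower())) {
        $reasons += 'contains the account name'
    }
    foreach ($part in ($DisplayName -split '[,.\-_ #\t]+')) {
        if ($part.Length -gt 2 -and $Password.ToLower().Contains($part.ToLower())) { $reasons += "contains '$part' from the full name" }
    }
    $categories = 0
    foreach ($class in '[A-Z]', '[a-z]', '[0-9]', '[^\p{L}\p{N}]', '[\p{L}-[A-Za-z]]') {
        if ($Password -cmatch $class) { $categories++ }
    }
    if ($categories -lt 3) { $reasons += "only $categories of 5 character categories" }
    New-Object PSObject -Property @{ Password = $Password; MeetsComplexity = ($reasons.Count -eq 0); Reasons = ($reasons -join '; ') }
}

function Test-CommonPattern {
    param([string]$Password, [string[]]$Wordlist)
    # Undo the substitutions and trailing decoration that cracking tools' mangling
    # rules apply to every wordlist entry, then compare with the plain words.
    $subs  = @{ '@' = 'a'; '4' = 'a'; '3' = 'e'; '1' = 'i'; '!' = 'i'; '0' = 'o'; '$' = 's'; '5' = 's'; '7' = 't' }
    $lower = $Password.ToLower()
    foreach ($candidate in @($lower, ($lower -replace '[^a-z]+$', ''))) {
        foreach ($k in $subs.Keys) { $candidate = $candidate.Replace($k, $subs[$k]) }
        if ($Wordlist -contains $candidate) { return $true }
    }
    return $false
}

'--- Domain password and lockout policy ---'
Get-DomainPasswordPolicy | Format-List MinPasswordLength, PasswordHistory, ComplexityRequired, MaxPasswordAgeDays, LockoutThreshold, LockoutDurationMin, ResetCounterAfterMin

# Constructed wordlist standing in for the dictionaries that cracking tools ship with.
$wordlist = 'password', 'welcome', 'letmein', 'summer', 'woodgrove'
'--- Candidate passwords (constructed) ---'
foreach ($pw in 'P@ssw0rd', 'PassWord!!', 'PaSsWord!', 'Woodgrove2009!', 'copper-lantern-velvet-9') {
    $r = Test-PasswordComplexity -Password $pw -SamAccountName 'jsmith' -DisplayName 'Joe Smith'
    $guessable = Test-CommonPattern -Password $pw -Wordlist $wordlist
    '{0,-25} complexity: {1,-5} guessable: {2,-5} {3}' -f $pw, $r.MeetsComplexity, $guessable, $r.Reasons
}
```

All four of the short candidates pass the complexity rule and all four normalize to a word in the list; only the long passphrase passes both checks. A lockout threshold of 0 in the policy output means the domain relies on password strength alone against online guessing.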

Tools for Configuring User Accounts


Question: List at least two criteria required when selecting from among the available methods for automating user creation. Answer: Answers may vary. Student answers should demonstrate an understanding of the relative benefits of each automation method and an ability to map those benefits to the student's particular needs.

Demonstration: Configuring User Accounts


Question: How would you create several user objects with the same settings for attributes, such as department and office location? Answer: Create a user template with the appropriate attributes, and then copy the template to create the new user account. Question: Under what circumstances would you disable a user account rather than delete it?


Answer: If a user is on temporary leave, but will be returning, you would disable the account. Also, many organizations have a policy of disabling user accounts when users leave the organization, and then deleting the account at a later date.

Question: Why are you prompted to change the additional names when you change the user name? Answer: Answers may vary. Possible answers might include: the additional names are typically associated with the user name.

What Is a User Account Template?


Question: List at least one example of how your company uses account templates. Answer: Answers may vary. Possible answers might include: Replicate logon hours for users in a department.

Demonstration: Creating and Using a User Account Template


Question: What are some fields not populated when you create a new user from a template? Answer: Answers may vary. Possible answers include Office and Description.

Question: How could you make a template account easy to find in AD DS? Answer: Answers may vary. Possible answers may include: giving it a name that ends with _Template.


Detailed Demo Steps


Demonstration: Configuring User Accounts
Demo Steps
The following steps require NYC-DC1 to be running.

Add a User in Active Directory Users and Computers


1. Start NYC-DC1 and log on as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. In the console pane, expand Woodgrovebank.com.
4. Right-click ITAdmins, point to New, and then click User.
5. In the New Object - User dialog box, in the First Name field, type Robert.
6. In the Last Name field, type Miller.
7. In the User logon name field, type rmiller and then click Next.
8. In the Password and Confirm Password fields, type Pa$$w0rd, and then click Next.
9. Click Finish.

Add a User by Using dsadd


1. Click Start and then click Command Prompt.
2. In the Administrator: Command Prompt window, type dsadd user "cn=Keith Harris,cn=users,dc=WoodgroveBank,dc=com" -samid Keith -fn Keith -ln Harris -display "Keith Harris" -pwd Pa$$w0rd and then press ENTER.

Review User Account and Properties


1. In the Active Directory Users and Computers window, click Users.
2. Double-click Keith Harris.
3. In the Description field, type Standard User.
4. In the Office field, type Main.
5. Click OK.

Rename Account in Active Directory Users and Computers


1. Right-click Keith Harris and then click Rename.
2. In the Name field, type Jeff Harris and then press ENTER.
3. In the First Name field, type Jeff.
4. In the User logon name field, type jharris.
5. In the User logon name list, click @WoodgroveBank.com.
6. Click OK.

2-6

Configuring, Managing, and Maintaining Windows Server 2008 Servers

Rename Account using dsmod


1. From the Command Prompt, type dsmod user "cn=Jeff Harris, cn=users, dc=WoodgroveBank, dc=com" -fn Keith -ln Harris -display "Keith Harris" -pwd Pa$$w0rd and then press ENTER.

Review Password Complexity Settings


1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. Expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then expand Group Policy Objects.
3. Right-click Default Domain Policy and then click Edit.
4. In the Group Policy Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Password Policy.
5. In the details pane, review the password complexity settings.
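The dsadd and dsmod steps above, done from Windows PowerShell through the ADSI interfaces, as an added example that is not part of the course's demo code. It assumes PowerShell 2.0 or later (for try/catch), a session on NYC-DC1 with domain administrator rights, and the cn=users container and WoodgroveBank.com UPN suffix used in the demo; New-DemoUser and Rename-DemoUser are the example's own function names. The point it adds to the steps is the failure mode: a password that violates the Password Policy reviewed in the last step is rejected by the domain controller, and the script removes the half-created account rather than leaving a password-less user behind.

```powershell
# Added example (not the course's demo code). Creates a domain user the way the
# dsadd step does, enables it only after the password is accepted, and renames it.
# Assumes: PowerShell 2.0+, run as a domain administrator on NYC-DC1, and the
# cn=users container from the demo. Function names are the example's own.
$containerDn = "cn=users,dc=WoodgroveBank,dc=com"
$upnSuffix   = "WoodgroveBank.com"
$ADS_UF_NORMAL_ACCOUNT = 0x200    # userAccountControl: ordinary user, enabled

function New-DemoUser {
    param([string]$First, [string]$Last, [string]$Logon, [string]$Password)

    $container = [ADSI]"LDAP://$containerDn"
    $cn   = "$First $Last"
    $user = $container.Create("user", "cn=$cn")
    $user.Put("sAMAccountName", $Logon)
    $user.Put("givenName", $First)
    $user.Put("sn", $Last)
    $user.Put("displayName", $cn)
    $user.Put("userPrincipalName", "$Logon@$upnSuffix")
    $user.SetInfo()   # the object now exists, but disabled and without a password

    try {
        # The domain controller rejects SetPassword when the value violates the
        # Password Policy reviewed in the demo (length, complexity, history).
        $user.SetPassword($Password)
        $user.Put("userAccountControl", $ADS_UF_NORMAL_ACCOUNT)   # clears ACCOUNTDISABLE
        $user.SetInfo()
        return $user
    }
    catch {
        # Never leave a password-less account behind: remove it and report why.
        $container.Delete("user", "cn=$cn")
        throw "Password for $Logon was rejected by domain policy; account removed. $_"
    }
}

function Rename-DemoUser {
    param([string]$OldCn, [string]$NewCn, [string]$NewLogon)

    # dsmod changes attributes but not the object's name (dsmove does that);
    # moving the object within its own container under a new RDN is the
    # rename the console performs in the previous step.
    $container = [ADSI]"LDAP://$containerDn"
    $moved = $container.MoveHere("LDAP://cn=$OldCn,$containerDn", "cn=$NewCn")
    $moved.Put("sAMAccountName", $NewLogon)
    $moved.Put("userPrincipalName", "$NewLogon@$upnSuffix")
    $moved.SetInfo()
    return $moved
}

# Usage with the demo's values. Single quotes keep the $ characters of the
# lab password literal; in double quotes PowerShell would expand "$w0rd".
# New-DemoUser "Keith" "Harris" "kharris" 'Pa$$w0rd'
# Rename-DemoUser "Keith Harris" "Jeff Harris" "jharris"
```

The sAMAccountName here is kharris rather than the demo's Keith, so that the logon name follows the first-initial-plus-surname pattern given as a scalable naming example earlier in this lesson.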

Demonstration: Creating and Using a User Account Template


Demo Steps
The following steps require NYC-DC1 to be running.

Create a User Account Template


1. Click Start, point to Administrative Tools and then click Active Directory Users and Computers.
2. Right-click Users, point to New, and then click User.
3. In the New Object - User dialog box, in the First name field, type Sales.
4. In the Last name field, type Template.
5. In the User logon name field, type stemplate and then click Next.
6. In the Password and Confirm Password fields, type Pa$$w0rd.
7. Select Account is disabled.
8. Click Next and then click Finish.
9. In the Users OU, double-click Sales Template.
10. In the Sales Template Properties dialog box, in the Description field, type Sales and Marketing Team.
11. In the Office field, type Main Sales.
12. Click OK.

Copy the Sales Template


1. In the Users detail pane, right-click Sales Template and then click Copy.
2. In the Copy Object - User dialog box, in the First name field, type Michael.
3. In the Last name field, type Miller.
4. In the User logon name, type mmiller.
5. In the Password and Confirm Password fields, type Pa$$w0rd.
6. Click Next.
7. Clear the Account is disabled check box.
8. Click Next and then Finish.
9. In the Active Directory Users and Computers window, double-click Michael Miller.
10. Review the Description and Office fields.


Additional Reading
Names Associated with Domain User Accounts
For more information on Object Names, see Object Names.

User Account Password Options


For more information, see Microsoft Windows Server 2008 Help.

Standard User Management


For more information, see User Management.

Tools for Configuring User Accounts


For more information, see User and Group Accounts and Dsadd.

Demonstration: Configuring User Accounts


For more information, see DSMOD and Rename a user account.

What Is a User Account Template?


For more information on Copying User Accounts, see Copying User Accounts.


Lesson 2

Creating Computer Accounts


Contents:
Question and Answers (page 10)
Detailed Demo Steps (page 11)
Additional Reading (page 12)


Question and Answers


What Is a Computer Account?
Question: List at least one way your company manages its computer accounts. Answer: Answers may vary. Possible answers include: using Group Policies to restrict access for users; allowing users to gain access to network resources or domain access.

Options for Creating Computer Accounts


Question: List at least one advantage of pre-staging when deploying. Answer: Answers may vary. Possible answers include: automate the creation of new users in an organizational unit. Reduce minor deployment issues thereby reducing live account changes.

Managing Computer Accounts


Question: How can the Location and Managed by properties be used to automate computer account management? Answer: Answers may vary. Possible answers include: the Location property can help administrators find the physical location of a computer, and the Managed by property can help determine which user is responsible for the machine. These two properties help administrators manage computers more easily.

Demonstration: Configuring Computer Accounts


Question: A user is taking a two-month leave from work. No one else will be using the user's computer, and you want to ensure that no one can log on to the computer while she is gone. However, you want to minimize the amount of effort required for the user to start using the computer when she comes back. How should you configure the computer account? Answer: Answers may vary. Possible answers include: Administrators might disable an account when an employee is terminated or no longer associated with the company. Accounts are also disabled for temporary or contract workers who are only part of the organization for a defined period of time. Administrators might also disable an account for a user who takes an extended leave of absence.

Question: You are pre-staging 100 computer accounts for workstations that will be added to the domain over the next few weeks. You want to ensure that only members of the desktop support team can add the computers to the domain. What should you do? Answer: Answers may vary. Possible answers include: Administrators might want to configure the desktop support team as a group that is allowed to add computers to the domain if they are within their organizational unit.


Detailed Demo Steps


Demonstration: Configuring Computer Accounts
Demo Steps
The following steps require NYC-DC1 to be running.

Create a normal user account in Active Directory Users and Computers


1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the Users OU, point to New, and then click User.
3. In the New Object - User dialog box, in the First name field, type Standard.
4. In the Last name field, type User.
5. In the User logon name field, type suser and then click Next.
6. In the Password and Confirm password fields, type Pa$$w0rd and then click Next.
7. Click Finish.

Configure the Computer Account Settings


1. In the Active Directory Users and Computers window, double-click Standard User.
2. In the Standard User Properties dialog box, click the Account tab.
3. Click Logon Hours.
4. Click Sunday and then click Logon denied.
5. Click OK.

Disable and Reset an Account


1. In the Active Directory Users and Computers window, right-click Standard User and then click Disable Account.
2. In the Active Directory Domain Services dialog box, click OK.
3. Note the icon next to the Standard User account.
4. Right-click Standard User and then click Enable Account.
5. In the Active Directory Domain Services dialog box, click OK.
6. Right-click Standard User and then click Reset Password.
7. Review the settings and then click Cancel.

Note: A disabled account cannot log on to any computer. After a password reset, the user must enter a new password at the next logon.
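The logon-hours, disable, enable, and reset steps of this demonstration as a Windows PowerShell script using ADSI; this is an added example, not the course's code. It assumes PowerShell 2.0 or later, a domain administrator session on a domain-joined machine, and the Standard User object the demo creates in the Users container (the DN below is assumed from the demo). The functions are the example's own. It shows the two things the console hides: which userAccountControl bit "Disable Account" flips, and that "User must change password at next logon" is pwdLastSet set to zero.

```powershell
# Added example (not the course's demo code): the account changes made in the
# console above, done through ADSI. Assumes a domain administrator session on a
# domain-joined machine; the DN below is the Standard User object from the demo.
$ADS_UF_ACCOUNTDISABLE = 0x2
$userDn = "cn=Standard User,cn=users,dc=WoodgroveBank,dc=com"

function Set-DemoAccountEnabled {
    param([string]$Dn, [bool]$Enabled)
    $user = [ADSI]"LDAP://$Dn"
    $uac  = [int]$user.userAccountControl.Value
    if ($Enabled) { $uac = $uac -band (-bnot $ADS_UF_ACCOUNTDISABLE) }
    else          { $uac = $uac -bor $ADS_UF_ACCOUNTDISABLE }
    $user.Put("userAccountControl", $uac)
    $user.SetInfo()
    # Report what the directory now holds, not what the script intended to write.
    $user.psbase.RefreshCache()
    return (([int]$user.userAccountControl.Value -band $ADS_UF_ACCOUNTDISABLE) -eq 0)
}

function Reset-DemoPassword {
    param([string]$Dn, [string]$NewPassword)
    $user = [ADSI]"LDAP://$Dn"
    $user.SetPassword($NewPassword)
    # pwdLastSet = 0 is the "User must change password at next logon" check box:
    # the value the administrator typed only gets the user as far as choosing
    # a password of their own.
    $user.Put("pwdLastSet", 0)
    $user.SetInfo()
}

function Deny-DemoLogonOnSunday {
    param([string]$Dn)
    $user = [ADSI]"LDAP://$Dn"
    # logonHours is 21 bytes = 168 bits, one per hour of the week starting at
    # Sunday 00:00 UTC; the console shifts the grid to the server's local time,
    # so a whole-day block like this one is the safe way to set it by hand.
    $hours = New-Object byte[] 21
    for ($i = 0; $i -lt 21; $i++) { $hours[$i] = 0xFF }   # allow every hour...
    $hours[0] = 0; $hours[1] = 0; $hours[2] = 0             # ...except Sunday's 24
    $user.Put("logonHours", [byte[]]$hours)
    $user.SetInfo()
}

# Usage against the demo account:
# Deny-DemoLogonOnSunday $userDn
# Set-DemoAccountEnabled $userDn $false      # returns $false: account is disabled
# Set-DemoAccountEnabled $userDn $true       # returns $true
# Reset-DemoPassword $userDn 'Pa$$w0rd'      # single quotes keep the $ signs literal
```

Set-DemoAccountEnabled re-reads the object after writing so that its return value reflects the directory rather than the local cache; that is the same check the demo makes visually when it notes the icon next to the account.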


Additional Reading
What Is a Computer Account?
For more information, see Manage computers.

Options for Creating Computer Accounts


For more information on the following, see the links: Join a computer to a domain; Manage computers.

Managing Computer Accounts


For more information on the following, see the links: Manage computers; Deploying Group Policy Using Windows Vista.


Lesson 3

Automating AD DS Object Management

Contents:
Question and Answers (page 14)
Detailed Demo Steps (page 16)
Additional Reading (page 17)


Question and Answers


Tools for Automating AD DS Object Management
Question: List at least one way your organization has employed these tools to automate AD DS objects. Answer: Answers may vary. Possible answers include: PowerShell can automate listing and modifying users. CSVDE and LDIFDE can also create and modify accounts. AD Users and Computers is the GUI to create and modify users. DS Tools can also automate user creation and modification.

Configuring AD DS Objects Using Command-Line Tools


Question: List at least one example of why an administrator would want to use command-line tools. Answer: Answers may vary. Possible answers include batch files.

Managing User Objects with LDIFDE


Question: List at least one way that LDIFDE makes user management more scalable and reliable. Answer: Answers may vary. Possible answers include: User information can be easily imported creating new users, groups and organizational units including all the appropriate properties without having to configure each account individually.

Managing User Objects with CSVDE


Question: List at least one advantage of using CSVDE over LDIFDE when managing user objects. Answer: Answers may vary. CSVDE takes advantage of using CSV files which is a common file format and can be read and updated using applications such as Microsoft Excel.

What Is Windows PowerShell?


Question: What is the difference between the command prompt and Windows PowerShell? Answer: Answers may vary. Possible answers include: cmdlets, custom cmdlets, and third-party cmdlets.

Windows PowerShell Cmdlets


Question: List at least one important management cmdlet. Answer: Answers may vary. Possible answers include: Get-QADUser, Disable-QADUser, Get-QADComputer.


Demonstration: Configuring Active Directory Objects Using Windows PowerShell


Question: What are the advantages and disadvantages of modifying Active Directory objects by using Windows PowerShell scripts? How can you address the disadvantages? Answer: The biggest advantage is that you can apply changes to multiple accounts at one time. By running a script that uses a file for input, you can easily create or modify the attributes for thousands of users. The biggest disadvantage is that it can take a significant amount of time to create the scripts, and even longer to create the input files that provide the script data. One way to minimize the time needed to create the input files is to export the data from existing applications, or to use tools like Microsoft Office Excel to edit the files.


Detailed Demo Steps


Demonstration: Configuring Active Directory Objects Using Windows PowerShell
Demo Steps

Examine built-in cmdlets
1. Click Start, point to All Programs, point to Windows PowerShell 1.0 and then click Windows PowerShell.
2. In the Windows PowerShell window, type Get-Command and then press ENTER.
3. Review the results.

Build Complex Commands using Pipelines and Auto-Complete


1. Type Get-Command | Get-Help and then press ENTER.
2. Review the results.
3. Type Get- and then press TAB two times.
4. Press ENTER.
5. Review the results.

Examine and run a pre-existing script


1. Browse to E:\Mod02\Democode.
2. Right-click CreateUser.ps1 and then click Edit.
3. Review the script and then close Notepad.
4. Type Set-ExecutionPolicy AllSigned and then press ENTER.
5. Type E:\Mod02\Democode\CreateUser.ps1 and then press ENTER.
6. When the prompt appears, press R and then press ENTER.
7. Click Start, point to Administrative Tools and then click Active Directory Users and Computers.
8. Click ITAdmins and note that Jesper is there.
9. Close all windows.


Additional Reading
Configuring AD DS Objects Using Command-Line Tools
For more information on the following, see the links: DSadd/mod/rm commands.

Managing User Objects with LDIFDE


For more information on LDIFDE, see LDIFDE.

Managing User Objects with CSVDE


For more information on CSVDE, see CSVDE.

What Is Windows PowerShell?


For more information on Windows PowerShell 1.0, see Microsoft Support: Windows PowerShell 1.0 Documentation Pack.

Windows PowerShell Cmdlets


For more information on Windows PowerShell 1.0, see Windows PowerShell 1.0 Documentation Pack.

Demonstration: Configuring Active Directory Objects Using Windows PowerShell


For more information on the following, see the links. Windows PowerShell Blog Scripting with Windows PowerShell


Lesson 4

Using Queries to Locate Objects in AD DS


Contents:
Question and Answers (page 19)
Detailed Demo Steps (page 20)
Additional Reading (page 22)


Question and Answers


Options for Locating Objects in AD DS
Question: If an administrator were searching for a number of disparate users, would it be more efficient to use the graphic user interface or the command line tool? Answer: Answers may vary.

Demonstration: Searching AD DS
Question: You need to update the phone number for a user. You have only been given the user's first name and last name and you do not know which OU contains the object. What is the quickest way to locate the user account? Answer: Answers may vary. Possible answers include using the Find User/Computer dialog.

Question: You need to create a new user account and want to check if a user name is already in use in the domain. How could you do this? Answer: Answers may vary. Possible answers include using the Find User/Computer dialog.

What Is a Saved Query?


Question: List at least one way saved queries help with the long-term maintainability of your organization. Answer: Answers may vary. Possible answers include: Administrators can easily search for users again based on the same search criteria as the organization grows.

Demonstration: Using a Saved Query


Question: You need to find all user accounts in your AD DS domain that are no longer active. How would you do this? Answer: Answers may vary. Possible answers include: creating a saved query that searches for all disabled accounts.


Detailed Demo Steps


Demonstration: Searching AD DS
Demo Steps

Search Active Directory for Users
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click WoodgroveBank.com and then click Find.
3. In the Find Users, Contacts and Groups dialog box, click Advanced.
4. Click Field, point to User and then click Last Name.
5. In the Condition field, ensure that Starts with is selected.
6. In the Value field, type B and then click Add.
7. Click Find Now and then review the results.
8. Close the Find Users, Contacts and Groups dialog box.
9. Click the Find Objects in Active Directory Domain Services icon.
10. In the Find Users, Contacts and Groups dialog box, click Advanced.
11. Click Field, point to Groups, and then click Members.
12. In the Condition field, click Present and then click Add.
13. Click Find Now and then review the results.

Search for Objects using dsquery


1. Click Start and then click Command Prompt.
2. In the Command Prompt window, type dsquery computer /name nyc-dc1 and then press ENTER.
3. Review the results.

Demonstration: Using a Saved Query
Demo Steps


Create a Saved Query
1. Click Start, point to Administrative Tools and then click Active Directory Users And Computers.
2. Right-click Saved Queries, point to New and then click Query.
3. In the Name field, type Saved Query 1.
4. Click Define Query.
5. In the Find Common Queries dialog box, in the Find field, click Users, Contacts, And Groups.
6. Click the Advanced tab.


7. Click Field, point to User, and then click Last Name.
8. In the Condition field, click Starts with.
9. In the Value field, type C and click Add.
10. Click OK twice.
11. Expand Saved Queries and then review Saved Query 1.

Export a query to an .xml file


1. Right-click Saved Query 1, point to All Tasks, and then click Export Query Definition.
2. In the Save As dialog box, notice the Save as type option.
3. Click Cancel.
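The searches from this lesson expressed as LDAP filters and run through System.DirectoryServices from Windows PowerShell: the last-name-starts-with query behind Saved Query 1, the "members present" group search, and the disabled-account query that answers the "no longer active" review question. This is an added example, not the course's code. It assumes a domain-joined machine, so that a DirectorySearcher with no SearchRoot queries the current domain; Find-DemoObjects is the example's own function.

```powershell
# Added example (not the course's demo code): the console searches above as
# LDAP filters. Assumes a domain-joined machine, where a DirectorySearcher
# without a SearchRoot queries the current domain.
function Find-DemoObjects {
    param([string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000   # page the results; an unpaged search stops at 1000
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $results = @()
    foreach ($r in $searcher.FindAll()) {
        $entry = @{}
        foreach ($p in $Properties) {
            if ($r.Properties.Contains($p)) { $entry[$p] = $r.Properties[$p][0] }
            else                             { $entry[$p] = $null }
        }
        $results += $entry
    }
    return $results
}

# Saved Query 1 from the demo: users whose last name starts with C.
# objectCategory=person keeps computer accounts (which are also objectClass=user) out.
$lastNameC = "(&(objectCategory=person)(objectClass=user)(sn=C*))"

# The "members present" group search from the first demonstration.
$nonEmptyGroups = "(&(objectCategory=group)(member=*))"

# The "no longer active" review answer: accounts with the ACCOUNTDISABLE bit
# (0x2) set, tested with the LDAP bitwise-AND matching rule.
$disabled = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

$props = @("sAMAccountName", "distinguishedName")
foreach ($hit in (Find-DemoObjects $disabled $props)) {
    "{0,-20} {1}" -f $hit["sAMAccountName"], $hit["distinguishedName"]
}
```

The three filters are what the console builds for you behind the Find dialog; the bitwise matching rule in the last one is the part worth remembering, since a plain equality test on userAccountControl would miss any disabled account that also has other flags set.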


Additional Reading
Options for Locating Objects in AD DS
For more information, see Manage Computers.

What Is a Saved Query?


For more information, see Active Directory Users and Computers Help.


Module Reviews and Takeaways


Review questions
1. Question: List at least one advantage of creating local accounts. List at least one advantage of creating domain accounts. Answer: Answers may vary. An example of a possible answer is: Advantages of local accounts include no requirement for a network and no requirement for a domain controller. Advantages of domain accounts include centralized administration of the network.

2. Question: Provide at least one example of a good, scalable, unique domain user name. Answer: Answers may vary. Possible answers include: jsmith, smithj, joe.smith.

3. Question: Provide at least one example of a strong password. Answer: Answers may vary. Possible answers include: P@ssw0rd, PassWord!!, PaSsWord!. Additionally, any combination of eight or more uppercase, lowercase, and alphanumeric characters constitutes a strong password.

4. Question: How many times can users attempt to log on before they are locked out (by default)? Answer: By default, they can attempt as many times as they want. Administrators must change the account lockout threshold in the Local Security Policy.

5. Question: List at least two criteria required when selecting from among the available methods for automating user creation. Answer: Answers may vary. Student answers should demonstrate an understanding of the relative benefits of each automation method and an ability to map those benefits to the student's particular needs.

6. Question: How would you create several user objects with the same settings for attributes, such as department and office location? Answer: Create a user template with the appropriate attributes, and then copy the template to create the new user account.

7. Question: Under what circumstances would you disable a user account rather than delete it? Answer: If a user is on temporary leave, but will be returning, you would disable the account. Also, many organizations have a policy of disabling user accounts when users leave the organization, and then deleting the account at a later date.

8. Question: Why are you prompted to change the additional names when you change the user name? Answer: Answers may vary. Possible answers might include: the additional names are typically associated with the user name.

9. Question: Why would you rename a user name in AD DS when a user changes their name rather than deleting the account and creating a new account with the new name? Answer: Answers may vary. Possible answers might include: It's easier to modify an account than to re-create an account including all the user information and group memberships.

10. Question: List at least one example of how your company uses account templates. Answer: Answers may vary. Possible answers might include: Replicate logon hours for users in a department.

11. Question: What are some fields not populated when you create a new user from a template? Answer: Answers may vary. Possible answers include Office and Description.


12. Question: How could you make a template account easy to find in AD DS? Answer: Answers may vary. Possible answers may include: giving it a name that ends with _Template.

13. Question: List at least one way your company manages its computer accounts. Answer: Answers may vary. Possible answers include: using Group Policies to restrict access for users; allowing users to gain access to network resources or domain access.

14. Question: List at least one advantage of pre-staging when deploying. Answer: Answers may vary. Possible answers include: automate the creation of new users in an organizational unit; reduce minor deployment issues, thereby reducing live account changes.

15. Question: How can the Location and Managed by properties be used to automate computer account management? Answer: Answers may vary. Possible answers include: the Location property can help administrators find the physical location of a computer, and the Managed by property can help determine which user is responsible for the machine. These two properties help administrators manage computers more easily.

16. Question: A user is taking a two-month leave from work. No one else will be using the user's computer, and you want to ensure that no one can log on to the computer while she is gone. However, you want to minimize the amount of effort required for the user to start using the computer when she comes back. How should you configure the computer account? Answer: Answers may vary. Possible answers include: Administrators might disable an account when an employee is terminated or no longer associated with the company. Accounts are also disabled for temporary or contract workers who are only part of the organization for a defined period of time. Administrators might also disable an account for a user who takes an extended leave of absence.

17. Question: You are pre-staging 100 computer accounts for workstations that will be added to the domain over the next few weeks. You want to ensure that only members of the desktop support team can add the computers to the domain. What should you do? Answer: Answers may vary. Possible answers include: Administrators might want to configure the desktop support team as a group that is allowed to add computers to the domain if they are within their organizational unit.

18. Question: List at least one way your organization has employed these tools to automate AD DS objects. Answer: Answers may vary. Possible answers include: PowerShell can automate listing and modifying users. CSVDE and LDIFDE can also create and modify accounts. AD Users and Computers is the GUI to create and modify users. DS Tools can also automate user creation and modification.

19. Question: List at least one example of why an administrator would want to use command-line tools. Answer: Answers may vary. Possible answers include batch files.

20. Question: List at least one way that LDIFDE makes user management more scalable and reliable. Answer: Answers may vary. Possible answers include: User information can be easily imported, creating new users, groups and organizational units including all the appropriate properties without having to configure each account individually.


21. Question: List at least one advantage of using CSVDE over LDIFDE when managing user objects. Answer: Answers may vary. CSVDE takes advantage of CSV files, which is a common file format that can be read and updated using applications such as Microsoft Excel.

22. Question: What is the difference between the command prompt and Windows PowerShell? Answer: Answers may vary. Possible answers include: cmdlets, custom cmdlets, and third-party cmdlets.

23. Question: List at least one important management cmdlet. Answer: Answers may vary. Possible answers include: Get-QADUser, Disable-QADUser, Get-QADComputer.

24. Question: What are the advantages and disadvantages of modifying Active Directory objects by using Windows PowerShell scripts? How can you address the disadvantages? Answer: The biggest advantage is that you can apply changes to multiple accounts at one time. By running a script that uses a file for input, you can easily create or modify the attributes for thousands of users. The biggest disadvantage is that it can take a significant amount of time to create the scripts, and even longer to create the input files that provide the script data. One way to minimize the time needed to create the input files is to export the data from existing applications, or to use tools like Microsoft Office Excel to edit the files.

25. Question: If an administrator were searching for a number of disparate users, would it be more efficient to use the graphical user interface or the command-line tool? Answer: Answers may vary.

26. Question: You need to update the phone number for a user. You have only been given the user's first name and last name and you do not know which OU contains the object. What is the quickest way to locate the user account? Answer: Answers may vary. Possible answers include using the Find User/Computer dialog.

27. Question: You need to create a new user account and want to check if a user name is already in use in the domain. How could you do this? Answer: Answers may vary. Possible answers include using the Find User/Computer dialog.

28. Question: List at least one way saved queries help with the long-term maintainability of your organization. Answer: Answers may vary. Possible answers include: Administrators can easily search for users again based on the same search criteria as the organization grows.

29. Question: You need to find all user accounts in your AD DS domain that are no longer active. How would you do this? Answer: Answers may vary. Possible answers include: creating a saved query that searches for all disabled accounts.

30. Question: You are responsible for managing accounts and access to resources for members of your group. A user in your group leaves the company, and you expect a replacement for that employee in a few days. What should you do with the previous user's account? Answer: The best solution is to delete the old user account, and create a new account for the new user. For security purposes, you always should create a new account for each new user.

31. Question: A user in your group must create a test lab with 24 computers that will be joined to the domain, but the accounts must be created in a separate OU. What is the best way to do this? Answer: Have a domain administrator pre-stage the computer accounts in the AD DS OU.


32. Question: You are responsible for maintaining the servers in your organization. You want to enable other administrators in the organization to determine the physical location of each server without adding any additional administrative tasks or creating any additional documents. How can you do this? Answer: Modify the Location property for the computer account of each server to display the server's address information.

33. Question: To accelerate the process of creating new accounts when new employees enter your group, you create a series of account templates that you use to create new user accounts and groups. You are notified that a user with an account that was created by using one of the non-manager account templates has been accessing files that are restricted to the Managers group. What should you do? Answer: Ensure that you gave the correct group membership to each account created from your template.

34. Question: You are responsible for managing computer accounts for your group. A user reports that they cannot log on to the domain from a specific computer but can log on from other computers. What should you do? Answer: You should reset the computer account for the computer and then rejoin the computer to the domain.


Lab Review Questions and Answers


1. Question: In order for searches like the ones used in this lab to return accurate results, what do you have to do when creating the user accounts? Answer: You have to make sure that all user account properties that you will need to perform the search are filled in and that the values are formatted consistently. For example, if the company attribute is filled in as WoodgroveBank for some users and Woodgrove Bank for other users, you will get inconsistent results if you search for the exact name.

2. Question: Your organization has a group of desktop support technicians who need to be able to add all computers to the AD DS domain. How can you ensure that these technicians can add more than 10 computers to the domain without granting them more permissions than required? Answer: The best way to configure this level of permission is to grant the desktop technicians permission to add computer accounts to the domain. If they have been granted this permission explicitly, they will be able to add as many computer accounts as required. You also could have a domain administrator pre-stage the computer accounts and assign the permission to add the account to the domain to the desktop support technician group.

Creating Groups and Organizational Units

3-1

Module 3
Creating Groups and Organizational Units
Contents:
Lesson 1: Introduction to Groups            2
Lesson 2: Managing Groups                   6
Lesson 3: Creating Organizational Units    10
Module Reviews and Takeaways               14
Lab Review Questions and Answers           18

3-2

Configuring, Managing, and Maintaining Windows Server 2008 Servers

Lesson 1

Introduction to Groups
Contents:
Question and Answers    3
Additional Reading      5


Question and Answers


What Are Groups?
Question: Describe a situation where you would use a distribution group instead of a security group. Answer: This answer can include any situation where you don't need to have security enabled.

AD DS Domain Functional Levels


Question: What domain functional level do you currently have in your organization? If you don't know, what functional level do you think you should have? Answer: Answers will vary. You should have the highest functional level possible to ensure you have the most available features.

What Are Global Groups?


Question: In what ways could you use global groups in your organization? Answer: Your answer should follow the general guideline of using groups with global scope to manage directory objects that require daily maintenance, such as user and computer accounts.

What Are Universal Groups?


Question: In what ways could you use universal groups in your organization? Answer: Your answer should follow the general guideline of using groups with universal scope to consolidate groups that span domains.

What Are Domain Local Groups?


Question: How could you provide members of a Sales department that travel frequently between domains in a multicity company with access to printers on various domains that are managed by using domain local groups? Answer: In this situation, you can create a group with domain local scope and assign it permission to access the printer. Put the Sales user accounts in a group with global scope, and then add this group to the group having domain local scope. When you want to give the Sales users access to a new printer, assign the group with domain local scope permission to access the new printer. All members of the group with global scope automatically receive access to the new printer.

What Are Local Groups?


Question: Describe a situation where you would use a local group instead of one of the domain groups. Answer: Your answers will vary, but remember that you use local groups when you want to assign user rights for your local computer.

3-4

Configuring, Managing, and Maintaining Windows Server 2008 Servers

What Is Group Nesting?


Question: Describe a scenario where you could use nesting in your organization to simplify management. Answer: Students' answers will vary. For example, you can create a group of users that you want to have similar permissions and then add them to the groups that have those permissions, instead of adding each user to those groups separately.


Additional Reading
What Are Groups?
For more information on group accounts, see Understanding Group Accounts.

AD DS Domain Functional Levels


For more information on domain functional levels, see:
Understanding AD DS Functional Levels
Functional Levels Background Information
Identifying Your Windows Server 2008 Functional Level Upgrade

What Are Global Groups?


For more information on global groups, see:
Group Scope
Understanding Group Accounts

What Are Universal Groups?


For more information on universal groups, see:
Group Scope
Understanding Group Accounts

What Are Domain Local Groups?


For more information on domain local groups, see:
Group Scope
Understanding Group Accounts

What Are Local Groups?


For more information on local users and groups, see Understanding Local Users and Groups.


Lesson 2

Managing Groups
Contents:
Question and Answers    7
Detailed Demo Steps     8
Additional Reading      9


Question and Answers


Considerations for Naming Groups
Question: You want to create a security group for the finance department at Contoso Corporation. Contoso has worldwide locations; however, the finance department is only located in the New York office. Within the finance department, there are separate departments for accounts receivable and accounts payable. How many security groups would you create? What would be the name(s) for the security group(s) you would create? Answer: There are several answers to this question, but they should be based on the principles listed on the slide. There shouldn't be more than two groups created, unless students have demonstrated an understanding of the considerations for naming groups and provided a good explanation for the creation of more than two groups. Example names could simply be "AccountsPayable" and "AccountsReceivable". Or, if students choose to have one group, it can be named "Finance".

Demonstration: Creating Groups


Question: Your organization requires a group that can be used to send e-mail to users in multiple domains. The group will not be used to assign permissions. What type of group should you create? Answer: Distribution group.
Question: Which group scope can be assigned permissions in any domain or forest? Answer: Universal groups.

Identifying Group Membership


Question: In what ways can the Member tab and the Members Of tab simplify management of groups? Answer: The students' answers may vary, but can include that having quick access to group membership with these two tabs reduces the administrative time spent managing group membership.

Demonstration: Modifying Group Scope and Type


Question: Describe a situation where you would want to change a group type. Answer: For example, if a group is a distribution group and you wanted to add specific permissions to the group. In this situation, you may want to change a distribution group to a security group.
Question: List some problems that may arise from changing a group type from security to distribution. Answer: Changing a user's group type from security to distribution may cause users to gain or lose access to network resources, depending on whether the security group was used to grant or deny permissions to network resources. Since distribution groups aren't security enabled, you will lose all the permissions that were applied to the group.


Detailed Demo Steps


Demonstration: Creating Groups
Create Groups
1. Create a security group.
2. Create a distribution group.

Create a group using Dsadd


1. Open a Command Prompt.
2. Create a group using the following command (the -secgrp switch, which makes it a security group, needs its leading dash):
   dsadd group "cn=Van_ITGG,ou=Vancouver,dc=WoodgroveBank,dc=com" -samid Van_ITGG -secgrp yes -scope g

Add Members to a Group


1. Add a user to a group:
   1. Open Active Directory Users and Computers.
   2. Create a new user account.
   3. Add the new user to the Van_ITGG group.
2. Add groups to other groups:
   1. Choose a group that shares folders.
   2. Add a user group to that group to give immediate access to the shared folders.

Delegate Administration
1. Open the properties of a group.
2. Click the Managed By tab.
3. Delegate control to Nate Sun.
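The nesting pattern that the Lesson 1 "domain local groups" answer describes (accounts in a global group, the global group nested in a domain local group that carries the resource permission) and that this demo builds with Dsadd, as an added example that is not part of the course material. It uses the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and shows the equivalent dsadd/dsmod/dsget commands for a Windows Server 2008 Command Prompt in the comments; the Resources OU, the group names and the user samAccountName are hypothetical, while the WoodgroveBank.com domain and the Vancouver OU come from the demo.

```powershell
# Added example, not course material: A -> G -> DL -> permission (AGDLP) scripted with the
# ActiveDirectory module. Assumptions: run as an account allowed to create groups in
# WoodgroveBank.com; the Resources OU, group names and user name below are hypothetical.
Import-Module ActiveDirectory

$Domain     = 'DC=WoodgroveBank,DC=com'
$AccountOU  = "OU=Vancouver,$Domain"   # OU from the demo; holds the account (global) group
$ResourceOU = "OU=Resources,$Domain"   # hypothetical OU for resource (domain local) groups

# A -> G: user accounts go into a Global security group. The name follows the module's
# location_function_scope convention (compare GSS_ITteach_G in review question 23).
# Command Prompt equivalent:
#   dsadd group "cn=Van_Sales_GG,ou=Vancouver,dc=WoodgroveBank,dc=com" -samid Van_Sales_GG -secgrp yes -scope g
New-ADGroup -Name 'Van_Sales_GG' -SamAccountName 'Van_Sales_GG' `
    -GroupCategory Security -GroupScope Global -Path $AccountOU `
    -Description 'Vancouver Sales staff (account group)'

# DL: the Print permission on the printer is assigned to a Domain Local group in the
# domain that hosts the printer, never to individual users. (Granting the permission
# itself is done on the printer's Security tab and is not scripted here.)
# Command Prompt equivalent:
#   dsadd group "cn=Van_PrintColor_DL,ou=Resources,dc=WoodgroveBank,dc=com" -samid Van_PrintColor_DL -secgrp yes -scope l
New-ADGroup -Name 'Van_PrintColor_DL' -SamAccountName 'Van_PrintColor_DL' `
    -GroupCategory Security -GroupScope DomainLocal -Path $ResourceOU `
    -Description 'Print permission on the Vancouver color printer (resource group)'

# G -> DL: nest the global group in the domain local group.
# Command Prompt equivalent:
#   dsmod group "cn=Van_PrintColor_DL,ou=Resources,dc=WoodgroveBank,dc=com" -addmbr "cn=Van_Sales_GG,ou=Vancouver,dc=WoodgroveBank,dc=com"
Add-ADGroupMember -Identity 'Van_PrintColor_DL' -Members 'Van_Sales_GG'

# Day-to-day membership changes touch only the global group (hypothetical samAccountName).
Add-ADGroupMember -Identity 'Van_Sales_GG' -Members 'chansen'

# Verification: -Recursive expands nested groups, so the resource group "sees" the Sales
# users even though no user is a direct member of it.
# Command Prompt equivalent:
#   dsget group "cn=Van_PrintColor_DL,ou=Resources,dc=WoodgroveBank,dc=com" -members -expand
function Get-EffectiveMembers {
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Select-Object @{ n = 'ResourceGroup'; e = { $Group } }, SamAccountName, ObjectClass
}
Get-EffectiveMembers -Group 'Van_PrintColor_DL'

# Replacing the printer (review question 22): create a domain local group for the new
# printer and nest the same global group; no user account is touched.
New-ADGroup -Name 'Van_PrintColor2_DL' -SamAccountName 'Van_PrintColor2_DL' `
    -GroupCategory Security -GroupScope DomainLocal -Path $ResourceOU
Add-ADGroupMember -Identity 'Van_PrintColor2_DL' -Members 'Van_Sales_GG'
```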

Demonstration: Modifying Group Scope and Type


Modify Group Scope and Type
1. In Active Directory Users and Computers, open a group and change its group type:
   1. Locate a group, such as Toronto_MarketingGG in the Toronto/Marketing OU.
   2. Double-click it to see its Properties panel. Change the scope to Universal, and then click Apply.
2. Return the group type to its original setting.
3. Change the group scope to a different scope.


Additional Reading
Identifying Group Membership
For more information on finding a group in which a user is a member, see the Active Directory Users and Computers Help topic "Finding a Group in Which a User is a Member".


Lesson 3

Creating Organizational Units


Contents:
Question and Answers    11
Detailed Demo Steps     12
Additional Reading      13


Question and Answers


What Is an OU?
Question: Describe an example of how you can create an OU to isolate file and print server accounts, and allow only a particular administrator to access these accounts. Answer: For example, you can create an OU called ResourceOU and use it to store all the computer accounts that belong to the file and print servers managed by a group. Then you can configure security on the OU such that only data administrators in the group have access to the OU. This prevents data administrators in other groups from tampering with the file and print server accounts.

What Is an OU Hierarchy?
Question: What is one advantage of the OU structure being invisible to end-users? Answer: The organizational unit structure is an administrative tool for service and data administrators and is easy to change. This allows you to continue to review and update your OU structure design to reflect changes in your administrative structure and to support policy-based administration.

OU Hierarchy Examples
Question: How would you structure the OU hierarchy in your organization? If you already have an OU structure in your organization, would you make any changes based on this information? Answer: Answers will vary based on students' organizations.

Demonstration: Creating OUs


Question: When you move a user, what can happen to the user in regards to Group Policy and delegated authority? Answer: A moved user comes under the delegated authority of the administrator of the new OU. In some cases, this may mean the user has access to many new resources. However, the user should not lose details of their personal profile, such as their e-mail address.
Question: Why would you locate user accounts and computer accounts in separate OUs? Answer: One example is easier administration.

OUs and Groups Summary


Question: You have a collection of users that you want to give permissions to access certain file servers. Would you create an OU or a group for these users? Describe the reason for your choice. Answer: You should create a security group for these users. By adding users to a security group, you can enable permissions, and you can easily move the group or add more permissions if you want to give the users access to different servers.


Detailed Demo Steps


Demonstration: Creating OUs
Create an OU
1. Using Active Directory Users and Computers, create a new OU in the root of the domain:
   1. Open NYC-DC1 using Active Directory Users and Computers.
   2. Create a new OU, and name it Vancouver.
2. Create sub-OUs within the newly created domain. Nested OUs within the Vancouver OU: Marketing and Sales.
3. Place two user accounts in Marketing: Claus Hansen and Arno Harteveld.
4. Create several other objects to demonstrate the various objects that OUs can contain:
   1. Computer: Locate the Computers OU, and add a new computer account.
   2. Printer: Add a printer object to the Printers OU (add the Printers OU if needed).
   3. Group: Add global groups for the Sales and Marketing teams. Add the above users to their corresponding groups.

Move Objects Between OUs


1. Using Active Directory Users and Computers, take a user from the Vancouver Sales OU created in the previous demonstration, right-click the user, and move the user to the Vancouver Marketing OU.
2. Click the user, and then drag the user to the original OU:
   o The drag approach to moving users between OUs produces the same result as the Move command.

Create an OU using Dsadd


1. Open a Command Prompt.
2. Create an OU using the following command:
   dsadd ou "ou=Production,dc=WoodgroveBank,dc=com" -desc "Production department" -d WoodgroveBank.com -u Administrator -p Pa$$w0rd

Use the Delegation of Control Wizard


Delegate control to the Production OU using the Delegation of Control Wizard.


Additional Reading
What Is an OU?
For more information on the following, see the links:
Active Directory Users and Computers Help topic, "Understanding Organizational Units"
Reviewing Organizational Unit Design Concepts
Windows Server Glossary: Organizational Units

OU Hierarchy Examples
For more information on Design Considerations for Organizational Unit Structure and Use of Group Policy Objects, see Design Considerations for Organizational Unit Structure and Use of Group Policy Objects.

OUs and Groups Summary


For more information, see the following links:
For more information on security filtering, see Using Security Filtering to Apply GPOs to Selected Groups.
For more information on OU design, see Reviewing OU Design Concepts.
For more information on groups, see Groups: Active Directory.


Module Reviews and Takeaways


Review questions
1. Question: Describe a situation where you would use a distribution group instead of a security group.
   Answer: The answers will vary, but will include any situation where you don't need to have security enabled.

2. Question: What domain functional level do you currently have in your organization? If you don't know, what functional level do you think you should have?
   Answer: Answers will vary. You should have the highest functional level possible to ensure you have the most available features.

3. Question: In what ways could you use global groups in your organization?
   Answer: The students' answers will vary depending on their organization, but will follow this general guideline: use groups with global scope to manage directory objects that require daily maintenance, such as user and computer accounts.

4. Question: In what ways could you use universal groups in your organization?
   Answer: The students' answers will vary depending on their organization, but will follow this general guideline: use groups with universal scope to consolidate groups that span domains.

5. Question: How could you provide members of a Sales department that travel frequently between domains in a multi-city company with access to printers on various domains that are managed by using domain local groups?
   Answer: In this situation, you can create a group with domain local scope and assign it permission to access the printer. Put the Sales user accounts in a group with global scope, and then add this group to the group having domain local scope. When you want to give the Sales users access to a new printer, assign the group with domain local scope permission to access the new printer. All members of the group with global scope automatically receive access to the new printer.

6. Question: Describe a situation where you would use a local group instead of one of the domain groups.
   Answer: The students' answers will vary, but should demonstrate an understanding that you use local groups when you want to assign user rights for your local computer.

7. Question: Describe a scenario where you could use nesting in your organization to simplify management.
   Answer: Students' answers will vary. For example, you can create a group of users that you want to have similar permissions and then add them to the groups that have those permissions, instead of adding each user to those groups separately.

8. Question: You want to create a security group for the finance department at Contoso Corporation. Contoso has worldwide locations; however, the finance department is only located in the New York office. Within the finance department, there are separate departments for accounts receivable and accounts payable. How many security groups would you create? What would be the name(s) for the security group(s) you would create?
   Answer: There are several answers to this question, but they should be based on the principles listed on the slide. There shouldn't be more than two groups created, unless students have demonstrated an understanding of the considerations for naming groups and provided a good explanation for the creation of more than two groups. Example names could simply be "AccountsPayable" and "AccountsReceivable". Or, if students choose to have one group, it can be named "Finance".

9. Question: Your organization requires a group that can be used to send e-mail to users in multiple domains. The group will not be used to assign permissions. What type of group should you create?
   Answer: Distribution group.

10. Question: Which group scope can be assigned permissions in any domain or forest?
    Answer: Universal groups.

11. Question: In what ways can the Member tab and the Members Of tab simplify management of groups?
    Answer: The students' answers may vary, but can include that having quick access to group membership with these two tabs reduces the administrative time spent managing group membership.

12. Question: Describe a situation where you would want to change a group type.
    Answer: For example, if a group is a distribution group and you wanted to add specific permissions to the group. In this situation, you may want to change a distribution group to a security group.

13. Question: List some problems that may arise from changing a group type from security to distribution.
    Answer: Changing a user's group type from security to distribution may cause users to gain or lose access to network resources, depending on whether the security group was used to grant or deny permissions to network resources. Since distribution groups aren't security enabled, you will lose all the permissions that were applied to the group.

14. Question: Describe an example of how you can create an OU to isolate file and print server accounts, and allow only a particular administrator to access these accounts.
    Answer: For example, you can create an OU called ResourceOU and use it to store all the computer accounts that belong to the file and print servers managed by a group. Then you can configure security on the OU such that only data administrators in the group have access to the OU. This prevents data administrators in other groups from tampering with the file and print server accounts.

15. Question: What is one advantage of the OU structure being invisible to end users?
    Answer: The organizational unit structure is an administrative tool for service and data administrators and is easy to change. This allows you to continue to review and update your OU structure design to reflect changes in your administrative structure and to support policy-based administration.

16. Question: How would you structure the OU hierarchy in your organization? If you already have an OU structure in your organization, would you make any changes based on this information?
    Answer: Answers will vary based on students' organizations.

17. Question: When you move a user, what can happen to the user in regards to Group Policy and delegated authority?
    Answer: A moved user comes under the delegated authority of the administrator of the new OU. In some cases, this may mean the user has access to many new resources. However, the user should not lose details of their personal profile, such as their e-mail address.

18. Question: Why would you locate user accounts and computer accounts in separate OUs?
    Answer: One example is easier administration.

19. Question: You have a collection of users that you want to give permissions to access certain file servers. Would you create an OU or a group for these users? Describe the reason for your choice.
    Answer: You should create a security group for these users. By adding users to a security group, you can enable permissions, and you can easily move the group or add more permissions if you want to give the users access to different servers.

20. Question: You are responsible for managing accounts and access to resources for your group members. A user in your group transfers into another department within the company. What should you do with the user's account?
    Answer: Although your company may have an HR representative with AD DS permissions to move user accounts, the best solution involves having the user account moved into the appropriate OU of the new department. In this manner, the Group Policies associated with the new department will be enforced. If applying the correct Group Policies is important, the user's account should be disabled until somebody with appropriate security permissions can move it into the new OU.

21. Question: A project manager in your department is starting a group project that will continue for the next year. Several users from your department and other departments will be dedicated to the project during this time. The project team must have access to the same shared resources. The project manager must be able to manage the user accounts and group accounts in AD DS. However, you do not want to give her permission to manage anything else in AD DS. What is the best way to do this?
    Answer: Create a new global security group. Add the project members to the group. Create a new OU outside your department's OU. Assign full control of the OU to the project manager. Add the global group to the new OU. Add resources to the OU, such as shared files and printers. Keep track of the project, and delete the global group when the work finishes. You can keep the OU if another project requires it. However, you should delete it if there is no immediate need for it.

22. Question: You are responsible for maintaining access to local resources, such as printers, in your organization. You want to establish an efficient way to maintain printing privileges for members of each work group, even while those members may change frequently. You also want to simplify the replacement of printers when one has to be taken offline for repairs or replaced. How can you do this with the least disruption and effort on your part?
    Answer: Create a domain local group that will be used to assign access to the printer resources. Add global groups of individuals who depend on that printer into the domain local printer group. In this manner, users may be reassigned in or out of the global groups, but the global groups' membership in the domain local group will make sure there is uninterrupted printing access. In the event you must have a new domain local group for a new printer, the global user groups can easily be added as members of the domain local group to reestablish printing access. Nesting strategies help reduce administrative workload and also reduce replication, as all changes are to the local domain alone.

23. Question: You have decided to create a naming convention for all organizational units and groups. What considerations should you take as you set a pattern for naming new objects?
    Answer: Names of objects such as these should be easy to remember and representational, but not overly specific. Top-level OU names frequently reflect geographical or department names. For example, a subsidiary located in Seattle could have a top-level OU called Seattle. As for groups, the name could suggest location, function, and scope. For example, a global group of teachers with delegated IT responsibilities at their school (school acronym GSS) might have a name of GSS_ITteach_G. A naming convention such as this would be useful when sorting groups by name.

24. Question: You take over the administration of your department's AD DS organizational unit. When you open Active Directory Users and Computers and view the OU, you notice that all groups and users exist at the same level. Groups that have names such as Ajax_account, SW_Colorado, Nancy, and New_Canon_printer exist side by side with computer accounts named New_IBM_1, 2, 3, etc., and a FileShare object named DO_NOT_OPEN. What should you do?
    Answer: Start by documenting the types of user groups that exist in the department. Create groups for each unique user group, and apply a consistent naming convention. Create child OUs to simplify administration of different users within the organizational unit.

25. Question: An employee in your company has transferred from one department to another. The user account was removed from all groups associated with the old department and added to groups associated with the new department. The user account also was moved into the new department's OU. After the user transfer is complete, he informs you that he cannot access his files that are stored on a file server. What should you do?
    Answer: The user must have been granted permission to the files based on a group membership. You must add the user back to the group that has access to the files or move the files to a location that is accessible to members of the new department's groups.


Lab Review Questions and Answers

1. Question: Several tools exist for creating groups in AD DS. Which tool would be more likely to work at any workstation, as long as you could log on to the domain?
   Answer: The command-line tools are most likely to work from all workstations. These tools will be installed at any workstation you encounter, unlike Active Directory Users and Computers, which must be installed on a workstation or server. A practical skill to acquire is becoming accustomed to some basic command-line administrative commands.

2. Question: You work in a rapidly growing enterprise that is about to expand into new markets across the country. What recommendations do you make regarding an organizational unit hierarchy as you contemplate the growth?
   Answer: With a list of all of the different business units before you, you plan to accommodate the organizational functions of each group, as well as how best to delegate administrative tasks. Your organizational hierarchy should reflect both geographical and organizational boundaries to provide the best administrative flexibility and scalability.

3. Question: When delegating administrative responsibilities within a department, how could you give a person permission to reset passwords, add a new user, and update account properties (like phone numbers)?
   Answer: By using the Delegation of Control Wizard on an OU, it is possible to add individuals or groups of users into a position in which they can make minor interventions, or you can increase that level to full control.

Managing Access to Resources in Active Directory Domain Services

4-1

Module 4

Managing Access to Resources in Active Directory Domain Services
Contents:
Lesson 1: Managing Access Overview                       2
Lesson 2: Managing NTFS File and Folder Permissions      5
Lesson 3: Assigning Permissions to Shared Resources     10
Lesson 4: Determining Effective Permission              16
Module Reviews and Takeaways                            21
Lab Review Questions and Answers                        25


Lesson 1

Managing Access Overview


Contents:
Question and Answers    3
Additional Reading      4


Question and Answers


What Are Security Principals?
Question: When a user is deleted and then recreated, they will be issued a new SID. What are the ramifications of this? Answer: Answers may vary. Possible answers include: If the user is restored by using Ntdsutil, there is no real effect, because the old SID is stored in the user's SID history, which makes it possible to change domains without losing previously granted permissions. Otherwise, the user's permissions may need to be restored manually.

What Are Access Tokens?


Question: When accessing a resource, is it a best practice to assign permission to the Group SID or the User SID? Answer: Typically, the Group SID should be used to deny or allow access to resources so that permissions are granted based on the users role in the company instead of the specific user.

What Are Permissions?


Question: List at least one way that administrators can easily maintain permissions on an object. Answer: Answers may vary. Possible answers include: Administrators can assign permissions on objects to each user individually, exerting more granular control over different objects. However, this method can result in more maintenance as the organization grows. A more effective way is to create groups that users can belong to. Administrators can then assign permissions to objects based on groups, thereby eliminating the need to reassign individual rights if the person changes positions or functions in the company.

How Access Control Works


Question: Which access control resource, DACL or SACL, plays a more critical role in security? Answer: Answers may vary.


Additional Reading
What Are Security Principals?
For more information, see Windows Server Glossary.

What Are Access Tokens?


For more information, see:
Windows Server Glossary
Access Tokens Technical Reference

What Are Permissions?


For more information, see Windows Server Glossary.

How Access Control Works


For more information, see MSDN Glossary.


Lesson 2

Managing NTFS File and Folder Permissions


Contents:
Question and Answers    6
Detailed Demo Steps     8
Additional Reading      9


Question and Answers


What Are NTFS Permissions?
Question: If an administrator wanted to prevent a user from viewing the permissions or the owner of a folder, which folder permission should they apply? Answer: The administrator should apply the List Folder Contents permission so that the user can view the files and subfolders, but they will not have access to the permissions of the folder or the owner of the folder.

What Are Standard and Special Permissions?


Question: Think of a situation where administrators may need to assign special permissions. Answer: Answers may vary.

What Is NTFS Permissions Inheritance?


Question: List at least one way permission inheritance can reduce administration time. Answer: Answers may vary. Possible answers include: Administrators can change permissions at the parent level and have the same permissions propagate throughout all the sub folders without having to reassign permissions to each of those folders individually.

Demonstration: Configuring NTFS Permissions


Question: If you deny an NTFS permission to a group for a particular resource while allowing the same permission to another group for that resource, what will happen to the permissions of an individual who is a member of both groups? Answer: The user will be denied access. Deny permissions always override any Allow permissions.
Question: If a group was given an NTFS permission of Allow for Write in a shared folder, and a Deny permission for Write in a nested folder, what would their effective permissions be in the two folders? Answer: They would be able to write in the top-level folder. If you used a share permission of Read Only in the nested folder, they would continue to be able to write in the nested folder also, as that permission would be inherited. However, if you used the NTFS Deny permission in the nested folder, they would not be able to write in the nested folder because it would be denied explicitly.

Effects on NTFS Permissions When Copying and Moving Files and Folders
Question: Provide one or two examples where moving files and folders within the same partition reduces administration time. Answer: Answers may vary. Possible answers include: Administrators do not need to worry about permissions being changed or altered, because the permissions are kept if files and folders are moved within the same partition. Likewise, administrators do not need to change the permissions of the destination folder, which could have ramifications for other files and folders within that folder.

4-8

Configuring, Managing, and Maintaining Windows Server 2008 Servers

Detailed Demo Steps


Demonstration: Configuring NTFS Permissions
Demo Steps
1. Click Start and then click Computer.
2. Double-click Local Disk (C:).
3. Right-click Users and then click Properties.
4. In the Users Properties dialog box, click the Security tab.
5. For Permissions for Everyone, review the different permission options.
6. Review the Allow and Deny options.
7. Click Advanced.
8. Click Everyone and then click Edit.
9. In the Advanced Security Settings for Users dialog box, click Everyone and then click Edit.

10. In the Permission Entry for Users dialog box, review all the permission options.
11. Click Cancel.
12. In the Advanced Security Settings for Users dialog box, review the Include inheritable permissions from this object's parent and the Replace all existing inheritable permissions on all descendants with inheritable permissions from this object check boxes.

Additional Reading
What Are NTFS Permissions?
For more information, see MSDN Glossary.

What Are Standard and Special Permissions?


For more information on Permissions for files and folders, see Permissions for files and folders.

What Is NTFS Permissions Inheritance?


For more information, see Windows Server Glossary.

Effects on NTFS Permissions When Copying and Moving Files and Folders
For more information, see MSDN Glossary.

Lesson 3

Assigning Permissions to Shared Resources


Contents:
Question and Answers  11
Detailed Demo Steps  13
Additional Reading  15

Question and Answers


What Are Shared Folders?
Question: List at least one benefit of sharing folders across a network.
Answer: Answers may vary. Possible answers include: Keep information up to date within a group of users. Decreased chance of duplication of files, because all files for an account can be stored in a shared central repository.

What Are Administrative Shared Folders?


Question: List at least one benefit of having and creating your own hidden shares.
Answer: Answers may vary. Possible answers include: You can keep documents stored in a central location that administrators can access from anywhere, but that are not at risk of other users viewing them.

Question: List one or two ways that system administrators use this daily in the field.
Answer: Answers may vary.

Shared Folder Permissions


Question: List at least one example of when an administrator might give Full Control to a folder.
Answer: Answers may vary. Possible answers include: Administrators may want a shared folder with complete flexibility given to the users of the resource.

Demonstration: Creating Shared Folders


Question: How do you apply sharing permissions to a folder?
Answer: Right-click the folder, click Share, name the groups or users to add to the share permissions, and designate them as Readers, Contributors, or Co-owners.

Question: How would you begin to create a new shared folder using the Share and Storage Management MMC?
Answer: You can use the Provision a Shared Folder Wizard to assign the location and NTFS permissions of a shared folder.

Question: Which tool would you use to create a new shared folder?
Answer: Answers will vary. Using Windows Explorer may be quicker, but the Provision a Shared Folder Wizard provides more options for configuring the shared folder.

Connecting to Shared Folders


Question: List one or two benefits of accessing resources through mapped drives.
Answer: Answers may vary. Possible answers include: Users no longer have to remember the network share name to access the information. The drive appears within Windows Explorer and acts like a local resource.

Detailed Demo Steps


Demonstration: Creating Shared Folders
Demo Steps
Create two test folders
1. Click Start and then click Computer.
2. Double-click Local Disk (C:).
3. Click File, point to New, and then click Folder.
4. Type Shared Folder 1 and then press ENTER.
5. Double-click Shared Folder 1.
6. Click File, point to New, and then click Text Document.
7. Type Test Data 1.txt and then press ENTER.
8. Click the Back button.
9. Click File, point to New, and then click Folder.
10. Type Shared Folder 2 and then press ENTER.
11. Double-click Shared Folder 2.
12. Click File, point to New, and then click Text Document.
13. Type Test Data 2.txt and then press ENTER.
14. Click the Back button.

Create a Shared Folder


1. Right-click Shared Folder 1 and click Share.
2. In the File Sharing dialog box, under Choose people on your network to share with, click Everyone.
3. Click Add and then click Share.
4. In the File Sharing dialog box, click Done.
5. In Windows Explorer, notice the icon next to Shared Folder 1.

Create a Hidden Share


1. Click Start, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-in dialog box, click Share and Storage Management.
4. Click Add and then click OK.
5. In the Console 1 window, click Share and Storage Management.
6. Under Actions, click Provision Share.
7. On the Shared Folder Location page, click Browse.

8. Browse to C:\Shared Folder 2 and click OK.
9. Click Next four times.
10. On the SMB Permissions page, click Users and Groups have custom permissions.
11. Click Permissions.
12. In the Permissions for setup dialog box, click Everyone and then click Remove.
13. Click Add, and then in the Add Users, Computers, or Groups dialog box, type Marco Tanara and WOODGROVEBANK\Administrator.
14. Click OK twice.
15. Click Next and then click Create.
16. On the Confirmation page, click Close.

Modify the Permissions of the Hidden Share


1. In the Console 1 window, double-click Shared Folder 2.
2. In the Shared Folder 2 Properties dialog box, click the Permissions tab.
3. Click Share Permissions.
4. Click Marco Tanara, and for Permissions for Marco Tanara, click Full Control.
5. Click OK twice.

Test the Share Folders


1. On NYC-DC1, log in as WOODGROVEBANK\Sven using the password Pa$$w0rd.
2. Click Start, type \\NYC-DC1\ and then press ENTER.
3. Double-click Shared Folder 2.
4. In the Network Error dialog box, review the error and then click See details.
5. Read the Access denied message and then click Cancel.
6. Click Start and then click Switch User.
7. Log in as WOODGROVEBANK\Marco using the password Pa$$w0rd.
8. Click Start, type \\NYC-DC1\ and then press ENTER.
9. Double-click Shared Folder 2 and view the item in the folder.

Additional Reading
What Are Shared Folders?
For more information, see MSDN Glossary.

What Are Administrative Shared Folders?


For more information, see MSDN Glossary.

Shared Folder Permissions


For more information on Best Practices for Shared Folders, see Best Practices for Shared Folders.

Connecting to Shared Folders


For more information, see:
Glossary of Registry Terms
Publish a Shared Folder in Active Directory
Searching Active Directory Shared Folders

Lesson 4

Determining Effective Permission


Contents:
Question and Answers  17
Detailed Demo Steps  19
Additional Reading  20

Question and Answers


What Are Effective NTFS Permissions
Question: Provide at least one example of how cumulative permissions benefit administrators.
Answer: Answers may vary. Possible answers include: Administrators can not only apply global group permissions, but they can also get more granular with their permission needs, ensuring that only the users that require access will get access.

Discussion: Applying NTFS Permissions


Question: The Users group has Write permission, and the Sales group has Read permission for Folder1. What permissions does User1 have for Folder1?
Answer: User1 has Write and Read permissions for Folder1, because User1 is a member of the Users group, which has Write permission, and the Sales group, which has Read permission.

Question: The Users group has Read permission for Folder1. The Sales group has Write permission for Folder2. What permissions does User1 have for File2?
Answer: User1 has Read and Write permissions for File2, because User1 is a member of the Users group, which has Read permission for Folder1, and the Sales group, which has Write permission for Folder2. File2 inherits permissions from both Folder2 and Folder1.

Question: The Users group has Modify permission for Folder1. File2 should be available only to the Sales group, and they should only be able to read File2. What do you do to make sure that the Sales group has only Read permission for File2?
Answer: Prevent permissions inheritance for Folder2 or File2. Remove the permissions for Folder2 or File2 that Folder2 has inherited from Folder1. Grant only Read permission to the Sales group for Folder2 or File2.

Demonstration: Evaluating Effective Permissions


Question: Can the Effective Permissions tool return the actual permissions of a user?
Answer: The Effective Permissions tool only produces an approximation of the permissions that a user has. The actual permissions the user has may be different, since permissions can be granted or denied based on how a user logs on. This logon-specific information cannot be determined by the Effective Permissions tool, since the user is not logged on; therefore, the effective permissions it displays reflect only those permissions specified by the user or group and not the permissions specified by the logon.

Effects of Combining Shared Folder and NTFS Permissions


Question: Provide at least one consideration an administrator must acknowledge before combining Shared Folder and NTFS permissions.
Answer: Answers may vary. Possible answers include: Administrators must know which structure has the most restrictive permission assigned. Administrators must also determine if the shared folder permissions and NTFS permissions are compatible.

Discussion: Determining Effective NTFS and Shared Folder Permissions


Question: Discuss what the effective permissions are for User1, User2, and User3. Can User1 take full control of User2's directory? Why? How does using the share permission instead of the NTFS permission prevent users from accessing other users' directories?
Answer: Answers may vary.

Question: You have shared the Data folder to the Sales Group. Within the Data directory, you have given the Sales Group Full Control over the Sales Group. When users in the Sales Group try to save a file in the \Data\Sales directory, they get an access denied error. Why? What permission needs to be changed, and why?
Answer: Answers may vary.
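The rules behind the Lesson 2 and Lesson 4 discussion questions (allows accumulating across a user's groups, Deny overriding Allow, inheritance from parent folders, and the more restrictive of share and NTFS permissions applying over the network), as a constructed Python model added here; it is not part of the course material, and the folder names, groups and memberships (User1 in Users and Sales, a Staff group, a Data share) are assumptions taken from the questions.

```python
"""Model of how Windows evaluates NTFS and shared-folder permissions (a
constructed example, not course material): allows accumulate across a user's
groups, Deny beats Allow, entries inherit from parent folders unless
inheritance is blocked, and over the network the more restrictive of the
share and NTFS permissions applies."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Elementary rights tracked by the model; composite names expand to them.
READ, WRITE, FULL = "Read", "Write", "Full Control"
EXPAND: Dict[str, FrozenSet[str]] = {
    READ: frozenset({READ}), WRITE: frozenset({WRITE}),
    "Modify": frozenset({READ, WRITE}),   # NTFS Modify
    "Change": frozenset({READ, WRITE}),   # share-level Change
    FULL: frozenset({READ, WRITE, FULL}),
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, which permission, Allow or Deny."""
    principal: str
    permission: str           # a key of EXPAND
    allow: bool = True        # False is an explicit Deny
    inheritable: bool = True  # propagates to child folders and files


@dataclass
class Node:
    """A folder, file or share with its own ACL and an optional parent."""
    name: str
    aces: List[Ace] = field(default_factory=list)
    parent: Optional["Node"] = None
    inherits: bool = True  # "Include inheritable permissions from parent"

    def ordered_aces(self) -> List[Ace]:
        """Canonical order: explicit Deny, explicit Allow, then each
        ancestor's inheritable Deny/Allow pair, nearest ancestor first."""
        ordered: List[Ace] = []
        node, depth = self, 0
        while node is not None:
            level = [a for a in node.aces if depth == 0 or a.inheritable]
            ordered += [a for a in level if not a.allow]
            ordered += [a for a in level if a.allow]
            if not node.inherits:  # inheritance blocked: stop walking up
                break
            node, depth = node.parent, depth + 1
        return ordered


def effective_rights(node: Node, identities: Set[str]) -> Set[str]:
    """Rights a token holding `identities` (user plus all groups) has on
    `node`: the first ACE in canonical order naming a right decides it, so
    a Deny reached first wins and allows accumulate across groups."""
    granted: Set[str] = set()
    decided: Set[str] = set()
    for ace in node.ordered_aces():
        if ace.principal not in identities:
            continue
        for right in EXPAND[ace.permission] - decided:
            decided.add(right)
            if ace.allow:
                granted.add(right)
    return granted


def effective_over_share(node: Node, share: List[Ace],
                         identities: Set[str]) -> Set[str]:
    """Network access through a share: the intersection of the share and
    NTFS effective rights (the more restrictive set) is what applies."""
    share_node = Node("share", share, inherits=False)
    return effective_rights(node, identities) & effective_rights(share_node, identities)


def discussion_scenarios() -> Dict[str, Set[str]]:
    """The Lesson 2 and Lesson 4 discussion questions run through the model;
    User1 belongs to both the Users and the Sales group."""
    user1 = {"User1", "Users", "Sales"}
    out: Dict[str, Set[str]] = {}
    # Users has Write and Sales has Read on Folder1: User1 gets both.
    folder1 = Node("Folder1", [Ace("Users", WRITE), Ace("Sales", READ)])
    out["folder1"] = effective_rights(folder1, user1)
    # Users Read on Folder1, Sales Write on child Folder2; File2 inherits both.
    f1 = Node("Folder1", [Ace("Users", READ)])
    f2 = Node("Folder2", [Ace("Sales", WRITE)], parent=f1)
    out["file2"] = effective_rights(Node("File2", parent=f2), user1)
    # Users has Modify on Folder1 but File2 must be Read-only for Sales only:
    # block inheritance on Folder2, drop the inherited entry, grant Sales Read.
    f1 = Node("Folder1", [Ace("Users", "Modify")])
    f2 = Node("Folder2", [Ace("Sales", READ)], parent=f1, inherits=False)
    out["file2_sales"] = effective_rights(Node("File2", parent=f2), user1)
    # Allow Write at the top, explicit Deny Write in a nested folder: the
    # explicit Deny is evaluated before the inherited Allow and wins below.
    top = Node("Top", [Ace("Staff", WRITE)])
    nested = Node("Nested", [Ace("Staff", WRITE, allow=False)], parent=top)
    out["top"] = effective_rights(top, {"UserA", "Staff"})
    out["nested"] = effective_rights(nested, {"UserA", "Staff"})
    # Data share: NTFS gives Sales Full Control but the share allows Everyone
    # Read only, so saving a file fails until the share permission is raised.
    data = Node("Data", [Ace("Sales", FULL)])
    who = {"UserB", "Sales", "Everyone"}
    out["share_read"] = effective_over_share(data, [Ace("Everyone", READ)], who)
    return out
```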

Considerations for Implementing NTFS and Shared Folder Permissions


Question: List one or two examples of best practices that you have implemented when assigning Shared Folder or NTFS permissions in your organization.
Answer: Answers may vary.

Detailed Demo Steps


Demonstration: Evaluating Effective Permissions
Demo Steps
1. Click Start and then click Computer.
2. In Windows Explorer, double-click Local Disk (C:).
3. On the File menu, point to New and then click Folder.
4. Type Permission Folder and then press ENTER.
5. Right-click Permission Folder and then click Properties.
6. In the Permission Folder Properties dialog box, click the Security tab.
7. Click Edit.
8. In the Permissions for Permission Folder dialog box, click Add.
9. In the Select Users, Computers, or Groups dialog box, type Sven Buck and then click OK twice.

10. In the Permission Folder Properties dialog box, click Advanced.
11. In the Advanced Security Settings for Permission Folder dialog box, click the Effective Permissions tab.
12. Click Select.
13. In the Select Users, Computers, or Groups dialog box, type Sven Buck and then click OK.
14. Review the Effective permissions that are set.
15. In the Advanced Security Settings for Permission Folder dialog box, click the Permissions tab.
16. Click Edit.
17. Under Permission Entries, click Sven Buck and click Edit.
18. In the Permission Entry for Permission Folder dialog box, for Create files/write data, click Deny and then click OK twice.
19. In the Windows Security dialog box, read the message and click Yes.
20. Click OK.
21. In the Advanced Security Settings for Permission Folder dialog box, click the Effective Permissions tab.
22. Click Select.
23. In the Select Users, Computers, or Groups dialog box, type Sven Buck and then click OK.
24. Review the Effective permissions that are set.

Additional Reading
What Are Effective NTFS Permissions
For more information, see MSDN Glossary.

Discussion: Applying NTFS Permissions


For more information, see MSDN Glossary.

Demonstration: Evaluating Effective Permissions


For more information, see MSDN Glossary.

Effects of Combining Shared Folder and NTFS Permissions


For more information, see MSDN Glossary.

Discussion: Determining Effective NTFS and Shared Folder Permissions


For more information, see MSDN Glossary.

Considerations for Implementing NTFS and Shared Folder Permissions


For more information, see MSDN Glossary.

Module Reviews and Takeaways


Review questions
1. Question: When a user is deleted and then recreated, they will be issued a new SID. What are the ramifications of this?
Answer: Answers may vary. Possible answers include: If the user is restored using Ntdsutil, there is no real effect because the old SID is stored in the user's SID history, making it possible to change domains without losing permissions granted previously; otherwise, their permissions may need to be restored manually.

2. Question: When accessing a resource, is it a best practice to assign permission to the Group SID or the User SID?
Answer: Typically, the Group SID should be used to deny or allow access to resources so that permissions are granted based on the user's role in the company instead of the specific user.

3. Question: List at least one way that administrators can easily maintain permissions on an object.
Answer: Answers may vary. Possible answers include: Administrators can assign permissions to objects for each user individually, exerting more granular control over different objects. However, this method can result in more maintenance as the organization grows. A more effective way is to create groups that users can belong to. Administrators can then assign permissions to objects based on groups, thereby eliminating the need to reassign individual rights if the person changes positions or function in a company.

4. Question: Which access control resource, DACL or SACL, plays a more critical role in security?
Answer: Answers may vary.

5. Question: If an administrator wanted to prevent a user from viewing the permissions or the owner of a folder, which folder permission should they apply?
Answer: The administrator should apply the List Folder Contents permission so that the user can view the files and subfolders, but they will not have access to the permissions of the folder or the owner of the folder.

6. Question: Think of a situation where administrators may need to assign special permissions.
Answer: Answers may vary.

7. Question: List at least one way permission inheritance can reduce administration time.
Answer: Answers may vary. Possible answers include: Administrators can change permissions at the parent level and have the same permissions propagate throughout all the subfolders without having to reassign permissions to each of those folders individually.

8. Question: If you deny an NTFS permission to a group for a particular resource while allowing the same permission to another group for that resource, what will happen to the permissions of an individual who is a member of both groups?
Answer: The user will be denied access. Deny permissions always override any allow permissions.

9. Question: If a group was given an NTFS permission of Allow for Write in a shared folder, and a Deny permission for Write in a nested folder, what would their effective permissions be in the two folders?
Answer: They would be able to write in the top-level folder. If you used a Sharing Permission of Read-Only in the nested folder, they would continue to be able to write in the nested folder also, as that permission would be inherited. However, if you used the NTFS Deny permission in the nested folder, they would not be able to write in the nested folder because it would be denied explicitly.

10. Question: Provide one or two examples where moving files and folders within the same partition reduces administration time.
Answer: Answers may vary. Possible answers include: Administrators do not need to worry about permissions being changed or altered because the permissions are kept if files and folders are moved within the same partition. Likewise, administrators do not need to change the permissions of the destination folder, which could have ramifications on other files and folders within the folder.

11. Question: List at least one benefit of sharing folders across a network.
Answer: Answers may vary. Possible answers include: Keep information up to date within a group of users. Decreased chance of duplication of files, because all files for an account can be stored in a shared central repository.

12. Question: List one or two benefits of having and creating your own hidden shares.
Answer: Answers may vary. Possible answers include: You can keep documents stored in a central location that administrators can access from anywhere, but that are not at risk of other users viewing them.

13. Question: List at least one benefit of having and creating your own hidden shares.
Answer: Answers may vary. Possible answers include: You can keep documents stored in a central location that administrators can access from anywhere, but that are not at risk of other users viewing them.

14. Question: List at least one example of when an administrator might give Full Control to a folder.
Answer: Answers may vary. Possible answers include: Administrators may want a shared folder with complete flexibility given to the users of the resource.

15. Question: How do you apply sharing permissions to a folder?
Answer: Right-click the folder, click Share, name the groups or users to add to the share permissions, and designate them as Readers, Contributors, or Co-owners.

16. Question: How would you begin to create a new shared folder using the Share and Storage Management MMC?
Answer: You can use the Provision a Shared Folder Wizard to assign the location and NTFS permissions of a shared folder.

17. Question: Which tool would you use to create a new shared folder?
Answer: Answers will vary. Using Windows Explorer may be quicker, but the Provision a Shared Folder Wizard provides more options for configuring the shared folder.

18. Question: List one or two benefits of accessing resources through mapped drives.
Answer: Answers may vary. Possible answers include: Users no longer have to remember the network share name to access the information. The drive appears within Windows Explorer and acts like a local resource.

19. Question: What would happen if the user was editing the file but had not saved the changes, and then an administrator used the Close File feature?
Answer: Unsaved file changes would be lost.

20. Question: List one or two reasons why administrators should not leave the Everyone group in a share's permissions.
Answer: Answers may vary. Possible answers include: Unintended users may access and read or change sensitive material. These users may include subordinates or even contractors within a company.

21. Question: List at least one example of how offline files are useful.
Answer: Answers may vary.

22. Question: Provide at least one example of how cumulative permissions benefit administrators.
Answer: Answers may vary. Possible answers include: Administrators can not only apply global group permissions, but they can also get more granular with their permission needs, ensuring that only the users that require access will get access.

23. Question: The Users group has Write permission, and the Sales group has Read permission for Folder1. What permissions does User1 have for Folder1?
Answer: User1 has Write and Read permissions for Folder1, because User1 is a member of the Users group, which has Write permission, and the Sales group, which has Read permission.

24. Question: The Users group has Read permission for Folder1. The Sales group has Write permission for Folder2. What permissions does User1 have for File2?
Answer: User1 has Read and Write permissions for File2, because User1 is a member of the Users group, which has Read permission for Folder1, and the Sales group, which has Write permission for Folder2. File2 inherits permissions from both Folder2 and Folder1.

25. Question: The Users group has Modify permission for Folder1. File2 should be available only to the Sales group, and they should only be able to read File2. What do you do to make sure that the Sales group has only Read permission for File2?
Answer: Prevent permissions inheritance for Folder2 or File2. Remove the permissions for Folder2 or File2 that Folder2 has inherited from Folder1. Grant only Read permission to the Sales group for Folder2 or File2.

26. Question: Can the Effective Permissions tool return the actual permissions of a user?
Answer: The Effective Permissions tool only produces an approximation of the permissions that a user has. The actual permissions the user has may be different, since permissions can be granted or denied based on how a user logs on. This logon-specific information cannot be determined by the Effective Permissions tool, since the user is not logged on; therefore, the effective permissions it displays reflect only those permissions specified by the user or group and not the permissions specified by the logon.

27. Question: Provide at least one consideration an administrator must acknowledge before combining Shared Folder and NTFS permissions.
Answer: Answers may vary. Possible answers include: Administrators must know which structure has the most restrictive permission assigned. Administrators must also determine if the shared folder permissions and NTFS permissions are compatible.

28. Question: Discuss what the effective permissions are for User1, User2, and User3. Can User1 take full control of User2's directory? Why? How does using the share permission instead of the NTFS permission prevent users from accessing other users' directories?
Answer: Answers may vary.

29. Question: You have shared the Data folder to the Sales Group. Within the Data directory, you have given the Sales Group Full Control over the Sales Group. When users in the Sales Group try to save a file in the \Data\Sales directory, they get an access denied error. Why? What permission needs to be changed, and why?
Answer: Answers may vary.

30. Question: List one or two examples of best practices that you have implemented when assigning Shared Folder or NTFS permissions in your organization.
Answer: Answers may vary.

31. Question: What is the role of access control lists (ACLs) in granting access to resources on an AD DS network?
Answer: Access control lists (ACLs) are attached to every file and folder on an NTFS partition. The ACL contains access control entries (ACEs) in which the details of who may access or be denied access to the resource are stored.

32. Question: How do discretionary access control lists (DACLs) differ from system access control lists (SACLs)?
Answer: The DACL defines permissions, that is, who may access the resource or who should be denied access to a resource. The DACL also defines the level of access granted to each user or group. The SACL defines which actions will be audited on the object.

33. Question: What happens to the shared folder configuration when you copy or move a shared folder from one hard disk to another on the same server? What happens to the shared folder configuration when you copy or move the shared folder to another server?
Answer: In both cases, the copied or moved shared folder will not be configured as a shared folder. If you copy a shared folder, the original remains a shared folder.

34. Question: You need to assign permissions to a shared folder so that all users in your organization can read the contents of the folder. Which of these approaches would be the best way to do this: accept the default permissions, assign Read permission to the folder for the Domain Users group, or add groups representing whole departments? How would this configuration change if your organization had multiple domains?
Answer: The best option would be to add the Domain Users group, because it includes all user accounts in the domain. Departmental groups could also provide the access but would require more administrative effort in keeping member lists current. By default, the Everyone group is assigned Read permission when you create a shared folder. This group includes Guest logons and therefore provides an unnecessarily wide range of access. If your organization has more than one domain, you could assign permissions to the Authenticated Users group.

35. Question: When moving a folder in an NTFS partition, what permissions are required over the source file or folder and over the destination folder?
Answer: You must have both Write permission for the destination folder and Modify permission for the source file or folder. Modify permission is required to move a folder or file because Windows Server 2008 deletes the folder or file from the source folder after it copies it to the destination folder.

36. Question: What is the best way to create a shared folder that needs to be accessed by users who are situated in two domains?
Answer: Configure global security groups that contain the intended department members in both domains. Create a shared folder on a server in one of the domains. Create a Domain Local group in the domain where the shared folder is located, and then add both global groups to the domain local group. Edit the share-level and NTFS permissions of the shared folder so that both groups have the minimum required permissions.

Lab Review Questions and Answers


1. Question: To give several of your colleagues access to a shared folder, what should you do to assign access most efficiently?
Answer: Create a global group, add the users to the group, and then add the group to the folder's shared permissions list.

2. Question: How could you configure a shared folder that would allow a department to share files where everyone could add their files and read those of others, but only a small group of individuals could edit the contents of all the files?
Answer: Create two groups: Editors and Members. Create a shared folder with both groups receiving Contributor permission. Nest a second folder within the shared folder, and change its NTFS permissions for the Members group to explicitly Deny Write permissions. Members of the Editors group (as long as they do not belong to the Members group as well) could move files into the nested folder, and even continue to edit them there, while protecting against unintentional change by any other users.

3. Question: Why might you want to use the Share and Storage Management MMC rather than Windows Explorer to create a shared folder?
Answer: The Share and Storage Management MMC offers both shared folder creation and management tools that let you see all shared folders and how many users are connected at any time.

Configuring Active Directory Objects and Trusts

5-1

Module 5
Configuring Active Directory Objects and Trusts
Contents:
Lesson 1: Delegate Administrative Access to Active Directory Objects  2
Lesson 2: Configure Active Directory Trusts  7
Module Reviews and Takeaways  10
Lab Review Questions and Answers  13

Lesson 1

Delegate Administrative Access to Active Directory Objects


Contents:
Detailed Demo Steps  3
Additional Reading  6

Detailed Demo Steps


Demonstration: Active Directory Domain Services Object Permission Inheritance
Demo Steps: Configure permissions on the NYC OU without inheritance:
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. On the View menu, click Advanced Features.
3. In the console pane, right-click NYC, and then click Properties.
4. In the NYC Properties dialog box, on the Security tab, click Add.
5. In the Select Users, Computers, or Groups dialog box, type Doris, and then click OK.
6. In the NYC Properties dialog box, under Permissions for Doris Krieger, select Write, and then click OK.

Review permission on child OUs:


1. In the console pane, expand NYC, right-click BranchManagers, and then click Properties.
2. In the BranchManagers Properties dialog box, on the Security tab, notice that Doris does not have permissions for this OU as she does in the parent OU.
3. Click Cancel.

Modify inherited permissions:


1. In the console pane, right-click NYC, and then click Properties.
2. In the NYC Properties dialog box, on the Security tab, click Advanced.
3. In the Advanced Security Settings for NYC dialog box, click the entry for Doris Krieger, and then click Edit.
4. In the Permission Entry for NYC dialog box, in the Apply to list, review the options.
5. Click This object and all descendant objects, and then click OK three times.
6. In the console pane, right-click BranchManagers and then click Properties.
7. In the BranchManagers Properties dialog box, on the Security tab, click Doris Krieger and notice that she now has Read and Write permissions on child OUs.
8. Click Remove and then read the Windows Security dialog box warning.
9. Click OK.
10. Click Advanced.
11. In the Advanced Security Settings for BranchManagers dialog box, clear the Include inheritable permissions from this object's parent check box.
12. In the Windows Security dialog box, review the message and then click Copy.

13. In the Advanced Security Settings for BranchManagers dialog box, click Doris Krieger and then click Remove.
14. Click OK.
15. In the Permissions dialog box, review the warning, and then click Yes.
16. Click OK.

Review effective permissions on a child OU:


1. In the console pane, right-click Marketing, and then click Properties.
2. In the Marketing Properties dialog box, on the Security tab, click Advanced.
3. In the Advanced Security Settings for Marketing dialog box, on the Effective Permissions tab, click Select.
4. In the Select User, Computer, or Group dialog box, type Doris and then click OK.
5. Review the list of effective permissions, and then click Cancel twice.

Demonstration: Configuring Delegation of Control


Demo Steps: Run the Delegation of Control Wizard to allow a user to manage user accounts:
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. On the View menu, click Advanced Features.
3. In the console pane, right-click Miami, and then click Delegate Control.
4. In the Delegation of Control Wizard, click Next.
5. On the Users or Groups page, click Add.
6. In the Select Users, Computers, or Groups dialog box, type William, click OK, and then click Next.
7. On the Tasks to Delegate page, select the Create, delete, and manage user accounts check box, click Next, and then click Finish.

Review creating custom delegation permissions:


1. In the console pane, right-click Miami, and then click Delegate Control.
2. In the Delegation of Control Wizard, click Next.
3. On the Users or Groups page, click Add.
4. In the Select Users, Computers, or Groups dialog box, type William, click OK, and then click Next.
5. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
6. On the Active Directory Object Type page, review the scope of delegation options, and then click Next.
7. On the Permissions page, review the configuration options, and then click Cancel.

Review permissions on a child OU:


1. In the console pane, expand Miami, right-click BranchManagers, and then click Properties.
2. In the BranchManagers Properties dialog box, on the Security tab, click Advanced.
3. In the Advanced Security Settings for BranchManagers dialog box, on the Effective Permissions tab, click Select.
4. In the Select User, Computer, or Group dialog box, type William, and then click OK.
5. Review the list of permissions, and then click Cancel twice.

Run a PowerShell script to delegate the password reset permission for a user:
1. Click Start, type notepad e:\mod05\democode\grantpasswordreset.ps1, and then press ENTER.
2. In the Notepad window, review the script, and then close Notepad when done.
3. Click Start, point to All Programs, point to Windows PowerShell 1.0, and then click Windows PowerShell.
4. In the Windows PowerShell window, type set-executionpolicy unrestricted, and then press ENTER. Note: Unrestricted is used here only to keep the demonstration short. On a production domain controller, use RemoteSigned or AllSigned and sign administrative scripts, so that only scripts you have reviewed can run, and set the policy back when the demonstration is finished.
5. Type e:\mod05\democode\grantpasswordreset.ps1 -container "ou=miami,dc=woodgrovebank,dc=com" -trustee "woodgrovebank\roya", and then press ENTER.
6. If you wish, open Active Directory Users and Computers to review the effective permissions for Roya.
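As an added example, not the course's grantpasswordreset.ps1 (whose contents are not reproduced here), the following Windows PowerShell script performs the same delegation by hand with System.DirectoryServices and then reads the ACL back, which is the check you want before trusting any delegation script. The container and trustee defaults are taken from the demonstration; the variable names and the read-back report are my own. The two GUIDs are the well-known schema identifiers for the Reset Password control access right and the user object class.

```powershell
# Added example, not the course's grantpasswordreset.ps1: grant a trustee the
# "Reset Password" extended right on every user object under an OU, then read the
# ACL back to confirm the ACE landed with the intended scope. Uses only
# System.DirectoryServices, so it runs under Windows PowerShell 1.0 on Windows
# Server 2008. The OU and trustee defaults are the demo's; change them to suit.
param(
    [string]$Container = "OU=Miami,DC=woodgrovebank,DC=com",
    [string]$Trustee   = "WOODGROVEBANK\roya"
)

# Well-known schema GUIDs; these are the same in every AD DS forest.
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # Reset Password control access right
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # user object class

$sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$ou  = [ADSI]("LDAP://" + $Container)

# One ACE: Allow <trustee> the Reset Password extended right, inherited by
# descendant user objects only. Nothing is granted on the OU itself or on
# computers, groups or other object classes beneath it.
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                  -ArgumentList $sid, $rights, $allow, $resetPasswordRight, $inherit, $userClass

# .psbase reaches the DirectoryEntry members that the PowerShell ADSI adapter hides.
$ou.psbase.ObjectSecurity.AddAccessRule($ace)
$ou.psbase.CommitChanges()

# Verify: show every ACE for this trustee on the OU. Expect ExtendedRight with
# ObjectType = the Reset Password GUID and InheritedObjectType = the user class.
$ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType,
                  InheritedObjectType, IsInherited |
    Format-Table -AutoSize
```

The read-back matters: a delegation that was scoped to "This object and all descendant objects" instead of "Descendant User objects" would show InheritedObjectType as an all-zero GUID, which means the trustee can reset passwords on any object class under the OU that has the attribute, not just users.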

Additional Reading
Active Directory Object Permissions
For more information, see the following:
Access control in Active Directory
Assign, change, or remove permissions on Active Directory objects or attributes

Demonstration: Active Directory Domain Services Object Permission Inheritance


For more information, see Assign, change, or remove permissions on Active Directory objects or attributes

What Are Effective Permissions?


For more information, see Effective Permissions tool.

Lesson 2

Configure Active Directory Trusts


Contents:
Detailed Demo Steps 8
Additional Reading 9

Detailed Demo Steps


Demonstration: Reviewing Trusts
Demo Steps: Review an existing child trust:
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. In the console pane, right-click WoodgroveBank.com, and then click Properties.
3. In the WoodgroveBank.com Properties dialog box, on the Trusts tab, under Domains trusted by this domain (outgoing trusts), click EMEA.WoodgroveBank.com, and then click Properties.
4. In the EMEA.WoodgroveBank.com Properties dialog box, review the trust properties, and then click Cancel when finished.

Review the New Trust Wizard:


1. In the WoodgroveBank.com Properties dialog box, click New Trust.
2. In the New Trust Wizard, click Next.
3. On the Trust Name page, type fabrikam.com, and then click Next.
4. On the Trust Type page, review the options, and then click Cancel twice.
Note: Because a domain controller for the fabrikam.com domain cannot be contacted at this point, you will not be able to configure the trust now; it will be done in a later lab exercise.
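An added example, not part of the course material: a PowerShell script that lists what the Trusts tab shows (type and direction of every trust of the current domain and forest) and also reports selective authentication status, which the GUI only shows inside each trust's properties. It uses the System.DirectoryServices.ActiveDirectory classes that ship with .NET, so it needs no extra modules; the helper function name and the output layout are mine.

```powershell
# Added example, not part of the course: list the trusts of the current domain
# and forest and show the properties a security review checks first: trust type,
# direction and, for outbound forest and external trusts, whether selective
# authentication is on. Uses System.DirectoryServices.ActiveDirectory only;
# requires PowerShell 2.0 or later for try/catch. Run on a domain controller or
# a domain-joined machine as a domain user.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

function Get-SelectiveAuth($scope, $trust) {
    # Selective authentication is a property of the trusting side, so it is only
    # meaningful when this side trusts the target (Outbound or Bidirectional).
    if ($trust.TrustDirection -eq "Inbound") { return "n/a (inbound)" }
    try   { return $scope.GetSelectiveAuthenticationStatus($trust.TargetName) }
    catch { return "error: " + $_.Exception.Message }
}

"Trusts of domain $($domain.Name)"
foreach ($t in $domain.GetAllTrustRelationships()) {
    # Intra-forest trusts (ParentChild, TreeRoot, CrossLink) cannot use selective
    # authentication; only External trusts are checked at domain level.
    $sel = if ($t.TrustType -eq "External") { Get-SelectiveAuth $domain $t } else { "n/a ($($t.TrustType))" }
    "{0,-35} {1,-12} {2,-14} SelectiveAuth={3}" -f $t.TargetName, $t.TrustType, $t.TrustDirection, $sel
}

"Trusts of forest $($forest.Name)"
foreach ($t in $forest.GetAllTrustRelationships()) {
    # An outbound forest trust with SelectiveAuth=False uses forest-wide
    # authentication: every user in the trusted forest is a member of
    # Authenticated Users on every computer in this forest. Enable selective
    # authentication and grant Allowed to Authenticate only where cross-forest
    # access is actually needed.
    $sel = Get-SelectiveAuth $forest $t
    "{0,-35} {1,-12} {2,-14} SelectiveAuth={3}" -f $t.TargetName, $t.TrustType, $t.TrustDirection, $sel
}
```

In the lab forest this prints the EMEA.WoodgroveBank.com ParentChild trust at domain level and nothing at forest level until the fabrikam.com trust is created in the later exercise.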

Additional Reading
AD DS Trust Options
For more information on managing trusts, see Active Directory Domains and Trusts Help: Managing Trusts.

How Trusts Work Within a Forest


For more information on Managing Trusts, see Active Directory Domains and Trusts Help: Managing Trusts.

How Trusts Work Between Forests


For more information on How Domains and Forests Work, see How Domains and Forests Work.

What Are User Principal Names?


For more information on Active Directory naming, see Active Directory naming.

What Are the Selective Authentication Settings?


For more information, see the following:
Enable selective authentication over a forest trust
Grant the Allowed to Authenticate permission on computers in the trusting domain or forest

Module Reviews and Takeaways


Review questions
1. Question: What are the risks with using special permissions to assign AD DS permissions?
Answer: The primary risk is that because special permissions can be so detailed, you may forget that certain permissions are applied until an administrator cannot perform some action that they should be able to perform. If you are going to use special permissions, you must ensure that you document the permissions very carefully.

2. Question: What permissions would a user have on an object if you granted them Full Control permission, and denied the user Write access?
Answer: The user could read all of the attributes of the object but could not change any of them, because the explicit Deny on Write overrides the Allow on Write that Full Control includes. Note, however, that the object is not truly read-only: Full Control also includes Delete, Modify Permissions, Modify Owner and the extended rights, and none of those are blocked by the Deny on Write. With Modify Permissions still allowed, the user could even remove the Deny entry. To make an object read-only, grant Read rather than Full Control instead of relying on a Deny.

3. Question: What would happen to an object's permissions if you moved the object from one OU to another, if the OUs had different permissions applied?
Answer: When you move objects between organizational units, the following conditions apply:
Permissions that are set explicitly on the object remain the same.
An object inherits permissions from the organizational unit to which it is moved.
An object no longer inherits permissions from the organizational unit from which it was moved.

6. Question: What would happen if you removed all permissions from an OU when you blocked inheritance, and did not assign any new permissions?
Answer: In this case, no one would be able to access the objects in the OU. However, the OU owner can always access the object to assign permissions.

7. Question: When retrieving effective permissions, accurate retrieval of information requires permission to read the membership information. If the specified user or group is a domain object, what type of permissions does a domain administrator need to have to read the object's group information on the domain? What about a local administrator and an authenticated domain user?
Answer: Domain administrators have permission to read membership information on all objects. Local administrators on a workstation or stand-alone server cannot read membership information for a domain user. Authenticated domain users can only read membership information when the domain is in Pre-Windows 2000 compatibility mode.

8. Question: What are the benefits of delegating administrative permissions?
Answer: One of the main benefits of delegating administrative permissions is that you can grant users permissions to perform specific tasks in a limited section of AD DS, without granting them any broader administrative permission. You can limit the scope of the delegated permissions to a specific OU, or you can limit the delegated permissions to a specific object or even a specific attribute of an object.

9. Question: How would you use delegation of control in your organization?
Answer: Answers will vary. In very small organizations, with a single team of administrators responsible for all administrative tasks, delegating control may not be an option. However, many organizations may find some way that they can delegate control of some tasks. Often this is done at a department OU level, or at a branch office OU level.

10. Question: What does a trust existing between two domains provide?
Answer: Trusts help provide for controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). In this way, trusts act as bridges that allow only validated authentication requests to travel between domains.

11. Question: If you were going to configure a trust between a Windows Server 2008 domain and a Windows NT 4.0 domain, what type of trust would you configure?
Answer: You would have to configure an external trust.

12. Question: If you need to share resources between domains, but do not want to configure a trust, how could you provide access to the shared resources?
Answer: One option would be to allow anonymous access to the resources. For example, you could store the data on a Windows SharePoint Services site and enable anonymous access to the SharePoint site. Bear in mind that anonymous access removes authentication entirely, so it is suitable only for data that anyone who can reach the site may see. Another option is to create user accounts in the domain where the resources exist for the other domain's users that need to access the resources. When the users try to access the resource, they will need to enter the credentials from the target domain.

13. Question: A user located in a different domain in your forest needs permission to create GPOs in your domain. What is the best way to accomplish this?
Answer:

14. Question: In this slide, what type of trust do Domain B and Domain C have in this forest? What are the limitations?
Answer: Domain B and Domain C have a one-way trust. Domain B can access Domain C, but Domain C cannot directly access Domain B.

15. Question: Why would clients not be able to access resources in a domain outside the forest?
Answer: This can occur if there is a failure on the external trust between the domains, and can be resolved by resetting and verifying the trust between the domains.

16. Question: When you set up a forest trust, what information will need to be available in DNS for the forest trust to work?
Answer: In order to configure the trust, and in order for the trust to work after configuration, domain controllers in both forests will need to be able to resolve the DNS names for the domain controllers in the other forest. This means that you must configure DNS to enable this name resolution. You can enable name resolution by configuring conditional forwarding, stub zones, or zone transfers.

17. Question: Provide a couple of scenarios where UPNs would be useful.
Answer: Students' answers will vary, and the student response should indicate that they understand how it simplifies the user's experience. For example, an organization with multiple domains may choose to use the forest root domain as the UPN suffix for all users. Another example is an organization that uses Simple Mail Transfer Protocol (SMTP) addresses for e-mail that are different from the domain name; administrators may choose to add the SMTP domain as a UPN suffix so that the user's e-mail address can also be their logon name.

18. Question: Provide a scenario where it would be appropriate to enable selective authentication.
Answer: Students' answers will vary, and the student response should indicate that they understand the security that selective authentication provides.

19. Question: When addressing Active Directory permissions, there are risks. How do explicitly denied permissions contribute to that risk?
Answer: The risk is that an explicit Deny overrides any Allow granted on the same object or inherited from above, so a single Deny entry (for example, on a group the administrator happens to belong to) can silently block an administrator who otherwise appears to have the right. The precedence order is explicit Deny, explicit Allow, inherited Deny, inherited Allow, so an explicit Allow on an object does override a Deny inherited from a parent, which is a second way effective permissions can differ from what a quick look at the ACL suggests.

20. Question: If there is a trust within a forest, and the resource is not in the user's domain, how does the domain controller use the trust relationship to access the resource?
Answer: The domain controller uses the trust relationship with its parent and refers the user's computer to a domain controller in its parent domain. This attempt to locate the resource continues up the trust hierarchy, possibly to the forest root domain, and then down the trust hierarchy, until contact occurs with a domain controller in the domain where the resource exists.

21. Question: You have created a global group called Helpdesk, which contains all the help desk accounts. You want the help desk personnel to be able to perform any operation on local desktop computers, including taking ownership of files. Which is the best built-in group to use?
Answer: Add the Helpdesk group to the local Administrators group, because the help desk personnel must be able to perform any operation on the desktop computers.

22. Question: The BranchOffice_Admins group has been granted full control of all user accounts in the BranchOffice_OU. What permissions would the BranchOffice_Admins have to a user account that was moved from the BranchOffice_OU to the HeadOffice_OU?
Answer: The BranchOffice_Admins would not have any permissions on the user account, because the full control permission was inherited from the OU where the account was located, and inherited permissions are recalculated from the new parent after a move. (If full control had instead been set explicitly on the user object itself, it would move with the object; see question 3.)

23. Question: Your organization has a Windows Server 2008 forest environment, but it has just acquired another organization with a Windows 2000 forest environment that contains a single domain. Users in both organizations must be able to access resources in each other's forest. What type of trust do you create between the forest root domain of each forest?
Answer: You will need to implement an external trust, because Windows 2000 does not support forest trusts. Only Windows Server 2003 or later, at the Windows Server 2003 forest functional level, supports forest trusts.

Lab Review Questions and Answers


1. Question: After the trusts are configured as described in the lab, what resources will users in WoodgroveBank be able to access in the Fabrikam.com domain?
Answer: By default, the users will not have any access, because the lab did not configure any shares in the Fabrikam domain to allow access for WoodgroveBank users. However, because the trust is using domain-wide authentication, users will be able to access resources on any server in the Fabrikam.com domain once permissions are configured. With domain-wide authentication, every WoodgroveBank user becomes a member of Authenticated Users on every Fabrikam.com computer; selective authentication would limit that to the computers where Allowed to Authenticate is granted.
2. Question: How would you configure a forest trust with another organization if the organization does not provide you with their administrator credentials?
Answer: You would be able to configure and verify one side of the trust only. Administrators in the other organization must configure the trust in their domain.

Module 6
Creating and Configuring Group Policy
Contents:
Lesson 1: Overview of Group Policy 2
Lesson 2: Configuring the Scope of Group Policy Objects 8
Lesson 3: Evaluating the Application of Group Policy Objects 16
Lesson 4: Managing Group Policy Objects 21
Lesson 5: Delegating Administrative Control of Group Policy 28
Module Reviews and Takeaways 32
Lab Review Questions and Answers 36

Lesson 1

Overview of Group Policy


Contents:
Question and Answers 3
Detailed Demo Steps 5
Additional Reading 7

Question and Answers


What Is Group Policy?
Question: When would local Group Policy be useful in a domain environment?
Answer: Companies that use imaging technologies to deploy operating systems could use local Group Policy to help secure and standardize images. In this way, computers that are not connected to the local area network (LAN) would still be subject to certain restrictions for all users.

Group Policy Settings


Question: Which of the new features will you find most useful in your environment? Answer: Answers may vary.

How Group Policy Is Applied


Question: What would be some advantages and disadvantages to lowering the refresh interval?
Answer: Advantages: provides faster updates for new settings, and ensures that mobile users are more likely to get settings refreshed. Disadvantages: increases network traffic, and consumes more local computer resources to check for updates.

Exceptions to Group Policy Processing


Question: How is NLA better than Internet Control Message Protocol (ICMP) in the proper application of Group Policy?
Answer: Mobile users that move in and out of wireless networks, docking stations, hibernation, and so on will know immediately about the availability of domain controllers. NLA notifies the Group Policy client when the network state changes, so policy can be refreshed as soon as a domain controller becomes reachable, and slow-link detection no longer depends on ICMP echo requests, which firewalls often block.

Group Policy Components


Question: Think of at least one example of how your organization can benefit by using the Group Policy components. Answer: Answers may vary.

What Are ADM and ADMX files?


Question: How could you tell if a GPO was created or edited using ADM or ADMX files?
Answer: When you open the GPO in SYSVOL, if there is an ADM folder, then the GPO was created or opened from a computer with ADM files. If there is no ADM folder, then it must have been created from a Windows Vista or Windows Server 2008 computer.
Question: List one benefit of the ADMX format with Group Policy Objects.
Answer: Answers may vary. Possible answers include: language independence, XML-based, not stored in the GPO.

What Is the Central Store?


Question: What would be the advantage of creating the central store in your environment? Answer: Answers may vary.

Demonstration: Configuring Group Policy Objects


Question: When you open the GPMC on your Windows XP computer, you do not see the new Windows Vista settings in the Group Policy Object Editor. Why not? Answer: The XP operating system cannot interpret the ADMX files, and will not display those templates.

Detailed Demo Steps


Demonstration: Configuring Group Policy Objects
Demo steps: Review the Group Policy Management Interface
1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, right-click Group Policy Management, and then click Add Forest.
3. In the Add Forest dialog box, read the text, and then click Cancel.
4. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
5. In the details pane, examine the Group Policy objects, and then click the Delegation tab.
6. Review the users and groups who have permission to create Group Policy objects in this domain.

Create a new Group Policy


1. Right-click the Group Policy Objects folder, and then click New.
2. In the New GPO dialog box, in the Name field, type Desktop, and then click OK.

Edit the Group Policy


1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Desktop policy, and then click Edit.
2. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
3. In the details pane, double-click Interactive logon: Do not display last user name.
4. In the Interactive logon: Do not display last user name Properties dialog box, select the Define this policy setting check box, click Enabled, and then click OK.
5. Under Security Settings, click System Services.
6. In the details pane, double-click Windows Installer.
7. In the Windows Installer Properties dialog box, select the Define this policy setting check box, and then click OK.
8. Under User Configuration, expand Policies, expand Administrative Templates, and then click Start Menu and Taskbar.
9. In the details pane, double-click Remove Run menu from Start Menu.
10. In the Remove Run menu from Start Menu Properties dialog box, click Enabled, and then click OK.
11. Under the Administrative Templates folder, expand Control Panel, and then click Display.
12. In the details pane, double-click Hide Screen Saver tab.
13. In the Hide Screen Saver tab Properties dialog box, click Enabled, and then click OK.
14. Close all windows.

Additional Reading
What Is Group Policy?
For more information on Windows Server Group Policy, see Windows Server Group Policy.

How Group Policy Is Applied


For more information on Windows Server Group Policy, see Windows Server Group Policy.

Exceptions to Group Policy Processing


For more information on Controlling Client-Side Extensions by Using Group Policy, see Controlling Client-Side Extensions by Using Group Policy.

Group Policy Components


For more information, see the following:
How Core Group Policy Works
Deploying Group Policy Using Windows Vista

What Is the Central Store?


For more information on creating a central store for Group Policy administrative templates in Windows Vista, see How to create a Central Store for Group Policy Administrative Templates in Windows Vista.

Lesson 2

Configuring the Scope of Group Policy Objects


Contents:
Question and Answers 9
Detailed Demo Steps 11
Additional Reading 15

Question and Answers


Group Policy Processing Order
Question: Your organization has multiple domains spread over multiple sites. You want to apply a Group Policy to all users in two different domains. What is the best way to accomplish this?
Answer: The GPO must be applied separately to each domain. If the settings are changed for one domain, then you must change them manually for the other domain to remain in sync. The GPMC simplifies the task of copying the GPO to another domain.

What Are Multiple Local Group Policy Objects?


Question: When would multiple local Group Policy objects be useful in a domain environment?

Options for Modifying Group Policy Processing


Question: You have created a restrictive desktop policy and linked it to the Finance OU. The Finance OU has several child OUs that have separate GPOs that reverse some of your desktop restrictions. How would you ensure that all users in the Finance department receive your desktop policy? Answer: Enforce the GPO link at the Finance OU level.

Demonstration: Configuring Group Policy Object Links


Question: True or false: if a GPO is linked to multiple containers, altering the settings for one of those links will affect only that container. Answer: False. Changing the settings of a GPO will affect all the containers to which the GPO is linked.

Demonstration: Configuring Group Policy Inheritance


Question: Your domain has two domain-level policies, GPO1 and GPO2. You need to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs. How could you accomplish this? Answer: Block inheritance for the OUs that should not receive GPO2, and set the link on GPO1 to be enforced to ensure that all OUs receive GPO1.

Demonstration: Filtering Group Policy Objects Using Security Groups


Question: You want to ensure that a specific policy linked to an OU will affect only the members of the Managers global group. How would you accomplish this?
Answer: In the Security Filtering section on the GPO's Scope tab, remove the Authenticated Users group, and then add the Managers global group, which grants it the Read and Apply Group Policy permissions.

Demonstration: Filtering Group Policy Objects Using WMI Filters


Question: You need to deploy a software application that requires computers to have more than 1 GB of RAM. What is the best way to accomplish this?

How Does Loopback Processing Work?


Question: List one of the benefits of using Loop Processing.

Discussion: Configuring the Scope of Group Policy Processing


Question: What are the advantages to using security group filtering over blocking inheritance, to prevent Group Policy from being applied? Question: When would blocking inheritance be more appropriate?

Detailed Demo Steps


Demonstration: Configuring Group Policy Object Links
Demo steps: Link an existing GPO
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click the Toronto OU.
3. Right-click the Toronto folder, and then click Link an Existing GPO.
4. In the Select GPO dialog box, click Desktop, and then click OK.
5. Expand the Toronto folder, right-click Desktop, and then click Enforced.
6. In the warning dialog box, click OK.

Test the linked GPO


1. Log on to NYC-CL1 as WOODGROVEBANK\Sven using the password P@ssw0rd.
2. Click Start, point to All Programs, point to Accessories, and then verify that Run is not present in the Start menu.
3. Click Start, and then click Control Panel.
4. In the Control Panel window, under Appearance and Personalization, click Personalization, and then verify that the Screen Saver link is not available.
5. Log off Sven.
6. Press Ctrl+Alt+Delete and note that the name of the last logged-on user is not displayed.

Disable the policy


1. On NYC-DC1, in the Group Policy Management window, click Group Policy Objects.
2. In the details pane, right-click Desktop, point to GPO Status, and review the options.
Note: Disabling the Computer Configuration or User Configuration half of a GPO can improve processing time, because clients skip the part of the policy that is known to be empty. Disabling the whole GPO (All settings disabled) takes it out of processing without deleting it or its links, which is useful when troubleshooting which GPO is causing a problem.

Demonstration: Configuring Group Policy Inheritance


Demo steps: Create a New Organizational Unit with a new User
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, right-click WoodgroveBank.com, point to New, and then click Organizational Unit.
3. In the New Object - Organizational Unit dialog box, in the Name field, type Test OU, and then click OK.
4. Right-click the Test OU folder, point to New, and then click User.
5. In the New Object - User dialog box, in the First name field, type User1.
6. In the User logon name field, type User1, and then click Next.
7. In the Password and Confirm password fields, type Pa$$w0rd.
8. Clear the User must change password at next logon check box, click Next, and then click Finish.

Edit the Default Domain Policy


1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
3. In the details pane of the Group Policy Objects folder, right-click the Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor window, expand User Configuration, expand Policies, expand Administrative Templates, and then click Start Menu and Taskbar.
5. In the details pane, double-click Remove Help menu from Start Menu.
6. In the Remove Help menu from Start Menu dialog box, click Enabled, and then click OK.

Test the new policy settings


1. On NYC-CL1, log on as WOODGROVEBANK\User1 using the password Pa$$w0rd.
2. Click Start and note that the Help menu is not present.
3. Log off User1.

Block Inheritance
1. On NYC-DC1, in the Group Policy Management window, click the Test OU folder.
2. Right-click the Test OU folder, and then click Block Inheritance.
3. Note that the Test OU folder icon changes.

Test the blocked policy settings


1. On NYC-CL1, log on as WOODGROVEBANK\User1 using the password Pa$$w0rd.
2. Click Start and note that the Help menu is now present.
3. Log off User1.

Enforce the Default Domain Policy


1. On NYC-DC1, in the Group Policy Management window, click the Test OU folder.
2. Right-click the Test OU folder, and then click Link an Existing GPO.
3. In the Select GPO dialog box, click Default Domain Policy, and then click OK.
4. Expand the Test OU folder, right-click the Default Domain Policy, and then click Enforced.
5. Note that the linked GPO icon changes.

Test the enforced policy settings


1. On NYC-CL1, log on as WOODGROVEBANK\User1 using the password Pa$$w0rd.
2. Click Start and note that the Help menu is not present.
3. Log off User1.
4. Note that the enforced policy overrides the blocked inheritance.

Remove the enforced policy settings and blocked inheritance


1. On NYC-DC1, in the Group Policy Management window, expand the Test OU folder, right-click the Default Domain Policy link, and then click Delete.
2. In the warning dialog box, click OK. This removes only the link from Test OU; the Default Domain Policy GPO itself is not deleted.
3. Right-click the Test OU folder, and then click Block Inheritance to clear it, so that the OU again inherits the domain-level GPOs.

Demonstration: Filtering Group Policy Objects Using Security Groups


Demo steps: Create a New User
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, expand WoodgroveBank.com, and then click the Test OU folder.
3. Right-click the Test OU folder, point to New, and then click User.
4. In the New Object - User dialog box, in the First name field, type User2.
5. In the User logon name field, type User2, and then click Next.
6. In the Password and Confirm password fields, type Pa$$w0rd.
7. Clear the User must change password at next logon check box, click Next, and then click Finish.

Create a Link to a GPO


1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Test OU.
3. Right-click the Test OU folder, and then click Link an Existing GPO.
4. In the Select GPO dialog box, click Desktop, and then click OK.
5. In the details pane of the Test OU folder, right-click Desktop, and then click Enforced.
6. In the warning dialog box, click OK.

Apply Security Filtering


1. Expand the Test OU folder, and then click Desktop.
2. In the Group Policy Management Console dialog box, click OK.
3. In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.
4. In the confirmation dialog box, click OK.
5. In the details pane, under Security Filtering, click Add.
6. In the Select User, Computer, or Group dialog box, type User1, and then click OK.

Test Group Policy Setting


1. On NYC-CL1, log on as WOODGROVEBANK\User1 using the password Pa$$w0rd.
2. Click Start, point to All Programs, point to Accessories, and verify that Run is not present, because the Desktop GPO applies to User1. (The Help menu is absent for both users: it is removed by the Default Domain Policy, which is not security-filtered.)
3. Log off User1.
4. On NYC-CL1, log on as WOODGROVEBANK\User2 using the password Pa$$w0rd.
5. Click Start, point to All Programs, point to Accessories, and verify that Run is present, because User2 is not in the Desktop GPO's security filter.
6. Log off User2.
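The three GPMC demonstrations above (creating and editing the Desktop GPO, linking and enforcing it, blocking inheritance on Test OU, and security-filtering it to User1) can be scripted end to end. The following is an added example, not course code, written against the GroupPolicy PowerShell module, which assumes Windows Server 2008 R2 or RSAT (it does not exist on Windows Server 2008 with PowerShell 1.0). Domain, OU, GPO and user names are the demo's; the registry keys are the values behind the settings the demo chooses in the editor. The Domain Computers line is a caveat the demo predates: since MS16-072 (June 2016) the Group Policy client reads user GPOs under the computer's identity, so a GPO from which Authenticated Users has been removed must still grant Read to computer accounts or it is silently skipped.

```powershell
# Added example, not course code: the Desktop GPO work from this lesson (create,
# configure, link and enforce, block inheritance, security-filter, report) done
# with the GroupPolicy module. Assumes Windows Server 2008 R2 or RSAT with the
# GroupPolicy module; it is not available on Server 2008 with PowerShell 1.0.
# Domain, OU, GPO and user names are the demo's.
Import-Module GroupPolicy

$domain = "woodgrovebank.com"
$testOu = "OU=Test OU,DC=woodgrovebank,DC=com"
$gpo    = New-GPO -Name "Desktop" -Domain $domain -Comment "Demo desktop restrictions"

# Registry policy settings (written to registry.pol, as the editor does for
# Administrative Templates). "Do not display last user name" is a Security Option
# in the editor, but it is backed by the same HKLM policy value.
$settings = @(
    @{ Key = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"; Name = "NoRun";                   Note = "Remove Run menu from Start Menu" },
    @{ Key = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System";   Name = "NoDispScrSavPage";        Note = "Hide Screen Saver tab" },
    @{ Key = "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System";   Name = "DontDisplayLastUserName"; Note = "Interactive logon: Do not display last user name" }
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $s.Key -ValueName $s.Name -Type DWord -Value 1 | Out-Null
}

# Link to the OU and enforce, then block inheritance on the OU. Enforced links
# win over Block Inheritance, which is exactly what the inheritance demo shows.
New-GPLink -Name $gpo.DisplayName -Target $testOu -LinkEnabled Yes -Enforced Yes | Out-Null
Set-GPInheritance -Target $testOu -IsBlocked Yes | Out-Null

# Security filtering: drop Authenticated Users, apply to User1 only.
Set-GPPermissions -Name $gpo.DisplayName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None    | Out-Null
Set-GPPermissions -Name $gpo.DisplayName -TargetName "User1"               -TargetType User  -PermissionLevel GpoApply | Out-Null
# Keep Read for computer accounts. Since MS16-072 (June 2016) the Group Policy
# client reads user GPOs with the computer's identity; without Read here the
# GPO is silently skipped even for User1.
Set-GPPermissions -Name $gpo.DisplayName -TargetName "Domain Computers"    -TargetType Group -PermissionLevel GpoRead  | Out-Null

# Report what the OU now gets and who the GPO applies to.
$inh = Get-GPInheritance -Target $testOu
"{0}: inheritance blocked = {1}" -f $inh.Path, $inh.GpoInheritanceBlocked
$inh.GpoLinks | ForEach-Object { "  link: {0} enabled={1} enforced={2}" -f $_.DisplayName, $_.Enabled, $_.Enforced }
Get-GPPermissions -Name $gpo.DisplayName -All |
    ForEach-Object { "  {0,-25} {1,-32} inherited={2}" -f $_.Trustee.Name, $_.Permission, $_.Inherited }
```

The report at the end is the scripted equivalent of reading the Scope and Delegation tabs: a link that shows enforced=True on an OU with inheritance blocked is the combination that the "Test the enforced policy settings" step verifies from the client.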

Demonstration: Filtering Group Policy Objects Using WMI Filters


Demo steps:
Create a new WMI Filter
1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, right-click WMI Filters, and then click New.
3. In the New WMI Filter dialog box, in the Name field, type XP Filter.
4. In the Queries pane, click Add.
5. In the WMI Query dialog box, in the Query field, type Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional", and then click OK.
6. In the New WMI Filter dialog box, click Save.

Create a new Group Policy


1. Right-click the Group Policy Objects folder, and then click New.
2. In the New GPO dialog box, in the Name field, type software, and then click OK.

Assign the WMI Filter to the GPO


1. Expand the Group Policy Objects folder, and then click software.
2. In the details pane, under WMI Filtering, in the This GPO is linked to the following WMI filter list, select XP Filter.
3. In the confirmation dialog box, click Yes.
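A WMI filter is evaluated on the client at policy processing time, so the reliable way to know whether a given computer will receive the GPO is to run the same WQL on that computer. The following added example, not course code, does that for the demo's XP query plus two variants of my own; nothing here touches Active Directory.

```powershell
# Added example, not course code: test WMI filter queries on a client before
# attaching them to a GPO. The Group Policy client evaluates the filter locally
# with WMI, so running the same WQL through Get-WmiObject on a representative
# computer shows whether that computer would receive the GPO. The first query is
# the demo's; the other two are added variants.
$queries = @(
    'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"',
    # LIKE tolerates edition suffixes in Caption (e.g. "Microsoft Windows XP Tablet PC Edition")
    'Select * from Win32_OperatingSystem where Caption like "Microsoft Windows XP%"',
    # Version-based test: Vista / Server 2008 kernel (6.0) on a workstation (ProductType 1)
    'Select * from Win32_OperatingSystem where Version like "6.0%" and ProductType = 1'
)

$os = Get-WmiObject -Class Win32_OperatingSystem
"This computer: Caption='{0}' Version='{1}' ProductType={2}" -f $os.Caption, $os.Version, $os.ProductType

foreach ($q in $queries) {
    # A WMI filter passes, and the GPO applies, only if the query returns at least one instance.
    $hit = @(Get-WmiObject -Query $q -Namespace "root\cimv2").Count -gt 0
    $label = if ($hit) { "APPLIES" } else { "skipped" }
    "{0,-8} {1}" -f $label, $q
}
```

Run it on NYC-CL1 (or any XP client) and then on NYC-DC1: the first two queries should report APPLIES only on the XP computer, and the third only on a Windows Vista workstation, which is the behaviour the "software" GPO will have once the filter is attached.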

Additional Reading
Group Policy Processing Order
For more information on Group Policy processing and procedures, see Group Policy processing and precedence.

What Are Multiple Local Group Policy Objects?


For more information on managing multiple Local Group Policy objects, see Step-by-Step Guide to Managing Multiple Local Group Policy Objects.

Options for Modifying Group Policy Processing


For more information on controlling Group Policy object scope, see Controlling the Scope of Group Policy Objects using GPMC .

Discussion: Configuring the Scope of Group Policy Processing


For more information on controlling Group Policy object scope, see Controlling the Scope of Group Policy Objects using GPMC.

6-16

Configuring, Managing, and Maintaining Windows Server 2008 Servers

Lesson 3

Evaluating the Application of Group Policy Objects


Contents:
Question and Answers 17
Detailed Demo Steps 18
Additional Reading 20


Question and Answers


What Is Group Policy Reporting?
Question: You want to know which domain controller delivered Group Policy to a client. Which utility would you use? Answer: GPResult.exe will provide that information.

What Is Group Policy Modeling?


Question: What simulations can you perform with the Group Policy Modeling Wizard? Choose all that apply:
A. Loopback processing
B. Moving a user to a different domain in the same forest
C. Security group filtering
D. Slow link detection
E. WMI filtering
F. All of the above

Answer: A, D and E are correct. You cannot simulate migrating users across domains. You can simulate security group membership, but not security group filtering.

Demonstration: How to Evaluate the Application of Group Policy


Question: A user reports that they are unable to access Control Panel, yet other users in the department can access Control Panel. What tools might you use to troubleshoot the problem? Answer: The Group Policy Results Wizard can tell you if the problem is Group Policy related, and if so, what policy is providing the setting.


Detailed Demo Steps


Demonstration: How to Evaluate the Application of Group Policy
Demo steps: View Group Policy Results
1. Click Start, and then click Command Prompt.
2. In the Administrator: Command Prompt window, type GPResult.
3. Review the output in the command window.
4. Close the command window.
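The facts a troubleshooter wants from GPResult are which domain controller served policy, which GPOs applied, and which were filtered out and why. This added example (not part of the course content) extracts them from gpresult /r text; the sample output is constructed to mirror the English layout of the tool, and on a real client you would replace it with (gpresult /r /scope:user | Out-String).

```powershell
# Added example, not part of the course content. The sample below is a
# constructed gpresult /r excerpt in the tool's English layout.
$sample = @'
RSOP data for WOODGROVEBANK\User1 on NYC-CL1 : Logging Mode
----------------------------------------------------------

USER SETTINGS
--------------
    CN=User1,OU=Test,DC=WoodgroveBank,DC=com
    Group Policy was applied from:      NYC-DC1.WoodgroveBank.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        WOODGROVEBANK

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Desktop

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
        software
            Filtering:  Denied (WMI Filter)
'@

function ConvertFrom-GpresultText {
    param([Parameter(Mandatory=$true)] [string] $Text)
    $report  = @{ AppliedFrom = $null; Applied = @(); Filtered = @() }
    $section = $null   # 'applied' or 'filtered' while inside that block
    $pending = $null   # GPO name waiting for its "Filtering:" line

    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^Group Policy was applied from:\s*(\S+)') {
            $report.AppliedFrom = $Matches[1]; continue
        }
        if ($line -eq 'Applied Group Policy Objects') { $section = 'applied'; continue }
        if ($line -like 'The following GPOs were not applied*') { $section = 'filtered'; continue }
        if ($line -eq '') { $section = $null; continue }   # blank line ends a block
        if ($line -match '^-+$') { continue }               # underline row

        switch ($section) {
            'applied'  { $report.Applied += $line }
            'filtered' {
                if ($line -match '^Filtering:\s*(.+)$') {
                    $report.Filtered += New-Object PSObject -Property @{
                        Gpo = $pending; Reason = $Matches[1] }
                } else {
                    $pending = $line
                }
            }
        }
    }
    New-Object PSObject -Property $report
}

$result = ConvertFrom-GpresultText -Text $sample
$result.AppliedFrom                 # the domain controller that delivered policy
$result.Applied -join ', '          # GPOs that were applied
$result.Filtered | Format-Table Gpo, Reason -AutoSize
```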

Use the Group Policy Reporting Wizard


1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, right-click Group Policy Results, and then click Group Policy Results Wizard.
3. In the Group Policy Results Wizard, click Next.
4. On the Computer Selection page, click Next.
5. On the User Selection page, click Next.
6. On the Summary of Selections page, click Next.
7. On the Completing the Group Policy Results Wizard page, click Finish.
8. In the Internet Explorer dialog box, click Add.
9. In the Trusted Sites dialog box, click Add, and then click Close.
10. Review the Group Policy Results.

Save the Report as an HTML File


1. Expand the Group Policy Results folder, right-click the Administrator on NYC-DC1 report, and then click Save Report.
2. In the Save GPO Report dialog box, click Save.

Use the Group Policy Modeling Wizard


1. Right-click the Group Policy Modeling folder, and then click Group Policy Modeling Wizard.
2. In the Group Policy Modeling Wizard, click Next.
3. On the Domain Controller Selection page, click Next.
4. On the User and Computer Selection page, under User information, click User, and then click Browse.
5. In the Select User dialog box, type User1.
6. Under Computer information, click Browse.
7. In the Choose Computer Container dialog box, expand WoodgroveBank, click ITAdmins, and then click OK.
8. On the User and Computer Selection page, click Next.
9. On the Advanced Simulation Options page, click Next.
10. On the Alternate Active Directory Paths page, click Next.
11. On the User Security Groups page, click Next.
12. On the Computer Security Groups page, click Next.
13. On the WMI Filters for Users page, click Next.
14. On the WMI Filters for Computers page, click Next.
15. On the Summary of Selections page, click Next.
16. On the Completing Group Policy Modeling Wizard page, click Finish.
17. Review the Report.


Additional Reading
What Is Group Policy Reporting?
For more information, see Command-line reference A-Z, and then click Gpresult.

What Is Group Policy Modeling?


For more information on Evaluating Group Policy Settings by Using Group Policy Modeling and Group Policy Results, see Using Group Policy Modeling and Group Policy Results to Evaluate Group Policy Settings.


Lesson 4

Managing Group Policy Objects


Contents:
Question and Answers 22
Detailed Demo Steps 23
Additional Reading 27


Question and Answers


GPO Management Tasks
Question: You perform regular backups of GPOs. An administrator has inadvertently changed a number of settings on the wrong GPO. What is the quickest way to fix the problem? Answer: Restoring a previous backed up version will restore the original settings.

What Is a Starter GPO?


Question: List one of the benefits of using Starter GPOs. Answer: Answers may vary. Possible answers include: Making GPO creation easier and more reliable. Providing backups for GPOs.

Demonstration: How to Copy a GPO


Question: What is the advantage of copying a GPO and linking it to an OU, versus linking the original GPO to multiple OUs? Answer: If the original GPO is modified, it will affect all the OUs to which it is linked. A copied GPO is a new instance of the GPO that has no connection to the original GPO.

Demonstration: Backing up and Restoring GPOs


Question: What permissions are required to back up a GPO? Answer: Read permission.

Demonstration: Importing a GPO


Question: What is the purpose of a migration table? Answer: Migration tables allow you to, if required, change specific references in copied or imported GPOs, in the new location where the GPO will be applied.

Migrating Group Policy Objects


Question: List at least one benefit of using the ADMX Migrator utility. Answer: Answers may vary. Possible answers include: The ADMX Migrator tool is a free conversion tool that allows administrators to migrate their ADM files to ADMX file format saving time and reducing the amount of re-work that may need to be done.


Detailed Demo Steps


Demonstration: Starter GPOs
Demo steps: Install the Starter GPO for Vista
1. Click Start, and then click Computer.
2. Navigate to E:\Mod06\DemoCode, and then double-click VistaStarterGPOs.msi.
3. Install the Starter GPO, accepting all defaults.

Add the Starter GPO to Group Policy Management


1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Starter GPOs.
3. In the details pane of the Starter GPOs folder, click Create Starter GPOs folder.
4. In the Starter GPOs in WoodgroveBank.com page, click Load Cabinet.
5. In the Load Starter GPO dialog box, click Browse for CAB.
6. In the Browse for CAB dialog box, navigate to C:\Program Files\Microsoft Group Policy\StarterGPOs\Windows Vista, click Windows Vista EC User.cab, and then click Open.
7. In the Load Starter GPO dialog box, click OK.
8. Expand the Starter GPOs folder, and then click Windows Vista EC User.
9. Review the results in the details pane.

Demonstration: How to Copy a GPO


Demo steps:
1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
3. In the details pane of the Group Policy Objects folder, right-click the Desktop policy, and then click Copy.
4. Right-click the Group Policy Objects folder, and then click Paste.
5. In the Copy GPO dialog box, click OK.
6. In the Copy dialog box, click OK.
7. In the details pane of the Group Policy Objects folder, right-click the Copy of Desktop policy, and then click Rename.
8. Rename Copy of Desktop to Desktop 2.


Demonstration: Backing up and Restoring GPOs


Demo steps: Create a Backup Folder
1. Click Start, and then click Computer.
2. Double-click Local Disk (C:).
3. On the File menu, point to New, and then click Folder.
4. Rename the folder GPO_Back.

Back Up a Single GPO


1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
3. In the details pane of the Group Policy Objects folder, right-click the Desktop policy, and then click Backup.
4. In the Back Up Group Policy Object dialog box, in the Location field, type C:\GPO_Back, and then click Back Up.
5. In the Backup dialog box, click OK.

Back Up All GPOs


1. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
2. Right-click the Group Policy Objects folder, and then click Back Up All.
3. In the Back Up Group Policy Object dialog box, click Back Up.
4. In the Backup dialog box, click Back Up.

Delete an existing GPO


1. In the details pane of the Group Policy Objects folder, right-click Desktop 2, and then click Delete.
2. In the confirmation dialog box, click Yes.
3. In the Delete dialog box, click OK.

Restore a GPO
1. Right-click the Group Policy Objects folder, and then click Manage Backups.
2. In the Manage Backups dialog box, click the Desktop 2 policy, and then click Restore.
3. In the confirmation dialog box, click OK.
4. In the Restore dialog box, click OK.
5. In the Manage Backups dialog box, click Close.
6. Note that the Desktop 2 GPO exists again.
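The same backup, delete and restore cycle scripted so it can run on a schedule and be verified. This is an added example, not part of the course content; it assumes the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT), and the folder and GPO names follow the demo.

```powershell
# Added example, not part of the course content: back up every GPO to a
# dated folder, then restore one GPO by name and confirm the restore.
Import-Module GroupPolicy

function Backup-AllGpos {
    param([string] $Root = 'C:\GPO_Back')
    # One sub-folder per run keeps a history of restore points instead of
    # overwriting the last known-good backup.
    $target = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    $backups = Backup-GPO -All -Path $target -Comment "Scheduled backup $(Get-Date)"
    # Backup-GPO returns one GpoBackup object (Id, DisplayName, GpoId ...) per GPO.
    Write-Host ('{0} GPO(s) backed up to {1}' -f @($backups).Count, $target)
    return $target
}

function Restore-GpoFromBackup {
    param(
        [Parameter(Mandatory=$true)] [string] $GpoName,
        [Parameter(Mandatory=$true)] [string] $BackupPath
    )
    $before = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    # Restore-GPO re-creates a deleted GPO (same GUID) or overwrites the live
    # settings of an existing one. Links and WMI filter objects are not part
    # of a GPO backup, so re-check them after a restore.
    Restore-GPO -Name $GpoName -Path $BackupPath | Out-Null
    $after = Get-GPO -Name $GpoName
    New-Object PSObject -Property @{
        GpoName              = $GpoName
        ExistedBefore        = [bool]$before
        UserVersionAfter     = $after.User.DSVersion
        ComputerVersionAfter = $after.Computer.DSVersion
        ModifiedAfter        = $after.ModificationTime
    }
}

$backupDir = Backup-AllGpos
# ... Desktop 2 is deleted or mis-edited, as in the demo ...
Restore-GpoFromBackup -GpoName 'Desktop 2' -BackupPath $backupDir
```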


Demonstration: Importing a GPO


Demo steps: Create a new GPO
1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
3. Right-click the Group Policy Objects folder and click New.
4. In the New GPO dialog box, in the Name field, type Redirect, and then click OK.

Edit the GPO


1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Redirect policy and click Edit.
2. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand Windows Settings, and then expand Folder Redirection.
3. Right-click the Documents folder, and then click Properties.
4. In the Document Properties dialog box, in the Setting list, click Basic - Redirect everyone's folder to the same location.
5. In the Target folder location list, click Redirect to the following location.
6. For the Root Path field, type \\server\share, and then click OK.
7. In the Warning dialog box, click Yes.
8. In the second Warning dialog box, click Yes.
9. Close the Group Policy Management Editor.

Back Up the Redirect GPO


1. In the Group Policy Management window, click the Group Policy Objects folder.
2. In the details pane, right-click the Redirect policy, and then click Backup.
3. In the Back Up Group Policy Object dialog box, click Back Up.
4. In the Backup dialog box, click OK.

Create a new GPO


1. In the Group Policy Management window, right-click the Group Policy Objects folder, and then click New.
2. In the New GPO dialog box, in the Name field, type Imported, and then click OK.

Import the Redirect policy to the Imported policy


1. In the details pane of the Group Policy Objects folder, right-click the Imported policy and click Import Settings.
2. In the Import Settings Wizard, click Next.
3. On the Backup GPO page, click Next.
4. On the Backup location page, click Next.
5. On the Source GPO page, click Redirect and click Next.
6. On the Scanning Backup page, click Next.
7. On the Migrating References page, select the Using this migration table to map them in the destination GPO radio button, and then click New.
8. In the Migration Table Editor - New window, in the Source Name field, type \\server\share.
9. In the Source Type list, ensure that UNC Path is selected.
10. In the Destination Name field, type \\Srv1\docs.
11. On the File menu, click Save.
12. In the Save As dialog box, in the File Name field, type Migration1, and then click Save.
13. Close the Migration Table Editor window.
14. On the Migrating References page, click Next.
15. On the Completing the Importing Settings Wizard page, click Finish.
16. In the Import dialog box, click OK.

Verify the new Import GPO


1. In the details pane of the Group Policy Objects folder, right-click the Imported policy, and then click Edit.
2. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand Windows Settings, and then expand Folder Redirection.
3. Right-click the Documents folder, and then click Properties.
4. Ensure that the Root Path field contains \\Srv1\docs.
5. Close all windows.


Additional Reading
What Is a Starter GPO?
For more information on the Starter GPOs, see Help Topics: Working with Starter GPOs.

Demonstration: Starter GPOs


For the Starter GPOs used in this demonstration, see Download Starter GPOs.

Migrating Group Policy Objects


For more information on ADMX Migrator, see ADMX Migrator.


Lesson 5

Delegating Administrative Control of Group Policy


Contents:
Question and Answers 29
Detailed Demo Steps 30
Additional Reading 31


Question and Answers


Options for Delegating Control of GPOs
Question: List one of the benefits of the administrator delegating rights to create new Group Policies. Answer: Answers may vary. Possible answers include: Administrators can provide a mechanism for users to create new Group Policies without giving them rights to configure anything else. This provides better overall security without making administration too inflexible.

Demonstration: How to Delegate Administrative Control of GPOs


Question: A user located in a different domain in your forest needs permission to create GPOs in your domain. What is the best way to accomplish this? Answer: You must use the GPMC to delegate permission to create GPOs to the user. You cannot add the user to the Group Policy Creator Owners group, because it is a global group and therefore cannot contain a user from a different domain.


Detailed Demo Steps


Demonstration: How to Delegate Administrative Control of GPOs
Demo steps: Using the Delegation of Control Wizard
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, expand WoodgroveBank.com.
3. Right-click the Test OU folder, and then click Delegate Control.
4. In the Delegation of Control Wizard, click Next.
5. On the Users or Groups page, click Add.
6. In the Select Users, Computers, or Groups dialog box, type User1, and then click OK.
7. On the Users or Groups page, click Next.
8. On the Tasks to Delegate page, select the Manage Group Policy links check box and the Generate Resultant Set of Policy (Planning) check box.
9. On the Completing the Delegation of Control Wizard page, click Finish.

Delegate the right to create Group Policy


1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
3. In the details pane, click the Delegation tab.
4. On the Delegation page, click Add.
5. In the Select Users, Computers, or Groups dialog box, type User2 and click OK.

Delegate the right to edit the Desktop policy


1. In the details pane, click the Contents tab.
2. Double-click the Desktop GPO.
3. In the Desktop details pane, click the Delegation tab.
4. On the Delegation page, click Add.
5. In the Select Users, Computers, or Groups dialog box, type User2 and click OK.
6. In the Add Group or User dialog box, in the Permissions list, click Edit settings.
7. Close all windows.
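The Edit settings delegation from the demo, scripted, followed by an audit of who can edit any GPO in the domain: everyone on that list can push configuration to every object the GPO applies to, so it should be short and made of groups rather than individual accounts. This is an added example, not part of the course content; it assumes the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT) and uses the demo's names.

```powershell
# Added example, not part of the course content: delegate Edit settings on
# the Desktop GPO to User2, then list edit-level rights on every GPO.
Import-Module GroupPolicy

# Equivalent of the Delegation tab step: Edit settings only, without delete
# or modify-security rights (GpoEditDeleteModifySecurity would grant those).
Set-GPPermission -Name 'Desktop' -TargetName 'User2' -TargetType User `
    -PermissionLevel GpoEdit | Out-Null

function Get-GpoEditDelegations {
    # Returns one row per trustee that can change a GPO's settings.
    $editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($gpo in Get-GPO -All) {
        # Query by GUID so two GPOs with similar display names cannot be confused.
        foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
            if ($editLevels -contains $ace.Permission) {
                New-Object PSObject -Property @{
                    Gpo         = $gpo.DisplayName
                    Trustee     = $ace.Trustee.Name
                    TrusteeType = $ace.TrusteeType     # User, Group, ...
                    Permission  = $ace.Permission
                    Inherited   = $ace.Inherited
                }
            }
        }
    }
}

# Direct delegations to individual user accounts (such as the User2 entry
# above) are the ones that tend to be forgotten; flag them for review.
Get-GpoEditDelegations |
    Where-Object { $_.TrusteeType -eq 'User' } |
    Sort-Object Gpo, Trustee |
    Format-Table Gpo, Trustee, Permission, Inherited -AutoSize
```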


Additional Reading
Options for Delegating Control of GPOs
For more information on delegating group policy, see Delegating Group Policy.


Module Reviews and Takeaways


Review questions
1. Question: What are the risks with using special permissions to assign AD DS permissions?
Answer: The primary risk is that because special permissions can be so detailed, you may forget that certain permissions are applied until an administrator cannot perform some action that they should be able to perform. If you are going to use special permissions, you must ensure that you document the permissions very carefully.
2. Question: When would local Group Policy be useful in a domain environment?
Answer: Companies that use imaging technologies to deploy operating systems could use local Group Policies to help secure and standardize images. In this way, computers that are not connected to the local area network (LAN) would still be subject to certain restrictions for all users.
3. Question: Which of the new features will you find most useful in your environment?
Answer: Answers will vary.
4. Question: What would be some advantages and disadvantages to lowering the refresh interval?
Answer: Advantages: provides faster updates for new settings; ensures that mobile users are more likely to get settings refreshed. Disadvantages: increases network traffic; consumes more local computer resources to check for updates.
5. Question: How is NLA better than Internet Control Message Protocol (ICMP) in the proper application of Group Policy?
Answer: Mobile users that move in and out of wireless networks, docking stations, hibernation, etc., will know immediately about the availability of domain controllers.
6. Question: Think of at least one example of how your organization can benefit by using the Group Policy components.
Answer: Answers may vary.
7. Question: How could you tell if a GPO was created or edited using ADM or ADMX files?
Answer: When you open the GPO in SYSVOL, if there is an ADM folder, then the GPO was created or opened from a computer with ADM files. If there is no ADM folder, then it must have been created from a Windows Vista or Windows Server 2008 computer.
Question: List one benefit of the ADMX format with Group Policy Objects.
Answer: Answers may vary. Possible answers include: language independence, XML-based, not stored in the GPO.
8. Question: What would be the advantage of creating the central store in your environment?
Answer: Answers may vary.
9. Question: When you open the GPMC on your Windows XP computer, you do not see the new Windows Vista settings in the Group Policy Object Editor. Why not?
Answer: The XP operating system cannot interpret the ADMX files, and will not display those templates.
10. Question: Your organization has multiple domains spread over multiple sites. You want to apply a Group Policy to all users in two different domains. What is the best way to accomplish this?
Answer: The GPO must be applied separately to each domain. If the settings are changed for one domain, then you must change them manually for the other domain to remain in sync. The GPMC simplifies the task of copying the GPO to another domain.


11. Question: When would multiple local Group Policy objects be useful in a domain environment?
Answer: Companies may use multiple local Group Policy objects to exempt domain and local administrative accounts from local restrictions.
12. Question: You have created a restrictive desktop policy and linked it to the Finance OU. The Finance OU has several child OUs that have separate GPOs that reverse some of your desktop restrictions. How would you ensure that all users in the Finance department receive your desktop policy?
Answer: Enforce the GPO link at the Finance OU level.
13. Question: True or false: if a GPO is linked to multiple containers, altering the settings for one of those links will affect only that container.
Answer: False. Changing the settings of a GPO will affect all the containers to which the GPO is linked.
14. Question: Your domain has two domain-level policies, GPO1 and GPO2. You need to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs. How could you accomplish this?
Answer: Block inheritance for the OUs that should not receive GPO2, and set the link on GPO1 to be enforced to ensure that all OUs receive GPO1.
15. Question: You want to ensure that a specific policy linked to an OU will affect only the members of the Managers global group. How would you accomplish this?
Answer: Use the security page of the GPO to remove the Authenticated Users group, and then add the Managers global group and grant them Read and Apply Group Policy permissions.
16. Question: You need to deploy a software application that requires computers to have more than 1 GB of RAM. What is the best way to accomplish this?
Answer: Create a WMI filter to test for the amount of RAM, and link that filter to the GPO that delivers the software package.
17. Question: List one of the benefits of using Loopback Processing.
Answer: Answers may vary. Possible answers include: enforce policies with a number of different users on the same computer; safeguard machines from unauthorized access.
18. Question: What are the advantages to using security group filtering over blocking inheritance, to prevent Group Policy from being applied?
Answer: Security group filtering allows you to block or apply specific policies, while blocking inheritance affects all higher-level policies.
Question: When would blocking inheritance be more appropriate?
Answer: When you need to prevent all the objects in an OU from receiving Group Policy, and there are too many objects to make filtering a practical solution.
19. Question: You want to know which domain controller delivered Group Policy to a client. Which utility would you use?
Answer: GPResult.exe will provide that information.
20. Question: What simulations can you perform with the Group Policy Modeling Wizard? Choose all that apply:
A. Loopback processing
B. Moving a user to a different domain in the same forest
C. Security group filtering
D. Slow link detection
E. WMI filtering
F. All of the above
Answer: A, D and E are correct. You cannot simulate migrating users across domains. You can simulate security group membership, but not security group filtering.
21. Question: A user reports that they are unable to access Control Panel, yet other users in the department can access Control Panel. What tools might you use to troubleshoot the problem?
Answer: The Group Policy Results Wizard can tell you if the problem is Group Policy related, and if so, what policy is providing the setting.
22. Question: You perform regular backups of GPOs. An administrator has inadvertently changed a number of settings on the wrong GPO. What is the quickest way to fix the problem?
Answer: Restoring a previous backed up version will restore the original settings.
23. Question: List one of the benefits of using Starter GPOs.
Answer: Answers may vary. Possible answers include: Making GPO creation easier and more reliable. Providing backups for GPOs.
24. Question: What is one benefit of using Starter GPOs?
Answer: Answers may vary.
25. Question: What is the advantage of copying a GPO and linking it to an OU, versus linking the original GPO to multiple OUs?
Answer: If the original GPO is modified, it will affect all the OUs to which it is linked. A copied GPO is a new instance of the GPO that has no connection to the original GPO.
26. Question: What permissions are required to back up a GPO?
Answer: Read permission.
27. Question: What is the purpose of a migration table?
Answer: Migration tables allow you to, if required, change specific references in copied or imported GPOs, in the new location where the GPO will be applied.
28. Question: List at least one benefit of using the ADMX Migrator utility.
Answer: Answers may vary. Possible answers include: The ADMX Migrator tool is a free conversion tool that allows administrators to migrate their ADM files to ADMX file format, saving time and reducing the amount of re-work that may need to be done.
29. Question: List one of the benefits of the administrator delegating rights to create new Group Policies.
Answer: Answers may vary. Possible answers include: Administrators can provide a mechanism for users to create new Group Policies without giving them rights to configure anything else. This provides better overall security without making administration too inflexible.
30. Question: A user located in a different domain in your forest needs permission to create GPOs in your domain. What is the best way to accomplish this?
Answer: You must use the GPMC to delegate permission to create GPOs to the user. You cannot add the user to the Group Policy Creator Owners group, because it is a global group and therefore cannot contain a user from a different domain.
31. Question: You want to force the application of certain Group Policy settings across a slow link. What can you do?
Answer: Use Group Policy to force those settings to be applied across the link, or use Group Policy to change the slow link threshold.
32. Question: You need to ensure that a domain level policy is enforced, but the Managers global group needs to be exempt from the policy. How would you accomplish this?
Answer: Set the link to be enforced at the domain level, and use security group filtering to deny Apply Group Policy permission to the Administrators group.
33. Question: You want all GPOs that contain user settings to have certain Administrative Templates enabled. You need to be able to send those policies to other administrators in the enterprise. What is the best approach?
Answer: Configure a Starter GPO to have the required basic settings, and then export the GPO to a .cab file. That file then can be imported by other administrators.
34. Question: You want to control access to removable storage devices on all client workstations through Group Policy. Can you use Group Policy to do this?
Answer: You can only control access to removable storage devices on Windows Vista and Windows Server 2008.


Lab Review Questions and Answers


1. Question: What other method could be used to grant a user the right to create GPOs in the domain?
Answer: Add the user to the Group Policy Creator Owners group.
2. Question: If you need to apply a GPO to computers that have certain services installed, what is the best approach?
Answer: Create a WMI Filter to query for the services.
3. Question: You want to ensure that a specific policy linked to an OU will affect only the members of the Managers global group. How would you accomplish this?
Answer: Use the security page of the GPO to remove the Authenticated Users group, and then add the Managers global group and grant them Read and Apply Group Policy permissions.
4. Question: You need to deploy a software application that requires computers to have more than 1 GB of RAM. What is the best way to accomplish this?
Answer: Create a WMI filter to test for the amount of RAM, and link that filter to the GPO that delivers the software package.
5. Question: List one of the benefits of using Loopback Processing.
Answer: Answers may vary. Possible answers include: enforce policies with a number of different users on the same computer; safeguard machines from unauthorized access.

Configure User and Computer Environments By Using Group Policy

7-1

Module 7

Configure User and Computer Environments By Using Group Policy


Contents:
Lesson 1: Configuring Group Policy Settings 2
Lesson 2: Configuring Scripts and Folder Redirection Using Group Policy 6
Lesson 3: Configuring Administrative Templates 10
Lesson 4: Deploying Software Using Group Policy 15
Lesson 5: Configuring Group Policy Preferences 18
Lesson 6: Introduction to Group Policy Troubleshooting 20
Lesson 7: Troubleshooting Group Policy Application 24
Lesson 8: Troubleshooting Group Policy Settings 27
Module Reviews and Takeaways 30
Lab Review Questions and Answers 33


Lesson 1

Configuring Group Policy Settings


Contents:
Questions and Answers 3
Detailed Demo Steps 4
Additional Reading 5


Questions and Answers


Options for Configuring Group Policy Settings
Question: A domain-level policy restricts access to the Control Panel. You want the users in the Admin organizational unit (OU) to have access to the Control Panel, but you do not want to block inheritance. How could you accomplish this? Answer: Create a policy that is linked to the Admin OU that has the restriction disabled to the Control Panel setting.

Demonstration: Configuring Group Policy Settings Using the Group Policy Editor
Question: How could you prevent a lower-level policy from reversing the setting of a higher-level policy? Answer: Enforce the link of the higher-level policy.


Detailed Demo Steps


Demonstration: Configuring Group Policy Settings Using the Group Policy Editor
Demonstration steps: Create and configure the Demo GPO
1. On NYC-DC1, log on as WOODGROVEBANK\Administrator using the password Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Group Policy Management.
3. In the Group Policy Management console pane, right-click WoodgroveBank.com, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, in the Name field, type Demo GPO and then click OK.
5. In the console pane, expand Group Policy Objects, right-click Demo GPO, and then click Edit.
6. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
7. In the details pane, double-click Configure Automatic Updates.
8. In the Configure Automatic Updates Properties dialog box, click Enabled.
9. In the Configure automatic updating list, review the settings, and then click 4 - Auto download and schedule the install.
10. Click Next Setting.
11. In the Specify intranet Microsoft update service location Properties dialog box, review the options for configuring intranet update services, and then click OK.
12. Close Group Policy Management Editor.

Test Group Policy application on client computer:


1. On NYC-CL1, log on as WOODGROVEBANK\Administrator using the password Pa$$w0rd.
2. Click Start, type gpupdate /force and then press ENTER.
3. When the update is complete, click Start, and then click Control Panel.
4. In the Control Panel window, under Security, click Check for updates.
5. In the Windows Update window, click Change settings.
6. In the Change settings window, review the Windows Update settings and notice that you cannot change them.
7. Click Cancel and then close Windows Update.
8. Log off NYC-CL1.


Additional Reading
Options for Configuring Group Policy Settings
For more information on the working of core Group Policy, see "How Core Group Policy Works", http://go.microsoft.com/fwlink/?LinkId=99468.

Demonstration: Configuring Group Policy Settings Using the Group Policy Editor
For more information about planning and deploying Group Policy, see "Planning and Deploying Group Policy", http://go.microsoft.com/fwlink/?LinkID=134056

7-6

Configuring, Managing, and Maintaining Windows Server 2008 Servers

Lesson 2

Configuring Scripts and Folder Redirection Using Group Policy
Contents:
Questions and Answers 7
Detailed Demo Steps 8
Additional Reading 9


Questions and Answers


What Are Group Policy Scripts?
Question: You keep logon scripts in a shared folder on the network. How could you ensure that the scripts will always be available to users from all locations?
Answer: Place the scripts in the Netlogon share in the SYSVOL folder.

Demonstration: Configuring Scripts with Group Policy


Question: What other method could you use to assign logon scripts to users?
Answer: You also can use the user's properties in Active Directory Users and Computers to assign scripts to users.

What Is Folder Redirection?


Question: List some disadvantages of folder redirection.
Answer: Mobile users that are not on the local area network (LAN) will not have access to their data. Network connectivity issues could prevent users from accessing their data. A single server represents a single point of failure for multiple users.

Folder Redirection Configuration Options


Question: Users in the same department often log on to different computers. They need access to their My Documents folder. They also need the data to be private. What folder redirection setting would you choose?
Answer: Create a folder for each user under the root path. This will create a My Documents folder to which only the user has access.

Options for Securing Redirected Folders


Question: What steps could you take to protect the data while it is in transit between the client and the server?
Answer: Internet Protocol security (IPSec) could be employed to protect network traffic.


Detailed Demo Steps


Demonstration: Configuring Scripts with Group Policy
Demonstration Steps
Create the logon script:
1. On NYC-DC1, log on as WOODGROVEBANK\Administrator using the password Pa$$w0rd.
2. Click Start, type notepad, and then press ENTER.
3. In the Notepad window, type net use t: \\nyc-dc1\data.
4. On the File menu, click Save.
5. In the Save As dialog box, in the File name field, type \\nyc-dc1\netlogon\drivemap.bat.
6. In the Save as type list, click All Files (*.*), and then click Save.
7. Close Notepad.

Edit the Demo GPO:


1. On NYC-DC1, in the Group Policy Management console pane, right-click Demo GPO, and then click Edit.
2. In the Group Policy Management Editor console pane, under User Configuration, expand Policies, expand Windows Settings, and then click Scripts (Logon/Logoff).
3. In the details pane, double-click Logon.
4. In the Logon Properties dialog box, click Add.
5. In the Add a Script dialog box, in the Script Name field, type \\nyc-dc1\netlogon\drivemap.bat and then click OK twice.
6. Close Group Policy Management Editor, and then close Group Policy Management.

Test Group Policy application on client computer:


1. On NYC-CL1, log on as WOODGROVEBANK\Administrator using the password Pa$$w0rd.
2. Click Start, and then click Computer.
3. In the Computer window, notice that the Data share is mapped to drive T.
4. If the drive does not show up after a few moments, you may need to log off and log back on.
5. Log off NYC-CL1.


Additional Reading
What Are Group Policy Scripts?
For more information about Group Policy scripts, see "The Two Sides of Group Policy Script Extension Processing", http://go.microsoft.com/fwlink/?LinkId=99469

What Is Folder Redirection?


For more information about folder redirection, see "What Is Folder Redirection Extension?", http://go.microsoft.com/fwlink/?LinkId=99472
For more information about managing roaming user data, see "Managing Roaming User Data Deployment Guide", http://go.microsoft.com/fwlink/?LinkId=99474

Options for Securing Redirected Folders


For more information about security considerations when configuring folder redirection, see "Security Considerations when Configuring Folder Redirection", http://go.microsoft.com/fwlink/?LinkId=99477


Lesson 3

Configuring Administrative Templates

Contents:
Questions and Answers 11
Detailed Demo Steps 12
Additional Reading 14


Questions and Answers


What Are Administrative Templates?
Question: What sections of the Administrative Templates will you find most useful in your
environment?
Answer: Answers will vary.

Demonstration: Configuring Administrative Templates


Question: You need to ensure that Windows Messenger is never allowed to run on a particular computer. How could you use Administrative Templates to implement this?
Answer: Enable the setting to prevent access to Windows Messenger in the computer configuration Administrative Templates. This will override any user configuration settings.

Demonstration: Adding Custom Administrative Templates


Question: Can you still use custom ADM files to deliver Group Policy settings in Windows Server 2008?
Answer: Yes. The Group Policy Editor will recognize valid ADM files. Clients receiving settings are unaware whether the settings were created based on ADM or ADMX templates.
Question: What are two differences between ADM and ADMX files?
Answer: ADM files are stored within a GPO, while ADMX files are stored in the central store and available for any GPO. Also, ADM files use their own markup language, while ADMX files use a standards-based XML format.


Detailed Demo Steps


Demonstration: Configuring Administrative Templates
Demonstration Steps
Edit the Demo GPO:
1. On NYC-DC1, in the Group Policy Management console pane, right-click Demo GPO, and then click Edit.
2. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Internet Explorer.
3. In the details pane, double-click Turn off "Delete Browsing History" functionality.
4. In the Turn off "Delete Browsing History" functionality dialog box, click Enabled, and then click OK.
5. In the console pane, under User Configuration, expand Policies, expand Administrative Templates, expand Control Panel, and then click Display.
6. In the details pane, double-click Hide Screen Saver tab.
7. In the Hide Screen Saver tab Properties dialog box, click Enabled, and then click OK.
8. Close Group Policy Management Editor.

Test Group Policy application on client computer:


1. On NYC-CL1, log on as WOODGROVEBANK\Administrator using the password Pa$$w0rd.
2. Click Start, right-click Internet, and then click Internet Properties.
3. In the Internet Properties dialog box, under Browsing history, verify that the Delete button is grayed out.
4. Click Cancel.
5. On the desktop, right-click, and then click Personalize.
6. In the Personalization window, verify that the Screen Saver option is not present.
7. Log off NYC-CL1.

Demonstration: Adding Custom Administrative Templates


Demonstration Steps
Add a custom ADM file:
1. On NYC-DC1, in the Group Policy Management console pane, right-click Demo GPO, and then click Edit.
2. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies.
3. Right-click Administrative Templates, and then click Add/Remove Templates.
4. In the Add/Remove Templates dialog box, click Add.
5. In the Policy Templates dialog box, browse to E:\Mod07\LabFiles\Templates\adms.
6. Click example2.adm, click Open, and then click Close.
7. In the console pane, notice that the Classic Administrative Templates node is now present.
8. Expand Classic Administrative Templates, and then click Example 2 Policy settings.
9. Review the sample policy settings, and then close Group Policy Management Editor.
10. Close Group Policy Management.

Copy sample ADMX files to the central store:


1. On NYC-DC1, click Start, and then click Computer.
2. In the Computer window, browse to E:\Mod07\LabFiles\Templates\PolicyDefinitions.
3. On the Edit menu, click Select All.
4. Right-click the selected files, and then click Copy.
5. Browse to C:\Windows\PolicyDefinitions, and then review the list of administrative templates.
6. On the Edit menu, click Paste.
7. In the Confirm Folder Replace dialog box, click Yes.
8. Close Windows Explorer.

Review custom ADMX files:


1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management console pane, under Group Policy Objects, right-click Demo GPO, and then click Edit.
3. In the console pane, under both Computer Configuration and User Configuration, expand Policies, expand Administrative Templates, and then click Example 2 Policy settings.
4. Review the sample policy settings, and then close Group Policy Management.


Additional Reading
What Are Administrative Templates?
For more information about using administrative template files with registry-based Group Policy, see "Using Administrative Template Files with Registry-Based Group Policy", http://go.microsoft.com/fwlink/?LinkId=99478

Modifying Administrative Templates


For more information about creating custom ADMX files, see "Creating a Custom Base ADMX File", http://go.microsoft.com/fwlink/?LinkId=99480

Discussion: Options for Using Administrative Templates


For more information about creating policy settings, see "Design Considerations for Creating Policy Settings", http://go.microsoft.com/fwlink/?LinkID=139957


Lesson 4

Deploying Software Using Group Policy

Contents:
Questions and Answers 16
Additional Reading 17


Questions and Answers


Options for Deploying and Managing Software by Using Group Policy
Question: What types of applications would you deploy via Group Policy in your environment?
Answer: Answers will vary.

How Software Distribution Works


Question: What are some disadvantages of deploying software through Group Policy?
Answer: Large applications generate a lot of network traffic. You cannot control when the installation will occur. Laptop users are not able to connect to the distribution point when they are not connected to the LAN. The client-side extension that delivers software does not function over a slow link, by default.

Options for Installing Software


Question: What is an advantage of publishing an application over assigning it?
Answer: Unneeded software will not be installed automatically.

Options for Modifying the Software Distribution


Question: You have deployed a number of published applications. Many of those applications are for the use of the Finance department. What could you do to make it easier for Finance department users to locate those applications?
Answer: Create a category for the Finance department, and then publish those applications in the Finance category.

Maintaining Software Using Group Policy


Question: Your organization is upgrading to a newer version of a software package. Some users in the organization require the old version. How would you deploy the upgrade?
Answer: You would deploy an optional upgrade to allow users to keep the old version, if required.

Discussion: Evaluating the Use of Group Policy to Deploy Software


Question: You want to deploy an administrative utility to members of the Domain Admins security group. These utilities should be available from any computer that an administrator logs onto, but only installed when necessary. What is the best approach to accomplish this?
Answer: Create a Group Policy to publish the administrative utility to the Domain Admins security group.


Additional Reading
Options for Deploying and Managing Software by Using Group Policy
For more information about using Group Policy Installation, see "Group Policy Installation overview", http://go.microsoft.com/fwlink/?LinkId=113760

How Software Distribution Works


For more information on using Group Policy to install software remotely in Windows 2000, see "How to use Group Policy to install software remotely in Windows 2000", http://go.microsoft.com/fwlink/?LinkId=99482

Options for Installing Software


For more information on Group Policy software installation, see "Group Policy Software Installation overview", http://go.microsoft.com/fwlink/?LinkId=113760

Options for Modifying the Software Distribution


For more information about adding or removing modifications to an application package, see "Add or remove modifications for an application package", http://go.microsoft.com/fwlink/?LinkId=99487

Maintaining Software Using Group Policy


For more information about best practices for Group Policy Software Installation, see "Best practices for Group Policy Software Installation, Upgrade or Remove an application section", http://go.microsoft.com/fwlink/?LinkId=99488


Lesson 5

Configuring Group Policy Preferences

Contents:
Additional Reading 19


Additional Reading
What Are Group Policy Preferences?
For more information about Group Policy preferences, see "Information about new Group Policy preferences in Windows Server 2008", http://go.microsoft.com/fwlink/?LinkID=139955

Group Policy Preferences Features


For more information about getting started with Group Policy Preferences, see "Group Policy Preferences: Getting Started", http://go.microsoft.com/fwlink/?LinkID=139956


Lesson 6

Introduction to Group Policy Troubleshooting


Contents:
Questions and Answers 21
Detailed Demo Steps 22
Additional Reading 23


Questions and Answers


Preparing to Troubleshoot Group Policy
Question: What diagnostic tool could you use to determine lease expiration of a Dynamic Host Configuration Protocol (DHCP) address that has been issued to a client computer?
Answer: IPConfig /all will provide DHCP lease information.

Demonstration: Using Group Policy Diagnostic Tools


Question: What steps must you take prior to running Group Policy reporting (RSoP) on a remote computer?
Answer: You must ensure that the remote procedure call (RPC) service is available on the remote client. You can do this by modifying the Windows Firewall manually, or through a Group Policy setting that allows remote administration.


Detailed Demo Steps


Demonstration: Using Group Policy Diagnostic Tools
Demonstration Steps
1. On NYC-DC1, click Start, and then click Command Prompt.
2. In the Command Prompt, type Gpresult and then press ENTER.
3. Scroll through and review the list of command line parameters.
4. Type Gpresult /R and then press ENTER.
5. Scroll through and review the results.
6. Type Gpresult /R /V and then press ENTER.
7. Scroll through and review the results.
8. Type "C:\Program Files\Windows Resource Kits\Tools\GPOTool.exe" and then press ENTER.
9. Scroll through and review the results.
10. Type GPUpdate /? and then press ENTER.
11. Scroll through and review the results.
12. Type GPUpdate /force and then press ENTER.
13. Review the results.
14. Type "C:\Program Files\GroupPolicy Logview\GPLogView.exe" and then press ENTER.
15. Scroll through and review the results.
16. Type "C:\Program Files\GroupPolicy Logview\GPLogView.exe" -o gpevents.txt and then press ENTER.
17. Type notepad gpevents.txt and then press ENTER.
18. In the Notepad window, scroll through and review the results.
19. Close Notepad.
20. To run GPLogView in monitor mode, type "C:\Program Files\GroupPolicy Logview\GPLogView.exe" -o gpevents.txt and then press ENTER.
21. Click Start, and then click Command Prompt.
22. In the second Command Prompt window, type GPUpdate /force and then press ENTER.
23. Switch to the first Command Prompt window, and then scroll through and review the results.
24. Close both Command Prompt windows.
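As an added example (not part of the course), this PowerShell function does in script what steps 14 to 23 do with GPLogView: it reads the Microsoft-Windows-GroupPolicy/Operational log, isolates the most recent processing run by its ActivityId, and lists the errors and warnings that run produced. It assumes PowerShell 2.0 or later (Get-WinEvent) on Windows Vista, Windows Server 2008 or later; reading a remote computer's log needs the same remote administration firewall exception as remote RSoP. The function name is an assumption.

```powershell
# Added example, not part of the course: summarise the latest Group Policy refresh
# from the operational log that GPLogView reads. GPLogView groups events by
# ActivityId; this does the same so one gpupdate /force can be read in isolation.
# Assumes PowerShell 2.0 or later; -ComputerName needs RPC/event log access.
function Get-LastGroupPolicyRefresh {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 2000
    )

    $log = 'Microsoft-Windows-GroupPolicy/Operational'
    $events = Get-WinEvent -ComputerName $ComputerName -LogName $log -MaxEvents $MaxEvents -ErrorAction Stop

    # Event IDs 4000-4007 mark the start of a processing run (boot, logon,
    # periodic refresh, manual gpupdate, network change) for computer or user.
    $start = $events |
        Where-Object { $_.Id -ge 4000 -and $_.Id -le 4007 } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 1
    if (-not $start) { throw "No Group Policy start event found in $log on $ComputerName" }

    # Every event written during that run carries the start event's ActivityId,
    # so filtering on it isolates one refresh from everything before and after.
    $run = @($events | Where-Object { $_.ActivityId -eq $start.ActivityId } | Sort-Object TimeCreated)

    # Level 1 = Critical, 2 = Error, 3 = Warning in the Windows event model;
    # informational events (level 4) are left out of the problem list.
    $problems = @($run | Where-Object { $_.Level -le 3 } | ForEach-Object {
        '{0:HH:mm:ss} {1,-8} {2,5} {3}' -f $_.TimeCreated, $_.LevelDisplayName, $_.Id, ($_.Message -split "`r?`n")[0]
    })

    New-Object PSObject -Property @{
        Computer   = $ComputerName
        ActivityId = $start.ActivityId
        Started    = $start.TimeCreated
        Trigger    = ($start.Message -split "`r?`n")[0]
        Ended      = $run[-1].TimeCreated
        EventCount = $run.Count
        Problems   = $problems
    }
}

# Run it right after a gpupdate /force, as in steps 12 and 22 of the demonstration.
Get-LastGroupPolicyRefresh | Format-List
```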


Additional Reading
Scenarios for Group Policy Troubleshooting
For more information on Group Policy Troubleshooting, see "Group Policy Troubleshooting", http://go.microsoft.com/fwlink/?LinkId=101100.

Preparing to Troubleshoot Group Policy


For more information about troubleshooting systems using the Netdiag tool, see "Troubleshooting Your Systems with Network Diagnostics", http://go.microsoft.com/fwlink/?LinkId=101101

Tools for Troubleshooting Group Policy


For more information about Group Policy modeling, see "Group Policy Modeling and Results", http://go.microsoft.com/fwlink/?LinkId=101105
For more information about manually creating a default domain GPO, see "How to manually create Default Domain GPO", http://go.microsoft.com/fwlink/?LinkId=101106
For more information about refreshing Group Policy settings by using GPUpdate.exe, see "Refresh Group Policy settings with GPUpdate.exe", http://go.microsoft.com/fwlink/?LinkId=101108
For more information about fixing Group Policy problems by using log files, see "Fixing Group Policy problems by using log files", http://go.microsoft.com/fwlink/?LinkId=101109


Lesson 7

Troubleshooting Group Policy Application


Contents:
Questions and Answers 25
Additional Reading 26


Questions and Answers


How Client Side Extension Processing Works
Question: Users in a branch office log on across a slow modem connection. You want folder redirection to be applied to them even across the slow link. How would you accomplish this?
Answer: You would configure the folder redirection CSE to be enabled across slow links.

Troubleshooting Group Policy Inheritance


Question: Are there scenarios in your organization that would benefit from blocking inheritance?
Answer: Answers will vary.

Troubleshooting Group Policy Filtering


Question: You have applied security filtering to limit the GPO to apply only to the Managers group. You did this by setting the following GPO permissions: Authenticated Users are denied the Apply Group Policy permission. The Managers group has been granted Read and Apply Group Policy permission. None of the Managers are receiving the GPO settings. What is the problem?
Answer: Because deny permission overrides any allow permissions, the denial of Authenticated Users is preventing anyone from getting the GPO settings.
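Added example, not from the course: a PowerShell audit that finds every GPO in the domain carrying a Deny on Apply Group Policy, the misconfiguration in this question, and says whether the denied principal is broad enough to block everyone. It assumes the GroupPolicy PowerShell module (shipped with Windows Server 2008 R2 and RSAT, not with Windows Server 2008 RTM) and that Get-GPPermission -All reports Deny entries through the Denied property of each entry; the function name is an assumption.

```powershell
# Added example, not part of the course: list Deny entries on "Apply Group Policy"
# across all GPOs. A Deny on a broad principal such as Authenticated Users beats
# the Allow granted to Managers, because every manager is also an authenticated
# user, so the GPO applies to nobody.
# Assumes the GroupPolicy module and that Get-GPPermission -All surfaces Deny ACEs
# via the Denied property (documented on the GPPermission object).
Import-Module GroupPolicy

function Find-GpoDenyApply {
    # Principals whose membership includes the very people the GPO targets.
    $broad = 'Authenticated Users', 'Everyone', 'Domain Users', 'Domain Computers'

    foreach ($gpo in Get-GPO -All) {
        # -All returns one entry per trustee, including inherited and denied ones.
        $entries = Get-GPPermission -Guid $gpo.Id -All
        foreach ($entry in $entries) {
            if (-not $entry.Denied) { continue }
            if ($entry.Permission -ne 'GpoApply') { continue }

            $name = $entry.Trustee.Name
            $impact = if ($broad -contains $name) {
                'Deny on a broad principal: blocks the GPO for every user and computer'
            } else {
                'Deny overrides any Allow this trustee receives through other groups'
            }
            New-Object PSObject -Property @{
                Gpo     = $gpo.DisplayName
                Trustee = $name
                Type    = $entry.TrusteeType
                Impact  = $impact
            }
        }
    }
}

# The fix is the one described in the answer: remove the Deny entry (GPMC,
# Delegation tab, Advanced) and leave Managers as the only principal holding
# Read and Apply Group Policy.
Find-GpoDenyApply | Format-Table -AutoSize
```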

Troubleshooting Group Policy Replication


Question: What tool can you use to force replication across all domain controllers in the domain?
Answer: Replication Monitor can force all domain controllers to replicate.

Troubleshooting Group Policy Refresh


Question: You have implemented folder redirection for a particular OU. Some users report that their folders are not redirecting to the network share. What is the first step you should take to resolve the problem?
Answer: Folder redirection is applied only at logon, so ensure that users have logged off and logged on twice, to determine that cached credentials are not the issue.

Discussion: Troubleshooting Group Policy Configuration


Question: One user is having settings applied that no one else is receiving. What might be the issue and how would you start troubleshooting?
Answer: The problem might be a result of a local Group Policy setting on the computer. Local policies are applied if there are no domain policies that change them. Group Policy reporting (RSoP) reveals these issues.


Additional Reading
How Client Side Extension Processing Works
For more information about identifying Group Policy client-side extensions, see "Identifying Group Policy Client-Side Extensions", http://go.microsoft.com/fwlink/?LinkId=101115
For more information about Group Policy and network bandwidth, see "Group Policy and Network Bandwidth", http://go.microsoft.com/fwlink/?LinkId=101117

Troubleshooting Group Policy Inheritance


For more information on Fixing Group Policy problems by using log files, see "Fixing Core Group Policy problems", http://go.microsoft.com/fwlink/?LinkId=101110

Troubleshooting Group Policy Filtering


For more information about Group Policy troubleshooting, see "Group Policy Troubleshooting", http://go.microsoft.com/fwlink/?LinkId=101100

Troubleshooting Group Policy Replication


For more information about GPOTool, see "GPOTool (from Win2K Server Resource Kit)", http://go.microsoft.com/fwlink/?LinkId=101107

Troubleshooting Group Policy Refresh


For more information about refreshing Group Policy settings, see "Refresh Group Policy settings with GPUpdate.exe", http://go.microsoft.com/fwlink/?LinkId=101108


Lesson 8

Troubleshooting Group Policy Settings

Contents:
Questions and Answers 28
Additional Reading 29


Questions and Answers


Troubleshooting Administrative Template Policy Settings
Question: Your network has a mixture of Windows XP and Windows Vista computers. You have configured the Administrative Template to remove the games link from the Start Menu, but only the Windows Vista computers are enforcing the setting. What is the problem?
Answer: This setting applies only to Windows Vista and later operating systems.

Troubleshooting Script Policy Settings


Question: A logon script is assigned to an OU. The script executes properly for all users, but some users report that they get an access-denied message when they try to access the mapped drive. What is the problem?
Answer: The permissions set on the network share to which the users map are the most likely problem. The drive mapping itself succeeds, even if the user does not have permission to the location.


Additional Reading
Troubleshooting Administrative Template Policy Settings
For more information on fixing Administrative Template policy setting problems, see "Fixing Administrative Template policy setting problems", http://go.microsoft.com/fwlink/?LinkId=101118

Troubleshooting Script Policy Settings


For more information on fixing scripts policy settings problems, see "Fixing Scripts policy settings problems", http://go.microsoft.com/fwlink/?LinkId=101119


Module Reviews and Takeaways


Review Questions
1. Question: A domain-level policy restricts access to the Control Panel. You want the users in the Admin organizational unit (OU) to have access to the Control Panel, but you do not want to block inheritance. How could you accomplish this?
Answer: Create a policy linked to the Admin OU in which the Control Panel restriction setting is disabled.

2. Question: How could you prevent a lower-level policy from reversing the setting of a higher-level policy?
Answer: Enforce the link of the higher-level policy.

3. Question: You keep logon scripts in a shared folder on the network. How could you ensure that the scripts will always be available to users from all locations?
Answer: Place the scripts in the Netlogon share in the SYSVOL folder.

4. Question: What other method could you use to assign logon scripts to users?
Answer: You also can use the user's properties in Active Directory Users and Computers to assign scripts to users.

5. Question: List some disadvantages of folder redirection.
Answer: Mobile users that are not on the local area network (LAN) will not have access to their data. Network connectivity issues could prevent users from accessing their data. A single server represents a single point of failure for multiple users.

6. Question: Users in the same department often log on to different computers. They need access to their My Documents folder. They also need the data to be private. What folder redirection setting would you choose?
Answer: Create a folder for each user under the root path. This will create a My Documents folder to which only the user has access.

7. Question: What steps could you take to protect the data while it is in transit between the client and the server?
Answer: Internet Protocol security (IPSec) could be employed to protect network traffic.

8. Question: What sections of the Administrative Templates will you find most useful in your environment?
Answer: Answers will vary.

9. Question: You need to ensure that Windows Messenger is never allowed to run on a particular computer. How could you use Administrative Templates to implement this?
Answer: Enable the setting to prevent access to Windows Messenger in the computer configuration Administrative Templates. This will override any user configuration settings.

10. Question: Can you still use custom ADM files to deliver Group Policy settings in Windows Server 2008?
Answer: Yes. The Group Policy Editor will recognize valid ADM files. Clients receiving settings are unaware whether the settings were created based on ADM or ADMX templates.

11. Question: What are two differences between ADM and ADMX files?
Answer: ADM files are stored within a GPO, while ADMX files are stored in the central store and available for any GPO. Also, ADM files use their own markup language, while ADMX files use a standards-based XML format.

12. Question: What types of applications would you deploy via Group Policy in your environment?
Answer: Answers will vary.

13. Question: What are some disadvantages of deploying software through Group Policy?
Answer: Large applications generate a lot of network traffic. You cannot control when the installation will occur. Laptop users are not able to connect to the distribution point when they are not connected to the LAN. The client-side extension that delivers software does not function over a slow link, by default.

14. Question: What is an advantage of publishing an application over assigning it?
Answer: Unneeded software will not be installed automatically.

15. Question: You have deployed a number of published applications. Many of those applications are for the use of the Finance department. What could you do to make it easier for Finance department users to locate those applications?
Answer: Create a category for the Finance department, and then publish those applications in the Finance category.

16. Question: Your organization is upgrading to a newer version of a software package. Some users in the organization require the old version. How would you deploy the upgrade?
Answer: You would deploy an optional upgrade to allow users to keep the old version, if required.

17. Question: What diagnostic tool could you use to determine lease expiration of a Dynamic Host Configuration Protocol (DHCP) address that has been issued to a client computer?
Answer: IPConfig /all will provide DHCP lease information.

18. Question: What steps must you take prior to running Group Policy reporting (RSoP) on a remote computer?
Answer: You must ensure that the remote procedure call (RPC) service is available on the remote client. You can do this by modifying the Windows Firewall manually, or through a Group Policy setting that allows remote administration.

19. Question: Users in a branch office log on across a slow modem connection. You want folder redirection to be applied to them even across the slow link. How would you accomplish this?
Answer: You would configure the folder redirection CSE to be enabled across slow links.

20. Question: Are there scenarios in your organization that would benefit from blocking inheritance?
Answer: Answers will vary.

21. Question: You have applied security filtering to limit the GPO to apply only to the Managers group. You did this by setting the following GPO permissions: Authenticated Users are denied the Apply Group Policy permission. The Managers group has been granted Read and Apply Group Policy permission. None of the Managers are receiving the GPO settings. What is the problem?
Answer: Because deny permission overrides any allow permissions, the denial of Authenticated Users is preventing anyone from getting the GPO settings.

22. Question: What tool can you use to force replication across all domain controllers in the domain?
Answer: Replication Monitor can force all domain controllers to replicate.


23. Question: You have implemented folder redirection for a particular OU. Some users report that their folders are not redirecting to the network share. What is the first step you should take to resolve the problem?
Answer: Folder redirection is applied only at logon, so ensure that users have logged off and logged on twice, to determine that cached credentials are not the issue.

24. Question: One user is having settings applied that no one else is receiving. What might be the issue and how would you start troubleshooting?
Answer: The problem might be a result of a local Group Policy setting on the computer. Local policies are applied if there are no domain policies that change them. Group Policy reporting (RSoP) reveals these issues.

25. Question: Your network has a mixture of Windows XP and Windows Vista computers. You have configured the Administrative Template to remove the games link from the Start Menu, but only the Windows Vista computers are enforcing the setting. What is the problem?
Answer: This setting applies only to Windows Vista and later operating systems.

26. Question: A logon script is assigned to an OU. The script executes properly for all users, but some users report that they get an access-denied message when they try to access the mapped drive. What is the problem?
Answer: The permissions set on the network share to which the users map are the most likely problem. The drive mapping itself succeeds, even if the user does not have permission to the location.

27. Question: You have assigned a logon script to an OU via Group Policy. The script is located in a shared network folder named Scripts. Some users in the OU receive the script, while others do not. What might be some causes?
Answer: The network location may not be accessible by all users. Share-level or NTFS permissions on the folder may be set incorrectly.

28. Question: What steps could you take to prevent these types of problems from recurring?
Answer: Move the scripts into the NetLogon share. This will solve permission or accessibility issues.

29. Question: You have two logon scripts assigned to users: script1 and script2. Script2 depends on script1 completing successfully. Your users report that script2 never runs. What is the problem, and how would you correct it?
Answer: Logon scripts run asynchronously (all at once). Script2 is failing before script1 completes. You will have to change the processing to be synchronous to correct the problem.

30. Question: What log will give folder redirection details?
Answer: You can enable the FDdeploy.log to provide information about folder redirection.

31. Question: What visual indicator in the GPMC designates that inheritance has been blocked?
Answer: The visual indicator is a blue exclamation mark on the OU where inheritance is being blocked.

32. Question: What GPO settings are applied across slow links by default?
Answer: Security Settings, Administrative Settings, and Recovery Policy.

Configure User and Computer Environments By Using Group Policy

7-33

Lab Review Questions and Answers

1. Question: You have configured folder redirection for an OU, but none of the users' folders are being redirected to the network location. When you look in the root folder, you observe that a subdirectory named for each user has been created, but they are empty. What is the problem?
Answer: The problem is most likely permission-related. The users' named subdirectories are being created by the Group Policy, but the users don't have enough permission to create their redirected folders inside them.

2. Question: Some Group Policy settings are not applied immediately when a user logs on or when Group Policy is refreshed. What could be the problem?
Answer: If a user connects to the network with cached credentials, Group Policy is not processed. Logging off and logging back on will cause Group Policy to apply any changes. Also, to ensure that Group Policy is applied over a slow link, the user must select the Logon using dialup connection check box in the Windows Logon dialog box.

3. Question: If you have the same policy setting configured differently under both Computer Configuration and User Configuration, which setting will apply?
Answer: User configuration settings are applied first, followed by computer configuration settings. Therefore, any conflicting settings under user configuration will be overridden by those under computer configuration.

4. Question: You want to deploy an administrative utility to members of the Domain Admins security group. These utilities should be available from any computer that an administrator logs onto, but only installed when necessary. What is the best approach to accomplish this?
Answer: Create a GPO that publishes the utility, and link it to the domain. Apply security filters to the GPO such that it only applies to the Domain Admins group.

5. Question: You want to deploy a Group Policy setting that restricts access to Registry modification tools. Should you configure policy settings in Group Policy or Group Policy Preferences?
Answer: To enforce a restriction policy in a domain, you should configure the appropriate policy settings in Group Policy, not Group Policy Preferences. Policy settings are enforced, while preference settings are not. This means that users can change any preference setting that is applied through Group Policy, but policy settings prevent users from changing them.

6. Question: If you wanted to configure mapped drives and desktop shortcuts for specific users in the domain, should you configure policy settings in Group Policy or Group Policy Preferences?
Answer: Again, it's a matter of whether you wish to enforce such settings. Although you can configure such things as mapped drives and Internet Explorer settings through either policy settings or preferences, preferences give the user the freedom to change them, while policy settings do not.

7. Question: If a policy at the domain level is set for enforcement while another policy at the OU level with a conflicting setting also is set to be enforced, which policy setting will the OU clients receive?
Answer: Clients in the OU will receive the first enforced policy settings at the domain level. The conflicting policy setting at the lower level will be ignored, even though the policy is set to be enforced. Any other settings in the OU policy will be applied and enforced, as long as those settings do not conflict with the domain-enforced policy.

7-34

Configuring, Managing, and Maintaining Windows Server 2008 Servers

8. Question: If you use group policy to configure the slow-link detection threshold to be zero, what does that indicate? Answer: A slow-link threshold of zero indicates that all connections are considered fast.

Implementing Security Using Group Policy

8-1

Module 8
Implementing Security Using Group Policy
Contents:
Lesson 1: Configuring Security Policies 2
Lesson 2: Implementing Fine-Grained Password Policies 9
Lesson 3: Restricting Group Membership and Access to Software 13
Lesson 4: Managing Security Using Security Templates 18
Module Reviews and Takeaways 24
Lab Review Questions and Answers 27


Lesson 1

Configuring Security Policies


Contents:
Questions and Answers 3
Detailed Demo Steps 5
Additional Reading 8


Questions and Answers


What Are the Account Policies?
Question: You must ensure that all users change their password exactly every 30 days. How would you configure account policies to accomplish this? Answer: Set the Minimum Password Age value to be 29 days, and set the Maximum Password Age value to be 30 days.

What Are Local Policies?


Question: You have a Windows Vista client that is not joined to the domain. You want to force the Administrators to change their passwords every seven days, while standard users change their passwords every 21 days. How would you configure the local policy to achieve this? Answer: You cannot do this. It is not possible to have different password policies for different local users. Local password policies are stored in the Local Group Policy Object (LGPO) computer configuration.

What Are Network Security Policies?


Question: How does your organization implement group policy to restrict access to wireless networks? Answer: Answers may vary.

Windows Firewall with Advanced Security


Question: You want to ensure that users are not allowed to use the Telnet service to connect to any other computers. How would you accomplish this? Answer: Create a GPO that configures the Windows Firewall with an outbound rule that blocks port 23, and link the GPO to the appropriate containers.

Demonstration: Overview of Additional Security Settings


Question: You need to ensure that a particular service is not allowed to run on any servers in your network. How would you accomplish this? Answer: Configure a security setting in a GPO that prohibits the service, and apply the GPO to the appropriate containers.

What Is the Default Domain Security Policy?


Question: If multiple policies are configured at the domain level, what determines the processing priority? Answer: The Link Order of the policy determines the processing order. The policy with the lowest Link Order number is processed last, and therefore has the highest precedence.


Question: You need to grant an ordinary user the right to log on locally to domain controllers. In which of the default policies should you configure this setting? Answer: You need to configure this setting in the Default Domain Controllers policy. Setting this policy at the domain level will not work, because the Default Domain Controllers policy has configured this setting and has a higher precedence.
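The precedence rules behind the last few questions (link order at the domain level, the Default Domain Controllers Policy overriding a domain-level setting, and the lab review question about an enforced domain policy beating an enforced OU policy) can be checked with a small model before touching a live domain. The following is an added example, not part of the course material: it applies the processing order the course describes (local GPO first, then site, domain and OUs; link order 1 applied last; Block Inheritance dropping non-enforced parent links; enforced links applied last with the highest container winning). The GPO names other than the two default policies, and every setting value, are constructed for the scenario.

```python
"""Model Group Policy precedence: which GPO wins for each setting."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]           # setting name -> configured value


@dataclass
class Link:
    gpo: GPO
    link_order: int                    # 1 = highest precedence within its container
    enforced: bool = False


@dataclass
class Container:
    name: str                          # site, domain or OU
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(chain: List[Container], local_gpo: Optional[GPO] = None) -> List[Tuple[str, GPO]]:
    """(container, GPO) pairs in the order they are applied; later entries override earlier ones.

    chain[0] is the top of the hierarchy, chain[-1] the container holding the object."""
    order: List[Tuple[str, GPO]] = []
    if local_gpo is not None:
        order.append(("Local", local_gpo))
    # Block Inheritance discards the non-enforced links of every container above
    # the blocking one, so processing of normal links starts at the lowest block.
    start = 0
    for index, container in enumerate(chain):
        if container.block_inheritance:
            start = index
    for container in chain[start:]:
        normal = [link for link in container.links if not link.enforced]
        # Higher link-order numbers are applied first; link order 1 is applied last and wins.
        for link in sorted(normal, key=lambda l: l.link_order, reverse=True):
            order.append((container.name, link.gpo))
    # Enforced links are applied after all normal links, child before parent,
    # so the enforced GPO nearest the top of the hierarchy is applied last and wins.
    for container in reversed(chain):
        enforced = [link for link in container.links if link.enforced]
        for link in sorted(enforced, key=lambda l: l.link_order, reverse=True):
            order.append((container.name, link.gpo))
    return order


def resolve(chain: List[Container], local_gpo: Optional[GPO] = None) -> Dict[str, Tuple[str, str]]:
    """Map each setting to (winning value, 'GPO name via container')."""
    result: Dict[str, Tuple[str, str]] = {}
    for container_name, gpo in processing_order(chain, local_gpo):
        for setting, value in gpo.settings.items():
            result[setting] = (value, f"{gpo.name} via {container_name}")
    return result


def woodgrove_scenario() -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Constructed scenario: two extra domain GPOs, a Research OU that blocks inheritance."""
    ddp = GPO("Default Domain Policy", {"Password history": "24", "Allow log on locally": "Users"})
    corp = GPO("Corp Password", {"Password history": "12"})
    lockdown = GPO("Domain Lockdown", {"Removable media": "Deny", "Screensaver": "On"})
    ddcp = GPO("Default Domain Controllers Policy", {"Allow log on locally": "Administrators"})
    research_gpo = GPO("Research Exceptions", {"Removable media": "Allow", "Wallpaper": "Lab"})

    domain = Container("WoodgroveBank.com", [Link(ddp, 1), Link(corp, 2), Link(lockdown, 3, enforced=True)])
    domain_controllers = Container("Domain Controllers", [Link(ddcp, 1)])
    research = Container("Research", [Link(research_gpo, 1, enforced=True)], block_inheritance=True)
    return {
        "dc": resolve([domain, domain_controllers]),
        "research": resolve([domain, research]),
    }


if __name__ == "__main__":
    for chain_name, settings in woodgrove_scenario().items():
        print(chain_name)
        for setting, (value, source) in sorted(settings.items()):
            print(f"  {setting}: {value}  ({source})")
```

In the "dc" result the Default Domain Policy (link order 1) wins the password history conflict over Corp Password (link order 2), and the Default Domain Controllers Policy overrides the domain's "Allow log on locally" value because the OU is processed after the domain. In the "research" result the enforced Domain Lockdown beats the enforced Research Exceptions on removable media, its screensaver setting arrives despite Block Inheritance, and the non-enforced password history setting never reaches the OU.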

Default Domain Controllers Policy


Question: Provide at least one example of a default controller policy that your organization has customized? Answer: Answers may vary.

Demonstration: What Is the Default Domain Controller Security Policy?


Question: What is the default Group Policy refresh interval for domain controllers? Answer: Every five minutes.

Characteristics of Security Policy Settings


Question: You have configured a password policy in a GPO, and linked that policy to the Research OU. The policy is not affecting domain users in the OU. What is the problem? Answer: You can configure password policies for domain users only at the domain level.


Detailed Demo Steps


Demonstration: Overview of Additional Security Settings
Demo Steps: Create a wired network policy
1. On NYC-DC1, click Start, point to Administrative Tools and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
3. Right-click the Group Policy Objects folder, and then click New.
4. In the New GPO dialog box, in the Name field, type Vista Wired, and then click OK.
5. In the details pane, right-click Vista Wired, and then click Edit.
6. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, and then expand Security Settings.
7. Right-click Wired Network (IEEE 802.3) Policies, and then click Create A New Windows Vista Policy.
8. In the New Vista Wired Network Policy Properties dialog box, click the Security tab.
9. On the Security tab, in the Select a network Authentication method list, click Microsoft: Protected EAP (PEAP), and then click OK.
10. Close Group Policy Management Editor.

Create a Vista wireless network policy


1. Right-click the Group Policy Objects folder, and then click New.
2. In the New GPO dialog box, in the Name field, type Vista Wireless, and then click OK.
3. In the details pane, right-click Vista Wireless, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, and then expand Security Settings.
5. Right-click Wireless Network (IEEE 802.11) Policies, and then click Create A New Windows Vista Policy.
6. In the New Vista Wireless Network Policy Properties dialog box, click Add, and then click Infrastructure.
7. In the New Profiles properties dialog box, in the Profile Name field, type Corporate.
8. In the Network Name(s) (SSID) field, type Corp, and then click Add.
9. On the Security tab, in the Authentication list, click Open with 802.1X, and then click OK.
10. On the Network Permissions tab, click Add.
11. In the New Permission Entry dialog box, in the Network Name (SSID): field, type Research, verify that Permission is set to Deny, and then click OK twice.


12. Close Group Policy Management Editor.

View Control of Services


1. In the details pane of the Group Policy Objects folder, right-click the Default Domain Policy, and then click Edit.
2. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, and then expand Security Settings.
3. Under the Security Settings folder, click System Services.
4. In the details pane, double-click DHCP Server.
5. Note the properties that can be set in the DHCP Server Properties box, and then click Cancel.

View Registry and File System permissions


1. Under the Security Settings folder, click Registry.
2. Right-click the Registry folder, and then click Add Key.
3. In the Select Registry Key dialog box, expand MACHINE, click SOFTWARE, and then click OK.
4. In the Database Security for MACHINE\SOFTWARE dialog box, click Advanced.
5. In the Advanced Security Settings for MACHINE\SOFTWARE dialog box, click Users (WOODGROVEBANK\Users), and then click Edit.
6. In the Permission Entry for MACHINE\SOFTWARE dialog box, review the permissions options available, and then click Cancel four times.
7. Right-click the File System folder, and then click Add File.
8. In the Add a file or folder dialog box, expand Local Disk (C:), click WoodgroveCert.cer, and then click OK.
9. In the Database Security for %SystemDrive%\WoodGroveCert.cer dialog box, click Advanced.
10. In the Advanced Security Settings for %SystemDrive%\WoodgroveCert.cer, click Users (WOODGROVEBANK\Users), and then click Edit.
11. In the Permission Entry for %SystemDrive%\WoodgroveCert.cer, review the permission options available, and then click Cancel three times.
12. Close all windows.

View Windows Firewall with Advanced Security Options


1. Click Start, point to Administrative Tools and then click Windows Firewall with Advanced Security.
2. In the details pane, review the options.
3. In the left hand pane, click the Inbound Rules.
4. In the details pane, double-click Core Networking - IPv6 (IPv6-In).
5. In the Core Networking - IPv6 (IPv6-In) Properties dialog box, take note of the options available and click Cancel.
6. In the left hand pane, click the Outbound Rules.


7. In the details pane, double-click Core Networking - IPv6 (IPv6-Out).
8. In the Core Networking - IPv6 (IPv6-Out) Properties dialog box, take note of the options available and click Cancel.
9. Right-click Inbound Rules, and then click New Rule.
10. On the Rule Type page, select the Custom radio button, and then click Next.
11. On the Program page, select the All Programs radio button, and then click Next.
12. On the Protocol and Ports page, click Next.
13. On the Scope page, click Next.
14. On the Action page, click Next.
15. On the Profile page, click Next.
16. On the Name page, in the Name field, type My Custom Rule, and then click Finish.
17. Close all windows.

Demonstration: What Is the Default Domain Controller Security Policy?


Demo Steps:
1. On NYC-DC1, click Start, point to Administrative Tools and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
3. In the details pane, right-click the Default Domain Controllers Policy, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
5. Take note of the policies that can be set.
6. Under the Local Policies folder, click User Rights Management.
7. Take note of the policies that can be set.
8. Under the Local Policies folder, click Security Options.
9. Take note of the policies that can be set.


Additional Reading
What Are the Account Policies?
For more information on account passwords and policies, see Account Passwords and Policies in Windows Server 2003.

Windows Firewall with Advanced Security


For more information on the new Windows Firewall in Windows Vista and Windows Longhorn, see The New Windows Firewall in Windows Vista and Windows Longhorn.

What Is the Default Domain Security Policy?


For more information on Domain Policy, see Windows Server 2003 Security Guide Chapter 3: The Domain Policy.

Characteristics of Security Policy Settings


For more information on Troubleshooting Group Policy application problems, see Troubleshooting Group Policy application problems.


Lesson 2

Implementing Fine-Grained Password Policies


Contents:
Questions and Answers 10
Detailed Demo Steps 11
Additional Reading 12


Questions and Answers


What Are Fine-Grained Password Policies?
Question: How would you use fine-grained passwords in your environment? Answer: Answers may vary.

How Fine-Grained Password Policies Are Implemented


Question: How could you view the Password Settings Container in Active Directory Users and Computers? Answer: You need to enable the Advanced Features view in Active Directory Users and Computers.

Implementing Fine-Grained Password Policies


Question: In your organization, a number of users deal with confidential files on a regular basis. You need to ensure that all these users have strict account policies enforced. The user accounts are scattered across multiple OUs. How would you accomplish this with the least administrative effort? Answer: Create a shadow global group and place all the appropriate users into that group. Then create and assign a PSO to the group.

Demonstration: Implementing Fine-Grained Password Policies


Question: What utilities can be used to manage PSOs? Choose all that apply:
a. ADSI Edit
b. GPMC
c. CSVDE
d. LDIFDE
e. NTDSUtil
f. Active Directory Users and Computers

Answer: Answers A, D, and F are correct.


Detailed Demo Steps


Demonstration: Implementing Fine-Grained Password Policies
Demo Steps:
1. Click Start, type adsiedit.msc, and then press ENTER.
2. In the ADSI Edit window, in the console pane, right-click ADSI Edit, and then click Connect to.
3. In the Connection Settings dialog box, click OK.
4. In the console pane, expand Default naming context [NYC-DC1.WoodgroveBank.com], expand DC=WoodgroveBank, DC=com, expand CN=System, right-click CN=Password Settings Container, point to New, and then click Object.
5. In the Create Object dialog box, click msDS-PasswordSettings, and then click Next.
6. On the Attribute: cn page, in the Value field, type Administrator, and then click Next.
7. On the Attribute: msDS-PasswordSettingsPrecedence page, in the Value field, type 10, and then click Next.
8. On the Attribute: msDS-PasswordReversibleEncryptionEnabled page, in the Value field, type false, and then click Next.
9. On the Attribute: msDS-PasswordHistoryLength page, in the Value field, type 30, and then click Next.
10. On the Attribute: msDS-PasswordComplexityEnabled page, in the Value field, type true, and then click Next.
11. On the Attribute: msDS-MinimumPasswordLength page, in the Value field, type 10, and then click Next.
12. On the Attribute: msDS-MinimumPasswordAge page, in the Value field, type 5184000000000, and then click Next.
13. On the Attribute: msDS-MaximumPasswordAge page, in the Value field, type 6048000000000, and then click Next.
14. On the Attribute: msDS-LockoutThreshold page, in the Value field, type 3, and then click Next.
15. On the Attribute: msDS-LockoutObservationWindow page, in the Value field, type 18000000000, and then click Next.
16. On the Attribute: msDS-LockoutDuration page, in the Value field, type -18000000000, click Next, and then click Finish.
17. Close the ADSI Edit.
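The long numbers typed in steps 12 to 16 are durations expressed in 100-nanosecond intervals (6 days, 7 days, 30 minutes and 30 minutes). As an added example, not part of the course material, the script below builds the same PSO as an LDIF record for LDIFDE, one of the PSO tools named in the question above, converting human-readable durations and checking the constraints AD DS applies to a PSO before it is written. It follows the convention of the Step-by-Step Guide cited in the Additional Reading, where all four age and lockout intervals are written as negative (relative) values, and it adds an msDS-PSOAppliesTo link to a shadow global group, as the earlier question suggests; the group DN used here is constructed.

```python
"""Generate an LDIF record for a fine-grained password policy (PSO)."""
from dataclasses import dataclass, field
from typing import List

TICKS_PER_SECOND = 10_000_000   # the msDS-* age and lockout attributes count 100-ns intervals
NEVER = -(2 ** 63)               # special msDS-MaximumPasswordAge value: password never expires


def interval(days: int = 0, hours: int = 0, minutes: int = 0) -> int:
    """Duration -> relative I8 interval, negative as in the Step-by-Step Guide."""
    seconds = ((days * 24 + hours) * 60 + minutes) * 60
    return -seconds * TICKS_PER_SECOND


@dataclass
class PasswordSettings:
    name: str                     # cn of the PSO
    precedence: int               # lower number wins when several PSOs apply to one user
    min_length: int
    history_length: int
    complexity: bool
    reversible_encryption: bool
    min_age: int                  # interval()
    max_age: int                  # interval() or NEVER
    lockout_threshold: int        # 0 disables account lockout
    lockout_window: int           # interval()
    lockout_duration: int         # interval()
    applies_to: List[str] = field(default_factory=list)   # DNs of users or global groups


def problems(pso: PasswordSettings) -> List[str]:
    """Constraints AD DS enforces on a PSO; an empty list means the object is acceptable."""
    found = []
    if pso.precedence < 1:
        found.append("precedence must be 1 or greater")
    if not 0 <= pso.min_length <= 255:
        found.append("minimum password length must be 0-255")
    if not 0 <= pso.history_length <= 1024:
        found.append("password history length must be 0-1024")
    # Intervals are negative, so "min_age < max_age" means the minimum age is the longer one.
    if pso.max_age != NEVER and pso.min_age < pso.max_age:
        found.append("minimum password age must be shorter than the maximum password age")
    if pso.lockout_threshold and pso.lockout_duration > pso.lockout_window:
        found.append("lockout duration must be at least as long as the observation window")
    return found


def to_ldif(pso: PasswordSettings, domain_dn: str) -> str:
    """LDIF 'add' record for 'ldifde -i -f <file>'; raises ValueError if the PSO is invalid."""
    errors = problems(pso)
    if errors:
        raise ValueError("; ".join(errors))

    def flag(value: bool) -> str:
        return "TRUE" if value else "FALSE"

    dn = f"CN={pso.name},CN=Password Settings Container,CN=System,{domain_dn}"
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"cn: {pso.name}",
        f"msDS-PasswordSettingsPrecedence: {pso.precedence}",
        f"msDS-PasswordReversibleEncryptionEnabled: {flag(pso.reversible_encryption)}",
        f"msDS-PasswordHistoryLength: {pso.history_length}",
        f"msDS-PasswordComplexityEnabled: {flag(pso.complexity)}",
        f"msDS-MinimumPasswordLength: {pso.min_length}",
        f"msDS-MinimumPasswordAge: {pso.min_age}",
        f"msDS-MaximumPasswordAge: {pso.max_age}",
        f"msDS-LockoutThreshold: {pso.lockout_threshold}",
        f"msDS-LockoutObservationWindow: {pso.lockout_window}",
        f"msDS-LockoutDuration: {pso.lockout_duration}",
    ]
    lines += [f"msDS-PSOAppliesTo: {target}" for target in pso.applies_to]
    return "\n".join(lines) + "\n"


# The values the demo types into ADSI Edit; the applies_to group DN is constructed.
DEMO_PSO = PasswordSettings(
    name="Administrator", precedence=10, min_length=10, history_length=30,
    complexity=True, reversible_encryption=False,
    min_age=interval(days=6), max_age=interval(days=7),
    lockout_threshold=3, lockout_window=interval(minutes=30), lockout_duration=interval(minutes=30),
    applies_to=["CN=Confidential_Users,CN=Users,DC=WoodgroveBank,DC=com"],
)

if __name__ == "__main__":
    print(to_ldif(DEMO_PSO, "DC=WoodgroveBank,DC=com"), end="")
```

Redirect the output to a file and import it with ldifde -i -f on the domain controller; because the constraint check runs first, a PSO whose minimum age exceeds its maximum age, or whose lockout duration is shorter than its observation window, is rejected locally instead of by the directory.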


Additional Reading
What Are Fine-Grained Password Policies?
For more information on the fine-grained password policies, see AD DS: Fine-Grained Password Policies.

How Fine-Grained Password Policies Are Implemented


For more information on the fine-grained password policies, see AD DS: Fine-Grained Password Policies.

Implementing Fine-Grained Password Policies


For more information on the fine-grained password policies, see Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration.

Demonstration: Implementing Fine-Grained Password Policies


For more information on this topic see Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration: http://go.microsoft.com/fwlink/?LinkId=113764


Lesson 3

Restricting Group Membership and Access to Software
Contents:
Questions and Answers 14
Detailed Demo Steps 15
Additional Reading 17


Questions and Answers


What Is Restricted Group Membership?
Question: Your company has five Web servers physically located across North America. The Web servers' computer accounts are all located in a single OU. You want to grant all the users in the global group named Web_Backup the right to back up and restore the Web servers. How could you use Group Policy to accomplish this? Answer: Create and link a GPO to the OU. Configure the restricted Group Policy setting to place the Web_Backup group into the local Backup Operators group on all the Web servers.

Demonstration: Configuring Restricted Group Membership


Question: You created a Group Policy that adds the Helpdesk group to the local Administrators group, and you linked the policy to an OU. Now the Domain Administrators no longer have any administrative authority on the computers in that OU. What is the most likely problem, and how would you solve it? Answer: The restricted Group Policy setting did not include Domain Admins on the list of groups to be placed into the local Administrators group, so Domain Admins was removed from the group. To solve the issue, place the Domain Admins group on the list of restricted groups.
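The lockout in the question above happens because the "Members of this group" list is authoritative: when the policy applies, every account not on the list is removed, while the "This group is a member of" list only adds the group to other groups. As an added example, not part of the course material, the function below applies those two rules to a sample of current local group membership and reports what a Restricted Groups setting would remove, so the mistake is caught before the GPO is linked. The membership sample and the Helpdesk group name are constructed; Web_Backup and ITAdmins_WoodgroveGG are the group names used elsewhere in this module.

```python
"""Predict the effect of a Restricted Groups setting before linking the GPO."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RestrictedGroup:
    group: str                                            # the group the setting controls
    members: Optional[List[str]] = None                   # "Members of this group"; None = not configured
    member_of: List[str] = field(default_factory=list)    # "This group is a member of"


def apply_restricted_groups(current: Dict[str, Set[str]], policy: List[RestrictedGroup]) -> Dict[str, Set[str]]:
    """Membership of every local group after the policy refreshes.

    A configured Members list replaces the group's membership outright;
    Member Of only adds the restricted group to the listed parent groups."""
    result = {group: set(members) for group, members in current.items()}
    for rule in policy:
        if rule.members is not None:
            result[rule.group] = set(rule.members)
        for parent in rule.member_of:
            result.setdefault(parent, set()).add(rule.group)
    return result


def removed_accounts(current: Dict[str, Set[str]], policy: List[RestrictedGroup]) -> Dict[str, Set[str]]:
    """Accounts the policy would strip from each group; the check to run before deployment."""
    after = apply_restricted_groups(current, policy)
    removed = {group: members - after[group] for group, members in current.items()}
    return {group: gone for group, gone in removed.items() if gone}


def helpdesk_scenario() -> Dict[str, Dict[str, Set[str]]]:
    """Constructed membership run against the lockout policy and against the corrected one."""
    current = {
        "Administrators": {"Domain Admins", "ITAdmins_WoodgroveGG"},
        "Backup Operators": set(),
    }
    # The policy from the question: only Helpdesk listed, so everyone else is removed.
    lockout = [RestrictedGroup("Administrators", members=["Helpdesk"])]
    # Corrected: Domain Admins kept on the list; Web_Backup added through the additive Member Of form.
    corrected = [
        RestrictedGroup("Administrators", members=["Domain Admins", "Helpdesk"]),
        RestrictedGroup("Web_Backup", member_of=["Backup Operators"]),
    ]
    return {
        "lockout_removes": removed_accounts(current, lockout),
        "lockout_result": apply_restricted_groups(current, lockout),
        "corrected_removes": removed_accounts(current, corrected),
        "corrected_result": apply_restricted_groups(current, corrected),
    }


if __name__ == "__main__":
    for label, groups in helpdesk_scenario().items():
        print(label, {group: sorted(members) for group, members in groups.items()})
```

Even the corrected policy still removes ITAdmins_WoodgroveGG, because any group not on an authoritative Members list is dropped; that is why the Web_Backup answer above uses the Member Of form, which adds to Backup Operators without touching its other members.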

What Is a Software Restriction Policy?


Question: You have a number of computers in a workgroup. You need to restrict access to a certain application so that only members of the Administrators group are allowed to launch the application. How would you accomplish this? Answer: Local Group Policy supports software restriction policies for the computer configuration only. You can exempt the local Administrators group from the restriction by configuring the Enforcement setting.

Options for Configuring Software Restriction Policies


Question: You need to restrict access to a certain application no matter into what directory location the application is installed. What type of rule should you use? Answer: A Hash rule will identify the application uniquely, and prevent access to it no matter where the application was installed.

Demonstration: Configuring Software Restriction Policies


Question: You want to ensure that only digitally signed Visual Basic scripts are allowed to run. What type of rule should you use? Answer: You can use a certificate rule to specify that VB scripts must be signed, and what digital signatures are valid.
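The hash rule question above turns on one distinction: a path rule matches where the file lives, a hash rule matches what the file contains. The following is an added example, not part of the course material, that models that evaluation: it creates a constructed stand-in for iexplore.exe in a temporary folder, rules it out once by path and once by hash, then copies the same bytes to another folder under another name and evaluates both copies. SRP stores a cryptographic hash of the file; SHA-256 stands in for it here. The rule-type precedence (hash, certificate, path, zone) and the Enforcement option that exempts local administrators, mentioned in the workgroup question above, are modelled as well.

```python
"""Path rules versus hash rules in Software Restriction Policies (model)."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Dict, List

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"
# SRP evaluates rule types in this order; the first type with a match decides.
RULE_PRECEDENCE = ("hash", "certificate", "path", "zone")


@dataclass
class Rule:
    kind: str      # "hash" or "path" in this model
    value: str     # hex digest for hash rules; file or folder path for path rules
    level: str     # DISALLOWED or UNRESTRICTED


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches(rule: Rule, path: str) -> bool:
    if rule.kind == "hash":
        return sha256_of(path) == rule.value
    if rule.kind == "path":
        target = os.path.normcase(os.path.abspath(path))
        ruled = os.path.normcase(os.path.abspath(rule.value))
        return target == ruled or target.startswith(ruled + os.sep)   # file or anything under a folder
    return False


def evaluate(path: str, rules: List[Rule], default_level: str = UNRESTRICTED,
             user_is_local_admin: bool = False, exempt_local_admins: bool = False) -> str:
    """Security level SRP would assign to the program at `path`."""
    if user_is_local_admin and exempt_local_admins:
        return UNRESTRICTED          # Enforcement: "All users except local administrators"
    for kind in RULE_PRECEDENCE:
        hits = [rule for rule in rules if rule.kind == kind and matches(rule, path)]
        if hits:
            # Most specific (longest) path wins; on a tie the more restrictive level wins.
            hits.sort(key=lambda rule: (len(rule.value), rule.level == DISALLOWED), reverse=True)
            return hits[0].level
    return default_level


def demo() -> Dict[str, str]:
    """Constructed files in a temp folder: the bytes are not a real executable."""
    root = tempfile.mkdtemp()
    try:
        ie_dir = os.path.join(root, "Program Files", "Internet Explorer")
        os.makedirs(ie_dir)
        original = os.path.join(ie_dir, "iexplore.exe")
        with open(original, "wb") as handle:
            handle.write(b"MZ constructed stand-in for iexplore.exe")
        path_rule = Rule("path", original, DISALLOWED)
        hash_rule = Rule("hash", sha256_of(original), DISALLOWED)

        # Same bytes in a user's profile under a new name: the path rule no longer applies.
        moved = os.path.join(root, "Users", "sven", "browser.exe")
        os.makedirs(os.path.dirname(moved))
        shutil.copyfile(original, moved)

        # A new build of the program has different bytes, so a hash rule must be
        # re-created after every update; a path rule on the install folder would not.
        updated = os.path.join(ie_dir, "iexplore_v2.exe")
        with open(updated, "wb") as handle:
            handle.write(b"MZ constructed stand-in for iexplore.exe, new build")

        return {
            "original_path_rule": evaluate(original, [path_rule]),
            "original_hash_rule": evaluate(original, [hash_rule]),
            "moved_path_rule": evaluate(moved, [path_rule]),
            "moved_hash_rule": evaluate(moved, [hash_rule]),
            "updated_hash_rule": evaluate(updated, [hash_rule]),
            "folder_rule_updated": evaluate(updated, [Rule("path", ie_dir, DISALLOWED)]),
            "admin_exempt": evaluate(original, [hash_rule], user_is_local_admin=True, exempt_local_admins=True),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, level in demo().items():
        print(f"{case}: {level}")
```

The copy in the user's profile is Unrestricted under the path rule and Disallowed under the hash rule, which is the point of the answer above; the updated build shows the maintenance cost of hash rules, since the rule has to be regenerated whenever the file changes.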


Detailed Demo Steps


Demonstration: Configuring Restricted Group Membership
Demo steps: Create a new group policy and link the policy to an existing OU
1. Click Start, point to Administrative Tools and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
3. Right-click the Group Policy Objects folder, and then click New.
4. In the New GPO dialog box, in the Name field, type ITAdmin Policy, and then click OK.
5. Right-click the ITAdmins folder, and then click Link an Existing GPO.
6. In the Select GPO dialog box, in the Group Policy objects pane, click ITAdmin Policy, and then click OK.

Add the Administrators group to the Restricted Groups list


1. Under the Group Policy Objects folder, right-click the ITAdmin Policy, and then click Edit.
2. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, and then expand Security Settings.
3. Under the Security Settings folder, right-click Restricted Groups, and then click Add Group.
4. In the Add Group dialog box, in the Group field, type Administrators, and then click OK.
5. In the Administrators Properties dialog box, for Members of this group, click Add.
6. In the Add Member dialog box, in the Members of this group field, type Domain Admins, and then click OK.
7. Next to Members of this group, click Add.
8. In the Add Member dialog box, in the Members of this group field, type ITAdmins_WoodgroveGG, and then click OK twice.
9. Close the Group Policy Management Editor.

Move the Windows Vista client into the ITAdmins OU


1. Click Start, point to Administrative Tools and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, expand WoodgroveBank.com, and then click Computers.
3. In the details pane, right-click NYC-CL1, and then click Move.
4. In the Move dialog box, click ITAdmins, and then click OK.


Demonstration: Configuring Software Restriction Policies


Demo steps: Create a new group policy rule to disallow Internet Explorer
1. Click Start, point to Administrative Tools and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
3. Right-click the Group Policy Objects folder, and then click New.
4. In the New GPO dialog box, in the Name field, type IEPolicy, and then click OK.
5. Under the Group Policy Objects folder, right-click the IEPolicy, and then click Edit.
6. In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, and then expand Security Settings.
7. Right-click Software Restriction Policies, and then click New Software Restriction Policies.
8. In the details pane, right-click Additional Rules, and then click New Hash Rule.
9. In the New Hash Rule dialog box, click Browse.
10. In the Open dialog box, browse to C:\Program Files\Internet Explorer.
11. Click iexplore.exe, and then click Open.
12. Verify that the Security level is Disallowed, and then click OK.
13. Close the Group Policy Management Editor.

Apply the new policy to an OU


1. In the Group Policy Management window, right-click the Toronto folder, and then click Link an Existing GPO.
2. In the Select GPO dialog box, in the Group Policy objects pane, click IEPolicy, and then click OK.
3. Under the Toronto OU, right-click the IEPolicy, and then click Enforced.

Test the new software restriction policy


1. On NYC-CL1, log on as WOODGROVEBANK\Sven with the password Pa$$w0rd.
2. Click Start, point to All Programs, point to Accessories, and then click Command Prompt.
3. In the Command Prompt, type gpupdate /force, and then press ENTER.
4. Click Start, and then click Internet Explorer.
5. In the Explorer.EXE dialog box, read the error message and then click OK.
6. In the Internet dialog box, click No.
7. Log out Sven.


Additional Reading
What Is a Software Restriction Policy?
For more information on using Software Restriction policies to protect against unauthorized software, see Using Software Restriction Policies to Protect Against Unauthorized Software.

Options for Configuring Software Restriction Policies


For more information on using Software Restriction policies to protect against unauthorized software, see Using Software Restriction Policies to Protect Against Unauthorized Software.


Lesson 4

Managing Security Using Security Templates


Contents:
Questions and Answers 19
Detailed Demo Steps 20
Additional Reading 23


Questions and Answers


What Are Security Templates?
Question: Provide an example of how Security Templates can help organize your existing security attributes. Answer: Answers may vary.

Demonstration: Applying Security Templates


Question: You have multiple database servers that are located in different OUs. What is the easiest way to apply consistent security settings to all of the database servers? Answer: Create a security template that contains all the appropriate security settings and import the template into a GPO. Then link that GPO to the OUs, and, if necessary, filter the GPO to apply to the database computers.

What Is the Security Configuration Wizard?


Question: List at least one example of how the Security Configuration Wizard can reduce your attack surface. Answer: Answers may vary.

Demonstration: Configuring Server Security Using the Security Configuration Wizard


Question: What types of server roles exist in your organization? Answer: Answers may vary.

Options for Integrating the Security Configuration Wizard and Security Templates
Question: What is the main advantage of the SCW? Answer: It allows you to create policies that provide consistent security settings across multiple instances of a particular server role.

Demonstration: Importing Security Configuration Policies into Security Templates


Question: You need to open a port on your Windows Vista client computers for a custom application. Should you use the SCW, or create a security template and use a GPO? Answer: You should create a security template and import it into a GPO. The SCW is not designed to be used for client operating systems.


Detailed Demo Steps


Demonstration: Applying Security Templates
Demo Steps: Create a new OU
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, right-click WoodgroveBank.com, point to New, and then click Organizational Unit.
3. In the New Object - Organizational Unit dialog box, in the Name field, type Server.
4. Close Active Directory Users and Computers.

Create a new group policy object


1. Click Start, point to Administrative Tools and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
3. Right-click the Group Policy Objects folder, and then click New.
4. In the New GPO dialog box, in the Name field, type Security Baseline, and then click OK.

Apply the new policy to the Server OU


1. In the Group Policy Management window, right-click the Server folder, and then click Link an Existing GPO.
2. In the Select GPO dialog box, in the Group Policy objects pane, click Security Baseline, and then click OK.
3. Under the Server OU, right-click the Security Baseline, and then click Enforced.

Create a Security template


1. Click Start, type MMC, and then press ENTER.
2. In the Console1 window, on the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, scroll down, click Security Templates, click Add, and then click OK.
4. In the console pane, expand Security Templates, right-click C:\Users\Administrator\Documents\Security\Templates, and then click New Template.
5. In the C:\Users\Administrator\Documents\Security\Templates dialog box, in the Template name field, type Server Baseline, and then click OK.
6. Expand C:\Users\Administrator\Documents\Security\Templates, expand Server Baseline, expand Local Policies, and then click Security Options.
7. In the details pane, double-click Interactive Logon: Do not display last user name.
8. In the Interactive logon: Do not display last user name Properties dialog box, select the Define this policy setting in the template check box, click Enabled, and then click OK.


9. In the console pane, right-click Server Baseline, and then click Save.
10. Close the MMC window and do not save changes.

Import the security template into the Group Policy


1. Switch to the Group Policy Management window.
2. Under the Group Policy Objects folder, right-click the Server Baseline, and then click Edit.
3. In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, and then expand Security Settings.
4. Right-click Security Settings, and then click Import Policy.
5. In the Import Policy From dialog box, click Server Baseline.inf, and then click Open.
6. In the Group Policy Management Editor, under the Security Settings folder, expand Local Policies, and then click Security Options.
7. Note that the Interactive Logon: Do not display last user name setting has been enabled.
8. Close all windows.
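The Server Baseline.inf file saved and imported in the two procedures above is a plain INF text file: account settings sit in a [System Access] section and security options such as "Interactive logon: Do not display last user name" are stored in [Registry Values] as a registry path followed by a type code and data (4 = REG_DWORD). Because the same format is produced when the effective configuration of a server is exported with secedit /export /cfg, a template can be compared against an export to detect drift from the baseline. The following is an added example, not part of the course material; both templates are constructed text, not files from the course's virtual machines.

```python
"""Parse security templates (.inf) and report settings that drifted from a baseline."""
import configparser
from typing import Dict, List, Tuple

# Registry value type codes as secedit writes them in [Registry Values]
REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}

# Constructed baseline: the demo's "Do not display last user name" setting plus a few others.
BASELINE_INF = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 30
MinimumPasswordLength = 10
PasswordHistorySize = 24
LockoutBadCount = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""

# Constructed export of a server that has drifted: longer password age, last user name
# shown again, and the SMB signing value no longer defined.
CURRENT_INF = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 10
PasswordHistorySize = 24
LockoutBadCount = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
"""

Template = Dict[str, Dict[str, str]]
Finding = Tuple[str, str, str, str]      # (section, setting, baseline value, current value)


def parse_template(text: str) -> Template:
    """Section -> {setting: value}. Real templates are UTF-16LE files; decode before calling."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str              # keep the case of setting names and registry paths
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def decode_registry_value(raw: str) -> Tuple[str, str]:
    """'4,1' -> ('REG_DWORD', '1')."""
    type_code, _, data = raw.partition(",")
    return REG_TYPES.get(type_code, f"type {type_code}"), data


def compare(baseline: Template, current: Template,
            sections: Tuple[str, ...] = ("System Access", "Registry Values")) -> List[Finding]:
    """Every baseline setting whose current value differs or is not defined at all."""
    findings: List[Finding] = []
    for section in sections:
        for setting, expected in baseline.get(section, {}).items():
            actual = current.get(section, {}).get(setting, "not defined")
            if actual != expected:
                findings.append((section, setting, expected, actual))
    return findings


if __name__ == "__main__":
    drift = compare(parse_template(BASELINE_INF), parse_template(CURRENT_INF))
    for section, setting, expected, actual in drift:
        if section == "Registry Values":
            expected, actual = str(decode_registry_value(expected)), str(decode_registry_value(actual))
        print(f"[{section}] {setting}: baseline {expected}, current {actual}")
```

Only the settings the baseline defines are checked, which matches how a template is applied: a template is silent about anything it does not define, so extra settings on the server are not drift from its point of view.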

Demonstration: Configuring Server Security Using the Security Configuration Wizard


Demo Steps:
1. Click Start, point to Administrative Tools, and then click Security Configuration Wizard.
2. In the Security Configuration Wizard, click Next.
3. On the Configuration Action page, click Next.
4. On the Select a Server page, click Next.
5. On the Processing Security Configuration Database page, click View Configuration Database.
6. In the Internet Explorer dialog box, click Yes.
7. In the SCW Viewer window, expand Server Roles, expand DHCP Server, and then take note of the description.
8. Close the SCW Viewer.
9. On the Processing Security Configuration Database page, click Next.
10. On the Role-Based Service Configuration page, click Next.
11. On the Select Server Roles page, click Next.
12. On the Select Client Features page, click Next.
13. On the Select Administration and Other Options page, click Next.
14. On the Select Additional Services page, click Next.
15. On the Handling Unspecified Services page, click Next.
16. On the Confirm Service Changes page, click Next.
17. On the Network Security page, click Next.

8-22

Configuring, Managing, and Maintaining Windows Server 2008 Servers

18. On the Network Security Rules page, click Next.
19. On the Registry Settings page, click Next.
20. On the Require SMB Security Signatures page, click Next.
21. On the Require LDAP Signing page, click Next.
22. On the Outbound Authentication Methods page, click Next.
23. On the Outbound Authentication using Domain Accounts page, click Next.
24. On the Registry Settings Summary page, click Next.
25. On the Audit Policy page, click Next.
26. On the System Audit Policy page, click Next.
27. On the Audit Policy Summary page, click Next.
28. On the Save Security Policy page, click Next.
29. On the Security Policy File Name page, in the Security policy file name field, type C:\baseline.xml.
30. On the Apply Security Policy page, click Next.
31. On the Completing the Security Configuration Wizard page, click Finish.

Demonstration: Importing Security Configuration Policies into Security Templates


Demo Steps: Transform an XML policy into a Group Policy Object
1. Click Start, and then click Command Prompt.
2. In the Administrator: Command Prompt window, type Scwcmd transform /p:C:\Baseline.xml /g:Serverbaseline, and then press ENTER.
3. Close the Command Prompt.

View the new Group Policy Object


1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
3. Note that the new group policy, Serverbaseline, is now in the Group Policy Objects folder.
4. Close the Group Policy Management window.
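The two demonstrations above create an SCW policy and turn it into a GPO. What a practitioner also wants is a way to find out, without touching the servers, which of them have drifted from that policy. The script below is an added example, not part of the course content: it runs the SCW analyze command against a list of servers using the C:\baseline.xml policy from the demonstration. The server names and result folder are placeholders, and the naming of the per-server result file is an assumption.

```powershell
# Added example (not course content): check a list of servers against the SCW
# policy saved in the demonstration. "scwcmd analyze" only compares and reports;
# it does not apply the policy. Server names and the result folder are placeholders.
param(
    [string[]]$Servers  = @('NYC-SVR1', 'NYC-SVR2'),   # placeholder computer names
    [string]$PolicyFile = 'C:\baseline.xml',           # policy file created by the SCW demo
    [string]$ResultDir  = 'C:\ScwResults'              # any writable folder (assumption)
)

if (-not (Test-Path $PolicyFile)) { throw "Policy file not found: $PolicyFile" }
if (-not (Test-Path $ResultDir))  { New-Item -ItemType Directory -Path $ResultDir | Out-Null }

$results = @()
foreach ($server in $Servers) {
    # /m: target machine, /p: policy to compare against, /o: folder for result files.
    & scwcmd.exe analyze /m:$server /p:$PolicyFile /o:$ResultDir
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "scwcmd analyze failed for $server (exit code $LASTEXITCODE)"
        continue
    }

    # Assumption: scwcmd writes one <ServerName>.xml result file per analysed machine.
    $resultFile = Join-Path $ResultDir "$server.xml"
    if (Test-Path $resultFile) {
        $results += $resultFile
        Write-Host "Result for $server written to $resultFile"
    } else {
        Write-Warning "No result file found for $server in $ResultDir"
    }
}

# Open the first result in the SCW Viewer for review; /x: takes an analysis result file.
if ($results.Count -gt 0) { & scwcmd.exe view /x:$results[0] }
```

Use the same policy file that was transformed into the GPO so that the analysis measures exactly what Group Policy is supposed to enforce; scwcmd can also be pointed at an OU instead of a list of names, which suits the "consistent settings across a server role" goal the later review questions describe.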

Implementing Security Using Group Policy

8-23

Additional Reading
What Are Security Templates?
For more information on security templates, see Security Templates.

Module Reviews and Takeaways


Review Questions
1. Question: You must ensure that all users change their password exactly every 30 days. How would you configure account policies to accomplish this?
Answer: Set the Minimum Password Age value to be 29 days, and set the Maximum Password Age value to be 30 days.

2. Question: You have a Windows Vista client that is not joined to the domain. You want to force the Administrators to change their passwords every seven days, while standard users change their passwords every 21 days. How would you configure the local policy to achieve this?
Answer: You cannot do this. It is not possible to have different password policies for different local users. Local password policies are stored in the Local Group Policy Object (LGPO) computer configuration.

3. Question: How does your organization implement group policy to restrict access to wireless networks?
Answer: Answers may vary.

4. Question: You want to ensure that users are not allowed to use the Telnet service to connect to any other computers. How would you accomplish this?
Answer: Create a GPO that configures the Windows Firewall with an outbound rule that blocks port 23, and link the GPO to the appropriate containers.

5. Question: You need to ensure that a particular service is not allowed to run on any servers in your network. How would you accomplish this?
Answer: Configure a security setting in a GPO that prohibits the service, and apply the GPO to the appropriate containers.

6. Question: Provide at least one example of a default controller policy that your organization has customized.
Answer: Answers may vary.

7. Question: You need to grant an ordinary user the right to log on locally to domain controllers. In which of the default policies should you configure this setting?
Answer: You need to configure this setting in the Default Domain Controllers policy. Setting this policy at the domain level will not work, because the Default Domain Controllers policy has configured this setting and has a higher precedence.

8. Question: If multiple policies are configured at the domain level, what determines the processing priority?
Answer: The Link Order of the policy determines the processing order. The policy with the lowest Link Order number is processed last, and therefore has the highest precedence.

9. Question: What is the default Group Policy refresh interval for domain controllers?
Answer: Every five minutes.

10. Question: You have configured a password policy in a GPO, and linked that policy to the Research OU. The policy is not affecting domain users in the OU. What is the problem?
Answer: You can configure password policies for domain users only at the domain level.

11. Question: How would you use fine-grained passwords in your environment?
Answer: Answers may vary.

12. Question: How could you view the Password Settings Container in Active Directory Users and Computers?
Answer: You need to enable the Advanced Features view in Active Directory Users and Computers.

13. Question: In your organization, a number of users deal with confidential files on a regular basis. You need to ensure that all these users have strict account policies enforced. The user accounts are scattered across multiple OUs. How would you accomplish this with the least administrative effort?
Answer: Create a shadow global group and place all the appropriate users into that group. Then create and assign a PSO to the group.

14. Question: What utilities can be used to manage PSOs? Choose all that apply:
a. ADSI Edit
b. GPMC
c. CSVDE
d. LDIFDE
e. NTDSUtil
f. Active Directory Users and Computers
Answer: a, d, and f are correct.

15. Question: You have a number of computers in a workgroup. You need to restrict access to a certain application so that only members of the Administrators group are allowed to launch the application. How would you accomplish this?
Answer: Local Group Policy supports software restriction policies for the computer configuration only. You can exempt the local Administrators group from the restriction by configuring the Enforcement setting.

16. Question: You need to restrict access to a certain application no matter into what directory location the application is installed. What type of rule should you use?
Answer: A Hash rule will identify the application uniquely, and prevent access to it no matter where the application was installed.

17. Question: You want to ensure that only digitally signed Visual Basic scripts are allowed to run. What type of rule should you use?
Answer: You can use a certificate rule to specify that VB scripts must be signed, and which digital signatures are valid.

18. Question: Provide an example of how Security Templates can help organize your existing security attributes.
Answer: Answers may vary.

19. Question: You have multiple database servers that are located in different OUs. What is the easiest way to apply consistent security settings to all of the database servers?
Answer: Create a security template that contains all the appropriate security settings and import the template into a GPO. Then link that GPO to the OUs, and, if necessary, filter the GPO to apply to the database computers.

20. Question: List at least one example of how the Security Configuration Wizard can reduce your attack surface.
Answer: Answers may vary.

21. Question: What types of server roles exist in your organization?
Answer: Answers may vary.
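Questions 13 and 14 describe the shadow-group approach to fine-grained password policy and name LDIFDE as one of the tools that can create a PSO. The script below is an added example, not part of the course content, showing what that looks like end to end: it generates an LDIF file for a Password Settings Object that applies to a shadow group and imports it with ldifde. The group name and OU, the PSO name and the chosen values are placeholders; the domain is the course's WoodgroveBank.com.

```powershell
# Added example (not course content): create a PSO with ldifde for a shadow
# global group holding the users who handle confidential files. Group DN, PSO
# name and policy values are placeholders. Requires the Windows Server 2008
# domain functional level and rights to create objects in the Password
# Settings Container (Domain Admins by default).
$domainDn = 'DC=WoodgroveBank,DC=com'
$groupDn  = "CN=Confidential Users,OU=Groups,$domainDn"   # placeholder shadow group
$psoName  = 'ConfidentialUsersPSO'                         # placeholder PSO name
$ldifPath = Join-Path $env:TEMP "$psoName.ldf"

# Duration attributes on a PSO are stored as negative 100-nanosecond intervals,
# e.g. 30 days = -(30 * 86400 * 10^7) = -25920000000000. .NET ticks are also
# 100 ns, so a TimeSpan's Ticks value negated is exactly the right number.
function Interval([timespan]$span) { '-' + $span.Ticks }

$ldif = @"
dn: CN=$psoName,CN=Password Settings Container,CN=System,$domainDn
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 12
msDS-MinimumPasswordAge: $(Interval (New-TimeSpan -Days 1))
msDS-MaximumPasswordAge: $(Interval (New-TimeSpan -Days 30))
msDS-LockoutThreshold: 3
msDS-LockoutObservationWindow: $(Interval (New-TimeSpan -Minutes 30))
msDS-LockoutDuration: $(Interval (New-TimeSpan -Minutes 30))
msDS-PSOAppliesTo: $groupDn
"@

Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

# -i import mode, -f input file, -j directory for ldifde's ldif.log / ldif.err.
& ldifde.exe -i -f $ldifPath -j $env:TEMP
if ($LASTEXITCODE -ne 0) {
    throw "ldifde failed with exit code $LASTEXITCODE; see $env:TEMP\ldif.log"
}
Write-Host "PSO $psoName created and applied to $groupDn"
```

The precedence value matters when a user ends up in more than one shadow group: the PSO with the lowest msDS-PasswordSettingsPrecedence wins, so reserve low numbers for the strictest policies. Question 12's Advanced Features view is where you confirm the object landed in the Password Settings Container.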

22. Question: What is the main advantage of the SCW?
Answer: It allows you to create policies that provide consistent security settings across multiple instances of a particular server role.

23. Question: You need to open a port on your Windows Vista client computers for a custom application. Should you use the SCW, or create a security template and use a GPO?
Answer: You should create a security template and import it into a GPO. The SCW is not designed to be used for client operating systems.

24. Question: Provide at least one example of how your organization can benefit from using the Security Configuration and Analysis Tool.
Answer: Answers may vary.

25. Question: You want to place a software restriction policy on a new type of executable file. What must you do before you can create a rule for this executable code?
Answer: You must add the file extension to the list of Designated File Types.

26. Question: What setting must you configure to ensure that users are allowed only three invalid logon attempts?
Answer: The Account Lockout Threshold setting.

27. Question: You want to provide consistent security settings for all client computers in the organization. The computer accounts are scattered across multiple OUs. What is the best way to provide this?
Answer: Create a security template that has all the appropriate settings, and then import the template into GPOs linked to the appropriate OUs.

28. Question: An administrator in your organization has accidentally modified the Default Domain Controller Policy. You need to restore the policy to its original default settings. How would you accomplish this?
Answer: You would use the Dcgpofix command-line utility with the following syntax: dcgpofix /target:DC

Lab Review Questions and Answers


1. Question: You want to control to which wireless networks your Windows Vista clients will have access. What is the best way to accomplish this?
Answer: Create a Wireless Network Policy and create a list of allowed SSIDs.

2. Question: You need to harden security on all the database servers across your organization. What tool is best suited for this task?
Answer: The Security Configuration Wizard.

3. Question: You have used the Security Configuration Wizard to create a policy for your servers running IIS. You have transformed the policy into a GPO. You apply the GPO to the proper OU, but the IIS settings are not being deployed. What is the problem?
Answer: You cannot deploy IIS settings via Group Policy.

Configuring Server Security Compliance

9-1

Module 9
Configuring Server Security Compliance
Contents:
Lesson 1: Securing a Windows Infrastructure 2
Lesson 2: Implementing Encryption 5
Lesson 3: Configuring an Audit Policy 7
Lesson 4: Overview of Windows Server Update Services 11
Lesson 5: Managing WSUS 16
Module Reviews and Takeaways 21
Lab Review Questions and Answers 25

Lesson 1

Securing a Windows Infrastructure


Contents:
Questions and Answers 3
Additional Reading 4

Questions and Answers


Discussion: Challenges of Securing a Windows Infrastructure
Question: What do you think are the consequences of not addressing security within your network environment?
Answer: Examples include virus attacks and theft of information.

Question: Discuss challenges related to implementing and managing secure configuration of servers.
Answer: Organizations typically find it challenging to implement and manage secure configurations, often for servers that perform more than one role. It typically has been difficult to determine and manage required services, which ports need to be open, and who needs access to servers. (Related Technologies: Security Configuration Wizard, Group Policy, Security Templates)

Question: Discuss challenges related to protecting against malicious software threats and intrusions.
Answer: Organizations need to determine the most effective way to ensure that their environment is protected from software threats that result from an inadequate update-management process. Organizations also tend to protect a network's perimeter, without giving any thought to protecting specific servers or segments within their network environment. (Related Technologies: Windows Server Update Services [WSUS], Network Access Protection [NAP], Internet Protocol security [IPsec], Windows Firewall)

Question: Discuss challenges implementing effective identity and access control.
Answer: Organizations may require more effective methods to identify and control who is logging on and accessing resources. (Related Technologies: Smart cards, Encrypting File System [EFS], BitLocker, Public Key Infrastructure [PKI], Rights Management Services, Federation Services)

Applying Defense-in-Depth to Increase Security


Question: What is the most important part of the defense-in-depth security model? Answer: All parts are equally important. This model identifies seven levels of security defenses that are designed to ensure that attempts to compromise the security of an organization will be met by a robust set of defenses at each level.

Core Server Security Practices


Question: Does your company have a detailed "build sheet" for all new installations that occur on new hardware? What can you do to lessen the attack footprint on your infrastructure? Answer: This will depend on your organization. You can implement any of the core server security practices that are not currently employed in your organization.

Additional Reading
Discussion: Challenges of Securing a Windows Infrastructure
For more information on the Windows Server 2008 Security Overview, see Windows Server 2008: Windows Help and Support - "Security Overview".

Applying Defense-in-Depth to Increase Security


For more information on the antivirus defense-in-depth, see Antivirus Defense-in-Depth Guide.

Core Server Security Practices


For more information on security and protection, see Security and Protection.

Lesson 2

Implementing Encryption
Contents:
Questions and Answers 6

Questions and Answers


What Is Encrypting File System?
Question: Why would EFS be used to encrypt data in addition to using NTFS permissions? Answer: When a hard drive is stolen, NTFS permissions are easy to overcome by placing the hard drive in another computer. The administrator of the other computer can take ownership of the files and gain access to them. EFS can also be used by individual users to help secure a file on a share that can be accessed by other users.

What Is BitLocker Drive Encryption?


Question: In what scenario would BitLocker be useful on a server? Answer: There are many scenarios. However, one scenario is during server moves to a new location. Servers are at a higher risk of being stolen when they are moved from one location to another after a company merger or the creation of a branch office. BitLocker helps to protect the data on disk from being accessed if the server is stolen.

Troubleshooting EFS
Question: Have you faced any EFS troubleshooting scenarios in your work environment? If so, how did you approach them? Answer: Answers may vary. This question should provide students an opportunity to further reflect on the troubleshooting guidance in this topic.

Lesson 3

Configuring an Audit Policy


Contents:
Questions and Answers 8
Detailed Demo Steps 9
Additional Reading 10

Questions and Answers


What Is Auditing?
Question: List three reasons that you may want to audit certain areas of a system or a particular shared resource. Answer: Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.

What Is an Audit Policy?


Question: Provide an example of why you would want to log successful events and failure events, as opposed to only failure events. Answer: The Security log records an audit event whenever users perform certain specified actions. For example, the modification of a file or a policy can trigger an event that shows the action that was performed, the associated user account, and the date and time of the action. These events can be both successful and failed attempts to perform actions. Logging the successful events can be important to identify security breaches.

Types of Events to Audit


Question: What categories of events does your company presently audit? If your company is not auditing, what event categories would you like to see audited in your organization? Answer: Students' answers will vary based on their organization.

Troubleshooting Audit Policy


Question: How often do you think you should check the security log to ensure auditing is happening correctly? Answer: This depends on your organization and your auditing settings.

Demonstration: How to Configure Auditing


Question: What is the default auditing policy setting for domain controllers? What is the benefit of having this setting as the default setting for domain controllers? Answer: The default auditing policy setting for domain controllers is No Auditing. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting. The no auditing setting makes the domain controller more secure by default.

Detailed Demo Steps


Demonstration: How to Configure Auditing
Enable Auditing
1. Open Group Policy Management. Edit the Default Domain Controllers Policy located under WoodgroveBank.com\Group Policy Objects\Default Domain Controllers Policy.
2. In the Group Policy Management Editor console tree, expand Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy.
3. Enable one or more auditing policies.
4. Click the Explain tab of an auditing policy.

Enable auditing on object access


1. Open Active Directory Users and Computers.
2. Enable auditing for the Toronto OU.
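Enabling audit policies in the GPO is only half of the job; the question earlier in this lesson asks how often the Security log should be checked to confirm that auditing is actually happening. The script below is an added example, not part of the course content, that verifies the effective audit policy on a domain controller after the GPO has applied and then summarises failed logons from the Security log. It assumes Windows PowerShell 2.0 or later and local administrator rights; event ID 4625 is the Windows Server 2008 "account failed to log on" event, and the position of the target account name within the event's replacement strings is an assumption based on that event's message template.

```powershell
# Added example (not course content): confirm that logon auditing is in effect
# on this domain controller and summarise recent failed logons. Assumes
# Windows PowerShell 2.0 or later and administrator rights.

# 1. Effective audit policy. auditpol reads the merged result of local and Group
#    Policy settings, so it shows what the LSA is really enforcing; /r gives CSV.
$policy = & auditpol.exe /get /category:* /r | ConvertFrom-Csv
$logon  = $policy | Where-Object { $_.Subcategory -eq 'Logon' }

if ($logon -and $logon.'Inclusion Setting' -match 'Failure') {
    Write-Host 'Logon failure auditing is enabled on this computer.'
} else {
    Write-Warning 'Logon failures are not being audited; check the Audit Policy GPO and gpresult.'
}

# 2. Failed logons (event 4625) in the last 24 hours, grouped by target account.
function Get-FailedLogonSummary {
    param([datetime]$Since = (Get-Date).AddDays(-1), [int]$Top = 10)

    $failed = Get-EventLog -LogName Security -After $Since -ErrorAction SilentlyContinue |
              Where-Object { $_.EventID -eq 4625 }
    if (-not $failed) { return @() }

    $failed |
        ForEach-Object {
            # Index 5 of the replacement strings is "Account Name" (the target user)
            # for event 4625; assumption based on the event's message template.
            $_.ReplacementStrings[5]
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object -First $Top Name, Count
}

$summary = Get-FailedLogonSummary
if ($summary.Count -eq 0) {
    Write-Host 'No failed logons (event 4625) recorded in the last 24 hours.'
} else {
    Write-Host 'Accounts with the most failed logons in the last 24 hours:'
    $summary | Format-Table -AutoSize
}
```

A run that reports auditing as enabled but returns no 4625 events on a busy domain controller is itself a finding worth checking (log size, retention setting, or a more specific GPO overriding the subcategory), which is the kind of verification the troubleshooting topic in this lesson has in mind.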

Additional Reading
What Is Auditing?
For more information on auditing, see Auditing overview.

What Is an Audit Policy?


For more information on auditing, see Auditing overview.

Types of Events to Audit


For more information on auditing, see Auditing overview.

Troubleshooting Audit Policy


For more information on auditing, see Auditing security events best practices.

Lesson 4

Overview of Windows Server Update Services


Contents:
Questions and Answers 12
Detailed Demo Steps 14
Additional Reading 15

Questions and Answers


What Is Windows Server Update Services?
Question: Do you currently use WSUS services in your organization? If so, how would the improvements to WSUS 3.0 affect how you use WSUS? If not, how would implementing WSUS benefit your organization? Answer: Your answers will vary based on your organization.

Obtaining Updates
Question: Describe a scenario where an organization would have an isolated network. Answer: If you have a network segment that is not connected to the Internet. In this example, you create a WSUS server that is connected to the Internet but isolated from the intranet. After you download updates to this server, you can hand-carry media to disconnected servers running WSUS, by exporting and importing updates. Another scenario is when organizations have high-cost or low-bandwidth links to the Internet. Downloading enough updates for all Microsoft products throughout an organization can be bandwidth-intensive, and importing and exporting updates enables organizations to download updates once and distribute by using inexpensive media.

Windows Server Update Services Process


Question: You need to determine which types of updates to synchronize from Microsoft Update and when to synchronize them. In which phase of the WSUS process would this planning occur? Answer: Identify

WSUS Deployment Considerations


Question: In your organization, would you use more than one WSUS server? If so, would you link your WSUS servers together using autonomous mode or replica mode? Answer: Students' answers will vary depending on their organization and network restrictions.

Server Requirements for WSUS


Question: Does your organization meet the software requirements for WSUS? Answer: Answers will vary based on your organization.

Installing WSUS
Question: Would you install the WSUS administration console on the same server as the WSUS server in your organization? Answer: Students' answers will vary based on their organizations.

WSUS Group Policy Settings


Question: What is the risk in allowing users of desktop computers to delay restarts that updates require? Answer: Updates may never be applied if users continually delay restarts, and the computer may still be at risk.

Automatic Updates Configuration


Question: Which method of client configuration would you use in your environment? Answer: This answer will depend on whether you have an Active Directory environment. If you do have Active Directory, you will use Group Policy. If you have a non-Active Directory environment, you will use the registry editor for client configuration.
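For the non-Active Directory case the answer above points at the registry editor. The script below is an added example, not part of the course content, that writes the same policy values on a workgroup computer that the Windows Update Group Policy settings would write on a domain member, then reads them back for verification. The WSUS URL is a placeholder; the script assumes Windows PowerShell 2.0 or later running elevated.

```powershell
# Added example (not course content): configure Automatic Updates on a workgroup
# (non-domain) computer to use an intranet WSUS server by setting the policy
# registry values directly. The WSUS URL is a placeholder; 8530 is the default
# WSUS 3.0 HTTP port. Run from an elevated PowerShell session.
param(
    [string]$WsusUrl = 'http://wsus.woodgrovebank.com:8530'   # placeholder WSUS server URL
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'
foreach ($key in $wuKey, $auKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Where the client gets updates and where it reports status (usually the same server).
Set-ItemProperty -Path $wuKey -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $WsusUrl -Type String

# Use the intranet server instead of Microsoft Update.
Set-ItemProperty -Path $auKey -Name UseWUServer -Value 1 -Type DWord

# AUOptions: 2 = notify before download, 3 = download and notify before install,
# 4 = download and schedule the install, 5 = let the local admin choose.
Set-ItemProperty -Path $auKey -Name AUOptions -Value 4 -Type DWord

# ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday.
# ScheduledInstallTime: hour of day, 0-23.
Set-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value 3 -Type DWord

# 0 = restart even when a user is logged on. Setting this to 1 is what lets users
# defer restarts indefinitely, the risk the question on delayed restarts describes.
Set-ItemProperty -Path $auKey -Name NoAutoRebootWithLoggedOnUsers -Value 0 -Type DWord

# Read everything back so the change can be verified (and captured for a build sheet).
function Get-AutomaticUpdatesConfig {
    $wu = Get-ItemProperty -Path $wuKey
    $au = Get-ItemProperty -Path $auKey
    New-Object PSObject -Property @{
        WUServer                      = $wu.WUServer
        WUStatusServer                = $wu.WUStatusServer
        UseWUServer                   = $au.UseWUServer
        AUOptions                     = $au.AUOptions
        ScheduledInstallDay           = $au.ScheduledInstallDay
        ScheduledInstallTime          = $au.ScheduledInstallTime
        NoAutoRebootWithLoggedOnUsers = $au.NoAutoRebootWithLoggedOnUsers
    }
}
Get-AutomaticUpdatesConfig | Format-List

# Ask the Automatic Updates client to run detection against the new server now.
& wuauclt.exe /detectnow
```

The same values are what you would see in the registry on a domain member after the Configure Automatic Updates GPO from the demonstration has applied, which makes this a convenient way to compare a workgroup machine against the domain standard.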

Demonstration: Configuring WSUS


Question: Would you enable the Delay Restart for scheduled installations policy in your organization? Why or why not?
Answer: Students' answers will vary based on their organizations. You might not want to enable this policy to ensure that all computers get updated right away. You might enable this policy so users have a chance to save their files before the computer restarts.

Detailed Demo Steps


Demonstration: Configuring WSUS
Configure Automatic Update client settings using Group Policy
1. Open Group Policy Management.
2. Create a new GPO in the WoodgroveBank.com domain.
3. Edit the GPO.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
5. Enable Configure Automatic Updates.

Additional Reading
What Is Windows Server Update Services?
For more information on the following, see the links.
Microsoft Windows Server Update Services 3.0 Overview
New in Windows Server Update Services 3.0

Obtaining Updates
For more information on the following, see the links.
Determine Bandwidth Options to Use
Choose a Type of WSUS Deployment

Windows Server Update Services Process


For more information on Microsoft Windows Server Update Services 3.0, see Microsoft Windows Server Update Services 3.0 Overview.

WSUS Deployment Considerations


For more information about WSUS requirements and considerations, see Deploying Microsoft Windows Server Update Services 3.0.

Server Requirements for WSUS


For more information on Deploying Microsoft Windows Server Update Services 3.0, see Deploying Microsoft Windows Server Update Services 3.0.

Installing WSUS
For more information on the following, see the links.
Run WSUS 3.0 Server Setup
Install the WSUS 3.0 Administration Console

WSUS Group Policy Settings


For more information on the following, see the links.
Configure Automatic Updates by Using Group Policy
Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy

Automatic Updates Configuration


For more information on Deploying Microsoft Windows Server Update Services 3.0, see Deploying Microsoft Windows Server Update Services 3.0.

Lesson 5

Managing WSUS
Contents:
Questions and Answers 17
Detailed Demo Steps 19
Additional Reading 20

Questions and Answers


WSUS Administration
Question: Explain why having an MMC console for WSUS makes administration easier.
Answer: An MMC console is integrated with the operating system. The new user interface provides the following features:
- Home pages at each node containing an overview of the tasks associated with the node
- Advanced filtering
- New columns allowing you to sort updates according to MSRC number, MSRC severity, KB article, and installation status
- Column selection, sorting, and reordering
- Shortcut menus, allowing you to right-click and choose an action
- Reporting integrated with update views
- Custom views

These features make it easier to manage WSUS and save administrator time.

Managing Computer Groups


Question: Describe a benefit of using computer groups in WSUS for deploying updates. Answer: WSUS allows you to target updates to groups of client computers, so you can ensure that specific computers always get the right updates at the most convenient times. For example, if all the computers in one department (such as the Accounting team) have a specific configuration, you can set up a group for that team, decide which updates their computers need and what time they should be installed, and then use WSUS reports to evaluate the updates for the team.

Approving Updates
Question: Would you choose automatic approval of updates in your organization when automatic approval is available? Explain your reason. Answer: Answers will vary. You may want to consider administrator time versus administrator control over updates.

Demonstration: Managing WSUS


Question: How do you install an update immediately? Answer: If you want to install an update immediately, you can specify a deadline at the current time or in the past.

Server Core Security Updates


Question: Do any other management tasks for Server Core differ from the standard full server implementation? Answer: Yes, many management tasks can be different for a Server Core installation. Tasks that are performed at the server are typically based on the command line, although remote management may also use Remote Desktop or Microsoft Management Console (MMC) tools.

Detailed Demo Steps


Demonstration: Managing WSUS
Perform these steps:
1. Add a computer to the WSUS console.
2. Approve an update to be applied to the computer.

Additional Reading
WSUS Administration
For more information on the following, see the links.
Client Behavior with Update Deadlines
Managing WSUS 3.0 from the Command Line

Managing Computer Groups


For more information, see Release Notes for Microsoft Windows Server Update Services 3.0.

Approving Updates
For more information on the following, see the links.
Managing Windows Server Update Services 3.0
Best Practices with Windows Server Update Services 3.0

Demonstration: Managing WSUS


For more information on the following, see the links.
Create the Computer Groups
Approve WSUS 3.0 Updates

Module Reviews and Takeaways


Review Questions
1. Question: Start this topic by asking students what they think are the consequences of not addressing security within their network environment.
Answer: Examples include virus attacks and theft of information.

2. Question: Discuss challenges related to implementing and managing secure configuration of servers.
Answer: Discuss how organizations typically find it challenging to implement and manage secure configurations, often for servers that perform more than one role. It typically has been difficult to determine and manage required services, which ports need to be open, and who needs access to servers. (Related Technologies: Security Configuration Wizard, Group Policy, Security Templates)

3. Question: Discuss challenges related to protecting against malicious software threats and intrusions.
Answer: Discuss how organizations need to determine the most effective way to ensure that their environment is protected from software threats that result from an inadequate update-management process. Organizations also tend to protect a network's perimeter, without giving any thought to protecting specific servers or segments within their network environment. (Related Technologies: Windows Server Update Services [WSUS], Network Access Protection [NAP], Internet Protocol security [IPsec], Windows Firewall)

4. Question: Discuss challenges implementing effective identity and access control.
Answer: Organizations may require more effective methods to identify and control who is logging on and accessing resources.

5. Question: What is the most important part of the defense-in-depth security model?
Answer: All parts are equally important. This model identifies seven levels of security defenses that are designed to ensure that attempts to compromise the security of an organization will be met by a robust set of defenses at each level.

6. Question: Does your company have a detailed "build sheet" for all new installations that occur on new hardware? What can you do to lessen the attack footprint on your infrastructure?
Answer: This will depend on the students' individual organization. Students can implement any of the core server security practices that are not currently employed in their organization.

7. Question: List three reasons that you may want to audit certain areas of a system or a particular shared resource.
Answer: Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.

8. Question: Provide an example of why you would want to log successful events and failure events, as opposed to only failure events.
Answer: The Security log records an audit event whenever users perform certain specified actions. For example, the modification of a file or a policy can trigger an event that shows the action that was performed, the associated user account, and the date and time of the action. These events can be both successful and failed attempts to perform actions. Logging the successful events can be important to identify security breaches.

9. Question: What categories of events does your company presently audit? If your company is not auditing, what event categories would you like to see audited in your organization?
Answer: Students' answers will vary based on their organization.
10. Question: How often do you think you should check the security log to ensure auditing is happening correctly?
Answer: This depends on your organization and your auditing settings.
11. Question: What is the default auditing policy setting for domain controllers? What is the benefit of having this setting as the default setting for domain controllers?
Answer: The default auditing policy setting for domain controllers is No Auditing. This means that even if auditing is enabled in the domain, the domain controllers do not inherit the auditing policy locally. If you want the domain auditing policy to apply to domain controllers, you must modify this policy setting. The No Auditing setting makes the domain controller more secure by default.
12. Question: Do you currently use WSUS services in your organization? If so, how would the improvements in WSUS 3.0 affect how you use WSUS? If not, how would implementing WSUS benefit your organization?
Answer: Students' answers will vary based on their organizations.
13. Question: Describe a scenario where an organization would have an isolated network.
Answer: A network segment that is not connected to the Internet. In this example, you create a WSUS server that is connected to the Internet but isolated from the intranet. After you download updates to this server, you can hand-carry media to the disconnected servers running WSUS by exporting and importing the updates.
14. Question: You need to determine which types of updates to synchronize from Microsoft Update and when to synchronize them. In which phase of the WSUS process would this planning occur?
Answer: Identify
15. Question: In your organization, would you use more than one WSUS server? If so, would you link your WSUS servers together using autonomous mode or replica mode?
Answer: Students' answers will vary depending on their organization and network restrictions.
16. Question: Does your organization meet the software requirements for WSUS?
Answer: Students' answers will vary based on their organizations.
17. Question: Would you install the WSUS administration console on the same server as the WSUS server in your organization?
Answer: Students' answers will vary based on their organizations.
18. Question: What is the risk in allowing users of desktop computers to delay restarts that updates require?
Answer: Updates may never be applied if users continually delay restarts, and the computer may remain at risk.
19. Question: Which method of client configuration would you use in your environment?
Answer: This answer will depend on whether the student has an Active Directory environment. If the student does have Active Directory, he/she will use Group Policy. If the student has a non-Active Directory environment, he/she will use the registry editor for client configuration.
20. Question: Would you enable the Delay Restart for scheduled installations policy in your organization? Why or why not?
Answer: Students' answers will vary based on their organizations. You might not want to enable this policy, to ensure that all computers get updated right away. You might enable this policy so that users have a chance to save their files before the computer restarts.
21. Question: Explain why having an MMC console for WSUS makes administration easier.
Answer: An MMC console is integrated with the operating system. The new user interface provides the following features:
- Home pages at each node containing an overview of the tasks associated with the node
- Advanced filtering
- New columns allowing you to sort updates according to MSRC number, MSRC severity, KB article, and installation status
- Column selection, sorting, and reordering
- Shortcut menus, allowing you to right-click and choose an action
- Reporting integrated with update views
- Custom views
These features make it easier to manage WSUS and save administrator time.
22. Question: Describe a benefit of using computer groups in WSUS for deploying updates.
Answer: WSUS allows you to target updates to groups of client computers, so you can ensure that specific computers always get the right updates at the most convenient times. For example, if all the computers in one department (such as the Accounting team) have a specific configuration, you can set up a group for that team, decide which updates their computers need and what time they should be installed, and then use WSUS reports to evaluate the updates for the team.
23. Question: Would you choose automatic approval of updates in your organization when automatic approval is available? Explain your reason.
Answer: Students' answers will vary. You may want to consider administrator time versus administrator control over updates.
24. Question: How do you install an update immediately?
Answer: If you want to install an update immediately, you can specify a deadline at the current time or in the past.
25. Question: Do any other management tasks for Server Core differ from the standard full server implementation?
Answer: Yes, many management tasks can be different for a Server Core installation. Tasks that are performed at the server are typically based on the command line, although remote management may also use Remote Desktop or Microsoft Management Console (MMC) tools.
26. Question: What kind of challenges that would affect security might a small to medium-sized business experience that a larger enterprise would not?
Answer: Expertise in specific departments may be lacking; servers might host a multitude of roles; there may not be enough individuals available to implement and manage a more robust solution; and there may be a lack of funds for hardware and, in some cases, for physical security.
27. Question: If you decide to put an audit policy in place, how should you configure the security log properties in Event Viewer?
Answer: You should ensure that there is adequate space for generated events, configure the log not to overwrite events, and specify an interval at which administrators should save and clear the log for reference or legal reasons.
28. Question: What must an administrator do before any update is sent to clients and servers via WSUS?
Answer: Configure automatic approval of certain types of updates, or manually specify that the update is approved for installation.
29. Question: What is the reason for setting a deadline for automatic installation to a past date?
Answer: The update would be applied immediately at the next interval when the computer contacts the WSUS server.
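The security log settings in the answer to question 27 (adequate space, no overwriting, and a scheduled save-and-clear) can be applied from an elevated command prompt with wevtutil, and the audit policy listing at the start relates to questions 9 to 11. The following batch script is an added example and is not part of the course material; the 256 MB maximum size and the D:\SecLogArchive folder are assumed values chosen for illustration and should be replaced by the organization's own retention figures.

```batch
@echo off
rem Added example, not part of the course material: apply the security-log settings
rem from the answer to question 27 with wevtutil, then archive and clear the log at
rem the interval the organization has agreed on. Run from an elevated command prompt.
rem Assumed values (not on the page): a 256 MB maximum size and D:\SecLogArchive.
setlocal
set "LOGSIZE=268435456"
set "ARCHIVE=D:\SecLogArchive"

rem Context for questions 9 to 11: list which categories are currently audited.
auditpol /get /category:*

rem 1. Adequate space for generated events: raise the maximum log size (bytes).
wevtutil sl Security /ms:%LOGSIZE%

rem 2. Do not overwrite events: keep the log when it is full (retention on) and do
rem    not let the service auto-archive it, so administrators clear it deliberately.
rem    With these settings new events are discarded once the log fills up, which is
rem    why the archive-and-clear step below must actually run on schedule.
wevtutil sl Security /rt:true /ab:false

rem 3. Record the resulting configuration for the change record.
wevtutil gl Security

rem 4. Archive-and-clear step, scheduled at the agreed interval: wevtutil cl writes
rem    the backup named by /bu before it clears the log, so no events are lost
rem    between the save and the clear.
if not exist "%ARCHIVE%" mkdir "%ARCHIVE%"
for /f "skip=1 tokens=1" %%d in ('wmic os get localdatetime') do (
    if not defined STAMP set "STAMP=%%d"
)
rem wmic returns yyyymmddhhmmss.ffffff+zzz; keep the first 14 characters.
set "STAMP=%STAMP:~0,14%"
wevtutil cl Security /bu:"%ARCHIVE%\Security-%STAMP%.evtx"
endlocal
```

Steps 1 to 3 are run once when the audit policy is introduced; step 4 is the part to put in a scheduled task, because a log configured not to overwrite stops recording once it is full.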

Configuring Server Security Compliance


Lab Review Questions and Answers


1. Question: After installing the WSUS server software, a wizard appears to help you with the configuration of WSUS properties. How can you change any incorrectly assigned properties after the wizard has been completed? Answer: You can use the WSUS administration console, and select Options in the list pane. You then can change individual properties or choose to run the wizard again to reconfigure the WSUS installation.

Module 10

Configuring and Managing Storage Technologies


Contents:
Lesson 1: Windows Server 2008 Storage Management Overview 2
Lesson 2: Managing Storage Using File Server Resource Manager 4
Lesson 3: Configuring Quota Management 9
Lesson 4: Implementing File Screening 13
Lesson 5: Managing Storage Reports 17
Lesson 6: Understanding Storage Area Networks 20
Module Reviews and Takeaways 23
Lab Review Questions and Answers 28

Lesson 1

Windows Server 2008 Storage Management Overview


Contents:
Questions and Answers 3

Questions and Answers


Common Capacity Management Challenges
Question: What capacity management challenges do you face in your work environment? Answer: Answers may vary. This question should provide students an opportunity to reflect on and discuss the capacity management challenges that are relevant to them.

Common Storage Management Challenges


Question: What are some of the storage challenges in your organization? Answer: Answers will vary based on the different applications that each student's company uses.

Addressing Capacity and Storage Management Challenges


Question: In your work environment, what tools and strategies are currently used to address capacity and storage management challenges? Answer: Answers may vary. This question should provide students an opportunity to reflect on and discuss the current approaches used in their work environment.

Capacity Management Solutions


Question: How do you currently address these capacity management challenges in your work environment? Answer: Answers may vary. This question should provide students an opportunity to reflect on and discuss how they currently manage capacity.

Storage Management Solutions


Question: How do you currently address these storage management challenges in your work environment? Answer: Answers may vary. This question should provide students an opportunity to reflect on and discuss how they currently manage storage.

What Is File Server Resource Manager?


Question: Do you currently use FSRM in your work environment? Answer: Answers may vary.

Lesson 2

Managing Storage Using File Server Resource Manager

Contents:
Questions and Answers 5
Detailed Demo Steps 7
Additional Reading 8

Questions and Answers


FSRM Functions
Question: Describe two scenarios where one or more FSRM features could be used in your work environment. Answer: Answers may vary. An example of a possible answer is: The IT department wants to prevent users from saving personal media files on corporate servers and plans to use file screens to prevent this type of access. The R&D department generates large data models and needs to periodically review storage usage to identify data for archiving.

Demonstration: Installing the FSRM Role Service


Question: Will you install the FSRM role service on all servers in your organization?
Answer: Answers may vary. Most scenarios will not require the FSRM role on all servers.
Question: How would you access the FSRM console from a workstation?
Answer: Using Remote Desktop for Administration would be one possible method for accessing the FSRM console remotely.

FSRM Console Components


Question: Describe a scenario in which you would use each FSRM console component. Answer: Answers may vary. A possible answer might be: I would use the Quota Management component when trying to keep users in Engineering from storing an excessive number of large models on their file server. I would use File Screening Management when configuring things so that admin staff do not store personal data on the server. And I would use storage reports during weekly server maintenance to make sure storage usage is within bounds and I would also use these reports less frequently when planning storage capacity expansion.

FSRM Configuration Options


Question: In your work environment, are there currently server storage policies in place? If so, how will you use the FSRM configuration options to enforce these policies? Answer: Answers may vary. This question should provide students an opportunity to make hypothetical planning decisions about which FSRM configuration options they are likely to use in their work environment.

Demonstration: Configuring FSRM Options


Question: In your work environment, how do you plan to integrate email notifications for quota violations? Answer: Answers may vary. This question should provide students an opportunity to reflect on how they can implement email notifications in their work environment.

Question: In your work environment, what notification threshold provides enough advance warning to users that they are approaching a quota threshold? Answer: Answers may vary. In general, students should identify the relationship between storage usage habits and the notification threshold. You would typically use a smaller percentage with faster growth levels of storage utilization.

Detailed Demo Steps


Demonstration: Installing the FSRM Role Service
For this demonstration, perform the following tasks:
1. Start the NYC-SVR1 virtual machine. Log in as NYC-SVR1\administrator with the password Pa$$w0rd.
2. Show how to install the File Server Resource Manager role service:
   1. On NYC-SVR1, use the Server Manager console to start the Add Role Services Wizard to add a new role service to the File Server role.
   2. Install the File Server Resource Manager role service by selecting File Server Resource Manager.
3. Show how to configure the monitored volume during installation:
   1. Choose to monitor drive E:, and accept the default location for storage reports.
   2. Open the FSRM console by clicking Start, Administrative Tools, and then File Server Resource Manager.
4. In the console tree, point out the following nodes: Quota Management, File Screening Management, and Storage Reports Management.

Demonstration: Configuring FSRM Options


For this demonstration, perform the following tasks:
1. Start the NYC-SVR1 virtual machine. Log in as NYC-SVR1\administrator with the password Pa$$w0rd.
2. Click Start, Administrative Tools, and then click File Server Resource Manager.
3. Configure e-mail notifications:
   1. In the FSRM console tree, expand Quota Management and click Quotas.
   2. In the details pane, right-click the existing quota and click Edit Quota Properties.
   3. In the Notification thresholds section, click Warning (85%) and then click Edit.
   4. Explain the options on the E-mail Message tab.
4. Demonstrate the storage report parameters and the default report repository locations:
   1. In the FSRM console tree, right-click File Server Resource Manager (Local) and then click Configure Options.
   2. In the File Server Resource Manager Options dialog box, click the Report Locations tab.
   3. Point out to students the default report locations and the options for modifying these locations.
   4. Click the Storage Reports tab.
   5. Under Reports, click Large Files and then click Edit Parameters.
   6. Show students how this parameter can be modified.

Additional Reading
FSRM Functions
For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

FSRM Console Components


For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

FSRM Configuration Options


For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

Lesson 3

Configuring Quota Management


Contents:
Questions and Answers 10
Detailed Demo Steps 11
Additional Reading 12

Questions and Answers


What Is Quota Management?
Question: In your work environment, which notification method do you plan to use? Answer: Answers may vary. This question should provide students an opportunity to reflect on which notification method is most appropriate for their work environment.

FSRM Quotas vs. NTFS Disk Quotas


Question: Are there any instances when you would use NTFS disk quotas instead of FSRM quotas? Answer: Answers may vary, but in general if the more advanced features provided by FSRM quotas are not required, then NTFS disk quotas would be used.

What Are Quota Templates?


Question: Based on your work environment specifics, what quota templates do you plan to create? Answer: Answers may vary. This question should provide students an opportunity to reflect on how quota templates can be applied in their work environment.

Creating and Modifying a Quota


Question: In what scenario would you use the command-line Dirquota tool? Answer: Answers may vary, but in general this utility would be more useful when scripting quota modifications.

Monitoring Quota Usage


Question: In your work environment, which quota usage monitoring method will be most helpful? Answer: Answers may vary. Good answers will demonstrate an understanding of how quota usage monitoring methods map to specific requirements in the students' work environment.

Demonstration: How to Create and Manage Quotas


Question: What quota notifications do you plan to implement in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on how they will implement quota notifications in their work environment.
Question: What quota templates do you plan to implement in your environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on how they will implement quota templates in their work environment.

Detailed Demo Steps


Demonstration: How to Create and Manage Quotas
For this demonstration, perform the following tasks:
1. Start the NYC-SVR1 virtual machine. Log in as NYC-SVR1\administrator with the password Pa$$w0rd.
2. Click Start, Administrative Tools, and then click File Server Resource Manager.
3. Create a new quota template:
   1. In the FSRM console tree, expand Quota Management and then click Quota Templates.
   2. Right-click Quota Templates and select Create Quota Template.
   3. In the Template Name field, type Monitor E: for Large Files
   4. In the Limit field, type 1.
   5. In the drop-down box to the right of the Limit field, select GB.
   6. Click Add.
   7. On the E-mail Message tab, select both check boxes, and then click the Event Log tab.
   8. Select Send warning to event log, and then click OK.
   9. Dismiss the warning about SMTP server configuration. If students are interested, show them after this demonstration how to configure the SMTP server used for sending notifications by setting File Server Resource Manager Options.
4. Create a new quota based on the quota template:
   1. In the details pane, right-click Monitor E: for Large Files and then click Create Quota from Template.
   2. In the Quota path field, type E:\
   3. Click Create.
5. Generate a quota notification:
   1. Click Start, and then click Command Prompt.
   2. Type e: and then press ENTER.
   3. Type cd \ and then press ENTER.
   4. Type fsutil file createnew largefile.txt 1300000000 and then press ENTER.
   5. Click Start, click Administrative Tools, and then click Event Viewer.
   6. Expand Windows Logs, and then click Application.
   7. Note the event with Event ID 12325.

Additional Reading
What Is Quota Management?
For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

FSRM Quotas vs. NTFS Disk Quotas


For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

What Are Quota Templates?


For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

Creating and Modifying a Quota


For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

Monitoring Quota Usage


For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

Lesson 4

Implementing File Screening


Contents:
Questions and Answers 14
Detailed Demo Steps 15
Additional Reading 16

Questions and Answers


What Is File Screening?
Question: In your work environment, are there any server usage policies that file screening could be used to enforce? Answer: Answers may vary. This question should provide students an opportunity to reflect on how they might implement file screening in their environment.

What Are File Groups?


Question: In your work environment, list two or three file groups you plan to create. Answer: Answers may vary. An example answer might be: One file group for word processor and spreadsheet documents. A second file group for restricted content like MP3 files. And a third file group for desktop database software files.

What Is a File Screen Exception?


Question: Describe two ways you plan to use file screen exceptions in your work environment. Answer: Answers may vary. An example of a possible answer would be: You might want to block video files from a file server, but you need to allow your training group to save the video files for their computer-based training. To allow files that other file screens are blocking, create a file screen exception.

What Is a File Screen Template?


Question: What file types do you plan to create file screen templates for in your work environment? Answer: Answers may vary. This question should provide students an opportunity to reflect on how they will implement file screen templates in their work environment.

Demonstration: Implementing File Screening


Question: How do you plan to implement file screens in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on the practical aspects of how they might implement file screens in their work environment.
Question: How do you plan to implement file screen exceptions in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on the practical aspects of how they might implement file screen exceptions in their work environment.

Detailed Demo Steps


Demonstration: Implementing File Screening
For this demonstration, perform the following tasks:
1. Start the NYC-SVR1 virtual machine. Log in as NYC-SVR1\administrator with the password Pa$$w0rd.
2. Click Start, Administrative Tools, and then click File Server Resource Manager.
3. Create a new file screen on the E:\ drive based on the Block Audio and Video Files default template:
   1. In the FSRM console tree, expand File Screening Management and then click File Screen Templates.
   2. In the details pane, right-click Block Audio and Video Files and then click Create File Screen from Template.
   3. In the File screen path field, type E:\ and then click OK.
4. Create a new custom file group and a file screen exception to allow Windows Media Player audio (WMA) files:
   1. In the FSRM console tree, right-click File Groups and then click Create File Group.
   2. In the File group name field, type WMA files
   3. In the Files to include field, type *.wma and then click Add.
   4. Click OK.
   5. In the FSRM console tree, right-click File Screens and then click Create File Screen Exception.
   6. In the Exception path field, type E:\Mod12
   7. In the Select file groups to exclude from screening box, select WMA files, and then click OK.
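The quota demonstration in Lesson 3 and the file screening demonstration above are both console procedures. The same configuration can be scripted with the command-line tools that the FSRM role service installs, dirquota.exe and filescrn.exe, which is the scripting case the "Creating and Modifying a Quota" answer mentions. The batch script below is an added example and is not part of the course material; it assumes an elevated command prompt on NYC-SVR1 with the FSRM role service installed, that E:\ and E:\Mod12 already exist, and it uses a soft quota so that the test file can be created without being blocked.

```batch
@echo off
rem Added example, not part of the course material: the quota and file-screen
rem demonstrations performed with dirquota.exe and filescrn.exe instead of the
rem FSRM console. Assumptions (not stated on the page): elevated command prompt
rem on NYC-SVR1, FSRM role service installed, E:\ and E:\Mod12 already exist.
setlocal

rem --- Quota: 1 GB template applied to E:\ --------------------------------------
rem /type:Soft matches the monitoring intent of the template name: usage above the
rem limit is reported and logged rather than blocked. Use /type:Hard to enforce it.
rem Threshold notifications (e-mail and event log) are left to the console in this
rem example; dirquota template add /? lists the command-line options for them.
dirquota template add /template:"Monitor E: for Large Files" /limit:1GB /type:Soft
dirquota quota add /path:E:\ /sourcetemplate:"Monitor E: for Large Files"

rem --- File screen: block audio/video on E:\, allow WMA under E:\Mod12 ---------
filescrn screen add /path:E:\ /sourcetemplate:"Block Audio and Video Files"
filescrn filegroup add /filegroup:"WMA files" /members:*.wma
filescrn exception add /path:E:\Mod12 /add-filegroup:"WMA files"

rem --- Verify the resulting configuration -------------------------------------
dirquota quota list /path:E:\
filescrn screen list
filescrn exception list

rem --- Exercise the controls ----------------------------------------------------
rem A 1.3 GB test file exceeds the 1 GB quota, as in the demonstration.
fsutil file createnew E:\largefile.txt 1300000000
rem An .mp3 in the screened path should be refused by the active screen, while a
rem .wma under the exception path should be allowed.
type NUL > E:\test.mp3
type NUL > E:\Mod12\test.wma

rem Most recent FSRM quota threshold events (Event ID 12325 in the demonstration);
rem these appear once the template's threshold has event-log notification enabled.
wevtutil qe Application /q:"*[System[(EventID=12325)]]" /c:3 /rd:true /f:text
endlocal
```

The two "type NUL" lines are the check a practitioner wants after deploying a screen: one write that the screen must block and one that the exception must allow, so a misconfigured path or file group shows up immediately rather than when a user reports it.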

Additional Reading
What Is File Screening?
For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

What Are File Groups?


For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

What Is a File Screen Exception?


For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

What Is a File Screen Template?


For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

Lesson 5

Managing Storage Reports


Contents:
Questions and Answers 18
Additional Reading 19

Questions and Answers


What Are Storage Reports?
Question: In your work environment, how do you currently obtain information about file usage on servers? Answer: Answers may vary. This question should provide students with an opportunity to reflect on their current storage reporting practices.

What Is a Report Task?


Question: In your work environment, how frequently will you schedule reports using report tasks? Answer: Answers may vary. In general, more frequently changing storage will need to be more closely monitored by having report tasks run more frequently.

Generating On-Demand Reports


Question: Under what circumstances do you plan to use on-demand reports? Answer: Answers may vary based on the specifics of students' work environments. Possible answers include: when attempting to determine why disk space is running low, when attempting to diagnose storage problems, or when planning for future storage allocation.

Additional Reading
What Are Storage Reports?
For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

What Is a Report Task?


For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

Generating On-Demand Reports


For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.

Lesson 6

Understanding Storage Area Networks

Contents:
Questions and Answers 21

Questions and Answers


What Is a Storage Area Network?
Question: In what way or ways do you currently use SAN storage in your work environment? Answer: Answers may vary. This question should simply provide students an opportunity to reflect on how SAN storage is or is not used in their work environment. This question should also provide an opportunity to discuss potential applications for SAN storage in students' work environments.

How Is a SAN Different from Direct Attached Storage?


Question: How does SAN storage simplify backups? Answer: By consolidating storage, SAN storage reduces the number of discrete locations that must be backed up and the number of backup agents that must be deployed and maintained.

What Is a Fibre Channel SAN?


Question: Is Fibre Channel storage in use in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on whether and how SAN storage is used in their work environment.

Example of a Basic Fibre Channel SAN Configuration


Question: Does the SAN configuration depicted above provide fault tolerance? Answer: No, it does not. If the two servers labeled Host were configured as a failover cluster there would be some fault tolerance, but the failure of the FC switch or of a controller in the disk array would produce a complete outage for the SAN.

Discussion: Designing Redundancy in a Fibre Channel SAN


Question: Which components should be redundant to obtain high availability?
Answer: Components that should be redundant include the HBAs, FC switches, and the controller on the disk array.
Question: How would you configure the connections between an HBA and a FC switch to ensure availability?
Answer: The HBA should be connected to dual FC switches to provide high availability in the event that one switch breaks down.
Question: How would you ensure that the path between the switch and the disk array is highly available?
Answer: Ensure that each switch is connected to multiple controllers on the disk array.

What Is iSCSI?
Question: In your work environment, is iSCSI implemented? If so, how has it been implemented?
Answer: Answers may vary. This question should provide students an opportunity to reflect on how iSCSI has been implemented in their work environment or, if it has not been implemented, how it could be implemented.

What Is the Microsoft iSCSI Software Initiator?


Question: Describe at least one scenario where you would implement the Microsoft iSCSI software initiator. Answer: Answers may vary based on the specifics of students' work environments. A possible answer would be: I want to migrate my Exchange Server message store to a SAN to increase scalability, so I plan to implement the Microsoft iSCSI software initiator to provide this access.

Example of a Basic iSCSI SAN Configuration


Question: In the scenario depicted above, can either of the client computers access the iSCSI storage?
Answer: They can be configured with an iSCSI initiator and thereby access the iSCSI target. This configuration is less common.

What is Storage Manager for SANs?


Question: What approach does your organization currently use to manage SAN storage that is connected to Windows servers? Answer: Answers may vary. This question should provide students with an opportunity to reflect on their organization's current SAN management tools and how Storage Manager for SANs could be used as a tool for SAN management.

Troubleshooting SAN Storage


Question: Have you faced any SAN troubleshooting scenarios in your work environment? If so, how did you approach them? Answer: Answers may vary. This question should provide students an opportunity to further reflect on the troubleshooting guidance in this topic.

Module Reviews and Takeaways


Review Questions
1. Question: What capacity management challenges do you face in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on and discuss the capacity management challenges that are relevant to them.
2. Question: What are some of the storage challenges in your organization?
Answer: Answers will vary based on the different applications that each student's company uses.
3. Question: In your work environment, what tools and strategies are currently used to address capacity and storage management challenges?
Answer: Answers may vary. This question should provide students an opportunity to reflect on and discuss the current approaches used in their work environment.
4. Question: How do you currently address these capacity management challenges in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on and discuss how they currently manage capacity.
5. Question: How do you currently address these storage management challenges in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on and discuss how they currently manage storage.
6. Question: Do you currently use FSRM in your work environment?
Answer: Answers may vary.
7. Question: Why would EFS be used to encrypt data in addition to using NTFS permissions?
Answer: When a hard drive is stolen, NTFS permissions are easy to overcome by placing the hard drive in another computer. The administrator of the other computer can take ownership of the files and gain access to them. EFS can also be used by individual users to help secure a file on a share that can be accessed by other users.
8. Question: In what scenario would BitLocker be useful on a server?
Answer: There are many scenarios. However, one scenario is during server moves to a new location. Servers are at a higher risk of being stolen when they are moved from one location to another after a company merger or the creation of a branch office. BitLocker helps to protect the data on disk from being accessed if the server is stolen.
9. Question: Describe two scenarios where one or more FSRM features could be used in your work environment.
Answer: Answers may vary. An example of a possible answer is: The IT department wants to prevent users from saving personal media files on corporate servers and plans to use file screens to prevent this type of access. The R&D department generates large data models and needs to periodically review storage usage to identify data for archiving.
10. Question: Will you install the FSRM role service on all servers in your organization?
Answer: Answers may vary. Most scenarios will not require the FSRM role on all servers.
11. Question: How would you access the FSRM console from a workstation?
Answer: Using Remote Desktop for Administration would be one possible method for accessing the FSRM console remotely.


12. Question: Describe a scenario in which you would use each FSRM console component.
Answer: Answers may vary. A possible answer might be: I would use the Quota Management component when trying to keep users in Engineering from storing an excessive number of large models on their file server. I would use File Screening Management when configuring things so that admin staff do not store personal data on the server. And I would use storage reports during weekly server maintenance to make sure storage usage is within bounds, and I would also use these reports less frequently when planning storage capacity expansion.

13. Question: In your work environment, are there currently server storage policies in place? If so, how will you use the FSRM configuration options to enforce these policies?
Answer: Answers may vary. This question should provide students an opportunity to make hypothetical planning decisions about which FSRM configuration options they are likely to use in their work environment.

14. Question: In your work environment, how do you plan to integrate e-mail notifications for quota violations?
Answer: Answers may vary. This question should provide students an opportunity to reflect on how they can implement e-mail notifications in their work environment.

15. Question: In your work environment, what notification threshold provides enough advance warning to users that they are approaching a quota threshold?
Answer: Answers may vary. In general, students should identify the relationship between storage usage habits and the notification threshold. You would typically use a smaller percentage with faster growth levels of storage utilization.

16. Question: In your work environment, which notification method do you plan to use?
Answer: Answers may vary. This question should provide students an opportunity to reflect on which notification method is most appropriate for their work environment.

17. Question: Are there any instances when you would use NTFS disk quotas instead of FSRM quotas?
Answer: Answers may vary, but in general, if the more advanced features provided by FSRM quotas are not required, then NTFS disk quotas would be used.

18. Question: Based on your work environment specifics, what quota templates do you plan to create?
Answer: Answers may vary. This question should provide students an opportunity to reflect on how quota templates can be applied in their work environment.

19. Question: In what scenario would you use the command-line Dirquota tool?
Answer: Answers may vary, but in general this utility would be more useful when scripting quota modifications.

20. Question: In your work environment, which quota usage monitoring method will be most helpful?
Answer: Answers may vary. Good answers will demonstrate an understanding of how quota usage monitoring methods map to specific requirements in the students' work environment.

21. Question: What quota notifications do you plan to implement in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on how they will implement quota notifications in their work environment.

22. Question: What quota templates do you plan to implement in your environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on how they will implement quota templates in their work environment.

Configuring and Managing Storage Technologies

10-25

23. Question: In your work environment, are there any server usage policies that file screening could be used to enforce?
Answer: Answers may vary. This question should provide students an opportunity to reflect on how they might implement file screening in their environment.

24. Question: In your work environment, list two or three file groups you plan to create.
Answer: Answers may vary. An example answer might be: One file group for word processor and spreadsheet documents, a second file group for restricted content like MP3 files, and a third file group for desktop database software files.

25. Question: Describe two ways you plan to use file screen exceptions in your work environment.
Answer: Answers may vary. An example of a possible answer would be: You might want to block video files from a file server, but you need to allow your training group to save the video files for their computer-based training. To allow files that other file screens are blocking, create a file screen exception.

26. Question: What file types do you plan to create file screen templates for in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on how they will implement file screen templates in their work environment.

27. Question: How do you plan to implement file screens in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on the practical aspects of how they might implement file screens in their work environment.

28. Question: How do you plan to implement file screen exceptions in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on the practical aspects of how they might implement file screen exceptions in their work environment.

29. Question: In your work environment, how do you currently obtain information about file usage on servers?
Answer: Answers may vary. This question should provide students with an opportunity to reflect on their current storage reporting practices.

30. Question: In your work environment, how frequently will you schedule reports using report tasks?
Answer: Answers may vary. In general, more frequently changing storage will need to be more closely monitored by having report tasks run more frequently.

31. Question: Under what circumstances do you plan to use on-demand reports?
Answer: Answers may vary based on the specifics of students' work environments. Possible answers include: when attempting to determine why disk space is running low, when attempting to diagnose storage problems, or when planning for future storage allocation.

32. Question: In what way or ways do you currently use SAN storage in your work environment?
Answer: Answers may vary. This question should simply provide students an opportunity to reflect on how SAN storage is or is not used in their work environment. This question should also provide an opportunity to discuss potential applications for SAN storage in students' work environments.

33. Question: How does SAN storage simplify backups?
Answer: By consolidating storage, SAN storage reduces the number of discrete locations that must be backed up and the number of backup agents that must be deployed and maintained.


34. Question: Is Fibre Channel storage in use in your work environment?
Answer: Answers may vary. This question should provide students an opportunity to reflect on whether and how SAN storage is used in their work environment.

35. Question: Does the SAN configuration depicted above provide fault-tolerance?
Answer: No, it does not. If the two servers labeled Host were configured as a failover cluster there would be some fault-tolerance, but the failure of the FC switch or a controller in the disk array would produce a complete outage for the SAN.

36. Question: What approach does your organization currently use to manage SAN storage that is connected to Windows Servers?
Answer: Answers may vary. This question should provide students with an opportunity to reflect on their organization's current SAN management tools and how Storage Manager for SANs could be used as a tool for SAN management.

37. Question: Which components should be redundant to obtain high availability?
Answer: Components that should be redundant include the HBAs, FC switches, and the controller on the disk array.

38. Question: How would you configure the connections between an HBA and an FC switch to ensure availability?
Answer: The HBA should be connected to dual FC switches to provide high availability in the event that one switch breaks down.

39. Question: How would you ensure that the path between the switch and the disk array is highly available?
Answer: Ensure that each switch is connected to multiple controllers on the disk array.

40. Question: In your work environment, is iSCSI implemented? If so, how has it been implemented?
Answer: Answers may vary. This question should provide students an opportunity to reflect on how iSCSI has been implemented in their work environment, or, if it has not been implemented, how it could be implemented.

41. Question: Describe at least one scenario where you would implement the Microsoft iSCSI software initiator.
Answer: Answers may vary based on the specifics of students' work environments. A possible answer would be: I want to migrate my Exchange Server message store to a SAN to increase scalability, so I plan to implement the Microsoft iSCSI software initiator to provide this access.

42. Question: In the scenario depicted above, can either of the client computers access the iSCSI storage?
Answer: They can be configured with an iSCSI initiator and thereby access the iSCSI target. This configuration is less common.

43. Question: Have you faced any SAN troubleshooting scenarios in your work environment? If so, how did you approach them?
Answer: Answers may vary. This question should provide students an opportunity to further reflect on the troubleshooting guidance in this topic.

44. Question: Have you faced any EFS troubleshooting scenarios in your work environment? If so, how did you approach them?
Answer: Answers may vary. This question should provide students an opportunity to further reflect on the troubleshooting guidance in this topic.


45. Question: What is the difference between hard and soft quotas?
Answer: A hard quota enforces the configured quota and does not allow the user to exceed it. A soft quota allows the user to exceed the quota and follows its configured notification routine.

46. Question: When a common set of file types need to be blocked, what should you create to block them in the most efficient manner?
Answer: You should create file groups where you can specify a common set of files to be filtered when the group is selected in a File Screening policy.

47. Question: If you want to apply a quota to all subfolders in a folder, including folders that will be created in the future, what option must you configure in the quota policy?
Answer: The auto quota option must be enabled. This will cause the quota to be applied to folders when they are created.
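The following script is an added example and is not part of the course material. It carries out, with the Windows Server 2008 FSRM command-line tools dirquota.exe and filescrn.exe (installed with the FSRM role service), the configuration that questions 19, 24, 25 and 45 to 47 describe: a hard and a soft quota template with notification thresholds, an auto quota, a file group, an active file screen and a file screen exception. The folder paths, template and file group names, size limits and threshold percentages are assumptions chosen for the example, not values from the course.

```powershell
# Added example (not from the course): scripting FSRM quotas and file screens with
# dirquota.exe and filescrn.exe on Windows Server 2008. Run in an elevated PowerShell
# prompt on the file server. Paths, names, sizes and percentages below are assumptions.

$UsersRoot    = 'E:\Users'           # assumed home-folder root, one subfolder per user
$TrainingRoot = 'E:\Users\Training'  # assumed folder that legitimately stores video

# 1. Hard quota template: the limit is enforced and the user cannot write past it.
#    Thresholds give advance warning before the limit: an event log entry at 85 % and
#    an e-mail at 95 %. Notification types: M = e-mail, E = event log, C = command,
#    R = report. A threshold must be defined before a notification is attached to it.
#    Comma-separated values are single-quoted so PowerShell passes them as one argument.
dirquota template add /Template:Home-200MB-Hard /Limit:200MB /Type:Hard `
    /Add-Threshold:85 '/Add-Notification:85,E' `
    /Add-Threshold:95 '/Add-Notification:95,M'

# 2. Soft quota template of the same size: writes are never blocked, only the
#    notifications fire. Useful for a monitoring period before enforcing the limit.
dirquota template add /Template:Home-200MB-Soft /Limit:200MB /Type:Soft `
    /Add-Threshold:100 '/Add-Notification:100,E'

# 3. Auto quota on the root: every existing subfolder, and every subfolder created
#    later, receives its own quota derived from the template (the console's auto apply option).
dirquota autoquota add /Path:$UsersRoot /SourceTemplate:Home-200MB-Hard

# 4. File group naming the content to block, then an active screen on the root.
#    Active blocks the save; Passive allows it but still runs the notifications.
filescrn filegroup add /Filegroup:PersonalMedia /Members:"*.mp3|*.avi|*.mp4|*.wmv"
filescrn screen add /Path:$UsersRoot /Add-Filegroup:PersonalMedia /Type:Active /Add-Notification:E

# 5. Exception for the training team's folder: PersonalMedia files are allowed there,
#    while the screen inherited from $UsersRoot still applies everywhere else.
filescrn exception add /Path:$TrainingRoot /Add-Filegroup:PersonalMedia

# 6. Verify what FSRM now holds. "dirquota quota list" shows the per-folder quotas the
#    auto quota generated, with current usage against each limit.
dirquota template list
dirquota autoquota list /Path:$UsersRoot
dirquota quota list
filescrn screen list
filescrn exception list
```

The listing commands at the end confirm that the objects were created. Changing `/Type:Active` to `Passive` turns the screen into monitoring only (the save succeeds but the notification still fires), which is a reasonable first step before enforcing a new usage policy; the soft template serves the same purpose for quotas.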


Lab Review Questions and Answers


1. Question: Why did you choose to implement storage monitoring on only the E: drive?
Answer: Storage monitoring incurs a small performance overhead, so it should only be used on volumes where it is needed.

2. Question: Why did compressing the Users folder result in a quota usage size reduction? How is this different from NTFS?
Answer: The quota usage for FSRM is calculated based on the amount of disk space that the file is actually using. NTFS calculates quotas based on the normal size of the file, even if the file is compressed.

3. Question: What are some other notification methods that you can implement when configuring quotas and file screening?
Answer: E-mail, command prompt, and reports.

4. Question: Describe a scenario when you would use a storage report format other than HTML.
Answer: Answers may vary. One possible answer is a scenario where you are importing storage reports to a database table. In this scenario you might use the CSV format.

Configuring and Managing Distributed File System

11-1

Module 11

Configuring and Managing Distributed File System


Contents:
Lesson 1: Distributed File System (DFS) Overview 2
Lesson 2: Configuring DFS Namespaces 7
Lesson 3: Configuring DFS Replication 12
Module Reviews and Takeaways 17
Lab Review Questions and Answers 20


Lesson 1

Distributed File System (DFS) Overview

Contents:
Questions and Answers 3
Detailed Demo Steps 5
Additional Reading 6


Questions and Answers


What Is the Distributed File System?
Question: Do you have experience working with DFS or the DFS predecessor, File Replication service (FRS)? Answer: Answers will vary based on your experience.

How DFS Namespaces and DFS Replication Work


Question: In your organization, do you currently synchronize your shared folders? If so, how do you keep them synchronized? Answer: Answers will vary based on your organization.

DFS Scenarios
Question: In what ways can you use DFS technologies within your organization? Answer: Answers will vary based on your organization.

Types of DFS Namespaces


Question: In your organization, would you implement a domain-based namespace or a stand-alone namespace? Answer: Answers will vary depending on your organization. In most cases domain-based namespaces will be used.

What Are Folders and Folder Targets?


Question: Describe a scenario of how you would use folder targets to increase data availability in your organization. Answer: Example: Create a folder with a folder target that points to a target on a clustered file server.

Namespace Server Requirements


Question: How can you ensure the availability of domain-based roots with domain-based DFS namespaces? Answer: For domain-based DFS namespaces, you ensure the availability of domain-based DFS roots by creating multiple root targets on nonclustered file servers or on the local storage of the nodes of server clusters. (Domain-based DFS roots cannot be created on cluster storage.)

Demonstration: Installing DFS


Question: You need to deploy DFS technology within your environment. Is DFS considered a role service or a feature?


Answer: DFS is installed as a File Server role in Windows Server 2008. Question: Is it possible to install DFS Replication without installing DFS Namespaces? Answer: Yes.


Detailed Demo Steps


Demonstration: Installing DFS
For this demonstration, perform the following tasks:
1. Start the NYC-DC1 and NYC-DC2 computers and log on to NYC-DC2 as WoodgroveBank\Administrator with a password of Pa$$w0rd.
2. Start Server Manager. In the details pane, click Add Roles.
3. On the Before You Begin page, click Next.
4. On the Server Roles page, select File Services, and then click Next.
5. On the File Services page, click Next.
6. On the Role Services page, select Distributed File System, and then click Next.
7. On the DFS Namespaces page, select Create a namespace later using the DFS Management snap-in in Server Manager, and then click Next.
8. On the Confirmation page, click Install.
9. Allow the role installation to complete.
10. On NYC-DC1, click Start, and then click Server Manager.
11. In the console pane, click Roles.
12. In the details pane, under Roles Summary, notice that the File Services role has been installed. You now must add specific role services for this role.
13. Scroll down to the File Services section, and then under Role Services, click Add Role Services.
14. On the Select Role Services page, select Distributed File System, and then click Next.
15. On the Create a DFS Namespace page, click Create a namespace later using the DFS Management snap-in in Server Manager, and then click Next.
16. On the Confirm Installation Selections page, click Install.
17. When the installation is complete, click Close.
Note: Leave the NYC-DC1 and NYC-DC2 VMs running for the next demonstration in this module.


Additional Reading
What Is the Distributed File System?
For more information on the following, see the links.
Distributed File System Technology Center
Overview of the Distributed File System Solution in Microsoft Windows Server 2003 R2
Microsoft Distributed File System - IT Value Card
About Remote Differential Compression
Optimizing File Replication over Limited-Bandwidth Networks using Remote Differential Compression

How DFS Namespaces and DFS Replication Work


For more information on the following, see the links.
Overview of the Distributed File System Solution in Microsoft Windows Server 2003 R2
Distributed File System: Frequently Asked Questions
Distributed File System Replication: Frequently Asked Questions

DFS Scenarios
For more information on Overview of the Distributed File System Solution in Microsoft Windows Server 2003 R2, see Overview of the Distributed File System Solution in Microsoft Windows Server 2003 R2.

Types of DFS Namespaces


For more information on choosing a namespace type, see Distributed File System Management Help Topic - "Choosing a Namespace Type".

What Are Folders and Folder Targets?


For more information on DFS management, see DFS Management.

Namespace Server Requirements


For more information on DFS Namespaces Server Requirements, see Distributed File System Management Help Topic - "Prepare to Deploy DFS Namespaces: Review DFS Namespaces Server Requirements".


Lesson 2

Configuring DFS Namespaces


Contents:
Questions and Answers 8
Detailed Demo Steps 9
Additional Reading 11


Questions and Answers


Deploying Namespaces for Publishing Content
Question: Describe a scenario when having a client continue to access the failover server would present problems. Answer: This behavior can be problematic in branch office environments when clients continue to access the hub server even after the branch server is restored.

Security Requirements for Creating and Managing a Namespace


Question: How would you delegate namespace tasks in your organization? Answer: Answers will vary based on your organization and user permissions.

Demonstration: How to Create Namespaces


Question: You want to enable advanced scalability and access-based enumeration. Which option provides these features? Answer: The Windows Server 2008 namespace mode.

Increasing Availability of a Namespace


Question: Describe how you could use these methods to increase availability in your organization. Answer: Your answers will vary, but will depend on whether you decide to create domain-based or stand-alone namespaces, and whether there are multiple servers available to host folder targets.

Options for Optimizing a Namespace


Question: Describe a scenario when you would want to disable a folder target's referral. Answer: If the server that hosts the folder target needs to be taken offline, you wouldn't want users directed to that server.

Demonstration: Configuring Folder Targets


Question: Which types of paths can you use when creating a new folder target?
Answer: A Universal Naming Convention (UNC) path to a shared folder, a folder within a shared folder, or a path to another namespace.
Question: What kind of permissions do you need to add folder targets?
Answer: To perform this procedure, you must be a member of the Local Administrators group on each server that hosts the namespace, or you must have been delegated the ability to manage an existing namespace.


Detailed Demo Steps


Demonstration: How to Create Namespaces
Demonstrate the process of creating a namespace by performing the following tasks:
1. On NYC-DC2, click Start | Administrative Tools | DFS Management.
2. In the DFS Management console tree, right-click Namespaces and then click New Namespace.
3. The Namespace Server wizard appears. On the Namespace Server page, type NYC-DC2, and then click Next.
4. On the Namespace Name and Settings page, type ProjectDocs, and then click Edit Settings.
5. Select Use Custom Permissions, and then click Customize.
6. In Permission for ProjectDocs, click Add.
7. In the Enter object names to select field, type Aaron, and then click OK.
8. Grant the Change permission to Aaron Con, and then click OK twice.
9. On the Namespace Name and Settings page, click Next.
10. On the Namespace Type page, click Next.
11. On the Review Settings and Create Namespace page, click Create.
12. On the Confirmation page, click Close.
13. In the DFS Management console tree, right-click \\WoodgroveBank.com\ProjectDocs and then click New Folder.
14. In the New Folder dialog box, in the Name field, type AccountingSpreadsheets.
15. Click Add.
16. In the Add Folder Target dialog box, click Browse.
17. In the Browse for Shared Folders dialog box, in the Server field, type NYC-DC2, and then click Show Shared Folders.
18. Click New Shared Folder.
19. In the Create Share dialog box, in the Share name field, type YearEndReports.
20. In the Local path of shared folder field, type C:\YearEndReports.
21. Under Shared folder permissions, click Administrators have full access; other users have read-only permissions, and then click OK.

Demonstration: Configuring Folder Targets


1. On NYC-DC2, in the DFS Management console pane, right-click AccountingSpreadsheets, and then click Add Folder Target.
2. In the New Folder Target dialog box, in the Path to folder target field, type \\NYC-DC1\AccountingSpreadsheets, and then click OK.
3. In the Warning dialog box, click Yes to create the \\NYC-DC1\AccountingSpreadsheets shared folder.


4. In the Create Share dialog box, in the Local path of shared folder field, type C:\AccountingSpreadsheets.
5. Under Shared folder permissions, click Administrators have full access; other users have read-only permissions, and then click OK.
6. In the Warning box, click Yes to create the C:\AccountingSpreadsheets folder.
7. In the Replication dialog box, click No.
8. On NYC-DC2, in the DFS Management console pane, expand \\WoodgroveBank\ProjectDocs and click AccountingSpreadsheets.
9. In the details pane, right-click \\NYC-DC1\AccountingSpreadsheets and then click Disable Folder Target.
10. On NYC-DC2, in the DFS Management console pane, right-click \\Woodgrovebank\ProjectDocs and then click Properties.
11. Note the different options in the Properties window.
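As an added example that is not part of the course demonstrations, the same role installation, namespace and folder-target configuration done from an elevated PowerShell prompt on NYC-DC2 with the Windows Server 2008 command-line tools ServerManagerCmd.exe, net share and dfsutil.exe. The domain, server, namespace and folder names are the demonstration's; the root folder path C:\DFSRoots\ProjectDocs is an assumption, and the dfsutil verb syntax shown is the Windows Server 2008 form, which `dfsutil <verb> /?` on the server confirms. The share \\NYC-DC1\AccountingSpreadsheets must already exist on NYC-DC1 (the wizard created it; the command line does not).

```powershell
# Added example (not from the course): DFS Namespaces from the command line on NYC-DC2.
# Assumptions: the root folder path below; \\NYC-DC1\AccountingSpreadsheets already shared.

$Domain     = 'WoodgroveBank.com'
$RootName   = 'ProjectDocs'
$RootFolder = 'C:\DFSRoots\ProjectDocs'   # assumed local folder backing the namespace root
$Namespace  = "\\$Domain\$RootName"
$Folder     = "$Namespace\AccountingSpreadsheets"

# 1. Install the Distributed File System role service with both sub-services
#    (DFS Namespaces and DFS Replication). ServerManagerCmd is the Windows Server 2008
#    command-line front end to Server Manager.
ServerManagerCmd.exe -install FS-DFS -allSubFeatures

# 2. The namespace root needs an empty shared folder on the namespace server. Clients
#    only read referrals from the root, so Everyone:READ is sufficient on the share;
#    the data itself lives on the folder targets with their own permissions.
New-Item -Path $RootFolder -ItemType Directory -Force | Out-Null
net share "$RootName=$RootFolder" '/GRANT:Everyone,READ'

# 3. Domain-based namespace in Windows Server 2008 mode (v2), the mode that provides
#    access-based enumeration and increased scalability. v2 needs the Windows Server 2008
#    domain functional level; use v1 for a Windows 2000 Server mode namespace.
dfsutil root adddom "\\NYC-DC2\$RootName" v2

# 4. Add the folder together with its first target. A folder target may be a UNC path to
#    a shared folder, to a folder inside a shared folder, or to another namespace.
dfsutil link add $Folder '\\NYC-DC2\YearEndReports'

# 5. Add the second target on NYC-DC1 (the share must exist there already).
dfsutil target add $Folder '\\NYC-DC1\AccountingSpreadsheets'

# 6. Disable referrals to the NYC-DC1 target, as you would before taking that server
#    offline: clients are no longer sent to it, but the target stays defined so it can be
#    set back online later with "dfsutil property state online".
dfsutil property state offline $Folder '\\NYC-DC1\AccountingSpreadsheets'

# 7. Display the namespace, its folders and the state of each target.
dfsutil root $Namespace
```

Creating a domain-based namespace writes to Active Directory, so the account running the script needs the rights the lesson lists: local Administrators membership on the namespace server and either Domain Admins membership or delegated namespace management.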


Additional Reading
Deploying Namespaces for Publishing Content
For more information on the following, see the links. Distributed File System Management Help Topic - "Deploying DFS Namespaces"

Security Requirements for Creating and Managing a Namespace


For more information on the following, see the links.
Delegate management permissions for an existing namespace
Security requirements for creating and managing namespaces

Increasing Availability of a Namespace


For more information on increasing the availability of a namespace, see Increasing the Availability of a Namespace.

Options for Optimizing a Namespace


For more information on the following, see the links. Distributed File System Management Help Topic - "Tuning DFS Namespaces"


Lesson 3

Configuring DFS Replication


Contents:
Questions and Answers 13
Detailed Demo Steps 15
Additional Reading 16


Questions and Answers


What Is DFS Replication?
Question: List one advantage and one disadvantage to having deleted files stored in the Conflict and Deleted folders. Answer: One advantage is for data recovery in case of accidental deletion. One disadvantage is the storage space required for saving all the deleted files.

What Are Replication Groups and Replicated Folders?


Question: How can creating multiple replicated folders in a single replication group simplify deployment?
Answer: Creating multiple replicated folders in a single replication group simplifies the process of deploying replicated folders because the topology, schedule, and bandwidth throttling for the replication group are applied to each replicated folder.

DFS Replication Requirements


Question: Does your organization meet the requirements for DFS-R? Answer: Your answer will vary based on your organization.

Scalability Considerations for DFS Replication


Question: DFS-R doesn't have restrictions on the size of files replicated; however, there is a consideration to ensure the files get replicated. What is this consideration?
Answer: The staging folder is appropriately sized.

Process for Deploying a Multipurpose Replication Group


Question: What topology would you use in your organization?
Answer: Answers will vary.
Question: When is the best time to schedule replication?
Answer: When users won't be changing files.

Understanding the Initial Replication Process


Question: What is a consideration when choosing a primary member? Answer: You should choose the member with the most up-to-date files as the primary member.


Generating Diagnostic Reports and Propagation Tests


Question: How often would you run the diagnostic report wizard to create a health report in your organization? Answer: As often as necessary to ensure DFS-R is functioning correctly. This will vary based on students' needs. Students will also want to run the health report whenever they are experiencing DFS-R problems, including slow replication and folders or files not replicating.

Demonstration: Deploying DFS Replication


Question: Where are you able to modify the path for the staging folder?
Answer: On the Advanced tab.
Question: Which tab shows the sending and receiving members of the replication group?
Answer: The Connections tab.


Detailed Demo Steps


Demonstration: Deploying DFS Replication
Demonstrate the following tasks:
1. In the DFS Management console tree on NYC-DC2, right-click Replication and then click New Replication Group.
2. The New Replication Group Wizard appears. On the Replication Group Type page, verify that Multipurpose replication group is selected and then click Next.
3. On the Name and Domain page, in the Name of replication group field, type AccountingDataRepl, and then click Next.
4. On the Replication Group Members page, click Add.
5. In the Enter the object names to select field, type NYC-DC1; NYC-DC2 and then click OK.
6. Click Next.
7. On the Topology Selection page, verify that Full mesh is selected, and then click Next.
8. On the Replication Group Schedule and Bandwidth page, verify that Replicate continuously using the specified bandwidth is selected, and then click Next.
9. On the Primary Member page, select NYC-DC2, and then click Next.
10. On the Folders to Replicate page, click Add.
11. In the Local path of the folder to replicate field, type C:\YearEndReports, and then click OK.
12. On the Folders to Replicate page, click Next.
13. On the Local Path of YearEndReports on Other Members page, click Edit.
14. In the Edit dialog box, click Enabled and type C:\YearEndReports in the Local path of folder field.
15. Click OK. The Create Path warning appears. Click Yes.
16. On the Local Path of YearEndReports on Other Members page, click Next.
17. On the Review Settings and Create Replication Group page, click Create.
18. On the Confirmation page, click Close.
19. In the DFS Management console tree on NYC-DC2, expand Replication, right-click AccountingDataRepl, and then click Create Diagnostic Report.
20. Accept all defaults for the report.
21. View the report in Internet Explorer.
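The following is an added example and not part of the course demonstration: the same replication group built with dfsradmin.exe from an elevated PowerShell prompt on NYC-DC2, followed by the checks a practitioner runs afterwards with dfsrdiag.exe and the DFS Replication event log (the troubleshooting sources the lesson names). The group, folder and member names and C:\YearEndReports are the demonstration's; the staging folder size, the file filter and the report folder are assumptions chosen for the example, and the parameter names are the Windows Server 2008 dfsradmin ones, which `dfsradmin <object> <verb> /?` confirms.

```powershell
# Added example (not from the course): DFS Replication from the command line on NYC-DC2.
# Assumptions: the staging size, file filter and report folder below.

$Rg      = 'AccountingDataRepl'
$Rf      = 'YearEndReports'
$Path    = 'C:\YearEndReports'
$Reports = 'C:\DfsrReports'           # assumed folder for the health report

# 1. The replicated folder must exist on each member. The wizard offered to create it;
#    dfsradmin does not, so create it up front (on NYC-DC1 through its admin share).
New-Item -Path $Path -ItemType Directory -Force | Out-Null
New-Item -Path '\\NYC-DC1\C$\YearEndReports' -ItemType Directory -Force | Out-Null

# 2. Replication group and its two members.
dfsradmin rg new /rgname:$Rg
dfsradmin mem new /rgname:$Rg /memname:NYC-DC1
dfsradmin mem new /rgname:$Rg /memname:NYC-DC2

# 3. Full mesh between two members is one enabled connection in each direction.
#    Without a schedule a connection replicates continuously with full bandwidth.
dfsradmin conn new /rgname:$Rg /sendmem:NYC-DC2 /recvmem:NYC-DC1 /connenabled:true
dfsradmin conn new /rgname:$Rg /sendmem:NYC-DC1 /recvmem:NYC-DC2 /connenabled:true

# 4. The replicated folder. The file filter (the console's default set) keeps temporary
#    and backup files out of replication: they change constantly and only cost bandwidth.
#    Single-quoted so PowerShell hands the comma-separated list over as one argument.
dfsradmin rf new /rgname:$Rg /rfname:$Rf '/filefilter:~*,*.bak,*.tmp'

# 5. Enabled local path on each member. NYC-DC2 is the primary member: its content is
#    authoritative during initial replication only; the designation is dropped afterwards.
#    The staging folder quota (MB) is set explicitly so that large files can be staged.
dfsradmin membership set /rgname:$Rg /rfname:$Rf /memname:NYC-DC2 /localpath:$Path /membershipenabled:true /isprimary:true /stagingsize:8192
dfsradmin membership set /rgname:$Rg /rfname:$Rf /memname:NYC-DC1 /localpath:$Path /membershipenabled:true /stagingsize:8192

# 6. Make both members read the new configuration from AD DS now rather than at the next poll.
dfsrdiag pollad /member:NYC-DC1
dfsrdiag pollad /member:NYC-DC2

# 7. Health report (the console's Create Diagnostic Report), then the backlog of files still
#    waiting to travel from NYC-DC2 to NYC-DC1. A backlog that never shrinks is the usual
#    first sign of a replication problem.
New-Item -Path $Reports -ItemType Directory -Force | Out-Null
dfsradmin health new /rgname:$Rg /refmemname:NYC-DC2 /repname:"$Reports\$Rg-health.html" /fscount:true
dfsrdiag backlog /rgname:$Rg /rfname:$Rf /smem:NYC-DC2 /rmem:NYC-DC1

# 8. Warnings and errors from the DFS Replication event log, the first place to look when
#    folders or files are not replicating.
Get-EventLog -LogName 'DFS Replication' -Newest 50 |
    Where-Object { $_.EntryType -ne 'Information' } |
    Format-Table TimeGenerated, EventID, EntryType, Message -AutoSize -Wrap
```

Open the generated health report in Internet Explorer as in step 21 of the demonstration; the backlog and event log commands are what you would put in a scheduled task to keep watching the group after the initial deployment.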


Additional Reading
What Is DFS Replication?
For more information on the following, see the links.
Introduction to DFS Replication
Staging folders and Conflict and Deleted folders

What Are Replication Groups and Replicated Folders?


For more information on Replication groups and replicated folders, see Replication groups and replicated folders.

DFS Replication Requirements


For more information on the following, see the links.
DFS Replication requirements
Distributed File System Replication: Frequently Asked Questions

Scalability Considerations for DFS Replication


For more information on the following, see the links.
DFS Replication scalability guidelines
Understanding DFS Replication limits
More on DFS Replication limits

Process for Deploying a Multipurpose Replication Group


For more information on Deploying DFS Replication, see Deploying DFS Replication.

Understanding the Initial Replication Process


For more information on What to expect during initial replication, see What to expect during initial replication.

Generating Diagnostic Reports and Propagation Tests


For more information on Create a diagnostic report for DFS Replication, see Create a diagnostic report for DFS Replication.


Module Reviews and Takeaways


Review Questions
1. Question: Do you have experience working with DFS or the DFS predecessor, File Replication service (FRS)?
Answer: Answers will vary based on students' experience.

2. Question: In your organization, do you currently synchronize your shared folders? If so, how do you keep them synchronized?
Answer: Answers will vary based on students' organizations.

3. Question: In what ways can you use DFS technologies within your organization?
Answer: Answers will vary but will be related to the three scenarios: sharing files across branch offices, data collection, and data distribution.

4. Question: In your organization, would you implement a domain-based namespace or a stand-alone namespace?
Answer: Answers will vary depending on students' organizations. In most cases domain-based namespaces will be used.

5. Question: Describe a scenario of how you would use folder targets to increase data availability in your organization.
Answer: Example: Create a folder with a folder target that points to a target on a clustered file server.

6. Question: How can you ensure the availability of domain-based roots with domain-based DFS namespaces?
Answer: For domain-based DFS namespaces, you ensure the availability of domain-based DFS roots by creating multiple root targets on nonclustered file servers or on the local storage of the nodes of server clusters. (Domain-based DFS roots cannot be created on cluster storage.)

7. Question: You need to deploy DFS technology within your environment. Is DFS considered a role service or a feature?
Answer: DFS is installed as a File Server role in Windows Server 2008.

8. Question: Is it possible to install DFS Replication without installing DFS Namespaces?
Answer: Yes.

9. Question: Describe a scenario when having a client continue to access the failover server would present problems.
Answer: This behavior can be problematic in branch office environments when clients continue to access the hub server even after the branch server is restored.

10. Question: How would you delegate namespace tasks in your organization?
Answer: Answers will vary based on students' organizations and user permissions.

11. Question: You want to enable advanced scalability and access-based enumeration. Which option provides these features?
Answer: The Windows Server 2008 namespace mode.

12. Question: Describe how you could use these methods to increase availability in your organization.
Answer: Students' answers will vary, but will depend on whether they decide to create domain-based or stand-alone namespaces, and whether there are multiple servers available to host folder targets.

13. Question: Describe a scenario when you would want to disable a folder target's referral.
Answer: If the server that hosts the folder target needs to be taken offline, you wouldn't want users directed to that server.

14. Question: Which types of paths can you use when creating a new folder target?
Answer: A Universal Naming Convention (UNC) path to a shared folder, a folder within a shared folder, or a path to another namespace.

15. Question: What kind of permissions do you need to add folder targets?
Answer: To perform this procedure, you must be a member of the Local Administrators group on each server that hosts the namespace, or you must have been delegated the ability to manage an existing namespace.

16. Question: List one advantage and one disadvantage to having deleted files stored in the Conflict and Deleted folders.
Answer: One advantage is for data recovery in case of accidental deletion. One disadvantage is the storage space required for saving all the deleted files.

17. Question: How can creating multiple replicated folders in a single replication group simplify deployment?
Answer: Creating multiple replicated folders in a single replication group simplifies the process of deploying replicated folders because the topology, schedule, and bandwidth throttling for the replication group are applied to each replicated folder.

18. Question: Does your organization meet the requirements for DFS-R?
Answer: Students' answers will vary based on their organization.

19. Question: DFS-R doesn't have restrictions on the size of files replicated; however, there is a consideration to ensure the files get replicated. What is this consideration?
Answer: The staging folder is appropriately sized.

20. Question: What topology would you use in your organization?
Answer: Students' answers will vary depending on their organization.

21. Question: When is the best time to schedule replication?
Answer: When users won't be changing files.

22. Question: What is a consideration when choosing a primary member?
Answer: You should choose the member with the most up-to-date files as the primary member.

23. Question: How often would you run the diagnostic report wizard to create a health report in your organization?
Answer: As often as necessary to ensure DFS-R is functioning correctly. This will vary based on students' needs. Students will also want to run the health report whenever they are experiencing DFS-R problems, including slow replication and folders or files not replicating.

24. Question: List three places you can look for DFS-R troubleshooting information.
Answer: Event log, Conflict and Deleted folder, and the Health Report.

25. Question: In your organization, would you include .bak files in your DFS replication?
Answer: Answers will vary based on students' organizations.

26. Question: What would be a disadvantage of replicating .bak files?
Answer: Higher bandwidth usage.

Configuring and Managing Distributed File System


27. Question: How can you use DFS in your File Services deployment? Answer: You can use DFS to provide DFS namespaces and file replication. DFS namespaces provide a virtual view of shared folders on different servers. DFS replication provides high availability and fault tolerance for files and folders.
28. Question: What kind of compression technology is used by Windows Server 2008 DFS? Answer: Windows Server 2008 uses Remote Differential Compression to help optimize data transfers over limited-bandwidth networks.
29. Question: What are three main scenarios used for DFS? Answer: Three main scenarios include sharing files across branch offices, data collection, and data publishing or distribution.
30. Question: What is the difference between a domain-based DFS namespace and a stand-alone DFS namespace? Answer: A domain-based DFS namespace is hosted on multiple servers, whereas a stand-alone DFS namespace is hosted on only a single server. Users connect to a domain-based namespace using the domain name in the UNC path (for example, \\Contoso.com\corpfiles), whereas users connect to a stand-alone namespace using the server name (for example, \\SEA-SRV1\corpfiles).
31. Question: What is the default ordering method for client referral to folder targets? Answer: Targets in the client's site are always listed first in a referral. Targets outside the client's site are listed according to the ordering method, which is set to Lowest cost by default.
32. Question: What does the Primary Member configuration do when setting up replication? Answer: The primary member is used as the authoritative server during the initial replication. After initial replication is complete, the primary member designation is removed.
33. Question: Which folder is used to cache files and folders where conflicting changes are made on two or more members? Answer: The \DfsrPrivate\ConflictAndDeleted folder stores conflicting files and can also cache deleted files and folders.



Lab Review Questions and Answers


1. Question: You need to install DFS. Where is the Distributed File System installation performed? Answer: The Distributed File System is a role service that can be installed with the File Services role.
2. Question: What are the requirements for deploying a namespace in Windows Server 2008 mode? Answer: The domain must use the Windows Server 2008 domain functional level, and all namespace servers must be running Windows Server 2008.
3. Question: What are the benefits of hosting a namespace on several namespace servers? Answer: Hosting a namespace on several namespace servers increases availability in the event that a namespace server fails. Users will still be able to access the namespace using one of the remaining namespace servers.
4. Question: You have just configured a replication group, but it does not seem to be replicating any files. What could be wrong? Answer: Because replication information is stored in Active Directory, some group members may not yet have the replication information if there is latency in AD replication.

Configuring Network Access Protection


Module 12

Configuring Network Access Protection

Contents:

Lesson 1: Overview of Network Access Protection 2
Lesson 2: How NAP Works 7
Lesson 3: Configuring NAP 10
Lesson 4: Monitoring and Troubleshooting NAP 15
Module Reviews and Takeaways 19
Lab Review Questions and Answers 22


Lesson 1

Overview of Network Access Protection

Contents:
Questions and Answers 3
Detailed Demo Steps 5
Additional Reading 6


Questions and Answers


What Is Network Access Protection?
Question: How would you use NAP enforcement in your environment, considering home users, roaming laptops, and outside business partners? Answer: Answers will vary.

NAP Scenarios
Question: Have you ever had an issue with unsecure, unmanaged laptops causing harm to your network? Do you think NAP would have addressed this issue? Answer: Answers will vary.

NAP Enforcement Methods


Question: Which of the NAP enforcement types would best suit your company? Can you see your organization using multiple NAP enforcement types? If so, which ones? Answer: Answers will vary.

NAP Platform Architecture


Question: Does your environment presently use 802.1x authentication at the switch level? If so, would 802.1x NAP be beneficial, considering you can configure remediation VLANs to offer limited access? Answer: Answers will vary.

NAP Architecture Interactions


Question: List an example of a NAP-enabled network infrastructure used in your organization. Answer: Answers will vary.

NAP Client Infrastructure


Question: How would your organization deal with enabling the appropriate EC on non-domain computers that are outside of the management scope? Answer: Answers will vary.

Demonstration: Using the NAP Client Configuration Tool


Question: List at least one example of how the NAP client could benefit your organization. Answer: Answers will vary.


NAP Server-Side Infrastructure


Question: List at least one example of how the NAP health policy server can monitor your networks. Answer: Answers will vary.

Communication Between NAP Platform Components


Question: List an example of how your organization can use NAP Platform Components to facilitate communication. Answer: Answers will vary.


Detailed Demo Steps


Demonstration: Using the NAP Client Configuration Tool
Demo Steps:
1. Click Start, type MMC, and then press ENTER.
2. In the Console1 window, on the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, scroll down, click NAP Client Management, and then click Add.
4. In the NAP Client Configuration dialog box, click OK twice.
5. In the Console1 window, expand NAP Client Configuration (Local Computer), and then click Enforcement Clients.
6. In the details pane, take note of the enforcement clients.
7. In the Console1 window, click User Interface Settings.
8. In the details pane, right-click User Interface Settings, and then click Properties.
9. In the User Interface Settings Properties dialog box, take note of the description, and then click Cancel.
10. In the Console1 window, click Health Registration Settings.
11. In the details pane, click Learn more about request policy settings.
12. In the Microsoft Management Console window, take note of the help file, and then close the window.
13. In the details pane, click Learn more about trusted health registration authority servers.
14. In the Microsoft Management Console window, take note of the help file, and then close the window.
15. Close Console1.


Additional Reading
What Is Network Access Protection?
For more information on Introduction to Network Access Protection, see Introduction to Network Access Protection.

NAP Scenarios
For more information on Network Access Protection, see Network Access Protection.

NAP Enforcement Methods


For more information on the following, see the links:
Terminal Services Network Access Protection Enforcement

NAP Platform Architecture


For more information on Network Access Protection Platform Architecture, see Network Access Protection Platform Architecture.

NAP Architecture Interactions


For more information on Network Access Protection Platform Architecture, see Network Access Protection Platform Architecture.

NAP Client Infrastructure


For more information on the following, see the links:
Network Access Protection Platform Architecture
NAP Client Status

Demonstration: Using the NAP Client Configuration Tool


For more information on the following, see the links:
Network Access Protection Platform Architecture
NAP Client Status

NAP Server-Side Infrastructure


For more information on Network Access Protection Platform Architecture, see Network Access Protection Platform Architecture.

Communication Between NAP Platform Components


For more information on Network Access Protection Platform Architecture, see Network Access Protection Platform Architecture.


Lesson 2

How NAP Works


Contents:
Questions and Answers 8
Additional Reading 9


Questions and Answers


NAP Enforcement Processes
Question: List at least one example of why you would customize a health policy. Answer: Answers will vary.

How IPsec Enforcement Works


Question: For which computers in the secure network would you allow unsecure communication from computers in the restricted network to succeed? Answer: You can create IP filters to allow certain communications to remain unauthenticated. A Web server might be such a server.

How 802.1X Enforcement Works


Question: What must the network devices support to implement 802.1x NAP? Answer: Network devices must support 802.1x authentication, usually through RADIUS.

How VPN Enforcement Works


Question: How does the VPN NAP enforcement method respond to noncompliant computers that make connection attempts? Answer: You can place IP packet filters to restrict communications to specific intranet resources, usually remediation servers.

How DHCP Enforcement Works


Question: Does the DHCP NAP enforcement type work on IPv6 networks?
Answer: No. It is available only for IPv4 scopes.


Additional Reading
NAP Enforcement Processes
For more information on Security and Policy Enforcement, see Security and Policy Enforcement.

How IPsec Enforcement Works


For more information on Network Access Protection IPSec, see Understanding NAP IPSec Enforcement.

How 802.1X Enforcement Works


For more information on the following, see the links:
Network Access Protection Platform Architecture
NAP Enforcement for 802.1x

How VPN Enforcement Works


For more information on the following, see the links:
Network Access Protection Platform Architecture
NAP Enforcement for VPN

How DHCP Enforcement Works


For more information on the following, see the links:
Network Access Protection Platform Architecture
NAP Enforcement for DHCP


Lesson 3

Configuring NAP
Contents:
Questions and Answers 11
Detailed Demo Steps 12
Additional Reading 14


Questions and Answers


What Are System Health Validators?
Question: Does NAP work only with Microsoft-supplied System Health Validators? Answer: No. It is extensible, so you can use any vendor's System Health Agents and System Health Validators if they follow the NAP API.

What Is a Health Policy?


Question: Can you use only one SHV in a health policy? Answer: No. You can specify any that are available.

What Are Remediation Server Groups?


Question: What services might a remediation server offer to update antivirus signatures? Answer: It might offer a File Transfer Protocol (FTP) service, or something similar, so clients can download and install the latest signatures.

NAP Client Configuration


Question: What Windows groups have the rights to enable Security Center in Group Policy, enable NAP service on clients, and enable/disable NAP enforcement clients? Answer: The following groups have these rights: Enterprise Admins, Domain Admins, and Local Administrators.


Detailed Demo Steps


Demonstration: Using the Configure NAP Wizard to Apply Network Access Policies
Demo Steps: Create NAP for DHCP
1. Click Start, point to Administrative Tools, and then click Network Policy Server.
2. In the Network Policy Server window, click NPS (Local), and then in the details pane, click Configure NAP.
3. On the Select Network Connection Method For Use with NAP page, in the Network connection method list, click Dynamic Host Configuration Protocol (DHCP).
4. Note that the policy name defaults to NAP DHCP, and take note of the additional requirements (selecting this link opens NPS Help at the section that describes what is required for this NAP solution to be implemented successfully), and then click Next.
5. On the Specify NAP Enforcement Servers Running DHCP Server page, click Next.
6. On the Specify DHCP Scopes page, next to DHCP scopes, click Add.
7. In the MS-Service Class dialog box, type DHCP Scope, click OK, and then click Next.
8. On the Configure User Groups and Machine Groups page, click Next.
9. On the Specify a NAP Remediation Server Group and URL page, click New Group.
10. In the New Remediation Server Group dialog box, in the Group Name field, type RemTest, and then click Add.
11. In the Add New Server dialog box, in the IP address or DNS name field, type 10.10.0.10, and then click OK.
12. In the New Remediation Server Group dialog box, click OK.
13. On the Specify a NAP Remediation Server Group and URL page, click Next.
14. On the Define NAP Health Policy page, click Next.
15. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.

Configure the NAP Client Management


1. Click Start, type MMC, and then press ENTER.
2. In the Console1 window, on the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, scroll down, click NAP Client Management, and then click Add.
4. In the NAP Client Configuration dialog box, click OK twice.
5. In the console pane, expand NAP Client Configuration, and then click Enforcement Clients.
6. In the details pane, right-click DHCP Quarantine Enforcement Client, and then click Enable.


7. Close Console 1.

Enable a scope in DHCP for use by NAP:


1. Click Start, point to Administrative Tools, and then click DHCP.
2. In the DHCP window, expand nyc-dc1.woodgrovebank.com, expand IPv4, right-click Scope [10.10.0.0] Head Office, and then click Properties.
3. In the Scope [10.10.0.0] Head Office Properties dialog box, click the Network Access Protection tab.
4. Under Network Access Protection Settings, select the Enable for this scope radio button, and then click OK.


Additional Reading
What Are System Health Validators?
For more information on the following, see the links:
Network Access Protection Platform Architecture
Introduction to Network Access Protection
System Health Validators

What Is a Health Policy?


For more information on Health Policies, see Help Topic: Health Policies.

What Are Remediation Server Groups?


For more information on Remediation Server Groups, see Help Topic: Remediation Server Groups.

NAP Client Configuration


For more information on the following, see the links:
Help Topic: Enable Security Center in Group Policy
Help Topic: Enable the Network Access Protection Service on Clients
Help Topic: Configure NAP Enforcement Clients


Lesson 4

Monitoring and Troubleshooting NAP

Contents:
Questions and Answers 16
Detailed Demo Steps 17
Additional Reading 18


Questions and Answers


What Is NAP Tracing?
Question: List at least one example of how NAP tracing can be used to determine an issue with client communication. Answer: Answers may vary.

Configuring NAP Tracing


Question: What is the netsh command for enabling NAP debug logging levels? Answer: The command is netsh nap client set tracing state=enable level=verbose.

Demonstration: Configuring Tracing


Question: Of what group must you be a member to enable NAP tracing? Answer: You must be a member of Local Administrators.


Detailed Demo Steps


Demonstration: Configuring Tracing
Demo Steps: Configure tracing from NAP Client Configuration
1. Click Start, type MMC, and then press ENTER.
2. In the Console1 window, on the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, scroll down, click NAP Client Management, and then click Add.
4. In the NAP Client Configuration dialog box, click OK twice.
5. In the console pane, right-click NAP Client Configuration (Local Computer), and then click Properties.
6. In the NAP Client Configuration (Local Computer) Properties dialog box, under Enable or disable tracing on this computer, select the Enabled radio button.
7. In the Specify the level of detail at which the tracing logs are written list, click Advanced, and then click OK.

To configure tracing from the command line


1. Click Start, and then click Command Prompt. 2. In the Administrator: Command Prompt, type netsh nap client set tracing state = enable, and then press ENTER.

View the Log Files


1. Click Start, and then click Computer.
2. Navigate to the %systemroot%\tracing\nap directory, and open the particular trace log that you want to view.
3. Close all windows.
Note: You must be a member of the local Administrators group or have been delegated the appropriate authority to perform these procedures.
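The client-side work shown in the demonstrations above (enabling the DHCP Quarantine Enforcement Client, turning on tracing, and locating the trace logs) can also be done and verified from an elevated PowerShell prompt on the NAP client. The following script is an added example, not part of the course; it assumes the netsh nap client subcommands as documented for Windows Server 2008 and Windows Vista, and that 79617 is the documented identifier of the DHCP Quarantine Enforcement Client (confirm it against the netsh nap client show state output before relying on it).

```powershell
# Added example (not from the course): configure and verify the NAP client from
# an elevated PowerShell prompt on a Windows Server 2008 / Windows Vista NAP client.
# Assumptions: 'netsh nap client' subcommands as documented for these releases;
# 79617 is the documented ID of the DHCP Quarantine Enforcement Client.

$dhcpQecId = 79617   # DHCP Quarantine Enforcement Client; verify with 'netsh nap client show state'

# 1. The Network Access Protection Agent service (napagent) must be running, or no
#    enforcement client can report a statement of health.
Set-Service -Name napagent -StartupType Automatic
$agent = Get-Service -Name napagent
if ($agent.Status -ne 'Running') {
    Start-Service -Name napagent
}

# 2. Enable the DHCP enforcement client (same effect as right-clicking
#    DHCP Quarantine Enforcement Client in the NAP Client Configuration console and clicking Enable).
netsh nap client set enforcement "ID=$dhcpQecId" "ADMIN=ENABLE"

# 3. Enable verbose tracing (the course's netsh command, run from PowerShell).
netsh nap client set tracing state=enable level=verbose

# 4. Report what the client now has configured: enforcement client state, SHA state,
#    tracing state, and trusted HRA / UI settings.
netsh nap client show state
netsh nap client show configuration

# 5. Locate the trace logs. They are written under %systemroot%\tracing\nap and only
#    appear after NAP activity (for example, the next DHCP lease renewal).
$traceDir = Join-Path $env:SystemRoot 'tracing\nap'
if (Test-Path $traceDir) {
    Get-ChildItem -Path $traceDir |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, Length, LastWriteTime
} else {
    Write-Warning "$traceDir does not exist yet; trigger NAP activity (for example, ipconfig /renew) and check again."
}
```

Remember that tracing is off by default and the verbose logs grow quickly, so disable it again (netsh nap client set tracing state=disable) once troubleshooting is finished.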


Additional Reading
What Is NAP Tracing?
For more information on NAP tracing, see Help and Support Topic: NAP tracing.

Configuring NAP Tracing


For more information on the following, see the links:
Help Topic: Enable and Disable NAP Tracing
Help Topic: Specify Level of Detail in the NAP Trace Log


Module Reviews and Takeaways


Review Questions
1. Question: How would you use NAP enforcement in your environment, considering home users, roaming laptops, and outside business partners? Answer: Answers may vary, but common usage scenarios include:
   - Checking the health and status of roaming laptops
   - Ensuring the health of desktop computers
   - Verifying the compliance and health of computers in remote offices
   - Determining the health of visiting laptops
   - Verifying the compliance and health of unmanaged home computers
2. Question: Have you ever had an issue with unsecure, unmanaged laptops causing harm to your network? Do you think NAP would have addressed this issue? Answer: Answers may vary, but NAP could theoretically have helped in these situations by preventing computers from accessing the network if they did not have an antivirus program installed and did not have the latest Windows updates.
3. Question: Which of the NAP enforcement types would best suit your company? Can you see your organization using multiple NAP enforcement types? If so, which ones? Answer: Answers may vary depending on the enforcement method most suited to the students' environments.
4. Question: Does your environment presently use 802.1x authentication at the switch level? If so, would 802.1x NAP be beneficial, considering you can configure remediation VLANs to offer limited access? Answer: Answers will vary. Discuss with students.
5. Question: List an example of a NAP-enabled network infrastructure used in your organization. Answer: Answers may vary, but any Windows operating system from Windows XP SP2 and later is NAP capable.
6. Question: How would your organization deal with enabling the appropriate EC on non-domain computers that are outside of the management scope? Answer: Answers will vary, but IPsec enforcement is going to be the most secure method.
7. Question: List at least one example of how the NAP client could benefit your organization. Answer: Answers may vary depending on the students' environments, but some possible examples include checking the health and status of desktop computers, roaming laptops, computers in remote offices, and unmanaged home computers.
8. Question: List at least one example of how the NAP health policy server can monitor your networks. Answer: Answers may vary, but any scenario in which it is important to enforce health requirements by monitoring and assessing the health of client computers when they attempt to connect to or communicate on a network would be valid.
9. Question: List an example of how your organization can use NAP platform components to facilitate communication. Answer: Answers may vary but depend on the students' preferred enforcement method (DHCP, VPN, and so on).


10. Question: List at least one example of why you would customize a health policy. Answer: Answers may vary. Health policies determine which SHVs to use and the parameters for checking the SHVs. For example, a custom health policy could be used in conjunction with a third-party SHV for a virus protection program.
11. Question: For which computers in the secure network would you allow unsecure communication from computers in the restricted network to succeed? Answer: You can create IP filters to allow certain communications to remain unauthenticated. A Web server might be such a server.
12. Question: What must the network devices support to implement 802.1x NAP? Answer: Network devices must support 802.1x authentication, usually through RADIUS.
13. Question: How does the VPN NAP enforcement method respond to non-compliant computers that make connection attempts? Answer: You can place IP packet filters to restrict communications to specific intranet resources, usually remediation servers.
14. Question: Does the DHCP NAP enforcement type work on IPv6 networks? Answer: No. It is available only for IPv4 scopes.
15. Question: Does NAP work only with Microsoft-supplied System Health Validators? Answer: No. It is extensible, so you can use any vendor's System Health Agents and System Health Validators if they follow the NAP API.
16. Question: Can you use only one SHV in a health policy? Answer: No. You can specify any that are available.
17. Question: What services might a remediation server offer to update antivirus signatures? Answer: It might offer a File Transfer Protocol (FTP) service, or something similar, so clients can download and install the latest signatures.
18. Question: What Windows groups have the rights to enable Security Center in Group Policy, enable the NAP service on clients, and enable/disable NAP enforcement clients? Answer: The following groups have these rights: Enterprise Admins, Domain Admins, and local Administrators.
19. Question: List at least one example of how NAP tracing can be used to determine an issue with client communication. Answer: Answers may vary, but one example could be to review detailed information on why a client computer has been deemed non-compliant or is otherwise quarantined to a restricted network.
20. Question: What is the netsh command for enabling NAP debug logging levels? Answer: The command is netsh nap client set tracing state=enable level=verbose.
21. Question: Of what group must you be a member to enable NAP tracing? Answer: You must be a member of local Administrators.
22. Question: What are the three main client configurations that need to be configured for most NAP deployments? Answer: Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center. The Network Access Protection service is required when you deploy NAP to NAP-capable client computers. You also must configure the NAP enforcement clients on the NAP-capable computers.


23. Question: You want to evaluate the overall health and security of the NAP-enforced network. What do you need to do to start recording NAP events? Answer: NAP trace logging is disabled by default and should be enabled if you want to troubleshoot NAP-related problems or evaluate the overall health and security of your organization's computers. You can use the NAP Client Management console or the netsh command-line tool to enable logging.


Lab Review Questions and Answers


1. Question: The DHCP NAP enforcement method is the weakest enforcement method in Microsoft Windows Server 2008. What makes it less preferable than other ways? Answer: It is less preferable because a manually assigned IP address on the client machine circumvents the DHCP NAP enforcement altogether.
2. Question: Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit would be realized by using such a scenario? Answer: Yes. You can use one or all of the NAP solutions in an environment. One benefit is that the communication on the intranet also would be secured with IPsec, not just the tunnel between the Internet host and the Routing and Remote Access server.
3. Question: Could you have used DHCP NAP enforcement for the Routing and Remote Access client? Answer: No. It would not have worked, because the IP addresses assigned to the Routing and Remote Access client come from a static pool on the Routing and Remote Access server itself.

Configuring Availability of Network Content and Resources


Module 13
Configuring Availability of Network Content and Resources
Contents:
Lesson 1: Configuring Shadow Copies 2
Lesson 2: Providing Server and Service Availability 7
Module Reviews and Takeaways 13
Lab Review Questions and Answers 15


Lesson 1

Configuring Shadow Copies


Contents:
Question and Answers 3
Detailed Demo Steps 5
Additional Reading 6


Question and Answers


What are Shadow Copies?
Question: If you were to deploy shadow copies of shared folders in your network environment, would you notice a decrease in calls from users needing restoration from backups? Answer: Most likely, once the users become trained, calls would decrease.

Considerations for Deploying Shadow Copies


Question: How might you consider modifying the default schedule for your environment? Do you have data in shares that might require a more aggressive schedule?

Shadow Copy Scheduling


Question: How might you consider modifying the default schedule for your environment? Do you have data in shares that might require a more aggressive schedule?

Demonstration: Configuring Shadow Copies


Question: What are the possible drawbacks or costs of enabling Shadow Copies? Answer: Shadow copies will require more drive space and potentially affect the performance of servers.

Managing Shadow Copies from a Client Perspective


Question: What might be the problem if a user calls the Help Desk and complains that the Previous Versions tab is missing from the shared folder/file properties? Answer: A Windows XP or Windows 2000 client may not have the Previous Versions client installed. Alternatively, the client may be accessing the file through a local path rather than through the share path.

Restoring Shadow Copies


Question: If a user calls you and says that the Previous Versions tab is not visible, what would you ask to determine the problem? Answer: Determine the operating system. If the client is Windows XP or Windows 2000, confirm that the Previous Versions application has been installed. Confirm that the user is accessing the file via the share, not through an alternate path.

Demonstration: Restoring Shadow Copies


Question: How would you train users to perform shadow copy restorations on their own?


Question: If a user wanted to restore part of a previous document version, how would you advise them to proceed? Answer: Make a copy of the document before restoring to a previous version, and then manually combine the two document versions.


Detailed Demo Steps


Demonstration: Configuring Shadow Copies
Demonstration steps:
1. Open Computer Management.
2. In the console tree, right-click Shared Folders, click All Tasks, and then click Configure Shadow Copies.
3. Click the volume where you want to enable shared folder shadow copies, and then click Enable.
4. To make changes to the default schedule and storage area, click Settings.

Demonstration: Restoring Shadow Copies


Demonstration steps:
1. Use the mapped drive or UNC path to access the location of the object you wish to restore to a previous version.
2. Right-click the file or folder you wish to restore, and then click Properties.
3. Click the Previous Versions tab, and view the available versions sorted by date and time.
4. Select the point in time to which you want to restore the file or folder, and then select the appropriate option: Open, Copy, or Restore.


Additional Reading
What are Shadow Copies?
For more information on Windows Server 2008 versions, see Windows Server 2008 Help Topic: How do I use Previous Versions?

Considerations for Deploying Shadow Copies


For more information on Enable and Configure Shadow Copies of Shared Folders, see Windows Server 2008 Help Topic: Enable and Configure Shadow Copies of Shared Folders.

Shadow Copy Scheduling


For more information on Enable and Configure Shadow Copies of Shared Folders, see Windows Server 2008 Help Topic: Enable and Configure Shadow Copies of Shared Folders.

Managing Shadow Copies from a Client Perspective


For more information on How do I use Previous Versions?, see Windows Server 2008 Help Topic: How do I use Previous Versions?.

Restoring Shadow Copies


For more information on restoring a previous version of a file or folder, see Windows Server 2008 Help Topic: How do I restore a previous version of a file or folder? For more information on Best Practices for Shadow Copies of Shared Folders, see "Best Practices for Shadow Copies of Shared Folders" http://go.microsoft.com/fwlink/?LinkID=139994


Lesson 2

Providing Server and Service Availability

Contents:
Question and Answers 8
Detailed Demo Steps 10
Additional Reading 12


Question and Answers


Network Load Balancing Manager Overview
Question: Do you have any servers hosting stateless information that would benefit from Network Load Balancing in your environment?

Demonstration: Installing Network Load Balancing


Question: Should you enable this feature on all servers? Answer: No. For security and performance reasons, only enable the necessary services on servers.

Considerations for Creating a Network Load Balancing Cluster


Question: What applications would require the optional shared storage? Answer: When an application has shared data, such as a database or file service. Print services, for instance, do not require shared storage.

Demonstration: Configuring a Network Load Balancing Cluster


Question: When should you configure multiple DIPs for a cluster? Answer: Multiple IP addresses can allow for access from different subnets or compatibility with IPv4 and IPv6.

Clustering Terminology
Question: Discuss your work environment's approach to planned and unplanned downtime. Answer: Answers may vary.

What is a Failover Cluster?


Question: Have you employed previous versions of clustering technology? Answer: Answers may vary.

Hardware Requirements for a Failover Cluster


Question: If you presently have a server cluster in a previous server version, can you do a rolling upgrade to Windows Server 2008 Failover Clustering? Answer: No.

Failover Clustering Scenarios


Question: Describe one scenario in your work environment where you currently use or plan to implement failover clustering.


Answer: Answers may vary. This question should provide students with an opportunity to reflect on what services they can use in conjunction with failover clustering to provide high availability.


Detailed Demo Steps


Demonstration: Installing Network Load Balancing
Demonstration Steps

NLB is a feature of Windows Server 2008, and as such, you must use the Server Manager tool to install it:
Click Start, point to Administrative Tools, point to Server Manager, click Add Features, and then select Windows Network Load Balancing from the available features list.

Demonstration: Configuring a Network Load Balancing Cluster


In Windows Server 2008, there are two ways to configure Network Load Balancing on either Full installations or management clients:
- Using the graphical user interface (GUI) utility Network Load Balancing Manager (NLBmgr)
- Using the netcfg APIs and the Network Load Balancing WMI classes

1. To open Network Load Balancing Manager, click Start, point to Administrative Tools, and then click Network Load Balancing Manager.
2. To configure a new cluster, click the Cluster menu, and then click New. A dialog box appears, asking you to enter the name of the server/host that will be part of the NLB cluster. Type the name of the first host in the cluster. The first host becomes the default host with the lowest Host ID, so you may want to add first the host that should handle traffic when no port rules are defined. (This setting can be changed later.)
3. Click Connect. You will see a list of interfaces that can be used to configure Network Load Balancing. Note that a server may have two interfaces, one facing the outside/public network and one management interface; NLB also works with a single interface. Select the interface on which you want to configure the cluster, and then click Next.
4. The next page asks you to configure Dedicated IP addresses (DIPs) for the host. Click Add. The Add IP Address dialog box allows you to add an IPv4/IPv6 address. If you want Network Load Balancing Manager to pick an IPv6 address, click Generate v6 address. If the router on the network you are configuring supports site-local and global addresses, all three check boxes will be enabled; otherwise, only those check boxes for which there is router support will be enabled. If you select all three check boxes, three DIPs will be added (local, site-local, and global in scope). You can add multiple IPv4/IPv6 addresses by clicking Add again. You can remove a DIP from the list by highlighting it and clicking Remove, or edit it by selecting it and clicking Edit. Traffic sent to the host's dedicated IP addresses is not load-balanced, so add to this list every IP address on the host that does not need to be load-balanced. The default state is the state of the cluster when it is configured on a host. Priority is the unique Host ID of the host (each host in the cluster must have a unique Host ID). Click Next.
5. The Cluster/Virtual IP address (VIP) page appears. You must add all the IP addresses on which the traffic will be load-balanced. (To add another host, click Cluster, click Add Host, and follow the same steps used to add the first host.) Click Next.
6. Choose the primary cluster IP for the cluster. If you need to access the cluster by name rather than by VIP address, you can also provide a cluster name in the Full Internet Name box. This name must be registered manually with DNS/WINS. The default and recommended mode for NLB operation is Unicast. If you are concerned about switch flooding in this mode, you can choose Multicast or IGMP multicast mode.
7. The next page allows you to configure port rules. These rules dictate the behavior of the Network Load Balancing cluster and should be configured appropriately.
8. Click Finish to complete the single-host Network Load Balancing cluster configuration.
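The same installation and the checks the wizard relies on (unique Host IDs, DIP versus VIP, port rules that decide which services are balanced), done from Windows PowerShell as an added example that is not part of the course or of Microsoft's NLB tooling. It assumes ServerManagerCmd.exe is present (it ships with Windows Server 2008) and that the NLB WMI provider exposes the root\MicrosoftNLB namespace with the class and property names used below; confirm those on your build before relying on the report.

```powershell
# Added example (not course code): install the NLB feature from the command line and
# audit the resulting cluster through the NLB WMI provider.
# Assumptions, labelled here: ServerManagerCmd.exe exists (Windows Server 2008; it was
# deprecated in later releases); the namespace root\MicrosoftNLB exposes
# MicrosoftNLB_Node and MicrosoftNLB_PortRule with the property names used below.
# Confirm the names with:  Get-WmiObject -Namespace root\MicrosoftNLB -List

param([string]$ComputerName = '.')

$NlbNamespace = 'root\MicrosoftNLB'

# Install the feature only where it is needed (the course's guidance: enable only the
# services a server requires). ServerManagerCmd -query marks installed items with [X].
function Install-NlbFeatureIfMissing {
    $query = & ServerManagerCmd.exe -query
    if ($query -match '\[X\]\s+Network Load Balancing') {
        Write-Host 'Network Load Balancing is already installed.'
        return $false
    }
    & ServerManagerCmd.exe -install NLB
    return $true
}

# Each host in a cluster must have a unique Host ID (the Priority value set in the
# wizard). Report duplicates explicitly instead of letting the next join fail.
function Test-NlbHostIdsUnique {
    $nodes = @(Get-WmiObject -Namespace $NlbNamespace -Class MicrosoftNLB_Node -ComputerName $ComputerName)
    $dupes = @($nodes | Group-Object -Property HostPriority | Where-Object { $_.Count -gt 1 })
    foreach ($d in $dupes) {
        Write-Warning ("Host ID {0} is assigned to {1} nodes" -f $d.Name, $d.Count)
    }
    return ($dupes.Count -eq 0)
}

# Show, per node, which addresses are dedicated (DIP, never load-balanced) and which
# are cluster addresses (VIP, load-balanced): the distinction the wizard's two IP
# pages draw.
function Get-NlbAddressReport {
    Get-WmiObject -Namespace $NlbNamespace -Class MicrosoftNLB_Node -ComputerName $ComputerName |
        Select-Object Name, HostPriority,
            @{Name = 'DedicatedIP'; Expression = { $_.DedicatedIPAddress }},
            @{Name = 'ClusterIP';   Expression = { $_.ClusterIPAddress }}
}

# Port rules decide which services are load-balanced. The default rule spans 0-65535
# and balances every port, which is usually wider than the services you intended
# (the lab review: use port rules to balance some services but not others).
function Get-NlbPortRuleReport {
    Get-WmiObject -Namespace $NlbNamespace -Class MicrosoftNLB_PortRule -ComputerName $ComputerName |
        Select-Object StartPort, EndPort, Protocol,
            @{Name = 'BalancesAllPorts'; Expression = { $_.StartPort -eq 0 -and $_.EndPort -eq 65535 }}
}

Install-NlbFeatureIfMissing | Out-Null
if (-not (Test-NlbHostIdsUnique)) { Write-Warning 'Fix duplicate Host IDs before adding more hosts.' }
Get-NlbAddressReport  | Format-Table -AutoSize
Get-NlbPortRuleReport | Format-Table -AutoSize
```

On Windows Server 2008 R2 and later the NetworkLoadBalancingClusters module (Get-NlbCluster, Get-NlbClusterNode, Get-NlbClusterPortRule) replaces the WMI queries above.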


Additional Reading
Network Load Balancing Manager Overview
For more information on how Network Load Balancing works, see "How Network Load Balancing Technology Works."
For more information on NLB, see the Windows Server 2008 Help topic "Network Load Balancing."

Considerations for Creating a Network Load Balancing Cluster


For more information on creating a new Network Load Balancing cluster, see the Windows Server 2008 Network Load Balancing Help topic "Create a new network load balancing cluster."

Clustering Terminology
For more information on Failover clusters, see "Windows Server 2008 Technical Library" http://go.microsoft.com/fwlink/?LinkId=99823

What is a Failover Cluster?


For more information on Failover clusters, see "Windows Server 2008 Technical Library" http://go.microsoft.com/fwlink/?LinkId=99823

Hardware Requirements for a Failover Cluster


For more information on Windows Server 2008 Failover Cluster Management, see Windows Server 2008 Failover Cluster Management Help topic: "Understanding Requirements for Failover Clusters."

Failover Clustering Scenarios


For more information on Windows Server 2008 Failover Cluster Management, see Windows Server 2008 Failover Cluster Management Help topic: "Understanding Requirements for Failover Clusters."


Module Reviews and Takeaways


Review questions
1. Question: If you were to deploy shadow copies of shared folders in your network environment, would you notice a decrease in calls from users needing restoration from backups?
Answer: Most likely, once the users become trained, calls would decrease.
2. Question: Apply these planning considerations to a shadow copy scenario you face in your work environment and describe the choices you might make.
Answer: Answers may vary. This question should provide students with an opportunity to think through these planning considerations.
3. Question: How might you consider modifying the default schedule for your environment? Do you have data in shares that might require a more aggressive schedule?
Answer: Answers will vary. Lead a discussion on the merits and necessity of shorter schedules.
4. Question: What are the possible drawbacks or costs of enabling Shadow Copies?
Answer: Shadow copies will require more drive space and potentially affect the performance of servers.
Question: Will you enable Shadow Copies on all volumes on your servers?
Answer: Answers may vary, but in general it is recommended that Shadow Copies be enabled only on volumes where it is needed.
5. Question: What might be the problem if a user calls the Help Desk and complains that the Previous Versions tab is missing from the shared folder/file properties?
Answer: A Windows XP or Windows 2000 client may not have the Previous Versions client installed. The client may be accessing the path without using the share path.
6. Question: If a user calls you and says that the Previous Versions tab is not visible, what would you ask to determine the problem?
Answer: Determine the operating system. If the client is Windows XP or Windows 2000, confirm that the Previous Versions application has been installed. Confirm that the user is accessing via the share, not through an alternate path.
7. Question: How would you train users to perform shadow copy restorations on their own?
Answer: Answers will vary. Lead a discussion on training user behavior.
8. Question: If a user wanted to restore part of a previous document version, how would you advise them to proceed?
Answer: Make a copy of the document before restoring to a previous version, and then manually combine the two document versions.
9. Question: Do you have any servers hosting stateless information that would benefit from Network Load Balancing in your environment?
Answer: Answers will vary.
10. Question: Should you enable this feature on all servers?
Answer: No. For security and performance reasons, only enable the necessary services on servers.
11. Question: What applications would require the optional shared storage?
Answer: When an application has shared data, such as a database or file service. Static web sites, for instance, do not require shared storage.
12. Question: When should you configure multiple DIPs for a cluster?
Answer: Multiple IP addresses can allow for access from different subnets or compatibility with IPv4 and IPv6.
13. Question: Describe a scenario where you might deploy or have already deployed NLB in your work environment. What settings are in use in this scenario?
Answer: Answers may vary. This question should provide students with an opportunity to think about what settings they would choose for a scenario that is relevant in their work environment.
14. Question: Discuss your work environment's approach to planned and unplanned downtime.
Answer: Answers may vary.
15. Question: Have you employed previous versions of clustering technology?
Answer: Answers may vary.
16. Question: If you presently have a server cluster in a previous server version, can you do a rolling upgrade to Windows Server 2008 Failover Clustering?
Answer: No.
17. Question: Describe one scenario in your work environment where you currently use or plan to implement failover clustering.
Answer: Answers may vary. This question should provide students with an opportunity to reflect on what services they can use in conjunction with failover clustering to provide high availability.
18. Question: What is the danger of choosing to restore a folder in Shadow Copies?
Answer: The current version is deleted.
19. Question: How are failover clusters different from Network Load Balancing?
Answer: The NLB cluster data must be stateless, yet because of shared storage in a failover cluster, stateless data may be involved.


Lab Review Questions and Answers


1. Question: Where Shadow Copies are enabled, is there a limitation on the number of shadow copies per volume that Windows Server 2008 keeps?
Answer: Yes, the maximum is 64 copies, regardless of the available storage space.
2. Question: When a user chooses to make a copy of a previous version, what happens to the permissions for the new object? Does it retain the security setting or revert to the default setting?
Answer: It reverts to default security settings.
3. Question: In a scenario where you want to load balance some but not all services on an NLB cluster, what configuration do you implement?
Answer: In this scenario, you would implement NLB cluster port rules to distinguish which services are load balanced and which are not.

Monitoring and Maintaining Windows Server 2008 Servers

14-1

Module 14

Monitoring and Maintaining Windows Server 2008 Servers


Contents:
Lesson 1: Planning Monitoring Tasks 2
Lesson 2: Calculating a Server Baseline 5
Lesson 3: Measuring Performance Objects 8
Lesson 4: Selecting Appropriate Monitoring Tools 11
Lesson 5: Planning Notification Methods 15
Lesson 6: Overview of Windows Server 2008 Maintenance Tasks 17
Lesson 7: Automating Windows Server 2008 Maintenance 19
Module Reviews and Takeaways 22
Lab Review Questions and Answers 25


Lesson 1

Planning Monitoring Tasks


Contents:
Question and Answers 3
Additional Reading 4


Question and Answers


Reasons for Monitoring
Question: What troubleshooting procedures can you think of that would benefit from server monitoring?
Answer: There are several reasons to monitor servers for performance. These include:
- Establishing baseline metrics to determine normal operating conditions for servers.
- Improving server performance by detecting anomalies.
- Simplifying troubleshooting through early identification of malfunctioning components.
- Making server management proactive through early identification of potential problems.
- Predicting requirements for future server capacity.
- Reallocating underused resources.

Monitoring Methods
Question: Which tools do you currently plan to use to monitor Windows Server 2008? Consider long-term planning goals and specific troubleshooting instances. Answer: Students' answers will vary based on their organization.

Planning for Event Monitoring


Question: What is the monetary cost of reduced user productivity for your organization?
Answer: Answers will vary. This will be the fraction of the operating cost that results from the reduced user productivity.
Question: What is the cost of system outage that is caused by not monitoring systems?
Answer: The cost of downtime resulting from the system outage.
Question: What is the cost of a reactive approach to troubleshooting?
Answer: Lost productivity, administrator time to troubleshoot.


Additional Reading
Planning for Event Monitoring
For more information, see the following:
- For more information about Operations Manager, see Microsoft System Center Operations Manager.
- For more information about the Dynamic Systems Initiative, see the Dynamic Systems Initiative Overview White Paper.


Lesson 2

Calculating a Server Baseline


Contents:
Question and Answers 6
Additional Reading 7


Question and Answers


Key Hardware Components to Monitor
Question: Which hardware components are most likely to restrict performance for a file server? Answer: Disk, but all components can restrict performance for a file server.

Common Performance Metrics


Question: What performance issues could be identified by monitoring cache? Answer: If too much memory is being used for the file system cache, server performance may be slow. You might want to identify the reason for the high cache usage and make changes if necessary.

Analyzing Performance Trends


Question: What additional server support will your current business plans require? Answer: Answers will vary based on students' organizations.

Planning for Future Capacity Requirements


Question: How can you scale up your existing server workload to support more users? Answer: Answers will vary, but can include adding additional physical servers, hardware to existing servers, or adding virtual servers with Hyper-V.


Additional Reading
Key Hardware Components to Monitor
For more information on performance issues related to key hardware components, see Solving Performance Problems.

Common Performance Metrics


For more information about common performance metrics, see Performance Tuning Guidelines for Windows Server 2008.


Lesson 3

Measuring Performance Objects


Contents:
Question and Answers 9
Additional Reading 10


Question and Answers


Identifying Server Role Performance Metrics
Question: Which server roles will you use in your organization? Which objects and counters will be available for you to monitor? Answer: Answers will vary.

Identifying Key Performance Counters


Question: Why are average counters more useful than counters that show the current value? Answer: Values may fluctuate, and a point-in-time value may be higher or lower than normal. By looking at an average value you are able to get a more accurate view of the value.

Primary CPU Performance Counters


Question: If the % Processor Time is 80%, should any corrective action be taken? Answer: This amount is greater than the ideal value. You should evaluate your environment and decide if you should add additional processors or split the server load among more than one server.

Primary Memory Performance Counters


Question: If the Pool Nonpaged Bytes counter has a slow rise, what might be happening? Answer: A slow rise might indicate a memory leak - the failure to properly deallocate memory that was previously allocated.

Primary Disk Performance Counters


Question: Why do you want the % Disk Time to be as low as possible? Answer: The higher the % Disk Time, the busier the server is and the more resources that are being used. If this value is high, you will want to evaluate your organization's requirements and whether to add additional resources to free up disk time on the server.

Primary Network Performance Counters


Question: If the output queue length is 5, what problems might you have in your network? Answer: You might have delays which can slow down productivity.


Additional Reading
Identifying Server Role Performance Metrics
For more information on server role performance metrics, see Performance Tuning Guidelines for Windows Server 2008.

Identifying Key Performance Counters


For more information about performance monitoring, see Using Performance Tools to Obtain a Baseline.

Primary CPU Performance Counters


For more information on CPU performance counters, see the following:
- Suggested Performance Counters to Watch
- Processor Object

Primary Memory Performance Counters


For more information on memory performance counters, see the following:
- Suggested Performance Counters to Watch
- Memory Object

Primary Disk Performance Counters


For more information on disk performance counters, see the following:
- Performance Tuning Guidelines for Windows Server 2008
- LogicalDisk Object
- PhysicalDisk Object

Primary Network Performance Counters


For more information on network performance counters, see Performance Tuning Guidelines for Windows Server 2008.


Lesson 4

Selecting Appropriate Monitoring Tools

Contents:
Question and Answers 12
Detailed Demo Steps 13
Additional Reading 14


Question and Answers


Windows Server 2008 Monitoring Tools
Question: Which tools do you currently use to monitor servers? How can you make use of improved monitoring tools in Windows Server 2008? Answer: Answers will vary based on students' organizations.

Reliability and Performance Monitor


Question: What is a benefit to Data Collector Sets? Answer: Once a group of data collectors are stored as a Data Collector Set, operations such as scheduling can be applied to the entire set through a single property change. This makes monitoring tasks quicker for an administrator.

Reliability Monitor
Question: How can you use the Reliability Monitor in your organization? Answer: Answers will vary. For example, students can use the Reliability Monitor to track application updates and their effect on system stability.

Demonstration: Overview of the Reliability and Performance Monitor


Question: Where can you find real-time information about network activity?
Answer: The Resource Overview page has a Network section that supplies real-time data on network activity.
Question: Which Reliability Monitor reports will you implement in your work environment?
Answer: Answers may vary. This question should provide students with an opportunity to discuss how they plan to implement Reliability Monitor reports.

Third-Party Monitoring Tools


Question: Which third-party monitoring tools do you currently use? How can these help you monitor server performance in the future? Answer: Answers will vary.


Detailed Demo Steps


Demonstration: Overview of the Reliability and Performance Monitor
Demonstration steps:
1. Click Start | Administrative Tools | Reliability and Performance Monitor.
2. Briefly examine the Resource Overview screen. Expand each of the CPU, Disk, Network, and Memory sections to examine details.
3. Open Performance Monitor. Mention that this has not changed significantly from Windows Server 2003.
4. Click the green plus sign on the toolbar to add objects and counters.
5. In the Add Counters dialog box, expand the Directory Services object, select the DRA Inbound Bytes Total/sec counter, and then click Add.
6. Repeat the previous step to add the following counters:
   - DRA Outbound Bytes Total/sec
   - DS Threads In Use
   - DS Directory Reads/sec
   - DS Directory Writes/sec
7. Expand Security System-Wide Statistics, and add the Kerberos Authentications counter.
8. Expand DNS, add the UDP Query Received counter, and then click OK.
9. In the folder pane, right-click Performance Monitor, click New, and then click Data Collector Set.
10. In the Create New Data Collector Set dialog box, type Active Directory in the Name field, and then click Next.
11. Leave the Root directory as the default path, click Next, and then click Finish.
12. Expand Data Collector Sets, expand User Defined, right-click the Active Directory data collector set, and then click Start.
13. Expand Reports, expand User Defined, expand Active Directory, and then click System Monitor Log.blg. The Report Status shows that the log is collecting data.
14. In the Data Collector Sets section, right-click the Active Directory data collector set, and then click Stop.
15. Click System Monitor Log.blg. The log chart is displayed in the details pane.
16. Open Reliability Monitor. Expand any one of the reports and examine it.
17. Open Reports, and then examine each of the system reports that are available.
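The same "Active Directory" data collector set built and read back from the command line, as an added example that is not the course's own material. It assumes Windows PowerShell 2.0 with logman.exe and relog.exe on the path (both ship with Windows Server 2008), an elevated session on the domain controller, and that the demonstration's counters are written in PDH path form (the Directory Services object appears in paths as DirectoryServices(NTDS)); the log directory and the sample data at the end are constructed.

```powershell
# Added example (not course code): recreate the demonstration's "Active Directory"
# data collector set with logman.exe, collect a short sample, convert the .blg log to
# CSV with relog.exe, and compare each counter's average with its peak, which is the
# view the course recommends over a single point-in-time value.
# Assumptions, labelled here: PowerShell 2.0; logman.exe and relog.exe on the path;
# counter paths as below; $LogDir and $SampleCsv are constructed for this example.

$SetName  = 'Active Directory'
$LogDir   = 'C:\PerfLogs\ActiveDirectory'   # constructed path
$Counters = @(
    '\DirectoryServices(NTDS)\DRA Inbound Bytes Total/sec',
    '\DirectoryServices(NTDS)\DRA Outbound Bytes Total/sec',
    '\DirectoryServices(NTDS)\DS Threads In Use',
    '\DirectoryServices(NTDS)\DS Directory Reads/sec',
    '\DirectoryServices(NTDS)\DS Directory Writes/sec',
    '\Security System-Wide Statistics\Kerberos Authentications',
    '\DNS\UDP Query Received'
)

# Steps 9-11 of the demonstration from the command line: a counter collector that
# samples every 5 seconds into a binary (.blg) log under $LogDir.
function New-AdCollectorSet {
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    & logman.exe create counter $SetName -c $Counters -si 00:00:05 -f bin -o (Join-Path $LogDir 'System Monitor Log')
}

# Steps 12 and 14: start the set, let it collect, stop it.
function Start-AdCollection([int]$Seconds = 60) {
    & logman.exe start $SetName
    Start-Sleep -Seconds $Seconds
    & logman.exe stop $SetName
}

# relog converts the newest .blg to CSV: a timestamp column followed by one column per
# counter, each headed by the full counter path including the machine name.
function Convert-LatestLog {
    $blg = Get-ChildItem -Path $LogDir -Filter '*.blg' | Sort-Object LastWriteTime | Select-Object -Last 1
    $csv = [System.IO.Path]::ChangeExtension($blg.FullName, '.csv')
    & relog.exe $blg.FullName -f CSV -o $csv -y | Out-Null
    return $csv
}

# Average against peak per counter. A peak many times the average on DS Directory
# Writes/sec or Kerberos Authentications is the kind of deviation from the baseline
# (Lesson 2) that warrants a look at the Security and Directory Service event logs.
function Get-CounterSummary([string]$CsvPath) {
    $rows    = @(Import-Csv -Path $CsvPath)
    $columns = @($rows[0].PSObject.Properties | ForEach-Object { $_.Name } | Select-Object -Skip 1)
    foreach ($col in $columns) {
        # relog leaves a blank cell where a sample was missed; skip those cells.
        $values = @($rows | Where-Object { $_.$col -match '^\s*-?[\d.]+' } | ForEach-Object { [double]$_.$col })
        if ($values.Count -eq 0) { continue }
        $stats = $values | Measure-Object -Average -Maximum
        '' | Select-Object `
            @{Name = 'Counter';   Expression = { $col }},
            @{Name = 'Samples';   Expression = { $values.Count }},
            @{Name = 'Average';   Expression = { [math]::Round($stats.Average, 2) }},
            @{Name = 'Peak';      Expression = { $stats.Maximum }},
            @{Name = 'PeakRatio'; Expression = { if ($stats.Average -gt 0) { [math]::Round($stats.Maximum / $stats.Average, 1) } else { 0 } }}
    }
}

# Constructed sample in relog's CSV layout (not real measurements) so Get-CounterSummary
# can be tried without a domain controller; DC01 is a placeholder host name.
$SampleCsv = @'
"(PDH-CSV 4.0) (Pacific Standard Time)(480)","\\DC01\DirectoryServices(NTDS)\DS Directory Writes/sec","\\DC01\Security System-Wide Statistics\Kerberos Authentications"
"06/14/2009 09:00:05.000","12.4","3"
"06/14/2009 09:00:10.000","11.8","4"
"06/14/2009 09:00:15.000","240.6","118"
"06/14/2009 09:00:20.000","13.1","2"
'@
$SamplePath = Join-Path $env:TEMP 'ad-counter-sample.csv'
Set-Content -Path $SamplePath -Value $SampleCsv
Get-CounterSummary $SamplePath | Format-Table -AutoSize

# Against a real domain controller, run the collection end to end instead:
#   New-AdCollectorSet; Start-AdCollection 120; Get-CounterSummary (Convert-LatestLog) | Format-Table -AutoSize
```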


Additional Reading
Windows Server 2008 Monitoring Tools
For more information on Windows Server 2008 monitoring tools, see the following:
- Monitoring Windows Server 2008 with Operations Manager
- Monitoring Events
- How to use and troubleshoot issues with Windows Task Manager

Reliability and Performance Monitor


For more information on Windows Reliability and Performance Monitor, see Windows Reliability and Performance Monitor.

Reliability Monitor
For more information on Windows Reliability and Performance Monitor, see Windows Reliability and Performance Monitor.

Third-Party Monitoring Tools


For more information on Operations Manager, see Monitoring Windows Server 2008 with Operations Manager.

What Are Subscriptions?


For more information, see the following links:
- Event Subscriptions
- Configure Computers to Forward and Collect Events


Lesson 5

Planning Notification Methods


Contents:
Question and Answers 16


Question and Answers


Identifying Business Requirements
Question: What are your business's response times, and how does your business make staff available to provide support? Answer: Answers will vary.

Suitable Notification Methods


Question: How do you currently notify administrators of issues with servers? How could you improve this process? Answer: Answers will vary.

Establishing an Escalation Path


Question: What improvements can you make to the escalation paths for issues within your business? Answer: Answers will vary.


Lesson 6

Overview of Windows Server 2008 Maintenance Tasks


Contents:
Question and Answers 18


Question and Answers


Windows Server 2008 Maintenance Tasks
Question: List the monitoring tasks you perform at work most often. Answer: Answers will vary. You should perform several everyday management tasks to ensure that your Windows Server 2008 environment is running correctly. You should perform some of these tasks, such as health and diagnostics monitoring, at regular intervals, but you can perform other tasks, such as troubleshooting, only when they are required.

Common Tasks for Different Server Roles


Question: Which event logs do you regularly review on your servers at work? Answer: Answers will vary. You should review all logs that will affect server availability.

Frequency of Management Tasks


Question: How often do you review server event logs?
Answer: Answers will vary.
Question: Do any of your servers have requirements that make scheduling management tasks more difficult (such as 24x7 operations)?
Answer: Answers will vary.


Lesson 7

Automating Windows Server 2008 Maintenance


Contents:
Question and Answers 20
Additional Reading 21


Question and Answers


Automation Requirements
Question: Do you have any skills in scripting or in Windows PowerShell in your organization? Answer: Answers will vary.

Task Automation Tools


Question: Do you currently use automation tools at work?
Answer: Answers will vary.
Question: In what ways can using automation tools benefit your organization?
Answer: Examples include saving time and saving money.

Tool Selection Process


Question: If you currently use some of these tools, why was the tool(s) chosen? Answer: Answers will vary, but students should be thinking about the benefits and disadvantages of the available tools and which tools would work best for their organization.


Additional Reading
Task Automation Tools
For more information on Windows PowerShell, see Getting Started with Windows PowerShell.


Module Reviews and Takeaways


Review questions
1. Question: List four troubleshooting procedures that would benefit from server monitoring.
Answer: There are many troubleshooting procedures that benefit from server monitoring. Some include:
- Establishing baseline metrics to determine normal operating conditions for servers.
- Improving server performance by detecting anomalies.
- Simplifying troubleshooting through early identification of malfunctioning components.
- Making server management proactive through early identification of potential problems.
- Predicting requirements for future server capacity.
- Reallocating underused resources.
2. Question: Which tools do you currently plan to use to monitor Windows Server 2008? Consider long-term planning goals and specific troubleshooting instances.
Answer: Students' answers will vary based on their organization.
3. Question: What is the monetary cost of reduced user productivity for your organization?
Answer: Answers will vary. This will be the fraction of the operating cost that results from the reduced user productivity.
4. Question: What is the cost of system outage that is caused by not monitoring systems?
Answer: The cost of downtime resulting from the system outage.
5. Question: What is the cost of a reactive approach to troubleshooting?
Answer: Lost productivity, administrator time to troubleshoot.
6. Question: Which hardware components are most likely to restrict performance for a file server?
Answer: Disk, but all components can restrict performance for a file server.
7. Question: What performance issues could be identified by monitoring cache?
Answer: If too much memory is being used for the file system cache, server performance may be slow. You might want to identify the reason for the high cache usage and make changes if necessary.
8. Question: What additional server support will your current business plans require?
Answer: Answers will vary based on students' organizations.
9. Question: How can you scale up your existing server workload to support more users?
Answer: Answers will vary, but can include adding additional physical servers, hardware to existing servers, or adding virtual servers with Hyper-V.
10. Question: Which server roles will you use in your organization? Which objects and counters will be available for you to monitor?
Answer: Answers will vary.
11. Question: Why are average counters more useful than counters that show the current value?
Answer: Values may fluctuate, and a point-in-time value may be higher or lower than normal. By looking at an average value you are able to get a more accurate view of the value.
12. Question: If the % Processor Time is 80%, should any corrective action be taken?
Answer: This amount is greater than the ideal value. You should evaluate your environment and decide if you should add additional processors or split the server load among more than one server.


13. Question: If Pool Nonpaged Bytes shows a slow rise, what might be happening?
Answer: A slow rise might indicate a memory leak: the failure to properly deallocate memory that was previously allocated.
14. Question: Why do you want % Disk Time to be as low as possible?
Answer: The higher the % Disk Time, the busier the server is and the more resources are being used. If this value is high, you will want to evaluate your organization's requirements and decide whether to add resources to free up disk time on the server.
15. Question: If the Output Queue Length is 5, what problems might you have in your network?
Answer: You might have delays, which can slow down productivity.
16. Question: Which tools do you currently use to monitor servers? How can you make use of improved monitoring tools in Windows Server 2008?
Answer: Answers will vary based on the students' organizations.
17. Question: What is a benefit of Data Collector Sets?
Answer: Once a group of data collectors is stored as a Data Collector Set, operations such as scheduling can be applied to the entire set through a single property change. This makes monitoring tasks quicker for an administrator.
18. Question: How can you use the Reliability Monitor in your organization?
Answer: Answers will vary. For example, students can use the Reliability Monitor to track application updates and their effect on system stability.
19. Question: Where can you find real-time information about network activity?
Answer: The Resource Overview page has a Network section that supplies real-time data on network activity.
20. Question: Which Reliability Monitor reports will you implement in your work environment?
Answer: Answers may vary. This question should provide students with an opportunity to discuss how they plan to implement Reliability Monitor reports.
21. Question: Which third-party monitoring tools do you currently use, if any? How can these help you monitor server performance in the future?
Answer: Answers will vary.
22. Question: Where would subscriptions be most useful in your organization?
Answer: Answers will vary.
23. Question: What are your business's response times, and how does your business make staff available to provide support?
Answer: Answers will vary.
24. Question: How do you notify staff of service failures or maintenance problems? In what ways can you improve this process?
Answer: Answers will vary based on the students' organizations.
25. Question: What improvements can you make to the escalation paths for issues within your business?
Answer: Answers will vary based on the students' organizations.
26. Question: List the monitoring tasks you perform at work most often.
Answer: Answers will vary. You should perform several everyday management tasks to ensure that your Windows Server 2008 environment is running correctly. You should perform some of these tasks, such as health and diagnostics monitoring, at regular intervals, but you can perform other tasks, such as troubleshooting, only when they are required.

14-24

Configuring, Managing, and Maintaining Windows Server 2008 Servers

27. Question: Which event logs do you regularly review on your servers at work?
Answer: Answers will vary. You should review all logs that will affect server availability.
28. Question: How often do you review server event logs?
Answer: Answers will vary.
29. Question: Do any of your servers have requirements that make scheduling management tasks more difficult (such as 24x7 operations)?
Answer: Answers will vary.
30. Question: Do you have any skills in scripting or in Windows PowerShell in your organization?
Answer: Answers will vary.
31. Question: Do you currently use automation tools at work?
Answer: Answers will vary.
32. Question: In what ways can using automation tools benefit your organization?
Answer: Examples include saving time and saving money.
33. Question: If you currently use some of these tools, why were those tools chosen?
Answer: Answers will vary, but the question should get students thinking about the benefits and disadvantages of the available tools and which tools would work best for their organization.
34. Question: What are the benefits of monitoring server performance?
Answer: Capacity planning, identifying and removing performance bottlenecks, and improving server troubleshooting.
35. Question: What are some of the tasks that you should undertake when you create a performance baseline for a server?
Answer: Use Reliability and Performance Monitor to create a data collector set, use Reliability and Performance Monitor to identify when server capacity is high and low, and ensure that the server is working under normal operating conditions.
36. Question: What are the advantages of using a range of monitoring tools?
Answer: It is possible to collect data in real time; you can use historical data analysis to identify performance trends; and various Windows events can be consolidated by using tools such as Operations Manager.
37. Question: What are the advantages of measuring specific performance counters?
Answer: Troubleshooting specific server issues, identifying malfunctioning hardware, and identifying software application issues.
38. Question: What are the advantages of using alerts to identify performance issues?
Answer: Administrators can react quickly to problems; Reliability and Performance Monitor can make use of WMI to alert administrators; and Reliability and Performance Monitor can start a data collector set on an alert.
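Added example, not part of the course material: the script below reads a Performance Monitor CSV export and applies the three checks behind questions 13 to 15 (a steady rise in Pool Nonpaged Bytes, a sustained busy period in % Disk Time, and Output Queue Length samples above a congestion threshold). The server name SRV1, the NIC name, every sample value and all thresholds are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the CSV layout Performance Monitor writes: first column is the
# timestamp, the rest are counter paths. Server name, NIC name and every value are
# invented for illustration; a blank cell (" ") is how PDH records a missing sample.
SAMPLE_LOG = (
    '"(PDH-CSV 4.0)","\\\\SRV1\\Memory\\Pool Nonpaged Bytes",'
    '"\\\\SRV1\\PhysicalDisk(_Total)\\% Disk Time",'
    '"\\\\SRV1\\Network Interface(NIC1)\\Output Queue Length"\n'
    '"01/06/2010 08:00:00.000","52428800","10.0"," "\n'
    '"01/06/2010 09:00:00.000","54525952","20.0","0"\n'
    '"01/06/2010 10:00:00.000","56623104","55.0","0"\n'
    '"01/06/2010 11:00:00.000","58720256","85.0","1"\n'
    '"01/06/2010 12:00:00.000","60817408","90.0","3"\n'
    '"01/06/2010 13:00:00.000","62914560","95.0","5"\n'
    '"01/06/2010 14:00:00.000","65011712","60.0","5"\n'
    '"01/06/2010 15:00:00.000","67108864","25.0","2"\n'
    '"01/06/2010 16:00:00.000","69206016","10.0","0"\n'
)
POOL = "\\\\SRV1\\Memory\\Pool Nonpaged Bytes"
DISK = "\\\\SRV1\\PhysicalDisk(_Total)\\% Disk Time"
NIC = "\\\\SRV1\\Network Interface(NIC1)\\Output Queue Length"


def parse_perfmon_csv(text):
    """Return [(timestamp, {counter_path: value})] in log order, skipping blank cells."""
    reader = csv.reader(io.StringIO(text))
    names = next(reader)[1:]
    rows = []
    for row in reader:
        if not row:
            continue
        stamp = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
        rows.append((stamp, {n: float(c) for n, c in zip(names, row[1:]) if c.strip()}))
    return rows


def series(rows, counter):
    """(hours since the first sample, value) pairs for one counter."""
    t0 = rows[0][0]
    return [((s - t0).total_seconds() / 3600.0, v[counter]) for s, v in rows if counter in v]


def slope_per_hour(points):
    """Ordinary least-squares slope of value against elapsed hours."""
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    return 0.0 if sxx == 0.0 else sum((x - mean_x) * (y - mean_y) for x, y in points) / sxx


def check_pool_nonpaged(points, min_mb_per_hour=1.0, min_rising_fraction=0.8):
    """Leak heuristic (question 13): a steady climb, most deltas positive, rather than one
    spike. The two thresholds are assumptions for this example, not course guidance."""
    deltas = [b - a for (_, a), (_, b) in zip(points, points[1:])]
    rising = sum(1 for d in deltas if d > 0) / max(len(deltas), 1)
    mb_per_hour = slope_per_hour(points) / (1024 * 1024)
    return {"mb_per_hour": round(mb_per_hour, 2), "rising_fraction": round(rising, 2),
            "leak_suspected": mb_per_hour >= min_mb_per_hour and rising >= min_rising_fraction}


def check_disk_time(points, busy_pct=80.0, min_run=3):
    """Question 14: flag a sustained busy period (min_run consecutive samples at or above
    busy_pct) rather than a single spike. Thresholds are assumptions."""
    longest = run = 0
    for _, pct in points:
        run = run + 1 if pct >= busy_pct else 0
        longest = max(longest, run)
    return {"average_pct": round(sum(p for _, p in points) / len(points), 1),
            "longest_busy_run": longest, "sustained_busy": longest >= min_run}


def check_output_queue(points, max_ok=2.0):
    """Question 15: samples where packets are queuing on the adapter. A threshold of 2 is
    an assumption; the course's example value of 5 is well past it."""
    over = [q for _, q in points if q > max_ok]
    return {"peak": max(q for _, q in points), "samples_over_threshold": len(over),
            "congested": bool(over)}


def analyze(text):
    """Run all three checks over one Performance Monitor CSV export."""
    rows = parse_perfmon_csv(text)
    return {"pool_nonpaged": check_pool_nonpaged(series(rows, POOL)),
            "disk_time": check_disk_time(series(rows, DISK)),
            "output_queue": check_output_queue(series(rows, NIC))}


if __name__ == "__main__":
    for name, result in analyze(SAMPLE_LOG).items():
        print(name, result)
```

On the constructed log the script reports a 2 MB/hour steady rise in Pool Nonpaged Bytes, three consecutive busy disk samples, and three queue-length samples above the threshold.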

Monitoring and Maintaining Windows Server 2008 Servers

14-25

Lab Review Questions and Answers


1. Question: How can you view information about a performance counter?
Answer: In the Performance Monitor, add a counter, select the counter in the dialog box, and then select the Show description dialog box.
2. Question: Task Manager does not display CPU information for virtual machines running on Hyper-V. How could you view CPU usage information for these virtual machines?
Answer: To view CPU usage information for virtual machines running on a Hyper-V server, use Performance and Reliability Monitor to view the data from Hyper-V performance counters.
3. Question: Did you receive any warnings on the Performance Report? If so, why did you receive the warning(s), and how would you fix them?
Answer: You should have received a warning regarding memory. The virtual machine does not have enough allocated memory (512 MB) to function efficiently. The easiest way to fix this warning is to allocate more memory to the virtual machine. If this were a physical computer, you would want to add more RAM to the computer.
4. Question: What approach did you use to determine the performance issues using Performance Monitor logs?
Answer: Answers may vary. This question should provide students with an opportunity to discuss their troubleshooting approach.

Managing Windows Server 2008 Backup and Restore

15-1

Module 15

Managing Windows Server 2008 Backup and Restore


Contents:
Lesson 1: Planning Backups with Windows Server 2008, page 2
Lesson 2: Planning Backup Policy on Windows Server 2008, page 5
Lesson 3: Planning a Server Restore Policy, page 8
Lesson 4: Planning an EFS Restore Policy, page 12
Lesson 5: Troubleshooting Windows Server 2008 Startup, page 15
Module Reviews and Takeaways, page 19
Lab Review Questions and Answers, page 22

Lesson 1

Planning Backups with Windows Server 2008


Contents:
Question and Answers, page 3
Additional Reading, page 4

Question and Answers


Selecting Backup Software and Backup Operators
Question: What backup software or solutions do you currently use?
Answer: Answers may vary.

Creating a Backup Schedule


Question: How frequently do you currently perform backups?
Answer: Answers may vary.
Question: Do you have different backup schedules for different data?
Answer: Answers may vary.

Creating the Data Retention Plan


Question: What is your current data retention plan?
Answer: Answers may vary.
Question: Do you have any legal data retention requirements to fulfill?
Answer: Answers may vary.

Backing Up Encrypted Files and Virtual Machines


Question: Do your users currently use Encrypting File System (EFS)?
Answer: Answers may vary.

Additional Reading
Selecting Backup Software and Backup Operators
For more information, see the following link: Windows Server Backup.

Process for Planning Backup in Windows Server 2008


For more information, see the following link: Windows Server Backup.

Creating a Backup Schedule


For more information, see the following link: Windows Server Backup.

Creating the Data Retention Plan


For more information about System Center Data Protection Manager, see the System Center Data Protection Manager 2007 Web site.

Backing Up Encrypted Files and Virtual Machines


For more information, see the following links: Recover Encrypted Files; Backup Virtual Machines.

Lesson 2

Planning Backup Policy on Windows Server 2008

Contents:
Question and Answers, page 6
Additional Reading, page 7

Question and Answers


Factors That Affect Backup Policy
Question: Does your information technology (IT) department fulfill any service-level agreements
(SLAs)?
Answer: Answers may vary.
Question: Do you back up any data over the network?
Answer: Answers may vary.

Storage and Security Considerations


Question: Who currently has access to backup media at your organization?
Answer: Answers may vary.

Process for Selecting Backup Operators


Question: Who performs backup and restore tasks in your organization?
Answer: Answers may vary.
Question: Are backup and restore roles separated in your organization?
Answer: Answers may vary.

Additional Reading
Factors That Affect Backup Policy
For more information, see the following link: Backup using GPMC.

Storage and Security Considerations


For more information, see the following link: Backup using GPMC.

Process for Selecting Backup Operators


For more information, see the following link: Backup Best Practices.

Lesson 3

Planning a Server Restore Policy


Contents:
Question and Answers, page 9
Additional Reading, page 11

Question and Answers


Considerations for a Server Restore
Question: Who determines the restore procedures during data and server loss incidents within your organization?
Answer: Answers may vary.
Question: What process do you follow to ensure that you only restore valid data and that no data is
lost during the restore process?
Answer: Answers may vary.

Impact of a Server Restore


Question: How can you improve the change management process for restoring data in your organization?
Answer: Answers may vary.

Improving the Backup Plan


Question: What improvements can you make to your backup plans?
Answer: Answers may vary.
Question: What improvements can you make to your disaster recovery plans?
Answer: Answers may vary.

Change Management Considerations


Question: How do you ensure that restored data does not overwrite newer data in your
organization?
Answer: Answers may vary.

Restore Logs
Question: How do you verify that all files are successfully restored after a restore takes place?
Answer: Answers may vary.

Restore Options
Question: What is the process in your organization for checking access to restored data?
Answer: Answers may vary.

Security Analysis
Question: Who can restore files in your organization?
Answer: Answers may vary.
Question: Must you review membership of the Administrators and Backup Operators groups?
Answer: Answers may vary.

Updating Backup Policy


Question: How often do you update the backup and restore policy in your organization? Can you identify areas of your current policies that require updating?
Answer: Answers may vary.

Additional Reading
Considerations for a Server Restore
For more information, see the following link: Backup and Restore Best Practices.

Impact of a Server Restore


For more information, see the following link: Backup and Restore Best Practices.

Improving the Backup Plan


For more information, see the following link: Backup and Restore Best Practices.

Change Management Considerations


For more information, see the following link: Best Practices for Change Management.

Restore Logs
For more information about Wbadmin.exe, see Wbadmin on the Microsoft TechNet Web site.

Restore Options
For more information, see the following link: Best Practices Backup and Restore.

Security Analysis
For more information, see the following link: Security Considerations for Backup and Restore.

Updating Backup Policy


For more information, see the following link: Backup using GPMC.

Lesson 4

Planning an EFS Restore Policy


Contents:
Question and Answers, page 13
Additional Reading, page 14

Question and Answers


Considerations When Restoring EFS Data
Question: What steps must you take to ensure that you can recover EFS keys and data?
Answer: Answers may vary.

Requirements for EFS Recovery


Question: What planning documentation is there in your organization for EFS? How can you ensure that this documentation is updated and modified?
Answer: Answers may vary.

Preparing to Recover EFS Files


Question: Who in your organization is in charge of creating and configuring the certification authority?
Answer: Answers may vary.

Managing the Recovery Agent


Question: List at least one example of how your organization can use the Recovery Agent to access EFS files during a disaster recovery scenario.
Answer: Answers may vary.

Recovering EFS Files


Question: Who in your organization has the proper DRA privileges to open EFS encrypted files?
Answer: Answers may vary.

Additional Reading
Considerations When Restoring EFS Data
For more information about EFS, see "Data Encryption Toolkit for Mobile PCs" on the Microsoft TechNet Web site. For more information about planning for EFS, see Plan Data Encryption in "Planning" in the Server Deployment section of the Microsoft TechNet Web site.

Requirements for EFS Recovery


For more information about EFS, see "Encrypting File System" on the Microsoft TechNet Web site.

Preparing to Recover EFS Files


For more information, see Best Practices for EFS on the Microsoft TechNet Web site.

Managing the Recovery Agent


For more information, see Backup Recovery Agent Private Key on the Microsoft TechNet Web site.

Recovering EFS Files


For more information about EFS, see Encrypting File System on the Microsoft TechNet Web site.

Lesson 5

Troubleshooting Windows Server 2008 Startup


Contents:
Question and Answers, page 16
Additional Reading, page 18

Question and Answers


Common Causes of Startup Problems
Question: Can you think of situations where you had to troubleshoot a Windows startup problem, and if so, how did you resolve it?
Answer: Answers may vary.

Reviewing Startup Processes


Question: During startup, in which of these phases is system memory checked?
Answer: In the POST phase, initial hardware checks are performed, such as determining the amount of memory present.

Troubleshooting Startup Before the Windows Logo Appears


Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start before the Windows logo appears?
Answer: In general, if Windows fails to start and the product logo does not appear, problems can typically be caused by corruption in boot files or in the system volume. While these problems can often be repaired without taking drastic measures, such as reinstalling the operating system, it could also indicate a hardware problem such as a failing hard disk.

Troubleshooting Startup After the Windows Logo Appears


Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start after the Windows logo appears?
Answer: While the range of problems that can cause Windows to fail after the logo appears may be large, they are often related to driver or Windows service issues.

Troubleshooting Startup Problems After Logon


Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start after logon?
Answer: Often the cause of startup problems occurring after logon is a problematic application that is configured to start automatically. Repairing, temporarily disabling, or removing the application may be required. And, as with any problem that impacts Windows availability, scanning the system for viruses may be necessary.

Recovering from Hardware Problems


Question: If you suspected a hardware-related problem, what would be the first things you would check?
Answer: Answers will vary, but can include simply making sure that the computer is receiving power, checking that all cables are correctly plugged in, and opening the case to ensure that the CPU, memory, and other devices are properly and firmly seated.

Additional Reading
Being Prepared for Startup Failures
Windows Server 2008 Help: Recover the Operating System

Module Reviews and Takeaways


Review questions
1. Question: What backup software or solutions do you currently use?
Answer: Answers may vary.
2. Question: What types of data do you regularly back up at work?
Answer: Answers may vary.
3. Question: How frequently do you currently perform backups?
Answer: Answers may vary.
4. Question: Do you have different backup schedules for different data?
Answer: Answers may vary.
5. Question: What is your current data retention plan?
Answer: Answers may vary.
6. Question: Do you have any legal data retention requirements to fulfill?
Answer: Answers may vary.
7. Question: Do your users currently use Encrypting File System (EFS)?
Answer: Answers may vary.
8. Question: Does your information technology (IT) department fulfill any service-level agreements (SLAs)?
Answer: Answers may vary.
9. Question: Do you back up any data over the network?
Answer: Answers may vary.
10. Question: Who currently has access to backup media at your organization?
Answer: Answers may vary.
11. Question: Who performs backup and restore tasks in your organization?
Answer: Answers may vary.
12. Question: Are backup and restore roles separated in your organization?
Answer: Answers may vary.
13. Question: Who determines the restore procedures during data and server loss incidents within your organization?
Answer: Answers may vary.
14. Question: What process do you follow to ensure that you only restore valid data and that no data is lost during the restore process?
Answer: Answers may vary.
15. Question: List at least one example of when it becomes imperative that a server restore is required.
Answer: Answers may vary.
16. Question: How can you improve your company's backup plan?
Answer: Answers may vary.

17. Question: What considerations does your company employ when applying change management?
Answer: Answers may vary.
18. Question: How do you verify that all files are successfully restored after a restore takes place?
Answer: Answers may vary.
19. Question: Will you restore to a different location or replace existing files?
Answer: Answers may vary.
20. Question: What steps should you take to ensure that only the correct people have access to the files after they have been restored?
Answer: Answers may vary.
21. Question: Who can restore files in your organization, and who should be able to restore files?
Answer: Answers may vary.
22. Question: When did you last update your backup and restore policies?
Answer: Answers may vary.
23. Question: List at least one example of how your company can recover EFS data.
Answer: Answers may vary.
24. Question: Who in your organization determines whether the requirements for EFS recovery have been met?
Answer: Answers may vary.
25. Question: Who in your organization is in charge of creating and configuring the certification authority?
Answer: Answers may vary.
26. Question: List at least one example of how your organization can use the Recovery Agent to access EFS files during a disaster recovery scenario.
Answer: Answers may vary.
27. Question: Who in your organization has the proper DRA privileges to open EFS encrypted files?
Answer: Answers may vary.
28. Question: Can you think of situations where you had to troubleshoot a Windows startup problem, and if so, how did you resolve it?
Answer: Answers may vary.
29. Question: During startup, in which of these phases is system memory checked?
Answer: In the POST phase, initial hardware checks are performed, such as determining the amount of memory present.
30. Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start before the Windows logo appears?
Answer: In general, if Windows fails to start and the product logo does not appear, problems can typically be caused by corruption in boot files or in the system volume. While these problems can often be repaired without taking drastic measures, such as reinstalling the operating system, it could also indicate a hardware problem such as a failing hard disk.
31. Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start after the Windows logo appears?
Answer: While the range of problems that can cause Windows to fail after the logo appears may be large, they are often related to driver or Windows service issues.

32. Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start after logon?
Answer: Often the cause of startup problems occurring after logon is a problematic application that is configured to start automatically. Repairing, temporarily disabling, or removing the application may be required. And, as with any problem that impacts Windows availability, scanning the system for viruses may be necessary.
33. Question: If you suspected a hardware-related problem, what would be the first things you would check?
Answer: Answers will vary, but can include simply making sure that the computer is receiving power, checking that all cables are correctly plugged in, and opening the case to ensure that the CPU, memory, and other devices are properly and firmly seated.
34. Question: How do you know whether your backups are successful?
Answer: Your backup tool should be able to log and report unsuccessful backups, but you should also perform a trial restore regularly to test backups.
35. Question: What provisions should you make for backup storage?
Answer: You should consider physically secure storage, media capacity, how long you will keep the backup, and whether the media is susceptible to environmental factors such as heat or high magnetic fields.
36. Question: What should you consider for your server restore policy?
Answer: (1) Regular updates, (2) frequent testing, and (3) the impact of restoring data.
37. Question: What considerations should you take into account for the recovery of encrypted data?
Answer: (1) Locating original and changed encryption keys, (2) use of recovery agents, and (3) restoring the correct data and matching keys.
38. Question: What steps should you take to verify restored data?
Answer: (1) Review log files, (2) check security and access to files after the restore, and (3) check the data integrity and version of restored files.
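Added example, not course material: the script below carries out the "check the data integrity and version of restored files" step from question 38 and the "does restored data overwrite newer data" concern raised in Lesson 3, by comparing a manifest recorded at backup time with a trial restore. The directory layout, file names and file contents are constructed, and the one-second mtime tolerance is an assumption.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file under root (relative path) to (sha256, size, mtime)."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            stat = path.stat()
            manifest[path.relative_to(root).as_posix()] = (digest, stat.st_size, stat.st_mtime)
    return manifest


def verify_restore(backup_manifest, restored_manifest):
    """Integrity check of a trial restore: files absent from the restored tree, and files
    whose content no longer matches what was backed up (review beside the restore log)."""
    problems = {"missing": [], "corrupt": []}
    for rel, (digest, size, _) in backup_manifest.items():
        if rel not in restored_manifest:
            problems["missing"].append(rel)
        elif restored_manifest[rel][0] != digest or restored_manifest[rel][1] != size:
            problems["corrupt"].append(rel)
    return problems


def newer_than_backup(backup_manifest, target_root, tolerance_s=1.0):
    """Version check before restoring in place: files at the target modified after the
    backup was taken, which a restore would overwrite with older data."""
    newer = []
    for rel, (_, _, backup_mtime) in backup_manifest.items():
        target = Path(target_root) / rel
        if target.is_file() and target.stat().st_mtime > backup_mtime + tolerance_s:
            newer.append(rel)
    return newer


def demo():
    """Build a constructed live tree and a flawed trial restore of it, then run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        files = {"data/config.xml": b"<cfg/>", "data/users.csv": b"a,b\n", "logs/app.log": b"ok\n"}
        for rel, content in files.items():
            for root in (live, restored):
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(content)
        backup = build_manifest(live)  # manifest recorded at backup time
        (restored / "data/config.xml").write_bytes(b"<c")  # truncated during the restore
        (restored / "logs/app.log").unlink()  # never restored
        later = backup["data/users.csv"][2] + 3600
        os.utime(live / "data/users.csv", (later, later))  # edited on the live server since
        return {"restore": verify_restore(backup, build_manifest(restored)),
                "newer_on_live": newer_than_backup(backup, live)}


if __name__ == "__main__":
    print(demo())
```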

Lab Review Questions and Answers


1. Question: List at least one example of how administrators can create an effective backup policy.
Answer: Answers may vary.
2. Question: List at least one example of how to plan an effective backup and restore procedure.
Answer: Answers may vary.
3. Question: List at least one example of how administrators can trace through a failed restore.
Answer: Answers may vary.

Resources
Contents:
Microsoft Learning, page 2
TechNet and MSDN Content, page 3
Communities, page 22

Microsoft Learning
This section describes various Microsoft Learning programs and offerings.
Microsoft Skills Assessments: Describes the skills assessment options available through Microsoft.
Microsoft Learning: Describes the training options available through Microsoft, face-to-face or self-paced.
Microsoft Certification Program: Details how to become a Microsoft Certified Professional, Microsoft Certified Database Administrator, and more.
Microsoft Learning Support:
- To provide comments or feedback about the course, send e-mail to support@mscourseware.com.
- To ask about the Microsoft Certification Program (MCP), send e-mail to mcphelp@microsoft.com.

TechNet and MSDN Content


This section includes content from Microsoft TechNet and MSDN that provides in-depth discussion on technical topics related to Windows Server 2008.

Module 1
For more information, see "Object names: Active Directory", http://go.microsoft.com/fwlink/?LinkID=139916
For more information, see "Microsoft Operations Framework 4.0", http://go.microsoft.com/fwlink/?LinkID=139924
For more information, see "User and Group Accounts", http://go.microsoft.com/fwlink/?LinkID=139921
For more information, see "TechNet Library", http://go.microsoft.com/fwlink/?LinkID=139920
For more information, see "Dsmod", http://go.microsoft.com/fwlink/?LinkID=139914
For more information, see "Microsoft Windows 2000 Scripting Guide, Copying User Accounts", http://go.microsoft.com/fwlink/?LinkID=139923
For more information, see "Windows Server 2003 Product Help, Manage Computers", http://go.microsoft.com/fwlink/?LinkID=139918
For more information, see "Windows Server 2003 Deployment, Join a computer to a domain", http://go.microsoft.com/fwlink/?LinkID=139917
For more information, see "Deploying Group Policy Using Windows Vista", http://go.microsoft.com/fwlink/?LinkID=139922
For more information, see "LDIFDE", http://go.microsoft.com/fwlink/?LinkId=99439
For more information, see "CSVDE", http://go.microsoft.com/fwlink/?LinkId=99440
For more information, see "Windows PowerShell 1.0 Documentation Pack", http://go.microsoft.com/fwlink/?LinkId=99441
For more information, see "Windows PowerShell Blog", http://go.microsoft.com/fwlink/?LinkId=99442
For more information, see "Scripting with Windows PowerShell", http://go.microsoft.com/fwlink/?LinkId=99443
For more information, see "Manage Organizational Units", http://go.microsoft.com/fwlink/?LinkID=139915
For more information, see "Dsquery", http://go.microsoft.com/fwlink/?LinkID=139919
For more information, see "Understanding Group Accounts", http://go.microsoft.com/fwlink/?LinkID=139928

Module 2
For more information, see "Understanding AD DS Functional Levels", http://go.microsoft.com/fwlink/?LinkID=139933
For more information, see "Functional Levels Background Information", http://go.microsoft.com/fwlink/?LinkID=139929

For more information, see "Group scope", http://go.microsoft.com/fwlink/?LinkID=139939
For more information, see "Understanding Local Users and Groups", http://go.microsoft.com/fwlink/?LinkID=139936
For more information, see "Nesting groups", http://go.microsoft.com/fwlink/?LinkID=139938
For more information, see "Defining a Security Group Naming Policy", http://go.microsoft.com/fwlink/?LinkID=139935
For more information, see "Microsoft Operations Framework 4.0", http://go.microsoft.com/fwlink/?LinkID=139943
For more information, see "Dsadd group", http://go.microsoft.com/fwlink/?LinkID=139931
For more information, see "Reviewing Organizational Unit Design Concepts", http://go.microsoft.com/fwlink/?LinkID=139940
For more information, see "Organizational units", http://go.microsoft.com/fwlink/?LinkID=139941
For more information, see "Design Considerations for Organizational Unit Structure and Use of Group Policy Objects", http://go.microsoft.com/fwlink/?LinkID=139937
For more information, see "Dsadd ou", http://go.microsoft.com/fwlink/?LinkID=139934
For more information, see "Reviewing OU Design Concepts", http://go.microsoft.com/fwlink/?LinkID=139925
For more information, see "Delegating Administration by Using OU Objects", http://go.microsoft.com/fwlink/?LinkID=139926
For more information, see "Using Security Filtering to Apply GPOs to Selected Groups", http://go.microsoft.com/fwlink/?LinkID=139927
For more information, see "Object names: Active Directory", http://go.microsoft.com/fwlink/?LinkId=104472
For more information, see "User and Group Accounts", http://go.microsoft.com/fwlink/?LinkId=104473
For more information, see "Dsadd", http://go.microsoft.com/fwlink/?LinkId=104474
For more information, see "Dsmod", http://go.microsoft.com/fwlink/?LinkID=139914
For more information, see "Rename a user account", http://go.microsoft.com/fwlink/?LinkId=104475
For more information, see "Copying User Accounts", http://go.microsoft.com/fwlink/?LinkId=104476
For more information, see "Manage Computers", http://go.microsoft.com/fwlink/?LinkId=104477
For more information, see "Join a computer to a domain", http://go.microsoft.com/fwlink/?LinkId=104479
For more information, see "Deploying Group Policy Using Windows Vista", http://go.microsoft.com/fwlink/?LinkId=104481
For more information, see "LDIFDE", http://go.microsoft.com/fwlink/?LinkId=99439
For more information, see "CSVDE", http://go.microsoft.com/fwlink/?LinkId=99440

For more information, see "Windows PowerShell 1.0 Documentation Pack", http://go.microsoft.com/fwlink/?LinkId=99441
For more information, see "Understanding Group Accounts", http://go.microsoft.com/fwlink/?LinkID=139928

Module 3
For more information, see "Understanding AD DS Functional Levels", http://go.microsoft.com/fwlink/?LinkID=139933
For more information, see "Functional Levels Background Information", http://go.microsoft.com/fwlink/?LinkID=139929
For more information, see "Identifying Your Windows Server 2008 Functional Level Upgrade", http://go.microsoft.com/fwlink/?LinkID=139932
For more information, see "Group scope", http://go.microsoft.com/fwlink/?LinkId=104483
For more information, see "Understanding Local Users and Groups", http://go.microsoft.com/fwlink/?LinkId=104486
For more information, see "Reviewing Organizational Unit Design Concepts", http://go.microsoft.com/fwlink/?LinkId=104487
For more information, see "Windows Server 2008 Glossary", http://go.microsoft.com/fwlink/?LinkId=104488
For more information, see "Organizational units", http://go.microsoft.com/fwlink/?LinkId=104453
For more information, see "Design Considerations for Organizational Unit Structure and Use of Group Policy Objects", http://go.microsoft.com/fwlink/?LinkId=104489
For more information, see "Using Security Filtering to Apply GPOs to Selected Groups", http://go.microsoft.com/fwlink/?LinkID=139927
For more information, see "Reviewing OU Design Concepts", http://go.microsoft.com/fwlink/?LinkID=139925
For more information, see "Groups", http://go.microsoft.com/fwlink/?LinkID=139930
For more information, see "Group scope", http://go.microsoft.com/fwlink/?LinkID=139939
For more information, see "Understanding Local Users and Groups", http://go.microsoft.com/fwlink/?LinkID=139936
For more information, see "Nesting groups", http://go.microsoft.com/fwlink/?LinkID=139938
For more information, see "Defining a Security Group Naming Policy", http://go.microsoft.com/fwlink/?LinkID=139935
For more information, see "Dsadd group", http://go.microsoft.com/fwlink/?LinkID=139931
For more information, see "Reviewing Organizational Unit Design Concepts", http://go.microsoft.com/fwlink/?LinkID=139940
For more information, see "Organizational units", http://go.microsoft.com/fwlink/?LinkID=139941
For more information, see "Design Considerations for Organizational Unit Structure and Use of Group Policy Objects", http://go.microsoft.com/fwlink/?LinkID=139937
For more information, see "Dsadd ou", http://go.microsoft.com/fwlink/?LinkID=139934

For more information, see "Delegating Administration by Using OU Objects", http://go.microsoft.com/fwlink/?LinkID=139926
For more information, see "How to restore deleted user accounts and their group memberships in Active Directory", http://go.microsoft.com/fwlink/?LinkID=139945

Module 4
For more information, see "Access Tokens Technical Reference", http://go.microsoft.com/fwlink/?LinkID=139951
For more information, see "Permissions for files and folders", http://go.microsoft.com/fwlink/?LinkID=139952
For more information, see "Best practices for Shared Folders", http://go.microsoft.com/fwlink/?LinkID=139950
For more information, see "Glossary of Registry Terms", http://go.microsoft.com/fwlink/?LinkID=139946
For more information, see "Publishing a Shared Folder in Windows 2000 Active Directory", http://go.microsoft.com/fwlink/?LinkID=139944
For more information, see "Windows Server Hacks: Creating a Shortcut for Searching Active Directory", http://go.microsoft.com/fwlink/?LinkID=139953
For more information, see "Changes to Offline Files in Windows Vista", http://go.microsoft.com/fwlink/?LinkID=139948
For more information, see "Effective Permissions tool", http://go.microsoft.com/fwlink/?LinkID=139949
For more information, see "Access Tokens Technical Reference", http://go.microsoft.com/fwlink/?LinkId=104492
For more information, see "Permissions for files and folders", http://go.microsoft.com/fwlink/?LinkId=104499
For more information, see "Best practices for Shared Folders", http://go.microsoft.com/fwlink/?LinkId=104496
For more information, see "Access control in Active Directory", http://go.microsoft.com/fwlink/?LinkId=101070

Module 5
For more information, see "Assign, change, or remove permissions on Active Directory objects or attributes", http://go.microsoft.com/fwlink/?LinkId=101071
For more information, see "Effective Permissions tool", http://go.microsoft.com/fwlink/?LinkId=101072
For more information, see "How Domains and Forests Work", http://go.microsoft.com/fwlink/?LinkId=101073
For more information, see "Active Directory naming", http://go.microsoft.com/fwlink/?LinkId=101074
For more information, see "Enable selective authentication over a forest trust", http://go.microsoft.com/fwlink/?LinkId=101075
For more information, see "Grant the Allowed to Authenticate permission on computers in the trusting domain or forest", http://go.microsoft.com/fwlink/?LinkId=101076
For more information, see "Understanding When to Create a Shortcut Trust", http://go.microsoft.com/fwlink/?LinkID=107061
For more information, see "Nltest Overview", http://go.microsoft.com/fwlink/?LinkID=93567
For more information, see "Windows Server Group Policy", http://go.microsoft.com/fwlink/?LinkId=99449
For more information, see "Summary of New or Expanded Group Policy Settings", http://go.microsoft.com/fwlink/?LinkId=99450
For more information, see "What's New in Group Policy in Windows Vista", http://go.microsoft.com/fwlink/?LinkId=99451
For more information, see "Group Policy Processing", http://go.microsoft.com/fwlink/?LinkId=112457
For more information, see "Group Policy application rules for domain controllers", http://go.microsoft.com/fwlink/?LinkId=112458
For more information, see "How a slow link is detected for processing user profiles and Group Policy", http://go.microsoft.com/fwlink/?LinkId=112459
For more information, see "Group Policy is not applied due to cached credentials", http://go.microsoft.com/fwlink/?LinkId=112460
For more information, see "Controlling Client-Side Extensions by Using Group Policy", http://go.microsoft.com/fwlink/?LinkId=99452

Module 7
For more information, see "How Core Group Policy Works", http://go.microsoft.com/fwlink/?LinkId=99468
For more information, see "Managing Group Policy ADMX Files Step-by-Step Guide", http://go.microsoft.com/fwlink/?LinkId=112461
For more information, see "How to create a Central Store for Group Policy Administrative Templates in Windows Vista", http://go.microsoft.com/fwlink/?LinkId=99455
For more information, see "TechNet Virtual Lab: Managing Windows Server 2008 Beta 3 and Windows Vista using Group Policy", http://go.microsoft.com/fwlink/?LinkId=112462
For more information, see "Group Policy processing and precedence", http://go.microsoft.com/fwlink/?LinkId=99456
For more information, see "Multiple Local Group Policy objects", http://go.microsoft.com/fwlink/?LinkId=112463
For more information, see "Step-by-Step Guide to Managing Multiple Local Group Policy Objects", http://go.microsoft.com/fwlink/?LinkId=99457
For more information, see "Controlling the Scope of Group Policy Objects using GPMC", http://go.microsoft.com/fwlink/?LinkId=99458
For more information, see "Loopback processing with merge or replace", http://go.microsoft.com/fwlink/?LinkId=99459
For more information, see "Create or delete a Group Policy object", http://go.microsoft.com/fwlink/?LinkId=112464
For more information, see "Link a Group Policy object using GPMC", http://go.microsoft.com/fwlink/?LinkId=112465
For more information, see "Disable a Group Policy object link using GPMC", http://go.microsoft.com/fwlink/?LinkId=112466
For more information, see "Fixing Core Group Policy problems", http://go.microsoft.com/fwlink/?LinkId=101110
For more information, see "Filter using security groups", http://go.microsoft.com/fwlink/?LinkId=112467
For more information, see "Using Security Filtering to Apply GPOs to Selected Groups", http://go.microsoft.com/fwlink/?LinkId=112468
For more information, see "Security filtering using GPMC", http://go.microsoft.com/fwlink/?LinkId=112469
For more information, see "Loopback processing of Group Policy", http://go.microsoft.com/fwlink/?LinkId=99460
For more information, see "Group Policy Results (Administering Group Policy with Group Policy Management Console)", http://go.microsoft.com/fwlink/?LinkId=99462
For more information, see "Determine Resultant Set of Policy with GPResult.exe", http://go.microsoft.com/fwlink/?LinkId=113117
For more information, see "Using Group Policy Modeling and Group Policy Results to Evaluate Group Policy Settings", http://go.microsoft.com/fwlink/?LinkId=99463
For more information, see "Backing up, Restoring, Migrating, and Copying GPOs", http://go.microsoft.com/fwlink/?LinkId=99464
For more information, see "Import using GPMC", http://go.microsoft.com/fwlink/?LinkId=99465
For more information, see "Import a Group Policy object using GPMC", http://go.microsoft.com/fwlink/?LinkId=113123
For more information, see "Starter Group Policy Objects (GPOs)", http://go.microsoft.com/fwlink/?LinkID=139954
For more information, see "Copy a Group Policy object using GPMC", http://go.microsoft.com/fwlink/?LinkId=113118
For more information, see "Copy using GPMC", http://go.microsoft.com/fwlink/?LinkId=113119
For more information, see "Back up a Group Policy object using GPMC", http://go.microsoft.com/fwlink/?LinkId=113120
For more information, see "Restore using GPMC", http://go.microsoft.com/fwlink/?LinkId=113121
For more information, see "Restore a backed-up Group Policy object using GPMC", http://go.microsoft.com/fwlink/?LinkId=113122
For more information, see "ADMX Migrator", http://go.microsoft.com/fwlink/?LinkId=99466
For more information, see "ADMX Migrator download", http://go.microsoft.com/fwlink/?LinkId=113124
For more information, see "Delegating Group Policy", http://go.microsoft.com/fwlink/?LinkId=99467
For more information, see "Delegation and policy-related permissions", http://go.microsoft.com/fwlink/?LinkId=113125
For more information, see "How Core Group Policy Works", http://go.microsoft.com/fwlink/?LinkId=99468
For more information, see "Group Policy Planning and Deployment Guide", http://go.microsoft.com/fwlink/?LinkID=134056
For more information, see "The Two Sides of Group Policy Script Extension Processing", http://go.microsoft.com/fwlink/?LinkId=99469
For more information, see "The Two Sides of Group Policy Script Extension Processing", http://go.microsoft.com/fwlink/?LinkId=99470
For more information, see "Overview of Logon, Logoff, Startup, and Shutdown Scripts in Windows 2000", http://go.microsoft.com/fwlink/?LinkId=99471
For more information, see "How to assign scripts in Windows 2000", http://go.microsoft.com/fwlink/?LinkId=113127
For more information, see "What Is Folder Redirection Extension?", http://go.microsoft.com/fwlink/?LinkId=99472
For more information, see "IE7 in Vista: Folder Redirection for Favorites on the Same Machine", http://go.microsoft.com/fwlink/?LinkId=99473
For more information, see "Recommendations for Folder Redirection", http://go.microsoft.com/fwlink/?LinkId=99475
For more information, see "Folder Redirection feature in Windows", http://go.microsoft.com/fwlink/?LinkId=99476
For more information, see "Security Considerations when Configuring Folder Redirection", http://go.microsoft.com/fwlink/?LinkId=99477
For more information, see "Windows Server 2003", http://go.microsoft.com/fwlink/?LinkId=99478
For more information, see "Administrative Templates Extension Technical Reference", http://go.microsoft.com/fwlink/?LinkId=99479
For more information, see "How To Use the Group Policy Editor to Manage Local Computer Policy in Windows X", http://go.microsoft.com/fwlink/?LinkId=113126
For more information, see "Creating a Custom Base ADMX File", http://go.microsoft.com/fwlink/?LinkId=99480
For more information, see "Group Policy Sample ADMX Files", http://go.microsoft.com/fwlink/?LinkId=99481
For more information, see "2007 Office system Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool version 2.0", http://go.microsoft.com/fwlink/?LinkId=113758
For more information, see "Design Considerations for Creating Policy Settings", http://go.microsoft.com/fwlink/?LinkID=139957
For more information, see "How to use Group Policy to install software remotely in Windows 2000", http://go.microsoft.com/fwlink/?LinkId=99482
For more information, see "Use Group Policy Software Installation to deploy the 2007 Office system", http://go.microsoft.com/fwlink/?LinkId=99483
For more information, see "Group Policy Software Installation overview", http://go.microsoft.com/fwlink/?LinkId=113760
For more information, see "Specify categories for applications to be managed", http://go.microsoft.com/fwlink/?LinkId=99485
For more information, see "Add or remove modifications for an application package", http://go.microsoft.com/fwlink/?LinkId=99487
For more information, see "Best practices for Group Policy Software Installation", http://go.microsoft.com/fwlink/?LinkId=99488
For more information, see "Set Group Policy Software Installation defaults", http://go.microsoft.com/fwlink/?LinkId=99489
For more information, see "Best practices for Group Policy Software Installation", http://go.microsoft.com/fwlink/?LinkId=99486
For more information, see "Information about new Group Policy preferences in Windows Server 2008", http://go.microsoft.com/fwlink/?LinkID=139955
For more information, see "Group Policy Preferences: Getting Started", http://go.microsoft.com/fwlink/?LinkID=139956
For more information, see "Group Policy Preferences Frequently Asked Questions (FAQ)", http://go.microsoft.com/fwlink/?LinkID=139958
For more information, see "Group Policy Troubleshooting", http://go.microsoft.com/fwlink/?LinkId=101100
For more information, see "Troubleshooting Your Systems with Network Diagnostics", http://go.microsoft.com/fwlink/?LinkId=101101
For more information, see "Using NSlookup.exe", http://go.microsoft.com/fwlink/?LinkId=101102
For more information, see "Unable to access domain controller", http://go.microsoft.com/fwlink/?LinkId=101103
For more information, see "Kerbtray.exe: Kerberos Tray", http://go.microsoft.com/fwlink/?LinkId=101104
For more information, see "Group Policy Modeling and Results", http://go.microsoft.com/fwlink/?LinkId=101105
For more information, see "How to manually create Default Domain GPO", http://go.microsoft.com/fwlink/?LinkId=101106
For more information, see "Refresh Group Policy settings with GPUpdate.exe", http://go.microsoft.com/fwlink/?LinkId=101108
For more information, see "Fixing Group Policy problems by using log files", http://go.microsoft.com/fwlink/?LinkId=101109
For more information, see "Identifying Group Policy Client-Side Extensions", http://go.microsoft.com/fwlink/?LinkId=101115
For more information, see "Computer Policy for Client-side Extensions", http://go.microsoft.com/fwlink/?LinkId=101116
For more information, see "Group Policy and Network Bandwidth", http://go.microsoft.com/fwlink/?LinkId=101117
For more information, see "Fixing Core Group Policy problems", http://go.microsoft.com/fwlink/?LinkId=101110
For more information, see "Fixing Administrative Template policy setting problems", http://go.microsoft.com/fwlink/?LinkId=101118
For more information, see "Troubleshooting Group Policy application problems", http://go.microsoft.com/fwlink/?LinkId=101119

Module 8
For more information, see "Windows Server Group Policy", http://go.microsoft.com/fwlink/?LinkId=113761
For more information, see "Group Policy Security Settings", http://go.microsoft.com/fwlink/?LinkId=99491
For more information, see "Chapter 3: The Domain Policy", http://go.microsoft.com/fwlink/?LinkId=99492
For more information, see "Joining a Windows Vista Wired Client to a Domain", http://go.microsoft.com/fwlink/?LinkId=99495
For more information, see "Securing Wireless LANs with Certificate Services", http://go.microsoft.com/fwlink/?LinkId=99496
For more information, see "The Cable Guy Wireless Group Policy Settings for Windows Vista", http://go.microsoft.com/fwlink/?LinkId=99497
For more information, see "Define Active Directory-based Wireless Network Policies", http://go.microsoft.com/fwlink/?LinkId=99498
For more information, see "The New Windows Firewall in Windows Vista and Windows Server 2008", http://go.microsoft.com/fwlink/?LinkId=99499
For more information, see "Chapter 4: Strengthening Domain and Domain Controller Policy Settings", http://go.microsoft.com/fwlink/?LinkID=139959
For more information, see "Appendix A: Security Group Policy Settings", http://go.microsoft.com/fwlink/?LinkId=113762
For more information, see "Troubleshooting Group Policy application problems", http://go.microsoft.com/fwlink/?LinkId=101119
For more information, see "AD DS: Fine-Grained Password Policies", http://go.microsoft.com/fwlink/?LinkId=99500
For more information, see "AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide", http://go.microsoft.com/fwlink/?LinkId=99501
For more information, see "AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide", http://go.microsoft.com/fwlink/?LinkId=113764
For more information, see "Restricted Groups", http://go.microsoft.com/fwlink/?LinkId=99502
For more information, see "How To Use Software Restriction Policies in Windows Server 2003", http://go.microsoft.com/fwlink/?LinkId=113765
For more information, see "Using Software Restriction Policies to Protect Against Unauthorized Software", http://go.microsoft.com/fwlink/?LinkId=99503
For more information, see "Security Templates", http://go.microsoft.com/fwlink/?LinkId=99504
For more information, see "Security Configuration Wizard Overview", http://go.microsoft.com/fwlink/?LinkId=99507
For more information, see "Security Watch The Security Configuration Wizard", http://go.microsoft.com/fwlink/?LinkId=99508
For more information, see "Security Configuration Wizard for Windows Server 2003", http://go.microsoft.com/fwlink/?LinkId=99506
For more information, see "Best practices for Security Configuration and Analysis", http://go.microsoft.com/fwlink/?LinkID=112102&clcid=0x409
For more information, see "Account Passwords and Policies in Windows Server 2003", http://go.microsoft.com/fwlink/?LinkId=99493
For more information, see "Security Configuration and Analysis", http://go.microsoft.com/fwlink/?LinkId=102267&clcid=0x409

Module 9
For more information, see "Antivirus Defense-in-Depth Guide", http://go.microsoft.com/fwlink/?LinkId=102264&clcid=0x409
For more information, see "Using Encrypting File System", http://go.microsoft.com/fwlink/?LinkID=139961
For more information, see "Auditing overview", http://go.microsoft.com/fwlink/?LinkId=102268&clcid=0x409
For more information, see "Auditing Policy", http://go.microsoft.com/fwlink/?LinkID=112103&clcid=0x409
For more information, see "Audit Policies and Subcategories", http://go.microsoft.com/fwlink/?LinkID=139962
For more information, see "AD DS Auditing Step-by-Step Guide", http://go.microsoft.com/fwlink/?LinkID=112104&clcid=0x409
For more information, see "Viewing security logs", http://go.microsoft.com/fwlink/?LinkID=139977
For more information, see "How inheritance affects file and folder auditing", http://go.microsoft.com/fwlink/?LinkID=139976
For more information, see "Auditing Security Events Best practices", http://go.microsoft.com/fwlink/?LinkID=139978
For more information, see "How to use Group Policy to audit registry keys in Windows Server 2003", http://go.microsoft.com/fwlink/?LinkID=139960
For more information, see "Auditing Security Events How To...", http://go.microsoft.com/fwlink/?LinkID=139975
For more information, see "Microsoft Windows Server Update Services 3.0 Overview", http://go.microsoft.com/fwlink/?LinkId=102269&clcid=0x409
For more information, see "Determine Bandwidth Options to", http://go.microsoft.com/fwlink/?LinkID=139968
For more information, see "Choose a Type of WSUS Deployment", http://go.microsoft.com/fwlink/?LinkID=139971
For more information, see "WSUS and the Update Management Process", http://go.microsoft.com/fwlink/?LinkID=139967
For more information, see "Server and Client Requirements", http://go.microsoft.com/fwlink/?LinkID=112105&clcid=0x409
For more information, see "Install the WSUS 3.0 Administration Console", http://go.microsoft.com/fwlink/?LinkID=139973
For more information, see "Configure Automatic Updates by Using Group Policy", http://go.microsoft.com/fwlink/?LinkID=139974
For more information, see "Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy", http://go.microsoft.com/fwlink/?LinkID=139963
For more information, see "Determine a Method to Configure Clients", http://go.microsoft.com/fwlink/?LinkID=112106&clcid=0x409
For more information, see "Managing Windows Server Update Services 3.0", http://go.microsoft.com/fwlink/?LinkId=102274&clcid=0x409
For more information, see "Appendix H: The wuauclt Utility", http://go.microsoft.com/fwlink/?LinkID=139972
For more information, see "Managing WSUS 3.0 from the Command Line", http://go.microsoft.com/fwlink/?LinkID=139969
For more information, see "Approving the Updates", http://go.microsoft.com/fwlink/?LinkID=112108&clcid=0x409
For more information, see "Create the Computer Groups", http://go.microsoft.com/fwlink/?LinkID=139966
For more information, see "Approve WSUS 3.0 Updates", http://go.microsoft.com/fwlink/?LinkID=139965
For more information, see "Security Content Overview", http://go.microsoft.com/fwlink/?LinkId=102262&clcid=0x409
For more information, see "Infrastructure Planning and Design", http://go.microsoft.com/fwlink/?LinkId=102263&clcid=0x409
For more information, see "Antivirus Defense-in-Depth Guide", http://go.microsoft.com/fwlink/?LinkId=102264&clcid=0x409
For more information, see "Security and Protection", http://go.microsoft.com/fwlink/?LinkId=102265&clcid=0x409
For more information, see "Auditing overview", http://go.microsoft.com/fwlink/?LinkId=102268&clcid=0x409
For more information, see "Microsoft Windows Server Update Services 3.0 Overview", http://go.microsoft.com/fwlink/?LinkId=102269&clcid=0x409
For more information, see "New in Windows Server Update Services 3.0", http://go.microsoft.com/fwlink/?LinkId=102270&clcid=0x409
For more information, see "Deploying Microsoft Windows Server Update Services 3.0 SP1", http://go.microsoft.com/fwlink/?LinkId=79983
For more information, see "Client Behavior with Update Deadlines", http://go.microsoft.com/fwlink/?LinkId=102272&clcid=0x409
For more information, see "Release Notes for Microsoft Windows Server Update Services 3.0", http://go.microsoft.com/fwlink/?LinkId=102273&clcid=0x409
For more information, see "Managing Windows Server Update Services 3.0", http://go.microsoft.com/fwlink/?LinkId=102274&clcid=0x409
For more information, see "Best Practices with Windows Server Update Services 3.0", http://go.microsoft.com/fwlink/?LinkId=102275&clcid=0x409

Module 10
For more information, see "Setting File Server Resource Manager Options", http://go.microsoft.com/fwlink/?LinkID=112086&clcid=0x409
For more information, see "Quota Management", http://go.microsoft.com/fwlink/?LinkID=112087&clcid=0x409
For more information, see "Create a quota template", http://go.microsoft.com/fwlink/?LinkID=112088&clcid=0x409
For more information, see "Create an auto quota", http://go.microsoft.com/fwlink/?LinkID=112089&clcid=0x409
For more information, see "What to expect during initial replication", http://go.microsoft.com/fwlink/?LinkId=102255&clcid=0x409
For more information, see "File Screening Management", http://go.microsoft.com/fwlink/?LinkID=112090&clcid=0x409
For more information, see "Define file groups for screening", http://go.microsoft.com/fwlink/?LinkID=112091&clcid=0x409
For more information, see "Create a file screen exception", http://go.microsoft.com/fwlink/?LinkID=112092&clcid=0x409
For more information, see "Create a file screen template", http://go.microsoft.com/fwlink/?LinkID=112093&clcid=0x409
For more information, see "Storage Reports", http://go.microsoft.com/fwlink/?LinkID=112094&clcid=0x409
For more information, see "Schedule a set of reports", http://go.microsoft.com/fwlink/?LinkID=112095&clcid=0x409
For more information, see "Generate reports on demand", http://go.microsoft.com/fwlink/?LinkID=112096&clcid=0x409
For more information, see "Windows Server 2008 Step-by-Step Guides", http://go.microsoft.com/fwlink/?LinkId=113166

Module 11
For more information, see "Distributed File System Technology Center", http://go.microsoft.com/fwlink/?LinkId=102236&clcid=0x409
For more information, see "Overview of the Distributed File System Solution in Microsoft Windows Server 2003 R2", http://go.microsoft.com/fwlink/?LinkId=102237&clcid=0x409
For more information, see "Microsoft Distributed File System", http://go.microsoft.com/fwlink/?LinkId=102238&clcid=0x409
For more information, see "About Remote Differential Compression", http://go.microsoft.com/fwlink/?LinkId=102239&clcid=0x409
For more information, see "Optimizing File Replication over Limited-Bandwidth Networks using Remote Differential Compression", http://go.microsoft.com/fwlink/?LinkId=102240&clcid=0x409
For more information, see "Distributed File System: Frequently Asked Questions", http://go.microsoft.com/fwlink/?LinkId=102242&clcid=0x409
For more information, see "Distributed File System Replication: Frequently Asked Questions", http://go.microsoft.com/fwlink/?LinkId=102241&clcid=0x409
For more information, see "DFS Management", http://go.microsoft.com/fwlink/?LinkId=102243&clcid=0x409
For more information, see "Deploy a namespace for publishing content", http://go.microsoft.com/fwlink/?LinkId=102244&clcid=0x409
For more information, see "How to Manage Remote Access to the Registry", http://go.microsoft.com/fwlink?linkid=46803
For more information, see "Delegate management permissions for an existing namespace", http://go.microsoft.com/fwlink/?LinkId=102245&clcid=0x409
For more information, see "Security requirements for creating and managing namespaces", http://go.microsoft.com/fwlink/?LinkId=102246&clcid=0x409
For more information, see "Optimizing a Namespace", http://go.microsoft.com/fwlink/?LinkId=102248&clcid=0x409
For more information, see "Introduction to DFS Replication", http://go.microsoft.com/fwlink/?LinkId=102249&clcid=0x409
For more information, see "Staging folders and Conflict and Deleted folders", http://go.microsoft.com/fwlink/?LinkId=102250&clcid=0x409
For more information, see "Replication groups and replicated folders", http://go.microsoft.com/fwlink/?LinkId=102251&clcid=0x409
For more information, see "DFS Replication requirements", http://go.microsoft.com/fwlink/?LinkId=102252&clcid=0x409
For more information, see "DFS Replication scalability guidelines", http://go.microsoft.com/fwlink/?LinkId=102253&clcid=0x409
For more information, see "More on DFS Replication Limits", http://go.microsoft.com/fwlink/?LinkId=70575
For more information, see "Deploying DFS Replication", http://go.microsoft.com/fwlink/?LinkId=102254&clcid=0x409
For more information, see "What to expect during initial replication", http://go.microsoft.com/fwlink/?LinkId=102255&clcid=0x409
For more information, see "Create a diagnostic report for DFS Replication", http://go.microsoft.com/fwlink/?LinkId=102256&clcid=0x409
For more information, see "Five Common Causes of Waiting for the DFS Replication service to retrieve replication settings from Active Directory", http://go.microsoft.com/fwlink/?LinkID=139980
For more information, see "Outdated Active Directory objects generate event ID 1988 in Windows Server 2003", http://go.microsoft.com/fwlink/?LinkID=139981
For more information, see "Top 10 Common Causes of Slow Replication with DFSR", http://go.microsoft.com/fwlink/?LinkID=139979
For more information, see "Distributed File System Technology Center", http://go.microsoft.com/fwlink/?LinkId=102236&clcid=0x409
For more information, see "Overview of the Distributed File System Solution in Microsoft Windows Server 2003 R2", http://go.microsoft.com/fwlink/?LinkId=102237&clcid=0x409
For more information, see "Microsoft Distributed File System", http://go.microsoft.com/fwlink/?LinkId=102238&clcid=0x409
For more information, see "About Remote Differential Compression", http://go.microsoft.com/fwlink/?LinkId=102239&clcid=0x409
For more information, see "Optimizing File Replication over Limited-Bandwidth Networks using Remote Differential Compression", http://go.microsoft.com/fwlink/?LinkId=102240&clcid=0x409
For more information, see "Distributed File System: Frequently Asked Questions", http://go.microsoft.com/fwlink/?LinkId=102242&clcid=0x409
For more information, see "Distributed File System Replication: Frequently Asked Questions", http://go.microsoft.com/fwlink/?LinkId=102241&clcid=0x409
For more information, see "DFS Management", http://go.microsoft.com/fwlink/?LinkId=102243&clcid=0x409
For more information, see "Deploy a namespace for publishing content", http://go.microsoft.com/fwlink/?LinkId=102244&clcid=0x409
For more information, see "Delegate management permissions for an existing namespace", http://go.microsoft.com/fwlink/?LinkId=102245&clcid=0x409
For more information, see "Security requirements for creating and managing namespaces", http://go.microsoft.com/fwlink/?LinkId=102246&clcid=0x409
For more information, see "Increasing the Availability of a Namespace", http://go.microsoft.com/fwlink/?LinkId=102247&clcid=0x409
For more information, see "Optimizing a Namespace", http://go.microsoft.com/fwlink/?LinkId=102248&clcid=0x409
For more information, see "Introduction to DFS Replication", http://go.microsoft.com/fwlink/?LinkId=102249&clcid=0x409
For more information, see "Staging folders and Conflict and Deleted folders", http://go.microsoft.com/fwlink/?LinkId=102250&clcid=0x409
For more information, see "Replication groups and replicated folders", http://go.microsoft.com/fwlink/?LinkId=102251&clcid=0x409
For more information, see "DFS Replication requirements", http://go.microsoft.com/fwlink/?LinkId=102252&clcid=0x409
For more information, see "DFS Replication scalability guidelines", http://go.microsoft.com/fwlink/?LinkId=102253&clcid=0x409
For more information, see "Deploying DFS Replication", http://go.microsoft.com/fwlink/?LinkId=102254&clcid=0x409
For more information, see "What to expect during initial replication", http://go.microsoft.com/fwlink/?LinkId=102255&clcid=0x409
For more information, see "Create a diagnostic report for DFS Replication", http://go.microsoft.com/fwlink/?LinkId=102256&clcid=0x409
For more information, see "Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)", http://go.microsoft.com/fwlink/?LinkID=139982
For more information, see "Fixing Replication Connectivity Problems (Event ID 1925)", http://go.microsoft.com/fwlink/?LinkID=139984
For more information, see "Event ID 1311: Replication configuration does not reflect the physical network", http://go.microsoft.com/fwlink/?LinkID=139983

Module 12
For more information, see "Network Access Protection", http://go.microsoft.com/fwlink/?LinkId=102224&clcid=0x409
For more information, see "Terminal Services", http://go.microsoft.com/fwlink/?LinkId=102225&clcid=0x409
For more information, see "Network Access Protection Platform Architecture", http://go.microsoft.com/fwlink/?LinkId=102226&clcid=0x409
For more information, see "Network Access Protection", http://go.microsoft.com/fwlink/?LinkId=102227&clcid=0x409
For more information, see "Security and Policy Enforcement", http://go.microsoft.com/fwlink/?LinkId=102228&clcid=0x409
For more information, see "Overview of Network Access Protection", http://go.microsoft.com/fwlink/?LinkID=139985
For more information, see "Terminal Services", http://go.microsoft.com/fwlink/?LinkId=102225&clcid=0x409
For more information, see "About Enforcing Compliance with Network Access Protection", http://go.microsoft.com/fwlink/?LinkID=139989
For more information, see "Network Access Protection Platform Architecture", http://go.microsoft.com/fwlink/?LinkId=102226&clcid=0x409
For more information, see "About the NAP Client Status in Network Access Protection", http://go.microsoft.com/fwlink/?LinkID=139986
For more information, see "Network Access Protection Security Best Practices", http://go.microsoft.com/fwlink/?LinkID=139988
For more information, see "NAP Enforcement for VPN", http://go.microsoft.com/fwlink/?LinkID=139991
For more information, see "NAP Enforcement for DHCP", http://go.microsoft.com/fwlink/?LinkID=139990
For more information, see "Introduction to Network Access Protection", http://go.microsoft.com/fwlink/?LinkId=102223&clcid=0x409
For more information, see "About System Health Validator Points in Network Access Protection", http://go.microsoft.com/fwlink/?LinkID=139987

Module 13
For more information, see "What is a shadow copy?", http://go.microsoft.com/fwlink/?LinkID=139992
For more information, see "Shadow Copies of Shared Folders", http://go.microsoft.com/fwlink/?LinkID=139993
For more information, see "Introduction to Shadow Copies of Shared Folders", http://go.microsoft.com/fwlink/?LinkID=139996
For more information, see "Best Practices for Shadow Copies of Shared Folders", http://go.microsoft.com/fwlink/?LinkID=139994
For more information, see "How Network Load Balancing Technology Works", http://go.microsoft.com/fwlink/?LinkId=102260&clcid=0x409
For more information, see "Network Load Balancing Best practices", http://go.microsoft.com/fwlink/?LinkId=102261&clcid=0x409
For more information, see "Windows Server 2003 R2 Enterprise Edition Cluster Server Resource Center", http://go.microsoft.com/fwlink/?LinkID=139997
For more information, see "Windows Server 2008", http://go.microsoft.com/fwlink/?LinkId=99823&clcid=0x409
For more information, see "Network Interface on a Clustered Node", http://go.microsoft.com/fwlink/?LinkID=139995
For more information, see "How Network Load Balancing Technology Works", http://go.microsoft.com/fwlink/?LinkId=102260
For more information, see "Windows Server 2008", http://go.microsoft.com/fwlink/?LinkId=99823
For more information, see "Windows Server Catalog", http://go.microsoft.com/fwlink/?LinkID=59821
For more information, see "Compare Technical Features and Specifications", http://go.microsoft.com/fwlink/?LinkId=92091
For more information, see "iSCSI Cluster Support: Frequently Asked Questions", http://go.microsoft.com/fwlink/?LinkId=61375

Module 14
For more information, see "Solving performance problems", http://go.microsoft.com/fwlink/?LinkID=140000
For more information, see "Performance Tuning Guidelines for Windows Server 2008", http://go.microsoft.com/fwlink/?LinkID=140009
For more information, see "Suggested Performance Counters to Watch", http://go.microsoft.com/fwlink/?LinkID=140003
For more information, see "Processor Object", http://go.microsoft.com/fwlink/?LinkID=140005
For more information, see "Memory Object", http://go.microsoft.com/fwlink/?LinkID=140002
For more information, see "LogicalDisk Object", http://go.microsoft.com/fwlink/?LinkID=140004
For more information, see "Physical Disk Object", http://go.microsoft.com/fwlink/?LinkID=140001
For more information, see "Monitoring Windows Server 2008 with OpsMgr 2007", http://go.microsoft.com/fwlink/?LinkID=140007
For more information, see "Monitoring Events", http://go.microsoft.com/fwlink/?LinkID=140006
For more information, see "How to use and troubleshoot issues with Windows Task Manager", http://go.microsoft.com/fwlink/?LinkID=139998
For more information, see "Windows Reliability and Performance Monitor", http://go.microsoft.com/fwlink/?LinkID=139999
For more information, see "Windows Vista Performance and Reliability Monitoring Step-by-Step Guide", http://go.microsoft.com/fwlink/?LinkId=99517
For more information, see "Event Viewer", http://go.microsoft.com/fwlink/?LinkId=99509
For more information, see "Getting Started With Windows PowerShell", http://go.microsoft.com/fwlink/?LinkID=140008
For more information, see "Dynamic Systems Initiative Overview White Paper", http://go.microsoft.com/fwlink/?LinkId=121160
For more information, see "Performance Tuning Guidelines for Windows Server 2008", http://go.microsoft.com/fwlink/?LinkId=121171
For more information, see "Using Performance Tools to Obtain a Baseline", http://go.microsoft.com/fwlink/?LinkId=121123
For more information, see "Event Subscriptions", http://go.microsoft.com/fwlink/?LinkId=99512
For more information, see "Configure Computers to Forward and Collect Events", http://go.microsoft.com/fwlink/?LinkId=99513

Module 15
For more information, see "Windows Server Backup Step-by-Step Guide for Windows Server 2008", http://go.microsoft.com/fwlink/?LinkID=140018
For more information, see "Transferring Encrypted Files That Need to Be Recovered", http://go.microsoft.com/fwlink/?LinkID=140012
For more information, see "Backing Up Hyper-V Virtual Machines", http://go.microsoft.com/fwlink/?LinkID=140010
For more information, see "Backup using GPMC", http://go.microsoft.com/fwlink/?LinkID=140019
For more information, see "Backup Best Practices", http://go.microsoft.com/fwlink/?LinkID=140017
For more information, see "Best Practices for Backup and Restore", http://go.microsoft.com/fwlink/?LinkID=140015
For more information, see "Best Practices for Change Management", http://go.microsoft.com/fwlink/?LinkID=140021
For more information, see "Security Considerations for Backup and Restore", http://go.microsoft.com/fwlink/?LinkID=140011
For more information, see "Security Considerations for Backup and Restore", http://go.microsoft.com/fwlink/?LinkID=140020
For more information, see "Best practices for the Encrypting File System", http://go.microsoft.com/fwlink/?LinkID=140013
For more information, see "How to back up the recovery agent Encrypting File System (EFS) private key in Windows Server 2003, in Windows 2000, and in Windows XP", http://go.microsoft.com/fwlink/?LinkID=140014
For more information, see "Encrypting File System in Windows XP and Windows Server 2003", http://go.microsoft.com/fwlink/?LinkID=140016
For more information, see "Wbadmin", http://go.microsoft.com/fwlink/?LinkId=93131
For more information, see "Scripting with Windows PowerShell", http://go.microsoft.com/fwlink/?LinkId=93317
For more information, see "Windows NT Backup - Restore Utility", http://go.microsoft.com/fwlink/?LinkId=82917
For more information, see "Wbadmin", http://go.microsoft.com/fwlink/?LinkId=121122
For more information, see "Data Encryption Toolkit for Mobile PCs", http://go.microsoft.com/fwlink/?LinkId=121045
For more information, see "Microsoft Deployment Security Feature Team Guide: Planning", http://go.microsoft.com/fwlink/?LinkId=121046
For more information, see "Encrypting File System", http://go.microsoft.com/fwlink/?LinkId=121047


Communities
For more information, see "Top 10 Common Causes of Slow Replication with DFSR", http://go.microsoft.com/fwlink/?LinkID=139979
For more information, see "Five Common Causes of Waiting for the DFS Replication service to retrieve replication settings from Active Directory", http://go.microsoft.com/fwlink/?LinkID=139980
For more information, see "Backing Up Hyper-V Virtual Machines", http://go.microsoft.com/fwlink/?LinkID=140010


Send Us Your Feedback


You can search the Microsoft Knowledge Base for known issues at Microsoft Help and Support before submitting feedback. Search using either the course number and revision, or the course title.

Note: Not all training products will have a Knowledge Base article. If that is the case, please ask your instructor whether or not there are existing error log entries.

Courseware Feedback
Send all courseware feedback to support@mscourseware.com. We truly appreciate your time and effort. We review every e-mail received and forward the information on to the appropriate team. Unfortunately, because of volume, we are unable to provide a response but we may use your feedback to improve your future experience with Microsoft Learning products.

Reporting Errors
When providing feedback, include the training product name and number in the subject line of your e-mail. When you provide comments or report bugs, please include the following:
Document or CD part number
Page number or location
Complete description of the error or suggested change

Please provide any details that are necessary to help us verify the issue.

Important: All errors and suggestions are evaluated, but only those that are validated are added to the product Knowledge Base article.
