M I C R O S O F T
L E A R N I N G
P R O D U C T
6419A
Configuring, Managing, and Maintaining Windows Server 2008 Servers Companion Content
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. 2009 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
1-1
Module 1
1-2
Lesson 1
Server Roles
Contents:
Question and Answers 3
1-3
1-4
1-5
Lesson 2
1-6
What Is a Domain?
Question: How has your organization used domains to create security boundaries? If your
organization does not use domains, how might domains be used in your organization?
Answer: Answers may vary. This question should provide students with an opportunity to reflect on the relationship between the logical structure of a business organization and the use of one or more domains. In general, students should demonstrate an understanding of how domains represent groupings of users and computers that follow a common security policy.
What Is a Forest?
Question: Does a trust automatically allow users in one domain to access resources in another
domain?
Answer: No. When trust relationships are in place, users must still be granted permission to access
resources in other domains.
1-7
1-8
1-9
Lesson 3
1-10
Server Manager
Question: Why is it beneficial to combine frequently used snap-ins into a single console? Answer: It is more efficient to use a single console instead of several consoles with a single snap-in. Also, using a single console avoids the need to create custom, special purpose consoles.
Computer Management
Question: Will you use Computer Management or Server Manager to manage your servers? Answer: You will use Server Manager for managing your servers. This is the current tool created by Microsoft for server management.
Device Manager
Question: Why would you update a device driver if a device appears to be working properly? Answer: Manufacturers release updated drivers for devices that resolve problems. When a new driver is released, you can review the release notes to determine whether the fixes included in the driver warrant installation. Newer drivers may be more stable or perform faster than previous versions.
1-11
1-12
Lesson 4
1-13
1-14
General tab
The computer field is the name or IP address of the computer you will connect to.
The user name filed is the user name you will log on to the destination computer with.
Note that connection settings can be saved for future use.
Display tab
The Remote desktop size slider is used to choose the size of the remote desktop. The Colors setting is used to set the number of colors displayed. Higher settings can slightly degrade performance. The Display the connection bar when in full screen mode is used to display a bar at the top of the screen when full screen mode is used.
1-15
5.
1-16
1-17
10. Question: Are there any situations where a workgroup would be preferable? Answer: From a technical perspective no. However, some very small organizations do not want the expense of implementing a dedicated server. 11. Question: How has your organization used domains to create security boundaries? If your organization does not use domains, how might domains be used in your organization? Answer: Answers may vary. This question should provide students with an opportunity to reflect on the relationship between the logical structure of a business organization and the use of one or more domains. In general, students should demonstrate an understanding of how domains represent groupings of users and computers that follow a common security policy. 12. Question: Describe one scenario when you would use a domain to organize a network. Describe one scenario when you would use an OU to organize a network. Answer: Answers may vary. In general, students should understand that a domain represents a security boundary, and requires at least one domain controller. Because multiple OUs can exist within a single domain, they are useful for mapping the logical structure of Active Directory to the actual structure of the organization in a more fine-grained manner than domains. However, in cases where differing security requirements exist within an organization, multiple domains will often be required. 13. Question: Does a trust automatically allow users in one domain to access resources in another domain? Answer: No. When trust relationships are in place, users must still be granted permission to access resources in other domains. 14. Question: How many domain controllers should you have? Answer: In a large organization, you should have at least two domain controllers per physical location. In smaller organizations, you may have only one domain controller per physical location. Some smaller locations may use a domain controller that is located across a WAN link. 15. Question: In your work environment, do you have scenarios where an RODC would be beneficial? Answer: Answers may vary. Students should be able to identify the primary scenarios where RODC servers are useful, which is remote sites, placements with lower physical security, or edge placements. And they should be able to relate their situation to these use scenarios. 16. Question: If you plan to use one or more RODCs in your work environment, which RODC features do you plan to use? Answer: Answers may vary. This question should provide an opportunity for students to reflect on how students can configure the features of an RODC server to best fit their environment. 17. Question: Do Microsoft Windows Vista workstations have computer objects in Active Directory? Answer: Yes. When a workstation joins a domain, a computer object is created in Active Directory for that workstation. 18. Question: Will you create customized consoles for most of your management tasks? Answer: In most cases, the snap-ins that are included with Administrative Tools are sufficient for general server management. Most students will not create customized consoles. 19. Question: Why is it beneficial to combine frequently used snap-ins into a single console? Answer: It is more efficient to use a single console instead of several consoles with a single snapin. Also, using a single console avoids the need to create custom, special purpose consoles.
1-18
20. Question: Will you use Computer Management or Server Manager to manage your servers? Answer: You will use Server Manager for managing your servers. This is the current tool created by Microsoft for server management. 21. Question: Why would you update a device driver if a device appears to be working properly? Answer: Manufacturers release updated drivers for devices that resolve problems. When a new driver is released, you can review the release notes to determine whether the fixes included in the driver warrant installation. Newer drivers may be more stable or perform faster than previous versions. 22. Question: How does Problem Reports and Solutions improve upon the Dr. Watson utility found in previous versions of Microsoft Windows operating system? Answer: Dr. Watson did not track historical problems. It only attempted to resolve a problem immediately after it occurred. 23. Question: Which of the administrative tools demonstrated will you use most often? Answer: In most cases, you will use Server Management. It contains most of the snap-ins that you need for daily server management. 24. Question: Describe one or more common administrative tasks you carry out in your work environment and a tool that would be used to carry out this task. Answer: Answers may vary. An example of a possible answers is: Using the Event Viewer tool within Server Manager to carry out security auditing. 25. Question: What concerns are there about allowing a server administrator to use Remote Desktop for Administration from home? Answer: Remote connectivity to the remote server must be appropriately secured. For example, you may require a VPN connection before allowing access to servers. This prevents third parties on the Internet from connecting to servers and using a brute force password attack on the server. 26. Question: Can Remote Desktop for Administration result in cost savings for an organization? Answer: Yes. Avoiding the need to return to the office after hours may save overtime costs. Allowing management of servers from remote locations may result in cost savings from centralized management. Avoiding trips to the server room to manage servers reduces the number of hours required for server management. 27. Question: Which server role must be installed to configure Windows Server 2008 as a domain controller? Answer: The Active Directory Domain Services role must be installed. After installation, dcpromo can be used to configure the server as a domain controller. 28. Question: What is the relationship between Active Directory domains and Active Directory forests? Answer: An Active Directory forest can have one or more domains. When there are multiple domains in a forest, then domain objects are replicated only between domain controllers in the same domain. Domain objects include user objects and computer objects. There are automatic transitive trusts between domains in the same forest. 29. Question: Which administrative tool tracks system crashes and attempts to resolve them? Answer: Problem Reports and Solutions tracks system crashes. It attempts to find a resolution for the problem at the time the problem occurs, and continues to monitor Microsoft for a resolution if it is not resolved. 30. Question: When monitoring performance, which tools can you use to track CPU utilization over time?
1-19
Answer: You can use Performance Monitor or Data Collector Sets to monitor CPU utilization over time. Performance Monitor provides a visual graph. A Data Collector Set can log performance counters to a file.
1-20
2-1
Module 2
2-2
Lesson 1
2-3
2-4
Answer: If a user is on temporary leave, but will be returning, you would disable the account. Also, many organizations have a policy of disabling user accounts when users leave the organization, and then deleting the account at a later date. Question: Why are you prompted to change the additional names when you change the user name? Answer: Answers may vary. Possible answers might include: the additional names are typically associated to the user name. Question: Why are you prompted to change the additional names when you change the user name? Answer: Answers may vary. Possible answers might include: the additional names are typically associated to the user name.
2-5
2-6
2-7
5. 6. 7. 8. 9.
In the Password and Confirm Password fields, type Pa$$w0rd. Click Next. Clear the Account is disabled check box. Click Next and then Finish. In the Active Directory Users and Computers window, double-click Michael Miller.
2-8
Additional Reading
Names Associated with Domain User Accounts
For more information on Object Names, see Object Names.
2-9
Lesson 2
2-10
2-11
2-12
Additional Reading
What Is a Computer Account?
For more information, see Manage computers.
2-13
Lesson 3
Contents:
Question and Answers Detailed Demo Steps Additional Reading 14
16
17
2-14
2-15
2-16
2-17
Additional Reading
Configuring AD DS Objects Using Command-Line Tools
Additional reading material on the following, see the links. DSadd/mod/rm commands
2-18
Lesson 4
2-19
Demonstration: Searching AD DS
Question: You need to update the phone number for a user. You have only been given the users first name and last name and you do not know which OU contains the object. What is the quickest way to locate the user account? Answer: Answers may vary. Possible answers include using the Find User/Computer dialog. Question: You need to create a new user account and want to check if a user name is already in use in the domain. How could you do this? Answer: Answers may vary. Possible answers include using the Find User/Computer dialog.
2-20
2-21
7. 8. 9.
Click Field, point to User, and then click Last Name. In the Condition field, click Starts with. In the Value field, type C and click Add.
10. Click OK twice. 11. Expand Saved Queries and then review Saved Query 1.
2-22
Additional Reading
Options for Locating Objects in AD DS
For more information, see Manage Computers.
2-23
2-24
12. Question: How could you make a template account easy to find in AD DS? Answer: Answers may vary. Possible answers may include: Giving it a name that ends with the _Template. 13. Question: List at least one way your company manages their computer accounts. Answer: Answers may vary. Possible answers include: Using Group Policies to restrict access for users. Allow users to gain access to network resources or domain access. 14. Question: List at least one advantage of pre-staging when deploying. Answer: Answers may vary. Possible answers include: automate the creation of new users in an organizational unit. Reduce minor deployment issues thereby reducing live account changes. 15. Question: How can the Location and Managed by properties be used to automate computer account management? Answer: Answers may vary. Possible answers include: Using the Location property can help administrators find the physical location of a computer and the Managed by property can help determine which user handles the machine. These two properties help administrators manage computers much easier. 16. Question: A user is taking a two month leave from work. No one else will be using the users computer, and you want to ensure that no one can log on to the computer while she is gone. However, you want to minimize the amount of effort required for the user to start using the computer when she comes back. How should you configure the computer account? Answer: Answers may vary. Possible answers include: Administrators might disable an account for when an employee is terminated or no longer associated with the company. Accounts are also disabled for temporary or contract workers that are only part of the organization for a defined period of time. Administrators might also disable an account for a user that takes an extended leave of absence. 17. Question: You are pre-staging 100 computer accounts for workstations that will be added to the domain over the next few weeks. You want to ensure that only members of the desktop support team can add the computers to the domain. What should you do? Answer: Answers may vary. Possible answers include: Administrators might want to configure the desktop support team to a group that allows them to add computers to the domain if they are within their organizational unit. 18. Question: List at least one way your organization has employed these tools to automate AD DS Objects. Answer: Answers may vary. Possible answers include: PowerShell can automate listing and modifying users. CSDVE and LDIFDE can also create and modify accounts. AD Users and Computers is the GUI to create and modify users. DS Tools can also automate user create and modification. 19. Question: List at least one example of why an administrator would want to use command line tools. Answer: Answers may vary. Possible answers include batch files. 20. Question: List at least one way that LDIFDE makes user management more scalable and reliable. Answer: Answers may vary. Possible answers include: User information can be easily imported creating new users, groups and organizational units including all the appropriate properties without having to configure each account individually.
2-25
21. Question: List at least one advantage of using CSVDE over LDIFDE when managing user objects. Answer: Answers may vary. CSVDE takes advantage of using CSV files which is a common file format and can be read and updated using applications such as Microsoft Excel. 22. Question: What is the difference between the command prompt and Windows PowerShell? Answer: Answers may vary. Possible answers include: cmdlets, custom cmdlets, and third-party cmdlets. 23. Question: List at least one important management cmdlets. Answer: Answers may vary. Possible answers include: Get-QADUser, Disable-QADUser, GetQADComputer 24. Question: What are the advantages and disadvantages of modifying Active Directory objects by using Windows PowerShell scripts? How can you address the disadvantages? Answer: The biggest advantage is that you can apply changes to multiple accounts at one time. By running a script that uses a file for input, you can easily create or modify the attributes for thousands of users. The biggest disadvantage is that it can take a significant amount of time to create the scripts, and even longer to create the input files that provide the script data. One way to minimize the time needed to create the input files is to export the data from existing applications, or to use tools like Microsoft Office Excel to edit the files. 25. Question: If an administrator were searching for a number of disparate users, would it be more efficient to use the graphic user interface or the command-line tool? Answer: Answers may vary. 26. Question: You need to update the phone number for a user. You have only been given the users first name and last name and you do not know which OU contains the object. What is the quickest way to locate the user account? Answer: Answers may vary. Possible answers include using the Find User/Computer dialog. 27. Question: You need to create a new user account and want to check if a user name is already in use in the domain. How could you do this? Answer: Answers may vary. Possible answers include using the Find User/Computer dialog. 28. Question: List at least one way saved queries help with the long term maintainability of your organization. Answer: Answers may vary. Possible answers include: Administrators can easily search for users again based on the same search criteria as the organization grows. 29. Question: You need to find all user accounts in your AD DS domain that are no longer active. How would you do this? Answer: Answers may vary. Possible answers include: creating a saved query that searches for all disabled accounts. 30. Question: You are responsible for managing accounts and access to resources for members of your group. A user in your group leaves the company, and you expect a replacement for that employee in a few days. What should you do with the previous users account? Answer: The best solution is to delete the old user account, and create a new account for the new user. For security purposes, you always should create a new account for each new user. 31. Question: A user in your group must create a test lab with 24 computers that will be joined to the domain, but the account must be created in a separate OU. What is the best way to do this? Answer: Have a domain administrator pre-stage the computer accounts in the AD DS OU.
2-26
32. Question: You are responsible for maintaining the servers in your organization. You want to enable other administrators in the organization to determine the physical location of each server without adding any additional administrative tasks or creating any additional documents. How can you do this? Answer: Modify the Location property for the computer account of each server to display the servers address information. 33. Question: To accelerate the process of creating new accounts when new employees enter your group, you create a series of account templates that you use to create new user accounts and groups. You are notified that a user with an account that was created by using one of the nonmanager account templates has been accessing files that are restricted to the Managers group. What should you do? Answer: Ensure that you gave the correct group membership to each account created from your template. 34. Question: You are responsible for managing computer accounts for your group. A user reports that they cannot log on to the domain from a specific computer but can log on from other computers. What should you do? Answer: You should reset the computer account for the computer and then rejoin the computer to the domain.
2-27
3-1
Module 3
Creating Groups and Organizational Units
Contents:
Lesson 1: Introduction to Groups Lesson 2: Managing Groups Lesson 3: Creating Organizational Units Module Reviews and Takeaways Lab Review Questions and Answers 2 6 10 14 18
3-2
Lesson 1
Introduction to Groups
Contents:
Question and Answers Additional Reading 3
5
3-3
3-4
3-5
Additional Reading
What Are Groups?
For more information on group accounts, see Understanding Group Accounts
3-6
Lesson 2
Managing Groups
Contents:
Question and Answers Detailed Demo Steps Additional Reading 7
8
9
3-7
3-8
Delegate Administration
1. Open the properties of a group. 2. Click the Managed By tab. 3. Delegate control to a Nate Sun.
3-9
Additional Reading
Identifying Group Membership
For more information on finding a group in Which a user is a member, see Active Directory Users and Computers Help topic - "Finding a Group in Which a User is a Member"
3-10
Lesson 3
3-11
What Is an OU Hierarchy?
Question: What is one advantage of the OU structure being invisible to end-users? Answer: The organizational unit structure is an administrative tool for service and data administrators and is easy to change. This allows you to continue to review and update your OU structure design to reflect changes in your administrative structure and to support policy-based administration.
OU Hierarchy Examples
Question: How would you structure the OU hierarchy in your organization? If you already have an OU structure in your organization, would you make any changes based on this information? Answer: Answer will vary based on students organizations.
3-12
3-13
Additional Reading
What Is an OU?
For more information on the following, see the links. Active Directory Users and Computers Help topic, "Understanding Organizational Units" Reviewing Organizational Unit Design Concepts Windows Server Glossary Organizational Units
OU Hierarchy Examples
For more information on Design Considerations for Organizational Unit Structure and Use of Group Policy Objects, see Design Considerations for Organizational Unit Structure and Use of Group Policy Objects.
3-14
3-15
AccountsPayable and AccountsReceivable. Or, if students choose to have one group, it can be named Finance. 9. Question: Your organization requires a group that can be used to send e-mail to users in multiple domains. The group will not be used to assign permissions. What type of group should you create? Answer: Distribution group 10. Question: Which group scope can be assigned permissions in any domain or forest? Answer: Universal groups 11. Question: In what ways can the Member tab and the Members Of tab simplify management of groups? Answer: The students answers may vary, but can include having quick access to group membership with these two tabs reduces administrative time managing group membership. 12. Question: Describe a situation where you would want to change a group type. Answer: For example, if a group is a distribution group and you wanted to add specific permissions to the group. In this situation, you may want to change a distribution group to a security group. 13. Question: List some problems that may arise from changing a group type from security to distribution. Answer: Changing a users group type from security to distribution may cause users to gain or lose access to network resources, depending if the security group was used to grant or deny permissions to network resources. Since distribution groups arent security enabled, you will lose all the permissions that were applied to the group. 14. Question: Describe an example of how you can create an OU to isolate file and print server accounts, and allow only a particular administrator to access these accounts. Answer: For example, you can create an OU called ResourceOU and use it to store all the computer accounts that belong to the file and print servers managed by a group. Then you can configure security on the OU such that only data administrators in the group have access to the OU. This prevents data administrators in other groups from tampering with the file and print server accounts. 15. Question: What is one advantage of the OU structure being invisible to end-users? Answer: The organizational unit structure is an administrative tool for service and data administrators and is easy to change. This allows you to continue to review and update your OU structure design to reflect changes in your administrative structure and to support policy-based administration. 16. Question: How would you structure the OU hierarchy in your organization? If you already have an OU structure in your organization, would you make any changes based on this information? Answer: Answer will vary based on students organizations. 17. Question: When you move a user, what can happen to a users in regards to Group Policy and delegated authority? Answer: A moved user comes under the delegated authority of the administrator of the new OU. In some cases, this may mean the user has access to many new resources. However, the user should not lose details of their personal profile, such as their e-mail address. 18. Question: Why would you locate user accounts and computer accounts into separate OUs? Answer: One example is easier administration.
3-16
19. Question: You have a collection of users that you want to give permissions to access certain file servers. Would you create an OU or a group for these users? Describe the reason for your choice. Answer: You should create a security group for these users. By adding users to a security group, you can enable permissions, and you can easily move the group or add more permissions if you want to give the users access to different servers. 20. Question: You are responsible for managing accounts and access to resources for your group members. A user in your group transfers into another department within the company. What should you do with the users account? Answer: Although your company may have an HR representative with AD DS permissions to move user accounts, the best solution involves having the user account moved into the appropriate OU of the new department. In this manner, the Group Policies associated with the new department will be enforced. If applying the correct Group Policies is important, the users account should be disabled until somebody with appropriate security permissions can move it into the new OU. 21. Question: A project manager in your department is starting a group project that will continue for the next year. Several users from your department and other departments will be dedicated to the project during this time. The project team must have access to the same shared resources. The project manager must be able to manage the user accounts and group accounts in AD DS. However, you do not want to give her permission to manage anything else in AD DS. What is the best way to do this? Answer: Create a new global security group. Add the project members to the group. Create a new OU outside your departments OU. Assign full control of the OU to the project manager. Add the global group to the new OU. Add resources to the OU, such as shared files and printers. Keep track of the project, and delete the global group when the work finishes. You can keep the OU if another project requires it. However, you should delete it if there is no immediate need for it. 22. Question: You are responsible for maintaining access to local resources, such as printers, in your organization. You want to establish an efficient way to maintain printing privileges to members in each work group, even while those members may change frequently. You also want to simplify the replacement of printers when one has to be taken offline for repairs or replaced. How can you do this with the least disruption and effort on your part? Answer: Create a domain local group that will be used to assign access to the printer resources. Add global groups of individuals who depend on that printer into the domain printer group. In this manner, users may be reassigned in or out of the global groups, but the global group membership in the domain local group will make sure there is uninterrupted printing access. In the event you must have a new local domain group for a new printer, the global user groups can be added easily as a member of the domain local group to reestablish printing access. Nesting strategies help reduce administrative workload and also reduce replication, as all changes are to the local domain alone. 23. Question: You have decided to create a naming convention for all organizational units and groups. What considerations should you take as you set a pattern for naming new objects? Answer: Names of objects such as these should be easy to remember and representational, but not overly specific. Top-level OU names frequently reflect geographical or department names. For example, a subsidiary located in Seattle could have a top-level OU called Seattle. As for groups, the name could suggest location, function, and scope. For example, a global group of teachers with delegated IT responsibilities at their school (school acronym GSS) might have a name of GSS_ITteach_G. A naming convention such as this would be useful when sorting groups by name.
3-17
24. Question: You take over the administration of your departments AD DS organizational unit. When you open Active Directory Users and Computers and view the OU, you notice that all groups and users exist at the same level. Groups that have names such as Ajax_account, SW_Colorado, Nancy, and New_Canon_printer, exist side by side with computer accounts named New_IBM_1, 2, 3, etc, and a FileShare object named DO_NOT_OPEN. What should you do? Answer: Start by documenting the types of user groups that exist in the department. Create groups for each unique user group, and apply a consistent naming convention. Create child OUs to simplify administration of different users within the organization unit. 25. Question: An employee in your company has transferred from one department to another. The user account was removed from all groups associated with the old department and added to group associated with the new department. The user account also was moved into the new department OU. After the user transfer is complete, he informs you that he cannot access his files that are stored on a file server. What should you do? Answer: The user must have been granted permission to the file based on a group membership. You must add the user back to the group that has access to the files or move the files to a location that is accessible to members of the new department groups.
3-18
1. Question: Several tools exist for creating groups in AD DS. Which tool would be more likely to work at any workstation, as long as you could log on to the domain? Answer: The command-line tools are most likely to work from all workstations. These tools will be installed at any workstation you encounter, unlike Active Directory Users and Computers, which must be installed on a workstation or server. A practical skill to acquire is becoming accustomed to some basic command-line administrative commands. 2. Question: You work in a rapidly growing enterprise which is about to expand into new markets across the country. What recommendations do you make regarding an organizational unit hierarchy as you contemplate the growth? Answer: With a list of all of the different business units before you, you plan to accommodate the organizational functions of each group, as well as how best to delegate administrative tasks. Your organizational hierarchy should reflect both geographical and organizational boundaries to provide the best administrative flexibility and scalability. 3. Question: When delegating administrative responsibilities within a department, how could you give a person permission to reset passwords, add a new user, and update account properties (like phone numbers)? Answer: By using the Delegation of Access Wizard on an OU, it is possible to add individuals or groups of users into a position in which they can make minor interventions, or you can increase that level to full control.
4-1
Module 4
4-2
Lesson 1
4-3
4-4
Additional Reading
What Are Security Principals?
For more information, see Windows Server Glossary.
4-5
Lesson 2
4-6
Effects on NTFS Permissions When Copying and Moving Files and Folders
Question: Provide one or two examples where moving files and folders within the same partition reduces administration time. Answer: Answers may vary. Possible answers include: Administrators do not need to worry about permissions being changed or altered because the permissions are kept if files and folders are moved
4-7
within the same partition. Likewise, administrators do not need to change the permissions of the destination folder which could have ramifications on other files and folders within the folder.
4-8
10. In the Permission Entry for Users, review all the permission options. 11. Click Cancel. 12. In the Advanced Security Settings for Users dialog box, review the Include inheritable permissions from this object's parents and the Replace all existing inheritable permissions on all descendents with inheritable permissions from this object check boxes.
4-9
Additional Reading
What Are NTFS Permissions?
For more information, see MSDN Glossary.
Effects on NTFS Permissions When Copying and Moving Files and Folders
For more information, see MSDN Glossary.
4-10
Lesson 3
4-11
4-12
Answer: Answers may vary. Possible answers include: User no longer have to remember the network share name to access the information. The drive appears within Windows Explorer and acts like a local resource.
4-13
4-14
8. 9.
Browse to C:\Shared Folder 2 and click OK. Click Next four times.
10. On the SMB Permissions page, click Users and Groups have custom permissions. 11. Click Permissions. 12. In the Permissions for setup dialog box, click Everyone and then click Remove. 13. Click Add and then in the Add Users, Computers, or Groups dialog box, type Marco Tanara and WOODGROVEBANK\Administrator. 14. Click OK twice. 15. Click Next and then click Create. 16. On the Confirmation page, click Close.
4-15
Additional Reading
What Are Shared Folders?
For more information, see MSDN Glossary.
4-16
Lesson 4
4-17
4-18
Answer: Answers may vary. Possible answers include: Administrators must know which structure has the most restrictive permission assigned. Administrators must also determine if the shared folder permissions and NTFS permissions are compatible.
4-19
10. In the Permission Folder Properties dialog box, click Advanced. 11. In the Advanced Security Settings for Permission Folder, click the Effective Permission tab. 12. Click Select. 13. In the Select Users, Computers or Groups dialog box, type Sven Buck and then click OK. 14. Review the Effective permissions that are set. 15. In the Advanced Security Settings for Permission Folder, click the Permissions tab. 16. Click Edit. 17. Under Permission Entries, click Sven Buck and click Edit. 18. In the Permission Entry for Permissions Folder dialog box, for Create files/write data, click Deny and then click OK twice. 19. In the Windows Security dialog box, read the message and click Yes. 20. Click OK. 21. In the Advanced Security Settings for Permission Folder, click the Effective Permissions tab. 22. Click Select. 23. In the Select Users, Computers or Groups dialog box, type Sven Buck and then click OK. 24. Review the Effective permissions that are set.
4-20
Additional Reading
What Are Effective NTFS Permissions
For more information, see MSDN Glossary.
4-21
4-22
10. Question: Provide one or two examples where moving files and folders within the same partition reduces administration time. Answer: Answers may vary. Possible answers include: Administrators do not need to worry about permissions being changed or altered because the permissions are kept if files and folders are moved within the same partition. Likewise, administrators do not need to change the permissions of the destination folder which could have ramifications on other files and folders within the folder. 11. Question: List at least one benefit of sharing folders across a network. Answer: Answers may vary. Possible answers include: keep information up to date within a group of users. Decreased change of duplication of files because all files for an account can be stored in a shared central repository. 12. Question: List one or two benefits of having and creating your own hidden shares. Answer: Answers may vary. Possible answers include: can keep documents stored in a central location that administrators can access from anywhere, but are not at risk from other users viewing them. 13. Question: List one at least one benefit of having and creating your own hidden shares. Answer: Answers may vary. Possible answers include: can keep documents stored in a central location that administrators can access from anywhere, but are not at risk from other users viewing them. 14. Question: List at least one example of when an administrator might give Full Control to a folder. Answer: Answers may vary. Possible answers may include: Administrators may want a shared folder with complete flexibility given to the users of the resource. 15. Question: How do you apply sharing permissions to a folder? Answer: Right-click the folder, click Sharing, name groups or users to add to the share permissions, and designate them as Readers, Contributors, or Co-owners. 16. Question: How would you begin to create a new shared folder using the Using Share and Storage Management MMC? Answer: You can use the Provision a Shared Folder Wizard to assign location and NTFS permissions to a shared folder. 17. Question: Which tool would you use to create a new shared folder? Answer: Answers will vary. Using Windows Explorer may be quicker, but the Provision a Shared Folder Wizard provides more options for configuring the shared folder. 18. Question: List one or two benefits of accessing resources through mapped drives. Answer: Answers may vary. Possible answers include: User no longer have to remember the network share name to access the information. The drive appears within Windows Explorer and acts like a local resource. 19. Question: What would happen if the user was editing the file but had not saved the changes, and then an administrator used the Close File feature? Answer: Unsaved file changes would be lost. 20. Question: List one or two reasons why administrators should not leave the Everyone group in a shares permissions. Answer: Answers may vary. Possible answers include: Unattended users may access and read or change sensitive material. These users may include subordinates or even contractors with a company.
4-23
21. Question: List at least one example of how offline files are useful. Answer: Answers may vary. 22. Question: Provide at least one example of how cumulative permissions benefit administrators. Answer: Answers may vary. Possible answers include: Administrators can not only apply global group permissions, but they can also get more granular with their permission needs ensuring that only the users that require access will get access. 23. Question: The Users group has Write permission, and the Sales group has Read permission for Folder1. What permissions does User1 have for Folder1? Answer: User1 has Write and Read permissions for Folder1, because User1 is a member of the Users group, which has Write permission, and the Sales group, which has Read permission. 24. Question: The Users group has Read permission for Folder1. The Sales group has Write permission for Folder2. What permissions does User1 have for File2? Answer: User1 has Read and Write permissions for File2, because User1 is a member of the Users group, which has Read permission for Folder1, and the Sales group, which has Write permission for Folder2. File2 inherits permissions from both Folder2 and Folder1. 25. Question: The Users group has Modify permission for Folder1. File2 should be available only to the Sales group, and they should only be able to read File2. What do you do to make sure that the Sales group has only Read permission for File2? Answer: Prevent permissions inheritance for Folder2 or File2. Remove the permissions for Folder2 or File2 that Folder2 has inherited from Folder1. Grant only Read permission to the Sales group for Folder2 or File2. 26. Question: Can the Effective Permissions tool return the actual permissions of a user? Answer: The Effective Permissions tool only produces an approximation of the permissions that a user has. The actual permissions the user has may be different, since permissions can be granted or denied based on how a user logs on. This logon-specific information cannot be determined by the Effective Permissions tool, since the user is not logged on; therefore, the effective permissions it displays reflect only those permissions specified by the user or group and not the permissions specified by the logon. 27. Question: Provide at least one consideration an administrator must acknowledge before combining Shared Folders and NTFS Permissions. Answer: Answers may vary. Possible answers include: Administrators must know which structure has the most restrictive permission assigned. Administrators must also determine if the shared folder permissions and NTFS permissions are compatible. 28. Question: Discuss what the effective permissions are for User1, User2, and User3. Can User1 take full control of User2s directory? Why? How does using the share permission instead of the NTFS permission prevent users from accessing other Users directories. Answer: Answers may vary. 29. Question: You have shared the Data folder to the Sales Group. Within the Data directory, you have given the Sales Group Full Control over the Sales Group. When users in the Sales Group try to save a file in the \Data\Sales directory, they get a access denied error. Why? What permission needs to be changed, and why? Answer: Answers may vary. 30. Question: List one or two examples of best practices that you have implemented when assigning Shared Folder or NTFS permission in your organization. Answer: Answers may vary.
4-24
31. Question: What is the role of access control lists (ACL) in granting access to resources on an AD DS network? Answer: Access control lists (ACL) are attached to every file and folder on an NTFS partition. The ACL contains access control entries (ACE) in which the details of who may access or be denied access to the resource is stored. 32. Question: How do discretionary access control lists (DACLs) differ from system access control lists (SACLs)? Answer: The DACL defines permissions, that is, who may access the resource or who should be denied access to a resource. The DACL also defines the level of access granted to each user or group. The SACL defines which actions will be audited on the object. 33. Question: What happens to the shared folder configuration when you copy or move a shared folder from one hard disk to another on the same server? What happens to the shared folder configuration when you copy or move the shared folder to another server? Answer: In both cases, the copied or moved shared folder will not be configured as a shared folder. If you copy a shared folder, the original remains a shared folder. 34. Question: You need to assign permissions to a shared folder so that all users in your organization can read the contents of the folder. Which of these approaches would be the best way to do this: accept the default permissions, assign read permissions to the folder for the Domain Users group, or add groups representing whole departments? How would this configuration change if your organization had multiple domains? Answer: The best option would be to add the Domain Users group, because it includes all user accounts in the domain. Departmental groups could also provide the access but would require more administrative effort in keeping member lists current. By default, the Everyone group is assigned Read permission when you create a shared folder. This group includes Guest logons and therefore provides an unnecessarily wide range of access. If your organization has more than one domain, you could assign permissions to the Authenticated Users group. 35. Question: When moving a folder in an NTFS partition, what permissions are required over the source file or folder and over the destination folder? Answer: You must have both Write permission for the destination folder and Modify permission for the source file or folder. Modify permission is required to move a folder or file because Windows Server 2008 deletes the folder or file from the source folder after it copies it to the destination folder. 36. Question: What is the best way to create a shared folder that needs to be accessed by users who are situated on two domains? Answer: Configure global security groups that contain intended department members in both domains. Create a shared folder on a server in one of the domains. Create a Domain Local group in the domain where the shared folder is located, and then add both global groups to the domain local group. Edit the share level and NTFS permissions of the shared folder so that both groups have minimum required permissions.
4-25
5-1
Module 5
Configuring Active Directory Objects and Trusts
Contents:
Lesson 1: Delegate Administrative Access to Active Directory Objects Lesson 2: Configure Active Directory Trusts Module Reviews and Takeaways Lab Review Questions and Answers 2 7 10 13
5-2
Lesson 1
5-3
5-4
13. In the Advanced Security Settings for BranchManagers dialog box, click Doris Krieger and then click Remove. 14. Click OK. 15. In the Permissions dialog box, review the warning, and then click Yes. 16. Click OK.
5-5
Run a PowerShell script to delegate the password reset permission for a user:
1. Click Start, type notepad e:\mod05\democode\grantpasswordreset.ps1 and then press ENTER. 2. In the Notepad window, review the script and then close Notepad when done. 3. Click Start, point to All Programs, point to Windows PowerShell 1.0, and then click Windows PowerShell. 4. In the Windows PowerShell window, type set-executionpolicy unrestricted and then press ENTER. 5. Type e:\mod05\democode\grantpasswordreset.ps1 -container "ou=miami,dc=woodgrovebank,dc=com" -trustee "woodgrovebank\roya" and then press ENTER. 6. If you wish, open Active Directory Users and Computers to review the effective permissions for Roya.
5-6
Additional Reading
Active Directory Object Permissions
For more information on the following, see the links. Access control in Active Directory Assign, change, or remove permissions on Active Directory objects or attributes
5-7
Lesson 2
5-8
5-9
Additional Reading
AD DS Trust Options
For more information on managing trusts, see Active Directory Domains and Trusts Help: Managing Trusts.
5-10
5-11
10. Question: What does a trust existing between two domains provide? Answer: Trusts help provide for controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). In this way, trusts act as bridges that allow only validated authentication requests to travel between domains. 11. Question: If you were going to configure a trust between a Windows Server 2008 domain and a Windows NT 4.0 domain, what type of trust would you configure? Answer: You would have to configure an external trust. 12. Question: If you need to share resources between domains, but do not want to configure a trust, how could you provide access to the shared resources? Answer: One option would be to allow anonymous access to the resources. For example, you could store the data on a Windows SharePoint Services site and enable anonymous access to the SharePoint site. Another option is to create user accounts in the domain where the resources exist for another domains users that need to access the resources. When the users try to access the resource, they will need to enter the credentials from the target domain. 13. Question: A user located in a different domain in your forest needs permission to create GPOs in your domain. What is the best way to accomplish this? Answer: 14. Question: In this slide Domain B and Domain C have a what type of Trust in this forest? What are the limitations? Answer: Domain B & Domain C have a one-way trust, Domain B can access Domain C, but Domain C can not directly access Domain B. 15. Question: Why would a clients not able to access resources in a domain outside the forest? Answer: This can occur if there is a failure on the external trust between the domains and can be resolved by resetting and verifying the trust between the domains. 16. Question: When you set up a forest trust, what information will need to be available in DNS for the forest trust to work? Answer: In order to configure the trust, and in order for the trust to work after configuration, domain controllers in both forests will need to be able to resolve the DNS names for the domain controllers in the other forest. This means that you must configure DNS to enable this name resolution. You can enable name resolution by configuring conditional forwarding, stub zones, or zone transfers. 17. Question: Provide a couple scenarios where UPNs would be useful. Answer: Students answer will vary, and the student response should indicate that they understand how it simplifies the users experience. For example, an organization with multiple domains may choose to use the forest root domain as the UPN for all users. Another example is if an organization uses Simple Mail Transfer Protocol (SMTP) addresses for e-mail that are different than the domain name, administrators may choose to add the SMTP domain address as a UPN suffix so that the users e-mail address also can be their logon name. 18. Question: Provide a scenario where it would be appropriate to enable selective authentication? Answer: Students answer will vary, and the student response should indicate that they understand the security that selective authentication provides. 19. Question: When addressing Active Directory permissions, there are risks. How does explicitly denied permissions contribute to that risk? Answer: The risk is that an explicitly denied permissions always override allowed permissions.
5-12
20. Question: If a there is a trust within a forest, and the resource is not in the users domain how does the domain controller use the trust relationship to access the resource. Answer: The domain controller uses the trust relationship with its parent, and refers the users computer to a domain controller in its parent domain. This attempt to locate a resource and continues up the trust hierarchy, possibly to the forest root domain, and down the trust hierarchy, until contact occurs with a domain controller in the domain where the resource exists. 21. Question: You have created a global group called Helpdesk, which contains all the help desk accounts. You want the help desk personnel to be able to perform any operation on local desktop computers, including take ownership of files. Which is the best built-in group to use? Answer: Add the Helpdesk group to the Administrators local group, because the help desk personnel must be able to perform any operation on the desktop computers. 22. Question: The BranchOffice_Admins group has been granted full control of all user accounts in the BranchOffice_OU. What permissions would the BranchOffice_Admins have to a user account that was moved from the BranchOffice_OU to the HeadOffice_OU? Answer: The BranchOffice_Admins would not have any permissions on the user account because permissions are inherited from the OU where the account is located. 23. Question: Your organization has a Windows Server 2008 forest environment, but it has just acquired another organization with a Windows 2000 forest environment that contains a single domain. Users in both organizations must be able to access resources in each others forest. What type of trust do you create between the forest root domain of each forest? Answer: You will need to implement an external trust, because Windows 2000 does not support forest trusts. Only Windows Server 2003 or later supports forest trusts.
5-13
6-1
Module 6
Creating and Configuring Group Policy
Contents:
Lesson 1: Overview of Group Policy Lesson 2: Configuring the Scope of Group Policy Objects Lesson 3: Evaluating the Application of Group Policy Objects Lesson 4: Managing Group Policy Objects Lesson 5: Delegating Administrative Control of Group Policy Module Reviews and Takeaways Lab Review Questions and Answers 2 8 16 21 28 32 36
6-2
Lesson 1
6-3
6-4
6-5
6-6
13. In the Hide Screen Saver tab Properties, click Enabled and click OK. 14. Close all windows.
6-7
Additional Reading
What Is Group Policy?
For more information on Windows Server Group Policy, see Windows Server Group Policy.
6-8
Lesson 2
6-9
6-10
6-11
6-12
4. Right-click the Test OU folder, point to New, and then click User. 5. In the New Object - User dialog box, in the First name field, type User1. 6. In the User logon name field, type User1, and then click Next. 7. In the Password and Confirm password fields, type Pa$$w0rd. 8. Clear the User must change password at next logon checkbox, click Next, and then click Finish.
Block Inheritance
1. On NYC-DC1, in the Group Policy Management window, click the Test OU folder. 2. Right-click the Test OU folder, and then click Block Inheritance. 3. Note the Test OU folder icon changes.
6-13
6-14
4. In the confirmation dialog box, click OK. 5. In the details pane, under Security Filtering, click Add. 6. In the Select User, Computer, or Group dialog box, type User1, and then click OK.
6-15
Additional Reading
Group Policy Processing Order
For more information on Group Policy processing and procedures, see Group Policy processing and precedence.
6-16
Lesson 3
6-17
Answer: A, D and E are correct. You cannot simulate migrating users across domains. You can simulate security group membership, but not security group filtering.
6-18
6-19
8. 9.
On the User and Computer Selection page, click Next. On the Advanced Simulation Options, click Next.
10. On the Alternate Active Directory Paths page, click Next. 11. On the User Security Groups page, click Next. 12. On the Computer Security Groups page, click Next. 13. On the WMI Filters for Users page, click Next. 14. On the WMI Filters for Computers page, click Next. 15. On the Summary of Selections page, click Next. 16. On the Completing Group Policy Modeling Wizard page, click Finish. 17. Review the Report.
6-20
Additional Reading
What Is Group Policy Reporting?
For more information on the following, see the links. Command-line reference A-Z, and then click on Gpresult
6-21
Lesson 4
6-22
6-23
6-24
Restore a GPO
1. Right-click the Group Policy Objects folder, and then click Manage Backups. 2. In the Manage Backups dialog box, click the Desktop 2 policy, and then click Restore. 3. In the confirmation dialog box, click OK. 4. In the Restore dialog box, click OK. 5. In the Manage Backups dialog box, click Close. 6. Note that the Desktop 2 GPO exists again.
6-25
6-26
4. On the Backup location page, click Next. 5. On the Source GPO page, click Redirect and click Next. 6. On the Scanning Backup page, click Next. 7. On the Migrating References page, select the Using this migration table to map them in the destination GPO radio button, and then click New. 8. In the Migration Table Editor - New window, in the Source Name field, type \\server\share. 9. In the Source Type list, ensure that UNC Path is selected. 10. In the Destination Name field, type \\Srv1\docs. 11. On the File menu, click Save. 12. In the Save As dialog box, in the File Name field, type Migration1, and then click Save. 13. Close the Migration Table Editor window. 14. On the Migrating References page, click Next. 15. On the Completing the Importing Settings Wizard page, click Finish. 16. In the Import dialog box, click OK.
6-27
Additional Reading
What Is a Starter GPO?
For more information on the Starter GPOs, see Help Topics: Working with Starter GPOs.
6-28
Lesson 5
6-29
6-30
6-31
Additional Reading
Options for Delegating Control of GPOs
For more information on delegating group policy, see Delegating Group Policy.
6-32
6-33
11. Question: When would multiple local Group Policy objects be useful in a domain environment? Answer: Companies may use multiple local Group Policy objects to exempt domain and local administrative accounts from local restrictions. 12. Question: You have created a restrictive desktop policy and linked it to the Finance OU. The Finance OU has several child OUs that have separate GPOs that reverse some of your desktop restrictions. How would you ensure that all users in the Finance department receive your desktop policy? Answer: Enforce the GPO link at the Finance OU level. 13. Question: True or false: if a GPO is linked to multiple containers, altering the settings for one of those links will affect only that container. Answer: False. Changing the settings of a GPO will affect all the containers to which the GPO is linked. 14. Question: Your domain has two domain-level policies, GPO1 and GPO2. You need to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs. How could you accomplish this? Answer: Block inheritance for the OUs that should not receive GPO2, and set the link on GPO1 to be enforced to ensure that all OUs receive GPO1. 15. Question: You want to ensure that a specific policy linked to an OU will affect only the members of the Managers global group. How would you accomplish this? Answer: Use the security page of the GPO to remove the Authenticated Users group and, then add the Managers global group, and grant them Read and Apply Group Policy permissions. 16. Question: You need to deploy a software application that requires computers to have more than 1 GB of RAM. What is the best way to accomplish this? Answer: Create a WMI filter to test for the amount of RAM, and link that filter to the GPO that delivers the software package. 17. Question: List one of the benefits of using Loop Processing? Answer: Answers may vary. Possible answers include: enforce policies with a number of different users on the same computer. Safeguard machines from unauthorized access. 18. Question: What are the advantages to using security group filtering over blocking inheritance, to prevent Group Policy from being applied? Answer: Security group filtering allows you to block or apply specific policies, while blocking inheritance affects all higher-level policies. Question: When would blocking inheritance be more appropriate? Answer: When you need to prevent all the objects in an OU from receiving Group Policy, and there are too many objects to make filtering a practical solution. 19. Question: You want to know which domain controller delivered Group Policy to a client. Which utility would you use? Answer: GPResult.exe will provide that information. 20. Question: What simulations can you perform with the Group Policy Modeling Wizard? Choose all that apply: A. Loopback processing B. Moving a user to a different domain in the same forest C. Security group filtering
6-34
D. Slow link detection E. WMI filtering F. All of the above Answer: A, D and E are correct. You cannot simulate migrating users across domains. You can simulate security group membership, but not security group filtering. 21. Question: A user reports that they are unable to access Control Panel, yet other users in the department can access Control Panel. What tools might you use to troubleshoot the problem? Answer: The Group Policy Results Wizard can tell you if the problem is Group Policy related, and if so, what policy is providing the setting. 22. Question: You perform regular backups of GPOs. An administrator has inadvertently changed a number of settings on the wrong GPO. What is the quickest way to fix the problem? Answer: Restoring a previous backed up version will restore the original settings. 23. Question: List one of the benefits of using Starter GPOs. Answer: Answers may vary. Possible answers include: Making GPO creation easier and more reliable. Providing backups for GPOs. 24. Question: What is one benefit of using Starter GPOs? Answer: Answers may vary. 25. Question: What is the advantage of copying a GPO and linking it to an OU, versus linking the original GPO to multiple OUs? Answer: If the original GPO is modified, it will affect all the OUs to which it is linked. A copied GPO is a new instance of the GPO that has no connection to the original GPO. 26. Question: What permissions are required to back-up a GPO? Answer: Read permission. 27. Question: What is the purpose of a migration table? Answer: Migration tables allow you to, if required, change specific references in copied or imported GPOs, in the new location where the GPO will be applied. 28. Question: List at least one benefit of using the ADMX Migrator utility. Answer: Answers may vary. Possible answers include: The ADMX Migrator tool is a free conversion tool that allows administrators to migrate their ADM files to ADMX file format saving time and reducing the amount of re-work that may need to be done. 29. Question: List one of the benefits of the administrator delegating rights to create new Group Policies. Answer: Answers may vary. Possible answers include: Administrators can provide a mechanism for users to create new Group Policies without giving them rights to configure anything else. This provides better overall security without making administration too inflexible. 30. Question: A user located in a different domain in your forest needs permission to create GPOs in your domain. What is the best way to accomplish this? Answer: You must use the GPMC to delegate permission to create GPOs to the user. You cannot add the user to the Group Policy Creator Owners group, because it is a global group and therefore cannot contain a user from a different domain. 31. Question: You want to force the application of certain Group Policy settings across a slow link. What can you do?
6-35
Answer: Use Group Policy to force those settings to be applied across the link, or use Group Policy to change the slow link threshold. 32. Question: You need to ensure that a domain level policy is enforced, but the Managers global group needs to be exempt form the policy. How would you accomplish this? Answer: Set the link to be enforced at the domain level, and use security group filtering to deny Apply Group Policy permission to the Administrators group. 33. Question: You want all GPOs that contain user settings to have certain Administrative Templates enabled. You need to be able to send those policies to other administrators in the enterprise. What is the best approach? Answer: Configure a Starter GPO to have the required basic settings, and then export the GPO to a .cab file. That file then can be imported by other administrators. 34. Question: You want to control access to removable storage devices on all client workstations through Group Policy. Can you use Group Policy to do this? Answer: You can only control access to removable storage devices on Windows Vista and Windows Server 2008.
6-36
7-1
Module 7
7-2
Lesson 1
7-3
Demonstration: Configuring Group Policy Settings Using the Group Policy Editor
Question: How could you prevent a lower-level policy from reversing the setting of a higher-level policy? Answer: Enforce the link of the higher-level policy.
7-4
7-5
Additional Reading
Options for Configuring Group Policy Settings
For more information on the working of core Group Policy, see "How Core Group Policy Works", http://go.microsoft.com/fwlink/?LinkId=99468.
Demonstration: Configuring Group Policy Settings Using the Group Policy Editor
For more information about planning and deploying Group Policy, see "Planning and Deploying Group Policy", http://go.microsoft.com/fwlink/?LinkID=134056
7-6
Lesson 2
7-7
7-8
7-9
Additional Reading
What Are Group Policy Scripts?
For more information about Group Policy scripts, see "The Two Sides of Group Policy Script Extension Processing", http://go.microsoft.com/fwlink/?LinkId=99469
7-10
Lesson 3
Contents:
Questions and Answers Detailed Demo Steps Additional Reading 11
12
14
7-11
7-12
7-13
5. In the Policy Templates dialog box, browse to E:\Mod07\LabFiles\Templates\adms. 6. Click example2.adm, click Open, and then click Close. 7. In the console pane, notice that the Classic Administrative Templates node is now present. 8. Expand Classic Administrative Templates, and then click Example 2 Policy settings. 9. Review the sample policy settings, and then close Group Policy Management Editor. 10. Close Group Policy Management.
7-14
Additional Reading
What Are Administrative Templates?
For more information about using administrative template files with registry-based Group Policy, see "Using Administrative Template Files with Registry-Based Group Policy", http://go.microsoft.com/fwlink/?LinkId=99478
7-15
Lesson 4
Contents:
Questions and Answers Additional Reading 16
17
7-16
7-17
Additional Reading
Options for Deploying and Managing Software by Using Group Policy
For more information about using Group Policy Installation, see "Group Policy Installation overview", http://go.microsoft.com/fwlink/?LinkId=113760
7-18
Lesson 5
Contents:
Additional Reading 19
7-19
Additional Reading
What Are Group Policy Preferences?
For more information about Group Policy preferences, see "Information about new Group Policy preferences in Windows Server 2008", http://go.microsoft.com/fwlink/?LinkID=139955
7-20
Lesson 6
7-21
7-22
10. Type GPUpdate /? and then press ENTER. 11. Scroll through and review the results. 12. Type GPUpdate /force and then press ENTER. 13. Review the results. 14. Type "C:\Program Files\GroupPolicy Logview\GPLogView.exe" and then press ENTER. 15. Scroll through and review the results. 16. Type "C:\Program Files\GroupPolicy Logview\GPLogView.exe" -o gpevents.txt and then press ENTER. 17. Type notepad gpevents.txt and then press ENTER. 18. In the Notepad window, scroll through and review the results. 19. Close Notepad. 20. To run GPOLogView in monitor mode, type "C:\Program Files\GroupPolicy
Logview\GPLogView.exe" -o gpevents.txt and then press ENTER.
21. Click Start, and then click Command Prompt. 22. In the second Command Prompt window, type GPUpdate /force and then press ENTER. 23. Switch to the first command prompt window and then scroll through review the results. 24. Close both Command Prompt windows.
7-23
Additional Reading
Scenarios for Group Policy Troubleshooting
For more information on Group Policy Troubleshooting, see "Group Policy Troubleshooting", http://go.microsoft.com/fwlink/?LinkId=101100.
7-24
Lesson 7
7-25
None of the Managers are receiving the GPO settings. What is the problem? Answer: Because deny permission overrides any allow permissions, the denial of Authenticated Users is preventing anyone from getting the GPO settings.
7-26
Additional Reading
How Client Side Extension Processing Works
For more information about identifying Group Policy client-side extensions, see "Identifying Group Policy Client-Side Extensions", http://go.microsoft.com/fwlink/?LinkId=101115 For more information about Group Policy and network bandwidth, see "Group Policy and Network Bandwidth" http://go.microsoft.com/fwlink/?LinkId=101117
7-27
Lesson 8
Contents:
Questions and Answers Additional Reading 28
29
7-28
7-29
Additional Reading
Troubleshooting Administrative Template Policy Settings
For more information on fixing Administrative Template policy setting problems, see "Fixing Administrative Template policy setting problems", http://go.microsoft.com/fwlink/?LinkId=101118
7-30
7-31
available for any GPO. Also, ADM files use their own markup language, while ADMX files use a standards-based XML format. 12. Question: What types of applications would you deploy via Group Policy in your environment? Answer: Answers will vary. 13. Question: What are some disadvantages of deploying software through Group Policy? Answer: Large applications generate a lot of network traffic. You cannot control when the installation will occur. Laptop users are not able to connect to the distribution point when they are not connected to the LAN. This client-side extension that delivers software does not function over a slow link, by default. 14. Question: What is an advantage of publishing an application over assigning it? Answer: Unneeded software will not be installed automatically. 15. Question: You have deployed a number of published applications. Many of those applications are for the use of the Finance department. What could you do to make it easier for Finance department users to locate those applications? Answer: Create a category for the Finance department, and then publish those applications in the Finance category. 16. Question: You organization is upgrading to a newer version of a software package. Some users in the organization require the old version. How would you deploy the upgrade? Answer: You would deploy an optional upgrade to allow users to keep the old version, if required. 17. Question: What diagnostic tool could you use to determine lease expiration of a Dynamic Host Configuration Protocol (DHCP) address that has been issued to a client computer? Answer: IPConfig /all will provide DHCP lease information. 18. Question: What steps must you take prior to running Group Policy reporting RSoP on a remote computer? Answer: You must ensure that the remote procedure call (RPC) service is available on the remote client. You can do this by modifying the Windows Firewall manually, or through a Group Policy setting that allows remote administration. 19. Question: Users in a branch office log on across a slow modem connection. You want folder redirection to be applied to them even across the slow link. How would you accomplish this? Answer: You would configure the folder redirection CSE to be enabled across slow links. 20. Question: Are there scenarios in your organization that would benefit from blocking inheritance? Answer: Answers will vary. 21. Question: You have applied security filtering to limit the GPO to apply only to the Managers group. You did this by setting the following GPO permissions: Authenticated Users are denied the Apply Group Policy permission. The Managers group has been granted Read and Apply Group Policy permission. None of the Managers are receiving the GPO settings. What is the problem? Answer: Because deny permission overrides any allow permissions, the denial of Authenticated Users is preventing anyone from getting the GPO settings. 22. Question: What tool can you use to force replication across all domain controllers in the domain? Answer: Replication Monitor can force all domain controllers to replicate.
7-32
23. Question: You have implemented folder redirection for a particular OU. Some users report that their folders are not redirecting to the network share. What is the first step you should take to resolve the problem? Answer: Folder redirection is applied only at logon, so ensure that users have logged off and logged on twice, to determine that cached credentials are not the issue. 24. Question: One user is having settings applied that no one else is receiving. What might be the issue and how would you start troubleshooting? Answer: The problem might be a result of a local Group Policy setting on the computer. Local policies are applied if there are no domain policies that change them. Group Policy reporting (RSoP) reveals these issues. 25. Question: Your network has a mixture of Windows XP and Windows Vista computers. You have configured the Administrative Template to remove the games link from the Start Menu, but only the Windows Vista computers are enforcing the setting. What is the problem? Answer: This setting applies only to Windows Vista and later operating systems. 26. Question: A logon script is assigned to an OU. The script executes properly for all users, but some users report that they get an access-denied message when they try to access the mapped drive. What is the problem? Answer: The permissions set on the network share to which the users map are the most likely problem. The drive mapping itself succeeds, even if the user does not have permission to the location. 27. Question: You have assigned a logon script to an OU via Group Policy. The script is located in a shared network folder named Scripts. Some users in the OU receive the script, while others do not. What might be some causes? Answer: The network location may not be accessible by all users. Share level or NTFS permissions on the folder may be set incorrectly. 28. Question: What steps could you take to prevent these types of problems from re-occurring? Answer: Move the scripts into the NetLogon share. This will solve permission or accessibility issues. 29. Question: You have two logon scripts assigned to users: script1, and script2. Script2 depends on script1 completing successfully. Your users report that script2 never runs. What is the problem, and how would you correct it? Answer: Logon scripts run asynchronous (all at once). Script2 is failing before script1 completes. You will have to change the processing to be synchronous, to correct the problem. 30. Question: What log will give folder redirection details? Answer: You can enable the FDdeploy.log to provide information about folder redirection. 31. Question: What visual indicator in the GPMC designates that inheritance has been blocked? Answer: The visual indicator is a blue exclamation mark on the OU where inheritance is being blocked. 32. Question: What GPO settings are applied across slow links by default? Answer: Security Settings, Administrative Settings, and Recovery Policy.
7-33
1. Question: You have configured folder redirection for an OU, but none of the users folders are being redirected to the network location. When you look in the root folder, you observe that a subdirectory named for each user has been created, but they are empty. What is the problem? Answer: The problem is most likely permission-related. The users named subdirectories are being created by the Group Policy, but the users dont have enough permission to create their redirected folders inside them. 2. Question: Some Group Policy settings are not applied immediately when a user logs on or when Group Policy is refreshed. What could be the problem? Answer: If a user connects to the network with cached credentials, Group Policy is not processed. Logging off and logging back on will cause Group Policy to apply any changes. Also, to ensure that Group Policy is applied over a slow link, the user must select the Logon using dialup connection check box in the Windows Logon dialog box. 3. Question: If you have the same policy setting configured differently under both Computer Configuration and User Configuration, which setting will apply? Answer: User configuration settings are applied first, followed by computer configuration settings. Therefore, any conflicting settings under user configuration will be overridden by those under computer configuration. 4. Question: You want to deploy an administrative utility to members of the Domain Admins security group. These utilities should be available from any computer that an administrator logs onto, but only installed when necessary. What is the best approach to accomplish this? Answer: Create a GPO that publishes the utility, and link it to the domain. Apply security filters to the GPO such that it only applies to the Domain Admins group. 5. Question: You want to deploy a Group Policy setting that restricts access to Registry modification tools. Should you configure policy settings in Group Policy or Group Policy Preferences? Answer: To enforce a restriction policy in a domain, you should configure the appropriate policy settings in Group Policy, not Group Policy Preferences. Policy settings are enforces, while preference settings are not. This means that users can change any preference setting that is applied through Group Policy, but policy settings prevent users from changing them. 6. Question: If you wanted to configure mapped drives and desktop shortcuts for specific users in the domain, should you configure policy settings in Group Policy or Group Policy Preferences? Answer: Again, its a matter of whether you wish to enforce such settings. Although you can configure such things as mapped drives and Internet Explorer settings through either policy settings or preferences, preferences give the user the freedom to change them, while policy settings do not. 7. Question: If a policy at the domain level is set for enforcement while another policy at the OU level with a conflicting setting also is set to be enforced, which policy setting will the OU clients receive? Answer: Clients in the OU will receive the first enforced policy settings at the domain level. The conflicting policy setting at the lower level will be ignored, even though the policy is set to be enforced. Any other settings in the OU policy will be applied and enforced, as long as those settings do not conflict with the domain-enforced policy.
7-34
8. Question: If you use group policy to configure the slow-link detection threshold to be zero, what does that indicate? Answer: A slow-link threshold of zero indicates that all connections are considered fast.
8-1
Module 8
Implementing Security Using Group Policy
Contents:
Lesson 1: Configuring Security Policies Lesson 2: Implementing Fine-Grained Password Policies Lesson 3: Restricting Group Membership and Access to Software Lesson 4: Managing Security Using Security Templates Module Reviews and Takeaways Lab Review Questions and Answers 2 9 13 18 24 27
8-2
Lesson 1
8-3
8-4
Question: You need to grant an ordinary user the right to log on locally to domain controllers. In which of the default policies should you configure this setting? Answer: You need to configure this setting in the Default Domain Controllers policy. Setting this policy at the domain level will not work, because the Default Domain Controllers policy has configured this setting and has a higher precedence.
8-5
8-6
8-7
7. In the details pane, double-click Core Networking - IPv6 (IPv6-Out). 8. In the Core Networking - IPv6 (IPv6-Out) Properties dialog box, take note of the options available and click Cancel. 9. Right-click Inbound Rules, and then click New Rule. 10. On the Rule Type page, select the Custom radio button, and then click Next. 11. On the Program page, select the All Programs radio button, and then click Next. 12. On the Protocol and Ports page, click Next. 13. On the Scope page, click Next. 14. On the Action page, click Next. 15. On the Profile page, click Next. 16. On the Name page, in the Name field, type My Custom Rule, and then click Finish. 17. Close all windows.
8-8
Additional Reading
What Are the Account Policies?
For more information on account passwords and policies, see Account Passwords and Policies in Windows Server 2003.
8-9
Lesson 2
8-10
8-11
8-12
Additional Reading
What Are Fine-Grained Password Policies?
For more information on the fine-grained password policies, see AD DS: Fine-Grained Password Policies.
8-13
Lesson 3
8-14
8-15
8-16
8-17
Additional Reading
What Is a Software Restriction Policy?
For more information on using Software Restriction policies to protect against unauthorized software, see Using Software Restriction Policies to Protect Against Unauthorized Software.
8-18
Lesson 4
8-19
Options for Integrating the Security Configuration Wizard and Security Templates
Question: What is the main advantage of the SCW? Answer: It allows you to create policies that provide consistent security settings across multiple instances of a particular server role.
8-20
8-21
9. In the console pane, right-click Server Baseline, and then click Save. 10. Close the MMC window and do not save changes.
8-22
18. On the Network Security Rules page, click Next. 19. On the Registry Settings page, click Next. 20. On the Require SMB Security Signatures page, click Next. 21. On the Require LDAP Signing page, click Next. 22. On the Outbound Authentication Methods page, click Next. 23. On the Outbound Authentication using Domain Accounts, click Next. 24. On the Registry Settings Summary page, click Next. 25. On the Audit Policy page, click Next. 26. On the System Audit Policy page, click Next. 27. On the Audit Policy Summary page, click Next. 28. On the Save Security Policy page, click Next. 29. On the Security Policy File Name page, in the Security policy file name field, type C:\baseline.xml 30. On the Apply Security Policy page, click Next. 31. On the Completing the Security Configuration Wizard page, click Finish.
8-23
Additional Reading
What Are Security Templates?
For more information on security templates, see Security Templates.
8-24
8-25
12. Question: How could you view the Password Settings Container in Active Directory Users and Computers? Answer: You need to enable the Advanced Features view in Active Directory Users and Computers. 13. Question: In your organization, a number of users deal with confidential files on a regular basis. You need to ensure that all these users have strict account polices enforced. The user accounts are scattered across multiple OUs. How would you accomplish this with the least administrative effort? Answer: Create a shadow global group and place all the appropriate users into that group. Then create and assign a PSO to the group 14. Question: What utilities can be used to manage PSOs? Choose all that apply: a. ADSI edit b. GPMC c. CSVDE d. LDIFDE e. NTDSUtil f. Active Directory Users and Computers
Answer: a, d, and f are correct.
15. Question: You have a number of computers in a workgroup. You need to restrict access to a certain application so that only members of the Administrators group are allowed to launch the application. How would you accomplish this? Answer: Local Group Policy supports software restriction policies for the computer configuration only. You can exempt the local Administrators group from the restriction by configuring the Enforcement setting. 16. Question: You need to restrict access to a certain application no matter into what directory location the application is installed. What type of rule should you use? Answer: A Hash rule will identify the application uniquely, and prevent access to it no matter where the application was installed. 17. Question: You want to ensure that only digitally signed Visual Basic scripts are allowed to run. What type of rule should you use? Answer: You can use a certificate rule to specify that VB scripts must be signed, and what digital signatures are valid. 18. Question: Provide an example of how Security Templates can help organize your existing security attributes. Answer: Answers may vary. 19. Question: You have multiple database servers that are located in different OUs. What is the easiest way to apply consistent security settings to all of the database servers? Answer: Create a security template that contains all the appropriate security settings and import the template into a GPO. Then link that GPO to the OUs, and, if necessary, filter the GPO to apply to the database computers. 20. Question: List at least one example of how the Security Configuration Wizard can reduce your attack surface. Answer: Answers may vary. 21. Question: What types of server roles exist in your organization? Answer: Answers may vary.
8-26
22. Question: What is the main advantage of the SCW? Answer: It allows you to create policies that provide consistent security settings across multiple instances of a particular server role. 23. Question: You need to open a port on your Windows Vista client computers for a custom application. Should you use the SCW, or create a security template and use a GPO? Answer: You should create a security template and import it into a GPO. The SCW is not designed to be used for client operating systems. 24. Question: Provide at least one example of how your organization can benefit from using the Security Configuration and Analysis Tool. Answer: Answers may vary. 25. Question: You want to place a software restriction policy on a new type of executable file. What must you do before you can create a rule for this executable code? Answer: You must add the file extension to the list of Designated Files Types. 26. Question: What setting must you configure to ensure that users are allowed only three invalid logon attempts? Answer: The Account Lockout Threshold setting. 27. Question: You want to provide consistent security settings for all client computers in the organization. The computer accounts are scattered across multiple OUs. What is the best way to provide this? Answer: Create a security template that has all the appropriate settings, and then import the template into GPOs linked to the appropriate OUs. 28. Question: An administrator in your organization has accidentally modified the Default Domain Controller Policy. You need to restore the policy to its original default settings. How would you accomplish this? Answer: You would use the Dcgpofix command-line utility with the following syntax: dcgpofix /target:DC
8-27
9-1
Module 9
Configuring Server Security Compliance
Contents:
Lesson 1: Securing a Windows Infrastructure Lesson 2: Implementing Encryption Lesson 3: Configuring an Audit Policy Lesson 4: Overview of Windows Server Update Services Lesson 5: Managing WSUS Module Reviews and Takeaways Lab Review Questions and Answers 2 5 7 11 16 21 25
9-2
Lesson 1
9-3
9-4
Additional Reading
Discussion: Challenges of Securing a Windows Infrastructure
For more information on the Windows Server 2008 Security Overview, see Windows Server 2008: Windows Help and Support - "Security Overview"
9-5
Lesson 2
Implementing Encryption
Contents:
Questions and Answers 6
9-6
Troubleshooting EFS
Question: Have you faced any EFS troubleshooting scenarios in your work environment? If so, how did you approach them? Answer: Answers may vary. This question should provide students an opportunity to further reflect on the troubleshooting guidance in this topic.
9-7
Lesson 3
9-8
9-9
9-10
Additional Reading
What Is Auditing?
For more information on auditing, see Auditing overview.
9-11
Lesson 4
9-12
Obtaining Updates
Question: Describe a scenario where an organization would have an isolated network. Answer: If you have a network segment that is not connected to the Internet. In this example, you create a WSUS server that is connected to the Internet but isolated from the intranet. After you download updates to this server, you can hand-carry media to disconnected servers running WSUS, by exporting and importing updates. Another scenario is when organizations have high-cost or low-bandwidth links to the Internet. Downloading enough updates for all Microsoft products throughout an organization can be bandwidth-intensive, and importing and exporting updates enables organizations to download updates once and distribute by using inexpensive media.
Installing WSUS
Question: Would you install the WSUS administration console on the same server as the WSUS server in your organization? Answer: Students answers will vary based on their organizations.
9-13
9-14
9-15
Additional Reading
What Is Windows Server Update Services?
For more information on the following, see the links. Microsoft Windows Server Update Services 3.0 Overview New in Windows Server Update Services 3.0
Obtaining Updates
For more information on the following, see the links. Determine Bandwidth Options to Use Choose a type of WSUS Deployment
Installing WSUS
For more information on the following, see the links. Run WSUS 3.0 Server Setup Install the WSUS 3.0 Administration Console
9-16
Lesson 5
Managing WSUS
Contents:
Questions and Answers Detailed Demo Steps Additional Reading 17
19
20
9-17
These features make it easier to manage WSUS and save administrator time.
Approving Updates
Question: Would you choose automatic approval of updates in your organization when automatic approval is available? Explain your reason. Answer: Answers will vary. You may want to consider administrator time versus administrator control over updates.
9-18
9-19
9-20
Additional Reading
WSUS Administration
For more information on the following, see the links. Client Behavior with Update Deadlines Managing WSUS 3.0 from the Command Line
Approving Updates
For more information on the following, see the links. Managing Windows Server Update Services 3.0 Best Practices with Windows Server Update Services 3.0
9-21
9-22
9. Question: What categories of events does your company presently audit? If your company is not auditing, what event categories would you like to see audited in your organization? Answer: Students answers will vary based on their organization. 10. Question: How often do you think you should check the security log to ensure auditing is happening correctly? Answer: This depends on your organization and your auditing settings. 11. Question: What is the default auditing policy setting for domain controllers? What is the benefit of having this setting as the default setting for domain controllers? Answer: The default auditing policy setting for domain controllers is No Auditing. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting. The no auditing setting makes the domain controller more secure by default. 12. Question: Do you currently use WSUS services in your organization? If so, how would the improvements to WSUS 3.0 affect how you use WSUS? If not, how would implementing WSUS benefit your organization? Answer: Students answers will vary based on their organizations. 13. Question: Describe a scenario where an organization would have an isolated network. Answer: If you have a network segment that is not connected to the Internet. In this example, you create a WSUS server that is connected to the Internet but isolated from the intranet. After you download updates to this server, you can hand-carry media to disconnected servers running WSUS, by exporting and importing updates. 14. Question: You need to determine which types of updates to synchronize from Microsoft Update and when to synchronize them. In which phase of the WSUS process would this planning occur? Answer: Identify 15. Question: In your organization, would you use more than one WSUS server? If so, would you link your WSUS servers together using autonomous mode or replica mode? Answer: Students answers will vary depending on their organization and network restrictions. 16. Question: Does your organization meet the software requirements for WSUS? Answer: Students answers will vary based on their organizations. 17. Question: Would you install the WSUS administration console on the same server as the WSUS server in your organization? Answer: Students answers will vary based on their organizations. 18. Question: What is the risk in allowing users of desktop computers to delay restarts that updates require? Answer: Updates may never be applied if users continually delay restarts, and the computer may still be at risk. 19. Question: Which method of client configuration would you use in your environment? Answer: This answer will depend on whether the student has an Active Directory environment. If the student does have Active Directory, he/she will use Group Policy. If the student has a nonActive Directory environment, he/she will use the registry editor for client configuration. 20. Question: Would you enable the Delay Restart for scheduled installations policy in your organization? Why or why not? Answer: Students answers will vary based on their organizations. You might not want to enable
9-23
this policy to ensure that all computers get updated right away. You might enable this policy so users have a chance to save their files before the computer restarts. 21. Question: Explain why having an MMC console for WSUS makes administration easier. Answer: An MMC console is integrated with the operating system. The new user interface provides the following features: Home pages at each node containing an overview of the tasks associated with the node Advanced filtering New columns allowing you to sort updates according to MSRC number, MSRC severity, KB article, and installation status Column selection, sorting, and reordering Shortcut menus, allowing you to right-click and choose an action Reporting integrated with update views Custom views These features make it easier to manage WSUS and save administrator time. 22. Question: Describe a benefit of using computer groups in WSUS for deploying updates. Answer: WSUS allows you to target updates to groups of client computers, so you can ensure that specific computers always get the right updates at the most convenient times. For example, if all the computers in one department (such as the Accounting team) have a specific configuration, you can set up a group for that team, decide which updates their computers need and what time they should be installed, and then use WSUS reports to evaluate the updates for the team. 23. Question: Would you choose automatic approval of updates in your organization when automatic approval is available? Explain your reason. Answer: Students answers will vary. You may want to consider administrator time versus administrator control over updates. 24. Question: How do you install an update immediately? Answer: If you want to install an update immediately, you can specify a deadline at the current time or in the past. 25. Question: Do any other management tasks for Server Core differ from the standard full server implementation? Answer: Yes, many management tasks can be different for a Server Core installation. Tasks that are performed at the server are typically based on the command line, although remote management may also use Remote Desktop or Microsoft Management Console (MMC) tools. 26. Question: What kind of challenges that would affect security might a small to medium-sized business experience that a larger enterprise would not? Answer: Expertise in specific departments may be lacking, servers might host a multitude of roles, there may not be enough individuals available to implement and manage a more robust solution, and a lack of funds for hardware, and in some cases, physical security. 27. Question: If you decide to put an audit policy in place, how should you configure the securitylog properties in Event Viewer? Answer: You should ensure that there is adequate space for generated events, configure the log to not overwrite events, and specify an interval when administrators should save and clear the log for reference or legal reasons. 28. Question: What must an administrator do before any update is sent to clients and servers via WSUS?
9-24
Answer: Configure automatic approval of certain types of updates or manually specify that the update is approved for installation. 29. Question: What is the reason for setting a deadline for automatic installation to a past date? Answer: The update would be applied immediately at the next interval when the computer contacts the WSUS server.
9-25
10-1
Module 10
10-2
Lesson 1
10-3
10-4
Lesson 2
10-5
10-6
Question: In your work environment, what notification threshold provides enough advance warning to users that they are approaching a quota threshold? Answer: Answers may vary. In general, students should identify the relationship between storage usage habits and the notification threshold. You would typically use a smaller percentage with faster growth levels of storage utilization.
10-7
10-8
Additional Reading
FSRM Functions
For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.
10-9
Lesson 3
10-10
10-11
10-12
Additional Reading
What Is Quota Management?
For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.
10-13
Lesson 4
10-14
10-15
10-16
Additional Reading
What Is File Screening?
For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.
10-17
Lesson 5
10-18
10-19
Additional Reading
What Are Storage Reports?
For more information on Step-by-Step Guide for File Server Resource Manager in Windows Server 2008, see Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.doc.
10-20
Lesson 6
Contents:
Questions and Answers 21
10-21
What Is iSCSI?
Question: In your work environment, is iSCSI implemented? If so, how has it been implemented? Answer: Answers may vary. This question should provide students an opportunity to reflect on how
10-22
iSCSI has been implemented in their work environment, or if it has not been implemented how it could be implemented.
10-23
10-24
12. Question: Describe a scenario in which you would use each FSRM console component. Answer: Answers may vary. A possible answer might be: I would use the Quota Management component when trying to keep users in Engineering from storing an excessive number of large models on their file server. I would use File Screening Management when configuring things so that admin staff do not store personal data on the server. And I would use storage reports during weekly server maintenance to make sure storage usage is within bounds and I would also use these reports less frequently when planning storage capacity expansion. 13. Question: In your work environment, are there currently server storage policies in place? If so, how will you use the FSRM configuration options to enforce these policies? Answer: Answers may vary. This question should provide students an opportunity to make hypothetical planning decisions about which FSRM configuration options they are likely to use in their work environment. 14. Question: In your work environment, how do you plan to integrate email notifications for quota violations? Answer: Answers may vary. This question should provide students an opportunity to reflect on how they can implement email notifications in their work environment. 15. Question: In your work environment, what notification threshold provides enough advance warning to users that they are approaching a quota threshold? Answer: Answers may vary. In general, students should identify the relationship between storage usage habits and the notification threshold. You would typically use a smaller percentage with faster growth levels of storage utilization. 16. Question: In your work environment, which notification method do you plan to use? Answer: Answers may vary. This question should provide students an opportunity to reflect on which notification method is most appropriate for their work environment. 17. Question: Are there any instances when you would use NTFS disk quotas instead of FSRM quotas? Answer: Answers may vary, but in general if the more advanced features provided by FSRM quotas are not required, then NTFS disk quotas would be used. 18. Question: Based on your work environment specifics, what quota templates do you plan to create? Answer: Answers may vary. This question should provide students an opportunity to reflect on how quota templates can be applied in their work environment. 19. Question: In what scenario would you use the command line Dirquota tool? Answer: Answers may vary, but in general this utility would be more useful when scripting quota modifications. 20. Question: In your work environment, which quota usage monitoring method will be most helpful? Answer: Answers may vary. Good answers will demonstrate an understanding of how quota usage monitoring methods map to specific requirements in the stuents work environment. 21. Question: What quota notifications do you plan to implement in your work environment? Answer: Answers may vary. This question should provide students an opportunity to reflect on how they will implement quota notifications in their work environment. 22. Question: What quota templates do you plan to implement in your environment? Answer: Answers may vary. This question should provide students an opportunity to reflect on how they will implement quota templates in their work environment.
10-25
23. Question: In your work environment, are there any server usage policies that file screening could be used to enforce? Answer: Answers may vary. This question should provide students an opportunity to reflect on how they might implement file screening in their environment. 24. Question: In your work environment, list two or three file groups you plan to create. Answer: Answers may vary. An example answer might be: One file group for word processor and spreadsheet documents. A second file group for restricted content like MP3 files. And a third file group for desktop database software files. 25. Question: Describe two ways you plat to use file screen exceptions in your work environment. Answer: Answers may vary. An example of a possible answer would be: You might want to block video files from a file server, but you need to allow your training group to save the video files for their computer-based training. To allow files that other file screens are blocking, create a file screen exception. 26. Question: What file types do you plan to create file screen templates for in your work environment? Answer: Answers may vary. This question should provide students an opportunity to reflect on how they will implement file screen templates in their work environment. 27. Question: How do you plan to implement file screens in your work environment? Answer: Answers may vary. This question should provide students an opportunity to reflect on the practical aspects of how they might implement file screens in their work environment. 28. Question: How do you plan to implement file screen exceptions in your work environment? Answer: Answers may vary. This question should provide students an opportunity to reflect on the practical aspects of how they might implement file screen exceptions in their work environment. 29. Question: In your work environment, how do you currently obtain information about file usage on servers? Answer: Answers may vary. This question should provide students with an opportunity to reflect on their current storage reporting practices. 30. Question: In your work environment, how frequently will you schedule reports using report tasks? Answer: Answers may vary. In general, more frequently changing storage will need to be more closely monitored by having report tasks run more frequently. 31. Question: Under what circumstances do you plan to use on-demand reports? Answer: Answers may vary based on the specifics of students work environments. Possible answers include: When attempting to determine why disk space is running low, when attempting to diagnose storage problems, or when planning for future storage allocation. 32. Question: In what way or ways do you currently use SAN storage in your work environment? Answer: Answers may vary. This question should simply provide students an opportunity to reflect on how SAN storage is or is not used in their work environment. This question should also provide an opportunity to discuss potential applications for SAN storage in students work environment. 33. Question: How does SAN storage simplify backups? Answer: By consolidating storage, SAN storage reduces the number of discrete locations that must be backed up and the number of backup agents that must be deployed and maintained.
10-26
34. Question: Is Fibre Channel storage in use in your work environment? Answer: Answers may vary. This question should provide students an opportunity to reflect on whether and how SAN storage is used in their work environment. 35. Question: Does the SAN configuration depicted above provide fault-tolerance? Answer: No, it does not. If the two servers labeled Host were configured as a failover cluster there would be some fault-tolerance, but the failure of the FC switch or a controller in the disk array would product a complete outage for the SAN. 36. Question: What approach does your organization currently use to manage SAN storage that is connected to Windows Servers? Answer: Answers may vary. This question should provide students with an opportunity to reflect on their organizations current SAN management tools and how Storage Manager for SANs could be used as a tool for SAN management. 37. Question: Which components should be redundant to obtain high availability? Answer: Components that should be redundant include the HBAs, FC switches, and the controller on the disk array. 38. Question: How would you configure the connections between an HBA and a FC switch to ensure availability? Answer: The HBA should be connected to dual FC switches to provide high availability in the event that one switch breaks down. 39. Question: How would you ensure that the path between the switch and the disk array is highly available? Answer: Ensure that each switch is connected to multiple controllers on the disk array. 40. Question: In your work environment, is iSCSI implemented? If so, how has it been implemented? Answer: Answers may vary. This question should provide students an opportunity to reflect on how iSCSI has been implemented in their work environment, or if it has not been implemented how it could be implemented. 41. Question: Describe at least one scenario where you would implement the Microsoft iSCSI software initiator. Answer: Answers may vary based on the specifics of students work environments. A possible answer would be: I want to migrate my Exchange Server message store to a SAN to increase scalability so I plan to implement the Microsoft iSCSI software initiator to provide this access. 42. Question: In the scenario depicted above, can either of the client computers access the iSCSI storage? Answer: They can be configured with an iSCSI initiator and thereby access the iSCSI target. This configuration is less common. 43. Question: Have you faced any SAN troubleshooting scenarios in your work environment? If so, how did you approach them? Answer: Answers may vary. This question should provide students an opportunity to further reflect on the troubleshooting guidance in this topic. 44. Question: Have you faced any EFS troubleshooting scenarios in your work environment? If so, how did you approach them? Answer: Answers may vary. This question should provide students an opportunity to further reflect on the troubleshooting guidance in this topic.
10-27
45. Question: What is the difference between hard and soft quotas? Answer: A hard quota enforces the configured quota and does not allow the user to exceed it. A soft quota allows the user to exceed the quota and follows its configured notification routine. 46. Question: When a common set of file types need to be blocked, what should you create to block them in the most efficient manner? Answer: You should create file groups where you can specify a common set of files to be filtered when the group is selected in a File Screening policy. 47. Question: If you want to apply a quota to all subfolders in a folder, including folders that will be created in the future, what option must you configure in the quota policy? Answer: The auto quota option must be enabled. This will cause the quota to be applied to folders when they are created.
10-28
11-1
Module 11
11-2
Lesson 1
Contents:
Questions and Answers Detailed Demo Steps Additional Reading 3
5
6
11-3
DFS Scenarios
Question: In what ways can you use DFS technologies within your organization? Answer: Answers will vary based on your organization.
11-4
Answer: DFS is installed as a File Server role in Windows Server 2008. Question: Is it possible to install DFS Replication without installing DFS Namespaces? Answer: Yes.
11-5
11-6
Additional Reading
What Is the Distributed File System?
For more information on the following, see the links. Distributed File System Technology Center Overview of the Distributed File System Solution in Microsoft Windows Server 2003 R2 Microsoft Distributed File System - IT Value Card About Remote Differential Compression Optimizing File Replication over Limited-Bandwidth Networks using Remote Differential
Compression
DFS Scenarios
For more information on Overview of the Distributed File System Solution in Microsoft Windows Server 2003 R2, see Overview of the Distributed File System Solution in Microsoft Windows Server 2003 R2.
11-7
Lesson 2
11-8
11-9
11-10
4. In the Create Share dialog box, in the Local path of shared folder field, type C:\AccountingSpreadsheets. 5. Under Shared folder permissions, click Administrators have full access; other users have read-only permissions, and then click OK. 6. In the Warning box, click Yes to create the C:\AccountingSpreadsheets folder. 7. In the Replication dialog box, click No. 8. On NYC-DC2, in the DFS Management console pane, expand \\WoodgroveBank\ProjectDocs and click AccountingSpreadsheets. 9. In the details pane, right-click \\NYC-DC1\AccountingSpreadhseets and then click Disable Folder Target. 10. On NYC-DC2, in the DFS Management console pane, right-click \\Woodgrovebank\ProjectDocs and then click Properties. 11. Note the different options in the Properties window.
11-11
Additional Reading
Deploying Namespaces for Publishing Content
For more information on the following, see the links. Distributed File System Management Help Topic - "Deploying DFS Namespaces"
11-12
Lesson 3
11-13
11-14
11-15
11-16
Additional Reading
What Is DFS Replication?
For more information on the following, see the links. Introduction to DFS Replication Staging folders and Conflict and Deleted folders
11-17
11-18
based or stand-alone based namespaces, and whether there are multiple server available to host folder targets. 13. Question: Describe a scenario when you would want to disable a folder targets referral. Answer: If the server that hosts the folder target needs to be taken offline, you wouldnt want users directed to that server. 14. Question: Which types of paths can you use when creating a new folder target? Answer: Universal Naming Convention (UNC) path to a shared folder, a folder within a shared folder or a path to another namespace. 15. Question: What kind of permissions do you need to add folder targets? Answer: To perform this procedure, you must be a member of the Local Administrators group on each server that hosts the namespace, or you must have been delegated the ability to manage an existing namespace. 16. Question: List one advantage and one disadvantage to having deleted files stored in the Conflict and Deleted folders. Answer: One advantage is for data recovery in case of accidental deletion. One disadvantage is the storage space required for saving all the deleted files. 17. Question: How can creating multiple replicated folders in a single replication group simplify deployment? Answer: Creating multiple replicated folders in a single replication group simplifies the process of deploying replicated folders because the topology, schedule, and bandwidth throttling for the replication group are applied to each replicated folder. 18. Question: Does your organization meet the requirements for DFS-R? Answer: Students answers will vary based on their organization. 19. Question: DFS-R doesnt have restrictions on the size of files replicated; however, there is a consideration to ensure the files get replicated. What is this consideration? Answer: The staging folder is appropriately sized. 20. Question: What topology would you use in your organization? Answer: Students answers will vary depending on their organization. 21. Question: When is the best time to schedule replication? Answer: When users wont be changing files. 22. Question: What is a consideration when choosing a primary member? Answer: You should choose the member with the most up-to-date files as the primary member. 23. Question: How often would you run the diagnostic report wizard to create a health report in your organization? Answer: As often as necessary to ensure DFS-R is functioning correctly. This will vary based on students needs. Students will also want to run the health report whenever they are experiencing DFS-R problems, including slow replication and folders or files not replicating. 24. Question: List three places you can look for DFS-R troubleshooting information. Answer: Event log, Conflict and Deleted folder, and the Health Report. 25. Question: In your organization, would you include .bak files in your DFS replication? Answer: Answers will vary based on students organizations. 26. Question: What would be a disadvantage of replicating .bak files? Answer: Higher bandwidth usage.
11-19
27. Question: How can you use DFS in your File Services deployment? Answer: You can use DFS to provide DFS namespaces and file replication. DFS namespaces provide a virtual view of shared folders on different servers. DFS replication provides highavailability and fault-tolerance to files and folders. 28. Question: What kind of compression technology is used by Windows Server 2008 DFS? Answer: Windows Server 2008 uses Remote Differential Compression to help optimize data transfers over limited-bandwidth networks. 29. Question: What are three main scenarios used for DFS? Answer: Three main scenarios include sharing files across branch offices, data collection, and data publishing or distribution. 30. Question: What is the difference between a domain-based DFS namespace and a stand-alone DFS namespace? Answer: A domain-based DFS namespace is hosted on multiple servers, whereas a stand-alone DFS namespace is only hosted on a single server. Users will connect to a domain-based namespace using the domain name in the URL (example: \\Contoso.com\corpfiles), whereas a users will connect to a stand-alone namespace using the server name (\\SEA-SRV1\corpfiles) 31. Question: What is the default ordering method for client referral to folder targets? Answer: Targets in the clients site are always listed first in a referral. Targets outside of the clients site are listed according to the ordering method which is set to Lowest cost by default. 32. Question: What does the Primary Member configuration do when setting up replication? Answer: The Primary Member is used as the authoritative server during the initial replication. After initial replication is complete, the primary member designation is removed. 33. Question: Which folder is used to cache files and folders where conflicting changes are made on two or more members? Answer: The \DfsrPrivate\ConflictAndDeleted folder stores conflicting files and also can cache deleted files and folders.
11-20
12-1
Module 12
Contents:
Lesson 1: Overview of Network Access Protection Lesson 2: How NAP Works Lesson 3: Configuring NAP Lesson 4: Monitoring and Troubleshooting NAP Module Reviews and Takeaways Lab Review Questions and Answers 2
7
10
15
19
22
12-2
Lesson 1
Contents:
Questions and Answers Detailed Demo Steps Additional Reading 3
5
6
12-3
NAP Scenarios
Question: Have you ever had an issue with unsecure, unmanaged laptops causing harm to your network? Do you think NAP would have addressed this issue? Answer: Answers will vary.
12-4
12-5
12-6
Additional Reading
What Is Network Access Protection?
For more information on Introduction to Network Access Protection, see Introduction to Network Access Protection.
NAP Scenarios
For more information on Network Access Protection, see Network Access Protection.
12-7
Lesson 2
12-8
12-9
Additional Reading
NAP Enforcement Processes
For more information on Security and Policy Enforcement, see Security and Policy Enforcement.
12-10
Lesson 3
Configuring NAP
Contents:
Questions and Answers Detailed Demo Steps Additional Reading 11
12
14
12-11
12-12
12-13
7. Close Console 1.
12-14
Additional Reading
What Are System Health Validators?
For more information on the following, see the links. Network Access Protection Platform Architecture Introduction to Network Access Protection System Health Validators
12-15
Lesson 4
Contents:
Questions and Answers Detailed Demo Steps Additional Reading 16
17
18
12-16
12-17
12-18
Additional Reading
What Is NAP Tracing?
For more information on NAP tracing, see Help and Support Topic: NAP tracing.
12-19
12-20
10. Question: List at least one example of why you would customize a health policy. Answer: Answers may vary. Health policies determine which SHVs to use and the parameters for checking the SHVs. For example, a custom health policy could be used in conjunction with a third-party SHV for a virus protection program. 11. Question: For which computers in the secure network would you allow unsecure communication from computers in the restricted network to succeed? Answer: You can create IP filters to allow certain communications to remain unauthenticated. A Web server might be such a server. 12. Question: What must the network devices support to implement 802.1x NAP? Answer: Network devices must support 802.1x authentication, usually through RADIUS. 13. Question: How does the VPN NAP enforcement method respond to non-compliant computers that make connection attempts? Answer: You can place IP packet filters to restrict communications to specific intranet resources, usually remediation servers. 14. Question: Does the DHCP NAP enforcement type work on IPv6 networks? Answer: No. It is available only for IPv4 scopes. 15. Question: Does NAP work only with Microsoft-supplied System Health Validators? Answer: No. It is extensible, so you can use any vendors System Health Agents and System Health Validators if they follow the NAP API. 16. Question: Can you use only one SHV in a health policy? Answer: No. You can specify any that are available. 17. Question: What services might a remediation server offer to update antivirus signatures? Answer: It might offer a File Transfer Protocol (FTP) service, or something similar, so clients can download and install the latest signatures. 18. Question: What Windows groups have the rights to enable Security Center in Group Policy, enable NAP service on clients, and enable/disable NAP enforcement clients? Answer: The following groups have these rights: Enterprise Admins, Domain Admins, and Local Administrators. 19. Question: List at least one example of how NAP tracing can be used to determine an issue with client communication. Answer: Answers may vary, but one example could be to review detailed information on why a client computer has been deemed non-compliant or is otherwise quarantined to a restricted network. 20. Question: What is the netsh command for enabling NAP debug logging levels? Answer: The command is netsh nap client set tracing state=enable level=verbose. 21. Question: Of what group must you be a member to enable NAP tracing? Answer: You must be a member of Local Administrators. 22. Question: What are the three main client configurations that need to be configured for most NAP deployments? Answer: Some NAP deployments that use Windows Security Health Validator require that you enable Security Center. The Network Access Protection service is required when you deploy NAP to NAP-capable client computers. You also must configure the NAP enforcement clients on the NAP-capable computers.
12-21
23. Question: You want to evaluate the overall health and security of the NAP enforced network. What do you need to do to start recording NAP events? Answer: NAP trace logging is disabled by default and should be enabled if you want to troubleshoot NAP-related problems or evaluate the overall health and security of your organizations computers. You can use the NAP Client Management console or the netsh command-line tool to enable logging functionality.
12-22
13-1
Module 13
Configuring Availability of Network Content and Resources
Contents:
Lesson 1: Configuring Shadow Copies Lesson 2: Providing Server and Service Availability Module Reviews and Takeaways Lab Review Questions and Answers 2
7
13
15
13-2
Lesson 1
13-3
13-4
Question: If a user wanted to restore part of a previous document version, how would you advise them to proceed? Answer: Make a copy of the document before restoring to a previous version, and then manually combine the two document versions.
13-5
13-6
Additional Reading
What are Shadow Copies?
For more information on Windows Server 2008 versions, see Windows Server 2008 Help Topic: How do I use Previous Versions?
13-7
Lesson 2
Contents:
Question and Answers Detailed Demo Steps Additional Reading 8
10
12
13-8
Clustering Terminology
Question: Discuss your work environments approach to planned and unplanned downtime. Answer: Answers may vary.
13-9
Answer: Answers may vary. This question should provide students with an opportunity to reflect on what services they can use in conjunction with failover clustering to provide high availability.
13-10
NLB is a feature of Windows Server 2008, and as such, you must use the Server Manager tool to install it:
Click Start, point to Administrative Tools, point to Server Manager, click Add Features, and then select Windows Network Load Balancing from the available features list.
13-11
To add another host, click Cluster Add host and follow the similar GUI steps used to add the first host, and then click Next. Choose the primary cluster IP for the cluster. If you need to access a cluster with name and not VIP addresses, you can also provide a cluster name in the Full Internet Name box. This name must be registered manually with DNS/WINS. The default mode that we recommend for NLB operation is Unicast. If you are concerned about the switch flooding in this mode, you can choose Multicast or IGMP multicast mode. The next page allows you to configure port rules. These rules dictate the behavior of Network Load Balancing clusters and should be configured appropriately. Click Finish to complete the single host Network Load Balancing cluster configuration.
13-12
Additional Reading
Network Load Balancing Manager Overview
For more information how network load balancing works, see "How Network Load Balancing Technology Works" For more information on NLB, see the Windows Server 2008 Help Topic "Network Load Balancing."
Clustering Terminology
For more information on Failover clusters, see "Windows Server 2008 Technical Library" http://go.microsoft.com/fwlink/?LinkId=99823
13-13
13-14
12. Question: When should you configure multiple DIP for a cluster? Answer: Multiple IP addresses can allow for access from different subnets or compatibility with IPv4 and IPv6. 13. Question: Describe a scenario where you might deploy or have already deployed NLB in your work environment. What settings are in use in this scenario? Answer: Answes may vary. This question should provide students with an opportunity to think about what settings they would choose for a scenario that is relevant in their work environment. 14. Question: Discuss your work environments approach to planned and unplanned downtime. Answer: Answers may vary. 15. Question: Have you employed previous versions of clustering technology? Answer: Answers may vary. 16. Question: If you presently have a server cluster in a previous server version, can you do a rolling upgrade to Windows Server 2008 Failover Clustering? Answer: No. 17. Question: Describe one scenario in your work environment where you currently use or plan to implement failover clustering. Answer: Answers may vary. This question should provide students with an opportunity to reflect on what services they can use in conjunction with failover clustering to provide high availability. 18. Question: What is the danger of choosing to restore a folder in Shadow Copies? Answer: The current version is deleted. 19. Question: How is failover clusters different from Network Load Balancing? Answer: The NLB cluster data must be stateless, yet because of shared storage in a failover cluster, stateless data may be involved.
13-15
14-1
Module 14
14-2
Lesson 1
14-3
Monitoring Methods
Question: Which tools do you currently plan to use to monitor Windows Server 2008? Consider longterm planning goals and specific troubleshooting instances. Answer: Students answers will vary based on their organization.
14-4
Additional Reading
Planning for Event Monitoring
For more information see the following: For more information about Operations Manager, see the Microsoft System Center Operations Manager. For more information about the Dynamic Systems Initiative, see Dynamic Systems Initiative Overview White Paper.
14-5
Lesson 2
14-6
14-7
Additional Reading
Key Hardware Components to Monitor
For more information on performance issues related to key hardware components, see Solving Performance Problems.
14-8
Lesson 3
14-9
14-10
Additional Reading
Identifying Server Role Performance Metrics
For more information on server role performance metrics, see Performance Tuning Guidelines for Windows Server 2008.
14-11
Lesson 4
Contents:
Question and Answers Detailed Demo Steps Additional Reading 12
13
14
14-12
Reliability Monitor
Question: How can you use the Reliability Monitor in your organization? Answer: Answers will vary. For example, students can use the Reliability Monitor to track application updates and the affect on the system stability.
14-13
4. Click the green Plus sign on the toolbar to add objects and counters. 5. In the Add Counters dialog box, expand the Directory Services object, select the DRA Inbound Bytes Total/sec counter, and then click Add. 6. Repeat the previous step to add the following counters: DRA Outbound Bytes Total/sec DS Threads In Use DS Directory Reads/sec DS Directory Writes/sec
7. Expand Security System-Wide Statistics, and add the Kerberos Authentications counter. 8. Expand DNS, add the UDP Query Received counter, and then click OK. 9. In the folder pane, right-click Performance Monitor, click New, and then click Data Collector Set. 10. In the Create New Data Collector Set dialog box, type Active Directory in the Name field, and then click Next. 11. Leave the Root directory as the default path, click Next, and then click Finish. 12. Expand Data Collector Sets, expand User Defined, right-click the Active Directory data collector set, and then click Start. 13. Expand Reports, expand User Defined, expand Active Directory, and then click System Monitor Log.blg. The Report Status shows that the log is collecting data. 14. In the Data Collector Sets section, right-click the Active Directory data collector set, and then click Stop. 15. Click the System Monitor Log.blg. The log chart is displayed in the details pane. 16. Open Reliability Monitor. Expand any one of the reports and examine it. 17. Open Reports, and then examine each of the system reports that are available.
14-14
Additional Reading
Windows Server 2008 Monitoring Tools
For more information on Windows Server 2008 monitoring tools, see the following: Monitoring Windows Server 2008 with Operations Manager. Monitoring Events. How to use and troubleshoot issues with Windows Task Manager.
Reliability Monitor
For more information on Windows Reliability and Performance Monitor, see Windows Reliability and Performance Monitor.
14-15
Lesson 5
14-16
14-17
Lesson 6
14-18
14-19
Lesson 7
14-20
14-21
Additional Reading
Task Automation Tools
For more information on Windows PowerShell, see Getting Started with Windows PowerShell.
14-22
14-23
13. Question: If the pool nonpages bytes has a slow rise, what might be happening? Answer: A slow rise might indicate a memory leak - the failure to properly deallocate memory that was previously allocated. 14. Question: Why do you want the % Disk time to be as low as possible? Answer: The higher the % disk time the busier the server is and the more resources that are being used. If this value is high, you will want to evaluate your organization requirements and whether to add additional resources to free up disk time on the server. 15. Question: If the output queue length is 5, what problems might you have in your network? Answer: You might have delays which can slow down productivity. 16. Question: Which tools do you currently use to monitor servers? How can you make use of improved monitoring tools in Windows Server 2008? Answer: Answers will vary based on students organization. 17. Question: What is a benefit to Data Collector Sets? Answer: Once a group of data collectors are stored as a Data Collector Set, operations such as scheduling can be applied to the entire set through a single property change. This makes monitoring tasks quicker for an administrator. 18. Question: How can you use the Reliability Monitor in your organization? Answer: Answers will vary. For example, students can use the Reliability Monitor to track application updates and the affect on the system stability. 19. Question: Where can you find real-time information about network activity? Answer: The Resource Overview page has a Network section that supplies real-time data on network activity. 20. Question: Which Reliability Monitor reports will you implement in your work environment? Answer: Answers may vary. This question should provide students with an opportunity to discuss how they plan to implement Reliability Monitor reports. 21. Question: Which third-party monitoring tools do you currently use, if any? How can these help you monitor server performance in the future? Answer: Answers will vary. 22. Question: Where would subscriptions be most useful on in your organization? Answer: Answers will vary 23. Question: What are your businesses response times and how does your business makes staff available to provide support? Answer: Answers will vary. 24. Question: How do you notify staff of service failure or maintenance problems? In what ways can you improve this process? Answer: Answers will vary based on students organizations. 25. Question: What improvements can you make to the escalation paths for issues within your business? Answer: Answers will vary based on students organizations. 26. Question: List the monitoring tasks you perform at work most often. Answer: Answers will vary. You should perform several everyday management tasks to ensure that your Windows Server 2008 environment is running correctly. You should perform some of these
14-24
tasks, such as health and diagnostics monitoring, at regular intervals, but you can perform other tasks, such as troubleshooting, only when they are required. 27. Question: Which event logs do you regularly review on your servers at work? Answer: Answers will vary. You should review all logs that will affect server availability. 28. Question: How often do you review server event logs? Answer: Answers will vary. 29. Question: Do any of your servers have requirements that make scheduling management tasks more difficult (such as 24x7 operations)? Answer: Answers will vary. 30. Question: Do you have any skills in scripting or in Windows PowerShell in your organization? Answer: Answers will vary. 31. Question: Do you currently use automation tools at work? Answer: Answers will vary. 32. Question: In what ways can using automation tools benefit your organization? Answer: Examples include saving time and saving money. 33. Question: If you currently use some of these tools, why was the tool(s) chosen? Answer: Answers will vary, but should get students thinking about the benefits and disadvantages of the available tools and which tools would work best for their organization. 34. Question: What are the benefits of monitoring server performance? Answer: Capacity planning, identifying and removing performance bottlenecks, improving server troubleshooting. 35. Question: What are some of the tasks that you should undertake when you create a performance baseline for a server? Answer: Use Reliability and Performance Monitor to create a data collector set, use Reliability and Performance Monitor to identify when server capacity is high and low, and ensure that the server is working under normal operating conditions. 36. Question: What are the advantages of using a range of monitoring tools? Answer: It is possible to collect data in real time, you can use historical data analysis to identify performance trends, various Windows events can be consolidated by using tools such as Operations Manager. 37. Question: What are the advantages of measuring specific performance counters? Answer: Troubleshooting specific server issues, identifying malfunctioning hardware, identifying software application issues. 38. Question: What are the advantages of using alerts to identify performance issues? Answer: Administrators can react quickly to problems, Reliability and Performance Monitor can make use of WMI to alert administrators, Reliability and Performance Monitor can start a data collector set on an alert.
14-25
15-1
Module 15
15-2
Lesson 1
15-3
15-4
Additional Reading
Selecting Backup Software and Backup Operators
For more information on the following, see the links. Windows Server Backup
15-5
Lesson 2
Contents:
Question and Answers Additional Reading 6
7
15-6
15-7
Additional Reading
Factors That Affect Backup Policy
For more information on the following, see the links. Backup using GPMC
15-8
Lesson 3
15-9
Restore Logs
Question: How do you verify that all files are successfully restored after a restore takes place? Answer: Answer may vary.
Restore Options
Question: What is the process in your organization for checking access to restored data? Answer: Answers may vary.
15-10
Security Analysis
Question: Who can restore files in your organization? Answer: Answers may vary. Question: Must you review membership of the Administrators and Backup Operators groups? Answer: Answer may vary.
15-11
Additional Reading
Considerations for a Server Restore
For more information on the following, see the links. Backup and Restore Best Practices
Restore Logs
For more information about Wbadmin.exe, see Wbadmin on the Microsoft TechNet Web site.
Restore Options
For more information on the following, see the links. Best Practices Backup and Restore
Security Analysis
For more information on the following, see the links. References: Security Considerations for Backup and Restore
15-12
Lesson 4
15-13
15-14
Additional Reading
Considerations When Restoring EFS Data
For more information about EFS, see "Data Encryption Toolkit for Mobile PCs" on the Microsoft TechNet Web site. For more information about planning for EFS, see Plan Data Encryption in "Planning" in the Server Deployment section of the Microsoft TechNet Web site.
15-15
Lesson 5
15-16
15-17
Answer: Answers will vary, but can include simply making sure that the computer is receiving power, checking that all cables are correctly plugged in, and opening the case to ensure that CPU, memory, and other devices are properly and firmly seated.
15-18
Additional Reading
Being Prepared for Startup Failures
Windows Server 2008 Help: Recover the Operating System
15-19
15-20
17. Question: What considerations does your company employ when applying change management? Answer: Answers may vary. 18. Question: How do you verify that all files are successfully restored after a restore takes place? Answer: Answers may vary. 19. Question: Will you restore to a different location or replace existing files? Answer: Answers may vary. 20. Question: What steps should you take to ensure that only the correct people have access to the files after they have been restored? Answer: Answers may vary. 21. Question: Who can restore files in their organization, and who should be able to restore files? Answer: Answers may vary. 22. Question: When did you last update your backup and restore policies? Answer: Answers may vary. 23. Question: List at least one example of how your company can recover EFS data. Answer: Answers may vary. 24. Question: Who in your organization determines whether the requirements for EFS recovery have been met? Answer: Answers may vary. 25. Question: Who in your organization is in charge of creating and configuring certification authority? Answer: Answers may vary. 26. Question: List at least one example of how your organization can use the Recovery Agent to access EFS files during a disaster recovery scenario. Answer: Answers may vary. 27. Question: Who in your organization has the proper DRA privileges to open EFS encrypted files? Answer: Answers may vary. 28. Question: Can you think of situations where you had to troubleshoot a Windows startup problem, and if so how did you resolve it? Answer: Answers may vary. 29. Question: During startup, in which of these phases is system memory checked? Answer: In the POST phase, initial hardware checks are performed, such as determining the amount of memory present. 30. Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start before the Windows logo appears? Answer: In general, if Windows fails to start and the product logo does not appear, problems can typically be caused by corruption in boot files or in the system volume. While these problems can often be repaired without taking drastic measures, such as reinstalling the operating system, it could also indicate a hardware problem such as a failing hard disk. 31. Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start after the Windows logo appears? Answer: While the range of problems that can cause Windows to fail after the logo appears may be large, they are often related to driver or Windows service issues.
15-21
32. Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start after logon? Answer: Often the case of startup problems occurring after logon is a result of a problematic application that is configured to start automatically. Repairing, temporarily disabling, or removing the application may be required. And, as with any problem that impacts Windows availability, scanning the system for viruses may be necessary. 33. Question: If you suspected a hardware related problem, what would be the first things you would check? Answer: Answers will vary, but can include simply making sure that the computer is receiving power, checking that all cables are correctly plugged in, and opening the case to ensure that CPU, memory, and other devices are properly and firmly seated. 34. Question: How do you know whether your backups are successful? Answer: Your backup tool should be able to log and report unsuccessful backups, but you should also perform a trial restore to test backups regularly. 35. Question: What provisions should you make for backup storage? Answer: You should consider physically secure storage, media capacity, how long you will keep the backup, and if the media is susceptible to environmental factors such as heat or high magnetic fields. 36. Question: What should you consider for your server restore policy? Answer: 1. Regular updates 2. Frequent testing 3. The impact of restoring data 37. Question: What considerations should you take into account for the recovery of encrypted data? Answer: 1. Locating original and changed encryption keys 2. Use of recovery agents 3. Restoring the correct data and matching keys 38. Question: What steps should you take to verify restored data? Answer: 1. Review log files 2. Check security and access to files after restore 3. Check the data integrity and version of restored files
15-22
R-1
Resources
Contents:
Microsoft Learning Technet and MSDN Content Communities 2 3 22
R-2
Microsoft Learning
This section describes various Microsoft Learning programs and offerings. Microsoft Skills Assessments Describes the skills assessment options available through Microsoft. Microsoft Learning Describes the training options available through Microsoft face-to-face or self-paced. Microsoft Certification Program Details how to become a Microsoft Certified Professional, Microsoft Certified Database Administrators, and more. Microsoft Learning Support o o To provide comments or feedback about the course, send e-mail to support@mscourseware.com. To ask about the Microsoft Certification Program (MCP), send e-mail to mcphelp@microsoft.com
R-3
Module 1
For more information see, "Object names: Active Directory", http://go.microsoft.com/fwlink/?LinkID=139916 For more information see, "Microsoft Operations Framework 4.0", http://go.microsoft.com/fwlink/?LinkID=139924 For more information see, "User and Group Accounts", http://go.microsoft.com/fwlink/?LinkID=139921 For more information see, "TechNet Library", http://go.microsoft.com/fwlink/?LinkID=139920 For more information see, "Dsmod", http://go.microsoft.com/fwlink/?LinkID=139914 For more information see, "Microsoft Windows 2000 Scripting Guide, Copying User Accounts", http://go.microsoft.com/fwlink/?LinkID=139923 For more information see, "Windows Server 2003 Product Help, Manage Computers", http://go.microsoft.com/fwlink/?LinkID=139918 For more information see, "Windows Server 2003 Deployment, Join a computer to a domain", http://go.microsoft.com/fwlink/?LinkID=139917 For more information see, "Deploying Group Policy Using Windows Vista", http://go.microsoft.com/fwlink/?LinkID=139922 For more information see, "LDIFDE", http://go.microsoft.com/fwlink/?LinkId=99439 For more information see, "CSVDE", http://go.microsoft.com/fwlink/?LinkId=99440 For more information see, "Windows PowerShell 1.0 Documentation Pack", http://go.microsoft.com/fwlink/?LinkId=99441 For more information see, "Windows PowerShell Blog", http://go.microsoft.com/fwlink/?LinkId=99442 For more information see, "Scripting with Windows PowerShell", http://go.microsoft.com/fwlink/?LinkId=99443 For more information see, "Manage Organizational Units", http://go.microsoft.com/fwlink/?LinkID=139915 For more information see, "Dsquery", http://go.microsoft.com/fwlink/?LinkID=139919 For more information see, "Understanding Group Accounts", http://go.microsoft.com/fwlink/?LinkID=139928
Module 2
For more information see, "Understanding AD DS Functional Levels", http://go.microsoft.com/fwlink/?LinkID=139933 For more information see, "Functional Levels Background Information", http://go.microsoft.com/fwlink/?LinkID=139929
R-4
For more information see, "Group scope", http://go.microsoft.com/fwlink/?LinkID=139939 For more information see, "Understanding Local Users and Groups", http://go.microsoft.com/fwlink/?LinkID=139936 For more information see, "Nesting groups", http://go.microsoft.com/fwlink/?LinkID=139938 For more information see, "Defining a Security Group Naming Policy", http://go.microsoft.com/fwlink/?LinkID=139935 For more information see, "Microsoft Operations Framework 4.0", http://go.microsoft.com/fwlink/?LinkID=139943 For more information see, "Dsadd group", http://go.microsoft.com/fwlink/?LinkID=139931 For more information see, "Reviewing Organizational Unit Design Concepts", http://go.microsoft.com/fwlink/?LinkID=139940 For more information see, "Organizational units", http://go.microsoft.com/fwlink/?LinkID=139941 For more information see, "Design Considerations for Organizational Unit Structure and Use of Group Policy Objects", http://go.microsoft.com/fwlink/?LinkID=139937 For more information see, "Dsadd ou", http://go.microsoft.com/fwlink/?LinkID=139934 For more information see, "Reviewing OU Design Concepts", http://go.microsoft.com/fwlink/?LinkID=139925 For more information see, "Delegating Administration by Using OU Objects", http://go.microsoft.com/fwlink/?LinkID=139926 For more information see, "Using Security Filtering to Apply GPOs to Selected Groups", http://go.microsoft.com/fwlink/?LinkID=139927 For more information see, "Object names: Active Directory", http://go.microsoft.com/fwlink/?LinkId=104472 For more information see, "User and Group Accounts", http://go.microsoft.com/fwlink/?LinkId=104473 For more information see, "Dsadd", http://go.microsoft.com/fwlink/?LinkId=104474 For more information see, "Dsmod", http://go.microsoft.com/fwlink/?LinkID=139914 For more information see, "Rename a user account", http://go.microsoft.com/fwlink/?LinkId=104475 For more information see, "Copying User Accounts", http://go.microsoft.com/fwlink/?LinkId=104476 For more information see, "Manage Computers", http://go.microsoft.com/fwlink/?LinkId=104477 For more information see, "Join a computer to a domain", http://go.microsoft.com/fwlink/?LinkId=104479 For more information see, "Deploying Group Policy Using Windows Vista", http://go.microsoft.com/fwlink/?LinkId=104481 For more information see, "LDIFDE", http://go.microsoft.com/fwlink/?LinkId=99439 For more information see, "CSVDE", http://go.microsoft.com/fwlink/?LinkId=99440
R-5
For more information see, "Windows PowerShell 1.0 Documentation Pack", http://go.microsoft.com/fwlink/?LinkId=99441 For more information see, "Understanding Group Accounts", http://go.microsoft.com/fwlink/?LinkID=139928
Module 3
For more information see, "Understanding AD DS Functional Levels", http://go.microsoft.com/fwlink/?LinkID=139933 For more information see, "Functional Levels Background Information", http://go.microsoft.com/fwlink/?LinkID=139929 For more information see, "Identifying Your Windows Server 2008 Functional Level Upgrade", http://go.microsoft.com/fwlink/?LinkID=139932 For more information see, "Group scope", http://go.microsoft.com/fwlink/?LinkId=104483 For more information see, "Understanding Local Users and Groups", http://go.microsoft.com/fwlink/?LinkId=104486 For more information see, "Reviewing Organizational Unit Design Concepts", http://go.microsoft.com/fwlink/?LinkId=104487 For more information see, "Windows Server 2008 Glossary", http://go.microsoft.com/fwlink/?LinkId=104488 For more information see, "Organizational units", http://go.microsoft.com/fwlink/?LinkId=104453 For more information see, "Design Considerations for Organizational Unit Structure and Use of Group Policy Objects", http://go.microsoft.com/fwlink/?LinkId=104489 For more information see, "Using Security Filtering to Apply GPOs to Selected Groups", http://go.microsoft.com/fwlink/?LinkID=139927 For more information see, "Reviewing OU Design Concepts", http://go.microsoft.com/fwlink/?LinkID=139925 For more information see, "Groups", http://go.microsoft.com/fwlink/?LinkID=139930 For more information see, "Group scope", http://go.microsoft.com/fwlink/?LinkID=139939 For more information see, "Understanding Local Users and Groups", http://go.microsoft.com/fwlink/?LinkID=139936 For more information see, "Nesting groups", http://go.microsoft.com/fwlink/?LinkID=139938 For more information see, "Defining a Security Group Naming Policy", http://go.microsoft.com/fwlink/?LinkID=139935 For more information see, "Dsadd group", http://go.microsoft.com/fwlink/?LinkID=139931 For more information see, "Reviewing Organizational Unit Design Concepts", http://go.microsoft.com/fwlink/?LinkID=139940 For more information see, "Organizational units", http://go.microsoft.com/fwlink/?LinkID=139941 For more information see, "Design Considerations for Organizational Unit Structure and Use of Group Policy Objects", http://go.microsoft.com/fwlink/?LinkID=139937 For more information see, "Dsadd ou", http://go.microsoft.com/fwlink/?LinkID=139934
R-6
For more information see, "Delegating Administration by Using OU Objects", http://go.microsoft.com/fwlink/?LinkID=139926 For more information see, "How to restore deleted user accounts and their group memberships in Active Directory", http://go.microsoft.com/fwlink/?LinkID=139945
Module 4
For more information see, "Access Tokens Technical Reference", http://go.microsoft.com/fwlink/?LinkID=139951 For more information see, "Permissions for files and folders", http://go.microsoft.com/fwlink/?LinkID=139952 For more information see, "Best practices for Shared Folders", http://go.microsoft.com/fwlink/?LinkID=139950 For more information see, "Glossary of Registry Terms", http://go.microsoft.com/fwlink/?LinkID=139946 For more information see, "Publishing a Shared Folder in Windows 2000 Active Directory", http://go.microsoft.com/fwlink/?LinkID=139944 For more information see, "Windows Server Hacks: Creating a Shortcut for Searching Active Directory", http://go.microsoft.com/fwlink/?LinkID=139953 For more information see, "Changes to Offline Files in Windows Vista", http://go.microsoft.com/fwlink/?LinkID=139948 For more information see, "Effective Permissions tool", http://go.microsoft.com/fwlink/?LinkID=139949 For more information see, "Access Tokens Technical Reference", http://go.microsoft.com/fwlink/?LinkId=104492 For more information see, "Permissions for files and folders", http://go.microsoft.com/fwlink/?LinkId=104499 For more information see, "Best practices for Shared Folders", http://go.microsoft.com/fwlink/?LinkId=104496 For more information see, "Access control in Active Directory", http://go.microsoft.com/fwlink/?LinkId=101070
Module 5
For more information see, "Assign, change, or remove permissions on Active Directory objects or attributes", http://go.microsoft.com/fwlink/?LinkId=101071 For more information see, "Effective Permissions tool", http://go.microsoft.com/fwlink/?LinkId=101072 For more information see, "How Domains and Forests Work", http://go.microsoft.com/fwlink/?LinkId=101073 For more information see, "Active Directory naming", http://go.microsoft.com/fwlink/?LinkId=101074 For more information see, "Enable selective authentication over a forest trust", http://go.microsoft.com/fwlink/?LinkId=101075
R-7
For more information see, "Grant the Allowed to Authenticate permission on computers in the trusting domain or forest", http://go.microsoft.com/fwlink/?LinkId=101076 For more information see, "Understanding When to Create a Shortcut Trust", http://go.microsoft.com/fwlink/?LinkID=107061 For more information see, "Nltest Overview", http://go.microsoft.com/fwlink/?LinkID=93567 For more information see, "Windows Server Group Policy", http://go.microsoft.com/fwlink/?LinkId=99449 For more information see, "Summary of New or Expanded Group Policy Settings", http://go.microsoft.com/fwlink/?LinkId=99450 For more information see, "What"s New in Group Policy in Windows Vista", http://go.microsoft.com/fwlink/?LinkId=99451 For more information see, "Group Policy Processing", http://go.microsoft.com/fwlink/?LinkId=112457 For more information see, "Group Policy application rules for domain controllers", http://go.microsoft.com/fwlink/?LinkId=112458 For more information see, "How a slow link is detected for processing user profiles and Group Policy", http://go.microsoft.com/fwlink/?LinkId=112459 For more information see, "Group Policy is not applied due to cached credentials", http://go.microsoft.com/fwlink/?LinkId=112460 For more information see, "Controlling Client-Side Extensions by Using Group Policy", http://go.microsoft.com/fwlink/?LinkId=99452
Module 7
For more information see, "How Core Group Policy Works", http://go.microsoft.com/fwlink/?LinkId=99468 For more information see, "Managing Group Policy ADMX Files Step-by-Step Guide", http://go.microsoft.com/fwlink/?LinkId=112461 For more information see, "How to create a Central Store for Group Policy Administrative Templates in Window Vista", http://go.microsoft.com/fwlink/?LinkId=99455 For more information see, "TechNet Virtual Lab: Managing Windows Server 2008 Beta 3 and Windows Vista using Group Policy", http://go.microsoft.com/fwlink/?LinkId=112462 For more information see, "Group Policy processing and precedence", http://go.microsoft.com/fwlink/?LinkId=99456 For more information see, "Multiple Local Group Policy objects", http://go.microsoft.com/fwlink/?LinkId=112463 For more information see, "Step-by-Step Guide to Managing Multiple Local Group Policy Objects", http://go.microsoft.com/fwlink/?LinkId=99457 For more information see, "Controlling the Scope of Group Policy Objects using GPMC", http://go.microsoft.com/fwlink/?LinkId=99458 For more information see, "Loopback processing with merge or replace", http://go.microsoft.com/fwlink/?LinkId=99459
R-8
For more information see, "Create or delete a Group Policy object", http://go.microsoft.com/fwlink/?LinkId=112464 For more information see, "Link a Group Policy object using GPMC", http://go.microsoft.com/fwlink/?LinkId=112465 For more information see, "Disable a Group Policy object link using GPMC", http://go.microsoft.com/fwlink/?LinkId=112466 For more information see, "Fixing Core Group Policy problems", http://go.microsoft.com/fwlink/?LinkId=101110 For more information see, "Filter using security groups", http://go.microsoft.com/fwlink/?LinkId=112467 For more information see, "Using Security Filtering to Apply GPOs to Selected Groups", http://go.microsoft.com/fwlink/?LinkId=112468 For more information see, "Security filtering using GPMC", http://go.microsoft.com/fwlink/?LinkId=112469 For more information see, "Loopback processing of Group Policy", http://go.microsoft.com/fwlink/?LinkId=99460 For more information see, "Group Policy Results (Administering Group Policy with Group Policy Management Console)", http://go.microsoft.com/fwlink/?LinkId=99462 For more information see, "Determine Resultant Set of Policy with GPResult.exe", http://go.microsoft.com/fwlink/?LinkId=113117 For more information see, "Using Group Policy Modeling and Group Policy Results to Evaluate Group Policy Settings", http://go.microsoft.com/fwlink/?LinkId=99463 For more information see, "Backing up, Restoring, Migrating, and Copying GPOs", http://go.microsoft.com/fwlink/?LinkId=99464 For more information see, "Import using GPMC", http://go.microsoft.com/fwlink/?LinkId=99465 For more information see, "Import a Group Policy object using GPMC", http://go.microsoft.com/fwlink/?LinkId=113123 For more information see, "Starter Group Policy Objects (GPOs)", http://go.microsoft.com/fwlink/?LinkID=139954 For more information see, "Copy a Group Policy object using GPMC", http://go.microsoft.com/fwlink/?LinkId=113118 For more information see, "Copy using GPMC", http://go.microsoft.com/fwlink/?LinkId=113119 For more information see, "Back up a Group Policy object using GPMC", http://go.microsoft.com/fwlink/?LinkId=113120 For more information see, "Restore using GPMC", http://go.microsoft.com/fwlink/?LinkId=113121 For more information see, "Restore a backed-up Group Policy object using GPMC", http://go.microsoft.com/fwlink/?LinkId=113122 For more information see, "ADMX Migrator", http://go.microsoft.com/fwlink/?LinkId=99466 For more information see, "ADMX Migrator download", http://go.microsoft.com/fwlink/?LinkId=113124
R-9
For more information see, "Delegating Group Policy", http://go.microsoft.com/fwlink/?LinkId=99467 For more information see, "Delegation and policy-related permissions", http://go.microsoft.com/fwlink/?LinkId=113125 For more information see, "How Core Group Policy Works", http://go.microsoft.com/fwlink/?LinkId=99468 For more information see, "Group Policy Planning and Deployment Guide", http://go.microsoft.com/fwlink/?LinkID=134056 For more information see, "The Two Sides of Group Policy Script Extension Processing", http://go.microsoft.com/fwlink/?LinkId=99469 For more information see, "The Two Sides of Group Policy Script Extension Processing", http://go.microsoft.com/fwlink/?LinkId=99470 For more information see, "Overview of Logon, Logoff, Startup, and Shutdown Scripts in Windows 2000", http://go.microsoft.com/fwlink/?LinkId=99471 For more information see, "How to assign scripts in Windows 2000", http://go.microsoft.com/fwlink/?LinkId=113127 For more information see, "What Is Folder Redirection Extension?", http://go.microsoft.com/fwlink/?LinkId=99472 For more information see, "IE7 in Vista: Folder Redirection for Favorites on the Same Machine", http://go.microsoft.com/fwlink/?LinkId=99473 For more information see, "Recommendations for Folder Redirection", http://go.microsoft.com/fwlink/?LinkId=99475 For more information see, "Folder Redirection feature in Windows", http://go.microsoft.com/fwlink/?LinkId=99476 For more information see, "Security Considerations when Configuring Folder Redirection", http://go.microsoft.com/fwlink/?LinkId=99477 For more information see, "Windows Server 2003", http://go.microsoft.com/fwlink/?LinkId=99478 For more information see, "Administrative Templates Extension Technical Reference", http://go.microsoft.com/fwlink/?LinkId=99479 For more information see, "How To Use the Group Policy Editor to Manage Local Computer Policy in Windows X", http://go.microsoft.com/fwlink/?LinkId=113126 For more information see, "Creating a Custom Base ADMX File", http://go.microsoft.com/fwlink/?LinkId=99480 For more information see, "Group Policy Sample ADMX Files", http://go.microsoft.com/fwlink/?LinkId=99481 For more information see, "2007 Office system Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool version 2.0", http://go.microsoft.com/fwlink/?LinkId=113758 For more information see, "Design Considerations for Creating Policy Settings", http://go.microsoft.com/fwlink/?LinkID=139957
R-10
For more information see, "How to use Group Policy to install software remotely in Windows 2000", http://go.microsoft.com/fwlink/?LinkId=99482 For more information see, "Use Group Policy Software Installation to deploy the 2007 Office system", http://go.microsoft.com/fwlink/?LinkId=99483 For more information see, "Group Policy Software Installation overview", http://go.microsoft.com/fwlink/?LinkId=113760 For more information see, "Specify categories for applications to be managed", http://go.microsoft.com/fwlink/?LinkId=99485 For more information see, "Add or remove modifications for an application package", http://go.microsoft.com/fwlink/?LinkId=99487 For more information see, "Best practices for Group Policy Software Installation", http://go.microsoft.com/fwlink/?LinkId=99488 For more information see, "Set Group Policy Software Installation defaults", http://go.microsoft.com/fwlink/?LinkId=99489 For more information see, "Best practices for Group Policy Software Installation", http://go.microsoft.com/fwlink/?LinkId=99486 For more information see, "Information about new Group Policy preferences in Windows Server 2008", http://go.microsoft.com/fwlink/?LinkID=139955 For more information see, "Group Policy Preferences: Getting Started", http://go.microsoft.com/fwlink/?LinkID=139956 For more information see, "Group Policy Preferences Frequently Asked Questions (FAQ)", http://go.microsoft.com/fwlink/?LinkID=139958 For more information see, "Group Policy Troubleshooting", http://go.microsoft.com/fwlink/?LinkId=101100 For more information see, "Troubleshooting Your Systems with Network Diagnostics", http://go.microsoft.com/fwlink/?LinkId=101101 For more information see, "Using NSlookup.exe", http://go.microsoft.com/fwlink/?LinkId=101102 For more information see, "Unable to access domain controller", http://go.microsoft.com/fwlink/?LinkId=101103 For more information see, "Kerbtray.exe: Kerberos Tray", http://go.microsoft.com/fwlink/?LinkId=101104 For more information see, "Group Policy Modeling and Results", http://go.microsoft.com/fwlink/?LinkId=101105 For more information see, "How to manually create Default Domain GPO", http://go.microsoft.com/fwlink/?LinkId=101106 For more information see, "Refresh Group Policy settings with GPUpdate.exe", http://go.microsoft.com/fwlink/?LinkId=101108 For more information see, "Fixing Group Policy problems by using log files", http://go.microsoft.com/fwlink/?LinkId=101109
R-11
For more information see, "Identifying Group Policy Client-Side Extensions", http://go.microsoft.com/fwlink/?LinkId=101115 For more information see, "Computer Policy for Client-side Extensions", http://go.microsoft.com/fwlink/?LinkId=101116 For more information see, "Group Policy and Network Bandwidth", http://go.microsoft.com/fwlink/?LinkId=101117 For more information see, "Fixing Core Group Policy problems", http://go.microsoft.com/fwlink/?LinkId=101110 For more information see, "Fixing Administrative Template policy setting problems", http://go.microsoft.com/fwlink/?LinkId=101118 For more information see, "Troubleshooting Group Policy application problems", http://go.microsoft.com/fwlink/?LinkId=101119
Module 8
For more information see, "Windows Server Group Policy", http://go.microsoft.com/fwlink/?LinkId=113761 For more information see, "Group Policy Security Settings", http://go.microsoft.com/fwlink/?LinkId=99491 For more information see, "Chapter 3: The Domain Policy", http://go.microsoft.com/fwlink/?LinkId=99492 For more information see, "Joining a Windows Vista Wired Client to a Domain", http://go.microsoft.com/fwlink/?LinkId=99495 For more information see, "Securing Wireless LANs with Certificate Services", http://go.microsoft.com/fwlink/?LinkId=99496 For more information see, "The Cable Guy Wireless Group Policy Settings for Windows Vista", http://go.microsoft.com/fwlink/?LinkId=99497 For more information see, "Define Active Directory-based Wireless Network Policies", http://go.microsoft.com/fwlink/?LinkId=99498 For more information see, "The New Windows Firewall in Windows Vista and Windows Server 2008", http://go.microsoft.com/fwlink/?LinkId=99499 For more information see, "Chapter 4: Strengthening Domain and Domain Controller Policy Settings", http://go.microsoft.com/fwlink/?LinkID=139959 For more information see, "Appendix A: Security Group Policy Settings", http://go.microsoft.com/fwlink/?LinkId=113762 For more information see, "Troubleshooting Group Policy application problems", http://go.microsoft.com/fwlink/?LinkId=101119 For more information see, "AD DS: Fine-Grained Password Policies", http://go.microsoft.com/fwlink/?LinkId=99500 For more information see, "AD DS Fine-Grained Password and Account Lockout Policy Step-byStep Guide", http://go.microsoft.com/fwlink/?LinkId=99501
R-12
For more information see, "AD DS Fine-Grained Password and Account Lockout Policy Step-byStep Guide", http://go.microsoft.com/fwlink/?LinkId=113764 For more information see, "Restricted Groups", http://go.microsoft.com/fwlink/?LinkId=99502 For more information see, "How To Use Software Restriction Policies in Windows Server 2003", http://go.microsoft.com/fwlink/?LinkId=113765 For more information see, "Using Software Restriction Policies to Protect Against Unauthorized Software", http://go.microsoft.com/fwlink/?LinkId=99503 For more information see, "Security Templates", http://go.microsoft.com/fwlink/?LinkId=99504 For more information see, "Security Configuration Wizard Overview", http://go.microsoft.com/fwlink/?LinkId=99507 For more information see, "Security Watch The Security Configuration Wizard", http://go.microsoft.com/fwlink/?LinkId=99508 For more information see, "Security Configuration Wizard for Windows Server 2003", http://go.microsoft.com/fwlink/?LinkId=99506 For more information see, "Best practices for Security Configuration and Analysis", http://go.microsoft.com/fwlink/?LinkID=112102&clcid=0x409 For more information see, "Account Passwords and Policies in Windows Server 2003", http://go.microsoft.com/fwlink/?LinkId=99493 For more information see, "Security Configuration and Analysis", http://go.microsoft.com/fwlink/?LinkId=102267&clcid=0x409
Module 9
For more information see, "Antivirus Defense-in-Depth Guide", http://go.microsoft.com/fwlink/?LinkId=102264&clcid=0x409 For more information see, "Using Encrypting File System", http://go.microsoft.com/fwlink/?LinkID=139961 For more information see, "Auditing overview", http://go.microsoft.com/fwlink/?LinkId=102268&clcid=0x409 For more information see, "Auditing Policy", http://go.microsoft.com/fwlink/?LinkID=112103&clcid=0x409 For more information see, "Audit Policies and Subcategories", http://go.microsoft.com/fwlink/?LinkID=139962 For more information see, "AD DS Auditing Step-by-Step Guide", http://go.microsoft.com/fwlink/?LinkID=112104&clcid=0x409 For more information see, "Viewing security logs", http://go.microsoft.com/fwlink/?LinkID=139977 For more information see, "How inheritance affects file and folder auditing", http://go.microsoft.com/fwlink/?LinkID=139976 For more information see, "Auditing Security Events Best practices", http://go.microsoft.com/fwlink/?LinkID=139978
R-13
For more information see, "How to use Group Policy to audit registry keys in Windows Server 2003", http://go.microsoft.com/fwlink/?LinkID=139960 For more information see, "Auditing Security Events How To...", http://go.microsoft.com/fwlink/?LinkID=139975 For more information see, "Microsoft Windows Server Update Services 3.0 Overview", http://go.microsoft.com/fwlink/?LinkId=102269&clcid=0x409 For more information see, "Determine Bandwidth Options to ", http://go.microsoft.com/fwlink/?LinkID=139968 For more information see, "Choose a Type of WSUS Deployment", http://go.microsoft.com/fwlink/?LinkID=139971 For more information see, "WSUS and the Update Management Process", http://go.microsoft.com/fwlink/?LinkID=139967 For more information see, "Server and Client Requirements", http://go.microsoft.com/fwlink/?LinkID=112105&clcid=0x409 For more information see, "Install the WSUS 3.0 Administration Console", http://go.microsoft.com/fwlink/?LinkID=139973 For more information see, "Configure Automatic Updates by Using Group Policy", http://go.microsoft.com/fwlink/?LinkID=139974 For more information see, "Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy", http://go.microsoft.com/fwlink/?LinkID=139963 For more information see, "Determine a Method to Configure Clients", http://go.microsoft.com/fwlink/?LinkID=112106&clcid=0x409 For more information see, "Managing Windows Server Update Services 3.0", http://go.microsoft.com/fwlink/?LinkId=102274&clcid=0x409 For more information see, "Appendix H: The wuauclt Utility", http://go.microsoft.com/fwlink/?LinkID=139972 For more information see, "Managing WSUS 3.0 from the Command Line", http://go.microsoft.com/fwlink/?LinkID=139969 For more information see, "Approving the Updates", http://go.microsoft.com/fwlink/?LinkID=112108&clcid=0x409 For more information see, "Create the Computer Groups", http://go.microsoft.com/fwlink/?LinkID=139966 For more information see, "Approve WSUS 3.0 Updates", http://go.microsoft.com/fwlink/?LinkID=139965 For more information see, "Security Content Overview", http://go.microsoft.com/fwlink/?LinkId=102262&clcid=0x409 For more information see, "Infrastructure Planning and Design", http://go.microsoft.com/fwlink/?LinkId=102263&clcid=0x409 For more information see, "Antivirus Defense-in-Depth Guide", http://go.microsoft.com/fwlink/?LinkId=102264&clcid=0x409
R-14
For more information see, "Security and Protection", http://go.microsoft.com/fwlink/?LinkId=102265&clcid=0x409 For more information see, "Auditing overview", http://go.microsoft.com/fwlink/?LinkId=102268&clcid=0x409 For more information see, "Microsoft Windows Server Update Services 3.0 Overview", http://go.microsoft.com/fwlink/?LinkId=102269&clcid=0x409 For more information see, "New in Windows Server Update Services 3.0", http://go.microsoft.com/fwlink/?LinkId=102270&clcid=0x409 For more information see, "Deploying Microsoft Windows Server Update Services 3.0 SP1", http://go.microsoft.com/fwlink/?LinkId=79983 For more information see, "Client Behavior with Update Deadlines", http://go.microsoft.com/fwlink/?LinkId=102272&clcid=0x409 For more information see, "Release Notes for Microsoft Windows Server Update Services 3.0", http://go.microsoft.com/fwlink/?LinkId=102273&clcid=0x409 For more information see, "Managing Windows Server Update Services 3.0", http://go.microsoft.com/fwlink/?LinkId=102274&clcid=0x409 For more information see, "Best Practices with Windows Server Update Services 3.0", http://go.microsoft.com/fwlink/?LinkId=102275&clcid=0x409
Module 10
For more information see, "Setting File Server Resource Manager Options", http://go.microsoft.com/fwlink/?LinkID=112086&clcid=0x409 For more information see, "Quota Management", http://go.microsoft.com/fwlink/?LinkID=112087&clcid=0x409 For more information see, "Create a quota template", http://go.microsoft.com/fwlink/?LinkID=112088&clcid=0x409 For more information see, "Create an auto quota", http://go.microsoft.com/fwlink/?LinkID=112089&clcid=0x409 For more information see, "What to expect during initial replication", http://go.microsoft.com/fwlink/?LinkId=102255&clcid=0x409 For more information see, "File Screening Management", http://go.microsoft.com/fwlink/?LinkID=112090&clcid=0x409 For more information see, "Define file groups for screening", http://go.microsoft.com/fwlink/?LinkID=112091&clcid=0x409 For more information see, "Create a file screen exception", http://go.microsoft.com/fwlink/?LinkID=112092&clcid=0x409 For more information see, "Create a file screen template", http://go.microsoft.com/fwlink/?LinkID=112093&clcid=0x409 For more information see, "Storage Reports", http://go.microsoft.com/fwlink/?LinkID=112094&clcid=0x409
R-15
For more information see, "Schedule a set of reports", http://go.microsoft.com/fwlink/?LinkID=112095&clcid=0x409 For more information see, "Generate reports on demand", http://go.microsoft.com/fwlink/?LinkID=112096&clcid=0x409 For more information see, "Windows Server 2008 Step-by-Step Guides", http://go.microsoft.com/fwlink/?LinkId=113166
Module 11
For more information see, "Distributed File System Technology Center", http://go.microsoft.com/fwlink/?LinkId=102236&clcid=0x409 For more information see, "Overview of the Distributed File System Solution in Microsoft Windows Server 2003 R2", http://go.microsoft.com/fwlink/?LinkId=102237&clcid=0x409 For more information see, "Microsoft Distributed File System", http://go.microsoft.com/fwlink/?LinkId=102238&clcid=0x409 For more information see, "About Remote Differential Compression", http://go.microsoft.com/fwlink/?LinkId=102239&clcid=0x409 For more information see, "Optimizing File Replication over Limited-Bandwidth Networks using Remote Differential Compression", http://go.microsoft.com/fwlink/?LinkId=102240&clcid=0x409 For more information see, "Distributed File System: Frequently Asked Questions", http://go.microsoft.com/fwlink/?LinkId=102242&clcid=0x409 For more information see, "Distributed File System Replication: Frequently Asked Questions", http://go.microsoft.com/fwlink/?LinkId=102241&clcid=0x409 For more information see, "DFS Management", http://go.microsoft.com/fwlink/?LinkId=102243&clcid=0x409 For more information see, "Deploy a namespace for publishing content", http://go.microsoft.com/fwlink/?LinkId=102244&clcid=0x409 For more information see, "How to Manage Remote Access to the Registry", http://go.microsoft.com/fwlink?linkid=46803 For more information see, "Delegate management permissions for an existing namespace", http://go.microsoft.com/fwlink/?LinkId=102245&clcid=0x409 For more information see, "Security requirements for creating and managing namespaces", http://go.microsoft.com/fwlink/?LinkId=102246&clcid=0x409 For more information see, "Optimizing a Namespace", http://go.microsoft.com/fwlink/?LinkId=102248&clcid=0x409 For more information see, "Introduction to DFS Replication", http://go.microsoft.com/fwlink/?LinkId=102249&clcid=0x409 For more information see, "Staging folders and Conflict and Deleted folders", http://go.microsoft.com/fwlink/?LinkId=102250&clcid=0x409 For more information see, "Replication groups and replicated folders", http://go.microsoft.com/fwlink/?LinkId=102251&clcid=0x409
R-16
For more information see, "DFS Replication requirements", http://go.microsoft.com/fwlink/?LinkId=102252&clcid=0x409 For more information see, "DFS Replication scalability guidelines", http://go.microsoft.com/fwlink/?LinkId=102253&clcid=0x409 For more information see, "More on DFS Replication Limits", http://go.microsoft.com/fwlink/?LinkId=70575 For more information see, "Deploying DFS Replication", http://go.microsoft.com/fwlink/?LinkId=102254&clcid=0x409 For more information see, "What to expect during initial replication", http://go.microsoft.com/fwlink/?LinkId=102255&clcid=0x409 For more information see, "Create a diagnostic report for DFS Replication", http://go.microsoft.com/fwlink/?LinkId=102256&clcid=0x409 For more information see, "Five Common Causes of Waiting for the DFS Replication service to retrieve replication settings from Active Directory", http://go.microsoft.com/fwlink/?LinkID=139980 For more information see, "Outdated Active Directory objects generate event ID 1988 in Windows Server 2003", http://go.microsoft.com/fwlink/?LinkID=139981 For more information see, "Top 10 Common Causes of Slow Replication with DFSR", http://go.microsoft.com/fwlink/?LinkID=139979 For more information see, "Distributed File System Technology Center", http://go.microsoft.com/fwlink/?LinkId=102236&clcid=0x409 For more information see, "Overview of the Distributed File System Solution in Microsoft Windows Server 2003 R2", http://go.microsoft.com/fwlink/?LinkId=102237&clcid=0x409 For more information see, "Microsoft Distributed File System", http://go.microsoft.com/fwlink/?LinkId=102238&clcid=0x409 For more information see, "About Remote Differential Compression", http://go.microsoft.com/fwlink/?LinkId=102239&clcid=0x409 For more information see, "Optimizing File Replication over Limited-Bandwidth Networks using Remote Differential Compression", http://go.microsoft.com/fwlink/?LinkId=102240&clcid=0x409 For more information see, "Distributed File System: Frequently Asked Questions", http://go.microsoft.com/fwlink/?LinkId=102242&clcid=0x409 For more information see, "Distributed File System Replication: Frequently Asked Questions", http://go.microsoft.com/fwlink/?LinkId=102241&clcid=0x409 For more information see, "DFS Management", http://go.microsoft.com/fwlink/?LinkId=102243&clcid=0x409 For more information see, "Deploy a namespace for publishing content", http://go.microsoft.com/fwlink/?LinkId=102244&clcid=0x409 For more information see, "Delegate management permissions for an existing namespace", http://go.microsoft.com/fwlink/?LinkId=102245&clcid=0x409
R-17
For more information see, "Security requirements for creating and managing namespaces", http://go.microsoft.com/fwlink/?LinkId=102246&clcid=0x409 For more information see, "Increasing the Availability of a Namespace", http://go.microsoft.com/fwlink/?LinkId=102247&clcid=0x409 For more information see, "Optimizing a Namespace", http://go.microsoft.com/fwlink/?LinkId=102248&clcid=0x409 For more information see, "Introduction to DFS Replication", http://go.microsoft.com/fwlink/?LinkId=102249&clcid=0x409 For more information see, "Staging folders and Conflict and Deleted folders", http://go.microsoft.com/fwlink/?LinkId=102250&clcid=0x409 For more information see, "Replication groups and replicated folders", http://go.microsoft.com/fwlink/?LinkId=102251&clcid=0x409 For more information see, "DFS Replication requirements", http://go.microsoft.com/fwlink/?LinkId=102252&clcid=0x409 For more information see, "DFS Replication scalability guidelines", http://go.microsoft.com/fwlink/?LinkId=102253&clcid=0x409 For more information see, "Deploying DFS Replication", http://go.microsoft.com/fwlink/?LinkId=102254&clcid=0x409 For more information see, "What to expect during initial replication", http://go.microsoft.com/fwlink/?LinkId=102255&clcid=0x409 For more information see, "Create a diagnostic report for DFS Replication", http://go.microsoft.com/fwlink/?LinkId=102256&clcid=0x409 For more information see, "Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088", http://go.microsoft.com/fwlink/?LinkID=139982 For more information see, "Fixing Replication Connectivity Problems (Event ID 1925", http://go.microsoft.com/fwlink/?LinkID=139984 For more information see, "Event ID 1311: Replication configuration does not reflect the physical network", http://go.microsoft.com/fwlink/?LinkID=139983
Module 12
For more information see, "Network Access Protection", http://go.microsoft.com/fwlink/?LinkId=102224&clcid=0x409 For more information see, "Terminal Services", http://go.microsoft.com/fwlink/?LinkId=102225&clcid=0x409 For more information see, "Network Access Protection Platform Architecture", http://go.microsoft.com/fwlink/?LinkId=102226&clcid=0x409 For more information see, "Network Access Protection", http://go.microsoft.com/fwlink/?LinkId=102227&clcid=0x409 For more information see, "Security and Policy Enforcement", http://go.microsoft.com/fwlink/?LinkId=102228&clcid=0x409
R-18
For more information see, "Overview of Network Access Protection", http://go.microsoft.com/fwlink/?LinkID=139985 For more information see, "Terminal Services", http://go.microsoft.com/fwlink/?LinkId=102225&clcid=0x409 For more information see, "About Enforcing Compliance with Network Access Protection", http://go.microsoft.com/fwlink/?LinkID=139989 For more information see, "Network Access Protection Platform Architecture", http://go.microsoft.com/fwlink/?LinkId=102226&clcid=0x409 For more information see, "About the NAP Client Status in Network Access Protection", http://go.microsoft.com/fwlink/?LinkID=139986 For more information see, "Network Access Protection Security Best Practices", http://go.microsoft.com/fwlink/?LinkID=139988 For more information see, "NAP Enforcement for VPN", http://go.microsoft.com/fwlink/?LinkID=139991 For more information see, "NAP Enforcement for DHCP", http://go.microsoft.com/fwlink/?LinkID=139990 For more information see, "Introduction to Network Access Protection", http://go.microsoft.com/fwlink/?LinkId=102223&clcid=0x409 For more information see, "About System Health Validator Points in Network Access Protection", http://go.microsoft.com/fwlink/?LinkID=139987
Module 13
For more information see, "What is a shadow copy?", http://go.microsoft.com/fwlink/?LinkID=139992 For more information see, "Shadow Copies of Shared Folders", http://go.microsoft.com/fwlink/?LinkID=139993 For more information see, "Introduction to Shadow Copies of Shared Folders", http://go.microsoft.com/fwlink/?LinkID=139996 For more information see, "Best Practices for Shadow Copies of Shared Folders", http://go.microsoft.com/fwlink/?LinkID=139994 For more information see, "How Network Load Balancing Technology Works", http://go.microsoft.com/fwlink/?LinkId=102260&clcid=0x409 For more information see, "Network Load Balancing Best practices", http://go.microsoft.com/fwlink/?LinkId=102261&clcid=0x409 For more information see, "Windows Server 2003 R2 Enterprise Edition Cluster Server Resource Center", http://go.microsoft.com/fwlink/?LinkID=139997 For more information see, "Windows Server 2008", http://go.microsoft.com/fwlink/?LinkId=99823&clcid=0x409 For more information see, "Network Interface on a Clustered Node", http://go.microsoft.com/fwlink/?LinkID=139995
R-19
For more information see, "How Network Load Balancing Technology Works", http://go.microsoft.com/fwlink/?LinkId=102260 For more information see, "Windows Server 2008", http://go.microsoft.com/fwlink/?LinkId=99823 For more information see, "Windows Server Catalog", http://go.microsoft.com/fwlink/?LinkID=59821 For more information see, "Compare Technical Features and Specifications", http://go.microsoft.com/fwlink/?LinkId=92091 For more information see, "iSCSI Cluster Support: Frequently Asked Questions", http://go.microsoft.com/fwlink/?LinkId=61375
Module 14
For more information see, "Solving performance problems", http://go.microsoft.com/fwlink/?LinkID=140000 For more information see, "Performance Tuning Guidelines for Windows Server 2008", http://go.microsoft.com/fwlink/?LinkID=140009 For more information see, "Suggested Performance Counters to Watch", http://go.microsoft.com/fwlink/?LinkID=140003 For more information see, "Processor Object", http://go.microsoft.com/fwlink/?LinkID=140005 For more information see, "Memory Object", http://go.microsoft.com/fwlink/?LinkID=140002 For more information see, "LogicalDisk Object", http://go.microsoft.com/fwlink/?LinkID=140004 For more information see, "Physical Disk Object", http://go.microsoft.com/fwlink/?LinkID=140001 For more information see, "Monitoring Windows Server 2008 with OpsMgr 2007", http://go.microsoft.com/fwlink/?LinkID=140007 For more information see, "Monitoring Events", http://go.microsoft.com/fwlink/?LinkID=140006 For more information see, "How to use and troubleshoot issues with Windows Task Manager", http://go.microsoft.com/fwlink/?LinkID=139998 For more information see, "Windows Reliability and Performance Monitor", http://go.microsoft.com/fwlink/?LinkID=139999 For more information see, "Windows Vista Performance and Reliability Monitoring Step-by-Step Guide", http://go.microsoft.com/fwlink/?LinkId=99517 For more information see, "Event Viewer", http://go.microsoft.com/fwlink/?LinkId=99509 For more information see, "Getting Started With Windows PowerShell", http://go.microsoft.com/fwlink/?LinkID=140008 For more information see, "Dynamic Systems Initiative Overview White Paper", http://go.microsoft.com/fwlink/?LinkId=121160 For more information see, "Performance Tuning Guidelines for Windows Server 2008", http://go.microsoft.com/fwlink/?LinkId=121171 For more information see, "Using Performance Tools to Obtain a Baseline", http://go.microsoft.com/fwlink/?LinkId=121123 For more information see, "Event Subscriptions", http://go.microsoft.com/fwlink/?LinkId=99512
R-20
For more information see, "Configure Computers to Forward and Collect Events", http://go.microsoft.com/fwlink/?LinkId=99513
Module 15
For more information see, "Windows Server Backup Step-by-Step Guide for Windows Server 2008", http://go.microsoft.com/fwlink/?LinkID=140018 For more information see, "Transferring Encrypted Files That Need to Be Recovered", http://go.microsoft.com/fwlink/?LinkID=140012 For more information see, "Backing Up Hyper-V Virtual Machines ", http://go.microsoft.com/fwlink/?LinkID=140010 For more information see, "Backup using GPMC", http://go.microsoft.com/fwlink/?LinkID=140019 For more information see, "Backup Best Practices", http://go.microsoft.com/fwlink/?LinkID=140017 For more information see, "Best Practices for Backup and Restore", http://go.microsoft.com/fwlink/?LinkID=140015 For more information see, "Best Practices for Change Management", http://go.microsoft.com/fwlink/?LinkID=140021 For more information see, "Security Considerations for Backup and Restore", http://go.microsoft.com/fwlink/?LinkID=140011 For more information see, "Security Considerations for Backup and Restore", http://go.microsoft.com/fwlink/?LinkID=140020 For more information see, "Best practices for the Encrypting File System", http://go.microsoft.com/fwlink/?LinkID=140013 For more information see, "How to back up the recovery agent Encrypting File System (EFS) private key in Windows Server 2003, in Windows 2000, and in Windows XP", http://go.microsoft.com/fwlink/?LinkID=140014 For more information see, "Encrypting File System in Windows XP and Windows Server 2003", http://go.microsoft.com/fwlink/?LinkID=140016 For more information see, "Wbadmin", http://go.microsoft.com/fwlink/?LinkId=93131 For more information see, "Scripting with Windows PowerShell", http://go.microsoft.com/fwlink/?LinkId=93317 For more information see, "Windows NT Backup - Restore Utility ", http://go.microsoft.com/fwlink/?LinkId=82917 For more information see, "Wbadmin", http://go.microsoft.com/fwlink/?LinkId=121122 For more information see, "Data Encryption Toolkit for Mobile PCs", http://go.microsoft.com/fwlink/?LinkId=121045 For more information see, "Microsoft Deployment Security Feature Team Guide: Planning", http://go.microsoft.com/fwlink/?LinkId=121046 For more information see, "Encrypting File System", http://go.microsoft.com/fwlink/?LinkId=121047
R-21
Communities
For more information, see "Top 10 Common Causes of Slow Replication with DFSR", http://go.microsoft.com/fwlink/?LinkID=139979 For more information, see "Five Common Causes of Waiting for the DFS Replication service to retrieve replication settings from Active Directory", http://go.microsoft.com/fwlink/?LinkID=139980 For more information, see "Backing Up Hyper-V Virtual Machines ", http://go.microsoft.com/fwlink/?LinkID=140010
R-22
Courseware Feedback
Send all courseware feedback to support@mscourseware.com. We truly appreciate your time and effort. We review every e-mail received and forward the information on to the appropriate team. Unfortunately, because of volume, we are unable to provide a response but we may use your feedback to improve your future experience with Microsoft Learning products.
Reporting Errors
When providing feedback, include the training product name and number in the subject line of your email. When you provide comments or report bugs, please include the following: Document or CD part number Page number or location Complete description of the error or suggested change
Please provide any details that are necessary to help us verify the issue.
Important All errors and suggestions are evaluated, but only those that are validated are added to the product Knowledge Base article.