6430B-ENU_TrainerHandbook_Volume1.pdf
Page 1: 6430B-ENU_TrainerHandbook_Volume1.pdf

OFFICIAL MICROSOFT LEARNING PRODUCT

6430B Planning for Windows Server® 2008 Servers

Volume 1

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.


ii Planning for Windows Server® 2008 Servers

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Press, Access, Active Directory, ActiveSync, ActiveX, BitLocker, Excel, Forefront, Hyper-V, Internet Explorer, MS, MSDN, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight, SQL Server, Visio, Visual Basic, Visual Studio, Win32, Windows, Windows Live, Windows Media, Windows NT, Windows PowerShell, Windows Server and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Product Number: 6430B

Part Number: X16-25882

Released: 11/2009

MICROSOFT LICENSE TERMS

OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION – Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft

• updates,

• supplements,

• Internet-based services, and

• support services

for this Licensed Content, unless other terms accompany those items. If so, those terms apply.

By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content.

If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. “Academic Materials” means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.

b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.

c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or “MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.

d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.

e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or analog device.

f. “Licensed Content” means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.

g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.

h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.


i. “Student Content” means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.

j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.

k. “Trainer Content” means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.

l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

m. “Virtual Machine” means a virtualized computing experience, created and accessed using Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.

2. OVERVIEW.

Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media.

License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS.

a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:

i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR

ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.

iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (i) or (ii) above during such Authorized Training Session in accordance with these license terms.


i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.

ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.

b. Trainers:

i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.

ii. Trainers may also Use a copy of the Licensed Content as follows:

A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.

B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.

4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.

c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.

i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.

ii. Survival. Your duty to protect confidential information survives this agreement.

iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that

• becomes publicly known through no wrongful act;

• you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or

• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (“beta term”).

e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.

f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

a. Authorized Learning Centers and Trainers:

i. Software.

ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.

A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply:

Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.

B. If the Virtual Hard Disks require a product key to launch, then these terms apply:

Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.

C. These terms apply to all Virtual Machines and Virtual Hard Disks:


You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:

o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.

o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.

o You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.

o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.

o You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.

o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.

o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.

ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.

iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.

iv. Evaluation Software. Any Software that is included in the Student Content designated as “Evaluation Software” may be used by Students solely for their personal training outside of the Authorized Training Session.

b. Trainers Only:

i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.

ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.


iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:

• The use of the Academic Materials will be only for your personal reference or training use

• You will not republish or post the Academic Materials on any network computer or broadcast in any media;

• You will include the Academic Material’s original copyright notice, or a copyright notice to Microsoft’s benefit in the format provided below:

Form of Notice:

© 2009 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved.

Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else’s use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not

• install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;

• allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;

• copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;

• disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft’s prior written approval;

• work around any technical limitations in the Licensed Content;

• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;

• make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;

• publish the Licensed Content for others to copy;


• transfer the Licensed Content, in whole or in part, to a third party;

• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;

• rent, lease or lend the Licensed Content; or

• use the Licensed Content for commercial hosting services or general business purposes.

• Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as “NFR” or “Not for Resale.”

10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as “Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.


16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to

• anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and

• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

Note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses of this agreement are provided below in French.

DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is offered “as is”. Any use of this Licensed Content is at your own risk. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You cannot claim any compensation for other damages, including special, indirect or incidental damages and lost profits.

This limitation applies to:

• anything related to the Licensed Content, to services or to content (including code) on third-party Internet sites or in third-party programs; and

• claims for breach of contract or warranty, or for strict liability, negligence or other fault to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights granted to you by the laws of your country if those laws do not permit it.


Thank you for taking our training! We’ve worked together with our Microsoft Certified Partners for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning experience—whether you’re a professional looking to advance your skills or a student preparing for a career in IT.

■ Microsoft Certified Trainers and Instructors—Your instructor is a technical and instructional expert who meets ongoing certification requirements. And, if instructors are delivering training at one of our Certified Partners for Learning Solutions, they are also evaluated throughout the year by students and by Microsoft.

■ Certification Exam Benefits—After training, consider taking a Microsoft Certification exam. Microsoft Certifications validate your skills on Microsoft technologies and can help differentiate you when finding a job or boosting your career. In fact, independent research by IDC concluded that 75% of managers believe certifications are important to team performance [1]. Ask your instructor about Microsoft Certification exam promotions and discounts that may be available to you.

■ Customer Satisfaction Guarantee—Our Certified Partners for Learning Solutions offer a satisfaction guarantee and we hold them accountable for it. At the end of class, please complete an evaluation of today’s experience. We value your feedback!

We wish you a great learning experience and ongoing success in your career!

Sincerely,

Microsoft Learning
www.microsoft.com/learning

[1] IDC, Value of Certification: Team Certification and Organizational Performance, November 2006

Welcome!


Acknowledgement

Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Andy Warren–Subject Matter Expert

Andrew Warren (MCSE, MCITP, and MCT) has more than 22 years of experience in the IT industry, many of which have been spent in writing and teaching. He has been involved as the subject matter expert (SME) for the 5115B course for Windows Vista® and the technical lead on a number of other courses. He also has been involved in TechNet sessions on Microsoft® Exchange Server 2007. Based in the United Kingdom, he runs his own IT training and education consultancy.

Byron Wright–Subject Matter Expert

Byron Wright is a partner in a consulting firm, where he performs network consulting, computer systems implementation, and technical training. Byron is also an instructor for the Asper School of Business at the University of Manitoba, teaching management information systems and networking. Byron has authored and coauthored a number of books on Windows® servers, Windows Vista, and Exchange Server, including the Windows Server® 2008 Active Directory® Resource Kit.


Contents

Volume 1

Module 1: Planning Windows Server 2008 Deployment

Lesson 1: Overview of Change Management 1-3

Lesson 2: Planning a Single-Server Installation 1-23

Lesson 3: Performing a Single-Server Installation 1-38

Lesson 4: Automating Windows Server Deployment 1-49

Lab: Planning Windows Server 2008 Deployment 1-60

Module 2: Planning Network Infrastructure for Windows Server 2008

Lesson 1: Planning IPv4 Addressing 2-3

Lesson 2: Planning for Name Resolution Services 2-14

Lesson 3: Determining the Need for WINS 2-27

Lesson 4: Planning a Perimeter Network 2-37

Lesson 5: Planning an IPv4 to IPv6 Transition Strategy 2-42

Lab: Planning Network Infrastructure for Windows Server 2008 2-50

Module 3: Planning for Active Directory

Lesson 1: Selecting a Domain and Forest Topology 3-3

Lesson 2: Selecting a Domain and Forest Functional Level 3-19

Lesson 3: Planning Identity and Access Services in Active Directory 3-27

Lesson 4: Implementing Active Directory in the Physical Network 3-37

Lab: Planning for Active Directory 3-48

Module 4: Planning for Group Policy

Lesson 1: Planning Group Policy Application 4-3

Lesson 2: Planning Group Policy Processing 4-13

Lesson 3: Planning the Management of Group Policy Objects 4-24

Lesson 4: Planning the Management of Client Computers 4-37

Lab: Planning for Group Policy 4-52


Module 5: Planning Application Servers

Lesson 1: Overview of Application Servers 5-3

Lesson 2: Supporting Web-Based Applications 5-17

Lesson 3: Supporting SQL Server Databases 5-30

Lesson 4: Deploying Client Applications 5-48

Lesson 5: Planning Terminal Services 5-55

Lab: Planning Application Servers 5-64

Lab Answer Keys

Module 1 Lab: Planning a Windows Server 2008 Deployment L1-1

Module 2 Lab: Planning Network Infrastructure for Windows Server 2008 L2-13

Module 3 Lab: Planning for Active Directory L3-25

Module 4 Lab: Planning for Group Policy L4-35

Module 5 Lab: Planning Application Servers L5-47

Volume 2

Module 6: Planning File and Print Services

Lesson 1: Planning and Deploying the File Services Role 6-3

Lesson 2: Managing Storage 6-24

Lesson 3: Planning and Implementing the Distributed File System 6-44

Lesson 4: Planning and Implementing Shared Printing 6-56

Lab: Planning File and Print Services 6-66

Module 7: Planning Server and Network Security

Lesson 1: Overview of Defense-in-Depth 7-3

Lesson 2: Planning for Windows Firewall with Advanced Security 7-11

Lesson 3: Planning Protection Against Viruses and Malware 7-24

Lesson 4: Planning Remote Access 7-38

Lesson 5: Planning for NAP 7-45

Lab: Planning Server and Network Security 7-59


Module 8: Planning Server Administration

Lesson 1: Selecting the Appropriate Administration Tool 8-4

Lesson 2: Planning Server Core Administration 8-17

Lesson 3: Delegating Administration 8-27

Lab: Planning Server Administration 8-34

Module 9: Planning and Implementing Monitoring and Maintenance

Lesson 1: Planning Monitoring Tasks 9-3

Lesson 2: Calculating a Server Baseline 9-9

Lesson 3: Tools for Monitoring Server Performance 9-17

Lesson 4: Planning Software Updates 9-29

Lab: Planning and Implementing Monitoring and Maintenance 9-40

Module 10: Planning High Availability and Disaster Recovery

Lesson 1: Choosing a High-Availability Solution 10-3

Lesson 2: Planning a Backup and Restore Strategy 10-23

Lab: Planning High Availability and Disaster Recovery 10-34

Module 11: Planning Virtualization

Lesson 1: Overview of Server Virtualization 9-4

Lesson 2: Business Scenarios for Server Virtualization 9-13

Lesson 3: Overview of System Center Virtual Machine Manager 9-20

Lesson 4: Planning Host Resources 9-31

Lab: Planning Virtualization 9-42

Lab Answer Keys

Module 6 Lab: Planning File and Print Services L6-57

Module 7 Lab: Planning Server and Network Security L7-69

Module 8 Lab: Planning Server Administration L8-87

Module 9 Lab: Planning and Implementing Monitoring and Maintenance L9-95

Module 10 Lab: Planning High Availability and Disaster Recovery L10-103

Module 11 Lab: Planning Virtualization L11-113


About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description

This three-day instructor-led course is intended for IT pros who are interested in the knowledge and skills necessary to plan a Windows Server® 2008 operating system infrastructure. This course is aimed at server administrators and is not a “how-to” course; therefore, it has a significant number of planning exercises with less focus on hands-on exercises than some courses.

The course content and exercises direct you toward making decisions and providing guidance to others. This course reflects the decision-making tasks that a server administrator undertakes.

Server administrators often act as an escalation point and sit between the technical specialist role and architect role.

Audience

This course is intended for a server administrator who:

• Is moving from a technical-specialist role to a decision-making role.

• Wants to acquire the necessary knowledge to be able to plan for Windows Server 2008 servers.

Student Prerequisites

You should have up to one year of experience with implementing server plans, although you have probably not yet had full responsibility for planning.

This course requires that you meet the following prerequisites:

• Skills equivalent to course 6418A (deployment)—Installation and configuration of Windows Server 2008, Windows® Deployment Services, Active Directory® directory service upgrades

• Skills equivalent to course 6420A (networking fundamentals)—TCP/IP configuration, server administration, network and data security


• Skills equivalent to course 6421A (core network infrastructure training)—Domain Name System (DNS) configuration, Windows Internet Name Service (WINS) configuration, IPv6 transition, remote access, network policies, Network Access Protection (NAP), Distributed File System (DFS)

• Skills equivalent to course 6424A (Active Directory fundamentals)—Configure Active Directory Domain Services (AD DS), configure Active Directory Lightweight Directory Services (AD LDS), configure Active Directory Certificate Services (AD CS), configure Active Directory Federation Services (AD FS), create users and groups

• Skills equivalent to course 6425A (core Active Directory training)—Configure AD DS security, trusts, sites, replication, Group Policy

• Up to one year experience implementing server plans

Course Objectives

After completing this course, students will be able to:

• Plan for both Windows Server 2008 installation and upgrade from a previous version of Windows Server to Windows Server 2008.

• Plan and implement network connectivity in Windows Server 2008 by using IPv4-related technologies and plan a migration strategy to IPv6.

• Plan the deployment of Active Directory–related services in Windows Server 2008.

• Apply the design considerations for implementing group policy.

• Plan the configuration of different applications services in Windows Server 2008.

• Create a plan for file and print services to meet an organization’s printing, file storage, and access needs.

• Create a plan to secure the Windows Server 2008 environment.

• Create local and remote administration strategies for administering a Windows Server 2008 environment.

• Create a monitoring plan for the Windows Server 2008 environment.

• Create a plan that will help mitigate the effects of various disaster scenarios on the IT infrastructure.

• Create a plan for using virtualization in a Windows Server 2008 environment.


Course Outline

This section provides an outline of the course:

• Module 1: Planning Windows Server 2008 Deployment

• Module 2: Planning Network Infrastructure for Windows Server 2008

• Module 3: Planning for Active Directory

• Module 4: Planning for Group Policy

• Module 5: Planning Application Servers

• Module 6: Planning File and Print Services

• Module 7: Planning Server and Network Security

• Module 8: Planning Server Administration

• Module 9: Planning and Implementing Monitoring and Maintenance

• Module 10: Planning High Availability and Disaster Recovery

• Module 11: Planning Virtualization


Course Materials

The following materials are included with your kit:

• Course Handbook. A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.

• Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.

• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.

• Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.

• Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when it’s needed.

• Course Companion CD. Searchable, easy-to-navigate digital content with integrated premium online resources designed to supplement the Course Handbook.

• Lessons: Include detailed information for each topic, expanding on the content in the Course Handbook.

• Labs: Include complete lab exercise information and answer keys in digital form to use during lab time.

• Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN®, and Microsoft Press®.

• Student Course Files: Include the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

Note: To access the full course content, insert the Course Companion CD into the CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.

• Course evaluation. At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail to [email protected].


Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration

In this course, you will use Microsoft® Virtual Server 2005 R2 with the Microsoft Lab Launcher to perform the labs. There is also an optional lab included in Module 11 that you may or may not want to complete. This optional lab is based on Microsoft Hyper-V™, so you will need to meet the hardware and software requirements for installing Hyper-V. Hardware details are included in the Hardware Level 6 specification below, and other considerations can be found here:

• Hyper-V: http://go.microsoft.com/fwlink/?LinkId=168247

Software required for the Module 11 lab, but not included in the Training Materials, is:

• Windows Server 2008 64-bit Operating System

This software can be sourced from the Microsoft Partner Program via the Partner Program Action Pack; detailed information is available at https://partner.microsoft.com.

Important: When shutting down the virtual machines in Lab Launcher, the default setting is Shut Down The Virtual Machine And Save Changes. You should inform students not to take the default setting but rather to take their time when shutting down the virtual machines and make sure they select the bottom option in the list, Turn Off Machines And Discard Changes, at the end of each lab. To close a virtual machine without saving the changes on Hyper-V, perform the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


Classroom Setup

Each classroom computer will have the same virtual machines configured in the same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.

This course is a Hardware Level 5.5 course with additional random access memory (RAM). Please see the classroom setup guide for detailed hardware specs. As stated earlier, there is also an optional lab included in Module 11 that you may or may not want to complete. This optional lab is based on Hyper-V.

Important: The Hardware Level in this course has been modified to run by default under the assumption that 4 gigabytes (GB) of RAM is available in the host machine, rather than the 2 GB of RAM that Hardware Level 5.5 normally defines as the required amount. The default configuration on installation and boot-up is therefore set up to run where 4 GB of RAM is available in the host machine. For detailed steps on how to set up this environment, follow the steps outlined in the Classroom Configuration – Hardware Level 5.5 with 4 GB RAM section in the classroom setup guide.

If you do not have 4 GB of RAM available in the student machines, you will need to follow alternative setup steps. An alternative LauncherSettings.config file is provided with the course; it redefines the RAM values for each of the virtual machines so that they boot up and run with the normal Hardware Level 5.5 allocation, that is, 2 GB of RAM available in the host machine. For details on how to set up the classroom where only 2 GB is available in the student machines, see the Classroom Configuration – Hardware Level 5.5 with 4 GB RAM section in the classroom setup guide.

It is also highly recommended that you read the MSL Lab Launcher Getting Started Guide, which is available in the MCT Download Center. It contains information about how to install and customize the MSL Lab Launcher in general terms and complements what is contained in this course-specific setup guide.


Important (continued): The optional lab in Module 11 requires Hardware Level 6. This is to facilitate the setup of Hyper-V. If this hardware is not available, there is also a paper-based element to the lab, which can still be completed.

Each classroom computer will serve as the host for four virtual machines that will run in Virtual Server 2005 R2 SP1.

The following are the virtual machines, brief descriptions, and the RAM allocation to each of them for the default installation, that is, 4 GB RAM available on the host machine.

Virtual machine    Description                                          RAM (MB)
6430B-SEA-DC1      Domain controller in the adatum.com domain           1,024
6430B-SEA-SVR1     Windows Server in adatum.com domain                  1,024
6430B-SEA-SVR2     Windows Server in adatum.com domain                  1,024
6430B-SEA-CL1      Windows Vista® computer in the adatum.com domain     768

Estimated time to set up the classroom: 120 minutes

The following are the virtual machines, brief descriptions, and the RAM allocation to each of them for the nondefault installation, that is, 2 GB RAM available on the host machine.

Virtual machine    Description                                          RAM (MB)
6430B-SEA-DC1      Domain controller in the adatum.com domain           512
6430B-SEA-SVR1     Windows Server in adatum.com domain                  384
6430B-SEA-SVR2     Windows Server in adatum.com domain                  384
6430B-SEA-CL1      Windows Vista computer in the adatum.com domain      384

Estimated time to set up the classroom: 140 minutes

Both Hardware Level 5.5 and Hardware Level 6 are listed below. As stated earlier, there is also an optional lab in Module 11 that requires Hardware Level 6.


Hardware Level 5.5

• Pentium IV 2.4-gigahertz (GHz) processor

• PCI 2.1 bus

• 4 GB of RAM

• At least two 40 GB hard disks, 7,200 RPM

• DVD drive

• Non–Industry Standard Architecture (ISA) network adapter: 10/100 megabits per second (Mbps); full duplex required

• 16 MB video adapter (32 MB recommended)

• Super VGA (SVGA) 17-inch monitor

• Microsoft Mouse or compatible pointing device

• Sound card with amplified speakers

• Projection display device that supports SVGA 800 x 600, 256 colors

In addition, the instructor computer must be connected to a projection display device that supports SVGA 800 x 600 pixels, 256 colors.

Note: All virtual machines in this course were developed with a resolution of 1024 x 768.

Hardware Level 6

• Pentium IV 2.4 GHz processor *

• PCI 2.1 bus

• 4 GB of RAM

• At least two 40 GB hard disks, 7,200 RPM

• DVD drive

• Non–ISA network adapter: 10/100 Mbps; full duplex required


• 16 MB video adapter (32 MB recommended)

• SVGA 17-inch monitor

• Microsoft Mouse or compatible pointing device

• Sound card with amplified speakers

• Projection display device that supports SVGA 800 x 600, 256 colors

In addition, the instructor computer must be connected to a projection display device that supports SVGA 800 x 600 pixels, 256 colors.

* A 64-bit system with hardware-assisted virtualization enabled and data execution prevention (DEP) is required to install Hyper-V.


Module 1: Planning Windows Server® 2008 Deployment

Contents:

Lesson 1: Overview of Change Management 1-3

Lesson 2: Planning a Single-Server Installation 1-23

Lesson 3: Performing a Single-Server Installation 1-38

Lesson 4: Automating Windows Server Deployment 1-49

Lab: Planning Windows Server 2008 Deployment 1-60


Module Overview

The deployment of Windows Server 2008 must be carefully planned before it is performed. This includes identifying the change management process to be used, identifying the appropriate edition of Windows Server 2008, and evaluating hardware considerations and applications considerations. Automating the deployment of Windows Server 2008 with answer files or other technologies should be evaluated. Failure to properly plan the deployment of Windows Server 2008 could result in downtime to critical business systems.

Objectives

After completing this module, you will be able to:

• Describe how change management affects a deployment project.

• Plan the deployment of a single computer running Windows Server 2008.

• Describe how to perform a single-server installation.

• Determine how to automatically deploy Windows Server 2008.


Lesson 1: Overview of Change Management

Change management is an essential part of information technology management for any organization. Using a change management process consistently results in greater uptime for systems and faster troubleshooting processes. Two common frameworks for managing change are the Information Technology Infrastructure Library (ITIL) and Microsoft® Operations Framework (MOF). Regardless of the framework you use, a service-level agreement (SLA) is used to define characteristics of service support and availability. Microsoft also provides specific guidance for implementing technologies in Microsoft Solution Accelerators.

Objectives

After completing this lesson, you will be able to:

• Describe change management and its benefits.

• Describe the considerations for change management.


• Describe MOF.

• Describe ITIL.

• Describe SLAs.

• Describe Microsoft Solution Accelerators.


Discussion: What Is Change Management?

Key Points

Change management is the process by which changes are approved, implemented, and monitored. Some additional steps in formal processes might include a request for change and change classification as part of the approval process. The change management process varies widely for different organizations. In larger organizations, change management is a formal process and can require that a change-approval board approve all system changes. The board documents all changes and when they are to occur. In smaller organizations, the process is often less formal, only requiring the verbal approval of the manager responsible for information systems.

Question: What is change?

Question: How does your organization address change management?


Question: Are there some situations in which change management is more important than others?

Question: What are the benefits of a formal change management process?

Question: Are there situations in which the normal change process cannot be followed?


Considerations for Managing Change

Key Points

Changes to any information system should be made in an organized and controlled manner. The details of the change management process that you use are less important than defining a process and using it consistently. A consistent process ensures that all the necessary approvals are gathered before the change is implemented and that impact on other systems is avoided.

Successful Change Management

For a change management process to be successful, it must be supported by the organization. Using the change management process cannot be optional. All staff must follow the change management procedures. If the change management process is not enforced and communicated properly, most of the staff will stop using it over time.

When a change management process is first implemented, many of the information technology staff will complain about the level of bureaucracy involved. However, after the initial adjustment in expectations has been made, information technology staff frustration will be reduced.


Question: Do you like using change management procedures?

Question: Do you see the value in using change management procedures in your organization?


What Is ITIL?

Key Points

ITIL was originally a set of about 60 books developed in the late 1980s by a consortium of industry leaders as a set of best practices for IT. These books described IT processes defined by ITIL and the interdependencies among them. The development of the library was sponsored by the government of the United Kingdom’s Office of Government Commerce (OGC). ITIL version 3 was released in 2007.

ITIL is a de facto standard for IT service management. It is widely implemented by large and medium-sized organizations. In addition to the ITIL books, ITIL certification is also available.


ITIL Characteristics

ITIL is process oriented, meaning that it focuses on processes in IT organizations rather than on such things as technology. Processes stress the importance of objectives. Each ITIL process has a clearly defined objective, together with inputs and outputs. Processes often involve more than one organizational unit. They can help the IT organization to identify activities that are well-planned and well-executed, on the one hand, and those that are carried out without any coordination, in duplication, unnecessarily, or not at all, on the other.

Other ITIL characteristics include:

• A striving for quality of service through continual improvement

• A customer focus that includes understanding the needs of the business

• Best practices for IT management

• Independence of any specific technology

• Descriptive guidance at a high level rather than detailed guidance, to preserve adaptability to your organization

For more details about ITIL, talk to your local training center. You can also find more information at the official ITIL Web site at http://go.microsoft.com/fwlink/?LinkID=160967&clcid=0x409.

Question: Does your organization use ITIL?


What Are ITIL Books?

Key Points

ITIL is a large set of documentation describing best practices for IT service management. ITIL version 3 was released in 2007 and contains five core books. Each book covers a different stage of the service life cycle. Additional books providing more detail are provided for specialized topics related to the five core books. The five core books are:

• Service Strategy

• Service Design

• Service Transition

• Service Operation

• Continual Service Improvement


Service Strategy

Service Strategy is the core of the ITIL model for IT service management. A service strategy defines which services are offered by IT, who the services are for, and how performance will be measured. When building this strategy, you must consider the value of services and how customers (users or departments within your organization) perceive that value. This varies between organizations based not only on the business processes that are in place, but also on organizational culture.

Service Design

Whereas Service Strategy helps to define what services should be offered, Service Design helps you decide in what way they will be offered. Outcomes of service design include a service-level agreement, a process for supplier management, and a plan for security. When creating a service design, you need to consider:

• Business requirements

• Risks and mitigation

• Performance measurement

• Policies and procedures

• IT skills and capability

Service Transition

Service Transition takes the service design and implements it in a way that meets all requirements of the service design. This includes not only requirements during normal operational use, but also requirements for disaster recovery. One of the key challenges and processes that must be defined for service transition is change management. Testing of the services as they are implemented must be performed.

Service Operation

From the customer perspective, service operation is when value is delivered. Processes for ongoing maintenance of the applications and infrastructure are defined. Also, processes for incident management and the service desk must be in place. Effective management of ongoing incidents is essential for customer satisfaction.


Continual Service Improvement

In any system or set of processes, there are opportunities to create additional value through continual improvement. In the ITIL books, Continual Service Improvement wraps around the other processes. For long-term success, an organization must be constantly looking for ways to improve service to provide additional value for customers.

The key to continual service improvement is the selection of metrics that can be used to track progress. For each service, you must have metrics that allow you to determine whether performance is improving or not. The metrics you select need to relate directly to the value perceived by the customer. For example, IT staff might want to track CPU utilization on a server, which has no inherent value to the customer. A more appropriate measure would be how quickly an application responds to user requests. One cause of slow performance could be CPU utilization.


What Is MOF?

Key Points

The Microsoft Operations Framework (MOF) process model describes a life cycle that can be applied to systems of any size and related to any service solution. The model groups similar information technology management functions, called service management functions (SMFs), into four quadrants.


The following table describes the four quadrants in detail, giving for each quadrant its mission of service and its operations management review:

Changing
  Mission of service: Introduce new service solutions, technologies, systems, applications, hardware, and processes.
  Operations management review: Release readiness review provides approval to deploy the fully developed and tested release.

Operating
  Mission of service: Execute day-to-day tasks effectively and efficiently.
  Operations management review: Operations review is scheduled periodically to evaluate the information technology staff's ability to maintain a specific service, meet service-level requirements, and document its experience in a knowledge base.

Supporting
  Mission of service: Resolve incidents, problems, and inquiries quickly.
  Operations management review: Service-level agreement (SLA) evaluation is performed periodically and evaluates the information technology staff's ability to meet the service-level requirements defined in the SLA.

Optimizing
  Mission of service: Drive changes to optimize cost, performance, capacity, and availability in the delivery of information technology services.
  Operations management review: Change initiation review increases the likelihood that proposed changes are in alignment with business objectives and operability requirements.

Note: MOF extends the best practices found in ITIL by including guidance and best practices derived from the experience of Microsoft operations groups, partners, and customers.

For more information about MOF, see the Microsoft Solution Accelerator for MOF on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=160865&clcid=0x409.


What Is Project Management?

Key Points

Project management is a set of techniques used to achieve a desired result on time, within budget, and according to specification. The project management process includes planning, estimating, and controlling all of the activities required to attain the required end result. A key aspect of projects is that they have a limited scope that is to be completed within a defined timeframe, meaning that they are temporary and not ongoing.

The idea of project management is that, regardless of the project being completed, there is a consistent set of procedures that helps to ensure that the project is completed successfully. The same set of procedures can be used to ensure success for the building of a bridge as for the building of a new information system.

The stages of project management are:

• Initiation (scoping)

• Planning and design

• Executing

• Monitoring and controlling

• Closing

Initiation

During initiation, you must identify the deliverables that define when the project has been completed. At this stage, you also obtain approval from senior management for the project based on the benefits to the organization. High-level planning for resources is also performed.

Planning and Design

During planning and design, you create a detailed plan of what needs to be performed and when. The overall project is broken down into tasks. Then, based on the tasks, you can define the required resources and schedule when activities need to occur. As part of this process, a critical path is defined. The critical path determines the shortest time frame in which the project can be completed.

Executing

During execution, the tasks determined in the plan are performed. The project manager is responsible for assuring that the necessary resources are available and that each task is assigned to an appropriate resource. Gantt charts are typically used to show what tasks are being performed at a given time.

Monitoring and Controlling

Monitoring and controlling are the processes used to supervise the completion of tasks performed during execution. These processes are essential to identify any potential problems as early as possible so that they can be corrected. One example of monitoring is regular progress meetings to identify any tasks that are not being completed on time or require additional resources.

Closing

At the close of a project, you must verify that all deliverables are completed and obtain client acceptance of those deliverables. Closing should also include the completion of all documentation related to the project such as meeting minutes, change control documentation, and testing documentation.

An important part of closing is a post-implementation review. This review helps you to learn from the project by identifying positive processes that can be used again. It also allows you to identify mistakes so that you do not repeat them on the next project.

There are a number of different project management methodologies that can be used. One of the most commonly used is PRINCE2 (Projects IN Controlled Environments). For more information about PRINCE2, see the PRINCE2 Web site at http://go.microsoft.com/fwlink/?LinkID=166904&clcid=0x409.

What Are Service-Level Agreements?

Key Points

An SLA is an agreement between an IT group and an organization. It is important to define an SLA early, because it documents the service expectations and requirements that an organization expects the IT service provider to deliver. An SLA might be written for the availability of a specific system component, a specific service, or an entire system.

SLAs and Change Management

An SLA should include a regular time that maintenance can be performed. During the scheduled maintenance time, the system is not expected to be available. This is typically when changes are implemented. The maintenance window may be daily, weekly, or monthly, and may range from only a few minutes to a few hours.

When a major change such as a server migration is implemented, an additional service outage may need to be negotiated as part of the change. For example, if a file server has a one-hour daily maintenance window, and migrating data to a new file server will take several hours, an additional outage must be negotiated.

Types of SLAs

• Internal SLAs

An internal SLA is between the IT department and other departments in the same organization.

• External SLAs

External SLAs are legally binding contracts and are more formal than internal SLAs. An external SLA may have more structure, usually including cost and bonus clauses and sometimes penalty clauses. In all cases, an external SLA includes the service’s specific cost and deliverables, which often include availability and security services.

• Informal SLAs

Not all SLAs are contracts with formal terms and conditions. In some cases, service-level expectations are based on a verbal agreement between the IT provider and the organization. This is an informal SLA, and often these types of agreements develop over time through casual conversations with the IT provider. An internal agreement is often informal in smaller organizations.

What Are Microsoft Solution Accelerators?

Key Points

Microsoft Solution Accelerators are free tools and guidance from Microsoft on how to implement Microsoft technologies. If you are planning the implementation of any new Microsoft technology, you should review the Microsoft Solution Accelerators for content relevant to the new technology.

Some of the Microsoft Solution Accelerators relevant to Windows Server 2008 are:

• Microsoft Assessment and Planning Toolkit

• Infrastructure Planning and Design Guides for Windows Server

• Microsoft Deployment Toolkit 2008

• Windows Server 2008 Security Compliance Management Toolkit

• Hyper-V™ Security Guide

The Microsoft Solution Accelerators are found on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=165474&clcid=0x409.

Lesson 2 Planning a Single-Server Installation

When you introduce Windows Server 2008 into your organization, you need to determine which edition of Windows Server 2008 meets your needs. You also need to consider the licensing requirements for Windows Server 2008. Some of the other topics you need to consider are activation, virtualization, and consolidation of server roles.

Objectives

After completing this lesson, you will be able to:

• Select an appropriate edition of Windows Server 2008.

• Describe the Microsoft licensing programs.

• Describe the considerations for client access licenses.

• Describe the considerations for virtualization.

• Describe the considerations for server activation.

• Describe the considerations for consolidating server roles.

• Describe the Microsoft Assessment and Planning Toolkit.

Windows Server 2008 Editions

Key Points

Windows Server 2008 is available in several different editions to meet the unique needs of different organizations. Each edition is priced differently, has different support for hardware, and supports different features. You select the edition based on your requirements for hardware support and features.

The most common editions of Windows Server 2008 are:

• Windows Web Server 2008. This low-cost edition is meant to be used as a Web application server. It supports up to four processors and 32 GB of RAM (4 GB on 32-bit systems). It cannot be used as a domain controller.

• Windows Server 2008 Foundation. This low-cost edition is meant to be used in small offices with limited requirements. It is sold only by original equipment manufacturers (OEMs), not at retail outlets or through volume licensing. It supports only a single 64-bit processor and 8 GB of RAM. Infrastructure roles are supported.

• Windows Server 2008 Standard. This edition supports up to four processors and 32 GB of RAM (4 GB on 32-bit systems). Failover clustering and cross-file replication for distributed file system (DFS) are not supported.

• Windows Server 2008 Enterprise. This edition supports up to eight processors and 2 TB of RAM (64 GB on 32-bit systems). Failover clustering and cross-file replication for DFS are supported. Hot add memory is also supported. This edition is typically used in larger organizations that require these features.

• Windows Server 2008 Datacenter. This edition supports up to 64 processors (32 on 32-bit systems) and 2 TB of RAM (64 GB on 32-bit systems). All features of Windows Server 2008 Enterprise are supported, as well as hot replace memory, hot add processors, and hot replace processors. This edition is typically used in larger organizations that require these features.

For more detailed information about the various editions of Windows Server 2008, see the Overview of Edition page on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=166905&clcid=0x409.

Ways to Obtain Licenses

Key Points

There are three main ways that you can obtain licenses for Windows Server 2008:

• Retail. These licenses are purchased from an online or physical retailer. This type of licensing is typically used by small organizations that are purchasing a limited number of licenses.

• OEM. These licenses are purchased with new hardware. The cost of these licenses is typically less than retail, but the licenses cannot be moved from one computer to another.

• Volume license. Microsoft has a variety of volume license programs for purchasing multiple copies of Microsoft software. The cost of these licenses is typically less than retail but more than OEM licensing. Some volume licensing options are subscription based rather than purchased outright. Software Assurance is also available. For larger organizations, one key benefit of volume licensing is simplifying the licensing process.

Software Assurance benefits vary depending on the type of volume licensing purchased. In all cases, it includes new version rights for software, e-learning, and product support. Other features may include an employee purchase program and consulting services.

Regardless of how you obtain your server licenses, you are eligible to use a previous version of Windows® if required. This is referred to as a downgrade right. For example, if you have an application that runs only on Windows Server 2003 and not Windows Server 2008, you can purchase a Windows Server 2008 license and install Windows Server 2003 instead.

For more information about licensing, see the Windows Server 2008 Licensing Overview on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=160956&clcid=0x409.

For more information about Software Assurance, see Microsoft Software Assurance on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=166906&clcid=0x409.

Considerations for Client Access Licenses

Key Points

Client access licenses (CALs) are required for all devices and computers that communicate with the Standard, Enterprise, and Datacenter editions of Windows Server 2008. When you introduce Windows Server 2008 to your organization, you must also update the CALs.

CALs are not required in the following circumstances:

• When access is through the Internet and is anonymous or unauthenticated—for example, when access is through a Web site that does not have a user logon.

• When access is to Windows Web Server 2008. Because no CALs are required in this case, you can run Web sites that require users to authenticate to the local Web server.

• When access is to Windows Server 2008 Foundation. An alternative licensing scheme is used for Windows Server 2008 Foundation that does not use CALs.

Per-Server and Per-Seat Licensing

When you install a server, you can select whether to use per-server or per-seat licensing. Per-server licensing requires a server to have a CAL for each user who is accessing it simultaneously. Per-seat licensing requires each user or device to have only one CAL to access any number of servers. In general, per-seat licensing is advantageous if you have users or devices accessing multiple servers.

User and Device CALs

If you use per-seat licensing, you can purchase either user or device CALs. A user CAL allows a specific person to access the server. It cannot be shared between multiple users, even if they are not logged on at the same time. However, a single user can access the server from multiple devices by using a single CAL. A device CAL allows a specific device to access the server. It can be shared between multiple users of the same device. In general, a device CAL is more useful in environments where workers use the devices in shifts.

Other Types of CALs

• If you are accessing Terminal Services, you must have a Terminal Services CAL in addition to the Windows Server CAL.

• If you are using Rights Management Services, a Rights Management Services CAL is required.

• In some cases, an External Connector (EC) license can be used instead of CALs.

Considerations for Virtualization

Key Points

Hyper-V is a server role available in the Standard, Enterprise, and Datacenter editions of Windows Server 2008. It allows Windows Server 2008 to act as a virtualization host for virtual machines. It is possible to purchase these editions of Windows Server 2008 without Hyper-V included. However, the price discount is very small. Hyper-V is only available for 64-bit versions of Windows Server 2008.

When you purchase a single-server license for the Standard, Enterprise, or Datacenter edition of Windows Server 2008, your license includes virtual image use rights:

• Windows Server 2008 Standard includes one virtual image license. This means that you can install one physical and one virtual version of Windows Server 2008 Standard on the same physical server.

• Windows Server 2008 Enterprise includes four virtual image licenses. This means that you can install one physical and four virtual versions of Windows Server 2008 Standard on the same physical server.

• Windows Server 2008 Datacenter includes unlimited virtual image licenses. This means that you can install one physical and an unlimited number of virtual versions of Windows Server 2008 Standard on the same physical server. Using Windows Server 2008 Datacenter on virtualization hosts can greatly simplify the licensing of servers.

Note: The virtual image use rights include downgrade rights to run previous versions of Windows Server. For example, a Hyper-V host running Windows Server 2008 Enterprise could have a Windows Server 2003 virtual machine as one of the virtual machines included in the virtual image use rights.

CALs are also a concern when you implement Hyper-V for virtualization. If you are hosting a virtual machine on a Hyper-V host running Windows Server 2008, any user accessing the virtual machine must have a Windows Server 2008 CAL. For example, if a Windows Server 2003 virtual machine is hosted on a Hyper-V host, all users or devices accessing the Windows Server 2003 virtual machine must have a Windows Server 2008 CAL.

Considerations for Server Activation

Key Points

Product activation is used by Microsoft to prevent casual copying of software. Windows Server 2008 is one software product that must be activated. This is a separate process from product registration.

Activation associates a specific set of hardware with a product key to ensure that the product key is not reused on an unauthorized computer. However, no personally identifying information is included as part of the activation process.

Initial activation can be performed over the Internet or by phone. If your server has access to the Internet, that is the preferred method, because activation over the Internet takes only a few moments. If your server does not have access to the Internet, you must activate by telephone, which takes about ten minutes in most cases.

Unactivated Systems

If you do not activate a new server, after a grace period of 60 days the system becomes unlicensed. The desktop background changes to black, and you receive persistent notifications to activate. Only critical Windows updates are installed. Otherwise, the server continues to function normally.

If you significantly modify the hardware in your server, you may be required to reactivate within three days. You can reactivate either over the Internet or over the phone. If you do not reactivate, the server is unlicensed with the same results as if you had never activated it.

Key Management Service

In large organizations in which volume licensing is used, there is often a desire to keep all activation activity within the organization rather than having each system activate directly with Microsoft servers. In such a case, you can implement Key Management Service (KMS). You can use a service (SRV) record in Domain Name System (DNS) to automatically direct computers to the KMS server. New servers then contact the KMS server for activation rather than contacting Microsoft servers. However, the KMS server itself does need to be able to contact Microsoft servers. Also, computers activated by using a KMS server must reconnect to the KMS server to verify activation every 60 days.

Multiple Activation Key

When volume licensing is used, an organization may be given a multiple activation key (MAK). A MAK can be used for multiple activations. When a MAK is used, activation can be performed over the Internet, by phone, or by using a KMS server.

For more information about volume activation, see Volume Activation 2.0 for Windows Vista® and Windows Server 2008 on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=160957&clcid=0x409.
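As an added example (not part of the course material), the following PowerShell function reports the local server's activation state and remaining grace period from the SoftwareLicensingProduct WMI class, and looks up the _vlmcs._tcp SRV record that KMS clients use to find a KMS host. The LicenseStatus code meanings and the SRV record name are standard Windows values; the warning thresholds are this example's own assumptions.

```powershell
# Added example (not from the course): audit activation state and KMS discovery.
# Run in an elevated PowerShell prompt on the server being checked.

function Get-ActivationReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Meaning of the SoftwareLicensingProduct.LicenseStatus codes
    $statusNames = @{
        0 = 'Unlicensed'
        1 = 'Licensed'
        2 = 'Initial (out-of-box) grace period'
        3 = 'Additional (out-of-tolerance) grace period'
        4 = 'Non-genuine grace period'
        5 = 'Notification'
        6 = 'Extended grace period'
    }

    # The Windows product entry that actually has a product key installed
    $product = Get-WmiObject -ComputerName $ComputerName -Class SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } |
        Select-Object -First 1
    if (-not $product) { throw "No licensed Windows product found on $ComputerName" }

    # Discover the KMS host advertised in DNS for the computer's domain
    $domain = (Get-WmiObject -ComputerName $ComputerName -Class Win32_ComputerSystem).Domain
    $srvLines = nslookup -type=SRV "_vlmcs._tcp.$domain" 2>$null |
        Where-Object { $_ -match 'svr hostname|port' }

    $graceDays   = [math]::Round($product.GracePeriodRemaining / 1440, 1)   # minutes -> days
    $isKmsClient = $product.Description -match 'KMSCLIENT'

    $report = New-Object PSObject -Property @{
        ComputerName       = $ComputerName
        Product            = $product.Name
        Channel            = $product.Description
        LicenseStatus      = $statusNames[[int]$product.LicenseStatus]
        GraceDaysRemaining = $graceDays
        KmsClient          = $isKmsClient
        KmsHostConfigured  = $product.KeyManagementServiceMachine
        KmsHostDiscovered  = $product.DiscoveredKeyManagementServiceMachineName
        KmsSrvRecord       = ($srvLines -join '; ')
        Warnings           = @()
    }

    # Findings a planner would act on (thresholds are this example's assumptions)
    if ($product.LicenseStatus -ne 1) {
        $report.Warnings += "Server is not in the Licensed state ($($report.LicenseStatus))."
    }
    if ($product.LicenseStatus -ne 1 -and $graceDays -lt 7) {
        $report.Warnings += "Grace period ends in $graceDays days; activate now."
    }
    if ($isKmsClient -and -not $srvLines -and -not $product.KeyManagementServiceMachine) {
        $report.Warnings += "KMS client, but no _vlmcs._tcp SRV record in $domain and no KMS host configured."
    }
    return $report
}

Get-ActivationReport | Format-List
```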

Considerations for Consolidating Server Roles

Key Points

There are no specific guidelines for which server roles can be combined on the same server. The details of what is appropriate vary widely depending on how a server role is being used in a specific organization. The key is to ensure that a server resource does not become a bottleneck. For example, a file server with ten users may generate almost no disk I/O, while a file server with 500 users may experience disk I/O as a bottleneck.

Some rules of thumb for combining server roles are listed here:

• Avoid combining server roles that place a significant load on the same resource such as memory, disk I/O, the processor, or the network. For example, the Streaming Media Services role can place a significant load on all server resources and should not be combined with other roles in most circumstances.

• Avoid combining server roles with different security requirements, such as a domain controller and an external-facing Web server.

• Avoid combining server roles that experience peak utilization at the same time, such as a domain controller and a Dynamic Host Configuration Protocol (DHCP) server, both of which experience heavy utilization during morning logins.

• Consider combining domain controllers and DNS servers. This allows you to take advantage of Active Directory–integrated zones.

• Consider giving each application a separate server to simplify server maintenance.

The only way to accurately determine whether server roles can be combined is by monitoring performance. Monitor the servers that currently perform each role for a period of time, and then determine whether combining the roles would create a resource bottleneck.
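As an added example (not part of the course), this PowerShell script samples the four resources the rules of thumb name (processor, memory, disk I/O, network) on the local server over a period of time and flags any that look like a bottleneck before roles are combined. The threshold values are this example's own rough assumptions, not course guidance; for a longer baseline, use the MAP Performance Monitoring scenario or a Performance Monitor data collector set.

```powershell
# Added example (not from the course): sample server load and flag likely bottlenecks.
# Uses the Win32_PerfFormattedData_* WMI classes available on Windows Server 2008.

function Measure-ServerLoad {
    param(
        [int]$DurationSeconds = 300,
        [int]$IntervalSeconds = 15
    )
    $samples = @()
    $stopAt = (Get-Date).AddSeconds($DurationSeconds)
    while ((Get-Date) -lt $stopAt) {
        # Note: the very first read of rate-based counters may report zero
        $cpu  = Get-WmiObject -Class Win32_PerfFormattedData_PerfOS_Processor -Filter "Name='_Total'"
        $mem  = Get-WmiObject -Class Win32_PerfFormattedData_PerfOS_Memory
        $disk = Get-WmiObject -Class Win32_PerfFormattedData_PerfDisk_PhysicalDisk -Filter "Name='_Total'"
        $nics = Get-WmiObject -Class Win32_PerfFormattedData_Tcpip_NetworkInterface
        $samples += New-Object PSObject -Property @{
            Time           = Get-Date
            CpuPercent     = [int]$cpu.PercentProcessorTime
            AvailableMB    = [int]$mem.AvailableMBytes
            DiskQueue      = [int]$disk.AvgDiskQueueLength
            DiskPercent    = [int]$disk.PercentDiskTime
            NetBytesPerSec = [long](($nics | Measure-Object -Property BytesTotalPersec -Sum).Sum)
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
    return $samples
}

function Get-BottleneckSummary {
    param([object[]]$Samples)

    # Rough thresholds (assumptions): sustained CPU above 70%, less than 10% of RAM free,
    # average disk queue above 2 or disk busy above 80%, NIC above half of 100 Mbit/s.
    $totalMB = [int]((Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $cpu  = $Samples | Measure-Object -Property CpuPercent     -Average -Maximum
    $mem  = $Samples | Measure-Object -Property AvailableMB    -Average -Minimum
    $dq   = $Samples | Measure-Object -Property DiskQueue      -Average -Maximum
    $dpct = $Samples | Measure-Object -Property DiskPercent    -Average -Maximum
    $net  = $Samples | Measure-Object -Property NetBytesPerSec -Average -Maximum

    $flags = @()
    if ($cpu.Average -gt 70) {
        $flags += "Processor: average {0:N0}% busy" -f $cpu.Average
    }
    if ($mem.Minimum -lt ($totalMB * 0.10)) {
        $flags += "Memory: only $($mem.Minimum) MB of $totalMB MB free at the low point"
    }
    if ($dq.Average -gt 2 -or $dpct.Average -gt 80) {
        $flags += "Disk I/O: average queue {0:N1}, {1:N0}% busy" -f $dq.Average, $dpct.Average
    }
    if ($net.Average -gt (6.25 * 1MB)) {
        $flags += "Network: average {0:N1} MB/s" -f ($net.Average / 1MB)
    }

    New-Object PSObject -Property @{
        Samples        = $Samples.Count
        AvgCpuPercent  = [math]::Round($cpu.Average, 1)
        MinAvailableMB = $mem.Minimum
        AvgDiskQueue   = [math]::Round($dq.Average, 2)
        AvgNetMBps     = [math]::Round($net.Average / 1MB, 2)
        Bottlenecks    = $flags
        SafeToCombine  = ($flags.Count -eq 0)
    }
}

$load = Measure-ServerLoad -DurationSeconds 300 -IntervalSeconds 15
Get-BottleneckSummary -Samples $load | Format-List
```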

What Is the Microsoft Assessment and Planning Toolkit?

Key Points

The Microsoft Assessment and Planning Toolkit (MAP) is a solution accelerator that is available for download from Microsoft at no charge. It performs hardware inventory, compatibility analysis, and readiness reporting. The tool makes it easy for you to assess your current IT infrastructure and determine the right Microsoft technologies for your IT needs.

The Windows Server 2008 Deployment scenarios for MAP are:

• Windows Server 2008 Hardware Assessment. This scenario identifies which servers are capable of running Windows Server 2008 and prescribes the necessary hardware upgrades for those that are not. It also reports on the availability of device drivers from Microsoft. Current roles and applications are also identified.

• Security Assessment. This scenario performs an inventory of network clients and identifies security issues reported by Windows Security Center. It also reports on Network Access Protection readiness.

• Performance Monitoring. This scenario monitors performance of processor, network, and disk counters over an extended time period. This is typically used to identify virtualization candidates.

• Server Consolidation and Virtualization. This scenario uses data from the Performance Monitoring scenario to model the virtualization of servers onto a host.

For more information about MAP, see the Microsoft Assessment and Planning Toolkit page on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=160958&clcid=0x409.

Lesson 3 Performing a Single-Server Installation

When you install Windows Server 2008 in your organization, you need to consider whether you will be upgrading existing servers or installing new servers and migrating services and applications to the new servers. If you are implementing BitLocker™ Drive Encryption, you need to ensure that the server is properly configured to support it. You also need to consider driver compatibility and application compatibility with Windows Server 2008.

Objectives

After completing this lesson, you will be able to:

• Describe considerations for server upgrades.

• Describe considerations for server migrations.

• Describe the requirements for BitLocker.

• Describe the considerations for device drivers.

• Describe the considerations for application compatibility.

Considerations for Performing Server Upgrades

Key Points

Windows Server 2008 performs upgrades differently from previous versions of Windows Server. When you perform an in-place upgrade to Windows Server 2008, the new operating system is installed in parallel to the existing operating system. Then, the existing operating system is parsed for recognized settings, which are migrated into the new installation of Windows Server 2008.

After the upgrade to Windows Server 2008 is complete, it is not possible to roll back to the original operating system. However, if an error occurs during the upgrade, the operating system can be rolled back.

The main benefits of performing an upgrade are:

• Preservation of existing operating system settings when recognized. Any settings that are unrecognized will not be moved to the new installation.

• Preservation of existing applications and their settings when recognized. Applications should be tested to ensure that they are migrated properly.

• Downtime is limited to the installation of the operating system. There is no need to migrate large volumes of data between servers.

Some considerations for upgrading include:

• Upgrades to Windows Server 2008 can only be performed from Windows Server 2003 with SP1 or later, or from Windows Server 2003 R2.

• Itanium and Web editions cannot be upgraded.

• Upgrades can only be performed to the same edition or a higher edition. For example, Windows Server 2003 Standard edition can be upgraded to Windows Server 2008 Standard or Enterprise edition. Windows Server 2003 Enterprise edition can only be upgraded to Windows Server 2008 Enterprise edition. Only an existing Datacenter installation can be upgraded to Windows Server 2008 Datacenter.

• Upgrades can only be performed between the same processor architecture. For example, a 32-bit version of Windows Server 2003 can only be upgraded to a 32-bit version of Windows Server 2008.

• Upgrades must use the same language as the original installation.

• You cannot upgrade to a Server Core installation.

For more information about upgrading to Windows Server 2008, see Upgrading to Windows Server 2008 on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=160959&clcid=0x409.

Question: What is the biggest risk in performing an upgrade?

Considerations for Migrating to Windows Server 2008

Key Points

A migration occurs when you install Windows Server 2008 on new hardware and then move the services, applications, and data from an existing server to the new server. There is no downtime for services during the installation of Windows Server 2008, but there may be downtime for services when they are being migrated to the new server.

The main benefits of performing a migration are:

• A clean installation of a new operating system is typically more reliable than an upgrade of an existing operating system. Microsoft recommends using a clean installation whenever possible.

• The source server can be maintained for rollback even after the new server is in place. If the new server is not performing properly after implementation, you can go back to using the original server until the problem is resolved.

• You can perform testing on the new server before putting it into production. You can test applications and new configurations if required.

• You are not limited in how you move between operating system versions. You can migrate data or applications from Windows Server 2003 Enterprise Edition to Windows Server 2008 Standard.

• You are not limited by the processor architecture of the source and destination operating systems. You can migrate data or applications from a 32-bit operating system to a 64-bit operating system.

• You are not limited by the language configuration of the source and destination operating systems. You can migrate data or applications from a server running one language to a server running a different language.

• You can migrate supported data and applications to a Server Core installation. However, Server Core supports only a limited number of server roles.

Potential drawbacks to performing a server migration are:

• Data must be manually moved to the new server. Large file shares can take a significant amount of time to migrate.

• Applications must be reinstalled and properly configured on the new server. If no one on staff is familiar with the details of the application, this can be error prone.

• Clients must be redirected to use services on the new server. This may require that client computers be reconfigured manually in some cases, which is time consuming. However, you can redirect clients to new file shares by changing the drive letters mapped on the clients by using a logon script or Group Policy. In some cases, you can update a host record in DNS to point to the IP address of the new server.

For more information about migrating specific services to Windows Server 2008, see the Migrate to Windows Server 2008 page on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=166908&clcid=0x409.

Considerations for Implementing BitLocker

Key Points

BitLocker Drive Encryption is a feature in Windows Server 2008 that is used to encrypt the boot volume of the server (the volume with the operating system). Additional volumes, other than the system volume (the volume with ntldr), can also be encrypted.

In addition to providing basic file security, BitLocker ensures the integrity of the operating system. The operating system files on the boot volume are protected because they are encrypted when the server is not running. The files on the system partition are protected because a hash value is stored to ensure that there have been no unauthorized modifications. This hash value is verified during startup.

BitLocker requires:

• Separate boot and system volumes. The minimum size for the system volume is 1.5 GB. If you did not create two volumes during initial installation, you can use the BitLocker Drive Preparation Tool. This tool resizes the existing boot/system volume and then moves the system files to a newly created system volume to enable BitLocker.

• A Trusted Platform Module (TPM) version 1.2. BitLocker prevents someone from removing a hard drive from your server and gaining access to the data, because the encryption key is stored in the TPM in the server rather than on the drive. The TPM is a hardware component on the motherboard of the server that stores the key. Alternatively, you can store the encryption key on a USB drive, but this is less secure.
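As an added example (not part of the course), this PowerShell function checks the two prerequisites listed above on the local server: a TPM at specification version 1.2 that is enabled, activated and owned, and a system volume separate from the boot volume with at least 1.5 GB of capacity. It reads the Win32_Tpm class (root\cimv2\Security\MicrosoftTpm) and Win32_Volume; the wording of the findings is this example's own.

```powershell
# Added example (not from the course): BitLocker readiness check for Windows Server 2008.
# Run in an elevated PowerShell prompt on the server you intend to protect.

function Test-BitLockerReadiness {
    $findings = @()

    # TPM: the Win32_Tpm class is only present when a TPM exists and its driver is loaded
    try {
        $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction Stop
    } catch {
        $tpm = $null
    }
    $tpmVersion = $null
    if (-not $tpm) {
        $findings += 'No TPM detected (absent, disabled in the BIOS, or driver not loaded); only the less secure USB startup key option remains.'
    } else {
        # SpecVersion looks like "1.2, 2, 3"; the first token is the TPM specification version
        $tpmVersion = ($tpm.SpecVersion -split ',')[0].Trim()
        if ($tpmVersion -ne '1.2') {
            $findings += "TPM specification version is $tpmVersion; BitLocker on Windows Server 2008 requires 1.2."
        }
        if (-not $tpm.IsEnabled_InitialValue)   { $findings += 'TPM is not enabled in the BIOS.' }
        if (-not $tpm.IsActivated_InitialValue) { $findings += 'TPM is not activated in the BIOS.' }
        if (-not $tpm.IsOwned_InitialValue)     { $findings += 'TPM has no owner yet; BitLocker setup will take ownership.' }
    }

    # Volumes: the system volume holds the startup files, the boot volume holds Windows
    $volumes      = Get-WmiObject -Class Win32_Volume
    $systemVolume = $volumes | Where-Object { $_.SystemVolume } | Select-Object -First 1
    $bootVolume   = $volumes | Where-Object { $_.BootVolume }   | Select-Object -First 1
    $separate = [bool]($systemVolume -and $bootVolume -and ($systemVolume.DeviceID -ne $bootVolume.DeviceID))
    $systemGB = $null
    if ($systemVolume) { $systemGB = [math]::Round($systemVolume.Capacity / 1GB, 2) }

    if (-not $separate) {
        $findings += 'Startup files and Windows share one volume; run the BitLocker Drive Preparation Tool to create a separate system volume.'
    } elseif ($systemVolume.Capacity -lt 1.5GB) {
        $findings += "System volume is $systemGB GB; BitLocker needs at least 1.5 GB."
    }

    New-Object PSObject -Property @{
        TpmPresent           = [bool]$tpm
        TpmSpecVersion       = $tpmVersion
        SeparateSystemVolume = $separate
        SystemVolumeGB       = $systemGB
        Ready                = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

Test-BitLockerReadiness | Format-List
```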

For more information about BitLocker, see the BitLocker Drive Encryption page on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=166909&clcid=0x409.

Considerations for Device Drivers

Key Points

Whenever you update an existing server to a new operating system, you must ensure that device drivers are available for the new operating system to support the existing hardware. Before performing an upgrade, you should check with your hardware manufacturer to obtain drivers that are certified for Windows Server 2008. However, in many cases, a driver that worked in Windows Server 2003 will also work for Windows Server 2008.

Many organizations are implementing 64-bit versions of Windows Server 2008 to obtain the benefits of greater memory capacity. When you install a 64-bit operating system, you must have 64-bit device drivers for your hardware. In some cases, 64-bit device drivers will not be available for older hardware.

By default, Windows Server 2008 will not load unsigned 64-bit device drivers, even though it will accept them during the installation process. If you are unable to obtain signed device drivers, this requirement can be disabled by going into the Advanced Boot Options during startup and selecting Disable Driver Signature Enforcement. However, this is not recommended.

If you are buying new hardware, verify with the vendor that there are 64-bit drivers available before purchasing the new server. Most new servers have 64-bit drivers available from the manufacturer’s Web site.

Considerations for Application Compatibility

Key Points

Many applications that were designed to run on Windows Server 2003 are capable of running on Windows Server 2008. However, the User Account Control (UAC) feature in Windows Server 2008 may prevent some applications from running properly. Before you implement a new application server, check with the application vendor to ensure that it is supported on Windows Server 2008.

Windows Server 2008 stores some data in a different location than Windows Server 2003. Windows Server 2008 has directory junctions at the old directory names that redirect file requests to the new directory locations. For example, C:\Documents and Settings is now a junction point that points to C:\Users. Junction points work for most applications but not all, so ensure that your application functions properly before beginning an upgrade or migration.

Some key points to keep in mind when considering application compatibility are the following:

• When you upgrade a server to Windows Server 2008, an application compatibility check is performed. However, this check has a limited database of applications. You should manually verify that an application is capable of running on Windows Server 2008 by contacting the application’s vendor.

• It is possible to run 32-bit applications on a 64-bit operating system. This is done with Windows on Windows (WOW), similar to the mechanism that allows 32-bit versions of Windows to run 16-bit applications. However, you cannot run 16-bit applications on a 64-bit version of Windows Server 2008.

For more information, see the Application Considerations When Upgrading to Windows Server 2008 page on the TechNet Web site at http://technet.microsoft.com/en-us/library/cc771576(WS.10).aspx.

Lesson 4 Automating Windows Server 2008 Deployment

In a small organization, performing each server installation manually is a reasonable way to manage server installations. However, larger organizations may want to standardize and speed up installation by automating deployment. Depending on the existing infrastructure in your organization, you may choose to use the Windows Automated Installation Kit (WAIK), Windows Deployment Services (WDS), or the Microsoft Deployment Toolkit (MDT).

Objectives

After completing this lesson, you will be able to:

• Describe the considerations for automated deployments.

• Describe the considerations for using WAIK.

• Create an answer file.

• Describe the considerations for using WDS.

• Describe the purpose of MDT.

Considerations for Automated Deployment

Key Points

An automated deployment is an installation in which user input is limited or not required during the installation of Windows Server 2008. An automated deployment can be performed in several different ways. The method you select will be based on your needs and your existing infrastructure. Methods available for automated deployment include answer files, Windows Deployment Services, and the Microsoft Deployment Toolkit.

The main benefits of automated deployment are:

• Consistent configuration. When the deployment process is automated, you know that the operating system on each new server is configured in exactly the same way. This helps avoid configuration problems and is very useful for larger organizations with multiple servers.

• Faster deployment. After the deployment process has been developed, it is very fast to deploy new servers. The time required varies depending on the deployment process, but in some cases, deployment may take only 15 minutes.

The main disadvantages of automated deployment are:

• Difficulty customizing configuration. The standard configuration created by an automated deployment process may not be suitable for all servers. The automatically deployed server must then be customized after installation.

• Slowness of creation and testing of the deployment process compared with the manual installation of a single server. In a smaller organization with only a few servers, it may take longer to create and test an automated deployment process than it would to perform several server installations.

What Is WAIK?

Key Points

The Windows Automated Installation Kit (WAIK) includes a number of tools to simplify the deployment of Windows Vista SP1 and Windows Server 2008 through automation. The two main tools included with WAIK are:

• Windows System Image Manager (WSIM). This tool is used to create answer files that are used to perform unattended installations. The answer file contains instructions used during the installation process. Any information that is normally provided interactively during the installation can be placed in the answer file instead.

• ImageX. This tool is used to perform imaging of the operating system. After an initial installation is performed, the operating system is configured as you would like it with appropriate applications and updates. Then you use sysprep to generalize the operating system before using ImageX to create an image of the operating system. To save disk space, the Windows Imaging (WIM) images created by ImageX can contain multiple images, and files that are common between the images are only stored once in the WIM file. Images can also be mounted and modified offline.

WAIK also includes a large amount of documentation to help you develop an automated installation. Some of the documentation includes:

• Windows Setup Technical Reference. This document provides information about how setup.exe performs installations and how the installation can be automated by using an answer file.

• Windows System Image Manager Technical Reference. This document describes how to use WSIM to create answer files that can be used to perform unattended installations.

• ImageX Technical Reference. This document describes how to use ImageX to perform imaging operations.

• Sysprep Technical Reference. This document describes how to use sysprep to prepare an operating system for imaging or for delivery to a customer.

• Package Manager Technical Reference. This document describes how to perform offline maintenance of a Windows image.

For more information about WAIK, see the Windows Automated Installation Kit (Windows AIK) User's Guide page on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=160964&clcid=0x409.

Demonstration: Creating an Answer File

An answer file for an automated installation is created by using the Windows System Image Manager. The settings you can select are based on a catalog file that is included on the Windows Server 2008 installation media. You can also create a new catalog file based on a WIM file.

There are seven possible passes during setup that can be automated:

• windowsPE. This pass automates installation controlled by WindowsPE during the first stage of installation. Disk partitioning is possible at this stage.

• offlineServicing. This pass is used to apply settings to an existing WIM file offline. You can add Windows packages such as language packs.

• generalize. This pass is used to apply settings when the operating system is being generalized by sysprep.

• specialize. This pass is used to apply settings either during a regular installation or when a sysprepped operating system is being configured.

• auditSystem. This pass is used to install device drivers in a generalized operating system before it is specialized. This is a way to update an existing generalized operating system.

• auditUser. This pass is used to install applications in a generalized operating system before it is specialized. This is a way to update an existing generalized operating system.

• oobeSystem. This pass automates the Out-of-Box Experience (Windows Welcome).

For more information about the Windows Setup configuration passes, see the Windows Setup Configuration Passes section of the Unattended Windows Setup Reference.

High-level steps:

1. Open Windows System Image Manager.

2. Select a catalog file.

3. Create a new answer file.

4. Add the desired settings to the answer file.

5. Save the answer file.
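An answer file saved by WSIM is plain XML, so it can be reviewed before it is handed to Windows Setup. The following Python script is an added example, not code from the course or from WSIM: it lists the configuration passes an answer file uses, flags any pass name that is not one of the seven passes described above, and reports every password element left with PlainText set to true. The sample answer file, its computer name, account name and password values are constructed for illustration.

```python
"""Inspect a Windows Setup answer file (unattend.xml) for the configuration
passes it uses and for passwords stored in clear text.

Added example, not part of the course handbook.  The sample answer file is
constructed; its structure follows the Unattended Windows Setup Reference.
"""
import xml.etree.ElementTree as ET

# The seven configuration passes Windows Setup can run.
VALID_PASSES = {
    "windowsPE", "offlineServicing", "generalize", "specialize",
    "auditSystem", "auditUser", "oobeSystem",
}

NS = {"u": "urn:schemas-microsoft-com:unattend"}

# Constructed sample answer file.  It contains one deliberate mistake (a
# <settings> pass that Windows Setup does not know) and one Administrator
# password stored with <PlainText>true</PlainText>.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-International-Core-WinPE"
               processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <UILanguage>en-US</UILanguage>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <ComputerName>SRV-EXAMPLE</ComputerName>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <UserAccounts>
        <AdministratorPassword>
          <Value>ExamplePassw0rd</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Name>svc-backup</Name>
            <Group>Administrators</Group>
            <Password>
              <Value>PLACEHOLDER-ENCODED-VALUE</Value>
              <PlainText>false</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
  <settings pass="postInstall">
  </settings>
</unattend>
"""


def list_passes(xml_text):
    """Pass names on the <settings> elements, in file order."""
    root = ET.fromstring(xml_text)
    return [s.get("pass") for s in root.findall("u:settings", NS)]


def unknown_passes(xml_text):
    """Pass names that are not one of the seven Windows Setup passes."""
    return [p for p in list_passes(xml_text) if p not in VALID_PASSES]


def plaintext_passwords(xml_text):
    """(pass, element name) for every AdministratorPassword or Password
    element whose <PlainText> child is true.  A value with PlainText false
    is only encoded, not protected, so the file is sensitive either way."""
    root = ET.fromstring(xml_text)
    findings = []
    for settings in root.findall("u:settings", NS):
        for elem in settings.iter():
            tag = elem.tag.split("}")[-1]          # strip the namespace
            if tag not in ("AdministratorPassword", "Password"):
                continue
            plain = elem.find("u:PlainText", NS)
            if plain is not None and (plain.text or "").strip().lower() == "true":
                findings.append((settings.get("pass"), tag))
    return findings


if __name__ == "__main__":
    print("passes:", list_passes(SAMPLE_UNATTEND))
    print("unknown passes:", unknown_passes(SAMPLE_UNATTEND))
    print("clear-text passwords:", plaintext_passwords(SAMPLE_UNATTEND))
```

Run against the answer files you keep for deployment, and treat any hit from plaintext_passwords as a reason to rotate that password and to restrict who can read the file.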

Considerations for Using Windows Deployment Services (WDS)

Key Points

Windows Deployment Services (WDS) is a Windows Server 2008 tool that is used to automate the deployment of Windows operating systems. Deployment can be done with image files or by using an unattended installation.

When using WDS, keep the following considerations in mind:

• By using WDS, you gain centralized administration over operating system installations. You can trigger imaging operations from a single central location rather than at each computer. When a large number of servers or client computers are being installed, WDS helps simplify the process.

• In most cases, you will use Pre-Boot Execution Environment (PXE) to connect the computers with the WDS server. This requires that your computers support PXE booting. PXE booting is a common feature in current computers, but it must be enabled in the BIOS. DHCP is used during the PXE boot process and must be properly configured.

• WDS is also capable of using multicasts for imaging. With multicasting, multiple computers can be imaged in the same amount of time as a single computer, because each image is received by multiple computers at the same time. Network routers must be configured to allow multicasting. Many organizations disable multicasting on routers.

• When a computer boots from PXE, a Windows PE boot image is downloaded to memory and used to perform the imaging process. The Windows PE boot image that is downloaded must have support for the network adapter in the computer being imaged.

For more information about WDS, see Module 4: “Using Windows Deployment Services” in Course 6418B, Deploying Windows Server 2008.

What Is the Microsoft Deployment Toolkit?

Key Points

Microsoft Deployment Toolkit (MDT) provides technology for deploying Windows operating systems, the 2007 Microsoft Office system, and Microsoft Office 2003. Microsoft Deployment is the next version of Business Desktop Deployment (BDD) 2007. However, the larger focus of Microsoft Deployment is on methodology and best practices. By following the guidance in Microsoft Deployment, teams are putting into action proven best practices that Microsoft uses in its own development projects and that are based on the Microsoft Solutions Framework (MSF).

MDT shows you how to use the new deployment tools together as part of an end-to-end deployment process. MDT also provides tools and scripts to increase automation and lower costs, as well as leveraging and enhancing other Microsoft tools and products.

Server Deployment Challenges

Server deployment introduces some unique challenges beyond those presented by workstation deployment. Hardware configurations are often more complicated, and network configuration may involve static IP addresses, multiple network adapters, and advanced network components, such as TCP/IP offloading, Network Load Balancing, and clustering.

Server operating system configuration is more complex than workstation operating system configuration. For example, server disk configuration is complicated, as it involves redundant array of independent disks (RAID) controllers, original equipment manufacturer (OEM) configuration partitions, and Storage Area Network (SAN) configurations. Correct server role installation and configuration is very important, security is crucial, and upgrades are more common in some scenarios.

MDT Deployment Approaches

MDT provides guidance for the following types of deployment:

• Zero Touch Installation (ZTI) deployment for Microsoft System Center Configuration Manager (SCCM) 2007. If the organization has an existing System Center Configuration Manager infrastructure, teams can use that infrastructure to capture the reference operating system image and efficiently deploy it to client computers.

• ZTI deployment for Systems Management Server (SMS) 2003. If the organization has an existing Systems Management Server 2003 infrastructure, use ZTI deployment to capture the reference operating system image, and then deploy it using Systems Management Server 2003.

• Lite Touch Installation (LTI) deployment. If the organization does not have a System Center Configuration Manager or Systems Management Server 2003 infrastructure, teams can use the LTI process to capture reference operating system images, and then deploy them across the network.

Question: Why would you use MDT in addition to WAIK or WDS?

Lab: Planning a Windows Server 2008 Deployment

Note: Your instructor may run this lab as a class discussion.

A. Datum Corporation has a single head office with a single datacenter that hosts all servers. The servers in the datacenter are running a mix of Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2. The organization has entered into a new volume licensing agreement with Microsoft that allows all servers to be updated to Windows Server 2008.

Exercise 1: Creating a Planning Flowchart for a Windows Server 2008 Deployment

Scenario

You have been tasked with creating a flowchart to help the IT staff in A. Datum Corporation decide how to upgrade or migrate individual servers to Windows Server 2008. This flowchart needs to help determine how the process is accomplished and which edition of Windows Server 2008 will be used.

Sara Davis, the IT manager, has provided some information about what she expects the flowchart to include and how to approach the task.

The main tasks for this exercise are as follows:

1. Read the supporting documentation.

2. Create the flowchart.

Task 1: Read the supporting documentation

Supporting Documentation

E-mail thread of correspondence with Sara Davis:

Gregory Weber
From: Sara Davis [[email protected]]
Sent: 18 July 2009 11:30
To: [email protected]
Subject: Re: Server Upgrade Flowchart

Greg,

I don’t have a lot of preconceived notions about how this should be put together. I just know that we need some sort of tool to help us in our decision-making process during the upgrades. I’d rather have one person (you) do the research and planning once than have the process repeated each time we do a server upgrade. Since we’ve entered into the new volume licensing agreement, it makes sense to implement Windows Server 2008 whenever possible.

I don’t have a complete list of criteria that need to be taken into account. You’ll need to determine what is appropriate. However, some of the criteria I was thinking of are:

• 32-bit vs. 64-bit

• Upgrade vs. migrate

• Application compatibility

The best way to approach this project is to generate a list of relevant criteria for the decision-making process. Then you can arrange them into a flowchart that represents the decision-making process.

In some cases, we’ll have new hardware. In some cases, we won’t have new hardware. Your flowchart will need to take into account both situations.

Regards,

Sara.

----- Original Message -----
From: Gregory Weber [[email protected]]
Sent: 18 July 2009 10:01
To: [email protected]
Subject: Server Upgrade Flowchart

Sara,

I would like to confirm some of the details regarding the flowchart assignment you gave me in the meeting this morning. As I understand it, you would like others on the team to be able to use this flowchart to determine how any given server in our organization can be updated to using Windows Server 2008. Is this correct?

Do you have any specific criteria that you think need to be taken into account?

Are there any assumptions I can make about new hardware?

Regards,

Greg

Task 2: Create the flowchart

1. On a piece of paper, generate a list of relevant criteria that must be considered during the upgrade or migration process.

2. Use the list of criteria you have generated to create a flowchart for determining whether to upgrade or migrate.

3. Use the list of criteria you have generated to create a flowchart for determining which edition of Windows Server 2008 you should use.

4. Use the list of criteria you have generated to create a flowchart for determining whether to use a 32-bit or 64-bit operating system.

Results: After this exercise, you should have created flowcharts to help to determine how to upgrade or migrate an existing server to Windows Server 2008.

Exercise 2: Planning a Windows Server 2008 Deployment

Scenario

Several servers in the A. Datum Corporation datacenter have been identified as the first candidates for migration to Windows Server 2008. For each of these servers, you must determine the process to be used.

The main tasks for this exercise are as follows:

1. Create a deployment plan for the archive file server.

2. Create a deployment plan for the main file server.

3. Create a deployment plan for the antivirus server.

4. Create a deployment plan for the human resources application server.

Gregory Weber
From: Alan Steiner [[email protected]]
Sent: 22 July 2009 09:05
To: [email protected]
Subject: Re: First batch of server upgrades to Windows Server 2008
Attachments: Archive File Server.docx; Main File Server.docx; Antivirus Server.docx; Human Resources Application Server.docx

Greg,

I’ve attached a document for each server. It includes the relevant information we’ve documented for each server as well as the questions we need answered to perform the upgrade or migration.

Regards

Alan.

----- Original Message -----
From: Gregory Weber [[email protected]]
Sent: 20 July 2009 08:45
To: [email protected]
Subject: First batch of server upgrades to Windows Server 2008

Alan,

We’re going to be doing some server upgrades to Windows Server 2008 soon. Can you please send me the analysis that you performed on the archive file server, main file server, antivirus server, and human resources application server?

Thanks.

Greg

Deployment Plan: Archive File Server

Document Reference Number: GW0688/1

Document Author: Gregory Weber

Date: 20th July

Requirement Overview

This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the more efficient file-sharing protocols in Windows Server 2008.

The archive file server is used to store older data that is accessed only occasionally. Extended outages are possible with notification.

It is used only as a file server. It has no other functions.

The hardware is relatively new, and no new hardware has been allocated for this server.

Additional Information

This server is currently running a 32-bit version of Windows Server 2003 R2.

Proposals

1. Will this server be upgraded on existing hardware or migrated to new hardware?

2. Which edition of Windows Server 2008 will be used?

3. Will 32-bit or 64-bit Windows Server 2008 be used?

Deployment Plan: Main File Server

Document Reference Number: GW0689/1

Document Author: Gregory Weber

Date: 20th July

Requirement Overview

This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the more efficient file-sharing protocols in Windows Server 2008.

The main file server is mission critical and cannot be taken out of production during business hours. Downtime must be limited to less than one day.

It is used only as a file server. It has no other functions.

This server should support cross-file replication for DFS. This may be implemented in the future to support remote offices, and the cross-file replication will reduce synchronization traffic on the WAN.

Data for this file server is stored on a Fibre Channel Storage Area Network (SAN).

New hardware has been allocated for this server if required.

Additional Information

Clients access this file server through mapped drive letters that are created by a logon script.

Proposals

1. Will this server be upgraded on existing hardware or migrated to new hardware?

2. Which edition of Windows Server 2008 will be used?

3. Will 32-bit or 64-bit Windows Server 2008 be used?

4. How will downtime be minimized?

Deployment Plan: Antivirus Server

Document Reference Number: GW0690/1

Document Author: Gregory Weber

Date: 25th July

Requirement Overview

This server is to be upgraded or migrated to Windows Server 2008 to standardize the server operating systems.

The antivirus server can experience an outage of 24 hours without impacting clients.

New hardware has been allocated for this server.

Additional Information

The antivirus application has not been tested by the vendor in 64-bit environments and is not supported in 64-bit environments.

Proposals

1. Will this server be upgraded on existing hardware or migrated to new hardware?

2. Which edition of Windows Server 2008 will be used?

3. Will 32-bit or 64-bit Windows Server 2008 be used?

Deployment Plan: Human Resources Application Server

Document Reference Number: GW0691/1

Document Author: Gregory Weber

Date: 25th July

Requirement Overview

This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the performance improvements in IIS 7.

The existing server is consistently short on memory, and a new server with 8 GB of memory has been allocated to address this.

The application data is also stored on this server and must be taken into account.

There can be no downtime during business hours.

The new server should support failover clustering, as it is being considered for the future.

Additional Information

None

Proposals

1. Will this server be upgraded on existing hardware or migrated to new hardware?

2. Which edition of Windows Server 2008 will be used?

3. Will 32-bit or 64-bit Windows Server 2008 be used?

4. What process will you use to minimize downtime?

Task 1: Create a deployment plan for the archive file server

1. Read the supporting documentation for the archive file server.

2. Update the proposal document by answering the questions.

Task 2: Create a deployment plan for the main file server

1. Read the supporting documentation for the archive file server.

2. Update the proposal document by answering the questions.

Task 3: Create a deployment plan for the antivirus server

1. Read the supporting documentation for the archive file server.

2. Update the proposal document by answering the questions.

Task 4: Create a deployment plan for the human resources application server

1. Read the supporting documentation for the archive file server.

2. Update the proposal document by answering the questions.

Results: After this exercise, you should have created a deployment plan for the archive file server, the main file server, the antivirus server, and the human resources application server.

Module Review and Takeaways

Review Questions

1. Why is change management important when deploying Windows Server 2008?

2. When selecting a version of Windows Server 2008, which factors should you take into account?

3. Is it better to upgrade an existing server or migrate to new hardware?

4. In which situations is automated deployment preferred to a manual installation?

Common Issues Related to Deploying Windows Server 2008

Identify the causes for the following common issues related to Windows Server 2008, and fill in the troubleshooting tips. For answers, refer to the relevant lessons in the module.

Issue Troubleshooting Tip

Application incompatibility

Device driver availability

Servers requiring activation

Real-World Issues and Scenarios

1. You want to install Windows Server 2008 as a host for virtualization. This server will host three virtual machines. Which is the most cost-effective version of Windows Server 2008 to obtain?

2. You have a line-of-business application that runs on a 32-bit server with Windows Server 2003 Standard Edition. You would like to migrate this server to a 64-bit edition of Windows Server 2008 to take advantage of increased memory. What process should you use to ensure that downtime is limited?

3. You are deploying Windows Server 2008 on ten servers in three locations. To simplify documentation and management, you would like all ten servers to have the same configuration. How does automating server deployment help to ensure that the configuration is the same for all ten servers?

Best Practices Related to Windows Server 2008 Deployment

Supplement or modify the following best practices for your own work situations:

• Remember to consider CALs when upgrading to Windows Server 2008.

• In virtualized environments, consider using Windows Server 2008 Datacenter to simplify server licensing.

• Choose a 64-bit version of Windows Server 2008 if necessary drivers and software are compatible. This also helps with greater memory access.

• When possible, perform a migration to Windows Server 2008 rather than an upgrade.

• When deploying Windows Server 2008 to multiple computers, consider the use of automated deployment.

Tools

Tool: Microsoft Solution Accelerators
Use for: Obtaining tools and guidance for deploying Microsoft technologies
Where to find it: On the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=165474&clcid=0x409

Tool: Microsoft Assessment and Planning Toolkit
Use for: Identifying whether your organization is ready to deploy Windows Server 2008
Where to find it: On the Microsoft Assessment and Planning Toolkit page on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=160958&clcid=0x409

Tool: Windows Automated Installation Kit
Use for: Automating the installation of Windows Server 2008
Where to find it: On the Automated Installation Kit (AIK) for Windows Vista SP1 and Windows Server 2008 page on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=165476&clcid=0x409

Tool: Windows Deployment Services
Use for: Centrally creating and deploying Windows Server 2008 images
Where to find it: A server role in Windows Server 2008

Tool: Microsoft Deployment Toolkit
Use for: Planning and performing automated installations of Windows Server 2008
Where to find it: On the Microsoft Deployment Toolkit page on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=165477&clcid=0x409

Module 2 Planning Network Infrastructure for Windows Server® 2008

Contents:

Lesson 1: Planning IPv4 Addressing 2-3

Lesson 2: Planning for Name Resolution Services 2-14

Lesson 3: Determining the Need for WINS 2-27

Lesson 4: Planning a Perimeter Network 2-37

Lesson 5: Planning an IPv4 to IPv6 Transition Strategy 2-42

Lab: Planning Network Infrastructure for Windows Server 2008 2-50

Module Overview

Network infrastructure services play an important role in providing the foundation for additional, higher-level services, such as Active Directory® directory service, and for applications, such as messaging and database systems. It is vital that you plan the deployment of these foundation services with great care to ensure the smooth running of mission-critical applications.

Objectives

After completing this module, you will be able to:

• Plan an IPv4 addressing strategy.

• Plan the deployment and configuration of DNS servers.

• Determine how to handle NetBIOS names within your organization.

• Place appropriate servers in your perimeter network.

• Plan an IPv4 to IPv6 transition strategy.


Lesson 1 Planning IPv4 Addressing

In order to properly implement network services, it is important that you have a thorough understanding of IPv4 addressing. Good understanding of IPv4 addressing enables you to make appropriate decisions about the configuration and placement of network servers within your IPv4 infrastructure.

Objectives

After completing this lesson, you will be able to:

• Describe an IP subnet.

• Plan an IPv4 addressing scheme.

• Select an appropriate IPv4 addressing scheme

• Plan the implementation of DHCP Servers.

• Allocate IPv4 addresses by using DHCP.


What Is a Subnet?

Key Points

A subnet is a network's physical segment, which a router or routers separate from the rest of the network. When your Internet service provider (ISP) assigns your network a Class A, B, or C address range, you often must subdivide the range to match your network's physical layout. You subdivide a large network into logical subnets.

When you subdivide a network into subnets, you create a unique ID for each subnet, which you derive from the main network ID. To create subnets, you must allocate some of the bits in the host ID to the network ID, which enables you to create more networks.


By using subnets, you can:

• Use a single Class A, B, or C network across multiple physical locations.

• Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.

• Overcome limitations of current technologies, such as exceeding the maximum number of hosts that each segment can have. For example, Ethernet can have no more than 1,024 hosts on a network. However, dividing the segment into further segments increases the total number of allowable hosts.

The address classes and their default subnet masks are:

Class  First octet  Default subnet mask  Number of networks  Number of hosts per network
A      1-127        255.0.0.0            126                 16,777,214
B      128-191      255.255.0.0          16,384              65,534
C      192-223      255.255.255.0        2,097,152           254

A subnet mask specifies which part of an IPv4 address is the network ID and which is the host ID. A subnet mask has four octets, similar to an IPv4 address.

In simple IPv4 networks, the subnet mask defines full octets as part of the network ID and host ID. A 255 represents an octet that is part of the network ID, and a 0 represents an octet that is part of the host ID.

In complex networks, you might subdivide one octet so that some of its bits belong to the network ID and some to the host ID. Classless addressing, or Classless Inter-Domain Routing (CIDR), is the use of more or less than a whole octet for the network part. This type of subnetting uses a different notation, which the following example shows:

172.16.16.1/255.255.240.0

The following example shows the more common representation of classless IPv4 addressing:

172.16.16.1/20

The /20 states how many bits of the mask are network (subnet) bits: 20 leading one bits, which is the mask 255.255.240.0 written out in full. This notation is known as Variable Length Subnet Masking (VLSM).


Private IP addresses are commonly used for local area networks (LANs). These private address ranges are not routed on the global Internet, so an organization that needs a private address space can use them without approval from an ISP.

Private address ranges include:

Class  Mask            Range
A      10.0.0.0/8      10.0.0.0-10.255.255.255
B      172.16.0.0/12   172.16.0.0-172.31.255.255
C      192.168.0.0/16  192.168.0.0-192.168.255.255

Additional Reading

• For more information, see Address Allocation for Private Internets: http://go.microsoft.com/fwlink/?LinkID=163880&clcid=0x409


Planning an IPv4 Addressing Scheme

Key Points

In order to select an appropriate addressing scheme for your organization, you must:

• Choose whether to use public or private IPv4 addresses.

• Calculate the number of subnets required. Determine how many subnets your network needs, then find the number of subnet bits by using the formula 2^n, where n is the number of bits: the result must be at least the number of subnets that your network requires.

• Calculate the number of hosts in each subnet. Find the number of host bits required by using the formula 2^n-2, where n is the number of bits; the two addresses subtracted are the subnet address (all host bits zero) and the broadcast address (all host bits one), which cannot be assigned to hosts.

• Select an appropriate subnet mask or masks.


When you have determined these factors, you must then:

• Calculate the subnet addresses. To determine subnet addresses quickly, you can use the lowest-value bit in the subnet mask. For example, if you choose to subnet the network 172.16.0.0 by using 3 bits, you would use 255.255.224.0 as the subnet mask. The decimal 224 is 11100000 in binary, and its lowest set bit has a value of 32, so 32 is the increment between successive subnet addresses in that octet (172.16.0.0, 172.16.32.0, 172.16.64.0, and so on).

• Determine the range of host addresses within each subnet. You can calculate each subnet's range of host addresses by using the following process: the first host address is one higher than the subnet ID, and the last host address is two lower than the next subnet ID (the address immediately below the next subnet ID is the current subnet's broadcast address).

• Implement the planned addressing scheme.
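The planning steps above, carried through in code as an added example (this is not code from the handbook or from Microsoft). It uses the text's own case, 172.16.0.0/16 subnetted with 3 bits, and generalizes it to any network and bit count; the helper names subnet_bits_for, host_bits_for and plan_subnets are hypothetical, and Python's standard ipaddress module does the address arithmetic.

```python
"""Added worked example (not from the course): the subnet-planning steps in code.

Uses the handbook's own case, 172.16.0.0/16 subnetted with 3 bits; the helper
names below are hypothetical, and Python's standard ipaddress module does the
address arithmetic.
"""
import ipaddress


def subnet_bits_for(required_subnets):
    """Smallest n with 2**n >= required_subnets (the 2^n rule)."""
    n = 0
    while 2 ** n < required_subnets:
        n += 1
    return n


def host_bits_for(required_hosts):
    """Smallest n with 2**n - 2 >= required_hosts (the 2^n - 2 rule).

    Two host IDs are never usable: all zeros is the subnet address and all
    ones is the subnet broadcast address, so start from two bits.
    """
    n = 2
    while 2 ** n - 2 < required_hosts:
        n += 1
    return n


def plan_subnets(network, subnet_bits):
    """Carve `network` into 2**subnet_bits subnets; report mask, increment and
    the first/last host of each subnet, following the handbook's procedure."""
    base = ipaddress.IPv4Network(network)          # raises if host bits are set
    new_prefix = base.prefixlen + subnet_bits
    if new_prefix > 30:
        raise ValueError("fewer than two usable hosts per subnet")
    mask_int = int(ipaddress.IPv4Network(f"0.0.0.0/{new_prefix}").netmask)
    # The lowest set bit of the mask is the increment between subnet addresses:
    # 255.255.224.0 -> 224 = 11100000b -> lowest bit is worth 32 in that octet.
    increment_addr = ipaddress.IPv4Address(mask_int & -mask_int)
    increment = max(int(octet) for octet in str(increment_addr).split("."))
    subnets = []
    for sn in base.subnets(new_prefix=new_prefix):
        subnets.append({
            "subnet": str(sn.network_address),
            "first_host": str(sn.network_address + 1),   # subnet ID + 1
            "last_host": str(sn.broadcast_address - 1),  # next subnet ID - 2
            "broadcast": str(sn.broadcast_address),
            "usable_hosts": sn.num_addresses - 2,
        })
    return {
        "mask": str(ipaddress.IPv4Address(mask_int)),
        "prefix": new_prefix,
        "increment": increment,
        "subnets": subnets,
    }


if __name__ == "__main__":
    # Planning inputs: how many subnets and how many hosts per subnet are needed.
    print("subnet bits for 6 subnets:", subnet_bits_for(6))
    print("host bits for 100 hosts:", host_bits_for(100))
    plan = plan_subnets("172.16.0.0/16", 3)
    print(f"mask {plan['mask']} (/{plan['prefix']}), increment {plan['increment']}")
    for sn in plan["subnets"]:
        print(f"{sn['subnet']:<14} {sn['first_host']:<14} {sn['last_host']:<15} "
              f"{sn['usable_hosts']} hosts")
```

Running the script lists the eight /19 subnets of 172.16.0.0/16 with mask 255.255.224.0 and increment 32, each with 8,190 usable hosts; changing the two inputs to plan_subnets recomputes the scheme for any other network.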


Discussion: Selecting an Appropriate IPv4 Addressing Scheme

Key Points

Question: Contoso.com has implemented IPv4 throughout the organization. It is currently implementing a new head office building. The office will host 5,000 computers distributed fairly evenly across 10 floors of these offices. What address class would suit this scenario?

Question: Analysis of the network traffic at the existing head office shows that the maximum number of hosts per subnet should be around 100. How many subnets are required, and assuming a network address for the whole site of 172.16.0.0, what mask should you use to ensure sufficient support for the required subnets?


Question: Assuming the network address for the head office is 172.16.0.0/19, what mask would you assign to each subnet?

Question: How many hosts can you have in each subnet based on your selected mask?

Question: Assuming you implement the mask you determined for each subnet, what would the first subnet address be?

Question: What are the first and last host addresses for the first subnet?


Planning the Deployment of DHCP Servers

Key Points

You can configure static IPv4 configuration manually for each of your network's computers. IPv4 configuration includes:

• IPv4 address

• Subnet mask

• Default gateway

• DNS server

Static configuration requires that you visit each computer and input the IPv4 configuration. This method of computer management becomes very time-consuming if your network has more than 20 users. Additionally, making a large number of manual configurations increases the risk that mistakes will occur.


DHCPv4 enables you to assign automatic IPv4 configuration for large numbers of computers without having to assign each one individually. The DHCP service receives requests for IPv4 configuration from computers that you configure to obtain an IPv4 address automatically, and assigns IPv4 information from scopes that you define for each of your network’s subnets. The DHCP service identifies the subnet from which the request originates, and assigns IP configuration from the relevant scope.

Considerations for Planning DHCP Servers

In order to provide continued IPv4 functionality, the DHCP server must remain online at all times to service renewal requests. To increase the availability of the addressing service, consider deploying multiple DHCP servers.

When deploying DHCP servers, consider the following factors:

• DHCP servers do not communicate with one another. Therefore, if you configure duplicate or overlapping scopes on the servers, duplicate IP addresses could be allocated, leading to network problems. Consider using the 80/20 rule to help to address this issue.

• Routers do not typically forward the broadcast packets used by DHCP clients during the initial configuration and renewal phases. Therefore, it is necessary to implement additional functionality or protocols in order to ensure that client computers that reside within subnets with no local DHCP server can still obtain an IP address dynamically.

• The DHCP service is disk intensive. Consequently, you must implement DHCP on servers with an optimized disk subsystem.

• Use shorter lease durations where there is a shortage of addresses available in a pool.


Demonstration: Allocating IPv4 Addresses with DHCP

Key Points

• Deploy an additional DHCP server in the adatum.com domain.

• Authorize the server in Active Directory.

• Create the necessary scopes to support the 80/20 rule for two subnets.

High-level steps:

• Deploy the DHCP server role on the SEA-SVR1 server.

• Create an IPv4 scope on SEA-SVR1 that provides 80 percent of the IPv4 addresses for subnet 1; the remainder is excluded from allocation.

• Create a second IPv4 scope that provides 20 percent of the IPv4 addresses for subnet 2; the remainder is excluded from allocation.

Question: Why is it important to authorize DHCP servers?
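The 80/20 scope layout from the considerations and the demonstration above, worked out in code as an added example (not code from the handbook or a Windows DHCP API). The subnets 192.168.1.0/24 and 192.168.2.0/24 are constructed for the example, and plan_80_20, allocation_overlap and scopes_for_server are hypothetical helper names; the overlap check is the part a practitioner would run against a planned configuration, since DHCP servers do not coordinate and overlapping leasable ranges produce duplicate addresses.

```python
"""Added worked example (not from the course): laying out DHCP scopes under the
80/20 rule so that two servers never lease the same address.

Subnet addresses are constructed for the example; plan_80_20, allocation_overlap
and scopes_for_server are hypothetical helper names, not Windows DHCP APIs.
"""
import ipaddress


def plan_80_20(subnet, primary_share=80):
    """Both servers define the whole address pool of `subnet`; each excludes the
    portion its partner hands out, so the leasable ranges never overlap."""
    net = ipaddress.IPv4Network(subnet)
    first = net.network_address + 1          # lowest host address
    last = net.broadcast_address - 1         # highest host address
    usable = net.num_addresses - 2
    primary_count = usable * primary_share // 100
    if not 0 < primary_count < usable:
        raise ValueError("share leaves one server with nothing to allocate")
    split = first + primary_count - 1        # last address leased by the primary
    return {
        "pool": (str(first), str(last)),
        "primary": {"allocates": (str(first), str(split)),
                    "excludes": (str(split + 1), str(last))},
        "secondary": {"allocates": (str(split + 1), str(last)),
                      "excludes": (str(first), str(split))},
    }


def allocation_overlap(scope_a, scope_b):
    """Return the range both servers could lease, or None when the scopes are
    disjoint. A non-empty result means duplicate addresses are possible,
    because DHCP servers do not coordinate with one another."""
    a_lo, a_hi = (ipaddress.IPv4Address(x) for x in scope_a["allocates"])
    b_lo, b_hi = (ipaddress.IPv4Address(x) for x in scope_b["allocates"])
    lo, hi = max(a_lo, b_lo), min(a_hi, b_hi)
    return (str(lo), str(hi)) if lo <= hi else None


def scopes_for_server(plans, primary_for):
    """Scopes one server carries: the 80% side of each subnet it is primary for,
    the 20% side of the others (as in the demonstration, where one server
    serves 80% of subnet 1 and 20% of subnet 2)."""
    return {subnet: plan["primary"] if subnet in primary_for else plan["secondary"]
            for subnet, plan in plans.items()}


if __name__ == "__main__":
    plans = {s: plan_80_20(s) for s in ("192.168.1.0/24", "192.168.2.0/24")}
    svr1 = scopes_for_server(plans, primary_for={"192.168.1.0/24"})
    dc1 = scopes_for_server(plans, primary_for={"192.168.2.0/24"})
    for subnet in plans:
        print(subnet, "SVR1 leases", svr1[subnet]["allocates"],
              "DC1 leases", dc1[subnet]["allocates"],
              "overlap:", allocation_overlap(svr1[subnet], dc1[subnet]))
```

For a /24 the primary server leases .1 through .203 and excludes the rest, while its partner leases .204 through .254 and excludes .1 through .203; allocation_overlap returns None for that pair and a concrete range when one server is mistakenly left without its exclusion.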


Lesson 2 Planning for Name Resolution Services

Name resolution provides the foundation for many network services. The Domain Name System (DNS) has been widely adopted as the standard for name resolution in IP networks. To ensure that network services can function optimally, you must plan your DNS implementation carefully.

Objectives

After completing this lesson, you will be able to:

• Describe the name resolution process.

• Plan your DNS name space.

• Plan DNS zones.

• Describe DNS forwarding and when to use forwarding.

• List the considerations for deploying the DNS role.

• Deploy the DNS server role.


How DNS Names Are Resolved

Key Points

When DNS names are resolved on the Internet, an entire system of computers is used rather than just a single server. There are 13 root servers on the Internet that are responsible for managing the overall structure of DNS resolution.

For example, the name resolution process for the name www.microsoft.com is:

• A workstation queries the local DNS server for the IP address of www.microsoft.com.

• If the local DNS server does not have the information, then it queries a root DNS server for the location of the .com DNS servers.

• The local DNS server queries a .com DNS server for the location of the Microsoft.com DNS servers.

• The local DNS server queries the Microsoft.com DNS server for the IP address of www.microsoft.com.

• The IP address of www.microsoft.com is returned to the workstation.


The name resolution process can be modified by:

• Caching. After a local DNS server resolves a DNS name, it will cache the results for approximately 24 hours. Subsequent resolution requests for the DNS name are given the cached information.

• Forwarding. A DNS server can be configured to forward DNS requests to another DNS server instead of querying root servers. For example, requests for all Internet names can be forwarded to a DNS server in your perimeter network, or else to a DNS server at your ISP.
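An offline model of the resolution steps listed above, together with the caching and forwarding that modify them, as an added example (not code from the handbook or from Microsoft). The zone data and server addresses are constructed from the IETF documentation ranges and are not real name servers; LocalDnsServer and ask are hypothetical names. The trace each server keeps shows which servers were contacted, so the reader can see the root → .com → microsoft.com chain, a cache hit, and a forwarder taking over the iteration.

```python
"""Added example (not from the course): an offline model of the iterative
resolution steps, plus the caching and forwarding that modify them.

Zone data and server addresses are constructed from the IETF documentation
ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); they are not real
name-server addresses. LocalDnsServer and ask() are hypothetical names.
"""
SERVERS = {
    "192.0.2.1": {                      # a root server: refers .com queries onward
        "records": {},
        "delegations": {"com.": "198.51.100.1"},
    },
    "198.51.100.1": {                   # a .com server: refers microsoft.com onward
        "records": {},
        "delegations": {"microsoft.com.": "203.0.113.1"},
    },
    "203.0.113.1": {                    # authoritative for microsoft.com
        "records": {"www.microsoft.com.": "203.0.113.80"},
        "delegations": {},
    },
}
ROOT_HINT = "192.0.2.1"
TTL_SECONDS = 24 * 3600                 # the text's "approximately 24 hours"


def ask(server_ip, name):
    """One query to one server: an answer, a referral to a closer server, or nothing."""
    srv = SERVERS[server_ip]
    if name in srv["records"]:
        return "answer", srv["records"][name]
    best = None                          # longest delegated suffix wins
    for child, ns_ip in srv["delegations"].items():
        if name == child or name.endswith("." + child):
            if best is None or len(child) > len(best[0]):
                best = (child, ns_ip)
    if best is not None:
        return "referral", best[1]
    return "nxdomain", None


class LocalDnsServer:
    """The 'local DNS server' of the text: resolves for workstations, caches,
    and optionally forwards everything to another server instead of iterating."""

    def __init__(self, forwarder=None):
        self.forwarder = forwarder       # another LocalDnsServer, or None
        self.cache = {}                  # name -> (address, expiry time)
        self.trace = []                  # what was contacted, for inspection

    def resolve(self, name, now=0.0):
        name = name if name.endswith(".") else name + "."
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            self.trace.append(("cache", name))
            return hit[0]
        if self.forwarder is not None:
            self.trace.append(("forward", name))
            address = self.forwarder.resolve(name, now)
        else:
            address = self._iterate(name)
        if address is not None:          # negative answers are not cached here
            self.cache[name] = (address, now + TTL_SECONDS)
        return address

    def _iterate(self, name):
        server = ROOT_HINT
        for _ in range(16):              # hop limit: bad data must not loop forever
            self.trace.append(("query", server, name))
            kind, payload = ask(server, name)
            if kind == "answer":
                return payload
            if kind != "referral":
                return None
            server = payload
        return None


if __name__ == "__main__":
    local = LocalDnsServer()
    print(local.resolve("www.microsoft.com"), local.trace)
    print(local.resolve("www.microsoft.com", now=60), local.trace[-1])
    perimeter = LocalDnsServer()
    internal = LocalDnsServer(forwarder=perimeter)
    print(internal.resolve("www.microsoft.com"), internal.trace, perimeter.trace)
```

The first resolve walks root, .com and the microsoft.com server in turn; a second resolve within the TTL is answered from cache with no queries sent; and a server built with forwarder= sends every unresolved name to that forwarder, which is what places all Internet lookups on the perimeter or ISP server rather than on every internal DNS server.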


Planning Your DNS Namespace

Key Points

When you begin planning your DNS namespace, you must consider both the internal namespace and the external namespace. There is no requirement to use internally the same DNS domain name that you use externally. When choosing a domain name for your internal DNS namespace, there are three possible strategies:

• Select a matching domain name internally, for example adatum.com. This provides simplicity, which is why it is often a suitable choice for smaller organizations.

• Choose a different domain name, for example adatum.priv. This provides obvious separation of the namespaces. In complex networks with many Internet-facing applications, using a different name adds clarity when configuring those applications. For example, edge servers placed in your perimeter network often require multiple network interface cards, one connected to the private network and one servicing requests from the public network. If the two interfaces belong to different domain names, it is often easier to complete the configuration of that server.


• Implement a child domain of the public domain name, for example priv.adatum.com. This provides a hybrid approach; the name is different, allowing for separation of the name space, but also related to the public name, providing simplicity.


Planning DNS Zones

Key Points

In essence, a zone is a database that stores the information about a part of the DNS namespace. Often, a zone maps one-to-one onto a DNS domain. If you create a subdomain, for example south.adatum.com, you must consider how to fit the new domain name into your DNS infrastructure.

There are essentially two approaches:

• You can create a new zone for the new DNS domain name. This zone will have its own DNS name servers, and you must configure a relationship between the new child DNS domain name and its parent, adatum.com.

• The alternative method is to create a subdomain in the existing adatum.com zone. In this scenario, no name servers exist within the south.adatum.com child domain; rather, the DNS servers in the parent domain, adatum.com, service name query requests for hosts assigned a south.adatum.com DNS name.


Planning for Subdomains

The choice about whether to implement separate zones for child subdomains is primarily based on two factors:

• Administrative separation. If you want to provide for a degree of administrative separation of the name space, you can choose to create multiple zones, each with its own administrator.

• Performance. If the child subdomain is large, and hosts many records, use delegation so that the domain has its own DNS servers to host the zone; this provides for higher performance.

Planning for Zone Transfers

After you have determined how many zones you will create, you must determine the type of zones and how zone information will be replicated, or transferred, between the name servers that service the zone. There are a number of choices:

• You can implement Active Directory integrated zones. In this event, all domain controllers that also host the DNS role receive zone data automatically through Active Directory replication. This is the simplest approach, and the most secure as Active Directory replication traffic is authenticated and encrypted.

• Alternatively, you can implement non-Active Directory integrated zones. In this instance, when you deploy the DNS role and create your zones, you must define whether the zone is primary or secondary. A primary zone is an editable copy of the zone, while a secondary zone is read-only, and provided for servicing client queries. The secondary zone receives its zone data from a master server on a periodic basis. You must define the relationship between the secondary zone and its master server, which may be either a DNS server in the primary zone, or another secondary DNS server. In addition, you must enable and configure zone transfers.

Best Practice

Use Active Directory integrated zones to simplify zone transfers.


What Is DNS Forwarding?

Key Points

A forwarder is a network DNS server that forwards DNS queries for external DNS names to DNS servers outside that network. You can also use conditional forwarders to forward queries according to specific domain names.

A network DNS server is designated a forwarder when other DNS servers in the network forward to it the queries that they cannot resolve locally. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for your network's computers.

The forwarder itself must be able to reach DNS servers on the Internet: either you configure it to forward requests in turn to another DNS server, or it resolves names iteratively by using root hints.


Best Practices

Use a central forwarder DNS server for Internet name resolution. This can improve performance, simplify troubleshooting, and is a security best practice.

You can use stub zones instead of conditional forwarding to handle name resolution between specific domains. Use stub zones when you want a DNS server hosting a parent zone to remain aware of the authoritative DNS servers for one of its child zones.

Use stub zones if you want to provide for dynamic conditional forwarding.


Considerations for the DNS Role

Key Points

When planning to deploy DNS, there are several considerations that you must review. These considerations include:

• How many DNS zones will you configure on the server?

• How many DNS records will each zone contain?

• How many DNS clients will be communicating with the server on which you configure the DNS role?

• Where will you place DNS servers?

• Will you place the servers centrally or does it make more sense to locate DNS servers in branch offices?


Active Directory Integration

The Windows Server 2008 DNS role can store the DNS database in two different ways:

• Text File. The DNS server role stores the DNS entries in a text file, which you can edit with a text editor.

• Active Directory. The DNS server role stores the DNS entries in the Active Directory database; this database can be replicated to other domain controllers, even if they do not run the Windows Server 2008 DNS role. You cannot use a text editor to edit DNS data that Active Directory stores.

Active Directory integrated zones are easier to manage than traditional text-based zones, and are more secure. The replication of zone data occurs as part of Active Directory replication.

DNS Server Placement

Typically, you will deploy the DNS role on all domain controllers. If you decide to implement some other strategy, keep the following points in mind:

• How will client computers resolve names in the event of their usual DNS server becoming unavailable?

• What will the impact on network traffic be if client computers start to use an alternate DNS server, perhaps distantly located?

• How will you implement zone transfers? Active Directory integrated zones use Active Directory replication to transfer the zone to all other domain controllers. If you implement non–Active Directory integrated zones, you must plan the zone transfer mechanism yourself.


Demonstration: Deploying the DNS Server Role

Key Points

• Deploy an additional DNS server in the adatum.com domain.

• Configure delegation for a subdomain.

• Configure a DNS zone on the new server.

High-level steps:

1. Deploy the DNS server role to the SEA-SVR1 server.

2. On SEA-DC1, create a DNS delegation for the south.adatum.com subdomain.

3. Reconfigure the DNS suffix of the SEA-SVR1 server to south.adatum.com.

4. On SEA-SVR1, create the south.adatum.com zone.


5. Reconfigure the network properties on SEA-SVR1 and test DNS resolution.

6. Configure and test DNS forwarding on the SEA-SVR1 server.

Question: What is the difference between a DNS subdomain and a delegated zone?


Lesson 3 Determining the Need for WINS

NetBIOS is a session management protocol, implemented over TCP/IP networks as NetBT. Traditionally, NetBIOS applications rely on broadcasts to facilitate name registration, name release, and name querying. Windows Internet Naming Service (WINS) is a NetBIOS name server that you can use to resolve NetBIOS names to IPv4 addresses. WINS provides a centralized database for registering dynamic mappings of NetBIOS names used on a network. If you have NetBIOS applications, it is important you understand how the WINS service works in order to plan the placement of WINS servers. In addition, you should understand how WINS integrates with DNS in order to plan your migration from WINS.


Objectives

After completing this lesson, you will be able to:

• Describe when WINS is required.

• Plan a WINS server deployment.

• Implement the WINS feature.

• Describe the GlobalNames zone.

• Implement the GlobalNames zone.


When Is WINS Required?

Key Points

WINS resolves NetBIOS names to IP addresses, which can reduce NetBIOS broadcast traffic and enable clients to resolve the NetBIOS names of computers that are on different network segments (subnets).

There are several reasons WINS remains necessary on many networks. The main reason is because some applications still use NetBIOS to provide functionality to users.

WINS is required for the following reasons:

• Older versions of Microsoft® operating systems rely on WINS for name resolution.

• Some applications, typically older ones, rely on NetBIOS names.

• You may need dynamic registration of single-label names.


• Users may rely on the Network Neighborhood or My Network Places network browser features.

• You may not be using Windows Server 2008 as your DNS infrastructure.

You must deploy the WINS feature before a computer running Windows Server 2008 can become a WINS server. It is recommended that you configure a WINS server with a static IP address because client computers contact the WINS server by using an IP address.

Note: WINS is an IPv4-only service, and it will not work in an IPv6 environment.

In addition to WINS, NetBIOS names can be resolved by broadcast messages or by implementing LMHOSTS files on all computers. Broadcast messages do not work well on large networks because routers do not pass broadcasts. Using an LMHOSTS file for NetBIOS name resolution is a high-maintenance solution because the file must be constantly updated on the computers.


WINS Considerations

Key Points

The complete Windows Server 2008 WINS system includes the following components:

• WINS server. This computer processes name registration requests from WINS clients, registers client names and IP addresses, and responds to NetBIOS name queries that clients submit. The WINS server then returns the IP address of a queried name if the name is listed in the server database.

• WINS database. This database stores and replicates the NetBIOS name-to-IP address mappings for a network.

• WINS clients. These computers are configured to query a WINS server directly. WINS clients dynamically register their NetBIOS names with a WINS server.


• WINS proxy agent. This computer monitors name query broadcasts on a subnet and forwards those queries directly to a WINS server. A WINS proxy agent enables NetBIOS-enabled computers that are unable to communicate directly with a WINS server to resolve NetBIOS names of remote computers.

When you configure multiple WINS servers, it is important that you configure replication between them. This ensures that the integrity of the NetBIOS names database is maintained. WINS servers that are replication partners can implement replication in one of three ways:

• Push replication. With push replication, after a threshold of changes has occurred, the WINS server pushes the changes to its replication partners. You can configure the threshold value.

• Pull replication. With pull replication, a WINS server periodically pulls changes down from its replication partners. You can configure the interval value.

• Push/Pull replication. Both push and pull replication is configured between replication partners.


Demonstration: Deploying the WINS Feature

Key Points

• Deploy the WINS feature to the SEA-DC1 computer.

• Use the NBTSTAT utility to register records.

• Examine records with the WINS management console.

High-level steps:

1. Deploy the WINS server feature on the SEA-DC1 server.

2. Reconfigure the network settings on SEA-DC1 to use WINS for name resolution.

3. Register NetBIOS records with the WINS server and examine these records.

Question: What NetBIOS records does a typical Windows computer register with its WINS server?


What Is the GlobalNames Zone?

Key Points

The GlobalNames Zone (GNZ) is a new feature of Windows Server 2008. The GNZ provides single-label name resolution for large enterprise networks that do not deploy WINS. Some networks may require the ability to have static, global records with single-label names that WINS currently provides. These single-label names refer to well-known and widely used servers with statically assigned IP addresses. A GNZ is manually created and is not available for dynamic registration of records. GNZ is intended to help customers migrate to DNS for all name resolution; the DNS Server role in Windows Server 2008 supports the GNZ feature.

GNZ is intended to assist in the migration from WINS; however, it is not a replacement for WINS. GNZ is not intended to support single-label name resolution for records that are registered in WINS dynamically, which are typically not managed by IT administrators. Support for such dynamically registered records is not scalable, especially for larger customers with multiple domains or forests.


The recommended GNZ deployment is by using an Active Directory Domain Services (AD DS)–integrated zone, named GlobalNames, that is distributed globally.

Instead of using the GNZ, you can choose to configure DNS and WINS integration. You do this by configuring the DNS zone properties to perform WINS-lookups for NetBIOS-compliant names. The advantage of this approach is that you can configure client computers to only use a single name service, DNS, and still be able to resolve NetBIOS-compliant names.

Best Practice

If your organization relies heavily on NetBIOS applications, continue to use WINS. If you plan to migrate from WINS to DNS, implement WINS integration on your DNS zones. When you have decommissioned most of your NetBIOS applications, or only have a few NetBIOS applications, use the GNZ to manage static, single-label names.


Demonstration: Implementing the GlobalNames Zone

Key Points

• Enable and configure the GlobalNames zone for the adatum.com forest.

• Configure WINS-lookup on the adatum.com zone.

• Compare WINS-lookup with the GNZ.

High-level steps:

1. On SEA-DC1, enable support for the GlobalNames zone.

2. Configure DNS/WINS integration on the adatum.com DNS zone.

Question: Can you enable dynamic update on the GlobalNames zone?


Lesson 4 Planning a Perimeter Network

In order to make your network applications available to users connected to the Internet, you must publish these applications. A common way of publishing these applications, while maintaining security, is to use servers placed in a perimeter network.

Objectives

After completing this lesson, you will be able to:

• Describe a perimeter network.

• Determine which services should be deployed to the perimeter network.


What Is a Perimeter Network?

Key Points

There are a number of different ways that you can configure your perimeter network, and these include:

• Three-legged firewall. A single device or computer with multiple network interface cards: one is Internet facing, another is connected to the perimeter network, and the remaining card is connected to the intranet. Software installed on the host creates the separation between the networks. The separation is achieved through filtering on the firewall device so that only specified traffic is passed between the interfaces designated as public, private, and perimeter. This solution works well for smaller networks; however, because the single firewall device is connected directly to all three networks, its compromise exposes all of them, so security is weaker than with the other solutions.


• Dual back-to-back firewalls. In this scenario, two firewalls are connected in sequence across three networks: the Internet, your perimeter network, and your corporate intranet. The network to which both firewalls are connected is the perimeter network. The firewalls are configured to allow only appropriate traffic to pass between their connected networks. This is a more complex and expensive solution because it requires additional hardware and software to configure; however, it provides for a more secure environment and is the configuration of choice for larger networks.

Through the combination of hardware and software, and with appropriate configuration, you should be able to create a perimeter network with the degree of network isolation that you require, while at the same time allowing for the necessary communication between devices located in each of the three networks.

Best Practice Deploy only the services that you specifically need in your perimeter network, and, where possible, publish services rather than physically deploying servers to the perimeter.


Which Services Should Be Placed In the Perimeter Network?

Key Points

It is rare for an organization to operate without the need to connect its network infrastructure to the Internet. At the very least, most organizations use e-mail applications to conduct some elements of their core business.

Conduct an audit of the network services that you have within your organization and determine which services must be available to users from the Internet. Then consider how you want to make those services available. For example, if users require access to their e-mail while they work away from their office, consider the use of Web-based e-mail solutions because these are often easier to make securely available.

Note: Applications can be configured to use specific Transmission Control Protocol (TCP) ports; indeed, many applications are configurable to use only Hypertext Transfer Protocol (HTTP) or HTTP Secure (HTTPS). This means that you can configure the Internet-facing firewall to allow only TCP ports 80 and 443 inbound.


Typical Perimeter Applications

Although not an exhaustive list, the following table helps identify common applications that you might need to make available in your perimeter network.

Application: E-mail
Protocols: Post Office Protocol 3 (POP3), Internet Message Access Protocol 4 (IMAP4), Simple Mail Transfer Protocol (SMTP), Outlook Web Access (HTTPS), Outlook Anywhere (HTTPS), Exchange ActiveSync® (HTTPS)
Comments: Microsoft Exchange Server 2007 supports extensive publishing through the use of Microsoft ISA Server. In addition, the Exchange Edge Transport server role enables SMTP relay functionality from the perimeter network.

Application: Web server
Protocols: HTTP, HTTPS
Comments: Place the Web servers directly in the perimeter network or publish them with ISA Server.

Application: Active Directory
Protocols: LDAP
Comments: It is inadvisable to place domain controllers in the perimeter network. If your edge application requires access to Active Directory, consider deploying Active Directory Lightweight Directory Services (AD LDS) into the perimeter.

Application: Web Conferencing
Protocols: HTTPS, Session Initiation Protocol (SIP), Persistent Shared Object Model (PSOM), Real-time Transport Protocol (RTP), Real-time Control Protocol (RTCP)
Comments: Microsoft Office Communications Server supports the use of edge servers to extend conferencing to Internet participants. In addition, an ISA Server or other reverse proxy is required to enable some conferencing features.

Application: Instant Messaging
Protocols: SIP
Comments: SIP is the industry-standard protocol used for instant messaging.


Lesson 5 Planning an IPv4 to IPv6 Transition Strategy

IPv6 is a critical technology that will help ensure that the Internet can support a growing user base and the increasingly large number of IP-enabled devices. The current IPv4 has served as the underlying Internet protocol for almost 30 years. Its robustness, scalability, and limited feature set are now challenged by the growing need for new IP addresses, due in large part to the rapid growth of new network-aware devices. IPv6 is slowly becoming more common. While adoption may be slow, it is important to understand how this technology will affect current networks and how to integrate IPv6 into those networks.

Objectives

After completing this lesson, you will be able to:

• Describe the benefits of IPv6 over IPv4.

• Describe IPv6 addressing.

• Describe the IPv6 transition technologies.


Benefits of IPv6

Key Points

Support for IPv6, a new suite of standard protocols for the Internet's Network layer, is built into Windows Server 2008.

The IPv6 protocol provides the following benefits:

• Large address space. IPv4's 32-bit address space allows for 2^32, or 4,294,967,296, possible addresses. IPv6's 128-bit address space allows for 2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456, possible addresses.

• Hierarchical addressing and routing infrastructure. The IPv6 address space is designed to be more efficient for routers, which means that even though there are many more addresses, routers can process data much more efficiently because of address optimization.


• Stateless and stateful address configuration. IPv6 can configure an address automatically without a DHCP protocol, and it can discover router information so that hosts can reach the Internet; this is stateless address configuration. Stateful address configuration is when you use the DHCPv6 protocol. Stateful configuration has two additional configuration levels: one in which DHCP provides all the information, including the IP address and the subnet information, and another that provides just the subnet information.

• Built-in security. IPv6 has built-in IP security, whereas in IPv4 it is an extension of the protocol. This facilitates configuration of secure network connections. In IPv4, modifying the source address, destination address, or port information can invalidate IP security (IPsec) data, which causes issues when IPv4 traffic traverses network address translators (NATs). IPv6 restores point-to-point communication: NAT was conceived only to extend the life of the IPv4 public address space, and the IPv6 address space removes that need.

• Prioritized delivery. IPv6 contains a field in the packet that allows network devices to determine that the packet should be processed at a specified rate. This allows traffic prioritization. For example, when streaming video traffic, it is critical that the packets arrive in a timely manner. You can set this field to ensure that network devices determine that the packet delivery is time sensitive.

• Neighbor detection. IPv6 has much better detection of other devices and hosts in its local network. You can use this to create ad-hoc networks through which you can share information.

• Extensibility. Finally, IPv6 has been designed so that you can extend it with much fewer constraints than IPv4.


What Is the IPv6 Address Space?

Key Points

The most obvious distinguishing feature of IPv6 is its use of much larger addresses.

IPv4 IP addresses are expressed in four groups of decimal numbers, such as 192.168.1.1.

Each grouping of numbers represents a binary octet. In binary, the preceding number is:

11000000.10101000.00000001.00000001 (4 octets = 32 Bits)

The size of an address in IPv6 is 128 bits, which is four times larger than an IPv4 address. IPv6 addresses also are expressed as hexadecimal addresses in their “readable” format. For example, 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A.

This may seem counterintuitive for end users. However, the assumption is that average users will rely on DNS names to resolve hosts and rarely will type IPv6 addresses manually. The IPv6 address in hex also is easier to convert to binary and vice versa. This simplifies working with subnets, and calculating hosts and networks.


Working with IPv6 Addresses

To convert an IPv6 binary address, which is 128 bits in length, perform the following steps:

• Break it into eight groups of 16 bits.

• Convert each of these eight groupings of 16 bits into four hex characters.

• Within each 16-bit group, evaluate four bits at a time to derive each hex digit. Number the four binary positions 1, 2, 4, and 8, starting from the right and moving left: in [0010], the rightmost bit is assigned the value 1, the next bit is assigned the value 2, the next bit is assigned the value 4, and the leftmost bit is assigned the value 8.

• To derive the hexadecimal value for this section of four bits, add up the values assigned to each bit where the bits are set to 1. In the example of 0010, the only bit that is set to 1 is the bit assigned the 2 value. The rest are set to zero. The hex value of these bits is 2.

Examples

The following table describes one 16-bit portion of a 128-bit IP address:

[0010][1111][0011][1011]

Binary: 0010 | 1111
Values of each binary position: 8421 | 8421
Adding values where the bit = 1: 0+0+2+0 = 2 | 8+4+2+1 = 15, or hex F

The following example is a single IPv6 address in binary form. Note that the binary representation of the IP address is quite long; all 128 bits below are one IP address:

0010000000000001000011011011100000000000000000000010111100111011 0000001010101010000000001111111111111110001010001001110001011010


The 128-bit address is divided along 16-bit boundaries (eight groupings of 16 bits):

0010000000000001 0000110110111000 0000000000000000 0010111100111011 0000001010101010 0000000011111111 1111111000101000 1001110001011010

Each boundary is further broken into sets of four bits. Applying the methodology described above, convert the IPv6 address. The following table shows the binary and corresponding hexadecimal values for each set of four bits:

Binary Hexadecimal

[0010][0000][0000][0001] [2][0][0][1]

[0000][1101][1011][1000] [0][D][B][8]

[0000][0000][0000][0000] [0][0][0][0]

[0010][1111][0011][1011] [2][F][3][B]

[0000][0010][1010][1010] [0][2][A][A]

[0000][0000][1111][1111] [0][0][F][F]

[1111][1110][0010][1000] [F][E][2][8]

[1001][1100][0101][1010] [9][C][5][A]

Each 16-bit block expressed as four hex characters then is delimited with colons. The result is as follows:

2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A

You can simplify IPv6 representation further by removing the leading zeros within each 16-bit block. However, each block must have at least a single digit. With leading zero suppression, the address representation becomes the following:

2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
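The conversion walked through above, as an added example (not code from the handbook): it applies the 8-4-2-1 nibble method to the page's 128-bit sample address, suppresses leading zeros as described, and goes one step beyond the page by also compressing the longest run of all-zero blocks with "::" in the RFC 5952 style. The binary input is constructed from the page's example; all function names are my own.

```python
"""Convert a 128-bit IPv6 address from binary to its hexadecimal text form.

Added example for the 6430B handbook section on IPv6 addressing; it is not
the handbook's own code.
"""

# Constructed input: the 128-bit address from the handbook's worked example,
# written as one binary string (spaces are ignored by the parser).
SAMPLE_BITS = (
    "0010000000000001000011011011100000000000000000000010111100111011"
    "0000001010101010000000001111111111111110001010001001110001011010"
)

HEX_DIGITS = "0123456789ABCDEF"


def nibble_to_hex(nibble: str) -> str:
    """Apply the 8-4-2-1 weights to four bits and return one hex character."""
    if len(nibble) != 4 or any(b not in "01" for b in nibble):
        raise ValueError(f"not a 4-bit group: {nibble!r}")
    weights = (8, 4, 2, 1)            # leftmost bit is worth 8, rightmost 1
    value = sum(w for w, b in zip(weights, nibble) if b == "1")
    return HEX_DIGITS[value]


def split_groups(bits: str) -> list[str]:
    """Split a 128-bit string into eight 16-bit groups (the colon boundaries)."""
    bits = bits.replace(" ", "")
    if len(bits) != 128 or any(b not in "01" for b in bits):
        raise ValueError("an IPv6 address must be exactly 128 binary digits")
    return [bits[i:i + 16] for i in range(0, 128, 16)]


def group_to_hex(group: str) -> str:
    """Convert one 16-bit group into four hex characters, nibble by nibble."""
    return "".join(nibble_to_hex(group[i:i + 4]) for i in range(0, 16, 4))


def binary_to_ipv6(bits: str) -> str:
    """Full eight-block form with every leading zero kept."""
    return ":".join(group_to_hex(g) for g in split_groups(bits))


def suppress_leading_zeros(address: str) -> str:
    """Drop leading zeros in each block but keep at least one digit per block."""
    return ":".join(block.lstrip("0") or "0" for block in address.split(":"))


def compress_zero_run(address: str) -> str:
    """Replace the longest run of two or more all-zero blocks with '::'.

    This follows RFC 5952: only one run is compressed, the longest wins, and
    a lone zero block is left as '0'. The handbook stops at leading-zero
    suppression; this step is the extra one.
    """
    blocks = suppress_leading_zeros(address).split(":")
    best_start, best_len = -1, 0
    i = 0
    while i < len(blocks):
        if blocks[i] == "0":
            j = i
            while j < len(blocks) and blocks[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(blocks)
    left = ":".join(blocks[:best_start])
    right = ":".join(blocks[best_start + best_len:])
    return f"{left}::{right}"


if __name__ == "__main__":
    full = binary_to_ipv6(SAMPLE_BITS)
    print(full)                          # 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
    print(suppress_leading_zeros(full))  # 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
```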


IPv6 Transition Technologies

Key Points

The migration from IPv4 to IPv6 is expected to take considerable time. This was taken into consideration when designing IPv6 and as a result, the transition plan for IPv6 is a multistep process that allows for extended coexistence. To achieve the goal of a pure IPv6 environment, use the following general guidelines:

• Upgrade your applications to be independent of IPv6 or IPv4. Applications must be changed to use new Windows Sockets application programming interfaces (APIs) so that name resolution, socket creation, and other functions are independent regardless of whether you are using IPv4 or IPv6.

• Update the DNS infrastructure to support IPv6 address (AAAA) and pointer (PTR) records. You may have to upgrade the DNS infrastructure to support the new AAAA records (required) and PTR records in the IP6.ARPA reverse domain (optional). Additionally, ensure that the DNS servers support DNS dynamic update for AAAA records so that IPv6 hosts can register their names and IPv6 addresses automatically.


• Upgrade hosts to IPv6/IPv4 nodes. You must upgrade hosts to use a dual IP layer or stack. You also must add DNS resolver support to process DNS query results that contain both IPv4 and IPv6 addresses. Deploy ISATAP to ensure that IPv6/IPv4 hosts can reach each other over the IPv4-only intranet.

• Upgrade routing infrastructure for native IPv6 routing. You must upgrade routers to support native IPv6 routing and IPv6 routing protocols.

• Implement tunneling. An eventual successful transition to IPv6 requires interim coexistence of IPv6 nodes in today’s predominantly IPv4 environment. To support this, IPv6 packets are tunneled automatically over IPv4 routing infrastructures, enabling IPv6 clients to communicate with each other by using 6to4 addresses or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) addresses and tunneling IPv6 packets across IPv4 networks.

• Convert IPv6/IPv4 nodes to IPv6-only nodes. You can upgrade IPv6/IPv4 nodes to be IPv6-only nodes. This should be a long-term goal, because it will take years for all current IPv4-only network devices to be upgraded to IPv6-only. For those IPv4-only nodes that cannot be upgraded to IPv6/IPv4 or IPv6-only, employ translation gateways as appropriate so that IPv4-only nodes can communicate with IPv6-only nodes.


Lab: Planning Network Infrastructure for Windows Server 2008

Note: Your instructor may run this lab as a class discussion.

Adatum has created a new regional sales force. As a result, branch offices are being fitted out to support the various regional sales teams. You are responsible for planning the network infrastructure for these new branch offices. Joe Healy, the national Sales Manager, has been communicating with you about his specific requirements for the regional office. In addition, Alan Steiner, a colleague in IT, has visited some of the branch offices.


Exercise 1: Determining an Appropriate Network Addressing Scheme

Scenario

You have been tasked with designing an IPv4 addressing scheme to support the western region branch offices. There are 10 new offices, 3 in this region, and each with around 100 computers.

The main tasks for this exercise are as follows:

• Read the supporting documentation.

• Answer the questions in the Update the Branch Office Network Infrastructure Plan: IPv4 Addressing document.


Supporting Documentation

E-mail thread of correspondence with Joe Healy and Alan Steiner:

Gregory Weber
From: Joe Healy [[email protected]]
Sent: 21 July 2009 17:30
To: [email protected]
Subject: Re: Network applications for branches

Greg,

Well, I'm not terribly technical myself, but in terms of what the sales people use, it's mostly office productivity software. They do have a sales database, of course, which I believe to be built on SQL Server. Currently, that data is held on several different databases, but we're merging that right now to create a national database. I understand from your colleague, Alan Steiner, that we're going to create regional replicas of the data in that database. As to network traffic, I guess you'd need to ask Alan.

Hope that is useful.

Regards,

Joe

----- Original Message -----
From: Gregory Weber [[email protected]]
Sent: 20 July 2009 09:01
To: [email protected]
Subject: Network applications for branches

Joe,

I'm about to start working on this branch offices deployment. We're at the stage of planning the network infrastructure. Can you tell me something about the applications that the sales team uses? I'm trying to get a feel for network traffic and usage patterns.

Regards,

Greg


Gregory Weber
From: Alan Steiner [[email protected]]
Sent: 22 July 2009 09:05
To: [email protected]
Subject: Re: Branch office network traffic analysis
Attachments: Adatum Western Region Branch Network Plan.vsd

Greg,

Each branch will be connected via a router to the head office; I've attached a basic schematic of the western regional offices.

We've allocated the network address 10.10.32.0/21 for all branches in this region.

In terms of traffic, the database synchronization takes place overnight so should not impact traffic overly. I think the traffic in the head office sales subnets right now should be fairly indicative. Rather than send you the output, I'll just say that we figure on around 50 computers per subnet.

Regards,

Alan

----- Original Message -----
From: Gregory Weber [[email protected]]
Sent: 22 July 2009 08:45
To: [email protected]
Subject: Branch office network traffic analysis

Alan,

Do you have any information about network traffic at the new branches? I understand there is to be a database with regional replicas. Do you have any information on that? I'm trying to figure out the number of subnets I'm going to need per branch.

Any other information gratefully received!

Greg


Adatum Western Region Branch Network Plan.vsd


Task 1: Read the supporting documentation

• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action

• Answer the questions in the Branch Office Network Infrastructure Plan: IPv4 Addressing document.

Branch Office Network Infrastructure Plan: IPv4 Addressing

Document Reference Number: GW0709/1

Document Author: Gregory Weber

Date: 25th July

Requirements Overview

Design an IPv4 addressing scheme for the Adatum western regional branch sales offices, shown in the exhibit.

The block address 10.10.32.0/21 has been reserved for this region.

You must devise a scheme that supports the required number of subnets, the required number of hosts, and provide for 25% growth of hosts in each branch.

For each branch, provide the subnet addresses you plan to use, together with the start and end IP addresses for each subnet.

Additional Information

You do not need to concern yourself with the IP addressing for the corporate side of the router at each branch.


Proposals

1. How many subnets do you envisage requiring for this region?

2. How many hosts will you deploy in each subnet?

3. What subnet mask will you use for each branch?

4. What are the subnet addresses for each branch?

5. What range of host addresses are in each branch?

Results: After this exercise, you should have a completed IP addressing plan for the western region branch offices.


Exercise 2: Planning the Placement of Network Servers

Scenario

Having determined the appropriate addressing scheme for the branch offices in the western region sales division, you must now determine how best to deploy network services to support users working in those locations. Alan Steiner has sent you an e-mail with some additional information about the requirements.

Using the information in the supporting documentation, and bearing in mind the subnet addressing scheme you previously planned, complete the Branch Office Network Infrastructure Plan: Network Services document.

The main tasks for this exercise are as follows:

• Read the supporting documentation.

• Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document.


Supporting Documentation

E-mail thread of correspondence with Alan Steiner:

Gregory Weber
From: Alan Steiner [[email protected]]
Sent: 24 July 2009 17:00
To: [email protected]
Subject: Re: Branch office network services

Greg,

Answers in line below,

Regards,

Alan

----- Original Message -----
From: Gregory Weber [[email protected]]
Sent: 24 July 2009 13:30
To: [email protected]
Subject: Branch office network services

Alan,

OK, I have worked out an IP addressing scheme for the branches. Next I need to think about the infrastructure. Could you answer the following questions?

1. How are IP addresses to be assigned for this region?

[Alan] By DHCP

2. Is there anything I should know about the DNS name space for the sales offices?

[Alan] The sales computers will be in their own DNS name space, sales.adatum.com

3. I have a vague recollection that one of the line-of-business applications that sales uses requires NetBIOS. Is that right?

[Alan] You're right, Greg, they need NetBIOS name resolution in sales.

Thanks,

Greg


Task 1: Read the supporting documentation

• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action

• Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document.

Branch Office Network Infrastructure Plan: Network Services

Document Reference Number: GW0709/2

Document Author: Gregory Weber

Date: 25th July

Requirements Overview

Specify which network services are required in each sales office, and any changes that might be required in the head office to facilitate your proposals.

Additional Information

It is important that any router, server, or communications link failure does not adversely affect users.


Proposals

1. How many DHCP servers do you propose to deploy in the region?

2. Where do you propose to deploy these servers?

3. What name resolution services are required?

4. To support the DNS name space in the sales division, how would you propose to configure DNS?

5. Will you require WINS?

6. If so, how many WINS servers will you require for the region?

7. If not, how do you propose to support single-label names?

Results: After this exercise, you should have a completed plan for the deployment of network services in the western regional branch offices.


Exercise 3: Implementing the Planned Network Services

Scenario

You are on-site at one of the regional offices, and you must now configure network services to support your proposals.

The main tasks for this exercise are as follows:

1. Start the virtual machines and log on.

2. Deploy the DHCP server role.

3. Configure scopes to support the branch office.

4. Configure DNS to support the branch office.

5. Enable DNS/WINS integration to support NetBIOS applications.

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.

2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.

3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.

4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.

5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.

6. Minimize the Lab Launcher window.

Task 2: Deploy the DHCP Server role on SEA-SVR1

1. Switch to the SEA-SVR1 computer.

2. Use Server Manager to deploy the DHCP Server role. Use the following information to complete the process:

a. On the Select Network Connection Bindings page, click Next.

b. On the Specify IPv4 DNS Server Settings page, in the Preferred DNS Server IPv4 Address box, type 10.10.0.10, and then click Next.


c. On the Specify IPv4 WINS Server Settings page, click Next.

d. On the Add or Edit DHCP Scopes page, click Next.

e. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server, and then click Next.

f. On the Authorize DHCP Server page, click Next.

Task 3: Configure the primary DHCP scope for subnet 1

• Create a new scope. Use the following information to help complete the process:

• Scope Name: Branch 1 subnet 1 scope 1

• IP address range: 10.10.32.1 > 10.10.32.125

• Subnet mask: 25 bits

• Exclusions: 10.10.32.100 > 10.10.32.125

• Lease duration: default

• Router: 10.10.32.126

Task 4: Configure the secondary DHCP scope for subnet 2

• Create a new scope. Use the following information to help complete the process:

• Scope Name: Branch 1 subnet 2 scope 2

• IP address range: 10.10.32.129 > 10.10.32.253

• Subnet mask: 25 bits

• Exclusions: 10.10.32.129 > 10.10.32.229

• Lease duration: default

• Router: 10.10.32.254
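A consistency check over the two scopes in Tasks 3 and 4, as an added example rather than anything from the lab (it uses Python's standard ipaddress module; the Scope fields and function names are my own): it verifies that each distribution range sits inside the subnet's usable hosts, that the router is a usable address the server will never lease, and that exclusions fall inside the range, and it reports how many addresses remain leasable after exclusions.

```python
"""Sanity-check DHCP scope definitions against their subnet.

Added example for the 6430B lab; not the lab's own code. It catches the
mistakes that creep in when scopes are typed by hand: a range that spills
past the subnet, a router address that would be handed out to a client, or
an exclusion outside the range it is meant to carve out of.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    name: str
    start: str                     # first address in the distribution range
    end: str                       # last address in the distribution range
    prefix_len: int                # "Subnet mask: 25 bits" on the page
    router: str
    exclusions: list[tuple[str, str]] = field(default_factory=list)


# Constructed from the lab text (Tasks 3 and 4).
SCOPES = [
    Scope("Branch 1 subnet 1 scope 1", "10.10.32.1", "10.10.32.125", 25,
          "10.10.32.126", [("10.10.32.100", "10.10.32.125")]),
    Scope("Branch 1 subnet 2 scope 2", "10.10.32.129", "10.10.32.253", 25,
          "10.10.32.254", [("10.10.32.129", "10.10.32.229")]),
]


def subnet_of(scope: Scope) -> ipaddress.IPv4Network:
    """Derive the subnet from the range start and the prefix length."""
    return ipaddress.ip_network(f"{scope.start}/{scope.prefix_len}", strict=False)


def check_scope(scope: Scope) -> list[str]:
    """Return a list of problems; an empty list means the scope is consistent."""
    problems = []
    net = subnet_of(scope)
    start = ipaddress.ip_address(scope.start)
    end = ipaddress.ip_address(scope.end)
    router = ipaddress.ip_address(scope.router)
    first_host, last_host = net[1], net[-2]     # skip network and broadcast

    if start > end:
        problems.append("range start is after range end")
    if start < first_host or end > last_host:
        problems.append(f"range {start}-{end} leaves the usable hosts of {net}")
    if router not in net or router in (net.network_address, net.broadcast_address):
        problems.append(f"router {router} is not a usable host in {net}")

    # Addresses the scope would actually hand out: the range minus exclusions.
    excluded = set()
    for lo, hi in scope.exclusions:
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_a < start or hi_a > end:
            problems.append(f"exclusion {lo}-{hi} is outside the range")
        excluded.update(ipaddress.ip_address(n) for n in range(int(lo_a), int(hi_a) + 1))
    if start <= router <= end and router not in excluded:
        problems.append(f"router {router} would be leased to a client")
    return problems


def leasable_count(scope: Scope) -> int:
    """How many addresses the scope can actually lease after exclusions."""
    start = ipaddress.ip_address(scope.start)
    end = ipaddress.ip_address(scope.end)
    total = int(end) - int(start) + 1
    for lo, hi in scope.exclusions:
        total -= int(ipaddress.ip_address(hi)) - int(ipaddress.ip_address(lo)) + 1
    return total


if __name__ == "__main__":
    for s in SCOPES:
        print(s.name, subnet_of(s), leasable_count(s), check_scope(s) or "OK")
```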


Task 5: Create a subdomain in DNS

1. Switch to the SEA-DC1 computer.

2. Open the DNS Manager.

3. Add a new domain in the Adatum.com zone.

Task 6: Configure zone transfers for the Adatum.com zone

• In the DNS Manager, enable zone transfers for the Adatum.com zone.

Task 7: Deploy the DNS role on SEA-SVR1

1. Switch to the SEA-SVR1 computer.

2. Using Server Manager, deploy the DNS Server role on SEA-SVR1.

Task 8: Configure a secondary zone on SEA-SVR1

• Create a new forward lookup zone on SEA-SVR1. Use the following information to help complete the process:

• Zone type: secondary

• Zone name: Adatum.com

• Master DNS server: 10.10.0.10

Task 9: Enable the WINS feature, and configure DNS/WINS integration

1. Using Server Manager, on SEA-SVR1, add the WINS Server feature.

2. Switch to the SEA-DC1 computer.

3. In DNS Manager, enable WINS Forward Lookup:

a. Right-click Adatum.com, and then click Properties.

b. On the WINS tab, select the Use WINS forward lookup check box.

c. In the IP address box, type 10.10.0.100, press Add, and then click OK.


4. Switch to the SEA-SVR1 computer.

5. In DNS Manager, right-click Adatum.com, and then click Transfer from Master.

Note: You might need to wait a few moments before you see the WINS record. Press Refresh if needed.

Task 10: Configure DHCP options to support the deployed services

1. On SEA-SVR1, in the DHCP console, right-click Server Options, and then click Configure Options.

2. Configure the following options:

• 006 DNS Servers: 10.10.0.100

• 015 DNS Domain Name: sales.adatum.com

• 044 WINS/NBNS Servers: 10.10.0.100

Results: After this exercise, you should have successfully deployed branch office network services.

To prepare for the next module

1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.

2. In the Close box, select Turn off machine and discard changes. Click OK.


Module Review and Takeaways

Review Questions

1. What is the host range of addresses in the 172.16.16.0/21 subnet?

2. You intend to deploy the DHCP server role where necessary throughout your routed network. What considerations should you bear in mind?

3. What is the difference between a subdomain in a DNS zone, and a delegated zone?

4. What are the advantages of Active Directory integrated zones?

5. When planning WINS, how many servers should you consider deploying?


Module 3 Planning for Active Directory®

Contents:

Lesson 1: Selecting a Domain and Forest Topology 3-3

Lesson 2: Selecting a Domain and Forest Functional Level 3-19

Lesson 3: Planning Identity and Access Services in Active Directory 3-27

Lesson 4: Implementing Active Directory in the Physical Network 3-37

Lab: Planning for Active Directory 3-48


Module Overview

In order to optimize an Active Directory® Domain Services (AD DS) infrastructure, you must plan the implementation carefully. This planning should include consideration of the Active Directory directory services topology, the domain and forest functional level, which related Active Directory services you must deploy in order to support your network, and the steps you must take to configure Active Directory to support your physical network infrastructure.

Objectives

After completing this module, you will be able to:

• Select an appropriate Active Directory topology.

• Configure the domain and forest functional level.

• Describe Active Directory identity and access services.

• Configure Active Directory to support your physical network.


Lesson 1 Selecting a Domain and Forest Topology

Before you commence the deployment of Active Directory and related services, it is important to consider the overall design of the Active Directory topology: the forests, trees, and domains; the site and subnet topology; and the organizational unit and administrative structure.

Objectives

After completing this lesson, you will be able to:

• Describe important Active Directory terminology.

• Determine how many Active Directory forests to deploy.

• Determine when to implement a design that incorporates multiple domains.

• Determine how many Active Directory trees to implement in your forest.

• Describe a trust relationship.

• Select a suitable Active Directory topology.


Overview of Active Directory

Key Points

Active Directory is a distributed database that provides a logical grouping of objects, such as users, computers, and groups. Active Directory is managed centrally by Windows Server® 2008 servers deployed with the AD DS role. These servers are known as domain controllers. In order to plan and deploy Active Directory, you must understand the components that combine to create an Active Directory infrastructure.

What Is a Forest?

In AD DS, a forest is the highest level of the logical structure hierarchy. An Active Directory forest represents a single self-contained directory. A forest is a security boundary, which means that administrators in a forest have complete control over all access to information that is stored inside the forest and to the domain controllers that are used to implement the forest.

Domain controllers in a forest share a common schema, a common global catalog, and a common forest-root domain.


What Is the Schema?

The schema is the Active Directory component that defines all the objects and attributes that the directory service uses to store data. For instance, the schema defines the user object type, and defines the attributes that are maintained for the user object type such as full name, password, display name, and so forth.

The schema is a single master element of Active Directory. This means that you must make changes to the schema at the domain controller that holds the schema operations master role.

What Is the Global Catalog?

The global catalog is a distributed database that contains a searchable representation of every object from all domains in a multidomain forest. However, the global catalog does not contain all attributes for each object; rather, it maintains a subset of attributes, those that are most likely to be useful in cross-domain searches.

What Is a Tree?

If your Active Directory consists of more than one domain, you must define the relationship between the domains. If the domains share a common root and a contiguous namespace, then they are logically part of the same Active Directory tree. A tree serves no administrative purpose; that is, there is no tree administrator as there is a forest or domain administrator. A tree provides a logical, hierarchical grouping of domains that have parent/child relationships defined through their names. Your Active Directory tree maps to your DNS namespace.

What Is a Domain?

A domain is an administrative boundary. All domains host an Administrator user account that has full administrative capabilities over all objects within the domain. Although the administrator can delegate administration on objects within the domain, the account retains full administrative control of all objects within the domain.

In earlier versions of Windows Server, domains were considered to provide complete administrative separation; indeed, one of the fundamental reasons for selecting a multidomain topology was to provide for this separation. However, in Active Directory, the administrator account in the forest root domain also has full administrative control over all objects in the forest, rendering this domain-level administrative separation invalid.


A domain is a replication boundary. Active Directory consists of three elements, or partitions; these are the schema, the configuration partition, and the domain partition. Generally, it is only the domain partition that changes frequently.

The domain partition contains objects that are likely to be updated often; these include users, computers, groups, and organizational units. Consequently, Active Directory replication consists primarily of the updates to objects defined within the domain partition. Only domain controllers in a particular domain receive domain partition updates from other domain controllers.

What Is a Site?

A site is a logical representation of a geographical area in your network. A site represents a high-speed network boundary for your Active Directory computers; that is, computers that can communicate with high speed and low latency can be grouped into a site. Domain controllers within a site replicate Active Directory data in a way that is optimized for this environment, and this replication configuration is largely automatic.

What Is an Organizational Unit?

Organizational units are container objects within a domain that enable an administrator to group objects together for management purposes. Objects within an organizational unit can be managed as a single entity.


Considerations for Designing a Forest Infrastructure

Key Points

To create a forest design, first identify the business requirements that an organization's directory structure needs to accommodate. This involves determining how much autonomy the groups in the organization need to manage their network resources, and whether each group needs to isolate their resources on the network from other groups.

After identifying business requirements, you can determine the number of forests needed. To determine this number, you must carefully identify and evaluate the isolation and autonomy requirements for each group in the organization and map those requirements to the appropriate forest design models.


Considerations

There are several points that are helpful to consider when determining the number of forests to deploy.

• Isolation requirements limit design choices. Therefore, if isolation requirements have been identified, be sure that the groups actually require data isolation and that data autonomy is not sufficient for their needs. Then the organization must ensure that the various groups in the organization clearly understand the concepts of isolation and autonomy.

• Negotiating the design can be a lengthy process. It can be difficult for groups to come to agreement about ownership and utilization of available resources. During the design process there must be enough time for the groups in the organization to conduct adequate research to identify their needs, which involves setting firm deadlines for design decisions and getting consensus from all parties on the established deadlines.

• Determining the number of forests to deploy involves balancing costs against benefits. A single-forest model is the most cost-effective option and requires the least amount of administrative overhead. Although a group in the organization might prefer autonomous service operations, it might be more cost-effective for the organization to subscribe to service delivery from a centralized, trusted IT group, allowing the group to own data management without creating the added costs of service management. Balancing costs against benefits might require input from the executive sponsor.

• After the design requirements are mapped to forest models and the forest model is selected that meets the needs of the organization, you should document the proposed forest design. The information that you should include in the documentation is the name of the group for which the forest is designed, the contact information for the forest owner, the type of forest for each forest, and the requirements that each forest is designed to meet. This documentation helps the design team to ensure that all of the appropriate people are involved in the design process and to clarify the scope of the deployment project.


Best Practice

Use a single forest unless any of the following apply:

• You need the level of administrative separation that multiple forests provide.

• Your organization is very large, and consists of several distinct operating divisions, each of which has different schema requirements.

• You are deploying an application that is implemented on a per-forest basis, such as Exchange Server 2007, and different parts of your organization have differing requirements of this forest-level application.

Additional Reading

• Download the Infrastructure Planning and Design Guide Series: http://go.microsoft.com/fwlink/?LinkID=163879&clcid=0x409.


Guidelines for Designing an Active Directory Domain Infrastructure

Key Points

Domains partition the information that is stored inside the directory into smaller portions so that the information can be more easily stored on various domain controllers and so that administrators have a greater degree of control over replication. Data that is stored in the directory is replicated throughout the forest from one domain controller to another. Some data that is relevant to the entire forest is replicated to all domain controllers, while other data that is relevant only to a specific domain is replicated only to domain controllers in that particular domain. A good domain design makes it possible to implement an efficient replication topology.

Note: Active Directory consists of three partitions: the schema partition, the configuration partition, and the domain partition. The first two are replicated to all domain controllers within the forest; the last, the domain partition, is only replicated among domain controllers that are part of the same domain.


Guidelines

There are three guidelines when devising a domain infrastructure.

• Review domain models. By reviewing the domain models, factors that impact the domain design model can be identified. By identifying the amount of available capacity on the network that can be allocated to Active Directory, an organization can select a model that provides efficient replication of information with minimal impact on available network bandwidth. If an organization includes a large number of users, deploying more than one domain enables the partitioning of data and gives more control over the amount of replication traffic that will pass through a given network connection. This makes it possible to control where data is replicated and reduce the load created by replication traffic on slow links in the network.

• Determine the number of domains. Every forest starts with a single domain. The maximum number of users that a single-domain forest can contain is based on the slowest link that must accommodate replication between domain controllers and the available bandwidth allocated to Active Directory. If all the users cannot be accommodated in a single domain, an organization can select the regional domain model. This involves dividing the organization into regions that fit the structure of the organization and the existing network. For example, the organization can be separated into regions based on continental boundaries. While an organization will need to create a domain for each region, it is best to minimize the number of regions. Although it is possible to include an unlimited number of domains in a forest, for manageability reasons it is recommended that a forest include no more than 10 domains. The key in determining the number of regions is to establish the appropriate balance between optimizing replication bandwidth and minimizing administrative complexity.

Note: If you identify three regions within your organization, it might be desirable to create an empty forest root and three child domains. For example, in Adatum.com, there are three regions: Europe, Americas, and Asia. Although the worldwide headquarters are in North America, it might still be desirable to create the Adatum.com domain with three children: europe.adatum.com, americas.adatum.com, and asia.adatum.com. This configuration enables you to configure truly forest-wide settings on the empty forest root while not affecting the region of the Americas.


• Determine whether to upgrade existing domains or deploy new domains. This consideration is only important when upgrading an existing Windows Server Active Directory infrastructure to Windows Server 2008 AD DS. In this scenario, each domain will either be a new domain or an existing domain that has been upgraded in place. Users from existing domains that are not upgraded in place must be migrated into new domains. Moving accounts between domains can impact end users. Before deciding whether to migrate users into a new domain or upgrade existing domains in place, evaluate the long-term administrative benefits of a new Active Directory domain against the cost of migrating users into the domain.


Determining Whether to Implement Multiple Trees in Your Forest

Key Points

Active Directory trees are created by the relationship between the domains within the forest. There is no intrinsic reason you should, or indeed, should not create multiple trees within your forest. However, keep in mind that a single tree, with its contiguous namespace, is easier to manage, and easier for users to visualize.

Best Practice

Consider using multiple trees within a single forest if you have multiple namespaces to support; for example, if within your organization there are several distinct operating divisions with different public identities, you could create a different tree for each operating division. Bear in mind that with this scenario, there is no separation of administration because the forest root administrator still has complete control over all objects in the forest, in whichever tree they reside.

Note: There is no technical benefit to this strategy—only a political one.


What Is a Trust Relationship?

Key Points

A trust relationship enables one security entity to trust another security entity for the purposes of authentication. In Windows Server 2008, the security entity is the Windows® domain.

In any trust relationship, there are two parties involved; the trusting entity, and the trusted entity. The trusting entity is the resource-holding entity, while the trusted entity is the account-holding entity.

Types of Trusts

Trusts can be one-way or two-way. A one-way trust means that although one entity trusts the other, the reciprocal is not true. In a two-way trust, both entities trust one another.

Trusts can be transitive or nontransitive. In a transitive trust, if A trusts B and B trusts C, then A also implicitly trusts C.

Windows Server 2008 supports a number of different trusts for use in different situations.


In a single forest, all domains trust one another with internal, two-way transitive trusts. In essence, this means that all domains trust all other domains. These trusts extend across trees within the forest. Aside from these automatically created trusts, you can configure additional trusts between domains within your forest, between your forest and other forests, and between your forest and other security entities, such as Kerberos realms or Windows NT® 4.0 domains. The following table provides more information.

Trust type: External
Transitivity: Nontransitive
Direction: One-way or two-way
Description: Use external trusts to provide access to resources that are located on a Windows NT 4.0 domain or a domain that is located in a separate forest that is not joined by a forest trust.

Trust type: Realm
Transitivity: Transitive or nontransitive
Direction: One-way or two-way
Description: Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2008 or a Windows Server 2008 R2 domain.

Trust type: Forest
Transitivity: Transitive
Direction: One-way or two-way
Description: Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests that are made in either forest can reach the other forest.

Trust type: Shortcut
Transitivity: Transitive
Direction: One-way or two-way
Description: Use shortcut trusts to improve user logon times between two domains within a Windows Server 2008 or a Windows Server 2008 R2 forest. This is useful when two domains are separated by two domain trees.
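The direction and transitivity rules in this table, modeled as an added example (not part of the course material) that answers whether an account from one domain can be authenticated to a resource in another, and along which chain of trusts. All domain names in the sample topology are constructed.

```python
"""Added example (not from the course material): a small model of the trust
rules the table above describes.

Model:
  * each trust is a directed edge trusting -> trusted; the trusting side
    holds the resources, the trusted side holds the accounts;
  * a two-way trust is stored as two edges;
  * a nontransitive trust links only its own two endpoints: it cannot be
    entered from a third domain nor extended beyond the trusted domain;
  * transitive trusts chain, but a path may leave the forest only once
    (a forest trust does not extend to a third forest).
"""
from collections import deque
from dataclasses import dataclass

# trust kinds that cross the forest boundary
CROSS_FOREST = {"external", "forest", "realm"}


@dataclass(frozen=True)
class Trust:
    trusting: str      # resource-holding domain
    trusted: str       # account-holding domain
    kind: str          # parent-child, tree-root, shortcut, external, forest, realm
    transitive: bool


def add_trust(trusts, trusting, trusted, kind, transitive, two_way=True):
    """Append one trust, or both directions of a two-way trust."""
    trusts.append(Trust(trusting, trusted, kind, transitive))
    if two_way:
        trusts.append(Trust(trusted, trusting, kind, transitive))


def find_trust_path(trusts, account_domain, resource_domain):
    """Breadth-first search from the resource domain along trusting -> trusted
    edges.  Returns the shortest chain of domains an authentication referral
    walks (resource domain first, account domain last), or None."""
    if account_domain == resource_domain:
        return [resource_domain]
    # queue entries: (current domain, tuple of edges walked, left-the-forest flag)
    queue = deque([(resource_domain, (), False)])
    seen = set()
    while queue:
        domain, path, crossed = queue.popleft()
        if path and domain == account_domain:
            return [resource_domain] + [e.trusted for e in path]
        if path and not path[-1].transitive:
            continue                      # nontransitive: stop at its endpoint
        on_path = {resource_domain} | {e.trusted for e in path}
        for e in trusts:
            if e.trusting != domain or e.trusted in on_path:
                continue
            if path and not e.transitive:
                continue                  # nontransitive: no indirect use
            leaves = e.kind in CROSS_FOREST
            if leaves and crossed:
                continue                  # no second forest boundary
            key = (e.trusted, crossed or leaves, e.transitive)
            if key in seen:
                continue
            seen.add(key)
            queue.append((e.trusted, path + (e,), crossed or leaves))
    return None


def build_sample_topology(shortcut=False):
    """Constructed topology: the adatum.com forest (root, three regional child
    domains, a grandchild, and a second tree fabrikam.com), a two-way forest
    trust with contoso.com, a second forest trust contoso.com <-> tailspin.com,
    and a one-way external trust from americas.adatum.com to an NT 4.0 domain."""
    t = []
    add_trust(t, "adatum.com", "europe.adatum.com", "parent-child", True)
    add_trust(t, "adatum.com", "americas.adatum.com", "parent-child", True)
    add_trust(t, "adatum.com", "asia.adatum.com", "parent-child", True)
    add_trust(t, "europe.adatum.com", "sales.europe.adatum.com", "parent-child", True)
    add_trust(t, "adatum.com", "fabrikam.com", "tree-root", True)
    add_trust(t, "adatum.com", "contoso.com", "forest", True)
    add_trust(t, "contoso.com", "tailspin.com", "forest", True)
    # one-way: americas holds the resources, LEGACY holds the accounts
    add_trust(t, "americas.adatum.com", "LEGACY", "external", False, two_way=False)
    if shortcut:
        add_trust(t, "americas.adatum.com", "sales.europe.adatum.com", "shortcut", True)
    return t


if __name__ == "__main__":
    for shortcut in (False, True):
        t = build_sample_topology(shortcut)
        print("shortcut trust present:", shortcut, "->",
              find_trust_path(t, "sales.europe.adatum.com", "americas.adatum.com"))
    t = build_sample_topology()
    print("LEGACY accounts, americas resources:", find_trust_path(t, "LEGACY", "americas.adatum.com"))
    print("LEGACY accounts, europe resources:", find_trust_path(t, "LEGACY", "europe.adatum.com"))
    print("contoso accounts, sales.europe resources:",
          find_trust_path(t, "contoso.com", "sales.europe.adatum.com"))
    print("tailspin accounts, adatum resources:", find_trust_path(t, "tailspin.com", "adatum.com"))
```

Running it shows the shortcut trust cutting the sales.europe to americas referral from four domains to two, the nontransitive external trust stopping at americas.adatum.com, and the forest trust reaching contoso.com but not the tailspin.com forest behind it.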


Discussion: Selecting an Active Directory Topology

Key Points

Scenario 1

The Fabrikam Corporation is planning to implement Active Directory throughout its organization. Fabrikam has a worldwide operation, with offices based in Europe, Asia, and North America. In consultation with staff in the IT department of Fabrikam, you determine the following facts:

• There are 30,000 users distributed fairly evenly across all the three regions.

• Headquarters for the worldwide operation are in Dallas, Texas.

• Headquarters for the North American division is also based in Dallas.

• The Asian headquarters are based in Singapore, and the European headquarters are in Paris, France.


• Each continental headquarters supports regional national offices; these national offices are connected by high-speed links to their respective continental headquarters.

• The national offices act as hubs for branch offices.

Using this information, answer the following questions.

Question: What are your initial thoughts about a forest topology?

Question: How many domains do you envisage using?

Question: How many sites do you imagine will be required?

Question: Do you think that more than one tree is indicated?

Scenario 2

You spend some more time researching the Fabrikam organization, and learn the following additional facts:

• The Asian division has recently acquired a company, Contoso Corporation, based in Australia that manufactures batteries for telecommunications equipment. This company already has Active Directory deployed in a single forest environment.

• Fabrikam is planning to deploy Exchange Server 2007 within the first few months of deploying Active Directory.

How might these new discoveries affect your plans? Answer the following questions:

Question: How many forests do you envisage?

Question: How does implementing Exchange Server affect your plans?


Scenario 3

With a final set of staff interviews with some of the regional IT managers, it transpires that it is highly desirable to implement administrative separation of each region. How does this affect your Active Directory topology?

Answer the following questions:

Question: How many forests do you envisage?

Question: How many domains are required?

Question: How many trusts will you need to create?


Lesson 2 Selecting a Domain and Forest Functional Level

Windows Server 2008 AD DS provides a number of new features that are only available if the appropriate domain and forest functional levels have been configured. This lesson explores these functional levels and their related features.

Objectives

After completing this lesson, you will be able to:

• Describe the Active Directory features available in each of the domain functional levels.

• Describe the Active Directory features available in each of the forest functional levels.

• Configure the domain and forest functional level.


What Are the Domain Functional Levels?

Key Points

The following table shows which features are enabled at each domain functional level. It also shows the operating systems for domain controllers that are supported at each functional level.


Domain functional level: Windows 2000 native

Enabled features: All default Active Directory features and the following features:

• Universal groups are enabled for both distribution groups and security groups.

• Group conversion is enabled, which makes conversion between security groups and distribution groups possible.

• Security identifier (SID) history.

Note: This is the default domain functional level.

Supported domain controller operating systems: Windows 2000 Server, Windows Server 2003, Windows Server 2008.

Domain functional level: Windows Server 2003

Enabled features: All default Active Directory features, all features from the Windows 2000 native domain functional level, and the following features:

• The availability of the domain management tool, netdom.exe, to prepare for domain controller rename.

• Update of the logon timestamp. The lastLogonTimestamp attribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain.

• The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects.

• The ability to redirect Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts: namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes possible the definition of a new well-known location for these accounts.

Supported domain controller operating systems: Windows Server 2003, Windows Server 2008.


Domain functional level: Windows Server 2003 (continued)

Enabled features (continued):

• Includes constrained delegation so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.

• Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Domain functional level: Windows Server 2008

Enabled features: All default Active Directory features, all features from the Windows Server 2003 domain functional level, and the following features:

• Distributed File System Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.

• Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol.

• Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.

• Fine-grained password policies, which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.

Supported domain controller operating systems: Windows Server 2008.

Note: Changes to the domain functional level are not reversible.


What Are the Forest Functional Levels?

Key Points

The following table shows which features are enabled at each forest functional level. It also shows the operating systems for domain controllers that are supported at each functional level.

Forest functional level: Windows 2000

Enabled features: All default Active Directory features.

Note: This is the default forest functional level.

Supported domain controllers: Windows 2000 Server, Windows Server 2003, Windows Server 2008.


Forest functional level: Windows Server 2003

Enabled features: All default Active Directory features, and the following features:

• Forest trust.

• Domain rename.

• The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.

• Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level.

• The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.

• The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.

• The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.

• Deactivation and redefinition of attributes and classes in the schema.

Supported domain controllers: Windows Server 2003, Windows Server 2008.

Forest functional level: Windows Server 2008

Enabled features: This functional level provides all the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest, however, will operate at the Windows Server 2008 domain functional level by default.

Supported domain controllers: Windows Server 2008.


Note: Changes to the forest functional level are not reversible.

Guidelines for Raising the Domain or Forest Functional Level

The following guidelines apply to raising the domain or forest functional levels:

• You must be a member of the Domain Admins group to raise the domain functional level.

• You must be a member of the Enterprise Admins group to raise the forest functional level.

• You can raise the domain functional level on the primary domain controller (PDC) emulator operations master only. The AD DS administrative tools that you use to raise the domain functional level (the Active Directory Domains and Trusts snap-in and the Active Directory Users and Computers snap-in) automatically target the PDC emulator when you raise the domain functional level.

• You can raise the forest functional level on the schema operations master only. Active Directory Domains and Trusts automatically targets the schema operations master when you raise the forest functional level.

• You can raise the functional level of a domain only if all domain controllers in the domain run the version or versions of Windows that the new functional level supports.

• You can raise the functional level of a forest only if all domain controllers in the forest run the version or versions of Windows Server operating system that the new functional level supports.

• You cannot set the domain functional level to a value that is lower than the forest functional level.

• You cannot lower the domain or forest functional level after you have raised it.

• You cannot reverse the operation of raising the domain and forest functional levels. If you have to revert to a lower functional level, you must rebuild the domain or forest, or restore it from a backup copy.
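These guidelines, together with the supported-operating-system columns of the two tables above, applied as a pre-flight check over a domain controller inventory. This is an added example, not part of the course material; the forest, domains, domain controllers and their versions are constructed sample data.

```python
"""Added example (not from the course material): a pre-flight check that
applies the handbook's guidelines for raising a domain or forest functional
level before anyone opens Active Directory Domains and Trusts."""
from dataclasses import dataclass

# Functional levels from lowest to highest; raising is one-way.
DOMAIN_LEVELS = ["Windows 2000 native", "Windows Server 2003", "Windows Server 2008"]
FOREST_LEVELS = ["Windows 2000", "Windows Server 2003", "Windows Server 2008"]

# Domain controller operating systems supported at each level (from the tables).
SUPPORTED_DC_OS = {
    "Windows 2000 native": {"Windows 2000 Server", "Windows Server 2003", "Windows Server 2008"},
    "Windows 2000": {"Windows 2000 Server", "Windows Server 2003", "Windows Server 2008"},
    "Windows Server 2003": {"Windows Server 2003", "Windows Server 2008"},
    "Windows Server 2008": {"Windows Server 2008"},
}


@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    os: str


@dataclass
class Forest:
    forest_level: str
    domain_levels: dict        # domain name -> current domain functional level
    dcs: list                  # DomainController inventory for the whole forest


def check_raise_domain_level(forest, domain, target, operator_groups):
    """Return the list of blocking problems; an empty list means the raise is
    permitted.  operator_groups holds (domain, "Domain Admins") tuples for
    per-domain membership and plain names for forest-wide groups."""
    problems = []
    if (domain, "Domain Admins") not in operator_groups:
        problems.append(f"operator is not a member of Domain Admins in {domain}")
    current = forest.domain_levels[domain]
    if DOMAIN_LEVELS.index(target) <= DOMAIN_LEVELS.index(current):
        problems.append(f"{domain} is already at {current}; a functional level "
                        "cannot be lowered or re-applied")
    # the two level lists are aligned, so positions are comparable across them
    if DOMAIN_LEVELS.index(target) < FOREST_LEVELS.index(forest.forest_level):
        problems.append(f"{target} is lower than the forest functional level "
                        f"{forest.forest_level}")
    for dc in forest.dcs:
        if dc.domain == domain and dc.os not in SUPPORTED_DC_OS[target]:
            problems.append(f"domain controller {dc.name} runs {dc.os}, "
                            f"which is not supported at {target}")
    # the raise itself is applied on the PDC emulator; the snap-ins target it
    return problems


def check_raise_forest_level(forest, target, operator_groups):
    """Same idea for the forest level (applied on the schema operations master)."""
    problems = []
    if "Enterprise Admins" not in operator_groups:
        problems.append("operator is not a member of Enterprise Admins")
    if FOREST_LEVELS.index(target) <= FOREST_LEVELS.index(forest.forest_level):
        problems.append(f"forest is already at {forest.forest_level}; a functional "
                        "level cannot be lowered or re-applied")
    for dc in forest.dcs:
        if dc.os not in SUPPORTED_DC_OS[target]:
            problems.append(f"domain controller {dc.name} ({dc.domain}) runs {dc.os}, "
                            f"which is not supported at {target}")
    # no domain may sit below the forest level, so every domain must already be there
    for name, level in forest.domain_levels.items():
        if DOMAIN_LEVELS.index(level) < FOREST_LEVELS.index(target):
            problems.append(f"domain {name} is at {level}, below the requested "
                            f"forest level {target}")
    return problems


def build_sample_forest():
    """Constructed inventory: adatum.com forest at the Windows Server 2003 level."""
    return Forest(
        forest_level="Windows Server 2003",
        domain_levels={"adatum.com": "Windows Server 2003",
                       "sales.adatum.com": "Windows Server 2003"},
        dcs=[DomainController("DC1", "adatum.com", "Windows Server 2008"),
             DomainController("DC2", "adatum.com", "Windows Server 2008"),
             DomainController("DC3", "sales.adatum.com", "Windows Server 2003"),
             DomainController("DC4", "sales.adatum.com", "Windows Server 2008")])


if __name__ == "__main__":
    f = build_sample_forest()
    da = {("adatum.com", "Domain Admins"), ("sales.adatum.com", "Domain Admins")}
    print("adatum.com -> 2008:", check_raise_domain_level(f, "adatum.com", "Windows Server 2008", da))
    print("sales -> 2008:", check_raise_domain_level(f, "sales.adatum.com", "Windows Server 2008", da))
    print("forest -> 2008:", check_raise_forest_level(f, "Windows Server 2008", {"Enterprise Admins"}))
    print("adatum.com back to 2000 native:",
          check_raise_domain_level(f, "adatum.com", "Windows 2000 native", da))
```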


Demonstration: Modifying the Functional Level

Key Points

• Raise the domain functional level.

• Raise the forest functional level.

High-level steps:

1. Raise the domain functional level of the Adatum.com domain to Windows Server 2008.

2. Raise the forest functional level of the Adatum.com forest to Windows Server 2008.

Question: You recently raised the domain functional level of the sales.adatum.com domain; however, now you want to revert to the Windows Server 2003 domain functional level. Is this possible, and if so, how?


Lesson 3 Planning Identity and Access Services in Active Directory

Windows Server 2008 introduces new Active Directory services. Active Directory Lightweight Directory Services (AD LDS) replaces Active Directory Application Mode (ADAM), which shipped with Windows Server® 2003, and provides directory services for applications; Active Directory Federation Services (AD FS) provides an identity access solution; and Active Directory Rights Management Services (AD RMS) provides services to enable the creation of information-protection solutions.

Objectives

After completing this lesson, you will be able to:

• Describe AD CS.

• Describe AD LDS.

• Describe AD FS.

• Describe AD RMS.


What Is AD CS?

Key Points

Active Directory Certificate Services (AD CS) extend the concept of trust so that a user, computer, organization, or service can prove its identity outside or inside the border of your Active Directory forest.

Certificates are issued from a certificate authority (CA). When a user, computer, or service uses a certificate to prove its identity, the client in the transaction must trust the issuing CA. A list of trusted root CAs, which includes, for example, VeriSign and Thawte, is maintained by Windows, and updated as part of Windows Update.

If you think about the last time you made a purchase on an Internet site, you will recall that it was probably performed on a site using Secure Sockets Layer (SSL), with an HTTPS:// address. The server proves its identity to the client, your browser, by presenting a certificate issued by a CA that your browser trusts, such as VeriSign or Thawte.


A public key infrastructure (PKI) is based on a chain of trust. A root CA can issue a certificate to a subordinate CA, and that subordinate CA can then issue certificates to users, computers, organizations, or services. Any client that trusts the root CA will also trust those certificates, because it can verify each signature in the chain from the end-entity certificate up to the trusted root.

Certificates can be used for numerous purposes in an enterprise network, including the creation of secure channels such as the SSL example mentioned earlier, virtual private networks (VPNs), and wireless security, as well as for authentication, such as smart card logon.

AD CS gives you the technologies and tools you need to create and manage a PKI. Although AD CS can run on a stand-alone server, it is much more common, and much more powerful, to run AD CS as an enterprise CA integrated with AD DS. AD DS then acts as a certificate store and provides a framework within which to manage the lifetime of certificates: how they are obtained (enrollment), renewed, and revoked. Because every certificate in the hierarchy derives its trust from the root CA's private key, plan to protect that key carefully; a common design keeps the root CA offline and issues certificates only from subordinate CAs.
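The checks a relying party performs, as an added example that is not part of the course and not Microsoft's own code: the function below builds the chain for a certificate from the local machine store, with revocation checking for every certificate except the root, and reports whether the chain ends at a trusted root, which chain-status problems (expiry, revocation, untrusted root) were found, and whether the certificate's DNS name matches the expected host name. The subject name www.adatum.com is an assumed certificate in the local machine store.

```powershell
# Added example, not part of the course: verify that a certificate chains to a
# root this computer trusts, with revocation checking, which is the test a
# browser performs before it accepts an HTTPS site. The subject name
# 'www.adatum.com' is a hypothetical certificate in the local machine store.
function Test-CertificateTrust {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $ExpectedHostName
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Consult CRLs or OCSP for every certificate except the self-signed root,
    # and report every problem rather than ignoring any class of error.
    $chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag     = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.VerificationFlags  = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    # Build() walks issuer by issuer until it reaches a root in the Trusted Root
    # Certification Authorities store; it returns $false if any link fails.
    $trusted = $chain.Build($Certificate)

    # The DNS name the certificate was issued for (first SAN DNS entry, or the CN).
    $dnsName = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk = $null
    if ($ExpectedHostName) { $nameOk = ($dnsName -eq $ExpectedHostName) }

    [pscustomobject]@{
        Subject      = $Certificate.Subject
        Chain        = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
        ChainTrusted = $trusted
        Problems     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NameMatches  = $nameOk
        ValidUntil   = $Certificate.NotAfter
    }
}

# Example run against the certificate bound to this server's web site.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=www.adatum.com*' } |
    Select-Object -First 1
if ($cert) {
    Test-CertificateTrust -Certificate $cert -ExpectedHostName 'www.adatum.com' | Format-List
}
```

Run the same function against the certificate a domain controller uses for LDAP over SSL or for smart card logon. For smart card logon the issuing CA must additionally be present in the forest's NTAuth store, which you can list with certutil -viewstore -enterprise NTAuth; a chain that builds correctly but whose CA is missing from NTAuth will still be rejected at logon.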


What Is AD LDS?

Key Points

AD LDS is an independent mode of Active Directory that provides directory services for applications without the infrastructure features of AD DS. It provides a data store and the services needed to access that store. AD LDS uses the same standard application programming interfaces (APIs) as AD DS for accessing application data, including the Active Directory APIs, Active Directory Service Interfaces (ADSI), Lightweight Directory Access Protocol (LDAP), and System.DirectoryServices.

AD LDS does not have the infrastructure capabilities of AD DS. It does not provide directory services for the Windows operating system itself (no domains, no Group Policy, and no Windows logon), so it can concentrate on the requirements of specific applications. If AD LDS operates in an AD DS environment, it can use AD DS for authentication: Windows security principals can be granted access to AD LDS data and administrative roles.

AD LDS complements AD DS rather than replacing it. Although AD LDS and AD DS can operate concurrently within the same network, AD LDS serves the requirements of specific applications. An instance of AD LDS can be created for a specific application without concern for the dependencies that AD DS requires. Multiple instances of AD LDS, each supporting a separate application and each listening on its own LDAP and SSL ports, can run on a single server.


AD LDS Usage Scenarios

There are four situations in which organizations will find the use of AD LDS beneficial.

• An organization with application-specific directories that use customized schemas, or that depend on decentralized directory management, can benefit from AD LDS. Because AD LDS directories are separate from the domain infrastructure of AD DS, they can support applications that depend on schema extensions that are not desirable in the AD DS directory, such as extensions that are useful to a single application. Keeping such extensions out of AD DS matters because AD DS schema changes are forest-wide and cannot be deleted, only deactivated. In addition, the local server administrator can administer the AD LDS directories; domain administrators do not need to provide administrative support.

• A company that has directory-enabled application development and prototyping environments that are separate from the enterprise's domain structure can use AD LDS. Application developers who are creating directory-enabled applications can install the AD LDS role on any server, even on stand-alone servers or workstations. As a result, developers can control and modify the directory in their development environment without interfering with the organization's AD DS infrastructure. These applications can subsequently be deployed with either AD LDS or AD DS as the application's directory service, as appropriate. Network administrators can use AD LDS as a prototype or pilot environment for applications that will eventually be deployed with AD DS as their directory store, as long as the application does not depend on features specific to AD DS.

• A company that needs to manage external client computers' access to network resources can benefit from AD LDS. Enterprises that need to authenticate extranet clients, such as Web clients or transient clients, can use AD LDS as the directory store for that authentication. This keeps external client information out of the enterprise's domain directory, and keeps the Internet-facing authentication store separate from the accounts that control the domain.

• Organizations that need to enable older LDAP clients in a heterogeneous environment to authenticate against AD DS can use AD LDS. When organizations merge, there is often a need to integrate LDAP clients running different server operating systems into a single network infrastructure. In such cases, rather than immediately upgrading clients that run older LDAP applications or modifying the AD DS schema to work with them, network administrators can install the AD LDS server role on one or more servers. The AD LDS server role acts as an interim directory store using the older schema until the clients can be upgraded to use AD DS natively for LDAP access and authentication.
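The extranet scenario above, as an added example that is not part of the course and not Microsoft's own code: an administrator creates an account in an AD LDS application partition (not in AD DS), and the extranet application then authenticates that account with an LDAP simple bind over SSL. It assumes an AD LDS instance on SEA-SVR1 listening for LDAP over SSL on port 50001 with a certificate the client trusts, an application partition CN=WebApp,DC=Adatum,DC=com, a schema that includes the user class from MS-User.LDF, and that the caller's Windows account is in the instance's Administrators role; all of these names and ports are assumptions.

```powershell
# Added example, not part of the course: use an AD LDS instance as the
# authentication store for an extranet application, keeping the external
# accounts out of AD DS. Assumptions: an AD LDS instance on SEA-SVR1 listens
# for LDAP over SSL on port 50001, it hosts the application partition
# CN=WebApp,DC=Adatum,DC=com, its schema includes the MS-User.LDF user class,
# and the account running this script is in the instance's Administrators role.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server    = 'SEA-SVR1:50001'                 # hypothetical host and LDAPS port
$partition = 'CN=WebApp,DC=Adatum,DC=com'     # hypothetical application partition
$userDn    = "CN=extranet.client1,$partition"

function New-AdLdsConnection {
    param([string] $Server, [System.Net.NetworkCredential] $Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # never send a simple bind in clear text
    $conn.SessionOptions.ProtocolVersion   = 3
    if ($Credential) {
        # An AD LDS security principal authenticates with a simple (Basic) bind by DN.
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential
    } else {
        # The caller's Windows account, authenticated through AD DS.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    }
    $conn.Bind()
    return $conn
}

# 1. As instance administrator, create the account in the application partition.
$admin = New-AdLdsConnection -Server $server
$add = New-Object System.DirectoryServices.Protocols.AddRequest($userDn, 'user')
$null = $add.Attributes.Add(
    (New-Object System.DirectoryServices.Protocols.DirectoryAttribute('description',
        'Extranet client held only in AD LDS')))
$null = $admin.SendRequest($add)

# 2. Set the password (AD LDS accepts password writes only over a secure channel)
#    and enable the account, which AD LDS creates disabled by default.
$pwdMod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$pwdMod.Name      = 'unicodePwd'
$pwdMod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$null = $pwdMod.Add([System.Text.Encoding]::Unicode.GetBytes('"ExamplePassw0rd!"'))  # quoted, UTF-16LE
$null = $admin.SendRequest((New-Object System.DirectoryServices.Protocols.ModifyRequest($userDn, $pwdMod)))
$null = $admin.SendRequest((New-Object System.DirectoryServices.Protocols.ModifyRequest(
    $userDn, 'Replace', 'msDS-UserAccountDisabled', 'FALSE')))
$admin.Dispose()

# 3. What the extranet application does at logon: bind as the user and treat a
#    failed bind (wrong password, disabled account, lockout) as "not authenticated".
function Test-AdLdsCredential {
    param([string] $Server, [string] $UserDn, [string] $Password)
    $cred = New-Object System.Net.NetworkCredential($UserDn, $Password)
    try   { (New-AdLdsConnection -Server $Server -Credential $cred).Dispose(); $true }
    catch [System.DirectoryServices.Protocols.LdapException] { $false }
}

Test-AdLdsCredential -Server $server -UserDn $userDn -Password 'ExamplePassw0rd!'   # expected: True
Test-AdLdsCredential -Server $server -UserDn $userDn -Password 'wrong-password'     # expected: False
```

The application holds nothing but the AD LDS service address and performs a bind per logon; because the account lives only in the AD LDS partition, compromise of the extranet store does not expose any AD DS account. If the instance is later replaced by AD DS, only the server name, port and DN of the container change.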


Note: An example of the use of AD LDS is the Exchange Server 2007 Edge Transport server role. The Edge Transport server is deployed in the perimeter network, typically on a server that is not a member of a domain. It hosts an instance of AD LDS, populated from AD DS by the EdgeSync service, that tells it how to handle inbound messages; for example, which internal Hub Transport server to route a message to for its intended recipient.


What Is AD FS?

Key Points

AD FS is a server role in Windows Server 2008 that provides an identity access solution. With AD FS, browser-based clients, both inside and outside the network, can access protected, Internet-facing applications even when the user accounts and the applications are located in different networks or organizations.

A typical scenario is an application in one network and a user account in another, where the user has to enter a second set of credentials to reach the application. With AD FS, secondary accounts are not necessary. Instead, trust relationships are used to project a user's digital identity and access rights to trusted partners. In this federated environment, each organization continues to manage its own identities, but each can securely project its identities to, and accept identities from, the other.

Authenticating to one network while accessing resources in another, without repeated logon prompts, is known as single sign-on (SSO). AD FS provides a Web-based SSO solution that authenticates users to multiple Web applications over the life of a single browser session.


Note: AD FS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. AD FS implements the federation specification of WS-*, the WS-Federation Passive Requestor Profile (WS-F PRP). This specification makes it possible for environments that do not use the Windows identity model to federate with Windows environments.

AD FS Role Services

The AD FS server role includes federation services, proxy services, and Web agent services that you configure to enable Web SSO, federate Web-based resources, customize the access experience, and manage how existing users are authorized to access applications.

Depending on your organization's requirements, you can deploy servers running any of the following AD FS role services:

• Federation Service: The Federation Service comprises one or more federation servers that share a common trust policy. Federation servers route authentication requests from user accounts in other organizations or from clients that may be located anywhere on the Internet, and issue the security tokens that applications consume.

• Federation Service Proxy: The Federation Service Proxy is a proxy to the Federation Service that is placed in the perimeter network (also known as a demilitarized zone (DMZ) or screened subnet). It uses the WS-F PRP protocols to collect credential information from browser clients and forwards that information to the Federation Service on their behalf. Placing the proxy in the perimeter network means that the federation servers themselves, which hold the trust policy and the token-signing keys, need not be exposed directly to the Internet.

• Claims-aware agent: You use the claims-aware agent on a Web server that hosts a claims-aware application to allow the application to query the claims in an AD FS security token. A claims-aware application is a Microsoft ASP.NET application that uses the claims present in an AD FS security token to make authorization decisions and personalize the application.

• Windows token-based agent: You use the Windows token-based agent on a Web server that hosts a Windows NT token-based application to convert an AD FS security token into an impersonation-level Windows NT access token. A Windows NT token-based application is an application that uses Windows-based authorization mechanisms, such as access control lists, rather than claims.


What Is AD RMS?

Key Points

AD RMS provides services to enable the creation of information-protection solutions. AD RMS is a format- and application-agnostic technology: it works with any AD RMS-enabled application to provide persistent usage policies for sensitive information. Content that can be protected using AD RMS includes intranet sites, Web sites, e-mail messages, and documents. AD RMS includes a set of core functions that enable developers to add information protection to the functionality of existing applications.

The AD RMS system, which includes both server and client components, performs several processes. First, it facilitates licensing and distributing rights-protected information. An AD RMS system issues rights account certificates that identify trusted entities, such as users, groups, and services, that can publish rights-protected content. After trust has been established, users can assign usage rights and conditions to content they want to protect. These usage rights specify who can access rights-protected content and what they can do with it. When the content is protected, a publishing license is created for it. This license binds the specific usage rights to that piece of content so that the content can be distributed. For example, a user can send a rights-protected document to other users inside or outside the organization without losing the assigned rights.

AD RMS is also used for acquiring licenses to decrypt rights-protected content and for applying usage policies. Users who have been granted a rights account certificate can access rights-protected content by using an AD RMS-enabled client application, which lets them view and work with the content while preserving its integrity and applying the usage policies. When a user attempts to access, or "consume," rights-protected content, the application sends a request to the AD RMS system. The AD RMS licensing service on the AD RMS server then issues that user a unique use license, which the application reads, interprets, and applies to enforce the usage rights and conditions specified in the publishing license. The content is decrypted by using the electronic keys from the content and the application, together with the certificates of the trusted entities. The usage rights and conditions are persistent and are applied everywhere the content goes. Note that they are enforced by the consuming application: the protection is only as strong as the trust placed in the AD RMS-enabled client, which is why only clients that are themselves trusted entities in the AD RMS system receive use licenses.

AD RMS can also be used for creating rights-protected files and templates. Users who are trusted entities in an AD RMS system can create and manage protected files by using familiar authoring tools within an AD RMS-enabled application. In addition, AD RMS-enabled applications can use centrally defined and officially authorized rights policy templates to help users efficiently apply a predefined set of usage policies.

Additional Reading

• AD RMS Documentation Roadmap: http://go.microsoft.com/fwlink/?LinkID=163878&clcid=0x409


Lesson 4 Implementing Active Directory in the Physical Network

An AD DS site topology is a logical representation of the physical network. Designing an Active Directory site topology involves planning for domain controller placement and designing sites, subnets, site links, and site link bridges to ensure efficient routing of query and replication traffic.

Objectives

After completing this lesson, you will be able to:

• Describe the function of a domain controller.

• Plan the appropriate placement for your domain controllers.

• Configure sites.

• Describe the functionality of a Read-Only Domain Controller (RODC).

• Deploy an RODC.


What Is a Domain Controller?

Key Points

Domain controllers host AD DS. They provide the following functions on the network:

• Authentication. Domain controllers store the domain accounts database and provide authentication services.

• Operations master roles (optional; formerly known as Flexible Single Master Operations (FSMO) roles). There are five operations master roles: two forest-wide roles and three domain roles. The forest-wide roles, the schema master and the domain naming master, are initially held by the first domain controller in the forest. The domain roles, the primary domain controller (PDC) emulator, the relative identifier (RID) master, and the infrastructure master, are initially held by the first domain controller in each domain. You can transfer these roles to other domain controllers as you require.

• Global catalog (optional). You can designate any domain controller as a global catalog server.


• Group Policy and SYSVOL. Group Policy objects consist of Group Policy containers, stored in Active Directory, and Group Policy templates, stored in the SYSVOL folder in the file system of every domain controller. By default, the Group Policy management tools create and edit Group Policy objects on the domain controller that holds the PDC emulator operations master role, so that it acts as a single master for those changes.

• Replication. Active Directory is a distributed directory service. Objects such as users, computers, organizational units, and services are distributed across all domain controllers in the forest, and can be updated on any writable domain controller in the forest. Active Directory replication is the process by which changes that originate on one domain controller are automatically transferred to the others. You can exert some control over this process by creating sites and site links, and by configuring replication bridgehead servers between sites.

Note: Some changes can only be made on a domain controller that holds the appropriate operations master role. For example, changes to the schema can only be made on the schema operations master.
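An inventory of the functions listed above, as an added example that is not part of the course and not Microsoft's own code: it lists every domain controller with its site, global catalog and read-only status and the roles it holds, summarizes the five operations master role holders, checks one well-known placement rule, and shows a role transfer. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT) and a hypothetical server named SEA-DC2.

```powershell
# Added example, not part of the course: inventory the forest's domain
# controllers, show who holds each operations master role and the global
# catalog, and transfer a role. Requires the ActiveDirectory module (Windows
# Server 2008 R2 or later, or RSAT); 'SEA-DC2' is a hypothetical server name.
Import-Module ActiveDirectory

function Get-OperationsMasterSummary {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        # forest-wide roles: exactly one holder in the whole forest
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # domain roles: one holder in each domain
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Every domain controller in this domain, with site, GC and RODC status and roles.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, OperatingSystem, IsGlobalCatalog, IsReadOnly,
        @{ Name = 'Roles'; Expression = { $_.OperationMasterRoles -join ', ' } } |
    Format-Table -AutoSize

Get-OperationsMasterSummary

# Well-known placement rule (not stated in the course text): in a forest with more
# than one domain, the infrastructure master must not be a global catalog unless
# every DC in the domain is a GC, or it never detects stale cross-domain references.
$im    = Get-ADDomainController -Identity (Get-ADDomain).InfrastructureMaster
$allGc = -not (Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
if ((Get-ADForest).Domains.Count -gt 1 -and $im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure master $($im.HostName) is a GC but not all DCs are GCs."
}

# Transfer the PDC emulator to SEA-DC2; the current holder must be online for a
# transfer. Remove -WhatIf to perform it. Add -Force only to seize a role from a
# holder that is permanently lost, and never bring that old holder back online.
Move-ADDirectoryServerOperationMasterRole -Identity 'SEA-DC2' -OperationMasterRole PDCEmulator -WhatIf
```

The same information is available from the command line with netdom query fsmo, but the script form is what you would schedule to detect a role holder that has silently gone offline, since the schema and domain naming masters are touched rarely enough that their loss is otherwise noticed only when a schema extension or new domain fails.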


Determining the Placement of Domain Controllers

Key Points

Domain controller placement is one part of designing the AD DS site topology, the logical representation of the physical network introduced at the start of this lesson. The design covers domain controller placement, sites, subnets, site links, and site link bridges, so that query and replication traffic is routed efficiently, and it proceeds through the steps that follow.

Create a Location Map

The first step in designing an effective Active Directory site topology is to collect information about the organization's physical network topology. This can be done by creating a location map that represents the physical network infrastructure of the organization. The location map should identify the geographic locations that contain groups of computers with internal connectivity of 10 megabits per second (Mbps) or greater. After creating the location map, document the type of communication link, its link speed, and the available bandwidth between each pair of locations. This information is used later in the design process to create site links.


Determine the Domain Controller Placement

The next step is to plan where to place domain controllers, including regional domain controllers, forest root domain controllers, operations master role holders, and global catalog servers.

Forest root domain controllers are needed to create trust paths for clients that need to access resources in domains other than their own. Forest root domain controllers should be placed at locations that host datacenters and in hub locations. If users in a given location need to access resources from other domains in the same location, and network availability between the datacenter and the user location is unreliable, you can either add a forest root domain controller in the location or create a shortcut trust between the two domains. It is more cost efficient to create a shortcut trust unless there are other reasons to place a forest root domain controller in that location.

Plan the Site Design

Next in the site topology design process is to create a site design. This involves deciding which locations will become sites, creating site objects, creating subnet objects, and associating the subnets with sites.

Site Links and Site Link Bridges

The site link design connects sites with site links. Site links represent the inter-site connectivity and the method used to transfer replication traffic. Sites must be connected with site links so that domain controllers at each site can replicate Active Directory changes; the site links should mirror the WAN links between the geographic sites.

A site link bridge connects two or more site links and makes them transitive: replication can be routed across the bridged links even though no single site link connects the sites at either end.

Each site link in a bridge must have a site in common with another site link in the bridge. The Knowledge Consistency Checker (KCC) uses the cost of each site link to compute the cost of replication between sites in one site link and sites in the other site links of the bridge. If two site links in a bridge have no site in common, the KCC cannot compute a route across them and therefore cannot establish direct connections between domain controllers in the sites they connect.


By default, all site links are transitive, because the Bridge all site links option is enabled on the inter-site transport. You should only need to change this default if:

• Your network is not fully routed, that is, not every site can reach every other site over IP. In this case, you can build site link bridges whose topology matches the actual routes of your network.

• You need to control the flow of AD DS replication traffic. For instance, in a hub-and-spoke network topology, it might not be desirable to allow replication traffic between the satellite sites should the hub site domain controllers fail. Similarly, if some sites replicate through a firewall, disabling Bridge all site links lets you limit the traffic that crosses the firewall by creating site link bridges only between the sites on one side of it.


Demonstration: Creating a Site

Key Points

• Create a new site.

• Configure the replication interval and schedule between the new site and the existing site.

High-level steps:

• Create a site object.

• Configure the inter-site replication interval.

• Configure the inter-site replication schedule.

Question: What is the default replication schedule and interval for the DEFAULTIPSITELINK object?
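The site, site link and bridging design described above, together with the demonstration's steps (create a site, set the inter-site replication interval and schedule), as an added example that is not part of the course and not Microsoft's own code. It builds a hub-and-spoke topology with the ActiveDirectory module (Windows Server 2008 R2 or later), turns off Bridge all site links so that the branches never replicate with each other, and then reads back the defaults of DEFAULTIPSITELINK. The site names, subnets, costs and the server name SEA-DC1 are assumptions.

```powershell
# Added example, not part of the course: build the hub-and-spoke site design
# described above and the demonstration's site, interval and schedule steps with
# the ActiveDirectory module (Windows Server 2008 R2 or later). Site names,
# subnets, costs and the server name SEA-DC1 are hypothetical.
Import-Module ActiveDirectory

$hub    = 'Default-First-Site-Name'              # existing site holding the datacenter DCs
$spokes = @{ 'Denver' = '10.20.0.0/16'; 'Portland' = '10.30.0.0/16' }

# 1. Sites and subnets. A client locates a DC in the site whose subnet contains its
#    address, so every branch range must be mapped or clients fall back to any DC.
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site $hub
foreach ($site in $spokes.Keys) {
    New-ADReplicationSite   -Name $site
    New-ADReplicationSubnet -Name $spokes[$site] -Site $site
}

# 2. Site links mirror the WAN links: one link per hub-to-branch circuit. Replicate
#    every 30 minutes, but only between 00:00 and 06:00, when the WAN is idle.
$offPeak = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$offPeak.SetDailySchedule('Zero', 'Zero', 'Six', 'Zero')
foreach ($site in $spokes.Keys) {
    New-ADReplicationSiteLink -Name "$hub-$site" -SitesIncluded $hub, $site `
        -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 30 `
        -ReplicationSchedule $offPeak
}

# 3. Hub-and-spoke: branches must not replicate with each other if the hub is down.
#    Clear "Bridge all site links" on the IP transport by setting the
#    NTDSTRANSPORT_OPT_BRIDGES_REQUIRED bit (0x2) in its options attribute. From now
#    on only explicit site link bridges are transitive, and none are created here.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$options = (Get-ADObject -Identity $ipTransport -Properties options).options
Set-ADObject -Identity $ipTransport -Replace @{ options = ($options -bor 0x2) }

# 4. Verify. The untouched DEFAULTIPSITELINK shows the defaults a new link gets
#    (cost 100, every 180 minutes, available 24 hours a day); then ask the KCC on
#    the hub bridgehead to recompute the topology and list its replication partners.
Get-ADReplicationSiteLink -Identity DEFAULTIPSITELINK -Properties Cost, ReplicationFrequencyInMinutes
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
repadmin /kcc SEA-DC1
repadmin /showrepl SEA-DC1
```

Step 3 is the one to think about before running it: with automatic bridging off, a branch whose only site link is to the hub has no replication path at all while the hub's domain controllers are unreachable, which is exactly the intended behaviour in this design but must be stated in the design document. If some links should remain transitive, create a site link bridge for just those links with New-ADReplicationSiteLinkBridge.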


What Is a Read-Only Domain Controller?

Key Points

A read-only domain controller (RODC) is a new type of domain controller in Windows Server 2008. With an RODC, organizations can deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts a read-only replica of the AD DS database for a given domain, and it can also function as a global catalog server.

Beginning with Windows Server 2008, an organization can deploy an RODC to address scenarios with limited wide area network (WAN) bandwidth or poor physical security for computers. As a result, users in this situation can benefit from:

• Improved security

• Faster logon times

• More efficient access to resources on the network


An RODC provides the following features:

• Read-only Active Directory database. Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the replica stored on the RODC. Changes must be made on a writable domain controller and replicated back to the RODC.

• Unidirectional replication. Because no changes are written directly to the RODC, no changes originate there. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This reduces the workload of bridgehead servers in the hub and the effort required to monitor replication, and it means that changes made to a stolen or tampered-with RODC are never replicated into the rest of the directory.

• Credential caching. Credential caching is the storage of user or computer credentials on the RODC. The credentials for a security principal consist of a small set of roughly ten password-derived secrets. By default, an RODC does not store user or computer credentials. The only exceptions are the RODC's own computer account and a special krbtgt account (the Kerberos key distribution center account) that is unique to each RODC. You must explicitly allow any other credential caching on an RODC through its Password Replication Policy.

• Administrator role separation. You can delegate the local administrator role of an RODC to any domain user without granting that user any rights in the domain or on other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver, but it does not give that user the right to log on to any other domain controller or to perform any other administrative task in the domain.

• Read-only Domain Name System. You can install the Domain Name System (DNS) Server service on an RODC. An RODC can replicate all the application directory partitions that DNS uses, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an RODC, clients can query it for name resolution as they would any other DNS server. Because its copies of the zones are read-only, the RODC does not accept dynamic updates; a client that tries to register a record is referred to a DNS server that hosts a writable copy of the zone.


The following points help summarize the RODC role:

• The domain controller that holds the PDC emulator operations master role for the domain must be running Windows Server 2008. This is necessary for creating the new krbtgt account for the RODC and for ongoing RODC operations.

• The RODC must be able to forward authentication requests to a writable domain controller running Windows Server 2008, acting as a global catalog server, in the site closest to the site of the RODC. That writable domain controller evaluates the RODC's Password Replication Policy for each forwarded request to decide whether the credentials may be replicated to the branch location.

• The domain functional level must be at least Windows Server 2003 so that Kerberos constrained delegation is available. Constrained delegation is used for security calls that must be impersonated under the context of the caller.

• The forest functional level must be at least Windows Server 2003 so that linked-value replication is available. This provides a higher level of replication consistency.

• You must run adprep /rodcprep one time in the forest. This will update the permissions on all of the DNS application directory partitions in the forest to facilitate replication between RODCs that are also DNS servers.

• Multiple RODCs for the same domain in the same site are not supported because RODCs in the same site do not share information with each other. Therefore, deploying multiple RODCs for the same domain in the same site can lead to inconsistent logon experiences for users, if the writable domain controllers cannot be reached on the network.

• An RODC cannot hold operation master roles or function as a replication bridgehead server.

• You can deploy an RODC on Server Core for additional security.


Demonstration: Deploying an RODC

Key Points

• Prepare the forest for an RODC.

• Deploy an RODC into a new site.

• Configure and verify the password replication policy for the RODC.

High-level steps:

1. Prepare the forest with the adprep /rodcprep command.

2. Deploy the domain controller role on the SEA-SVR1 server.

3. Configure the RODC password replication policy for SEA-SVR1.

Question: Why is it desirable to not cache administrator passwords on an RODC?
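The prerequisites summarized in the previous topic and the three demonstration steps, as an added example that is not part of the course and not Microsoft's own code: it checks the functional levels, the PDC emulator's operating system and whether adprep /rodcprep has run, promotes SEA-SVR1 as an RODC with a delegated administrator and an initial password replication policy, and then audits which credentials the RODC has actually cached. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later); the Install-ADDSDomainController step exists from Windows Server 2012 onward (on Windows Server 2008 the same step is a dcpromo run); the group names, the site name Seattle, and the marker object used to detect rodcprep are assumptions.

```powershell
# Added example, not part of the course: check the RODC prerequisites listed above,
# stage the RODC, then set and audit its password replication policy. Requires the
# ActiveDirectory module (Windows Server 2008 R2 or later); Install-ADDSDomainController
# needs Windows Server 2012 or later (on 2008 it is a dcpromo run). SEA-SVR1 is the
# course's server; the group and site names are hypothetical.
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $pdc    = Get-ADDomainController -Identity $domain.PDCEmulator
    # adprep /rodcprep records its completion in this marker object (assumed name).
    $marker = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$((Get-ADRootDSE).configurationNamingContext)"
    $rodcPrepDone = try { [bool](Get-ADObject -Identity $marker) } catch { $false }
    [pscustomobject]@{
        ForestModeOk  = $forest.ForestMode -ge 'Windows2003Forest'   # linked-value replication
        DomainModeOk  = $domain.DomainMode -ge 'Windows2003Domain'   # constrained delegation
        PdcEmulator   = $pdc.HostName
        PdcEmulatorOs = $pdc.OperatingSystem                          # must be Windows Server 2008 or later
        PdcOsOk       = $pdc.OperatingSystem -notmatch '2000|2003'
        RodcPrepDone  = $rodcPrepDone
    }
}
Test-RodcPrerequisites

# Promote SEA-SVR1 as an RODC in the branch site, with DNS, a delegated local
# administrator and an initial password replication policy (run on SEA-SVR1).
Install-ADDSDomainController -DomainName 'adatum.com' -ReadOnlyReplica -SiteName 'Seattle' -InstallDns `
    -Credential (Get-Credential 'ADATUM\Administrator') `
    -DelegatedAdministratorAccountName 'ADATUM\Seattle Branch Admins' `
    -AllowPasswordReplicationAccountName 'ADATUM\Seattle Branch Users', 'ADATUM\Seattle Branch Computers' `
    -DenyPasswordReplicationAccountName 'ADATUM\Tier 0 Service Accounts' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# Adjust the policy later. "Deny" always wins over "Allow", and the built-in Denied
# RODC Password Replication Group already covers Domain Admins, Enterprise Admins,
# Schema Admins, krbtgt and other highly privileged accounts.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'SEA-SVR1' -AllowedList 'Seattle Branch Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'SEA-SVR1' -DeniedList  'Tier 0 Service Accounts'
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'SEA-SVR1' -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'SEA-SVR1' -Denied  | Select-Object Name

# Audit: which secrets are really on the RODC? Any privileged account listed here is
# exposed if the branch server is stolen, and its password should then be reset.
function Get-RevealedPrivilegedAccounts {
    param([string] $Rodc)
    $privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Where-Object { $privileged -contains $_.SamAccountName }
}
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'SEA-SVR1' -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-RevealedPrivilegedAccounts -Rodc 'SEA-SVR1'
```

The last two commands answer the demonstration's question in practice: the revealed list is the set of secrets an attacker obtains from the RODC's disk, so an administrator name appearing there means a stolen branch server is a domain compromise rather than a branch outage. The same list is available from the command line with repadmin /prp view SEA-SVR1 reveal.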


Lab: Planning for Active Directory

Note: Your instructor may run this lab as a class discussion.

Adatum Corporation has recently acquired Contoso, a company with a range of compatible products. Allison Brown, the IT Manager, has asked you to create a document with recommendations about how best to incorporate the Contoso network infrastructure into that of Adatum. Adatum has a large, wholly U.S.-based network, with offices across the United States. Contoso has operations in the U.S., but also in Europe and the Far East.

The following table summarizes the high-level information:

                              Adatum                        Contoso
Total number of computers     10,000                        10,000
Number of countries           1                             5
Current directory service     Windows Server 2008 AD DS     Windows NT 4.0 single-master domain model
Number of forests             1                             0
External DNS name             Adatum.com                    Contoso.com
Number of domains             1                             5

Exercise 1: Selecting a Forest Topology

Scenario

You begin to conduct a survey and exchange a number of e-mails with colleagues who have been on-site at Contoso. You determine that Contoso currently uses a Windows NT 4.0 domain infrastructure consisting of five domains with appropriate trust relationships connecting the domains.

The main tasks for this exercise are as follows:

• Read the supporting documentation.

• Answer the questions in the Contoso Domain Migration document.

Task 1: Read the supporting documentation

• Read the supporting documentation.

Task 2: Update the Contoso Domain Migration document with your planned forest topology

• Answer the questions in the Contoso Domain Migration document.


Supporting Documentation

E-mail thread of correspondence with Alan Steiner:

Gregory Weber
From: Alan Steiner [[email protected]]
Sent: 31 July 2009 14:50
To: [email protected]
Subject: Re: Contoso Domain Migration
Attachments: Windows NT4.0 Single-Master Model.doc

Greg,

I’ve attached a document I located in an old TechNet library CD. It provides some useful tips. The only comment I’d make is that the single-master domain model is usually implemented in order to keep all the user accounts in one account-holding domain, and all the resources in multiple resource-holding domains. These days, you’d probably want to use organizational units within a domain to hold the resources—like computers and so forth. You’d almost certainly need to reduce the number of domains.

Regards,

Alan

----- Original Message ----- From: Gregory Weber [[email protected]] Sent: 31 July 2009 14:45 To: [email protected] Subject: Contoso Domain Migration

Hello Alan,

Allison has asked me to draw up a proposal for a migration of the Contoso network into our network infrastructure. I understand it’s running Windows NT 4.0. I’m simply trying to determine the number and configuration of forests at this point, but don’t have much experience with these older Windows NT 4.0 domain models. Do you have any guidance or general advice?

Regards,

Greg


Windows NT4.0 Single-Master Model.doc

Windows NT supports four domain models:

• Single domain. In this model, there is only one domain. The domain holds both user/group accounts and resources. There is a single administrator for both resources and user/group accounts.

• Single-master domain. In this model, there is an account-holding domain and as many resource-holding domains as required to support an organization's requirements. Administration is separated: the account-holding administrator has no administrative control over the resource-holding domains, and the administrators in the resource-holding domains have no administrative control over the account-holding domain, nor over each other's resource-holding domains. One-way trusts are established between the resource-holding and account-holding domains so that users and groups from the account-holding domain (trusted) can be granted permissions, through the trust, to resources in the resource-holding domain (trusting) at the discretion of the resource-holding administrator.

• Multimaster domain. Windows NT 4.0 supports a maximum of around 15,000 user accounts in a single domain. Where organizations require the administrative separation of the single-master domain model, but have a large user base, they opt for the multimaster model. Additional trusts are required to facilitate this model.

• Complete trust. In this model, all domains trust all other domains. This provides for the ability for users in any domain potentially to gain access to resources held in any other domain. This model is the most similar to what AD DS provides.


Gregory Weber
From: Alan Steiner [[email protected]]
Sent: 04 August 2009 08:45
To: [email protected]
Subject: Re: Details of Contoso domain model
Attachments: Adatum AD DS Overview.vsd; Contoso NT 4 Domain Overview.vsd

Greg,

I do, and I’ve attached it—together with one of the Adatum.com domains. As you know, we have a single AD DS domain, and use organizational units to manage resources and sites for replication control. Contoso, of course, cannot use organizational units or sites, as Windows NT 4.0 domains do not support them. This is probably why they have several domains—to better control Windows NT 4.0 domain replication. It’s possibly why they have four resource domains, too.

Regards,

Alan

----- Original Message ----- From: Gregory Weber [[email protected]] Sent: 03 August 2009 09:10 To: [email protected] Subject: Details of Contoso domain model

Alan,

Thanks for that Windows NT 4.0 document; it was very helpful. Do you happen to have any diagrams of the actual domain infrastructure?

Thanks,

Greg


Adatum AD DS Overview.vsd

Contoso NT 4 Domain Overview.vsd


Contoso Domain Migration

Document Reference Number: GW0809/1
Document Author: Gregory Weber
Date: 5th August

Requirement Overview

To devise an appropriate forest and domain topology for the merged companies.

Additional Information

The new company will continue to operate with dual names; that is, the Adatum and Contoso brands are equally important.

It is anticipated that the existing Windows NT 4.0 domain controllers and servers will be replaced as part of the migration process.

Proposals

1. Do you intend to upgrade the domain controllers in the Contoso network to Windows Server 2008?

2. How many forests do you anticipate?

3. How many domains do you plan to implement?

4. How many trees do you envisage?

5. What trust relationships, aside from those created automatically, will you require?


6. Provide a sketch of the completed forest.

Results: After this exercise, you should have a completed Contoso Domain Migration document.


Exercise 2: Planning Active Directory for a Branch Network

Scenario

Adatum has a number of new sales offices in the western region. Allison Brown has asked you to determine the appropriate Active Directory configuration for them, and to document your proposals.

The main tasks for this exercise are as follows:

• Read the supporting documentation.

• Answer the questions in the Branch Office Planning document.

Supporting Documentation

E-mail thread of correspondence with Alan Steiner:

From: Alan Steiner [[email protected]]
Sent: 24 August 2009 14:02
To: [email protected]
Subject: Re: Branch Office Plan
Attachments: Sales Office Details.doc

Greg,

Take a look at the attached document. Get back to me with any questions. I got this from Joe Healy, the Sales manager.

Alan

----- Original Message -----
From: Gregory Weber [[email protected]]
Sent: 24 August 2009 13:30
To: [email protected]
Subject: Branch Office Plan

Alan,

What can you tell me about these new sales offices?

Thanks,

Greg


Sales Office Details.doc

In the sales offices, we have a number of line-of-business applications, including a Microsoft SQL Server®–based database. The local sales office updates and replicates back to the head office overnight. The SQL Server database needs access to a directory of customers.

In the western region, we have three offices, each with around 100 computers. We have a routed connection back to the head office.

Alan Steiner tells me that name resolution is provided by WINS and DNS, as we have a legacy NetBIOS application.

There was some talk of creating a separate name space for sales, such as Sales.adatum.com, but we have implemented this only as an e-mail domain. The computers are all part of the Adatum.com domain.

We’ve had some issues in the past with security; we often have members of the public in our sales offices, and consequently security is a critical factor. We don’t always have the option of a secure computer room, and so our laptops are locked to the desks. Servers are often to be found in a closet, or small office.

Each branch office consists of a number of subnets; two for hosting the sales staff laptops and another for branch network servers.


Branch Office Planning

Document Reference Number: GW0809/2
Document Author: Gregory Weber
Date: 1st September

Requirement Overview

To determine the placement and configuration of domain controllers and related services at the western region sales offices.

Additional Information

It is important that in the event of a link failure between the head office and branch offices, users are still able to log on to the network and access services.

Proposals

1. Do you intend to deploy a domain controller(s) in the branch offices? How many?

2. Will you deploy an RODC(s)?

3. How will you optimize the directory replication for the branches?

4. How will domain controllers know in which branch they are located?

5. Do you anticipate the need for global catalog services?

6. How will you configure global catalog and DNS?

7. What additional Active Directory–related services are required to support the branch office line-of-business applications?


Task 1: Read the supporting documentation

• Read the supporting documentation.

Task 2: Update the Branch Office Planning document with your proposals

• Answer the questions in the Branch Office Planning document.

Results: After this exercise, you should have a completed Branch Office Planning document.


Exercise 3: Deploying a Branch Domain Controller

Scenario

You have been tasked with performing the deployment of the new domain controller at the Redmond sales branch office.

The main tasks for this exercise are as follows:

1. Start the virtual machines and log on.

2. Raise the domain and forest functional level.

3. Create a new site and subnet object.

4. Configure the replication interval for the new site.

5. Prepare the forest for the new RODC.

6. Deploy the new RODC.

7. Configure the password replication policy and prepopulate the password cache.

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.

2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.

3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.

4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.

5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.

6. Minimize the Lab Launcher window.

Task 2: Raise the domain functional level

1. Switch to the SEA-DC1 computer.

2. Open Active Directory Users and Computers.


3. Raise the domain functional level to Windows Server 2008.

4. Close Active Directory Users and Computers.

Note: Raising a functional level is a one-way operation on Windows Server 2008; it cannot be lowered again. Confirm that no Windows Server 2003 or earlier domain controllers remain, or are planned, before raising it. The Windows Server 2008 domain functional level is what makes DFS Replication of SYSVOL and fine-grained password policies available; the RODC itself only requires the Windows Server 2003 forest functional level.

Task 3: Raise the forest functional level

1. Open Active Directory Domains and Trusts.

2. Raise the forest functional level to Windows Server 2008.

3. Close Active Directory Domains and Trusts.

Task 4: Create the Redmond site

1. Open Active Directory Sites and Services.

2. Create a new site with the following properties:

• Name: Redmond

• Associated site link: DEFAULTIPSITELINK

Task 5: Configure the replication interval

1. In Active Directory Sites and Services, expand Inter-Site Transports, expand IP, and then click IP.

2. Modify the replication interval for DEFAULTIPSITELINK:

• Replicate every: 15 minutes

Task 6: Create the 10.10.0.0/16 subnet

1. In Active Directory Sites and Services, in the console, right-click Subnets, and then click New Subnet.

2. Create a new subnet with the following properties:

• Prefix: 10.10.0.0/16

• Site Name: Redmond

3. Close Active Directory Sites and Services.


Task 7: Prepare the forest for the RODC

1. Open the Command Prompt.

2. At the command prompt, type each of the following commands, and then press ENTER:

• D:

• cd \Labfiles\Mod03\adprep

• adprep /rodcprep

Note: adprep /rodcprep must be run by a member of Enterprise Admins. It updates the permissions on the DNS application directory partitions so that an RODC can replicate them, and it needs to contact the infrastructure master of each partition. It is only required once per forest; running it again in a forest that has already been prepared is harmless.

3. Close the command prompt.

Task 8: Promote a new domain controller for the branch office

1. Switch to the SEA-SVR1 computer.

2. Run dcpromo with advanced mode installation.

3. Use the following options to complete the process:

• Operating System Compatibility page: default.

• Choose a Deployment Configuration page: Existing forest.

• Network Credentials page: default.

• Select a Domain page: default.

• Select a Site page: default.

• Additional Domain Controller Options page: select the Read-only domain controller (RODC) check box. (Note: Leave the other check boxes selected.)

• In the Static IP assignment dialog box, click Yes, the computer will use a dynamically assigned IP address (not recommended).

• Specify the Password Replication Policy page: default.

• Delegation of RODC Installation and Administration page: default.

• Install from Media page: default.

• Source Domain Controller page: default.


• Location for Database, Log Files, and SYSVOL page: default.

• Directory Services Restore Mode Administrator Password page:

• Password: Pa$$w0rd.

• Confirm: Pa$$w0rd.

• In the Active Directory Domain Services Installation dialog box, select the Reboot on completion check box.

Task 9: Configure the password replication policy

1. When SEA-SVR1 has restarted, log on to the SEA-SVR1 virtual machine as ADATUM\Administrator with a password of Pa$$w0rd.

2. Switch to the SEA-DC1 computer.

3. Open Active Directory Users and Computers.

4. Locate SEA-SVR1 in the Domain Controllers folder.

5. View the Password Replication Policy page of the SEA-SVR1 Properties dialog box.

6. Grant the SalesGG global group the Allow passwords for the account to replicate to this RODC permission.

7. Click Apply, and then click Advanced.

8. From the Resultant Policy tab of the Advanced Password Replication Policy for SEA-SVR1 dialog box, verify that Joe’s account is allowed to cache its password.


Task 10: Prepopulate the password cache

1. From the Policy Usage tab of the Advanced Password Replication Policy for SEA-SVR1 dialog box, click Prepopulate Passwords.

2. Prepopulate the following user accounts’ passwords:

• Joe; Jim; Parul; Heiko; Claus

3. Close Active Directory Users and Computers.

Results: After this exercise, you should have successfully deployed an RODC for the Redmond sales office.
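The same deployment as a script, added here as an example and not part of the course lab or its lab files: it performs Tasks 4 to 7, 9 and 10 from SEA-DC1 with the tools that ship with Windows Server 2008 (ADSI through PowerShell, adprep, dsquery and repadmin), and writes an unattended answer file that reproduces the wizard choices of Task 8 for dcpromo on SEA-SVR1. The machine, site, subnet, group and user names are the lab's; the answer file path, running as a member of Enterprise Admins, the answer-file key names, and the location of the user accounts (resolved with dsquery rather than assumed) are assumptions.

```powershell
# Added example: scripted equivalent of Tasks 4 to 10 of Exercise 3. Not part of the course.
# Assumes Windows Server 2008 (no ActiveDirectory PowerShell module), run on SEA-DC1 as a
# member of Enterprise Admins. Names from the lab: Redmond, 10.10.0.0/16, SEA-DC1, SEA-SVR1,
# SalesGG and the five users. Paths and answer-file keys are assumptions for illustration.

$ErrorActionPreference = 'Stop'

$cfgNC   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$sitesDN = "CN=Sites,$cfgNC"
$siteDN  = "CN=Redmond,$sitesDN"
$linkDN  = "CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,$sitesDN"

# --- Tasks 4 and 6: site and subnet objects (what the ADSS wizard creates) ---
$sites = [ADSI]"LDAP://$sitesDN"
$site  = $sites.Create('site', 'CN=Redmond')
$site.SetInfo()
# ADSS always creates these two children; the KCC expects them to exist.
$site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings').SetInfo()
$site.Create('serversContainer', 'CN=Servers').SetInfo()

$subnet = ([ADSI]"LDAP://CN=Subnets,$sitesDN").Create('subnet', 'CN=10.10.0.0/16')
$subnet.Put('siteObject', $siteDN)           # the "Site Name: Redmond" association
$subnet.SetInfo()

# --- Task 5: replication interval, and add the new site to the site link ---
$link = [ADSI]"LDAP://$linkDN"
$link.Put('replInterval', 15)                # minutes
$link.PutEx(3, 'siteList', @($siteDN))       # 3 = ADS_PROPERTY_APPEND
$link.SetInfo()

# --- Task 7: forest preparation (Enterprise Admins; updates DNS application partitions) ---
& 'D:\Labfiles\Mod03\adprep\adprep.exe' /rodcprep

# --- Task 8 runs on SEA-SVR1, not here: dcpromo /unattend:C:\rodc.txt with this answer
#     file reproduces the wizard choices. Password=* prompts for the domain credentials.
#     The DSRM password is in clear text in this file: delete the file after promotion and,
#     outside the lab, never reuse the domain Administrator password for it.
$answerFile = @'
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=adatum.com
SiteName=Redmond
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=adatum.com
UserName=Administrator
Password=*
PasswordReplicationAllowed="ADATUM\SalesGG"
SafeModeAdminPassword=Pa$$w0rd
RebootOnCompletion=Yes
'@
Set-Content -Path '\\SEA-SVR1\C$\rodc.txt' -Value $answerFile

# --- Tasks 9 and 10: run after SEA-SVR1 has been promoted and has replicated.
#     repadmin /prp is the command-line face of the Password Replication Policy tab.
function Resolve-UserDN([string]$SamAccountName) {
    # dsquery ships with Windows Server 2008 and returns the DN in double quotes.
    (& dsquery.exe user -samid $SamAccountName).Trim('"')
}

& repadmin.exe /prp add SEA-SVR1 allow 'ADATUM\SalesGG'
& repadmin.exe /prp view SEA-SVR1 allow

$branchUsers = 'Joe', 'Jim', 'Parul', 'Heiko', 'Claus'
foreach ($u in $branchUsers) {
    # Pushes the account's secrets from the hub DC to the RODC. It fails for any account
    # the resultant PRP does not allow, which is the check the lab does by hand.
    & repadmin.exe /rodcpwdrepl SEA-SVR1 SEA-DC1 (Resolve-UserDN $u)
}

# 'reveal' lists whose passwords the RODC now holds; 'auth2' lists who has authenticated
# through it. Every account in 'reveal' must be reset if the branch server is ever lost
# (deleting the RODC computer object in Active Directory Users and Computers offers this).
& repadmin.exe /prp view SEA-SVR1 reveal
& repadmin.exe /prp view SEA-SVR1 auth2
```

The reveal list is the inventory of credentials at risk if the closet server at the branch is stolen, which is why the allowed list should stay as narrow as the branch users require and why the default deny entries (Administrators, Server Operators, Backup Operators, Account Operators, Denied RODC Password Replication Group) should not be removed.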

To prepare for the next module

1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.

2. In the Close box, select Turn off machine and discard changes. Click OK.


Module Review and Takeaways

Review Questions

1. In a multidomain network, why is the global catalog server important?

2. From a security perspective, what is the difference between implementing a forest with two trees, and implementing two forests with forest trusts established between them?

3. Why would you implement shortcut trusts between domains?

4. What domain functional level is required to support the redirection of the default Users and Computers containers?


5. You are concerned about the reliability of using FRS to replicate the SYSVOL folder between domain controllers. What domain functional level must you select in order to use DFS Replication for SYSVOL instead?

6. During the creation of a site object, with which other object must you associate it?


Module 4 Planning for Group Policy

Contents:

Lesson 1: Planning Group Policy Application 4-3

Lesson 2: Planning Group Policy Processing 4-13

Lesson 3: Planning the Management of Group Policy Objects 4-24

Lesson 4: Planning the Management of Client Computers 4-37

Lab: Planning for Group Policy 4-52


Module Overview

Group Policy is an essential part of any Windows Server® 2008 network. It can be used as a centralized management tool to distribute settings and applications to computers. For servers, group policy is typically used to distribute security settings. For client computers, group policy is used to configure the user environment and distribute applications.

Objectives

After completing this module, you will be able to:

• Plan group policy application.

• Plan group policy processing.

• Plan the management of group policy objects.

• Plan the management of client computers.


Lesson 1 Planning Group Policy Application

Group Policy objects contain a wide variety of settings that can be applied to users or computers. An effective plan for implementing group policy needs to take into account how and when these settings are applied. This ensures that the application of group policy objects is predictable.

Objectives

After completing this lesson, you will be able to:

• Describe the types of group policy settings.

• Describe the considerations for group policy application.

• Describe the considerations for group policy application exceptions.

• Describe the new group policy features in Windows Server 2008.


Demonstration: Reviewing and Modifying Group Policy Settings

Key Points

A Group Policy Object (GPO) contains thousands of settings that you can use to control servers and client computers. However, individual settings are restricted in how they can be applied.

The settings in a GPO that apply to a computer are limited by the operating system of the computer. For example, some settings will apply to Windows Server 2008 but not Windows Server 2003. Windows Server 2003 ignores a setting that is specific to Windows Server 2008.

A GPO has both user and computer settings. The user settings apply based on the location of the user object in Active Directory® directory services. The computer settings apply based on the location of the computer object in Active Directory.


A GPO also contains preferences. Unlike policy settings, which the user cannot change, preferences supply a default configuration that the user can modify afterwards (and a preference item can be set to apply once rather than at every refresh). Preferences are new with Windows Server 2008: Windows Server 2008 includes the preference client-side extensions, and Windows Vista® and Windows XP clients need them installed before they can process preference items. They are used to configure things such as Open Database Connectivity (ODBC) data sources, printers, and mapped drive letters. Do not use preference items to set account passwords; a password in a preference item is only obfuscated in SYSVOL, which every domain user can read.

To review or modify the settings in a GPO:

1. Open Group Policy Management.

2. Browse to the Group Policy Objects container.

3. To modify a GPO, right-click it, and then click Edit.

4. To review the settings in a GPO, click the GPO, and then select the Settings tab to see a report of every configured setting.

Additional Reading

• Windows Server® Group Policy page on the TechNet Web site: http://go.microsoft.com/fwlink/?LinkId=99449


Considerations for Group Policy Application

Key Points

Clients initiate Group Policy application by requesting GPOs from Active Directory Domain Services (AD DS). When Group Policy is applied to a user or computer, a client component interprets each part of the policy and makes the corresponding environment changes. These components are known as Group Policy client-side extensions (CSEs). As GPOs are processed, the Group Policy engine (part of Winlogon on Windows XP and Windows Server 2003; the Group Policy Client service on Windows Vista and Windows Server 2008) passes the list of GPOs that must be processed to each client-side extension. The extension then uses the list to process the settings it is responsible for, when applicable.

Consider the following:

• Computer settings are processed when the computer starts. To apply new computer settings immediately, you may need to reboot the system.

• User settings are processed when a user logs on. To apply new user settings, you may need to log off and log back on.


• You can speed up Group Policy processing by disabling unnecessary parts of a GPO. For example, if a GPO is linked to an organizational unit (OU) that contains only user accounts, you can disable the computer configuration portion of the GPO.

• Group Policy objects are cached locally and refreshed at timed intervals. By default, workstations and member servers refresh every 90 minutes, plus a random offset of up to 30 minutes so that clients do not all contact the domain controller at once. Domain controllers refresh every 5 minutes. You can force an immediate refresh by running gpupdate (gpupdate /force reapplies all settings, not only those that have changed). Some extensions, such as software installation and folder redirection, only process at startup or logon, so a background refresh alone will not apply those settings.


Group Policy Application Exceptions

Key Points

Typically, all settings from a GPO are applied during the startup and logon process. However, there are exceptions that need to be considered.

Slow Link Detection

If Group Policy detects a slow link, specific client-side extensions do not process their settings. By default, software installation and folder redirection are skipped over a slow link, while security settings and administrative templates are always applied. The default slow link threshold is 500 kilobits per second (Kbps), but this is configurable, as is the slow-link behavior of each extension.

Slow link detection is useful for controlling how Group Policy is processed at branch offices and for roaming users with a virtual private network (VPN) connection. For example, you may not want to automatically install software over a VPN connection.


Cached Credentials

When a Windows XP or Windows Vista computer is experiencing network connectivity issues, a user may still log on by using cached credentials. The locally cached Group Policy settings still apply to this user, but new Group Policy settings are not applied until the computer can reach a domain controller and download the updated GPOs. If this is a concern, you can reduce or disable credential caching with the security setting Interactive logon: Number of previous logons to cache (in case domain controller is not available); setting it to 0 disables cached logons, at the cost of preventing mobile users from logging on while disconnected.

Remote Access Connections

When a user logs on over a VPN connection, both user and computer settings are downloaded to the computer, subject to slow link detection, but may not be applied immediately. Computer settings that are only processed at startup, such as software installation, are not applied until the computer next starts while connected to a domain controller. User settings are applied as part of the logon process if the user initiates the VPN connection as part of the logon process. If the user logs on to the computer first and then initiates the VPN connection, Group Policy is processed as a background refresh, which likewise skips the extensions that require foreground processing.

Moved Computer or User Objects

When a computer or user object is moved in Active Directory, the new Group Policy settings are not applied immediately. It can take up to 30 minutes for the Group Policy client to notice the new object location, and the GPOs linked to the new location are then applied only at the next refresh (approximately 90 minutes).

For more information about Group Policy processing exceptions see Controlling Client-Side Extensions by Using Group Policy on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=99452.


New Group Policy Features in Windows Server 2008

Key Points

The new features in Group Policy enhance its functionality and make it easier to manage.

New Policies

If you are using Windows Vista as a desktop operating system, there are several new categories of settings in Group Policy.

• Power management settings. You can centrally control power management for Windows Vista computers. This can be used to save money by putting computers to sleep at night when they are not in use.

• Blocking device installation. You can control the use of removable storage devices. This allows you to prevent users from copying corporate data onto USB storage devices, and to stop unapproved device classes from installing at all.

• Firewall and IPsec settings. The settings for Windows Firewall with Advanced Security and IPsec are now managed together in one policy node. This reduces confusion where the two could previously conflict.


• Internet Explorer settings. The way Microsoft® Internet Explorer® settings are applied has been modified to reduce the risk of unexpected behavior when combined with local settings.

• Location-based printing. You can now assign printers to users based on location. This allows roaming users to have the correct printers for the location they are in. For example, a laptop user would have one set of printers in the head office and another set of printers when at a branch office.

• Delegation of printer driver installation. There is now a setting to enable non-administrators to install new printer drivers. This is important for roaming users that may need to install a printer driver at a client site.

Note: Windows 7 also includes these categories of settings.

ADMX Templates

The administrative templates in previous versions of Windows were ADM files, a copy of which was stored inside every GPO that used them. Windows Server 2008 and Windows Vista use ADMX files instead: a language-neutral ADMX file describes each setting, and per-language ADML files supply the display text. ADMX files can be placed in a central store in SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions) so that every administrator edits from the same set of templates and the templates are no longer copied into each GPO. The main benefits are easier editing, multi-language support, and a smaller SYSVOL.

Note: More information about ADMX files is provided in the topic “Administering Group Policy Objects.”

Network Location Awareness

Windows Vista includes Network Location Awareness to accurately determine network conditions. Group Policy uses this information to determine appropriate actions. For example, if there is no connectivity to a domain controller, Group Policy will not wait to time out, resulting in a faster startup.


The two primary scenarios where this is a benefit are:

• Connecting over VPNs. A background refresh of Group Policy is initiated when users connect to the VPN.

• Processing Group Policy through a firewall. If a firewall is configured to block ICMP packets, Network Location Awareness still functions properly. Slow link detection in Windows XP required the use of ICMP packets.

For more information about new features in Windows Server 2008 Group Policy see the Group Policy page in the TechNet Web site http://go.microsoft.com/fwlink/?LinkID=164082&clcid=0x409.


Lesson 2 Planning Group Policy Processing

Group Policy objects are processed primarily based on where the GPO is linked in Active Directory. However, there are additional options that modify the default processing. Filtering lets you control Group Policy processing based on the group membership of users or computers, or on Windows Management Instrumentation (WMI) queries evaluated on the computer. You can block Group Policy inheritance to stop settings from being applied to lower OUs. Alternatively, you can enforce a GPO link to ensure that its settings are applied to all users or computers beneath it. Loopback processing can be used to apply user settings based on the computer the user logs on at.

Objectives

After completing this lesson, you will be able to:

• Describe the considerations for Active Directory structure.

• Describe the considerations for using filtering.

• Describe the considerations for modifying inheritance.

• Describe the considerations for using loopback processing.


Considerations for Active Directory Structure

Key Points

GPOs can be created and linked to several locations. The GPOs are processed in a specific order, with the last processed GPO having the highest precedence. When settings conflict between GPOs, the setting from the GPO with the highest precedence is the one that takes effect; settings that do not conflict are all applied.

The processing order is: local Group Policy, site-level GPOs, domain-level GPOs, first-level organizational unit GPOs, second-level organizational unit GPOs, and so on down the OU hierarchy to the OU that contains the user or computer object.

When planning the Active Directory structure, keep the followings GPO considerations in mind:

• Local group policy is typically only used when a setting needs to be applied to only a single computer such as a kiosk.

• Site level GPOs are useful for enforcing policies at a single physical location that has multiple domains. Also, software distribution can be performed at the site level to ensure that a local source is used for the installation. In general, Microsoft recommends linking GPOs to domains and OUs rather than sites.


• A site-linked GPO exists in only one domain. If the GPO is being applied to users or computers in another domain, it may slow down Group Policy processing.

• Domain-level GPOs are useful for applying standardized settings to an entire domain. Also, there are some settings, such as the password and account lockout policies that apply to domain accounts, that must be configured at the domain level.

Note: Windows Server 2008 introduces fine-grained password policies, which allow you to apply different password and lockout settings to groups of users rather than the entire domain. They require the Windows Server 2008 domain functional level and are defined as password settings objects, not in Group Policy.

• Organizational unit GPOs are useful for applying standardized settings to a particular set of users or computers, such as a department or a class of servers.

• Create your OU structure to support group policy. For example create OUs for various workgroups or classes of users to support applying different policies to each workgroup. The same applies to computer objects.

• When multiple GPOs are linked at the same level, you can configure the link order for each GPO. The GPO with the lowest link order number (1) is processed last and therefore has the highest precedence.

• GPOs cannot be linked to the default Users or Computers containers. Only GPOs linked at the domain level apply to users and computers in those containers. Consider moving user and computer objects into OUs to provide more flexibility.

• Multiple local GPOs can be applied only to local users and groups. This is typically used only when a local user logs on. For example, a kiosk computer where users do not log on to the Active Directory domain and you want to differentiate between the user settings applied to standard users and the local Administrator.

For more information about group policy processing, see group policy processing and precedence on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=99456.


Considerations for Using Filtering

Key Points

There are two ways in which filtering can be applied to Group Policy processing. Security filtering controls which GPOs are processed based on the membership of the user or computer in security groups. WMI filters control GPO processing based on WMI queries evaluated on the target computer; WMI queries can retrieve most hardware and software configuration information.

When using filtering, consider the following:

• The use of security filtering can simplify OU planning for a domain. For example, you can create an OU for the accounting department with one generic GPO for all users and then have additional GPOs filtered by security group membership for workgroups such as payables within the accounting department.

• The use of WMI filtering can ensure that new software is installed only to appropriate computers. For example, a new application could be provided only to computers with a specific amount of memory or a specific operating system.


• Filtering is performed for each GPO. If a GPO is linked to multiple levels or OUs, the filters apply to all links. This allows filtering to be centrally controlled.

Security Filtering

Security filtering is based on the fact that GPOs have access control lists (ACLs) associated with them. These ACLs contain access entries for different security principals. In order for a GPO to be applied to a security principal in an OU, the security principal requires at a minimum the following permissions on the GPO:

• Allow Read

• Allow Apply Group Policy

By default, the Authenticated Users group has these permissions, which is why a GPO applies to every user and computer in the container it is linked to. By removing Authenticated Users and granting Apply Group Policy to specific groups, or by adding a Deny Apply Group Policy entry for a group, you can control which users, groups, or computers actually receive the GPO settings. A Deny entry overrides any Allow, so prefer the remove-and-grant approach where you can; a Deny on a broad group is easy to overlook later. Remember that the computer account needs the same permissions for the computer settings of a GPO to apply.

WMI Filtering

WMI is a set of technologies for managing Windows-based environments. WMI provides access to properties of almost every hardware and software object in the computing environment. A WMI filter is one or more WMI Query Language (WQL) queries; the Group Policy client runs them on the computer, and the GPO is applied only if every query returns at least one object. For example, a WMI query could check for a minimum amount of RAM, or a specific service pack, to determine whether a GPO should be applied. Each WMI filter is evaluated at every refresh, so a filter that queries a slow class adds to Group Policy processing time on every client. You must be a member of the Domain Admins, Enterprise Admins, or Group Policy Creator Owners group to create WMI filters in the domain.

For more information about security filtering, see Security filtering using GPMC on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=164084&clcid=0x409.

For more information about WMI filtering, see WMI filtering using GPMC on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=164152&clcid=0x409.
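An added example, not from the course, of the WQL queries a WMI filter contains and of testing them on a client before the filter is linked to a GPO. The namespace, class names and property names are standard WMI; the thresholds and the version string are assumptions chosen for the illustration.

```powershell
# Added example, not part of the course. WMI filters are evaluated in root\CIMv2 by default.
# Each entry below is one query exactly as it would be pasted into the WMI filter editor;
# the memory threshold and the "6.0" version prefix are assumptions for the illustration.
$filterQueries = @(
    @{ Name  = 'Windows Vista or Windows Server 2008 only'
       Query = 'SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "6.0.%"' },
    @{ Name  = 'At least 2 GB of RAM'
       Query = 'SELECT TotalPhysicalMemory FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 2147483648' },
    @{ Name  = 'Service Pack 1 or later'
       Query = 'SELECT ServicePackMajorVersion FROM Win32_OperatingSystem WHERE ServicePackMajorVersion >= 1' }
)

function Test-WmiFilter {
    # Mirrors the Group Policy client's rule: the filter is TRUE, and the GPO applies,
    # only if every query returns at least one instance. Returns $true or $false and
    # reports which query (if any) excluded this computer.
    param([hashtable[]]$Queries, [string]$Namespace = 'root\CIMv2')
    foreach ($q in $Queries) {
        $result = Get-WmiObject -Namespace $Namespace -Query $q.Query
        if (-not $result) {
            Write-Host ("FILTER FALSE: '{0}' returned nothing on {1}" -f $q.Name, $env:COMPUTERNAME)
            return $false
        }
    }
    Write-Host "FILTER TRUE: the GPO would apply to $env:COMPUTERNAME"
    return $true
}

Test-WmiFilter -Queries $filterQueries

# After the filter is attached to a GPO, confirm that the client agrees: gpresult /r
# (or gpresult /h report.html) lists the GPO under "Denied GPOs" with the reason
# "WMI Filter" when the filter evaluates FALSE on that computer.
```

Test the queries on one machine of each class you expect the filter to include and exclude; a query that is syntactically valid but names the wrong property silently returns nothing, which makes the filter FALSE everywhere and the GPO appear to do nothing.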


Considerations for Modifying Inheritance

Key Points

You have the option to modify the default Group Policy processing by blocking inheritance and enforcing the application of specific GPOs. Blocking inheritance on a domain or OU prevents it from automatically inheriting GPOs linked to higher sites, domains, or organizational units. Enforcing a GPO link prevents the settings in that GPO from being blocked or overridden by settings in GPOs linked at lower levels.

When modifying inheritance, keep in mind the following key points:

• Blocking inheritance is not selective. You cannot select specific policies to block. When you block inheritance, it blocks the inheritance of all non-enforced policies from above. To reapply specific settings below the point of blocked inheritance, you need to link a GPO with those settings at or below that point. This GPO can be a new GPO with the specific settings required or an existing GPO that is also linked elsewhere. Settings that you may want to reapply below a block include security configuration or software distribution.

Planning for Group Policy 4-19

• Use enforcement to enforce organization-wide standards. If you link a GPO at the domain level and enforce it, then it prevents administrators with delegated authority from overriding the enforced settings. This could be used for specific desktop configuration settings such as security settings that have been centrally determined.

• You cannot enforce a filtered GPO. Filtering for a GPO is done on the GPO, while enforcement is performed on the link. If a GPO is filtered, then the link cannot be enforced. As a result, you should be careful when applying filtering to a GPO that is enforced anywhere. This also means that you can use filtering to stop enforcement for a specific group of users or computers.

For more information about modifying inheritance, see Managing inheritance of group policy on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=164153&clcid=0x409.
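Because filtering is set on the GPO while enforcement is set on the link, the two are easy to combine by accident. The following PowerShell audit is an added example, not from the handbook: it lists every container with blocked inheritance, every enforced link, and flags enforced GPOs whose Apply permission no longer includes Authenticated Users. It assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 RSAT or later) and read access to GPOs in the domain.

```powershell
# Added example (not from the handbook): audit blocked inheritance and enforced
# links, and flag enforced GPOs that also carry security filtering.
# Assumes the GroupPolicy and ActiveDirectory PowerShell modules are installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GPInheritanceAudit {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # The domain root plus every OU: Get-GPInheritance reports blocking and links per container
    $containers = @((Get-ADDomain -Identity $Domain).DistinguishedName) +
                  @(Get-ADOrganizationalUnit -Filter * -Server $Domain |
                    Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $containers) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain

        if ($inh.GpoInheritanceBlocked) {
            [pscustomobject]@{
                Container = $dn
                Finding   = 'Inheritance blocked'
                Gpo       = $null
                Detail    = 'All higher-level GPOs are blocked here unless their link is enforced'
            }
        }

        foreach ($link in ($inh.GpoLinks | Where-Object { $_.Enforced })) {
            # Security filtering lives on the GPO (Apply permission), enforcement on the link:
            # check the GPO's Apply trustees for every enforced link
            $apply = Get-GPPermission -Guid $link.GpoId -All -Domain $Domain |
                     Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
            # S-1-5-11 is the well-known SID of Authenticated Users (the default Apply trustee)
            $filtered = -not ($apply | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' })
            [pscustomobject]@{
                Container = $dn
                Finding   = if ($filtered) { 'Enforced link on security-filtered GPO' } else { 'Enforced link' }
                Gpo       = $link.DisplayName
                Detail    = 'Apply permission held by: ' + (($apply | ForEach-Object { $_.Trustee.Name }) -join ', ')
            }
        }
    }
}

Get-GPInheritanceAudit | Sort-Object Finding, Container | Format-Table -AutoSize -Wrap
```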

Considerations for Using Loopback Processing

Key Points

User policy settings are normally derived entirely from the GPOs associated with the user account, based on its AD DS location. However, loopback processing directs the system to apply the user settings from the GPOs that apply to the computer to any user who logs on to a computer affected by this policy.

When planning for loopback processing, consider the following:

• Loopback processing is typically enabled for special use computers where you want different user settings to apply based on the computer that the user is logged on at. For example, a computer used to run manufacturing equipment may have more restrictive user settings in place.

• When you want to apply additional restrictions to users based on the computer they are logging on at, use merge mode. Merge mode combines the settings from the user and the computer. The merged settings from the computer will override settings from the user.

• When you want all users to have consistent user settings, use replace mode. Replace mode uses only settings from the computer and ignores settings from the user.

• When you want to apply less restrictive settings to users based on the computer they log on at, use replace mode. For example, in a training room, you could have less restrictive policies than the standard office computers. The computers in the training room would have user policy settings that are less restrictive.

• Use loopback processing to secure Terminal Servers. In most cases, you want users to have a different configuration when connecting to a terminal server rather than a regular office computer.

For more information about loopback processing, see Loopback processing with merge or replace on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=164209&clcid=0x409.

Demonstration: Modifying Group Policy Processing

All group policy management is performed by using the Group Policy Management console. The steps for individual tasks vary.

To enforce a policy:

• Right-click the policy link and select Enforced.

To block policy inheritance:

• Right-click the OU and select Block Inheritance.

To perform security filtering on a policy:

1. View the Scope tab of the GPO.

2. Modify the list of users able to apply the GPO.

To perform WMI filtering on a policy:

1. Create a WMI filter in the WMI Filters container.

2. Select the WMI filter on the Scope tab of the GPO.

To enable loopback processing:

1. Edit the GPO.

2. Set Computer Configuration\Policies\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode to Enabled.

3. Select Replace or Merge Mode.
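The loopback policy in step 2 writes a single registry value, so it can be set and verified from PowerShell without opening the editor. This is an added example, not from the handbook: it assumes the GroupPolicy module (Windows Server 2008 R2 RSAT or later) and that the policy's registry value UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System holds 1 for Merge and 2 for Replace; "Terminal Server Lockdown" is a constructed GPO name.

```powershell
# Added example (not from the handbook): set and verify loopback processing on a GPO.
# "User Group Policy loopback processing mode" stores its mode in the computer-side
# registry value below: 1 = Merge, 2 = Replace (value absent = Not Configured).
Import-Module GroupPolicy

$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

function Set-GpoLoopbackMode {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][ValidateSet('Merge', 'Replace')][string]$Mode
    )
    $value = if ($Mode -eq 'Merge') { 1 } else { 2 }
    # An HKLM key makes Set-GPRegistryValue write the Computer Configuration side of the GPO,
    # which is where loopback must live (it is evaluated for the computer, not the user)
    Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode' `
                        -Type DWord -Value $value | Out-Null
}

function Get-GpoLoopbackMode {
    param([Parameter(Mandatory)][string]$GpoName)
    try {
        $v = Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode' -ErrorAction Stop
        switch ([int]$v.Value) {
            1       { 'Merge' }
            2       { 'Replace' }
            default { "Unknown ($($v.Value))" }
        }
    }
    catch {
        # Get-GPRegistryValue throws when the value is absent, i.e. the policy is Not Configured
        'Not configured'
    }
}

# Terminal servers: Replace mode so every user gets only the locked-down user settings
# defined in the GPOs that apply to the server's own OU
Set-GpoLoopbackMode -GpoName 'Terminal Server Lockdown' -Mode Replace
Get-GpoLoopbackMode -GpoName 'Terminal Server Lockdown'
```

The GPO must still be linked to the OU containing the terminal servers, and the user settings you expect to apply must exist in GPOs linked along that computer's path.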

Lesson 3 Planning the Management of Group Policy Objects

There are a variety of options available when you are managing GPOs. You need to consider whether you should introduce ADMX templates for group policy settings or continue using ADM templates. You also have the option to use starter GPOs as a base for building new GPOs. You must determine whether you will link GPOs to multiple locations or create multiple GPOs. To ensure that you can recover GPOs if necessary, you also need to consider how GPOs will be backed up. Finally, you can delegate the management of GPOs in several ways.

Objectives

After completing this lesson, you will be able to:

• Describe the considerations for administering GPOs.

• Describe starter GPOs.

• Describe the considerations for reusing or copying GPOs.

• Describe the considerations for backing up and restoring GPOs.

• Describe the considerations for delegating GPO management.

Considerations for Administering Group Policy Objects

Key Points

When administering group policy objects, consider the following:

• The tool for administering GPOs is the Group Policy Management Console (GPMC). This tool is included as a feature in Windows Server 2008. You can install GPMC on Windows Vista SP1 by downloading and installing the Remote Server Administration Tools.

• A GPO is composed of a group policy container and group policy template. The group policy container is stored in Active Directory. The group policy template is stored in the SYSVOL share on domain controllers.

• When a new GPO is created, it must be replicated to other domain controllers. Until replication is complete, the GPOs applied to a user or computer may be inconsistent. Application of GPOs may also be inconsistent if there are problems with Active Directory replication or the replication of SYSVOL in the GPOs.

• The new ADMX format for Administrative Templates reduces the overall size of a GPO by up to 4 MB because the ADMX files are located in a central store rather than copied into the folder for each GPO as ADM templates were. This makes group policy processing faster, reduces the size of SYSVOL, and reduces network traffic generated by replication of SYSVOL between domain controllers.

• You should create a central store for ADMX files. This is not done automatically during installation. A central store eliminates the need to copy ADMX files to a computer where editing of a GPO is being performed.

• ADMX files are easier to extend than ADM files because ADMX files are XML files. This allows you to add new settings into a group policy. The new settings can be used to set registry keys that control an application.

• ADMX files can be used only by Windows Server 2008 and Windows Vista. If you have down-level clients and servers, you must continue to use ADM templates for those computers.

• You can migrate customized ADM files to ADMX format by using the ADMX Migrator.

• When you are troubleshooting the application of group policy settings, use the Group Policy Reporting feature in GPMC or GPResult.exe. These display the settings applied to a user or computer.

• When you are planning the implementation of group policy, use the Group Policy Modeling Wizard in GPMC. This allows you to view the effects of changing site membership, security group membership, WMI filters, slow links, loopback processing, and the movement of user and computer objects to a new OU.

For more information about ADMX files see Managing Group Policy ADMX Files Step-by-Step Guide on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=99453.

For more information about how to create a central store for ADMX files see How to create a Central Store for Group Policy Administrative Templates in Windows Vista on the Microsoft Help and Support Web site at http://go.microsoft.com/fwlink/?LinkID=164210&clcid=0x409.

What Are Starter GPOs?

Key Points

Starter GPOs store a collection of Administrative Template policy settings in a single object. Starter GPOs only contain Administrative Templates. When you create a new GPO from a starter GPO, the new GPO has all the Administrative Template settings that the starter GPO defined. In this way, starter GPOs act as templates for creating GPOs.

The GPMC stores starter GPOs in a folder named StarterGPOs, which is located in SYSVOL. Individual starter GPOs can be exported into .cab files for easy distribution. You then can import these .cab files back into the GPMC.

Scenarios for using starter GPOs:

• Use starter GPOs to standardize GPO creation. For example, the starter GPOs could contain standardized organizational settings. Delegated administrators for OUs could create their own GPOs by copying the starter GPOs and adding their own settings.

• Use starter GPOs to move GPOs easily between domains. You can export a starter GPO as a .cab file and then import into another domain. In a multidomain environment, this simplifies standardization between domains.

• Use starter GPOs to distribute customized settings to partners. For example, a software developer could create a starter GPO with recommended settings for their software. Customers could download the starter GPO and apply it to their servers or workstations running the software.

Considerations for Reusing or Copying GPOs

Key Points

When you create a GPO, it is stored as part of the domain structure. Some data is stored in Active Directory and some data is stored in the SYSVOL share. That content is then replicated to all domain controllers in the domain. To apply a GPO to a domain or OU, you link the GPO to a domain or OU. You can link a single GPO to multiple locations.

When considering reusing or copying GPOs, keep the following points in mind:

• When you link a single GPO to multiple locations, it allows you to centrally control the GPO. When the GPO is updated with new settings, the new settings are applied to all users or computers affected by the GPO.

• If a single GPO is linked to multiple locations, you should carefully control which administrators have permissions to modify the GPO. A departmental administrator could modify the central GPO while thinking that he was only modifying settings for a single OU.

• When you have multiple copies of a GPO, it can be difficult to synchronize the settings between them.

• To simplify administration, use a single GPO linked to multiple locations for common settings. Use individual GPOs linked to an OU to apply unique settings.

Considerations for Backing Up and Restoring GPOs

Key Points

When backing up and restoring GPOs, consider the following:

• GPOs are backed up as part of a system state backup on a domain controller. However, it is difficult to recover a GPO from a system state backup.

• You can create a GPO backup at any time by using the GPMC. GPMC allows you to back up one or all GPOs. It is a good idea to back up GPOs before making changes.

• You can use scripts to schedule GPO backups. Then GPO backups are available as a file that can be easily restored if required. The script BackupAllGPOs.wsf is located in C:\Program Files\GPMC\Scripts.

• Only read permissions are required to perform a backup of GPOs. This makes it easy to delegate the backup of GPOs.

• A starter GPO is not useful as a backup. A GPO backup contains all GPO settings, not just administrative templates. This differentiates them from starter GPOs.

• To recover a GPO and include security attributes for security filtering and WMI filtering, you need to restore from backup. However, restoring the GPO from backup will not recover or modify links. This means that enforcement, which is configured on the link, will not be recovered.

• To recover only GPO settings, without the security attributes for security filtering or WMI filtering, you need to import the settings from backup. In most cases, you only need to recover settings and not security attributes.

• After a GPO has been restored or settings have been imported from backup, the changes must be replicated to other domain controllers before they are effective for all users.
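The scripted backup and the two recovery paths above (restore with security attributes versus import of settings only) map directly onto GroupPolicy module cmdlets; since neither path recovers links or enforcement, the backup below also records them. This is an added example, not the handbook's BackupAllGPOs.wsf script: it assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 RSAT or later), and \\fileserver\GPOBackups is a constructed path.

```powershell
# Added example (not from the handbook): back up all GPOs to a dated folder together
# with a record of their links, and show the two recovery paths the text distinguishes.
# Assumes the GroupPolicy and ActiveDirectory PowerShell modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Backup-AllGpoWithLinks {
    param([Parameter(Mandatory)][string]$Root)
    $dir = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Same content as a GPMC backup: settings, security filtering and the WMI filter reference
    $backups = Backup-GPO -All -Path $dir -Comment "Scheduled backup $(Get-Date -Format s)"

    # Links (and their Enforced/Enabled state) live on the domain and OUs, not in the GPO,
    # so Restore-GPO cannot bring them back; record them beside the backup
    $domainDn = (Get-ADDomain).DistinguishedName
    $targets  = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * |
                                 Select-Object -ExpandProperty DistinguishedName)
    $links = foreach ($t in $targets) {
        foreach ($l in (Get-GPInheritance -Target $t).GpoLinks) {
            [pscustomobject]@{
                Target = $t; GpoName = $l.DisplayName; GpoId = $l.GpoId
                Enforced = $l.Enforced; Enabled = $l.Enabled; Order = $l.Order
            }
        }
    }
    $links | Export-Csv -Path (Join-Path $dir 'gpo-links.csv') -NoTypeInformation
    [pscustomobject]@{ BackupDirectory = $dir; GpoCount = @($backups).Count; LinkCount = @($links).Count }
}

function Restore-GpoSettingsOnly {
    # Import-GPO copies settings only: security filtering and WMI filter on the target are untouched
    param([Parameter(Mandatory)][string]$BackupDir, [Parameter(Mandatory)][string]$GpoName)
    Import-GPO -BackupGpoName $GpoName -Path $BackupDir -TargetName $GpoName -CreateIfNeeded
}

function Restore-GpoWithSecurity {
    # Restore-GPO brings back settings, security filtering and the WMI filter reference,
    # and re-creates the GPO if it was deleted, but never its domain/OU links
    param([Parameter(Mandatory)][string]$BackupDir, [Parameter(Mandatory)][string]$GpoName)
    Restore-GPO -Name $GpoName -Path $BackupDir
}

function Restore-GpoLinks {
    # Re-create the links (including Enforced) for one GPO from the CSV written at backup time
    param([Parameter(Mandatory)][string]$BackupDir, [Parameter(Mandatory)][string]$GpoName)
    Import-Csv (Join-Path $BackupDir 'gpo-links.csv') |
        Where-Object { $_.GpoName -eq $GpoName } |
        ForEach-Object {
            # CSV round-trips booleans as the strings 'True'/'False'
            $enf = if ($_.Enforced -eq 'True') { 'Yes' } else { 'No' }
            $en  = if ($_.Enabled  -eq 'True') { 'Yes' } else { 'No' }
            New-GPLink -Name $GpoName -Target $_.Target -Enforced $enf -LinkEnabled $en -Order ([int]$_.Order)
        }
}

Backup-AllGpoWithLinks -Root '\\fileserver\GPOBackups'
```

After any of the restore functions, allow for Active Directory and SYSVOL replication before expecting consistent results on every domain controller.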

Considerations for Delegating Management of GPOs

Key Points

When delegating management of GPOs, consider the following:

• By default, only members of Domain Admins and Group Policy Creator Owners are able to create GPOs. In most cases, you will want to delegate the creation of GPOs without making users a member of Domain Admins.

• You can delegate permission to create GPOs in a domain by making users a member of the Group Policy Creator Owners group. Also, you can delegate this permission from within GPMC at the Group Policy Objects folder.

• By default, only members of Domain Admins, Enterprise Admins, and the domain-local Administrators group can link GPOs to the domain or an OU. In most cases, you will want to delegate the linking of GPOs without making users a member of these groups.

• You can delegate permission to link GPOs to domains and OUs within the GPMC at the domain or OU. This is useful to allow departmental administrators to link GPOs to their own OU.

• By default, only members of the Domain Admins and Enterprise Admins can edit, delete, and modify security on a GPO. However, you can delegate these permissions for specific GPOs. This can be useful for a departmental administrator to be given the ability to manage the GPOs relevant to OUs for his department.

• You can delegate permission to use Group Policy Modeling and Group Policy Results for individual OUs or the domain in GPMC. This is useful for performing troubleshooting by using an account with lower permissions than an administrative account. By using an account with lower permissions for troubleshooting, you avoid the risk of accidentally modifying a GPO.

• In addition to using GPMC, you can also delegate permissions for managing GPOs by using Active Directory Users and Computers. However, using GPMC simplifies the process.

For more information about delegating management of GPOs, see Delegating Group Policy on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=99467.
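The earlier caution that a departmental administrator can change a centrally linked GPO while believing they are editing one OU, and the per-GPO delegation described here, can both be checked with the GroupPolicy module. This added example (not from the handbook) lists every GPO linked in more than one place together with the trustees holding edit rights on it, then shows delegating edit rights on a single GPO. It assumes the GroupPolicy and ActiveDirectory modules and PowerShell 3.0 or later; "Sales Desktop" and "Sales Admins" are constructed names.

```powershell
# Added example (not from the handbook): find GPOs linked to several containers and
# list who can edit them, then delegate edit rights on one departmental GPO only.
# Assumes the GroupPolicy and ActiveDirectory modules and PowerShell 3.0+ (-in operator).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-SharedGpoEditors {
    $domainDn = (Get-ADDomain).DistinguishedName
    $targets  = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * |
                                 Select-Object -ExpandProperty DistinguishedName)

    # Collect link targets per GPO id by walking every container's link list
    $linksByGpo = @{}
    foreach ($t in $targets) {
        foreach ($l in (Get-GPInheritance -Target $t).GpoLinks) {
            if (-not $linksByGpo.ContainsKey($l.GpoId)) {
                $linksByGpo[$l.GpoId] = New-Object System.Collections.ArrayList
            }
            [void]$linksByGpo[$l.GpoId].Add($t)
        }
    }

    foreach ($gpoId in $linksByGpo.Keys) {
        $links = $linksByGpo[$gpoId]
        if ($links.Count -lt 2) { continue }   # only GPOs that are shared across locations
        $gpo = Get-GPO -Guid $gpoId
        # Anyone with GpoEdit or GpoEditDeleteModifySecurity changes every linked location at once
        $editors = Get-GPPermission -Guid $gpoId -All |
                   Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' -and -not $_.Denied } |
                   ForEach-Object { "$($_.Trustee.Name) ($($_.Permission))" }
        [pscustomobject]@{
            Gpo       = $gpo.DisplayName
            LinkCount = $links.Count
            LinkedTo  = ($links -join '; ')
            Editors   = ($editors -join ', ')
        }
    }
}

Get-SharedGpoEditors | Sort-Object LinkCount -Descending | Format-Table -AutoSize -Wrap

# Delegation: a departmental group gets edit rights on its own GPO, not on shared ones.
# GpoEdit allows editing settings but not deleting the GPO or changing its security.
Set-GPPermission -Name 'Sales Desktop' -TargetName 'Sales Admins' -TargetType Group `
                 -PermissionLevel GpoEdit | Out-Null
Get-GPPermission -Name 'Sales Desktop' -TargetName 'Sales Admins' -TargetType Group
```

Any group that appears in the Editors column of a multi-link GPO is a candidate for having its rights moved to an OU-specific GPO instead.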

Discussion: Managing Group Policy

Key Points

Question: Who is responsible for managing group policy in your organization?

Question: Does your organization back up GPOs?

Question: Does your organization have a need to standardize GPOs by using starter policies?

Lesson 4 Planning the Management of Client Computers

Centralized management of client computers is a requirement in all but the smallest computer networks. Group policy is one way that client computers can be managed. You can use group policy to configure the user environment, distribute applications, run logon scripts, and redirect folders. Each of these should be planned carefully to ensure that they function as expected.

Objectives

After completing this lesson, you will be able to:

• Describe why client computers need to be managed.

• Describe the methods for managing client computers.

• Describe the considerations for using group policy preferences.

• Use group policy preferences.

• Describe the considerations for deploying software by using group policy objects.

• Describe the considerations for using logon scripts.

• Describe the considerations for using folder redirection.

Why Manage Client Computers?

Key Points

Many network administrators consider servers to be the most important part of the network. They are high-profile computers because many users are affected when they do not function properly. However, client computers are just as important as server computers. Each user on a network is working with a client computer, and a poorly configured client computer affects the productivity of that user.

Managing client computers includes:

• Distributing applications. Installing applications on client computers is a time-consuming process when performed manually on each computer. Even if applications are included in an image used during initial configuration, application updates still need to be applied. Applications and updates should be installed by using an automated method. Using an automated method to install applications and updates saves time and money for the organization.

• Enforcing security settings. Manually configuring security settings on each client computer is a time-consuming and error-prone process. To prevent users from circumventing security guidelines, the users should not have control over the security settings. The enforcement of security settings should be automated to ensure that it is performed consistently.

• Enforcing application settings. Some applications can affect the security of your organization. There are a number of Internet Explorer settings such as ActiveX® Control settings that can make a computer less vulnerable to attack when configured properly. Other configuration options such as the location of a database server are important to ensure that applications are functional for users. The ability to configure these settings centrally results in more reliable performance for users and greater productivity.

• Standardizing the user environment. In addition to technical considerations, it is useful to standardize the user environment simply to make it consistent from one computer to the next. This can include standardized desktop configuration, standardized applications, and standardized drive letter mappings to network shares. Standardizing the user environment makes it easier for users to move from one computer to another and remain productive. It also makes it easier to perform troubleshooting and provide help desk support.

Methods for Managing Client Computers

Key Points

Group policy is one of the easiest and most inexpensive methods you can use for managing client computers. It can be used to perform software distribution, enforce security settings, enforce application settings, and standardize the user environment.

To manage client computers, you can use:

• Group policy settings. Group policy settings include software distribution, security settings, and administrative templates. The software distribution can be used to distribute applications, application updates, and operating system updates. The security settings control a wide variety of operating system settings such as which users are allowed to perform Remote Desktop operations and whether digital signing is required for network communication. The administrative templates let you configure a wide variety of settings for Windows components. Also, administrative templates can be customized to deliver registry settings that control applications. Some vendors provide administrative templates for their applications. Group Policy settings modify registry keys that standard user accounts are not able to modify and are enforced. Group Policy settings are available for Windows 2000 and newer operating systems.

• Group policy preferences. Group policy preferences enable you to configure, deploy, and manage operating system and application settings that were not manageable using group policy. Examples include mapped drives, scheduled tasks, and Start menu settings.

• Scripts. By using a script, you can configure almost any aspect of an operating system or application. The most common use of scripts is to map drive letters. You can specify a logon script in the properties of each user account.

• Group policy scripts. By using Group policy, you can run scripts that apply to computer or user accounts. For computer accounts, there are startup and shutdown scripts. For user accounts, there are logon and logoff scripts.

• Windows Server Update Services (WSUS). WSUS is a solution from Microsoft for applying updates to operating systems and application software. Updates are downloaded from Microsoft Update and stored on the WSUS server. Updates are only applied to clients and servers after they have been approved.

• System Center Configuration Manager (SCCM). SCCM is a solution for configuration management, software distribution, and applying software updates. SCCM can also be used for operating system deployment and asset management.

Considerations for Using Group Policy Preferences

Key Points

Considerations for using Group Policy Preferences include:

• You can use both group policy settings and group policy preferences. There is no conflict between group policy settings and group policy preferences. The settings in group policy preferences are not available in group policy settings.

• Preference settings are not enforced and can be modified by the user. You should not consider preferences as a security enforcement mechanism.

• Application of group policy preferences is supported for Windows XP with SP2, Windows Vista, Windows Server 2003 with SP1, and Windows Server 2008. If you have Windows 2000 clients, you must use another mechanism to standardize the user environment.

• Use the Data Sources node to easily add or modify ODBC data sources for applications. This is useful during application deployment or when a Microsoft SQL Server® database has been moved to a new server.

• Use the Drive Maps node as an alternative to mapping drive letters by using a logon script. Writing a logon script is typically more complex than configuring group policy preferences.

• Use the Start Menu and Shortcuts node to standardize the ways of starting applications. By standardizing the look of both the Start menu and Desktop shortcuts, users will be able to easily move from one computer to another. Also, it will be easier for the help desk to provide documentation.

• Use the Internet Settings node to standardize the configuration of Internet Explorer. This includes defining a home page, managing trusted sites, and other options available in Internet Options.

• Use targeting to determine which users and computers a preference item will apply to. This allows you to simplify group policy application and have a single GPO with many preference settings. The application of each preference item in the GPO can be controlled individually. This avoids the need to use security or WMI filtering GPO objects to implement group policy preferences.

Demonstration: Using Group Policy Preferences

To configure group policy preferences:

1. Open the Group Policy Management Console.

2. Create a new GPO.

3. Configure the User or Computer Preferences in the GPO.

4. Link the GPO to the appropriate OU.

Considerations for Deploying Software by Using Group Policy

Key Points

The considerations for software deployment by using group policy include the following:

• To place an application shortcut in the Start Menu, assign the application to a computer or user. An application assigned to a computer will be available to all users. An application assigned to a user will be available only for that user.

• To allow users to access an application quickly on first use, assign the application to the computer. Assigning an application to a computer installs the application in the background on computer startup. Then when the user accesses the application for the first time, it is already installed.

• To limit disk space usage, assign applications to users or publish applications to users. When an application is assigned or published to a user, the application is not installed until first use or until installation is selected from Control Panel.

• To install applications when required to view a document, enable document activation for published applications. Assigned applications are always installed as required to view documents based on the file extension of the document.

• To enable software distribution over a wide area network (WAN), use Distributed File System (DFS) to replicate the installation files. Users will automatically install the application from the closest replica of the files.

• Restrict user permissions to the software installation files. Users require only read access to the installation files. Allowing greater permissions may result in installation files being accidentally deleted or infected with viruses.

• Use categories to organize applications. When you publish applications, users can install them from a list. Assigning the applications to categories organizes the list and makes it easier for users to find the application they are looking for.

• Create transform (MST) files to customize the installation of applications. A transform file is created by using an MSI editor. By including an MST file as part of an application package, you can create a silent installation and modify various installation options. The exact options that you can modify are application dependent.

• Use mandatory upgrades to keep consistent versions of applications in your organization. Having consistent versions of applications simplifies support.

• Use forced removal to remove applications from computers. This is useful when the license for software is no longer valid or has been moved to a different computer. An optional removal prevents new software installation, but does not remove the software from computers where it is already installed.

For best practices on the use of group policy for software installation, see Best Practices for Group Policy Software Installation on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=99486.

Considerations for Using Scripts

Key Points

A script for managing client computers can be written in any scripting language supported by the client computer. The two most common languages for scripts are batch files and Microsoft Visual Basic Scripting Edition (VBScript). By using a script, you can configure almost any aspect of an operating system or application.

You can specify a logon script in the properties of each user account. By using group policy, you can run scripts that apply to computer or user accounts. For computer accounts, there are startup and shutdown scripts. For user accounts, there are logon and logoff scripts.

Considerations for using scripts:

• Logon scripts are the most commonly used type of script. The most common use of logon scripts is to map drive letters. If your environment supports the use of group policy preferences, you may no longer need logon scripts.

• Specifying the logon script in the properties of each user account is awkward because it must be done for each account. It is simpler to use logon scripts in group policy.

• Startup and shutdown scripts can be used to perform computer-specific operations. For example, in a teaching classroom, a shutdown script could be used to delete user profiles or temporary files.

• Scripts can be stored in any network-accessible location. However, for logon scripts specified in the properties of each user account, the preferred location is the NETLOGON share. For group policy scripts, the preferred location is the SYSVOL share. Both the NETLOGON and SYSVOL shares are automatically replicated between domain controllers. Replication between domain controllers avoids the need to manually update logon scripts in multiple locations and provides a backup in case a domain controller fails.

Considerations for Using Folder Redirection

Key Points

The considerations for using folder redirection include:

• You can redirect folders in addition to the My Documents folder (which includes My Pictures). In Windows XP and Windows Vista, you can also redirect the Application Data, Desktop, and Start Menu folders. In Windows Vista only, you can also redirect Contacts, Downloads, Favorites, Searches, Links, Music, Video, Saved Games, and Pictures.

• Folder redirection makes it possible to back up user data without backing up client computers. For example, many applications store configuration data and templates in Application Data. If this folder is redirected to a network server, then it can be backed up on the server without backing up the client computer.

• Folder redirection reduces the size of user profiles. When roaming user profiles are used to allow users to move between computers and retain their settings, a common problem is large profiles resulting in extended logon and logoff times. One of the primary reasons for this is files stored in My Documents. When folders are redirected to a server, the files in those folders are not downloaded with the roaming user profile.

• If you want My Documents to be private storage space, redirect My Documents to the user home folder. This provides easy access to the user home folder and prevents most users from storing files locally.

• If you want My Documents to be shared storage space, redirect My Documents to a departmental share. This provides easy access to the department share and prevents most users from storing files locally.

• Allow folder redirection to automatically configure the necessary permissions when creating a folder for each user under the root path. This will ensure that the correct NTFS permissions are configured. However, the share and share permissions need to be configured manually first.

• When there is an interruption in network services, users with folder redirection will experience problems. To mitigate this, use offline files in conjunction with folder redirection. This ensures that users have access to files during network interruptions. Remember to enable the Offline Files option to synchronize all offline files before logging off.

• It is a best practice to control what appears on the Start menu by using group policy rather than by redirecting the Start Menu. Group policy preferences control what is in the Start Menu.

• It is possible to use Encrypting File System in conjunction with folder redirection. However, to make this possible, the server must be trusted for delegation. Also, files will not be encrypted while in transit over the network.


Lab: Planning for Group Policy

Note: Your instructor may run this lab as a class discussion.

A. Datum has never implemented group policy other than for basic password configuration in the domain using the default GPOs. After attending a recent seminar, the IT manager wants to use group policy more effectively for the organization.

Exercise 1: Creating a Group Policy Plan

Scenario

You have been tasked with creating a plan for implementing group policy. Your IT manager has provided you with a list of requirements that must be met by your plan.

The main tasks for this exercise are as follows:

1. Read the supporting documentation.

2. Create an OU structure.

3. Create a list of required GPOs.


Supporting Documentation

E-mail thread of correspondence with Allison Brown:

Gregory Weber

From: Allison Brown [[email protected]]
Sent: 21 July 2009 17:30
To: [email protected]
Subject: group policy implementation

Greg,

As we discussed in the meeting this morning, I’d like you to take the lead on planning our implementation of group policy. At this time, we have only the default GPOs in place for the domain and domain controllers.

Here are some of the requirements that have come up that I believe can be addressed best by using group policy:

• Read and write access to removable drives should be blocked for all office computers, including servers. Since we’ve upgraded all of the computers to Windows Vista and Windows Server 2008, this should be no problem. We must ensure that another GPO does not override this setting.

• Due to the creation of the three new branch offices, we are hiring a new person to manage those offices. We’d like the new person to be able to manage group policy for those remote offices, but not the head office.

• I’d like to start using group policy preferences for drive mappings, rather than logon scripts. We want the drive letters to be consistent in each location, but the server names will vary in each location.

• Application installation and updates for the branches will be done by using group policy. In the branch offices, the sales staff and office staff will have different applications. We need to be able to roll applications out one location at a time during initial deployment. However, later updates can be done for all branches at once. Application installation files should be stored in DFS and replicated to each branch.


• The computer training lab in the head office should not be subject to the restriction on removable drives. We’ll be using USB drives to configure these computers for various courses.

• The user desktops on the Terminal Server running Windows Server 2003 need to be locked down. The Desktop and Start Menu should be simplified to display only the application that users have access to. All users should have the same configuration when logged on to the Terminal Server regardless of the OU they are located in.

At minimum, I need you to figure out how these can be implemented. As part of your plan, please create an OU structure and define where each group policy will be linked.

Let me know if you require any clarification.

Regards,

Allison


Task 1: Read the supporting documentation

1. Read the supporting documentation.

2. On SEA-DC1, use Active Directory Users and Computers to review the existing Active Directory structure.

3. Use the Group Policy Management Console to review the existing group policy configuration.

Task 2: Create an OU structure

• Draw a diagram of an OU structure that will allow you to meet the requirements given to you by Allison.


Task 3: Create a list of required GPOs

• Create a list of GPOs required to implement the requirements given to you by Allison.

GPO Name | Settings | Linked to | Filters

Results: After this exercise, you should have a completed group policy plan for A. Datum.


Exercise 2: Implementing Group Policy

Scenario

After completing the group policy plan, you must now implement it.

The main tasks for this exercise are as follows:

1. Start the virtual machine and log on.

2. Create the OU structure.

3. Create the GPO for enforced security.

4. Create the GPO for Branch 1 preferences.

5. Create the GPOs for applications.

6. Create the GPO for Terminal Servers.

7. Verify application of policies for Branch1 sales staff.

8. Verify application of policies for Branch1 sales staff on the Terminal Server.

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.

2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.

3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Create the OU structure

1. On SEA-DC1, open Active Directory Users and Computers.

2. Create an organizational unit named Head Office in the root of the Adatum.com domain.

3. Create an organizational unit named Branches in the root of the Adatum.com domain.

4. Create an organizational unit named Branch1 in the Branches OU.


5. Create an organizational unit named Branch2 in the Branches OU.

6. Create an organizational unit named Branch3 in the Branches OU.

7. Create an organizational unit named Terminal Servers in the root of the Adatum.com domain.

Task 3: Create the GPO for enforced security

1. Use Active Directory Users and Computers to create a new global security group in the Head Office OU.

• Group name: Lab Computers

2. Use Active Directory Users and Computers to create a new computer account in the Head Office OU.

• Computer name: Lab1

3. Add Lab1 as a member of the Lab Computers group.

4. Use Group Policy Management to create the enforced security GPO.

• Name: Enforce Security

• Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny read access, Enabled

• Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny write access, Enabled

• Linked to Adatum.com

5. On the Enforce Security link to Adatum.com, make the policy Enforced.

6. On the Delegation tab of Enforce Security, use the Advanced button to Deny Read permission for the Lab Computers group.


Task 4: Create the GPO for Branch1 preferences

1. Use Group Policy Management to create a new GPO in the Group Policy Objects container.

• Name: Branch1 Preferences

• User Configuration\Preferences\Windows Settings\Drive Maps – Map drive letter S to \\Branch1Srv\Shared.

2. Link Branch1 Preferences to the Branch1 OU.

Task 5: Create the GPOs for applications

1. Use Active Directory Users And Computers to create a new global security group in the Branches OU.

• Group name: Sales Staff

2. Use Active Directory Users And Computers to create a new global security group in the Branches OU.

• Group name: Office Staff

3. Use Group Policy Management to create a new GPO in the Group Policy Objects container.

• Name: Sales Applications

4. Use Group Policy Management to create a new GPO in the Group Policy Objects container.

• Name: Office Applications

5. Configure security filtering for the Sales Applications GPO on the Scope tab:

• Remove the Authenticated Users group from the Security Filtering area.

• Add the Sales Staff group to the Security Filtering area.

6. Configure security filtering for the Office Applications GPO on the Scope tab:

• Remove the Authenticated Users group from the Security Filtering area.

• Add the Office Staff group to the Security Filtering area.

7. Link the Sales Applications GPO to the Branch1 OU.

8. Link the Office Applications GPO to the Branch1 OU.


Task 6: Create the GPO for Terminal Servers

• Use Group Policy Management to create a new GPO that is linked to the Terminal Servers OU.

• Name: TS Lockdown

• Computer Configuration\Policies\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode, Enabled, Replace mode

• User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands, Enabled

• User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Remove Run menu from Start Menu, Enabled

• User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Add Logoff to the Start Menu, Enabled

Task 7: Verify application of policies for Branch1 sales staff

1. Use Group Policy Management to model the application of policies for Branch1 sales staff.

• Use any domain controller

• User container: Branch1

• Computer container: Branch1

• Advanced Simulation Options: none

• User Security Groups: add the Sales Staff group

• Skip to the final page after entering the User Security Groups information

2. Review the applied and denied GPOs for the computer.

3. Review the applied and denied GPOs for the user.


Task 8: Verify application of policies for Branch1 sales staff on the Terminal Server

1. Use Group Policy Management to model the application of policies for Branch1 sales staff.

• Use any domain controller

• User container: Branch1

• Computer container: Terminal Servers

• Advanced Simulation Options: Loopback processing, Replace

• User Security Groups: add the Sales Staff group

• Skip to the final page after entering the User Security Groups information

2. Review the applied and denied GPOs for the computer.

3. Review the applied and denied GPOs for the user.

Results: After this exercise, you should have successfully implemented group policy.
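The OU, group and GPO steps of Exercise 2 can also be scripted. The following PowerShell is an added example, not part of the course; it assumes the ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later, not the Windows Server 2008 lab VM), the lab's Adatum.com domain, and writes each Administrative Template setting through its registry-based policy value. The drive map preference (Task 4) and the explicit Deny entry (Task 3, step 6) have no cmdlet and are left to the console.

```powershell
# Added example (not course code). Assumes the ActiveDirectory and GroupPolicy
# modules are available and the session runs as a domain administrator.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=Adatum,DC=com'

# Task 2: OU structure
New-ADOrganizationalUnit -Name 'Head Office'      -Path $domainDn
New-ADOrganizationalUnit -Name 'Branches'         -Path $domainDn
New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $domainDn
foreach ($b in 'Branch1', 'Branch2', 'Branch3') {
    New-ADOrganizationalUnit -Name $b -Path "OU=Branches,$domainDn"
}

# Task 3: lab computer group, test computer account, enforced security GPO
New-ADGroup    -Name 'Lab Computers' -GroupScope Global -Path "OU=Head Office,$domainDn"
New-ADComputer -Name 'Lab1' -Path "OU=Head Office,$domainDn"
Add-ADGroupMember -Identity 'Lab Computers' -Members 'Lab1$'

New-GPO -Name 'Enforce Security' | Out-Null
# "Removable Disks: Deny read/write access" live under the Removable Disks
# device-class GUID of the Removable Storage Access policy.
$rsa = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Set-GPRegistryValue -Name 'Enforce Security' -Key $rsa -ValueName 'Deny_Read'  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name 'Enforce Security' -Key $rsa -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null
# Enforced link at the domain root, so no GPO linked lower down can override it.
New-GPLink -Name 'Enforce Security' -Target $domainDn -Enforced Yes | Out-Null
# Step 6 (Deny Read for Lab Computers) needs an explicit Deny ACE, which
# Set-GPPermission cannot write; set it on the Delegation tab as in the lab.

# Task 5: staff groups and application GPOs with security filtering
foreach ($g in 'Sales Staff', 'Office Staff') {
    New-ADGroup -Name $g -GroupScope Global -Path "OU=Branches,$domainDn"
}
$appGpos = @{ 'Sales Applications' = 'Sales Staff'; 'Office Applications' = 'Office Staff' }
foreach ($gpo in $appGpos.Keys) {
    New-GPO -Name $gpo | Out-Null
    # Replace Authenticated Users with the staff group in Security Filtering.
    Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
    Set-GPPermission -Name $gpo -TargetName $appGpos[$gpo] -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Since the MS16-072 change, the computer account reads user GPOs, so keep
    # read access for Domain Computers or the filtered GPO silently stops applying.
    Set-GPPermission -Name $gpo -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null
    New-GPLink -Name $gpo -Target "OU=Branch1,OU=Branches,$domainDn" | Out-Null
}

# Task 6: Terminal Server lockdown with loopback processing in Replace mode
New-GPO -Name 'TS Lockdown' | Out-Null
$sys = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name 'TS Lockdown' -Key $sys -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null  # 2 = Replace
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name 'TS Lockdown' -Key $explorer -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null  # Shut Down etc.
Set-GPRegistryValue -Name 'TS Lockdown' -Key $explorer -ValueName 'NoRun'   -Type DWord -Value 1 | Out-Null  # Run
Set-GPRegistryValue -Name 'TS Lockdown' -Key $explorer -ValueName 'ForceStartMenuLogOff' -Type DWord -Value 1 | Out-Null
New-GPLink -Name 'TS Lockdown' -Target "OU=Terminal Servers,$domainDn" | Out-Null

# Tasks 7/8 (partial check): list every link that reaches each OU and whether
# it is enforced, before running Group Policy Modeling in the console.
foreach ($ou in "OU=Branch1,OU=Branches,$domainDn", "OU=Terminal Servers,$domainDn") {
    Write-Host "== $ou"
    (Get-GPInheritance -Target $ou).InheritedGpoLinks |
        Select-Object DisplayName, Enforced, Enabled, Order | Format-Table -AutoSize
}
```

Get-GPInheritance shows link order and enforcement only; security filtering and loopback are still verified with Group Policy Modeling as in Tasks 7 and 8.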

To prepare for the next module

1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.

2. In the Close box, select Turn off machine and discard changes. Click OK.


Module Review and Takeaways

Review Questions

1. What are some of the ways you can speed up group policy processing?

2. How can you modify how group policy is processed and applied?

3. Is it possible to delegate group policy management for just an OU?


Common Issues Related to a Particular Technology Area in the Module

Identify the causes for the following common issues related to a particular technology area in the module and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: A GPO is not being applied after creation
Troubleshooting tip: Run GPUpdate.exe on the client to force GPOs to be updated. This avoids waiting out the 90-minute refresh interval on computers other than domain controllers.

Issue: Group policy is not applying as expected
Troubleshooting tip: Use Group Policy Results in Group Policy Management to view the GPOs that are being applied.

Issue: You are unsure how changes will affect group policy application
Troubleshooting tip: Use Group Policy Modeling in Group Policy Management to view the results of potential changes to network speed, loopback processing, site, security group membership, and WMI filters.

Real-World Issues and Scenarios

1. You have configured a kiosk with an application for controlling manufacturing equipment. You would like all users on the kiosk to have the same configuration regardless of the organizational unit that their user object resides in. How will you accomplish this?

2. In the past, you have created customized ADM templates and they were automatically included with the GPO on SYSVOL. This allowed the GPO to be properly edited from any location. You have now created a customized ADMX template and realize that it is stored locally. Others will not be able to edit the GPO. How can you resolve this?

3. Your organization has no formal plan in place for backing up GPOs. Only a full backup, including system state, is being performed each day. How can you improve this?
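Scenarios 2 and 3 are usually handled with an ADMX central store in SYSVOL and a per-GPO backup job. The following PowerShell is an added example, not course material; it assumes the GroupPolicy module (Windows Server 2008 R2 or later), the lab's Adatum.com domain, and a constructed backup path and custom template file name.

```powershell
# Added example (not course code). Assumes the GroupPolicy module and a session
# on a domain member with rights to SYSVOL. Backup path and template name are constructed.
Import-Module GroupPolicy

$domain       = 'Adatum.com'                                  # lab domain
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$backupRoot   = 'D:\GPOBackups'                               # constructed path
$retainDays   = 30

# Scenario 2: ADMX/ADML files in C:\Windows\PolicyDefinitions are local to one
# computer, so a custom ADMX is only visible to editors run there. Copying the
# files into SYSVOL creates the central store, which every Group Policy editor
# in the domain reads and which replicates with the rest of SYSVOL.
if (-not (Test-Path $centralStore)) {
    New-Item -ItemType Directory -Path $centralStore | Out-Null
}
Copy-Item -Path 'C:\Windows\PolicyDefinitions\*' -Destination $centralStore -Recurse -Force
# Drop the custom template (hypothetical file name) beside the built-in ones:
# Copy-Item -Path 'C:\Templates\Custom.admx'       -Destination $centralStore
# Copy-Item -Path 'C:\Templates\en-US\Custom.adml' -Destination "$centralStore\en-US"

# Scenario 3: a nightly system-state backup restores all of AD and SYSVOL, not
# one GPO. Backup-GPO writes a per-GPO backup that Restore-GPO or Import-GPO can
# bring back individually, which is what "back up GPOs before modifying them" needs.
function Backup-AllGpos {
    param([string]$Path = $backupRoot, [int]$RetainDays = $retainDays)

    $stamp  = Get-Date -Format 'yyyy-MM-dd_HHmm'
    $target = Join-Path $Path $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    $results = Backup-GPO -All -Path $target -Comment "Scheduled backup $stamp"
    # A manifest lets a restore map a GPO display name to its backup Id.
    $results | Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

    # Prune backup folders older than the retention window.
    Get-ChildItem -Path $Path -Directory |
        Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$RetainDays) } |
        Remove-Item -Recurse -Force

    return $results
}

$backedUp = Backup-AllGpos
"Backed up $($backedUp.Count) GPO(s) under $backupRoot"

# Nightly run via Task Scheduler (script path is constructed):
# schtasks /Create /SC DAILY /ST 02:00 /TN "GPO Backup" /TR "powershell.exe -File C:\Scripts\Backup-Gpos.ps1"

# Restoring one GPO from the newest backup set, for illustration:
# $latest = Get-ChildItem $backupRoot -Directory | Sort-Object CreationTime -Descending | Select-Object -First 1
# Restore-GPO -Name 'Sales Applications' -Path $latest.FullName
```

Backup-GPO captures GPO settings and security filtering but not the links to OUs, so record link targets (for example from Get-GPInheritance) separately if you need to rebuild them.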


Best Practices Related to a Particular Technology Area in This Module

Supplement or modify the following best practices for your own work situations:

• Use group policy to manage settings on computers rather than manually configuring each computer.

• Disable unnecessary parts of GPOs to increase processing speed.

• Plan your Active Directory OU structure with group policy in mind.

• Use security filtering and WMI filtering for more flexible GPO application.

• Use loopback processing for special use computers such as kiosks and Terminal Servers.

• Use starter GPOs to simplify the creation of new GPOs with similar settings.

• Back up GPOs before modifying them.

• Delegate the management of GPOs to OU administrators that are affected by them. For example, delegate the management of GPOs for a region to an administrator for that region. This can include linking and modifying the GPOs.

• Redirect folders to a server to simplify recovery if a client computer fails.

Tools

Tool: Group Policy Management
Use for: Creating and managing GPOs
Where to find it: Administrative Tools

Tool: GPResult.exe
Use for: Troubleshooting GPO application
Where to find it: C:\Windows\System32

Tool: ADMX Migrator
Use for: Converting customized ADM templates to ADMX templates
Where to find it: http://go.microsoft.com/fwlink/?LinkID=164211&clcid=0x409

Tool: BackupAllGPOs.wsf
Use for: Script that can be used to create scheduled backups of GPOs
Where to find it: C:\Program Files\GPMC\Scripts


Module 5 Planning Application Servers

Contents:

Lesson 1: Overview of Application Servers 5-3

Lesson 2: Supporting Web-Based Applications 5-17

Lesson 3: Supporting SQL Server Databases 5-30

Lesson 4: Deploying Client Applications 5-48

Lesson 5: Planning Terminal Services 5-55

Lab: Planning Application Servers 5-64


Module Overview

This module focuses on the support that Windows Server® 2008 provides for Application Servers. When supporting an application server, you first need to understand the characteristics of the application, whether it is Web-based or traditional. Microsoft® SQL Server® databases have unique support requirements that are very different from infrastructure servers. Finally, part of planning application servers is determining how remote users will access applications. Terminal Services is an excellent method for providing remote access to applications for roaming users and remote offices.

Objectives

After completing this module, you will be able to:

• Describe application servers.

• Plan support for Web-based applications.

• Plan support for SQL Server databases.

• Plan the deployment of client applications.

• Plan the implementation of Terminal Services.


Lesson 1 Overview of Application Servers

An application server is a computer that is dedicated to running network-aware application software. Examples of such software include SQL Server, Microsoft Exchange Server, Internet Information Services (IIS), and Terminal Services. The design of network-aware application software can be Web-based, or it may have a client-server architecture. The system requirements of each application, including its architecture, must be considered when configuring the computers that will host them.

Windows Server 2008 includes features to support the application server role, regardless of whether the application to be hosted has a Web-based or a client-server architecture.


Objectives

After completing this lesson, you will be able to:

• Describe an application server.

• Describe the types of authentication for traditional applications.

• Describe the considerations for supporting traditional applications.

• Describe the considerations for Web-based applications.

• Describe Windows Server 2008 features and roles that support application servers.

• Describe considerations for maintaining application servers.


What Is an Application Server?

Key Points

When computer networks became a common part of corporate environments, they were initially used primarily for file sharing and printing. File sharing allowed organizations to more easily control access to files and back them up. Shared printing allowed many users to share a single printer and save on printing costs. After file sharing and shared printing were common, application servers began to be added to networks.

An application server is a server that runs user applications. Application servers have more intensive processing and memory requirements than file and print servers because they perform more complex tasks. Some examples of application servers are Web servers and e-mail servers.


The applications that run on application servers are typically divided into two categories:

• Traditional applications. A traditional application may also be called a client-server application. Part of the application runs on a client computer and part of the application runs on a server. Typically, the client (front end) application serves as an end-user interface for sending requests to and receiving responses from the server (back end). The bulk of the data is stored on the server. In some cases, the server portion of the application is just a SQL Server database that all client computers communicate with. In other cases, there is a middle tier with application logic that the client computers communicate with, and the middle tier communicates with a SQL Server database.

• Web-based applications. A Web-based application uses a Web browser to provide the user interface. The application logic is then performed on a Web server and data is stored in a SQL Server database.


Types of Authentication for Traditional Applications

Key Points

The authentication method used by a traditional application is determined by the application developer. However, sometimes an application will provide several options that an administrator can choose from when installing the application. Some of the most common options for authentication are:

• Active Directory. Some applications are able to communicate with Active Directory® directory services for authentication. This allows you to use the existing user objects to assign permissions within the application.

• LDAP. Lightweight Directory Access Protocol (LDAP) can be used to access information in a variety of directories, including Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). This option also allows you to use the existing user objects to assign permissions within the application.


• Internal. Some applications require user accounts to be generated within the application. These user accounts are not linked with Active Directory user accounts and must be managed separately. This means that users will have one set of credentials when authenticating to Active Directory and another set of credentials when logging on to the application.


Considerations for Supporting Traditional Applications

Key Points

Some of the considerations for supporting traditional applications are:

• Active Directory or LDAP authentication simplifies user logons. Either of these authentication options allows users to log on using a single set of credentials. This also simplifies user management.

• Client software for traditional applications may be difficult to update. In most cases, when you update the client software for a traditional application, you must update the software on all client computers at the same time. This may be a requirement to prevent older client software from corrupting data used by the new client software. If you are unable to update all client software in a timely way, some users may not be able to access the application for several hours or even days.


• Traditional applications are difficult to regulate through firewalls. Many traditional applications use remote procedure calls (RPC) for communication. RPC uses random port numbers, which makes its traffic difficult to control by using network firewalls. Host-based firewalls, such as Windows® Firewall, can control communication based on the process that generates it, so for them this is not a problem.

• Traditional applications are difficult to access over the Internet. Most traditional applications are designed to use RPC, which is difficult to allow through the firewalls between a corporate network and the Internet. Also, most traditional applications are designed for local area networks (LANs) and generate large amounts of network communication. You can operate traditional applications over a virtual private network (VPN) connection to accommodate RPC through a network firewall, but the application performance is typically poor.

Note: When running a traditional application over the Internet, performance may be slow even if only small amounts of data are transferred. Frequent communication combined with high latency will result in slow performance.

• Many traditional applications require NetBIOS name resolution. If a traditional application requires NetBIOS name resolution, you may need to maintain WINS servers or LMHOSTS files. This is an additional administrative load.


Considerations for Web-Based Applications

Key Points

Web-based applications use a Web browser on client computers instead of application software. The Web browser on the client is responsible only for formatting and displaying processed data. All of the application logic runs in software on a Web server, which sends the client all of the data it needs to display. The software on the Web server typically communicates with a SQL Server database back end for data storage.

Some considerations for Web-based applications are:

• Web-based applications are well suited for use over the Internet and by remote locations. The amount of data passed between the Web server and the client is relatively small when compared to traditional applications. All of the data processing is performed before the information to display is transferred to the Web browser on the client.


• Web-based applications require no additional infrastructure on most networks. Unlike traditional applications, which may require older infrastructure, such as NetBIOS name resolution, Web-based applications use standard infrastructure already available on corporate networks such as Domain Name System (DNS) name resolution and TCP/IP.

• Web-based applications are easier to update than traditional applications. When you update a Web-based application, it is done on the Web server. Therefore, you update the application for all users in a single step. This can be more complex if there are multiple Web servers in use as part of the application.


Windows Server 2008 Features and Roles That Support Application Servers

Key Points

Windows Server 2008 has a number of features and roles that support the use of Windows Server 2008 as an application server. The requirements vary depending on the application. Individual application servers may require none or all of these features and roles. Most applications will include the requirements in the installation documentation.

• .NET Framework 3.0 features. The Microsoft .NET Framework is used by applications to access operating system services through application programming interfaces (APIs). Version 3.0 includes the APIs necessary to support the .NET Framework 2.0 applications and additional elements. This means that a computer with the .NET Framework 3.0 installed can run applications built for the .NET Framework 2.0 or the .NET Framework 3.0. Earlier versions of the .NET Framework can be downloaded from the Microsoft Web site if required and run in parallel with the .NET Framework 3.0.


• Desktop Experience feature. This feature contains applications and features that are typically used by users on desktop computers such as desktop themes and Windows Media Player. In some cases server applications will require these components. For example, a streaming media encoder application may require the installation of Windows Media® Player.

• Windows PowerShell feature. This feature provides a command shell that can be used for scripting. Some server applications can be managed by using Windows PowerShell™. For example, Microsoft Exchange Server 2007 includes the Exchange Management Shell, which is used to administer Exchange Server 2007.

• Application Server role. This role is used to select the necessary features for supporting applications built with the .NET Framework 3.0. The .NET Framework 3.0 is installed as part of this role. You also have the option to install the Web Server, COM+ Network Access, Windows Process Activation Services, TCP Port Sharing, and Distributed Transactions.

• Web Server (IIS) role. This role is used to provide support for basic Web sites or Web-based applications. Various role services, such as authentication options, can be configured during the installation process. The Web server installed is IIS version 7. However, there are backward compatibility tools for IIS version 6 that can be installed and are required for some applications.

• Windows SharePoint Services 3.0. Windows SharePoint® Services (WSS) can be downloaded from the Microsoft Web site and installed on Windows Server 2008. WSS is a platform for creating collaborative Web sites, managing documents, and managing events.


Considerations for Maintaining Application Servers

Key Points

The maintenance of application servers is different from the maintenance of infrastructure servers. Infrastructure services like Active Directory or DNS are designed to be highly available. When one domain controller is down, clients and applications automatically direct their Active Directory requests to other functional domain controllers. Application servers may not have this type of redundancy.

Considerations for maintaining application servers include:

• Define a maintenance window for each application server. A maintenance window is a regularly scheduled time when users do not expect the application server to be functional. During this time you can perform system updates or other maintenance tasks. The maintenance window is scheduled at a time when user activity would normally be minimal, such as late at night. If unusual maintenance needs to be performed outside of that window, it must be negotiated with the users of the application server.


• Understand the business impact of an application server. Knowing how your organization uses an application server, rather than just the technical details, allows you to recommend improvements for the application server to meet those needs. For example, a critical application may benefit from the implementation of high availability by using failover clustering or network load balancing.

• Enhance the availability of an application server by carefully planning updates and version upgrades. An application server typically has a direct business impact when it is not available. To avoid downtime, all updates should be tested in a lab environment before being applied to the live server. Then, even if testing was successful, you should have a rollback plan during the actual update in case something goes wrong.

• Understand the ramifications before implementing system changes. Many server administrators understand the details of exactly how changes to network infrastructure will affect their systems. However, an application may only be understood in depth by the vendor that created the application. To mitigate the risk of adverse effects, you should carefully read product documentation or consult the vendor. You should also follow the change management process of your organization to reduce the likelihood of unexpected impacts.


Lesson 2 Supporting Web-Based Applications

Web-based applications are well suited for remote offices and even users over the Internet. However, when you configure Web-based applications, you need to consider how users are authenticated and whether Secure Sockets Layer (SSL) will be used to secure communication. If SSL is used to secure communication, you need to determine from where you will obtain the SSL certificate and how it will be configured. IIS provides applications and application pools to control how Web-based applications are processed on the server.


Objectives

After completing this lesson, you will be able to:

• Describe the considerations for authenticating to Web-based applications.

• Describe SSL.

• Describe the considerations for selecting an SSL certificate.

• Describe the considerations for dynamic Web content.

• Describe the considerations for IIS applications.

• Describe how to configure IIS to support a Web-based application.


Authentication Considerations for Web-Based Applications

Key Points

When IIS is used as the Web server for a Web-based application, there are several authentication options you can choose from. Which option you select will depend on your scenario and the options supported by the application vendor.

Some authentication considerations for Web-based applications are:

• Basic authentication is supported by all Web browsers and has no difficulty traversing firewalls. However, it transmits credentials in clear text, which could be viewed as they travel over the network or Internet. For this reason, basic authentication is seldom used alone.

• Basic authentication with SSL is the most commonly used authentication method. SSL is used to encrypt the credentials while they are in transit between the Web browser and Web server. This makes the authentication process secure and compatible with all Web browsers and Web servers. When SSL is used to secure authentication, it is also normally used to secure all other application data while in transit.


• Windows integrated authentication is useful for authenticating users on an internal network. It allows the credentials from the workstation to be automatically passed to the Web server without any user interaction. This simplifies logons for users. However, in some cases, Internet firewalls can prevent Windows integrated authentication from functioning properly, so it is not well suited to authentication over the Internet. Credentials are encrypted during transit. You will always be prompted for credentials unless the Web site you are accessing is part of the local intranet zone in Microsoft Internet Explorer®. Some Web browsers do not support Windows integrated authentication.

Web sites accessed by using a single-label name are considered part of the local intranet zone. For more information, see How to use security zones in Internet Explorer on the Microsoft Help and Support Web site at http://go.microsoft.com/fwlink/?LinkID=165683&clcid=0x409.

• Digest authentication encrypts credentials similar to Windows integrated authentication, but is based on an Internet standard for wider compatibility. However, digest authentication is only available when using Windows Server 2008 Enterprise Edition. It is not commonly used.

• Certificate authentication allows client computers to present a certificate for authentication rather than a username and password. This is considered more secure than a username and password because it is more difficult to re-create or guess. However, when compared with a username and password, the configuration process for certificates is more complex, and certificates are therefore used for authentication only when a high level of security is important.

• Multi-factor authentication is used to enhance the security on public Web sites. Users are required to enter a username and password and also have a physical component to log on. One of the most common ways the physical component is implemented is a small device with a number that changes every one or two minutes. Users are required to enter the number along with their credentials to log on. This is commonly implemented in cases where a high level of security is required, such as banking Web sites.
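The following is an added example, not part of the course material, showing how the authentication choices above are reviewed and set for one IIS application with the WebAdministration PowerShell module. The site name (Default Web Site), the application name (accounting) and the availability of the module on your IIS version are assumptions; the point it demonstrates is that basic authentication is only switched on together with a requirement for SSL on the same path, so credentials are never accepted over plain HTTP.

```powershell
# Added example: review and set IIS authentication for one application.
# Assumptions: the WebAdministration module (IIS 7.5 ships it; IIS 7.0 uses the
# downloadable snap-in of the same name), a site 'Default Web Site' and an
# application 'accounting' under it. Run in an elevated PowerShell on the server.
Import-Module WebAdministration

$site    = 'Default Web Site'
$app     = 'accounting'
$loc     = "$site/$app"                              # configuration location of the application
$auth    = '/system.webServer/security/authentication'
$methods = 'anonymousAuthentication', 'basicAuthentication',
           'windowsAuthentication', 'digestAuthentication'

function Get-AppAuthentication {
    # One line per method: which of them IIS will offer for this application,
    # plus whether plain HTTP is refused for it.
    foreach ($m in $methods) {
        $element = Get-WebConfiguration -Filter "$auth/$m" -PSPath 'IIS:\' -Location $loc
        '{0,-25} enabled={1}' -f $m, $element.enabled
    }
    $access = Get-WebConfiguration -Filter '/system.webServer/security/access' -PSPath 'IIS:\' -Location $loc
    '{0,-25} {1}' -f 'sslFlags', $access.sslFlags
}

function Set-BasicOverSsl {
    # Basic authentication sends the credentials in clear text, so it is enabled
    # only together with an SSL requirement on the same application. Anonymous
    # access is turned off so that IIS actually asks for credentials.
    Set-WebConfigurationProperty -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false -PSPath 'IIS:\' -Location $loc
    Set-WebConfigurationProperty -Filter "$auth/basicAuthentication"     -Name enabled -Value $true  -PSPath 'IIS:\' -Location $loc
    Set-WebConfigurationProperty -Filter "$auth/windowsAuthentication"   -Name enabled -Value $false -PSPath 'IIS:\' -Location $loc
    # 'Ssl' refuses http for this path; the site needs an https binding for this to work.
    Set-WebConfigurationProperty -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl' -PSPath 'IIS:\' -Location $loc
}

function Set-WindowsIntegrated {
    # Internal-network alternative: credentials are passed from the workstation.
    # Basic is switched off so that no clear-text fallback is ever offered.
    Set-WebConfigurationProperty -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false -PSPath 'IIS:\' -Location $loc
    Set-WebConfigurationProperty -Filter "$auth/basicAuthentication"     -Name enabled -Value $false -PSPath 'IIS:\' -Location $loc
    Set-WebConfigurationProperty -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true  -PSPath 'IIS:\' -Location $loc
}

'Before:'; Get-AppAuthentication
Set-BasicOverSsl            # or Set-WindowsIntegrated for an intranet-only application
'After:';  Get-AppAuthentication
```

Because the authentication sections are locked at the server level by default, the settings are written with `-PSPath 'IIS:\' -Location` so that they land in a location tag in applicationHost.config rather than in the application's web.config.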


What Is SSL?

Key Points

For Web-based applications, SSL is used to encrypt communication between a Web browser and a Web server. The entire communication process between the client and server is encrypted. This protects authentication credentials and application data.

To enable SSL on a Web server, you must obtain a certificate for the Web server. The public key and private key that are part of the certificate are used during the communication process.

The SSL communication process is:

1. The client sends a request to the server by using HTTPS.

2. The server responds by providing the client with the public key of the server.

3. The client generates a symmetrical key for encryption.


4. The client encrypts the symmetrical key by using the public key of the server and transmits the encrypted symmetrical key to the server.

5. The server decrypts the symmetrical key by using its private key.

6. The symmetrical key is then used by both client and server to encrypt and decrypt data sent between them.

TLS (Transport Layer Security) is a newer security protocol that includes SSL and is used for generic TCP/IP encryption, not just Web servers. It functions approximately the same way. For more information, see Introduction (SSL/TLS in Windows Server 2003) on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=165684&clcid=0x409.
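The six steps above, walked through as an added illustration that is not part of the course: it uses the .NET cryptography classes available to PowerShell on Windows Server 2008 to play both the client and the server. It models only the key exchange the text describes (RSA wrapping of a symmetric key, then symmetric encryption of the data); real SSL/TLS also carries the certificate chain, nonces, a key derivation step and integrity protection, and IIS keeps its private key in the machine certificate store rather than generating one per run. The sample request string is constructed.

```powershell
# Added illustration of the SSL exchange described in the text. Not a real TLS
# implementation; the key pair is generated here instead of coming from a certificate.
Add-Type -AssemblyName System.Core   # AesManaged lives in System.Core

# Step 2, server side: the server's key pair. Only the public half leaves the server.
$serverRsa  = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$publicHalf = $serverRsa.ExportParameters($false)   # $false = without the private parameters

# Step 3, client side: a random symmetric session key (AES-256) and an IV.
$clientAes = New-Object System.Security.Cryptography.AesManaged
$clientAes.KeySize = 256
$clientAes.GenerateKey()
$clientAes.GenerateIV()

# Step 4: wrap the session key with the server's public key (RSA-OAEP) and send it.
$clientRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$clientRsa.ImportParameters($publicHalf)
$wrappedKey = $clientRsa.Encrypt($clientAes.Key, $true)   # $true selects OAEP padding

# Step 5: only the holder of the private key can unwrap it. Someone who captured
# the public key and the wrapped key on the wire gets nothing usable out of them.
$sessionKey = $serverRsa.Decrypt($wrappedKey, $true)
try   { $null = $clientRsa.Decrypt($wrappedKey, $true); $eavesdropper = 'recovered the key (must not happen)' }
catch { $eavesdropper = 'cannot decrypt with the public key alone' }

# Step 6: both ends hold the same key; the client encrypts, the server decrypts.
$request = [Text.Encoding]::UTF8.GetBytes('GET /accounting/app.aspx HTTP/1.1')   # constructed sample
$onWire  = $clientAes.CreateEncryptor().TransformFinalBlock($request, 0, $request.Length)

$serverAes     = New-Object System.Security.Cryptography.AesManaged
$serverAes.Key = $sessionKey
$serverAes.IV  = $clientAes.IV      # the IV travels with the message; it is not secret
$received = $serverAes.CreateDecryptor().TransformFinalBlock($onWire, 0, $onWire.Length)

'Wrapped key on the wire   : {0} bytes' -f $wrappedKey.Length
'Server has the same key   : {0}' -f ([BitConverter]::ToString($sessionKey) -eq [BitConverter]::ToString($clientAes.Key))
'Eavesdropper with pub key : {0}' -f $eavesdropper
'Ciphertext on the wire    : {0}...' -f [BitConverter]::ToString([byte[]]$onWire[0..15])
'Server decrypted request  : {0}' -f [Text.Encoding]::UTF8.GetString($received)
```

The try/catch around the client-side `Decrypt` is the point of step 5: the object that imported only the public parameters throws, which is exactly why credentials and data encrypted under the session key stay private even though the public key is visible to everyone.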


Considerations for Selecting an SSL Certificate

Key Points

The certificate used to secure SSL communication is used to verify the identity of the Web server in addition to securing communication. The certificate contains a subject name that identifies the server and must be trusted by the clients. You can generate a certificate by using an internal CA (certification authority) or an external CA.

Some considerations for selecting an SSL certificate are:

• Certificates generated by an internal CA are not trusted by clients outside your organization. An untrusted certificate generates warnings on the client computers. Only use an internal CA for generating certificates for internal clients where you can configure the clients to trust certificates issued by the internal CA. Windows Server 2008 includes CA functionality and can generate certificates at no cost.


• The cost of certificates generated by external CAs varies widely, but the functionality is the same. The justification of cost variance between CAs is typically based on the verification performed on the identity of the organization requesting the certificate. Internet Explorer uses different colors in the address bar to identify a level of trust based on how the identity was validated.

• The subject name in a certificate must match the name used in the URL to access the Web site. If the subject name in the certificate is webapp.contoso.com and you access the Web site by using https://webapp or https://192.168.100.50, then the certificate will not be trusted. If you have internal and external users accessing the Web site by using different DNS names, then you can get a subject alternative name (SAN) certificate with multiple names. However, a SAN certificate is significantly more expensive than a regular server certificate. You can also get wildcard certificates for a subject name such as *.contoso.com. However, some clients and applications do not function properly with wildcard certificates.
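The name-matching rule in the last point, as an added PowerShell example that is not part of the course. The function compares the host part of the URL against the subject name and any SAN DNS names the way a browser does, including the one-label rule for wildcards, and the test cases reproduce the situations the text describes (short name, IP address, SAN certificate, wildcard). It handles DNS names only; an IP address in the URL therefore never matches a DNS name, which is the behaviour the text warns about.

```powershell
# Added example: does the name in the URL match the names in the certificate?
function Test-CertificateNameMatch {
    param(
        [Parameter(Mandatory=$true)][string]$RequestedHost,     # host part of the URL the user typed
        [Parameter(Mandatory=$true)][string]$SubjectName,       # CN from the certificate subject
        [string[]]$SubjectAlternativeNames = @()                 # dNSName entries of a SAN certificate
    )
    $requested  = $RequestedHost.ToLowerInvariant().TrimEnd('.')
    $candidates = @($SubjectName) + $SubjectAlternativeNames

    foreach ($name in $candidates) {
        $name = $name.ToLowerInvariant().TrimEnd('.')
        if ($name.StartsWith('*.')) {
            # Wildcard: '*' stands for exactly one DNS label, so *.contoso.com covers
            # webapp.contoso.com but neither contoso.com nor a.b.contoso.com.
            $suffix = $name.Substring(1)                                   # ".contoso.com"
            if ($requested.EndsWith($suffix)) {
                $leftmost = $requested.Substring(0, $requested.Length - $suffix.Length)
                if ($leftmost.Length -gt 0 -and -not $leftmost.Contains('.')) { return $true }
            }
        }
        elseif ($name -eq $requested) { return $true }                    # exact, case-insensitive
    }
    return $false
}

# Constructed cases mirroring the text: the same certificate seen through different URLs.
$cases = @(
    @{ Host = 'webapp.contoso.com'; Subject = 'webapp.contoso.com'; San = @() },
    @{ Host = 'webapp';             Subject = 'webapp.contoso.com'; San = @() },
    @{ Host = '192.168.100.50';     Subject = 'webapp.contoso.com'; San = @() },
    @{ Host = 'webapp';             Subject = 'webapp.contoso.com'; San = @('webapp', 'webapp.contoso.local') },
    @{ Host = 'webapp.contoso.com'; Subject = '*.contoso.com';      San = @() },
    @{ Host = 'contoso.com';        Subject = '*.contoso.com';      San = @() },
    @{ Host = 'a.b.contoso.com';    Subject = '*.contoso.com';      San = @() }
)
foreach ($c in $cases) {
    $ok = Test-CertificateNameMatch -RequestedHost $c.Host -SubjectName $c.Subject -SubjectAlternativeNames $c.San
    '{0,-20} against CN={1,-20} SAN={2,-32} -> {3}' -f $c.Host, $c.Subject, ($c.San -join ','), $ok
}

# To check a certificate from the machine store on the IIS server itself, take its
# DNS name with $cert.GetNameInfo('DnsName', $false) and pass it as -SubjectName.
```

Only the fourth case (the short name listed as a SAN entry) turns a failing internal URL into a match, which is the reason the text gives for buying a SAN certificate when internal and external users use different names.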


Considerations for Dynamic Web Content

Key Points

Dynamic Web content is content on a Web server that requires processing beyond just retrieving a static Web page from a disk. Dynamic Web content typically includes some type of script embedded in the Web page that is processed by the Web server before the content is delivered to the client. A very simple example of dynamic Web content is a page footer that is inserted into each page delivered by a Web server. Full Web applications that track user state during processes are more complex.

Some considerations for dynamic Web content:

• There are a variety of ways that dynamic content can be implemented. They include ASP, ASP.NET, CGI, and server-side includes. To avoid potential security risks, you should enable only those methods that are required.


• A Web server with dynamic content requires significantly more processing power and memory than a Web server with static content. As you add dynamic content to a Web server, monitor memory and processor utilization to confirm that they are sufficient. This is particularly important if you have a large number of users.

• Running programs on a server with dynamic content introduces security risks. For example, server-side scripts that do not properly verify content submitted from forms can be susceptible to buffer overflow attacks. If your organization develops Web-based applications, they should be carefully tested for security flaws.

• Default scripts meant to demonstrate server features and scripting are a common source of security problems on Web servers. You should remove all default scripts that are not required.


Considerations for IIS Applications

Key Points

One of the concerns with Web-based applications is how one application on a Web server will affect another. IIS uses the concept of applications and application pools to control how dynamic content is processed.

An application is a URL (http://www.contoso.com/accounting/app.aspx) or a section of the URL namespace (http://www.contoso.com/accounting/). For each application you can define the credentials used to access the physical files on the server. The default configuration passes the user credentials through. Each application is also part of an application pool.

Application pools contain one or more applications. Each application pool is treated as a single processing unit with its own memory space. There are a wide variety of settings available to control CPU utilization limits, application pool recycling,


Considerations for IIS applications include:

• Use the identity of an application pool to control permissions. For each application pool, you must define the identity. The identity is the user account used when executing the application code. The identity must have sufficient permissions to access any necessary files. By default, the identity is the Network Service account, which has limited rights to the local system and has permission to communicate on the network. If you have multiple application pools and want them to remain completely separate, you can create an Active Directory user to control permissions instead.

• To prevent a failure in one application from affecting another, the two applications should be placed in separate application pools. By default, there is only one application for the entire Web site. You may need to create multiple applications if you want to prevent one application from affecting another.

• Creating multiple application pools may prevent user state information in the application from being passed between parts of a Web-based application. When creating new Web application pools, document the original configuration so that you can roll back your changes if required.

• Use application pool recycling to prevent manual stopping and starting of an application pool. Some Web-based applications begin to experience problems when they have been running for an extended period of time. This is typically because they have not been programmed properly. In such a case, application pool recycling automatically restarts the application. Application pool recycling can be based on factors such as time, number of requests received, or a scheduled time. Depending on the application, recycling may cause user state information to be lost. Correcting the faulty application is preferred to recycling.


Demonstration: Configuring IIS

Key Points

In this demonstration, you will see how to configure IIS.

High-level steps:

1. Open IIS Manager.

2. Review bindings and the SSL certificate.

3. Create a new application.

4. Review application configuration.

5. Review application pool configuration and the recycling settings.
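The considerations for IIS applications and the steps of this demonstration, carried out as an added PowerShell example that is not part of the course or of IIS itself. It assumes the WebAdministration module, a site named Default Web Site, the folder C:\inetpub\wwwroot\accounting and an Active Directory account CONTOSO\svc_accounting created for the pool identity; all of these names are assumptions. The example shows the order a practitioner would use: look at the bindings and certificate, snapshot the configuration, create a dedicated pool with its own identity and recycling schedule, then the application, and finally read everything back.

```powershell
# Added example covering the IIS considerations and the demonstration steps.
# Assumptions: WebAdministration module (IIS 7.5 ships it; IIS 7.0 has it as a
# downloadable snap-in), site 'Default Web Site', folder C:\inetpub\wwwroot\accounting,
# AD account CONTOSO\svc_accounting. Run in an elevated PowerShell on the server.
Import-Module WebAdministration

$site     = 'Default Web Site'
$appName  = 'accounting'                       # reachable as http://www.contoso.com/accounting/
$appPath  = 'C:\inetpub\wwwroot\accounting'
$poolName = 'AccountingPool'
$poolUser = 'CONTOSO\svc_accounting'

# Step 2: bindings, and which certificate (by thumbprint) backs the https binding.
Get-WebBinding -Name $site | Format-Table protocol, bindingInformation, certificateHash -AutoSize
Get-ChildItem 'IIS:\SslBindings' | Format-Table IPAddress, Port, Thumbprint, Sites -AutoSize

# Snapshot the IIS configuration first; the change can then be undone with
# Restore-WebConfiguration -Name 'before-accounting-pool'.
Backup-WebConfiguration -Name 'before-accounting-pool' | Out-Null

# A pool of its own: a failure or runaway in this application stays in this worker
# process, and the identity carries only the permissions this application needs
# (grant it NTFS read on $appPath and nothing else on the server).
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
$cred = Get-Credential $poolUser
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Recycling at a fixed time (02:00) instead of stopping the pool by hand. The default
# 29-hour periodic restart is switched off so the only restart is the scheduled one,
# inside the maintenance window, where lost user state is expected.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name recycling.periodicRestart.time -Value ([TimeSpan]::Zero)
New-ItemProperty "IIS:\AppPools\$poolName" -Name recycling.periodicRestart.schedule -Value @{ value = '02:00:00' } | Out-Null

# Step 3: the application, placed in the new pool.
if (-not (Test-Path $appPath)) { New-Item -ItemType Directory -Path $appPath | Out-Null }
if (-not (Get-WebApplication -Site $site -Name $appName)) {
    New-WebApplication -Name $appName -Site $site -PhysicalPath $appPath -ApplicationPool $poolName | Out-Null
}

# Steps 4 and 5: read the result back and keep it with the change record.
Get-WebApplication -Site $site -Name $appName | Format-List path, applicationPool, PhysicalPath
Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel | Format-List identityType, userName
Get-ItemProperty "IIS:\AppPools\$poolName" -Name recycling.periodicRestart | Format-List time, requests, schedule
```

The configuration backup before the change is the "document the original configuration" point from the list above in executable form: it is what makes the rollback plan real rather than a note.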


Lesson 3 Supporting SQL Server Databases

Many application servers, such as SharePoint and Microsoft Project Server, use SQL Server as a back end for data storage. It is essential that you understand the basics of SQL Server operation and support to be able to properly support an application server. There are multiple editions of SQL Server 2008 and the one you need depends on the scenario it is being used in. Transaction logs are an integral part of how SQL Server maintains databases and need to be considered when you decide on a backup and restore strategy for a SQL Server database.

Objectives

After completing this lesson, you will be able to:

• Describe why database knowledge is required by administrators.

• Describe SQL Server.


• Describe SQL Server editions.

• Describe SQL Server authentication options.

• Use SQL Server management tools.

• Describe how SQL Server uses transaction logs.

• Describe the backup and restore options for SQL Server.

• Select appropriate options for supporting SQL Server.


Why Do Administrators Need to Understand Databases?

Key Points

As the administrator of a Windows network, you need to understand the basics of how databases work. Databases are used as a back end to store data and configuration information for a wide variety of applications. End-user applications that store data in a database include most Web-based applications, SharePoint, Microsoft Project Server, and Exchange Server. Administrator utilities that use a database include System Center Operations Manager and System Center Virtual Machine Manager. To support these applications, you need to understand the basics of database administration.

Managing the databases associated with an application is different from managing files such as Microsoft Office Word documents or Microsoft Office Excel® spreadsheets. Some of the important differences are:

• Databases have constantly changing data and the database files are constantly open. To back up a database, special procedures are required. If you back up a live database by using an open file agent for backup, the backup will be inconsistent and you may not be able to restore it.


• Databases use transaction logs that grow over time. You need to ensure that those transaction logs are truncated (cleared) so that disk space is not wasted.

• Databases have their own internal security system. In most cases, applications configure all of the necessary security. However, you may need to look at security as part of troubleshooting an application.

Typically, it is not necessary for an administrator to understand the details of how data is stored inside of a database. That is the responsibility of the application developer. For example, databases consist of tables of information. An administrator does not directly modify any of the data in the tables.

There are many different database vendors. The database vendor you select will be based on the application. Each application vendor will define a list of databases that can be used and how that database needs to be configured. Some applications with limited data requirements will include the database installation as part of the application installation. One of the most commonly used databases in Windows networks is SQL Server.

Note: Exchange Server does not use SQL Server for data storage. Exchange Server uses a different type of database called Microsoft Extensible Storage Engine (ESE).


What Is SQL Server?

Key Points

Microsoft SQL Server 2008 is a database that can be used for a variety of purposes, such as business intelligence or data warehousing. However, a common use for SQL Server is as back-end data storage for applications. Both traditional client-server applications and Web-based applications often use SQL Server to store application data.

When applications query, modify, and add data to a SQL Server database, they use Structured Query Language (SQL). SQL is a standard language that is used for communication with databases. In some cases, it can be useful for server administrators to be familiar with SQL, but it is not required to perform basic management of Microsoft SQL Server.

Reporting Services is an optional feature of SQL Server that is used to automatically generate reports from a SQL Server database. Some applications require Reporting Services to be installed for full functionality. For example, System Center Operations Manager requires Reporting Services to generate system reports showing the health of monitored computers.


When SQL Server is installed, there is a single instance by default. This instance is unnamed and accessed by using the name of the server. Within each instance there can be multiple databases. Each application will have its own database on a SQL Server, but they can be in the same instance.

In addition to the default instance, you can create named instances that are accessed by using servername\instancename. This is required if applications require databases with the same name or if settings between instances must be different. For example, the applications may require a different sort order setting.

The communication settings for a database are often implemented as an Open Database Connectivity (ODBC) connection. ODBC connections are stored on each client computer and contain the location of the database. Applications use an ODBC connection to locate the database.


SQL Server Editions

Key Points

There are several editions of SQL Server 2008. Each edition has different features. You should select the edition that meets the requirements of your applications.

Free editions of SQL Server 2008:

• Express. This is an entry level database that is suitable for learning and applications with limited data requirements. It supports only 1 CPU and 1 GB of RAM. The maximum database size is 4 GB.

• Compact. This edition is designed for use on mobile devices. There are no limits on CPU and memory use. The maximum database size is 4 GB.


Core editions of SQL Server 2008:

• Standard. This edition is designed for use as a departmental database. It is well suited to use as a back-end data store for departmental applications. It supports 4 CPUs and has no limit on memory. There are no limits on the database size, but it is limited to 16 instances.

• Enterprise. This edition is designed to support enterprise applications. It has no limits on CPU or memory utilization. It also has no limits on database size, supports up to 50 instances, and can run on Itanium-based systems. Enterprise edition also includes additional features for high availability, security, data mining, data warehousing, and analysis services.

Specialized editions of SQL Server 2008:

• Workgroup. This edition is designed for a remote office that needs a local instance of company data. It is capable of synchronizing data from the main office server running Standard or Enterprise Edition. It is limited to 2 CPUs and 4 GB of RAM. Database size is unlimited.

• Web. This edition is designed for Internet facing applications. It supports 4 CPUs, with unlimited memory support and database size. Licensing is per processor per month.

• Developer. This edition has the same features as Enterprise Edition, but is licensed only for development, testing, and demonstration. This edition may not be used in production.

For detailed information about SQL Server 2008 editions and their features, see Compare Edition Features on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=167150&clcid=0x409.

For a pricing overview of SQL Server 2008 editions, see SQL Server 2008 Pricing on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=167151&clcid=0x409.


SQL Server Authentication Options

Key Points

The data in a SQL Server database is protected by permissions, similar to how NTFS permissions are used to protect data in the file system. For SQL Server to appropriately determine permissions, the user must authenticate to SQL Server.

SQL Server 2008 authentication modes:

• Windows authentication. In this authentication mode, all permissions are linked to Active Directory or local Windows user accounts. In most cases, this is easier for users and administrators. Users may be automatically authenticated to an application based on the credentials cached in the local workstation, or at least do not need to remember a second set of credentials. Administrators do not need to maintain a second set of credentials.


• Mixed authentication. In this authentication mode, permissions can be linked to Active Directory user accounts, local Windows user accounts, or local user accounts created in SQL Server. This provides flexibility for situations where you do not want users to be Active Directory users. For example, you may want the users for a database to be administered by the database administration group rather than by Active Directory administrators.

Before selecting an authentication mode, you need to determine the authentication modes supported by your application. Some applications require the use of Active Directory accounts, while others require the use of local users in SQL Server.

When you use mixed authentication, both the local SQL account sysadmin and sa have full rights to the system. These accounts are used to provide administrative access to the databases. The sa account is considered legacy and may be removed in future versions. When you configure mixed authentication, you must provide a password for the sa and sysadmin accounts. In previous versions of SQL Server, this password was blank by default.


Demonstration: SQL Server Management Tools

Key Points

There are a number of tools available to manage SQL Server 2008. Graphical tools are the most commonly used by network administrators. More advanced database administrators can use SQL commands directly to perform server management tasks.

• SQL Server Management Studio is a graphical utility for managing SQL Server 2008. With this utility, you can manage almost any aspect of SQL Server 2008 or previous versions of SQL Server. You can create databases, modify security, configure backups, and many other features. You can also enter SQL commands directly through SQL Server Management Studio.

• SQL Server Configuration Manager is a graphical utility that performs a few specific SQL Server management tasks. It can start and stop SQL services, modify and manage the accounts used by SQL services, and modify network protocols.


• Command prompt utilities are provided to perform many tasks. These are provided primarily to allow automation through scripting. The osql command allows you to type SQL commands at a prompt and have them sent to a SQL Server. The sqlcmd command allows you to send SQL scripts to a SQL Server.

For more information about SQL Server 2008 management tools, see Features and Tools Overview (SQL Server 2008) on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkID=165686&clcid=0x409.

High-level steps:

1. Open SQL Server Management Studio.

2. Review the list of databases.

3. Review the properties of a database.

4. Review the authentication mode settings.

5. Review the instance level security accounts.

6. Review the database level security accounts.
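The review steps of this demonstration and the authentication-mode and sa points from the previous topic, as an added example that is not part of the course: the same information SQL Server Management Studio shows is read with sqlcmd so the checks can be scripted and repeated after every change. It assumes sqlcmd.exe on the path, an instance named SQL01 (SQL01\Name for a named instance), Windows authentication for the account running it, and an application database called AppDb; these are assumptions.

```powershell
# Added example: the demonstration's review steps as repeatable sqlcmd queries.
# Assumptions: sqlcmd.exe on the path, instance SQL01, Windows authentication,
# application database AppDb.
$instance = 'SQL01'
$db       = 'AppDb'

function Invoke-Sql([string]$Query) {
    # -E Windows authentication, -W trims column padding, -s puts '|' between columns.
    # Newlines in the query are collapsed so it fits in one -Q argument.
    & sqlcmd.exe -S $instance -E -W -s '|' -Q ('SET NOCOUNT ON; ' + ($Query -replace '\s+', ' '))
}

'== Step 4: authentication mode =='
Invoke-Sql "SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
                   WHEN 1 THEN 'Windows authentication' ELSE 'Mixed mode' END AS AuthenticationMode;"

'== Steps 2 and 3: databases, their state and recovery model =='
Invoke-Sql "SELECT name, state_desc, recovery_model_desc FROM sys.databases ORDER BY name;"

'== Step 5: every login that is a member of the sysadmin server role =='
# Anything listed here has full rights to every database on the instance.
Invoke-Sql "SELECT name, type_desc, is_disabled
            FROM sys.server_principals
            WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;"

'== Step 5: state of the sa login (its sid is always 0x01) =='
# In mixed mode sa is a password-only account with full rights; when its password
# was last set is part of what a reviewer wants to know.
Invoke-Sql "SELECT name, is_disabled, LOGINPROPERTY(name, 'PasswordLastSetTime') AS PasswordLastSet
            FROM sys.server_principals WHERE sid = 0x01;"

'== Step 6: users in the application database and the logins they map to =='
# S = SQL Server user, U = Windows user, G = Windows group. principal_id > 4 skips
# dbo, guest, INFORMATION_SCHEMA and sys. A user with no matching login is orphaned,
# which is what you see after restoring a database onto a different instance.
Invoke-Sql "SELECT dp.name AS DbUser, dp.type_desc,
                   ISNULL(sp.name, '<orphaned: no matching login>') AS ServerLogin
            FROM [$db].sys.database_principals AS dp
            LEFT JOIN sys.server_principals AS sp ON dp.sid = sp.sid
            WHERE dp.type IN ('S', 'U', 'G') AND dp.principal_id > 4
            ORDER BY dp.name;"
```

Running the script before and after an application installation and comparing the output is a quick way to see which logins and database users the installer created, which is usually the first thing to look at when troubleshooting an application's database access.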


How SQL Server Uses Transaction Logs

Key Points

Each action performed in a SQL Server 2008 database is referred to as a transaction. Each transaction may have multiple steps, such as modifying multiple tables. For example, a transaction may remove money from one account and then add money to another account. It is important that all steps in a transaction are completed successfully. To increase the reliability of transactions and prevent problems with inconsistent databases, SQL Server 2008 uses transaction logs.

Each database has a transaction log. When a transaction is initiated, the transaction is written to the transaction log before any modifications are performed in the database. Then if there are any errors during the transaction, such as a power failure or disk error, the transaction can be rolled back or completed to keep the database consistent.

You can set a recovery model for a database that controls how logging is performed. These are called recovery models because they control how you perform recovery from a backup and how you perform backups.


The recovery models for SQL Server 2008 are:

• Simple recovery. This model uses circular logging for the transaction log. This means that as transactions are written to the database, they are not kept in the transaction log. As long as a transaction is complete, that transaction may be deleted by SQL Server 2008. The main benefit of the simple recovery model is that less disk space is used by transaction logs. However, recovery is limited to the point in time that the backup was taken.

• Full recovery. This model keeps transaction logs until they are backed up. This uses more disk space than the simple recovery model, but allows you to restore the database back to the point in time of database corruption. First, you restore the database, and then replay the transaction logs. It is possible to only replay the transaction logs back to a specific point in time if desired.

• Bulk-logged recovery. This model is used only when a large number of transactions are being performed, typically as part of a maintenance routine or data import. Bulk logging is more efficient on disk space than full recovery mode, but does not allow recovery to a specific point in time.

For more information about recovery models in SQL Server 2008, see Recovery Model Overview on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkID=165687&clcid=0x409.


Backup and Restore Options for SQL Server

Key Points

Databases are not backed up in the same way as the file system of a server. You can still perform full, differential, and incremental backups. However, each of these options works with the database and transaction logs.

When the full recovery mode is being used, you have the following options for backup:

• Full backup. When you perform a full backup, the database and transaction logs are backed up. The transaction logs are also truncated. Truncating the transaction logs frees up disk space.

• Incremental backup. When you perform an incremental backup, only the transaction logs are backed up. The transaction logs are also truncated after they are backed up. If you are performing a daily incremental backup, it includes a single day of transaction logs.


• Differential backup. When you perform a differential backup, only the transaction logs are backed up. The transaction logs are not truncated. So, the second day you perform a differential backup, the transaction logs from day one and day two are backed up.

When the simple recovery mode is being used, it is not possible to perform incremental or differential backups because the log files contain only current transactions. You can only perform full backups on a database by using simple recovery mode.

When you recover a SQL database, you first restore the database and all of the transaction logs; then the transaction logs are replayed to bring the database up to a current state. Replaying transaction logs reapplies the transactions to the database. If any transaction log is missing or corrupt, the replay will stop and you cannot recover past that point.
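The recovery model, the three backup types and the restore-then-replay sequence from the last two topics, as one added example that is not part of the course: T-SQL sent through sqlcmd from PowerShell. It assumes sqlcmd.exe on the path, an instance SQL01, Windows authentication, an application database AppDb and D:\SQLBackup as the backup folder (all assumptions). In SQL Server's own terms, what the text calls an incremental backup is BACKUP LOG, and its differential is BACKUP DATABASE ... WITH DIFFERENTIAL, which, as the text says, leaves the log untruncated.

```powershell
# Added example: recovery model, backups and the restore/replay sequence via sqlcmd.
# Assumptions: sqlcmd.exe on the path, instance SQL01, Windows authentication,
# database AppDb, backup folder D:\SQLBackup.
$instance = 'SQL01'
$db       = 'AppDb'
$dir      = 'D:\SQLBackup'

function Invoke-Sql([string]$Query) {
    # -b makes sqlcmd exit non-zero on a T-SQL error, so a failed step stops the
    # sequence instead of silently moving on to the next backup or restore.
    & sqlcmd.exe -S $instance -E -b -Q ($Query -replace '\s+', ' ')
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed: $Query" }
}

function Set-FullRecovery {
    # Log (incremental) and differential backups are only possible under the full model.
    Invoke-Sql "ALTER DATABASE [$db] SET RECOVERY FULL;"
}

function Backup-AppDb([ValidateSet('Full', 'Differential', 'Log')][string]$Kind) {
    # CHECKSUM stores a checksum per page so that a damaged backup is detected when it
    # is verified or restored, not discovered in the middle of a recovery.
    $stamp = Get-Date -Format 'yyyyMMdd_HHmm'
    switch ($Kind) {
        'Full'         { Invoke-Sql "BACKUP DATABASE [$db] TO DISK = N'$dir\${db}_full.bak' WITH INIT, CHECKSUM;" }
        'Differential' { Invoke-Sql "BACKUP DATABASE [$db] TO DISK = N'$dir\${db}_diff.bak' WITH DIFFERENTIAL, INIT, CHECKSUM;" }
        'Log'          { Invoke-Sql "BACKUP LOG [$db] TO DISK = N'$dir\${db}_log_$stamp.trn' WITH CHECKSUM;" }  # this is the step that truncates the log
    }
}

function Restore-AppDb {
    # 1. Save the log records written since the last log backup (tail-log backup).
    #    This only works if the log file survived, which is why the text recommends
    #    keeping logs on a different physical disk from the data files.
    Invoke-Sql "BACKUP LOG [$db] TO DISK = N'$dir\${db}_tail.trn' WITH NO_TRUNCATE, CHECKSUM;"

    # 2. Full, then differential, then every log backup in order, each left in
    #    NORECOVERY so that the next log can still be applied.
    Invoke-Sql "RESTORE DATABASE [$db] FROM DISK = N'$dir\${db}_full.bak' WITH NORECOVERY, REPLACE, CHECKSUM;"
    Invoke-Sql "RESTORE DATABASE [$db] FROM DISK = N'$dir\${db}_diff.bak' WITH NORECOVERY, CHECKSUM;"
    $logs = @(Get-ChildItem "$dir\${db}_log_*.trn" | Sort-Object Name) + @(Get-Item "$dir\${db}_tail.trn")
    foreach ($log in $logs) {
        # A missing or corrupt file throws here, and that is the end of the replay:
        # nothing after this point can be recovered, as the text describes.
        # For point-in-time recovery add ", STOPAT = '<time>'" to each RESTORE LOG up to
        # and including the backup that contains that time, and apply no later log.
        Invoke-Sql "RESTORE LOG [$db] FROM DISK = N'$($log.FullName)' WITH NORECOVERY, CHECKSUM;"
    }

    # 3. Bring the database online. After this no further log can be applied.
    Invoke-Sql "RESTORE DATABASE [$db] WITH RECOVERY;"
}

# Typical use:
#   Set-FullRecovery; Backup-AppDb Full     # once, then weekly
#   Backup-AppDb Differential               # nightly
#   Backup-AppDb Log                        # hourly
#   Restore-AppDb                           # after a data-disk failure
```

Because the log backups carry a sortable timestamp in their file name, the restore loop replays them in the order they were taken, which is the order SQL Server requires; renaming or losing one of them is exactly the situation in which the replay stops.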

Support Considerations for SQL Server

Key Points

Some considerations for supporting SQL Server are:

• The transaction log file never shrinks in size automatically. When you truncate a transaction log, the file size stays the same, but data is removed from the file. You can manually shrink the file if required.

• The database file never shrinks in size automatically. When you delete data from a database, the file size stays the same, but data is removed from the file. You can manually shrink the file if required.

• To enhance recoverability, use full recovery mode. If you use simple recovery mode, then you can only restore back to the point in time of the backup.

• To enhance recoverability, store database files on a separate physical disk from transaction logs. Then if a disk is lost or corrupted, you can restore the database and replay the transaction logs up to the current point.

• When using incremental backups, ensure that your backup system is reliable. A corrupted incremental backup will stop replay of all transactions, which could result in losing data from multiple days.

• Use a maintenance plan to back up databases automatically. A maintenance plan in SQL Server 2008 allows you to create a schedule for database backups and maintenance.

• If your backup software does not have an agent for SQL Server, configure SQL Server 2008 to back up the database to a file on disk that your backup software can then back up. This avoids the need to stop the database for backups, which would affect application availability.

• The database for an application is only one part of the application. Consider all servers that are part of an application when performing backups. For example, an application on a Web front-end server may need to be the correct version to work with a database that has been restored. This could be an issue after a recent upgrade.
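The backup chain and the restore sequence described in the two topics above, as an added PowerShell example that is not part of the handbook. It runs the T-SQL BACKUP and RESTORE statements through Invoke-Sqlcmd, which is assumed to be available from the SQL Server PowerShell module; the instance name, database name and backup folder are placeholders. The transaction-log backups that the text calls incremental backups are taken with BACKUP LOG. The restore applies the full backup and then each log WITH NORECOVERY and recovers once at the end, which is the replay the text describes. Because the files are written to disk, file-level backup software without a SQL Server agent can collect them, and every file is checked with RESTORE VERIFYONLY before it is relied on. The tail-log backup WITH NO_TRUNCATE is the step that the separate-disk recommendation makes possible when the data disk is lost and the log disk survives.

```powershell
# Added example, not from the handbook. Assumptions: Invoke-Sqlcmd is available
# (SQL Server PowerShell module), the caller holds BACKUP DATABASE and RESTORE
# rights, and these three names are placeholders for your own environment.
$Instance  = 'SEA-DC1\SQLEXPRESS'
$Database  = 'AppDB'
$BackupDir = 'D:\SQLBackup'   # keep this, and the .ldf files, off the data-file disk

function Invoke-AppSql {
    param([Parameter(Mandatory=$true)][string]$Query)
    # Long backups must not hit the default command timeout; errors stop the script
    # so a failed step never lets a later RESTORE run against a half-built chain.
    Invoke-Sqlcmd -ServerInstance $Instance -Query $Query -QueryTimeout 65535 -ErrorAction Stop
}

# 1. Log backups are only possible under the full recovery model.
Invoke-AppSql "ALTER DATABASE [$Database] SET RECOVERY FULL;"

# 2. Full backup: data files plus the active log. CHECKSUM stores page checksums
#    in the backup so corruption is detected when the file is verified or restored.
$Full = Join-Path $BackupDir "${Database}_full.bak"
Invoke-AppSql "BACKUP DATABASE [$Database] TO DISK = N'$Full' WITH INIT, CHECKSUM;"

# 3. Transaction-log backups (the text's daily incremental backups). Each one
#    truncates the log after it is written, so every file in the chain is needed.
$Logs = @()
foreach ($n in 1..2) {
    $Log = Join-Path $BackupDir ('{0}_log{1}.trn' -f $Database, $n)
    Invoke-AppSql "BACKUP LOG [$Database] TO DISK = N'$Log' WITH CHECKSUM;"
    $Logs += $Log
}

# 4. Verify every file: a missing or corrupt log stops the replay, and nothing
#    after that point can be recovered.
foreach ($File in (@($Full) + $Logs)) {
    Invoke-AppSql "RESTORE VERIFYONLY FROM DISK = N'$File' WITH CHECKSUM;"
}

# 5. After losing the data disk, the surviving log disk still holds transactions
#    that were never backed up; NO_TRUNCATE captures that tail of the log.
$Tail = Join-Path $BackupDir "${Database}_tail.trn"
Invoke-AppSql "BACKUP LOG [$Database] TO DISK = N'$Tail' WITH NO_TRUNCATE, CHECKSUM;"

# 6. Restore: full backup first, each log in order, then recover exactly once.
Invoke-AppSql "RESTORE DATABASE [$Database] FROM DISK = N'$Full' WITH NORECOVERY, REPLACE;"
foreach ($Log in ($Logs + $Tail)) {
    Invoke-AppSql "RESTORE LOG [$Database] FROM DISK = N'$Log' WITH NORECOVERY;"
}
Invoke-AppSql "RESTORE DATABASE [$Database] WITH RECOVERY;"
```

Steps 1 to 4 are what a maintenance plan or SQL Server Agent job would run on a schedule; steps 5 and 6 are the recovery path and are included so the whole chain can be rehearsed on a test database before it is needed.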

Lesson 4 Deploying Client Applications

When you deploy a new operating system, you need to consider application compatibility with that operating system. Even when a new operating system is not being used, each organization needs to determine the best way to deploy applications. In this lesson, you will learn about these topics and learn how to deploy an application by using Group Policy.

Objectives

After completing this lesson, you will be able to:

• Describe considerations for application compatibility.

• Describe the methods for deploying applications.

• Deploy an application by using Group Policy.

Considerations for Application Compatibility

Key Points

For commercial software, the best way to ensure that a desktop application is compatible with a new desktop operating system is to verify with the application vendor. If the application is supported on the new operating system, then you can safely use it with the new operating system. If the application is not supported, it may still work, but you should do extensive testing. Alternatively, you can wait for the vendor to provide an updated version of the application for the new operating system.

To simplify, Microsoft provides a list of applications that are compatible with Windows Vista® and Windows 7 on the TechNet Web site. This is an alternative to verifying individually with each vendor.

If an application has been developed internally or was custom developed, then you can use the Application Compatibility Toolkit (ACT) to identify and resolve compatibility issues before deploying a new operating system. ACT assists in the collection of application inventory data. Then you can use ACT to organize and analyze compatibility issues that are identified. After issues are identified, you can test and verify that compatibility issues exist and attempt to mitigate them. ACT includes tools to monitor.

Some applications have compatibility problems with User Account Control (UAC) in Windows Vista and Windows 7. The Standard User Analyzer (SUA) tool in ACT helps to identify these issues. SUA also provides mitigations for UAC-related problems and saves them as an MSI file. Compatibility Administrator is a tool in ACT that is used to apply the MSI file to other computers in your organization.

For more information about application compatibility, see the Application Compatibility page on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=165693&clcid=0x409.

Application Deployment Methods

Key Points

Traditionally, applications were deployed by going from computer to computer with a CD-ROM and installing the application manually by running setup. However, this was a time-consuming process and led to non-standard configurations because each technician performing the software installation might select different options.

Other ways to deploy applications include:

• Inclusion in an operating system image. When applications are included in an operating system image, they do not need to be configured after a computer is updated. However, this is only suitable for applications that are deployed to all users. It also does not address the need to update applications when updates become available.

• Group Policy. You can deploy applications by including them in a GPO that is associated with users or computers. The application must be packaged as an MSI file. You can add transform files (MST) to automate the installation of applications. You can add updates (MSP) to update existing applications. This is a good option for small and mid-sized organizations to deploy applications. Larger organizations should consider System Center Configuration Manager for easier manageability and additional features.

• System Center Essentials. This product is designed to help manage clients and servers for mid-sized organizations with up to 500 clients and 30 servers. It is a centralized solution for software inventory, hardware inventory, health monitoring, issue resolution, software deployment, and Windows update deployment. For application deployment, it can deploy non-MSI applications and control the installation of applications.

• System Center Configuration Manager. System Center Configuration Manager is an enterprise-level tool for managing the configuration of clients and servers. It is a centralized solution for software inventory, hardware inventory, software deployment, operating system deployment, Windows update deployment, and computer configuration.

• Application Virtualization (App-V). This product allows applications to be delivered to a computer without being installed on that computer. Application components are delivered to the computer on demand as required to speed up delivery of the applications. The environment for the application is virtualized to eliminate conflicts between applications such as DLL version incompatibility. Application updates are performed centrally and used by each computer the next time the application is used.

• Terminal Services. This Windows Server 2008 role runs applications centrally on a server. Only screen draw commands are sent to the client computer. This results in fast connectivity over slow networks and allows you to centrally control the application. Users can access either a full desktop remotely or just the application in its own window.

For more information about System Center Essentials, see the “System Center Essentials 2007 SP1 Overview” white paper on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=89185.

For more information about the capabilities of System Center Configuration Manager, see Capabilities on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=165689&clcid=0x409.

For more information about Application Virtualization, see Microsoft Application Virtualization 4.5 Release to Manufacturing on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=165691&clcid=0x409.

Demonstration: Deploying an Application by Using Group Policy

Key Points

High-level steps:

1. Open Group Policy Management.

2. Create a new GPO.

3. Add the application to the new GPO.

4. Test delivery of the application.

Lesson 5 Planning Terminal Services

Terminal Services is a solution for providing users with access to applications remotely. Windows Server 2008 includes features that significantly enhance Terminal Services functionality for local and remote users. When you implement Terminal Services, the licensing for both Terminal Services and the applications must be carefully planned.

Objectives

After completing this lesson, you will be able to:

• Describe the purpose of Terminal Services.

• Describe the new Terminal Services features in Windows Server 2008.

• Describe the considerations for using Terminal Services licensing.

• Describe considerations for using Terminal Services.

What Is Terminal Services?

Key Points

Terminal Services is a Windows Server 2008 role that provides access to applications that run centrally on a server. When clients connect to a Terminal Server, the amount of network traffic is very small. All application processing occurs on the Terminal Server. The Terminal Server sends screen draw commands to the client, and the client sends mouse and keyboard input to the Terminal Server.

The client accessing a terminal server can be a desktop computer running the Remote Desktop client or a Windows terminal. A Windows terminal is a device that only runs the Remote Desktop client and does not provide functionality to run other applications.

When the Remote Desktop client is used to access a Terminal Server, file and printer redirection can be implemented. File redirection allows the remote client to save files from the Terminal Server to a local disk on the client. Printer redirection allows the remote client to print from terminal server applications but have the print job created on a local printer.

A client connected to a terminal server can have a full desktop displayed or just a single application window. The full desktop is useful for providing access to remote users that need access to data and applications. The single application window is useful for centralizing line-of-business applications in a single location.

For detailed information about Terminal Services, see Terminal Services in Windows Server 2008 on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=165694&clcid=0x409.

New Terminal Services Features in Windows Server 2008

Key Points

Terminal Services in Windows Server 2008 has been updated with many useful features. Some of the new features are:

• Single sign-on. This simplifies logon over internal networks by allowing the credentials from a client computer to be passed automatically to the terminal server. When used with a single application window, it makes the process similar to opening a local application.

• Easy Print. This simplifies printing to printers on the client computer. It avoids the need to install printer drivers on the terminal server that match the printer on the client computer. All print jobs are created in XPS format on the Terminal Server and rendered for the appropriate printer locally.

• TS RemoteApp. This allows clients to open a window with a single application when connecting to a Terminal Server rather than an entire desktop. This simplifies the process for users and is very useful for line-of-business applications that have been centralized on a Terminal Server.

• TS Web Access. This allows clients to begin a Terminal Services connection from a Web page. This can be used to deploy a full desktop terminal services experience or RemoteApp programs. Users can also use this functionality to connect to their regular desktop computer when outside the office if they have remote desktop access to it. The primary benefit is simplifying the connection process for users.

• TS Gateway. This allows clients to connect to internal terminal servers through firewalls and network address translation (NAT). The Remote Desktop Protocol (RDP) communication is tunneled in HTTPS packets on port 443. This is often used together with TS Web Access for remote users over the Internet.

Considerations for Terminal Services Licensing

Key Points

Terminal Services requires client access licenses (CALs) in addition to the CALs required for accessing Windows. Terminal Server CALs can be per device or per user. Roaming users often access a terminal server from many devices; in such a case, user-based licensing is more cost effective. For internal computers that are shared by multiple users and access a line-of-business application, device-based CALs will be more cost effective.

Each Terminal Server must be configured to use per user or per device licensing. A single Terminal Server cannot mix the two licensing modes. To use per user and per device licensing, you must have at least two Terminal Servers.

Application licensing is also a concern. When an application is installed on a client computer, it is used by one person at a time, which typically requires a single license fee. On a Terminal Server, the licensing varies depending on the policies of the vendor. Some vendors include the rights to access an application by using Terminal Services when a license has already been obtained for users on a desktop computer. Some vendors require an application license to be purchased for each concurrent user on a Terminal Server. Other vendors require an application license to be purchased for every potential Terminal Server user.

Note: When a Terminal Server is installed, it will function for 120 days without communicating with a licensing server. However, after 120 days, a Terminal Server will stop allowing connections.

Considerations for Using Terminal Services

Key Points

When planning for the Terminal Services role, keep the following considerations in mind:

• Use Terminal Services to provide remote offices with access to centralized applications. Accessing an application or data by using Terminal Services has much better performance over a wide area network (WAN) than accessing application data remotely.

• Use Terminal Services to provide remote users with access to data and applications. Accessing an application or data by using Terminal Services has much better performance than using a VPN.

• Centralize the deployment of line-of-business applications on a Terminal Server. It is much easier to update a central copy of an application on a Terminal Server than on multiple client computers.

• Use RemoteApp to simplify access to applications on a terminal server. This provides users with a desktop icon that is simpler to understand than using a full Remote Desktop.

• Use TS Gateway and TS Web Access to support clients over the Internet. The combination of these two features ensures that clients can access Terminal Services applications from anywhere with an Internet connection, even when the only access allowed is through a Web proxy.

• Consider allowing remote users to remotely connect to their own desktop computers. This provides users with a familiar environment and ensures that all of their necessary applications are available.

• Be aware that the loss of a Terminal Server will affect many users. Use network load balancing and the Terminal Services Session Broker to provide high availability for Terminal Services.

Lab: Planning Application Servers

Note: Your instructor may run this lab as a class discussion.

A. Datum has recently identified the need to implement new applications to meet the needs of a growing organization. The first is a portal for collaborating on projects. Windows SharePoint Services has been selected for this purpose. The second need is a new financial application that will be deployed by using Terminal Services.

Exercise 1: Creating a Plan for Application Servers

Scenario

You have been tasked with creating a plan for implementing Windows SharePoint Services for collaboration and Terminal Services to support a financial application. You determine how these application servers will be implemented based on requirements provided by the IT manager.

Supporting Documentation

E-mail thread of correspondence with Allison Brown:

From: Allison Brown [[email protected]]
Sent: 30 July 2009 14:25
To: Gregory Weber [[email protected]]
Subject: Group Policy implementation

Greg,

As we discussed in the meeting this morning, I’d like you to take the lead on planning our implementation of the new application servers.

The first application server is for Windows SharePoint Services. We are implementing this only as a pilot project at this point. A new server (sharepoint.adatum.com) has been allocated for this task and has SQL Server 2008 Express already installed with an instance named SQLEXPRESS. If we move this project out of the pilot phase, then we’ll consider updates for better performance.

Windows SharePoint Services creates two Web sites on the server. One Web site is for managing WSS and the other is for accessing content. The content that users enter for the pages is stored in the SQL Server database.

Some of the things I need your input on are:

• What server roles and features do you think will be required?

• Do you have any concerns about hardware specifications?

• What sort of maintenance schedule will this application require?

• How will we ensure that this server and application are secure?

• How can we simplify access to this application for internal users?

• How should this be backed up?

The second application server is a Terminal Server that will be used by the new financial application. This is also a pilot project that we need to test before rolling it out to other users.

Some of the users are at head office and some others are at remote branches that will be accessing over the WAN. I really need your input as to what benefits using Terminal Services provides to us. I have to admit, I’m not entirely clear as to why we want to do it this way. However, the vendor recommended it.

In addition, I need your input on:

• Are there any benefits to using Windows Server 2008 for Terminal Services rather than Windows Server 2003 in our scenario?

• What are our licensing requirements?

• What will the overall system look like from a user perspective when it is implemented?

Let me know if you require any clarification.

Regards

Allison

The main tasks for this exercise are as follows:

1. Read the supporting documentation.

2. Create a plan for implementing Windows SharePoint Services.

3. Create a plan for implementing Terminal Services.

Task 1: Read the supporting documentation

• Read the supporting documentation.

• Determine if you need any more information and ask your instructor to clarify if required.

Task 2: Create a plan for implementing Windows SharePoint Services

• What server roles and features do you think will be required for implementing WSS?

• Do you have any concerns about hardware specifications for the WSS server?

• How can increasing workloads be accommodated?

• What sort of maintenance schedule will WSS require?

• How will we ensure that this server and WSS are secure?

• How can we simplify access to WSS for internal users?

• How should WSS be backed up?

Task 3: Create a plan for implementing Terminal Services

• What are the benefits of using Terminal Services for the financial application?

• Are there any drawbacks to using Terminal Services?

• Are there any benefits to using Windows Server 2008 for Terminal Services rather than Windows Server 2003 in our scenario?

• What are our licensing requirements?

• What will the overall system look like from a user perspective when it is implemented?

Results: After this exercise, you should have created a plan for implementing WSS and Terminal Services.

Exercise 2: Implementing Windows SharePoint Services

Scenario

After planning how WSS will be supported, you need to install it and review the installed components. You will also perform a backup of WSS.

The main tasks for this exercise are as follows:

1. Start the virtual machines and then log on.

2. Install Windows SharePoint Services.

3. Review the Web site configuration.

4. Configure Internet Explorer for Windows Authentication.

5. Back up Windows SharePoint Services.

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.

2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.

3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.

4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.

5. Minimize the Lab Launcher window.

Task 2: Install Windows SharePoint Services

1. Browse to D:\Labfiles\Mod05 and run SharePoint.exe.

2. Perform a Basic installation.

3. When installation is complete, run the SharePoint Products and Technologies Configuration Wizard.

4. When the configuration is complete, log on to the SharePoint site as Adatum\Administrator with a password of Pa$$w0rd.

Question: What is the URL of the SharePoint site?

Task 3: Review the Web site configuration

1. Open Internet Information Services (IIS) Manager.

2. View the application pools.

3. View the Web sites.

4. View the Authentication for the SharePoint - 80 Web site.

Task 4: Configure Internet Explorer for Windows Authentication

1. Open the Internet Options dialog box.

2. Add http://sea-dc1 to the Local Intranet zone.

3. Use Internet Explorer to access the SharePoint site at http://sea-dc1.

Question: Were you prompted for credentials?

Task 5: Back up Windows SharePoint Services

1. Create the folder C:\SPBackup.

2. From Administrative Tools, open SharePoint 3.0 Central Administration.

3. On the Operations tab, perform a full backup of the farm to C:\SPBackup.

Results: After this exercise, you should have successfully implemented Windows SharePoint Services and verified the configuration.
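A scripted version of the farm backup in Task 5, added here as an example that is not part of the lab. It calls the WSS 3.0 stsadm.exe command-line tool from its default installation path (an assumption), writes the backup to the lab's C:\SPBackup folder, and then reads the spbrtoc.xml table of contents that stsadm maintains in that folder to confirm the backup finished without errors; the element names used are from that file's format. Writing to a local folder is what lets file-level backup software without a SharePoint or SQL Server agent pick up the backup, as the support considerations earlier in the module describe.

```powershell
# Added example, not part of the lab. Assumes Windows SharePoint Services 3.0
# installed in its default location and a caller who is a farm administrator.
$BackupDir = 'C:\SPBackup'
$Stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\stsadm.exe'

function Backup-WssFarm {
    param(
        [string]$Directory = $BackupDir,
        [ValidateSet('full', 'differential')][string]$Method = 'full'
    )
    if (-not (Test-Path $Directory)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }
    # Catastrophic (farm) backup, the same operation as Central Administration's
    # "Perform a backup" on the Operations tab.
    & $Stsadm -o backup -directory $Directory -backupmethod $Method
    if ($LASTEXITCODE -ne 0) {
        throw "stsadm backup failed with exit code $LASTEXITCODE"
    }
    # stsadm records every backup and restore in spbrtoc.xml in the target folder;
    # pick the most recent entry and report whether it completed cleanly.
    [xml]$Toc = Get-Content (Join-Path $Directory 'spbrtoc.xml')
    $Latest = $Toc.SPBackupRestoreHistory.SPHistoryObject |
        Sort-Object { [datetime]$_.SPStartTime } -Descending |
        Select-Object -First 1
    New-Object PSObject -Property @{
        Started   = $Latest.SPStartTime
        Finished  = $Latest.SPFinishTime
        Method    = $Latest.SPBackupMethod
        Folder    = Join-Path $Directory $Latest.SPDirectoryName
        Errors    = [int]$Latest.SPErrorCount
        Warnings  = [int]$Latest.SPWarningCount
        Succeeded = ([int]$Latest.SPErrorCount -eq 0)
    }
}

Backup-WssFarm -Method full
```

The backup folder written by stsadm is what the file-level backup job should collect; a differential run between full runs keeps the folder smaller, and the Succeeded flag is the value a scheduled job should check before reporting the backup as complete.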

Exercise 3: Implementing Terminal Services

Scenario

After planning how Terminal Services will be supported, you need to install Terminal Services and deploy an application by using TS RemoteApp.

The main tasks for this exercise are as follows:

1. Install Terminal Services.

2. Install the financial application.

3. Prepare the financial application for distribution as a RemoteApp program.

4. Test the new application.

Task 1: Install Terminal Services

1. On SEA-DC1, open Server Manager.

2. Add the Terminal Services role with the Terminal Server role service and the following options:

• Authentication method: Do not require Network Level Authentication

• Licensing mode: Configure later

• Users and groups allowed to access Terminal Server: Administrators

3. Restart the server to complete the installation.

Task 2: Install the financial application

1. On SEA-DC1, browse to D:\Labfiles\Mod05 and run CalcPlus.msi.

2. Install to the default location.

3. Make the application available to Everyone.

Task 3: Prepare the financial application for distribution as a RemoteApp program

1. On SEA-DC1, open TS RemoteApp Manager, and then add Microsoft Calculator Plus as a RemoteApp program.

2. Select Microsoft Calculator Plus and then Create Windows Installer Package.

• Location to save packages: C:\Program Files\Packaged Programs

• Other package setting: default

• Create a shortcut on the Desktop and Start menu folder in Remote Programs

3. Share the C:\Program Files\Packaged Programs folder with default settings.

4. Use Group Policy Management to edit the Default Domain Policy and create a new user policy for software installation:

• Package: \\SEA-DC1\Packaged Programs\CalcPlus.msi

• Deployment type: Assigned

• Install this application at logon (in Properties or by using Advanced)

Task 4: Test the new application

1. On SEA-CL1, log on as Adatum\Administrator with a password of Pa$$w0rd.

2. If the application shortcut does not appear on the desktop, run gpupdate and then log on again.

3. Configure single sign-on for Terminal Services by using the local group policy editor.

• Start gpedit.msc.

• Browse to Computer Configuration\Administrative Templates\System\Credentials Delegation.

• Enable Allow Delegating Default Credentials and add termsrv/SEA-DC1.adatum.com.

4. Start the Microsoft Calculator Plus application.

Results: After this exercise, you should have successfully implemented Terminal Services and distributed a Terminal Services application.
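The Group Policy work in the demonstration earlier in this lesson and in Tasks 3 and 4 above, as an added PowerShell example that is not part of the lab. It assumes the GroupPolicy module (Remote Server Administration Tools on Windows 7, or Windows Server 2008 R2 and later) and an account that can create and link GPOs; the GPO name, comment and link target are placeholders. Two choices differ from the lab steps and are design decisions of this example: the settings go into a dedicated GPO rather than the Default Domain Policy, so they can be unlinked on their own, and the credential delegation policy from Task 4 step 3 is delivered as a domain policy rather than through gpedit.msc on each client, using the registry values that the Allow Delegating Default Credentials policy template writes. Adding the CalcPlus.msi package itself has no cmdlet in the GroupPolicy module, so that step stays in the Group Policy Management Editor, as in Task 3 step 4. The final function reads the policy back and flags any wildcard server entry, because a wildcard would release the user's default credentials to any host presenting that service name, not just SEA-DC1.

```powershell
# Added example, not part of the lab. Assumes the GroupPolicy module and rights
# to create and link GPOs; the GPO name, comment and link target are placeholders.
Import-Module GroupPolicy

$GpoName  = 'TS RemoteApp - Calculator Plus'
$TsServer = 'SEA-DC1.adatum.com'      # the terminal server from the lab
$Target   = 'DC=adatum,DC=com'        # lab scope: the whole domain, like the Default Domain Policy
$Key      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# 1. A dedicated GPO instead of editing the Default Domain Policy: it can be
#    unlinked or deleted on its own if the pilot is rolled back.
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) {
    $Gpo = New-GPO -Name $GpoName -Comment 'Pilot: RemoteApp package and TS single sign-on'
}
# New-GPLink fails if the link already exists, which is fine on a re-run.
New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2. Software installation (Task 3 step 4) has no cmdlet: assign
#    \\SEA-DC1\Packaged Programs\CalcPlus.msi under User Configuration >
#    Policies > Software Settings > Software installation in the GPMC editor.

# 3. Single sign-on (Task 4 step 3): the values behind Computer Configuration >
#    Administrative Templates > System > Credentials Delegation >
#    Allow Delegating Default Credentials, set centrally instead of via gpedit.msc.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'AllowDefaultCredentials' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'ConcatenateDefaults_AllowDefault' -Type DWord -Value 1 | Out-Null
# The server list lives in a subkey, one value per entry, named 1, 2, 3...
# Name the exact server: termsrv/* would delegate the user's credentials to
# any host that presents that service name.
Set-GPRegistryValue -Name $GpoName -Key "$Key\AllowDefaultCredentials" -ValueName '1' -Type String -Value "termsrv/$TsServer" | Out-Null

# 4. Read the policy back and check the scope of the delegation.
function Test-TsSsoPolicy {
    param([string]$Name = $GpoName, [string]$Server = $TsServer)
    $Enabled = Get-GPRegistryValue -Name $Name -Key $Key -ValueName 'AllowDefaultCredentials' -ErrorAction SilentlyContinue
    $Entries = @(Get-GPRegistryValue -Name $Name -Key "$Key\AllowDefaultCredentials" -ErrorAction SilentlyContinue)
    $Spns    = @($Entries | ForEach-Object { [string]$_.Value })
    New-Object PSObject -Property @{
        Enabled    = ($null -ne $Enabled -and [int]$Enabled.Value -eq 1)
        Servers    = $Spns
        ExactMatch = ($Spns -contains "termsrv/$Server")
        Wildcards  = @($Spns | Where-Object { $_.Contains('*') })
    }
}

Test-TsSsoPolicy
```

On SEA-CL1, run gpupdate /force or log off and on again as Task 4 does, confirm with gpresult /r that the GPO is listed under the applied policies, and then start the RemoteApp shortcut: with delegation scoped to termsrv/SEA-DC1.adatum.com it should open without a second credential prompt, while Wildcards in the check output should stay empty.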

To prepare for the next module

1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.

2. In the Close box, select Turn off machine and discard changes. Click OK.

Module Review and Takeaways

Review Questions

1. How can you provide access to a client server application over the Internet and still have acceptable performance?

2. Why do you need to consider transaction logs when planning backup and recovery for SQL Server?

3. How can you isolate Web applications so that a programming error in one does not affect another?

Common Issues Related to Terminal Server Licensing

Identify the causes for the following common issues related to Terminal Server licensing, and fill in the troubleshooting tips. For answers, refer to the relevant lessons in the module.

Issue Troubleshooting tip

A Windows Server 2008 Terminal Server stops allowing connections after 120 days.

User CALs are not being consumed by a Terminal Server.

Device CALs are not being consumed by a Terminal Server.

Real-World Issues and Scenarios

1. A Web-based application is considered critical for your organization. How can you increase the availability of this application?

2. Your organization does not have backup software with an agent for SQL Server. The agent for SQL Server has been ordered, but will not arrive for several weeks. In the meantime, how can you back up the SQL Server database without stopping the database?

3. Your organization has implemented a Web-based application. Authentication for this application is based on Active Directory accounts. When users access the application, they are prompted for credentials. How can you eliminate the prompt for credentials?

Best Practices Related to Supporting Traditional Applications

Supplement or modify the following best practices for your own work situations:

• Simplify user logons by integrating authentication with Active Directory when possible.

• Use Terminal Services with RemoteApp to avoid the need to install a client application on each computer.

• Use Terminal Services to provide access to an application for roaming users or remote offices.

• Understand the business impact of an application when planning maintenance.

Lab: Planning a Windows Server 2008 Deployment L1-1

Module 1: Planning Windows Server® 2008 Deployment

Lab: Planning a Windows Server 2008 Deployment

Exercise 1: Creating a Planning Flowchart for a Windows Server 2008 Deployment

Task 1: Read the supporting documentation

• Read the supporting documentation.

Task 2: Create the flowchart

1. On a piece of paper, generate a list of relevant criteria that must be considered during the upgrade or migration process.

• Is new hardware available?

• Does the downtime window allow for data to be migrated to a new server?

• Is testing of the new server required before placing into production?

• Is the hardware 64-bit?

• Are there 64-bit drivers for the hardware?

• Is the existing operating system 32-bit or 64-bit?

• Is Server Core being implemented?

• Are there applications running on the server?

• Are the applications compatible with Windows Server 2008?

• Are the applications compatible with a 64-bit environment?

• Is cross-file Distributed File System (DFS) replication required?

• Is failover clustering required?

• Is hot add memory required?

• How much RAM is required?

• Will this be a virtualization host with more than four guests?

2. Use the list of criteria you have generated to create a flowchart for determining whether to upgrade or migrate.

3. Use the list of criteria you have generated to create a flowchart for determining which edition of Windows Server 2008 you should use.

• Use the list of criteria you have generated to create a flowchart for determining whether to use a 32-bit or 64-bit operating system.

Results: After this exercise, you should have created flowcharts to help determine how to upgrade or migrate an existing server to Windows Server 2008.

Exercise 2: Planning a Windows Server 2008 Deployment

Task 1: Create a deployment plan for the archive file server

• Read the supporting documentation.

• Answer the questions in the Deployment Plan for the archive server.

Deployment Plan: Archive File Server

Document Reference Number: GW0688/1

Document Author: Gregory Weber

Date: 20th July

Requirement Overview

This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the more efficient file-sharing protocols in Windows Server 2008.

The archive file server is used to store older data that is accessed only occasionally. Extended outages are possible with notification.

It is used only as a file server. It has no other functions.

The hardware is relatively new, and no new hardware has been allocated for this server.

Additional Information

This server is currently running a 32-bit version of Windows Server 2003 R2.

Proposals

1. Will this server be upgraded on existing hardware or migrated to new hardware?

Answer: Because no new hardware has been allocated, this server must be upgraded. The file server role is a limited risk for upgrading. It should be recognized by the upgrade process.

2. Which edition of Windows Server 2008 will be used?

Answer: Windows Server 2008 Standard can be used. There are no requirements that necessitate the use of Windows Server 2008 Enterprise or Datacenter.

3. Will 32-bit or 64-bit Windows Server 2008 be used?

Answer: A 32-bit version of Windows Server 2008 will be used, because you cannot upgrade between processor architectures.

Task 2: Create a deployment plan for the main file server

• Read the supporting documentation.

• Answer the questions in the Deployment Plan for the main file server.

Deployment Plan: Main File Server

Document Reference Number: GW0689/1

Document Author: Gregory Weber

Date: 20th July

Requirement Overview

This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the more efficient file-sharing protocols in Windows Server 2008.

The main file server is mission critical and cannot be taken out of production during business hours. Downtime must be limited to less than one day.

It is used only as a file server. It has no other functions.

This server should support cross-file replication for DFS. This may be implemented in the future to support remote offices, and the cross-file replication will reduce synchronization traffic on the WAN.

Data for this file server is stored on a Fibre Channel storage area network (SAN).

New hardware has been allocated for this server if required.

Additional Information

Clients access this file server through mapped drive letters that are created by a logon script.

Proposals

1. Will this server be upgraded on existing hardware or migrated to new hardware?

Answer: New hardware has been allocated, so this server should be migrated.

2. Which edition of Windows Server 2008 will be used?

Answer: This server will use Windows Server 2008 Enterprise to support the use of cross-file replication for DFS.

3. Will 32-bit or 64-bit Windows Server 2008 be used?

Answer: There is no indication of any reason not to use 64-bit, so a 64-bit operating system should be used.

4. How will downtime be minimized?

Answer: Even though there is a large amount of data, the migration of this data is not a concern. The data is stored on a SAN, and the new server can point at the existing storage on the SAN. Clients can be directed to the new server by updating their logon script.

Task 3: Create a deployment plan for the antivirus server

• Read the supporting documentation.

• Answer the questions in the Deployment Plan for the antivirus server.

Deployment Plan: Antivirus Server

Document Reference Number: GW0690/1

Document Author: Gregory Weber

Date: 25th July

Requirement Overview

This server is to be upgraded or migrated to Windows Server 2008 to standardize the server operating systems.

The antivirus server can experience an outage of 24 hours without impacting clients.

New hardware has been allocated for this server.

Additional Information

The antivirus application has not been tested by the vendor in 64-bit environments and is not supported in 64-bit environments.

Proposals

1. Will this server be upgraded on existing hardware or migrated to new hardware?

Answer: New hardware has been allocated for this server, so it should be migrated.

2. Which edition of Windows Server 2008 will be used?

Answer: Windows Server 2008 Standard can be used because there are no requirements that necessitate the use of Windows Server 2008 Enterprise or Datacenter.

3. Will 32-bit or 64-bit Windows Server 2008 be used?

Answer: A 32-bit version of Windows Server 2008 should be used, because the antivirus application is not supported on a 64-bit operating system. When 64-bit support is available, an upgrade to a 64-bit version of Windows Server 2008 can be considered.

Task 4: Create a deployment plan for the human resources application server

• Read the supporting documentation.

• Answer the questions in the Deployment Plan for the human resources application server.

Deployment Plan: Human Resources Application Server

Document Reference Number: GW0691/1

Document Author: Gregory Weber

Date: 25th July

Requirement Overview

This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the performance improvements in IIS 7.

The existing server is consistently short on memory, and a new server with 8 GB of memory has been allocated to address this.

The application data is also stored on this server and must be taken into account.

There can be no downtime during business hours.

The new server should support failover clustering, as it is being considered for the future.

Additional Information

None

Proposals

1. Will this server be upgraded on existing hardware or migrated to new hardware?

Answer: A new server has been allocated with additional memory. A migration should be performed.

2. Which edition of Windows Server 2008 will be used?

Answer: The memory requirement is 8 GB. This is possible with a 64-bit version of Windows Server 2008 Standard. However, Windows Server 2008 Enterprise is required to support failover clustering.

3. Will 32-bit or 64-bit Windows Server 2008 be used?

Answer: A 64-bit version of Windows Server 2008 should be used to best access the 8 GB of memory.

4. What process will you use to minimize downtime?

Answer: To minimize downtime, the new server should be implemented in parallel with the existing server. After the new server has been thoroughly tested, then you can perform a final data migration. Downtime is only required for the final data migration.

Results: After this exercise, you should have created a deployment plan for the archive file server, the main file server, the antivirus server, and the human resources application server.

Lab: Planning Network Infrastructure for Windows Server 2008 L2-13

Module 2: Planning Network Infrastructure for Windows Server® 2008

Lab: Planning Network Infrastructure for Windows Server 2008

Exercise 1: Determining an Appropriate Network Addressing Scheme

Task 1: Read the supporting documentation

• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action

• Answer the questions in the Branch Office Network Infrastructure Plan: IPv4 Addressing document.

Branch Office Network Infrastructure Plan: IPv4 Addressing

Document Reference Number: GW0709/1

Document Author: Gregory Weber

Date: 25th July

Requirement Overview

Design an IPv4 addressing scheme for the Adatum western regional branch sales offices, shown in the exhibit.

The block address 10.10.32.0/21 has been reserved for this region.

You must devise a scheme that supports the required number of subnets, the required number of hosts, and provide for 25% growth of hosts in each branch.

For each branch, provide the subnet addresses you plan to use, together with the start and end IP addresses for each subnet.

Additional Information

You do not need to concern yourself with the IP addressing for the corporate side of the router at each branch.

Proposals

1. How many subnets do you envisage requiring for this region?

Answer: There are 300 computers in the region. The specification states that around 50 computers should be deployed in each subnet. We also need to plan for growth of around 25%. Six subnets are required in the region to host computers, but an additional subnet per location should be planned for to host the growth in computers. This is a total of nine subnets.

2. How many hosts will you deploy in each subnet?

Answer: The specification states we must deploy a maximum of 50 host computers per subnet.

3. What subnet mask will you use for each branch?

Answer: The current network address for the region is 10.10.32.0/21. This leaves 11 bits to allocate to subnets and hosts. To express 9 subnets, we would require 4 bits, as 3 bits only provides for 8 subnets. 4 bits actually provides for 16 subnets, which is plenty. This is a decimal mask of 255.255.255.128.

4. What are the subnet addresses for each branch?

Answer:

Branch 1: 10.10.32.0/25, 10.10.32.128/25, 10.10.33.0/25

Branch 2: 10.10.33.128/25, 10.10.34.0/25, 10.10.34.128/25

Branch 3: 10.10.35.0/25, 10.10.35.128/25, 10.10.36.0/25

5. What range of host addresses is in each branch?

Answer:

Branch 1: 10.10.32.1 to 10.10.32.126; 10.10.32.129 to 10.10.32.254; 10.10.33.1 to 10.10.33.126

Branch 2: 10.10.33.129 to 10.10.33.254; 10.10.34.1 to 10.10.34.126; 10.10.34.129 to 10.10.34.254

Branch 3: 10.10.35.1 to 10.10.35.126; 10.10.35.129 to 10.10.35.254; 10.10.36.1 to 10.10.36.126
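
The addressing answers above can be derived mechanically. The following Python script is an added example, not part of the handbook; it takes the lab's figures (10.10.32.0/21, 300 computers across three branches, about 50 per subnet, and 25% growth handled as one spare subnet per branch, as the answer key does) and reproduces the /25 plan and host ranges listed above.

```python
import ipaddress
import math

# Constructed inputs taken from the lab scenario: the reserved block, the
# computer counts from the answer key, and the 25% growth allowance.
REGION_BLOCK = ipaddress.ip_network("10.10.32.0/21")
BRANCHES = 3                   # western region sales offices, Branch 1 to 3
COMPUTERS_IN_REGION = 300
MAX_HOSTS_PER_SUBNET = 50      # "around 50 computers ... in each subnet"
GROWTH = 0.25                  # 25% growth of hosts in each branch
GROWTH_SUBNETS_PER_BRANCH = 1  # the answer key plans one extra subnet per location


def subnets_required(computers=COMPUTERS_IN_REGION, branches=BRANCHES,
                     per_subnet=MAX_HOSTS_PER_SUBNET,
                     growth_subnets=GROWTH_SUBNETS_PER_BRANCH):
    """Subnets to carve out: enough for today's hosts plus one growth subnet per branch."""
    per_branch = math.ceil(computers / branches / per_subnet)  # 100 / 50 = 2
    return branches * (per_branch + growth_subnets)            # 3 * 3 = 9


def prefix_for(block, count):
    """Smallest new prefix length that yields at least `count` equal subnets of block."""
    subnet_bits = math.ceil(math.log2(count))   # 9 subnets -> 4 bits (3 bits give only 8)
    return block.prefixlen + subnet_bits        # /21 + 4 = /25


def plan_region(block=REGION_BLOCK):
    """Return the prefix, dotted mask and per-branch (subnet, first host, last host)."""
    count = subnets_required()
    prefix = prefix_for(block, count)
    candidates = list(block.subnets(new_prefix=prefix))  # 16 x /25 available
    # Each subnet must still hold a full subnet's worth of hosts after growth.
    hosts_needed = math.ceil(MAX_HOSTS_PER_SUBNET * (1 + GROWTH))  # 63
    usable = candidates[0].num_addresses - 2                       # 126 for a /25
    if usable < hosts_needed:
        raise ValueError(f"/{prefix} holds {usable} hosts, need {hosts_needed}")
    per_branch = count // BRANCHES
    branches = {}
    for i in range(BRANCHES):
        chunk = candidates[i * per_branch:(i + 1) * per_branch]
        # s[0] is the network address and s[-1] the broadcast; hosts sit between them.
        branches[f"Branch {i + 1}"] = [(str(s), str(s[1]), str(s[-2])) for s in chunk]
    return {"prefix": prefix, "netmask": str(candidates[0].netmask), "branches": branches}


if __name__ == "__main__":
    plan = plan_region()
    print(f"/{plan['prefix']} ({plan['netmask']})")
    for branch, subnets in plan["branches"].items():
        print(branch)
        for net, first, last in subnets:
            print(f"  {net}: {first} to {last}")
```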

Results: After this exercise, you should have a completed IP addressing plan for the western region branch offices.

Exercise 2: Planning the Placement of Network Servers

Task 1: Read the supporting documentation

• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action

• Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document.

Branch Office Network Infrastructure Plan: Network Services

Document Reference Number: GW0709/2

Document Author: Gregory Weber

Date: 25th July

Requirement Overview

Specify which network services are required in each sales office, and any changes that might be required in the head office to facilitate your proposals.

Additional Information

It is important that any router, server, or communications link failure does not adversely affect users.

Proposals

1. How many DHCP servers do you propose to deploy in the region?

Answer: Assuming that the routers are all RFC-compliant, there is no need to deploy DHCP servers in each subnet. Perhaps one DHCP server in each location would be sufficient. For fault tolerance, duplicate scopes configured at the head office DHCP server, with appropriate exclusions to support the 80/20 rule, would provide for addressing fault tolerance.

2. Where do you propose to deploy these servers?

Answer: One DHCP server in each regional office.

3. What name resolution services are required?

Answer: Both DNS and NetBIOS name resolution are required.

4. To support the DNS name space in the sales division, how would you propose to configure DNS?

Answer: There are two choices:

a. Configure a subdomain for sales in the existing Adatum.com DNS name space. Then create sufficient DNS servers for deployment to the region as secondary servers of the Adatum.com zone.

b. Create a delegation for the sales.adatum.com zone in the Adatum.com zone. Provide at least two name servers to support this delegated zone.

5. Will you require WINS?

Answer: Possibly.

6. If so, how many WINS servers will you require for the region?

Answer: Probably two, configured as replicas.

7. If not, how do you propose to support single-label names?

Answer: Instead of WINS, the GlobalNames zone (GNZ) could be used.

Results: After this exercise, you should have a completed plan for the deployment of network services in the western regional branch offices.

Exercise 3: Implementing the Planned Network Services

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.

2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.

3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.

4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.

5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.

6. Minimize the Lab Launcher window.

Task 2: Deploy the DHCP Server role on SEA-SVR1

1. Switch to the SEA-SVR1 computer.

2. Click Start, and then click Server Manager.

3. In Server Manager, in the console, click Roles.

4. In the results pane, under Roles Summary, click Add Roles.

5. In the Add Roles Wizard, click Next.

6. On the Select Server Roles page, in the Roles list, select the DHCP Server check box, and then click Next.

7. On the DHCP Server page, click Next.

8. On the Select Network Connection Bindings page, click Next.

9. On the Specify IPv4 DNS Server Settings page, in the Preferred DNS Server IPv4 Address box, type 10.10.0.10, and then click Next.

10. On the Specify IPv4 WINS Server Settings page, click Next.

11. On the Add or Edit DHCP Scopes page, click Next.

12. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server, and then click Next.

13. On the Authorize DHCP Server page, click Next.

14. On the Confirm Installation Selections page, click Install.

15. On the Installation Results page, click Close.

Task 3: Configure the primary DHCP scope for subnet 1

1. Click Start, click Administrative Tools, and then click DHCP.

2. In the DHCP Console, expand sea-svr1.adatum.com, expand IPv4, and then click IPv4.

3. Right-click IPv4, and then click New Scope.

4. In the New Scope Wizard, click Next.

5. On the Scope Name page, in the Name box, type Branch 1 subnet 1 scope 1, and then click Next.

6. On the IP Address Range page, in the Start IP address box, type 10.10.32.1.

7. In the End IP address box, type 10.10.32.125.

8. In the Length box, type 25, and then click Next.

9. On the Add Exclusions page, in the Start IP address box, type 10.10.32.100.

10. In the End IP address box, type 10.10.32.125, click Add, and then click Next.

11. On the Lease Duration page, click Next.

12. On the Configure DHCP Options page, click Next.

13. On the Router (Default Gateway) page, in the IP address box, type 10.10.32.126, click Add, and then click Next.

14. On the Domain Name and DNS Servers page, click Next.

15. On the WINS Servers page, click Next.

16. On the Activate Scope page, click Next, and then click Finish.

Task 4: Configure the secondary DHCP scope for subnet 2

1. Right-click IPv4, and then click New Scope.

2. In the New Scope Wizard, click Next.

3. On the Scope Name page, in the Name box, type Branch 1 subnet 2 scope 2, and then click Next.

4. On the IP Address Range page, in the Start IP address box, type 10.10.32.129.

5. In the End IP address box, type 10.10.32.253.

6. In the Length box, type 25, and then click Next.

7. On the Add Exclusions page, in the Start IP address box, type 10.10.32.129.

8. In the End IP address box, type 10.10.32.229, click Add, and then click Next.

9. On the Lease Duration page, click Next.

10. On the Configure DHCP Options page, click Next.

11. On the Router (Default Gateway) page, in the IP address box, type 10.10.32.254, click Add, and then click Next.

12. On the Domain Name and DNS Servers page, click Next.

13. On the WINS Servers page, click Next.

14. On the Activate Scope page, click Next, and then click Finish.
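
Tasks 3 and 4 implement the 80/20 split by excluding part of each distribution range. The Python script below is an added example, not part of the lab; it models a scope as the New Scope Wizard defines it, computes what each server would actually lease, and checks that a primary/secondary pair for one subnet neither overlaps nor leases the router address. The head-office mirror scopes are constructed assumptions (the plan only says such duplicate scopes would exist).

```python
import ipaddress


class Scope:
    """A DHCP scope as the New Scope Wizard defines it: a distribution range,
    exclusion ranges inside it, and the router option handed to clients."""

    def __init__(self, name, subnet, start, end, router, exclusions=()):
        self.name = name
        self.subnet = ipaddress.ip_network(subnet)
        self.start = ipaddress.ip_address(start)
        self.end = ipaddress.ip_address(end)
        self.router = ipaddress.ip_address(router)
        self.exclusions = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                           for lo, hi in exclusions]

    def leasable(self):
        """Addresses this server will actually hand out: the range minus exclusions."""
        pool = set()
        for n in range(int(self.start), int(self.end) + 1):
            addr = ipaddress.ip_address(n)
            if not any(lo <= addr <= hi for lo, hi in self.exclusions):
                pool.add(addr)
        return pool

    def problems(self):
        """Configuration mistakes that the wizard itself will not refuse."""
        issues = []
        pool = self.leasable()
        if self.start not in self.subnet or self.end not in self.subnet:
            issues.append("range lies outside the subnet")
        if self.router not in self.subnet:
            issues.append("router address lies outside the subnet")
        if self.router in pool:
            issues.append("router address can be leased to a client")
        if not pool:
            issues.append("every address is excluded; the scope leases nothing")
        return issues


def check_split(primary, secondary, primary_share=0.8, tolerance=0.05):
    """Two servers' scopes for one subnet must lease disjoint pools that add up
    to roughly the 80/20 split; any overlap means two servers can offer the
    same address to different clients."""
    p, s = primary.leasable(), secondary.leasable()
    overlap = p & s
    total = len(p) + len(s)
    share = len(p) / total if total else 0.0
    problems = primary.problems() + secondary.problems()
    return {
        "overlap": sorted(str(a) for a in overlap),
        "primary_share": round(share, 3),
        "problems": problems,
        "ok": not overlap and not problems and abs(share - primary_share) <= tolerance,
    }


# Scopes exactly as Tasks 3 and 4 configure them on SEA-SVR1.
SVR1_SUBNET1_PRIMARY = Scope("Branch 1 subnet 1 scope 1", "10.10.32.0/25",
                             "10.10.32.1", "10.10.32.125", "10.10.32.126",
                             exclusions=[("10.10.32.100", "10.10.32.125")])
SVR1_SUBNET2_SECONDARY = Scope("Branch 1 subnet 2 scope 2", "10.10.32.128/25",
                               "10.10.32.129", "10.10.32.253", "10.10.32.254",
                               exclusions=[("10.10.32.129", "10.10.32.229")])

# Constructed mirror scopes for the head-office server (an assumption, not in
# the lab): same ranges, with the complementary addresses excluded.
HQ_SUBNET1_SECONDARY = Scope("HQ mirror of subnet 1", "10.10.32.0/25",
                             "10.10.32.1", "10.10.32.125", "10.10.32.126",
                             exclusions=[("10.10.32.1", "10.10.32.99")])
HQ_SUBNET2_PRIMARY = Scope("HQ mirror of subnet 2", "10.10.32.128/25",
                           "10.10.32.129", "10.10.32.253", "10.10.32.254",
                           exclusions=[("10.10.32.230", "10.10.32.253")])

# A constructed mistake: the mirror scope was created without any exclusion.
HQ_SUBNET1_NO_EXCLUSION = Scope("HQ mirror, exclusion forgotten", "10.10.32.0/25",
                                "10.10.32.1", "10.10.32.125", "10.10.32.126")


if __name__ == "__main__":
    pairs = [("subnet 1", SVR1_SUBNET1_PRIMARY, HQ_SUBNET1_SECONDARY),
             ("subnet 2", HQ_SUBNET2_PRIMARY, SVR1_SUBNET2_SECONDARY),
             ("subnet 1, bad mirror", SVR1_SUBNET1_PRIMARY, HQ_SUBNET1_NO_EXCLUSION)]
    for label, primary, secondary in pairs:
        print(label, check_split(primary, secondary))
```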

Task 5: Create a subdomain in DNS

1. Switch to the SEA-DC1 computer.

2. Click Start, click Administrative Tools, and then click DNS.

3. In DNS Manager, expand Forward Lookup Zones, and then expand Adatum.com.

4. Right-click Adatum.com, and then click New Domain.

5. In the New DNS Domain dialog box, in the text box, type sales, and then click OK.

Task 6: Configure zone transfers for the Adatum.com zone

1. Right-click Adatum.com, and then click Properties.

2. Click the Zone Transfers tab.

3. Select the Allow zone transfers check box, and then click OK.

Task 7: Deploy the DNS role on SEA-SVR1

1. Switch to the SEA-SVR1 computer.

2. Switch to Server Manager.

3. In Server Manager, click Add Roles, and then click Next.

4. On the Select Server Roles page, in the Roles list, select the DNS Server check box, and then click Next.

5. On the DNS Server page, click Next.

6. On the Confirm Installation Selections page, click Install.

7. On the Installation Results page, click Close.

Task 8: Configure a secondary zone on SEA-SVR1

1. Click Start, click Administrative Tools, and then click DNS.

2. In DNS Manager, expand SEA-SVR1, and then expand Forward Lookup Zones.

3. Right-click Forward Lookup Zones, and then click New Zone.

4. Click Next, and on the Zone Type page, click Secondary zone, and then click Next.

5. On the Zone Name page, in the Zone name box, type Adatum.com, and then click Next.

6. On the Master DNS Servers page, in the IP Address list, type 10.10.0.10, and then press ENTER.

7. Click Next, and then click Finish.

8. In DNS Manager, expand the Adatum.com zone.

Task 9: Enable the WINS feature, and configure DNS/WINS integration

1. Switch to Server Manager.

2. In the console, click Features.

3. In the results pane, click Add Features.

4. In the Features list, select the WINS Server check box, and then click Next.

5. On the Confirm Installation Selections page, click Install.

6. On the Installation Results page, click Close.

7. Switch to the SEA-DC1 computer.

8. In DNS Manager, right-click Adatum.com, and then click Properties.

9. Click the WINS tab, and then select the Use WINS forward lookup check box.

10. In the IP address box, type 10.10.0.100, click Add, and then click OK.

11. Switch to the SEA-SVR1 computer.

12. In DNS Manager, right-click Adatum.com, and then click Transfer from Master.

Note: You might need to wait a few moments before you see the WINS record. Click Refresh if needed.

Task 10: Configure DHCP options to support the deployed services

1. Switch to the DHCP console.

2. Right-click Server Options, and then click Configure Options.

3. In the Available Options list, select the 006 DNS Servers check box.

4. In the IP address box, type 10.10.0.100, and then click Add.

5. In the Available Options list, select the 015 DNS Domain Name check box.

6. In the String value box, type sales.adatum.com, and then click Apply.

7. In the Available Options list, select the 044 WINS/NBNS Servers check box.

8. In the IP address box, type 10.10.0.100, click Add, and then click OK.

Results: After this exercise, you should have successfully deployed branch office network services.

To prepare for the next module

• For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.

• In the Close box, select Turn off machine and discard changes. Click OK.

Lab: Planning for Active Directory L3-25

Module 3: Planning for Active Directory®

Lab: Planning for Active Directory

Exercise 1: Selecting a Forest Topology

Task 1: Read the supporting documentation

• Read the supporting documentation.

Task 2: Update the Contoso Domain Migration document with your planned forest topology

• Answer the questions in the Contoso Domain Migration document.

Contoso Domain Migration

Document Reference Number: GW0809/1

Document Author: Gregory Weber

Date: 5th August

Requirement Overview

To devise an appropriate forest and domain topology for the merged companies.

Additional Information

The new company will continue to operate with dual names; that is, the Adatum and Contoso brands are equally important.

It is anticipated that the existing Windows NT® 4.0 domain controllers and servers will be replaced as part of the migration process.

Proposals

1. Do you intend to upgrade the domain controllers in the Contoso network to Windows Server 2008?

Answer: Answers will vary. It seems sensible to base the plan on the assumption that the domain controllers will be upgraded. This means that an AD DS solution can be implemented. If you do not intend to upgrade the domain controllers, it will be necessary to establish multiple external trust relationships between the AD DS domains in Adatum and the Windows NT 4.0 domain in Contoso.

2. How many forests do you anticipate?

Answer: Answers will vary; either one or two forests. You could implement a single forest that supports two trees: Adatum.com and Contoso.com. Alternatively, you could implement two forests, one for each organization. The choice largely depends on how administration is to be effected in the merged organization; if the two parts of the organization are to be separately administered, then opt for two forests; otherwise, select one forest.

3. How many domains do you plan to implement?

Answer: Answers will vary. Currently, Adatum has a single domain. There is no compelling reason why the existing Windows NT 4.0 resource domains in Contoso could not be merged into a single AD DS domain, using organizational units to manage resources.

4. How many trees do you envisage?

Answer: Answers will vary. Either a single tree per forest if you select two forests, or else two trees in a single Adatum.com forest: Adatum.com and Contoso.com.

5. What trust relationships, aside from those created automatically, will you require?

Answer: Answers will vary. Assuming that you opt for a single forest, no additional trusts are required. If you opted for two forests, then a pair of forest root trusts would be required. If you opted to remain in Windows NT 4.0 mode, then many trusts would be required; without additional information, it is difficult to assess precisely how many. Remember that in Windows NT, trusts are one-way and non-transitive.

6. Provide a sketch of the completed forest.

Answer: A possible solution consisting of a single forest of two trees:

Results: After this exercise, you should have a completed Contoso Domain Migration document.

Exercise 2: Planning Active Directory for a Branch Network

Task 1: Read the supporting documentation

• Read the supporting documentation.

Task 2: Update the Branch Office Planning document with your proposals

• Answer the questions in the Branch Office Planning document.

Branch Office Planning

Document Reference Number: GW0809/2

Document Author: Gregory Weber

Date: 1st September

Requirement Overview

To determine the placement and configuration of domain controllers and related services at the western region sales offices.

Additional Information

It is important that in the event of a link failure between the head office and branch offices, users are still able to log on to the network and access services.

Proposals

1. Do you intend to deploy a domain controller(s) in the branch offices? How many?

Answer: Yes, one domain controller per branch.

2. Will you deploy an RODC(s)?

Answer: The need for security is important; an RODC provides for a more secure way of deploying a domain controller.

3. How will you optimize the directory replication for the branches?

Answer: Each branch will be represented in Active Directory by a site object.

4. How will domain controllers know in which branch they are located?

Answer: Subnet objects should also be created and associated with a site. The domain controllers, and other computers, use their IP configuration to determine their site location in Active Directory.

5. Do you anticipate the need for global catalog services?

Answer: Yes. Many services require access to global catalog.

6. How will you configure global catalog and DNS?

Answer: An RODC can support the global catalog and DNS role.

7. What additional Active Directory–related services are required to support the branch office line-of-business applications?

Answer: A line-of-business application requires access to a directory service. AD LDS might be suitable.

Results: After this exercise, you should have a completed Branch Office Planning document.

Exercise 3: Deploying a Branch Domain Controller

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.

2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.

3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.

4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.

5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.

6. Minimize the Lab Launcher window.

Task 2: Raise the domain functional level

1. Switch to the SEA-DC1 computer.

2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3. In the console, right-click Adatum.com, and then click Raise domain functional level.

4. In the Raise domain functional level dialog box, in the Select an available domain functional level list, click Windows Server 2008, and then click Raise.

5. In the Raise domain functional level dialog box, click OK.

6. In the subsequent Raise domain functional level dialog box, click OK.

7. Close Active Directory Users and Computers.

Task 3: Raise the forest functional level

1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

2. In the console, right-click Active Directory Domains and Trusts [SEA-DC1.Adatum.com], and then click Raise Forest Functional Level.

3. In the Raise forest functional level dialog box, in the Select an available forest functional level list, click Windows Server 2008, and then click Raise.

4. In the Raise forest functional level dialog box, click OK.

5. In the subsequent Raise forest functional level dialog box, click OK.

6. Close Active Directory Domains and Trusts.

Task 4: Create the Redmond site

1. On the SEA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

2. In the console, expand Sites, right-click Sites, and then click New Site.

3. In the New Object – Site dialog box, in the Name box, type Redmond.

4. In the Link Name list, click DEFAULTIPSITELINK, and then click OK.

5. In the Active Directory Domain Services dialog box, click OK.

Task 5: Configure the replication interval

1. In the console, expand Inter-Site Transports, expand IP, and then click IP.

2. In the results pane, in the list, right-click DEFAULTIPSITELINK, and then click Properties.

3. In the DEFAULTIPSITELINK Properties dialog box, in the Replicate every list, type 15 and then click OK.

Task 6: Create the 10.10.0.0/16 subnet

1. In the console, right-click Subnets, and then click New Subnet.

2. In the New Object – Subnet dialog box, in the Prefix box, type 10.10.0.0/16.

3. In the Site Name list, click Redmond, and then click OK.

4. Close Active Directory Sites and Services.

Task 7: Prepare the forest for the RODC

1. On SEA-DC1, click Start, and then click Command Prompt.

2. At the command prompt, type D:, and then press ENTER.

3. At the command prompt, type cd\labfiles\Mod03\adprep, and then press ENTER.

4. At the command prompt, type adprep /rodcprep, and then press ENTER.

5. Close the command prompt.

Task 8: Promote a new domain controller for the branch office

1. Switch to the SEA-SVR1 computer.

2. Click Start, and in the Start Search box, type dcpromo, and then press ENTER.

3. In the Active Directory Domain Services Installation Wizard, select the Use advanced mode installation check box, and then click Next.

4. On the Operating System Compatibility page, click Next.

5. On the Choose a Deployment Configuration page, click Existing forest, and then click Next.

6. On the Network Credentials page, click Next.

7. On the Select a Domain page, click Next.

8. On the Select a Site page, click Next.

9. On the Additional Domain Controller Options page, select the Read-only domain controller (RODC) check box, and then click Next.

Note: Leave the other check boxes selected.

10. In the Static IP assignment dialog box, click Yes, the computer will use a dynamically assigned IP address (not recommended).

11. On the Specify the Password Replication Policy page, click Next.

12. On the Delegation of RODC Installation and Administration page, click Next.

13. On the Install from Media page, click Next.

14. On the Source Domain Controller page, click Next.

15. On the Location for Database, Log Files, and SYSVOL page, click Next.

16. On the Directory Services Restore Mode Administrator Password page, in the Password box, type Pa$$w0rd.

17. In the Confirm password box, type Pa$$w0rd, and then click Next.

18. On the Summary page, click Next.

19. In the Active Directory Domain Services Installation Wizard, select the Reboot on completion check box.

Task 9: Configure the password replication policy

1. When SEA-SVR1 has restarted, log on to the SEA-SVR1 virtual machine as ADATUM\Administrator with a password of Pa$$w0rd.

2. Switch to the SEA-DC1 virtual machine.

3. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

4. In the console, expand Domain Controllers.

5. In the results pane, right-click SEA-SVR1, and then click Properties.

6. In the SEA-SVR1 Properties dialog box, click the Password Replication Policy tab.

7. Click Add, and in the Add Groups, Users and Computers dialog box, click Allow passwords for the account to replicate to this RODC, and then click OK.

8. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type SalesGG, click Check Names, and then click OK.

9. In the SEA-SVR1 Properties dialog box, click Apply, and then click Advanced.

10. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click the Resultant Policy tab.

11. Click Add, and in the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Joe, click Check Names, and then click OK.

Task 10: Pre-populate the password cache

1. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click the Policy Usage tab, and then click Prepopulate Passwords.

2. In the Select Users or Computers dialog box, in the Enter the object names to select box, type joe; Jim; Parul; Heiko; Claus, click Check Names, and then click OK.

3. In the Prepopulate Passwords dialog box, click Yes.

4. In the Prepopulate Password Success dialog box, click OK.

5. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click Close.

6. In the SEA-SVR1 Properties dialog box, click OK.

7. Close Active Directory Users and Computers.

Results: After this exercise, you should have successfully deployed an RODC for the Redmond sales office.
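The same branch-office build done from PowerShell, as an added example that is not part of the course lab: it assumes the ActiveDirectory module from RSAT on Windows Server 2012 or later (these cmdlets postdate the Windows Server 2008 media used in the lab), the lab's names SEA-SVR1, SEA-DC1, SalesGG and Redmond, and that Tasks 7 and 8 (adprep /rodcprep and the dcpromo of SEA-SVR1) have already been completed.

```powershell
# Added example (not part of the course lab): Tasks 2 to 10 with the
# ActiveDirectory module, followed by an audit of the Password Replication
# Policy (PRP). Assumes RSAT on Windows Server 2012 or later and that
# adprep /rodcprep and the dcpromo of SEA-SVR1 as an RODC have already run.
Import-Module ActiveDirectory

$Domain = 'adatum.com'
$Rodc   = 'SEA-SVR1'    # branch-office read-only domain controller
$Hub    = 'SEA-DC1'     # writable DC used as the prepopulation source
$Users  = 'Joe', 'Jim', 'Parul', 'Heiko', 'Claus'   # assumed sAMAccountNames

# Tasks 2 and 3: raise the functional levels. Both are one-way operations.
$want = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int](Get-ADDomain $Domain).DomainMode -lt [int]$want) {
    Set-ADDomainMode -Identity $Domain -DomainMode $want -Confirm:$false
}
$want = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
if ([int](Get-ADForest $Domain).ForestMode -lt [int]$want) {
    Set-ADForestMode -Identity $Domain -ForestMode $want -Confirm:$false
}

# Tasks 4 to 6: Redmond site, 15-minute replication interval, 10.10.0.0/16 subnet.
if (-not (Get-ADReplicationSite -Filter "Name -eq 'Redmond'")) {
    New-ADReplicationSite -Name 'Redmond'
}
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -ReplicationFrequencyInMinutes 15
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '10.10.0.0/16'")) {
    New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'Redmond'
}

# Task 9: only the branch sales group's secrets may be cached on the RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'SalesGG'

# Task 10: prepopulate the cache so the branch keeps logging on during a WAN
# outage. repadmin wants distinguished names, and each user must already be
# allowed by the resultant PRP (here through SalesGG membership, an assumption).
foreach ($u in $Users) {
    $dn = (Get-ADUser -Identity $u).DistinguishedName
    repadmin /rodcpwdrepl $Rodc $Hub $dn | Out-Null
}

function Test-RodcPasswordReplicationPolicy {
    # Audit: an RODC in a branch office is easier to steal than a hub DC, so
    # privileged groups must remain effectively denied (directly or through a
    # nested group such as Denied RODC Password Replication Group), and the
    # prepopulated users must actually show up as cached ("revealed").
    param([string]$Rodc, [string[]]$ExpectCached)

    $mustDeny = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                'Account Operators', 'Server Operators', 'Backup Operators'
    $denied = foreach ($p in Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied) {
        $p.Name
        if ($p.ObjectClass -eq 'group') {
            # LDAP_MATCHING_RULE_IN_CHAIN: every group nested under this one
            (Get-ADGroup -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($p.DistinguishedName))").Name
        }
    }
    $revealed = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts).SamAccountName

    [pscustomobject]@{
        Rodc                = $Rodc
        PrivilegedNotDenied = @($mustDeny | Where-Object { $_ -notin $denied })
        NotCached           = @($ExpectCached | Where-Object { $_ -notin $revealed })
        CachedAccounts      = @($revealed).Count
    }
}

Test-RodcPasswordReplicationPolicy -Rodc $Rodc -ExpectCached $Users | Format-List
```

A non-empty PrivilegedNotDenied or NotCached list in the report is the condition to investigate before the RODC ships to the branch.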

To prepare for the next module

1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.

2. In the Close box, select Turn off machine and discard changes. Click OK.

Lab: Planning for Group Policy L4-35

Module 4: Planning Group Policy

Lab: Planning for Group Policy

Exercise 1: Creating a Group Policy Plan

Task 1: Read the supporting documentation

1. Read the supporting documentation.

2. On SEA-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers.

3. Review the Active Directory structure as necessary.

4. Close Active Directory Users and Computers.

5. Click Start, point to Administrative Tools, and click Group Policy Management.

6. Review the existing Group Policy configuration as necessary.

7. Close Group Policy Management.

Task 2: Create an OU structure

• Draw a diagram of an OU structure that will allow you to meet the requirements given to you by Allison.

Task 3: Create a list of required GPOs

• Create a list of GPOs required to implement the requirements given to you by Allison.

GPO Name | Settings | Linked to | Filters
--- | --- | --- | ---
Enforced Security | Block read and write access to removable drives | Domain (Enforced) | Security filter: Lab computers group denied apply permission
Head office preferences | Drive letter mappings for head office | Head Office | None
Branch 1 preferences | Drive letter mappings for branch 1 | Branch 1 | None
Branch 2 preferences | Drive letter mappings for branch 2 | Branch 2 | None
Branch 3 preferences | Drive letter mappings for branch 3 | Branch 3 | None
Branch Sales Applications | Applications for branch sales staff | Branch 1, Branch 2, Branch 3 | Security filter: Branch Sales Group
Branch Office Applications | Applications for branch office staff | Branch 1, Branch 2, Branch 3 | Security filter: Branch Office Group
Terminal server | Lockdown desktop; Loopback: Replace mode | Terminal Servers | None

Results: After this exercise, you should have a completed Group Policy plan for A. Datum.

Exercise 2: Implementing Group Policy

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.

2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.

3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Create the OU structure

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In Active Directory Users and Computers, if necessary, expand Adatum.com, and then click Adatum.com.

3. Right-click Adatum.com, point to New, and then click Organizational Unit.

4. In the New Object - Organizational Unit window, in the Name box, type Head Office, and then click OK.

5. Right-click Adatum.com, point to New, and then click Organizational Unit.

6. In the New Object - Organizational Unit window, in the Name box, type Branches, and then click OK.

7. Right-click Branches, point to New, and then click Organizational Unit.

8. In the New Object - Organizational Unit window, in the Name box, type Branch1, and then click OK.

9. Right-click Branches, point to New, and then click Organizational Unit.

10. In the New Object - Organizational Unit window, in the Name box, type Branch2, and then click OK.

11. Right-click Branches, point to New, and then click Organizational Unit.

12. In the New Object - Organizational Unit window, in the Name box, type Branch3, and then click OK.

13. Right-click Adatum.com, point to New, and then click Organizational Unit.

14. In the New Object - Organizational Unit window, in the Name box, type Terminal Servers, and then click OK.

15. Close Active Directory Users and Computers.

Task 3: Create the GPO for enforced security

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In Active Directory Users and Computers, right-click Head Office, point to New, and then click Group.

3. In the New Object – Group window, in the Group name box, type Lab Computers, and then click OK.

4. Right-click Head Office, point to New, and then click Computer.

5. In the New Object – Computer window, in the Computer name box, type Lab1, and then click OK.

6. Click Head Office, right-click Lab1, and then click Add to a group.

7. In the Select Groups window, in the Enter the object names to select box, type Lab Computers, and then click OK.

8. Click OK to close the message stating that the operation was successful.

9. Close Active Directory Users and Computers.

10. Click Start, point to Administrative Tools, and then click Group Policy Management.

11. In Group Policy Management, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.

12. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.

13. In the New GPO window, in the Name box, type Enforced Security, and then click OK.

14. Right-click Enforced Security, and then click Edit.

15. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Removable Storage Access.

16. In the right pane, double-click Removable Disks: Deny read access.

17. In the Removable Disks: Deny Read Access Properties window, click Enabled, and then click OK.

18. In the right pane, double-click Removable Disks: Deny write access.

19. In the Removable Disks: Deny write access Properties window, click Enabled, and then click OK.

20. Close the Group Policy Management Editor.

21. In the Group Policy Management window, right-click Enforced Security, and then click Enforced.

22. In the left pane, click Enforced Security.

23. In the Group Policy Management Console window, select the Do not show this message again check box, and then click OK.

24. Click the Delegation tab, and then click Advanced.

25. In the Enforced Security Settings window, click Add, type Lab Computers, and then click OK.

26. In the Permissions for Lab Computers area, select the Deny Read check box, and then click OK.

27. In the Windows Security window, click Yes to continue.

Task 4: Create the GPO for Branch1 preferences

1. In the Group Policy Management window, in the left pane, click Group Policy Objects.

2. Right-click Group Policy Objects, and then click New.

3. In the New GPO window, in the Name box, type Branch1 Preferences, and then click OK.

4. Right-click Branch1 Preferences, and then click Edit.

5. In the Group Policy Management Editor window, under User Configuration, expand Preferences, expand Windows Settings, and then click Drive Maps.

6. Right-click Drive Maps, point to New, and then click Mapped Drive.

7. In the Location box, type \\Branch1Srv\Shared.

8. In the Drive letter area, select drive letter S, and then click OK.

9. Close the Group Policy Management Editor window.

10. In the Group Policy Management window, in the left pane, expand Branches, and then click Branch1.

11. Right-click Branch1, and then click Link an Existing GPO.

12. In the Select GPO window, click Branch1 Preferences, and then click OK.

Task 5: Create the GPOs for applications

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In Active Directory Users and Computers, right-click Branches, point to New, and then click Group.

3. In the New Object – Group window, in the Group name box, type Sales Staff, and then click OK.

4. Right-click Branches, point to New, and then click Group.

5. In the New Object – Group window, in the Group name box, type Office Staff, and then click OK.

6. Close Active Directory Users and Computers.

7. In the Group Policy Management window, in the left pane, click Group Policy Objects.

8. Right-click Group Policy Objects, and then click New.

9. In the New GPO window, in the Name box, type Sales Applications, and then click OK.

10. Right-click Group Policy Objects, and then click New.

11. In the New GPO window, in the Name box, type Office Applications, and then click OK.

12. In the left pane, expand Group Policy Objects, and then click Sales Applications.

13. In the Security Filtering area, click Authenticated Users, and then click Remove.

14. Click OK to confirm.

15. Click Add, type Sales Staff, and then click OK.

16. In the left pane, click Office Applications.

17. In the Security Filtering area, click Authenticated Users, and then click Remove.

18. Click OK to confirm.

19. Click Add, type Office Staff, and then click OK.

20. Right-click Branch1, and then click Link an Existing GPO.

21. In the Select GPO window, click Sales Applications, and then click OK.

22. Right-click Branch1, and then click Link an Existing GPO.

23. In the Select GPO window, click Office Applications, and then click OK.

Task 6: Create the GPO for Terminal Servers

1. In the Group Policy Management window, right-click Terminal Servers, and then click Create a GPO in this domain, and Link it here.

2. In the New GPO window, in the Name box, type TS Lockdown, and then click OK.

3. Right-click TS Lockdown, and then click Edit.

4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Group Policy.

5. Double-click User Group Policy loopback processing mode.

6. In the User Group Policy Loopback Processing Mode Properties window, click Enabled. In the Mode box, select Replace, and then click OK.

7. Under User Configuration, expand Policies, expand Administrative Templates, and then click Start Menu and Taskbar.

8. Double-click Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands.

9. On the Setting tab, click Enabled, and then click OK.

10. Double-click Remove Run menu from Start Menu.

11. On the Setting tab, click Enabled, and then click OK.

12. Double-click Add Logoff to the Start Menu.

13. On the Setting tab, click Enabled, and then click OK.

14. Close Group Policy Management Editor.

Task 7: Verify application of policies for Branch1 sales staff

1. In the Group Policy Management window, in the left pane, click Group Policy Modeling.

2. Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.

3. In the Group Policy Modeling Wizard window, click Next.

4. On the Domain Controller Selection page, click Next to accept the default setting of Any available domain controller running Windows Server 2003 or later.

5. On the User and Computer Selection page, in the User information area, click Browse.

6. In the Choose User Container window, expand Adatum, expand Branches, click Branch1, and then click OK.

7. On the User and Computer Selection page, in the Computer information area, click Browse.

8. In the Choose Computer Container window, expand Adatum, expand Branches, click Branch1, and then click OK.

9. On the User and Computer Selection page, click Next.

10. On the Advanced Simulation Options page, click Next to select no options.

11. On the User Security Groups page, click Add, type Sales Staff, and then click OK.

12. Select the Skip to the final page of this wizard without collecting additional data check box, and then click Next.

13. On the Summary of Selections page, click Next.

14. To view the model, click Finish.

15. In the Branch1 on Branch1 area, under Computer Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs.

• Default Domain Policy has computer settings and is applied to computers in Branch1.

• Enforced Security has computer settings and is applied to computers in Branch1.

• Office Applications is denied due to security filtering. The computer is not a member of the necessary group.

• Sales Applications is denied due to security filtering. The computer is not a member of the necessary group.

• Branch1 Preferences is denied because there are no relevant settings for computers. If computer settings are added to Branch1 Preferences, then they would be applied.

16. Under User Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs.

• Branch1 Preferences has user settings and is applied to users in Branch1.

• Enforced Security is denied because there are no relevant settings for users. If user settings are added to Enforced Security, then they would be applied.

• Default Domain Policy is denied because there are no relevant settings for users. If user settings are added to Default Domain Policy, then they would be applied.

• Office Applications is denied due to security filtering. The user is not a member of the necessary group.

• Sales Applications is denied because there are no relevant settings for users. After the sales applications are added to the policy, then they will be distributed to members of the Sales Staff group.

Task 8: Verify application of policies for Branch1 sales staff on the Terminal Server

1. In the Group Policy Management window, in the left pane, click Group Policy Modeling.

2. Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.

3. In the Group Policy Modeling Wizard window, click Next.

4. On the Domain Controller Selection page, click Next to accept the default setting of Any available domain controller running Windows Server 2003 or later.

5. On the User and Computer Selection page, in the User information area, click Browse.

6. In the Choose User Container window, expand Adatum, expand Branches, click Branch1, and then click OK.

7. On the User and Computer Selection page, in the Computer information area, click Browse.

8. In the Choose Computer Container window, expand Adatum, click Terminal Servers, and then click OK.

9. On the User and Computer Selection page, click Next.

10. On the Advanced Simulation Options page, select the Loopback processing check box, verify that Replace is selected, and then click Next.

11. On the User Security Groups page, click Add, type Sales Staff, and then click OK.

12. Select the Skip to the final page of this wizard without collecting additional data check box, and then click Next.

13. On the Summary of Selections page, click Next.

14. To view the model, click Finish.

15. In the Branch1 on Terminal Servers area, under Computer Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs.

• Default Domain Policy has computer settings and is applied to computers in Terminal Servers.

• TS Lockdown has computer settings and is applied to computers in Terminal Servers.

• Enforced Security has computer settings and is applied to computers in Terminal Servers.

16. Under User Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs.

• TS Lockdown has user settings and is applied to Branch1 users logging on to the Terminal Server.

• Default Domain Policy is denied because there are no relevant settings for users. If user settings are added to Default Domain Policy, then they would be applied.

• Enforced Security is denied because there are no relevant settings for users. If user settings are added to Enforced Security, then they would be applied.

• Notice that none of the user policies that would normally apply to Branch1 users are applied, because loopback processing in Replace mode is in use. For example, Branch1 Preferences is not applied.

17. Close Group Policy Management.

Results: After this exercise, you should have successfully implemented group policy.
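The same Group Policy implementation done from PowerShell, as an added example that is not part of the course lab: it assumes the GroupPolicy and ActiveDirectory modules from RSAT on Windows Server 2008 R2 or later, a domain admin session in adatum.com, the lab's OU, group and GPO names, and that the groups Lab Computers, Sales Staff and Office Staff already exist; Task 4's drive-map preference has no cmdlet and stays a GUI step.

```powershell
# Added example (not part of the course lab): Tasks 2, 3, 5 and 6 with the
# GroupPolicy and ActiveDirectory modules, followed by a security-filtering
# audit. Assumes RSAT on Windows Server 2008 R2 or later and that the groups
# Lab Computers, Sales Staff and Office Staff already exist.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain 'adatum.com').DistinguishedName    # e.g. DC=Adatum,DC=com

# Task 2: the OU structure, parents before children.
$ouPlan = @(
    @{ Name = 'Head Office';      Path = $DomainDN },
    @{ Name = 'Branches';         Path = $DomainDN },
    @{ Name = 'Terminal Servers'; Path = $DomainDN },
    @{ Name = 'Branch1'; Path = "OU=Branches,$DomainDN" },
    @{ Name = 'Branch2'; Path = "OU=Branches,$DomainDN" },
    @{ Name = 'Branch3'; Path = "OU=Branches,$DomainDN" }
)
foreach ($ou in $ouPlan) {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$($ou.Name)'" -SearchBase $ou.Path -SearchScope OneLevel
    if (-not $exists) { New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path }
}

function New-GpoIfMissing([string]$Name) {
    $g = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $g) { $g = New-GPO -Name $Name }
    return $g
}

# Task 3: Enforced Security. The two Removable Storage Access settings are
# registry policies keyed by the Removable Disks device class GUID.
$es = New-GpoIfMissing 'Enforced Security'
$rsKey = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
foreach ($v in 'Deny_Read', 'Deny_Write') {
    Set-GPRegistryValue -Guid $es.Id -Key $rsKey -ValueName $v -Type DWord -Value 1 | Out-Null
}
New-GPLink -Guid $es.Id -Target $DomainDN -Enforced Yes -ErrorAction SilentlyContinue | Out-Null
# Exempt lab computers with a Deny ACE on the Apply Group Policy extended right,
# the plan's "denied apply permission". Set-GPPermission cannot write Deny ACEs,
# so the ACL of the GPO's AD container is edited directly.
$labSid  = (Get-ADGroup 'Lab Computers').SID
$applyGp = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $labSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny, $applyGp)
$acl = Get-Acl -Path "AD:\$($es.Path)"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$($es.Path)" -AclObject $acl

# Task 5: application GPOs filtered to a staff group. Read is kept for
# Authenticated Users rather than removed (lab step 13): since MS16-072 user
# policy is fetched in the computer's security context, and a GPO the computer
# cannot read silently stops applying.
$apps = @(
    @{ Gpo = 'Sales Applications';  Group = 'Sales Staff' },
    @{ Gpo = 'Office Applications'; Group = 'Office Staff' }
)
foreach ($a in $apps) {
    $g = New-GpoIfMissing $a.Gpo
    Set-GPPermission -Guid $g.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Guid $g.Id -TargetName $a.Group -TargetType Group -PermissionLevel GpoApply | Out-Null
    New-GPLink -Guid $g.Id -Target "OU=Branch1,OU=Branches,$DomainDN" -ErrorAction SilentlyContinue | Out-Null
}

# Task 6: TS Lockdown. UserPolicyMode 2 = loopback Replace (1 would be Merge);
# the three user-side values are the Explorer policies behind steps 8 to 13.
$ts = New-GpoIfMissing 'TS Lockdown'
Set-GPRegistryValue -Guid $ts.Id -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($v in 'NoClose', 'NoRun', 'ForceStartMenuLogOff') {
    Set-GPRegistryValue -Guid $ts.Id -Key $explorer -ValueName $v -Type DWord -Value 1 | Out-Null
}
New-GPLink -Guid $ts.Id -Target "OU=Terminal Servers,$DomainDN" -ErrorAction SilentlyContinue | Out-Null

function Get-GpoFilteringReport {
    # One row per GPO: who may apply it, and whether a domain computer can read it.
    foreach ($g in Get-GPO -All) {
        $perms   = Get-GPPermission -Guid $g.Id -All
        $readers = ($perms | Where-Object { [string]$_.Permission -ne 'None' }).Trustee.Name
        [pscustomobject]@{
            Gpo             = $g.DisplayName
            AppliesTo       = (($perms | Where-Object { [string]$_.Permission -eq 'GpoApply' }).Trustee.Name) -join ', '
            ComputerCanRead = [bool]($readers | Where-Object { $_ -in 'Authenticated Users', 'Domain Computers' })
        }
    }
}
Get-GpoFilteringReport | Where-Object { -not $_.ComputerCanRead }   # GPOs that MS16-072 would break
```

The final line lists GPOs whose security filtering has removed Read from both Authenticated Users and Domain Computers, which is what Task 7's modeling run would otherwise reveal only after the fact.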

To prepare for the next module

1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.

2. In the Close box, select Turn off machine and discard changes. Click OK.

Lab: Planning Application Servers L5-47

Module 5: Planning Application Servers

Lab: Planning Application Servers

Exercise 1: Creating a Plan for Application Servers

Task 1: Read the supporting documentation

• Read the supporting documentation.

• Determine if you need any more information and ask your instructor to clarify if required.

Task 2: Create a plan for implementing Windows SharePoint Services

• What server roles and features do you think will be required for implementing WSS?

Answer: WSS requires the Web Server (IIS) role, the .NET Framework 3.0, and ASP.NET enabled.

• Do you have any concerns about hardware specifications for the WSS server?

Answer: Application servers with dynamic content such as WSS may have high processor and memory utilization. SQL Server 2008 may also have high processor and memory utilization. These should be closely monitored as the workload continues to grow and this server is moved out of the pilot stage.

• How can increasing workloads be accommodated?

Answer: There are two main issues: hardware capacity and database size. As the load on the server grows, the SQL Server database can be moved to a separate server to increase performance. Also, SQL Server Express is limited to a 4 GB database. This may not be enough to handle the data stored in WSS as site usage begins to grow. An upgrade to SQL Server Standard Edition may be required.

• What sort of maintenance schedule will WSS require?

Answer: A maintenance window for WSS will need to be defined. The exact time of the maintenance window will have to be negotiated with the users of WSS. The maintenance window should be outside of normal business hours so that it does not interfere with use of the application.

• How will we ensure that this server and WSS are secure?

Answer: To secure any application server, you should ensure that only required components are installed. In addition, an SSL certificate should be implemented on the server to encrypt communication. The subject name for the certificate needs to match the server name used in the URL for accessing the SharePoint site.

• How can we simplify access to WSS for internal users?

Answer: Using Windows integrated authentication allows users to authenticate to WSS without entering their credentials. The credentials used on the workstation are passed to WSS automatically. This simplifies logon for the users.

• How should WSS be backed up?

Answer: WSS stores data in a SQL Server database. You can use backup software with a SQL Server agent to back up the database. Or you can use a maintenance plan to back up the database to disk and then back up the file by using your backup software. In addition, some backup software has a WSS agent available that simplifies the restore of specific data components rather than the whole database.

You can perform a full backup each day while the volume of data is relatively small. When the server holds a large amount of data, you may need to start using incremental backups to shorten the backup time.

Task 3: Create a plan for implementing Terminal Services

• What are the benefits of using Terminal Services for the financial application?

Answer: In this scenario, Terminal Services provides two benefits: ease of updates and faster remote access. It is easier to perform application updates on a single Terminal Server rather than many client computers. For remote users accessing data over a WAN link, the application will run much faster from the Terminal Server that is located close to the data.

• Are there any drawbacks to using Terminal Services?

Answer: The main drawback in this scenario is the risk that the Terminal Server will fail. This failure would affect the productivity of all users. You can mitigate this risk by implementing network load balancing.

• Are there any benefits to using Windows Server 2008 for Terminal Services rather than Windows Server 2003 in our scenario?

Answer: Windows Server 2008 has several new features that are useful in this scenario. Single sign-on allows users to access Terminal Services without providing credentials. This simplifies the use of Terminal Services for users. Also, Easy Print makes it much easier and more reliable to print by using Terminal Services. Finally, TS RemoteApp allows just a single application window to be opened rather than a remote desktop. This is less confusing for some users.

• What are our licensing requirements?

Answer: To use Terminal Services, each user or device must have a TS CAL. If users are not accessing the application from multiple locations, it may be beneficial to use device-based licensing. For our server, we can use device CALs or user CALs, but not both.

We also need to make sure that the financial application supports licensing for Terminal Servers. Because using Terminal Services was recommended by the vendor, it is likely. However, we should review how many licenses will be required and their cost.

• What will the overall system look like from a user perspective when it is implemented?

Answer: Because access is only for a single application, TS RemoteApp and single sign-on should be used. Users will click an icon on their desktop and they will be connected to the application. From the user perspective, it will be just like opening an application installed locally on their computer.

Results: After this exercise, you should have a completed plan for implementing WSS and Terminal Services.

Exercise 2: Implementing Windows SharePoint Services

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.

2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.

3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.

4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.

5. Minimize the Lab Launcher window.

Task 2: Install Windows SharePoint Services

1. On SEA-DC1, click Start, and click Run.

2. In the Open box, type D:\Labfiles\Mod05\SharePoint.exe, and then click OK.

3. On the Read The Microsoft Software License Terms page, select the I accept the terms of this agreement check box, and then click Continue.

4. On the Choose The Installation You Want page, click Basic.

5. Verify that Run the SharePoint Products and Technologies Configuration Wizard now is selected, and then click Close.

6. In the SharePoint Products And Technologies Configuration Wizard, click Next.

7. Click Yes to close the warning window. Installation may take up to 10 minutes.

8. On the Configuration Successful page, click Finish. Internet Explorer will open automatically and prompt you for a logon.

9. Log on as Adatum\Administrator with a password of Pa$$w0rd. Initial logon will be slow because all of the scripts start for the first time.

10. Verify that you have successfully logged on to WSS. Note that the path used to access the server is http://sea-dc1.

11. Close Internet Explorer.

Task 3: Review the Web site configuration

1. On SEA-DC1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. Expand SEA-DC1, and click Application Pools. Notice that two new application pools have been created for SharePoint.

3. Click Sites. Notice that there are two new Web sites. SharePoint – 80 is the main SharePoint site, bound to port 80. SharePoint Central Administration is the administration site and listens on a randomly assigned port number.

4. Double-click SharePoint – 80, and then double-click Authentication. Notice that Windows Authentication is enabled.

5. Close Internet Information Services (IIS) Manager.

Task 4: Configure Internet Explorer for Windows Authentication

1. On SEA-DC1, click Start, type Internet Options, and then press ENTER.

2. In the Internet Properties window, click the Security tab, click Local Intranet, and then click Sites.

3. In the Add this website to the zone box, type http://sea-dc1, and then click Add.

4. If prompted, click Yes to move the site to the Local intranet zone.

5. Click Close, and then click OK.

6. Click Start, point to All Programs, and then click Internet Explorer.

7. In the Address bar, type http://sea-dc1, and then press ENTER. Notice that you are no longer prompted for credentials.

8. Close Internet Explorer.

Task 5: Back up Windows SharePoint Services

1. On SEA-DC1, click Start, and then click Command Prompt.

2. Type md C:\SPBackup, and then press ENTER.

3. Close the command prompt.

4. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

5. Click the Operations tab.

6. Under Backup and Restore, click Perform a backup.

7. Select the Farm check box, and then click Continue to Backup Options.

8. Enter the following settings, and then click OK.

• Backup content: Farm

• Type of Backup: Full

• Backup File Location: C:\SPBackup

9. Click Refresh every minute or so until the backup job is complete.

10. Close Internet Explorer.
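Added example (PowerShell, not part of the course lab): the same full farm backup run from the command line with stsadm.exe, which is what Central Administration drives behind the Perform a backup page, followed by a check of the result and a tightened ACL on the backup folder. A farm backup contains the configuration database and every content database, so it deserves the same protection as the databases themselves. Assumptions: WSS 3.0 installed in its default location; C:\SPBackup as in the lab; the spbrtoc.xml element names used below (SPHistoryObject, SPIsBackup, SPBackupMethod, SPTopComponent, SPDirectoryName, SPErrorCount, SPWarningCount) are those written by WSS 3.0, so check them against your own file; the SQL Server service account that must write the .bak files is assumed to be Network Service, which is what the Windows Internal Database used by a Basic WSS installation runs as.

```powershell
# Added example, not from the 6430B lab. Runs a full farm backup with
# stsadm.exe, restricts the backup folder, and reports the last backup
# recorded in spbrtoc.xml. Run as a farm administrator on the WSS server.

$Stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe'

function Protect-BackupFolder {
    # Administrators and SYSTEM get full control; the SQL Server service
    # account needs Modify because SQL Server writes the .bak files itself.
    # If the backup is started from Central Administration instead of
    # stsadm, the SharePoint Timer service account needs Modify as well.
    param([string]$Directory, [string]$SqlServiceAccount = 'NT AUTHORITY\NETWORK SERVICE')
    if (-not (Test-Path $Directory)) { New-Item -ItemType Directory -Path $Directory | Out-Null }
    & icacls.exe $Directory /inheritance:r /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        "${SqlServiceAccount}:(OI)(CI)M" | Out-Null
}

function Invoke-FarmBackup {
    param([string]$Directory, [string]$Method = 'full')   # 'full' or 'differential'
    Protect-BackupFolder -Directory $Directory
    & $Stsadm -o backup -directory $Directory -backupmethod $Method
    if ($LASTEXITCODE -ne 0) { throw "stsadm backup failed with exit code $LASTEXITCODE" }
}

function Get-LastFarmBackup {
    # Reads the backup table of contents WSS keeps in the backup folder.
    param([string]$Directory)
    $toc = [xml](Get-Content -Path (Join-Path $Directory 'spbrtoc.xml'))
    $backups = @($toc.SPBackupRestoreHistory.SPHistoryObject | Where-Object { $_.SPIsBackup -eq 'True' })
    if ($backups.Count -eq 0) { return $null }
    # Backup folders are named spbr0000, spbr0001, ... so the highest name is the newest.
    $last = $backups | Sort-Object SPDirectoryName | Select-Object -Last 1
    New-Object PSObject -Property @{
        Component = $last.SPTopComponent
        Method    = $last.SPBackupMethod
        Folder    = Join-Path $Directory $last.SPDirectoryName
        Errors    = [int]$last.SPErrorCount
        Warnings  = [int]$last.SPWarningCount
    }
}

Invoke-FarmBackup -Directory 'C:\SPBackup'
$result = Get-LastFarmBackup -Directory 'C:\SPBackup'
if ($result -eq $null -or $result.Errors -gt 0) {
    throw "Farm backup did not complete cleanly: $($result | Out-String)"
}
$result
```

The exit code of stsadm tells you whether the command ran; the SPErrorCount in spbrtoc.xml tells you whether every component was actually backed up, and a backup with a non-zero error count should not be trusted for a restore.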

Results: After this exercise, you should have successfully implemented Windows SharePoint Services and verified the configuration.


Exercise 3: Implementing Terminal Services

Task 1: Install Terminal Services

1. On SEA-DC1, click Start, and click Server Manager.

2. In the left pane, click Roles, and then click Add Roles.

3. In the Add Roles Wizard, click Next.

4. On the Select Server Roles page, select the Terminal Services check box, and then click Next.

5. Read the Terminal Services page, and then click Next.

6. On the Select Role Services page, select the Terminal Server check box.

7. In the warning window, which appears because Terminal Server is being installed on a domain controller (not recommended, because Terminal Server users then run their sessions on the domain controller itself), click Install Terminal Server anyway (not recommended), and then click Next.

8. Read the Uninstall And Reinstall Application For Compatibility page, and then click Next.

9. Read the Specify Authentication Method For Terminal Server page, click Do not require Network Level Authentication, and then click Next.

10. On the Specify Licensing Mode page, click Configure later, and then click Next.

11. On the Select User Groups Allowed Access To This Terminal Server page, click Next.

12. On the Confirm Installation Selections page, click Install.

13. On the Installation Results page, click Close.

14. Click Yes to restart the server.

15. Log on as Adatum\Administrator with a password of Pa$$w0rd.

16. Wait for the configuration to complete, and then click Close.

17. Close Server Manager.
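Added example (PowerShell, not part of the course lab): step 9 above leaves Network Level Authentication off so that older clients without CredSSP (for example Windows XP before Service Pack 3) can still connect. With NLA the client authenticates before the server creates a session, desktop and logon screen for it, so a production Terminal Server should require it. This reads the RDP-Tcp listener's settings through the Win32_TSGeneralSetting WMI class and, with -Enforce, turns NLA on and raises the security layer and encryption level. Assumptions: the default listener name RDP-Tcp; run as an administrator on the Terminal Server, or pass -ComputerName for a remote one.

```powershell
# Added example, not from the 6430B lab. Audits (and optionally enforces)
# the RDP listener security settings that the Add Roles Wizard asks about.
# Assumption: default listener RDP-Tcp.

function Get-RdpListenerSetting {
    param([string]$ComputerName = '.', [string]$Listener = 'RDP-Tcp')
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='$Listener'" `
        -Authentication PacketPrivacy
}

function Test-RdpListenerSecurity {
    # Returns a list of findings; empty means the listener passes.
    # UserAuthenticationRequired: 1 = NLA required.
    # SecurityLayer: 0 = RDP security layer, 1 = Negotiate, 2 = SSL (TLS).
    # MinEncryptionLevel: 1 Low, 2 Client compatible, 3 High, 4 FIPS.
    param($Setting, [switch]$Enforce)
    $findings = @()
    if ($Setting.UserAuthenticationRequired -ne 1) {
        $findings += 'NLA not required'
        if ($Enforce) { [void]$Setting.SetUserAuthenticationRequired(1) }
    }
    if ($Setting.SecurityLayer -lt 2) {
        $findings += "SecurityLayer=$($Setting.SecurityLayer) (not SSL)"
        if ($Enforce) { [void]$Setting.SetSecurityLayer(2) }
    }
    if ($Setting.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($Setting.MinEncryptionLevel) (below High)"
        if ($Enforce) { [void]$Setting.SetEncryptionLevel(3) }
    }
    return $findings
}

$rdp = Get-RdpListenerSetting
$issues = @(Test-RdpListenerSecurity -Setting $rdp)
if ($issues.Count -eq 0) {
    "$($rdp.TerminalName): NLA required, SSL security layer, High encryption"
} else {
    "$($rdp.TerminalName) findings: " + ($issues -join '; ')
}
# To remediate (affects new connections only; existing sessions are unaffected):
# Test-RdpListenerSecurity -Setting (Get-RdpListenerSetting) -Enforce
```

Run the audit first and the enforcement only after confirming that every client that must reach the server supports CredSSP, because once NLA is required those that do not are refused before they ever see a logon screen.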


Task 2: Install the financial application

1. Click Start, and then click Computer.

2. Browse to D:\Labfiles\Mod05, and double-click CalcPlus.msi.

3. In the Microsoft Calculator Plus window, click Next.

4. On the License Agreement page, click I Agree, and then click Next.

5. On the Select Installation Folder page, use C:\Program Files\Microsoft Calculator Plus\, click Everyone, and then click Next.

6. Click Close, and then close the Windows Explorer window.

Task 3: Prepare the financial application for distribution as a RemoteApp program

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.

2. In the actions pane, click Add RemoteApp Programs.

3. In the RemoteApp Wizard, click Next.

4. Select the Microsoft Calculator Plus check box, and then click Next.

5. Click Finish.

6. In the RemoteApp Programs area, click Microsoft Calculator Plus.

7. Under Other Distribution Options, click Create Windows Installer Package.

8. In the RemoteApp Wizard, click Next.

9. On the Specify Package Settings page, click Next.

10. On the Configure Distribution Package page, select the Desktop check box, and then click Next.

11. Click Finish.

12. In the Packaged Programs window, browse up to C:\Program Files.

13. Right-click Packaged Programs, and then click Share.

14. Click Advanced Sharing.

15. Select the Share this folder check box, and then click OK.


16. Click Close, and then close all open windows.

17. Click Start, point to Administrative Tools, and then click Group Policy Management.

18. In the Group Policy Management window, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.

19. Under User Configuration, expand Policies, expand Software Settings, right-click Software installation, point to New, and then click Package.

20. Browse to \\SEA-DC1\Packaged Programs, click CalcPlus.msi, and then click Open.

21. In the Deploy Software window, click Advanced, and then click OK.

22. In the Microsoft Calculator Plus Properties window, click the Deployment tab.

23. Under Deployment type, click Assigned.

24. Under Deployment options, select the Install this application at logon check box, and then click OK.

25. Close all open windows.

Task 4: Test the new application

1. Log on to SEA-CL1 as Administrator with a password of Pa$$w0rd.

2. If the Microsoft Calculator Plus icon does not appear on the desktop, then perform the following steps:

a. Click Start, type cmd, and then press ENTER.

b. At the command prompt, type gpupdate, and then press ENTER.

c. Close the command prompt.

d. Restart SEA-CL1, and log on again as Administrator.

3. Click Start, type gpedit.msc, and then press ENTER.

4. Under Computer Configuration, expand Administrative Templates, expand System, and then click Credentials Delegation.


5. Double-click Allow Delegating Default Credentials, click Enabled, and then click Show.

6. In the Show Contents window, click Add, type termsrv/SEA-DC1.adatum.com, and then click OK.

7. In the Show Contents window, click OK.

8. In the Allow Delegating Default Credentials Properties window, click OK.

9. Close the Local Group Policy Editor.

Note: In a production environment, you would configure the group policy setting by using a GPO rather than the local Group Policy.

10. On the desktop, double-click the Microsoft Calculator Plus icon.

11. Select the Don’t ask me again for remote connections to the computer check box, and then click Connect.

12. Wait while the application starts. This may take a few moments to log on to the Terminal Server.

13. Close Microsoft Calculator Plus.

Note: Opening the application a second time is much faster.
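Added example (PowerShell, not part of the course lab): steps 3 to 9 above set Allow Delegating Default Credentials through the Local Group Policy Editor, which writes the values below under HKLM\SOFTWARE\Policies. This does the same from PowerShell and makes the check that matters explicit: the server list is the only thing that stops CredSSP from handing the user's password to any RDP host that asks, so the function accepts only fully qualified termsrv/<host> SPNs and refuses wildcards. Assumptions: the SPN termsrv/SEA-DC1.adatum.com from the lab; run elevated on the client (SEA-CL1). A domain GPO that carries the same setting overwrites these values at the next refresh, which is one more reason to follow the note above and use a GPO in production.

```powershell
# Added example, not from the 6430B lab. Writes the Allow Delegating
# Default Credentials policy for one Terminal Server SPN and reads it back.
# Assumption: registry layout used by the CredentialsDelegation policy
# (DWORD AllowDefaultCredentials plus a subkey of numbered REG_SZ entries).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$ListKey   = Join-Path $PolicyKey 'AllowDefaultCredentials'

function Set-AllowDefaultCredentials {
    param([string[]]$ServerSpn)
    foreach ($spn in $ServerSpn) {
        # termsrv/* or termsrv/*.adatum.com would delegate the password to
        # every matching host, so only an exact host SPN is accepted here.
        if ($spn -notmatch '^termsrv/[a-z0-9.-]+$') {
            throw "Refusing '$spn': only exact termsrv/<host> SPNs without wildcards are accepted."
        }
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'AllowDefaultCredentials' -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'ConcatenateDefaults_AllowDefault' -Value 1 -Type DWord
    # Replace the list wholesale so entries from earlier runs do not linger.
    if (Test-Path $ListKey) { Remove-Item -Path $ListKey -Recurse }
    New-Item -Path $ListKey | Out-Null
    $index = 1
    foreach ($spn in $ServerSpn) {
        Set-ItemProperty -Path $ListKey -Name $index -Value $spn -Type String
        $index++
    }
}

function Get-AllowDefaultCredentials {
    # Returns the SPNs currently allowed to receive default credentials.
    if (-not (Test-Path $ListKey)) { return @() }
    $props = Get-ItemProperty -Path $ListKey
    $props.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
}

Set-AllowDefaultCredentials -ServerSpn 'termsrv/SEA-DC1.adatum.com'
'Default credentials may be delegated to:'
@(Get-AllowDefaultCredentials)
```

Reviewing this list is a useful routine check on client builds: a termsrv/* entry means a user's logged-on credentials are forwarded to whichever host their RDP file or a spoofed name points at, which is exactly the exposure the single-SPN entry in step 6 avoids.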

Results: After this exercise, you should have successfully implemented a Terminal Server and distributed a Terminal Services application.

To prepare for the next module

1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.

2. In the Close box, select Turn off machine and discard changes. Click OK.

