6420B ENU TrainerHandbook

O F F I C I A L
M I C R O S O F T
L E A R N I N G
P R O D U C T
6420B
Fundamentals of Windows Server 2008
ii
Information in this document, including URL and other Internet Web site references, is subject to change without notice.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain
name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright
laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no
representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the
products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of
Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of
Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any
changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement of Microsoft of the site or the products contained therein.
2010 Microsoft Corporation. All rights reserved.
Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
All other trademarks are property of their respective owners.
Product Number: 6420B

Part Number : X17-46552
Released: 10/2010
MICROSOFT LICENSE TERMS

OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION
Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed
Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft
updates,
supplements,
Internet-based services, and
support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed
Content.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Academic Materials means the printed or electronic documentation such as manuals, workbooks, white papers,
press releases, datasheets, and FAQs which may be included in the Licensed Content.
b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions location, an IT
Academy location, or such other entity as Microsoft may designate from time to time.
c. Authorized Training Session(s) means those training sessions authorized by Microsoft and conducted at or
through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning
Products (formerly known as Microsoft Official Curriculum or MOC) and Microsoft Dynamics Learning Products
(formerly know as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on
the subject matter of one (1) Course.
d. Course means one of the courses using Licensed Content offered by an Authorized Learning Center during an
Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.
e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or analog device.
f.
Licensed Content means the materials accompanying these license terms. The Licensed Content may include, but
is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv)
Software. There are different and separate components of the Licensed Content for each Course.
g.
Software means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included
with the Licensed Content.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.
i.
Student Content means the learning materials accompanying these license terms that are for use by Students and
Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files
for a Course.
j.
Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other
individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or
instruct an Authorized Training Session to Students on its behalf.
k. Trainer Content means the materials accompanying these license terms that are for use by Trainers and Students,
as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard
Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.
l.
Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard
disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to
allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard
Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using Microsoft Virtual PC or
Microsoft Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks,
and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes
of these license terms, Virtual Hard Disks will be considered Trainer Content.
n.
you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content,
Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer
basis.
3. INSTALLATION AND USE RIGHTS.

a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:
i.
either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students
enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use
does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and
only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the
number of Devices accessing the Licensed Content on such server does not exceed the number of Students
enrolled in and the Trainer delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed
Content that you install in accordance with (ii) or (ii) above during such Authorized Training Session in accordance
with these license terms.
i.
Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not
separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to
the use of those third party programs, unless other terms accompany those programs.
b. Trainers:
i.
Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a
classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install
and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and
for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own personal training Use
and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions in this agreement,
these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same
information and/or work the way a final version of the Licensed Content will. We may change it for the final,
commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any
Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no
obligation to provide them with any further content, including but not limited to the final released version of the
Licensed Content for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without
charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to
third parties, without charge, any patent rights needed for their products, technologies and services to use or interface
with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not
give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation
that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.
i.
Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you
may not disclose confidential information to third parties. You may disclose confidential information only to
your employees and consultants who need to know the information. You must have written agreements with
them that protect the confidential information at least as much as this agreement.
ii.
Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You
must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the
information. Confidential information does not include information that
becomes publicly known through no wrongful act;
you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers;
or
you developed independently.
d.
Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date
for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever
is first (beta term).
e.
Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will
destroy all copies of same in the possession or under your control and/or in the possession or under the control of any
Trainers who have received copies of the pre-released version.
f.
Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print
and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you
will follow any additional terms that Microsoft provides to you for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

a. Authorized Learning Centers and Trainers:
i.
Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista,
Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products
which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher,
then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the
install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before
it stops running. You may not be able to access data used or information saved with the Virtual Machines
when it stops running and may be forced to reset these Virtual Machines to their original state. You must
remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch
it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any
Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from
Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such
Software with Microsoft using such product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and
conditions of this agreement and the following security requirements:
o
You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are
accessible to other networks.
You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each
Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions
locations.
You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.
You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from
Devices on which you installed them.
You will strictly comply with all Microsoft instructions relating to installation, use, activation and
deactivation, and security of Virtual Machines and Virtual Hard Disks.
You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training
Session will be done in accordance with the classroom set-up guide for the Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations,
sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized
Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their
personal training use.
iv. iv Evaluation Software. Any Software that is included in the Student Content designated as Evaluation
Software may be used by Students solely for their personal training outside of the Authorized Training Session.
b. Trainers Only:
i.
Use of PowerPoint Slide Deck Templates . The Trainer Content may include Microsoft PowerPoint slide decks.
Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session.
If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide
decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is
created; and (b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may
customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are
logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing
rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be
used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic
Materials. You may not make any modifications to the Academic Materials and you may not print any book (either
electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:
The use of the Academic Materials will be only for your personal reference or training use
You will not republish or post the Academic Materials on any network computer or broadcast in any media;
You will include the Academic Materials original copyright notice, or a copyright notice to Microsofts benefit in
the format provided below:
Form of Notice:
2010 Reprinted for personal reference use only with permission by Microsoft Corporation. All
rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of
Microsoft Corporation in the US and/or other countries. Other product and company names
mentioned herein may be the trademarks of their respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change
or cancel them at any time. You may not use these services in any way that could harm them or impair anyone elses use
of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any
means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the
Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation,
you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any
technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not
install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the
Authorized Training Session;
allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering
the Authorized Training Session if the Licensed Content is installed on a network server;
copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;
disclose the results of any benchmark tests of the Licensed Content to any third party without Microsofts prior written
approval;
work around any technical limitations in the Licensed Content;
reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law
expressly permits, despite this limitation;
make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this
limitation;
publish the Licensed Content for others to copy;
transfer the Licensed Content, in whole or in part, to a third party;
access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized
by Microsoft to access and use;
rent, lease or lend the Licensed Content; or
use the Licensed Content for commercial hosting services or general business purposes.
Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks
does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or
devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must
comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws
include restrictions on destinations, end users and end use. For additional information, see
www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as NFR
or Not for Resale.
10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as Academic Edition
or AE. If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact
the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with
the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a)
expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically
terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its
component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and
support services that you use, are the entire agreement for the Licensed Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the
interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws
of the state where you live govern all other claims, including claims under state consumer protection laws, unfair
competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country
apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country.
You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does
not change your rights under the laws of your country if the laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of using it.
Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights
under your local laws which this agreement cannot change. To the extent permitted under your local laws,
Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and noninfringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND
ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES,
INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or
third party programs; and
claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or
exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential
or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.
Remarque : Ce le contenu sous licence tant distribu au Qubec, Canada, certaines des clauses dans ce contrat
sont fournies ci-dessous en franais.
EXONRATION DE GARANTIE. Le contenu sous licence vis par une licence est offert tel quel . Toute utilisation de ce
contenu sous licence est votre seule risque et pril. Microsoft naccorde aucune autre garantie expresse. Vous pouvez
bnficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier.
La ou elles sont permises par le droit locale, les garanties implicites de qualit marchande, dadquation un usage particulier
et dabsence de contrefaon sont exclues.
LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES DOMMAGES. Vous
pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement hauteur de
5,00 $ US. Vous ne pouvez prtendre aucune indemnisation pour les autres dommages, y compris les dommages spciaux,
indirects ou accessoires et pertes de bnfices.
Cette limitation concerne:
tout ce qui est reli au le contenu sous licence , aux services ou au contenu (y compris le code) figurant sur des sites
Internet tiers ou dans des programmes tiers ; et
les rclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit stricte, de ngligence ou
dune autre faute dans la limite autorise par la loi en vigueur.
Elle sapplique galement, mme si Microsoft connaissait ou devrait connatre lventualit dun tel dommage. Si votre pays
nautorise pas lexclusion ou la limitation de responsabilit pour les dommages indirects, accessoires ou de quelque nature que
ce soit, il se peut que la limitation ou lexclusion ci-dessus ne sappliquera pas votre gard.
EFFET JURIDIQUE. Le prsent contrat dcrit certains droits juridiques. Vous pourriez avoir dautres droits prvus par les lois
de votre pays. Le prsent contrat ne modifie pas les droits que vous confrent les lois de votre pays si celles-ci ne le
permettent pas.
ix
Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Andrew J. Warren Content Developer

Andrew Warren (MCSE, MCITP, and MCT) has more than 22 years of experience in the IT industry, many of
which have been spent in writing and teaching. He has been involved as the subject matter expert (SME)
for the 6430B course for Windows Server 2008 and the technical lead on a number of other courses. He
also has been involved in TechNet sessions on Microsoft Exchange Server 2007.
Jason Kellington Content Developer

Jason Kellington is a trainer, consultant and author who specializes in a number of Microsoft products. He
has over ten years of experience in the IT industry as an administrator, developer, educator and technical
writer. Through his consulting practice, he provides a range of services including specialized training,
network planning and deployment and database design and maintenance. Jason is an MCT, MCITP and
MCSE.
Justin Rodino - Content Developer

Justin Rodino started his instructional career as a guest lecturer at Purdue University. From Purdue, Justin
was an instructor and courseware developer for Altiris/Symantec where he became involved with
Microsoft technologies. He is an MCT and MVP, and involved with the Windows and Office teams at
Microsoft. Justin has also authored or co-authored many books including the Office 2010 Bible. He speaks
at Microsoft events and runs his own consulting company.
Claudia Woods Technical Reviewer

Claudia has been a LAN Administrator, IT Pro Consultant and Technology Instructor for more than twenty
years. She designs and implements technology solutions for an international customer base. Claudia also
holds instructor certifications for CompTIA CTT+, VMware VCI (3.x/4.x), and Microsoft MCT (NT - 2008).
Her Microsoft specialties include Windows Server, Active Directory and Exchange Messaging.
Contents
Module 1: Understanding Network Infrastructure
Lesson 1: Network Architecture Standards
1-3
Lesson 2: Local Area Networking
1-11
Lesson 3: Wide Area Networking
1-19
Lesson 4: Wireless Networking
1-28
Lesson 5: Connecting to the Internet
1-35
Lesson 6: Remote Access
1-41
Lab: Selecting Network Infrastructure Components
1-48
Module 2: Connecting Network Components

Lesson 1: Understanding the OSI Model
2-3
Lesson 2: Understanding Adapters, Hubs, and Switches
2-11
Lesson 3: Understanding Routing
2-19
Lesson 4: Understanding Media Types
2-26
Lab: Connecting Network Components
2-34
Module 3: Implementing TCP/IP

Lesson 1: Overview of TCP/IP
3-3
Lesson 2: Understanding IPv4 Addressing
3-11
Lesson 3: Configuring IPv4
3-24
Lesson 4: Understanding IPv6
3-32
Lesson 5: Name Resolution
3-42
Lab: Implementing TCP/IP
3-55
Module 4: Implementing Storage in Windows Server

Lesson 1: Identifying Storage Technologies
4-3
Lesson 2: Managing Disks and Volumes
4-15
Lesson 3: Implementing RAID
4-21
Lab: Implementing Storage in Windows Server
4-30
Module 5: Installing and Configuring Windows Server

Lesson 1: Installing Windows Server
5-3
Lesson 2: Managing Services
5-19
Lesson 3: Managing Peripherals and Devices
5-25
Lab: Installing Windows Server
5-34
xi
xii
Module 6: Windows Server Roles

Lesson 1: Role-Based Deployment
6-3
Lesson 2: Deploying Role-Specific Servers
6-9
Lab: Implementing Server Roles
6-20
Module 7: Implementing Active Directory Domain Services

Lesson 1: Introducing AD DS
7-3
Lesson 2: Implementing AD DS
7-15
Lesson 3: Managing Users, Groups, and Computers
7-24
Lesson 4: Implementing Organizational Units
7-34
Lesson 5: Implementing Group Policy
7-39
Lab: Implementing AD DS
7-48
Module 8: Implementing IT Security Layers

Lesson 1: Overview of Defense-in-Depth
8-3
Lesson 2: Physical Security
8-17
Lesson 3: Internet Security
8-22
Lab: Implementing IT Security Layers
8-33
Module 9: Implementing Windows Server Security

Lesson 1: Overview of Windows Security
9-3
Lesson 2: Securing Files and Folders
9-17
Lesson 3: Implementing Encryption
9-32
Lab: Implementing Windows Security
9-45
Module 10: Implementing Network Security

Lesson 1: Overview of Network Security
10-3
Lesson 2: Implementing Firewalls
10-7
Lesson 3: Network Access Protection
10-23
Lab: Implementing Network Security
10-31
Module 11: Implementing Security Software

Lesson 1: Client Protection Features
11-4
Lesson 2: E-Mail Protection
11-18
Lesson 3: Server Protection
11-28
Lab: Implementing Security Software
11-39
Module 12: Monitoring Server Performance

Lesson 1: Overview of Server Components
12-3
Lesson 2: Performance Monitoring
12-8
Lab: Monitoring Server Performance
12-17
Module 13: Maintaining Windows Server

Lesson 1: Troubleshooting Windows Server Startup
13-3
Lesson 2: Server Availability and Data Recovery
13-12
Lesson 3: Applying Updates to Windows Server
13-24
Lesson 4: Troubleshooting Windows Server
13-30
Lab: Maintaining Windows Server
13-41
Module 14: Implementing Virtualization

Lesson 1: Overview of Virtualization Technologies
14-3
Lesson 2: Implementing the Hyper-V Role
14-16
Lab: Implementing Virtualization
14-37
Lab Answer Keys
xiii
xiv
About This Course
xv
About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and
course objectives.
Course Description
This course is designed to provide foundation skills in networking and Windows Server security, network
services, and administration.
Audience
Candidates for this course are seeking to gain fundamental knowledge and skills around security,
networking, and administration in Windows Server 2008 R2. It can apply to home computer users,
academic, information workers, developers, or help desk technicians wishing to begin a new skills path or
up-skill to Windows Server technologies. It is for candidates wishing to prepare for the Microsoft
Technology Associate (MTA) certification in Windows Server 2008. Candidates for this course may also
include IT Pros with skills within other IT areas or operating systems (such as Linux) who wish to gain an
insight into Windows Server.
Student Prerequisites
This course requires that you meet the following prerequisites:
A good fundamental knowledge of general computing equivalent with the CompTIA A+ Certification.
An ability to understand basic security, networking and administration concepts.
Some previous knowledge and experience with desktop operating systems, although this is not
mandatory.
No programming skills are required, although some experience and knowledge of scripting
technologies would be advantageous.
Course Objectives
After completing this course, students will be able to:
Describe fundamental network components and terminology thus enabling you to select an
appropriate network component in a particular scenario.
Implement a network by selecting network hardware components and technologies and determine
the appropriate network hardware and wiring components for a given situation.
Describe the protocols and services within the Transmission Control Protocol/Internet Protocol
(TCP/IP) suite of protocols and implement IPv4 within a Windows Server environment.
Select appropriate storage technologies and configure storage on Windows Server.
Perform a local media-based installation of Windows Server 2008 R2.
Describe server roles.
Implement and configure an Active Directory Domain Service (AD DS) forest.
Describe the concept of defense-in-depth and determine how to implement this approach with
Windows Server.
Identify the security features in Windows Server that help to provide defense-in-depth.
xvi
About This Course
Identify the network-related security features in Windows Server to mitigate security threats to you
network.
Identify and implement additional software components to enhance your organizations security.
Monitor a server to determine the performance level.
Identify the Windows Server tools available to maintain and troubleshoot Windows Server.
Create and configure a virtual machine with Hyper-V.
Course Outline
This section provides an outline of the course:
Module 1 Understanding Network Infrastructure In this module, you will learn how to describe
fundamental network component and terminology thus enabling you to select an appropriate network
component in a particular scenario.
Module 2, Connecting Network Components In this module, students will learn to build a network
using network hardware components and technologies.
You will also learn to determine the appropriate network hardware and wiring components for a given
situation.
Module 3, Implementing TCP/IP In this module, you will be able to describe the protocols and
services within the TCP/IP suite of protocols. You will also learn to implement IPv4 within a Windows
environment.
Module 4, Implementing Storage in Windows Server In this module, you will learn about storage
technologies and how they are implemented with Windows Server. You will also learn to configure
storage on Windows Server.
Module 5, Installing and Configuring Windows Server In this module, you will learn to understand
the various options available for installing Windows Server and to complete an installation. You will also
launch a local media setup and then perform the post-installation configuration of a server.
Module 6, Windows Server Roles In this module, you will learn to deploy server roles to support a
business scenario. You will also learn to implement appropriate server roles to support a given scenario.
Module 7, Implementing Active Directory Domain Services In this module, you will learn to
implement an AD DS forest. You will also create and configure an AD DS forest.
Module 8, Implementing IT Security Layers In this module, you will learn to deploy server roles to
support a business scenario. You will also learn to implement appropriate server roles to support a given
scenario.
Module 9,Implementing Windows Server Security In this module, you will understand security
features in Windows Server to help to provide defense-in-depth. You will also implement some of the
Windows Server security features.
Module 10, Implementing Network Security In this module, you will describe the security-related
threats to an organizations network and the technologies available in Windows Server to mitigate these
risks. You will also implement network-related security features in Windows Server.
Module 11, Implementing Security Software In this module, you will identify and implement
additional software components to enhance an organizations security. You will also analyze and secure a
Windows Server.
About This Course
xvii
Module 12,Monitoring Server Performance In this module, you will identify a poorly performing
server. You will also monitor a server to determine the performance level.
Module 13, Maintaining Windows Server In this module, you will understand the tools available and
the methods to employ to maintain and troubleshoot Windows Server. You will also learn how to
maintain and troubleshoot Windows Server systems.
Module 14, Implementing Virtualization In this module, you will understand the virtualization
technologies provided by Microsoft. You will also create and configure a virtual machine with Hyper-V.
xviii
About This Course
Course Materials
The following materials are included with your kit:
Course Handbook A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.
Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when its
needed.
Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site:

Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to
supplement the Course Handbook.
Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and answers
and Module Reviews and Takeaways sections, which contain the review questions and answers, best
practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
with answers.
Resources: Include well-categorized additional resources that give you immediate access to the most
up-to-date premium content on TechNet, MSDN, Microsoft Press
Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the

Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and
demonstrations.
Course evaluation At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
To provide additional comments or feedback on the course, send e-mail to

support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail
to mcphelp@microsoft.com.
About This Course
Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business
scenario of the course.
Virtual Machine Configuration

In this course, you will use Microsoft Virtual Server 2005 R2 with SP1 to perform the labs.
The following table shows the role of each virtual machine used in this course:
Virtual machine
Role
6420B-NYC-DC1
Windows Server 2008 R2 domain controller in the Contoso.com

domain
6420B-NYC-SVR1
A virtual machine with no operating system installed
6420B-NYC-SVR2
Windows Server 2008 R2 member server in Contoso.com
6420B-NYC-SVR3
6420B-NYC-SVR4
6420B-NYC-CL1
A Windows 7 computer in the Contoso.com domain
Software Configuration
The following software is installed on each VM:
Windows Server 2008 R2 Enterprise
Windows 7
Microsoft Office 2007, Service Pack 2
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware are taught.
Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
Dual 120 GB hard disks 7200 RM SATA or better*
4 GB RAM
DVD drive
Network adapter
Super VGA (SVGA) 17-inch monitor
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers
*Striped
xix
xx
About This Course
Understanding Network Infrastructure
Module 1
Contents:
Lesson 1: Network Architecture Standards
1-3
Lesson 2: Local Area Networking
1-11
Lesson 3: Wide Area Networking
1-19
Lesson 4: Wireless Networking
1-28
Lesson 5: Connecting to the Internet
1-35
Lesson 6: Remote Access
1-41
1-48
1-1
1-2
Module Overview
Networks are a critical component of an effective Windows Server 2008 operating system environment.
The majority of computing systems today are connected in some way to a network. A typical corporate
network has many different components and can connect a computer to others in the next room, across a
city, or on the other side of the globe.
This module reviews the general characteristics of computer networks and introduces components and
concepts commonly associated with networks, providing you with the basic information required to
understand the fundamentals of a network computing environment
Objectives
After completing this module, you will be able to:
Describe physical network topologies and standards.
Define Local Area Networks (LANs).
Define Wide Area Networks (WANs).
Describe wireless networking technologies.
Explain how to connect a network to the Internet.
Describe how technologies are used for remote access.
1-3
Lesson 1
Network Architecture Standards
A network is created using a number of different physical components and logical standards that define
the specific qualities of a network. Network architecture refers to the set of physical components and
logical standards that provide the basis for communication within a network.
In order to troubleshoot a network environment, you must have an understanding about the composition
and capabilities of the networks architecture.
Objectives
After completing this lesson, you will be able to:
Describe fundamental network topology and components.
Describe network architecture.
Describe network access methods.
Describe the Institute of Electronic Engineers (IEEE) 802 standards.
1-4
Network Components and Terminology
Key Points
A network is a collection of devices connected to each other in order to facilitate communication and the
sharing of resources.
The majority of computer networks share a common set of components and common terminology
regardless of differences in implementation or technology used.
The key components of a network are:
Data. Data refers to the actual information being sent over a network.
Node. A network node refers to a device that either sends or receives data on a network. Typical
nodes are computers, but they can be other devices that are directly attached to the network such as
printers or scanners.
Client. A computer on a network that primarily receives data or uses other resources on the network
is referred to as a client.
Server. A server is a computer on a network that is primarily responsible for sharing or serving data
and resources to other computers on the network. A server commonly provides access to shared files
or devices such as printers to the entire network.
Peer. A peer performs the functions of a client computer, but also provides shared resources like a
server computer does. Peers are common in small networks when a dedicated server computer is not
necessary or cost-efficient.
Network adapter. A network adapter is a device that allows a node to physically connect to a
network. It provides the interface between the hardware of the device connecting to the network and
the network itself.
Hub. A hub is a device for connecting multiple nodes on a network. Each node that is physically
connected to the hub can communicate with all other nodes connected to the same hub.
1-5
Switch. A switch performs the same basic functions as a hub, but it allows for more sophisticated and
efficient interaction with the data. As such, a switch can provide much improved performance over a
hub when any more than a few nodes are connected to the network.
Note: Due to the decreasing cost of network switches, they have largely replaced hubs, even in small
networks.
Router. A router is a device that is responsible for connecting individual networks together and
ensuring that the data traveling outside of any given network reaches its destination. Routers contain
a list of potential destinations or routes that it uses to send and receive data from other networks.
Media. The physical material used to connect devices on a network is referred to as that networks
media. Media is typically some type of cable, but can also be wireless radio frequency, infrared or
some other less physical medium.
Transport protocol. A transport protocol refers to the set of rules that govern how data is packaged,
sent and unpackaged when it is transmitted over the network.
Bandwidth. The throughput or speed at which a network operates is referred to as bandwidth.

Network bandwidth is determined by the functionality of the combination of components in a
network.
1-6
Network Architecture
Key Points
Network architecture refers to both the set of physical components that work together to connect
computers in a network as well as the functional organization and configuration of those components.
Network architecture standards also govern how data is packaged and transmitted on a network.
Ethernet
Ethernets low cost reliability and simplicity of implementation have made it the predominant architecture
standard found in modern networks. It is used in both small and large networking environments.
In basic form, an Ethernet network involves several nodes connected with copper wire cables to a hub or
switch. For larger bandwidth requirements or longer distance connections, fiber-optic cable is often used.
Ethernet has evolved into a number of specific standards. Over time, changes to network media,
computing technology and bandwidth requirements have forced changes to the Ethernet standard to
accommodate the evolving network environment.
The following table provides key characteristics of the most commonly implemented Ethernet standards.
Standard
Media
Bandwidth
Common uses
10BASE-T
Twisted copper
10Mbps
Local networks
100BASE-TX
Twisted copper
100Mbps
Local networks
100BASE-FX
Fiber-optic
100Mbps
Distant networks
1000BASE-T
Twisted copper
1Gbps (1000Mbps)
Local networks
1000BASE-LX
Fiber-optic
1Gbps
Distant networks
10GBASE-T
Twisted copper
10Gbps
Local networks
Standard
Media
Bandwidth
Common uses
10GBASE-LR/ER
Fiber-optic
10Gbps
Distant networks
1-7
Of the standards listed in this table, 100BASE-TX and 1000BASE-T are the ones most commonly found in
modern LANs. 1000BASE-LX and 10GBASE-LR/ER are the most commonly found in long distance Ethernet
connections.
FDDI
Fiber Distributed Data Interface (FDDI) uses primarily fiber-optic cable as a medium for transmission and is
capable of spanning distances of 200km and a speed of 100 megabits per second (Mbps). It was
historically used to connect a number of geographically separated networks together, but has been
largely replaced by Ethernet.
Token Ring
Token ring uses primarily copper wire for data transmission and is capable of speeds of 4Mbps and
16Mbps. Token ring was common in early corporate networks as an alternative to Ethernet, but has been
largely replaced by Ethernet.
1-8
Network Media Access Control Methods
Key Points
When data is transmitted on a network, it travels along that networks media to reach its destination. The
set of rules that define how and when a node sends data along the media is called the network media
access control method.
On a computer network, data appears to move simultaneously from node to node without interruption.
However, only a single node may access the network media at any given time. Nodes give the illusion of
simultaneous access by taking turns accessing the network media for very short periods of time. If two
nodes were to transmit data onto the network media at the same time, the data from each node would
collide along the media and the data would be destroyed. In an environment with hundreds of computers
sharing the same network media, network media access control methods are critical to ensuring network
data is transmitted correctly to its destination.
There are three primary network media access control methods.
Carrier-Sense Multiple Access with Collision Detection (CSMA/CD)

When CSMA/CD is used as a network media access control method, a node first listens on the network
media to ensure that there is no existing data transmission in progress from another node. If no other
transmission signal is present, the node will transmit its data. If a transmission signal exists on the network
media, the node will wait for a small interval of time before checking again, repeating this process until
the media is free of other data transmissions before sending its own transmission.
When two nodes wanting to send data check the network simultaneously and find no existing
transmission, they will both transmit their data, causing a data collision on the network. When this
occurs, both nodes detect the collision, stop transmitting their data immediately, and send out a signal
that informs all nodes on the media that a collision has occurred and that they should not transmit. Then,
the nodes that caused the collision will wait for a random period of time before attempting to retransmit
their data.
1-9
CSMA/CD is the network media access method used for Ethernet networks. It provides the network with a
fast method of data transmission and collision resolution, but because simultaneous data transmission and
collisions can occur, it becomes increasingly less efficient as more nodes are added to a specific segment
of network media.
Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA)

When CSMA/CA is implemented, nodes advertise their intent to transmit data on the network media prior
to actually transmitting the data. Nodes on the network media are constantly listening for the
advertisements of other nodes, and if an advertisement is detected, the node will avoid transmitting its
own data.
This method allows for nodes to more efficiently avoid collisions with data transmitted from other nodes
on the network media when compared to CSMA/CD. It also allows for more consistent communication on
the network media for data transmission notification, especially if intermittent node connectivity is an
issue or if a node is not always aware of every other node on the network media. This makes CSMA/CA an
excellent candidate for wireless networks, hence its adoption as the network media access control method
for the 802.11 group of wireless networking standards. CSMA/CAs collision avoidance method does come
at the cost of being generally a slower method than CSMA/CD.
Token Passing
Token passing is a method that uses a small piece of data or token to signify the intention to transmit
data. This token, along with the other data being sent, is passed around to all systems in the network.
When the token and data reach the intended destination, the data is passed to the destination system and
the token continues through the remainder of the systems until it reaches the originating system,
confirming transmission to the entire network. Both FDDI and token ring make use of the token passing
method.
Both CSMA/CD and CSMA/CA are considered contention-based network media access control methods
because the nodes on the network share or contend for access to the media. Token passing is referred to
as a deterministic method, which refers to the ability to determine the amount of time data transmission
and confirmation will take, due to the orderly fashion by which nodes access the network media.
1-10
IEEE 802 Standards
Key Points
The IEEE manages the definition of technical standards for electronic engineering and manufacturing.
These standards define specific qualities in a technology to allow for devices manufactured within the
scope of that technology to work together. These standards allow devices such as network adapters and
switches that are manufactured by different vendors to work together on the same network.
One of the most notable and recognizable standards is the IEEE 802 family of standards that define the
functionality of different aspects of a network environment.
The IEEE 802 standard has more than 15 sub-standards that pertain to specific technologies found in a
network environment. Some of the key IEEE 802 standards are listed below:
IEEE 802.3 defines Ethernet network standards
IEEE 802.5 defines token ring network standards
IEEE 802.11 defines local wireless network standards
IEEE 802.16 defines high capacity wireless network standards
1-11
Lesson 2
Local Area Networking
A LAN is the most basic and commonly implemented form of computer network. This lesson introduces
you to the LAN and its associated concepts and technologies.
The LAN is the building block for all major and more complex networks, so this lesson will also familiarize
you with LAN structure, design and implementation.
Objectives
Describe LANs.
Describe how nodes on a LAN communicate.
Describe components of a LAN.
Describe wiring topologies and access methods.
1-12
What Is a LAN?
Key Points
A LAN is a computer network that covers a specific physical area such as a home, office or closely built
group of buildings, like a school campus or airport. LANs also typically feature a high bandwidth capacity
and have the ability to provide equal bandwidth and network access to all nodes.
Due to constantly improving technology and the high bandwidth available in modern networking
technology, LANs are becoming less dependent on geographic proximity. Virtually all modern LANs use
the Ethernet standard for network connectivity.
1-13
How Nodes on a LAN Communicate
Key Points
While communication may appear to be constant between nodes on a LAN, especially when used to offer
functionality such as video conferencing, it has already been established that communication on a LAN
consists not of a constant stream of data from node to node, but shared access to the network media
using short transmissions of relatively small pieces of data to allow for all nodes on the network to have
access. In most cases, the data a user interacts with on a LAN (a file, video conference, print job, etc.) is far
too large to be contained in a single transmission from a node. In order for a LAN to deliver these large
amounts of data, the information must be broken down into a network frame.
In general, a network frame contains a part of the original data being sent, along with network specific
information regarding the frames sender, the frames recipient and information allowing for the frame to
be reassembled into readable data at its destination. A frame also contains error checking information
that allows it to be retransmitted from the sender should it not arrive at its destination as planned. The
actual structure of a frame depends on the type of network being used. For example, an Ethernet frame
will differ slightly in structure from a token ring frame.
The sender and destination of each frame, along with every other node on the LAN, have a unique
network address. This address allows for simple and precise delivery methods throughout the LAN and
also allows for each node to be distinctly identifiable on the network.
A nodes media access control (MAC) address is the most basic form of uniquely identifying it on a LAN.
MAC addresses are assigned to all network adapters at the time of manufacture and are most often
represented in hexadecimal format (ex: 00-22-FB-8A-41-64).
1-14
Physical Components of a LAN
Key Points
The physical components of a LAN are responsible for taking network data and transmitting it to its
destination along some type of physical media that connects the nodes together.
A LAN can vary in complexity from two or three connected nodes in the same room to thousands of
nodes connected over a considerable area. As such, LANs can consist of only a few components or a large
number of interconnected components.
The most common physical LAN components are:
Network adapters. Network adapters provide the point of contact between a LAN node and the rest
of the network. It is typically connected to the network via a wire or cable. Different network
architectures (Ethernet, token ring) require different network adapters to interface with the LAN. For
example, an Ethernet network adapter will not function when connected to a token ring network.
Wiring or cable. A LANs wiring provides the physical media along which a LANs data is sent. LAN
cable types will vary and are classified into a number of different types according to the physical
qualities of the cable. Common cable types include:
Unshielded twisted pair (UTP). The cable is the most common type found in Ethernet LANs. It
consists of four pairs of copper wire twisted together and is usually terminated with an RJ-45
connector. UTP is by far the most common cabling standard used in LANs.
Coaxial copper. The cable is used in older Ethernet networks and is typically terminated with a
barrel-type BNC connector.
Fiber-optic. The cable uses light transmitted along glass or fiber tubes, rather than the electrical
signals sent across copper-based cable. It is capable of transmitting data over longer distances
than copper and is typically used for connections that exceed the length restrictions of copper
cables in areas where electromagnetic interference would prohibit the use of copper cable.
1-15
Hubs. Hubs provide a central point of connectivity for nodes in a network and allow for more
complex and efficient LAN implementations. A switch is an advanced type of hub that allows for
intelligent delivery or switching of information to nodes on a LAN.
Termination points. Termination points or jacks describe the physical termination of a network cable
that allows a node to physically connect to the LAN. Typically, termination points exist as wall plates
with an appropriate receptacle for a short network cable that runs from the jack to the network
adapter of the node device.
Wiring cabinets. Wiring cabinets or wiring closets provide a location where a number of hubs,
switches or other LAN connectivity devices are located to provide a central point of connection for
LAN nodes located in a specific physical area such as a building or floor of a building. These locations
are typically a small room or closet.
1-16
LAN Physical Topologies
Key Points
A LANs physical topology refers to the actual layout and connection of the physical components of a
LAN. The physical topology of a LAN is determined primarily by the networks size, architecture and
required functionality.
Physical topology plays a key role in determining a LANs bandwidth capability and overall performance.
As a result, physical topology is a very important part of LAN design, especially in larger networks.
There are five main physical topology types.
Bus topology. In a LAN where physical bus topology is used, nodes are connected to each other in a
consecutive line along a segment of network media. The network media is then typically terminated
at each end with a special device or connector that acts as the boundary for that particular segment
or piece of the LAN. Bus topology technology has been largely replaced by star topology in LANs.
Advantages: A LAN using bus topology is easy to set up, and the ability to quickly add systems
makes it suitable for small LANs or temporary networks.
Disadvantages: Implementing bus topology to connect individual nodes together on a LAN is

based on out-of-date technology. If one section of the network media becomes disconnected or
breaks, the entire network ceases to function. This makes a bus topology-based LAN difficult
to troubleshoot.
Ring topology. In a physical ring topology, nodes are connected in much the same way as with a bus
topology, but rather than each end of the network media being terminated, the ends are connected
together to form a ring. Ring topology technology has been largely replaced by star topology
technology in LANs.
Advantages: Similar to bus topology, a LAN using ring topology is easy to set up, and the ability
to quickly add systems makes it suitable for small LANs.
Disadvantages: Unfortunately, the same disadvantages that a LAN using bus topology faces also
exist in a LAN based on ring topology. The LAN is based on out-of-date technology; if one
1-17
section of the network media becomes disconnected or breaks, the entire network ceases to
function. This can make a LAN based on ring topology difficult to troubleshoot.
Star topology. When using star topology, nodes are not connected to each other as they are in a bus
or ring topology, but instead they are connected to a central device such as a hub or switch. Modern
Ethernet-based LANs typically use star topology for their physical configuration.
Advantages: LANs utilizing star topology become more reliable on a node by node basis because
of the presence of the hub. With the addition of this device, nodes are dependent only on their
individual connection to the hub for access to the rest of the network. When using star topology,
the break or disconnection of a cable affects only the node using that specific cable, making the
LAN generally more reliable and easier to troubleshoot.
Disadvantages: LANs based on star topology typically require more hardware and planning to
implement, due primarily to the addition of the hub device as well the extra length of network
cable required to connect each node back to the centrally located hub. They also still contain a
single point of failure; the network hub. If this device fails the entire network ceases to function.
Hybrid topology. Different from any of the previously defined topologies, hybrid topology does not
refer to a specific physical configuration, but rather the combination of one or more different
topologies used together on the same LAN. The most common form of hybrid topology consists of a
multiple star topology-based network connected together using bus topology to form a single LAN.
LANs based on hybrid topology are very common, and become necessary when designing large or
complex LANs.
Mesh topology. In a LAN based on mesh topology, extra connections are added to provide a level of
fault tolerance to the network. In a mesh topology-based LAN, information has more than one path it
can take between at least two individual nodes. This addition of extra connections or meshing is
typically done for critical or high traffic connections within the LAN. Mesh topology features two
separate forms of meshing.
Fully meshed: In this configuration, a direct link exists between every pair of nodes on the
network. This provides the highest level of fault tolerance available, but also cost and complexity
increase exponentially as more nodes are added to the network.
Partially meshed: Partially meshed LANs are far more common than their fully-meshed
counterparts. They do not provide direct connections between every pair of nodes, but rather
introduce a number of redundant connections based on both providing fault tolerance and
maintaining a reasonable cost of implementation.
Question: What topology configuration might you recommend for a new Ethernet LAN being built to
connect computers located in several buildings together on a school campus?
1-18
LAN Logical Topologies
Key Points
A LANs logical topology refers to how the data flows between nodes on the network. Logical topology is
largely independent of a LANs physical topology, despite the shared terminology between certain types
of physical and logical topology. A LANs logical topology is largely dependent on the network standard
used to implement data flow on the network, such as Ethernet, FDDI or token ring.
Ethernet
In an Ethernet-based LAN, data is transmitted along the network media to all other connected nodes. This
mass transmittal is referred to as broadcasting. The broadcasted transmission is detected by all nodes on
the network, but only those nodes for which the transmission was intended will accept and receive the
incoming data. This type of logical topology is most commonly referred to as bus logical topology. It is
important to include and understand the use of the word logical in this term, as the term bus physical
topology is used to define a physical topology concept that is separate from the logical concept defined
here.
FDDI and Token Ring

Another logical topology called ring logical topology is implemented in both FDDI and token ring-based
LANs. In a ring logical topology, data is transmitted to each individual node in a determined, sequential
order. Once a node has received the transmission and dealt with the accompanying data, the transmission
is passed on to the next node in the topology.
1-19
Lesson 3
Wide Area Networking
Computer networks are found all across the world. Organizations that operate those networks often have
multiple offices or locations in different cities, countries or continents. The organizations often require
their networks to be connected to each other in order to meet their organizations business needs, but are
unable to connect these locations together with LAN technology due to its high cost to implement over
long distances.
WAN provides these organizations the ability to connect their networks regardless of geographic
boundaries, transcending the limitations of LAN technologies.
WANs are the basis for the global level of network connectivity that we have in todays computing
environment.
Objectives
Describe WANs.
Describe components of a WAN.
Describe WAN standards.
Describe T-Carrier and E-Carrier standards.
Describe Optical Carrier standards.
Describe Integrated Services Digital Network (ISDN).
Describe methods used to connect to the Internet using WAN components.
1-20
What Is a WAN?
Key Points
A WAN is a geographically distributed network composed of multiple LANs joined into a single large
network typically using leased or third-party services.
A WAN is used primarily to connect a group of LANs together that belong to the same organization or
have a specific requirement of interconnectivity. Historically, technology used to implement links that
connect multiple LANs together to form a WAN has been relatively slow and unreliable when compared
with LAN capabilities. However, with evolving technology, modern WAN links are capable of higher
bandwidth and can make multiple interconnected LANs appear as one large LAN to the users of the
network in terms of network speed and resource access. In this way, the lines between LANs and WANs
have become somewhat blurred.
1-21
Physical WAN Components
Key Points
A WAN may be composed of a number of different components, depending on the WAN technology
used and whether an organizations WAN has been self-constructed or consists of leased or rented
services from telecommunications companies.
Common WAN components are:
Bridge. A bridge allows for the connection of two or more network segments or LANs. A bridge
forwards network data between LANs and identifies nodes on the WAN using the nodes MAC
address. A bridge is the most basic way to connect two LAN segments together.
Router. A router performs many of the same functions as a bridge, but allows for more efficient and
complex direction of data. Unlike a bridge, a router can determine the specific LAN a node belongs to
and direct the traffic only to that LAN rather than broadcasting the information to all LANs and all
nodes within the WAN.
Leased line. A leased line refers to a WAN connection usually provided by a third party, typically a
telecommunications company. The telecommunications company uses their existing equipment to
connect one or more separate LANs together. This service can be implemented using a number of
different technologies. The actual technology used is usually transparent to the connected LANs
which will typically be connected to the leased line via a router which contains the proper routes to
the other connected LANs.
Backhaul or backbone. A backbone segment of a WAN refers to a high capacity section of the WAN
over which the bulk of WAN traffic will travel. In contrast to a leased line, many backbone segments
are built and owned by the organization operating the LANs connected by the backbone. This type of
connection allows for multiple LANs to be connected together at a high speed without having to pay
ongoing rental or leasing costs or rely on a third party for consistent WAN connectivity. Backbones
do, however, have the drawback of being relatively costly to implement.
1-22
What Are the WAN Standards?
Key Points
Most WAN networks rely on data sent through third party telecommunications providers and often make
use of the providers existing communications infrastructure to send data between LANs. In this context,
WAN connections use a number of different standards for data transmission. These standards are typically
chosen for bandwidth capability, but available technology and regional location also play a part in
determining what WAN standards are available to an organization for the implementation of their WAN.
WAN standards typically define the method used to manipulate the data along the connection, as well as
the bandwidth capability of a WAN connection and the media used.
WAN standards also use multiplexing to allow efficient use of WAN connections. Multiplexing refers to
the process of combining and sending multiple, simultaneous data transmissions over the same media.
This allows for higher bandwidth capability and shared usage of a single WAN connection.
There are four commonly used WAN standards covered in this topic:
T-Carrier standards. T-carrier standards are a group of standards implemented primarily in North
America and some parts of eastern Asia and Japan that govern digital data transmission.
E-Carrier standards. E-carrier standards are a group of standards similar to the T-Carrier standards.
The E-Carrier standards were developed in Europe and used globally with the exception of the
regions that have adopted the T-Carrier standard as mentioned above.
Optical Carrier (OC) standards. OC standards contain specifications for transmitting digital data over
fiber-optic networks.
ISDN. ISDN allows simultaneous voice and data transmission over existing public telephone network
infrastructure.
1-23
What Are the T-Carrier and E-Carrier Standards?
Key Points
T-Carrier and E-Carrier standards are a family of WAN standards used by telecommunications companies
to deliver digital communications over long distances. T-Carrier is the standard most commonly used in
North America. The
E-Carrier standard, first developed in Europe, has been adopted by most of the rest of the world.
The T-Carrier and E-Carrier standards are graded according to bandwidth capability in a T1, T2, T3 to E1,
E2, E3 etc. format. However, T1/E1 and T3/E3 are the most common and comprise the majority of TCarrier or E-Carrier-based network implementations.
T1. A T1 line has a bandwidth capability of 1.544 Mbps. T1 typically uses 2 pairs of twisted-pair
copper wire as its media.
T3. A T3 line provides a bandwidth capability of 44.736 Mbps. T3 typically uses fiber-optic cable as its
media.
E1. An E1 line has a potential bandwidth of 2.048 Mbps. Similar to T1, E1 is typically carried over
copper wire-based media.
E3. An E3 line has a potential throughput of 34.368 Mbps. Like T3, E3 typically uses fiber-optic cable
as its media.
1-24
Optical Carrier Standards
Key Points
Optical Carrier (OC-X) standards refer to a set of specifications for digital data over specifically designed
fiber-optic networks, Synchronous Optical Network (SONET) in North America and Synchronous Digital
Hierarchy (SDH) in the rest of the world. Designed for high capacity, long-distance connections, optical
carrier connections are widely used as the backbone of the Internet. OC-X connections are also used as
private connections and as a carrier for bandwidth-intensive applications, such as video conferencing.
The base bandwidth unit for an OC-X connection is 51.84Mbps. Common OC-X classifications are as
follows:
OC-1 - 51.84
OC-3 - 155.52
OC-12 - 622.08Mbps
OC-24 1244.16Mbps
OC-48 2488.32Mbps
OC-192 9953.28Mbps
OC-768 39,813.12Mbps
1-25
What Is ISDN?
Key Points
ISDN uses the preexisting public telephone network to provide digital voice and data services. In early
WANs, ISDN was a very popular method for connecting LANs together, but has since been largely
replaced by standards built on more modern technology.
Similar to E-Carrier and T-Carrier networks, an ISDN connection used individual 64 kilobits per second
(Kbps) channels to transmit data, although not using the same technology. An ISDN connection is also
dial-on-demand in nature, requiring a call to be placed on the line before a connection is made. However,
digital call placement on ISDN typically takes only one or two seconds.
ISDN has two common types:
Basic Rate Interface (BRI). BRI typically uses two 64Kbps channels and supports a bandwidth of
128Kbps.
Primary Rate Interface (PRI). PRI uses 23 64Kbps channels and supports a bandwidth of 1.536Mbps,
roughly equivalent to the bandwidth of T1 and E1 lines. PRI ISDN connections are commonly used as
backup or alternate route connections for T1 or E1 connections.
While everyday usage of ISDN is less common than it used to be, ISDN lines are still frequently used in
many parts of the world as low cost backup connections to more robust WAN links.
1-26
Connecting to the Internet with WAN Components
Key Points
While private WANs and LANs are critical pieces of an organizations computing environment, almost all
of them require connection to the rest of the world for communication outside of the organization.
Typically, this is through the public Internet.
In theory, the Internet exists as a large, global WAN. As a result, WAN-based technologies are used
extensively throughout the Internet to connect private LANs and WANs. These technologies are typically
implemented and operated by telecommunications providers who connect the end user to the Internet
using their existing infrastructure as an intermediary network. This service is typically leased or rented to
individuals or organizations to give them access to Internet connectivity.
Along with the previously discussed T-Carrier, E-Carrier and ISDN technologies, other common WANbased Internet connection technologies are:
Digital Subscriber Line (DSL). DSL uses existing telephone network infrastructure to transmit data. It
involves the simultaneous transmission of both voice and data over the same physical line by using a
separate higher frequency for data transmission and a filter on the physical line to separate the
frequencies. DSL comes in two main types, both of which use a modem for sending and receiving the
signal along the telephone infrastructure.
Symmetric DSL (SDSL). SDSL allows equal bandwidth for both sending and receiving data at the
same speed.
Asymmetric DSL (ADSL). ADSL uses different data rates for sending and receiving, with the
sending bandwidth typically considerably lower than the receiving bandwidth. As it is less
expensive to implement, ADSL is typically provided for residential use.
Cable modem. Cable modems provide a service similar to that of DSL, but use the cable TV medium
as an intermediary connection to the Internet.
3G and 4G wireless. Historically, mobile communications networks have been typically reserved for
voice communications over the wireless network. With the advent of faster, more robust networks like
3G and 4G, however, the use of these networks for digital data transmission has become more
prevalent and has become a common method used by mobile computer users to access network
connectivity when not in a LAN environment.
1-27
1-28
Lesson 4
Wireless Networking
Wireless networking has become an important part of both home and corporate networks. Wireless
networks allow nodes to operate apart from the confines of physically wired connections. The increased
mobility and freedom that a wireless network offers allow organizations to use computing resources in
ways not feasible using wired network components.
Wireless networks come in many different configurations using multiple standards and different
technology.
Familiarity with wireless networking components, terminology and standards is very important to overall
computer networking knowledge.
Objectives
Describe the components of a wireless network.
Describe wireless networking standards and protocols.
Describe 802.11x.
Describe different ways to secure wireless networks.
1-29
Wireless Networking Components
Key Points
A wireless network consists of two or more network devices connected together using some form of
wireless technology, typically using either radio-frequency or microwave transmission technology.
While completely wireless networks are common in smaller LANs found in homes or small offices, wireless
networks are typically used to expand or extend a larger, traditionally wired network in corporate settings.
This could be in a LAN environment, providing network access to mobile users in a non-wired location
such as an outdoor area or in a WAN environment to connect to locations where physical network media
like copper or fiber is impossible or not cost effective.
The following are common components and terminology found in wireless networks:
Wireless network adapter. Like its wired counterpart, a wireless network adapter connects a node to
the wireless network and is capable of both sending and receiving information on the wireless
network.
Access point. An access point provides a means of connecting to the wireless network. This can be in
the form of another wireless network adapter or, more commonly, a centralized, dedicated access
point. This dedicated access point may or may not be used to connect the wireless network to an
existing wired network or LAN.
Ad-hoc network. An ad-hoc wireless network consists only of wireless nodes connecting to each other
and has no centralized access point. Ad-hoc wireless networks are typically used for temporary, peerto-peer connections between two computers.
Infrastructure network. An infrastructure network is a wireless network that provides a centralized

access point for wireless network clients. Infrastructure networks are the most common wireless
network type used in enterprise network environments.
Service set identifier (SSID). An SSID is a string of characters that identifies and advertises a wireless
access points existence to potential clients. This string is typically configurable to any alpha-numeric
value, so it also provides a method of applying naming schemes to SSIDs if necessary.
1-30
Wireless Standards and Protocols
Key Points
Wireless standards govern the implementation and functionality of wireless networks and fall under the
IEEE 802 family of network standards.
In the majority of wireless networks, there are two common types, each with its own IEEE 802 definition.
802.11. The 802.11 working group defines standards for wireless LANs. This group of standards
generally uses radio frequency spectrum for the sending and receiving of data. 802.11 networks exist
as the most common form of wireless network and benefit from simple setup and node addition and
relatively low implementation costs.
802.16. The 802.16 working group of standards governs wireless WAN technology. The 802.16
standards are commonly referred to as Worldwide Interoperability for Microwave Access (WiMAX).
The 802.16 networks use microwave transmission for the sending and receiving of data and are
typically used for backhaul or backbone connections for a telecommunications network or high
capacity corporate WAN. Due to the line-of-sight requirement for WiMAX devices to communicate,
additional infrastructure such as towers and large antennae are required for an 802.16
implementation, which can make implementation relatively costly.
1-31
What Is 802.11?
Key Points
As previously noted, the IEEE 802.11 working group of standards defines the aspects of wireless LANs.
802.11 is one of the most recognizable IEEE standard categories, due to the widespread use of the
numeric identifier to refer to wireless LANs and devices in general. The IEEE 802.11 working group consists
of four commonly used standards
802.11a. 802.11a devices operate in the 5 gigahertz (GHz) radio frequency (RF) band. It offers a
theoretical bandwidth of 54Mbps, but suffers from a relatively short range due to the technical
limitations of radio waves at 5GHz.
Note: 802.11 bandwidth is often discussed as theoretical. This is because factors like distance from
the access point, interference from other devices and physical obstructions can affect the wireless
signal and decrease the actual bandwidth available to a client.
802.11b. 802.11b devices operate in the 2.4GHz RF band and offer a slight improvement in range
over 802.11a, especially when located in buildings or around multiple obstructions. However, the
maximum throughput of 802.11b is considerably lower than 802.11a at 11Mbps.
802.11g. 802.11g was developed to combine the data throughput capabilities of 802.11a and the
increased range and reliability of 802.11b. It operates in the 2.4GHz RF band and offers a theoretical
bandwidth of 54Mbps.
802.11n. 802.11n is the most recently developed and published standard, and improves upon 802.11g
in both bandwidth and range. 802.11n also introduces the concept of multiple-input multiple-output
(MIMO) channels to allow the combining of multiple signals into a single data stream for increased
network throughput. While the physical maximum throughput on an 802.11n network is 150Mbps,
the ability combines the signals of up to 4 physical antennae and allows for a theoretical maximum
throughput of 600Mbps. 802.11n is quickly becoming the most common form of 802.11 network
deployed.
1-32
802.11 Specification Details

Standard
Released
Frequency
Data Rate
Outdoor
Indoor range range
802.11a
Sep 1999
5GHz
54Mbps
50 feet
100 feet
802.11b
Sep 1999
2..4GHz
11Mbps
150 feet
300 feet
802.11g
Jun 2003
2.4GHz
54Mbps
150 feet
300 feet
802.11n
Oct 2009
2.4-2.5GHz
600Mbps
300 feet
600 feet
1-33
Securing Wireless Networks
Key Points
With the ease of implementation and physical availability of wireless networks, security is a major concern.
Unlike a wired network where a node needs to connect to a physical endpoint (typically inside a building),
a typical wireless network has no inherent physical security and is available for connection as long as the
node attempting connection is within range of the access point.
As the effective range of wireless networks increases, this lack of physical security becomes a greater
concern. Unauthorized access to the network and the potential loss or theft of business data is a
considerable liability in an unsecured wireless network.
There are several different security protocols developed for 802.11 networks.
Wired Equivalent Privacy (WEP). The WEP encryption standard was the original standard for wireless
LANs and provided 128-bit and 256-bit encryption of data transmitted over the network.
WEP uses a shared passcode or security key for the encryption of data. Users connecting to a WEPprotected network would be asked to enter this key upon initiating connection to the network in
order to be granted access. The overall strength of WEP security lies in the complexity of this key.
Short, simple keys that are easily guessable compromise the overall security of the protocol.
Multiple technical flaws were discovered in the WEP protocol encryption algorithm and were quickly
exposed by malicious hackers and industry watchdogs. WEP is the weakest of all wireless security
protocols and is considered to be outdated and has been largely superseded by other more secure
protocols.
WiFi Protected Access (WPA). WPA standards provide an increased level of security and stability over
WEP. It is comprised of two different versions:
WPAv1. WPAv1 was originally designed as a firmware upgrade to WEP. It allows for WEP-based
networks to be upgraded to the newer, more secure standard without the addition or
replacement of any devices. WPAv1 can utilize a variety of encryption algorithms.
1-34
WPAv2. WPAv2 offers several technical improvements over WPAv1, but retains the same basic
structure. WPAv2 is the most secure and preferred method of encryption over most wireless
networks.
Both WPAv1 and WPAv2 allow for two methods of security key configuration. They can use a single,
pre-shared key (PSK) that is used for universal access to the network in much the same way as a WEP
key. This method is referred to as WPA-PSK or WPA-Personal. The second method involves the
incorporation of a Remote Dial-In User Service (RADIUS) server to allow for individual nodes to retain
their own key. This implementation is referred to as WPA-Enterprise and eliminates the security risks
of using a single, shared key for universal network access.
In addition to the encryption methods listed above, several non-encryption methods exist that, when
combined with the use of encryption methods, further enhance wireless network security.
MAC filtering. MAC filtering allows a wireless access point to refuse connection to nodes accessing it
unless their MAC address is contained in a specific list stored on the access point. This allows for a
network administrator to enter the MAC addresses of only those nodes that should be allowed to
connect to the wireless access point.
Note: MAC filtering can be easily circumvented using a process known as MAC spoofing, whereby a
potential client provides a false MAC address with the purpose of obtaining access to the network.
Smart Cards and universal serial bus (USB) tokens. Physical devices, such as smart cards and USB
tokens also provide an additional layer of physical security to wireless networks. These methods
require the end user to have a smart card or USB token to physically attach to their computer before
access to the network is granted.
Hidden SSID. Another method for obscuring the identity of a wireless network is hiding the SSID.
Configurable at the access point, hiding the SSID prevents the SSID of the wireless network from
showing up in the list of available networks on a potential client. When a networks SSID is hidden,
clients need to know the SSID of the network and enter it manually to connect, along with satisfying
any other security requirements the network may have. A hidden SSID can add a certain level of
security to your network, but it should not be considered a security measure in itself; numerous
commonly known methods exist for locating and identifying hidden SSIDs.
1-35
Lesson 5
Connecting to the Internet
Almost every corporate LAN or WAN has a network link that connects it to the rest of the world, the
Internet.
The Internet has become the most important medium for global communications, and, as such, corporate
networks need to be connected to this global network to take advantage of what the Internet has to offer.
Objectives
Describe the Internet.
Describe and contrast intranets and extranets.
Describe a firewall.
Describe security zones.
Describe proxy and reverse proxy servers.
1-36
What Is the Internet?
Key Points
The Internet is a system of interconnected networks that spans the globe. It is used to connect billions of
users worldwide to a large variety of information, resources and services. It is comprised of both hardware
and software infrastructure that allows for the communication between any two computers connected to
the Internet.
The Internet has its roots in early WANs implemented by military and educational institutions to facilitate
communications between geographically dispersed computer systems or networks. As more nodes were
added and the network grew and began allowing for public access, the Internet gradually came into
existence. The advent of graphical content and the software that allowed for viewing this content began
the popularization of the Internet as a medium for public information exchange.
The physical structure of the Internet is somewhat ambiguous and constantly changing, but at its core, the
Internet bears many similarities to a vast, global WAN. While Internet communication appears
straightforward to the end user, the path that data takes between two communicating nodes can travel
over hundreds of different physical connections and be relayed through numerous intermediary network
nodes before reaching its destination. The Internet uses Internet Protocol (IP) as the basis for
communication between nodes.
Individual nodes or networks are typically connected to the Internet using the methods mentioned in the
last topic of the previous lesson. These methods typically involve connectivity through a
telecommunications provider. Global telecommunication providers provide the bulk of the physical
network infrastructure on which the Internet operates.
The Internet by nature is an open and generally non-secure system. When corporate LANs and WANs
connect to and through the Internet, specific devices, methods and concepts are applied to ensure the
integrity and private nature of the corporate LAN or WAN architecture.
1-37
Intranets and Extranets
Key Points
Intranet
An intranet refers to a private computer network that uses the IP suite of technologies to securely share
information within the network.
An intranet shares many communication methods with the public Internet and, as such, an intranet
environment functions very much like a small, encapsulated version of the Internet.
Intranets are commonly used to provide privatized versions of Internet communication methods, such as
Web sites, e-mail, or file transfer. They facilitate the same type of easy information sharing like the
Internet, but allow an organization to confine its scope to avoid the loss or theft of corporate data.
In general, a LAN refers to the physical structure that provides network connectivity where the term
intranet refers primarily to a group of services provided on that LAN.
Extranet
In its typical form, an extranet is a piece of a companys intranet that has been exposed to a larger
network, usually the Internet. This is usually done to share specific corporate information with partners or
customers and requires an extra level of security and network design to ensure that private information
within the intranet is separated from the information on the extranet and not inadvertently exposed to
the public. The information on the extranet itself is usually not left completely exposed to the public
Internet either, but protected with a security device such as data encryption or authentication
mechanisms like usernames and passwords.
1-38
What Is a Firewall?
Key Points
A firewall is the key component used in segmenting networks to protect a private network from security
risks inherent to connecting to an untrusted network. A firewall is a system or device used as a single
point of connection between separate networks. It interprets network communication and allows safe or
desirable network traffic to pass through while restricting or denying unsafe or undesirable traffic.
In a network environment, a firewall typically exists as a separate device or computer on the network that
is designated exclusively to perform the functions of a firewall. For example, a firewall may determine the
source address of a piece of data and deny or allow the data to enter the network.
The term firewall is also used to refer to a piece of software installed on a node computer that performs
traffic filtering similar to that of a dedicated firewall device. When the term is used in this lesson, it is used
to refer exclusively to the dedicated network firewall defined above, and not the node-based software
type.
Different types of firewalls allow for varying levels of network data inspection.
1-39
What Is a Perimeter Network?
Key Points
The purpose of the perimeter network is to act as a security buffer between the untrusted and private
networks for resources that must be shared by those who are not part of the internal network. A
perimeter network commonly contains any nodes that share information with the public Internet. This
may include items like e-mail servers, Web servers or proxy servers.
Perimeter networks are generally implemented using firewalls. A firewall is placed at the connection of the
perimeter network to the untrusted network and another firewall typically separates the perimeter
network from the private network. This configuration separates the participating networks into three
zones: the private network, the perimeter network and the untrusted network.
The main function of a perimeter network is security. A perimeter network is neither entirely a public part
of the Internet, an untrusted network nor entirely a private part of the organizations network. The
purpose of the perimeter network is to act as a security buffer between the untrusted and private
networks.
1-40
Proxy and Reverse Proxy Servers
Key Points
A proxy server is a variant of a firewall that is used primarily to process client requests for data that exists
outside of the network. Proxy servers are most commonly used to provide and control access to the World
Wide Web to ensure that the information being requested is safe and pertinent.
Proxy servers are also used to temporarily store or cache data, again, most commonly from the World
Wide Web. This allows the proxy server to redirect clients that request data from servers outside of the
local network to a locally stored copy for faster and more secure access.
Proxy servers are most commonly used in conjunction with a firewall. In this configuration, a firewall will
allow a specific type of traffic only if the traffic is originating from, or intended for, the proxy server. In this
way, clients wanting to send or receive that specific type of traffic must do so through the proxy server, or
their transmissions will be blocked or denied at the firewall.
Conversely, a reverse proxy server takes some or all data incoming to a network and distributes it to the
appropriate nodes on the network. Reverse proxy servers are commonly used for load balancing, which
allows the reverse proxy server to take large amounts of incoming data and distribute it among similarly
configured nodes, all capable of processing the data. Reverse proxy severs can also provide data security
filtering and caching in the same manner as a proxy server.
Lesson 6
Remote Access
Direct connections to private networks provide the fastest, most secure method for an organization to
share data and resources.
However, organizations are increasingly finding it necessary for their employees to have access to their
private network in situations where a direct physical connection is not possible.
Objectives:
Describe the considerations for branch offices.
Describe remote access.
Describe encryption and authentication.
Select a suitable Virtual Private Network (VPN) protocol.
Explain RADIUS.
1-41
1-42
What Is a Branch Office?
Key Points
In its basic form, a branch office refers to a location where an organization does business or hosts
employees outside of its central location of operations. It could be as large as or larger than the central
location itself, or as small as a single employee working from a home office.
Branch offices are typically located outside of the physical range of an organizations central LAN, in
another section of a large city or in another city, country or continent. These branch offices often require
the ability to provide some or all of the services provided by the central location, and almost always
require access to the same data and resources to operate efficiently.
An organization like a bank may require each of its branches to have access to financial information
stored in servers at the central office, or a real estate agency may have brokers that work from home
offices that require access to updated property and client information.
1-43
What Is Remote Access?
Key Points
While the majority of functionality on a typical corporate network happens within the LAN, organizations
are increasingly looking for ways to allow their employees access to their information while not directly
connected to the private network. In other situations, an organization may be unable to directly connect
one or more remote locations to the private network and require a different, more indirect approach. In
these situations, remote access is required.
Remote access methods typically use an intermediary and possibly untrusted connection method, such as
the Internet to indirectly gain access to a central private network.
Remote access may be required in any of the following situations:
Geographically dispersed branch offices.
An employee working from home.
Customers or partners requiring access to information hosted on the organizations private network.
Question: What other scenarios can you think of that would require remote access?
1-44
Encryption and Authentication
Key Points
When an intermediary or untrusted connection is used to gain access to a private network, the security of
the data traveling between the remote location and the private network as well as the security of the
private network itself becomes a serious concern.
To combat this concern and provide a safe means of transmitting private data and preventing
unauthorized access to the private network, encryption and authentication are used when implementing
remote access connections.
Encryption refers to the intentional scrambling or encrypting of data to prevent a third party from
reading the data should it be intercepted between its sender and its intended destination. When data
encryption is used for transmitting data on a network, its sender uses a specific algorithm to encrypt the
data and send it on the network. The intended receiver, aware of this encryption, uses the same algorithm
to unscramble, or decrypt the data.
Typically, encryption is combined with a method used to prove that the nodes involved are indeed the
nodes for which the communication is intended. In other words, the identities of these nodes are verified.
This method of verification is referred to as authentication. Authentication is typically implemented as a
password or combination of user identification and a password, but can also include physical methods
such as digital certificates, smart cards or USB tokens.
1-45
Virtual Private Networks
Key Points
At one point, direct dialup access was the most popular method of providing remote access to a private
network. With the advent of widely available high speed internet access, dialup access has been largely
replaced by VPN connections.
When encryption and authentication are implemented to protect information traveling across a remote
access connection, a VPN is created.
Fundamentally, a VPN exists when a secure connection has established between a node and a private
network using an intermediary and typically untrusted network. This connection is commonly referred to
as a tunnel, which describes the secure connections separation from the intermediary network due to the
encryption used for the data.
Technically, VPNs are implemented using a variety of methods that govern communication mechanisms,
encryption and authentication, but whose technical definition is outside the scope of this topic. Several of
the most common VPN protocols are listed below.
Point-to-Point Tunneling Protocol (PPTP)
Layer Two Tunneling Protocol (L2TP)
Secure Socket Tunneling Protocol (SSTP)
Internet Protocol Security (IPsec)
DirectAccess
DirectAccess is a new feature available when using a Windows 7 operating system computer to connect
to a Windows Server 2008 R2 operating system-based network. DirectAccess gives users the experience of
being connected to their corporate network any time they have Internet access.
When DirectAccess is enabled, requests for corporate resources (such as e-mail servers, shared folders, or
intranet Web sites) are securely directed to the corporate network, without requiring users to use a third
1-46
party VPN solution. This allows for the same user experience regardless of whether the computer is
connected to the corporate network or not. The DirectAccess client is connected to the corporate network
before the user even logs on, making the login and authentication process identical to the process used
when connected directly to the corporate network.
DirectAccess uses Internet Protocol version (IPV6) for communication between clients and servers.
However, connection from and through non-IPV6 networks can be coordinated automatically using a
number of different IPV6 translation technologies which are configured at the DirectAccess server.
The following points provide key information regarding DirectAccess when enabled in a Windows Server
2008 R2 environment:
Windows 7 or Windows Server 2008 R2 is the required operating system on the DirectAccess client
computer.
Windows Server 2008 R2 is the required operating system for the DirectAccess server in the corporate
network.
The DirectAccess server must be a member of the Active Directory domain, but not a domain
controller.
1-47
RADIUS
Key Points
RADIUS is a networking protocol that provides for centralized management of authentication,
authorization and accounting or tracking for nodes that connect to and utilize remote access. RADIUS is a
very common protocol available for use in most network environments and is used to perform the
following functions with regard to remote access:
Authenticate nodes before allowing them to access the network
Authorize access for nodes specific to network services or resources
Account for and track the usage of those services and resources
A server implementing RADIUS allows an organization to simplify and better manage remote access to
their network, especially when multiple remote access points exist in the environment.
1-48
Exercise: Determining Appropriate Network Components

Lab Scenario
Contoso, Ltd. has recently decided to decentralize its marketing department, currently located in New
York. In addition to the New York location, a new marketing office is being built in Seattle to house the
media design staff.
You are responsible for choosing the LAN design and general components for the new office and
ensuring that the two offices are connected in a way that allows staff in the Seattle office to access the
information they need from the New York office.
You have received e-mails from the Seattle office manager outlining the duties assigned to the new office
as well as a list of employees that will be using the Seattle office and their primary job functions.
The main tasks for this exercise are as follows:
1.
2.
Read the supporting documentation.

Update the proposal document with your planned course of action.
Task 1: Read the supporting documentation
Read the supporting documentation. The following emails were sent to you by the Seattle office
manager.
E-mail #1
From:
Subject:
Susan Walker
Seattle office building
Hi,
We have been working with the new building contractors and they have come up with a basic design.
1-49
No drawings have been drafted yet, so I will try to explain what they have in mind. The space will
basically be split into two parts. We will have six offices in one part of the office for our design team
members, typical office stuff. The other half will be a large, open conference room built for partner
consultation. Basically, it will be a place where our consultants meet with our partners to show them
progress on projects, samples of media and things like that. Its going to be pretty casual, with most of
the furniture being couches and coffee tables.
I hope that gives you a good enough idea for your side of things.
Thanks,
Susan
E-mail #2
From:
Subject:
Susan Walker
Seattle staff
Hi again,
Here are the details on our Seattle staff and what each of their roles entails.
We will have three video editors that will be in three of the six offices, Frank, Lisa and Peter. The bulk of
their day is spent editing video for various projects. They work as a collaborative team, so they are
constantly sending material (videos) back and forth to each other. Frank asked me to tell you that the
videos can be really big. They have issues with the videos taking a long time to copy to and from the
server in New York. Im not sure if there is something you can do to improve that in Seattle.
There are four creative consultants. Nick and Brenda will be in the office and John and Martha will be
working from home offices. Their primary role is to meet with our partners to determine overall needs.
Then they come up with the basic design concept and forward it to the video editors who begin the
video design process. Throughout the process, the creative consultants provide samples of the work
being done and get feedback from the customers. This will be done using the conference room for local
partners and Im hoping you can come up with something that will allow our out-of-town partners to
view and comment on the development process remotely? Our internal staff will need to be able to
view and update the material, and our home users and partners will need to be able to view and update
it from their locations. This is sensitive information, so it needs to have some type of password or
security around it so not just anybody can see it. They have also asked if there would be a way for both
the in-office consultants and the two coming from home to have access to the material located on the
server to show clients on their laptops when they meet in the conference room.
We also need to be able to share files with New York as well. My primary role is to manage the staff
here and provide general updates and material samples to New York as well. This typically doesnt
involve a lot of files or very big files, but it does need to be secure, and our partner agreement doesnt
allow us to use e-mail to send the files, so they will have to be hosted on some sort of server, I guess. I
am not very technical, sorry.
Hopefully thats what youre looking for. Thanks for your time.
Susan
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: Component Needs
Assessment.
Branch Office Network Infrastructure Plan: Component Needs Assessment
Document Author:
Date:
Requirements Overview
You
22nd March
1-50
Recommend basic infrastructure components for the implementation of the network in the new Seattle
location.
Recommend infrastructure to connect the Seattle location to the New York location.
Recommend infrastructure to allow home office users and partners access to the resources they need
from the Seattle location.
Proposals
1.
2.
3.
4.
What Ethernet infrastructure should be used for the staff offices portion of the Seattle location?
What infrastructure should be used to connect the conference room portion of the Seattle location?
What components and technology would you use to connect the New York and Seattle branches?
What is the best architecture to allow both partners and home office users to access their
information using only one method of access?
Results: After this exercise, you should have identified the infrastructure and components required to
implement a network in a new location.
1-51
Module Review and Takeaways
Review Questions
1.
2.
Why are firewalls so critical when designing and deploying networks?

What makes a wireless network more vulnerable to unauthorized access than a wired network?
1-52
Connecting Network Components
Module 2
Contents:
Lesson 1: Understanding the OSI Model
2-3
Lesson 2: Understanding Adapters, Hubs, and Switches
2-11
Lesson 3: Understanding Routing
2-19
Lesson 4: Understanding Media Types
2-26
2-34
2-1
2-2
Module Overview
Networks consist of a variety of components; these components fall into various categories based on their
operational characteristics. For example, those components that deal with electrical signaling are referred
to as low-level network components. Conversely, those components that handle user requests, for
example applications, are referred to as high-level components.
This module explores the functionality of low-level networking components, including switches and
routers. In addition, the module provides guidance on how best to connect these and other components
together to provide additional network functionality.
Objectives
Describe the industry standard protocol model.
Describe adapters, hubs, and switches.
Describe routing technologies and protocols.
Describe wiring methodologies and standards.
2-3
Lesson 1
Understanding the OSI Model
Over the years, many networking protocol stacks have been developed by different vendors to support
their own networking products. In order to bring some structure and standardization to this independent
evolution of network protocol stacks, the International Organization for Standards (ISO) developed the
Open Systems Interconnection (OSI) reference model.
Objectives
Describe the OSI model.
Describe lower layer protocols and devices within the model.
Describe network protocols within the model.
Describe the upper layers in the model.
2-4
The OSI Model
Key Points
The OSI model defines the generic tasks that are performed for network communication. You can think of
each layer of the OSI model as a piece of software or hardware that performs specific tasks for that layer.
Each layer communicates with the layer below and the layer above. Application data that is transmitted
over the network must pass through all of the following seven layers.
Layer
Description
Application
Represents application programming interfaces (APIs) that developers can use to

perform network functions when building applications.
Presentation
Translates the data generated by the application layer from its own syntax into
common transport syntax suitable for transmission over a network.
Session
Enables and controls a communication session between two applications.
Transport
Ensures that packets are delivered in the order in which they are sent and without loss
or duplication.
Network
Determines the physical path over which data is transmitted based on network
conditions, the priority of services, and other factors. This is the only layer of the OSI
model that uses logical networking and can move packets between different networks.
Data-link
Provides error-free transfer of data frames from one computer to another over the
physical layer. The media access control (MAC) address of a network card exists at this
layer and is added to the packet to create a frame. Data is passed from the data-link
layer to the physical layer as a stream of 1s and 0s.
Physical
Defines the physical mechanisms for placing a raw stream of data bits on the network
cabling.
2-5
Why Use the OSI Model?

The OSI model is used as a common reference point when comparing the function of different protocols
and types of network hardware. The OSI model is important for comparing different products and
understanding the functions that a device is performing.
For example:
A router is a layer 3 device. Based on this you know that a router understands logical networks and
can move packets from one network to another.
Hypertext Transfer Protocol (HTTP) is a layer 5-7 protocol. Based on this you know that applications
use HTTP to communicate over the network.
Ethernet is a standard for layers 1-2. Based on this you know that Ethernet defines physical
characteristics for media (network cabling), how signals are transmitted over that media, and when
devices are allowed to communicate on the media.
2-6
The Lower Layers of the OSI Model
Key Points
The lower layers of the OSI model are responsible for encapsulating requests from the upper layers into a
meaningful structure to be merged onto the media; the way in which this is done varies from one network
architecture to another.
The data-link layer is responsible for:
Transferring data between devices.
Managing the MAC addressing scheme.
Encapsulating requests from the middle layers into data-link frames and passing these to the physical
layer for merging onto the media.
Passing protocol-specific data up the stack.
Error checking.
The physical layer is responsible for:
Establishing, maintaining, and terminating connections to the media.
Participating in the process of managing media access among multiple hosts.
Converting the data-link frames into a meaningful signal for merging onto the media.
Interpreting and converting signals on the media into data-link frames.
2-7
The Middle Layers of the OSI Model
Key Points
In the middle of the OSI model sits the transport and network layers. These layers are often referred to as
the network protocol layer.
The transport layer is responsible for:
Transferring data between applications on different hosts.
Providing reliable end-to-end transfer of data between these applications.
Encapsulating application requests in datagrams and passing these to the network layer.
Passing incoming datagrams to the appropriate session layer protocol.
The network layer is responsible for:
Implementing a logical addressing scheme to identify hosts on an Internet.
Routing packets to the appropriate logical address as identified by the upper layers.
Encapsulating transport layer datagrams into network packets and passing them to the data-link
layer.
Passing incoming packets up the protocol stack to the appropriate transport layer protocol.
In the early days of networking, different vendors produced their own, proprietary networking protocols.
These included:
Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX). This Novell protocol was used to
provide transport and network layer services for the Novell NetWare operating system. Although
proprietary, the protocol stack was widely implemented in other networking operating systems,
including Microsoft Windows Server operating systems. SPX is a transport layer protocol, while
IPX provides network layer support.
2-8
AppleTalk. Another proprietary protocol providing transport and network layer functions. The Apple
Corp. implemented this protocol to support their Apple Mac computer systems. Microsoft
Corporation provided some support for this protocol in their Windows platform.
TCP/IP. Initially developed as a suite of protocols to support applications running on the UNIX
platform. During the 1990s, this protocol began to gain acceptance by network product vendors,
including Microsoft, Novell, and Apple. TCP/IP provides a four-layer architecture that offers support
for all layers of the OSI reference model. TCP/IP implements two transport layer protocols: TCP and
User Datagram Protocol (UDP). At the network layer, IP is implemented.
Networking services sit on top of the protocol stack, and pass instructions down the stack to the media. It
is the job of the network protocol stack to interpret service requests and encapsulate them in a form
accessible by lower-level protocols.
2-9
The Upper Layers of the OSI Model
Key Points
The upper layers of the OSI model consist of the Application layer, the Presentation layer, and the Session
layer. These upper layers are occupied by network applications, or services.
The application layer is responsible for interacting with network-aware software components. Functions
typically include:
Identifying network hosts with which applications wish to communicate.
Determining available resources.
Synchronizing communication between network hosts.
The presentation layer provides independence from differences in the way in which network data is
presented; this enables applications, which use different syntax, to communicate. The presentation layer:
Formatting and encrypting data for transmission on a network.
Providing compatibility between applications using different syntax.
The session layer is responsible for:
Establishing, maintaining, and terminating connections, known as sessions, between local and remote
applications.
Selecting the appropriate transport layer protocol for communications with remote applications.
Different network operating systems implement different network services, but they provide similar
functionality:
Authentication
File and print services
E-mail
2-10
Client-server applications, such as a database
2-11
Lesson 2
Understanding Adapters, Hubs, and Switches
Operating at the lower levels of the network architecture, switches and hubs are responsible for
connecting physical devices together. The choices that you make regarding the deployment and
configuration of these components can have far-reaching effects on the behavior of interconnected
devices and overall network functionality and performance. It is therefore important that you are able to
differentiate between devices such as hubs and switches and be able to select a hub or switch based on its
functionality.
Objectives
Describe a network adapter.
Describe transmission speed.
Describe hubs.
Describe switches.
Describe layer 2 and layer 3 switches.
Describe the capabilities of a virtual local area network (VLAN).
2-12
What Is a Network Adapter?
Key Points
A network adapter is the lowest level component that you install in your computer. It is responsible for
converting instructions from higher level components, specifically the network protocol stack, into
electrical signals and merging these signals onto the network media.
The network adapter is also responsible for converting electrical signals received on the wire into
meaningful instructions that it then passes up to the network protocol stack.
Note: The network media might be physical wiring or a wireless network. For convenience, the term
wire will be used except where an explicit differentiation is required.
Frames and Addressing

The network adapter encapsulates the instructions it receives from the protocol stack into a logical
sequence known as a frame.
Frames contain addressing information to ensure that the protocol stack message reaches the correct
target network adapter on the local network. Each network adapter has a unique address known as a
MAC address. This 48-bit address is placed by the network adapter into the source MAC address field in
the network frame.
Note: The authority responsible for allocating a unique address is the Institute of Electrical and
Electronics Engineers (IEEE). Specifically, a standard known as IEEE 802 deals with MAC addressing. A
MAC address is usually expressed in hexadecimal; for example, 00-22-15-7B-2D-F0 is an Ethernet MAC
address.
To determine the MAC address of the destination network adapter, the local network adapter typically
broadcasts a request for the required MAC address.
2-13
Note: Aside from these unique MAC addresses, the addressing fields in a frame can also contain
specially formatted addresses; these include broadcasts and multicasts. These special addresses and the
types of communications that require them are discussed later in the course.
In addition to the destination and source MAC addresses, a frame contains various other fields including a
data field; this data field contains the protocol stack message. The last field in a typical frame is the frame
check sequence (FCS); this field is used to calculate a checksum value to determine the integrity of the
frame. Frames that are damaged in transit are dropped by the network adapter.
Installing a Network Adapter

Historically, those responsible for installing network adapters into computers had to fit the separate
network adapter into an available slot in the computers internal expansion. These days, it is more usual to
find network adapters as integrated components on the computers motherboard. Once the network
adapter is installed, you must connect it to the network. Typically, network adapters have a single
connector for this purpose.
Note: The connector is a Registered Jack 45 (RJ-45) connector.
Once you have connected the network adapter to the network cabling, depending upon your
requirements, you must attach the other end of the wire to a network hub or switch.
2-14
Transmission Speeds
Key Points
The services supported by your network and the volume of data that it supports are determined by
several factors, including transmission speeds of the network components you install.
Note: The term bandwidth is often used to describe the transmission speed of a network.
Early networks operated at low bandwidths by todays standards. For example, early implementations of
Ethernet operated at three million bits per second or 3 megabits per second (3 Mbps). Modern network
technologies are capable of transmitting much faster than this; typical Ethernet operates at a bandwidth
of between one gigabit per second (Gbps) and 10 Gbps.
It is important to remember that although the bandwidth of your network might be 1 Gbps, the actual
throughput (or the volume of data in bits) may be considerably less. One reason for this is because
popular network technologies such as Ethernet operate on a contention basis. In other words, the nodes
or hosts on the network compete for bandwidth. This contention process leads to loss of throughput.
2-15
What Is a Hub?
Key Points
Some early networks used wiring systems in which each node was connected to the others directly in a
ring. Other networks implemented a single cable that was routed to each node in sequence creating a
chain of networked computers. There are a number of problems with both of these cabling methods.
Firstly, if the cable was damaged, network integrity was lost and communication was disrupted; secondly,
because cabling was often laid with a view to limiting cable lengths, or finding a convenient path to the
next node, it was not always easy to locate the faulty cable. As networks became more popular,
administrators sought to solve these problems.
Later on, network devices that enabled star wiring of networks nodes were adopted. These devices were
known as hubs and enabled each network node to be connected back to a central point. This addressed
the problem of unstructured wiring and also of network failure resulting from a break in the cable. A cable
fault resulted in a single node being isolated.
Some early hubs supported different types of cabling connectors, referred to as ports, to enable
connection of twisted-pair cabling, coaxial cabling, and other media. Even todays simple consumer hubs
support wired, wireless, and asymmetric digital subscriber line (ADSL) ports.
It is possible to use hubs to extend your network. Depending on the network topology being used, you
can connect a chain of hubs together potentially over quite long distances.
Note: Ethernet has a number of rules that define how you can extend the network. As defined in the
5-4-3 rule, you can connect five segments using four repeaters so long as only three of the segments
have active nodes. Given that in early, coaxial implementations of Ethernet, the maximum segment
length with thick coaxial was 500 meters, the maximum end-to-end length of an Ethernet network is
defined as 2.5 kilometers; this does not take account of bridging or routing as a means to extend the
network.
2-16
Characteristics of a Switch
Key Points
In contention-based networks, like Ethernet, all connected nodes share the media and its available
bandwidth. Consequently, if there are ten nodes on a network with a 10 Mbps bandwidth, it can be said
that each node has an available bandwidth of a tenth of the total bandwidth, or 1 Mbps. If you add nodes
to the network, the share each has of the total decreases in inverse proportion to the number of
connected nodes. Thus, when there are twenty nodes each has a twentieth of the bandwidth. A significant
problem of contention networks with many connected nodes is that throughput degrades. The simple
solution is to reduce the number of nodes in each segment; you can do this by implementing MAC-level
bridging.
A switch is like a hub; it acts as a wiring concentrator to which all network devices are connected. It
performs the same isolation when a cable failure occurs while maintaining the integrity of the network.
However, there are some fundamental differences.
Characteristics of a Switch
Layer 2 Switches
The significant difference between a hub and switch is that the switch is able to perform MAC-level
bridging between ports. In other words, each node has exclusive use of the bandwidth of the segment for
the duration of its transmission. The switch acts as a multiport MAC-level bridge, switching traffic between
the ports as required.
You can configure each host to have a single port, or you can connect a hub to a switch port. When
connecting a hub to a switch port, the nodes on the hub all share the bandwidth configured for the port
on the switch to which the hub is connected. In this way, you can determine how much bandwidth is
available to each port and nodes connected to the ports. Switches that exclusively provide function are
sometimes differentiated by being referred to as layer 2 switches.
2-17
Layer 3 Switches
Some switches can provide protocol-specific routing functions at the protocol stack layer. For example,
you can configure the switch to provide routing for IP packets, but to perform MAC-level bridging for
non-IP-based frames. Switches that provide this routing functionality are referred to as Layer 3 switches.
Note: Network protocols, like IP, encapsulate instructions received from higher level protocols, such as
TCP, into a structure known as a packet.
Layer 3 switches route packets. The switch examines the packet and makes a routing decision based on
the destination packet address. Layer 3 switches also perform additional routing functions. For example,
layer 3 switches can check packet integrity, respond to Simple Network Management Protocol (SNMP)
management systems, and observe and decrement packet time-to-live (TTL) values.
In some ways, a layer 3 switch can provide a number of improvements over more traditional routers. For
example, layer 3 switches:
Divide networks into logical subnets by using the layer 2 configuration rather than at the port level,
like a traditional router; this provides a more flexible configuration.
Are generally less expensive than traditional routers.
Provide faster forwarding performance than traditional routers.
Bear in mind that layer 3 switches do not provide support for WANs.
Layer 4 Switches
Some more advanced switches are equipped with a firewall service module that enables the switch to
make forwarding decisions based on the type of data in the segment. These types of advanced
functionality switches are often referred to as layer 4 switches.
Note: Transport protocols, like TCP, encapsulate instructions received from applications into a
structure known as a segment.
Switches with a firewall service module examine the content of segments received and determine whether
and how to route the segment based on the specific TCP port being used.
Note: TCP ports are examined in a later module of this course.
In addition to port switching, layer 4 switches (and some layer 3 switches) are able to make switching
decisions based upon the priority of network traffic. In this mode, lower priority traffic is buffered at the
switch while higher priority traffic is handled.
Note: Quality of service (QoS) values are a way of indicating the priority of traffic and some network
transport protocols implement QoS to support application prioritization needs. The switch is capable
of reading and interpreting these QoS values.
2-18
What Is a VLAN?
Key Points
A local area network (LAN) is often referred to as a broadcast domain. This means that nodes connected
to the LAN can use a broadcast, when necessary, to communicate with one another. Generally, routers do
not propagate broadcasts, and so another definition of a LAN is a collection of nodes bounded by routers.
Note: A broadcast is a specially addressed network frame that is processed by all nodes connected to a
LAN segment. Bridges, and MAC-level switches, pass broadcasts. Routers typically do not. The
destination MAC address of a broadcast frame is: FF-FF-FF-FF-FF-FF.
A VLAN is a virtual implementation of a LAN, defined within the switch or, between switches. You can
configure the switch, or switches, in such a way that traffic handled between certain ports on the switch is
treated as though it were traffic on a single LAN. Traffic from other ports outside this VLAN is typically
routed.
The advantage of implementing VLANs is that you can:
Exert a fine degree of control over how traffic moves through your network.
Control network bandwidth by configuring nodes that frequently communicate with one another
onto the same VLAN.
Easily reconfigure your VLAN to encompass more or fewer nodes. You might need to rewire your
network to achieve the same ends with a LAN.
Isolate network traffic to a specific VLAN; for example, to isolate computers that do not meet
organizational security requirements.
2-19
Lesson 3
Understanding Routing
It is important to understand how routers make routing decisions so that you can plan their deployment
and configuration to support the desired functionality of your network. Different routing protocols are
suited to different network environments. A good understanding of these different protocols will enable
you to manage your LAN and wide area network (WAN) more efficiently.
Objectives
Describe routers.
Describe a routing table.
Understand routing protocols.
Select a suitable routing configuration.
2-20
What Is a Router?
Key Points
Historically, routers were implemented in networks in order to extend the LAN into a WAN. One router
interface would be connected to the LAN, and another to a telephony circuit of some type. At the
destination, a similarly configured router was deployed. Packets could flow between the networks as
required.
As the cost of routers decreased, network administrators began to implement routers within a single
geographic location in order to manage traffic. Routers forward packets based on the destination network
identification (ID) rather than on the MAC address of a host. Routers operate at the network layer and
handle transport protocol instructions encapsulated in packets.
Network nodes determine that a destination host is on another LAN (or VLAN) when they initiate
communications. Elements of the network transport protocol make this determination by comparing the
source and destination network addresses in the packet. When a node is determined to be in a different
network, the node attempts to route the packet to that network. Usually this means that the packet is
forwarded to a router on the local network. This behavior is a significant departure from the way
communications occur with layer 2 switches or bridges; the nodes explicitly address the frame to the
router that will handle the routing process of the encapsulated packet.
In order to perform routing, the router must know what other networks exist and how to reach them.
Routers maintain this information in routing tables. Routing tables are either static or dynamic. Static
routing tables are maintained by a network administrator who must add the required routes manually to
the table. Dynamic routing tables are maintained by the propagation of routing information between
routers themselves using specialist routing protocols.
2-21
How a Router Determines a Destination
Key Points
A router determines the destination network for a packet by examining the destination network address
and comparing it to entries in its routing table. If the destination network is found in the routing table,
and there is a single route to that network, the router forwards the packet to the next router in turn.
When multiple routes to the destination network exist, the router must make a selection as to the best
route.
To determine the best path to a remote network, routers use routing algorithms. Most algorithms support
multiple paths between networks. Multiple paths are beneficial because they enable redundancy in your
routing architecture. Some routing algorithms use a hierarchical structure and implement routing
backbones. Hierarchical routing structure helps ensure you use the routing infrastructure efficiently by
bypassing slower, localized networks in favor of the backbone.
Some algorithms implement distance vectors in which routing tables are periodically propagated to all
neighboring routers. Others use link-state propagation, in which smaller, more frequent updates are
propagated.
Route Selection
The router attempts to choose which route to use based on factors such as the route with the most
reliable link, the route with the least cost, or perhaps the route with the lowest current network load; these
criteria are known as metrics. Commonly implemented metrics include:
Bandwidth
Path cost
Reliability
Shortest path length
Network load over path
2-22
Likely end-to-end delay time
Hop count
Note: A hop occurs when a packet transits a router.
Restrictions, such as maximum transmission packet size
Communications cost of the route
When the router has selected a route, it forwards the packet to the next router in turn.
Note: Each packet on an IP network has a field called the TTL counter. Every time the packet transits
through a network device, such as a router, the TTL counter is decremented by at least one. When the
TTL reaches zero, the router then holding the packet drops it; this ensures that packets do not loop
around the network.
Routing Example
For example, in the following scenario, a packet is routed across three networks: network A, network B,
and network C. Two routers connect these networks, each configured with a routing table. A host in
network A communicates with a host in network C. The following are steps describing how network A
communicates with network C:
1.
2.
3.
4.
5.
6.
The originating host creates a packet addressed to C:12. The host determines that network C is not
the local network.
It has no knowledge of network C and forwards the packet to an adjacent router.
The router receives the packet and examines the destination address. It compares the destination
network address and determines that it has an appropriate entry for the destination network in its
routing table.
In this instance, it forwards packets for network C to interface B.254.
The second router receives the packet and examines the destination address. It compares the
destination network address and determines that it has an appropriate entry for the destination
network in its routing table. In fact, the router is locally connected to the network destination
network.
The second router forwards the packet to the appropriate host.
Static versus Dynamic Routing

In small networks, it is possible to maintain routing table entries manually. However, for larger networks
with many routers, this is less feasible. You can configure routing tables for routers dynamically by
installing a routing protocol.
Note: Hosts, including routers, can be configured with a default gateway property in IP networks. When
a host, or router, does not have a specific route to a target network, it forwards the packet to its
configured default gateway. This is the usual configuration for network nodes. However, for small
networks comprising no more than two routers in sequence, you can avoid the need for maintaining a
routing table at all. Instead, configure each router to use the other routers local interface as its default
gateway.
The main advantage of using dynamic routing, aside from the benefit of not having to manually configure
your routers, is that dynamic routing supports changes in the routing infrastructure. If you add or remove
a network, you do not need to update all of your routing tables; the routing protocols that you
implement make these changes automatically.
2-23
2-24
Common Routing Protocols
Key Points
By implementing a routing protocol on your routers, you enable your routers to learn about the state of
networks, and the routes to those networks. Additionally, this learned information can be propagated
onwards to other routers in your organization.
The way in which route propagation occurs varies between routing protocols. Some route propagation
methods are better suited to large internetworks, while others are more appropriate for small networks.
Routing protocols fall into one of two categories. The first is interior routing protocol, used for
propagating routing information within an enterprise network. The second is exterior routing protocol,
used for propagating routing information between enterprises; for example, on the Internet.
The following information summarizes the common routing protocols:
Routing Information Protocol (RIP). A popular Interior Gateway Protocol (IGP). RIP uses a distance
vector algorithm to identify remote networks. It supports relatively small internetworks as destinations
with a hop count greater than sixteen considered unreachable.
Open Shortest Path First (OSPF). A popular link-state IGP routing protocol. OSPF uses a link-state
mechanism to propagate routing information. Link-state protocols maintain data regarding the
network segments to which they are connected and the current state of these networks.
Consequently, OSPF protocols are suitable for larger internal networks than RIP.
Border Gateway Protocol (BGP). This exterior gateway protocol (EGP) was specifically designed to
enable interconnection of many enterprises on the Internet.
2-25
Discussion: Selecting a Suitable Routing Protocol
Key Points
Consider the following questions, and then discuss your answers with the class.
Question: A subsidiary of Fabrikam, Inc. has a medium-sized network consisting of around 500 nodes.
These nodes are distributed across several floors in their headquarters building. Additionally, there are
about a dozen branch offices each with around ten nodes. Routers have been deployed within the
network to interconnect the networks. Would you recommend static or dynamic routing?
Question: Is the use of a routing protocol indicated? If so, which one would you recommend?
Question: Tailspin Toys has a small network consisting of around 100 nodes. Recently, network
throughput has been affected by network traffic. You decide to install routers to help manage the
network traffic. Initially, there will be three networks connected by two routers. Would you recommend
static or dynamic routing?
Question: How else could you configure these routers?
Question: Tailspin Toys implements an Internet connection by using a router. How does this change the
router configuration you have selected?
2-26
Lesson 4
Understanding Media Types
Although you can connect devices to a network using wireless components, it is more usual to use wired
media. There are a variety of wired media types, each with different characteristics: cabling distances, load
and resistivity, and the ability to resist external electromagnetic interference. This lesson explores the
cabling characteristics and standards.
Objectives
Describe coaxial cable.
Describe twisted-pair cable.
Describe the CAT standards.
Describe fiber cable.
Select a suitable cable type.
2-27
Coaxial Cable
Key Points
Construction
Coaxial (coax) cable consists of two copper conductors separated by insulating materials. The central core
is manufactured from either stranded or solid copper wire, surrounded by an insulator. Around this first
insulator is a second, stranded copper conductor. The whole is then protected by a plastic covering.
Coax has different electrical characteristics based upon its construction. Thin coax supports shorter cable
runs and fewer devices, while thick coax can span greater distances and supports the connection of more
devices. Thick coax enables longer cable runs and more devices, but is unwieldy. Consequently, it is more
usually used to provide backbone connections.
Standards
There are two standards that define coax cable characteristics:
American Wire Gauge (AWG). This defines the diameter of the central conductor. A numbering
system indicates the diameter used. For example, 14 AWG indicates a thicker cable, while 18 AWG is a
thinner cable. It is important to realize that the electrical characteristics of the cable change with its
diameter; specifically, thicker wire carries higher currents further because it has lower resistance over a
given distance.
Radio Grade (RG). Developed by the US military, these standards define coax characteristics in terms
of susceptibility to interference and resistivity. There are many RG coax standards; networking
components use a small subset:
RG58. Fairly thin and flexible; consequently, ideal for connecting nodes to the network. However,
RG58 does not support long cable runs or a large number of connected devices. It has an
impedance of 50 ohms and uses 20 AWG copper wire.
RG59. As for RG58, but with a slightly thicker (18 AWG) core and an impedance of 75 ohms.
RG11. Thick coax cable with 75 ohm impedance. 14 AWG cable provides the solid core.
2-28
Connectors
Coax is connected to network devices using a variety of connector types based on the thickness of the
wire.
Thick coax. Devices use a piercing tap, or vampire connector, to connect to thick coaxial cable. The
connector surrounds the cable, and conductive spikes penetrate the cable to the central and outer
conductors. The connector is then attached to the network device by using an Attachment Unit
Interface (AUI) connector; this 15-pin connector is also sometimes known as a Digital Intel Xerox (DIX)
connector.
Thin coax. RG58 and RG59 use Bayonet Neill Concelman (BNC) connectors. Generally, the network
adapter in the host is connected to the RG58 by using a T-piece connector with BNC ends.
Note: Coax must be terminated. In order to prevent signals reflecting back up the media, a resistor is
attached to both ends of the cable; this absorbs the signal, preventing reflection. You must use a
terminator of the correct impedance.
Coax is not commonly used in networking applications today. This is primarily because of the
unstructured nature of the wiring and the relatively high installation costs. In addition, coax is not
especially fault-tolerant. A break in the cable disrupts the entire segment because you now have two
unterminated segments. It is also quite difficult to locate the exact location of the cable break, although
devices like Time Domain Reflectometers (TDRs) can be used to help.
When to Use Coax

Coax, even thin coax, is highly resistant to electromagnetic interference (EMI); consequently, it can be a
good choice for situations where you anticipate high levels of EMI. It is also worth remembering that coax
supports longer cable runs between hosts than twisted pair cabling; thick coax supports a maximum
length of 500 meters.
2-29
Twisted-Pair Cable
Key Points
You can use twisted-pair cabling to support a number of applications including telephony and
networking.
Construction
As the name suggests, the cable is constructed from a pair, or sometimes several pairs, of insulated cables,
twisted around one another, all enclosed in a protective outer sheath of plastic.
Note: The proximity of the other cable in the pair can introduce crosstalk, or interference. It is the
twisting that helps eliminate this. The more twists per meter, the higher the cable rating; for example
Category (Cat) 4 cable has fewer twists per meter than Cat 5 cable.
To help eliminate external interference, the twisted-pair cable is wrapped in a layer of insulation. Some
cables have more of this insulation to provide for improved EMI-resistance. Twisted-pair cabling with
thicker shielding is referred to as shielded twisted pair (STP), while the standard twisted-pair cabling is
referred to as unshielded twisted-pair (UTP).
Connectors
You connect devices with STP or UTP to the network using a number of different connectors.
RJ11. A four-contact connector supporting two-pair cables typically used for telephony.
RJ45. An eight-contact connector supporting four-pair cables typically used for data applications.
When to Use Twisted-Pair

UTP is relatively inexpensive both in terms of the cabling and associated components, and in terms of
the cost to lay the cable. Consequently, other factors aside, it should be the preferred choice. However,
UTP is susceptible to EMI; where this is an issue, or you require longer cable runs, select STP.
2-30
What Are the CAT Standards?
Key Points
Standards maintained by the Telecommunications Industry Association (TIA)/Electronic Industries Alliance
(EIA) define the additional characteristics of twisted-pair cable.
These standards are often referred to as the CAT standards.
CAT
Number of
pairs
Distance
(meters)
Capacity
(Mbps)
Frequency
Use
Voice/Modem
IBM Cabling/Token Ring
10
10
16
Ethernet
100
16
20
Token Ring
100
100
100
High-speed Ethernet
5e
100
1000
100
Gigabit Ethernet
100/55
1000+/10Gbps
250
Gigabit Ethernet/10G Ethernet
6a
100
10Gbps
500
10G Ethernet
100
10Gbps
600
10G Ethernet
2-31
Fiber Cable
Key Points
Copper cables suffer from the effects of EMI and in addition, they also suffer from a loss of signal, called
attenuation, over distance. Fiber cables are less prone to either of these. Since fiber cables are more
reliable, they are used in situations that demand longer cable runs or in areas where high-levels of EMI are
expected; around lift shafts, for example.
Construction
An optical fiber cable is constructed of:
Glass or plastic core. This provides the transmission medium.
Cladding. This covers the core. Light signals cannot traverse this layer. The reflective surface of the
cladding layer reflects the light signals back into the core.
Buffer. This protective layer is placed around the core and cladding.
Note: Because each optical fiber supports light signals in only one direction at a time, some cables
implement multiple fibers bundled in a single cable.
There are two types of fiber cable:
Multimode fiber. Consists of several fibers. Light signals are generated by light-emitting diodes
(LEDs). Typically, multimode fiber supports bandwidths of around 100 Mbps at distances of up to 2
kilometers and 10 Gbps over 300 meters.
Single-mode fiber. Contains a single, thin fiber that supports higher bandwidths and longer cable
runs than multimode fiber. 40 Gbps is possible over distances of several hundred kilometers. Light
signals are generated by laser diodes. More expensive than multimode fiber.
2-32
Connectors
There are a variety of connectors for use with fiber cabling, depending on whether you are using
multimode fiber or single-mode fiber, and the particular application of the cable.
Straight Tip (ST). The fiber equivalent of a coaxial BNC connector, using a push-and-twist locking
system. Typically used with multimode fiber.
Subscriber Connectors (SCs). Provide a simple push/pull connection.
Local Connectors (LCs). Similar to SCs, but smaller.
Ferrule Connectors (FCs). Older single-mode fiber connectors, now replaced by SCs and LCs.
Mechanical Transfer Registered Jack (MT-RJ). Support multimode fiber cables using a snap-on
connector.
When to Use Fiber

Fiber cabling is more expensive than its copper equivalent. It is used where higher bandwidths over long
distances are required that exceed the capabilities of copper wiring. Additionally, in areas of extreme EMI
fiber cabling is preferable.
2-33
Discussion: Selecting a Suitable Cabling Strategy
Key Points
There are a number of cabling options to choose from. Consider the following questions, and then discuss
your answers.
Question: Fabrikam has purchased a new building to house their Research and Development team. There
are two floors, each to support around one hundred network nodes. Each workstation is to have a
telephone installed. You want to minimize future disruption, so any cabling solution must provide for
emerging standards. The nature of the work the R & D team undertakes necessitates a high bandwidth
solution. What cabling system would you recommend?
Question: Fabrikams R & D center is across the private parking lot from the head offices. You need to
connect the R & D office back to the head office so that research staff has access to corporate services.
What cable would you recommend for this application?
2-34
Lab Setup
For this lab, you do not require any virtual machines.
Lab Scenario
Contoso, Ltd has created a new research and development team. As a result, a number of remote R & D
branch offices are being fitted.
2-35
Exercise 1: Determining the Appropriate Network Hardware

Scenario
You are responsible for planning the installation of new network components for these new branch
offices. Alan Brewer, the national R & D Manager, has been communicating with you about his specific
requirements for the regional offices. In addition, Ed Meadows, your boss in information technology (IT),
has visited some of the branch offices.
1.
2.

Answer the questions in the Branch Office Network Components Deployment Plan document.
Supporting Documentation
E-mail thread of correspondence with Ed Meadows:
Charlotte Weiss
From:
Sent:
To:
Subject:
Attached:
Ed Meadows [Ed@contoso.com]
1 Feb 2010 14:20
Charlotte@contoso.com
New branch offices
Contoso Branch Network Plan.vsd
Charlotte,
The network diagrams you suggested. Theyre not quite completed yet, but you can update them with the
details of the components you require.
As you can see, there are three branches, and then the R & D function at the head office. We need to
connect the computers together in the branches and then connect the branches to the head offices.
Regards,
Ed
2-36
Contoso Branch Network Plan.vsd
Task 1: Read the supporting deployment plan document
Read the supporting deployment plan document.
Branch Office Network Components Deployment Plan
Document Reference Number: CW010210/1
Document Author
Date
Charlotte Weiss
1st Feb
To determine which components to install to connect nodes at branch offices and to connect
branches to head office.
Additional Information
High-bandwidth applications will be used in the branches.
Devices must provide for virtual local area networks (VLANs) to support project teams that span
each branch.
Traffic should be isolated in the branch except where necessary.
It should be possible to manage traffic in the branch based upon its priority.
Proposals
1. What devices are required in the branches to support these requirements?

2. What devices are required to connect the branches together and connect the branches to the
head office?
3. What issues arise when you implement these devices?
5. Update the Contoso Branch Network Plan.vsd diagram to show what types of device you will
implement.
Results: After this exercise, you should have completed both the Contoso Branch Network Plan.vsd
diagram and the Branch Office Network Components Deployment Plan.
2-37
2-38
Exercise 2: Selecting a Suitable Wiring Infrastructure

Scenario
You are ready to deploy the selected network components; however, first you must determine a wiring
plan for each branch.
1.
2.

Answer the questions in the Branch Office Network Wiring Plan document.
E-Mail thread of correspondence with Ed Meadows:
Charlotte Weiss
From:
Sent:
To:
Subject:
20 Feb 2010 13:00
Wiring at the branches
Charlotte,
Thanks for the component deployment plan. Good work.
I want you to consider the wiring plan, now. As I understand things from Alan Brewer, theres going to be
quite a bit of network traffic. Whatever we use needs to support high capacity.
In addition, the branches use some weird scientific kit; Alan told me all about it, but it was way over my
head. However, the upshot is that we might experience some high levels of EMI.
Finally, cost is a factor. Were getting near the end of the financial year, and Alans drawing on the last of
his departmental budget. See what you can do to keep the cost down.
Regards,
Ed
Oh yes, he doesnt want to have to rewire anytime soon. Make sure this is future-proofed as far as budget
allows.
2-39
Branch Office Network Wiring Plan
Document Author
Date
Charlotte Weiss
20th Feb
Provide a wiring plan for the branch offices.
Quite high bandwidths are expected.
High levels of electromagnetic interference (EMI) are expected in some areas of the branches.
Cost is a limiting factor.
The solution, so far as is possible, should be future-proofed.
Proposals
1. What sort of cable would be suitable here, bearing in mind the information supplied and the plan
you outlined for network components earlier?
2. How will you address the issue of high levels of EMI?
3. What cable standards do you propose?
Results: After this exercise, you should have completed the Branch Office Network Wiring Plan.
2-40
Review Questions
1.
2.
3.
How does a switch differ from a hub?

You are planning to implement a large, routed internetwork. What routing protocol would you
consider for this entirely autonomous network?
Why is coax generally not a good choice for data networks?
Implementing TCP/IP
Module 3
Implementing TCP/IP
Contents:
Lesson 1: Overview of TCP/IP
3-3
Lesson 2: Understanding IPv4 Addressing
3-11
Lesson 3: Configuring IPv4
3-24
Lesson 4: Understanding IPv6
3-32
Lesson 5: Name Resolution
3-42
3-55
3-1
3-2
Module Overview
Network protocols are responsible for providing a communications channel between applications running
on separate hosts. Most network protocols are actually a collection of multiple protocols, collectively
known as a protocol stack. Each of the protocols in the stack provides a different networking function.
This module describes the requirements of a protocol stack and then focuses on the Transmission Control
Protocol/Internet Protocol (TCP/IP) protocol stack.
Objectives
Describe the functionality of the TCP/IP suite.
Describe IPv4 addressing.
Configure an IPv4 network.
Describe IPv6 addressing and transition.
Describe the various name resolution methods used by TCP/IP hosts.
Implementing TCP/IP
3-3
Lesson 1
Overview of TCP/IP
TCP/IP is an industry-standard suite of protocols that provides communication in a heterogeneous

network. It enables you to connect different operating systems together in a manner that helps to enable
cross-platform communications.
Objectives
Describe the elements of the TCP/IP suite of protocols.
Describe the individual protocols that make up the TCP/IP suite.
Describe application layer protocols.
Describe a Windows Socket and identify port numbers for specified protocols.
3-4
The TCP/IP Protocol Suite
Key Points
The tasks performed by TCP/IP in the communication process are distributed between protocols that are
organized into four distinct layers of the TCP/IP stack.
The four layers of the TCP/IP protocol stack are:
Application layer. Protocols used by applications to access network resources.
Transport layer. Protocols used to control data transfer reliability on the network.
Internet layer. Protocols used to control packet movement between networks.
Network interface layer. Protocols that define how datagrams from the Internet layer are transmitted
on the media.
Benefits of Architecture Layers

Dividing the network functions into a stack of separate protocols, rather than creating a single protocol,
provides several benefits:
Separate protocols make it easier to support a variety of computing platforms. Creating or modifying
protocols to support new standards does not require modification of the entire protocol stack.
Having multiple protocols operating at the same layer makes it possible for applications to select the
protocols that provide only the level of service required.
Because the stack is split into layers, the development of the protocols can proceed simultaneously by
personnel who are uniquely qualified in the operations of the particular layers.
Implementing TCP/IP
3-5
Protocols in the TCP/IP Suite
Key Points
The Open Systems Interconnection (OSI) model defines distinct layers related to packaging, sending, and
receiving data transmissions over a network. The layered suite of protocols that form the TCP/IP stack
carry out these functions.
Application Layer
The application layer of the TCP/IP model corresponds to the application, presentation, and session layers
of the OSI model. This layer provides services and utilities that enable applications to access network
resources.
Transport Layer
The transport layer corresponds to the transport layer of the OSI model and is responsible for end-to-end
communication using TCP or User Datagram Protocol (UDP). The TCP/IP protocol suite offers application
programmers the choice of TCP or UDP as a transport layer protocol. The transport layer protocol used by
an application is determined by the developer of an application based on the communication
requirements of the application.
TCP. Provides connection-oriented reliable communications for applications. Connection-oriented

communication confirms that the destination is ready to receive data before it sends the data. TCP
confirms that all packets are received to make communication reliable. Reliable communication is
desired in most cases and is used by most applications. Web servers, File Transfer Protocol (FTP)
clients, and other applications that move large amounts of data use TCP.
UDP. Provides connectionless and unreliable communication. Reliable delivery is the responsibility of
the application when UDP is used. Applications use UDP for faster communication with less overhead
than TCP. Applications such as streaming audio and video use UDP so that a single missing packet will
not delay playback. UDP is also used by applications that send small amounts of data, such as Domain
Name System (DNS) name lookups.
3-6
Internet Layer
The Internet layer corresponds to the network layer of the OSI model and consists of several separate
protocols, including: IP; Address Resolution Protocol (ARP); Internet Group Management Protocol (IGMP);
and Internet Control Message Protocol (ICMP). The protocols at the Internet layer encapsulate transportlayer data into units called packets, addresses them, and routes them to their destinations.
IP. Responsible for routing and addressing. The Windows 7 operating system and the Windows
Server 2008 R2 operating system implement a dual-layer IP protocol stack, including support for
both IPv4 and IPv6.
ARP. Used by IP to determine the media access control (MAC) address of local network adapters
that is, adapters installed in computers on the local network from the IP address of a local host. It is
broadcast-based meaning that ARP frames cannot transit a router and are therefore localized. Some
implementations of TCP/IP provided support for Reverse ARP (RARP) in which the MAC address of a
network adapter is used to determine the corresponding IP address.
IGMP. Provides support for multitasking applications over routers in IPv4 networks.
ICMP. Used to send error messages in an IP-based network.
Network Interface Layer

The network interface layer (sometimes referred to as the link layer or data-link layer) corresponds to the
data-link and physical layers of the OSI model. The network interface layer specifies the requirements for
sending and receiving packets on the network media. This layer is often not formally considered part of
the TCP/IP protocol suite because the tasks are performed by the combination of the network adapter
driver and the network adapter.
Implementing TCP/IP
3-7
TCP/IP Applications
Key Points
Application layer protocols are used by applications to communicate over the network. A client and server
must be using the same application layer protocol to communicate. For example, a Web server and Web
browser both use Hypertext Transfer Protocol (HTTP). The following table lists some common application
layer protocols.
Protocol
Description
HTTP
Used for communication between Web browsers and Web servers.
Hypertext Transfer
Protocol Secure
(HTTPS)
A version of HTTP that is used to encrypt communication between Web browsers

and Web servers.
Remote procedure
call (RPC) over
HTTP
RPC over HTTP. Used to tunnel RPC packets inside of HTTP packets to traverse
firewalls. Implementing RPCs over HTTP or HTTPS is a common Microsoft method
for encapsulating RPCs in a format that can more easily traverse firewalls.
File Transfer
Protocol (FTP)
Used to transfer files between FTP clients and servers. Commonly used on the
Internet.
Remote Desktop
Protocol (RDP)
Used to remote control a computer running Microsoft Windows over a network.
Server Message
Blocks (SMB)
Used by servers and client computers running Windows for file and printer sharing.
Simple Mail
Transfer Protocol
(SMTP)
Used to transfer e-mail messages over the Internet.
3-8
Protocol
Description
Post Office
Protocol version 3
(POP3)
Used to retrieve messages from an e-mail server.
Implementing TCP/IP
3-9
What Is a Socket?
Key Points
TCP and UDP Sockets
When an application wants to establish communication with an application on a remote host, it creates a
TCP or a UDP socket, as appropriate. The socket identifies the transport protocol that the application uses,
which could be TCP or UDP. The socket next identifies the IPv4 or IPv6 address of the source and
destination hosts. Finally, to ensure that communication takes place successfully between the appropriate
applications on the two communicating hosts, the socket identifies the TCP or UDP port number that the
applications are using. This combination of transport protocol, IP address, and port creates a socket.
Well-Known Ports
Applications are assigned a port number between 0 and 65,535. The first 1,024 ports are well-known
ports that have been assigned to specific applications, although client-server applications can
communicate with each other as long as both reference the same port number. The following table
identifies some of these well-known ports.
Port
Protocol
Application
80
TCP
HTTP used by a Web server
443
TCP
HTTPS for secured Web server
110
TCP
POP3 used for e-mail retrieval from e-mail clients
25
TCP
SMTP that e-mail servers and clients use to send

e-mail
53
UDP
DNS
3-10
Port
Protocol
Application
53
TCP
DNS
21
TCP
FTP
80
TCP
HTTP used by a Web server
It typically is not necessary for you to configure your applications to use specific ports. However, you must
be aware of the ports that applications are using to ensure that the required ports are open through any
firewalls in your organization.
Implementing TCP/IP
Lesson 2
Understanding IPv4 Addressing
In order to connect network hosts on an IPv4 network, it is important that you know how to configure
IPv4 addresses and related properties.
Objectives
Convert binary to decimal.
Describe the information required to configure an IPv4 host.
Describe classful addressing.
Describe classless addressing.
Describe how bits are used in a subnet mask.
Implement an IPv4 subnetting scheme.
Determine subnet addresses.
Determine host addresses.
Describe private IPv4 addressing.
3-11
3-12
How Dotted Decimal Notation Relates to Binary Numbers
Key Points
When you assign IP addresses, you use dotted decimal notation. The dotted decimal notation is based on
the decimal number system. However, in the background, computers use IP addresses in binary. To
understand how to choose a subnet mask for complex networks, you must understand IP addresses in
binary.
Within an 8-bit octet, each bit position has an assigned decimal value. A bit that is set to 0 always has a
zero value. A bit that is set to 1 can be converted to a decimal value. The low-order bit, the rightmost bit
in the octet, represents a decimal value of 1. The high-order bit, the leftmost bit in the octet, represents a
decimal value of 128. The highest decimal value of an octet is 255, that is, all bits are set to 1.
Most of the time, you can use a calculator to convert decimal numbers to binary and vice versa. The
Calculator application included in Microsoft Windows can perform decimal-to-binary conversions, as
shown in the following example.
Binary format
Dotted decimal notation
10000011 01101011 00000011 00011000
131.107.3.24
Implementing TCP/IP
3-13
IPv4 Addressing
Key Points
To configure network connectivity, you must be familiar with IPv4 addresses and how they work. Assign a
unique IPv4 address to each networked computer; the IPv4 address identifies the computer to other
computers on the network.
Components of an IPv4 Address

IPv4 uses 32-bit addresses, so if you view the address in its binary format, it has 32 characters, as the
following example shows:
11000000101010000000000111001000
IPv4 divides the address into four octets, as the following address shows:
11000000.10101000.00000001.11001000
To make the IP addresses more readable, binary representation of the address typically shows it in decimal
form. For example:
192.168.1.200
The address, in conjunction with a subnet mask:
Identifies the unique identity of the computer, which is the host ID.
Identifies the subnet on which the computer resides, which is the network ID.
Enables a networked computer to communicate with other networked computers in a routed

environment.
3-14
What Is a Subnet Mask?

A subnet is a network segment. A router or routers separates the subnet from the rest of the network.
When your Internet service provider (ISP) assigns a network to a Class A, B, or C address range, you often
must subdivide the range to match the networks physical layout. The subnet mask that you use
determines in which subnet your computer is located.
Default Gateway
A default gateway is a device, usually a router, on a TCP/IP internet that forwards IP packets to other
subnets. A router connects groups of subnets to create an intranet.
In an intranet, any given subnet might have several routers that connect it to other subnets, both local
and remote. You must configure one of the routers as the default gateway for local hosts. This enables the
local hosts to transmit with hosts on remote networks.
Before a host sends an IPv4 packet, it uses its own subnet mask to determine whether the destination host
is on the same network or on a remote network. If the destination host is on the same network, the
sending host addresses the packet directly to the destination host. If the destination host is on a different
network, the host transmits the packet to a router for delivery.
When a host on the network uses IPv4 to transmit a packet to a destination subnet, IPv4 consults the
internal routing table to determine the appropriate router for the packet to reach the destination subnet.
If the routing table does not contain any routing information about the destination subnet, IPv4 forwards
the packet to the default gateway. The host assumes that the default gateway contains the required
routing information.
In most cases, use a Dynamic Host Configuration Protocol (DHCP) server to assign the default gateway
automatically to a DHCP client. This is more straightforward than manually assigning a default gateway on
each host.
Implementing TCP/IP
3-15
Simple IPv4 Implementations
Key Points
IPv4 Address Classes
The Internet Assigned Numbers Authority (IANA) organizes IPv4 addresses into classes. The number of
hosts that a network has determines the class of addresses that are required. IANA has named the IPv4
address classes from Class A through Class E.
Classes A, B, and C are IP addresses that you can assign to host computers as unique IP addresses. You can
use Class D for multicasting. The IANA reserves Class E for experimental use.
A subnet mask specifies which part of an IPv4 address is the network ID and which part of the IPv4
address is the host ID. A subnet mask has four octets, similar to an IPv4 address.
Simple IPv4 Networks

In simple IPv4 networks, the subnet mask defines full octets as part of the network ID and host ID. A 255
represents an octet that is part of the network ID, and a 0 represents an octet that is part of the host ID.
Class A, B, and C networks use a default subnet mask. The following table lists the characteristics of each
IP address class.
Class
First Octet
Default Subnet
Mask
Number of
networks
Number of Hosts per Network
1-127
255.0.0.0
126
16,777,214
128-191
255.255.0.0
16,384
65,534
192-223
255.255.255.0
2,097,152
254
3-16
Note: the IPv4 address 127.0.0.1 is used as a loopback address; you can use this address to test the
local configuration of the IPv4 protocol stack. Consequently, the network address 127 is not
permitted for configuring IPv4 hosts.
Implementing TCP/IP
3-17
More Complex IPv4 Implementations
Key Points
In complex networks, subnet masks might not be simple combinations of 255 and 0. Rather, you might
subdivide one octet with some bits that are for the network ID and some for the host ID. Classless
addressing, or classless interdomain routing (CIDR), is when you do not use an octet for subnetting. You
use either more of the octet or less of the octet. This type of subnetting uses a different notation, which
the following example shows:
172.16.16.1/255.255.240.0
The following example shows the more common representation of classless IPv4 addressing:
172.16.16.1/20
The /20 represents how many subnet bits are in the mask. This notation style is called variable length
subnet masking (VLSM).
Question: Contoso, Ltd. has implemented IPv4 throughout the organization. It is currently implementing
a new head office building. The office will host 5,000 computers distributed fairly evenly across 10 floors
of these offices. What address class would suit this scenario?
3-18
How Bits Are Used in a Subnet Mask
Key Points
In simple networks, subnet masks are composed of four octets, and each octet has a value of 255 or 0. If
the octet is 255, that octet is part of the network ID. If the octet is 0, that octet is part of the host ID.
In complex networks, you can convert the subnet mask to binary, and evaluate each bit in the subnet
mask. A subnet mask is composed of contiguous 1s and 0s. The 1s start at the leftmost bit and continue
uninterrupted until the bits change to all 0s.
The network ID of a subnet mask can be identified by the 1s. The host ID can be identified by the 0s. Any
bits taken from the host ID and allocated to the network ID must be contiguous with the original network
ID. For each bit that is 1, that bit is part of the network ID. For each bit that is 0, that bit is part of the host
ID. The mathematical process used to compare an IP address and a subnet mask is called ANDing.
When you use more bits for the subnet mask, you can have more subnets, but fewer hosts on each
subnet. Using more bits than you need allows for subnet growth, but limits growth for hosts. Using fewer
bits than you need allows for growth in the number of hosts you can have, but limits growth in subnets.
Question: Which is more important, allowing the number of hosts to grow or allowing the number of
subnets to grow?
Implementing TCP/IP
3-19
Implementing an IPv4 Subnetting Scheme
Key Points
When you subdivide a network into subnets, create a unique ID for each subnet derived from the main
network ID. To create subnets, you must allocate some of the bits in the host ID to the network ID. This
enables you to create more networks.
By using subnets, you can:
Use a single Class A, B, or C network across multiple physical locations.
Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.
Overcome limitations of current technologies, such as exceeding the maximum number of hosts that
each segment can have.
3-20
Determining Subnet Addresses
Key Points
Before you define a subnet mask, estimate how many segments and hosts for each segment you may
require. This enables you to use the appropriate number of bits for the subnet mask.
You can calculate the number of subnet bits you need in the network. Use the formula 2^n, where n is the
number of bits. The result is the number of subnets that your network requires.
The following table indicates the number of subnets that you can create by using a specific number of
bits.
Number of bits
Number of subnets
16
32
64
To determine the subnet addresses quickly, you can use the lowest value bit in the subnet mask. For
example, if you choose to subnet the network 172.16.0.0 by using 3 bits, this mean the subnet mask is
255.255.224.0. The decimal 224 is 11100000 in binary, and the lowest bit has a value of 32, so that is the
increment between each subnet address.
The following table shows examples of calculating subnet addresses.
Binary network number
Decimal network number
Implementing TCP/IP
Binary network number
172.16.00000000.00000000
172.16.0.0
172.16.00100000.00000000
172.16.32.0
172.16.01000000.00000000
172.16.64.0
172.16.01100000.00000000
172.16.96.0
172.16.10000000.00000000
172.16.128.0
172.16.10100000.00000000
172.16.160.0
172.16.11000000.00000000
172.16.192.0
172.16.11100000.00000000
172.16.224.0
3-21
3-22
Determining Host Addresses
Key Points
To determine host bits in the mask, determine the required number of bits for the supporting hosts on a
subnet. Calculate the number of host bits required by using the formula 2^n-2, where n is the number of
bits. This result must be at least the number of hosts that you need for your network, and it is also the
maximum number of hosts that you can configure on that subnet.
The following table shows how many hosts a class C network has available based on the number of host
bits.
Number of bits
Number of hosts
14
30
62
You can calculate each subnets range of host addresses by using the following process:
1.
2.
The first host is one binary digit higher than the current subnet ID.
The last host is two binary digits lower than the next subnet ID.
The following table shows examples of calculating host addresses.

Host range
Implementing TCP/IP
Host range
172.16.64.0
172.16.64.1 - 172.16.95.254
172.16.96.0
172.16.96.1 - 172.16.127.254
172.16.128.0
172.16.128.1 - 172.16.159.254
3-23
In order to select an appropriate addressing scheme for your organization, you must:
1.
2.
3.
4.
Choose whether to use public or private IPv4 addresses.

Calculate the number of subnets required. You can calculate the number of subnet bits by
determining how many you need in your network. Use the formula 2^n, where n is the number of
bits. The result must be at least the number of subnets that your network requires.
Calculate the number of hosts in each subnet. You can calculate the number of host bits required by
using the formula 2^n-2, where n is the number of bits.
Select an appropriate subnet mask(s).
When you have determined these factors, you must then:

1.
2.
3.
Calculate the subnet addresses. To determine subnet addresses quickly, you can use the lowest value
bit in the subnet mask. For example, if you choose to subnet the network 172.16.0.0 by using three
bits, this would mean using 255.255.224.0 as the subnet mask. The decimal 224 is 11100000 in binary,
and the lowest bit has a value of 32, so that will be the increment between each subnet address.
Determine the range of host addresses within each subnet. You can calculate each subnets range of
host addresses by using the following process: the first host is one binary digit higher than the current
subnet ID, and the last host is two binary digits lower than the next subnet ID.
Implement the planned addressing scheme.
Question: Analysis of the network traffic at the existing head office shows that the maximum number of
hosts per subnet should be around 100. How many subnets are required, and assuming a network address
for the whole site of 172.16.0.0, what mask should you use to ensure sufficient support for the required
subnets?
3-24
Lesson 3
Configuring IPv4
Once you understand how to design an IPv4 addressing scheme, it is important that you know how to
correctly implement that addressing scheme.
Objectives
Describe private IPv4 addressing.
Describe how to configure IP addresses automatically.
Configure an IPv4 address.
Verify IP connectivity.
Implementing TCP/IP
3-25
Public and Private IPv4 Addresses
Key Points
Devices and hosts that connect directly to the Internet require a public IPv4 address. Hosts and devices
that do not connect directly to the Internet do not require a public IPv4 address.
Public IPv4 Addresses

Public IPv4 addresses must be unique. IANA assigns public IPv4 addresses. Usually, your ISP allocates you
one or more public addresses from its address pool. The number of addresses that your ISP allocates to
you depends upon how many devices and hosts that you have to connect to the Internet.
Private IPv4 Addresses

The pool of IPv4 addresses is becoming smaller, so IANA is reluctant to allocate superfluous IPv4
addresses. Technologies such as Network Address Translation (NAT) enable administrators to use a
relatively small number of public IPv4 addresses, and at the same time, enable local hosts to connect to
remote hosts and services on the Internet.
IANA defines the following address ranges as private. Internet-based routers do not forward packets
originating from, or destined to, these ranges.
Class
Mask
Range
10.0.0.0/8
10.0.0.0 - 10.255.255.255
172.16.0.0/12
172.16.0.0 - 172.31.255.255
192.168.0.0/16
192.168.0.0 - 192.168.255.255
Note: RFC3330 defines these private address ranges.
3-26
Question: Which of the following is not a private IP address?

a.
b.
c.
d.
171.16.16.254
192.16.18.5
192.168.1.1
10.255.255.254
Implementing TCP/IP
3-27
Automatic IPv4 Configuration
Key Points
When you configure Windows operating systems on networks, you must know how to assign static IP
addresses manually and be able to support computers that use DHCP to assign IP addresses dynamically.
Static Configuration
You can configure static IPv4 configuration manually for each of your networks computers. Typical IPv4
configuration includes the following:
IPv4 address
Subnet mask
Default gateway
DNS server
Static configuration requires that you visit each computer and input the IPv4 configuration. This method
of computer management is time consuming if your network has more than twenty users. Additionally,
making a large number of manual configurations heightens the risk of mistakes.
DHCPv4
DHCPv4 enables you to assign automatic IPv4 configurations for large numbers of computers without
having to assign each one individually. The DHCP service receives requests for IPv4 configuration from
computers that you configure to obtain an IPv4 address automatically. It also assigns IPv4 information
from scopes that you define for each of your networks subnets. The DHCP service identifies the subnet
from which the request originated and assigns IP configuration from the relevant scope.
DHCP helps simplify the IP configuration process, but you must be aware that if you use DHCP to assign
IPv4 information and the service is business-critical, you must do the following:
3-28
1.
2.
Include resilience into your DHCP service design so that the failure of a single server does not prevent
the service from functioning.
Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole
network and prevent communication.
IPv4 Alternate Configuration

If you use a laptop to connect to multiple networks, such as at work and at home, each network may
require a different IP configuration. Windows supports the use of an alternate static IP address for this
situation.
When you configure Windows computers to obtain an IPv4 address from DHCP, use the Alternate
Configuration tab to control the behavior. If a DHCP server is not available; configure the specific IP
address, subnet mask, and other related properties for use in the absence of your DHCP server.
Note: By default, Windows uses automatic private IP addressing (APIPA) to assign itself an IP address
automatically from the 169.254.0.0 to 169.254.255.255 address range. If the computer has an address
from the APIPA range, it is an indication that the computer cannot communicate with a DHCP server.
Bear in mind that an APIPA address can only be used to communicate with similarly configured hosts
on the local network only.
Implementing TCP/IP
3-29
Demonstration: How to Configure IPv4
Key Points
You can configure IP settings either from the Network and Sharing Center or else by using the netsh
command-line tool. You can configure a Windows computer to have a manual IP configuration or else to
obtain an IP configuration automatically.
In this demonstration, you will see how to configure IPv4 settings manually and automatically.
Demonstration Steps:
1.
2.
3.
4.
5.
6.
View currently leased IP addresses on a DHCP server.

Assign an automatic IPv4 configuration to NYC-CL1.
Verify a new address was leased.
Release the address with Ipconfig /release.
Verify the release of the address.
Manually assign an IPv4 configuration to NYC-CL1.
3-30
Demonstration: How to Verify IPv4 Configuration
Key Points
Windows 7 includes a number of utilities that help you to verify your IP configuration. These tools include:
IPConfig
Ping
Tracert
Pathping
NSlookup
IPConfig
The IPConfig tool is the primary client-side DHCP troubleshooting tool. If your computer is experiencing
connectivity problems, you can use IPConfig to determine the computers IP address. If the address is in
the range 169.254.0.1 to 169.254.255.254, the computer is using an APIPA address. This might indicate a
DHCP-related problem.
From the client computer, open an elevated command prompt, and then use the IPConfig options in the
table below to diagnose the problem.
Option
Description
/all
This option displays all IP address configuration information.

If the computer uses DHCP, you should verify the DHCP Server option in the output. This
indicates the server from which the client is attempting to obtain an address. Also, verify
the Lease Obtained and Lease Expires values to determine when the client last obtained
an address.
/release
It sometimes is necessary to force the computer to release an IP address.
Implementing TCP/IP
3-31
Option
Description
/renew
This option forces the client computer to renew its DHCP lease. This is useful when you
think that the DHCP-related issue is resolved, and you want to obtain a new lease without
restarting the computer.
Ping verifies IP-level connectivity to another TCP/IP computer. Ping sends and receives ICMP Echo
Request messages and displays the receipt of corresponding Echo Reply messages. Ping is the primary
TCP/IP command used to troubleshoot connectivity.
Tracert determines the path taken to a destination computer by sending ICMP Echo Requests. The path
that displays is the list of router interfaces between a source and a destination.
Pathping traces a route through the network in a manner similar to Tracert. However, Pathping provides
detailed statistics on the individual network steps or hops.
NSlookup displays information that you can use to diagnose your DNS infrastructure. You can use
NSlookup to confirm connection to the DNS server and that the required records exist.
In this demonstration, you will see how to use Ipconfig.exe to verify the computers IPv4 configuration.
1.
2.
3.
4.
5.
6.
7.
Determine the current IPv4 configuration.

Stop the DHCP service.
Configure NYC-CL1 to obtain an address dynamically.
Verify the address obtained.
Verify network communications with ping.exe.
Restart DHCP and renew the IP address on NYC-CL1.
Verify network communications with ping.exe.
3-32
Lesson 4
Understanding IPv6
IPv6 is a critical technology that will help ensure that the Internet can support a growing user base and
the increasingly large number of IP-enabled devices. The current IPv4 has served as the underlying
Internet protocol for almost 30 years. Its robustness, scalability, and limited feature set now is challenged
by the growing need for new IP addresses, due in large part to the rapid growth of new network-aware
devices. IPv6 slowly is becoming more common. While adoption may be slow, it is important to
understand how this technology will affect current networks and how to integrate IPv6 into those
networks.
Objectives
Describe IPv6.
Describe an IPv6 address.
Describe IPv6 Address types.
Describe IPv6 interface identifiers.
Describe IPv6 transition technologies.
Configure an IPv6 address.
Implementing TCP/IP
3-33
Benefits of Using IPv6
Key Points
The new features and functionality in IPv6 addresses many IPv4 limitations. RFC 791 defined IPv4 in 1981.
Since then, limitations to future network connectivity have arisen. These limitations include the following:
Limited address space. IPv4 uses only 32-bits to represent addresses. IANA has allocated the majority
of these addresses.
Difficult routing management. IANA has not provisioned allocated IPv4 addresses for efficient route
management. As a result, Internet backbone routers have over 85,000 routes in their routing tables.
Complex host configuration. Automatic configuration of IPv4 hosts requires that you implement
stateful autoconfiguration, for example, a DHCP server or appropriately configured router.
No built-in security. IPv4 does not include any method for securing network data. You must
implement Internet Protocol Security (IPsec) and other protocols to secure data on IPv4 networks, but
this requires significant configuration and can be complex to implement.
Limited Quality of Service (QoS). The implementation of QoS in IPv4 relies on the use of TCP and UDP
ports to identify data. This may not be appropriate in all circumstances.
IPv6 Improvements
IPv6 enhancements help enable secure communication on the Internet and over corporate networks.
Some IPv6 features include the following:
Larger address space. IPv6 uses a 128-bit address space, which provides significantly more addresses
than IPv4.
More efficient routing. IANA provisions global addresses for the Internet to support hierarchical
routing. This reduces how many routes that Internet backbone routers must process and improves
routing efficiency.
Simpler host configuration. IPv6 supports dynamic client configuration by using DHCPv6. IPv6 also
enables routers to configure hosts dynamically.
3-34
Built-in security. IPv6 includes native IPsec support. This ensures that all hosts encrypt data in transit.
Better prioritized delivery support. IPv6 includes a Flow Label in the packet header to provide
prioritized delivery support. This designates the communication between computers with a priority
level, rather than relying on port numbers that applications use. It also assigns a priority to the
packets in which IPsec encrypts the data.
Redesigned header. The design of the header for IPv6 packets is more efficient in processing and
extensibility. IPv6 moves nonessential and optional fields to extension headers for more efficient
processing. Extension headers are no more than the full size of the IPv6 packet, which accommodates
more information than possible in the 40 bytes that the IPv4 packet header allocates.
Implementing TCP/IP
3-35
The IPv6 Address Space
Key Points
The IPv6 address space uses 128-bits compared to the 32-bits that the IPv4 address space uses. Therefore,
a significantly larger number of addresses are possible with IPv6 than with IPv4. An IPv6 address allocates
64-bits for the network ID and 64-bits for the host ID. However, for hierarchical routing, IPv6 may allocate
less than 64-bits to the network ID.
IPv6 Syntax
IPv6 does not use a dotted decimal notation to compress the addresses. Instead, IPv6 uses hexadecimal
notation, with a colon between each set of four digits. Each hexadecimal digit represents four bits.
To shorten IPv6 addresses further, you can drop leading zeros and use zero compression. Within each
group of four digits, drop leading zeros and include a single grouping of four zeros as a single zero. By
using zero compression, you represent multiple contiguous groupings of zeros as a set of double colons.
Description
Example
A full IPv6 address
2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A/64
An IPv6 with leading zeros

dropped
2001:DB8:0:0:2AA:FF:FE28:9C5A/64
An IPv6 address with contiguous

groupings of zeros and leading
zeros dropped
2001:DB8::2AA:FF:FE28:9C5A/64
Each IPv6 address uses a prefix to define the network ID. You use this prefix in place of a subnet mask
similar to using CIDR in IPv4. The prefix is a forward slash followed by the number of bits that the network
ID includes. In the preceding examples, the prefix defines 64-bits in the network ID.
3-36
IPv6 Address Types
Key Points
IPv6 address types are similar to IPv4 address types.
The IPv6 address types are:
Unicast. An IPv6 unicast address is equivalent to an IPv4 unicast address. You can use this for one-toone communication between hosts. Each IPv6 host has multiple unicast addresses. There are three
types of unicast address:
Global unicast address. These are equivalent to public IPv4 addresses. They are globally routable
and reachable on the IPv6 portion of the Internet.
Public topology. Refer to the first 48 bits of a global unicast address as the public topology. The
public topology is unique over the entire Internet. It is the collection of larger and smaller ISPs
that provide access to the IPv6 Internet. IANA assigns a single unique address in the global
routing prefix to an ISP.
Site topology. An ISP can subnet the network address that IANA assigns by using the next 16 bits,
which are the site topology. The 16 bits of site topology allow an ISP to create up to 65,536
subnets in the most efficient manner applicable to that ISPs customer base.
Link-local addresses. Hosts use link-local addresses when communicating with neighboring hosts on
the same link. For example, on a single-link IPv6 network with no router, hosts communicate by using
link-local addresses.
IPv6 link-local addresses are equivalent to IPv4 APIPA addresses. When a DHCP server fails, APIPA
allocates addresses in the private range 169.254.0.1 to 169.254.255.254. Clients verify their address is
unique on the LAN using ARP. When the DHCP server is again able to service requests, clients update
their addresses automatically.
Other characteristics of link-local addresses include:
Link-local addresses always begin with FE80.
Implementing TCP/IP
3-37
An IPv6 router never forwards link-local traffic beyond the link.
An APIPA address is assigned automatically to an IPv4 host. Use of this address restricts
communication to the local subnet, and it is generally used when other suitable addresses are not
available.
Unique local unicast addresses. These are the equivalent to IPv4 private address spaces, such as
10.0.0.0/8. All unique local unicast addresses have the prefix FD00::/8.
A global ID uses the next 40 bits. The global ID is an identifier that uniquely represents an
organization. Randomly generate this ID to maximize uniqueness between organizations. This is
useful when two organizations merge.
When you use unique global IDs, routing occurs between organizations without network
reconfiguration. Use the next 16 bits within the organization to generate subnets for routing
between and within locations. The allocated 16 bits allow an organization to create up to 65,536
subnets for internal use.
Anycast. An anycast address is an IPv6 unicast address that is assigned to multiple computers. When
IPv6 addresses communication to an anycast address, only the closest host responds. You typically use
this for locating services or the nearest router.
Multicast. An IPv6 multicast is equivalent to an IPv4 multicast address. You use this for one-to-many
communication between computers that you define as using the same multicast address.
In IPv4, you typically assign a single host with a single unicast address. However, in IPv6, you can assign
multiple unicast addresses to each host. To verify communication processes on a network, know for what
purposes IPv6 uses each of these addresses.
3-38
Interface Identifiers
Key Points
The last 64-bits of an IPv6 address are the interface identifier. The interface identifier is equivalent to the
host ID in an IPv4 address. Each interface on an IPv6 network must have a unique interface identifier.
Because the interface identifier is unique to each interface, IPv6 uses the Interface Identifier rather than
MAC addresses to identify hosts uniquely.
Within the Windows environment, Windows Server 2008 R2 uses an Extended Unique Identifier (EUI)-64
addresses, which the Institute of Electrical and Electronics Engineers, Inc. (IEEE) defines. Gigabit adapters
use an EUI-64 address in place of a MAC address. Network adapters using a MAC address generate a
EUI-64 address by padding the 48-bit MAC address with additional information.
To preserve privacy in network communication, generate an interface identifier rather than use the
network adapters hardware address. To assign an interface identifier, IPv6 hosts can use the following:
A randomly generated temporary identifier
A randomly generated permanent identifier
A manually assigned identifier
Windows uses randomly generated permanent interface identifiers by default but this can be disabled
with the netsh tool.
Implementing TCP/IP
3-39
Transitioning to IPv6
Key Points
The migration from IPv4 to IPv6 is expected to take considerable time. This was taken into consideration
when designing IPv6 and as a result, the transition plan for IPv6 is a multistep process that allows for
extended coexistence. To achieve the goal of a pure IPv6 environment, consider the following points:
Applications must be independent of IPv4 and IPv6. Applications must be changed to use new
Windows Sockets application programming interfaces (APIs) so that name resolution, socket creation,
and other functions are independent regardless of whether you are using IPv4 or IPv6.
DNS must support IPv6 record types. You may have to upgrade the DNS infrastructure to support the
new authentication, authorization, accounting and auditing (AAAA) records (required) and pointer
(PTR) records in the IP6.ARPA reverse domain (optional). Additionally, ensure that the DNS servers
support DNS dynamic updates for AAAA records so that IPv6 hosts can register their names and IPv6
addresses automatically.
Hosts must support both IPv6 and IPv4. You must upgrade hosts to use a dual-IP layer or stack. You
also must add DNS resolver support to process DNS query results that contain both IPv4 and IPv6
addresses. Deploy Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) to ensure that IPv6/IPv4
hosts can reach each other over the IPv4-only intranet.
Routing infrastructure must support native IPv6 routing. You must upgrade routers to support native
IPv6 routing and IPv6 routing protocols.
An eventual successful transition to IPv6 requires interim coexistence of IPv6 nodes in todays
predominantly IPv4 environment. To support this, IPv6 packets are tunneled automatically over IPv4
routing infrastructures, enabling IPv6 clients to communicate with each other by using 6to4 addresses
or ISATAP addresses and tunneling IPv6 packets across IPv4 networks.
You can upgrade IPv6/IPv4 nodes to be IPv6-only nodes. This should be a long-term goal, because it
will take years for all current IPv4-only network devices to be upgraded to IPv6-only. For those IPv4only nodes that cannot be upgraded to IPv6/IPv4 or IPv6-only, employ translation gateways as
appropriate so that IPv4-only nodes can communicate with IPv6-only nodes.
3-40
IPv6 Automatic Configuration
Key Points
In addition to IPv4 automatic IP addressing, you must understand how IPv6 addresses are dynamically
assigned.
IPv6 Address Auto-Configuration

Auto-configuration is a method of assigning an IPv6 address to an interface automatically. Autoconfiguration can be stateful or stateless. DHCPv6 performs stateful auto-configuration while router
advertisements perform stateless configuration.
A stateful address is so called because this address is assigned from a service on a server or other device,
which records the assigned address. The service that allocated the address to the client manages the
stateful address. Stateless addresses are configured by the client and are not maintained by a service. The
record of the address assignment is not maintained.
The first step in auto-configuration generates a link-local address with which the host communicates with
other hosts on the local network; this communication is necessary to perform further auto-configuration
tasks. The host then performs the following actions in order to configure IPv6:
1.
2.
When the host generates the link-local address, the host also performs duplicate address detection to
ensure that it is unique.
An IPv6 host will send up to three router solicitations on each interface to obtain IPv6 configuration
information. The configuration process that IPv6 uses varies depending on the response it receives to
router solicitations:
If IPv6 receives no router advertisement, it uses DHCPv6 to configure the interface.
If IPv6 receives a router advertisement with the autonomous flag on, then the client uses stateless
auto-configuration and obtains the routing prefix from the router.
If IPv6 receives a router advertisement with the managed address configuration flag on, then it
uses DHCPv6 to obtain an IPv6 address.
Implementing TCP/IP
3-41
If IPv6 receives a router advertisement with the managed address configuration flag off and the
other stateful configuration flag on, it obtains additional IPv6 configuration options from
DHCPv6. However, it obtains the IPv6 address by using stateless configuration.
DHCPv6
DHCPv6 is a service that provides stateful auto-configuration of IPv6 hosts. It can configure IPv6 hosts
automatically with an IPv6 address and other configuration information such as DNS servers. This is
equivalent to DHCPv4 for IPv4 networks.
When a host obtains an IPv6 address from a DHCPv6 server, the following occurs:
1.
2.
3.
4.
5.
The client sends a Solicit message to locate DHCPv6 servers.

The server sends an Advertise message to indicate that it offers IPv6 addresses and configuration
options.
The client sends a Request message to a specific DHCPv6 server to request configuration information.
The selected server sends a Reply message to the client that contains the address and configuration
settings.
When a client requests configuration information only, the following occurs:
The client sends an Information-request message.
A DHCPv6 server sends a Reply message to the client with the requested configuration settings.
Note: On large networks, you can DHCPv6 relay agents instead of placing a DHCP server on each
subnet.
3-42
Lesson 5
Name Resolution
Computers can communicate over a network by using a name in place of an IP address. Name resolution
is used to find an IP address that corresponds to a name, such as a hostname. This lesson focuses on
different types of computer names and the methods to resolve them.
Objectives
Configure host names.
Describe DNS.
Describe DNS zones.
Understand how DNS names are resolved.
Describe name resolution with the Windows Internet Name Service (WINS).
Describe the NetBIOS name resolution process.
Describe the purpose of the DNS GlobalNames Zone.
Describe the process used by resolvers to resolve names.
Troubleshoot name resolution.
Implementing TCP/IP
3-43
Configuring a Computer Name
Key Points
Name resolution is the process of converting computer names to IP addresses. Name resolution is an
essential part of computer networking because it is easier for users to remember names than abstract
numbers such as an IPv4 address. The application developer determines an applications name. In
Windows operating systems, applications can request network services through Windows Sockets,
Winsock Kernel, or NetBIOS. If an application requests network services through Windows Sockets or
Winsock Kernel, it uses host names. If an application requests services through NetBIOS, it uses a NetBIOS
name.
Note: NetBIOS is a session management protocol used in earlier versions of Microsoft network
operating systems. Both Windows 7 and Windows Server 2008 R2 provide support for NetBIOS.
Many current applications, including Internet applications, use Windows Sockets to access network
services. Newer applications designed for Windows 7 and Windows Server 2008 R2 use Winsock Kernel.
Earlier applications use NetBIOS.
Host Name
A host name is a user-friendly name that is associated with a hosts IP address and identifies it as a TCP/IP
host. A host name can be no more than 255 characters in length and contains alphanumeric characters,
periods, and hyphens.
Host names are an alias or a fully qualified domain name (FQDN).
An alias is a single name associated with an IP address.
The host name combines an alias with a domain name to create the FQDN.
The elements of the name include periods as separators. Applications use the structured FQDN on the
Internet.
An example of an FQDN is payroll.contoso.com.
3-44
NetBIOS Name
Applications use the 16-character NetBIOS name to identify a NetBIOS resource on a network. A NetBIOS
name represents a single computer or a group of computers. NetBIOS uses the first 15 characters for a
specific computers name and the final sixteenth character to identify a resource or service on that
computer. An example of a NetBIOS name is NYC-SVR2[20h].
Implementing TCP/IP
3-45
What Is DNS?
Key Points
DNS is a service that manages the resolution of host names to IP addresses. TCP/IP identifies source and
destination computers by their IPv4 or IPv6 addresses. However, since it is easier for users to remember
names than numbers, common or user-friendly names are assigned to the computers IP address. The
most common type of name used is a host name.
In addition to resolving host names to IP addresses, DNS can be used to:
Locate domain controllers and global catalog servers. This is used when logging on to the Active
Directory Domain Service (AD DS).
Resolve IP addresses to host names. This is useful when a log file contains only the IP address of a
host.
Locate mail server for e-mail delivery. This is used for the delivery of all Internet e-mail.
3-46
DNS Zones and Records
Key Points
A DNS zone is a specific portion of DNS namespace that can contains DNS records. A DNS zone is hosted
on a DNS server that is responsible for responding to queries for records in a specific domain. For example
the DNS server responsible for resolving www.contoso.com to an IP address would have the contoso.com
zone.
Forward Lookup Zones

Forward lookup zones are capable of hosting a number of different record types. The most common
record type in forward lookup zones is an A record, also known as a host record. This record is used when
resolving a host name to an IP address.
Other record types in forward lookup zones include:
SRV. Service records are used to locate domain controllers and global catalog servers.
MX. Mail exchange records are used to locate the mail servers responsible for a domain.
CNAME. Canonical name records resolve to another host name.
Reverse Lookup Zones

Reverse lookup zones contain PTR records. PTR records are used to resolve IP addresses to host names. An
organization typically has control over the reverse lookup zones for their internal network. However, some
PTR records for external IP addresses obtained from an Internet service provider (ISP) may be managed by
the ISP.
Implementing TCP/IP
3-47
How Internet DNS Names Are Resolved
Key Points
When DNS names are resolved on the Internet, an entire system of computers is used rather than just a
single server. There are 13 root servers on the Internet that are responsible for managing the overall
structure of DNS resolution. When you register a domain name on the Internet, you are paying for the
privilege of being part of this system.
The name resolution process for the name www.microsoft.com is:
1.
2.
3.
4.
5.
A workstation queries the local DNS server for the IP address of www.microsoft.com.
If the local DNS server does not have the information, then it queries a root DNS server for the
location of the .com DNS servers.
The local DNS server queries a .com DNS server for the location of the Microsoft.com DNS servers.
The local DNS server queries the Microsoft.com DNS server for the IP address of www.microsoft.com.
The IP address of www.microsoft.com is returned to the workstation.
The name resolution process can be modified by:
Caching. After a local DNS server resolves a DNS name, it will cache the results for approximately 24
hours. Subsequent resolution requests for the DNS name are given the cached information.
Forwarding. A DNS server can be configured to forward DNS requests to another DNS server instead
of querying root servers. For example, requests for all Internet names can be forwarded to a DNS
server at an ISP.
3-48
What Is WINS?
Key Points
WINS is a NetBIOS name server that you can use to resolve NetBIOS names to IPv4 addresses. WINS
provides a centralized database for registering dynamic mappings of NetBIOS names used on a network.
In addition to WINS, NetBIOS names can be resolved by broadcast messages or by implementing Lmhosts
files on all computers. Broadcast messages do not work well on large networks because they are filtered
out by routers. Using an Lmhosts file for NetBIOS name resolution is a high maintenance solution because
the file must be constantly updated on the computers.
WINS is built on a protocol that registers, resolves, and releases NetBIOS names by using unicast
transmissions, rather than repeated transmissions of broadcast messages. This protocol allows the system
to work across routers and eliminates the need for an Lmhosts file, restoring the dynamic nature of
NetBIOS name resolution and allowing the system to work seamlessly with DHCP. For example, when
dynamic addressing through DHCP assigns new IPv4 addresses to computers that move between subnets,
the computers register the new address with the WINS database automatically.
Implementing TCP/IP
3-49
The NetBIOS Name Resolution Process
Key Points
The NetBIOS name resolution process varies, depending on the NetBIOS over TCP/IP (NetBT) node type
that is specified on the computer. However, in most cases, the default NetBT node type is not altered. If all
NetBIOS name resolution methods fail, clients will attempt to use host name resolution methods to
resolve NetBIOS names.
Note: You can change the NetBIOS node type by modifying options in the registry. Alternatively, on
client computers that obtain a dynamic IPv4 configuration from a DHCP server, you can specify the
node type with DHCP options.
When a WINS server is configured on the computer, the NetBIOS name resolution process is as follows:
1.
2.
3.
4.
5.
6.
7.
Windows checks the local NetBIOS name cache.

Windows contacts its configured WINS servers.
Windows broadcasts as many as three NetBIOS Name Query Request messages on the directly
attached subnet.
Windows searches the Lmhosts file.
Windows checks whether the NetBIOS name is the same as the local host name.
Windows searches the DNS resolver cache.
Windows sends a DNS request to its configured DNS servers.
The name resolution process stops when the first IPv4 address is found for the name.
Note: NetBIOS name resolution is not used for IPv6 addresses.
3-50
The GlobalNames Zone
Key Points
The GlobalNames Zone (GNZ) is a new feature of Windows Server 2008. The GNZ provides single-label
name resolution for large enterprise networks that do not deploy WINS. Some networks may require the
ability to have static, global records with single-label names that WINS currently provides. These singlelabel names refer to well-known and widely-used servers with statically assigned IP addresses. A GNZ is
manually created and is not available for dynamic registration of records. GNZ is intended to help
customers migrate to DNS for all name resolution; the DNS Server role in Windows Server 2008 supports
the GNZ feature.
GNZ is intended to assist in the migration from WINS; however, it is not a replacement for WINS. GNZ is
not intended to support the single-label name resolution of records that are registered in WINS
dynamically and those that are not managed by IT administrators typically. Support for these dynamically
registered records is not scalable, especially for larger customers with multiple domains and/or forests.
The recommended GNZ deployment uses an AD DSintegrated zone, named GlobalNames that is
distributed globally.
Instead of using the GNZ, you can choose to configure DNS and WINS integration. You do this by
configuring the DNS zone properties to perform WINS-lookups for NetBIOS-compliant names. The
advantage of this approach is that you can configure client computers to only use a single name service,
DNS, and still be able to resolve NetBIOS-compliant names.
Implementing TCP/IP
3-51
How a Client Resolves a Name
Key Points
Windows supports a number of different methods for resolving computer names, such as DNS, WINS, and
the host name resolution process.
Domain Name System

DNS is the Microsoft standard for resolving host names to IP Addresses. Applications also use DNS to do
the following:
Locate domain controllers and global catalog servers. This is used when logging on to the AD DS.
Resolve IP addresses to host names. This is useful when a log file contains only a hosts IP address.
Locate mail server for e-mail delivery. This is used for the delivery of all Internet e-mail.
Windows Internet Naming Service

WINS provides a centralized database for registering dynamic mappings of a networks NetBIOS names.
Support is retained for WINS to provide backward compatibility.
You can resolve NetBIOS names by using:
Broadcast messages. Broadcast messages do not work well on large networks because routers do not
propagate broadcasts.
Lmhosts file on all computers. Using an Lmhosts file for NetBIOS name resolution is a high
maintenance solution because you must maintain the file manually on all computers.
Host Name Resolution Process

When an application specifies a host name and uses Windows Sockets, TCP/IP uses the DNS resolver
cache and DNS when attempting to resolve the host name. The hosts file is loaded into the DNS resolver
cache. If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution methods when
resolving host names.
3-52
Windows resolves host names by:

1.
2.
3.
4.
5.
6.
7.
Checking whether the host name is the same as the local host name.
Searching the DNS resolver cache.
Sending a DNS request to its configured DNS servers.
Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.
Contacting the hosts configured WINS servers.
Broadcasting as many as three NetBIOS Name Query Request messages on the subnet that is directly
attached.
Searching the Lmhosts file.
Note: You can exert control over the precise order used to resolve names. For example, if you disable
NetBIOS over TCP/IP, none of the NetBIOS name resolution methods are attempted. Alternatively,
you can modify the NetBIOS node type which results in a change in the precise order in which the
NetBIOS name resolution methods are attempted.
Implementing TCP/IP
3-53
Demonstration: How to Troubleshoot Name Resolution
Key Points
The primary tools for troubleshooting host name resolution are IPConfig.exe and Nslookup.exe. When you
troubleshoot name resolution, you must understand what name resolution methods the computer is
using, and in what order the computer uses them. Be sure to clear the DNS resolver cache between
resolution attempts. If you cannot connect to a remote host and suspect a name resolution problem,
troubleshoot name resolution as follows:
1.
Open an elevated command prompt, and then clear the DNS resolver cache by typing the following
command:
IPConfig /flushdns
2.
3.
Attempt to ping the remote host by its IP address. This helps identify whether the issue is related to
name resolution. If the ping succeeds with the IP address but fails by its host name, then the problem
is related to name resolution.
Attempt to ping the remote host by its hostname. For accuracy, use the FQDN with a trailing period.
For example, enter the following command at the command prompt:
Ping nyc-dc1.contoso.com.
4.
If the ping is successful, then the problem is probably not related to name resolution. If the ping is
unsuccessful, edit the C:\windows\system32\drivers
\etc\hosts text file, and add the appropriate entry to the end of the file. For example, add this line and
save the file:
10.10.0.10nyc-dc1.contoso.com
5.
Now perform the Ping-by-host-name test once more. Name resolution should now be successful.
Verify that the name resolved correctly by examining the DNS resolver cache; use the following
command at a command prompt:
IPConfig /displaydns
3-54
6.
7.
Remove the entry that you added to the hosts file, and then clear the resolver cache once more.
At the command prompt, type the following command, and then examine the contents of the
filename.txt file to identify the failed stage in name resolution:
Nslookup.exe d2 nyc-dc1.contoso.com. > filename.txt
You should understand how to interpret the output so that you can identify whether the name
resolution problem lies with the client computers configuration, the name server, or the
configuration of records within the name server zone database.
In this demonstration, you will see how to troubleshoot name resolution with Nslookup.exe.
1.
2.
3.
4.
5.
Stop the DNS service.

Test name resolution with ping.exe.
Restart the DNS service.
Test name resolution again.
Use Nslookup.exe to test DNS resolution.
Implementing TCP/IP
3-55
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
2.
3.
4.
5.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
In Hyper-V Manager, click 6420B-NYC-DC1, and in the actions pane, click Start.
In the actions pane, click Connect. Wait until the virtual machine starts.
Log on using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
Repeat these steps for 6420B-NYC-SVR2 and 6420B-NYC-CL1.
Lab Scenario
Contoso, Ltd. has created a new research and development team. As a result, computers are being
deployed to new R & D offices.
You have been tasked with assigning a number of client computers appropriate IP configurations, but first
you must choose a suitable IP addressing scheme for the new branches.
3-56
Exercise 1: Determining an Appropriate IPv4 Addressing Scheme

Scenario
You are responsible for planning the installation of new network components for these new branch
offices. Ed Meadows, your boss in Information Technology (IT), has visited some of the branch offices and
has drawn up a network plane. In addition, you have the Branch Office IP Addressing Scheme document
to help you determine an appropriate IP addressing scheme for the branches.
1.
2.

Answer the questions in the Branch Office IP Addressing Scheme document.
Charlotte Weiss
From:
Sent:
To:
Subject:
Attached:
28 Feb 2010 08:14
New branch offices IP addressing scheme
Contoso Branch IP Addressing.vsd
Charlotte,
I have attached the network diagram for the first three branches. There are around 100 hosts at each
branch, all of which require an IPv4 address. Dont forget those wide area network links; well need a
network address for each of them, too.
Well be placing a DHCP server at each branch to allocate IP addresses to the local hosts, so each
computer must be configured to obtain an IP address dynamically.
Regards,
Ed
Implementing TCP/IP
Contoso Branch IP Addressing.vsd
3-57
3-58

Branch Office IP Addressing Scheme
Document Author
Date
Charlotte Weiss
10th March
To design an IPv4 addressing scheme for the Contoso, Ltd. R & D branch offices.
One router connects the three branches back to the head office.
There are three wide area network (WAN) links.
There are three branches, each of which can be configured as a single subnet.
The network address 172.16.0.0/16 is allocated to the branch offices, while the head office uses
10.10.0.0/16.
Proposals
1. How many network addresses do you need to support these requirements?
2. What class address is 172.16.0.0/16?
3. Is this a private or public address?
4. Ed has allocated the first block of addresses to the first branch: 172.16.16.0/20. What is the next
logical subnet using this initial subnet?
5. What is the first and last host in this subnet?
6. What would the subnet mask be for hosts in this subnet?
7. Update the Contoso Branch IP Addressing.vsd diagram to show the network addresses you will
implement in the branches; do not worry about the WAN links
Results: After this exercise, you should have completed both the Contoso Branch IP Addressing.vsd
diagram and the Branch Office IP Addressing Scheme document.
Implementing TCP/IP
3-59
Exercise 2: Configuring IPv4 with Windows Server 2008

Scenario
While your addressing scheme for the branches is being considered, Ed has asked you to configure a new
DHCP server for the head office.
1.
2.
3.
4.
Configure a DHCP Scope.

Configure the client computer to obtain an IP address dynamically.
Verify that the client computer obtained an address.
Determine the IP address on the client computer.
Task 1: Configure a Dynamic Host Configuration Protocol (DHCP) scope

1.
2.
3.
4.
Switch to NYC-SVR2.
Open DHCP from Administrative Tools.
Delete the existing scope.
Use the following steps to create a new scope:
a.
b.
c.
d.
e.
Right-click IPv4 and then click New Scope.
Scope name: Head Office 1
Scope description: Client computer addresses
On the IP Address Range page, enter the following information:
Start IP address: 10.10.0.150
End IP address: 10.10.0.160
Length: 16
Subnet mask: 255.255.0.0
On the Add Exclusions and Delay page, accept the defaults.

On the Lease Duration page, accept the defaults.
On the Configure DHCP Options page, accept the defaults, and then use the following
information to configure the scope options:
i.
ii.
iii.
f.
g.
5.
Router address: 10.10.0.1.

On the Domain Name and DNS Servers page, accept the defaults.
On the WINS Servers page, accept the defaults.
On the Activate Scope page, accept the defaults.

On the Completing the New Scope Wizard page, click Finish.
In the console, expand Scope [10.10.0.0] Head Office 1, and then click Address Leases.
Task 2: Configure the client computer to obtain an IP address dynamically

1.
2.
3.
4.
5.
6.
Switch to NYC-CL1.
Open Control Panel.
Select Network and Internet and then select Network and Sharing Center.
In the left-pane, click Change adapter settings.
Right-click Local Area Connection and then click Properties.
Modify the Internet Protocol Version 4 (TCP/IPv4) properties with the following settings:
Obtain an IP address automatically.
3-60
7.
Obtain DNS server address automatically.
Click OK twice.
Task 3: Verify that the client computer obtained an address

1.
2.
Switch to the NYC-SVR2 computer.

In DHCP, press F5.
Note: You can see a new lease for NYC-CL1.
Task 4: Determine the IP address on the client computer

1.
2.
3.
Switch back to NYC-CL1.

Open a command prompt.
At the command prompt, type the following command and press ENTER:
Ipconfig /all
Question: What is the current IPv4 address?

Question: Is DHCP Enabled configured for Yes?
Question: What is the IP address of the DHCP server?
Question: When does the DHCP Lease expire?
Results: After this exercise, you should have created a DHCP scope and allocated a client address.
Implementing TCP/IP
Exercise 3: Verifying the Configuration

Scenario
Ed has asked you to verify the functionality of the DHCP server.
1.
2.
3.
4.
Stop DHCP.
Attempt to renew the IPv4 address on the client computer.
Restart DHCP.
Renew the client address and verify IPv4.
Task 1: Stop DHCP

1.
2.

In DHCP, right-click nyc-svr2.contoso.com, point to All Tasks, and then click Stop.
Task 2: Attempt to renew the IPv4 address on the client computer

1.
2.
Switch to the NYC-CL1 computer and switch to the command prompt.

Ipconfig /release
3.
Ipconfig /renew
Note: This might take a few minutes as the client computer attempts contact with the original DHCP
server, and then any other DHCP server.
4.
Ipconfig
5.
Question: What IPv4 address is listed?

Question: What does this signify?
Ping nyc-dc1.contoso.com
Note: You are unsuccessful.
Task 3: Restart DHCP
Switch to NYC-SVR2 and restart the DHCP service.
Task 4: Renew the client address and verify IPv4

1.
Switch to NYC-CL1 and at the command prompt, type the following command and press ENTER:
Ipconfig /renew

3-61
3-62
2.
Note: You are successful.
Results: After this exercise, you should have successfully verified the functionality of the DHCP server
in the head office.
Implementing TCP/IP
3-63
Exercise 4: Configuring and Testing Name Resolution

Scenario
Ed Meadows wants to establish a Web server on NYC-DC1.Contoso.com. However, he would prefer to use
the www prefix rather than nyc-dc1. You will create the required records in DNS to facilitate this request.
1.
2.
3.
4.
View the current DNS records.

Force a dynamic update.
Add a new DNS record.
Verify the record.
Task 1: View the current Domain Name System (DNS) records

1.
2.
Switch to NYC-DC1.
Open DNS Manager from Administrative Tools.
Question: What is the current IP address of the NYC-CL1 Host (A) record in the Contoso.com forward
lookup zone?
Task 2: Force a dynamic update

1.
2.
3.
4.
5.
6.
Switch to NYC-CL1.
In Network Connections, right-click Local Area Connection and then click Properties.
Modify the Internet Protocol Version 4 (TCP/IPv4) properties with the following settings:
IP address: 10.10.0.51
Default gateway: 10.10.0.1
Preferred DNS server: 10.10.0.10
Click OK twice.
Switch to NYC-DC1.
Refresh the display.
Question: What is the current IP address listed against the NYC-CL1 Host (A) record?
Task 3: Add a new DNS record

1.
Ipconfig /displaydns
2.
Question: What records are listed?

Ping www.contoso.com

3.
4.
Switch to NYC-DC1.
In DNS Manager, create a new record:
Type: New Alias (CNAME)
Alias name (uses parent domain if left blank): www
3-64
Fully qualified domain name (FQDN) for target host:

nyc-dc1.contoso.com
Task 4: Verify the record

1.
2.
Switch to NYC-CL1.

3.
Ipconfig /flushdns
4.

5.
Question: What record is returned regarding www.contoso.com?

Results: After this exercise, you should have successfully added a new DNS record.
Implementing TCP/IP
Exercise 5: Viewing the IPv6 Configuration

Scenario
Contoso, Ltd. is not currently planning to implement IPv6, but Ed wants to know what the current IPv6
addresses are. You will use Ipconfig to determine what IPv6 addresses are in use.
The main task for this exercise is as follows:
1.
Determine the current IPv6 address.
Task 1: Determine the current IPv6 address
On NYC-CL1, at the command prompt, type the following command and press ENTER.
Ipconfig /all
Question: Is there an IPv6 address listed?

Question: What kind of address is it?
Results: After this exercise, you should have determined that the local host has only a link-local IPv6
address
To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1.
2.
3.
4.
5.
6.
On the host computer, start Hyper-V Manager.

Right-click 6420B-NYC-DC1 in the Virtual Machines list, and then click Revert.
In the Revert Virtual Machine dialog box, click Revert.
In the Virtual Machines pane, click 6420B-NYC-DC1, and then in the actions pane, click Start.
To connect to the virtual machine for the next modules lab, click
6420B-NYC-DC1, and then in the actions pane, click Connect.
Important: Start the 6420B-NYC-DC1 virtual machine first, and ensure that it is fully started before
starting the other virtual machines.
3-65
3-66
Review Questions
1.
2.
3.
4.
5.
NetBIOS operates at which layer of the OSI reference model?

Which transport layer protocol provides for connectionless oriented delivery in IP-based networks?
Your host computer has been assigned the following IPv4 configuration: 10.10.16.1/20. The default
gateway is: 10.10.8.1. You are experiencing communications problems. Why?
You do not want to implement WINS in your network, but you do have some legacy applications that
require NetBIOS. How could you manage NetBIOS names within your existing DNS infrastructure?
You are troubleshooting DNS name resolution from a client computer. What must you remember to
do before each test?
Tools
Tool
Use for
Where to find it
Ipconfig.exe
Verifying and testing IP
Command line
configuration
Nslookup.exe
Troubleshooting DNS
Command line
Ping.exe
Verify basic IP functionality
Command line
Netsh.exe
Configuring network settings,
Command line
including IP settings, from the

command line
Implementing Storage in Windows Server
Module 4
Contents:
Lesson 1: Identifying Storage Technologies
4-3
Lesson 2: Managing Disks and Volumes
4-15
Lesson 3: Implementing RAID
4-22
4-30
4-1
4-2
Module Overview
One of the key components when you plan and deploy Windows Server 2008 R2 operating system
computers is storage. Most organizations require a great deal of storage because users and applications
are constantly working with and creating new data that needs to be stored in a central location.
For example, every e-mail sent or received requires storage. Every time someone visits a Web site, a log
gets written and storage gets consumed. Every time someone logs into a server, an audit trail is created in
an event log and storage is used. Even as files are created, copied and moved, storage is involved.
This module will introduce you to different storage technologies, discuss how to implement the storage
solutions in Windows Server 2008 R2 and will finish a discussion on a resilient strategy for your storage
that will be tolerant in various ways, helping to avoid unplanned downtime and loss of data.
Objectives
After completing this module you will be able to:
Identify a suitable storage technology.
Manage storage within Windows Server.
Implement disk fault tolerance.
4-3
Lesson 1
Identifying Storage Technologies
As you plan for any server deployment, you will inevitably need storage. There are various types of
storage, from locally attached, to remotely accessed via Ethernet, or even fiber connected. Each solution
has benefits as well as pitfalls associated with it.
As you prepare to deploy storage for your environment, you need to make some important decisions. Ask
yourself the following questions. Will the storage need to be fast? Will it need to be highly available? How
much storage will your deployment actually require? How much resilience will you need to add to the
initial storage requirement in order to ensure your investment remains secure in the future? This lesson
will address these questions.
Objectives
After completing this lesson you will be able to:
Describe local direct access storage (DAS).
Describe network-attached storage (NAS).
Describe storage area networks (SANs).
Describe Fiber Channel SANs.
Describe iSCSI SANs.
Implement Internet small computer system interface (iSCSI) with Windows Server.
4-4
What Is Direct Attached Storage?
Key Points
Almost all servers provide some built-in storage. This type of storage is referred to as DAS. DAS can be
disks that are physically located inside the server or can be disks that are connected to the server with a
universal serial bus (USB) cable or an alternative communications methodology. The primary idea behind
DAS is that it is physically connected to the server. If the server suffers a power failure, the storage will be
unavailable as well. DAS has both advantages and disadvantages and also comes in various types, which
affect the speed and the performance of the storage.
Common Types of DAS

There are five common types of DAS that can also be used in other instances such as SAN and NAS
technologies described later in this module.
The five common types of DAS are:
Enhanced Integrated Drive Electronics (EIDE). EIDE is based on standards that were created in 1986.
The Integrated Drive Electronics (IDE) interface supports both the ATA-2 and ATAPI standards.
Enhanced refers to the ATA-2 (Fast ATA) standard which provides faster transfer rates and allows for
multiple channels, each connecting two devices. In practice, the terms EIDE, IDE and ATA are
synonymous. These drives are commonly found connected using a 40- or 80-wire cable and can only
have two devices chained at any time. Due to the addressing standards of this technology, there is a
128 gigabyte (GB) limitation on storage using EIDE. Further, the speeds of EIDE are limited to a
maximum of 133 megabytes (MB)/sec. EIDE drives are almost never used on servers today.
Serial Advanced Technology Attachment (SATA). SATA is a computer bus interface, or channel for
connecting the motherboard or device adapters to mass storage devices such as hard disk drives and
optical drives. SATA was designed to replace EIDE. It is able to use the same low-level commands, but
SATA host-adapters and devices communicate via a high-speed serial cable over two pairs of
conductors. SATA was introduced in 2003 and can operate at speeds of 1.5, 3.0 and 6.0 GB/sec
depending on the SATA revision (1, 2 or 3 respectively). SATA drives are less expensive than other
4-5
drive options but also provide less performance. Organizations may choose to deploy SATA drives
when they require large amounts of storage, but not high performance.
A variation on the SATA interface that has been released is eSATA, which is designed to enable high
speed access to externally attached SATA drives.
Small computer system interface (SCSI). SCSI is a set of standards for physically connecting and
transferring data between computers and peripheral devices. SCSI was originally introduced in 1978
and was designed as an interface on a lower level communication, subsequently allowing it to take
less processing power and perform transactions at higher speeds. SCSI became a standard in 1986.
Similar to EIDE, SCSI was designed to run over parallel cables; however, recently this has been
expanded to run over other various mediums. The 1986 parallel specification of SCSI had initial speed
transfers of 40 MB/sec. The more recent 2003 implementation, Ultra 640 SCSI, also known as Ultra 5,
can transfer data at speeds of 5120 MB/sec. SCSI disks provide higher performance than SATA disks
but are also more expensive.
Serial Attached SCSI (SAS). SAS is a further implementation of the SCSI standard. SAS depends on a
point-to-point serial protocol that replaces the parallel SCSI bus technology, and uses the standard
SCSI command set. SAS offers backwards-compatibility with second generation SATA drives.
Solid State Drives (SSD). SSDs are data storage devices that use solid-state memory to store data
rather than using the spinning disks and movable read/write heads that are used in other disks. SSDs
use microchips to store the data and do not contain any moving parts. SSDs provide very fast disk
access, use less power and are less susceptible to failure from being dropped, but are also much more
expensive per MB of storage. SSDs typically use the SATA interface so you can usually replace hard
disk drives with SSDs without any modification.
Note: Another type of DAS is USB-attached storage. USB-attached storage uses either SATA drives or
solid state media to store data.
Advantages of DAS
A typical DAS system is made of a data storage device that would include enclosures holding a number of
hard disk drives connected directly to a computer through a host bus adapter (HBA). Between the DAS
and the computer there are no network devices such as, a hub, switch, or router, therefore connecting the
storage directly to the server which usually utilizes it. This makes DAS the easiest storage system to deploy
and maintain.
DAS is also usually the least expensive storage available today and is widely available in various speeds,
sizes and accommodates varying installations. In addition to being inexpensive, DAS is very easy to
configure. In most instances, you would simply plug in the device, ensure Windows Server 2008 R2
recognizes it, and then use Disk Management to configure the disks.
Disadvantages of DAS
Storing data locally on DAS makes the centralization of data more difficult because the date is located on
multiple servers. This can make it more complex to backup the data and for users to locate the data they
are looking for. Furthermore, if any one device that has DAS connected to it suffers a power outage, the
storage is also unavailable.
DAS also has drawbacks in its access methodologies. Due to the way reads and writes are handled by the
server operating system, DAS can be slower than other storage technologies. Another drawback with DAS
is that it shares the processing power and memory of the server it is connected to. This means that on
very busy servers, disk access may be slowed down by the fact that the operating system is overloaded.
4-6
What Is Network Attached Storage?
Key Points
NAS is storage that is connected to a dedicated storage device and then accessed over the network. NAS
is different than DAS in that the storage is not directly attached to each individual server, but rather is
accessible across the network to many servers. Each NAS device has a dedicated operating system which
solely controls the access to the data on the device. This reduces the overhead associated with sharing the
storage device with other server services. An example of NAS software is Windows Storage Server.
To enable NAS storage, you need a storage device. Frequently, these devices are appliances which do not
have any regular server interfaces such as keyboards, mice and monitors. Instead, to configure the device,
you just provide a network configuration and then access the device across the network. To configure the
device, you create network shares on the device which are then accessible to users on the network using
the name of the NAS and the share created.
Advantages of NAS
NAS is an ideal choice for organizations looking for a simple and cost-effective way to achieve fast data
access for multiple clients at the file level. Implementers of NAS benefit from performance and
productivity gains as the processing power of the NAS device is dedicated solely to the distribution of the
files.
NAS also fits nicely into the market as a mid-priced solution. It is not expensive but suits more needs than
DAS in that NAS storage is usually much larger than DAS and offers a single location for all critical files,
rather than inter-dispersed on various servers or devices with DAS. In summary, NAS offers centralized
storage at an affordable price.
NAS can also be considered a Plug and Play solution that is easy to install, deploy and manage, with or
without information technology (IT) staff at hand.
4-7
Disadvantages of NAS
While NAS is affordable for mid-size businesses, it is not expandable as a SAN solution. NAS, similar to
DAS, also has overheads of an operating system, which reads and writes data in different ways than a SAN
solution; therefore they are more frequently prone to the possibility of data loss depending on the size of
the data being copied.
NAS is also slower than SAN technologies. NAS is frequently accessed via Ethernet protocols and as such,
relies heavily on the network supporting the NAS solution. For this reason, NAS is commonly used as a file
sharing/storage solution and cannot and should not be used with data intensive applications such as
Microsoft Exchange Server and Microsoft SQL Server.
4-8
What Is a Storage Area Network?
Key Points
The third type of storage is a SAN. A SAN is a specialized highspeed network that connects computer
systems, or host servers, to high performance storage subsystems. A SAN usually includes various
components such as HBAs, special switches helping route traffic, and storage disk arrays with logical unit
numbers (LUNs) for storage.
A SAN enables multiple servers to access a pool of storage in which any server can potentially access any
storage unit. A SAN uses a network like any other network, such as a local area network (LAN). Therefore,
you can use a SAN to connect many different devices and hosts in order to provide access to any device
from anywhere.
Unlike DAS or NAS, a SAN is controlled by a hardware device and does not rely on software to deliver
access to storage.
Advantages of SAN
SAN technologies read and write at block levels, making data access much speedier. Reading and writing
at the block level takes away knowledge of application data. With most DAS and NAS solutions, if you
write a file of 8 GB, the entire file will have to be read/written and its checksum calculated, whereas with
SAN, it will be written to based on the block size the SAN is set up for. This speed is accomplished by fiber
access methodologies as well as the block level writing, rather than having to read/write an entire file with
a checksum.
SANs also provide:
Centralization of storage into a single pool, which enables storage resources and server resources to
grow independently. It also enables storage to be dynamically assigned from the pool when it is
required. Storage on a given server can be increased or decreased as needed without complex
reconfiguring or re-cabling of devices.
Common infrastructure for attaching storage, which enables a single common management model
for configuration and deployment.
Storage devices that are inherently shared by multiple systems.
Data transfer directly from device to device without server intervention.
A high level of redundancy. Most SANs are deployed with multiple network devices and paths
through the network. As well, the storage device contains redundant components such as power
supplies and hard disks.
4-9
Disadvantages of SAN
The main drawback to SAN technology is that it often requires management tools and expertise skills due
to the complexities in the configuration and is considerably expensive. An entry level SAN can often cost
as much a fully loaded server with DAS or even an NAS device and often that is without any SAN disks
or configuration.
In order to manage a SAN, not only do you have to often use command-line utilities, but you also have to
have a firm understanding of the underlying technology (i.e., the LUN setup, the fiber channel back end,
the block sizing, etc.). Also, each storage vendor often implements SANs using different tools and features.
Because of this, organizations often have dedicated personnel just to manage the SAN deployment.
Note: SANs can be implemented using a variety of technologies. The most common options are Fiber
Channel and iSCSI. These technologies are described later in this lesson.
4-10
What Is a Fiber Channel SAN?
Key Points
The most common option for implementing a SAN is to implement a fiber channel infrastructure. Fiber
channel transmits the SCSI commands required to interact with the hard disks over twisted-pair copper
wire, or more commonly fiber optic cables. Fiber channel is commonly found in speeds of 1, 2, or 4
gigabits (GB) per second.
Fiber channel SAN components include:
Specialized interface cards that connect the servers with the SAN. These devices, usually called HBAs,
enable the server to communicate with the storage device across the SAN.
Note: iSCSI SANs can also use HBAs. Each type of HBA is specific to the technology used to access
the storage device.
Specialized network switches. These switches route SCSI commands rather than routing IP traffic.
Twisted-pair copper wire or fiber optic cables. All network connections between the servers and the
storage device use these cables.
Storage device. SANs require one more dedicated storage devices. Frequently these devices can
contain hundreds of disks and store multiple terabytes of data.
LUNs. In most cases, servers are given access to only a small part of the entire storage available on the
storage device. To implement this storage solution, the storage available is divided into smaller pieces
and then exposed to the servers through a LUN. On the server, each LUN appears as an attached
drive.
Multipath I/O
In most cases, you will deploy multiple HBAs on each server that is connected to a SAN, and connect the
HBAs to two separate fiber channel networks. This means that the storage is still accessible if there is a
failure of one of the networks.
4-11
In order to simplify the implementation of this solution, Microsoft provides a generic storage driver that
uses multipath I/O (MPIO) to simplify the implementation of this solution for storage vendors.
MPIO provides:
Dynamic configuration and replacement of devices. The operating system must be able to
dynamically discover and configure adapters that are connected to the same storage media, in order
to support multiple paths to the same storage device.
Generic device specific module. Microsoft supplies a generic device specific module (DSM) that
interacts with the multipath bus driver on behalf of the storage device.
Dynamic load balancing. The multipath software supports the ability to distribute I/O transactions
across multiple adapters. The DSM is responsible for load-balancing policy for its storage device.
Fault tolerance. Multipath software can function in a fault-tolerant mode in which only a single
channel is active.
Fiber Channel over Ethernet (FCoE)

FCoE is an encapsulation of fiber channel frames over Ethernet networks. This allows fiber channel to use
10 GB Ethernet networks while preserving the fiber channel protocol rather than having to use traditional
fiber, fiber cards and fiber switches.
FCoE maps fiber channel natively over Ethernet while being independent of the Ethernet forwarding
scheme. The FCoE protocol specification allows SAN traffic to be passed by Ethernet rather than having to
have dedicated hardware in place.
It should be noted that FCoE operates directly above Ethernet in the network protocol stack and
therefore, is not routable at the IP layer, and will not work across routed IP networks.
4-12
What Is an iSCSI SAN?
Key Points
A second option for implementing SANs is to use iSCSI. iSCSI transmits SCSI commands over internet
protocol (IP) rather than using fiber channel. iSCSI is an IP-based storage networking standard for linking
servers to storage devices. iSCSI carries standard SCSI commands over IP networks to facilitate data
transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data
over LANs, wide area networks (WANs), or even over the larger Internet.
iSCSI relies on standard Ethernet networking, and does not require any specialized hardware such as HBA
or fiber channel network switches. iSCSI uses TCP/IP (typically TCP ports 860 and 3260). In essence, iSCSI
simply allows two hosts to negotiate and then exchange SCSI commands using an existing network. By
doing this, iSCSI takes a popular high performance local storage bus and emulates it over WANs, creating
a SAN. Unlike some SAN protocols, iSCSI requires no dedicated cabling; it can be run over existing
switching and IP infrastructure. However, the performance of an iSCSI SAN deployment can be severely
degraded if not operated on a dedicated network or subnet. iSCSI is often seen as a low-cost alternative
to fiber channel, which requires dedicated infrastructure.
Note: While you can use a standard network connection to connect the server to the iSCSI storage
device, you can also use dedicated HBAs or dedicated network adapters.
An iSCSI SAN deployment includes the following:
High performance and highly available IP network. You can use standard network interface adapters
and standard network switches to connect the servers to the storage device. In order to provide
adequate performance, the network should provide speeds of at least 1 gigabyte per second (Gbps),
and should provide multiple paths through the network.
iSCSI Targets. iSCSI targets are located on the storage device and are used to enable access to the
storage. Many storage vendors implement hardware level iSCSI targets as part of their storage
4-13
devices. Other devices or appliances, such as Windows Storage Server devices, implement iSCSI target
by using software.
iSCSI Initiators. iSCSI initiators run on the servers that want to connect to the storage device. Windows
Server 2008 and Windows Server 2008 R2 provide iSCSI initiators as a standard component.
iSCSI Qualified Name (IQN). IQNs are globally unique identifiers that are used to address initiators
and targets on an iSCSI network. When you configure an iSCSI target, you must configure the IQN for
the iSCSI initators that will be connecting to the target. iSCSI initiators also use IQNs to connect to the
iSCSI targets.
4-14
Demonstration: How to Implement an iSCSI Storage Solution in Windows

Server
In this demonstration you will see how to:
Create iSCSI targets.
Configure the iSCSI initiator.
Connect to an iSCSI target.

Important: The iSCSI Software Target used in the demonstration is packaged and distributed
optionally by Original Equipment Manufacturers (OEMs) on systems that are running Windows
Storage Server. Microsoft does not support the use of the iSCSI Software Target on Windows Server
2008 R2, and is it is being used in this context for training purposes only.
Create an iSCSI target on NYC-SVR3 for Data1.
Connect NYC-SVR2 to the iSCSI target.
Create a volume on the iSCSI storage.
Question: What parts are critical when using the iSCSI initiator to connect to an iSCSI target?
4-15
Lesson 2
Managing Disks and Volumes
Identifying which storage technology to deploy is the first critical step in making sure your environment is
prepared for data storage requirements. However, identifying the type of storage is only the first step.
There are other steps you need to take to prepare for data storage requirements.
Once you have identified the best storage solution, or have chosen a mix of storage solutions, you need
to figure out the best way to manage that storage. Ask yourself the following questions. Will all of the
disks be allocated the same amount of storage space? Will the type of file systems be the same for all
disks?
Questions like these as well as why it is important to manage disks and what is important about the
management of disks will be described throughout this lesson.
Objectives
Describe basic and dynamic disks.
Describe and select file systems.
Describe mount points.
Create and manage volumes.
4-16
Basic Disks vs. Dynamic Disks
Key Points
Windows Server 2008 R2 supports both basic disks and dynamic disks.
Basic Disk
Basic storage uses normal partition tables supported by MS-DOS, and all versions of Microsoft Windows.
A disk initialized for basic storage is called a basic disk. A basic disk contains basic partitions, such as
primary partitions and extended partitions. Extended partitions can be subdivided into logical drives.
By default, when you initialize a disk in Windows, the disk will be configured as a basic disk. Basic disks
can easily be converted to dynamic disks without any loss of data. However, to convert a dynamic disk to
basic disk, all data on the disk will be lost.
Some applications cannot address data stored on dynamic disks. In addition, there is no performance gain
by converting basic disks to dynamic disks. For these reasons, most administrators do not convert basic
disks to dynamic disks unless they need to use some of the additional volume configuration options
available with dynamic disks.
Dynamic Disk
Dynamic storage is supported in all Windows operating systems beginning with the Windows XP
operating systems and the Microsoft Windows NT Server 4.0 operating system. A disk initialized for
dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes, such as simple
volumes, spanned volumes, striped volumes, mirrored volumes, and redundant array of independent disks
(RAID)-5 volumes. With dynamic storage, you can perform disk and volume management without the
need to restart Windows.
When you configure dynamic disks, you create volumes rather than partitions. A volume is a storage unit
made from free space on one or more disks. It can be formatted with a file system and can be assigned a
drive letter or configured with a mount point.
4-17
Simple Volumes. A simple volume uses free space from a single disk. It can be a single region on a
disk or consist of multiple, concatenated regions. A simple volume can be extended within the same
disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a
spanned volume.
Spanned Volumes. A spanned volume is created from free disk space that is linked together from
multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume
cannot be mirrored and is not fault-tolerant; therefore if you lose one disk, you lose all of the
spanned volume.
Striped Volumes. A striped volume is a volume whose data is spread across two or more physical
disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks.
A striped volume cannot be mirrored or extended and is not fault-tolerant, again meaning the loss
of one disk will cause the loss of data immediately. Striping is also known as RAID-0.
Mirrored Volumes. A mirrored volume is a fault-tolerant volume whose data is duplicated on two
physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If
one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume
cannot be extended. Mirroring is also known as RAID-1.
RAID-5 Volumes. A RAID-5 volume is a fault-tolerant volume whose data is striped across a minimum
of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is
also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on
that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be
mirrored or extended.
Required Disk Volumes

Regardless of which type of disk you use, you must configure a system volume and boot volume on one
of the hard disks in the server.
System Volumes. The system volume contains the hardware-specific files that are needed to load
Windows (for example, Bootmgr, BOOTSECT.bak, and BCD). The system volume can be, but does not
have to be, the same as the boot volume.
Boot Volumes. The boot volume contains the Windows operating system files that are located in the
%Systemroot% and %Systemroot%'System32 folders. The boot volume can be, but does not have to
be, the same as the system volume.
Note: When you install the Windows 7 operating or Windows 2008 R2 in a clean installation, a
separate system volume is created to enable encrypting the boot volume by using BitLocker.
4-18
Selecting a File System
Key Points
File Allocation Table (FAT)
FAT is the most simplistic of the file systems supported by Windows. The FAT file system is characterized
by a table that resides at the very top of the volume. To protect the volume, two copies of the FAT are
kept in case one becomes damaged. In addition, the FAT tables and the root directory must be stored in a
fixed location so that the system's boot files can be correctly located.
A disk formatted with FAT is allocated in clusters, whose sizes are determined by the size of the volume.
When a file is created, an entry is created in the directory and the first cluster number containing data is
established. This entry in the FAT table either indicates that this is the last cluster of the file, or points to
the next cluster. There is no organization to the FAT directory structure, and files are given the first open
location on the drive.
Because of the size limitation with the file allocation table, the original release of FAT could only access
partitions that were less than 2 GB in size. To enable larger disks, Microsoft developed FAT32. FAT32
supported partitions up to 2 terabytes.
FAT does not provide any security for files on the partition. You should never use FAT or FAT32 as the file
system for disks attached to Windows Server 2008 R2 servers. You might consider using FAT or FAT32 to
format external media such as USB flash media.
NTFS File System

NTFS is the standard file system for all Windows operating systems beginning with Windows NT Server
4.0. Unlike FAT, there are no special objects on the disk and there is no dependence on the underlying
hardware, such as 512 byte sectors. In addition, there are no special locations on the disk, such as FAT
tables, in NTFS.
NTFS has several improvements over FAT such as improved support for metadata and the use of
advanced data structures to improve performance, reliability, and disk space utilization, plus additional
4-19
extensions such as security access control lists (ACLs), which allow for auditing and file system journaling
as well encryption.
NTFS is required for a number of Windows Server 2008 R2 roles and features such as Active Directory
Directory Services, Volume Shadow Services, Distributed File Services and File Replication Services. NTFS
also provides a much higher level of security than FAT or FAT 32. For these reasons, you should always use
NTFS for all hard disks connected to Windows Server 2008 R2 or Windows 7 computers.
4-20
What Is a Mount Point?
Key Points
Mount points are used in Windows operating systems to make a portion or an entire part of a disk
useable by the operating system. Most commonly, mount points are associated with drive letter mappings
so that the operating system can gain access to the disk through the drive letter.
With Windows operating systems beginning with the Windows 2000 Server operating system, you can
also enable volume mount points, which enable you to mount a hard disk to an empty folder that is
located on another drive. For example, if you add a new hard disk to a server, rather than mounting the
drive using a drive letter, you can assign a folder name such as C:\Datadrive to the drive. When you do
this, any time you access the C:\Datadrive folder, you are actually accessing the new hard disk.
Volume mount points can be useful in the following scenarios:
If you are running out of drive space on a server and you want to add disk space without modifying
the folder structure. You can add the hard disk, and configure a folder to point to the hard disk.
Note: You can assign volume mount points only to empty folders on an NTFS partition. This means
that if you want to use an existing folder name, you must first rename the folder, create and mount
the hard disk using the required folder name, and then copy the data to the mounted folder.
If you are running out of available letters to assign to partitions or volumes. If you have many hard
disks attached to the server, you may run out of available letters in the alphabet to assign drive
letters. By using a volume mount point, you can add additional partitions or volumes without using
more drive letters.
If you need to separate disk input\output within a folder structure. For example, if you are using an
application that requires a specific file structure, but which uses the hard disks extensively, you can
separate the disk I\O by creating a volume mount point within the folder structure.
4-21
Demonstration: How to Create and Manage Volumes in Windows Server
In this demonstration you will see how to create and manage volumes in Windows Server.
This demonstration shows how to configure volumes using the command-line tools diskpart and Disk
Management. Most disk configuration can be completed using Disk Management. In some cases, for
example, if you are trying to repair a server using the recovery environment, you will have to use diskpart
if you need to change the disk configuration.
1.
2.
3.
4.
Create a Simple volume using diskpart.

Create a Striped volume using Disk Management.
Configure a volume mount point.
Resize volumes using Disk Management.
4-22
Lesson 3
Implementing RAID
Now that you have learned about the types of storage and the methods in which you can address the
storage, the next important thing is to consider reliability and availability. In most organizations, the data
stored on the storage attached to Windows Server 2008 R2 servers will be important and it will be
essential that the data is always available.
Windows Server 2008 R2 supports the use of RAID to provide this type of reliability. This lesson provides
an overview of RAID and provides suggestions on the type of RAID to use in various scenarios.
Objectives
Explain the need for disk fault tolerance.
Describe each of the RAID solutions.
Explain the value of RAID levels.
Describe how to implement RAID in Windows Server.
4-23
What Is RAID?
Key Points
RAID is a technology that enables you to configure storage systems that provide high reliability and
potentially high performance. RAID implements these storage systems by combining multiple disks into a
single logical unit called a RAID array that, depending on the configuration, can withstand the failure of
one or more of the physical hard disks, or provide higher performance than is available by using a single
disk.
RAID provides a very important component in planning and deploying Windows Server 2008 R2 servers.
In most organizations, it is important that the servers be available all of the time. Most servers provide
highly redundant components such as redundant power supplies, and redundant network adapters. The
goal of this redundancy is to ensure that the server remains available even when a single component on
the server fails. By implementing RAID, you can provide the same level of redundancy for the storage
system.
How RAID Works

RAID enables fault tolerance by using additional disks to ensure that the disk subsystem can continue to
function even if one or more disks in the subsystem fail. RAID uses two options for enabling fault
tolerance:
Disk mirroring. With disk mirroring, all of the information that is written to one disk is also written to
another disk. If one of the disks fails, the other disk is still available.
Using parity information. Parity information is used to calculate the information that was stored on a
disk in the event of a disk failure. If this option is used, the server or RAID controller calculates the
parity information for each block of data written to the disks, and then stores this information on
another disk or across multiple disks. If one of the disks in the RAID array fails, the server can use the
data that is still available on the functional disks and the parity information to recreate the data that
was stored on the failed disk.
4-24
RAID subsystems can also provide potentially better performance than single disk by distributing disk
reads and writes across multiple disks. For example, when implementing disk striping, the server can read
information from all hard disks in the stripe set. When combined with multiple disk controllers, this can
provide significant improvements in disk performance.
Important: Although RAID can provide a greater level of tolerance for disk failure, you should not use
RAID to replace traditional backup. In case a server were to have a power surge or catastrophic failure
and all of the disks were to fail, then you would still need to rely on standard backups.
Question: Should all disks be configured with the same amount of fault tolerance?
4-25
Considerations for Implementing RAID
Key Points
When implementing RAID, you need to make several decisions.
Hardware RAID vs. Software RAID

Hardware RAID is implemented by installing a RAID controller in the server, and then configuring RAID by
using the RAID controller configuration tool. With this implementation, the RAID configuration is hidden
from the operating system as the RAID arrays are exposed to the operating system as single disks. The
only configuration you need to perform in the operating system is to create volumes on the disks.
Software RAID is implemented by exposing all of the disks available on the server to the operating system
and then configuring RAID from within the operating system. Windows Server 2008 R2 supports the use
of software RAID and you can use Disk Management to configure several different levels of RAID.
When choosing to implement hardware or software RAID, consider the following:
Hardware RAID requires disk controllers that are RAID capable. Most disk controllers shipped with
new servers have this functionality.
To configure hardware RAID, you need to access the disk controller management program. Normally,
you can access this during the server boot process.
Implementing disk mirroring for the disk containing the system and boot volume with software RAID
can require additional configuration when a disk fails. Because the RAID configuration is managed by
the operating system, you must configure one of the disks in the mirror as the boot disk. If that disk
fails, you may need to modify the boot configuration for the server in order to start the server. This is
not an issue with hardware RAID because the disk controller will access the available disk and expose
it to the operating system.
In older servers, you may get better performance with software RAID when using parity because the
server processor could calculate parity more quickly than the disk controller. This is no longer an issue
4-26
with newer servers, where you may get better performance on the server because you can offload the
parity calculations to the disk controller.
Choosing a RAID Level

You can configure different levels of RAID. When you configure a RAID level, you need to be aware of the
following implications:
Performance implications. Some RAID levels provide very high performance while other RAID levels
provide much worse performance. Some RAID levels provide high read performance, but lower write
performance. You need to consider these performance characteristics when choosing a RAID level.
Level of redundancy. RAID levels also provide different levels of redundancy. Some RAID levels cannot
support the loss of any disks, some RAID levels can support the loss of one or more disks. You need to
consider your requirements for redundancy when choosing a RAID level.
Storage utilization. RAID levels also have different levels of storage utilization. With some RAID levels,
the storage capacity for the entire RAID array is equal to the total amount of disk space for all disks in
the array. For other RAID levels, one or more disks may be used to store parity information. With disk
mirroring, the RAID array storage capacity is half of the storage capacity of the disks.
In most cases, you will need to choose which of the three options are most important for your RAID
implementation. Each RAID level provides a high level of functionality for one or two options, but no RAID
level provides high functionality for all options. This means that you will need to evaluate the required
RAID level for each server or application separately.
4-27
RAID Levels
Key Points
When implementing RAID, you need to decide what level of RAID to implement. The table below lists the
features for each different RAID level.
RAID Levels
Level
Description
Space
Performance utilization
Redundancy Comments
RAID 0 Striped set

without parity or
mirroring
Data is written
sequentially to
each disk
High read
and write
performance
All space
on the
disks is
available
A single disk Use only in situations where you

failure results require high performance and can
in the loss of tolerate data loss
all data
RAID 1 Mirrored set

without parity or
striping
Data is written to
both disks at the
same time
Good
performance
Can only
use the
amount of
space
available
on the
smallest
disk
Can tolerate a Frequently used for system and

single disk
boot volumes with hardware RAID
failure
RAID 2 Data is written in Extremely

bits to each disk high
with parity written performance
to separate disk
or disks
One or
more disks
used for
parity
Can tolerate a Requires that all disks be

single disk
synchronized
failure
Not currently used
4-28
RAID 3 Data is written in Very high

bytes to each disk performance
with parity written
to separate disk
or disks
One disk
used for
parity
Can tolerate a Requires that all disks be

single disk
synchronized
failure
Rarely used
RAID 4 Data is written in

blocks to each
disk with parity
written to a
dedicated disk
Good read
One disk
performance, used for
poor write
parity
performance
Can tolerate a Rarely used

single disk
failure
RAID 5 Striped set with

distributed parity
Data is written in
blocks to each
disk with parity
spread across all
disks
Good read
performance,
poor write
performance
Can tolerate a
The
equivalent single disk
of one disk failure
used for
parity
Very commonly used for data

storage where performance is not
critical but maximizing disk usage
is important
RAID 6 Striped set with

dual distributed
parity
Data is written in
blocks to each
disk with double
parity written
across all disks
Good read
performance,
poor write
performance
The
equivalent
of two
disks used
for parity
Can tolerate
two disk
failures
Commonly used for data storage

where performance is not critical
but maximizing disk usage and
availability are important
RAID
0+1
Striped sets in a
mirrored set
A set of drives is
striped, and then
the strip set is
mirrored
Very good
read and
write
performance
Half the
disk space
is available
due to
mirroring
Can tolerate Not commonly used

the failure of
two or more
disks as long
as all failed
disks are in
the same
striped set
RAID
1+0
Mirrored set in a
stripe set
Several drives are
mirrored to a
second set of
drives, and then
one drive from
each mirror is
striped
Very good
read and
write
performance
Half the
disk space
is available
due to
mirroring
Can tolerate
the failure of
two or more
disks as long
as both disks
in a mirror do
not fail
Frequently used in scenarios

where performance and
redundancy are critical, and the
cost of the additional disks
required is acceptable
Demonstration: How to Implement RAID in Windows Server
In this demonstration you will see how to implement mirroring and RAID 5.
Demonstration Step:
Implement mirroring and RAID 5.
Question: Do you think youll use Software RAID or hardware RAID? Will you even use RAID?
4-29
4-30
Lab Setup
1.
2.
3.
4.
5.
In Hyper-V Manager, click 6420B-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Repeat these steps for 6420B-NYC-SVR2 and 6420B-NYC-SVR3.
4-31
Exercise 1: Creating a New Volume

Scenario
Contoso, Ltd has just procured a new server and it is your job to add storage to their new infrastructure.
You will add disks of various sizes using differing methodologies.
1.
2.
Create a 100 MB Simple Disk.

Assign the new Disk a Drive Letter.
Task 1: Create a 100 MB simple disk

1.
2.
3.
On NYC-SVR3, open Disk Management.

Create a 100 MB Simple Volume at the end of Disk 0. Do not assign a drive letter.
Quick Format the volume as NTFS.
Task 2: Assign the new disk a drive letter
Assign letter J to the newly created 100 MB volume.

Results: After this exercise, you should have a J: drive which is 100 MB in size.
4-32
Exercise 2: Creating a Fault Tolerant Disk Configuration

Scenario
Contoso, Ltd is planning to store business critical information on the disks in the new servers. This means
that it is important that the data on the disk is always available. You need to implement a RAID-5 array to
ensure that the data remains available if a single disk fails.
1.
2.
3.
Convert disks.
Assign the three disks to a RAID 5 array.
Format the newly created array.
Task 1: Convert disks

1.
2.
3.
On NYC-SVR3, open the command prompt with administrative credentials and then run diskpart.
Use the Select disk command to select Disk 1. Bring the disk online with the Online Disk command,
remove the read only attribute but running the Attributes disk clear readonly command, and then
convert it to dynamic by using the Convert Dynamic command.
Repeat the previous step for Disk 2 and Disk 3.
Task 2: Assign the three disks to a RAID 5 array
On NYC-SVR3, at the diskpart command prompt, use the create volume raid size=100 disk=1,2,3
command to create a RAID 5 volume of 100 MB using disk 1, 2 and 3.
Task 3: Format the newly created array

1.
2.
At the diskpart command prompt, use the format fs=ntfs label=r5r quick command to quick
format the RAID-5 volume as an NTFS file system with the label R5R.
Close all open windows on NYC-SVR3.
Results: After this exercise, you should have configured a RAID 5 array in Diskpart with the label
R5R.
4-33
Exercise 3: Implementing the Windows iSCSI initiator

Scenario
Contoso, Ltd is also considering deploying a SAN using iSCSI. In order to gain experience with the process
for configuring the SAN, the organization has decided to deploy the iSCSI target software on a Windows
server. You need to implement the iSCSI target software and configure the iSCSI initiator software on
another server.
1.
2.
3.
4.

Connect the iSCSI target to NYC-SVR2.
Create volumes on the shared storage.
Important: The iSCSI Software Target used in this lab is packaged and distributed optionally by OEMs
on systems that are running Windows Storage Server. Microsoft does not support the use of the iSCSI
Software Target on Windows Server 2008 R2, and it is used in this context for training purposes only.
Task 1: Create an iSCSI target on NYC-SVR3 for Data1

1.
2.
3.
On NYC-SVR3, start the Microsoft iSCSI Software Target management console.

Create a new iSCSI target with the following configuration:
Target name: LUN-01
iSCSI Initiators Identifiers: IP address 10.10.0.20
Create a new virtual disk with the following configuration:
File: C:\Disks\Disk-01.vhd
Size: 8000 MB
Target name: LUN-01
Task 2: Create an iSCSI target on NYC-SVR3 for the Data2 disk
Create a new virtual disk with the following configuration:
File: C:\Disks\Disk-02.vhd
Size: 20000 MB
Target name: LUN-01
Task 3: Connect the iSCSI target to NYC-SVR2

1.
2.
3.
4.
On NYC-SVR2, start the iSCSI Initiator management console.

On the Targets tab, connect to the 10.10.0.30 target.
Ensure the computer establishes a connection to iqn.1991-05.com.microsoft:NYC-SVR3-lun-01target.
On the Volumes and Devices tab, click Auto-Configure.
Task 4: Create volumes on the shared storage

1.
2.
On NYC-SVR2, open Server Manager, and then access Disk Management.

Bring Disk 2 and Disk 3 online, and initialize the disks.
4-34
3.
4.
On Disk 2, create a new simple volume with the drive letter Q and a volume label of Data1.
On Disk 3, create a new simple volume with the drive letter M and a volume label of Data2.
Results: After this exercise, you should have implemented a Windows iSCSI target.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1.
2.
3.
4.
5.
6.

In the Virtual Machines pane, click 6420B-NYC-DC1, and then in the Actions pane, click Start.
4-35
Review Questions
1.
2.
3.
What are the different types of disks?

List some different storage technologies?
What are the most important implementations of RAID?
4-36
Installing and Configuring Windows Server
Module 5
Contents:
Lesson 1: Installing Windows Server
5-3
Lesson 2: Managing Services
5-19
Lesson 3: Managing Peripherals and Devices
5-25
5-34
5-1
5-2
Module Overview
In order to have a server that fits the needs of your organization and one that operates in an efficient and
consistent manner, specific steps and considerations need to be taken. The most critical piece of a
Windows Server 2008 R2 operating system servers operability is the initial installation and
configuration.
Windows Server 2008 R2 editions, installation options, optimal service and device configuration and
general post-installation configuration all contribute to the functionality and effectiveness of your
Windows Server implementation.
Objectives
Install Windows Server 2008 R2.
Manage services.
Manage devices and device drivers.
5-3
Lesson 1
Installing Windows Server
The method by which you install Windows Server 2008 R2 and the edition and options you choose
determine how quickly and effectively your server can begin performing its functions.
This lesson will introduce you to the key components and considerations involved with installing Windows
Server 2008 R2.
Objectives
Describe a server operating system.
Select the appropriate edition of Windows Server 2008.
Describe the benefits of using Server Core.
Describe the various installation methods.
Describe the various installation types.
Describe the process for installing Windows Server 2008 R2.
Describe the process for deploying Windows Server using Microsoft Windows Deployment Services.
Configure a recently installed server.
5-4
What Is a Server Operating System?
Key Points
A server is a critical part of a computer network. Unlike a client, whose primary role is performing tasks for
the end user, a server is responsible for serving a variety of resources to the rest of the network. These
resources could include file shares, hosted applications, or shared printers. Servers also play a key role in
maintaining the integrity of a computer network. Servers use authentication and resource access rules to
ensure that information and resources on the network are available only to those who are authorized to
use them. Servers also provide additional network related services such as assigning IP addresses,
performing name resolution, or routing network traffic.
The key component to supplying these services in an effective manner is the server operating system. The
server operating system communicates with the servers hardware, ensuring that it is being utilized
properly. A server operating system also provides a centralized environment to manage the servers
functionality and resources, allowing administrators to interact with the server computer in a meaningful
and efficient way. Server operating systems also often expand functionality of the operating system to
support typical server hardware features like hot-swappable memory and processors and hard disk
redundancy features.
Question: What different functions might a server perform in a network environment?
5-5
Choosing an Edition of Windows Server 2008
Key Points
Windows Server 2008 R2 is available in different editions to support varying server and workload needs of
organizations. Each edition of Windows Server 2008 R2 is packaged with a unique set of features that
target that edition to a particular environment or even a specific role. The seven editions of Windows
Server 2008 R2 address almost every possible type of server implementation you would find in a network
environment.
The following table lists the most commonly used Windows Server 2008 R2 editions:
Edition
Description
Windows Server 2008 R2

Foundation operating system
A cost-effective advanced server platform that targets small business

owners and information technology (IT) generalists. Windows Server
Foundation is designed to provide core server features at a low cost.
Windows Server Foundation is capable of supporting only one
processor and up to 8 gigabytes (GB) of RAM.

Standard operating system
The Windows Server Standard edition offers the most commonly used
features in Windows Server 2008 R2 and is designed to meet almost all
general server computing requirements. It adds features like Server
Core, Hyper-V and DirectAccess to the functionality of Windows
Server Foundation. Windows Server Standard supports up to 4
processors and up to 32GB of RAM.

Enterprise operating system
Windows Server Enterprise expands upon Windows Server Standard,

adding enterprise level capabilities such as clustering, extended remote
access and virtualization capabilities. In addition, Windows Server
Enterprise provides support for up to 8 processors and 2 terabytes of
RAM.
Windows Server Datacenter provides the full capabilities of the
5-6
Edition
Description
Datacenter operating system
Windows Server 2008 platform. Designed for business critical

applications and large scale virtualization implementation, Windows
Server Datacenter provides everything required for complex server
solutions. Windows Server Datacenter supports up to 64 processors and
2 terabytes of RAM, as well as support for hot-swappable processors
and memory.
The following specialized editions of Windows Server 2008 R2 are also available:
Edition
Description
Windows Web Server 2008

R2 operating system
A Web application and services platform, Windows Web Server 2008 R2

includes Internet Information Services (IIS) 7.5 and is designed as an
Internet-facing server. Windows Web Server 2008 R2 includes Web
server and Domain Name System (DNS) server roles.
Windows Server 2008 R2 HPC Provides an enterprise-class platform for high-performance computing
Edition
(HPC). It can scale to thousands of processing cores and includes
management consoles that help you to proactively monitor and
maintain system health and stability. Job scheduling interoperability and
flexibility enables integration between Windows and Linux based HPC
platforms.
Windows Server 2008 R2 for
Itanium-based Systems
operating system
Built specifically to support Itanium-based IA64 processor architecture,

Windows Server 2008 for Itanium-based Systems provides the same
feature set as Windows Server Datacenter and is designed for high
workload scenarios.
5-7
What Is the Server Core Installation Option?
Key Points
Since the early days of the Microsoft Windows platform, Windows servers have been implemented as
full-featured servers that include a wide variety of features, some that might never be used in a
particular network environment. These extra, unused features could cause the server to consume more
system resources than required or leave the overall security of the server more vulnerable to exploitation.
Server Core is a minimal installation option available in Windows Server 2008 R2. Server Core provides a
low-maintenance server environment with limited functionality when compared to a full installation of
Windows Server 2008 R2. This configuration is designed to provide a server environment that reduces:
Servicing requirements.
Management requirements.
Disk space usage.
Potential security vulnerabilities.
To achieve these goals, the Server Core installation option installs only the server components required for
essential operating system functions. This includes removing most aspects of the graphical user interface
(GUI), and offering only a small number of features when compared with a full installation of Windows
Server 2008 R2.
In a Server Core installation, server management is performed primarily by using command-line tools or
using the Microsoft Management Console (MMC) from a remote computer. All GUI elements are removed
from a Server Core installation with the exception of those listed in the following table.
GUI application
Executable name
Command Prompt
Cmd.exe
5-8
GUI application
Executable name
Microsoft Support Diagnostic Tool
Msdt.exe
Notepad
Notepad.exe
Registry Editor
Regedt32.exe
Microsoft System Information
Msinfo32.exe
Task Manager
Taskmgr.exe
Microsoft Windows Installer
Msiexec.exe
While the limited GUI makes the server more difficult to access for someone with malicious intent, it can
also make performing some administration tasks on the server more complicated for the administrator of
the server, especially if administration is being performed locally, where only the command-line interface
can be used.
Note: New to Windows Server 2008 R2 is the Sconfig tool, which provides the server administrator
with a text-based menu from which the administrator can initiate common server configuration tasks,
rather than running tasks manually directly from the command line.
The Server Core installation option is not available in Windows Server Foundation, the
Windows Server 2008 R2 HPC Edition, or Windows Server 2008 R2 for Itanium-based Systems.
Question: In what situations might a Server Core installation be used instead of a full installation of
Windows Server 2008 R2?
5-9
Selecting an Installation Method
Key Points
Various methods exist for installing Windows Server 2008 R2. These methods are determined primarily by
the media from which the operating system is installed. Depending on your installation scenario and the
availability of specific hardware or degree of physical access to the server, several methods exist to ensure
that Windows Server 2008 R2 can be installed in any situation.
Installation Methods
Local media. The standard and simplest method of installing Windows Server 2008 R2 is using local
media. Windows Server 2008 R2 can be installed locally using an installation DVD inserted into the
DVD drive of the server or run from a Universal Serial Bus (USB) flash drive attached to the computer.
Local media installations require the least amount of planning and pre-configuration, but require the
most manual intervention during installation as well as physical access to the server for at least a
portion of the installation process.
Network share. Windows Server 2008 R2 can also be installed from a shared location on the network.
This allows for installation on servers where only remote access is available or for servers that do not
have a DVD drive or USB ports available to support a local media installation. Network share
installations also allow for multiple servers to use the same copy of the installation files at one time,
avoiding the need to have multiple DVDs or USB flash drives. Similar to a local media installation,
network share installations require a considerable amount of user interaction and, typically, physical
access to the server to initiate the installation process.
Automated Deployment. Deployment refers to an advanced, pre-planned installation of Windows

Server 2008 R2, typically done over the network and involving multiple servers. Commonly, server
deployments will also include a large degree of pre-configuration and automation, requiring less
hands-on administration during the installation process. Deployment is typically configured and
executed through a dedicated deployment tool or by using answer files.
5-10
Selecting an Installation Type
Key Points
New Install
A new install of Windows Server 2008 R2 is typically done when a server is installed to perform a new role
on the network or when it is not necessary to retain any information from the operating system previously
installed on the server. A new install involves installing the operating system either onto an empty hard
disk or overwriting existing information on a hard disk.
Upgrade
An upgrade installation of Windows Server 2008 R2 involves replacing an existing operating system with
Windows Server 2008 R2, but retaining operating system and application settings, as well as other data
stored on the system. Upgrade installations are typically done when existing system information would be
too difficult or time consuming to recreate or migrate to a new installation of Windows Server 2008 R2.
The following upgrade scenarios are supported:
Current operating system
Supported upgrade path
Windows Server 2003 Standard Edition

Windows Server 2008 R2 Standard operating system,
operating system with Service Pack 2 (SP2) or Windows Server 2008 R2 Enterprise operating system
Windows Server 2003 R2 Standard Edition
operating system
Windows Server 2003 Enterprise Edition
operating system with SP2 or Windows
Server 2003 R2 Enterprise Edition operating
system
Windows Server 2008 R2 Enterprise, Windows

Server 2008 R2 Datacenter operating system
Windows Server 2003 Datacenter Edition

operating system with SP2 or Windows
Windows Server 2008 R2 Datacenter
Current operating system
5-11
Supported upgrade path
Server 2003 R2 Datacenter Edition operating

system
Server Core installation of Windows
Server 2008 Standard operating system with
or without SP2
Server Core installation of either Windows

Server 2008 R2 Standard or Windows Server 2008 R2
Enterprise

Server 2008 Enterprise operating system with Server 2008 R2 Enterprise or Windows Server 2008 R2
or without SP2
Datacenter
Server 2008 Datacenter operating system
Server Core installation of Windows Server 2008 R2

Datacenter
Server Core installation of Windows Web

Server 2008 operating system with or without Server 2008 R2 Standard or Windows Web
SP2
Server 2008 R2 operating system
Full installation of Windows Server 2008
Standard with or without SP2
Full installation of either Windows Server 2008 R2

Standard or Windows Server 2008 R2 Enterprise

Enterprise with or without SP2
Full installation of either Windows Server 2008 R2

Enterprise or Windows Server 2008 R2 Datacenter

DataCenter with or without SP2
Full installation of Windows Server 2008 R2 DataCenter

Foundation with or without SP2
Full Installation of Windows Server 2008 R2 Standard
Note: When upgrading from previous Windows Server operating systems, it is important to note that
Windows Server 2008 R2 no longer supports 32-bit processors. Only 64-bit processors are supported.
Migration
A migration install is characterized by the backing up of data or settings from an existing server
installation and erasing or overwriting that server with a new installation of Windows Server 2008 R2. The
backed up data or settings are then restored to the newly installed server. This type of migration
installation is typically used when the data and settings involved are easily backed up and it is not
necessary to maintain the entire configuration of the existing server. Alternatively, a migration can also
involve the installation of Windows Server 2008 R2 on a new physical server and transferring the settings
and applications from the original server to the new one. This method has the benefit of leaving the old
server completely intact should the need arise to rollback to the old configuration. Unfortunately, this
method also typically involves a large amount of planning and detail in implementation to ensure that all
aspects of the old server are transferred to the new server.
5-12
Installing Windows Server
Key Points
There are several general steps involved in installing Windows Server 2008 R2 that universally apply to all
installation methods and types.
1.
Ensure that the server hardware meets minimum requirements. Windows Server 2008 R2 requires a
minimum level of hardware to run properly. The following table lists the most common basic
hardware requirements for a Windows Server 2008 R2 installation:
Component
Minimum required
Processor
1.4 gigahertz (GHz) (64-bit processor)
Memory
512 megabyte (MB) RAM
Disk Space
10GB free
Note: Minimum requirements are just that; a minimum. In a production environment, the hardware
used for a server should always be appropriately scaled to meet the resource requirements for the
server operating system, installed roles, features and applications and, typically, future growth.
In addition, specific features may need to be configured on the server hardware to support Windows
Server 2008 R2. For example, basic input/output system (BIOS) level virtualization settings must be
enabled to allow the Hyper-V virtualization role to run.
Also, some hardware used during the installation process (typically hard disks) may not have device
driver support built into Windows Server 2008 R2. In these cases, the device driver must be preloaded
prior to attempting installation or a copy of the media containing the driver must be available during
installation.
5-13
2.
Backup all pertinent data if you are installing Windows Server 2008 R2 in an upgrade or migration
scenario.
3. Run setup.exe from local media, or a network share or deployment location.
4. Confirm regional and language settings.
5. Choose edition to install.
6. Read and accept license agreement.
7. Choose installation type.
8. Choose location for installation.
9. Install files.
10. Set Administrator password.
Once initial setup is completed, Windows Server 2008 R2 starts for the first time and presents options for
further configuration.
5-14
Deploying Window Server with Windows Deployment Services
Key Points
Windows Deployment Services is a set of operating system components that allow for the efficient
deployment of a number of different operating systems, including Windows Server 2008 R2.
The Windows Deployment Services components can be divided into the following three categories:
Windows Deployment Services Server components. These components reside on a Windows Server
2008 R2 server and are responsible for hosting and sharing out the files necessary for operating
system deployment. A Windows Deployment Services server is capable of deploying operating
systems to multiple computers at one time.
Windows Deployment Services Client components. The client components run on the computers that
the operating system is being deployed to. They allow the computer to communicate properly with
the Windows Deployment Services server and determine which operating systems are available for
deployment.
Windows Deployment Services Management components. The Windows Deployment Services

management components provide administrators with the tools necessary to configure and manage a
Windows Deployment Services environment, performing tasks like adding new operating system
images and managing Windows Deployment Services configuration settings.
Windows Deployment Steps

A typical Windows Deployment Services deployment of Windows Server involves the following basic steps:
1.
2.
Build image file(s). Windows Deployment Services uses Windows Imaging Format (WIM) to package
operating system files for deployment. WIM allows for a single file to contain all of the information
needed to deploy one or several versions of an operating system. These images are copied to
deployed computers and unpackaged on the computers hard disk into a ready-to-run version of the
operating system.
Build unattended answer file(s). Windows Deployment Services provides the ability to automate
operating system installation during deployment using unattended answer files which provide
3.
4.
5-15
information to the deployment process regarding various configuration options available. These files
allow for an administrator to deploy the operating system without any intervention or manual entry
of information during the deployment process. These files can be reused or customized for multiple
deployments.
Create a deployment transmission. By creating a transmission, the Windows Deployment Services
server is advertising to the rest of the network that it has a number of images ready for deployment.
Initiate installation from client. When a computer loads a Windows Deployment Services boot image
(typically from DVD or by booting from the network), Windows Deployment Services presents the
computer with a list of available images for deployment. Once an image is chosen, the deployment
process is initialized and the Windows Deployment Services server begins unpacking the image file
onto the new computer.
Question: In what situations would a Windows Deployment Services Server be used by an
organization? In what situations would a Windows Deployment Services Server not be efficient to
implement?
5-16
Post-Installation Configuration Settings
Key Points
A number of common tasks need to be performed on a server after installation has been completed.
These include time zone and clock settings, network configuration, setting a unique computer name and
domain membership, configuring Windows Update settings, adding server roles and features, modifying
Remote Desktop settings and configuring Windows Firewall settings.
All of these tasks are available in the Initial Configuration Tasks (ICT) Wizard that runs when the computer
is started for the first time immediately following installation. It includes links for the following tasks:
Activate Windows. You can continue to use Windows Server while it is not activated for a grace
period. After this period expires, Windows continues to function, however the system is then
unlicensed.
Set the time zone. It is important to configure the time zone because many network-related services
do not function correctly if the computer clocks of networked computers are excessively out-of-sync.
Configure the network settings. By default, both IPv4 and IPv6 are configured to obtain an IP address
automatically. Most server installations will utilize static IP address information.
Configure computer name and domain membership. By default, the computer name is automatically
generated; the suggested name may not comply with organizational standards that you have in
place. The computer is assigned membership of a workgroup by default. In many cases, the computer
will need to be joined to a domain.
Enable automatic updating and feedback settings. By default, automatic updates are disabled and
Windows error reporting is off.
Download and install updates. It is important to ensure that the computer is up-to-date with urgent
and security-related updates.
Add roles. No roles are installed by default.
Add features. No features are installed by default.
Enable Remote Desktop. Remote Desktop is disabled by default.
Configure Windows Firewall. The computer is connected to a public network location and the
Windows Firewall is enabled by default, using the public location profile.
5-17
In a deployment situation, many of these tasks may have been completed during the deployment process
using answer files. In this case, the ICT Wizard provides a central location to confirm that the deployment
settings have been configured properly.
Note: In a Server Core installation, the ICT Wizard is one of the many GUI elements that have been
removed. As a result, Server Core post-installation configuration must be done locally using the
command line or the sconfig tool or remotely using MMC on another computer. This extra effort
required for configuration makes Server Core installations excellent candidates for using answer files
for automated configuration in a deployment scenario.
5-18
Demonstration: How to Configure a Server After Installation
In this demonstration, you will see how to use the Initial Configuration Tasks Wizard to configure the
following post-installation settings.
1.
2.
3.
4.
Set the time zone.

Assign IP addressing details.
Enable automatic updating.
Join the computer to a domain.
5-19
Lesson 2
Managing Services
In Windows Server 2008 R2, services provide the functionality for the core of the operating system. They
provide the framework on which Windows roles and features are built. Effectively managing these services
is critical to the efficient and reliable operation of a Windows Server.
Objectives
Describe a service.
Configure the startup properties for a service.
Troubleshoot service issues.
5-20
What Is a Service?
Key Points
In Windows Server 2008 R2, a service or service application is a long running executable that performs a
specific function that is designed to require no user intervention. Where an application may be started
and closed numerous times by a user over any given time, a service will typically remain running for the
entire time that the operating system is running, unless directed to do otherwise by the operating system
or associated applications. Services typically consist of an executable file and a directory for storing service
components.
Service Examples
Services are responsible for the majority of Windows Server 2008 R2 functionality. Some common services
and their primary functions are listed below.
Print Spooler. Loads files to memory for printing.
Server. Supports file and print sharing over the network.
Task Scheduler. Enables a user to configure and schedule automated tasks.
Windows Error Reporting. Allows errors to be reported when programs stop working or responding.
Windows Time. Maintains date and time synchronization within a network.
Service Startup
Unlike applications, which are executed by the user on an as needed basis, the execution of services is
controlled by the operating system or related software applications. Each service is initialized at the
startup of the computer according to its startup type. Startup types are listed below.
Automatic. Starts the service at system start.
Manual. Starts a service as required or when called from an application.
Disabled. Prevents a service and its dependencies from running.
Automatic (Delayed). Starts the service on a timed delay from system start. This is used to speed up
system startup time in some cases, or to force the service to wait until any services that it is
dependent on start.
5-21
5-22
Demonstration: How to Configure Service Startup
In this demonstration, you will see how to view and configure service startup options using the Services
applet within Server Manager.
1.
2.
3.
Open the Services MMC snap-in.

Change service settings.
View service settings options.
5-23
Troubleshooting Services
Key Points
Due to the critical nature of Windows services, service failure or service-related problems can cause
various forms of operating instability. These issues need to be diagnosed and resolved quickly in order to
maintain consistent system operation.
Service failures can be caused by a number of issues including the following:
Service account restrictions. Services run under the context of a Windows account, which determines
the level of access that the server and its related functions have in relation to the rest of the system.
Commonly, the built-in LocalSystem account is used for service execution, which gives a service a
high level of access to the rest of the operating system. Some services, however, will run under a
specifically configured account typically referred to as a service account. This service account is
created for the sole use of running the related service and may contain specific security restrictions or
dependencies, depending on the nature of the service. Incorrect password settings or
overly restrictive service account permissions can cause a service to fail to start properly.
Service dependencies. Many services run as a solitary application, unrelated to any other services. In
other cases, a service may be dependent on the successful operation of other services to allow it to
properly start. If one of these dependency services fails, it could also cause the dependent service to
fail to start.
Corrupt or missing files. If the files necessary for a services execution are missing or corrupted, the
service may fail to start or behave erratically.
Solving Service-Related Issues

A number of different methods and tools exist to assist with troubleshooting services in Windows Server
2008 R2:
Safe Mode. The Safe-Mode boot feature is available when pressing the F8 key as the operating
system starts. Safe Mode loads the minimal set of services required for the operating system to run
5-24
and can allow the repair, removal or disabling of failing services that are preventing Windows from
starting properly.
Last Known Good Configuration. Also accessed by pressing the F8 key as the operating system starts,
Last Known Good Configuration restores operating system settings contained in the registry as they
were the last time the computer started correctly.
MSConfig.exe. MSConfig, or the Microsoft System Configuration Utility, is a graphically-based utility

that can be used to modify and troubleshoot the Windows startup process. It gives the user a detailed
level of control over which aspects of the operating system are enabled when the systems starts. It
also allows for more specific control over services and the separation of native services from third
party installed services.
5-25
Lesson 3
Managing Peripherals and Devices
A large number of individual components combine to provide the computer hardware on which a
Window Server runs. Disk drives, processors, memory, keyboards, monitors, network adapters, printers,
scanners and many other components play an important role in providing the functionality required for a
server to perform its duties.
The proper management and maintenance of these components ensures that the server components
work cohesively to provide proper functionality.
Objectives
Describe a device.
Describe typical settings required for a device.
Describe a device driver.
Describe driver signing.
Update a device driver.
Rollback a device driver.
5-26
What Is a Device?
Key Points
A device is a hardware component installed in or attached to a computer that performs a specific
function.
Device functions can be as narrow as that of a computers memory, or as diverse as a multifunction
printer/copier/scanner. Devices are also connected to the computer in a variety of ways. Many devices
attach directly to the computers motherboard such as processors, memory and network adapters, while
some devices such as printers, cameras, flash drives, mice or keyboards use external connection
technologies such as USB or FireWire.
Devices work together to provide a computers complete functionality, and a single malfunctioning device
can affect the performance of other devices or the entire computer.
5-27
Hardware Settings for Devices
Key Points
In order for devices to function cooperatively within a computer, they need to be able to share the
computers resources and establish methods of communication with other devices. Devices require
specific settings that control where and when they communicate with the rest of the computer. These
settings must be unique to the device to ensure that one device is not interfering with the functionality of
another device. Historically, these settings needed to be configured by the end user using the BIOS of the
computer, physical switches on the device itself or special configuration software provided by the device
manufacturer. Common device settings include:
Direct memory access (DMA) channel. DMA allows certain devices attached to the computer to
directly access the computers memory without using the computers processor. Typically, each device
utilizing DMA must have a unique DMA channel assigned to it.
Interrupt request (IRQ) line. IRQ lines are used to send interrupt requests to a computers processor
when a device requires processor use.
Input/Output Range. Input/Output Range specifies the range of addresses in memory that a device
uses to send and receive information between the device and Windows. A devices input/output
range must be unique to that specific device.
Memory range. Memory range refers to the specific physical memory address in the computer that a
device has reserved for its general use. A devices memory range must be unique to that specific
device.
Note: The value for each of these settings for a particular device can be viewed in Device Manager
using the Resource tab of the devices Properties window.
5-28
Plug and Play

While some devices still require manual configuration of hardware settings, the majority of computers and
computer devices utilize Plug and Play technology for device settings. With plug and play, new hardware
is discovered by the computer once it is installed. The computer, in conjunction with the computers
operating system, automatically assigns and tracks the resources necessary for the device to function,
avoiding conflict with other devices already installed in the computer. This functionality eliminates manual
device configuration and avoids inadvertent settings conflicts associated with manual configuration.
Windows Server 2008 R2 fully supports Plug and Play devices and drivers. To support Plug and Play,
devices must meet the following requirements:
Be uniquely identified.
State the services it provides and resources it requires.
Identify the driver that supports it.
Allow software to configure it.

Note: Almost all current devices support Plug and Play. Very few devices still require resource
settings to be configured manually.
5-29
What Is a Device Driver?
Key Points
A driver is a small software program that allows the computer to communicate with a specific device. A
driver acts as an interface between the actual hardware components of the device and Windows Server
2008 R2. The device driver exposes the capabilities of the device to the operating system so the device
can be utilized effectively and interface with related devices. A device driver is typically specific to an
operating system. Without drivers, the devices you connect to the computer will not work properly.
Windows Server 2008 R2 provides driver support for most common devices. The drivers for these devices
come pre-installed and will automatically install when the device is connected to the computer. In cases
where a driver cannot be found within Windows Server 2008 R2s native drivers, Windows Update can be
used to search for new or updated drivers. Device drivers can also be obtained from the installation media
that came with the device or from the device manufacturers Web site.
Driver Staging
Additionally, device drivers can be installed into Windows Server 2008 R2 or staged for future use. When
a driver is staged, the driver files are stored within Windows and treated as part of the original set of
drivers native to the operating system. This allows devices using that driver to be recognized immediately
and have its driver installed automatically without requiring user intervention like specifying a driver
location or checking a manufacturers Web site.
Note: Device drivers are built for a specific processor architecture type. 64-bit device drivers will work
only on a 64-bit operating system and 32-bit device drivers will work only on a 32-bit operating
system. Since Windows Server 2008 R2 support 64-bit architecture only, 32-bit drivers will not work for
devices installed on a Windows Server 2008 R2 computer.
5-30
Driver Signing
Key Points
A signed driver is a device driver that includes a digital signature provided from a trusted third party
source. This digital signature acts as an electronic security mark that identifies the publisher of the
software and confirms that the contents of the driver package are the original contents and unchanged. If
a driver has been signed by a publisher, you can be confident the driver comes from that publisher and is
not altered.
The benefits of using signed drivers include:
Improved security.
Reduced support costs.
Better user experience.
When a device is installed and the device driver specified is digitally signed, Windows will install the driver
without any user intervention and start the driver once the install is complete. All device drivers that come
pre-installed with Windows have been digitally signed.
Windows will alert you with one of the following messages if a driver is not signed, if it was signed by a
publisher that has not verified its identity with a certification authority, or if the driver has been altered
since it was released:
Windows cannot verify the publisher of this driver. This driver either doesn't have a digital signature,
or it has been signed with a digital signature that was not verified by a trusted certification authority.
You should only install this driver if you obtained it from a reliable source.
This driver has been altered. This driver was altered after it was digitally signed by a verified publisher.
The package may have been altered to include malicious software that could harm your computer or
steal information. In rare cases, legitimate publishers do alter driver packages after they have been
digitally signed. You should only install an altered driver if you obtained it from a reliable source.
5-31
Windows cannot install this driver. A driver that lacks a valid digital signature, or that was altered after
it was signed, can't be installed on 64-bit versions of Windows.
Note: When staging drivers into the Windows Server 2008 R2 driver store, all staged drivers must be
digitally signed.
5-32
Demonstration: How to Update a Device Driver
In this demonstration, you will see how to update a device driver using Device Manager.
1.
2.
Open Device Manager.

Update a device driver.
Demonstration: How to Rollback a Driver
In this demonstration, you will see how to rollback a device driver using Device Manager.
1.
2.
Open Device Manager.

Rollback a device driver.
5-33
5-34
Lab Setup
1.
2.
3.
4.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
The first task in your new job as junior server administrator is to perform the initial installation and
configuration of a new server for the Research and Development department of Contoso, Ltd In this
instance, the company decided a local media-based installation should be performed. Once the
installation is complete, you will configure the servers post-installation settings as per the supplied
documentation. Additionally, the startup settings for some services must be configured, and a new device
driver must be tested for proper functionality.
E-mail message from your boss, Jim Hance.
Jeff Price
From:
Sent:
To:
Jim Hance [Jim@contoso.com]

1 May 2010 17:00
Jeff@contoso.com
Subject:
5-35
New Server Installation
Jeff,
Please use the following information to install the new server for R&D.
Installation options
Language: English
Time and currency format: English (United States)
Keyboard or input method: US
Product: Windows Server 2008 R2 Enterprise (Full Installation)
Administrator password: Pa$$w0rd
Post-installation configuration options:
Time zone: (UTC-05:00) Eastern Time (US & Canada)
IP address: 10.10.0.100
Gateway: 10.10.0.1
DNS Servers: 10.10.0.10 and 10.10.0.11
Enable automatic Windows Update
Server name: NYC-SVR1
Domain name: Contoso.com (use the Contoso\Administrator account with a password of Pa$$w0rd when
prompted for credentials)
Please let Lisa from the Sr. Server Admin team know when youre finished, shell finish the configuration
and get the server to R&D.
Thanks,
Jim
5-36
Exercise 1: Performing a Local Media-Based Installation

Scenario
You have installed the new server.
1.
2.
Read the server installation instructions.

Install Windows Server 2008 R2 as specified in the e-mail
Task 1: Read the server installation instructions
Read the contents of the e-mail message in the lab scenario.
Task 2: Install Windows Server 2008

1.
Attach the Windows Server 2008 R2 Installation DVD to NYC-SVR1 using these steps:
a.
b.
c.
d.
e.
2.
3.
Switch to Hyper-V Manager, right click on 6420B-NYC-SVR1 and then click Settings.
In the Settings for 6420B-NYC-SVR1 dialog box, click DVD-Drive in the Hardware Pane.
In the DVD-Drive pane, select Image file and then click Browse.
Navigate to C:\Program Files\Microsoft Learning\6420\Drives, click
WServer2008R2_Eval.iso and then click Open.
In the Settings for 6420B-NYC-SVR1 dialog box, click OK.
Start and connect to the 6420B-NYC-SVR1 virtual machine.

Install the operating system using the Installation Options section provided in the e-mail from Jim
Hance.
Note: Setup will proceed by copying and expanding files, installing features and updates, and
complete installation. This phase takes around twenty minutes. Your instructor might continue with
other activities during this phase.
Results: After this exercise, you should have installed a new Windows Server 2008 R2 server.
5-37
Exercise 2: Configuring Windows Server

Scenario
You have been asked to perform post-installation configuration on the recently installed server for the
R&D department according to the instructions provided by Jim Hance.
1.
2.
Read the server post-installation configuration instructions.

Configure post-installation settings as specified in the Post-installation configuration options section
of the e-mail from Jim Hance.
Task 1: Read server post-installation configuration instructions
Task 2: Configure post-installation settings

1.
2.
3.
4.
5.
If necessary, switch to the NYC-SVR1 virtual machine.

Use the ICT to configure time zone settings as specified in the e-mail.
Use the ICT to configure networking settings as specified in the e-mail.
Use the ICT to configure automatic updating and feedback settings as specified in the e-mail.
Use the ICT to configure computer name and domain settings as specified in the e-mail.
Results: After this exercise, you should have configured post-installation settings using the Initial
Configurations Tasks Wizard.
5-38
Exercise 3: Configuring Services

Scenario
The new server for the R&D department has been installed and configured. Additional changes need to
be made to some services to prepare the server for its new role.
In order to prevent printers from being installed and used on the server, the Spooler service needs to be
stopped and set to Disabled to prevent it from starting when the server is restarted.
1.
Configure Print Spooler service settings.
Task 1: Configure Print Spooler service settings

1.
2.
3.
4.
5.
On NYC-SVR1 logon as Contoso\Administrator with a password of Pa$$w0rd.

Open Server Manager.
Browse to the Services node.
Configure the Print Spooler service startup option to Disabled.
Stop the Print Spooler service.
Results: After this exercise, you should have used Server Manager to make changes to service startup
options.
Exercise 4: Configuring Devices

Scenario
A new device driver for the keyboard attached to the R&D server needs to be tested for proper
functionality before being configured for permanent use. The current standard PS/2 keyboard will be
replaced by a PC/AT Enhanced PS/2 Keyboard. You have been asked to ensure that the new PC/AT
Enhanced PS/2 Keyboard driver will update properly. Once proper operation has been confirmed, you
have been asked to rollback the driver to the previous version.
1.
2.
Update the Standard PS/2 Keyboard driver.

Rollback the driver to its previous version.
Task 1: Update the Standard PS/2 Keyboard driver

1.
2.
3.
4.
On NYC-SVR1, open Server Manager.

Select Device Manager and expand Keyboards.
Update the Standard PS/2 Keyboard driver to the new PC/AT Enhanced PS/2 Keyboard driver.
Restart the computer when prompted.
Task 2: Rollback the driver to its previous version

1.
2.
3.
4.
5.
6.
7.
8.
Log on to the 6420B- NYC-SVR1 virtual machine as Contoso\Administrator with a password of

Pa$$w0rd.
When the Initial Configuration Tasks window appears, click the Close button to close the window.
Select Device Manager and expand Keyboards.
Rollback the driver to the Standard PS/2 Keyboard driver.
Restart when prompted and then log on as Contoso\Administrator with the password of
Pa$$w0rd.
Verify that the driver has been successfully rolled back.
Results: After this exercise, you should have performed update and rollback operations on a device
driver.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1.
2.
3.
4.
5.
6.

Repeat these steps for 6420B-NYC-SVR1.
6420B-NYC-DC1, and then in the Actions pane, click Connect.
5-39
5-40
Review Questions
1.
2.
3.
4.
Why is it more difficult to perform post-installation tasks on a Server Core installation of Windows
Server 2008 R2 as opposed to a full installation?
If you need to troubleshoot system instability, what tool should you use to disable a specific set of
services from running at startup?
If a newly installed video adapter device driver is preventing Windows from starting properly, what
tools would you use first to return the system to an operable state?
What factors should be considered when staging drivers in the Windows driver store?
Tools
Tool
Use for
Where to find it
Sconfig
Menu-based administration From the Run prompt: sconfig.exe

of Server Core installations
Windows
Deployment
Services
Windows Deployment
ICT
Wizard
Initial post-installation
Registry
editor
Edit settings in the
MSConfig
Edit Windows Server
Services for automated

deployment of Windows
operating systems
Windows Automated Installation Kit:

http://www.microsoft.com
/downloads/details.aspx?familyid=696DD665-9F76-4177A811-39C26D3B3B34&displaylang=en
Type ICT in the search field of the start menu.
configuration of the server

From the Run prompt: regedit.exe
Windows registry
settings and troubleshoot
startup issues
From the Run prompt: msconfig.exe
5-41
Tool
Use for
Device
Manager
Manage server devices and Type Device Manager in the search field of the start
settings
Where to find it
menu.
5-42
Windows Server Roles
Module 6
Contents:
Lesson 1: Role-Based Deployment
6-3
Lesson 2: Deploying Role-Specific Servers
6-9
6-20
6-1
6-2
Module Overview
Servers perform a variety of functions. In the past, these functions were combined into a monolithic
operating system. Each server was loaded with all of the necessary software to perform all server functions
irrespective of the actual functions it performed. The Windows Server 2008 operating system separates
server functions into distinct server roles. By default, a server has no enabled roles. It is more efficient to
select which particular server roles you want based on the functional requirements of the server computer.
It is important to understand the functional requirements of a server computer and select and deploy
appropriate server roles to support these functional requirements.
Objectives
Select and install server roles and features to support different types of servers.
Describe different types of servers.
Lesson 1
Role-Based Deployment
Windows Server 2008 is configured by adding and removing server roles and features. This is a new
method of organizing the addition and removal of services. Understanding server roles and features
allows you to install and support only the Windows Server 2008 components you need in your
environment.
Objectives
Describe server roles.
Describe role services.
Describe server features.
Use Server Manager.
Manage server roles and features.
6-3
6-4
What Is a Server Role?
Key Points
Server roles in Windows Server 2008 R2 describe a servers primary function. For example, a server role
might be an Active Directory Domain Service (AD DS) domain controller or a Web server. You can
choose to install one or many roles on a Windows Server 2008 R2 installation. You use the Server Manager
administrative tool for the installation and removal of server roles in a Windows Server 2008 R2
environment.
You can consider a role as a grouping of closely related, complementary features, for which, most of the
time, installing the role means installing one or more of its role services.
6-5
What Are Role Services?
Key Points
Many server roles also have role services. Role services are software programs that provide various
functionalities of a role. When you install a role, you can choose which role services the role provides for
other users and computers in your enterprise. Some roles, such as Domain Name System (DNS) Server,
have only a single function, and therefore do not have available role services. Other roles, such as Web
Server, have several role services, such as File Transfer Protocol (FTP), that can be installed.
Role services allow you to control which role functionality is installed and enabled; this is useful where you
only require a subset of the functionality of a given server role. For example, the File Services server role
contains the following role services:
File Server
Distributed File System
File Server Resource Manager
Services for Network File System
Windows Search Service
The Windows Server 2003 operating system File Services
BranchCache for network files
When you decide to deploy the File Services role, you can select only the specific role services that you
need.
6-6
What Are Features?
Key Points
A feature typically does not describe the servers primary function. Instead, it describes a servers auxiliary
or supporting function. Consequently, an administrator typically installs a feature not as the primary
function of the server, but to augment the functionality of an installed role. For example, failover
clustering is a feature that administrators can choose to install after installing specific roles, such as File
Services, to make the File Services role more redundant.
Certain Microsoft Windows features are required for certain roles. For example, if you add the server
role Application Server, the Add Role Wizard asks for your confirmation to install the Microsoft .NET
Framework version 3.51 and the Windows Process Activation Service because these features are required
to support that role.
6-7
Overview of Server Manager
Key Points
The new Server Manager console simplifies the task of managing and securing server roles with Windows
Server 2008. The Server Manager in Windows Server 2008 R2 provides tools for:
Managing a server's identity.
Displaying current server status.
Identifying problems with server role configurations.
Managing all roles designated for the server.
Server Manager replaces the Computer Management console and provides a single point for managing a
server.
The Server Manager console uses integrated wizards to step the user through adding server roles. You can
use Server Manager to add several roles at once, even if they are unrelated. For example, a server being
provisioned for a branch office could have the DNS Server, Dynamic Host Configuration Protocol (DHCP)
Server, and Print Server roles added at once. The Server Manager Wizard performs all of the necessary
dependency checks and conflict resolution so the server is stable, reliable, and secure. The Server Manager
console replaces the Computer Management tool in Windows Server 2003.
The Server Manager can also be used as a portal for regular ongoing server management. The Server
Manager console reports on server status, exposes key management tasks, and guides administrators to
advanced management tools. A key component of the Server Manager is the server role home pages.
These pages provide an integrated view of server roles, including their current status and current
configurations. Some of these consoles include a filtered event viewer that displays recent events related
specifically to that role. Server role home pages offer controls where you can diagnose problems by
selectively stopping and starting role services. These role-specific summaries highlight potential problems
and offer relevant troubleshooting tools.
6-8
Demonstration: How to Manage Roles and Features
Key Points
You can install or remove roles and features with a number of management tools.
Initial Configuration Tasks

The Initial Configuration Tasks window is launched automatically at the first logon after the completion of
the operating system installation. This tool helps you to complete the setup and configure a new server. It
also includes two options that enable you to manage roles and features; the Add Roles and Add Features
options in the Initial Configuration Tasks window enable you to begin adding roles and features to your
server as soon as you complete installation.
Server Manager
The Server Manager console uses integrated wizards to step you through the process of adding server
roles. You can use Server Manager to add several roles at once, even if they are unrelated. For example, a
server being provisioned for a branch office could have the DNS Server, DHCP Server, and Print Server
roles added at once. The Server Manager Wizard performs all of the necessary dependency checks and
conflict resolution so the server is stable, reliable, and secure.
Deployment Image Servicing and Management Tool

The command-line tool Dism.exe enables you to install and manage server roles and features on both the
full and Server Core installations of Windows Server 2008 R2.
In this demonstration, you will see how to add roles and features to a server.
1.
2.
3.

Add the DHCP Server and DNS Server roles simultaneously.
Add the AD DS role.
6-9
Lesson 2
Deploying Role-Specific Servers
In smaller organizations, server functions are often combined into a single server computer. In larger
organizations with many server computers, it is more common to dedicate a server to a specific subset of
server functions.
Objectives
Describe a file and print server.
Describe a domain controller.
Describe an application server.
Describe a Web server.
Describe a remote access server.
6-10
What Is a File Server?
Key Points
Historically, the term file server was often used as a generic term to describe any server. Presently, the
term file server means a server that supports services that are necessary to enable users to store their files
on storage accessible to the server.
On a Windows Server 2008 R2 file server, you must:
Provide sufficient storage for users files.
Share the folders that contain users files.
Configure security settings to ensure appropriate levels of access to users files.
Provide a mechanism that is used to backup, and where necessary restore, shared files.
File services are often combined with print services. In Windows Server 2008 R2, you can share locally or
network-attached printers. By doing so, you can reduce the overall number of print devices in your
organization as users do not need a printer each. In Windows Server 2008 R2, file and print services are
treated as separate server roles.
Note: It is important to understand that the storage used to host users files does not necessarily
need to be locally attached to the file server. A number of technologies exist that enable networkattached storage to be used by file servers.
Deploying a File Server

To deploy a file server, install the File Services server role. This role consists of seven role services. These
are:
File Server. Manages shared folders and enables users to access files on this server.
Distributed File System (DFS). Provides tools and services to support DFS namespaces and replication.
File Server Resource Manager. Enables you to manage quotas and file screens and to create and
manage reports on file usage.
Services for Network File System. Provides compatibility services for UNIX-based computers.
Windows Search Service. Permits fast searches of file-based content.
Windows Server 2003 File Services. Provides compatible file services for Windows Server 2003
computers.
BranchCache for network files. Installs the required services to support branch office environments.
Additionally, you might consider deploying the Print and Document Services role if your file server will
also provide print services.
6-11
6-12
What Is a Domain Controller?
Key Points
A domain controller is a computer that holds a copy of AD DS information. At minimum, a domain
controller holds a copy of the local domain partition, the configuration partition, and the schema
partition.
Functions
User authentication and computer authentication for a domain require access to a domain controller.
Credentials are sent to the domain controller for verification.
Domain controllers are also used by applications to query AD DS information. For example, Microsoft
Exchange Server 2010 reads configuration information from AD DS.
DNS is used to locate domain controllers. If DNS is configured incorrectly, then users may not be able to
log on or logon times will be very slow.
Global Catalog Servers

Some domain controllers are also configured as global catalog servers. A global catalog server holds a
subset of the domain information for all domains in the entire forest. This is useful when applications need
to query AD DS information for all domains in the forest. For example, Microsoft Office Outlook 2007
queries AD DS to build an address list for all Microsoft Exchange Server 2010 recipients in the
organization.
Deploying a Domain Controller

To deploy a domain controller, install the AD DS server role. You must then promote the server to a
domain controller and define its specific function within your AD DS forest environment; use dcpromo.exe
to perform this task.
Note: You can run dcpromo.exe without first deploying the required server role as the role is
automatically deployed by dcpromo.exe if necessary.
Question: How many domain controllers should you have?
6-13
6-14
What Is an Application Server?
Key Points
An application server is a computer that is dedicated to running network-aware application software.
Examples of such software include Microsoft SQL Server, Microsoft Exchange Server, Internet
Information Services (IIS), and Terminal Services.
The design of network-aware application software can be Web-based, or it may have a client-server
architecture. You must consider the system requirements of each application, including its architecture,
when configuring the server computers that will host them.
An application server is a server that runs user applications. They have more intensive processing and
memory requirements than file and print servers because they perform more complex tasks.
The applications that run on application servers are typically divided into two categories:
Traditional applications. A traditional application may also be called a client-server application. Part of
the application runs on a client computer and part of the application runs on a server. Typically, the
client (front-end) application serves as an end-user interface for processing requests sent to and
receiving responses from the server (back-end). The bulk of data is stored on the server. In some
cases, the server portion of the application is just a SQL Server database that all client computers
communicate with. In other cases, there is a middle tier with application logic that the client
computers communicate with and the middle tier communicates with a SQL Server database.
Web-based applications. A Web-based application uses a Web browser to provide the user interface.
The application logic is then performed on a Web server and data is stored in a SQL Server database.
Windows Server 2008 includes features to support the application server role, regardless of whether the
application to be hosted has a Web-based or a client-server type of architecture.
Deploying an Application Server

To deploy an Application server, install the Application Server role. This role consists of six role services.
These are:
6-15
.NET Framework 3.5.1. Provides infrastructure for creating securely connected services and workflow
applications.
Web Server (IIS) Support. Enables the application server to host internal or external Web sites.
Microsoft Component Object Model (COM+) Network Access. Enables the server to host and allow
remote invocation of applications.
TCP Port Sharing. Allows multiple net.tcp applications to share a single TCP port so that they can
coexist on the same server while remaining logically separate.
Windows Process Activation Service Support. Enables the server to invoke applications remotely.
Distributed Transactions. Provides services that help to ensure reliable and complete transactions over
distributed databases.
Note: An application server is different from a Web server because it hosts applications that run
natively on the server and the client, instead of preparing and providing content to a browser.
6-16
What Is a Web Server?
Key Points
A Web server is a server computer attached to either the Internet or the corporate intranet serving static
pages, dynamic pages, and streaming content to client computers that are equipped with a Web browser.
Types of Web Service Content
Static content. Static content is data that is the same for all users that view it. It does not change
based on where the users connect from or which user is connected. This is the most common type of
data on computer networks.
Some examples of static content are:
Basic Hypertext Markup Language (HTML) Web pages.
Microsoft Office Word documents.
Microsoft Office PowerPoint slides.
Dynamic content. Dynamic content is data that can be different each time it is accessed by a user.
This content can change depending on variables such as which user is accessing the content or the
users location. This type of content is most commonly found in modern Web sites and Web-based
applications.
A common way to build dynamic content is by using Active Server Pages (ASP) and ASP.NET. These
methods use scripts in Web pages that are processed by the server to generate the Web pages that
are delivered to users.
Examples of dynamic content include:
A Web page that displays a users name when the user accesses the Web site.
A Web page that displays the Internet Protocol (IP) address of a user accessing content.
A Web page that changes content depending on the demographics or location of the user.
6-17
Streaming content. Streaming content is data that is delivered to users at the speed required for
playback. Non-streaming content is delivered to users at the fastest possible speed that the client,
servers, and network can support. This can lead to increases in network traffic and cause network
congestion. Windows Server 2008 and Microsoft Windows Media Services provide support for
streaming content.
Examples of streaming content include:
Online radio stations
Online video
Security
Although users often connect anonymously to a Web server, users often require the Web server to verify
its identity; this is typically achieved through the use of a digital certificate installed on the Web server and
the use of the Secure Sockets Layer (SSL) protocol.
Although users connecting to an Internet-connected Web server do not need to authenticate themselves,
users connecting to a corporate Web server within an intranet, or remotely from home, are often required
to provide credentials to identify themselves.
Deploying a Web Server

To deploy a Web server, install the Web Server (IIS) role. This role consists of four role services. These are:
Web Server. Provides support for HTML Web sites with optional support for ASP.NET, ASP, and Web
Server extensions.
Management Tools. Provides tools to manage your IIS 7 deployment.
FTP Server. Enables you to provide file transfer support by using the FTP protocol.
IIS Hostable Web Core. Enables you to write custom code that hosts core IIS functions within your
application.
Note: In Windows Server, the Web Server (IIS) role is often required to support other server roles or
functions.
6-18
What Is a Remote Access Server?
Key Points
Remote access can mean accessing data from a home, a hotel room, or a mobile device. From these
locations, you may be using a virtual private network (VPN) or a dial-up connection. When a VPN
connection is used, you must select the appropriate protocol based on your needs. The Windows
Server 2008 operating system includes the Routing and Remote Access role to act as a remote access
server accepting dial-up and VPN connections.
Remote access servers enable users to access corporate resources from outside of the corporate network.
Situations that may require a remote access server include the following:
Staff working from home in the evenings
Staff telecommuting
Working from hotels during business trips
Wireless clients for accessing data on the road
One of the most common resources accessed by remote users is e-mail. Depending on the type of work
being done remotely, users may also have to access files on computers that share resources. Regardless of
what type of data is being accessed, there is an increased concern about security because the data is
traveling outside of the organization where it is more susceptible to being stolen.
Deploying a Remote Access Server

To deploy a remote access server, install the Network Policy and Access Services role. This role consists of
four role services. These are:
Network Policy Server. Allows you to create and enforce network access policies for network access
connections, health enforcement, and network connection authorization.
Routing and Remote Access. Enables you to provide remote access facilities and local routing
capabilities.
Health Registration Authority. Validates certificate requests that contain health claims; used in
Network Access Protection (NAP) enforcement.
Host Credential Authorization Protocol. Enables you to integrate your NAP solution with Cisco
Network Access Control.
Question: What are some examples of security concerns for data that is accessed remotely?
6-19
6-20
Lab Setup
1.
2.
3.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Contoso, Ltd. has deployed client computers to a number of new R & D branch offices. It is planning to
install new server computers at these branches to enable network infrastructure features, to support
custom applications, and to enable file and print services to support office productivity applications on
the client computers. Your task is to read the requirements document and determine what server roles are
required to support the needs of users at the branch offices.
6-21
Exercise 1: Determining the Appropriate Roles to Deploy

Note: Your instructor may run this exercise as a class discussion.
Scenario
Ed Meadows has forwarded an e-mail to you from Alan Brewer, the Research department head. Also
attached to the e-mail is the Branch Office Server Deployment Requirements document. You must read
the supporting documentation and complete the Branch Office Server Deployment Recommendations
document.
1.
2.

Complete the Branch Office Server Deployment Recommendations document.
Charlotte Weiss
From:
Sent:
To:
Subject:
Attached:
3 April 2010 17:14
FW: New branch offices Server Deployment
Branch Office Server Deployment Requirements.doc
Charlotte,
Please see Alans comments and review the attached document for further information.
Regards,
Ed
----- Original Message ----From:
Alan Brewer [Alan@Contoso.com]
Sent:
1 April 2010 13:30
To:
Ed@Contoso.com
Subject:
New branch offices Server Deployment
Ed,
Obviously I dont understand all of the technicalities, but what we want at the branches is the ability to
work as usual even if the link to the head offices is unavailable.
We have a database that we use; the branches synchronize their data with the head office database
periodically.
All workers at the branches are using standard office productivity software; Microsoft Office Word 2007,
Microsoft Office Excel 2007, and other Office components. They save their work to a server. Shared
printers are available throughout the branches for all users.
We often have visiting laptops and users moving between branches, so they need to be able to connect to
the network without user or administrator intervention.
Hope this helps,
6-22
Alan
Branch Office Server Deployment Requirements.doc

Branch Office Technical Overview
During interviews with staff and following research at each branch, I have determined the following
requirements:
Client computers require automatic IPv4 configuration.
Users must be able to logon to the network even if the link to the head offices is unavailable.
Users share files and store them centrally on shared folders.
Shared printers are accessible by all at the branch.
A database server exists at each branch that contains a subset of the data for the whole Research
department; synchronization occurs automatically with the head office.
It is important that updates to computers are not obtained directly from the Internet, but rather from
a server locally.
Read the supporting documentation to determine the server requirements of the branch offices.
Task 2: Complete the Branch Office Server Deployment Recommendations document

1.
2.
Answer the questions in the Branch Office Server Deployment Recommendations document.
Complete the Deployment Proposals section of the document.
Branch Office Server Deployment Recommendations
Document Author
Date
Charlotte Weiss
4th April
Deploy required server roles to the branch offices to ensure that the needs of the users are met.
None.
Proposals
1. How will you address the requirement that all computers can obtain an IPv4 configuration
automatically even if the link to the head office is down?
2. How will you address the requirement that all users must be able to logon to the network even if
the link to the head office is down?
3. How will you address the requirement that users need to be able to access shared files?
4. How will you address the requirement that users need to be able to use shared printers?
5. What kind of server best supports the needs of the database application?
6. What roles support this kind of server?
7. How will you address the requirement that the computers must obtain updates from a local
update server?
8. Which roles are required at the branch servers?
Results: After this exercise, you should have completed the Branch Office Server Deployment
Recommendations document.
6-23
6-24
Exercise 2: Deploying the Determined Server Roles

Scenario
You have studied the supporting documentation and Ed has asked you to deploy a subset of the required
roles on a test server in the lab environment. Assuming all goes well in the test lab, you will deploy these
roles to production servers at the branch offices.
1.
2.
3.
4.
Deploy infrastructure-related roles.

Deploy file and print-related roles.
Deploy application server-related roles.
Deploy supplemental roles and features.
Task 1: Deploy infrastructure-related roles

1.
2.
3.
4.
5.

Add the following server roles:
DHCP Server
DNS Server
Accept the defaults for all Add Roles Wizard pages to complete the installation process. For the
Network Connection Bindings page, remove the check mark next to 192.168.10.1.
Add the Active Directory Domain Services role.
Note: It is necessary to add the AD DS role separately from the DNS role.
6.
Accept the defaults for all Add Roles Wizard pages to complete the installation process.
Note: You are not required to configure AD DS.
Task 2: Deploy file and print-related roles

1.
2.
In Server Manager, add the following server roles:
File Services
Print and Document Services
Accept the defaults for all Add Roles Wizard pages to complete the installation process.
Task 3: Deploy application server-related roles

1.
2.
In Server Manager, add the Application Server server role.

When prompted, select the Web Server (IIS) Support role service.
Task 4: Verify supplemental roles and features

1.
2.
3.
4.
In Roles Summary, why are some roles showing with a red cross symbol?
In the navigation pane, click Features.
Examine the features that are installed.
When where these installed?
5.
Close Server Manager.
Results: After this exercise, you should have deployed all required roles and features.

following steps:
1.
2.
3.
4.
5.
6.

6-25
6-26
Review Questions
1.
2.
How is a server role different from a server feature?

You have just deployed the AD DS server role. What else must you do?
Tools
Tool
Use for
Where to find it
Server Manager
Managing server
Start Menu
configuration, including
adding roles and features
Initial Configuration
Tasks
Managing initial settings of a
Run oob.exe from command line.
server following installation
Best Practices Related to Server Roles

Supplement or modify the following best practices for your own work situations:
When planning the number of domain controllers and global catalog servers, always deploy at least
one domain controller/global catalog server per physical site.
Combine multiple roles on a single server computer when deploying servers in smaller organizations;
scale out these roles in larger organizations so that you can optimize performance.
Implementing Active Directory Domain Services
Module 7
Contents:
Lesson 1: Introducing AD DS
7-3
Lesson 2: Implementing AD DS
7-15
Lesson 3: Managing Users, Groups, and Computers
7-24
Lesson 4: Implementing Organizational Units
7-34
Lesson 5: Implementing Group Policy
7-39
7-48
7-1
7-2
Module Overview
The Windows Server 2008 R2 operating system Active Directory Domain Services (AD DS) is a
Microsoft Windows-based directory service. As a directory service, AD DS stores information about
objects on a network and makes this information available to users and network administrators.
Objectives
Describe the fundamental features of AD DS.
Implement AD DS.
Manage objects in a domain.
Implement organizational units (OUs) for managing groups and objects.
Configure client computers centrally with group policy objects (GPOs).
7-3
Lesson 1
Introducing AD DS
AD DS enables network users to access resources anywhere on the network using a single logon process
and provides network administrators with an intuitive, hierarchical view of the network and a single point
of administration for all network objects. Understanding the fundamental building blocks of AD DS
enables you to make more informed decisions about implementing and configuring AD DS.
Objectives
Describe a forest.
Describe the schema.
Describe the domain.
Describe trees.
Describe OUs.
Describe trusts.
7-4
The AD DS Forest
Key Points
In AD DS, a forest is the highest level of the logical structure hierarchy. An Active Directory forest
represents a single, self-contained directory. A forest is a security boundary, which means that
administrators in a forest have complete control over all access to information that is stored inside the
forest and to the domain controllers that are used to implement the forest.
It is typical to implement a single forest within your organization unless you have some specific need for
multiple forests. For example, if you want to create separate administrative areas for different parts of
your organization, you must create multiple forests to represent those administrative areas.
If you implement multiple forests within your organization they will, by default, operate separately from
each other as if they were the only directory service in your organization.
Note: You can integrate multiple forests by creating security relationships between them known as
external or forest trust relationships.
Forest Wide Operations

AD DS is a multi-master directory service. This means that most changes to the directory can be made at
any writable instance of the directory. That is, any writeable domain controller. Some changes, however,
are single-master. This means they can only be made on one specific domain controller in the forest or
domain, depending on the particular change. Domain controllers at which you can make these singlemaster changes are said to hold operations master roles. There are five operations master roles, two of
which are forest-wide and the remaining three are domain-wide.
The two operations master roles assigned for the entire forest are:
Domain naming master. The job of the domain naming master is to ensure there are unique names
throughout the entire forest. That is, it ensures that the fully-qualified name of each machine exists
only once in the entire forest.
Schema master. The schema master tracks the schema of the forest and maintains changes to the
underlying structure of the forest.
As these are key critical forest-wide roles, each forest must have only one schema master and domain
naming master.
7-5
7-6
The AD DS Schema
Key Points
The schema is the AD DS component that defines all objects and attributes that AD DS uses to store data.
AD DS stores and retrieves information from a wide variety of applications and services. So that it can
store and replicate data from these various sources, AD DS standardizes how data is stored in the
directory. By standardizing how data is stored, AD DS can retrieve, update, and replicate data while
ensuring that the integrity of the data is maintained.
AD DS uses objects as units of storage. All objects are defined in the schema. Each time that the directory
handles data, the directory queries the schema for an appropriate object definition. Based on the object
definition in the schema, the directory creates the object and stores the data.
Object definitions control the types of data that the objects can store, as well as the syntax of the data.
Using this information, the schema ensures that all objects conform to their standard definitions. As a
result, AD DS can store, retrieve, and validate the data that it manages, regardless of the application that is
the original source of the data. Only data that has an existing object definition in the schema can be
stored in the directory. If a new type of data needs to be stored, a new object definition for the data must
first be created in the schema.
In AD DS, the schema defines the following:
Objects that are used to store data in the directory.
Rules that define what types of objects you can create, what attributes must be defined when you
create the object, and what attributes are optional.
Structure and the content of the directory itself.
The schema is a single master element of AD DS. This means that you must make changes to the schema
at the domain controller that holds the schema operations master role.
7-7
The schema is replicated among all domain controllers in the forest. Any change that is made to the
schema is replicated to every domain controller in the forest from the schema operations master role
holder, typically the first domain controller in the forest.
Because the schema dictates how information is stored, and because any changes that are made to the
schema affect every domain controller, changes to the schema should be made only when necessary
through a tightly controlled process after you have performed testing to ensure that there will be no
adverse effects on the rest of the forest.
Although you might not make any change to the schema directly, some applications make changes to the
schema to support additional features. For example, when you install Microsoft Exchange Server 2010 into
your AD DS forest, the installation program extends the schema to support new object types and
attributes.
7-8
What Is a Domain?
Key Points
A domain is an administrative boundary. All domains host an Administrator user account that has full
administrative capabilities over all objects within the domain. Although the administrator can delegate
administration on objects within the domain, the account retains full administrative control of all objects
within the domain.
In earlier versions of Windows Server, domains were considered to provide complete administrative
separation; indeed, one of the fundamental reasons for selecting a multidomain topology was to provide
for this separation. However, in AD DS, the administrator account in the forest root domain also has full
administrative control to all objects in the forest, rendering this domain-level administrative separation
invalid.
A domain is a replication boundary. AD DS consists of three elements, or partitions; these are the schema,
the configuration partition, and the domain partition. Generally, it is only the domain partition that
changes frequently.
The domain partition contains objects that are likely to be updated often; these include users, computers,
groups, and OUs. Consequently, AD DS replication consists primarily of the updates to objects defined
within the domain partition. Only domain controllers in a particular domain receive domain partition
updates from other domain controllers. Partitioning data enables organizations to replicate data only to
where it is needed. In this way, the directory can scale globally over a network that has limited available
bandwidth.
A domain is an authentication boundary. Each user account in a domain can be authenticated by domain
controllers from that domain. Domains in a forest trust one another, and it is these trusts that enable a
user from one domain to access resources held in another domain.
7-9
Domain Wide Operations

There are three operations master roles per domain. Initially assigned to the first domain controller in
each domain, these are the following:
Relative identifier (RID) master. Whenever an object is created in AD DS, the domain controller where
the object is created assigns the object a unique identifying number known as a security identity
(SID). To ensure that no two domain controllers assign the same SID to two different objects, the RID
master allocates blocks of SIDs to each domain controller within the domain.
Primary domain controller emulator. This role is the most important in as much as its temporary loss
is noticed far more quickly than any other operations master role. It is responsible for a number of
domain-wide functions, including:
Updating account lockout status
Single master for the creation and replication of GPO
Time synchronization for the domain
Infrastructure master. This role is responsible for maintaining inter-domain object references. For
example, when a group in one domain contains a member from another domain, the infrastructure
master is responsible for maintaining the integrity of this reference.
These three roles must be unique in each domain, so each domain can have only one RID master, one
primary domain controller (PDC) emulator, and one infrastructure master.
7-10
AD DS Trees
Key Points
If your AD DS consists of more than one domain, you must define the relationship between the domains.
If the domains share a common root and a contiguous namespace, then they are logically part of the
same Active Directory tree. A tree serves no administrative purpose. In other words, there is no tree
administrator as there is a forest or domain administrator. A tree provides a logical, hierarchical grouping
of domains that have parent/child relationships defined through their names. Your Active Directory tree
maps to your Domain Name System (DNS) namespace.
Active Directory trees are created by the relationship between the domains within the forest. There is no
intrinsic reason you should, or indeed, should not create multiple trees within your forest. However, keep
in mind that a single tree, with its contiguous name space, is easier to manage, and easier for users to
visualize.
Consider using multiple trees within a single forest if you have multiple name spaces to support. For
example, if within your organization there are several distinct operating divisions with different public
identities, you could create a different tree for each operating division. Bear in mind that with this
scenario, there is no separation of administration because the forest root administrator still has complete
control over all objects in the forestin whichever tree they reside.
7-11
Organizational Units
Key Points
An OU is a container object within a domain that you can use to consolidate users, groups, computers,
and other objects. There are two reasons to create OUs:
Configure objects contained within the OU. You can assign GPOs to the OU, and the settings apply to
all objects within the OU.
Delegate administrative control of objects within the OU. You can assign management permissions on
an OU thereby delegating control of that OU to a user or group within AD DS other than the
administrator.
Note: An OU is the smallest scope or unit to which you can assign Group Policy settings or delegate
administrative authority.
You can use OUs to represent the hierarchical, logical structures within your organization. For example,
you can create OUs that represent the departments within your organization, the geographic regions
within your organization, and those that are a combination of both departmental and geographic regions.
You can then manage the configuration and use of user, group, and computer accounts based on your
organizational model.
Every AD DS domain contains a standard set of containers and OUs that are created when you install AD
DS. These include the following:
Domain container, which serves as the root container to the hierarchy.
Built-in container, which holds the default service administrator accounts.
Users container, which is the default location for new user accounts and groups created in the
domain.
Computers container, which is the default location for new computer accounts created in the domain.
7-12
Domain Controllers OU, which is the default location for the computer accounts for domain
controllers computer accounts.
7-13
Trusts Relationships
Key Points
A trust relationship enables one security entity to trust another security entity for the purposes of
authentication. In the Windows Server 2008 R2 operating system, the security entity is the Windows
domain.
The primary purpose of a trust relationship is to facilitate a user in one domain gaining access to a
resource in another domain without needing to hold a user account in both domains.
In any trust relationship, there are two parties involved; the trusting entity, and the trusted entity. The
trusting entity is the resource holding entity, while the trusted entity is the account holding entity. For
example, if you lend someone your laptop computer, you trust them. You are the resource holding entity.
It is your laptop; they are trusted as the account holding entity.
Types of Trusts
Trusts can be one-way or two-way.
A one-way trust means that although one entity trusts the other, the reciprocal is not true. For example,
just because you lend Steve your laptop does not mean that Steve will necessarily lend you his car.
In a two-way trust, both entities trust one another.
Trusts can be transitive or nontransitive. In a transitive trust, A trusts B and B trusts C, then A also implicitly
trusts C. For example, if you lend Steve your laptop, and Steve lends his car to Mary, then you might lend
your cell phone to Mary.
Windows Server 2008 R2 supports a number of different trusts for use in different situations.
In a single forest, all domains trust one another with internal, two-way transitive trusts. In essence, this
means that all domains trust all other domains. These trusts extend across trees within the forest. Aside
from these automatically created trusts, you can configure additional trusts between domains within your
forest, between your forest and other forests, and between your forest and other security entities, such as
7-14
Kerberos realms or the Microsoft Windows NT 4.0 operating system domains. The following table
provides more information.
Trust
type
Transitivity
Direction
Description
External
Nontransitive
One-way or
two-way
Use external trusts to provide access to resources that

are located on a Windows NT Server 4.0 domain or a
domain that is located in a separate forest that is not
joined by a forest trust.
Realm
Transitive or
nontransitive
One-way or
two-way
Use realm trusts to form a trust relationship between a

non-Windows Kerberos realm and a Windows
Server 2008 operating system or a Windows
Server 2008 R2 domain.
Forest
Transitive
One-way or
two-way
Use forest trusts to share resources between forests. If a

forest trust is a two-way trust, authentication requests
that are made in either forest can reach the other forest.
Shortcut
Transitive
One-way or
two-way
Use shortcut trusts to improve user logon times between

two domains within a Windows Server 2008 or a
Windows Server 2008 R2 forest. This is useful when two
domains are separated by two domain trees.
7-15
Lesson 2
Implementing AD DS
To implement AD DS you must deploy domain controllers. Understanding where and how to create
domain controllers to optimize your network infrastructure is important to ensure that you optimize AD
DS.
Objectives
Describe the role of a domain controller.
Describe when to use Read-Only domain controllers.
Describe AD DS sites.
Understand AD DS replication.
Configure DNS to support AD DS functions.
7-16
What Is a Domain Controller?
Key Points
You create a domain when you promote a Windows Server 2008 R2 server computer to a domain
controller. Domain controllers host the AD DS.
Domain controllers provide the following functions on the network:
Provides authentication. Domain controllers store the domain accounts database, and provide
authentication services.
Hosts operations master roles as an option. These roles were formerly known as Flexible Single Master
Operations (FSMO) roles. There are five operations master roles, two forest-wide roles and three
domain roles. You can transfer these roles as you require.
Hosts the global catalog as an option. You can designate any domain controller as a global catalog
server.
Note: The global catalog is a distributed database that contains a searchable representation of every
object from all domains in a multidomain forest. However, the global catalog does not contain all
attributes for each object. Instead, the global catalog maintains a subset of attributesthose that are
most likely to be useful in cross-domain searches.
Supports group policies and the System Volume (SYSVOL). Group policies consist of group policy
containers, stored in AD DS, and group policy templates, stored in the SYSVOL folder in the file
system of all domain controllers.
Provides replication. AD DS is a distributed directory service. Objects such as users, computers, OUs,
and services are distributed across all domain controllers in the forest, and can be updated on any
domain controller in the forest.
Note: You can deploy read-only domain controllers (RODCs) to branch offices where physical security
might be less rigorous than elsewhere in your organization. For more information about using RODCs,
visit the Microsoft TechNet Web site.
Note: Domain controllers in a forest share a common schema, a common global catalog, and a
common forest root domain.
7-17
7-18
What Is a Read-Only Domain Controller?
Key Points
An RODC is a new type of domain controller in Windows Server 2008 R2. With an RODC, organizations
can easily deploy a domain controller in locations where physical security cannot be guaranteed. An
RODC hosts a read-only replica of the database in AD DS for a given domain. The RODC is also capable of
functioning as a global catalog server.
Beginning with Windows Server 2008, an organization can deploy an RODC to address scenarios with
limited wide area network (WAN) bandwidth or poor physical security for computers. As a result, users in
this situation can benefit from:
Improved security.
Faster logon times.
More efficient access to resources on the network.

RODC Feature
Explanation
Read-only Active
Directory database
Except for account passwords, an RODC holds all of the Active Directory
objects and attributes that a writable domain controller holds. However,
changes cannot be made to the replica that is stored on the RODC. Changes
must be made on a writable domain controller and replicated back to the
RODC.
Unidirectional
replication
Because no changes are written directly to the RODC, no changes originate at

the RODC. Accordingly, writable domain controllers that are replication
partners do not have to pull changes from the RODC. This reduces the
workload of bridgehead servers in the hub and the effort required to monitor
replication.
Credential caching
Credential caching is the storage of user or computer credentials. Credentials

consist of a small set of approximately ten passwords that are associated with
RODC Feature
7-19
Explanation
security principals. By default, an RODC does not store user or computer
credentials. The exceptions are the computer account of the RODC and a
special krbtgt (Kerberos key distribution service center account) account that
each RODC has. You must explicitly allow any other credential caching on an
RODC.
Administrator role
separation
You can delegate the local administrator role of an RODC to any domain user
without granting that user any user rights for the domain or other domain
controllers. This permits a local branch user to log on to an RODC and perform
maintenance work on the server, such as upgrading a driver. However, this
does not give the branch user the right to log on to any other domain
controller or perform any other administrative task in the domain.
Read-only Domain
Name System
You can install the DNS Server service on an RODC. An RODC is able to
replicate all application directory partitions that DNS uses, including
ForestDNSZones and DomainDNSZones. If the DNS server is installed on an
RODC, clients can query it for name resolution as they would query any other
DNS server.
The following points help summarize the RODC role:
The domain controller that holds the PDC emulator operations master role for the domain must be
running Windows Server 2008. This is necessary for creating the new krbtgt account for the RODC
and for ongoing RODC operations.
The RODC needs to forward authentication requests to a global catalog server running Windows
Server 2008 in the site that is closest to the site with the RODC. The Password Replication Policy is set
on this domain controller to determine if credentials are replicated to the branch location for a
forwarded request from the RODC.
The domain functional level must be Windows Server 2003 so that Kerberos constrained delegation is
available. Constrained delegation is used for security calls that need to be impersonated under the
context of the caller.
The forest functional level must be Windows Server 2003, so that linked-value replication is available.
This provides a higher level of replication consistency.
You must run adprep /rodcprep one time in the forest. This will update the permissions on all of the
DNS application directory partitions in the forest to facilitate replication between RODCs that are also
DNS servers.
An RODC cannot hold operations master roles or function as a replication bridgehead server.
You can deploy an RODC on Server Core for additional security.
7-20
AD DS Sites
Key Points
A site is a logical representation of a geographical area in your network. A site represents a high-speed
network boundary for your AD DS computers; that is, computers that can communicate with high speed
and low latency can be grouped into a site; domain controllers within a site replicate AD DS data in an
optimized way for this environment; this replication configuration is largely automatic.
Note: Sites are used by client computers to locate services such as domain controllers and global
catalog servers. It is important that each site that you create has at least one domain controller and
global catalog server.
7-21
AD DS Replication
Key Points
AD DS replication is how changes to directory data are transferred between domain controllers in an AD
DS forest. The AD DS replication model defines the mechanisms that allow directory updates to be
transferred automatically between domain controllers to provide a seamless replication solution for the
AD DS distributed directory service.
There are three partitions in AD DS and it is the domain partition that contains the data that changes most
frequently and consequently makes up the bulk of AD DS replication data.
Active Directory Site Links

A site link is used to handle the replication between groups of sites. You can use the default site link
provided in AD DS, or else create additional site links as your needs dictate. You can configure settings on
site links to determine the schedule and availability of the replication path to help control replication.
When two sites are connected by a site link, the replication system automatically creates connections
between specific domain controllers in each site that are called bridgehead servers.
7-22
Configuring DNS for AD DS
Key Points
Installing DNS
AD DS requires DNS. The DNS server role is not installed on Windows Server 2008 R2 by default. Like
other functionality, it is added in a role-based manner when a server is configured to perform the role.
You can install the DNS server role using the Add Role link in Server Manager. The DNS server role can
also be added automatically by the Active Directory Domain Services Installation Wizard (dcpromo.exe).
The domain controller options page of the wizard allows you to add the DNS server role.
Configuring DNS Zones

After installing a DNS server, you can begin adding zones to the server. You can select to store the zone
data in AD DS if the DNS server is a domain controller. This creates an Active Directory integrated zone. If
you deselect this option, the zone data is stored in a file, rather than in AD DS.
Dynamic Updates
When you create a zone, you are also prompted to specify whether dynamic updates are supported.
Dynamic updates reduce the management overhead of a zone, because clients can add, delete, and
update their own resource records.
Dynamic updates leave open the possibility that a resource record could be spoofed. For example, a
computer could register a record named www, effectively redirecting traffic from your Web server to the
incorrect address.
To eliminate the possibility of spoofing, Windows Server 2008 R2 DNS Server service supports secure
dynamic updates. A client must authenticate prior to updating its resource records, so the DNS server
knows whether the client is the same computer that has the permission to modify the resource record.
7-23
DNS Zone Transfers

An enterprise should strive to ensure that a zone can be resolved authoritatively by at least two DNS
servers.
If the zone is AD DS integrated, you can simply add the DNS server role to another domain controller in
the same domain as the first DNS server. Active Directory integrated zones, and the replication of the DNS
zone by AD DS, are described in the next lesson.
If the zone is not AD DS integrated, you must add another DNS server and configure it to host a
secondary zone. Remember that a secondary zone is a read-only copy of the primary zone.
SRV Records
A Service Locator (SRV) resource record resolves a query for a network service, allowing a client to locate a
host that provides a specific service.
SRV records are used in these and many other scenarios:
When a domain controller needs to replicate changes from its partners
When a client computer needs to authenticate to AD DS
When a user changes his or her password
When an Microsoft Exchange server performs a directory lookup
When an administrator opens Active Directory Users and Computers
An SRV record follows the syntax shown below:

protocol.service.name TTL class
type
priority weight port
target
An example of an SRV record is shown below:

_ldap._tcp.contoso.com
600 IN SRV
100
389 hqdc01.contoso.com
The components of the record are:
The protocol service name, such as the Lightweight Directory Access Protocol (LDAP) service offered
by a domain controller.
The time-to-live value, in seconds.
The class (all records in a Windows DNS server will be IN or INternet).
The type: SRV.
The priority and weight, which help clients determine which host should be preferred.
The port on which the service is offered by the server. Port 389 is the standard port for LDAP on a
Windows domain controller.
The target, or host of the service, which in this case is the domain controller named
hqdc01.contoso.com.
When a client process is looking for a domain controller, it can query DNS for an LDAP service. The query
returns both the SRV record and the A record for the server(s) that provide the requested service.
7-24
Lesson 3
Managing Users, Groups, and Computers
One of your functions as an AD DS administrator is to manage user, group, and computer accounts. These
accounts are AD DS objects that individuals use to log on to the network and access resources. In this
lesson, you will learn about modifying user, group, and computer accounts in an AD DS domain.
Objectives
Describe user accounts.
Describe groups.
Understand when to nest groups.
List the default built-in groups.
Describe a computer account.
Provide best practices for user, group, and computer management.
Create and manage users, groups, and computer accounts.
7-25
What Are User Accounts?
Key Points
In AD DS for Windows Server 2008, all users that require access to network resources must be configured
with a user account. With this user account, users can be authenticated to the AD DS domain and granted
access to network resources.
A user account is an object that contains all of the information that defines a user in Windows Server 2008
R2. The account can be either a local or a domain account. A user account includes the user name and
password as well as group memberships. A user account also contains many other settings that you can
configure based upon your organizational requirements.
With a user account, you can:
Allow or deny users to log on to a computer based on their user account identity.
Grant users access to processes and services for a specific security context.
Manage users' access to resources such as AD DS objects and their properties, shared folders, files,
directories, and printer queues.
The Users container located in Active Directory Users and Computers displays the three built-in user
accounts: Administrator, Guest, and HelpAssistant. These built-in user accounts are created automatically
when you create the domain.
A user account enables a user to log on to computers and domains with an identity that can be
authenticated by the domain.
To maximize security, you should avoid multiple users sharing one account. By avoiding multiple users on
an account, each user who logs on to the network should have a unique user account and password.
When creating a user account, you must provide a user logon name. User logon names must be unique in
the domain/forest in which the user account is created.
7-26
What Are Groups?
Key Points
A group is a collection of user accounts, computer accounts, contacts, and other groups that you can
manage as a single unit. There are three common reasons for creating groups in AD DS. These are:
Granting permissions. Rather than assign a number of user accounts the same permissions on the
same resource, you could create a group, add the users as members, and grant the group permissions
on the resource.
Assigning rights. When a user requires administrative control of a resource, such as a server, it is
better to add the user to a management group created for that purpose. Then, if the user changes
job functions within your organization, you can remove them from the group. You can remove their
assigned rights on the server without the need to change permissions.
Distributing e-mail. When your users want to send e-mail messages to multiple users, you can create
specialized groups within the e-mail system to facilitate the process more efficiently.
Objects that belong to a particular group are referred to as group members.
Group Types
There are two types of groups in AD DS: distribution groups and security groups.
Security Groups
You create security groups to consolidate objects to which you want to assign permissions or rights. You
can also use security groups for distribution purposes within an e-mail application, such as Exchange
Server.
Distribution Groups
You can use distribution groups only with e-mail applications, such as Exchange Server, to send e-mail to
multiple users. Distribution groups are not security-enabled and cannot be assigned permissions on
resources or objects in AD DS. In smaller organizations, it is usually unnecessary to create distribution
7-27
groups as security groups can be mail-enabled. However, in larger organizations, the separation of
distribution and security groups enables you to separate the administration of the e-mail system and AD
DS.
Group Scope
Any group, whether it is a security group or a distribution group, is characterized by a scope that
identifies the extent to which the group is applied in the domain tree or forest. There are three group
scopes:
Domain local. Domain local groups can contain members from any domain in the forest but can only
be granted permissions and assigned rights on objects on the local domain. In other words, the
groups abilities are localized.
Global. Global groups can contain members only from the local domain, but can be granted
permissions or assigned rights anywhere in the forest. In other words, the groups abilities are global.
Universal. A universal group can contain members from anywhere in the forest and can be granted
permissions and assigned rights anywhere in the forest. In other words, the groups abilities and
membership are universal. Another important characteristic of a universal group is that the
membership list is maintained in the global catalog; consequently, you can only mail-enable universal
groups in Exchange Server.
Question: Describe a situation where you would use a distribution group instead of a security group.
7-28
Nesting Groups
Key Points
When you use nesting, you add a group as a member of another group. You can use nesting to combine
group management. Nesting increases the member accounts that are affected by a single action, and
reduces replication traffic caused by the replication of changes in group membership.
The following are best practices for nesting groups:
1.
2.
3.
Add user accounts into global groups.

Add global group to a domain local group.
Assign permissions or rights to the domain local group.
You can remember the preceding process with this pneumonic:

Accounts > Global > Domain Local < Permissions (AGDLP).
For larger organizations that require an additional tier of groups, consider adding global groups to
universal groups:
1.
2.
3.
4.
Add user accounts into global groups.

Add the global group to an appropriate universal group.
Add the universal group to the domain local group.
Assign permissions or rights to the domain local group.
You can remember the preceding process with this pneumonic:

Accounts > Global > Universal > Domain Local < Permissions (AGUDLP).
7-29
Default Built-In Groups
Key Points
In both domains and standalone workgroup-based computers, there are built-in groups. You can use the
built-in groups to simplify administration. For example, adding user accounts to the built-in Domain
Admins group enables the member user to perform administration on all domain computers.
Note: Bear in-mind that some of these built-in groups have powerful pre-assigned rights and privileges.
Although it can be convenient to add users to built-in groups to achieve an administrative goal, you
may be inadvertently assigning more rights and privileges than you intended.
In addition to built-in groups, there are system groups. These system groups do not have an explicitly
maintained membership list, but rather have an implicit membership. For example, the group
Authenticated Users contains anyone who is able to logon to the domain. You can use system groups to
assign management permissions and rights or permissions on resources.
Note: Because these system groups do not have an explicit membership list, they are not displayed in
Active Directory Users and Computers.
If the built-in and system groups are not sufficient for your needs, create additional groups as required.
The built-in groups are stored in the Users folder and the Builtin folder under the domain root.
7-30
Computer Accounts
Key Points
In AD DS, computers are security principals, just like users. This means that computers must have accounts
and passwords. To be fully authenticated by AD DS, a user must have a valid user account, and the user
must also log on to the domain from a computer that has a valid computer account. All computers
running Microsoft Windows NT or later operating systems must have computer accounts in AD DS.
Computers access network resources to perform key tasks such as authenticating user log on, obtaining
an IP address, and receiving security policies. To have full access to these network resources, computers
must have valid accounts in AD DS. The two main functions of a computer account are performing
security and management activities.
If you join a computer to a domain, the computer account is created in the Computers container by
default. In most organizations, administrators move the computer accounts to department-specific OUs so
that specific software and operating system configurations can be applied to the computers.
The most commonly used properties for computer accounts in AD DS are the Location and Managed By
properties. To maintain computers, you must find the physical location of the computers.
The Location property can be used to document the computers physical location in your network.
The Managed By property lists the individual responsible for the computer. This information can be
useful when you have a data center with servers for different departments and you need to perform
maintenance on the server. You can call or send e-mail to the person who is responsible for the server
before you perform maintenance on the server.
7-31
Account Management Best Practices
Key Points
Consider the following best practices to help to ensure that you manage accounts within your AD DS
forest efficiently.
User Accounts
When planning and implementing user accounts, consider the following points:
Create a user account for all users who need to access your forest; do not allow users to share user
accounts.
Implement a naming convention that yields simple-to-remember, unique user names. Bear in-mind
that the more users you have, the more likely there are to be duplicates within your organization.
Create accounts for temporary or contract staff with the same naming convention that you use for
other users. That is, do not use generic account names such as Temp1.
Plan the accounts policy carefully to ensure that it meets the security needs of your organization. The
accounts policy includes password length, password complexity rules, and the maximum password
age for user accounts.
Group Accounts
When planning and implementing groups, consider the following points:
Use the built-in and system groups where appropriate to simplify administration.
Nest groups to more efficiently control access to resources in larger organizations.
Avoid assigning permissions and rights directly to user accounts. Use groups to make on-going
maintenance easier.
Use a group naming convention that identifies who belongs to a group or what rights a management
group has. For example, the Sales global group obviously identifies users that are in the Sales
department, while the Printer Managers local group contains users with printer management rights.
7-32
Computer Accounts
When planning computers, consider the following points:
Limit who has the ability to create computer accounts.
Implement a naming convention that helps you identify the role and location of a computer.
Implement the Manage by and Location properties of computer accounts so that they are easier to
locate and manage.
7-33
Demonstration: How to Manage Accounts
Key Points
You can manage user, group, and computer accounts by using either Active Directory Users and
Computers or the Active Directory Administrative Center (ADAC).
In this demonstration you will see how to create an account using the ADAC. After creating the account,
you will see how to make it a member of a group.
1.
2.
3.
Run Active Directory Administrative Center.

Create a new user Claus Hansen.
Add Claus to the Domain Admins group.
7-34
Lesson 4
Implementing Organizational Units
You can use OUs to collect users, groups, and computers together for administrative purposes. In this
lesson, you will learn why and how to use OUs to help to administer your organization.
Objectives
Describe why to use OUs.
Create and manage OUs.
Delegate permissions on OUs.
7-35
Why Use Organizational Units?
Key Points
An OU is an AD DS object that is contained in a domain. You can use OUs to organize hundreds of
thousands of directory objects into manageable units. OUs are useful in grouping and organizing objects
for administrative purposes, such as delegating administrative rights and assigning policies to a collection
of objects as a single unit.
AD DS OUs are used to create a hierarchical structure within a domain. By creating an OU structure, you
are grouping objects that you can administer as a unit.
An organizational hierarchy should logically represent an organizational structure. That organization
could be based on geographic, functional, resource-based, or user classifications. Whatever the order, the
hierarchy should make it possible to administer AD DS resources as flexibly and effectively as possible. For
example, if all of the computers that are used by information technology (IT) administrators must be
configured in a certain way, you can group all of the computers in an OU, and assign a policy to manage
the computers in the OU.
OU Hierarchical Models
Organizations may deploy OU hierarchies by using several different models. The following are different
OU models:
Geographic OUs. If the organization has multiple locations and network management is distributed
geographically, you should use a location-based hierarchy. For example, you might decide to create
OUs for New York, Toronto, and Miami in a single domain.
Departmental OUs. A Departmental OU is based only on the organization's business functions,

without regard to geographical location or divisional barriers. This approach works well for small
organizations with a single location.
Resource OUs. Resource OUs are designed to manage resource objects (non-users such as client
computers, servers, or printers). This design is most useful when all resources of a given type are
7-36
managed in the same manner. Resource-based OUs can simplify software installations or printer
selections based on Group Policies.
Management-based OUs. Management-based OUs reflect the various administrative divisions within
the organization by mirroring its structure in the OU structure. Responsibilities to manage users and
groups, when they are placed into nested departmental OUs, can be delegated to managers of those
departments.
The eventual OU design should represent how the business will be administered. Delegation of authority,
separation of administrative duties, central versus distributed administration, and design flexibility are
important factors you must consider when you design Group Policy and select the scenarios to use for
your organization.
Question: Describe one scenario when you would use a domain to organize a network. Describe one
scenario when you would use an OU to organize a network.
7-37
Demonstration: How to Manage Organizational Units
Key Points
In this demonstration, you will see how to create an organizational unit using the ADAC. After the creation
of the organizational unit, you will see how to add objects to it.
1.
2.
3.
4.
Run Active Directory Administration Center.

Create a new organizational unit called Sales.
Add Claus Hansen to the Sales organizational unit.
Create a new computer called PRO-W7E-0001 in the Sales organizational unit.
7-38
Demonstration: How to Delegate Administration
Key Points
In this demonstration you will see how to delegate control of an organizational unit to a user.
1.
2.
Run Active Directory Users and Computers.

Delegate control of the Sales organizational unit to Claus Hansen.
7-39
Lesson 5
Implementing Group Policy
Once you have created users, groups, computer accounts, and an OU structure in your AD DS and
reducing IT costs. With Group Policy forest, the next step is commonly implementing group policy. Group
Policy and the AD DS infrastructure in Windows Server 2008 R2 enable IT administrators to automate user
and computer management, thus simplifying administrative tasks and AD DS, administrators can
efficiently implement security settings, enforce IT policies, and distribute software consistently across a
given site, domain, or range of OUs.
Objectives
Describe GPOs.
Understand local, site, domain, and organizational unit-linked policies.
Explain how to use GPO management tools.
Describe GPO Policies and Preferences.
Create a GPO and assign to an organizational units.
7-40
What Is a GPO?
Key Points
Group Policy is a Microsoft technology that supports one-to-many management of computers and users
in an AD DS environment. By editing Group Policy settings and targeting a GPO at the intended users or
computers, you can centrally manage specific configuration parameters. In this way, you can manage
potentially thousands of computers or users by changing a single GPO.
A GPO is the collection of settings that are applied to selected users and computers.
Group Policy can control many aspects of a target objects environment, including: the registry, NTFS file
system security, audit and security policy, software installation and restriction, desktop environment,
logon/logoff scripts, and many other settings.
One GPO can be associated with multiple containers in AD DS, through linking. Conversely, multiple GPOs
may link to one container.
Each computer running a Microsoft Windows operating system has a local GPO. In these objects, Group
Policy settings are stored on individual computers, whether or not they are part of an AD DS environment
or a networked environment.
Note: Local GPOs contain fewer settings than nonlocal GPOs, particularly under Security Settings and
do not support all of the GPO settings of a domain Group Policy such as Folder Redirection or Group
Policy Software Installation.
Group Policy has thousands of configurable settings (approximately 2,400). These settings can affect
nearly every area of the computing environment. You cannot apply all of the settings to all versions of
Microsoft Windows operating systems. For example, many of the new settings that came with the
Microsoft Windows XP Professional operating system, Service Pack (SP) 2, such as software restriction
policies, only applied to that operating system. Equally, many of the hundreds of new settings only apply
7-41
to the Windows 7 operating system and Windows Server 2008 R2. If a computer has a setting applied that
it cannot process, it simply ignores it.
7-42
Applying GPOs
Key Points
Clients initiate Group Policy application by requesting GPOs from AD DS. When Group Policy is applied to
a user or computer, the client component interprets the policy, and then makes the appropriate
environment changes. These components are known as Group Policy client-side extensions. As GPOs are
processed, a service on the domain controller passes the list of GPOs that must be processed to each
Group Policy client-side extension. The extension then uses the list to process the appropriate policy,
when applicable.
The site, domain, and organizational unit links from a GPO are used as the primary targeting principle for
defining which computers and users should receive a GPO. Security filtering and Windows Management
Instrumentation (WMI) filtering can be used to further reduce the set of computers and users to which the
GPO will apply. The group policy engine uses the following logic in processing GPOs: If a GPO is linked to
a domain, site, or organizational unit that applies to the user or computer, the group policy engine must
then determine whether the GPO should be added to its GPO list for processing.
GPOs that apply to a user or computer do not all have the same precedence. Settings that are applied
later can override settings that are applied earlier. Group Policy settings are processed in the following
order:
Local GPO. Each computer has exactly one GPO that is stored locally. This processes for both
computer and user group policy processing.
Site. Any GPOs that have been linked to the site that the computer belongs to are processed next.
Processing is in the order that is specified by the administrator, on the Linked GPOs tab for the site in
Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and
therefore has the highest precedence.
Domain. Processing of multiple domain-linked GPOs is in the order specified by the administrator, on
the Linked GPOs tab for the domain in GPMC. The GPO with the lowest link order is processed last,
and therefore has the highest precedence.
7-43
Organizational units. GPOs that are linked to the organizational unit that is highest in the AD DS
hierarchy are processed first, and then GPOs that are linked to its child organizational unit are
processed, and so on. Finally, the GPOs that are linked to the organizational unit that contain the user
or computer are processed.
GPOs can also be filtered by WMI settings such as hardware or software settings, configurations or even
applications that are installed.
7-44
Creating and Managing GPOs
Key Points
You can create or manage GPOs in many ways. A GPO can be created from a template or by default using
a graphical user interface (GUI) tool such as the GPMC. Once you have created the GPO you can link it to
the appropriate container: site, domain, or OU.
GPMC provides mechanisms for backing up, restoring, migrating, and copying existing GPOs. This is very
important for maintaining your Group Policy deployments in the event of error or disaster. It helps you
avoid manually recreating lost or damaged GPOs, and having to again go through the planning, testing,
and deployment phases. Part of your ongoing Group Policy operations plan should include regular
backups of all GPOs.
GPMC also provides for copying and importing GPOs, both from the same domain and across domains.
7-45
Policies and Preferences
Key Points
Many common configuration settings were traditionally delivered through logon or startup scripts. This
required writing, debugging, and storing the scripts in a central location, and then applying the scripts by
using user settings or Group Policy. Group Policy preferences enable IT professionals to configure, deploy,
and manage many common operating system and application settings that they previously were not able
to manage using Group Policy.
Group Policy preferences are new for Windows Server 2008, and include more than 20 new Group Policy
extensions that expand the range of configurable settings within a GPO. In contrast to policy settings, you
allow users to change preferences after you deploy them.
The key difference between preferences and policy settings is enforcement. Group Policy strictly enforces
policy settings. Organizations typically deploy two types of settings: managed and unmanaged. Managed
settings are policy settings that you enforce. Unmanaged settings are preferences. In contrast to policy
settings, you allow users to change preferences after you deploy them.
The following table describes the differences between policies and preferences:
Preferences
Policies
Preferences are not enforced.
Settings are enforced.
User interface is not disabled.
User interface is disabled.
Import individual registry settings or

entire registry branches from a local or
a remote computer.
Cannot create policy settings to manage files, folders, and so

on.
Not available in local Group Policy.
Available in local Group Policy.
Supports non-Group Policyaware
Requires Group Policyaware applications.
7-46
Preferences
Policies
applications.
Original settings are overwritten.
Original settings are not changed.
Removing the preference item does

not restore the original setting.
Removing the policy setting restores the original settings.
Targeting is granular, with a user

interface for each type of targeting
item.
Filtering is based on WMI and requires writing WMI queries.
Supports targeting at the individual

preference item level.
Supports filtering at a GPO level.
When choosing whether to deploy an item by using Group Policy settings or preferences, the most
important factor is whether or not you want to enforce the setting. To configure a setting without
enforcing it, use preferences. The next factor is whether the application or feature is Group Policyaware.
To enforce items for which no policy setting is available, you can deploy them as preference items and
then disable the Apply Once And Do Not Reapply option in the configuration of the setting.
7-47
Demonstration: How to Create a GPO and Link It to an Organizational Unit
Key Points
In this demonstration you will see how to create a GPO using the GPMC. After the creation of the GPO
you will link the GPO to Production OU and then log in as a production user. You will then see what
happens when the GPO is not applied.
1.
2.
3.
4.
5.
6.
Ensure the GPMC is installed.

Create a new GPO.
Restrict users from starting Task Manager when pressing CTRL+ALT+DEL.
Link the GPO to the Sales OU.
Log on as Claus Hansen to show the GPO is working.
Log on as the Administrator to show the GPO is not applied.
7-48
Lab Setup
1.
2.
3.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Contoso, Ltd. has created a new department ahead of a merger with the A Datum Corporation. Ed
Meadows has asked you to create a new OU in AD DS to support this new department and populate it
with the users, groups, and computers to support the new staff.
7-49
Exercise 1: Promoting a New Domain Controller

Scenario
Ed thinks that having more users will place additional load on the existing domain controller in New York.
He has asked you to promote an existing member server as a new domain controller.
1.
Add an additional domain controller.
Task: Add an additional domain controller

1.
2.
3.

Run dcpromo and wait while the AD DS binaries are installed.
Complete the Active Directory Domain Services Installation Wizard using the following information:
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
Operating system compatibility: accept defaults

Choose a Deployment Configuration: Existing forest: Add a domain controller to an existing
domain
Network credentials: accept defaults
Select a domain: Contoso.com (default)
Select a site: NewYork
Additional domain controller options: accept defaults
Acknowledge the DNS warning message.
Location for database, log files, and SYSVOL: accept defaults
Directory Services Restore Mode Administrator Password: Pa$$w0rd
Select the Reboot on completion check box.
Results: After this exercise, you will have promoted a new domain controller.
7-50
Exercise 2: Creating an Organizational Unit

Scenario
You must now create the required organizational unit for team members.
1.
Create an organizational unit.
Task: Create an organizational unit

1.
2.
3.
Once NYC-SVR2 has restarted, log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
In Active Directory Users and Computers, in the Navigation pane, click Contoso.com.
Create a new organizational unit in the Contoso.com domain called A Datum Merger Team.
Results: After this exercise, you will have created a new organizational list.
7-51
Exercise 3: Configuring Accounts

Scenario
Ed has asked that you create the necessary users accounts and groups, and move the users computer
accounts into the OU. You need two groups, one for all team members and one for the manager, Tony
Allen. You will then grant Tony Allen the ability to reset user passwords on all user accounts in the A
Datum Corporation Merger Team OU.
1.
2.
3.
4.
5.
Add user accounts.

Create groups.
Add members to the groups.
Move a computer account.
Delegate control of the OU.
Task 1: Add user accounts

1.
In Active Directory Users and Computers, create the following user accounts in the A Datum Merger
Team OU using the following information to complete the process:
a.
b.
c.
d.
2.
Configure users first names and last names.

User logon name is first name.
Password is Pa$$w0rd.
Clear the User must change password at next logon option.
Users to create are:

a.
b.
c.
d.
e.
Christian Kemp
Tony Allen
Pia Lund
Soha Kamal
Oliver Cox
Task 2: Create groups
In the A Datum Merger Team OU, create the following Global Security groups:
Mergers and Acquisitions
Merger Team Management
Task 3: Add members to the groups

1.
2.
Add all new users in the A Datum Merger Team OU to the Mergers and Acquisitions group.
Add only Tony Allen to the Merger Team Management Group.
Task 4: Move a computer account
In Active Directory Users and Computers, in the Computers folder, move the NYC-CL1 computer to
the A Datum Merger Team OU.
Task 5: Delegate control of the OU
Using the Delegation of Control Wizard, grant the Merger Team Management global security group
the right to Reset user passwords and force password change at next logon on the A Datum
Merger Team OU.
7-52
Results: After this exercise, you will have created the necessary users accounts and groups, and moved
the users computer accounts into the OU.
7-53
Exercise 4: Creating a GPO

Scenario
You must now create a GPO and link it to the A Datum Merger Team OU. The GPO will launch a logon
script for users in the new OU.
1.
2.
3.
Create a GPO.
Link the GPO.
Test the GPO.
Task 1: Create a GPO

1.
2.
3.
Open Group Policy Management.

Create a new GPO called A Datum Merger Team GPO.
Open the GPO for editing. Use the following steps to complete the process of creating a logon script
for the team:
a.
In the Group Policy Management Editor, expand User Configuration, expand Policies, expand
Windows Settings, and then click Scripts (Logon/Logoff).
b. In the Results pane, double-click Logon.
c. In the Logon Properties dialog box, click Add.
d. In the Add a Script dialog box, click Browse.
e. In the Browse dialog box, right-click in the No items match your search box, click New, and
then click Text Document.
f. Highlight the entire filename, including the file extension, and type logon.vbs and press ENTER.
g. In the Rename dialog box, click Yes.
h. Right-click logon.vbs and then click Edit.
i. In the Open File Security Warning dialog box, click Open.
j. In notepad, type msgbox Welcome to the A Datum Merger Team.
k. Click File and then click Save.
l. Close Notepad.
m. In the Browse dialog box, click Open.
n. In the Add a Script box, click OK.
o. In the Logon Properties dialog box, click OK.
4.
Close Group Policy Management Editor.
Task 2: Link the GPO
Link the A Datum Merger Team GPO to the A Datum Merger Team organizational unit.
Task 3: Test the GPO

1.
2.
3.
Switch to NYC-CL1 and log off.

User name: Tony
Password: Pa$$w0rd
Domain: Contoso
Does the script run?
7-54
Results: After this exercise, you will have created a GPO and linked it to the A Datum Merger Team
OU.

following steps:
1.
2.
3.
4.
5.
6.

Repeat these steps for 6420B-NYC-SVR2 and 6420B-NYC-CL1
Review Questions
1.
2.
3.
4.
For most organizations, how many AD DS forests are required?

If you are installing an AD DS compatible e-mail application, what implications does this have for
your AD DS schema?
What kind of trusts are implemented between domains in a single forest?
Why create organizational units?
Tools
Tool
Use for
Where to find it
Active Directory Users

and Computers
Managing objects within AD
Administrative Tools
Active Directory
Administrative Center
Managing objects within AD
Group Policy
Management Console
Creating, managing, and
DS such as Users, groups, and

computers
DS such as Users, groups, and

computers
editing group policies
7-55
7-56
Implementing IT Security Layers
Module 8
Contents:
Lesson 1: Overview of Defense-in-Depth
8-3
Lesson 2: Physical Security
8-17
Lesson 3: Internet Security
8-22
8-33
8-1
8-2
Module Overview
Security is an integral part of any computer network and must be considered from many perspectives.
Data security for Web content and files accessed on network shares are common concerns. In addition to
file and share permissions, you can also use data encryption to restrict data access.
Objectives
Identify security threats at all levels and mitigate those threats.
Describe physical security risks and identify mitigations.
Identify Internet-based security threats and protect against them.
Lesson 1
Overview of Defense-in-Depth
There are various ways to approach security design for computers. Defense-in-depth is one model for
analyzing and implementing security for computer systems. The model uses layers to describe different
areas of security.
Objectives
Describe defense-in-depth.
Describe how policies, procedures, and awareness can help to implement defense-in-depth.
Describe physical security threats and mitigations.
Describe perimeter network security threats and mitigations.
Describe internal network security threats and mitigations.
Describe host-based security threats and mitigations.
Describe application-based security threats and mitigations.
Describe data-based security threats and mitigations.
8-3
8-4
What Is Defense-in-Depth?
Key Points
When you park your car in a public place, you consider a number of factors before walking away from it.
For example, where it is parked, whether the doors are locked, and whether you have left anything of
value lying on the seat. You understand the risks associated with parking in a public place, and you can
mitigate those risks. As with your car, you cannot properly implement security features on a computer
network without first understanding the security risks posed to that network.
You can mitigate risks to your computer network by providing security at differing infrastructure layers.
The term defense-in-depth is often used to describe the use of multiple security technologies at different
points throughout your organization.
Policies, Procedures, and Awareness

Physical security measures need to operate within the context of organizational policies regarding security
best practice. For example, enforcing a strong user password policy is not helpful if users write their
passwords down and stick them to their computer screens. When establishing a security foundation for
your organizations network, it is a good idea to start with establishing appropriate policies and
procedures and making users aware of them. Then you may progress to the other aspects of the defensein-depth model.
Physical Security
If any unauthorized person can gain physical access to your computer, then most other security measures
are of little consequence. Ensure that computers containing the most sensitive data, such as servers, are
physically secure.
Perimeter
These days, no organization is an isolated enterprise. Organizations operate within a global community,
and network resources must be available to service that global community. This might include building a
8-5
Web site to describe your organizations services, or making internal services such as Web conferencing
and e-mail, accessible externally so that users can work from home or from satellite offices.
Perimeter networks mark the boundary between public and private networks. Providing specialist servers,
such as a reverse proxy, in the perimeter network allows you to more securely provide corporate services
across the public network.
Note: A reverse proxy enables you to publish services from the corporate intranet, such as e-mail or
Web services, without placing the e-mail or Web servers in the perimeter.
Networks
Once you connect computers to a network, they are susceptible to a number of threats. These threats
include eavesdropping, spoofing, denial of service, and replay attacks. This is especially relevant when
communication takes place over public networks by users working from home, or from remote offices.
Note: Common network security threats, such as eavesdropping and spoofing, and their mitigations
are discussed in course 6420B: Fundamentals of Windows
Server 2008, Module 10: Implementing Network Security.
Host
The next layer of defense is that used for the host computer. You must keep computers secure with the
latest security updates.
Application
Applications are only as secure as your latest security update. You should consistently use Microsoft
Windows Update to keep your applications up-to-date.
Data
The final layer of security is data security. To help ensure protection of your network, ensure proper use of
file permissions, encryption, and backup.
Question: How many layers of the defense-in-depth model should be secured?
8-6
Policies, Procedures, and Awareness
Key Points
Security is not only a technology-based solution. Organizations also implement policies, procedures, and
awareness programs to help prevent security incidents. Security relies on staff and users following policies
and procedures. For example, rules must be in place to determine under what circumstances a password
can be reset and how that new password is communicated to the user. Without these rules, unauthorized
password resets could unknowingly be performed that would allow an attacker to access your system.
Even when you implement rules to help prevent security problems, they can be circumvented. Some ways
that policies and procedures are compromised include:
Users unaware of the rules. When users are unaware of the rules, they cannot be expected to follow
them.
Users viewing rules as unnecessary. If the reason for rules is not adequately communicated to users,
then some treat the rules as unnecessary.
Social engineering. Users and computer administrators are vulnerable to social engineering where
they are convinced to break the rules. Sometimes this involves impersonating a legitimate user.
Mitigation
Consider the following to help to mitigate these threats:
Create specific rules that help prevent social engineering.
Educate users on rules and their relevance.
Implement compliance monitoring.
It is very important that you make users aware of your security rules, their relevance to the organization,
and the ramifications or consequences of not abiding by those security rules.
Question: What are some examples of policies and procedures being compromised and affecting
computer system security?
8-7
8-8
Physical Layer Security
Key Points
This is one of the most commonly overlooked areas of securing computer systems. In general, anyone that
has physical access to computer systems can:
Damage systems. This can be as simple as a server stored beside a desk that is accidentally knocked or
has coffee spilled on it.
Install unauthorized software on systems. Unauthorized software can be used to attack systems; for
example, there are utilities available to reset the administrator password on a Windows-based
workstation or member server.
Modify data. After a system has been compromised, data can be modified. This could be done by a
disgruntled employee to modify their own performance review.
Steal data. Data such as credit card information could be stolen after a system has been
compromised.
Steal hardware. If laptops are left unsecured, they can be stolen. Even servers improperly secured can
be stolen along with their data.
Mitigation
You must secure the network infrastructure including physical security. The problem is that while you
want to make it difficult for non-authorized people to access your computers and infrastructure, you want
to make it relatively straightforward for authorized employees.
Consider the following to help to mitigate physical security threats:
Restrict physical access by locking doors.
Monitor server room access.
Install fire suppression equipment.
Question: What are some examples of compromises when physical layer security is not in place?
8-9
8-10
Perimeter Layer Security
Key Points
Perimeter layer security refers to connectivity between your network and other untrusted networks. The
most commonly considered untrusted network is the Internet. However, there are other untrusted
networks that are a concern:
Remote access client. The client computers are accessing your network from a remote network over
which you have little or no control. Yet, the clients have access to more data on your network than
typical Internet hosts.
Business partners. You do not control the networks of business partners and cannot ensure that they
have appropriate security controls in place. If a business partner is compromised, then the network
links between your organization and the business partner pose a risk.
Mitigation
To keep your organization safe, create a private network and a perimeter network through the use of
firewalls, intruder prevention and detection systems, and other components.
Consider the following to help to mitigate perimeter security threats:
Implement firewalls at network boundaries.
Implement network address translation (NAT).
Use virtual private networks (VPNs) and implement encryption.
Question: In what way could a business partner be a risk?
8-11
Internal Network Layer Security
Key Points
Internal network layer security refers to events on the internally controlled network, including local area
networks (LANs) and wide area networks (WANs). This layer is easier to secure because you have control
of the devices on these networks.
The security risks to the internal network layer are:
Unauthorized network communication. Hosts may communicate with servers to which they have no
need. This raises the risk of host-level exploits being performed. Restricting network communication
to specific servers helps to prevent this.
Unauthorized network hosts. Frequently, security risks can be introduced to a network by

unauthorized hosts connecting to the network. A common source of unauthorized hosts is visitors
with laptops.
Unauthorized packet sniffing. The risk of unauthorized packet sniffing on modern wired networks is
minimal because switches control packet delivery and ensure that packets are sent only to the specific
destination. However, wireless networks are vulnerable, especially when only basic security measures,
such as wired equivalent privacy (WEP), are used to help secure access.
Default configurations on network devices. Network devices, such as routers, have a default
configuration that includes a default management username and password; failure to change these
compromises your network security.
Note: Packet sniffing occurs when a malicious attacker connects a network data analyzer to the
network to capture and examine network packets in transit; this can lead to additional attacks,
depending upon the data captured. For example, if the attacker can capture username and password
information in transit, they can exploit this to gain access to your computer network servers and data.
8-12
Mitigation
At the heart of many of these risks is the concept of authentication. If two computers can identify one
another, then they can communication more securely. You can provide authentication services in a
number of ways, such as digital certificates that are exchanged during initial communications. How you
distribute and manage these certificates depends on your organization, but might include the use of a
public key infrastructure (PKI) that you implement within your organization.
Note: You cannot always rely on authentication as some applications, such as network analysis, do
not support authentication.
Besides authentication, consider using encryption to ensure that data is secure while it is in transit. You
can encrypt communication to either the perimeter-based or edge servers from the public network with
tunneling technologies, and communication between the edge servers and the internal network with
Internet protocol security (IPsec).
In addition, Secure Socket Layer (SSL) can provide for secure and authenticated communications across
networks, and is widely used on the Internet.
Consider the following to help to mitigate these threats:
Do not make it easy to connect to your network; if someone can plug a laptop into your network and
access your intranet, you could face serious problems.
Encrypt network communication.
Segment the network.
Require mutual authentication.
Restrict switch ports and wireless access points based on media access control (MAC) address or client
certificates.
Question: Why is wireless communication more at risk for packet sniffing than wired communication?
8-13
Host Layer Security
Key Points
The host layer refers to the individual computers on the network. This includes the operating system, but
not application software. Operating system services, such as a Web server, are included in host layer
security.
Host layer security can be compromised by:
Operating system vulnerabilities. An operating system is complex. Consequently, there are often
vulnerabilities that hackers can exploit. These vulnerabilities enable attackers to install malicious
software or control hosts.
Default operating system configurations. Operating systems and their services include default
configurations. In some cases, the default configuration may not include a password or may include
sample files with vulnerabilities. Attackers use their knowledge of default configurations to
compromise systems.
Viruses are one mechanism used to attack hosts. The virus uses operating system flaws or default
configurations to replicate itself.
Mitigation
Windows Update and Windows Server Update Services (WSUS) can help to keep your Windows
computers up-to-date. In addition, you should consider using antivirus and malware protection. In the
Windows 7 operating system, consider using Microsoft Forefront Protection Manager and Windows
Defender to guard against security threats to host computers.
Consider the following to help you to mitigate these threats:
Harden operating systems.
Monitor access attempts.
Implement antivirus and anti-spyware software.
8-14
Implement host-based firewalls.
Question: What is an example of host layer security being compromised?
8-15
Application Layer Security
Key Points
The application layer refers to applications running on the hosts. This includes additional services, such as
mail servers, and desktop applications, such as Microsoft Office. The risks to applications are similar to the
risks to hosts and include:
Application vulnerabilities. Applications are complex programs that are likely to have vulnerabilities.
Attackers can use these vulnerabilities to install malicious applications or remotely control a
computer.
Default application configurations. Applications, such as databases, may have a default password or
no password at all. Not securing the default configuration simplifies the work of attackers attempting
to access a system.
Viruses introduced by users. In some cases, viruses are introduced by user actions rather than flaws. In
other cases, an application is actually a Trojan horse that has malicious code embedded in what
appears to be a useful application.
Mitigation
Consider the following to help you to mitigate these threats:
Run applications with the least privileges possible.
Install security updates.
Enable only required features and functionality.
Question: Give an example of malicious applications that may be installed by a user.
8-16
Data Layer Security
Key Points
The data layer refers to data stored on your computers. This includes data files, application files,
databases, and Active Directory Domain service (AD DS). When the data layer is compromised it can
result in:
Unauthorized access to data files. Unauthorized access to data files may result in unintended users
reading data. For example, the salaries of other staff. It may also result in data being modified and
becoming inaccurate.
Unauthorized access to AD DS. This may result in user passwords being reset and attackers logging
on by using the reset passwords.
Modification of application files. When application files are modified, they may perform unwanted
tasks such as replicating data over the Internet where an attacker can access it.
Mitigation
This can take many forms, and might include using NTFS file system permissions and shared folder
permissions to ensure that only authorized users can access files at a defined level of access. You might
also be concerned with intellectual property rights and ensuring that your data is used appropriately.
Finally, for data privacy, you can use both file and disk encryption technologies, such as the Encrypting
File System (EFS) or Windows BitLocker Drive Encryption.
Consider the following to help to mitigate data layer security threats:
Implement and configure suitable NTFS files system permissions.
Implement encryption.
Implement rights management.
Question: Give an example of a data layer compromise.
Lesson 2
Physical Security
Physical security provides the first level of defense against the malicious attacker. Consequently, it is
important to ensure that your network and the attached computers are physically secure. This lesson
explores common physical security threats, their mitigations, and how Windows Server can help to
provide physical security on your network.
Objectives
Describe physical security risks.
Provide best practice for mitigating these risks.
Explain the Windows tools used to help provide physical security.
8-17
8-18
What Are the Physical Security Risks?
Key Points
Aside from physical damage to inappropriately located servers and potential resulting data loss, the main
physical security risks to your networked computers are:
Data compromise arising from the loss or theft of your server computers or server storage devices.
Data compromise resulting from unmanaged computers connecting to your network.
Data compromise resulting from the introduction of storage devices into your network that can
contain malicious or damaging software.
8-19
Physical Security Best Practices
Key Points
To help to reduce the physical security risks, consider the following points:
Site security. Where possible, ensure that only authorized persons have access to the physical site
where your computers are located. This is more difficult with branch offices, and also with certain
commercial markets such as retail.
Computer security. Ensure that server computers, or any computer that contains or has access to
important data, are physically secure. Ideally, place servers and their storage devices in computer
rooms that are protected by physical security mechanisms such as keypads. In high-security
environments, consider implementing biometric security to ensure that only authorized persons can
physically access your computers.
Disable Log On Locally. The ability to logon interactively at a computer is a right that is typically
granted to all users for all computers in your forest with the exception of domain controllers.
Consider further restricting the right to Log on Locally where more security is required. If a user
cannot logon, this diminishes their ability to perform actions on your network.
Mobile device security. Mobile devices, for example laptop computers and mobile phones, provide
users with the convenience of being able to access the corporate network from anywhere. However,
this raises the possibility that these devices might be lost or stolen. Ensure that you implement
appropriate security on mobile devices so that in the event of their loss, data is not compromised.
Consider implementing remote wipe technologies on mobile devices such as Windows Mobile
handsets. Consider implementing EFS and BitLocker Drive Encryption on laptops.
Removable devices and drives. Consider very carefully whether the convenience of users being able to
copy files to and from removable storage devices outweighs the security risk posed. If you decide that
users will be allowed to use removable storage devices, consider implementing
BitLocker-to-Go on these devices. This consideration will provide for data encryption on the device.
8-20
Implementing Physical Security with Windows Server Tools
Key Points
Windows Server provides a number of tools and features that can help you implement physical security.
Encrypting File System

The EFS is the built-in file encryption tool for Windows file systems. A component of the NTFS file system,
EFS enables transparent encryption and decryption of files by using advanced, standard cryptographic
algorithms. Any individual or program that does not possess the appropriate cryptographic key cannot
read the encrypted data. Encrypted files can be protected even from those who gain physical possession
of the computer that the files reside on. Even persons who are otherwise authorized to access the
computer and its file system cannot view the data.
BitLocker Drive Encryption

BitLocker provides protection for the computer operating system and data stored on the operating
system volume by ensuring that data stored on a computer remains encrypted, even if the computer is
tampered with when the operating system is not running. BitLocker provides a closely integrated solution
in a Windows Server 2008 R2 operating system and Windows 7 to address the threats of data theft or
exposure from lost, stolen, or inappropriately decommissioned personal computers.
Read-Only Domain Controllers (RODC)

RODC is a new type of domain controller in Windows Server 2008 R2. With an RODC, you can easily
deploy a domain controller in locations where physical security cannot be guaranteed such as, a branch
office. An RODC hosts a read-only replica of the database in AD DS for a given domain.
When an RODC services the logon request for a user on your network, that users credentials are cached
at the server; only users accounts at the branch office are cached in this way. If the RODC is stolen, only
this subset of your domain accounts is compromised making it easier and quicker for you to maintain user
account security.
8-21
Note: By default, no user credentials are cached on the RODC. This is safer because in the event of
the RODC being stolen, no user passwords are compromised. However, if the link between the head
office, where the writable domain controllers exist, and the branch office fails, and caching is not
enabled, users at the branch cannot logon until the link is reestablished.
Group Policies
If you allow users to add storage devices, such as universal serial bus (USB) memory sticks or external hard
drives, to their network-attached computers, you may potentially introduce additional security risks.
Windows Server can use group policy objects (GPOs) to enforce rules on network-attached computers
that control or prohibit the addition of storage devices.
Network Access Protection

When you allow computers to connect to your network from unmanaged locations, such as users homes,
or you allow computers from other organizations to connect to your network, you expose your network
to security risks.
Your network is only as secure as the least secure computer attached to it. Many programs and tools exist
to help you to secure your network-attached computers, such as antivirus or malware detection software.
However, if the software on some of the connected computers is not up-to-date, or worse, not enabled or
configured correctly, then these computers pose a security risk.
Computers that remain within your office environment and are always connected to the same network are
relatively easy to keep configured and updated. Computers that connect to different networks, especially
unmanaged networks, are less easy to control, for example, laptop computers that are connected to
customer networks, or to public wireless fidelity (Wi-Fi) hotspots. In addition, unmanaged computers
seeking to connect remotely to your network, such as users home computers, pose a challenge.
Network Access Protection (NAP) is a policy-enforcement platform that is built into the Windows 7, the
Windows Vista operating system, the Windows XP operating system with Service Pack 3 (SP3), and the
Windows Server 2008 and Windows Server 2008 R2 operating systems. NAP allows you to more strongly
protect network assets by enforcing compliance with system health requirements.
NAP provides the necessary software components to help ensure that computers connected or
connecting to your network remain manageable, so they do not become a security risk to the network
and other attached computers. This enables you to more confidently allow computers to connect to your
network.
Access Control
Once computers have connected to your network and have access to your server data, you can protect
the integrity of the data by configuring appropriate file permissions. Ensure that you only grant
permissions where needed and grant the minimum permissions required. This is especially important in
situations where users from outside your organization are connecting to your network.
8-22
Lesson 3
Internet Security
Internet access has become increasingly important in recent years, both for work productivity, and
personal development and entertainment. As the demand for Internet connectivity grows, and users
perform increasingly complex tasks on the Internet, there is an increase in related risks. This lesson
explores the technologies and features available in Windows to help to protect your Windows-based
computers while connected to the Internet.
Objectives
Describe the risks posed by connecting to the Internet.
Describe possible mitigations to these risks.
Describe the Windows Server components and features that can help provide this Internet security.
Describe Windows Internet Explorer (IE) security settings.
Configure IE security settings.
8-23
What Are the Risks?
Key Points
When you connect your computer to any untrusted network, including the Internet, you expose it to
numerous potential security risks. One way in which you can consider the security risks posed by the
Internet is to consider the applications that you use when connected to the Internet. Common
applications, and associated security risks, include:
E-mail. An e-mail message can contain a malicious payload; the message might contain:
A malicious executable file that is attached to the message.
A request for personal information.
Inappropriate content.
Embedded links to unsafe Web sites.
It is also important to remember that almost all e-mail is sent in clear-text; that is, unencrypted. This
means that if the message is intercepted, anyone can read and potentially modify the message
contents. Additionally, most e-mail is transmitted between hosts that have no knowledge of one
another. Consequently, most e-mail traffic is not authenticated making it more difficult to determine
the true originator of a message.
Web browsing. A Web site can hide numerous security risks including malicious programs. Common
risks associated with Web sites include:
Plug-ins. These are applications designed to work with your browser to provide additional
capabilities. For example, you can use plug-ins to enable your browser to view video files. They
have the ability to expose security flaws in your browser.
Active-X controls. These small programs are downloaded by your browser to enable it to perform
a number of specialized tasks, including manipulating data files or viewing specific file types.
Malicious Active-X controls can pose a security threat to your computer.
8-24
Cross-site scripting. Enables malicious attackers to enable client-side scripts in Web pages that
you computer is viewing, even when the Web site you are viewing is considered a safe source.
Cookies. Cookies are used for authentication, session tracking, storage of Web site preferences,
shopping cart contents, and many other potential uses. Because of the sensitive data stored in
cookies, they have the potential to be misused by malicious individuals.
It is also important to be sure that you have navigated to the appropriate site rather than to a bogus
site masquerading as a legitimate site.
Instant Messaging (IM). This method of communicating with friends and colleagues is very popular.
However, it has attracted the attention of malicious attackers. IM messages can contain links to unsafe
Web sites or be used to initiate file transfers, remote control sessions, or share files and content on
your computer.
Social networking. There are numerous social networking sites. These sites can pose the same security
risks as any other Web site. However, it is important to remember that these sites exist as a way for
you to share information, some of which may be personal information. Exercise caution when you
share your personal information with others.
File download. Any file that you download from the Internet may come from an untrusted source and
may contain harmful code. It is important that you only download files from trusted sources and that,
where possible, files are digitally signed so that you can easily determine the files origin. This is
especially relevant for device drivers as files of this type, if malicious, can have a far more detrimental
effect on your computer.
Computer updates. It is common for software installed on your computer, including the operating
system, to periodically check for and download updates. This is one way of ensuring that your
computer is up-to-date, performs optimally, and remains secured through the application of security
updates. However, software obtained from an untrusted source could use this update mechanism to
download malicious code onto your computer. Ensure that you verify that the updates are safe.
In addition, simply connecting to the Internet exposes your computer to possible security risks. For
example, if you connect to the Internet from your home or from the office, the chances are that the
connection is reliable and reasonably secure. However, when you connect to the Internet from a location
such as a wireless hotspot, you might expose your computer to additional security risks.
Also, bear in-mind that although the connection provided by the hotspot might, in itself, be secure, other
computers that are connected to the network might be compromised by security flaws that might affect
your computer. In addition, it is common for hotspots to provide an unsecured connection for easier
wireless Internet access. However, under these circumstances, data that your computer sends and receives
can be captured and accessed by third parties.
8-25
Mitigating the Risks
Key Points
You can help reduce the chances of your computers security being compromised if you observe the
defense-in-depth approach when you connect your computer to the Internet.
When performing common tasks on the Internet, consider the following points to help mitigate security
risks:
E-Mail. Implement e-mail software or use additional software with your e-mail software that supports
the following important security features:
Anti-spam control. Ensure that junk e-mail is either quarantined or deleted. Anti-spam software
can identify spam messages using a variety of technologies.
Antivirus control. Scan incoming and out-going messages for viruses. Ensure that you keep the
virus software up-to-date to provide adequate protection against new and emerging threats.
Attachment handling controls. Some e-mail software, such as Microsoft Office Outlook, enables
you to configure how attachments of specific types are handled. For example, you can configure
the e-mail software to block attachments of a file type that can contain malicious code, also
known as executable files.
Web browsing. A Web browser should provide the ability to select appropriate security settings based
upon the trustworthiness of a Web site. For example, IE enables you to define security settings for
different security zones, such as Internet, local intranet, trusted sites, and restricted sites. Security
settings within the context of these zones include whether or not to download and run ActiveX
controls, scripting behavior, and how to handle signed or unsigned content.
It is also important to implement security software when you browse the Web. Suitable software
should provide antivirus protection, protection against spyware, identity protection, and a link
scanner that can help identify unsafe Web sites before you visit them.
8-26
Finally, be cautious when you shop online. Only use sites that you trust, that can provide a digital
certificate to verify their identity, and that provide you with a redress should something go amiss with
your order.
IM. Many security software packages provide protection against viruses in files that you might
attempt to receive by an instant message. However, it is important that you are careful about the
information that you divulge during an instant message conversation as these messages are often
sent and received in clear text.
Social networking. It is important that you only divulge information through social networking sites
that you are happy to see in the public domain. It is a good idea to limit the type of information that
you share. For example, divulging details about your finances, combined with information about your
address can give a malicious attacker sufficient information to steal your identity and commit fraud.
File download. You can limit your exposure to unsafe downloads by implementing antivirus software.
Additionally, by only downloading files from trusted sources and files that provide a digital signature,
you can help to reduce the security risk posed by downloads. Often, downloaded files may appear
safe but actually contain code that can install additional software that harms your computer.
Windows implements a security feature called User Account Control (UAC) that enables you to
control unintended software installations.
Computer updates. To ensure that your computer updates are safe, only download updates from safe
sources. Computers that are running either Windows 7 or Windows Server 2008 R2 obtain their
updates from the Microsoft Web site or from a local server within your workplace organization
running Windows Server Update Services (WSUS).
Connecting to the Internet. When you connect to the Internet, ensure that you have enabled a hostbased firewall. Computers that are running either Windows 7 or Windows Server 2008 R2 implement
the Windows Firewall with Advanced Security. When you first connect to a new network, such as a
wireless hotspot, you must define whether the network is public or private. Windows Firewall with
Advanced Security then adjusts the security settings based upon your selection.
In addition to a host-based firewall, it is also advisable to ensure that the router that connects to the
Internet provides additional protection. Typical home-office asymmetric digital subscriber line (ADSL)
routers provide NAT and firewall functionality.
8-27
Implementing Internet Security with Windows
Key Points
Windows 7 and Windows Server 2008 R2 provide a number of security features that help to ensure that
connectivity to the Internet is more secure.
UAC
UAC is a security feature that provides a way for each user to elevate their status from a standard user
account to an administrator account without logging off, switching users, or using the Run As command.
UAC is a collection of features rather than just a prompt. These features, including File and Registry
Redirection, Installer Detection, the UAC prompt, and the ActiveX Installer Service, enable Windows users
to run with user accounts that are not members of the Administrators group. These accounts are generally
referred to as standard users and are broadly described as running with least privilege.
When a change is made to your computer that requires administrator-level permissions, UAC notifies you
as follows:
If you are an administrator, click Yes to continue.
If you are not an administrator, someone with an administrator account on the computer will have to
enter his or her password for you to continue.
If you are a standard user, providing permission temporarily gives you administrator rights to complete
the task and then your permissions are returned back to standard user when you are finished. This ensures
that even if you are using an administrator account, changes cannot be made to your computer without
your knowledge. This security can help prevent malicious software and spyware from being installed on or
making changes to your computer.
Windows Firewall
Windows Firewall is a host-based, stateful firewall included in Windows Server 2008 R2. It drops incoming
traffic that does not correspond to traffic sent in response to a request (solicited traffic) or unsolicited
8-28
traffic that has been specified as allowed (accepted traffic). Windows Firewall helps provide protection
from malicious users and programs that rely on unsolicited incoming traffic to attack computers. Windows
Firewall can also drop outgoing traffic and is configured using the Windows Firewall with Advanced
Security snap-in, which integrates rules for both firewall behavior and traffic protection with IPsec.
Windows Defender
Windows Defender in Windows 7 helps protect you from spyware and malicious software. Windows
Defender is not antivirus software. Windows Defender offers three ways to help keep spyware from
infecting the computer:
Real-time protection is the mechanism that actively monitors for malware and alerts you when
potentially unwanted software attempts to install itself or to run on the computer. It also alerts you
when programs attempt to change important Windows settings.
The SpyNet community helps you see how other people respond to software that has not yet been
classified for risks. When you participate, your choices are added to the community ratings to help
other people choose what to do.
Scanning options are used to scan for unwanted software on the computer, to schedule scans on a
regular basis, and to automatically remove any malicious software that is detected during a scan.
8-29
Internet Explorer Security Settings
Key Points
IE security options help you secure your computer while providing a functional browsing environment. IE
has new functionality that helps protect computers against malicious software, and helps protect users
against data theft from fraudulent Web sites. In addition, IE comes with safe and easy add-on functionality
that gives users full control over adding functionality to their online experiences, while at the same time
avoiding inadvertent, unwanted software downloads.
Dynamic Security Options

The following table describes the most important Dynamic Security options that you can configure for IE.
Dynamic security
options
Use
ActiveX Opt-in
Disables nearly all pre-installed ActiveX controls to prevent potentially vulnerable

controls from being exposed to attack. You can easily enable or disable ActiveX
controls as needed through the Information Bar and the Add-on Manager.
Security Status Bar
Enhances Web site security and privacy settings awareness by displaying colorcoded notifications next to the address bar. Internet Explorer changes the Address
Bar to green for Web sites bearing new High Assurance certificates, indicating
that the site owner has completed extensive identity verification checks. Microsoft
Phishing Filter notifications, certificate names, and the gold padlock icon are now
also adjacent to the address bar for better visibility. Certificate and privacy detail
information can easily be displayed with a single click on the Security Status Bar.
SmartScreen Filter Protects you against phishing sites, warns you when visiting potential or known
fraudulent sites, and blocks the site if required. The opt-in filter updates several
times per hour with the latest security information from Microsoft, and several
industry partners.
8-30
Dynamic security
options
Use
Cross-Domain
Barriers
Limits scripts on Web pages from interacting with content from other domains or
windows. This enhanced safeguard helps protect the computer against malicious
software by limiting malicious Web sites from potentially manipulating flaws in
other Web sites, or causing you to download undesired content or software.
Delete Browsing
History
Allows you to clean up cached pages, passwords, form data, cookies, and history.
Address Bar
Protection
Displays an address bar for every windowwhether pop-up or standardto help

block malicious sites from emulating trusted sites.
International
Adds support for International Domain Names in Uniform Resource Locators
Domain Name Anti- (URLs), and notifies you when visually similar characters in the URL are not
Spoofing
expressed in the same language. Thus it protects you against sites that could
otherwise appear as known, trustworthy sites.
URL Handling
Security
Redesigned URL parsing ensures consistent processing and minimizes possible

exploitation. The new URL handler helps centralize critical data parsing, and
increases data consistency.
Fix Settings for Me
Warns you with an Information Bar when current security settings may put you at
risk, which can prevent you from browsing with unsafe settings. Within the
Internet Options dialog box, certain items are highlighted in red when they are
not safely configured. In addition, this option issues reminders that the settings
remain unsafe. You can instantly reset Internet security settings to the MediumHigh default level by clicking Fix Settings for Me in the Information Bar.
Add-ons Disabled
Mode
Helps you troubleshoot difficulties in launching IE, or in reaching specific Web

sites, by causing Internet Explorer to start in
No Add-ons mode, in which only critical system Add-ons are enabled.
Protected Mode
Protected mode in the Windows Vista security infrastructure is one of the important new IE security
features. Protected mode provides IE with the rights needed to browse the Web, while simultaneously
withholding rights needed to silently install programs or modify sensitive system data. In addition,
Protected mode helps protect against malicious downloads by restricting the ability to write to any local
machine zone resources other than temporary Internet files. Web-based software cannot write to any
location other than the Temporary Internet Files folder without explicit user consent.
Running programs with limited user rights rather than administrator rights offers better protection against
attacks, because Windows can restrict the malicious code from performing damaging actions. This
additional defense helps ensure that scripted actions or automatic processes cannot download data to
locations other than directories with lower rights, such as the Temporary Internet Files folder.
Although Protected mode does not protect against all forms of attack, it significantly reduces the ability
of an attack to write, alter, or destroy data on the user's computer, or to install malicious code.
Parental Controls
To help keep children safer online, parents can control browsing behavior through the Parental Control
settings built into Windows Vista. You can monitor a child's activities and remotely change the restriction
levels. You can apply a restriction to many activities on the computer, such as playing games or browsing
8-31
the Internet. You can also examine a child's browsing session afterwards; the child lacks the necessary
permissions to remove their session history.
Note: Parental Control settings are only available if the computer is not a member of a domain.
Add-on Manager
The Internet Explorer Add-on Manager is designed to give you greater control over IE add-ons.
Add-ons are a great way to introduce new functionality to your online experience. However, add-ons are
also a great way of introducing malicious software to your computer. You can use the Add-on Manager to
display:
Add-ons that have been used by IE.
Add-ons currently loaded in IE.
Add-ons that run without requiring permission.
Downloaded ActiveX controls.
You can then selectively enable or disable these add-ons, and delete any ActiveX controls.
SmartScreen Filter
Businesses put a lot of effort into protecting computer assets and resources. Phishing attacks, otherwise
known as social engineering attacks, can evade those protections and result in users giving up personal
information. The majority of phishing scams target individuals in an attempt to extort money or perform
identity theft.
With the introduction of the SmartScreen Filter, Internet Explorer 8 builds on the Phishing Filter
technology introduced in Internet Explorer 7. The Phishing Filter was designed to warn users when they
attempt to visit known phishing sites. The SmartScreen Filter replaces the Phishing Filter and helps protect
against phishing Web sites, other deceptive sites, and sites known to distribute malware.
The SmartScreen Filter improves upon the Phishing Filter by providing:
An improved user interface.
Faster performance.
New heuristics and enhanced telemetry.
Anti-malware support.
Improved Group Policy support.
8-32
Demonstration: How to Secure Internet Explorer
Key Points
In this demonstration, you will see how to disable an add-on.
1.
2.
3.
View a Web page that uses an ActiveX control.

Disable the control.
View the Web page again to verify the add-on is disabled.
8-33
Lab Setup
1.
2.
3.
4.
5.
6.
Password: Pa$$w0rd
Domain: Contoso
Repeat these steps 2 and 3 for 6420B-NYC-CL1.

User name: Alan
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Alan Brewer has visited various Research department branch offices. On his return to the head office of
Contoso, Ltd, he produced a list of security concerns and sent them by e-mail to Ed Meadows, your boss.
Ed has tasked you with the resolution of these issues.
8-34
Exercise 1: Implementing Physical Security

Scenario
The security issues revolve around the fact that many of the branch offices cannot be physically secured.
Once you have completed the incident record, make proposals about how best to address Alans concerns
over physical security.
1.
2.

Complete the Incident Record.
Contoso Network Security Policy Laptops
Document Reference Number: EM220109/1
Document Author
Date
Ed Meadows
22nd January
Overview
This document defines the corporate policy regarding laptops and other portable computing devices
within Contoso, Ltd.
Policies
1. Any network device that is moved from the office of Contoso, Ltd. must be configured in such a way
that loss of the device does not lead to a compromise of the stored data.
2. Laptops can connect to other networks provided:
a. A suitable firewall is in place.
b. The computer is up-to-date with security updates.
c. Protection against viruses and malware is installed.
3. Portable storage devices are permitted for use on laptops as long as their loss does not compromise
the data stored on them.
8-35
Charlotte Weiss
From:
Sent:
To:
Subject:
Attached:
6 May 2010 12:01
RE: Branch offices security concerns
Incident Record
Charlotte,
Please look at the attached incident record and review Alans concerns. Get a plan together for resolving
these security concerns. Thanks,
Ed
----- Original Message ----From:
Alan Brewer [Alan@Contoso.com]
Sent:
5 May 2010 11:45
To:
Ed@Contoso.com
Subject:
Branch offices security concerns
Ed,
I just got back from the branches. Im pretty worried that, given the sensitive nature of the data we handle
in Research, physical security is pretty lax compared with the head office. I have listed my main concerns
below:
Laptops are used by research staff; they often take these home.
In some branches there is no dedicated room for the servers.
We often let external contract staff connect their own computers to our research networks.
I notice that some personnel bring music files on USB drives into the offices.
Regards, Alan

1.
2.
Read e-mail and the attached incident record with a view to determining the possible problem
causes.
Read the Contoso Network Security Policy Laptops document with a view to determine if you
must enforce any changes at the branch based on corporate policies.
Task 2: Complete the incident record

1.
2.
Answer the questions in the incident record.

Complete the Resolution section of the incident record.
Contoso Incident Record
Incident Reference Number: 501285
Called logged by
Date of call
Time of call
User
Ed Meadows
10th May
10:50
Alan Brewer
8-36

Status
OPEN
Incident Details
Call logged by Information Technology (IT) manager following inquiries at branch offices
concerning physical security problems raised by Research department manager, Alan Brewer.
Reported concerns:
1. Laptops are used by research staff and they often take these home.
2. In some branches there is no dedicated room for the servers.
3. External contract staff can connect their own computers to the research networks.
4. Staff uses personal USB storage devices on work computers.
Questions
1. What security policies apply to the branch office laptops as defined in the Contoso Network
Security Policy Laptops document?
2. What security concerns do you have about the branch offices?
3. How would you address the concerns you might have about laptop computer use?
4. How would you address the concerns you might have about the lack of dedicated server
computer rooms?
5. How would you address the concerns you might have about contractor computer use?
6. How would you address the concerns you might have about removable storage devices?
7. Complete the resolution section below with a summary of your proposals.
Resolution
Results: After this exercise, you should have completed the incident record.
8-37
Exercise 2: Configuring Security Settings in Internet Explorer

Scenario
When Alan returned from the branch offices, he had a few problems with his laptop computer. You
determined that these problems were related to his laptops Internet Explorer settings. You must verify the
settings are appropriate.
1.
2.
3.
4.
5.
Verify current Internet Explorer security settings.

Change the Intranet Zone security settings.
Test the Security changes.
Add the Web site to the Trusted Sites List.
Test the Security Zone change.
Task 1: Verify current Internet Explorer security settings

1.
2.
3.
Switch to the NYC-CL1 computer.

Open Internet Explorer.
What is the current security level for the Local intranet zone?
Task 2: Change the Intranet Zone security settings

1.
2.
3.
Change the security settings for the Local intranet zone to High.
Enable Protected Mode for the Local intranet zone.
Close Internet Explorer.
Task 3: Test the security changes

Note: If the Welcome to Internet Explorer 8 dialog box appears, click Ask me later.
1.
2.
3.
4.
Open Internet Explorer.

Navigate to http://nyc-dc1/intranet.
What is the security zone of this Web site?
On the Contoso Intranet Home page, click Current Projects.
5.
Question: Did the web page load successfully?

Question: In Manage Add-ons, can you see the Tabular Data Control Add-on?
Close the Contoso Projects web page.
Task 4: Add the Web site to the Trusted Sites List

Question: What is the current security level for the Trusted sites zone?
Add the http://nyc-dc1 site to the Trusted sites list.
Task 5: Test the Security Zone change

1.
2.
Question: Did the projects list populate?

Question: In Manage Add-ons, can you see a Tabular Data Control Add-on?
8-38
Results: After this exercise, you should have modified Internet Explorer security settings.

following steps:
1.
2.
3.
4.
5.
6.

Repeat these steps for 6420B-NYC-CL1.
8-39
Review Questions
1.
Why is it important to educate your users about your organizations acceptable use policy?
2.
How could you help to reduce the risk that your wireless network is the target of unauthorized packet
sniffing?
3.
What are the risks associated with allowing your users to connect their laptops to Wi-Fi hotspots?
Best Practices for Implementing Defense-in-Depth

Supplement or modify the following best practices for your own work situations:
Create specific rules that help prevent social engineering and educate users on these rules and their
relevance.
Restrict physical access to servers by locking doors and then monitor server room access.
Implement firewalls at network boundaries.
Implement NAT.
Use VPNs and implement network encryption.
Restrict switch ports and wireless access points based on MAC address or client certificates.
Harden operating systems.
Monitor access attempts.
Implement antivirus and anti-spyware software.
Implement host-based firewalls.
8-40
Run applications with the least privileges possible.
Install security updates.
Enable only required features and functionality.
Implement and configure suitable NTFS file system permissions.
Implement file and/or volume encryption.
Implement rights management.
Implementing Windows Server Security
Module 9
Contents:
Lesson 1: Overview of Windows Security
9-3
Lesson 2: Securing Files and Folders
9-17
Lesson 3: Implementing Encryption
9-32
9-45
9-1
9-2
Module Overview
As organizations expand the availability of network data, applications, and systems, it becomes more
challenging to ensure network infrastructure security. Security technologies in the Windows Server 2008
R2 operating system enable organizations to provide better protection for their network resources and
organizational assets in increasingly complex environments and business scenarios. This module reviews
the tools and concepts available for implementing security within a Microsoft Windows infrastructure.
Objectives
Describe the features in Windows Server 2008 R2 that help improve your networks security.
Explain how to secure files and folders within a Windows Server environment.
Explain how to use the encryption features provided by Windows Server 2008 R2 to secure access to
resources.
Lesson 1
Overview of Windows Security
Windows Server 2008 R2 includes numerous features that provide different methods for implementing
security. These features combine together to form the core of Windows Server 2008 R2s security
functionality. Understanding these features and their associated concepts as well as being familiar with
their basic implementation is critical to maintaining a secure environment.
Objectives
Describe authentication and authorization.
Describe User Account Control (UAC).
Describe file and shared folder permissions.
Describe account lockout and password policies.
Describe Fine-Grained Password Policies.
Describe auditing features.
Describe encryption.
9-3
9-4
What Are Authentication and Authorization?
Key Points
Windows Server 2008 R2 security at the user level is centered around user accounts, which are typically
identified by a username and verified with a password. The username and password combination allows a
user to gain access to network resources as specified by the user accounts permissions. This process is
typically broken down into two components: authentication and authorization.
Authentication
Authentication is the process of confirming that something is authentic. Authentication distinguishes
legitimate users from uninvited guests, and is the most visible and fundamental concept in security. In
private and public computer networks (including the Internet), the most common authentication method
used to control access to resources involves verification of a users credentials; that is, a username and a
password.
However, the username and password combination is only the most basic form of authentication. Other
mechanisms and tools can also be used in the Windows Server 2008 R2 environment to add multiple
layers to the authentication process to ensure that users identities on your network are legitimate and
secure. Some of the key mechanisms available include:
Smart Cards. A smart card refers to a card-shaped device that contains specific digital information, in
most cases used to specifically identify an individual. Smart cards can be used as an additional means
of security when combined with a username and password. For example, an organization may issue
smart cards to administrative users, requiring them to use a username and password as well as the
smart card to log in when using accounts with elevated administrative permissions. This combination
provides an extra measure of security for the usage of those accounts.
Biometrics. The term biometrics refers to the measuring of an unchanging physical or behavioral
characteristic to uniquely identify a given person. Fingerprints are the most common form of
implemented biometrics. Other possibilities include facial recognition, iris scanning, and voice
recognition. Biometrics are most commonly used in conjunction with a username and password to
provide an added measure of security in environments where highly sensitive data is involved.
9-5
Biometrics can also be used as the sole means of authentication, and, due to the personal nature of
authentication, are considered more secure than smart cards.
Public key infrastructure (PKI). PKI refers to the infrastructure required to use mathematically related
digital keys in the process of encrypting and decrypting data. PKI will be covered in more detail
later in this module.
Remote Authentication Dial-In User Service (RADIUS). Windows Server 2008 R2 contains support for
RADIUS, a widely supported networking protocol that provides centralized management of
authentication over multiple systems. RADIUS is most typically used to unify remote authentication to
multiple, disparate systems. For example, an organization may use a virtual private network (VPN)
server from Company A, be given access to network segments via routers from Company B and also
be given access to Windows-based services and applications, all with one username and password.
Authorization
Authorization is the process of determining whether an identified user is permitted access to a resource
and what the appropriate level of access is for that user. This could include authorization to read a file,
authorization to modify file and folder properties, authorization to delete a file or folders, or a
combination of these or many other permissions.
Authorization has two main components within Windows Server.
The initial definition of permissions for system resources by the owner of a specific resource or a
system administrator
The subsequent checking of permission values by the system or application when a user attempts to
access a system resource
It is important to note that it is possible to have authorization (access to resources) without first providing
authentication (entering a username and password). This occurs many times in modern computing. For
example, when you access a Web page on the Internet, you are accessing the resources on that Web
server (pages, graphics, etc.) without providing any type of authentication to the Web server.
9-6
What Is UAC?
Key Points
Administrative accounts carry with them a large degree of security risk. When an administrative account is
logged in, its privileges allow access to the entire Windows system, including the registry, system files and
configuration settings. As long as an administrative account is logged in, the system is vulnerable to attack
and has the potential to be compromised.
UAC provides a method by which all users can be aware of the way their account privileges are being
used on the computer.
UAC in Windows Server 2008 R2

By default, both standard users and administrators access resources and run applications in the security
context of a standard user.
The UAC prompt provides a way for a user to elevate his or her status from a standard user account to
an administrator account without logging off or switching users, or using Run As and creates a more
secure environment for the running and installing of applications.
When an application requires administrator-level permission, UAC notifies you as follows:
If you are an administrator, you can click Yes to elevate your permission level and continue. This
process of requesting approval is known as Admin Approval Mode.
Note: In Windows Server 2008 R2, the built-in Administrator account does not run in Admin
Approval Mode. This results in no UAC prompts when using the local Administrator account.
If you are not an administrator, the username and password for an account that has administrative
permissions needs to be entered. Providing administrative credentials temporarily gives you the
administrative privileges required to complete the task. After the task is complete, your permissions
are returned back to those of a standard user.
9-7
This process of notification and elevation of privileges makes it so that even if you are using an
administrator account, changes cannot be made to your computer without you knowing about it, which
can help prevent malicious software (malware) and spyware from being installed on or making changes to
your computer.
UAC will allow certain system-level changes to occur without prompting, even when logged on as a local
user:
Install updates from Windows Update.
Install drivers from Windows Update or those that are packaged with the operating system.
View Windows settings.
Pair Bluetooth devices with the computer.
Reset the network adapter and perform other network diagnostic and repair tasks.
Modifying UAC Behavior

The UAC notification experience can also be modified within the Windows Server 2008 R2 control panel
to adjust the frequency and behavior of UAC prompts.
UAC can also be configured using Group Policy. The following Group Policy object (GPO) settings can be
configured for UAC:
Administrator Approval Mode for the built-in Administrator account.
Behavior of the elevation prompt for administrators in Admin Approval Mode.
Behavior of the elevation prompt for standard users.
Detect application installations and prompt for elevation.
Only elevate executables that are signed and validated.
Only elevate UIAccess applications that are installed in secure locations.
Run all administrators in Admin Approval Mode.
Switch to the secure desktop when prompting for elevation.
Virtualize file and registry write failures to per-user locations.

Note: By default, UAC is not configured or enabled in Server Core installations of Windows Server
2008 R2.
9-8
File and Folder Permissions
Key Points
The files and folders stored on a server can contain many different forms of data. As an administrator, you
may not want all users on the network to be able to perform certain operations on specific files and
folders. Once authenticated, a user in Windows Server 2008 R2 is given authorization to access such files
and folders through file and folder permissions.
Two main categories of permissions exist in Windows Server 2008 R2.
NTFS file system file and folder permissions. NTFS permissions are assigned to files and folders on
NTFS volumes and govern the access given to users who attempt to access the files. NTFS permissions
are assignable to individual or sets of files and folders.
Shared folder permissions. When a local folder is shared or made accessible to the rest of the
network, a separate set of permissions are assigned to the folder that control users accessing the files
from a network location. Shared folder permissions are assignable only to a folder or group of folders,
not to individual files.
Combined permissions. Shared folder permissions are combined with the NTFS file and folder
permissions to provide a two-level set of permissions for that specific folder when accessed over the
network.
Note: Both NTFS file and folder permissions and shared folder permissions have a variety of access
levels that can be granted or denied to a specific user or group of users. These levels will be covered
in detail later in this module.
Question: How do shared folder permissions affect access to local NTFS files and folders?
9-9
Account Lockout and Password Policies
Key Points
The security provided by a password system depends on the passwords being kept secret at all times.
Thus, a password is vulnerable to compromise whenever it is used, stored, or even known. In passwordbased authentication, this vulnerability presents a significant risk to system security.
You can help protect your system by customizing password policy settings, including requiring users to
change their password regularly, specifying a minimum length for passwords, and requiring passwords to
meet certain *complexity requirements.
A domains password policy settings are controlled by a number of GPO settings related to accounts and
passwords.
You can help protect your computer or domain by customizing your password policy settings, including
requiring users to change their password regularly, specifying a minimum length for passwords, and
requiring passwords to meet certain complexity requirements.
Policy
What it does
Best practice
Password must meet

complexity
requirements
Requires that passwords:

Be at least six characters long.
Contain a combination of at least
three of the following characters:
uppercase letters, lowercase letters,
numbers, symbols (punctuation
marks).
Do not contain the user's user name
or screen name.
Enable this setting. These

complexity requirements can help
ensure a strong password. Strong
passwords are more difficult to
crack than those containing simple
letters or numbers.
Enforce password
history
Prevents users from creating a new

password that is the same as their
Use a number that is greater than 1.

Enforcing password history ensures
9-10
Policy
What it does
Best practice
current password or a recently used

password. To specify how many
passwords are remembered, provide a
value. For example, a value of 1 means
that only the last password will be
remembered, and a value of 5 means
that the previous five passwords will be
remembered.
that passwords that have been

compromised are not used over and
over.
Maximum password
age
Sets the maximum number of days that a

password is valid. After this number of
days, the user will have to change the
password.
Set a maximum password age of 3070 days. Setting the number of days
too high provides hackers with an
extended window of opportunity to
crack the password. Setting the
number of days too low might be
frustrating for users who have to
change their passwords too
frequently.
Minimum password
age
Sets the minimum number of days that

must pass before a password can be
changed.
Set the minimum password age to

at least
1 day. By doing so, you require that
the user can only change their
password once a day. This will help
to enforce other settings. For
example, if the past five passwords
are remembered, this will ensure
that at least five days must pass
before the user can reuse their
original password. If the minimum
password age is set to 0, the user
can change their password six times
on the same day and begin reusing
their original password on the same
day.
Minimum password
length
Specifies the fewest number of

characters a password can have.
Set the length between eight and 12

characters (provided that they also
meet complexity requirements). A
longer password is more difficult to
crack than a shorter password,
assuming the password is not a
word or common phrase.
Store passwords using

reversible encryption
Stores the password using encryption

that can be reversed in order for certain
applications to verify the password.
Do not use this setting unless you

use a program that requires it,
enabling this setting decreases the
security of stored passwords.
In addition, another group of GPO settings governing account lockout policies are available to control
what actions are taken by the operating system if a user repeatedly fails to enter a valid password when
logging on to the system. These are known as Account Lockout Policy settings.
Policy
What it does
Best practice
Account lockout
Specifies the number of failed
A setting between 3 and 5 will allow for
9-11
Policy
What it does
Best practice
threshold
login attempts allowed before

reasonable user error as well as limiting repeated
the account is locked out. For
login attempts for malicious purposes.
example, if the threshold is set to
3 the account will be locked out
after a user enters incorrect login
information three times.
Account lockout
duration
Allows you to specify a

timeframe, in minutes, after
which the account will
automatically unlock and resume
normal operation. If you specify
0 the account will be locked out
indefinitely until an
administrator manually unlocks
it.
Once the threshold has been reached and the

account is locked out, the account should remain
locked long enough to block or deter any
potential attacks, but short enough not to
interfere with productivity of legitimate users. A
duration of 30 to 90 minutes should work well in
most situations.
Reset account
lockout counter
after
Defines a timeframe for counting

the incorrect login attempts. If
the policy is set for one hour and
the account lockout threshold is
set for three attempts, a user can
enter the incorrect login
information three times within
one hour. If they enter the
incorrect information twice, but
get it correct the third time the
counter will reset after one hour
has elapsed (from the first
incorrect entry) so that future
failed attempts will again start
counting at one.
Using a timeframe between 30 and 60 minutes is

sufficient to deter automated attacks as well as
manual attempts by an attacker to guess a
password.
Note: Account Policy settings can be accessed by clicking on the Start button, clicking Run and
typing secpol.msc into the Open dialog box.
Question: What would be the effect on a users account if they entered their password incorrectly fives
times between 10:00AM and 10:25AM with the following settings applied to their account:
Account lockout threshold: 4
Account lockout duration: 60 minutes
Reset account lockout After: 30 minutes.
9-12
Fine-Grained Password Policies
Key Points
In an Active Directory Domain Services (AD DS) environment, standard password and account lockout
policies are applied to the entire domain. This behavior may not be desired by organizations that require
different password and account lockout policies for different users or groups.
Fine-grained password policies provide the solution to this issue. Fine-grained password policies allow an
administrator to apply multiple, unique password policies to multiple users or groups within the same
domain.
Individual fine-grained password policies are each stored within their own Active Directory object called a
Password Settings object (PSO). All PSOs are stored within a parent container called a Password Settings
Container (PSC). PSO stores policy information regarding password and account lockout policy settings
are mentioned in the previous topic.
Passwords must meet the following complexity requirements:
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Store passwords using reversible encryption
Account lockout duration
Account lockout threshold
Reset account lockout after
A PSO can be linked to one or more AD DS users or global security groups. Once linked, the setting
defined within that PSO will apply to the linked users to groups.
Note: A PSO may not be linked to an Active Directory organizational unit (OU), only to AD DS users
and groups.
9-13
9-14
Auditing Features
Key Points
Auditing is the process that tracks user activity by recording selected events in a security log. Auditing
provides a recorded log of access and activity, allowing an administrator to determine whether or not
resources are being accessed and utilized appropriately and according to policy. Auditing logs the
following information regarding system activity:
What occurred?
Who did it?
When did the event occur?
What was the result?
The most common types of events to audit are:
Access to objects, such as files and folders.
Management of user and group accounts.
Users logging on and off the system.

Note: For example, you may want to monitor which users are accessing a specific document file and
what type of operations they are performing on it (read, write, change permissions, etc.). When
auditing is enabled within Windows for file and folder objects, you can configure auditing on the
document file to record information for each time a user accesses the document in any way.
9-15
Data Encryption Features
Key Points
Windows Server 2008 R2 provides features that provide both file and volume-level encryption.
Encrypting File System (EFS)

EFS provides core file level encryption for files and folders stored on NTFS volumes. EFS supports industry
standard encryption algorithms and smart cardbased encryption. By default, users generate self-signed
encryption keys which allow for both the encryption and decryption of files or folders. Other users cannot
view the contents of the files unless the key is made available to them.
EFS allows users to quickly and conveniently encrypt files or folders containing sensitive data, knowing the
data will be secure regardless of file or folder permissions granted.
While EFS provides for the encryption of file contents, it does not encrypt file metadata such as file name,
file size, file extension type or assigned permissions.
BitLocker
BitLocker Drive Encryption is a system built into Windows Server 2008 R2 that provides for encryption of
the entire operating system volumes as well as additional data volumes.
BitLocker-to-Go provides for the encryption of removable data drives like universal serial bus (USB) flash
drives or portable hard drives.
Bitlocker utilizes keys for encryption in similar fashion to EFS, but provides for more options for key
management. Users can store encryption keys on a removable USB drive, incorporate passkeys or
incorporate a special hardware feature called Trusted Platform Module (TPM) to ensure that an encrypted
volume only allows for decryption while attached to a specific system.
BitLockers features are designed to be simple to implement and allow for transparent file system access
once fully configured.
9-16
Comparing BitLocker and EFS

The following table compares BitLocker and EFS encryption functionality:
BitLocker functionality
EFS functionality
Encrypts volumes (the entire operating system volume, including

Windows system files and the hibernation file)
Encrypts files
Does not require user certificates
Requires user certificates
For example, EFS is used to protect individual files and folders that belong to a specific user, such as
sensitive documents. The encryption process is commonly initiated by the user as well.
BitLocker, on the other hand, is used to encrypt entire volumes or hard disks and is useful for ensuring
that the data on a disk in a server cannot be read in case it is removed and placed in another server.
9-17
Lesson 2
Securing Files and Folders
Ensuring data integrity and security is a fundamental aspect of a Windows Server 2008 R2
implementation. The assignment of proper permissions to users and groups for the resources they require
access to is the first level of data security in a Windows Server environment.
This lesson covers the configuring of permissions, best practices for maintaining permissions functionality
and auditing file and folder access to ensure that configured permissions are operating effectively.
Objectives
Describe the available file and folder permissions on NTFS volumes.
Describe inheritance.
Describe shared folder permissions.
Explain how NTFS and shared folder permissions combine.
Implement best practice when sharing and securing files.
Secure shared files.
Describe file auditing.
Audit file access.
9-18
NTFS File and Folder Permissions
Key Points
NTFS file and folder permissions specify which users, groups, and computers can access files and folders
on an NTFS volume. NTFS permissions also dictate what users, groups, and computers can do with the
contents of the file or folder.
There are two types of NTFS permissions:
Standard. Standard permissions are the most commonly used permissions.
Special. Special permissions provide a finer degree of control for assigning access to files and folders;
however, special permissions are more complex to manage than standard permissions.
Standard File and Folder Permissions

The following table lists the standard NTFS file and folder permissions. You can choose whether to allow
or deny each of the permissions.
File permissions
Description
Full Control
This gives complete control of the file/folder and control of permissions.
Modify
This gives read and write access.
Read and Execute
Allows a file to be read and programs can be started.

Allows folder content to be seen and programs can be started.
Read
This give read only access.
Write
Allows file content to be changed and files can be deleted.

Allows folder content to be changed and files can be deleted.
Special permissions
Allows custom permissions configuration.
9-19
Note: Groups or users granted Full Control on a folder can delete any files in that folder regardless of
the permissions protecting the file.
To modify NTFS permissions, you must be given the Full Control NTFS permission for a folder or file. The
one exception is for file and folder owners. The owner of a file or folder can modify NTFS permissions
even if they do not have any other current NTFS permissions. Administrators can always take ownership of
files and folders to make modifications to NTFS permissions.
Special File and Folder Permissions

Special permissions give you a finer degree of control for assigning access to files and folders. However,
special permissions are more complex to manage than standard permissions. The following table defines
the special permissions that can be assigned for each file and folder:
File permissions
Description
Traverse
Folder/Execute File
The Traverse Folder permission applies only to folders. This permission allows or
denies the user from moving through folders to reach other files or folders, even
if the user has no permissions for the traversed folders. Traverse Folder takes
effect only when the group or user is not granted the Bypass Traverse Checking
user right. The Bypass Traverse Checking user right checks user rights in the
Group Policy snap-in. By default, the Everyone group is given the Bypass
Traverse Checking user right.
The Execute File permission allows or denies access to program files that are
running.
If you set the Traverse Folder permission on a folder, the Execute File permission
is not automatically set on all files in that folder.
List Folder/Read Data
The List Folder permission allows or denies the user from viewing file names and
subfolder names in the folder. The List Folder permission applies only to folders
and affects only the contents of that folder. This permission is not affected if the
folder that you are setting the permission on is listed in the folder list. Also, this
setting has no effect on viewing the file structure from the command-line
interface.
The Read Data permission applies only to files and allows or denies the user from
viewing data in files.
Read Attributes
The Read Attributes permission allows or denies the user from viewing the
attributes of a file or folder, such as read-only and hidden attributes. Attributes
are defined by NTFS.
Read Extended
Attributes
The Read Extended Attributes permission allows or denies the user from viewing
the extended attributes of a file or folder. Extended attributes are defined by
programs and can vary by program.
Create Files/Write Data The Create Files permission applies only to folders and allows or denies the user
from creating files in the folder.
The Write Data permission applies only to files and allows or denies the user
from making changes to the file and overwriting existing content by NTFS.
Created
Folders/Append Data
The Create Folders permission applies only to folders and allows or denies the
user from creating folders in the folder.
The Append Data permission applies only to files and allows or denies the user
from making changes to the end of the file but not from changing, deleting, or
overwriting existing data.
9-20
File permissions
Description
Write Attributes
The Write Attributes permission allows or denies the user from changing the
attributes of a file or folder, such as read-only or hidden. Attributes are defined
by NTFS.
The Write Attributes permission does not imply that you can create or delete
files or folders; it includes only the permission to make changes to the attributes
of a file or folder. To allow or to deny Create or Delete operations, see Create
Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and
Delete.
Write Extended
Attributes
The Write Extended Attributes permission allows or denies the user from
changing the extended attributes of a file or folder. Extended attributes are
defined by programs and can vary by program.
The Write Extended Attributes permission does not imply that the user can
create or delete files or folders; it includes only the permission to make changes
to the attributes of a file or folder. To allow or to deny Create or Delete
operations, view the Create Files/Write Data, Create Folders/Append Data,
Delete Subfolders and Files, and Delete sections in this article.
Delete Subfolders and

Files
The Delete Subfolders and Files permission applies only to folders and allows or
denies the user from deleting subfolders and files, even if the Delete permission
is not granted on the subfolder or file.
Delete
The Delete permission allows or denies the user from deleting the file or folder. If
you have not been assigned Delete permission on a file or folder, you can still
delete the file or folder if you are granted Delete Subfolders and Files
permissions on the parent folder.
Read Permissions
Read permissions allows or denies the user from reading permissions about the
file or folder, such as Full Control, Read, and Write.
Change Permissions
Change Permissions allows or denies the user from changing permissions on the
file or folder, such as Full Control, Read, and Write.
Take Ownership
The Take Ownership permission allows or denies the user from taking ownership
of the file or folder. The owner of a file or folder can change permissions on it,
regardless of any existing permissions that protect the file or folder.
Synchronize
The Synchronize permission allows or denies different threads to wait on the

handle for the file or folder and synchronize with another thread that may signal
it. This permission applies only to multiple-threaded, multiple-process programs.
Note: When assigning both standard and special NTFS permissions, permissions set to Deny typically
override permissions set to Allow.
To configure NTFS file and folder permissions, follow these steps:
1.
2.
3.
4.
Right-click on the file or folder to which you want to assign permissions and click Properties.
Click on the Security tab to view existing permissions.
To modify standard permissions, click the Edit button.
To modify special permissions, click the Advanced button.
9-21
Permissions Inheritance
Key Points
By default, the permissions granted to a parent folder are inherited by its subfolders and files. Permissions
can be inherited only from a direct parent and any files and folders contained within the parent folder will
be assigned the same permissions as the parent folder, even if the parent folders permissions are
modified. Permissions inherited in this manner are referred to as implicit permissions. A folder or file will
always inherit its parent folders permissions unless inheritance is blocked.
When blocking inheritance, the folder for which you block permissions inheritance becomes the new
parent folder, and the subfolders and files that are contained in it inherit the permissions assigned to it. A
folder that has had inheritance blocked will retain its originally inherited permissions as its default
permission set until those permissions are modified. Permissions can be inherited only from a direct
parent. Permissions inherited in this manner are referred to as implicit permissions.
In addition to inherited or implicit permissions, permissions assigned to a file or folder that override that
file or folders inherited permissions are called explicit permissions. Explicit permissions are specifically set
for a given set of files and folders, and behave slightly different when being moved within an NTFS
volume.
To block inheritance for a file or folder, perform the following steps:
1.
2.
3.
4.
5.
6.
Right-click the file or folder to which you want to block inheritance, and then click Properties.
Click the Security tab to view existing permissions.
Click the Advanced button.
In the Permissions window, click the Change Permissions button.
In the Permissions window, uncheck Include inheritable permissions from this objects parent.
Click the Add or Remove button, depending on what permissions you want assigned to the blocked
folder.
9-22
Copying vs. Moving Files

When you copy or move a file or folder, the permissions might change, depending on where you move
the file or folder. You should understand the changes that the permissions undergo when they are copied
or moved.
Copying a File
When you copy a file or folder from one folder to another folder, or from one partition to another
partition, the following rules apply:
Within a single NTFS partition, the copy of the folder or file inherits the permissions of the destination
folder.
To a different NTFS partition, the copy of the folder or file inherits the permissions of the destination
folder.
To a non-NTFS partition, such as a file allocation table (FAT) partition, the copy of the folder or file
loses its NTFS permissions, because non-NTFS partitions do not support NTFS permissions.
Moving a File
When you move a file or folder, the following rules apply:
Within the same NTFS partition, the folder or file keeps its original permissions. If the permissions of
the new parent folder are changed later, the file or folder will inherit the new permissions.
Permissions explicitly applied to the folder will be retained. Permissions previously inherited will be
lost.
To a different NTFS partition, the folder or file inherits the permissions of the destination folder. When
you move a folder or file between partitions, the Windows Server 2008 operating system copies the
folder or file to the new location and then deletes it from the old location.
To a non-NTFS partition, the folder or file loses its NTFS permissions, because non-NTFS partitions do
not support NTFS permissions.
9-23
Shared Folder Permissions
Key Points
When you share a folder, it is made available over the network. In order to ensure appropriate access to
the files is granted, shared folder permissions must be applied.
Shared folder permissions apply only to users who connect to the folder over the network. They do not
restrict access to users who access them locally on the computer where the folder is stored. You can grant
shared folder permissions to user accounts, groups, and computer accounts.
By default, a shared folder is already protected by the NTFS permissions applied to that specific folder.
The following table lists the options available for shared folder permissions. You can choose whether to
allow or deny each of the permissions.
File permissions
Description
Read
Read permission allows users to view folder and file names, and file data and
the attributes of files. Users are also able to access the shared folder's
subfolders, and run program files and scripts.
Change
Users that are granted the Change permission can perform all of the functions
granted by the Read permissions as well as create and delete files and
subfolders. Users are also able to change file attributes, change the data in
files, and append data to files.
Full Control
Users that are granted the Full Control permission can perform all the tasks
enabled by the Change permissions as well as take ownership of files, and
change file permissions.
The shared folder permissions above are available through Windows Server 2008 R2s Advanced Sharing
properties, found in the folders Properties dialog box. A more simplified set of permissions (Read or
Read/Write) can be assigned by right-clicking on the folder and selecting Share, which brings up the File
Sharing dialog box.
9-24
Note: As with NTFS permissions, when assigning shared folder permissions, permissions set to Deny
typically override permissions set to Allow.
9-25
Evaluating Combined, Shared and Local Permissions
Key Points
When a shared folder is created on a partition formatted with the NTFS file system, both the shared folder
permissions and the NTFS file system permissions are combined to protect file resources. NTFS file system
permissions apply whether the resource is accessed locally or over a network, but they are filtered against
the share folder permissions.
So, when accessing a shared folder over the network, a user must have the appropriate permissions
granted on a shared folder to gain access to the files and folders within that folder. Once it has been
determined that the user has been granted access through the shared folder permissions, the users access
to the specific NTFS file(s) or folder(s) is checked against the users NTFS permissions. If both the shared
folder permissions and the NTFS permissions allow the type of access that the user is attempting on the
files, access is granted.
When you grant shared folder permissions on an NTFS volume, the following rules apply:
By default, the Everyone group is granted the shared folder permission Read.
Note: If the guest user account is enabled on your computer, the Everyone group includes anyone.
According to best practice, remove the Everyone group from any permission lists and replace it with
the Authenticated Users group.
Users must have the appropriate NTFS file system permissions for each file and subfolder in a shared
folder in addition to the appropriate shared folder permissions to access those resources.
When NTFS file system permissions and shared folder permissions are combined, the resulting
permission is the most restrictive one of the effective shared folder permissions or the effective NTFS
file system permissions.
9-26
The share permissions on a folder apply to that folder, to all files in that folder, to subfolders, and to
all files in those subfolders.
The following analogy can be helpful in understanding what happens when you combine NTFS and share
permissions. When dealing with a shared folder, you must always go through the shared folder to access
its files over the network. Therefore, you can think of the shared folder permissions as a filter that only
allows users to perform actions on its contents that are acceptable to the share permissions. All NTFS
permissions that are less restrictive than the share permissions are filtered out so that only the share
permission remains.
For example, if the share permission is set to Read, then the most you can do when accessing the share
over the network is read the contents, even if individual NTFS file permission is set to Full Control. If
configuring the share permission to Modify, then you are allowed to read or modify the shared folder
contents. If the NTFS permission is set to Full Control, then the share permissions filter the effective
permission down to just Modify.
9-27
Considerations for Securing Files and Folders
Key Points
When you are managing access to resources using NTFS file and folder permissions and shared folder
permissions, consider the following best practices:
Use the most restrictive permissions possible. Do not grant more permissions for a file or folder than
the users legitimately require. For example, if a user only has to read the files in a folder, grant Read
permission for the folder to the user or group to which the user belongs.
Avoid assigning permissions to individual users. Use groups whenever possible. Because it is
inefficient to maintain user accounts directly, avoid granting permissions to individual users.
Use restrictive shared folder permissions only when necessary. To avoid complicated combined
permissions scenarios, use NTFS file and folder permissions to restrict or grant access as much as
possible. NTFS file and folder permissions offer much more precise control over user access and
always apply to file and folder security, whether being accessed locally or over the network.
Use Deny permissions with caution. Deny permissions always override Allow permissions and can
result in users being mistakenly restricted access to files or folders.
Remember that Full Control lets users modify permissions. Assign Full Control permissions with
caution, as any change in existing permissions could potentially affect security.
Use the Authenticated Users or the Domain Users group instead of the Everyone group (if present)
from the shared folders permissions list. The Everyone group includes guest users. Using the
Authenticated or Domain Users groups limits file or folder access to only authenticated users, and
prevents users or viruses from accidentally deleting or damaging files.
Be conscious of explicitly set permissions and the effects of blocked inheritance. When assigning
permissions to a parent folder, be aware that some subfolders and files might have inheritance
blocked and explicit permissions specified. In this case, such subfolders and files will not inherit the
parent folders permissions when changes are made.
9-28
You can use the Effective Permissions tool to evaluate the permissions assigned to a user or group for
a specific file or folder. Effective Permissions allows you to select users or groups and then shows you
the effective permissions for those users or groups according to all of the permissions set on the
specific file or folder. You use the following steps to reach the Effective Permissions tool:
1.
2.
3.
Right-click on the file or folder you wish to evaluate and click Properties.
In the Properties dialog box, click the Security tab and then click the Advanced button.
In the Advanced Security Settings dialog box, click the Effective Permissions tab.
Demonstration: How to Secure a Shared Folder
In this demonstration, you will see how to create a folder, secure it using NTFS permissions, share the
folder and further secure it with shared folder permissions.
1.
2.
3.
Create a new folder.

Assign NTFS permissions to the new folder.
Share the new folder and assign shared folder permissions
9-29
9-30
File Auditing
Key Points
Securing files and folders with permissions will only help protect data; they will not tell you who deleted
important data or who was trying to access files and folders inappropriately. To track who accessed files
and folders and what they did, you must configure auditing for file and folder access. Every
comprehensive security strategy should include auditing.
Configuring file and folder auditing in Windows Server 2008 is a two part process:
1.
2.
Enabling audit object policy in GPO in Group Policy. This setting can be reached by running
secpol.msc from a command prompt or from the Run command on the Start menu. Once in Local
Security Policy, expand Local Policy and click Audit Policy.
Once Audit object access has been enabled in Local Security Policy, auditing must be enabled for any
files and users you want to audit. These settings can be reached by navigating to the Properties
window for the folder you want to audit, selecting the Security tab, clicking the Advanced button
and selecting the Auditing tab in the Advanced Security Settings dialog box.
When enabling auditing on a specific folder, the same inheritance rules used by NTFS permissions
and Shared folder permissions apply to the auditing properties. By default, files and folders will inherit
their parents audit settings unless inheritance is blocked or explicitly specified.
Note: Unlike permissions, there is only one method of applying auditing properties; to allow them.
There is no Deny option when configuring auditing properties.
Once configured, file and folder auditing events will be recorded to the Windows security log. This log can
be viewed in Event Viewer, located in the Diagnostics section of Server Manager.
Demonstration: How to Configure File Auditing
In this demonstration, you will see how to configure the Audit object access security policy to audit file
access.
1.
2.
3.
Configure the object access auditing policy to audit file access.

Create a new folder and enable auditing.
Test the object access auditing policy.
9-31
9-32
Lesson 3
Implementing Encryption
In this age of information interconnection, an organizations network may consist of intranets, Internet
sites, and extranetsall of which are potentially susceptible to access by unauthorized individuals who
intend to maliciously view or alter an organizations digital information assets. Therefore, it is important
that you have some means of ensuring that your organizations data and communications are secure. To
make your communication secure, it is important for you to understand the fundamentals of the systems
that make secure data possible.
Objectives
After completing this lesson, students will be able to:
Describe a digital certificate.
Describe a PKI.
Describe how digital certificates are used.
Describe how EFS helps to ensure file privacy.
Describe how to share files encrypted with EFS.
Describe how to encrypt Offline Files using EFS.
Describe how BitLocker protects entire drives.
9-33
What Are Digital Certificates?
Key Points
A digital certificate is a physical digital entity that binds a persons or organizations identity to
mathematically related private and public keys for the use of encrypting and decrypting data as well as
verifying the authenticity of the user or organization in relation to the data being exchanged.
A digital certificate makes it possible to verify someone's claim that they have the right to use a given key,
helping to prevent people from using phony keys to impersonate other users. Used in conjunction with
encryption, digital certificates provide a more complete security solution, assuring the identity of all
parties involved in a transaction.
A digital certificate generally contains information about the following:
A user, computer, or network device that holds the private key corresponding to the issued certificate.
The user, computer, or network device is referred to as the owner or subject of the certificate.
A public key of the certificate's associated public and private key pair.
The issuer of the certificate, commonly known as a Certificate Authority (CA).
The issue and expiry dates of the public key associated with the certificate.
The serial number of the digital certificate.
The digital signature of the issuing CA.
The names of the encryption and/or digital signing algorithms supported by the certificate.
Also, a digital certificate may contain additional information, such as the encryption algorithms supported,
the acceptable applications or uses for the certificate or other applicable information.
9-34
What Is a PKI?
Key Points
A PKI enables the distribution and management of digital certificates to users and computers in a secure
and trustworthy manner.
A PKI is a system of components that allow for the authentication and verification of authenticity of each
party involved in digital communication through the use of public key cryptography.
A PKI consists of the following components:
CAs. CAs represent the people, processes and tools used to create digital certificates and securely
bind the users identity to their public keys. Before issuing a digital certificate to a user, a CA will verify
that users identity and the validity of their purpose for obtaining a digital certificate.
A CA will place their digital signature on a certificate, which both verifies that the certificate has come
from a trusted source as well as acting like a tamper-proof seal on the certificate itself, preventing any
attempts to tamper with the digital certificate.
CAs also operate in a hierarchal manner, where CAs that issue certificates may use another, more
widely trusted CA as its parent to maintain the level of trust necessary within a PKI environment.
Certification revocation lists (CRLs). CRLs contain a list of certificates that have been revoked or
removed from a CA prior to the certificates expiry date.
Certificate and CA management tools. When a Windows Server 2008 R2 server is configured as a CA,
a specific set of tools are available to create and manage certificates, manage CRLs and perform
maintenance on different aspects of the PKI environment.
Certificates. Digital certificates are the primary item of circulation in a PKI. A PKI exists primarily for
the proper management of these certificates.
9-35
How Are Digital Certificates Used?
Key Points
In modern cryptography, data is encrypted and decrypted using a key which contains the information
necessary for performing the encryption or decryption. A key is a piece of physical data, and may be
protected by a password or attached to a smart card or even a Windows users account.
In the simplest form of data encryption, data is both encrypted and decrypted using the same key. This
method of using the same key for both encryption and decryption is known as symmetric encryption.
Symmetric encryption works very well when the same user is both encrypting and decrypting the data.
However, when the user encrypting the data is different than the user who is decrypting the data and
especially if the encryption and decryption process must happen on different computers or networks,
symmetric encryption becomes more problematic. In this case, the user encrypting the data must find
some way to make the key available to the user decrypting the data. Anytime the key is exchanged
between users, it becomes vulnerable to being intercepted and compromised.
The use of digital certificates introduces an alternative to the shortcomings of symmetric encryption. Data
exchange using a digital certificate uses asymmetric encryption. When using asymmetric encryption, a pair
of mathematically related keys is used to encrypt or decrypt data. One of the keys, commonly referred to
as the private key, is held by an individual. A second key, the public key, is attached to the digital
certificate, which can be digitally requested at any time. With this form of encryption, either the private or
public key can be used to encrypt the data. Then, the opposite key is used to decrypt the data.
For example, in the above diagram, data at the Contoso Ltds Web server is encrypted using Contoso,
Ltds private key and SSL encryption. The resultant encrypted data is sent out over the public Internet to
the Web client who is accessing the information on the server. Since the data has encrypted using
Contoso Ltds private key, the Web client can be assured that the information is coming from Contoso,
Ltds and is genuine.
Alternatively, data sent from the client to the server, such as personal or financial information, is first
encrypted using SSL and Contoso Ltds public key attached to the digital certificate. The user can be
9-36
assured that encrypted information is safe in transit because only Contoso, Ltds private key can decrypt
the data. It is critical for private keys to be secured in order to maintain the integrity of this exchange.
Digital certificates are used for a wide variety of purposes. Depending on the nature of the issuing CA,
certain digital certificates may have a specific level of trust assigned to them. Public, Private and Selfsigned certificates each have individual characteristics that make them suitable for specific
implementations. The following points outline characteristics of Public, Private and Self-signed certificates:
Public CAs typically charge a fee for providing a digital certificate, but the certificate is universally
trusted. Also, public certificates can be used in almost any situation a private certificate is used. Digital
certificates used on the public Internet are most commonly issued by a public CA.
Private certificates allow an organization to manage their certificate issuing process and any number
of certificates can be generated at no cost. This allows an organization with the requirement to issue
many certificates for internal use to use a private CA and not incur the costs associated with a large
number of public certificates. This gives an organization a great deal of control of certificate
management, but requires additional administrative overhead. Private certificates may be used within
an organization to facilitate secure e-mail or the encryption of individuals data.
Self-signed certificates do not require the implementation of a stand alone CA. Rather, the application
itself creates and signs the certificate. This decreases the administrative overhead of maintaining a
private CA and the organization incurs no extra costs. The main drawback however, is that the selfsigned certificate has a very limited valid scope; strictly within the application itself.
Question: In what situations would a public certificate signed by a trusted CA be requested or required?
Question: Why would a private certificate be used instead of a public certificate?
Question: Why would an organization choose to use self-signed certificates over private certificates?
9-37
EFS
Key Points
EFS is the built-in file encryption tool for Windows file systems. A component of the NTFS file system, EFS
enables transparent encryption and decryption of files by using advanced, standard cryptographic
algorithms. Any individual or program that does not possess the appropriate cryptographic key cannot
read the encrypted data. Encrypted files can be protected even from those who gain physical possession
of the computer that the files reside on. Even persons who are otherwise authorized to access the
computer and its file system cannot view the data.
Information technology (IT) professionals must understand that while encryption is a powerful addition to
any defensive plan, other defensive strategies must be used because encryption is not the correct
countermeasure for every threat. However, every defensive weapon, if used incorrectly, carries the
potential for harm. EFS must be understood, implemented appropriately, and managed effectively to
ensure that your experience, the experience of those to whom you provide support, and the data you
want to protect are not compromised.
The following are important basic facts about EFS:
EFS encryption does not occur at the application level but rather at the file-system level; therefore,
the encryption and decryption process is transparent to the user and to the application.
If a folder is marked for encryption, every file created in or moved to the folder will be encrypted.
Applications do not have to understand EFS or manage EFS-encrypted files any differently than
unencrypted files.
If a user attempts to open a file and possesses the key to do so, the file opens without additional
effort on the user's part. If the user does not possess the key, he or she receives an "Access denied"
error message.
File encryption uses a symmetric key that is encrypted with the users public key and stored in the file
header. A certificate with the users public and private keys (known as asymmetric keys) is stored in
the users profile.
9-38
This key pair is bound to a user identity (ID) and made available to the user who has possession of the
user ID and password. The users private key must be available for the file to be decrypted.
If the private key is damaged or missing, even the user that encrypted the file cannot decrypt it. If a
recovery agent exists, then the file may be recoverable. If key archival has been implemented, then
the key may be recovered, and the file decrypted; otherwise, the file may be lost. This encryption
system is commonly referred to as PKI.
The users certificate that contains his or her public and private keys can be archived (for example,
exported to a floppy disk) and kept in a safe place to ensure recovery, if keys become damaged.
The users public and private keys are protected by the user's password. Any user who can obtain the
user ID and password can log on as that user and decrypt that user's files.
Therefore, a strong password policy and strong user education must be a component of each
organization's security practices to ensure the protection of EFS-encrypted files.
EFS-encrypted files do not remain encrypted during transport if saved to or opened from a folder on
a remote server. The file is decrypted, traverses the network in plaintext, and if saved to a folder on
the local drive that is marked for encryption, is encrypted locally. EFS-encrypted files can remain
encrypted while traversing the network if they are being saved to a Web folder using WebDAV.
EFS is only supported on the NTFS file system. If a user moves or copies an encrypted file to a nonNTFS file system, like a floppy disk or USB flash drive formatted with the file allocation table 32-bit
(FAT32) file system, the file will no longer be encrypted.
Note: When users encrypt files in remote shared folders, their keys are stored on the file server.
Managing EFS Certificates

EFS uses public key cryptography to allow the encryption of files. The keys are obtained from the users
EFS certificate. Because the EFS certificates may also contain private key information, they must be
managed correctly.
Users can make encrypted files accessible to other users EFS certificates. If you grant access to another
users EFS certificate, that user can, in turn, make the file available to other users EFS certificates.
Note: EFS certificates are only issued to individual users, not to groups.
EFS in Windows Server 2008 R2

Windows Server 2008 R2 includes a number of new EFS features, including:
Support for Storing Private Keys on Smart Cards. Windows Server 2008 includes full support for
storing users private keys on smart cards. If a user logs onto Windows with a smart card, EFS can also
use the smart card for file encryption.
Administrators can also store their domains recovery keys on a smart card. Recovering files is then as
simple as logging on to the affected machine, either locally or using Remote Desktop, and using the
recovery smart card to access the files.
EFS Rekeying wizard. The EFS rekeying wizard allows users to choose an EFS certificate and then select
and migrate existing files that will use the newly chosen EFS certificate.
9-39
They can also use the wizard to migrate users in existing installations from software certificates to
smart cards. The wizard is also helpful in recovery situations because it is more efficient than
decrypting and re-encrypting files.
New Group Policy Settings for EFS. You can use Group Policy to centrally control and configure EFS
protection policies for the entire enterprise. A number of Group Policy options were added to help
administrators define and implement EFS organizational policies.
Per-User Encryption of Offline Files. You can use EFS to encrypt offline copies of files from remote
servers. When this option is enabled, each file in the offline cache is encrypted with a public key from
the user who cached the file. Thus, only that user has access to the file, and even local administrators
cannot read the file without access to the user's private keys.
Support for AES 256-Bit Encryption. EFS supports industry standard encryption algorithms including
Advanced Encryption Standard (AES). AES uses a 256-bit symmetric encryption key and is the default
EFS algorithm.
9-40
Sharing Files Encrypted with EFS
Key Points
EFS users can share encrypted files with other users on file shares and in Web folders. With this support,
you can give individual users permission to access an encrypted file. The ability to add users is restricted
to individual files. After a file has been encrypted, file sharing is enabled through the user interface. You
must first encrypt a file and then save it before adding more users. Users can be added either from the
local computer or from AD DS and Active Directory if the user has a valid certificate for EFS.
It is important that users electing to share encrypted files keep the following points in mind:
Shared EFS files are not file shares. If authorized users need to access shared EFS files over the
network, a file share or Web folder is required. Alternatively, users can establish remote sessions with
computers that store encrypted files by using Terminal Services.
Any user who is authorized to decrypt a file can authorize other users to access the file. Granting
access is not limited to the file owner. Caution users to share files only with trusted accounts because
those accounts can authorize other accounts. Removing the Write permission from a user or group of
users can prevent this problem, but it also prevents the user or group from modifying the file.
EFS sharing requires that the users who will be authorized to access the encrypted file have EFS
certificates. These certificates can be located in roaming profiles or in the user profiles on the
computer on which the file to be shared is stored, or they can be stored in and retrieved from AD DS
and Active Directory.
EFS sharing of an encrypted file often means that the file will be accessed across the network. It is
best if Web folders are used for encrypted file storage whenever possible.
If a user chooses to remotely access an encrypted file stored on a file share and to authorize other
users to access the file, the authorization process and requirements are the same as on the local
computer. Additionally, EFS must impersonate the user to perform this operation, and all of the
requirements for remote EFS operations on files stored on file shares apply.
If a user chooses to remotely access an encrypted file stored on a Web folder and to authorize other
users to access the file, the file is automatically transmitted to the local computer in ciphertext. The
authorization process takes place on the local computer with the same requirements as for encrypted
files stored locally.
You can authorize individual users to access encrypted files. Perform the following steps to share an
encrypted file with other users:
1.
2.
3.
In Windows Explorer, right-click the encrypted file and then click Properties.
On the General tab, select Advanced.
In the Advanced Attributes dialog box, under Compress or Encrypt Attributes, select Details.
Note: If you select an encrypted folder instead of an encrypted file, the Details button appears
dimmed. You can add users to individual encrypted files but not to folders.
4.
5.
9-41
In the Encryption Details dialog box, click Add.

Add a user from the local computer or from AD DS.
9-42
Offline File Encryption Using EFS
Key Points
Windows Server 2008 R2 supports the local caching of network files for use when the network connection
may not be available. This feature is referred to as Offline Files. With Offline Files, users are able to have
access to the files they need, regardless of the status of their connection to the network.
Offline files are capable of being encrypted using EFS. Encrypting offline files provides an additional level
of security and ensures that the locally cached copies of network files are protected from unauthorized
access, just as they would be if they were encrypted on the network share.
Windows Server 2008 R2 introduces the ability to encrypt offline files on a per user basis, improving upon
the security of encrypted offline files in previous versions of Windows.
Note: Encrypting offline files does not encrypt the network version of the file; it only encrypts the
local copy.
9-43
BitLocker Drive Encryption
Key Points
Windows BitLocker Drive Encryption provides protection for the computer operating system and data
stored on the operating system volume by ensuring that data stored on a computer remains encrypted,
even if the computer is tampered with when the operating system is not running. BitLocker provides a
closely integrated solution in Windows Server 2008 R2 to address the threats of data theft or exposure
from lost, stolen, or inappropriately decommissioned personal computers.
Data on a lost or stolen computer can become vulnerable to unauthorized access when a user either runs
a software attack tool against it or transfers the computers hard disk to a different computer. BitLocker
helps mitigate unauthorized data access by enhancing Windows file and system protections. BitLocker
also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
BitLocker Drive Encryption performs two functions that provide both offline data protection and
system integrity verification:
Encrypts all data stored on the Windows operating system volume (and configured data volumes).
This includes the Windows operating system, hibernation and paging files, applications, and data
used by applications.
BitLocker also provides an umbrella protection for non-Microsoft applications, which benefits the
applications automatically when they are installed on the encrypted volume.
Is configured by default to use a Trusted Platform Module (TPM) to help ensure the integrity of early
startup components (components used in the earlier stages of the startup process), and "locks" any
BitLocker-protected volumes so that they remain protected even if the computer is tampered with
when the operating system is not running.
System Integrity Verification

BitLocker uses the TPM to verify the integrity of the startup process by:
9-44
Providing a method to check that early boot file integrity has been maintained, and to help ensure
that there has been no adverse modification of those files, such as with boot sector viruses or root
kits.
Enhancing protection to mitigate offline software-based attacks. Any alternative software that might
start the system does not have access to the decryption keys for the Windows operating system
volume.
Locking the system when tampered with. If any monitored files have been tampered with, the system
does not start. This alerts the user to the tampering since the system fails to start as usual. In the
event that system lockout occurs, BitLocker offers a simple recovery process.
In conjunction with the TPM, BitLocker verifies the integrity of early startup components, which helps
prevent additional offline attacks, such as attempts to insert malicious code into those components. This
functionality is important because the components in the earliest part of the startup process must be
available unencrypted so that the computer can start.
As a result, an attacker can change the code in those early startup components and then gain access to
the computer, even though the data on the disk was encrypted. Then, if the attacker gains access to
confidential information such as the BitLocker keys or user passwords, BitLocker and other Windows
security protections can be circumvented.
Additionally, BitLocker Drive Encryption technology in Windows Server 2008 R2 is extended from
operating system drives and fixed data drives to include removable storage devices such as portable hard
drives and USB flash drives.
Using BitLocker To Go with Removable Drives

When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer
asset. As more people use removable storage devices, they can lose data without losing a PC. BitLocker To
Go provides enhanced protection against data theft and exposure by extending BitLocker drive
encryption support to removable storage devices such as USB flash drives, and is manageable through
Group Policy.
In Windows Server 2008 R2, users can encrypt their removable media by opening Windows Explorer,
right-clicking the drive, and clicking Turn On BitLocker. They will then be asked to choose a method to
unlock the drive. These options include:
Password. This is a combination of letters, symbols, and numbers the user will enter to unlock the
drive.
Smart card. In most cases, a smart card is issued by your organization and a user enters a smart card
PIN to unlock the drive.
After choosing the unlock methods, users will be asked to print or save their recovery password. This is a
48-digit password that can also be stored in AD DS and Active Directory and used if other unlock
methods fail (for example, when a password is forgotten). Finally, users will be asked to confirm their
unlock selections and to begin encryption.
When you insert a BitLocker-protected drive into your computer, Windows will automatically detect that
the drive is encrypted and prompt you to unlock it.
9-45
Lab Setup
1.
2.
3.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
9-46
Exercise 1: Configuring an Accounts Policy

Scenario
You have been asked to implement a password policy in order to meet the requirements of new Contoso,
Ltd company security policies.
Your supervisor has asked you to configure settings to comply with the following criteria, ensuring that
best practices are used when settings are not specifically defined by company policy.
Best Practices
Passwords must be at least eight characters long.
Password must contain at least three of the four following character types: lowercase letters (a-z),
uppercase letters (A-Z), numbers (0-9),
non-alphanumeric characters (example, ! @ # $).
Passwords must be changed every 60 days.
Users cannot use a password again until five other different passwords have been used.
Users should be locked out of the system after repeated failed logon attempts.

1.
2.
Configure Password Policy settings according to company policy.

Configure Account Lockout Policy settings according to company policy.
Task 1: Configure Password Policy settings

1.
2.
3.
On NYC-DC1, open the Group Policy Managment console.

Edit the Default Domain Policy.
Modify the Password policy settings, updating the appropriate settings with the information above.
Task 2: Configure Account Lockout Policy settings
Modify the Account Lockout Policy settings, updating the appropriate settings with the information
above.
Results: After this exercise, you should have configured Password and Account Lockout settings in
Account Policies.
9-47
Exercise 2: Securing NTFS Files and Folders

Scenario
The Research team at Contoso, Ltd has asked for a new folder to be created on NYC-SVR3 to store
general research information as well as information regarding their projects and special classified
information. They would like this folder and its contents to be fully accessible to the entire Research team,
with the exception of the classified information, which should be unavailable to all members of the
Research team with the exception of Max Stevens, the Research Manager, who should have full access to
classified information. The Research team will access the files and folders exclusively over the network.
You have been asked by your supervisor to create a shared folder structure that satisfies the Research
teams request.
1.
2.
3.
Create the C:\Research folder structure.

Assign appropriate NTFS file and folder permissions to the folder structure.
Share the C:\Research folder on the network and set appropriate shared folder permissions.
Task 1: Create the C:\Research folder structure

1.
2.
On NYC-SVR3, create a new folder called C:\Research.

Create two subfolders in C:\Research named Classified and Projects.
Task 2: Assign appropriate NTFS file and folder permissions to the folder structure
1.
2.
3.
4.
Block inheritance for the C:\Research folder.

Assign the Contoso\Research group Full Control over the C:\Research folder.
Block inheritance for the C:\Research\Classified folder.
Assign only Contoso\Max Full Control over the C:\Research\Classified folder.
Task 3: Share the C:\Research folder on the network and set appropriate shared folder
permissions
1.
2.
Share the C:\Research folder on the network.

Assign Full Control permissions for C:\Research to the Contoso\Research group.
Results: After this exercise, you should have secured NTFS and shared folders.
9-48
Exercise 3: Encrypting Files

Scenario
It has been requested by your supervisor that, on NYC-SVR3, specific files containing sensitive information
in the Classified subfolder of the new Research shared folder be encrypted to prevent unauthorized
access. You have been asked to test encryption on the Classified folder.
1.
2.
3.
Encrypt files and folders using EFS.

Confirm that files are encrypted.
Decrypt files and folders.
Task 1: Encrypt files and folders using Encrypting File System (EFS)
1.
2.
3.
4.
If necessary, log on to NYC-SVR3 as Contoso\Administrator with the password of Pa$$w0rd.

Create a test file called Personal.txt in the C:\Research\Classified folder.
Encrypt the C:\Research\Classified folder and files within it.
Log off of NYC-SVR3.
Task 2: Confirm that files are encrypted

1.
2.
3.
Log on to NYC-SVR3 as Contoso\Max with the password of Pa$$w0rd.

Confirm that the Classified folder and files have been encrypted by attempting to open the
Personal.txt file in the C:\Research\Classified folder. The encrypted file and folder names should
also be listed in green text.
Log off of NYC-SVR3.
Task 3: Decrypt files and folders

1.
2.
Log on to NYC-SVR3 as Contoso\Administrator with the password of Pa$$w0rd.

Decrypt the contents of C:\Research \Classified.
Results: After this exercise, you should have encrypted and decrypted files and folders using EFS.

following steps:
1.
2.
3.
4.
5.
6.

9-49
Review Questions
1.
What is the most efficient way to give several users access to a shared folder with the same
permissions?
2.
What are some of the ways of protecting sensitive data in Windows Server 2008?
Best Practices for UAC
UAC Security Settings are configurable in the local Security Policy Manager (secpol.msc) or the Local
Group Policy Editor (gpedit.msc). However, in most corporate environments, Group Policy is preferred
because it can be centrally managed and controlled. There are nine GPO settings that can be
configured for UAC.
Because the user experience can be configured with Group Policy, there can be different user
experiences, depending on policy settings. The configuration choices made in your environment
affect the prompts and dialog boxes that standard users, administrators, or both, can view.
For example, you may require administrative permissions to change the UAC setting to Always notify
me or Always notify me and wait for my response. With this type of configuration, a yellow
notification appears at the bottom of the User Account Control Settings page indicating the
requirement.
Best Practices for EFS

The following is a list of standard best practices for EFS users:
Users should export their certificates and private keys to removable media and store the media
securely when it is not in use. For the greatest possible security, the private key must be removed
from the computer whenever the computer is not in use. This protects against attackers who
physically obtain the computer and try to access the private key. When the encrypted files must be
accessed, the private key can easily be imported from the removable media.
9-50
Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure that the
personal folder, where most documents are stored, is encrypted by default.
Users should encrypt folders rather than individual files. Programs work on files in various ways.
Encrypting files consistently at the folder level makes sure that files are not unexpectedly decrypted.
The private keys that are associated with recovery certificates are extremely sensitive. These keys must
be generated either on a computer that is physically secured, or their certificates must be exported to
a .pfx file, protected with a strong password, and saved on a disk that is stored in a physically secure
location.
Best Practices for Windows BitLocker

Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from
the hard disk, you must have one of the following:
A computer with TPM.
A removable USB memory device, such as a USB flash drive. If your computer does not have TPM
version 1.2 or higher, BitLocker stores its key on the memory device.
The most secure implementation of BitLocker leverages the enhanced security capabilities of TPM
version 1.2.
On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows
operating system volume. However, this implementation will require the user to insert a USB startup
key to start the computer or resume from hibernation and does not provide the pre-startup system
integrity verification offered by BitLocker that is working with a TPM.
Implementing Network Security
Module 10
Contents:
Lesson 1: Overview of Network Security
10-3
Lesson 2: Implementing Firewalls
10-7
Lesson 3: Network Access Protection
10-23
10-31
10-1
10-2
Module Overview
When you connect your computers to a network, you may expose them to additional security threats. It is
important that you identify possible threats, and implement appropriate Windows network security
features to help to eliminate them.
Objectives
Identify network-based security threats.
Implement Windows Firewall to secure Windows hosts.
Explain how to enforce corporate compliance.
10-3
Lesson 1
Overview of Network Security
There are many network-based security threats. It is important to understand the nature of these threats
and be able to implement appropriate security measures to mitigate them.
Objectives
Describe the security threats that can appear on networks.
Describe common solutions to these threats.
10-4
Network Security Threats
Key Points
There are a variety of network security threats, but they fall into a number of categories. Common
network-based security threats include:
Eavesdropping. An eavesdropping attack occurs when a malicious person captures network packets
being sent and received by workstations connected to your network. Eavesdropping attacks may
result in sensitive data, such as passwords, being compromised which can lead to other, perhaps more
damaging, attacks.
Note: Eavesdropping is also known as sniffing.
Denial-of-service. This attack is intended to limit the function of a network application, or make the
application, or network resource, unavailable. There are numerous ways in which a malicious person
can initiate a denial-of-service attack; often, however, the attacker is aware of vulnerabilities in the
target application that they can exploit in order to render it unavailable.
Port scanning. Applications running on a Transmission Control Protocol/Internet Protocol (TCP/IP)

host use TCP or User Datagram Protocol (UDP) ports to identify themselves. One way in which an
attacker can exploit your network is to query hosts for the ports on which they listen for client
requests; these ports are said to be open. Once an attacker can identify an open port, they can use
other attack techniques to attempt to gain access to your network.
Man-in-the-middle. The malicious attacker uses a computer to impersonate a legitimate host on the
network with which your computers are communicating. The attacker intercepts all of the
communications intended for the destination host. The attacker may wish to view the data in transit
between the two hosts, but can also modify the data in transit.
Hacking. This is a generic term that means any type of network attack.
Question: Has your network been the victim of a malicious attack? What type of attack was it?
10-5
Mitigating Network Security Threats
Key Points
One of the most important things to realize is that attackers look for access into your network using a
variety of tools and techniques. Once they have found a way in, however minor and apparently
innocuous, they can exploit that success, and take the attack further. For this reason, it is important to
implement a holistic approach to network security to ensure that one loophole or omission does not
result in another.
You can use any or all of the following defense mechanisms to help to protect your network from
malicious attack.
Internet protocol security (IPsec). IPsec provides a way to authenticate IP-based communications
between two hosts and, where desirable, encrypt that network traffic.
Firewalls. Firewalls allow or block network traffic based on the type of traffic.
Perimeter networks. A perimeter network is an isolated area on your network to and from which there
is defined network traffic flow. When you need to make network services available on the Internet, it
is inadvisable to connect the hosting servers directly to the Internet. By placing these servers in a
perimeter network, you can make them available to Internet users without letting those users gain
access to your corporate intranet.
Virtual private networks (VPNs). When your users must connect to your corporate intranet from the
Internet, it is important that they do so as securely as possible. The Internet is a public network and
data in transit across it is susceptible to eavesdropping or man-in-the-middle attacks. By
authenticating and encrypting connections between your remote users and your corporate intranet
through the use of a VPN you can mitigate these risks.
Server hardening. By only running the services you need, you can make your servers inherently more
secure. To determine what services you require, you must establish a baseline of security among your
servers. Because it is sometimes difficult to determine precisely which Windows Server services are
required to support the desired functionality, you can use tools such as the Security Configuration
Wizard or the Microsoft Baseline Security Analyzer to help you.
10-6
Intruder detection. While it is important to implement the preceding techniques to help to secure
your network, it is also sensible to monitor your network for signs that it has been attacked. You can
implement intruder detection systems to help you perform this task. You can implement intruder
detection systems on devices at the perimeter of your network such as Internet-facing routers.
10-7
Lesson 2
Implementing Firewalls
A firewall helps protect your computer against access attempts from unauthorized computers that are
located on the Internet. You can implement firewalls using software, hardware, or a combination of both.
Firewalls work on the principle of filtering network traffic based on the characteristics of that traffic, and
then either allowing or blocking the traffic as determined by your configuration.
Objectives
Describe common firewall solutions.
Design a perimeter network.
Describe Windows Firewall.
Describe network location profiles.
Describe configurable settings in Windows Firewall with Advanced Security management console
snap-in.
Implement an inbound rule.
Describe IPsec.
Describe connection security rules.
10-8
Types of Firewall
Key Points
There are four types of firewalls. These are:
Application-layer gateways. Operate at the application layer of the Open Systems Interconnection
(OSI) model. Application-layer gateways proxy requests to or from your network and do not allow
traffic for which you have not defined a proxy. In other words, a Hypertext Transfer Protocol (HTTP)
proxy does not pass File Transfer Protocol (FTP) traffic. Application-layer gateways enable you to
configure Network Address Translation (NAT) traversal filters that can support both IP address and
port translation settings to support specific application layer protocols. This enables applications such
as instant messaging, file transfer, and others to function through your firewall without you needing
to open up multiple specific ports.
Circuit-level gateways. Operate at the session layer of the OSI model and monitor datagrams between
communicating hosts to verify that requested sessions are legitimate. Circuit-level gateways monitor
the TCP hand-shaking process used to establish TCP sessions between hosts to determine if the
session is legitimate. Additionally, information passed from your network to remote hosts appears to
originate from the circuit-level gateway. This is useful in hiding information about your network from
remote hosts.
Packet filters. Operate at the network level of the OSI model and are often implemented as part of a
router. Each packet is filtered and compared with an action list to determine the appropriate action to
take with the packet. Actions include allowing or blocking the packet. Most consumer broadband
routers provide this functionality.
Stateful multilayer inspection. These firewalls combine aspects of the other three firewall types
providing a high level of security. A stateful multilayer inspection firewall examines data at all seven
layers of the OSI model. Unlike other firewalls, stateful multilayer inspection firewalls not only inspect
the packet header, but also inspect the packet payload. Each packet is examined and compared with
example packets to determine the likelihood the packet contains malicious data.
You can install firewalls on hosts, such as Windows Server, or implement firewalls as software in devices
such as routers.
10-9
10-10
What Is a Perimeter Network?
Key Points
In order to make your network applications available to users connected to the Internet, you must publish
these applications. A common way of publishing these applications, while maintaining security, is to use
servers placed in a perimeter network.
There are a number of different ways that you can configure your perimeter network, and these include:
Three-legged firewall. A single device or computer with multiple network interface cards, one of
which is Internet-facing, another of which is connected to the perimeter network, and the remaining
card being connected to the intranet. Software installed on the host is used to create the separation
between the networks. The separation is achieved through filtering on the firewall device so that only
specified traffic is passed between the interfaces designated as public, private, and perimeter. This
solution works well for smaller networks; however, because the firewall device is connected directly to
all three networks, security is compromised compared with other solutions.
Dual back-to-back firewalls. In this scenario, two firewalls are connected in sequence across three
networks: the Internet, your perimeter network, and your corporate intranet. The network to which
both firewalls are connected is the perimeter network. The firewalls are configured to allow only
appropriate traffic to pass between their connected networks. This is a more complex and expensive
solution because it requires additional hardware and software to configure; however, it provides for a
more secure environment and is the configuration of choice for larger networks.
Through the combination of hardware and software, and with appropriate configuration, you should be
able to create a perimeter network with the degree of network isolation that you require, while at the
same time allowing for the necessary communication between devices located in each of the three
networks.
Best Practice
Only deploy services that you specifically need in your perimeter network, and always publish services
where possible, rather than physically deploy servers to the perimeter.
10-11
It is rare for an organization to operate without the need to connect its network infrastructure to the
Internet. At the very least, most organizations use e-mail applications to conduct some elements of their
core business.
Conduct an audit of the network services that you have within your organization and determine which
services must be available to users from the Internet. Then consider how you want to make those services
available. For example, if users require access to their e-mail while they work away from their office,
consider the use of Web-based e-mail solutions because these are often easier to make securely available.
Note: Applications can be configured to use specific TCP ports; indeed, many applications are
configurable to use only HTTP or HTTP Secure (HTTPS). This means that you can configure the
Internet-facing firewall to allow only TCP port 80/443 inbound.
Typical Perimeter Applications

Although not an exhaustive list, the following table helps identify common applications that you might
need to make available in your perimeter network.
Applications Protocols
Comments
E-mail
Post Office Protocol 3 (POP3),

Internet Message Access Protocol
4 (IMAP4), Simple Mail Transfer
Protocol (SMTP), Microsoft Office
Outlook Web Access (HTTPS),
Outlook Anywhere (HTTPS),
Microsoft Exchange ActiveSync
(HTTPS)
Microsoft Exchange Server supports extensive

publishing through the use of ForeFront Threat
Management Gateway (TMG). In addition, the
Exchange Edge Transport server role enables SMTP
relay functionality from the perimeter network.
Web server
HTTP, HTTPS
Place the Web servers directly in the perimeter

network or publish them with ForeFront TMG.
Active
Directory
Domain
Services
(AD DS)
Microsoft Lightweight Directory

Access Protocol (LDAP)
It is inadvisable to place domain controllers in the

perimeter network. If your edge application requires
access to Active Directory domains, consider
deploying Microsoft Active Directory Lightweight
Directory Services (AD LDS) into the perimeter.
Web
HTTPS, Session Initiation Protocol
Conferencing (SIP), Persistent Shared Object
Model (PSOM), Real-time
Transport Protocol (RTP), Realtime Control Protocol (RTCP)
Microsoft Office Communications server supports the

use of edge servers to extend conferencing to
Internet participants. In addition, a ForeFront TMG
server or other reverse-proxy is required to enable
some conferencing features.
Instant
Messaging
SIP is the industry standard protocol used for instant

messaging.
SIP
Question: What services do you make available to users on the Internet?
10-12
What Is Windows Firewall?
Key Points
Windows Firewall is a host-based, stateful firewall included in the Windows Server 2008 R2 operating
system. Windows Firewall helps provide protection from malicious users and programs that rely on
unsolicited incoming traffic to attack computers.
Microsoft first introduced Windows Firewall in the Windows XP with Service Pack 2 (SP2) operating
system. Windows Server 2008 R2 provides significant improvements to Windows Firewall.
In Windows Server 2008 R2, Windows Firewall implements network traffic filtering in both directions
that is, inbound and outbound traffic. By default, Windows Firewall blocks all inbound traffic unless it
either matches a configured rule, or is in response to a request from the local computer. By default,
Windows Firewall allows all outbound traffic, unless it matches a configured rule. You can configure
Windows Firewall by using several different management programs. The choice of which program to use
depends on whether you wish to administer a single computer, or multiple computers. In addition, only
some of the management programs give you access to the more advanced Windows Firewall
configuration settings.
You access the new Windows Firewall with Advanced Security console from Control Panel by selecting
Administrative Tools. You can also access the same configuration settings by using Group Policy. Windows
Firewall with Advanced Security allows you to configure more advanced settings than you could by using
the Windows Firewall Control Panel item.
10-13
Network Location Profiles
Key Points
The first time that your computer connects to a network, you must select a network location. This
automatically sets appropriate firewall and security settings for that type of network. When you are
connecting to networks in different locations, choosing a network location can help ensure that the
computer is always set to an appropriate security level. There are three network locations:
Private networks. Private networks are networks at home or work where you know and trust the
people and devices on the network. When private networks are selected, Network Discovery is turned
on.
Public networks. Public networks are networks in public places. This location keeps the computer from
being visible to other computers. When Public place is the selected network location, Network
Discovery is turned off.
Domain networks. Domain networks are networks at a workplace that are attached to a domain. This
option is used automatically for any network that allows communication with a domain controller.
Network Discovery is on by default.
You can modify the firewall settings for each type of network location from the main Windows Firewall
page. Click Turn Windows Firewall on or off, select the network location, and then make your selection.
You can also choose to modify the following options:
Block all incoming connections, including those in the list of allowed programs
Notify me when Windows Firewall blocks a new problem

Note: Some settings may be managed by your system administrator depending on Group Policy
configurations.
10-14
The Public networks location blocks certain programs and services from running to help protect the
computer from unauthorized access. If you are connected to a Public network and Windows Firewall is
turned on, some programs or services might ask you to allow them to communicate through the firewall
so that they work properly.
10-15
Configuring Windows Firewall with Advanced Security
Key Points
Use the Windows Firewall with Advanced Security Properties page to configure basic firewall
properties for domain, private, and public network profiles. A firewall profile is a way of grouping settings,
including firewall rules and connection security rules. Use the IPsec Settings tab to configure the default
values for IPsec configuration options. The options that you can configure for each of the three network
profiles are:
Firewall State. You can turn the firewall on or off independently for each profile.
Inbound Connections. You can configure to block connections that do not match any active firewall
rules, block all connections regardless of inbound rule specifications, or allow inbound connections
that do not match an active firewall rule.
Outbound Connections. You can configure to allow connections that do not match any active firewall
rules or block outbound connections that do not match an active firewall rule.
Settings. You can configure display notifications, unicast responses, local firewall rules, and local
connection security rules.
Logging. You can configure and enable logging.
Windows Firewall with Advanced Security Rules

Rules are a collection of criteria that define which traffic you will allow, block, or secure with the firewall.
You can configure different types of rules:
Inbound
Outbound
Connection Security
10-16
Inbound Rules
Inbound rules explicitly allow or block traffic that matches criteria in the rule. For example, you can
configure a rule to allow traffic secured by IPsec for Remote Desktop through the firewall, but block the
same traffic if it is not secured by IPsec.
When Windows is first installed, all unsolicited inbound traffic is blocked. To allow a certain type of
unsolicited inbound traffic, you must create an inbound rule that describes that traffic. For example, if you
want to run a Web server, then you must create a rule that allows unsolicited inbound network traffic on
TCP port 80. You can configure the default action that Windows Firewall with Advanced Security takes
whether connections are allowed or blocked when no inbound rule applies.
Outbound Rules
Windows Firewall allows all outbound traffic unless a rule blocks it. Outbound rules explicitly allow or
deny traffic originating from the computer that matches the criteria in the rule. For example, you can
configure a rule to explicitly block outbound traffic to a computer (by IP address) through the firewall, but
allow the same traffic for other computers.
Inbound and Outbound Rule Types

There are four different types of inbound and outbound rules:
Program rules. Program rules can control connections for a program. Use this type of firewall rule to
allow a connection based on the program that is trying to connect. These rules are useful when you
are not sure of the port or other required settings since you only specify the path to the program
executable (.exe) file.
Port rules. Port rules can control connections for a TCP or UDP port. Use this type of firewall rule to
allow a connection based on the TCP or UDP port number over which the computer is trying to
connect. You specify the protocol and individual or multiple local ports.
Predefined rules. Predefined rules can control connections for a Windows experience. Use this type of
firewall rule to allow a connection by selecting one of the programs or experiences from the list.
Network-aware programs that you install typically add their own entries to this list so that you can
enable and disable them as a group.
Custom rules. Custom rules can be configured as needed. Use this type of firewall rule to allow a
connection based on criteria not covered by the other types of firewall rules.
Connection Security Rules

Firewall rules and connection security rules are complementary, and both contribute to a defense-indepth strategy to help protect your computer. Connection security rules secure traffic by using IPsec while
it crosses the network. Use connection security rules to specify that connections between two computers
must be authenticated or encrypted. Connection security rules specify how and when authentication
occurs, but they do not allow connections. To allow a connection, create an inbound or outbound rule.
After a connection security rule is in place, you can specify that inbound and outbound rules apply only to
specific users or computers.
Note: Connection Security Rules are discussed in a separate topic.
Monitoring
Windows Firewall uses the monitoring interface to display information about current firewall rules,
connection security rules, and security associations. The Monitoring overview page displays which profiles
are active (domain, private, or public) and the settings for the active profiles.
Note: When you view the Windows Firewall with Advanced Security snap-in within the Group Policy
Editor snap-in, the Monitoring node does not display. Also keep in mind, The Windows Firewall with
Advanced Security events are available in Event Viewer.
10-17
10-18
Demonstration: How to Use Windows Firewall to Manage Inbound

Network Traffic
Key Points
In this demonstration, you will see how enable an inbound firewall rule.
1.
2.
3.
4.
Verify the correct functionality of ping.

Create a new firewall rule.
Test the rule.
Disable the rule.
10-19
What Is IPsec?
Key Points
IPsec is a framework of open standards for protecting communications over IP networks through
cryptographic security services. IPsec supports:
Network-level peer authentication.
Data origin authentication.
Data integrity.
Data confidentiality.
Replay protection.
You typically use IPsec to attain confidentiality, integrity, and authentication in data transport across
insecure channels. Though its original purpose was to secure traffic across public networks, its
implementations are often used to increase the security of private networks, since organizations are not
always sure if weaknesses in their own private networks are susceptible to exploitation.
IPsec provides the following benefits:
Offers mutual authentication before and during communications.
Forces both parties to identify themselves during the communication process.
Enables confidentiality through IP traffic encryption, and digital packet authentication.
IPsec operates in two modes:
Transport mode. This is the default mode for IPsec. In transport mode, IPsec only encrypts the IP
payload; the IP header is not encrypted. Transport mode should be selected for end-to-end
communications, such as that which occurs between a client and a server computer.
10-20
Tunnel mode. In tunnel mode, IPsec encrypts the IP header and the payload. Tunnel mode is most
useful for communications between two networks when that communication takes place over an
untrustworthy network, such as the Internet.
10-21
Connection Security Rules
Key Points
In earlier Windows versions, managing IPsec policies and managing Windows Firewall were two separate
processes achieved by using different management tools. Windows Server 2008 R2 unites IPsec and
Windows Firewall so that you can manage both IPsec and Windows Firewall policies and rules through a
single interface and set of command-line utilities.
IPsec Integration with Windows Firewall

The advantage of combining IPsec and Windows Firewall is that you can avoid overlapping possibly
conflicting rules and policies, and you can streamline the process of securing your computer against
unauthorized access.
You can configure IPsec with connection security rules in Windows Firewall with Advanced Security. These
rules allow you to associate IPsec rules with Windows Firewall network profiles.
Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec,
you can create connection security rules; however, when you create a connection security rule, this does
not allow the traffic through the Windows Firewall. You must create a firewall rule to do this, if the traffic
is not allowed by the firewalls default behavior. Connection security rules are not applied to programs
and services; they are applied between the computers that make up the two endpoints.
What Are Connection Security Rules?

A connection security rule forces authentication between two peer computers before they can establish a
connection and transmit secure information. Windows Firewall with Advanced Security uses IPsec to
enforce these rules.
Use connection security rules to configure IPsec settings for specific connections between computers.
Windows Firewall with Advanced Security uses the rules to evaluate network traffic, and then blocks or
allows messages based on the criteria you establish in the rules. In some circumstances, Windows Firewall
with Advanced Security blocks the communication. If you configure settings that require security for a
10-22
connection (in either direction) and the two computers cannot authenticate each other, then the
connection is blocked.
The configurable connection security rules are:
Isolation. An isolation rule isolates computers by restricting connections based on credentials such as
domain membership or health status. Isolation rules allow you to implement an isolation strategy for
servers or domains.
Authentication exemption. You can use an authentication exemption to designate connections that
do not require authentication. You can designate computers by specific IP address, an IP address
range, a subnet, or a predefined group such as a gateway.
Server to Server. A server-to-server rule protects connections between specific computers. This type of
rule usually protects connections between servers. When you create the rule, you specify the network
endpoints between which communications are protected. You then designate requirements and the
authentication you want to use.
Tunnel. A tunnel rule allows you to protect connections between gateway computers. You typically
use it when connecting across the Internet between two security gateways. You must specify the
tunnel endpoints by IP address, and then specify the authentication method used.
Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set
up the authentication rules you need by using the other rules available in the New Connection
Security Rule wizard.
Connection Security Rules Settings

When you enable and configure a connection security rule, you must define the following properties:
Requirements. You can select whether the rule requests authentication, requires inbound
authentication, or requires both inbound and outbound authentication.
Authentication methods. You can select between a number of authentication methods; Kerberos,
digital certificates, NTLMv2, and pre-shared key. You can also configure the rule to attempt a number
of different methods in a preferred order.
Profile. Associate the rule with the appropriate network profile. You can select one or all of the
following: domain, private, or public.
Exempt computers. For authentication exemption rules only, define the exempt computers by IP
address, IP address range, or IP subnet.
Endpoints. For server-to-server rules only, define the IP addresses affected by the rule.
Tunnel endpoints. For tunnel rules only, define the tunnel endpoints affected by the rule.
Note: There is a significant difference between connection security rules and IPsec policies. An IPsec
policy can filter traffic to the specific port level, while a connection security rule cannotit only
applies between computers, and not for specific types of traffic between those computers.
10-23
Lesson 3
Network Access Protection
Network Access Protection (NAP) helps to ensure compliance with specific health policies for computers
accessing your network. NAP helps you achieve and maintain a specific health policy. This lesson provides
information about how NAP works, and how to configure NAP.
Objectives
Explain why network compliance is important.
Describe NAP.
Describe the NAP scenarios.
Explain how NAP can control network access.
Configure NAP with DHCP.
10-24
Why Is Network Compliance Important?
Key Points
If computers connect to your network without protection from viruses, malware, and other network-borne
security threats, their security may be compromised which in turn could compromise the security of other
computers on your network. It is important to ensure that all computers connecting to your network are
up-to-date with security updates, are running antivirus and anti-malware software which is up-to-date,
and have a suitably configured firewall running.
While it is relatively straightforward to ensure desktop computers that remain connected to only your
corporate intranet are compliant with these requirements, it is less easy with roaming computers or
computers that connect to your network from unmanaged networks such as those of a business partner
or the home networks of your users.
NAP in the Windows Server 2008 R2 operating system provides a way for you to manage network
compliance through the use of network health policies.
10-25
What Is Network Access Protection?
Key Points
NAP provides components to help you enforce health requirement policies for network access and
communication. NAP allows you to create policies for validating computers that connect to your network,
and to provide required updates or access to required health update resources while limiting the access or
communication of noncompliant computers. You can customize your health maintenance solution to:
Monitor computers accessing your network for health policy compliance. The health policy may
include checks for:
Up-to-date antivirus patterns.
Appropriate firewall status.
Up-to-date malware protection.
Windows Update settings.
Update computers with software updates to meet health policy requirements.
Limit access for computers that do not meet health policy requirements, to a restricted network.
Although NAP helps you automatically maintain the health of your networks computers, which in turn
helps maintain your networks overall integrity, NAP does not protect your network from malicious users.
For example, if a computer has all of the software and configuration settings that the health policy
requires, then the computer is compliant and has unlimited network access; however, NAP does not
prevent an authorized user with a compliant computer from uploading a malicious program to the
network, or engaging in other inappropriate behavior.
NAP Functions
NAP has three important and distinct functions:
Health state validation. When a computer attempts to connect to the network, the NAP health policy
server validates the computers health state against the health-requirement policies that you define.
10-26
You also can define what to do if a computer is not compliant. In a monitoring-only environment, the
NAP health policy server validates the health state of all computers, and then logs the compliance
state of each computer for subsequent analysis. In a limited-access environment, computers that
comply with the health-requirement policies have unlimited network access. Computers that do not
comply with health-requirement policies may have their access limited to a restricted network.
Health policy compliance. You can help ensure compliance with health requirement policies by
automatically updating noncompliant computers with missing software updates and configuration
changes. You can do this by using management software, such as Microsoft System Center
Configuration Manager 2007. In a monitoring-only environment, computers have network access
before they are updated with required updates or configuration changes. In a limited access
environment, noncompliant computers have limited access until the updates and configuration
changes are complete. In both environments, computers that are compatible with NAP can become
compliant automatically, and you can define exceptions for computers that are not NAP-compatible.
Limited access. You can protect your network by limiting noncompliant computers access. You can
base limited network access on a specific time limit, or on what the noncompliant computer can
access. In the latter case, you define a restricted network containing health update resources, and the
limited access lasts until the noncompliant computer becomes compliant. You also can configure
exceptions, so computers that are not compatible with NAP do not have their network access limited.
10-27
NAP Scenarios
Key Points
NAP provides a solution for the common scenarios described in this section. Depending on your needs,
you can configure a solution to address any or all of these scenarios for your network.
Roaming Laptops
Portability and flexibility are two primary laptop advantages, but these features also present a health
threat. Users frequently connect their laptops to other networks. While laptops are away from your
organization, they might not receive the most recent software updates or configuration changes.
Additionally, exposure to unprotected networks, such as the Internet, may introduce security-related
threats to the laptops. NAP allows you to check any laptops health state when it reconnects to the
organizations network, whether through a virtual private network (VPN) connection, or the workplace
network connection.
Desktop Computers
Although desktop computers usually do not leave the company building, they still can present a threat to
your network. To minimize this threat, you must maintain these computers with the most recent updates
and required software. Otherwise, these computers are at risk of infection from Web sites, e-mail, files
from shared folders, and other publicly accessible resources. NAP allows you to automate health state
checks to verify each desktop computers compliance with health-requirement policies. You can check log
files to determine which computers do not comply. Additionally, using management software allows you
to generate automatic reports, and to automatically update noncompliant computers. When you change
health-requirement policies, computers can be provisioned automatically with the most recent updates.
Visiting Laptops
Organizations frequently need to allow consultants, business partners, and guests to connect to their
private networks. The laptops that these visitors bring into your organization might not meet system
health requirements, and can present health risks. NAP enables you to determine which visiting laptops
10-28
are noncompliant, and limit their access to restricted networks. Typically, you would not require or
provide any updates or configuration changes for visiting laptops. You can configure Internet access for
visiting laptops, but not for other organizational computers that have limited access.
Unmanaged Home Computers

Unmanaged home computers that are not a member of the companys Active Directory domain can
connect to a managed company network through VPN. Unmanaged home computers provide an
additional challenge, because you cannot physically access these computers. Lack of physical access
makes enforcing compliance with health requirementssuch as the use of antivirus softwaremore
difficult. However, NAP enables you to verify the health state of a home computer every time it makes a
VPN connection to the company network, and to limit its access to a restricted network until it meets
system health requirements.
10-29
NAP Enforcement Methods
Key Points
Components of the NAP infrastructureknown as enforcement clients and enforcement serversrequire
health state validation, and enforce limited network access for noncompliant computers. The Windows 7
operating system, the Windows Vista operating system, the Windows XP with SP3 operating system, the
Windows Server 2008 operating system, and Windows Server 2008 R2 include NAP support for the
following network access or communication methods:
IPsec-protected traffic. With IPsec enforcement, a computer must be compliant to initiate

communications with other compliant computers.
Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated network connections. With
IEEE 802.1X enforcement, a computer must be compliant to obtain unlimited network access through
an IEEE 802.1X-authenticated network connection, such as to an authenticating Ethernet switch, or an
IEEE 802.11 wireless access point (AP).
Remote access VPN connections. With VPN enforcement, a computer must be compliant to obtain
unlimited network access through a remote access VPN connection.
Dynamic Host Configuration Protocol (DHCP) address configurations. With DHCP enforcement, a
computer must be compliant to obtain unlimited access to Internet Protocol version 4 (IPv4) address
configuration from a DHCP server. For noncompliant computers, network access is restricted with an
IPv4 address configuration that limits access to the restricted network.
These network access or communication methods are known as NAP enforcement methods. You can use
them separately or together to limit noncompliant computer access or communication. A server that is
running Network Policy Server (NPS) in Windows Server 2008the replacement for Internet
Authentication Server (IAS) in Windows Server 2003acts as a health policy server for all of these NAP
enforcement methods.
Question: Which of the NAP enforcement types would best suit your company? Can you see your
organization using multiple NAP enforcement types? If so, which ones?
10-30
Demonstration: How to Configure NAP with DHCP Enforcement
Key Points
In this demonstration, you will see how to enable an inbound firewall rule.
1.
2.
3.
4.
5.
6.
7.
Install the Network Policy Server role.

Configure DHCP.
Configure System health validators.
Create health policies.
Create network policies.
Configure client settings.
Test NAP.
10-31
Lab Setup
1.
2.
3.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Ed Meadows has asked you to improve network security on domain-attached computers. He has supplied
the requirements in an e-mail message. You must read the requirements and then implement them on a
client computer.
Charlotte Weiss
From: Ed Meadows [Ed@contoso.com]
Sent:
18 June 2010 13:14
To:
Subject: Improving network security
Charlotte,
10-32
Ive got some concerns about network security. Id like to prevent attackers from using ping.exe on our
network. As you know, by using ping.exe, malicious attackers can determine whether servers are online
and may be able to exploit additional weaknesses on those servers with other tools.
Additionally, I want to make sure that only clients that are running antivirus software can connect to the
network. Can you implement these changes?
Thanks
Ed
Exercise 1: Configuring Windows Firewall with Advanced Security

Scenario
You must implement a firewall rule that blocks inbound ICMPv4 traffic to prevent malicious attackers
using ping.exe on the Contoso, Ltd network.
1.
2.
3.
4.
Test network connectivity with Ping.

Configure a new firewall rule.
Test the rule.
Disable the new rule.
Task 1: Test network connectivity with Ping

1.
2.
3.
Switch to the NYC-DC1 computer.

On NYC-DC1, open a command prompt.
Ping NYC-CL1.
Question: Are you successful?
Task 2: Configure a new firewall rule

1.
2.
3.

On NYC-CL1, open Windows Firewall with Advanced Security.
Create a new Inbound Rule using the following information to complete the process:
a.
b.
c.
d.
e.
f.
g.
Rule Type: Custom

Program: All Programs
Protocol type: ICMPv4
Scope: Default value
Action: Block the connection
Profile: Default value
Name: Contoso ICMPv4 Rule
Question: From the monitoring node, under Firewall, can you see the new rule?
Task 3: Test the rule
Switch back to the NYC-DC1 computer.

Question: Can you ping NYC-CL1?
Task 4: Disable the new rule

1.
2.
3.
4.
5.

In Windows Firewall with Advanced Security, click Inbound Rules.
Disable the Contoso ICMPv4 Rule.
Close Windows Firewall with Advanced Security.
Switch back to NYC-DC1.
Question: Can you ping NYC-CL1?
Results: After this exercise, you should have created and tested an inbound firewall rule.
10-33
10-34
Exercise 2: Configuring Compliance with NAP

Scenario
You must now implement NAP for DHCP enforcement to achieve the second objective of ensuring that
client computers that connect to the network must be running antivirus software.
1.
2.
3.
4.
5.
6.
7.
8.
9.
Install the Network Policy Server role.

Configure the DHCP Server role.
Configure the System Health Validator.
Disable unessential network policies.
Create required health policies.
Create the required network policies.
Configure client NAP settings.
Configure client to obtain and IPv4 address dynamically.
Test NAP.
Task 1: Install the Network Policy Server role

1.
2.
3.
4.

Add the Network Policy and Access Services role.
Install only the Network Policy Server role service.
Task 2: Configure the Dynamic Host Configuration Protocol (DHCP) Server role
1. Open DHCP from Administrative Tools.
2.
3.
4.
5.
6.
7.
8.
9.
View the Properties of the scope.

On the Network Access Protection tab, select Enable for this scope.
In the navigation pane, click Scope Options.
Right-click Scope Options, and then click Configure Options.
On the Advanced tab, in the User class list, select Default Network Access Protection Class.
In the Available Options list, configure the 006 DNS Servers option with an IP address of
10.10.0.10.
Configure the 015 DNS Domain Name String value with restricted.contoso.com.
Close DHCP.
Task 3: Configure the System Health Validator

1.
2.
3.
4.
On NYC-SVR2, open Network Policy Server from Administrative Tools.

In the navigation pane, expand Network Access Protection, expand System Health Validators,
expand Windows Security Health Validator, and then click Settings.
In the Results pane, double-click Default Configuration.
In the Windows Security Health Validator dialog box, clear all check boxes except An antivirus
application is on, and then click OK.
Note: Configure only the settings for Windows 7/Windows Vista clients.
10-35
Task 4: Disable unessential network policies

1.
In the Network Policy Server console, in the navigation pane, expand Policies and then click
Network Policies.
In the Results pane, right click each of the two listed policies, and for each one, click Disable.
2.
Task 5: Create required health policies

1.
2.
In the navigation pane, click Health Policies.

Create a new health policy with the following properties:
3.
Policy name: Healthy Client
Client SHV checks: Client passes all SHV checks
Health validator: Windows Security Health Validator.
Create a new health policy with the following properties:
Policy name: Un-Healthy Client
Client SHV checks: Client fails one or more SHV checks
Health validator: Windows Security Health Validator
Task 6: Create the required network policies

Note: Due to the relative complexity of this process, these steps are a duplicate of those in the Lab
Answer Key.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
In the navigation pane, click Network Policies.

Right-click Network Policies and then click New.
In the New Network Policy wizard, on the Specify Network Policy Name and Connection Type
page, in the Policy name box, type Healthy Unrestricted Client and click Next.
On the Specify Conditions page, click Add.
In the Select condition dialog box, click Health Policies and then click Add.
In the Health Policies dialog box, in the Health policies list, click Healthy Client and then click OK.
On the Specify Conditions page, click Next.
On the Specify Access Permission page, click Next.
On the Configure Authentication Methods page, clear all check boxes, select the Perform
machine health check only check box and then click Next.
On the Configure Constraints page, click Next.
On the Configure Settings page, in the Settings list, click NAP Enforcement.
In the Results pane, click Allow full network access and then click Next.
On the Completing New Network Policy page, click Finish.
page, in the Policy name box, type Un-healthy Restricted Client and click Next.
In the Health Policies dialog box, in the Health policies list, click Un-Healthy Client and then click
OK.
10-36
21. On the Configure Authentication Methods page, clear all check boxes, select the Perform
22. On the Configure Constraints page, click Next.
23. On the Configure Settings page, in the Settings list, click NAP Enforcement.
24. In the Results pane, click Allow limited access and then click Next.
25. On the Completing New Network Policy page, click Finish.
Task 7: Configure client NAP settings

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Run napclcfg.msc.
Enable the DHCP Quarantine Enforcement Client.
Close napclcfg.msc.
Run services.msc.
Configure the Network Access Protection Agent for Automatic startup and then manually start it.
Close services.msc.
Run mmc.exe.
Add the Group Policy Object Editor snap-in to the console using the defaults.
In the console tree, expand Local Computer Policy/Computer Configuration
/Administrative Templates/Windows Components/Security Center.
11. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
12. Close the console.
Task 8: Configure client to obtain an IPv4 address dynamically

1.
2.
3.
4.
Click Start, and in the Search box, type Network and in the Control Panel (28) list, click Network
and Sharing Center.
In Network and Sharing Center, in the left-pane, click Change adapter settings.
Configure the adapter to:
a.
b.
Obtain an IP address automatically.

Obtain DNS server address automatically.
Note: Configure Internet Protocol Version 4 (TCP/IPv4).
Task 9: Test NAP

1.
2.
3.
4.
On NYC-CL1, open a command prompt.

Type ipconfig /release and press ENTER.
Type ipconfig /renew and press ENTER.
Type ipconfig /all and press ENTER.
Question: What is your Connection-specific DNS Suffix?
Question: What is your Quarantine State?
Results: After this exercise, you should have enabled NAP with DHCP enforcement.

following steps:
1.
2.
3.
4.
5.
6.
10-37
10-38
Review Questions
1.
2.
3.
Why is it important to publish services to the perimeter rather than connect servers directly to the
Internet?
If you wanted to ensure that only domain computers could communicate with other domain
computers, how could you easily achieve this with Windows Firewall?
You have implemented NAP in your organization, but are surprised when a computer from a visiting
organization is responsible for a virus outbreak, despite meeting your organizations health
requirements. Should you be surprised?
Best Practices
Do not make it easy to connect to your network; if someone can plug a laptop into your network and
access your intranet, you could face serious problems.
Install antivirus and anti-malware software.
Keep security software up-to-date.
Implement firewalls.
Publish services to your perimeter network.
Encrypt network communication.
Restrict switch ports and wireless access points based on media access control (MAC) address or client
certificates.
10-39
Tools
Tool
Use for
Where to find it
Server Manager
Add roles
Start Menu
DHCP
Manage DHCP server
Network Policy Server
Manage NAP and network
policies
mmc.exe
Creating custom management Command-line or Run

tools by adding snap-ins
Ping.exe
Testing network connectivity
Command-line
Windows Firewall with

Advanced Security
Managing inbound,
Control Panel
Services.msc
Manage services
Command-line or Run
Napclcfg.msc
Manage NAP client settings
Command-line or Run
outbound, and IPsec rules
10-40
Implementing Security Software
Module 11
Contents:
Lesson 1: Client Protection Features
11-3
Lesson 2: E-Mail Protection
11-13
Lesson 3: Server Protection
11-20
11-29
11-1
11-2
Module Overview
Computers are now, more than ever, interconnected. The Internet is accessible from almost anywhere a
user takes a computer, and corporate networks are accessible from a users home through remote access.
Communication among networks is continuous. Critical and private information is routinely sent out via email, and the number of e-mail messages received by users continues to increase. Private corporate
networks are now almost always connected in some way to the public Internet and a great deal of
available server-oriented software requires, or at least recommends Internet access.
As the extent of connectivity increases, so to does the risk of some manner of compromise to the
computer or network connected. Malicious code, unauthorized use and data theft are all risks that need
to be accounted for and mitigated by an information technology (IT) administrator.
Objectives
Implement Windows Server technologies and features to improve client security.
Describe security threats posed by e-mail and how to mitigate these threats.
Explain how to improve server security using Windows Server security analysis and hardening tools.
11-3
Lesson 1
Client Protection Features
As client operating systems get more advanced and security threats increase, more mitigating features are
being built into the operating system as a first line of defense. Building defenses into the operating
system, however, is not meant to be the sole method used to secure your client infrastructure. Client
protection features provide further methods to protect your client infrastructure, providing a safer
infrastructure as a whole.
With the release of the Windows Server 2008 R2 operating system there are a few built-in technologies
that have been modified and other new features added in order to help you to enhance the security of
your desktop infrastructure, which is in constant communication with your network.
This lesson will introduce you to these technologies and explain how they can be used within your
environment to help enhance the security and integrity of your client infrastructure.
Objectives
Describe Software Restriction Policies (SRPs).
Describe AppLocker.
Describe how to use AppLocker rules.
Configure AppLocker.
Describe the differences between SRP and AppLocker.
11-4
What Are Software Restriction Policies?
Key Points
One of the primary security concerns for client computers is the current applications available on each
computer. In order to do their jobs, users need access to the applications that meet their specific needs.
There is also the possibility, however, that unneeded or unwanted applications get installed on the client
computers, whether unintentionally or for malicious or non-business purposes.
Introduced in the Windows XP operating system and the Windows Server 2003 operating system, SRPs
allow an administrator to identify and specify which applications are permitted to run on client
computers. SRP settings are configured and deployed to clients using Group Policy. An SRP set is
comprised of the following key components.
Rules
Rules govern how SRP responds to an application being run or installed. Rules are the key constructs
within an SRP and a group of rules together determine how an SRP will respond to applications being
executed. Rules can be based on one of the following criteria which apply to the primary executable file
for the application in question.
Hash. A cryptographic fingerprint of the file.
Certificate. A software publisher certificate used to digitally sign a file.
Path. The local or Universal Naming Convention (UNC) path of where the file is stored.
Zone. The Internet Zone.
Security Levels
Each applied SRP is assigned a security level that governs the way the operating system reacts when the
application that is defined in the rule is executed. The three available security levels are explained in the
following points.
Disallowed. The software identified in the rule will not run, regardless of the access rights of the user.
Basic User. Allows the software identified in the rule to run as a standard, non-administrative user.
Unrestricted. Allows the software identified in the rule to run unrestricted by SRP.
11-5
Default Security Level

The way a system behaves in general is determined by the Default Security Level, which governs how the
operating system reacts to applications without any SRP rules defined. The following three points outline
a system default behavior, based on the Default Security Level applied in the SRP.
Disallowed. No applications will be allowed to run unless an SRP rule is created that allows each
specific application or set of applications to run.
Basic User. All applications will run under the context of a basic user, regardless of the permissions of
the user that is logged in unless an SRP rule is created to modify this behavior for a specific
application or set of applications.
Unrestricted. All applications will run as if SRP was not enabled, unless specifically defined by an SRP
rule.
Based on these three components, there are two primary ways to use SRPs.
If an administrator knows all of the software that should be allowed to run on clients, the Default
Security Level could be set to Disallowed. All applications that should be allowed to run can be
identified in SRP rules that would apply either the Basic User or Unrestricted security level to each
individual application, depending on the security requirements.
If an administrator does not have a comprehensive list of the software that should be allowed to run
on clients, the Default Security Level could be set to Unrestricted or Basic User, depending on security
requirements. Any applications that should not be allowed to run could then be identified using SRP
rules which would use a security level setting of Disallowed.
Software Restriction Policy settings can be found in Group Policy in the following location: Computer
Configuration\Windows Settings\Security Settings\Software Restriction Policies.
Note: Software Restriction Policies are not enabled by default in Windows Server 2008 R2.
11-6
What Is AppLocker?
Key Points
Applocker (introduced in the Windows 7 operating system and Windows Server 2008 R2) provides a
number of enhancements which improve upon the functionality previously provided by SRP. AppLocker
provides administrators with a variety of methods for quickly and concisely determining the identity of
applications that they may want to restrict or permit access to.
AppLocker is applied through Group Policy to computer objects within an organizational unit. As well,
individual AppLocker rules can be applied to individual Active Directory Domain Services (AD DS) users
or groups.
AppLocker also contains options for monitoring or auditing the application of rules, both as rules are
being enforced and in an audit-only scenario.
AppLocker can help organizations prevent unlicensed or malicious software from executing, and can
selectively restrict ActiveX controls from being installed. It can also reduce the total cost of ownership by
ensuring that workstations are standardized across their enterprise and that users are running only the
software and applications that are approved by the enterprise.
Specifically, the following scenarios provide examples of where AppLocker can be used to provide some
level of application management.
Your organization implements a policy to standardize the applications used within each business
group, so you need to determine the expected usage compared to the actual usage.
The security policy for application usage has changed, and you need to evaluate where and when
those deployed applications are being accessed.
Your organization's security policy dictates the use of only licensed software, so you need to
determine which applications are not licensed or prevent unauthorized users from running licensed
software.
11-7
An application is no longer supported by your organization, so you need to prevent it from being
used by everyone.
A new application or a new version of an application is deployed, and you need to allow certain
groups to use it.
Specific software tools are not allowed within the organization, or only specific users have access to
those tools.
A single user or small group of users needs to use a specific application that is denied for all others.
Some computers in your organization are shared by people who have different software usage needs.
AppLocker is available in the following editions of Windows:
Windows Server 2008 R2 Standard operating system
Windows Server 2008 R2 Enterprise operating system
Windows Server 2008 R2 Datacenter operating system
Windows Server 2008 R2 for Itanium-based Systems operating system
Windows 7 Ultimate operating system
Windows 7 Enterprise operating system

Note: Applocker is not enabled by default in Windows Server 2008 R2.
11-8
AppLocker Rules
Key Points
Like SRP, AppLocker uses a rule-based implementation. Rules are the main component used to control
application execution and provide the foundation for a secure application control environment.
AppLocker Rules are created in the Group Policy Editor interface and provide a number of easy to use
wizards to configure and establish your AppLocker environment.
Default Rules
AppLocker contains a small set of default rules designed to ensure key operating systems. Specifically, the
default rules enable the following:
All users to run files in the default Program Files directory.
All users to run all files signed by the Windows operating system.
Members of the built-in Administrators group to run all files.
Creating Rules
Rules are comprised of the following elements.
Permissions. The permissions setting determines how AppLocker will affect the application defined in
the rule. There are two settings for permissions.
Allow. Allow specifically allows the application to run.
Deny. Deny specifically denies the application to run.
In addition, the Permissions area contains the option to specify users or groups to apply the rule to.
Conditions. The Conditions settings provide the details around the actual application definition for
the rule. There are three conditions from which to select.
11-9
Publisher. Publisher identifies the application based on a number of variables contained within
the software publishers digital signature. This condition can only be used if the application you
wish to identify has been digitally signed by its publisher.
Path. Path allows you to specify a specific file or folder path where the applications executable
file resides. If a folder is selected, the rule being defined will apply to all files contained in the
folder.
File hash. File hash identifies the applications executable file based on file hash of the executable.
File hash is most commonly selected when the application selected has not been digitally signed
by its publisher.
In addition, the Conditions section provides the option to add exceptions based on the condition used or
another of the conditions. For example, a rule created using the Publisher may allow all applications that
have been digitally signed the publisher Microsoft. In addition, an exception may be created based on a
Path condition to restrict applications found in a specific folder.
Name. A descriptive name can be provided to allow for easy identification and sorting of multiple
AppLocker rules.
11-10
Demonstration: How to Configure AppLocker
Key Points
In this demonstration you will see how to configure AppLocker.
1.
2.
3.
Create a new AppLocker Rule.

Enable enforcement AppLocker Rules.
Confirm the enforcement of an AppLocker Rule.
11-11
SRP vs. AppLocker
Key Points
While SRPs have been included in Windows Server 2008 R2 and Windows 7 for backwards compatibility
purposes, AppLocker provides a number of enhancements over SRP. AppLocker is the recommended tool
for providing application management when working within a Windows Server 2008 R2 and Windows 7
environment. AppLocker provides a more simplified and streamlined implementation and interface than
SRP while also enabling a greater measure of control and flexibility when creating and implementing
Rules.
AppLocker Benefits vs. SRP

When implementing SRPs in previous Windows versions, it was particularly difficult to create policies that
were secure and remained functional after software updates were applied. This was due to the lack of
granularity of certificate rules and the fragility of hash rules that became invalid when an application
binary was updated. To address this issue, AppLocker enables you to create a rule that combines a
certificate and a product name, file name, and file version. This simplifies your ability to specify that
anything signed by a particular vendor for a specific product name can run.
Certificate rules in SRP allow you to trust all software signed by a specific publisher; however, AppLocker
gives you much greater flexibility. When creating publisher rules, you can trust the publisher, and also drill
down to the product level, the executable level, and even the version.
For example, with SRP, you can create a rule that affectively reads Trust all content signed by Microsoft.
With AppLocker, you further refine the rule to specify: Trust the Microsoft Office 2007 Suite if it is
signed by Microsoft and the version is greater than 12.0.0.0.
The AppLocker enhancements over the SRP feature can be summarized as follows:
The ability to define rules based on attributes derived from a files digital signature, including the
publisher, product name, file name, and file version. SRP supports certificate rules, but they are less
granular and more difficult to define.
11-12
A more intuitive enforcement model; only a file that is specified in an AppLocker rule is allowed to run.
A new, more accessible user interface that is accessed through a new Microsoft Management Console
(MMC) snap-in extension to the Group Policy Management Console snap-in.
An audit-only enforcement mode that allows administrators to determine which files will be prevented
from running if the policy were in effect.
The following table outlines other key differences between AppLocker and SRPs.
Feature
SRP
AppLocker
Rule scope
Specific user or group (per

Group Policy object [GPO])
Specific users or groups (per rule)
Rule conditions provided
File hash, path, certificate,

registry path, Internet zone
File hash, path, publisher
Rule types provided
Allow and Deny
Allow and Deny
Default Rule action
Allow and deny
Implicit Deny
Audit only mode
No
Yes
Wizard to create multiple rules at No

one time
Yes
Policy import or export
No
Yes
Rule collection
No
Yes
Windows PowerShell support
No
Yes
Custom error messages
No
Yes
Implementing AppLocker and SRPs

Prior to Windows Server 2008 R2 and Windows 7, Windows operating systems were only able to use SRP
rules. In Windows Server 2008 R2 and Windows 7, you can apply SRP or AppLocker rules, but not both.
This allows you to upgrade an existing implementation to Windows 7 and still take advantage of the SRP
rules defined in group policies.
However, if Windows Server 2008 R2 or Windows 7 have both AppLocker and SRP rules applied in a
group policy, then only the AppLocker rules are enforced and the SRP rules are ignored.
When you add a single AppLocker rule in Windows Server 2008 R2 or Windows 7, all processing of SRP
rules stops. Therefore, if you are replacing SRP rules with AppLocker rules, then you must implement all
AppLocker rules that you require at one time. If you implement the AppLocker rules incrementally, then
you will lose the functionality provided by SRP rules that have not yet been replaced with corresponding
AppLocker rules.
Note: SRP is still the standard method to restrict software usage in versions of Windows prior to
Windows Server 2008 and Windows 7.
Question: Why must AppLocker rules be defined in a GPO separate from SRP rules?
11-13
Lesson 2
E-Mail Protection
One of the major threats today is the introduction of malicious code into a corporate network. Malicious
code can be extremely detrimental to the proper functionality of the corporate network and the creators
of malicious code are becoming increasingly inventive in finding new ways to introduce this code into an
environment.
One of the most common and effective methods of getting malicious code into an environment is
through e-mail. Due to its widespread use, necessity for organizational functionality as well as the
inherent trust of the delivery mechanism, e-mails carrying some form of malicious code continue to be a
problem for IT administrators.
This lesson will introduce you to various methods for mitigating the threat of unsafe e-mail activity within
a number of different areas in a corporate network environment.
Objectives:
Describe common e-mail threats.
Describe the possible server solutions to these threats.
Describe possible client-based solutions.
11-14
Common E-Mail Security Threats
Key Points
A large amount of todays e-mail messages are unwanted or unsolicited. Even as
e-mail filtering systems become more intelligent in the way they analyze and block these types of
messages, the perpetrators of these illegitimate e-mails are coming up with new ways to get around the
protection provided. The most common threats of e-mail today are:
Spam
Spam is usually an unsolicited e-mail that arrives in your inbox, typically sent as part of a bulk junk e-mail
operation. E-mail addresses are harvested or collected in various methods, most commonly by extracting
addresses from internet forums and postings. These addresses are then used to target users to purchase
goods and services that may or may not be valid. Often spammers will include propaganda to make the
e-mail look more valid than it actually is, and viruses are sometimes present in spam e-mails.
Phishing
One form of spam is called phishing. Phishing is an attempt to gather what is usually sensitive information
from a user. The most common form of phishing is to request to harvest key security information and
bank details from a user by diverting them to a falsified Web site. Over the years phishing attacks have
increased. It is an easy way to gain access to reusable information without having to continually spam the
user trying to get them to purchase goods or services. Windows Server 2008 R2, Windows 7, and Windows
Internet Explorer (IE) 8 (the default browser) includes a phishing filter which checks against
known falsified Web sites commonly trying to gather information from unsuspecting users.
Spoofing
Spoofing is another common threat wherein the sender attempts to mask or hide their identity as if they
were someone else. Spoofing makes an e-mail from User A to User B allow User A to essentially identify
themselves as anyone they would like to be, rather than simply being User A.
11-15
Viruses
A virus is a piece of malicious code that will copy itself and then expand in some way shape or form.
Usually it sends itself out in a piece of spam or by taking control of other computers and trying to infect
them as well. The term virus has become a catch-all term referring to traditional viruses, wherein there
was not a reason other than to exploit code. But now the term includes malware, adware and spyware,
and all programs which infect machines. Many viruses will perform malicious activity on an infected
computer, such as data theft or disabling of essential applications.
11-16
Server-Side Solutions
Key Points
To protect from the various levels of threats that exist within the confines of e-mail infrastructure, several
methods and layers of protection are required to effectively keep the threat of e-mail-based attacks at an
acceptable level.
In a server environment, several general methods exist that combine to decrease the threat of unwanted
e-mail or e-mail server activity.
Content Filtering
Content filtering is a method commonly used to identify spam e-mail. Typically, either software installed
on a server or a dedicated device is responsible for intercepting e-mail either to (most common) or from
the e-mail server. The contents of the e-mail are then checked against an existing database or catalog of
known spam-related terms or patterns. E-mail messages that appear to be spam are either deleted or sent
to a quarantine area, preventing them from reaching their intended destination.
Sender and Recipient Filtering

Similar to content filtering, sender and recipient filtering selectively filters incoming or outgoing e-mail
messages. With send and recipient filtering, however, the filtering process is dependent on a relatively
static database of senders and/or recipients that can be filtered. There are two types of sender and
recipient filtering.
Blocklist filtering identifies e-mail addresses that are known to be associated with unwanted activity.
E-mails coming from blocklisted addresses are filtered and removed.
Allowlist filtering works in the reverse of blocklist filtering. When allowlist filtering is used, e-mail
addresses contained in the allowlist database are identified as valid addresses. Allowlist filtering is
most commonly used in conjunction with content filtering to prevent e-mails coming from valid
senders being incorrectly identified as spam.
11-17
IP Block/Allow Lists
Using IP addresses is another way to identify the source of e-mail messages. E-mail servers can be
configured to check against a database of IP addresses that are either known as valid or addresses that
have been flagged as sources of spam-related activity. Similar to e-mail address filtering, IP-based
blocklists and allowlists are often used in conjunction with more sophisticated content filtering to
decrease the occurrence of false positives.
DNS Reverse Lookup

Another way e-mail is protected is by using reverse DNS lookup rules. If an e-mail destined for your
organization comes from @contoso.com, the first thing most
e-mail servers do is to ensure it is a legitimate e-mail and do a reverse DNS lookup on the e-mail server
hosting contoso.com. This is done by checking for the DNS PTR record to ensure to confirm the source of
the e-mail. This ensures that the
e-mail is from a valid source. If there is no reverse e-mail server for contoso.com the e-mail will be
discarded.
Sender Policy Framework (SPF) records work as an extension of DNS reverse lookups and can prevent
sender e-mail address forgery. SPF records put the onus on the sending organization to register the IP
addresses or alias for all e-mail servers that are allowed to send e-mail from the organizations domain.
Receiving
e-mail servers can check the SPF records, and only accept e-mail from the authorized servers.
Microsoft Exchange Server Edge Transport Server

Edge Transport Servers are specifically configured Microsoft Exchange servers that handle all e-mail flow
in and out of an organizations core Exchange servers. An Edge Transport server is located in an
organizations perimeter network, acting as a gateway to the e-mail infrastructure of the private network.
An Edge Transport server can perform content filtering, address filtering, and a number of other antispam-related functions that help protect against unwanted e-mail activity. Edge Transport servers identify
and filter e-mail content prior to it entering the private corporate network, thereby decreasing and
organizations risk and exposure to
e-mail-related attacks and the issues that can arise from such attacks.
Microsoft Forefront Protection for Exchange Server

Microsoft Forefront is a group of technologies that provide anti-malware protection in a Windows
environment.
Microsoft Forefront Protection for Exchange Server is an edge-based solution, meaning that it is deployed
into an organizations perimeter network in the same way as a Microsoft Exchange Edge Transport server.
Microsoft Forefront Protection for Exchange Server can also be deployed on Exchange Servers inside of
the organization.
Microsoft Forefront Protection for Exchange Server is a comprehensive solution to edge-based e-mail
security management. It provides anti-spam and e-mail filtering capabilities, anti-virus detection and
filtering, and attachment blocking. It also provides the enforcement of policy-based e-mail management,
allowing administrators to be very specific about the management of e-mail security in their environment.
11-18
Client-Side Solutions
Key Points
While server-based solutions and tools deployed into an organizations perimeter network provide the
best defense against e-mail-based threats attempting to enter your network, no one solution will
eliminate 100% of e-mail-based threats.
Client-side e-mail security management provides an additional level of protection from unwanted e-mail
for your users.
Microsoft Office Outlook 2007 and 2010 Defenses

As well as antivirus programs and boundary defenses, Microsoft Office Outlook 2007 and 2010 provide
additional layers of security. Office Outlook 2007 and 2010 have junk filters built in which restrict
potentially harmful attachments as well as images from being displayed. This junk filter is based on the
concept of trusted senders as well as its own logic.
Office Outlook 2007 and 2010 maintain two lists of sender addresses for the purpose of filtering received
e-mail content. Office Outlook 2007 and 2010 users can maintain these lists according to messages they
receive and how they want those messages handled by Office Outlook 2007 and 2010.
Safe senders. Safe senders are addresses that have been identified as known and trusted senders of email. Messages received from addresses located in the safe senders list are treated in a trusted
manner and will be allowed to display images and other functions that might be considered
potentially harmful if coming from an untrusted address.
Block senders. In contrast to the safe senders list, the blocked senders list contains a list of addresses
that are known as unsafe. Messages from these addresses are filtered in order to prevent the potential
for harmful activity.
Office Outlook 2007 and 2010 also allow a user to maintain a list of international top-level domains (TLDs)
that are marked as unsafe or unwanted. For example, to block e-mail coming from addresses in Germany
or Mexico, the TLDs .de and .mx would be added to the Blocked TLD list.
11-19
When an e-mail comes in, Office Outlook 2007 and 2010 check the validity of the e-mail and check the
level of junk e-mail protection you have set. There are four levels of security:
No filtering. This setting will allow all e-mail to get in regardless of the sender and will not use Office
Outlook 2007 and 2010s built-in junk e-mail settings.
Low. This will perform a basic scan and analyze e-mail as it comes in, allowing most e-mail to pass
through and end up in the inbox. It also takes into account the safe senders, safe recipients, blocked
senders list and international settings which are configurable in Office Outlook 2007 and 2010. The
safe senders and safe recipients list is a list of people you trust, no matter what kind of logic Office
Outlook 2007 and 2010 might apply to the e-mail. These lists will ensure that the e-mail, provided it
gets past the front line of defense, always ends up in your inbox. The blocked senders list is just that,
any e-mail address or domain on the blocked senders list immediately gets treated as junk e-mail.
The international setting allows blocking of top level domains as well as specific character encoding
sets. For example, if you never intend on getting
e-mail from anyone in Mexico, you can set the international setting to treat any e-mail from .mx as
junk e-mail. Further, if you never expect anything in the Taiwanese character set, you can set that
character set to be treated as junk.
High. High, similar to Low, filters e-mail, only on a more aggressive scale, letting less e-mail through
to your inbox. High also takes into account all of the aforementioned lists.
Safe Lists Only. Safe Lists Only is the most extensive filtering possible, but can treat some potential
safe e-mail as junk. Safe Lists Only will only allow e-mail from the safe senders and safe recipients
lists mentioned above and treats all remaining e-mail as junk e-mail.
Antivirus Programs
Most antivirus programs integrate with e-mail programs like Microsoft Office Outlook and scan e-mail
before you read it. It will also scan it while you read it and any attachments included in the e-mail will also
be scanned. This provides a second layer of defense in case the perimeter-based servers have missed a
potentially harmful e-mail.
This second level or layer of security also allows an end user or an IT department to put more rigorous
checks in place on specific machines rather than at the global level. For example, the global policy might
be to allow Microsoft Office Word, Microsoft Office Excel and Microsoft Office PowerPoint files
through the firewall. However, at the second layer, the antivirus program will block the service staff of the
company from receiving any attachments at all.
11-20
Lesson 3
Server Protection
An organizations servers represent the core of its network functionality. Servers typically host multiple
business critical services within an organization. An infected file server may propagate a virus to remote
workstations further crippling a network, whereas an infected e-mail server could potentially cut off
external communications between your organization and your clients for an extended period of time. As a
result, security measures implemented on the server infrastructure represent one of the most important
aspects of maintaining overall network integrity and functionality.
This lesson introduced a number of ways to ensure that your servers are protected from circumstances
that could leave them vulnerable to attack.
Objectives
Describe how to maintain server security.
Describe the Security Configuration wizard (SCW).
Configure a Security Policy using the SCW.
Describe Microsoft Baseline Security Analyzer (MBSA).
Use the MBSA to help secure your servers.
11-21
Maintaining Server Security
Key Points
Ensuring the security of your Windows Server 2008 R2 servers is an ongoing process that requires routine
attention and maintenance to ensure that your servers are the least exposed to attack as possible. Several
areas exist that should be considered when maintaining the security of your servers.
Maintaining Updates
Operating systems, including Windows Server 2008 R2 are constantly changing and evolving in response
to customer demand for new features, newly identified security risks or other changes in the computing
world. As well, applications installed on servers experience the same state of constant change for many of
the same reasons. Due to this ever-changing state, operating systems and the applications that run on
them are constantly being updated. While many update processes, such as Microsoft Update and
Windows Server Update Services (WSUS) are primarily automated, these automated processes need to be
routinely examined for proper operation.
User Account Security

The state of your servers (and, if applicable, domains) account security is critical to ensuring the integrity
of your server environment. Account passwords should be enforced by a password complexity policy and
passwords should be regularly updated to prevent unauthorized account access. Unused accounts should
be disabled or removed from the system. Accounts with elevated privileges, such as administrative
accounts, should be closely monitored and used only for their intended purpose. For additional security,
these accounts could be protected with an added measure of security, such as a smart card or a biometric
authentication device.
Unused Services or Features

Disabling unused services and features within Windows Server 2008 R2 not only reduces the potential
vulnerability of your server to attack, but also carries the added benefit of potentially increased
performance.
11-22
Application Installation and Usage

Like unused services or features, unused applications can expose your server to security vulnerabilities as
well as potential performance implications. In addition, carefully monitoring installed applications will
ensure that malicious or unauthorized application installations are detected and removed.
Windows Firewall
Windows Firewall is your servers first line of defense against incoming network attacks. Leaving Windows
Firewall enabled and ensuring that it is properly configured for your server leaves that layer of protection
intact and provides you with a manageable and flexible way to protect against potential network
vulnerabilities that may exist in other applications on your server.
11-23
What Is the Security Configuration Wizard?
Key Points
The SCW can be used to enhance the security of a server by closing ports and disabling services not
required for the servers roles.
The SCW can be launched from the home page of Server Manager, in the Security Information section, or
from the Administrative Tools folder. There is also a command-line version of the tool, scwcmd.exe.
The SCW is role-based in accordance with the new role-based configuration of Windows Server 2008 R2.
The SCW is typically run on a server prior to that server being deployed. This way, the attack surface of the
server is reduced before it is deployed into the infrastructure and exposed to potential threats.
When the SCW is run, it scans the server and identifies the current state of the server relative to potential
changes that may need to be made. SCW scans the following:
Roles that are installed on the server.
Roles likely being performed by the server.
Services installed on the server but not defined in the security configuration database.
IP addresses and subnets configured for the server.
The information discovered about the server is saved in an XML file. This server-specific file is called the
configuration database.
The initial settings in the configuration database are called the baseline settings. After the server has been
scanned and the configuration database has been created, you have the opportunity to modify the
database, which will then be used to generate the security policy to configure services, firewall rules,
registry settings, and audit policies. The security policy can then be applied to the server or to other
servers playing similar roles. The SCW is a series wizard pages that presents these four security policy
categories in separate sections:
Role-based service configuration
11-24
Network security
Registry settings
Audit policy
Role-Based Service Configuration

The outcome of this section is a set of policies that configure the startup state of services on the server.
You want to ensure that only the services required by the servers roles start and that other services do not
start. To achieve this outcome, the SCW presents pages that display the server roles, client features,
administration and other options detected on the scanned server. You can add or remove roles, features,
and options to reflect the desired role configuration.
Network Security
The Network Security section produces the firewall settings of the security policy. Those settings will be
applied by Windows Firewall with Advanced Security. Like the Role-Based Service Configuration section,
the Network Security section displays a page of settings derived from the baseline settings in the
configuration database. The settings in the Network Security section, however, are firewall rules rather
than service startup modes.
Registry Settings
The Registry Settings section configures protocols used to communicate with other computers. These
wizard pages determine Server Message Block (SMB) packet signing, Lightweight Directory Access
Protocol (LDAP) signing, LAN Manager authentication levels, and storage of password LAN Manager hash
values. Each of these settings is described on the appropriate page, and a link on each page takes you to a
Security Configuration wizard Help page that details the setting.
Audit Policy
The Audit Policy section generates settings that manage the auditing of success and failure events and the
file system objects that are audited. Additionally, the section enables you to incorporate a security
template called SCWAudit.inf into the security policy.
Security Policies
When the SCW has completed the assessment of the server, it provides the opportunity to capture the
settings in a security policy.
A security policy is the end result of the SCW run on a server. A security policy is an XML-based file that
contains the settings obtained from the details provided during the SCW process. The policy contains
potential changes to Windows settings from the following areas:
Services
Network security including firewall rules
Registry values
Audit policy
The saved policy can then be modified or deployed to servers by converting the policy to a GPO using the
scwcmd.exe command-line tool and deploying the GPO using Group Policy.
Deploying a Security Policy Using Group Policy

You can apply a security policy created by the SCW to a server by using SCW itself, by using the
Scwcmd.exe command, or by transforming the security policy into a GPO.
To transform a security policy into a GPO:
Log on as a domain administrator and run Scwcmd.exe with the transform command.
For example:
scwcmd transform /p:"Contoso DC Security.xml /g:"Contoso DC Security GPO
This command will create a GPO called Contoso DC Security GPO with settings imported from the
Contoso DC Security.xml security policy file. The resulting GPO can then be linked to an appropriate
scopesite, domain, or organizational unit (OU)by using the Group Policy Management console.
Be sure to type scwcmd.exe transform /? for help and guidance about this process.
11-25
11-26
Demonstration: Using the SCW
Key Points
In this demonstration you will see how to use the SCW to create a security policy.
Demonstration Step:
Use the SCW to create a security policy.
11-27
What Is the Microsoft Baseline Security Analyzer?
Key Points
MBSA is a software tool that analyzes the security state of an environment in accordance with Microsoft
security recommendations. MBSA analyzes the current server state and documents any changes that will
further secure the server and lock it down from attacks. Beginning in version 2.1, MBSA provides support
for Windows Server 2008 R2.
MBSA uses Microsoft Update to check for the status of security updates and software updates for
Microsoft applications such as Exchange and SQL Server as well as built-in applications like IE, Internet
Information Server and offers guidance for the correction of detected inconsistencies.
In addition to the standard wizard-based interface, MBSA also provides a command-line interface
(mbsacli.exe) which allows the MBSA to be run from within a script or as part of an automated task.
MBSA is designed for and geared towards small and medium businesses, but it can also be effectively
used in a larger enterprise environment.
11-28
Demonstration: Using the MBSA to Secure Windows Servers
Key Points
In this demonstration you will see how to use MBSA to secure Windows Servers.
1.
2.
Install the MBSA tool.

Use MBSA to diagnose any problems with NYC-SVR2.
11-29
Lab Setup
1.
2.
3.
4.
5.
6.
Password: Pa$$w0rd
Domain: Contoso

In Hyper-V Manager, click 6420B-NYC-CL1, and in the Actions pane, click Start and then, in the
Actions pane, click Connect. Do not log on to
NYC-CL1 until instructed to do so.
11-30
Exercise 1: Restricting Applications with AppLocker

Scenario
Microsoft Office 2007 has recently been installed in the Research Department at Contoso, Ltd on all client
computers. Previously, WordPad was used for word processing tasks in the Research Department. To
encourage users to use the new word processing capabilities of Office Word 2007, you have been asked
to restrict users in the Research Department from running WordPad on their computers.
1.
2.
3.
Create a Group Policy object (GPO) to enforce the default AppLocker Executable rules.
Apply the GPO to the Contoso.com domain.
Test the AppLocker rule.
Task 1: Create a Group Policy object (GPO) to enforce the default AppLocker Executable
rules
1.
2.
3.
Switch to NYC-DC1.
Open the Group Policy Management console and create a GPO entitled Wordpad Restriction
Policy.
Edit the new GPO with the following settings:
Application Control Policy: Under Executable Rules create a new executable publisher rule for
C:\Program Files\Windows NT
\Accessories\wordpad.exe that denies Everyone access to run any version of wordpad.exe.
Configure Executable rules to be enforced.
Configure the Application Identity service to run and set it to Automatic.
Task 2: Apply the GPO to the Contoso.com domain
Apply the WordPad Restriction Policy GPO to the Contoso.com domain container.
Task 3: Test the AppLocker rule

1.
2.
3.
Log on to NYC-CL1 as Contoso\Alan with the password of Pa$$w0rd.

Refresh Group Policy by running gpudate /force from the command prompt.
Try to run Start - All Programs - Accessories WordPad.
Note: The AppLocker policy should restrict you from running this application. If the application
runs, log off NYC-CL1 and log on again. Once the policy setting has applied, the application will be
restricted.
Results: After this exercise, you will have restricted an application by using AppLocker.
11-31
Exercise 2: Using the Security Configuration Wizard

Scenario
You have been asked to use the Security Configuration wizard to create a security policy for domain
controllers in the contoso.com domain based on the configuration of NYC-DC1. You will then convert the
security policy into a GPO, which could then be deployed to all domain controllers by using Group Policy.
1.
2.
Create a security policy.

Transform a security policy into a GPO.
Task 1: Create a security policy

1.
2.
3.
4.
On NYC-DC1, run the Security Configuration Wizard in the Administrative Tools folder.
Carry through the steps of the wizard, accepting the defaults.
Save the resultant Security Policy as DC Security Policy.xml.
When prompted to apply the Security Policy, select Apply later.
Task 2: Transform a security policy into a GPO

1.
2.
On NYC-DC1, use c:\windows\security\msscw\policies\scwcmd to transform DC-Security

Policy.xml to a GPO named DC Security Policy GPO.
In Group Policy Management console, examine the newly created DC Security Policy GPO.
Results: After this exercise, you will have used the Security Configuration wizard to create a security
policy named DC Security Policy, and transformed the security policy to a Group Policy object named
DC Security Policy.
11-32
Exercise 3: Hardening the Security Settings on Windows Server

Scenario
You have been asked to run MBSA on NYC-SVR2 to test for any areas requiring updates or maintenance.
1.
2.
Install Microsoft Baseline Security Analyzer (MBSA) on NYC-SVR2.

Run the default MBSA scan.
Task 1: Install Microsoft Baseline Security Analyzer (MBSA) on

NYC-SVR2
1.
2.
3.
Switch to NYC-SVR2.
Open Windows Explorer and navigate to E:\Labfiles\MBSA.
Run MBSASetup-x64-EN.msi using the defaults.
Task 2: Run the default MBSA scan
On NYC-SVR2, run the MBSA scan (ensuring to remove the check for updates checkmark).
Note: For demonstration and lab purposes you can change the automatic updates setting, however
you will not be able to get updates as the classroom does not have internet connectivity.
Results: Your results should show several administrative vulnerabilities including the following:
Automatic Updates
Password Expiration
Incomplete Updates
Local Account Password Test
File System
Autologon
Guest Account
Restrict Anonymous
Administrators
Windows Firewall
Results: After this exercise, you will have used the MBSA to harden security settings.

following steps:
1.
2.
3.
4.
5.

6.
11-33
11-34
Review Questions
1.
What are the key differences between AppLocker and legacy Software Restriction Policies?
2.
Why are server-side e-mail security solutions typically more effective and easy to implement than
client-side solutions?
3.
Why is maintaining software updates important to server security
Tools
Tool
Use for
Where to find it
Software Restriction
Policies
Managing software execution in legacy
Group Policy Management
AppLocker
Managing software execution in Windows Group Policy Management
environments or in environments where

Windows Server 2008 R2 and Windows 7
co-exist with legacy Windows operating
systems
Server 2008 R2 and Windows 7
environments
Microsoft Forefront
Protection for
Exchange Server
Provide antimalware protection for a

Microsoft Exchange Server environment
Security
Generate and apply security policy
Configuration wizard
templates to decrease the vulnerability of
For more information see,

Forefront Protection 2010 for
Exchange Server
http://www.microsoft.com
/forefront/protection-forexchange/en/us/default.aspx
Start Menu
11-35
Tool
Use for
Where to find it
Microsoft Baseline
Security Analyzer
Analyze the security state of an
For more information see,

Microsoft Baseline Security
Analyzer:
http://technet.microsoft.com/enus/security/cc184924.aspx
environment in accordance with

Microsoft security recommendations.
11-36
Monitoring Server Performance
Module 12
Contents:
Lesson 1: Overview of Server Components
12-3
Lesson 2: Performance Monitoring
12-8
12-17
12-1
12-2
Module Overview
Monitoring the performance of servers is important for all organizations. Businesses require cost-effective
solutions that provide value for money. You should monitor servers to ensure that they run efficiently and
use available server capacity.
Many administrators require performance monitoring tools to identify components that require additional
tuning and troubleshooting. By identifying components that require additional tuning, you can improve
the efficiency of your servers.
Objectives
Identify server components that are impacted through excessive workloads.
Measure system resource usage and identify component bottlenecks.
12-3
Lesson 1
Overview of Server Components
Before you can start to collect meaningful performance-related statistics, you must be able to identify the
important server components that affect server performance most significantly. A bottlenecked server
component can lead to significant performance problems. This lesson explores server components and
explains how to identify server bottlenecks.
Objectives
Describe the important server components.
Explain the benefits of 64-bit computing.
Describe performance bottlenecks.
12-4
Server Components
Key Points
The four main hardware components to monitor are processor, disk, memory and network. Understanding
how these four key hardware components are utilized by the operating system and how they interact with
one another is an important step along the road to understanding how to optimize server performance.
When monitoring performance, you should consider:
The measurement of all key components in your system.
The server role and workload to determine which hardware components are likely to restrict
performance.
The ability to increase server performance by adding power or reducing the number of users who are
accessing a server.
Processor
One important factor in determining the overall processor capacity of your server computer is processor
speed. Processor speed is determined by the number of operations it can perform in a measured period of
time. Servers with multiple processors, or processors with multiple cores, generally perform processorintensive tasks with greater efficiency and are consequently faster than single processor or single-core
processor servers.
Processor architecture is also important. 64-bit processors can access more memory and have a significant
effect on performance. This is true especially when applications running on your server require a large
amount of memory.
Disk
Hard disks are used to store programs and data. Consequently, the speed of the server is affected by the
throughput of your disks, especially when the server is performing disk-intensive tasks. Disks have moving
12-5
parts and it takes time to position the read/write heads over the appropriate sector on the disk to retrieve
the requested information.
By selecting faster disks, and by using collections of disks to optimize access times, you can alleviate the
potential for the disk subsystem to create a performance bottleneck.
It is also worth remembering that information on the disk is moved into memory before it can be used. If
there is a surplus of memory, the Windows Server operating system creates a file cache for items
recently written to or read from the disks. Installing additional memory in a server can often improve the
disk subsystem performance.
Memory
Programs and data are loaded from disk into memory before the program can manipulate the data. In
servers that run multiple programs, or where datasets are very large, increasing the amount of memory
installed can help improve server performance.
Windows Server uses a memory model in which excessive memory requests are not rejected, but handled
by a process known as paging. During paging, data and programs in memory not currently being utilized
by processes are moved into an area on the hard disk known as the paging file; this frees up physical
memory to satisfy the excessive requests. However, because a disk is comparatively slow, paging has an
effect on server performance. By adding more memory, and by using a 64-bit processor architecture that
supports larger memory, you can reduce the need for paging.
Network
It is easy to underestimate the effect of a poorly performing network as it is not as easy to see or to
measure as the other three server components. However, as so many of the programs and so much of the
data that processes, and since application access is stored on network devices, it should not be surprising
that the network is a critical component for performance monitoring.
12-6
64-bit Computing
Key Points
The Windows Server 2008 R2 operating system is only available in 64-bit versions. 64-bit operating
systems offer a number of significant advantages. For example, installing 64-bit operating systems offers
the ability to scale up (increase processor cores and memory) more than is possible with a 32-bit
operating system.
Device Driver Considerations

You must ensure that the kernel-mode drivers that you will use are all signed digitally; digital signatures
for kernel-mode software are an important way to ensure security on computer systems. The mandatory
kernel-mode, code signing policy applies to all kernel-mode software on systems running Windows Server
2008 R2.
Application Compatibility
In addition to ensuring that you have digitally signed drivers, you must consider application compatibility.
Windows Server 2008 R2 includes kernel and user mode application programming interface (API) changes
that support virtualization, scalability, performance, power management, and networking enhancements.
Consequently, applications designed to run on an earlier, 32-bit version of Windows Server may not run
correctly on Windows Server 2008 R2.
You must verify the correct functionality of important applications before you deploy Windows Server
2008 R2, and where necessary, implement application fixes to ensure correct functionality.
Microsoft provides a number of application compatibility tools that can help you test, and where required,
fix your applications so that they run correctly within the 64-bit Windows Server 2008 R2 environment.
Question: How many of the servers installed in your organization have 64-bit hardware but only 32-bit
operating systems?
12-7
Performance Bottlenecks
Key Points
A performance bottleneck occurs when a server is unable to service the current requests for a specific
resource. The resource might be a server component, such as a disk, memory, processor, or network.
Alternatively, the bottleneck might be caused by the shortage of a component within an application
package.
By using performance monitoring tools on a regular basis, and comparing the results to your baseline and
to historical data, you can identify server bottlenecks before they impact users.
Once you have identified a bottleneck, you must decide how to remove it. Option include:
Running fewer applications.
Distributing users across additional servers.
Adding additional resources to the server.
In severe circumstances, a server suffering from a severe resource shortage may stop processing user
requests. However, if your server is experiencing a bottleneck but is still operating within acceptable limits,
you might decide to defer any changes until the situation is resolved, or until you have an opportunity to
take corrective action.
12-8
Lesson 2
Performance Monitoring
Windows Server provides a number of tools that enable you to gather and analyze performance-related
statistics; it is important that you know what data to collect with these tools so that you can identify
performance problems on your servers before they impact your users.
Objectives
Describe the process of performance monitoring.
View real-time performance data.
Capture performance data for subsequent analysis.
Describe Data Collector Sets.
Identify server bottlenecks by using alerts.
12-9
The Process of Performance Monitoring
Key Points
There are several methods that you can use to collect performance data from servers in your organization.
You should use each of these methods to suit your organizations requirements.
Real-time monitoring of computers is useful when you want to determine the effect of performing a
specific action or troubleshoot specific events. This type of monitoring can also help you to ensure that
you are meeting service level agreements (SLAs).
Analyzing historical data can be useful for tracking trends over time, determining when to relocate
resources, and deciding when to invest in new hardware to meet the changing requirements of your
business. You should use historical performance data to assist you when you plan future server
requirements.
If you intend to gather data for historical comparison, it is important to establish a performance baseline.
To create a baseline, you must collect performance data over a period of time during which your server is
under typical load. When you come to collect data in the future, you must ensure you collect statistics
about the same resources as those you analyzed in your baseline. You can then compare resource usage
against your baseline and see whether there are sufficient resources to satisfy user demands.
A range of tools is available to assist you in the monitoring of your server environment. These tools are
described in the following table.
Tool
Description
Windows Server 2008

R2 Event Viewer
Windows Server 2008 R2 Event Viewer collects information that relates to

server operations. This data can help you to identify performance issues on a
server. You should search for specific events in the event log file to locate and
identify problems.
Microsoft Windows Using WSRM, you can control how CPU resources are allocated to
System Resource
applications, services, and processes. Managing these resources improves
12-10
Tool
Description
Manager (WSRM)
system performance and reduces the chance that these applications, services,
or processes will interfere with the rest of the system.
WSRM is a feature of Windows Server 2008 R2.
Microsoft Network
Monitor
Network Monitor is a protocol analyzer. It enables you to capture, view, and

analyze network data. You can use it to help troubleshoot problems with
applications on the network.
You can download Network Monitor from the Microsoft Download Center
Web site.
Microsoft Windows
Performance Monitor
You can use Microsoft Windows Performance Monitor to examine how

programs you run affect your computers performance, both in real-time and
by collecting log data for later analysis. Windows Performance Monitor uses
performance counters, event trace data, and configuration information, which
can be combined into data collector sets.
Performance Monitor is built into Windows Server 2008 R2.
Microsoft System
Center Operations
Manager 2007
(Operations Manager)
Operations Manager enables you to build a complete picture of the past and
current performance of your server infrastructure. Operations Manager can
also automatically respond to events and address problems before they
become an issue for you. Operations Manager requires time to configure and
requires additional licenses.
12-11
Demonstration: How to Capture Current Performance Activity
Key Points
There are many counters that you should research and consider monitoring to meet your specific
requirements.
Windows Server 2008 R2 enables monitoring of operating system performance through performance
objects and counters in the object. Windows Server 2008 R2 collects data from counters in various ways,
including:
Real-time snapshot value
Total since last server restart
Average over specific time interval
Average of last x values
Number per second
Maximum value
Minimum value
Primary Processor Counters

CPU counters are a feature of the computer's CPU that stores the count of hardware-related events.
Processor>% Processor Time. Shows the percentage of elapsed time that this thread used the
processor to execute instructions. An instruction is the basic unit of execution in a processor, and a
thread is the object that executes instructions. Code executed to handle some hardware interrupts
and trap conditions is included in this count.
Processor>Interrupts/sec. Shows the rate, in incidents per second, at which the processor received
and serviced hardware interrupts.
12-12
System>Processor Queue Length. This counter is a rough indicator of the number of threads each
processor is servicing. The processor queue length, sometimes called processor queue depth,
reported by this counter is an instantaneous value that is representative only of a current snapshot of
the processor, so it is necessary to observe this counter over a long period of time. Also, the
System\Processor Queue Length counter is reporting a total queue length for all processors, not a
length per processor.
Primary Memory Counters

The Memory performance object consists of counters that describe the behavior of physical and virtual
memory on the computer. Physical memory is the amount of RAM on the computer. Virtual memory
consists of space in physical memory and on disk. Many of the memory counters monitor paging, which is
the movement of pages of code and data between disk and physical memory.
Memory>Pages/sec. Shows the number of hard page faults per second. A hard page fault occurs
when the requested memory page cannot be located in RAM because it currently exists in the paging
file. An increase in this counter indicates that more paging is occurring which in turn suggests a lack
of physical memory.
Primary Disk Counters

The Physical Disk performance object consists of counters that monitor hard or fixed disk drives. Disks are
used to store file, program, and paging data. They are read to retrieve these items, and are written to
record changes to them. The values of physical disk counters are sums of the values of the logical disks (or
partitions) into which they are divided.
Physical Disk>%Disk time. This counter shows how busy a particular disk is. A counter approaching
100% indicates that the disk is busy nearly all of the time and may suggest a performance bottleneck
is imminent.
Physical Disk>Average Disk Queue Length. This counter shows how many disk requests are waiting to
be serviced by the I/O manager in Windows Server at a given moment. The longer the queue, the less
satisfactory the disk throughput is.
Primary Network Counters

Most workloads require access to production networks to ensure communication with other applications
and services and to communicate with users. Network requirements include elements such as
throughputthat is, the total amount of traffic that passes a given point on a network connection per
unit of time.
Other network requirements include the presence of multiple network connections. Workloads might
require access to several different networks that must remain secure. Examples include connections for:
Public network access.
Networks for performing backups and other maintenance tasks.
Dedicated remote-management connections.
Network adapter teaming for performance and failover.
Connections to the physical host server.
Connections to network-based storage arrays.
By monitoring the network performance counters, you can evaluate your networks performance.
In this demonstration, you will see how to use Performance Monitor to view real-time performance data.
1.
2.
3.
View current activity in System Summary.

Use Performance Monitor to view a chart on current activity.
Use a Report to view the current activity.
12-13
12-14
What Are Data Collector Sets?
Key Points
A Data Collector Set is the foundation of Windows Server performance monitoring and reporting in
Performance Monitor.
Data Collector Sets enable you to gather performance-related and other system statistics for analysis with
other tools within Performance Monitor, or with third-party tools.
While it is useful to analyze current performance activity on a server computer, it is perhaps more useful
to collect performance data over a period of time for subsequent analysis and comparison with previously
gathered data. This data comparison enables you to make determinations about resource usage, to plan
for growth, and to identify potential performance problems.
Data Collector Sets can contain the following types of data collectors:
Performance counters. Provides data about the servers performance.
Event trace data. Provides information about system activities and eventsoften useful for
troubleshooting.
System configuration information. Enables you to record the current state of registry keys and to
record changes to those keys.
You can create a Data Collector Set from a template, from an existing set of data collectors in a
Performance Monitor view, or by selecting individual data collectors and setting each individual option in
the Data Collector Set properties.
Demonstration: How to Use Data Collector Sets to Capture Performance

Data
Key Points
In this demonstration, you will see how to collect performance data in a data collector set.
1.
2.
3.
Create a data collector set.

Create a disk load on the server.
Analyze the resulting data in a report.
12-15
12-16
Demonstration: How to Use Alerts to Identify Performance Bottlenecks
Key Points
You can use alerts in Performance Monitor to determine when a threshold has been exceeded and then to
take appropriate action, such as run a program, generate an Event Log error, and start a data collector set.
In this demonstration, you will see how to create an alert.
1.
2.
3.
Create a data collector set with an alert counter.

Generate a load on the server to exceed configured threshold.
Examine event log for resulting event.
12-17
Lab Setup
1.
2.
3.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
You have successfully deployed some new servers at the Contoso, Ltd branch offices. Before the system
goes live, you decide to establish a performance baseline so that you can compare future workloads to
the expected workload.
12-18
Exercise 1: Creating a Performance Baseline

Scenario
You load Performance Monitor on the server and create a baseline using typical performance counters.
1.
2.
3.
4.
Create a Data Collector Set.

Start the Data Collector Set.
Create workload on the server.
Analyze collected data.
Task 1: Create a Data Collector Set

1.
2.
3.

Open Performance Monitor.
Create a new user defined data collector set using the following information to complete the process:
a.
b.
c.
d.
e.
f.
4.
Name: NYC-SVR2 Performance

Create: Create manually (Advanced)
Type of data: Performance counter
Select the following counters:
Processor, %Processor Time
Memory, Pages/sec
PhysicalDisk, %Disk Time
PhysicalDisk, Avg. Disk Queue Length
System, Processor Queue Length
Network Interface, Bytes Total/sec
Sample interval: 1 second

Where to store data: default value
Save and close the data collector set.
Task 2: Start the Data Collector Set
In Performance Monitor, in the Results pane, right-click

NYC-SVR2 Performance, and then click Start.
Task 3: Create workload on the server

1.
Open a command prompt and run the following commands, pressing ENTER after each command:
Fsutil file createnew bigfile 104857600
Copy bigfile \\nyc-dc1\c$
Copy \\nyc-dc1\c$\bigfile bigfile2
Del bigfile*.*
Del \\nyc-dc1\c$\bigfile*.*
2.
Do not close the command prompt.
Task 4: Analyze collected data

1.
2.
3.
Switch to Performance Monitor.

Stop the NYC-SVR2 Performance data collector set.
In Performance Monitor, in the navigation pane, click Performance Monitor.
4.
5.
6.
7.
8.
9.
12-19
On the toolbar, click View Log Data.

In the Performance Monitor Properties dialog box, on the Source tab, click Log files and then click
Add.
In the Select Log File dialog box, double-click Admin.
Double-click NYC-SVR2 Performance, double-click the
NYC-SVR2_date-000001 folder and then double-click DataCollector01.blg.
Click the Data tab and then click Add.
Select the following counters:
Memory, Pages/sec
10. On the toolbar, click the down arrow and then click Report.
11. Record the values listed in the report for analysis later.
Recorded values:
Memory, Pages/sec
Results: After this exercise, you should have established a baseline.
12-20
Exercise 2: Simulating a Server Load

Scenario
Having created the baseline, you now simulate a load to represent the system in live usage.
1.
2.
Load a new program on the server.

Configure the load on the server.
Task 1: Load a new program on the server

1.
2.
On NYC-SVR2, switch to the command prompt.

Change to the C:\Labfiles\StressTool folder.
Task 2: Configure the load on the server
On NYC-SVR2, run StressTool.exe 95.

Results: After this exercise, you should have introduced a load on your server.
Exercise 3: Gathering Additional Performance Data

Scenario
Users are complaining of poor server performance and you investigate by using the previously created
data collector set.
1.
Start the data collector set again.
Task: Start the data collector set again

1.
2.
3.

Start the NYC-SVR2 Performance data collector set.
Wait one minute for data to be captured.
Results: After this exercise, you should have captured additional performance data.
12-21
12-22
Exercise 4: Determining Probable Performance Bottlenecks

Scenario
You compare the results achieved under the new load with those collected when you first deployed the
server.
1.
2.
3.
Stop the running program.

View performance data.
Analyze results and draw a conclusion.
Task 1: Stop the running program
At the command prompt, press CTRL+ C and then close the command prompt.
Task 2: View performance data

1.
2.
3.
4.
5.
6.
7.
8.
9.

Stop the data collector set.
On the toolbar, click View log data.
Remove.
Click Add.
In the Select Log File dialog box, click Up One Level.
Double-click the NYC-SVR2_date-000002 folder and then double-click DataCollector01.blg.
Click the Data tab and then click OK.
Note: If you receive an error at this point, or the values in your report are zero, repeat steps 4-9.
Recorded values:
Memory, Pages/sec
Task 3: Analyze results and draw a conclusion

1.
2.
Compared with your previous report, which values have changed?

What would you recommend?
Results: After this exercise, you should have identified a potential bottleneck.

following steps:
1.
2.
3.
4.
5.
6.

12-23
12-24
Review Questions
1.
2.
In what ways does 64-bit computing potentially improve performance?

What significant counters should you monitor in Windows Server Performance Monitor?
Tools
Tool
Use for
Where to find it
Fsutil.exe
Configure and manage the
Command line
file system
Performance Monitor
Monitoring and analyzing

real-time and logged
performance data
Start Menu
Maintaining Windows Server
Module 13
Contents:
Lesson 1: Troubleshooting Windows Server Startup
13-3
Lesson 2: Server Availability and Data Recovery
13-12
Lesson 3: Applying Updates to Windows Server
13-24
Lesson 4: Troubleshooting Windows Server
13-30
13-41
13-1
13-2
Module Overview
The Windows Server 2008 R2 operating system provides a platform for organizations to build their
technology infrastructure on. Windows Server is designed for the dynamic and efficient management of
technology resources as well as providing effective solutions for business needs.
Windows Servers roles are commonly very critical in an organizations network infrastructure. It is critical
to assure the Windows Servers are performing as efficiently as possible in their roles. To support Windows
Server, you must maintain skills and knowledge to properly maintain an efficiently operating and
continually available server infrastructure. You also must have the ability to troubleshoot issues within that
infrastructure when they arise.
Objectives
Troubleshoot the Windows Server boot process.
Implement high availability and recovery technologies to improve system availability.
Explain the importance of system updates.
Implement an appropriate troubleshooting methodology to resolve problems with Windows Server.
13-3
Lesson 1
Troubleshooting Windows Server Startup
The Windows Server startup process ensures that all aspects of a Windows Servers functionality are
checked and initiated in a way that results in a stable and properly running server. Several issues can
emerge in the startup process and the key to troubleshooting or, even better, avoiding these issues is the
knowledge of how the Windows Server startup process works.
This lesson will introduce the details of the Windows Server startup process and give you the tools you
need to identify and correct issues related to Windows Server startup.
Objectives
Describe the Windows Server startup process.
Identify the startup troubleshooting tools.
Apply the considerations for troubleshooting the startup environment.
Recover the startup environment.
13-4
Windows Server Startup
Key Points
The Windows Server boot process is made up of a number of steps involving components both inside and
outside of the operating system environment. At first glance, startup seems to be one of the most basic
features of an operating system. However, there's nothing simple or basic about startup processes and
procedures.
The Windows Server Startup Process

Power On Self-Test (POST)
The Windows Server startup process consists of a number of steps, beginning with the initialization of
system hardware through the computers basic input/output system (BIOS) or eXtensible Firmware
Interface (EFI) firmware interface. This process is commonly referred to as POST. The POST process
typically involves quick checks of system hardware components to confirm proper operation and
functionality. Additionally, most BIOS or EFI systems provide for more intensive POST procedures in the
event that troubleshooting needs to be performed on the POST process.
Boot Environment, Windows Boot Manager and Windows Boot Loader
Unlike earlier releases of Windows Server operating systems, Windows Server 2008 R2 doesn't use an
initialization (.ini) file for the boot process. Rather, the operating system uses the Windows Boot
Manager to manage the operating system startup process.
This new boot environment dramatically changes the way the operating system starts and is designed to
resolve issues related to the following:
Boot integrity
Operating system integrity
Firmware abstraction
13-5
The boot environment is loaded before the operating system, making the boot environment independent
of the operating system. This process ensures that the boot environment can be used to confirm the
integrity of the startup process and the operating system itself before actually starting the operating
system by starting a boot loader.
A boot loader, in its most basic form, loads the initial files required to start an operating system. In a
default installation of Windows Server 2008 R2, there is one boot loader reference stored in Windows
Boot Manager called Windows Boot Loader, which launches the Windows Server 2008 R2 operating
system. The Windows Boot Loader is stored in \Windows\System32\winload.exe and when started by
Windows Boot Manager, it begins the initial load process of the operating system.
Within the boot environment, Windows Boot Manager controls the boot process using the information in
the boot configuration data (BCD) store. Entries in the BCD store are loaded by Windows Boot Manager
and contain configuration data about the various boot loaders installed on the system including the
following:
Device where the boot loader is stored.
Path to the executable file of the boot loader.
Descriptive name of the boot loader.
Boot loader recovery options.
System root of boot loader files.
When multiple boot loaders are referenced in the BCD store, Windows Boot Manager will prompt the user
at startup to choose which boot loader should be started. For example, a server may have Windows Server
2008 R2 installed on one partition and a client operating system like the Windows 7 operating system
installed on another partition to allow the computer to start either of the operating systems, dependent
on the needs of the user. This configuration is known as a multi-boot configuration.
Multi-boot configurations are often complicated and may require modification of the BCD store in order
to accommodate changes made to the system. These changes can be made using a command-line tool
called BCDEdit.
Note: To start BCDEdit, type BCDEdit.exe from the command prompt.
Certain aspects of the BCD store can also be modified within Windows Server 2008 R2. These settings
can be accessed by opening the System applet in Control Panel, clicking Advanced System
Settings, then clicking on the Advanced tab in the System Properties window and finally clicking
Settings under Startup and Recovery.
Detect and Configure Hardware

Once Windows Boot Manager has started the Windows Boot Loader, the Windows Server 2008 R2
operating system begins to load. It starts by detecting hardware and loading the key device drivers
required for initial operating system startup (hard disks, input devices such as keyboards and mice, system
buses, and others).
Loading the Operating System Kernel
An operating system kernel is the most basic and fundamental portion of that operating system. The
kernel controls system hardware and resources, managing them and making them available to
applications running on the system.
13-6
Once the operating system kernel has loaded, the operating system is ready to begin interaction with the
rest of the system software as well as user input, most commonly beginning with the logon.
Logon and Plug and Play Drivers

When a user logs on to a Windows Server 2008 R2 environment, the users credentials are processed and
validated against the default security database, most commonly either the local security database or
possibly Active Directory Domain Services (AD DS). After the credentials have been validated, the user
gains access to the operating system and applications, and any Plug and Play or user mode drivers load to
complete the Windows Server 2008 R2 startup process.
13-7
Troubleshooting Tools in the Startup Environment
Key Points
During the Windows startup process, the failure or malfunction of any component involved can cause the
startup process to fail or behave erratically. Events like hard disk failure, missing or corrupted files, thirdparty driver bugs or intentional or accidental damage of system files can interfere with the startup
process. Windows Server 2008 R2 provides several tools to help troubleshoot and repair components
involved in the startup process, allowing the operating system to startup correctly and efficiently.
Note: All three of these tools are available from the Windows Advanced Options Boot menu, which is
accessible by pressing the F8 key prior to the Windows Server 2008 R2 startup splash screen.
Windows Recovery Environment (WinRE)

During the installation process, Windows Server 2008 R2 creates a special hidden partition on the system
disk that contains a number of useful diagnostic and repair tools known collectively as the Windows
Recovery Environment (WinRE). These tools are accessible prior to system startup manually through the F8
boot menu. Additionally, WinRE will start automatically if the system startup process failed to complete
during the last boot.
Upon starting WinRE, you are presented with three options for recovery.
System Image Recovery allows you to restore the operating system from a backup created earlier
using Windows Server Backup.
Windows Memory Diagnostic performs memory diagnostic tests that check the systems random
access memory (RAM).
Command Prompt opens a command prompt with administrative privileges that provides full access
to the systems file system and volumes.
13-8
Note: If a system loses electrical power during the boot process, WinRE will automatically launch the
next time the system is booted.
Last Known Good Configuration

Using the Last Known Good Configuration restores a systems configuration to the state is was in at the
end of the last successful startup. Last Known Good Configuration makes a copy of configuration
information stored in the registry each time the operating system startup process completes successfully
and a user logs on to the system. Last Known Good Configuration stores the values for the following to
registry hives, or groups of values.
HKLM\SYSTEM\CurrentControlSet\Control: This registry hive contains system configuration settings.
HKLM\SYSTEM\CurrentControlSet\Services: This registry hive contains settings that control driver and
service configuration.
When you choose the Last Known Good Configuration option from the Windows Advanced Options
menu, it marks the values in the two registry hives above as failed and replaces them with the copy taken
after the last successful startup.
Safe Mode
The safe mode option allows the user to run system startup using a limited set of files, services and drivers.
With this limited configuration, it makes failure from a malfunctioning driver or service less likely and
allows you to troubleshoot from within the Windows graphical user interface (GUI) environment. On the
Windows Advanced Options menu, several options exist for starting Windows in Safe mode.
Safe mode starts loading only a basic set of files, drivers and services, including mouse, keyboard,
storage and basic video drivers. No networking services or drivers are started.
Safe Mode with Command Prompt loads the same service and driver set as Safe mode, but starts you
at the command prompt rather than in the Windows GUI.
Safe Mode with Networking starts the same as Safe mode, but adds drivers and services necessary to
provide network functionality.
Other Windows Advanced Options

In addition to the three tools discussed above for troubleshooting startup, the Windows Advanced
Options menu provides other choices that can assist with troubleshooting Windows startup.
Enable Boot Logging starts the boot logging process, which records all startup events to a boot log.
Enable Low-Resolution Video sets the system resolution to 640 x 480 pixels, allowing you to reset
your display resolution in the event that it was changed to a setting that rendered the system
unusable.
Disable Driver Signature Enforcement disables the default behavior in Windows Server 2008 R2 that
requires drivers loaded on startup to contain a valid digital signature.
13-9
Considerations for Troubleshooting Startup
Key Points
When issues arise with the Windows startup process, resolving those issues and getting the system back to
a bootable state as quickly as possible is your highest priority. It is important to consider which startup
tool will best diagnose and solve the issue before you begin the troubleshooting process.
The following examples of common startup issues list conditions that prevent the startup process from
completing successfully along with considerations for troubleshooting that specific problem and which
tool or tools will best assist in correcting the problem.
Master Boot Record (MBR) Corruption
Symptoms. When a systems MBR is corrupted or missing, the system will halt the startup process
immediately following BIOS POST and a black screen or one of the following messages may appear:
Invalid partition table, Error loading operating system or Missing operating system.
Causes. The MBR can become corrupt due to hard disk errors, disk corruption or intentional
destruction of MBR data by a virus or malicious user.
Resolution. Launch WinRE, choose the Command Prompt option and execute bootrec/fixmbr. This
command replaces the executable code in the MBR.
BCD Misconfiguration
Symptoms. After BIOS POST, you will see a message that begins Windows could not start because
of a computer disk hardware configuration problem, Could not read from selected boot disk,
or Check boot path and disk hardware.
Causes. The BCD has been deleted, become corrupt, or no longer refers to the proper boot volume,
potentially because the addition of a partition has changed the name of the volume.
Resolution. Launch WinRE, choose the Command Prompt option, and then execute the
bootrec/scanos and bootrec/rebuildbcd commands. These commands will scan each volume
looking for Windows installations. When they discover an installation, they will ask you whether it
13-10
should be added to the BCD as a boot option and what name should be displayed for the installation
in the boot menu. For other kinds of BCD-related damage, you can also use Bcdedit.exe to perform
tasks such as building a new BCD from scratch or cloning an existing good copy.
System File Corruption
Symptoms. System file (dynamic-link libraries (DLLs), drivers, executables) corruption typically will
cause a message on a black screen after BIOS POST that says, Windows could not start because the
following file is missing or corrupt, followed by the name of a file and a request to reinstall the file.
Causes. The volume on which a system file is located is corrupt or one or more system files have been
deleted or become corrupt.
Resolution. Boot into the Windows Recovery Environment, choose the Command Prompt option, and
then execute the chkdsk command. Chkdsk will attempt to repair volume corruption. If Chkdsk does
not report any problems, obtain a backup copy of the system file in question and replace the file.
Crash or Hang After Splash Screen Appears
Symptoms. Issues that occur after the Windows splash screen appears, after the desktop appears or
after you log in fall into this category and can manifest as a blue screen crash or an unresponsive
system hang.
Causes. This type of problem is commonly caused by a device driver or potential corruption of
registry information.
Resolution. The first and most straightforward method for attempting to restore a normal startup
process would be to invoke the Last Known Good Configuration. This will load the appropriate
registry information from a backup taken when the system last booted properly. This would allow for
the review of recent changes to the operating system to attempt to discover what caused the crash or
hang. If the problem is caused by a driver or service that existed on the system prior to when the Last
Known Good Configuration was taken, another solution will need to be adopted. In this case, Safe
mode may allow the system to boot properly at which point you can disable newly installed drivers or
services in an effort to determine the cause of the problem.
Question: Which tool would you use to recover a system that fails to start properly immediately following
the installation of a new network card?
Demonstration: How to Recover the Startup Environment
Key Points
In this demonstration, you will see how to recover a system from startup failure.
1.
2.
Use the Windows Advanced Options Menu to launch an appropriate tool.

Use the Command Prompt to launch various tools associated with troubleshooting the startup
process.
13-11
13-12
Lesson 2
Server Availability and Data Recovery
Organizations depend on constant and consistent access to their business information and applications. In
this environment, a server is only useful when it is operating properly and it contains the correct data. A
server that is experiencing intermittent failures, sporadically unavailable or one that contains inconsistent
data or has lost data can cause large problems for an organization, often detrimentally affecting their line
of business.
As someone responsible for the operation of your organizations servers, you need to be aware of the
variety of methods that Windows Server offers to allow for high availability, reliability and consistency as
well as how to implement these methods.
Objectives
Describe the need for backup.
Describe the requirement to provide for business continuity.
Differentiate between availability and recovery solutions.
Describe Network Load Balancing (NLB).
Describe failover clustering.
Implement a backup solution.
13-13
Why Backup Data?
Key Points
Data is the most important digital commodity in the business world. Data hosted on an organizations
servers is most often critical to their line of business. Inventories, legal documents, and wage and
employee information are just some of the important pieces of business information data that are
frequently hosted on servers.
The retention or backup of this data is the first line of defense against any event or circumstance that
could put the security, validity or the existence of that data at risk. Events that could lead to data loss
include natural disasters like a flood, earthquake or lightning strike. Environmental issues such as fire,
plumbing malfunctions or power surges can also contribute to the loss of data. Finally, malicious or
accidental activity like hacking, file deletion, equipment theft or intentional damage often lead to data
being lost.
Backing up your companys data in Windows Server 2008 R2 is an important part of maintaining a reliable
server environment. Not only business data, as discussed above, is at risk, but data contained in the
operating system and server applications themselves need to be retained should the need to restore or
recreate them arise.
User or Business Data

Most user or business-related data that is stored on a server is stored in a specifically allocated drive or
folder structure, dedicated exclusively to storing that data. In this configuration, all of the business data is
in one place, and can be backed up as a whole rather than backing up data from a variety of disparate
locations on the server. The location and structure of this data will depend on the individual organization,
and can vary from implementation to implementation.
System Data
System data, such as operating system and application data, however, is almost always stored in a
consistent location on the operating system. While not always accessed or modified by employees directly
13-14
like business data, system data is critical to the operation of a server. It is important that the Windows
Server system volume, which holds the location of the Windows Server operating system files, be backed
up as well to ensure that a server is recoverable from its backups in the case of a system failure.
13-15
Discussion: The Importance of Business Continuity
Key Points
Business continuity planning refers to the ongoing maintenance activity and infrastructure planning and
implementation that allow an organization to carry on their line of business in the event of a disaster or
system failure.
The ability for an organizations server infrastructure to ensure business continuity at times of crisis is a
very important aspect of server management and maintenance.
Question: What types of events could interfere with business continuity?
Question: What would the cost be to your organization if your server infrastructure was unavailable for
an hour, a day, or a week?
13-16
High Availability and Data Recovery
Key Points
Organizations have come to rely more and more on their information technology (IT) infrastructure to
support their business needs. In many cases, an organizations server infrastructure provides applications
or contains data that is critical to business operations. As a result, the availability of those applications and
the retention and safety of that data must be managed to ensure business continuity through high
availability and data recovery.
High Availability
High availability refers to the ability of a server infrastructure to remain available and operable in the
event of hardware, application or service outages within the server infrastructure itself.
Organizations that are required to meet service level agreements (SLAs) or that run applications critical to
an organizations daily business typically use high availability solutions to achieve required server uptimes.
This uptime value is often referred to as the number of 9s referred to in the percentage of that servers
total availability. It is not uncommon for companies to strive for five nines of uptime (99.999%), which
equates to less than ten minutes per year of server downtime.
High availability typically involves multiple servers configured to perform the same role or provide similar
services. If one of the servers experiences a hardware or software failure, the remaining servers continue to
provide the services.
Windows Server 2008 R2 contains several features that assist you in maintaining high availability in your
server infrastructure.
Fault Tolerant Hardware Support

Windows Server 2008 R2 supports fault tolerant hardware architecture supplied by many server hardware
vendors that allows for the removal, addition or replacement of hardware components such as fans,
power supplies, memory, hard disks, network cards and processors. This architecture allows a server to
13-17
remain running and available while hardware upgrades occur or faulty hardware components are
replaced.
Failover Clustering
Failover clustering allows for a group of servers to work together to provide a set of applications or
services. Together, these servers provide a fault tolerant configuration that continues to provide its
applications and services, even if one of the servers in the cluster fails or becomes unavailable.
Network Load Balancing (NLB)

NLB provides for the high availability of Transmission Control Protocol/Internet Protocol (TCP/IP) based
network services. In a network load balancing configuration, each server is aware of the others in its group
and when one server fails or becomes unavailable on the network, traffic is redirected among the other
servers, ensuring continuity of the network services.
Data Recovery
Data recovery processes ensure that critical data is recoverable, should the data be lost, corrupted or
destroyed. This typically involves the copying or backing up of data to a device separate from the server.
These devices can be external hard disks or flash drives, tapes, or network locations. Often, these devices
are stored in a different physical location than the server being backed up in the case that the location
was physically destroyed or damaged by a disaster such as a fire or flood.
When data is lost, corrupted, or destroyed, the backed up data can then be restored to the original
location on the server; or to a separate server until the original server has been restored or rebuilt.
Windows Server Backup

The built-in tool for backing up data in Windows Server 2008 R2 is Windows Server Backup. Windows
Server Backup is a simple and easy to use backup and recovery tool. You can use Windows Server Backup
to perform full, copy and incremental backups on both local and remote systems.
When you use Windows Server Backup, you need to have separate, dedicated media for storing backed
up data. Windows Server Backup can use external and internal disks, DVDs, or shared folders for backup
and restore locations. DVDs can be used only to restore full volumes of data, not individual files, folders or
application data.
You can use Windows Server Backup for recovery in several ways. Rather than having to manually restore
files from multiple backups if the files were stored in incremental backups, you can recover folders and
files by choosing the date on which you backed up the version of the item(s) you want to restore. You can
recover data to the same server hardware or to new server hardware that has no operating system.
Note: Backups taken with Windows Server Backup can also be restored from within the WinRE.
While Windows Server Backup provides built in data recovery in Windows Server 2008 R2, many thirdparty solutions can be leveraged to provide a robust, enterprise-level data recovery solution.
Question: Why would an organization need to implement both high availability and data recovery
processes to ensure business continuity?
13-18
Network Load Balancing
Key Points
NLB provides high availability and scalability for TCP/IP-based services, including Web servers, File
Transfer Protocol (FTP) servers, other mission-critical servers and services. In an NLB configuration,
multiple servers run independently, and do not share any resources. This group of servers is referred to as
a cluster. Client requests are distributed among the servers, and in the event of a server failure, NLB
detects the problem and distributes the load to another server. NLB allows you to increase network
service performance and availability.
High Availability
NLB supports high availability by redirecting incoming network traffic to working cluster hosts if a host
fails or is offline. Existing connections to an offline host are lost, but the Internet services remain available.
In most cases, for example with Web servers, client software automatically retries the failed connections,
and the clients experience a delay of only a few moments before receiving a response.
Many applications work with NLB. Generally, NLB can load balance any application or service that uses
TCP/IP as its network protocol and is associated with a specific TCP or User Datagram Protocol (UDP) port.
Some examples are listed in the following table.
Protocol
Examples
Hypertext Transfer
Protocol (HTTP) and
HTTP Secure (HTTPS)
Microsoft Internet Information Services (IIS): Port 80
FTP
Microsoft IIS: Port 20, port 21, and ports 1024-65535
Simple Mail Transfer

Protocol (SMTP)
Microsoft Exchange Server: Port 25
Protocol
13-19
Examples
Remote Desktop Protocol Terminal Services: Port 3389

(RDP)
Point-to-Point Tunneling Virtual private network (VPN) servers: 1723 for PPTP
Protocol (PPTP) &
Internet Protocol Security
(IPsec)
Performance
NLB supports server performance scaling by distributing incoming network traffic among one or more
virtual IP addresses assigned to the NLB cluster. The hosts in the cluster concurrently respond to different
client requests, even multiple requests from the same client. For example, a Web browser might obtain
each of the multiple images in a single Web page from different hosts within an NLB cluster. This speeds
up processing and shortens the response time to clients.
Scalability
NLB allows administrators to scale network services to meet client demand. New servers can be added to
a load balancing cluster without modifying the applications or reconfiguring clients. The NLB cluster does
not need to be taken offline to add new capacity, and members of the Load Balancing cluster do not need
to be based on identical hardware.
13-20
Failover Clustering
Key Points
Failover clustering is another technology in Windows Server 2008 R2 that provides for high availability. In
a failover cluster, a group of servers, or a cluster, work together to increase the availability of a set of
applications and services. Physical cables and software connect the clustered servers, referred to as nodes.
If any of the cluster nodes fail, other nodes begin to provide service to clients (a process known as
failover). With this method, system downtime is minimized and a high level of availability is provided.
Applications that are best suited for configuration in a failover cluster are applications that use a
centralized set of data. Applications like Microsoft SQL Server, Microsoft Exchange Server, and services
like Dynamic Host Configuration Protocol (DHCP), file and print, and Dynamic Name System (DNS) use
centralized data sets and are therefore ideal for being configured as a failover cluster.
Note: The failover cluster feature is only available in the Windows Server 2008 R2 Enterprise operating
system and the Windows Server 2008 R2 Datacenter operating system.
Failover Clustering Benefits

Failover clustering provides several benefits for mission-critical server and application deployments,
including:
Reduced downtime in the event of server failure.
Reduced downtime in the event of operating system failure.
Reduced downtime during periods of planned server maintenance.
Applications or services that are added to a failover cluster must be cluster-aware in order to take
advantage of the full benefits provided by failover clustering. Cluster-aware refers to the applications
ability to register with the failover cluster in order to communicate with the cluster and take advantage of
the clusters features. Applications and services that are cluster-aware include the following:
Distributed File System (DFS) Namespace Server
DHCP Server
Exchange Server
File Server
Print Server
SQL Server
Windows Internet Name Service (WINS) Server
13-21
Note: Exchange Server 2007 and Exchange Server 2010 provide failover clustering solutions that do
not require a single data store. These versions of Exchange Server can use replication to maintain
multiple copies of the mailbox databases.
Applications that do not support cluster events are called cluster-unaware. Some cluster-unaware
applications can be configured as high availability resources and can be failed over. The following
provisions apply:
IP-based protocols are used for cluster communications. The application must use an IP-based
protocol for its network communications.
Nodes in the cluster access application data through shared storage devices. If the application isn't
able to store its data in a configurable location, the application data is not available on failover.
Client applications experience a temporary loss of network connectivity when failover occurs. If client
applications cannot retry and recover from this, they will cease to function normally.
13-22
Providing for Data Recovery
Key Points
Providing for data recovery involves implementing a plan that includes what to backup, how often to
back it up, what media the backed up data will be stored on, where that media will be stored, and who
can backup and restore the data.
What to Back Up
Deciding what to back up is one consideration when developing a backup plan. Business information loss
may significantly disrupt business productivity. In most situations, a full data backup is desirable. The key
question for the organization is what data is vital to the company? This data may consist of customer or
client database information, payroll records, and product information.
When to Back Up
A few questions need to be answered when considering back up. Ask yourself, When do I need to
backup?, How often should backups be made? and, How long will my backup take and what time of
day will the backup take place? When asking how often backups occur, the answer depends on your
business data and how frequently it changes. An organizations sales history may only need to be backed
up monthly, but the current sales database which is constantly being updated with sales information may
need to be backed up multiple times per day. The second and third questions, regarding how long the
backup will take and when the backup should be taken are dependent on each other. Often, data being
backed up cannot be in use by users and applications during the backup process. A full backup of all
servers in a datacenter may take 15-20 hours. If your business operates on a ten hour work day, that only
leaves 14 hours to do your backup. Typically, the longer, full backup is done during off hours, perhaps on
a weekend. Then, smaller backups of specific information or critical information are taken more often
throughout the week.
13-23
What Media to Use

After the decision is made about what data to backup, the next step is to determine where to store the
backup. Options for storage include external or internal hard drives, CDs, DVDs, universal serial bus (USB)
flash drives, in some third-party backup systems, and tape devices.
Where to Store the Backups

To provide greater security, an organization should store these backups in an off-site location. This is
helpful in a situation such as a fire where backup media stored onsite may be potentially destroyed.
Who Should Perform the Backup/Restore Operations

The final fundamental consideration is who should perform the backup, and perhaps more critically,
restore operations. After you have implemented a backup strategy, you could automate the backup
process; indeed, most backup solutions are automated. However, it might occasionally be necessary to
perform ad hoc backup operations. You should consider carefully which users can perform this task.
When you need to restore data, it is important that the right data is restored, and to the correct location.
For this reason, restore operations, aside from user-initiated single file operations, should only be
conducted by skilled administrative personnel.
You can use the Windows Server built-in groups to assign the necessary backup and restore privileges, or
you can create your own groups as needed.
Windows Server Backup

Windows Server Backup provides a means of administration, a Microsoft Management Console (MMC)
snap-in administrative tool and the WBAdmin command (wbadmin.exe). Both the snap-in and the
command-line tools allow you to perform manual or automated backups to an internal or external disk
volume, a remote share, or optical media. Backing up to tape is no longer supported by Windows Server
Backup.
Question: What would an appropriate backup plan look like for your organization or department?
13-24
Lesson 3
Applying Updates to Windows Server
Windows Server 2008 R2 provides a full featured framework that allows it to maintain itself in a current
and secure state through updates.
Objectives
Describe the need to keep Windows Server up-to-date.
Describe what needs to be kept up-to-date.
Explain how Windows Server obtains updates using Windows Server Update Services (WSUS).
Implement WSUS.
13-25
Why Update Windows?
Key Points
Globally, computing happens in an ever changing environment. New technology emerges daily, while
new ways to exploit technology seem to emerge hourly. As technology advances and security concerns
appear, your server infrastructure needs to be both prepared and protected in order to perform
efficiently.
The following questions can be asked of a static, non-updated server running Windows Server 2008 R2.
Does your server have a vulnerability to malicious code that takes advantage of potential weak spots
identified in your servers operating or application configuration?
When a new device is installed, how can you ensure that you have the most recent version of the
driver installed?
How can you be sure you are running the latest and most compatible versions of your applications?
You need to update your Windows Servers to ensure that you can avoid the pitfalls associated with the
points above, but manual configuration of a single server can be a time-consuming and tedious process,
let alone the configuration of hundreds of servers.
The key source of Windows updates is the Microsoft Update Web site. Here, a catalog of updates is stored
and available for download and installation to your computer.
Windows Server 2008 R2 contains a robust infrastructure for managing interaction with the Microsoft
Update process, but it is up to you to ensure that the tools available are tailored to your environment and
working in a way that ensures your infrastructure is secure and regularly updated.
13-26
What Must Be Updated?
Key Points
Updates can be applied to a variety of areas within the Windows Server infrastructure:
Core Operating System. The core files of your servers operating system must be kept up to date in
order to correct possible security vulnerabilities and maintain the most recent set of features and
functionality. New versions of executables, additional features, and updated .dll and data files are a
few of the aspects of the core operating system that may be implemented as part of an update.
Drivers. Hardware devices on your servers need to have the most recent drivers installed to ensure
that your system functions properly and that all of the components can work together as a cohesive
whole without conflicts or interruption. The way that Windows interacts with your server and the
attached hardware is governed primarily by the device drivers that Windows loads for the devices.
Old, corrupt or incompatible drivers can cause a device to function improperly and could cause
system instability or even failure.
Applications. Updates also need to be performed on applications as well. Service Packs, feature
updates, and security fixes all ensure that your applications are able to consistently provide their
associated services within your environment.
In addition to these three core areas, other aspects such as device firmware may also need to be
periodically updated.
13-27
Windows Server Update Services
Key Points
WSUS enables network administrators to simplify and gain greater control over the process of applying
updates to all computers in the network environment.
When WSUS is installed on a server, WSUS downloads all of the latest updates from the Microsoft Update
servers on the Internet, and then all other computers on the network are configured to download their
updates directly from the WSUS server.
In a typical WSUS implementation, instead of each computer downloading the same update files
independently, only the WSUS server downloads the files from the Microsoft Update servers. The WSUS
server downloads a copy of each available update and saves it in a local data store, making it available for
access by all of the computers on the network. Because the WSUS server has to download only one copy
of each update, the amount of bandwidth consumed by the update process is reduced drastically. WSUS
also provides administrators with the opportunity to research, evaluate, and test updates before deploying
them to the network clients.
A Windows Server Update Services server has several components and settings that are configurable to
suit the needs of your environment.
Synchronization. This setting controls when WSUS will synchronize with Internet-based Microsoft
Update servers to download new updates.
Products. This setting controls which products WSUS will download updates for. This includes
Windows server and client operating systems, as well as many Microsoft applications and server
products, such as Microsoft Office, SQL Server, Exchange Server, and many others.
Classifications. Microsoft updates come in several different classifications which identify the type and
urgency of the update. This setting allows you to select which classifications WSUS will synchronize.
Languages. By default, WSUS synchronizes only updates in the language that you specified when
installing Windows Server 2008 R2.
13-28
Approvals. This setting controls how updates are applied to clients and which classifications are set for
automatic approval and subsequent install. By default, WSUS automatically approves all security,
critical, and definition updates for servers. For clients, WSUS approves all security, critical, and
definition updates, plus service packs.
Storage. WSUS downloads only the approved updates and stores them, in Cab format, in the
C:\WSUS\WsusContent folder by default.
Server updates. By default, servers download the latest updates from the WSUS server and inform the
administrator that they are ready to install. An administrator must install them manually using the
Windows Update control panel applet.
Client updates. Clients connect to the WSUS server and download the latest updates for their
respective operating systems, and then install them automatically according to the set schedule. If
necessary, the Automatic Updates client restarts the computer when the update installations finish.
WSUS is managed with an MMC snap-in which allows you to configure settings, manage and view the
status of updates as well as add new client computers or groups to the WSUS server.
Using Group Policy to Configure Windows Update Settings

WSUS clients are configured via group policy object (GPO) settings.
GROUP POLICY SETTING
FUNCTION
Configure Automatic Updates
Enables the Automatic Updates client, specifies whether the client

should download and install updates with or without user
intervention, and specifies the installation interval and time of day.
Specify intranet Microsoft

update service location
Specifies the URL that Automatic Updates clients use to access the
WSUS server on the local network.
Automatic Updates detection

frequency
Specifies the interval at which Automatic Updates clients check the

server for new updates.
Allow non-administrators to
receive update notifications
Enables users without administrative privileges to receive notifications

of impending update downloads or installations from the Automatic
Updates client.
Allow Automatic Updates

immediate installation
Specifies whether the Automatic Updates client should install updates

that do not require a service interruption or system restart
immediately.
No auto-restart with logged on

users for scheduled automatic
updates installations
Specifies whether the Automatic Updates client can trigger a system

restart when a user is logged on to the system. When set to Disabled,
the computer can restart automatically while a user is logged on to
the computer.
Re-prompt for restart with

scheduled installations
Specifies the time interval the Automatic Updates client should wait
before restarting the computer after a user postponed a previous
restart request.
Delay Restart for scheduled

installations
before restarting the computer after an update installation.
Reschedule Automatic Updates

scheduled installations
after system startup before initiating an update installation that did
not occur because the computer was offline.
Demonstration: How to Configure WSUS to Provide Updates to Your

Organization
Key Points
In this demonstration, you will see how to configure WSUS.
1.
2.
Open Group Policy Management Console.

View Group Policy settings for WSUS.
13-29
13-30
Lesson 4
Troubleshooting Windows Server
When a system failure or an event that affects system performance occurs, you need to be able to repair
the problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the
modern network environment, the ability to determine the root cause quickly often depends on having a
logical and comprehensive troubleshooting methodology. You also must understand the tools available to
determine the root cause and make corrections to the environment if applicable.
Objectives
Develop a troubleshooting methodology.
Describe troubleshooting stages.
Select troubleshooting tools.
Troubleshoot component areas.
Use Windows tools to troubleshoot problems.
13-31
Developing a Troubleshooting Methodology
Key Points
Troubleshooting a problem, especially when dealing with technology, can be a multi-step process
involving a large number of potential root causes and several attempts to resolve the issue before the
actual root cause is determined. From gathering information to testing possible fixes to ensuring that fixes
work properly and can be maintained, a troubleshooting methodology can help your troubleshooting
process remain organized and efficient.
Key concepts and practices must be understood and observed throughout the troubleshooting process to
ensure that the issue is resolved in the most effective way possible.
Assessment of Impact
Understanding how an issue affects your network environment and the operations of your organization is
a very important part of the troubleshooting process. An issue that impacts critical services, such as pointof-sale operations in a busy retail store, may need to have a temporary partial fix or workaround
implemented until the root cause of the issue can be determined and corrected.
As the troubleshooting process proceeds, the temporary fix may need to be reassessed to ensure that it is
supporting the rest of the environment as effectively as possible. Finally, once the original issue has been
determined and corrected, a method for replacing the temporary fix with the permanent solution needs
to be determined and implemented in a way that has the least impact on your organizations operations.
Communication
Almost every issue you troubleshoot is going to affect at least one person in your organization. Those
affected need to know specifically how the issue will affect them going forward. In addition, they should
be informed regarding the progress of the troubleshooting process, time estimates for resolution and
process changes that may be required of them due to a temporary fix. When the issue has been corrected
and the environment returned to a completely functioning state, they also need to be notified that the
issue is resolved. All of these items fall under the category of communication.
13-32
Communication is one of the most critical components in the troubleshooting process and is often
overlooked. Communication may consist of face-to-face conversation, phone calls, e-mails or the
updating of a helpdesk ticket with troubleshooting progress.
If there are a number of people affected by an issue, your communication methods may need to be
adjusted to ensure that the information is reaching those affected as efficiently as possible. For example, if
an issue affects an entire department, you may establish one person from that department, often a
manager, to communicate directly with. Any information regarding the troubleshooting process is then
relayed by the manager to the others in the department. This ensures that you are able to focus on the
troubleshooting process, and assigns responsibility to the manager for making sure that his staff members
are aware of the status and progress of the troubleshooting process.
Documentation
Throughout the troubleshooting process, documentation must be maintained at all levels. Initial
symptoms, affected people and systems, potential causes, as well as both failed and successful attempts to
resolve the issue need to be recorded and appropriately documented to ensure that you make forward
progress in the troubleshooting process.
Failing to document the troubleshooting process could result in overlooked symptoms,
miscommunication or communication breakdown, failed solutions being attempted multiple times, or
even the return to seemingly normal operation without knowing the specifics of the resolution or if a
permanent fix was completed. Once an issue has been resolved, your proper documentation of the
resolution and the steps taken to achieve that resolution can help you to expedite the troubleshooting
process of similar issues.
13-33
Stages in a Typical Troubleshooting Methodology
Key Points
In any troubleshooting methodology, especially one where multiple people may be involved in the
troubleshooting process, it is important to have an established troubleshooting process. Using this
process, the issue raised is taken through a number of stages, each bringing the issue closer to the final
resolution.
1.
2.
3.
4.
Define the issue. The first step in the troubleshooting process is to correctly define the issue. This
means ensuring that you have obtained specific information regarding the symptoms observed by
those experiencing the issue. This could consist of physical descriptions from end users (my screen
went blank when I clicked the start button) or the observation of the issue yourself. Ensuring that you
understand the scope and the facts of the issue is very important. Incorrect or incomplete information
can lead to incorrect assumptions about troubleshooting information and could potentially result in
the elimination of all assumed root causes without an actual resolution.
Gather initial information. The next step in the process is to gather appropriate information about the
issue. Typically, this gathering consists of actions like extended observation of the symptoms, running
diagnostic tests on affected hardware and software or obtaining technical information from vendors
or suppliers of affected items.
Determine probable causes for the issue. Once the appropriate information has been gathered, a list
of probable causes needs to be recorded and typically ranked, ensuring that the most probable
causes are investigated first. As the troubleshooting process proceeds the causes are tested one by
one, it may lead to the removal of causes other than the cause being tested. It also may lead to new
causes being added to the list as a result of more information gathered during testing.
Develop an action plan. Next, you should determine an action plan to test for the most probable
cause or causes. This plan may involve one or more steps, and should be documented to ensure that
it is carried out properly and that it can be repeated if necessary later in the troubleshooting process.
Also, your development plan should allow for rollback after implementation in case the action plan
does not resolve the issue.
13-34
5.
6.
7.
8.
Implement the action plan. Once a plan has been established, the plan should be implemented and
the process documented.
Test the results of the action plan. After the implementation of the plan has been completed, you
should test the environment to determine if the issue has been corrected. You should also check to
ensure that related systems and users are not negatively impacted by the results of the action plan.
Document the results of the action plan and repeat the action plan steps if necessary. The results of
your action plan should then be documented. If the result of the action plan corrected the matter in a
satisfactory manner, you should carry on to the last step of closing the issue and finalizing the
documentation. If your action plan was unsuccessful, you should rollback the action plan steps. Then
move on to the next probable cause on the list and begin the action plan steps for that cause,
repeating the process until the cause is determined and resolution is achieved.
Record issue as resolved and finalize documentation. Once you have determined the issue as
resolved, any temporary fixes or workarounds should be removed and affected users should be
informed of the resolution. In addition, the documentation of the resolution and steps taken in the
troubleshooting process should be finalized and recorded in a manner that allows for later reference
or cataloging. This may be through a helpdesk ticketing application, a Microsoft Office Word or
Microsoft Office Excel document, or simply a written record in a notebook.
Summary
When these steps are observed and carried out properly, your troubleshooting process will follow a logical
and thorough methodology that will assist you in resolving an issue quickly and efficiently as well as
equipping you with the ability to quickly resolve the issue should it occur again in your environment.
13-35
Windows Server Troubleshooting Tools
Key Points
When you are troubleshooting issues in Windows Server 2008 R2, detailed and correct information is your
most valuable asset in determining and resolving the issue. The more information you have available to
you regarding the issue, the more likely you are to be able to determine both the most probable cause
and the most effective solution. Windows Server 2008 R2 contains several built-in tools that allow you to
gather information about the server environment and identify potential issues.
Event Viewer
Windows Event Viewer provides access to the Windows 2008 event logs. Event logs provide information
regarding system events that occur within Windows. These events include information, warning and error
messages about Windows components and installed applications.
Event Viewer provides categorized lists of essential Windows log events (application, security, setup and
system) as well as log groupings for individual installed applications and specific Windows component
categories. Individual events provide detailed information regarding the type of event that occurred,
when the event occurred, the source of the event as well as detailed technical information to assist in
troubleshooting the event.
Additionally, Event Viewer allows you to consolidate logs from multiple computers onto a centralized
computer using subscriptions. Finally, you can configure Event Viewer to perform an action based on a
specific event or events occurring. This may include sending an e-mail message, launching an application
or running a script or other maintenance action that could notify you or attempt to resolve a potential
issue.
Note: Event Viewer can be accessed by clicking the Start button, clicking Administrative Tools and
then clicking Event Viewer.
13-36
Task Manager
Windows Task Manager is the simplest and quickest way to monitor real-time resource usage and
performance information in Windows Server 2008 R2. The Task Manager provides information about
currently running applications, processes and services as well as a high-level performance view of three
system resources: CPU, memory, and network. Within Task Manager, you can also see a list of currently
logged-on users.
Note: To open the Task Manager, do one of the following:
1. Press CTRL+SHIFT+ESC.
2. Press CTRL+ALT+DEL, and then click Task Manager.
3. Right-click the taskbar, and then click Task Manager.
4. Click the Start button, and then in the Start Search box, type taskmgr.exe.
Resource Monitor
Resource Monitor provides features similar to Task Manager, but greatly enhanced. It provides a
comprehensive view of the performance of each of the key system components (CPU, disk, network, and
memory) in both a graphical and a detailed report form. Resource Monitor provides detailed information
that allows you to troubleshoot resource or performance-based issues at a very specific level.
Note: To launch Resource Monitor, do one of the following.
1. Open Task Manager, click the Performance tab, and then click Resource Monitor.
2. Click Start, and then in the Start Search box, type perfmon /res, and then press ENTER.
Performance Monitor
Windows Performance monitor is an MMC snap-in that allows you to measure and compare the
performance of a large number of system components. This information can be displayed graphically in
real time or collected and reported on for a given time period. Windows accumulates the data for these
components using objects called counters. A counter can track the information regarding a single
component or aspect of the system within Performance Monitor.
In addition to the default counters, applications installed on a Windows Server such as Microsoft SQL
Server or Microsoft Exchange Server may add their own counters to Performance Monitor, allowing you to
monitor various aspects of those application installations.
Performance Monitor is capable of monitoring a specific set of counters over a period of time for
monitoring purposes as well as the ability to view detailed reports of system performance and
configuration.
Note: To launch Performance Monitor, do the following:
Click Start , click Administrative Tools, and then click Performance Monitor.
Reliability Monitor
Reliability Monitor provides an overview of system stability and the events and changes that impact the
overall stability of a system. It tracks software installation and uninstallation, Windows failures, application
failures, and hardware failures.
13-37
Reliability Monitor calculates a System Stability Index that reflects in graph form whether unexpected
problems reduced the system's reliability. The accompanying System Stability Report provides details to
help identify the specific changes that reduced reliability.
Note: To launch Reliability Monitor, do the following:
Click Start, in the Start Search box, type perfmon /rel, and then press ENTER.
External Sources
In addition to the troubleshooting tools included with Windows, external sources such as product
manuals, vendor Web sites or community forums or discussion groups can be used to provide additional
resources for the troubleshooting process.
13-38
Troubleshooting Component Areas
Key Points
Early in the troubleshooting process, you will attempt to determine the cause of the problem. Typically,
the problem will be with some component of the computer and its associated hardware, software and
environment in general. These elements can be classified into a number of system component categories.
By attempting to determine which system component is causing a problem, you are using the subtractive
approach to troubleshooting. For example, if the computer will not start, you might determine that the
cause could be hardware related, such as a hard disk failure, or operating system related, such as a
missing startup file. However, it is important to consider that a combination of components in different
categories can cause some issues. The following sections look more closely at the main system
components.
Operating System
Faults or corruptions in the system registry or with system services can result in operating systemrelated
problems. The operating system controls user and application access to the computer hardware. The
operating system is composed of device drivers, services, security components, applications, network
components, and the configuration that links these components together. However, for troubleshooting
purposes, you should consider the operating system as just the base elementsstartup files, startup
configuration components, and operating system servicesand not the security, application, or network
elements.
Operating system faults often manifest during the computer startup process. For example, if a user
accidentally deletes a critical startup file, the operating system will be unable to start. If you install a new
operating system service pack, or update, it might introduce unexpected problems. For this reason, it is
important to test all service packs and updates before you deploy them.
Hardware
For the purposes of troubleshooting, hardware-related problems include problems with the physical
computer, attached peripherals and devices, as well as device drivers related to these components.
13-39
Computers are very reliable, but certain components are more prone to failure. Components with moving
parts, such as disk drives and power supplies, tend to wear out. These problems are readily identifiable
and easily fixed.
Other hardware-related issues can occur due to incompatible devices or device conflicts. To communicate
with the rest of the computer, the operating system allocates each device a unique configuration.
Occasionally, the operating system is unable to allocate to all devices the necessary unique configuration;
this may result in device failure or even cause the computer to fail to start at all.
Network Components
You can define any network configuration as a network component. For example, the TCP/IP
configuration is a network component, so problems related to a computers IP address, subnet mask, and
default gateway are all network componentrelated. Many network component problems with server
computers can manifest at client computers, in the form of applications or operating system components
operating in an unexpected way due to lack of network connectivity. Consequently, it can be difficult to
determine precisely where a network component problem lies.
Security
When a user is unable to access a resource that the user should have access to, or conversely, when a user
can access a resource they should be restricted from, there is typically a security-related issue.
Some security-related problems can manifest as network component problems. For example, problems
with the firewall configuration might result in users being unable to access resources to which they should
have access. Data encryption and authentication issues can also result in security problems.
Problems can also occur because of users having elevated administrative rights, or excessive permissions
on important files or folders. For example, a user with Full Control of the Windows system folder may
accidentally delete sensitive system files, resulting in an unstable or unusable operating system.
Applications
Application-related problems are those specifically related to the application programs installed and used
by the users. Many of these problems result from misuse of the application by the user or from the user
attempting to do something with the application that the application does not support. Adequate user
training should minimize these sorts of problems.
If a user reports a problem with an application and misuse has not caused the problem, the problems
cause might be a software error or bug. You can consult the applications documentation to determine
whether this is a known problem and whether service packs or hot fixes exist that will eliminate the
problem.
Users that report performance problems with applications might have hardware-related problems rather
than an application problem. The computer may require more memory, or the computers disk may be
fragmented. You can determine whether a problem is hardware performance related because hardware
performance problems typically affect more than one application.
Application incompatibility issues can also cause significant problems. A specific combination of
applications running at the same time may cause operating system failures and data loss. You can avoid
application incompatibility issues by deploying only applications that you have tested in combination
together, and by restricting end users from installing additional applications.
13-40
Demonstration: How to Use Windows Tools to Help Troubleshoot

Windows Server Problems
Key Points
In this demonstration, you will see how to use various Windows troubleshooting tools.
1.
2.
3.
Open and view Event Viewer.

Open and view Task Manager.
Open and view Resource Monitor.
13-41
Key Points
After completing this lab, you will be able to:
Troubleshoot the Windows startup process.
Install and configure WSUS.
Gather information to start the troubleshooting process.
Lab Setup
1.
2.
3.
4.
5.
6.
Password: Pa$$w0rd
Domain: Contoso

Start 6420B-NYC-SVR4.
Lab Scenario
A number of troubleshooting tickets have been submitted to you to correct three separate issues that
exist in the Contoso, Ltd company network environment.
13-42
Exercise 1: Troubleshooting the Startup Process

Scenario
A helpdesk Incident Record has been forwarded to you for resolution by the Contoso, Ltd helpdesk
support team. Users in the New York office have reported being unable to access network resources on a
specific server. You have been asked to review the Incident Record, resolve the issue and complete the
Incident Record.The main tasks for this exercise are as follows:
1.
2.
3.

Complete the assessment information on the Incident Record.
Resolve the issue and complete the Incident Record.
Called logged by
Date of call
Time of call
User
Status
John Peoples
15th May
11:45
Daniel Roth
OPEN
Incident Details:
Call logged by IT helpdesk. Branch users cannot access shared files on NYC-SVR4.
1. File shares not accessible over the network.
2. Cannot connect to NYC-SVR4 with Remote Desktop Connection.
3. Cannot ping NYC-SVR4 IP address.
4. All other network resources in the branch location are functioning properly.
Preliminary Questions:
1. Where is the best place to troubleshoot this problem from?
2. What considerations should be made regarding NYC-SVR4 and the people and services that require
the services provided by NYC-SVR4?
Assessment Questions:
1. What is the error message displayed on NYC-SVR4?
2. What could the possible causes of this error message be?
3. What tool should you use to attempt to correct the problem causing the error message?
4. How can you access these tools?
Resolution Questions:
Task 1: Read supporting documentation

1.
2.
Read the attached Incident Record to determine possible troubleshooting methods.

Answer the Preliminary Questions in the Incident Record.
Task 2: Investigate the issue on 6420B-NYC-SVR4

1.
2.
13-43
Observe the error message displayed on NYC-SVR4 and answer the Assessment Questions in the
Incident Record.
Task 3: Resolve the issue on NYC-SVR4 and complete the Incident Record
1.
Attach the Windows Server 2008 R2 Installation DVD to NYC-SVR4 using these steps.
a.
b.
c.
d.
e.
In the Settings for 6420B-NYC-SVR4 dialog box, click DVD Drive in the Hardware Pane.
In the DVD Drive Pane, select Image file and then click Browse.
WServer2008R2_Eval.iso and then click Open.
2.
3.

On the 6420B-NYC-SVR4 on localhost Virtual Machine Connection window toolbar, click Action
and then click Reset.
4. In the Reset Machine dialog box, click Reset.
5. When Press Any Key to boot from DVD or CD is displayed, press ENTER.
6. At the Install Windows dialog box, click Next and then click Repair your computer.
7. In the System Recovery Options dialog box, select Use recovery tools that can help fix problems
starting Windows and then click Next. Click Command Prompt.
8. Use bcdedit to view the current BCD store.
9. Use bootrec to scan for the operating system and to rebuild the BCD store with the newly found
operating system entry. When prompted, add the rebuilt installation to the boot list.
10. Restart the computer to ensure proper operation.
11. Complete the Resolution Questions in the Incident Record.
12. Revert the NYC-SVR4 virtual machine.
Results: After this exercise, you should have used Windows tools to troubleshoot the startup process.
13-44
Exercise 2: Installing and Configuring WSUS

Scenario
You have been forwarded a request to install and configure a WSUS server in Contoso, Ltds New York
location and test the configuration by configuring a client machine to use the WSUS Server to receive
automatic updates.
1.
2.
3.
4.
5.
6.
7.
8.

Install prerequisites for WSUS on NYC-SVR2.
Configure NYC-SVR2 as a WSUS Server.
Use Group Policy to enable NYC-CL1 to obtain updates from the new WSUS server.
Create a computer group, and add NYC-CL1 to the new group.
Approve an update for Windows 7 clients.
Install an update on the Windows 7 client.
View WSUS reports.
Contoso Add Request
Request Reference Number: 10527
Requested By
Date of Request
Assigned to
Status
Nancy Anderson
17th May
You
OPEN
Request Details:
Configure WSUS for local distribution of updates for the New York office:
1. Install prerequisite components on NYC-SVR2.
2. Install WSUS on NYC-SVR2.
3. Configure WSUS as detailed:
Restore the WSUS backup from E:\Labfiles\WSUS\Backup.
4. Configure test client NYC-CL1 to receive updates from the newly configured WSUS server.
5. Test the configuration by installing updates on NYC-CL1.
Read the attached request form.
Task 2: Install prerequisite components on NYC-SVR2

1.
Install Internet Information Server by doing the following:

a.
b.
Switch to NYC-SVR2.
Run Server Manager and add the Web Server (IIS) role with the following components
enabled:
ASP.NET
Windows Authentication
Dynamic Content Compression
13-45
IIS 6.0 Metabase Compatibility
Note: When prompted, click Add Required Role Services.
Note: There are a number of roles selected by default, no not de-select any of these roles.
2.
3.
Close the Add Roles Wizard after installation is finished and then close Server Manager.
Install Microsoft Report Viewer by doing the following.
a.
b.
Open Windows Explorer and browse to E:\Labfiles\WSUS\.

Run the Reportviewer.exe file, and install Report Viewer by using the installation wizard.
Task 3: Configure NYC-SRV2 as a WSUS server

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
Browse to E:\Labfiles\WSUS.
Run the file WSUS30-KB972455-x64.exe to start the Windows Server Update Services 3.0 SP2 Setup
Wizard.
Install WSUS.
Use the location C:\WSUS for updates, Windows Internal Database as a WSUS database, and the
existing IIS Default Web site.
At the end of installation, the Windows Server Update Services Configuration Wizard appears. Do not
run this wizard, click Cancel to close it. You will restore configuration data using a backup in the next
steps.
Click Start, type CMD.exe and then press ENTER.

Type Net Stop MSSQL$Microsoft##SSEE, and then press ENTER.
In Windows Explorer, browse to E:\LabFiles\WSUS\Backup.
Click Organize, and then click Select All.
Click Organize, and then click Copy.
In the Address bar, click Computer.
Browse to C:\WSUS\.
Click Organize, and then click Paste.
In the Confirm Folder Replace dialog box, select the check box next to Do this for all current
items, and then click Yes.
In the Copy File dialog box, select the check box next to Do this for the next 1 conflicts, and
then click Copy and Replace.
When the file copy is complete, at the command prompt, type Net Start
MSSQL$Microsoft##SSEE, and then press ENTER.
Click Start, point to Administrative Tools, and then click Internet Information Services (IIS)
Manager.
In the tree view, expand NYC-SVR2, and then click Application Pools.
Right-click WsusPool, and then click Recycle.
Close Internet Information Services (IIS) Manager.
At the command prompt, type: cd "C:\Program Files\Update Services
\Tools", and then press ENTER.
Type wsusutil reset, and then press ENTER.
13-46
23. Close the command prompt.
Task 4: Use Group Policy to enable NYC-CL1 to obtain updates from the new WSUS
server
1.
2.
3.
4.
5.
6.
On NYC-DC1, open Group Policy Management.

Create a new GPO linked to the Contoso.com domain named WSUS.
Open the Group Policy Management Editor to edit the WSUS GPO.
In the Group Policy Management Editor window, under Computer Configuration, expand
Policies, expand Administrative Templates, expand Windows Components, and then click
Windows Update.
Enable Configure Automatic Updates.
Enable Specify intranet Microsoft update service location.
7.
8.
9.
Set the intranet update service for detecting updates and the intranet statistics server to
http://NYC-SVR2.
Enable Automatic Updates detection frequency.

Start 6420B-NYC-CL1 and log on as Contoso\Administrator with the password of Pa$$w0rd.
On NYC-CL1, open a command prompt and type, wuauclt /a /r and then press ENTER.
Task 5: Create a computer group, and add NYC-CL1 to the new group
1.
2.
3.
4.
On NYC-SVR2, open the Windows Server Update Services console.

Expand NYC-SVR2, expand Computers, and then select All Computers. In the details pane, change
the Status to Any. Click Refresh.
In the Actions pane, click Add Computer Group, and name the group TestComputers.
Change membership of the NYC-CL1.contoso.com computer object so that it is a part of the
TestComputers group.
Task 6: Approve an update for Windows 7 operating system clients

1.
2.
3.
In the Update Services window, in the console pane, expand Updates, and then click Security
Updates.
In the details pane, change the Approval filter to Any Except Declined, change the Status filter to
Any, and then click Refresh. Notice all of the updates available.
In the Security Updates pane, right-click Security Update for Windows 7 (KB981332), and then
click Approve.
Note: Do not select the x64 versions of the updates specified.

4.
5.
6.
7.
Approve the update for all computers.

In the console pane, click Critical Updates.
In the Critical Updates details pane, right-click Update for Windows 7 (KB976662), and then click
Approve.
Set a deadline for yesterday's date.
Note: Entering yesterdays date will cause the update to be installed as soon as the client computers
contact the server.
Task 7: Install an update on the Windows 7 operating system client

1.
2.
3.
On NYC-CL1, at the command prompt, run GPUpdate /force.

Once the policy has finished updating, run wuauclt /detectnow.
Open Windows Update to review recently installed updates.
Note: It may take several minutes for the Windows Update icon to appear.
Task 8: View WSUS reports
On NYC-SVR2, run a Computer Detailed Status report to view updates for NYC-CL1.
Results: At the end of this exercise, you will have configured WSUS to manage updates.
13-47
13-48
Exercise 3: Gathering Information to Start the Troubleshooting Process

Scenario
You have been asked to examine possible performance issues with NYC-SVR2.
You know that the server NYC-SVR2 experiences low network traffic and has limited disk activity, but the
help desk is receiving many reports that the server is slow.
Later that week, the help desk receives reports that the server is running slow again. You know that the
server NYC-SVR2 is not running processor-intensive applications.
1.
2.
Examine the Performance Monitor logs for the first issue and answer the resolution questions for Part
A.
Examine the Performance Monitor logs for the first issue and answer the resolution questions for Part
B.
Contoso Incident Record PART A (Complete for Task 1)
Called logged by
Date of call
Time of call
User
Status
John Peoples
19th May
12:10
Daniel Roth
OPEN
Incident Details:
Call logged by IT helpdesk. Users report NYC-SVR2 is running slow. Performance Monitor logs are stored
in E:\Labfiles\Captures\6420B-NYC-SVR2-LAB13-EX3-PARTA.blg.
1. What do the Performance Logs for NYC-SVR2 indicate could be the source of the problem?
2. Keeping in mind your answer from question 1, what steps (using a troubleshooting methodology)
would you take to continue the troubleshooting process?
Contoso Incident Record PART B (Complete for Task 2)
Called logged by
Date of call
Time of call
User
Status
John Peoples
20th May
13:15
Daniel Roth
OPEN
Incident Details:
Call logged by IT helpdesk. Users report NYC-SVR2 is running slow, Performance Monitor logs are stored
in E:\Labfiles\Captures\6420B-NYC-SVR2-LAB13-EX3-PARTB.blg.
13-49

Task 1: Examine the Performance Monitor logs for the first issue and answer the
resolution questions for Part A
1.
2.
3.
4.
5.

Use Performance Monitor on NYC-SVR2 to review the data collector logs at
E:\Labfiles\Captures\6420B-NYC-SVR2-LAB13-EX3-PARTA.blg on the server.
Examine the following counters:
Processor - % Processor Time (Instance 0)
System - Processor Queue Length
Process _ % Processor Time (All Instances)
Complete the resolution questions in Part A of the Incident Record.

Close Performance Monitor.
resolution questions for Part B
1.
2.
3.
4.
5.

Use Performance Monitor on NYC-SVR2 to review the data collector logs at
E:\Labfiles\Captures\6420B-NYC-SVR2-LAB13-EX3-PARTB.blg on the server.
Examine the following counters:
PhysicalDisk - Avg. Disk Queue Length (Instance 0 C:)
PhysicalDisk - Current Disk Queue Length (Instance 0 C:)
PhysicalDisk - Disk Transfers/sec (Instance 0 C:)
Process - IO Data Bytes/sec (All Instances)
Complete the resolution questions in Part B of the Incident Record.

Results: After this exercise, you should have gathered information to start the troubleshooting
process.

When you finish the lab, shut down the virtual machines and revert them back to their initial state. To do
this, complete the following steps:
1.
2.
3.
4.

13-50
Review Questions
1.
2.
3.
What is the key functionality of a boot loader?

How does fault tolerant hardware provide for high availability, provided the hardware is supported by
Windows Server 2008 R2?
What benefits does Performance Monitor offer over Resource Monitor?
Tools
Tool
Use for
Where to find it
BCDEdit
Editing Windows Boot
From the command line, type bcedit.
Configuration Data Store

WSUS
Managing Microsoft Updates in http://www.microsoft.com

the enterprise
WinRE
/downloads/details.aspx?
FamilyId=a206ae20-2695-436c-9578403a7d46e40&displaylang=en
Used to repair various aspects of Choose Repair Computer from the F8

a Windows Server.
Last Known Good

Configuration
Loads system registry settings
Safe Mode
Loads Windows Server with a
saved from the last successful

system startup.
minimal set of drivers and
services for troubleshooting
purposes.
Windows Advance Options boot menu, or

choose Repair Computer when booting from
Windows 2008 installation media.
Choose Last Known Good Configuration
from the F8 Windows Advance Options boot
menu.
Choose one of the Safe Mode options from
the F8 Windows Advanced Options boot
menu.
13-51
Tool
Use for
Where to find it
Windows Server
Backup
Backup Windows Server
Click Start, type Windows Server Backup

into the Start Search field and press ENTER.
Windows Update
Updates operating system,
computers.
device driver and Microsoft
application components.
WSUS
Allows for centralized

management of the Windows
Update process.
Click Start, type Windows Update into the

Start Search field and press ENTER.
http://technet.microsoft.com
/en-us/wsus/default.aspx.
Event Viewer
View Windows logs.
Task Manager
View basic real-time information Press CTRL+SHIFT+ESC.
Click Start, click Administrative Tools and

then click Event Viewer.
regarding the Windows

environment.
Resource Monitor
View detailed real-time

information regarding the
Windows environment.
Performance
Monitor
View and collect real time and
Reliability Monitor
View an overview of system
historical performance and

configuration information
regarding the Windows
environment.
events and relative system
stability.
From Task Manager, click the Performance

tab and then click the Resource Monitor
button.
Click the Start button, click Administrative
Tools and then click Performance Monitor.
Click the Start button, and then in the Start

Search box, type perfmon /rel, and then
press ENTER.
13-52
Implementing Virtualization
Module 14
Contents:
Lesson 1: Overview of Virtualization Technologies
14-3
Lesson 2: Implementing the Hyper-V Role
14-14
14-29
14-1
14-2
Module Overview
Almost all organizations are looking for ways to decrease the cost and complexity of providing an
Information Technology (IT) infrastructure.
Virtualization has become a key component in developing an efficient and cost effective IT strategy. This
module introduces virtualization, and it describes how virtualization relates to server, desktop, and
application environments. This module also describes how to implement server virtualization by deploying
and configuring the Hyper-V server role.
Objectives
Describe the various virtualization technologies.
Implement server virtualization with Hyper-V.
14-3
Lesson 1
Overview of Virtualization Technologies
Microsoft provides a complete set of products that provide virtualization solutions in many scenarios. You
can use these virtualization products in many different ways to make the IT infrastructure more efficient
and effective. This lesson provides an overview of the Microsoft virtualization solutions, and details how
you can use them to address many of todays IT infrastructure issues.
Objectives
Describe virtualization technologies.
Describe server virtualization.
Describe desktop virtualization.
Describe presentation virtualization.
Describe application virtualization.
14-4
Microsoft Virtualization Technologies
Key Points
Virtualization separates the application and operating system components that users work with from the
actual physical components that provide the application or operating system services. For example, virtual
machines provide all of the functionality of physical servers, but the operating system is not tied to any
particular piece of hardware, and can be made available where it is most convenient. Applications
traditionally have run on an operating system that is running on a particular piece of hardware. With
application and presentation virtualization, those applications may be running on a centralized server or
in a virtual environment that is completely portable to other operating systems or hardware devices.
Virtualization Solutions
Microsoft provides virtualization solutions that address most of the virtualization requirements for most
organizations.
Server virtualization. Windows Server 2008 Hyper-V and Microsoft Virtual Server 2005 R2 enable
server virtualization, so that you can run multiple virtual machines on a single physical server. This
allows greater density of resource use (hardware, utilities, space) while allowing you to maintain
operational isolation and security.
Desktop virtualization. Desktop virtualization is provided by running Microsoft Virtual PC on the

Windows Vista operating system, or Windows Virtual PC and Windows XP Mode on the Windows
7 operating system. Desktop virtualization enables you to run multiple operating systems on a single
workstation, and to run an incompatible legacy or line-of-business (LOB) application within a morecurrent desktop operating system. Microsoft provides a way to manage a complex desktop
virtualization environment through Microsoft Enterprise Desktop Virtualization (MED-V). With MEDV, you can create and manage a centralized collection of Virtual PC images, and then deliver those
images to client computers as required.
Presentation virtualization. Remote Desktop Services (RDS) in Windows Server 2008 R2 provides
presentation virtualization. RDS replaces Terminal Services, which was available in previous Windows
versions. Presentation virtualization enables you to run applications and maintain application storage
14-5
on centralized servers, while providing users with a familiar application interface on their
workstations. RDS provides the tools required to create a seamless environment for users so they can
run applications locally or on a remote server with very minimal differences. Microsoft extends the
concepts of presentation and desktop virtualization with Virtual Desktop Infrastructure (VDI). With
VDI, you can host client virtual machines on a Hyper-V infrastructure and provide access to the virtual
machine through RDS.
Application virtualization. Application virtualization enables you to run applications in a virtualized

environment on a users desktop. With application virtualization, the application is isolated from the
underlying operating system because the application is encapsulated in a virtual environment. When
you deploy a complete application virtualization solution, you can use centralized servers to distribute
the virtual applications. Microsoft Application Virtualization (App-V) is an example of an application
virtualization platform.
User state virtualization. User state virtualization enables users to take advantage of separating their
documents and profile information from a specific computer, which makes it easy to get working
again on a new machine in case of a stolen or dropped laptop. Profile virtualization also makes it easy
for users to move between computers, or to experience the same desktop environment when using
one of the other virtualization technologies.
Virtualization management. One of the critical components in deploying virtualization is to be able to

manage the solution, including both the physical and virtual components. The System Center suite of
tools provides virtualization management. Tools like System Center Configuration Manager, System
Center Operations Manager 2007, and System Center Virtual Machine Manager (VMM) provide a
familiar set of tools for managing both the virtual environment and the physical layer that hosts the
virtual environment.
14-6
Server Virtualization
Key Points
Server virtualization enables you to configure one or more virtual machines that emulate a physical
computer. Multiple virtual machines can run on one physical server, with all the virtual machines sharing
the resources available on the physical server.
Microsoft provides three products for server virtualization:
Microsoft Virtual Server 2005 R2
Windows Server 2008 Hyper-V
Windows Server 2008 R2 Hyper-V

Note: Windows Server 2008 R2 Hyper-V uses the same underlying technology to enable server
virtualization as Windows Server 2008, but it also provides some significant new features.
Benefits of Server Virtualization

Server virtualization provides many benefits, including:
Server consolidation. Many servers that organizations deploy are underutilized. By deploying multiple
virtual machines on a much lower number of physical servers, you can increase the server resource
utilization significantly while decreasing the number of physical servers. You can deploy many virtual
machines on one physical server. In most organizations, this will result in a significant decrease in
power and space consumption in the data centers.
Service or application isolation. Server virtualization enables you to run each service or application on
an isolated operating system. This means that you can prevent one application from impacting
another application when upgrades or changes are made. This is preferable to running multiple
applications or services on a single operating system.
14-7
Simplified server deployment. By creating standard virtual machine builds, you can deploy new server
builds more easily. Because you are deploying virtual machines rather than physical servers, you do
not need to acquire new hardware or locate data center space and power, for each new server.
Note: You may need to invest in new server and storage hardware when first implementing server
virtualization, but an important result of server virtualization is the decrease in the number of physical
servers that your organization will need.
Increased service and application availability. Because the service or application no longer connects
directly to a specific piece of hardware, it is much easier to ensure high availability and recoverability.
With live migration in Windows Server 2008 R2, you can move a virtual machine to another physical
server with little or no perceived outage.
Multiple operating systems can run on one consistent platform. With server virtualization, you can
deploy multiple operating system technologies on a single hardware platform. For example, you can
deploy the Windows Server 2003 operating system, the Windows Server 2008 operating system, and
Linux on one Windows Server 2008 R2 Hyper-V host. Server virtualization also makes it much easier
to replace hardware when it becomes obsolete or fails.
14-8
Desktop Virtualization
Key Points
Desktop virtualization provides new options for deploying client desktops by enabling several ways to
virtualize the desktop. Traditionally, users have worked on a specific piece of hardware that is running a
single operating system and all applications.
Client-Hosted Desktop Virtualization

Client-hosted desktop virtualization uses Microsoft Virtual PC on Windows Vista and Windows Virtual PC
on Windows 7 to enable users to run multiple virtual machines on their Windows desktop. Client-hosted
desktop virtualization creates a separate environment on the desktop, allowing incompatible legacy or
LOB applications to operate within their native environment on top of a more-current desktop operating
system.
In Windows 7, Microsoft provides a preconfigured Windows XP operating system virtual machine that can
be run as a Windows Virtual PC virtual machine. Windows XP mode enables you to run applications
seamlessly from a Windows 7 computer or from the Windows XP virtual machine.
VDI
VDI extends the concept of desktop virtualization by running client operating systems as virtual machines
on servers in the data center. This means that the virtual client computers are not running on the user
desktop, but on a centralized Hyper-V environment in the data center. Users can interact with the virtual
machines by using regular computers or thin clients, and then establishing remote desktop connections to
the virtual machines. In Windows Server 2008, VDI has been integrated with RDS to provide a consistent
client experience.
VDI enables you to centralize a users desktop for easier management. With VDI, the user can get an
individualized desktop experience with full administrative control over desktop and applications.
14-9
MED-V
The Microsoft Desktop Optimization Pack includes MED-V, which enhances the management of the
virtual machines that deploy to user desktops. MED-V adds four additional components on top of Virtual
PC to enable enterprise deployment of desktop virtualization.
Virtual image repository and delivery. Simplifies the process of creating, testing, delivering, and
updating virtual images.
Centralized management and monitoring. Manages the life cycle of a virtual machine.
Usage policy and data transfer control. An endpoint agent enforces usage policies for the virtual
machine
Seamless end-user experience.
Question: When would you use each of the desktop virtualization options?
14-10
Presentation Virtualization
Key Points
Presentation virtualization runs applications on a central server, with only the application interface, mouse
movements, and keystrokes sent across the network between the central server and the client computer.
Presentation virtualization creates virtual sessions in which the executing applications project their user
interfaces remotely.
Presentation virtualization was available for several Windows Server versions as Terminal Services. In
Windows Server 2008 R2, the presentation virtualization feature is renamed to RDS.
Windows Server 2008 R2 RDS Features

Windows Server 2008 R2 provides several important features that optimize the deployment of
presentation virtualization:
Remote Desktop RemoteApp. RemoteApp allows single applications to be accessible through Remote
Desktop connections. With RemoteApp, an applications user interface appears on the desktop as if
that application were running locally. In fact, an application accessed via RemoteApp appears in the
task bar like a local application, and you also can launch it like one: from the Start menu, through a
shortcut, or by opening a file with the application extension.
Remote Desktop Web Access. Enables you to launch single applications and complete desktops from
a Web browser.
Remote Desktop Gateway. Encapsulates Remote Desktop Protocol (RDP) traffic in Hypertext Transfer
Protocol Secure (HTTPS). This gives users outside an organizations firewall more secure access to
internal applications without using a virtual private network (VPN).
Remote Desktop Connection Broker. Provides load balancing functionality for Terminal Services
connections and enables a user to reconnect to an existing session in a load-balanced terminal server
farm.
14-11
RemoteApp and Desktop Connection. This Control Panel client application allows users running
Windows 7 to easily connect to RemoteApp programs and Remote Desktops.
Benefits of Presentation Virtualization

Running applications on a shared server like this offers several benefits, including:
You can centralize your data. This means that you can store it safely on a central server rather than on
multiple desktop machines, which improves security because information is not spread across many
different systems.
You can reduce the cost of managing applications significantly. Instead of updating each application
on each individual desktop, for example, you must change only the single shared copy on the server.
Presentation virtualization also allows using simpler desktop operating system images or specialized
desktop devices, commonly called thin clients, both of which can lower management costs.
You can combine application virtualization with presentation virtualization to reduce the issues with
incompatibilities between applications. You can install App-V applications on Remote Desktop
Session Host servers and run multiple instances of potentially incompatible applications on the
centralized server.
In some cases, presentation virtualization can improve performance. For example, if a client or server
application needs to access large amounts of data from a central database, it may be quicker to run
the application on a Remote Desktop Session Host that is located close to the data, rather than pull
the data across a slow network connection to the client.
14-12
Application Virtualization
Key Points
You can use application virtualization to create virtual applications that you then can distribute to user
desktops. Each virtual application includes its own registry entries, specific dynamic-link libraries (DLLs),
and other resources. When you deploy a virtual application, it uses its own copy of these shared resources.
Because the virtual application runs in an isolated environment, incompatible applications can share the
same workstation.
App-V provides an application virtualization solution.
Benefits of App-V
App-V provides the following benefits:
App-V enables you to run potentially incompatible applications on the same client computer.
Applications commonly share various application or operating system components with other
applications on the client computer. For example, one application might require a specific version of a
DLL, while another application on that system might require a different version of the same DLL.
Installing both applications may result in one of the applications overwriting the DLL that the other
requires. With application virtualization, each application can have its own version of all required files
and settings on the client computer.
Application virtualization can make application deployment significantly easier. When you create a
virtual application, you create a single file that you can distribute to client computers. Since the
applications are encapsulated in a virtual environment, you do not need to test new applications for
conflicts with existing applications before you roll them out.
From the users perspective, a virtual application can be launched and run just like any other
application. The user can start the virtual application from the Start menu, from a desktop icon, or by
file extension association. The application appears in Task Manager. When the application is running,
you can connect to printers, network connections, and other resources just like you can from any
other application.
14-13
Virtual applications are easy to deploy and manage. You can stream a virtual application from a
server, on demand, so the user can download it automatically the first time he needs to use it. If you
must update an application, administrators can update the server version of the application, and the
updated files then download the next time the client computer needs to run the application.
14-14
Lesson 2
Implementing the Hyper-V Role
Server virtualization requires a host platform that enables you to run virtual machines. The current
product from Microsoft that provides this platform is Windows Server 2008 R2 Hyper-V. This lesson
explains how to deploy and configure the Hyper-V role.
Objectives
Describe Hyper-V.
Describe the hardware prerequisites of Hyper-V.
Describe a virtual hard disk.
Describe a virtual network.
Describe a virtual machine.
Create a virtual machine.
Describe VMM 2008 R2.
14-15
What Is Hyper-V?
Key Points
The Hyper-V role in Windows Server 2008 and Windows Server 2008 R2 provides software infrastructure
and basic management tools that you can use to create and manage a virtualized server computing
environment.
Hyper-V is a hypervisor-based virtualization technology. The hypervisor is the processor-specific
virtualization platform that allows multiple isolated operating systems to share a single hardware
platform.
Hyper-V is a Type 1 hypervisor. A Type-1 hypervisor is a hypervisor that is considered a bare-metal
hypervisor and runs directly on top of hardware. Type 1 hypervisors are often referred to as hardware
virtualization engines. Hyper-V is designed using a 64-bit hypervisor. The hypervisor allows multiple
virtual machines to access physical memory and CPU resources without conflicts. Also, it allows creation of
64-bit guest operating systems. In combination with virtualization-aware hardware that includes
processors using Intel VT and AMD V technology, the Hyper-V hypervisor enables high performance and
excellent scalability for guest operating systems.
Because the Hyper-V hypervisor takes advantage of Intel VT and AMD-V technology, more of the work of
virtualizing multiple operating systems is performed by the processor hardware and less needs to be
performed by the virtualization stack and hypervisor. The virtualization stack runs within the parent
partition and has direct access to hardware devices. The parent partition then creates child partitions,
which host the guest operating systems.
After the initial Windows Server 2008 R2 installation, the operating system can access the server hardware
directly. After you add the Hyper-V role, a thin hypervisor layer between the operating system and the
hardware resources is added. The currently installed operating system becomes the parent partition from
where you can create and manage child partitions. Child partitions also do not have direct access to other
hardware resources and are presented a virtual view of the resources, as virtual devices.
14-16
Drivers in the parent partition are used for accessing the server hardware. Child partitions use virtualized
devices through virtual server client (VSC) drivers, which communicate through Virtual Machine Bus
(VMBus) with Virtualization Service Providers (VSP) in the parent partition. Requests to the virtual devices
are redirected either through the VMBus or through the hypervisor to the devices in the parent partition.
The VMBus manages the requests. The VMBus is a logical inter-partition communication channel. The
parent partition hosts VSPs, which communicate over the VMBus to handle device access requests from
child partitions. Child partitions host VSCs, which redirect device requests to VSPs in the parent partition
through the VMBus.
14-17
Hardware Requirements for Hyper-V
Key Points
Before you can run virtual machines in Windows Server 2008 R2 Hyper-V, you must ensure that you
properly address and configure all hardware perquisites on the host computer. There are four
requirements that you must meet before you can install the Hyper-V server role successfully: You must
have:
An x64-based processor.
Hardware data execution prevention (DEP).
Hardware-assisted virtualization.
A basic input/output system (BIOS) that allows you to enable DEP and hardware-assisted
virtualization.
DEP
You must have hardware-enforced DEP enabled by configuring either the Advanced Micro Devices (AMD)
no execute bit (NX bit) or the Intel execute disable bit (XD bit).
Note: DEP provides operating system protection from applications executing code in a nonexecutable memory region; this helps to prevent malicious code from executing on your computer.
Hardware-enforced DEP provides improved protection over that available in software-enforced DEP.
Hardware Virtualization
If you want to run Hyper-V, you must have servers that are capable of running AMD Virtualization (AMDV) or Intel Virtualization Technology (Intel VT).
14-18
Note: Using hardware virtualization improves the performance of virtual machines over that offered
by software virtualization engines, such as Microsoft Virtual Server. Virtualization is improved because
the hardware, rather than the software, can handle certain critical, non-virtualizable guest operating
system requests. Hardware virtualization reduces the load on the host operating system.
After modifying the BIOS to support hardware virtualization and DEP, you may have to turn off the server
for the settings to take effect. Performing a restart may not enable the new settings. You must turn off the
computer completely, and then restart it.
Note: A new feature of Windows Server 2008 R2 Hyper-V is support for AMDs Rapid Virtualization
Indexing (RVI) and Intel's Extended Page Tables. While Hyper-V does not require these two new
features, it does provide performance improvements for processor capabilities. You can install Hyper-V
safely on older hardware if it meets DEP and hardware virtualization requirements.
14-19
Virtual Hard Disks
Key Points
A virtual hard disk provides storage for a virtual machine. Within the virtual machine, the virtual hard disk
is represented as a physical disk, and the virtual machine uses it as if it were a physical disk. There are
different types of virtual hard disks (VHDs) that have various advantages and disadvantages.
Dynamically Expanding VHDs

Dynamically expanding VHDs are virtual disks that start very small and then grow as you write data to
them. Dynamically expanding VHDs are ideal for use in an environment where performance is not your
primary consideration. Organizations typically use dynamically expanding disks in test and development
environments. A dynamically expanding disk grows only to the space that you allocate to it when you
create the VHD. Dynamically expanding disk performance has increased and has nearly the same
performance levels as fixed-size disks.
One of the potential issues with using dynamically expanding VHDs is that you must manage storage
utilization after deployment. If you have multiple dynamically expanding VHDs located in a single storage
location that is less than the total maximum size of the VHDs, you must monitor the storage location to
ensure that the VHDs do not expand to use up all available space.
Another potential issue with dynamically expanding virtual hard disks is that the VHD file may become
fragmented on the host computers physical hard disk, which could affect the virtual disks performance.
Fixed-Size VHDs
Fixed-size VHDs are disks that use as much physical disk space as you specify when you create the disk.
For example, if you create a 100 gigabyte (GB) fixed-size VHD, it will use 100 GB of physical disk space.
The primary benefit with using fixed size disks is that all of the storage required for the disks is committed
when you create the disks, thus reducing the likelihood that you will over commit your storage resources.
14-20
One of the reasons for choosing fixed-size VHDs is that dynamically-expanding VHDs may not support
some applications. For example, Microsoft does not support Microsoft Exchange Server 2010 or Exchange
Server 2007 deployed on dynamically expanding VHDs.
One of the disadvantages of fixed-size disks is that the disks may take longer to move from one server to
another.
Differencing VHDs
A differencing virtual hard disk is a virtual hard disk associated with another virtual hard disk in a parentchild relationship. The differencing disk is the child and the associated virtual disk is the parent. The
parent disk can be any type of virtual hard disk. The differencing disk (the child) stores a record of all
changes made to the parent disk and provides a way to save changes without altering the parent disk. In
other words, by using differencing disks, you ensure that changes are made to the differencing disks and
not to the original virtual hard disk. You can merge changes from the differencing disk to the original
virtual hard disk, when appropriate.
The differencing hard disk expands dynamically as data intended for the parent disk is written to the
differencing disk. You should write-protect or lock the parent disk. If another process modifies the
parent disk, and does not recognize the differencing disks parent/child relationship, then all
differencing disks related to the parent disk become invalid, and any data written to them is lost. By
locking the parent disk, you can mount the disk on more than one virtual machine, similar to a readonly floppy disk or CD-ROM.
You cannot specify a size for a differencing disk. Differencing disks can grow as large as the parent
disks to which they are associated. However, unlike dynamically expanding disks, differencing disks
cannot be compacted directly. You can compact differencing disks only after merging the disk with a
dynamically-expanding parent disk.
If you are using differencing disks, it is important to have a standardized naming convention for your
virtual hard drives. It is not readily apparent from examining the virtual hard drive in Hyper-V
manager whether it is a differencing drive or a parent disk.
Pass-Through Disks
Hyper-V also allows for the use of a pass-through disk type. When you configure a virtual machine to use
a pass-through disk, the virtual machine will use an entire physical disk or volume on the host computer.
If you intend to use pass-through disks to support an operating system installation, you must store the
guest configuration file in an alternate location. This is because the operating systems installation will
consume the entire pass-through disk. For example, you could locate the configuration file on another
internal drive in the Hyper-V server itself, or if the host computer is part of a failover cluster, you can host
the configuration file on a separate cluster that provides highly available file services. Be aware that you
cannot dynamically expand pass-through disks.
Question: Describe a scenario in which you would use a dynamic disk?
14-21
Virtual Networks
Key Points
Virtual Network Manager gives you the ability to create a mechanism for binding virtual machines to a
physical network. Virtual Network Manager enables you to create and manage virtual networks. You can
use Virtual Network Manager to add, remove, and modify the virtual networks. Virtual Network Manager
is available from Hyper-V Manager.
When you create a virtual network, Hyper-V creates a virtual switch. The virtual switch routes traffic based
on either the media access control (MAC) addresses or the virtual local area network (VLAN) Identifiers.
The virtual switch modifies the MAC addresses of packets as it is used to route traffic with different MAC
addresses than the physical network card MAC address. The advantage is that it can bind to any 802.3
compliant physical Ethernet network adapter.
You cannot connect a virtual network to a wireless network adapter. The virtual switch changes the MAC
address of the source packet so that it does not match its own MAC address. As a result, you cannot
provide wireless networking capabilities to virtual machines, because the 802.11 standard does not
support the MAC address changes. You can attach only one virtual network to a specific physical network
adapter at a time. You cannot attach multiple virtual networks to the same physical network adapter.
When you create a virtual network:
Hyper-V creates a software-based switch.
You can associate only one Hyper-V virtual network with a single physical network adaptor.
It is bound to a physical network adapter and all other protocols are automatically unbound.
You can use it to control and secure network traffic that enters and leaves a virtual machine.
Windows Server 2008 R2 Hyper-V supports three types of virtual networks: external, internal, and private.
When you create a virtual network through either the Hyper-V Manager or Windows Management
Instrumentation (WMI), you also create a new software-based switch. There is no limit to how many virtual
networks or ports for virtual machine connections that you can create.
14-22
You can configure three types of virtual networks:
External. An external virtual network binds to a physical network adapter on the Hyper-V server so
that the virtual machine can have access to a physical network. When you create a new external
virtual network, Hyper-V creates a virtual network adapter on the parent partition unless you clear the
option to Allow management operating system to share this network adapter. You would use an
external connection when your virtual machine needs to access or be accessed on the corporate
network or beyond the corporate environment.
Note: When you create an external virtual network, and clear the option to Allow management
operating system to share this network adapter, the physical network adapter will be available only
for virtual machines and will not be accessible by the host computer. This is a best practice if you want
to isolate virtual machine network traffic from host network traffic. In this scenario, you must not clear
this option on at least one network adapter or not create a virtual network that uses one of the
physical network adapters to ensure that the host computer can communicate on the network.
Internal. When you create an internal virtual network, it allows the virtual machines to communicate
with each other and with the Hyper-V server, but they cannot communicate with the physical
network. This scenario is commonly used to simulate a networked environment with the base system.
An internal network might be used in a training environment.
Private. The creation of a VPN enables the virtual machines to communicate with each other, but
there is no association with any physical network adapter in the parent partition. This means that the
virtual machines can communicate with each other but not with the host computer or with other
computers on external networks. You can use private networks if you need to isolate virtual machines
for security reasons. You may also have virtual machines that are being used for testing purposes and
you do not want the virtual machines to inadvertently access the corporate network.
Question: Can you describe the steps you would use to isolate virtual machines from the physical
network?
14-23
Virtual Machines
Key Points
Virtual Machine Components
A virtual machine includes the following components:
Virtual processors. You can configure virtual machines with up to four virtual processors, depending
on the operating system that is running in the virtual machine. The number of virtual processors that
you can assign to a virtual machine is limited to the host computers number of processor cores, but
you can assign more virtual processors in total between running virtual machines than there are
processor cores on the host computer.
Memory. You can configure virtual machines with up to 64 GB of memory. The memory that you can
assign to virtual machines is limited by the amount of random access memory (RAM) that the host
computer has available. You cannot run virtual machines where the cumulative memory exceeds the
amount of RAM available on the host computer.
Network adapters. The virtual machine uses network adapters to connect to the external network, to
other virtual machines on the same host, or to the host computer. You can assign multiple virtual
network adapters in virtual machines.
Virtual disks. Virtual disks are .vhd files that are available to the virtual machine as the system drive or
for data storage. You have several options when configuring virtual disks. You also can create virtual
machine snapshots, which creates Automatic VHD files with an .AVHD extension.
Supported Guest Operating Systems

The following operating systems are supported in virtual machines:
Windows Server 2008 and Windows Server 2008 R2. All server editions are supported except for the
Windows Server 2008 R2 for Itanium-based Systems operating system edition. You can install both
64-bit and 32-bit versions and configure them with one, two, or four virtual processors.
14-24
The Windows Server 2003 Standard Edition operating system with Service Pack 2 (SP2) and the
Windows Server 2003 R2 Standard Edition operating system with SP2. All server editions are
supported except for the Windows Server 2003 Enterprise Edition for Itanium-based systems
operating system. You can install both the 64-bit and 32-bit versions and configure them with one or
two virtual processors.
The Microsoft Windows 2000 Server with SP4 operating system. Both Server and Advanced server
editions are supported and you can configure them with only one processor.
Red Hat Enterprise Linux 5.2, 5.3 and 5.4. Both x86 and x64 editions are supported but you can
configure them with only one processor. Linux Integration Components for Hyper-V are available and
supported for these versions of Linux.
SUSE Linux Enterprise Server 10 with Service Pack 1 or 2, and SUSE Linux Enterprise Server 11. Both
x86 and x64 editions are supported, but you can configure them with only one processor. Linux
Integration Components for Hyper-V are available and supported for these versions of Linux.
Windows 7, Windows Vista, and Windows XP with SP2 or later. You can configure Windows 7 virtual
machines with up to four processors. Additionally, you can configure Windows Vista and Windows XP
SP3 with one or two processors and Windows XP SP2 with one processor.
14-25
Demonstration: How to Configure a Virtual Machine
Key Points
You can install the Hyper-V role either on a full or Server Core installation of Windows Server 2008 R2.
Installing the Hyper-V role on a full installation of Windows Server 2008 R2 installs all of the Hyper-V
components. However, to install the Hyper-V role, you must be a member of the local Administrators
group or your administrator must give you permissions.
After you install and configure the Hyper-V role on a server running Windows Server 2008 R2, you can
manage the Hyper-V role and virtual machines by using the Hyper-V management tools. The
management tools consist of the Hyper-V Manager, which is a Microsoft Management Console (MMC)
snap-in, and Virtual Machine Connection, which provides you with direct access to a virtual machine
through a network connection.
You also can manage the Hyper-V server role and connect to a virtual machine running in Hyper-V from
remote computers. If you are running Windows Server 2008 or Windows Server 2008 R2, you can install
the Hyper-V Tools feature. You also can manage Hyper-V from a client machine by installing the Remote
Server Administration Tools management tools.
The Hyper-V Manager is the central graphical interface console that an administrator will use to manage
small Hyper-V environments. You can use the Hyper-V Manager to administer several Hyper-V servers. In
larger deployments, you should use the System Center VMM.
The Hyper-V Manager has three panes. The left pane shows the Hyper-V servers that you are managing
currently. The center pane displays the virtual machines that you have installed on the selected Hyper-V
server, as well as snapshots of highlighted virtual machines and their details. The right pane lists the
actions available for managing a virtual server and virtual machines.
Managing Virtual Machines

You can configure virtual machines, create, and delete virtual machines, and export and import virtual
machines.
14-26
Virtual Machine Snapshots

A virtual machine snapshot is a point-in-time capture of a virtual machine with all configurations and
states present. You can create a snapshot while the virtual machine is running, is turned off, or is in a
saved state. You can return, or revert, a virtual machine to a previous state. You return a virtual machine
to a previous point-in-time by applying a snapshot. This will return the virtual machine to the state it was
in when the snapshot was taken. As part of this snapshot application process, you have the option of
taking a snapshot of the current state of the virtual machine before you revert to a previous version.
Import and Export

You can use the export functionality when you want to move a virtual machine to another host computer.
You can export the virtual machine only when the virtual machine is turned off or in a saved state. To
move the virtual machine to another host, copy the exported files to the new host, and then import the
virtual machine. When importing a virtual machine, you have the option to copy a virtual machine. In that
case, you will generate a new machine ID. If you are going to move a virtual machine, or if you are going
to use a backup copy, then you should use the original virtual machine ID.
Virtual Machine State

You can manage the state of a virtual machine through this interface. You can Start, Turn Off, Shut
Down, Save, Pause, Reset, or Rename the state of a virtual machine.
Managing Virtual Machine Configurations

You can access the virtual machine configurations by right-clicking the virtual machine, and then clicking
Settings. In the virtual machine settings, you can configure the virtual machine hardware and
management settings. You can manage an entire Hyper-V server role from a single interface, and you can
manage multiple servers from the Hyper-V Manager.
In this demonstration, you will see how to create and configure a virtual machine in Hyper-V Console.
1.
2.
3.
Create a differencing disk.

Create a virtual machine.
Create and apply snapshots.
14-27
What Is VMM 2008 R2?
Key Points
VMM 2008 R2 enables you to administer and manage virtual environments from a central location. It also
helps increase physical server utilization and enables the VMM administrator and authorized self-service
end users to provision new virtual machines rapidly. It is a solution that solves many of the challenges
found in a virtualized infrastructure.
You specifically can use Virtual Machine Manager to:
Manage Hyper-V hosts.
Manage Virtual Server 2005 R2 based hosts.
Manage VMware hosts.
Manage and deploy virtual machines.
Perform physical-to-virtual (P2V) and virtual-to-virtual (V2V) conversions.
Support Hyper-V.
VMM can integrate fully with your current Hyper-V environment, and it provides the same functionality as
Hyper-V Manager, as well as numerous extended management features. VMM takes full advantage of
Hyper-V benefits through a powerful, yet easy to use, console that streamlines many management tasks
for virtual infrastructures. Additionally, administrators can manage virtualization host servers and their
virtual resources through one unified console.
You can use VMM to manage virtualization in many business scenarios, including server consolidation,
resource provisioning, business continuity enhancement, and performance and resource optimization.
Some key benefits that VMM offers include:
Maximizes data center resources through consolidation. A typical physical server in the data center
operates at only 5 to 15 percent CPU capacity. VMM can help consolidate suitable server workloads
onto a virtual machine host infrastructure, which frees up physical resources for repurposing or
14-28
hardware retirement. By consolidating physical servers, you ensure that data center growth is less
constrained by space, electrical, and cooling requirements.
Supports for Microsoft Virtual Server and VMware ESX. With this release, VMM now manages VMware
ESX virtualized infrastructure in conjunction with the Virtual Center product. VMware versions that are
supported are VMware ESX Server 3.0 or above, VMware ESX Server 3.5i, VMware VirtualCenter (VC)
2.5 (VMware Infrastructure 3 [VI3]), and VMware vSphere 4 (VI3 features only). Now administrators
running multiple virtualization platforms can rely on one tool to manage virtually everything. Because
of VMM compatibility with VMware VI3 (through Virtual Center), the VMM now supports features
such as VMotion, and provides VMM-specific features such as Intelligent Placement to VMware
servers.
Enables Performance and Resource Optimization (PRO). PRO provides the dynamic management of
virtual resources though management packs that are PRO-enabled. Utilizing the deep monitoring
capabilities of System Center Operations Manager 2007, PRO enables administrators to establish
remedial actions that VMM will execute if a PRO identifies poor performance or pending failures in
hardware, operating systems, or applications. As an open and extensible platform, PRO encourages
partners to design custom management packs that promote compatibility of their products and
solutions with PROs powerful management capabilities.
Converts machines by converting a physical machine to a virtual one can be a daunting undertaking-slow, problematic, and typically requiring you to halt the physical server. However, the enhanced P2V
conversion in VMM means that P2V conversions will become routine. Similarly, VMM also provides a
straightforward wizard that can convert VMware virtual machines to VHDs through a quick and easy
V2V transfer process.
Provisions new machines quickly. VMM enables this efficiency by providing IT administrators with the
ability to deploy virtual machines in a fraction of the time it would take to deploy a physical server.
Through one console, VMM allows administrators to manage and monitor virtual machines and hosts
to ensure they are meeting the needs of the corresponding business groups.
Minimizes deployment guesswork with Intelligent Placement. VMM does extensive data analysis on a
number of factors before recommending which physical server should host a given virtual workload.
This is especially critical when administrators are determining how to place several virtual workloads
on the same host machine. With access to the historical data that Operations Manager 2007 provides,
the Intelligent Placement process is able to factor past performance characteristics to ensure the best
possible match between the virtual machine and its host hardware.
Delegates virtual machine management for Development and Test. This latest version of VMM
features a thoroughly reworked and improved self-service Web portal, allowing administrators to
delegate this provisioning role to authorized users while maintaining precise control over the
management of virtual machines.
Organizes virtual machine components with the library. To keep a data centers virtual house in order,
VMM provides a centralized library to store the building blocks for various virtual machines, such as
off-line machines and other virtualization components. With the librarys easy-to-use structured
format, IT administrators can quickly locate and reuse specific components, thereby remaining highly
productive and responsive to new server requests and modifications.
Provides a rich management and scripting environment with Windows PowerShell. The entire VMM
Administrator Console is built on the command-line and scripting environment, Windows PowerShell.
This version of VMM adds additional PowerShell cmdlets and view script controls, which allow
administrators to exploit customizing and automating operations at an unprecedented level.
14-29
Lab Setup
For this lab, you will use the available host computer environment. Before you begin the lab, you must
1.
2.
Ensure that your host computer is running and that you are logged on.
Ensure that no virtual machines are currently running.
Lab Scenario
Contoso, Ltd. has decided to introduce virtualization into their IT environment because they wish to
reduce their hardware and power expenditures for the data center. The company has started deploying
Hyper-V host computers running on Windows Server 2008 R2. You now need to create several virtual
machines on the host computers.
14-30
Exercise 1: Creating the VHDs

Scenario
Contoso, Ltd. has deployed one Hyper-V host computer for testing purposes. For the initial deployment,
your computer will host test virtual machines. Because Contoso, Ltd. will eventually use these virtual
machines in production, it is important that they perform well. At this stage of the deployment, IT
management has not decided which production servers to virtualize, but you should prepare at least two
virtual machines that you can use for the initial proof-of-concept testing. On the first, deploy no
operating system. On the second, you should deploy an initial server on this host computer that is running
Windows Server 2008 R2.
1.
2.
Create a dynamically expanding hard disk.

Create a differencing hard disk.
Task 1: Create a dynamically expanding hard disk
On your host computer, in Hyper-V Manager, create a new virtual hard disk with the following
configuration:
Type: Dynamically expanding
Name: NYC-Prod1.vhd
Location: C:\Program Files\Microsoft Learning
Maximum size: 32 GB
Task 2: Create a differencing hard disk
configuration:
Type: Differencing
Name: NYC-Test1.vhd
Parent drive: C:\Program Files\Microsoft Learning\base\drives

\WS08R2- SVR2.vhd
Results: After this exercise, you should have created the required VHDs.
14-31
Exercise 2: Creating New Virtual Machines

Scenario
Now that you have configured the VHDs, the next step is to create the virtual machines for the test and
production environments.
1.
2.
Create a new virtual machine for the production environment.

Create a new virtual machine for the test environment.
Task 1: Create a new virtual machine for the production environment
On your host computer, in Hyper-V Manager, create a new virtual machine based on the following
criteria:
Name: NYC-PROD1
Memory: 1024 MB RAM
Networking: Private Network
Use an existing virtual disk, NYC-PROD1.vhd, that you created for production in Exercise 1.
Task 2: Create a new virtual machine for the test environment
On your host computer, in Hyper-V Manager, create a new virtual machine based on the following
criteria:
Name: NYC-TEST1
Memory: 1024 MB RAM
Networking: Private Network
Use an existing virtual disk, NYC-TEST1.vhd, that you created for test in Exercise 1.
Results: After this exercise, you should have created the two virtual machines required for testing
purposes.
14-32
Exercise 3: Modifying Virtual Machine Settings

Scenario
The IT department has created the initial design for the production virtual machines. The design specifies
that all virtual machines in production will need a separate data disk. Because the virtual machines will
need a second disk for data, and performance is most important, you should create a small computer
system interface (SCSI) adapter and use it to connect to the second disk. Additionally, you should
configure the virtual machines with two processors and 2,048 megabyte (MB) of RAM.
The main task for this exercise is:
1.
Modify the virtual machine configuration for production.
Task: Modify the virtual machine configuration for production

1.
2.
3.
4.
5.
configuration:
Type: Dynamically expanding
Name: NYC-Prod1-Data.vhd
Maximum size: 64 GB
Access the settings for the NYC-PROD1 virtual machine.

Add the NYC-PROD1-Data.vhd virtual hard disk to a SCSI controller on the virtual machine.
Change the RAM assigned to the virtual machine to 2048.
Change the processors assigned to the virtual machine to 2.
Results: After this exercise, you should have modified the virtual machine settings.
14-33
Exercise 4: Creating and Applying Virtual Machine Snapshots

Scenario
In order to test applications on the test computers, you need to understand how snapshots work. In this
exercise, you will configure and test snapshots using the test virtual machine.
The main tasks for this exercise are:
1.
2.
Create a snapshot.
Apply snapshots.
Task 1: Create a snapshot

1.
2.
3.
4.
In Hyper-V Manager, ensure that the NYC-TEST1 virtual machine is turned off.
Create a new snapshot of NYC-TEST1, and name it PRE-Test Snapshot.
Start NYC-TEST1, and connect to it. Log on as Administrator using the password Pa$$w0rd.
Close all open windows or dialog boxes.
Task 2: Apply snapshots

1.
2.
3.
4.
5.
6.
7.
On the virtual machine desktop, create a new text document called Snapshot1.txt.
Create a new snapshot of NYC-TEST1, and name it Snapshot2.
On the virtual machine desktop, create a new text document called Snapshot2.txt.
Revert the virtual machine. On the virtual machine desktop, verify that the Snapshot2.txt file is no
longer on the desktop.
Apply the PRE-Test Snapshot. Verify that the virtual machine turns off. This is the state that the
virtual machine was in when you created the snapshot.
Apply Snapshot2, and start the virtual machine. Verify that the Snapshot1.txt file is on the desktop.
Shutdown the virtual machine.
Results: After this exercise, you should have created snapshots and applied them to your virtual
machines.
14-34
Review Questions
1.
2.
3.
4.
5.
Your organization is considering implementing server virtualization using Hyper-V. What is the
primary consideration that you will need to consider when purchasing servers for this role?
What are the hardware and BIOS prerequisites to install the Hyper-V Role?
What are the differences between External, Internal, and Private virtual networks?
Where is the option to change the location of the .VHD and virtual machines?
What does it mean when the mouse pointer displays as a small dot in a virtual machine window?
Common Issues Related to Virtual Networks

Issue
Troubleshooting tip
The virtual machines on a host

computer cannot communicate
with each other.
Verify that they are using the same VLAN ID. If they are using a
compatible VLAN, then verify the IP address configuration in the
virtual machines.
You have copied a virtual hard disk

file from one host to another.
When you start the virtual machine,
the network settings have changed.
When you copy a virtual hard disk file from one host to another,
the network configuration is not moved with the virtual machine.
To retain the network configuration, you need to export and then
import the virtual machine.
You have exported a virtual

machine on one host, and
imported the files on another host.
The network adapter on the virtual
machine is not connected.
When you import the virtual machine on a host, you need to

ensure that the destination host computer has the same virtual
networks configured as the source host computer. If the networks
are not identical, the virtual network cannot be connected to the
virtual machine.
14-35
Real-World Issues and Scenarios

1.
2.
3.
You are going to deploy Hyper-V on the Windows Server 2008 R2 servers. You have concerns about
performance problems with so many virtual machines running on a server.
You have concerns about the hardware requirements to deploy Hyper-V. Another department will
create the virtual machines and then ship them to you for installation and configuration. When you
import the virtual machine into Hyper-V and attempt to start the virtual machine, you receive an
error that Hyper-V launch failed; Either VMX not present or not enabled in BIOS.
Your organization is testing a custom application. The testers report that when they install the
application on computers running an older version of the same application, they get errors. How
could you address this issue?
14-36
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
L1-1
Module 1: Understanding Network Infrastructure
Lab: Selecting Network Infrastructure

Components
Exercise: Determining Appropriate Network Components
Answer the questions in the Branch Office Network Infrastructure Plan: Component Needs
Assessment.
Branch Office Network Infrastructure Plan: Component Needs Assessment
Document Author:
Date:
You
22nd March
Recommend basic infrastructure components for the implementation of the network in the new
Seattle location.
Recommend infrastructure to connect the Seattle location to the New York location.
Recommend infrastructure to allow home office users and partners access to the resources they
need from the Seattle location.
Proposals:
1. What Ethernet standard should be used for the staff offices portion of the Seattle location?
Answer: Due to the large amount of data being sent back and forth on the network, the fastest
possible Ethernet standard should be used that can be deployed in an office LAN environment.
10GBASE-T offers a throughput of 10Gbps and uses copper wire cabling as its medium, which can
be easily installed into each office as the new building is being constructed.
2. What infrastructure should be used to connect the conference room portion of the Seattle
location?
Answer: With the conference rooms size and the variance in location and mobility of users and
their laptops, a wireless infrastructure should be used for the conference room, preferably the
fastest available, 802.11n. Encryption should also be added to the wireless network, preferably
using WPAv2, the most secure and current wireless encryption protocol.
3. What components and technology would you use to connect the New York and Seattle
branches?
Answer: T1 would be a good choice. There isnt a lot of data being sent between the two offices,
and a leased T1 connection through a telecommunications provider would allow for data to be
sent between locations in a secure fashion.
4. What is the best architecture to allow both partners and home office users to access their
information using only one method of access?
Answer: An extranet could be set up, providing a server available for both partners and remote
users to exchange their files. This would provide one point of access, as well as a centralized place
to host the files that these two groups are using. A VPN solution could be considered for the
home office users, but because they only need access to a few files, an extranet would be a more
logical choice.
L1-2
L2-1
Module 2: Connecting Network Components

Exercise 1: Determining the Appropriate Network Hardware
Task 1: Read the supporting deployment plan document
Read the supporting deployment plan document.
Document Author
Date
Charlotte Weiss
1st Feb
To determine which components to install to connect nodes at branch offices and to connect
branches to head office.
High-bandwidth applications will be used in the branches.
Devices must provide for virtual local area networks (VLANs) to support project teams that span
each branch.
Traffic should be isolated in the branch except where necessary.
It should be possible to manage traffic in the branch based upon its priority.
Proposals
1.
2.
3.
4.
What devices are required in the branches to support these requirements?

Answer: Switches. These provide a way of connecting the nodes on the network and support
VLANs. In addition, traffic is isolated to the required VLAN except where necessary. In addition,
simple hubs do not support quality of service (QoS).
What devices are required to connect the branches together and connect the branches to the
head office?
Answer: Routers. Although switches can provide routing function, wide area network (WAN)
routers are needed to connect the branches together and to connect to the head office.
What issues arise when you implement these devices?
Answer: You must select a mechanism to manage the routing tables. You could use static
routes, or alternatively implement a routing protocol like Routing Information Protocol (RIP) or
Open Shortest Path First (OSPF).
Update the Contoso Branch Network Plan.vsd diagram to show what types of device you will
implement.
Answer: See below.
L2-2
L2-3
Exercise 2: Selecting a Suitable Wiring Infrastructure

Branch Office Network Wiring Plan
Document Author
Date
Charlotte Weiss
20th Feb
Provide a wiring plan for the branch offices.
Quite high bandwidths are expected.
High levels of electromagnetic interference (EMI) are expected in some areas of the branches.
Cost is a limiting factor.
The solution, so far as is possible, should be future-proofed.
Proposals
1. What sort of cable would be suitable here, bearing in mind the information supplied and the plan
you outlined for network components earlier?
Answer: Switches were indicated earlier, which means coax is not feasible. Twisted-pair and fiber
cabling is indicated.
2. How will you address the issue of high levels of EMI?
Answer: Where required, install shielded twisted pair. Areas where this is not sufficient; use fiber.
3. What cable standards do you propose?
Answer: For copper, Category (Cat) 5e or higher. Cat 6 supports 10 gigabits per second (Gpbs)
Ethernet and better future-proofs the solution. For fiber, multimode fiber is cheaper and should
address the bandwidth requirements.
L2-4
L3-1
Module 3: Implementing TCP/IP

Exercise 1: Determining an Appropriate IPv4 Addressing Scheme
Branch Office IP Addressing Scheme

Document Author
Date
Charlotte Weiss
10th March
To design an IPv4 addressing scheme for the Contoso, Ltd R & D branch offices.
One router connects the three branches back to the head office.
There are three wide area network (WAN) links.
There are three branches, each of which can be configured as a single subnet.
The network address 172.16.0.0/16 is allocated to the branch offices, while the head office uses
10.10.0.0/16.
Proposals
1. How many network addresses do you need to support these requirements?
Answer: Six.
2. What class address is 172.16.0.0/16?
Answer: Class B.
3. Is this a private or public address?
Answer: Private.
4. Ed has allocated the first block of addresses to the first branch: 172.16.16.0/20. What is the next
logical subnet using this initial subnet?
Answer: 172.16.32.0/20. The next is 172.16.48.0/20.
5. What is the first and last host in this subnet?
Answer: The first host is one binary digit higher than the subnet ID while the last host is two
binary digits lower than the next subnet ID. Thus, the first host is 172.16.16.1/20 and the last is
172.16.31.254.
6. What would the subnet mask be for hosts in this subnet?
Answer: 255.255.240.0.
7. Update the Contoso Branch IP Addressing.vsd diagram to show the network addresses you will
implement in the branches; do not worry about the WAN links.
Answer: See the illustration on the next page.
L3-2
Results: After this exercise, you should have completed both the Contoso Branch IP Addressing.vsd
diagram and the Branch Office IP Addressing Scheme document.
Exercise 2: Configuring IPv4 with Windows Server 2008

Task 1: Configure a Dynamic Host Configuration Protocol (DHCP) scope
1.
2.
3.
4.
5.
6.
7.
8.
9.

Click Start, point to Administrative Tools, and then click DHCP.
In DHCP, in the console, expand nyc-svr2.contoso.com, expand IPv4, right-click Scope [10.10.0.0]
Deployment, and then click Delete.
In the DHCP dialog box, click Yes.
Right-click IPv4 and then click New Scope.
In the New Scope Wizard, click Next.
On the Scope Name page, in the Name box, type Head Office 1.
In the Description box, type Client computer addresses, and then click Next.
On the IP Address Range page, enter the following information and then click Next.
10.
11.
12.
13.
Start IP address: 10.10.0.150

End IP address: 10.10.0.160
Length: 16
On the Add Exclusions and Delay page, click Next.

On the Lease Duration page, click Next.
On the Configure DHCP Options page, click Next.
On the Router (Default Gateway) page, in the IP address box, type 10.10.0.1, click Add, and then
click Next.
14. On the Domain Name and DNS Servers page, click Next.
15.
16.
17.
18.
L3-3
On the WINS Servers page, click Next.

On the Activate Scope page, click Next.
On the Completing the New Scope Wizard page, click Finish.
In the console, expand Scope [10.10.0.0] Head Office 1, and then click Address Leases.
Task 2: Configure the client computer to obtain an IP address dynamically

1.
2.
3.
4.
5.
6.
7.

Click Start, and then click Control Panel.
In Control Panel, click Network and Internet.
Click Network and Sharing Center.
In the left-pane, click Change adapter settings.
In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4
(TCP/IPv4).
8. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address
automatically.
9. Click Obtain DNS server address automatically and then click OK.
10. In the Local Area Connection Properties dialog box, click OK.
Task 3: Verify that the client computer obtained an address

1.
2.

In DHCP, press F5.
Note: You can see a new lease for NYC-CL1.
Task 4: Determine the IP address on the client computer

1.
2.
3.

Click Start, in the Search box, type cmd.exe and press ENTER.
At the command prompt, type the following command and then press ENTER:
Ipconfig /all
Question: What is the current IPv4 address?

Answer: Answers will vary, but it is most likely to be 10.10.0.150.
Question: Is DHCP Enabled configured for Yes?
Answer: Yes.
Question: What is the IP address of the DHCP server?
Answer: 10.10.0.20.
Question: When does the DHCP Lease expire?
Answer: Answers will vary, but should be 8 days in advance.
Results: After this exercise, you should have created a DHCP scope and allocated a client address.
Exercise 3: Verifying the Configuration

Task 1: Stop DHCP
1.
2.

In DHCP, right-click nyc-svr2.contoso.com, point to All Tasks, and then click Stop.
L3-4
Task 2: Attempt to renew the IPv4 address on the client computer

1.
2.
3.

Switch to the command prompt.
Ipconfig /release
4.
Ipconfig /renew
Note: This might take a few minutes as the client computer attempts contact the original DHCP server,
and then any other DHCP server.
5.
Ipconfig

Answer: Answers will vary, but the address begins 169.254
Answer: The computer is using an automatic private IP addressing (APIPA) address as it has failed to
obtain an address from a DHCP server.
6.
Task 3: Restart DHCP

1.
2.
Switch to NYC-SVR2 again.

In DHCP, right-click nyc-svr2.contoso.com, point to All Tasks, and then click Start.
Task 4: Renew the client address and verify IPv4

1.
Ipconfig /renew

Answer: Answers will vary, but they will most likely be 10.10.0.150.
Answer: The computer has successfully obtained an IPv4 configuration.
2.
L3-5
Results: After this exercise, you should have successfully verified the functionality of the DHCP server
in the head office.
Exercise 4: Configuring and Testing Name Resolution

Task 1: View the current Domain Name System (DNS) records
1.
2.
3.
Switch to NYC-DC1.
Click Start, point to Administrative Tools, and then click DNS.
In DNS Manager, expand Forward Lookup Zones, and then click on Contoso.com.
Answer: 10.10.0.150
Task 2: Force a dynamic update

1.
2.
3.
4.
5.
6.

If necessary, click Start, and then click Control Panel. Click View network status and tasks and then
click Change adapter settings.
In Network Connections, right-click Local Area Connection, and then click Properties.
(TCP/IPv4).
In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP
address.
Use the following information to complete the configuration and then click OK:
7.
8.
9.
IP address: 10.10.0.51
In the Local Area Connection Properties dialog box, click OK.

Switch to NYC-DC1.
In DNS Manager, in Contoso.com, press F5.
Answer: 10.10.0.51
Task 3: Add a new DNS record

1.
Question: What records are listed?

Answer: Answer will vary, but there will be a number of records for nyc-dc1.
2.
L3-6

3.
4.
5.
6.
Switch to NYC-DC1.
In DNS Manager, right-click Contoso.com and then click New Alias (CNAME).
In the New Resource Record dialog box, in the Alias name (uses parent domain if left blank) box,
type www.
In the Fully qualified domain name (FQDN) for target host box, type
nyc-dc1.contoso.com and then click OK.
Task 4: Verify the record

1.
2.
Switch to NYC-CL1.

3.
Ipconfig /flushdns
4.

5.
Question: What record is returned regarding www.contoso.com?

Answer:
www.contoso.com
--------------------------Record Name . . . . . : www.contoso.com
Record Type . . . . . : 5
Time To Live . . . . . : 3569
Data Length . . . . . . : 4
Section . . . . . . . . . . : Answer
CNAME Record . . : nyc-dc1.contoso.com
(Answers might vary slightly)
Results: After this exercise, you should have successfully added a new DNS record.
Exercise 5: Viewing the IPv6 Configuration

Task: Determine the current IPv6 address
On NYC-CL1, at the command prompt, type the following command and press ENTER:
Ipconfig /all
Question: Is there an IPv6 address listed?

Answer: Yes.
Question: What kind of address is it?
Answer: Link-Local IPv6 Address.
Results: After this exercise, you should have determined that the local host has only a link-local IPv6
address.

following steps:
1.
2.
3.
4.
5.
6.

L3-7
L3-8
L4-1
Module 4: Implementing Storage in Windows Server

Exercise 1: Creating a New Volume
Task 1: Create a 100 MB simple disk
1.
On NYC-SVR3, click Start, point to Administrative Tools and then click Computer Management.
Under Computer Management, expand Storage, and then click Disk Management.
Right-click on the end of Disk 0 (in the black area) and choose New Simple Volume. Click Next.
Change Simple volume size in MB to 100. Click Next.
Choose Do not assign a drive letter or drive path. Click Next.
On the Format Partition page, click Next.
Click Finish.
2.
3.
4.
5.
6.
Task 2: Assign the new disk a drive letter

1.
On NYC-SVR3, in Computer Management, right-click on the New Volume partition at the end of
Disk 0 and choose Change Drive Letter and Paths.
Click Add.
Change Assign the following drive letter to J: and then click OK.
Close the Computer Management console.
2.
3.
4.
Results: After this exercise, you should have a J: drive which is 100 MB in size.
Exercise 2: Creating a Fault Tolerant Disk Configuration

Task 1: Convert disks
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
On NYC-SVR3, click Start, and then type cmd. When cmd appears under Programs, right click it and
choose Run as administrator.
In the Command console, type diskpart and then press ENTER.
Type select disk 1 and then press ENTER.
Type online disk and then press ENTER.
Type attributes disk clear readonly and press ENTER.
Type convert dynamic and then press ENTER.
Task 2: Assign the three disks to a RAID 5 array
On NYC-SVR3, in the Command console, at the DISKPART prompt, type create volume raid
size=100 disk=1,2,3, and then press ENTER.
L4-2
Task 3: Format the newly created array

1.
On NYC-SVR3, in the Command console, at the DISKPART prompt, type select volume 4, and then
press ENTER.
Type format fs=ntfs label=r5r quick and then press ENTER.
Close the Command prompt.
2.
3.
Results: After this exercise, you should have configured a RAID 5 array in Diskpart with the label
R5R.
Exercise 3: Implementing the Windows iSCSI Initiator

Task 1: Create an iSCSI target on NYC-SVR3 for Data1
Important: The iSCSI Software Target is packaged and distributed optionally by Original Equipment
Manufacturers (OEMs) on systems that are running Windows Storage Server. Microsoft does not
support the use of the iSCSI Software Target on Windows Server 2008 R2, and is it is being used in
this context for training purposes only.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
On NYC-SVR3, click Start, point to Administrative Tools, and then click Microsoft iSCSI Software
Target.
In the tree pane of the iSCSITarget [Microsoft iSCSI Software Target] console, right-click iSCSI
Targets, and then click Create iSCSI Target.
On the Welcome to the Create iSCSI Target Wizard page, click Next.
In the iSCSI target name box of the iSCSI Target Identification page, type LUN-01, and then click
Next.
On the iSCSI Initiators Identifiers page, click Advanced.
In the Advanced Identifiers dialog box, click Add.
In the Identifier Type box of the Add/Edit Identifier dialog box, click IP Address, in the Value box,
type 10.10.0.20, and then click OK.
In the Advanced Identifiers dialog box, click OK.
On the iSCSI Initiators Identifiers page, ensure that the IQN Identifier box displays the text, Click
Advanced button to view alternate identifiers, and then click Next.
On the Completing the Create iSCSI Target Wizard page, click Finish.
In the tree pane of the iSCSITarget [Microsoft iSCSI Software Target] console, under iSCSI Targets,
right-click Devices, and then click Create Virtual Disk.
On the Welcome to the Create Virtual Disk Wizard page, click Next.
In the File box of the File page, type C:\Disks\Disk-01.vhd, and then click Next.
In Size of virtual disk (MB) box of the Size page, type 8000, and then click Next.
On the Description page, click Next.
On the Access page, click Add.
In the Add Target dialog box, in the Target Name list, click LUN-01, and then click OK.
On the Access page, click Next.
On the Completing the Create Virtual Disk Wizard page, click Finish.
Task 2: Create an iSCSI target on NYC-SVR3 for the Data2 disk

1.
In the tree pane of the iSCSITarget [Microsoft iSCSI Software Target] console, under iSCSI Targets,
right-click Devices, and then click Create Virtual Disk.
2.
L4-3
On the Welcome to the Create Virtual Disk Wizard page of the Create Virtual Disk Wizard, click
Next.
In the File box of the File page, type C:\Disks\Disk-02.vhd, and then click Next.
In Size of virtual disk (MB) box of the Size page, type 20000, and then click Next.
On the Description page, click Next.
On the Access page, click Add.
In the Add Target dialog box, in the Target Name list, click LUN-01, and then click OK.
On the Access page, click Next.
On the Completing the Create Virtual Disk Wizard page, click Finish.
3.
4.
5.
6.
7.
8.
9.
Task 3: Connect the iSCSI target to NYC-SVR2

1.
On NYC-SVR2, on the Start menu, point to Administrative Tools, and then click iSCSI Initiator.
Click Yes.
On the Targets tab of the iSCSI Initiator Properties dialog box, in the Target box, type 10.10.0.30,
and then click Quick Connect.
In the Quick Connect dialog box, ensure that the status of
iqn.1991-05.com.microsoft:NYC-SVR3-lun-01-target is Connected, and then click Done.
On the Volumes and Devices tab, click Auto Configure. Verify that two volumes are added to the
Volume List.
In the iSCSI Initiator Properties dialog box, click OK.
2.
3.
4.
5.
Task 4: Create volumes on the shared storage

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
On NYC-SVR2, click Start, point to Administrative Tools, and then click Server Manager.
In the tree pane of the Server Manager console, expand Storage, and then click Disk Management.
Right-click Disk 2, and then click Online.
Right-click Disk 3, and then click Online.
Right-click Disk 2, and then click Initialize Disk. Verify that both Disk 2 and Disk 3 are selected, and
then click OK.
In the Disk Management result pane, right-click the Unallocated area on Disk 2, and then click New
Simple Volume.
On the Welcome to the New Simple Volume Wizard page of the New Simple Volume Wizard, click
Next.
On the Specify Volume Size page, click Next.
On the Assign Drive Letter or Path page, next to Assign the following drive letter, click Q, and
then click Next.
On the Format Partition page, in the Volume label box, type Data1, and then click Next.
On the Completing the New Simple Volume Wizard page, click Finish.
In the Disk Management result pane, right-click the Unallocated area on Disk 3, and then click New
Simple Volume.
On the Welcome to the New Simple Volume Wizard page of the New Simple Volume Wizard, click
Next.
On the Specify Volume Size page, click Next.
On the Assign Drive Letter or Path page, next to Assign the following drive letter, click M, and
then click Next.
On the Format Partition page, in the Volume label box, type Data2, and then click Next.
On the Completing the New Simple Volume Wizard page, click Finish.
Results: After this exercise, you should have implemented a Windows iSCSI target.
L4-4

following steps:
1.
2.
3.
4.
5.
6.

L5-1
Module 5: Installing and Configuring Windows Server

Exercise 1: Performing a Local Media-Based Installation
Task 1: Read the server installation instructions
Read the contents of the e-mail message presented in the Lab scenario.
Task 2: Install Windows Server 2008

1.
Attach the Windows Server 2008 R2 Installation DVD to NYC-SVR1 using these steps:
a.
b.
c.
d.
e.
In the DVD-Drive pane, select Image file, and then click Browse.
WServer2008R2_Eval.iso, and then click Open.
2.
Right-click 6420B-NYC-SVR1 and then click Connect. Click the Start button. The computer starts
and automatically begins the installation.
3. In the Install Windows dialog box, in the Language to install list, click English.
4. In the Time and currency format list, click English (United States).
5. In the Keyboard or input method list, click US and then click Next.
6. In the Install Windows dialog box, click Install now.
7. In the Operating system list, click Windows Server 2008 R2 Enterprise (Full Installation) and then
click Next.
8. On the Please read the license terms page, select the I accept the license terms check box, and
then click Next.
9. On the Which type of installation do you want? page, click Custom (advanced).
10. On the Where do you want to install Windows? page, click Next.
Note: Setup proceeds; setup copies files, expands files, installs features and updates, and completes
installation. This phase takes around twenty minutes. Your instructor might continue with other
activities during this phase.
11. At the The users password must be changed before logging on the first time prompt, click
OK.
12. In the New password box, type Pa$$w0rd.
13. In the Confirm password box, type Pa$$w0rd and then press ENTER.
14. At the Your password has been changed prompt, click OK.
Results: At the end of this exercise, you will have installed Windows Server 2008 using the instructions
provided.
Exercise 2: Configuring Windows Server

Task 1: Read server post-installation configuration instructions
L5-2
Task 2: Configure post-installation settings

1.
Use the Installation Configuration Tasks (ICT) to configure time zone settings as specified in the email.
a.
b.
c.
d.
2.
Click Set time zone.

In the Date and Time dialog box, click the Change time zone button.
Select (UTC-05:00) Eastern Time (US & Canada), ensure that Automatically adjust clock for
Daylight Saving Time is selected and click OK.
In the Date and Time dialog box, click OK.
Use the ICT to configure networking settings as specified in the e-mail.

a.
b.
c.
d.
e.
Click Configure networking.

In the Network Connections window, right click Local Area Connection and select Properties.
Click on Internet Protocol Version 4 (TCP/IPv4) and click the Properties button.
In the Internet Protocol Version 4 (TCP/IPv4) Properties window, select Use the following IP
address.
Enter the following values:
f.
g.
Select Use the following DNS server addresses.

Enter the following values:
h.
i.
j.
3.

Alternate DNS server: 10.10.0.11
In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click OK.

In the Local Area Connection Properties window, click Close.
Close the Network Connections window.
Use the ICT to configure automatic updating and feedback settings as specified in the e-mail.
a.
b.
4.
IP address: 10.10.0.100
Click Enable automatic updating and feedback.

In the Enable Windows Automatic Updating and Feedback window, select Enable Windows
automatic updating and feedback.
Use the ICT to configure computer name and domain settings as specified in the e-mail.
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
Click on Provide computer name and domain.

In the System Properties window, click the Change button.
In the Computer Name/Domain Changes window, type NYC-SVR1 in the Computer name field.
Select Domain in the Member of section and type Contoso.com in the Domain field.
Click OK.
When prompted to enter administrative account details, use Contoso\Administrator and a
password of Pa$$w0rd.
When the Welcome to the Contoso domain dialog box appears, click OK.
When prompted that you must restart your computer to apply these changes, click OK.
In the System Properties window, click Close.
When prompted to restart, click Restart Now.
L5-3
Results: At the end of this exercise, you will have configured post-installation settings on a Windows
Server 2008 computer using the instructions provided.
Exercise 3: Configuring Services

Task 1: Configure Print Spooler service settings
1.
2.
3.
4.
5.
6.
7.
8.
Log on to the 6420B-NYC-SVR1 virtual machine as Contoso\Administrator with a password of

Pa$$w0rd.
On 6420B- NYC-SVR1 click Start, right-click Computer and then click Manage.
In Server Manager, expand Configuration in the left-hand column and select Services.
Scroll down to Print Spooler. Note that Print Spooler status is Started and startup is set to
Automatic.
Right-click on Print Spooler and then click Properties.
Click the drop down box for Startup type and choose Disabled.
Click the Stop button to stop the Print Spooler service and then click OK.
Results: At the end of this exercise, you will have configured service startup settings using the Services
Applet.
Exercise 4: Configuring Devices

Task 1: Update the Standard PS/2 Keyboard driver
1.
2.
3.
4.
5.
6.
7.
8.
On NYC-SVR1, click Start, right-click Computer, and then click Manage.

In Server Manager, expand Diagnostics in the left hand column and select Device Manager.
In the Device Manager window, expand Keyboards, right-click Standard PS/2 Keyboard, and then
click Update Driver Software.
In the Update Driver Software Standard PS/2 Keyboard dialog box, click Browse my computer
for driver software.
On the Browse for driver software on your computer page, click Let me pick from a list of
device drivers on my computer.
In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102 Key) and
then click Next.
Click Close.
In the System Settings Change dialog box, click Yes to restart the computer.
Results: At the end of this exercise, you will have updated a device driver using Device Manager.
Task 2: Rollback the driver to its previous version

1.
2.
3.
4.
5.
6.

Pa$$w0rd.
Click Start, right-click Computer, and then click Manage.
In Server Manager, expand Diagnostics in the left hand column and select Device Manager.
In the Device Manager window, expand Keyboards, right-click
PC/AT Enhanced PS/2 Keyboard (101/102 Key) and then click Properties.
In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box, click the Driver tab.
L5-4
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
Click Roll Back Driver.

In the Driver Package rollback dialog box, click Yes.
Click Close, and then in the System Settings Change dialog box, click Yes to restart the computer.
Pa$$w0rd.
Click Start, right-click Computer, and then click Manage.
In Computer Management, click Device Manager.
Expand Keyboards and then click Standard PS/2 Keyboard.
Verify that you have successfully rolled back the driver.
Results: At the end of this exercise, you will have performed a rollback on a device driver using Device
Manager.

following steps:
1.
2.
3.
4.
5.
6.

L6-1
Module 6: Windows Server Roles

Exercise 1: Determining the Appropriate Roles to Deploy
Note: Your instructor may run this exercise as a class discussion.
Read the supporting documentation to determine the server requirements of the branch offices.
Task 2: Complete the Branch Office Server Deployment Recommendations document

1.
2.
Answer the questions in the Branch Office Server Deployment Recommendations document.
Complete the Deployment Proposals section of the document.
Document Author
Date
Charlotte Weiss
4th April
Deploy required server roles to the branch offices to ensure that the needs of the users are met.
None.
Proposals
1. How will you address the requirement that all computers can obtain an IPv4 configuration
automatically even if the link to the head office is down?
Answer: Deploy the Dynamic Host Configuration Protocol (DHCP) server role to each branch and
configure an appropriate scope for the branch.
2. How will you address the requirement that all users must be able to logon to the network even if
the link to the head office is down?
Answer: Deploy an Active Directory Domain Services (AD DS) domain controller to each
branch. Deploying a read-only domain controller (RODC) might be sensible especially where
physical security is an issue. AD DS domain controllers also require Domain Name System (DNS),
so the DNS server role must also be deployed to the branches.
3. How will you address the requirement that users need to be able to access shared files?
Answer: Deploy the File Services role.
4. How will you address the requirement that users need to be able to use shared printers?
Answer: Deploy the Print and Document Services role.
5. What kind of server best supports the needs of the database application?
Answer: An application server.
6. What roles support this kind of server?
Answer: The Application Server role provides the necessary components.
7. How will you address the requirement that the computers must obtain updates from a local
L6-2

update server?
Answer: Deploy the Windows Server Update Service role.
Proposals
8. Which roles are required at the branch servers?
Answer: DHCP Server
DNS Server
AD DS
File Services
Print and Document services
Application Server
Windows Server Update Service
Results: After this exercise, you should have completed the Branch Office Server Deployment
Recommendations document.
Exercise 2: Deploying the Determined Server Roles

Task 1: Deploy infrastructure-related roles
1.
2.
3.
4.

Click Start, point to Administrative Tools, and then click Server Manager.
In Server Manager, in the navigation pane, click Roles, and then in the Results pane, click Add Roles.
In the Add Roles Wizard, on the Before You Begin page, click Next and then on the Select Server
Roles page, in the Roles list, select the following check boxes, and then click Next.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
DHCP Server
DNS Server
On the DNS Server and DHCP Server pages, click Next.

On the Select Network Connection Bindings page, remove the check box next to 192.168.10.1,
and then click Next.
On the Specify IPv4 DNS Server Settings page, click Next.
On the Specify IPv4 WINS Server Settings page, click Next.
On the Add or Edit DHCP Scopes page, click Next.
On the Configure DHCPv6 Stateless Mode page, click Next.
On the Specify IPv6 DNS Server Settings page, click Next.
On the Authorize DHCP Server page, click Next.
On the Confirm Installation Selections page, click Install.
On the Installation Results page, click Close.
In the Results pane, click Add Roles.
Note: It is necessary to add the AD DS role separately from the DNS role.
16. In the Add Roles Wizard, on the Before You Begin page, click Next and then on the Select Server
Roles page, in the Roles list, select the Active Directory Domain Services check box.
17. In the Add Roles Wizard dialog box, click Add Required Features.
18.
19.
20.
21.
L6-3
On the Select Server Roles page, click Next.

On the Active Directory Domain Services page, click Next.
Note: You are not required to configure AD DS.
Task 2: Deploy file and print-related roles

1.
2.
3.
4.
5.
6.
7.
8.

Roles page, in the Roles list, select the following check boxes and then click Next.
File Services
Print and Document Services
On the Print and Document Services page, click Next.

On the Select Role Services page, click Next.
On the File Services page, click Next.
On the Select Role Services page, click Next.
Task 3: Deploy application server-related roles

1.
2.

Roles page, in the Roles list, select the Application Server check box.
3. In the Add Roles wizard dialog box, click Add Required Features.
4. On the Select Server Roles page, click Next.
5. On the Application Server page, click Next.
6. On the Select Role Services page, select the Web Server (IIS) Support check box.
7. In the Add Roles Wizard dialog box, click Add Required Role Services.
8. On the Select Role Services page, click Next.
9. On the Web Server (IIS) page, click Next.
10. On the Select Role Services page, click Next.
11. On the Confirm Installation Selections page, click Install.
12. On the Installation Results page, click Close.
Task 4: Verify supplemental roles and features

Question: In Roles Summary, why are some roles showing with a red cross symbol?
Answer: Some require additional configuration while others have experienced a number of errors in the
recent past.
1.
2.
In the navigation pane, click Features.

Examine the features that are installed.
Question: When where these installed?

Answer: As part of the installation process of the installed roles and role services.
3.
L6-4
Results: After this exercise, you should have deployed all required roles and features.

following steps:
1.
2.
3.
4.
5.
6.

L7-1
Module 7: Implementing Active Directory Domain Services
Exercise 1: Promoting a New Domain Controller
Task: Add an additional domain controller
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.

Click Start and in the Search box, type dcpromo and then press ENTER.
Wait while the Active Directory Domain Services (AD DS) binaries are installed.
In the Active Directory Domain Services Installation Wizard, on the Welcome to the Active
Directory Domain Services Installation Wizard page, click Next.
On the Operating System Compatibility page, click Next.
On the Choose a Deployment Configuration page, click Existing forest and then click Next.
On the Network Credentials page, click Next.
On the Select a Domain page, click Next.
On the Select a Site page, click Next.
On the Additional Domain Controller Options page, click Next.
In the Active Directory Domain Services Installation Wizard warning dialog box, click Yes.
On the Location for Database, Log Files, and SYSVOL page, click Next.
On the Directory Services Restore Mode Administrator Password page, in the Password and
Confirm password boxes, type Pa$$w0rd and then click Next.
On the Summary page, click Next.
In the Active Directory Domain Services Installation Wizard dialog box, select the Reboot on
completion check box.
Results: After this exercise, you will have promoted a new domain controller.
Exercise 2: Creating an Organizational Unit

Task: Create an organizational unit
1.
2.
3.
4.
5.
Once NYC-SVR2 has restarted, log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
In Active Directory Users and Computers, in the Navigation pane, click Contoso.com.
Right-click Contoso.com, point to New, and then click Organizational Unit.
In the New Object Organizational Unit dialog box, in the Name box, type A Datum Merger
Team and then click OK.
Results: After this exercise, you will have created a new organizational list.
L7-2
Exercise 3: Configuring Accounts

Task 1: Add user accounts
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
In Active Directory Users and Computers, right-click A Datum Merger Team, point to New and then
click User.
In the New Object User dialog box, in the First name box, type Christian.
In the Last name box, type Kemp.
In the User logon name box, type Christian and then click Next.
In the Password and Confirm password boxes, type Pa$$w0rd.
Clear the User must change password at next logon check box and then click Next.
Click Finish.
click User.
In the New Object User dialog box, in the First name box, type Tony.
In the Last name box, type Allen.
In the User logon name box, type Tony and then click Next.
Click Finish.
click User.
In the New Object User dialog box, in the First name box, type Pia.
In the Last name box, type Lund.
In the User logon name box, type Pia and then click Next.
Click Finish.
click User.
In the New Object User dialog box, in the First name box, type Soha.
In the Last name box, type Kamal.
In the User logon name box, type Soha and then click Next.
Click Finish.
click User.
In the New Object User dialog box, in the First name box, type Oliver.
In the Last name box, type Cox.
In the User logon name box, type Oliver and then click Next.
Click Finish.
Task 2: Create groups

1.
2.
click Group.
In the New Object Group dialog box, in the Group Name box, type Mergers and Acquisitions
and then click OK.
3.
4.
L7-3
click Group.
In the New Object Group dialog box, in the Group Name box, type Merger Team Management
and then click OK.
Task 3: Add members to the groups

1.
2.
3.
4.
In Active Directory Users and Computers, in the Results pane, click Christian Kemp.
Hold the CTRL key and then click Oliver Cox, Pia Lund, Soha Kamal, and Tony Allen.
Release the CTRL key, right-click Tony Allen, and then click Add to a group.
In the Select Groups dialog box, in the Enter the object names to select (examples) box, type
Mergers and Acquisitions.
5. Click Check Names and then click OK.
6. In the Active Directory Domain Services dialog box, click OK.
7. In the Results pane, double-click Tony Allen.
8. In the Tony Allen Properties dialog box, click the Member Of tab.
9. Click Add, and in the Select Groups dialog box, in the Enter the object names to select
(examples) box, type Merger Team Management.
10. Click Check Names and then click OK.
11. In the Tony Allen Properties dialog box, click OK.
Task 4: Move a computer account

1.
2.
3.
4.
In Active Directory Users and Computers, in the Navigation pane, click Computers.
In the Results pane, right-click NYC-CL1, and then click Move.
In the Move dialog box, in the Move object into container list, click A Datum Merger Team and
then click OK.
In Active Directory Users and Computers, in the Navigation pane, click
A Datum Merger Team.
Task 5: Delegate control of the OU

1.
2.
3.
4.
5.
6.
7.
In the Navigation pane, right-click on A Datum Merger Team and then click Delegate Control.
In the Delegation of Control Wizard, on the Welcome to the Delegation of Control Wizard page,
click Next.
On the Users or Groups page, click Add.
In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select
(examples): box, type Merger Team Management, click Check Names and then click OK.
On the Users or Groups page, click Next.
On the Tasks to Delegate page, select the Reset user passwords and force password change at
next logon check box and then click Next.
Click Finish.
Results: After this exercise, you will have created the necessary users accounts and groups, and
moved the users computer accounts into the OU.
Exercise 4: Creating a GPO

Task 1: Create a GPO
1.
2.
3.
Click Start, point to Administrative Tools, and then click Group Policy Management.
Expand Forest: Contoso.com, expand Domains, and then expand Contoso.com.
In the Navigation pane, right-click on Group Policy Objects, and then click New.
L7-4
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
In the New GPO dialog box, in the Name box, type A Datum Merger Team GPO and then click OK.
Expand Group Policy Objects, right-click on A Datum Merger Team GPO, and then click Edit.
In the Group Policy Management Editor, expand User Configuration, expand Policies, expand
Windows Settings, and then click Scripts (Logon/Logoff).
In the Results pane, double-click Logon.
In the Logon Properties dialog box, click Add.
In the Add a Script dialog box, click Browse.
In the Browse dialog box, right-click in the No items match your search box, click New, and then
click Text Document.
Highlight the entire filename, including the file extension, and type logon.vbs and press ENTER.
In the Rename dialog box, click Yes.
Right-click logon.vbs and then click Edit.
In the Open File Security Warning dialog box, click Open.
In notepad, type msgbox Welcome to the A Datum Merger Team.
Click File and then click Save.
Close Notepad.
In the Browse dialog box, click Open.
In the Add a Script box, click OK.
In the Logon Properties dialog box, click OK.
Close the Group Policy Management Editor.
Task 2: Link the GPO

1.
2.
In Group Policy Management, in the Navigation pane, right-click A Datum Merger Team, and then
click Link an Existing GPO.
In the Select GPO dialog box, in the Group Policy objects list, click A Datum Merger Team GPO
and then click OK.
Task 3: Test the GPO

1.
2.
Switch to NYC-CL1 and log off.

User name: Tony
Password: Pa$$w0rd
Domain: Contoso
Question: Does the script run?

Answer: Yes.
Results: After this exercise, you will have created a GPO and linked it to the A Datum Merger Team
OU.

following steps:
1.
2.
3.
4.
5.

Repeat these steps for 6420B-NYC-S VR2 and 6420B-NYC-CL1.
6.
L7-5
L7-6
L8-1
Module 8: Implementing IT Security Layers

Exercise 1: Implementing Physical Security
1.
2.
Read e-mail and the attached incident record with a view to determining the possible problem
causes.
Read the Contoso Network Security Policy Laptops document with a view to determine if you must
enforce any changes at the branch based on corporate policies.
Task 2: Complete the incident record

1.
2.
Answer the questions in the incident record.

Complete the Resolution section of the incident record.
Called logged by
Date of call
Time of call
User
Status
Ed Meadows
10th May
10:50
Alan Brewer
OPEN
Incident Details
Call logged by Information Technology (IT) manager following enquiries at branch offices
concerning physical security problems raised by Research department manager, Alan Brewer.
Reported concerns:
1. Laptops are used by research staff and they often take these home.
2. In some branches there is no dedicated room for the servers.
3. External contract staff can connect their own computers to the research networks.
4. Staff use personal Universal Serial Bus (USB) storage devices on work computers.
Questions
1. What security policies apply to the branch office laptops as defined in the Contoso Network
Security Policy Laptops document?
Answer: All of the policies apply.
2. What security concerns do you have about the branch offices?
Answer: If users can take their laptops home, this raises several security issues. Firstly, the users
are connecting to unmanaged networks (at home or possibly elsewhere) and then reconnecting
to the corporate network. Secondly, the laptop computers are at risk of being lost or stolen.
3. How would you address the concerns you might have about the lack of dedicated server
computer rooms?
Answer: Place the servers in a location that is least likely to result in their accidental damage.
4. How would you address the concerns you might have about contractor computer use?
Answer: Implement NAP to ensure that only computers that meet the network health
requirements can connect.
L8-2

5. How would you address the concerns you might have about removable storage devices?
Answer: Use Group Policy Object (GPO) to restrict the type of device that users can use; if
appropriate, block all use of external universal serial bus (USB) storage devices.
Answer: See lab answer key for suggested answer.
Answer: See lab answer key for suggested answer.
Resolution
Enable and configure BitLocker and EFS on portable computers.
Enable and configure BitLocker on servers.
Deploy only RODCs to branches, not writable domain controllers (DCs).
Implement NAP.
Implement GPO to restrict USB storage device usage.
Configure restrictive file permissions.
Results: After this exercise, you should have completed the incident record.
Exercise 2: Configuring Security Settings in Internet Explorer

Task 1: Verify current Internet Explorer security settings
1.
2.
3.
4.
5.

On the Taskbar, click Internet Explorer.
Click Tools, and then click Internet Options.
In the Internet Options dialog box, click the Security tab.
In the Select a zone to view or change security settings list, click Local intranet.
Question: What is the current Security level for this zone?
Answer: Medium-low.
Task 2: Change the Intranet Zone security settings

1.
2.
3.
Under Security level for this zone, move the slider to High.
Select the Enable Protected Mode (requires restarting Internet Explorer) check box and then
click OK.
Task 3: Test the security changes

Note: If the Welcome to Internet Explorer 8 dialog box appears, click Ask me later.
1.
2.
3.
On the Taskbar, click Internet Explorer.

In the Address bar, type http://nyc-dc1/intranet and press ENTER.
Examine the status bar. What security zone is this Web site?
Answer: Local intranet.
4.
5.
Read the Information Bar. What is the problem?

Answer: An add-on for this Web site failed to run.
6.
Click Tools, and then click Manage Add-ons.

Question: Can you see a Tabular Data Control Add-on?
Answer: No.
7.
8.
In the Manage Add-ons dialog box, click Close.

Close the Contoso Projects Web page.
Task 4: Add the Web site to the Trusted Sites list

1.
2.
3.
On the Contoso Intranet Home Page, click Tools, and then click Internet Options.
In the Internet Options dialog box, click the Security tab.
In the Select a zone to view or change security settings list, click Trusted sites.
Question: What is the current Security level for this zone?
Answer: Medium.
4.
5.
6.
Click Sites.
In the Trusted sites dialog box, clear the Require server verification (https:) for all sites in this
zone check box, click Add, and then click Close.
In the Internet Options dialog box, click OK.
Task 5: Test the Security Zone change

1.
On the Contoso Intranet Home Page, click Current Projects.

Question: Did the projects list populate?
Answer: Yes.
2.
Click Tools, and then click Manage Add-ons.

Question: Can you see a Tabular Data Control Add-on?
Answer: Yes.
3.
4.
5.
In the Manage Add-ons dialog box, click Close.

Close the Contoso Projects Web page.
Close the Contoso Intranet Home Page.
Results: After this exercise, you should have modified Internet Explorer security settings.

following steps:
1.
2.
3.
4.
5.
6.

Repeat these steps for 6420B-NYC-CL1.
L8-3
L8-4
L9-1
Module 9: Implementing Windows Server Security

Exercise 1: Configuring an Accounts Policy
Task 1: Configure Password Policy settings
1.
2.
3.
4.
5.
6.
7.
8.
9.
Switch to the NYC-DC1 virtual machine.

Click Start, point to Administrative Tools, and then click Group Policy Management.
Expand Forest:Contoso.com, expand Domains, expand Contoso.com. Right-click Default Domain
Policy and then click Edit.
Under Computer Configuration, expand Policies, expand Windows Settings, expand Security
Settings, and then click Account Policies.
In the results window, double-click Password Policy.
Double-click Enforce password history and type 5 into the passwords remembered field. Click OK.
Double-click Maximum password age and type 60 into the password will expire in: field. Click OK.
Double-click Minimum password length and type 8 into the Password must be at least: field.
Click OK.
Double-click Password must meet complexity requirements and verify that Enabled is selected.
Click OK.
Task 2: Configure Account Lockout Policy settings

1.
2.
3.
4.
5.
6.
Click Account Lockout Policy in the left hand pane of the Group Policy Management Editor window.
Double-click Account lockout threshold and type 3 into the Invalid logon attempts field.
In the Account lockout threshold Properties dialog box, click OK.
In the Suggested Value Changes window, click OK to accept the suggested values.
Close the Group Policy Management Editor window.
Close the Group Policy Management console.
Results: At the end of this exercise, you will have configured password and account lockout policy
settings.
Exercise 2: Securing NTFS Files and Folders

Task 1: Create the C:\Research folder structure
1.
2.
3.
4.
5.
6.
7.
8.
On NYC-SVR3, click Start, click Computer, and then double-click Local Disk (C:).
On the toolbar, click New folder.
Type Research in the folder name field and press ENTER.
Double-click the Research folder.
Type Classified in the folder name field and press ENTER.
Type Projects in the folder name field and press ENTER.
Task 2: Assign appropriate NTFS file and folder permissions to the folder structure
1.
2.
3.
Click the Back button and then right-click the Research folder and click Properties.
In the Research Properties dialog box, click the Security tab, click Advanced.
In the Advanced Security Settings for Research dialog box, click the Change Permissions button.
L9-2
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
In the Advanced Security Settings for Research dialog box, uncheck the Include inheritable
permissions from this objects parent check box and click the Add button in the Windows
Security pop-up dialog box.
In the Advanced Security Settings for Research dialog box, click OK.
In the Advanced Security Settings for Research dialog box, click OK again.
In the Research Properties dialog box, on the Security tab, click Edit.
In the Permissions for Research dialog box, in the Group or user names box, click Users (NYCSVR3\Users) and then click the Remove button.
In the Permissions for Research dialog box, click Add.
In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select (examples) box, type Contoso\Research, click Check Names, and then click OK.
In the Group or user names box, click Research (Contoso\Research).
In the Permissions for Research dialog box, next to Full Control, select the Allow check box and
click OK.
In the Research Properties window, click OK.
Double-click the Research folder and then right-click the Classified folder and click Properties.
In the Classified Properties dialog box, on the Security tab, click Advanced.
In the Advanced Security Settings for Classified dialog box, click the Change Permissions button.
In the Advanced Security Settings for Classified dialog box, uncheck the Include inheritable
permissions from this objects parent check box and click the Add button in the Windows
Security pop-up dialog box.
Note: Clicking the Remove button here will remove all NTFS permissions for the folder, including
your permissions as Administrator. This will prohibit you from making any changes to the folder,
including assigning permissions.
18.
19.
20.
21.
22.
23.
24.
25.
26.
In the Advanced Security Settings for Classified dialog box, click OK.
In the Advanced Security Settings for Classified dialog box, click OK again.
In the Classified Properties dialog box, on the Security tab, click Edit.
In the Permissions for Classified dialog box, in the Group or user names box, click Research
Contoso\Research) and then click the Remove button.
In the Permissions for Classified dialog box, click Add.
names to select (examples) box, type Contoso\Max, click Check Names, and then click OK.
In the Group or user names box, click Max Stevens (Contoso\Max).
In the Permissions for Classified dialog box, next to Full Control, select the Allow check box and
click OK.
In the Classified Properties window, click OK.
Task 3: Share the C:\Research folder on the network and set appropriate shared folder
permissions
1.
2.
3.
4.
5.
Click the Back button, and then right-click the Research folder and click Properties.
In the Research Properties dialog box, click the Sharing tab, click Advanced Sharing.
Click the Share this folder check box, leave the Share name as Research, and then click the
Permissions button.
In the Permissions for Research dialog box, in the Group or user names box, click Everyone and
then click the Remove button.
In the Permissions for Research dialog box, click Add.
L9-3
6.
names to select (examples) box, type Contoso\Research, click Check Names, and then click OK.
7. In the Group or user names box, click Research (Contoso\Research).
8. In the Permissions for Research dialog box, next to Full Control, select the Allow check box, and
then click OK.
9. In the Advanced Sharing dialog box, click OK.
10. In the Research Properties dialog box, click Close.
11. Close Windows Explorer.
Results: At the end of this exercise, you will have assigned both NTFS file, folder and Shared folder
permissions.
Exercise 3: Encrypting Files

Task 1: Encrypt files and folders using Encrypting File System (EFS)
1.
2.
3.
4.
5.
6.
7.
8.
9.
On NYC-SVR3, click Start, click Computer, and then double-click Local Disk (C:).
In the right-hand pane, double-click on the Research folder.
In the right-hand pane, double-click on the Classified folder.
In the right-hand pane, right-click, point to New and then click Text Document.
Rename the New Text Document.txt file as Personal.txt.
In the left hand column, double click on Local Disk (C:) and then click on the Research folder.
In the right-hand column, right click the Classified folder and click Properties.
In the Classified Properties dialog box, click the Advanced button.
In the Advanced Attributes dialog box, check the Encrypt contents to secure data checkbox and
click OK.
10. In the Classified Properties dialog box, click OK.
11. In the Confirm Attribute Changes pop-up dialog box, ensure Apply changes to this folder,
subfolders and files is selected, then click OK.
12. Close Windows Explorer and then log off of NYC-SVR3.
Task 2: Confirm that files are encrypted

1.
2.
3.
4.
5.
6.
7.
Log on to NYC-SVR3 as Contoso\Max with a password of Pa$$w0rd.

Click Start, click Computer, and then double-click Local Disk (C:).
In the right-hand pane, double-click on the Classified folder.
In the right-hand pane, double-click on Personal and confirm that a pop-up dialog box appears
informing you that Access is denied and click OK.
Close Notepad.
Close Windows Explorer and log off of NYC-SVR3.
Task 3: Decrypt files and folders

1.
2.
3.
4.
5.
6.
7.
Log on to NYC-SVR3 as Contoso\Administrator with a password of Pa$$w0rd.

Click Start, click Computer, and then double-click Local Disk (C:).
In the right-hand pane, right-click on the Classified folder and click Properties.
In the Classified Properties dialog box, click the Advanced button.
In the Advanced Attributes dialog box, uncheck the Encrypt contents to secure data checkbox
and click OK.
In the Classified Properties dialog box, click OK.
L9-4
8.
9.
In the Confirm Attribute Changes pop-up dialog box, ensure Apply changes to this folder,
subfolders and files is selected, then click OK.
Close Windows Explorer.
Results: At the end of this exercise, you will have encrypted and decrypted files using EFS.

following steps:
1.
2.
3.
4.
5.
6.

Module 10: Implementing Network Security

Exercise 1: Configuring Windows Firewall with Advanced Security
Task 1: Test network connectivity with Ping
1.
2.
3.

On NYC-DC1, click Start, and in the Search box, type cmd.exe and press ENTER.
Ping nyc-cl1

Answer: Yes
Task 2: Configure a new firewall rule

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.

On NYC-CL1, click Start, and in the Search box, type Windows Firewall.
In the Programs (1) list, click Windows Firewall with Advanced Security.
In Windows Firewall with Advanced Security, in the navigation pane, click Inbound Rules.
Right-click Inbound Rules and then click New Rule.
In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next.
On the Program page, click All programs, and then click Next.
On the Protocol and Ports page, in the Protocol type list, click ICMPv4 and then click Next.
On the Scope page, click Next.
On the Action page, click Block the connection and then click Next.
On the Profile page, click Next.
On the Name page, in the Name box, type Contoso ICMPv4 Rule and then click Finish.
In the navigation pane, expand Monitoring and then click Firewall.
Question: Can you see the new rule?
Answer: Yes
Task 3: Test the rule

1.
2.

Ping nyc-cl1

Answer: No
Task 4: Disable the new rule

1.
2.
3.
4.
5.
6.

In Windows Firewall with Advanced Security, in the navigation pane, click Inbound Rules.
In the Results pane, right-click Contoso ICMPv4 Rule and then click Disable Rule.
Close Windows Firewall with Advanced Security.
L10-1
L10-2
Ping nyc-cl1

Answer: Yes
Results: After this exercise, you should have created and tested an inbound firewall rule.
Exercise 2: Configuring Compliance with NAP

Task 1: Install the Network Policy Server role
1.
2.
3.
4.
5.

On the Taskbar, click Server Manager.
In Server Manager, click Roles.
In the Action pane, click Add Roles.
Roles page, select the Network Policy and Access Services check box and then click Next.
6. On the Network Policy and Access Services page, click Next.
7. On the Select Role Services page, select the Network Policy Server check box, and then click Next.
8. On the Confirm Installation Selections page, click Install.
9. On the Installation Results page, click Close.
10. Close Server Manager.
Task 2: Configure the Dynamic Host Configuration Protocol (DHCP) Server role
1.
2.
Click Start, point to Administrative Tools, and then click DHCP.

In DHCP, expand NYC-SVR2.contoso.com, expand IPv4, click and then right-click Scope [10.10.0.0]
Deployment, and then click Properties.
3. In the Scope [10.10.0.0] Deployment Properties dialog box, click the Network Access Protection
tab, click Enable for this scope, and then click OK.
4. In the navigation pane, click Scope Options.
5. Right-click Scope Options, and then click Configure Options.
6. In the Scope Options dialog box, click the Advanced tab.
7. In the User class list, click Default Network Access Protection Class.
8. In the Available Options list, select the 006 DNS Servers check box.
9. In the IP address box, type 10.10.0.10 and then click Add.
10. In the Available Options list, select the 015 DNS Domain Name check box.
11. In the String value box, type restricted.contoso.com and then click OK.
12. Close DHCP.
Task 3: Configure the System Health Validator

1.
2.
3.
4.
On NYC-SVR2, click Start, point to Administrative Tools, and then click Network Policy Server.
In the navigation pane, expand Network Access Protection, expand System Health Validators,
expand Windows Security Health Validator, and then click Settings.
In the Results pane, double-click Default Configuration.
In the Windows Security Health Validator dialog box, clear all check boxes except An antivirus
application is on and then click OK.
Note: Configure only the settings for Windows 7/Windows Vista clients.
L10-3
Task 4: Disable unessential network policies

1.
2.
In Network Policy Server, in the navigation pane, expand Policies and then click Network Policies.
In the Results pane, right click each of the two listed policies, and for each one, click Disable.
Task 5: Create required health policies

1.
2.
3.
4.
5.
6.
7.
8.
9.
In the navigation pane, click Health Policies.

Right-click Health Policies, and then click New.
In the Create New Health Policy dialog box, in the Policy name box, type Healthy Client.
In the Client SHV checks list, click Client passes all SHV checks.
Select the Windows Security Health Validator check box and then click OK.
Right-click Health Policies, and then click New.
In the Create New Health Policy dialog box, in the Policy name box, type Un-Healthy Client.
In the Client SHV checks list, click Client fails one or more SHV checks.
Select the Windows Security Health Validator check box and then click OK.
Task 6: Create the required network policies

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
In the navigation pane, click Network Policies.

page, in the Policy name box, type Healthy Unrestricted Client and click Next.
In the Health Policies dialog box, in the Health policies list, click Healthy Client and then click OK.
In the Results pane, click Allow full network access and then click Next.
page, in the Policy name box, type Un-healthy Restricted Client and click Next.
In the Health Policies dialog box, in the Health policies list, click Un-Healthy Client and then click
OK.
In the Results pane, click Allow limited access and then click Next.
Task 7: Configure client NAP settings

1.
L10-4
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
Click Start, and in the Search box, type napclcfg.msc and then press ENTER.
In napclcfg [NAP Client Configuration (Local Computer)], in the navigation pane, click Enforcement
Clients.
In the Results pane, right-click DHCP Quarantine Enforcement Client and then click Enable.
Close napclcfg [NAP Client Configuration (Local Computer)].
Click Start, and in the Search box, type Services.msc and press ENTER.
In Services, in the Results pane, double-click Network Access Protection Agent.
In the Network Access Protection Agent Properties (Local Computer) dialog box, in the Startup
type list, click Automatic.
Click Start and then click OK.
Close Services.
Click Start, and in the Search box, type mmc, and then press ENTER.
On the File menu, click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, under Available snap-ins, click Group Policy Object
Editor, and then click Add.
In the Select Group Policy Object dialog box, click Finish, and then click OK.
In the console tree, expand Local Computer Policy, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, and then click Security Center.
Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
Close the console window. When prompted to save settings, click No.
Task 8: Configure client to obtain an IPv4 address dynamically

1.
2.
3.
4.
5.
6.
7.
Click Start, and in the Search box, type Network and in the Control Panel (28) list, click Network
and Sharing Center.
In Network and Sharing Center, in the left-pane, click Change adapter settings.
(TCP/IPv4).
In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address
automatically.
Click Obtain DNS server address automatically and then click OK.
In the Local Area Connection Properties dialog box, click OK.
Task 9: Test NAP

1.
2.
On NYC-CL1, click Start, and in the Search box, type cmd.exe and press ENTER.
Ipconfig /release
3.
Ipconfig /renew
4.
Ipconfig /all
Question: What is your Connection-specific Domain Name System (DNS) Suffix?

Answer: Restricted.contoso.com
Question: What is your Quarantine State?
Answer: Restricted
Results: After this exercise, you should have enabled NAP with DHCP enforcement.

following steps:
1.
2.
3.
4.
5.
6.

L10-5
L10-6
L11-1
Module 11: Implementing Security Software

Exercise 1: Restricting Applications with AppLocker
Task 1: Create a Group Policy object (GPO) to enforce the default AppLocker
Executable rules
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.
Expand Forest: Contoso.com, then expand Domains.
Expand Contoso.com.
Click Group Policy Objects.
Right-click Group Policy Objects and click New.
Name the new GPO WordPad Restriction Policy and click OK.
Right-click WordPad Restriction Policy and click Edit.
Expand Computer Configuration, then expand Policies, then expand Windows Settings, then
expand Security Settings, then expand Application Control Policies and then expand AppLocker.
Select Executable Rules, then right-click and select Create New Rule.
Click Next.
On the Permissions screen, select Deny, and then click Next.
On the Conditions screen, select Publisher, and then click Next.
Click Browse , and then click Computer.
Double click Local Disk (C:).
Double-click Program Files, then double click Windows NT, then double-click Accessories and then
select wordpad.exe and click Open.
Move the slider up to the File name: position and click Next.
Click Next again, then click Create.
Click Yes if prompted to create default rules.
In the Group Policy Editor, expand Computer Configuration, expand Windows Settings, and then
expand Security Settings.
Expand Application Control Policies.
Click AppLocker, and then right-click and select Properties.
On the Enforcement tab, under Executable rules, click the Configured checkbox and select Enforce
rules.
Click OK.
In the Group Policy Editor, expand Computer Configuration, expand Windows Settings, and then
expand Security Settings.
Click on System Services and then double-click on Application Identity.
In the Application Identity Properties dialog box, select the Define this policy setting check box.
Select Automatic under Select service startup mode and click OK.
Close Group Policy Management Editor.
Task 2: Apply the GPO to the Contoso.com domain

1.
2.
3.
4.
5.
In the Group Policy Management window, expand Forest: Contoso.com.

Expand Domains.
Expand Contoso.com.
Expand Group Policy Objects.
Drag the WordPad Restriction Policy GPO on top of the Contoso.com domain container.
L11-2
6.
7.
8.
9.
Click OK to link the GPO to the domain.

Click Start, in the Search programs and files box, type cmd, and then press ENTER.
In the Command Prompt window, type gpupdate /force and press ENTER. Wait for the policy to be
updated.
Task 3: Test the AppLocker rule

1.
2.
3.
Log on to the NYC-CL1 as Contoso\Alan with a password of Pa$$w0rd.

Click Start, in the Search programs and files box, type cmd, and then press ENTER.
In the Command Prompt window, type gpupdate /force and press ENTER. Wait for the policy to be
updated.
Click Start, click All programs, click Accessories and then click WordPad.
Click OK when prompted with a message.
4.
5.
Note: The AppLocker policy should restrict you from running this application. If the application runs,
log off NYC-CL1 and log on again. It may take a few minutes for the policy setting to apply to NYCCL1 Once the policy setting has applied, the application will be restricted.
Results: After this exercise, you will have restricted an application by using AppLocker.
Exercise 2: Use the Security Configuration Wizard

Task 1: Create a security policy
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
On NYC-DC1 click Start, click Administrative Tools and run the Security Configuration Wizard.
On the Welcome to the Security Configuration Wizard page, click Next.
On the Configuration Action page, select Create a new security policy, and then click Next.
On the Select Server page, accept the default server name, NYC-DC1, and click Next.
On the Processing Security Configuration Database page, you can optionally click View
Configuration Database and explore the configuration that was discovered on NYC-DC1.
Click Next.
On the Role-Based Service Configuration section introduction page, click Next.
On the Select Server Roles page, you can optionally explore the settings that were discovered on
NYC-DC1, but do not change any settings. Click Next.
On the Select Client Features page, you can optionally explore the settings that were discovered on
NYC-DC1, but do not change any settings. Click Next.
On the Select Administration and Other Options page, you can optionally explore the settings that
were discovered on NYC-DC1, but do not change any settings. Click Next.
On the Select Additional Services page, you can optionally explore the settings that were
discovered on NYC-DC1, but do not change any settings. Click Next.
On the Handling Unspecified Services page, do not change the default setting; do not change the
startup mode of the service. Click Next.
On the Confirm Service Changes page, in the View list, choose All services.
Examine the settings in the Current Startup Mode column, which reflect service startup modes on
NYC-DC1, and compare them to the settings in the Policy Startup Mode column.
In the View list, select Changed services.
Click Next.
L11-3
17. On the Network Security section introduction page, click Next.

18. On the Network Security Rules page, you can optionally examine the firewall rules derived from the
configuration of NYC-DC1. Do not change any settings. Click Next.
19. On the Registry Settings section introduction page, click Next.
20. On each page of the Registry Settings section, examine the settings, but do not change any of them,
then click Next. Continue clicking Next at each page until you get to the Registry Settings
Summary page appears, examine the settings and click Next.
21. On the Audit Policy section introduction page, click Next.
22. On the System Audit Policy page, examine but do not change the settings. Click Next.
23. On the Audit Policy Summary page, examine the settings in the Current Setting and Policy
Setting columns. Click Next.
24. On the Save Security Policy section introduction page, click Next.
25. In the Security Policy File Name text box, click at the end of the file path and type DC Security
Policy.
26. Click the View Security Policy button.
Note: You are prompted to confirm the use of the ActiveX control.
27.
28.
29.
30.
31.
Click Yes.
Close the window after you have examined the policy.
In the Security Configuration Wizard, click Next.
On the Apply Security Policy page, accept the Apply later default setting, and then click Next.
Click Finish.
Task 2: Transform a security policy into a GPO

1.
2.
3.
4.
5.
6.
7.
8.
On NYC-DC1, click Start, in the Search programs and files box, type cmd, and then press ENTER.
Type cd c:\windows\security\msscw\policies and then press ENTER.
Type scwcmd transform /p:DC Security Policy.xml /g:DC Security Policy and then press
ENTER.
Close the Command Prompt window.
Click Start, click Administrative Tools, and then click Group Policy Management.
In the console tree expand Forest:Contoso.com, Domains, Contoso.com, and Group Policy
Objects, and then click DC Security Policy. This is the GPO created by the Scwcmd.exe command.
Click the Settings tab to examine the settings of the GPO.
Results: After this exercise, you will have used the Security Configuration wizard to create a security
policy named DC Security Policy, and transformed the security policy to a Group Policy object named
DC Security Policy.
Exercise 3: Hardening the Security Settings on Windows Server

Task 1: Install Microsoft Baseline Security Analyzer (MBSA) on
NYC-SVR2
1.
2.
3.
On NYC-SVR2, open Windows Explorer and navigate to E:\Labfiles\MBSA.

Double-click MBSASetup-x64-en.msi. Click Run.
Click Next.
L11-4
4.
5.
6.
7.
8.
Choose I accept the license agreement.

Click Next.
Click Next.
Click Install.
Click OK.
Task 2: Run the default MBSA scan

1.
2.
3.
On NYC-SVR2, on the desktop, double-click Microsoft Baseline Security Analyzer 2.1.

Click Scan a computer.
Remove the Check for security updates checkmark.
Note: It is important to note the best practice is to keep this box checked, but for the class as there is
no Internet connectivity, it will fail if you dont uncheck it.
4.
Click Start Scan.

Note: For demonstration and lab purposes you can change the automatic updates setting, however
you will not be able to get updates as the classroom does not have internet connectivity.
Results: Your results should show several administrative vulnerabilities including the following:
Automatic Updates
Password Expiration
Incomplete Updates
Local Account Password Test
File System
Autologon
Guest Account
Restrict Anonymous
Administrators
Windows Firewall
Results: After this exercise, you will have used the MBSA to harden security settings.

following steps:
1.
2.
3.
4.

5.
6.
L11-5
L11-6
L12-1
Module 12: Monitoring Server Performance

Exercise 1: Creating a Performance Baseline
Task 1: Create a Data Collector Set
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.

Click Start, point to Administrative Tools and then click Performance Monitor.
In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User
Defined.
Right-click User Defined, point to New and then click Data Collector Set.
In the Create new Data Collector Set wizard, in the Name box, type NYC-SVR2 Performance.
Click Create manually (Advanced) and then click Next.
On the What type of data do you want to include? page, select the Performance counter check
box, and then click Next.
On the Which performance counters would you like to log? page, click Add.
In the Available counters list, expand Processor, click %Processor Time, and then click Add >>.
In the Available counters list, expand Memory, click Pages/sec, and then click Add >>.
In the Available counters list, expand PhysicalDisk, click %Disk Time, and then click Add >>.
Click Avg. Disk Queue Length, and then click Add >>.
In the Available counters list, expand System, click Processor Queue Length, and then click Add
>>.
In the Available counters list, expand Network Interface, click Bytes Total/sec, and then click Add
>>, and then click OK.
On the Which performance counters would you like to log? page, in the Sample interval box,
type 1 and then click Next.
On the Where would you like the data to be saved? page, click Next.
On the Create the data collector set? page, click Save and close and then click Finish.
Task 2: Start the Data Collector Set
In Performance Monitor, in the Results pane, right-click NYC-SVR2 Performance, and then click
Start.
Task 3: Create workload on the server

1.
2.
Click Start, and in the Search box, type cmd.exe and press ENTER.
Fsutil file createnew bigfile 104857600
3.
Copy bigfile \\nyc-dc1\c$
4.
Copy \\nyc-dc1\c$\bigfile bigfile2
5.
L12-2
Del bigfile*.*
6.
Del \\nyc-dc1\c$\bigfile*.*
7.
Do not close the command prompt.
Task 4: Analyze collected data

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.

In the navigation pane, right-click NYC-SVR2 Performance and then click Stop.
On the toolbar, click View Log Data.
Add.
In the Select Log File dialog box, double-click Admin.
Double-click NYC-SVR2 Performance, double-click the
NYC-SVR2_date-000001 folder and then double-click DataCollector01.blg.
Click the Data tab and then click Add.
In the Add Counters dialog box, in the Available counters list, expand Memory, click Pages/sec
and then click Add >>.
Expand Network Interface, click Bytes Total/sec, and then click Add >>.
Expand PhysicalDisk, click %Disk Time and then click Add >>.
Click Avg. Disk Queue Length and then click Add >>.
Expand Processor, click %Processor Time, and then click Add >>.
Expand System, click Processor Queue Length, click Add >>, and then click OK.
In the Performance Monitor Properties dialog box, click OK.
On the toolbar, click the down arrow and then click Report.
Record the values listed in the report for analysis later.
Results: After this exercise, you should have established a baseline.
Exercise 2: Simulating a Server Load

Task 1: Load a new program on the server
1.
2.
On NYC-SVR2, switch to the command prompt.

Cd\Labfiles\StressTool
Task 2: Configure the load on the server
StressTool 95
Results: After this exercise, you should have introduced a load on your server.
L12-3
Exercise 3: Gathering Additional Performance Data

Task: Start the data collector set again
1.
2.
3.

In Performance Monitor, click User Defined, in the results pane, right-click NYC-SVR2 Performance,
and then click Start.
Wait for one minute to allow data to be captured.
Results: After this exercise, you should have captured additional performance data
Exercise 4: Determining Probable Performance Bottlenecks

Task 1: Stop the running program
1.
2.
3.
After one minute, switch to the command prompt.

Press CTRL+ C.
Close the command prompt.
Task 2: View performance data

1.
2.
3.
4.
5.
6.
7.
8.
9.

In the navigation pane, right-click NYC-SVR2 Performance and then click Stop.
On the toolbar, click View log data.
Remove.
Click Add.
In the Select Log File dialog box, click Up One Level.
Double-click the NYC-SVR2_date-000002 folder and then double-click DataCollector01.blg.
Click the Data tab and then click OK.
Note: If you receive an error at this point, or the values in your report are zero, repeat steps 4-9.
Task 3: Analyze results and draw a conclusion

Question: Compared with your previous report, which values have changed?
Answer: Memory and disk activity are reduced; however, processor activity has increased
significantly.
Question: What would you recommend?
Answer: Continue to monitor the server to ensure that the processor workload does not reach
capacity.
Results: After this exercise, you should have identified a potential bottleneck
L12-4

following steps:
1.
2.
3.
4.
5.
6.

L13-1
Module 13: Maintaining Windows Server

Exercise 1: Troubleshooting the Startup Process
Contoso, Ltd Incident Record
Called logged by
Date of call
Time of call
User
Status
John Peoples
15th May
11:45
Daniel Roth
OPEN
Incident Details:
Call logged by information technology (IT) helpdesk. Branch users cannot access shared files on NYCSVR4.
1. File shares not accessible over the network.
2. Cannot connect to NYC-SVR4 with Remote Desktop Connection.
3. Cannot ping NYC-SVR4 IP address.
4. All other network resources in the branch location are functioning properly.
Preliminary Questions:
1. Where is the best place to troubleshoot this problem from?
Answer: If file shares, remote desktop and ping are unavailable, the troubleshooting process for this
problem will need to be done locally, in the physical location of the computer, or alternatively over
the phone with someone at the physical computer who can assist you with the troubleshooting
process.
2. What considerations should be made regarding NYC-SVR4 and the people and services that require
the services provided by NYC-SVR4?
Answer: If NYC-SVR4 performs critical services, a replacement or spare should be checked for
availability, should the troubleshooting process carry beyond the first one or two most probable
causes.
Assessment Questions:
1. What is the error message displayed on NYC-SVR4?
Answer: The Windows Boot Configuration Data file does not contain a valid OS entry.
2. What could the possible causes of this error message be?
Answer: The problem is a corrupt or damaged Boot Configuration Data (BCD) store. There is no
reference in the BCD to allow the Boot Manager to access the Windows 2008 Boot Loader.
3. What tool should you use to attempt to correct the problem causing the error message?
Answer: bcdedit.exe will allow you to view the status of the BCD store. In this case, there is no entry
for an operating system in the BCD store for NYC-SVR4. To correct this, run bootrec.exe with the
/scanos switch to find the operating system on the computer, and then run bootrec.exe with the
/rebuildbcd switch to create a new BCD store with a pointer to the boot loader for the found
operating system.
4. How can you access these tools?
Answer: By starting the computer using the Windows Server 2008 R2 Installation disc and choosing
the Repair your computer and Command Prompt options.
L13-2
Contoso, Ltd Incident Record

1. How did you resolve the problem?
Answer: By using bcdedit and bootrec as described in the answer for Assessment Question 3.
2. What should the next steps in the troubleshooting process be?
Answer: Have a user or users connect to NYC-SVR4 to ensure that their applications are functioning
properly. Notify the remainder of the users of NYC-SVR4 that the server is operating properly and
they can resume their use of NYC-SVR4. Additionally, the details of the problem, along with the steps
used to repair the problem should be documented and archived for future reference and logging
purposes.

1.
Read the attached Incident Record to determine possible troubleshooting methods.
2.
Answer the Preliminary Questions in the incident record (see Incident Record for answers).
Task 2: Investigate the issue on 6420B-NYC-SVR4

1.
2.
3.
In Hyper-V Manager, click 6420B-NYC-SVR4, and in the Actions pane, click Connect.
View the error message on the screen.
Answer the Assessment Questions in the Incident Record (see incident record for answers).
Task 3: Resolve the issue on NYC-SVR4 and complete the Incident Record
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
In the DVD-Drive Pane, select Image file and then click Browse.
Navigate to C:\Program Files\Microsoft Learning\6420\Drives, click WServer2008R2_Eval.iso
and then click Open.
On the 6420B-NYC-SVR4 on localhost Virtual Machine Connection window toolbar, click Action
and then click Reset.
In the Reset Machine dialog box, click Reset.
When Press Any Key to boot from DVD or CD is displayed, press ENTER.
At the Install Windows dialog box, click Next.
In the Install Windows dialog box, click Repair your computer.
In the System Recovery Options dialog box, click Use recovery tools that can help fix problems
starting Windows. Click Next.
In the System Recovery Options dialog box, click Command Prompt.
At the command prompt, type the following and press ENTER:
bcdedit
15. Observe the lack of an operating system entry in the BCD Store.
16. At the command prompt, type the following and press ENTER:
bootrec /scanos
17. At the command prompt, type the following and press ENTER:
Bootrec /rebuildbcd
18.
19.
20.
21.
22.
23.
L13-3
At the Add installation to boot list prompt, press Y and then press ENTER.
Close the command prompt window.
In the System Recovery Options dialog box, click the Restart button.
Ensure that NYC-SVR4 boots properly to the logon screen.
Answer the Resolution Questions on the Incident Record (see Incident Record for answers).
Revert the NYC-SVR4 virtual machine.
Results: After this exercise, you should have used Windows tools to troubleshoot the startup process.
Exercise 2: Installing and Configuring WSUS

Read the attached request form.
Task 2: Install prerequisite components on NYC-SVR2

1.
2.
3.
4.
5.
6.

In the console tree, click Roles.
In the details pane, click Add Roles.
In the Add Roles Wizard, click Next.
On the Select Server Roles page, select Web Server (IIS). Click Next twice.
On the Select Role Services page, select:
ASP.NET
Windows Authentication
Dynamic Content Compression
IIS 6 Metabase Compatibility
Note: When prompted, click Add Required Role Services.
Note: There are a number of other roles selected by default. Do not de-select any of these roles.
7.
8.
9.
10.
11.
12.
13.
14.
15.
Click Next.
Click Install.
When the installation is complete, click Close.
Open Windows Explorer and browse to E:\Labfiles\WSUS\.
Double-click Reportviewer.exe.
In the Microsoft Report Viewer Redistributable 2008 SP1 Setup wizard, click Next.
On the License Terms page, click I have read and accept the license terms, and then click Install.
Click Finish.
Task 3: Configure NYC-SRV2 as a WSUS server

1.
2.
3.
On NYC-SVR2, browse to E:\Labfiles\WSUS.

Double-click WSUS30-KB972455-x64.exe. Click Run.
In the Windows Server Update Services 3.0 SP2 Setup Wizard, click Next.
L13-4
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
On the Installation Mode Selection page, ensure that Full Server installation including
Administration Console is selected, and then click Next.
On the License Agreement page, click I accept the terms of the License agreement, and then click
Next.
On the Select Update Source page, ensure that Store updates locally is selected and the path
shows C:\WSUS. Click Next.
On the Database Options page, ensure that Install Windows Internal Database on this computer
is selected, and that C:\WSUS is entered for the location of the database, and then click Next.
On the Web Site Selection page, click Next to use the existing IIS Default Web site.
On the Ready to Install Windows Server Update Services 3.0 SP2 page, click Next.
When the installation completes, click Finish.
In a few moments the Windows Server Update Services Configuration Wizard will appear.
Click Cancel.
Click Start, type CMD.exe and then press ENTER.
Type Net Stop MSSQL$Microsoft##SSEE, and then press ENTER.
In Windows Explorer, browse to E:\LabFiles\WSUS\Backup.
Click Organize, and then click Select All.
Click Organize, and then click Copy.
In the Address bar, click Computer.
Browse to C:\WSUS\.
Click Organize, and then click Paste.
In the Confirm Folder Replace dialog box, select the check box next to Do this for all current
items, and then click Yes.
In the Copy File dialog box, select the check box next to Do this for the next 1 conflicts, and then
click Copy and Replace.
When the file copy is complete, at the command prompt, type
Net Start MSSQL$Microsoft##SSEE, and then press ENTER.
Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the tree view, expand NYC-SVR2, and then click Application Pools.
Right-click WsusPool, and then click Recycle.
Close Internet Information Services (IIS) Manager.
At the command prompt, type: cd "C:\Program Files\Update Services\Tools", and then press ENTER.
Type wsusutil reset, and then press ENTER.
Close the command prompt.
Task 4: Use Group Policy to enable NYC-CL1 to obtain updates from the new WSUS
server
1.
2.
3.
4.
5.
6.
On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.
In the console pane, expand Forest: Contoso.com, expand Domains, and then click Contoso.com.
Right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.
In the New GPO dialog box, type WSUS in the Name field, and then click OK.
In the details pane, right-click WSUS, and then click Edit.
In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Administrative Templates, expand Windows Components, and then click Windows
Update.
7. In the details pane, double-click Configure Automatic Updates.
8. In the Configure Automatic Updates dialog box, click Enabled, and then click Next Setting.
9. On the Specify intranet Microsoft update service location dialog box, click Enabled.
10. In the Set the intranet update service for detecting updates field, type http://NYC-SVR2.
L13-5
11.
12.
13.
14.
In the Set the intranet statistics server field, type http://NYC-SVR2, and then click Next Setting.
On the Automatic Updates detection frequency dialog box, click Enabled, and then click OK.
Close Group Policy Management Editor, and then close Group Policy Management.
Start and log on to the 6420B-NYC-CL1 virtual machine as Contoso\Administrator with the
password Pa$$w0rd.
15. On NYC-CL1, open a command prompt and type, wuauclt /a /r and then press ENTER.
Task 5: Create a computer group, and add NYC-CL1 to the new group
1.
2.
3.
4.
5.
6.
7.
8.
Switch to the NYC-SVR2 computer and open the Windows Server Update Services console.
Expand NYC-SVR2, expand Computers, and then click All Computers.
In the Actions pane, click Add Computer Group.
In the Add Computer Group dialog box, type TestComputers, and then click Add.
In the console pane, expand All Computers, and then click Unassigned Computers.
In the details pane, in the Status list, click Any, and then click Refresh.
Right-click nyc-cl1.contoso.com, and then click Change Membership.
In the Set Computer Group Membership dialog box, select the TestComputers check box, and
then click OK.
Task 6: Approve an update for Windows 7 operating system clients

1.
2.
3.
In the console pane, expand Updates, and then click Security Updates.
In the details pane, in the Approval list, click Any Except Declined.
In the Status list, click Any, and then click Refresh.
Note: Notice all of the updates available.
4.
Scroll down, right-click Security Update for Windows 7 (KB981332), and then click Approve.
Note: Do not select the x64 versions of the updates specified.
5.
In the Approve Updates dialog box, click the arrow next to All Computers, click Approved for
Install, and then click OK.
6. On the Approval Progress page, when the process is complete, click Close.
7. In the console pane, click Critical Updates.
8. In the details pane, right-click Update for Windows 7 (KB976662), and then click Approve.
9. In the Approve Updates dialog box, click the arrow next to All Computers, point to Deadline, and
then click Custom.
10. In the Choose Deadline dialog box, in the Date field, type in yesterdays date, and then click OK
twice.
Note: Entering yesterdays date will cause the update to be installed as soon as the client computers
contact the server.
11. In the Approval Progress dialog box, click Close.
Task 7: Install an update on the Windows 7 operating system client

1.
On NYC-CL1, click Start, type cmd, and then press ENTER.
L13-6
2.
At the Command Prompt, type GPUpdate /force, and then press ENTER.
Note: Wait for the policy to finish updating.
3.
4.
5.
6.
7.
At the command prompt, type wuauclt /detectnow, and then press ENTER.
The Windows Update icon appears in the notification area and automatically installs the update.
Click Start, click All Programs, and then click Windows Update.
Click View update history.
Verify that Security Update for Windows 7 (KB976662) has been installed and Security Update for
Windows 7 (KB981332) is available to be installed.
Note: It may take several minutes for the Windows Update icon to appear.
Note: Due to the limitations of the lab environment, the KB957097 update is pre-loaded on the
WSUS server to demonstrate the update process.
8.
Close Windows Update.
Task 8: View WSUS reports

1.
2.
3.
4.
5.
6.
7.
On NYC-SVR2, in the Update Services console, click Reports.

Review the various reports available in WSUS.
In the details pane, click Computer Detailed Status.
In the Computers Report for NYC-SVR2 window, click Run Report.
On the completed report, note how many updates are listed under
nyc-cl1.contoso.com.
Close the Computers Report for NYC-SVR2 window.
Close Update Services.
Results: At the end of this exercise, you will have configured WSUS to manage updates.
Exercise 3: Gathering Information to Start the Troubleshooting Process

Called logged by
Date of call
Time of call
User
Status
Incident Details:
John Peoples
19th May
12:10
Daniel Roth
OPEN
L13-7

Call logged by IT helpdesk. Users report NYC-SVR2 is running slow. Performance Monitor logs are stored
in E:\Labfiles\Captures\6420B-NYC-SVR2-LAB13-EX3-PARTA.blg.
Answer: The cpustres process is consuming most of the CPU time.
Answer: A likely first step would be to determine what the cpustres process is responsible for doing
and if any users are experiencing issues with those services. If no specific cause can be found, you
might restart the cpustres process before ensuring that all users using the services associated with the
cpustres are prepared for the services to be temporarily unavailable. Further monitoring of the
cpustres application may be necessary to determine if the application might require repair or
updating.
Called logged by
Date of call
Time of call
User
Status
John Peoples
20th May
13:15
Daniel Roth
OPEN
Incident Details:
Call logged by IT helpdesk. Users report NYC-SVR2 is running slow, Performance Monitor logs are stored
in E:\Labfiles\Captures\6420B-NYC-SVR2-LAB13-EX3-PARTB.blg.
Answer: The explorer.exe process is consuming disk resources
Answer: If explorer.exe is consuming disk processes, it may be in the middle of a lengthy disk write or
read; possibly copying or moving files. To troubleshoot further, you could view the Disk tab off of the
Resource Monitor to determine what specific files explorer was using. Then you could locate the
source of the file operations and determine if they are necessary and possibly if they could be carried
out during non-business hours.
resolution questions for Part A
1.
2.
3.
4.
5.
6.
7.
8.
On NYC-SVR2, click Start, point to Administrative Tools, and then click Performance Monitor.
In the Performance Monitor console, expand Monitoring Tools, and then click Performance
Monitor.
In details pane, click the View Log Data button (CTRL+L).
In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then
click Add.
In the Select Log File dialog box, browse to E:\Labfiles\Captures.
Click 6420B-NYC-SVR2-LAB13-EX3-PARTA.blg and then click Open.
In the Performance Monitor details pane, click Add (CTRL+I).
L13-8
9.
In the Add Counters dialog box, under Available counters, expand Processor, and then click %
Processor Time.
10. Under Instances of selected object, click 0, and then click Add.
11. In the Add Counters dialog box, under Available counters, expand System, click Processor Queue
Length, click Add, and then click OK.
12. At the bottom of the window, click % Processor Time to view the graph of the CPU usage on NYCSVR2 and notice that:
The minimum value is 34 percent
The maximum value is 100 percent.
The average value is 82.58 percent.
13. Click Add (CTRL+I).

14. In the Add Counters dialog box, under Available counters, expand Process, and then click %
Processor Time.
15. Under Instances of selected object, click <All Instances>, click Add, and then click OK.
16. Review the % Processor Time used by each process. It is useful to use the Highlight button (CTRL+ H)
to view each instance. Identify the process that is consuming the CPU.
17. See the Incident Record for answers to the questions.
18. Close Performance Monitor.
Task 2: Examine the Performance Monitor logs for the second issue and answer the
resolution questions for Part B
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
On NYC-SVR2, click Start, point to Administrative Tools, and then click Performance Monitor.
In the Performance Monitor console, expand Monitoring Tools, and then click Performance
Monitor.
In the details pane, click View Log Data (CTRL+L).
In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then
click Add.
In the Select Log File dialog box, browse to E:\Labfiles\Captures.
Click 6420B-NYC-SVR2-LAB14-EX3-PARTB.blg and then click Open.
In the Performance Monitor details pane, click Add (CTRL+I).
In the Add Counters dialog box, under Available counters, expand PhysicalDisk, and then click
Avg. Disk Queue Length.
Under Instances of selected object, click 0 C:, and then click Add.
Under Available counters, click Current Disk Queue Length.
Under Available counters, click Disk Transfers/sec.
Under Available counters, expand Process, and then click IO Data Bytes/sec.
Under Instances of selected object, click <All Instances>, click Add, and then click OK.
Review the IO Data Bytes/sec values for each process. It is useful to use the Highlight button
(CTRL+H) to view each instance. Identify the process that is consuming the disk transfer capacity.
See the Incident Record for answers to the questions.
Results: At the end of this exercise you will have gathered information to start the troubleshooting
process.
L13-9

When you finish the lab, shut down the virtual machines and revert them back to their initial state. To do
this, complete the following steps:
1.
2.
3.
4.

L13-10
L14-1
Module 14: Implementing Virtualization

To start the lab, complete the following steps
1.
2.
Ensure that your host computer is running and that you are logged on.
Ensure that no virtual machines are currently running.
Exercise 1: Creating the VHDs

Task 1: Create a dynamically expanding hard disk
1.
2.
3.
4.
5.
6.
7.
On your host computer, open Hyper-V Manager.

In the Actions pane, click New, and then click Hard Disk.
On the Before You Begin page, click Next.
On the Choose Disk Type page, click Dynamically expanding, and then click Next.
On the Specify Name and Location page, in the Name field, type
NYC-Prod1.vhd, in the Location field, type c:\Program Files
\Microsoft Learning, and then click Next.
On the Configure Disk page, configure a maximum size of 32 gigabytes (GB), and then click Next.
On the Completing the New Virtual Disk Wizard page, click Finish.
Task 2: Create a differencing hard disk

1.
2.
3.
4.
5.
6.
7.
In Hyper-V Manager, in the Actions pane, click New, and then click Hard Disk.
On the Choose Disk Type page, click Differencing, and then click Next.
NYC-Test1.vhd, and in the Location field, type c:\Program Files
On the Configure Disk page, click Browse. Browse to C:\Program Files
\Microsoft Learning\base\drives, click WS08R2- SVR2.vhd, and then click Open.
On the Configure Disk page, click Next.
On the Completing the New Virtual Disk Wizard page, click Finish.
Results: After this exercise, you should have created the required virtual hard disks (VHDs).
Exercise 2: Creating New Virtual Machines

Task 1: Create a new virtual machine for the production environment
1.
2.
3.
4.
5.
6.
In Hyper-V Manager, click New, and then click Virtual Machine.

The New Virtual Machine Wizard appears. Click Next.
NYC-PROD1.
Select the Store the virtual machine in a different location check box. In the Location field, type
C:\Program Files\Microsoft Learning, and then click Next.
On the Assign Memory page, in the Memory field, type 1024, and then click Next.
On the Configure Networking page, in the Connection list, click Private Network, and then click
Next.
L14-2
7.
8.
On the Connect Virtual Hard Disk page, click Use an existing virtual hard disk, click Browse, click
NYC-PROD1.vhd, click Open, and then click Next.
On the Completing the New Virtual Machine Wizard page, click Finish.
Task 2: Create a new virtual machine for the test environment

1.
2.
3.
4.
5.
6.
7.
8.
In Hyper-V Manager, click New, and then click Virtual Machine.

The New Virtual Machine Wizard appears. Click Next.
NYC-TEST1.
Select the Store the virtual machine in a different location check box. In the Location field, type
C:\Program Files\Microsoft Learning, and then click Next.
On the Assign Memory page, in the Memory field, type 1024, and then click Next.
On the Configure Networking page, in the Connection list, click Private Network, and then click
Next.
On the Connect Virtual Hard Disk page, click Use an existing virtual hard disk, click Browse, click
NYC-TEST1.vhd, click Open, and then click Next.
On the Completing the New Virtual Machine Wizard page, click Finish.
Results: After this exercise, you should have created the two virtual machines required for testing
purposes.
Exercise 3: Modifying Virtual Machine Settings

Task: Modify the virtual machine configuration for production
1.
2.
3.
4.
In Hyper-V Manager, in the Actions pane, click New, and then click Hard Disk.
On the Choose Disk Type page, click Dynamically expanding, and then click Next.
NYC-PROD1-Data.vhd, and in the Location field, type C:\Program Files
5. On the Configure Disk page, change the Size to 64 GB, click Next, and then click Finish.
6. In Hyper-V Manager, in the Virtual Machines pane, right-click NYC-PROD1, and then click Settings.
7. On the Settings for NYC-PROD1 page, click SCSI Controller, click Add, and then in the Hardware
list, click SCSI Controller.
8. On the SCSI Controller pane, click Hard Drive, and then click Add.
9. In the Media section, click Browse, select NYC-PROD1-Data.vhd, and then click Open.
10. Click Apply.
11. Click Memory, and then change the RAM to 2048.
12. Click Processor, change the Number of logical processors to 2, and then click OK.
Results: After this exercise, you should have modified the virtual machine settings.
Exercise 4: Creating and Applying Virtual Machine Snapshots

Task 1: Create a snapshot
1.
2.
3.
In Hyper-V Manager, ensure that the NYC-TEST1 virtual machine is turned off.
Click NYC-TEST1. In the Actions pane, under NYC-TEST1, click Snapshot.
Click the snapshot that was created, and type PRE-Test Snapshot.
4.
5.
6.
L14-3
Right-click NYC-TEST1, and then click Start.

Right-click NYC-TEST1, and then click Connect.
In the NYC-TEST1 on localhost - Virtual Machine Connection window, wait for the virtual machine
to start. Then, on the Action menu, click CTRL+ALT+DELETE. Type Pa$$w0rd as the password, and
then press ENTER.
If the Windows Activation dialog box dialog appears, click Cancel.
If you are prompted to restart the computer, click Restart Later.
7.
8.
Task 2: Apply snapshots

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
Right-click the virtual machine desktop, point to New, and click Text document. Type
Snapshot1.txt, and then press ENTER.
In Hyper-V Manager, click NYC-TEST1. In the Actions pane, under
NYC-TEST1, click Snapshot.
Click the snapshot, and then type Snapshot2.
Right-click the virtual machine desktop, point to New, and click Text document. Type
Snapshot2.txt, and then press ENTER.
In Hyper-V Manager, ensure that the NYC-TEST1 virtual machine is selected.
Under NYC-TEST1, click Revert. In the Revert Snapshot dialog box, click Revert.
On the virtual machine desktop, verify that the Snapshot2.txt is no longer on the desktop.
In the Snapshots pane, under Virtual Machines, right-click PRE-Test Snapshot, and then click Apply.
In the Apply Snapshot window, click Apply.
Verify that the virtual machine turns off. This is the state the virtual machine was in when you created
the snapshot.
In the Snapshots pane, under Virtual Machines, right-click Snapshot2, and then click Apply.
In the Apply Snapshot window, click Apply. Ensure that the NYC-TEST1 virtual machine is selected,
and then on the Actions pane, click Start.
On the virtual machine desktop, verify that the Snapshot1.txt is on the desktop.
On the Action menu, click Shut Down. In the Shut Down Machine dialog box, click Shut Down.
Results: After this exercise, you should have created snapshots and applied them to your virtual
machines.
L14-4

6420B ENU TrainerHandbook

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

6420B ENU TrainerHandbook

Uploaded by

Copyright:

Available Formats

O F F I C I A L

Fundamentals of Windows Server 2008

Product Number: 6420B

MICROSOFT LICENSE TERMS

Internet-based services, and

3. INSTALLATION AND USE RIGHTS.

Survival. Your duty to protect confidential information survives this agreement.

becomes publicly known through no wrongful act;

you developed independently.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

work around any technical limitations in the Licensed Content;

publish the Licensed Content for others to copy;

transfer the Licensed Content, in whole or in part, to a third party;

rent, lease or lend the Licensed Content; or

Fundamentals of Windows Server 2008

Fundamentals of Windows Server 2008

Andrew J. Warren Content Developer

Jason Kellington Content Developer

Justin Rodino - Content Developer

Claudia Woods Technical Reviewer

Fundamentals of Windows Server 2008

Lesson 2: Local Area Networking

Lesson 3: Wide Area Networking

Lesson 4: Wireless Networking

Lesson 5: Connecting to the Internet

Lesson 6: Remote Access

Lab: Selecting Network Infrastructure Components

Module 2: Connecting Network Components

Lesson 2: Understanding Adapters, Hubs, and Switches

Lesson 3: Understanding Routing

Lesson 4: Understanding Media Types

Lab: Connecting Network Components

Module 3: Implementing TCP/IP

Lesson 2: Understanding IPv4 Addressing

Lesson 3: Configuring IPv4

Lesson 4: Understanding IPv6

Lesson 5: Name Resolution

Lab: Implementing TCP/IP

Module 4: Implementing Storage in Windows Server

Lesson 2: Managing Disks and Volumes

Lesson 3: Implementing RAID

Lab: Implementing Storage in Windows Server

Module 5: Installing and Configuring Windows Server

Lesson 2: Managing Services

Lesson 3: Managing Peripherals and Devices

Lab: Installing Windows Server

Fundamentals of Windows Server 2008

Module 6: Windows Server Roles

Lesson 2: Deploying Role-Specific Servers

Lab: Implementing Server Roles

Module 7: Implementing Active Directory Domain Services

Lesson 3: Managing Users, Groups, and Computers

Lesson 4: Implementing Organizational Units

Lesson 5: Implementing Group Policy

Module 8: Implementing IT Security Layers

Lesson 2: Physical Security

Lesson 3: Internet Security

Lab: Implementing IT Security Layers

Module 9: Implementing Windows Server Security

Lesson 2: Securing Files and Folders

Lesson 3: Implementing Encryption

Lab: Implementing Windows Security

Module 10: Implementing Network Security