Professional Documents
Culture Documents
6420B ENU TrainerHandbook
6420B ENU TrainerHandbook
M I C R O S O F T
L E A R N I N G
P R O D U C T
6420B
Fundamentals of Windows Server 2008
ii
Information in this document, including URL and other Internet Web site references, is subject to change without notice.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain
name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright
laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no
representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the
products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of
Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of
Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any
changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement of Microsoft of the site or the products contained therein.
2010 Microsoft Corporation. All rights reserved.
Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
All other trademarks are property of their respective owners.
updates,
supplements,
support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed
Content.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Academic Materials means the printed or electronic documentation such as manuals, workbooks, white papers,
press releases, datasheets, and FAQs which may be included in the Licensed Content.
b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions location, an IT
Academy location, or such other entity as Microsoft may designate from time to time.
c. Authorized Training Session(s) means those training sessions authorized by Microsoft and conducted at or
through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning
Products (formerly known as Microsoft Official Curriculum or MOC) and Microsoft Dynamics Learning Products
(formerly know as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on
the subject matter of one (1) Course.
d. Course means one of the courses using Licensed Content offered by an Authorized Learning Center during an
Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.
e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or analog device.
f.
Licensed Content means the materials accompanying these license terms. The Licensed Content may include, but
is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv)
Software. There are different and separate components of the Licensed Content for each Course.
g.
Software means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included
with the Licensed Content.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.
i.
Student Content means the learning materials accompanying these license terms that are for use by Students and
Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files
for a Course.
j.
Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other
individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or
instruct an Authorized Training Session to Students on its behalf.
k. Trainer Content means the materials accompanying these license terms that are for use by Trainers and Students,
as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard
Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.
l.
Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard
disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to
allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard
Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using Microsoft Virtual PC or
Microsoft Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks,
and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes
of these license terms, Virtual Hard Disks will be considered Trainer Content.
n.
you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content,
Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer
basis.
either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students
enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use
does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and
only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the
number of Devices accessing the Licensed Content on such server does not exceed the number of Students
enrolled in and the Trainer delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed
Content that you install in accordance with (ii) or (ii) above during such Authorized Training Session in accordance
with these license terms.
i.
Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not
separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to
the use of those third party programs, unless other terms accompany those programs.
b. Trainers:
i.
Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a
classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install
and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and
for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own personal training Use
and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions in this agreement,
these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same
information and/or work the way a final version of the Licensed Content will. We may change it for the final,
commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any
Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no
obligation to provide them with any further content, including but not limited to the final released version of the
Licensed Content for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without
charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to
third parties, without charge, any patent rights needed for their products, technologies and services to use or interface
with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not
give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation
that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.
i.
Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you
may not disclose confidential information to third parties. You may disclose confidential information only to
your employees and consultants who need to know the information. You must have written agreements with
them that protect the confidential information at least as much as this agreement.
ii.
iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You
must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the
information. Confidential information does not include information that
you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers;
or
d.
Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date
for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever
is first (beta term).
e.
Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will
destroy all copies of same in the possession or under your control and/or in the possession or under the control of any
Trainers who have received copies of the pre-released version.
f.
Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print
and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you
will follow any additional terms that Microsoft provides to you for such copies and distribution.
Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista,
Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products
which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher,
then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the
install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before
it stops running. You may not be able to access data used or information saved with the Virtual Machines
when it stops running and may be forced to reset these Virtual Machines to their original state. You must
remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch
it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any
Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from
Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such
Software with Microsoft using such product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and
conditions of this agreement and the following security requirements:
o
You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are
accessible to other networks.
You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each
Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions
locations.
You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.
You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from
Devices on which you installed them.
You will strictly comply with all Microsoft instructions relating to installation, use, activation and
deactivation, and security of Virtual Machines and Virtual Hard Disks.
You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training
Session will be done in accordance with the classroom set-up guide for the Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations,
sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized
Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their
personal training use.
iv. iv Evaluation Software. Any Software that is included in the Student Content designated as Evaluation
Software may be used by Students solely for their personal training outside of the Authorized Training Session.
b. Trainers Only:
i.
Use of PowerPoint Slide Deck Templates . The Trainer Content may include Microsoft PowerPoint slide decks.
Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session.
If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide
decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is
created; and (b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may
customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are
logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing
rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be
used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic
Materials. You may not make any modifications to the Academic Materials and you may not print any book (either
electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:
The use of the Academic Materials will be only for your personal reference or training use
You will not republish or post the Academic Materials on any network computer or broadcast in any media;
You will include the Academic Materials original copyright notice, or a copyright notice to Microsofts benefit in
the format provided below:
Form of Notice:
2010 Reprinted for personal reference use only with permission by Microsoft Corporation. All
rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of
Microsoft Corporation in the US and/or other countries. Other product and company names
mentioned herein may be the trademarks of their respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change
or cancel them at any time. You may not use these services in any way that could harm them or impair anyone elses use
of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any
means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the
Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation,
you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any
technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not
install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the
Authorized Training Session;
allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering
the Authorized Training Session if the Licensed Content is installed on a network server;
copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;
disclose the results of any benchmark tests of the Licensed Content to any third party without Microsofts prior written
approval;
reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law
expressly permits, despite this limitation;
make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this
limitation;
access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized
by Microsoft to access and use;
use the Licensed Content for commercial hosting services or general business purposes.
Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks
does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or
devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must
comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws
include restrictions on destinations, end users and end use. For additional information, see
www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as NFR
or Not for Resale.
10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as Academic Edition
or AE. If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact
the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with
the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a)
expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically
terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its
component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and
support services that you use, are the entire agreement for the Licensed Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the
interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws
of the state where you live govern all other claims, including claims under state consumer protection laws, unfair
competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country
apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country.
You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does
not change your rights under the laws of your country if the laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of using it.
Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights
under your local laws which this agreement cannot change. To the extent permitted under your local laws,
Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and noninfringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND
ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES,
INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or
third party programs; and
claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or
exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential
or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.
Remarque : Ce le contenu sous licence tant distribu au Qubec, Canada, certaines des clauses dans ce contrat
sont fournies ci-dessous en franais.
EXONRATION DE GARANTIE. Le contenu sous licence vis par une licence est offert tel quel . Toute utilisation de ce
contenu sous licence est votre seule risque et pril. Microsoft naccorde aucune autre garantie expresse. Vous pouvez
bnficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier.
La ou elles sont permises par le droit locale, les garanties implicites de qualit marchande, dadquation un usage particulier
et dabsence de contrefaon sont exclues.
LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES DOMMAGES. Vous
pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement hauteur de
5,00 $ US. Vous ne pouvez prtendre aucune indemnisation pour les autres dommages, y compris les dommages spciaux,
indirects ou accessoires et pertes de bnfices.
Cette limitation concerne:
tout ce qui est reli au le contenu sous licence , aux services ou au contenu (y compris le code) figurant sur des sites
Internet tiers ou dans des programmes tiers ; et
les rclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit stricte, de ngligence ou
dune autre faute dans la limite autorise par la loi en vigueur.
Elle sapplique galement, mme si Microsoft connaissait ou devrait connatre lventualit dun tel dommage. Si votre pays
nautorise pas lexclusion ou la limitation de responsabilit pour les dommages indirects, accessoires ou de quelque nature que
ce soit, il se peut que la limitation ou lexclusion ci-dessus ne sappliquera pas votre gard.
EFFET JURIDIQUE. Le prsent contrat dcrit certains droits juridiques. Vous pourriez avoir dautres droits prvus par les lois
de votre pays. Le prsent contrat ne modifie pas les droits que vous confrent les lois de votre pays si celles-ci ne le
permettent pas.
ix
Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Contents
Module 1: Understanding Network Infrastructure
Lesson 1: Network Architecture Standards
1-3
1-11
1-19
1-28
1-35
1-41
1-48
2-3
2-11
2-19
2-26
2-34
3-3
3-11
3-24
3-32
3-42
3-55
4-3
4-15
4-21
4-30
5-3
5-19
5-25
5-34
xi
xii
6-3
6-9
6-20
7-3
Lesson 2: Implementing AD DS
7-15
7-24
7-34
7-39
Lab: Implementing AD DS
7-48
8-3
8-17
8-22
8-33
9-3
9-17
9-32
9-45
10-3
10-7
10-23
10-31
11-4
11-18
11-28
11-39
12-3
12-8
12-17
13-3
13-12
13-24
13-30
13-41
14-3
14-16
14-37
xiii
xiv
xv
Course Description
This course is designed to provide foundation skills in networking and Windows Server security, network
services, and administration.
Audience
Candidates for this course are seeking to gain fundamental knowledge and skills around security,
networking, and administration in Windows Server 2008 R2. It can apply to home computer users,
academic, information workers, developers, or help desk technicians wishing to begin a new skills path or
up-skill to Windows Server technologies. It is for candidates wishing to prepare for the Microsoft
Technology Associate (MTA) certification in Windows Server 2008. Candidates for this course may also
include IT Pros with skills within other IT areas or operating systems (such as Linux) who wish to gain an
insight into Windows Server.
Student Prerequisites
This course requires that you meet the following prerequisites:
A good fundamental knowledge of general computing equivalent with the CompTIA A+ Certification.
Some previous knowledge and experience with desktop operating systems, although this is not
mandatory.
No programming skills are required, although some experience and knowledge of scripting
technologies would be advantageous.
Course Objectives
After completing this course, students will be able to:
Describe fundamental network components and terminology thus enabling you to select an
appropriate network component in a particular scenario.
Implement a network by selecting network hardware components and technologies and determine
the appropriate network hardware and wiring components for a given situation.
Describe the protocols and services within the Transmission Control Protocol/Internet Protocol
(TCP/IP) suite of protocols and implement IPv4 within a Windows Server environment.
Implement and configure an Active Directory Domain Service (AD DS) forest.
Describe the concept of defense-in-depth and determine how to implement this approach with
Windows Server.
Identify the security features in Windows Server that help to provide defense-in-depth.
xvi
Identify the network-related security features in Windows Server to mitigate security threats to you
network.
Identify and implement additional software components to enhance your organizations security.
Identify the Windows Server tools available to maintain and troubleshoot Windows Server.
Course Outline
This section provides an outline of the course:
Module 1 Understanding Network Infrastructure In this module, you will learn how to describe
fundamental network component and terminology thus enabling you to select an appropriate network
component in a particular scenario.
Module 2, Connecting Network Components In this module, students will learn to build a network
using network hardware components and technologies.
You will also learn to determine the appropriate network hardware and wiring components for a given
situation.
Module 3, Implementing TCP/IP In this module, you will be able to describe the protocols and
services within the TCP/IP suite of protocols. You will also learn to implement IPv4 within a Windows
environment.
Module 4, Implementing Storage in Windows Server In this module, you will learn about storage
technologies and how they are implemented with Windows Server. You will also learn to configure
storage on Windows Server.
Module 5, Installing and Configuring Windows Server In this module, you will learn to understand
the various options available for installing Windows Server and to complete an installation. You will also
launch a local media setup and then perform the post-installation configuration of a server.
Module 6, Windows Server Roles In this module, you will learn to deploy server roles to support a
business scenario. You will also learn to implement appropriate server roles to support a given scenario.
Module 7, Implementing Active Directory Domain Services In this module, you will learn to
implement an AD DS forest. You will also create and configure an AD DS forest.
Module 8, Implementing IT Security Layers In this module, you will learn to deploy server roles to
support a business scenario. You will also learn to implement appropriate server roles to support a given
scenario.
Module 9,Implementing Windows Server Security In this module, you will understand security
features in Windows Server to help to provide defense-in-depth. You will also implement some of the
Windows Server security features.
Module 10, Implementing Network Security In this module, you will describe the security-related
threats to an organizations network and the technologies available in Windows Server to mitigate these
risks. You will also implement network-related security features in Windows Server.
Module 11, Implementing Security Software In this module, you will identify and implement
additional software components to enhance an organizations security. You will also analyze and secure a
Windows Server.
xvii
Module 12,Monitoring Server Performance In this module, you will identify a poorly performing
server. You will also monitor a server to determine the performance level.
Module 13, Maintaining Windows Server In this module, you will understand the tools available and
the methods to employ to maintain and troubleshoot Windows Server. You will also learn how to
maintain and troubleshoot Windows Server systems.
Module 14, Implementing Virtualization In this module, you will understand the virtualization
technologies provided by Microsoft. You will also create and configure a virtual machine with Hyper-V.
xviii
Course Materials
The following materials are included with your kit:
Course Handbook A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.
Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when its
needed.
Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and answers
and Module Reviews and Takeaways sections, which contain the review questions and answers, best
practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
with answers.
Resources: Include well-categorized additional resources that give you immediate access to the most
up-to-date premium content on TechNet, MSDN, Microsoft Press
Course evaluation At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
Role
6420B-NYC-DC1
6420B-NYC-SVR1
6420B-NYC-SVR2
6420B-NYC-SVR3
6420B-NYC-SVR4
6420B-NYC-CL1
Software Configuration
The following software is installed on each VM:
Windows 7
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
4 GB RAM
DVD drive
Network adapter
*Striped
xix
xx
Module 1
Understanding Network Infrastructure
Contents:
Lesson 1: Network Architecture Standards
1-3
1-11
1-19
1-28
1-35
1-41
1-48
1-1
1-2
Module Overview
Networks are a critical component of an effective Windows Server 2008 operating system environment.
The majority of computing systems today are connected in some way to a network. A typical corporate
network has many different components and can connect a computer to others in the next room, across a
city, or on the other side of the globe.
This module reviews the general characteristics of computer networks and introduces components and
concepts commonly associated with networks, providing you with the basic information required to
understand the fundamentals of a network computing environment
Objectives
After completing this module, you will be able to:
1-3
Lesson 1
A network is created using a number of different physical components and logical standards that define
the specific qualities of a network. Network architecture refers to the set of physical components and
logical standards that provide the basis for communication within a network.
In order to troubleshoot a network environment, you must have an understanding about the composition
and capabilities of the networks architecture.
Objectives
After completing this lesson, you will be able to:
1-4
Key Points
A network is a collection of devices connected to each other in order to facilitate communication and the
sharing of resources.
The majority of computer networks share a common set of components and common terminology
regardless of differences in implementation or technology used.
The key components of a network are:
Data. Data refers to the actual information being sent over a network.
Node. A network node refers to a device that either sends or receives data on a network. Typical
nodes are computers, but they can be other devices that are directly attached to the network such as
printers or scanners.
Client. A computer on a network that primarily receives data or uses other resources on the network
is referred to as a client.
Server. A server is a computer on a network that is primarily responsible for sharing or serving data
and resources to other computers on the network. A server commonly provides access to shared files
or devices such as printers to the entire network.
Peer. A peer performs the functions of a client computer, but also provides shared resources like a
server computer does. Peers are common in small networks when a dedicated server computer is not
necessary or cost-efficient.
Network adapter. A network adapter is a device that allows a node to physically connect to a
network. It provides the interface between the hardware of the device connecting to the network and
the network itself.
Hub. A hub is a device for connecting multiple nodes on a network. Each node that is physically
connected to the hub can communicate with all other nodes connected to the same hub.
1-5
Switch. A switch performs the same basic functions as a hub, but it allows for more sophisticated and
efficient interaction with the data. As such, a switch can provide much improved performance over a
hub when any more than a few nodes are connected to the network.
Note: Due to the decreasing cost of network switches, they have largely replaced hubs, even in small
networks.
Router. A router is a device that is responsible for connecting individual networks together and
ensuring that the data traveling outside of any given network reaches its destination. Routers contain
a list of potential destinations or routes that it uses to send and receive data from other networks.
Media. The physical material used to connect devices on a network is referred to as that networks
media. Media is typically some type of cable, but can also be wireless radio frequency, infrared or
some other less physical medium.
Transport protocol. A transport protocol refers to the set of rules that govern how data is packaged,
sent and unpackaged when it is transmitted over the network.
1-6
Network Architecture
Key Points
Network architecture refers to both the set of physical components that work together to connect
computers in a network as well as the functional organization and configuration of those components.
Network architecture standards also govern how data is packaged and transmitted on a network.
Ethernet
Ethernets low cost reliability and simplicity of implementation have made it the predominant architecture
standard found in modern networks. It is used in both small and large networking environments.
In basic form, an Ethernet network involves several nodes connected with copper wire cables to a hub or
switch. For larger bandwidth requirements or longer distance connections, fiber-optic cable is often used.
Ethernet has evolved into a number of specific standards. Over time, changes to network media,
computing technology and bandwidth requirements have forced changes to the Ethernet standard to
accommodate the evolving network environment.
The following table provides key characteristics of the most commonly implemented Ethernet standards.
Standard
Media
Bandwidth
Common uses
10BASE-T
Twisted copper
10Mbps
Local networks
100BASE-TX
Twisted copper
100Mbps
Local networks
100BASE-FX
Fiber-optic
100Mbps
Distant networks
1000BASE-T
Twisted copper
1Gbps (1000Mbps)
Local networks
1000BASE-LX
Fiber-optic
1Gbps
Distant networks
10GBASE-T
Twisted copper
10Gbps
Local networks
Standard
Media
Bandwidth
Common uses
10GBASE-LR/ER
Fiber-optic
10Gbps
Distant networks
1-7
Of the standards listed in this table, 100BASE-TX and 1000BASE-T are the ones most commonly found in
modern LANs. 1000BASE-LX and 10GBASE-LR/ER are the most commonly found in long distance Ethernet
connections.
FDDI
Fiber Distributed Data Interface (FDDI) uses primarily fiber-optic cable as a medium for transmission and is
capable of spanning distances of 200km and a speed of 100 megabits per second (Mbps). It was
historically used to connect a number of geographically separated networks together, but has been
largely replaced by Ethernet.
Token Ring
Token ring uses primarily copper wire for data transmission and is capable of speeds of 4Mbps and
16Mbps. Token ring was common in early corporate networks as an alternative to Ethernet, but has been
largely replaced by Ethernet.
1-8
Key Points
When data is transmitted on a network, it travels along that networks media to reach its destination. The
set of rules that define how and when a node sends data along the media is called the network media
access control method.
On a computer network, data appears to move simultaneously from node to node without interruption.
However, only a single node may access the network media at any given time. Nodes give the illusion of
simultaneous access by taking turns accessing the network media for very short periods of time. If two
nodes were to transmit data onto the network media at the same time, the data from each node would
collide along the media and the data would be destroyed. In an environment with hundreds of computers
sharing the same network media, network media access control methods are critical to ensuring network
data is transmitted correctly to its destination.
There are three primary network media access control methods.
1-9
CSMA/CD is the network media access method used for Ethernet networks. It provides the network with a
fast method of data transmission and collision resolution, but because simultaneous data transmission and
collisions can occur, it becomes increasingly less efficient as more nodes are added to a specific segment
of network media.
Token Passing
Token passing is a method that uses a small piece of data or token to signify the intention to transmit
data. This token, along with the other data being sent, is passed around to all systems in the network.
When the token and data reach the intended destination, the data is passed to the destination system and
the token continues through the remainder of the systems until it reaches the originating system,
confirming transmission to the entire network. Both FDDI and token ring make use of the token passing
method.
Both CSMA/CD and CSMA/CA are considered contention-based network media access control methods
because the nodes on the network share or contend for access to the media. Token passing is referred to
as a deterministic method, which refers to the ability to determine the amount of time data transmission
and confirmation will take, due to the orderly fashion by which nodes access the network media.
1-10
Key Points
The IEEE manages the definition of technical standards for electronic engineering and manufacturing.
These standards define specific qualities in a technology to allow for devices manufactured within the
scope of that technology to work together. These standards allow devices such as network adapters and
switches that are manufactured by different vendors to work together on the same network.
One of the most notable and recognizable standards is the IEEE 802 family of standards that define the
functionality of different aspects of a network environment.
The IEEE 802 standard has more than 15 sub-standards that pertain to specific technologies found in a
network environment. Some of the key IEEE 802 standards are listed below:
1-11
Lesson 2
A LAN is the most basic and commonly implemented form of computer network. This lesson introduces
you to the LAN and its associated concepts and technologies.
The LAN is the building block for all major and more complex networks, so this lesson will also familiarize
you with LAN structure, design and implementation.
Objectives
After completing this lesson, you will be able to:
Describe LANs.
1-12
What Is a LAN?
Key Points
A LAN is a computer network that covers a specific physical area such as a home, office or closely built
group of buildings, like a school campus or airport. LANs also typically feature a high bandwidth capacity
and have the ability to provide equal bandwidth and network access to all nodes.
Due to constantly improving technology and the high bandwidth available in modern networking
technology, LANs are becoming less dependent on geographic proximity. Virtually all modern LANs use
the Ethernet standard for network connectivity.
1-13
Key Points
While communication may appear to be constant between nodes on a LAN, especially when used to offer
functionality such as video conferencing, it has already been established that communication on a LAN
consists not of a constant stream of data from node to node, but shared access to the network media
using short transmissions of relatively small pieces of data to allow for all nodes on the network to have
access. In most cases, the data a user interacts with on a LAN (a file, video conference, print job, etc.) is far
too large to be contained in a single transmission from a node. In order for a LAN to deliver these large
amounts of data, the information must be broken down into a network frame.
In general, a network frame contains a part of the original data being sent, along with network specific
information regarding the frames sender, the frames recipient and information allowing for the frame to
be reassembled into readable data at its destination. A frame also contains error checking information
that allows it to be retransmitted from the sender should it not arrive at its destination as planned. The
actual structure of a frame depends on the type of network being used. For example, an Ethernet frame
will differ slightly in structure from a token ring frame.
The sender and destination of each frame, along with every other node on the LAN, have a unique
network address. This address allows for simple and precise delivery methods throughout the LAN and
also allows for each node to be distinctly identifiable on the network.
A nodes media access control (MAC) address is the most basic form of uniquely identifying it on a LAN.
MAC addresses are assigned to all network adapters at the time of manufacture and are most often
represented in hexadecimal format (ex: 00-22-FB-8A-41-64).
1-14
Key Points
The physical components of a LAN are responsible for taking network data and transmitting it to its
destination along some type of physical media that connects the nodes together.
A LAN can vary in complexity from two or three connected nodes in the same room to thousands of
nodes connected over a considerable area. As such, LANs can consist of only a few components or a large
number of interconnected components.
The most common physical LAN components are:
Network adapters. Network adapters provide the point of contact between a LAN node and the rest
of the network. It is typically connected to the network via a wire or cable. Different network
architectures (Ethernet, token ring) require different network adapters to interface with the LAN. For
example, an Ethernet network adapter will not function when connected to a token ring network.
Wiring or cable. A LANs wiring provides the physical media along which a LANs data is sent. LAN
cable types will vary and are classified into a number of different types according to the physical
qualities of the cable. Common cable types include:
Unshielded twisted pair (UTP). The cable is the most common type found in Ethernet LANs. It
consists of four pairs of copper wire twisted together and is usually terminated with an RJ-45
connector. UTP is by far the most common cabling standard used in LANs.
Coaxial copper. The cable is used in older Ethernet networks and is typically terminated with a
barrel-type BNC connector.
Fiber-optic. The cable uses light transmitted along glass or fiber tubes, rather than the electrical
signals sent across copper-based cable. It is capable of transmitting data over longer distances
than copper and is typically used for connections that exceed the length restrictions of copper
cables in areas where electromagnetic interference would prohibit the use of copper cable.
1-15
Hubs. Hubs provide a central point of connectivity for nodes in a network and allow for more
complex and efficient LAN implementations. A switch is an advanced type of hub that allows for
intelligent delivery or switching of information to nodes on a LAN.
Termination points. Termination points or jacks describe the physical termination of a network cable
that allows a node to physically connect to the LAN. Typically, termination points exist as wall plates
with an appropriate receptacle for a short network cable that runs from the jack to the network
adapter of the node device.
Wiring cabinets. Wiring cabinets or wiring closets provide a location where a number of hubs,
switches or other LAN connectivity devices are located to provide a central point of connection for
LAN nodes located in a specific physical area such as a building or floor of a building. These locations
are typically a small room or closet.
1-16
Key Points
A LANs physical topology refers to the actual layout and connection of the physical components of a
LAN. The physical topology of a LAN is determined primarily by the networks size, architecture and
required functionality.
Physical topology plays a key role in determining a LANs bandwidth capability and overall performance.
As a result, physical topology is a very important part of LAN design, especially in larger networks.
There are five main physical topology types.
Bus topology. In a LAN where physical bus topology is used, nodes are connected to each other in a
consecutive line along a segment of network media. The network media is then typically terminated
at each end with a special device or connector that acts as the boundary for that particular segment
or piece of the LAN. Bus topology technology has been largely replaced by star topology in LANs.
Advantages: A LAN using bus topology is easy to set up, and the ability to quickly add systems
makes it suitable for small LANs or temporary networks.
Ring topology. In a physical ring topology, nodes are connected in much the same way as with a bus
topology, but rather than each end of the network media being terminated, the ends are connected
together to form a ring. Ring topology technology has been largely replaced by star topology
technology in LANs.
Advantages: Similar to bus topology, a LAN using ring topology is easy to set up, and the ability
to quickly add systems makes it suitable for small LANs.
Disadvantages: Unfortunately, the same disadvantages that a LAN using bus topology faces also
exist in a LAN based on ring topology. The LAN is based on out-of-date technology; if one
1-17
section of the network media becomes disconnected or breaks, the entire network ceases to
function. This can make a LAN based on ring topology difficult to troubleshoot.
Star topology. When using star topology, nodes are not connected to each other as they are in a bus
or ring topology, but instead they are connected to a central device such as a hub or switch. Modern
Ethernet-based LANs typically use star topology for their physical configuration.
Advantages: LANs utilizing star topology become more reliable on a node by node basis because
of the presence of the hub. With the addition of this device, nodes are dependent only on their
individual connection to the hub for access to the rest of the network. When using star topology,
the break or disconnection of a cable affects only the node using that specific cable, making the
LAN generally more reliable and easier to troubleshoot.
Disadvantages: LANs based on star topology typically require more hardware and planning to
implement, due primarily to the addition of the hub device as well the extra length of network
cable required to connect each node back to the centrally located hub. They also still contain a
single point of failure; the network hub. If this device fails the entire network ceases to function.
Hybrid topology. Different from any of the previously defined topologies, hybrid topology does not
refer to a specific physical configuration, but rather the combination of one or more different
topologies used together on the same LAN. The most common form of hybrid topology consists of a
multiple star topology-based network connected together using bus topology to form a single LAN.
LANs based on hybrid topology are very common, and become necessary when designing large or
complex LANs.
Mesh topology. In a LAN based on mesh topology, extra connections are added to provide a level of
fault tolerance to the network. In a mesh topology-based LAN, information has more than one path it
can take between at least two individual nodes. This addition of extra connections or meshing is
typically done for critical or high traffic connections within the LAN. Mesh topology features two
separate forms of meshing.
Fully meshed: In this configuration, a direct link exists between every pair of nodes on the
network. This provides the highest level of fault tolerance available, but also cost and complexity
increase exponentially as more nodes are added to the network.
Partially meshed: Partially meshed LANs are far more common than their fully-meshed
counterparts. They do not provide direct connections between every pair of nodes, but rather
introduce a number of redundant connections based on both providing fault tolerance and
maintaining a reasonable cost of implementation.
Question: What topology configuration might you recommend for a new Ethernet LAN being built to
connect computers located in several buildings together on a school campus?
1-18
Key Points
A LANs logical topology refers to how the data flows between nodes on the network. Logical topology is
largely independent of a LANs physical topology, despite the shared terminology between certain types
of physical and logical topology. A LANs logical topology is largely dependent on the network standard
used to implement data flow on the network, such as Ethernet, FDDI or token ring.
Ethernet
In an Ethernet-based LAN, data is transmitted along the network media to all other connected nodes. This
mass transmittal is referred to as broadcasting. The broadcasted transmission is detected by all nodes on
the network, but only those nodes for which the transmission was intended will accept and receive the
incoming data. This type of logical topology is most commonly referred to as bus logical topology. It is
important to include and understand the use of the word logical in this term, as the term bus physical
topology is used to define a physical topology concept that is separate from the logical concept defined
here.
1-19
Lesson 3
Computer networks are found all across the world. Organizations that operate those networks often have
multiple offices or locations in different cities, countries or continents. The organizations often require
their networks to be connected to each other in order to meet their organizations business needs, but are
unable to connect these locations together with LAN technology due to its high cost to implement over
long distances.
WAN provides these organizations the ability to connect their networks regardless of geographic
boundaries, transcending the limitations of LAN technologies.
WANs are the basis for the global level of network connectivity that we have in todays computing
environment.
Objectives
After completing this lesson, you will be able to:
Describe WANs.
1-20
What Is a WAN?
Key Points
A WAN is a geographically distributed network composed of multiple LANs joined into a single large
network typically using leased or third-party services.
A WAN is used primarily to connect a group of LANs together that belong to the same organization or
have a specific requirement of interconnectivity. Historically, technology used to implement links that
connect multiple LANs together to form a WAN has been relatively slow and unreliable when compared
with LAN capabilities. However, with evolving technology, modern WAN links are capable of higher
bandwidth and can make multiple interconnected LANs appear as one large LAN to the users of the
network in terms of network speed and resource access. In this way, the lines between LANs and WANs
have become somewhat blurred.
1-21
Key Points
A WAN may be composed of a number of different components, depending on the WAN technology
used and whether an organizations WAN has been self-constructed or consists of leased or rented
services from telecommunications companies.
Common WAN components are:
Bridge. A bridge allows for the connection of two or more network segments or LANs. A bridge
forwards network data between LANs and identifies nodes on the WAN using the nodes MAC
address. A bridge is the most basic way to connect two LAN segments together.
Router. A router performs many of the same functions as a bridge, but allows for more efficient and
complex direction of data. Unlike a bridge, a router can determine the specific LAN a node belongs to
and direct the traffic only to that LAN rather than broadcasting the information to all LANs and all
nodes within the WAN.
Leased line. A leased line refers to a WAN connection usually provided by a third party, typically a
telecommunications company. The telecommunications company uses their existing equipment to
connect one or more separate LANs together. This service can be implemented using a number of
different technologies. The actual technology used is usually transparent to the connected LANs
which will typically be connected to the leased line via a router which contains the proper routes to
the other connected LANs.
Backhaul or backbone. A backbone segment of a WAN refers to a high capacity section of the WAN
over which the bulk of WAN traffic will travel. In contrast to a leased line, many backbone segments
are built and owned by the organization operating the LANs connected by the backbone. This type of
connection allows for multiple LANs to be connected together at a high speed without having to pay
ongoing rental or leasing costs or rely on a third party for consistent WAN connectivity. Backbones
do, however, have the drawback of being relatively costly to implement.
1-22
Key Points
Most WAN networks rely on data sent through third party telecommunications providers and often make
use of the providers existing communications infrastructure to send data between LANs. In this context,
WAN connections use a number of different standards for data transmission. These standards are typically
chosen for bandwidth capability, but available technology and regional location also play a part in
determining what WAN standards are available to an organization for the implementation of their WAN.
WAN standards typically define the method used to manipulate the data along the connection, as well as
the bandwidth capability of a WAN connection and the media used.
WAN standards also use multiplexing to allow efficient use of WAN connections. Multiplexing refers to
the process of combining and sending multiple, simultaneous data transmissions over the same media.
This allows for higher bandwidth capability and shared usage of a single WAN connection.
There are four commonly used WAN standards covered in this topic:
T-Carrier standards. T-carrier standards are a group of standards implemented primarily in North
America and some parts of eastern Asia and Japan that govern digital data transmission.
E-Carrier standards. E-carrier standards are a group of standards similar to the T-Carrier standards.
The E-Carrier standards were developed in Europe and used globally with the exception of the
regions that have adopted the T-Carrier standard as mentioned above.
Optical Carrier (OC) standards. OC standards contain specifications for transmitting digital data over
fiber-optic networks.
ISDN. ISDN allows simultaneous voice and data transmission over existing public telephone network
infrastructure.
1-23
Key Points
T-Carrier and E-Carrier standards are a family of WAN standards used by telecommunications companies
to deliver digital communications over long distances. T-Carrier is the standard most commonly used in
North America. The
E-Carrier standard, first developed in Europe, has been adopted by most of the rest of the world.
The T-Carrier and E-Carrier standards are graded according to bandwidth capability in a T1, T2, T3 to E1,
E2, E3 etc. format. However, T1/E1 and T3/E3 are the most common and comprise the majority of TCarrier or E-Carrier-based network implementations.
T1. A T1 line has a bandwidth capability of 1.544 Mbps. T1 typically uses 2 pairs of twisted-pair
copper wire as its media.
T3. A T3 line provides a bandwidth capability of 44.736 Mbps. T3 typically uses fiber-optic cable as its
media.
E1. An E1 line has a potential bandwidth of 2.048 Mbps. Similar to T1, E1 is typically carried over
copper wire-based media.
E3. An E3 line has a potential throughput of 34.368 Mbps. Like T3, E3 typically uses fiber-optic cable
as its media.
1-24
Key Points
Optical Carrier (OC-X) standards refer to a set of specifications for digital data over specifically designed
fiber-optic networks, Synchronous Optical Network (SONET) in North America and Synchronous Digital
Hierarchy (SDH) in the rest of the world. Designed for high capacity, long-distance connections, optical
carrier connections are widely used as the backbone of the Internet. OC-X connections are also used as
private connections and as a carrier for bandwidth-intensive applications, such as video conferencing.
The base bandwidth unit for an OC-X connection is 51.84Mbps. Common OC-X classifications are as
follows:
OC-1 - 51.84
OC-3 - 155.52
OC-12 - 622.08Mbps
OC-24 1244.16Mbps
OC-48 2488.32Mbps
OC-192 9953.28Mbps
OC-768 39,813.12Mbps
1-25
What Is ISDN?
Key Points
ISDN uses the preexisting public telephone network to provide digital voice and data services. In early
WANs, ISDN was a very popular method for connecting LANs together, but has since been largely
replaced by standards built on more modern technology.
Similar to E-Carrier and T-Carrier networks, an ISDN connection used individual 64 kilobits per second
(Kbps) channels to transmit data, although not using the same technology. An ISDN connection is also
dial-on-demand in nature, requiring a call to be placed on the line before a connection is made. However,
digital call placement on ISDN typically takes only one or two seconds.
ISDN has two common types:
Basic Rate Interface (BRI). BRI typically uses two 64Kbps channels and supports a bandwidth of
128Kbps.
Primary Rate Interface (PRI). PRI uses 23 64Kbps channels and supports a bandwidth of 1.536Mbps,
roughly equivalent to the bandwidth of T1 and E1 lines. PRI ISDN connections are commonly used as
backup or alternate route connections for T1 or E1 connections.
While everyday usage of ISDN is less common than it used to be, ISDN lines are still frequently used in
many parts of the world as low cost backup connections to more robust WAN links.
1-26
Key Points
While private WANs and LANs are critical pieces of an organizations computing environment, almost all
of them require connection to the rest of the world for communication outside of the organization.
Typically, this is through the public Internet.
In theory, the Internet exists as a large, global WAN. As a result, WAN-based technologies are used
extensively throughout the Internet to connect private LANs and WANs. These technologies are typically
implemented and operated by telecommunications providers who connect the end user to the Internet
using their existing infrastructure as an intermediary network. This service is typically leased or rented to
individuals or organizations to give them access to Internet connectivity.
Along with the previously discussed T-Carrier, E-Carrier and ISDN technologies, other common WANbased Internet connection technologies are:
Digital Subscriber Line (DSL). DSL uses existing telephone network infrastructure to transmit data. It
involves the simultaneous transmission of both voice and data over the same physical line by using a
separate higher frequency for data transmission and a filter on the physical line to separate the
frequencies. DSL comes in two main types, both of which use a modem for sending and receiving the
signal along the telephone infrastructure.
Symmetric DSL (SDSL). SDSL allows equal bandwidth for both sending and receiving data at the
same speed.
Asymmetric DSL (ADSL). ADSL uses different data rates for sending and receiving, with the
sending bandwidth typically considerably lower than the receiving bandwidth. As it is less
expensive to implement, ADSL is typically provided for residential use.
Cable modem. Cable modems provide a service similar to that of DSL, but use the cable TV medium
as an intermediary connection to the Internet.
3G and 4G wireless. Historically, mobile communications networks have been typically reserved for
voice communications over the wireless network. With the advent of faster, more robust networks like
3G and 4G, however, the use of these networks for digital data transmission has become more
prevalent and has become a common method used by mobile computer users to access network
connectivity when not in a LAN environment.
1-27
1-28
Lesson 4
Wireless Networking
Wireless networking has become an important part of both home and corporate networks. Wireless
networks allow nodes to operate apart from the confines of physically wired connections. The increased
mobility and freedom that a wireless network offers allow organizations to use computing resources in
ways not feasible using wired network components.
Wireless networks come in many different configurations using multiple standards and different
technology.
Familiarity with wireless networking components, terminology and standards is very important to overall
computer networking knowledge.
Objectives
After completing this lesson, you will be able to:
Describe 802.11x.
1-29
Key Points
A wireless network consists of two or more network devices connected together using some form of
wireless technology, typically using either radio-frequency or microwave transmission technology.
While completely wireless networks are common in smaller LANs found in homes or small offices, wireless
networks are typically used to expand or extend a larger, traditionally wired network in corporate settings.
This could be in a LAN environment, providing network access to mobile users in a non-wired location
such as an outdoor area or in a WAN environment to connect to locations where physical network media
like copper or fiber is impossible or not cost effective.
The following are common components and terminology found in wireless networks:
Wireless network adapter. Like its wired counterpart, a wireless network adapter connects a node to
the wireless network and is capable of both sending and receiving information on the wireless
network.
Access point. An access point provides a means of connecting to the wireless network. This can be in
the form of another wireless network adapter or, more commonly, a centralized, dedicated access
point. This dedicated access point may or may not be used to connect the wireless network to an
existing wired network or LAN.
Ad-hoc network. An ad-hoc wireless network consists only of wireless nodes connecting to each other
and has no centralized access point. Ad-hoc wireless networks are typically used for temporary, peerto-peer connections between two computers.
Service set identifier (SSID). An SSID is a string of characters that identifies and advertises a wireless
access points existence to potential clients. This string is typically configurable to any alpha-numeric
value, so it also provides a method of applying naming schemes to SSIDs if necessary.
1-30
Key Points
Wireless standards govern the implementation and functionality of wireless networks and fall under the
IEEE 802 family of network standards.
In the majority of wireless networks, there are two common types, each with its own IEEE 802 definition.
802.11. The 802.11 working group defines standards for wireless LANs. This group of standards
generally uses radio frequency spectrum for the sending and receiving of data. 802.11 networks exist
as the most common form of wireless network and benefit from simple setup and node addition and
relatively low implementation costs.
802.16. The 802.16 working group of standards governs wireless WAN technology. The 802.16
standards are commonly referred to as Worldwide Interoperability for Microwave Access (WiMAX).
The 802.16 networks use microwave transmission for the sending and receiving of data and are
typically used for backhaul or backbone connections for a telecommunications network or high
capacity corporate WAN. Due to the line-of-sight requirement for WiMAX devices to communicate,
additional infrastructure such as towers and large antennae are required for an 802.16
implementation, which can make implementation relatively costly.
1-31
What Is 802.11?
Key Points
As previously noted, the IEEE 802.11 working group of standards defines the aspects of wireless LANs.
802.11 is one of the most recognizable IEEE standard categories, due to the widespread use of the
numeric identifier to refer to wireless LANs and devices in general. The IEEE 802.11 working group consists
of four commonly used standards
802.11a. 802.11a devices operate in the 5 gigahertz (GHz) radio frequency (RF) band. It offers a
theoretical bandwidth of 54Mbps, but suffers from a relatively short range due to the technical
limitations of radio waves at 5GHz.
Note: 802.11 bandwidth is often discussed as theoretical. This is because factors like distance from
the access point, interference from other devices and physical obstructions can affect the wireless
signal and decrease the actual bandwidth available to a client.
802.11b. 802.11b devices operate in the 2.4GHz RF band and offer a slight improvement in range
over 802.11a, especially when located in buildings or around multiple obstructions. However, the
maximum throughput of 802.11b is considerably lower than 802.11a at 11Mbps.
802.11g. 802.11g was developed to combine the data throughput capabilities of 802.11a and the
increased range and reliability of 802.11b. It operates in the 2.4GHz RF band and offers a theoretical
bandwidth of 54Mbps.
802.11n. 802.11n is the most recently developed and published standard, and improves upon 802.11g
in both bandwidth and range. 802.11n also introduces the concept of multiple-input multiple-output
(MIMO) channels to allow the combining of multiple signals into a single data stream for increased
network throughput. While the physical maximum throughput on an 802.11n network is 150Mbps,
the ability combines the signals of up to 4 physical antennae and allows for a theoretical maximum
throughput of 600Mbps. 802.11n is quickly becoming the most common form of 802.11 network
deployed.
1-32
Released
Frequency
Data Rate
Outdoor
Indoor range range
802.11a
Sep 1999
5GHz
54Mbps
50 feet
100 feet
802.11b
Sep 1999
2..4GHz
11Mbps
150 feet
300 feet
802.11g
Jun 2003
2.4GHz
54Mbps
150 feet
300 feet
802.11n
Oct 2009
2.4-2.5GHz
600Mbps
300 feet
600 feet
1-33
Key Points
With the ease of implementation and physical availability of wireless networks, security is a major concern.
Unlike a wired network where a node needs to connect to a physical endpoint (typically inside a building),
a typical wireless network has no inherent physical security and is available for connection as long as the
node attempting connection is within range of the access point.
As the effective range of wireless networks increases, this lack of physical security becomes a greater
concern. Unauthorized access to the network and the potential loss or theft of business data is a
considerable liability in an unsecured wireless network.
There are several different security protocols developed for 802.11 networks.
Wired Equivalent Privacy (WEP). The WEP encryption standard was the original standard for wireless
LANs and provided 128-bit and 256-bit encryption of data transmitted over the network.
WEP uses a shared passcode or security key for the encryption of data. Users connecting to a WEPprotected network would be asked to enter this key upon initiating connection to the network in
order to be granted access. The overall strength of WEP security lies in the complexity of this key.
Short, simple keys that are easily guessable compromise the overall security of the protocol.
Multiple technical flaws were discovered in the WEP protocol encryption algorithm and were quickly
exposed by malicious hackers and industry watchdogs. WEP is the weakest of all wireless security
protocols and is considered to be outdated and has been largely superseded by other more secure
protocols.
WiFi Protected Access (WPA). WPA standards provide an increased level of security and stability over
WEP. It is comprised of two different versions:
WPAv1. WPAv1 was originally designed as a firmware upgrade to WEP. It allows for WEP-based
networks to be upgraded to the newer, more secure standard without the addition or
replacement of any devices. WPAv1 can utilize a variety of encryption algorithms.
1-34
WPAv2. WPAv2 offers several technical improvements over WPAv1, but retains the same basic
structure. WPAv2 is the most secure and preferred method of encryption over most wireless
networks.
Both WPAv1 and WPAv2 allow for two methods of security key configuration. They can use a single,
pre-shared key (PSK) that is used for universal access to the network in much the same way as a WEP
key. This method is referred to as WPA-PSK or WPA-Personal. The second method involves the
incorporation of a Remote Dial-In User Service (RADIUS) server to allow for individual nodes to retain
their own key. This implementation is referred to as WPA-Enterprise and eliminates the security risks
of using a single, shared key for universal network access.
In addition to the encryption methods listed above, several non-encryption methods exist that, when
combined with the use of encryption methods, further enhance wireless network security.
MAC filtering. MAC filtering allows a wireless access point to refuse connection to nodes accessing it
unless their MAC address is contained in a specific list stored on the access point. This allows for a
network administrator to enter the MAC addresses of only those nodes that should be allowed to
connect to the wireless access point.
Note: MAC filtering can be easily circumvented using a process known as MAC spoofing, whereby a
potential client provides a false MAC address with the purpose of obtaining access to the network.
Smart Cards and universal serial bus (USB) tokens. Physical devices, such as smart cards and USB
tokens also provide an additional layer of physical security to wireless networks. These methods
require the end user to have a smart card or USB token to physically attach to their computer before
access to the network is granted.
Hidden SSID. Another method for obscuring the identity of a wireless network is hiding the SSID.
Configurable at the access point, hiding the SSID prevents the SSID of the wireless network from
showing up in the list of available networks on a potential client. When a networks SSID is hidden,
clients need to know the SSID of the network and enter it manually to connect, along with satisfying
any other security requirements the network may have. A hidden SSID can add a certain level of
security to your network, but it should not be considered a security measure in itself; numerous
commonly known methods exist for locating and identifying hidden SSIDs.
1-35
Lesson 5
Almost every corporate LAN or WAN has a network link that connects it to the rest of the world, the
Internet.
The Internet has become the most important medium for global communications, and, as such, corporate
networks need to be connected to this global network to take advantage of what the Internet has to offer.
Objectives
After completing this lesson, you will be able to:
Describe a firewall.
1-36
Key Points
The Internet is a system of interconnected networks that spans the globe. It is used to connect billions of
users worldwide to a large variety of information, resources and services. It is comprised of both hardware
and software infrastructure that allows for the communication between any two computers connected to
the Internet.
The Internet has its roots in early WANs implemented by military and educational institutions to facilitate
communications between geographically dispersed computer systems or networks. As more nodes were
added and the network grew and began allowing for public access, the Internet gradually came into
existence. The advent of graphical content and the software that allowed for viewing this content began
the popularization of the Internet as a medium for public information exchange.
The physical structure of the Internet is somewhat ambiguous and constantly changing, but at its core, the
Internet bears many similarities to a vast, global WAN. While Internet communication appears
straightforward to the end user, the path that data takes between two communicating nodes can travel
over hundreds of different physical connections and be relayed through numerous intermediary network
nodes before reaching its destination. The Internet uses Internet Protocol (IP) as the basis for
communication between nodes.
Individual nodes or networks are typically connected to the Internet using the methods mentioned in the
last topic of the previous lesson. These methods typically involve connectivity through a
telecommunications provider. Global telecommunication providers provide the bulk of the physical
network infrastructure on which the Internet operates.
The Internet by nature is an open and generally non-secure system. When corporate LANs and WANs
connect to and through the Internet, specific devices, methods and concepts are applied to ensure the
integrity and private nature of the corporate LAN or WAN architecture.
1-37
Key Points
Intranet
An intranet refers to a private computer network that uses the IP suite of technologies to securely share
information within the network.
An intranet shares many communication methods with the public Internet and, as such, an intranet
environment functions very much like a small, encapsulated version of the Internet.
Intranets are commonly used to provide privatized versions of Internet communication methods, such as
Web sites, e-mail, or file transfer. They facilitate the same type of easy information sharing like the
Internet, but allow an organization to confine its scope to avoid the loss or theft of corporate data.
In general, a LAN refers to the physical structure that provides network connectivity where the term
intranet refers primarily to a group of services provided on that LAN.
Extranet
In its typical form, an extranet is a piece of a companys intranet that has been exposed to a larger
network, usually the Internet. This is usually done to share specific corporate information with partners or
customers and requires an extra level of security and network design to ensure that private information
within the intranet is separated from the information on the extranet and not inadvertently exposed to
the public. The information on the extranet itself is usually not left completely exposed to the public
Internet either, but protected with a security device such as data encryption or authentication
mechanisms like usernames and passwords.
1-38
What Is a Firewall?
Key Points
A firewall is the key component used in segmenting networks to protect a private network from security
risks inherent to connecting to an untrusted network. A firewall is a system or device used as a single
point of connection between separate networks. It interprets network communication and allows safe or
desirable network traffic to pass through while restricting or denying unsafe or undesirable traffic.
In a network environment, a firewall typically exists as a separate device or computer on the network that
is designated exclusively to perform the functions of a firewall. For example, a firewall may determine the
source address of a piece of data and deny or allow the data to enter the network.
The term firewall is also used to refer to a piece of software installed on a node computer that performs
traffic filtering similar to that of a dedicated firewall device. When the term is used in this lesson, it is used
to refer exclusively to the dedicated network firewall defined above, and not the node-based software
type.
Different types of firewalls allow for varying levels of network data inspection.
1-39
Key Points
The purpose of the perimeter network is to act as a security buffer between the untrusted and private
networks for resources that must be shared by those who are not part of the internal network. A
perimeter network commonly contains any nodes that share information with the public Internet. This
may include items like e-mail servers, Web servers or proxy servers.
Perimeter networks are generally implemented using firewalls. A firewall is placed at the connection of the
perimeter network to the untrusted network and another firewall typically separates the perimeter
network from the private network. This configuration separates the participating networks into three
zones: the private network, the perimeter network and the untrusted network.
The main function of a perimeter network is security. A perimeter network is neither entirely a public part
of the Internet, an untrusted network nor entirely a private part of the organizations network. The
purpose of the perimeter network is to act as a security buffer between the untrusted and private
networks.
1-40
Key Points
A proxy server is a variant of a firewall that is used primarily to process client requests for data that exists
outside of the network. Proxy servers are most commonly used to provide and control access to the World
Wide Web to ensure that the information being requested is safe and pertinent.
Proxy servers are also used to temporarily store or cache data, again, most commonly from the World
Wide Web. This allows the proxy server to redirect clients that request data from servers outside of the
local network to a locally stored copy for faster and more secure access.
Proxy servers are most commonly used in conjunction with a firewall. In this configuration, a firewall will
allow a specific type of traffic only if the traffic is originating from, or intended for, the proxy server. In this
way, clients wanting to send or receive that specific type of traffic must do so through the proxy server, or
their transmissions will be blocked or denied at the firewall.
Conversely, a reverse proxy server takes some or all data incoming to a network and distributes it to the
appropriate nodes on the network. Reverse proxy servers are commonly used for load balancing, which
allows the reverse proxy server to take large amounts of incoming data and distribute it among similarly
configured nodes, all capable of processing the data. Reverse proxy severs can also provide data security
filtering and caching in the same manner as a proxy server.
Lesson 6
Remote Access
Direct connections to private networks provide the fastest, most secure method for an organization to
share data and resources.
However, organizations are increasingly finding it necessary for their employees to have access to their
private network in situations where a direct physical connection is not possible.
Objectives:
After completing this lesson, you will be able to:
Explain RADIUS.
1-41
1-42
Key Points
In its basic form, a branch office refers to a location where an organization does business or hosts
employees outside of its central location of operations. It could be as large as or larger than the central
location itself, or as small as a single employee working from a home office.
Branch offices are typically located outside of the physical range of an organizations central LAN, in
another section of a large city or in another city, country or continent. These branch offices often require
the ability to provide some or all of the services provided by the central location, and almost always
require access to the same data and resources to operate efficiently.
An organization like a bank may require each of its branches to have access to financial information
stored in servers at the central office, or a real estate agency may have brokers that work from home
offices that require access to updated property and client information.
1-43
Key Points
While the majority of functionality on a typical corporate network happens within the LAN, organizations
are increasingly looking for ways to allow their employees access to their information while not directly
connected to the private network. In other situations, an organization may be unable to directly connect
one or more remote locations to the private network and require a different, more indirect approach. In
these situations, remote access is required.
Remote access methods typically use an intermediary and possibly untrusted connection method, such as
the Internet to indirectly gain access to a central private network.
Remote access may be required in any of the following situations:
Customers or partners requiring access to information hosted on the organizations private network.
Question: What other scenarios can you think of that would require remote access?
1-44
Key Points
When an intermediary or untrusted connection is used to gain access to a private network, the security of
the data traveling between the remote location and the private network as well as the security of the
private network itself becomes a serious concern.
To combat this concern and provide a safe means of transmitting private data and preventing
unauthorized access to the private network, encryption and authentication are used when implementing
remote access connections.
Encryption refers to the intentional scrambling or encrypting of data to prevent a third party from
reading the data should it be intercepted between its sender and its intended destination. When data
encryption is used for transmitting data on a network, its sender uses a specific algorithm to encrypt the
data and send it on the network. The intended receiver, aware of this encryption, uses the same algorithm
to unscramble, or decrypt the data.
Typically, encryption is combined with a method used to prove that the nodes involved are indeed the
nodes for which the communication is intended. In other words, the identities of these nodes are verified.
This method of verification is referred to as authentication. Authentication is typically implemented as a
password or combination of user identification and a password, but can also include physical methods
such as digital certificates, smart cards or USB tokens.
1-45
Key Points
At one point, direct dialup access was the most popular method of providing remote access to a private
network. With the advent of widely available high speed internet access, dialup access has been largely
replaced by VPN connections.
When encryption and authentication are implemented to protect information traveling across a remote
access connection, a VPN is created.
Fundamentally, a VPN exists when a secure connection has established between a node and a private
network using an intermediary and typically untrusted network. This connection is commonly referred to
as a tunnel, which describes the secure connections separation from the intermediary network due to the
encryption used for the data.
Technically, VPNs are implemented using a variety of methods that govern communication mechanisms,
encryption and authentication, but whose technical definition is outside the scope of this topic. Several of
the most common VPN protocols are listed below.
DirectAccess
DirectAccess is a new feature available when using a Windows 7 operating system computer to connect
to a Windows Server 2008 R2 operating system-based network. DirectAccess gives users the experience of
being connected to their corporate network any time they have Internet access.
When DirectAccess is enabled, requests for corporate resources (such as e-mail servers, shared folders, or
intranet Web sites) are securely directed to the corporate network, without requiring users to use a third
1-46
party VPN solution. This allows for the same user experience regardless of whether the computer is
connected to the corporate network or not. The DirectAccess client is connected to the corporate network
before the user even logs on, making the login and authentication process identical to the process used
when connected directly to the corporate network.
DirectAccess uses Internet Protocol version (IPV6) for communication between clients and servers.
However, connection from and through non-IPV6 networks can be coordinated automatically using a
number of different IPV6 translation technologies which are configured at the DirectAccess server.
The following points provide key information regarding DirectAccess when enabled in a Windows Server
2008 R2 environment:
Windows 7 or Windows Server 2008 R2 is the required operating system on the DirectAccess client
computer.
Windows Server 2008 R2 is the required operating system for the DirectAccess server in the corporate
network.
The DirectAccess server must be a member of the Active Directory domain, but not a domain
controller.
1-47
RADIUS
Key Points
RADIUS is a networking protocol that provides for centralized management of authentication,
authorization and accounting or tracking for nodes that connect to and utilize remote access. RADIUS is a
very common protocol available for use in most network environments and is used to perform the
following functions with regard to remote access:
Account for and track the usage of those services and resources
A server implementing RADIUS allows an organization to simplify and better manage remote access to
their network, especially when multiple remote access points exist in the environment.
1-48
Read the supporting documentation. The following emails were sent to you by the Seattle office
manager.
E-mail #1
From:
Subject:
Susan Walker
Seattle office building
Hi,
We have been working with the new building contractors and they have come up with a basic design.
1-49
No drawings have been drafted yet, so I will try to explain what they have in mind. The space will
basically be split into two parts. We will have six offices in one part of the office for our design team
members, typical office stuff. The other half will be a large, open conference room built for partner
consultation. Basically, it will be a place where our consultants meet with our partners to show them
progress on projects, samples of media and things like that. Its going to be pretty casual, with most of
the furniture being couches and coffee tables.
I hope that gives you a good enough idea for your side of things.
Thanks,
Susan
E-mail #2
From:
Subject:
Susan Walker
Seattle staff
Hi again,
Here are the details on our Seattle staff and what each of their roles entails.
We will have three video editors that will be in three of the six offices, Frank, Lisa and Peter. The bulk of
their day is spent editing video for various projects. They work as a collaborative team, so they are
constantly sending material (videos) back and forth to each other. Frank asked me to tell you that the
videos can be really big. They have issues with the videos taking a long time to copy to and from the
server in New York. Im not sure if there is something you can do to improve that in Seattle.
There are four creative consultants. Nick and Brenda will be in the office and John and Martha will be
working from home offices. Their primary role is to meet with our partners to determine overall needs.
Then they come up with the basic design concept and forward it to the video editors who begin the
video design process. Throughout the process, the creative consultants provide samples of the work
being done and get feedback from the customers. This will be done using the conference room for local
partners and Im hoping you can come up with something that will allow our out-of-town partners to
view and comment on the development process remotely? Our internal staff will need to be able to
view and update the material, and our home users and partners will need to be able to view and update
it from their locations. This is sensitive information, so it needs to have some type of password or
security around it so not just anybody can see it. They have also asked if there would be a way for both
the in-office consultants and the two coming from home to have access to the material located on the
server to show clients on their laptops when they meet in the conference room.
We also need to be able to share files with New York as well. My primary role is to manage the staff
here and provide general updates and material samples to New York as well. This typically doesnt
involve a lot of files or very big files, but it does need to be secure, and our partner agreement doesnt
allow us to use e-mail to send the files, so they will have to be hosted on some sort of server, I guess. I
am not very technical, sorry.
Hopefully thats what youre looking for. Thanks for your time.
Susan
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: Component Needs
Assessment.
Branch Office Network Infrastructure Plan: Component Needs Assessment
Document Author:
Date:
Requirements Overview
You
22nd March
1-50
Recommend basic infrastructure components for the implementation of the network in the new Seattle
location.
Recommend infrastructure to connect the Seattle location to the New York location.
Recommend infrastructure to allow home office users and partners access to the resources they need
from the Seattle location.
Proposals
1.
2.
3.
4.
What Ethernet infrastructure should be used for the staff offices portion of the Seattle location?
What infrastructure should be used to connect the conference room portion of the Seattle location?
What components and technology would you use to connect the New York and Seattle branches?
What is the best architecture to allow both partners and home office users to access their
information using only one method of access?
Results: After this exercise, you should have identified the infrastructure and components required to
implement a network in a new location.
1-51
Review Questions
1.
2.
1-52
Module 2
Connecting Network Components
Contents:
Lesson 1: Understanding the OSI Model
2-3
2-11
2-19
2-26
2-34
2-1
2-2
Module Overview
Networks consist of a variety of components; these components fall into various categories based on their
operational characteristics. For example, those components that deal with electrical signaling are referred
to as low-level network components. Conversely, those components that handle user requests, for
example applications, are referred to as high-level components.
This module explores the functionality of low-level networking components, including switches and
routers. In addition, the module provides guidance on how best to connect these and other components
together to provide additional network functionality.
Objectives
After completing this module, you will be able to:
2-3
Lesson 1
Over the years, many networking protocol stacks have been developed by different vendors to support
their own networking products. In order to bring some structure and standardization to this independent
evolution of network protocol stacks, the International Organization for Standards (ISO) developed the
Open Systems Interconnection (OSI) reference model.
Objectives
After completing this lesson, you will be able to:
2-4
Key Points
The OSI model defines the generic tasks that are performed for network communication. You can think of
each layer of the OSI model as a piece of software or hardware that performs specific tasks for that layer.
Each layer communicates with the layer below and the layer above. Application data that is transmitted
over the network must pass through all of the following seven layers.
Layer
Description
Application
Presentation
Translates the data generated by the application layer from its own syntax into
common transport syntax suitable for transmission over a network.
Session
Transport
Ensures that packets are delivered in the order in which they are sent and without loss
or duplication.
Network
Determines the physical path over which data is transmitted based on network
conditions, the priority of services, and other factors. This is the only layer of the OSI
model that uses logical networking and can move packets between different networks.
Data-link
Provides error-free transfer of data frames from one computer to another over the
physical layer. The media access control (MAC) address of a network card exists at this
layer and is added to the packet to create a frame. Data is passed from the data-link
layer to the physical layer as a stream of 1s and 0s.
Physical
Defines the physical mechanisms for placing a raw stream of data bits on the network
cabling.
2-5
A router is a layer 3 device. Based on this you know that a router understands logical networks and
can move packets from one network to another.
Hypertext Transfer Protocol (HTTP) is a layer 5-7 protocol. Based on this you know that applications
use HTTP to communicate over the network.
Ethernet is a standard for layers 1-2. Based on this you know that Ethernet defines physical
characteristics for media (network cabling), how signals are transmitted over that media, and when
devices are allowed to communicate on the media.
2-6
Key Points
The lower layers of the OSI model are responsible for encapsulating requests from the upper layers into a
meaningful structure to be merged onto the media; the way in which this is done varies from one network
architecture to another.
The data-link layer is responsible for:
Encapsulating requests from the middle layers into data-link frames and passing these to the physical
layer for merging onto the media.
Error checking.
Converting the data-link frames into a meaningful signal for merging onto the media.
2-7
Key Points
In the middle of the OSI model sits the transport and network layers. These layers are often referred to as
the network protocol layer.
The transport layer is responsible for:
Encapsulating application requests in datagrams and passing these to the network layer.
Routing packets to the appropriate logical address as identified by the upper layers.
Encapsulating transport layer datagrams into network packets and passing them to the data-link
layer.
Passing incoming packets up the protocol stack to the appropriate transport layer protocol.
In the early days of networking, different vendors produced their own, proprietary networking protocols.
These included:
Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX). This Novell protocol was used to
provide transport and network layer services for the Novell NetWare operating system. Although
proprietary, the protocol stack was widely implemented in other networking operating systems,
including Microsoft Windows Server operating systems. SPX is a transport layer protocol, while
IPX provides network layer support.
2-8
AppleTalk. Another proprietary protocol providing transport and network layer functions. The Apple
Corp. implemented this protocol to support their Apple Mac computer systems. Microsoft
Corporation provided some support for this protocol in their Windows platform.
TCP/IP. Initially developed as a suite of protocols to support applications running on the UNIX
platform. During the 1990s, this protocol began to gain acceptance by network product vendors,
including Microsoft, Novell, and Apple. TCP/IP provides a four-layer architecture that offers support
for all layers of the OSI reference model. TCP/IP implements two transport layer protocols: TCP and
User Datagram Protocol (UDP). At the network layer, IP is implemented.
Networking services sit on top of the protocol stack, and pass instructions down the stack to the media. It
is the job of the network protocol stack to interpret service requests and encapsulate them in a form
accessible by lower-level protocols.
2-9
Key Points
The upper layers of the OSI model consist of the Application layer, the Presentation layer, and the Session
layer. These upper layers are occupied by network applications, or services.
The application layer is responsible for interacting with network-aware software components. Functions
typically include:
The presentation layer provides independence from differences in the way in which network data is
presented; this enables applications, which use different syntax, to communicate. The presentation layer:
Establishing, maintaining, and terminating connections, known as sessions, between local and remote
applications.
Selecting the appropriate transport layer protocol for communications with remote applications.
Different network operating systems implement different network services, but they provide similar
functionality:
Authentication
2-10
2-11
Lesson 2
Operating at the lower levels of the network architecture, switches and hubs are responsible for
connecting physical devices together. The choices that you make regarding the deployment and
configuration of these components can have far-reaching effects on the behavior of interconnected
devices and overall network functionality and performance. It is therefore important that you are able to
differentiate between devices such as hubs and switches and be able to select a hub or switch based on its
functionality.
Objectives
After completing this lesson, you will be able to:
Describe hubs.
Describe switches.
2-12
Key Points
A network adapter is the lowest level component that you install in your computer. It is responsible for
converting instructions from higher level components, specifically the network protocol stack, into
electrical signals and merging these signals onto the network media.
The network adapter is also responsible for converting electrical signals received on the wire into
meaningful instructions that it then passes up to the network protocol stack.
Note: The network media might be physical wiring or a wireless network. For convenience, the term
wire will be used except where an explicit differentiation is required.
2-13
Note: Aside from these unique MAC addresses, the addressing fields in a frame can also contain
specially formatted addresses; these include broadcasts and multicasts. These special addresses and the
types of communications that require them are discussed later in the course.
In addition to the destination and source MAC addresses, a frame contains various other fields including a
data field; this data field contains the protocol stack message. The last field in a typical frame is the frame
check sequence (FCS); this field is used to calculate a checksum value to determine the integrity of the
frame. Frames that are damaged in transit are dropped by the network adapter.
2-14
Transmission Speeds
Key Points
The services supported by your network and the volume of data that it supports are determined by
several factors, including transmission speeds of the network components you install.
Note: The term bandwidth is often used to describe the transmission speed of a network.
Early networks operated at low bandwidths by todays standards. For example, early implementations of
Ethernet operated at three million bits per second or 3 megabits per second (3 Mbps). Modern network
technologies are capable of transmitting much faster than this; typical Ethernet operates at a bandwidth
of between one gigabit per second (Gbps) and 10 Gbps.
It is important to remember that although the bandwidth of your network might be 1 Gbps, the actual
throughput (or the volume of data in bits) may be considerably less. One reason for this is because
popular network technologies such as Ethernet operate on a contention basis. In other words, the nodes
or hosts on the network compete for bandwidth. This contention process leads to loss of throughput.
2-15
What Is a Hub?
Key Points
Some early networks used wiring systems in which each node was connected to the others directly in a
ring. Other networks implemented a single cable that was routed to each node in sequence creating a
chain of networked computers. There are a number of problems with both of these cabling methods.
Firstly, if the cable was damaged, network integrity was lost and communication was disrupted; secondly,
because cabling was often laid with a view to limiting cable lengths, or finding a convenient path to the
next node, it was not always easy to locate the faulty cable. As networks became more popular,
administrators sought to solve these problems.
Later on, network devices that enabled star wiring of networks nodes were adopted. These devices were
known as hubs and enabled each network node to be connected back to a central point. This addressed
the problem of unstructured wiring and also of network failure resulting from a break in the cable. A cable
fault resulted in a single node being isolated.
Some early hubs supported different types of cabling connectors, referred to as ports, to enable
connection of twisted-pair cabling, coaxial cabling, and other media. Even todays simple consumer hubs
support wired, wireless, and asymmetric digital subscriber line (ADSL) ports.
It is possible to use hubs to extend your network. Depending on the network topology being used, you
can connect a chain of hubs together potentially over quite long distances.
Note: Ethernet has a number of rules that define how you can extend the network. As defined in the
5-4-3 rule, you can connect five segments using four repeaters so long as only three of the segments
have active nodes. Given that in early, coaxial implementations of Ethernet, the maximum segment
length with thick coaxial was 500 meters, the maximum end-to-end length of an Ethernet network is
defined as 2.5 kilometers; this does not take account of bridging or routing as a means to extend the
network.
2-16
Characteristics of a Switch
Key Points
In contention-based networks, like Ethernet, all connected nodes share the media and its available
bandwidth. Consequently, if there are ten nodes on a network with a 10 Mbps bandwidth, it can be said
that each node has an available bandwidth of a tenth of the total bandwidth, or 1 Mbps. If you add nodes
to the network, the share each has of the total decreases in inverse proportion to the number of
connected nodes. Thus, when there are twenty nodes each has a twentieth of the bandwidth. A significant
problem of contention networks with many connected nodes is that throughput degrades. The simple
solution is to reduce the number of nodes in each segment; you can do this by implementing MAC-level
bridging.
A switch is like a hub; it acts as a wiring concentrator to which all network devices are connected. It
performs the same isolation when a cable failure occurs while maintaining the integrity of the network.
However, there are some fundamental differences.
Characteristics of a Switch
Layer 2 Switches
The significant difference between a hub and switch is that the switch is able to perform MAC-level
bridging between ports. In other words, each node has exclusive use of the bandwidth of the segment for
the duration of its transmission. The switch acts as a multiport MAC-level bridge, switching traffic between
the ports as required.
You can configure each host to have a single port, or you can connect a hub to a switch port. When
connecting a hub to a switch port, the nodes on the hub all share the bandwidth configured for the port
on the switch to which the hub is connected. In this way, you can determine how much bandwidth is
available to each port and nodes connected to the ports. Switches that exclusively provide function are
sometimes differentiated by being referred to as layer 2 switches.
2-17
Layer 3 Switches
Some switches can provide protocol-specific routing functions at the protocol stack layer. For example,
you can configure the switch to provide routing for IP packets, but to perform MAC-level bridging for
non-IP-based frames. Switches that provide this routing functionality are referred to as Layer 3 switches.
Note: Network protocols, like IP, encapsulate instructions received from higher level protocols, such as
TCP, into a structure known as a packet.
Layer 3 switches route packets. The switch examines the packet and makes a routing decision based on
the destination packet address. Layer 3 switches also perform additional routing functions. For example,
layer 3 switches can check packet integrity, respond to Simple Network Management Protocol (SNMP)
management systems, and observe and decrement packet time-to-live (TTL) values.
In some ways, a layer 3 switch can provide a number of improvements over more traditional routers. For
example, layer 3 switches:
Divide networks into logical subnets by using the layer 2 configuration rather than at the port level,
like a traditional router; this provides a more flexible configuration.
Bear in mind that layer 3 switches do not provide support for WANs.
Layer 4 Switches
Some more advanced switches are equipped with a firewall service module that enables the switch to
make forwarding decisions based on the type of data in the segment. These types of advanced
functionality switches are often referred to as layer 4 switches.
Note: Transport protocols, like TCP, encapsulate instructions received from applications into a
structure known as a segment.
Switches with a firewall service module examine the content of segments received and determine whether
and how to route the segment based on the specific TCP port being used.
Note: TCP ports are examined in a later module of this course.
In addition to port switching, layer 4 switches (and some layer 3 switches) are able to make switching
decisions based upon the priority of network traffic. In this mode, lower priority traffic is buffered at the
switch while higher priority traffic is handled.
Note: Quality of service (QoS) values are a way of indicating the priority of traffic and some network
transport protocols implement QoS to support application prioritization needs. The switch is capable
of reading and interpreting these QoS values.
2-18
What Is a VLAN?
Key Points
A local area network (LAN) is often referred to as a broadcast domain. This means that nodes connected
to the LAN can use a broadcast, when necessary, to communicate with one another. Generally, routers do
not propagate broadcasts, and so another definition of a LAN is a collection of nodes bounded by routers.
Note: A broadcast is a specially addressed network frame that is processed by all nodes connected to a
LAN segment. Bridges, and MAC-level switches, pass broadcasts. Routers typically do not. The
destination MAC address of a broadcast frame is: FF-FF-FF-FF-FF-FF.
A VLAN is a virtual implementation of a LAN, defined within the switch or, between switches. You can
configure the switch, or switches, in such a way that traffic handled between certain ports on the switch is
treated as though it were traffic on a single LAN. Traffic from other ports outside this VLAN is typically
routed.
The advantage of implementing VLANs is that you can:
Exert a fine degree of control over how traffic moves through your network.
Control network bandwidth by configuring nodes that frequently communicate with one another
onto the same VLAN.
Easily reconfigure your VLAN to encompass more or fewer nodes. You might need to rewire your
network to achieve the same ends with a LAN.
Isolate network traffic to a specific VLAN; for example, to isolate computers that do not meet
organizational security requirements.
2-19
Lesson 3
Understanding Routing
It is important to understand how routers make routing decisions so that you can plan their deployment
and configuration to support the desired functionality of your network. Different routing protocols are
suited to different network environments. A good understanding of these different protocols will enable
you to manage your LAN and wide area network (WAN) more efficiently.
Objectives
After completing this lesson, you will be able to:
Describe routers.
2-20
What Is a Router?
Key Points
Historically, routers were implemented in networks in order to extend the LAN into a WAN. One router
interface would be connected to the LAN, and another to a telephony circuit of some type. At the
destination, a similarly configured router was deployed. Packets could flow between the networks as
required.
As the cost of routers decreased, network administrators began to implement routers within a single
geographic location in order to manage traffic. Routers forward packets based on the destination network
identification (ID) rather than on the MAC address of a host. Routers operate at the network layer and
handle transport protocol instructions encapsulated in packets.
Network nodes determine that a destination host is on another LAN (or VLAN) when they initiate
communications. Elements of the network transport protocol make this determination by comparing the
source and destination network addresses in the packet. When a node is determined to be in a different
network, the node attempts to route the packet to that network. Usually this means that the packet is
forwarded to a router on the local network. This behavior is a significant departure from the way
communications occur with layer 2 switches or bridges; the nodes explicitly address the frame to the
router that will handle the routing process of the encapsulated packet.
In order to perform routing, the router must know what other networks exist and how to reach them.
Routers maintain this information in routing tables. Routing tables are either static or dynamic. Static
routing tables are maintained by a network administrator who must add the required routes manually to
the table. Dynamic routing tables are maintained by the propagation of routing information between
routers themselves using specialist routing protocols.
2-21
Key Points
A router determines the destination network for a packet by examining the destination network address
and comparing it to entries in its routing table. If the destination network is found in the routing table,
and there is a single route to that network, the router forwards the packet to the next router in turn.
When multiple routes to the destination network exist, the router must make a selection as to the best
route.
To determine the best path to a remote network, routers use routing algorithms. Most algorithms support
multiple paths between networks. Multiple paths are beneficial because they enable redundancy in your
routing architecture. Some routing algorithms use a hierarchical structure and implement routing
backbones. Hierarchical routing structure helps ensure you use the routing infrastructure efficiently by
bypassing slower, localized networks in favor of the backbone.
Some algorithms implement distance vectors in which routing tables are periodically propagated to all
neighboring routers. Others use link-state propagation, in which smaller, more frequent updates are
propagated.
Route Selection
The router attempts to choose which route to use based on factors such as the route with the most
reliable link, the route with the least cost, or perhaps the route with the lowest current network load; these
criteria are known as metrics. Commonly implemented metrics include:
Bandwidth
Path cost
Reliability
2-22
Hop count
Note: A hop occurs when a packet transits a router.
When the router has selected a route, it forwards the packet to the next router in turn.
Note: Each packet on an IP network has a field called the TTL counter. Every time the packet transits
through a network device, such as a router, the TTL counter is decremented by at least one. When the
TTL reaches zero, the router then holding the packet drops it; this ensures that packets do not loop
around the network.
Routing Example
For example, in the following scenario, a packet is routed across three networks: network A, network B,
and network C. Two routers connect these networks, each configured with a routing table. A host in
network A communicates with a host in network C. The following are steps describing how network A
communicates with network C:
1.
2.
3.
4.
5.
6.
The originating host creates a packet addressed to C:12. The host determines that network C is not
the local network.
It has no knowledge of network C and forwards the packet to an adjacent router.
The router receives the packet and examines the destination address. It compares the destination
network address and determines that it has an appropriate entry for the destination network in its
routing table.
In this instance, it forwards packets for network C to interface B.254.
The second router receives the packet and examines the destination address. It compares the
destination network address and determines that it has an appropriate entry for the destination
network in its routing table. In fact, the router is locally connected to the network destination
network.
The second router forwards the packet to the appropriate host.
a network, you do not need to update all of your routing tables; the routing protocols that you
implement make these changes automatically.
2-23
2-24
Key Points
By implementing a routing protocol on your routers, you enable your routers to learn about the state of
networks, and the routes to those networks. Additionally, this learned information can be propagated
onwards to other routers in your organization.
The way in which route propagation occurs varies between routing protocols. Some route propagation
methods are better suited to large internetworks, while others are more appropriate for small networks.
Routing protocols fall into one of two categories. The first is interior routing protocol, used for
propagating routing information within an enterprise network. The second is exterior routing protocol,
used for propagating routing information between enterprises; for example, on the Internet.
The following information summarizes the common routing protocols:
Routing Information Protocol (RIP). A popular Interior Gateway Protocol (IGP). RIP uses a distance
vector algorithm to identify remote networks. It supports relatively small internetworks as destinations
with a hop count greater than sixteen considered unreachable.
Open Shortest Path First (OSPF). A popular link-state IGP routing protocol. OSPF uses a link-state
mechanism to propagate routing information. Link-state protocols maintain data regarding the
network segments to which they are connected and the current state of these networks.
Consequently, OSPF protocols are suitable for larger internal networks than RIP.
Border Gateway Protocol (BGP). This exterior gateway protocol (EGP) was specifically designed to
enable interconnection of many enterprises on the Internet.
2-25
Key Points
Consider the following questions, and then discuss your answers with the class.
Question: A subsidiary of Fabrikam, Inc. has a medium-sized network consisting of around 500 nodes.
These nodes are distributed across several floors in their headquarters building. Additionally, there are
about a dozen branch offices each with around ten nodes. Routers have been deployed within the
network to interconnect the networks. Would you recommend static or dynamic routing?
Question: Is the use of a routing protocol indicated? If so, which one would you recommend?
Question: Tailspin Toys has a small network consisting of around 100 nodes. Recently, network
throughput has been affected by network traffic. You decide to install routers to help manage the
network traffic. Initially, there will be three networks connected by two routers. Would you recommend
static or dynamic routing?
Question: How else could you configure these routers?
Question: Tailspin Toys implements an Internet connection by using a router. How does this change the
router configuration you have selected?
2-26
Lesson 4
Although you can connect devices to a network using wireless components, it is more usual to use wired
media. There are a variety of wired media types, each with different characteristics: cabling distances, load
and resistivity, and the ability to resist external electromagnetic interference. This lesson explores the
cabling characteristics and standards.
Objectives
After completing this lesson, you will be able to:
2-27
Coaxial Cable
Key Points
Construction
Coaxial (coax) cable consists of two copper conductors separated by insulating materials. The central core
is manufactured from either stranded or solid copper wire, surrounded by an insulator. Around this first
insulator is a second, stranded copper conductor. The whole is then protected by a plastic covering.
Coax has different electrical characteristics based upon its construction. Thin coax supports shorter cable
runs and fewer devices, while thick coax can span greater distances and supports the connection of more
devices. Thick coax enables longer cable runs and more devices, but is unwieldy. Consequently, it is more
usually used to provide backbone connections.
Standards
There are two standards that define coax cable characteristics:
American Wire Gauge (AWG). This defines the diameter of the central conductor. A numbering
system indicates the diameter used. For example, 14 AWG indicates a thicker cable, while 18 AWG is a
thinner cable. It is important to realize that the electrical characteristics of the cable change with its
diameter; specifically, thicker wire carries higher currents further because it has lower resistance over a
given distance.
Radio Grade (RG). Developed by the US military, these standards define coax characteristics in terms
of susceptibility to interference and resistivity. There are many RG coax standards; networking
components use a small subset:
RG58. Fairly thin and flexible; consequently, ideal for connecting nodes to the network. However,
RG58 does not support long cable runs or a large number of connected devices. It has an
impedance of 50 ohms and uses 20 AWG copper wire.
RG59. As for RG58, but with a slightly thicker (18 AWG) core and an impedance of 75 ohms.
RG11. Thick coax cable with 75 ohm impedance. 14 AWG cable provides the solid core.
2-28
Connectors
Coax is connected to network devices using a variety of connector types based on the thickness of the
wire.
Thick coax. Devices use a piercing tap, or vampire connector, to connect to thick coaxial cable. The
connector surrounds the cable, and conductive spikes penetrate the cable to the central and outer
conductors. The connector is then attached to the network device by using an Attachment Unit
Interface (AUI) connector; this 15-pin connector is also sometimes known as a Digital Intel Xerox (DIX)
connector.
Thin coax. RG58 and RG59 use Bayonet Neill Concelman (BNC) connectors. Generally, the network
adapter in the host is connected to the RG58 by using a T-piece connector with BNC ends.
Note: Coax must be terminated. In order to prevent signals reflecting back up the media, a resistor is
attached to both ends of the cable; this absorbs the signal, preventing reflection. You must use a
terminator of the correct impedance.
Coax is not commonly used in networking applications today. This is primarily because of the
unstructured nature of the wiring and the relatively high installation costs. In addition, coax is not
especially fault-tolerant. A break in the cable disrupts the entire segment because you now have two
unterminated segments. It is also quite difficult to locate the exact location of the cable break, although
devices like Time Domain Reflectometers (TDRs) can be used to help.
2-29
Twisted-Pair Cable
Key Points
You can use twisted-pair cabling to support a number of applications including telephony and
networking.
Construction
As the name suggests, the cable is constructed from a pair, or sometimes several pairs, of insulated cables,
twisted around one another, all enclosed in a protective outer sheath of plastic.
Note: The proximity of the other cable in the pair can introduce crosstalk, or interference. It is the
twisting that helps eliminate this. The more twists per meter, the higher the cable rating; for example
Category (Cat) 4 cable has fewer twists per meter than Cat 5 cable.
To help eliminate external interference, the twisted-pair cable is wrapped in a layer of insulation. Some
cables have more of this insulation to provide for improved EMI-resistance. Twisted-pair cabling with
thicker shielding is referred to as shielded twisted pair (STP), while the standard twisted-pair cabling is
referred to as unshielded twisted-pair (UTP).
Connectors
You connect devices with STP or UTP to the network using a number of different connectors.
RJ11. A four-contact connector supporting two-pair cables typically used for telephony.
RJ45. An eight-contact connector supporting four-pair cables typically used for data applications.
2-30
Key Points
Standards maintained by the Telecommunications Industry Association (TIA)/Electronic Industries Alliance
(EIA) define the additional characteristics of twisted-pair cable.
These standards are often referred to as the CAT standards.
CAT
Number of
pairs
Distance
(meters)
Capacity
(Mbps)
Frequency
Use
Voice/Modem
10
10
16
Ethernet
100
16
20
Token Ring
100
100
100
High-speed Ethernet
5e
100
1000
100
Gigabit Ethernet
100/55
1000+/10Gbps
250
6a
100
10Gbps
500
10G Ethernet
100
10Gbps
600
10G Ethernet
2-31
Fiber Cable
Key Points
Copper cables suffer from the effects of EMI and in addition, they also suffer from a loss of signal, called
attenuation, over distance. Fiber cables are less prone to either of these. Since fiber cables are more
reliable, they are used in situations that demand longer cable runs or in areas where high-levels of EMI are
expected; around lift shafts, for example.
Construction
An optical fiber cable is constructed of:
Cladding. This covers the core. Light signals cannot traverse this layer. The reflective surface of the
cladding layer reflects the light signals back into the core.
Buffer. This protective layer is placed around the core and cladding.
Note: Because each optical fiber supports light signals in only one direction at a time, some cables
implement multiple fibers bundled in a single cable.
Multimode fiber. Consists of several fibers. Light signals are generated by light-emitting diodes
(LEDs). Typically, multimode fiber supports bandwidths of around 100 Mbps at distances of up to 2
kilometers and 10 Gbps over 300 meters.
Single-mode fiber. Contains a single, thin fiber that supports higher bandwidths and longer cable
runs than multimode fiber. 40 Gbps is possible over distances of several hundred kilometers. Light
signals are generated by laser diodes. More expensive than multimode fiber.
2-32
Connectors
There are a variety of connectors for use with fiber cabling, depending on whether you are using
multimode fiber or single-mode fiber, and the particular application of the cable.
Straight Tip (ST). The fiber equivalent of a coaxial BNC connector, using a push-and-twist locking
system. Typically used with multimode fiber.
Ferrule Connectors (FCs). Older single-mode fiber connectors, now replaced by SCs and LCs.
Mechanical Transfer Registered Jack (MT-RJ). Support multimode fiber cables using a snap-on
connector.
2-33
Key Points
There are a number of cabling options to choose from. Consider the following questions, and then discuss
your answers.
Question: Fabrikam has purchased a new building to house their Research and Development team. There
are two floors, each to support around one hundred network nodes. Each workstation is to have a
telephone installed. You want to minimize future disruption, so any cabling solution must provide for
emerging standards. The nature of the work the R & D team undertakes necessitates a high bandwidth
solution. What cabling system would you recommend?
Question: Fabrikams R & D center is across the private parking lot from the head offices. You need to
connect the R & D office back to the head office so that research staff has access to corporate services.
What cable would you recommend for this application?
2-34
Lab Setup
For this lab, you do not require any virtual machines.
Lab Scenario
Contoso, Ltd has created a new research and development team. As a result, a number of remote R & D
branch offices are being fitted.
2-35
Supporting Documentation
E-mail thread of correspondence with Ed Meadows:
Charlotte Weiss
From:
Sent:
To:
Subject:
Attached:
Ed Meadows [Ed@contoso.com]
1 Feb 2010 14:20
Charlotte@contoso.com
New branch offices
Contoso Branch Network Plan.vsd
Charlotte,
The network diagrams you suggested. Theyre not quite completed yet, but you can update them with the
details of the components you require.
As you can see, there are three branches, and then the R & D function at the head office. We need to
connect the computers together in the branches and then connect the branches to the head offices.
Regards,
Ed
2-36
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Components Deployment Plan document.
Branch Office Network Components Deployment Plan
Document Reference Number: CW010210/1
Document Author
Date
Charlotte Weiss
1st Feb
Requirements Overview
To determine which components to install to connect nodes at branch offices and to connect
branches to head office.
Additional Information
High-bandwidth applications will be used in the branches.
Devices must provide for virtual local area networks (VLANs) to support project teams that span
each branch.
Traffic should be isolated in the branch except where necessary.
It should be possible to manage traffic in the branch based upon its priority.
Proposals
1. What devices are required in the branches to support these requirements?
Results: After this exercise, you should have completed both the Contoso Branch Network Plan.vsd
diagram and the Branch Office Network Components Deployment Plan.
2-37
2-38
Supporting Documentation
E-Mail thread of correspondence with Ed Meadows:
Charlotte Weiss
From:
Sent:
To:
Subject:
Ed Meadows [Ed@contoso.com]
20 Feb 2010 13:00
Charlotte@contoso.com
Wiring at the branches
Charlotte,
Thanks for the component deployment plan. Good work.
I want you to consider the wiring plan, now. As I understand things from Alan Brewer, theres going to be
quite a bit of network traffic. Whatever we use needs to support high capacity.
In addition, the branches use some weird scientific kit; Alan told me all about it, but it was way over my
head. However, the upshot is that we might experience some high levels of EMI.
Finally, cost is a factor. Were getting near the end of the financial year, and Alans drawing on the last of
his departmental budget. See what you can do to keep the cost down.
Regards,
Ed
Oh yes, he doesnt want to have to rewire anytime soon. Make sure this is future-proofed as far as budget
allows.
2-39
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Wiring Plan document.
Branch Office Network Wiring Plan
Document Reference Number: CW200210/1
Document Author
Date
Charlotte Weiss
20th Feb
Requirements Overview
Provide a wiring plan for the branch offices.
Additional Information
Quite high bandwidths are expected.
High levels of electromagnetic interference (EMI) are expected in some areas of the branches.
Cost is a limiting factor.
The solution, so far as is possible, should be future-proofed.
Proposals
1. What sort of cable would be suitable here, bearing in mind the information supplied and the plan
you outlined for network components earlier?
2. How will you address the issue of high levels of EMI?
3. What cable standards do you propose?
Results: After this exercise, you should have completed the Branch Office Network Wiring Plan.
2-40
Review Questions
1.
2.
3.
Implementing TCP/IP
Module 3
Implementing TCP/IP
Contents:
Lesson 1: Overview of TCP/IP
3-3
3-11
3-24
3-32
3-42
3-55
3-1
3-2
Module Overview
Network protocols are responsible for providing a communications channel between applications running
on separate hosts. Most network protocols are actually a collection of multiple protocols, collectively
known as a protocol stack. Each of the protocols in the stack provides a different networking function.
This module describes the requirements of a protocol stack and then focuses on the Transmission Control
Protocol/Internet Protocol (TCP/IP) protocol stack.
Objectives
After completing this module, you will be able to:
Implementing TCP/IP
3-3
Lesson 1
Overview of TCP/IP
Objectives
After completing this lesson, you will be able to:
Describe a Windows Socket and identify port numbers for specified protocols.
3-4
Key Points
The tasks performed by TCP/IP in the communication process are distributed between protocols that are
organized into four distinct layers of the TCP/IP stack.
The four layers of the TCP/IP protocol stack are:
Transport layer. Protocols used to control data transfer reliability on the network.
Network interface layer. Protocols that define how datagrams from the Internet layer are transmitted
on the media.
Separate protocols make it easier to support a variety of computing platforms. Creating or modifying
protocols to support new standards does not require modification of the entire protocol stack.
Having multiple protocols operating at the same layer makes it possible for applications to select the
protocols that provide only the level of service required.
Because the stack is split into layers, the development of the protocols can proceed simultaneously by
personnel who are uniquely qualified in the operations of the particular layers.
Implementing TCP/IP
3-5
Key Points
The Open Systems Interconnection (OSI) model defines distinct layers related to packaging, sending, and
receiving data transmissions over a network. The layered suite of protocols that form the TCP/IP stack
carry out these functions.
Application Layer
The application layer of the TCP/IP model corresponds to the application, presentation, and session layers
of the OSI model. This layer provides services and utilities that enable applications to access network
resources.
Transport Layer
The transport layer corresponds to the transport layer of the OSI model and is responsible for end-to-end
communication using TCP or User Datagram Protocol (UDP). The TCP/IP protocol suite offers application
programmers the choice of TCP or UDP as a transport layer protocol. The transport layer protocol used by
an application is determined by the developer of an application based on the communication
requirements of the application.
UDP. Provides connectionless and unreliable communication. Reliable delivery is the responsibility of
the application when UDP is used. Applications use UDP for faster communication with less overhead
than TCP. Applications such as streaming audio and video use UDP so that a single missing packet will
not delay playback. UDP is also used by applications that send small amounts of data, such as Domain
Name System (DNS) name lookups.
3-6
Internet Layer
The Internet layer corresponds to the network layer of the OSI model and consists of several separate
protocols, including: IP; Address Resolution Protocol (ARP); Internet Group Management Protocol (IGMP);
and Internet Control Message Protocol (ICMP). The protocols at the Internet layer encapsulate transportlayer data into units called packets, addresses them, and routes them to their destinations.
IP. Responsible for routing and addressing. The Windows 7 operating system and the Windows
Server 2008 R2 operating system implement a dual-layer IP protocol stack, including support for
both IPv4 and IPv6.
ARP. Used by IP to determine the media access control (MAC) address of local network adapters
that is, adapters installed in computers on the local network from the IP address of a local host. It is
broadcast-based meaning that ARP frames cannot transit a router and are therefore localized. Some
implementations of TCP/IP provided support for Reverse ARP (RARP) in which the MAC address of a
network adapter is used to determine the corresponding IP address.
IGMP. Provides support for multitasking applications over routers in IPv4 networks.
Implementing TCP/IP
3-7
TCP/IP Applications
Key Points
Application layer protocols are used by applications to communicate over the network. A client and server
must be using the same application layer protocol to communicate. For example, a Web server and Web
browser both use Hypertext Transfer Protocol (HTTP). The following table lists some common application
layer protocols.
Protocol
Description
HTTP
Hypertext Transfer
Protocol Secure
(HTTPS)
Remote procedure
call (RPC) over
HTTP
RPC over HTTP. Used to tunnel RPC packets inside of HTTP packets to traverse
firewalls. Implementing RPCs over HTTP or HTTPS is a common Microsoft method
for encapsulating RPCs in a format that can more easily traverse firewalls.
File Transfer
Protocol (FTP)
Used to transfer files between FTP clients and servers. Commonly used on the
Internet.
Remote Desktop
Protocol (RDP)
Server Message
Blocks (SMB)
Used by servers and client computers running Windows for file and printer sharing.
Simple Mail
Transfer Protocol
(SMTP)
3-8
Protocol
Description
Post Office
Protocol version 3
(POP3)
Implementing TCP/IP
3-9
What Is a Socket?
Key Points
TCP and UDP Sockets
When an application wants to establish communication with an application on a remote host, it creates a
TCP or a UDP socket, as appropriate. The socket identifies the transport protocol that the application uses,
which could be TCP or UDP. The socket next identifies the IPv4 or IPv6 address of the source and
destination hosts. Finally, to ensure that communication takes place successfully between the appropriate
applications on the two communicating hosts, the socket identifies the TCP or UDP port number that the
applications are using. This combination of transport protocol, IP address, and port creates a socket.
Well-Known Ports
Applications are assigned a port number between 0 and 65,535. The first 1,024 ports are well-known
ports that have been assigned to specific applications, although client-server applications can
communicate with each other as long as both reference the same port number. The following table
identifies some of these well-known ports.
Port
Protocol
Application
80
TCP
443
TCP
110
TCP
25
TCP
53
UDP
DNS
3-10
Port
Protocol
Application
53
TCP
DNS
21
TCP
FTP
80
TCP
It typically is not necessary for you to configure your applications to use specific ports. However, you must
be aware of the ports that applications are using to ensure that the required ports are open through any
firewalls in your organization.
Implementing TCP/IP
Lesson 2
In order to connect network hosts on an IPv4 network, it is important that you know how to configure
IPv4 addresses and related properties.
Objectives
After completing this lesson, you will be able to:
3-11
3-12
Key Points
When you assign IP addresses, you use dotted decimal notation. The dotted decimal notation is based on
the decimal number system. However, in the background, computers use IP addresses in binary. To
understand how to choose a subnet mask for complex networks, you must understand IP addresses in
binary.
Within an 8-bit octet, each bit position has an assigned decimal value. A bit that is set to 0 always has a
zero value. A bit that is set to 1 can be converted to a decimal value. The low-order bit, the rightmost bit
in the octet, represents a decimal value of 1. The high-order bit, the leftmost bit in the octet, represents a
decimal value of 128. The highest decimal value of an octet is 255, that is, all bits are set to 1.
Most of the time, you can use a calculator to convert decimal numbers to binary and vice versa. The
Calculator application included in Microsoft Windows can perform decimal-to-binary conversions, as
shown in the following example.
Binary format
131.107.3.24
Implementing TCP/IP
3-13
IPv4 Addressing
Key Points
To configure network connectivity, you must be familiar with IPv4 addresses and how they work. Assign a
unique IPv4 address to each networked computer; the IPv4 address identifies the computer to other
computers on the network.
IPv4 divides the address into four octets, as the following address shows:
11000000.10101000.00000001.11001000
To make the IP addresses more readable, binary representation of the address typically shows it in decimal
form. For example:
192.168.1.200
Identifies the unique identity of the computer, which is the host ID.
Identifies the subnet on which the computer resides, which is the network ID.
3-14
Default Gateway
A default gateway is a device, usually a router, on a TCP/IP internet that forwards IP packets to other
subnets. A router connects groups of subnets to create an intranet.
In an intranet, any given subnet might have several routers that connect it to other subnets, both local
and remote. You must configure one of the routers as the default gateway for local hosts. This enables the
local hosts to transmit with hosts on remote networks.
Before a host sends an IPv4 packet, it uses its own subnet mask to determine whether the destination host
is on the same network or on a remote network. If the destination host is on the same network, the
sending host addresses the packet directly to the destination host. If the destination host is on a different
network, the host transmits the packet to a router for delivery.
When a host on the network uses IPv4 to transmit a packet to a destination subnet, IPv4 consults the
internal routing table to determine the appropriate router for the packet to reach the destination subnet.
If the routing table does not contain any routing information about the destination subnet, IPv4 forwards
the packet to the default gateway. The host assumes that the default gateway contains the required
routing information.
In most cases, use a Dynamic Host Configuration Protocol (DHCP) server to assign the default gateway
automatically to a DHCP client. This is more straightforward than manually assigning a default gateway on
each host.
Implementing TCP/IP
3-15
Key Points
IPv4 Address Classes
The Internet Assigned Numbers Authority (IANA) organizes IPv4 addresses into classes. The number of
hosts that a network has determines the class of addresses that are required. IANA has named the IPv4
address classes from Class A through Class E.
Classes A, B, and C are IP addresses that you can assign to host computers as unique IP addresses. You can
use Class D for multicasting. The IANA reserves Class E for experimental use.
A subnet mask specifies which part of an IPv4 address is the network ID and which part of the IPv4
address is the host ID. A subnet mask has four octets, similar to an IPv4 address.
First Octet
Default Subnet
Mask
Number of
networks
1-127
255.0.0.0
126
16,777,214
128-191
255.255.0.0
16,384
65,534
192-223
255.255.255.0
2,097,152
254
3-16
Note: the IPv4 address 127.0.0.1 is used as a loopback address; you can use this address to test the
local configuration of the IPv4 protocol stack. Consequently, the network address 127 is not
permitted for configuring IPv4 hosts.
Implementing TCP/IP
3-17
Key Points
In complex networks, subnet masks might not be simple combinations of 255 and 0. Rather, you might
subdivide one octet with some bits that are for the network ID and some for the host ID. Classless
addressing, or classless interdomain routing (CIDR), is when you do not use an octet for subnetting. You
use either more of the octet or less of the octet. This type of subnetting uses a different notation, which
the following example shows:
172.16.16.1/255.255.240.0
The following example shows the more common representation of classless IPv4 addressing:
172.16.16.1/20
The /20 represents how many subnet bits are in the mask. This notation style is called variable length
subnet masking (VLSM).
Question: Contoso, Ltd. has implemented IPv4 throughout the organization. It is currently implementing
a new head office building. The office will host 5,000 computers distributed fairly evenly across 10 floors
of these offices. What address class would suit this scenario?
3-18
Key Points
In simple networks, subnet masks are composed of four octets, and each octet has a value of 255 or 0. If
the octet is 255, that octet is part of the network ID. If the octet is 0, that octet is part of the host ID.
In complex networks, you can convert the subnet mask to binary, and evaluate each bit in the subnet
mask. A subnet mask is composed of contiguous 1s and 0s. The 1s start at the leftmost bit and continue
uninterrupted until the bits change to all 0s.
The network ID of a subnet mask can be identified by the 1s. The host ID can be identified by the 0s. Any
bits taken from the host ID and allocated to the network ID must be contiguous with the original network
ID. For each bit that is 1, that bit is part of the network ID. For each bit that is 0, that bit is part of the host
ID. The mathematical process used to compare an IP address and a subnet mask is called ANDing.
When you use more bits for the subnet mask, you can have more subnets, but fewer hosts on each
subnet. Using more bits than you need allows for subnet growth, but limits growth for hosts. Using fewer
bits than you need allows for growth in the number of hosts you can have, but limits growth in subnets.
Question: Which is more important, allowing the number of hosts to grow or allowing the number of
subnets to grow?
Implementing TCP/IP
3-19
Key Points
When you subdivide a network into subnets, create a unique ID for each subnet derived from the main
network ID. To create subnets, you must allocate some of the bits in the host ID to the network ID. This
enables you to create more networks.
By using subnets, you can:
Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.
Overcome limitations of current technologies, such as exceeding the maximum number of hosts that
each segment can have.
3-20
Key Points
Before you define a subnet mask, estimate how many segments and hosts for each segment you may
require. This enables you to use the appropriate number of bits for the subnet mask.
You can calculate the number of subnet bits you need in the network. Use the formula 2^n, where n is the
number of bits. The result is the number of subnets that your network requires.
The following table indicates the number of subnets that you can create by using a specific number of
bits.
Number of bits
Number of subnets
16
32
64
To determine the subnet addresses quickly, you can use the lowest value bit in the subnet mask. For
example, if you choose to subnet the network 172.16.0.0 by using 3 bits, this mean the subnet mask is
255.255.224.0. The decimal 224 is 11100000 in binary, and the lowest bit has a value of 32, so that is the
increment between each subnet address.
The following table shows examples of calculating subnet addresses.
Binary network number
Implementing TCP/IP
172.16.00000000.00000000
172.16.0.0
172.16.00100000.00000000
172.16.32.0
172.16.01000000.00000000
172.16.64.0
172.16.01100000.00000000
172.16.96.0
172.16.10000000.00000000
172.16.128.0
172.16.10100000.00000000
172.16.160.0
172.16.11000000.00000000
172.16.192.0
172.16.11100000.00000000
172.16.224.0
3-21
3-22
Key Points
To determine host bits in the mask, determine the required number of bits for the supporting hosts on a
subnet. Calculate the number of host bits required by using the formula 2^n-2, where n is the number of
bits. This result must be at least the number of hosts that you need for your network, and it is also the
maximum number of hosts that you can configure on that subnet.
The following table shows how many hosts a class C network has available based on the number of host
bits.
Number of bits
Number of hosts
14
30
62
You can calculate each subnets range of host addresses by using the following process:
1.
2.
The first host is one binary digit higher than the current subnet ID.
The last host is two binary digits lower than the next subnet ID.
Host range
Implementing TCP/IP
Host range
172.16.64.0
172.16.64.1 - 172.16.95.254
172.16.96.0
172.16.96.1 - 172.16.127.254
172.16.128.0
172.16.128.1 - 172.16.159.254
3-23
In order to select an appropriate addressing scheme for your organization, you must:
1.
2.
3.
4.
2.
3.
Calculate the subnet addresses. To determine subnet addresses quickly, you can use the lowest value
bit in the subnet mask. For example, if you choose to subnet the network 172.16.0.0 by using three
bits, this would mean using 255.255.224.0 as the subnet mask. The decimal 224 is 11100000 in binary,
and the lowest bit has a value of 32, so that will be the increment between each subnet address.
Determine the range of host addresses within each subnet. You can calculate each subnets range of
host addresses by using the following process: the first host is one binary digit higher than the current
subnet ID, and the last host is two binary digits lower than the next subnet ID.
Implement the planned addressing scheme.
Question: Analysis of the network traffic at the existing head office shows that the maximum number of
hosts per subnet should be around 100. How many subnets are required, and assuming a network address
for the whole site of 172.16.0.0, what mask should you use to ensure sufficient support for the required
subnets?
3-24
Lesson 3
Configuring IPv4
Once you understand how to design an IPv4 addressing scheme, it is important that you know how to
correctly implement that addressing scheme.
Objectives
After completing this lesson, you will be able to:
Verify IP connectivity.
Implementing TCP/IP
3-25
Key Points
Devices and hosts that connect directly to the Internet require a public IPv4 address. Hosts and devices
that do not connect directly to the Internet do not require a public IPv4 address.
Mask
Range
10.0.0.0/8
10.0.0.0 - 10.255.255.255
172.16.0.0/12
172.16.0.0 - 172.31.255.255
192.168.0.0/16
192.168.0.0 - 192.168.255.255
3-26
171.16.16.254
192.16.18.5
192.168.1.1
10.255.255.254
Implementing TCP/IP
3-27
Key Points
When you configure Windows operating systems on networks, you must know how to assign static IP
addresses manually and be able to support computers that use DHCP to assign IP addresses dynamically.
Static Configuration
You can configure static IPv4 configuration manually for each of your networks computers. Typical IPv4
configuration includes the following:
IPv4 address
Subnet mask
Default gateway
DNS server
Static configuration requires that you visit each computer and input the IPv4 configuration. This method
of computer management is time consuming if your network has more than twenty users. Additionally,
making a large number of manual configurations heightens the risk of mistakes.
DHCPv4
DHCPv4 enables you to assign automatic IPv4 configurations for large numbers of computers without
having to assign each one individually. The DHCP service receives requests for IPv4 configuration from
computers that you configure to obtain an IPv4 address automatically. It also assigns IPv4 information
from scopes that you define for each of your networks subnets. The DHCP service identifies the subnet
from which the request originated and assigns IP configuration from the relevant scope.
DHCP helps simplify the IP configuration process, but you must be aware that if you use DHCP to assign
IPv4 information and the service is business-critical, you must do the following:
3-28
1.
2.
Include resilience into your DHCP service design so that the failure of a single server does not prevent
the service from functioning.
Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole
network and prevent communication.
Implementing TCP/IP
3-29
Key Points
You can configure IP settings either from the Network and Sharing Center or else by using the netsh
command-line tool. You can configure a Windows computer to have a manual IP configuration or else to
obtain an IP configuration automatically.
In this demonstration, you will see how to configure IPv4 settings manually and automatically.
Demonstration Steps:
1.
2.
3.
4.
5.
6.
3-30
Key Points
Windows 7 includes a number of utilities that help you to verify your IP configuration. These tools include:
IPConfig
Ping
Tracert
Pathping
NSlookup
IPConfig
The IPConfig tool is the primary client-side DHCP troubleshooting tool. If your computer is experiencing
connectivity problems, you can use IPConfig to determine the computers IP address. If the address is in
the range 169.254.0.1 to 169.254.255.254, the computer is using an APIPA address. This might indicate a
DHCP-related problem.
From the client computer, open an elevated command prompt, and then use the IPConfig options in the
table below to diagnose the problem.
Option
Description
/all
/release
Implementing TCP/IP
3-31
Option
Description
/renew
This option forces the client computer to renew its DHCP lease. This is useful when you
think that the DHCP-related issue is resolved, and you want to obtain a new lease without
restarting the computer.
Ping verifies IP-level connectivity to another TCP/IP computer. Ping sends and receives ICMP Echo
Request messages and displays the receipt of corresponding Echo Reply messages. Ping is the primary
TCP/IP command used to troubleshoot connectivity.
Tracert determines the path taken to a destination computer by sending ICMP Echo Requests. The path
that displays is the list of router interfaces between a source and a destination.
Pathping traces a route through the network in a manner similar to Tracert. However, Pathping provides
detailed statistics on the individual network steps or hops.
NSlookup displays information that you can use to diagnose your DNS infrastructure. You can use
NSlookup to confirm connection to the DNS server and that the required records exist.
Demonstration Steps:
In this demonstration, you will see how to use Ipconfig.exe to verify the computers IPv4 configuration.
1.
2.
3.
4.
5.
6.
7.
3-32
Lesson 4
Understanding IPv6
IPv6 is a critical technology that will help ensure that the Internet can support a growing user base and
the increasingly large number of IP-enabled devices. The current IPv4 has served as the underlying
Internet protocol for almost 30 years. Its robustness, scalability, and limited feature set now is challenged
by the growing need for new IP addresses, due in large part to the rapid growth of new network-aware
devices. IPv6 slowly is becoming more common. While adoption may be slow, it is important to
understand how this technology will affect current networks and how to integrate IPv6 into those
networks.
Objectives
After completing this lesson, you will be able to:
Describe IPv6.
Implementing TCP/IP
3-33
Key Points
The new features and functionality in IPv6 addresses many IPv4 limitations. RFC 791 defined IPv4 in 1981.
Since then, limitations to future network connectivity have arisen. These limitations include the following:
Limited address space. IPv4 uses only 32-bits to represent addresses. IANA has allocated the majority
of these addresses.
Difficult routing management. IANA has not provisioned allocated IPv4 addresses for efficient route
management. As a result, Internet backbone routers have over 85,000 routes in their routing tables.
Complex host configuration. Automatic configuration of IPv4 hosts requires that you implement
stateful autoconfiguration, for example, a DHCP server or appropriately configured router.
No built-in security. IPv4 does not include any method for securing network data. You must
implement Internet Protocol Security (IPsec) and other protocols to secure data on IPv4 networks, but
this requires significant configuration and can be complex to implement.
Limited Quality of Service (QoS). The implementation of QoS in IPv4 relies on the use of TCP and UDP
ports to identify data. This may not be appropriate in all circumstances.
IPv6 Improvements
IPv6 enhancements help enable secure communication on the Internet and over corporate networks.
Some IPv6 features include the following:
Larger address space. IPv6 uses a 128-bit address space, which provides significantly more addresses
than IPv4.
More efficient routing. IANA provisions global addresses for the Internet to support hierarchical
routing. This reduces how many routes that Internet backbone routers must process and improves
routing efficiency.
Simpler host configuration. IPv6 supports dynamic client configuration by using DHCPv6. IPv6 also
enables routers to configure hosts dynamically.
3-34
Built-in security. IPv6 includes native IPsec support. This ensures that all hosts encrypt data in transit.
Better prioritized delivery support. IPv6 includes a Flow Label in the packet header to provide
prioritized delivery support. This designates the communication between computers with a priority
level, rather than relying on port numbers that applications use. It also assigns a priority to the
packets in which IPsec encrypts the data.
Redesigned header. The design of the header for IPv6 packets is more efficient in processing and
extensibility. IPv6 moves nonessential and optional fields to extension headers for more efficient
processing. Extension headers are no more than the full size of the IPv6 packet, which accommodates
more information than possible in the 40 bytes that the IPv4 packet header allocates.
Implementing TCP/IP
3-35
Key Points
The IPv6 address space uses 128-bits compared to the 32-bits that the IPv4 address space uses. Therefore,
a significantly larger number of addresses are possible with IPv6 than with IPv4. An IPv6 address allocates
64-bits for the network ID and 64-bits for the host ID. However, for hierarchical routing, IPv6 may allocate
less than 64-bits to the network ID.
IPv6 Syntax
IPv6 does not use a dotted decimal notation to compress the addresses. Instead, IPv6 uses hexadecimal
notation, with a colon between each set of four digits. Each hexadecimal digit represents four bits.
To shorten IPv6 addresses further, you can drop leading zeros and use zero compression. Within each
group of four digits, drop leading zeros and include a single grouping of four zeros as a single zero. By
using zero compression, you represent multiple contiguous groupings of zeros as a set of double colons.
Description
Example
2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A/64
2001:DB8:0:0:2AA:FF:FE28:9C5A/64
2001:DB8::2AA:FF:FE28:9C5A/64
Each IPv6 address uses a prefix to define the network ID. You use this prefix in place of a subnet mask
similar to using CIDR in IPv4. The prefix is a forward slash followed by the number of bits that the network
ID includes. In the preceding examples, the prefix defines 64-bits in the network ID.
3-36
Key Points
IPv6 address types are similar to IPv4 address types.
The IPv6 address types are:
Unicast. An IPv6 unicast address is equivalent to an IPv4 unicast address. You can use this for one-toone communication between hosts. Each IPv6 host has multiple unicast addresses. There are three
types of unicast address:
Global unicast address. These are equivalent to public IPv4 addresses. They are globally routable
and reachable on the IPv6 portion of the Internet.
Public topology. Refer to the first 48 bits of a global unicast address as the public topology. The
public topology is unique over the entire Internet. It is the collection of larger and smaller ISPs
that provide access to the IPv6 Internet. IANA assigns a single unique address in the global
routing prefix to an ISP.
Site topology. An ISP can subnet the network address that IANA assigns by using the next 16 bits,
which are the site topology. The 16 bits of site topology allow an ISP to create up to 65,536
subnets in the most efficient manner applicable to that ISPs customer base.
Link-local addresses. Hosts use link-local addresses when communicating with neighboring hosts on
the same link. For example, on a single-link IPv6 network with no router, hosts communicate by using
link-local addresses.
IPv6 link-local addresses are equivalent to IPv4 APIPA addresses. When a DHCP server fails, APIPA
allocates addresses in the private range 169.254.0.1 to 169.254.255.254. Clients verify their address is
unique on the LAN using ARP. When the DHCP server is again able to service requests, clients update
their addresses automatically.
Other characteristics of link-local addresses include:
Implementing TCP/IP
3-37
An APIPA address is assigned automatically to an IPv4 host. Use of this address restricts
communication to the local subnet, and it is generally used when other suitable addresses are not
available.
Unique local unicast addresses. These are the equivalent to IPv4 private address spaces, such as
10.0.0.0/8. All unique local unicast addresses have the prefix FD00::/8.
A global ID uses the next 40 bits. The global ID is an identifier that uniquely represents an
organization. Randomly generate this ID to maximize uniqueness between organizations. This is
useful when two organizations merge.
When you use unique global IDs, routing occurs between organizations without network
reconfiguration. Use the next 16 bits within the organization to generate subnets for routing
between and within locations. The allocated 16 bits allow an organization to create up to 65,536
subnets for internal use.
Anycast. An anycast address is an IPv6 unicast address that is assigned to multiple computers. When
IPv6 addresses communication to an anycast address, only the closest host responds. You typically use
this for locating services or the nearest router.
Multicast. An IPv6 multicast is equivalent to an IPv4 multicast address. You use this for one-to-many
communication between computers that you define as using the same multicast address.
In IPv4, you typically assign a single host with a single unicast address. However, in IPv6, you can assign
multiple unicast addresses to each host. To verify communication processes on a network, know for what
purposes IPv6 uses each of these addresses.
3-38
Interface Identifiers
Key Points
The last 64-bits of an IPv6 address are the interface identifier. The interface identifier is equivalent to the
host ID in an IPv4 address. Each interface on an IPv6 network must have a unique interface identifier.
Because the interface identifier is unique to each interface, IPv6 uses the Interface Identifier rather than
MAC addresses to identify hosts uniquely.
Within the Windows environment, Windows Server 2008 R2 uses an Extended Unique Identifier (EUI)-64
addresses, which the Institute of Electrical and Electronics Engineers, Inc. (IEEE) defines. Gigabit adapters
use an EUI-64 address in place of a MAC address. Network adapters using a MAC address generate a
EUI-64 address by padding the 48-bit MAC address with additional information.
To preserve privacy in network communication, generate an interface identifier rather than use the
network adapters hardware address. To assign an interface identifier, IPv6 hosts can use the following:
Windows uses randomly generated permanent interface identifiers by default but this can be disabled
with the netsh tool.
Implementing TCP/IP
3-39
Transitioning to IPv6
Key Points
The migration from IPv4 to IPv6 is expected to take considerable time. This was taken into consideration
when designing IPv6 and as a result, the transition plan for IPv6 is a multistep process that allows for
extended coexistence. To achieve the goal of a pure IPv6 environment, consider the following points:
Applications must be independent of IPv4 and IPv6. Applications must be changed to use new
Windows Sockets application programming interfaces (APIs) so that name resolution, socket creation,
and other functions are independent regardless of whether you are using IPv4 or IPv6.
DNS must support IPv6 record types. You may have to upgrade the DNS infrastructure to support the
new authentication, authorization, accounting and auditing (AAAA) records (required) and pointer
(PTR) records in the IP6.ARPA reverse domain (optional). Additionally, ensure that the DNS servers
support DNS dynamic updates for AAAA records so that IPv6 hosts can register their names and IPv6
addresses automatically.
Hosts must support both IPv6 and IPv4. You must upgrade hosts to use a dual-IP layer or stack. You
also must add DNS resolver support to process DNS query results that contain both IPv4 and IPv6
addresses. Deploy Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) to ensure that IPv6/IPv4
hosts can reach each other over the IPv4-only intranet.
Routing infrastructure must support native IPv6 routing. You must upgrade routers to support native
IPv6 routing and IPv6 routing protocols.
An eventual successful transition to IPv6 requires interim coexistence of IPv6 nodes in todays
predominantly IPv4 environment. To support this, IPv6 packets are tunneled automatically over IPv4
routing infrastructures, enabling IPv6 clients to communicate with each other by using 6to4 addresses
or ISATAP addresses and tunneling IPv6 packets across IPv4 networks.
You can upgrade IPv6/IPv4 nodes to be IPv6-only nodes. This should be a long-term goal, because it
will take years for all current IPv4-only network devices to be upgraded to IPv6-only. For those IPv4only nodes that cannot be upgraded to IPv6/IPv4 or IPv6-only, employ translation gateways as
appropriate so that IPv4-only nodes can communicate with IPv6-only nodes.
3-40
Key Points
In addition to IPv4 automatic IP addressing, you must understand how IPv6 addresses are dynamically
assigned.
When the host generates the link-local address, the host also performs duplicate address detection to
ensure that it is unique.
An IPv6 host will send up to three router solicitations on each interface to obtain IPv6 configuration
information. The configuration process that IPv6 uses varies depending on the response it receives to
router solicitations:
If IPv6 receives a router advertisement with the autonomous flag on, then the client uses stateless
auto-configuration and obtains the routing prefix from the router.
If IPv6 receives a router advertisement with the managed address configuration flag on, then it
uses DHCPv6 to obtain an IPv6 address.
Implementing TCP/IP
3-41
If IPv6 receives a router advertisement with the managed address configuration flag off and the
other stateful configuration flag on, it obtains additional IPv6 configuration options from
DHCPv6. However, it obtains the IPv6 address by using stateless configuration.
DHCPv6
DHCPv6 is a service that provides stateful auto-configuration of IPv6 hosts. It can configure IPv6 hosts
automatically with an IPv6 address and other configuration information such as DNS servers. This is
equivalent to DHCPv4 for IPv4 networks.
When a host obtains an IPv6 address from a DHCPv6 server, the following occurs:
1.
2.
3.
4.
5.
A DHCPv6 server sends a Reply message to the client with the requested configuration settings.
Note: On large networks, you can DHCPv6 relay agents instead of placing a DHCP server on each
subnet.
3-42
Lesson 5
Name Resolution
Computers can communicate over a network by using a name in place of an IP address. Name resolution
is used to find an IP address that corresponds to a name, such as a hostname. This lesson focuses on
different types of computer names and the methods to resolve them.
Objectives
After completing this lesson, you will be able to:
Describe DNS.
Describe name resolution with the Windows Internet Name Service (WINS).
Implementing TCP/IP
3-43
Key Points
Name resolution is the process of converting computer names to IP addresses. Name resolution is an
essential part of computer networking because it is easier for users to remember names than abstract
numbers such as an IPv4 address. The application developer determines an applications name. In
Windows operating systems, applications can request network services through Windows Sockets,
Winsock Kernel, or NetBIOS. If an application requests network services through Windows Sockets or
Winsock Kernel, it uses host names. If an application requests services through NetBIOS, it uses a NetBIOS
name.
Note: NetBIOS is a session management protocol used in earlier versions of Microsoft network
operating systems. Both Windows 7 and Windows Server 2008 R2 provide support for NetBIOS.
Many current applications, including Internet applications, use Windows Sockets to access network
services. Newer applications designed for Windows 7 and Windows Server 2008 R2 use Winsock Kernel.
Earlier applications use NetBIOS.
Host Name
A host name is a user-friendly name that is associated with a hosts IP address and identifies it as a TCP/IP
host. A host name can be no more than 255 characters in length and contains alphanumeric characters,
periods, and hyphens.
The host name combines an alias with a domain name to create the FQDN.
The elements of the name include periods as separators. Applications use the structured FQDN on the
Internet.
3-44
NetBIOS Name
Applications use the 16-character NetBIOS name to identify a NetBIOS resource on a network. A NetBIOS
name represents a single computer or a group of computers. NetBIOS uses the first 15 characters for a
specific computers name and the final sixteenth character to identify a resource or service on that
computer. An example of a NetBIOS name is NYC-SVR2[20h].
Implementing TCP/IP
3-45
What Is DNS?
Key Points
DNS is a service that manages the resolution of host names to IP addresses. TCP/IP identifies source and
destination computers by their IPv4 or IPv6 addresses. However, since it is easier for users to remember
names than numbers, common or user-friendly names are assigned to the computers IP address. The
most common type of name used is a host name.
In addition to resolving host names to IP addresses, DNS can be used to:
Locate domain controllers and global catalog servers. This is used when logging on to the Active
Directory Domain Service (AD DS).
Resolve IP addresses to host names. This is useful when a log file contains only the IP address of a
host.
Locate mail server for e-mail delivery. This is used for the delivery of all Internet e-mail.
3-46
Key Points
A DNS zone is a specific portion of DNS namespace that can contains DNS records. A DNS zone is hosted
on a DNS server that is responsible for responding to queries for records in a specific domain. For example
the DNS server responsible for resolving www.contoso.com to an IP address would have the contoso.com
zone.
SRV. Service records are used to locate domain controllers and global catalog servers.
MX. Mail exchange records are used to locate the mail servers responsible for a domain.
Implementing TCP/IP
3-47
Key Points
When DNS names are resolved on the Internet, an entire system of computers is used rather than just a
single server. There are 13 root servers on the Internet that are responsible for managing the overall
structure of DNS resolution. When you register a domain name on the Internet, you are paying for the
privilege of being part of this system.
The name resolution process for the name www.microsoft.com is:
1.
2.
3.
4.
5.
A workstation queries the local DNS server for the IP address of www.microsoft.com.
If the local DNS server does not have the information, then it queries a root DNS server for the
location of the .com DNS servers.
The local DNS server queries a .com DNS server for the location of the Microsoft.com DNS servers.
The local DNS server queries the Microsoft.com DNS server for the IP address of www.microsoft.com.
The IP address of www.microsoft.com is returned to the workstation.
Caching. After a local DNS server resolves a DNS name, it will cache the results for approximately 24
hours. Subsequent resolution requests for the DNS name are given the cached information.
Forwarding. A DNS server can be configured to forward DNS requests to another DNS server instead
of querying root servers. For example, requests for all Internet names can be forwarded to a DNS
server at an ISP.
3-48
What Is WINS?
Key Points
WINS is a NetBIOS name server that you can use to resolve NetBIOS names to IPv4 addresses. WINS
provides a centralized database for registering dynamic mappings of NetBIOS names used on a network.
In addition to WINS, NetBIOS names can be resolved by broadcast messages or by implementing Lmhosts
files on all computers. Broadcast messages do not work well on large networks because they are filtered
out by routers. Using an Lmhosts file for NetBIOS name resolution is a high maintenance solution because
the file must be constantly updated on the computers.
WINS is built on a protocol that registers, resolves, and releases NetBIOS names by using unicast
transmissions, rather than repeated transmissions of broadcast messages. This protocol allows the system
to work across routers and eliminates the need for an Lmhosts file, restoring the dynamic nature of
NetBIOS name resolution and allowing the system to work seamlessly with DHCP. For example, when
dynamic addressing through DHCP assigns new IPv4 addresses to computers that move between subnets,
the computers register the new address with the WINS database automatically.
Implementing TCP/IP
3-49
Key Points
The NetBIOS name resolution process varies, depending on the NetBIOS over TCP/IP (NetBT) node type
that is specified on the computer. However, in most cases, the default NetBT node type is not altered. If all
NetBIOS name resolution methods fail, clients will attempt to use host name resolution methods to
resolve NetBIOS names.
Note: You can change the NetBIOS node type by modifying options in the registry. Alternatively, on
client computers that obtain a dynamic IPv4 configuration from a DHCP server, you can specify the
node type with DHCP options.
When a WINS server is configured on the computer, the NetBIOS name resolution process is as follows:
1.
2.
3.
4.
5.
6.
7.
The name resolution process stops when the first IPv4 address is found for the name.
Note: NetBIOS name resolution is not used for IPv6 addresses.
3-50
Key Points
The GlobalNames Zone (GNZ) is a new feature of Windows Server 2008. The GNZ provides single-label
name resolution for large enterprise networks that do not deploy WINS. Some networks may require the
ability to have static, global records with single-label names that WINS currently provides. These singlelabel names refer to well-known and widely-used servers with statically assigned IP addresses. A GNZ is
manually created and is not available for dynamic registration of records. GNZ is intended to help
customers migrate to DNS for all name resolution; the DNS Server role in Windows Server 2008 supports
the GNZ feature.
GNZ is intended to assist in the migration from WINS; however, it is not a replacement for WINS. GNZ is
not intended to support the single-label name resolution of records that are registered in WINS
dynamically and those that are not managed by IT administrators typically. Support for these dynamically
registered records is not scalable, especially for larger customers with multiple domains and/or forests.
The recommended GNZ deployment uses an AD DSintegrated zone, named GlobalNames that is
distributed globally.
Instead of using the GNZ, you can choose to configure DNS and WINS integration. You do this by
configuring the DNS zone properties to perform WINS-lookups for NetBIOS-compliant names. The
advantage of this approach is that you can configure client computers to only use a single name service,
DNS, and still be able to resolve NetBIOS-compliant names.
Implementing TCP/IP
3-51
Key Points
Windows supports a number of different methods for resolving computer names, such as DNS, WINS, and
the host name resolution process.
Locate domain controllers and global catalog servers. This is used when logging on to the AD DS.
Resolve IP addresses to host names. This is useful when a log file contains only a hosts IP address.
Locate mail server for e-mail delivery. This is used for the delivery of all Internet e-mail.
Broadcast messages. Broadcast messages do not work well on large networks because routers do not
propagate broadcasts.
Lmhosts file on all computers. Using an Lmhosts file for NetBIOS name resolution is a high
maintenance solution because you must maintain the file manually on all computers.
3-52
Checking whether the host name is the same as the local host name.
Searching the DNS resolver cache.
Sending a DNS request to its configured DNS servers.
Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.
Contacting the hosts configured WINS servers.
Broadcasting as many as three NetBIOS Name Query Request messages on the subnet that is directly
attached.
Searching the Lmhosts file.
Note: You can exert control over the precise order used to resolve names. For example, if you disable
NetBIOS over TCP/IP, none of the NetBIOS name resolution methods are attempted. Alternatively,
you can modify the NetBIOS node type which results in a change in the precise order in which the
NetBIOS name resolution methods are attempted.
Implementing TCP/IP
3-53
Key Points
The primary tools for troubleshooting host name resolution are IPConfig.exe and Nslookup.exe. When you
troubleshoot name resolution, you must understand what name resolution methods the computer is
using, and in what order the computer uses them. Be sure to clear the DNS resolver cache between
resolution attempts. If you cannot connect to a remote host and suspect a name resolution problem,
troubleshoot name resolution as follows:
1.
Open an elevated command prompt, and then clear the DNS resolver cache by typing the following
command:
IPConfig /flushdns
2.
3.
Attempt to ping the remote host by its IP address. This helps identify whether the issue is related to
name resolution. If the ping succeeds with the IP address but fails by its host name, then the problem
is related to name resolution.
Attempt to ping the remote host by its hostname. For accuracy, use the FQDN with a trailing period.
For example, enter the following command at the command prompt:
Ping nyc-dc1.contoso.com.
4.
If the ping is successful, then the problem is probably not related to name resolution. If the ping is
unsuccessful, edit the C:\windows\system32\drivers
\etc\hosts text file, and add the appropriate entry to the end of the file. For example, add this line and
save the file:
10.10.0.10nyc-dc1.contoso.com
5.
Now perform the Ping-by-host-name test once more. Name resolution should now be successful.
Verify that the name resolved correctly by examining the DNS resolver cache; use the following
command at a command prompt:
IPConfig /displaydns
3-54
6.
7.
Remove the entry that you added to the hosts file, and then clear the resolver cache once more.
At the command prompt, type the following command, and then examine the contents of the
filename.txt file to identify the failed stage in name resolution:
Nslookup.exe d2 nyc-dc1.contoso.com. > filename.txt
You should understand how to interpret the output so that you can identify whether the name
resolution problem lies with the client computers configuration, the name server, or the
configuration of records within the name server zone database.
Demonstration Steps:
In this demonstration, you will see how to troubleshoot name resolution with Nslookup.exe.
1.
2.
3.
4.
5.
Implementing TCP/IP
3-55
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
2.
3.
4.
5.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
In Hyper-V Manager, click 6420B-NYC-DC1, and in the actions pane, click Start.
In the actions pane, click Connect. Wait until the virtual machine starts.
Log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Contoso, Ltd. has created a new research and development team. As a result, computers are being
deployed to new R & D offices.
You have been tasked with assigning a number of client computers appropriate IP configurations, but first
you must choose a suitable IP addressing scheme for the new branches.
3-56
Supporting Documentation
E-Mail thread of correspondence with Ed Meadows:
Charlotte Weiss
From:
Sent:
To:
Subject:
Attached:
Ed Meadows [Ed@contoso.com]
28 Feb 2010 08:14
Charlotte@contoso.com
New branch offices IP addressing scheme
Contoso Branch IP Addressing.vsd
Charlotte,
I have attached the network diagram for the first three branches. There are around 100 hosts at each
branch, all of which require an IPv4 address. Dont forget those wide area network links; well need a
network address for each of them, too.
Well be placing a DHCP server at each branch to allocate IP addresses to the local hosts, so each
computer must be configured to obtain an IP address dynamically.
Regards,
Ed
Implementing TCP/IP
3-57
3-58
Task 2: Update the proposal document with your planned course of action
Charlotte Weiss
10th March
Requirements Overview
To design an IPv4 addressing scheme for the Contoso, Ltd. R & D branch offices.
Additional Information
One router connects the three branches back to the head office.
There are three wide area network (WAN) links.
There are three branches, each of which can be configured as a single subnet.
The network address 172.16.0.0/16 is allocated to the branch offices, while the head office uses
10.10.0.0/16.
Proposals
1. How many network addresses do you need to support these requirements?
2. What class address is 172.16.0.0/16?
3. Is this a private or public address?
4. Ed has allocated the first block of addresses to the first branch: 172.16.16.0/20. What is the next
logical subnet using this initial subnet?
5. What is the first and last host in this subnet?
6. What would the subnet mask be for hosts in this subnet?
7. Update the Contoso Branch IP Addressing.vsd diagram to show the network addresses you will
implement in the branches; do not worry about the WAN links
Results: After this exercise, you should have completed both the Contoso Branch IP Addressing.vsd
diagram and the Branch Office IP Addressing Scheme document.
Implementing TCP/IP
3-59
Switch to NYC-SVR2.
Open DHCP from Administrative Tools.
Delete the existing scope.
Use the following steps to create a new scope:
a.
b.
c.
d.
e.
Length: 16
f.
g.
5.
In the console, expand Scope [10.10.0.0] Head Office 1, and then click Address Leases.
Switch to NYC-CL1.
Open Control Panel.
Select Network and Internet and then select Network and Sharing Center.
In the left-pane, click Change adapter settings.
Right-click Local Area Connection and then click Properties.
Modify the Internet Protocol Version 4 (TCP/IPv4) properties with the following settings:
3-60
7.
Click OK twice.
Implementing TCP/IP
Stop DHCP.
Attempt to renew the IPv4 address on the client computer.
Restart DHCP.
Renew the client address and verify IPv4.
3.
At the command prompt, type the following command and press ENTER:
Ipconfig /renew
Note: This might take a few minutes as the client computer attempts contact with the original DHCP
server, and then any other DHCP server.
4.
At the command prompt, type the following command and press ENTER:
Ipconfig
5.
Switch to NYC-CL1 and at the command prompt, type the following command and press ENTER:
Ipconfig /renew
3-61
3-62
2.
At the command prompt, type the following command and press ENTER:
Ping nyc-dc1.contoso.com
Results: After this exercise, you should have successfully verified the functionality of the DHCP server
in the head office.
Implementing TCP/IP
3-63
Switch to NYC-DC1.
Open DNS Manager from Administrative Tools.
Question: What is the current IP address of the NYC-CL1 Host (A) record in the Contoso.com forward
lookup zone?
4.
5.
6.
Switch to NYC-CL1.
In Network Connections, right-click Local Area Connection and then click Properties.
Modify the Internet Protocol Version 4 (TCP/IPv4) properties with the following settings:
IP address: 10.10.0.51
Click OK twice.
Switch to NYC-DC1.
Refresh the display.
Question: What is the current IP address listed against the NYC-CL1 Host (A) record?
Switch to NYC-CL1 and at the command prompt, type the following command and press ENTER:
Ipconfig /displaydns
2.
Switch to NYC-DC1.
In DNS Manager, create a new record:
3-64
Switch to NYC-CL1.
At the command prompt, type the following command and press ENTER:
Ping www.contoso.com
At the command prompt, type the following command and press ENTER:
Ipconfig /flushdns
4.
At the command prompt, type the following command and press ENTER:
Ping www.contoso.com
At the command prompt, type the following command and press ENTER:
Ipconfig /displaydns
Implementing TCP/IP
On NYC-CL1, at the command prompt, type the following command and press ENTER.
Ipconfig /all
Important: Start the 6420B-NYC-DC1 virtual machine first, and ensure that it is fully started before
starting the other virtual machines.
3-65
3-66
Review Questions
1.
2.
3.
4.
5.
Tools
Tool
Use for
Where to find it
Ipconfig.exe
Command line
configuration
Nslookup.exe
Troubleshooting DNS
Command line
Ping.exe
Command line
Netsh.exe
Command line
Module 4
Implementing Storage in Windows Server
Contents:
Lesson 1: Identifying Storage Technologies
4-3
4-15
4-22
4-30
4-1
4-2
Module Overview
One of the key components when you plan and deploy Windows Server 2008 R2 operating system
computers is storage. Most organizations require a great deal of storage because users and applications
are constantly working with and creating new data that needs to be stored in a central location.
For example, every e-mail sent or received requires storage. Every time someone visits a Web site, a log
gets written and storage gets consumed. Every time someone logs into a server, an audit trail is created in
an event log and storage is used. Even as files are created, copied and moved, storage is involved.
This module will introduce you to different storage technologies, discuss how to implement the storage
solutions in Windows Server 2008 R2 and will finish a discussion on a resilient strategy for your storage
that will be tolerant in various ways, helping to avoid unplanned downtime and loss of data.
Objectives
After completing this module you will be able to:
4-3
Lesson 1
As you plan for any server deployment, you will inevitably need storage. There are various types of
storage, from locally attached, to remotely accessed via Ethernet, or even fiber connected. Each solution
has benefits as well as pitfalls associated with it.
As you prepare to deploy storage for your environment, you need to make some important decisions. Ask
yourself the following questions. Will the storage need to be fast? Will it need to be highly available? How
much storage will your deployment actually require? How much resilience will you need to add to the
initial storage requirement in order to ensure your investment remains secure in the future? This lesson
will address these questions.
Objectives
After completing this lesson you will be able to:
Implement Internet small computer system interface (iSCSI) with Windows Server.
4-4
Key Points
Almost all servers provide some built-in storage. This type of storage is referred to as DAS. DAS can be
disks that are physically located inside the server or can be disks that are connected to the server with a
universal serial bus (USB) cable or an alternative communications methodology. The primary idea behind
DAS is that it is physically connected to the server. If the server suffers a power failure, the storage will be
unavailable as well. DAS has both advantages and disadvantages and also comes in various types, which
affect the speed and the performance of the storage.
Enhanced Integrated Drive Electronics (EIDE). EIDE is based on standards that were created in 1986.
The Integrated Drive Electronics (IDE) interface supports both the ATA-2 and ATAPI standards.
Enhanced refers to the ATA-2 (Fast ATA) standard which provides faster transfer rates and allows for
multiple channels, each connecting two devices. In practice, the terms EIDE, IDE and ATA are
synonymous. These drives are commonly found connected using a 40- or 80-wire cable and can only
have two devices chained at any time. Due to the addressing standards of this technology, there is a
128 gigabyte (GB) limitation on storage using EIDE. Further, the speeds of EIDE are limited to a
maximum of 133 megabytes (MB)/sec. EIDE drives are almost never used on servers today.
Serial Advanced Technology Attachment (SATA). SATA is a computer bus interface, or channel for
connecting the motherboard or device adapters to mass storage devices such as hard disk drives and
optical drives. SATA was designed to replace EIDE. It is able to use the same low-level commands, but
SATA host-adapters and devices communicate via a high-speed serial cable over two pairs of
conductors. SATA was introduced in 2003 and can operate at speeds of 1.5, 3.0 and 6.0 GB/sec
depending on the SATA revision (1, 2 or 3 respectively). SATA drives are less expensive than other
4-5
drive options but also provide less performance. Organizations may choose to deploy SATA drives
when they require large amounts of storage, but not high performance.
A variation on the SATA interface that has been released is eSATA, which is designed to enable high
speed access to externally attached SATA drives.
Small computer system interface (SCSI). SCSI is a set of standards for physically connecting and
transferring data between computers and peripheral devices. SCSI was originally introduced in 1978
and was designed as an interface on a lower level communication, subsequently allowing it to take
less processing power and perform transactions at higher speeds. SCSI became a standard in 1986.
Similar to EIDE, SCSI was designed to run over parallel cables; however, recently this has been
expanded to run over other various mediums. The 1986 parallel specification of SCSI had initial speed
transfers of 40 MB/sec. The more recent 2003 implementation, Ultra 640 SCSI, also known as Ultra 5,
can transfer data at speeds of 5120 MB/sec. SCSI disks provide higher performance than SATA disks
but are also more expensive.
Serial Attached SCSI (SAS). SAS is a further implementation of the SCSI standard. SAS depends on a
point-to-point serial protocol that replaces the parallel SCSI bus technology, and uses the standard
SCSI command set. SAS offers backwards-compatibility with second generation SATA drives.
Solid State Drives (SSD). SSDs are data storage devices that use solid-state memory to store data
rather than using the spinning disks and movable read/write heads that are used in other disks. SSDs
use microchips to store the data and do not contain any moving parts. SSDs provide very fast disk
access, use less power and are less susceptible to failure from being dropped, but are also much more
expensive per MB of storage. SSDs typically use the SATA interface so you can usually replace hard
disk drives with SSDs without any modification.
Note: Another type of DAS is USB-attached storage. USB-attached storage uses either SATA drives or
solid state media to store data.
Advantages of DAS
A typical DAS system is made of a data storage device that would include enclosures holding a number of
hard disk drives connected directly to a computer through a host bus adapter (HBA). Between the DAS
and the computer there are no network devices such as, a hub, switch, or router, therefore connecting the
storage directly to the server which usually utilizes it. This makes DAS the easiest storage system to deploy
and maintain.
DAS is also usually the least expensive storage available today and is widely available in various speeds,
sizes and accommodates varying installations. In addition to being inexpensive, DAS is very easy to
configure. In most instances, you would simply plug in the device, ensure Windows Server 2008 R2
recognizes it, and then use Disk Management to configure the disks.
Disadvantages of DAS
Storing data locally on DAS makes the centralization of data more difficult because the date is located on
multiple servers. This can make it more complex to backup the data and for users to locate the data they
are looking for. Furthermore, if any one device that has DAS connected to it suffers a power outage, the
storage is also unavailable.
DAS also has drawbacks in its access methodologies. Due to the way reads and writes are handled by the
server operating system, DAS can be slower than other storage technologies. Another drawback with DAS
is that it shares the processing power and memory of the server it is connected to. This means that on
very busy servers, disk access may be slowed down by the fact that the operating system is overloaded.
4-6
Key Points
NAS is storage that is connected to a dedicated storage device and then accessed over the network. NAS
is different than DAS in that the storage is not directly attached to each individual server, but rather is
accessible across the network to many servers. Each NAS device has a dedicated operating system which
solely controls the access to the data on the device. This reduces the overhead associated with sharing the
storage device with other server services. An example of NAS software is Windows Storage Server.
To enable NAS storage, you need a storage device. Frequently, these devices are appliances which do not
have any regular server interfaces such as keyboards, mice and monitors. Instead, to configure the device,
you just provide a network configuration and then access the device across the network. To configure the
device, you create network shares on the device which are then accessible to users on the network using
the name of the NAS and the share created.
Advantages of NAS
NAS is an ideal choice for organizations looking for a simple and cost-effective way to achieve fast data
access for multiple clients at the file level. Implementers of NAS benefit from performance and
productivity gains as the processing power of the NAS device is dedicated solely to the distribution of the
files.
NAS also fits nicely into the market as a mid-priced solution. It is not expensive but suits more needs than
DAS in that NAS storage is usually much larger than DAS and offers a single location for all critical files,
rather than inter-dispersed on various servers or devices with DAS. In summary, NAS offers centralized
storage at an affordable price.
NAS can also be considered a Plug and Play solution that is easy to install, deploy and manage, with or
without information technology (IT) staff at hand.
4-7
Disadvantages of NAS
While NAS is affordable for mid-size businesses, it is not expandable as a SAN solution. NAS, similar to
DAS, also has overheads of an operating system, which reads and writes data in different ways than a SAN
solution; therefore they are more frequently prone to the possibility of data loss depending on the size of
the data being copied.
NAS is also slower than SAN technologies. NAS is frequently accessed via Ethernet protocols and as such,
relies heavily on the network supporting the NAS solution. For this reason, NAS is commonly used as a file
sharing/storage solution and cannot and should not be used with data intensive applications such as
Microsoft Exchange Server and Microsoft SQL Server.
4-8
Key Points
The third type of storage is a SAN. A SAN is a specialized highspeed network that connects computer
systems, or host servers, to high performance storage subsystems. A SAN usually includes various
components such as HBAs, special switches helping route traffic, and storage disk arrays with logical unit
numbers (LUNs) for storage.
A SAN enables multiple servers to access a pool of storage in which any server can potentially access any
storage unit. A SAN uses a network like any other network, such as a local area network (LAN). Therefore,
you can use a SAN to connect many different devices and hosts in order to provide access to any device
from anywhere.
Unlike DAS or NAS, a SAN is controlled by a hardware device and does not rely on software to deliver
access to storage.
Advantages of SAN
SAN technologies read and write at block levels, making data access much speedier. Reading and writing
at the block level takes away knowledge of application data. With most DAS and NAS solutions, if you
write a file of 8 GB, the entire file will have to be read/written and its checksum calculated, whereas with
SAN, it will be written to based on the block size the SAN is set up for. This speed is accomplished by fiber
access methodologies as well as the block level writing, rather than having to read/write an entire file with
a checksum.
SANs also provide:
Centralization of storage into a single pool, which enables storage resources and server resources to
grow independently. It also enables storage to be dynamically assigned from the pool when it is
required. Storage on a given server can be increased or decreased as needed without complex
reconfiguring or re-cabling of devices.
Common infrastructure for attaching storage, which enables a single common management model
for configuration and deployment.
A high level of redundancy. Most SANs are deployed with multiple network devices and paths
through the network. As well, the storage device contains redundant components such as power
supplies and hard disks.
4-9
Disadvantages of SAN
The main drawback to SAN technology is that it often requires management tools and expertise skills due
to the complexities in the configuration and is considerably expensive. An entry level SAN can often cost
as much a fully loaded server with DAS or even an NAS device and often that is without any SAN disks
or configuration.
In order to manage a SAN, not only do you have to often use command-line utilities, but you also have to
have a firm understanding of the underlying technology (i.e., the LUN setup, the fiber channel back end,
the block sizing, etc.). Also, each storage vendor often implements SANs using different tools and features.
Because of this, organizations often have dedicated personnel just to manage the SAN deployment.
Note: SANs can be implemented using a variety of technologies. The most common options are Fiber
Channel and iSCSI. These technologies are described later in this lesson.
4-10
Key Points
The most common option for implementing a SAN is to implement a fiber channel infrastructure. Fiber
channel transmits the SCSI commands required to interact with the hard disks over twisted-pair copper
wire, or more commonly fiber optic cables. Fiber channel is commonly found in speeds of 1, 2, or 4
gigabits (GB) per second.
Fiber channel SAN components include:
Specialized interface cards that connect the servers with the SAN. These devices, usually called HBAs,
enable the server to communicate with the storage device across the SAN.
Note: iSCSI SANs can also use HBAs. Each type of HBA is specific to the technology used to access
the storage device.
Specialized network switches. These switches route SCSI commands rather than routing IP traffic.
Twisted-pair copper wire or fiber optic cables. All network connections between the servers and the
storage device use these cables.
Storage device. SANs require one more dedicated storage devices. Frequently these devices can
contain hundreds of disks and store multiple terabytes of data.
LUNs. In most cases, servers are given access to only a small part of the entire storage available on the
storage device. To implement this storage solution, the storage available is divided into smaller pieces
and then exposed to the servers through a LUN. On the server, each LUN appears as an attached
drive.
Multipath I/O
In most cases, you will deploy multiple HBAs on each server that is connected to a SAN, and connect the
HBAs to two separate fiber channel networks. This means that the storage is still accessible if there is a
failure of one of the networks.
4-11
In order to simplify the implementation of this solution, Microsoft provides a generic storage driver that
uses multipath I/O (MPIO) to simplify the implementation of this solution for storage vendors.
MPIO provides:
Dynamic configuration and replacement of devices. The operating system must be able to
dynamically discover and configure adapters that are connected to the same storage media, in order
to support multiple paths to the same storage device.
Generic device specific module. Microsoft supplies a generic device specific module (DSM) that
interacts with the multipath bus driver on behalf of the storage device.
Dynamic load balancing. The multipath software supports the ability to distribute I/O transactions
across multiple adapters. The DSM is responsible for load-balancing policy for its storage device.
Fault tolerance. Multipath software can function in a fault-tolerant mode in which only a single
channel is active.
4-12
Key Points
A second option for implementing SANs is to use iSCSI. iSCSI transmits SCSI commands over internet
protocol (IP) rather than using fiber channel. iSCSI is an IP-based storage networking standard for linking
servers to storage devices. iSCSI carries standard SCSI commands over IP networks to facilitate data
transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data
over LANs, wide area networks (WANs), or even over the larger Internet.
iSCSI relies on standard Ethernet networking, and does not require any specialized hardware such as HBA
or fiber channel network switches. iSCSI uses TCP/IP (typically TCP ports 860 and 3260). In essence, iSCSI
simply allows two hosts to negotiate and then exchange SCSI commands using an existing network. By
doing this, iSCSI takes a popular high performance local storage bus and emulates it over WANs, creating
a SAN. Unlike some SAN protocols, iSCSI requires no dedicated cabling; it can be run over existing
switching and IP infrastructure. However, the performance of an iSCSI SAN deployment can be severely
degraded if not operated on a dedicated network or subnet. iSCSI is often seen as a low-cost alternative
to fiber channel, which requires dedicated infrastructure.
Note: While you can use a standard network connection to connect the server to the iSCSI storage
device, you can also use dedicated HBAs or dedicated network adapters.
An iSCSI SAN deployment includes the following:
High performance and highly available IP network. You can use standard network interface adapters
and standard network switches to connect the servers to the storage device. In order to provide
adequate performance, the network should provide speeds of at least 1 gigabyte per second (Gbps),
and should provide multiple paths through the network.
iSCSI Targets. iSCSI targets are located on the storage device and are used to enable access to the
storage. Many storage vendors implement hardware level iSCSI targets as part of their storage
4-13
devices. Other devices or appliances, such as Windows Storage Server devices, implement iSCSI target
by using software.
iSCSI Initiators. iSCSI initiators run on the servers that want to connect to the storage device. Windows
Server 2008 and Windows Server 2008 R2 provide iSCSI initiators as a standard component.
iSCSI Qualified Name (IQN). IQNs are globally unique identifiers that are used to address initiators
and targets on an iSCSI network. When you configure an iSCSI target, you must configure the IQN for
the iSCSI initators that will be connecting to the target. iSCSI initiators also use IQNs to connect to the
iSCSI targets.
4-14
Demonstration Steps:
Question: What parts are critical when using the iSCSI initiator to connect to an iSCSI target?
4-15
Lesson 2
Identifying which storage technology to deploy is the first critical step in making sure your environment is
prepared for data storage requirements. However, identifying the type of storage is only the first step.
There are other steps you need to take to prepare for data storage requirements.
Once you have identified the best storage solution, or have chosen a mix of storage solutions, you need
to figure out the best way to manage that storage. Ask yourself the following questions. Will all of the
disks be allocated the same amount of storage space? Will the type of file systems be the same for all
disks?
Questions like these as well as why it is important to manage disks and what is important about the
management of disks will be described throughout this lesson.
Objectives
After completing this lesson, you will be able to:
4-16
Key Points
Windows Server 2008 R2 supports both basic disks and dynamic disks.
Basic Disk
Basic storage uses normal partition tables supported by MS-DOS, and all versions of Microsoft Windows.
A disk initialized for basic storage is called a basic disk. A basic disk contains basic partitions, such as
primary partitions and extended partitions. Extended partitions can be subdivided into logical drives.
By default, when you initialize a disk in Windows, the disk will be configured as a basic disk. Basic disks
can easily be converted to dynamic disks without any loss of data. However, to convert a dynamic disk to
basic disk, all data on the disk will be lost.
Some applications cannot address data stored on dynamic disks. In addition, there is no performance gain
by converting basic disks to dynamic disks. For these reasons, most administrators do not convert basic
disks to dynamic disks unless they need to use some of the additional volume configuration options
available with dynamic disks.
Dynamic Disk
Dynamic storage is supported in all Windows operating systems beginning with the Windows XP
operating systems and the Microsoft Windows NT Server 4.0 operating system. A disk initialized for
dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes, such as simple
volumes, spanned volumes, striped volumes, mirrored volumes, and redundant array of independent disks
(RAID)-5 volumes. With dynamic storage, you can perform disk and volume management without the
need to restart Windows.
When you configure dynamic disks, you create volumes rather than partitions. A volume is a storage unit
made from free space on one or more disks. It can be formatted with a file system and can be assigned a
drive letter or configured with a mount point.
4-17
Simple Volumes. A simple volume uses free space from a single disk. It can be a single region on a
disk or consist of multiple, concatenated regions. A simple volume can be extended within the same
disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a
spanned volume.
Spanned Volumes. A spanned volume is created from free disk space that is linked together from
multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume
cannot be mirrored and is not fault-tolerant; therefore if you lose one disk, you lose all of the
spanned volume.
Striped Volumes. A striped volume is a volume whose data is spread across two or more physical
disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks.
A striped volume cannot be mirrored or extended and is not fault-tolerant, again meaning the loss
of one disk will cause the loss of data immediately. Striping is also known as RAID-0.
Mirrored Volumes. A mirrored volume is a fault-tolerant volume whose data is duplicated on two
physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If
one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume
cannot be extended. Mirroring is also known as RAID-1.
RAID-5 Volumes. A RAID-5 volume is a fault-tolerant volume whose data is striped across a minimum
of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is
also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on
that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be
mirrored or extended.
System Volumes. The system volume contains the hardware-specific files that are needed to load
Windows (for example, Bootmgr, BOOTSECT.bak, and BCD). The system volume can be, but does not
have to be, the same as the boot volume.
Boot Volumes. The boot volume contains the Windows operating system files that are located in the
%Systemroot% and %Systemroot%'System32 folders. The boot volume can be, but does not have to
be, the same as the system volume.
Note: When you install the Windows 7 operating or Windows 2008 R2 in a clean installation, a
separate system volume is created to enable encrypting the boot volume by using BitLocker.
4-18
Key Points
File Allocation Table (FAT)
FAT is the most simplistic of the file systems supported by Windows. The FAT file system is characterized
by a table that resides at the very top of the volume. To protect the volume, two copies of the FAT are
kept in case one becomes damaged. In addition, the FAT tables and the root directory must be stored in a
fixed location so that the system's boot files can be correctly located.
A disk formatted with FAT is allocated in clusters, whose sizes are determined by the size of the volume.
When a file is created, an entry is created in the directory and the first cluster number containing data is
established. This entry in the FAT table either indicates that this is the last cluster of the file, or points to
the next cluster. There is no organization to the FAT directory structure, and files are given the first open
location on the drive.
Because of the size limitation with the file allocation table, the original release of FAT could only access
partitions that were less than 2 GB in size. To enable larger disks, Microsoft developed FAT32. FAT32
supported partitions up to 2 terabytes.
FAT does not provide any security for files on the partition. You should never use FAT or FAT32 as the file
system for disks attached to Windows Server 2008 R2 servers. You might consider using FAT or FAT32 to
format external media such as USB flash media.
4-19
extensions such as security access control lists (ACLs), which allow for auditing and file system journaling
as well encryption.
NTFS is required for a number of Windows Server 2008 R2 roles and features such as Active Directory
Directory Services, Volume Shadow Services, Distributed File Services and File Replication Services. NTFS
also provides a much higher level of security than FAT or FAT 32. For these reasons, you should always use
NTFS for all hard disks connected to Windows Server 2008 R2 or Windows 7 computers.
4-20
Key Points
Mount points are used in Windows operating systems to make a portion or an entire part of a disk
useable by the operating system. Most commonly, mount points are associated with drive letter mappings
so that the operating system can gain access to the disk through the drive letter.
With Windows operating systems beginning with the Windows 2000 Server operating system, you can
also enable volume mount points, which enable you to mount a hard disk to an empty folder that is
located on another drive. For example, if you add a new hard disk to a server, rather than mounting the
drive using a drive letter, you can assign a folder name such as C:\Datadrive to the drive. When you do
this, any time you access the C:\Datadrive folder, you are actually accessing the new hard disk.
Volume mount points can be useful in the following scenarios:
If you are running out of drive space on a server and you want to add disk space without modifying
the folder structure. You can add the hard disk, and configure a folder to point to the hard disk.
Note: You can assign volume mount points only to empty folders on an NTFS partition. This means
that if you want to use an existing folder name, you must first rename the folder, create and mount
the hard disk using the required folder name, and then copy the data to the mounted folder.
If you are running out of available letters to assign to partitions or volumes. If you have many hard
disks attached to the server, you may run out of available letters in the alphabet to assign drive
letters. By using a volume mount point, you can add additional partitions or volumes without using
more drive letters.
If you need to separate disk input\output within a folder structure. For example, if you are using an
application that requires a specific file structure, but which uses the hard disks extensively, you can
separate the disk I\O by creating a volume mount point within the folder structure.
4-21
In this demonstration you will see how to create and manage volumes in Windows Server.
This demonstration shows how to configure volumes using the command-line tools diskpart and Disk
Management. Most disk configuration can be completed using Disk Management. In some cases, for
example, if you are trying to repair a server using the recovery environment, you will have to use diskpart
if you need to change the disk configuration.
Demonstration Steps:
1.
2.
3.
4.
4-22
Lesson 3
Implementing RAID
Now that you have learned about the types of storage and the methods in which you can address the
storage, the next important thing is to consider reliability and availability. In most organizations, the data
stored on the storage attached to Windows Server 2008 R2 servers will be important and it will be
essential that the data is always available.
Windows Server 2008 R2 supports the use of RAID to provide this type of reliability. This lesson provides
an overview of RAID and provides suggestions on the type of RAID to use in various scenarios.
Objectives
After completing this lesson, you will be able to:
4-23
What Is RAID?
Key Points
RAID is a technology that enables you to configure storage systems that provide high reliability and
potentially high performance. RAID implements these storage systems by combining multiple disks into a
single logical unit called a RAID array that, depending on the configuration, can withstand the failure of
one or more of the physical hard disks, or provide higher performance than is available by using a single
disk.
RAID provides a very important component in planning and deploying Windows Server 2008 R2 servers.
In most organizations, it is important that the servers be available all of the time. Most servers provide
highly redundant components such as redundant power supplies, and redundant network adapters. The
goal of this redundancy is to ensure that the server remains available even when a single component on
the server fails. By implementing RAID, you can provide the same level of redundancy for the storage
system.
Disk mirroring. With disk mirroring, all of the information that is written to one disk is also written to
another disk. If one of the disks fails, the other disk is still available.
Using parity information. Parity information is used to calculate the information that was stored on a
disk in the event of a disk failure. If this option is used, the server or RAID controller calculates the
parity information for each block of data written to the disks, and then stores this information on
another disk or across multiple disks. If one of the disks in the RAID array fails, the server can use the
data that is still available on the functional disks and the parity information to recreate the data that
was stored on the failed disk.
4-24
RAID subsystems can also provide potentially better performance than single disk by distributing disk
reads and writes across multiple disks. For example, when implementing disk striping, the server can read
information from all hard disks in the stripe set. When combined with multiple disk controllers, this can
provide significant improvements in disk performance.
Important: Although RAID can provide a greater level of tolerance for disk failure, you should not use
RAID to replace traditional backup. In case a server were to have a power surge or catastrophic failure
and all of the disks were to fail, then you would still need to rely on standard backups.
Question: Should all disks be configured with the same amount of fault tolerance?
4-25
Key Points
When implementing RAID, you need to make several decisions.
Hardware RAID requires disk controllers that are RAID capable. Most disk controllers shipped with
new servers have this functionality.
To configure hardware RAID, you need to access the disk controller management program. Normally,
you can access this during the server boot process.
Implementing disk mirroring for the disk containing the system and boot volume with software RAID
can require additional configuration when a disk fails. Because the RAID configuration is managed by
the operating system, you must configure one of the disks in the mirror as the boot disk. If that disk
fails, you may need to modify the boot configuration for the server in order to start the server. This is
not an issue with hardware RAID because the disk controller will access the available disk and expose
it to the operating system.
In older servers, you may get better performance with software RAID when using parity because the
server processor could calculate parity more quickly than the disk controller. This is no longer an issue
4-26
with newer servers, where you may get better performance on the server because you can offload the
parity calculations to the disk controller.
Performance implications. Some RAID levels provide very high performance while other RAID levels
provide much worse performance. Some RAID levels provide high read performance, but lower write
performance. You need to consider these performance characteristics when choosing a RAID level.
Level of redundancy. RAID levels also provide different levels of redundancy. Some RAID levels cannot
support the loss of any disks, some RAID levels can support the loss of one or more disks. You need to
consider your requirements for redundancy when choosing a RAID level.
Storage utilization. RAID levels also have different levels of storage utilization. With some RAID levels,
the storage capacity for the entire RAID array is equal to the total amount of disk space for all disks in
the array. For other RAID levels, one or more disks may be used to store parity information. With disk
mirroring, the RAID array storage capacity is half of the storage capacity of the disks.
In most cases, you will need to choose which of the three options are most important for your RAID
implementation. Each RAID level provides a high level of functionality for one or two options, but no RAID
level provides high functionality for all options. This means that you will need to evaluate the required
RAID level for each server or application separately.
4-27
RAID Levels
Key Points
When implementing RAID, you need to decide what level of RAID to implement. The table below lists the
features for each different RAID level.
RAID Levels
Level
Description
Space
Performance utilization
Redundancy Comments
High read
and write
performance
All space
on the
disks is
available
Good
performance
Can only
use the
amount of
space
available
on the
smallest
disk
One or
more disks
used for
parity
4-28
One disk
used for
parity
Good read
One disk
performance, used for
poor write
parity
performance
Good read
performance,
poor write
performance
Can tolerate a
The
equivalent single disk
of one disk failure
used for
parity
Good read
performance,
poor write
performance
The
equivalent
of two
disks used
for parity
Can tolerate
two disk
failures
RAID
0+1
Striped sets in a
mirrored set
A set of drives is
striped, and then
the strip set is
mirrored
Very good
read and
write
performance
Half the
disk space
is available
due to
mirroring
RAID
1+0
Mirrored set in a
stripe set
Several drives are
mirrored to a
second set of
drives, and then
one drive from
each mirror is
striped
Very good
read and
write
performance
Half the
disk space
is available
due to
mirroring
Can tolerate
the failure of
two or more
disks as long
as both disks
in a mirror do
not fail
In this demonstration you will see how to implement mirroring and RAID 5.
Demonstration Step:
Question: Do you think youll use Software RAID or hardware RAID? Will you even use RAID?
4-29
4-30
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
2.
3.
4.
5.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
In Hyper-V Manager, click 6420B-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
4-31
4-32
Convert disks.
Assign the three disks to a RAID 5 array.
Format the newly created array.
3.
On NYC-SVR3, open the command prompt with administrative credentials and then run diskpart.
Use the Select disk command to select Disk 1. Bring the disk online with the Online Disk command,
remove the read only attribute but running the Attributes disk clear readonly command, and then
convert it to dynamic by using the Convert Dynamic command.
Repeat the previous step for Disk 2 and Disk 3.
On NYC-SVR3, at the diskpart command prompt, use the create volume raid size=100 disk=1,2,3
command to create a RAID 5 volume of 100 MB using disk 1, 2 and 3.
At the diskpart command prompt, use the format fs=ntfs label=r5r quick command to quick
format the RAID-5 volume as an NTFS file system with the label R5R.
Close all open windows on NYC-SVR3.
Results: After this exercise, you should have configured a RAID 5 array in Diskpart with the label
R5R.
4-33
3.
File: C:\Disks\Disk-01.vhd
Size: 8000 MB
File: C:\Disks\Disk-02.vhd
Size: 20000 MB
4-34
3.
4.
On Disk 2, create a new simple volume with the drive letter Q and a volume label of Data1.
On Disk 3, create a new simple volume with the drive letter M and a volume label of Data2.
Results: After this exercise, you should have implemented a Windows iSCSI target.
4-35
Review Questions
1.
2.
3.
4-36
Module 5
Installing and Configuring Windows Server
Contents:
Lesson 1: Installing Windows Server
5-3
5-19
5-25
5-34
5-1
5-2
Module Overview
In order to have a server that fits the needs of your organization and one that operates in an efficient and
consistent manner, specific steps and considerations need to be taken. The most critical piece of a
Windows Server 2008 R2 operating system servers operability is the initial installation and
configuration.
Windows Server 2008 R2 editions, installation options, optimal service and device configuration and
general post-installation configuration all contribute to the functionality and effectiveness of your
Windows Server implementation.
Objectives
After completing this module, you will be able to:
Manage services.
5-3
Lesson 1
The method by which you install Windows Server 2008 R2 and the edition and options you choose
determine how quickly and effectively your server can begin performing its functions.
This lesson will introduce you to the key components and considerations involved with installing Windows
Server 2008 R2.
Objectives
After completing this lesson, you will be able to:
Describe the process for deploying Windows Server using Microsoft Windows Deployment Services.
5-4
Key Points
A server is a critical part of a computer network. Unlike a client, whose primary role is performing tasks for
the end user, a server is responsible for serving a variety of resources to the rest of the network. These
resources could include file shares, hosted applications, or shared printers. Servers also play a key role in
maintaining the integrity of a computer network. Servers use authentication and resource access rules to
ensure that information and resources on the network are available only to those who are authorized to
use them. Servers also provide additional network related services such as assigning IP addresses,
performing name resolution, or routing network traffic.
The key component to supplying these services in an effective manner is the server operating system. The
server operating system communicates with the servers hardware, ensuring that it is being utilized
properly. A server operating system also provides a centralized environment to manage the servers
functionality and resources, allowing administrators to interact with the server computer in a meaningful
and efficient way. Server operating systems also often expand functionality of the operating system to
support typical server hardware features like hot-swappable memory and processors and hard disk
redundancy features.
Question: What different functions might a server perform in a network environment?
5-5
Key Points
Windows Server 2008 R2 is available in different editions to support varying server and workload needs of
organizations. Each edition of Windows Server 2008 R2 is packaged with a unique set of features that
target that edition to a particular environment or even a specific role. The seven editions of Windows
Server 2008 R2 address almost every possible type of server implementation you would find in a network
environment.
The following table lists the most commonly used Windows Server 2008 R2 editions:
Edition
Description
The Windows Server Standard edition offers the most commonly used
features in Windows Server 2008 R2 and is designed to meet almost all
general server computing requirements. It adds features like Server
Core, Hyper-V and DirectAccess to the functionality of Windows
Server Foundation. Windows Server Standard supports up to 4
processors and up to 32GB of RAM.
5-6
Edition
Description
The following specialized editions of Windows Server 2008 R2 are also available:
Edition
Description
Windows Server 2008 R2 HPC Provides an enterprise-class platform for high-performance computing
Edition
(HPC). It can scale to thousands of processing cores and includes
management consoles that help you to proactively monitor and
maintain system health and stability. Job scheduling interoperability and
flexibility enables integration between Windows and Linux based HPC
platforms.
Windows Server 2008 R2 for
Itanium-based Systems
operating system
5-7
Key Points
Since the early days of the Microsoft Windows platform, Windows servers have been implemented as
full-featured servers that include a wide variety of features, some that might never be used in a
particular network environment. These extra, unused features could cause the server to consume more
system resources than required or leave the overall security of the server more vulnerable to exploitation.
Server Core is a minimal installation option available in Windows Server 2008 R2. Server Core provides a
low-maintenance server environment with limited functionality when compared to a full installation of
Windows Server 2008 R2. This configuration is designed to provide a server environment that reduces:
Servicing requirements.
Management requirements.
To achieve these goals, the Server Core installation option installs only the server components required for
essential operating system functions. This includes removing most aspects of the graphical user interface
(GUI), and offering only a small number of features when compared with a full installation of Windows
Server 2008 R2.
In a Server Core installation, server management is performed primarily by using command-line tools or
using the Microsoft Management Console (MMC) from a remote computer. All GUI elements are removed
from a Server Core installation with the exception of those listed in the following table.
GUI application
Executable name
Command Prompt
Cmd.exe
5-8
GUI application
Executable name
Msdt.exe
Notepad
Notepad.exe
Registry Editor
Regedt32.exe
Msinfo32.exe
Task Manager
Taskmgr.exe
Msiexec.exe
While the limited GUI makes the server more difficult to access for someone with malicious intent, it can
also make performing some administration tasks on the server more complicated for the administrator of
the server, especially if administration is being performed locally, where only the command-line interface
can be used.
Note: New to Windows Server 2008 R2 is the Sconfig tool, which provides the server administrator
with a text-based menu from which the administrator can initiate common server configuration tasks,
rather than running tasks manually directly from the command line.
The Server Core installation option is not available in Windows Server Foundation, the
Windows Server 2008 R2 HPC Edition, or Windows Server 2008 R2 for Itanium-based Systems.
Question: In what situations might a Server Core installation be used instead of a full installation of
Windows Server 2008 R2?
5-9
Key Points
Various methods exist for installing Windows Server 2008 R2. These methods are determined primarily by
the media from which the operating system is installed. Depending on your installation scenario and the
availability of specific hardware or degree of physical access to the server, several methods exist to ensure
that Windows Server 2008 R2 can be installed in any situation.
Installation Methods
Local media. The standard and simplest method of installing Windows Server 2008 R2 is using local
media. Windows Server 2008 R2 can be installed locally using an installation DVD inserted into the
DVD drive of the server or run from a Universal Serial Bus (USB) flash drive attached to the computer.
Local media installations require the least amount of planning and pre-configuration, but require the
most manual intervention during installation as well as physical access to the server for at least a
portion of the installation process.
Network share. Windows Server 2008 R2 can also be installed from a shared location on the network.
This allows for installation on servers where only remote access is available or for servers that do not
have a DVD drive or USB ports available to support a local media installation. Network share
installations also allow for multiple servers to use the same copy of the installation files at one time,
avoiding the need to have multiple DVDs or USB flash drives. Similar to a local media installation,
network share installations require a considerable amount of user interaction and, typically, physical
access to the server to initiate the installation process.
5-10
Key Points
New Install
A new install of Windows Server 2008 R2 is typically done when a server is installed to perform a new role
on the network or when it is not necessary to retain any information from the operating system previously
installed on the server. A new install involves installing the operating system either onto an empty hard
disk or overwriting existing information on a hard disk.
Upgrade
An upgrade installation of Windows Server 2008 R2 involves replacing an existing operating system with
Windows Server 2008 R2, but retaining operating system and application settings, as well as other data
stored on the system. Upgrade installations are typically done when existing system information would be
too difficult or time consuming to recreate or migrate to a new installation of Windows Server 2008 R2.
The following upgrade scenarios are supported:
Current operating system
5-11
Note: When upgrading from previous Windows Server operating systems, it is important to note that
Windows Server 2008 R2 no longer supports 32-bit processors. Only 64-bit processors are supported.
Migration
A migration install is characterized by the backing up of data or settings from an existing server
installation and erasing or overwriting that server with a new installation of Windows Server 2008 R2. The
backed up data or settings are then restored to the newly installed server. This type of migration
installation is typically used when the data and settings involved are easily backed up and it is not
necessary to maintain the entire configuration of the existing server. Alternatively, a migration can also
involve the installation of Windows Server 2008 R2 on a new physical server and transferring the settings
and applications from the original server to the new one. This method has the benefit of leaving the old
server completely intact should the need arise to rollback to the old configuration. Unfortunately, this
method also typically involves a large amount of planning and detail in implementation to ensure that all
aspects of the old server are transferred to the new server.
5-12
Key Points
There are several general steps involved in installing Windows Server 2008 R2 that universally apply to all
installation methods and types.
1.
Ensure that the server hardware meets minimum requirements. Windows Server 2008 R2 requires a
minimum level of hardware to run properly. The following table lists the most common basic
hardware requirements for a Windows Server 2008 R2 installation:
Component
Minimum required
Processor
Memory
Disk Space
10GB free
Note: Minimum requirements are just that; a minimum. In a production environment, the hardware
used for a server should always be appropriately scaled to meet the resource requirements for the
server operating system, installed roles, features and applications and, typically, future growth.
In addition, specific features may need to be configured on the server hardware to support Windows
Server 2008 R2. For example, basic input/output system (BIOS) level virtualization settings must be
enabled to allow the Hyper-V virtualization role to run.
Also, some hardware used during the installation process (typically hard disks) may not have device
driver support built into Windows Server 2008 R2. In these cases, the device driver must be preloaded
prior to attempting installation or a copy of the media containing the driver must be available during
installation.
5-13
2.
Backup all pertinent data if you are installing Windows Server 2008 R2 in an upgrade or migration
scenario.
3. Run setup.exe from local media, or a network share or deployment location.
4. Confirm regional and language settings.
5. Choose edition to install.
6. Read and accept license agreement.
7. Choose installation type.
8. Choose location for installation.
9. Install files.
10. Set Administrator password.
Once initial setup is completed, Windows Server 2008 R2 starts for the first time and presents options for
further configuration.
5-14
Key Points
Windows Deployment Services is a set of operating system components that allow for the efficient
deployment of a number of different operating systems, including Windows Server 2008 R2.
The Windows Deployment Services components can be divided into the following three categories:
Windows Deployment Services Server components. These components reside on a Windows Server
2008 R2 server and are responsible for hosting and sharing out the files necessary for operating
system deployment. A Windows Deployment Services server is capable of deploying operating
systems to multiple computers at one time.
Windows Deployment Services Client components. The client components run on the computers that
the operating system is being deployed to. They allow the computer to communicate properly with
the Windows Deployment Services server and determine which operating systems are available for
deployment.
2.
Build image file(s). Windows Deployment Services uses Windows Imaging Format (WIM) to package
operating system files for deployment. WIM allows for a single file to contain all of the information
needed to deploy one or several versions of an operating system. These images are copied to
deployed computers and unpackaged on the computers hard disk into a ready-to-run version of the
operating system.
Build unattended answer file(s). Windows Deployment Services provides the ability to automate
operating system installation during deployment using unattended answer files which provide
3.
4.
5-15
information to the deployment process regarding various configuration options available. These files
allow for an administrator to deploy the operating system without any intervention or manual entry
of information during the deployment process. These files can be reused or customized for multiple
deployments.
Create a deployment transmission. By creating a transmission, the Windows Deployment Services
server is advertising to the rest of the network that it has a number of images ready for deployment.
Initiate installation from client. When a computer loads a Windows Deployment Services boot image
(typically from DVD or by booting from the network), Windows Deployment Services presents the
computer with a list of available images for deployment. Once an image is chosen, the deployment
process is initialized and the Windows Deployment Services server begins unpacking the image file
onto the new computer.
Question: In what situations would a Windows Deployment Services Server be used by an
organization? In what situations would a Windows Deployment Services Server not be efficient to
implement?
5-16
Key Points
A number of common tasks need to be performed on a server after installation has been completed.
These include time zone and clock settings, network configuration, setting a unique computer name and
domain membership, configuring Windows Update settings, adding server roles and features, modifying
Remote Desktop settings and configuring Windows Firewall settings.
All of these tasks are available in the Initial Configuration Tasks (ICT) Wizard that runs when the computer
is started for the first time immediately following installation. It includes links for the following tasks:
Activate Windows. You can continue to use Windows Server while it is not activated for a grace
period. After this period expires, Windows continues to function, however the system is then
unlicensed.
Set the time zone. It is important to configure the time zone because many network-related services
do not function correctly if the computer clocks of networked computers are excessively out-of-sync.
Configure the network settings. By default, both IPv4 and IPv6 are configured to obtain an IP address
automatically. Most server installations will utilize static IP address information.
Configure computer name and domain membership. By default, the computer name is automatically
generated; the suggested name may not comply with organizational standards that you have in
place. The computer is assigned membership of a workgroup by default. In many cases, the computer
will need to be joined to a domain.
Enable automatic updating and feedback settings. By default, automatic updates are disabled and
Windows error reporting is off.
Download and install updates. It is important to ensure that the computer is up-to-date with urgent
and security-related updates.
Configure Windows Firewall. The computer is connected to a public network location and the
Windows Firewall is enabled by default, using the public location profile.
5-17
In a deployment situation, many of these tasks may have been completed during the deployment process
using answer files. In this case, the ICT Wizard provides a central location to confirm that the deployment
settings have been configured properly.
Note: In a Server Core installation, the ICT Wizard is one of the many GUI elements that have been
removed. As a result, Server Core post-installation configuration must be done locally using the
command line or the sconfig tool or remotely using MMC on another computer. This extra effort
required for configuration makes Server Core installations excellent candidates for using answer files
for automated configuration in a deployment scenario.
5-18
In this demonstration, you will see how to use the Initial Configuration Tasks Wizard to configure the
following post-installation settings.
Demonstration Steps:
1.
2.
3.
4.
5-19
Lesson 2
Managing Services
In Windows Server 2008 R2, services provide the functionality for the core of the operating system. They
provide the framework on which Windows roles and features are built. Effectively managing these services
is critical to the efficient and reliable operation of a Windows Server.
Objectives
After completing this lesson, you will be able to:
Describe a service.
5-20
What Is a Service?
Key Points
In Windows Server 2008 R2, a service or service application is a long running executable that performs a
specific function that is designed to require no user intervention. Where an application may be started
and closed numerous times by a user over any given time, a service will typically remain running for the
entire time that the operating system is running, unless directed to do otherwise by the operating system
or associated applications. Services typically consist of an executable file and a directory for storing service
components.
Service Examples
Services are responsible for the majority of Windows Server 2008 R2 functionality. Some common services
and their primary functions are listed below.
Windows Error Reporting. Allows errors to be reported when programs stop working or responding.
Service Startup
Unlike applications, which are executed by the user on an as needed basis, the execution of services is
controlled by the operating system or related software applications. Each service is initialized at the
startup of the computer according to its startup type. Startup types are listed below.
Automatic (Delayed). Starts the service on a timed delay from system start. This is used to speed up
system startup time in some cases, or to force the service to wait until any services that it is
dependent on start.
5-21
5-22
In this demonstration, you will see how to view and configure service startup options using the Services
applet within Server Manager.
Demonstration Steps:
1.
2.
3.
5-23
Troubleshooting Services
Key Points
Due to the critical nature of Windows services, service failure or service-related problems can cause
various forms of operating instability. These issues need to be diagnosed and resolved quickly in order to
maintain consistent system operation.
Service failures can be caused by a number of issues including the following:
Service account restrictions. Services run under the context of a Windows account, which determines
the level of access that the server and its related functions have in relation to the rest of the system.
Commonly, the built-in LocalSystem account is used for service execution, which gives a service a
high level of access to the rest of the operating system. Some services, however, will run under a
specifically configured account typically referred to as a service account. This service account is
created for the sole use of running the related service and may contain specific security restrictions or
dependencies, depending on the nature of the service. Incorrect password settings or
overly restrictive service account permissions can cause a service to fail to start properly.
Service dependencies. Many services run as a solitary application, unrelated to any other services. In
other cases, a service may be dependent on the successful operation of other services to allow it to
properly start. If one of these dependency services fails, it could also cause the dependent service to
fail to start.
Corrupt or missing files. If the files necessary for a services execution are missing or corrupted, the
service may fail to start or behave erratically.
Safe Mode. The Safe-Mode boot feature is available when pressing the F8 key as the operating
system starts. Safe Mode loads the minimal set of services required for the operating system to run
5-24
and can allow the repair, removal or disabling of failing services that are preventing Windows from
starting properly.
Last Known Good Configuration. Also accessed by pressing the F8 key as the operating system starts,
Last Known Good Configuration restores operating system settings contained in the registry as they
were the last time the computer started correctly.
5-25
Lesson 3
A large number of individual components combine to provide the computer hardware on which a
Window Server runs. Disk drives, processors, memory, keyboards, monitors, network adapters, printers,
scanners and many other components play an important role in providing the functionality required for a
server to perform its duties.
The proper management and maintenance of these components ensures that the server components
work cohesively to provide proper functionality.
Objectives
After completing this lesson, you will be able to:
Describe a device.
5-26
What Is a Device?
Key Points
A device is a hardware component installed in or attached to a computer that performs a specific
function.
Device functions can be as narrow as that of a computers memory, or as diverse as a multifunction
printer/copier/scanner. Devices are also connected to the computer in a variety of ways. Many devices
attach directly to the computers motherboard such as processors, memory and network adapters, while
some devices such as printers, cameras, flash drives, mice or keyboards use external connection
technologies such as USB or FireWire.
Devices work together to provide a computers complete functionality, and a single malfunctioning device
can affect the performance of other devices or the entire computer.
5-27
Key Points
In order for devices to function cooperatively within a computer, they need to be able to share the
computers resources and establish methods of communication with other devices. Devices require
specific settings that control where and when they communicate with the rest of the computer. These
settings must be unique to the device to ensure that one device is not interfering with the functionality of
another device. Historically, these settings needed to be configured by the end user using the BIOS of the
computer, physical switches on the device itself or special configuration software provided by the device
manufacturer. Common device settings include:
Direct memory access (DMA) channel. DMA allows certain devices attached to the computer to
directly access the computers memory without using the computers processor. Typically, each device
utilizing DMA must have a unique DMA channel assigned to it.
Interrupt request (IRQ) line. IRQ lines are used to send interrupt requests to a computers processor
when a device requires processor use.
Input/Output Range. Input/Output Range specifies the range of addresses in memory that a device
uses to send and receive information between the device and Windows. A devices input/output
range must be unique to that specific device.
Memory range. Memory range refers to the specific physical memory address in the computer that a
device has reserved for its general use. A devices memory range must be unique to that specific
device.
Note: The value for each of these settings for a particular device can be viewed in Device Manager
using the Resource tab of the devices Properties window.
5-28
Be uniquely identified.
5-29
Key Points
A driver is a small software program that allows the computer to communicate with a specific device. A
driver acts as an interface between the actual hardware components of the device and Windows Server
2008 R2. The device driver exposes the capabilities of the device to the operating system so the device
can be utilized effectively and interface with related devices. A device driver is typically specific to an
operating system. Without drivers, the devices you connect to the computer will not work properly.
Windows Server 2008 R2 provides driver support for most common devices. The drivers for these devices
come pre-installed and will automatically install when the device is connected to the computer. In cases
where a driver cannot be found within Windows Server 2008 R2s native drivers, Windows Update can be
used to search for new or updated drivers. Device drivers can also be obtained from the installation media
that came with the device or from the device manufacturers Web site.
Driver Staging
Additionally, device drivers can be installed into Windows Server 2008 R2 or staged for future use. When
a driver is staged, the driver files are stored within Windows and treated as part of the original set of
drivers native to the operating system. This allows devices using that driver to be recognized immediately
and have its driver installed automatically without requiring user intervention like specifying a driver
location or checking a manufacturers Web site.
Note: Device drivers are built for a specific processor architecture type. 64-bit device drivers will work
only on a 64-bit operating system and 32-bit device drivers will work only on a 32-bit operating
system. Since Windows Server 2008 R2 support 64-bit architecture only, 32-bit drivers will not work for
devices installed on a Windows Server 2008 R2 computer.
5-30
Driver Signing
Key Points
A signed driver is a device driver that includes a digital signature provided from a trusted third party
source. This digital signature acts as an electronic security mark that identifies the publisher of the
software and confirms that the contents of the driver package are the original contents and unchanged. If
a driver has been signed by a publisher, you can be confident the driver comes from that publisher and is
not altered.
The benefits of using signed drivers include:
Improved security.
When a device is installed and the device driver specified is digitally signed, Windows will install the driver
without any user intervention and start the driver once the install is complete. All device drivers that come
pre-installed with Windows have been digitally signed.
Windows will alert you with one of the following messages if a driver is not signed, if it was signed by a
publisher that has not verified its identity with a certification authority, or if the driver has been altered
since it was released:
Windows cannot verify the publisher of this driver. This driver either doesn't have a digital signature,
or it has been signed with a digital signature that was not verified by a trusted certification authority.
You should only install this driver if you obtained it from a reliable source.
This driver has been altered. This driver was altered after it was digitally signed by a verified publisher.
The package may have been altered to include malicious software that could harm your computer or
steal information. In rare cases, legitimate publishers do alter driver packages after they have been
digitally signed. You should only install an altered driver if you obtained it from a reliable source.
5-31
Windows cannot install this driver. A driver that lacks a valid digital signature, or that was altered after
it was signed, can't be installed on 64-bit versions of Windows.
Note: When staging drivers into the Windows Server 2008 R2 driver store, all staged drivers must be
digitally signed.
5-32
In this demonstration, you will see how to update a device driver using Device Manager.
Demonstration Steps:
1.
2.
In this demonstration, you will see how to rollback a device driver using Device Manager.
Demonstration Steps:
1.
2.
5-33
5-34
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
2.
3.
4.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
In Hyper-V Manager, click 6420B-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
The first task in your new job as junior server administrator is to perform the initial installation and
configuration of a new server for the Research and Development department of Contoso, Ltd In this
instance, the company decided a local media-based installation should be performed. Once the
installation is complete, you will configure the servers post-installation settings as per the supplied
documentation. Additionally, the startup settings for some services must be configured, and a new device
driver must be tested for proper functionality.
Supporting Documentation
E-mail message from your boss, Jim Hance.
Jeff Price
From:
Sent:
To:
Subject:
5-35
Jeff,
Please use the following information to install the new server for R&D.
Installation options
Language: English
Time and currency format: English (United States)
Keyboard or input method: US
Product: Windows Server 2008 R2 Enterprise (Full Installation)
Administrator password: Pa$$w0rd
Post-installation configuration options:
Time zone: (UTC-05:00) Eastern Time (US & Canada)
IP address: 10.10.0.100
Subnet mask: 255.255.0.0
Gateway: 10.10.0.1
DNS Servers: 10.10.0.10 and 10.10.0.11
Enable automatic Windows Update
Server name: NYC-SVR1
Domain name: Contoso.com (use the Contoso\Administrator account with a password of Pa$$w0rd when
prompted for credentials)
Please let Lisa from the Sr. Server Admin team know when youre finished, shell finish the configuration
and get the server to R&D.
Thanks,
Jim
5-36
Attach the Windows Server 2008 R2 Installation DVD to NYC-SVR1 using these steps:
a.
b.
c.
d.
e.
2.
3.
Switch to Hyper-V Manager, right click on 6420B-NYC-SVR1 and then click Settings.
In the Settings for 6420B-NYC-SVR1 dialog box, click DVD-Drive in the Hardware Pane.
In the DVD-Drive pane, select Image file and then click Browse.
Navigate to C:\Program Files\Microsoft Learning\6420\Drives, click
WServer2008R2_Eval.iso and then click Open.
In the Settings for 6420B-NYC-SVR1 dialog box, click OK.
Results: After this exercise, you should have installed a new Windows Server 2008 R2 server.
5-37
5-38
Results: After this exercise, you should have used Server Manager to make changes to service startup
options.
Results: After this exercise, you should have performed update and rollback operations on a device
driver.
Important: Start the 6420B-NYC-DC1 virtual machine first, and ensure that it is fully started before
starting the other virtual machines.
5-39
5-40
Review Questions
1.
2.
3.
4.
Why is it more difficult to perform post-installation tasks on a Server Core installation of Windows
Server 2008 R2 as opposed to a full installation?
If you need to troubleshoot system instability, what tool should you use to disable a specific set of
services from running at startup?
If a newly installed video adapter device driver is preventing Windows from starting properly, what
tools would you use first to return the system to an operable state?
What factors should be considered when staging drivers in the Windows driver store?
Tools
Tool
Use for
Where to find it
Sconfig
Windows
Deployment
Services
Windows Deployment
ICT
Wizard
Initial post-installation
Registry
editor
MSConfig
Windows registry
settings and troubleshoot
startup issues
5-41
Tool
Use for
Device
Manager
Manage server devices and Type Device Manager in the search field of the start
settings
Where to find it
menu.
5-42
Module 6
Windows Server Roles
Contents:
Lesson 1: Role-Based Deployment
6-3
6-9
6-20
6-1
6-2
Module Overview
Servers perform a variety of functions. In the past, these functions were combined into a monolithic
operating system. Each server was loaded with all of the necessary software to perform all server functions
irrespective of the actual functions it performed. The Windows Server 2008 operating system separates
server functions into distinct server roles. By default, a server has no enabled roles. It is more efficient to
select which particular server roles you want based on the functional requirements of the server computer.
It is important to understand the functional requirements of a server computer and select and deploy
appropriate server roles to support these functional requirements.
Objectives
After completing this module, you will be able to:
Select and install server roles and features to support different types of servers.
Lesson 1
Role-Based Deployment
Windows Server 2008 is configured by adding and removing server roles and features. This is a new
method of organizing the addition and removal of services. Understanding server roles and features
allows you to install and support only the Windows Server 2008 components you need in your
environment.
Objectives
After completing this lesson, you will be able to:
6-3
6-4
Key Points
Server roles in Windows Server 2008 R2 describe a servers primary function. For example, a server role
might be an Active Directory Domain Service (AD DS) domain controller or a Web server. You can
choose to install one or many roles on a Windows Server 2008 R2 installation. You use the Server Manager
administrative tool for the installation and removal of server roles in a Windows Server 2008 R2
environment.
You can consider a role as a grouping of closely related, complementary features, for which, most of the
time, installing the role means installing one or more of its role services.
6-5
Key Points
Many server roles also have role services. Role services are software programs that provide various
functionalities of a role. When you install a role, you can choose which role services the role provides for
other users and computers in your enterprise. Some roles, such as Domain Name System (DNS) Server,
have only a single function, and therefore do not have available role services. Other roles, such as Web
Server, have several role services, such as File Transfer Protocol (FTP), that can be installed.
Role services allow you to control which role functionality is installed and enabled; this is useful where you
only require a subset of the functionality of a given server role. For example, the File Services server role
contains the following role services:
File Server
When you decide to deploy the File Services role, you can select only the specific role services that you
need.
6-6
Key Points
A feature typically does not describe the servers primary function. Instead, it describes a servers auxiliary
or supporting function. Consequently, an administrator typically installs a feature not as the primary
function of the server, but to augment the functionality of an installed role. For example, failover
clustering is a feature that administrators can choose to install after installing specific roles, such as File
Services, to make the File Services role more redundant.
Certain Microsoft Windows features are required for certain roles. For example, if you add the server
role Application Server, the Add Role Wizard asks for your confirmation to install the Microsoft .NET
Framework version 3.51 and the Windows Process Activation Service because these features are required
to support that role.
6-7
Key Points
The new Server Manager console simplifies the task of managing and securing server roles with Windows
Server 2008. The Server Manager in Windows Server 2008 R2 provides tools for:
Server Manager replaces the Computer Management console and provides a single point for managing a
server.
The Server Manager console uses integrated wizards to step the user through adding server roles. You can
use Server Manager to add several roles at once, even if they are unrelated. For example, a server being
provisioned for a branch office could have the DNS Server, Dynamic Host Configuration Protocol (DHCP)
Server, and Print Server roles added at once. The Server Manager Wizard performs all of the necessary
dependency checks and conflict resolution so the server is stable, reliable, and secure. The Server Manager
console replaces the Computer Management tool in Windows Server 2003.
The Server Manager can also be used as a portal for regular ongoing server management. The Server
Manager console reports on server status, exposes key management tasks, and guides administrators to
advanced management tools. A key component of the Server Manager is the server role home pages.
These pages provide an integrated view of server roles, including their current status and current
configurations. Some of these consoles include a filtered event viewer that displays recent events related
specifically to that role. Server role home pages offer controls where you can diagnose problems by
selectively stopping and starting role services. These role-specific summaries highlight potential problems
and offer relevant troubleshooting tools.
6-8
Key Points
You can install or remove roles and features with a number of management tools.
Server Manager
The Server Manager console uses integrated wizards to step you through the process of adding server
roles. You can use Server Manager to add several roles at once, even if they are unrelated. For example, a
server being provisioned for a branch office could have the DNS Server, DHCP Server, and Print Server
roles added at once. The Server Manager Wizard performs all of the necessary dependency checks and
conflict resolution so the server is stable, reliable, and secure.
Demonstration Steps:
1.
2.
3.
6-9
Lesson 2
In smaller organizations, server functions are often combined into a single server computer. In larger
organizations with many server computers, it is more common to dedicate a server to a specific subset of
server functions.
Objectives
After completing this lesson, you will be able to:
6-10
Key Points
Historically, the term file server was often used as a generic term to describe any server. Presently, the
term file server means a server that supports services that are necessary to enable users to store their files
on storage accessible to the server.
On a Windows Server 2008 R2 file server, you must:
Provide a mechanism that is used to backup, and where necessary restore, shared files.
File services are often combined with print services. In Windows Server 2008 R2, you can share locally or
network-attached printers. By doing so, you can reduce the overall number of print devices in your
organization as users do not need a printer each. In Windows Server 2008 R2, file and print services are
treated as separate server roles.
Note: It is important to understand that the storage used to host users files does not necessarily
need to be locally attached to the file server. A number of technologies exist that enable networkattached storage to be used by file servers.
File Server. Manages shared folders and enables users to access files on this server.
Distributed File System (DFS). Provides tools and services to support DFS namespaces and replication.
File Server Resource Manager. Enables you to manage quotas and file screens and to create and
manage reports on file usage.
Services for Network File System. Provides compatibility services for UNIX-based computers.
Windows Server 2003 File Services. Provides compatible file services for Windows Server 2003
computers.
BranchCache for network files. Installs the required services to support branch office environments.
Additionally, you might consider deploying the Print and Document Services role if your file server will
also provide print services.
6-11
6-12
Key Points
A domain controller is a computer that holds a copy of AD DS information. At minimum, a domain
controller holds a copy of the local domain partition, the configuration partition, and the schema
partition.
Functions
User authentication and computer authentication for a domain require access to a domain controller.
Credentials are sent to the domain controller for verification.
Domain controllers are also used by applications to query AD DS information. For example, Microsoft
Exchange Server 2010 reads configuration information from AD DS.
DNS is used to locate domain controllers. If DNS is configured incorrectly, then users may not be able to
log on or logon times will be very slow.
Note: You can run dcpromo.exe without first deploying the required server role as the role is
automatically deployed by dcpromo.exe if necessary.
Question: How many domain controllers should you have?
6-13
6-14
Key Points
An application server is a computer that is dedicated to running network-aware application software.
Examples of such software include Microsoft SQL Server, Microsoft Exchange Server, Internet
Information Services (IIS), and Terminal Services.
The design of network-aware application software can be Web-based, or it may have a client-server
architecture. You must consider the system requirements of each application, including its architecture,
when configuring the server computers that will host them.
An application server is a server that runs user applications. They have more intensive processing and
memory requirements than file and print servers because they perform more complex tasks.
The applications that run on application servers are typically divided into two categories:
Traditional applications. A traditional application may also be called a client-server application. Part of
the application runs on a client computer and part of the application runs on a server. Typically, the
client (front-end) application serves as an end-user interface for processing requests sent to and
receiving responses from the server (back-end). The bulk of data is stored on the server. In some
cases, the server portion of the application is just a SQL Server database that all client computers
communicate with. In other cases, there is a middle tier with application logic that the client
computers communicate with and the middle tier communicates with a SQL Server database.
Web-based applications. A Web-based application uses a Web browser to provide the user interface.
The application logic is then performed on a Web server and data is stored in a SQL Server database.
Windows Server 2008 includes features to support the application server role, regardless of whether the
application to be hosted has a Web-based or a client-server type of architecture.
6-15
.NET Framework 3.5.1. Provides infrastructure for creating securely connected services and workflow
applications.
Web Server (IIS) Support. Enables the application server to host internal or external Web sites.
Microsoft Component Object Model (COM+) Network Access. Enables the server to host and allow
remote invocation of applications.
TCP Port Sharing. Allows multiple net.tcp applications to share a single TCP port so that they can
coexist on the same server while remaining logically separate.
Windows Process Activation Service Support. Enables the server to invoke applications remotely.
Distributed Transactions. Provides services that help to ensure reliable and complete transactions over
distributed databases.
Note: An application server is different from a Web server because it hosts applications that run
natively on the server and the client, instead of preparing and providing content to a browser.
6-16
Key Points
A Web server is a server computer attached to either the Internet or the corporate intranet serving static
pages, dynamic pages, and streaming content to client computers that are equipped with a Web browser.
Static content. Static content is data that is the same for all users that view it. It does not change
based on where the users connect from or which user is connected. This is the most common type of
data on computer networks.
Some examples of static content are:
Dynamic content. Dynamic content is data that can be different each time it is accessed by a user.
This content can change depending on variables such as which user is accessing the content or the
users location. This type of content is most commonly found in modern Web sites and Web-based
applications.
A common way to build dynamic content is by using Active Server Pages (ASP) and ASP.NET. These
methods use scripts in Web pages that are processed by the server to generate the Web pages that
are delivered to users.
Examples of dynamic content include:
A Web page that displays a users name when the user accesses the Web site.
A Web page that displays the Internet Protocol (IP) address of a user accessing content.
A Web page that changes content depending on the demographics or location of the user.
6-17
Streaming content. Streaming content is data that is delivered to users at the speed required for
playback. Non-streaming content is delivered to users at the fastest possible speed that the client,
servers, and network can support. This can lead to increases in network traffic and cause network
congestion. Windows Server 2008 and Microsoft Windows Media Services provide support for
streaming content.
Examples of streaming content include:
Online video
Security
Although users often connect anonymously to a Web server, users often require the Web server to verify
its identity; this is typically achieved through the use of a digital certificate installed on the Web server and
the use of the Secure Sockets Layer (SSL) protocol.
Although users connecting to an Internet-connected Web server do not need to authenticate themselves,
users connecting to a corporate Web server within an intranet, or remotely from home, are often required
to provide credentials to identify themselves.
Web Server. Provides support for HTML Web sites with optional support for ASP.NET, ASP, and Web
Server extensions.
FTP Server. Enables you to provide file transfer support by using the FTP protocol.
IIS Hostable Web Core. Enables you to write custom code that hosts core IIS functions within your
application.
Note: In Windows Server, the Web Server (IIS) role is often required to support other server roles or
functions.
6-18
Key Points
Remote access can mean accessing data from a home, a hotel room, or a mobile device. From these
locations, you may be using a virtual private network (VPN) or a dial-up connection. When a VPN
connection is used, you must select the appropriate protocol based on your needs. The Windows
Server 2008 operating system includes the Routing and Remote Access role to act as a remote access
server accepting dial-up and VPN connections.
Remote access servers enable users to access corporate resources from outside of the corporate network.
Situations that may require a remote access server include the following:
Staff telecommuting
One of the most common resources accessed by remote users is e-mail. Depending on the type of work
being done remotely, users may also have to access files on computers that share resources. Regardless of
what type of data is being accessed, there is an increased concern about security because the data is
traveling outside of the organization where it is more susceptible to being stolen.
Network Policy Server. Allows you to create and enforce network access policies for network access
connections, health enforcement, and network connection authorization.
Routing and Remote Access. Enables you to provide remote access facilities and local routing
capabilities.
Health Registration Authority. Validates certificate requests that contain health claims; used in
Network Access Protection (NAP) enforcement.
Host Credential Authorization Protocol. Enables you to integrate your NAP solution with Cisco
Network Access Control.
Question: What are some examples of security concerns for data that is accessed remotely?
6-19
6-20
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Hyper-V Manager, click 6420B-NYC-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Contoso, Ltd. has deployed client computers to a number of new R & D branch offices. It is planning to
install new server computers at these branches to enable network infrastructure features, to support
custom applications, and to enable file and print services to support office productivity applications on
the client computers. Your task is to read the requirements document and determine what server roles are
required to support the needs of users at the branch offices.
6-21
Scenario
Ed Meadows has forwarded an e-mail to you from Alan Brewer, the Research department head. Also
attached to the e-mail is the Branch Office Server Deployment Requirements document. You must read
the supporting documentation and complete the Branch Office Server Deployment Recommendations
document.
The main tasks for this exercise are as follows:
1.
2.
Supporting Documentation
E-mail thread of correspondence with Ed Meadows:
Charlotte Weiss
From:
Sent:
To:
Subject:
Attached:
Ed Meadows [Ed@contoso.com]
3 April 2010 17:14
Charlotte@contoso.com
FW: New branch offices Server Deployment
Branch Office Server Deployment Requirements.doc
Charlotte,
Please see Alans comments and review the attached document for further information.
Regards,
Ed
----- Original Message ----From:
Alan Brewer [Alan@Contoso.com]
Sent:
1 April 2010 13:30
To:
Ed@Contoso.com
Subject:
New branch offices Server Deployment
Ed,
Obviously I dont understand all of the technicalities, but what we want at the branches is the ability to
work as usual even if the link to the head offices is unavailable.
We have a database that we use; the branches synchronize their data with the head office database
periodically.
All workers at the branches are using standard office productivity software; Microsoft Office Word 2007,
Microsoft Office Excel 2007, and other Office components. They save their work to a server. Shared
printers are available throughout the branches for all users.
We often have visiting laptops and users moving between branches, so they need to be able to connect to
the network without user or administrator intervention.
Hope this helps,
6-22
Alan
Users must be able to logon to the network even if the link to the head offices is unavailable.
A database server exists at each branch that contains a subset of the data for the whole Research
department; synchronization occurs automatically with the head office.
It is important that updates to computers are not obtained directly from the Internet, but rather from
a server locally.
Read the supporting documentation to determine the server requirements of the branch offices.
Answer the questions in the Branch Office Server Deployment Recommendations document.
Complete the Deployment Proposals section of the document.
Branch Office Server Deployment Recommendations
Document Reference Number: CW040410/1
Document Author
Date
Charlotte Weiss
4th April
Requirements Overview
Deploy required server roles to the branch offices to ensure that the needs of the users are met.
Additional Information
None.
Proposals
1. How will you address the requirement that all computers can obtain an IPv4 configuration
automatically even if the link to the head office is down?
2. How will you address the requirement that all users must be able to logon to the network even if
the link to the head office is down?
3. How will you address the requirement that users need to be able to access shared files?
4. How will you address the requirement that users need to be able to use shared printers?
5. What kind of server best supports the needs of the database application?
6. What roles support this kind of server?
7. How will you address the requirement that the computers must obtain updates from a local
update server?
8. Which roles are required at the branch servers?
Results: After this exercise, you should have completed the Branch Office Server Deployment
Recommendations document.
6-23
6-24
4.
5.
DHCP Server
DNS Server
Accept the defaults for all Add Roles Wizard pages to complete the installation process. For the
Network Connection Bindings page, remove the check mark next to 192.168.10.1.
Add the Active Directory Domain Services role.
Note: It is necessary to add the AD DS role separately from the DNS role.
6.
Accept the defaults for all Add Roles Wizard pages to complete the installation process.
2.
File Services
Accept the defaults for all Add Roles Wizard pages to complete the installation process.
In Roles Summary, why are some roles showing with a red cross symbol?
In the navigation pane, click Features.
Examine the features that are installed.
When where these installed?
5.
Results: After this exercise, you should have deployed all required roles and features.
Important: Start the 6420B-NYC-DC1 virtual machine first, and ensure that it is fully started before
starting the other virtual machines.
6-25
6-26
Review Questions
1.
2.
Tools
Tool
Use for
Where to find it
Server Manager
Managing server
Start Menu
configuration, including
adding roles and features
Initial Configuration
Tasks
When planning the number of domain controllers and global catalog servers, always deploy at least
one domain controller/global catalog server per physical site.
Combine multiple roles on a single server computer when deploying servers in smaller organizations;
scale out these roles in larger organizations so that you can optimize performance.
Module 7
Implementing Active Directory Domain Services
Contents:
Lesson 1: Introducing AD DS
7-3
Lesson 2: Implementing AD DS
7-15
7-24
7-34
7-39
Lab: Implementing AD DS
7-48
7-1
7-2
Module Overview
The Windows Server 2008 R2 operating system Active Directory Domain Services (AD DS) is a
Microsoft Windows-based directory service. As a directory service, AD DS stores information about
objects on a network and makes this information available to users and network administrators.
Objectives
After completing this module you will be able to:
Implement AD DS.
7-3
Lesson 1
Introducing AD DS
AD DS enables network users to access resources anywhere on the network using a single logon process
and provides network administrators with an intuitive, hierarchical view of the network and a single point
of administration for all network objects. Understanding the fundamental building blocks of AD DS
enables you to make more informed decisions about implementing and configuring AD DS.
Objectives
After completing this lesson you will be able to:
Describe a forest.
Describe trees.
Describe OUs.
Describe trusts.
7-4
The AD DS Forest
Key Points
In AD DS, a forest is the highest level of the logical structure hierarchy. An Active Directory forest
represents a single, self-contained directory. A forest is a security boundary, which means that
administrators in a forest have complete control over all access to information that is stored inside the
forest and to the domain controllers that are used to implement the forest.
It is typical to implement a single forest within your organization unless you have some specific need for
multiple forests. For example, if you want to create separate administrative areas for different parts of
your organization, you must create multiple forests to represent those administrative areas.
If you implement multiple forests within your organization they will, by default, operate separately from
each other as if they were the only directory service in your organization.
Note: You can integrate multiple forests by creating security relationships between them known as
external or forest trust relationships.
Domain naming master. The job of the domain naming master is to ensure there are unique names
throughout the entire forest. That is, it ensures that the fully-qualified name of each machine exists
only once in the entire forest.
Schema master. The schema master tracks the schema of the forest and maintains changes to the
underlying structure of the forest.
As these are key critical forest-wide roles, each forest must have only one schema master and domain
naming master.
7-5
7-6
The AD DS Schema
Key Points
The schema is the AD DS component that defines all objects and attributes that AD DS uses to store data.
AD DS stores and retrieves information from a wide variety of applications and services. So that it can
store and replicate data from these various sources, AD DS standardizes how data is stored in the
directory. By standardizing how data is stored, AD DS can retrieve, update, and replicate data while
ensuring that the integrity of the data is maintained.
AD DS uses objects as units of storage. All objects are defined in the schema. Each time that the directory
handles data, the directory queries the schema for an appropriate object definition. Based on the object
definition in the schema, the directory creates the object and stores the data.
Object definitions control the types of data that the objects can store, as well as the syntax of the data.
Using this information, the schema ensures that all objects conform to their standard definitions. As a
result, AD DS can store, retrieve, and validate the data that it manages, regardless of the application that is
the original source of the data. Only data that has an existing object definition in the schema can be
stored in the directory. If a new type of data needs to be stored, a new object definition for the data must
first be created in the schema.
In AD DS, the schema defines the following:
Rules that define what types of objects you can create, what attributes must be defined when you
create the object, and what attributes are optional.
The schema is a single master element of AD DS. This means that you must make changes to the schema
at the domain controller that holds the schema operations master role.
7-7
The schema is replicated among all domain controllers in the forest. Any change that is made to the
schema is replicated to every domain controller in the forest from the schema operations master role
holder, typically the first domain controller in the forest.
Because the schema dictates how information is stored, and because any changes that are made to the
schema affect every domain controller, changes to the schema should be made only when necessary
through a tightly controlled process after you have performed testing to ensure that there will be no
adverse effects on the rest of the forest.
Although you might not make any change to the schema directly, some applications make changes to the
schema to support additional features. For example, when you install Microsoft Exchange Server 2010 into
your AD DS forest, the installation program extends the schema to support new object types and
attributes.
7-8
What Is a Domain?
Key Points
A domain is an administrative boundary. All domains host an Administrator user account that has full
administrative capabilities over all objects within the domain. Although the administrator can delegate
administration on objects within the domain, the account retains full administrative control of all objects
within the domain.
In earlier versions of Windows Server, domains were considered to provide complete administrative
separation; indeed, one of the fundamental reasons for selecting a multidomain topology was to provide
for this separation. However, in AD DS, the administrator account in the forest root domain also has full
administrative control to all objects in the forest, rendering this domain-level administrative separation
invalid.
A domain is a replication boundary. AD DS consists of three elements, or partitions; these are the schema,
the configuration partition, and the domain partition. Generally, it is only the domain partition that
changes frequently.
The domain partition contains objects that are likely to be updated often; these include users, computers,
groups, and OUs. Consequently, AD DS replication consists primarily of the updates to objects defined
within the domain partition. Only domain controllers in a particular domain receive domain partition
updates from other domain controllers. Partitioning data enables organizations to replicate data only to
where it is needed. In this way, the directory can scale globally over a network that has limited available
bandwidth.
A domain is an authentication boundary. Each user account in a domain can be authenticated by domain
controllers from that domain. Domains in a forest trust one another, and it is these trusts that enable a
user from one domain to access resources held in another domain.
7-9
Relative identifier (RID) master. Whenever an object is created in AD DS, the domain controller where
the object is created assigns the object a unique identifying number known as a security identity
(SID). To ensure that no two domain controllers assign the same SID to two different objects, the RID
master allocates blocks of SIDs to each domain controller within the domain.
Primary domain controller emulator. This role is the most important in as much as its temporary loss
is noticed far more quickly than any other operations master role. It is responsible for a number of
domain-wide functions, including:
Infrastructure master. This role is responsible for maintaining inter-domain object references. For
example, when a group in one domain contains a member from another domain, the infrastructure
master is responsible for maintaining the integrity of this reference.
These three roles must be unique in each domain, so each domain can have only one RID master, one
primary domain controller (PDC) emulator, and one infrastructure master.
7-10
AD DS Trees
Key Points
If your AD DS consists of more than one domain, you must define the relationship between the domains.
If the domains share a common root and a contiguous namespace, then they are logically part of the
same Active Directory tree. A tree serves no administrative purpose. In other words, there is no tree
administrator as there is a forest or domain administrator. A tree provides a logical, hierarchical grouping
of domains that have parent/child relationships defined through their names. Your Active Directory tree
maps to your Domain Name System (DNS) namespace.
Active Directory trees are created by the relationship between the domains within the forest. There is no
intrinsic reason you should, or indeed, should not create multiple trees within your forest. However, keep
in mind that a single tree, with its contiguous name space, is easier to manage, and easier for users to
visualize.
Consider using multiple trees within a single forest if you have multiple name spaces to support. For
example, if within your organization there are several distinct operating divisions with different public
identities, you could create a different tree for each operating division. Bear in mind that with this
scenario, there is no separation of administration because the forest root administrator still has complete
control over all objects in the forestin whichever tree they reside.
7-11
Organizational Units
Key Points
An OU is a container object within a domain that you can use to consolidate users, groups, computers,
and other objects. There are two reasons to create OUs:
Configure objects contained within the OU. You can assign GPOs to the OU, and the settings apply to
all objects within the OU.
Delegate administrative control of objects within the OU. You can assign management permissions on
an OU thereby delegating control of that OU to a user or group within AD DS other than the
administrator.
Note: An OU is the smallest scope or unit to which you can assign Group Policy settings or delegate
administrative authority.
You can use OUs to represent the hierarchical, logical structures within your organization. For example,
you can create OUs that represent the departments within your organization, the geographic regions
within your organization, and those that are a combination of both departmental and geographic regions.
You can then manage the configuration and use of user, group, and computer accounts based on your
organizational model.
Every AD DS domain contains a standard set of containers and OUs that are created when you install AD
DS. These include the following:
Users container, which is the default location for new user accounts and groups created in the
domain.
Computers container, which is the default location for new computer accounts created in the domain.
7-12
Domain Controllers OU, which is the default location for the computer accounts for domain
controllers computer accounts.
7-13
Trusts Relationships
Key Points
A trust relationship enables one security entity to trust another security entity for the purposes of
authentication. In the Windows Server 2008 R2 operating system, the security entity is the Windows
domain.
The primary purpose of a trust relationship is to facilitate a user in one domain gaining access to a
resource in another domain without needing to hold a user account in both domains.
In any trust relationship, there are two parties involved; the trusting entity, and the trusted entity. The
trusting entity is the resource holding entity, while the trusted entity is the account holding entity. For
example, if you lend someone your laptop computer, you trust them. You are the resource holding entity.
It is your laptop; they are trusted as the account holding entity.
Types of Trusts
Trusts can be one-way or two-way.
A one-way trust means that although one entity trusts the other, the reciprocal is not true. For example,
just because you lend Steve your laptop does not mean that Steve will necessarily lend you his car.
In a two-way trust, both entities trust one another.
Trusts can be transitive or nontransitive. In a transitive trust, A trusts B and B trusts C, then A also implicitly
trusts C. For example, if you lend Steve your laptop, and Steve lends his car to Mary, then you might lend
your cell phone to Mary.
Windows Server 2008 R2 supports a number of different trusts for use in different situations.
In a single forest, all domains trust one another with internal, two-way transitive trusts. In essence, this
means that all domains trust all other domains. These trusts extend across trees within the forest. Aside
from these automatically created trusts, you can configure additional trusts between domains within your
forest, between your forest and other forests, and between your forest and other security entities, such as
7-14
Kerberos realms or the Microsoft Windows NT 4.0 operating system domains. The following table
provides more information.
Trust
type
Transitivity
Direction
Description
External
Nontransitive
One-way or
two-way
Realm
Transitive or
nontransitive
One-way or
two-way
Forest
Transitive
One-way or
two-way
Shortcut
Transitive
One-way or
two-way
7-15
Lesson 2
Implementing AD DS
To implement AD DS you must deploy domain controllers. Understanding where and how to create
domain controllers to optimize your network infrastructure is important to ensure that you optimize AD
DS.
Objectives
After completing this lesson you will be able to:
Describe AD DS sites.
Understand AD DS replication.
7-16
Key Points
You create a domain when you promote a Windows Server 2008 R2 server computer to a domain
controller. Domain controllers host the AD DS.
Domain controllers provide the following functions on the network:
Provides authentication. Domain controllers store the domain accounts database, and provide
authentication services.
Hosts operations master roles as an option. These roles were formerly known as Flexible Single Master
Operations (FSMO) roles. There are five operations master roles, two forest-wide roles and three
domain roles. You can transfer these roles as you require.
Hosts the global catalog as an option. You can designate any domain controller as a global catalog
server.
Note: The global catalog is a distributed database that contains a searchable representation of every
object from all domains in a multidomain forest. However, the global catalog does not contain all
attributes for each object. Instead, the global catalog maintains a subset of attributesthose that are
most likely to be useful in cross-domain searches.
Supports group policies and the System Volume (SYSVOL). Group policies consist of group policy
containers, stored in AD DS, and group policy templates, stored in the SYSVOL folder in the file
system of all domain controllers.
Provides replication. AD DS is a distributed directory service. Objects such as users, computers, OUs,
and services are distributed across all domain controllers in the forest, and can be updated on any
domain controller in the forest.
Note: You can deploy read-only domain controllers (RODCs) to branch offices where physical security
might be less rigorous than elsewhere in your organization. For more information about using RODCs,
visit the Microsoft TechNet Web site.
Note: Domain controllers in a forest share a common schema, a common global catalog, and a
common forest root domain.
7-17
7-18
Key Points
An RODC is a new type of domain controller in Windows Server 2008 R2. With an RODC, organizations
can easily deploy a domain controller in locations where physical security cannot be guaranteed. An
RODC hosts a read-only replica of the database in AD DS for a given domain. The RODC is also capable of
functioning as a global catalog server.
Beginning with Windows Server 2008, an organization can deploy an RODC to address scenarios with
limited wide area network (WAN) bandwidth or poor physical security for computers. As a result, users in
this situation can benefit from:
Improved security.
Explanation
Read-only Active
Directory database
Except for account passwords, an RODC holds all of the Active Directory
objects and attributes that a writable domain controller holds. However,
changes cannot be made to the replica that is stored on the RODC. Changes
must be made on a writable domain controller and replicated back to the
RODC.
Unidirectional
replication
Credential caching
RODC Feature
7-19
Explanation
security principals. By default, an RODC does not store user or computer
credentials. The exceptions are the computer account of the RODC and a
special krbtgt (Kerberos key distribution service center account) account that
each RODC has. You must explicitly allow any other credential caching on an
RODC.
Administrator role
separation
You can delegate the local administrator role of an RODC to any domain user
without granting that user any user rights for the domain or other domain
controllers. This permits a local branch user to log on to an RODC and perform
maintenance work on the server, such as upgrading a driver. However, this
does not give the branch user the right to log on to any other domain
controller or perform any other administrative task in the domain.
Read-only Domain
Name System
You can install the DNS Server service on an RODC. An RODC is able to
replicate all application directory partitions that DNS uses, including
ForestDNSZones and DomainDNSZones. If the DNS server is installed on an
RODC, clients can query it for name resolution as they would query any other
DNS server.
The domain controller that holds the PDC emulator operations master role for the domain must be
running Windows Server 2008. This is necessary for creating the new krbtgt account for the RODC
and for ongoing RODC operations.
The RODC needs to forward authentication requests to a global catalog server running Windows
Server 2008 in the site that is closest to the site with the RODC. The Password Replication Policy is set
on this domain controller to determine if credentials are replicated to the branch location for a
forwarded request from the RODC.
The domain functional level must be Windows Server 2003 so that Kerberos constrained delegation is
available. Constrained delegation is used for security calls that need to be impersonated under the
context of the caller.
The forest functional level must be Windows Server 2003, so that linked-value replication is available.
This provides a higher level of replication consistency.
You must run adprep /rodcprep one time in the forest. This will update the permissions on all of the
DNS application directory partitions in the forest to facilitate replication between RODCs that are also
DNS servers.
An RODC cannot hold operations master roles or function as a replication bridgehead server.
7-20
AD DS Sites
Key Points
A site is a logical representation of a geographical area in your network. A site represents a high-speed
network boundary for your AD DS computers; that is, computers that can communicate with high speed
and low latency can be grouped into a site; domain controllers within a site replicate AD DS data in an
optimized way for this environment; this replication configuration is largely automatic.
Note: Sites are used by client computers to locate services such as domain controllers and global
catalog servers. It is important that each site that you create has at least one domain controller and
global catalog server.
7-21
AD DS Replication
Key Points
AD DS replication is how changes to directory data are transferred between domain controllers in an AD
DS forest. The AD DS replication model defines the mechanisms that allow directory updates to be
transferred automatically between domain controllers to provide a seamless replication solution for the
AD DS distributed directory service.
There are three partitions in AD DS and it is the domain partition that contains the data that changes most
frequently and consequently makes up the bulk of AD DS replication data.
7-22
Key Points
Installing DNS
AD DS requires DNS. The DNS server role is not installed on Windows Server 2008 R2 by default. Like
other functionality, it is added in a role-based manner when a server is configured to perform the role.
You can install the DNS server role using the Add Role link in Server Manager. The DNS server role can
also be added automatically by the Active Directory Domain Services Installation Wizard (dcpromo.exe).
The domain controller options page of the wizard allows you to add the DNS server role.
Dynamic Updates
When you create a zone, you are also prompted to specify whether dynamic updates are supported.
Dynamic updates reduce the management overhead of a zone, because clients can add, delete, and
update their own resource records.
Dynamic updates leave open the possibility that a resource record could be spoofed. For example, a
computer could register a record named www, effectively redirecting traffic from your Web server to the
incorrect address.
To eliminate the possibility of spoofing, Windows Server 2008 R2 DNS Server service supports secure
dynamic updates. A client must authenticate prior to updating its resource records, so the DNS server
knows whether the client is the same computer that has the permission to modify the resource record.
7-23
SRV Records
A Service Locator (SRV) resource record resolves a query for a network service, allowing a client to locate a
host that provides a specific service.
SRV records are used in these and many other scenarios:
type
target
600 IN SRV
100
389 hqdc01.contoso.com
The protocol service name, such as the Lightweight Directory Access Protocol (LDAP) service offered
by a domain controller.
The priority and weight, which help clients determine which host should be preferred.
The port on which the service is offered by the server. Port 389 is the standard port for LDAP on a
Windows domain controller.
The target, or host of the service, which in this case is the domain controller named
hqdc01.contoso.com.
When a client process is looking for a domain controller, it can query DNS for an LDAP service. The query
returns both the SRV record and the A record for the server(s) that provide the requested service.
7-24
Lesson 3
One of your functions as an AD DS administrator is to manage user, group, and computer accounts. These
accounts are AD DS objects that individuals use to log on to the network and access resources. In this
lesson, you will learn about modifying user, group, and computer accounts in an AD DS domain.
Objectives
After completing this lesson, you will be able to:
Describe groups.
7-25
Key Points
In AD DS for Windows Server 2008, all users that require access to network resources must be configured
with a user account. With this user account, users can be authenticated to the AD DS domain and granted
access to network resources.
A user account is an object that contains all of the information that defines a user in Windows Server 2008
R2. The account can be either a local or a domain account. A user account includes the user name and
password as well as group memberships. A user account also contains many other settings that you can
configure based upon your organizational requirements.
With a user account, you can:
Allow or deny users to log on to a computer based on their user account identity.
Grant users access to processes and services for a specific security context.
Manage users' access to resources such as AD DS objects and their properties, shared folders, files,
directories, and printer queues.
The Users container located in Active Directory Users and Computers displays the three built-in user
accounts: Administrator, Guest, and HelpAssistant. These built-in user accounts are created automatically
when you create the domain.
A user account enables a user to log on to computers and domains with an identity that can be
authenticated by the domain.
To maximize security, you should avoid multiple users sharing one account. By avoiding multiple users on
an account, each user who logs on to the network should have a unique user account and password.
When creating a user account, you must provide a user logon name. User logon names must be unique in
the domain/forest in which the user account is created.
7-26
Key Points
A group is a collection of user accounts, computer accounts, contacts, and other groups that you can
manage as a single unit. There are three common reasons for creating groups in AD DS. These are:
Granting permissions. Rather than assign a number of user accounts the same permissions on the
same resource, you could create a group, add the users as members, and grant the group permissions
on the resource.
Assigning rights. When a user requires administrative control of a resource, such as a server, it is
better to add the user to a management group created for that purpose. Then, if the user changes
job functions within your organization, you can remove them from the group. You can remove their
assigned rights on the server without the need to change permissions.
Distributing e-mail. When your users want to send e-mail messages to multiple users, you can create
specialized groups within the e-mail system to facilitate the process more efficiently.
Group Types
There are two types of groups in AD DS: distribution groups and security groups.
Security Groups
You create security groups to consolidate objects to which you want to assign permissions or rights. You
can also use security groups for distribution purposes within an e-mail application, such as Exchange
Server.
Distribution Groups
You can use distribution groups only with e-mail applications, such as Exchange Server, to send e-mail to
multiple users. Distribution groups are not security-enabled and cannot be assigned permissions on
resources or objects in AD DS. In smaller organizations, it is usually unnecessary to create distribution
7-27
groups as security groups can be mail-enabled. However, in larger organizations, the separation of
distribution and security groups enables you to separate the administration of the e-mail system and AD
DS.
Group Scope
Any group, whether it is a security group or a distribution group, is characterized by a scope that
identifies the extent to which the group is applied in the domain tree or forest. There are three group
scopes:
Domain local. Domain local groups can contain members from any domain in the forest but can only
be granted permissions and assigned rights on objects on the local domain. In other words, the
groups abilities are localized.
Global. Global groups can contain members only from the local domain, but can be granted
permissions or assigned rights anywhere in the forest. In other words, the groups abilities are global.
Universal. A universal group can contain members from anywhere in the forest and can be granted
permissions and assigned rights anywhere in the forest. In other words, the groups abilities and
membership are universal. Another important characteristic of a universal group is that the
membership list is maintained in the global catalog; consequently, you can only mail-enable universal
groups in Exchange Server.
Question: Describe a situation where you would use a distribution group instead of a security group.
7-28
Nesting Groups
Key Points
When you use nesting, you add a group as a member of another group. You can use nesting to combine
group management. Nesting increases the member accounts that are affected by a single action, and
reduces replication traffic caused by the replication of changes in group membership.
The following are best practices for nesting groups:
1.
2.
3.
7-29
Key Points
In both domains and standalone workgroup-based computers, there are built-in groups. You can use the
built-in groups to simplify administration. For example, adding user accounts to the built-in Domain
Admins group enables the member user to perform administration on all domain computers.
Note: Bear in-mind that some of these built-in groups have powerful pre-assigned rights and privileges.
Although it can be convenient to add users to built-in groups to achieve an administrative goal, you
may be inadvertently assigning more rights and privileges than you intended.
In addition to built-in groups, there are system groups. These system groups do not have an explicitly
maintained membership list, but rather have an implicit membership. For example, the group
Authenticated Users contains anyone who is able to logon to the domain. You can use system groups to
assign management permissions and rights or permissions on resources.
Note: Because these system groups do not have an explicit membership list, they are not displayed in
Active Directory Users and Computers.
If the built-in and system groups are not sufficient for your needs, create additional groups as required.
The built-in groups are stored in the Users folder and the Builtin folder under the domain root.
7-30
Computer Accounts
Key Points
In AD DS, computers are security principals, just like users. This means that computers must have accounts
and passwords. To be fully authenticated by AD DS, a user must have a valid user account, and the user
must also log on to the domain from a computer that has a valid computer account. All computers
running Microsoft Windows NT or later operating systems must have computer accounts in AD DS.
Computers access network resources to perform key tasks such as authenticating user log on, obtaining
an IP address, and receiving security policies. To have full access to these network resources, computers
must have valid accounts in AD DS. The two main functions of a computer account are performing
security and management activities.
If you join a computer to a domain, the computer account is created in the Computers container by
default. In most organizations, administrators move the computer accounts to department-specific OUs so
that specific software and operating system configurations can be applied to the computers.
The most commonly used properties for computer accounts in AD DS are the Location and Managed By
properties. To maintain computers, you must find the physical location of the computers.
The Location property can be used to document the computers physical location in your network.
The Managed By property lists the individual responsible for the computer. This information can be
useful when you have a data center with servers for different departments and you need to perform
maintenance on the server. You can call or send e-mail to the person who is responsible for the server
before you perform maintenance on the server.
7-31
Key Points
Consider the following best practices to help to ensure that you manage accounts within your AD DS
forest efficiently.
User Accounts
When planning and implementing user accounts, consider the following points:
Create a user account for all users who need to access your forest; do not allow users to share user
accounts.
Implement a naming convention that yields simple-to-remember, unique user names. Bear in-mind
that the more users you have, the more likely there are to be duplicates within your organization.
Create accounts for temporary or contract staff with the same naming convention that you use for
other users. That is, do not use generic account names such as Temp1.
Plan the accounts policy carefully to ensure that it meets the security needs of your organization. The
accounts policy includes password length, password complexity rules, and the maximum password
age for user accounts.
Group Accounts
When planning and implementing groups, consider the following points:
Use the built-in and system groups where appropriate to simplify administration.
Avoid assigning permissions and rights directly to user accounts. Use groups to make on-going
maintenance easier.
Use a group naming convention that identifies who belongs to a group or what rights a management
group has. For example, the Sales global group obviously identifies users that are in the Sales
department, while the Printer Managers local group contains users with printer management rights.
7-32
Computer Accounts
When planning computers, consider the following points:
Implement a naming convention that helps you identify the role and location of a computer.
Implement the Manage by and Location properties of computer accounts so that they are easier to
locate and manage.
7-33
Key Points
You can manage user, group, and computer accounts by using either Active Directory Users and
Computers or the Active Directory Administrative Center (ADAC).
In this demonstration you will see how to create an account using the ADAC. After creating the account,
you will see how to make it a member of a group.
Demonstration Steps:
1.
2.
3.
7-34
Lesson 4
You can use OUs to collect users, groups, and computers together for administrative purposes. In this
lesson, you will learn why and how to use OUs to help to administer your organization.
Objectives
After completing this lesson, you will be able to:
7-35
Key Points
An OU is an AD DS object that is contained in a domain. You can use OUs to organize hundreds of
thousands of directory objects into manageable units. OUs are useful in grouping and organizing objects
for administrative purposes, such as delegating administrative rights and assigning policies to a collection
of objects as a single unit.
AD DS OUs are used to create a hierarchical structure within a domain. By creating an OU structure, you
are grouping objects that you can administer as a unit.
An organizational hierarchy should logically represent an organizational structure. That organization
could be based on geographic, functional, resource-based, or user classifications. Whatever the order, the
hierarchy should make it possible to administer AD DS resources as flexibly and effectively as possible. For
example, if all of the computers that are used by information technology (IT) administrators must be
configured in a certain way, you can group all of the computers in an OU, and assign a policy to manage
the computers in the OU.
OU Hierarchical Models
Organizations may deploy OU hierarchies by using several different models. The following are different
OU models:
Geographic OUs. If the organization has multiple locations and network management is distributed
geographically, you should use a location-based hierarchy. For example, you might decide to create
OUs for New York, Toronto, and Miami in a single domain.
Resource OUs. Resource OUs are designed to manage resource objects (non-users such as client
computers, servers, or printers). This design is most useful when all resources of a given type are
7-36
managed in the same manner. Resource-based OUs can simplify software installations or printer
selections based on Group Policies.
Management-based OUs. Management-based OUs reflect the various administrative divisions within
the organization by mirroring its structure in the OU structure. Responsibilities to manage users and
groups, when they are placed into nested departmental OUs, can be delegated to managers of those
departments.
The eventual OU design should represent how the business will be administered. Delegation of authority,
separation of administrative duties, central versus distributed administration, and design flexibility are
important factors you must consider when you design Group Policy and select the scenarios to use for
your organization.
Question: Describe one scenario when you would use a domain to organize a network. Describe one
scenario when you would use an OU to organize a network.
7-37
Key Points
In this demonstration, you will see how to create an organizational unit using the ADAC. After the creation
of the organizational unit, you will see how to add objects to it.
Demonstration Steps:
1.
2.
3.
4.
7-38
Key Points
In this demonstration you will see how to delegate control of an organizational unit to a user.
Demonstration Steps:
1.
2.
7-39
Lesson 5
Once you have created users, groups, computer accounts, and an OU structure in your AD DS and
reducing IT costs. With Group Policy forest, the next step is commonly implementing group policy. Group
Policy and the AD DS infrastructure in Windows Server 2008 R2 enable IT administrators to automate user
and computer management, thus simplifying administrative tasks and AD DS, administrators can
efficiently implement security settings, enforce IT policies, and distribute software consistently across a
given site, domain, or range of OUs.
Objectives
After completing this lesson, you will be able to:
Describe GPOs.
7-40
What Is a GPO?
Key Points
Group Policy is a Microsoft technology that supports one-to-many management of computers and users
in an AD DS environment. By editing Group Policy settings and targeting a GPO at the intended users or
computers, you can centrally manage specific configuration parameters. In this way, you can manage
potentially thousands of computers or users by changing a single GPO.
A GPO is the collection of settings that are applied to selected users and computers.
Group Policy can control many aspects of a target objects environment, including: the registry, NTFS file
system security, audit and security policy, software installation and restriction, desktop environment,
logon/logoff scripts, and many other settings.
One GPO can be associated with multiple containers in AD DS, through linking. Conversely, multiple GPOs
may link to one container.
Each computer running a Microsoft Windows operating system has a local GPO. In these objects, Group
Policy settings are stored on individual computers, whether or not they are part of an AD DS environment
or a networked environment.
Note: Local GPOs contain fewer settings than nonlocal GPOs, particularly under Security Settings and
do not support all of the GPO settings of a domain Group Policy such as Folder Redirection or Group
Policy Software Installation.
Group Policy has thousands of configurable settings (approximately 2,400). These settings can affect
nearly every area of the computing environment. You cannot apply all of the settings to all versions of
Microsoft Windows operating systems. For example, many of the new settings that came with the
Microsoft Windows XP Professional operating system, Service Pack (SP) 2, such as software restriction
policies, only applied to that operating system. Equally, many of the hundreds of new settings only apply
7-41
to the Windows 7 operating system and Windows Server 2008 R2. If a computer has a setting applied that
it cannot process, it simply ignores it.
7-42
Applying GPOs
Key Points
Clients initiate Group Policy application by requesting GPOs from AD DS. When Group Policy is applied to
a user or computer, the client component interprets the policy, and then makes the appropriate
environment changes. These components are known as Group Policy client-side extensions. As GPOs are
processed, a service on the domain controller passes the list of GPOs that must be processed to each
Group Policy client-side extension. The extension then uses the list to process the appropriate policy,
when applicable.
The site, domain, and organizational unit links from a GPO are used as the primary targeting principle for
defining which computers and users should receive a GPO. Security filtering and Windows Management
Instrumentation (WMI) filtering can be used to further reduce the set of computers and users to which the
GPO will apply. The group policy engine uses the following logic in processing GPOs: If a GPO is linked to
a domain, site, or organizational unit that applies to the user or computer, the group policy engine must
then determine whether the GPO should be added to its GPO list for processing.
GPOs that apply to a user or computer do not all have the same precedence. Settings that are applied
later can override settings that are applied earlier. Group Policy settings are processed in the following
order:
Local GPO. Each computer has exactly one GPO that is stored locally. This processes for both
computer and user group policy processing.
Site. Any GPOs that have been linked to the site that the computer belongs to are processed next.
Processing is in the order that is specified by the administrator, on the Linked GPOs tab for the site in
Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and
therefore has the highest precedence.
Domain. Processing of multiple domain-linked GPOs is in the order specified by the administrator, on
the Linked GPOs tab for the domain in GPMC. The GPO with the lowest link order is processed last,
and therefore has the highest precedence.
7-43
Organizational units. GPOs that are linked to the organizational unit that is highest in the AD DS
hierarchy are processed first, and then GPOs that are linked to its child organizational unit are
processed, and so on. Finally, the GPOs that are linked to the organizational unit that contain the user
or computer are processed.
GPOs can also be filtered by WMI settings such as hardware or software settings, configurations or even
applications that are installed.
7-44
Key Points
You can create or manage GPOs in many ways. A GPO can be created from a template or by default using
a graphical user interface (GUI) tool such as the GPMC. Once you have created the GPO you can link it to
the appropriate container: site, domain, or OU.
GPMC provides mechanisms for backing up, restoring, migrating, and copying existing GPOs. This is very
important for maintaining your Group Policy deployments in the event of error or disaster. It helps you
avoid manually recreating lost or damaged GPOs, and having to again go through the planning, testing,
and deployment phases. Part of your ongoing Group Policy operations plan should include regular
backups of all GPOs.
GPMC also provides for copying and importing GPOs, both from the same domain and across domains.
7-45
Key Points
Many common configuration settings were traditionally delivered through logon or startup scripts. This
required writing, debugging, and storing the scripts in a central location, and then applying the scripts by
using user settings or Group Policy. Group Policy preferences enable IT professionals to configure, deploy,
and manage many common operating system and application settings that they previously were not able
to manage using Group Policy.
Group Policy preferences are new for Windows Server 2008, and include more than 20 new Group Policy
extensions that expand the range of configurable settings within a GPO. In contrast to policy settings, you
allow users to change preferences after you deploy them.
The key difference between preferences and policy settings is enforcement. Group Policy strictly enforces
policy settings. Organizations typically deploy two types of settings: managed and unmanaged. Managed
settings are policy settings that you enforce. Unmanaged settings are preferences. In contrast to policy
settings, you allow users to change preferences after you deploy them.
The following table describes the differences between policies and preferences:
Preferences
Policies
7-46
Preferences
Policies
applications.
Original settings are overwritten.
When choosing whether to deploy an item by using Group Policy settings or preferences, the most
important factor is whether or not you want to enforce the setting. To configure a setting without
enforcing it, use preferences. The next factor is whether the application or feature is Group Policyaware.
To enforce items for which no policy setting is available, you can deploy them as preference items and
then disable the Apply Once And Do Not Reapply option in the configuration of the setting.
7-47
Key Points
In this demonstration you will see how to create a GPO using the GPMC. After the creation of the GPO
you will link the GPO to Production OU and then log in as a production user. You will then see what
happens when the GPO is not applied.
Demonstration Steps:
1.
2.
3.
4.
5.
6.
7-48
Lab: Implementing AD DS
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
2.
3.
4.
5.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
In Hyper-V Manager, click 6420B-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Contoso, Ltd. has created a new department ahead of a merger with the A Datum Corporation. Ed
Meadows has asked you to create a new OU in AD DS to support this new department and populate it
with the users, groups, and computers to support the new staff.
7-49
Results: After this exercise, you will have promoted a new domain controller.
7-50
2.
3.
Password: Pa$$w0rd
Domain: Contoso
In Active Directory Users and Computers, in the Navigation pane, click Contoso.com.
Create a new organizational unit in the Contoso.com domain called A Datum Merger Team.
Results: After this exercise, you will have created a new organizational list.
7-51
In Active Directory Users and Computers, create the following user accounts in the A Datum Merger
Team OU using the following information to complete the process:
a.
b.
c.
d.
2.
Christian Kemp
Tony Allen
Pia Lund
Soha Kamal
Oliver Cox
In the A Datum Merger Team OU, create the following Global Security groups:
Add all new users in the A Datum Merger Team OU to the Mergers and Acquisitions group.
Add only Tony Allen to the Merger Team Management Group.
In Active Directory Users and Computers, in the Computers folder, move the NYC-CL1 computer to
the A Datum Merger Team OU.
Using the Delegation of Control Wizard, grant the Merger Team Management global security group
the right to Reset user passwords and force password change at next logon on the A Datum
Merger Team OU.
7-52
Results: After this exercise, you will have created the necessary users accounts and groups, and moved
the users computer accounts into the OU.
7-53
Create a GPO.
Link the GPO.
Test the GPO.
In the Group Policy Management Editor, expand User Configuration, expand Policies, expand
Windows Settings, and then click Scripts (Logon/Logoff).
b. In the Results pane, double-click Logon.
c. In the Logon Properties dialog box, click Add.
d. In the Add a Script dialog box, click Browse.
e. In the Browse dialog box, right-click in the No items match your search box, click New, and
then click Text Document.
f. Highlight the entire filename, including the file extension, and type logon.vbs and press ENTER.
g. In the Rename dialog box, click Yes.
h. Right-click logon.vbs and then click Edit.
i. In the Open File Security Warning dialog box, click Open.
j. In notepad, type msgbox Welcome to the A Datum Merger Team.
k. Click File and then click Save.
l. Close Notepad.
m. In the Browse dialog box, click Open.
n. In the Add a Script box, click OK.
o. In the Logon Properties dialog box, click OK.
4.
Link the A Datum Merger Team GPO to the A Datum Merger Team organizational unit.
3.
Password: Pa$$w0rd
Domain: Contoso
7-54
Results: After this exercise, you will have created a GPO and linked it to the A Datum Merger Team
OU.
Important: Start the 6420B-NYC-DC1 virtual machine first, and ensure that it is fully started before
starting the other virtual machines.
Review Questions
1.
2.
3.
4.
Tools
Tool
Use for
Where to find it
Administrative Tools
Active Directory
Administrative Center
Group Policy
Management Console
Administrative Tools
7-55
7-56
Module 8
Implementing IT Security Layers
Contents:
Lesson 1: Overview of Defense-in-Depth
8-3
8-17
8-22
8-33
8-1
8-2
Module Overview
Security is an integral part of any computer network and must be considered from many perspectives.
Data security for Web content and files accessed on network shares are common concerns. In addition to
file and share permissions, you can also use data encryption to restrict data access.
Objectives
After completing this module, you will be able to:
Lesson 1
Overview of Defense-in-Depth
There are various ways to approach security design for computers. Defense-in-depth is one model for
analyzing and implementing security for computer systems. The model uses layers to describe different
areas of security.
Objectives
After completing this lesson, you will be able to:
Describe defense-in-depth.
Describe how policies, procedures, and awareness can help to implement defense-in-depth.
8-3
8-4
What Is Defense-in-Depth?
Key Points
When you park your car in a public place, you consider a number of factors before walking away from it.
For example, where it is parked, whether the doors are locked, and whether you have left anything of
value lying on the seat. You understand the risks associated with parking in a public place, and you can
mitigate those risks. As with your car, you cannot properly implement security features on a computer
network without first understanding the security risks posed to that network.
You can mitigate risks to your computer network by providing security at differing infrastructure layers.
The term defense-in-depth is often used to describe the use of multiple security technologies at different
points throughout your organization.
Physical Security
If any unauthorized person can gain physical access to your computer, then most other security measures
are of little consequence. Ensure that computers containing the most sensitive data, such as servers, are
physically secure.
Perimeter
These days, no organization is an isolated enterprise. Organizations operate within a global community,
and network resources must be available to service that global community. This might include building a
8-5
Web site to describe your organizations services, or making internal services such as Web conferencing
and e-mail, accessible externally so that users can work from home or from satellite offices.
Perimeter networks mark the boundary between public and private networks. Providing specialist servers,
such as a reverse proxy, in the perimeter network allows you to more securely provide corporate services
across the public network.
Note: A reverse proxy enables you to publish services from the corporate intranet, such as e-mail or
Web services, without placing the e-mail or Web servers in the perimeter.
Networks
Once you connect computers to a network, they are susceptible to a number of threats. These threats
include eavesdropping, spoofing, denial of service, and replay attacks. This is especially relevant when
communication takes place over public networks by users working from home, or from remote offices.
Note: Common network security threats, such as eavesdropping and spoofing, and their mitigations
are discussed in course 6420B: Fundamentals of Windows
Server 2008, Module 10: Implementing Network Security.
Host
The next layer of defense is that used for the host computer. You must keep computers secure with the
latest security updates.
Application
Applications are only as secure as your latest security update. You should consistently use Microsoft
Windows Update to keep your applications up-to-date.
Data
The final layer of security is data security. To help ensure protection of your network, ensure proper use of
file permissions, encryption, and backup.
Question: How many layers of the defense-in-depth model should be secured?
8-6
Key Points
Security is not only a technology-based solution. Organizations also implement policies, procedures, and
awareness programs to help prevent security incidents. Security relies on staff and users following policies
and procedures. For example, rules must be in place to determine under what circumstances a password
can be reset and how that new password is communicated to the user. Without these rules, unauthorized
password resets could unknowingly be performed that would allow an attacker to access your system.
Even when you implement rules to help prevent security problems, they can be circumvented. Some ways
that policies and procedures are compromised include:
Users unaware of the rules. When users are unaware of the rules, they cannot be expected to follow
them.
Users viewing rules as unnecessary. If the reason for rules is not adequately communicated to users,
then some treat the rules as unnecessary.
Social engineering. Users and computer administrators are vulnerable to social engineering where
they are convinced to break the rules. Sometimes this involves impersonating a legitimate user.
Mitigation
Consider the following to help to mitigate these threats:
It is very important that you make users aware of your security rules, their relevance to the organization,
and the ramifications or consequences of not abiding by those security rules.
Question: What are some examples of policies and procedures being compromised and affecting
computer system security?
8-7
8-8
Key Points
This is one of the most commonly overlooked areas of securing computer systems. In general, anyone that
has physical access to computer systems can:
Damage systems. This can be as simple as a server stored beside a desk that is accidentally knocked or
has coffee spilled on it.
Install unauthorized software on systems. Unauthorized software can be used to attack systems; for
example, there are utilities available to reset the administrator password on a Windows-based
workstation or member server.
Modify data. After a system has been compromised, data can be modified. This could be done by a
disgruntled employee to modify their own performance review.
Steal data. Data such as credit card information could be stolen after a system has been
compromised.
Steal hardware. If laptops are left unsecured, they can be stolen. Even servers improperly secured can
be stolen along with their data.
Mitigation
You must secure the network infrastructure including physical security. The problem is that while you
want to make it difficult for non-authorized people to access your computers and infrastructure, you want
to make it relatively straightforward for authorized employees.
Consider the following to help to mitigate physical security threats:
Question: What are some examples of compromises when physical layer security is not in place?
8-9
8-10
Key Points
Perimeter layer security refers to connectivity between your network and other untrusted networks. The
most commonly considered untrusted network is the Internet. However, there are other untrusted
networks that are a concern:
Remote access client. The client computers are accessing your network from a remote network over
which you have little or no control. Yet, the clients have access to more data on your network than
typical Internet hosts.
Business partners. You do not control the networks of business partners and cannot ensure that they
have appropriate security controls in place. If a business partner is compromised, then the network
links between your organization and the business partner pose a risk.
Mitigation
To keep your organization safe, create a private network and a perimeter network through the use of
firewalls, intruder prevention and detection systems, and other components.
Consider the following to help to mitigate perimeter security threats:
8-11
Key Points
Internal network layer security refers to events on the internally controlled network, including local area
networks (LANs) and wide area networks (WANs). This layer is easier to secure because you have control
of the devices on these networks.
The security risks to the internal network layer are:
Unauthorized network communication. Hosts may communicate with servers to which they have no
need. This raises the risk of host-level exploits being performed. Restricting network communication
to specific servers helps to prevent this.
Unauthorized packet sniffing. The risk of unauthorized packet sniffing on modern wired networks is
minimal because switches control packet delivery and ensure that packets are sent only to the specific
destination. However, wireless networks are vulnerable, especially when only basic security measures,
such as wired equivalent privacy (WEP), are used to help secure access.
Default configurations on network devices. Network devices, such as routers, have a default
configuration that includes a default management username and password; failure to change these
compromises your network security.
Note: Packet sniffing occurs when a malicious attacker connects a network data analyzer to the
network to capture and examine network packets in transit; this can lead to additional attacks,
depending upon the data captured. For example, if the attacker can capture username and password
information in transit, they can exploit this to gain access to your computer network servers and data.
8-12
Mitigation
At the heart of many of these risks is the concept of authentication. If two computers can identify one
another, then they can communication more securely. You can provide authentication services in a
number of ways, such as digital certificates that are exchanged during initial communications. How you
distribute and manage these certificates depends on your organization, but might include the use of a
public key infrastructure (PKI) that you implement within your organization.
Note: You cannot always rely on authentication as some applications, such as network analysis, do
not support authentication.
Besides authentication, consider using encryption to ensure that data is secure while it is in transit. You
can encrypt communication to either the perimeter-based or edge servers from the public network with
tunneling technologies, and communication between the edge servers and the internal network with
Internet protocol security (IPsec).
In addition, Secure Socket Layer (SSL) can provide for secure and authenticated communications across
networks, and is widely used on the Internet.
Consider the following to help to mitigate these threats:
Do not make it easy to connect to your network; if someone can plug a laptop into your network and
access your intranet, you could face serious problems.
Restrict switch ports and wireless access points based on media access control (MAC) address or client
certificates.
Question: Why is wireless communication more at risk for packet sniffing than wired communication?
8-13
Key Points
The host layer refers to the individual computers on the network. This includes the operating system, but
not application software. Operating system services, such as a Web server, are included in host layer
security.
Host layer security can be compromised by:
Operating system vulnerabilities. An operating system is complex. Consequently, there are often
vulnerabilities that hackers can exploit. These vulnerabilities enable attackers to install malicious
software or control hosts.
Default operating system configurations. Operating systems and their services include default
configurations. In some cases, the default configuration may not include a password or may include
sample files with vulnerabilities. Attackers use their knowledge of default configurations to
compromise systems.
Viruses are one mechanism used to attack hosts. The virus uses operating system flaws or default
configurations to replicate itself.
Mitigation
Windows Update and Windows Server Update Services (WSUS) can help to keep your Windows
computers up-to-date. In addition, you should consider using antivirus and malware protection. In the
Windows 7 operating system, consider using Microsoft Forefront Protection Manager and Windows
Defender to guard against security threats to host computers.
Consider the following to help you to mitigate these threats:
8-14
8-15
Key Points
The application layer refers to applications running on the hosts. This includes additional services, such as
mail servers, and desktop applications, such as Microsoft Office. The risks to applications are similar to the
risks to hosts and include:
Application vulnerabilities. Applications are complex programs that are likely to have vulnerabilities.
Attackers can use these vulnerabilities to install malicious applications or remotely control a
computer.
Default application configurations. Applications, such as databases, may have a default password or
no password at all. Not securing the default configuration simplifies the work of attackers attempting
to access a system.
Viruses introduced by users. In some cases, viruses are introduced by user actions rather than flaws. In
other cases, an application is actually a Trojan horse that has malicious code embedded in what
appears to be a useful application.
Mitigation
Consider the following to help you to mitigate these threats:
8-16
Key Points
The data layer refers to data stored on your computers. This includes data files, application files,
databases, and Active Directory Domain service (AD DS). When the data layer is compromised it can
result in:
Unauthorized access to data files. Unauthorized access to data files may result in unintended users
reading data. For example, the salaries of other staff. It may also result in data being modified and
becoming inaccurate.
Unauthorized access to AD DS. This may result in user passwords being reset and attackers logging
on by using the reset passwords.
Modification of application files. When application files are modified, they may perform unwanted
tasks such as replicating data over the Internet where an attacker can access it.
Mitigation
This can take many forms, and might include using NTFS file system permissions and shared folder
permissions to ensure that only authorized users can access files at a defined level of access. You might
also be concerned with intellectual property rights and ensuring that your data is used appropriately.
Finally, for data privacy, you can use both file and disk encryption technologies, such as the Encrypting
File System (EFS) or Windows BitLocker Drive Encryption.
Consider the following to help to mitigate data layer security threats:
Implement encryption.
Lesson 2
Physical Security
Physical security provides the first level of defense against the malicious attacker. Consequently, it is
important to ensure that your network and the attached computers are physically secure. This lesson
explores common physical security threats, their mitigations, and how Windows Server can help to
provide physical security on your network.
Objectives
After completing this lesson, you will be able to:
8-17
8-18
Key Points
Aside from physical damage to inappropriately located servers and potential resulting data loss, the main
physical security risks to your networked computers are:
Data compromise arising from the loss or theft of your server computers or server storage devices.
Data compromise resulting from the introduction of storage devices into your network that can
contain malicious or damaging software.
8-19
Key Points
To help to reduce the physical security risks, consider the following points:
Site security. Where possible, ensure that only authorized persons have access to the physical site
where your computers are located. This is more difficult with branch offices, and also with certain
commercial markets such as retail.
Computer security. Ensure that server computers, or any computer that contains or has access to
important data, are physically secure. Ideally, place servers and their storage devices in computer
rooms that are protected by physical security mechanisms such as keypads. In high-security
environments, consider implementing biometric security to ensure that only authorized persons can
physically access your computers.
Disable Log On Locally. The ability to logon interactively at a computer is a right that is typically
granted to all users for all computers in your forest with the exception of domain controllers.
Consider further restricting the right to Log on Locally where more security is required. If a user
cannot logon, this diminishes their ability to perform actions on your network.
Mobile device security. Mobile devices, for example laptop computers and mobile phones, provide
users with the convenience of being able to access the corporate network from anywhere. However,
this raises the possibility that these devices might be lost or stolen. Ensure that you implement
appropriate security on mobile devices so that in the event of their loss, data is not compromised.
Consider implementing remote wipe technologies on mobile devices such as Windows Mobile
handsets. Consider implementing EFS and BitLocker Drive Encryption on laptops.
Removable devices and drives. Consider very carefully whether the convenience of users being able to
copy files to and from removable storage devices outweighs the security risk posed. If you decide that
users will be allowed to use removable storage devices, consider implementing
BitLocker-to-Go on these devices. This consideration will provide for data encryption on the device.
8-20
Key Points
Windows Server provides a number of tools and features that can help you implement physical security.
8-21
Note: By default, no user credentials are cached on the RODC. This is safer because in the event of
the RODC being stolen, no user passwords are compromised. However, if the link between the head
office, where the writable domain controllers exist, and the branch office fails, and caching is not
enabled, users at the branch cannot logon until the link is reestablished.
Group Policies
If you allow users to add storage devices, such as universal serial bus (USB) memory sticks or external hard
drives, to their network-attached computers, you may potentially introduce additional security risks.
Windows Server can use group policy objects (GPOs) to enforce rules on network-attached computers
that control or prohibit the addition of storage devices.
Access Control
Once computers have connected to your network and have access to your server data, you can protect
the integrity of the data by configuring appropriate file permissions. Ensure that you only grant
permissions where needed and grant the minimum permissions required. This is especially important in
situations where users from outside your organization are connecting to your network.
8-22
Lesson 3
Internet Security
Internet access has become increasingly important in recent years, both for work productivity, and
personal development and entertainment. As the demand for Internet connectivity grows, and users
perform increasingly complex tasks on the Internet, there is an increase in related risks. This lesson
explores the technologies and features available in Windows to help to protect your Windows-based
computers while connected to the Internet.
Objectives
After completing this lesson, you will be able to:
Describe the Windows Server components and features that can help provide this Internet security.
8-23
Key Points
When you connect your computer to any untrusted network, including the Internet, you expose it to
numerous potential security risks. One way in which you can consider the security risks posed by the
Internet is to consider the applications that you use when connected to the Internet. Common
applications, and associated security risks, include:
E-mail. An e-mail message can contain a malicious payload; the message might contain:
Inappropriate content.
It is also important to remember that almost all e-mail is sent in clear-text; that is, unencrypted. This
means that if the message is intercepted, anyone can read and potentially modify the message
contents. Additionally, most e-mail is transmitted between hosts that have no knowledge of one
another. Consequently, most e-mail traffic is not authenticated making it more difficult to determine
the true originator of a message.
Web browsing. A Web site can hide numerous security risks including malicious programs. Common
risks associated with Web sites include:
Plug-ins. These are applications designed to work with your browser to provide additional
capabilities. For example, you can use plug-ins to enable your browser to view video files. They
have the ability to expose security flaws in your browser.
Active-X controls. These small programs are downloaded by your browser to enable it to perform
a number of specialized tasks, including manipulating data files or viewing specific file types.
Malicious Active-X controls can pose a security threat to your computer.
8-24
Cross-site scripting. Enables malicious attackers to enable client-side scripts in Web pages that
you computer is viewing, even when the Web site you are viewing is considered a safe source.
Cookies. Cookies are used for authentication, session tracking, storage of Web site preferences,
shopping cart contents, and many other potential uses. Because of the sensitive data stored in
cookies, they have the potential to be misused by malicious individuals.
It is also important to be sure that you have navigated to the appropriate site rather than to a bogus
site masquerading as a legitimate site.
Instant Messaging (IM). This method of communicating with friends and colleagues is very popular.
However, it has attracted the attention of malicious attackers. IM messages can contain links to unsafe
Web sites or be used to initiate file transfers, remote control sessions, or share files and content on
your computer.
Social networking. There are numerous social networking sites. These sites can pose the same security
risks as any other Web site. However, it is important to remember that these sites exist as a way for
you to share information, some of which may be personal information. Exercise caution when you
share your personal information with others.
File download. Any file that you download from the Internet may come from an untrusted source and
may contain harmful code. It is important that you only download files from trusted sources and that,
where possible, files are digitally signed so that you can easily determine the files origin. This is
especially relevant for device drivers as files of this type, if malicious, can have a far more detrimental
effect on your computer.
Computer updates. It is common for software installed on your computer, including the operating
system, to periodically check for and download updates. This is one way of ensuring that your
computer is up-to-date, performs optimally, and remains secured through the application of security
updates. However, software obtained from an untrusted source could use this update mechanism to
download malicious code onto your computer. Ensure that you verify that the updates are safe.
In addition, simply connecting to the Internet exposes your computer to possible security risks. For
example, if you connect to the Internet from your home or from the office, the chances are that the
connection is reliable and reasonably secure. However, when you connect to the Internet from a location
such as a wireless hotspot, you might expose your computer to additional security risks.
Also, bear in-mind that although the connection provided by the hotspot might, in itself, be secure, other
computers that are connected to the network might be compromised by security flaws that might affect
your computer. In addition, it is common for hotspots to provide an unsecured connection for easier
wireless Internet access. However, under these circumstances, data that your computer sends and receives
can be captured and accessed by third parties.
8-25
Key Points
You can help reduce the chances of your computers security being compromised if you observe the
defense-in-depth approach when you connect your computer to the Internet.
When performing common tasks on the Internet, consider the following points to help mitigate security
risks:
E-Mail. Implement e-mail software or use additional software with your e-mail software that supports
the following important security features:
Anti-spam control. Ensure that junk e-mail is either quarantined or deleted. Anti-spam software
can identify spam messages using a variety of technologies.
Antivirus control. Scan incoming and out-going messages for viruses. Ensure that you keep the
virus software up-to-date to provide adequate protection against new and emerging threats.
Attachment handling controls. Some e-mail software, such as Microsoft Office Outlook, enables
you to configure how attachments of specific types are handled. For example, you can configure
the e-mail software to block attachments of a file type that can contain malicious code, also
known as executable files.
Web browsing. A Web browser should provide the ability to select appropriate security settings based
upon the trustworthiness of a Web site. For example, IE enables you to define security settings for
different security zones, such as Internet, local intranet, trusted sites, and restricted sites. Security
settings within the context of these zones include whether or not to download and run ActiveX
controls, scripting behavior, and how to handle signed or unsigned content.
It is also important to implement security software when you browse the Web. Suitable software
should provide antivirus protection, protection against spyware, identity protection, and a link
scanner that can help identify unsafe Web sites before you visit them.
8-26
Finally, be cautious when you shop online. Only use sites that you trust, that can provide a digital
certificate to verify their identity, and that provide you with a redress should something go amiss with
your order.
IM. Many security software packages provide protection against viruses in files that you might
attempt to receive by an instant message. However, it is important that you are careful about the
information that you divulge during an instant message conversation as these messages are often
sent and received in clear text.
Social networking. It is important that you only divulge information through social networking sites
that you are happy to see in the public domain. It is a good idea to limit the type of information that
you share. For example, divulging details about your finances, combined with information about your
address can give a malicious attacker sufficient information to steal your identity and commit fraud.
File download. You can limit your exposure to unsafe downloads by implementing antivirus software.
Additionally, by only downloading files from trusted sources and files that provide a digital signature,
you can help to reduce the security risk posed by downloads. Often, downloaded files may appear
safe but actually contain code that can install additional software that harms your computer.
Windows implements a security feature called User Account Control (UAC) that enables you to
control unintended software installations.
Computer updates. To ensure that your computer updates are safe, only download updates from safe
sources. Computers that are running either Windows 7 or Windows Server 2008 R2 obtain their
updates from the Microsoft Web site or from a local server within your workplace organization
running Windows Server Update Services (WSUS).
Connecting to the Internet. When you connect to the Internet, ensure that you have enabled a hostbased firewall. Computers that are running either Windows 7 or Windows Server 2008 R2 implement
the Windows Firewall with Advanced Security. When you first connect to a new network, such as a
wireless hotspot, you must define whether the network is public or private. Windows Firewall with
Advanced Security then adjusts the security settings based upon your selection.
In addition to a host-based firewall, it is also advisable to ensure that the router that connects to the
Internet provides additional protection. Typical home-office asymmetric digital subscriber line (ADSL)
routers provide NAT and firewall functionality.
8-27
Key Points
Windows 7 and Windows Server 2008 R2 provide a number of security features that help to ensure that
connectivity to the Internet is more secure.
UAC
UAC is a security feature that provides a way for each user to elevate their status from a standard user
account to an administrator account without logging off, switching users, or using the Run As command.
UAC is a collection of features rather than just a prompt. These features, including File and Registry
Redirection, Installer Detection, the UAC prompt, and the ActiveX Installer Service, enable Windows users
to run with user accounts that are not members of the Administrators group. These accounts are generally
referred to as standard users and are broadly described as running with least privilege.
When a change is made to your computer that requires administrator-level permissions, UAC notifies you
as follows:
If you are not an administrator, someone with an administrator account on the computer will have to
enter his or her password for you to continue.
If you are a standard user, providing permission temporarily gives you administrator rights to complete
the task and then your permissions are returned back to standard user when you are finished. This ensures
that even if you are using an administrator account, changes cannot be made to your computer without
your knowledge. This security can help prevent malicious software and spyware from being installed on or
making changes to your computer.
Windows Firewall
Windows Firewall is a host-based, stateful firewall included in Windows Server 2008 R2. It drops incoming
traffic that does not correspond to traffic sent in response to a request (solicited traffic) or unsolicited
8-28
traffic that has been specified as allowed (accepted traffic). Windows Firewall helps provide protection
from malicious users and programs that rely on unsolicited incoming traffic to attack computers. Windows
Firewall can also drop outgoing traffic and is configured using the Windows Firewall with Advanced
Security snap-in, which integrates rules for both firewall behavior and traffic protection with IPsec.
Windows Defender
Windows Defender in Windows 7 helps protect you from spyware and malicious software. Windows
Defender is not antivirus software. Windows Defender offers three ways to help keep spyware from
infecting the computer:
Real-time protection is the mechanism that actively monitors for malware and alerts you when
potentially unwanted software attempts to install itself or to run on the computer. It also alerts you
when programs attempt to change important Windows settings.
The SpyNet community helps you see how other people respond to software that has not yet been
classified for risks. When you participate, your choices are added to the community ratings to help
other people choose what to do.
Scanning options are used to scan for unwanted software on the computer, to schedule scans on a
regular basis, and to automatically remove any malicious software that is detected during a scan.
8-29
Key Points
IE security options help you secure your computer while providing a functional browsing environment. IE
has new functionality that helps protect computers against malicious software, and helps protect users
against data theft from fraudulent Web sites. In addition, IE comes with safe and easy add-on functionality
that gives users full control over adding functionality to their online experiences, while at the same time
avoiding inadvertent, unwanted software downloads.
Use
ActiveX Opt-in
Enhances Web site security and privacy settings awareness by displaying colorcoded notifications next to the address bar. Internet Explorer changes the Address
Bar to green for Web sites bearing new High Assurance certificates, indicating
that the site owner has completed extensive identity verification checks. Microsoft
Phishing Filter notifications, certificate names, and the gold padlock icon are now
also adjacent to the address bar for better visibility. Certificate and privacy detail
information can easily be displayed with a single click on the Security Status Bar.
SmartScreen Filter Protects you against phishing sites, warns you when visiting potential or known
fraudulent sites, and blocks the site if required. The opt-in filter updates several
times per hour with the latest security information from Microsoft, and several
industry partners.
8-30
Dynamic security
options
Use
Cross-Domain
Barriers
Limits scripts on Web pages from interacting with content from other domains or
windows. This enhanced safeguard helps protect the computer against malicious
software by limiting malicious Web sites from potentially manipulating flaws in
other Web sites, or causing you to download undesired content or software.
Delete Browsing
History
Allows you to clean up cached pages, passwords, form data, cookies, and history.
Address Bar
Protection
International
Adds support for International Domain Names in Uniform Resource Locators
Domain Name Anti- (URLs), and notifies you when visually similar characters in the URL are not
Spoofing
expressed in the same language. Thus it protects you against sites that could
otherwise appear as known, trustworthy sites.
URL Handling
Security
Warns you with an Information Bar when current security settings may put you at
risk, which can prevent you from browsing with unsafe settings. Within the
Internet Options dialog box, certain items are highlighted in red when they are
not safely configured. In addition, this option issues reminders that the settings
remain unsafe. You can instantly reset Internet security settings to the MediumHigh default level by clicking Fix Settings for Me in the Information Bar.
Add-ons Disabled
Mode
Protected Mode
Protected mode in the Windows Vista security infrastructure is one of the important new IE security
features. Protected mode provides IE with the rights needed to browse the Web, while simultaneously
withholding rights needed to silently install programs or modify sensitive system data. In addition,
Protected mode helps protect against malicious downloads by restricting the ability to write to any local
machine zone resources other than temporary Internet files. Web-based software cannot write to any
location other than the Temporary Internet Files folder without explicit user consent.
Running programs with limited user rights rather than administrator rights offers better protection against
attacks, because Windows can restrict the malicious code from performing damaging actions. This
additional defense helps ensure that scripted actions or automatic processes cannot download data to
locations other than directories with lower rights, such as the Temporary Internet Files folder.
Although Protected mode does not protect against all forms of attack, it significantly reduces the ability
of an attack to write, alter, or destroy data on the user's computer, or to install malicious code.
Parental Controls
To help keep children safer online, parents can control browsing behavior through the Parental Control
settings built into Windows Vista. You can monitor a child's activities and remotely change the restriction
levels. You can apply a restriction to many activities on the computer, such as playing games or browsing
8-31
the Internet. You can also examine a child's browsing session afterwards; the child lacks the necessary
permissions to remove their session history.
Note: Parental Control settings are only available if the computer is not a member of a domain.
Add-on Manager
The Internet Explorer Add-on Manager is designed to give you greater control over IE add-ons.
Add-ons are a great way to introduce new functionality to your online experience. However, add-ons are
also a great way of introducing malicious software to your computer. You can use the Add-on Manager to
display:
You can then selectively enable or disable these add-ons, and delete any ActiveX controls.
SmartScreen Filter
Businesses put a lot of effort into protecting computer assets and resources. Phishing attacks, otherwise
known as social engineering attacks, can evade those protections and result in users giving up personal
information. The majority of phishing scams target individuals in an attempt to extort money or perform
identity theft.
With the introduction of the SmartScreen Filter, Internet Explorer 8 builds on the Phishing Filter
technology introduced in Internet Explorer 7. The Phishing Filter was designed to warn users when they
attempt to visit known phishing sites. The SmartScreen Filter replaces the Phishing Filter and helps protect
against phishing Web sites, other deceptive sites, and sites known to distribute malware.
The SmartScreen Filter improves upon the Phishing Filter by providing:
An improved user interface.
Faster performance.
New heuristics and enhanced telemetry.
Anti-malware support.
Improved Group Policy support.
8-32
Key Points
In this demonstration, you will see how to disable an add-on.
Demonstration Steps:
1.
2.
3.
8-33
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
2.
3.
4.
5.
6.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
In Hyper-V Manager, click 6420B-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Alan Brewer has visited various Research department branch offices. On his return to the head office of
Contoso, Ltd, he produced a list of security concerns and sent them by e-mail to Ed Meadows, your boss.
Ed has tasked you with the resolution of these issues.
8-34
Supporting Documentation
Contoso Network Security Policy Laptops
Document Reference Number: EM220109/1
Document Author
Date
Ed Meadows
22nd January
Overview
This document defines the corporate policy regarding laptops and other portable computing devices
within Contoso, Ltd.
Policies
1. Any network device that is moved from the office of Contoso, Ltd. must be configured in such a way
that loss of the device does not lead to a compromise of the stored data.
2. Laptops can connect to other networks provided:
a. A suitable firewall is in place.
b. The computer is up-to-date with security updates.
c. Protection against viruses and malware is installed.
3. Portable storage devices are permitted for use on laptops as long as their loss does not compromise
the data stored on them.
8-35
Charlotte Weiss
From:
Sent:
To:
Subject:
Attached:
Ed Meadows [Ed@contoso.com]
6 May 2010 12:01
Charlotte@contoso.com
RE: Branch offices security concerns
Incident Record
Charlotte,
Please look at the attached incident record and review Alans concerns. Get a plan together for resolving
these security concerns. Thanks,
Ed
----- Original Message ----From:
Alan Brewer [Alan@Contoso.com]
Sent:
5 May 2010 11:45
To:
Ed@Contoso.com
Subject:
Branch offices security concerns
Ed,
I just got back from the branches. Im pretty worried that, given the sensitive nature of the data we handle
in Research, physical security is pretty lax compared with the head office. I have listed my main concerns
below:
Laptops are used by research staff; they often take these home.
We often let external contract staff connect their own computers to our research networks.
I notice that some personnel bring music files on USB drives into the offices.
Regards, Alan
Read e-mail and the attached incident record with a view to determining the possible problem
causes.
Read the Contoso Network Security Policy Laptops document with a view to determine if you
must enforce any changes at the branch based on corporate policies.
Ed Meadows
10th May
10:50
Alan Brewer
8-36
OPEN
Incident Details
Call logged by Information Technology (IT) manager following inquiries at branch offices
concerning physical security problems raised by Research department manager, Alan Brewer.
Reported concerns:
1. Laptops are used by research staff and they often take these home.
2. In some branches there is no dedicated room for the servers.
3. External contract staff can connect their own computers to the research networks.
4. Staff uses personal USB storage devices on work computers.
Questions
1. What security policies apply to the branch office laptops as defined in the Contoso Network
Security Policy Laptops document?
2. What security concerns do you have about the branch offices?
3. How would you address the concerns you might have about laptop computer use?
4. How would you address the concerns you might have about the lack of dedicated server
computer rooms?
5. How would you address the concerns you might have about contractor computer use?
6. How would you address the concerns you might have about removable storage devices?
7. Complete the resolution section below with a summary of your proposals.
Resolution
Results: After this exercise, you should have completed the incident record.
8-37
Change the security settings for the Local intranet zone to High.
Enable Protected Mode for the Local intranet zone.
Close Internet Explorer.
5.
2.
8-38
Results: After this exercise, you should have modified Internet Explorer security settings.
8-39
Review Questions
1.
Why is it important to educate your users about your organizations acceptable use policy?
2.
How could you help to reduce the risk that your wireless network is the target of unauthorized packet
sniffing?
3.
What are the risks associated with allowing your users to connect their laptops to Wi-Fi hotspots?
Create specific rules that help prevent social engineering and educate users on these rules and their
relevance.
Restrict physical access to servers by locking doors and then monitor server room access.
Implement NAT.
Restrict switch ports and wireless access points based on MAC address or client certificates.
8-40
Module 9
Implementing Windows Server Security
Contents:
Lesson 1: Overview of Windows Security
9-3
9-17
9-32
9-45
9-1
9-2
Module Overview
As organizations expand the availability of network data, applications, and systems, it becomes more
challenging to ensure network infrastructure security. Security technologies in the Windows Server 2008
R2 operating system enable organizations to provide better protection for their network resources and
organizational assets in increasingly complex environments and business scenarios. This module reviews
the tools and concepts available for implementing security within a Microsoft Windows infrastructure.
Objectives
After completing this module, you will be able to:
Describe the features in Windows Server 2008 R2 that help improve your networks security.
Explain how to secure files and folders within a Windows Server environment.
Explain how to use the encryption features provided by Windows Server 2008 R2 to secure access to
resources.
Lesson 1
Windows Server 2008 R2 includes numerous features that provide different methods for implementing
security. These features combine together to form the core of Windows Server 2008 R2s security
functionality. Understanding these features and their associated concepts as well as being familiar with
their basic implementation is critical to maintaining a secure environment.
Objectives
After completing this lesson, you will be able to:
Describe encryption.
9-3
9-4
Key Points
Windows Server 2008 R2 security at the user level is centered around user accounts, which are typically
identified by a username and verified with a password. The username and password combination allows a
user to gain access to network resources as specified by the user accounts permissions. This process is
typically broken down into two components: authentication and authorization.
Authentication
Authentication is the process of confirming that something is authentic. Authentication distinguishes
legitimate users from uninvited guests, and is the most visible and fundamental concept in security. In
private and public computer networks (including the Internet), the most common authentication method
used to control access to resources involves verification of a users credentials; that is, a username and a
password.
However, the username and password combination is only the most basic form of authentication. Other
mechanisms and tools can also be used in the Windows Server 2008 R2 environment to add multiple
layers to the authentication process to ensure that users identities on your network are legitimate and
secure. Some of the key mechanisms available include:
Smart Cards. A smart card refers to a card-shaped device that contains specific digital information, in
most cases used to specifically identify an individual. Smart cards can be used as an additional means
of security when combined with a username and password. For example, an organization may issue
smart cards to administrative users, requiring them to use a username and password as well as the
smart card to log in when using accounts with elevated administrative permissions. This combination
provides an extra measure of security for the usage of those accounts.
Biometrics. The term biometrics refers to the measuring of an unchanging physical or behavioral
characteristic to uniquely identify a given person. Fingerprints are the most common form of
implemented biometrics. Other possibilities include facial recognition, iris scanning, and voice
recognition. Biometrics are most commonly used in conjunction with a username and password to
provide an added measure of security in environments where highly sensitive data is involved.
9-5
Biometrics can also be used as the sole means of authentication, and, due to the personal nature of
authentication, are considered more secure than smart cards.
Public key infrastructure (PKI). PKI refers to the infrastructure required to use mathematically related
digital keys in the process of encrypting and decrypting data. PKI will be covered in more detail
later in this module.
Remote Authentication Dial-In User Service (RADIUS). Windows Server 2008 R2 contains support for
RADIUS, a widely supported networking protocol that provides centralized management of
authentication over multiple systems. RADIUS is most typically used to unify remote authentication to
multiple, disparate systems. For example, an organization may use a virtual private network (VPN)
server from Company A, be given access to network segments via routers from Company B and also
be given access to Windows-based services and applications, all with one username and password.
Authorization
Authorization is the process of determining whether an identified user is permitted access to a resource
and what the appropriate level of access is for that user. This could include authorization to read a file,
authorization to modify file and folder properties, authorization to delete a file or folders, or a
combination of these or many other permissions.
Authorization has two main components within Windows Server.
The initial definition of permissions for system resources by the owner of a specific resource or a
system administrator
The subsequent checking of permission values by the system or application when a user attempts to
access a system resource
It is important to note that it is possible to have authorization (access to resources) without first providing
authentication (entering a username and password). This occurs many times in modern computing. For
example, when you access a Web page on the Internet, you are accessing the resources on that Web
server (pages, graphics, etc.) without providing any type of authentication to the Web server.
9-6
What Is UAC?
Key Points
Administrative accounts carry with them a large degree of security risk. When an administrative account is
logged in, its privileges allow access to the entire Windows system, including the registry, system files and
configuration settings. As long as an administrative account is logged in, the system is vulnerable to attack
and has the potential to be compromised.
UAC provides a method by which all users can be aware of the way their account privileges are being
used on the computer.
If you are an administrator, you can click Yes to elevate your permission level and continue. This
process of requesting approval is known as Admin Approval Mode.
Note: In Windows Server 2008 R2, the built-in Administrator account does not run in Admin
Approval Mode. This results in no UAC prompts when using the local Administrator account.
If you are not an administrator, the username and password for an account that has administrative
permissions needs to be entered. Providing administrative credentials temporarily gives you the
administrative privileges required to complete the task. After the task is complete, your permissions
are returned back to those of a standard user.
9-7
This process of notification and elevation of privileges makes it so that even if you are using an
administrator account, changes cannot be made to your computer without you knowing about it, which
can help prevent malicious software (malware) and spyware from being installed on or making changes to
your computer.
UAC will allow certain system-level changes to occur without prompting, even when logged on as a local
user:
Install drivers from Windows Update or those that are packaged with the operating system.
Reset the network adapter and perform other network diagnostic and repair tasks.
9-8
Key Points
The files and folders stored on a server can contain many different forms of data. As an administrator, you
may not want all users on the network to be able to perform certain operations on specific files and
folders. Once authenticated, a user in Windows Server 2008 R2 is given authorization to access such files
and folders through file and folder permissions.
Two main categories of permissions exist in Windows Server 2008 R2.
NTFS file system file and folder permissions. NTFS permissions are assigned to files and folders on
NTFS volumes and govern the access given to users who attempt to access the files. NTFS permissions
are assignable to individual or sets of files and folders.
Shared folder permissions. When a local folder is shared or made accessible to the rest of the
network, a separate set of permissions are assigned to the folder that control users accessing the files
from a network location. Shared folder permissions are assignable only to a folder or group of folders,
not to individual files.
Combined permissions. Shared folder permissions are combined with the NTFS file and folder
permissions to provide a two-level set of permissions for that specific folder when accessed over the
network.
Note: Both NTFS file and folder permissions and shared folder permissions have a variety of access
levels that can be granted or denied to a specific user or group of users. These levels will be covered
in detail later in this module.
Question: How do shared folder permissions affect access to local NTFS files and folders?
9-9
Key Points
The security provided by a password system depends on the passwords being kept secret at all times.
Thus, a password is vulnerable to compromise whenever it is used, stored, or even known. In passwordbased authentication, this vulnerability presents a significant risk to system security.
You can help protect your system by customizing password policy settings, including requiring users to
change their password regularly, specifying a minimum length for passwords, and requiring passwords to
meet certain *complexity requirements.
A domains password policy settings are controlled by a number of GPO settings related to accounts and
passwords.
You can help protect your computer or domain by customizing your password policy settings, including
requiring users to change their password regularly, specifying a minimum length for passwords, and
requiring passwords to meet certain complexity requirements.
Policy
What it does
Best practice
Enforce password
history
9-10
Policy
What it does
Best practice
Maximum password
age
Set a maximum password age of 3070 days. Setting the number of days
too high provides hackers with an
extended window of opportunity to
crack the password. Setting the
number of days too low might be
frustrating for users who have to
change their passwords too
frequently.
Minimum password
age
Minimum password
length
In addition, another group of GPO settings governing account lockout policies are available to control
what actions are taken by the operating system if a user repeatedly fails to enter a valid password when
logging on to the system. These are known as Account Lockout Policy settings.
Policy
What it does
Best practice
Account lockout
9-11
Policy
What it does
Best practice
threshold
Account lockout
duration
Reset account
lockout counter
after
Note: Account Policy settings can be accessed by clicking on the Start button, clicking Run and
typing secpol.msc into the Open dialog box.
Question: What would be the effect on a users account if they entered their password incorrectly fives
times between 10:00AM and 10:25AM with the following settings applied to their account:
9-12
Key Points
In an Active Directory Domain Services (AD DS) environment, standard password and account lockout
policies are applied to the entire domain. This behavior may not be desired by organizations that require
different password and account lockout policies for different users or groups.
Fine-grained password policies provide the solution to this issue. Fine-grained password policies allow an
administrator to apply multiple, unique password policies to multiple users or groups within the same
domain.
Individual fine-grained password policies are each stored within their own Active Directory object called a
Password Settings object (PSO). All PSOs are stored within a parent container called a Password Settings
Container (PSC). PSO stores policy information regarding password and account lockout policy settings
are mentioned in the previous topic.
Passwords must meet the following complexity requirements:
A PSO can be linked to one or more AD DS users or global security groups. Once linked, the setting
defined within that PSO will apply to the linked users to groups.
Note: A PSO may not be linked to an Active Directory organizational unit (OU), only to AD DS users
and groups.
9-13
9-14
Auditing Features
Key Points
Auditing is the process that tracks user activity by recording selected events in a security log. Auditing
provides a recorded log of access and activity, allowing an administrator to determine whether or not
resources are being accessed and utilized appropriately and according to policy. Auditing logs the
following information regarding system activity:
What occurred?
9-15
Key Points
Windows Server 2008 R2 provides features that provide both file and volume-level encryption.
BitLocker
BitLocker Drive Encryption is a system built into Windows Server 2008 R2 that provides for encryption of
the entire operating system volumes as well as additional data volumes.
BitLocker-to-Go provides for the encryption of removable data drives like universal serial bus (USB) flash
drives or portable hard drives.
Bitlocker utilizes keys for encryption in similar fashion to EFS, but provides for more options for key
management. Users can store encryption keys on a removable USB drive, incorporate passkeys or
incorporate a special hardware feature called Trusted Platform Module (TPM) to ensure that an encrypted
volume only allows for decryption while attached to a specific system.
BitLockers features are designed to be simple to implement and allow for transparent file system access
once fully configured.
9-16
EFS functionality
Encrypts files
For example, EFS is used to protect individual files and folders that belong to a specific user, such as
sensitive documents. The encryption process is commonly initiated by the user as well.
BitLocker, on the other hand, is used to encrypt entire volumes or hard disks and is useful for ensuring
that the data on a disk in a server cannot be read in case it is removed and placed in another server.
9-17
Lesson 2
Ensuring data integrity and security is a fundamental aspect of a Windows Server 2008 R2
implementation. The assignment of proper permissions to users and groups for the resources they require
access to is the first level of data security in a Windows Server environment.
This lesson covers the configuring of permissions, best practices for maintaining permissions functionality
and auditing file and folder access to ensure that configured permissions are operating effectively.
Objectives
After completing this lesson, you will be able to:
Describe inheritance.
9-18
Key Points
NTFS file and folder permissions specify which users, groups, and computers can access files and folders
on an NTFS volume. NTFS permissions also dictate what users, groups, and computers can do with the
contents of the file or folder.
There are two types of NTFS permissions:
Special. Special permissions provide a finer degree of control for assigning access to files and folders;
however, special permissions are more complex to manage than standard permissions.
Description
Full Control
Modify
Read
Write
Special permissions
9-19
Note: Groups or users granted Full Control on a folder can delete any files in that folder regardless of
the permissions protecting the file.
To modify NTFS permissions, you must be given the Full Control NTFS permission for a folder or file. The
one exception is for file and folder owners. The owner of a file or folder can modify NTFS permissions
even if they do not have any other current NTFS permissions. Administrators can always take ownership of
files and folders to make modifications to NTFS permissions.
Description
Traverse
Folder/Execute File
The Traverse Folder permission applies only to folders. This permission allows or
denies the user from moving through folders to reach other files or folders, even
if the user has no permissions for the traversed folders. Traverse Folder takes
effect only when the group or user is not granted the Bypass Traverse Checking
user right. The Bypass Traverse Checking user right checks user rights in the
Group Policy snap-in. By default, the Everyone group is given the Bypass
Traverse Checking user right.
The Execute File permission allows or denies access to program files that are
running.
If you set the Traverse Folder permission on a folder, the Execute File permission
is not automatically set on all files in that folder.
The List Folder permission allows or denies the user from viewing file names and
subfolder names in the folder. The List Folder permission applies only to folders
and affects only the contents of that folder. This permission is not affected if the
folder that you are setting the permission on is listed in the folder list. Also, this
setting has no effect on viewing the file structure from the command-line
interface.
The Read Data permission applies only to files and allows or denies the user from
viewing data in files.
Read Attributes
The Read Attributes permission allows or denies the user from viewing the
attributes of a file or folder, such as read-only and hidden attributes. Attributes
are defined by NTFS.
Read Extended
Attributes
The Read Extended Attributes permission allows or denies the user from viewing
the extended attributes of a file or folder. Extended attributes are defined by
programs and can vary by program.
Create Files/Write Data The Create Files permission applies only to folders and allows or denies the user
from creating files in the folder.
The Write Data permission applies only to files and allows or denies the user
from making changes to the file and overwriting existing content by NTFS.
Created
Folders/Append Data
The Create Folders permission applies only to folders and allows or denies the
user from creating folders in the folder.
The Append Data permission applies only to files and allows or denies the user
from making changes to the end of the file but not from changing, deleting, or
overwriting existing data.
9-20
File permissions
Description
Write Attributes
The Write Attributes permission allows or denies the user from changing the
attributes of a file or folder, such as read-only or hidden. Attributes are defined
by NTFS.
The Write Attributes permission does not imply that you can create or delete
files or folders; it includes only the permission to make changes to the attributes
of a file or folder. To allow or to deny Create or Delete operations, see Create
Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and
Delete.
Write Extended
Attributes
The Write Extended Attributes permission allows or denies the user from
changing the extended attributes of a file or folder. Extended attributes are
defined by programs and can vary by program.
The Write Extended Attributes permission does not imply that the user can
create or delete files or folders; it includes only the permission to make changes
to the attributes of a file or folder. To allow or to deny Create or Delete
operations, view the Create Files/Write Data, Create Folders/Append Data,
Delete Subfolders and Files, and Delete sections in this article.
The Delete Subfolders and Files permission applies only to folders and allows or
denies the user from deleting subfolders and files, even if the Delete permission
is not granted on the subfolder or file.
Delete
The Delete permission allows or denies the user from deleting the file or folder. If
you have not been assigned Delete permission on a file or folder, you can still
delete the file or folder if you are granted Delete Subfolders and Files
permissions on the parent folder.
Read Permissions
Read permissions allows or denies the user from reading permissions about the
file or folder, such as Full Control, Read, and Write.
Change Permissions
Change Permissions allows or denies the user from changing permissions on the
file or folder, such as Full Control, Read, and Write.
Take Ownership
The Take Ownership permission allows or denies the user from taking ownership
of the file or folder. The owner of a file or folder can change permissions on it,
regardless of any existing permissions that protect the file or folder.
Synchronize
Note: When assigning both standard and special NTFS permissions, permissions set to Deny typically
override permissions set to Allow.
To configure NTFS file and folder permissions, follow these steps:
1.
2.
3.
4.
Right-click on the file or folder to which you want to assign permissions and click Properties.
Click on the Security tab to view existing permissions.
To modify standard permissions, click the Edit button.
To modify special permissions, click the Advanced button.
9-21
Permissions Inheritance
Key Points
By default, the permissions granted to a parent folder are inherited by its subfolders and files. Permissions
can be inherited only from a direct parent and any files and folders contained within the parent folder will
be assigned the same permissions as the parent folder, even if the parent folders permissions are
modified. Permissions inherited in this manner are referred to as implicit permissions. A folder or file will
always inherit its parent folders permissions unless inheritance is blocked.
When blocking inheritance, the folder for which you block permissions inheritance becomes the new
parent folder, and the subfolders and files that are contained in it inherit the permissions assigned to it. A
folder that has had inheritance blocked will retain its originally inherited permissions as its default
permission set until those permissions are modified. Permissions can be inherited only from a direct
parent. Permissions inherited in this manner are referred to as implicit permissions.
In addition to inherited or implicit permissions, permissions assigned to a file or folder that override that
file or folders inherited permissions are called explicit permissions. Explicit permissions are specifically set
for a given set of files and folders, and behave slightly different when being moved within an NTFS
volume.
To block inheritance for a file or folder, perform the following steps:
1.
2.
3.
4.
5.
6.
Right-click the file or folder to which you want to block inheritance, and then click Properties.
Click the Security tab to view existing permissions.
Click the Advanced button.
In the Permissions window, click the Change Permissions button.
In the Permissions window, uncheck Include inheritable permissions from this objects parent.
Click the Add or Remove button, depending on what permissions you want assigned to the blocked
folder.
9-22
Copying a File
When you copy a file or folder from one folder to another folder, or from one partition to another
partition, the following rules apply:
Within a single NTFS partition, the copy of the folder or file inherits the permissions of the destination
folder.
To a different NTFS partition, the copy of the folder or file inherits the permissions of the destination
folder.
To a non-NTFS partition, such as a file allocation table (FAT) partition, the copy of the folder or file
loses its NTFS permissions, because non-NTFS partitions do not support NTFS permissions.
Moving a File
When you move a file or folder, the following rules apply:
Within the same NTFS partition, the folder or file keeps its original permissions. If the permissions of
the new parent folder are changed later, the file or folder will inherit the new permissions.
Permissions explicitly applied to the folder will be retained. Permissions previously inherited will be
lost.
To a different NTFS partition, the folder or file inherits the permissions of the destination folder. When
you move a folder or file between partitions, the Windows Server 2008 operating system copies the
folder or file to the new location and then deletes it from the old location.
To a non-NTFS partition, the folder or file loses its NTFS permissions, because non-NTFS partitions do
not support NTFS permissions.
9-23
Key Points
When you share a folder, it is made available over the network. In order to ensure appropriate access to
the files is granted, shared folder permissions must be applied.
Shared folder permissions apply only to users who connect to the folder over the network. They do not
restrict access to users who access them locally on the computer where the folder is stored. You can grant
shared folder permissions to user accounts, groups, and computer accounts.
By default, a shared folder is already protected by the NTFS permissions applied to that specific folder.
The following table lists the options available for shared folder permissions. You can choose whether to
allow or deny each of the permissions.
File permissions
Description
Read
Read permission allows users to view folder and file names, and file data and
the attributes of files. Users are also able to access the shared folder's
subfolders, and run program files and scripts.
Change
Users that are granted the Change permission can perform all of the functions
granted by the Read permissions as well as create and delete files and
subfolders. Users are also able to change file attributes, change the data in
files, and append data to files.
Full Control
Users that are granted the Full Control permission can perform all the tasks
enabled by the Change permissions as well as take ownership of files, and
change file permissions.
The shared folder permissions above are available through Windows Server 2008 R2s Advanced Sharing
properties, found in the folders Properties dialog box. A more simplified set of permissions (Read or
Read/Write) can be assigned by right-clicking on the folder and selecting Share, which brings up the File
Sharing dialog box.
9-24
Note: As with NTFS permissions, when assigning shared folder permissions, permissions set to Deny
typically override permissions set to Allow.
9-25
Key Points
When a shared folder is created on a partition formatted with the NTFS file system, both the shared folder
permissions and the NTFS file system permissions are combined to protect file resources. NTFS file system
permissions apply whether the resource is accessed locally or over a network, but they are filtered against
the share folder permissions.
So, when accessing a shared folder over the network, a user must have the appropriate permissions
granted on a shared folder to gain access to the files and folders within that folder. Once it has been
determined that the user has been granted access through the shared folder permissions, the users access
to the specific NTFS file(s) or folder(s) is checked against the users NTFS permissions. If both the shared
folder permissions and the NTFS permissions allow the type of access that the user is attempting on the
files, access is granted.
When you grant shared folder permissions on an NTFS volume, the following rules apply:
By default, the Everyone group is granted the shared folder permission Read.
Note: If the guest user account is enabled on your computer, the Everyone group includes anyone.
According to best practice, remove the Everyone group from any permission lists and replace it with
the Authenticated Users group.
Users must have the appropriate NTFS file system permissions for each file and subfolder in a shared
folder in addition to the appropriate shared folder permissions to access those resources.
When NTFS file system permissions and shared folder permissions are combined, the resulting
permission is the most restrictive one of the effective shared folder permissions or the effective NTFS
file system permissions.
9-26
The share permissions on a folder apply to that folder, to all files in that folder, to subfolders, and to
all files in those subfolders.
The following analogy can be helpful in understanding what happens when you combine NTFS and share
permissions. When dealing with a shared folder, you must always go through the shared folder to access
its files over the network. Therefore, you can think of the shared folder permissions as a filter that only
allows users to perform actions on its contents that are acceptable to the share permissions. All NTFS
permissions that are less restrictive than the share permissions are filtered out so that only the share
permission remains.
For example, if the share permission is set to Read, then the most you can do when accessing the share
over the network is read the contents, even if individual NTFS file permission is set to Full Control. If
configuring the share permission to Modify, then you are allowed to read or modify the shared folder
contents. If the NTFS permission is set to Full Control, then the share permissions filter the effective
permission down to just Modify.
9-27
Key Points
When you are managing access to resources using NTFS file and folder permissions and shared folder
permissions, consider the following best practices:
Use the most restrictive permissions possible. Do not grant more permissions for a file or folder than
the users legitimately require. For example, if a user only has to read the files in a folder, grant Read
permission for the folder to the user or group to which the user belongs.
Avoid assigning permissions to individual users. Use groups whenever possible. Because it is
inefficient to maintain user accounts directly, avoid granting permissions to individual users.
Use restrictive shared folder permissions only when necessary. To avoid complicated combined
permissions scenarios, use NTFS file and folder permissions to restrict or grant access as much as
possible. NTFS file and folder permissions offer much more precise control over user access and
always apply to file and folder security, whether being accessed locally or over the network.
Use Deny permissions with caution. Deny permissions always override Allow permissions and can
result in users being mistakenly restricted access to files or folders.
Remember that Full Control lets users modify permissions. Assign Full Control permissions with
caution, as any change in existing permissions could potentially affect security.
Use the Authenticated Users or the Domain Users group instead of the Everyone group (if present)
from the shared folders permissions list. The Everyone group includes guest users. Using the
Authenticated or Domain Users groups limits file or folder access to only authenticated users, and
prevents users or viruses from accidentally deleting or damaging files.
Be conscious of explicitly set permissions and the effects of blocked inheritance. When assigning
permissions to a parent folder, be aware that some subfolders and files might have inheritance
blocked and explicit permissions specified. In this case, such subfolders and files will not inherit the
parent folders permissions when changes are made.
9-28
You can use the Effective Permissions tool to evaluate the permissions assigned to a user or group for
a specific file or folder. Effective Permissions allows you to select users or groups and then shows you
the effective permissions for those users or groups according to all of the permissions set on the
specific file or folder. You use the following steps to reach the Effective Permissions tool:
1.
2.
3.
Right-click on the file or folder you wish to evaluate and click Properties.
In the Properties dialog box, click the Security tab and then click the Advanced button.
In the Advanced Security Settings dialog box, click the Effective Permissions tab.
In this demonstration, you will see how to create a folder, secure it using NTFS permissions, share the
folder and further secure it with shared folder permissions.
Demonstration Steps:
1.
2.
3.
9-29
9-30
File Auditing
Key Points
Securing files and folders with permissions will only help protect data; they will not tell you who deleted
important data or who was trying to access files and folders inappropriately. To track who accessed files
and folders and what they did, you must configure auditing for file and folder access. Every
comprehensive security strategy should include auditing.
Configuring file and folder auditing in Windows Server 2008 is a two part process:
1.
2.
Enabling audit object policy in GPO in Group Policy. This setting can be reached by running
secpol.msc from a command prompt or from the Run command on the Start menu. Once in Local
Security Policy, expand Local Policy and click Audit Policy.
Once Audit object access has been enabled in Local Security Policy, auditing must be enabled for any
files and users you want to audit. These settings can be reached by navigating to the Properties
window for the folder you want to audit, selecting the Security tab, clicking the Advanced button
and selecting the Auditing tab in the Advanced Security Settings dialog box.
When enabling auditing on a specific folder, the same inheritance rules used by NTFS permissions
and Shared folder permissions apply to the auditing properties. By default, files and folders will inherit
their parents audit settings unless inheritance is blocked or explicitly specified.
Note: Unlike permissions, there is only one method of applying auditing properties; to allow them.
There is no Deny option when configuring auditing properties.
Once configured, file and folder auditing events will be recorded to the Windows security log. This log can
be viewed in Event Viewer, located in the Diagnostics section of Server Manager.
In this demonstration, you will see how to configure the Audit object access security policy to audit file
access.
Demonstration Steps:
1.
2.
3.
9-31
9-32
Lesson 3
Implementing Encryption
In this age of information interconnection, an organizations network may consist of intranets, Internet
sites, and extranetsall of which are potentially susceptible to access by unauthorized individuals who
intend to maliciously view or alter an organizations digital information assets. Therefore, it is important
that you have some means of ensuring that your organizations data and communications are secure. To
make your communication secure, it is important for you to understand the fundamentals of the systems
that make secure data possible.
Objectives
After completing this lesson, students will be able to:
Describe a PKI.
9-33
Key Points
A digital certificate is a physical digital entity that binds a persons or organizations identity to
mathematically related private and public keys for the use of encrypting and decrypting data as well as
verifying the authenticity of the user or organization in relation to the data being exchanged.
A digital certificate makes it possible to verify someone's claim that they have the right to use a given key,
helping to prevent people from using phony keys to impersonate other users. Used in conjunction with
encryption, digital certificates provide a more complete security solution, assuring the identity of all
parties involved in a transaction.
A digital certificate generally contains information about the following:
A user, computer, or network device that holds the private key corresponding to the issued certificate.
The user, computer, or network device is referred to as the owner or subject of the certificate.
A public key of the certificate's associated public and private key pair.
The issue and expiry dates of the public key associated with the certificate.
The names of the encryption and/or digital signing algorithms supported by the certificate.
Also, a digital certificate may contain additional information, such as the encryption algorithms supported,
the acceptable applications or uses for the certificate or other applicable information.
9-34
What Is a PKI?
Key Points
A PKI enables the distribution and management of digital certificates to users and computers in a secure
and trustworthy manner.
A PKI is a system of components that allow for the authentication and verification of authenticity of each
party involved in digital communication through the use of public key cryptography.
A PKI consists of the following components:
CAs. CAs represent the people, processes and tools used to create digital certificates and securely
bind the users identity to their public keys. Before issuing a digital certificate to a user, a CA will verify
that users identity and the validity of their purpose for obtaining a digital certificate.
A CA will place their digital signature on a certificate, which both verifies that the certificate has come
from a trusted source as well as acting like a tamper-proof seal on the certificate itself, preventing any
attempts to tamper with the digital certificate.
CAs also operate in a hierarchal manner, where CAs that issue certificates may use another, more
widely trusted CA as its parent to maintain the level of trust necessary within a PKI environment.
Certification revocation lists (CRLs). CRLs contain a list of certificates that have been revoked or
removed from a CA prior to the certificates expiry date.
Certificate and CA management tools. When a Windows Server 2008 R2 server is configured as a CA,
a specific set of tools are available to create and manage certificates, manage CRLs and perform
maintenance on different aspects of the PKI environment.
Certificates. Digital certificates are the primary item of circulation in a PKI. A PKI exists primarily for
the proper management of these certificates.
9-35
Key Points
In modern cryptography, data is encrypted and decrypted using a key which contains the information
necessary for performing the encryption or decryption. A key is a piece of physical data, and may be
protected by a password or attached to a smart card or even a Windows users account.
In the simplest form of data encryption, data is both encrypted and decrypted using the same key. This
method of using the same key for both encryption and decryption is known as symmetric encryption.
Symmetric encryption works very well when the same user is both encrypting and decrypting the data.
However, when the user encrypting the data is different than the user who is decrypting the data and
especially if the encryption and decryption process must happen on different computers or networks,
symmetric encryption becomes more problematic. In this case, the user encrypting the data must find
some way to make the key available to the user decrypting the data. Anytime the key is exchanged
between users, it becomes vulnerable to being intercepted and compromised.
The use of digital certificates introduces an alternative to the shortcomings of symmetric encryption. Data
exchange using a digital certificate uses asymmetric encryption. When using asymmetric encryption, a pair
of mathematically related keys is used to encrypt or decrypt data. One of the keys, commonly referred to
as the private key, is held by an individual. A second key, the public key, is attached to the digital
certificate, which can be digitally requested at any time. With this form of encryption, either the private or
public key can be used to encrypt the data. Then, the opposite key is used to decrypt the data.
For example, in the above diagram, data at the Contoso Ltds Web server is encrypted using Contoso,
Ltds private key and SSL encryption. The resultant encrypted data is sent out over the public Internet to
the Web client who is accessing the information on the server. Since the data has encrypted using
Contoso Ltds private key, the Web client can be assured that the information is coming from Contoso,
Ltds and is genuine.
Alternatively, data sent from the client to the server, such as personal or financial information, is first
encrypted using SSL and Contoso Ltds public key attached to the digital certificate. The user can be
9-36
assured that encrypted information is safe in transit because only Contoso, Ltds private key can decrypt
the data. It is critical for private keys to be secured in order to maintain the integrity of this exchange.
Digital certificates are used for a wide variety of purposes. Depending on the nature of the issuing CA,
certain digital certificates may have a specific level of trust assigned to them. Public, Private and Selfsigned certificates each have individual characteristics that make them suitable for specific
implementations. The following points outline characteristics of Public, Private and Self-signed certificates:
Public CAs typically charge a fee for providing a digital certificate, but the certificate is universally
trusted. Also, public certificates can be used in almost any situation a private certificate is used. Digital
certificates used on the public Internet are most commonly issued by a public CA.
Private certificates allow an organization to manage their certificate issuing process and any number
of certificates can be generated at no cost. This allows an organization with the requirement to issue
many certificates for internal use to use a private CA and not incur the costs associated with a large
number of public certificates. This gives an organization a great deal of control of certificate
management, but requires additional administrative overhead. Private certificates may be used within
an organization to facilitate secure e-mail or the encryption of individuals data.
Self-signed certificates do not require the implementation of a stand alone CA. Rather, the application
itself creates and signs the certificate. This decreases the administrative overhead of maintaining a
private CA and the organization incurs no extra costs. The main drawback however, is that the selfsigned certificate has a very limited valid scope; strictly within the application itself.
Question: In what situations would a public certificate signed by a trusted CA be requested or required?
Question: Why would a private certificate be used instead of a public certificate?
Question: Why would an organization choose to use self-signed certificates over private certificates?
9-37
EFS
Key Points
EFS is the built-in file encryption tool for Windows file systems. A component of the NTFS file system, EFS
enables transparent encryption and decryption of files by using advanced, standard cryptographic
algorithms. Any individual or program that does not possess the appropriate cryptographic key cannot
read the encrypted data. Encrypted files can be protected even from those who gain physical possession
of the computer that the files reside on. Even persons who are otherwise authorized to access the
computer and its file system cannot view the data.
Information technology (IT) professionals must understand that while encryption is a powerful addition to
any defensive plan, other defensive strategies must be used because encryption is not the correct
countermeasure for every threat. However, every defensive weapon, if used incorrectly, carries the
potential for harm. EFS must be understood, implemented appropriately, and managed effectively to
ensure that your experience, the experience of those to whom you provide support, and the data you
want to protect are not compromised.
The following are important basic facts about EFS:
EFS encryption does not occur at the application level but rather at the file-system level; therefore,
the encryption and decryption process is transparent to the user and to the application.
If a folder is marked for encryption, every file created in or moved to the folder will be encrypted.
Applications do not have to understand EFS or manage EFS-encrypted files any differently than
unencrypted files.
If a user attempts to open a file and possesses the key to do so, the file opens without additional
effort on the user's part. If the user does not possess the key, he or she receives an "Access denied"
error message.
File encryption uses a symmetric key that is encrypted with the users public key and stored in the file
header. A certificate with the users public and private keys (known as asymmetric keys) is stored in
the users profile.
9-38
This key pair is bound to a user identity (ID) and made available to the user who has possession of the
user ID and password. The users private key must be available for the file to be decrypted.
If the private key is damaged or missing, even the user that encrypted the file cannot decrypt it. If a
recovery agent exists, then the file may be recoverable. If key archival has been implemented, then
the key may be recovered, and the file decrypted; otherwise, the file may be lost. This encryption
system is commonly referred to as PKI.
The users certificate that contains his or her public and private keys can be archived (for example,
exported to a floppy disk) and kept in a safe place to ensure recovery, if keys become damaged.
The users public and private keys are protected by the user's password. Any user who can obtain the
user ID and password can log on as that user and decrypt that user's files.
Therefore, a strong password policy and strong user education must be a component of each
organization's security practices to ensure the protection of EFS-encrypted files.
EFS-encrypted files do not remain encrypted during transport if saved to or opened from a folder on
a remote server. The file is decrypted, traverses the network in plaintext, and if saved to a folder on
the local drive that is marked for encryption, is encrypted locally. EFS-encrypted files can remain
encrypted while traversing the network if they are being saved to a Web folder using WebDAV.
EFS is only supported on the NTFS file system. If a user moves or copies an encrypted file to a nonNTFS file system, like a floppy disk or USB flash drive formatted with the file allocation table 32-bit
(FAT32) file system, the file will no longer be encrypted.
Note: When users encrypt files in remote shared folders, their keys are stored on the file server.
Support for Storing Private Keys on Smart Cards. Windows Server 2008 includes full support for
storing users private keys on smart cards. If a user logs onto Windows with a smart card, EFS can also
use the smart card for file encryption.
Administrators can also store their domains recovery keys on a smart card. Recovering files is then as
simple as logging on to the affected machine, either locally or using Remote Desktop, and using the
recovery smart card to access the files.
EFS Rekeying wizard. The EFS rekeying wizard allows users to choose an EFS certificate and then select
and migrate existing files that will use the newly chosen EFS certificate.
9-39
They can also use the wizard to migrate users in existing installations from software certificates to
smart cards. The wizard is also helpful in recovery situations because it is more efficient than
decrypting and re-encrypting files.
New Group Policy Settings for EFS. You can use Group Policy to centrally control and configure EFS
protection policies for the entire enterprise. A number of Group Policy options were added to help
administrators define and implement EFS organizational policies.
Per-User Encryption of Offline Files. You can use EFS to encrypt offline copies of files from remote
servers. When this option is enabled, each file in the offline cache is encrypted with a public key from
the user who cached the file. Thus, only that user has access to the file, and even local administrators
cannot read the file without access to the user's private keys.
Support for AES 256-Bit Encryption. EFS supports industry standard encryption algorithms including
Advanced Encryption Standard (AES). AES uses a 256-bit symmetric encryption key and is the default
EFS algorithm.
9-40
Key Points
EFS users can share encrypted files with other users on file shares and in Web folders. With this support,
you can give individual users permission to access an encrypted file. The ability to add users is restricted
to individual files. After a file has been encrypted, file sharing is enabled through the user interface. You
must first encrypt a file and then save it before adding more users. Users can be added either from the
local computer or from AD DS and Active Directory if the user has a valid certificate for EFS.
It is important that users electing to share encrypted files keep the following points in mind:
Shared EFS files are not file shares. If authorized users need to access shared EFS files over the
network, a file share or Web folder is required. Alternatively, users can establish remote sessions with
computers that store encrypted files by using Terminal Services.
Any user who is authorized to decrypt a file can authorize other users to access the file. Granting
access is not limited to the file owner. Caution users to share files only with trusted accounts because
those accounts can authorize other accounts. Removing the Write permission from a user or group of
users can prevent this problem, but it also prevents the user or group from modifying the file.
EFS sharing requires that the users who will be authorized to access the encrypted file have EFS
certificates. These certificates can be located in roaming profiles or in the user profiles on the
computer on which the file to be shared is stored, or they can be stored in and retrieved from AD DS
and Active Directory.
EFS sharing of an encrypted file often means that the file will be accessed across the network. It is
best if Web folders are used for encrypted file storage whenever possible.
If a user chooses to remotely access an encrypted file stored on a file share and to authorize other
users to access the file, the authorization process and requirements are the same as on the local
computer. Additionally, EFS must impersonate the user to perform this operation, and all of the
requirements for remote EFS operations on files stored on file shares apply.
If a user chooses to remotely access an encrypted file stored on a Web folder and to authorize other
users to access the file, the file is automatically transmitted to the local computer in ciphertext. The
authorization process takes place on the local computer with the same requirements as for encrypted
files stored locally.
You can authorize individual users to access encrypted files. Perform the following steps to share an
encrypted file with other users:
1.
2.
3.
In Windows Explorer, right-click the encrypted file and then click Properties.
On the General tab, select Advanced.
In the Advanced Attributes dialog box, under Compress or Encrypt Attributes, select Details.
Note: If you select an encrypted folder instead of an encrypted file, the Details button appears
dimmed. You can add users to individual encrypted files but not to folders.
4.
5.
9-41
9-42
Key Points
Windows Server 2008 R2 supports the local caching of network files for use when the network connection
may not be available. This feature is referred to as Offline Files. With Offline Files, users are able to have
access to the files they need, regardless of the status of their connection to the network.
Offline files are capable of being encrypted using EFS. Encrypting offline files provides an additional level
of security and ensures that the locally cached copies of network files are protected from unauthorized
access, just as they would be if they were encrypted on the network share.
Windows Server 2008 R2 introduces the ability to encrypt offline files on a per user basis, improving upon
the security of encrypted offline files in previous versions of Windows.
Note: Encrypting offline files does not encrypt the network version of the file; it only encrypts the
local copy.
9-43
Key Points
Windows BitLocker Drive Encryption provides protection for the computer operating system and data
stored on the operating system volume by ensuring that data stored on a computer remains encrypted,
even if the computer is tampered with when the operating system is not running. BitLocker provides a
closely integrated solution in Windows Server 2008 R2 to address the threats of data theft or exposure
from lost, stolen, or inappropriately decommissioned personal computers.
Data on a lost or stolen computer can become vulnerable to unauthorized access when a user either runs
a software attack tool against it or transfers the computers hard disk to a different computer. BitLocker
helps mitigate unauthorized data access by enhancing Windows file and system protections. BitLocker
also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
BitLocker Drive Encryption performs two functions that provide both offline data protection and
system integrity verification:
Encrypts all data stored on the Windows operating system volume (and configured data volumes).
This includes the Windows operating system, hibernation and paging files, applications, and data
used by applications.
BitLocker also provides an umbrella protection for non-Microsoft applications, which benefits the
applications automatically when they are installed on the encrypted volume.
Is configured by default to use a Trusted Platform Module (TPM) to help ensure the integrity of early
startup components (components used in the earlier stages of the startup process), and "locks" any
BitLocker-protected volumes so that they remain protected even if the computer is tampered with
when the operating system is not running.
9-44
Providing a method to check that early boot file integrity has been maintained, and to help ensure
that there has been no adverse modification of those files, such as with boot sector viruses or root
kits.
Enhancing protection to mitigate offline software-based attacks. Any alternative software that might
start the system does not have access to the decryption keys for the Windows operating system
volume.
Locking the system when tampered with. If any monitored files have been tampered with, the system
does not start. This alerts the user to the tampering since the system fails to start as usual. In the
event that system lockout occurs, BitLocker offers a simple recovery process.
In conjunction with the TPM, BitLocker verifies the integrity of early startup components, which helps
prevent additional offline attacks, such as attempts to insert malicious code into those components. This
functionality is important because the components in the earliest part of the startup process must be
available unencrypted so that the computer can start.
As a result, an attacker can change the code in those early startup components and then gain access to
the computer, even though the data on the disk was encrypted. Then, if the attacker gains access to
confidential information such as the BitLocker keys or user passwords, BitLocker and other Windows
security protections can be circumvented.
Additionally, BitLocker Drive Encryption technology in Windows Server 2008 R2 is extended from
operating system drives and fixed data drives to include removable storage devices such as portable hard
drives and USB flash drives.
Password. This is a combination of letters, symbols, and numbers the user will enter to unlock the
drive.
Smart card. In most cases, a smart card is issued by your organization and a user enters a smart card
PIN to unlock the drive.
After choosing the unlock methods, users will be asked to print or save their recovery password. This is a
48-digit password that can also be stored in AD DS and Active Directory and used if other unlock
methods fail (for example, when a password is forgotten). Finally, users will be asked to confirm their
unlock selections and to begin encryption.
When you insert a BitLocker-protected drive into your computer, Windows will automatically detect that
the drive is encrypted and prompt you to unlock it.
9-45
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
2.
3.
4.
5.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
In Hyper-V Manager, click 6420B-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
9-46
Best Practices
Password must contain at least three of the four following character types: lowercase letters (a-z),
uppercase letters (A-Z), numbers (0-9),
non-alphanumeric characters (example, ! @ # $).
Users cannot use a password again until five other different passwords have been used.
Users should be locked out of the system after repeated failed logon attempts.
Modify the Account Lockout Policy settings, updating the appropriate settings with the information
above.
Results: After this exercise, you should have configured Password and Account Lockout settings in
Account Policies.
9-47
Task 2: Assign appropriate NTFS file and folder permissions to the folder structure
1.
2.
3.
4.
Task 3: Share the C:\Research folder on the network and set appropriate shared folder
permissions
1.
2.
9-48
Task 1: Encrypt files and folders using Encrypting File System (EFS)
1.
2.
3.
4.
3.
9-49
Review Questions
1.
What is the most efficient way to give several users access to a shared folder with the same
permissions?
2.
What are some of the ways of protecting sensitive data in Windows Server 2008?
UAC Security Settings are configurable in the local Security Policy Manager (secpol.msc) or the Local
Group Policy Editor (gpedit.msc). However, in most corporate environments, Group Policy is preferred
because it can be centrally managed and controlled. There are nine GPO settings that can be
configured for UAC.
Because the user experience can be configured with Group Policy, there can be different user
experiences, depending on policy settings. The configuration choices made in your environment
affect the prompts and dialog boxes that standard users, administrators, or both, can view.
For example, you may require administrative permissions to change the UAC setting to Always notify
me or Always notify me and wait for my response. With this type of configuration, a yellow
notification appears at the bottom of the User Account Control Settings page indicating the
requirement.
Users should export their certificates and private keys to removable media and store the media
securely when it is not in use. For the greatest possible security, the private key must be removed
from the computer whenever the computer is not in use. This protects against attackers who
physically obtain the computer and try to access the private key. When the encrypted files must be
accessed, the private key can easily be imported from the removable media.
9-50
Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure that the
personal folder, where most documents are stored, is encrypted by default.
Users should encrypt folders rather than individual files. Programs work on files in various ways.
Encrypting files consistently at the folder level makes sure that files are not unexpectedly decrypted.
The private keys that are associated with recovery certificates are extremely sensitive. These keys must
be generated either on a computer that is physically secured, or their certificates must be exported to
a .pfx file, protected with a strong password, and saved on a disk that is stored in a physically secure
location.
A removable USB memory device, such as a USB flash drive. If your computer does not have TPM
version 1.2 or higher, BitLocker stores its key on the memory device.
The most secure implementation of BitLocker leverages the enhanced security capabilities of TPM
version 1.2.
On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows
operating system volume. However, this implementation will require the user to insert a USB startup
key to start the computer or resume from hibernation and does not provide the pre-startup system
integrity verification offered by BitLocker that is working with a TPM.
Module 10
Implementing Network Security
Contents:
Lesson 1: Overview of Network Security
10-3
10-7
10-23
10-31
10-1
10-2
Module Overview
When you connect your computers to a network, you may expose them to additional security threats. It is
important that you identify possible threats, and implement appropriate Windows network security
features to help to eliminate them.
Objectives
After completing this module, you will be able to:
10-3
Lesson 1
There are many network-based security threats. It is important to understand the nature of these threats
and be able to implement appropriate security measures to mitigate them.
Objectives
After completing this lesson, you will be able to:
10-4
Key Points
There are a variety of network security threats, but they fall into a number of categories. Common
network-based security threats include:
Eavesdropping. An eavesdropping attack occurs when a malicious person captures network packets
being sent and received by workstations connected to your network. Eavesdropping attacks may
result in sensitive data, such as passwords, being compromised which can lead to other, perhaps more
damaging, attacks.
Note: Eavesdropping is also known as sniffing.
Denial-of-service. This attack is intended to limit the function of a network application, or make the
application, or network resource, unavailable. There are numerous ways in which a malicious person
can initiate a denial-of-service attack; often, however, the attacker is aware of vulnerabilities in the
target application that they can exploit in order to render it unavailable.
Man-in-the-middle. The malicious attacker uses a computer to impersonate a legitimate host on the
network with which your computers are communicating. The attacker intercepts all of the
communications intended for the destination host. The attacker may wish to view the data in transit
between the two hosts, but can also modify the data in transit.
Hacking. This is a generic term that means any type of network attack.
Question: Has your network been the victim of a malicious attack? What type of attack was it?
10-5
Key Points
One of the most important things to realize is that attackers look for access into your network using a
variety of tools and techniques. Once they have found a way in, however minor and apparently
innocuous, they can exploit that success, and take the attack further. For this reason, it is important to
implement a holistic approach to network security to ensure that one loophole or omission does not
result in another.
You can use any or all of the following defense mechanisms to help to protect your network from
malicious attack.
Internet protocol security (IPsec). IPsec provides a way to authenticate IP-based communications
between two hosts and, where desirable, encrypt that network traffic.
Firewalls. Firewalls allow or block network traffic based on the type of traffic.
Perimeter networks. A perimeter network is an isolated area on your network to and from which there
is defined network traffic flow. When you need to make network services available on the Internet, it
is inadvisable to connect the hosting servers directly to the Internet. By placing these servers in a
perimeter network, you can make them available to Internet users without letting those users gain
access to your corporate intranet.
Virtual private networks (VPNs). When your users must connect to your corporate intranet from the
Internet, it is important that they do so as securely as possible. The Internet is a public network and
data in transit across it is susceptible to eavesdropping or man-in-the-middle attacks. By
authenticating and encrypting connections between your remote users and your corporate intranet
through the use of a VPN you can mitigate these risks.
Server hardening. By only running the services you need, you can make your servers inherently more
secure. To determine what services you require, you must establish a baseline of security among your
servers. Because it is sometimes difficult to determine precisely which Windows Server services are
required to support the desired functionality, you can use tools such as the Security Configuration
Wizard or the Microsoft Baseline Security Analyzer to help you.
10-6
Intruder detection. While it is important to implement the preceding techniques to help to secure
your network, it is also sensible to monitor your network for signs that it has been attacked. You can
implement intruder detection systems to help you perform this task. You can implement intruder
detection systems on devices at the perimeter of your network such as Internet-facing routers.
10-7
Lesson 2
Implementing Firewalls
A firewall helps protect your computer against access attempts from unauthorized computers that are
located on the Internet. You can implement firewalls using software, hardware, or a combination of both.
Firewalls work on the principle of filtering network traffic based on the characteristics of that traffic, and
then either allowing or blocking the traffic as determined by your configuration.
Objectives
After completing this lesson, you will be able to:
Describe configurable settings in Windows Firewall with Advanced Security management console
snap-in.
Describe IPsec.
10-8
Types of Firewall
Key Points
There are four types of firewalls. These are:
Application-layer gateways. Operate at the application layer of the Open Systems Interconnection
(OSI) model. Application-layer gateways proxy requests to or from your network and do not allow
traffic for which you have not defined a proxy. In other words, a Hypertext Transfer Protocol (HTTP)
proxy does not pass File Transfer Protocol (FTP) traffic. Application-layer gateways enable you to
configure Network Address Translation (NAT) traversal filters that can support both IP address and
port translation settings to support specific application layer protocols. This enables applications such
as instant messaging, file transfer, and others to function through your firewall without you needing
to open up multiple specific ports.
Circuit-level gateways. Operate at the session layer of the OSI model and monitor datagrams between
communicating hosts to verify that requested sessions are legitimate. Circuit-level gateways monitor
the TCP hand-shaking process used to establish TCP sessions between hosts to determine if the
session is legitimate. Additionally, information passed from your network to remote hosts appears to
originate from the circuit-level gateway. This is useful in hiding information about your network from
remote hosts.
Packet filters. Operate at the network level of the OSI model and are often implemented as part of a
router. Each packet is filtered and compared with an action list to determine the appropriate action to
take with the packet. Actions include allowing or blocking the packet. Most consumer broadband
routers provide this functionality.
Stateful multilayer inspection. These firewalls combine aspects of the other three firewall types
providing a high level of security. A stateful multilayer inspection firewall examines data at all seven
layers of the OSI model. Unlike other firewalls, stateful multilayer inspection firewalls not only inspect
the packet header, but also inspect the packet payload. Each packet is examined and compared with
example packets to determine the likelihood the packet contains malicious data.
You can install firewalls on hosts, such as Windows Server, or implement firewalls as software in devices
such as routers.
10-9
10-10
Key Points
In order to make your network applications available to users connected to the Internet, you must publish
these applications. A common way of publishing these applications, while maintaining security, is to use
servers placed in a perimeter network.
There are a number of different ways that you can configure your perimeter network, and these include:
Three-legged firewall. A single device or computer with multiple network interface cards, one of
which is Internet-facing, another of which is connected to the perimeter network, and the remaining
card being connected to the intranet. Software installed on the host is used to create the separation
between the networks. The separation is achieved through filtering on the firewall device so that only
specified traffic is passed between the interfaces designated as public, private, and perimeter. This
solution works well for smaller networks; however, because the firewall device is connected directly to
all three networks, security is compromised compared with other solutions.
Dual back-to-back firewalls. In this scenario, two firewalls are connected in sequence across three
networks: the Internet, your perimeter network, and your corporate intranet. The network to which
both firewalls are connected is the perimeter network. The firewalls are configured to allow only
appropriate traffic to pass between their connected networks. This is a more complex and expensive
solution because it requires additional hardware and software to configure; however, it provides for a
more secure environment and is the configuration of choice for larger networks.
Through the combination of hardware and software, and with appropriate configuration, you should be
able to create a perimeter network with the degree of network isolation that you require, while at the
same time allowing for the necessary communication between devices located in each of the three
networks.
Best Practice
Only deploy services that you specifically need in your perimeter network, and always publish services
where possible, rather than physically deploy servers to the perimeter.
10-11
It is rare for an organization to operate without the need to connect its network infrastructure to the
Internet. At the very least, most organizations use e-mail applications to conduct some elements of their
core business.
Conduct an audit of the network services that you have within your organization and determine which
services must be available to users from the Internet. Then consider how you want to make those services
available. For example, if users require access to their e-mail while they work away from their office,
consider the use of Web-based e-mail solutions because these are often easier to make securely available.
Note: Applications can be configured to use specific TCP ports; indeed, many applications are
configurable to use only HTTP or HTTP Secure (HTTPS). This means that you can configure the
Internet-facing firewall to allow only TCP port 80/443 inbound.
Comments
Web server
HTTP, HTTPS
Active
Directory
Domain
Services
(AD DS)
Web
HTTPS, Session Initiation Protocol
Conferencing (SIP), Persistent Shared Object
Model (PSOM), Real-time
Transport Protocol (RTP), Realtime Control Protocol (RTCP)
Instant
Messaging
SIP
10-12
Key Points
Windows Firewall is a host-based, stateful firewall included in the Windows Server 2008 R2 operating
system. Windows Firewall helps provide protection from malicious users and programs that rely on
unsolicited incoming traffic to attack computers.
Microsoft first introduced Windows Firewall in the Windows XP with Service Pack 2 (SP2) operating
system. Windows Server 2008 R2 provides significant improvements to Windows Firewall.
In Windows Server 2008 R2, Windows Firewall implements network traffic filtering in both directions
that is, inbound and outbound traffic. By default, Windows Firewall blocks all inbound traffic unless it
either matches a configured rule, or is in response to a request from the local computer. By default,
Windows Firewall allows all outbound traffic, unless it matches a configured rule. You can configure
Windows Firewall by using several different management programs. The choice of which program to use
depends on whether you wish to administer a single computer, or multiple computers. In addition, only
some of the management programs give you access to the more advanced Windows Firewall
configuration settings.
You access the new Windows Firewall with Advanced Security console from Control Panel by selecting
Administrative Tools. You can also access the same configuration settings by using Group Policy. Windows
Firewall with Advanced Security allows you to configure more advanced settings than you could by using
the Windows Firewall Control Panel item.
10-13
Key Points
The first time that your computer connects to a network, you must select a network location. This
automatically sets appropriate firewall and security settings for that type of network. When you are
connecting to networks in different locations, choosing a network location can help ensure that the
computer is always set to an appropriate security level. There are three network locations:
Private networks. Private networks are networks at home or work where you know and trust the
people and devices on the network. When private networks are selected, Network Discovery is turned
on.
Public networks. Public networks are networks in public places. This location keeps the computer from
being visible to other computers. When Public place is the selected network location, Network
Discovery is turned off.
Domain networks. Domain networks are networks at a workplace that are attached to a domain. This
option is used automatically for any network that allows communication with a domain controller.
Network Discovery is on by default.
You can modify the firewall settings for each type of network location from the main Windows Firewall
page. Click Turn Windows Firewall on or off, select the network location, and then make your selection.
You can also choose to modify the following options:
Block all incoming connections, including those in the list of allowed programs
10-14
The Public networks location blocks certain programs and services from running to help protect the
computer from unauthorized access. If you are connected to a Public network and Windows Firewall is
turned on, some programs or services might ask you to allow them to communicate through the firewall
so that they work properly.
10-15
Key Points
Use the Windows Firewall with Advanced Security Properties page to configure basic firewall
properties for domain, private, and public network profiles. A firewall profile is a way of grouping settings,
including firewall rules and connection security rules. Use the IPsec Settings tab to configure the default
values for IPsec configuration options. The options that you can configure for each of the three network
profiles are:
Firewall State. You can turn the firewall on or off independently for each profile.
Inbound Connections. You can configure to block connections that do not match any active firewall
rules, block all connections regardless of inbound rule specifications, or allow inbound connections
that do not match an active firewall rule.
Outbound Connections. You can configure to allow connections that do not match any active firewall
rules or block outbound connections that do not match an active firewall rule.
Settings. You can configure display notifications, unicast responses, local firewall rules, and local
connection security rules.
Inbound
Outbound
Connection Security
10-16
Inbound Rules
Inbound rules explicitly allow or block traffic that matches criteria in the rule. For example, you can
configure a rule to allow traffic secured by IPsec for Remote Desktop through the firewall, but block the
same traffic if it is not secured by IPsec.
When Windows is first installed, all unsolicited inbound traffic is blocked. To allow a certain type of
unsolicited inbound traffic, you must create an inbound rule that describes that traffic. For example, if you
want to run a Web server, then you must create a rule that allows unsolicited inbound network traffic on
TCP port 80. You can configure the default action that Windows Firewall with Advanced Security takes
whether connections are allowed or blocked when no inbound rule applies.
Outbound Rules
Windows Firewall allows all outbound traffic unless a rule blocks it. Outbound rules explicitly allow or
deny traffic originating from the computer that matches the criteria in the rule. For example, you can
configure a rule to explicitly block outbound traffic to a computer (by IP address) through the firewall, but
allow the same traffic for other computers.
Program rules. Program rules can control connections for a program. Use this type of firewall rule to
allow a connection based on the program that is trying to connect. These rules are useful when you
are not sure of the port or other required settings since you only specify the path to the program
executable (.exe) file.
Port rules. Port rules can control connections for a TCP or UDP port. Use this type of firewall rule to
allow a connection based on the TCP or UDP port number over which the computer is trying to
connect. You specify the protocol and individual or multiple local ports.
Predefined rules. Predefined rules can control connections for a Windows experience. Use this type of
firewall rule to allow a connection by selecting one of the programs or experiences from the list.
Network-aware programs that you install typically add their own entries to this list so that you can
enable and disable them as a group.
Custom rules. Custom rules can be configured as needed. Use this type of firewall rule to allow a
connection based on criteria not covered by the other types of firewall rules.
Monitoring
Windows Firewall uses the monitoring interface to display information about current firewall rules,
connection security rules, and security associations. The Monitoring overview page displays which profiles
are active (domain, private, or public) and the settings for the active profiles.
Note: When you view the Windows Firewall with Advanced Security snap-in within the Group Policy
Editor snap-in, the Monitoring node does not display. Also keep in mind, The Windows Firewall with
Advanced Security events are available in Event Viewer.
10-17
10-18
Key Points
In this demonstration, you will see how enable an inbound firewall rule.
Demonstration Steps:
1.
2.
3.
4.
10-19
What Is IPsec?
Key Points
IPsec is a framework of open standards for protecting communications over IP networks through
cryptographic security services. IPsec supports:
Data integrity.
Data confidentiality.
Replay protection.
You typically use IPsec to attain confidentiality, integrity, and authentication in data transport across
insecure channels. Though its original purpose was to secure traffic across public networks, its
implementations are often used to increase the security of private networks, since organizations are not
always sure if weaknesses in their own private networks are susceptible to exploitation.
IPsec provides the following benefits:
Transport mode. This is the default mode for IPsec. In transport mode, IPsec only encrypts the IP
payload; the IP header is not encrypted. Transport mode should be selected for end-to-end
communications, such as that which occurs between a client and a server computer.
10-20
Tunnel mode. In tunnel mode, IPsec encrypts the IP header and the payload. Tunnel mode is most
useful for communications between two networks when that communication takes place over an
untrustworthy network, such as the Internet.
10-21
Key Points
In earlier Windows versions, managing IPsec policies and managing Windows Firewall were two separate
processes achieved by using different management tools. Windows Server 2008 R2 unites IPsec and
Windows Firewall so that you can manage both IPsec and Windows Firewall policies and rules through a
single interface and set of command-line utilities.
10-22
connection (in either direction) and the two computers cannot authenticate each other, then the
connection is blocked.
The configurable connection security rules are:
Isolation. An isolation rule isolates computers by restricting connections based on credentials such as
domain membership or health status. Isolation rules allow you to implement an isolation strategy for
servers or domains.
Authentication exemption. You can use an authentication exemption to designate connections that
do not require authentication. You can designate computers by specific IP address, an IP address
range, a subnet, or a predefined group such as a gateway.
Server to Server. A server-to-server rule protects connections between specific computers. This type of
rule usually protects connections between servers. When you create the rule, you specify the network
endpoints between which communications are protected. You then designate requirements and the
authentication you want to use.
Tunnel. A tunnel rule allows you to protect connections between gateway computers. You typically
use it when connecting across the Internet between two security gateways. You must specify the
tunnel endpoints by IP address, and then specify the authentication method used.
Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set
up the authentication rules you need by using the other rules available in the New Connection
Security Rule wizard.
Requirements. You can select whether the rule requests authentication, requires inbound
authentication, or requires both inbound and outbound authentication.
Authentication methods. You can select between a number of authentication methods; Kerberos,
digital certificates, NTLMv2, and pre-shared key. You can also configure the rule to attempt a number
of different methods in a preferred order.
Profile. Associate the rule with the appropriate network profile. You can select one or all of the
following: domain, private, or public.
Exempt computers. For authentication exemption rules only, define the exempt computers by IP
address, IP address range, or IP subnet.
Endpoints. For server-to-server rules only, define the IP addresses affected by the rule.
Tunnel endpoints. For tunnel rules only, define the tunnel endpoints affected by the rule.
Note: There is a significant difference between connection security rules and IPsec policies. An IPsec
policy can filter traffic to the specific port level, while a connection security rule cannotit only
applies between computers, and not for specific types of traffic between those computers.
10-23
Lesson 3
Network Access Protection (NAP) helps to ensure compliance with specific health policies for computers
accessing your network. NAP helps you achieve and maintain a specific health policy. This lesson provides
information about how NAP works, and how to configure NAP.
Objectives
After completing this lesson, you will be able to:
Describe NAP.
10-24
Key Points
If computers connect to your network without protection from viruses, malware, and other network-borne
security threats, their security may be compromised which in turn could compromise the security of other
computers on your network. It is important to ensure that all computers connecting to your network are
up-to-date with security updates, are running antivirus and anti-malware software which is up-to-date,
and have a suitably configured firewall running.
While it is relatively straightforward to ensure desktop computers that remain connected to only your
corporate intranet are compliant with these requirements, it is less easy with roaming computers or
computers that connect to your network from unmanaged networks such as those of a business partner
or the home networks of your users.
NAP in the Windows Server 2008 R2 operating system provides a way for you to manage network
compliance through the use of network health policies.
10-25
Key Points
NAP provides components to help you enforce health requirement policies for network access and
communication. NAP allows you to create policies for validating computers that connect to your network,
and to provide required updates or access to required health update resources while limiting the access or
communication of noncompliant computers. You can customize your health maintenance solution to:
Monitor computers accessing your network for health policy compliance. The health policy may
include checks for:
Limit access for computers that do not meet health policy requirements, to a restricted network.
Although NAP helps you automatically maintain the health of your networks computers, which in turn
helps maintain your networks overall integrity, NAP does not protect your network from malicious users.
For example, if a computer has all of the software and configuration settings that the health policy
requires, then the computer is compliant and has unlimited network access; however, NAP does not
prevent an authorized user with a compliant computer from uploading a malicious program to the
network, or engaging in other inappropriate behavior.
NAP Functions
NAP has three important and distinct functions:
Health state validation. When a computer attempts to connect to the network, the NAP health policy
server validates the computers health state against the health-requirement policies that you define.
10-26
You also can define what to do if a computer is not compliant. In a monitoring-only environment, the
NAP health policy server validates the health state of all computers, and then logs the compliance
state of each computer for subsequent analysis. In a limited-access environment, computers that
comply with the health-requirement policies have unlimited network access. Computers that do not
comply with health-requirement policies may have their access limited to a restricted network.
Health policy compliance. You can help ensure compliance with health requirement policies by
automatically updating noncompliant computers with missing software updates and configuration
changes. You can do this by using management software, such as Microsoft System Center
Configuration Manager 2007. In a monitoring-only environment, computers have network access
before they are updated with required updates or configuration changes. In a limited access
environment, noncompliant computers have limited access until the updates and configuration
changes are complete. In both environments, computers that are compatible with NAP can become
compliant automatically, and you can define exceptions for computers that are not NAP-compatible.
Limited access. You can protect your network by limiting noncompliant computers access. You can
base limited network access on a specific time limit, or on what the noncompliant computer can
access. In the latter case, you define a restricted network containing health update resources, and the
limited access lasts until the noncompliant computer becomes compliant. You also can configure
exceptions, so computers that are not compatible with NAP do not have their network access limited.
10-27
NAP Scenarios
Key Points
NAP provides a solution for the common scenarios described in this section. Depending on your needs,
you can configure a solution to address any or all of these scenarios for your network.
Roaming Laptops
Portability and flexibility are two primary laptop advantages, but these features also present a health
threat. Users frequently connect their laptops to other networks. While laptops are away from your
organization, they might not receive the most recent software updates or configuration changes.
Additionally, exposure to unprotected networks, such as the Internet, may introduce security-related
threats to the laptops. NAP allows you to check any laptops health state when it reconnects to the
organizations network, whether through a virtual private network (VPN) connection, or the workplace
network connection.
Desktop Computers
Although desktop computers usually do not leave the company building, they still can present a threat to
your network. To minimize this threat, you must maintain these computers with the most recent updates
and required software. Otherwise, these computers are at risk of infection from Web sites, e-mail, files
from shared folders, and other publicly accessible resources. NAP allows you to automate health state
checks to verify each desktop computers compliance with health-requirement policies. You can check log
files to determine which computers do not comply. Additionally, using management software allows you
to generate automatic reports, and to automatically update noncompliant computers. When you change
health-requirement policies, computers can be provisioned automatically with the most recent updates.
Visiting Laptops
Organizations frequently need to allow consultants, business partners, and guests to connect to their
private networks. The laptops that these visitors bring into your organization might not meet system
health requirements, and can present health risks. NAP enables you to determine which visiting laptops
10-28
are noncompliant, and limit their access to restricted networks. Typically, you would not require or
provide any updates or configuration changes for visiting laptops. You can configure Internet access for
visiting laptops, but not for other organizational computers that have limited access.
10-29
Key Points
Components of the NAP infrastructureknown as enforcement clients and enforcement serversrequire
health state validation, and enforce limited network access for noncompliant computers. The Windows 7
operating system, the Windows Vista operating system, the Windows XP with SP3 operating system, the
Windows Server 2008 operating system, and Windows Server 2008 R2 include NAP support for the
following network access or communication methods:
Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated network connections. With
IEEE 802.1X enforcement, a computer must be compliant to obtain unlimited network access through
an IEEE 802.1X-authenticated network connection, such as to an authenticating Ethernet switch, or an
IEEE 802.11 wireless access point (AP).
Remote access VPN connections. With VPN enforcement, a computer must be compliant to obtain
unlimited network access through a remote access VPN connection.
Dynamic Host Configuration Protocol (DHCP) address configurations. With DHCP enforcement, a
computer must be compliant to obtain unlimited access to Internet Protocol version 4 (IPv4) address
configuration from a DHCP server. For noncompliant computers, network access is restricted with an
IPv4 address configuration that limits access to the restricted network.
These network access or communication methods are known as NAP enforcement methods. You can use
them separately or together to limit noncompliant computer access or communication. A server that is
running Network Policy Server (NPS) in Windows Server 2008the replacement for Internet
Authentication Server (IAS) in Windows Server 2003acts as a health policy server for all of these NAP
enforcement methods.
Question: Which of the NAP enforcement types would best suit your company? Can you see your
organization using multiple NAP enforcement types? If so, which ones?
10-30
Key Points
In this demonstration, you will see how to enable an inbound firewall rule.
Demonstration Steps:
1.
2.
3.
4.
5.
6.
7.
10-31
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
2.
3.
4.
5.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
In Hyper-V Manager, click 6420B-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Ed Meadows has asked you to improve network security on domain-attached computers. He has supplied
the requirements in an e-mail message. You must read the requirements and then implement them on a
client computer.
E-Mail thread of correspondence with Ed Meadows:
Charlotte Weiss
From: Ed Meadows [Ed@contoso.com]
Sent:
18 June 2010 13:14
To:
Charlotte@contoso.com
Subject: Improving network security
Charlotte,
10-32
Ive got some concerns about network security. Id like to prevent attackers from using ping.exe on our
network. As you know, by using ping.exe, malicious attackers can determine whether servers are online
and may be able to exploit additional weaknesses on those servers with other tools.
Additionally, I want to make sure that only clients that are running antivirus software can connect to the
network. Can you implement these changes?
Thanks
Ed
Question: From the monitoring node, under Firewall, can you see the new rule?
10-33
10-34
Task 2: Configure the Dynamic Host Configuration Protocol (DHCP) Server role
1. Open DHCP from Administrative Tools.
2.
3.
4.
5.
6.
7.
8.
9.
10-35
In the Network Policy Server console, in the navigation pane, expand Policies and then click
Network Policies.
In the Results pane, right click each of the two listed policies, and for each one, click Disable.
2.
3.
10-36
21. On the Configure Authentication Methods page, clear all check boxes, select the Perform
machine health check only check box and then click Next.
22. On the Configure Constraints page, click Next.
23. On the Configure Settings page, in the Settings list, click NAP Enforcement.
24. In the Results pane, click Allow limited access and then click Next.
25. On the Completing New Network Policy page, click Finish.
Click Start, and in the Search box, type Network and in the Control Panel (28) list, click Network
and Sharing Center.
In Network and Sharing Center, in the left-pane, click Change adapter settings.
Right-click Local Area Connection and then click Properties.
Configure the adapter to:
a.
b.
2.
3.
4.
5.
6.
Right-click 6420B-NYC-DC1 in the Virtual Machines list, and then click Revert.
In the Revert Virtual Machine dialog box, click Revert.
Repeat these steps for 6420B-NYC-SVR2 and 6420B-NYC-CL1.
In the Virtual Machines pane, click 6420B-NYC-DC1, and then in the Actions pane, click Start.
To connect to the virtual machine for the next modules lab, click
6420B-NYC-DC1, and then in the Actions pane, click Connect.
Important: Start the 6420B-NYC-DC1 virtual machine first, and ensure that it is fully started before
starting the other virtual machines.
10-37
10-38
Review Questions
1.
2.
3.
Why is it important to publish services to the perimeter rather than connect servers directly to the
Internet?
If you wanted to ensure that only domain computers could communicate with other domain
computers, how could you easily achieve this with Windows Firewall?
You have implemented NAP in your organization, but are surprised when a computer from a visiting
organization is responsible for a virus outbreak, despite meeting your organizations health
requirements. Should you be surprised?
Best Practices
Do not make it easy to connect to your network; if someone can plug a laptop into your network and
access your intranet, you could face serious problems.
Implement firewalls.
Restrict switch ports and wireless access points based on media access control (MAC) address or client
certificates.
10-39
Tools
Tool
Use for
Where to find it
Server Manager
Add roles
Start Menu
DHCP
Administrative Tools
Administrative Tools
policies
mmc.exe
Ping.exe
Command-line
Managing inbound,
Control Panel
Services.msc
Manage services
Command-line or Run
Napclcfg.msc
Command-line or Run
10-40
Module 11
Implementing Security Software
Contents:
Lesson 1: Client Protection Features
11-3
11-13
11-20
11-29
11-1
11-2
Module Overview
Computers are now, more than ever, interconnected. The Internet is accessible from almost anywhere a
user takes a computer, and corporate networks are accessible from a users home through remote access.
Communication among networks is continuous. Critical and private information is routinely sent out via email, and the number of e-mail messages received by users continues to increase. Private corporate
networks are now almost always connected in some way to the public Internet and a great deal of
available server-oriented software requires, or at least recommends Internet access.
As the extent of connectivity increases, so to does the risk of some manner of compromise to the
computer or network connected. Malicious code, unauthorized use and data theft are all risks that need
to be accounted for and mitigated by an information technology (IT) administrator.
Objectives
After completing this module you will be able to:
Describe security threats posed by e-mail and how to mitigate these threats.
Explain how to improve server security using Windows Server security analysis and hardening tools.
11-3
Lesson 1
As client operating systems get more advanced and security threats increase, more mitigating features are
being built into the operating system as a first line of defense. Building defenses into the operating
system, however, is not meant to be the sole method used to secure your client infrastructure. Client
protection features provide further methods to protect your client infrastructure, providing a safer
infrastructure as a whole.
With the release of the Windows Server 2008 R2 operating system there are a few built-in technologies
that have been modified and other new features added in order to help you to enhance the security of
your desktop infrastructure, which is in constant communication with your network.
This lesson will introduce you to these technologies and explain how they can be used within your
environment to help enhance the security and integrity of your client infrastructure.
Objectives
After completing this lesson you will be able to:
Describe AppLocker.
Configure AppLocker.
11-4
Key Points
One of the primary security concerns for client computers is the current applications available on each
computer. In order to do their jobs, users need access to the applications that meet their specific needs.
There is also the possibility, however, that unneeded or unwanted applications get installed on the client
computers, whether unintentionally or for malicious or non-business purposes.
Introduced in the Windows XP operating system and the Windows Server 2003 operating system, SRPs
allow an administrator to identify and specify which applications are permitted to run on client
computers. SRP settings are configured and deployed to clients using Group Policy. An SRP set is
comprised of the following key components.
Rules
Rules govern how SRP responds to an application being run or installed. Rules are the key constructs
within an SRP and a group of rules together determine how an SRP will respond to applications being
executed. Rules can be based on one of the following criteria which apply to the primary executable file
for the application in question.
Path. The local or Universal Naming Convention (UNC) path of where the file is stored.
Security Levels
Each applied SRP is assigned a security level that governs the way the operating system reacts when the
application that is defined in the rule is executed. The three available security levels are explained in the
following points.
Disallowed. The software identified in the rule will not run, regardless of the access rights of the user.
Basic User. Allows the software identified in the rule to run as a standard, non-administrative user.
Unrestricted. Allows the software identified in the rule to run unrestricted by SRP.
11-5
Disallowed. No applications will be allowed to run unless an SRP rule is created that allows each
specific application or set of applications to run.
Basic User. All applications will run under the context of a basic user, regardless of the permissions of
the user that is logged in unless an SRP rule is created to modify this behavior for a specific
application or set of applications.
Unrestricted. All applications will run as if SRP was not enabled, unless specifically defined by an SRP
rule.
Based on these three components, there are two primary ways to use SRPs.
If an administrator knows all of the software that should be allowed to run on clients, the Default
Security Level could be set to Disallowed. All applications that should be allowed to run can be
identified in SRP rules that would apply either the Basic User or Unrestricted security level to each
individual application, depending on the security requirements.
If an administrator does not have a comprehensive list of the software that should be allowed to run
on clients, the Default Security Level could be set to Unrestricted or Basic User, depending on security
requirements. Any applications that should not be allowed to run could then be identified using SRP
rules which would use a security level setting of Disallowed.
Software Restriction Policy settings can be found in Group Policy in the following location: Computer
Configuration\Windows Settings\Security Settings\Software Restriction Policies.
Note: Software Restriction Policies are not enabled by default in Windows Server 2008 R2.
11-6
What Is AppLocker?
Key Points
Applocker (introduced in the Windows 7 operating system and Windows Server 2008 R2) provides a
number of enhancements which improve upon the functionality previously provided by SRP. AppLocker
provides administrators with a variety of methods for quickly and concisely determining the identity of
applications that they may want to restrict or permit access to.
AppLocker is applied through Group Policy to computer objects within an organizational unit. As well,
individual AppLocker rules can be applied to individual Active Directory Domain Services (AD DS) users
or groups.
AppLocker also contains options for monitoring or auditing the application of rules, both as rules are
being enforced and in an audit-only scenario.
AppLocker can help organizations prevent unlicensed or malicious software from executing, and can
selectively restrict ActiveX controls from being installed. It can also reduce the total cost of ownership by
ensuring that workstations are standardized across their enterprise and that users are running only the
software and applications that are approved by the enterprise.
Specifically, the following scenarios provide examples of where AppLocker can be used to provide some
level of application management.
Your organization implements a policy to standardize the applications used within each business
group, so you need to determine the expected usage compared to the actual usage.
The security policy for application usage has changed, and you need to evaluate where and when
those deployed applications are being accessed.
Your organization's security policy dictates the use of only licensed software, so you need to
determine which applications are not licensed or prevent unauthorized users from running licensed
software.
11-7
An application is no longer supported by your organization, so you need to prevent it from being
used by everyone.
A new application or a new version of an application is deployed, and you need to allow certain
groups to use it.
Specific software tools are not allowed within the organization, or only specific users have access to
those tools.
A single user or small group of users needs to use a specific application that is denied for all others.
Some computers in your organization are shared by people who have different software usage needs.
AppLocker is available in the following editions of Windows:
11-8
AppLocker Rules
Key Points
Like SRP, AppLocker uses a rule-based implementation. Rules are the main component used to control
application execution and provide the foundation for a secure application control environment.
AppLocker Rules are created in the Group Policy Editor interface and provide a number of easy to use
wizards to configure and establish your AppLocker environment.
Default Rules
AppLocker contains a small set of default rules designed to ensure key operating systems. Specifically, the
default rules enable the following:
All users to run all files signed by the Windows operating system.
Creating Rules
Rules are comprised of the following elements.
Permissions. The permissions setting determines how AppLocker will affect the application defined in
the rule. There are two settings for permissions.
In addition, the Permissions area contains the option to specify users or groups to apply the rule to.
Conditions. The Conditions settings provide the details around the actual application definition for
the rule. There are three conditions from which to select.
11-9
Publisher. Publisher identifies the application based on a number of variables contained within
the software publishers digital signature. This condition can only be used if the application you
wish to identify has been digitally signed by its publisher.
Path. Path allows you to specify a specific file or folder path where the applications executable
file resides. If a folder is selected, the rule being defined will apply to all files contained in the
folder.
File hash. File hash identifies the applications executable file based on file hash of the executable.
File hash is most commonly selected when the application selected has not been digitally signed
by its publisher.
In addition, the Conditions section provides the option to add exceptions based on the condition used or
another of the conditions. For example, a rule created using the Publisher may allow all applications that
have been digitally signed the publisher Microsoft. In addition, an exception may be created based on a
Path condition to restrict applications found in a specific folder.
Name. A descriptive name can be provided to allow for easy identification and sorting of multiple
AppLocker rules.
11-10
Key Points
In this demonstration you will see how to configure AppLocker.
Demonstration Steps:
1.
2.
3.
11-11
Key Points
While SRPs have been included in Windows Server 2008 R2 and Windows 7 for backwards compatibility
purposes, AppLocker provides a number of enhancements over SRP. AppLocker is the recommended tool
for providing application management when working within a Windows Server 2008 R2 and Windows 7
environment. AppLocker provides a more simplified and streamlined implementation and interface than
SRP while also enabling a greater measure of control and flexibility when creating and implementing
Rules.
11-12
A more intuitive enforcement model; only a file that is specified in an AppLocker rule is allowed to run.
A new, more accessible user interface that is accessed through a new Microsoft Management Console
(MMC) snap-in extension to the Group Policy Management Console snap-in.
An audit-only enforcement mode that allows administrators to determine which files will be prevented
from running if the policy were in effect.
The following table outlines other key differences between AppLocker and SRPs.
Feature
SRP
AppLocker
Rule scope
Implicit Deny
No
Yes
Yes
No
Yes
Rule collection
No
Yes
No
Yes
No
Yes
11-13
Lesson 2
E-Mail Protection
One of the major threats today is the introduction of malicious code into a corporate network. Malicious
code can be extremely detrimental to the proper functionality of the corporate network and the creators
of malicious code are becoming increasingly inventive in finding new ways to introduce this code into an
environment.
One of the most common and effective methods of getting malicious code into an environment is
through e-mail. Due to its widespread use, necessity for organizational functionality as well as the
inherent trust of the delivery mechanism, e-mails carrying some form of malicious code continue to be a
problem for IT administrators.
This lesson will introduce you to various methods for mitigating the threat of unsafe e-mail activity within
a number of different areas in a corporate network environment.
Objectives:
After completing this lesson, you will be able to:
11-14
Key Points
A large amount of todays e-mail messages are unwanted or unsolicited. Even as
e-mail filtering systems become more intelligent in the way they analyze and block these types of
messages, the perpetrators of these illegitimate e-mails are coming up with new ways to get around the
protection provided. The most common threats of e-mail today are:
Spam
Spam is usually an unsolicited e-mail that arrives in your inbox, typically sent as part of a bulk junk e-mail
operation. E-mail addresses are harvested or collected in various methods, most commonly by extracting
addresses from internet forums and postings. These addresses are then used to target users to purchase
goods and services that may or may not be valid. Often spammers will include propaganda to make the
e-mail look more valid than it actually is, and viruses are sometimes present in spam e-mails.
Phishing
One form of spam is called phishing. Phishing is an attempt to gather what is usually sensitive information
from a user. The most common form of phishing is to request to harvest key security information and
bank details from a user by diverting them to a falsified Web site. Over the years phishing attacks have
increased. It is an easy way to gain access to reusable information without having to continually spam the
user trying to get them to purchase goods or services. Windows Server 2008 R2, Windows 7, and Windows
Internet Explorer (IE) 8 (the default browser) includes a phishing filter which checks against
known falsified Web sites commonly trying to gather information from unsuspecting users.
Spoofing
Spoofing is another common threat wherein the sender attempts to mask or hide their identity as if they
were someone else. Spoofing makes an e-mail from User A to User B allow User A to essentially identify
themselves as anyone they would like to be, rather than simply being User A.
11-15
Viruses
A virus is a piece of malicious code that will copy itself and then expand in some way shape or form.
Usually it sends itself out in a piece of spam or by taking control of other computers and trying to infect
them as well. The term virus has become a catch-all term referring to traditional viruses, wherein there
was not a reason other than to exploit code. But now the term includes malware, adware and spyware,
and all programs which infect machines. Many viruses will perform malicious activity on an infected
computer, such as data theft or disabling of essential applications.
11-16
Server-Side Solutions
Key Points
To protect from the various levels of threats that exist within the confines of e-mail infrastructure, several
methods and layers of protection are required to effectively keep the threat of e-mail-based attacks at an
acceptable level.
In a server environment, several general methods exist that combine to decrease the threat of unwanted
e-mail or e-mail server activity.
Content Filtering
Content filtering is a method commonly used to identify spam e-mail. Typically, either software installed
on a server or a dedicated device is responsible for intercepting e-mail either to (most common) or from
the e-mail server. The contents of the e-mail are then checked against an existing database or catalog of
known spam-related terms or patterns. E-mail messages that appear to be spam are either deleted or sent
to a quarantine area, preventing them from reaching their intended destination.
Blocklist filtering identifies e-mail addresses that are known to be associated with unwanted activity.
E-mails coming from blocklisted addresses are filtered and removed.
Allowlist filtering works in the reverse of blocklist filtering. When allowlist filtering is used, e-mail
addresses contained in the allowlist database are identified as valid addresses. Allowlist filtering is
most commonly used in conjunction with content filtering to prevent e-mails coming from valid
senders being incorrectly identified as spam.
11-17
IP Block/Allow Lists
Using IP addresses is another way to identify the source of e-mail messages. E-mail servers can be
configured to check against a database of IP addresses that are either known as valid or addresses that
have been flagged as sources of spam-related activity. Similar to e-mail address filtering, IP-based
blocklists and allowlists are often used in conjunction with more sophisticated content filtering to
decrease the occurrence of false positives.
11-18
Client-Side Solutions
Key Points
While server-based solutions and tools deployed into an organizations perimeter network provide the
best defense against e-mail-based threats attempting to enter your network, no one solution will
eliminate 100% of e-mail-based threats.
Client-side e-mail security management provides an additional level of protection from unwanted e-mail
for your users.
Safe senders. Safe senders are addresses that have been identified as known and trusted senders of email. Messages received from addresses located in the safe senders list are treated in a trusted
manner and will be allowed to display images and other functions that might be considered
potentially harmful if coming from an untrusted address.
Block senders. In contrast to the safe senders list, the blocked senders list contains a list of addresses
that are known as unsafe. Messages from these addresses are filtered in order to prevent the potential
for harmful activity.
Office Outlook 2007 and 2010 also allow a user to maintain a list of international top-level domains (TLDs)
that are marked as unsafe or unwanted. For example, to block e-mail coming from addresses in Germany
or Mexico, the TLDs .de and .mx would be added to the Blocked TLD list.
11-19
When an e-mail comes in, Office Outlook 2007 and 2010 check the validity of the e-mail and check the
level of junk e-mail protection you have set. There are four levels of security:
No filtering. This setting will allow all e-mail to get in regardless of the sender and will not use Office
Outlook 2007 and 2010s built-in junk e-mail settings.
Low. This will perform a basic scan and analyze e-mail as it comes in, allowing most e-mail to pass
through and end up in the inbox. It also takes into account the safe senders, safe recipients, blocked
senders list and international settings which are configurable in Office Outlook 2007 and 2010. The
safe senders and safe recipients list is a list of people you trust, no matter what kind of logic Office
Outlook 2007 and 2010 might apply to the e-mail. These lists will ensure that the e-mail, provided it
gets past the front line of defense, always ends up in your inbox. The blocked senders list is just that,
any e-mail address or domain on the blocked senders list immediately gets treated as junk e-mail.
The international setting allows blocking of top level domains as well as specific character encoding
sets. For example, if you never intend on getting
e-mail from anyone in Mexico, you can set the international setting to treat any e-mail from .mx as
junk e-mail. Further, if you never expect anything in the Taiwanese character set, you can set that
character set to be treated as junk.
High. High, similar to Low, filters e-mail, only on a more aggressive scale, letting less e-mail through
to your inbox. High also takes into account all of the aforementioned lists.
Safe Lists Only. Safe Lists Only is the most extensive filtering possible, but can treat some potential
safe e-mail as junk. Safe Lists Only will only allow e-mail from the safe senders and safe recipients
lists mentioned above and treats all remaining e-mail as junk e-mail.
Antivirus Programs
Most antivirus programs integrate with e-mail programs like Microsoft Office Outlook and scan e-mail
before you read it. It will also scan it while you read it and any attachments included in the e-mail will also
be scanned. This provides a second layer of defense in case the perimeter-based servers have missed a
potentially harmful e-mail.
This second level or layer of security also allows an end user or an IT department to put more rigorous
checks in place on specific machines rather than at the global level. For example, the global policy might
be to allow Microsoft Office Word, Microsoft Office Excel and Microsoft Office PowerPoint files
through the firewall. However, at the second layer, the antivirus program will block the service staff of the
company from receiving any attachments at all.
11-20
Lesson 3
Server Protection
An organizations servers represent the core of its network functionality. Servers typically host multiple
business critical services within an organization. An infected file server may propagate a virus to remote
workstations further crippling a network, whereas an infected e-mail server could potentially cut off
external communications between your organization and your clients for an extended period of time. As a
result, security measures implemented on the server infrastructure represent one of the most important
aspects of maintaining overall network integrity and functionality.
This lesson introduced a number of ways to ensure that your servers are protected from circumstances
that could leave them vulnerable to attack.
Objectives
After completing this lesson, you will be able to:
11-21
Key Points
Ensuring the security of your Windows Server 2008 R2 servers is an ongoing process that requires routine
attention and maintenance to ensure that your servers are the least exposed to attack as possible. Several
areas exist that should be considered when maintaining the security of your servers.
Maintaining Updates
Operating systems, including Windows Server 2008 R2 are constantly changing and evolving in response
to customer demand for new features, newly identified security risks or other changes in the computing
world. As well, applications installed on servers experience the same state of constant change for many of
the same reasons. Due to this ever-changing state, operating systems and the applications that run on
them are constantly being updated. While many update processes, such as Microsoft Update and
Windows Server Update Services (WSUS) are primarily automated, these automated processes need to be
routinely examined for proper operation.
11-22
Windows Firewall
Windows Firewall is your servers first line of defense against incoming network attacks. Leaving Windows
Firewall enabled and ensuring that it is properly configured for your server leaves that layer of protection
intact and provides you with a manageable and flexible way to protect against potential network
vulnerabilities that may exist in other applications on your server.
11-23
Key Points
The SCW can be used to enhance the security of a server by closing ports and disabling services not
required for the servers roles.
The SCW can be launched from the home page of Server Manager, in the Security Information section, or
from the Administrative Tools folder. There is also a command-line version of the tool, scwcmd.exe.
The SCW is role-based in accordance with the new role-based configuration of Windows Server 2008 R2.
The SCW is typically run on a server prior to that server being deployed. This way, the attack surface of the
server is reduced before it is deployed into the infrastructure and exposed to potential threats.
When the SCW is run, it scans the server and identifies the current state of the server relative to potential
changes that may need to be made. SCW scans the following:
Services installed on the server but not defined in the security configuration database.
The information discovered about the server is saved in an XML file. This server-specific file is called the
configuration database.
The initial settings in the configuration database are called the baseline settings. After the server has been
scanned and the configuration database has been created, you have the opportunity to modify the
database, which will then be used to generate the security policy to configure services, firewall rules,
registry settings, and audit policies. The security policy can then be applied to the server or to other
servers playing similar roles. The SCW is a series wizard pages that presents these four security policy
categories in separate sections:
11-24
Network security
Registry settings
Audit policy
Network Security
The Network Security section produces the firewall settings of the security policy. Those settings will be
applied by Windows Firewall with Advanced Security. Like the Role-Based Service Configuration section,
the Network Security section displays a page of settings derived from the baseline settings in the
configuration database. The settings in the Network Security section, however, are firewall rules rather
than service startup modes.
Registry Settings
The Registry Settings section configures protocols used to communicate with other computers. These
wizard pages determine Server Message Block (SMB) packet signing, Lightweight Directory Access
Protocol (LDAP) signing, LAN Manager authentication levels, and storage of password LAN Manager hash
values. Each of these settings is described on the appropriate page, and a link on each page takes you to a
Security Configuration wizard Help page that details the setting.
Audit Policy
The Audit Policy section generates settings that manage the auditing of success and failure events and the
file system objects that are audited. Additionally, the section enables you to incorporate a security
template called SCWAudit.inf into the security policy.
Security Policies
When the SCW has completed the assessment of the server, it provides the opportunity to capture the
settings in a security policy.
A security policy is the end result of the SCW run on a server. A security policy is an XML-based file that
contains the settings obtained from the details provided during the SCW process. The policy contains
potential changes to Windows settings from the following areas:
Services
Registry values
Audit policy
The saved policy can then be modified or deployed to servers by converting the policy to a GPO using the
scwcmd.exe command-line tool and deploying the GPO using Group Policy.
Log on as a domain administrator and run Scwcmd.exe with the transform command.
For example:
scwcmd transform /p:"Contoso DC Security.xml /g:"Contoso DC Security GPO
This command will create a GPO called Contoso DC Security GPO with settings imported from the
Contoso DC Security.xml security policy file. The resulting GPO can then be linked to an appropriate
scopesite, domain, or organizational unit (OU)by using the Group Policy Management console.
Be sure to type scwcmd.exe transform /? for help and guidance about this process.
11-25
11-26
Key Points
In this demonstration you will see how to use the SCW to create a security policy.
Demonstration Step:
11-27
Key Points
MBSA is a software tool that analyzes the security state of an environment in accordance with Microsoft
security recommendations. MBSA analyzes the current server state and documents any changes that will
further secure the server and lock it down from attacks. Beginning in version 2.1, MBSA provides support
for Windows Server 2008 R2.
MBSA uses Microsoft Update to check for the status of security updates and software updates for
Microsoft applications such as Exchange and SQL Server as well as built-in applications like IE, Internet
Information Server and offers guidance for the correction of detected inconsistencies.
In addition to the standard wizard-based interface, MBSA also provides a command-line interface
(mbsacli.exe) which allows the MBSA to be run from within a script or as part of an automated task.
MBSA is designed for and geared towards small and medium businesses, but it can also be effectively
used in a larger enterprise environment.
11-28
Key Points
In this demonstration you will see how to use MBSA to secure Windows Servers.
Demonstration Steps:
1.
2.
11-29
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
2.
3.
4.
5.
6.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
In Hyper-V Manager, click 6420B-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
11-30
Create a Group Policy object (GPO) to enforce the default AppLocker Executable rules.
Apply the GPO to the Contoso.com domain.
Test the AppLocker rule.
Task 1: Create a Group Policy object (GPO) to enforce the default AppLocker Executable
rules
1.
2.
3.
Switch to NYC-DC1.
Open the Group Policy Management console and create a GPO entitled Wordpad Restriction
Policy.
Edit the new GPO with the following settings:
Application Control Policy: Under Executable Rules create a new executable publisher rule for
C:\Program Files\Windows NT
\Accessories\wordpad.exe that denies Everyone access to run any version of wordpad.exe.
Apply the WordPad Restriction Policy GPO to the Contoso.com domain container.
Results: After this exercise, you will have restricted an application by using AppLocker.
11-31
On NYC-DC1, run the Security Configuration Wizard in the Administrative Tools folder.
Carry through the steps of the wizard, accepting the defaults.
Save the resultant Security Policy as DC Security Policy.xml.
When prompted to apply the Security Policy, select Apply later.
11-32
Switch to NYC-SVR2.
Open Windows Explorer and navigate to E:\Labfiles\MBSA.
Run MBSASetup-x64-EN.msi using the defaults.
On NYC-SVR2, run the MBSA scan (ensuring to remove the check for updates checkmark).
Note: For demonstration and lab purposes you can change the automatic updates setting, however
you will not be able to get updates as the classroom does not have internet connectivity.
Results: Your results should show several administrative vulnerabilities including the following:
Automatic Updates
Password Expiration
Incomplete Updates
Local Account Password Test
File System
Autologon
Guest Account
Restrict Anonymous
Administrators
Windows Firewall
Results: After this exercise, you will have used the MBSA to harden security settings.
6.
To connect to the virtual machine for the next modules lab, click
6420B-NYC-DC1, and then in the Actions pane, click Connect.
Important: Start the 6420B-NYC-DC1 virtual machine first, and ensure that it is fully started before
starting the other virtual machines.
11-33
11-34
Review Questions
1.
What are the key differences between AppLocker and legacy Software Restriction Policies?
2.
Why are server-side e-mail security solutions typically more effective and easy to implement than
client-side solutions?
3.
Tools
Tool
Use for
Where to find it
Software Restriction
Policies
AppLocker
Microsoft Forefront
Protection for
Exchange Server
Security
Generate and apply security policy
Configuration wizard
templates to decrease the vulnerability of
Windows Server 2008 R2
11-35
Tool
Use for
Where to find it
Microsoft Baseline
Security Analyzer
11-36
Module 12
Monitoring Server Performance
Contents:
Lesson 1: Overview of Server Components
12-3
12-8
12-17
12-1
12-2
Module Overview
Monitoring the performance of servers is important for all organizations. Businesses require cost-effective
solutions that provide value for money. You should monitor servers to ensure that they run efficiently and
use available server capacity.
Many administrators require performance monitoring tools to identify components that require additional
tuning and troubleshooting. By identifying components that require additional tuning, you can improve
the efficiency of your servers.
Objectives
After completing this module, you will be able to:
12-3
Lesson 1
Before you can start to collect meaningful performance-related statistics, you must be able to identify the
important server components that affect server performance most significantly. A bottlenecked server
component can lead to significant performance problems. This lesson explores server components and
explains how to identify server bottlenecks.
Objectives
After completing this lesson, you will be able to:
12-4
Server Components
Key Points
The four main hardware components to monitor are processor, disk, memory and network. Understanding
how these four key hardware components are utilized by the operating system and how they interact with
one another is an important step along the road to understanding how to optimize server performance.
When monitoring performance, you should consider:
The server role and workload to determine which hardware components are likely to restrict
performance.
The ability to increase server performance by adding power or reducing the number of users who are
accessing a server.
Processor
One important factor in determining the overall processor capacity of your server computer is processor
speed. Processor speed is determined by the number of operations it can perform in a measured period of
time. Servers with multiple processors, or processors with multiple cores, generally perform processorintensive tasks with greater efficiency and are consequently faster than single processor or single-core
processor servers.
Processor architecture is also important. 64-bit processors can access more memory and have a significant
effect on performance. This is true especially when applications running on your server require a large
amount of memory.
Disk
Hard disks are used to store programs and data. Consequently, the speed of the server is affected by the
throughput of your disks, especially when the server is performing disk-intensive tasks. Disks have moving
12-5
parts and it takes time to position the read/write heads over the appropriate sector on the disk to retrieve
the requested information.
By selecting faster disks, and by using collections of disks to optimize access times, you can alleviate the
potential for the disk subsystem to create a performance bottleneck.
It is also worth remembering that information on the disk is moved into memory before it can be used. If
there is a surplus of memory, the Windows Server operating system creates a file cache for items
recently written to or read from the disks. Installing additional memory in a server can often improve the
disk subsystem performance.
Memory
Programs and data are loaded from disk into memory before the program can manipulate the data. In
servers that run multiple programs, or where datasets are very large, increasing the amount of memory
installed can help improve server performance.
Windows Server uses a memory model in which excessive memory requests are not rejected, but handled
by a process known as paging. During paging, data and programs in memory not currently being utilized
by processes are moved into an area on the hard disk known as the paging file; this frees up physical
memory to satisfy the excessive requests. However, because a disk is comparatively slow, paging has an
effect on server performance. By adding more memory, and by using a 64-bit processor architecture that
supports larger memory, you can reduce the need for paging.
Network
It is easy to underestimate the effect of a poorly performing network as it is not as easy to see or to
measure as the other three server components. However, as so many of the programs and so much of the
data that processes, and since application access is stored on network devices, it should not be surprising
that the network is a critical component for performance monitoring.
12-6
64-bit Computing
Key Points
The Windows Server 2008 R2 operating system is only available in 64-bit versions. 64-bit operating
systems offer a number of significant advantages. For example, installing 64-bit operating systems offers
the ability to scale up (increase processor cores and memory) more than is possible with a 32-bit
operating system.
Application Compatibility
In addition to ensuring that you have digitally signed drivers, you must consider application compatibility.
Windows Server 2008 R2 includes kernel and user mode application programming interface (API) changes
that support virtualization, scalability, performance, power management, and networking enhancements.
Consequently, applications designed to run on an earlier, 32-bit version of Windows Server may not run
correctly on Windows Server 2008 R2.
You must verify the correct functionality of important applications before you deploy Windows Server
2008 R2, and where necessary, implement application fixes to ensure correct functionality.
Microsoft provides a number of application compatibility tools that can help you test, and where required,
fix your applications so that they run correctly within the 64-bit Windows Server 2008 R2 environment.
Question: How many of the servers installed in your organization have 64-bit hardware but only 32-bit
operating systems?
12-7
Performance Bottlenecks
Key Points
A performance bottleneck occurs when a server is unable to service the current requests for a specific
resource. The resource might be a server component, such as a disk, memory, processor, or network.
Alternatively, the bottleneck might be caused by the shortage of a component within an application
package.
By using performance monitoring tools on a regular basis, and comparing the results to your baseline and
to historical data, you can identify server bottlenecks before they impact users.
Once you have identified a bottleneck, you must decide how to remove it. Option include:
In severe circumstances, a server suffering from a severe resource shortage may stop processing user
requests. However, if your server is experiencing a bottleneck but is still operating within acceptable limits,
you might decide to defer any changes until the situation is resolved, or until you have an opportunity to
take corrective action.
12-8
Lesson 2
Performance Monitoring
Windows Server provides a number of tools that enable you to gather and analyze performance-related
statistics; it is important that you know what data to collect with these tools so that you can identify
performance problems on your servers before they impact your users.
Objectives
After completing this lesson, you will be able to:
12-9
Key Points
There are several methods that you can use to collect performance data from servers in your organization.
You should use each of these methods to suit your organizations requirements.
Real-time monitoring of computers is useful when you want to determine the effect of performing a
specific action or troubleshoot specific events. This type of monitoring can also help you to ensure that
you are meeting service level agreements (SLAs).
Analyzing historical data can be useful for tracking trends over time, determining when to relocate
resources, and deciding when to invest in new hardware to meet the changing requirements of your
business. You should use historical performance data to assist you when you plan future server
requirements.
If you intend to gather data for historical comparison, it is important to establish a performance baseline.
To create a baseline, you must collect performance data over a period of time during which your server is
under typical load. When you come to collect data in the future, you must ensure you collect statistics
about the same resources as those you analyzed in your baseline. You can then compare resource usage
against your baseline and see whether there are sufficient resources to satisfy user demands.
A range of tools is available to assist you in the monitoring of your server environment. These tools are
described in the following table.
Tool
Description
Microsoft Windows Using WSRM, you can control how CPU resources are allocated to
System Resource
applications, services, and processes. Managing these resources improves
12-10
Tool
Description
Manager (WSRM)
system performance and reduces the chance that these applications, services,
or processes will interfere with the rest of the system.
WSRM is a feature of Windows Server 2008 R2.
Microsoft Network
Monitor
Microsoft Windows
Performance Monitor
Microsoft System
Center Operations
Manager 2007
(Operations Manager)
Operations Manager enables you to build a complete picture of the past and
current performance of your server infrastructure. Operations Manager can
also automatically respond to events and address problems before they
become an issue for you. Operations Manager requires time to configure and
requires additional licenses.
12-11
Key Points
There are many counters that you should research and consider monitoring to meet your specific
requirements.
Windows Server 2008 R2 enables monitoring of operating system performance through performance
objects and counters in the object. Windows Server 2008 R2 collects data from counters in various ways,
including:
Maximum value
Minimum value
Processor>% Processor Time. Shows the percentage of elapsed time that this thread used the
processor to execute instructions. An instruction is the basic unit of execution in a processor, and a
thread is the object that executes instructions. Code executed to handle some hardware interrupts
and trap conditions is included in this count.
Processor>Interrupts/sec. Shows the rate, in incidents per second, at which the processor received
and serviced hardware interrupts.
12-12
System>Processor Queue Length. This counter is a rough indicator of the number of threads each
processor is servicing. The processor queue length, sometimes called processor queue depth,
reported by this counter is an instantaneous value that is representative only of a current snapshot of
the processor, so it is necessary to observe this counter over a long period of time. Also, the
System\Processor Queue Length counter is reporting a total queue length for all processors, not a
length per processor.
Memory>Pages/sec. Shows the number of hard page faults per second. A hard page fault occurs
when the requested memory page cannot be located in RAM because it currently exists in the paging
file. An increase in this counter indicates that more paging is occurring which in turn suggests a lack
of physical memory.
Physical Disk>%Disk time. This counter shows how busy a particular disk is. A counter approaching
100% indicates that the disk is busy nearly all of the time and may suggest a performance bottleneck
is imminent.
Physical Disk>Average Disk Queue Length. This counter shows how many disk requests are waiting to
be serviced by the I/O manager in Windows Server at a given moment. The longer the queue, the less
satisfactory the disk throughput is.
By monitoring the network performance counters, you can evaluate your networks performance.
In this demonstration, you will see how to use Performance Monitor to view real-time performance data.
Demonstration Steps:
1.
2.
3.
12-13
12-14
Key Points
A Data Collector Set is the foundation of Windows Server performance monitoring and reporting in
Performance Monitor.
Data Collector Sets enable you to gather performance-related and other system statistics for analysis with
other tools within Performance Monitor, or with third-party tools.
While it is useful to analyze current performance activity on a server computer, it is perhaps more useful
to collect performance data over a period of time for subsequent analysis and comparison with previously
gathered data. This data comparison enables you to make determinations about resource usage, to plan
for growth, and to identify potential performance problems.
Data Collector Sets can contain the following types of data collectors:
Event trace data. Provides information about system activities and eventsoften useful for
troubleshooting.
System configuration information. Enables you to record the current state of registry keys and to
record changes to those keys.
You can create a Data Collector Set from a template, from an existing set of data collectors in a
Performance Monitor view, or by selecting individual data collectors and setting each individual option in
the Data Collector Set properties.
Key Points
In this demonstration, you will see how to collect performance data in a data collector set.
Demonstration Steps:
1.
2.
3.
12-15
12-16
Key Points
You can use alerts in Performance Monitor to determine when a threshold has been exceeded and then to
take appropriate action, such as run a program, generate an Event Log error, and start a data collector set.
In this demonstration, you will see how to create an alert.
Demonstration Steps:
1.
2.
3.
12-17
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
2.
3.
4.
5.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
In Hyper-V Manager, click 6420B-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
You have successfully deployed some new servers at the Contoso, Ltd branch offices. Before the system
goes live, you decide to establish a performance baseline so that you can compare future workloads to
the expected workload.
12-18
e.
f.
4.
Memory, Pages/sec
Open a command prompt and run the following commands, pressing ENTER after each command:
Fsutil file createnew bigfile 104857600
Copy bigfile \\nyc-dc1\c$
Copy \\nyc-dc1\c$\bigfile bigfile2
Del bigfile*.*
Del \\nyc-dc1\c$\bigfile*.*
2.
4.
5.
6.
7.
8.
9.
12-19
Memory, Pages/sec
10. On the toolbar, click the down arrow and then click Report.
11. Record the values listed in the report for analysis later.
Recorded values:
Memory, Pages/sec
12-20
Results: After this exercise, you should have captured additional performance data.
12-21
12-22
At the command prompt, press CTRL+ C and then close the command prompt.
Note: If you receive an error at this point, or the values in your report are zero, repeat steps 4-9.
Recorded values:
Memory, Pages/sec
Results: After this exercise, you should have identified a potential bottleneck.
1.
2.
3.
4.
5.
6.
Important: Start the 6420B-NYC-DC1 virtual machine first, and ensure that it is fully started before
starting the other virtual machines.
12-23
12-24
Review Questions
1.
2.
Tools
Tool
Use for
Where to find it
Fsutil.exe
Command line
file system
Performance Monitor
Start Menu
Module 13
Maintaining Windows Server
Contents:
Lesson 1: Troubleshooting Windows Server Startup
13-3
13-12
13-24
13-30
13-41
13-1
13-2
Module Overview
The Windows Server 2008 R2 operating system provides a platform for organizations to build their
technology infrastructure on. Windows Server is designed for the dynamic and efficient management of
technology resources as well as providing effective solutions for business needs.
Windows Servers roles are commonly very critical in an organizations network infrastructure. It is critical
to assure the Windows Servers are performing as efficiently as possible in their roles. To support Windows
Server, you must maintain skills and knowledge to properly maintain an efficiently operating and
continually available server infrastructure. You also must have the ability to troubleshoot issues within that
infrastructure when they arise.
Objectives
After completing this module, you will be able to:
13-3
Lesson 1
The Windows Server startup process ensures that all aspects of a Windows Servers functionality are
checked and initiated in a way that results in a stable and properly running server. Several issues can
emerge in the startup process and the key to troubleshooting or, even better, avoiding these issues is the
knowledge of how the Windows Server startup process works.
This lesson will introduce the details of the Windows Server startup process and give you the tools you
need to identify and correct issues related to Windows Server startup.
Objectives
After completing this lesson, you will be able to:
13-4
Key Points
The Windows Server boot process is made up of a number of steps involving components both inside and
outside of the operating system environment. At first glance, startup seems to be one of the most basic
features of an operating system. However, there's nothing simple or basic about startup processes and
procedures.
Boot integrity
Firmware abstraction
13-5
The boot environment is loaded before the operating system, making the boot environment independent
of the operating system. This process ensures that the boot environment can be used to confirm the
integrity of the startup process and the operating system itself before actually starting the operating
system by starting a boot loader.
A boot loader, in its most basic form, loads the initial files required to start an operating system. In a
default installation of Windows Server 2008 R2, there is one boot loader reference stored in Windows
Boot Manager called Windows Boot Loader, which launches the Windows Server 2008 R2 operating
system. The Windows Boot Loader is stored in \Windows\System32\winload.exe and when started by
Windows Boot Manager, it begins the initial load process of the operating system.
Within the boot environment, Windows Boot Manager controls the boot process using the information in
the boot configuration data (BCD) store. Entries in the BCD store are loaded by Windows Boot Manager
and contain configuration data about the various boot loaders installed on the system including the
following:
When multiple boot loaders are referenced in the BCD store, Windows Boot Manager will prompt the user
at startup to choose which boot loader should be started. For example, a server may have Windows Server
2008 R2 installed on one partition and a client operating system like the Windows 7 operating system
installed on another partition to allow the computer to start either of the operating systems, dependent
on the needs of the user. This configuration is known as a multi-boot configuration.
Multi-boot configurations are often complicated and may require modification of the BCD store in order
to accommodate changes made to the system. These changes can be made using a command-line tool
called BCDEdit.
Note: To start BCDEdit, type BCDEdit.exe from the command prompt.
Certain aspects of the BCD store can also be modified within Windows Server 2008 R2. These settings
can be accessed by opening the System applet in Control Panel, clicking Advanced System
Settings, then clicking on the Advanced tab in the System Properties window and finally clicking
Settings under Startup and Recovery.
13-6
Once the operating system kernel has loaded, the operating system is ready to begin interaction with the
rest of the system software as well as user input, most commonly beginning with the logon.
13-7
Key Points
During the Windows startup process, the failure or malfunction of any component involved can cause the
startup process to fail or behave erratically. Events like hard disk failure, missing or corrupted files, thirdparty driver bugs or intentional or accidental damage of system files can interfere with the startup
process. Windows Server 2008 R2 provides several tools to help troubleshoot and repair components
involved in the startup process, allowing the operating system to startup correctly and efficiently.
Note: All three of these tools are available from the Windows Advanced Options Boot menu, which is
accessible by pressing the F8 key prior to the Windows Server 2008 R2 startup splash screen.
System Image Recovery allows you to restore the operating system from a backup created earlier
using Windows Server Backup.
Windows Memory Diagnostic performs memory diagnostic tests that check the systems random
access memory (RAM).
Command Prompt opens a command prompt with administrative privileges that provides full access
to the systems file system and volumes.
13-8
Note: If a system loses electrical power during the boot process, WinRE will automatically launch the
next time the system is booted.
HKLM\SYSTEM\CurrentControlSet\Services: This registry hive contains settings that control driver and
service configuration.
When you choose the Last Known Good Configuration option from the Windows Advanced Options
menu, it marks the values in the two registry hives above as failed and replaces them with the copy taken
after the last successful startup.
Safe Mode
The safe mode option allows the user to run system startup using a limited set of files, services and drivers.
With this limited configuration, it makes failure from a malfunctioning driver or service less likely and
allows you to troubleshoot from within the Windows graphical user interface (GUI) environment. On the
Windows Advanced Options menu, several options exist for starting Windows in Safe mode.
Safe mode starts loading only a basic set of files, drivers and services, including mouse, keyboard,
storage and basic video drivers. No networking services or drivers are started.
Safe Mode with Command Prompt loads the same service and driver set as Safe mode, but starts you
at the command prompt rather than in the Windows GUI.
Safe Mode with Networking starts the same as Safe mode, but adds drivers and services necessary to
provide network functionality.
Enable Boot Logging starts the boot logging process, which records all startup events to a boot log.
Enable Low-Resolution Video sets the system resolution to 640 x 480 pixels, allowing you to reset
your display resolution in the event that it was changed to a setting that rendered the system
unusable.
Disable Driver Signature Enforcement disables the default behavior in Windows Server 2008 R2 that
requires drivers loaded on startup to contain a valid digital signature.
13-9
Key Points
When issues arise with the Windows startup process, resolving those issues and getting the system back to
a bootable state as quickly as possible is your highest priority. It is important to consider which startup
tool will best diagnose and solve the issue before you begin the troubleshooting process.
The following examples of common startup issues list conditions that prevent the startup process from
completing successfully along with considerations for troubleshooting that specific problem and which
tool or tools will best assist in correcting the problem.
Symptoms. When a systems MBR is corrupted or missing, the system will halt the startup process
immediately following BIOS POST and a black screen or one of the following messages may appear:
Invalid partition table, Error loading operating system or Missing operating system.
Causes. The MBR can become corrupt due to hard disk errors, disk corruption or intentional
destruction of MBR data by a virus or malicious user.
Resolution. Launch WinRE, choose the Command Prompt option and execute bootrec/fixmbr. This
command replaces the executable code in the MBR.
BCD Misconfiguration
Symptoms. After BIOS POST, you will see a message that begins Windows could not start because
of a computer disk hardware configuration problem, Could not read from selected boot disk,
or Check boot path and disk hardware.
Causes. The BCD has been deleted, become corrupt, or no longer refers to the proper boot volume,
potentially because the addition of a partition has changed the name of the volume.
Resolution. Launch WinRE, choose the Command Prompt option, and then execute the
bootrec/scanos and bootrec/rebuildbcd commands. These commands will scan each volume
looking for Windows installations. When they discover an installation, they will ask you whether it
13-10
should be added to the BCD as a boot option and what name should be displayed for the installation
in the boot menu. For other kinds of BCD-related damage, you can also use Bcdedit.exe to perform
tasks such as building a new BCD from scratch or cloning an existing good copy.
Symptoms. System file (dynamic-link libraries (DLLs), drivers, executables) corruption typically will
cause a message on a black screen after BIOS POST that says, Windows could not start because the
following file is missing or corrupt, followed by the name of a file and a request to reinstall the file.
Causes. The volume on which a system file is located is corrupt or one or more system files have been
deleted or become corrupt.
Resolution. Boot into the Windows Recovery Environment, choose the Command Prompt option, and
then execute the chkdsk command. Chkdsk will attempt to repair volume corruption. If Chkdsk does
not report any problems, obtain a backup copy of the system file in question and replace the file.
Symptoms. Issues that occur after the Windows splash screen appears, after the desktop appears or
after you log in fall into this category and can manifest as a blue screen crash or an unresponsive
system hang.
Causes. This type of problem is commonly caused by a device driver or potential corruption of
registry information.
Resolution. The first and most straightforward method for attempting to restore a normal startup
process would be to invoke the Last Known Good Configuration. This will load the appropriate
registry information from a backup taken when the system last booted properly. This would allow for
the review of recent changes to the operating system to attempt to discover what caused the crash or
hang. If the problem is caused by a driver or service that existed on the system prior to when the Last
Known Good Configuration was taken, another solution will need to be adopted. In this case, Safe
mode may allow the system to boot properly at which point you can disable newly installed drivers or
services in an effort to determine the cause of the problem.
Question: Which tool would you use to recover a system that fails to start properly immediately following
the installation of a new network card?
Key Points
In this demonstration, you will see how to recover a system from startup failure.
Demonstration Steps:
1.
2.
13-11
13-12
Lesson 2
Organizations depend on constant and consistent access to their business information and applications. In
this environment, a server is only useful when it is operating properly and it contains the correct data. A
server that is experiencing intermittent failures, sporadically unavailable or one that contains inconsistent
data or has lost data can cause large problems for an organization, often detrimentally affecting their line
of business.
As someone responsible for the operation of your organizations servers, you need to be aware of the
variety of methods that Windows Server offers to allow for high availability, reliability and consistency as
well as how to implement these methods.
Objectives
After completing this lesson, you will be able to:
13-13
Key Points
Data is the most important digital commodity in the business world. Data hosted on an organizations
servers is most often critical to their line of business. Inventories, legal documents, and wage and
employee information are just some of the important pieces of business information data that are
frequently hosted on servers.
The retention or backup of this data is the first line of defense against any event or circumstance that
could put the security, validity or the existence of that data at risk. Events that could lead to data loss
include natural disasters like a flood, earthquake or lightning strike. Environmental issues such as fire,
plumbing malfunctions or power surges can also contribute to the loss of data. Finally, malicious or
accidental activity like hacking, file deletion, equipment theft or intentional damage often lead to data
being lost.
Backing up your companys data in Windows Server 2008 R2 is an important part of maintaining a reliable
server environment. Not only business data, as discussed above, is at risk, but data contained in the
operating system and server applications themselves need to be retained should the need to restore or
recreate them arise.
System Data
System data, such as operating system and application data, however, is almost always stored in a
consistent location on the operating system. While not always accessed or modified by employees directly
13-14
like business data, system data is critical to the operation of a server. It is important that the Windows
Server system volume, which holds the location of the Windows Server operating system files, be backed
up as well to ensure that a server is recoverable from its backups in the case of a system failure.
13-15
Key Points
Business continuity planning refers to the ongoing maintenance activity and infrastructure planning and
implementation that allow an organization to carry on their line of business in the event of a disaster or
system failure.
The ability for an organizations server infrastructure to ensure business continuity at times of crisis is a
very important aspect of server management and maintenance.
Question: What types of events could interfere with business continuity?
Question: What would the cost be to your organization if your server infrastructure was unavailable for
an hour, a day, or a week?
13-16
Key Points
Organizations have come to rely more and more on their information technology (IT) infrastructure to
support their business needs. In many cases, an organizations server infrastructure provides applications
or contains data that is critical to business operations. As a result, the availability of those applications and
the retention and safety of that data must be managed to ensure business continuity through high
availability and data recovery.
High Availability
High availability refers to the ability of a server infrastructure to remain available and operable in the
event of hardware, application or service outages within the server infrastructure itself.
Organizations that are required to meet service level agreements (SLAs) or that run applications critical to
an organizations daily business typically use high availability solutions to achieve required server uptimes.
This uptime value is often referred to as the number of 9s referred to in the percentage of that servers
total availability. It is not uncommon for companies to strive for five nines of uptime (99.999%), which
equates to less than ten minutes per year of server downtime.
High availability typically involves multiple servers configured to perform the same role or provide similar
services. If one of the servers experiences a hardware or software failure, the remaining servers continue to
provide the services.
Windows Server 2008 R2 contains several features that assist you in maintaining high availability in your
server infrastructure.
13-17
remain running and available while hardware upgrades occur or faulty hardware components are
replaced.
Failover Clustering
Failover clustering allows for a group of servers to work together to provide a set of applications or
services. Together, these servers provide a fault tolerant configuration that continues to provide its
applications and services, even if one of the servers in the cluster fails or becomes unavailable.
Data Recovery
Data recovery processes ensure that critical data is recoverable, should the data be lost, corrupted or
destroyed. This typically involves the copying or backing up of data to a device separate from the server.
These devices can be external hard disks or flash drives, tapes, or network locations. Often, these devices
are stored in a different physical location than the server being backed up in the case that the location
was physically destroyed or damaged by a disaster such as a fire or flood.
When data is lost, corrupted, or destroyed, the backed up data can then be restored to the original
location on the server; or to a separate server until the original server has been restored or rebuilt.
13-18
Key Points
NLB provides high availability and scalability for TCP/IP-based services, including Web servers, File
Transfer Protocol (FTP) servers, other mission-critical servers and services. In an NLB configuration,
multiple servers run independently, and do not share any resources. This group of servers is referred to as
a cluster. Client requests are distributed among the servers, and in the event of a server failure, NLB
detects the problem and distributes the load to another server. NLB allows you to increase network
service performance and availability.
High Availability
NLB supports high availability by redirecting incoming network traffic to working cluster hosts if a host
fails or is offline. Existing connections to an offline host are lost, but the Internet services remain available.
In most cases, for example with Web servers, client software automatically retries the failed connections,
and the clients experience a delay of only a few moments before receiving a response.
Many applications work with NLB. Generally, NLB can load balance any application or service that uses
TCP/IP as its network protocol and is associated with a specific TCP or User Datagram Protocol (UDP) port.
Some examples are listed in the following table.
Protocol
Examples
Hypertext Transfer
Protocol (HTTP) and
HTTP Secure (HTTPS)
FTP
Protocol
13-19
Examples
Performance
NLB supports server performance scaling by distributing incoming network traffic among one or more
virtual IP addresses assigned to the NLB cluster. The hosts in the cluster concurrently respond to different
client requests, even multiple requests from the same client. For example, a Web browser might obtain
each of the multiple images in a single Web page from different hosts within an NLB cluster. This speeds
up processing and shortens the response time to clients.
Scalability
NLB allows administrators to scale network services to meet client demand. New servers can be added to
a load balancing cluster without modifying the applications or reconfiguring clients. The NLB cluster does
not need to be taken offline to add new capacity, and members of the Load Balancing cluster do not need
to be based on identical hardware.
13-20
Failover Clustering
Key Points
Failover clustering is another technology in Windows Server 2008 R2 that provides for high availability. In
a failover cluster, a group of servers, or a cluster, work together to increase the availability of a set of
applications and services. Physical cables and software connect the clustered servers, referred to as nodes.
If any of the cluster nodes fail, other nodes begin to provide service to clients (a process known as
failover). With this method, system downtime is minimized and a high level of availability is provided.
Applications that are best suited for configuration in a failover cluster are applications that use a
centralized set of data. Applications like Microsoft SQL Server, Microsoft Exchange Server, and services
like Dynamic Host Configuration Protocol (DHCP), file and print, and Dynamic Name System (DNS) use
centralized data sets and are therefore ideal for being configured as a failover cluster.
Note: The failover cluster feature is only available in the Windows Server 2008 R2 Enterprise operating
system and the Windows Server 2008 R2 Datacenter operating system.
Applications or services that are added to a failover cluster must be cluster-aware in order to take
advantage of the full benefits provided by failover clustering. Cluster-aware refers to the applications
ability to register with the failover cluster in order to communicate with the cluster and take advantage of
the clusters features. Applications and services that are cluster-aware include the following:
DHCP Server
Exchange Server
File Server
Print Server
SQL Server
13-21
Note: Exchange Server 2007 and Exchange Server 2010 provide failover clustering solutions that do
not require a single data store. These versions of Exchange Server can use replication to maintain
multiple copies of the mailbox databases.
Applications that do not support cluster events are called cluster-unaware. Some cluster-unaware
applications can be configured as high availability resources and can be failed over. The following
provisions apply:
IP-based protocols are used for cluster communications. The application must use an IP-based
protocol for its network communications.
Nodes in the cluster access application data through shared storage devices. If the application isn't
able to store its data in a configurable location, the application data is not available on failover.
Client applications experience a temporary loss of network connectivity when failover occurs. If client
applications cannot retry and recover from this, they will cease to function normally.
13-22
Key Points
Providing for data recovery involves implementing a plan that includes what to backup, how often to
back it up, what media the backed up data will be stored on, where that media will be stored, and who
can backup and restore the data.
What to Back Up
Deciding what to back up is one consideration when developing a backup plan. Business information loss
may significantly disrupt business productivity. In most situations, a full data backup is desirable. The key
question for the organization is what data is vital to the company? This data may consist of customer or
client database information, payroll records, and product information.
When to Back Up
A few questions need to be answered when considering back up. Ask yourself, When do I need to
backup?, How often should backups be made? and, How long will my backup take and what time of
day will the backup take place? When asking how often backups occur, the answer depends on your
business data and how frequently it changes. An organizations sales history may only need to be backed
up monthly, but the current sales database which is constantly being updated with sales information may
need to be backed up multiple times per day. The second and third questions, regarding how long the
backup will take and when the backup should be taken are dependent on each other. Often, data being
backed up cannot be in use by users and applications during the backup process. A full backup of all
servers in a datacenter may take 15-20 hours. If your business operates on a ten hour work day, that only
leaves 14 hours to do your backup. Typically, the longer, full backup is done during off hours, perhaps on
a weekend. Then, smaller backups of specific information or critical information are taken more often
throughout the week.
13-23
13-24
Lesson 3
Windows Server 2008 R2 provides a full featured framework that allows it to maintain itself in a current
and secure state through updates.
Objectives
After completing this lesson, you will be able to:
Explain how Windows Server obtains updates using Windows Server Update Services (WSUS).
Implement WSUS.
13-25
Key Points
Globally, computing happens in an ever changing environment. New technology emerges daily, while
new ways to exploit technology seem to emerge hourly. As technology advances and security concerns
appear, your server infrastructure needs to be both prepared and protected in order to perform
efficiently.
The following questions can be asked of a static, non-updated server running Windows Server 2008 R2.
Does your server have a vulnerability to malicious code that takes advantage of potential weak spots
identified in your servers operating or application configuration?
When a new device is installed, how can you ensure that you have the most recent version of the
driver installed?
How can you be sure you are running the latest and most compatible versions of your applications?
You need to update your Windows Servers to ensure that you can avoid the pitfalls associated with the
points above, but manual configuration of a single server can be a time-consuming and tedious process,
let alone the configuration of hundreds of servers.
The key source of Windows updates is the Microsoft Update Web site. Here, a catalog of updates is stored
and available for download and installation to your computer.
Windows Server 2008 R2 contains a robust infrastructure for managing interaction with the Microsoft
Update process, but it is up to you to ensure that the tools available are tailored to your environment and
working in a way that ensures your infrastructure is secure and regularly updated.
13-26
Key Points
Updates can be applied to a variety of areas within the Windows Server infrastructure:
Core Operating System. The core files of your servers operating system must be kept up to date in
order to correct possible security vulnerabilities and maintain the most recent set of features and
functionality. New versions of executables, additional features, and updated .dll and data files are a
few of the aspects of the core operating system that may be implemented as part of an update.
Drivers. Hardware devices on your servers need to have the most recent drivers installed to ensure
that your system functions properly and that all of the components can work together as a cohesive
whole without conflicts or interruption. The way that Windows interacts with your server and the
attached hardware is governed primarily by the device drivers that Windows loads for the devices.
Old, corrupt or incompatible drivers can cause a device to function improperly and could cause
system instability or even failure.
Applications. Updates also need to be performed on applications as well. Service Packs, feature
updates, and security fixes all ensure that your applications are able to consistently provide their
associated services within your environment.
In addition to these three core areas, other aspects such as device firmware may also need to be
periodically updated.
13-27
Key Points
WSUS enables network administrators to simplify and gain greater control over the process of applying
updates to all computers in the network environment.
When WSUS is installed on a server, WSUS downloads all of the latest updates from the Microsoft Update
servers on the Internet, and then all other computers on the network are configured to download their
updates directly from the WSUS server.
In a typical WSUS implementation, instead of each computer downloading the same update files
independently, only the WSUS server downloads the files from the Microsoft Update servers. The WSUS
server downloads a copy of each available update and saves it in a local data store, making it available for
access by all of the computers on the network. Because the WSUS server has to download only one copy
of each update, the amount of bandwidth consumed by the update process is reduced drastically. WSUS
also provides administrators with the opportunity to research, evaluate, and test updates before deploying
them to the network clients.
A Windows Server Update Services server has several components and settings that are configurable to
suit the needs of your environment.
Synchronization. This setting controls when WSUS will synchronize with Internet-based Microsoft
Update servers to download new updates.
Products. This setting controls which products WSUS will download updates for. This includes
Windows server and client operating systems, as well as many Microsoft applications and server
products, such as Microsoft Office, SQL Server, Exchange Server, and many others.
Classifications. Microsoft updates come in several different classifications which identify the type and
urgency of the update. This setting allows you to select which classifications WSUS will synchronize.
Languages. By default, WSUS synchronizes only updates in the language that you specified when
installing Windows Server 2008 R2.
13-28
Approvals. This setting controls how updates are applied to clients and which classifications are set for
automatic approval and subsequent install. By default, WSUS automatically approves all security,
critical, and definition updates for servers. For clients, WSUS approves all security, critical, and
definition updates, plus service packs.
Storage. WSUS downloads only the approved updates and stores them, in Cab format, in the
C:\WSUS\WsusContent folder by default.
Server updates. By default, servers download the latest updates from the WSUS server and inform the
administrator that they are ready to install. An administrator must install them manually using the
Windows Update control panel applet.
Client updates. Clients connect to the WSUS server and download the latest updates for their
respective operating systems, and then install them automatically according to the set schedule. If
necessary, the Automatic Updates client restarts the computer when the update installations finish.
WSUS is managed with an MMC snap-in which allows you to configure settings, manage and view the
status of updates as well as add new client computers or groups to the WSUS server.
FUNCTION
Specifies the URL that Automatic Updates clients use to access the
WSUS server on the local network.
Allow non-administrators to
receive update notifications
Specifies the time interval the Automatic Updates client should wait
before restarting the computer after a user postponed a previous
restart request.
Specifies the time interval the Automatic Updates client should wait
before restarting the computer after an update installation.
Specifies the time interval the Automatic Updates client should wait
after system startup before initiating an update installation that did
not occur because the computer was offline.
Key Points
In this demonstration, you will see how to configure WSUS.
Demonstration Steps:
1.
2.
13-29
13-30
Lesson 4
When a system failure or an event that affects system performance occurs, you need to be able to repair
the problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the
modern network environment, the ability to determine the root cause quickly often depends on having a
logical and comprehensive troubleshooting methodology. You also must understand the tools available to
determine the root cause and make corrections to the environment if applicable.
Objectives
After completing this lesson, you will be able to:
13-31
Key Points
Troubleshooting a problem, especially when dealing with technology, can be a multi-step process
involving a large number of potential root causes and several attempts to resolve the issue before the
actual root cause is determined. From gathering information to testing possible fixes to ensuring that fixes
work properly and can be maintained, a troubleshooting methodology can help your troubleshooting
process remain organized and efficient.
Key concepts and practices must be understood and observed throughout the troubleshooting process to
ensure that the issue is resolved in the most effective way possible.
Assessment of Impact
Understanding how an issue affects your network environment and the operations of your organization is
a very important part of the troubleshooting process. An issue that impacts critical services, such as pointof-sale operations in a busy retail store, may need to have a temporary partial fix or workaround
implemented until the root cause of the issue can be determined and corrected.
As the troubleshooting process proceeds, the temporary fix may need to be reassessed to ensure that it is
supporting the rest of the environment as effectively as possible. Finally, once the original issue has been
determined and corrected, a method for replacing the temporary fix with the permanent solution needs
to be determined and implemented in a way that has the least impact on your organizations operations.
Communication
Almost every issue you troubleshoot is going to affect at least one person in your organization. Those
affected need to know specifically how the issue will affect them going forward. In addition, they should
be informed regarding the progress of the troubleshooting process, time estimates for resolution and
process changes that may be required of them due to a temporary fix. When the issue has been corrected
and the environment returned to a completely functioning state, they also need to be notified that the
issue is resolved. All of these items fall under the category of communication.
13-32
Communication is one of the most critical components in the troubleshooting process and is often
overlooked. Communication may consist of face-to-face conversation, phone calls, e-mails or the
updating of a helpdesk ticket with troubleshooting progress.
If there are a number of people affected by an issue, your communication methods may need to be
adjusted to ensure that the information is reaching those affected as efficiently as possible. For example, if
an issue affects an entire department, you may establish one person from that department, often a
manager, to communicate directly with. Any information regarding the troubleshooting process is then
relayed by the manager to the others in the department. This ensures that you are able to focus on the
troubleshooting process, and assigns responsibility to the manager for making sure that his staff members
are aware of the status and progress of the troubleshooting process.
Documentation
Throughout the troubleshooting process, documentation must be maintained at all levels. Initial
symptoms, affected people and systems, potential causes, as well as both failed and successful attempts to
resolve the issue need to be recorded and appropriately documented to ensure that you make forward
progress in the troubleshooting process.
Failing to document the troubleshooting process could result in overlooked symptoms,
miscommunication or communication breakdown, failed solutions being attempted multiple times, or
even the return to seemingly normal operation without knowing the specifics of the resolution or if a
permanent fix was completed. Once an issue has been resolved, your proper documentation of the
resolution and the steps taken to achieve that resolution can help you to expedite the troubleshooting
process of similar issues.
13-33
Key Points
In any troubleshooting methodology, especially one where multiple people may be involved in the
troubleshooting process, it is important to have an established troubleshooting process. Using this
process, the issue raised is taken through a number of stages, each bringing the issue closer to the final
resolution.
1.
2.
3.
4.
Define the issue. The first step in the troubleshooting process is to correctly define the issue. This
means ensuring that you have obtained specific information regarding the symptoms observed by
those experiencing the issue. This could consist of physical descriptions from end users (my screen
went blank when I clicked the start button) or the observation of the issue yourself. Ensuring that you
understand the scope and the facts of the issue is very important. Incorrect or incomplete information
can lead to incorrect assumptions about troubleshooting information and could potentially result in
the elimination of all assumed root causes without an actual resolution.
Gather initial information. The next step in the process is to gather appropriate information about the
issue. Typically, this gathering consists of actions like extended observation of the symptoms, running
diagnostic tests on affected hardware and software or obtaining technical information from vendors
or suppliers of affected items.
Determine probable causes for the issue. Once the appropriate information has been gathered, a list
of probable causes needs to be recorded and typically ranked, ensuring that the most probable
causes are investigated first. As the troubleshooting process proceeds the causes are tested one by
one, it may lead to the removal of causes other than the cause being tested. It also may lead to new
causes being added to the list as a result of more information gathered during testing.
Develop an action plan. Next, you should determine an action plan to test for the most probable
cause or causes. This plan may involve one or more steps, and should be documented to ensure that
it is carried out properly and that it can be repeated if necessary later in the troubleshooting process.
Also, your development plan should allow for rollback after implementation in case the action plan
does not resolve the issue.
13-34
5.
6.
7.
8.
Implement the action plan. Once a plan has been established, the plan should be implemented and
the process documented.
Test the results of the action plan. After the implementation of the plan has been completed, you
should test the environment to determine if the issue has been corrected. You should also check to
ensure that related systems and users are not negatively impacted by the results of the action plan.
Document the results of the action plan and repeat the action plan steps if necessary. The results of
your action plan should then be documented. If the result of the action plan corrected the matter in a
satisfactory manner, you should carry on to the last step of closing the issue and finalizing the
documentation. If your action plan was unsuccessful, you should rollback the action plan steps. Then
move on to the next probable cause on the list and begin the action plan steps for that cause,
repeating the process until the cause is determined and resolution is achieved.
Record issue as resolved and finalize documentation. Once you have determined the issue as
resolved, any temporary fixes or workarounds should be removed and affected users should be
informed of the resolution. In addition, the documentation of the resolution and steps taken in the
troubleshooting process should be finalized and recorded in a manner that allows for later reference
or cataloging. This may be through a helpdesk ticketing application, a Microsoft Office Word or
Microsoft Office Excel document, or simply a written record in a notebook.
Summary
When these steps are observed and carried out properly, your troubleshooting process will follow a logical
and thorough methodology that will assist you in resolving an issue quickly and efficiently as well as
equipping you with the ability to quickly resolve the issue should it occur again in your environment.
13-35
Key Points
When you are troubleshooting issues in Windows Server 2008 R2, detailed and correct information is your
most valuable asset in determining and resolving the issue. The more information you have available to
you regarding the issue, the more likely you are to be able to determine both the most probable cause
and the most effective solution. Windows Server 2008 R2 contains several built-in tools that allow you to
gather information about the server environment and identify potential issues.
Event Viewer
Windows Event Viewer provides access to the Windows 2008 event logs. Event logs provide information
regarding system events that occur within Windows. These events include information, warning and error
messages about Windows components and installed applications.
Event Viewer provides categorized lists of essential Windows log events (application, security, setup and
system) as well as log groupings for individual installed applications and specific Windows component
categories. Individual events provide detailed information regarding the type of event that occurred,
when the event occurred, the source of the event as well as detailed technical information to assist in
troubleshooting the event.
Additionally, Event Viewer allows you to consolidate logs from multiple computers onto a centralized
computer using subscriptions. Finally, you can configure Event Viewer to perform an action based on a
specific event or events occurring. This may include sending an e-mail message, launching an application
or running a script or other maintenance action that could notify you or attempt to resolve a potential
issue.
Note: Event Viewer can be accessed by clicking the Start button, clicking Administrative Tools and
then clicking Event Viewer.
13-36
Task Manager
Windows Task Manager is the simplest and quickest way to monitor real-time resource usage and
performance information in Windows Server 2008 R2. The Task Manager provides information about
currently running applications, processes and services as well as a high-level performance view of three
system resources: CPU, memory, and network. Within Task Manager, you can also see a list of currently
logged-on users.
Note: To open the Task Manager, do one of the following:
1. Press CTRL+SHIFT+ESC.
2. Press CTRL+ALT+DEL, and then click Task Manager.
3. Right-click the taskbar, and then click Task Manager.
4. Click the Start button, and then in the Start Search box, type taskmgr.exe.
Resource Monitor
Resource Monitor provides features similar to Task Manager, but greatly enhanced. It provides a
comprehensive view of the performance of each of the key system components (CPU, disk, network, and
memory) in both a graphical and a detailed report form. Resource Monitor provides detailed information
that allows you to troubleshoot resource or performance-based issues at a very specific level.
Note: To launch Resource Monitor, do one of the following.
1. Open Task Manager, click the Performance tab, and then click Resource Monitor.
2. Click Start, and then in the Start Search box, type perfmon /res, and then press ENTER.
Performance Monitor
Windows Performance monitor is an MMC snap-in that allows you to measure and compare the
performance of a large number of system components. This information can be displayed graphically in
real time or collected and reported on for a given time period. Windows accumulates the data for these
components using objects called counters. A counter can track the information regarding a single
component or aspect of the system within Performance Monitor.
In addition to the default counters, applications installed on a Windows Server such as Microsoft SQL
Server or Microsoft Exchange Server may add their own counters to Performance Monitor, allowing you to
monitor various aspects of those application installations.
Performance Monitor is capable of monitoring a specific set of counters over a period of time for
monitoring purposes as well as the ability to view detailed reports of system performance and
configuration.
Note: To launch Performance Monitor, do the following:
Click Start , click Administrative Tools, and then click Performance Monitor.
Reliability Monitor
Reliability Monitor provides an overview of system stability and the events and changes that impact the
overall stability of a system. It tracks software installation and uninstallation, Windows failures, application
failures, and hardware failures.
13-37
Reliability Monitor calculates a System Stability Index that reflects in graph form whether unexpected
problems reduced the system's reliability. The accompanying System Stability Report provides details to
help identify the specific changes that reduced reliability.
Note: To launch Reliability Monitor, do the following:
Click Start, in the Start Search box, type perfmon /rel, and then press ENTER.
External Sources
In addition to the troubleshooting tools included with Windows, external sources such as product
manuals, vendor Web sites or community forums or discussion groups can be used to provide additional
resources for the troubleshooting process.
13-38
Key Points
Early in the troubleshooting process, you will attempt to determine the cause of the problem. Typically,
the problem will be with some component of the computer and its associated hardware, software and
environment in general. These elements can be classified into a number of system component categories.
By attempting to determine which system component is causing a problem, you are using the subtractive
approach to troubleshooting. For example, if the computer will not start, you might determine that the
cause could be hardware related, such as a hard disk failure, or operating system related, such as a
missing startup file. However, it is important to consider that a combination of components in different
categories can cause some issues. The following sections look more closely at the main system
components.
Operating System
Faults or corruptions in the system registry or with system services can result in operating systemrelated
problems. The operating system controls user and application access to the computer hardware. The
operating system is composed of device drivers, services, security components, applications, network
components, and the configuration that links these components together. However, for troubleshooting
purposes, you should consider the operating system as just the base elementsstartup files, startup
configuration components, and operating system servicesand not the security, application, or network
elements.
Operating system faults often manifest during the computer startup process. For example, if a user
accidentally deletes a critical startup file, the operating system will be unable to start. If you install a new
operating system service pack, or update, it might introduce unexpected problems. For this reason, it is
important to test all service packs and updates before you deploy them.
Hardware
For the purposes of troubleshooting, hardware-related problems include problems with the physical
computer, attached peripherals and devices, as well as device drivers related to these components.
13-39
Computers are very reliable, but certain components are more prone to failure. Components with moving
parts, such as disk drives and power supplies, tend to wear out. These problems are readily identifiable
and easily fixed.
Other hardware-related issues can occur due to incompatible devices or device conflicts. To communicate
with the rest of the computer, the operating system allocates each device a unique configuration.
Occasionally, the operating system is unable to allocate to all devices the necessary unique configuration;
this may result in device failure or even cause the computer to fail to start at all.
Network Components
You can define any network configuration as a network component. For example, the TCP/IP
configuration is a network component, so problems related to a computers IP address, subnet mask, and
default gateway are all network componentrelated. Many network component problems with server
computers can manifest at client computers, in the form of applications or operating system components
operating in an unexpected way due to lack of network connectivity. Consequently, it can be difficult to
determine precisely where a network component problem lies.
Security
When a user is unable to access a resource that the user should have access to, or conversely, when a user
can access a resource they should be restricted from, there is typically a security-related issue.
Some security-related problems can manifest as network component problems. For example, problems
with the firewall configuration might result in users being unable to access resources to which they should
have access. Data encryption and authentication issues can also result in security problems.
Problems can also occur because of users having elevated administrative rights, or excessive permissions
on important files or folders. For example, a user with Full Control of the Windows system folder may
accidentally delete sensitive system files, resulting in an unstable or unusable operating system.
Applications
Application-related problems are those specifically related to the application programs installed and used
by the users. Many of these problems result from misuse of the application by the user or from the user
attempting to do something with the application that the application does not support. Adequate user
training should minimize these sorts of problems.
If a user reports a problem with an application and misuse has not caused the problem, the problems
cause might be a software error or bug. You can consult the applications documentation to determine
whether this is a known problem and whether service packs or hot fixes exist that will eliminate the
problem.
Users that report performance problems with applications might have hardware-related problems rather
than an application problem. The computer may require more memory, or the computers disk may be
fragmented. You can determine whether a problem is hardware performance related because hardware
performance problems typically affect more than one application.
Application incompatibility issues can also cause significant problems. A specific combination of
applications running at the same time may cause operating system failures and data loss. You can avoid
application incompatibility issues by deploying only applications that you have tested in combination
together, and by restricting end users from installing additional applications.
13-40
Key Points
In this demonstration, you will see how to use various Windows troubleshooting tools.
Demonstration Steps:
1.
2.
3.
13-41
Key Points
After completing this lab, you will be able to:
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
2.
3.
4.
5.
6.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
In Hyper-V Manager, click 6420B-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
A number of troubleshooting tickets have been submitted to you to correct three separate issues that
exist in the Contoso, Ltd company network environment.
13-42
Supporting Documentation
Contoso Incident Record
Incident Reference Number: 501285
Called logged by
Date of call
Time of call
User
Status
John Peoples
15th May
11:45
Daniel Roth
OPEN
Incident Details:
Call logged by IT helpdesk. Branch users cannot access shared files on NYC-SVR4.
1. File shares not accessible over the network.
2. Cannot connect to NYC-SVR4 with Remote Desktop Connection.
3. Cannot ping NYC-SVR4 IP address.
4. All other network resources in the branch location are functioning properly.
Preliminary Questions:
1. Where is the best place to troubleshoot this problem from?
2. What considerations should be made regarding NYC-SVR4 and the people and services that require
the services provided by NYC-SVR4?
Assessment Questions:
1. What is the error message displayed on NYC-SVR4?
2. What could the possible causes of this error message be?
3. What tool should you use to attempt to correct the problem causing the error message?
4. How can you access these tools?
Resolution Questions:
2.
13-43
Observe the error message displayed on NYC-SVR4 and answer the Assessment Questions in the
Incident Record.
Task 3: Resolve the issue on NYC-SVR4 and complete the Incident Record
1.
Attach the Windows Server 2008 R2 Installation DVD to NYC-SVR4 using these steps.
a.
b.
c.
d.
e.
Switch to Hyper-V Manager, right click on 6420B-NYC-SVR4 and then click Settings.
In the Settings for 6420B-NYC-SVR4 dialog box, click DVD Drive in the Hardware Pane.
In the DVD Drive Pane, select Image file and then click Browse.
Navigate to C:\Program Files\Microsoft Learning\6420\Drives, click
WServer2008R2_Eval.iso and then click Open.
In the Settings for 6420B-NYC-SVR4 dialog box, click OK.
2.
3.
13-44
Supporting Documentation
Contoso Add Request
Request Reference Number: 10527
Requested By
Date of Request
Assigned to
Status
Nancy Anderson
17th May
You
OPEN
Request Details:
Configure WSUS for local distribution of updates for the New York office:
1. Install prerequisite components on NYC-SVR2.
2. Install WSUS on NYC-SVR2.
3. Configure WSUS as detailed:
Restore the WSUS backup from E:\Labfiles\WSUS\Backup.
4. Configure test client NYC-CL1 to receive updates from the newly configured WSUS server.
5. Test the configuration by installing updates on NYC-CL1.
Switch to NYC-SVR2.
Run Server Manager and add the Web Server (IIS) role with the following components
enabled:
ASP.NET
Windows Authentication
13-45
Note: There are a number of roles selected by default, no not de-select any of these roles.
2.
3.
Close the Add Roles Wizard after installation is finished and then close Server Manager.
Install Microsoft Report Viewer by doing the following.
a.
b.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
Browse to E:\Labfiles\WSUS.
Run the file WSUS30-KB972455-x64.exe to start the Windows Server Update Services 3.0 SP2 Setup
Wizard.
Install WSUS.
Use the location C:\WSUS for updates, Windows Internal Database as a WSUS database, and the
existing IIS Default Web site.
At the end of installation, the Windows Server Update Services Configuration Wizard appears. Do not
run this wizard, click Cancel to close it. You will restore configuration data using a backup in the next
steps.
13-46
Task 4: Use Group Policy to enable NYC-CL1 to obtain updates from the new WSUS
server
1.
2.
3.
4.
5.
6.
7.
8.
9.
Set the intranet update service for detecting updates and the intranet statistics server to
http://NYC-SVR2.
Task 5: Create a computer group, and add NYC-CL1 to the new group
1.
2.
3.
4.
In the Update Services window, in the console pane, expand Updates, and then click Security
Updates.
In the details pane, change the Approval filter to Any Except Declined, change the Status filter to
Any, and then click Refresh. Notice all of the updates available.
In the Security Updates pane, right-click Security Update for Windows 7 (KB981332), and then
click Approve.
Note: Entering yesterdays date will cause the update to be installed as soon as the client computers
contact the server.
Note: It may take several minutes for the Windows Update icon to appear.
On NYC-SVR2, run a Computer Detailed Status report to view updates for NYC-CL1.
Results: At the end of this exercise, you will have configured WSUS to manage updates.
13-47
13-48
Examine the Performance Monitor logs for the first issue and answer the resolution questions for Part
A.
Examine the Performance Monitor logs for the first issue and answer the resolution questions for Part
B.
Supporting Documentation
Contoso Incident Record PART A (Complete for Task 1)
Incident Reference Number: 501289
Called logged by
Date of call
Time of call
User
Status
John Peoples
19th May
12:10
Daniel Roth
OPEN
Incident Details:
Call logged by IT helpdesk. Users report NYC-SVR2 is running slow. Performance Monitor logs are stored
in E:\Labfiles\Captures\6420B-NYC-SVR2-LAB13-EX3-PARTA.blg.
Resolution Questions:
1. What do the Performance Logs for NYC-SVR2 indicate could be the source of the problem?
2. Keeping in mind your answer from question 1, what steps (using a troubleshooting methodology)
would you take to continue the troubleshooting process?
Contoso Incident Record PART B (Complete for Task 2)
Incident Reference Number: 501290
Called logged by
Date of call
Time of call
User
Status
John Peoples
20th May
13:15
Daniel Roth
OPEN
Incident Details:
Call logged by IT helpdesk. Users report NYC-SVR2 is running slow, Performance Monitor logs are stored
in E:\Labfiles\Captures\6420B-NYC-SVR2-LAB13-EX3-PARTB.blg.
Resolution Questions:
13-49
Task 1: Examine the Performance Monitor logs for the first issue and answer the
resolution questions for Part A
1.
2.
3.
4.
5.
Task 2: Examine the Performance Monitor logs for the first issue and answer the
resolution questions for Part B
1.
2.
3.
4.
5.
13-50
Review Questions
1.
2.
3.
Tools
Tool
Use for
Where to find it
BCDEdit
WinRE
/downloads/details.aspx?
FamilyId=a206ae20-2695-436c-9578403a7d46e40&displaylang=en
Safe Mode
13-51
Tool
Use for
Where to find it
Windows Server
Backup
Windows Update
computers.
device driver and Microsoft
application components.
WSUS
Event Viewer
Task Manager
Performance
Monitor
Reliability Monitor
13-52
Implementing Virtualization
Module 14
Implementing Virtualization
Contents:
Lesson 1: Overview of Virtualization Technologies
14-3
14-14
14-29
14-1
14-2
Module Overview
Almost all organizations are looking for ways to decrease the cost and complexity of providing an
Information Technology (IT) infrastructure.
Virtualization has become a key component in developing an efficient and cost effective IT strategy. This
module introduces virtualization, and it describes how virtualization relates to server, desktop, and
application environments. This module also describes how to implement server virtualization by deploying
and configuring the Hyper-V server role.
Objectives
After completing this module, you will be able to:
Implementing Virtualization
14-3
Lesson 1
Microsoft provides a complete set of products that provide virtualization solutions in many scenarios. You
can use these virtualization products in many different ways to make the IT infrastructure more efficient
and effective. This lesson provides an overview of the Microsoft virtualization solutions, and details how
you can use them to address many of todays IT infrastructure issues.
Objectives
After completing this lesson, you will be able to:
14-4
Key Points
Virtualization separates the application and operating system components that users work with from the
actual physical components that provide the application or operating system services. For example, virtual
machines provide all of the functionality of physical servers, but the operating system is not tied to any
particular piece of hardware, and can be made available where it is most convenient. Applications
traditionally have run on an operating system that is running on a particular piece of hardware. With
application and presentation virtualization, those applications may be running on a centralized server or
in a virtual environment that is completely portable to other operating systems or hardware devices.
Virtualization Solutions
Microsoft provides virtualization solutions that address most of the virtualization requirements for most
organizations.
Server virtualization. Windows Server 2008 Hyper-V and Microsoft Virtual Server 2005 R2 enable
server virtualization, so that you can run multiple virtual machines on a single physical server. This
allows greater density of resource use (hardware, utilities, space) while allowing you to maintain
operational isolation and security.
Presentation virtualization. Remote Desktop Services (RDS) in Windows Server 2008 R2 provides
presentation virtualization. RDS replaces Terminal Services, which was available in previous Windows
versions. Presentation virtualization enables you to run applications and maintain application storage
Implementing Virtualization
14-5
on centralized servers, while providing users with a familiar application interface on their
workstations. RDS provides the tools required to create a seamless environment for users so they can
run applications locally or on a remote server with very minimal differences. Microsoft extends the
concepts of presentation and desktop virtualization with Virtual Desktop Infrastructure (VDI). With
VDI, you can host client virtual machines on a Hyper-V infrastructure and provide access to the virtual
machine through RDS.
User state virtualization. User state virtualization enables users to take advantage of separating their
documents and profile information from a specific computer, which makes it easy to get working
again on a new machine in case of a stolen or dropped laptop. Profile virtualization also makes it easy
for users to move between computers, or to experience the same desktop environment when using
one of the other virtualization technologies.
14-6
Server Virtualization
Key Points
Server virtualization enables you to configure one or more virtual machines that emulate a physical
computer. Multiple virtual machines can run on one physical server, with all the virtual machines sharing
the resources available on the physical server.
Microsoft provides three products for server virtualization:
Server consolidation. Many servers that organizations deploy are underutilized. By deploying multiple
virtual machines on a much lower number of physical servers, you can increase the server resource
utilization significantly while decreasing the number of physical servers. You can deploy many virtual
machines on one physical server. In most organizations, this will result in a significant decrease in
power and space consumption in the data centers.
Service or application isolation. Server virtualization enables you to run each service or application on
an isolated operating system. This means that you can prevent one application from impacting
another application when upgrades or changes are made. This is preferable to running multiple
applications or services on a single operating system.
Implementing Virtualization
14-7
Simplified server deployment. By creating standard virtual machine builds, you can deploy new server
builds more easily. Because you are deploying virtual machines rather than physical servers, you do
not need to acquire new hardware or locate data center space and power, for each new server.
Note: You may need to invest in new server and storage hardware when first implementing server
virtualization, but an important result of server virtualization is the decrease in the number of physical
servers that your organization will need.
Increased service and application availability. Because the service or application no longer connects
directly to a specific piece of hardware, it is much easier to ensure high availability and recoverability.
With live migration in Windows Server 2008 R2, you can move a virtual machine to another physical
server with little or no perceived outage.
Multiple operating systems can run on one consistent platform. With server virtualization, you can
deploy multiple operating system technologies on a single hardware platform. For example, you can
deploy the Windows Server 2003 operating system, the Windows Server 2008 operating system, and
Linux on one Windows Server 2008 R2 Hyper-V host. Server virtualization also makes it much easier
to replace hardware when it becomes obsolete or fails.
14-8
Desktop Virtualization
Key Points
Desktop virtualization provides new options for deploying client desktops by enabling several ways to
virtualize the desktop. Traditionally, users have worked on a specific piece of hardware that is running a
single operating system and all applications.
VDI
VDI extends the concept of desktop virtualization by running client operating systems as virtual machines
on servers in the data center. This means that the virtual client computers are not running on the user
desktop, but on a centralized Hyper-V environment in the data center. Users can interact with the virtual
machines by using regular computers or thin clients, and then establishing remote desktop connections to
the virtual machines. In Windows Server 2008, VDI has been integrated with RDS to provide a consistent
client experience.
VDI enables you to centralize a users desktop for easier management. With VDI, the user can get an
individualized desktop experience with full administrative control over desktop and applications.
Implementing Virtualization
14-9
MED-V
The Microsoft Desktop Optimization Pack includes MED-V, which enhances the management of the
virtual machines that deploy to user desktops. MED-V adds four additional components on top of Virtual
PC to enable enterprise deployment of desktop virtualization.
Virtual image repository and delivery. Simplifies the process of creating, testing, delivering, and
updating virtual images.
Centralized management and monitoring. Manages the life cycle of a virtual machine.
Usage policy and data transfer control. An endpoint agent enforces usage policies for the virtual
machine
Question: When would you use each of the desktop virtualization options?
14-10
Presentation Virtualization
Key Points
Presentation virtualization runs applications on a central server, with only the application interface, mouse
movements, and keystrokes sent across the network between the central server and the client computer.
Presentation virtualization creates virtual sessions in which the executing applications project their user
interfaces remotely.
Presentation virtualization was available for several Windows Server versions as Terminal Services. In
Windows Server 2008 R2, the presentation virtualization feature is renamed to RDS.
Remote Desktop RemoteApp. RemoteApp allows single applications to be accessible through Remote
Desktop connections. With RemoteApp, an applications user interface appears on the desktop as if
that application were running locally. In fact, an application accessed via RemoteApp appears in the
task bar like a local application, and you also can launch it like one: from the Start menu, through a
shortcut, or by opening a file with the application extension.
Remote Desktop Web Access. Enables you to launch single applications and complete desktops from
a Web browser.
Remote Desktop Gateway. Encapsulates Remote Desktop Protocol (RDP) traffic in Hypertext Transfer
Protocol Secure (HTTPS). This gives users outside an organizations firewall more secure access to
internal applications without using a virtual private network (VPN).
Remote Desktop Connection Broker. Provides load balancing functionality for Terminal Services
connections and enables a user to reconnect to an existing session in a load-balanced terminal server
farm.
Implementing Virtualization
14-11
RemoteApp and Desktop Connection. This Control Panel client application allows users running
Windows 7 to easily connect to RemoteApp programs and Remote Desktops.
You can centralize your data. This means that you can store it safely on a central server rather than on
multiple desktop machines, which improves security because information is not spread across many
different systems.
You can reduce the cost of managing applications significantly. Instead of updating each application
on each individual desktop, for example, you must change only the single shared copy on the server.
Presentation virtualization also allows using simpler desktop operating system images or specialized
desktop devices, commonly called thin clients, both of which can lower management costs.
You can combine application virtualization with presentation virtualization to reduce the issues with
incompatibilities between applications. You can install App-V applications on Remote Desktop
Session Host servers and run multiple instances of potentially incompatible applications on the
centralized server.
In some cases, presentation virtualization can improve performance. For example, if a client or server
application needs to access large amounts of data from a central database, it may be quicker to run
the application on a Remote Desktop Session Host that is located close to the data, rather than pull
the data across a slow network connection to the client.
14-12
Application Virtualization
Key Points
You can use application virtualization to create virtual applications that you then can distribute to user
desktops. Each virtual application includes its own registry entries, specific dynamic-link libraries (DLLs),
and other resources. When you deploy a virtual application, it uses its own copy of these shared resources.
Because the virtual application runs in an isolated environment, incompatible applications can share the
same workstation.
App-V provides an application virtualization solution.
Benefits of App-V
App-V provides the following benefits:
App-V enables you to run potentially incompatible applications on the same client computer.
Applications commonly share various application or operating system components with other
applications on the client computer. For example, one application might require a specific version of a
DLL, while another application on that system might require a different version of the same DLL.
Installing both applications may result in one of the applications overwriting the DLL that the other
requires. With application virtualization, each application can have its own version of all required files
and settings on the client computer.
Application virtualization can make application deployment significantly easier. When you create a
virtual application, you create a single file that you can distribute to client computers. Since the
applications are encapsulated in a virtual environment, you do not need to test new applications for
conflicts with existing applications before you roll them out.
From the users perspective, a virtual application can be launched and run just like any other
application. The user can start the virtual application from the Start menu, from a desktop icon, or by
file extension association. The application appears in Task Manager. When the application is running,
you can connect to printers, network connections, and other resources just like you can from any
other application.
Implementing Virtualization
14-13
Virtual applications are easy to deploy and manage. You can stream a virtual application from a
server, on demand, so the user can download it automatically the first time he needs to use it. If you
must update an application, administrators can update the server version of the application, and the
updated files then download the next time the client computer needs to run the application.
14-14
Lesson 2
Server virtualization requires a host platform that enables you to run virtual machines. The current
product from Microsoft that provides this platform is Windows Server 2008 R2 Hyper-V. This lesson
explains how to deploy and configure the Hyper-V role.
Objectives
After completing this lesson, you will be able to:
Describe Hyper-V.
Implementing Virtualization
14-15
What Is Hyper-V?
Key Points
The Hyper-V role in Windows Server 2008 and Windows Server 2008 R2 provides software infrastructure
and basic management tools that you can use to create and manage a virtualized server computing
environment.
Hyper-V is a hypervisor-based virtualization technology. The hypervisor is the processor-specific
virtualization platform that allows multiple isolated operating systems to share a single hardware
platform.
Hyper-V is a Type 1 hypervisor. A Type-1 hypervisor is a hypervisor that is considered a bare-metal
hypervisor and runs directly on top of hardware. Type 1 hypervisors are often referred to as hardware
virtualization engines. Hyper-V is designed using a 64-bit hypervisor. The hypervisor allows multiple
virtual machines to access physical memory and CPU resources without conflicts. Also, it allows creation of
64-bit guest operating systems. In combination with virtualization-aware hardware that includes
processors using Intel VT and AMD V technology, the Hyper-V hypervisor enables high performance and
excellent scalability for guest operating systems.
Because the Hyper-V hypervisor takes advantage of Intel VT and AMD-V technology, more of the work of
virtualizing multiple operating systems is performed by the processor hardware and less needs to be
performed by the virtualization stack and hypervisor. The virtualization stack runs within the parent
partition and has direct access to hardware devices. The parent partition then creates child partitions,
which host the guest operating systems.
After the initial Windows Server 2008 R2 installation, the operating system can access the server hardware
directly. After you add the Hyper-V role, a thin hypervisor layer between the operating system and the
hardware resources is added. The currently installed operating system becomes the parent partition from
where you can create and manage child partitions. Child partitions also do not have direct access to other
hardware resources and are presented a virtual view of the resources, as virtual devices.
14-16
Drivers in the parent partition are used for accessing the server hardware. Child partitions use virtualized
devices through virtual server client (VSC) drivers, which communicate through Virtual Machine Bus
(VMBus) with Virtualization Service Providers (VSP) in the parent partition. Requests to the virtual devices
are redirected either through the VMBus or through the hypervisor to the devices in the parent partition.
The VMBus manages the requests. The VMBus is a logical inter-partition communication channel. The
parent partition hosts VSPs, which communicate over the VMBus to handle device access requests from
child partitions. Child partitions host VSCs, which redirect device requests to VSPs in the parent partition
through the VMBus.
Implementing Virtualization
14-17
Key Points
Before you can run virtual machines in Windows Server 2008 R2 Hyper-V, you must ensure that you
properly address and configure all hardware perquisites on the host computer. There are four
requirements that you must meet before you can install the Hyper-V server role successfully: You must
have:
An x64-based processor.
Hardware-assisted virtualization.
A basic input/output system (BIOS) that allows you to enable DEP and hardware-assisted
virtualization.
DEP
You must have hardware-enforced DEP enabled by configuring either the Advanced Micro Devices (AMD)
no execute bit (NX bit) or the Intel execute disable bit (XD bit).
Note: DEP provides operating system protection from applications executing code in a nonexecutable memory region; this helps to prevent malicious code from executing on your computer.
Hardware-enforced DEP provides improved protection over that available in software-enforced DEP.
Hardware Virtualization
If you want to run Hyper-V, you must have servers that are capable of running AMD Virtualization (AMDV) or Intel Virtualization Technology (Intel VT).
14-18
Note: Using hardware virtualization improves the performance of virtual machines over that offered
by software virtualization engines, such as Microsoft Virtual Server. Virtualization is improved because
the hardware, rather than the software, can handle certain critical, non-virtualizable guest operating
system requests. Hardware virtualization reduces the load on the host operating system.
After modifying the BIOS to support hardware virtualization and DEP, you may have to turn off the server
for the settings to take effect. Performing a restart may not enable the new settings. You must turn off the
computer completely, and then restart it.
Note: A new feature of Windows Server 2008 R2 Hyper-V is support for AMDs Rapid Virtualization
Indexing (RVI) and Intel's Extended Page Tables. While Hyper-V does not require these two new
features, it does provide performance improvements for processor capabilities. You can install Hyper-V
safely on older hardware if it meets DEP and hardware virtualization requirements.
Implementing Virtualization
14-19
Key Points
A virtual hard disk provides storage for a virtual machine. Within the virtual machine, the virtual hard disk
is represented as a physical disk, and the virtual machine uses it as if it were a physical disk. There are
different types of virtual hard disks (VHDs) that have various advantages and disadvantages.
Fixed-Size VHDs
Fixed-size VHDs are disks that use as much physical disk space as you specify when you create the disk.
For example, if you create a 100 gigabyte (GB) fixed-size VHD, it will use 100 GB of physical disk space.
The primary benefit with using fixed size disks is that all of the storage required for the disks is committed
when you create the disks, thus reducing the likelihood that you will over commit your storage resources.
14-20
One of the reasons for choosing fixed-size VHDs is that dynamically-expanding VHDs may not support
some applications. For example, Microsoft does not support Microsoft Exchange Server 2010 or Exchange
Server 2007 deployed on dynamically expanding VHDs.
One of the disadvantages of fixed-size disks is that the disks may take longer to move from one server to
another.
Differencing VHDs
A differencing virtual hard disk is a virtual hard disk associated with another virtual hard disk in a parentchild relationship. The differencing disk is the child and the associated virtual disk is the parent. The
parent disk can be any type of virtual hard disk. The differencing disk (the child) stores a record of all
changes made to the parent disk and provides a way to save changes without altering the parent disk. In
other words, by using differencing disks, you ensure that changes are made to the differencing disks and
not to the original virtual hard disk. You can merge changes from the differencing disk to the original
virtual hard disk, when appropriate.
The differencing hard disk expands dynamically as data intended for the parent disk is written to the
differencing disk. You should write-protect or lock the parent disk. If another process modifies the
parent disk, and does not recognize the differencing disks parent/child relationship, then all
differencing disks related to the parent disk become invalid, and any data written to them is lost. By
locking the parent disk, you can mount the disk on more than one virtual machine, similar to a readonly floppy disk or CD-ROM.
You cannot specify a size for a differencing disk. Differencing disks can grow as large as the parent
disks to which they are associated. However, unlike dynamically expanding disks, differencing disks
cannot be compacted directly. You can compact differencing disks only after merging the disk with a
dynamically-expanding parent disk.
If you are using differencing disks, it is important to have a standardized naming convention for your
virtual hard drives. It is not readily apparent from examining the virtual hard drive in Hyper-V
manager whether it is a differencing drive or a parent disk.
Pass-Through Disks
Hyper-V also allows for the use of a pass-through disk type. When you configure a virtual machine to use
a pass-through disk, the virtual machine will use an entire physical disk or volume on the host computer.
If you intend to use pass-through disks to support an operating system installation, you must store the
guest configuration file in an alternate location. This is because the operating systems installation will
consume the entire pass-through disk. For example, you could locate the configuration file on another
internal drive in the Hyper-V server itself, or if the host computer is part of a failover cluster, you can host
the configuration file on a separate cluster that provides highly available file services. Be aware that you
cannot dynamically expand pass-through disks.
Question: Describe a scenario in which you would use a dynamic disk?
Implementing Virtualization
14-21
Virtual Networks
Key Points
Virtual Network Manager gives you the ability to create a mechanism for binding virtual machines to a
physical network. Virtual Network Manager enables you to create and manage virtual networks. You can
use Virtual Network Manager to add, remove, and modify the virtual networks. Virtual Network Manager
is available from Hyper-V Manager.
When you create a virtual network, Hyper-V creates a virtual switch. The virtual switch routes traffic based
on either the media access control (MAC) addresses or the virtual local area network (VLAN) Identifiers.
The virtual switch modifies the MAC addresses of packets as it is used to route traffic with different MAC
addresses than the physical network card MAC address. The advantage is that it can bind to any 802.3
compliant physical Ethernet network adapter.
You cannot connect a virtual network to a wireless network adapter. The virtual switch changes the MAC
address of the source packet so that it does not match its own MAC address. As a result, you cannot
provide wireless networking capabilities to virtual machines, because the 802.11 standard does not
support the MAC address changes. You can attach only one virtual network to a specific physical network
adapter at a time. You cannot attach multiple virtual networks to the same physical network adapter.
When you create a virtual network:
You can associate only one Hyper-V virtual network with a single physical network adaptor.
It is bound to a physical network adapter and all other protocols are automatically unbound.
You can use it to control and secure network traffic that enters and leaves a virtual machine.
Windows Server 2008 R2 Hyper-V supports three types of virtual networks: external, internal, and private.
When you create a virtual network through either the Hyper-V Manager or Windows Management
Instrumentation (WMI), you also create a new software-based switch. There is no limit to how many virtual
networks or ports for virtual machine connections that you can create.
14-22
External. An external virtual network binds to a physical network adapter on the Hyper-V server so
that the virtual machine can have access to a physical network. When you create a new external
virtual network, Hyper-V creates a virtual network adapter on the parent partition unless you clear the
option to Allow management operating system to share this network adapter. You would use an
external connection when your virtual machine needs to access or be accessed on the corporate
network or beyond the corporate environment.
Note: When you create an external virtual network, and clear the option to Allow management
operating system to share this network adapter, the physical network adapter will be available only
for virtual machines and will not be accessible by the host computer. This is a best practice if you want
to isolate virtual machine network traffic from host network traffic. In this scenario, you must not clear
this option on at least one network adapter or not create a virtual network that uses one of the
physical network adapters to ensure that the host computer can communicate on the network.
Internal. When you create an internal virtual network, it allows the virtual machines to communicate
with each other and with the Hyper-V server, but they cannot communicate with the physical
network. This scenario is commonly used to simulate a networked environment with the base system.
An internal network might be used in a training environment.
Private. The creation of a VPN enables the virtual machines to communicate with each other, but
there is no association with any physical network adapter in the parent partition. This means that the
virtual machines can communicate with each other but not with the host computer or with other
computers on external networks. You can use private networks if you need to isolate virtual machines
for security reasons. You may also have virtual machines that are being used for testing purposes and
you do not want the virtual machines to inadvertently access the corporate network.
Question: Can you describe the steps you would use to isolate virtual machines from the physical
network?
Implementing Virtualization
14-23
Virtual Machines
Key Points
Virtual Machine Components
A virtual machine includes the following components:
Virtual processors. You can configure virtual machines with up to four virtual processors, depending
on the operating system that is running in the virtual machine. The number of virtual processors that
you can assign to a virtual machine is limited to the host computers number of processor cores, but
you can assign more virtual processors in total between running virtual machines than there are
processor cores on the host computer.
Memory. You can configure virtual machines with up to 64 GB of memory. The memory that you can
assign to virtual machines is limited by the amount of random access memory (RAM) that the host
computer has available. You cannot run virtual machines where the cumulative memory exceeds the
amount of RAM available on the host computer.
Network adapters. The virtual machine uses network adapters to connect to the external network, to
other virtual machines on the same host, or to the host computer. You can assign multiple virtual
network adapters in virtual machines.
Virtual disks. Virtual disks are .vhd files that are available to the virtual machine as the system drive or
for data storage. You have several options when configuring virtual disks. You also can create virtual
machine snapshots, which creates Automatic VHD files with an .AVHD extension.
Windows Server 2008 and Windows Server 2008 R2. All server editions are supported except for the
Windows Server 2008 R2 for Itanium-based Systems operating system edition. You can install both
64-bit and 32-bit versions and configure them with one, two, or four virtual processors.
14-24
The Windows Server 2003 Standard Edition operating system with Service Pack 2 (SP2) and the
Windows Server 2003 R2 Standard Edition operating system with SP2. All server editions are
supported except for the Windows Server 2003 Enterprise Edition for Itanium-based systems
operating system. You can install both the 64-bit and 32-bit versions and configure them with one or
two virtual processors.
The Microsoft Windows 2000 Server with SP4 operating system. Both Server and Advanced server
editions are supported and you can configure them with only one processor.
Red Hat Enterprise Linux 5.2, 5.3 and 5.4. Both x86 and x64 editions are supported but you can
configure them with only one processor. Linux Integration Components for Hyper-V are available and
supported for these versions of Linux.
SUSE Linux Enterprise Server 10 with Service Pack 1 or 2, and SUSE Linux Enterprise Server 11. Both
x86 and x64 editions are supported, but you can configure them with only one processor. Linux
Integration Components for Hyper-V are available and supported for these versions of Linux.
Windows 7, Windows Vista, and Windows XP with SP2 or later. You can configure Windows 7 virtual
machines with up to four processors. Additionally, you can configure Windows Vista and Windows XP
SP3 with one or two processors and Windows XP SP2 with one processor.
Implementing Virtualization
14-25
Key Points
You can install the Hyper-V role either on a full or Server Core installation of Windows Server 2008 R2.
Installing the Hyper-V role on a full installation of Windows Server 2008 R2 installs all of the Hyper-V
components. However, to install the Hyper-V role, you must be a member of the local Administrators
group or your administrator must give you permissions.
After you install and configure the Hyper-V role on a server running Windows Server 2008 R2, you can
manage the Hyper-V role and virtual machines by using the Hyper-V management tools. The
management tools consist of the Hyper-V Manager, which is a Microsoft Management Console (MMC)
snap-in, and Virtual Machine Connection, which provides you with direct access to a virtual machine
through a network connection.
You also can manage the Hyper-V server role and connect to a virtual machine running in Hyper-V from
remote computers. If you are running Windows Server 2008 or Windows Server 2008 R2, you can install
the Hyper-V Tools feature. You also can manage Hyper-V from a client machine by installing the Remote
Server Administration Tools management tools.
The Hyper-V Manager is the central graphical interface console that an administrator will use to manage
small Hyper-V environments. You can use the Hyper-V Manager to administer several Hyper-V servers. In
larger deployments, you should use the System Center VMM.
The Hyper-V Manager has three panes. The left pane shows the Hyper-V servers that you are managing
currently. The center pane displays the virtual machines that you have installed on the selected Hyper-V
server, as well as snapshots of highlighted virtual machines and their details. The right pane lists the
actions available for managing a virtual server and virtual machines.
14-26
Demonstration Steps:
1.
2.
3.
Implementing Virtualization
14-27
Key Points
VMM 2008 R2 enables you to administer and manage virtual environments from a central location. It also
helps increase physical server utilization and enables the VMM administrator and authorized self-service
end users to provision new virtual machines rapidly. It is a solution that solves many of the challenges
found in a virtualized infrastructure.
You specifically can use Virtual Machine Manager to:
Support Hyper-V.
VMM can integrate fully with your current Hyper-V environment, and it provides the same functionality as
Hyper-V Manager, as well as numerous extended management features. VMM takes full advantage of
Hyper-V benefits through a powerful, yet easy to use, console that streamlines many management tasks
for virtual infrastructures. Additionally, administrators can manage virtualization host servers and their
virtual resources through one unified console.
You can use VMM to manage virtualization in many business scenarios, including server consolidation,
resource provisioning, business continuity enhancement, and performance and resource optimization.
Some key benefits that VMM offers include:
Maximizes data center resources through consolidation. A typical physical server in the data center
operates at only 5 to 15 percent CPU capacity. VMM can help consolidate suitable server workloads
onto a virtual machine host infrastructure, which frees up physical resources for repurposing or
14-28
hardware retirement. By consolidating physical servers, you ensure that data center growth is less
constrained by space, electrical, and cooling requirements.
Supports for Microsoft Virtual Server and VMware ESX. With this release, VMM now manages VMware
ESX virtualized infrastructure in conjunction with the Virtual Center product. VMware versions that are
supported are VMware ESX Server 3.0 or above, VMware ESX Server 3.5i, VMware VirtualCenter (VC)
2.5 (VMware Infrastructure 3 [VI3]), and VMware vSphere 4 (VI3 features only). Now administrators
running multiple virtualization platforms can rely on one tool to manage virtually everything. Because
of VMM compatibility with VMware VI3 (through Virtual Center), the VMM now supports features
such as VMotion, and provides VMM-specific features such as Intelligent Placement to VMware
servers.
Enables Performance and Resource Optimization (PRO). PRO provides the dynamic management of
virtual resources though management packs that are PRO-enabled. Utilizing the deep monitoring
capabilities of System Center Operations Manager 2007, PRO enables administrators to establish
remedial actions that VMM will execute if a PRO identifies poor performance or pending failures in
hardware, operating systems, or applications. As an open and extensible platform, PRO encourages
partners to design custom management packs that promote compatibility of their products and
solutions with PROs powerful management capabilities.
Converts machines by converting a physical machine to a virtual one can be a daunting undertaking-slow, problematic, and typically requiring you to halt the physical server. However, the enhanced P2V
conversion in VMM means that P2V conversions will become routine. Similarly, VMM also provides a
straightforward wizard that can convert VMware virtual machines to VHDs through a quick and easy
V2V transfer process.
Provisions new machines quickly. VMM enables this efficiency by providing IT administrators with the
ability to deploy virtual machines in a fraction of the time it would take to deploy a physical server.
Through one console, VMM allows administrators to manage and monitor virtual machines and hosts
to ensure they are meeting the needs of the corresponding business groups.
Minimizes deployment guesswork with Intelligent Placement. VMM does extensive data analysis on a
number of factors before recommending which physical server should host a given virtual workload.
This is especially critical when administrators are determining how to place several virtual workloads
on the same host machine. With access to the historical data that Operations Manager 2007 provides,
the Intelligent Placement process is able to factor past performance characteristics to ensure the best
possible match between the virtual machine and its host hardware.
Delegates virtual machine management for Development and Test. This latest version of VMM
features a thoroughly reworked and improved self-service Web portal, allowing administrators to
delegate this provisioning role to authorized users while maintaining precise control over the
management of virtual machines.
Organizes virtual machine components with the library. To keep a data centers virtual house in order,
VMM provides a centralized library to store the building blocks for various virtual machines, such as
off-line machines and other virtualization components. With the librarys easy-to-use structured
format, IT administrators can quickly locate and reuse specific components, thereby remaining highly
productive and responsive to new server requests and modifications.
Provides a rich management and scripting environment with Windows PowerShell. The entire VMM
Administrator Console is built on the command-line and scripting environment, Windows PowerShell.
This version of VMM adds additional PowerShell cmdlets and view script controls, which allow
administrators to exploit customizing and automating operations at an unprecedented level.
Implementing Virtualization
14-29
Lab Setup
For this lab, you will use the available host computer environment. Before you begin the lab, you must
complete the following steps:
1.
2.
Ensure that your host computer is running and that you are logged on.
Ensure that no virtual machines are currently running.
Lab Scenario
Contoso, Ltd. has decided to introduce virtualization into their IT environment because they wish to
reduce their hardware and power expenditures for the data center. The company has started deploying
Hyper-V host computers running on Windows Server 2008 R2. You now need to create several virtual
machines on the host computers.
14-30
On your host computer, in Hyper-V Manager, create a new virtual hard disk with the following
configuration:
Name: NYC-Prod1.vhd
Maximum size: 32 GB
On your host computer, in Hyper-V Manager, create a new virtual hard disk with the following
configuration:
Type: Differencing
Name: NYC-Test1.vhd
Results: After this exercise, you should have created the required VHDs.
Implementing Virtualization
14-31
On your host computer, in Hyper-V Manager, create a new virtual machine based on the following
criteria:
Name: NYC-PROD1
Use an existing virtual disk, NYC-PROD1.vhd, that you created for production in Exercise 1.
On your host computer, in Hyper-V Manager, create a new virtual machine based on the following
criteria:
Name: NYC-TEST1
Use an existing virtual disk, NYC-TEST1.vhd, that you created for test in Exercise 1.
Results: After this exercise, you should have created the two virtual machines required for testing
purposes.
14-32
2.
3.
4.
5.
On your host computer, in Hyper-V Manager, create a new virtual hard disk with the following
configuration:
Name: NYC-Prod1-Data.vhd
Maximum size: 64 GB
Implementing Virtualization
14-33
Create a snapshot.
Apply snapshots.
In Hyper-V Manager, ensure that the NYC-TEST1 virtual machine is turned off.
Create a new snapshot of NYC-TEST1, and name it PRE-Test Snapshot.
Start NYC-TEST1, and connect to it. Log on as Administrator using the password Pa$$w0rd.
Close all open windows or dialog boxes.
On the virtual machine desktop, create a new text document called Snapshot1.txt.
Create a new snapshot of NYC-TEST1, and name it Snapshot2.
On the virtual machine desktop, create a new text document called Snapshot2.txt.
Revert the virtual machine. On the virtual machine desktop, verify that the Snapshot2.txt file is no
longer on the desktop.
Apply the PRE-Test Snapshot. Verify that the virtual machine turns off. This is the state that the
virtual machine was in when you created the snapshot.
Apply Snapshot2, and start the virtual machine. Verify that the Snapshot1.txt file is on the desktop.
Shutdown the virtual machine.
Results: After this exercise, you should have created snapshots and applied them to your virtual
machines.
14-34
Review Questions
1.
2.
3.
4.
5.
Your organization is considering implementing server virtualization using Hyper-V. What is the
primary consideration that you will need to consider when purchasing servers for this role?
What are the hardware and BIOS prerequisites to install the Hyper-V Role?
What are the differences between External, Internal, and Private virtual networks?
Where is the option to change the location of the .VHD and virtual machines?
What does it mean when the mouse pointer displays as a small dot in a virtual machine window?
Troubleshooting tip
Verify that they are using the same VLAN ID. If they are using a
compatible VLAN, then verify the IP address configuration in the
virtual machines.
When you copy a virtual hard disk file from one host to another,
the network configuration is not moved with the virtual machine.
To retain the network configuration, you need to export and then
import the virtual machine.
Implementing Virtualization
14-35
3.
You are going to deploy Hyper-V on the Windows Server 2008 R2 servers. You have concerns about
performance problems with so many virtual machines running on a server.
You have concerns about the hardware requirements to deploy Hyper-V. Another department will
create the virtual machines and then ship them to you for installation and configuration. When you
import the virtual machine into Hyper-V and attempt to start the virtual machine, you receive an
error that Hyper-V launch failed; Either VMX not present or not enabled in BIOS.
Your organization is testing a custom application. The testers report that when they install the
application on computers running an older version of the same application, they get errors. How
could you address this issue?
14-36
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
L1-1
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: Component Needs
Assessment.
Branch Office Network Infrastructure Plan: Component Needs Assessment
Document Author:
Date:
You
22nd March
Requirements Overview
Recommend basic infrastructure components for the implementation of the network in the new
Seattle location.
Recommend infrastructure to connect the Seattle location to the New York location.
Recommend infrastructure to allow home office users and partners access to the resources they
need from the Seattle location.
Proposals:
1. What Ethernet standard should be used for the staff offices portion of the Seattle location?
Answer: Due to the large amount of data being sent back and forth on the network, the fastest
possible Ethernet standard should be used that can be deployed in an office LAN environment.
10GBASE-T offers a throughput of 10Gbps and uses copper wire cabling as its medium, which can
be easily installed into each office as the new building is being constructed.
2. What infrastructure should be used to connect the conference room portion of the Seattle
location?
Answer: With the conference rooms size and the variance in location and mobility of users and
their laptops, a wireless infrastructure should be used for the conference room, preferably the
fastest available, 802.11n. Encryption should also be added to the wireless network, preferably
using WPAv2, the most secure and current wireless encryption protocol.
3. What components and technology would you use to connect the New York and Seattle
branches?
Answer: T1 would be a good choice. There isnt a lot of data being sent between the two offices,
and a leased T1 connection through a telecommunications provider would allow for data to be
sent between locations in a secure fashion.
4. What is the best architecture to allow both partners and home office users to access their
information using only one method of access?
Answer: An extranet could be set up, providing a server available for both partners and remote
users to exchange their files. This would provide one point of access, as well as a centralized place
to host the files that these two groups are using. A VPN solution could be considered for the
home office users, but because they only need access to a few files, an extranet would be a more
logical choice.
L1-2
L2-1
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Components Deployment Plan document.
Branch Office Network Components Deployment Plan
Document Reference Number: CW010210/1
Document Author
Date
Charlotte Weiss
1st Feb
Requirements Overview
To determine which components to install to connect nodes at branch offices and to connect
branches to head office.
Additional Information
High-bandwidth applications will be used in the branches.
Devices must provide for virtual local area networks (VLANs) to support project teams that span
each branch.
Traffic should be isolated in the branch except where necessary.
It should be possible to manage traffic in the branch based upon its priority.
Proposals
1.
2.
3.
4.
L2-2
L2-3
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Wiring Plan document.
Branch Office Network Wiring Plan
Document Reference Number: CW200210/1
Document Author
Date
Charlotte Weiss
20th Feb
Requirements Overview
Provide a wiring plan for the branch offices.
Additional Information
Quite high bandwidths are expected.
High levels of electromagnetic interference (EMI) are expected in some areas of the branches.
Cost is a limiting factor.
The solution, so far as is possible, should be future-proofed.
Proposals
1. What sort of cable would be suitable here, bearing in mind the information supplied and the plan
you outlined for network components earlier?
Answer: Switches were indicated earlier, which means coax is not feasible. Twisted-pair and fiber
cabling is indicated.
2. How will you address the issue of high levels of EMI?
Answer: Where required, install shielded twisted pair. Areas where this is not sufficient; use fiber.
3. What cable standards do you propose?
Answer: For copper, Category (Cat) 5e or higher. Cat 6 supports 10 gigabits per second (Gpbs)
Ethernet and better future-proofs the solution. For fiber, multimode fiber is cheaper and should
address the bandwidth requirements.
L2-4
L3-1
Task 2: Update the proposal document with your planned course of action
Charlotte Weiss
10th March
Requirements Overview
To design an IPv4 addressing scheme for the Contoso, Ltd R & D branch offices.
Additional Information
One router connects the three branches back to the head office.
There are three wide area network (WAN) links.
There are three branches, each of which can be configured as a single subnet.
The network address 172.16.0.0/16 is allocated to the branch offices, while the head office uses
10.10.0.0/16.
Proposals
1. How many network addresses do you need to support these requirements?
Answer: Six.
2. What class address is 172.16.0.0/16?
Answer: Class B.
3. Is this a private or public address?
Answer: Private.
4. Ed has allocated the first block of addresses to the first branch: 172.16.16.0/20. What is the next
logical subnet using this initial subnet?
Answer: 172.16.32.0/20. The next is 172.16.48.0/20.
5. What is the first and last host in this subnet?
Answer: The first host is one binary digit higher than the subnet ID while the last host is two
binary digits lower than the next subnet ID. Thus, the first host is 172.16.16.1/20 and the last is
172.16.31.254.
6. What would the subnet mask be for hosts in this subnet?
Answer: 255.255.240.0.
7. Update the Contoso Branch IP Addressing.vsd diagram to show the network addresses you will
implement in the branches; do not worry about the WAN links.
Answer: See the illustration on the next page.
L3-2
Results: After this exercise, you should have completed both the Contoso Branch IP Addressing.vsd
diagram and the Branch Office IP Addressing Scheme document.
10.
11.
12.
13.
15.
16.
17.
18.
L3-3
L3-4
4.
At the command prompt, type the following command and press ENTER:
Ipconfig /renew
Note: This might take a few minutes as the client computer attempts contact the original DHCP server,
and then any other DHCP server.
5.
At the command prompt, type the following command and press ENTER:
Ipconfig
At the command prompt, type the following command and press ENTER:
Ping nyc-dc1.contoso.com
Switch to NYC-CL1 and at the command prompt, type the following command and press ENTER:
Ipconfig /renew
At the command prompt, type the following command and press ENTER:
Ping nyc-dc1.contoso.com
L3-5
Results: After this exercise, you should have successfully verified the functionality of the DHCP server
in the head office.
Switch to NYC-DC1.
Click Start, point to Administrative Tools, and then click DNS.
In DNS Manager, expand Forward Lookup Zones, and then click on Contoso.com.
Question: What is the current IP address listed against the NYC-CL1 Host (A) record?
Answer: 10.10.0.150
7.
8.
9.
IP address: 10.10.0.51
Subnet mask: 255.255.0.0
Default gateway: 10.10.0.1
Preferred DNS server: 10.10.0.10
Switch to NYC-CL1 and at the command prompt, type the following command and press ENTER:
Ipconfig /displaydns
At the command prompt, type the following command and press ENTER:
Ping www.contoso.com
L3-6
Switch to NYC-DC1.
In DNS Manager, right-click Contoso.com and then click New Alias (CNAME).
In the New Resource Record dialog box, in the Alias name (uses parent domain if left blank) box,
type www.
In the Fully qualified domain name (FQDN) for target host box, type
nyc-dc1.contoso.com and then click OK.
Switch to NYC-CL1.
At the command prompt, type the following command and press ENTER:
Ping www.contoso.com
At the command prompt, type the following command and press ENTER:
Ipconfig /flushdns
4.
At the command prompt, type the following command and press ENTER:
Ping www.contoso.com
At the command prompt, type the following command and press ENTER:
Ipconfig /displaydns
On NYC-CL1, at the command prompt, type the following command and press ENTER:
Ipconfig /all
L3-7
L3-8
L4-1
On NYC-SVR3, click Start, point to Administrative Tools and then click Computer Management.
Under Computer Management, expand Storage, and then click Disk Management.
Right-click on the end of Disk 0 (in the black area) and choose New Simple Volume. Click Next.
Change Simple volume size in MB to 100. Click Next.
Choose Do not assign a drive letter or drive path. Click Next.
On the Format Partition page, click Next.
Click Finish.
2.
3.
4.
5.
6.
On NYC-SVR3, in Computer Management, right-click on the New Volume partition at the end of
Disk 0 and choose Change Drive Letter and Paths.
Click Add.
Change Assign the following drive letter to J: and then click OK.
Close the Computer Management console.
2.
3.
4.
Results: After this exercise, you should have a J: drive which is 100 MB in size.
On NYC-SVR3, click Start, and then type cmd. When cmd appears under Programs, right click it and
choose Run as administrator.
In the Command console, type diskpart and then press ENTER.
Type select disk 1 and then press ENTER.
Type online disk and then press ENTER.
Type attributes disk clear readonly and press ENTER.
Type convert dynamic and then press ENTER.
Type select disk 2 and then press ENTER.
Type online disk and then press ENTER.
Type attributes disk clear readonly and press ENTER.
Type convert dynamic and then press ENTER.
Type select disk 3 and then press ENTER.
Type online disk and then press ENTER.
Type attributes disk clear readonly and press ENTER.
Type convert dynamic and then press ENTER.
On NYC-SVR3, in the Command console, at the DISKPART prompt, type create volume raid
size=100 disk=1,2,3, and then press ENTER.
L4-2
On NYC-SVR3, in the Command console, at the DISKPART prompt, type select volume 4, and then
press ENTER.
Type format fs=ntfs label=r5r quick and then press ENTER.
Close the Command prompt.
2.
3.
Results: After this exercise, you should have configured a RAID 5 array in Diskpart with the label
R5R.
On NYC-SVR3, click Start, point to Administrative Tools, and then click Microsoft iSCSI Software
Target.
In the tree pane of the iSCSITarget [Microsoft iSCSI Software Target] console, right-click iSCSI
Targets, and then click Create iSCSI Target.
On the Welcome to the Create iSCSI Target Wizard page, click Next.
In the iSCSI target name box of the iSCSI Target Identification page, type LUN-01, and then click
Next.
On the iSCSI Initiators Identifiers page, click Advanced.
In the Advanced Identifiers dialog box, click Add.
In the Identifier Type box of the Add/Edit Identifier dialog box, click IP Address, in the Value box,
type 10.10.0.20, and then click OK.
In the Advanced Identifiers dialog box, click OK.
On the iSCSI Initiators Identifiers page, ensure that the IQN Identifier box displays the text, Click
Advanced button to view alternate identifiers, and then click Next.
On the Completing the Create iSCSI Target Wizard page, click Finish.
In the tree pane of the iSCSITarget [Microsoft iSCSI Software Target] console, under iSCSI Targets,
right-click Devices, and then click Create Virtual Disk.
On the Welcome to the Create Virtual Disk Wizard page, click Next.
In the File box of the File page, type C:\Disks\Disk-01.vhd, and then click Next.
In Size of virtual disk (MB) box of the Size page, type 8000, and then click Next.
On the Description page, click Next.
On the Access page, click Add.
In the Add Target dialog box, in the Target Name list, click LUN-01, and then click OK.
On the Access page, click Next.
On the Completing the Create Virtual Disk Wizard page, click Finish.
In the tree pane of the iSCSITarget [Microsoft iSCSI Software Target] console, under iSCSI Targets,
right-click Devices, and then click Create Virtual Disk.
2.
L4-3
On the Welcome to the Create Virtual Disk Wizard page of the Create Virtual Disk Wizard, click
Next.
In the File box of the File page, type C:\Disks\Disk-02.vhd, and then click Next.
In Size of virtual disk (MB) box of the Size page, type 20000, and then click Next.
On the Description page, click Next.
On the Access page, click Add.
In the Add Target dialog box, in the Target Name list, click LUN-01, and then click OK.
On the Access page, click Next.
On the Completing the Create Virtual Disk Wizard page, click Finish.
3.
4.
5.
6.
7.
8.
9.
On NYC-SVR2, on the Start menu, point to Administrative Tools, and then click iSCSI Initiator.
Click Yes.
On the Targets tab of the iSCSI Initiator Properties dialog box, in the Target box, type 10.10.0.30,
and then click Quick Connect.
In the Quick Connect dialog box, ensure that the status of
iqn.1991-05.com.microsoft:NYC-SVR3-lun-01-target is Connected, and then click Done.
On the Volumes and Devices tab, click Auto Configure. Verify that two volumes are added to the
Volume List.
In the iSCSI Initiator Properties dialog box, click OK.
2.
3.
4.
5.
On NYC-SVR2, click Start, point to Administrative Tools, and then click Server Manager.
In the tree pane of the Server Manager console, expand Storage, and then click Disk Management.
Right-click Disk 2, and then click Online.
Right-click Disk 3, and then click Online.
Right-click Disk 2, and then click Initialize Disk. Verify that both Disk 2 and Disk 3 are selected, and
then click OK.
In the Disk Management result pane, right-click the Unallocated area on Disk 2, and then click New
Simple Volume.
On the Welcome to the New Simple Volume Wizard page of the New Simple Volume Wizard, click
Next.
On the Specify Volume Size page, click Next.
On the Assign Drive Letter or Path page, next to Assign the following drive letter, click Q, and
then click Next.
On the Format Partition page, in the Volume label box, type Data1, and then click Next.
On the Completing the New Simple Volume Wizard page, click Finish.
In the Disk Management result pane, right-click the Unallocated area on Disk 3, and then click New
Simple Volume.
On the Welcome to the New Simple Volume Wizard page of the New Simple Volume Wizard, click
Next.
On the Specify Volume Size page, click Next.
On the Assign Drive Letter or Path page, next to Assign the following drive letter, click M, and
then click Next.
On the Format Partition page, in the Volume label box, type Data2, and then click Next.
On the Completing the New Simple Volume Wizard page, click Finish.
Close Server Manager.
Results: After this exercise, you should have implemented a Windows iSCSI target.
L4-4
L5-1
Read the contents of the e-mail message presented in the Lab scenario.
Attach the Windows Server 2008 R2 Installation DVD to NYC-SVR1 using these steps:
a.
b.
c.
d.
e.
Switch to Hyper-V Manager, right click on 6420B-NYC-SVR1 and then click Settings.
In the Settings for 6420B-NYC-SVR1 dialog box, click DVD-Drive in the Hardware Pane.
In the DVD-Drive pane, select Image file, and then click Browse.
Navigate to C:\Program Files\Microsoft Learning\6420\Drives, click
WServer2008R2_Eval.iso, and then click Open.
In the Settings for 6420B-NYC-SVR1 dialog box, click OK.
2.
Right-click 6420B-NYC-SVR1 and then click Connect. Click the Start button. The computer starts
and automatically begins the installation.
3. In the Install Windows dialog box, in the Language to install list, click English.
4. In the Time and currency format list, click English (United States).
5. In the Keyboard or input method list, click US and then click Next.
6. In the Install Windows dialog box, click Install now.
7. In the Operating system list, click Windows Server 2008 R2 Enterprise (Full Installation) and then
click Next.
8. On the Please read the license terms page, select the I accept the license terms check box, and
then click Next.
9. On the Which type of installation do you want? page, click Custom (advanced).
10. On the Where do you want to install Windows? page, click Next.
Note: Setup proceeds; setup copies files, expands files, installs features and updates, and completes
installation. This phase takes around twenty minutes. Your instructor might continue with other
activities during this phase.
11. At the The users password must be changed before logging on the first time prompt, click
OK.
12. In the New password box, type Pa$$w0rd.
13. In the Confirm password box, type Pa$$w0rd and then press ENTER.
14. At the Your password has been changed prompt, click OK.
Results: At the end of this exercise, you will have installed Windows Server 2008 using the instructions
provided.
L5-2
Use the Installation Configuration Tasks (ICT) to configure time zone settings as specified in the email.
a.
b.
c.
d.
2.
f.
g.
h.
i.
j.
3.
Use the ICT to configure automatic updating and feedback settings as specified in the e-mail.
a.
b.
4.
IP address: 10.10.0.100
Subnet mask: 255.255.0.0
Default gateway: 10.10.0.1
Use the ICT to configure computer name and domain settings as specified in the e-mail.
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
L5-3
Results: At the end of this exercise, you will have configured post-installation settings on a Windows
Server 2008 computer using the instructions provided.
Results: At the end of this exercise, you will have configured service startup settings using the Services
Applet.
Results: At the end of this exercise, you will have updated a device driver using Device Manager.
L5-4
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
Results: At the end of this exercise, you will have performed a rollback on a device driver using Device
Manager.
Important: Start the 6420B-NYC-DC1 virtual machine first, and ensure that it is fully started before
starting the other virtual machines.
L6-1
Read the supporting documentation to determine the server requirements of the branch offices.
Answer the questions in the Branch Office Server Deployment Recommendations document.
Complete the Deployment Proposals section of the document.
Branch Office Server Deployment Recommendations
Document Reference Number: CW040410/1
Document Author
Date
Charlotte Weiss
4th April
Requirements Overview
Deploy required server roles to the branch offices to ensure that the needs of the users are met.
Additional Information
None.
Proposals
1. How will you address the requirement that all computers can obtain an IPv4 configuration
automatically even if the link to the head office is down?
Answer: Deploy the Dynamic Host Configuration Protocol (DHCP) server role to each branch and
configure an appropriate scope for the branch.
2. How will you address the requirement that all users must be able to logon to the network even if
the link to the head office is down?
Answer: Deploy an Active Directory Domain Services (AD DS) domain controller to each
branch. Deploying a read-only domain controller (RODC) might be sensible especially where
physical security is an issue. AD DS domain controllers also require Domain Name System (DNS),
so the DNS server role must also be deployed to the branches.
3. How will you address the requirement that users need to be able to access shared files?
Answer: Deploy the File Services role.
4. How will you address the requirement that users need to be able to use shared printers?
Answer: Deploy the Print and Document Services role.
5. What kind of server best supports the needs of the database application?
Answer: An application server.
6. What roles support this kind of server?
Answer: The Application Server role provides the necessary components.
7. How will you address the requirement that the computers must obtain updates from a local
L6-2
Results: After this exercise, you should have completed the Branch Office Server Deployment
Recommendations document.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
DHCP Server
DNS Server
Note: It is necessary to add the AD DS role separately from the DNS role.
16. In the Add Roles Wizard, on the Before You Begin page, click Next and then on the Select Server
Roles page, in the Roles list, select the Active Directory Domain Services check box.
17. In the Add Roles Wizard dialog box, click Add Required Features.
18.
19.
20.
21.
L6-3
3.
4.
5.
6.
7.
8.
File Services
L6-4
Results: After this exercise, you should have deployed all required roles and features.
Lab: Implementing AD DS
L7-1
Lab: Implementing AD DS
Exercise 1: Promoting a New Domain Controller
Task: Add an additional domain controller
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
Results: After this exercise, you will have promoted a new domain controller.
2.
3.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
In Active Directory Users and Computers, in the Navigation pane, click Contoso.com.
Right-click Contoso.com, point to New, and then click Organizational Unit.
In the New Object Organizational Unit dialog box, in the Name box, type A Datum Merger
Team and then click OK.
Results: After this exercise, you will have created a new organizational list.
L7-2
Lab: Implementing AD DS
In Active Directory Users and Computers, right-click A Datum Merger Team, point to New and then
click User.
In the New Object User dialog box, in the First name box, type Christian.
In the Last name box, type Kemp.
In the User logon name box, type Christian and then click Next.
In the Password and Confirm password boxes, type Pa$$w0rd.
Clear the User must change password at next logon check box and then click Next.
Click Finish.
In Active Directory Users and Computers, right-click A Datum Merger Team, point to New and then
click User.
In the New Object User dialog box, in the First name box, type Tony.
In the Last name box, type Allen.
In the User logon name box, type Tony and then click Next.
In the Password and Confirm password boxes, type Pa$$w0rd.
Clear the User must change password at next logon check box and then click Next.
Click Finish.
In Active Directory Users and Computers, right-click A Datum Merger Team, point to New and then
click User.
In the New Object User dialog box, in the First name box, type Pia.
In the Last name box, type Lund.
In the User logon name box, type Pia and then click Next.
In the Password and Confirm password boxes, type Pa$$w0rd.
Clear the User must change password at next logon check box and then click Next.
Click Finish.
In Active Directory Users and Computers, right-click A Datum Merger Team, point to New and then
click User.
In the New Object User dialog box, in the First name box, type Soha.
In the Last name box, type Kamal.
In the User logon name box, type Soha and then click Next.
In the Password and Confirm password boxes, type Pa$$w0rd.
Clear the User must change password at next logon check box and then click Next.
Click Finish.
In Active Directory Users and Computers, right-click A Datum Merger Team, point to New and then
click User.
In the New Object User dialog box, in the First name box, type Oliver.
In the Last name box, type Cox.
In the User logon name box, type Oliver and then click Next.
In the Password and Confirm password boxes, type Pa$$w0rd.
Clear the User must change password at next logon check box and then click Next.
Click Finish.
In Active Directory Users and Computers, right-click A Datum Merger Team, point to New and then
click Group.
In the New Object Group dialog box, in the Group Name box, type Mergers and Acquisitions
and then click OK.
Lab: Implementing AD DS
3.
4.
L7-3
In Active Directory Users and Computers, right-click A Datum Merger Team, point to New and then
click Group.
In the New Object Group dialog box, in the Group Name box, type Merger Team Management
and then click OK.
In Active Directory Users and Computers, in the Results pane, click Christian Kemp.
Hold the CTRL key and then click Oliver Cox, Pia Lund, Soha Kamal, and Tony Allen.
Release the CTRL key, right-click Tony Allen, and then click Add to a group.
In the Select Groups dialog box, in the Enter the object names to select (examples) box, type
Mergers and Acquisitions.
5. Click Check Names and then click OK.
6. In the Active Directory Domain Services dialog box, click OK.
7. In the Results pane, double-click Tony Allen.
8. In the Tony Allen Properties dialog box, click the Member Of tab.
9. Click Add, and in the Select Groups dialog box, in the Enter the object names to select
(examples) box, type Merger Team Management.
10. Click Check Names and then click OK.
11. In the Tony Allen Properties dialog box, click OK.
In Active Directory Users and Computers, in the Navigation pane, click Computers.
In the Results pane, right-click NYC-CL1, and then click Move.
In the Move dialog box, in the Move object into container list, click A Datum Merger Team and
then click OK.
In Active Directory Users and Computers, in the Navigation pane, click
A Datum Merger Team.
In the Navigation pane, right-click on A Datum Merger Team and then click Delegate Control.
In the Delegation of Control Wizard, on the Welcome to the Delegation of Control Wizard page,
click Next.
On the Users or Groups page, click Add.
In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select
(examples): box, type Merger Team Management, click Check Names and then click OK.
On the Users or Groups page, click Next.
On the Tasks to Delegate page, select the Reset user passwords and force password change at
next logon check box and then click Next.
Click Finish.
Results: After this exercise, you will have created the necessary users accounts and groups, and
moved the users computer accounts into the OU.
Click Start, point to Administrative Tools, and then click Group Policy Management.
Expand Forest: Contoso.com, expand Domains, and then expand Contoso.com.
In the Navigation pane, right-click on Group Policy Objects, and then click New.
L7-4
Lab: Implementing AD DS
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
In the New GPO dialog box, in the Name box, type A Datum Merger Team GPO and then click OK.
Expand Group Policy Objects, right-click on A Datum Merger Team GPO, and then click Edit.
In the Group Policy Management Editor, expand User Configuration, expand Policies, expand
Windows Settings, and then click Scripts (Logon/Logoff).
In the Results pane, double-click Logon.
In the Logon Properties dialog box, click Add.
In the Add a Script dialog box, click Browse.
In the Browse dialog box, right-click in the No items match your search box, click New, and then
click Text Document.
Highlight the entire filename, including the file extension, and type logon.vbs and press ENTER.
In the Rename dialog box, click Yes.
Right-click logon.vbs and then click Edit.
In the Open File Security Warning dialog box, click Open.
In notepad, type msgbox Welcome to the A Datum Merger Team.
Click File and then click Save.
Close Notepad.
In the Browse dialog box, click Open.
In the Add a Script box, click OK.
In the Logon Properties dialog box, click OK.
Close the Group Policy Management Editor.
In Group Policy Management, in the Navigation pane, right-click A Datum Merger Team, and then
click Link an Existing GPO.
In the Select GPO dialog box, in the Group Policy objects list, click A Datum Merger Team GPO
and then click OK.
Password: Pa$$w0rd
Domain: Contoso
Lab: Implementing AD DS
6.
To connect to the virtual machine for the next modules lab, click
6420B-NYC-DC1, and then in the actions pane, click Connect.
Important: Start the 6420B-NYC-DC1 virtual machine first, and ensure that it is fully started before
starting the other virtual machines.
L7-5
L7-6
Lab: Implementing AD DS
L8-1
Read e-mail and the attached incident record with a view to determining the possible problem
causes.
Read the Contoso Network Security Policy Laptops document with a view to determine if you must
enforce any changes at the branch based on corporate policies.
Ed Meadows
10th May
10:50
Alan Brewer
OPEN
Incident Details
Call logged by Information Technology (IT) manager following enquiries at branch offices
concerning physical security problems raised by Research department manager, Alan Brewer.
Reported concerns:
1. Laptops are used by research staff and they often take these home.
2. In some branches there is no dedicated room for the servers.
3. External contract staff can connect their own computers to the research networks.
4. Staff use personal Universal Serial Bus (USB) storage devices on work computers.
Questions
1. What security policies apply to the branch office laptops as defined in the Contoso Network
Security Policy Laptops document?
Answer: All of the policies apply.
2. What security concerns do you have about the branch offices?
Answer: If users can take their laptops home, this raises several security issues. Firstly, the users
are connecting to unmanaged networks (at home or possibly elsewhere) and then reconnecting
to the corporate network. Secondly, the laptop computers are at risk of being lost or stolen.
3. How would you address the concerns you might have about the lack of dedicated server
computer rooms?
Answer: Place the servers in a location that is least likely to result in their accidental damage.
4. How would you address the concerns you might have about contractor computer use?
Answer: Implement NAP to ensure that only computers that meet the network health
requirements can connect.
L8-2
Results: After this exercise, you should have completed the incident record.
Under Security level for this zone, move the slider to High.
Select the Enable Protected Mode (requires restarting Internet Explorer) check box and then
click OK.
Close Internet Explorer.
4.
5.
6.
7.
8.
On the Contoso Intranet Home Page, click Tools, and then click Internet Options.
In the Internet Options dialog box, click the Security tab.
In the Select a zone to view or change security settings list, click Trusted sites.
Question: What is the current Security level for this zone?
Answer: Medium.
4.
5.
6.
Click Sites.
In the Trusted sites dialog box, clear the Require server verification (https:) for all sites in this
zone check box, click Add, and then click Close.
In the Internet Options dialog box, click OK.
2.
3.
4.
5.
L8-3
L8-4
Important: Start the 6420B-NYC-DC1 virtual machine first, and ensure that it is fully started before
starting the other virtual machines.
L9-1
Click Account Lockout Policy in the left hand pane of the Group Policy Management Editor window.
Double-click Account lockout threshold and type 3 into the Invalid logon attempts field.
In the Account lockout threshold Properties dialog box, click OK.
In the Suggested Value Changes window, click OK to accept the suggested values.
Close the Group Policy Management Editor window.
Close the Group Policy Management console.
Results: At the end of this exercise, you will have configured password and account lockout policy
settings.
On NYC-SVR3, click Start, click Computer, and then double-click Local Disk (C:).
On the toolbar, click New folder.
Type Research in the folder name field and press ENTER.
Double-click the Research folder.
On the toolbar, click New folder.
Type Classified in the folder name field and press ENTER.
On the toolbar, click New folder.
Type Projects in the folder name field and press ENTER.
Task 2: Assign appropriate NTFS file and folder permissions to the folder structure
1.
2.
3.
Click the Back button and then right-click the Research folder and click Properties.
In the Research Properties dialog box, click the Security tab, click Advanced.
In the Advanced Security Settings for Research dialog box, click the Change Permissions button.
L9-2
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
In the Advanced Security Settings for Research dialog box, uncheck the Include inheritable
permissions from this objects parent check box and click the Add button in the Windows
Security pop-up dialog box.
In the Advanced Security Settings for Research dialog box, click OK.
In the Advanced Security Settings for Research dialog box, click OK again.
In the Research Properties dialog box, on the Security tab, click Edit.
In the Permissions for Research dialog box, in the Group or user names box, click Users (NYCSVR3\Users) and then click the Remove button.
In the Permissions for Research dialog box, click Add.
In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select (examples) box, type Contoso\Research, click Check Names, and then click OK.
In the Group or user names box, click Research (Contoso\Research).
In the Permissions for Research dialog box, next to Full Control, select the Allow check box and
click OK.
In the Research Properties window, click OK.
Double-click the Research folder and then right-click the Classified folder and click Properties.
In the Classified Properties dialog box, on the Security tab, click Advanced.
In the Advanced Security Settings for Classified dialog box, click the Change Permissions button.
In the Advanced Security Settings for Classified dialog box, uncheck the Include inheritable
permissions from this objects parent check box and click the Add button in the Windows
Security pop-up dialog box.
Note: Clicking the Remove button here will remove all NTFS permissions for the folder, including
your permissions as Administrator. This will prohibit you from making any changes to the folder,
including assigning permissions.
18.
19.
20.
21.
22.
23.
24.
25.
26.
In the Advanced Security Settings for Classified dialog box, click OK.
In the Advanced Security Settings for Classified dialog box, click OK again.
In the Classified Properties dialog box, on the Security tab, click Edit.
In the Permissions for Classified dialog box, in the Group or user names box, click Research
Contoso\Research) and then click the Remove button.
In the Permissions for Classified dialog box, click Add.
In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select (examples) box, type Contoso\Max, click Check Names, and then click OK.
In the Group or user names box, click Max Stevens (Contoso\Max).
In the Permissions for Classified dialog box, next to Full Control, select the Allow check box and
click OK.
In the Classified Properties window, click OK.
Task 3: Share the C:\Research folder on the network and set appropriate shared folder
permissions
1.
2.
3.
4.
5.
Click the Back button, and then right-click the Research folder and click Properties.
In the Research Properties dialog box, click the Sharing tab, click Advanced Sharing.
Click the Share this folder check box, leave the Share name as Research, and then click the
Permissions button.
In the Permissions for Research dialog box, in the Group or user names box, click Everyone and
then click the Remove button.
In the Permissions for Research dialog box, click Add.
L9-3
6.
In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select (examples) box, type Contoso\Research, click Check Names, and then click OK.
7. In the Group or user names box, click Research (Contoso\Research).
8. In the Permissions for Research dialog box, next to Full Control, select the Allow check box, and
then click OK.
9. In the Advanced Sharing dialog box, click OK.
10. In the Research Properties dialog box, click Close.
11. Close Windows Explorer.
Results: At the end of this exercise, you will have assigned both NTFS file, folder and Shared folder
permissions.
On NYC-SVR3, click Start, click Computer, and then double-click Local Disk (C:).
In the right-hand pane, double-click on the Research folder.
In the right-hand pane, double-click on the Classified folder.
In the right-hand pane, right-click, point to New and then click Text Document.
Rename the New Text Document.txt file as Personal.txt.
In the left hand column, double click on Local Disk (C:) and then click on the Research folder.
In the right-hand column, right click the Classified folder and click Properties.
In the Classified Properties dialog box, click the Advanced button.
In the Advanced Attributes dialog box, check the Encrypt contents to secure data checkbox and
click OK.
10. In the Classified Properties dialog box, click OK.
11. In the Confirm Attribute Changes pop-up dialog box, ensure Apply changes to this folder,
subfolders and files is selected, then click OK.
12. Close Windows Explorer and then log off of NYC-SVR3.
L9-4
8.
9.
In the Confirm Attribute Changes pop-up dialog box, ensure Apply changes to this folder,
subfolders and files is selected, then click OK.
Close Windows Explorer.
Results: At the end of this exercise, you will have encrypted and decrypted files using EFS.
L10-1
L10-2
Ping nyc-cl1
Task 2: Configure the Dynamic Host Configuration Protocol (DHCP) Server role
1.
2.
On NYC-SVR2, click Start, point to Administrative Tools, and then click Network Policy Server.
In the navigation pane, expand Network Access Protection, expand System Health Validators,
expand Windows Security Health Validator, and then click Settings.
In the Results pane, double-click Default Configuration.
In the Windows Security Health Validator dialog box, clear all check boxes except An antivirus
application is on and then click OK.
Note: Configure only the settings for Windows 7/Windows Vista clients.
L10-3
In Network Policy Server, in the navigation pane, expand Policies and then click Network Policies.
In the Results pane, right click each of the two listed policies, and for each one, click Disable.
L10-4
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
Click Start, and in the Search box, type napclcfg.msc and then press ENTER.
In napclcfg [NAP Client Configuration (Local Computer)], in the navigation pane, click Enforcement
Clients.
In the Results pane, right-click DHCP Quarantine Enforcement Client and then click Enable.
Close napclcfg [NAP Client Configuration (Local Computer)].
Click Start, and in the Search box, type Services.msc and press ENTER.
In Services, in the Results pane, double-click Network Access Protection Agent.
In the Network Access Protection Agent Properties (Local Computer) dialog box, in the Startup
type list, click Automatic.
Click Start and then click OK.
Close Services.
Click Start, and in the Search box, type mmc, and then press ENTER.
On the File menu, click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, under Available snap-ins, click Group Policy Object
Editor, and then click Add.
In the Select Group Policy Object dialog box, click Finish, and then click OK.
In the console tree, expand Local Computer Policy, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, and then click Security Center.
Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
Close the console window. When prompted to save settings, click No.
Click Start, and in the Search box, type Network and in the Control Panel (28) list, click Network
and Sharing Center.
In Network and Sharing Center, in the left-pane, click Change adapter settings.
Right-click Local Area Connection and then click Properties.
In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4
(TCP/IPv4).
In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address
automatically.
Click Obtain DNS server address automatically and then click OK.
In the Local Area Connection Properties dialog box, click OK.
On NYC-CL1, click Start, and in the Search box, type cmd.exe and press ENTER.
At the command prompt, type the following command and press ENTER:
Ipconfig /release
3.
At the command prompt, type the following command and press ENTER:
Ipconfig /renew
4.
At the command prompt, type the following command and press ENTER:
Ipconfig /all
Results: After this exercise, you should have enabled NAP with DHCP enforcement.
L10-5
L10-6
L11-1
On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.
Expand Forest: Contoso.com, then expand Domains.
Expand Contoso.com.
Click Group Policy Objects.
Right-click Group Policy Objects and click New.
Name the new GPO WordPad Restriction Policy and click OK.
Right-click WordPad Restriction Policy and click Edit.
Expand Computer Configuration, then expand Policies, then expand Windows Settings, then
expand Security Settings, then expand Application Control Policies and then expand AppLocker.
Select Executable Rules, then right-click and select Create New Rule.
Click Next.
On the Permissions screen, select Deny, and then click Next.
On the Conditions screen, select Publisher, and then click Next.
Click Browse , and then click Computer.
Double click Local Disk (C:).
Double-click Program Files, then double click Windows NT, then double-click Accessories and then
select wordpad.exe and click Open.
Move the slider up to the File name: position and click Next.
Click Next again, then click Create.
Click Yes if prompted to create default rules.
In the Group Policy Editor, expand Computer Configuration, expand Windows Settings, and then
expand Security Settings.
Expand Application Control Policies.
Click AppLocker, and then right-click and select Properties.
On the Enforcement tab, under Executable rules, click the Configured checkbox and select Enforce
rules.
Click OK.
In the Group Policy Editor, expand Computer Configuration, expand Windows Settings, and then
expand Security Settings.
Click on System Services and then double-click on Application Identity.
In the Application Identity Properties dialog box, select the Define this policy setting check box.
Select Automatic under Select service startup mode and click OK.
Close Group Policy Management Editor.
L11-2
6.
7.
8.
9.
4.
5.
Note: The AppLocker policy should restrict you from running this application. If the application runs,
log off NYC-CL1 and log on again. It may take a few minutes for the policy setting to apply to NYCCL1 Once the policy setting has applied, the application will be restricted.
Results: After this exercise, you will have restricted an application by using AppLocker.
On NYC-DC1 click Start, click Administrative Tools and run the Security Configuration Wizard.
On the Welcome to the Security Configuration Wizard page, click Next.
On the Configuration Action page, select Create a new security policy, and then click Next.
On the Select Server page, accept the default server name, NYC-DC1, and click Next.
On the Processing Security Configuration Database page, you can optionally click View
Configuration Database and explore the configuration that was discovered on NYC-DC1.
Click Next.
On the Role-Based Service Configuration section introduction page, click Next.
On the Select Server Roles page, you can optionally explore the settings that were discovered on
NYC-DC1, but do not change any settings. Click Next.
On the Select Client Features page, you can optionally explore the settings that were discovered on
NYC-DC1, but do not change any settings. Click Next.
On the Select Administration and Other Options page, you can optionally explore the settings that
were discovered on NYC-DC1, but do not change any settings. Click Next.
On the Select Additional Services page, you can optionally explore the settings that were
discovered on NYC-DC1, but do not change any settings. Click Next.
On the Handling Unspecified Services page, do not change the default setting; do not change the
startup mode of the service. Click Next.
On the Confirm Service Changes page, in the View list, choose All services.
Examine the settings in the Current Startup Mode column, which reflect service startup modes on
NYC-DC1, and compare them to the settings in the Policy Startup Mode column.
In the View list, select Changed services.
Click Next.
L11-3
Click Yes.
Close the window after you have examined the policy.
In the Security Configuration Wizard, click Next.
On the Apply Security Policy page, accept the Apply later default setting, and then click Next.
Click Finish.
On NYC-DC1, click Start, in the Search programs and files box, type cmd, and then press ENTER.
Type cd c:\windows\security\msscw\policies and then press ENTER.
Type scwcmd transform /p:DC Security Policy.xml /g:DC Security Policy and then press
ENTER.
Close the Command Prompt window.
Click Start, click Administrative Tools, and then click Group Policy Management.
In the console tree expand Forest:Contoso.com, Domains, Contoso.com, and Group Policy
Objects, and then click DC Security Policy. This is the GPO created by the Scwcmd.exe command.
Click the Settings tab to examine the settings of the GPO.
Close the Group Policy Management console.
Results: After this exercise, you will have used the Security Configuration wizard to create a security
policy named DC Security Policy, and transformed the security policy to a Group Policy object named
DC Security Policy.
L11-4
4.
5.
6.
7.
8.
4.
Results: Your results should show several administrative vulnerabilities including the following:
Automatic Updates
Password Expiration
Incomplete Updates
Local Account Password Test
File System
Autologon
Guest Account
Restrict Anonymous
Administrators
Windows Firewall
Results: After this exercise, you will have used the MBSA to harden security settings.
5.
6.
In the Virtual Machines pane, click 6420B-NYC-DC1, and then in the Actions pane, click Start.
To connect to the virtual machine for the next modules lab, click
6420B-NYC-DC1, and then in the Actions pane, click Connect.
Important: Start the 6420B-NYC-DC1 virtual machine first, and ensure that it is fully started before
starting the other virtual machines.
L11-5
L11-6
L12-1
In Performance Monitor, in the Results pane, right-click NYC-SVR2 Performance, and then click
Start.
Click Start, and in the Search box, type cmd.exe and press ENTER.
At the command prompt, type the following command and press ENTER:
Fsutil file createnew bigfile 104857600
3.
At the command prompt, type the following command and press ENTER:
Copy bigfile \\nyc-dc1\c$
4.
At the command prompt, type the following command and press ENTER:
Copy \\nyc-dc1\c$\bigfile bigfile2
5.
At the command prompt, type the following command and press ENTER:
L12-2
Del bigfile*.*
6.
At the command prompt, type the following command and press ENTER:
Del \\nyc-dc1\c$\bigfile*.*
7.
At the command prompt, type the following command and press ENTER:
StressTool 95
Results: After this exercise, you should have introduced a load on your server.
L12-3
Note: If you receive an error at this point, or the values in your report are zero, repeat steps 4-9.
L12-4
L13-1
John Peoples
15th May
11:45
Daniel Roth
OPEN
Incident Details:
Call logged by information technology (IT) helpdesk. Branch users cannot access shared files on NYCSVR4.
1. File shares not accessible over the network.
2. Cannot connect to NYC-SVR4 with Remote Desktop Connection.
3. Cannot ping NYC-SVR4 IP address.
4. All other network resources in the branch location are functioning properly.
Preliminary Questions:
1. Where is the best place to troubleshoot this problem from?
Answer: If file shares, remote desktop and ping are unavailable, the troubleshooting process for this
problem will need to be done locally, in the physical location of the computer, or alternatively over
the phone with someone at the physical computer who can assist you with the troubleshooting
process.
2. What considerations should be made regarding NYC-SVR4 and the people and services that require
the services provided by NYC-SVR4?
Answer: If NYC-SVR4 performs critical services, a replacement or spare should be checked for
availability, should the troubleshooting process carry beyond the first one or two most probable
causes.
Assessment Questions:
1. What is the error message displayed on NYC-SVR4?
Answer: The Windows Boot Configuration Data file does not contain a valid OS entry.
2. What could the possible causes of this error message be?
Answer: The problem is a corrupt or damaged Boot Configuration Data (BCD) store. There is no
reference in the BCD to allow the Boot Manager to access the Windows 2008 Boot Loader.
3. What tool should you use to attempt to correct the problem causing the error message?
Answer: bcdedit.exe will allow you to view the status of the BCD store. In this case, there is no entry
for an operating system in the BCD store for NYC-SVR4. To correct this, run bootrec.exe with the
/scanos switch to find the operating system on the computer, and then run bootrec.exe with the
/rebuildbcd switch to create a new BCD store with a pointer to the boot loader for the found
operating system.
4. How can you access these tools?
Answer: By starting the computer using the Windows Server 2008 R2 Installation disc and choosing
the Repair your computer and Command Prompt options.
L13-2
2.
Answer the Preliminary Questions in the incident record (see Incident Record for answers).
In Hyper-V Manager, click 6420B-NYC-SVR4, and in the Actions pane, click Connect.
View the error message on the screen.
Answer the Assessment Questions in the Incident Record (see incident record for answers).
Task 3: Resolve the issue on NYC-SVR4 and complete the Incident Record
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
Switch to Hyper-V Manager, right click on 6420B-NYC-SVR4 and then click Settings.
In the Settings for 6420B-NYC-SVR4 dialog box, click DVD-Drive in the Hardware Pane.
In the DVD-Drive Pane, select Image file and then click Browse.
Navigate to C:\Program Files\Microsoft Learning\6420\Drives, click WServer2008R2_Eval.iso
and then click Open.
In the Settings for 6420B-NYC-SVR4 dialog box, click OK.
Switch to the NYC-SVR4 computer.
On the 6420B-NYC-SVR4 on localhost Virtual Machine Connection window toolbar, click Action
and then click Reset.
In the Reset Machine dialog box, click Reset.
When Press Any Key to boot from DVD or CD is displayed, press ENTER.
At the Install Windows dialog box, click Next.
In the Install Windows dialog box, click Repair your computer.
In the System Recovery Options dialog box, click Use recovery tools that can help fix problems
starting Windows. Click Next.
In the System Recovery Options dialog box, click Command Prompt.
At the command prompt, type the following and press ENTER:
bcdedit
15. Observe the lack of an operating system entry in the BCD Store.
16. At the command prompt, type the following and press ENTER:
bootrec /scanos
17. At the command prompt, type the following and press ENTER:
Bootrec /rebuildbcd
18.
19.
20.
21.
22.
23.
L13-3
At the Add installation to boot list prompt, press Y and then press ENTER.
Close the command prompt window.
In the System Recovery Options dialog box, click the Restart button.
Ensure that NYC-SVR4 boots properly to the logon screen.
Answer the Resolution Questions on the Incident Record (see Incident Record for answers).
Revert the NYC-SVR4 virtual machine.
Results: After this exercise, you should have used Windows tools to troubleshoot the startup process.
ASP.NET
Windows Authentication
Note: There are a number of other roles selected by default. Do not de-select any of these roles.
7.
8.
9.
10.
11.
12.
13.
14.
15.
Click Next.
Click Install.
When the installation is complete, click Close.
Close Server Manager.
Open Windows Explorer and browse to E:\Labfiles\WSUS\.
Double-click Reportviewer.exe.
In the Microsoft Report Viewer Redistributable 2008 SP1 Setup wizard, click Next.
On the License Terms page, click I have read and accept the license terms, and then click Install.
Click Finish.
L13-4
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
On the Installation Mode Selection page, ensure that Full Server installation including
Administration Console is selected, and then click Next.
On the License Agreement page, click I accept the terms of the License agreement, and then click
Next.
On the Select Update Source page, ensure that Store updates locally is selected and the path
shows C:\WSUS. Click Next.
On the Database Options page, ensure that Install Windows Internal Database on this computer
is selected, and that C:\WSUS is entered for the location of the database, and then click Next.
On the Web Site Selection page, click Next to use the existing IIS Default Web site.
On the Ready to Install Windows Server Update Services 3.0 SP2 page, click Next.
When the installation completes, click Finish.
In a few moments the Windows Server Update Services Configuration Wizard will appear.
Click Cancel.
Click Start, type CMD.exe and then press ENTER.
Type Net Stop MSSQL$Microsoft##SSEE, and then press ENTER.
In Windows Explorer, browse to E:\LabFiles\WSUS\Backup.
Click Organize, and then click Select All.
Click Organize, and then click Copy.
In the Address bar, click Computer.
Browse to C:\WSUS\.
Click Organize, and then click Paste.
In the Confirm Folder Replace dialog box, select the check box next to Do this for all current
items, and then click Yes.
In the Copy File dialog box, select the check box next to Do this for the next 1 conflicts, and then
click Copy and Replace.
When the file copy is complete, at the command prompt, type
Net Start MSSQL$Microsoft##SSEE, and then press ENTER.
Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the tree view, expand NYC-SVR2, and then click Application Pools.
Right-click WsusPool, and then click Recycle.
Close Internet Information Services (IIS) Manager.
At the command prompt, type: cd "C:\Program Files\Update Services\Tools", and then press ENTER.
Type wsusutil reset, and then press ENTER.
Close the command prompt.
Task 4: Use Group Policy to enable NYC-CL1 to obtain updates from the new WSUS
server
1.
2.
3.
4.
5.
6.
On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.
In the console pane, expand Forest: Contoso.com, expand Domains, and then click Contoso.com.
Right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.
In the New GPO dialog box, type WSUS in the Name field, and then click OK.
In the details pane, right-click WSUS, and then click Edit.
In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Administrative Templates, expand Windows Components, and then click Windows
Update.
7. In the details pane, double-click Configure Automatic Updates.
8. In the Configure Automatic Updates dialog box, click Enabled, and then click Next Setting.
9. On the Specify intranet Microsoft update service location dialog box, click Enabled.
10. In the Set the intranet update service for detecting updates field, type http://NYC-SVR2.
L13-5
11.
12.
13.
14.
In the Set the intranet statistics server field, type http://NYC-SVR2, and then click Next Setting.
On the Automatic Updates detection frequency dialog box, click Enabled, and then click OK.
Close Group Policy Management Editor, and then close Group Policy Management.
Start and log on to the 6420B-NYC-CL1 virtual machine as Contoso\Administrator with the
password Pa$$w0rd.
15. On NYC-CL1, open a command prompt and type, wuauclt /a /r and then press ENTER.
Task 5: Create a computer group, and add NYC-CL1 to the new group
1.
2.
3.
4.
5.
6.
7.
8.
Switch to the NYC-SVR2 computer and open the Windows Server Update Services console.
Expand NYC-SVR2, expand Computers, and then click All Computers.
In the Actions pane, click Add Computer Group.
In the Add Computer Group dialog box, type TestComputers, and then click Add.
In the console pane, expand All Computers, and then click Unassigned Computers.
In the details pane, in the Status list, click Any, and then click Refresh.
Right-click nyc-cl1.contoso.com, and then click Change Membership.
In the Set Computer Group Membership dialog box, select the TestComputers check box, and
then click OK.
In the console pane, expand Updates, and then click Security Updates.
In the details pane, in the Approval list, click Any Except Declined.
In the Status list, click Any, and then click Refresh.
Note: Notice all of the updates available.
4.
Scroll down, right-click Security Update for Windows 7 (KB981332), and then click Approve.
Note: Do not select the x64 versions of the updates specified.
5.
In the Approve Updates dialog box, click the arrow next to All Computers, click Approved for
Install, and then click OK.
6. On the Approval Progress page, when the process is complete, click Close.
7. In the console pane, click Critical Updates.
8. In the details pane, right-click Update for Windows 7 (KB976662), and then click Approve.
9. In the Approve Updates dialog box, click the arrow next to All Computers, point to Deadline, and
then click Custom.
10. In the Choose Deadline dialog box, in the Date field, type in yesterdays date, and then click OK
twice.
Note: Entering yesterdays date will cause the update to be installed as soon as the client computers
contact the server.
11. In the Approval Progress dialog box, click Close.
L13-6
2.
At the Command Prompt, type GPUpdate /force, and then press ENTER.
Note: Wait for the policy to finish updating.
3.
4.
5.
6.
7.
At the command prompt, type wuauclt /detectnow, and then press ENTER.
The Windows Update icon appears in the notification area and automatically installs the update.
Click Start, click All Programs, and then click Windows Update.
Click View update history.
Verify that Security Update for Windows 7 (KB976662) has been installed and Security Update for
Windows 7 (KB981332) is available to be installed.
Note: It may take several minutes for the Windows Update icon to appear.
Note: Due to the limitations of the lab environment, the KB957097 update is pre-loaded on the
WSUS server to demonstrate the update process.
8.
John Peoples
19th May
12:10
Daniel Roth
OPEN
L13-7
John Peoples
20th May
13:15
Daniel Roth
OPEN
Incident Details:
Call logged by IT helpdesk. Users report NYC-SVR2 is running slow, Performance Monitor logs are stored
in E:\Labfiles\Captures\6420B-NYC-SVR2-LAB13-EX3-PARTB.blg.
Resolution Questions:
1. What do the Performance Logs for NYC-SVR2 indicate could be the source of the problem?
Answer: The explorer.exe process is consuming disk resources
2. Keeping in mind your answer from question 1, what steps (using a troubleshooting methodology)
would you take to continue the troubleshooting process?
Answer: If explorer.exe is consuming disk processes, it may be in the middle of a lengthy disk write or
read; possibly copying or moving files. To troubleshoot further, you could view the Disk tab off of the
Resource Monitor to determine what specific files explorer was using. Then you could locate the
source of the file operations and determine if they are necessary and possibly if they could be carried
out during non-business hours.
Task 1: Examine the Performance Monitor logs for the first issue and answer the
resolution questions for Part A
1.
2.
3.
4.
5.
6.
7.
8.
On NYC-SVR2, click Start, point to Administrative Tools, and then click Performance Monitor.
In the Performance Monitor console, expand Monitoring Tools, and then click Performance
Monitor.
In details pane, click the View Log Data button (CTRL+L).
In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then
click Add.
In the Select Log File dialog box, browse to E:\Labfiles\Captures.
Click 6420B-NYC-SVR2-LAB13-EX3-PARTA.blg and then click Open.
In the Performance Monitor Properties dialog box, click OK.
In the Performance Monitor details pane, click Add (CTRL+I).
L13-8
9.
In the Add Counters dialog box, under Available counters, expand Processor, and then click %
Processor Time.
10. Under Instances of selected object, click 0, and then click Add.
11. In the Add Counters dialog box, under Available counters, expand System, click Processor Queue
Length, click Add, and then click OK.
12. At the bottom of the window, click % Processor Time to view the graph of the CPU usage on NYCSVR2 and notice that:
Task 2: Examine the Performance Monitor logs for the second issue and answer the
resolution questions for Part B
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
On NYC-SVR2, click Start, point to Administrative Tools, and then click Performance Monitor.
In the Performance Monitor console, expand Monitoring Tools, and then click Performance
Monitor.
In the details pane, click View Log Data (CTRL+L).
In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then
click Add.
In the Select Log File dialog box, browse to E:\Labfiles\Captures.
Click 6420B-NYC-SVR2-LAB14-EX3-PARTB.blg and then click Open.
In the Performance Monitor Properties dialog box, click OK.
In the Performance Monitor details pane, click Add (CTRL+I).
In the Add Counters dialog box, under Available counters, expand PhysicalDisk, and then click
Avg. Disk Queue Length.
Under Instances of selected object, click 0 C:, and then click Add.
Under Available counters, click Current Disk Queue Length.
Under Instances of selected object, click 0 C:, and then click Add.
Under Available counters, click Disk Transfers/sec.
Under Instances of selected object, click 0 C:, and then click Add.
Under Available counters, expand Process, and then click IO Data Bytes/sec.
Under Instances of selected object, click <All Instances>, click Add, and then click OK.
Review the IO Data Bytes/sec values for each process. It is useful to use the Highlight button
(CTRL+H) to view each instance. Identify the process that is consuming the disk transfer capacity.
See the Incident Record for answers to the questions.
Close Performance Monitor.
Results: At the end of this exercise you will have gathered information to start the troubleshooting
process.
L13-9
L13-10
L14-1
Ensure that your host computer is running and that you are logged on.
Ensure that no virtual machines are currently running.
6.
7.
5.
6.
7.
In Hyper-V Manager, in the Actions pane, click New, and then click Hard Disk.
On the Before You Begin page, click Next.
On the Choose Disk Type page, click Differencing, and then click Next.
On the Specify Name and Location page, in the Name field, type
NYC-Test1.vhd, and in the Location field, type c:\Program Files
\Microsoft Learning, and then click Next.
On the Configure Disk page, click Browse. Browse to C:\Program Files
\Microsoft Learning\base\drives, click WS08R2- SVR2.vhd, and then click Open.
On the Configure Disk page, click Next.
On the Completing the New Virtual Disk Wizard page, click Finish.
Results: After this exercise, you should have created the required virtual hard disks (VHDs).
L14-2
7.
8.
On the Connect Virtual Hard Disk page, click Use an existing virtual hard disk, click Browse, click
NYC-PROD1.vhd, click Open, and then click Next.
On the Completing the New Virtual Machine Wizard page, click Finish.
In Hyper-V Manager, in the Actions pane, click New, and then click Hard Disk.
On the Before You Begin page, click Next.
On the Choose Disk Type page, click Dynamically expanding, and then click Next.
On the Specify Name and Location page, in the Name field, type
NYC-PROD1-Data.vhd, and in the Location field, type C:\Program Files
\Microsoft Learning, and then click Next.
5. On the Configure Disk page, change the Size to 64 GB, click Next, and then click Finish.
6. In Hyper-V Manager, in the Virtual Machines pane, right-click NYC-PROD1, and then click Settings.
7. On the Settings for NYC-PROD1 page, click SCSI Controller, click Add, and then in the Hardware
list, click SCSI Controller.
8. On the SCSI Controller pane, click Hard Drive, and then click Add.
9. In the Media section, click Browse, select NYC-PROD1-Data.vhd, and then click Open.
10. Click Apply.
11. Click Memory, and then change the RAM to 2048.
12. Click Processor, change the Number of logical processors to 2, and then click OK.
Results: After this exercise, you should have modified the virtual machine settings.
In Hyper-V Manager, ensure that the NYC-TEST1 virtual machine is turned off.
Click NYC-TEST1. In the Actions pane, under NYC-TEST1, click Snapshot.
Click the snapshot that was created, and type PRE-Test Snapshot.
4.
5.
6.
L14-3
7.
8.
Right-click the virtual machine desktop, point to New, and click Text document. Type
Snapshot1.txt, and then press ENTER.
In Hyper-V Manager, click NYC-TEST1. In the Actions pane, under
NYC-TEST1, click Snapshot.
Click the snapshot, and then type Snapshot2.
Right-click the virtual machine desktop, point to New, and click Text document. Type
Snapshot2.txt, and then press ENTER.
In Hyper-V Manager, ensure that the NYC-TEST1 virtual machine is selected.
Under NYC-TEST1, click Revert. In the Revert Snapshot dialog box, click Revert.
On the virtual machine desktop, verify that the Snapshot2.txt is no longer on the desktop.
In the Snapshots pane, under Virtual Machines, right-click PRE-Test Snapshot, and then click Apply.
In the Apply Snapshot window, click Apply.
Verify that the virtual machine turns off. This is the state the virtual machine was in when you created
the snapshot.
In the Snapshots pane, under Virtual Machines, right-click Snapshot2, and then click Apply.
In the Apply Snapshot window, click Apply. Ensure that the NYC-TEST1 virtual machine is selected,
and then on the Actions pane, click Start.
On the virtual machine desktop, verify that the Snapshot1.txt is on the desktop.
On the Action menu, click Shut Down. In the Shut Down Machine dialog box, click Shut Down.
Results: After this exercise, you should have created snapshots and applied them to your virtual
machines.
L14-4