10159A TrainerHandbook


OFFICIAL MICROSOFT LEARNING PRODUCT

10159A
Updating Your Windows Server®
2008 Technology Specialist Skills
to Windows Server® 2008 R2

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.
ii Updating Your Windows Server® 2008 Technology Specialist Skills to Windows Server® 2008 R2

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering the subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement by Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
by Microsoft of the site or the products contained therein.
© 2009 Microsoft Corporation. All rights reserved.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries.
All other trademarks are property of their respective owners.

Product Number: 10159A
Part Number
Released: 02/2010
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER
EDITION – Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.

If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. “Academic Materials” means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.
b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
“MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.
d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.
e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. “Licensed Content” means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.
i. “Student Content” means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.
j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.
k. “Trainer Content” means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
m. “Virtual Machine” means a virtualized computing experience, created and accessed using
Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered “Trainer Content”.
n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (i) or (ii) above during such
Authorized Training Session in accordance with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
protective order or otherwise protect the information. Confidential information does not
include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first (“beta term”).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as
“Evaluation Software” may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:

• The use of the Academic Materials will be only for your personal reference or training use;
• You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
• You will include the Academic Material’s original copyright notice, or a copyright notice to
Microsoft’s benefit in the format provided below:
Form of Notice:
© 2009 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else’s use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft’s prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
• Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as “NFR” or “Not for Resale.”
10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as
“Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-
based services and support services that you use, are the entire agreement for the Licensed
Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.

Note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content is offered “as is.” Any use of this Licensed
Content is at your sole risk. Microsoft grants no other express warranty. You may have additional
rights under local consumer protection law, which this agreement cannot modify. Where permitted by
local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from
Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You may not claim
any compensation for other damages, including special, indirect or incidental damages and lost
profits.
This limitation applies to:
• anything related to the Licensed Content, services or content (including code) on third-party
Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages,
the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. This agreement does not change the rights granted to you by the laws of your
country if those laws do not permit it.

Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their
contribution towards developing this title. Their effort at various stages in the
development has ensured that you have a good classroom experience.

Manikandan Ambalavanan—Lead Content Developer


Manikandan is a Senior Instructional Designer at Sify Technologies Ltd. He has five
years of work experience in core instructional design and development. He has
designed and developed several application-based courses for Microsoft. He also
leads the instructional design team and ensures that the courses that are developed
for Microsoft are instructionally, editorially, and technically sound.

Sheeba Russel—Content Developer


Sheeba is an Instructional Designer at Sify Technologies Ltd. She has three years of
work experience in instructional design and development. She has designed and
developed several information technology–based courses for Microsoft.

Slavko Kukrika—Subject Matter Expert


Slavko is a Senior Consultant and Trainer at Avtenta.si. He has been certified as
MCTS in Windows Server 2008 Active Directory: Configuration; Windows Server
2008 Applications Infrastructure: Configuration; and Windows Server 2008
Network Infrastructure: Configuration. He works as a trainer and consultant, and
helps people learn, implement, and use Microsoft products.

Stan Reimer—Technical Reviewer


Stan Reimer is the President of S. R. Technical Services Inc. He works as an
enterprise consultant, trainer, and writer. Stan has designed and implemented
Exchange Server and Active Directory for many companies. Stan is the lead author
of many Microsoft Learning courses.

Contents
Module 1: Deploying and Managing Windows
Server 2008 R2
Lesson 1: Installing Windows Server 2008 R2 1-04
Lesson 2: Configuring Windows Deployment Services 1-21
Lesson 3: Migrating Server Roles, Features, and Settings to
Windows Server 2008 R2 1-37
Lab 1A: Deploying Windows Server 2008 R2 1-46
Lesson 4: Managing Windows Server 2008 R2 1-56
Lab 1B: Managing Windows Server 2008 R2 1-78
Module Reviews and Takeaways

Module 2: Configuring Active Directory in Windows Server 2008 R2
Lesson 1: Configuring Active Directory Domain Services Features 2-4
Lab 2A: Configuring Active Directory Domain Services Features 2-35
Lesson 2: Configuring Group Policy in Active Directory Domain Services 2-46
Lesson 3: Features of Other Active Directory Server Roles 2-77
Lab 2B: Configuring Group Policy in Active Directory
Domain Services 2-86
Module Reviews and Takeaways
Module 3: Configuring Server Virtualization by Using Hyper-V
Lesson 1: Configuring the Features of Windows Server 2008 R2 Hyper-V 3-4
Lesson 2: Configuring Live Migration in Hyper-V 3-21
Lesson 3: System Center Virtual Machine Manager R2 3-34
Lab: Configuring Server Virtualization by Using Hyper-V 3-52
Module Reviews and Takeaways

Module 4: Configuring Remote Desktop Services and Virtual Desktop Infrastructure in Windows Server 2008 R2
Lesson 1: Configuring Remote Desktop Services 4-4
Lesson 2: Configuring Remote Desktop Gateway 4-20
Lesson 3: Configuring Virtual Desktop Infrastructure 4-34
Lab: Configuring Remote Desktop Services and Virtual Desktop
Infrastructure in Windows Server 2008 R2 4-49
Module Reviews and Takeaways

Module 5: Deploying and Configuring Remote Access Services
Lesson 1: Overview of DirectAccess 5-4
Lesson 2: Deploying DirectAccess 5-17
Lesson 3: Configuring VPN Reconnect 5-37
Lab: Deploying and Configuring Remote Access Services 5-48
Module Reviews and Takeaways
Module 6: Configuring Windows Server 2008 R2 Features for Branch Offices
Lesson 1: Features for Optimizing Branch Office Network Access 6-4
Lesson 2: Configuring BranchCache 6-24
Lesson 3: Configuring Branch Office Security Features 6-37
Lab: Configuring Windows Server 2008 R2 Features for Branch Offices 6-59
Module Reviews and Takeaways

Module 7: Configuring and Managing Windows Server 2008 R2 Web Services
Lesson 1: Configuring and Managing IIS 7-4
Lesson 2: Configuring FTP 7-27
Lab: Configuring and Managing Windows Server 2008 R2 Web Services 7-41
Module Reviews and Takeaways

Module 8: Managing Windows Server 2008 R2 with Windows PowerShell 2.0
Lesson 1: Using Windows PowerShell 8-4
Lesson 2: Managing AD DS with Windows PowerShell 8-30
Lesson 3: Managing Server Roles with Windows PowerShell 8-46
Lab: Managing Windows Server 2008 R2 with Windows PowerShell 2.0 8-56
Module Reviews and Takeaways

Lab Answer Keys


Appendix
About This Course i

MCT USE ONLY. STUDENT USE PROHIBITED


About This Course
BETA COURSEWARE EXPIRES 2/08/2010

This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.

Course Description
This three-day instructor-led course provides knowledge on updating your
Windows Server 2008 Technology Specialist skills to Windows Server 2008 R2.

Audience
The audience for this course is IT professionals who are experienced with the
technologies included in Windows Server 2008 and who have a Windows Server
2008 Technology Specialist certification or equivalent knowledge. Students taking
this course are expected to have experience in hands-on deployment and
day-to-day management of Windows-based servers for enterprise organizations.

Student Prerequisites
The students should have experience in the core Windows Server 2008 technology
specialist skills:
• Installation and Automated Deployment
• Server and Client Configuration
• Monitoring and Management Tools
• Networking
• Active Directory Domain Services
• Security
• Group Policy
• Performance Monitoring
• Troubleshooting

Course Objectives
After completing this course, students will be able to:
• Deploy and manage Windows Server 2008 R2.
• Configure Active Directory in Windows Server 2008 R2.
• Configure server virtualization by using Hyper-V.
• Configure Remote Desktop Services and Virtual Desktop Infrastructure in
Windows Server 2008 R2.
• Deploy and configure Remote Access Services.
• Configure Windows Server 2008 R2 features for branch offices.
• Configure and manage Windows Server 2008 R2 Web services.
• Manage Windows Server 2008 R2 with Windows PowerShell 2.0.

Course Outline
This section provides an outline of the course:
Module 1, "Deploying and Managing Windows Server 2008 R2" explains how to
deploy and manage Windows Server 2008 R2. This module describes the steps to
install Windows Server 2008 R2. It also explains the methods to configure
Windows Deployment Services and the methods to migrate server roles, features,
and settings to Windows Server 2008 R2. It further explains the methods to
manage Windows Server 2008 R2.
Module 2, "Configuring Active Directory in Windows Server 2008 R2" explains
how to configure Active Directory in Windows Server 2008 R2. This module
explains the steps for configuring the features of Active Directory Domain Services
in Windows Server 2008 R2. It also explains the new Group Policy features in
Active Directory Domain Services in Windows Server 2008 R2. The module
describes the features of other Active Directory server roles in Windows Server
2008 R2.
Module 3, "Configuring Server Virtualization by Using Hyper-V" explains how to
configure server virtualization by using Hyper-V. The module explains the
features of Hyper-V. It also describes how to configure Live Migration in Hyper-V
and how to use System Center Virtual Machine Manager R2 effectively.
Module 4, "Configuring Remote Desktop Services and Virtual Desktop
Infrastructure in Windows Server 2008 R2" explains how to configure Remote
Desktop Services and Virtual Desktop Infrastructure. This module explains
Remote Desktop Services and its features. It also describes how to configure
Remote Desktop Services for remote computers and how to configure Virtual
Desktop Infrastructure.
Module 5, "Deploying and Configuring Remote Access Services" explains how to
deploy and configure Remote Access Services. The module explains DirectAccess.
It also explains the methods for deploying DirectAccess. It further describes how
to configure VPN Reconnect.
Module 6, "Configuring Windows Server 2008 R2 Features for Branch Offices"
explains how to configure Windows Server 2008 R2 features for the branch offices
of a business enterprise. This module discusses the features for optimizing
branch office network access. It also explains how to configure the branch office
security features.
Module 7, "Configuring and Managing Windows Server 2008 R2 Web Services"
explains how to configure and manage Internet Information Services (IIS) and FTP.
Module 8, "Managing Windows Server 2008 R2 with Windows PowerShell 2.0"
describes how to manage Windows Server 2008 R2 with Windows PowerShell 2.0.
It explains how to use Windows PowerShell 2.0 and how to manage Active
Directory Domain Services and server roles with Windows PowerShell.

Course Materials
The following materials are included with your kit:
• Course Handbook. A succinct classroom learning guide that provides all the
critical technical information in a crisp, tightly focused format, which is just
right for an effective in-class learning experience.
    • Lessons: Guide you through the learning objectives and provide the key
    points that are critical to the success of the in-class learning experience.
    • Labs: Provide a real-world, hands-on platform for you to apply the
    knowledge and skills learned in the module.
    • Lab Answer Keys: Provide step-by-step lab solution guidance at your
    fingertips when it is needed.
• Course CD. Provides additional resources pertaining to this course.
    • Resources: Include well-categorized additional resources that give you
    immediate access to the most up-to-date premium content on TechNet,
    MSDN®, and Microsoft Press®.
    • Lab Answer Keys: Include answer keys in digital form to use during lab time.
    • Virtual Machine Build Guide: Provides the step-by-step information needed
    to recreate the virtual machine/server images with the appropriate
    configuration.
    • Send Us Your Feedback Instructions: Provide you with an opportunity to
    send feedback on all aspects of the course.
    • Student Course Files: Include Allfiles.exe, a self-extracting executable file
    that contains all the files required for the labs and demonstrations.

Note To open the Web page, insert the Course CD into the CD-ROM drive, and then in the
root directory of the CD, double-click StartCD.exe.

• Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification
Program, send e-mail to mcphelp@microsoft.com.

Virtual Machine Environment
This section provides the information for setting up the classroom environment to
support the business scenario of the course.

Virtual Machine Configuration
In this course, you will use the Hyper-V environment to perform the labs.
The following table shows the role of each virtual machine used in this course:

Virtual machine      Role
10159A-LON-DC1       Windows Server 2008 R2 domain controller
10159A-LON-SVR1      Windows Server 2008 R2 member server
10159A-LON-SVR2      Windows Server 2008 R2 standalone server
10159A-LON-CORE      Windows Server 2008 R2 Server Core domain member
10159A-LON-CL1       Windows 7 domain member
10159A-LON-CL2       Windows 7 domain member
10159A-LON-WS08R2    This VM will be used for one of the demonstrations related to
                     installing the Windows Server 2008 R2 operating system.

Software Configuration
The following software is installed:
• iSCSI Target 3.2 on LON-SVR1
• Windows Automated Installation Kit (Windows AIK) on LON-SVR1

Course Files
There are files associated with the labs in this course. The lab files are located in
the folder <install_folder>\Labfiles\LabXX on the student computers.

Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way. The physical host computer is part of the contoso.com domain in which
LON-DC1 is a domain controller.

Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a
minimum equipment configuration for trainer and student computers in all
Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which
Official Microsoft Learning Product courseware is taught.
Module 1
Deploying and Managing Windows Server 2008
R2
Contents:
Lesson 1: Installing Windows Server 2008 R2 1-04
Lesson 2: Configuring Windows Deployment Services 1-21
Lesson 3: Migrating Server Roles, Features, and Settings to
Windows Server 2008 R2 1-37
Lab 1A: Deploying Windows Server 2008 R2 1-46
Lesson 4: Managing Windows Server 2008 R2 1-56
Lab 1B: Managing Windows Server 2008 R2 1-78
Module Overview

Microsoft Windows Server® 2008 R2 is built on the foundation of Windows Server
2008, expanding existing technology and adding new features. This enables
organizations to increase the reliability and flexibility of their server infrastructures.
Windows Server 2008 R2 includes new virtualization tools, Web resources,
management enhancements, and Windows® 7 integration. In addition, it provides
a platform for a dynamic and efficiently managed data center.
Windows Server 2008 R2 is available in multiple editions to support varying
server and workload needs. You can identify a suitable edition for your
organization by analyzing and comparing the editions based on their technical
specifications. Note that Windows Server 2008 R2 is available only for 64-bit
platforms.
To deploy Windows Server 2008 R2, you can use Windows Deployment Services
(WDS). WDS uses disk imaging, which helps automate the installation process.
In Windows Server 2008 R2, WDS supports multiple multicast streams, dynamic
driver provisioning, and virtual hard disk (VHD) deployment. Another feature in
Windows Server 2008 R2 is the Windows Server Migration Tools (WSMT), which
allow you to migrate server roles, features, operating system settings, shares, and
other data. The File Classification Infrastructure feature can considerably reduce
the time spent managing data on file servers.
In addition, Windows Server 2008 R2 provides enhancements in Windows
management, such as remote management with Server Manager, the Best Practices
Analyzer (BPA), and SConfig on Server Core.
After completing this module, you will be able to:
• Install Windows Server 2008 R2.
• Configure Windows Deployment Services.
• Migrate server roles, features, and settings to Windows Server 2008 R2.
• Manage Windows Server 2008 R2.
Lesson 1
Installing Windows Server 2008 R2

Windows Server 2008 R2 is designed to help organizations reduce operating costs
and power consumption, and increase efficiency and performance. It also helps
provide improved branch office capabilities, new remote access experiences,
streamlined server management, and an expanded Microsoft virtualization strategy
for both client and server computers. Windows Server 2008 R2 is available in
several editions—Windows Server 2008 R2 Foundation, Windows Server 2008 R2
Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2
Datacenter, Windows Web Server 2008 R2, and Windows Server 2008 R2 for
Itanium-based systems. Windows Server 2008 R2 is the first Windows operating
system that runs only on 64-bit processors and supports up to 256 logical
processor cores for a single operating system instance. Windows Server 2008 R2
includes enhancements in the Windows Server® 2008 Hyper-V® server role, which
is able to address up to 64 logical cores, and supports Live Migration. These
improvements not only guarantee performance and scalability for applications and
services, but also support new types of hardware, such as solid-state devices and
boot from storage area network (SAN) or VHD files.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the editions of Windows Server 2008 R2.
• Choose an appropriate edition of Windows Server 2008 R2.
• Describe the system requirements for Windows Server 2008 R2.
• Describe virtual hard disks with native boot.
• Use virtual hard disks with native boot.
• Describe Windows Server 2008 R2 installation.
• Install Windows Server 2008 R2.
Windows Server 2008 R2 Editions

Key Points
Windows Server 2008 R2 is available in six editions to support the varying server
and workload needs of organizations.
The following table lists the Windows Server 2008 R2 editions.

Edition                               Description
Windows Server 2008 R2 Foundation     A cost-effective advanced server platform that is
                                      targeted at small business owners and information
                                      technology (IT) generalists. Windows Server 2008 R2
                                      Foundation gives organizations the base to run the
                                      most common business applications and to share
                                      information and resources.

Windows Server 2008 R2 Standard       The most robust Windows Server operating system.
                                      With built-in Web and virtualization capabilities,
                                      it is designed to increase the reliability and
                                      flexibility of the server infrastructure. It helps
                                      protect organizational data and the network, save
                                      time, and reduce costs.

Windows Server 2008 R2 Enterprise     An advanced server platform that provides
                                      cost-effective and reliable support for critical
                                      workloads. It provides innovative features for
                                      virtualization, power saving, and manageability. It
                                      also helps mobile workers access company resources
                                      easily.

Windows Server 2008 R2 Datacenter     An enterprise-level platform for deploying
                                      business-critical applications and large-scale
                                      virtualization on small and large servers. It helps
                                      improve availability and power management, and
                                      facilitates integrated solutions for mobile and
                                      branch workers. It also helps reduce infrastructure
                                      costs by consolidating applications with unlimited
                                      virtual image use licensing rights. Windows Server
                                      2008 R2 Datacenter provides a foundation on which to
                                      build enterprise-class virtualization and advanced
                                      solutions.

Windows Web Server 2008 R2            A Web application and services platform. Windows
                                      Web Server 2008 R2 includes Internet Information
                                      Services (IIS) 7.5 and is designed as an
                                      Internet-facing server. It provides improved
                                      administration and diagnostic tools that help reduce
                                      infrastructure costs when used with other
                                      development platforms. Windows Web Server 2008 R2
                                      includes the Web Server and Domain Name System (DNS)
                                      Server roles, in addition to improved reliability
                                      and scalability that allows you to manage the most
                                      demanding environments—from a dedicated Web server
                                      to an entire Web server farm.

Windows Server 2008 R2 for            An enterprise-class platform for deploying
Itanium-based systems                 business-critical applications, scalable databases,
                                      line-of-business applications, and custom
                                      applications to meet growing business needs. It
                                      helps improve availability with failover clustering
                                      and dynamic hardware partitioning capabilities.

All Windows Server 2008 R2 editions, except Windows Server 2008 R2 Foundation
and Windows Server 2008 R2 for Itanium-based systems, are available as a Full
installation or a Server Core installation. Windows Server 2008 R2 Foundation and
Windows Server 2008 R2 for Itanium-based systems are available only as a Full
installation.
Discussion: Choosing an Appropriate Edition of Windows Server 2008 R2

Key Points
You can choose a Windows Server 2008 R2 edition based on the business
scenarios and requirements of your organization, such as total cost of ownership
(TCO), the need for high availability features such as failover clustering, and
support.
To choose between the Windows Server 2008 R2 editions, you need to identify
the edition that is most appropriate to your environment. You can do this by
analyzing and comparing the editions based on their technical specifications, as
listed in the following table.
Specification                      Web       Standard    Enterprise  Datacenter  Itanium    Foundation
X64 Sockets                        4         4           8           64          NA         1
IA64 Sockets                       NA        NA          NA          NA          64         NA
X64 RAM                            32 GB     32 GB       2 TB        2 TB        NA         8 GB
IA64 RAM                           NA        NA          NA          NA          2 TB       NA
Hot Add Memory                     NA        NA          Available   Available   Available  NA
Hot Replace Memory                 NA        NA          NA          Available   Available  NA
Hot Add Processors                 NA        NA          NA          Available   Available  NA
Hot Replace Processors             NA        NA          NA          Available   Available  NA
Failover Cluster Nodes (Nodes)     NA        NA          16          16          8          NA
Fault Tolerant Memory Sync         NA        NA          Available   Available   Available  NA
Cross-File Replication (DFS-R)     NA        NA          Available   Available   Available  NA
Network Access Connections (RRAS)  NA        250         Unlimited   Unlimited   NA         50
Network Access Connections (IAS)   NA        50          Unlimited   Unlimited   2          10
Remote Desktop Services Gateway    NA        250         Unlimited   Unlimited   NA         50
Virtual Image Use Rights           Guest     Host + 1 VM Host + 4 VM Unlimited   Unlimited  NA
Remote Desktop Admin Connections   NA        250         Unlimited   Unlimited   NA         50
System Requirements for Windows Server 2008 R2

Key Points
Windows Server 2008 R2 has system requirements similar to Windows Server
2008, but Windows Server 2008 R2 runs only on 64-bit processors. Although
Windows Server 2008 R2 can be installed on a computer with 512 megabytes
(MB) of RAM, the computer can use up to 8 gigabytes (GB) for Windows Server
2008 R2 Foundation, 32 GB for Windows Web Server 2008 R2 or Windows Server
2008 R2 Standard, and 2 TB for Windows Server 2008 R2 Enterprise or Windows
Server 2008 R2 Datacenter. System requirements vary between Full installation
and Server Core installation.
Windows Server 2008 R2 upgrade is possible from previous 64-bit server
operating systems such as Windows Server 2003 R2, Windows Server 2008 SP2,
and Windows Server 2008. It does not support upgrades from older operating
systems and cross-architecture—32-bit to 64-bit; cross-language—German to
English; and cross-edition—Windows Server 2008 Enterprise to Windows Server
2008 R2 Standard. It also does not support upgrade from Itanium-based systems.
Windows Server 2008 R2 expands CPU support to run up to 256 logical
processors in a single server. Hyper-V in Windows Server 2008 R2 can access up to
64 logical CPUs on host computers. This can help in increasing virtual machine
consolidation ratios per physical host. In addition, Hyper-V supports the latest
CPU technologies and advanced storage technologies, including SAN management
and solid state devices.
The following table displays the system requirements for Windows Server 2008
R2.

Component                      Requirement
Processor                      • Minimum: 1.4 GHz (x64 processor) or faster (limited to
                                 1 processor for Foundation)
Memory                         • Minimum: 512 MB of RAM
                               • Maximum: 8 GB (Foundation), 32 GB (Standard, Web Server),
                                 or 2 TB (Enterprise, Datacenter, and Itanium-based systems)
Disk Space Requirements        • Minimum: 32 GB or more
Display and other Peripherals  • DVD Drive
                               • Super-VGA (800 × 600) or higher-resolution monitor
                               • Keyboard and Microsoft® mouse or compatible pointing device
                               • Internet access (fees may apply)

Question: You have Windows Server 2008 running on a 32-bit server with 4 GB of
RAM. Can you upgrade this server to Windows Server 2008 R2 Standard edition?
Virtual Hard Disks with Native Boot

Key Points
The VHD file format is a publicly available format specification that encapsulates
a hard disk in a single file. A VHD can host native file systems and supports
standard disk operations. It can be used to run an operating system without any
other parent operating system, virtual machine, or Hyper-V.
Windows Server 2008 R2 simplifies image management by adding support for
virtual disks in the disk management tools. The Disk Management console can
help you create either a new VHD file with a fixed size or a dynamically expanding
VHD, which is not initialized. After creating the VHD file, you need to attach it to
the computer to make it functional. You can do this by using the Attach VHD
option. You can now create a partition and format an NTFS file system in the VHD,
considering it similar to any other hard disk. You can apply a Windows image to
the VHD and start the computer from the VHD.
The same VHD operations can also be performed by using the diskpart.exe
command. DiskPart accepts a script to automate the steps to create and format a
VHD. When you attach a VHD, the Windows operating system automatically
recognizes the volume and provides an option to explore its contents.
With Windows Server 2008 R2, Hyper-V now uses the new native support for
VHD in the core operating system. Native boot allows VHD to be run on a
computer without a virtual machine or Hyper-V.

Requirements
Native VHD boot has the following dependencies:
• The local disk has a system partition that contains the Windows Server 2008
R2 or Windows 7 boot-environment files and Boot Configuration Data (BCD)
store. A VHD file can be stored on the system or other partition.
• The local disk partition that contains the VHD file has enough free disk space
for expanding a dynamic VHD to its maximum size and for the page file that is
created when booting the VHD.

Benefits
The following are the benefits of native boot capabilities for VHDs:
• A single physical computer can have multiple instances of the operating
system to boot at any time without requiring separate disk partitions. Multiple
boot support is available in earlier versions of Windows operating systems;
however, each installed operating system required a separate disk partition.
• Native boot supports all three types of VHD files—fixed, dynamic, and
differencing disks.
• A differencing VHD file provides a suitable way of initializing a test
environment, performing tests, and reverting to a baseline state after testing is
complete. When the testing is complete, you can revert to the original state in
the parent VHD by discarding the differencing file and creating a new one.
• You can configure a computer for different roles.
• Servers can have multiple application workloads in separate VHD files
available and switch between workloads. The flexibility of multiple boots by
using VHD files helps to keep a previous Windows image available as a
fallback in the event of a problem with a new image.

Question: How can you access content in a VHD file?


Demonstration: How To Use Virtual Hard Disk with Native Boot

Key Points
1. On LON-SVR1, run the following code to select and attach the virtual hard
disk d:\win7.vhd in DiskPart and assign it the drive letter V.
2. Open Windows Explorer and verify that the new drive VHD (F:) contains the
same folder structure as a Windows installation.
3. Run the following code to copy the boot environment files and Boot
Configuration Data from the \Windows directory to the system partition.
4. On LON-SVR1, run the following code to copy the existing Windows Server
2008 R2 boot entry.
5. Run the following code to modify the Windows Server 2008 R2 boot entry to
point to the native boot VHD file.
6. Restart LON-SVR1 and start it from the native boot virtual hard disk.
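The following script is an added example; it is not part of the course or its lab files. It automates steps 1 through 5 of this demonstration on LON-SVR1 and also applies the two requirements listed under Virtual Hard Disks with Native Boot: it checks that the volume holding the VHD has room for a dynamic VHD to reach its maximum size plus a page file, then creates and attaches the VHD with a DiskPart script, applies an image from install.wim with ImageX (from the Windows AIK installed on LON-SVR1), copies the boot files with BCDBoot, and copies and re-points a BCD entry. The paths D:\win7.vhd and E:\sources\install.wim, the image index, the VHD maximum size, the page file estimate, and drive letter V are assumptions (taken from the demonstration or chosen here).

```powershell
# Added example, not course code. Run in an elevated PowerShell 2.0 session on a
# Windows Server 2008 R2 host. diskpart, bcdboot and bcdedit are in-box; imagex.exe
# comes from the Windows Automated Installation Kit (Windows AIK).
$VhdPath    = 'D:\win7.vhd'             # assumed, as in the demonstration
$VhdMaxMB   = 40000                     # assumed maximum size of the dynamic VHD
$WimPath    = 'E:\sources\install.wim'  # assumed: mounted Windows Server 2008 R2 DVD
$ImageIndex = 1                         # assumed edition index inside install.wim
$VhdLetter  = 'V'                       # drive letter used in the demonstration
$BootDesc   = 'Windows Server 2008 R2 (native VHD boot)'

$vhdVolume = Split-Path $VhdPath -Qualifier     # "D:"
$vhdRel    = Split-Path $VhdPath -NoQualifier   # "\win7.vhd"

function Test-NativeBootSpace {
    # Requirement from the lesson: the volume holding the VHD needs room for the
    # dynamic VHD to expand to its maximum size plus the page file the booted OS
    # creates. The page file is approximated here as the host's physical RAM (assumption).
    param([string]$Volume, [int]$MaxMB)
    $disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Volume'"
    $ram    = (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory
    $needMB = $MaxMB + [int]($ram / 1MB)
    $freeMB = [int]($disk.FreeSpace / 1MB)
    if ($freeMB -lt $needMB) {
        throw "$Volume has $freeMB MB free; native boot needs about $needMB MB."
    }
    return $freeMB
}

function Invoke-DiskPartScript([string]$Script) {
    # DiskPart runs a script from a file (diskpart /s); write it as ASCII text.
    $file = [IO.Path]::GetTempFileName()
    Set-Content -Path $file -Value $Script -Encoding ASCII
    diskpart.exe /s $file | Out-Null
    $rc = $LASTEXITCODE
    Remove-Item $file
    if ($rc -ne 0) { throw "diskpart failed with exit code $rc" }
}

Test-NativeBootSpace -Volume $vhdVolume -MaxMB $VhdMaxMB | Out-Null

# Step 1: create, attach, partition and format the VHD and assign it drive letter V.
Invoke-DiskPartScript @"
create vdisk file=$VhdPath maximum=$VhdMaxMB type=expandable
select vdisk file=$VhdPath
attach vdisk
create partition primary
format fs=ntfs quick label=VHD
assign letter=$VhdLetter
"@

# Step 2: apply the Windows image to the VHD, then confirm the \Windows tree exists.
& imagex.exe /apply $WimPath $ImageIndex "$($VhdLetter):\" | Out-Null
if (-not (Test-Path "$($VhdLetter):\Windows\System32\ntoskrnl.exe")) {
    throw "install.wim index $ImageIndex was not applied to $($VhdLetter):"
}

# Step 3: copy the boot environment files and BCD settings to the system partition.
& bcdboot.exe "$($VhdLetter):\Windows" /s $env:SystemDrive

# Step 4: copy the existing Windows Server 2008 R2 boot entry and capture its GUID.
$copyOutput = (& bcdedit.exe /copy '{current}' /d $BootDesc) | Out-String
$guid = [regex]::Match($copyOutput, '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw "bcdedit /copy did not return an entry GUID: $copyOutput" }

# Step 5: point the copied entry at the VHD. The [D:] prefix names the volume that
# holds the file; the boot loader attaches the VHD itself at startup.
$vhdRef = "vhd=[$vhdVolume]$vhdRel"
& bcdedit.exe /set $guid device   $vhdRef
& bcdedit.exe /set $guid osdevice $vhdRef
& bcdedit.exe /set $guid detecthal on

# Detach the VHD and show the new entry; step 6 is then a restart from that entry.
Invoke-DiskPartScript "select vdisk file=$VhdPath`ndetach vdisk"
& bcdedit.exe /enum $guid
```

Review the entry that bcdedit /enum prints before restarting (step 6). To undo the change later, delete the entry with bcdedit /delete and the same GUID; the VHD file can then be removed like any other file.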

Question: What is the difference between booting a virtual machine in Hyper-V
and booting an operating system using native VHD boot?


Windows Server 2008 R2 Installation

Key Points
The installation process of Windows Server 2008 R2 has not changed considerably
from that of Windows Server 2008. Before you begin the installation process, you
need to answer a minimal number of questions; thereafter, the installation process
continues without user interaction. Several settings, such as computer name or
network settings, will be set to default values; so when you first log on, you should
configure the settings. You also need to change the Administrator password. The
Initial Configuration Tasks window will open each time you log on and you will be
prompted to change the initial settings.
Windows installation depends on imaging technology. The Sources subfolder on
the Windows Server 2008 R2 DVD contains two image files—boot.wim and
Install.wim.
Boot.wim is a file-based disk image that contains a bootable version of Windows
Preinstallation Environment (Windows PE), from which the installation is
performed. The Install.wim file contains Windows Server 2008 R2 files, which are
hardware independent and can be deployed to different hardware configurations.
The .wim file supports compression and single-instance storage, which allows
multiple images to be stored in one .wim file while considerably reducing disk
space and eliminating data duplication. For example, multiple Windows Server
2008 R2 editions can be stored on and deployed from the same DVD.
You can also provide additional settings during installation, if necessary, by
creating an unattended XML file and incorporating it into the installation process.
This can be very helpful for configuring Server Core. You can create the
unattended file by using the Windows System Image Manager (SIM) tool, which is
a part of the Windows Automated Installation Kit (Windows AIK).
As Windows Server 2008 R2 is a modular operating system, you can install only
the features you need. When you install the operating system, all modules are
automatically copied to the hard disk drive and many features remain inactive until
you add them. You do not need the installation DVD to add features after you
install the operating system.
In Windows Server 2008 R2, you must activate your computer after you install
Windows Server 2008 R2, to use it legally. You can install Windows Server 2008
R2 and evaluate it for 60 days. If you require more time for evaluation, you can
reset and extend the evaluation period by up to 180 days for a total evaluation
period of 240 days.

Question: Is it possible to identify which Windows Server 2008 R2 editions are
contained inside the install.wim file before starting the installation?
Demonstration: How To Install Windows Server 2008 R2
Key points
1. Add the Windows Server 2008 R2 DVD to LON-WS08R2 and boot the virtual
machine from the DVD to install the Windows Server 2008 R2 Enterprise edition.
2. On LON-SVR1, mount the Windows Server 2008 R2 DVD, browse to
E:\sources, and verify that the sources folder contains the Boot.wim and
Install.wim files.
4. Open the Windows System Image Manager tool and verify that it contains
the same options as Windows Server 2008 R2.

Question: Before starting the installation, is it possible to view the versions of the
Windows Server 2008 R2 editions that are inside the install.wim file?
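An added example, not course code, for the two questions above and for step 2 of the demonstration: it checks that the Sources folder on the mounted DVD contains Boot.wim and Install.wim, then lists the images stored in install.wim by parsing the output of DISM, which ships with Windows Server 2008 R2 and Windows 7. Drive letter E: and the SERVERENTERPRISE image name used at the end are assumptions.

```powershell
# Added example, not course code. Inspect Windows Server 2008 R2 installation
# media before installing: confirm boot.wim and install.wim are present under
# \sources and list the editions stored inside install.wim.
$MediaRoot = 'E:'   # assumed, as in the demonstration on LON-SVR1

function Test-InstallMedia([string]$Root) {
    # The Sources folder must contain both image files described in the lesson.
    $sources = Join-Path $Root 'sources'
    $missing = @('boot.wim', 'install.wim') | Where-Object {
        -not (Test-Path (Join-Path $sources $_))
    }
    if ($missing) { throw "Missing from ${sources}: $($missing -join ', ')" }
    return (Join-Path $sources 'install.wim')
}

function Get-WimImageList([string]$WimFile) {
    # Parse the text output of "dism /Get-WimInfo" into one object per image.
    # Each image block in that output looks like:
    #   Index : 1
    #   Name : Windows Server 2008 R2 SERVERSTANDARD
    #   Description : Windows Server 2008 R2 SERVERSTANDARD
    #   Size : 11,958,826,226 bytes
    $lines = & dism.exe /Get-WimInfo /WimFile:$WimFile
    if ($LASTEXITCODE -ne 0) { throw "dism failed ($LASTEXITCODE): $($lines -join ' ')" }
    $images  = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*Index\s*:\s*(\d+)') {
            $current = New-Object PSObject -Property @{
                Index = [int]$Matches[1]; Name = ''; Description = ''; SizeBytes = [int64]0
            }
            $images += $current
        }
        elseif ($current -and $line -match '^\s*Name\s*:\s*(.+)$') {
            $current.Name = $Matches[1].Trim()
        }
        elseif ($current -and $line -match '^\s*Description\s*:\s*(.+)$') {
            $current.Description = $Matches[1].Trim()
        }
        elseif ($current -and $line -match '^\s*Size\s*:\s*([\d,]+)') {
            $current.SizeBytes = [int64]($Matches[1] -replace ',', '')
        }
    }
    return $images
}

$wim      = Test-InstallMedia $MediaRoot
$editions = Get-WimImageList $wim
$editions | Sort-Object Index |
    Format-Table Index, Name, @{n='SizeGB'; e={ [math]::Round($_.SizeBytes / 1GB, 1) }} -AutoSize

# Single-instance storage is what lets several editions share one install.wim.
# Select the image to deploy by name (image naming assumed here).
$target = $editions | Where-Object { $_.Name -match 'SERVERENTERPRISE$' }
if (-not $target) { Write-Warning 'No Enterprise (Full installation) image found in install.wim.' }
```

The index shown in the listing is the value you pass to imagex /apply or to an unattended-installation answer file when you deploy a specific edition, so listing the images is worth doing before building the answer file in Windows SIM.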
Lesson 2
Configuring Windows Deployment Services

WDS enables you to deploy Windows operating systems over the network. WDS
automates and customizes the installation of operating systems through the use of
unattended installation files and disk imaging. It is one of the server roles and has
been included in Windows Server 2008. In Windows Server 2008 R2, WDS
supports enhanced multicasting, dynamic driver provisioning, and virtual hard
disk deployment features when deploying operating system images.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe Windows Deployment Services.
• Describe the enhancements in Windows Deployment Services.
• Describe Windows Deployment Services multicasting in Windows Server 2008
R2.
• Describe the deployment of driver packages.
• Create driver packages.
• Describe the deployment of virtual hard disk images.
• Deploy virtual hard disk images for Windows Server 2008 R2 images.
• Configure Windows Deployment Services for deploying Windows Server 2008
R2.
Windows Deployment Services

Key Points
WDS is a suite of components used for deploying Windows operating systems
over the network. WDS components are organized into three categories—server
components, client components, and management components, to help deploy
Windows operating system images.
• Server components. The server components comprise a Preboot Execution
Environment (PXE) server and a Trivial File Transfer Protocol (TFTP) server
for booting a client from the network. These components contain a shared
folder and an image repository, which has boot images, install images, and files
needed for network booting. The other server components are a networking
layer, a multicast component, and a diagnostics component.
• Client components. Client components comprise a graphical user interface
(GUI) that runs within Windows PE. When a user selects an operating system
image, the client components are used to communicate with the server
components to install the image.
• Management components. Management components are a set of tools such
as the WDS Microsoft Management Console snap-in or wdsutil.exe, which is a
command-line tool to manage servers, operating system images, and client
computer accounts.
WDS is one of the server roles in Windows Server 2008 R2. To install WDS, the
server must be a member of a Microsoft® Active Directory® directory service
domain. To run WDS, you need to have a working DNS server on the network.
You also need a Dynamic Host Configuration Protocol (DHCP) server with an active
scope on the network, because WDS uses PXE, which depends on DHCP for IP
addressing.
The WDS role in Windows Server 2008 R2 has two role services. You can install
both the Deployment Server and the Transport Server role services, or you can
install only the Transport Server role service. The Deployment Server is dependent
on the core parts of the Transport Server. The Deployment Server is the most
common option because it provides the full functionality of WDS to configure and
remotely install Windows operating systems. The Transport Server role service
contains only the core networking parts and it can also operate on a stand-alone
server. The Transport Server role service provides only command-line
administration. You can use Transport Server to create multicast namespaces that
transmit data from a stand-alone server.
WDS provides an end-to-end solution for installing different operating systems
such as Windows Vista™ SP1, Windows Server 2008, Windows 7, and Windows
Server 2008 R2. WDS supports both PXE and non-PXE clients. For a non-PXE
client, you boot the client from a discover image, which you can create on the
WDS server.
You can manage WDS by using the WDS Microsoft Management Console snap-in or
the WDSUtil tool, or you can develop custom management tools. WDS in Windows
Server 2008 supports only one multicast stream, where the slowest client sets the
speed for the whole stream. This has been improved in Windows Server 2008 R2,
in which WDS supports multiple multicast streams and automatically divides
transmissions into multiple streams based on client speeds.

Question: You have prepared a standard workstation image for your environment
and now you want to deploy the image to multiple computers. What should you
do?

Enhancements in Windows Deployment Services

Key Points
WDS in Windows Server 2008 R2 has several new features and enhancements.
The following are the enhancements to WDS in Windows Server 2008 R2:
• Dynamic driver provisioning. WDS provides the ability to deploy driver
packages to client computers as part of an installation, and add driver
packages to boot images prior to deployment. Dynamic driver provisioning
eliminates the need to add driver packages manually to images by using
Windows AIK, and it minimizes the size of images, making it easier to update
and manage drivers. This is because the drivers are stored outside the images.
Dynamic driver provisioning also eliminates the need to maintain multiple
images for different hardware configurations and the need to use an
unattended installation file to add drivers.
• Virtual hard disk deployment. WDS provides the ability to deploy .vhd
images as part of an unattended installation. Only Windows 7 and Windows
Server 2008 R2 VHD images are supported and they must be added from the
command line. This allows you to standardize on VHD as your common image
format, simplify image deployment by enabling physical computers to boot
from VHD images, and roll back changes when you use differencing disks.
• Additional multicasting functionality. WDS provides the ability to
automatically disconnect slow clients and divide transmissions into multiple
streams based on the client speed. It also provides support for multicasting in
environments that use IPv6.
• PXE provider for Transport Server. WDS includes a PXE provider when you
install the Transport Server role service. You can use Transport Server for
network boot, multicast data, or both, as part of an advanced configuration.
Transport Server is a stand-alone server. Therefore, when you use Transport
Server for network booting and multicasting, your environment does not need
Active Directory Domain Services (AD DS) or DNS.
• Additional Extensible Firmware Interface (EFI) functionality. WDS
supports network booting of x64-based computers with EFI. This support includes
the auto-add functionality, DHCP referral to direct clients to a specific PXE
server, and the ability to deploy boot images by using multicasting.

Question: You have multiple client computers on which you need to deploy the
same image by using multicast. Some of these computers are slower than others.
Will slow clients bring down the speed of multicast transmission?

Windows Deployment Services Multicasting in Windows Server 2008 R2

Key Points
Multicasting is the ability to transmit a single stream to multiple subscribers at the
same time. Using multicasting, you can deploy an image to a large number of client
computers without overburdening the network. When you create a multicast
transmission for an image, the image is sent over the network only once, thereby
drastically reducing the amount of network bandwidth that is used. Data is
transferred only while clients are requesting it; if no clients are connected or the
transmission is idle, nothing is sent over the network.
WDS on Windows Server 2008 R2 supports the following features:
• Multiple stream transfer. This feature enables servers to group clients that
have similar bandwidth capabilities into network streams, ensuring the fastest
possible transfer rate.
• Automatic disconnect. This feature allows you to automatically disconnect
clients that fall below a specified speed. The clients that are disconnected
continue to transfer the image by using the SMB protocol or unicasting,
allowing the multicast performance of the other clients to increase.


There are two types of multicast transmissions:
• Auto-Cast. This option indicates that when the client requests an install image,
a multicast transmission of the selected image begins. Then, as other clients
request the same image, they are joined to the transmission that is already
started.
• Scheduled-Cast. This option sets the start criteria for the transmission based
on the number of clients that are requesting an image. With Scheduled-Cast,
only clients that join before the transmission starts, will receive the image by
using multicasting. Clients that join after the transmission will receive the
image by using unicasting. If you do not select the start criteria for the
transmission, you need to manually start it.
To create a multicast transmission, you need the following:
• Routers that support multicasting. In particular, Internet Group Management
Protocol (IGMP) snooping should be enabled on all devices.
• At least one install image that you want to transmit on the server.
• The Boot.wim file from the product DVD for one of the following operating
systems:
   • Client. Windows Vista with at least Service Pack 1 or Windows 7. You
   should not use the Boot.wim from the Windows Vista DVD unless your
   version of Windows Vista has SP1 integrated into the DVD. If you use the
   Windows Vista Boot.wim, you will be able to create the transmission, but
   users who boot into it will not be able to join the transmission.
   • Server. Windows Server 2008 or Windows Server 2008 R2.
• WDS on Windows Server 2008 R2 that supports multiple streams.
• Multicast is used for deploying the install image. However, if the computer has
EFI, WDS provides the ability to deploy boot images by using multicasting.
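The two transmission types created from the command line, as an added example that is not part of the courseware: the server name LON-SVR1, the image group "Windows 7 image", the install image name "Windows 7 ENTERPRISE", the client count and the start time are assumed values, and the switches follow the wdsutil /New-MulticastTransmission syntax.

```powershell
# Added example (not from the courseware): create an Auto-Cast and a
# Scheduled-Cast transmission with wdsutil.exe from an elevated PowerShell
# session on the WDS server. Assumed values: server LON-SVR1, image group
# "Windows 7 image", install image "Windows 7 ENTERPRISE".
# PowerShell wraps any argument that contains a space in double quotes before
# handing it to wdsutil, so '/FriendlyName:Win7 AutoCast' arrives intact.

# Auto-Cast: starts when the first client requests the image; every later
# client that selects the same image joins the transmission already running.
wdsutil /New-MulticastTransmission /Server:LON-SVR1 '/FriendlyName:Win7 AutoCast' `
    '/Image:Windows 7 ENTERPRISE' /ImageType:Install '/ImageGroup:Windows 7 image' `
    /TransmissionType:AutoCast

# Scheduled-Cast: starts when 10 clients have joined or when the given time
# (YYYY/MM/DD:hh:mm) is reached. Clients that join after the start receive the
# image by unicast instead, so pick the threshold to match the batch you deploy.
wdsutil /New-MulticastTransmission /Server:LON-SVR1 '/FriendlyName:Win7 ScheduledCast' `
    '/Image:Windows 7 ENTERPRISE' /ImageType:Install '/ImageGroup:Windows 7 image' `
    /TransmissionType:ScheduledCast /Clients:10 /Time:2010/02/08:22:00

# A Scheduled-Cast created without /Clients and /Time never starts on its own;
# start it manually once the clients are waiting in the Windows PE client.
wdsutil /Start-MulticastTransmission /Server:LON-SVR1 '/MulticastTransmission:Win7 ScheduledCast'

# Check that the transmissions exist and see which clients are attached.
wdsutil /Get-AllMulticastTransmissions /Server:LON-SVR1 /Show:Clients
```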

Question: You want to deploy Windows Vista on multiple computers by using
WDS multicasting on Windows Server 2008 R2. What do you need to consider?

Deployment of Driver Packages

Key Points
In previous versions of WDS, driver packages had to be added manually to the
image, or an unattended installation answer file had to be provided to add drivers
during installation. In Windows Server 2008 R2, you can use WDS to add driver
packages to the server and configure them to be deployed to client computers,
along with the install image. This functionality is only available when you are
installing images of Windows Vista SP1, Windows Server 2008, Windows 7, or
Windows Server 2008 R2.
You can deploy the driver packages to clients:
• Based on the Plug-and-Play hardware of the client. You can make all
packages available to all clients and configure the groups so that only
those packages that match the hardware on the computer are installed. The
Plug-and-Play functionality provides automatic configuration of hardware and
devices for Windows operating systems.
• Using filters to define which clients have access to each driver group. You
can organize your packages into driver groups and then map each group to
computers by using filters. A driver group is a collection of driver packages.
You can add filters to a driver group to make the packages in the group
available to a select group of client computers. The filters define which
computers have access to the driver group, based on the hardware of the
computer or the attributes of the selected install image. You can still configure
the packages to be installed, based on Plug and Play hardware, but you can use
the filters to further define the clients that will have access to the packages.
• In a driver group. You can deploy all the driver packages in a driver group to
a client computer. After the installation, when you connect the hardware to the
client, the device driver will be installed automatically.
The following are prerequisites for deploying driver packages:
• Windows Server 2008 R2 WDS server, configured with the following:
   • The boot image from either Windows 7 or Windows Server 2008 R2
   • The install images for Windows Vista SP1, Windows Server 2008,
   Windows 7, or Windows Server 2008 R2
• Driver packages for the hardware that you want to deploy. These packages
must be extracted. The packages cannot be .msi or .exe files.

Question: You need to provide drivers for new hardware for images that you are
deploying by using WDS on Windows Server 2008 R2. Do you need to integrate
these drivers to each image?

Demonstration: How To Create Driver Packages

Key Points
1. On LON-SVR1, add a driver package to an existing driver group, DriverGroup1,
by using the Add Driver Package Wizard.
2. Create a driver group, Network Drivers, by using the Add Driver Group Wizard
with the following information:
   • Manufacturer Filter Type: Contoso
   • OS Edition: 7
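The same driver-provisioning steps done with wdsutil instead of the wizards, as an added example that is not part of the courseware: the driver folder D:\Drivers, the .inf file name and the edition filter value "Enterprise" are assumed, while DriverGroup1, Network Drivers and the manufacturer Contoso come from the demonstration.

```powershell
# Added example (not from the courseware): driver groups and filters created
# with wdsutil.exe from an elevated PowerShell session on LON-SVR1.
# Assumed values: the extracted package D:\Drivers\ContosoNic\contosonic.inf
# (an .inf with its .sys and .cat files; .msi and .exe installers are not
# accepted) and the folder tree D:\Drivers\Contoso.
# PowerShell wraps any argument that contains a space in double quotes before
# handing it to wdsutil, so '/DriverGroup:Network Drivers' arrives intact.

# 1. Add one extracted package to the existing group DriverGroup1.
wdsutil /Verbose /Add-DriverPackage '/InfFile:D:\Drivers\ContosoNic\contosonic.inf' `
    /DriverGroup:DriverGroup1

# 2. Create the "Network Drivers" group with a Manufacturer filter, so only
#    clients whose firmware reports Contoso as the manufacturer can see it.
#    /Applicability:Matched keeps Plug and Play matching on top of the filter:
#    of the packages a client may see, only those for detected hardware install.
wdsutil /Add-DriverGroup '/DriverGroup:Network Drivers' /Enabled:Yes /Applicability:Matched `
    /Filtertype:Manufacturer /Policy:Include /Value:Contoso

# 3. Add a second filter on the edition of the install image being deployed
#    (the edition string is an assumed value; it must match the image metadata).
wdsutil /Add-DriverGroupFilter '/DriverGroup:Network Drivers' `
    /Filtertype:OsEdition /Policy:Include /Value:Enterprise

# 4. Import every package found under a folder tree into the new group.
#    Only signed packages belong here: the server hands them to every matching
#    client during Setup, so the driver store is a supply-chain control point.
wdsutil /Add-AllDriverPackages '/FolderPath:D:\Drivers\Contoso' '/DriverGroup:Network Drivers'

# 5. Review the group, its filters and its packages before the next deployment.
wdsutil /Get-DriverGroup '/DriverGroup:Network Drivers'
```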

Question: Based on the hardware of the client, how will you deploy the
Windows 7 images to the client computers?

Deployment of Virtual Hard Disk Images

Key Points
In Windows Server 2008 R2, you can deploy VHD images of Windows 7 or
Windows Server 2008 R2 to a physical computer by using WDS. In general, you
deploy VHD images in the same way as you would deploy .wim images. However,
you can add and configure the VHD images by using only WDSUtil at the
command line and not by using WDS MMC. In addition, the VHD deployment
must be part of an automated installation.
To deploy VHD images, you need the following:
• A configured WDS server with at least one boot image. You should use the
latest Boot.wim file from the Windows Server 2008 R2 or Windows 7
installation DVD.
• WDSUtil. You should be familiar with the WDSUtil command-line tool
because this is the only method to import and configure VHD images. You
can obtain information about the command's parameters by running wdsutil /?
at the command prompt.


• A supported VHD image. The only supported operating systems are Windows
Server 2008 R2, Windows 7 Enterprise, and Windows 7 Ultimate. Fixed,
dynamic, and differencing VHD images are supported. However, the
supported image cannot contain more than one operating system, more than
one partition, applications or data, or a 64-bit operating system that is
partitioned with a GUID partition table.
To add the VHD image to the server, use the following syntax:

Wdsutil /Verbose /Progress /Add-Image /ImageFile:<path> /ImageType:Install /ImageGroup:<image group name>

After adding the image, configure an unattended installation for the VHD image by
creating two unattended .xml files. One unattended file automates the WDS client
user interface screens, and the other automates the remaining phases of Setup. You
can author both files by using Windows SIM, which is a part of Windows AIK.

Question: You have a VHD image file that you want to deploy by using WDS. How
can you add it by using WDS MMC?

Demonstration: How To Deploy Virtual Hard Disk Images

Key Points
1. On LON-SVR1, create an image group by using the Windows Deployment
Services console.
2. Open the Command Prompt and run the following code to add the win7.vhd
image file to Windows Deployment Services.
3. Run the following code to create a computer account for Computer1 and assign
a GUID to it.
4. Open the file d:\WDS-client.xml and explain how you can create it by using
Windows AIK/Windows System Image Manager.
5. Run the following code to associate an unattend file with the prestaged client.
6. Open the file d:\unattend.xml and briefly discuss its content and its role in
performing the installation.
7. Configure an unattended installation for the image by using the Windows
Deployment Services console.

Question: How will you disconnect the slower clients from the multicast group?

Demonstration: How To Configure Windows Deployment Services

Key Points
1. Open the Windows Deployment Services console and explain the PXE
Response, AD DS, Boot, Client, DHCP, and Multicast properties of the LON-
SVR1.Contoso.com node.
2. In the tree pane of the Windows Deployment Services console, click Drivers,
and then explain driver provisioning.

Question: How will you add the .VHD file to Windows Deployment Services?

Lesson 3
Migrating Server Roles, Features, and Settings
to Windows Server 2008 R2

You can use the WSMT feature available in Windows Server 2008 R2 to migrate
server roles, features, operating system settings, shares, and other data from
computers that are running Windows Server 2003 R2 or SP2, Windows
Server 2008, or Windows Server 2008 R2 to computers that are running Windows
Server 2008 R2. You can migrate from 32-bit to 64-bit operating system, between
physical and virtual systems, and between Full Server and Server Core. In this
lesson, you will learn how to use these migration tools.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe migration to Windows Server 2008 R2.
• Describe the considerations for migrating to Windows Server 2008 R2.
• Describe Windows Server Migration Tools.
• Use Windows Server Migration Tools.

Overview of Migration to Windows Server 2008 R2

Key Points
When installing Windows Server 2008 R2, you can select either the Upgrade or the
Custom (advanced) type of installation. The Upgrade installation replaces the
previous server operating system with Windows Server 2008 R2 on the same
hardware and preserves all configuration, server roles, and data. Upgrade is
possible only on 64-bit hardware with a server operating system such as Windows
Server 2003 R2 or SP2, or Windows Server 2008 or newer. In addition,
upgrade is possible only between certain server editions, and not between different
language editions or different platforms.
Custom (advanced) installation performs a clean installation. A clean installation
does not preserve settings and server roles, but preserves the previous data on the
server. You can perform a clean installation on a new partition—without a previous
operating system—to have a more stable and reliable operating system. In a clean
installation, you need to set all configurations, and add server roles and features.
Clean installation to a new server is the only option if the existing server is on a
32-bit platform.

Windows Server Migration Tools
To automate the configuration of a newly installed server and to ease migration of
data from an old server to a new server, Windows Server 2008 R2 provides the
WSMT feature. This feature, like all others, is not installed by default. To use it, you
need to install it on both the source server, from which you want to migrate server
roles, operating system settings, and data, and the target server. Using WSMT, you
can simplify deployment of new servers, including those that are running the Server
Core installation of Windows Server 2008 R2 and servers in a virtual environment;
reduce migration downtime; increase the accuracy of the migration process; and
help eliminate conflicts that could occur during the migration process.

Benefits of migration
Migration reduces risk and downtime, and provides you with the following
benefits:
• Run migration tasks while the old server is still operational.
• Migrate server roles, settings, and data at different times.
• Test the new server before removing the old server.
• Verify migration and performance before switching to the new server.
• Roll back to the old server, if any problem arises after the migration.

Question: You have a critical server that is running Windows Server 2003 SP2 on
32-bit hardware. You need to upgrade this server to Windows Server 2008 R2.
Which type of installation will you perform?

Considerations for Migrating to Windows Server 2008 R2

Key Points
Windows Server 2008 R2 supports only 64-bit hardware. Therefore, there is no in-
place upgrade for 32-bit servers. Even if existing servers are on a 64-bit platform, it
is often preferable to perform a clean installation and then migrate the settings and
data. Using WSMT, you can migrate only roles, configuration settings, and data,
but not the operating system itself. If you want to move a server from a physical
environment to a virtual environment, use the Physical-to-Virtual (P2V) migration
tool, such as the one included in System Center Virtual Machine Manager.

Operating systems supported for migration
WSMT supports Windows Server 2003 R2, Windows Server 2003 SP2, Windows
Server 2008, or Windows Server 2008 R2 as source servers; and Windows Server
2008 R2 Foundation, Standard, Enterprise, or Datacenter editions as destination
servers. It supports migrations between physical and virtual systems, but does not
support migration from a source server to a destination server that is running in a
different system user interface (UI) language. For example, you cannot use WSMT
to migrate roles, operating system settings, data, or shares from a computer that is
running Windows Server 2008 in the French language to a computer that is
running Windows Server 2008 R2 in the German language.

Server roles, features, and settings supported by WSMT
Using WSMT, you can migrate server roles such as AD DS, DHCP Server, DNS
Server, File Server, and Print Server; server features such as BranchCache; and
settings such as Local Users and Groups, IP Configuration, and Data and Shares.
You can migrate each of these items separately, or all together.

Migration Guide
For each migration, you can use the Migration Guide documents available on the
Microsoft Migration Portal, which explain the background of the process, how to
perform the migration, and considerations such as how long the migration takes,
what needs to be migrated, and when the migration should take place.

Question: Can you migrate a server to a virtual environment by using WSMT?


Windows Server 2008 R2 Migration Tools

Key Points
WSMT is a feature of Windows Server 2008 R2 that helps you migrate roles,
features, or other data to computers that are running Windows Server 2008 R2. To
perform a migration by using WSMT, first ensure that the source server is running
one of the supported server operating systems. In addition, you must be a
member of the Administrators group on both the source and destination servers,
and have the appropriate permissions to install WSMT. Because WSMT requires
Windows® PowerShell, which relies on the Microsoft .NET Framework, you must
verify that both are installed on the source server. Then, install WSMT on the
servers. For Windows Server 2008 and Windows Server 2003 SP2, use
SmigDeploy.exe, which comes with the migration tools. You can find
SmigDeploy.exe in the \Windows\System32\ServerMigrationTools folder.

Windows PowerShell migration cmdlets
WSMT is a collection of five Windows PowerShell cmdlets. To use them, you need
to open the Windows PowerShell window and run the following command.

Add-PSSnapin Microsoft.Windows.ServerManager.Migration

The following table displays the list of Windows PowerShell migration cmdlets.

Migration cmdlet            Description
Get-SmigServerFeature       Discovers features available for export, and features in the migration store available for import
Export-SmigServerSetting    Exports specified role, feature, and operating system settings to a migration store at the source server
Import-SmigServerSetting    Imports specified role, feature, and operating system settings from a migration store to the destination server
Send-SmigServerData         Transfers data and shares, preserving local and domain permissions
Receive-SmigServerData      Receives transferred data

You can use the Get-SmigServerFeature cmdlet to see Windows features that can
be migrated or the features that are already in the migration store, the Export-
SmigServerSetting cmdlet to export them to the migration store at the source
server, and the Import-SmigServerSetting cmdlet to import them at the destination
server. The migration store can be either local or on the network. You can use the
Send-SmigServerData and Receive-SmigServerData cmdlets for direct data transfer
from the source server to the destination server. If a server role or feature that you
are migrating is not installed on the destination server, it will be installed during
migration. After completing the migration, you can uninstall WSMT by removing the
feature or by running the SmigDeploy /unregister command.
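The DHCP Server role migration of Lab 1A expressed with the five cmdlets, as an added example that is not part of the courseware: the function names, the share path D:\Shares and the use of C:\Export on LON-DC1 and C:\Migrate on LON-SVR1 are assumptions, and each function is meant to run in a Windows PowerShell session on the server named in its comment.

```powershell
# Added example (not from the courseware): the WSMT cmdlets wrapped in one
# function per server. Assumed values: source LON-DC1 exports to C:\Export,
# the store is copied to C:\Migrate on the destination LON-SVR1, and shares
# live under D:\Shares. Export-SmigServerSetting encrypts the migration store
# with the password you supply and the same password opens it on the
# destination, so it is read as a SecureString and never written to disk.

# Run on the source server (LON-DC1).
function Export-DhcpMigrationStore {
    param([string]$StorePath = 'C:\Export')
    Add-PSSnapin Microsoft.Windows.ServerManager.Migration -ErrorAction Stop
    # Without -Path, Get-SmigServerFeature lists what this server can export;
    # stop early if the DHCP Server role is not among them.
    if (-not (Get-SmigServerFeature | Out-String | Select-String -Quiet 'DHCP')) {
        throw 'The DHCP Server role is not available for export on this server.'
    }
    $storePassword = Read-Host -Prompt 'Migration store password' -AsSecureString
    # Writes <StorePath>\svrmig.mig with the role settings (scopes, options,
    # reservations); treat the file as sensitive while it travels to LON-SVR1.
    Export-SmigServerSetting -FeatureId DHCP -Path $StorePath -Password $storePassword -Verbose
}

# Run on the destination server (LON-SVR1) after svrmig.mig has been copied.
function Import-DhcpMigrationStore {
    param([string]$StorePath = 'C:\Migrate')
    Add-PSSnapin Microsoft.Windows.ServerManager.Migration -ErrorAction Stop
    $storePassword = Read-Host -Prompt 'Migration store password' -AsSecureString
    # With -Path, the same cmdlet reads the store and lists what it contains,
    # without changing anything on this server.
    Get-SmigServerFeature -Path $StorePath -Password $storePassword | Format-Table -AutoSize
    # Installs the DHCP Server role if it is missing, then applies the settings.
    # -Force overwrites settings that already exist on the destination.
    Import-SmigServerSetting -FeatureId DHCP -Path $StorePath -Password $storePassword -Force -Verbose
}

# Data and shares go directly from server to server, preserving local and
# domain permissions. Start the receiver on LON-SVR1 first: it waits for the
# sender, and both sides must use the same transfer password.
function Receive-MigratedShares {
    Add-PSSnapin Microsoft.Windows.ServerManager.Migration -ErrorAction Stop
    Receive-SmigServerData -Password (Read-Host -Prompt 'Transfer password' -AsSecureString)
}

# Then run the sender on LON-DC1.
function Send-MigratedShares {
    param([string]$Destination = 'LON-SVR1', [string]$Path = 'D:\Shares')
    Add-PSSnapin Microsoft.Windows.ServerManager.Migration -ErrorAction Stop
    # -Include All moves both the files and the share definitions; -Recurse
    # walks the whole tree under the source path.
    Send-SmigServerData -ComputerName $Destination -SourcePath $Path -DestinationPath $Path `
        -Include All -Recurse -Password (Read-Host -Prompt 'Transfer password' -AsSecureString)
}
```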

Question: WSMT is a collection of Windows PowerShell cmdlets. How can you
use WSMT to migrate the DHCP role from Windows Server 2003 SP2, where
Windows PowerShell is not installed?

Demonstration: How To Use Windows Server Migration Tools

Key Points
1. In the Windows PowerShell window of LON-DC1, run the following code to
export the DHCP server role settings.
2. Navigate to C:\Export to verify that the svrmig.mig file has been created.
3. On LON-SVR1, open the Windows PowerShell window and run the following
code:
4. Move the svrmig.mig file from \\lon-dc1.contoso.com\export to the
C:\Migrate folder.
5. Run the following code to import the DHCP server role settings.
6. Verify whether the modifications that are made to DHCP are successfully
transferred to LON-SVR1.

Question: What should you do to use the Windows Server Migration Tools?

Lab 1A: Deploying Windows Server 2008 R2

Introduction
In this lab, you will deploy Windows Server 2008 R2. To do this, you will attach
the virtual hard disk, copy the boot configuration data, and add a native-boot
virtual hard disk to an existing boot menu. You will also configure new features in
Windows Deployment Services by creating an image group, configuring an
unattended installation for a virtual hard disk image, and adding a driver package
to an existing driver group. Finally, you will install the Windows Server Migration
Tools feature, modify the DHCP server properties, and import the migrated
settings.

Objectives
After completing this lab, you will be able to:
• Configure and test virtual hard disk with native boot
• Configure new features in Windows Deployment Services
• Migrate Server Roles

Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the following
credentials:
   • User name: Contoso\Administrator
   • Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the following
credentials:
   • User name: Contoso\Administrator
   • Password: Pa$$w0rd

Lab Scenario
You are a server administrator at Contoso, Ltd. Your organization is currently
using Windows Deployment Services for deploying Windows client images over
the network. Windows Server 2008 R2 provides native boot from virtual hard disk.
You can also deploy virtual hard disk by using Windows Deployment Services.
As part of your job, you need to configure and test native boot from virtual hard
disk. Then, import the virtual hard disk image and individual drivers to Windows
Deployment Services. Assign the drivers to Windows 7 and Windows Server 2008
R2 images. Finally, migrate the DHCP server role between two servers and verify
whether the settings are transferred successfully.

Exercise 1: Configuring and testing virtual hard disk with native boot
The main tasks in this exercise are as follows:
1. Start the virtual servers.
2. Attach the virtual hard disk and copy the boot configuration data.
3. Add a native-boot virtual hard disk to an existing boot menu.
4. Reboot LON-SVR1 and boot from the virtual hard disk.

Task 1: Start the virtual servers.
• Log on to LON-DC1 with the user name Contoso\Administrator, and the
password, Pa$$w0rd.
• Log on to LON-SVR1 with the user name Contoso\Administrator, and the
password, Pa$$w0rd.

Task 2: Attach the virtual hard disk and copy the boot configuration data.
• On LON-SVR1, run the following DiskPart commands to select and attach the
virtual hard disk d:\win7.vhd and assign the drive letter F to it.

diskpart
select vdisk file=d:\win7.vhd
attach vdisk
select volume 4
assign letter F
exit

• Open Windows Explorer and verify that the new drive, VHD (F:), contains the
same folder structure as a Windows installation.
• Run the following code to copy the boot environment files and the boot
configuration data from the \Windows directory on the VHD to the system
partition.

bcdboot F:\windows

Task 3: Add a native-boot virtual hard disk to an existing boot menu.
• On LON-SVR1, run the following code to copy the existing Windows Server
2008 R2 boot entry.

bcdedit /copy {default} /d "Win7 from VHD"

• Run the following code to modify the copied boot entry so that it points to
the native-boot VHD file, and then make it the default entry.

bcdedit /set {guid} device vhd=[c:]\Win7.vhd
bcdedit /set {guid} osdevice vhd=[c:]\Win7.vhd
bcdedit /default {guid}

Replace {guid} with the GUID value that the previous bcdedit /copy command
returned. Copy the GUID from the output, including the braces.

Task 4: Reboot LON-SVR1 and boot from the virtual hard disk.
• Reboot LON-SVR1 and start it from the native boot virtual hard disk.

The system will start into Windows Server 2008 R2 Web Edition, although Windows
Server 2008 R2 Enterprise is installed on the computer.

Results: After completing this exercise, you should have attached a VHD and assigned
it a drive letter, copied and modified the existing Windows Server 2008 R2 boot entry
as a new boot entry, and restarted the computer from the VHD.

Exercise 2: Configuring new features in Windows Deployment Services
The main tasks in this exercise are as follows:
1. Create an image group and add a virtual hard disk image.
2. Configure an unattended installation for a virtual hard disk image.
3. Add a driver package to an existing driver group.
4. Create a driver group and define a filter.

Task 1: Create an image group and add a virtual hard disk image.
• Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• On LON-SVR1, create an image group by using the Windows Deployment
Services console.
• Open the Command Prompt and run the following code to add the win7.vhd
image file to Windows Deployment Services.

Wdsutil /Verbose /Progress /Add-Image /ImageFile:"d:\win7.vhd" /ImageType:Install /ImageGroup:"Windows 7 image"

Task 2: Configure an unattended installation for a virtual hard disk image.
• Run the following code to create a computer account for Computer1 and
assign a GUID to it.

Wdsutil /Add-Device /Device:Computer1 /ID:ACEFA3E81F20694E953EB2DAA1E8B1B6

• Move the WDS-client.xml file from Allfiles (D:)\Disk to the Local Disk
(C:)\RemoteInstall\WdsClientUnattend folder.
• Run the following code to associate an unattend file with the prestaged client.

Wdsutil /Set-Device /Device:Computer1 /WDSClientUnattend:WDSClientUnattend\WDS-client.xml

• Configure an unattended installation for the image by using the Windows
Deployment Services console.

Task 3: Add a driver package to an existing driver group.
• Add a driver package to an existing driver group, DriverGroup1, by using the
Add Driver Package Wizard.

f Task 4: Create a driver group and define a filter.


• Create a driver group, Network Drivers, by using the Add Driver Group
Wizard with the following information:
• Manufacturer Filter Type: Contoso
• OS Edition: 7
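The following Windows PowerShell script is an added example and is not part of the course. It shows how to confirm the prestaged device and image from Tasks 1 and 2 with Wdsutil, and how to inspect a WDS client unattend file before it is copied into RemoteInstall: the file can carry logon credentials for the deployment server in a <Credentials> element, and anything in <Password> is stored in clear text on the server. The device name and unattend path follow the exercise; the sample XML, the account name and the password value are constructed for illustration.

```powershell
# Added example (not from the course): verify the WDS prestaging from Exercise 2 and
# check the WDS client unattend file for clear-text credentials before it is used.

# --- Wdsutil checks: does the device exist and does it reference the unattend file? ---
Wdsutil /Get-Device /Device:Computer1
Wdsutil /Get-AllImages /Show:Install

# --- Inspect the unattend file itself ---
# Returns one finding per non-empty <Password> under WindowsDeploymentServices/Login.
function Test-WdsClientUnattend([string]$path) {
    [xml]$doc = Get-Content -Path $path
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    $nodes = $doc.SelectNodes('//u:WindowsDeploymentServices/u:Login/u:Credentials/u:Password', $ns)
    $findings = @()
    foreach ($p in $nodes) {
        if ($p.InnerText.Trim()) {
            $cred = $p.ParentNode
            $findings += "Clear-text password present for $($cred.Domain)\$($cred.Username) in $path"
        }
    }
    $findings
}

# Constructed sample file standing in for D:\Disk\WDS-client.xml (not the lab file).
$sample = Join-Path $env:TEMP 'WDS-client-sample.xml'
@'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <WindowsDeploymentServices>
        <Login>
          <Credentials>
            <Domain>contoso</Domain>
            <Username>wdsdeploy</Username>
            <Password>Example-Only-Password</Password>
          </Credentials>
        </Login>
      </WindowsDeploymentServices>
    </component>
  </settings>
</unattend>
'@ | Set-Content -Path $sample

# Review the findings; an empty result means no embedded password was found.
Test-WdsClientUnattend -path $sample
```

Run the Wdsutil lines on the WDS server (LON-SVR1 in the lab) and the function against the real WDS-client.xml before moving it into C:\RemoteInstall\WdsClientUnattend. When the function reports a password, use a dedicated, least-privilege account for the WDS logon and restrict NTFS permissions on the WdsClientUnattend folder, since the file is readable by whoever can read that share.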

Results: After completing this exercise, you should have created an image group in
Windows Deployment Services with the VHD images and configured an unattended
installation for the VHD image.

Exercise 3: Migrating Server Roles

The main tasks in this exercise are as follows:
1. Install the Windows Server Migration Tools feature.
2. Modify the DHCP server properties and export the server role settings.
3. Import the migrated settings and verify that they were applied.

Task 1: Install the Windows Server Migration Tools feature.

• On LON-DC1, install Windows Server Migration Tools by using the Add
Features Wizard of the Server Manager console.
• Open the Windows PowerShell window and then run the following code to
add the Migration tool.

Add-PSSnapin Microsoft.Windows.ServerManager.Migration

Task 2: Modify DHCP server properties and export server role settings.
• On LON-DC1, open the DHCP console and set the following properties of the
DHCP server:
• Scope name: Name before migration
• Lease duration for DHCP clients: 5 hours
• In the Windows PowerShell window, run the following code to export the
DHCP server role settings.

Export-SmigServerSetting -featureID DHCP -path c:\export -Verbose

• Navigate to C:\Export to verify that the svrmig.mig file has been created.

Task 3: Import the migrated settings and verify that they were applied.
• On LON-SVR1, configure the Windows Server Migration Tools feature by
using the Server Manager console.
• On LON-SVR1, open the Windows PowerShell window, and run the following
code.

Add-PSSnapin Microsoft.Windows.ServerManager.Migration

• Move the svrmig.mig file from \\lon-dc1.contoso.com\export to the
C:\Migrate folder.
• Run the following code to import the DHCP server role settings.

Import-SmigServerSetting -featureid DHCP -path c:\migrate -Verbose

• Verify that the modifications made to the DHCP server on LON-DC1 have been
transferred to LON-SVR1.
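The script below is an added example, not part of the course, that carries the DHCP migration of this exercise through as one checked sequence. Host names and paths follow the lab (LON-DC1 exports to C:\Export, LON-SVR1 imports from C:\Migrate). The password prompt reflects that both Smig cmdlets protect the migration store with a password; stopping and starting the DHCP service around the export and import, and hashing the store before it is copied, are additions the exercise itself does not perform. It assumes the DHCP Server role is already installed on LON-SVR1.

```powershell
# Added example (not from the course): DHCP role migration with verification steps.
Add-PSSnapin Microsoft.Windows.ServerManager.Migration -ErrorAction Stop

# The migration store is encrypted with a password supplied as a SecureString;
# prompt for it rather than embedding it in the script.
$migPassword = Read-Host -AsSecureString 'Password to protect the migration store'

# ----- On the source server (LON-DC1) -----
# Confirm that DHCP is among the features this server can export.
if (-not (Get-SmigServerFeature | Out-String | Select-String -SimpleMatch 'DHCP')) {
    throw 'DHCP is not listed as an exportable feature on this server.'
}

# Stop the service so the lease database is not changing while it is exported.
Stop-Service DHCPServer

Export-SmigServerSetting -FeatureID DHCP -Path 'C:\Export' -Password $migPassword -Verbose

# The store is a single file, svrmig.mig. Confirm it exists and record its size and
# SHA-256 so the copy on the destination can be checked before it is imported.
$store = Join-Path 'C:\Export' 'svrmig.mig'
if (-not (Test-Path $store)) { throw "Export did not produce $store" }
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($store)
try     { $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
finally { $stream.Close() }
'{0}  {1} bytes  sha256={2}' -f $store, (Get-Item $store).Length, $hash

# ----- On the destination server (LON-SVR1), after copying svrmig.mig to C:\Migrate -----
# Recompute the hash there with the same code and compare it with the value above.
Import-SmigServerSetting -FeatureID DHCP -Path 'C:\Migrate' -Password $migPassword -Verbose

# Bring the migrated service up and confirm the scope renamed in Task 2 is present.
Start-Service DHCPServer
netsh dhcp server show scope
```

The two halves run on different servers, as the comments mark; the same password must be entered on both. Keep the migration store and its copy on access-controlled paths and delete them after the import succeeds, because the store contains the full DHCP configuration.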

Results: After completing this exercise, you should have installed the Windows Server
Migration Tools feature and modified the DHCP server properties to export and import
the server role settings.

Note: The answers to the exercises are on the Course Companion CD.

Before proceeding to the next lab, reset the lab environment.


Lab Review

1. What happens when you execute the bcdboot v:\windows command?

This command will copy the boot environment files and Boot Configuration Data
configuration from the \Windows directory in the VHD (V:) drive to the system
partition.

2. How will you verify the specifications of a filter?

In the Windows Deployment Services console, right-click Network Drivers and
verify the specifications of the filter on the Filters tab.

Lesson 4
Managing Windows Server 2008 R2

Windows Server 2008 R2 reduces the effort for managing physical and virtual
servers by providing enhanced management consoles and automation for
repetitive day-to-day administrative tasks. It also helps provide improved branch
office capabilities, exciting new remote access experiences, streamlined server
management, and expanded Microsoft virtualization strategy for both client and
server computers. For example, you can use Server Manager in Windows Server
2008 R2 to manage remote systems, integrate BPA, and improve integration with
other management consoles. You can easily configure Server Core. In addition,
Windows Server 2008 R2 has many enhancements in Power Management and
Windows Server Backup. These enhancements provide better energy efficiency and
performance by reducing power consumption and lowering overhead costs.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the enhancements in Server Manager.
• Describe Best Practices Analyzer.
• Use Server Manager and Best Practices Analyzer.
• Describe file classification infrastructure and file management tasks.
• Use file classification infrastructure.
• Describe power consumption management.
• Describe the backup enhancements in Windows Server 2008 R2.
• Back up Windows Server 2008 R2.
• Describe remote administration in Windows Server 2008 R2.
• Administer Windows Server 2008 R2 remotely.

Enhancements in Server Manager

Enhancements in Server Manager

Key Points
Server Manager provides a single interface for managing a server's identity and
system information, displaying server status, identifying problems with server role
configuration, and managing all roles installed on the server. In Windows Server
2008 R2, you can use Server Manager to manage remote computers from a
computer that is running Windows Server 2008 R2 or Windows 7.
The following table lists the changes to Server Manager in Windows Server 2008
R2.

Enhancement: Changes to server roles and features
Description: Windows Server 2008 R2 includes the following changes to roles and
features that are available for installation by using Server Manager:
• Roles
  • Terminal Services is renamed as Remote Desktop Services.
  • Print Services is renamed as Print and Document Services.
  • Universal Description, Discovery, and Integration (UDDI) Services is no
    longer available.
  • Windows Server Update Services is a new role, available for installation on
    Windows Server 2008 R2.
• Features
  • Windows BranchCache, a new feature that reduces the network bandwidth
    requirements of client computers that are located in remote offices, is
    added.
  • DirectAccess Management Console, a new feature that provides DirectAccess
    setup and monitoring capability, is added.
  • Ink and Handwriting Services, a new feature that supports handwriting
    recognition and the use of a pen or stylus with a computing surface, is
    added.
  • Windows Server Migration Tools, a new feature that enables migration of
    server roles, features, operating system settings, shares, and other data
    from computers, is added.
  • Remote Server Administration Tools (RSAT) includes additional
    administrative tools such as Active Directory Administrative Center and
    Remote Desktop (RD) Connection Broker.
  • Windows 2000 Client Support is removed from Message Queuing.
  • XPS Viewer, part of .NET Framework 3.0 features in Windows Server 2008,
    is available as a stand-alone feature.

Enhancement: Remote management with Server Manager
Description: In Windows Server 2008 R2, you can use Server Manager to perform
some management tasks on remote computers that are running Windows Server 2008
R2. To manage a computer remotely by using Server Manager, connect Server Manager
to a remote computer in the same manner that you would connect MMC for other
technologies.

Enhancement: Windows PowerShell cmdlets for Server Manager tasks
Description: You can use the following Windows PowerShell cmdlets to install,
remove, or view information about available roles:
• Add-WindowsFeature
• Get-WindowsFeature
• Remove-WindowsFeature

Enhancement: Best Practices Analyzer integration
Description: You can use BPA to reduce best practice violations by scanning one
or more roles that are installed on Windows Server 2008 R2.

• Server Core includes a new configuration tool named SConfig, which makes
initial configuration easier. Using SConfig, you can perform tasks such as
configuring network settings, renaming the computer, joining a domain,
configuring the firewall, configuring remote management, configuring Windows
Update, and enabling Remote Desktop.
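The following script is an added example, not part of the course, that uses the three Server Manager cmdlets listed above the way an administrator would on a fleet of servers: record which roles and features are installed, compare the result with a saved baseline so that roles added outside change control stand out, and install one feature by name. The baseline path is an assumption; Migration is the feature name of Windows Server Migration Tools.

```powershell
# Added example (not from the course): role/feature inventory with the ServerManager
# module, drift check against a baseline, and installation of one feature.
Import-Module ServerManager

$baselinePath = 'C:\Baselines\installed-features.csv'   # assumed location

function Get-InstalledFeatureNames {
    Get-WindowsFeature | Where-Object { $_.Installed } |
        Select-Object -ExpandProperty Name | Sort-Object
}

function Save-Baseline([string[]]$names, [string]$path) {
    New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null
    $names | ForEach-Object { New-Object PSObject -Property @{ Name = $_ } } |
        Export-Csv -Path $path -NoTypeInformation
}

$current = Get-InstalledFeatureNames

if (Test-Path $baselinePath) {
    # '=>' marks features installed since the baseline was taken, '<=' features removed.
    $baseline = Import-Csv -Path $baselinePath | Select-Object -ExpandProperty Name
    $drift = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    if ($drift) {
        Write-Warning 'Installed roles/features differ from the baseline:'
        $drift | ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject }
    } else {
        'No drift from baseline.'
    }
} else {
    Save-Baseline -names $current -path $baselinePath
    "Baseline written to $baselinePath"
}

# Install Windows Server Migration Tools if it is missing. Add-WindowsFeature reports
# whether the operation succeeded and whether a restart is required.
$feature = Get-WindowsFeature -Name Migration
if (-not $feature.Installed) {
    $op = Add-WindowsFeature -Name Migration
    $op | Select-Object Success, RestartNeeded
    # An intentional change: refresh the baseline so it is not reported as drift later.
    Save-Baseline -names (Get-InstalledFeatureNames) -path $baselinePath
}

# Remove-WindowsFeature -Name <feature> reverses Add-WindowsFeature in the same way.
```

Run it in an elevated Windows PowerShell session on the server being checked. Keeping the baseline file on a path that administrators can read but not routinely write makes the drift report more trustworthy; the same inventory can be collected from remote servers over Windows PowerShell remoting.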

Question: Is it possible to use Server Manager in Windows Server 2008 R2 to
remotely manage Windows Server 2008 R2 Server Core? If yes, how can you use it
for remote management?

Best Practices Analyzer

Key Points
In Windows management, best practices are guidelines that are considered the
ideal way, in normal circumstances, to configure a server. For example, a best
practice in server technologies is to keep open only those ports that are required to
communicate with other networked computers, and block unused ports. While
best practice violations are not necessarily problematic, they indicate server
configurations that can result in poor performance, poor reliability, unexpected
conflicts, increased security risks, or other potential problems.

What is Best Practices Analyzer?


BPA is a server management tool that is available in Windows Server 2008 R2. You
can use BPA to reduce best practice violations by scanning one or more roles that
are installed on Windows Server 2008 R2. BPA indicates best practice violations
through reports. You can filter or exclude results from BPA reports, and perform
BPA tasks by using Server Manager or Windows PowerShell cmdlets.
In Windows Server 2008 R2, BPA is available for the following server roles: AD DS,
Active Directory Certificate Services (AD CS), Remote Desktop Services, Web
Server (IIS), and DNS Server. BPA for additional roles and features will be added
later, through Windows Update.
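The script below is an added example and not part of the course. It runs a BPA scan with the BestPractices module cmdlets, keeps a timestamped CSV of every result for audit, and prints only the errors and warnings that have not been excluded. The model ID and report folder are assumptions; Get-BpaModel lists the IDs that exist on the server for the roles installed there.

```powershell
# Added example (not from the course): scripted BPA scan with a filtered report.
Import-Module BestPractices

# One BPA model per supported role that is installed on this server.
Get-BpaModel | Select-Object Id, LastScanTime

$modelId   = 'Microsoft/Windows/DNSServer'   # assumption: use an Id from Get-BpaModel
$reportDir = 'C:\BpaReports'                 # assumption
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# Scan, then fetch the results for the same model.
Invoke-BpaModel -BestPracticesModelId $modelId | Out-Null
$results = Get-BpaResult -BestPracticesModelId $modelId

# What needs attention: errors and warnings that nobody has excluded.
$attention = $results | Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded }
'{0} result(s) need attention for {1}' -f @($attention).Count, $modelId
$attention | Select-Object Severity, Category, Title, Problem, Resolution | Format-List

# Full result set, including excluded items, kept for audit trail.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$file  = Join-Path $reportDir ('{0}-{1}.csv' -f ($modelId -replace '/', '-'), $stamp)
$results | Select-Object Severity, Category, Title, Compliance, Excluded |
    Export-Csv -Path $file -NoTypeInformation
"Report written to $file"

# Excluding a result hides it from future reports, so record the reason elsewhere.
# Example (adjust the title to a reviewed, accepted-risk result before running):
# $toExclude = $results | Where-Object { $_.Title -eq 'Title of an accepted-risk result' }
# Set-BpaResult -BestPracticesModelId $modelId -Results $toExclude -Exclude $true
```

Because exclusions persist and silence a rule in both the console and the cmdlets, treat each Set-BpaResult exclusion as a documented risk acceptance rather than a cleanup step; the timestamped CSVs make it possible to see when a result changed from Noncompliant to Excluded.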

Question: What must be installed on a server to get BPA? Is BPA available for all
server roles?

Demonstration: How To Use Server Manager and Best Practices Analyzer

Key Points
1. On LON-DC1, in the Server Manager console, open the Add Roles Wizard and
then point out Windows Server Update Services as a new role in Windows Server
2008 R2.
2. In the Server Manager console, open the Add Features Wizard and discuss the
new features, such as BranchCache, DirectAccess Management Console, Ink and
Handwriting Services, Remote Server Administration Tools (which includes
additional administrative tools), Windows Server Migration Tools, and XPS
Viewer.
3. Discuss the Events, System Services, Role Services, and Advanced Tools areas
of the Active Directory Domain Services role, and also explain that Active
Directory Users and Computers and Active Directory Sites and Services can be
used for administering Active Directory.


4. On LON-DC1, open the Server Manager console to connect LON-DC1 to
LON-SVR1.
5. On LON-SVR1, enable the Remote management of this server from other
computers option to configure Server Manager Remote Management.
6. On LON-DC1, connect LON-DC1 to LON-SVR1 by using the Server Manager
console.
7. Verify that the Add Roles and Remove Roles options and the Add Features
and Remove Features options are not available remotely.
8. In the Server Manager console, click the Close button.
9. In the Web Server (IIS) result pane of the Server Manager console, run a Best
Practices Analyzer scan, show the results and comment on some of the BPA
results and suggestions, and then explain the Noncompliant, Excluded,
Compliant, and All tabs.
10. Expand Roles and view the additional roles that are available.
11. Configure LON-CORE to allow remote administration by executing the
SConfig command.
12. Log on to LON-CORE with the user name, contoso\administrator, and the
password, Pa$$w0rd.
13. Run SConfig and configure Remote Management.
14. On LON-DC1, open the Server Manager console and explain that from Server
Manager you can administer Server Core remotely.

Question: Which DNS role should you add to run BPA against the remote
Windows Server 2008 R2 server?

File Classification Infrastructure and File Management Tasks

Key Points
Windows Server 2008 R2 File Classification Infrastructure (FCI) provides insight
into data by automating classification processes so that you can manage the data
more effectively and economically. FCI performs automated classification based on
the defined properties. Based on the classification, FCI performs actions such as
moving files and changing permissions. These actions are included in-the-box or
provided by partners, thereby allowing organizations to build rich end-to-end
solutions for classifying and applying policies based on the classification. FCI helps
save money and reduce risk by managing files based on their business value and
impact.
You can use FCI to identify files that:
• Contain sensitive information and are located on servers with lower
security, and move the files to servers with higher security.
• Contain sensitive information, and encrypt those files.
• Are no longer essential, and automatically remove the files from servers.
• Are not accessed frequently, and move the files to slower storage.
• Require different backup schedules, and back up the files accordingly.
• Require different backup solutions based on the sensitivity of the
information in the files.
FCI allows you to:
• Centrally define policy-based classification of the files stored on your
intranet.
• Perform file management tasks based on the file classification that you
define, rather than on information such as the location, size, or date of the
file.
• Generate reports about the types of information stored in the files on your
intranet.
• Notify content owners when a file management task is going to be
performed on their content.
• Create or purchase custom file management solutions based on FCI.

Advantages of FCI
One of the key advantages of FCI is the ability to centrally manage the classification
of files by establishing classification policies. This centralized approach allows you
to classify user files without requiring user intervention.
With no additional third-party applications, FCI provides the following benefits:
• Provides insight to data on file server. You can create automatic
classification rules that classify files according to the location or content of the
files. As a result, a new layer of efficiency is added, driving down the typical
costs associated with managing and protecting the file server.
• Reduces storage costs and eliminates old documents that have no business
value. Storing old, unused data can be a major expense for organizations.
Expiring files based on usage and business value can reduce both the cost
(storage and management) and the risk (information leakage) on file servers. The
in-box FCI solution provides automatically scheduled tasks that expire files
based on age, location, or other classification categories.
• Mitigates risk by customizing the location and method for data storage.
You can use FCI to run custom commands that automate management tasks
based on file name, age, location, or other classification categories of files. For
example, you can automatically move data based on policies for either
centralizing the location of sensitive data or for moving data to a less expensive
storage facility.
• Enables easier tracking of files. Reports can provide you with a powerful
tool to assess the risk of the wrong files being in the wrong place on your
servers. Using the built-in capabilities of FCI, you can create reports in a variety
of formats that contain details about files that have a particular classification.
You can also use the FCI reporting infrastructure to generate information that
can be used by other applications.

FCI and SharePoint Integration


You can use FCI for assigning properties in metadata to files existing on file servers
and Microsoft® Office SharePoint® for storing and sharing documents,
spreadsheets, and other files that would ordinarily be kept on a file server. The FCI
rules engine can be used to perform classification and to place files into Office
SharePoint document libraries. However, existing files within the document library
cannot be classified with FCI.

Improved file management tasks


FCI allows you to perform file management tasks based on the classifications that
you define. You can use FCI to perform common file management tasks, including:
• Grooming of data. You can automatically delete data by using policies based
on data age or classification properties to free valuable storage space and
reduce storage demand growth.
• Custom tasks. You can run custom commands based on age, location, or
other classification categories. For example, you can automatically move data
based on policies for either centralizing the location of sensitive data or for
moving data to a less expensive storage resource.
FCI contains features that enable you to automate any file management task by
using the file classifications you establish for your organization.

Question 1: How can you benefit from FCI in your environment?

Question 2: How can you use FCI features?


Demonstration: How To Use File Classification Infrastructure

Key Points
1. On LON-SVR1, create a classification property named Confidential by using
the File Server Resource Manager console.
2. On LON-SVR1, create a classification rule to assign a value to the classification
property with the following information:
• Rule name: Find Confidential
• Scope: C:\Files
• Classification mechanism: Content Classifier
• Property name: Confidential
• Property value: Yes
• Additional Classification Parameters Name: String
• Additional Classification Parameters Value: Confidential
3. On LON-SVR1, create a File Management Task with a condition based on the
file classification and the default schedule, using the following information:
• Task name: Restrict confidential files
• Scope: C:\Files
• Type: Custom
• Executable: c:\windows\system32\icacls.exe
• Arguments: [Source File Path] /remove:g Everyone
• Command security: Local System
• Property: Confidential
• Operator: Equal
• Value: Yes
4. On LON-SVR1, execute the Classification Rules by using the File Server
Resource Manager console with the following information:
• Select Wait for classification to complete execution
• Set Up Windows Internet Explorer 8: Ask me later
5. Execute the Classification Rules by using the File Server Resource Manager
console and wait until the execution completes.
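The script below is an added example and not part of the course. It rehearses the file management task from the demonstration outside File Server Resource Manager so the effect of the icacls command can be inspected: a constructed folder stands in for C:\Files, a simple string match stands in for the Content Classifier, and icacls.exe is run with the same arguments the task uses ([Source File Path] /remove:g Everyone). The folder, file names and file contents are all constructed.

```powershell
# Added example (not from the course): rehearse the "Restrict confidential files" task
# and verify its effect on the ACLs.
$root = Join-Path $env:TEMP 'fci-demo'          # constructed scope standing in for C:\Files
New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Content -Path (Join-Path $root 'plan.txt')  -Value 'Confidential: draft acquisition plan'
Set-Content -Path (Join-Path $root 'lunch.txt') -Value 'Team lunch on Friday'

function Get-DemoFiles { Get-ChildItem -Path $root | Where-Object { -not $_.PSIsContainer } }

# Give Everyone an explicit read ACE on both files so there is something to remove.
foreach ($f in Get-DemoFiles) { & icacls.exe $f.FullName /grant 'Everyone:(R)' | Out-Null }

# Stand-in for the classification rule "Find Confidential": the property Confidential
# becomes Yes when the string 'Confidential' occurs in the content, otherwise No.
$classified = foreach ($f in Get-DemoFiles) {
    $hit = Select-String -Path $f.FullName -Pattern 'Confidential' -SimpleMatch -Quiet
    New-Object PSObject -Property @{
        Path         = $f.FullName
        Confidential = $(if ($hit) { 'Yes' } else { 'No' })
    }
}

# The task's action, applied only where the condition "Confidential Equal Yes" holds:
#   icacls.exe [Source File Path] /remove:g Everyone
foreach ($c in $classified | Where-Object { $_.Confidential -eq 'Yes' }) {
    & icacls.exe $c.Path /remove:g Everyone | Out-Null
}

# Verify the outcome. icacls /remove:g deletes explicit grants only; an Everyone ACE
# inherited from the parent folder stays in place, which is why IsInherited is shown.
function Get-EveryoneAces([string]$path) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
        Select-Object FileSystemRights, AccessControlType, IsInherited
}
foreach ($f in Get-DemoFiles) {
    "--- $($f.Name) ---"
    Get-EveryoneAces -path $f.FullName | Format-Table -AutoSize
}

# Remove-Item -Path $root -Recurse    # clean up the constructed folder when done
```

After the run, lunch.txt still lists its explicit Everyone read entry and plan.txt lists none. The inherited-ACE point matters for the real task: if the scope folder itself grants Everyone access, the files keep that inherited entry after /remove:g, so the folder's own ACL (or /inheritance:d followed by the removal) has to be part of the design, and the Local System command security in the task should be reviewed with that in mind.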

Question: How will you use the File Classification Infrastructure features?

Power Consumption Management

Key Points
Windows Server 2008 R2 introduces significant advancements in server power
management capabilities. The Processor Power Management (PPM) engine in
Windows Server 2008 R2 is re-written and improved, and there are additional
power-oriented Group Policy settings. They provide the ability to fine-tune the
processor’s speed and power consumption to match current demands. New
parameters for PPM further improve the power efficiency. To benefit from
improved PPM, it must be supported by your server hardware.

Core Parking
Windows Server 2008 R2 reduces processor power consumption in server
computers with multicore processors by using the Core Parking feature. The Core
Parking feature enables Windows Server 2008 R2 to reduce multicore processor
power consumption by consolidating processing onto fewer processor cores and
suspending the inactive cores. The workload of every logical core in a server is
tracked relative to all the others. Cores that are not being fully utilized can
be suspended, and their workloads are then shifted to alternate cores.
Keeping the unutilized cores in an idle state reduces the system power
consumption. When additional processing power is required, the system activates
the idle processor cores to handle the increased processing requirements.

Centralized storage
Another strategy for reducing power used by individual servers is to centralize
their storage by using a SAN, which has a higher storage-capacity-to-power-
consumption ratio than a typical server. SAN makes more efficient use of the
available disk space, because any server can have access to the available storage on
SAN. Windows Server 2008 R2 greatly improves access to storage on SANs and
supports booting from a SAN, which eliminates the need for local hard disks in the
individual server computers. As a result, power consumption decreases.

Intelligent Timer Tick Distribution


Windows Server 2008 R2 introduces Intelligent Timer Tick Distribution or Tick
Skipping. This feature extends processor idle states or deep C-states by not
activating the CPU unnecessarily, thus saving power. Only one processor handles
the periodic system timer tick; other processors are signaled only when necessary.
The amount of background work that is performed by the operating system is
reduced in Windows Server 2008 R2. This allows processors to better utilize the
deep C-states, in which the processor consumes very little energy, but requires time
to return to an operational state.
You can use most of these technologies in virtualization scenarios and maximize
the power efficiency of virtualized environments and physical systems.

Question: Do you need to configure the new Power Consumption Management
settings on each server individually?

Windows Server 2008 R2 Backup Enhancements

Key Points
Windows Server 2008 R2 contains the Windows Server Backup feature, which
provides a set of wizards and tools to perform basic backup and recovery tasks for
servers. Windows Server Backup consists of an MMC snap-in, command-line tools,
and Windows PowerShell cmdlets that provide solutions for your backup and
recovery needs. Backup and recovery features are very important for the continued
operation of the services and applications running on Windows Server 2008 R2.

Enhancements in Windows Server Backup


Enhancements in Windows Server Backup include:
• Backup of specific files and folders. In Windows Server 2008, you back up
an entire volume. In Windows Server 2008 R2, you can include or exclude
folders or individual files. You can also exclude files based on the file types.
• Incremental backup of system state. In Windows Server 2008, you can only
perform a full backup of the system state by using the wbadmin.exe utility. In
Windows Server 2008 R2, you can perform incremental backups of the system
state by using the Windows Server Backup utility, the wbadmin.exe utility, or
Windows PowerShell cmdlets.
• Scheduled backups to volumes. In Windows Server 2008, you had to
dedicate an entire physical disk to the scheduled backup. In Windows Server
2008 R2, you can perform a scheduled backup to existing volumes in
Windows Server 2008 R2.
• Scheduled backups to network shared folders. You can now perform
scheduled backups to a network-shared folder, which was not possible in the
previous version.
• Backup management by using Windows PowerShell. You can manage
backup and restore tasks by using Windows PowerShell, including all
remoting scenarios. This includes the management of on-demand and
scheduled backups.
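The following script is an added example and not part of the course. It builds one Windows Server Backup policy with the Windows.ServerBackup snap-in that uses the enhancements listed above together: specific folders with an excluded file, system state, a backup target on an existing volume, and a daily schedule. The paths match the demonstration that follows (C:\Files, C:\Files\File1.txt, volume E:); the schedule time is an assumption. It assumes the Windows Server Backup feature and its command-line tools are installed and that the session is elevated.

```powershell
# Added example (not from the course): a scheduled backup policy using the R2 features.
Add-PSSnapin Windows.ServerBackup -ErrorAction Stop

$policy = New-WBPolicy

# Back up a folder rather than a whole volume, and exclude one file from it.
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'C:\Files')
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'C:\Files\File1.txt' -Exclude)

# System state is backed up incrementally in R2; include it in the same policy.
Add-WBSystemState -Policy $policy

# Target an existing volume (R2 no longer needs a dedicated physical disk).
# For a network share, use New-WBBackupTarget -NetworkPath '\\server\share' instead;
# note that a share keeps only the most recent backup.
$target = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $policy -Target $target

# Daily at 21:00 (assumed), then register the policy as the scheduled backup.
# Set-WBPolicy asks for confirmation before it replaces an existing policy.
Set-WBSchedule -Policy $policy -Schedule ([datetime]'21:00')
Set-WBPolicy -Policy $policy

# Run the policy once now and report the outcome of the last job.
Start-WBBackup -Policy $policy
Get-WBJob -Previous 1 | Select-Object JobType, JobState, StartTime, EndTime, ErrorDescription

# Backup versions available for restore from the configured target.
Get-WBBackupSet | Select-Object VersionId, BackupTime, BackupTarget
```

The same policy can be managed from a remote Windows PowerShell session, which is the remoting scenario the last bullet describes. Whatever the target, restrict who can read the backup location: a file-level backup of C:\Files and the system state contains everything an attacker would want from the live server, so the share or volume ACL deserves the same review as the source data.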

Question: Is Windows Server Backup used in your organization? Why?



Demonstration: How To Back Up Windows Server 2008 R2

Key Points
1. On LON-SVR1, perform Custom backup to the VHD drive, New Volume (E:)
with the following information:
• Accept Different options for backup
• Items for Backup: C:\Files
• Exclusions: C:\Files\File1.txt
2. On LON-SVR1, delete the file2.txt file from the C:\Files folder and then restore
the file2.txt file to the same location by using the Server Manager console.

Question: Is it possible to create a scheduled backup task that uses an existing
volume?

Remote Administration in Windows Server 2008 R2

Key Points
Windows Server 2008 R2 has several remote administration enhancements. For
example, you can use Server Manager for managing local and remote computers.
The RSAT feature of Windows Server 2008 R2 includes additional administrative
tools for remote management. As in previous versions, you can use Remote
Desktop for managing server remotely, but RemoteApp and Desktop Connections
enables you to publish administrative tools on the Start menu, only on Windows 7
or Windows Server 2008 R2 computers.
Several tools for administering Windows Server 2008 R2 are installed together
with the operating system. Additional administrative tools are installed when you
add a server role or feature to the server. This enables you to administer the
added functionality, either locally or remotely, from the computer where that
functionality is installed. If you want to use an administrative tool from a
computer without the functionality installed, such as from another Windows Server
2008 R2 server or a Windows 7 workstation, you need to install the administrative
tool there.
Administrative tools for administering Windows Server 2008 R2 are gathered in
the RSAT collection. RSAT is a Windows Server 2008 R2 feature and you can
download it as a separate package for Windows 7. You can install RSAT on
Windows 7 to administer Windows Server 2008 R2 remotely.
If you want to administer a Windows Server 2008 R2 server from a Windows 7
workstation, you must first download and install RSAT. After you install RSAT on
Windows 7, additional Windows features will become available in the Programs
and Features applet in Control Panel. There are many administrative tools available
in RSAT, such as Server Manager, AD DS tools, and File Services tools. After you
enable some of these tools, they will be added to the Administrative Tools folder.
If you want to administer Windows Server 2008 R2 from another Windows Server
2008 R2 server, you can add the required RSAT feature by using Server Manager.
In addition to RSAT, there are other ways to administer Windows Server 2008 R2
remotely. You can use Remote Desktop or published administrative tools, if the
Remote Desktop Services role is installed and RemoteApp is configured. You can
also use Windows PowerShell remoting for remote administration.
When you perform remote administration, you must remember to configure the
appropriate exceptions in Windows Firewall.
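The script below is an added example and not part of the course. Its first half is the server-side preparation the paragraph calls for (Server Manager remote management, Windows PowerShell remoting, and the Windows Firewall exceptions the RSAT consoles need); its second half is a first read-only check from a management station. LON-SVR1 is the managed server from the lab; the management subnet 10.0.0.0/24 used to scope the firewall rules is an assumption.

```powershell
# Added example (not from the course): prepare a server for remote administration and
# check the connection from a management station.

# ===== On LON-SVR1 (elevated Windows PowerShell) =====

# Server Manager remote management, the same setting the demonstration enables in the
# console. The script ships with Windows Server 2008 R2.
& "$env:windir\system32\Configure-SMRemoting.ps1" -force -enable

# Windows PowerShell remoting: starts WinRM, creates the listener and opens its
# firewall exception.
Enable-PSRemoting -Force

# The MMC-based RSAT consoles rely on these rule groups. Enable them, and limit the
# remote addresses to the management subnet instead of leaving the rules open to any
# address on the network.
foreach ($group in 'Remote Administration', 'Remote Event Log Management', 'Windows Remote Management') {
    netsh advfirewall firewall set rule group="$group" new enable=yes remoteip=10.0.0.0/24
}

# ===== On the management station (Windows 7 with RSAT, or another R2 server) =====
$server = 'LON-SVR1'

# Is WinRM reachable before Server Manager or the consoles are pointed at the server?
Test-WSMan -ComputerName $server

# Read-only inventory over a remote session: which roles and features are installed.
$session = New-PSSession -ComputerName $server
try {
    Invoke-Command -Session $session -ScriptBlock {
        Import-Module ServerManager
        Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object Name, DisplayName
    }
} finally {
    Remove-PSSession $session
}
```

In a domain, the session authenticates with Kerberos, so no credentials are stored on either side. Scoping the rule groups by remote address is the check most often forgotten when the exceptions are enabled from the GUI; the netsh lines make the scope explicit and repeatable across servers.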

Question: Why should you use remote administration in your environment?


Demonstration: How To Administer Windows Server 2008 R2 Remotely

Key Points
1. Add the AD DS Snap-ins and Command-line Tools and Server Manager to
Administrative Tools.
2. On LON-CL1, open the Server Manager console to connect LON-CL1 to LON-
SVR1.contoso.com.
3. Open the Active Directory Users and Computers console to verify whether you
can administer Contoso.com Active Directory from Windows 7.

Question: How will you administer Windows Server 2008 R2 from a workstation
on which you cannot install Remote Server Administration Tools?

Lab 1B: Managing Windows Server 2008 R2

Introduction
In this lab, you will manage Windows Server 2008 R2 by using the Remote
Management services. To do this, you will install Remote Server Administration
Tools on Windows 7 and administer Windows Server 2008 R2 from a Windows 7
workstation. You will configure the file classification properties, a file
management task, and a classification rule to remove anonymous access to
confidential files. Finally, you will create and attach a virtual hard disk and
create and run a backup task to restore files that were deleted unintentionally.

Objectives
After completing this lab, you will be able to:
• Use Server Manager for Remote Administration
• Remove Anonymous Access to Confidential Files Automatically
• Deal with stale data
• Use the Features in Windows Server Backup

Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-CL1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd

Lab Scenario

You are a server administrator at Contoso, Ltd. The servers of your organization
are located in the data center and you do not have physical access to those
servers. To acquire access to those servers and manage them remotely, you need to
use the Remote Server Administration Tools. As part of your job, you are also
responsible for the file server in the data center. The file server stores a
large number of files, many of which have been stored for a long time and are no
longer needed for business purposes. Therefore, you need to use the File
Classification Infrastructure to locate the files that are not used or required
and move them to a specific folder. You also need to ensure that anonymous users
do not have access to confidential files. In addition, you need to evaluate the
new features of Windows Server Backup.

Exercise 1: Using Server Manager for Remote Administration
The main tasks for this exercise are as follows:
1. Start the virtual servers.
2. Enable Server Manager Remote Management.
3. Use Server Manager for remote management.
4. Install Remote Server Administration Tools on Windows 7.
5. Administer Windows Server 2008 R2 from a Windows 7 workstation.

Task 1: Start the virtual servers.

• Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• Log on to LON-CL1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.

Task 2: Enable Server Manager Remote Management.
• On LON-DC1, open the Server Manager console to connect LON-DC1 to
LON-SVR1.
• On LON-SVR1, select the Enable remote management of this server from
other computers option to configure Server Manager Remote Management.

Task 3: Use Server Manager for remote management.
• On LON-DC1, connect LON-DC1 to LON-SVR1 by using the Server Manager
console.
• Verify that the Add Roles and Remove Roles options and the Add Features
and Remove Features options are not available remotely.

Task 4: Install Remote Server Administration Tools on Windows 7.
• On LON-CL1, install Remote Server Administration Tools by using the
RSAT.msi file.
• Add the AD DS snap-ins, the command-line tools, and Server Manager to
Administrative Tools.

Task 5: Administer Windows Server 2008 R2 from a Windows 7 workstation.
• On LON-CL1, open the Server Manager console to connect LON-CL1 to
LON-SVR1.contoso.com.
• Open the Active Directory Users and Computers console to verify whether you
can administer Contoso.com Active Directory from Windows 7.

Results: After completing this exercise, you should have connected LON-DC1 to
LON-SVR1 to enable remote management. You should have also installed Remote Server
Administration Tools on Windows 7 to administer Windows Server 2008 R2 from
Windows 7.

Exercise 2: Removing Anonymous Access to Confidential Files Automatically
The main tasks for this exercise are as follows:
1. Add a File Services role on LON-SVR1.
2. Configure a classification property to track the types of files.
3. Configure the classification rules to assign values to properties.
4. Configure a File Management Task.
5. Create files for classification.
6. Run the Classification Rule and File Management Task.

Task 1: Add a File Services role on LON-SVR1.
• On LON-SVR1, add the File Services server role and File Server Resource
Manager by using the Add Roles Wizard.

Task 2: Configure a classification property to track the types of files.
• On LON-SVR1, create a classification property named, Confidential, by using
the File Server Resource Manager console.

Task 3: Configure the classification rules to assign values to properties.
• On LON-SVR1, create a classification rule to assign a value to the classification
property, with the following information:
• Rule name: Find Confidential
• Scope: C:\Files
• Classification mechanism: Content Classifier
• Property name: Confidential
• Property value: Yes
• Additional Classification Parameters Name: String
• Additional Classification Parameters Value: Confidential

Task 4: Configure a File Management Task.
• On LON-SVR1, create a File Management Task, a condition based on the file
classification, and a default schedule set with the following information:
• Task name: Restrict confidential files
• Scope: C:\Files
• Type: Custom
• Executable: c:\windows\system32\icacls.exe
• Arguments: [Source File Path] /remove:g Everyone
• Command security: Local System
• Property: Confidential
• Operator: Equal
• Value: Yes

Task 5: Create the files for classification.
• On LON-SVR1, create three files in the C:\Files folder with the following
content, and assign the Everyone group the Read and Read & execute
permissions on those three files.
• File1.txt: Confidential
• File2.txt: Confidential
• File3.txt: c o n f i d e n t i a l

Task 6: Run the Classification Rule and File Management Task.
• On LON-SVR1, run the Classification Rules by using the File Server Resource
Manager console, with the following information:
• Select Wait for classification to complete execution
• Set Up Windows Internet Explorer 8: Ask me later

Review the report and verify whether it lists the file1.txt file as
Confidential.

• Run the Classification Rules by using the File Server Resource Manager
console and wait until the execution completes.

Review the report and verify that the Everyone group no longer has access to
file1.txt, because it contains Confidential information, but still has access to
file2.txt and file3.txt.

Results: After completing this exercise, you should have configured and run the
classification property, the classification rule, and the File Management Task to remove
anonymous access to confidential files.

Exercise 3: Dealing with stale data


The main tasks in this exercise are as follows:
1. Configure a File Management Task.
2. Run the File Management Task.

Task 1: Configure a File Management Task.
• On LON-SVR1, create a File Management Task to remove data that has not
been modified for two years, with the following information:
• Task name: Expire Stale Data
• Scope: C:\Files
• Type: File Expiration
• Number of days before task is executed to send notification: 30
• Days since last modified: 730
• Schedule Task: Monthly

Task 2: Run the File Management Task.
• On LON-SVR1, run the File Management Task, Expire Stale Data, by using the
File Server Resource Manager console and wait until the execution completes.

Review the report and verify that all expired files have been moved to the Expired folder
in drive C.

Results: After completing this exercise, you should have configured and run the File
Management Task to remove the data that has not been modified for two years.

Exercise 4: Using the Features in Windows Server Backup


The main tasks in this exercise are as follows:
1. Create and attach a virtual hard disk.
2. Create and run a backup task.
3. Verify and restore the backup.

Task 1: Create and attach a virtual hard disk.
• On LON-SVR1, create a virtual hard disk and add a simple volume to it by
using the Server Manager console, with the following information:
• Path: C:\MyDrive.vhd
• Virtual hard disk size: 1 GB
• Select Dynamically expanding
• Select Initialize Disk
• Select New Simple Volume

Task 2: Create and run a backup task.
• On LON-SVR1, perform a Custom backup to the virtual hard disk, New Volume
(E:), with the following information:
• Accept Different options for backup
• Items for Backup: C:\Files
• Exclusions: C:\Files\File1.txt

Task 3: Verify and restore the backup.

• On LON-SVR1, delete the file2.txt file from the C:\Files folder, and then
restore the file2.txt file to the same location by using the Server Manager
console.

Results: After completing this exercise, you should have created and attached a
virtual hard disk, backed up to it, and restored from the backup.

Note: The answers to the exercises are on the Course Companion CD.

Before proceeding to the next lab, reset the lab environment.


Lab Review

1. How will you create a default schedule set for 9:00 A.M. daily?
On the Schedule tab, click Create, and then in the Schedule dialog box, click New.

2. Which command will you use to change the NTFS permissions?
You will use icacls.exe with the arguments [Source File Path] /remove:g Everyone;
the File Management Task passes these parameters to icacls.exe to change the
NTFS permissions.
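The File Management Task of Exercise 2 and the icacls.exe answer above, reproduced as an added Windows PowerShell example that is not part of the courseware: it creates the lab's three files in C:\Files, grants the Everyone group Read & execute, applies the task's icacls.exe /remove:g Everyone action to every file the rule would classify, and reports which files Everyone can still read. Assumptions: the content classifier is emulated with a case-sensitive substring match on the rule's string value, and the script is written for Windows PowerShell 2.0 as shipped with Windows Server 2008 R2.

```powershell
# Added example; not part of the 10159A courseware.
# Emulates the lab's "Find Confidential" classification rule and the
# "Restrict confidential files" File Management Task with Windows
# PowerShell 2.0 and icacls.exe. Assumption: the content classifier is
# represented by a case-sensitive substring match on the rule's string value.
$Root    = 'C:\Files'          # Scope of both the rule and the task
$Keyword = 'Confidential'      # Additional Classification Parameters Value

function New-LabFiles {
    param([string]$Path = $Root)
    if (-not (Test-Path -Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    # File contents from Task 5 of Exercise 2
    $files = @{
        'File1.txt' = 'Confidential'
        'File2.txt' = 'Confidential'
        'File3.txt' = 'c o n f i d e n t i a l'
    }
    foreach ($name in $files.Keys) {
        $full = Join-Path -Path $Path -ChildPath $name
        Set-Content -Path $full -Value $files[$name]
        # Everyone: Read and Read & execute (the icacls "RX" right), as in Task 5
        & icacls.exe $full /grant:r 'Everyone:(RX)' | Out-Null
    }
}

function Test-ContainsKeyword {
    # Returns $true when the file content contains the keyword (case-sensitive)
    param([string]$File)
    $text = (Get-Content -Path $File) -join "`n"
    return [bool]($text -cmatch [regex]::Escape($Keyword))
}

function Test-EveryoneAccess {
    # Returns $true when the file's ACL still carries an ACE for Everyone
    param([string]$File)
    $acl = Get-Acl -Path $File
    $ace = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }
    return [bool]$ace
}

function Invoke-RestrictConfidentialFiles {
    # Runs the task's custom action on every file the rule would classify:
    #   Executable: c:\windows\system32\icacls.exe
    #   Arguments:  [Source File Path] /remove:g Everyone
    param([string]$Path = $Root)
    Get-ChildItem -Path $Path | Where-Object { -not $_.PSIsContainer } |
        Where-Object { Test-ContainsKeyword -File $_.FullName } |
        ForEach-Object {
            & "$env:windir\system32\icacls.exe" $_.FullName /remove:g Everyone | Out-Null
            $_.Name   # emit the name of each restricted file
        }
}

function Get-AccessReport {
    # One row per file: was it classified, and can Everyone still read it
    param([string]$Path = $Root)
    Get-ChildItem -Path $Path | Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object -TypeName PSObject -Property @{
                File           = $_.Name
                Confidential   = Test-ContainsKeyword -File $_.FullName
                EveryoneAccess = Test-EveryoneAccess -File $_.FullName
            }
        }
}

New-LabFiles
Invoke-RestrictConfidentialFiles | ForEach-Object { "Restricted: $_" }
Get-AccessReport | Format-Table File, Confidential, EveryoneAccess -AutoSize
```

Run the script in an elevated Windows PowerShell session on LON-SVR1; the report row for each file shows whether the keyword was found and whether an Everyone ACE remains after the action.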

Module Reviews and Takeaways

Review Questions
1. What are the advantages of Windows Server 2008 R2 Enterprise edition over
Windows Server 2008 R2 Standard edition?
2. How can you completely automate the installation of Windows Server 2008
R2 Standard?
3. How will you deploy VHD by using WDS in Windows Server 2008 R2?
4. You want to test the remote management capability of Server Manager. When
you try to connect to a remote server, you get an error. What is the probable
reason for the error?
5. How can you administer Windows Server 2008 R2 from a Windows 7
workstation?

Real-World Issues and Scenarios

1. A customer tries to upgrade Windows Server 2003 SP2 Enterprise on a 32-bit
server to Windows Server 2008 R2. During the upgrade process, the customer
gets an error. What is the most likely reason for the error and what would be
the solution?
2. A customer is not familiar with the command-line interface, but would like to
configure Windows Server 2008 Enterprise Core edition according to the
company policy and join it to the domain. How will you help the customer to
achieve the goal?
3. A customer needs to perform remote administration of Windows Server 2008
R2 by using Server Manager. The customer is not able to connect to the remote
server. What should the customer do?

Tools

Tool | Use | Where to find it
DiskPart | The command-line hard disk managing utility | Command Prompt
Disk Management | The graphical hard disk managing utility | Start menu / Administrative Tools
BCDEdit | The command-line tool for managing Boot Configuration Data (BCD) stores | Command Prompt
Windows System Image Manager | The graphical tool for creating unattended Windows Setup answer files | Windows Automated Installation Kit
WDSUtil | The command-line utility for managing Windows Deployment Services servers | Command Prompt after the Windows Deployment Services role is added
WBAdmin | Configures Windows Server Backup from Command Prompt | Command Prompt after the Windows Server Backup Feature is added

Module 2
Configuring Active Directory in Windows Server
2008 R2

Contents:
Lesson 1: Configuring Active Directory Domain Services Features 2-4
Lab 2A: Configuring Active Directory Domain Services Features 2-35
Lesson 2: Configuring Group Policy in Active Directory Domain Services 2-46
Lesson 3: Features of Other Active Directory Server Roles 2-77
Lab 2B: Configuring Group Policy in Active Directory Domain Services 2-86

Module Overview

Active Directory Domain Services (AD DS) in Windows Server® 2008 R2 includes
many new features, such as Active Directory Administrative Center, a new task-
oriented administrative tool for managing Active Directory; Best Practices Analyzer
(BPA), a management tool that helps you implement best practices in the
configuration of your Active Directory environment; and Active Directory Recycle
Bin, a tool for recovering deleted objects that requires the Windows Server
2008 R2 forest functional level.
Group Policy is an important management technology that has several new
features in Windows Server 2008 R2, such as System Starter GPOs, AppLocker, and
advanced audit policy.
In addition to the new features in AD DS, Windows Server 2008 R2 also includes
new features in other Active Directory–related roles, such as Active Directory
Certificate Services (AD CS) and Active Directory Rights Management Services (AD
RMS). In this module, you will explore some of the most important new features in
Active Directory and their benefits, and learn how to configure and use them.

After completing this module, you will be able to:
• Configure the features of AD DS in Windows Server 2008 R2.
• Configure Group Policy in AD DS in Windows Server 2008 R2.
• Describe the features of other Active Directory server roles in Windows Server
2008 R2.

Lesson 1
Configuring Active Directory Domain Services Features

In Windows Server 2008 R2, the AD DS role includes many new features, such as
Active Directory Recycle Bin, Active Directory Web Services, and Offline Domain
Join. You can configure these features to improve Active Directory manageability,
supportability, and performance.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe Active Directory features in Windows Server 2008 R2.
• Describe Active Directory Administrative Center.
• Configure Active Directory Administrative Center.
• Describe Active Directory Best Practices Analyzer.
• Describe Active Directory Recycle Bin.
• Configure and test Active Directory Recycle Bin.
• Describe Active Directory Web Services.
• Describe managed service accounts.
• Describe offline domain join.
• Configure offline domain join.
• Describe authentication mechanism assurance.

Active Directory Features in Windows Server 2008 R2

Key Points
You can manage identities and relationships in network environments by using AD
DS. In the Windows Server 2008 R2 operating system, AD DS includes many new
features that help improve Active Directory manageability, supportability, and
performance.
AD DS in Windows Server 2008 R2 includes the following improvements:
• New domain and forest functional level. Windows Server 2008 R2 includes a
new Active Directory domain and forest functional level. Many of the new
features in AD DS, such as Active Directory Recycle Bin or authentication
mechanism assurance, require the Windows Server 2008 R2 domain or forest
functional level.
• Active Directory Administrative Center. Active Directory Administrative
Center is a task-based management console that is based on the new
Windows® PowerShell cmdlets in Windows Server 2008 R2. Active Directory
Administrative Center is designed to help reduce the administrative effort for
performing common administrative tasks.
• Active Directory module for Windows PowerShell and Windows
PowerShell cmdlets. The Active Directory module for Windows PowerShell
provides command-line scripting for administrative, configuration, and
diagnostic tasks, with a consistent vocabulary and syntax. It provides
predictable discovery and flexible output formatting. You can easily pipe
cmdlets to build complex operations.
• Active Directory Best Practices Analyzer. The Active Directory Best Practices
Analyzer (AD DS BPA), which is available in Server Manager, helps identify the
deviations from best practices and enables you to manage Active Directory
deployments effectively. BPA helps analyze Active Directory settings that cause
unexpected behavior and provides recommendations for configuring the
settings more effectively.
• Active Directory Recycle Bin. Active Directory Recycle Bin is used to undo
accidental deletions of Active Directory objects. Accidental deletion of an
object can cause business downtime. For example, if users are deleted
accidentally, they cannot log on or access corporate resources. Active Directory
Recycle Bin works for both AD DS and Active Directory Lightweight Directory
Services (AD LDS) objects. You can enable the Active Directory Recycle Bin
feature in AD DS at the forest level, but only if the AD DS forest is at the
Windows Server 2008 R2 forest functional level. For AD LDS, all replicas must be
running in a new application mode.
• Active Directory Web Services. Active Directory Web Services (ADWS)
provides a Web service interface to Active Directory domains, AD LDS
instances, and snapshots that are running on the same Windows Server 2008
R2 server as ADWS.
• Managed service accounts. Managed service accounts provide easy
management of service accounts. The managed service accounts require
Windows Server 2008 R2 domain functional level or additional configuration
steps, and help in better management of service principal names (SPNs).
Managed service accounts also reduce service outages for manual password
resets and related issues.
• Offline domain join. Offline domain join allows you to create computer
accounts in Active Directory in advance and join computers to the domain
without contacting a domain controller. When you start the computers for the
first time, they are already joined to the domain. This reduces the steps and
time required to deploy computers.
• Authentication mechanism assurance. Authentication mechanism assurance
allows applications to control resource access based on the authentication
strength and method. You can integrate various properties such as
authentication type and authentication strength to an identity. Based on the
information obtained during authentication, these identities are added to
Kerberos tickets for the use of applications. The authentication mechanism
assurance requires Windows Server 2008 R2 domain functional level.
• Active Directory Management Pack. Active Directory Management Pack
enables proactive monitoring of the availability and performance of AD DS. Active
Directory Management Pack is used to discover and detect computer and
software states, and it is aligned with health state definitions. Active Directory
Management Pack requires Microsoft System Center Operations Manager to
run.

Question: Can you test the new Active Directory features in an existing testing
environment that includes Windows Server 2003 domain controllers?
Active Directory Administrative Center

Key Points
In Windows Server 2008 operating systems, you can use the Active Directory
Users and Computers Microsoft Management Console (MMC) snap-in to manage
and publish information in Active Directory. In addition, you can use Active
Directory Administrative Center to manage the directory objects.

What is Active Directory Administrative Center?
Active Directory Administrative Center is a new graphical user interface (GUI) tool
that is built on the Windows PowerShell technology. It provides you with an
enhanced Active Directory data management experience and helps you perform
common Active Directory object management tasks through both data-driven and
task-oriented navigation.
You can use Active Directory Administrative Center to perform the following Active
Directory administrative tasks:
• Create user accounts or manage existing user accounts.
• Create groups or manage existing groups.
• Create computer accounts or manage existing computer accounts.
• Create organizational units (OUs) and containers, or manage existing OUs.
• Connect to one or several domains or domain controllers in the same Active
Directory Administrative Center instance, and view or manage the directory
information for these domains or domain controllers.
• Filter the Active Directory data by using query-building search.
You can also use the enhanced Active Directory Administrative Center GUI to
customize Active Directory Administrative Center to suit your directory service
administration requirements. By customizing Active Directory Administrative
Center, you can improve your productivity and efficiency in performing common
Active Directory object management tasks.
To use Active Directory Administrative Center, there must be at least one Windows
Server 2008 R2 domain controller in the domain. Alternatively, you must install
Active Directory Management Gateway Service on Windows Server 2008 or
Windows Server 2003 SP2 domain controllers.

Features of Active Directory Administrative Center
Active Directory Administrative Center includes the following features:
• Administrative Center Overview page. This is the default welcome page
when you first open the Active Directory Administrative Center. The
Administrative Center Overview page consists of several tiles. Each tile has an
administrative task that you perform frequently, such as resetting a user
password, or searching through Active Directory. You can customize the
Administrative Center Overview page by displaying or hiding various tiles.
• Management of Active Directory objects across multiple domains. When
you open Active Directory Administrative Center, the domain that you are
currently logged on appears in the Active Directory Administrative Center
navigation pane. Based on the rights of your logon credentials, you can view or
manage the Active Directory objects in the local domain. You can also use the
same Active Directory Administrative Center instance and the same set of
logon credentials to view or manage Active Directory objects from any other
domain that has an established trust with the local domain.
• Active Directory Administrative Center navigation pane. You can browse
through the Active Directory Administrative Center navigation pane by using
the Tree view or the List view. The Tree view is similar to the Active Directory
Users and Computers console tree. The List view has the Column Explorer
feature, which allows you to browse through various levels of the Active
Directory hierarchy. For example, if you open a parent container in Column
container in a single column, thereby simplifying browsing of hierarchical
data.
• Active Directory Administrative Center breadcrumb bar. You can use the
breadcrumb bar to navigate directly to the container that you want to view. To
view the container, you should specify the name of the container in the
breadcrumb bar.
• Active Directory Administrative Center object property page. The object
property page consists of several property page sections and an inline preview
feature. You can display, hide, or collapse the property page sections and the
inline preview feature to customize the Active Directory Administrative Center
object property page.
• Active Directory Administrative Center query-building search. Instead of
browsing through various levels of hierarchy data, you can quickly locate
Active Directory objects by using the Active Directory Administrative Center
query-building search. When the targeted Active Directory objects are returned
as the results of a search query, you can perform the necessary administrative
tasks.

Question: How will you administer Active Directory from a Windows® 7
workstation by using Active Directory Administrative Center?

Demonstration: How To Configure Active Directory Administrative Center

Key Points
1. Perform the following steps by using the Active Directory Administrative
Center console:
• Clear the Getting Started check box: Verify that the Getting Started pane
disappears.
• In the Address box, enter cn=users,dc=contoso,dc=com to verify that the
Users container is selected in the Navigation pane.
• Filter the content of the window.
• Add the Builtin container to the Navigation pane.
2. View the users named Michael in the Finance group by using the Filter
option of the Active Directory Administrative Center console, and set the
following user account properties:
• Add criteria: Users with disabled/enabled accounts, and Users whose
password has an expiration date/no expiration date.
• Query Name: Enabled-no expiry
• Users with accounts in this state: enabled
• In the List View of the navigation pane, under Contoso (local), click
Finance.
• In the Filter box of the Finance result pane, type Michael.
3. Create a query, Enabled-no expiry, run it against the user Don Hall, and
then modify the properties of Don Hall by adding him to the Finance group.
• In the Finance result pane, click the arrow next to the Save (floppy disk)
icon, in the New Query box, type Enabled-no expiry, and then click OK.
• In the Finance result pane, click Clear All.
• In the List View of the Navigation pane, click Users.
• In the Users result pane, click the Queries button, and then click
Enabled-no expiry.
• In the Name list of the Users: Enabled-no expiry result pane, click
Don Hall.
• In the Tasks pane, under Don Hall, click Properties.
• In the Don Hall dialog box, click Add Sections, and then clear the
Extensions check box.
• In the Member Of area of the Don Hall dialog box, click Add.
• In the Enter the object names to select (examples) box of the Select
Groups dialog box, type Finance, and then press ENTER.
• In the Multiple Names Found dialog box, click OK.
• In the Don Hall dialog box, click OK.
• In the Name list of the Users result pane, double-click Don Hall.
4. Create a new user for the Finance group with the following information:
• Full name: Jay Hamlin
• User SamAccountName logon: johane
• Select Password never expires
• Password: Pa$$w0rd
• Confirm password: Pa$$w0rd
5. On LON-DC1, open the Services console to stop the Active Directory Web
Services service.
6. On LON-SVR1, open the Active Directory Administrative Center console to
verify whether the contoso domain is accessible.
7. On LON-DC1, start the Active Directory Web Services service by using the
Services console.
8. On LON-SVR1, verify whether the contoso domain is accessible after starting
the Active Directory Web Services service.

Question: How will you add a Builtin container to the Contoso.com domain?
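The demonstration's query, filter, group-membership and user-creation steps expressed with the Active Directory module for Windows PowerShell, the technology the Administrative Center is built on, as an added example that is not part of the courseware. Assumptions: the script runs on LON-DC1 or on a host with the Active Directory module installed, the Finance group and the user Don Hall already exist in contoso.com, and the demonstration's names and logon name are used as constructed values.

```powershell
# Added example; not part of the 10159A courseware. Performs the demonstration's
# query, filter, group-membership and user-creation steps with the Active
# Directory module for Windows PowerShell instead of the Administrative Center.
# Assumptions: Finance and Don Hall exist in contoso.com; the address typed in
# the demonstration (cn=users,dc=contoso,dc=com) is used as the search base.
Import-Module ActiveDirectory

$Domain         = 'contoso.com'
$UsersContainer = 'CN=Users,DC=contoso,DC=com'

function Get-EnabledNoExpiryUser {
    # The saved query "Enabled-no expiry": enabled accounts whose password
    # never expires (the PasswordNeverExpires flag of userAccountControl)
    param([string]$SearchBase = $UsersContainer)
    Get-ADUser -SearchBase $SearchBase -Properties PasswordNeverExpires `
        -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true }
}

function Find-GroupMemberNamed {
    # The Filter box of the Finance result pane: members of Finance whose
    # name contains "Michael"
    param([string]$Group = 'Finance', [string]$Name = 'Michael')
    Get-ADGroupMember -Identity $Group |
        Where-Object { $_.objectClass -eq 'user' -and $_.name -like "*$Name*" } |
        Get-ADUser
}

function Add-UserToGroup {
    # The Member Of > Add step of Don Hall's property page, followed by a
    # read-back of the memberships so the change can be verified
    param([string]$UserName = 'Don Hall', [string]$Group = 'Finance')
    $user = Get-ADUser -Filter { Name -eq $UserName }
    if (-not $user) { throw "User '$UserName' was not found." }
    Add-ADGroupMember -Identity $Group -Members $user
    Get-ADPrincipalGroupMembership -Identity $user |
        Select-Object -ExpandProperty Name
}

function New-DemoUser {
    # Step 4: create Jay Hamlin (logon johane) with "Password never expires",
    # then place the account in Finance. The password is prompted for rather
    # than embedded in the script (the demonstration uses Pa$$w0rd).
    param(
        [string]$FullName = 'Jay Hamlin',
        [string]$SamAccountName = 'johane',
        [string]$Group = 'Finance'
    )
    $password = Read-Host -Prompt "Password for $SamAccountName" -AsSecureString
    New-ADUser -Name $FullName -DisplayName $FullName `
        -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$Domain" `
        -Path $UsersContainer `
        -AccountPassword $password `
        -PasswordNeverExpires $true `
        -Enabled $true
    Add-ADGroupMember -Identity $Group -Members $SamAccountName
    Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, MemberOf
}

# Usage, in the order of the demonstration
Get-EnabledNoExpiryUser | Select-Object Name, SamAccountName, Enabled
Find-GroupMemberNamed -Group 'Finance' -Name 'Michael' | Select-Object Name
Add-UserToGroup -UserName 'Don Hall' -Group 'Finance'
New-DemoUser | Select-Object Name, SamAccountName, PasswordNeverExpires, MemberOf
```

Steps 5 to 8 of the demonstration (stopping Active Directory Web Services) apply to these cmdlets as well: the Active Directory module talks to the domain controller through ADWS, so every call above fails while that service is stopped.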

Active Directory Best Practices Analyzer

Key Points
When you configure AD DS, you might forget to follow the best practices and rely
on the default configuration. For example, you might forget to configure the PDC
emulator to synchronize time with an external time source, or you might place
the Global Catalog and the Infrastructure Master role on the same domain
controller in a multi-domain environment. This can cause problems and limit
functionality. BPA can help you by scanning the AD DS server role, comparing the
current settings with best practices and recommendations, and suggesting what
should be modified to comply with them. You can use AD DS BPA to scan the AD DS
server role on Windows Server 2008 R2, Windows Server 2008, Windows Server 2003,
and Windows 2000 Server domain controllers, and it provides best practices
violation reports. You can filter or exclude unwanted results from the AD DS BPA
reports. You can perform AD DS BPA tasks by using Server Manager or Windows
PowerShell cmdlets.
The AD DS BPA tool is installed automatically when you install the AD DS role on a
computer that is running Windows Server 2008 R2. AD DS BPA is available on
writable domain controllers and on read-only domain controllers (RODCs).

Benefits of AD DS BPA
AD DS BPA provides the following benefits:
• Validates configuration information
• Enhances infrastructure performance and reliability
• Improves SLA compliance performance
• Focuses on common Domain Name System (DNS) issues such as analyzing
whether:
• SRV records for a domain controller are registered with its DNS Server.
• A/AAAA records of a domain controller are registered with its DNS Server.
• Domain controller has a valid host name.
• The Schema Naming Master and Domain Naming Master Flexible Single
Master Operations (FSMO) roles are on the same computer.
• The Primary Domain Controller (PDC) Emulator and Relative ID (RID)
Master roles are on the same computer.
• Each domain has at least two domain controllers.

AD DS BPA rules
AD DS BPA is available on the home page of the AD DS server role and includes
over 35 different configuration rules. AD DS BPA can scan and verify the following
AD DS configuration rules:
• DNS-related rules
• Operations master connectivity rules
• Operations master role ownership rules
• Number of controllers in the domain rule
• Required services-related rules
• Replication configuration rules
• Windows Time service (W32time) configuration rules
• Virtual machine configuration rule
• Backup and restore-related rules

Question: How does AD DS BPA help you to run Active Directory?
Active Directory Recycle Bin

Key Points
Accidental deletion of Active Directory objects is a common problem for AD DS
and AD LDS administrators. In Windows Server 2008 Active Directory domains,
you can recover accidentally deleted objects from backups by using authoritative
restore or through tombstone reanimation.

Object recovery by using the authoritative restore solution
You can use authoritative restore to ensure that the restored data is replicated
throughout the domain. However, the drawback of authoritative restore is that it
needs to be performed in Directory Services Restore Mode (DSRM). During DSRM,
the domain controller that is being restored remains offline and does not respond
to client requests.

Object recovery through tombstone reanimation
In Windows Server 2003 Active Directory and Windows Server 2008 AD DS, you
can also recover deleted objects through tombstone reanimation, because deleted
objects are not physically removed from the database immediately. Although the
object is not removed, the object's distinguished name is mangled, most of the
object's non-link-valued attributes are cleared, and the object's link-valued
attributes are physically removed. The object is then moved to a special container
in the object's naming context called Deleted Objects. The object, now called a
tombstone, becomes invisible to normal directory operations. However, it remains
in the Deleted Objects container in a logically deleted state throughout the
tombstone lifetime period.
You can reanimate and recover the tombstone anytime within the tombstone
lifetime period and activate the Active Directory object again. After the expiry of the
tombstone lifetime period, the logically deleted object is turned into a recycled
object. Link-valued attributes that were physically removed and non-link-valued
attributes that were cleared cannot be recovered on a reanimated object. Therefore,
you cannot rely on tombstone reanimation as the ultimate solution to accidental
deletion of objects.

What does Active Directory Recycle Bin do?


Active Directory Recycle Bin is a new feature in Windows Server 2008 R2 that is
built on the existing tombstone reanimation infrastructure. Active Directory
Recycle Bin helps minimize directory service downtime by enhancing the ability to
preserve and recover accidentally deleted Active Directory objects. In addition,
Active Directory Recycle Bin can be used without restoring Active Directory data
from backups, restarting AD DS, or rebooting domain controllers. When you
enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes
of the deleted Active Directory objects are preserved. The objects are then restored
as a whole to the same consistent logical state. For example, restored user
accounts automatically regain all group memberships and corresponding access
rights that they had before deletion. Active Directory Recycle Bin works for both
AD DS and AD LDS environments.

Enabling Active Directory Recycle Bin


The following are the considerations for enabling Active Directory Recycle Bin:
• Active Directory Recycle Bin is disabled by default. To enable it, you must first
raise the forest functional level of the AD DS or AD LDS environment to
Windows Server 2008 R2. This requires that all domain controllers in the
forest or all servers that host instances of AD LDS configuration sets are
running Windows Server 2008 R2.
• The process of enabling Active Directory Recycle Bin in Windows Server 2008
R2 is irreversible. After you enable Active Directory Recycle Bin in your
environment, you cannot disable it.
• When you enable Active Directory Recycle Bin, all objects that were deleted
before enabling Active Directory Recycle Bin become recycled objects. These
objects are no longer visible in the Deleted Objects container and they cannot
be recovered with Active Directory Recycle Bin.
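The following script is an added example and is not part of the 10159A courseware. It runs the checks an administrator would want before the irreversible enable step: every domain controller in the forest must already run Windows Server 2008 R2, the forest functional level must be at Windows Server 2008 R2, and the feature must not already be enabled. It assumes the contoso.com forest used in this course and the Active Directory module for Windows PowerShell on a Windows Server 2008 R2 domain controller.

```powershell
# Added example (not from the courseware): pre-flight checks before enabling
# Active Directory Recycle Bin, then the enable step itself.
# Assumes the contoso.com forest and a Windows Server 2008 R2 domain controller.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host ("Forest {0} is at functional level {1}" -f $forest.Name, $forest.ForestMode)

# 1. Every domain controller in every domain of the forest must run
#    Windows Server 2008 R2, otherwise the forest functional level cannot be raised.
$downLevel = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { $_.OperatingSystem -notlike '*2008 R2*' }
}
if ($downLevel) {
    throw ('Down-level domain controllers block the forest level raise: ' +
           (($downLevel | ForEach-Object { $_.HostName }) -join ', '))
}

# 2. Raise the forest functional level if it is still below Windows Server 2008 R2.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm:$false
}

# 3. Is the feature already enabled? EnabledScopes stays empty until it is.
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host 'Active Directory Recycle Bin is already enabled.'
    return
}

# 4. Objects deleted before this point become recycled objects that the Recycle
#    Bin can no longer recover, and the change cannot be undone, so the cmdlet's
#    own confirmation prompt is deliberately left in place.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name

# 5. Verify: the forest's partition DN now appears in EnabledScopes.
(Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }).EnabledScopes
```

The script stops on the first blocking condition rather than attempting the raise, because a failed Set-ADForestMode on a mixed forest leaves nothing to clean up, whereas a successful Enable-ADOptionalFeature cannot be reverted.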

Question: Can you use the Active Directory Recycle Bin feature if you have only
Windows Server 2008 and Windows Server 2008 R2 domain controllers in your
environment?

Demonstration: How To Configure and Test Active Directory Recycle Bin

Key Points
1. On LON-DC1, raise the forest functional level to Windows Server 2008 R2 by
using the Active Directory Domains and Trusts tool.
2. Delete the objects, Jay Hamlin and Demo OU, to view the difference between
the deleted objects without enabling the Active Directory Recycle Bin feature.
3. Open the Administrator: Active Directory Module for Windows PowerShell
window and run the following command to view the state of the Active
Directory Recycle Bin feature.

Get-ADOptionalFeature -Filter *

4. Run the following command to enable the Active Directory Recycle Bin feature.

Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target contoso.com

5. Run the following command to view the state of the Active Directory Recycle
Bin feature.

Get-ADOptionalFeature -Filter *

6. On LON-DC1, delete the following user accounts, group account, and
organizational unit by using the Active Directory Administrative Center
console.
• User accounts: Sara Davis and Ron Gabel
• Group account: Finance Temporary Employees
• Organizational unit: Europe
7. On LON-DC1, run the following command to view the entire content of the
Active Directory Recycle Bin feature by using the Active Directory Module for
Windows PowerShell window.

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter "(objectClass=*)" -IncludeDeletedObjects

8. Run the following command to verify that the Sara Davis user object is in the
Recycle Bin.

Get-ADObject -Filter {Name -Like "*Sara Davis*"} -SearchScope Subtree -IncludeDeletedObjects

9. Run the following command to verify that the Ron Gabel user account is in the
Recycle Bin.

Get-ADObject -Filter {Name -Like "*Ron Gabel*"} -SearchScope Subtree -IncludeDeletedObjects

10. Run the following command to verify that the organizational unit, Demo is in
the Recycle Bin.

Get-ADObject -Filter {Name -Like "*Demo*"} -SearchScope Subtree -IncludeDeletedObjects

11. Run the following command to restore the user account for Sara Davis by
using the Administrator: Active Directory Module for Windows PowerShell
window.

Restore-ADObject -Identity <objectGUID of Sara Davis>

12. Run the following command to restore the Finance Temporary Employees
group by using the Administrator: Active Directory Module for Windows
PowerShell window.

Restore-ADObject -Identity <objectGUID of Finance Temporary Employees>

13. Run the following command to restore the Europe organizational unit by
using the Administrator: Active Directory Module for Windows PowerShell
window.

Restore-ADObject -Identity <objectGUID of Europe>

14. Verify that the Sara Davis user account, Finance Temporary Employees group,
and Europe organizational unit are restored by using the Active Directory
Administrative Center console.
15. Check whether the properties of Finance Temporary Employees group are
preserved.
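The demonstration restores each object by pasting its objectGUID. The script below is an added example, not part of the courseware, that shows the same operation done without manual copying and extended to the case the demonstration does not cover: an organizational unit that was deleted together with its contents, where the parent must be restored before its children. It assumes the contoso.com domain and the Europe OU from the demonstration; the function name Restore-DeletedTree is the example's own.

```powershell
# Added example (not from the courseware): list the Recycle Bin contents and
# restore a deleted OU together with the objects deleted with it, parent first.
# Assumes the contoso.com domain and the Europe OU used in the demonstration.
Import-Module ActiveDirectory

$deletedObjects = 'CN=Deleted Objects,DC=contoso,DC=com'

# Show what is recoverable, with the two attributes Restore-ADObject relies on:
# msDS-LastKnownRDN (the original name) and lastKnownParent (where it lived).
# Recycled objects (isRecycled=TRUE) are excluded; they cannot be restored.
Get-ADObject -SearchBase $deletedObjects -IncludeDeletedObjects `
    -LDAPFilter '(&(isDeleted=TRUE)(!(isRecycled=TRUE)))' `
    -Properties 'msDS-LastKnownRDN', 'lastKnownParent', 'whenChanged' |
    Sort-Object whenChanged -Descending |
    Format-Table 'msDS-LastKnownRDN', ObjectClass, lastKnownParent, ObjectGUID -AutoSize

function Restore-DeletedTree {
    # Restore one deleted object by GUID, then recurse into the deleted objects
    # whose lastKnownParent points at it. Children are matched on either the
    # deleted (mangled) DN captured before the restore or the live DN afterwards,
    # because which one AD recorded depends on how the child was deleted.
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)

    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties isDeleted
    if (-not $obj.isDeleted) {
        Write-Warning "$($obj.DistinguishedName) is not deleted; skipping"
        return
    }
    $deletedDn = $obj.DistinguishedName

    Restore-ADObject -Identity $ObjectGuid
    $liveDn = (Get-ADObject -Identity $ObjectGuid).DistinguishedName
    Write-Host "Restored $liveDn"

    Get-ADObject -SearchBase $deletedObjects -IncludeDeletedObjects `
        -LDAPFilter '(&(isDeleted=TRUE)(!(isRecycled=TRUE)))' -Properties lastKnownParent |
        Where-Object { $_.lastKnownParent -eq $deletedDn -or $_.lastKnownParent -eq $liveDn } |
        ForEach-Object { Restore-DeletedTree -ObjectGuid $_.ObjectGUID }
}

# Locate the deleted Europe OU by its last known name, refuse to guess if the
# name is ambiguous, and restore it with everything that was deleted under it.
$europe = @(Get-ADObject -SearchBase $deletedObjects -IncludeDeletedObjects `
    -LDAPFilter '(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=Europe))')
if ($europe.Count -ne 1) {
    throw "Expected exactly one deleted OU named Europe, found $($europe.Count)"
}
Restore-DeletedTree -ObjectGuid $europe[0].ObjectGUID
```

Restoring the parent first matters because Restore-ADObject puts an object back under its lastKnownParent, and that container must exist again before any child can be placed in it.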

Question: Which command should you use to view the current state of the
Active Directory Recycle Bin feature?

Active Directory Web Services

Key Points
Active Directory Web Services (ADWS) in Windows Server 2008 R2 provides a
Web service interface to Active Directory domains, Active Directory Lightweight
Directory Services (AD LDS) instances, and Active Directory Database Mounting
Tool instances that are running on the same Windows Server 2008 R2 server as
ADWS. ADWS is used by Windows Server 2008 R2 or Windows 7 client
applications such as the Active Directory module for Windows PowerShell or
Active Directory Administrative Center. If the ADWS service on a Windows Server
2008 R2 server is stopped, client applications that use the Web service interface
cannot access and manage any directory service instances. However, applications
that use Active Directory Service Interfaces (ADSI) can still access directory service
instances.

ADWS installation and configuration

When you add the AD DS or AD LDS server role to a Windows Server 2008 R2
server, ADWS is added automatically. The ADWS service is also added if you
promote a Windows Server 2008 R2 server to a domain controller by running
Dcpromo.exe or if you create an AD LDS instance on a Windows Server 2008 R2
server.

Configuration parameters of ADWS


The configuration parameters of ADWS determine how ADWS handles the traffic
generated by applications that manage Active Directory. These configuration
parameters are stored in the Microsoft.ActiveDirectory.WebServices.exe.config file
in the %WINDIR%\ADWS directory. You should not change the default values of
these parameters, unless they prevent you from efficiently administering directory
service instances. To function correctly, the ADWS service requires TCP port 9389
to be open on the domain controller where the ADWS service is running.
ADWS enables remote management of the directory service instance by using WS-*
protocols. Many organizations have custom tools for creating and managing user
and group accounts. These tools can be rewritten to use ADWS, which is based on
standards and provides additional security.
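The following check is an added example and is not part of the 10159A courseware. From a management workstation it confirms that a domain controller's ADWS service is running and that TCP port 9389 is reachable, and then proves the path end to end by calling a cmdlet that depends on the Web service. The domain controller name LON-DC1 is taken from the course environment; the function name Test-AdwsEndpoint is the example's own.

```powershell
# Added example (not from the courseware): verify that ADWS on a domain
# controller is running, reachable on TCP 9389, and usable by the AD module.
# Assumes the LON-DC1 domain controller from the course environment.
function Test-AdwsEndpoint {
    param([Parameter(Mandatory = $true)][string]$DomainController)

    # Service state as reported by the Service Control Manager on the DC.
    $service = Get-Service -ComputerName $DomainController -Name ADWS -ErrorAction SilentlyContinue
    $serviceStatus = if ($service) { $service.Status.ToString() } else { 'NotInstalled' }

    # Raw TCP reachability of port 9389. From the client side a host firewall
    # that blocks the port looks exactly like a stopped service, so test both.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($DomainController, 9389)
        $portOpen = $true
    } catch {
        $portOpen = $false
    } finally {
        $client.Close()
    }

    # End-to-end check: Get-ADDomain talks to the DC through ADWS, so success
    # here proves the whole path. ADSI-based tools keep working if this fails.
    try {
        $domain = Get-ADDomain -Server $DomainController -ErrorAction Stop
        $moduleWorks = $true
        $dnsRoot = $domain.DNSRoot
    } catch {
        $moduleWorks = $false
        $dnsRoot = $null
    }

    New-Object PSObject -Property @{
        DomainController = $DomainController
        AdwsService      = $serviceStatus
        Port9389Open     = $portOpen
        AdModuleWorks    = $moduleWorks
        Domain           = $dnsRoot
    }
}

Import-Module ActiveDirectory
Test-AdwsEndpoint -DomainController 'LON-DC1' | Format-List
```

A result of AdwsService = Running with Port9389Open = False points at a firewall between the workstation and the domain controller rather than at the service itself.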

Active Directory Management Gateway Service


To use the client applications that use the Web service interface for managing
directory service instances that are running on Windows Server 2008–based or
Windows Server 2003 SP2–based domain controllers, you need to install the
Active Directory Management Gateway Service. The Active Directory Management
Gateway Service provides the same functionality as Active Directory Web Services
on Windows Server 2008 R2. The only difference is that the Active Directory
Management Gateway Service does not support instances of the Active Directory
Database Mounting Tool running on Windows Server 2008–based servers.

Question: Can you access Active Directory by using the Web service interface
when all domain controllers in your network are running Windows Server 2008?

Managed Service Accounts

Key Points

Service accounts
One of the security challenges for critical network applications is selecting the
appropriate type of account for the application to use. On a local computer, you
can configure the application to run as Local Service, Network Service, or Local
System. These service accounts are easy to configure and use. However, these
service accounts are shared with multiple applications and services and cannot be
managed at a domain level.
If you configure the application to use a domain account, you can isolate the
privileges for the application. However, you then need to manage passwords
manually or create a custom solution for managing them. Many Microsoft® SQL
Server® and IIS applications use this strategy to enhance security. In these
deployments, service administrators spend additional time on maintenance tasks
such as managing service passwords and SPNs, which are required for Kerberos
authentication. In addition, these maintenance tasks can disrupt services.


The two new types of service accounts available in Windows Server 2008 R2 and
Windows 7 are the managed service account and the virtual account. A managed
service account helps you to enhance security while simplifying or eliminating
password and SPN management. Virtual accounts in Windows Server 2008 R2 and
Windows 7 are managed local accounts that can access network resources by
using the credentials of a computer.

Managed service accounts


The managed service account is designed to provide applications such as SQL
Server and IIS with the ability to isolate their domain accounts and eliminate the
need for manual administration of SPN and credentials for these accounts. You can
create managed service accounts by using the PowerShell New-ADServiceAccount
cmdlet. To use managed service accounts, the client computer on which the
application or service is installed, must be running Windows Server 2008 R2 or
Windows 7.
In Windows Server 2008 R2 and Windows 7, one managed service account can be
used for services on a single computer.
Managed service accounts cannot be shared between multiple computers and
cannot be used in server clusters where a service is replicated on multiple cluster
nodes.
Windows Server 2008 R2 domains provide support for both automatic password
management and SPN management. If the domain is running in the Windows
Server 2003 mode or Windows Server 2008 mode, additional configuration steps
will be needed to support managed service accounts.
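The following script is an added example and is not part of the 10159A courseware. It walks through the life cycle the section describes: creating the managed service account with its SPN, binding it to the one computer allowed to use it, installing it on that computer, and pointing a service at it with no password. The account name svc-finapp, the service name FinanceApp and the computer LON-SVR1 are assumptions for the example; the SPN is a constructed value.

```powershell
# Added example (not from the courseware): create a managed service account,
# bind it to one computer, install it there and run a service under it.
# svc-finapp, FinanceApp and LON-SVR1 are assumed names for this example.
Import-Module ActiveDirectory

$msaName  = 'svc-finapp'
$hostName = 'LON-SVR1'

# --- Part 1: on a domain controller or admin workstation with the AD module ---

# 1. Create the account in the default Managed Service Accounts container.
#    Registering the SPN here replaces the manual setspn maintenance.
New-ADServiceAccount -Name $msaName -Enabled $true `
    -ServicePrincipalNames 'HTTP/finapp.contoso.com' `
    -Description 'Managed service account for the Finance application on LON-SVR1'

# 2. Authorize exactly one computer to retrieve the account's password.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# 3. Verify the binding from the directory side: the computer object now
#    carries the MSA's DN in msDS-HostServiceAccount.
(Get-ADComputer -Identity $hostName -Properties 'msDS-HostServiceAccount').'msDS-HostServiceAccount'

# --- Part 2: on LON-SVR1 itself (Windows Server 2008 R2), as a local administrator ---

# 4. Install the MSA locally. This is what makes the computer fetch and store
#    the password; no administrator ever sees or types it.
Install-ADServiceAccount -Identity $msaName

# 5. Run the service as the MSA. The logon name ends with '$' and the password
#    is left empty; Windows supplies it from the machine's store.
#    sc.exe needs the space after 'obj=' and 'password='.
& sc.exe config FinanceApp obj= "CONTOSO\$msaName`$" password= ""
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
Restart-Service -Name FinanceApp

# 6. Confirm the identity the service is now running under.
Get-WmiObject Win32_Service -Filter "Name='FinanceApp'" | Select-Object Name, StartName, State
```

On Windows Server 2008 R2, New-ADServiceAccount creates this single-computer account type by default; on later versions the same cmdlet defaults to group managed service accounts and needs -RestrictToSingleComputer to reproduce the behaviour shown here.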

Benefits of managed service accounts


In addition to the enhanced security that is provided by having individual accounts
for critical services, the following are some important administrative benefits
associated with managed service accounts:
• Managed service accounts allow you to create a class of domain accounts that
can be used to manage and maintain services on local computers.
• Unlike regular domain accounts in which administrators must reset passwords
manually, the network passwords for these accounts can be reset
automatically.
• Unlike normal local computer and user accounts, you need not complete
complex SPN management tasks to use managed service accounts.
• Administrative tasks for managed service accounts can be delegated to
non-administrators.

Question: Can your environment benefit from managed services accounts?



Offline Domain Join

Key Points
A domain join establishes a trust relationship between a computer running a
Windows operating system and an Active Directory domain. This operation
requires state changes to AD DS and state changes on the computer that is joining
the domain.
Offline domain join is a process that joins computers running Windows 7 or
Windows Server 2008 R2 to a domain in AD DS without any network connectivity.
To perform an offline domain join, you can run the Djoin.exe command-line tool.
You can use offline domain join to add computers to a domain in locations where
there is no connectivity to a corporate network. For example, an organization
might need to deploy many virtual machines in a data center. Offline domain join
makes it possible for the virtual machines to be joined to the domain when they
initially start after the installation of the operating system. No additional
restart or network connectivity to a domain controller is required to complete the
domain join. This helps reduce the time and effort required to complete a
large-scale computer deployment.

Benefits of offline domain join


Offline domain join provides the following benefits:
• The client computer does not require network connectivity.
• The domain controller creates a computer account without interacting with
clients.
• The Active Directory state changes are completed without any network traffic
to the computer.
• The computer state changes are completed without any network traffic to a
domain controller.
• Each set of changes can be completed at a different time.

Requirements for offline domain join


You can run Djoin.exe only on computers that run Windows 7 or Windows Server
2008 R2. You use Djoin.exe to provision computer account data into AD DS. You
also use it to insert the computer account data into the Windows directory of the
computer that needs to be joined to the domain.
To perform an offline domain join, you must have the permission to join
workstations to the domain. The Djoin.exe command can be run on an offline
Windows Server 2008 R2 or Windows 7 image, or on running operating systems
without connectivity to domain controllers.

Steps for performing an offline domain join


The offline domain join process includes the following phases:
• Run the djoin.exe /provision command to create computer account metadata
for the computer that you want to join to the domain. As part of this
command, you must specify the name of the domain to which you want to add
the computer.
• Run the djoin.exe /requestODJ command to insert the computer account
metadata into the Windows directory of the destination computer.
When you start the destination computer, the computer will be added to the
domain that you specify.
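The following script is an added example and is not part of the 10159A courseware. It wraps the two djoin.exe phases in PowerShell functions, checks each phase's exit code, and adds the handling the provisioning file needs: the file carries the new computer account's password, so it is locked down to the provisioning user and Administrators after creation and removed from the target once it has been consumed. The domain contoso.com and the computer name LON-SVR2 come from the course; the OU, the output directory and the function names New-OdjBlob and Complete-Odj are the example's own.

```powershell
# Added example (not from the courseware): provision an offline domain join
# blob, protect it, and consume it on the target computer.
# contoso.com and LON-SVR2 come from the course; OU and paths are assumed.
function New-OdjBlob {
    # Run on a domain-joined computer as a user allowed to join workstations to
    # the domain.
    param(
        [Parameter(Mandatory = $true)][string]$Machine,
        [string]$Domain    = 'contoso.com',
        [string]$MachineOU = 'OU=Servers,DC=contoso,DC=com',   # assumed OU
        [string]$OutDir    = 'C:\odj'                          # assumed path
    )
    if (-not (Test-Path $OutDir)) { $null = New-Item -ItemType Directory -Path $OutDir }
    $blob = Join-Path $OutDir "$Machine.djoin"

    # Phase 1: create the computer account and write its metadata to the blob.
    & djoin.exe /provision /domain $Domain /machine $Machine /machineou $MachineOU /savefile $blob
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # The blob is as sensitive as a password: drop inherited ACEs and leave
    # read access to Administrators and the provisioning user only.
    $me = "$($env:USERDOMAIN)\$($env:USERNAME)"
    & icacls.exe $blob /inheritance:r /grant:r "BUILTIN\Administrators:(R)" "${me}:(R)"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    Get-Item $blob
}

function Complete-Odj {
    # Run on the target computer as a local administrator, with no domain
    # connectivity required.
    param([Parameter(Mandatory = $true)][string]$BlobPath)

    # Phase 2: write the account metadata into the local Windows directory.
    & djoin.exe /requestodj /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }

    # The metadata is now stored locally; the blob has no further use.
    Remove-Item -Path $BlobPath -Force
    Write-Host 'Offline domain join staged; restart the computer to complete it.'
}

# On the provisioning machine:
#   New-OdjBlob -Machine 'LON-SVR2'
# On LON-SVR2, after copying C:\odj\LON-SVR2.djoin there over a protected channel:
#   Complete-Odj -BlobPath 'C:\LON-SVR2.djoin'
```

Checking $LASTEXITCODE after each native call matters because djoin.exe reports failures (for example a computer account that already exists, or a missing join permission) through its exit code, not through a PowerShell error.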

Question: When would you use an offline domain join?


Demonstration: How To Configure Offline Domain Join

Key Points

1. On LON-DC1, open the Active Directory Users and Computers console to
ensure that there is no computer account named LON-SVR2 in the
Computers container.
2. In the Command Prompt window, run the following code to provision a new
computer account.

djoin /Provision /Domain contoso.com /Machine LON-SVR2 /SaveFile C:\share\LON-SVR2.djoin

3. Verify that the LON-SVR2 computer account has been created. Then, to
display the contents of the provisioning file, run the following command in the
Command Prompt window.

type c:\share\LON-SVR2.djoin

4. Log on to LON-SVR2 with the user name Contoso\Administrator and the
password Pa$$w0rd.
5. Copy LON-SVR2.djoin from \\LON-DC1\Share on LON-DC1 to Local
Disk (C:) of LON-SVR2.
6. On LON-SVR2, run the following command to add the LON-SVR2 server as a
member of the Contoso.com domain.

Djoin /RequestODJ /LoadFile c:\LON-SVR2.djoin /WindowsPath c:\windows /LocalOS

7. Restart the LON-SVR2 server.


8. Log on to LON-SVR2 with the user name, contoso\administrator, and the
password, Pa$$w0rd and verify that LON-SVR2 is a member of the
Contoso.com domain.

Question: Why should you execute the type c:\share\LON-SVR2.djoin command?

Authentication Mechanism Assurance

Key Points
Authentication mechanism assurance is a new AD DS feature in Windows Server
2008 R2. This feature is not enabled by default. It requires a domain functional
level of Windows Server 2008 R2, a certificate-based authentication infrastructure,
Active Directory Federation Services (AD FS), and additional configuration.
When you enable the authentication mechanism assurance, it adds an
administrator-designed universal group membership to a user's access token when
the user's credentials are authenticated during logon with a certificate-based logon
method. This allows network resource administrators to control access to
resources such as files, folders, and printers, based on whether the user logs on
with a certificate-based logon method and the type of certificate that is used for
logon.
For example, when a user logs on with a smart card, access to resources may be
different from the access when the user does not use a smart card and logs on with
the user name and password. Without authentication mechanism assurance, there
is no difference between the access token of a user who logs on with
certificate-based authentication and the access token of a user who logs on with
a different authentication method.
Authentication mechanism assurance can be beneficial for organizations that use
certificate-based authentication methods such as smart card or token-based
authentication systems. Organizations that do not use certificate-based
authentication methods will not be able to use authentication mechanism
assurance, even if they have the domain functional level set to Windows Server
2008 R2.

Using authentication mechanism assurance


The following are the steps that must be performed to use authentication
mechanism assurance:
1. Create certificates. Before you implement authentication mechanism
assurance, you must first deploy a certificate-based logon method.
2. Link certificate policies to groups. Map authentication mechanism assurance
certificates to the group memberships that the resources will use to grant
access by using Windows PowerShell cmdlets.
3. Download and test certificates. Place the appropriate certificates on the
applicable smart cards and then test how the smart cards affect the user’s
access token that is used to log on.
4. Configure federation servers and applications. Configure the Federation
Service on federation servers. Create two organization group claims to
represent the two security levels of each smart card certificate, configure two
group claims so that they map to the appropriate group in AD DS, and then
create two claim mappings.
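The following script is an added example and is not part of the 10159A courseware. It carries out step 2 above with the Active Directory module: it finds the certificate issuance policy object in the configuration partition, checks that the target group is universal, and writes the group's distinguished name into the policy's msDS-OIDToGroupLink attribute, which is the link authentication mechanism assurance evaluates at logon. The issuance policy display name Smart Card High Assurance and the group name SmartCard-HighAssurance are assumptions for the example.

```powershell
# Added example (not from the courseware): link a certificate issuance policy
# to the universal group that authentication mechanism assurance adds to the
# token of users who log on with a certificate carrying that policy.
# Policy and group names below are assumed for this example.
Import-Module ActiveDirectory

$policyName = 'Smart Card High Assurance'   # assumed issuance policy display name
$groupName  = 'SmartCard-HighAssurance'     # assumed universal security group

$configNC     = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

# Issuance policies are msPKI-Enterprise-Oid objects with flags=2 in the OID
# container; msPKI-Cert-Template-OID holds the OID that appears in the
# certificate's Certificate Policies extension.
$policy = @(Get-ADObject -SearchBase $oidContainer `
    -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(flags=2)(displayName=$policyName))" `
    -Properties 'displayName', 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink')
if ($policy.Count -ne 1) {
    throw "Issuance policy '$policyName' not found or ambiguous ($($policy.Count) matches)"
}
$policy = $policy[0]

# The feature only honours universal groups, so refuse anything else up front.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Universal') {
    throw "$groupName must be a universal group (current scope: $($group.GroupScope))"
}

# Create (or replace) the link: the group's DN goes into msDS-OIDToGroupLink
# on the issuance policy object.
Set-ADObject -Identity $policy -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Read the link back from both ends; the group carries the back-link.
Get-ADObject -Identity $policy -Properties 'displayName', 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink' |
    Format-List displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
(Get-ADGroup -Identity $groupName -Properties 'msDS-OIDToGroupLinkBL').'msDS-OIDToGroupLinkBL'
```

Because the link is evaluated against the policy OID in the presented certificate, the step 3 test in the list above (logging on with a smart card issued under that policy and inspecting the token's group list) is the check that the mapping actually took effect.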

Question: Would your company benefit from authentication mechanism assurance?

Lab 2A: Configuring Active Directory Domain Services Features

Introduction
In this lab, you will configure Active Directory Domain Services features. To do
this, you need to install and configure Active Directory Administration Center. You
will also install the Active Directory Recycle Bin feature to restore the Active
Directory objects that are deleted. You will also configure and test the offline
domain join feature.

Objectives
After completing this lab, you will be able to:
• Install and configure Active Directory Administration Center
• Configure and test Active Directory Recycle Bin
• Configure an Offline Domain Join

Lab Setup

For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd

• Start the LON-SVR1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd

Lab Scenario

You are a server administrator at Contoso, Ltd. Your organization has deployed a
Windows Server 2008 R2 domain controller and wants to upgrade it by adding new
Active Directory features. To do this, you first need to establish an Active
Directory testing environment and then import Active Directory into the testing
environment by using the Active Directory Administration Center services. Use
the Active Directory Recycle Bin feature and the offline domain join feature to
restore the Active Directory objects that are unintentionally deleted.

Exercise 1: Installing and Configuring Active Directory Administration Center
The main tasks for this exercise are as follows:
1. Start the virtual servers.
2. Install Active Directory Administration Center.
3. Explore the Active Directory Administrative Center interface.
4. Create and modify user accounts and their properties.
5. Verify the Active Directory Web Services service.

Task 1: Start the virtual servers.


• Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.

Task 2: Install Active Directory Administration Center.


• On LON-SVR1, install the Active Directory Administration Center server
feature by using the Server Manager console.

If the Server Manager window does not appear, on the Start menu of LON-SVR1, point
to Administrative Tools, and then click Server Manager.

Task 3: Explore the Active Directory Administrative Center interface.


• Verify the following information by using the Active Directory Administrative
Center console:
• Clear the Getting Started check box. Verify that the Getting Started pane
disappears.
• Address box: cn=users,dc=contoso,dc=com to verify that the Users
container is selected in the Navigation pane.
• Filter the content of the window.
• Add a Builtin container to the Navigation pane.

Task 4: Create and modify user accounts and their properties.

• View the users named Michael in the Finance group by using the Filter
option of the Active Directory Administrative Center console, and set the
following user account properties:
• Add criteria: Users with disabled/enabled accounts and Users
whose password has an expiration date/no expiration date
• Query Name: Enabled-no expiry
• Users with accounts in this state: enabled
• Create a query, Enabled-no expiry and run it against the user, Jeff Ford, and
then modify properties of Jeff Ford by adding him to the Finance group.
• Create a new user for the Finance group with the following information:
• Full name: Jay Hamlin
• User SamAccountName logon: johane
• Select Password never expires
• Password: Pa$$w0rd
• Confirm password: Pa$$w0rd

Task 5: Verify the Active Directory Web Services service.


• On LON-DC1, open the Services console to stop the Active Directory Web
Services service.
• On LON-SVR1, open the Active Directory Administrative Center console to
verify whether the contoso domain is accessible.
• On LON-DC1, start the Active Directory Web Services service by using the
Services console.
• On LON-SVR1, verify whether the contoso domain is accessible after starting
the Active Directory Web Services service.

Results: After completing this exercise, you should have installed and activated Active
Directory Administration Center services and created a user account in it.

Exercise 2: Configuring and Testing the Active Directory Recycle Bin
The main tasks in this exercise are as follows:
1. Enable the Active Directory Recycle Bin feature.
2. Delete Active Directory objects.
3. Verify that the deleted objects are in the Recycle Bin.
4. Restore the deleted Active Directory objects.
5. Verify that the deleted object is restored.

Task 1: Enable the Active Directory Recycle Bin feature.


• On LON-DC1, raise the forest functional level to Windows Server 2008 R2 by
using the Active Directory Domains and Trusts tool.
• Delete the objects, Jay Hamlin and Demo OU, to view the difference between
the deleted objects without enabling the Active Directory Recycle Bin feature.
• Open the Administrator: Active Directory Module for Windows PowerShell
window and run the following command to view the state of the Active
Directory Recycle Bin feature.

Get-ADOptionalFeature -Filter *

• Run the following command to enable the Active Directory Recycle Bin feature.

Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target contoso.com

• Run the following command to view the state of the Active Directory Recycle
Bin feature.

Get-ADOptionalFeature -Filter *

The EnabledScopes property is now populated, which indicates that the Recycle Bin
Feature is now enabled.

Task 2: Delete Active Directory objects.

• On LON-DC1, delete the following user accounts, group account, and
organizational unit by using the Active Directory Administrative Center
console.
• User accounts: Sara Davis and Ron Gabel
• Group account: Finance Temporary Employees
• Organizational unit: Europe

Task 3: Verify that the deleted objects are in the Recycle Bin.
• On LON-DC1, run the following command to view the entire content of the
Active Directory Recycle Bin feature by using the Active Directory Module for
Windows PowerShell window.

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter "(objectClass=*)" -IncludeDeletedObjects

Verify that the two user accounts, Sara Davis and Ron Gabel, the Finance Temporary
Employees group account, and the Europe organizational unit are in the Recycle Bin.
Make a note of the ObjectGUID for Sara Davis, Ron Gabel, Finance Temporary
Employees, and Europe.

• Run the following command to verify that the Sara Davis user object is in the
Recycle Bin.

Get-ADObject -Filter {Name -Like "*Sara Davis*"} -SearchScope Subtree -IncludeDeletedObjects

• Run the following command to verify that the Ron Gabel user account is in the
Recycle Bin.

Get-ADObject -Filter {Name -Like "*Ron Gabel*"} -SearchScope Subtree -IncludeDeletedObjects

• Run the following command to verify that the organizational unit, Demo is in
the Recycle Bin.

Get-ADObject -Filter {Name -Like "*Demo*"} -SearchScope Subtree -IncludeDeletedObjects

Task 4: Restore the deleted Active Directory objects.

• Run the following command to restore the user account for Sara Davis by
using the Administrator: Active Directory Module for Windows PowerShell
window.

Restore-ADObject -Identity <objectGUID of Sara Davis>

• Run the following command to restore the Finance Temporary Employees
group by using the Administrator: Active Directory Module for Windows
PowerShell window.

Restore-ADObject -Identity <objectGUID of Finance Temporary Employees>

• Run the following command to restore the Europe organizational unit by
using the Administrator: Active Directory Module for Windows PowerShell
window.

Restore-ADObject -Identity <objectGUID of Europe>

Task 5: Verify that the deleted objects are restored.


• Verify that the Sara Davis user account, Finance Temporary Employees group,
and Europe organizational unit are restored by using the Active Directory
Administrative Center console.
• Check whether the properties of Finance Temporary Employees group are
preserved.

Results: After completing this exercise, you should have enabled the Active Directory
Recycle Bin feature.

Exercise 3: Configuring an Offline Domain Join


The main tasks in this exercise are as follows:
1. Provision a computer account for an offline domain join.
2. Verify that the computer account has been created in Active Directory.
3. Perform an Offline Domain Join.

Task 1: Provision a computer account for an offline domain join.


• On LON-DC1, open the Active Directory Users and Computers console to
ensure that there is no computer account named, LON-SVR2, in the
Computers container.
• In the Command Prompt window, run the following code to provision a new
computer account.

djoin /Provision /Domain contoso.com /Machine LON-SVR2 /SaveFile C:\share\LON-SVR2.djoin

Task 2: Verify that the computer account has been created in Active Directory.
• Verify that the LON-SVR2 computer account has been created. Then, to
display the contents of the provisioning file, run the following command in the
Command Prompt window.

type c:\share\LON-SVR2.djoin

Task 3: Perform an Offline Domain Join.


• Log on to LON-SVR2 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• Copy LON-SVR2.djoin from \\LON-DC1\Share on LON-DC1 to Local
Disk (C:) of LON-SVR2.
• On LON-SVR2, run the following command to add the LON-SVR2 server as a
member of the Contoso.com domain.

Djoin /RequestODJ /LoadFile c:\LON-SVR2.djoin /WindowsPath c:\windows /LocalOS

• Restart the LON-SVR2 server.


• Log on to LON-SVR2 with the user name, LON_SVR2\Administrator, and the
password, Pa$$w0rd, and verify that LON-SVR2 is a member of the
Contoso.com domain.

Results: After completing this exercise, you should have created a computer account
for an offline domain join in Active Directory.

Note: The answers to the exercises are on the Course Companion CD.

Before proceeding to the next lab, reset the lab environment.



Lab Review

1. How will you enable the Active Directory Recycle Bin feature?
You need to set the forest functional level of your environment to Windows Server
2008 R2 to enable the Active Directory Recycle Bin feature. There are different
ways to raise the forest functional level, but you need to use the Active Directory
Domains and Trusts tool.

2. Which command should you use to provision a computer account for offline
domain join?
You should use the Djoin.exe command to provision a computer account for an
offline domain join.
Lesson 2
Configuring Group Policy in Active Directory Domain Services

Group Policy is a technology that simplifies the task of managing computers and
users in an Active Directory environment. Group Policies are an important part of
every Active Directory implementation. You can centrally manage specific
configuration parameters by editing Group Policy settings and targeting Group
Policy Objects (GPOs) at the intended computers or users. Windows Server 2008
R2 Group Policy is built on the well-established foundation of Windows Server
2008. In addition, Windows Server 2008 R2 provides several new and improved
Group Policy features, such as System Starter GPOs, AppLocker, and Windows
PowerShell cmdlets for managing Group Policy.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe Group Policy.
• Describe Starter Group Policy Object.
• Describe ADMX enhancements.
• Create Starter Group Policy Object.
• Describe Group Policy Preferences.
• Use Group Policy Preferences.
• Describe AppLocker.
• Describe the differences between AppLocker and software restriction policy.
• Describe AppLocker rules.
• Describe the considerations for configuring AppLocker.
• Configure AppLocker.
• Describe advanced audit policies.

Discussion: Overview of Group Policy

Key Points
Group Policy provides an infrastructure for centralized configuration management
of the operating system and applications. In Windows Server 2008 R2, Group
Policy is built on the well established foundation of the previous version and does
not introduce major changes. Windows Server 2008 R2 Group Policy is built on
the following foundations, which are available in Windows Server 2008 and
Windows Vista™:
• Group Policy infrastructure. Group Policies are processed by the Group
Policy Client service. This service is hardened, and processing is more reliable
than before, when Group Policies were processed in the Winlogon process.
• Number of Group Policy settings. Group Policy provides many settings that
you can use to centrally control Windows operating systems. The number of
settings increases with each service pack and new Windows operating system
release.
• Network Location Awareness. This feature allows Group Policy to respond
better to changing network conditions. One of the benefits of Network
Location Awareness is that it no longer relies on the Internet Control Message
Protocol (ICMP) for policy application. The Network Location Awareness
feature ensures that client computers are responsive to the changing network
conditions and resource availability. With Network Location Awareness,
Group Policy has access to resource detection and event notification
capabilities in the operating system, such as recovery from hibernation or
standby, establishment of virtual private network (VPN) sessions, and moving
in or out of a wireless network.
• Administrative template files. Administrative template files contain markup
language that describes registry-based Group Policy. Administrative template
files use an XML-based file format, known as ADMX and ADML files. The
XML-based file format includes multilanguage support, an optional centralized
data store, and version control capabilities. Using the new administrative
template files, you can easily manage registry-based policy settings.
• Group Policy central store. Instead of storing Administrative Templates with
each Group Policy, you can create a central store on a domain controller. The
central store is a file location that is checked by the Group Policy tools. The
Group Policy tools use Administrative Templates in the central store to display
options that can be set through Group Policy. The files that are in the central
store are later replicated to all domain controllers in the domain.
• Multiple local Group Policy Objects (GPOs). Multiple local GPOs provide
greater flexibility in administering Local Group Policy Objects (LGPOs) by
enabling you to manage multiple LGPOs on a single computer. This increased
flexibility eases management of environments that involve multiple users
sharing a single computer in a workgroup environment. You can assign
multiple LGPOs to local users or built-in Administrators or Non-
Administrators groups. This feature works with domain-based Group Policy
and you can disable it through a Group Policy setting.
• Starter Group Policy Objects. Starter GPOs allow you to store a collection of
Administrative template policy settings in a single object and incorporate those
policy settings into new GPOs. When you create a GPO from a Starter GPO,
the new GPO includes all the Administrative Template policy settings and their
values defined in the Starter GPO.
• Events and logging. Group Policy is treated as a separate entity with the Group
Policy service, which is a stand-alone service that runs under the Svchost
process for reading and applying Group Policy. The service includes changes
in event reporting. Group Policy event messages, which previously appeared
in the Application log, now appear in the System log. Event Viewer lists these
new messages with an event source of Microsoft Windows Group Policy. The
Group Policy operational log replaces the previous userenv logging. The
operational event log provides improved event messages specific to Group
Policy processing.

Starter Group Policy Object

Key Points
Starter GPO is a collection of configured administrative template policy settings
that you can use to create a GPO. You can store a collection of administrative
template policy settings in a single object by using Starter GPO and incorporate
these policy settings into a new GPO. You can import, export, or distribute Starter
GPOs to other environments.
When you create a GPO from a Starter GPO, the new GPO includes all of the
administrative template policy settings and their values defined in the Starter GPO.
In Windows Server 2008, if you want to use a Starter GPO, you need to first create
it, because no Starter GPO is available by default. However, in Windows Server
2008 R2, eight Starter GPOs are already available when you create the Starter GPO
container. If required, you can create additional Starter GPOs.
System Starter GPOs

System Starter GPOs are read-only Starter GPOs that provide a baseline of settings
for a specific scenario. Similar to Starter GPOs, you can use a System Starter GPO
as a template when creating a GPO, but you cannot create System Starter GPOs or
modify them.
System Starter GPOs are included in Windows Server 2008 R2 and Windows 7
with RSAT. You do not have to download System Starter GPOs and install them
separately.

System Starter GPO scenarios


In Windows Server 2008 R2, eight System Starter GPOs—four with user settings
and four with computer settings—are available for the following four scenarios:
• Windows Vista Enterprise Client (EC)
• Windows Vista Specialized Security Limited Functionality (SSLF) Client
• Windows XP Service Pack 2 (SP2) EC
• Windows XP SP2 SSLF Client

Question: How can you transfer a Starter GPO from a testing environment to a
production environment?

ADMX Enhancements

Key Points
Administrative templates (ADMX) files are registry-based policy settings that are
located under the Administrative Templates node of both the Computer and User
Configuration nodes in Group Policy Management Editor. This hierarchy is created
when the Group Policy Management console reads XML-based administrative
template files. ADMX administrative templates include multilanguage support, an
optional centralized data store, and version control capabilities. ADMX files are
divided into language-neutral and language-specific resources.

Enhancements in Group Policy Administrative Templates


In Windows Server 2008 R2 and Windows 7, Group Policy Administrative
Templates have the following enhancements:
• Improved user interface. In previous versions, the properties dialog box of an
administrative template policy setting contained the following tabs:
  • Settings, for enabling or disabling a policy setting and setting additional
    options
  • Explain, for learning more about a policy setting
  • Comment, for entering optional information about the policy setting
In Windows Server 2008 R2, these options are available at a single location in the
properties dialog box, instead of being available as three separate tabs. Moreover,
the properties dialog box is now resizable. In addition, the Explain tab, which
provides additional information about a policy setting, is now known as Help.
• Support for multistring and QWORD registry value types. In Windows
Server 2008 R2, Administrative Templates provide the support for the
multistring (REG_MULTI_SZ) and QWORD registry value types. You can
perform the following tasks by using the support for the REG_MULTI_SZ
registry value type:
• Enable a policy setting, enter multiple lines of text, and sort entries.
• Edit an existing configured setting and add new line items.
• Edit an existing configured setting and individual line items.
• Edit an existing configured setting, select one or more entries, and delete
selected entries. The entries do not have to be contiguous.
• Support for the QWORD registry value type enables you to use the
Administrative Template policy settings to manage 64-bit applications.
• New Group Policy administrative settings. Windows Server 2008 R2 and
Windows 7 with RSAT have more than 300 new administrative template policy
settings such as new settings for controlling Windows® Internet Explorer®,
Remote Desktop Services, DirectAccess, BranchCache, and Power settings.

Question: How can you configure new Group Policy Administrative Settings from
a Windows Server 2008 R2 member server or Windows 7 workstation?

Demonstration: How To Create Starter Group Policy Object

Key Points

1. Examine the Starter GPO settings by using the Group Policy Management
console to verify the following information:
  • Verify that there are eight Starter GPOs pre-created
  • Verify that the Edit option is not enabled
  • View the settings of a Starter GPO
2. On LON-DC1, create the custom Starter GPO, Default Desktop Configuration,
with the following information:
  • All Settings: Filter Options
  • Enable Keyword Filters
  • Filter for word: control panel
  • Clear Help Text and Comment
  • Disable the Display Control Panel: Enabled
3. Based on the existing custom Starter GPO, create a Group Policy Object with
the following information:
  • GPO name: Desktop Configuration
  • Source Starter GPO: Default Desktop Configuration
  • Set the State
  • Clear Enable Keyword Filters
  • Configured: Yes

Question: By default, how many System Starter GPOs will be pre-created?
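The Starter GPO and the GPO derived from it in the demonstration can also be created with the GroupPolicy module cmdlets that Windows Server 2008 R2 introduces. The following script is an added example and is not part of the course; it assumes the lab domain contoso.com, a target OU named Workstations, and that the Control Panel restriction in the demonstration corresponds to the NoControlPanel user policy value.

```powershell
# Added example (not course material): create a Starter GPO, derive a GPO from it,
# apply the Control Panel restriction, link the GPO, and verify the result with the
# GroupPolicy module (Windows Server 2008 R2 or Windows 7 with RSAT).
# Run on LON-DC1 as a domain administrator. The OU DN is an assumption.
Import-Module GroupPolicy

$starterName = 'Default Desktop Configuration'
$gpoName     = 'Desktop Configuration'
$targetOu    = 'OU=Workstations,DC=contoso,DC=com'   # assumed OU for this example
$policyKey   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# List the Starter GPOs that already exist. The eight read-only System Starter GPOs
# appear once the Starter GPOs folder has been created in the console.
Get-GPStarterGPO -All | Select-Object DisplayName, Id | Format-Table -AutoSize

# Create the custom Starter GPO only if it does not already exist.
$starter = Get-GPStarterGPO -Name $starterName -ErrorAction SilentlyContinue
if (-not $starter) {
    $starter = New-GPStarterGPO -Name $starterName -Comment 'Baseline desktop lockdown'
}

# Create a GPO seeded with the Starter GPO's Administrative Template settings.
New-GPO -Name $gpoName -StarterGPOName $starterName | Out-Null

# NoControlPanel = 1 is the registry value written by the user policy that prohibits
# access to Control Panel (User Configuration\Administrative Templates\Control Panel).
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'NoControlPanel' `
    -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU whose users should receive the setting.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null

# Verify: read the value back from the GPO and save an HTML report of its settings,
# which doubles as change documentation for the policy.
Get-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'NoControlPanel'
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```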



Group Policy Preferences

Key Points
Group Policy Preferences include more than 20 Group Policy extensions that
expand the range of configurable settings within a Group Policy Object (GPO).
These extensions are included in the Group Policy Management Editor, under the
Preferences item. Examples of the Group Policy Preferences extensions include
folder options, mapped drives, printers, scheduled tasks, services, and Start menu
settings.
Group Policy Preferences provide better targeting of client computers or users
through item-level targeting and action modes. Rich user-interfaces and standards-
based XML configurations provide flexibility over managed computers while
administering GPOs.
In addition, Group Policy Preferences allow you to deploy settings such as drive
mapping and Windows Explorer settings to client computers without restricting
the users from changing the settings. This capability allows you to decide which
settings to enforce and which settings not to enforce.
Group Policy Preferences vs. Group Policy Settings

The following table summarizes the differences between Group Policy Preferences
and Group Policy settings.

Enforcement
  Group Policy Preferences:
  • Preferences are not enforced.
  • User interface is not disabled.
  • Preferences can be refreshed or applied once.
  Group Policy Settings:
  • Settings are enforced.
  • User interface is disabled.
  • Settings are refreshed.

Flexibility
  Group Policy Preferences:
  • Preference items can be easily created for registry settings and files.
  • Individual registry settings or entire registry branches can be imported
    from a local or a remote computer.
  Group Policy Settings:
  • Application support and creation of administrative templates are required
    for policy settings.
  • Policy settings cannot be created to manage files and folders.

Local Policy
  Group Policy Preferences:
  • Not available in a local Group Policy.
  Group Policy Settings:
  • Available in a local Group Policy.

Awareness
  Group Policy Preferences:
  • Non-Group Policy–aware applications are supported.
  Group Policy Settings:
  • Group Policy–aware applications are required.

Storage
  Group Policy Preferences:
  • Original settings are overwritten.
  • Removing the preference item does not restore the original setting.
  Group Policy Settings:
  • Original settings are not changed.
  • Stored in registry Policy branches.
  • Removing the policy setting restores the original settings.

Targeting and Filtering
  Group Policy Preferences:
  • Targeting is granular, with a user interface for each type of targeting item.
  • Targeting at the individual preference item level is supported.
  Group Policy Settings:
  • Filtering is based on Windows Management Instrumentation (WMI) and
    requires writing WMI queries.
  • Filtering at a GPO level is supported.

User Interface
  Group Policy Preferences:
  • A familiar, easy-to-use interface is provided for configuring most settings.
  Group Policy Settings:
  • An alternative user interface is provided for most policy settings.

Group Policy Preferences support is included in Windows Server 2008 R2,
Windows Server 2008, and Windows 7. For earlier versions of operating systems,
support for Group Policy Preferences is provided by deploying the Group Policy
Preferences client-side extension (CSE). The Group Policy Preferences CSE is
available as a separate download from Microsoft. The Group Policy Preferences
CSE can be installed on Windows XP with SP2, Windows Vista, and Windows
Server 2003 with SP1.

Question: Why would you use Group Policy Preferences in your environment?
Demonstration: How To Use Group Policy Preferences

Key Points
1. On LON-DC1, create a shortcut to Notepad on the desktop of LON-CL1 by
using the Group Policy Management console with the following information:
  • Action: Create
  • Location: All Users Desktop
  • Target path: C:\Windows\System32\notepad.exe
  • Name: Notepad
  • Select Item-level targeting
  • Computer name: LON-CL1
2. Log off from LON-CL1.
3. Log on to LON-CL1 with the user name contoso\Administrator, and the
password, Pa$$w0rd.
4. Verify whether there is a shortcut to Notepad on the desktop and a preference
folder on the C: drive, and whether the P: drive is mapped to the Share on LON-DC1.

If the Notepad shortcut does not appear on the desktop, run the command, gpupdate /force,
on LON-DC1 and LON-CL1.

Question: Which operating systems are recommended for installing the
Group Policy Preferences CSE?


AppLocker

Key Points
AppLocker is a new feature in Windows Server 2008 R2 and Windows 7.
AppLocker replaces Software Restriction Policies (SRP), which is still supported,
but only when no AppLocker policy is applied to the computer. AppLocker
contains new capabilities and extensions that reduce administrative overhead.
Using AppLocker, you can control access and use of executables such as .exe;
Windows installer packages such as .msi and .msp; scripts such as .bat, .cmd, .js,
.ps1, and .vbs; and DLL files such as .dll and .ocx.
Using AppLocker, you can perform the following functions:
• Define rules based on file attributes derived from the digital signature,
including the publisher, product name, file name, and file version. For
example, you can create rules based on the publisher attribute that is
persistent through updates, or you can create rules for a specific version of a
file.
• Assign a rule to a security group or to an individual user. You cannot assign
rules to Internet zones, individual computers, or registry paths.


• Create exceptions to rules. For example, you can create a rule that allows all
Windows processes to run, except Regedit.exe.
• Use the audit-only mode to deploy the policy, and understand its impact
before enforcing it.
• Import and export rules. Importing and exporting rules affect the entire policy.
For example, if you export a policy, all rules from all rule collections are
exported, including the enforcement settings for the rule collections. If you
import a policy, the existing policy is overwritten.
• Simplify creating and managing AppLocker rules by using AppLocker
PowerShell cmdlets.

AppLocker rules
AppLocker provides a simple and powerful structure through three rule types:
allow, deny, and exception.
Allow rules limit execution of applications to a known list of required applications,
and they block other applications.
Deny rules allow execution of any application, except those on a list of known,
unwanted applications.
Many organizations use a combination of allow rules and deny rules. However, an
ideal AppLocker deployment would use allow rules with built-in exceptions.
Exception rules allow you to exclude files from an allow or deny rule that would
normally be included. Using exceptions, you can create a rule to allow everything
in the Windows operating system to run, except the built-in games. Using allow
rules with exceptions provides a healthy way to build a known and good list of
applications without creating many rules.

Creation and management of AppLocker rules


AppLocker provides a robust experience through rule creation tools and wizards.
Using a step-by-step approach, you can easily create new rules, automatically
generate rules, and import and export rules. You can automatically generate rules
using a test reference machine, and then import the rules into a production
environment for general deployment. You can also export a policy to provide a
backup of production configuration or to provide documentation for compliance
purposes.
Enforcement of AppLocker rules

AppLocker uses the Application Identity service (AppIDSvc) for rule enforcement.
This service must be started for AppLocker rules to be enforced. To enforce
AppLocker policies, you need computers that are running Windows Server 2008
R2 or Windows 7 (Enterprise or Ultimate). You cannot use AppLocker rules to
manage computers running earlier versions of Windows.

Question: You have defined an AppLocker policy to deny execution of an
application and applied the policy to a Windows 7 computer. However, users are
still able to run the application. What can be the probable reason for this?
AppLocker vs. Software Restriction Policy

Key Points
Software Restriction Policies (SRPs) provide you with a mechanism for identifying
programs that are allowed or prohibited to run on a computer. SRP was originally
designed in Windows XP and Windows Server 2003 to help you limit the number
of applications that required administrator access. With the introduction of User
Account Control (UAC) and the emphasis on standard user accounts, fewer
applications require administrator privileges. AppLocker was introduced to expand
the goals of the original SRP by allowing you to create a comprehensive list of
applications that should be allowed to run.

AppLocker vs. SRP


The following table provides a comparison between AppLocker and SRP.

Feature                              AppLocker                        SRP
Rule scope                           Specific user or group           All users
Rule conditions provided             File hash, path, and publisher   File hash, path, certificate,
                                     rules                            registry path, and Internet
                                                                      zone rules
Rule types provided                  Allow and deny                   Allow and deny
Default rule action                  Deny                             Allow or deny
Audit-only mode                      Yes                              No
Wizard to create multiple rules      Yes                              No
at one time
Policy import or export              Yes                              No
Rule collections                     Yes                              No
PowerShell support                   Yes                              No
Custom error messages                Yes                              No

Creation of AppLocker rules for Windows 7 computers

AppLocker rules are different from SRP rules and cannot be used to manage
computers running earlier versions of Windows operating systems. If AppLocker
rules have been defined in a GPO and clients support AppLocker, only AppLocker
rules are applied and SRP rules are ignored by the clients. Therefore, you should
define AppLocker rules in a GPO separate from the SRP rules, and link the GPO
that contains the SRP rules to the organizational unit that contains clients that do
not support AppLocker. If AppLocker and SRP rules are defined in the same GPO,
Windows 7 Enterprise, Windows 7 Ultimate, and Windows Server 2008 R2
computers will use the AppLocker rules, but earlier versions of Windows operating
systems will use the SRP settings.
AppLocker is a feature available in Windows 7 and Windows Server 2008 R2, and
is not based on the same technology as SRP rules. Therefore, SRP rules cannot be
migrated to AppLocker rules. To migrate existing SRP rules, you must analyze the
existing SRP rules and determine how they conceptually map to AppLocker rules.

Question: If you have Windows Vista SP2 and Windows 7 clients on your
network, can you use AppLocker to control the applications that can be run on the
clients?
AppLocker Rules

Key Points
AppLocker includes three rule types—allow, deny, and exception—that specify the
applications that are allowed to run on a user's computer. By using the default
AppLocker rules, you can automatically prevent all non-administrator users from
running programs that are installed in their user profile folder.
AppLocker includes the Automatically Generate Rules wizard for automatically
generating rules. By running this wizard on reference computers and specifying a
folder that contains the files for applications that you want to create the rules for,
you can quickly create AppLocker rules automatically.

Rule collections
The AppLocker Microsoft Management Console (MMC) snap-in is organized into
four areas called rule collections. The four rule collections are executable files,
Windows Installer files, scripts, and DLL files. These collections provide an easy
method to differentiate the rules for different types of applications. When planning
your AppLocker rules deployment, you should determine the rule collections
where you will be listing the AppLocker rules.

The following table lists the file formats included in each rule collection.

Rule collection        Associated file formats
Executable             .exe
                       .com
Windows Installer      .msi
                       .msp
Scripts                .ps1 (Windows PowerShell)
                       .bat (Batch files)
                       .cmd (Command scripts)
                       .vbs (VBScript)
                       .js (JavaScript)
DLL                    .dll
                       .ocx

Note: The DLL rule collection is not enabled by default. To enable the DLL rule
collection, right-click AppLocker, and then click Properties. On the Advanced tab,
select the Enable DLL rule collection check box, and then click OK.

Rule conditions
Rule conditions are properties of files that AppLocker uses to enforce rules. Each
AppLocker rule can use a primary rule condition. AppLocker contains the
following rule conditions:
• Publisher. This condition identifies an application based on its digital
signature and extended attributes. The digital signature contains information
about the company or the publisher name that created the application. The
extended attributes, which are obtained from the binary resource, contain the
name of the product that the application is part of and the version number of
the application. You can create this type of rule for an entire product suite,
which allows the rule in most cases to still be applicable when the application
is updated.
• Path. This condition identifies an application by its location in the file system
of the computer or on the network.
• File hash. This condition identifies an application based on the unique file
hash that Windows cryptographically computes for each file. Because the hash
is unique to a specific version of a file, you must create a new rule each time a
publisher updates the file.
If you have multiple rules, you can merge the rules that refer to the same files or
their subsets to have fewer rules.

Question: You need to deny execution of all applications in a folder, but allow
execution of signed applications in that folder. How should you create AppLocker
rules to achieve this goal?
Considerations for Configuring AppLocker

Key Points
AppLocker can set restrictions on files that might otherwise be accessible to users.
Before enforcing AppLocker restrictions, you need to be aware of the following
considerations:
• AppLocker rules do not allow users to open or run any files that are not
specifically allowed. Therefore, you must maintain an up-to-date list of allowed
applications.
• There can be an increase in the initial number of help desk calls from the users
because of blocked applications. However, when the users identify that they
cannot run the blocked applications, the help desk calls may decrease.
• You cannot use AppLocker to manage computers running versions of the
Windows operating system earlier than Windows 7. There is minimal
performance degradation because of the runtime checks.
• AppLocker is set through Group Policy. Therefore, you must be aware of
Group Policy creation and deployment.
• If AppLocker rules are defined in the same GPO as SRP rules, clients that
support AppLocker rules will apply only AppLocker rules and will ignore SRP
rules. To ensure interoperability between Software Restriction Policies rules
and AppLocker rules, you need to define Software Restriction Policies rules
and AppLocker rules in different GPOs.
• When you upgrade a computer that uses Software Restriction Policies rules to
Windows 7 or Windows Server 2008 R2, and then implement AppLocker
rules, only the AppLocker rules are enforced. Therefore, you must create a
GPO for AppLocker in an environment where both Software Restriction
Policies and AppLocker are used.
• When an AppLocker rule is set to the Audit-only mode, the rule is not
enforced. When a user runs an application that is included in the rule, the
application runs normally and the information about that application is added
to the AppLocker event log.
• You can use existing Windows Server 2003 and Windows Server 2008 domain
controllers to host the AppLocker policy. However, you cannot use Windows
Server 2003 or Windows Server 2008 computers to create AppLocker rules.

Question: You need to create a list of the applications that are used in your
company. What would be the fastest way to create that list?
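The audit-only rollout described in the considerations above, from generating rules on a reference computer through reviewing the audit events, can be scripted with the AppLocker PowerShell cmdlets mentioned earlier. The following script is an added example and is not part of the course; it assumes the domain contoso.com, the domain controller LON-DC1, an existing GPO named Desktop Configuration, and C:\Program Files as the reference folder.

```powershell
# Added example (not course material): build AppLocker allow rules from a reference
# computer, switch them to audit-only, test the policy before deployment, merge it
# into a GPO, and list the files that would have been blocked. Requires Windows
# Server 2008 R2 or Windows 7 with RSAT. Domain, DC, GPO and folder are assumptions.
Import-Module AppLocker
Import-Module GroupPolicy

$referenceDir = 'C:\Program Files'            # applications installed on the reference computer
$policyXml    = "$env:TEMP\applocker-audit.xml"
$gpoName      = 'Desktop Configuration'       # existing GPO (assumed)
$dcName       = 'LON-DC1.contoso.com'
$domainDn     = 'DC=contoso,DC=com'

# 1. Gather publisher, hash and path information for executables and scripts, as the
#    Automatically Generate Rules wizard does.
$files = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe, Script

# 2. Create allow rules for Everyone. Publisher rules are preferred because they stay
#    valid across updates; unsigned files fall back to hash rules. -Optimize merges
#    rules that cover the same files so the rule set stays small.
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix Reference -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 3. Set every rule collection to AuditOnly before deploying, so a file that matches no
#    allow rule is logged (event ID 8003) instead of blocked (event ID 8004).
[xml]$policy = Get-Content -Path $policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyXml)

# 4. Check what the policy decides for files that exist locally before anything
#    reaches clients. Windows binaries are outside the reference folder, so they come
#    back DeniedByDefault: no rule matched, which is the implicit deny. That is the
#    signal to add the default rules for the Windows folder before enforcing.
$samples = "$env:windir\System32\notepad.exe", "$env:windir\regedit.exe"
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $samples -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# 5. Merge the policy into the GPO. Keep AppLocker rules in a GPO separate from any
#    SRP rules, because AppLocker-capable clients ignore SRP once AppLocker applies.
$gpo = Get-GPO -Name $gpoName
$ldapPath = "LDAP://$dcName/CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge -Ldap $ldapPath

# 6. On a client where the Application Identity service is running and the GPO has
#    applied, list the files that would have been blocked so the allow list can be
#    refined before the collections are switched to Enforce rules.
Get-AppLockerFileInformation -EventLog -EventType Audited |
    Select-Object Path, Publisher, Hash | Sort-Object Path -Unique
```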
Demonstration: How To Configure AppLocker

Key Points
1. Log on to LON-SVR1 with the user name, CONTOSO\jeff, and the password,
Pa$$w0rd.
2. On LON-SVR1, verify whether jeff has access to Notepad.
3. On LON-DC1, open Active Directory Administrative Center to verify that Jeff
Ford is a member of the Restricted Users group.
4. On LON-DC1, edit Desktop Configuration to start the Application Identity
service and set Define this policy as Automatic.
5. Create an executable AppLocker rule to restrict the users from accessing
Notepad by using the Group Policy Management Editor console with the
following information:
  • Permissions: Deny Restricted Users
  • Path: %system32%\notepad.exe
  • Name: Notepad
  • Select Configure rule enforcement
  • Executable rules: Configured
6. On LON-SVR1, verify whether jeff has access to Notepad, and then check the
reason for the denied access.

Question: What are the different types of AppLocker rule conditions?

Advanced Audit Policies

Key Points
Audit policies allow you to determine the types of events that you want to audit,
such as audit system logon, file access, and object access. Using audit policies, you
can define the type of event that will be written in Event Log.
Security auditing enhancements in Windows Server 2008 R2 and Windows 7 can
help organizations to audit compliance with important business-related and
security-related rules by tracking precisely-defined activities such as:
• A group administrator has modified the settings or data on servers that contain
financial information.
• An employee within a defined group has accessed an important file.
• The correct system access control list (SACL) is applied to every file and folder
or registry key on a computer or file share as a verifiable safeguard against
undetected access.
In the previous versions, there were only nine basic auditing settings. In Windows
Server 2008 R2 and Windows 7, you can track success and failure for 53 audit
settings. These 53 new audit settings allow you to target specifically the types of
activities you want to audit and to eliminate the unnecessary auditing that can
make audit logs difficult to manage and decipher. In addition, you can easily
modify, test, and deploy audit policy settings to selected users and groups,
because the Windows Server 2008 R2 and Windows 7 security audit policy can be
applied by using a domain Group Policy.

Considerations for advanced security audit policy


You can configure all versions of Windows Server 2008 R2 and Windows 7 that
can process Group Policy to use the new advanced security auditing
enhancements. However, there are a number of considerations that apply to
various tasks associated with auditing enhancements in Windows Server 2008 R2
and Windows 7:
• Creating an audit policy. To create an advanced Windows security auditing
policy, you must use a computer that runs Windows Server 2008 R2 or
Windows 7. You can also use the Group Policy Management Console (GPMC)
on a computer running Windows 7 after installing the Remote Server
Administration Tools (RSAT) to configure, deploy, and manage audit policy
settings.
• Applying audit policy settings. To apply the advanced audit policy settings
and global object access settings by using Group Policy, the client computers
must be running Windows Server 2008 R2 or Windows 7. In addition, only
computers running Windows Server 2008 R2 or Windows 7 can provide
"reason for access" reporting data. The "reason for access" reporting data is a
list of access control entries (ACEs) that shows the privileges on which the
decision to allow or deny access to the object was based.
• Developing an audit policy model. To plan advanced security audit settings
and global object access settings, you need to use GPMC that targets a domain
controller running Windows Server 2008 R2.
• Distributing the audit policy. After you develop a GPO that includes
advanced security auditing settings, you can distribute the GPO by using
domain controllers running any Windows server operating system. However,
if you cannot put client computers running Windows 7 in a separate
organizational unit (OU), you should use Windows Management
Instrumentation (WMI) filtering to ensure that the advanced policy settings
are applied only to client computers running Windows 7.

Question: Why would you prefer using advanced audit policies instead of
ordinary audit policies?
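As an added example that is not part of the course, the following Windows PowerShell script walks through the three parts of an advanced audit policy on a single Windows Server 2008 R2 or Windows 7 computer: enabling one subcategory rather than a whole basic category, placing the SACL that actually decides what gets logged, and reading the resulting Security log events, including the "reason for access" data described above. auditpol.exe, the FileSystemAuditRule class and event IDs 4656/4663 are Windows values; the folder path and the sample file are constructed for the example. Run it in an elevated session.

```powershell
# Added example, not from the course: one advanced audit subcategory, a SACL on a
# folder, and the events that result. Elevated PowerShell on Win7 / 2008 R2.
$folder = 'C:\Finance'                                   # constructed sample path
if (-not (Test-Path $folder)) { New-Item -Path $folder -ItemType Directory | Out-Null }

# 1. Enable only the subcategory needed. A basic "Audit object access" setting
#    would switch on every Object Access subcategory (registry, SAM, handle
#    manipulation, ...) and flood the log; the advanced setting is just File System.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"                 # confirm the effective setting

# 2. The audit policy only says that file-system auditing is on. WHICH objects and
#    WHICH accesses are audited is decided by the object's SACL, so put an audit ACE
#    on the folder: Everyone, write and delete attempts, success and failure,
#    inherited by files and subfolders.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone',
            'Write,Delete',                              # FileSystemRights to audit
            'ContainerInherit,ObjectInherit',            # apply to children
            'None',                                      # PropagationFlags
            'Success,Failure')                           # AuditFlags
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl                    # needs the SeSecurityPrivilege

# 3. Produce one audited write and read the events back.
#    4656 = a handle to the object was requested; on Win7 / 2008 R2 its message
#           carries the "Access Reasons" list (the ACE each granted/denied right
#           came from), which is the reason-for-access data.
#    4663 = an access was actually performed through that handle.
Set-Content -Path (Join-Path $folder 'q3-results.txt') -Value 'constructed sample data'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id,
        @{ n = 'User';   e = { $_.Properties[1].Value } },   # SubjectUserName
        @{ n = 'Object'; e = { $_.Properties[6].Value } } |  # ObjectName
    Format-Table -AutoSize
```

In the domain, the same subcategory is set in the GPO under Computer Configuration, Policies, Windows Settings, Security Settings, Advanced Audit Policy Configuration, Object Access, Audit File System. Once a domain advanced audit policy applies, it overrides the nine basic category settings on the client, so always check the effective result with auditpol /get /category:* rather than with the basic Local Policies view.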

Lesson 3
Features of Other Active Directory Server Roles

Windows Server 2008 R2 provides several new features for other Active Directory–
related server roles, such as Active Directory Certificate Services (AD CS) and
Active Directory Rights Management Services (AD RMS). AD CS includes two new
role services—Certificate Enrollment Web Service and Certificate Enrollment Policy
Web Service. AD RMS adds support for deployment and administration through
Windows PowerShell.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the features of AD CS in Windows Server 2008.
• Describe the features of AD CS in Windows Server 2008 R2.
• Describe the features of AD RMS in Windows Server 2008 R2.

Features of Active Directory Certificate Services in Windows Server 2008

Key Points
AD CS is the Microsoft implementation of Public Key Infrastructure (PKI). AD CS
provides customizable services for creating and managing public key certificates
used in software security systems that use public key technologies. Organizations
can use AD CS to enhance security by binding the identity of a person, device, or
service to a corresponding private key. AD CS also includes features that allow you
to manage certificate enrollment and revocation in scalable environments.

Features of AD CS
AD CS provides the following features:
• Certification Authority (CA), which:
• Configures the format and content of certificates, and issues certificates to
users, computers, and services.
• Establishes and verifies the identities of certificate holders.
• Sets policies that control how certificates are to be used.
• Revokes invalid certificates and publishes certificate revocation lists
(CRLs) to be used by certificate verifiers.
• Logs all request, issuance, renewal, and revocation transactions.
• Automated and manual tools to create, distribute, and revoke certificates.
AD CS provides several consoles and command-line tools to manage AD CS,
such as the Certificate Templates MMC snap-in, the Certification Authority
MMC snap-in, the Certificates MMC snap-in, and the certutil.exe command-line
tool.
• Certificate revocation services.
• Integration of CA services with Active Directory Domain Services (AD DS).

AD CS role services
AD CS has the following role services:
• CAs. You can use the root CA and subordinate CAs to issue certificates to
users, computers, and services, and to manage certificate validity.
• CA Web enrollment. The CA Web enrollment service allows users to connect
to a CA by using a Web browser to request certificates, review certificate
requests, retrieve CRLs, and perform smart card certificate enrollment.
• Online Responder. The Online Responder service implements the Online
Certificate Status Protocol (OCSP) by decoding revocation status requests for
specific certificates, evaluating the status of the certificates, and returning a
signed response that contains the requested certificate status information.
• Network Device Enrollment Service (NDES). The Network Device
Enrollment Service allows routers and other network devices that do not have
domain accounts to obtain certificates based on Simple Certificate Enrollment
Protocol (SCEP).

Question: Which applications can use and benefit from digital certificates issued
by AD CS?

Features of Active Directory Certificate Services in Windows Server 2008 R2

Key Points
In addition to the features available in Windows Server 2008, AD CS in Windows
Server 2008 R2 introduces the following features and services that allow flexible
PKI deployments, reduce administration costs, and provide better support for
Network Access Protection (NAP) deployments:
• Certificate Enrollment Web Service and Certificate Enrollment Policy Web
Service. Certificate Enrollment Web services are new AD CS role services that
enable policy-based certificate enrollment over Hypertext Transfer Protocol
(HTTP) by using existing methods such as autoenrollment. The Web services
act as a proxy between a client computer and a CA, which makes direct
communication between the client computer and CA unnecessary, and allows
certificate enrollment over the Internet and across forests.
The Certificate Enrollment Web Service submits requests on behalf of client
computers and must be trusted for delegation. Extranet deployments of this
Web service increase its exposure to network attacks, and some organizations
might not trust the service for delegation. In such instances, you can configure
the Certificate Enrollment Web Service and the issuing CA to accept only
renewal requests signed with existing certificates, which do not require
delegation. The Certificate Enrollment Web Service is available on all editions
of Windows Server 2008 R2 and can work with Enterprise CAs running on
Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
• Support for certificate enrollment across forests. Before the introduction of
enrollment across forests, CAs could issue certificates only to members of the
same forest, and each forest had its own PKI. With added support for
Lightweight Directory Access Protocol (LDAP) referrals, CAs in Windows
Server 2008 R2 can issue certificates across forests that have two-way trust
relationships. To implement this feature, Active Directory forests require the
Windows Server 2003 forest functional level and a two-way transitive trust, but
client computers running Windows XP, Windows Server 2003, Windows
Vista, and Windows 7 do not require updates to support certificate enrollment
across forests. Support for certificate enrollment across forests is available on
enterprise CAs running Windows Server 2008 R2 Enterprise or Windows
Server 2008 R2 Datacenter.
• Improved support for high-volume CAs. Organizations that have deployed
high-volume CAs, such as NAP with IPsec enforcement, can bypass CA
database operations to reduce the CA database size. NAP health certificates
typically expire within hours after being issued, and the CA might issue
multiple certificates per computer each day. By default, a record of each
request and issued certificate is stored in the CA database, but in Windows
Server 2008 R2 AD CS, you can bypass the CA database operations. Because
issued certificates are then not stored in the CA database, certificate revocation
is not possible. However, maintaining a CRL for a high volume of short-lived
certificates is often not practical or beneficial, so some organizations might
use this feature and accept the limitations on revocation. Improved support
for high-volume CAs is available on enterprise CAs running any edition of
Windows Server 2008 R2.

Question: In what way does your organization benefit from the new AD CS
features in Windows Server 2008 R2?
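The CRLs and Online Responder (OCSP) answers that the CA features in the previous topic describe are consumed by certificate verifiers. As an added example that is not part of the course, the following Windows PowerShell function performs that verification with the .NET X509Chain class, fetching the CRL or the OCSP response from the URLs embedded in the certificate; the certificate file path is an assumption. It also makes the limitation of the high-volume CA option above concrete: a certificate that was never recorded in the CA database can never be listed on a CRL, so this check reports such a certificate as good until it expires.

```powershell
# Added example, not from the course: verify an AD CS-issued certificate the way a
# relying party does, including revocation checking against the CRL / OCSP URLs
# in the certificate. Windows 7 / Windows Server 2008 R2, .NET 3.5 or later.
function Test-IssuedCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path      # .cer file (DER or Base64), e.g. exported from a user's store
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Online: download the CRL or query the Online Responder when nothing is cached.
    # EntireChain: check the issuing CA certificates as well, not only the leaf.
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

    $ok = $chain.Build($cert)

    # ChainStatus is empty when everything checks out; otherwise each entry names a
    # problem, for example Revoked, RevocationStatusUnknown (CDP / OCSP unreachable,
    # which a verifier must treat as a failure), OfflineRevocation, NotTimeValid or
    # UntrustedRoot.
    $problems = @($chain.ChainStatus | ForEach-Object {
                    "$($_.Status): $($_.StatusInformation.Trim())" })
    $chain.Reset()

    New-Object PSObject -Property @{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        Valid    = $ok
        Problems = ($problems -join '; ')
    }
}

Test-IssuedCertificate -Path 'C:\certs\user.cer' | Format-List   # assumed path

# The built-in equivalent, which prints every CDP, AIA and OCSP fetch it performs:
# certutil -verify -urlfetch C:\certs\user.cer
```

For a health certificate issued by a CA that bypasses its database, Valid stays True and Problems stays empty for the certificate's whole lifetime, which is why such certificates are kept short-lived: expiry is the only revocation they get.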

Features of Active Directory Rights Management Services

Key Points
AD RMS is an information protection technology that works with AD RMS–
enabled applications to safeguard digital information from unauthorized use inside
and outside the firewall. AD RMS is designed for organizations that need to protect
sensitive and proprietary information such as financial reports, product
specifications, customer data, and confidential e-mail messages. AD RMS augments
an organization's security strategy by protecting information through persistent
usage policies, which remain with the information no matter where it is moved. AD
RMS persistently protects any binary format of data, so the usage rights remain
with the information, rather than on an organization's network. This also enables
usage rights to be enforced after the information is accessed by an authorized
recipient, both online and offline, and inside and outside the organization.
An AD RMS system includes a Windows Server 2003, Windows Server 2008 or
Windows Server 2008 R2–based server running the AD RMS server role that
handles certificates and licensing, a database server, and the AD RMS client. The
latest version of the AD RMS client is included as part of the Windows 7 and
Windows Vista operating systems.

Benefits of AD RMS
Deploying an AD RMS system in an organization provides the following benefits:
• Safeguards sensitive information. You can enable AD RMS for word
processors, e-mail clients, and line-of-business applications to protect sensitive
information. Users can define permissions to open, modify, print, forward, or
take other actions with the information. Organizations can create custom
usage policy templates such as "confidential–read only" and apply them directly
to the information.
• Persistent protection. AD RMS augments existing perimeter-based security
solutions such as firewalls and access control lists (ACLs) by locking the usage
rights within the document. AD RMS also controls how information is used
even after it has been opened by intended recipients.
• Flexible and customizable technology. Independent software vendors (ISVs)
and developers can enable AD RMS for any application or enable other servers,
such as content management systems or portal servers, to work with AD RMS
to protect sensitive information. ISVs can integrate information protection into
server-based solutions such as document and records management, e-mail
gateways and archival systems, automated workflows, and content inspection.
AD RMS provides developer tools and industry security technologies such as
encryption, certificates, and authentication to help organizations create reliable
information protection solutions.

Enhancements in AD RMS
Windows Server 2008 R2 provides the following improvements to the AD RMS
server role:
• Windows PowerShell deployment. Prior to Windows Server 2008 R2, you
could add and provision the AD RMS role only through the Role Management
tool. In Windows Server 2008 R2, you can add and provision the AD RMS role
by using Windows PowerShell cmdlets.
• Windows PowerShell administration. Prior to Windows Server 2008 R2, the
AD RMS administration functionality was generally available through the Role
Management tool or with scripts. In Windows Server 2008 R2, all
administration functionality for the AD RMS role is also available through
Windows PowerShell cmdlets.
Question: What is the difference between NTFS file system permissions and AD
RMS protection of confidential content?

Lab 2B: Configuring Group Policy in Active Directory Domain Services

Introduction
In this lab, you will configure Group Policy in Active Directory Domain Services.
To do this, you will create a Custom Starter GPO and a Group Policy based on the
Custom Starter GPO. You will then verify the Group Policy Preferences by adding a
shortcut to Notepad, creating a new folder on drive C, and configuring drive
mapping. You will also create AppLocker rules and test the Application Control
Policy.

Objectives
After completing this lab, you will be able to:
• Use the Starter GPO
• Use Group Policy Preferences
• Implement Application Control Policies

Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd

• Start the LON-SVR1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-CL1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd

Lab Scenario

You are a server administrator at Contoso, Ltd. Currently, your organization uses
an Active Directory domain and Group Policy for centralized administration. As
part of your job, you first need to explore the new features of Windows Server
2008 R2 and check the Group Policy-related options. You also need to test
Application Control Policies and Group Policy Preferences.

Exercise 1: Using the Starter GPO

The main tasks for this exercise are as follows:
1. Start the virtual servers.
2. Review the existing System Starter GPO and its settings.
3. Create a Custom Starter GPO.
4. Create a new group policy based on the Custom Starter GPO.

Task 1: Start the virtual servers.
• Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• Log on to LON-CL1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.

Task 2: Review the existing System Starter GPO and its settings.
• Examine the Starter GPO settings by using the Group Policy Management
console to verify the following information:
• Verify that there are eight Starter GPOs pre-created
• Verify that the Edit option is not enabled
• View the settings of the Starter GPO

Task 3: Create a Custom Starter GPO.
• On LON-DC1, create the Custom Starter GPO, Default Desktop Configuration
with the following information:
• All Settings: Filter Options
• Enable Keyword Filters
• Filter for word: control panel
• Clear Help Text and Comment
• Disable the Display Control Panel: Enabled

Task 4: Create a new group policy based on the Custom Starter GPO.
• Based on the existing Custom Starter GPO, create a group policy with the
following information:
• GPO name: Desktop Configuration
• Source Starter GPO: Default Desktop Configuration
• Set the State
• Clear Enable Keyword Filters
• Configured: Yes

Results: After completing this exercise, you should have created a Custom Starter GPO
and a group policy based on the Custom Starter GPO.
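As an added example that is not part of the course, the following Windows PowerShell script produces the result of this exercise with the GroupPolicy module that ships with Windows Server 2008 R2 and RSAT. The cmdlet names, the NoControlPanel registry value and the GPO names from the exercise are real; the target OU is an assumption, because the lab does not name one, and mapping the course's "Disable the Display Control Panel" setting to the NoControlPanel value is also an assumption. Run it on LON-DC1 as an administrator.

```powershell
# Added example, not from the course: Exercise 1 carried out with the GroupPolicy
# module (Windows Server 2008 R2 / RSAT), run on a domain controller.
Import-Module GroupPolicy

$starterName = 'Default Desktop Configuration'
$gpoName     = 'Desktop Configuration'
$targetOu    = 'OU=Lab Users,DC=contoso,DC=com'     # assumed OU; adjust to your domain
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Task 2: the pre-created System Starter GPOs are read-only (Type = System);
# only Custom Starter GPOs can be edited.
Get-GPStarterGPO -All | Select-Object DisplayName, Type, Id | Format-Table -AutoSize

# Task 3: create the Custom Starter GPO. Its Administrative Template settings are
# edited in GPMC; the cmdlets below work on the GPO created from it.
New-GPStarterGPO -Name $starterName -Comment 'Course baseline: Control Panel hidden' | Out-Null

# Task 4: create the GPO from the Starter GPO, then set the Control Panel
# restriction. The Control Panel policy under User Configuration writes
# NoControlPanel = 1 under the Explorer policies key (assumed to be the setting the
# course reaches with the keyword filter "control panel").
New-GPO -Name $gpoName -StarterGpoName $starterName | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorerKey `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Link the GPO where it should apply, then verify what was actually written.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
Get-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'NoControlPanel'
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"   # full settings report
```

Get-GPRegistryValue is the quick check that the GPO contains exactly the value you intended; the HTML report is what to keep with the change record, because it shows the link, the security filtering and every setting in one file.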

Exercise 2: Using Group Policy Preferences

The main tasks in this exercise are as follows:
1. Add a shortcut to Notepad on the desktop.
2. Create a new folder on drive C.
3. Configure drive mapping.
4. Verify Group Policy Preferences Application.

Task 1: Add a shortcut to Notepad on the desktop.
• On LON-DC1, create a shortcut to Notepad on the desktop on LON-CL1 by
using the Group Policy Management console with the following information:
• Action: Create
• Location: All Users Desktop
• Target path: C:\Windows\System32\notepad.exe
• Name: Notepad
• Select Item-level targeting
• Computer name: LON-CL1

Task 2: Create a new folder on drive C.
• In the Computer Configuration node, create a new folder on drive C with the
following information:
• Action: Create
• Path: C:\Folder_Preference
• Select Item-level targeting
• New Item: Operating System
• Product: Windows 7

Task 3: Configure drive mapping.
• In the User Configuration node, configure the drive map to share the folder,
Data with the following information:
• Action: Create
• Location: \\LON-DC1\Share
• Select Reconnect
• Label as: Data
• Drive Letter: P

Task 4: Verify Group Policy Preferences Application.
• Log off from LON-CL1.
• Log on to LON-CL1 with the user name, contoso\Administrator, and the
password, Pa$$w0rd.
• Verify that there is a shortcut to Notepad on the desktop, that the
Folder_Preference folder exists on drive C, and that drive P is mapped to the
Share on LON-DC1.

If the Notepad shortcut does not appear on the desktop, run the command
gpupdate /force on LON-DC1 and LON-CL1.

Results: After completing this exercise, you should have created a shortcut to Notepad
on the desktop, a new folder on drive C, and configured a drive map.

Exercise 3: Implementing Application Control Policies

The main tasks in this exercise are as follows:
1. Verify that a user can run Notepad.
2. Edit the group policy to start Application Identity service.
3. Create AppLocker rules to deny Notepad for restricted users.
4. Apply Application Control Policy and verify that the user cannot run Notepad.

Task 1: Verify that a user can run Notepad.
• Log off from LON-SVR1.
• Log on to LON-SVR1 with the user name, CONTOSO\jeff, and the password,
Pa$$w0rd.
• On LON-SVR1, verify whether jeff has access to Notepad.
• On LON-DC1, open Active Directory Administrative Center to verify that Jeff
Ford is a member of the Restricted Users group.

Task 2: Edit the group policy to start Application Identity service.
• On LON-DC1, edit Desktop Configuration to start the Application Identity
service and set Define this policy as Automatic.

Task 3: Create the AppLocker rules to deny Notepad for restricted users.
• Create an executable AppLocker rule to restrict the users from accessing
Notepad by using the Group Policy Management Editor console with the
following information:
• Permissions: Deny Restricted Users
• Path: %system32%\notepad.exe
• Name: Notepad
• Select Configure rule enforcement
• Executable rules: Configured

Task 4: Apply Application Control Policy and verify that the user cannot run
Notepad.
• On LON-SVR1, verify whether Jeff still has access to Notepad, and then check
why access was denied.

Results: After completing this exercise, you should have activated the Application Identity
service and created the AppLocker rules to restrict the users from accessing Notepad.
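As an added example that is not part of the course, the following Windows PowerShell script performs Tasks 2 to 4 of this exercise (and of the earlier AppLocker demonstration) from LON-DC1 instead of the Group Policy Management Editor, and adds the check a defender wants before a rule reaches enforcement. The AppLocker and GroupPolicy cmdlets, the AppIDSvc service name, the policy XML schema and event ID 8004 are Windows values; the lab domain name contoso.com and the GPO distinguished name are assumptions.

```powershell
# Added example, not from the course: the Notepad deny rule for Restricted Users
# built as AppLocker policy XML, tested, and merged into the Desktop Configuration
# GPO. Run on a Windows Server 2008 R2 domain controller with RSAT modules.
Import-Module AppLocker
Import-Module GroupPolicy

$domain  = 'contoso.com'                 # assumed lab domain
$gpoName = 'Desktop Configuration'
$group   = 'CONTOSO\Restricted Users'

# Task 2: AppLocker rules are only enforced while the Application Identity service
# (AppIDSvc) is running. The GPO setting does this for every client; locally it is:
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Task 3: New-AppLockerPolicy generates Allow rules only, so a Deny rule is written
# as policy XML. AppLocker binds rules to a SID, never to a group name.
$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Notepad"
                  Description="Deny Notepad to Restricted Users"
                  UserOrGroupSid="$sid" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\notepad.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'notepad-deny.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Check before deploying: does the policy give the decision the lab expects for jeff?
# (Needs notepad.exe at that path, i.e. any Windows 7 / 2008 R2 computer.)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Windows\System32\notepad.exe' `
    -User 'CONTOSO\jeff' | Select-Object FilePath, PolicyDecision, MatchingRule

# Merge the rule into the GPO's existing AppLocker policy. -Merge keeps the default
# Allow rules that are already there; an enforced Exe collection with no Allow rules
# blocks every executable that is not explicitly allowed, not just Notepad.
$gpoId = (Get-GPO -Name $gpoName).Id.ToString().ToUpper()
$ldap  = "LDAP://$domain/CN={$gpoId},CN=Policies,CN=System,DC=contoso,DC=com"   # assumed DN
Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap $ldap -Merge

# Task 4: after gpupdate on LON-SVR1, Jeff's blocked attempt is recorded as event
# 8004 in "Microsoft-Windows-AppLocker/EXE and DLL"; the message names the matching
# rule, which is the "reason" the task asks you to check.
```

The Test-AppLockerPolicy line should show Denied with MatchingRule Notepad for jeff; running it for an administrator account should show DeniedByDefault, which is the reminder that this XML on its own contains no Allow rules and must be merged rather than set outright.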

The answers to the exercises are on the Course Companion CD.

Before proceeding to the next lab, reset the lab environment.


Lab Review
1. Give a few examples of Group Policy preference extensions.
Examples of Group Policy preference extensions are folder options, mapped
drives, printers, scheduled tasks, services, and Start menu settings.
2. Which AD CS role service should you use to allow routers and other network
devices to obtain certificates based on SCEP?
You should use the Network Device Enrollment Service role service to allow
routers and other network devices to obtain certificates based on SCEP.

Module Reviews and Takeaways

Review Questions
1. You would like to upgrade one of your Windows Server 2008 domain
controllers to Windows Server 2008 R2. What must you do before you can
upgrade the domain controller?
2. Can you enable the Active Directory Recycle Bin feature if you have several
Windows Server 2008 domain controllers?
3. What benefit do managed service accounts provide?
4. Can you use an offline domain join to join a Windows Vista client computer to
the domain?
5. Can you modify or delete the System Starter GPO?

Real-World Issues and Scenarios
1. You demonstrated Active Directory Administrative Center to a customer
named Tony, and he wants to use it for administering his Active Directory. All
domain controllers in Tony's organization are running Windows Server 2008.
Will Tony be able to manage Active Directory by using Active Directory
Administrative Center?
2. Kim, a customer, has an Active Directory domain, and all his domain
controllers are running Windows Server 2008 R2. He accidentally deleted an
organizational unit with several objects. How can he use the Active Directory
Recycle Bin feature to recover the deleted components?
3. You need to change the Windows Explorer settings for all Windows clients in
your domain. You verify that there is no Group Policy setting you could use.
What should you do?

Tools
Tool                                    Use                                                         Where to find it
Active Directory Administrative Center  Task-oriented tool for managing Active Directory            Installed when you add AD DS. It is also part of RSAT.
Djoin.exe                               Command-line tool for pre-creating a computer account in    Command Prompt
                                        AD DS and offline joining a computer to the domain
Gpupdate.exe                            Command-line tool for updating the user and computer        Command Prompt
                                        parts of Group Policy
DCPromo.exe                             Tool for installing and deleting AD DS                      Command Prompt
ADPrep.exe                              Utility for extending the Active Directory schema and       \support\adprep folder on the Windows Server 2008 R2
                                        preparing the forest and domain for a new domain            installation disk
                                        controller

Module 03
Configuring Server Virtualization by Using
Hyper-V
Contents:
Lesson 1: Configuring the Features of Windows Server 2008 R2 Hyper-V 3-4
Lesson 2: Configuring Live Migration in Hyper-V 3-21
Lesson 3: System Center Virtual Machine Manager R2 3-34
Lab: Configuring Server Virtualization by Using Hyper-V 3-52

Module Overview

Using Windows Server® 2008 Hyper-V® virtualization, you can efficiently run
multiple different operating systems in parallel on a single server, and fully use the
power of x64 computing.
In this module, you will learn how to configure the features of Hyper-V in
Windows Server® 2008 R2, such as Live Migration. You will also learn the benefits
of Live Migration. In addition, you will learn about other improvements such as
hot add or removal of SCSI storage devices, network enhancements, and improved
virtual hard disk (VHD) performance.
As Live Migration depends on failover clustering, you will learn about Cluster
Shared Volumes (CSV) and enhanced Failover Clustering Validation, which are
failover clustering enhancements in Windows Server 2008 R2.
Finally, you will review the features of System Center Virtual Machine Manager,
which is a recommended tool for managing Hyper-V in enterprise environments.
After completing this module, you will be able to:
• Describe Windows Server 2008 R2 Hyper-V.
• Configure Live Migration in Hyper-V.
• Describe System Center Virtual Machine Manager R2.

Lesson 1
Configuring the Features of Windows Server 2008 R2 Hyper-V

Windows Server 2008 R2 Hyper-V helps you implement server virtualization.
Hyper-V allows you to optimize the use of your server hardware investments by
consolidating multiple servers as separate virtual machines (VMs) running on a
single physical computer.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the features of Hyper-V in Windows Server 2008.
• Describe the Hyper-V architecture.
• Explore Hyper-V Manager Microsoft Management Console (MMC).
• Describe the features of Hyper-V in Windows Server 2008 R2.
• Describe Cluster Shared Volumes.
• Describe the enhancements in Failover Clustering Validation.
• Configure failover clustering and Cluster Shared Volumes (CSV).

Features of Hyper-V in Windows Server 2008

Hyper-V provides you with a dynamic, reliable, and scalable virtualization
platform. The platform is combined with a set of integrated tools to manage both
physical and virtual resources. Hyper-V enables the data centers of business
enterprises to be highly responsive and dynamic.
The key features of Hyper-V are:
• New and improved architecture. Hyper-V is a 64-bit hypervisor-based
virtualization technology for Windows Server. However, it is also available free
of cost, as Microsoft Hyper-V Server.
Hyper-V provides isolation in terms of partitions. A partition is a logical unit of
isolation, supported by the hypervisor, in which an operating system runs. A
partition can be 32-bit or 64-bit.
• Broad operating system support. Hyper-V supports different operating
systems that can run simultaneously, including 32-bit and 64-bit systems
across different server platforms. Hyper-V supports the following operating
systems:
• Windows Server 2008 R2
• Windows Server 2008
• Windows Server 2003
• Windows 2000 Server
• Windows® 7
• Windows Vista™
• Windows XP
• Novell SUSE
• Symmetric Multiprocessors (SMP) support. Hyper-V supports a maximum
of 64 processors on Windows Server 2008 R2 and a maximum of 16
processors on Windows Server 2008. Each VM can use a minimum of one and
maximum of four virtual processors, depending on the operating system in the
VM.
• Network Load Balancing (NLB). Hyper-V includes virtual switch capabilities.
You can configure VMs to run with Windows NLB Service to balance the load
across VMs on different servers.
• Hardware sharing architecture. With Virtual Service Provider (VSP) and
Virtual Service Consumer (VSC) architecture, Hyper-V provides improved
access and utilization of core resources such as disk, networking, and video.
Certain operating systems, such as Windows Server 2008 R2 and Windows 7,
already include VSC code. For other operating systems, you need to install the
integration components manually to benefit from VSP/VSC architecture.
• Quick Migration. Hyper-V enables rapid migration of a running VM from one
physical host system to another with minimal downtime. It uses the familiar
high-availability capabilities of Windows Server and System Center
management tools. Windows Server 2008 R2 adds support for Live Migration,
which enables migration of a running VM without downtime.
• VM snapshots. Using Hyper-V, you can take snapshots of a VM while it is
running. A snapshot consists of virtual machine state, data, and hardware
configuration. This will help you revert to a previous point in time. VM
snapshots are typically used in development and test environments.
• Scalability. With support for multiple processors at the host level and
improved memory access within VMs, you can vertically scale up your
virtualization environment to support a large number of VMs within a given
host and continue to leverage Live Migration for scalability across multiple
hosts.
• Extensible virtualization. Hyper-V provides standards-based Windows
Management Instrumentation (WMI) interfaces and application programming
interface (API), so third parties can build custom tools, utilities, and
enhancements for the virtualization platform.
You can use Hyper-V for:
• Server consolidation. You can consolidate servers onto fewer Hyper-V hosts
while maintaining isolation between them. This also provides better physical
hardware utilization.
• Business continuity and disaster recovery. You can reduce scheduled and
unscheduled downtime, with the ability to recover an entire computer,
including data and operating system state, to a previous point in time, last
known good configuration, or bare metal state.
• Testing and development. You can maintain a development or testing
environment that is identical to the production environment, quickly create
new VMs, and return them to a previous state.
• Dynamic data center. You can migrate VMs to the most suitable physical
hosts without any downtime.

Question: In which situations do you use virtualization in your environment?


Hyper-V Architecture

Hyper-V is a hypervisor-based virtualization technology. The hypervisor is the
processor-specific virtualization platform that allows multiple isolated operating
systems to share a single hardware platform.
The virtualization stack runs within the parent partition and has direct access to
hardware devices. The parent partition then creates child partitions, which host the
guest operating systems.
After the initial Windows Server 2008 R2 installation, the operating system can
access the server hardware directly.
After you add the Hyper-V role, a thin hypervisor layer is inserted between the
operating system and the hardware resources. The currently installed operating
system becomes the parent partition, from which you create and manage child
partitions. Child partitions do not have direct access to the physical hardware
resources; they are presented a virtual view of the resources as virtual devices.

Note: The partitions do not have access to the physical processor, nor do the partitions
manage the processor interrupts. The partitions have a virtual view of the processor
and run in a virtual memory address region that is private to each guest partition.

Drivers in the parent partition are used for accessing the server hardware. Child
partitions use virtualized devices through VSC drivers, which communicate
through Virtual Machine Bus (VMBus) with VSPs in the parent partition. Requests
to the virtual devices are redirected either through the VMBus or through the
hypervisor to the devices in the parent partition.
The VMBus manages the requests. The VMBus is a logical inter-partition
communication channel. The parent partition hosts VSPs, which communicate
over the VMBus to handle device access requests from child partitions. Child
partitions host VSCs, which redirect device requests to VSPs in the parent partition
through the VMBus.

Enlightened I/O
Virtual devices use the enlightened I/O feature in Hyper-V, for the following:
• Storage
• Networking
• Graphics
• Input subsystems
Enlightened I/O is a specialized virtualization-aware implementation of high-level
communication protocols such as SCSI that utilize VMBus directly, bypassing any
device emulation layer. This makes communication more efficient.

Note: To make communication efficient, Hyper-V hardware assisted virtualization
requires a hypervisor and VMBus–aware enlightened guest operating system. Hyper-V
enlightened I/O and a hypervisor-aware kernel are provided through the installation of
Hyper-V integration services. Integration components, which include VSC drivers, are
available for other client operating systems.

Note: Hyper-V requires a processor that includes hardware-assisted virtualization, such
as is provided with Intel VT or AMD Virtualization (AMD-V) technology.

Question: Hyper-V is a Windows Server 2008 R2 role and requires a 64-bit server
platform. Can you install a 32-bit version of Windows 7 in the Hyper-V child
partition?

Demonstration: Exploring Hyper-V MMC

Key Points
1. Open the Hyper-V Manager console and explore administrative tasks such as
Virtual Machine, Hard Disk, Hyper-V Settings, Settings of the virtual machines,
and Virtual Network Manager.
2. Create a new snapshot, Snapshot1 for LON-SVR1, and then create a shortcut
on the desktop of LON-SVR1.
3. On LON-CL1, open the Hyper-V Manager console and explore how to
administer Hyper-V remotely by using the Connect to Server option.
Question: How will you transfer files from the physical computer to the virtual
machine when there is no network connectivity between them?

Features of Hyper-V in Windows Server 2008 R2

Hyper-V in Windows Server 2008 R2 includes features such as Live Migration,
dynamic VM storage, improved VHD performance, enhanced processor support,
and enhanced networking support.
Live Migration
Live Migration allows you to move VMs from one node of the failover cluster to
another node in the same cluster without a dropped network connection or
perceived downtime, while they are still running.
A failover cluster is a group of independent computers that work together to
increase the availability of applications and services across an environment. The
clustered servers, called nodes, are connected by physical cables and by software.
If one of the cluster nodes fails, another node begins to provide the service. This
process is known as failover clustering. Users experience minimal disruption in
service during a failover.
Note that Live Migration requires the failover clustering feature to be added and
configured on the servers running Hyper-V. In addition, failover clustering requires
shared storage for the cluster nodes. On a server running Hyper-V, only one Live
Migration, to or from the server, can be in progress at a given time. You cannot use
Live Migration to move multiple VMs simultaneously.
You can use the new Cluster Shared Volumes (CSV) feature of failover clustering in
Windows Server 2008 R2 with Live Migration. CSV provides increased reliability
when used with Live Migration and VMs. It also provides a single, consistent file
namespace so that all servers running Windows Server 2008 R2 view the same
storage.
With Processor Compatibility Mode, it is possible to move VMs or perform Live
Migration between different processor versions within the same processor family,
such as Intel or AMD. You cannot perform Live Migration between different
processor vendors.
Dynamic VM storage
Improvements to VM storage include:
• Support for hot plug of storage.
• Support for hot removal of storage.
If required, you can reconfigure VM storage easily, because the dynamic virtual
storage functionality supports adding and removing virtual hard disks and physical
disks while the VM is running.

Note: Hot plug and removal of storage requires that Integration Services are present
in the guest operating system.

Improved VHD performance
The performance of the dynamically expanding VHD is improved in Hyper-V on
Windows Server 2008 R2. The performance of a fixed-size VHD has also been
improved and is almost identical to native throughput. You should use fixed-size
disks for production, because they preallocate disk usage.
Enhanced processor support
Hyper-V supports up to 64 logical processors and can run up to 384 VMs with up
to 512 virtual processors.
Enhanced networking support
Improvements in networking support include:
• Support for jumbo frames. Support for jumbo frames has been extended and
is available to VMs, if the underlying physical network supports it. VMs can
use jumbo frames up to 9,014 bytes in size. Hyper-V includes jumbo frame
support on 1 GB networks and faster.
• Support for Chimney (TCP Offloads). The TCP Chimney feature offloads the
processing of network traffic from the networking stack. This feature reduces
processor usage and increases network performance.
• Support for Virtual Machine Queue (VMQ). This reduces the overhead
associated with network traffic.
These two technologies allow Hyper-V to take advantage of network offload
technologies. Instead of a core CPU processing the network packets, these packets
can be moved to the offload engine on the 10 GB network interface card (NIC),
which reduces processor usage and improves performance.
Many of the new Hyper-V features, such as VMQ, Chimney, and CPU core parking,
require compatible hardware.

Question: Will your company benefit from the new Hyper-V features in Windows
Server 2008 R2? Which new feature is most useful to you?

Cluster Shared Volumes

Failover clustering in Windows Server 2008 uses the shared-nothing storage
model. In the shared-nothing storage model, each disk is owned by a single failover
cluster node at any time and only that node can perform read/write operations on
it.
CSV is a feature of failover clustering that is available in Windows Server 2008 R2
for use with the Hyper-V role. CSV enables multiple nodes to concurrently access a
single shared volume and makes it transparent which node actually owns the
disk. CSV is a standard cluster disk containing an NTFS file system volume
that is made accessible for read and write operations to all nodes in the failover
cluster. If a VM is stored on a CSV, it can be moved without requiring any drive
ownership change, because no dismounting and remounting of the CSV is required.
Using CSV, you can configure clustered VMs for Quick Migration and Live
Migration.
The advantages of CSV are as follows:
• Reduced number of disks' logical unit numbers (LUNs). You can reduce the
number of LUNs required for your VMs by using CSV. In earlier versions of
Windows operating systems, you needed a configuration with one LUN per VM,
because the LUN was the unit of failover. In Windows Server 2008 R2, many
VMs can use a single LUN and can fail over without causing the other VMs on
the same LUN to also fail over.
• Better use of disk space. Instead of placing each VHD file on a separate disk
with free space set aside just for that VHD file, you can keep free space on a
CSV, where it can be used by any VHD file on that LUN.
• Effortlessly track the paths of VHD files and other files. You can track the
paths of VHD files and other files used by VMs. You can specify the path
names, instead of using drive letters or Globally Unique Identifiers (GUID) to
identify disks. Using CSV, the path appears to be on the system drive of the
node, under the \ClusterStorage folder. Note that the same path can be viewed
from any node in the cluster.
• Fewer CSVs to create a configuration to support clustered VMs. For quick
validations, you can use a single CSV to create a configuration that supports
many clustered VMs. You can perform validation by running the Validate a
Configuration Wizard in the snap-in for failover clusters. With fewer LUNs,
validation can be done faster.
• No specific hardware requirements. There are no specific hardware
requirements. CSV runs on the hardware that is required for storage in a
failover cluster. Note that CSV requires an NTFS file system.
• Increased resiliency. Resiliency is increased because the cluster can respond
correctly even if connectivity between one node and the storage area network
(SAN) is interrupted, or part of a network is down. The cluster will re-route the
CSV traffic through an intact part of the SAN or network.

Note: You need to have an established network from the servers to the SAN. Usually a
separate network is used for server-to-SAN traffic. If one network fails and there is
another available path from the server to the SAN, the alternative path will be used.

• Optimized for VHD access. CSV is optimized for VHD access; it is only
supported with Hyper-V and is disabled by default.

Question: How can you get Cluster Shared Volumes support on Windows Server
2008 R2?

Enhanced Failover Clustering Validation

Failover clustering is a feature available in Windows Server 2008 and Windows
Server 2008 R2 Enterprise and Datacenter Editions. You can benefit from it when
high availability is required or in migration scenarios where you use Quick
Migration or Live Migration.
Cluster validation tests
For a failover cluster solution, you must ensure that all the hardware components
are marked as "Certified for Windows Server 2008 R2." In addition, the complete
configuration (servers, network, and storage) must pass all the tests in the Validate
a Configuration Wizard in the Failover Cluster Manager snap-in. With the Validate a
Configuration Wizard, you can run a set of focused tests on a collection of servers
that you intend to use as nodes in a cluster. This cluster validation process tests the
underlying hardware and software directly and individually. The tests are done to
obtain an accurate assessment of how effectively you can implement failover
clustering on a given configuration. You can run the Validate a Configuration
Wizard before, during, or after cluster deployment.

Cluster Configuration tests
In Windows Server 2008 R2, additional tests are built into the Cluster Validation
Wizard. The earlier versions of the Cluster Validation Wizard include tests that
help you test a set of servers, networks, and the attached storage before you use
them together in a cluster. The tests are also useful for re-testing a cluster after you
make a change, for example, a change to the storage configuration. These tests
continue to be available, with an additional set of tests.
The new tests are called the Cluster Configuration tests. The new tests help you
check settings that are specified within the cluster, such as the settings that affect
how the cluster communicates across the available networks. These tests help you
analyze your current configuration. You can also use the Cluster Configuration
tests to review and archive the configuration of your clustered services and
applications. Note that this includes settings for the resources within each
clustered service or application.
With these tests, you can fine-tune your cluster configuration, track the
configuration, and identify potential cluster configuration issues before they cause
downtime. This can help you optimize your configuration and compare it against
the best practices that you have identified for your organization.
Failover clustering in Windows Server 2008 R2 also provides Windows®
PowerShell cmdlets for failover clusters and support for additional clustered
services such as Distributed File System (DFS) Replication and Remote Desktop
Connection Broker.

Question: When will you use the failover clustering Validation Wizard?

Demonstration: How To Configure Failover Clustering and
Cluster Shared Volumes

Key Points
1. On the physical computer, set the following iSCSI Initiator properties to
connect the iSCSI target to the physical computer:
• Target: 192.168.10.150
• Quick Connect: iqn.1991-05.com.microsoft:LON-SVR1-lun-01-target
2. Open the Server Manager console to create a new volume with size 15,000 MB
for Disk 1.
3. On LON-DC1, open the Server Manager console to configure the Failover
Clustering feature.
4. Open the Failover Cluster Manager console to create a cluster and run the
validation tests with the following information:
• Server name: VM-Team (physical computer name)
• Run the validation test.
• Validation Warning: No. I do not require support from Microsoft
for this cluster, and therefore do not want to run the validation
tests. When I click Next, continue creating the cluster
• Cluster Name: LON-FC
• Address: 192.168.10.15
5. On the physical computer, enable the restricted feature, Cluster Shared
Volumes, for the LON-FC.Contoso.com node, and add a disk, Cluster Disk 1,
to it.
6. Add the disk, Clustered Disk 1, to the Cluster Shared Volumes of
LON-FC.Contoso.com.
7. On the physical computer, copy the Base10D-WS08Corex64-HV.vhd file from
C:\Program Files\Microsoft Learning\Base and paste it in
C:\ClusterStorage\Volume1.
Question: How will you enable Cluster Shared Volumes?

Lesson 2
Configuring Live Migration in Hyper-V

With Hyper-V Live Migration, you can move running VMs from one Hyper-V
physical host to another without any disruption of service or perceived downtime.
Live Migration is integrated with Windows Server 2008 R2 Hyper-V and Microsoft
Hyper-V Server 2008 R2. Because Hyper-V Live Migration can move running VMs
without downtime, it will facilitate greater flexibility and value. Data centers with
multiple Hyper-V physical hosts will be able to move running VMs to the best
physical computer for performance, scaling, or optimal consolidation without
impacting users. Live Migration makes it possible to keep VMs online, even during
physical host maintenance. This helps increase productivity and provides higher
availability for both users and server administrators.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the reasons for configuring Live Migration.
• Describe the storage requirements of Live Migration.
• Describe how Live Migration works.
• Describe Live Migration internals.
• Configure Live Migration.
• Compare Live Migration with Quick Migration.

Reasons for Configuring Live Migration

Key Points
Live Migration enables dynamic scenarios such as proactive maintenance and
moving VMs to the hosts with the most resources available. The reasons for
configuring Live Migration include:
• Servicing hardware. At times when the physical host needs additional storage,
memory, or a basic input/output system (BIOS) update, Live Migration is an
option. Also, if the server needs to be taken offline, and you want to preserve
VM availability, you can move VMs from the server to a different physical host
to perform scheduled maintenance. This maintenance can include server
upgrade or replacement, if needed.
• Updating the host operating system. If the parent partition needs to be
updated and that update requires a reboot, you need to move the VMs from
the physical server to preserve their availability during scheduled maintenance.
This also applies to any other change to the host operating system that requires
a reboot.
• Moving a VM to an appropriate host. You can use Live Migration to move a
VM to a different host. The utilization of the physical server can increase and
it might not have enough resources available for the VMs. You can move one
or more VMs to the best physical computer for performance, scaling, or
optimal consolidation without impacting users.

Question: Why would you use Live Migration?


Requirements for Live Migration

Key Points
Hyper-V Live Migration has requirements very similar to those of Hyper-V Quick
Migration. For organizations already using Quick Migration, the shift to Live
Migration should be easy. The physical hosts that will participate in Live Migration
must be configured with the failover clustering feature and must use shared storage.
In addition, the physical hosts must use the same processor type. For example, to use
Live Migration to move a VM from one Hyper-V physical host to another, both
physical hosts must use processors from the same manufacturer. There are no
differences in storage requirements between Quick Migration and Live Migration.
The following editions of Windows Server 2008 R2 support Live Migration:
• Windows Server 2008 R2 Enterprise Edition
• Windows Server 2008 R2 Datacenter Edition
• Hyper-V Server 2008 R2 also supports Live Migration
For Live Migration, you should have:
• Microsoft failover clustering on all physical hosts that will use Live Migration.
• Up to 16 physical nodes that can be cluster members and can participate in
Live Migration.
• A cluster with a dedicated network for the Live Migration traffic.
• Physical host servers that use a processor or processors from the same
manufacturer.
• Physical hosts on the same TCP/IP subnet.
• Access to shared storage for all physical hosts.
Live Migration helps you move VMs between failover cluster nodes without
perceived downtime. Live Migration requires that both nodes be operational, and
it must be initiated by you, either from the console or from the command prompt.
If a node hosting VMs fails, the VMs fail over and restart on other Hyper-V nodes
in the cluster. However, this causes downtime for the VMs that are transferred to
different nodes, because the state of the VM is lost when the node goes offline.

Note: CSV is recommended for VM storage in a cluster where Live Migration is to be
used.

Note: One Live Migration can be active between any two cluster nodes at any time. This
means that a cluster will support number_of_nodes/2 simultaneous Live Migrations. For
example, a 16-node cluster will support 8 simultaneous Live Migrations with no more
than one Live Migration session active from every node of the cluster.

Note: A dedicated 1 gigabit Ethernet connection is recommended for the Live Migration
network between cluster nodes to transfer the large number of memory pages typical for
a VM.

Question: Can Hyper-V be used on a Windows Server 2008 R2 Standard Edition
with 4 GB of random access memory (RAM)? Can this server be used for Live
Migration? Can Hyper-V Server 2008 R2 be used for Live Migration?

How Live Migration Works

Key Points
The Live Migration process is designed to move a running VM from the source
physical host to a destination physical host as quickly as possible. You can initiate
a Live Migration through one of the following methods:
• Failover Cluster Management console
• Virtual Machine Manager (VMM) administration console, if VMM is used for
managing physical hosts
• A WMI or PowerShell script
Any guest operating system supported by Hyper-V will work with the Live
Migration process. After Live Migration is initiated, the following process occurs:
• Setting up of Live Migration. In the first stage of a Live Migration, the source
physical host creates a Transmission Control Protocol (TCP) connection with
the destination physical host. This connection is used to transfer the VM
configuration data to the destination physical host. A skeleton VM is set up on
the destination physical host and memory is allocated to the destination VM.
• Transferring of memory pages from the source node to the destination
node. In the second stage of Live Migration, the memory assigned to the
migrating VM is copied over the network to the destination physical host. This
memory is referred to as the working set of the migrating VM. In addition to
copying the working set to the destination physical host, Hyper-V on the
source physical host monitors the pages in the working set. As memory pages
are modified, they are tracked and marked as being modified. During this
phase of the migration, the migrating VM continues to run. Hyper-V iterates
the memory copy process several times, and each time a smaller number of
modified pages are copied to the destination physical computer. A final
memory copy process copies the remaining modified memory pages to the
destination physical host. The source physical host transfers the register and
device state of the VM to the destination physical host. During this stage of
Live Migration, the network bandwidth available between the source and
destination physical hosts is critical to the speed of Live Migration. For this
reason, 1 GB Ethernet or faster is recommended. The faster the source
physical host can transfer the modified pages from the migrating VM's working
set, the more quickly Live Migration will complete. The Live Migration process
may be cancelled at any point before this stage of the migration.
• Moving of the storage handle from source to destination. In the fourth stage
of Live Migration, control of the storage associated with source physical host,
such as any VHD files or pass-through disks, is transferred to the destination
physical host.
• Resuming of the VM on the destination server. In the fifth stage of Live
Migration, the destination physical server now has the up-to-date working set,
and access to any storage used by the VM. At this point, the VM is resumed.
• Cleaning up of network occurs. In the final stage of Live Migration, the
migrated VM is running on the destination physical server. At this point, a
message is sent to the physical network switch, which causes it to re-learn the
media access control (MAC) addresses of the migrated VM, so that network
traffic to and from the VM can use the correct switch port.
The Live Migration process should complete in less than the TCP timeout interval
for the VM being migrated. TCP timeout intervals vary based on network topology
and other factors.

Question: Assuming that you have two identically configured VMs available for
Live Migration, in which situation would one VM be migrated faster than the
other?

How Live Migration Transfers Memory Pages

Key Points
During Live Migration, memory pages are transferred from the source node to the
destination node. In this phase, the following process happens:
• The memory assigned to the migrating VM is copied over the network to the
destination physical host.
• The worker process on the source host first creates a dirty bitmap of memory
pages. The dirty bitmap marks the memory pages that still need to be transferred
to the destination host. Before migrating, it contains the complete working set of
the migrating VM.
• Finally, as the worker process iterates over the pages and sends them to the worker
process on the destination host, the number of dirty memory pages decreases.
In addition to copying the working set to the destination host, the Hyper-V worker
process on the source host registers for modify notifications on pages to detect
subsequent changes, because the source VM is still active and possibly modifying
the memory. As memory pages are modified by the VM, they are tracked and
marked as being modified. The list of modified pages is simply the list of memory
pages that were modified after the copy of the working set was begun. The Hyper-V
worker process iterates the memory copy process several times, and each time a
smaller number of modified pages will need to be copied to the destination host. It
stops iterating when all pages are sent and no modified page is waiting to be
copied, or after 5 iterations. The following variables may affect the Live
Migration speed:
• The number of modified pages on the VM to be migrated: the larger the
number of modified pages, the longer the VM will remain in a migrating state
• Network bandwidth available between source and destination physical
computers
• Hardware configuration of source and destination physical computers
• Load on source and destination physical hosts
• Available bandwidth, network, or Fiber Channel between Hyper-V physical
hosts and shared storage
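The memory-transfer loop described in the two topics above (How Live Migration Works and How Live Migration Transfers Memory Pages) can be modelled in a few lines. The following Python script is an added example, not course material or Microsoft code: it simulates the dirty bitmap, the repeated copy passes capped at 5, and the final copy of whatever is still dirty while the VM is paused, under three constructed guest workloads (an idle guest, a shrinking write burst, and an application that keeps rewriting the same 64 pages). The 4 KB page size, the 4,096-page working set and the 1 Gbps link are assumed sample values, not measurements of a real host.

```python
"""Model of Hyper-V Live Migration's iterative memory pre-copy (added
example, not Microsoft code). Page counts, workloads and link speed are
constructed sample values."""
from dataclasses import dataclass
from typing import Callable, List, Set

MAX_PRECOPY_PASSES = 5      # the worker process stops after 5 iterations (course text)
PAGE_SIZE_BYTES = 4096      # assumption: 4 KB guest pages

# A workload maps a pass number to the set of page numbers the guest wrote
# while that pass was being copied. It stands in for the modify
# notifications the source worker process registers for.
Workload = Callable[[int], Set[int]]


def idle_workload(_pass_number: int) -> Set[int]:
    """Guest touches no memory during the copy (an idle server)."""
    return set()


def hot_set_workload(pages: Set[int]) -> Workload:
    """Guest rewrites the same pages on every pass (an application that is
    constantly modifying memory), so the dirty set never converges."""
    return lambda _pass_number: set(pages)


def decaying_workload(total_pages: int) -> Workload:
    """Constructed write burst that shrinks 16x per pass, so each pass
    copies fewer pages than the previous one and the dirty set empties."""
    return lambda pass_number: set(range(total_pages >> (4 * pass_number)))


@dataclass
class PrecopyResult:
    passes: int                  # pre-copy iterations performed (at most 5)
    pages_per_pass: List[int]    # pages sent while the VM kept running
    final_pages: int             # dirty pages sent after the VM is paused
    converged: bool              # True if the bitmap emptied before the cap

    @property
    def total_pages_sent(self) -> int:
        return sum(self.pages_per_pass) + self.final_pages


def precopy(total_pages: int, workload: Workload,
            max_passes: int = MAX_PRECOPY_PASSES) -> PrecopyResult:
    """Iterate the copy until no page is dirty or max_passes is reached."""
    # Before migrating, the dirty bitmap holds the complete working set.
    dirty: Set[int] = set(range(total_pages))
    pages_per_pass: List[int] = []
    passes = 0
    while dirty and passes < max_passes:
        passes += 1
        pages_per_pass.append(len(dirty))   # send every page marked dirty
        # Pages the guest writes during this pass are marked again and
        # form the (normally smaller) dirty list for the next pass.
        dirty = workload(passes)
    # Whatever is still dirty goes in the final copy, together with the
    # register and device state, while the VM is paused.
    return PrecopyResult(passes, pages_per_pass, len(dirty), not dirty)


def blackout_seconds(result: PrecopyResult, link_bits_per_second: float) -> float:
    """Rough pause time for the final copy: remaining dirty pages over the
    migration link. The small register/device state is ignored."""
    return result.final_pages * PAGE_SIZE_BYTES * 8 / link_bits_per_second


if __name__ == "__main__":
    n = 4096  # constructed: a 16 MB working set of 4 KB pages
    scenarios = [
        ("idle guest", idle_workload),
        ("decaying burst", decaying_workload(n)),
        ("hot loop on 64 pages", hot_set_workload(set(range(64)))),
    ]
    for label, wl in scenarios:
        r = precopy(n, wl)
        print(f"{label:22s} passes={r.passes} per_pass={r.pages_per_pass} "
              f"final={r.final_pages} converged={r.converged} "
              f"blackout@1Gbps={blackout_seconds(r, 1e9) * 1000:.2f} ms")
```

Running it shows why the question that follows matters: the idle guest converges in one pass, the decaying burst converges in four, while the hot loop never converges, uses all 5 passes and still has 64 pages to send during the pause. A write-heavy VM therefore stays in the migrating state longer and has a longer blackout, and the faster the link, the shorter that blackout is.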

Question: What will happen to Live Migration if you run an application that is
constantly modifying the memory in the VM that you want to migrate?

Demonstration: How To Configure Live Migration

Key Points
1. On the physical computer, create a virtual machine, Clustered VM, by using
the Hyper-V Manager console, with the following information:
• Select Store the virtual machine in a different location
• Location: C:\ClusterStorage\Volume1
• Memory size: 512 MB
• Connect Virtual Hard Disk: Use an existing virtual hard disk
• Location: C:\ClusterStorage\Volume1\Base10D-WS08R2Core-HV.vhd
2. On the physical computer, configure a service or application to make the
virtual machine, Cluster VM, highly available, by using the Failover Cluster
Manager console.
Verify that Clustered VM is added under Services and applications.

Question: How will you configure the physical host machine to enable it to
participate in Live Migration?

Discussion: Live Migration vs. Quick Migration

Quick Migration is a feature of both Windows Server 2008 Hyper-V and Windows
Server 2008 R2 Hyper-V, while Live Migration is available only in Windows Server
2008 R2. Live Migration and Quick Migration both move running VMs from one
Hyper-V physical server to another. However, Quick Migration saves, moves, and
restores a VM, which results in some downtime. The Live Migration process uses a
different mechanism for moving the running VMs to new physical computers.
Windows Server 2008 Hyper-V supports Quick Migration. Windows Server 2008
R2 Hyper-V supports both Quick Migration and Live Migration. Quick Migration
and Live Migration use the same storage infrastructure, so it is easy to move from
Quick Migration to Live Migration after the servers run on Windows Server 2008
R2.

Lesson 3
System Center Virtual Machine Manager R2

Microsoft System Center Virtual Machine Manager 2008 provides centralized
administration and management of the virtual environment for your organization.
The management solution provides you with dynamic resource optimization of a
virtual infrastructure.
System Center Virtual Machine Manager 2008 helps you increase the utilization of
physical servers with intelligent placement of VMs. It provides physical-to-virtual
(P2V) and virtual-to-virtual (V2V) conversion and helps in rapid provisioning of
new VMs by providing a self-service web portal. You can create a company-wide
repository of VM building blocks with the Virtual Machine Manager library, and
you can control System Center Virtual Machine Manager 2008 through familiar
user interfaces.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the features of System Center Virtual Machine Manager 2008.
• Describe the System Center Virtual Machine Manager 2008 Console.
• Describe Virtual Machine Manager Library.
• Describe intelligent placement of VMs.
• Describe the Self-Service portal.
• Describe the features of System Center Virtual Machine Manager 2008 R2.

Features of System Center Virtual Machine Manager 2008

Key Points
System Center Virtual Machine Manager 2008 provides a virtualization
management solution for a virtualized data center. The virtualized data center
increases physical server utilization and provides a centralized management view
of both physical and VM infrastructure.
System Center Virtual Machine Manager 2008 includes features to manage VMs
and physical VM hosts, and familiar interfaces with support for Windows
infrastructure.

Features for managing VMs
The following are the features for managing VMs:
• Intelligent placement. When you deploy a VM, System Center Virtual
Machine Manager 2008 helps you analyze performance data and resource
requirements for both the workload and the host. With this feature, you can
fine-tune placement algorithms to get the best matched deployment
recommendations. With System Center Operations Manager 2007 support,
you can also enable the PRO feature, which supports workload-aware and
application-aware resource optimization.
• Self-Service Web portal for delegated provisioning. System Center Virtual
Machine Manager 2008 provides a Web portal for delegated and rapid
provisioning of new VMs. This feature is especially useful for software test and
development teams, which often set up temporary VMs to try out new
software.
• Library. System Center Virtual Machine Manager 2008 provides a centralized
library to store and manage various VM building blocks, off-line machines, and
other virtualization components. The components include virtual hard disks,
CD or DVD media, ISO images, post-deployment customization scripts,
hardware configurations, and templates. The library helps keep VM
components organized. Using the library, you can access the following:
• Hardware profiles that include the VM hardware settings
• Operating system profiles for configuring the VM operating system
• Template Virtual Hard Disks and configurations
• ISO images

Features for managing physical VM hosts
The following are the features for managing physical VM hosts:
• Multi-vendor virtualization platform support. System Center Virtual
Machine Manager 2008 integrates multi-hypervisor management into one tool.
This is done with its support for VMs running on Windows Server 2008 with
Hyper-V, Microsoft Virtual Server, and VMware ESX infrastructure.
• Easy Identification of consolidation candidates. The first step in migrating
VM is to identify the appropriate physical host, which has enough resources
available and is suitable to accept the VM that is being migrated. The Microsoft
Assessment and Planning (MAP) Toolkit is a powerful inventory, assessment,
and reporting tool that can securely assess IT environments for various
platform migrations and virtualization. It can identify underutilized physical
servers that can be used for consolidation and generate reports and proposals
for migration to Hyper-V.
• P2V and V2V conversion. System Center Virtual Machine Manager 2008
improves the P2V and V2V experience by integrating the conversion process.
It uses the Volume Shadow Copy Service (VSS) to create the VM quickly and
without interrupting the source physical server. It can also convert existing
VMs to Hyper-V-based VMs.
• Monitoring and reporting. System Center Virtual Machine Manager 2008
integrates tightly with System Center Operations Manager 2007 for
comprehensive monitoring and management of both physical and virtual
systems. For monitoring and reporting, you must install:
• System Center Operations Manager 2007.
• System Center Operations Manager 2007 Reporting Server.
• Virtualization Management Pack for System Center Operations Manager
2007.

Familiar interface and support for Windows infrastructure
System Center Virtual Machine Manager 2008 includes:
• Familiar interface and common foundation. Built on the System Center
Operations Manager 2007 user interface, the System Center Virtual Machine
Manager 2008 Administrator Console helps you become proficient in
managing VMs.
• Host cluster support for high availability VMs. System Center Virtual
Machine Manager 2008 is cluster-aware. It can detect and manage Hyper-V
host clusters as a single unit.
• Full scriptability through Windows PowerShell. System Center Virtual
Machine Manager 2008 is built on Windows PowerShell, an administrator-
focused command shell and a scripting language. The architecture of
PowerShell provides you with the quick construction of specific integration
solutions.
• Active Directory Domain Services (AD DS) integration. The System Center
Virtual Machine Manager 2008 integrates with AD DS to provide a secure
environment for managing access to VMs and hosts. System Center Virtual
Machine Manager 2008 also supports managing a VM host on a perimeter
network.
Interoperability of System Center Virtual Machine Manager 2008 and System Center Operations Manager
System Center Virtual Machine Manager 2008 is used for centralized management
of both physical and VM infrastructure. System Center Operations Manager is
another server that provides end-to-end service management and helps to resolve
issues affecting the health of distributed services. System Center Virtual Machine
Manager 2008 can use System Center Operations Manager to monitor the health
and availability of the VMs and VM hosts that System Center Virtual Machine
Manager 2008 manages.
System Center Virtual Machine Manager 2008 also uses Operations Manager to
monitor the health and availability of the System Center Virtual Machine Manager
2008 server, database server, library servers, and self-service Web servers, to
provide Diagram views of the virtualized environment in the System Center Virtual
Machine Manager 2008 Administrator Console. To enable these features, you must
integrate Operations Manager with System Center Virtual Machine Manager 2008.
Integration with Operations Manager is also a prerequisite for enabling PRO in
System Center Virtual Machine Manager 2008 and for configuring reporting in
System Center Virtual Machine Manager 2008.

Question: What are the specific benefits of using System Center Virtual Machine
Manager 2008 in your organization?

System Center Virtual Machine Manager 2008 Console

Key Points
The System Center Virtual Machine Manager 2008 Administrator Console is built
on the System Center framework user interface. The console is designed to manage
large deployments with easy sorting, categorization, search, and navigation
features. The console is built on a Windows PowerShell command-line interface.
Any action in the console can be done through the Windows PowerShell
command-line. Each wizard in the user interface can also display the associated
command-line actions. In addition, the console integrates with System Center
Operations Manager 2007 to provide insight into the physical and virtual
environment.
Uses of System Center Virtual Machine Manager 2008 Administrator Console
The System Center Virtual Machine Manager 2008 Administrator Console is a GUI
that you use to:
• Create, deploy, and manage VMs.
• Monitor and manage hosts and library servers.
• Manage global configuration settings.

Installation of System Center Virtual Machine Manager 2008 Administrator Console
You need to install the console after installing the System Center Virtual Machine
Manager 2008 server and then connect the console to the server. You can install
the console on the same computer as the System Center Virtual Machine Manager
2008 server or on a different computer. You can connect to and manage only one
System Center Virtual Machine Manager 2008 server at a time.
The System Center Virtual Machine Manager 2008 console can be installed on a 32-bit
or a 64-bit edition of Windows XP SP2, Windows Vista SP1, Windows 7, Windows
Server 2003 SP2, Windows Server 2008, and Windows Server 2008 R2.
Views of System Center Virtual Machine Manager 2008 Administrator Console
The System Center Virtual Machine Manager 2008 Administrator Console provides
the following views:
• Hosts. This view provides information and options related to the managed
host systems.
• VMs. This view provides information and options related to the management
of all VMs installed on managed hosts.
• Library. This view provides information and options related to the
management of System Center Virtual Machine Manager 2008 Library Servers
and library shares.
• Jobs. This view provides information and options to manage jobs such as
creating new VMs, performing Live Migration, and so on.
• Administration. This view provides a range of options related to the
administration of the System Center Virtual Machine Manager 2008
environment.
The volume of information presented by the System Center Virtual Machine
Manager 2008 Administrator Console, especially when you are managing a large
number of managed hosts and VMs, can be an overload. To help you drill down to
specific categories of results, the console provides a filtering mechanism. The filters
are located in the middle pane on the left.
In the detailed pane, you can view information on selected objects such as
managed hosts, VMs on a selected managed host, and content of the Library or
Jobs view and their status. If you select a VM, you can view the details of the VM
and a screenshot of the same in the Detail view.

Question: When would you install the System Center Virtual Machine Manager
2008 Administrator Console on a different computer than System Center Virtual
Machine Manager 2008 server?

Virtual Machine Manager Library


Key Points
You can use the library to organize and manage all the building blocks of the
virtual data center in a single interface, including the following:
• Stored VMs
• Virtual hard disks
• CD or DVD software images, also called ISO files
• Post-deployment customization scripts
• Hardware configurations
• PowerShell scripts
• Templates
A Virtual Machine Manager Library consists of resources stored in one or more
network share folders on the Virtual Machine Manager Library Server. A System
Center Virtual Machine Manager 2008 configuration can have multiple Virtual
Machine Manager Library Servers configured.

Note: The Virtual Machine Manager Library is a repository to store a variety of VM
resources.

VM templates are created in the System Center Virtual Machine Manager 2008
Administrator Console and are stored in the Virtual Machine Manager Library. You
can use templates when creating new VMs, either from the console or from the
Self-Service portal.
The VM template usually consists of virtual hard disks and two configuration
groups that are known as profiles.
The following are the parts of a VM template:
• Hardware profile. It defines hardware configuration settings such as a CPU,
memory, network, basic input/output system (BIOS) and device resources to
be used when a new VM is created by using a template.
• Operating system profile. It defines operating system configuration settings
for a new VM created from a template. The operating system profile can define
settings such as type of operating system, computer name, administrator
password, or product key.
• VHD. It is used to create new VMs. The disks may be virtual hard disks stored
in the Virtual Machine Manager Library, or a disk from an existing VM.
You may create both hardware and guest operating system profiles independently
of the template and store them in the Virtual Machine Manager Library. After they
are stored, you may import them into new templates during the template creation
process.

Question: Why would you use templates in System Center Virtual Machine
Manager 2008?

Intelligent Placement of Virtual Machines

Key Points
VMM uses a process called Intelligent Placement to deploy the VMs to the hosts. It
analyzes performance data and resource requirements for both the workload and
the host. VMM then returns a weighted list of recommended hosts to which you
can deploy the VM. Intelligent Placement supports different hosts along with their
storage configurations. Intelligent Placement is platform aware and configuration
aware. It only recommends hosts that are clustered if high availability is needed
and only x64 capable hosts for x64 VMs.
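The placement flow described above, as an added example that is not part of the course or of the VMM product documentation: a VMM 2008 R2 PowerShell script asks Intelligent Placement to rate every host in a host group for one VM, prints the weighted list the console would show, and migrates the VM to the top-rated host. The VMM server name (VMM01.contoso.com), the host group name (All Hosts) and the VM name are assumptions; the cmdlets are those of the VMM 2008 R2 snap-in, and the exact property names on the rating objects should be checked against your build.

```powershell
# Added example (not the course's own code): rank candidate hosts for a VM with
# VMM 2008 R2 Intelligent Placement and move the VM to the best-rated one.
# Assumed names: VMM01.contoso.com (VMM server), "All Hosts" (host group),
# "Clustered VM" (the VM created in the demonstration).
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager

$vmmServer = Get-VMMServer -ComputerName "VMM01.contoso.com"           # assumed
$vm        = Get-VM -VMMServer $vmmServer -Name "Clustered VM"           # assumed
$hostGroup = Get-VMHostGroup -VMMServer $vmmServer -Name "All Hosts"     # assumed

# Intelligent Placement rates each host in the group for this VM's workload.
# A rating of 0 means the host cannot accept the VM (wrong platform, not
# clustered while the VM needs HA, not enough resources), so drop those.
$ratings = Get-VMHostRating -VM $vm -VMHostGroup $hostGroup |
    Where-Object { $_.Rating -gt 0 } |
    Sort-Object -Property Rating -Descending

if (-not $ratings) {
    throw "No host in '$($hostGroup.Name)' can accept '$($vm.Name)'."
}

# The weighted recommendation list, highest rating first.
$ratings | Format-Table @{n='Host';e={$_.VMHost.Name}}, Rating -AutoSize

$best = $ratings[0]
if ($best.VMHost.Name -eq $vm.VMHost.Name) {
    Write-Host "'$($vm.Name)' already runs on the best-rated host $($best.VMHost.Name)."
} else {
    # Between nodes of the same Windows Server 2008 R2 cluster, Move-VM performs
    # a Live Migration; -RunAsynchronously returns a VMM job you can track.
    Move-VM -VM $vm -VMHost $best.VMHost -RunAsynchronously
}
```

The rating list is a recommendation, not an enforcement: Intelligent Placement excludes hosts that cannot run the VM (platform and cluster awareness, as the text describes), but the final choice of host and the job result should still be reviewed in the Jobs view.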
Performance and Resource Optimization (PRO) leverages System Center
Operations Manager 2007 to monitor an end-to-end IT infrastructure. It helps you
identify whether physical hosts and their virtual machine guests operate efficiently.
Further, by using PRO, you can create operational policies. PRO can automatically
take actions based on the operational policies. When an event occurs triggering a
policy, you can configure PRO to present the recommended resolutions. You can
also configure PRO to automatically implement the preconfigured corrective
actions.
PRO can extend automated management capabilities to both Microsoft-based and
VMware-based hosts. This is because PRO is a part of System Center Virtual
Machine Manager 2008. When managing Microsoft hosts, PRO uses Quick
Migration and Live Migration in Windows Server 2008 R2 to rapidly move VMs
between hosts.

Note: PRO is built on an open and extensible framework. With PRO, organizations and
third-party developers can develop custom rules and actions for their own environments.

PRO provides an end-to-end management solution to monitor VM hosts, VM
guests, and the applications running in those guest operating systems. PRO can
notify you when predefined operational boundaries are exceeded and can then
automatically take corrective actions. For example, you can configure PRO to
monitor CPU utilization on a VM host. If the utilization exceeds a predefined
threshold, you can configure PRO to initiate either manual or automatic corrective
actions.
If PRO has been set up to use manual corrective actions, a tip, detailing a reported
problem and suggesting corrective actions, will be displayed in the System Center
Virtual Machine Manager 2008 Administrator Console. You can then implement
the corrective actions by clicking the required button in the console. The specific
corrective actions are set up by the organization. The corrective action could be to
use the Intelligent Placement and Quick Migration capabilities in System Center
Virtual Machine Manager 2008 to move a VM to a more suitable host. This enables
the organization to reduce the CPU utilization of the virtualized host.
Another scenario could be monitoring Web application usage and adding Web
server capacity automatically. In this scenario, you can use PRO and System Center
Operations Manager 2007 to set up a rule. This rule monitors the transaction
volume of the organization’s Web farm. If the transaction level exceeds the
predefined threshold, you can configure PRO to raise a tip in the System Center
Virtual Machine Manager 2008 Administrator Console. You can then implement
the tip and automatically provision a new VM to be added to the Web farm. The
new VM will contain the organization’s line-of-business (LOB) Web application.
After you get the new Web server online, there will be a drop in the transaction
levels.

Self-Service Portal

Key Points
The Virtual Machine Manager Self-Service portal is a Web site. Through this Web
site, self-service users can create and operate their own VMs within a controlled
environment. In the sessions with the Self-Service Portal, self-service users can view
only the VMs that they own. They can also view the actions that their VM
permissions allow them to perform.
A self-service policy grants certain permissions to a user or user group. The
permissions allow the user or the user groups to create, operate, manage, store,
create checkpoints for, and connect to their own VMs through the Virtual Machine
Manager Self-Service portal. Self-service policies are applied to a host group, which
means that self-service users have permissions on the physical servers in the host
group as they are defined in the self-service policy. For example, if you define in
the self-service policy that users will be able to create checkpoints, they will be able
to create checkpoints for VMs in the host group they own. When a self-service user
creates a VM, the VM is automatically placed on the most suitable host. The most
suitable host is selected in that host group based on host ratings.
A self-service policy can be created for a user or a group. You can configure a self-
service policy for a group as group ownership or individual ownership. Under
group ownership, VMs are owned, operated, and managed by the group. Under
individual ownership, the self-service policy applies a standard set of permissions
and templates to the individuals in the group. All individuals in the group own,
operate, and manage their own VMs.

Question: When would you use the Virtual Machine Manager Self-Service portal?

Features of System Center Virtual Machine Manager 2008 R2

Key Points
System Center Virtual Machine Manager 2008 R2 provides a cost-effective solution
for unified management of physical servers and VMs. System Center Virtual Machine
Manager 2008 R2 also provides PRO for:
• Dynamic and responsive management of virtual infrastructure.
• Consolidation of underutilized physical servers.
• Rapid provisioning of new VMs by leveraging the expertise and investments in
Windows Server technology.

System Center Virtual Machine Manager 2008 R2 provides many new features. The
features can be grouped into four categories: support for new features of Windows
Server 2008 R2, enhanced storage and cluster support, streamlined process for
managing host upgrades, and other System Center Virtual Machine Manager 2008
R2 enhancements.

Support for new features of Windows Server 2008 R2
System Center Virtual Machine Manager 2008 R2 supports the following new
features in Windows Server 2008 R2:
• Live Migration. With this feature, you can use System Center Virtual Machine
Manager 2008 R2 to migrate VMs between clustered hosts without affecting
the connected users.
• Hot addition/removal of storage. This feature allows the addition and
removal of storage to virtualized infrastructure without interruption.
• New optimized networking technologies. System Center Virtual Machine
Manager 2008 R2 supports the new Hyper-V networking features, Virtual Machine
Queue (VMQ) and TCP Chimney, which increase network performance while
placing less of a burden on the CPU.

Enhanced storage and cluster support
The following are the enhanced storage and cluster support offered by System
Center Virtual Machine Manager 2008 R2:
• CSV. This feature helps you to place multiple VMs on a single LUN and
manage them individually. The key benefit that CSV delivers is simplified LUN
configuration. It is through the System Center Virtual Machine Manager 2008
Administrator Console that you can view one LUN containing all VMs, which
eliminates the need to create, configure, and modify LUNs for individual VMs.
• SAN migrations in and out of clustered hosts. System Center Virtual
Machine Manager 2008 R2 can automatically migrate VMs in and out of
clustered hosts by using SAN transfers. Unlike previous versions, System
Center Virtual Machine Manager 2008 R2 automatically configures the cluster
nodes to recognize new VMs coming in and existing VMs migrating out. This
feature saves you the additional burden of manual modification.
• Quick Storage Migration. You can migrate running VM files to a different
storage location on the same host with minimal or no service downtime. When
you migrate the VM to the host that is running Windows Server 2008 R2 and
use a network transfer, VMM 2008 R2 gives you the option to specify separate
storage locations for each virtual hard disk file for the virtual machine.
• Expanded support for Internet Small Computer System Interface (iSCSI)
SANs. There is now expanded support covering the majority of available iSCSI
SANs in System Center Virtual Machine Manager 2008 R2. With this feature in
System Center Virtual Machine Manager 2008 R2, you can choose from a
wider range of options when selecting a new SAN solution.

Streamlined process for managing host upgrades
The maintenance mode feature is designed to simplify the process of initiating
maintenance or upgrades to virtual hosts. System Center Virtual Machine Manager
2008 R2 provides maintenance mode. This mode is a one-step process whereby
active VMs are safely evacuated to other hosts within the cluster before
maintenance begins. You can configure maintenance mode to utilize Live
Migration if the VMs should not be interrupted. You can also configure
maintenance mode to put the VMs in a saved state if a service pause is acceptable.

Other System Center Virtual Machine Manager 2008 R2 enhancements
The following are the other System Center Virtual Machine Manager 2008 R2
enhancements:
• Automatic resolution of disjoint domains. If you have to administer System
Center Virtual Machine Manager 2008 in a separate domain, which is not a
part of the Microsoft® Active Directory® directory services forest, you have to
manually reconcile the host server name and the Domain Name System (DNS)
name; otherwise, authentication failure would occur. With System Center
Virtual Machine Manager 2008 R2, this process is automated by creation of a
custom Service Principal Name (SPN) in both Active Directory and DNS. This
feature facilitates the authentication process.
• Queuing of Live Migrations. You can perform multiple Live Migrations
without having to keep track of other Live Migrations within the cluster. When
a Live Migration is in danger of failing because of another migration already in
progress, Virtual Machine Manager 2008 R2 queues the request for later.
• Host compatibility checks. This feature provides deep compatibility checks so
you can determine if a source host is compatible with the destination host
before performing a migration. In the event of incompatibility, you can choose
to turn off certain CPU features to make the VM compatible with the host.
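The maintenance-mode and queued-migration behaviour described above, as an added example that is not part of the course or of the VMM documentation: a VMM 2008 R2 PowerShell script puts one clustered host into maintenance mode (which live-migrates its running HA VMs to other nodes, queuing migrations that cannot run concurrently), verifies the host is empty before it is patched, and then returns it to service. The VMM server name (VMM01.contoso.com) and the host name (HV01.contoso.com) are assumptions; the cmdlets are those of the VMM 2008 R2 snap-in.

```powershell
# Added example (not the course's own code): evacuate a Hyper-V cluster node
# through VMM 2008 R2 maintenance mode, confirm it is empty, patch, and return it.
# Assumed names: VMM01.contoso.com (VMM server), HV01.contoso.com (host).
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager

$vmmServer = Get-VMMServer -ComputerName "VMM01.contoso.com"            # assumed
$vmHost    = Get-VMHost -VMMServer $vmmServer -ComputerName "HV01.contoso.com"  # assumed

# Record what runs on the node so the post-check can name anything left behind.
$before = Get-VM -VMHost $vmHost | Where-Object { $_.Status -eq "Running" }
Write-Host ("{0} running VM(s) on {1} before maintenance." -f $before.Count, $vmHost.Name)

# Enter maintenance mode. -MoveWithinCluster asks VMM to live-migrate running
# highly available VMs to other cluster nodes; VMM queues the Live Migrations
# that cannot run at the same time instead of letting them fail. VMs that are
# not highly available cannot be moved this way and are put into a saved state.
Disable-VMHost -VMHost $vmHost -MoveWithinCluster

# Do not start patching while anything is still running on the node.
$left = Get-VM -VMHost $vmHost | Where-Object { $_.Status -eq "Running" }
if ($left) {
    throw ("Still running on {0}: {1}" -f $vmHost.Name, (($left | ForEach-Object { $_.Name }) -join ", "))
}

# ... apply updates and restart the host here; the node stays out of
# Intelligent Placement so no new VM is placed on it meanwhile ...

# Leave maintenance mode so the node can receive VMs again.
Enable-VMHost -VMHost $vmHost
```

The check between Disable-VMHost and the update step is the part worth keeping in any automation of this procedure: the evacuation is asynchronous, and a node that still hosts a running VM should never be rebooted on the assumption that maintenance mode has finished.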

Question: You must use Live Migration to migrate several VMs from the same
failover cluster node. You used Failover Cluster Manager, but you were able to
initiate just one VM Live Migration. How can you start Live Migration for multiple
VMs at the same time?

Lab: Configuring Server Virtualization by Using Hyper-V

Introduction
In this lab, you will configure server virtualization by using Hyper-V. To do this,
you will create an iSCSI target, connect the iSCSI target to the physical host, create
an NTFS volume, and configure failover cluster. You will also configure CSV and
add a disk to the CSV. You will also set up a virtual machine for Live Migration by
creating a virtual machine and making it highly available.

Objectives
After completing this lab, you will be able to:
• Install and configure failover clustering.
• Configure CSV.
• Set up a VM for Live Migration.

Lab Setup

For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd

Lab Scenario

You are a server administrator at Contoso, Ltd. Your organization is currently
using Hyper-V virtualization for server consolidation and is hosting multiple virtual
machines per physical server.
Physical servers must be updated and hardware configuration must be upgraded at
regular intervals. However, this causes downtime for virtual machines when they
are migrated by using Quick Migration from one physical server to another.
To overcome this issue, you need to perform physical server maintenance without
noticeable virtual machine downtime. You need to configure and test the Live
Migration feature of Windows Server 2008 R2.

Exercise 1: Installing and Configuring Failover Clustering

The main tasks for this exercise are as follows:
1. Start the virtual servers.
2. Create an iSCSI target.
3. Connect the iSCSI target to the physical host and create an NTFS volume.
4. Create and configure one node failover cluster.

Task 1: Start the virtual servers.
• Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.

Task 2: Create an iSCSI target.
• On LON-SVR1, create an iSCSI target, LUN-01, by using the Microsoft iSCSI
Software Target console, with the following information:
• Identifier Type: IP Address
• Value: 192.168.10.100
• IQN Identifier: Click Advanced button to view alternate identifiers
• Create a virtual disk with the following information:
• File: C:\LUN\LUN-01.vhd
• Size of the virtual disk (MB): 20000
• Target Name: LUN-01

Task 3: Connect the iSCSI target to the physical host and create an NTFS volume.
• On the physical computer, set the following iSCSI Initiator properties to
connect the iSCSI target to the physical computer:
• Target: 192.168.10.150
• Quick Connect: iqn.1991-05.com.microsoft:lon-svr1-lun-01-target
• Open the Server Manager console to create a new volume with size 15000 MB
for Disk 1.

Task 4: Create and configure one node failover cluster.
• On LON-DC1, open the Server Manager console to configure the Failover
Clustering feature.
• Open the Failover Cluster Manager console to create a cluster and run the
validation tests with the following information:
• Server name: VM-Team (physical computer name)
• Run the validation test
• Validation Warning: No. I do not require support from Microsoft
for this cluster, and therefore do not want to run the validation
tests. When I click Next, continue creating the cluster
• Cluster Name: LON-FC
• Address: 192.168.10.15

Results: After completing this exercise, you should have created and connected the
iSCSI target to the physical computer, created a new volume, and created and
configured a failover cluster.

Exercise 2: Configuring Cluster Shared Volumes

The main tasks for this exercise are as follows:
1. Enable CSV.
2. Add a disk to the CSV.

Task 1: Enable Cluster Shared Volumes.
• On the physical computer, enable the restricted feature, CSV, for the LON-
FC.Contoso.com node and add a disk, Cluster Disk 1, to it.

Task 2: Add a disk to the Cluster Shared Volumes.
• Add the disk, Clustered Disk 1, to the CSV of LON-FC.Contoso.com.

Results: After completing this exercise, you should have enabled Cluster Shared
Volumes for LON-FC.Contoso.com, and added a disk to it.

Exercise 3: Setting Up a Virtual Machine for Live Migration

The main tasks for this exercise are as follows:
1. Create a VM.
2. Make the VM highly available.

Task 1: Create a virtual machine.
1. On the physical computer, copy the Base10D-WS08R2Core-HV.vhd file from
C:\Program Files\Microsoft Learning\Base and paste it in
C:\ClusterStorage\Volume1.
2. On the physical computer, create a virtual machine, Clustered VM, by using
the Hyper-V Manager console, with the following information:
• Select Store the virtual machine in a different location
• Location: C:\ClusterStorage\Volume1
• Memory size: 512 MB
• Connect Virtual Hard Disk: Use an existing virtual hard disk
• Location: C:\ClusterStorage\Volume1\Base10D-WS08R2Core-HV.vhd

Task 2: Make the virtual machine highly available.


1. On the physical computer, configure a service or application to make the VM,
Cluster VM, highly available by using the Failover Cluster Manager console.

Results: After completing this exercise, you should have created a virtual machine,
Cluster VM, and made the virtual machine highly available.
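The same cluster, CSV and high-availability steps from Exercises 1 to 3, scripted with the Windows Server 2008 R2 FailoverClusters module. This is an added example and not part of the course lab; it assumes the lab names (VM-Team, LON-FC, 192.168.10.15, Cluster Disk 1, Clustered VM) and that the VM was already created in Hyper-V Manager on C:\ClusterStorage\Volume1.

```powershell
# Added example (not part of the 10159A lab): run in an elevated PowerShell
# session on the physical host. Windows Server 2008 R2 has no built-in Hyper-V
# module, so the VM itself is still created in Hyper-V Manager (Exercise 3,
# Task 1); everything around it is scripted here.
Import-Module FailoverClusters

$node        = 'VM-Team'          # physical computer name used in the lab
$clusterName = 'LON-FC'
$clusterIP   = '192.168.10.15'
$diskName    = 'Cluster Disk 1'   # name shown in Failover Cluster Manager
$vmName      = 'Clustered VM'     # VM created in Hyper-V Manager (assumed)

# The lab skips validation; a production cluster is supported only if all
# validation tests pass, so run them and keep the HTML report they produce.
Test-Cluster -Node $node -ErrorAction Stop | Out-Null

# Create the one-node cluster with the static cluster IP from the lab.
New-Cluster -Name $clusterName -Node $node -StaticAddress $clusterIP | Out-Null

# Enable the restricted Cluster Shared Volumes feature. In 2008 R2 this is a
# cluster property rather than a cmdlet; setting it is the scripted equivalent
# of accepting the CSV-for-Hyper-V-only notice in the console.
(Get-Cluster -Name $clusterName).EnableSharedVolumes = 'Enabled'

# Add the shared iSCSI disk to the CSV; it then appears as C:\ClusterStorage\Volume1.
Add-ClusterSharedVolume -Cluster $clusterName -Name $diskName | Out-Null

# Make the VM highly available (Failover Cluster Manager: "Configure a Service
# or Application" -> Virtual Machine).
Add-ClusterVirtualMachineRole -Cluster $clusterName -VirtualMachine $vmName | Out-Null

# Verify: the CSV and the VM group should both report Online.
Get-ClusterSharedVolume -Cluster $clusterName | Format-Table Name, State -AutoSize
Get-ClusterGroup -Cluster $clusterName |
    Where-Object { $_.Name -like "*$vmName*" } |
    Format-Table Name, OwnerNode, State -AutoSize
```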

The answers to the exercises are on the Course Companion CD.

Before proceeding to the next lab, reset the lab environment.



Lab Review

1. Are Cluster Shared Volumes a part of Hyper-V?
No. CSV is not a part of Hyper-V, but Hyper-V uses it in high availability and
migration scenarios.

2. Which two editions of Windows Server 2008 R2 support Hyper-V Live
Migration?
The two editions of Windows Server 2008 R2 that support Hyper-V Live Migration
are Windows Server 2008 R2 Enterprise Edition and Windows Server 2008 R2
Datacenter Edition.

Module Reviews and Takeaways

Review Questions
1. You have a customer who is running a legacy application on a Windows NT™
4.0 server. The customer uses this application on a physical server, but the
customer wants to consider virtualization of the server. What would you
recommend to the customer?
2. How does the interaction between the operating system and hardware change
when you add the Hyper-V role on a Windows Server 2008 R2 server?
3. You have a running VM in a Windows Server 2008 R2 Hyper-V child partition.
You need to add an additional VHD to the VM. Can you add the VHD without
rebooting the VM?
4. Can you use Windows Server 2008 R2 as an iSCSI target?
5. Can you use Live Migration for migrating two VMs from the same physical
host at the same time?

Real-World Issues and Scenarios


1. The customer is using Hyper-V for server virtualization, but has noticed that
the mouse pointer is captured inside one of the VMs. How would you help the
customer to resolve this issue?
2. Your customer wants to virtualize a physical server. What would you suggest
to the customer?

Tools
Tool | Use | Where to find it
Hyper-V Manager console | Management of Hyper-V server role | Installed when you add the Hyper-V role or part of the RSAT feature
Failover Cluster Manager console | Management of failover cluster feature | Installed when you add the failover clustering feature or part of the RSAT feature/pack
System Center Virtual Machine Manager console | Management of System Center Virtual Machine Manager | Part of System Center Virtual Machine Manager; can be installed separately
Configuring Remote Desktop Services and Virtual Desktop Infrastructure in Windows Server 2008 R2 4-1


Module 4
Configuring Remote Desktop Services and
Virtual Desktop Infrastructure in Windows
Server 2008 R2
Contents:
Lesson 1: Configuring Remote Desktop Services 4-4
Lesson 2: Configuring Remote Desktop Gateway 4-20
Lesson 3: Configuring Virtual Desktop Infrastructure 4-34
Lab: Configuring Remote Desktop Services and Virtual Desktop
Infrastructure in Windows Server 2008 R2 4-49

Module Overview

Formerly known as Terminal Services, the Remote Desktop Services (RDS) role
allows users to access applications and data on a remote computer over a network.
In Windows Server® 2008 R2, in addition to providing session-based Remote
Desktops, RDS provides enhancements in role services such as Remote Desktop
Connection Broker (RD Connection Broker) and support for Virtual Desktop
Infrastructure (VDI). In addition, users can access individual remote applications
called RemoteApps and virtual machine–based desktops. Users can consolidate
RemoteApps from multiple RDS servers, integrate them with the client Start menu,
and filter them based on group membership.
In this module, you will discuss the changes and improvements in RDS in
Windows Server 2008 R2. You will learn how RD clients access RDS applications.
In addition, you will see how RemoteApps and Remote Desktops can be integrated
with the Windows® 7 Start menu, how to filter them, and how clients may use RD
Web Access to start RemoteApps. When you implement RD Gateway, users can
securely access RDS, not only from the intranet, but also over the Internet, without
establishing a virtual private network (VPN) connection. In addition, you will
explore VDI and its benefits and requirements.


After completing this module, you will be able to:
• Configure Remote Desktop Services for remote computers.
• Configure Remote Desktop Gateway.
• Configure Virtual Desktop Infrastructure.


Lesson 1
Configuring Remote Desktop Services

RDS provides presentation virtualization, one of the virtualization technologies
available in Windows Server 2008 R2. Using RDS, you can access remote
applications or whole virtualized desktops in the data center from anywhere and
from any device. In addition to the traditional presentation virtualization scenarios,
RDS is expanding its role to provide an extensible platform for running remote
applications and using VDI. Using the new enhancements in Remote Desktop
Client Experience, and RemoteApp and Desktop Connection, you will have the
experience of working on a local computer, even when you are accessing a virtual
desktop remotely in the data center.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe Remote Desktop Services (RDS).
• Describe Remote Desktop Client Experience in Windows Server 2008 R2.
• Describe the management enhancements in Remote Desktop Services.
• Describe remote application access.
• Describe RemoteApp and Desktop Connection.
• Configure RemoteApp and Desktop Connection.

Overview of Remote Desktop Services

Key Points
The RDS role in Windows Server 2008 R2 provides technologies that enable users
to access session-based desktops, virtual machine–based desktops, or remote
applications in the data center from within a corporate network and from the
Internet. RDS enables a rich-fidelity desktop or application experience, and helps
to securely connect remote users to the data center from managed or unmanaged
devices.

How does RDS work?
RDS works by enabling applications or an entire desktop to run on a server and
accessing these applications from a user's workstation. RDS sends screen images to
the user's computer. The user's computer, in turn, sends keystrokes and mouse
movements back to the server. By doing this, RDS allows clients to run
applications or desktop environments that they might otherwise not have the
hardware or bandwidth to run. On the server, applications and desktop
environments can either run as RDS server sessions or in the context of a virtual
machine environment.

Benefits of using RDS
RDS provides you with the following benefits:
• Run an application or an entire desktop from a central location to which a user
can connect from anywhere, and control the application from different
locations.
• Manage session-based desktops, applications, or virtual machine–based
desktops on centralized servers in the data center.
• Provide users with an entire desktop environment, or with the individual
applications and data that they require to complete their tasks.
• Provide integration of local applications and RemoteApp applications that run
on RDS hosts.
• Enable secure remote access to an entire desktop, remote application, or
virtual machine without establishing a VPN connection.
• Centrally control which RD Session Hosts can be accessed, who can access
them, and device redirection. Device redirection enables you to use locally
attached devices in the RDS session.

RDS role services
All RDS role services have been renamed in Windows Server 2008 R2. The
following table lists both the earlier name and the new name of RDS and its role
services.

Previous name | Name in Windows Server 2008 R2
Terminal Services | Remote Desktop Services (RDS)
Terminal Server | Remote Desktop Session Host (RD Session Host)
Terminal Services Licensing (TS Licensing) | Remote Desktop Licensing (RD Licensing)
Terminal Services Gateway (TS Gateway) | Remote Desktop Gateway (RD Gateway)
Terminal Services Session Broker (TS Session Broker) | Remote Desktop Connection Broker (RD Connection Broker)
Terminal Services Web Access (TS Web Access) | Remote Desktop Web Access (RD Web Access)

Question: In which situations would you use RDS?

Remote Desktop Client Experience in Windows Server 2008 R2

Key Points
In Windows Server 2008 R2, Remote Desktop Client Experience has been
enhanced for computers running Windows 7 or Remote Desktop Connection
(RDC) 7.0 clients. These enhancements improve the experience of remote users,
making it more similar to the user experience when accessing resources locally.
The following enhancements are available to Remote Desktop users in Windows
Server 2008 R2:
• Windows media redirection. Provides high-quality multimedia by redirecting
Windows media files and streams so that audio and video content is sent in its
original format from the server to the client, and rendered by using the client’s
local media playback capabilities.
• True multimonitor support. Enables support for up to 16 monitors in any
size, resolution, or layout with RemoteApp and Remote Desktop. The
applications function just as they do when running locally in multimonitor
configurations.
• Audio input and recording. Supports any microphone connected to a user’s
local computer. It enables audio recording support and speech recognition for
RemoteApp and Remote Desktop. This may be useful for organizations that
use voice chat or Windows Speech Recognition.
• Windows® Aero Glass support. Provides users with the ability to use the Aero
Glass for client desktops, ensuring that the Remote Desktop sessions look and
feel like local desktop sessions.
• Enhanced bitmap redirection. Improves the remote display of 3D and other
media rich applications such as Flash and Microsoft® Silverlight™ on the
server.
• Improved audio and video synchronization. Remote Desktop Protocol
(RDP) improvements provide closer synchronization of audio and video.
• Language bar redirection. Provides users with the ability to easily and
seamlessly control the language settings in RemoteApp programs by using the
language bar.
• Task scheduler. Ensures that scheduled applications never appear to users
connecting with RemoteApp and reduces user confusion.

RDC 7.0 is included with Windows Server 2008 R2 and Windows 7. It is also
available for Windows XP SP3, Windows Vista™ SP1, and newer operating
systems.

Question: How can you benefit from the new Remote Desktop Client Experience
features?

Remote Desktop Services Management Enhancements

Key Points
While RDS improves the user experience, it also reduces the desktop and
application management effort by providing a dedicated management interface
that allows you to assign remote resources to users quickly and dynamically.
In addition to the RDS role services, RDS management tools have been renamed in
Windows Server 2008 R2. The following table lists both the earlier name and the
new name of each RDS management tool.

Previous name | Name in Windows Server 2008 R2
Terminal Services Manager | Remote Desktop Services Manager
Terminal Services Configuration | Remote Desktop Session Host Configuration
TS Gateway Manager | Remote Desktop Gateway Manager
TS Licensing Manager | Remote Desktop Licensing Manager
TS RemoteApp Manager | RemoteApp Manager

Windows Server 2008 R2 RDS management capabilities
Windows Server 2008 R2 includes the following RDS management capabilities and
user experience improvements to help reduce administrative effort:
• RemoteApp and Desktop Connection. Users can easily connect to
RemoteApp programs and Remote Desktops by using RemoteApp and
Desktop Connection in Control Panel in Windows Server 2008 R2 and
Windows 7.
• Single administrative infrastructure. You can manage RemoteApp and
Desktop Connection, and RemoteApp and Desktop Web Access from a single
management console.
• RemoteApp User Assignment. The RemoteApp User Assignment provides
you the ability to show a customized list of RemoteApp programs specific to
the logged-on user in RD Web Access, and RemoteApp and Desktop
Connection.
• Designed for domain members and standalone computers. The RemoteApp
and Desktop Connection feature is easy to configure and use for computers
that are members of Microsoft® Active Directory® directory service domains
and for workgroup computers.
• Always up to date. After a workspace is configured, the workspace keeps itself
up to date until it is removed from the user's desktop. When you add an
application or update, it automatically appears on the user's Start menu and
the Web access page.
• Single sign-on (SSO) experience within a workspace. Ensures that only a
single logon is required to access all applications and resources with
RemoteApp and Desktop Connection.
• RemoteApp and Desktop Web Access. This capability provides full
integration with RemoteApp and Desktop Connection to ensure that a
consistent list of applications is available to users at all times, irrespective of
the desktop operating system. The default Web page provides a fresh look and
feel. It also includes a new Web-based logon with integrated SSO.

Improved management features in Windows Server 2008 R2 Remote Desktop
Services are as follows:
• Windows® PowerShell Provider. You can manage multiple servers and
repetitive tasks with Windows PowerShell. You can also script all RDS
administrative tasks, such as viewing and editing configuration settings for the
Remote Desktop Gateway or Remote Desktop server.
• Remote Desktop Services Best Practices Analyzer (RDS BPA). The BPA for
RDS helps to bring RDS into compliance with best practices. The two
categories of rules for the RDS BPA are configuration and operation.
Configuration rules are applied to identify settings that might require
modification for RDS to perform optimally. Operation rules are applied to
identify best practice–related possible causes of a role’s failure to carry out its
prescribed tasks in the enterprise.
• Profile improvements. The user profile cache quota removes the need to
delete profiles at logoff, speeding up user logon. You can configure group
policy caching across an RDS farm to speed up group policy processing during
logon.
• Microsoft Installer (MSI) compatibility. In Windows Server 2008 Terminal
Services, there were multiple MSI-related issues, which are fixed in Windows
Server 2008 R2. MSI install packages can be installed normally and each user's
installation settings are correctly propagated. It also removes the need to put
the RDS server in install mode, so that users no longer need to log off during
management operations.
• RD Connection Broker extensibility. RDS enables third-party software
manufacturers to build RDS-optimized products, such as RemoteApp and
Desktop Web Access customization or RD Connection Broker extensibility.

Question: Can users who are using client operating systems older than Windows
7 access RDS?

Remote Application Access

Key Points
Users can access remote applications that are running on RDS in several ways. You
can connect to and access a full RD Session, including the full desktop and
applications. You can also publish remote applications and access them through
RD Web Access. You can either directly copy the shortcut or create a Windows
Installer package that adds shortcuts for RemoteApps to the client computer. In
Windows Server 2008 R2, you can easily combine published RemoteApps from
multiple RD Session Host servers on the same Web page. Users can configure
clients to access this Web page or subscribe to it through RemoteApp and Desktop
Connection in Control Panel, which adds shortcuts for the available RemoteApps
to the Start menu and automatically refreshes the list.
The RD Web Access role service enables users to access RemoteApp and Desktop
Connection through a Web browser. The following improvements to RD Web
Access are available in Windows Server 2008 R2:
• Forms-based authentication. Forms-based authentication is an ASP.NET
authentication service that enables applications to provide their own logon
page and perform their own credential verification. ASP.NET authenticates
users, redirects unauthenticated users to the logon page, and performs all the
necessary cookie management.
• Per user RemoteApp program filtering. RD Web Access can filter the view on
a per user account basis, so that users logging on to RD Web Access only
view the programs that you have configured for them to view.
• SSO between RD Session Host and RD Web Access. SSO allows users to
enter their user name and password only once when connecting to a
RemoteApp program by using RD Web Access. SSO requires that RDP files are
digitally signed by a trusted publisher. To take advantage of the SSO features,
the client must be running Remote Desktop Connection (RDC) 7.0.
• Public and private computer option. You can access the RD Web Access Web
page in public or private mode. When you select public mode, your user name
is not remembered in the Web browser, and the RD Web Access cookie storing
the user name times out after 20 minutes. When you select private mode, the
cookie storing the user name is available for four hours. Passwords are not
stored in either public or private mode.
In Windows Server 2008 R2, RDS supports Virtual Desktop Infrastructure (VDI).
VDI is a centralized desktop delivery architecture, which centralizes the storage,
execution, and management of a Windows desktop in the data center. VDI
integrates with the Windows Server® 2008 Hyper-V® server role to provide virtual
machines. You can use these virtual machines as personal virtual desktops or
virtual desktop pools by using RemoteApp and Desktop Connection. You can
assign user accounts to a unique personal virtual desktop or redirect them to a
virtual desktop pool where a virtual desktop is dynamically assigned. RD
Connection Broker creates a unified administrator experience for traditional
session-based remote desktops and new virtual machine–based remote desktops.

Question: How does a user in your environment access applications on an RD
Session Host server?

RemoteApp and Desktop Connection


Key Points
In Windows Server 2008, Terminal Services introduced RemoteApp programs.
These programs are accessed remotely and appear as if they are running on the
user's local computer. In Windows Server 2008 R2, RDS provides you the ability to
group and personalize RemoteApp programs and virtual desktops, and make them
available to users on the Start menu of a computer that is running Windows 7.
This new feature is called RemoteApp and Desktop Connection.
RemoteApp and Desktop Connection provides a personalized view of RemoteApp
programs, session-based desktops, and virtual desktops to users. When a user
starts a RemoteApp program or a session-based desktop, an RDS session is started
on the RD Session Host server that hosts the remote desktop or RemoteApp
program. If a user connects to a virtual desktop, a remote desktop connection is
created to the virtual machine that is running on the Remote Desktop
Virtualization Host (RD Virtualization Host) server.
RemoteApp and Desktop Connection works with a new feature of RD Web Access,
the RemoteApp and Desktop Connection feed. This feed renders RemoteApp
programs in a software-parsable XML document, instead of rendering RemoteApp
programs in the form of a Web page.
With RemoteApp and Desktop Connection, the user subscribes to a feed of
RemoteApp programs by supplying the client software with its URL. After the user
has subscribed to the feed and created a connection, the user's work is performed.
The RemoteApp and Desktop Connection client software will then ensure that the
resources in this connection are placed in the user’s Start menu.

Benefits of RemoteApp and Desktop Connection


The RemoteApp and Desktop Connection feature offers the following benefits:
• The RemoteApp programs run from the Start menu as any other application.
• Published Remote Desktop connections are included with RemoteApp
programs on the Start menu.
• Changes to the published connection, such as newly published RemoteApp
programs, are automatically reflected on the user’s Start menu, without any
effort on the user’s part.
• RemoteApp programs can be easily run with Windows search.
• Users have to log on only once to create the connection. Then, updates take
place automatically with no prompt for user credentials.
• RemoteApp and Desktop Connection does not require domain membership
for client computers.
• RemoteApp and Desktop Connection benefits from the new features in
Windows Server 2008 R2, such as Personal Desktop assignment or application
filtering.
• RemoteApp and Desktop Connection is built on standard technologies such as
XML and HTTPS, making it possible for developers to build solutions around
it. RemoteApp and Desktop Connection provides APIs for supporting other
types of resources, besides RemoteApps and Remote Desktop connections.
• You can create a client configuration file (.wcx) and distribute it to users
within your organization. With the client configuration file, users can
automatically configure RemoteApp and Desktop Connection. You can also
write and distribute a script to run the client configuration file, so that
RemoteApp and Desktop Connection is set up automatically when users log on
to their accounts on Windows 7 computers.

Question: When would you use RDS Web Access to access RemoteApp
applications, instead of RemoteApp and Desktop Connection?
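The client configuration file and deployment script described above, as an added example that is not part of the course: a PowerShell script that writes a .wcx file pointing at the RD Web Access feed and registers it silently for the logged-on user. The workspace name, the LON-SVR1 feed URL and the output path are assumed values; the feed path follows the default RD Web Access layout.

```powershell
# Added example (not course material): generate a RemoteApp and Desktop
# Connection .wcx file and set it up silently, suitable for a logon script.
# Assumed values: workspace name, feed URL on LON-SVR1, output path.
param(
    [string]$WorkspaceName = 'Contoso RemoteApps',
    [string]$FeedUrl       = 'https://lon-svr1.contoso.com/RDWeb/Feed/webfeed.aspx',
    [string]$OutFile       = (Join-Path $env:TEMP 'contoso.wcx')
)

# The feature is built on HTTPS: refuse a plain-HTTP feed, which would let the
# list of published resources and the RDP files be altered in transit.
$uri = [Uri]$FeedUrl
if ($uri.Scheme -ne 'https') {
    throw "Feed URL must use HTTPS: $FeedUrl"
}

# Build the .wcx document with an XML writer so the name and URL are escaped.
# The workspace schema namespace is the one used by Windows 7 / 2008 R2.
$ns  = 'http://schemas.microsoft.com/ts/2008/09/tswcx'
$doc = New-Object System.Xml.XmlDocument
$doc.AppendChild($doc.CreateXmlDeclaration('1.0', 'utf-8', $null)) | Out-Null
$ws  = $doc.CreateElement('workspace', $ns)
$ws.SetAttribute('name', $WorkspaceName)
$feed = $doc.CreateElement('defaultFeed', $ns)
$feed.SetAttribute('url', $uri.AbsoluteUri)
$ws.AppendChild($feed) | Out-Null
$doc.AppendChild($ws)   | Out-Null
$doc.Save($OutFile)

# Register the connection without the wizard. WorkspaceSilentSetup in
# tsworkspace.dll is the silent entry point on Windows 7 / 2008 R2; the user is
# prompted for credentials once, after which the Start menu entries are kept
# current from the feed, as the section above describes.
Start-Process -FilePath "$env:windir\System32\rundll32.exe" `
    -ArgumentList "tsworkspace,WorkspaceSilentSetup `"$OutFile`"" -Wait
```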

Demonstration: How To Configure RemoteApp and Desktop Connection

Key Points
1. On LON-DC1, add the Calculator and Paint programs to the list of RemoteApp
Programs by using the RemoteApp Manager console.
2. On LON-SVR1, add the Notepad.exe and WordPad programs to the list of
available RemoteApp Programs by using the RemoteApp Manager console.
3. On LON-SVR1, configure LON-DC1.contoso.com and LON-SVR1.contoso.com
as RemoteApp sources to aggregate the published RemoteApp applications.
4. On LON-SVR1, open the RD Web Access Web page to retrieve the aggregated
list of RemoteApp applications from Remote Desktop Connection Brokers
with the following information:
• Domain\username: contoso\administrator
• Password: Pa$$w0rd
• Select An RD Connection Broker server
• Source name: LON-SVR1.contoso.com
5. Log on to LON-CL1 with the user name, contoso\administrator, and the
password, Pa$$w0rd.
6. On LON-CL1, log on to RD Web Access as contoso\ruser and verify that all
four published RemoteApp applications are available on the Remote Desktop
Services Web Access page.

Question: How will you create the client configuration file for setting up
RemoteApp and Desktop Connection?

Lesson 2
Configuring Remote Desktop Gateway

The Remote Desktop Gateway (RD Gateway) role service in Windows Server 2008
R2 allows authorized users to connect to resources on an internal corporate or
private network from the Internet. RD Gateway encapsulates Remote Desktop
Protocol (RDP) over HTTPS to establish a secure, encrypted connection between
the remote users and the internal network resources. By using authorization
policies such as connection authorization policies (CAPs) and resource
authorization policies (RAPs), you can control access to specific users or resources.

After completing this lesson, you will be able to:
• Describe Remote Desktop Gateway.
• Describe how Remote Desktop Gateway works.
• Describe the security enhancements in Remote Desktop Gateway.
• Describe Remote Desktop Gateway configuration.
• Describe how to configure Remote Desktop Gateway.


Remote Desktop Gateway

Key Points
The RD Gateway role service allows authorized remote users to connect to RDS-
based resources, such as RD Session Host servers, RD Session Host servers
running RemoteApp programs, or computers and virtual desktops with Remote
Desktop enabled, on an internal corporate or private network from Internet-
connected devices. RD Gateway must be domain-joined and located either on the
perimeter network with domain connectivity, or behind firewalls that allow HTTPS
traffic from the Internet to the RD Gateway. RD Gateway uses the Remote Desktop
Protocol (RDP) over HTTPS to establish a secure, encrypted connection between
remote users on the Internet and the internal network resources on which their
productivity applications run. You can use RD Gateway instead of a VPN
connection when no local copy of data is required or allowed, when users require
quicker connection time, and when bandwidth or application data size makes a
VPN undesirable to work with.

Benefits of RD Gateway
RD Gateway provides the following benefits:
• Enables remote users to connect to internal network resources over the
Internet by using an encrypted connection, without establishing VPN
connections.
• Provides a comprehensive security configuration model that enables you to
control access to specific internal network resources.
• Provides a secure and flexible RDP connection that allows users to access
resources to which their RDP host has access, and prevents remote users from
having direct network connectivity to all internal network resources. This helps
protect the internal resources.
• Enables remote users to connect to internal network resources that are hosted
behind firewalls on private networks and across Network Address Translation
(NAT) devices.
• Enables you to configure authorization policies to define conditions for remote
users to connect to internal network resources by using RD Gateway Manager.
For example, you can specify:
• Who can connect to network resources.
• What network resources or computer groups users can connect to.
• Whether client computers must be members of Active Directory security
groups.
• Whether device and disk redirection is allowed.
• Whether clients need to use smart card authentication or password
authentication, or whether they can use either method.
• Enables you to configure RD Gateway servers and Remote Desktop clients to
use Network Access Protection (NAP) to enhance security.
• Provides tools to help you monitor the RD Gateway connection status, health,
and events. By using RD Gateway Manager, you can specify events such as
unsuccessful connection attempts to the RD Gateway server that you want to
monitor for auditing purposes.

AD DS models for RD Gateway in a perimeter network
RD Gateway must be domain-joined to successfully authenticate domain users, but
many organizations have restrictions on deploying domain members in a
perimeter network. In such situations, the following AD DS model options are
available for RD Gateway in a perimeter network:
• RD Gateway without AD DS in perimeter network. When there is no AD DS on the
perimeter network, ideally the servers on the perimeter network are workgroup
members, but the RD Gateway server still has to be joined to the internal network
domain because it must authenticate and authorize corporate domain users and
resources. The ports that RD Gateway needs to reach the internal domain
controllers must therefore be opened on the internal firewall.
• RD Gateway with forest trust model. In this model, there is AD DS on the
perimeter network, and the perimeter forest trusts the internal network forest so
that internal forest users can be authenticated in the perimeter domain. RD
Gateway is joined to the perimeter network domain. Because the trust between the
perimeter network forest and the internal network forest is one-way, you must
configure RD Gateway to use a central Network Policy Server on the internal
network in this deployment.
• RD Gateway with extended corporate forest model. In this model, there is a
read-only domain controller (RODC) on the perimeter network for the internal
network forest. RD Gateway is joined to the internal network domain and
interacts with RODC for authentication and authorization purposes.
In all three models, RD Gateway needs specific ports to be opened on the internal
firewall.

Question: In which situations would you use RD Gateway?



How Remote Desktop Gateway Works



Key Points
RD Gateway enables remote users to connect to internal network resources that
are hosted behind firewalls in private networks and across NATs. Security policy
and firewall configuration prevent remote users from connecting to internal
network resources across firewalls and NATs because port 3389, which is used for
RDP connections, is blocked for network security purposes. RD Gateway instead
carries all RDP traffic over port 443 inside an HTTPS (SSL/TLS) tunnel, so all
traffic between the user's client computer and RD Gateway is encrypted while in
transit over the Internet. Because most organizations already allow port 443 for
Internet connectivity, RD Gateway takes advantage of this network design to
provide remote access connectivity across multiple firewalls.
When data is received through the external firewall onto the perimeter network,
RD Gateway terminates the HTTPS tunnel, contacts a domain controller to
authenticate the user, and contacts the Network Policy Server to evaluate the
connection authorization policy (RD CAP) that decides whether the user may cross
the gateway. RD Gateway then checks its resource authorization policies (RD RAP)
to confirm that the user may reach the requested RDS host. If the user is
authenticated and authorized, RD Gateway removes the HTTPS encapsulation and
forwards the RDP traffic to the destination host, establishing a security-enhanced
connection between the user who sends the data and the destination host. The
HTTPS tunnel ends at RD Gateway; between the gateway and the destination host,
the traffic is protected only by RDP's own security layer.

Question: Does RD Gateway provide full end-to-end protection of RDP traffic?



Remote Desktop Gateway Security Enhancements

Key Points
Windows Server 2008 R2 provides the following new functionalities in RD
Gateway:
• Configurable idle and session timeouts. RD Gateway allows you to configure
idle and session timeouts on an RD Gateway server. An idle timeout provides
the ability to reclaim resources used by inactive user sessions without affecting
the user's session or data. This helps free up resources on the RD Gateway
server. The user will be able to reestablish the session by using RDC even after
being disconnected. A session timeout provides the ability to periodically
enforce new policies on active user connections. This ensures that any system
changes to user properties, such as domain accounts, Remote Desktop
connection authorization policy (RD CAP) changes, or Remote Desktop
resource authorization policy (RD RAP) changes, are enforced on existing
sessions.
• Background session authentication and authorization. After reaching a
session timeout, you can disconnect, reauthenticate, or reauthorize the remote
session. If you select the option to silently reauthenticate and reauthorize, after
a configured session timeout, it will not affect the sessions for users whose
property information has not changed, and authentication and authorization
requests will be sent in the background.
• System and logon messages. You can add system and logon messages to RD
Gateway and display the messages to the Remote Desktop user. You can use
system messages to inform users of server maintenance issues such as
shutdowns and restarts, and logon messages to display a logon notice to users
before they gain access to remote resources. You can configure RD Gateway to
allow connections only from Remote Desktop clients that support system and
logon messages. Remote Desktop clients must be running RDC 7.0 to connect
when this setting is enabled.
• Device redirection enforcement. RD Gateway includes the option to allow
Remote Desktop clients to only connect to RD Session Host servers that
enforce device redirection. RDC 7.0 is required for device redirection to be
enforced by the RD Session Host server.
• Network Access Protection (NAP) remediation. RD Gateway enables update
of client computers that are not in compliance with the health policy. This
helps to keep managed clients in compliance with the latest software updates.
You can set CAPs so that unmanaged clients do not receive updates, and are
only provided feedback allowing users to manually update their systems.
• Pluggable authentication and authorization. Pluggable authentication
provides APIs, which can be used to write authentication and authorization
plug-ins for integration with RD Gateway. RD Gateway exposes interfaces for
authoring custom authentication and authorization plug-ins.

Question: What should you do to take advantage of the RD Gateway functionality
introduced in Windows Server 2008 R2?

Remote Desktop Gateway Configuration



Key Points
To function correctly, RD Gateway requires several role services and features to be
installed and running. When you install the RD Gateway role service by using
Server Manager, the following server roles and services are automatically installed
and started, if they are not already installed:
• Network Policy and Access Services (NPAS)
• Web Server Internet Information Services (IIS)
• Remote procedure call (RPC) over HTTP proxy

Configuring RD Gateway
The following are the steps to configure RD Gateway:
1. Install the RD Gateway role service. Install the RD Gateway role service by
using Server Manager. Optionally, during the installation process, you can
select an existing certificate or create a self-signed certificate. In addition, you
can create an RD CAP and an RD RAP.


2. Obtain a certificate for the RD Gateway server. By default, TLS 1.0 is used to
encrypt communications between Remote Desktop clients and RD Gateway
servers over the Internet. TLS is a standard protocol that helps to secure Web
communications on the Internet or intranets. For TLS to function correctly,
you must:
• Install an SSL-compatible X.509 certificate on the RD Gateway server.
• Ensure that the subject name (CN) of the certificate, or a DNS entry in its
subject alternative name, matches the DNS name that clients use to connect
to the RD Gateway server.
• Ensure that the issuing CA is trusted by the clients; the Remote Desktop
client refuses a gateway whose certificate it cannot validate.
If you already have an appropriate certificate on the RD Gateway server, you
can reuse it.
3. Configure a certificate for the RD Gateway server. After you obtain a
certificate, install the certificate in the Computer store on the RD Gateway
server, if the certificate is not already installed. After installing the certificate,
map the RD Gateway server certificate to the RD Gateway Web server by using
RD Gateway Manager.
4. Create an RD CAP. RD CAPs allow you to specify who can connect to an RD
Gateway server. You can specify a user group that exists on the local RD
Gateway server or in AD DS. You can also specify other conditions that users
must meet to access an RD Gateway server, for example, users must be
members of a specific security group. You can also specify that the client
computer that is initiating the connection must be a member of an Active
Directory security group. For enhanced security, you can specify whether to
disable client device redirection for all devices or just for a specific type of
device, such as a disk drive or supported Plug and Play devices.
5. Create an RD RAP. RD RAPs allow you to specify the internal network
resources that remote users can connect to through an RD Gateway server.
When you create an RD RAP, you can create a computer group on the internal
network to which you want the remote users to connect, and associate it with
the RD RAP. For example, you can specify that users are allowed to connect
only to computers in a specific group. Remote users connecting to an internal
network through an RD Gateway server are granted access to computers on
the network, if they meet the conditions specified in at least one RD CAP and
one RD RAP. Together, RD CAPs and RD RAPs provide two different levels of
authorization to provide you with the ability to configure a more specific level
of access control to computers on an internal network.
6. Limit the maximum number of simultaneous connections through RD
Gateway (optional). By default, no limit is set for the number of simultaneous
connections that clients can make to internal network resources through an
RD Gateway server. To optimize the RD Gateway server performance or to
ensure compliance with the connection or security policies of your
organization, you can set a limit for the number of simultaneous connections
that clients can make to network resources through an RD Gateway server.

Question: Why must you install an SSL certificate on an RD Gateway server?


Demonstration: How To Configure Remote Desktop Gateway

Key Points
1. On LON-SVR1, import the SSL certificate, external.contoso.com to the Remote
Desktop Gateway server.
2. On LON-SVR1, create a Connection Authorization Policy (CAP) to restrict the
users from accessing the RD Gateway Server with the following information:
• Type a name for the RD CAP: Authorized Remote Users
• User group membership: RD Users
3. On LON-SVR1, create a Resource Authorization Policy to control the
connection between the internal resources and the Remote Desktop Gateway
with the following information:
• Type a name for the RD RAP: Authorized Target Computers
• User Groups: RD Users
• Network Resources: RD Web Computers
4. On LON-DC1, set external.contoso.com as the RD Gateway server by using the
RD Gateway server settings of RemoteApp Manager.
5. On LON-SVR1, set external.contoso.com as the RD Gateway server by using
the RD Gateway server settings of RemoteApp Manager.
6. On the physical computer, reconfigure LON-CL1 to connect to both the
intranet and public network with the following information:
• IP Address for public network: 131.107.0.101
• Subnet mask: 255.255.255.0
• IP Address for intranet: 192.168.10.0
• Subnet mask: 255.255.255.0
7. Open the Command Prompt window to verify that there is access to the
external network interface of RD Gateway (IP 131.107.0.2).
8. Verify that there is no direct access to LON-DC1 (IP 192.168.10.1).
9. On LON-CL1, connect to RD Web Access with the user name, contoso\ruser
and the password, Pa$$w0rd.
10. Import the CA certificate into Trusted Root Certification Authorities on
LON-CL1, and then, as ruser, connect to the published RemoteApp program,
Calculator.
Question: How will you verify whether a Remote Desktop client is connected to
the RDS host directly or through RD Gateway?
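The certificate requirements in steps 2 and 3 of Remote Desktop Gateway Configuration and the connectivity checks in steps 7 and 8 of this demonstration can be verified from the client with one script. The following PowerShell is an added example; it is not part of the course or its lab files. It opens a TLS connection to the gateway the way the Remote Desktop client does and reports whether the presented certificate matches the gateway name configured on the client, is within its validity period, and chains to a CA the client trusts; it then confirms that port 443 on the gateway is reachable while port 3389 on an internal host is not. The host names and addresses are the lab's values and are assumptions, and the "DNS Name=" prefix used to read the subject alternative name is the English output of the .NET formatter.

```powershell
# Added example, not part of the course or its lab files. Run on the Remote Desktop
# client (for example LON-CL1) with Windows PowerShell 2.0 or later.
# Names and addresses below are the lab's assumed values.
param(
    [string]$GatewayName    = 'external.contoso.com',  # name in the client's RD Gateway settings
    [string]$GatewayAddress = '131.107.0.2',           # external interface of RD Gateway (lab value)
    [string]$InternalHost   = '192.168.10.1',          # lab's LON-DC1; must NOT be reachable directly
    [int]$TimeoutMs         = 3000
)

function Test-TcpPort([string]$Target, [int]$Port, [int]$Timeout) {
    # Connect with a timeout: a firewall that drops packets makes the connect hang,
    # so a plain Connect() would block for much longer than a refused connection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($Timeout, $false) -and $client.Connected) { return $true }
        return $false
    } catch { return $false } finally { $client.Close() }
}

function Get-ServerCertificate([string]$Target, [string]$TargetHostName) {
    # Performs the TLS handshake and returns the certificate the listener presented.
    # The callback accepts everything on purpose: validation is done by the caller so
    # that each failure reason (name, validity, chain) is reported separately.
    $client = New-Object System.Net.Sockets.TcpClient($Target, 443)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($TargetHostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $client.Close() }
}

function Get-CertificateDnsNames($Cert) {
    # Subject CN (or first SAN DNS name) plus every DNS entry of the Subject
    # Alternative Name extension (OID 2.5.29.17). Format() output is locale-dependent;
    # "DNS Name=" is the English form (assumption).
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^DNS Name=(.+)$') { $names += $matches[1].Trim() }
        }
    }
    return $names | Select-Object -Unique
}

function Test-CertificateName($Cert, [string]$ExpectedName) {
    $expected = $ExpectedName.ToLower()
    foreach ($n in (Get-CertificateDnsNames $Cert)) {
        $n = $n.ToLower()
        if ($n -eq $expected) { return $true }
        # A wildcard covers exactly one label: *.contoso.com matches gw.contoso.com,
        # not contoso.com and not a.b.contoso.com.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)
            if ($expected.EndsWith($suffix) -and $expected.Length -gt $suffix.Length) {
                $label = $expected.Substring(0, $expected.Length - $suffix.Length)
                if (-not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

$result = @{}
$result.GatewayReachable443 = Test-TcpPort $GatewayAddress 443 $TimeoutMs
$result.InternalRdpBlocked  = -not (Test-TcpPort $InternalHost 3389 $TimeoutMs)

if ($result.GatewayReachable443) {
    $cert = Get-ServerCertificate $GatewayAddress $GatewayName
    $now  = Get-Date
    $result.CertificateSubject = $cert.Subject
    $result.CertificateNames   = (Get-CertificateDnsNames $cert) -join ', '
    $result.NameMatches        = Test-CertificateName $cert $GatewayName
    $result.WithinValidity     = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    $result.ChainTrusted       = $cert.Verify()   # built against this client's certificate stores
}
$result.GetEnumerator() | Sort-Object Key
```

Run it on LON-CL1 after step 6, while the client is attached to both networks. InternalRdpBlocked = True is the result you want: it shows that the only path to the RD Session Host is through the gateway. NameMatches = False or ChainTrusted = False explains a client-side gateway or certificate error before you look anywhere else, because the Remote Desktop client refuses a gateway whose certificate does not match the configured name or does not chain to a trusted root.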
Lesson 3
Configuring Virtual Desktop Infrastructure

Virtual Desktop Infrastructure (VDI) is an alternative desktop delivery model that


allows users to access desktops running in the datacenter. In VDI, each user gets
access to a personal desktop from any authorized device, thereby improving
desktop flexibility. The Remote Desktop Connection Broker (RD Connection
Broker) role service provides load balancing and redundancy for Remote Desktop
users. By using RD Connection Broker, you can ensure that the session load is
evenly distributed between the various servers in the farm.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe Virtual Desktop Infrastructure.
• Describe how Virtual Desktop Infrastructure works.
• Describe the types of Virtual Desktop Infrastructure.
• Describe RD Connection Broker.
• Describe virtual machines for virtual desktop.
• Configure Virtual Desktop Infrastructure in Windows Server 2008 R2.
What Is Virtual Desktop Infrastructure?

Key Points
Virtual Desktop Infrastructure (VDI) is a centralized desktop delivery architecture
that allows you to centralize the storage, execution, and management of Windows
desktops in the data center. VDI enables Windows 7, Windows Vista, and other
desktop environments to run and be managed in virtual machines on a centralized
server. A user can connect to a virtual desktop with Remote Desktop Client (RDC).
Organizations often permit employees and contractors to work from home or from
an outsourced facility. These environments provide better flexibility, improved cost
control, and a lower environmental footprint, but they increase the demand for
security and compliance controls that keep corporate data inside the data center.
To meet these challenges, Windows Server 2008 R2 updates RD Connection Broker
and the presentation virtualization architecture beneath the VDI umbrella. RD
Connection Broker creates a unified experience for traditional session-based
remote desktops and new virtual machine–based remote desktops.
Benefits of VDI
VDI provides the following benefits:
• Access to data and applications from any device
• Improved data security and compliance
• Simplified management and deployment of applications
• Improved business continuity through data centralization
• Integrated management of physical, virtual, and session-based desktops
• Quicker recovery from device malfunctions
• Centralized data storage and backup, which reduce losses from stolen devices

VDI user desktop


The two key deployment scenarios supported by VDI are persistent virtual
machines and pooled virtual machines. In persistent virtual machines, there is a
one-to-one mapping of virtual machines to users. Each user is assigned a dedicated
virtual machine, which can be personalized and customized. This preserves any
changes made by the user. You might prefer to deploy personal virtual desktops
because they provide the greatest flexibility. In pooled virtual machines, a single
image is replicated. User state can be stored through profiles and folder
redirection, but it will not continue to stay on the virtual machine after the user
logs off. In both cases, the Windows Server 2008 R2 solution supports storage of
the images on the Hyper-V host, and clients connect to the virtual machine by
using RDP.
RD Connection Broker, as part of the VDI solution, is designed as an extensible
platform for partners; it includes extensive APIs for partner value-add around
manageability and scalability of the brokering solution. Extensibility points include
the ability to create policy plug-ins, such as plug-ins for determining the
appropriate virtual machine or virtual machine pool; filter plug-ins, such as plug-
ins for preparing a virtual machine to accept RDP connections; and resource plug-
ins, such as plug-ins for placing a virtual machine on the proper host based on the
host’s load.
Each device accessing the VDI image requires the Windows Virtual Enterprise
Centralized Desktop (VECD) license.

Question: Is your organization using VDI? Which environments can considerably
benefit from implementing VDI?

Types of Virtual Desktop Infrastructure
Key Points
VDI is an alternative server-based desktop virtualization method that extends the
concept of server consolidation through virtualization to central management of
client desktops. In VDI, multiple client operating systems are running in virtual
machines on a server that remotely presents each desktop to a client device. VDI
allows central management and deployment of user desktops while providing each
user the capability to customize a unique desktop if necessary. There are various
ways to architect VDI, but in general, there are two types of VDI: personal virtual
desktops and pooled virtual desktops.

Personal virtual desktops


When using personal virtual desktop, each virtual machine is like a traditional
personal computer, where user data, settings, applications, and operating systems
are all mingled together, and each user has a unique virtual machine. If there are
100 users, there will be 100 virtual machine images. This deployment model
utilizes both the presentation virtualization and server virtualization. The following
are the requirements for using personal virtual desktops:


• Personal virtual desktops can only use Windows client operating systems. You
cannot install Windows Server 2008 R2 on a virtual machine and assign it as a
personal virtual desktop.
• You can assign only one personal virtual desktop at a time to a user.
• You can assign a virtual machine as a personal virtual desktop to only one user
at a time.
• The functional level of your Active Directory domain must be at least Windows
Server 2008.
• The name of the virtual machine in the Hyper-V Manager tool must match the
fully qualified domain name (FQDN) of the computer.

Pooled virtual desktops


When using pooled virtual desktops, each virtual machine is created when a user
logs on. Based on the setup in Active Directory, a copy of a virtual machine
with an operating system is selected, created, and placed on the server. Specific
application access is granted onto that virtual machine, the user’s settings are
deployed, and the data is attached. When the user logs off, the data and settings
are saved; the virtual machine copy is either destroyed or returned to a pristine
state for future use. In such a model, the number of virtual machine images is
reduced, where one image can potentially support all users. This deployment
model utilizes user setting virtualization and application virtualization, in addition
to presentation and server virtualization. The following are the requirements for
using pooled virtual desktops:
• You must configure all virtual machines in a virtual desktop pool identically,
including the programs.
• Virtual desktops can only use Windows client operating systems. You cannot
install Windows Server 2008 R2 on a virtual machine and add it to a virtual
desktop pool.
• A virtual machine can be a member of only one virtual desktop pool at a time.
• You can make multiple virtual desktop pools available through RemoteApp
and Desktop Connection. The user sees a different icon for each virtual
desktop pool.
• Users should not save files on a virtual machine that is located in a virtual
desktop pool. If a user logs off from a virtual machine in a virtual desktop pool
and logs on to the virtual desktop pool later, the user might be connected to a
different virtual machine in the virtual desktop pool.

Question: What is the main difference between personal virtual desktops and
pooled virtual desktops?
How Virtual Desktop Infrastructure Works
Key Points
The way users connect to a virtual machine is based on the VDI configuration. If
VDI is configured for personal virtual desktops, users are connected to a virtual
machine in the following way:
• A user initiates the connection to the personal virtual desktop by using RD
Web Access or RemoteApp and Desktop Connection.
• The user sends the request to the RD Session Host server running in
redirection mode by using RD Web Access or RemoteApp and Desktop
Connection.
• The RD Session Host server forwards the request to the RD Connection Broker
server.
• The RD Connection Broker server queries AD DS and retrieves the name of the
virtual machine that is assigned to the requesting user account.
• The RD Connection Broker server sends a request to the RD Virtualization
Host server to start the virtual machine.
• The RD Virtualization Host server returns the IP address of the virtual machine
(resolved from its FQDN) to the RD Connection Broker server. The RD
Connection Broker server then sends this information to the RD Session Host
server running in redirection mode.
• The RD Session Host server redirects the request to the client computer that
initiated the connection.
• The client computer connects to the personal virtual desktop.
If VDI is configured for pooled virtual desktops, users are connected to a virtual
machine in the following way:
• A user initiates the connection to the virtual desktop pool by using RD Web
Access or by using RemoteApp and Desktop Connection.
• The user sends the request to the RD Session Host server running in
redirection mode by using RD Web Access or RemoteApp and Desktop
Connection.
• The RD Session Host server redirects the request to the RD Connection Broker
server.
• The RD Connection Broker server verifies whether any existing session exists
for the requesting user account. If a session already exists, the RD Connection
Broker server returns the virtual machine name to the RD Session Host server
running in redirection mode. If the session does not exist, the RD Connection
Broker server sends a request to the RD Virtualization Host server to locate
and start the virtual machine. The RD Connection Broker server returns the
virtual machine name to the RD Session Host server running in redirection
mode.
• The RD Session Host server redirects the request to the client computer that
initiated the connection.
• The client computer connects to the virtual desktop pool.

Question: What are the requirements to set up a VDI?


Remote Desktop Connection Broker
Key Points
RD Connection Broker is a role service in Windows Server 2008 R2 that enables a
user to reconnect to an existing session in a load-balanced RD Session Host server farm.
The RD Connection Broker role service provides the following functionality:
• Allows users to reconnect to their existing sessions in a load-balanced RD
Session Host server farm. This prevents a user with a disconnected session
from being connected to a different RD Session Host server in the farm and
starting a new session.
• Enables you to evenly distribute the session load among RD Session Host
servers in a load-balanced RD Session Host server farm.
• Provides users access to virtual desktops hosted on RD Virtualization Host
servers and to RemoteApp programs hosted on RD Session Host servers
through RemoteApp and Desktop Connection.
Connection to existing sessions
RD Connection Broker keeps track of user sessions in a load-balanced RD Session
Host server farm. The RD Connection Broker database stores session information,
including the name of the RD Session Host server where each session resides, the
session state for each session, the session ID for each session, and the user name
associated with each session. RD Connection Broker uses this information to
redirect a user who has an existing session to the RD Session Host server where
the user’s session resides.
If a user disconnects from a session intentionally or because of a network failure,
the applications that the user is running will continue to run. When the user
reconnects, RD Connection Broker is queried by the Remote Desktop client to
determine whether the user has an existing session, and if so, on which RD Session
Host server in the farm. If there is an existing session, RD Connection Broker
redirects the client to the RD Session Host server where the session exists.

RD Connection Broker Load Balancing


The RD Connection Broker Load Balancing feature enables you to distribute the
session load between servers in a load-balanced RDS server farm. When a user
without an existing session connects to an RD Session Host server in the load-
balanced RD Session Host server farm, RD Connection Broker Load Balancing
redirects the user to the RD Session Host server with the fewest sessions. If a user
with an existing session reconnects, RD Connection Broker Load Balancing
redirects the user to the RD Session Host server where the user’s existing session
resides. To distribute the session load between more powerful and less powerful
servers in the farm, you can assign a relative server weight value to a server.

Access to RemoteApp and Desktop Connection


RD Connection Broker also provides users with access to RemoteApp and Desktop
Connection. RemoteApp and Desktop Connection provides a customized view of
RemoteApp programs and virtual desktops to the users. RD Connection Broker
supports load balancing and reconnection to the existing sessions on virtual
desktops accessed by using RemoteApp and Desktop Connection. To configure the
RD Connection Broker server to support RemoteApp and Desktop Connection, use
the Remote Desktop Connection Manager tool.

Question: How can you provide users a unified view and access to RemoteApps
that are published on multiple RD Session Hosts servers?
Virtual Machines for Virtual Desktop
Key Points
RD Virtualization Host is a mandatory role service for VDI. It integrates with
Hyper-V to provide virtual machines by using RemoteApp and Desktop
Connection. You can configure RD Virtualization Host to assign each user a unique
virtual machine as a personal virtual desktop, or to redirect users to a virtual
desktop pool from which a virtual machine is dynamically assigned at logon.
Virtual machines that are used for virtual desktops can only use Windows client
operating systems and be members of Active Directory domain. You cannot install
Windows Server 2008 R2 on a virtual machine and use it as a virtual desktop. If
you configure virtual desktop pools, you need to identically configure virtual
machines in a virtual desktop pool, including the programs. If you use a personal
virtual desktop, you can assign only one personal virtual desktop at a time and the
domain functional level must be at least Windows Server 2008. In a personal
virtual desktop scenario, each user has its own virtual machine; while in a virtual
desktop pool scenario, the number of virtual machine images is greatly reduced
because the same image is used for multiple users. For the client operating
system of the virtual machines you can use Windows 7, Windows Vista Enterprise,
or an earlier Windows client operating system that supports Remote Desktop.
After installing a virtual machine, configure it to work with RDS. You need to
configure the following on the virtual machine:
• Join the virtual machine to the domain.
• Enable Remote Desktop.
• Add user accounts to the local Remote Desktop Users security group.
• Allow remote RPC (set the AllowRemoteRPC registry value to 1).
• Create a firewall exception to allow Remote Service Management.
• Grant the RD Virtualization Host server's computer account permissions on
the RDP-Tcp listener.

Question: Are there any special considerations regarding the operating system
used for virtual desktop virtual machines?
Demonstration: How To Configure VDI in Windows Server 2008 R2

Key Points
1. On the physical host computer, open the Server Manager console to add the
Remote Desktop Services server role and the Remote Desktop Virtualization
Host role services.
2. Log on to LON-CL2 with the user name contoso\administrator, and the
password, Pa$$w0rd.
3. On LON-CL2, add the domain group, RD Users to the local group, Remote
Desktop Users with the following information:
• Select Allow connections only from computers using Remote Desktop
with Network Level Authentication (more secure)
• Remote Desktop Users: RD Users
4. Change the registry value of AllowRemoteRPC to 1 by using the Registry
Editor.
5. Set the firewall settings to allow the programs of Remote Service Management
through Windows Firewall.
6. Open the script file, RDS-pool, in RDSConfig, replace the computer name with
the name of the physical computer, and then run the RDS-pool file.
7. Log off from LON-CL2.
8. On LON-SVR1, open the Remote Desktop Connection Manager console to
configure the virtual desktop with the following information:
• Server name of RD Virtualization Host Server: physical computer
name.contoso.com (name of your physical computer)
• Server name of Redirection Settings: LON-SVR1.contoso.com
• Server name of RD Web Access Server: LON-SVR1.contoso.com
• Clear the Assign personal virtual desktop checkbox
9. Create a Virtual Desktop Pool with the following information:
• Virtual Machine Name: 10159A-LON-CL2
• Display name: Contoso Virtual Desktop Pool
• Pool ID: CONTOSO_VDP
10. On LON-DC1, log on to the Remote Desktop Web page with the username,
contoso\rduser and the password, Pa$$w0rd to verify whether there is full
Remote Desktop Connection to LON-CL2.
Question: How would the configuration differ if you used a Personal Virtual
Desktop instead of a Virtual Desktop Pool?
Lab: Configuring Remote Desktop Services and Virtual Desktop Infrastructure in
Windows Server 2008 R2

Introduction
In this lab, you will configure Remote Desktop Services and Virtual Desktop
Infrastructure in Windows Server 2008 R2. To do this, you will publish
RemoteApp applications by using RemoteApp and Remote Desktop Connection
Broker. You will create CAP and RAP to publish applications for external users by
using Remote Desktop Gateway. Finally, you will configure and verify the
functionality of Virtual Desktop Pool.

Objectives
After completing this lab, you will be able to:
• Publish applications by using RemoteApp and Remote Desktop Connection
Broker.
• Publish applications for external users by using Remote Desktop Gateway.
• Configure Virtual Desktop Pool.

Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
Lab Scenario
You are a server administrator at Contoso, Ltd. Your organization provides
banking services to many customers. For some customers, your organization
provides home services by sending a bank representative to the customer’s
residence. To ensure that the representative can access critical applications at all
times, the organization wants you to publish specific applications on the Internet
by using Remote Desktop RemoteApp. To allow the representative to access the
application from any computer, you have to install and configure the RDS role
services, which are required to publish bank applications by using Remote
Desktop Services, on LON-DC1 and LON-SVR1 servers. You also need to configure
the RD Gateway role service on LON-SVR1 and verify that you can access
published RemoteApps from the Internet. Finally, you need to verify the Virtual
Desktop Infrastructure on your local intranet.

The following instructions are for configuring a test lab using a minimum number of
computers. Individual computers are required to separate the services provided on the
network and to clearly show the desired functionality. This configuration is neither
designed to reflect best practices nor does it reflect a desired or recommended
configuration for a production network. The configuration, including IP addresses and all
other configuration parameters, is designed only to work on a separate test lab network.
Exercise 1: Publishing Applications Using RemoteApp and Remote Desktop
Connection Broker


The main tasks for this exercise are as follows:
1. Start the virtual servers.
2. Review predefined group memberships.
3. Publish RemoteApp applications.
4. Configure the Group Membership on Remote Desktop Session Host servers.
5. Configure Remote Desktop Connection Broker to Aggregate RemoteApp
applications.
6. Configure Remote Desktop Web Access to use the publishing servers.
7. Test the Remote Desktop Connection Broker.
8. Configure RemoteApp application filtering.
9. Implement RemoteApp and Desktop Connection.

Task 1: Start the virtual servers.
• Log on to LON-DC1 with the username Contoso\Administrator, and the
password, Pa$$w0rd.
• Log on to LON-SVR1 with the username contoso\Administrator, and the
password, Pa$$w0rd.
• Log on to LON-CL1 with the user name, contoso\administrator, and the
password, Pa$$w0rd.
• Log on to LON-CL2 with the user name, contoso\administrator, and the
password, Pa$$w0rd.

Task 2: Review predefined group memberships.
• On LON-DC1, open the Active Directory Users and Computers console to
check whether ruser is a member of RD Users and whether LON-DC1 and
LON-SVR1 are members of RD Web Computers.

Task 3: Install and publish RemoteApp applications.
• On LON-DC1, install the Remote Desktop Services server role by using the
Server Manager console with the following information:
• Role Services: Remote Desktop Session Host, Remote Desktop
Connection Broker, Remote Desktop Gateway, and Remote
Desktop Web Access
• Authentication Method for Remote Desktop Session Host: Do not
require Network Level Authentication
• Licensing Mode: Configure later
• Server Authentication Certificate for SSL Encryption: Create a self-
signed certificate for SSL encryption
• Create Authorization Policies for RD Gateway: Now
• Users Groups That Can Connect Through RD Gateway: RD Users
• RD RAP for RD Gateway: RD Web Computers
• Role services: Routing and Remote Access Services
• Log on to LON-DC1 with the user name, contoso\administrator, and the
password, Pa$$w0rd.
• On LON-DC1, add the calculator and paint programs to the list of RemoteApp
Programs by using the RemoteApp Manager console.
• On LON-SVR1, install the Remote Desktop Services server role by using the
Server Manager console with the following information:
• Role Services: Remote Desktop Session Host, Remote Desktop
Connection Broker, Remote Desktop Gateway, and Remote
Desktop Web Access
• Authentication Method for Remote Desktop Session Host: Do not
require Network Level Authentication
• Licensing Mode: Configure later
• Server Authentication Certificate for SSL Encryption: LON-
SVR1.Contoso
• Log on to LON-SVR1 with the user name, contoso\administrator, and the
password, Pa$$w0rd.
• On LON-SVR1, add the Notepad.exe and WordPad programs to the list of
available RemoteApp Programs by using the RemoteApp Manager console.
Task 4: Configure the Group Membership on Remote Desktop Session
Host servers.
• On LON-DC1, add RD Web Computers to the TS Web Access Computers
group and RD Users to the Remote Desktop Users group.
• On LON-SVR1, add RD Web Computers to the TS Web Access Computers
group and RD Users to the Remote Desktop Users group.

Task 5: Configure Remote Desktop Connection Broker to aggregate
RemoteApp applications.
• On LON-SVR1, configure LON-DC1.contoso.com and LON-
SVR1.contoso.com as RemoteApp sources to aggregate the published
RemoteApp applications.

Task 6: Configure Remote Desktop Web Access to use the publishing
servers.
• On LON-SVR1, open the RD Web Access Web page to retrieve the aggregated
list of RemoteApp applications from Remote Desktop Connection Brokers
with the following information:
• Domain\username: contoso\administrator
• Password: Pa$$w0rd
• Select An RD Connection Broker server
• Source name: LON-SVR1.contoso.com

Task 7: Test the Remote Desktop Connection Broker.
• On LON-CL1, log on to RD Web Access as contoso\ruser and verify whether
all four published RemoteApp applications are available on the Remote
Desktop Services Web Access page.

Task 8: Configure RemoteApp application filtering.
• On LON-SVR1, in RemoteApp Manager, use the User Assignment property to
specify contoso\administrator as the domain user or group that can see the
RemoteApp program's icon, so that other users are prevented from viewing it.
• On LON-CL1, verify that the WordPad RemoteApp program icon is no longer
available for ruser.
Task 9: Implement RemoteApp and Desktop Connection.
• On LON-CL1, set up a new connection with RemoteApp and Desktop
Connections by using http://LON-SVR1.contoso.com/RDweb/Feed/webfeed.aspx
as the connection URL.
• On LON-CL1, check whether the program group contains all RemoteApp
applications that you wanted to be available to the user.

Results: After this exercise, you should have published RemoteApp applications and
configured Remote Desktop Connection Broker and Remote Desktop Web Access to
aggregate RemoteApp applications and to use the publishing servers.
Exercise 2: Publishing Applications for External Users Using Remote Desktop
Gateway
The main tasks for this exercise are as follows:
1. Enroll a certificate for Remote Desktop Gateway.
2. Configure SSL settings for Remote Desktop Gateway.
3. Create a Connection Authorization Policy.
4. Create a Resource Authorization Policy.
5. Configure RemoteApp servers to use Remote Desktop Gateway for RemoteApp
connections.
6. Reconfigure LON-CL1 to be on the public network.
7. Connect to the published RemoteApps by using Remote Desktop Gateway.

Task 1: Enroll a certificate for Remote Desktop Gateway.
• On LON-SVR1, open the Certificates snap-in for the computer account and
enroll for a certificate with the following information:
• Select DirectAccess and More information is required to enroll for this
certificate
• Type of Subject Name: Common Name
• Value: external.contoso.com
• Type of Alternative Name: DNS
• Value: external.contoso.com

Task 2: Configure SSL settings for Remote Desktop Gateway.
• On LON-SVR1, import the SSL certificate, external.contoso.com to the Remote
Desktop Gateway server.

Task 3: Create a Connection Authorization Policy.
• On LON-SVR1, create a Connection Authorization Policy (CAP) that specifies
which users are allowed to connect through the RD Gateway server, with the
following information:
• Type a name for the RD CAP: Authorized Remote Users
• User group membership: RD Users
Task 4: Create a Resource Authorization Policy.
• On LON-SVR1, create a Resource Authorization Policy (RAP) that specifies
which internal network resources users can connect to through Remote Desktop
Gateway, with the following information:
• Type a name for the RD RAP: Authorized Target Computers
• User Groups: RD Users
• Network Resources: RD Web Computers

Task 5: Configure RemoteApp servers to use Remote Desktop Gateway
for RemoteApp connections.
• On LON-DC1, set external.contoso.com as the RD Gateway server by using the
RD Gateway server settings of RemoteApp Manager.
• On LON-SVR1, set external.contoso.com as the RD Gateway server by using
the RD Gateway server settings of RemoteApp Manager.

Task 6: Reconfigure LON-CL1 to be on the public network.
• On the physical computer, reconfigure LON-CL1 to connect to both the
intranet and the public network with the following information:
• IP Address for public network: 131.107.0.101
• Subnet mask: 255.255.255.0
• IP Address for intranet: 192.168.10.0
• Subnet mask: 255.255.255.0
• Open the Command Prompt window to verify that there is access to the
external network interface of RD Gateway (IP 131.107.0.2).
• Verify that there is no access to LON-DC1 (IP 192.178.10.1).

Task 7: Connect to the published RemoteApps by using Remote
Desktop Gateway.
• On LON-CL1, connect to RD Web Access with the user name, contoso\ruser
and the password, Pa$$w0rd.
• Import the certificate into the Trusted Root Certification Authorities store,
and then connect as ruser to the published RemoteApp program, Calculator.
Results: After this exercise, you should have published applications for external users
by using Remote Desktop Gateway and by creating a Resource Authorization Policy.
Exercise 3: Configuring Virtual Desktop Pool
The main tasks in this exercise are as follows:
1. Configure the Remote Desktop Virtualization Host server.
2. Configure the virtual machine for Remote Desktop services.
3. Configure the Virtual Desktop Pool.
4. Verify the Virtual Desktop Pool functionality.

Task 1: Configure the Remote Desktop Virtualization Host server.
• On the physical host computer, use the computer name, domain and
workgroup settings to join the physical host computer to the contoso.com
domain, and then save the states of LON-DC1, LON-SVR1, and LON-CL1.
• Restart the physical computer.
• Log on to the physical host computer with the user name, Physical computer
name\Administrator and the password, Pa$$w0rd.
• On the physical host computer, open the Server Manager console to add the
Remote Desktop Services server role and the Remote Desktop Virtualization
Host role services.

Task 2: Configure the virtual machine for Remote Desktop services.
• On the physical computer, connect to 10159A-LON-CL1, 10159A-LON-SVR1,
and 10159A-LON-DC1.
• Log on to LON-CL2 with the user name contoso\administrator, and the
password, Pa$$w0rd.
• On LON-CL2, add the domain group, RD Users to the local group, Remote
Desktop Users with the following information:
• Select Allow connections only from computers using Remote Desktop
with Network Level Authentication (more secure)
• Remote Desktop Users: RD Users
• Change the registry value of AllowRemoteRPC to 1 by using the Registry
Editor.
• Set the firewall settings to allow the programs of Remote Service Management
through Windows Firewall.
• On LON-CL2, open the RDS-pool script file in RDSConfig, replace the
computer name with the name of the physical computer, and then run the
RDS-pool file.
• Log off from LON-CL2.
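The guest-side settings that the demonstration and Exercise 3, Task 2 apply through the GUI (Remote Desktop with Network Level Authentication, the Remote Desktop Users group, AllowRemoteRPC, and the Remote Service Management firewall exception) as one PowerShell script. This is an added example and not part of the course; it assumes an elevated PowerShell 2.0 session on the Windows 7 guest and the lab's contoso\RD Users group.

```powershell
# Added example (not course material): prepare a Windows 7 VDI guest such as
# LON-CL2 so the RD Virtualization Host can manage it and RD Users can connect.
# Run in an elevated PowerShell session on the guest.

$rdUsersGroup = 'contoso\RD Users'   # lab domain group; assumed, change for another domain
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Enable Remote Desktop and require Network Level Authentication, which is
#    the "Allow connections only from computers using Remote Desktop with
#    Network Level Authentication (more secure)" option in System Properties.
Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

# 2. Add the domain group to the local Remote Desktop Users group.
#    net.exe is used because Windows 7 has no Add-LocalGroupMember cmdlet.
$members = net localgroup 'Remote Desktop Users' | ForEach-Object { $_.Trim() }
if ($members -notcontains $rdUsersGroup) {
    net localgroup 'Remote Desktop Users' $rdUsersGroup /add | Out-Null
}

# 3. Let the RD Virtualization Host reach the guest over RPC (AllowRemoteRPC = 1).
Set-ItemProperty -Path $tsKey -Name AllowRemoteRPC -Value 1 -Type DWord

# 4. Open the Remote Service Management rule group in Windows Firewall.
netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes | Out-Null

# Re-read the settings so the state can be checked before running RDS-pool.
$members = net localgroup 'Remote Desktop Users' | ForEach-Object { $_.Trim() }
$state = New-Object PSObject -Property @{
    RdpEnabled     = ((Get-ItemProperty $tsKey).fDenyTSConnections -eq 0)
    NlaRequired    = ((Get-ItemProperty $rdpTcp).UserAuthentication -eq 1)
    AllowRemoteRPC = (Get-ItemProperty $tsKey).AllowRemoteRPC
    RdUsersAdded   = ($members -contains $rdUsersGroup)
}
$state | Format-List
```

All four values in the final listing should read True, True, 1, True before the VM is used as a pool member.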

Task 3: Configure the Virtual Desktop Pool.
• On LON-SVR1, open the Remote Desktop Connection Manager console to
configure the virtual desktop with the following information:
• Server name of RD Virtualization Host Server: physical computer
name.contoso.com
• Server name of Redirection Settings: LON-SVR1.contoso.com
• Server name of RD Web Access Server: LON-SVR1.contoso.com
• Clear the Assign personal virtual desktop checkbox
• Create a Virtual Desktop Pool with the following information:
• Virtual Machine Name: 10159A-LON-CL2
• Display name: Contoso Virtual Desktop Pool
• Pool ID: CONTOSO_VDP

Task 4: Verify the Virtual Desktop Pool functionality.
• On LON-DC1, log on to the Remote Desktop Web page with the username,
contoso\ruser and the password, Pa$$w0rd to verify whether there is full
Remote Desktop Connection to LON-CL2.

Results: After this exercise, you should have configured Remote Desktop Virtualization
Host server, the virtual machine for Remote Desktop services, and Virtual Desktop
Pool.

The answers to the exercises are on the Course Companion CD.

Before proceeding to the next lab, reset the lab environment.


Lab Review
1. How will you restrict a user from viewing the icon for a RemoteApp program?
You need to use the User Assignment feature of Remote Desktop Services to
restrict a user from viewing the icon for a RemoteApp program.

2. How will you create the configuration files for the program groups?
You need to use Remote Desktop Connection Manager to create the configuration
files for the program groups.
Module Reviews and Takeaways

Review Questions
1. Users in your organization need access to an application that must not be
installed locally on the client computers. How can you provide them access to
the application?
2. Can users access published RemoteApps from the Internet or from outside the
internal network?
3. How is the use of RemoteApp and Desktop Connection different from simply
accessing RemoteApp from RD Web Access?
4. Where does RD Gateway provide additional protection for RDP traffic?
5. You want to evaluate a VDI solution that is included in Windows Server 2008
R2. Which server role, besides RDS, must be available in your testing
environment?
6. Name the two types of Virtual Desktop Infrastructure.
7. You installed RDS in a testing environment. After 120 days, you are no longer
able to connect to the RDS server. What is the most probable reason for this?

Real-World Issues and Scenarios
1. You need to provide access to RemoteApp applications and virtual desktops
from a public network. What should you consider when evaluating the RD
Gateway feature?
2. When you implement a VDI solution for your users, what are the
considerations you should be aware of?

Tools

Tool                              Use                                                  Where to find it
Remote Desktop Services Manager   GUI tool for administering Remote Desktop Services   Administrative Tools on the Start menu
Remote Desktop Gateway Manager    GUI tool for managing RD Gateway                     Installed when you add the RD Gateway role service
RemoteApp and Desktop Connection  GUI tool for integrating RemoteApps and Desktop      Control Panel
                                  Connection with the Start menu
Hyper-V Manager                   GUI tool for managing Hyper-V                        Installed when you add the Hyper-V role
Deploying and Configuring Remote Access Services 5-1

Module 5
Deploying and Configuring Remote Access Services
Contents:
Lesson 1: Overview of DirectAccess 5-4
Lesson 2: Deploying DirectAccess 5-17
Lesson 3: Configuring VPN Reconnect 5-37
Lab: Deploying and Configuring Remote Access Services 5-48
Module Overview

Many users access their corporate network remotely either from branch offices or
while they are traveling. Windows operating systems include built-in support for
remote access services, such as dial-up or virtual private network (VPN)
connections. Both these remote access services are supported in Windows Server®
2008 R2 and VPN is enhanced with the VPN Reconnect feature. Windows Server
2008 R2 also introduces the DirectAccess feature that provides users with the
experience of being seamlessly connected to the corporate network from any place
where there is Internet access. With DirectAccess, users are able to securely access
corporate resources such as e-mail servers, shared folders, or intranet Web sites,
without establishing a VPN connection.
In this module, you will learn about the features and benefits of DirectAccess and
how DirectAccess works. You will also learn why an IPv6 network is important in
the context of DirectAccess. However, IPv6 is not mandatory, because you can use
IPv6 transition technologies on the existing IPv4 network. You will learn how the
Name Resolution Policy Table (NRPT) helps send Domain Name System (DNS)
queries to the appropriate DNS server. In addition, you will learn about the
requirements for establishing DirectAccess, and how to deploy and configure
DirectAccess.
Further, you will learn about the features and benefits of VPN Reconnect, and how
to configure it. You will also learn about Secure Socket Tunneling Protocol (SSTP),
which enables you to establish the VPN connection through firewalls.
After completing this module, you will be able to:
• Describe DirectAccess.
• Deploy DirectAccess.
• Configure VPN Reconnect.
Lesson 1
Overview of DirectAccess

Organizations typically rely on VPN connections to provide remote users with
secure access to data and resources on the corporate network. VPN connections
are easy to configure and are supported by different clients. However, a VPN
connection must first be established, and it may require additional configuration
on the firewall. Also, VPN connections usually enable remote access to the entire
corporate network. Moreover, organizations cannot effectively manage remote
computers. To overcome such limitations of VPN connections, organizations can
implement DirectAccess, available in Windows Server 2008 R2 and Windows® 7,
to provide a seamless connection between the internal network and the remote
computer whenever there is Internet connectivity. With DirectAccess, organizations
can easily manage remote computers.
In this lesson, you will learn about the features and benefits of DirectAccess. You
will also learn how DirectAccess works. Further, you will learn about the Name
Resolution Policy Table (NRPT) and the importance of enabling IPv6 in an
enterprise.
After completing this lesson, you will be able to:
• Describe the features and benefits of DirectAccess.
• Describe how DirectAccess works.
• Describe Name Resolution Policy Table (NRPT).
• Describe how the DirectAccess client determines the type of network.
• Describe the importance of enabling IPv6 in the enterprise.
Features and Benefits of DirectAccess

Windows Server 2008 R2 and Windows 7 include a feature called DirectAccess
that enables seamless remote access to intranet resources without establishing the
VPN connection first. The DirectAccess feature also ensures seamless connectivity
on application infrastructure for internal users and remote users.
Unlike traditional virtual private networks (VPNs), which require user intervention
to initiate a connection to an intranet, DirectAccess allows any application on the
client computer to have complete access to intranet resources. DirectAccess also
allows you to specify resources and client-side applications that are restricted for
remote access.
Organizations will benefit from DirectAccess because remote computers can be
managed as if they are local computers—using the same management and update
servers—to ensure they are always up-to-date and in compliance with security and
system health policies. You can also define more detailed access control policies for
remote access when compared with current VPN solutions.
DirectAccess has the following features:
• Connects automatically to the corporate intranet when connected to the Internet
• Uses various protocols, including HTTPS, to establish IPv6 connectivity.
HTTPS is typically allowed through firewalls
• Supports selected server access and IP security (IPSec) authentication with an
intranet network server
• Supports end-to-end authentication and encryption
• Supports management of remote client computers
• Allows remote users to connect directly to intranet servers
DirectAccess is designed with the following benefits:
• Always-on connectivity. Whenever the user connects the client computer to
the Internet, the client computer is connected to the intranet as well. This
connectivity enables remote client computers to access and update
applications easily. It also makes intranet resources always available, and
enables users to connect to the corporate intranet from anywhere and anytime,
thereby improving their productivity and performance.
• Seamless connectivity. DirectAccess provides a consistent connectivity
experience whether the client computer is local or remote. This allows users to
focus more on productivity and less on connectivity options and process. This
consistency can reduce training costs for users and result in fewer support incidents.
• Bidirectional access. DirectAccess can be configured so that not only do
DirectAccess clients have access to intranet resources, but you also have access
from the intranet to those DirectAccess clients when they are connecting over a
public network. This ensures that the client computers are always updated
with recent security patches, the domain Group Policy is enforced, and there is
no difference whether users are in the corporate intranet or in the public
network.
• This bidirectional access also results in:
• Decreased update time
• Increased security
• Decreased update miss rate
• Improved compliance monitoring
• Improved security. Unlike traditional VPNs, DirectAccess offers many levels
of access control to network resources. This tighter degree of control allows
security architects to precisely control remote users who access specified
resources. IPSec encryption is used for protecting DirectAccess traffic so that
users can ensure that their communication is safe. You can use a granular
policy to define who can use DirectAccess, and from where.
• Integrated solution. DirectAccess fully integrates with Server and Domain
Isolation and Network Access Protection (NAP) solutions, resulting in security,
access, and health requirement policies that seamlessly integrate between
intranet and remote computers.
Question: How would your company benefit from DirectAccess?
How DirectAccess Works

Key Points
The DirectAccess connection process happens automatically, without requiring
user intervention. DirectAccess clients use the following process to connect to
intranet resources:
• The DirectAccess client computer running Windows 7 detects whether it is
connected to a network.
• The DirectAccess client computer attempts to connect to an intranet Web site
that is specified during the DirectAccess configuration. If the Web site is
available, the DirectAccess client verifies that the client computer is already
connected to the intranet and the DirectAccess connection process stops. If the
Web site is not available, the DirectAccess client verifies that the client
computer is connected to the Internet and the DirectAccess connection
process continues.
• The DirectAccess client computer connects to the DirectAccess server using
IPv6 and IPSec. If a native IPv6 network is not available, the client establishes
an IPv6-over-IPv4 tunnel by using 6to4 or Teredo. Note that the user does not
have to be logged on to the computer for this step to complete.
• If a firewall or proxy server prevents the client computer using 6to4 or Teredo
from connecting to the DirectAccess server, the client computer automatically
attempts to connect by using the IP-HTTPS protocol, which uses a Secure
Sockets Layer (SSL) connection to ensure connectivity.
• To establish the IPSec session, the DirectAccess client and server authenticate
each other by using computer certificates.
• By validating Microsoft® Active Directory® directory service group
memberships, the DirectAccess server verifies that the computer and user are
authorized to connect by using DirectAccess.
• If Network Access Protection (NAP) is enabled and configured for health
validation, the DirectAccess client obtains a health certificate from a Health
Registration Authority (HRA) located on the Internet prior to connecting to the
DirectAccess server. The HRA forwards the DirectAccess client’s health status
information to an NAP health policy server. The NAP health policy server
processes the policies defined within the Network Policy Server (NPS) and
determines whether the client is compliant with system health requirements. If
the client is compliant, the HRA obtains the health certificate for the
DirectAccess client. When the DirectAccess client connects to the DirectAccess
server, the health certificate is submitted for authentication.
• The DirectAccess server begins forwarding traffic from the DirectAccess client
to the intranet resources to which the user has been granted access.

Question: Is native IPv6 network connectivity required between the client and the
target server on the intranet, if you want to use DirectAccess?
Name Resolution Policy Table

Key Points
To separate Internet traffic from Intranet traffic for DirectAccess, Windows
Server 2008 R2 and Windows 7 include the Name Resolution Policy Table
(NRPT), a feature that allows DNS servers to be defined per DNS namespace,
rather than per interface. The NRPT stores a list of rules. Each rule defines a DNS
namespace and configuration settings that define the DNS client’s behavior for that
namespace. When a DirectAccess client is on the Internet, each name query
request is compared against the namespace rules stored in the NRPT. If a match is
found, the request is processed according to the settings in the NRPT rule.
If a name query request does not match a namespace listed in the NRPT, the
request is sent to the DNS servers configured in the TCP/IP settings for the
specified network interface. For a remote client, the DNS servers will typically be
the Internet DNS servers configured through the Internet service provider (ISP).
For a DirectAccess client on the intranet, the DNS servers will typically be the
intranet DNS servers configured through DHCP.
Single-label names, for example, http://internal, will typically have configured DNS
search suffixes appended to the name before they are checked against the NRPT.
If no DNS search suffixes are configured and the single-label name does not match
any other single-label name entries in the NRPT, the request will be sent to the
DNS servers specified in the client’s TCP/IP settings.
Namespaces, for example, internal.contoso.com, are entered into the NRPT
followed by the DNS servers to which requests matching that namespace should
be directed. If an IP address is entered for the DNS server, all DNS requests will be
sent directly to the DNS server over the DirectAccess connection. You need not
specify any additional security for such configurations. However, if a name is
specified for the DNS server, such as dns.contoso.com in the NRPT, the name must
be publicly resolvable when the client queries the DNS servers specified in its
TCP/IP settings.
The NRPT allows DirectAccess clients to use intranet DNS servers for name
resolution of internal resources and Internet DNS for name resolution of other
resources. Dedicated DNS servers are not required for name resolution.
DirectAccess is designed to prevent the exposure of your intranet namespace to the
Internet.
Some names need to be treated differently with regards to name resolution; these
names should not be resolved by using intranet DNS servers. To ensure that these
names are resolved with the DNS servers specified in the client’s TCP/IP settings,
you must add them as NRPT exemptions.
The NRPT is controlled through Group Policy. When the computer is configured to
use the NRPT, the name resolution mechanism first tries the local name cache, then
the hosts file, then the NRPT, and finally sends the query to the DNS servers
specified in the TCP/IP settings.

Question: How can you benefit from NRPT?



How the DirectAccess Client Determines the Type of Network

Network location server


A network location server is an internal network server that hosts an HTTPS-based
URL. DirectAccess clients try to access the network location server URL to
determine whether they are located on the intranet or on the public network. The
DirectAccess server can also be the network location server. The network location
server should be highly available, and the web server on the network location
server does not have to be dedicated to supporting DirectAccess clients.
It is critical that the network location server is available from each company
location, because the behavior of the DirectAccess client depends on the response
from the network location server. Branch locations may need a separate network
location server at each branch location to ensure that network location server
remains accessible even when there is a link failure between branches.

Intranet detection
When a DirectAccess client experiences a significant network change event, such
as a change in link status or a new IP address, the DirectAccess client assumes that
it is not on the intranet and uses the DirectAccess rules in the NRPT to determine
where to send DNS name queries. The DirectAccess client then attempts to resolve
the fully qualified domain name (FQDN) in the URL for the network location server.
Because the NRPT has active rules for DirectAccess, the FQDN should either match
an exemption rule or no rule in the NRPT, so that the DirectAccess client uses
interface-configured DNS servers. If the DirectAccess client is not on the intranet,
it will not be able to resolve the FQDN of the network location server, and name
resolution will fail.
If FQDN resolution is successful, the DirectAccess client attempts to connect to the
network location server. When the DirectAccess client successfully accesses the
HTTPS-based URL of the network location server, it determines that it is on the
intranet. The DirectAccess client then removes the DirectAccess NRPT rules from
the active table and uses interface-configured DNS servers to resolve all names. If
the DirectAccess client cannot access the network location server, or its FQDN
resolution is not successful, the DirectAccess client assumes that it is on the
Internet and establishes a DirectAccess connection.
To reduce the traffic on the corporate network, DirectAccess separates intranet
traffic from Internet traffic. Most VPNs send all traffic, including traffic that is
destined for the Internet, through the VPN, which reduces both intranet and
Internet access speed. DirectAccess does not reduce Internet access speed,
because communications to the Internet do not have to travel to the corporate
network and back to the Internet.
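To make the NRPT lookup order and the network location detection described above concrete, here is an added Python simulation; it is not code from the course or from Windows, and the rule set, the ISP resolver address 203.0.113.53 and the probe callbacks are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class NrptRule:
    namespace: str          # ".contoso.com" = any name under that suffix; "nls.contoso.com" = that name only
    dns_servers: List[str]  # intranet DNS servers; an empty list marks an exemption rule


class DirectAccessClient:
    """Models the lookup order the text describes: local cache, hosts file, NRPT, interface DNS."""

    def __init__(self, rules: List[NrptRule], search_suffixes: List[str],
                 interface_dns: List[str], hosts: Dict[str, str] = None):
        self.rules = rules
        self.search_suffixes = search_suffixes
        self.interface_dns = interface_dns   # ISP servers when remote, DHCP-assigned servers on the intranet
        self.hosts = {k.lower(): v for k, v in (hosts or {}).items()}
        self.cache: Dict[str, str] = {}
        self.rules_active = True             # DirectAccess rules are in the active table while off-intranet

    def _candidates(self, name: str) -> List[str]:
        name = name.rstrip(".").lower()
        if "." in name or not self.search_suffixes:
            return [name]
        # A single-label name has each configured DNS search suffix appended before the NRPT is checked.
        return [f"{name}.{suffix.lower()}" for suffix in self.search_suffixes]

    def _match_rule(self, fqdn: str):
        best = None
        for rule in self.rules:
            ns = rule.namespace.lower()
            hit = fqdn.endswith(ns) if ns.startswith(".") else fqdn == ns
            if hit and (best is None or len(ns) > len(best.namespace)):
                best = rule                  # the most specific (longest) namespace wins
        return best

    def where_to_send(self, name: str) -> Tuple[str, List[str]]:
        """Return (stage, dns_servers): which step answers the query and which servers it goes to."""
        for fqdn in self._candidates(name):
            if fqdn in self.cache:
                return ("cache", [])
            if fqdn in self.hosts:
                return ("hosts", [])
            if self.rules_active:
                rule = self._match_rule(fqdn)
                if rule is not None and rule.dns_servers:
                    return ("nrpt", rule.dns_servers)        # sent to intranet DNS over DirectAccess
                if rule is not None:
                    return ("exemption", self.interface_dns)  # exempt: interface-configured DNS
        return ("interface", self.interface_dns)

    def detect_location(self, nls_fqdn: str,
                        interface_resolves: Callable[[str], bool],
                        https_reachable: Callable[[str], bool]) -> str:
        """Network location detection after a significant network change event."""
        self.rules_active = True             # assume off-intranet until the NLS probe proves otherwise
        stage, _ = self.where_to_send(nls_fqdn)
        if stage == "nrpt":
            # The NLS name must hit an exemption or no rule; routed to intranet DNS it can never be probed.
            return "misconfigured"
        if not interface_resolves(nls_fqdn) or not https_reachable(nls_fqdn):
            return "internet"                # rules stay active; a DirectAccess connection is established
        self.rules_active = False            # intranet: DA rules removed, interface DNS resolves all names
        return "intranet"


INTRANET_DNS6 = "2002:836b:2:1:0:5efe:192.168.10.1"   # intranet DNS server address used in the lab demo
ISP_DNS = ["203.0.113.53"]                             # constructed ISP resolver for a remote client


def lab_client() -> DirectAccessClient:
    """Constructed rule set modelled on the course's contoso.com lab (not the course's own configuration)."""
    return DirectAccessClient(
        rules=[NrptRule(".contoso.com", [INTRANET_DNS6]),
               NrptRule("lon-svr1.contoso.com", [])],     # exemption for the network location server
        search_suffixes=["contoso.com"],
        interface_dns=ISP_DNS)


if __name__ == "__main__":
    client = lab_client()
    for name in ("lon-dc1.contoso.com", "internal", "lon-svr1.contoso.com", "www.example.com"):
        print(f"{name:22} -> {client.where_to_send(name)}")
    print("on the Internet:", client.detect_location("lon-svr1.contoso.com", lambda _: False, lambda _: False))
    print("on the intranet:", client.detect_location("lon-svr1.contoso.com", lambda _: True, lambda _: True))
    print("after detection:", client.where_to_send("lon-dc1.contoso.com"))
```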

Question: Why is it important for the DirectAccess client to determine whether it
is on-intranet or off-intranet?

Importance of Enabling IPv6 in the Enterprise

IPv6 is a critical technology that will help ensure that the Internet can support a
large user base and a large number of IP-enabled devices. The robustness,
scalability, and limited feature set of IPv4 are challenged by the growing need for
new IP addresses and the rapid growth of new network-aware devices.
The important benefits of IPv6 are as follows:
• Large address space
• IPSec included
• Better support for prioritized delivery and extensibility
The DirectAccess solution requires the use of IPv6 so that DirectAccess clients have
globally routable IP addresses. For organizations that are already using IPv6, the
DirectAccess solution seamlessly extends the existing infrastructure to
DirectAccess client computers and to client computers that access Internet
resources using IPv4.
For organizations that have not deployed IPv6, DirectAccess provides a simple
method to deploy IPv6 without requiring an infrastructure upgrade. You can use
the 6to4 and Teredo IPv6 transition technologies for connectivity across the IPv4
Internet and the ISATAP IPv6 transition technology, so that DirectAccess clients
can access IPv6-capable resources across your IPv4-only intranet.
You can deploy a Network Address Translation–Protocol Translation (NAT-PT)
device so that DirectAccess client computers can access resources on your intranet
that do not support IPv6.

Question: Can you use DirectAccess to connect to the Windows Server 2003 SP2
intranet server?

Lesson 2
Deploying DirectAccess

You can deploy DirectAccess to allow remote users to connect directly to intranet
servers. This helps organizations reduce costs and simplify their network edge by
reducing the number of application-specific front-end servers that need to be
deployed.
In this lesson, you will learn about the DirectAccess requirements, discuss how to
plan the DirectAccess solution, and then learn the process of installation and
deployment of DirectAccess.
After completing this lesson, you will be able to:
• Describe the client and server requirements for deploying DirectAccess.
• Describe the infrastructure requirements for deploying DirectAccess.
• Plan for the DirectAccess solution.
• Describe how to configure DirectAccess.
• Install and configure the DirectAccess server.
• Configure the DirectAccess client.



Client and Server Requirements

Key Points
To deploy DirectAccess, you need to ensure that the server meets the hardware and
network requirements:
• The server must be joined to an Active Directory domain.
• The server must have Windows Server 2008 R2 running.
• The server must have at least two physical network adapters installed; one is
connected to the Internet and the other is connected to the intranet.
• The server must have at least two consecutive static, public IPv4 addresses
assigned to the network adapter that is connected to the Internet.
• The server should not be placed behind a NAT.
On the DirectAccess server, you can install the DirectAccess Management Console
feature by using Server Manager. You can use the DirectAccess Management
Console to configure DirectAccess settings for the DirectAccess server and clients,
and monitor the status of the DirectAccess server. You may need more than one
DirectAccess server, depending on the deployment and scalability requirements.


To deploy DirectAccess, you also need to ensure that the client meets certain
requirements:
• The client should be joined to an Active Directory domain.
• The client should be running Windows 7 Ultimate Edition, Windows 7
Enterprise Edition, or Windows Server 2008 R2.
You cannot deploy DirectAccess on clients running Windows Vista™, Windows
Server 2008, or other earlier versions of Windows operating systems.

Infrastructure Requirements

Key Points
The following are the infrastructure requirements to deploy DirectAccess:
• Active Directory. You must deploy at least one Active Directory domain.
Workgroups are not supported.
• Group Policy. You need Group Policy for centralized administration and
deployment of DirectAccess client settings. The DirectAccess Setup Wizard
creates a set of Group Policy Objects and settings for DirectAccess clients,
DirectAccess servers, and management servers.
• DNS and domain controller. You must have at least one domain controller
and DNS server running Windows Server 2008 SP2 or Windows Server 2008
R2.
• Public key infrastructure (PKI). You need to use PKI to issue computer
certificates for authentication, and health certificates when Network Access
Protection (NAP) is used. You do not need external certificates. The Secure
Sockets Layer (SSL) certificate installed on the DirectAccess server must have a
certificate revocation list (CRL) distribution point that is reachable from the
Internet. The certificate Subject field must contain a fully qualified domain name
(FQDN) that can be resolved to a public IPv4 address assigned to the
DirectAccess server by using the Internet Domain Name System (DNS).
• IPSec policies. DirectAccess utilizes IPSec policies that are configured and
administered as part of Windows Firewall with Advanced Security.
• Internet Control Message Protocol Version 6 (ICMPv6) Echo Request
traffic. You must create separate inbound and outbound rules that allow
ICMPv6 Echo Request messages. The inbound rule is required to allow
ICMPv6 Echo Request messages and is scoped to all profiles. The outbound
rule to allow ICMPv6 Echo Request messages is scoped to all profiles and is
only required if Outbound block is turned on. DirectAccess clients that use
Teredo for IPv6 connectivity to the intranet use the ICMPv6 message when
establishing communication.
• IPv6 and transition technologies. IPv6 and the transition technologies such
as Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), Teredo, and
6to4 must be available for use on the DirectAccess server. For each DNS server
running Windows Server 2008 or Windows Server 2008 R2, you need to
remove the ISATAP name from the global query block list.

Question: You have a Windows Server 2003 Certificate Authority server in your
domain. Can you use the existing PKI infrastructure for DirectAccess, or should you
set up a new Certificate Authority server on Windows Server 2008 R2?

Planning for DirectAccess Solution

DirectAccess is a flexible solution that can be deployed in different ways to meet
your requirements. There are three steps for planning a DirectAccess deployment:
• Choose an access model.
• Choose a scalability model.
• Choose a deployment method.

Choosing an access model


You can choose the appropriate access model for your environment based on the
description of each access model listed in the following table.

• Full intranet access (end-to-edge). This model allows DirectAccess clients to
connect to all resources inside the intranet by using IPSec-based tunnel policies.
These policies require authentication and encryption, and IPSec sessions that
terminate at the IPSec Gateway. The IPSec Gateway is hosted on the DirectAccess
server by default, but can be moved to a separate computer. The Full Intranet
access model works with application servers running Windows Server 2003, and
IPSec-protected traffic is kept off the intranet. This model is similar to the
current VPN architecture, so it might be easier to deploy in the short term.
• Selected server access (modified end-to-edge). This model is similar to the Full
Intranet access model. However, communication between the DirectAccess client
and the IPSec Gateway is protected by IPSec-based tunnel policies requiring
encryption to the IPSec Gateway. This model also has an additional authentication
mechanism that involves creating an additional IPSec rule requiring ESP with
NULL encryption from the client to the application server. This encrypts the
client’s communication to the IPSec Gateway, but authenticates the communication
until it reaches the application server. This ensures that the DirectAccess client
communicates only with the intended servers. This access model also makes it
easy to create restriction policies to prevent specific users or applications on
DirectAccess clients from accessing specific servers.
• End-to-end. This model extends the IPSec policies to the application server, that
is, the DirectAccess client uses an IPSec transport policy that requires encryption
and authentication that terminates at the application server. The DirectAccess
server/IPSec Gateway simply acts as a pass-through device, allowing the IPSec
connections to pass to the application servers. A component on the DirectAccess
server, known as IPSec Denial of Service Protection (DoSP), monitors the IPSec
traffic to help prevent malicious Internet users from launching DoS attacks against
intranet resources.

Choosing a scalability model


You can choose the appropriate scalability model for your environment based on
the description of each scalability model listed in the following table.

• Single server. DirectAccess can be set up by using a single server. This type of
setup allows DirectAccess to provide all of the baseline functionality required to
operate. The purpose of DirectAccess is to provide connectivity to remote users,
though reliability and scalability are also important. In the single server model,
all the components of DirectAccess are hosted on the same server computer. The
benefit of this model is a relatively simple deployment, requiring only a single
DirectAccess server. The limitations of this model are a single point of failure
and server performance bottlenecks that can limit the maximum number of
concurrent DirectAccess connections.
• Multiple servers. DirectAccess can be configured inside a Windows Server® 2008
Hyper-V® failover cluster. The recommended configuration consists of two Hyper-V
hosts with failover clustering that support a single shared DirectAccess server in
a virtual machine. The two Hyper-V hosts will protect the system from a single
node failure for the DirectAccess server. The multiple server model provides
scalability, high availability, and enhanced management for a DirectAccess
deployment.

Choosing a deployment method


You can choose the appropriate deployment method for your environment based
on the description of each deployment method listed in the following table.

• DirectAccess Management Console. You configure the DirectAccess server by
using the DirectAccess Management Console. The DirectAccess Management Console
includes four sets of configuration settings, through which DirectAccess is
configured. The DirectAccess Setup Wizard provides several questions to determine
how the DirectAccess deployment should proceed. Before the changes are applied,
you have the option of saving the settings.
• Scripted installation by using Netsh.exe. You can configure DirectAccess clients
for customized DirectAccess deployments that need to be completely modified to
meet a unique set of needs, by using a scripted installation with Netsh.exe
commands. These custom scripted installations provide maximum flexibility and
the ability to create unique solutions.
• Client configuration by using Group Policy. Group Policy provides a policy-based
method to create, distribute, and apply DirectAccess settings to clients, which
allows for one-time and ongoing enforcement of DirectAccess settings. Group
Policy is used by DirectAccess setup and might optionally be used in a scripted
setup. You can also customize your DirectAccess configuration by manually
modifying the Group Policy Objects and settings.

Question: Which of the three DirectAccess models would you use in your
environment?

DirectAccess Configuration

To configure DirectAccess, you need to perform the following steps:

1. Install Windows Server 2008 R2 on a server computer with two physical
network adapters.
2. Join the DirectAccess server to an Active Directory domain.
3. Install the DirectAccess Management feature and configure the DirectAccess
server so that it is on the perimeter network with one network adapter
connected to the Internet and at least one other network adapter connected to
the intranet. Ensure that both network adapters are enabled and have their
respective IPv4 addresses configured, if there is no native IPv6 connectivity
available. This is critical for the DirectAccess server to derive its configuration
information automatically; otherwise, detailed configuration will need to be
configured manually.
4. Verify that the ports and protocols needed for DirectAccess and ICMP Echo
Request are enabled in the firewall exceptions and opened on the perimeter
and Internet-facing firewalls.
5. The DirectAccess server needs at least two consecutive publicly addressable
static IPv4 addresses that are externally resolvable through DNS. Ensure that
you have an IPv4 address available and that you have the ability to have that
address published in your externally-facing DNS server.
6. If you have disabled IPv6 on clients and servers, enable IPv6 because it is
required for DirectAccess.
7. Create a security group in Active Directory and add all client computer
accounts that will be accessing intranet through DirectAccess.
8. Install a Web server on the DirectAccess server to enable DirectAccess clients
to determine if they are inside or outside the intranet.
9. Designate one of the server network adapters as the Internet-facing interface.
This interface will require two consecutive, public IPv4 addresses. Both these
IPv4 addresses must be assigned to the same interface.
10. On the DirectAccess server, ensure that the Internet-facing interface is
configured to be either a Public or a Private interface, depending on your
network design. Configure the intranet interfaces as Domain interfaces. No
other combinations are supported. If you have more than two interfaces,
ensure that no more than two classification types are selected.
11. Add and configure the Certificate Authority server role, create the certificate
template and CRL distribution point, publish the CRL list, and distribute the
computer certificates.
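The server and interface requirements in the steps above can be encoded as a preflight check; this is an added Python example, not course material. The adapter names Internet and Corpnet follow the demonstration, while the second public address 131.107.0.3 and the Corpnet address 192.168.10.2 are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Adapter:
    name: str
    location: str                              # Windows Firewall network location: Public, Private or Domain
    ipv4: List[str] = field(default_factory=list)


def has_consecutive_public_pair(addresses: List[str]) -> bool:
    """True when at least two public IPv4 addresses in the list are numerically adjacent."""
    public = sorted(int(a) for a in map(ipaddress.IPv4Address, addresses) if a.is_global)
    return any(hi - lo == 1 for lo, hi in zip(public, public[1:]))


def check_directaccess_server(adapters: List[Adapter], domain_joined: bool, os_name: str) -> List[str]:
    """Return the requirements from the text that this server fails; an empty list means it passes."""
    findings = []
    if not domain_joined:
        findings.append("server is not joined to an Active Directory domain")
    if os_name != "Windows Server 2008 R2":
        findings.append(f"unsupported operating system: {os_name}")
    if len(adapters) < 2:
        findings.append("at least two physical network adapters are required")
    internet = [a for a in adapters if a.location in ("Public", "Private")]
    intranet = [a for a in adapters if a.location == "Domain"]
    if len(internet) != 1:
        findings.append("exactly one adapter must be the Internet-facing (Public or Private) interface")
    if not intranet:
        findings.append("at least one adapter must be classified as a Domain (intranet) interface")
    if len({a.location for a in adapters}) > 2:
        findings.append("no more than two network location types may be in use")
    for a in internet:
        # Both public addresses must sit on the same interface and be consecutive.
        if not has_consecutive_public_pair(a.ipv4):
            findings.append(f"{a.name}: needs two consecutive public static IPv4 addresses")
        # A private address on the Internet side means the server is behind a NAT, which is unsupported.
        if any(ipaddress.IPv4Address(ip).is_private for ip in a.ipv4):
            findings.append(f"{a.name}: private address on the Internet interface suggests it is behind a NAT")
    for a in intranet:
        if not a.ipv4:
            findings.append(f"{a.name}: intranet adapter has no IPv4 address configured")
    return findings


def lab_server() -> List[Adapter]:
    """Constructed adapter layout using the demo's interface names (addresses other than 131.107.0.2 assumed)."""
    return [Adapter("Internet", "Public", ["131.107.0.2", "131.107.0.3"]),
            Adapter("Corpnet", "Domain", ["192.168.10.2"])]


if __name__ == "__main__":
    print(check_directaccess_server(lab_server(), True, "Windows Server 2008 R2") or "all checks passed")
    behind_nat = [Adapter("Internet", "Public", ["192.168.1.10", "192.168.1.11"]),
                  Adapter("Corpnet", "Domain", ["192.168.10.2"])]
    print(check_directaccess_server(behind_nat, True, "Windows Server 2008 R2"))
```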

Question: Why is it important that the DirectAccess client should have access to a
CRL distribution point?

Demonstration: How To Install and Configure the DirectAccess Server

Key Points

1. By default, the DNS server blocks name resolution queries for the ISATAP
record. As ISATAP will be used for network connectivity to internal resources,
you need to remove the ISATAP name from the DNS default global block list.
On LON-DC1, run the following command:

dnscmd /config /globalqueryblocklist wpad

2. The CRL distribution point must be resolvable and accessible from
DirectAccess clients on the intranet and on the Internet. On LON-DC1, create
a new resource record for the Forward Lookup Zone, Domain.com, with the
following information:
• Alias name: CRL
• Fully qualified domain name (FQDN) for target host: LON-SVR1.contoso.com
3. Create a shared folder on an intranet server, and later verify that users can
access it in the same way from the intranet or over DirectAccess. On LON-DC1,
create a folder, AppData, on the C: drive and set its properties to share the folder.
4. In the AppData folder, create a text document, Example.txt, with some text in
it.
5. Define the location where the CRL will be published. On LON-DC1, specify the
location from which users can obtain a certificate revocation list (CRL) by
using Certification Authority with the following information:
• Location: \\LON-SVR1\crldist
• Insert variables: <CRLNameSuffix> and <DeltaCRLAllowed>
• After inserting the variables append the location with .crl
• Select Publish CRLs to this location and Publish Delta CRL to this
location
6. Configure IIS to publish CRL location as a virtual directory. On LON-SVR1,
open the Internet Information Services (IIS) Manager console to add a virtual
directory to the Default Web Site with the following information:
• Alias: CRLD
• Physical path: C:\CRLDist
• Enable the Directory Browsing option for IIS
7. On LON-SVR1, set the following CRLDist share properties:
• Share this folder
• Object Types: Computers
• Enter the object names to select: LON-DC1
• Permissions for CRLDist: Enable Full Control permission for LON-
DC1 users
8. Edit the following CRLDist security Properties:
• Object Types: Computers
• Enter the object names to select: LON-DC1
• Permissions for CRLDist: Enable Full Control permission for LON-DC1 users
9. On LON-DC1, publish the CRL to the CRLDist share, and verify that two CRL files,
Contoso-LON-DC1-CA.crl and Contoso-LON-DC1-CA+.crl, and a web.config file
are there.
10. On LON-SVR1, open the Console1 - [Console Root] console to add and enroll
a computer certificate with the following information:
• Request Certificates: DirectAccess and More information is required
to enroll for this certificate. Click here to configure settings
• Subject name type: Common Name
• Value: LON-SVR1.contoso.com
• Alternative name type: DNS
• Value: LON-SVR1.contoso.com
• Friendly name of LON-SVR1.contoso.com: IP-HTTPS Certificate
11. On LON-SVR1, install the DirectAccess Management Console feature by using
the Server Manager console.
12. On LON-SVR1, open DirectAccess Management to configure the DirectAccess
setup with the following information:
Step 1
• Enter the object name to select: DirectAccess Clients
Step 2
• Interface connected to the Internet: Internet
• Interface connected to the internal network: Corpnet
• Use intermediate certificate: Contoso-LON-DC1-CA
• Certificate that will be used to secure remote client connectivity over
HTTPS: IP-HTTPS Certificate
Step 3
• Network Location server is run on the DirectAccess server
• Certificate that will be used to secure location identification: LON-
SVR1.Contoso.com
• IPv6 address of DNS Server, contoso.com: 2002:836b:2:1:0:5efe:192.168.10.1

Question: Which clients will benefit from DirectAccess?



Demonstration: How To Configure the DirectAccess Client

Key Points
1. On LON-CL1, verify whether there is access to the IIS7 Web page and the
share file, Example.
2. When you configured DirectAccess server, the wizard created two Group
Policies and linked them to the domain. To apply them, on LON-CL1, open
the command prompt and run the following command to update and view the
effective policies.

gpupdate /force
netsh name show effectivepolicy

3. To move the DirectAccess client from the intranet to the public network, disable
Corpnet and enable the Internet network connection, and then run the following
command:

ping 131.107.0.2
4. On LON-DC1, run the following command to view the Windows IP
configurations.

ipconfig

5. Run the following commands to verify that the Link-Local IPv6 Address has been
assigned the fe80 prefix, and also view the Windows IP configurations.

sc control iphlpsvc paramchange


ipconfig

6. On LON-CL1, run the following command to view the Windows IP
configurations.

ipconfig

7. Run the following commands to verify that there is an additional IPv6 address,
2002:836b:2:1:0:5efe:192.168.10.1, and also view the Windows IP
configurations.

sc control iphlpsvc paramchange


ipconfig

8. On LON-CL1, run the following commands to check the ISATAP-based
connectivity and verify that LON-DC1.corp.contoso.com has been resolved to
the IPv6 address, 2002:836b:2:1:0:5efe:192.168.10.1.

ipconfig /flushdns
netsh name show effectivepolicy
ping 2002:836b:2:1:0:5efe:192.168.10.1
ping lon-dc1.contoso.com

9. On LON-CL1, verify that there is access to the IIS7 Web and the share file,
Example.txt.
10. On LON-DC1, edit the Default Domain Policy to create a shortcut to the
Windows Settings with the following information:
• Action: Create
• Name: ApplicationData
• Target path: \\LON-DC1\AppData
• Location: All Users Desktop
11. On LON-CL1, run the following command to update the user policy.

gpupdate /force

12. Log off and then log on to LON-CL1 with user name, contoso\administrator,
and the password, Pa$$w0rd.
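The 6to4 and ISATAP addresses the demonstration expects (131.107.0.2 on the DirectAccess server, 2002:836b:2:1:0:5efe:192.168.10.1 on LON-DC1) follow directly from the transition-technology formats described under Importance of Enabling IPv6 in the Enterprise. This added Python example, not part of the course, derives them and decodes addresses of the kind seen in the ipconfig output above; the Teredo address used for illustration is constructed.

```python
import ipaddress


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """6to4 prefix 2002:WWXX:YYZZ::/48 built from the hex form of the server's public IPv4 address."""
    b = ipaddress.IPv4Address(public_ipv4).packed
    return ipaddress.IPv6Network(f"2002:{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}::/48")


def sixto4_subnet(public_ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """One /64 inside the 6to4 prefix; the lab's ISATAP hosts sit in subnet ID 1."""
    base = int(sixto4_prefix(public_ipv4).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def isatap_address(subnet: ipaddress.IPv6Network, ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP address: /64 prefix plus the interface ID 0:5efe:w.x.y.z (200:5efe:... for a public IPv4)."""
    v4 = ipaddress.IPv4Address(ipv4)
    iid = (0x0200 << 48 if v4.is_global else 0) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(subnet.network_address) | iid)


def decode(addr: str) -> dict:
    """Classify an IPv6 address as seen in ipconfig output and extract any embedded IPv4 values."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    info = {"kind": "native"}
    if a.sixtofour is not None:                       # 2002::/16
        info["kind"] = "6to4"
        info["6to4_public_ipv4"] = str(a.sixtofour)   # public IPv4 of the 6to4 router (the DirectAccess server)
        info["subnet_id"] = (n >> 64) & 0xFFFF
    elif a.teredo is not None:                        # 2001::/32: (Teredo server, client's public IPv4)
        info["kind"] = "teredo"
        info["teredo_server"], info["teredo_client"] = (str(x) for x in a.teredo)
    elif a.is_link_local:
        info["kind"] = "link-local"                   # fe80::/10, e.g. the fe80::5efe:... ISATAP address
    iid = n & ((1 << 64) - 1)
    top16 = iid >> 48
    if top16 in (0x0000, 0x0200) and ((iid >> 32) & 0xFFFF) == 0x5EFE:
        info["isatap_ipv4"] = str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
        info["isatap_ipv4_is_public"] = top16 == 0x0200
    return info


if __name__ == "__main__":
    subnet = sixto4_subnet("131.107.0.2", 1)              # 131.107.0.2 is the lab's DirectAccess server
    print(subnet, isatap_address(subnet, "192.168.10.1"))
    print(decode("2002:836b:2:1:0:5efe:192.168.10.1"))   # the address the demo expects on LON-DC1
    print(decode("fe80::5efe:192.168.10.1"))
    print(decode("2001:0:4136:e378:8000:63bf:3fff:fdd2"))  # constructed Teredo address
```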

Question: How will you configure IPv6 address for Windows 7 to use
DirectAccess?

Lesson 3
Configuring VPN Reconnect

In dynamic business scenarios, it is important that users are able to access data
anytime from anywhere, securely. Users must also be able to access data
continuously. For example, users might want to securely access data on the
company's server in the head office, from a branch office, or while on the road. To
meet this requirement, you can configure the VPN Reconnect feature that is
available in Windows Server 2008 R2 and Windows 7. This enables users to
securely access the company's data by using a VPN connection, which will
automatically reconnect if connectivity is interrupted. It will also enable roaming
between different networks.
In this lesson, you will be introduced to VPN Reconnect and its key features. You
will learn to configure VPN Reconnect. You will also learn about Secure Socket
Tunneling Protocol (SSTP).
After completing this lesson, you will be able to:
• Describe VPN Reconnect.
• Describe how to configure VPN Reconnect.
• Configure VPN Reconnect.
• Describe SSTP.

Overview of VPN Reconnect

Key Points
You can use either DirectAccess or VPNs to provide remote access in your
organization. DirectAccess has higher network infrastructure requirements and is
more challenging to configure than VPNs. However, DirectAccess provides constant
connectivity, while for VPNs, you need to first establish the VPN connection.
DirectAccess can replace VPN as the preferred remote access method for many
organizations. However, some organizations will continue to use VPNs along with
DirectAccess, because of high infrastructure requirements for DirectAccess and
because it may not be possible to use DirectAccess in every business situation.
Also, VPN usability has been enhanced in Windows Server 2008 R2 and Windows
7 with the introduction of the VPN Reconnect feature.
VPN Reconnect uses the Internet Key Exchange version 2 (IKEv2) technology to
provide seamless and consistent VPN connectivity. VPN Reconnect automatically
re-establishes a VPN connection when Internet connectivity is available again.
Users who connect by using wireless mobile broadband will benefit most from
this capability.
For example, consider a user with a laptop running Windows 7. When the user
travels to work in a train, the user connects to the Internet by using a wireless
mobile broadband card and then establishes a VPN connection to the company’s
network. When the train passes through a tunnel, the Internet connection is lost.
After the train comes out of the tunnel, the wireless mobile broadband card
automatically reconnects to the Internet. With earlier versions of Windows client
and server operating systems, the VPN did not reconnect automatically. Therefore,
the user needed to manually repeat the multistep process of connecting to the VPN.
This can become time consuming for mobile users with intermittent connectivity.
With VPN Reconnect, Windows Server 2008 R2 and Windows 7 automatically
re-establish active VPN connections when Internet connectivity is restored.
While the reconnection might take several seconds, users will stay connected and
will have access to internal network resources.
The system requirements for using the VPN Reconnect feature are as follows:
• Windows Server 2008 R2 as a VPN server
• Windows 7 or Windows Server 2008 R2 client
• PKI infrastructure, because a computer certificate is required for a remote
connection with VPN Reconnect. Certificates issued by internal or public
CA can be used.

Question: Would a user be able to establish the VPN Reconnect connection from
the Windows Vista SP2 client computer?

Question: What is the main benefit of VPN Reconnect, compared to other VPN
protocols?
VPN Reconnect Configuration

Key Points
VPN Reconnect or IKEv2 support must be enabled on the server and the
appropriate VPN connection must be created on the client.
On the server, you must:
1. Create a user account with remote access permission.
2. Install a certificate with the Server Authentication and IP security IKE
intermediate extended key usages on the VPN server. You can get the appropriate
certificate template by duplicating the IPsec template. You can request a
certificate by using the Certificates console.
3. Install Routing and Remote Access and configure it as a VPN server. Routing and
Remote Access is a role service of the Network Policy and Access Services server
role.
4. Configure the Network Policy Server (NPS) to grant access for Extensible
Authentication Protocol-Microsoft Challenge-Handshake Authentication
Protocol version 2 (EAP-MSCHAPv2) authentication.
On the client, you must perform the following configuration for the VPN
connection:
1. Specify the VPN server address or host name. On the general tab of VPN
connection properties, specify the VPN server. You can specify the IPv4
address, IPv6 address, or the fully qualified domain name (FQDN) of the VPN
server.
2. Specify the VPN tunnel type. On the security tab, select IKEv2 in the Type of
VPN list. VPN Reconnect supports encryption options ranging from no
encryption to AES256, and two types of authentication: Extensible
Authentication Protocol (EAP) and X.509 machine certificates.
3. Enable Mobility. By default, the Mobility check box is enabled for VPN
Reconnect in Advanced properties. If the check box is unchecked, the client cannot
switch its local tunnel endpoint.
4. Select IPv4 and IPv6. On the Networking tab, you can select IPv4, IPv6, or
both protocols. VPN Reconnect supports both IPv4 and IPv6 internal addresses.
After the VPN connection is established, you can view the connection status on the
Details tab of the connection status page. VPN Reconnect ensures that even if the
origin address changes, the client's internal IPv4 address remains the same and the
connection persists. When a network interface loses connectivity, the mobility
manager switches to the next available interface to re-establish the VPN
Reconnect connection. VPN Reconnect also maintains the connection when
switching from IPv4 to IPv6, when moving from the Internet to the corporate
network, and when the IP address of a network interface changes.

Question: What are the requirements for configuring VPN Reconnect? In which
situations would it be helpful?
Demonstration: How To Configure VPN Reconnect

Key Points

1. On LON-CL1, enable the network connection, Internet, and disable the
network connection, Corpnet, by using the Network and Sharing window.
2. In the shared folder, Share, create a text document, VPNTest, with some text
in it.
3. On LON-SVR1, open the Console1 - [Console Root] console to add and enroll
a computer certificate with the following information:
• Request Certificates: VPN Reconnect and More information is
required to enroll for this certificate. Click here to configure
settings
• Subject name type: Common Name
• Value: vpn.contoso.com
• Alternative name type: DNS
• Value: vpn.contoso.com
4. Verify that a new certificate with the name vpn.contoso.com is enrolled with
Intended Purposes of Server Authentication and IP security IKE intermediate.
5. On LON-SVR1, open the Routing and Remote Access console to configure and
enable Routing and Remote Access with the following information:
• Configuration: Remote access (dial-up or VPN)
• Name of the network interfaces: Internet
• Clear Enable security on the selected interface by setting up static
packet filters
• IP Address Assignment: From a specified range of addresses
• Start IP address: 192.168.10.200
• End IP address: 192.168.10.210
6. On LON-SVR1, launch NPS and configure the Microsoft Routing and Remote
Access server connection properties with the following information:
• Access Permission: Grant access. Grant access if the connection
request matches this policy
• Constraints: Authentication Methods
• EAP Types list: Remove Microsoft: Smart Card or other certificate
7. On LON-CL1, open the control panel and set up a new connection or network
to configure the VPN connection with the following information:
• Choose a connection option: Connect to a workplace
• How do you want to connect?: Use my Internet connection (VPN)
• Do you want to set up an Internet connection before continuing?: I'll
set up an Internet connection later
• Internet address: vpn.contoso.com
• Destination name: VPN Reconnect Connection
• User name: ruser
• Password: Pa$$w0rd
• Remember this password
• Domain (optional): CONTOSO
8. Set the VPN reconnect connection type property to IKEv2 and then connect it
to establish the VPN connection.
9. Verify whether there is access to the share file, VPNTest.
10. Open the command prompt and run the following command to confirm that
LON-CL1 has network connectivity.

ping vpn.contoso.com

11. On the physical computer, disconnect the network adapter of LON-CL1.


12. On LON-CL1, verify the VPN Reconnect Connection Status and check that
there is no access to network share on LON-DC1.
13. Run the following command to verify that there is no network connectivity
and the status of the VPN connection is connected.

ping vpn.contoso.com

14. On the physical computer, reconnect the network adapter of LON-CL1.


15. On LON-CL1, verify the VPN Reconnect Connection Status and check that
there is access to network share on LON-DC1.
16. Run the following command to verify that there is network connectivity.

ping vpn.contoso.com
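The server certificate requirement in the configuration steps above and in steps 3 and 4 of this demonstration can be checked from a script instead of by reading the Certificates console. The following Windows PowerShell script is an added example and is not part of the course; it runs in an elevated session on the VPN server, assumes the lab name vpn.contoso.com and the local computer store, and uses the standard object identifiers for the two required extended key usages.

```powershell
# Added example (not from the course). Checks that the VPN server's computer
# certificate meets the VPN Reconnect (IKEv2) requirements: it has both the
# Server Authentication and IP security IKE intermediate EKUs, a private key,
# a name that matches the FQDN clients dial, a valid date range and a chain
# that builds. The FQDN default is the lab's vpn.contoso.com (assumption).
param(
    [string]$VpnFqdn = 'vpn.contoso.com'
)

# Standard EKU object identifiers (not lab-specific values)
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$IkeIntermOid  = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate

function Test-VpnReconnectCertificate {
    param([string]$Fqdn)

    $results = @()
    # Only computer certificates with a private key can be used by RRAS for IKEv2
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
    foreach ($cert in $certs) {
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        $hasServerAuth = $ekus -contains $ServerAuthOid
        $hasIkeInterm  = $ekus -contains $IkeIntermOid

        # DnsName returns the first SAN DNS entry, or the subject CN when there is no
        # SAN; clients reject the server when this does not match the name they dial
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $nameMatches = ($dnsName -eq $Fqdn)

        $now = Get-Date
        $inDateRange = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

        # Build the chain to a trusted root. Revocation checking is skipped so the
        # check works in the isolated lab network; in production keep the default.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainBuilds = $chain.Build($cert)

        $results += New-Object PSObject -Property @{
            Thumbprint  = $cert.Thumbprint
            DnsName     = $dnsName
            ServerAuth  = $hasServerAuth
            IkeInterm   = $hasIkeInterm
            NameMatches = $nameMatches
            InDateRange = $inDateRange
            ChainBuilds = $chainBuilds
            Usable      = ($hasServerAuth -and $hasIkeInterm -and $nameMatches -and
                           $inDateRange -and $chainBuilds)
        }
    }
    return $results
}

$report = Test-VpnReconnectCertificate -Fqdn $VpnFqdn
$report | Format-Table DnsName, ServerAuth, IkeInterm, NameMatches, InDateRange, ChainBuilds, Usable -AutoSize
if (-not ($report | Where-Object { $_.Usable })) {
    Write-Warning "No certificate in LocalMachine\My satisfies the VPN Reconnect requirements for $VpnFqdn."
}
```

A certificate that shows both EKUs but a name other than the one clients dial is the usual reason an otherwise correct IKEv2 setup fails at step 8 of the demonstration.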

Question: What will happen to the VPN Reconnect connection if you establish it
and then switch from wireless to wired connection?
Secure Socket Tunneling Protocol

Firewalls are typically configured to block PPTP and L2TP/IPSec traffic, but allow
Secure Sockets Layer (SSL) traffic because SSL is used for protecting HTTP traffic.
SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the
HTTPS protocol so that the traffic can typically pass through firewalls. HTTPS
allows traffic to flow through TCP port 443, a port commonly used for Web access.
SSL provides transport-level security with enhanced key negotiation, encryption,
and integrity checking. SSTP is supported on Windows Server 2008, Windows
Vista SP1, and later versions of the Windows operating systems.
SSTP can be especially beneficial for environments where other VPN protocols
such as PPTP or L2TP/IPSec are blocked by firewalls.
When a user initiates an SSTP-based VPN connection, the following process
occurs:
• The SSTP client establishes a TCP connection with the SSTP server between a
dynamically allocated TCP port on the SSTP client and TCP port 443 on the
SSTP server.
• The SSTP client sends an SSL Client-Hello message, indicating that the SSTP
client wants to create an SSL session with the SSTP server.
• The SSTP server sends its computer certificate to the SSTP client.
• The SSTP client:
  • Validates the computer certificate.
  • Determines the encryption method for the SSL session.
  • Generates an SSL session key, encrypts it with the public key of the SSTP
    server’s certificate, and then sends the encrypted form of the SSL session
    key to the SSTP server.
• The SSTP server decrypts the encrypted SSL session key with the private key of
its computer certificate. All further communication between the SSTP client
and the SSTP server is encrypted with the negotiated encryption method and
SSL session key.
• The SSTP client sends an HTTP over SSL request message to the SSTP server.
• The SSTP client negotiates an SSTP tunnel with the SSTP server.
• The SSTP client negotiates a PPP connection with the SSTP server. This
negotiation includes authenticating the user’s credentials with a PPP
authentication method and configuring the settings for IPv4 or IPv6 traffic.
• The SSTP client starts sending IPv4 or IPv6 traffic over the PPP link.
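The first five steps of that exchange are an ordinary SSL/TLS client handshake on port 443, so they can be exercised and checked from a client without RRAS. The following Windows PowerShell script is an added example, not part of the course: it connects to the SSTP server, performs the handshake, records whether the server's computer certificate validates, and stops before the HTTP-over-SSL request and the SSTP/PPP negotiation. The server name defaults to the lab's vpn.contoso.com (an assumption).

```powershell
# Added example (not from the course). Walks the first half of the SSTP
# exchange as a plain client would: TCP to port 443, SSL/TLS Client Hello,
# receive the server's computer certificate and validate it. It does not send
# the HTTP-over-SSL request or negotiate SSTP/PPP.
param(
    [string]$Server = 'vpn.contoso.com',
    [int]$Port = 443
)

function Test-SstpTlsEndpoint {
    param([string]$HostName, [int]$TcpPort)

    $report = New-Object PSObject -Property @{
        Server = $HostName; Port = $TcpPort; TcpConnected = $false
        TlsHandshake = $false; CertificateValid = $false; PolicyErrors = 'NotChecked'
        Subject = ''; Issuer = ''; NotAfter = $null; Protocol = ''; Cipher = ''
    }

    # The validation callback records the framework's verdict (name match, chain,
    # dates) instead of silently accepting or rejecting the certificate; a real
    # SSTP client aborts the connection when the verdict is anything but None.
    $script:sslPolicyErrors = 'NotChecked'
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:sslPolicyErrors = $sslPolicyErrors.ToString()
        return $true   # continue the handshake so the certificate can be reported
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $TcpPort)            # step 1: TCP connection to 443
        $report.TcpConnected = $true

        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)         # steps 2-5: Client Hello .. session key
        $report.TlsHandshake = $true
        $report.Protocol = $ssl.SslProtocol.ToString()
        $report.Cipher = '{0} ({1}-bit)' -f $ssl.CipherAlgorithm, $ssl.CipherStrength

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $report.Subject = $cert.Subject
        $report.Issuer = $cert.Issuer
        $report.NotAfter = $cert.NotAfter
        $report.PolicyErrors = $script:sslPolicyErrors
        $report.CertificateValid = ($script:sslPolicyErrors -eq 'None')
        $ssl.Close()
    } catch {
        # A refused or filtered port 443 (firewall) or a handshake failure lands here
        $report.PolicyErrors = $_.Exception.Message
    } finally {
        $tcp.Close()
    }
    return $report
}

Test-SstpTlsEndpoint -HostName $Server -TcpPort $Port |
    Format-List Server, Port, TcpConnected, TlsHandshake, Protocol, Cipher,
                Subject, Issuer, NotAfter, PolicyErrors, CertificateValid
```

TcpConnected false with a timeout message means port 443 itself is blocked on the path, which is the case SSTP is meant to avoid; TlsHandshake true with PolicyErrors other than None means the server is reachable but its certificate would be rejected by SSTP clients.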
Question: When would you use SSTP for establishing the VPN connection?
Lab: Deploying and Configuring Remote Access Services

Introduction
In this lab, you will deploy and configure Remote Access services. To do this, you
will review the existing infrastructure configuration and configure the
infrastructure services for DirectAccess. You will also configure the DirectAccess
server, verify ISATAP-based connectivity, and implement VPN Reconnect.

Objectives
After completing this lab, you will be able to:
• Review existing infrastructure configuration
• Complete configuration of infrastructure services for DirectAccess
• Complete configuration of the DirectAccess server and verify ISATAP-based
connectivity
• Implement VPN reconnect
Lab Setup

For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-CL1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
Lab Scenario

You are a server administrator at Contoso, Ltd. Your organization has a large
mobile workforce that carries laptops to stay connected. Your organization wants
to provide a secure solution to protect data transfer. To do this, you will use
DirectAccess to enable persistent connectivity, central administration, and
management of remote computers.
The infrastructure of some branch offices does not support the use of
DirectAccess. Therefore, employees in those branch offices use VPN connections
instead of DirectAccess to stay connected. To help these employees use VPN
connections, you need to enable the VPN Reconnect feature for them.
Exercise 1: Review Existing Infrastructure Configuration

The main tasks in this exercise are as follows:

1. Start the virtual servers.
2. Review the group policy configuration.
3. Verify that LON-CL1 is a member of the DirectAccess clients group.
4. Review the configuration of Certificate Services and Certificate Templates.
5. Review the network configuration.

Task 1: Start the virtual servers.

• Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• Log on to LON-CL1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.

Task 2: Review the group policy configuration.

• On LON-DC1, open the Group Policy Management console and verify whether
DirectAccess has separate inbound and outbound rules that allow ICMPv4
Echo Request traffic.

Task 3: Verify that LON-CL1 is a member of the DirectAccess clients
group.
• On LON-DC1, open the Active Directory Users and Computers console to
verify that LON-CL1 is a member of the DirectAccess Client group.

Task 4: Review the configuration of Certificate Services and Certificate
Templates.
• On LON-DC1, verify the configurations of Active Directory Certificate Services
and Certificate Templates by using the Server Manager console.
Task 5: Review the network configuration.

• On LON-SVR1, verify that there are two network adapters, Corpnet and
Internet, of which one is connected to the public network and the other is
connected to the private network. Also verify that there are two consecutive
static, public IPv4 addresses for the public adapter.

Results: After completing this exercise, you should have reviewed the group policy
configuration, configuration of certificate services and certificate templates, and
network configurations.
Exercise 2: Completing Configuration of Infrastructure
Services for DirectAccess

The main tasks in this exercise are as follows:

1. Configure the DNS server.
2. Create a file share on the application server.
3. Configure the CRL distribution settings.
4. Create a Web-based CRL distribution point.
5. Configure permissions on the CRL distribution point file share.
6. Publish the CRL.
7. Verify the network access from LON-CL1.

Task 1: Configure the DNS server.

• On LON-DC1, run the following command to remove the ISATAP name from
the DNS default global query block list by rewriting the globalqueryblocklist
registry property.

dnscmd /config /globalqueryblocklist wpad

• On LON-DC1, create a new resource record for the Forward Lookup Zone,
Domain.com, with the following information:
• Alias name: CRL
• Fully qualified domain name (FQDN) for target host: LON-
SVR1.contoso.com

Task 2: Create a file share on the application server.

• On LON-DC1, create a folder, AppData, on C: drive and set its property to
share the folder.
• In the AppData folder, create a text document, Example.txt, with some text in
it.
Task 3: Configure the CRL distribution settings.

• On LON-DC1, specify the location from which users can obtain a certificate
revocation list (CRL) by using Certification Authority with the following
information:
• Location: \\LON-SVR1\crldist\
• Insert variables: <CRLNameSuffix> and <DeltaCRLAllowed>
• After inserting the variables append the location with .crl
• Select Publish CRLs to this location and Publish Delta CRL to this
location

Task 4: Create a Web-based CRL distribution point.

• On LON-SVR1, open the Internet Information Services (IIS) Manager console
to add a virtual directory to the Default Web Site with the following
information:
• Alias: CRLD
• Physical path: C:\CRLDist
• Enable the Directory Browsing option for IIS

Task 5: Configure permissions on the CRL distribution point file share.

• On LON-SVR1, set the following CRLDist share properties:
• Share this folder
• Object Types: Computers
• Enter the object names to select: LON-DC1
• Permissions for CRLDist: Enable Full Control permission for LON-
DC1 users
• Edit the following CRLDist security Properties:
• Object Types: Computers
• Enter the object names to select: LON-DC1
• Permissions for CRLDist: Enable Full Control permission for LON-
DC1 users
Task 6: Publish the CRL.

• On LON-DC1, publish the CRL to CRLDist and verify that two CRL files,
Contoso-LON-DC1-CA.crl and Contoso-LON-DC1-CA+.crl, and a web.config
file are there.
• On LON-DC1, open the Internet Explorer window and verify that there is
access to the http://crl.domain.com/crld site.

Task 7: Verify the network access from LON-CL1.

• On LON-CL1, verify whether there is access to the IIS7 Web page and the
share file, Example.

Results: After completing this exercise, you should have completed the configuration
of infrastructure services for DirectAccess.
Exercise 3: Completing Configuration of the DirectAccess
Server and Verifying ISATAP-based Connectivity

The main tasks in this exercise are as follows:

1. Obtain a computer certificate on LON-SVR1.
2. Install the DirectAccess Management Console feature.
3. Configure the DirectAccess feature on LON-SVR1.
4. Move LON-CL1 to the Internet segment.
5. Update the IPv6 settings on LON-DC1 and LON-CL1.
6. Test the ISATAP-based connectivity from LON-CL1.
7. Test the access to intranet resources from LON-CL1.

Task 1: Obtain a computer certificate on LON-SVR1.

• On LON-SVR1, open the Console1 - [Console Root] console to add and enroll
a computer certificate with the following information:
• Request Certificates: DirectAccess and More information is required
to enroll for this certificate. Click here to configure settings
• Subject name type: Common Name
• Value: LON-SVR1.contoso.com
• Alternative name type: DNS
• Value: LON-SVR1.contoso.com
• Friendly name of LON-SVR1.contoso.com: IP-HTTPS Certificate

Task 2: Install the DirectAccess Management Console feature.

• On LON-SVR1, install the DirectAccess Management Console feature by using
the Server Manager console.
Task 3: Configure the DirectAccess feature on LON-SVR1.

• On LON-SVR1, open DirectAccess Management to configure the DirectAccess
setup with the following information:
Step 1
• Enter the object name to select: DirectAccess Client
Step 2
• Interface connected to the Internet: Internet
• Interface connected to the internal network: Corpnet
• Use intermediate certificate: Contoso-LON-DC1-CA
• Certificate that will be used to secure remote client connectivity over
HTTPS: IP-HTTPS Certificate
Step 3
• Network Location server is run on the DirectAccess server
• Certificate that will be used to secure location identification:
LON-SVR1.Contoso.com
• IPv6 address of DNS Server, contoso.com:
2002:836b:2:1:0:5efe:192.168.10.1

Task 4: Move LON-CL1 to the Internet segment.

• On LON-CL1, open the command prompt and run the following command to
update and view the effective policies.

gpupdate /force
netsh name show effectivepolicy

• Disable the Corpnet network connection and enable the Internet network
connection and then run the following command.

ping 131.107.0.2
Task 5: Update the IPv6 settings on LON-DC1 and LON-CL1.

• On LON-DC1, run the following command to view the Windows IP
configuration.

ipconfig

• Run the following commands to verify that the Link-Local IPv6 Address has
the prefix fe80, and view the Windows IP configuration again.

sc control iphlpsvc paramchange
ipconfig

• On LON-CL1, run the following command to view the Windows IP
configuration.

ipconfig

• Run the following commands to verify that there is an additional IPv6
address, 2002:836b:2:1:0:5efe:192.168.10.1, and view the Windows IP
configuration again.

sc control iphlpsvc paramchange
ipconfig

Task 6: Test the ISATAP-based connectivity from LON-CL1.

• On LON-CL1, run the following commands to check the ISATAP-based
connectivity and verify that LON-DC1.corp.contoso.com has been resolved to
the IPv6 address, 2002:836b:2:1:0:5efe:192.168.10.1.

ipconfig /flushdns
netsh name show effectivepolicy
ping 2002:836b:2:1:0:5efe:192.168.10.1
ping lon-dc1.contoso.com
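The IPv6 address used in Tasks 3, 5 and 6 is not arbitrary: it is the ISATAP address that Windows derives from the DirectAccess server's public IPv4 address (131.107.0.2, pinged in Task 4) and the DNS server's intranet address. The following Windows PowerShell script is an added example, not part of the course; it rebuilds the address with the standard 6to4 and ISATAP addressing rules and compares it with the lab value, and then lists what the local host actually has. The function names are this example's own.

```powershell
# Added example (not from the course). Reproduces how the ISATAP address used
# in this exercise is formed, so the value can be checked rather than copied:
#   6to4 prefix  2002:WWXX:YYZZ::/48 from the public IPv4 address W.X.Y.Z of the
#                DirectAccess server (131.107.0.2 in this lab)
#   subnet ID    1 (the lab's choice)
#   ISATAP IID   0:5efe:<IPv4> for a private (RFC 1918) embedded address, or
#                200:5efe:<IPv4> when the embedded IPv4 address is globally unique
# The addresses are the lab's; the helper names are this example's own.

function Get-Hextet([int]$Value) {
    # Zero-suppressed hexadecimal, the way Windows prints IPv6 groups
    return '{0:x}' -f $Value
}

function Get-6to4Prefix([string]$PublicIPv4) {
    $b = [System.Net.IPAddress]::Parse($PublicIPv4).GetAddressBytes()
    $hi = $b[0] * 256 + $b[1]
    $lo = $b[2] * 256 + $b[3]
    return '2002:{0}:{1}' -f (Get-Hextet $hi), (Get-Hextet $lo)
}

function Test-PrivateIPv4([System.Net.IPAddress]$Address) {
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-IsatapAddress([string]$PublicIPv4, [int]$SubnetId, [string]$HostIPv4) {
    $prefix = Get-6to4Prefix $PublicIPv4
    $hostAddr = [System.Net.IPAddress]::Parse($HostIPv4)
    # The u/g bit (0x200 in the first IID group) is set only for globally unique IPv4
    $iidHead = if (Test-PrivateIPv4 $hostAddr) { '0' } else { '200' }
    $b = $hostAddr.GetAddressBytes()
    # Windows shows the embedded IPv4 address in dotted form; the hex form is the
    # same address written as plain 16-bit groups
    $dotted = '{0}:{1}:{2}:5efe:{3}' -f $prefix, (Get-Hextet $SubnetId), $iidHead, $HostIPv4
    $hex = '{0}:{1}:{2}:5efe:{3}:{4}' -f $prefix, (Get-Hextet $SubnetId), $iidHead,
           (Get-Hextet ($b[0] * 256 + $b[1])), (Get-Hextet ($b[2] * 256 + $b[3]))
    return New-Object PSObject -Property @{ Dotted = $dotted; Hex = $hex }
}

# The DirectAccess server's first public address (Task 4) and the DNS server's
# intranet address (Task 3) give the address that Task 6 pings.
$expected = '2002:836b:2:1:0:5efe:192.168.10.1'
$derived = Get-IsatapAddress -PublicIPv4 '131.107.0.2' -SubnetId 1 -HostIPv4 '192.168.10.1'
"Derived: $($derived.Dotted)  (hex form $($derived.Hex))"
if ($derived.Dotted -eq $expected) { 'Matches the address used in the lab.' }
else { "Mismatch: the lab uses $expected" }

# Compare with what this computer actually holds, e.g. after 'sc control iphlpsvc paramchange'
$local = ipconfig | Select-String '2002:' | ForEach-Object { $_.Line.Trim() }
if ($local) { 'ISATAP/6to4 addresses present on this host:'; $local }
```

If the public address of the DirectAccess server is ever changed, the 2002: prefix changes with it, and the DNS server's IPv6 address in Step 3 of Task 3 has to be updated to the newly derived value.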

Task 7: Test the access to intranet resources from LON-CL1.

• On LON-CL1, verify that there is access to the IIS7 Web and the share file,
Example.txt.
• On LON-DC1, edit the Default Domain Policy to create a shortcut under
Windows Settings with the following information:
• Action: Create
• Name: ApplicationData
• Target path: \\LON-DC1\AppData
• Location: All Users Desktop
• On LON-CL1, run the following command to update the user policy.

gpupdate /force

• Log off and then log on to LON-CL1 with user name, contoso\administrator,
and the password, Pa$$w0rd.

Before proceeding to the next exercise, reset the lab environment.

Results: After completing this exercise, you should have completed the configuration
of the DirectAccess server and verified the ISATAP-based connectivity.
Exercise 4: Implementing VPN Reconnect

The main tasks in this exercise are as follows:

1. Request the computer certificate for the VPN server.
2. Configure Routing and Remote Access.
3. Configure the Network Policy Server (NPS) to grant access for the EAP-
MSCHAPv2 authentication.
4. Configure and establish the VPN connection.
5. Simulate the connection persistence.

Task 1: Request the computer certificate for the VPN server.

• On LON-CL1, enable the network connection, Internet and disable the
network connection, Corpnet by using the Network and Sharing window.
• In the shared folder, Share, create a text document, VPNTest, with some text in
it.
• On LON-SVR1, open the Console1 - [Console Root] console to add and enroll
a computer certificate with the following information:
• Request Certificates: VPN Reconnect and More information is
required to enroll for this certificate. Click here to configure
settings
• Subject name type: Common Name
• Value: vpn.contoso.com
• Alternative name type: DNS
• Value: vpn.contoso.com
• Verify that a new certificate with the name vpn.contoso.com is enrolled
with Intended Purposes of Server Authentication and IP security IKE
intermediate.
Task 2: Configure Routing and Remote Access.

• On LON-SVR1, open the Routing and Remote Access console to configure and
enable Routing and Remote Access with the following information:
• Configuration: Remote access (dial-up or VPN)
• Name of the network interfaces: Internet
• Clear Enable security on the selected interface by setting up static
packet filters
• IP Address Assignment: From a specified range of addresses
• Start IP address: 192.168.10.200
• End IP address: 192.168.10.210

Task 3: Configure the Network Policy Server (NPS) to grant access for
the EAP-MSCHAPv2 authentication.
• On LON-SVR1, launch NPS and configure the Microsoft Routing and Remote
Access server connection properties with the following information:
• Access Permission: Grant access. Grant access if the connection
request matches this policy
• Constraints: Authentication Methods
• EAP Types list: Remove Microsoft: Smart Card or other certificate

Task 4: Configure and establish the VPN connection.

• On LON-CL1, open the control panel and set up a new connection or network
to configure the VPN connection with the following information:
• Choose a connection option: Connect to a workplace
• How do you want to connect?: Use my Internet connection (VPN)
• Do you want to set up an Internet connection before continuing?: I'll
set up an Internet connection later
• Internet address: vpn.contoso.com
• Destination name: VPN Reconnect Connection
• User name: ruser
• Password: Pa$$w0rd
• Remember this password
• Domain (optional): CONTOSO
• Set the VPN reconnect connection type property to IKEv2 and then connect it
to establish the VPN connection.
• Verify whether there is access to the share file, VPNTest.
• Open the command prompt and run the following command to confirm that
LON-CL1 has network connectivity.

ping vpn.contoso.com

Task 5: Simulate the connection persistence.

• On the physical computer, disconnect the network adapter of LON-CL1.
• On LON-CL1, verify the VPN Reconnect Connection Status and check that
there is no access to network share on LON-DC1.
• Run the following command to verify that there is no network connectivity
and the status of the VPN connection is connected.

ping vpn.contoso.com

• On the physical computer, reconnect the network adapter of LON-CL1.


• On LON-CL1, verify the VPN Reconnect Connection Status and check that
there is access to network share on LON-DC1.
• Run the following command to verify that there is network connectivity.

ping vpn.contoso.com

Results: After completing this exercise, you should have configured Routing and
Remote Access, configured NPS to grant access for the EAP-MSCHAPv2
authentication, configured and established the VPN connection, and simulated the
connection persistence.
The answers to the exercises are on the Course Companion CD.

Before proceeding to the next lab, reset the lab environment.

Lab Review

1. How will you install the DirectAccess Management Console feature?


You should use Server Manager to install the DirectAccess Management Console
feature.

2. Which command should you use to verify that LON-CL1 has network
connectivity?
You should use the ping vpn.contoso.com command to verify that LON-CL1 has
network connectivity.
Module Reviews and Takeaways

Review Questions
1. What are the main benefits of using DirectAccess for providing remote
connectivity?
2. How do you configure DirectAccess clients?
3. How does the DirectAccess client determine whether it is connected to intranet
or the Internet?
4. What is the role of Name Resolution Policy Table (NRPT)?
5. Can you use VPN Reconnect to establish a connection from Windows 7 to the
Windows Server 2008 VPN server?
Real-World Issues and Scenarios

1. You are considering implementing DirectAccess in your organization. You have
already implemented Windows Server 2008 R2 servers. What are the other
considerations that you must be aware of?
2. You have tried to establish the VPN Reconnect connection, but failed. What
should you do to troubleshoot the problem?

Tools

Tool: DirectAccess Management Console
Use: A graphical tool that simplifies the configuration of DirectAccess
Where to find it: Installed when you add the DirectAccess Management Console feature

Tool: dnscmd.exe
Use: A command-line tool used for Domain Name System (DNS) management
Where to find it: Command Prompt

Tool: IPconfig.exe
Use: A command-line tool that displays current TCP/IP network configuration
Where to find it: Command Prompt

Tool: Group Policy Management Editor
Use: A graphical tool for Group Policy editing
Where to find it: Microsoft Management Console (MMC) snap-in

Tool: Routing and Remote Access
Use: A graphical tool for managing Routing and Remote Access
Where to find it: Installed when you add the Routing and Remote Access Services role service
Module 6
Configuring Windows Server 2008 R2 Features
for Branch Offices
Contents:
Lesson 1: Features for Optimizing Branch Office Network Access 6-4
Lesson 2: Configuring BranchCache 6-24
Lesson 3: Configuring Branch Office Security Features 6-37
Lab: Configuring Windows Server 2008 R2 Features for Branch Offices 6-59
Module Overview

To meet increasing challenges in a highly competitive world, many organizations
expand their business across the globe. This expansion involves setting up branch
offices in various locations to improve logistics and facilitate business growth.
Typically, a branch office has fewer users, slower WAN connectivity, and lower
physical security than the head office.
Windows Server® 2008 R2 provides many features that help you meet branch
office challenges. Next Generation TCP/IP stack is very effective in using available
network bandwidth. By using the BranchCache feature in Windows Server 2008
R2 and Windows® 7 for locally caching frequently-used content on the branch
office computers, you can optimize network utilization and improve user
experience at branch offices.
Windows Server 2008 R2 includes the Read-Only Domain Controller (RODC)
feature, which is also available in Windows Server® 2008. RODC allows a read-only
copy of Microsoft® Active Directory® directory service to be placed in less secured
environments such as branch offices.
Windows Server 2008 R2 introduces support for read-only copies of information
stored in Distributed File System (DFS) replicas. You can use read-only DFS
replicas to protect your digital assets by allowing branch offices read-only access
to information; users cannot modify the content of a read-only DFS replica.
Windows® BitLocker protects hard disk data from unauthorized viewing and
modification while the system is offline.
Windows Server 2008 R2 also enables delegation and distributed administration.
Administrators can use Remote Desktop for remote administration and branch
office users can benefit from improved Remote Desktop Services.
In this module, you will discuss the challenges of the branch office environment
and how to meet them by using Windows Server 2008 R2. BranchCache is an
important feature in Windows Server 2008 R2. You will learn about distributed
and Hosted Cache mode and the differences between them. You will also learn
how to configure BranchCache.
In addition, you will learn about the security challenges and how they can be
resolved through various methods, such as implementing Read-Only DFS replicas,
using BitLocker and BitLocker to Go, and benefits of Server Core.

After completing this module, you will be able to:


• Describe the features for optimizing branch office network access.
• Configure BranchCache.
• Configure the branch office security features.
Lesson 1
Features for Optimizing Branch Office Network Access

Windows Server 2008 R2 provides features that are specifically useful for branch
offices. These features, such as RODC, transparent caching, receive window
auto-tuning, BranchCache, Server Message Block (SMB) 2.0, and virtualization, help
you to optimize traffic over a slow wide area network (WAN) link, minimize the
number of servers in the branch office, provide additional security, and improve
user experience.
Windows Server 2008 R2 and Windows 7 clients can benefit from the
BranchCache feature. BranchCache is used to cache file share and Web traffic and
provide branch office users with fast access to data. You can configure a distributed
cache or Hosted Cache mode, depending on the network infrastructure and
number of users in the branch office, and reduce the WAN utilization.
Lesson Objectives

After completing this lesson, you will be able to:


• Describe the challenges faced in branch offices.
• Describe the features for branch office network access in Windows
Server 2008.
• Describe the features for branch office network access in Windows
Server 2008 R2.
• Describe auto-tuning of the network stack.
• Describe Server Message Block 2.0.
• Describe Transparent Caching.
• Describe BranchCache.
• Compare Hosted Cache with Distributed Cache.

Discussion: Branch Office Challenges

Key Points
A head office is often a central communication hub for branch offices. Each branch
office has relatively few users.
For example, the head office for a chain of retail stores can have many employees
and be at a central location, while branch retail stores share files and data with it.
When retail store staff store and retrieve data on servers located in the head
office, they face challenges caused by slow and expensive WAN links between the
head office and the branch offices: high link utilization, poor application
responsiveness, and difficulties in system management and administration of the
branch offices, in deploying new computers, and in optimizing operational costs.
Features for Branch Office Network Access in Windows Server 2008

Key Points
Windows Server 2008 provides features and technologies that help you meet key
requirements in a branch office scenario. These features and technologies provide
high security, better performance, access to a local copy of the data to avoid
latency, and operational capabilities even if the WAN link is temporarily
unavailable.
Windows Server 2008 features and technologies include:
• Next generation TCP/IP stack. Windows Server 2008 includes
implementation of the TCP/IP protocol stack known as the Next Generation
TCP/IP stack. The Next Generation TCP/IP stack is a complete redesign of the
TCP/IP functionality for both IPv4 and IPv6 that meets the connectivity and
performance needs of networking environments. The Next Generation TCP/IP
stack includes features such as Receive Window Auto-Tuning, enhancements for
high-loss environments, and the Windows Filtering Platform.
• Read-Only Domain Controller (RODC). RODC helps organizations deploy a
domain controller in locations where physical security cannot be guaranteed. An
RODC hosts the read-only partitions of the Active Directory Domain Services
(AD DS) database.
• BitLocker Drive Encryption. BitLocker Drive Encryption is a data
protection feature that addresses the threats of data theft or exposure from
inappropriately decommissioned computers.
• DFS Namespaces and Replicas. DFS Namespaces and DFS Replication
offer simplified, highly available access to files, load sharing, and WAN-efficient
replication. Windows Server 2008 provides the Windows Server 2008 mode of
domain-based namespaces and includes a number of usability and
performance improvements.
• Distributed administration. With Windows Server 2008, you can
administer branch offices centrally and delegate administrative permissions to
provide distributed administration. You can also limit delegated permissions
to an RODC.
• Virtualization. By converting physical servers into virtual machines,
organizations can reduce space and hardware costs. Virtual machines are fast
to recover in a disaster scenario and increase server uptime and reliability.
Features for Branch Office Network Access in Windows Server 2008 R2

Key Points
Windows Server 2008 R2 builds on Windows Server 2008 technologies and
introduces several new and improved features that you can use in a branch office
environment. Windows Server 2008 R2 provides all the benefits of Windows
Server 2008, such as Next Generation TCP/IP stack and improved WAN efficiency
mechanisms, including background synchronization of offline files and improved
Remote Desktop Services (RDS) experience. Windows Server 2008 R2 provides
the new feature called BranchCache.
If virtualization is used in the branch offices, Windows Server 2008 R2 provides
improved performance in Hyper-V 2.0, and better scalability and support for
Virtual Desktop Infrastructure (VDI) scenarios. Branch office users can also benefit
from improvements in RDS such as enhanced user experience, RemoteApp, and
Remote Desktops.
Networking enhancements in Windows Server 2008 R2 for branch office network
access include:
• BranchCache. BranchCache caches content from the Web and file
servers locally in the branch office. This improves the response time and
reduces WAN traffic. When another client at the same branch office requests
the same content, the client accesses it directly from the BranchCache over
local network, without using a slower WAN link.
• VPN Reconnect. VPN Reconnect is a new feature of Routing and
Remote Access Service (RRAS) that provides users with seamless and
consistent VPN connectivity by automatically reestablishing a VPN connection
if users temporarily lose connectivity. Users who connect over wireless mobile
broadband benefit most from this feature. With VPN Reconnect, client
computers automatically reestablish active VPN connections when Internet
connectivity returns. Reconnection might take several seconds, and the
connection status is transparent to users.
• URL-based Quality of Service (QoS). The URL-based QoS feature
allows you to assign a priority level to traffic, based on the URL from which
the traffic originates. QoS marks IP packets with a Differentiated Services Code
Point (DSCP) number that routers then examine to determine the priority of
the packet. If packets are queued at the router, higher priority packets are sent
before the lower priority packets. With URL-based QoS, you can prioritize the
network traffic based on the source URL, in addition to prioritization based on
IP address and ports. This feature gives more control over network traffic,
ensuring that important Web traffic is processed before less-important or
remote traffic.
• Multiple active firewall profiles. Multiple active firewall profiles enable
the firewall rules that are most appropriate for each network adapter, based on
the network to which it is connected. Windows Firewall settings are
determined by the active profile. In earlier versions of Windows operating
systems, only one firewall profile could be active at a time. Therefore, if
multiple network adapters were connected to different network types, the
single active profile had to apply the most restrictive rules. In
Windows Server 2008 R2 and Windows 7, each network adapter applies the
firewall profile that is most appropriate for the type of network to which it is
connected. The network type can be Private, Public, or Domain.
• Transparent caching and background synchronization of offline
files. By default, the Offline Files feature transitions to an offline mode when
the computer is on a slow network. This reduces network traffic while
connected to your intranet, because users modify the locally cached copies of
the information stored in the Offline Files local cache. Information stored in
the Offline Files local cache is still protected, because it is synchronized with
the network shared folder.
Security enhancements in Windows Server 2008 R2 for branch office network
access include:
• Read-Only DFS replicas. A read-only replicated folder is a replicated
folder in which users cannot add or change files. This allows you to keep the
read-only folders up-to-date on a central server. Users will not be able to
modify the content, and therefore, DFS replicas are protected from accidental
deletion or modifications at branch office locations.
• BitLocker to Go. BitLocker to Go extends BitLocker encryption from
fixed disk drives to removable devices, such as removable hard disk drives and
USB keys. BitLocker to Go also helps protect the encrypted content of the
removable devices with a passphrase. You can set a policy that requires
BitLocker to Go protection of removable drives. BitLocker to Go also enables
secure sharing of data with users who run earlier versions of Windows
operating systems.

Question: Are there any special considerations for implementing URL-based QoS?


Auto-Tuning of the Network Stack

Key Points
Auto-tuning allows the operating system to monitor link conditions and
configure connections to maximize network performance. Receive Window
Auto-Tuning enables the network stack to receive data more efficiently. The
receive window size is carried in a field of the TCP header that tells the sending
computer how much data the receiving computer can accept before acknowledging it.
In Windows Server 2008 and Windows Server 2008 R2, Receive Window Auto-
Tuning enables better throughput between TCP peers and increases the utilization
of network bandwidth during data transfer.
The TCP/IP stack in Windows Server 2008, Windows Server 2008 R2, Windows
Vista™, and Windows 7 supports Receive Window Auto-Tuning. Receive Window
Auto-Tuning continually determines the optimal size of receive window by
measuring the bandwidth-delay product and the application retrieve rate. Receive
Window Auto-Tuning then adjusts the maximum receive window size based on the
changing network conditions.
The TCP receive window size is the amount of data that a TCP receiver allows a
TCP sender to send before receiving an acknowledgement. After the connection is
established, the receive window size is reported in each TCP segment. Reporting
the maximum amount of data that the sender can send is a receiver-side flow
control mechanism that prevents the sender from sending data that the receiver
cannot store. A sending host can send at most the amount of data advertised by
the receiver before it must wait for an acknowledgment and a receive window size
update.
Branch offices often have connections with higher latency, so it takes longer
until the sender receives the acknowledgement and can continue to send data. On
a high-latency connection, therefore, only part of the bandwidth can be used. When
the receiver uses Receive Window Auto-Tuning, it can increase the window size, so
acknowledgements are sent less often, bandwidth utilization increases, and data is
copied faster.
Receive Window Auto-Tuning enables TCP window scaling by default, allowing up
to 16 MB of window size. As data flows over the connection, the TCP/IP stack
monitors the connection, measures the current bandwidth-delay product for the
connection and the application receive rate, and adjusts the receive window size to
optimize the throughput.
With better throughput between TCP peers, the utilization of network bandwidth
increases during data transfer. If all the applications are optimized to receive TCP
data, the overall utilization of the network can increase substantially. In such
environments, use of QoS can be very important.
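An added example (not part of the course) that works through the reasoning above: throughput on a connection is bounded by the receive window divided by the round-trip time, and the window a link needs to stay full is its bandwidth-delay product. The RTT and link-speed values are constructed for illustration.

```powershell
# Added example: why the receive window caps throughput on a high-latency link.
# Values below are constructed, not measurements from any real network.

function Get-MaxTcpThroughputMbps {
    param([int] $WindowBytes, [int] $RttMs)
    # At most one receive window of data can be in flight per round trip,
    # so throughput <= window / RTT. Result in megabits per second.
    [math]::Round(($WindowBytes * 8) / ($RttMs / 1000) / 1e6, 2)
}

function Get-BandwidthDelayProductBytes {
    param([int] $LinkMbps, [int] $RttMs)
    # Bytes that must be in flight to keep a link busy for one round trip.
    # If this exceeds the receive window, the window is the bottleneck.
    [int](($LinkMbps * 1e6 / 8) * ($RttMs / 1000))
}

$classicWindow = 64KB   # largest window without TCP window scaling (16-bit field)
$autoTunedCap  = 16MB   # upper bound reached by Receive Window Auto-Tuning

# A LAN-like RTT beside typical branch office WAN RTTs (milliseconds).
2, 50, 100, 250 | ForEach-Object {
    New-Object -TypeName PSObject -Property @{
        RttMs                = $_
        ClassicWindowMbps    = Get-MaxTcpThroughputMbps -WindowBytes $classicWindow -RttMs $_
        AutoTunedCapMbps     = Get-MaxTcpThroughputMbps -WindowBytes $autoTunedCap -RttMs $_
        WindowFor10MbpsBytes = Get-BandwidthDelayProductBytes -LinkMbps 10 -RttMs $_
    }
} | Format-Table RttMs, ClassicWindowMbps, AutoTunedCapMbps, WindowFor10MbpsBytes -AutoSize
```

At 100 ms a fixed 64 KB window allows about 5 Mbps, while a 10 Mbps link needs roughly 125,000 bytes in flight; only a scaled, auto-tuned window can fill it.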

Question: When you upgrade servers from Windows Server 2003 SP2 to
Windows Server 2008 R2, files are copied considerably faster over a slow WAN
link. What is the reason for that?
Server Message Block 2.0

Key Points
Server Message Block (SMB), also known as the Common Internet File System
(CIFS), is the file sharing protocol in Windows-based computers. The Windows
operating system includes an SMB client and an SMB server. In Windows Server
2008, SMB is completely redesigned and has many enhancements that are also
available in Windows Server 2008 R2.
The enhancements in SMB include:
• Support for sending multiple SMB commands within the same packet.
This reduces the number of packets sent between an SMB client and an SMB
server.
• Support for larger buffer sizes. The network stack is no longer the
bottleneck; only the application and the disk need to be considered.
• Reduced per-connection resource usage and increased server
scalability. Examples include an increase in the number of concurrent open file
handles on the server and the number of file shares that a server can have.
• Support for durable handles that can withstand short interruptions in
network availability.
• Directory enumeration caching. SMB 1.0 caches only metadata on file
attributes, timestamps, and file sizes by default. SMB 2.0 also caches directory
enumeration metadata.
• Support for symbolic links.
SMB 2.0 reduces network traffic in branch offices and provides better resiliency to
network outages. SMB 2.0 is enabled by default, but can fall back to SMB 1.0 if the
other computer does not support it. Computers running Windows Server 2008 R2
and Windows 7 support both SMB 1.0 and SMB 2.0. The SMB version that will be
used is determined during the SMB session negotiation.
The following table shows the version of SMB used for various combinations of
client and server computers.

SMB Client                          SMB Server                          SMB version used
Windows Server 2008 R2, Windows 7   Windows Server 2008 R2, Windows 7   SMB 2.0
Windows Server 2008 R2, Windows 7   Windows XP, Windows Server 2003     SMB 1.0
Windows XP, Windows Server 2003     Windows Server 2008 R2, Windows 7   SMB 1.0
Windows Server 2008 R2, Windows 7   Windows Server 2008, Windows Vista  SMB 2.0

Question: Will you be able to use SMB 2.0 benefits when you are connecting to
Windows Server 2008 R2 from a Windows XP SP3 client computer?
Transparent Caching

Key Points
In earlier versions of Windows operating systems, to open a file across a slow
network, client computers retrieve the file from the file server, even if the same
client recently read the file. With Windows 7 transparent caching, client
computers cache remote files more aggressively, reducing the number of times a
client computer has to retrieve the same data from a file server. The first time a user
opens a file in a shared folder, Windows 7 reads the file from the server and stores
it in a cache on the local disk. The second and subsequent times a user reads
the same file, the file is retrieved from the local disk cache instead of being read
again from the file server.
To provide data integrity, Windows Server 2008 R2 and Windows 7 contact the
server computer and ensure that the cached copy is up-to-date. The cache is never
accessed if the server computer is unavailable. The updates to the file are written
directly to the server computer. Transparent caching is not enabled by default on
fast networks.
You can use Group Policy to enable transparent caching, improve the efficiency of
the cache, and save disk space on the client. You can configure the amount of disk
space the cache uses and prevent specific file types from being synchronized. This
provides branch office users with an experience that more closely resembles the
experience of being on the same LAN as the servers. Improved cache efficiency can
also reduce utilization across WAN links.

Background synchronization for offline files


In earlier versions of Windows operating systems, user updates to files are written
to the server when the user is online. If the user is offline, the file updates are
cached on the client computer disk and synchronized with the server the next time
the user is online.
In Windows 7, synchronization can happen automatically in the background,
without requiring the user to choose between online and offline modes.
File synchronization is transparent to the user and is centrally configurable by
using Group Policy settings. You can also monitor and control file synchronization
from Sync Center. This provides reliable and transparent shared folder
synchronization, providing users with access to files on shared folders even when
they are disconnected from the network. Users need not manually synchronize
their data over slow networks. Data from client computers is backed up on the
servers.
With background synchronization, folder redirection becomes even more useful.
You can configure Group Policy settings to enable both Folder Redirection and
synchronization. Windows 7 redirects user folders to the network location and
automatically synchronizes files between the version on the client computer and
the version on the server.
When a user disconnects from the network, Windows 7 opens the local copies of
the files exactly as if the user were connected to the network, and changes are
synchronized the next time the user connects. This provides automatic network
backup of user data without user interaction. Windows 7 also provides a "usually
offline" mode, which offers similar capabilities when a user is connected to a
server across a slow network.
In earlier versions of Windows operating systems, after the client computer
changes to the offline mode, only the files that are selected to be available offline or
the files that are cached automatically remain visible to the user. For example, if a
folder has five files and only three of them are selected to be available offline, in
offline mode the folder appears to contain only those three files. The other two
files are not visible until you return to the online mode. This can cause confusion
and an inconsistent experience between the online and offline modes. To provide a
consistent experience in online and offline modes, Offline Files in Windows 7
creates a placeholder for files and folders that are not available offline. The
placeholder appears as a faint image, and it indicates to the user that a file or
folder exists in the shared folder but is not currently available offline.

Question: How can you configure transparent caching and enable it even on fast
networks?
BranchCache

Key Points
One of the major challenges that branch offices face is improving the performance
of intranet resources that are hosted in other locations, such as head offices or
regional data centers. Typically, branch offices are connected by WANs, which
usually have slower data rates than the local intranet. Reducing the network
utilization on the WAN connection provides more bandwidth for other applications
and services.
The BranchCache feature in Windows Server 2008 R2 and Windows 7 reduces the
network utilization on WAN connections between branch offices and headquarters
by locally caching frequently-used files on computers in the branch office.
BranchCache improves the performance of applications that use one of the
following protocols:
• HTTP or HTTPS. The protocols used by Web browsers and other
applications.
• SMB, including signed SMB traffic. The protocol used for accessing
shared folders.
BranchCache retrieves data from a server when the client requests the data.
Because BranchCache is a passive cache, it will not increase the WAN utilization.
BranchCache only caches the read requests and will not interfere when a user
saves a file.
BranchCache improves the responsiveness of common network applications that
access intranet servers across slow WAN links. Because BranchCache does not
require any additional infrastructure, you can improve the performance of remote
networks by deploying Windows 7 to client computers and Windows Server 2008
R2 to server computers, and by enabling the BranchCache feature.
BranchCache works seamlessly alongside network security technologies, including
Secure Sockets Layer (SSL), SMB Signing, and end-to-end IP Security (IPSec). You
can use BranchCache to reduce the network bandwidth utilization and improve
application performance even if the content is encrypted.

Question: How can your organization benefit from BranchCache?


Hosted Cache vs. Distributed Cache

Key Points
BranchCache operates in one of the two modes based on the cache location:
Hosted Cache or Distributed Cache.
• Hosted Cache. The Hosted Cache mode operates by deploying a
computer that is running Windows Server 2008 R2 as a host in the branch
office. Client computers are configured with the fully qualified domain name
(FQDN) of the host computer so that they can retrieve content from the
Hosted Cache when available. If the content is not available in the Hosted
Cache, the content is retrieved from the content server by using a WAN link
and then provided to the Hosted Cache, so that the subsequent client requests
can get it from there.
• Distributed Cache. You can configure BranchCache in the Distributed
Cache mode for small branch offices. In this mode, local Windows 7 clients
keep a copy of the content and make it available to other authorized clients
that request the same data. This eliminates the need to have a server in the
branch office. However, unlike Hosted Cache mode, this configuration works
across a single subnet only. In addition, clients that hibernate or disconnect
from the network will not be able to provide content to the other requesting
clients.
When BranchCache is enabled on both the client computer and server computer,
the client computer performs the following process to retrieve data by using the
HTTP, HTTPS, or SMB protocol:
1. The client computer running Windows 7 connects to a content server
computer running Windows Server 2008 R2 in the head office and requests
content similar to the way it would retrieve content without using
BranchCache.
2. The content server computer in the head office authenticates the user and
verifies that the user is authorized to access the data.
3. The content server computer in the head office returns identifiers or hashes of
the requested content to the client computer, instead of sending the content
itself. The content server computer sends that data over the same connection
that the content would have normally been sent.
4. Using the retrieved identifiers, the client computer does the following:
• If configured to use Distributed Cache, the client computer multicasts on
the local network to find other client computers that have already
downloaded the content.
• If configured to use Hosted Cache, the client computer searches for
content availability on the Hosted Cache.
5. If the content is available in the branch office, either on one or more clients or
on the Hosted Cache, the client computer retrieves the data from within the
branch office and ensures that the data is updated and has not been tampered
with or corrupted.
6. If the content is not available in the branch office, the client computer retrieves
the content directly from the server computer at the data center. The client
computer then either makes it available on the local network to other
requesting client computers, or sends it to the Hosted Cache, where it is made
available to other client computers.
The following table shows the major differences between the two modes of
BranchCache:
Hosted Cache                                      Distributed Cache
Data is cached at the Hosted Cache server.        Data is cached amongst clients.
Recommended for larger branch offices.            Recommended for branch offices without
                                                  any infrastructure.
Enables branch-wide caching.                      Enabled on clients through Group Policy.
Cache is stored centrally. You can use the        Easy to deploy.
existing server in the branch office.
Cache availability is high.                       Cache availability decreases with laptops
                                                  that go offline.

Question: Can you use BranchCache if both servers in the branch office are
running Windows Server 2008 and you have deployed Windows 7 to all the
branch office client computers?
Lesson 2
Configuring BranchCache

The BranchCache feature in Windows Server 2008 R2 is designed to reduce WAN
link utilization and improve application responsiveness for branch office users
who access data from servers in remote locations. Branch office client computers
use a locally maintained data cache to reduce traffic over a WAN link. If you
configure the client computers to use the Distributed Cache mode, the cached
content is distributed across client computers. If you configure the client
computers to use the Hosted Cache mode, the cached content is maintained on a
server computer on the branch office network. You can customize BranchCache
settings and perform additional configuration tasks after configuring BranchCache.
You can also monitor BranchCache events, activity, and performance, and query
the BranchCache infrastructure to verify the configuration of servers and the usage
of the cache.
Lesson Objectives

After completing this lesson, you will be able to:


• Describe the requirements for configuring BranchCache.
• Describe the server configuration for BranchCache.
• Describe the client configuration for BranchCache.
• Describe BranchCache monitoring.
• Configure BranchCache.
BranchCache Requirements

BranchCache is an optional feature in Windows Server 2008 R2. It optimizes traffic
flow between head office and branch offices, and only Windows Server 2008 R2
servers and Windows 7 clients can benefit from it. The earlier versions of Windows
operating systems will not benefit from this feature. You can cache only the content
stored on Windows Server 2008 R2 file servers or Web servers by using
BranchCache.

Requirements for using BranchCache


To use BranchCache:
• You must install the BranchCache feature or the BranchCache for Network
Files role service on the Windows Server 2008 R2 server that is hosting
the data.
• You must configure clients, either by using Group Policy or the netsh
command.
If you want to use BranchCache for caching content from the Web server, you
must install the BranchCache feature on the Web server. Additional configurations
are not needed. If you want to use BranchCache to cache content from the file
server, you must install the BranchCache for Network Files role service on the file
server, configure hash publication for BranchCache, and create BranchCache-
enabled file shares.
BranchCache is supported on a Full Installation of Windows Server 2008 R2 and on
Server Core.

Requirements for Distributed Cache and Hosted Cache Modes


In the Distributed Cache mode, BranchCache works across a single subnet only. If
client computers are configured to use the Distributed Cache mode, any client
computer can search locally for a computer that has already downloaded and
cached the content by using a multicast protocol called WS-Discovery. In the
Distributed Cache mode, content servers in the head office must run Windows
Server 2008 R2, and the clients in the branch must run Windows 7 or Windows
Server 2008 R2. You should configure the client firewall to allow incoming
Hypertext Transfer Protocol (HTTP) and WS-Discovery traffic.
In the Hosted Cache mode, the client computers are configured with the fully
qualified domain name (FQDN) of the host server to retrieve content from the
Hosted Cache. Therefore, the BranchCache host server must have a digital
certificate, which is used to encrypt communication with client computers. In the
Hosted Cache mode, content servers in the head office must run Windows Server
2008 R2, the Hosted Cache server in the branch must run Windows Server 2008 R2,
and the clients in the branch must run Windows 7. You must configure a firewall to
allow incoming HTTP traffic from the Hosted Cache server. In both cache modes,
BranchCache uses the HTTP protocol for data transfer between client computers.

Question: You have a mixed computer environment that includes Windows Vista
SP2 and Windows 7 client computers, Windows Server 2003 SP2, Windows Server
2008 SP2, and Windows Server 2008 R2 servers. Your computers are also located
in multiple sites. Can you use the BranchCache feature in this scenario?
Server Configuration for BranchCache

You can use BranchCache to cache Web content, which is delivered by HTTP or
HTTPS and also to cache shared folder content, which is delivered by the SMB
protocol. By default, BranchCache is not installed on Windows Server 2008 R2.
The following table lists the servers that you can configure for BranchCache.

Server Description

Web server To configure a Windows Server 2008 R2 Web server or an


application server that uses the Background Intelligent
Transfer Service (BITS) protocol, you should install the
BranchCache feature. You must ensure that the
BranchCache service has started. Then, you need to
configure clients which will use the BranchCache feature;
no additional configuration of Web server is needed.

File server The BranchCache for Network Files role service of the File
Services server role needs to be installed before you can
Configuring Windows Server 2008 R2 Features for Branch Offices 6-29

MCT USE ONLY. STUDENT USE PROHIBITED


BETA COURSEWARE EXPIRES 2/08/2010

Server Description
enable BranchCache for any file shares. After you install
the BranchCache for Network Files role service, use Group
Policy to enable BranchCache on the server. You can
enable BranchCache for all shares on a file server or only
on selected shares. You also need to configure clients,
which will use BranchCache feature.

Hosted Cache server The Distributed Cache mode does not use a server in the
branch office. For the Hosted Cache mode, you must add
the BranchCache feature to the Windows Server 2008 R2
server that you can use as a Hosted Cache server. The
Hosted Cache is trusted by client computers to cache and
distribute data. For securing the communication, client
computers use transport layer security (TLS) when
communicating with the Hosted Cache server. To support
authentication, the Hosted Cache server must be
provisioned with a certificate that is trusted by clients and
is suitable for server authentication. By default,
BranchCache allocates five percent of disk space on the
active partition for hosting cache data. However, you can
change this value by using Group Policy or netsh
command.
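The server-side configuration described above, as an added PowerShell example that is not part of the courseware. It assumes Windows Server 2008 R2 with the ServerManager module; the share name, share path and certificate thumbprint are placeholders; the registry value HashPublicationForPeerCaching is the value written by the Hash Publication for BranchCache policy (1 = only shares on which BranchCache is enabled), and the appid in the sslcert binding is the one Microsoft documents for the Hosted Cache binding.

```powershell
# Added example (not courseware code): prepare 2008 R2 servers for the roles in the list above.
Import-Module ServerManager

function Install-BranchCacheFileServer {
    param(
        [Parameter(Mandatory=$true)][string]$ShareName,   # placeholder, e.g. Share
        [Parameter(Mandatory=$true)][string]$SharePath    # placeholder, e.g. C:\Share
    )
    # Role service "BranchCache for Network Files" (FS-BranchCache) of the File Services role.
    Add-WindowsFeature FS-BranchCache | Out-Null

    # Local equivalent of the Lanman Server policy "Hash Publication for BranchCache"
    # (assumed registry value); in production set it through a GPO linked to the content servers.
    $lanman = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
    if (-not (Test-Path $lanman)) { New-Item -Path $lanman -Force | Out-Null }
    Set-ItemProperty -Path $lanman -Name HashPublicationForPeerCaching -Value 1 -Type DWord

    # Create the share with BranchCache enabled (Advanced Sharing > Caching > Enable BranchCache).
    if (-not (Test-Path $SharePath)) { New-Item -ItemType Directory -Path $SharePath | Out-Null }
    net share "$ShareName=$SharePath" /GRANT:Everyone,READ /CACHE:BranchCache | Out-Null
}

function Install-BranchCacheWebServer {
    # HTTP/HTTPS and BITS content servers need only the feature and a running BranchCache service.
    Add-WindowsFeature BranchCache | Out-Null
    Set-Service PeerDistSvc -StartupType Automatic
    Start-Service PeerDistSvc
}

function Install-BranchCacheHostedCacheServer {
    param(
        [Parameter(Mandatory=$true)][string]$CertificateThumbprint,  # server-auth cert, FQDN in subject, trusted by clients
        [int]$CachePercent = 5                                       # default allocation is 5 percent
    )
    Add-WindowsFeature BranchCache | Out-Null
    netsh branchcache set service mode=hostedserver | Out-Null
    # Clients authenticate the Hosted Cache over TLS on TCP 443: bind the certificate in HTTP.SYS.
    netsh http add sslcert ipport=0.0.0.0:443 certhash=$CertificateThumbprint appid='{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'
    if ($CachePercent -ne 5) { netsh branchcache set cachesize size=$CachePercent percent=TRUE | Out-Null }
}

function Get-BranchCacheServerStatus {
    # Checks to run afterwards: service mode and cache, and (Hosted Cache only) the TLS binding.
    netsh branchcache show status all
    netsh http show sslcert ipport=0.0.0.0:443
}
```

Run the function for the role the server plays, then Get-BranchCacheServerStatus; a Hosted Cache server whose sslcert binding is missing will accept no client offers, which is the first thing to check when branch clients never populate it.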

Question: How can you enable BranchCache support on Windows Server 2008
R2 content server?

Client Configuration for BranchCache

To configure a Windows Server 2008 R2 server as a BranchCache client, you must
first install the BranchCache feature on that server. You do not need to install
the BranchCache feature in Windows 7, because BranchCache is already included in
Windows 7.

BranchCache Configuration on Client Computers


BranchCache is disabled by default on client computers. To enable and configure
BranchCache, you need to perform the following steps:
1. Enable BranchCache.
2. Enable the Distributed Cache mode or Hosted Cache mode.
3. Configure the client firewall to allow BranchCache protocols.

Enabling BranchCache
If you enable the Distributed Cache or the Hosted Cache mode without enabling
the overall BranchCache feature, the BranchCache feature will still be disabled on
the client computers. However, you can enable the BranchCache feature on a client
computer without enabling the Distributed Cache mode or the Hosted Cache mode.
In this configuration, the client computer uses only the local cache and does not
attempt to download from other BranchCache clients on the same subnet or from a
Hosted Cache server. Therefore, multiple users of a single computer can benefit
from a shared local cache in this local caching mode.

Enabling the Distributed Cache mode or Hosted Cache mode

You can enable BranchCache and select the cache mode on client computers either
by using Group Policy or by using the netsh command.
To configure BranchCache settings by using Group Policy, you need to perform the
following steps:
1. Open the Group Policy Management console.
2. Navigate to Computer Configuration->Policies->Administrative Templates-
>Network, and then click BranchCache.
3. Enable the Turn on BranchCache setting, and then enable either Set BranchCache
Distributed Cache mode or Set BranchCache Hosted Cache mode. The Hosted Cache
setting requires the FQDN of the Hosted Cache server, which must match the name
in the server's certificate.
To configure BranchCache settings by using the netsh command, run one of the
following:
• Use the following netsh syntax for the Distributed Cache mode.
netsh branchcache set service mode=distributed
• Use the following netsh syntax for the Hosted Cache mode.
netsh branchcache set service mode=hostedclient location=<Hosted
Cache server>

Configuring the client firewall to allow BranchCache protocols

In the Distributed Cache mode, BranchCache clients use the HTTP protocol for
data transfer between client computers and the WS-Discovery protocol for cached
content discovery. You should configure the client firewall to allow the following
incoming rules:
• BranchCache – Content Retrieval (Uses HTTP)
• BranchCache – Peer Discovery (Uses WSD)
In the Hosted Cache mode, BranchCache clients use the HTTP protocol for data
transfer to the Hosted Cache server, but they do not use the WS-Discovery protocol.
In the Hosted Cache mode, you should configure the client firewall to allow the
incoming rule BranchCache – Content Retrieval (Uses HTTP). The Hosted Cache
server itself must accept incoming HTTPS (TCP port 443) from the clients, which
is the rule BranchCache – Hosted Cache Server (Uses HTTPS).
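The three client steps above (enable, choose the mode, open the firewall) and the verification the later demonstration does by hand with netsh branchcache show status all, as one added PowerShell example that is not part of the courseware. It assumes a Windows 7 client; LON-HC1 and the lab share path are placeholders; the regular expressions assume the Windows 7 layout of the netsh status output ("Service Mode = ...", "Active Current Cache Size = <n> Bytes") and may need adjusting on other builds.

```powershell
# Added example (not courseware code): configure a Windows 7 BranchCache client and verify it.
function Set-BranchCacheClientMode {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('distributed','hostedclient','local')][string]$Mode,
        [string]$HostedCacheServer   # FQDN that matches the Hosted Cache server certificate
    )
    switch ($Mode) {
        'distributed'  { netsh branchcache set service mode=distributed | Out-Null }
        'hostedclient' {
            if (-not $HostedCacheServer) { throw 'Hosted Cache mode needs -HostedCacheServer (FQDN on the server certificate).' }
            netsh branchcache set service mode=hostedclient location=$HostedCacheServer | Out-Null
        }
        'local'        { netsh branchcache set service mode=local | Out-Null }   # local cache only, no peers
    }
    # netsh adjusts the firewall itself; the explicit rule groups below make the requirement
    # visible and are what a firewall GPO must replicate when the mode is set through Group Policy.
    netsh advfirewall firewall set rule group="BranchCache - Content Retrieval (Uses HTTP)" new enable=yes | Out-Null
    $wsd = if ($Mode -eq 'distributed') { 'yes' } else { 'no' }   # WS-Discovery only for Distributed Cache
    netsh advfirewall firewall set rule group="BranchCache - Peer Discovery (Uses WSD)" new enable=$wsd | Out-Null
}

function Get-BranchCacheClientStatus {
    $text  = netsh branchcache show status all | Out-String
    $mode  = if ($text -match 'Service Mode\s*=\s*(.+)') { $matches[1].Trim() } else { 'unknown' }
    $bytes = if ($text -match 'Active Current Cache Size\s*=\s*(\d+)') { [int64]$matches[1] } else { -1 }
    New-Object PSObject -Property @{
        ServiceMode      = $mode
        ActiveCacheBytes = $bytes
        HasCachedContent = ($bytes -gt 0)   # > 0 after a file has been fetched from an enabled share
        RawStatus        = $text
    }
}

# Usage: Distributed Cache mode, re-apply policy, fetch a file from a BranchCache-enabled
# share (lab path from the demonstration) and confirm the local cache is no longer empty.
Set-BranchCacheClientMode -Mode distributed
gpupdate /force | Out-Null
Copy-Item '\\LON-DC1.contoso.com\Share\edb00002' "$env:USERPROFILE\Desktop"
Get-BranchCacheClientStatus | Format-List ServiceMode, ActiveCacheBytes, HasCachedContent
```

For a Hosted Cache branch, call Set-BranchCacheClientMode -Mode hostedclient -HostedCacheServer LON-HC1.contoso.com instead; the location must be the FQDN in the server certificate, or the TLS handshake fails and the client silently falls back to the WAN.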

Additional configuration tasks for BranchCache

After you configure BranchCache, clients can access cached data from
BranchCache-enabled content servers locally in the branch office, instead of across
a slow WAN link. You can modify BranchCache settings and perform additional
configuration tasks, such as:
• Setting the cache size.
• Setting the location of the Hosted Cache.
• Clearing the cache.
• Creating and replicating a shared key for use on a server cluster.

Question: How can you configure Windows 7 client computer to benefit from a
BranchCache?

Demonstration: How To Configure BranchCache

Key Points
1. On LON-DC1, in the Local Group Policy Editor console, enable the Hash
Publication for BranchCache setting under Computer Configuration\Administrative
Templates\Network\Lanman Server, and select Allow hash publication only for
shared folders on which BranchCache is enabled.
2. On LON-DC1, set the following share properties to create a BranchCache
enabled file share:
• Advanced Sharing: Caching
• Offline Settings: Enable BranchCache
3. On LON-CL1, open the command prompt and run the following command to
apply all the Group Policy settings, including the BranchCache settings.

gpupdate /force

4. Run the following command to verify that BranchCache is running in the
Distributed Caching service mode and that all the required network settings are
configured.

netsh branchcache show status all

5. On LON-CL2, open the command prompt (on the Start menu, click All Programs,
click Accessories, and then click Command Prompt) and run the following
command to apply all the Group Policy settings, including the BranchCache
settings.

gpupdate /force

6. Run the following command to verify that BranchCache is running in the
Distributed Caching service mode and that all the required network settings are
configured.

netsh branchcache show status all

7. On LON-CL1, copy the edb00002 file from \\LON-DC1.contoso.com\Share to the
desktop, and verify in the Performance Monitor console that the BranchCache
discovery counters show the attempted discovery.
8. Run the following command to check the current size of the local cache.

netsh branchcache show status all

9. On LON-CL2, copy the edb00002 file from \\LON-DC1.contoso.com\Share to the
desktop, and verify in the Performance Monitor console that the BranchCache
discovery counters show the discovery succeeding.
10. Run the following command to verify that the local cache has an Active
Current Cache Size greater than 0.

netsh branchcache show status all


Question: Clients in the branch office and file servers in the head office are
configured for BranchCache. Will the branch office client benefit from
BranchCache when accessing a file in the head office for the first time?

BranchCache Monitoring

Key Points
• BranchCache events monitoring. You can monitor BranchCache events
in Event Viewer. BranchCache has two types of event logs: operational logs
and audit logs. The operational log appears in Event Viewer at Applications
and Services Logs\Microsoft\Windows\PeerDist\Operational, and you can
view the audit log events in the Security log.
• Work and performance monitoring. You can monitor BranchCache
work and performance by using the BranchCache performance monitor
counters. BranchCache performance monitor counters are useful debugging
tools for monitoring BranchCache effectiveness and health. You can also use
the BranchCache performance counters to determine the bandwidth savings in
the Distributed Cache mode or in the Hosted Cache mode. If you have System
Center Operations Manager 2007 SP2 implemented in the environment, you
can use the BranchCache Management Pack for System Center Operations
Manager 2007.
• Infrastructure querying. You can query the infrastructure by using the
netsh branchcache show status all command. The command displays the
BranchCache service status, the location of the local cache, the size of the local
cache, and the status of the firewall rules for the HTTP and WS-Discovery
protocols that BranchCache uses.
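The bandwidth-savings calculation and the event log check described above, as an added PowerShell example that is not part of the courseware. It assumes the Windows 7 BranchCache counter set with the counters "Retrieval: Bytes from cache", "Retrieval: Bytes from server" and "Retrieval: Bytes served"; the operational log channel is looked up at run time because the text names it by its Event Viewer folder rather than by its channel name, and both candidate channel names are assumptions.

```powershell
# Added example (not courseware code): BranchCache savings from counters, plus recent events.
function Get-BranchCacheSavings {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $paths = '\BranchCache\Retrieval: Bytes from cache',
             '\BranchCache\Retrieval: Bytes from server',
             '\BranchCache\Retrieval: Bytes served'        # assumed Windows 7 counter names
    $samples    = (Get-Counter -ComputerName $ComputerName -Counter $paths -ErrorAction Stop).CounterSamples
    $fromCache  = ($samples | Where-Object { $_.Path -like '*bytes from cache'  }).CookedValue
    $fromServer = ($samples | Where-Object { $_.Path -like '*bytes from server' }).CookedValue
    $served     = ($samples | Where-Object { $_.Path -like '*bytes served'      }).CookedValue
    $total = $fromCache + $fromServer
    New-Object PSObject -Property @{
        Computer           = $ComputerName
        BytesFromCache     = $fromCache    # bytes obtained from peers or the Hosted Cache
        BytesFromServer    = $fromServer   # bytes that actually crossed the WAN
        BytesServedToPeers = $served       # bytes this computer supplied to other clients
        SavingsPercent     = if ($total -gt 0) { [math]::Round(100 * $fromCache / $total, 1) } else { 0 }
    }
}

function Get-BranchCacheOperationalEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    # Assumed channel names; the first one that exists on the target is used.
    $log = Get-WinEvent -ComputerName $ComputerName -ListLog 'Microsoft-Windows-BranchCache/Operational', 'Microsoft-Windows-PeerDist/Operational' -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $log) { throw 'No BranchCache operational channel found; list channels with Get-WinEvent -ListLog *.' }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = $log.LogName; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage: savings on a branch client after a day of use, and the last two hours of events.
Get-BranchCacheSavings -ComputerName LON-CL2
Get-BranchCacheOperationalEvents -ComputerName LON-CL2 -Hours 2
```

The counters are cumulative since the service started, so compare two readings taken some time apart when you want the savings for a given period rather than since boot.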

Question: Which tool should you use for monitoring BranchCache performance
and bandwidth savings?
Lesson 3
Configuring Branch Office Security Features

Windows Server 2008 R2 provides enhanced security features for securing branch
offices. These features, such as read-only DFS replica, Read-Only Domain
Controller (RODC), Server Core, BitLocker, and BitLocker to Go, improve the
overall security of the Active Directory environment at branch offices.
You can use RODCs to deploy domain controllers at branch offices more securely,
and read-only DFS replicas to publish data that branch office users must not
modify. You can deploy Server Core at branch offices to reduce the maintenance
and management requirements. With the BitLocker and BitLocker to Go data
protection features, you can address the risks of data theft, data loss, and
inappropriately decommissioned computers.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the security issues in branch offices.
• Describe Read-Only DFS Replica.
• Configure Read-Only DFS.
• Compare Read-Only DFS with BranchCache.
• Describe Read-Only Domain Controller.
• Describe the features of Server Core.
• Explore Server Core.
• Describe BitLocker and BitLocker to Go.
• Explore BitLocker to Go.

Discussion: Branch Office Security Issues

Key Points
Branch offices usually have fewer users than the head office and often lack
appropriate physical security for the computer infrastructure. Network
administrators are often not available at branch office locations to manage and
maintain branch server configuration. Branch offices use low-bandwidth WAN
connectivity, so changes made in the head office take time to replicate to the
branch offices. With less physical security and inadequate infrastructure, data at
branch offices can be compromised, and if you do not configure security settings
for branch offices, unauthorized changes can be made to the data. Low-bandwidth
WAN connectivity also affects performance and productivity at branch offices.

Resolving security issues in Windows Server 2008 R2

You can use the following Windows Server 2008 R2 features to resolve security
issues and other security-related challenges at branch office locations:
• Active Directory. Enables delegation of administrative permissions, and
most of the Microsoft Management Console (MMC) applications can work on
local and remote computers. For example, the Active Directory Users and
Computers tool can be used for remote management, so administration can be
performed from the head office. By using Active Directory, you can delegate
only the permission to reset the passwords of branch office users, without
granting broader rights.
• Remote Desktop Services (RDS). Enables remote connectivity for
branch offices. By using Remote Desktop, you can administer the server
remotely, without being physically present at the branch office.
• Read-Only Domain Controller (RODC). By implementing a Read-Only
Domain Controller (RODC), you can provide reasonable security for
organizational data even with lower physical security in the branch office,
because by default an RODC does not store user or computer passwords; only
the credentials that its Password Replication Policy explicitly allows are
cached. You can also delegate administrative permissions for a specific RODC.
• BitLocker. For an effective security measure, you can install the
BitLocker feature and encrypt entire disk volumes. BitLocker protects the disk
contents from unauthorized access and modification while the operating system
is offline, for example when a disk is removed and attached to another
computer.
• Server Core. You can install Server Core, which provides a minimal
environment for the main server roles. Server Core also provides better security
and requires fewer updates than the full installation.
• Read-only DFS replica. The Distributed File System (DFS) technologies
offer WAN-efficient replication for geographically dispersed servers. DFS
Replication in Windows Server 2008 R2 provides faster replication for both
small and large files, faster initial synchronization, and better network
bandwidth utilization on high-latency networks such as WANs. A read-only DFS
replica helps you protect data from unauthorized modification at the branch
office locations.

Read-Only DFS Replica

Key Points
The Distributed File System (DFS) Namespaces and DFS Replication features of
Windows Server 2008 provide simplified, highly available access to files, load
sharing, and efficient WAN replication. DFS Replication is used to publish data
from a central server to many branch office servers. Windows Server 2008 R2
adds read-only replicated folders, which are similar to replicated folders in
earlier versions of Windows Server except that they do not allow any
modification or deletion of data. Read-only DFS replicated folders are used for
replicating data that should never be changed at the branch. Read-only DFS
replicated folders can be hosted only on Windows Server 2008 R2 servers, while
other members of the DFS replication group can run Windows Server 2003 R2 or
newer Windows Server operating systems.
For a read-only DFS replicated folder, the DFS Replication service intercepts and
inspects each file system operation by using a low-level file system filter driver.
Only modifications initiated by the DFS Replication service are allowed; these are
the changes and updates arriving from replication partners. This keeps the
read-only replicated folder synchronized with the read-write replicated folders on
the other replication group members. All other modification attempts are blocked,
which ensures that users, including local administrators, cannot modify the
content of the read-only DFS replicated folder locally. Volumes that do not host
read-only DFS replicated folders, or that host only read-write DFS replicated
folders, are ignored by the filter driver. Even if the filter driver is not
running, other Windows Server 2008 R2 DFS replication group members will
refuse updates from a read-only replication member.
Question: You have a mixed environment in which there are Windows XP,
Windows Vista, and Windows 7 client workstations. Can all these clients access
Read-Only DFS replica and will Read-Only access be effective for all clients,
including clients running earlier versions of Windows operating systems?

Demonstration: How To Configure Read-Only DFS Replica

Key Points
1. On LON-SVR1, create a DFS replication group by using the Server Manager
console with the following information:
• Replication Group Type: Multipurpose replication group
• Name of replication group: Contoso Reports
• Replication Group Members: LON-DC1; LON-SVR1
• Topology Selection: Full mesh
• Replication Group Schedule and Bandwidth: Replicate continuously
using the specified bandwidth
• Primary member: LON-DC1
• Folders to Replicate: C:\Share
• Local Path of Share on Other Members: C:\Share-Replica
2. For the LON-SVR1 membership, select Make the selected replicated folder on
this member read-only.
3. In DFS Management, add a new folder, Reports, to \\Contoso.com\Namespace1
and add the Share-Replica share on LON-SVR1 as its folder target.
4. On LON-CL1, navigate to \\contoso.com\Namespace1\Reports and attempt to
create a new text document. The write is refused, because the folder target is
the read-only DFS replica C:\Share-Replica on LON-SVR1.
5. On LON-SVR1, change the membership of C:\Share-Replica from read-only to
read-write.
6. On LON-CL1, navigate to \\contoso.com\Namespace1\Reports again and create a
new text document. This time the write succeeds, because the target is now a
read-write DFS replica.
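The write probe that steps 4 and 6 of the demonstration perform by hand, together with a check of which replicated folders a member holds read-only, as an added PowerShell example that is not courseware code. It assumes the lab names LON-SVR1 and C:\Share-Replica; that the DFS Replication membership objects (class msDFSR-Subscription) under the computer account carry msDFSR-RootPath and the Windows Server 2008 R2 attribute msDFSR-ReadOnly; and that it runs on a domain-joined machine with System.DirectoryServices available (Windows PowerShell 2.0 or later).

```powershell
# Added example (not courseware code): verify a read-only DFS replicated folder.
function Get-DfsrMemberReadOnlyFlags {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $computer = ([ADSISearcher]"(&(objectCategory=computer)(cn=$ComputerName))").FindOne()
    if (-not $computer) { throw "Computer account $ComputerName not found in AD DS." }
    # Each replicated-folder membership of the member is an msDFSR-Subscription under its account.
    $searcher = New-Object DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry(), '(objectClass=msDFSR-Subscription)')
    foreach ($sub in $searcher.FindAll()) {
        $ro = $sub.Properties['msdfsr-readonly']                 # assumed attribute name (2008 R2 schema)
        New-Object PSObject -Property @{
            Member   = $ComputerName
            RootPath = [string]$sub.Properties['msdfsr-rootpath'][0]
            ReadOnly = ($ro.Count -gt 0 -and [bool]$ro[0])      # absent or FALSE means read-write
        }
    }
}

function Test-DfsrReadOnlyReplica {
    # Creates and deletes a probe file. On a read-only member the DFS Replication filter driver
    # refuses the write with access denied, even for members of Administrators.
    param([Parameter(Mandatory=$true)][string]$Path)
    $probe = Join-Path $Path ('ro-probe-{0}.txt' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'read-only replica probe')
        Remove-Item -LiteralPath $probe -Force
        New-Object PSObject -Property @{ Path = $Path; WriteBlocked = $false; Detail = 'write succeeded: member is read-write' }
    }
    catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }    # unwrap the MethodInvocationException
        New-Object PSObject -Property @{
            Path         = $Path
            WriteBlocked = ($ex -is [System.UnauthorizedAccessException])
            Detail       = $ex.Message
        }
    }
}

# Usage on LON-SVR1: step 4 expects WriteBlocked = True, step 6 (after the change to read-write)
# expects WriteBlocked = False.
Get-DfsrMemberReadOnlyFlags -ComputerName LON-SVR1
Test-DfsrReadOnlyReplica -Path 'C:\Share-Replica'
```

Because the filter driver only inspects volumes that host a read-only replicated folder, a WriteBlocked result of False on a member that AD DS reports as read-only is worth investigating: the DFS Replication service may not have picked up the membership change yet, or it is not running.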

Question: When would you use read-only DFS replica instead of read-write DFS
replica?

Read-Only DFS vs. BranchCache

Key Points
Windows Server 2008 R2 provides technologies such as read-only DFS replica and
BranchCache to help users in branch offices quickly access data that is stored on
the head office servers. These technologies produce a similar end result and a
better user experience, but they have different effects on WAN link utilization
and different client requirements. You need to select the technology that meets
your requirements based on your environment and the expected business results.

Read-only DFS
If you use read-only DFS replicas, a complete copy of the content folder at the head
office is replicated to the branch offices. The content folder contains data needed in
the branch office as well as data that is not used in the branch office. Read-only
DFS therefore increases WAN link utilization, because all data in the content folder
is replicated to the branch offices. If you implement a read-only DFS replica,
branch office users can read, but cannot change, the replicated data. You can
define a replication schedule, but even if no user in the branch office is using
the content folder, replication happens according to the schedule set by the
administrator. The read-only DFS replica folder at a branch office occupies the
same space as the content folder at the head office. You can share the read-only
DFS replica folders through file sharing; read-only DFS replica uses SMB traffic
for file sharing.
When you configure a read-only DFS replica, any client can access the content of
the DFS replica folders without additional configuration. You do not need to
configure clients to access a read-only DFS replica, because read-only DFS is
configured only on servers.

BranchCache
Unlike read-only DFS, BranchCache caches only the data that clients in the branch
office have already accessed, so WAN link utilization for BranchCache is
considerably lower than for read-only DFS. Unlike read-only DFS, BranchCache
cannot be scheduled. When a client in a branch requests data, BranchCache caches
that data from the Web or file server in the branch. The first request for a piece
of content always goes to the server in the head office, and the data is then
cached in the branch. If another user requests the same data from the head office
server, the data is already available from the first client computer or from the
branch office Hosted Cache server, so it is accessed faster than the first time.
BranchCache supports SMB, HTTP, and HTTPS file transfer traffic.
If you have configured BranchCache in the Distributed Cache mode, data is stored
on the BranchCache clients, and a copy of the data is sent to other clients on
request. In the Distributed Cache mode, you do not need a server to store the
BranchCache data.
If you have configured BranchCache in the Hosted Cache mode, you need to
configure a Hosted Cache server. The Hosted Cache mode provides more reliability
and higher availability for BranchCache clients, because cached content remains
available when the client that first retrieved it is switched off. You can use
BranchCache only with Windows 7 or Windows Server 2008 R2 clients, and you need
to configure those clients to use the BranchCache feature.

Question: Your company has a head office and several branch offices. File servers
in the head office are running Windows Server 2008 R2, and each branch office
has a Windows Server 2008 R2 server and Windows 7 clients. Branch office users
often access files from the head office. What would you implement if you want to
minimize the traffic between the head office and branch offices?
Read-Only Domain Controller

Key Points
Windows Server 2008 R2 provides the Read-Only Domain Controller (RODC), which
helps you deploy a domain controller in branch office environments where
physical security cannot be guaranteed. An RODC hosts read-only partitions of the
Active Directory Domain Services (AD DS) database, so you can deploy a domain
controller more securely in branch offices that require fast and reliable
authentication services.
The following RODC functionalities help you to deal with lower physical security
in the branch offices:
• Read-only AD DS database. An RODC holds the same Active Directory
objects and attributes as a writable domain controller, except for account
passwords and the attributes in the RODC filtered attribute set. Changes cannot
be made to the database that is stored on the RODC. Changes must be made on a
writable domain controller and then replicated to the RODC.
• RODC filtered attribute set. An RODC helps you secure sensitive data,
such as passwords, credentials, or encryption keys that applications store in
the AD DS data store. For such applications, you can dynamically configure a set
of attributes in the schema for domain objects that will not replicate to any
RODC. This set of attributes is called the RODC filtered attribute set.
Attributes that are defined in the RODC filtered attribute set are not allowed
to replicate to any RODC in the AD DS forest. You should also mark such
attributes as confidential, so that ordinary users cannot read them over LDAP
from the writable domain controllers either.
• Unidirectional replication. An RODC supports unidirectional
replication, so writable domain controllers that are replication partners do
not replicate from the RODC. Any changes or corruption that a malicious user
could make at a branch office will not be replicated from the RODC to other
parts of the AD DS forest. This unidirectional RODC replication also reduces the
workload of bridgehead servers in the hub and the effort required to monitor
replication. RODC unidirectional replication applies to both AD DS replication
and DFS Replication of SYSVOL.
• Credential caching. By default, an RODC does not store user or
computer credentials, other than those of its own computer account and the
krbtgt account specific to that RODC. To cache credentials, you must explicitly
allow them in the Password Replication Policy of the RODC, for example by
adding the branch office users and computers to the Allowed RODC Password
Replication Group.
• Administrator role separation. You can delegate local administrative
permissions for an RODC to any domain user without granting that user any
user rights for the domain or other domain controllers. This permits a local
branch user to log on to an RODC and perform maintenance work on the
server, such as upgrading a driver. However, the branch office user cannot log
on to any other domain controller or perform any other administrative tasks in
the domain. The branch user can be delegated the ability to effectively manage
the RODC in the branch office without compromising the security of the other
parts of the domain.
• Read-only DNS. You can install the DNS Server service on an RODC. An
RODC is able to replicate all application directory partitions that DNS uses,
including ForestDNSZones and DomainDNSZones. If the DNS Server service is
installed on an RODC, clients can query the RODC for name resolution just as
they query other DNS servers. However, the DNS server on an RODC is read-only
and therefore does not accept dynamic updates directly; it refers the client to a
writable DNS server and then replicates the updated record back.
To deploy an RODC, at least one writable domain controller in the domain must
be running Windows Server 2008 or later. In addition, the functional level for the
domain and forest must be Windows Server 2003 or higher, and adprep /rodcprep
must have been run once in the forest before the first RODC is installed.
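Two checks that follow from the credential caching and filtered attribute set points above, as an added PowerShell example that is not courseware code. It assumes LON-RODC1 is a placeholder RODC name, that repadmin /prp is available (RSAT or a domain controller), and that the searchFlags bits are 0x200 for "in the RODC filtered attribute set" and 0x80 for "confidential"; it runs as a domain user on a domain-joined machine.

```powershell
# Added example (not courseware code): audit what an RODC may cache and what is kept from it.
function Get-RodcPasswordReplicationPolicy {
    param([Parameter(Mandatory=$true)][string]$Rodc)
    # allow/deny: the policy itself; reveal: accounts whose secrets the RODC currently holds
    # (the list to reset if the RODC is lost or stolen).
    New-Object PSObject -Property @{
        Rodc     = $Rodc
        Allowed  = (repadmin /prp view $Rodc allow)  -join "`n"
        Denied   = (repadmin /prp view $Rodc deny)   -join "`n"
        Revealed = (repadmin /prp view $Rodc reveal) -join "`n"
    }
}

function Get-RodcFilteredAttributes {
    # Lists schema attributes in the RODC filtered attribute set and flags those that are not
    # also confidential, since filtering from RODCs alone does not stop a branch user reading
    # the attribute over LDAP from a writable domain controller.
    $root   = [ADSI]'LDAP://RootDSE'
    $schema = [ADSI]('LDAP://' + $root.Get('schemaNamingContext'))
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; 512 = 0x200 (RODC filtered).
    $searcher = New-Object DirectoryServices.DirectorySearcher($schema, '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=512))')
    $searcher.PageSize = 500
    foreach ($r in $searcher.FindAll()) {
        $flags = [int]$r.Properties['searchflags'][0]
        New-Object PSObject -Property @{
            Attribute    = [string]$r.Properties['ldapdisplayname'][0]
            RodcFiltered = $true
            Confidential = (($flags -band 0x80) -ne 0)
        }
    }
}

# Usage: review the PRP of the branch RODC, then list filtered attributes that still lack the
# confidential bit.
Get-RodcPasswordReplicationPolicy -Rodc LON-RODC1 | Format-List
Get-RodcFilteredAttributes | Where-Object { -not $_.Confidential }
```

When an RODC is compromised, the Revealed list is the set of accounts whose passwords must be reset; Active Directory Users and Computers offers the same reset when you delete the RODC computer account.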
Question: Are you using RODC in your environment? If yes, why?

Server Core

Key Points
A Server Core installation provides a minimal environment for running specific
server roles; it reduces maintenance, management, and the attack surface. The
Server Core installation option installs only a subset of the executable files and
supporting dynamic link libraries, compared to a full Windows Server 2008 R2
installation. For example, the graphical shell is not included, so Windows
Explorer is not available as part of the Server Core installation. The command
prompt, which is the default interface for administering a server running Server
Core, is included. Windows Server 2008 R2 Server Core adds a subset of the .NET
Framework, which was not available on Server Core in Windows Server 2008; the
.NET Framework enables you to use Windows PowerShell or ASP.NET. It also
includes a new command line configuration utility, SConfig.exe, to easily perform
initial Server Core configuration, such as setting the IP configuration and domain
membership or enabling remote management. SConfig.exe cannot be used for
administering Server Core roles and features.

Server Core provides the following benefits compared to the full installation of
Windows Server 2008 R2:
• Greater stability. A Server Core installation has fewer running
processes and services than a full installation, and therefore provides greater
stability.
• Simplified management. A Server Core installation has fewer
components to manage than a full installation, and hence it is easier to
maintain.
• Reduced maintenance. A Server Core installation has fewer binaries than
a full installation, and thus requires less maintenance. For example, you need
to apply fewer hotfixes and security updates than on a full installation.
• Reduced memory and disk requirements. A Server Core installation
needs less memory and disk space than a full installation.
• Reduced attack surface. A Server Core installation has fewer system
services running on it than a full installation. Because of the reduced attack
surface, there are fewer possible vectors for malicious attacks on the server.
Thus, a Server Core installation is more secure and requires fewer software
updates than a full installation.
You can deploy Server Core in remote locations such as branch offices to address
challenges such as the need for central management, operating with limited
on-site staff, configuration monitoring, and lower physical security. For example,
you can deploy Server Core as a read-only domain controller with BitLocker for
extended security at a branch office.
After deploying Server Core at branch offices, you can manage the server locally by
using command-line tools, or remotely by using a Remote Desktop connection. You
can also manage the server remotely by using the Microsoft Management Console
(MMC) or command-line tools that support remote use.

Question: How can you perform initial Server Core configuration?



Demonstration: Exploring Server Core

Key Points

Note: Before starting this demonstration, discard the saved state of the virtual
machines and then start them again.
1. On LON-CORE, configure LON-CORE to allow remote administration by
running the SConfig command.

Sconfig

2. Select options 4 and 2, and then restart LON-CORE.
3. Log on to LON-CORE with the user name contoso\administrator and the
password Pa$$w0rd.
4. Run SConfig, and select options 5 and 13.

sconfig

5. On LON-DC1, open the Server Manager console and explain that from Server
Manager, you can administer Server Core remotely.

Question: How will you administer Server Core remotely?

Answer: You can administer Server Core remotely by using Server Manager or
other MMC snap-ins, Remote Desktop, PowerShell, or WinRM. However, before
administering Server Core remotely, you need to configure Windows Firewall to
allow remote connections.
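The firewall and remote management configuration that the answer above refers to (what SConfig's remote management and Remote Desktop options do interactively), as an added PowerShell example that is not courseware code. The netsh, winrm and cscript lines are the same ones you would type at the Server Core cmd.exe prompt (substituting %windir% for $env:windir) before PowerShell has been enabled; the firewall rule group names are the built-in Windows Server 2008 R2 groups, and LON-CORE is the lab name used as a placeholder.

```powershell
# Added example (not courseware code): open Server Core for remote administration, then verify.
function Enable-ServerCoreRemoteAdministration {
    # Rule groups used by MMC snap-ins (Computer Management, Event Viewer, Services, Disk Management).
    netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
    netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
    netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
    netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes
    netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes
    # WinRM listener: used by Server Manager remote management and PowerShell remoting.
    winrm quickconfig -q
    # Remote Desktop: enable it (/ar 0) and require Network Level Authentication (/cs 1),
    # using the Server Core configuration script.
    cscript //nologo "$env:windir\System32\scregedit.wsf" /ar 0
    cscript //nologo "$env:windir\System32\scregedit.wsf" /cs 1
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
}

function Test-ServerCoreRemoteAccess {
    # Run from the management host (LON-DC1 in the lab) after the server has been configured.
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $winrm = ($null -ne (Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue))
    $tcp = New-Object Net.Sockets.TcpClient
    try   { $tcp.Connect($ComputerName, 3389); $rdpOpen = $true }
    catch { $rdpOpen = $false }
    finally { $tcp.Close() }
    New-Object PSObject -Property @{ Computer = $ComputerName; WinRM = $winrm; RdpPortOpen = $rdpOpen }
}

# Usage: on LON-CORE run Enable-ServerCoreRemoteAdministration; on LON-DC1 run
# Test-ServerCoreRemoteAccess -ComputerName LON-CORE and expect WinRM and RdpPortOpen to be True.
```

Opening only the rule groups you actually use keeps the reduced attack surface that is the point of Server Core; a branch server that needs no interactive sessions can skip the Remote Desktop lines entirely.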

BitLocker and BitLocker to Go

BitLocker Drive Encryption is a data protection feature that is used to deal with
data security threats in branch offices. The security threats involve lost, stolen, or
inappropriately decommissioned computers. Data on a lost or stolen computer is
vulnerable to unauthorized access either by running a software-attack tool on the
computer or by transferring the hard disk of the computer to another computer.
BitLocker helps you mitigate this unauthorized data access by enhancing file and
system protections. BitLocker also helps you protect data when BitLocker-
protected computers are decommissioned or recycled by unauthorized clients.
BitLocker provides enhanced data protection by using a Trusted Platform Module
(TPM) version 1.2. The TPM hardware component works with BitLocker to protect
user data and the computer from being tampered when it is offline. Administrators
can configure Group Policy settings to enable backup of BitLocker or TPM
recovery information in Active Directory.
You can use BitLocker on computers without a TPM to encrypt the Windows
operating system drive. To implement BitLocker without a TRM, you need to insert
6-56 Configuring Windows Server 2008 R2 Features for Branch Offices

MCT USE ONLY. STUDENT USE PROHIBITED


a USB startup key to start the computer or resume from hibernation. However,
BETA COURSEWARE EXPIRES 2/08/2010

implementing BitLocker without a TRM does not provide computers the pre-
startup system integrity verification that is offered by BitLocker with a TPM.
In addition to the TPM, BitLocker offers an option to lock the normal startup
process until the user supplies a personal identification number (PIN) or inserts
a removable device, such as a USB flash drive, that contains a startup key. These
additional security measures provide multifactor authentication and ensure that
the computer will not start or resume from hibernation until the correct PIN or
startup key is supplied.
For servers in a shared or potentially non-secure environment, such as branch
offices, BitLocker can be used to encrypt the operating system drive and additional
data drives on the same server.
BitLocker is an optional feature and it is not installed by default on Windows
Server 2008 R2. You need to install the BitLocker feature from the Server Manager
and the server must be restarted after the installation. You can enable BitLocker
remotely by using Windows Management Instrumentation (WMI).
BitLocker to Go is another feature available in Windows Server 2008 R2. BitLocker
to Go extends BitLocker data protection to USB storage devices, and it can also
restrict access to a protected USB storage device with a passphrase.
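As an added example (not part of the course material), the following Windows PowerShell script audits BitLocker on remote servers through the Win32_EncryptableVolume WMI class, the interface the text says can manage BitLocker remotely. It reports protection state, encryption progress and which key protectors (TPM, TPM with PIN or startup key, recovery password, passphrase) each volume carries, and flags operating system volumes that rely on the TPM alone or lack a recovery password; the computer names are placeholders.

```powershell
# Added example (not from the course): audit BitLocker on remote servers through the
# Win32_EncryptableVolume WMI class. Needs the BitLocker feature on the target and
# WMI (DCOM) allowed through Windows Firewall; computer names are placeholders.

# Value names documented for Win32_EncryptableVolume.GetKeyProtectorType
$KeyProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB startup key)'
    3 = 'Numerical password (recovery key)'; 4 = 'TPM and PIN'
    5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key'
    7 = 'Public key'; 8 = 'Passphrase'
}
# Result codes of GetProtectionStatus and GetConversionStatus
$ProtectionNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$ConversionNames = @{
    0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
    3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused'
}

function Get-BitLockerVolumeReport {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        $volumes = Get-WmiObject -ComputerName $computer `
            -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
            -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
        if (-not $volumes) {
            # Either the BitLocker feature is not installed or WMI is blocked
            Write-Warning "$computer : no Win32_EncryptableVolume instances found"
            continue
        }
        foreach ($vol in $volumes) {
            $protection = $vol.GetProtectionStatus().ProtectionStatus
            $conversion = $vol.GetConversionStatus()

            # Protector type 0 asks for the IDs of every key protector on the volume
            $typeCodes = @()
            foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
                if ($id) { $typeCodes += [int]$vol.GetKeyProtectorType($id).KeyProtectorType }
            }
            $typeNames = foreach ($code in $typeCodes) {
                if ($KeyProtectorNames.ContainsKey($code)) { $KeyProtectorNames[$code] } else { "Other ($code)" }
            }

            # TPM alone (type 1) with no TPM+PIN / TPM+startup key protector (4, 5, 6)
            # means the drive unlocks without any pre-boot factor from the user
            $tpmOnly = ($typeCodes -contains 1) -and
                       -not (($typeCodes -contains 4) -or ($typeCodes -contains 5) -or ($typeCodes -contains 6))
            # Without a numerical password (type 3) there is no recovery key to back up to AD
            $hasRecovery = $typeCodes -contains 3

            New-Object PSObject -Property @{
                Computer         = $computer
                Drive            = $vol.DriveLetter
                Protection       = $ProtectionNames[[int]$protection]
                Conversion       = $ConversionNames[[int]$conversion.ConversionStatus]
                PercentEncrypted = $conversion.EncryptionPercentage
                KeyProtectors    = ($typeNames -join ', ')
                TpmOnly          = $tpmOnly
                HasRecoveryKey   = $hasRecovery
            }
        }
    }
}

# Placeholder branch-office servers; run from a management workstation with admin rights
Get-BitLockerVolumeReport -ComputerName 'LON-SVR1', 'BRANCH-SVR1' |
    Format-Table Computer, Drive, Protection, Conversion, PercentEncrypted, KeyProtectors, TpmOnly, HasRecoveryKey -AutoSize
```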
Question: Why should you use the BitLocker feature in branch offices?

Optional Demonstration: Exploring BitLocker to Go

Key Points

1. Insert the USB key that is protected with BitLocker to Go.
2. On the Start menu, point to Administrative Tools, and then click Server Manager.
3. In the tree pane of the Server Manager console, click Add Features.
4. On the Select Features page of the Add Features Wizard, select BitLocker Drive Encryption, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Results page, click Close.
7. In the Add Features Wizard message box, click Yes.
8. On the Start menu, click Control Panel.
9. In Control Panel, click BitLocker Drive Encryption.
10. On the BitLocker Drive Encryption page, under BitLocker Drive Encryption - BitLocker To Go, click Turn On BitLocker.
11. In the BitLocker Drive Encryption message box, click Yes.
12. In the BitLocker Drive Encryption (E:) wizard, select the Use a password to unlock this drive check box.
13. In the Type your password box, type P@$$word.
14. In the Retype your password box, type P@$$word, and then click Next.
15. On the BitLocker Drive Encryption (E:) page, click Save the recovery key to a file.
16. In the Save BitLocker Recovery Key as dialog box, under Favorites, click Desktop.
17. In the Save BitLocker Recovery Key as dialog box, click Save.
18. On the BitLocker Drive Encryption (E:) page, click Next.
19. On the BitLocker Drive Encryption (E:) page, click Start Encrypting.
20. In the BitLocker Drive Encryption message box, click Close.
21. In the BitLocker Drive Encryption (E:) window, in the Type your password to unlock the drive box, type P@$$word.
22. In the BitLocker Drive Encryption (E:) window, click Unlock.
23. In the AutoPlay window, under General options, click the Open folder to view files using Windows Explorer link.
24. On the BitLocker Drive Encryption page, under BitLocker Drive Encryption - BitLocker To Go, click Manage BitLocker.
25. In the BitLocker Drive Encryption (E:) window, under Select options to manage, point to the options.
26. In the BitLocker Drive Encryption (E:) window, click Close.
27. On the BitLocker Drive Encryption page, under BitLocker Drive Encryption - BitLocker To Go, click Turn Off BitLocker.
28. In the BitLocker Drive Encryption message box, click Cancel.
29. On the Start menu of LON-DC1, point to Administrative Tools, and then click Group Policy Management.
30. In the tree pane of the Group Policy Management console, expand Forest: Contoso.com, expand Domains, and then expand Contoso.com.
31. In the tree pane, under Contoso.com, right-click Default Domain Policy, and then click Edit.
32. In the tree pane of the Group Policy Management Editor console, under Computer Configuration, expand Policies, expand Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, and then expand Windows Components.
33. In the tree pane, under Windows Components, click BitLocker Drive Encryption.
34. In the BitLocker Drive Encryption result pane, view the Standard options of Fixed Data Drives, Operating System Drives, and Removable Data Drives.
35. In the Group Policy Management Editor console, click the Close button.
36. In the Group Policy Management console, click the Close button.

Lab: Configuring Windows Server 2008 R2 Features for Branch Offices

Introduction
In this lab, you will configure Windows Server 2008 R2 features for branch offices.
To do this, you will configure BranchCache in Distributed Cache mode and the
client firewall rules for BranchCache. You will also install the BranchCache
feature and link it to the hosted cache server to configure BranchCache in Hosted
Cache mode. Finally, to configure a read-only DFS replica, you will create a file
share and a DFS replication group, add the replicated folder to the DFS namespace,
change the read-only DFS replica to read-write, and test client access.

Objective
After completing this lab, you will be able to:
• Configure BranchCache in Distributed Cache mode.
• Configure BranchCache in Hosted Cache mode.
• Configure Read-Only DFS Replica.

Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the
following credentials:
  • User name: Contoso\Administrator
  • Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the
following credentials:
  • User name: Contoso\Administrator
  • Password: Pa$$w0rd
• Start the LON-CL1 virtual machine, and then log on by using the
following credentials:
  • User name: Contoso\Administrator
  • Password: Pa$$w0rd
• Start the LON-CL2 virtual machine, and then log on by using the
following credentials:
  • User name: Contoso\Administrator
  • Password: Pa$$w0rd

Lab Scenario

You are a server administrator at Contoso, Ltd. Your organization has a main office
and many regional and local branch offices. Many of the branch offices are small,
do not have local IT support, and are connected to the main office by low
bandwidth WAN connections. In addition, many users travel between offices. As
part of your job, you need to use the BranchCache feature to overcome all these
issues and to enable speedy access to data. You also need to test read-only DFS to
distribute the reports of your organization to the branch offices.

The following instructions are for configuring a test lab using the minimum number of
computers. Individual computers are needed to separate the services provided on the
network and to clearly show the desired functionality. This configuration is neither
designed to reflect best practices nor does it reflect a desired or recommended
configuration for a production network. The configuration, including IP addresses and all
other configuration parameters, is designed only to work on a separate test lab network.

Exercise 1: Configuring BranchCache in Distributed Cache Mode
The main tasks for this exercise are as follows:
1. Start the virtual servers.
2. Configure a file server to use BranchCache.
3. Simulate a slow link to the branch office.
4. Create a BranchCache enabled file share.
5. Configure clients to use BranchCache in the Distributed Cache mode.
6. Configure client firewall rules for BranchCache.
7. Apply BranchCache settings to the clients.
8. Test BranchCache in Distributed Caching mode.

Task 1: Start the virtual servers.

• Log on to LON-DC1 with the user name Contoso\Administrator and
the password Pa$$w0rd.
• Log on to LON-SVR1 with the user name Contoso\Administrator and
the password Pa$$w0rd.
• Log on to LON-CL1 with the user name Contoso\Administrator and
the password Pa$$w0rd.
• Log on to LON-CL2 with the user name Contoso\Administrator and
the password Pa$$w0rd.

Task 2: Configure a file server to use BranchCache.

• On LON-DC1, configure the file service, BranchCache, for network files
by using the Server Manager console.
• Enable the Hash Publication for BranchCache property and the Allow hash
publication only for shared folders on which BranchCache is enabled property
of Lanman Server by using the Local Group Policy Editor console.

Task 3: Simulate a slow link to the branch office.

• Create a QoS policy by using the Local Group Policy Editor console with
the following information:
  • Policy name: Limit to 100 KBps
  • Outbound Throttle Rate: 100 KBps

Task 4: Create a BranchCache enabled file share.

• On LON-DC1, set the following share properties to create a
BranchCache enabled file share:
  • Advanced Sharing: Caching
  • Offline Settings: Enable BranchCache

Task 5: Configure clients to use BranchCache in the Distributed Cache mode.

• On LON-DC1, create a new GPO, Mod 6 – BranchCache, and edit the
following BranchCache settings of the Mod 6 – BranchCache node:
  • Turn on BranchCache: Enabled
  • Set BranchCache Distributed Cache mode: Enabled
  • Configure BranchCache for network files: Enabled
  • Network latency value in milliseconds: 0

Task 6: Configure client firewall rules for BranchCache.

• Create the Windows Firewall inbound rules, BranchCache – Content
Retrieval (Uses HTTP) and BranchCache – Peer Discovery (Uses WSD), for
BranchCache.

Task 7: Apply the BranchCache settings to the clients.

• On LON-CL1, open the command prompt and run the following code
to apply all the Group Policy settings, including the BranchCache settings.

gpupdate /force

• Run the following code to verify that BranchCache is running in the
Distributed Caching service mode and that all the required network settings are
configured.

netsh branchcache show status all


• Open the Performance Monitor console and add the following
performance counters:
• Discovery: Attempted discoveries
• Discovery: Successful Discoveries
• SMB: Bytes from Cache
• SMB: Bytes from server
• On LON-CL2, open the command prompt and run the following code
to apply all the Group Policy settings, including the BranchCache settings.

gpupdate /force

• Run the following code to verify that BranchCache is running in the
Distributed Caching service mode and that all the required network settings are
configured.

netsh branchcache show status all

• Open the Performance Monitor console and add the following
performance counters:
• Discovery: Attempted discoveries
• Discovery: Successful Discoveries
• SMB: Bytes from Cache
• SMB: Bytes from server

Task 8: Test BranchCache in the Distributed Caching mode.

• On LON-CL1, move the edb00002 file from \\LON-DC1.contoso.com\Share to
the desktop, and verify in the Performance Monitor console that the
attempted discovery by the computer completes successfully.
• Run the following code to check the current size of the Local Cache.

netsh branchcache show status all

• On LON-CL2, move the edb00002 file from \\LON-DC1.contoso.com\Share to
the desktop, and verify in the Performance Monitor console that the
attempted discovery by the computer completes successfully.
• Run the following code to verify that the Local Cache has an Active Current
Cache Size greater than 0.

netsh branchcache show status all

Results: After completing this exercise, you should have configured a file server to use
BranchCache, created a BranchCache enabled file share, configured inbound rules, and
configured clients to use BranchCache in the Distributed Cache mode.

Exercise 2: Configuring BranchCache in Hosted Cache Mode
The main tasks for this exercise are as follows:
1. Configure clients to use BranchCache in the Hosted Cache mode.
2. Install the BranchCache feature.
3. Request the certificate, link it to BranchCache, and start the hosted server.
4. Configure Performance Monitor on the LON-SVR1 hosted server.
5. Test BranchCache in the Distributed Cache mode.

Task 1: Configure clients to use BranchCache in Hosted Cache mode.

• On LON-DC1, edit the following BranchCache settings of the Mod 6 –
BranchCache node:
• Set the BranchCache Distributed Cache mode: Not Configured
• Set the BranchCache Hosted Cache mode: Enabled
• On LON-CL1, open the command prompt and run the following code
to update all the Group Policy settings.

gpupdate /force

• Run the following code to verify whether Hosted Cache client and
Hosted Cache Location are configured on LON-SVR1.contoso.com.

netsh branchcache show status all

• On LON-CL2, open the command prompt and run the following code
to update all the Group Policy settings.

gpupdate /force

• Run the following code to verify the status of the BranchCache settings.

netsh branchcache show status all

Task 2: Install the BranchCache feature.

• On LON-SVR1, edit the Default Web Site to remove https from the Site
Bindings list by using the Internet Information Services (IIS) Manager console.
• Configure the BranchCache feature by using the Server Manager console.

Task 3: Request the certificate, link it to BranchCache, and start the hosted server.

• On LON-SVR1, open the Console1 – [Console Root] console to add the
certificates snap-in to manage the computer account.
• Request a certificate, Computer, from the list of Active Directory
Enrollment Policy, and then enroll it.
• Replace the thumbprint value in the link-cert file, which is open in Notepad,
with the thumbprint of the LON-SVR1.Contoso.com certificate.
• Open the command prompt and run the following code to add the SSL
certificate.

netsh http add sslcert ipport=0.0.0.0:443 certhash=63849a934ef76c948011de8d6024df1054b01e52 appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

• Run the following code to enable the hosted BranchCache server.

netsh branchcache set service hostedserver

Task 4: Configure Performance Monitor on the LON-SVR1 hosted server.

• On LON-SVR1, open the Performance Monitor console to add the
following performance counters:
• Discovery: Attempted discoveries
• Discovery: Successful Discoveries
• SMB: Bytes from Cache
• SMB: Bytes from server

Task 5: Test BranchCache in the Distributed Cache mode.

• On LON-CL1, move the edbres00001.jrs file from \\LON-
DC1.contoso.com\Share to the Desktop.

On LON-SVR1, in the Performance Monitor console, notice that the performance value of
the SMB: Bytes from server counter increases and SMB: Bytes from the cache counter
remains the same.
• On LON-CL2, move the edbres00001.jrs file from \\LON-DC1.contoso.com\Share
to the Desktop.

On LON-SVR1, in the Performance Monitor console, view the SMB: Bytes from cache
counter to ensure that the file was copied from the BranchCache cache.

• On LON-SVR1, run the following code to verify that the Local Cache has an
Active Current Cache Size greater than 0.

netsh branchcache show status all

Results: After completing this exercise, you should have configured clients to use
BranchCache in the Hosted Cache mode, installed the BranchCache feature, requested
and linked the certificate to BranchCache and started the hosted server, and
configured Performance Monitor on LON-SVR1.

Exercise 3: Configuring Read-Only DFS Replica

The main tasks for this exercise are as follows:
1. Add a Distributed File System role service to the LON-SVR1 server.
2. Create a file share on the LON-SVR1 server.
3. Create a DFS replication group.
4. Add a replicated folder to the DFS Namespace.
5. Test the client access to the read-only DFS replica.
6. Make the read-only DFS replica read-write and test the client access.

Task 1: Add a Distributed File System role service to the LON-SVR1 server.

• On LON-SVR1, open the Server Manager console to configure the
Distributed File System role services with the following information:
• Server role: File Services
• Create a DFS Namespace: Create a namespace now, using this wizard
• Namespace Type: Domain-based namespace
• User name: Administrator
• Password: Pa$$w0rd

Task 2: Create a file share on the LON-SVR1 server.

• Create a folder, Share-Replica, on drive C: and set the share properties to
share the folder with everyone on your network.

Task 3: Create a DFS replication group.

• On LON-SVR1, create a DFS replication group by using the Server
Manager console with the following information:
• Replication Group Type: Multipurpose replication group
• Name of replication group: Contoso Reports
• Replication Group Members: LON-DC1;LON-SVR1
• Topology Selection: Full mesh
• Replication Group Schedule and Bandwidth: Replicate continuously using the
specified bandwidth
• Primary member: LON-DC1
• Folders to Replicate: C$\Share
• Local Path of Share on Other Members: C$\Share-Replica
• Select Make the selected replicated folder on this member read only

Task 4: Add a replicated folder to the DFS Namespace.

• Add a new folder, Reports, to \\Contoso.com\Namespace1 of DFS
Management and add the Share-Replica to it.

Task 5: Test the client access to the read-only DFS replica.

• On LON-CL1, navigate to \\contoso.com\Namespace1\Reports and
create a new text document in the read-only DFS replica, C:\Share-Replica.

The Destination Folder Access Denied error message appears.

Task 6: Make the read-only DFS replica read-write and test the client access.

• On LON-SVR1, change the read-only attribute of C:\Share-Replica to
read-write.
• On LON-CL1, navigate to \\contoso.com\Namespace1\Reports and
create a new text document in the read-write DFS replica, C:\Share-Replica.

If you still get the Access Denied message, the change of settings is not effective yet.
Close the Reports window, wait for a few minutes, and then create the text document.

Results: After completing this exercise, you should have added the Distributed File
System role service, created a file share on LON-SVR1, created a DFS replication group,
added the replicated folder to the DFS namespace, and created a text document in the
read-write DFS replica to test client access.

Before proceeding to the next lab, reset the lab environment.


Lab Review

1. What happens in the Performance Monitor when you move the edbres00001.jrs
file from \\LON-DC1.contoso.com\Share to the Desktop on LON-CL1?
On LON-SVR1, in the Performance Monitor console, the performance value of the
SMB: Bytes from the server counter increases and SMB: Bytes from the cache
counter remains the same.
2. Which option will you select to configure the file server to use BranchCache?
You should select the BranchCache for network files option to configure the file
server to use BranchCache.

Module Review and Takeaways

Review Questions
1. Do you need to manually configure the SMB 2.0 protocol?
2. What is the benefit of receive window auto-tuning?
3. Can you create the Read-Only DFS replica on the Windows Server 2008
server?
4. Can you use BranchCache in the Distributed Mode if the branch office has
more than one subnet?
5. Can you use BranchCache to cache content from IIS on Windows Server
2008?
6. What should you do before you use BitLocker on Windows Server 2008 R2?

Real-World Issues and Scenarios

1. You configured BranchCache in the Hosted mode, but users still complain that
access to files in the head office is very slow. What should you do?
2. You would like to improve user experience and access speed from the branch
office to data stored in the head office. What should you do?

Tools
• DFS Management
• Netsh.exe
• Performance Monitor
• SConfig.exe

Module 7
Configuring and Managing Windows Server
2008 R2 Web Services

Contents:
Lesson 1: Configuring and Managing IIS 7-4
Lesson 2: Configuring FTP 7-27
Lab: Configuring and Managing Windows Server 2008 R2 Web Services 7-41

Module Overview

Internet Information Services (IIS) is a secure, reliable, and scalable Web server
that provides an easy way to manage platforms for developing and hosting Web
applications and services. In Windows Server® 2008 R2, IIS is a logical evolution
of the previous releases with incremental improvements, but it also includes new
features such as the Configuration Editor for editing IIS configuration and
generating scripts, a Windows PowerShell provider for administering IIS from the
command prompt, improved support for FastCGI applications, ASP.NET on Server
Core, virtual host name support for FTP, and FTP over Secure Sockets Layer (SSL).
IIS is available as one of the Windows Server 2008 R2 roles, but it is also available
as a separate edition, Windows Web Server 2008 R2. This module provides an
overview of the IIS features that you are already familiar with, such as the modular
architecture and request pipeline, IIS configuration files, granular feature
delegation, and detailed tracing and troubleshooting tools. In addition, the module
focuses on the new features of IIS 7.5, such as the Configuration Editor and the
Windows PowerShell provider.

After completing this module, you will be able to:
• Configure and manage IIS.
• Configure FTP.

Lesson 1
Configuring and Managing IIS

Windows Server 2008 R2 offers an updated Web Server (IIS) role, which includes
Internet Information Services (IIS) 7.5 to deploy and manage Web applications.
Windows Server 2008 R2 also provides support for .NET Framework on Server
Core.
Design goals for IIS 7.5 included improvements that enable Web administrators to
easily deploy and manage Web applications, and thereby increase both reliability
and scalability. In addition, IIS 7.5 has streamlined management capabilities and
provides more ways to customize your Web serving environment, such as IIS
Manager, the scripting interfaces, and the AppCmd command-line tool.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe Internet Information Services (IIS).
• Describe the enhancements in IIS Manager.
• Describe Windows PowerShell provider and cmdlet support.
• Configure and manage IIS.
• Describe the improvements to FastCGI support.
• Describe the IIS core features.
• Explore the core features in IIS.
• Describe rich application hosting on Server Core.
• Install ASP.NET on Server Core.
• Describe enhanced server protection.

Overview of Internet Information Services

Key Points

What Is IIS?
IIS is a scalable and high performance Web server platform in Windows Server®
2008 and Windows Server 2008 R2. The Web server is built from more than 40
modules. Modules are individual features that the server uses to process Web
requests. You can customize or replace the modules according to your
requirements. For example, IIS uses authentication modules to authenticate client
credentials, but if you want to serve only public content, you can disable all
authentication mechanisms other than Anonymous. You can administer IIS by using
the IIS Manager graphical user interface (GUI) tool, the AppCmd.exe command-
line tool, or programmatically by using the Windows Management
Instrumentation (WMI) interface or managed code.

Configuration files in IIS

IIS uses XML configuration files for storing configuration settings. Configuration
files are hierarchical and distributed. For example, you can have separate
configuration files for the whole server, Web services, an individual Web site,
subfolders, and Web applications. Settings that you define at higher levels are
inherited by lower levels, and it is easy to delegate permission to modify a specific
feature, such as the authentication mechanism used. This allows xcopy
deployment, because you can copy Web content, together with its settings, to a new
Web server. IIS also supports shared configuration, in which several Web servers in
a Web farm share the same settings.

Delegating permissions in IIS


You can define IIS Manager users and grant them permissions to administer
features at the IIS level. You can delegate permissions for each individual feature
and grant Read Only or Read/Write permissions by using IIS Manager. You can
also use IIS Manager for local and remote administration. For remote
administration, secure HTTPS protocol is used.

Request pipeline
In Windows Server 2008 R2, monolithic request processing design was replaced
with a highly customizable request pipeline, which includes ASP.NET and many
other components for authentication, request processing, logging, or compression.
Using the pipeline, you can decide which modules to include in request
processing.

Failed Request Tracing in IIS


The Failed Request Tracing feature provides a way to find out what exactly is
happening with the Web requests sent to IIS. For example, the feature tracks the
request from the moment it enters IIS until a response is sent back, through which
modules the request was passed, and for how long it was processed. You can use
Failed Request Tracing to resolve problems such as poor performance on some
requests or authentication-related failures.

Enhanced features in IIS 7.5


The following are the key features and enhancements in IIS 7.5:

Integrated extensions
Built on the extensible and modular architecture introduced with IIS 7.0, IIS 7.5
integrates and enhances existing extensions while still providing additional
extensibility and customization.
• WebDAV and FTP. Many new features, such as integration with IIS and
support for shared and exclusive locks, are added to the WebDAV and
FTP functionality to enable Web authors to publish more reliable and
secure content. In addition, the new FTP and WebDAV modules provide
additional options for authentication, auditing, and logging.
• Request Filtering. The Request Filtering module, previously available as a
separate extension, is included in IIS 7.5. Request Filtering helps prevent
potentially harmful requests from reaching the server by allowing you to
restrict or block specific HTTP requests.
• Administration Pack modules. In IIS 7.5, extension modules, previously
available as part of the IIS Administration Pack, provide additional tools to
administer the IIS 7.5 Web server from IIS Manager. These modules
include the Configuration Editor and extensions that help you to manage
Request Filtering rules, FastCGI, and ASP.NET application settings.

Management enhancements
IIS 7.5 has the same distributed and delegated management architecture as IIS 7.0,
in addition to new administration tools.
• Best Practices Analyzer. Best Practices Analyzer (BPA) is a management
tool that can help you analyze and implement best practices in the IIS
configuration. You can access BPA by using Server Manager and Windows
PowerShell. BPA helps you to reduce best practice violations by scanning
an IIS 7.5 Web server and reporting potential configuration issues.
• Windows PowerShell provider and cmdlets. The IIS module for
Windows PowerShell allows you to perform IIS administrative tasks, and
manage IIS configuration and run-time data. In addition, a collection of
task-oriented cmdlets provide a simple way to manage Web sites, Web
applications, and Web servers.
• Configuration logging and tracing. Configuration logging and tracing
allows you to audit access to the IIS configuration and track successful or
failed modifications by enabling any new logs in Event Viewer.
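As an added example, not taken from the course or from the product documentation, the following script uses the WebAdministration module (the Windows PowerShell provider for IIS 7.5 described above) to apply a Request Filtering baseline to one site, and then compares server-level and site-level request limits to show how the hierarchical configuration described earlier is inherited and overridden. The site name, blocked extensions and verb are constructed values.

```powershell
# Added example (not from the course): harden Request Filtering on one site with the
# IIS 7.5 WebAdministration module, then show server-level versus site-level values
# to illustrate inherited and overridden settings. Site name, extensions and verb are
# constructed values; run in an elevated PowerShell session on the Web server.
Import-Module WebAdministration

$RequestFiltering = 'system.webServer/security/requestFiltering'

function Set-RequestFilteringBaseline {
    param(
        [string]$SiteName = 'Default Web Site',
        [long]$MaxContentLength = 10MB,                   # IIS default is 30000000 bytes
        [string[]]$DenyExtensions = @('.bak', '.old'),   # backup copies left beside content
        [string[]]$DenyVerbs = @('TRACE')
    )
    # Writing under IIS:\Sites\<site> lands in that site's web.config, so the rules
    # travel with the content (xcopy deployment) and override the inherited values
    $sitePath = "IIS:\Sites\$SiteName"

    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$RequestFiltering/requestLimits" `
        -Name maxAllowedContentLength -Value $MaxContentLength

    foreach ($ext in $DenyExtensions) {
        # The collection rejects duplicate keys, so skip extensions already present
        $present = Get-WebConfigurationProperty -PSPath $sitePath `
            -Filter "$RequestFiltering/fileExtensions" -Name Collection |
            Where-Object { $_.fileExtension -eq $ext }
        if (-not $present) {
            Add-WebConfigurationProperty -PSPath $sitePath -Filter "$RequestFiltering/fileExtensions" `
                -Name '.' -Value @{ fileExtension = $ext; allowed = $false }
        }
    }
    foreach ($verb in $DenyVerbs) {
        $present = Get-WebConfigurationProperty -PSPath $sitePath `
            -Filter "$RequestFiltering/verbs" -Name Collection |
            Where-Object { $_.verb -eq $verb }
        if (-not $present) {
            Add-WebConfigurationProperty -PSPath $sitePath -Filter "$RequestFiltering/verbs" `
                -Name '.' -Value @{ verb = $verb; allowed = $false }
        }
    }
}

function Get-RequestLimitReport {
    param([string]$SiteName = 'Default Web Site')
    $filter = "$RequestFiltering/requestLimits"
    foreach ($name in 'maxAllowedContentLength', 'maxUrl', 'maxQueryString') {
        # MACHINE/WEBROOT/APPHOST is applicationHost.config; the site path returns the
        # effective value after the site's own web.config has been applied
        $serverValue = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name $name).Value
        $siteValue   = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $filter -Name $name).Value
        New-Object PSObject -Property @{
            Setting    = $name
            Server     = $serverValue
            Site       = $siteValue
            Overridden = ($serverValue -ne $siteValue)
        }
    }
}

Set-RequestFilteringBaseline -SiteName 'Default Web Site'
Get-RequestLimitReport -SiteName 'Default Web Site' | Format-Table Setting, Server, Site, Overridden -AutoSize
```

Only maxAllowedContentLength should show as overridden afterwards; maxUrl and maxQueryString keep the values inherited from applicationHost.config.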

Application hosting enhancements


IIS 7.5 offers a variety of new features that help increase security and improve
diagnostics. IIS 7.5 is a flexible platform for many types of Web applications, such
as ASP.NET and PHP.
• Service hardening. Built on the IIS 7.0 application pool isolation model
that increased security and reliability, every IIS 7.5 application pool runs
each process as a unique, less-privileged identity.
• Managed service accounts. In IIS 7.5, domain accounts whose passwords are
managed by the host computer (managed service accounts) are supported as
service identities.
• Hostable Web core. Core IIS Web engine components can be consumed
or hosted by other applications such as Windows Communication
Foundation (WCF). This allows applications to service HTTP requests
directly, which is useful for enabling basic Web server capabilities for
custom applications or for debugging applications.
• Failed Request Tracing for FastCGI. In IIS 7.5, PHP developers who use
the FastCGI module can implement IIS trace calls within their
applications. Developers can then troubleshoot application errors by using
IIS Failed Request Tracing to debug the code during development.

Enhancement to .NET support on Server Core


In Windows Server 2008 R2, the Server Core installation option provides support
for the .NET Framework 2.0, 3.0, and 3.5.1 versions. This allows you to host
ASP.NET applications, perform remote management tasks from IIS Manager, and
locally run cmdlets included with the Windows PowerShell provider for IIS.

Question: You would like to enable the Basic Authentication feature for your Web
site. In the IIS Manager console, when you select the Authentication option on a
Web site, the Basic Authentication feature is unavailable. What is the most
probable reason for that?

Enhancements in IIS Manager

Key Points

What Is IIS Manager?


Internet Information Services (IIS) Manager is a primary administration tool for
managing the IIS Web server. The IIS Manager console in IIS 7.5 will be familiar to
the users of the IIS 7.0 Manager console and it is considerably different from the
administrative console in earlier IIS releases.

Enhancements in IIS Manager


In Windows Server 2008 R2, IIS Manager provides an updated navigation-based,
task-oriented, logically organized interface, with a filtering option. The Filtering
option is beneficial when you are managing Web servers with many Web sites.
Using IIS Manager, you can manage the ASP.NET and IIS configuration at one
place. IIS Manager is extensible and customizable, and provides integrated support
for the ASP.NET authorization, custom errors, FastCGI, and Request Filtering
features. IIS Manager also supports delegated and remote administration. In
Windows Server 2008 R2, IIS Manager provides the following enhancements:
• Request Filtering. Request Filtering provides filtering features, which were
previously available in a separate package, URLScan. By blocking specific
HTTP requests, Request Filter prevents potentially harmful requests from
being delivered and processed by Web applications on a Web server. The
Request Filtering user interface is part of IIS Manager and provides a GUI for
configuring the Request Filtering module.
• Configuration Editor. Configuration Editor is a new feature in IIS
Manager. You can use Configuration Editor to access and manage
configuration files by editing elements, attributes, and collections in a section.
Configuration Editor includes the following benefits:
• Schema driven: Configuration Editor is driven by the configuration
schema, which is located in the
windows\system32\inetsrv\config\schema folder. For example, you can
add sections to the configuration system and manage them with
Configuration Editor without building any additional administrative
interface.
• Additional information: Configuration Editor provides additional
information about configuration settings, such as the location where a
section is being used or the location from which a particular element in a
collection is inherited.
• Script generation: You can use Configuration Editor to generate scripts.
By generating scripts, you can make changes to IIS configuration and
generate code to automate those changes. Configuration Editor can
generate managed code such as C#, scripting such as JavaScript, or
command-line code such as AppCmd.
• Searching: You can quickly perform scoped searches of the configuration
system for all configuration sections and the location of their use.
• Locking: You can perform advanced locking, such as locking specific
attributes, individual items in a collection, or an entire section in the
configuration system.

Question: Where can you find Configuration Editor in IIS?


Windows PowerShell Provider and Cmdlet Support

Key Points
The Windows PowerShell provider for Web Administration (IIS) is a Windows
PowerShell module that allows you to automate complex IIS 7.5 administrative
tasks, and manage IIS configuration and run-time data. In addition, a collection of
low-level and task-oriented cmdlets, such as New-Website, New-WebAppPool, and
New-WebBinding, provide a simple way to manage Web sites, Web applications,
and Web servers.

Uses of Windows PowerShell


Using Windows PowerShell, you can:
• Simplify administration by scripting common management tasks.
• Run repetitive tasks automatically.
• Consolidate key Web metrics from all Web servers in real-time.

In addition, IIS-specific cmdlets in Windows Server 2008 R2 reduce the
administrative burden for many low-level, day-to-day tasks. For example, you can
use these cmdlets to add and change configuration properties of Web sites, Web-
based applications, virtual directories, and application pools. Users who are more
familiar with Windows PowerShell can run advanced configuration tasks and even
integrate existing Windows PowerShell scripts with other Windows PowerShell
providers across different Windows Server 2008 R2 feature areas.

Scenarios for using Windows PowerShell


In IIS 7.5, you can use Windows PowerShell for:
• Adding, modifying, or deleting sites and applications.
• Migrating site settings.
• Configuring Secure Sockets Layer (SSL) and other security settings.
• Restricting access to IIS servers by allowing only requests from specific IP
addresses or subnets.
• Backing up IIS configuration and content.
For example, to use the Web Administration module, run the following commands
from the Windows PowerShell prompt.

import-module WebAdministration
cd IIS:\
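As an added example (not code from the course), the following Windows PowerShell script uses the WebAdministration provider and the cmdlets named above to create an application pool, a Web site and a second binding, and then restricts the site to one subnet. The site, pool, path, host names and subnet are assumed values; the IP and Domain Restrictions role service is assumed to be installed.

```powershell
# Added example (not from the course). Assumed values: site and pool names, the
# content path, the host names and the management subnet. Requires the IP and
# Domain Restrictions role service and an elevated Windows PowerShell session.
Import-Module WebAdministration

$siteName = 'Contoso Site'
$poolName = 'ContosoPool'
$physPath = 'C:\inetpub\contoso'
$hostName = 'www.contoso.com'

# Application pool: runs under its own virtual account by default in IIS 7.5;
# here it also gets the .NET 2.0 runtime and the Integrated pipeline.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value 'v2.0'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedPipelineMode  -Value 'Integrated'

# Content folder and the site, bound to port 80 with a host header so that it
# can share the IP address with other sites.
if (-not (Test-Path $physPath)) { New-Item -ItemType Directory -Path $physPath | Out-Null }
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $physPath -ApplicationPool $poolName `
        -Port 80 -HostHeader $hostName | Out-Null
}

# A second host header for the same site: no additional IP address is needed.
New-WebBinding -Name $siteName -Protocol http -Port 80 -HostHeader 'contoso.com'

# IP and Domain Restrictions for this site. The ipSecurity section is locked at
# the server level by default, so the rules are written into applicationHost.config
# under a <location path="Contoso Site"> element rather than the site's web.config.
$ipSec = 'system.webServer/security/ipSecurity'
$root  = 'MACHINE/WEBROOT/APPHOST'
Set-WebConfigurationProperty -PSPath $root -Location $siteName -Filter $ipSec `
    -Name allowUnlisted -Value $false      # deny everything that is not listed
Add-WebConfigurationProperty -PSPath $root -Location $siteName -Filter $ipSec -Name '.' `
    -Value @{ ipAddress = '192.168.10.0'; subnetMask = '255.255.255.0'; allowed = $true }

# Read the result back from the configuration so the change is verified, not assumed.
function Get-SiteIpRules {
    param([string]$Site)
    Get-WebConfiguration -PSPath $root -Location $Site -Filter "$ipSec/add" |
        Select-Object ipAddress, subnetMask, allowed
}
Get-Website -Name $siteName | Select-Object name, state, applicationPool
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
Get-SiteIpRules -Site $siteName
```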

Question: Why should you use Windows PowerShell to administer an IIS Web
server?

Demonstration: How To Configure and Manage IIS

1. On LON-DC1, open the Internet Information Services (IIS) Manager console
to create a new Web site for Contoso with the following information:
• Site name: Contoso Ltd
• Physical path: C:\inetpub\contoso
• Host name: LON-DC1.contoso.com
2. Change the Web site name from Contoso Ltd. to Contoso Site by using the
Configuration Editor view script.
3. Refresh the LON-DC1 node to check whether the Web site name has changed
from Contoso Ltd to Contoso Site.

Question: How will you delegate administrative permissions in Internet
Information Services 7.5?

Improvements to FastCGI Support

Key Points
The FastCGI extension for IIS allows you to host FastCGI applications on an
IIS Web server in a reliable way. FastCGI provides a high-performance alternative
to Common Gateway Interface (CGI), a standard way of interfacing external
applications with Web servers.

What are CGI programs?


CGI programs are executables launched by the Web server. Using these
executables, the Web server processes each request and generates dynamic
responses to the client. CGI enables executable programs that do not support
multi-threaded execution to run reliably on IIS at the rate of one request per
process. CGI programs provide poor performance because of the overhead of
starting and shutting down a process for each request.

Advantages of FastCGI

FastCGI resolves the performance issues inherent in CGI by providing a
mechanism to reuse a single process over and over again for many requests. In
addition, FastCGI maintains compatibility with non-thread-safe libraries by
providing a pool of reusable processes and ensuring that each process handles
only one request at a time. On an IIS Web server, you can use FastCGI for running
PHP applications.

Improvements to FastCGI
Windows Server 2008 R2 provides the following improvements to the FastCGI
support:
• Support in IIS Manager for administering FastCGI settings. You can use
Configuration Editor in IIS Manager to administer the FastCGI settings
from a GUI.
• Monitor file changes. In IIS 7.5, you can configure FastCGI to monitor
the modifications made to a file, for each FastCGI process pool. If a change
to the file is detected, the FastCGI module will recycle the process for the
whole process pool.
• Real-time tuning. In previous releases, you were able to define the
maximum number of FastCGI processes that could be launched for each
application pool, which is a static value. In Windows Server 2008 R2, you
can set this value to zero and the FastCGI module will automatically
adjust the maximum number of processes every few seconds, based on the
system load and number of queued requests.
• Tracing. You can use the Standard Error (STDERR) data stream to send
trace messages to the FastCGI module. If the Failed Request Tracing
feature is enabled, the trace messages are logged to the Failed Request
Tracing log.
• Controlling FastCGI error handling based on specific errors. In
previous IIS releases, status code 500 was returned by the IIS Web server
and data received on the STDERR stream was sent as the response. In
Windows Server 2008 R2, you can configure the FastCGI module to
handle the text sent on the STDERR stream, based on the specific status
code of the error.

Question: How can you administer the FastCGI settings in IIS 7.5?


IIS Core Features

Key Points
IIS 7.5 is built on the previous release of IIS. Some of the new features are
visible in the IIS Manager administrative interface, whereas others are not.
Therefore, you must have a good understanding of how IIS works.

Changes to the IIS core features


Based on the feedback and experience with the previous release, IIS 7.5 introduces
the following changes to the core IIS platform:
• Configuration logging and tracing. Configuration logging and tracing
allows you to audit access to the IIS configuration and track successful or
failed modifications by enabling the new logs in Event Viewer. Previous
IIS releases did not include any built-in tracing mechanism for logging
configuration changes.
• Application hosting enhancements. IIS 7.5 is a more flexible and
manageable platform for Web applications such as ASP.NET and PHP
because it provides a variety of other features, such as service hardening,
support for managed service accounts, hostable Web core, and Failed
Request Tracing for FastCGI, that help increase security and improve
diagnostics.
• ASP.NET support for different common language runtime (CLR)
versions. Developers can use this functionality to switch between
multiple CLR versions. This functionality is also available in Windows
Server 2008 SP2.
• Better control over application pools. Using the new application pool
performance counters, you can set the CLR settings per application pool
and monitor performance.
• Delegatable custom errors. IIS 7.5 allows non-administrators to change
custom errors locally or remotely.
• IPv6 support for IP address restriction list. In IIS 7.5, you can define and
manage rules to allow or deny access to content, based on IPv4 or IPv6
addresses.
• Request Filtering. The Request Filtering module, previously available as
an extension for IIS 7.0, allows you to restrict or block specific HTTP
requests to prevent potentially harmful requests from reaching the server.
Request Filtering also supports request-specific rules.
• Nego2 support. Nego2 support is a new authentication negotiation
mechanism. This feature provides support for LiveID providers, FedSSP,
granular Kerberos, and NT LAN Manager (NTLM).
• Support for managed service accounts. In IIS 7.5, domain accounts that
have passwords managed by the host computer are supported as service
identities. Therefore, you no longer have to worry about expiring
application pool passwords.
• Application pool identity support. Application pool identities allow you
to run application pools under a unique account, without creating and
managing domain or local accounts. In IIS 7.5, the default application
pool identity is changed from Network Service to virtual accounts. For
example, the application pool with the name, “DefaultAppPool” will run as
the virtual account “DefaultAppPool”.

Question: Do you need to use a domain user account as the identity for an
application pool?

Demonstration: Exploring Core Features in IIS

1. Deny the jpg image files from being displayed on the Contoso Web page by
using the Request Filtering option.

The Contoso Ltd. real estate picture is still displayed on the Contoso Web page because
it is in .gif format.

2. Deny the gif image files from being displayed on the Contoso Web page by
using the Request Filtering option.

The Contoso Ltd. real estate picture is not displayed on the Contoso Web page.

3. Remove both the jpg and gif files from the Request Filtering list.
4. Open the Windows PowerShell window and run the following code to import
the Active Directory module.

Import-Module ActiveDirectory

5. Run the following code to create a managed service account.

New-ADServiceAccount ContosoIIS

6. Run the following code to install the managed service account on a local
computer.

install-ADServiceAccount ContosoIIS

7. Edit the application pool, ContosoPool, to set the following properties:
• Identity: Custom account
• User name: contoso\contosoiis$
8. Refresh the Contoso Web site and check whether the Web site runs in the
context of the ContosoIIS service account.

After a few seconds, a new application pool starts and the same Home page appears as
before. This time, the Web site runs in the context of the ContosoIIS service account;
therefore, there is no need to manage its password.
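The same demonstration done from Windows PowerShell instead of IIS Manager, as an added example that is not part of the course. The Web site name Contoso Site and the two helper function names are assumptions; ContosoPool and contoso\contosoiis$ are the names used in the steps above, and the managed service account is assumed to exist already (steps 4 to 6).

```powershell
# Added example (not from the course). Assumes the WebAdministration module, a
# site named 'Contoso Site' with application pool ContosoPool, and a managed
# service account contoso\contosoiis$ that has already been installed (steps 4-6).
Import-Module WebAdministration

$siteName  = 'Contoso Site'
$poolName  = 'ContosoPool'
$msa       = 'contoso\contosoiis$'   # MSA names end with $; no password is supplied
$reqFilter = 'system.webServer/security/requestFiltering/fileExtensions'

# requestFiltering is editable at site level by default, so these rules land in
# the site's web.config and apply to that site only.
function Deny-FileExtension {
    param([string]$Site, [string]$Extension)
    # Adding a duplicate key throws, so check first.
    $existing = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $reqFilter `
        -Name Collection | Where-Object { $_.fileExtension -eq $Extension }
    if (-not $existing) {
        Add-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $reqFilter -Name '.' `
            -Value @{ fileExtension = $Extension; allowed = $false }
    }
}

function Remove-FileExtensionRule {
    param([string]$Site, [string]$Extension)
    Remove-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $reqFilter -Name '.' `
        -AtElement @{ fileExtension = $Extension }
}

# Steps 1 and 2: block .jpg and then .gif. Blocked requests get HTTP 404.7
# ("File extension denied") and never reach the application.
Deny-FileExtension -Site $siteName -Extension '.jpg'
Deny-FileExtension -Site $siteName -Extension '.gif'

# Show the effective rules for the site (server-level entries are inherited too).
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $reqFilter -Name Collection |
    Select-Object fileExtension, allowed

# Step 3: remove both rules again.
Remove-FileExtensionRule -Site $siteName -Extension '.jpg'
Remove-FileExtensionRule -Site $siteName -Extension '.gif'

# Step 7: run the pool as the managed service account. identityType 3 is
# SpecificUser; the password stays empty because Windows manages it for the MSA.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel `
    -Value @{ identityType = 3; userName = $msa; password = '' }
Restart-WebAppPool -Name $poolName

# Step 8: confirm the identity the pool now uses.
Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel |
    Select-Object identityType, userName
```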

Question: How will you diagnose which page takes a longer time to serve from the
Web page?

Dynamic Applications on Server Core

Key Points
In Windows Server 2008 and Windows Server 2008 R2, the Web Server (IIS) role
is available in Full Installation and Server Core.

Server Core in Windows Server 2008


In Windows Server 2008, .NET Framework is included in Full Installation, but it is
not available on Server Core. Because both ASP.NET and Windows PowerShell depend
on .NET Framework, Windows Server 2008 Server Core does not support ASP.NET and
supports only a subset of IIS features. IIS can still function as a Web server and
deliver static Web content, but it cannot generate dynamic content by using
ASP.NET.

Server Core in Windows Server 2008 R2


In Windows Server 2008 R2, Server Core provides support for the subsets of .NET
Framework 2.0, 3.0, and 3.5.1, including the subsets of ASP.NET. Therefore, you
can host rich and dynamic ASP.NET applications, perform remote management
tasks from IIS Manager, and locally run cmdlets included with the Windows
PowerShell provider for Web administration. The only IIS feature not available on
Server Core is the management GUI. However, you can use the management GUI
to remotely manage IIS on Server Core after enabling and configuring the Web
Management Service on Server Core.
In Windows Server 2008 R2, .NET Framework and the ASP.NET support are not
installed by default. You must run the following commands to add the Web Server
(IIS) role and the ASP.NET support on Server Core.

dism /online /enable-feature /featurename:IIS-WebServerRole
dism /online /enable-feature /featurename:IIS-WebServer
dism /online /enable-feature /featurename:IIS-CommonHttpFeatures
dism /online /enable-feature /featurename:IIS-DefaultDocument
dism /online /enable-feature /featurename:IIS-Security
dism /online /enable-feature /featurename:IIS-RequestFiltering
dism /online /enable-feature /featurename:IIS-ApplicationDevelopment
dism /online /enable-feature /featurename:IIS-ISAPIFilter
dism /online /enable-feature /featurename:IIS-ISAPIExtensions
dism /online /enable-feature /featurename:IIS-NetFxExtensibility
dism /online /enable-feature /featurename:IIS-ASPNET

Note: Deployment Image Servicing and Management (DISM) is a new command-line
tool for servicing Windows images. DISM replaces Package Manager and it can be used
for enabling or disabling Windows operating system features. You can also enable or
disable Windows operating system features by using the Ocsetup tool.
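Added example (not part of the course): enabling the Web Management Service so that IIS Manager on another computer can connect to IIS on Server Core, as the text above describes. It is written in Windows PowerShell, which is assumed to be installed on the Server Core computer already, and the verification function name is an assumption.

```powershell
# Added example (not from the course). Run in an elevated Windows PowerShell
# session on the Server Core computer after the DISM commands above have added
# the Web Server role.

# 1. Install the Web Management Service (WMSVC) feature.
& dism.exe /online /enable-feature /featurename:IIS-ManagementService /quiet /norestart
# 0 = success, 3010 = success but a restart is required; anything else is a failure.
if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 3010) {
    throw "dism.exe failed with exit code $LASTEXITCODE"
}

# 2. WMSVC refuses remote IIS Manager connections until this value is 1.
$key = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
Set-ItemProperty -Path $key -Name EnableRemoteManagement -Value 1 -Type DWord

# 3. Start the service now and at every boot.
Set-Service -Name WMSVC -StartupType Automatic
Start-Service -Name WMSVC

# 4. Verify that the service is running, remote management is switched on and
#    the service is listening on TCP 8172 (its default port).
function Test-RemoteManagementReady {
    $svc = Get-Service -Name WMSVC -ErrorAction SilentlyContinue
    $enabled = (Get-ItemProperty -Path $key -Name EnableRemoteManagement).EnableRemoteManagement
    $listening = [bool](netstat -an | Select-String ':8172 .*LISTENING')
    return ($svc -ne $null -and $svc.Status -eq 'Running' -and $enabled -eq 1 -and $listening)
}

if (Test-RemoteManagementReady) {
    'WMSVC is ready; connect from IIS Manager with Connect to a Server.'
} else {
    'WMSVC is not ready; check the service state and EnableRemoteManagement.'
}
```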

Even though Windows Server 2008 R2 Server Core is exclusively a 64-bit
operating system, 32-bit applications are supported by enabling the Windows-on-
Windows 64-bit (WoW64) optional feature. If this feature is not enabled and you
try to run a 32-bit application, the application will fail. WoW64 is an optional
feature that you can uninstall if you will not run 32-bit code on Server Core.

Question: Why is it important to add the .NET Framework on Server Core?


Demonstration: How To Install ASP.NET on Server Core

1. On LON-CORE, run the following code to install the Web Server role with support
for ASP.NET. This code will add all the necessary features on LON-CORE and
configure the server to allow remote administration.

Core-iis.bat

File Core-iis.bat is not a part of Windows Server 2008 R2 Server Core installation. It is
prepared for this course and it contains commands to install IIS role services and enable
IIS remote management on Server Core.

2. On LON-DC1, use the Connect to a Server option to connect LON-DC1 with
LON-CORE and to enable remote management with the following
information:
• Server name: LON-CORE.contoso.com
• User name: Administrator
• Password: Pa$$w0rd
3. Move the BlogEngine folder from C:\inetpub to \\LON-CORE.contoso.com\c$\inetpub.
4. Add a new Web site, ASP.NET, to the Sites node of LON-CORE.contoso.com
with the following information:
• Site name: ASP.NET Site
• Physical path: c:\inetpub\BlogEngine
• Host name: LON-CORE.contoso.com
Question: How can you administer Internet Information Services on Server Core?

Enhanced Server Protection

Key Points
The Web Server (IIS) role is not installed by default. When you add the Web
Server (IIS) role to a server, a minimal and locked-down installation is performed
by default. As IIS is built from over 40 modules, you can install just the modules
you need. By doing that, you not only reduce the number of components that must
be managed, patched, and maintained, you also increase security, performance,
scalability, and reliability of the Web Server (IIS) role.

Security enhancements in IIS


IIS includes several key simplifications for security management. The management
improvements include:
• Rich, delegated administration support. IIS enables you to delegate
configuration and management tasks to non-administrators in a simple
and secure manner.
• Unified authentication and authorization management. IIS allows you
to manage all types of authentication and authorization, including
Forms authentication and URL Authorization, in a single place, for all
types of content.
• Support for IIS Manager users. You can create IIS Manager users for the Web
server. IIS Manager users do not have a Windows account and cannot
log on to the Web server.
• Built-in Request Filter. The Request Filtering module allows you to
restrict or block specific HTTP requests to prevent potentially harmful
requests from reaching the server.
• Service hardening. Built on the IIS 7.0 application pool isolation model
that increased security and reliability, every IIS 7.5 application pool runs
each process as a unique, less-privileged identity.
• Managed service accounts. In IIS 7.5, domain accounts that have
passwords managed by the host computer are now supported as service
identities.
• Best Practices Analyzer (BPA). In Windows Server 2008 R2, Server
Manager includes BPA. You can use BPA to reduce best practice violations
by scanning an IIS 7.5 Web server and reporting when potential
configuration issues are found.

Question: How can you configure IIS-related security settings?


Lesson 2
Configuring FTP

In Windows Server 2008 R2, the FTP Server 7.5 role service has been enhanced to
incorporate many new features that allow Web content creators to publish content
more easily and securely to IIS Web servers by using modern Internet publishing
standards. FTP allows hosting multiple FTP sites on the same IP address through
virtual host name support. FTP has improved user isolation, which allows you to
isolate users through per-user virtual directories and provides seamless integration
with IIS Manager for integrated management of FTP and Web sites.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the FTP Server 7.5 features.
• Configure FTP virtual host names.
• Configure FTP user isolation.
• Configure SSL-enabled FTP sites.
• Describe the enhanced FTP logging features.

FTP Server 7.5 Features

In Windows Server 2008 R2, FTP Server is completely rewritten to provide a
robust and secure FTP solution in a Windows environment. The FTP service is
customized for Windows Server 2008 and Windows Server 2008 R2. It helps you
enable powerful publishing capabilities for your Web environment. Using the FTP
service, Web authors can publish content more easily and securely than with
previous FTP Server versions.
FTP Server 7.5 is available as a role service in Windows Server 2008 R2 and as a
separate download for IIS 7.0. The FTP Server 7.5 role service provides better
integration, management, authentication, and logging features for both Web
administrators and hosting companies.

Enhancements in FTP Server 7.5


FTP Server 7.5 supports the same features as previous releases, and includes the
following new features and improvements:
• Integration with IIS 7.5. FTP is tightly integrated with IIS and IIS
Manager, and adopts the configuration store that IIS is using. Metabase
from previous IIS versions has been deprecated, and the new
configuration system is based on .NET .config XML files. This format is
easier to read and configure than the metabase, and the FTP service takes
full advantage of this design. All information for FTP is stored in a central
configuration store for IIS 7.5, known as applicationHost.config file. IIS
Manager manages both Web sites and FTP sites through the same user
interface.
• Security and support for new Internet standards. FTP service includes
support for the new Internet standards, such as IPv6, 8-bit Unicode
Transformation Format (UTF-8), and support for FTP over SSL, which is
one of the most significant features in the new FTP service. You can
implement a standard FTP service and encrypt all communication with it.
FTP also supports the use of non-Windows accounts for authentication.
By default, FTP supports two such authentication methods: Web Manager
authentication and .NET Membership authentication.
• Shared hosting improvements. The FTP service is fully integrated into
IIS. This allows you to host FTP and Web content from the same site by
simply adding an FTP binding to an existing Web site. The FTP service
supports virtual host names, which allows you to host multiple FTP sites
on the same IP address. In addition, FTP Server 7.5 has improved user
isolation, which allows you to isolate users through per-user virtual
directories.
• Improved logging and supportability. FTP logging has been enhanced to
include all FTP-related commands, unique tracking for FTP sessions, FTP
sub-statuses, and additional detail fields in FTP logs.

Question: What is the minimum number of IP addresses that must be assigned to
the Web server, if you want to host ten Web sites and seven FTP sites on the
server?

Demonstration: How To Configure FTP Virtual Host Names

1. On LON-DC1, create two FTP sites by using the Internet Information Services
(IIS) Manager with the following information:
FTP Site1
• FTP site name: FTP Site 1
• Physical path: c:\inetpub\ftproot
• IP Address: 192.168.10.1
• Enable Virtual Host Names
• Virtual Host: ftp1.contoso.com
• No SSL
• Authentication: Basic
• Allow Access to: All users
• Permission: Read
FTP Site2
• FTP site name: FTP Site 2
• Physical path: c:\inetpub\contoso
• IP Address: 192.168.10.1
• Enable Virtual Host Names
• Virtual Host: ftp2.contoso.com
• No SSL
• Authentication: Basic
• Allow Access to: All users
• Permission: Read and Write
2. Open the command prompt and run the following code to connect to the FTP
site, FTP1.

ftp ftp1.contoso.com

3. Run the following code to provide a credential.

ftp1.contoso.com|administrator
Pa$$w0rd

4. Run the following code to create a folder on the FTP1 site.

dir
mkdir FTP1

An Access Denied error message appears because you have only Read access to the
FTP1.contoso.com ftp site.

5. Run the following code to connect to the FTP site, FTP2.

ftp ftp2.contoso.com

6. Run the following code to provide a credential.

ftp2.contoso.com|administrator
Pa$$w0rd

7. Run the following code to create a folder on the FTP2 site.

dir
mkdir FTP2

The error message does not appear, because you have both Read and Write permissions
to the FTP2.contoso.com ftp site.

Question: Why do you use FTP Virtual Host Names?


Demonstration: How To Configure FTP User Isolation

1. Open the Internet Information Services (IIS) Manager console and explore
FTP User Isolation.
2. Open the command prompt and run the following command to connect to the
FTP site, FTP1.

ftp ftp1.contoso.com

3. Run the following command to provide a credential.

ftp1.contoso.com|ruser
Pa$$w0rd

4. Run the following command to list the content of the FTP1 site.

dir

Verify whether all three subfolders of the c:\inetpub\ftproot folder are listed.

5. Run the following command to close the connection with FTP1 site.

quit

6. Run the following command to connect to the FTP site, FTP1.

ftp ftp1.contoso.com

7. Run the following command to provide a credential.

ftp1.contoso.com|ruser
Pa$$w0rd

8. Run the following code to close the connection with FTP1 site.

quit

9. Run the following command to connect to the FTP site, FTP1.

ftp ftp1.contoso.com

10. Run the following command to provide a credential.

ftp1.contoso.com|ruser
Pa$$w0rd

11. Run the following command to close the connection with FTP1 site.

quit

12. Run the following command to connect to the FTP site, FTP1.

ftp ftp1.contoso.com

13. Run the following command to provide a credential.

ftp1.contoso.com|ruser
Pa$$w0rd

14. Run the following code to close the connection with FTP1 site.

quit

Question: When do you use FTP User Isolation?



Demonstration: How To Configure an SSL-Enabled FTP Site

1. On LON-DC1, create a computer account for the SSL certificate.
2. Verify whether the certificate with the name LON-DC1.contoso.msft is there
and then change the certificate name of LON-DC1.contoso.com to SSL
Certificate.
3. On LON-DC1, create an SSL-enabled FTP site by using the Internet
Information Services (IIS) Manager with the following information:
• FTP site name: SSL FTP Site
• Physical path: c:\inetpub\ftproot
• IP Address: All Unassigned
• SSL Certificate: SSL Certificate
• Authentication: Basic
• Allow Access to: All users
• Permission: Read

4. Set the following SSL FTP settings to configure additional SSL settings to
ensure that all user credentials are encrypted.
• SSL Policy: Custom
• Control Channel: Require only for credential
• Data Channel: Allow
5. At the command prompt, run the following command to log on to the FTP site
with the user name, Administrator, and the password, Pa$$w0rd.

ftp lon-dc1.contoso.com

You will get an Access Denied message because the SSL policy requires SSL for
credentials and the FTP client from the command line does not support it.
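Added example, not from the course: the FTP sites from this demonstration and from the virtual host names demonstration earlier, created with the WebAdministration provider instead of IIS Manager. The helper function name is an assumption, the FTP Server role service is assumed to be installed, and a certificate for LON-DC1.contoso.com is assumed to be in the computer's personal certificate store.

```powershell
# Added example (not from the course). Assumes the FTP Server 7.5 role service,
# the WebAdministration module, and a certificate issued to LON-DC1.contoso.com
# in Cert:\LocalMachine\My. New-ContosoFtpSite is a helper written for this example.
Import-Module WebAdministration

function New-ContosoFtpSite {
    param([string]$Name, [string]$Path, [string]$IPAddress, [string]$HostName, [string]$Permissions)
    # The virtual host name becomes part of the binding (ftp://IP:port:hostname).
    # Clients pick the site by logging on as "hostname|user", as in the demonstrations.
    $params = @{ Name = $Name; PhysicalPath = $Path; Port = 21 }
    if ($IPAddress) { $params.IPAddress  = $IPAddress }
    if ($HostName)  { $params.HostHeader = $HostName }
    New-WebFtpSite @params | Out-Null

    # Basic authentication only; anonymous logons stay off.
    Set-ItemProperty "IIS:\Sites\$Name" -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true
    Set-ItemProperty "IIS:\Sites\$Name" -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false

    # FTP authorization rule: all authenticated users get the given permissions.
    Add-WebConfiguration -PSPath 'IIS:\' -Location $Name -Filter '/system.ftpServer/security/authorization' `
        -Value @{ accessType = 'Allow'; users = '*'; permissions = $Permissions }
}

# Demonstration "FTP Virtual Host Names": two sites share one IP address and port 21.
New-ContosoFtpSite -Name 'FTP Site 1' -Path 'C:\inetpub\ftproot' -IPAddress '192.168.10.1' `
    -HostName 'ftp1.contoso.com' -Permissions 'Read'
New-ContosoFtpSite -Name 'FTP Site 2' -Path 'C:\inetpub\contoso' -IPAddress '192.168.10.1' `
    -HostName 'ftp2.contoso.com' -Permissions 'Read,Write'

# Demonstration "SSL-Enabled FTP Site": all unassigned addresses, certificate bound,
# credentials must travel over SSL, the data channel may use either.
New-ContosoFtpSite -Name 'SSL FTP Site' -Path 'C:\inetpub\ftproot' -Permissions 'Read'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=LON-DC1.contoso.com*' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate for LON-DC1.contoso.com in Cert:\LocalMachine\My' }
$ssl = 'IIS:\Sites\SSL FTP Site'
Set-ItemProperty $ssl -Name ftpServer.security.ssl.serverCertHash       -Value $cert.Thumbprint
Set-ItemProperty $ssl -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequireCredentialsOnly'
Set-ItemProperty $ssl -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslAllow'

# Read back the bindings and the SSL policy so the result is verified, not assumed.
foreach ($site in 'FTP Site 1', 'FTP Site 2', 'SSL FTP Site') {
    Get-WebBinding -Name $site | Select-Object @{ n = 'site'; e = { $site } }, protocol, bindingInformation
}
Get-ItemProperty $ssl -Name ftpServer.security.ssl | Select-Object controlChannelPolicy, dataChannelPolicy
```

A plain-text client such as the command-line ftp tool is refused by the SSL FTP Site for the reason the demonstration gives: its credentials would cross the wire unencrypted.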

Question: Why do you use SSL-enabled FTP site?


Enhanced FTP Logging Features

Key Points
The FTP service in IIS 7.5 introduces improved logging and supportability features.
FTP logging has been enhanced to include all FTP-related commands and additional
detail fields in FTP logs. These new fields include real session stamps, which allow
you to parse logs to track the user activity throughout a session. You can also log the
full path for requests for files or folders. This is useful because servers typically log
only the name of the file or folder, which makes large log files difficult to read.

Access Log
When you enable logging for an FTP server, an access log is created for that server.
Every time a user requests a file, an entry is registered in the access log. Therefore,
the access log holds the history of every successful and unsuccessful attempt to
retrieve a file from the FTP site. Each entry has its own line in the log file, and
therefore, you can easily extract entries from the access log and compile the entries
into reports. You can get more information about the visitors of the FTP site and
their activity from these reports.

Detailed error messaging and detailed information logging


IIS 7.5 has a new option to display detailed error messages for local users. The FTP
service supports this option by providing detailed error responses when logging on
locally to an FTP server. The FTP service also logs detailed information by using
Event Tracing for Windows (ETW), which provides additional detailed
information for troubleshooting. These features simplify troubleshooting and help
hosting companies provide better support to their customers.
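The following is an added example, not part of the courseware, of what the session
and full-path fields make possible: it reads IIS 7.5 FTP W3C log lines, rebuilds each
session from the session identifier, lists the physical paths fetched (and refused)
in that session, and flags client addresses with repeated logon failures. The log
lines are constructed for this example; the field names x-session and x-fullpath and
the field order are those of an IIS 7.5 FTP log as assumed here, and because the
parser reads the field list from the #Fields header it adapts to whatever fields your
server is configured to log. ConvertFrom-FtpLog, Get-FailedLogonsByClient and
Get-SessionSummary are functions defined in this example, not IIS cmdlets.

```powershell
# Added example (not part of the 10159A courseware). Sample log lines are constructed.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2010-02-01 10:00:01 192.168.10.50 - 192.168.10.1 21 ControlChannelOpened - - 0 0 a1b2c3 -
2010-02-01 10:00:02 192.168.10.50 - 192.168.10.1 21 USER administrator 331 0 0 a1b2c3 -
2010-02-01 10:00:03 192.168.10.50 administrator 192.168.10.1 21 PASS *** 230 0 0 a1b2c3 -
2010-02-01 10:00:05 192.168.10.50 administrator 192.168.10.1 21 RETR report.docx 226 0 0 a1b2c3 /contoso/report.docx
2010-02-01 10:00:08 192.168.10.50 administrator 192.168.10.1 21 RETR secret.xlsx 550 5 0 a1b2c3 /contoso/secret.xlsx
2010-02-01 10:00:09 192.168.10.50 administrator 192.168.10.1 21 QUIT - 221 0 0 a1b2c3 -
2010-02-01 10:01:00 192.168.10.77 - 192.168.10.1 21 USER administrator 331 0 0 d4e5f6 -
2010-02-01 10:01:01 192.168.10.77 - 192.168.10.1 21 PASS *** 530 1326 0 d4e5f6 -
2010-02-01 10:01:03 192.168.10.77 - 192.168.10.1 21 USER administrator 331 0 0 d4e5f6 -
2010-02-01 10:01:04 192.168.10.77 - 192.168.10.1 21 PASS *** 530 1326 0 d4e5f6 -
2010-02-01 10:01:06 192.168.10.77 - 192.168.10.1 21 USER administrator 331 0 0 d4e5f6 -
2010-02-01 10:01:07 192.168.10.77 - 192.168.10.1 21 PASS *** 530 1326 0 d4e5f6 -
'@

function ConvertFrom-FtpLog {
    # Turns W3C log lines into objects whose property names are taken from the #Fields header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if (-not $fields -or -not $line.Trim() -or $line.StartsWith('#')) { continue }
        $values = $line -split ' '
        $entry  = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $entry | Add-Member NoteProperty $fields[$i] $values[$i]
        }
        $entry
    }
}

function Get-FailedLogonsByClient {
    # PASS answered with 530 is a failed logon; Win32 status 1326 is "bad user name or password".
    # Clients at or above the threshold are candidates for a password-guessing alert.
    param($Entries, [int]$Threshold = 3)
    $Entries | Where-Object { $_.'cs-method' -eq 'PASS' -and $_.'sc-status' -eq '530' } |
        Group-Object 'c-ip' | Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{ n = 'ClientIP'; e = { $_.Name } }, Count
}

function Get-SessionSummary {
    # x-session ties every command of one connection together; x-fullpath shows the
    # physical path behind each RETR, including refused ones (sc-status 550).
    param($Entries)
    $Entries | Group-Object 'x-session' | ForEach-Object {
        $g = $_.Group
        New-Object PSObject -Property @{
            Session  = $_.Name
            ClientIP = ($g | Select-Object -First 1).'c-ip'
            User     = ($g | Where-Object { $_.'cs-username' -ne '-' } | Select-Object -First 1).'cs-username'
            Fetched  = @($g | Where-Object { $_.'cs-method' -eq 'RETR' -and $_.'sc-status' -eq '226' } | ForEach-Object { $_.'x-fullpath' })
            Denied   = @($g | Where-Object { $_.'cs-method' -eq 'RETR' -and $_.'sc-status' -eq '550' } | ForEach-Object { $_.'x-fullpath' })
        }
    }
}

$entries = ConvertFrom-FtpLog -Lines ($sampleLog -split "`r?`n")
Get-FailedLogonsByClient -Entries $entries | Format-Table -AutoSize
Get-SessionSummary -Entries $entries | Format-List Session, ClientIP, User, Fetched, Denied
```

For a real server, replace $sampleLog with Get-Content of a log file under the
site's log directory (by default C:\inetpub\logs\LogFiles\FTPSVC<site ID>). With the
sample above, 192.168.10.77 is reported with three failed logons, and session a1b2c3
shows one file fetched and one refused, both with their physical paths.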

Question: Why is logging important?


Lab: Configuring and Managing Windows Server 2008 R2 Web Services

Introduction
In this lab, you will configure and manage Windows Server 2008 R2 Web Services.
To do this, you will create and configure a new Web site to use Request Filtering
and assign the managed service account as the application pool account. You will
also install the Web Server role with ASP.NET on server core, enable remote
management, and configure the ASP.NET Web site. Finally, you will configure FTP
virtual host names and deploy the FTP site over SSL.

Objectives
After completing this lab, you will be able to:
• Create and configure a Web site on Windows Server 2008 R2.
• Manage ASP.NET on Server Core.
• Configure FTP virtual host names and deploy FTP over SSL.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-CORE virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
Scenario

You are a Web server administrator at Contoso, Ltd. Your organization currently
uses Web Server (IIS) and wants to upgrade to IIS 7.5. To do this, you need to
create and configure a Web site by using IIS Manager. Then, you need to explore
ASP.NET on Server Core and configure Server Core remotely. Because the FTP
service is a part of the Web server, you also need to create FTP sites that use
FTP over SSL access.
Exercise 1: Creating and Configuring a Web Site on Windows Server 2008 R2
The main tasks for this exercise are as follows:
1. Start the virtual servers.
2. Create a new Web site from IIS Manager.
3. View and change the IIS settings through Configuration Editor.
4. Configure the Web site to use Request Filtering.
5. Create and assign the managed service account as the application pool
account.

Task 1: Start the virtual servers.


1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
2. Log on to LON-CORE with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.

Task 2: Create a new Web site from IIS Manager.

• On LON-DC1, open the Internet Information Services (IIS) Manager
console and create a new Web site for Contoso, Ltd with the following
information:
• Site name: Contoso Ltd
• Physical path: C:\inetpub\contoso
• Host name: LON-DC1.contoso.com
• Open Internet Explorer to view the new Web site created for Contoso,
Ltd.

Task 3: View and change the IIS settings through Configuration
Editor.
• Change the Web site name from Contoso Ltd to Contoso Site by using
Configuration Editor, and view the script that Configuration Editor generates
to perform this change.
• Refresh the LON-DC1 node to check whether the Web site name has
changed from Contoso Ltd to Contoso Site.


• Create a new application pool in Configuration Editor and generate a
script for its creation. The application pool should be created with the
following information:
• Name: ContosoPool
• identityType: NetworkService
• View the ContosoPool application pool properties to verify that
NetworkService is listed as its Identity.
• Assign Contoso Site to run in ContosoPool application pool.
• Refresh the Home page of Contoso Site and verify whether the new
application pool starts.

Task 4: Configure the Web site to use Request Filtering.

• Use the Request Filtering feature to deny requests for .jpg files on the
Contoso Web site.

The Contoso Ltd. real estate picture is still displayed on the Contoso Web page, because
it is in .gif format.

• Use the Request Filtering feature to deny requests for .gif files on the
Contoso Web site.

The Contoso Ltd. real estate picture is no longer displayed on the Contoso Web page.

• Remove both the .jpg and .gif entries from the Request Filtering list.

Task 5: Create and assign the managed service account as the
application pool account.
• Open the Windows PowerShell window and run the following command
to import the Active Directory module.

Import-Module ActiveDirectory

• Run the following command to create a managed service account.

New-ADServiceAccount ContosoIIS

• Run the following command to install the managed service account on the
local computer. This binds the account to LON-DC1, which is the only computer
that can then retrieve the account's password.

Install-ADServiceAccount ContosoIIS

• Edit the application pool, ContosoPool, to set the following properties:
• Identity: Custom account
• User name: contoso\contosoiis$
• Password: leave blank. The computer retrieves the managed password itself,
so no password is typed here or stored in applicationHost.config.
• Refresh the Contoso Web site and check whether the Web site runs in the
context of the ContosoIIS service account.
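The same Exercise 1 settings applied from Windows PowerShell instead of IIS
Manager, as an added example that is not part of the courseware. It assumes the
WebAdministration and ActiveDirectory modules of Windows Server 2008 R2, the
lab's site, pool and account names, an elevated prompt on LON-DC1, and (for the
request-filtering check) an image named picture.gif on the site, which is an
assumption to replace with the real file name. Test-Url and Get-W3wpOwner are helper
functions defined here for the example, not IIS cmdlets.

```powershell
# Added example (not part of the 10159A courseware). Applies the Exercise 1 settings from
# PowerShell: request filtering for .jpg/.gif, a standalone managed service account (MSA),
# and the MSA as ContosoPool's identity. Requires the Request Filtering role service.
Import-Module WebAdministration
Import-Module ActiveDirectory

$siteName = 'Contoso Site'          # names from the lab
$poolName = 'ContosoPool'
$msaName  = 'ContosoIIS'
$sitePath = "IIS:\Sites\$siteName"
$rfFilter = '/system.webServer/security/requestFiltering/fileExtensions'

# --- Request Filtering: deny by file extension (same as "Deny File Name Extension") ---
foreach ($ext in '.jpg', '.gif') {
    $present = Get-WebConfiguration -Filter "$rfFilter/add" -PSPath $sitePath |
               Where-Object { $_.fileExtension -eq $ext }
    if (-not $present) {
        Add-WebConfiguration -Filter $rfFilter -PSPath $sitePath `
            -Value @{ fileExtension = $ext; allowed = $false }
    }
}

function Test-Url {
    # Returns the HTTP status code for a GET; a denied extension answers 404 (sub-status 404.7).
    param([string]$Url)
    try {
        $resp = [System.Net.WebRequest]::Create($Url).GetResponse()
        $code = [int]$resp.StatusCode; $resp.Close(); return $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}
Test-Url 'http://LON-DC1.contoso.com/picture.gif'    # assumed file name; 404 while .gif is denied

# Undo the two deny rules, as the lab does at the end of Task 4.
foreach ($ext in '.jpg', '.gif') {
    Remove-WebConfigurationProperty -Filter $rfFilter -PSPath $sitePath -Name '.' `
        -AtElement @{ fileExtension = $ext }
}

# --- Managed service account as the application pool identity ---
# The domain generates and rotates the MSA password; Install-ADServiceAccount binds the
# account to this computer, so no password is typed or stored in applicationHost.config.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$msaName'")) {
    # On Windows Server 2012 and later add -RestrictToSingleComputer to get a standalone MSA.
    New-ADServiceAccount -Name $msaName -Enabled $true
}
Install-ADServiceAccount -Identity $msaName

# identityType 3 = SpecificUser; the user name is the MSA's SAM name with its trailing $.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel `
    -Value @{ identityType = 3; userName = "contoso\$msaName`$"; password = '' }
Set-ItemProperty $sitePath -Name applicationPool -Value $poolName
Restart-WebAppPool -Name $poolName

function Get-W3wpOwner {
    # Lists each IIS worker process with the account it runs as.
    Get-WmiObject Win32_Process -Filter "Name = 'w3wp.exe'" | ForEach-Object {
        $o = $_.GetOwner()
        New-Object PSObject -Property @{ PID = $_.ProcessId; Owner = "$($o.Domain)\$($o.User)" }
    }
}
Test-Url 'http://LON-DC1.contoso.com/' | Out-Null   # one request starts the worker process
Get-W3wpOwner                                        # expect contoso\ContosoIIS$ for ContosoPool
```

The worker-process check is the one that matters: the pool's identity setting can be
accepted by IIS and still fail at start-up if Install-ADServiceAccount was not run on
this computer, and the failure only shows when the first request arrives.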

Results: After completing this exercise, you should have created a new Web site for
Contoso Ltd, changed the IIS settings of the Web site through Configuration
Editor, and configured the Web site to use Request Filtering. You should have also
created the managed service account and assigned it as the application pool account.
Exercise 2: Managing ASP.NET on Server Core

The main tasks for this exercise are as follows:


1. Install the Web Server role with ASP.NET on Server Core and enable remote
management.
2. Configure the ASP.NET Web site.
3. Test the ASP.NET Web site on Server Core.

Task 1: Install the Web Server role with ASP.NET on Server Core and
enable remote management.
• On LON-CORE, run the following script to install the Web Server role
with support for ASP.NET. This command will add all the necessary features
on LON-CORE and configure the server to allow remote administration.

C:\Core-iis.bat

• On LON-DC1, use the Connect to a Server option to connect to LON-CORE
for remote management, with the following information:
• Server name: LON-CORE.contoso.com
• User name: Administrator
• Password: Pa$$w0rd

Task 2: Configure the ASP.NET Web site.

• Copy the BlogEngine folder from C:\inetpub to
\\LON-CORE.contoso.com\c$\inetpub.
• Create a new Web site, ASP.NET Site, on the LON-CORE server with the
following information:
• Site name: ASP.NET Site
• Physical path: c:\inetpub\BlogEngine
• Host name: LON-CORE.contoso.com
Task 3: Test the ASP.NET Web site on Server Core.

• On LON-DC1, open the BlogEngine Web site (host name LON-CORE.contoso.com)
in Internet Explorer and verify that Windows Server 2008 R2 Server Core can
process ASP.NET applications.

Results: After completing this exercise, you should have installed the Web Server role
with ASP.NET on Server Core, enabled remote management, and configured the
ASP.NET Web site. You should have verified the ASP.NET Web site on Server Core.
Exercise 3: Configuring FTP Virtual Host Names and Deploying FTP over SSL

The main tasks for this exercise are as follows:


1. Add the FTP Server role service to LON-DC1.
2. Add the DNS server resource records.
3. Create two FTP sites that use the virtual host names.
4. Connect to the FTP sites.
5. Create an SSL-enabled FTP Site.

Task 1: Add the FTP Server role service to LON-DC1.


• On LON-DC1, install the Web Server role service, FTP Server, by using the
Server Manager console.

Task 2: Add the DNS server resource records.


• On LON-DC1, add two DNS resource records to the Contoso.com
Forward Lookup Zone with the following information:
DNS Record 1
• Name: FTP1
• IP address: 192.168.10.1
DNS Record 2
• Name: FTP2
• IP address: 192.168.10.1

Task 3: Create two FTP sites that use the virtual host names.
• On LON-DC1, create two FTP sites that use virtual host names by using
the Internet Information Services (IIS) Manager with the following
information:
FTP Site 1
• FTP site name: FTP Site 1
• Physical path: c:\inetpub\ftproot
• IP Address: 192.168.10.1
• Enable Virtual Host Names
• Virtual Host: ftp1.contoso.com
• No SSL
• Authentication: Basic
• Allow access to: All users
• Permission: Read
FTP Site 2
• FTP site name: FTP Site 2
• Physical path: c:\inetpub\contoso
• IP Address: 192.168.10.1
• Enable Virtual Host Names
• Virtual Host: ftp2.contoso.com
• No SSL
• Authentication: Basic
• Allow access to: All users
• Permission: Read and Write

Task 4: Connect to the FTP sites.


• Open the command prompt and run the following command to connect
to the FTP site, FTP1.

ftp ftp1.contoso.com

• At the User and Password prompts, enter the following. The host name
before the | tells the FTP service which virtual host the logon is for, because
both sites share the same IP address and port.

ftp1.contoso.com|administrator
Pa$$w0rd

• Run the following commands to list the contents of, and then try to create a
folder on, the FTP1 site.

dir
mkdir FTP1

An "Authorization rules denied the access" error message appears because you have
only Read access to the FTP1.contoso.com FTP site.

• Run the following command to connect to the FTP site, FTP2.

ftp ftp2.contoso.com

• At the User and Password prompts, enter the following.

ftp2.contoso.com|administrator
Pa$$w0rd

• Run the following commands to list the contents of, and then create a folder
on, the FTP2 site.

dir
mkdir FTP2

No error message appears because you have both Read and Write permissions
to the FTP2.contoso.com FTP site.

Task 5: Create an SSL-enabled FTP Site.

• On LON-DC1, obtain a computer certificate to use for SSL.
• In IIS Manager, under Server Certificates, verify that a certificate issued to
LON-DC1.contoso.com is present, and then change its friendly name to SSL
Certificate.
• On LON-DC1, create an SSL-enabled FTP site by using the Internet
Information Services (IIS) Manager with the following information:
• FTP site name: SSL FTP Site
• Physical path: c:\inetpub\ftproot
• IP Address: All Unassigned
• SSL Certificate: SSL Certificate
• Authentication: Basic
• Allow access to: All users
• Permission: Read
• Configure the following SSL settings for the FTP site so that user credentials
are always sent over an encrypted control channel:
• SSL Policy: Custom
• Control Channel: Require only for credentials
• Data Channel: Allow
• At the command prompt, run the following command to log on to the FTP
site with the user name, Administrator, and the password, Pa$$w0rd.

ftp lon-dc1.contoso.com

The logon is refused (Access Denied) because the SSL policy requires SSL for
credentials, and the command-line FTP client (ftp.exe) does not support FTP over
SSL.
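The SSL-enabled FTP site from this task (and from the earlier demonstration) built
from Windows PowerShell, followed by a client-side check of the SSL policy, as an
added example that is not part of the courseware. It assumes the WebAdministration
module of Windows Server 2008 R2, an elevated prompt on LON-DC1 with the FTP
Server role service installed, and a computer certificate whose subject is
CN=LON-DC1.contoso.com in the machine store (the lab renames it SSL Certificate).
The .NET FtpWebRequest class is used for the check because, unlike ftp.exe, it
supports FTP over SSL; Test-FtpLogon is a function defined here, not an IIS cmdlet.

```powershell
# Added example (not part of the 10159A courseware). Builds "SSL FTP Site", applies the
# Task 5 SSL policy, and checks it from the client side. Run elevated on LON-DC1.
Import-Module WebAdministration

$siteName = 'SSL FTP Site'
$ftpHost  = 'lon-dc1.contoso.com'
$sitePath = "IIS:\Sites\$siteName"

# Assumption: a computer certificate issued to LON-DC1.contoso.com is in the machine store;
# the FTP service references it by thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$ftpHost*" } | Select-Object -First 1
if (-not $cert) { throw "No certificate for $ftpHost in Cert:\LocalMachine\My" }

# IP address defaults to All Unassigned (*), as in the lab.
if (-not (Test-Path $sitePath)) {
    New-WebFtpSite -Name $siteName -PhysicalPath 'C:\inetpub\ftproot' -Port 21 -Force | Out-Null
}

# Authentication: Basic only; authorization: all users, Read. The authorization section is
# location-scoped, so it is written through -Location rather than on the site item.
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $siteName `
    -Value @{ accessType = 'Allow'; users = '*'; permissions = 'Read' }

# SSL policy. SslRequireCredentialsOnly = "Require only for credentials"; SslAllow = "Allow".
# With SslAllow on the data channel a client may still move file contents in clear text;
# use SslRequire there if that is not acceptable.
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.serverCertHash       -Value $cert.Thumbprint
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequireCredentialsOnly'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslAllow'

# Review what was written to applicationHost.config.
Get-ItemProperty $sitePath -Name ftpServer.security.ssl |
    Format-List controlChannelPolicy, dataChannelPolicy, serverCertHash

function Test-FtpLogon {
    # Explicit FTPS: with EnableSsl the client sends AUTH TLS before USER/PASS. A plain
    # logon (what ftp.exe does) is refused by the control-channel policy.
    param([string]$HostName, [string]$User, [string]$Password, [bool]$UseSsl)
    $req = [System.Net.FtpWebRequest]::Create("ftp://$HostName/")
    $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
    $req.EnableSsl   = $UseSsl
    $req.Credentials = New-Object System.Net.NetworkCredential($User, $Password)
    try   { $resp = $req.GetResponse(); $resp.Close(); return $true }
    catch [System.Net.WebException] { Write-Warning $_.Exception.Message; return $false }
}

# Single quotes keep the $$ in the lab password from being expanded by PowerShell.
Test-FtpLogon -HostName $ftpHost -User 'Administrator' -Password 'Pa$$w0rd' -UseSsl $false
Test-FtpLogon -HostName $ftpHost -User 'Administrator' -Password 'Pa$$w0rd' -UseSsl $true
```

The first call should return False and the second True, provided LON-DC1 trusts the
issuer of the certificate: the .NET client validates the server certificate, so a
self-signed certificate fails the second check until its issuer is trusted, which is
exactly what real clients will see in production.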

Results: After completing this exercise, you should have added the FTP Server role
service to LON-DC1, created two DNS resource records and two FTP sites that use
virtual host names, connected to both sites, and created an SSL-enabled FTP site.

Before proceeding to the next lab, reset the lab environment.


Lab Review

1. Which command will you use to connect to the FTP site?


You should use the ftp ftp1.contoso.com command to connect to the FTP site.

2. How will you add a DNS server resource record to the Contoso.com domain?
To add a DNS server resource record to the Contoso.com domain, right-click
Contoso.com, select the New Host option, and then provide the host and IP
address.
Module Reviews and Takeaways

Key Points

Review Questions
1. Which tool will you use for remote IIS administration?
2. You are not able to find an option in IIS Manager to configure an IIS setting.
How will you configure the IIS setting?
3. You need to configure Request Filtering for your Web site, but you were not
able to find that feature in IIS Manager. What is the problem?
4. How can you install ASP.NET on Windows Server 2008 R2 Server Core?
5. What must be available before you can configure FTP over SSL?
Real-World Issues and Scenarios

1. What are the considerations for implementing ASP.NET on Server Core?


2. You would like to implement the new FTP server features, but you are
concerned about the requirements. What should you be aware of?

Tools
• IIS Manager
• AppCmd.exe
• FTP.exe
• DISM.exe
Module 8
Managing Windows Server 2008 R2 with
Windows PowerShell 2.0

Contents:
Lesson 1: Using Windows PowerShell 8-4
Lesson 2: Managing AD DS with Windows PowerShell 8-30
Lesson 3: Managing Server Roles with Windows PowerShell 8-46
Lab: Managing Windows Server 2008 R2 with Windows PowerShell 2.0 8-56
Module Overview

Windows® PowerShell is an extensible command-line shell and associated
scripting language. It integrates with the .NET Framework and provides an
environment to control and automate the administration of the Windows
operating system and the applications that run on Windows.
Built-in Windows PowerShell commands, called cmdlets, allow administrators and
power users to manage the computers. You can use Windows PowerShell
providers to access data stores such as the registry and certificate store in the same
way the file system is accessed. In addition, Windows PowerShell has a rich
expression parser and a fully developed scripting language.
In this module, you will learn the benefits of using Windows PowerShell and some
Windows PowerShell basics. You will also learn how to configure and use
remoting to execute cmdlets on remote computers.
Windows PowerShell providers enable you to administer different areas of the
Windows operating system. You will learn how the Microsoft® Active Directory®
directory service module enables you to manage Active Directory Domain Services
(AD DS). In addition, you will learn how to manage server roles and features by
importing the Server Manager module.
After completing this module, you will be able to:
• Use Windows PowerShell.
• Manage AD DS with Windows PowerShell.
• Manage server roles with Windows PowerShell.
Lesson 1
Using Windows PowerShell

Managing servers in the data center is one of the most time-consuming tasks that
IT professionals face today. To help perform such tasks, Windows Server® 2008 R2
includes Windows PowerShell 2.0, a Windows command-line shell designed
especially for system administrators.
Windows PowerShell is built around the cmdlet, a simple, single-function command-
line tool built into the shell. Windows PowerShell 2.0 also offers several
improvements for remote management scenarios.
You can use Windows PowerShell to reduce the ongoing management effort for
Windows Server 2008 R2 and for common day-to-day operational tasks. You can
perform administrative tasks on the server itself or remotely.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the improvements in Windows PowerShell.
• Describe cmdlets and parameters.
• Describe the cmdlet output.
• Describe the Windows PowerShell pipeline.
• Use Windows PowerShell.
• Describe Windows PowerShell Integrated Scripting Environment (ISE).
• Explore Windows PowerShell Integrated Scripting Environment (ISE).
• Describe the Windows PowerShell provider model.
• Describe the Windows PowerShell Remoting feature.
• Use Windows PowerShell remotely.
Windows PowerShell Improvements

Key Points
Windows PowerShell is a command-line shell and scripting language that provides
consistent vocabulary, syntax, and utilities. This helps you control system
administration tasks and accelerate automation of administrative tasks such as
performing backups or actions that typically require many clicks in the GUI. These
tasks can be simply performed in the command line. You can format, compose,
and pipeline cmdlets to perform complex tasks. Windows PowerShell is easy to
adopt, learn, and use because it works with the existing IT infrastructure, scripts,
and command-line tools. Windows PowerShell provides robust automation
capabilities that save time, speed up deployment, and reduce costs.
Windows PowerShell is a part of Windows Server 2008 R2, and it is installed by
default. Windows PowerShell 2.0 significantly enhances the earlier Windows
PowerShell version with the inclusion of more than 240 prebuilt cmdlets and a
new graphical user interface (GUI) that adds useful development features for
writing scripts. The new GUI includes syntax coloring, multiline editing, selective
execution, context-sensitive help, and new script debugging capabilities. Many of
the new Windows Server 2008 R2 management interfaces, such as Active Directory
Administrative Center (ADAC), are built entirely on Windows PowerShell.
Windows PowerShell is also included in Windows® 7 and is available as an optional
feature on Windows Server 2008 R2 Server Core.

Improvements in Windows PowerShell

The following improvements are available in Windows PowerShell in Windows
Server 2008 R2:
• Scripting. Scripts are easier to write, share, support, and run safely. In
addition to the 240 prebuilt cmdlets, debugger enhancements, the restricted
language, modules, and transactions simplify server automation.
• Remote management. Windows PowerShell enables remote management, the
ability to run expressions, commands, and script blocks on one computer or
hundreds of computers. You can execute code on one or more computers both
in restricted and unrestricted environments. User input or events initiate code
execution. You can also establish a session that receives remote commands
from multiple computers.
• Universal code execution model. Windows PowerShell provides more
flexibility about where and how you can run expressions, commands, and
script blocks. You can execute code on one or more computers both in
restricted and unrestricted environments. User input or events initiate code
execution.
• Server roles. Windows PowerShell 2.0 allows administrators to manage
specific Windows Server 2008 R2 roles and features, including Active
Directory Domain Services, Active Directory Lightweight Directory Services,
Remote Desktop Services, and Web Server (IIS).
• Windows PowerShell ISE. Windows PowerShell ISE is a GUI for Windows
PowerShell. The interface allows you to run commands and write, edit, run,
test, and debug scripts in a single window. It provides up to eight independent
execution environments and includes a built-in debugger, multiline editing,
selective execution, syntax coloring, line and column numbers, and context-
sensitive help.
• Windows PowerShell modules. Windows PowerShell modules allow you to
organize your Windows PowerShell scripts and functions into independent,
self-contained units. You can package cmdlets, providers, scripts, functions,
and other files into modules that you can distribute to other users. Modules
are easy for users to install and use. Modules can include any type of file,
including audio files, images, help files, and icons.


• Background jobs. With Windows PowerShell background jobs, you can run
commands asynchronously and in the background. This helps you continue to
work in your session. You can run background jobs on a local or remote
computer, and you can store the results locally or remotely.
• Transactions. Windows PowerShell 2.0 supports transactions, which allow
you to manage a set of commands as a logical unit. A transaction can be
committed, or can be completely undone so that the affected data is not
changed by the transaction.

Question: Why would you use Windows PowerShell in your environment?



What Are Cmdlets and Parameters?

Key Points
Cmdlets are Windows PowerShell commands that have no direct representation as
executable files in the file system. They are .NET classes compiled into a
dynamic-link library (DLL), which can also contain providers, and they are loaded
into the shell through a snap-in or module; a module can also deliver commands as
a single script or a collection of scripts. Each cmdlet performs a specific and
typically small task.

Naming cmdlets
Windows PowerShell uses a verb-noun notation for the names of cmdlets. For
example, you can run the Get-Command cmdlet to query all the cmdlets and
functions that are available in the Windows PowerShell. You can run the Get-Help
command to get help in the Windows PowerShell and also to get specific
information on each cmdlet. Windows PowerShell supports auto-completion. You
can type just the first few letters and press the TAB key to complete typing a word.
Getting additional cmdlets
Windows PowerShell 2.0 in Windows Server 2008 R2 has more than 240 prebuilt
cmdlets. You can also get additional cmdlets by loading Windows PowerShell
modules. Run Get-Module -ListAvailable to see which modules are installed, and
load one with the Import-Module cmdlet. Windows Server 2008 R2 provides
several modules for administering specific features, such as AD DS, Web servers,
or server roles.

Defining alias
You can also define aliases, which are alternative names you can assign to cmdlets,
functions, scripts, or executable files. You can define an alias for any command that
you can run from the Windows PowerShell. You can get a list of aliases by running
the Get-Alias cmdlet. You can also create an alias by running the Set-Alias cmdlet.

Declaring parameters
You can declare parameters in cmdlets. The arguments of these parameters affect
the operation of the cmdlet. Not all cmdlets require parameters. When you supply
a parameter, its name begins with a hyphen (-). You can also abbreviate parameter
names, as long as the abbreviation is unambiguous.

Types of parameters
You can declare different types of parameters in cmdlets, such as integer, string, or
date. All cmdlet parameters are either named or positional. You can either specify
them by name, by typing the parameter name, or by position, where you place the
argument at a specific position in the command. For example, the Get-Process
cmdlet lists all running processes. You can provide the Get-Process cmdlet with a
named parameter to list just a specific process, such as Get-Process -Name lsass.
You can get the same result by abbreviating the parameter, as in Get-Process -N
lsass. You can also specify the parameter by its position by running the
Get-Process lsass command.

Question: You heard from a colleague about the Windows PowerShell cmdlet in
Windows Server 2008 R2. You would like to test the cmdlet. However, when you
run the cmdlet inside the Windows PowerShell window, you get an error that it is
not a recognized cmdlet name. What is the probable reason for this error?
Cmdlet Output

Key Points
Unlike the commands used in traditional shells, Windows PowerShell cmdlets do
not produce text output directly. Windows PowerShell cmdlets return zero or more
objects. You can gather information from an object or perform actions on it. A
Windows PowerShell object consists of properties and methods. Properties are
information that you can read, and methods are actions that you can perform on
the object. Windows PowerShell formats these objects as text only when they reach
the end of the pipeline, which gives the impression that cmdlets produce text
output.

Formatting command output

In traditional shells, each tool or command determines the format of its output.
Some tools allow you to customize the output, and they include special parameters
to control the output format. In Windows PowerShell, the cmdlets that format the
output are as follows:
• Format-List
• Format-Custom
• Format-Table
• Format-Wide
Other cmdlets in Windows PowerShell do not format the output. Therefore, you
do not need to learn the formatting routines and parameters of multiple tools. You
should only learn about the format cmdlets and their parameters.
For example, when you use the Get-Service cmdlet, the default display is a three-
column table. To change the format of the output from cmdlet, you can use the
pipeline operator (|) to send the output of the command to a format cmdlet. You
can run get-service | format-list to format the service data as a list for each service.
In this format, the data appears in a list, and there is more information about each
service.
If you have the Windows PowerShell Integrated Scripting Environment (ISE)
feature installed, you can use the following Out-GridView cmdlet to display, sort,
or filter result data.

Get-Process | Out-GridView

After results are displayed in a grid, you can sort the results by clicking the column
header, select the columns that are displayed, and filter the results.

Question: Why should you use Windows PowerShell format cmdlets?


What Is a Pipeline?

Key Points
Windows PowerShell pipeline is similar to an assembly line. When an object
moves down the pipeline, it passes through various cmdlets, and each cmdlet
makes some modification to it, until the object reaches the end of the pipeline.
When the object reaches the end of the pipeline, Windows PowerShell formats the
object as text and displays the output.
Windows PowerShell uses the pipeline to connect the output from the first cmdlet
to the input of the second cmdlet. A combination of the first cmdlet, pipe symbol
“|” and the second cmdlet builds a pipeline. You do not need to create a temporary
file to store the output from the cmdlet because the Windows PowerShell manages
the flow of data through the pipeline. The information flowing from one cmdlet to
another through the pipeline is in the form of objects. For more complex
processing, you can join a series of cmdlets by using a sequence of pipes.
For example, in the following code, you get all the processes first. Then, the second
cmdlet sorts them by the number of handles. Then, the third cmdlet formats the
output as a table. The final output shows all processes, sorted by the number of
handles and formatted as a table.

Get-Process | Sort-Object Handles | Format-Table
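The same pattern on data an administrator actually has to review, as an added
example that is not part of the courseware: the objects that flow down the pipeline
are Win32_Service instances from Get-WmiObject (Get-Service does not expose the
logon account), and they stay objects through Where-Object, Group-Object,
Sort-Object and Select-Object until a format cmdlet renders them at the very end.
Get-ServiceAccountSummary is a function defined here for the example.

```powershell
# Added example (not part of the 10159A courseware): a pipeline over objects, not text.
function Get-ServiceAccountSummary {
    # Groups running services by the account they log on as and returns one object per
    # account; nothing is formatted here, so the caller can keep filtering the result.
    param([string]$ComputerName = '.')
    Get-WmiObject Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.State -eq 'Running' } |
        Group-Object StartName |
        Sort-Object Count -Descending |
        Select-Object @{ Name = 'Account';  Expression = { $_.Name } },
                      Count,
                      @{ Name = 'Services'; Expression = { ($_.Group | ForEach-Object { $_.Name } | Sort-Object) -join ', ' } }
}

# The result is a collection of objects with three properties, not a block of text:
$summary = Get-ServiceAccountSummary
$summary | Get-Member -MemberType NoteProperty

# Only now is it turned into text, and each format cmdlet gives a different view:
$summary | Format-Table Account, Count -AutoSize

# Services that run as a real user account instead of a built-in identity deserve a look,
# because a stored password for that account is a credential an attacker can recover.
$builtIn = '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService))$'
$summary | Where-Object { $_.Account -notmatch $builtIn } | Format-List Account, Services
```

Because Get-ServiceAccountSummary returns objects, the last pipeline needs no text
parsing: the account check is a comparison on a property, and changing the output
to a table or to Out-GridView is a matter of swapping the final cmdlet.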

Question: When will you use a pipeline?


Demonstration: How To Use Windows PowerShell

Key Points

1. Open the Windows PowerShell window and run the following command to
view the list of available cmdlets and functions.

Get-Command

2. Run the following command to get help for the Get-Alias command. Also, view
the information about the Get-Alias command, such as description, synopsis,
syntax, related links, and remarks.

Get-Help Get-Alias

3. Run the following command to view the list of available aliases.

Get-Alias

4. Run the following command to view the list of all running processes on the
server.

Get-Process

5. Run the following command to verify that there is no Processes command
available.

Processes

6. Run the following command to define a new alias and view the list of running
processes.

Set-Alias Processes Get-Process


Processes

7. Run the following command to verify that you have defined the new alias,
Processes.

Get-Alias

8. Run the following command to verify that the same help options as the Get-
Process command are available.

Get-Help Processes

9. At the command prompt of the Windows PowerShell window, run the
following command to view the list of running processes and to sort them by
their ID.

Get-Process | Sort-Object -Property id

10. Run the following command to sort the processes by their ID and to view only
the ID, Handles, and ProcessName of the running process.

Get-Process | Select-Object -Property id,Handles,ProcessName | Sort-Object -Property id

11. Run the following command to view the first 10 running processes sorted by
their ID.

Get-Process | Sort-Object -Property id | Select-Object -First 10

12. Run the following command to format the output of the first 10 running
processes sorted by their ID.

Get-Process | Sort-Object -Property id | Select-Object -First 10 | Format-List

13. Run the following command to obtain all running processes, sort them by ID,
store them in a variable, and display the processes stored.

$processes = Get-Process | Sort-Object -Property id
$processes
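As an added example (not part of the course demonstration), the following function combines the same cmdlets into a reusable pipeline: it filters processes by handle count, sorts them, and returns objects rather than formatted text, so the result can be exported or compared with a later run. The function name and the output path under $env:TEMP are assumptions.

```powershell
# Added example (not from the course): a reusable process-inspection pipeline.
# Get-Process -> Where-Object -> Sort-Object -> Select-Object, returning objects.

function Get-ProcessHandleReport {
    param(
        [int]$Top = 10,              # how many processes to return
        [int]$MinimumHandles = 0     # ignore processes below this handle count
    )

    Get-Process |
        Where-Object { $_.Handles -ge $MinimumHandles } |
        Sort-Object -Property Handles -Descending |
        Select-Object -First $Top -Property Id, ProcessName, Handles,
            @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } },
            Path   # empty for protected system processes you cannot open
}

# Usage: the ten busiest processes by handle count, as a table
Get-ProcessHandleReport -Top 10 | Format-Table -AutoSize

# Keep the objects (not the formatted text) so they can be exported or compared later
$busy = Get-ProcessHandleReport -Top 25 -MinimumHandles 500
$busy | Export-Csv -Path "$env:TEMP\handle-report.csv" -NoTypeInformation
```

Formatting cmdlets such as Format-Table belong at the very end of a pipeline; the function itself returns objects so that Export-Csv, Where-Object, or another script can still work with them.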

Question: How will you start Windows PowerShell on Windows Server 2008 R2?
Windows PowerShell Integrated Scripting Environment

Windows PowerShell Integrated Scripting Environment (ISE) is a host application
for Windows PowerShell. Windows PowerShell ISE supports Unicode characters,
and you can run commands and write, test, and debug scripts in a single
Windows-based GUI that has:
• Multiline editing
• Tab completion
• Syntax coloring
• Selective execution
• Context-sensitive help
• Support for right-to-left languages
You can use menu items and keyboard shortcuts to perform the same tasks that you
would perform in the Windows PowerShell console. For example, to set a line
breakpoint in a script when you debug it in Windows PowerShell ISE, right-click
the line of code, and then click Toggle Breakpoint.

New features in Windows PowerShell ISE


Windows PowerShell ISE includes the following features:
• Multiline editing. To insert a blank line under the current line in the
Command pane, press SHIFT+ENTER and press ENTER after the last line to
execute the multiline command.
• Selective execution. To run part of a script, select the text you want to run,
and then click the Run Script button. Alternatively, you can press F5.
• Context-sensitive help. Depending on where the cursor is in any one of the
panes when you click Help, if there is a cmdlet topic that matches the text
around the cursor, Help opens the specific topic. If there is no match with the
context, Help opens on the default page. For example, to open the Help topic
for the Invoke-Item cmdlet in the Help file, type Invoke-Item, and then press
F1.
• Windows PowerShell tabs. Provides support for up to eight Windows
PowerShell tabs within the integrated development environment.
• Syntax coloring. Includes syntax coloring for Windows PowerShell scripts.
Cmdlet names are colored differently than arguments or comments, so it is
easier to write and read PowerShell scripts.
• Command pane. Has a Command Pane for running interactive commands, as
in the Windows PowerShell console.
• Output pane. Has an Output Pane that captures the output of commands. You
can also copy and clear the contents in the Output Pane.
• Script pane. Has a script pane to create, edit, debug, and run functions,
scripts, and modules.
You can customize the appearance of Windows PowerShell ISE. It also has its own
Windows PowerShell profile, where you can store functions, aliases, variables, and
commands you use in Windows PowerShell ISE.
Windows PowerShell ISE is an optional feature of Windows Server 2008 R2. You
can install it by using the Add Features Wizard. Windows PowerShell ISE is not
available on core installations of Windows Server because it requires a user
interface.
Question: You want to explore Windows PowerShell ISE in Windows Server 2008
R2. However, you are unable to locate it on the Start menu. What should you do?

Demonstration: Exploring Windows PowerShell ISE

Key Points

1. On LON-DC1, install the Windows PowerShell Integrated Scripting
Environment (ISE) feature by using the Server Manager console.
2. Open the Windows PowerShell ISE window, view the options of Toolbar,
Script pane, Output pane, and Command pane, and test the auto completion
functionality.
3. Run the following command, and then use the slider to control display size of
the output.

Get-Process

4. Browse through
C:\Windows\System32\WindowsPowerShell\v1.0\Examples and open the
profile.ps1 to verify the syntax coloring feature.
Windows PowerShell Provider Model

Key Points
Windows PowerShell providers are .NET Framework–based programs that make
the data in a specialized data store, such as the file system or the registry,
available to the Windows PowerShell runtime so that you can view and manage it.
The data that a provider exposes appears as a drive, and you can access the data in
a path like you would on a hard-disk drive. You can use any of the built-in cmdlets
that the provider supports to manage the data in the provider drive. You can also
use custom cmdlets that are designed especially for the data. The providers can
also add dynamic parameters to the built-in cmdlets. Note that the dynamic
parameters are available only when you use the cmdlet with the provider data.
Built-in providers

The following table displays a set of built-in providers that you can use to access
the different types of data stores.

Provider       Drive          Data store
Alias          Alias:         Windows PowerShell aliases
Certificate    Cert:          X.509 certificates for digital signatures
Environment    Env:           Windows environment variables
FileSystem     *              File system drives, directories, and files
Function       Function:      Windows PowerShell functions
Registry       HKLM:, HKCU:   Windows registry
Variable       Variable:      Windows PowerShell variables
WSMan          WSMan:         WS-Management configuration information

* The FileSystem drives vary on each system.

You can create customized Windows PowerShell providers and install preexisting
providers. To view the list of providers available in your session, run the following
command:

Get-PSProvider

Viewing provider data


The primary benefit of a provider is that it exposes the data in a familiar and
consistent way. The model for data presentation is a file system drive: you can
view, move through, or edit the data that the provider exposes just as you would
the data on a hard-disk drive. Therefore, the most important information about a
provider is the name of the drive that it supports.
To view the contents of a provider drive, use the Get-Item or Get-ChildItem cmdlet.
Type the drive name followed by a colon (:). For example, to view the Environment
variables, run the following code.

Get-Item Env:

You can also use the familiar dir syntax.

dir Env:

You can view and manage the data in any drive from another drive by including
the drive name in the path. For example, to view the HKLM\Software registry key
in the HKLM: drive from another drive, run the following code.

Get-ChildItem HKLM:\Software

To open the drive, use the Set-Location cmdlet. For example, to change your
location to the root directory of the Cert: drive and view its contents, run the
following code.

Set-Location Cert:
Get-ChildItem

You can achieve the same result by using the following aliases.

cd Cert:
dir
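The following script is an added example, not course material; it uses three of the provider drives from the table above (Env:, HKLM:, and Cert:) from one script, including a check for certificates that are about to expire in the local computer's personal store. The function name Get-ExpiringCertificate and the 60-day threshold are assumptions.

```powershell
# Added example (not from the course): three provider drives from one script.
# Assumes an elevated Windows PowerShell session on Windows Server 2008 R2.

# Environment provider: an environment variable is an item whose Value is the string
$windir = (Get-Item Env:\WINDIR).Value

# Registry provider: keys are containers, registry values are item properties
$versionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osInfo = Get-ItemProperty -Path $versionKey |
    Select-Object ProductName, CurrentVersion, CurrentBuildNumber

# Certificate provider: each item is an X509Certificate2 with NotAfter, Subject, Thumbprint
function Get-ExpiringCertificate {
    param(
        [int]$Days = 30,                           # report certificates expiring within this many days
        [string]$Store = 'Cert:\LocalMachine\My'   # the computer's personal store
    )
    $limit = (Get-Date).AddDays($Days)
    Get-ChildItem -Path $Store |
        Where-Object { $_.NotAfter -le $limit } |
        Sort-Object NotAfter |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'DaysLeft'; Expression = { ($_.NotAfter - (Get-Date)).Days } }
}

"Windows directory: $windir"
$osInfo | Format-List
Get-ExpiringCertificate -Days 60 | Format-Table -AutoSize
```

The Cert: drive is also where the dynamic parameters mentioned above show up: Get-ChildItem Cert:\ -CodeSigningCert is a parameter the certificate provider adds, and it is not available on other drives.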

Question: How can you view Windows environment variables from Windows
PowerShell?
Windows PowerShell Remoting Feature

Key Points
Remoting is the ability to run Windows PowerShell cmdlets on remote computers.
Windows PowerShell Remoting depends on WinRM, which encrypts and secures
the data on the network. Windows PowerShell remote sessions use the HTTP or
HTTPS protocol, which can be allowed through firewalls. This enables you to
manage computers across the local network or the Internet. You can execute
cmdlets on one or more computers and in restricted or unrestricted environments.
Remote management uses two types of remoting:
• Fan-in remoting or many-to-one remoting
• Fan-out remoting or one-to-many remoting

Fan-in remoting
Using fan-in remoting, multiple users can make secure remote shell connections to
a single server. Windows PowerShell is designed to support fan-in remoting in a
secure, partitioned manner. For example, an Exchange Server hosting company can
provide its customers with administrative access to their portion of a server. With
fan-in remoting, you get secure, interactive remote access to the copy of Windows
PowerShell installed on the remote server. Sessions can share static data, and the
server can send progress information to the client.

Fan-out remoting
Using fan-out remoting, you can issue a set of commands to an entire group of
remote servers simultaneously. The commands "fan out" from your workstation to
the group of servers in parallel. The commands are executed on each server, and
the results—in the form of Windows PowerShell objects—are returned to your
workstation. You can review and work with the results. Cmdlets can also run
asynchronously, as background jobs on the remote servers.
Windows PowerShell supports two core technologies for fan-out remoting:
• Windows Management Instrumentation (WMI)
• Windows Remote Management (WinRM)

System requirements
To use Windows PowerShell Remoting, local and remote computers must use the
following components:
• Windows PowerShell 2.0 or later
• .NET Framework 2.0 or later
• Windows Remote Management 2.0
Windows Server 2008 R2 and Windows 7 meet all prerequisites for Windows
PowerShell Remoting.

How to enable Windows PowerShell Remoting?


To use Windows PowerShell Remoting, the remote computer must be configured
for remote management. You configure it by running the Enable-PSRemoting
cmdlet, which changes the default configuration of the WS-Management service.
This cmdlet will:
• Start or restart the WinRM service.
• Set the WinRM service type to auto-start.
• Create a listener to accept requests on any IP address.
• Enable a firewall exception for WS-Management traffic.
After the computer is configured for remote management, other computers can
establish remote connections to it and run commands on it. You can also create a
loopback connection from the computer to itself.

How to run a remote command?


To run any command on one or many remote computers, use the Invoke-Command
cmdlet. For example, to run the Get-Process cmdlet on the NYC-SVR1 and
NYC-SVR2 remote computers, run the following command.

Invoke-Command -ComputerName NYC-SVR1, NYC-SVR2 {Get-Process}
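The following is an added example (not from the course) of fan-out remoting against the two lab servers named above: it checks that each server answers WS-Management requests, opens one persistent session per server, runs two queries across all sessions in parallel, and removes the sessions afterwards. The server names, the queries, and the variable names are assumptions.

```powershell
# Added example (not from the course): fan-out remoting to several servers at once.
# NYC-SVR1 and NYC-SVR2 are the lab names used above; they are assumptions here too.
$servers = 'NYC-SVR1', 'NYC-SVR2'

# Skip servers that do not answer WS-Management requests instead of failing later
$reachable = foreach ($s in $servers) {
    if (Test-WSMan -ComputerName $s -ErrorAction SilentlyContinue) { $s }
    else { Write-Warning "$s does not answer WS-Management requests; skipping" }
}
if (-not $reachable) { throw 'No server answered WS-Management requests' }

# One persistent session per server, reused for every Invoke-Command below
$sessions = New-PSSession -ComputerName $reachable

try {
    # Services set to start automatically that are not running; one query, run on all servers
    $stopped = Invoke-Command -Session $sessions -ScriptBlock {
        Get-WmiObject Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
            Select-Object Name, State, StartMode
    }
    # Results come back as deserialized objects tagged with PSComputerName
    $stopped | Sort-Object PSComputerName, Name |
        Format-Table PSComputerName, Name, State -AutoSize

    # Local values reach the remote script block through -ArgumentList and param()
    $days = 7
    Invoke-Command -Session $sessions -ArgumentList $days -ScriptBlock {
        param($d)
        $errors = Get-EventLog -LogName System -EntryType Error `
            -After (Get-Date).AddDays(-$d) -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{ SystemErrors = @($errors).Count }
    } | Format-Table PSComputerName, SystemErrors -AutoSize
}
finally {
    # Always tear the sessions down, even if a query failed
    Remove-PSSession -Session $sessions
}
```

Enable-PSRemoting creates a listener on every address and opens the firewall exception for it, so on a production server restrict that firewall rule to the management network. Within a domain the sessions authenticate with Kerberos; for computers outside the domain, use an HTTPS listener and the -UseSSL parameter of New-PSSession and Invoke-Command.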

Question: How should you configure a remote computer if you want to use it as a
Windows PowerShell Remoting target?

Demonstration: How To Use Windows PowerShell Remotely

Key Points

1. On LON-SVR1, run the following commands to use the provider for Windows
environment variables and add a new Windows environment variable.

cd env:
md Today -Value "Wednesday"

2. Run the following command to verify that the new variable, Today, is defined
with the value, Wednesday.

dir
3. Run the following commands to use the provider for the Windows registry and
add a new Windows registry key.

cd hkcu:
md Wednesday

4. Open Registry Editor and verify that the HKCU registry hive contains the
Today key.

regedit

5. Use the certificate provider and change your location to the local computer's
personal certificate store by running the following commands:

cd cert:
cd localmachine\my

6. View the list of digital certificates in the computer store by running the
following command.

dir

7. Open the Certificates snap-in and verify whether the computer certificates are
the same as those from the PowerShell interface.
• On the Start menu, click Run.
• In the Open box of the Run dialog box, type mmc, and then click OK.
• On the File menu of the Console1 - [Console Root] console, click
Add/Remove Snap-in.
• In the Available snap-ins area of the Add or Remove Snap-ins dialog box,
in the Snap-in list, click Certificates, and then click Add.
• In the Certificates snap-in dialog box, click Computer account, and then
click Next.
• In the Select Computer dialog box, click Finish.
• In the Add or Remove Snap-ins dialog box, click OK.
• In the tree pane of the Console1 - [Console Root] console, expand
Certificates (Local Computer), expand Personal, and then click
Certificates.
• In the Console1 - [Console Root] console, click the Close button.
• In the Microsoft Management Console message box, click No.

8. On LON-DC1, open the Windows PowerShell window and run the following
command to verify that the PowerShell command cannot be executed by
default on the remote system.

Invoke-Command -ComputerName LON-SVR1 {Get-Process}

9. On LON-SVR1, run the following command to enable Windows PowerShell
remoting.

Enable-PSRemoting -Force

10. On LON-DC1, run the following command again to view the list of running
processes.

Invoke-Command -ComputerName LON-SVR1 {Get-Process}

11. On LON-DC1, run the following command to view the first 10 running
processes sorted by ID.

Invoke-Command -ComputerName LON-SVR1 {Get-Process | Sort-Object -Property id | Select-Object -First 10}

Question: How can you use PowerShell commands remotely?


Lesson 2

Managing AD DS with Windows PowerShell

Windows PowerShell is a command-line shell and scripting language that can help
you perform system administration. Windows PowerShell includes many cmdlets
such as Get-Command and Set-Variable. You can add more cmdlets by
importing Windows PowerShell modules. Windows Server 2008 R2 includes
several Windows PowerShell modules such as the Active Directory module, the
Server Manager module, the Web Administration module, and the Group Policy
module. You can use the Active Directory module to administer Active Directory
Domain Services (AD DS), Active Directory Lightweight Directory Services
(AD LDS) configuration sets, and Active Directory Database Mounting Tool
instances.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the Active Directory module.
• Use the Active Directory module.
• Describe Active Directory management tasks.
• Manage user accounts.
• Manage organizational units.
• Search and modify objects.

Active Directory Module

Key Points
The Active Directory module for Windows PowerShell is a Windows PowerShell
module that consolidates a group of Active Directory–related cmdlets such as
New-ADUser, Get-ADGroup, and Remove-ADObject. You can use these cmdlets to
manage Active Directory domains, AD LDS configuration sets, and Active Directory
Database Mounting Tool instances.
In Windows Server 2000, Windows Server 2003, and Windows Server® 2008,
administrators can use a variety of command-line tools and Microsoft Management
Console (MMC) snap-ins to connect, administer, and monitor Active Directory
domains and AD LDS configuration sets. These tools are also available in Windows
Server 2008 R2, in addition to the Windows PowerShell Active Directory module.
The Windows PowerShell Active Directory module provides a set of cmdlets that
makes command-line navigation through the Active Directory tree similar to
navigating a file system. You can use familiar commands such as dir, cd, and
mkdir, and also AD DS–specific cmdlets such as New-ADGroup or Get-ADComputer.

Installing the Active Directory module


You can install the Active Directory module by using the following methods:
• The Active Directory module is installed on a Windows Server 2008 R2 server
when you install the AD DS or AD LDS server role.
• The Active Directory module is installed when you promote a Windows
Server 2008 R2 server to a domain controller by running Dcpromo.exe.
• The Active Directory module is installed as part of the Remote Server
Administration Tools (RSAT) feature on a Windows Server 2008 R2 server.
• The Active Directory module is installed as part of the RSAT feature on a
Windows 7 computer.
• The Active Directory module is installed when you install Windows
PowerShell and Microsoft .NET Framework 3.5.1.
If you want to use the Active Directory module to manage an Active Directory
domain, an AD LDS instance or configuration set, or an Active Directory Database
Mounting Tool instance, the Windows Server 2008 R2 Active Directory Web
Services (ADWS) service or the Active Directory Management Gateway service
must be available on at least one domain controller or on a server that hosts the
AD LDS instance.
After installing the Active Directory module, you can start using the Active
Directory cmdlets. To start using Active Directory cmdlets, click Start, point to
Administrative Tools, and then click Active Directory Module for Windows
PowerShell. You can also load the Active Directory module manually by running
the Import-Module ActiveDirectory command at the Windows PowerShell prompt.
After the Active Directory module is imported, more than 75 Active
Directory–related cmdlets are available; you can list them by running the
Get-Command *-AD* command.
The Active Directory module is available in all editions of Windows
Server 2008 R2, except Web Server and Windows Server 2008 R2 for Itanium-
Based Systems.

Question: How can you get the Active Directory module for Windows
PowerShell?

Demonstration: How To Use Active Directory Module

Key Points

1. On LON-DC1, open the Windows PowerShell window and run the following
command to verify that there are no Active Directory commands.

Get-Command *-ad*

2. Import the Active Directory module and then verify whether the Active
Directory commands are added by running the following command.

Import-Module ActiveDirectory
Get-Command *-ad*

3. Run the following commands to use the Active Directory provider and to list
the information in Active Directory.

cd AD:
dir

4. Query the information on the contoso.com domain and the domain controller
that you are using in the contoso.com domain by running the following
command.

Get-ADDomain Contoso.com
Get-ADDomainController

5. Query the information in a global catalog in the forest and the domain
password policy in the contoso.com domain by running the following
command.

Get-ADDomainController -Discover -Service "GlobalCatalog"
Get-ADDefaultDomainPasswordPolicy Contoso.com

6. Count the number of Active Directory objects and view all the computer
objects in the domain in the form of a table by running the following
command.

Get-ADObject -Filter {name -like '*'} -SearchBase 'DC=Contoso,DC=com' | Measure-Object

7. On LON-DC1, run the following commands to navigate through Active
Directory.

cd "cn=users,dc=contoso,dc=com"
dir

Question: Why should you use the Active Directory module for Windows
PowerShell?

Active Directory Management Tasks

Key Points
Active Directory is a hierarchical store that can be administered in different ways.
You can use graphical tools such as Active Directory Users and Computers or
command-prompt tools such as dsadd, dsquery, or csvde for Active Directory
management. Developers can develop their own tools for managing Active
Directory by using Active Directory Services Interfaces (ADSI). The Active Directory
module for Windows PowerShell is another option. This option exposes the
hierarchical AD DS store as a disk drive, allowing you to use a familiar set of
commands such as dir, del, ren, or copy to manage Active Directory. In addition,
you can use the cmdlets in the Active Directory module to manage Active
Directory.
The following are some of the Active Directory management tasks:
• Account Management
• Group Management
• Managed Service Accounts
• Organizational Units
• Password Policies
• Optional Features
• Search\Modify Objects
• Forest and Domain Management
• Domain Controller and Operations Master Management
When you use Windows PowerShell for Active Directory management, you can
rely on all Windows PowerShell capabilities. For example, you can use the pipeline
to pass output between cmdlets and perform actions on a selected set of Active
Directory objects. You can also use the format cmdlets to format the output when
results are displayed.
You can use the New-ADUser cmdlet to create Active Directory user accounts. This
cmdlet has a default set of almost 50 properties that represent Active Directory
attributes. This enables you to populate the most common attributes when you
create a user account. If you need to populate one or more attributes that are not
represented by the default properties, you can use the OtherAttributes parameter.

Question: What are the common Active Directory management tasks in your
company?

Managing User Accounts

Key Points
You can use the Active Directory module for Windows PowerShell to manage your
user accounts in AD DS. The Active Directory module provides cmdlets with which
you can create a user account, modify user properties such as the telephone
number, add the user to a group, or move the user to a different organizational
unit. You can use user properties as search criteria and perform the same action on
multiple accounts. If a user account is no longer required, you can delete it.
1. On LON-DC1, create a new Active Directory user, User1, and move User1 to
the Remote Access organizational unit by running the following command.

New-ADUser User1
Move-ADObject -Identity "cn=User1,cn=Users,dc=contoso,dc=com" -TargetPath "OU=Remote Access,dc=contoso,dc=com"
• On LON-DC1, at the command prompt, type the following command, and
then press ENTER.

New-ADUser User1

• At the command prompt, type the following command, and then press
ENTER.

Move-ADObject -Identity "cn=User1,cn=Users,dc=contoso,dc=com" -TargetPath "OU=Remote Access,dc=contoso,dc=com"

2. Create User2 Active Directory user by running the following command.

New-ADUser User2 -Path “OU=Remote Access,DC=contoso,DC=com”

• At the command prompt, type the following command, and then press
ENTER.

New-ADUser User2 -Path “OU=Remote Access,DC=contoso,DC=com”

3. Run the following command to modify the properties of the user.

Set-ADUser User1 -GivenName "Name" -Surname "Family name"
Set-ADUser User2 -HomePage "http://www.contoso.com"

• At the command prompt, type the following command, and then press
ENTER.

Set-ADUser User1 –GivenName “Name” –Surname “Family name”

• At the command prompt, type the following command, and then press
ENTER.

Set-ADUser User2 –HomePage “http://www.contoso.com”

4. Open the Active Directory Users and Computers console and verify that the
first and last names have been defined for User1. Also verify that the home
page has been defined for User2.
• On the Start menu, point to Administrative Tools, and then click Active
Directory Users and Computers.
• In the tree pane of the Active Directory Users and Computers console,
under Contoso.com, click Remote Access.
• In the Name list of the Remote Access result pane, right-click User1, and
then click Properties.


• In the User1 Properties dialog box, click Cancel.
• In the Name list of the Remote Access result pane, right-click User2, and
then click Properties.
• In the User2 Properties dialog box, click Cancel.
• In the Active Directory Users and Computers console, click the Close
button.
5. Run the following command to modify the properties of multiple users.

Get-ADUser -Filter 'Name -like "User*"' -SearchBase "OU=Remote Access,DC=contoso,DC=com" | Set-ADUser -Description "Remote Access User"

• At the command prompt, type the following command, and then press
ENTER.

Get-ADUser -Filter 'Name -like "User*"' -SearchBase "OU=Remote Access,DC=contoso,DC=com" | Set-ADUser -Description "Remote Access User"

6. Open the Active Directory Users and Computers console and verify that
User1, User2, and User3 have the description set to Remote Access User.
• On the Start menu, point to Administrative Tools, and then click Active
Directory Users and Computers.
• In the tree pane of the Active Directory Users and Computers console,
expand Contoso.com, click Remote Access.
• In the Name list of the Remote Access result pane, right-click User1, and
then click Properties.
• In the User1 Properties dialog box, click Cancel.
• In the Name list of the Remote Access result pane, right-click User2, and
then click Properties.
• In the User2 Properties dialog box, click Cancel.
7. Add User2 to the RD Users group by running the following command:

Add-ADGroupMember -Identity “RD Users” -Member User2


• At the command prompt, type the following command, and then press
ENTER.

Add-ADGroupMember -Identity “RD Users” -Member User2

8. In the Active Directory Users and Computers console, verify that RD Users
group (in Remote Access OU) has User2 as a member.
• In the tree pane of the Active Directory Users and Computers console,
under Contoso.com, click Remote Access.
• In the Name list of the Remote Access result pane, right-click RD Users,
and then click Properties.
• On the Members tab of the RD Users Properties dialog box, ensure that
User2 is a member, and then click Cancel.
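The steps above create users one parameter at a time. As an added example (not course material) that also covers the OtherAttributes parameter described under Active Directory Management Tasks, the following script creates several users from CSV data: it skips accounts that already exist, prompts for each initial password instead of storing it in the file, sets the common attributes through New-ADUser parameters, and uses -OtherAttributes for an attribute (employeeType) that has no parameter of its own. The CSV columns, the sample rows, and the target OU are constructed assumptions for the contoso.com lab domain.

```powershell
# Added example (not from the course): bulk user creation with New-ADUser.
# The OU, UPN suffix, and CSV layout are assumptions for the contoso.com lab domain.
Import-Module ActiveDirectory

$targetOU  = 'OU=Remote Access,DC=contoso,DC=com'
$upnSuffix = 'contoso.com'

# Constructed sample input; in practice use Import-Csv -Path users.csv
$csv = @'
SamAccountName,GivenName,Surname,Department,EmployeeType
user4,Dana,Nguyen,Sales,Contractor
user5,Kai,Ortiz,Finance,Employee
'@
$newUsers = $csv | ConvertFrom-Csv

foreach ($u in $newUsers) {
    # Skip accounts that already exist instead of failing half-way through the file
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "$($u.SamAccountName) already exists; skipping"
        continue
    }

    # Ask for the initial password rather than keeping it in the CSV
    $password = Read-Host -AsSecureString "Initial password for $($u.SamAccountName)"

    New-ADUser -Name "$($u.GivenName) $($u.Surname)" `
        -SamAccountName $u.SamAccountName `
        -UserPrincipalName "$($u.SamAccountName)@$upnSuffix" `
        -GivenName $u.GivenName -Surname $u.Surname `
        -Department $u.Department `
        -Path $targetOU `
        -AccountPassword $password `
        -ChangePasswordAtLogon $true `
        -Enabled $true `
        -OtherAttributes @{ employeeType = $u.EmployeeType }   # no dedicated parameter for this attribute
}

# Review the result: one line per account in the OU just populated
Get-ADUser -Filter * -SearchBase $targetOU -Properties Department, employeeType |
    Format-Table SamAccountName, Name, Department, employeeType, Enabled -AutoSize
```

New-ADUser creates a disabled account unless -Enabled $true is given together with a password that satisfies the domain policy, so a bulk run that omits the password silently leaves every account disabled; the final Get-ADUser shows the Enabled column so that this is visible.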

Question: Which are the most often used commands for managing user account
objects in Active Directory?

Demonstration: How To Manage Organizational Units

Key Points

1. On the Start menu, in the Search programs and files box, type power, and
then click Windows PowerShell.
2. Create User3 Active Directory user by running the following command.

New-ADUser User3 -Path “OU=Remote Access,DC=contoso,DC=com”

3. On LON-DC1, run the following commands to create a new Active Directory
organizational unit and to display the organizational units in Active Directory
in the form of a table.

New-ADOrganizationalUnit -Name "User Accounts" -Path "DC=contoso,DC=com"
Get-ADOrganizationalUnit -Filter {Name -like '*'} | Format-Table Name, DistinguishedName -A

4. Run the following command to find the organizational units that match certain
criteria and modify their description.

Get-ADOrganizationalUnit -Filter {Name -like 'User*'} | Set-ADOrganizationalUnit -Description "User organizational unit"

5. Move a user to an organizational unit by running the following command.

Get-ADUser User2 | Move-ADObject -TargetPath "OU=User Accounts,DC=contoso,DC=com"

6. Run the following command to verify whether you can delete an
organizational unit.

Remove-ADOrganizationalUnit "OU=User Accounts,DC=contoso,DC=com" -Recursive

The command fails because organizational units are protected from accidental
deletion by default.

7. Delete an organizational unit by running the following command.

Set-ADOrganizationalUnit "OU=User Accounts,DC=contoso,DC=com" -ProtectedFromAccidentalDeletion $False
Remove-ADOrganizationalUnit "OU=User Accounts,DC=contoso,DC=com" -Recursive

8. In the Active Directory Users and Computers console, verify that User
Accounts OU in contoso.com domain is no longer present.
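The demonstration shows that an OU cannot be removed until its protection flag is cleared. As an added example (not from the course), the function below wraps that sequence in a safer form: it refuses to delete an OU that still contains objects unless -Force is given, clears the protection flag on the OU and on any child OUs only at the moment of deletion, and supports -WhatIf through ShouldProcess. The function name is an assumption.

```powershell
# Added example (not from the course): delete an OU only deliberately.
Import-Module ActiveDirectory

function Remove-ADOrganizationalUnitSafely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [switch]$Force   # required when the OU still contains objects
    )

    $ou = Get-ADOrganizationalUnit -Identity $DistinguishedName -Properties ProtectedFromAccidentalDeletion
    # Direct children only; enough to decide whether this is an empty container
    $children = Get-ADObject -Filter * -SearchBase $DistinguishedName -SearchScope OneLevel

    if ($children -and -not $Force) {
        throw "$DistinguishedName still contains $(@($children).Count) object(s); use -Force to delete it and everything below it"
    }

    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Remove organizational unit')) {
        if ($ou.ProtectedFromAccidentalDeletion) {
            # The flag is a deny ACE for Delete/Delete Subtree; clear it only now, not in advance
            Set-ADOrganizationalUnit -Identity $DistinguishedName -ProtectedFromAccidentalDeletion $false
        }
        if ($children) {
            # Child OUs carry their own protection flag; clear each before a recursive delete
            Get-ADOrganizationalUnit -Filter * -SearchBase $DistinguishedName |
                Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false
            Remove-ADOrganizationalUnit -Identity $DistinguishedName -Recursive -Confirm:$false
        } else {
            Remove-ADOrganizationalUnit -Identity $DistinguishedName -Confirm:$false
        }
    }
}

# Preview first (nothing is changed), then delete for real
Remove-ADOrganizationalUnitSafely -DistinguishedName 'OU=User Accounts,DC=contoso,DC=com' -Force -WhatIf
Remove-ADOrganizationalUnitSafely -DistinguishedName 'OU=User Accounts,DC=contoso,DC=com' -Force
```

Clearing the protection flag on a whole subtree in advance, as a convenience, defeats the purpose of the flag; this function clears it on the same code path that deletes, so an interrupted run leaves at most the target OU unprotected.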

Searching and Modifying Objects

Key Points
Windows PowerShell provides powerful cmdlets, such as Get-ADObject with Filter,
for searching Active Directory. But searching Active Directory is often not the main
goal; you need to find Active Directory objects that meet certain criteria, such as
locked-out accounts or computers at one location, and then perform actions with
them, such as enabling locked-out accounts or changing the property of multiple
objects at the same time. You can use the Windows PowerShell search cmdlets and
pipe their output to other cmdlets to perform the following tasks:
• Counting objects in Active Directory

Get-ADObject -Filter {name -like '*'} -SearchBase 'DC=contoso,DC=com' | Measure-Object

• Searching for objects in a domain


Get-ADObject -Filter 'ObjectClass -eq "computer"' -SearchBase 'DC=contoso,DC=com' -Properties Name,sAMAccountName | Format-Table Name,sAMAccountName

• Exporting objects to a comma separated value (CSV) file

Get-ADObject -Filter 'Name -like "*"' -SearchBase 'CN=Users,DC=contoso,DC=com' | Export-Csv ExportUsers.csv

• Viewing the created and last modified time stamp of an object

Get-ADObject -Filter 'ObjectClass -eq "organizationalunit"' -SearchBase 'DC=contoso,DC=com' -Properties Created,Modified | Format-Table Name,Created,Modified

Question: Why would you search for Active Directory objects by using Windows
PowerShell?
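The following script is an added example of the search-then-act pattern described above; it is not part of the course text. It uses the Active Directory module on Windows Server 2008 R2 with the course's contoso.com domain and Remote Access OU; the 90-day inactivity threshold and the report path are assumptions. Every change is run with -WhatIf first, so the script only reports until you remove that switch.

```powershell
# Added example: find Active Directory objects that match a condition and act on
# them in one pipeline. Assumes the ActiveDirectory module, a domain named
# contoso.com and an OU called "Remote Access" (both from the course); the 90-day
# threshold and the report path are assumptions for this example.
Import-Module ActiveDirectory

$domainDn   = 'DC=contoso,DC=com'
$staleAfter = New-TimeSpan -Days 90

# 1. Locked-out user accounts: list them, then unlock only the ones that are
#    enabled. -WhatIf shows what would change; remove it to apply the unlock.
$locked = Search-ADAccount -LockedOut -UsersOnly -SearchBase $domainDn
$locked | Format-Table Name, SamAccountName, LastLogonDate -AutoSize
$locked | Where-Object { $_.Enabled } | Unlock-ADAccount -WhatIf

# 2. Computer accounts that have not authenticated for 90 days: the machine is
#    usually gone but the account is not, which is a foothold an attacker can
#    reuse. Disable rather than delete, so a false positive is reversible.
$stale = Search-ADAccount -AccountInactive -TimeSpan $staleAfter -ComputersOnly -SearchBase $domainDn |
    Where-Object { $_.Enabled }
$stale | Format-Table Name, LastLogonDate, DistinguishedName -AutoSize
$stale | Disable-ADAccount -WhatIf

# 3. Change one property on every object that matches a filter. The filter is
#    evaluated by the domain controller, so only matching objects cross the wire.
Get-ADUser -Filter {Description -notlike "*"} -SearchBase "OU=Remote Access,$domainDn" |
    Where-Object { $_.Enabled } |
    Set-ADUser -Description 'Remote Access User' -WhatIf

# 4. Users whose password never expires bypass the domain password policy, so
#    export them for review. Search-ADAccount has a dedicated switch for this.
Search-ADAccount -PasswordNeverExpires -UsersOnly -SearchBase $domainDn |
    Select-Object Name, SamAccountName, Enabled, LastLogonDate |
    Export-Csv -Path "$env:TEMP\PasswordNeverExpires.csv" -NoTypeInformation
```

Run it as a domain administrator from a computer with the Active Directory module loaded. The -WhatIf switches make the first run a dry run; review the three lists, then remove the switches to unlock, disable and describe the objects for real.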
Lesson 3
Managing Server Roles with Windows PowerShell

Windows Server 2008 R2 has many roles and features. You can use Server
Manager to add or remove roles and features from the graphical user interface
(GUI). Windows Server 2008 R2 also provides the Server Manager module for
Windows PowerShell, with which you can list, add, and remove server roles and
features from the command line. When you import the Server Manager module,
you get three new cmdlets: Add-WindowsFeature, Remove-WindowsFeature, and
Get-WindowsFeature.
After completing this lesson, you will be able to:
• Install the Server Manager module.
• Manage server roles by using Windows PowerShell cmdlets.
• Manage Group Policy by using Windows PowerShell cmdlets.
• Manage IIS by using Windows PowerShell cmdlets.

Installing Server Manager Module

Key Points
Server Manager is a tool for managing server roles, role services, and features in
Windows Server 2008 R2. You can use the graphical Server Manager, which opens
by default when a member of the Administrators group logs on, or the
ServerManagerCmd.exe command-line tool, which is still included with the
operating system but is deprecated in Windows Server 2008 R2. The supported
command-line option in Windows Server 2008 R2 is the Server Manager module
for Windows PowerShell, which you use to list, install, or remove roles, role
services, and features.
Before you can use the Server Manager cmdlets, you must first import the Server
Manager module by running the following cmdlet.

Import-Module ServerManager

The Server Manager module for Windows PowerShell

The ServerManager module contains three Windows PowerShell cmdlets:


• Add-WindowsFeature. Allows you to install specific roles, role services, and
features on a computer that is running Windows Server 2008 R2. The Add-
WindowsFeature cmdlet functions similar to the Add Roles Wizard and the
Add Features Wizard, which you can start from Server Manager. In the wizard,
you can add more than one role, role service, or feature per session. All roles,
role services, or features that are required by those Windows features you want
to install are added automatically.
• Get-WindowsFeature. Helps you obtain information about role services, roles,
and features that are available on the Windows Server 2008 R2 server
computer. The cmdlet displays a list of Windows features that are installed on
the computer and features that are available for installation.
• Remove-WindowsFeature. Allows you to remove specific roles, role services,
and features on a computer that is running Windows Server 2008 R2. The
Remove-WindowsFeature cmdlet functions similar to the Remove Roles
Wizard and the Remove Features Wizard, which you can start from Server
Manager. In the wizard, you can remove more than one role, role service, or
feature per session.
The Server Manager module and its cmdlets are also available on a Server Core
installation once the Windows PowerShell feature has been installed there.

Question: When you tried to run the Get-WindowsFeature cmdlet, you got an
error stating that Get-WindowsFeature is not recognized as the name of cmdlet,
function, script file, or operable program. What is the most probable reason for the
error?

Demonstration: How To Manage Server Roles by Using Server Manager PowerShell commands


Key Points

1. On LON-DC1, import the ServerManager PowerShell module by executing the following command.

Import-Module ServerManager

2. In the Windows PowerShell window, view the list of available roles, role
services and features by executing the following command:

Get-WindowsFeature

3. Run the following command to install the Windows Server Backup feature.

Add-WindowsFeature Backup

4. Run the following command to verify that Windows Server Backup feature is
installed.

Get-WindowsFeature Backup

5. Run the following command to remove the Windows Server Backup feature.

Remove-WindowsFeature Backup

Question: Can you use the Server Manager module to list or add server roles on a
remote Windows Server 2008 R2 server?
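The script below is an added example, not part of the course, of what a practitioner usually wants from the three Server Manager cmdlets beyond a one-off install: an audit of installed roles and features against an expected baseline (anything installed but not expected is unexplained attack surface) and an idempotent install that checks the result object. The baseline list is an assumption for this example; build yours from a known-good server. Run it in an elevated session on Windows Server 2008 R2.

```powershell
# Added example (not from the course): compare installed features with an
# expected baseline, then install only what is missing. The baseline is an
# assumption for this example; the feature names are valid Windows Server 2008 R2
# names as returned by Get-WindowsFeature.
Import-Module ServerManager

# Everything this server is supposed to have. Installed features not in this list
# are unexpected and should be explained or removed.
$baseline = @('Web-Server', 'Web-Static-Content', 'Web-Http-Errors',
              'Web-Mgmt-Console', 'Backup', 'PowerShell-ISE')

# Get-WindowsFeature returns every role, role service and feature. Installed is a
# boolean; Name is the identifier that Add-/Remove-WindowsFeature accept.
$installed  = Get-WindowsFeature | Where-Object { $_.Installed }
$unexpected = $installed | Where-Object { $baseline -notcontains $_.Name }
$missing    = $baseline  | Where-Object { -not (Get-WindowsFeature $_).Installed }

"Installed but not in baseline:"
$unexpected | Format-Table Name, DisplayName -AutoSize
"In baseline but not installed:"
$missing

# Install the missing ones. Add-WindowsFeature returns a FeatureOperationResult;
# Success and RestartNeeded (No/Yes/Maybe) tell you whether the feature is usable.
foreach ($name in $missing) {
    $result = Add-WindowsFeature -Name $name
    if (-not $result.Success) {
        Write-Warning "Failed to install $name (exit code $($result.ExitCode))"
    } elseif ($result.RestartNeeded -ne 'No') {
        Write-Warning "$name installed; a restart is required before it is active"
    }
}

# Removal is the mirror image. Removing a role leaves its configuration and data
# on disk, so check what depends on it first; -WhatIf prints the plan only.
if ($unexpected | Where-Object { $_.Name -eq 'Web-Dir-Browsing' }) {
    Remove-WindowsFeature -Name Web-Dir-Browsing -WhatIf
}
```

Run the audit on a schedule and diff its output; a feature appearing that nobody added is worth an incident ticket. To run it on another server, wrap the body in Invoke-Command as the lab does, because the cmdlets themselves have no -ComputerName parameter.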

Managing Group Policy by Using Windows PowerShell Cmdlets


Key Points
You can use Windows PowerShell to automate the tasks that you typically perform
in the user interface by using the Group Policy Management Console (GPMC). The
Group Policy module in Windows Server 2008 R2 provides more than 25 cmdlets
such as New-GPO and Set-GPOLink. You can use these cmdlets to perform the
following tasks for domain-based Group Policy Objects (GPOs):
• Maintaining GPOs. You can create, remove, back up, restore, and import GPOs.
• Associating GPOs with Active Directory containers. You can create, update,
and remove Group Policy links.
• Setting inheritance flags and permissions. You can set inheritance flags and
permissions on Active Directory organizational units (OUs) and domains.
• Configuring registry-based policy settings and Group Policy Preferences
Registry settings. You can update, retrieve, and remove registry-based policy
settings and Group Policy Preferences Registry settings.
• Creating and editing Starter GPOs. You can create and edit Starter GPOs.
Before you can use Group Policy cmdlets, first import the Group Policy module by
running the following cmdlet.

Import-Module GroupPolicy

You can list the available Group Policy cmdlets by running the following cmdlet.

Get-Command *-GP*

For example, you can create a new GPO from a Starter GPO and link it to an OU by
running the following command.

New-GPO -Name "Test GPO" -StarterGpoName "Windows Vista EC Computer" | New-GPLink -Target "OU=Finance,DC=contoso,DC=com"

You can back up the Default Domain Policy by running the following cmdlet.

Backup-GPO -Name "Default Domain Policy" -Path c:\GPOBackup

You can delete the GPO named Demo Group Policy by running the following cmdlet.

Remove-GPO -Name "Demo Group Policy"

Question: How can you verify whether the actions or changes that you performed
by using the Group Policy Windows PowerShell module were applied in your test
domain?
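The following script is an added example, not part of the course, that carries one GPO through the tasks listed above and then answers the question of how to verify the result from Windows PowerShell. The GPO name, the Finance OU and the backup path are assumptions; the registry key is the standard policy location for the User Account Control setting EnableLUA. It requires the Group Policy module on Windows Server 2008 R2 and a domain administrator session.

```powershell
# Added example (not from the course): create a GPO, put a registry-based policy
# setting in it, link it enforced, restrict who may edit it, back it up, and read
# everything back. GPO name, OU and backup path are assumptions for this example.
Import-Module GroupPolicy

$gpoName = 'Baseline - UAC'
$ou      = 'OU=Finance,DC=contoso,DC=com'
$backup  = 'C:\GPOBackup'
$uacKey  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Create the GPO only if it does not exist; Get-GPO throws when the name is unknown.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if ($null -eq $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Keeps UAC enabled' }

# Registry-based policy: the module writes the value into the GPO's registry.pol.
Set-GPRegistryValue -Name $gpoName -Key $uacKey -ValueName 'EnableLUA' -Type DWord -Value 1 | Out-Null

# Link it to the OU, enforced so that a GPO linked lower down cannot override it.
# Create the link only if the OU does not already have one for this GPO.
$existing = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existing) { New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Enforced Yes | Out-Null }

# Permissions: Authenticated Users get Read+Apply and nothing more. -Replace makes
# this an explicit set rather than an additive grant.
Set-GPPermissions -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoApply -Replace | Out-Null

# Back it up before anyone else edits it; the returned Id is what Restore-GPO needs.
New-Item -ItemType Directory -Path $backup -Force | Out-Null
$b = Backup-GPO -Name $gpoName -Path $backup -Comment 'After initial creation'
"Backup id: $($b.Id)"

# Verification: read the setting back, list the links on the OU, and save an HTML
# report of the whole GPO for review or archiving.
Get-GPRegistryValue -Name $gpoName -Key $uacKey | Format-Table ValueName, Type, Value -AutoSize
(Get-GPInheritance -Target $ou).GpoLinks | Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
Get-GPOReport -Name $gpoName -ReportType Html -Path "$backup\$gpoName.html"
```

To confirm that the policy actually reached a computer in the OU, run gpupdate /force on that computer and then gpresult /r (or Get-GPResultantSetOfPolicy from the module) and check that the GPO appears under the applied computer policies.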

Demonstration: How To Manage IIS by Using Windows PowerShell Cmdlets


Key Points
Before you can import the Web Administration module, you must set the execution
policy by using the Set-ExecutionPolicy cmdlet, because the module's manifest
and formatting files are script files that the default Restricted policy refuses to
load. The execution policy determines which Windows PowerShell script files can
run on the computer. The four policies you will normally choose between are:
• Restricted. No script files run; Windows PowerShell can be used only
interactively. This is the default on Windows Server 2008 R2.
• AllSigned. Only scripts signed by a trusted publisher can run, including scripts
that you wrote on the local computer.
• RemoteSigned. Scripts downloaded from the Internet (files that carry a zone
identifier) must be signed by a trusted publisher; locally created scripts run
unsigned.
• Unrestricted. All scripts run; you are warned before an unsigned downloaded
script runs.
Windows PowerShell 2.0 also accepts Bypass (nothing is blocked and no warnings
are shown) and Undefined (no policy is set in the current scope). Note that the
execution policy is a safeguard against running scripts unintentionally, not a
security boundary: anyone who can start powershell.exe can get around it, for
example with the -ExecutionPolicy parameter or by pasting the script into an
interactive session. Use -Scope Process when you only need the change for the
current session.

The following are the steps to manage IIS:

1. On LON-DC1, in the Windows PowerShell ISE window, run the following
commands to verify that there are no Web Administration-related commands
yet, set the execution policy, and then import the Web Administration module.

Get-Command *-web*
Set-ExecutionPolicy RemoteSigned
Import-Module WebAdministration

2. Run the following command to use a provider for Web Administration and to
display the information in Internet Information Services.

cd IIS:
dir

3. Run the following command to move to the Sites folder and list the sites on
LON-DC1.

cd Sites
dir

4. Open the Internet Information Services (IIS) Manager console and verify that
the same sites are available as those in the Windows PowerShell environment.
5. Run the following command to create a new Web site and to display the Web
sites on LON-DC1.

New-Website -Name "Demo Site" -IPAddress 192.168.10.1 -PhysicalPath "$env:systemdrive\inetpub\contoso"
dir

6. In the Internet Information Services (IIS) Manager console, verify that the new
Web site, Demo Site, is present.
7. Define the host name binding for the created Web site by running the
following command:

New-WebBinding -Name "Demo Site" -HostHeader "LON-DC1.contoso.com"


8. In the Internet Information Services (IIS) Manager console, verify that the Web
site has two bindings, one with the IP address and the other with the host name
defined.
9. Open Internet Explorer, type http://lon-dc1.contoso.com in the address bar,
and then press Enter to connect to the new Web site.
10. Add a virtual directory to the existing Web site by running the following
command.

New-WebVirtualDirectory -Site "Demo Site" -Name "Subfolder" -PhysicalPath "$env:systemdrive\inetpub\wwwroot"

11. In the Internet Explorer window, connect to http://lon-dc1.contoso.com/subfolder
to view the default IIS Web page.
12. In the Windows PowerShell ISE window, run the following command to create
a new application pool, DemoAppPool, and set the Demo Web site to run in
DemoAppPool.

New-WebAppPool DemoAppPool
Set-ItemProperty "IIS:\Sites\Demo Site" -Name applicationPool -Value DemoAppPool

13. In the Internet Information Services (IIS) Manager console, verify that the
Demo site runs in the DemoAppPool application pool.
14. Delete the Demo Web site by running the following command:

Remove-Website -Name "Demo Site"

15. In the Internet Information Services (IIS) Manager console, verify that Demo
Site is no longer present.
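The script below is an added example, not part of the course, that builds the demonstration's site the way a production deployment should: a dedicated application pool running under its own virtual account, file permissions limited to that account, a host-name-only binding, directory browsing switched off for the site, and a verification pass at the end. The site name, path, IP address and host header are the demonstration's values; the use of icacls and the ApplicationPoolIdentity setting are assumptions for this example. It requires the WebAdministration module on Windows Server 2008 R2 in an elevated session.

```powershell
# Added example (not from the course): the demonstration's site with isolation and
# verification steps. Site name, path, IP address and host header follow the
# demonstration; the ACL layout is an assumption for this example.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force   # this session only; nothing persists
Import-Module WebAdministration

$site     = 'Demo Site'
$pool     = 'DemoAppPool'
$path     = "$env:systemdrive\inetpub\contoso"
$hostName = 'lon-dc1.contoso.com'
$ip       = '192.168.10.1'

# A dedicated application pool. identityType 4 is ApplicationPoolIdentity, the
# per-pool virtual account "IIS AppPool\<name>", so this site shares no token
# with any other site on the server.
if (-not (Test-Path "IIS:\AppPools\$pool")) { New-WebAppPool -Name $pool | Out-Null }
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.identityType -Value 4

# Content directory: the pool account gets read and execute only, so a
# compromised worker process cannot modify its own content.
New-Item -ItemType Directory -Path $path -Force | Out-Null
icacls $path /inheritance:r `
    /grant:r "IIS AppPool\${pool}:(OI)(CI)RX" `
             "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
             "BUILTIN\Administrators:(OI)(CI)F" | Out-Null

# Bind by host name from the start, so the site never answers requests that are
# addressed to the bare IP address.
if (-not (Test-Path "IIS:\Sites\$site")) {
    New-Website -Name $site -PhysicalPath $path -IPAddress $ip -Port 80 `
                -HostHeader $hostName -ApplicationPool $pool | Out-Null
}

# Directory browsing off for this site. With -PSPath the module writes a
# <location> entry for the site instead of changing the server-wide default.
Set-WebConfigurationProperty -Filter /system.webServer/directoryBrowse -Name enabled `
    -Value $false -PSPath "IIS:\Sites\$site"

# Verification: pool assignment, bindings and the effective directoryBrowse value.
Get-Item "IIS:\Sites\$site" | Format-List Name, State, ApplicationPool, PhysicalPath
Get-WebBinding -Name $site | Format-Table Protocol, BindingInformation -AutoSize
(Get-WebConfigurationProperty -Filter /system.webServer/directoryBrowse -Name enabled -PSPath "IIS:\Sites\$site").Value
```

The ACL step assumes the pool already exists, because the "IIS AppPool\<name>" account is only resolvable once the pool has been created. Adding an HTTPS binding on top of this is the next step in practice; it needs a certificate in cert:\LocalMachine\My and is left out here.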

Lab: Managing Windows Server 2008 R2 with Windows PowerShell 2.0


Introduction
In this lab, you will manage Windows Server 2008 R2 with Windows PowerShell
2.0. You will work with Active Directory by using the Active Directory PowerShell
module, manage IIS by using Windows PowerShell, and configure Server Manager
server roles and features by using Windows PowerShell.

Objectives
After completing this lab, you will be able to:
• Use Windows PowerShell.
• Work with Active Directory by using the Active Directory PowerShell
module.
• Manage IIS by using Windows PowerShell.
• Configure Server Manager server roles and features by using Windows
PowerShell.

Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd

Lab Scenario


You are a Web server administrator at Contoso, Ltd. Your organization currently
uses graphical tools for all administration tasks. It wants to simplify
administration and automate repetitive administrative tasks, and has decided to
use Windows PowerShell for this. To accomplish this, you are asked to explore
Windows PowerShell fundamentals and the existing commands, and to learn how to
use the pipeline and output formatting. Because Windows PowerShell will also be
used for Active Directory administration and server role management, you need to
use the appropriate Windows PowerShell modules in Windows Server 2008 R2.

Exercise 1: Using Windows PowerShell

The main tasks for this exercise are as follows:


1. Start the virtual servers.
2. List and use the available commands and aliases.
3. Use pipeline and output formatting.
4. Use the Windows PowerShell providers.
5. Use Windows PowerShell remoting.

Task 1: Start the virtual servers.


• Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.

Task 2: List and use the available commands and aliases.


• Open the Windows PowerShell window and run the following command to
view the list of commands and their functions.

Get-Command

• Run the following command to get help for the Get-Alias command. Also view
the information about the Get-Alias command, such as description, synopsis,
syntax, related links, and remarks.

Get-Help Get-Alias

• Run the following command to view the list of available alias commands.

Get-Alias

• Run the following command to view the list of all running processes on the
server.

Get-Process

• Run the following command to verify that there is no Processes command
available.

Processes

An error message appears.

• Run the following command to define a new alias and view the list of running
processes.

Set-Alias Processes Get-Process
Processes

• Run the following command to verify that you have defined the new alias,
Processes.

Get-Alias

• Run the following command to verify that Get-Help resolves the alias and
shows the same help as it does for the Get-Process command.

Get-Help Processes

Task 3: Use pipeline and output formatting.


• At the command prompt of the Windows PowerShell window, run the
following command to view the list of running processes and to sort them by
their ID.

Get-Process | Sort-Object –Property id

• Run the following command to sort the processes by their ID and to view only
the ID, Handles, and ProcessName of the running process.

Get-Process | Select-Object -Property id,Handles,ProcessName | Sort-Object -Property id

• Run the following command to view the first 10 running processes sorted by
their ID.

Get-Process | Sort-Object -Property id | Select-Object -First 10

• Run the following command to format the output of the first 10 running
processes sorted by their ID.

Get-Process | Sort-Object -Property id | Select-Object -First 10 | Format-List

• Run the following command to obtain all running processes, sort them by ID,
store them in a variable, and display the processes stored.

$processes = Get-Process | Sort-Object -Property id
$processes

Task 4: Use the Windows PowerShell providers.


• Run the following command to use the provider for Windows environment
variables and to add a new environment variable. Replace the placeholder
with the current day of the week, for example Wednesday.

cd env:
md Today -Value "enter today's day"

• Run the following command to verify that the new variable, Today, is defined
with the value you entered (Wednesday in this example).

dir

• Run the following command to use the provider for the Windows registry and
to add a new registry key named after the day you entered.

cd hkcu:
md Wednesday

• Open Registry Editor and verify that the HKCU registry hive contains the
Wednesday key.

regedit

• Use the provider for digital certificates and navigate to the local computer's
personal certificate store by running the following command.

cd cert:
cd localmachine\my

• View the list of digital certificates in the computer store by running the
following command.

dir

• Open the Certificates snap-in and verify whether the computer certificates are
the same as those from the PowerShell interface.

Task 5: Use Windows PowerShell remoting.


• On LON-DC1, open the Windows PowerShell window and run the following
command to verify that a PowerShell command cannot be executed on the
remote system by default.

Invoke-Command -ComputerName LON-SVR1 {Get-Process}

An error message appears, because the WinRM service that Windows PowerShell
remoting relies on is not configured to accept remote requests by default on a
Windows Server 2008 R2 computer.

• On LON-SVR1, run the following command to enable Windows PowerShell
remoting. Enable-PSRemoting starts the WinRM service, registers the default
session configurations, creates an HTTP listener on TCP port 5985, and adds a
Windows Firewall exception for it; by default only members of the local
Administrators group can connect.

Enable-PSRemoting -Force

• On LON-DC1, run the following command again to view the list of running
processes.

Invoke-Command -ComputerName LON-SVR1 {Get-Process}

• On LON-DC1, run the following command to view the first 10 running
processes sorted by ID from LON-SVR1.

Invoke-Command -ComputerName LON-SVR1 {Get-Process | Sort-Object -Property id | Select-Object -First 10}

Results: After completing this exercise, you should have used the available commands
and aliases, pipeline and output formatting, Windows PowerShell providers, and
Windows PowerShell remoting.
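The following script is an added example, not part of the lab, that turns the remoting steps above into a small triage task: it checks that each server answers WinRM before connecting, collects the running processes from all servers with one fan-out Invoke-Command, and flags processes whose executable lives outside the Windows and Program Files directories. The server names are the lab's; the trusted-path list and the Test-TrustedPath helper are assumptions for this example. The remote computers must have had Enable-PSRemoting run on them and the caller must be a local administrator there.

```powershell
# Added example (not from the lab): fan-out remoting used for process triage.
# Server names come from the lab; the trusted path roots are an assumption.
$servers = @('LON-DC1', 'LON-SVR1')

# Test-WSMan talks to the WinRM listener without opening a session, so a host
# that is unreachable or not yet enabled is reported instead of timing out later.
$reachable = @()
foreach ($s in $servers) {
    if (Test-WSMan -ComputerName $s -ErrorAction SilentlyContinue) { $reachable += $s }
    else { Write-Warning "$s does not answer WinRM; run Enable-PSRemoting -Force on it" }
}
if ($reachable.Count -eq 0) { throw 'No server reachable over WinRM' }

# One Invoke-Command with several computer names runs the script block on all of
# them in parallel (fan-out); each returned object carries PSComputerName. Path is
# $null for System, Idle and protected processes, so it is kept and listed apart.
$procs = Invoke-Command -ComputerName $reachable -ScriptBlock {
    Get-Process | Select-Object Name, Id, Path
}

function Test-TrustedPath {
    param([string]$Path)
    # Executables outside these roots are not necessarily malicious, but that is
    # where unpacked tools, droppers and binaries in user profiles usually sit.
    # Assumed roots; the remote SystemRoot may differ from the local one.
    foreach ($root in 'C:\Windows\', 'C:\Program Files\', 'C:\Program Files (x86)\') {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

"Processes running from outside the trusted roots:"
$procs | Where-Object { $_.Path -and -not (Test-TrustedPath $_.Path) } |
    Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, Id, Path -AutoSize

"Processes whose image path could not be read (per server):"
$procs | Where-Object { -not $_.Path } | Group-Object PSComputerName |
    Format-Table Name, Count -AutoSize
```

Everything inside the script block executes on the remote computers and only the selected properties travel back, which keeps the session short and the data volume small. For a persistent connection to the same servers, create the sessions once with New-PSSession and pass them with -Session instead of -ComputerName.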

Exercise 2: Working with Active Directory by Using the Active Directory PowerShell Module


The main tasks for this exercise are as follows:


1. Add Windows PowerShell ISE and import the Active Directory module.
2. Use the Active Directory provider to view the objects metadata.
3. Use Windows PowerShell to work with user and group accounts.
4. Use Windows PowerShell to work with organizational units.

Task 1: Add Windows PowerShell ISE and import the Active Directory module.
• On LON-DC1, install the Windows PowerShell Integrated Scripting
Environment (ISE) feature by using the Server Manager console.
• Open the Windows PowerShell ISE window and run the following command
to verify that there are no Active Directory commands.

Get-Command *-ad*

• Import the Active Directory module and then verify whether the Active
Directory commands are added by running the following command.

Import-Module ActiveDirectory
Get-Command *-ad*

Task 2: Use the Active Directory provider to view the objects' metadata.
• Run the following command to use a provider for Active Directory and to list
the information in Active Directory.

cd AD:
dir

• Query the information on the contoso.com domain and the domain controller
that you are using in the contoso.com domain by running the following
command.

Get-ADDomain Contoso.com
Get-ADDomainController

• Query the information in a global catalog in the forest and the domain
password policy in the contoso.com domain by running the following
command.

Get-ADDomainController -Discover -Service "GlobalCatalog"
Get-ADDefaultDomainPasswordPolicy Contoso.com

• Count the number of Active Directory objects and view all the computer
objects in the domain in the form of a table by running the following
command.

Get-ADObject -Filter {name -like '*'} -SearchBase 'DC=Contoso,DC=com' | Measure-Object
Get-ADObject -Filter 'ObjectClass -eq "Computer"' -SearchBase 'DC=Contoso,DC=com' -Properties Name,SamAccountName | Format-Table Name,SamAccountName

• Run the following command to export all objects from the Users container to a
CSV file.

Get-ADObject -Filter 'Name -like "*"' -SearchBase 'CN=Users,DC=Contoso,DC=com' | Export-Csv "c:\Export.csv"

• Verify that the c:\export.csv file contains information about objects in the
Users container.

Task 3: Use Windows PowerShell to work with user and group accounts.
• On LON-DC1, run the following command to navigate through Active
Directory.

cd "cn=users,dc=contoso,dc=com"
dir

• On LON-DC1, create a new Active Directory user, User1, and move User1 to
the Remote Access organizational unit by running the following command.

New-ADUser User1
Move-ADObject -Identity "cn=User1,cn=Users,dc=contoso,dc=com" -TargetPath "OU=Remote Access,dc=contoso,dc=com"

• Create a User2 Active Directory user by running the following command.

New-ADUser User2 -Path "OU=Remote Access,DC=contoso,DC=com"

• Create a User3 Active Directory user with additional attributes by running the
following command. The password is in single quotes so that Windows
PowerShell does not expand $$ (the automatic variable holding the current
process ID) inside it; in double quotes, "Pa$$w0rd" would become a different
string.

New-ADUser -SamAccountName User3 -Name "User 3" -AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) -Enabled $true -Path "OU=Remote Access,DC=contoso,DC=com"

• Run the following commands to modify the properties of the users.

Set-ADUser User1 -GivenName "Name" -Surname "Family name"
Set-ADUser User2 -HomePage "http://www.contoso.com"

• Open the Active Directory Users and Computers console and verify that the
First and Last names have been defined for User1. Also verify that the Home
page has been defined for User2.
• Run the following command to modify the properties of multiple users.

Get-ADUser -Filter 'Name -like "User*"' -SearchBase "OU=Remote Access,DC=contoso,DC=com" | Set-ADUser -Description "Remote Access User"

• Open the Active Directory Users and Computers console and verify that
User1, User2, and User3 have the description set to Remote Access User.
• Run the following command to view the list of disabled user accounts.

Search-ADAccount -AccountDisabled | where {$_.ObjectClass -eq 'user'} | Format-Table Name

• Delete the User1 account from Active Directory by running the following
command.

Remove-ADUser User1

• In the Active Directory Users and Computers console, verify that User1 is no
longer present.
• Add User2 to the RD Users group by running the following command.

Add-ADGroupMember -Identity "RD Users" -Members User2

• In the Active Directory Users and Computers console, verify that RD Users
group (in Remote Access OU) has User2 as a member.

Task 4: Use Windows PowerShell to work with organizational units.


• Run the following command to create a new Active Directory organizational
unit and to display the organizational units in Active Directory in the form of a
table.

New-ADOrganizationalUnit -Name "User Accounts" -Path "DC=contoso,DC=com"
Get-ADOrganizationalUnit -Filter {Name -like '*'} | Format-Table Name, DistinguishedName -A

• Run the following command to find the organizational units that match certain
criteria and modify their description.

Get-ADOrganizationalUnit -Filter {Name -like 'User*'} | Set-ADOrganizationalUnit -Description "User organizational unit"

• Move a user to the new organizational unit by running the following command.

Get-ADUser User2 | Move-ADObject -TargetPath "OU=User Accounts,DC=contoso,DC=com"

• Run the following command to verify whether you can delete the
organizational unit.

Remove-ADOrganizationalUnit "OU=User Accounts,DC=contoso,DC=com" -Recursive

The command will fail, because organizational units are protected from accidental
deletion by default.

• Delete the organizational unit by first clearing the protection flag and then
removing it.

Set-ADOrganizationalUnit "OU=User Accounts,DC=contoso,DC=com" -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit "OU=User Accounts,DC=contoso,DC=com" -Recursive

• In the Active Directory Users and Computers console, verify that User
Accounts OU in contoso.com domain is no longer present.

Results: After completing this exercise, you should have added Windows PowerShell
ISE and imported the Active Directory module, used the Active Directory provider to
view the objects metadata, and Windows PowerShell to work with user and group
accounts, and organizational units.
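The script below is an added example, not part of the lab, that extends the user and group tasks to more than one account without the weakest part of the lab commands, a plaintext password shared by every user. Each account gets a random initial password that must be changed at first logon, is created disabled until the password has been handed over, and is added to a group, with a verification pass at the end. The OU and group are the lab's; the CSV rows are constructed sample data in the shape Import-Csv would return, and the use of System.Web's password generator is an assumption for this example.

```powershell
# Added example (not from the lab): bulk user provisioning without a shared
# plaintext password. OU and group come from the lab; the CSV data is constructed
# sample input and the password generator is an assumption for this example.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web     # provides Membership.GeneratePassword

$ou    = 'OU=Remote Access,DC=contoso,DC=com'
$group = 'RD Users'

# Constructed sample input, in the shape that Import-Csv -Path users.csv returns.
$users = @'
SamAccountName,GivenName,Surname
pdavis,Pat,Davis
rlee,Robin,Lee
'@ | ConvertFrom-Csv

$report = foreach ($u in $users) {
    # Skip accounts that already exist instead of failing half-way through the list.
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "$($u.SamAccountName) already exists; skipped"
        continue
    }

    # 16 characters with at least 3 non-alphanumerics. The value never goes through
    # string expansion, so characters such as $ are safe here.
    $initial = [System.Web.Security.Membership]::GeneratePassword(16, 3)
    $secure  = ConvertTo-SecureString -AsPlainText $initial -Force

    # Disabled until the password has been handed over; must be changed at logon.
    New-ADUser -SamAccountName $u.SamAccountName `
               -Name "$($u.GivenName) $($u.Surname)" `
               -GivenName $u.GivenName -Surname $u.Surname `
               -UserPrincipalName "$($u.SamAccountName)@contoso.com" `
               -Path $ou -AccountPassword $secure `
               -ChangePasswordAtLogon $true -Enabled $false

    Add-ADGroupMember -Identity $group -Members $u.SamAccountName

    # Return the one-time password to the caller for out-of-band delivery;
    # never write it to a shared log file.
    New-Object PSObject -Property @{ User = $u.SamAccountName; InitialPassword = $initial }
}

$report | Format-Table User, InitialPassword -AutoSize

# Verification: group membership, and the flags that matter for the hand-over
# (Enabled should be False, PasswordExpired True until the first logon).
Get-ADGroupMember -Identity $group | Format-Table Name, SamAccountName -AutoSize
Get-ADUser -Filter * -SearchBase $ou -Properties PasswordExpired |
    Format-Table SamAccountName, Enabled, PasswordExpired -AutoSize
```

After the password has reached the user, enable the account with Enable-ADAccount. Because -ChangePasswordAtLogon sets pwdLastSet to 0, the initial password is usable for exactly one logon, which limits the damage if the hand-over channel is intercepted.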

Exercise 3: Managing IIS by Using Windows PowerShell

The main tasks for this exercise are as follows:


1. Set the execution policy and load the Web Administration module.
2. Explore Web Administration, create a Web site, and define its binding.
3. Create an application pool and set the Web site to run in the created
application pool.

Task 1: Set the execution policy and load the Web Administration module.
• On LON-DC1, in the Windows PowerShell ISE window, run the following
command to verify that there are no Web Administration–related commands
and to set the execution policy.

Get-Command *-web*
Set-ExecutionPolicy RemoteSigned

• Add the Web Administration module and then view the Web Administration–
related commands by running the following command.

Import-Module WebAdministration
Get-Command *-web*

Task 2: Explore Web Administration, create a Web site, and define its binding.
• Run the following command to use a provider for Web Administration and to
display the information in Internet Information Services.

cd IIS:
dir

• Run the following command to move to the Sites folder and list the sites on
LON-DC1.

cd Sites
dir

• Open the Internet Information Services (IIS) Manager console and verify that
the same sites are available as those in the Windows PowerShell environment.
• Run the following command to create a new Web site and to display the Web
sites on LON-DC1.

New-Website -Name "Demo Site" -IPAddress 192.168.10.1 -PhysicalPath "$env:systemdrive\inetpub\contoso"
dir

• In the Internet Information Services (IIS) Manager console, verify that the new
Web site, Demo Site, is present.
• Define the host name binding for the created Web site by running the
following command.

New-WebBinding -Name "Demo Site" -HostHeader "LON-DC1.contoso.com"

• In the Internet Information Services (IIS) Manager console, verify that the Web
site has two bindings, one with IP Address and the other with the host name
defined.
• Open Internet Explorer, type http://lon-dc1.contoso.com in the address bar,
and then press Enter to connect to the new Web site.
• Add a virtual directory to the existing Web site by running the following
command.

New-WebVirtualDirectory -Site "Demo Site" -Name "Subfolder" -PhysicalPath "$env:systemdrive\inetpub\wwwroot"

• In the Internet Explorer window, connect to http://lon-dc1.contoso.com/subfolder
to view the default IIS Web page.

Task 3: Create an application pool and set the Web site to run in the created application pool.
• In the Windows PowerShell ISE window, run the following command to create
a new application pool, DemoAppPool, and set the Demo Web site to run in
DemoAppPool.

New-WebAppPool DemoAppPool
Set-ItemProperty "IIS:\Sites\Demo Site" -Name applicationPool -Value DemoAppPool

• In the Internet Information Services (IIS) Manager console, verify that the
Demo site runs in the DemoAppPool application pool.
• Delete the Demo Web site by running the following command.

Remove-Website -Name "Demo Site"

• In the Internet Information Services (IIS) Manager console, verify that Demo
Site is no longer present.

Results: After completing this exercise, you should have set the execution policy and
loaded the Web Administration module, created a Web site, defined its binding,
created an application pool, and set the Web site to run in the created application
pool.

Exercise 4: Configuring Server Manager Server Roles and Features by Using Windows PowerShell


The main tasks for this exercise are as follows:


1. Import the Server Manager module, view the server roles, and add a feature.
2. Add the server feature to the remote server.

Task 1: Import the Server Manager module, view server roles, and add a feature.
• In the Windows PowerShell ISE window, run the following command to
import the ServerManager PowerShell module and to view the Server
Manager–related commands.

Import-Module ServerManager
Get-Module ServerManager

• Run the following command to view the available Server Manager commands
and to view the list of server roles and features.

Get-Command *feature*
Get-WindowsFeature

• In the Server Manager console, verify that the Network Load Balancing feature
is not installed.
• Install the Network Load Balancing feature (its feature name, as shown by
Get-WindowsFeature, is NLB) by running the following command.

Add-WindowsFeature NLB

• In the Server Manager console, verify that the Network Load Balancing feature
is now installed.

Task 2: Add the server feature to the remote server.


• On LON-SVR1, open the Server Manager console and verify that the Network
Load Balancing feature is not installed.

• On LON-DC1, in the Windows PowerShell window, run the following
commands to verify that the Network Load Balancing feature is not installed on
LON-SVR1, and then install it on the remote server. The module must be
imported inside the script block, because it is loaded in the remote session,
not in the local one.

Invoke-Command -ComputerName LON-SVR1 {Import-Module ServerManager; Get-WindowsFeature NLB}
Invoke-Command -ComputerName LON-SVR1 {Import-Module ServerManager; Add-WindowsFeature NLB}

• On LON-SVR1, verify that the Network Load Balancing feature is now installed
by using the Server Manager console.

Results: After completing this exercise, you should have imported the Server Manager
module, viewed the server roles, added a feature, and added the server feature to the
remote server.

The answers to the exercises are on the Course Companion CD.

Before proceeding to the next lab, reset the lab environment.



Lab Review

1. Which command should you use to load the Web Administration module?
You should use the Import-Module WebAdministration command to load the
Web Administration module.
2. Which command should you use to view the list of server roles and features?
You should use the Get-WindowsFeature command to view the list of server
roles and features.

Module Reviews and Takeaways

Review Questions
1. What must you install in Windows Server 2008 R2 to be able to use Windows
PowerShell?
2. How can you find which cmdlets are available in your Windows PowerShell
environment?
3. How can you extend Windows PowerShell with additional cmdlets?
4. What is the difference between fan-in and fan-out remoting?
5. You imported the Windows PowerShell Active Directory module, but you are
still not able to manage Group Policy from Windows PowerShell. What might
be the reason for that?
Real-World Issues and Scenarios

1. You would like to use Windows PowerShell, but you do not know how to
start. What should you be aware of?
2. You would like to administer a remote server by using Windows PowerShell
Remoting. What should you consider before you can administer the remote
server?

Tools
• powershell.exe
• powershell_ise.exe
• WinRM

Deploying and Managing Windows Server 2008 R2
Lab 1A: Deploying Windows Server 2008 R2
Exercise 1: Configuring and Testing Virtual Hard Disk with Native Boot
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.

Close the Initial Configuration Tasks window, if it appears.

Task 2: Attach the virtual hard disk and copy the boot configuration data.
1. On LON-SVR1, run the following code to select and attach the virtual hard
disk d:\win7.vhd in DiskPart, and assign the letter V to its volume.

diskpart
select vdisk file=d:\win7.vhd
attach vdisk
select volume 4
assign letter V
exit

Close the Server Manager console, if it appears.

• On the Start menu of LON-SVR1, point to All Programs, click
Accessories, and then click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

diskpart

• At the command prompt, type the following code, and then press ENTER.

select vdisk file=d:\win7.vhd

• At the command prompt, type the following code, and then press ENTER.
attach vdisk

• At the command prompt, type the following code, and then press ENTER.

select volume 4

• At the command prompt, type the following code, and then press ENTER.

assign letter V

• At the command prompt, type the following code, and then press ENTER.

exit

2. Open Windows Explorer and verify that the new drive, VHD (F:), contains the
same folder structure as Windows installation.
• On the Start menu, click Computer.
• In the Computer window, double-click Local Disk (F:).
• Verify that the new drive, VHD (F:), contains the same folder structure as a
clean Windows installation (PerfLogs, Program Files, Users, Windows).
• In the Local Disk (F:) window, click the Close button.
3. Run the following code to copy the boot environment files and the boot
configuration data from the \Windows directory of the attached VHD to the
system partition.

bcdboot F:\windows

• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

bcdboot F:\windows

Task 3: Add a native-boot virtual hard disk to an existing boot menu.

1. On LON-SVR1, run the following code to copy the existing Windows Server
2008 R2 boot entry.

bcdedit /copy {default} /d "Win7 from VHD"

• On LON-SVR1, at the command prompt of the Administrator: Command
Prompt window, type the following code, and then press ENTER.

bcdedit /copy {default} /d "Win7 from VHD"

The bcdedit command returns the {GUID} of the new entry as its output.

2. Run the following code to modify the copied Windows Server 2008 R2 boot
entry to point to the native-boot VHD file.

bcdedit /set {guid} device vhd=[c:]\Win7.vhd
bcdedit /set {guid} osdevice vhd=[c:]\Win7.vhd
bcdedit /default {guid}

Replace {guid} with the copied GUID value. Copy the GUID from the output, including
the braces.

• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

bcdedit /set {guid} device vhd=[c:]\Win7.vhd

• At the command prompt, type the following code, and then press ENTER.

bcdedit /set {guid} osdevice vhd=[c:]\Win7.vhd

• At the command prompt, type the following code, and then press ENTER.

bcdedit /default {guid}

• In the Administrator: Command Prompt window, click the Close button.
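Tasks 2 and 3 above are typed one command at a time, and the error-prone step is carrying the GUID printed by bcdedit /copy into the three bcdedit /set and /default commands by hand. The script below is an added example, not part of the courseware, that runs the same DiskPart, bcdboot and bcdedit sequence and captures that GUID from the command output. It assumes an elevated PowerShell window on LON-SVR1 and the lab's values for the VHD path, drive letter, volume number and entry name; note that it derives the vhd=[drive] locator from the VHD path it was given, whereas the lab's bcdedit lines use [c:], so set $VhdPath to the location the VHD actually has on the boot volume.

```powershell
# Added example (not courseware code): script the native-boot VHD setup so the
# boot-entry GUID is captured from bcdedit's output instead of retyped.
# Assumptions: elevated session on LON-SVR1; lab values as defaults below.
param(
    [string]$VhdPath      = 'd:\win7.vhd',
    [string]$DriveLetter  = 'V',
    [int]   $VolumeNumber = 4,
    [string]$EntryName    = 'Win7 from VHD'
)

# Step 1: attach the VHD and assign a drive letter by piping a script into DiskPart.
$diskpartScript = @"
select vdisk file=$VhdPath
attach vdisk
select volume $VolumeNumber
assign letter $DriveLetter
exit
"@
$diskpartScript | diskpart.exe | Out-Null
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Step 2: refuse to touch the boot store unless the attached volume really holds
# a Windows installation; otherwise the new default entry would not boot.
$windowsDir = "${DriveLetter}:\Windows"
if (-not (Test-Path "$windowsDir\System32\winload.exe")) {
    throw "$windowsDir does not contain a bootable Windows installation."
}

# Step 3: copy boot environment files and BCD entries from the VHD's \Windows
# to the system partition (the lab's bcdboot step).
bcdboot.exe $windowsDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# Step 4: copy the current default entry and pull the new entry's GUID out of
# the "The entry was successfully copied to {...}" message.
$copyOutput = bcdedit.exe /copy '{default}' /d $EntryName
$match = [regex]::Match(($copyOutput -join ' '), '\{[0-9a-fA-F-]{36}\}')
if (-not $match.Success) { throw "No GUID found in bcdedit output: $copyOutput" }
$guid = $match.Value

# Step 5: point device and osdevice at the VHD file. The [x:] prefix names the
# volume that holds the .vhd file as seen by the boot manager, not the letter
# DiskPart assigned to the volume inside the VHD.
$vhdLocator = "vhd=[{0}]\{1}" -f (Split-Path $VhdPath -Qualifier), (Split-Path $VhdPath -Leaf)
bcdedit.exe /set $guid device   $vhdLocator | Out-Null
bcdedit.exe /set $guid osdevice $vhdLocator | Out-Null
bcdedit.exe /default $guid | Out-Null

"Added boot entry $guid ('$EntryName') -> $vhdLocator"
```

Because the script makes the new entry the default, a typo in the locator means the next restart lands in the boot manager's error screen rather than in either operating system; the winload.exe check in step 2 and the exit-code checks are there so the script stops before it changes the default in that case.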

Task 4: Reboot LON-SVR1 and boot from the virtual hard drive.
1. Reboot LON-SVR1 and start it from the native boot virtual hard disk.

The system will start into Windows 7 Enterprise Edition, although Windows Server 2008
R2 Enterprise is installed on the computer.

• On the Start menu of LON-SVR1, click the Forward arrow near Log off,
and then click Restart.
• In the Option box of the Shut Down Windows dialog box, click
Operating System: Reconfiguration (Planned), and then click OK.
• Restart LON-SVR1.
• When the computer reboots, select the Windows 7 boot option, and then
press ENTER.

Before proceeding to the next exercise, restart LON-SVR1 and boot into the Windows
Server 2008 R2 Enterprise Edition operating system.

Exercise 2: Configuring New Features in Windows Deployment Services

Task 1: Create an image group and add a virtual hard disk image.

1. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.

Close the Server Manager console, if it appears.

2. On LON-SVR1, create an image group by using the Windows Deployment
Services console.
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Windows Deployment Services.
• In the tree pane of the Windows Deployment Services console, expand
Servers, right-click LON-SVR1.Contoso.com, and then click Configure
Server.
• On the Before You Begin page of the Windows Deployment Services
Configuration Wizard, click Next.
• On the Remote Installation Folder Location page, click Next.
• In the System Volume Warning message box, click Yes.
• On the PXE Server Initial Settings page, click Respond to all client
computers (known and unknown), and then click Next.
• On the Operation Complete page, clear the Add images to the server
now check box, and then click Finish.
• In the tree pane of the Windows Deployment Services console, expand
LON-SVR1.Contoso.com, click and right-click Install Images, and then
click Add Image Group.
• In the Enter a name for the image group box of the Add Image Group
dialog box, type Windows 7 image, and then click OK.
3. Open the Command Prompt and run the following code to add the win7.vhd
image file to Windows Deployment Services.

Wdsutil /Verbose /Progress /Add-Image /ImageFile:"d:\win7.vhd" /ImageType:Install /ImageGroup:"Windows 7 image"

• On the Start menu, point to All Programs, click Accessories, and then
click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

Wdsutil /Verbose /Progress /Add-Image /ImageFile:"d:\win7.vhd" /ImageType:Install /ImageGroup:"Windows 7 image"

• In the tree pane of the Windows Deployment Services console, right-click
Windows Deployment Services, and then click Refresh.

Verify that the Enterprise image has been added to Windows Deployment Services.

Task 2: Configure an unattended installation for a virtual hard disk image.

1. Run the following code to create a computer account for Computer1 and
assign a GUID to it.

Wdsutil /Add-Device /Device:Computer1 /ID:ACEFA3E81F20694E953EB2DAA1E8B1B6

• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

Wdsutil /Add-Device /Device:Computer1 /ID:ACEFA3E81F20694E953EB2DAA1E8B1B6

In Active Directory Users and Computers, verify that the computer account is added and
a GUID is assigned to it.

2. Move the WDS-client.xml file from Allfiles (D:)\Disk to the Local Disk
(C:)\RemoteInstall\WdsClientUnattend folder.
• On the Start menu, click Computer.
• In the navigation pane of the Computer window, under Computer, click
Allfiles (D:).
• In the Name list of the Allfiles (D:) window, double-click Disk.
• In the Name list of the Disk window, right-click WDS-client, and then
click Copy.
• In the navigation pane of the Computer window, under Computer, click
Local Disk (D:).
• In the Name list of the Local Disk (D:) window, double-click
RemoteInstall.
• In the Name list of the RemoteInstall window, double-click
WdsClientUnattend.
• In the WdsClientUnattend window, right-click anywhere, and then click
Paste.
3. Run the following code to associate an unattend file with the prestaged client.

Wdsutil /Set-Device /Device:Computer1 /WDSClientUnattend:WDSClientUnattend\WDS-client.xml

• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

Wdsutil /Set-Device /Device:Computer1 /WDSClientUnattend:WDSClientUnattend\WDS-client.xml

4. Configure an unattended installation for the image by using the Windows
Deployment Services console.
• In the tree pane of the Windows Deployment Services console, expand
LON-SVR1.Contoso.com, expand Install Images, and then click
Windows 7 image.
• In the Image Name list of the Windows 7 images result pane, right-click
Enterprise_6.1.7100, and then click Properties.
• In the Image Properties dialog box, select the Allow image to install in
unattended mode check box, and then click Select File.
• In the Select Unattended File dialog box, click Browse.
• In the navigation pane of the Select Unattended File dialog box, click
Allfiles (D:).
• In the Name list of the Allfiles (D:) window, double-click Disk.
• In the Name list of the Disk window, click WDS-unattend, and then click
Open.
• In the Select Unattended File dialog box, click OK.
• In the Image Properties dialog box, click OK.
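Task 2 prestages a client by its UUID with wdsutil /Add-Device and then binds an unattend file to it with /Set-Device. The script below is an added example, not courseware code, that performs those two steps with the checks a practitioner would want first: that the /ID value is really a UUID, that the RemoteInstall\WdsClientUnattend folder exists, and that the unattend file is well-formed XML before it is handed to every client that boots with that UUID. It assumes an elevated session on the WDS server (LON-SVR1), the lab's C:\RemoteInstall folder, and the lab's device name, UUID and file names as defaults.

```powershell
# Added example (not courseware code): prestage a WDS client and attach its
# unattend file, validating the inputs before the device record is created.
# Assumptions: elevated session on LON-SVR1; RemoteInstall is C:\RemoteInstall.
param(
    [string]$DeviceName    = 'Computer1',
    [string]$DeviceId      = 'ACEFA3E81F20694E953EB2DAA1E8B1B6',   # lab UUID
    [string]$SourceXml     = 'D:\Disk\WDS-client.xml',             # lab file
    [string]$RemoteInstall = 'C:\RemoteInstall'
)

# 1. The /ID value is the client's SMBIOS UUID, written with or without dashes.
function Test-WdsDeviceId([string]$Id) {
    return ($Id -match '^[0-9A-Fa-f]{32}$') -or
           ($Id -match '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$')
}
if (-not (Test-WdsDeviceId $DeviceId)) { throw "Device ID '$DeviceId' is not a UUID." }

# 2. Put the unattend file where WDS expects it (the lab moves it by hand).
$unattendDir = Join-Path $RemoteInstall 'WdsClientUnattend'
if (-not (Test-Path $unattendDir)) { throw "$unattendDir does not exist; is WDS configured?" }
Copy-Item -Path $SourceXml -Destination $unattendDir -Force
$relativeXml = 'WdsClientUnattend\' + (Split-Path $SourceXml -Leaf)

# 3. A malformed file would fail every deployment that matches this device,
#    so parse it once here. (Assumption: the file is plain XML, no BOM issues.)
try { $null = [xml](Get-Content (Join-Path $RemoteInstall $relativeXml)) }
catch { throw "Unattend file is not well-formed XML: $_" }

# 4. Prestage the device, then bind the unattend file to it (the lab's two commands).
wdsutil.exe /Add-Device "/Device:$DeviceName" "/ID:$DeviceId"
if ($LASTEXITCODE -ne 0) { throw "wdsutil /Add-Device failed ($LASTEXITCODE)" }
wdsutil.exe /Set-Device "/Device:$DeviceName" "/WdsClientUnattend:$relativeXml"
if ($LASTEXITCODE -ne 0) { throw "wdsutil /Set-Device failed ($LASTEXITCODE)" }

# 5. Read the record back from WDS so the result is confirmed, not assumed.
wdsutil.exe /Get-Device "/Device:$DeviceName"
```

Prestaging matters beyond unattended installs: the lab sets the PXE server to respond to all clients, known and unknown, but once devices are prestaged the server can be switched to answer only known clients, so an unrecognised machine on the network does not receive a boot image at all.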

Task 3: Add a driver package to an existing driver group.

1. Add a driver package to an existing driver group, DriverGroup1, by using the
Add Driver Package Wizard.
• In the tree pane of the Windows Deployment Services console, right-click
Drivers, and then click Add Driver Package.
• On the Driver Package Location page of the Add Driver Package Wizard,
click Select all driver packages from a folder, and then click Browse.
• In the Browse For Folder dialog box, expand Computer, expand Allfiles
(D:), and then expand Drivers.
• In the Browse For Folder dialog box, under Drivers, click dc3dh, and
then click OK.
• On the Driver Package Location page, click Next.
• On the Available Driver Packages page, click Next.
• On the Summary page, click Next.
• On the Task Progress page, click Next.
• On the Driver Groups page, click Select an existing driver group, ensure
that the DriverGroup1 option is selected, and then click Next.

By default this driver group has no filters, so all clients have access to the packages in
this group. Only the packages that match the client's hardware will be installed.

• On the Task Complete page, click Finish.


Task 4: Create a driver group and define a filter.

1. Create a driver group, Network Drivers, by using the Add Driver Group
Wizard with the following information:
• Manufacturer Filter Type: Contoso
• OS Edition: 7
• In the tree pane of the Windows Deployment Services console, right-click
Drivers, and then click Add Driver Group.
• On the Driver Group Name page of the Add Driver Group Wizard, in the
Type a name for this driver group box, type Network Drivers, and then
click Next.
• On the Client Hardware Filters page, click Add.
• In the Manufacturer Filter Type box of the Add Filter dialog box, type
Contoso, click Add, and then click OK.
• On the Client Hardware Filters page, click Next.
• On the Install Image Filters page, click Add.
• In the Filter Type box of the Add Filter dialog box, click OS Edition, type
7, click Add, and then click OK.
• On the Install Image Filters page, click Next.
• On the Packages to Install page, ensure that the Install only the driver
packages that match a client’s hardware option is selected, and then
click Next.
• On the Operation Complete page, click Finish.
• In the tree pane of the Windows Deployment Services console, under
LON-SVR1.Contoso.com, expand Drivers, right-click Network Drivers,
and then click Properties.
• On the Filters tab of the Network Drivers Properties dialog box, verify
how filters are specified and how to change the Applicability, and then
click Cancel.

Exercise 3: Migrating Server Roles

Task 1: Install the Windows Server Migration Tools feature.
1. On LON-DC1, install Windows Server Migration Tools by using the Add
Features Wizard of the Server Manager console.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Server Manager.
• In the tree pane of the Server Manager console, click Features.
• In the Features Summary area of the Features result pane, click Add
Features.
• On the Select Features page of the Add Features Wizard, under Features,
select the Windows Server Migration Tools check box, and then click
Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
• In the Server Manager console, click the Close button.
2. Open the Windows PowerShell window and then run the following code to
load the Windows Server Migration Tools snap-in.

Add-PSSnapin Microsoft.Windows.ServerManager.Migration

• On the Start menu, point to All Programs, click Accessories, click
Windows PowerShell, and then click Windows PowerShell.
• At the command prompt of the Administrator: Windows PowerShell
window, type the following code, and then press ENTER.

Add-PSSnapin Microsoft.Windows.ServerManager.Migration

Task 2: Modify the DHCP server properties and export the server role settings.
1. On LON-DC1, open the DHCP console and set the following properties of the
DHCP server:
• Scope name: Name before migration
• Lease duration for DHCP clients: 5 hours
• On the Start menu of the LON-DC1, point to Administrative Tools, and
then click DHCP.
• In the tree pane of the DHCP console, expand lon-dc1.contoso.com,
expand IPv4, click and right-click Scope [192.168.10.0] Contoso Scope,
and then click Properties.
• In the Scope name box of the Scope [192.168.10.0] Contoso Scope
Properties dialog box, type Name Before Migration.
• In the Lease duration for DHCP clients area, in the Days box, click 8,
ensure that Hours and Minutes boxes are 0, and then click OK.
• In the tree pane of the DHCP console, click and right-click
lon-dc1.contoso.com, point to All Tasks, and then click Stop.
• In the DHCP console, click the Close button.
2. In the Windows PowerShell window, run the following code to export the
DHCP server role settings.

Export-SmigServerSetting -featureID DHCP -path c:\export -Verbose

• At the command prompt of the Administrator: Windows PowerShell
window, type the following code, and then press ENTER.

Export-SmigServerSetting -featureID DHCP -path c:\export -Verbose

• At the password prompt, type Pa$$w0rd, and then press ENTER.
• In the Administrator: Windows PowerShell window, click the Close
button.
3. Navigate to C:\Export to verify that the svrmig.mig file is created.
• On the Start menu, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, double-click export.
• In the Export window, verify whether the svrmig.mig file is created.
• In the Export window, click the Close button.

Task 3: Import the migrated settings and verify that they were applied.
1. On LON-SVR1, configure the Windows Server Migration Tools feature by
using the Server Manager console.
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Server Manager.
• In the tree pane of the Server Manager console, click Features.
• In the Features Summary area of the Features result pane, click Add
Features.
• On the Select Features page of the Add Features Wizard, under Features,
select the Windows Server Migration Tools check box, and then click
Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
• In the Server Manager console, click the Close button.
2. On LON-SVR1, open the Windows PowerShell window, and run the following
code.

Add-PSSnapin Microsoft.Windows.ServerManager.Migration

• On the Start menu of LON-SVR1, point to All Programs, click
Accessories, click Windows PowerShell, and then click Windows
PowerShell.
• At the command prompt of the Administrator: Windows PowerShell
window, type the following code, and then press ENTER.

Add-PSSnapin Microsoft.Windows.ServerManager.Migration

Verify that the DHCP Server role is not installed on LON-SVR1.

3. Move the svrmig.mig file from \\lon-dc1.contoso.com\export to the
C:\Migrate folder.
• On the Start menu of LON-SVR1, in the Search programs and files box,
type \\lon-dc1.contoso.com\export, and then press ENTER.
• In the Name list of the export window, right-click svrmig.mig, and then
click Cut.
• In the navigation pane, under Computer, click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, double-click Migrate.
• In the Migrate window, right-click anywhere, and then click Paste.
• In the Migrate window, click the Close button.

4. Run the following code to import the DHCP server role settings.

Import-SmigServerSetting -featureid DHCP -path c:\migrate -Verbose

• At the command prompt of the Administrator: Windows PowerShell
window, type the following code, and then press ENTER.

Import-SmigServerSetting -featureid DHCP -path c:\migrate -Verbose

• At the password prompt, type Pa$$w0rd, and then press ENTER.
• In the Administrator: Windows PowerShell window, click the Close
button.
5. Verify that the modifications made to DHCP were successfully transferred
to LON-SVR1.
• On the Start menu, point to Administrative Tools, and then click DHCP.
• In the tree pane of the DHCP console, click and right-click DHCP, and
then click Add Server.
• In the Add Server dialog box, click This authorized DHCP server, and
then click OK.
• In the tree pane, click and right-click DHCP, and then click Add Server.
• In the Add Server dialog box, click Browse.
• In the Enter the object names to select (examples) box of the Select
Computer dialog box, type LON-SVR1, and then click OK.
• In the Add Server dialog box, click OK.
• In the tree pane, right-click lon-svr1.contoso.com, point to All Tasks, and
then click Start.
• In the tree pane, right-click lon-dc1.contoso.com, point to All Tasks, and
then click Start.
• In the tree pane, expand lon-dc1.contoso.com, expand IPv4, click and
right-click Scope [192.168.10.0] Name Before Migration, and then click
Properties.
• In the Scope [192.168.10.0] Name Before Migration Properties dialog
box, click OK.
• In the DHCP console, click the Close button.
• In the Server Manager console, click the Close button.
• In the Windows Deployment Services console, click the Close button.
• In the Administrator: Command Prompt window, click the Close button.
• In the Administrator: Windows PowerShell window, click the Close
button.
• In the Local Disk (C:) window, click the Close button.
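Exercise 3 exports the DHCP Server settings on LON-DC1 into an encrypted migration store and imports them on LON-SVR1, typing the store password at a prompt each time. The script below is an added example, not courseware code, that runs the same Export-SmigServerSetting / Import-SmigServerSetting calls from one script used on both sides (-Mode Export on the source, -Mode Import on the destination), reads the password as a SecureString so it never appears in a transcript, stops the DHCP service before the export as the lab does, and tightens the ACL on svrmig.mig before it is copied across the network. It assumes the snap-in is installed on both servers as in Task 1, the lab's C:\export and C:\migrate paths, and that the destination starts without the DHCP Server role, as the lab verifies.

```powershell
# Added example (not courseware code): DHCP role migration with the Windows
# Server Migration Tools snap-in. Run with -Mode Export on LON-DC1 and
# -Mode Import on LON-SVR1 after copying svrmig.mig across.
# Assumptions: snap-in installed on both servers; lab paths below.
param(
    [Parameter(Mandatory = $true)] [ValidateSet('Export', 'Import')] [string]$Mode,
    [string]$StorePath
)
if (-not $StorePath) {
    $StorePath = if ($Mode -eq 'Export') { 'C:\export' } else { 'C:\migrate' }
}

# Load the snap-in once; Add-PSSnapin errors if it is already loaded.
if (-not (Get-PSSnapin -Name Microsoft.Windows.ServerManager.Migration -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Windows.ServerManager.Migration -ErrorAction Stop
}

# The migration store is encrypted with this password and the same value is
# required on import. Read-Host -AsSecureString keeps it out of history/transcripts.
$password = Read-Host -Prompt 'Migration store password' -AsSecureString

switch ($Mode) {
    'Export' {
        # The lab stops DHCP before exporting so the scope and lease data are consistent.
        $svc = Get-Service -Name DHCPServer -ErrorAction Stop
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name DHCPServer -Force }

        Export-SmigServerSetting -FeatureID DHCP -Path $StorePath -Password $password -Verbose

        $store = Join-Path $StorePath 'svrmig.mig'
        if (-not (Test-Path $store)) { throw "Export did not produce $store" }

        # The store holds the full DHCP configuration; restrict it to administrators
        # and SYSTEM before it travels over the \\lon-dc1\export share.
        icacls.exe $store /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'SYSTEM:(F)' | Out-Null
        Get-Item $store | Select-Object FullName, Length, LastWriteTime
    }
    'Import' {
        if (-not (Test-Path (Join-Path $StorePath 'svrmig.mig'))) {
            throw "No svrmig.mig in $StorePath; copy it from the source server first."
        }
        # -Force overwrites settings already present on the destination.
        Import-SmigServerSetting -FeatureID DHCP -Path $StorePath -Password $password -Force -Verbose

        # Confirm from the service and from the DHCP scope list that the import landed
        # (the lab checks the same thing in the DHCP console).
        Start-Service -Name DHCPServer -ErrorAction Stop
        netsh.exe dhcp server show scope
    }
}
```

The lab finishes by starting the DHCP service on both servers from the console; if both stay authorised and running with the same scope, clients can receive leases from either, so in a real migration the source's service is left stopped (or the source is deauthorised) once the destination is verified.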

Before proceeding to the next lab, reset the lab environment.


Deploying and Managing Windows Server 2008 R2
Lab 1B: Managing Windows Server 2008 R2
Exercise 1: Using Server Manager for Remote Administration
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
3. Log on to LON-CL1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.

Task 2: Enable Server Manager Remote Management.

1. On LON-DC1, open the Server Manager console to connect LON-DC1 to
LON-SVR1.

An error message appears stating that the Server Manager cannot connect to lon-svr1.

• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Server Manager.
• In the tree pane of the Server Manager console, click and right-click Server
Manager (LON-DC1), and then click Connect to Another Computer.
• In the Another computer box of the Connect to Another Computer
dialog box, type LON-SVR1, and then click OK.

An error message appears stating that the Server Manager cannot connect to lon-svr1.

• In the Server Manager message box, click Cancel.


2. On LON-SVR1, select the Enable remote management of this server from
other computers option to configure Server Manager Remote Management.

If the Server Manager console does not appear, on the Start menu of LON-SVR1, point
to Administrative Tools, and then click Server Manager.

• In the Server Manager (LON-SVR1) result pane of the Server Manager
console, in the Server Summary area, click Configure Server Manager
Remote Management.
• In the Configure Server Manager Remote Management dialog box, select
the Enable remote management of this server from other computers
check box, and then click OK.

Task 3: Use Server Manager for remote management.

1. On LON-DC1, connect LON-DC1 to LON-SVR1 by using the Server Manager
console.

This time, the connection should succeed.

• On LON-DC1, in the tree pane of the Server Manager console, click and
right-click Server Manager (LON-DC1), and then click Connect to
Another Computer.
• In the Another computer box of the Connect to Another Computer
dialog box, type LON-SVR1, and then click OK.

Compare the options that are available from Server Manager on LON-SVR1 with those
that are available when using remote management from LON-DC1 (click the Server
Manager (LON-SVR1) node, and then compare the options available on the details
page).

2. Verify that the Add Roles and Remove Roles options and the Add Features
and Remove Features options are not available remotely.
• In the tree pane of the Server Manager console, right-click Roles, and then
verify that the Add Roles and Remove Roles options are not available
remotely.
• In the tree pane, right-click Features, and then verify that the Add
Features and Remove Features options are not available remotely.

Verify whether you can control the existing role, Windows Deployment Services,
remotely. Although Server Manager is connected to the remote server, other consoles
are connected to the local server by default.

• In the Server Manager console, click the Close button.

Task 4: Install Remote Server Administration Tools on Windows 7.

1. On LON-CL1, install Remote Server Administration Tools by using the
RSAT.msi file.
• On the Start menu of LON-CL1, in the Search programs and files box,
type program, and then click Programs and Features.
• In the Programs and Features window, click Turn Windows features on
or off.
• In the Windows Features dialog box, ensure that Remote Server
Administration Tools is not present, and then click Cancel.
• On the Start menu, click Computer.
• In the navigation pane of the Computer window, double-click Allfiles
(D:).
• In the Name list of the Allfiles (D:) window, double-click LabFiles.
• In the Name list of the LabFiles window, double-click RSAT.
• In the Windows Update Standalone Installer message box, click Yes.
• On the Read these license terms (1 of 1) page of the Download and
Install Updates wizard, click I Accept.
• In the Windows 7 Remote Administration Tools window, click the Close
button.
• On the Installation Complete page of the Download and Install Updates
Wizard, click Close.
2. Add the AD DS snap-ins, the command-line tools, and Server Manager to
Administrative Tools.
• In the Programs and Features window, click Turn Windows features on
or off.
• In the Windows Features dialog box, expand Remote Server
Administration Tools, expand Role Administration Tools, and then
expand AD DS and AD LDS Tools.
• In the Windows Features dialog box, under AD DS and AD LDS Tools,
select the AD DS Tools check box.
• In the Windows Features dialog box, under AD DS Tools, select the
Active Directory Administrative Center, AD DS Snap-ins and
Command-line Tools, Server for NIS Tools, and Server Manager check
boxes, and then click OK.

Verify that Server Manager and AD DS administrative tools are present in the
Administrative Tools of the Start menu.

• In the Programs and Features window, click the Close button.


• In the LabFiles window, click the Close button.

Task 5: Administer Windows Server 2008 R2 from a Windows 7 workstation.
1. On LON-CL1, open the Server Manager console to connect LON-CL1 to
LON-SVR1.contoso.com.
• On the Start menu of LON-CL1, point to Administrative Tools, and then
click Server Manager.

If the Connect to Another Computer dialog box does not appear, in the tree pane of
the Server Manager console, click and right-click Server Manager, and then click
Connect to Another Computer.

• In the Remote computer box of the Connect to Another Computer
dialog box, type LON-SVR1.contoso.com, and then click OK.

Notice that the available options are the same on Windows 7 and on the Windows
Server 2008 R2 server.

• In the tree pane of the Server Manager console, expand Roles, and then
click Windows Deployment Services.

View the list of roles that are installed. To administer specific roles and features, those
tools must be available locally.

• In the Server Manager console, click the Close button.


2. Open the Active Directory Users and Computers console to verify whether you
can administer Contoso.com Active Directory from Windows 7.
• On the Start menu, point to Administrative Tools, and then click Active
Directory Users and Computers.

Verify that you can administer Contoso.com Active Directory from Windows 7.

• In the Active Directory Users and Computers console, click the Close
button.

Exercise 2: Removing Anonymous Access to Confidential Files Automatically
Task 1: Add the File Services role on LON-SVR1.
1. On LON-SVR1, add the File Services server role and File Server Resource
Manager by using the Add Roles Wizard.
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Server Manager.
• In the tree pane of the Server Manager console, right-click Roles, and then
click Add Roles.
• On the Before You Begin page of the Add Roles Wizard, click Next.
• On the Select Server Roles page, under Roles, select the File Services
check box, and then click Next.
• On the File Services page, click Next.
• On the Select Role Services page, under Role services, select the File
Server Resource Manager check box, and then click Next.
• On the Configure Storage Usage Monitoring page, click Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
• In the Server Manager console, click the Close button.

Task 2: Configure a classification property to track the types of files.

1. On LON-SVR1, create a classification property named Confidential by using
the File Server Resource Manager console.
• On the Start menu of LON-SVR1, click Administrative Tools, and then
click File Server Resource Manager.
• In the tree pane of the File Server Resource Manager console, expand
Classification Management, and then click Classification Properties.
• In the Actions pane, click Create Property.
• In the Property name box of the Create Classification Property
Definition dialog box, type Confidential, in the Property Type box,
ensure that the Yes/No option is selected, and then click OK.

Task 3: Configure the classification rules to assign values to properties.

1. On LON-SVR1, create a classification rule to assign a value to the classification
property, with the following information:
• Rule name: Find Confidential
• Scope: C:\Files
• Classification mechanism: Content Classifier
• Property name: Confidential
• Property value: Yes
• Additional Classification Parameters Name: String
• Additional Classification Parameters Value: Confidential
• On LON-SVR1, in the tree pane of the File Server Resource Manager
console, under Classification Management, click Classification Rules.
• In the Actions pane, click Create a New Rule.
• On the Rule Settings tab of the Classification Rule Definitions dialog
box, in the Rule name box, type Find Confidential, and then in the Scope
area, click Add.
• In the Browse For Folder dialog box, expand Local Disk (C:), click
Files, and then click OK.
• On the Classification tab of the Classification Rule Definitions dialog
box, in the Choose a method to assign the property value box of the
Classification mechanism area, click Content Classifier, and then click
Advanced.
• On the Additional Classification Parameters tab of the Additional Rule
Parameters dialog box, in the Name box, type String, in the Value box,
type Confidential, and then click OK.
• In the Classification Rule Definitions dialog box, click OK.

Task 4: Configure a File Management Task.


1. On LON-SVR1, create a File Management Task, a condition based on the file
classification, and a default schedule set with the following information:
• Task name: Restrict confidential files
• Scope: C:\Files
• Type: Custom
• Executable: c:\windows\system32\icacls.exe
• Arguments: [Source File Path] /remove:g Everyone
• Command security: Local System
• Property: Confidential
• Operator: Equal
• Value: Yes
• On LON-SVR1, in the tree pane of the File Server Resource Manager
console, click File Management Tasks.
• In the Actions pane, click Create File Management Task.
• On the General tab of the Create File Management Task dialog box, in
the Task name box, type Restrict confidential files, and then in the
Scope area, click Add.
• In the Browse For Folder dialog box, expand Local Disk (C:), click Files,
and then click OK.
• On the Action tab of the Create File Management Task dialog box, in the
Type box, click Custom, and then in the Executable box, type
C:\windows\system32\icacls.exe.
• In the Arguments box of the Command settings area, type [Source File
Path] /remove:g Everyone.
• In the Command security area, click Local System.
• On the Condition tab of the Create File Management Task dialog box,
click Add.
• In the Property box of the Property Condition dialog box, ensure that the
Confidential option is selected, in the Operator box, ensure that the
Equal option is selected, in the Value box, click Yes, and then click OK.
• On the Schedule tab of the Create File Management Task dialog box,
click Create.
• In the Schedule dialog box, click New, and then click OK.

This creates a default schedule set for 9:00 A.M. daily.


• In the Create File Management Task dialog box, click OK.

Task 5: Create the files for classification.


1. On LON-SVR1, create three files in the C:\Files folder with the following
content and assign the Everyone Read and Read & execute permissions to
those three files.
• File1.txt: Confidential
• File2.txt: Confidential
• File3.txt: c o n f i d e n t i a l
• On the Start menu of LON-SVR1, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, double-click Files.
• In the Files window, right-click anywhere, point to New, click Text
Document, type File1, and then press ENTER.
• In the Files window, right-click anywhere, point to New, click Text
Document, type File2, and then press ENTER.
• In the Files window, right-click anywhere, point to New, click Text
Document, type File3, and then press ENTER.
• In the Name list of the Files window, double-click File1.
• In the File1 – Notepad window, type Confidential.
• On the File menu, click Save.
• In the File1 – Notepad window, click the Close button.
• In the Name list of the Files window, double-click File2.
• In the File2 – Notepad window, type Confidential.
• On the File menu, click Save.
• In the File2 – Notepad window, click the Close button.
• In the Name list of the Files window, double-click File3.
• In the File3 – Notepad window, type c o n f i d e n t i a l.
• On the File menu, click Save.
• In the File3 – Notepad window, click the Close button.
• In the Name list of the Files folder, right-click File1, and then click
Properties.
• On the Security tab of the File1 Properties dialog box, click Edit.
• In the Permissions for File1 dialog box, click Add.
• In the Enter the object names to select (examples) box of the Select
Users, Computers, Service Accounts, or Groups dialog box, type
Everyone, and then click OK.
• In the Permissions for File1 dialog box, click OK.
• On the Security tab of the File1 Properties dialog box, in the Group or
user names area, click Everyone, and then click OK.
• In the Name list of the Files folder, right-click File2, and then click
Properties.
• On the Security tab of the File2 Properties dialog box, click Edit.
• In the Permissions for File2 dialog box, click Add.
• In the Enter the object names to select (examples) box of the Select
Users, Computers, Service Accounts, or Groups dialog box, type
Everyone, and then click OK.
• In the Permissions for File2 dialog box, click OK.
• On the Security tab of the File2 Properties dialog box, in the Group or
user names area, click Everyone, and then click OK.
• In the Name list of the Files folder, right-click File3, and then click
Properties.
• On the Security tab of the File3 Properties dialog box, click Edit.
• In the Permissions for File3 dialog box, click Add.
• In the Enter the object names to select (examples) box of the Select
Users, Computers, Service Accounts, or Groups dialog box, type
Everyone, and then click OK.
• In the Permissions for File3 dialog box, click OK.
• On the Security tab of the File3 Properties dialog box, in the Group or
user names area, click Everyone, and then click OK.

Task 6: Run the Classification Rule and File Management Task.

1. On LON-SVR1, run the Classification Rules by using the File Server Resource
Manager console, with the following information:
• Select Wait for classification to complete execution
• Set Up Windows Internet Explorer 8: Ask me later

Review the report and verify that it contains the file1.txt file with the Confidential
classification.

• On LON-SVR1, in the tree pane of the File Server Resource Manager
console, under Classification Management, click Classification Rules.
• In the Actions pane, click Run Classification With All Rules Now.
• In the Run Classification dialog box, click Wait for classification to
complete execution, and then click OK.
• On the Welcome to Internet Explorer 8 page of the Set Up Windows
Internet Explorer 8 Wizard, click Ask me later.
• In the Internet Explorer dialog box, click Close.
• In the Internet Explorer window, click the Close button.
• In the Internet Explorer message box, click Close all tabs.
2. Run the File Management Task by using the File Server Resource Manager
console and wait until the execution completes.

Review the report and verify that the group with Everyone permission no longer has
access to file1.txt, because it contains Confidential information, but still has access to
file2.txt and file3.txt.

• In the tree pane of the File Server Resource Manager console, click File
Management Tasks.
• In the result pane, under Scope: C:\Files (1 Item), click Restrict
confidential files.
• In the Actions pane, under Selected File Management Tasks, click Run
File Management Task Now.
• In the Run File Management Task dialog box, click Wait for task to
complete execution, and then click OK.
• In the Windows Internet Explorer window, click the Close button.

In the Windows Explorer window, verify the NTFS permissions on all three files. The
Everyone group should no longer have access to file1.txt, because it contains Confidential
information, but should still have access to file2.txt and file3.txt.

• In the File Server Resource Manager console, click the Close button.
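
An added check, not part of the course or its answer key: the following Windows PowerShell script audits what the Restrict confidential files task should have produced. For each file in C:\Files it reports whether the literal string Confidential occurs (a plain substring match like the Content Classifier's String parameter, which is why the spaced-out text in File3.txt does not match) and whether the Everyone group still holds an access control entry; a second function applies the same icacls.exe /remove:g Everyone command line the task runs. The scope, the string and the command come from the exercise; the function names, the report columns and the -WhatIf support are this example's own.

```powershell
# Added example, not from the course: audit (and optionally remediate) the
# Exercise 2 outcome outside FSRM. Scope C:\Files, the marker string
# "Confidential" and the icacls command line come from the lab; the function
# names and report columns are this example's own.
$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone, independent of display language

function Get-ConfidentialAccessReport {
    param(
        [string]$Scope  = 'C:\Files',
        [string]$Marker = 'Confidential'
    )
    Get-ChildItem -Path $Scope | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $file = $_
        # Literal substring match, like the Content Classifier's String parameter:
        # "Confidential" matches, "c o n f i d e n t i a l" does not.
        $hasMarker = [bool](Select-String -Path $file.FullName -Pattern $Marker -SimpleMatch -Quiet)

        # Every ACE held by Everyone, matched by SID rather than by display name.
        $acl = Get-Acl -Path $file.FullName
        $everyone = @($acl.Access | Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $EveryoneSid
        })

        New-Object PSObject -Property @{
            File              = $file.Name
            ContainsMarker    = $hasMarker
            EveryoneRights    = (@($everyone | ForEach-Object { $_.FileSystemRights.ToString() }) -join ', ')
            EveryoneInherited = (@($everyone | Where-Object { $_.IsInherited }).Count -gt 0)
            NeedsRemediation  = ($hasMarker -and $everyone.Count -gt 0)
        }
    }
}

function Remove-EveryoneFromConfidentialFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Scope  = 'C:\Files',
        [string]$Marker = 'Confidential'
    )
    Get-ConfidentialAccessReport -Scope $Scope -Marker $Marker |
        Where-Object { $_.NeedsRemediation } |
        ForEach-Object {
            $path = Join-Path -Path $Scope -ChildPath $_.File
            # Same command the File Management Task runs, with [Source File Path] filled in.
            if ($PSCmdlet.ShouldProcess($path, 'icacls /remove:g Everyone')) {
                & "$env:windir\system32\icacls.exe" $path /remove:g Everyone | Out-Null
                $path
            }
        }
}

# Report first; then dry-run the remediation with -WhatIf before running it for real.
Get-ConfidentialAccessReport | Format-Table File, ContainsMarker, EveryoneRights, EveryoneInherited, NeedsRemediation -AutoSize
Remove-EveryoneFromConfidentialFiles -WhatIf
```

Run the report before and after the File Management Task. The EveryoneInherited column matters because icacls /remove:g strips only explicit entries: an Everyone grant inherited from the parent folder would survive the task, and the report makes that visible instead of letting the green "task completed" status stand in for a verified result.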

Exercise 3: Dealing with Stale Data


Task 1: Configure a File Management Task.
1. On LON-SVR1, create a File Management Task to expire data that has not been
modified for two years, with the following information:
• Task name: Expire Stale Data
• Scope: C:\Files
• Type: File Expiration
• Number of days before task is executed to send notification: 30
• Days since last modified: 730
• Schedule Task: Monthly
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click File Server Resource Manager.
• In the tree pane of the File Server Resource Manager console, click
File Management Tasks.
• In the Actions pane, click Create File Management Task.
• On the General tab of the Create File Management Task dialog box, in
the Task name box, type Expire Stale Data, and then in the Scope
section, click Add.
• In the Browse For Folder dialog box, expand Local Disk (C:), click Files,
and then click OK.
• On the Action tab of the Create File Management Task dialog box, in the
Expiration directory box, click Browse.
• In the Browse For Folder dialog box, expand Local Disk (C:), click
Expired, and then click OK.
• On the Notification tab of the Create File Management Task dialog box,
click Add.
• In the Number of days before task is executed to send notification box
of the Add Notification dialog box, click 30, and then click OK.
• On the Condition tab of the Create File Management Task dialog box,
select the Days since file was last modified check box, and then type
730.
• On the Schedule tab of the Create File Management Task dialog box,
click Create.
• In the Schedule dialog box, click New.

This creates a default schedule set for 9:00 A.M. daily.

• In the Schedule Task box of the Schedule dialog box, click Monthly, and
then click OK.
• In the Create File Management Task dialog box, click OK.
• In the File Server Resource Manager message box, click Yes.

Task 2: Run the File Management Task.


1. On LON-SVR1, run the Expire Stale Data File Management Task by using the
File Server Resource Manager console, and wait until the execution completes.

Review the report and verify that all expired files have been moved to the Expired folder
in drive C.

• On the Start menu of LON-SVR1, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, double-click Files.
• In the Files window, sort the files by the Date modified property.
• In the File Management Tasks result pane of the File Server Resource
Manager console, in the Task Name list, right-click Expire Stale Data, and
then click Run File Management Task Now.
• In the Run File Management Task dialog box, click Wait for task to
complete execution, and then click OK.
• In the Windows Internet Explorer window, click the Close button.

Review the report for files affected by the File Management Task.

• In the Computer window, browse to Local Disk (C:)\Expired\LON-SVR1.Contoso.com\Expired Stale data_(executed date)\c$\Files, and then verify that all expired files have been moved there.
• In the Files window, click the Close button.
• In the File Server Resource Manager console, click the Close button.
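
As an added example (this example's own code, not the course's), the following script previews what the Expire Stale Data task will do on its next run: it lists every file under C:\Files with its age in days and whether it is already past the 730-day threshold, inside the 30-day notification window, or unaffected. The scope and both thresholds come from Task 1; the function name, the output columns and the notification-window arithmetic are assumptions of this example.

```powershell
# Added example, not from the course: dry-run preview of the "Expire Stale Data"
# task. Scope, the 730-day threshold and the 30-day notice come from Exercise 3;
# the function name and output columns are this example's own.
function Get-StaleFilePreview {
    param(
        [string]$Scope          = 'C:\Files',
        [int]$ExpireAfterDays   = 730,
        [int]$NotifyDaysBefore  = 30,
        [datetime]$AsOf         = (Get-Date)
    )
    $root = $Scope.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        # FSRM's "Days since file was last modified" condition keys on LastWriteTime.
        $ageDays = [int][math]::Floor(($AsOf - $_.LastWriteTime).TotalDays)
        $status = if ($ageDays -ge $ExpireAfterDays) { 'Expire' }
                  elseif ($ageDays -ge ($ExpireAfterDays - $NotifyDaysBefore)) { 'Notify' }
                  else { 'Keep' }
        New-Object PSObject -Property @{
            Status       = $status
            AgeDays      = $ageDays
            LastModified = $_.LastWriteTime
            # Path relative to the scope, which is what ends up under the expiration
            # directory's ...\c$\Files tree after the task moves the file.
            RelativePath = $_.FullName.Substring($root.Length + 1)
        }
    }
}

Get-StaleFilePreview | Sort-Object AgeDays -Descending |
    Format-Table Status, AgeDays, LastModified, RelativePath -AutoSize
```

Running this before the monthly schedule fires shows which files the 30-day notification will name and which will actually move, so an unexpected Expire entry (a file someone still needs, with an old modification date) can be caught before the task relocates it.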

Exercise 4: Using Features in Windows Server Backup


Task 1: Create and attach a virtual hard disk.
1. On LON-SVR1, create a virtual hard disk and add a simple volume to it by
using the Server Manager console, with the following information:
• Path: C:\MyDrive.vhd
• Virtual hard disk size: 1 GB
• Select Dynamically expanding
• Select Initialize Disk
• Select New Simple Volume
• On the Start menu of the LON-SVR1 server, point to Administrative
Tools, and then click Server Manager.
• In the tree pane of the Server Manager console, expand Storage, and then
click Disk Management.
• In the Actions pane, click More Actions, and then click Create VHD.
• In the Location box of the Create and Attach Virtual Hard Disk dialog
box, type C:\MyDrive.vhd, in the Virtual hard disk size box, type 1, and
then click GB.
• In the Virtual hard disk format area, click Dynamically expanding, and
then click OK.
• In the Disk Management result pane of the Server Manager console, in the
Volume list, click (C:), right-click Disk 2, and then click Initialize Disk.
• In the Initialize Disk dialog box, click OK.
• In the Disk Management result pane of the Server Manager console, right-
click 1023 MB Unallocated, and then click New Simple Volume.
• On the Welcome to the New Simple Volume Wizard page of the New
Simple Volume Wizard, click Next.
• On the Specify Volume Size page, click Next.
• On the Assign Drive Letter or Path page, click Next.
• On the Format Partition page, click Next.
• On the Completing the New Simple Volume Wizard page, click Finish.

Task 2: Create and run a backup task.


1. On LON-SVR1, perform a Custom backup to the virtual hard disk, New Volume
(E:), with the following information:
• Accept Different options for backup
• Items for Backup: C:\Files
• Exclusions: C:\Files\File1.txt
• In the tree pane of the Server Manager console, under Storage, click
Windows Server Backup.
• In the Actions pane, click Backup Once.
• On the Backup Options page of the Backup Once Wizard, click Next.
• On the Select Backup Configuration page, ensure that the Custom
option is selected, and then click Next.
• On the Select Items for Backup page, click Add Items.
• In the Select Items dialog box, expand Local Disk (C:), select the Files
check box, and then click OK.
• On the Select Items for Backup page, click Advanced Settings.
• On the Exclusions tab of the Advanced Settings dialog box, click Add
Exclusions.
• In the Select Items to Exclude dialog box, expand Local Disk (C:),
expand Files, click File1.txt, and then click OK.
• In the Advanced Settings dialog box, click OK.
• On the Select Items for Backup page, click Next.
• On the Specify Destination Type page, click Next.
• On the Select Backup Destination page, in the Backup destination box,
click New Volume (F:), and then click Next.
• On the Confirmation page, click Backup.
• On the Backup Progress page, click Close.
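
Added example (not the course's own steps): the same one-time custom backup expressed with the Windows Server Backup PowerShell snap-in, so that the include/exclude selection is recorded in a script rather than clicked through. It assumes the Command-line Tools component of the Windows Server Backup Features is installed. The include and exclude paths come from Task 2; the backup target letter is an assumption (the task text names the volume as both E: and F:), so set it to the letter the New Simple Volume Wizard assigned.

```powershell
# Added example, not from the course: the Task 2 one-time custom backup as a
# script, using the Windows Server Backup PowerShell snap-in (installed with the
# feature's Command-line Tools). Include/exclude paths come from the lab; the
# target letter is an assumption, so set it to the letter the VHD volume got.
Add-PSSnapin Windows.ServerBackup -ErrorAction Stop

$backupVolume = 'F:'           # assumed; the lab text names the volume as both E: and F:

$policy = New-WBPolicy

# Include the folder, then exclude the single file, as in Advanced Settings > Exclusions.
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'C:\Files')
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'C:\Files\File1.txt' -Exclude)

# Destination: the simple volume created on the attached VHD.
$target = New-WBBackupTarget -VolumePath $backupVolume
Add-WBBackupTarget -Policy $policy -Target $target -Force

# Run it once and wait for completion, then confirm a backup set now exists on the target.
Start-WBBackup -Policy $policy
Get-WBBackupSet -BackupTarget $target | Select-Object VersionId, BackupTime, BackupTarget
```

The final Get-WBBackupSet call is the check that matters: a backup job that reports success but leaves no version on the target is the failure mode a restore exercise like Task 3 would otherwise discover too late.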

Task 3: Verify and restore the backup.


1. On LON-SVR1, delete the file2.txt file from the C:\Files folder, and then
restore the file2.txt file to the same location by using the Server Manager
console.
• On the Start menu, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, double-click Files.
• In the Name list of the Files window, right-click File2, and then click
Delete.
• In the Delete File message box, click Yes.
• In the tree pane of the Server Manager console, under Storage, click
Windows Server Backup.
• In the Actions pane, click Recover.
• On the Getting Started page of the Recovery Wizard, click Next.
• On the Select Backup Date page, click Next.
• On the Select Recovery Type page, click Next.
• On the Select Items to Recover page, in the Available items list, expand
LON-SVR1, expand Local disk (C:), click Files, and then in the Items to
recover list, click File2.txt.
• On the Select Items to Recover page, click Next.
• On the Specify Recovery Options page, click Next.
• On the Confirmation page, click Recover.
• On the Recovery Progress page, click Close.

Verify that the file2.txt file is restored to the C:\Files folder.

• In the Files window, click the Close button.
• In the Server Manager console, click the Close button.

Before proceeding to the next lab, reset the lab environment.



Configuring Active Directory in Windows Server 2008 R2
Lab 2A: Configuring Active Directory Domain Services Features
Exercise 1: Installing and Configuring Active Directory Administration Center
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.

Task 2: Install Active Directory Administration Center.


1. On LON-SVR1, install the Active Directory Administration Center server
feature by using the Server Manager console.

If the Server Manager window does not appear, on the Start menu of LON-SVR1, point
to Administrative Tools, and then click Server Manager.

• In the tree pane of the Server Manager console, click Features.
• In the Features Summary area of the Features result pane, click Add
Features.
• On the Select Features page of the Add Features Wizard, in the Features
list, expand Remote Server Administration Tools (Installed), expand
Role Administration Tools (Installed), and then expand AD DS and AD
LDS Tools.
• On the Select Features page, in the Features list, under AD DS and AD
LDS Tools, expand AD DS Tools, and then select the Active Directory
Administrative Center check box.
• In the Add Features Wizard, click Add Required Features.
• On the Select Features page of the Add Features Wizard, click Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
• In the Server Manager console, click the Close button.

Task 3: Explore the Active Directory Administrative Center interface.


1. Verify the following information by using the Active Directory Administrative
Center console:
• Clear the Getting Started check box: Verify that the Getting Started
pane disappears.
• Address box: cn=users,dc=contoso,dc=com to verify that the Users
container is selected in the Navigation pane.
• Filter the content of the window.
• Add a Builtin container to the Navigation pane.
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Active Directory Administrative Center.
• In the Administrative Center Overview result pane of the Active Directory
Administrative Center console, click Add Content, and then clear the
Getting Started check box.

Verify that the Getting Started pane disappears.

• In the Navigation pane of the Active Directory Administrative Center
console, click Add Navigation Nodes.
• In the Add Navigation Nodes dialog box, click Connect to other
domains, and then click Cancel.
• In the Add Navigation Nodes dialog box, click Cancel.
• In the Address box of the Active Directory Administrative Center console,
type cn=users,dc=contoso,dc=com, and then press ENTER.

Verify that the Users container is selected in the Navigation pane.

• In the List View of the Navigation pane, click the arrow near Contoso
(local).
• In the Search box, type fi, and then click the Pin icon.

Verify that the content of the window is filtered.

• In the result pane, click the arrow near Finance, and then click the Pin
icon.

Verify that both views are added to the Active Directory Administrative Center and
that, in the Navigation pane under Contoso (local), the last three OUs that were accessed
are listed.

• In the Tree View of the Navigation pane, right-click Builtin, and then
click Connect to.

The Builtin container is added to the Navigation pane.

• In the Tree View of the Navigation pane, right-click the newly added Builtin
node, and then click Rename.
• In the Please input the new name box of the Rename dialog box, type
Precreated, and then click OK.
• In the List View of the Navigation pane, right-click Precreated, and then
click Remove.

Task 4: Create and modify user accounts and properties.


1. View the users named Michael in Finance by using the Filter option of the
Active Directory Administrative Center console, and set the following user
account properties:
• Add criteria: Users with disabled/enabled accounts and Users
whose password has an expiration date/no expiration date
• Query Name: Enabled-no expiry
• Users with accounts in this state: enabled
• In the List View of the Navigation pane, under Contoso (local), click
Finance.
• In the Filter box of the Finance result pane, type Michael.

Verify that users with name Michael are displayed in the Management pane.

• In the Finance result pane, click Add criteria, select Users with
disabled/enabled accounts and Users whose password has an
expiration date/no expiration date, and then click Add.
• In the Finance result pane, next to Users with accounts in this state,
click disabled, and then click enabled.
• Clear the Filter box.

Verify that enabled accounts (Michael Allen) are displayed in the Management pane.

2. Create a query named Enabled-no expiry, run it to find the user Jeff Ford, and
then modify the properties of Jeff Ford by adding him to the Finance group.
• In the Finance result pane, click the arrow near the floppy icon, in the
New Query box, type Enabled-no expiry, and then click OK.
• In the Finance result pane, click Clear All.
• In the List View of the Navigation pane, click Users.
• In the Users result pane, click Queries button, and then click Enabled-no
expiry.
• In the Name list of the Users: Enabled-no expiry result pane, click Jeff
Ford.
• In the Tasks pane, under Jeff Ford, click Properties.
• In the Jeff Ford dialog box, click Add Sections, and then clear the
Extensions check box.
• In the Member Of area of the Jeff Ford dialog box, click Add.
• In the Enter the object names to select (examples) box of the Select
Groups dialog box, type Finance, and then press ENTER.
• In the Multiple Names Found dialog box, click Finance Users, and then
click OK.
• In the Jeff Ford dialog box, click OK.
• In the Name list of the Users result pane, double-click Jeff Ford.

Verify that the Extensions section is not displayed for him.

• In the Jeff Ford dialog box, click Cancel.
3. Create a new user for the Finance group with the following information:
• Full name: Jay Hamlin
• User SamAccountName logon: johane
• Select Password never expires
• Password: Pa$$w0rd
• Confirm password: Pa$$w0rd
• In the List View of the Navigation pane, click Finance.
• In the Tasks pane, under Finance, point to New, and then click User.
• In the Account area of the Create User: dialog box, in the Full name box,
type Jay Hamlin, and then in the User SamAccountName logon box,
type jayh.
• In the Account area, click Other password options, and then select the
Password never expires check box.
• In the Password box, type Pa$$w0rd, in the Confirm password box, type
Pa$$w0rd, and then click OK.
• In the List View of the Navigation pane, click Global Search.
• In the Search box of the Global Search result pane, type jayh, and then
click Search.
• In the Active Directory Administrative Center console, click the Close
button.
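
Added example, not from the course: the Task 4 filter and the Enabled-no expiry query expressed as Active Directory module cmdlets, which is how the same check would be run across a whole domain or scheduled. Accounts that are enabled and whose password never expires are a standard audit finding, which is what makes the query worth saving. The Finance OU and Users container distinguished names and the Finance Users group name are assumptions drawn from the lab's names; Jeff Ford is looked up by display name so that no logon name is guessed.

```powershell
# Added example, not from the course: Task 4's ADAC filter and saved query as
# Active Directory module cmdlets. DNs and the group name are assumptions from
# the lab's names (Finance OU, Users container, Finance Users group).
Import-Module ActiveDirectory

$financeOU = 'OU=Finance,DC=contoso,DC=com'        # assumed DN of the Finance OU
$usersCN   = 'CN=Users,DC=contoso,DC=com'          # Users container from Task 3

function Get-EnabledNoExpiryUsers {
    # Equivalent of the "Enabled-no expiry" query: enabled accounts whose
    # password never expires. Enabled and PasswordNeverExpires are filterable
    # extended properties in the AD module.
    param([string]$SearchBase, [string]$NamePattern = '*')
    Get-ADUser -SearchBase $SearchBase -Filter {
        Name -like $NamePattern -and Enabled -eq $true -and PasswordNeverExpires -eq $true
    } -Properties PasswordNeverExpires |
        Select-Object Name, SamAccountName, Enabled, PasswordNeverExpires
}

# Filter box "Michael" plus the two criteria, scoped to Finance.
Get-EnabledNoExpiryUsers -SearchBase $financeOU -NamePattern 'Michael*'

# The saved query run against the Users container instead.
Get-EnabledNoExpiryUsers -SearchBase $usersCN

# Jeff Ford's group change, looked up by display name rather than a guessed logon name.
$jeff = Get-ADUser -Filter { Name -eq 'Jeff Ford' }
Add-ADGroupMember -Identity 'Finance Users' -Members $jeff
Get-ADPrincipalGroupMembership -Identity $jeff | Select-Object Name
```

Drop the -SearchBase argument to run the query forest-wide; the list it returns is the set of accounts whose passwords will never be rotated by policy, which is the reason the lab has you save it as a named query.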

Task 5: Verify the Active Directory Web Services service.


1. On LON-DC1, open the Services console to stop the Active Directory Web
Services service.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Services.
• In the result pane of the Services console, in the Name list, right-click
Active Directory Web Services, and then click Stop.
2. On LON-SVR1, open the Active Directory Administrative Center console to
verify whether the Contoso domain is accessible.
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Active Directory Administrative Center.

Verify that a red arrow appears near the CONTOSO (local) domain. If you click it, an
error message appears stating that no servers running Active Directory Web Services are
available in the Contoso domain.

• In the Active Directory Administrative Center console, click the Close
button.
3. On LON-DC1, start the Active Directory Web Services service by using the
Services console.
• On LON-DC1, in the result pane of the Services console, in the Name list,
right-click Active Directory Web Services, and then click Start.
• In the Services console, click the Close button.
4. On LON-SVR1, verify whether the Contoso domain is accessible after starting
the Active Directory Web Services service.
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Active Directory Administrative Center.
• In the Navigation pane of the Active Directory Administrative Center
console, click Contoso (local).

The error is gone, and you can now view the domain objects.

• In the Active Directory Administrative Center console, click the Close
button.
• On the Start menu, click Log off.

Exercise 2: Configuring and Testing the Active Directory Recycle Bin
Task 1: Enable the Active Directory Recycle Bin feature.
1. On LON-DC1, raise the forest functional level to Windows Server 2008 R2 by
using the Active Directory Domains and Trusts tool.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Active Directory Domains and Trusts.
• In the tree pane of the Active Directory Domains and Trusts console, right-
click Active Directory Domains and Trusts [LON-DC1.Contoso.com],
and then click Raise Forest Functional Level.
• In the Select an available forest functional level box of the Raise forest
functional level dialog box, ensure that the Windows Server 2008 R2
option is selected, and then click Raise.
• In the Raise forest functional level message box, click OK.
• In the Raise forest functional level message box, click OK.
• In the Active Directory Domains and Trusts console, click the Close
button.
2. Delete the objects Jay Hamlin and the Demo OU, to see how deleted objects
behave before the Active Directory Recycle Bin feature is enabled.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Active Directory Users and Computers.
• In the tree pane of the Active Directory Users and Computers console,
expand Contoso.com, and then click Finance.
• In the Name list of the Finance result pane, right-click Jay Hamlin, and
then click Delete.
• In the Active Directory Domain Services message box, click Yes.
• In the tree pane, under Finance, right-click Demo, and then click Delete.
• In the Active Directory Domain Services message box, click Yes.
3. Open the Administrator: Active Directory Module for Windows PowerShell
window and run the following command to view the state of the Active
Directory Recycle Bin feature.

Get-ADOptionalFeature -Filter *

• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Active Directory Module for Windows PowerShell.
• At the command prompt of the Administrator: Active Directory Module for
Windows PowerShell window, type the following code, and then press
ENTER.

Get-ADOptionalFeature -Filter *

The EnabledScopes property is currently empty, which indicates that this feature is not
enabled. The RequiredForestMode property indicates the prerequisites for enabling this
feature.

4. Run the following command to enable the Active Directory Recycle Bin feature.

Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target contoso.com

• At the command prompt of the Administrator: Active Directory Module for
Windows PowerShell window, type the following code, and then press
ENTER.

Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target contoso.com

5. Run the following command to view the state of the Active Directory Recycle
Bin feature.

Get-ADOptionalFeature -Filter *

• At the command prompt of the Administrator: Active Directory Module for
Windows PowerShell window, type the following code, and then press
ENTER.

Get-ADOptionalFeature -Filter *

The EnabledScopes property is now set, which indicates that the Recycle Bin Feature is
now enabled.
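
Added example, not part of the lab: Task 1's three commands folded into one idempotent script that compares the forest functional level with the feature's RequiredForestMode, enables the Recycle Bin only if EnabledScopes is still empty, and reports the result. The forest name and the cmdlets come from the lab; the function name is this example's own. Enabling the Recycle Bin cannot be undone, which is why the unscripted command prompts for confirmation and why the script checks state before acting.

```powershell
# Added example, not from the course: Task 1's checks as one idempotent script.
# Forest name contoso.com comes from the lab; the function name is this
# example's own. Run it in the Active Directory Module for Windows PowerShell.
Import-Module ActiveDirectory

function Enable-RecycleBinIfNeeded {
    param([string]$Forest = 'contoso.com')

    $feature    = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
    $forestMode = (Get-ADForest -Identity $Forest).ForestMode

    # Prerequisite from the lab: forest functional level Windows Server 2008 R2.
    # Both values are ADForestMode enums, compared here by their numeric value.
    if ([int]$forestMode -lt [int]$feature.RequiredForestMode) {
        throw "Forest mode is $forestMode; raise it to $($feature.RequiredForestMode) first."
    }

    # EnabledScopes empty means not yet enabled (the state the lab shows in step 3).
    if ($feature.EnabledScopes.Count -gt 0) {
        return "Already enabled in scope(s): $($feature.EnabledScopes -join ', ')"
    }

    # Same command as the lab; -Confirm:$false suppresses the prompt that exists
    # because enabling the Recycle Bin is a one-way change.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $Forest -Confirm:$false

    $after = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
    "Enabled in scope(s): $($after.EnabledScopes -join ', ')"
}

Enable-RecycleBinIfNeeded
```

Because the function re-reads EnabledScopes after the change, its output is the same evidence the lab asks you to inspect by hand in step 5, which makes it suitable for a build script that must be safe to run more than once.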

Task 2: Delete Active Directory objects.


1. On LON-DC1, delete the following user accounts, group account, and
organizational unit by using the Active Directory Administrative Center
console.
• User accounts: Sara Davis and Ron Gabel
• Group account: Finance Temporary Employees
• Organizational unit: Europe
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Active Directory Administrative Center.
• In the Active Directory Administrative Center console, in the List View of
the Navigation pane, click Contoso (local).
• In the Contoso (local) result pane, in the Name list, double-click Finance.
• In the Name list of the Finance result pane, right-click Sara Davis, and
then click Delete.
• In the Delete Confirmation message box, click Yes.
• In the Name list of the Finance result pane, right-click Ron Gabel, and
then click Delete.
• In the Delete Confirmation message box, click Yes.
• In the Name list of the Finance result pane, right-click Finance
Temporary Employees, and then click Delete.
• In the Delete Confirmation message box, click Yes.
• In the Name list of the Finance result pane, right-click Europe, and then
click Delete.
• In the Delete Confirmation message box, click Yes.

Task 3: Verify that the deleted objects are in the Recycle Bin.
1. On LON-DC1, run the following command to view the entire content of the
Active Directory Recycle Bin by using the Active Directory Module for
Windows PowerShell window.

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter "(objectClass=*)" -IncludeDeletedObjects

Verify that the two user accounts, Sara Davis and Ron Gabel, the Finance Temporary
Employees group account, and the Europe organizational unit are listed in the Recycle
Bin. Make a note of the ObjectGUID for Sara Davis, Ron Gabel, Finance Temporary
Employees, and Europe; the restore commands in Task 4 identify each object by its GUID,
because a deleted object's distinguished name is no longer the one it had before deletion.

• At the command prompt of the Administrator: Active Directory Module for
Windows PowerShell window, type the following code, and then press ENTER.

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter "(objectClass=*)" -IncludeDeletedObjects

2. Run the following command to verify that the Sara Davis user object is in the
Recycle Bin. The wildcards are needed because a deleted object's name carries the
suffix \0ADEL:<ObjectGUID>.

Get-ADObject -Filter {Name -Like "*Sara Davis*"} -SearchScope Subtree -IncludeDeletedObjects

• At the command prompt of the Administrator: Active Directory Module for
Windows PowerShell window, type the following code, and then press ENTER.

Get-ADObject -Filter {Name -Like "*Sara Davis*"} -SearchScope Subtree -IncludeDeletedObjects

3. Run the following command to verify that the Ron Gabel user account is in the
Recycle Bin.

Get-ADObject -Filter {Name -Like "*Ron Gabel*"} -SearchScope Subtree -IncludeDeletedObjects

• At the command prompt of the Administrator: Active Directory Module for
Windows PowerShell window, type the following code, and then press ENTER.

Get-ADObject -Filter {Name -Like "*Ron Gabel*"} -SearchScope Subtree -IncludeDeletedObjects

4. Run the following command to verify that the Europe organizational unit is in
the Recycle Bin.

Get-ADObject -Filter {Name -Like "*Europe*"} -SearchScope Subtree -IncludeDeletedObjects

• At the command prompt of the Administrator: Active Directory Module for
Windows PowerShell window, type the following code, and then press ENTER.

Get-ADObject -Filter {Name -Like "*Europe*"} -SearchScope Subtree -IncludeDeletedObjects

Task 4: Restore the deleted Active Directory objects.

1. Run the following command to restore the user account for Sara Davis by using
the Administrator: Active Directory Module for Windows PowerShell window.

Restore-ADObject -Identity <objectGUID of Sara Davis>

• At the command prompt of the Administrator: Active Directory Module for
Windows PowerShell window, type the following code, and then press ENTER.

Restore-ADObject -Identity <objectGUID of Sara Davis>

2. Run the following command to restore the Finance Temporary Employees
group by using the Administrator: Active Directory Module for Windows
PowerShell window.

Restore-ADObject -Identity <objectGUID of Finance Temporary Employees>

• At the command prompt of the Administrator: Active Directory Module for
Windows PowerShell window, type the following code, and then press ENTER.

Restore-ADObject -Identity <objectGUID of Finance Temporary Employees>

3. Run the following command to restore the Europe organizational unit by
using the Administrator: Active Directory Module for Windows PowerShell
window.

Restore-ADObject -Identity <objectGUID of Europe>

• At the command prompt of the Administrator: Active Directory Module for
Windows PowerShell window, type the following code, and then press ENTER.

Restore-ADObject -Identity <objectGUID of Europe>

Restore-ADObject puts each object back under its last known parent with its original
attributes, including its SID and group memberships. If an object's parent was deleted as
well (for example, the contents of a deleted organizational unit), restore the parent first;
a restore into a parent that is still deleted fails.

• In the Administrator: Active Directory Module for Windows PowerShell
window, click the Close button.

Task 5: Verify that the deleted objects are restored.

1. Verify that the Sara Davis user account, Finance Temporary Employees group,
and Europe organizational unit are restored by using the Active Directory
Administrative Center console.
• On LON-DC1, in the Active Directory Administrative Center console, in
the List View of the Navigation pane, click Finance, and then press F5.

Verify that the Sara Davis user account, the Finance Temporary Employees group, and the
Europe organizational unit are present. Ron Gabel was not restored in Task 4 and remains
in the Recycle Bin.

2. Check whether the properties of the Finance Temporary Employees group are
preserved.
• In the Name list of the Finance result pane, double-click Finance
Temporary Employees, and verify that its properties are preserved,
including group membership.
• In the Finance Temporary Employees dialog box, click Cancel.
• In the Active Directory Administrative Center console, click the Close
button.
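The exercise above enables the feature and restores three objects one GUID at a time. The PowerShell script below is an added example, not part of the course text: it wraps the same cmdlets with the checks a practitioner wants (forest functional level, the one-way nature of enabling the feature, and restore order for objects whose parent was deleted too). The function names, and the assumption that it runs on a domain controller under an Enterprise Admins account with the Active Directory module loaded, are mine; the object names in the usage section match the lab.

```powershell
# Added example, not part of the 10159A lab text. Assumes the Active Directory
# module on a Windows Server 2008 R2 (or later) domain controller, run under an
# account in Enterprise Admins. Object names in the usage section match the lab.
Import-Module ActiveDirectory

function Enable-RecycleBinIfNeeded {
    $forest   = Get-ADForest
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ($forest.ForestMode -lt $required) {
        throw "Forest functional level is $($forest.ForestMode); Windows2008R2Forest or higher is required."
    }
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
        return
    }
    # One-way operation: the feature cannot be disabled once enabled.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

function Get-RecycleBinObject {
    # Lists deleted objects. A deleted object's name is "<RDN>\0ADEL:<GUID>",
    # so a pattern such as 'Sara Davis*' matches it; '*' returns everything.
    param([string]$NamePattern = '*')
    $domainDN = (Get-ADDomain).DistinguishedName
    Get-ADObject -SearchBase "CN=Deleted Objects,$domainDN" -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(!(name=Deleted Objects))(name=$NamePattern))" `
        -Properties lastKnownParent, 'msDS-LastKnownRDN', whenChanged
}

function Restore-RecycleBinObject {
    # Restores in dependency order: an object can only go back under a parent that
    # is live, and deleting an OU tombstones its children too. lastKnownParent is a
    # DN-syntax attribute, so once the parent is restored it resolves to the parent's
    # live DN; re-reading it on every pass is what makes the children restorable.
    param([Parameter(Mandatory = $true)][Microsoft.ActiveDirectory.Management.ADObject[]]$Objects)
    $pending = @($Objects | ForEach-Object { $_.ObjectGUID })
    do {
        $restored = @()
        foreach ($guid in $pending) {
            $obj = Get-ADObject -Identity $guid -IncludeDeletedObjects `
                -Properties lastKnownParent, 'msDS-LastKnownRDN'
            if (-not $obj.lastKnownParent) { continue }   # tombstone from before the Recycle Bin: no parent recorded
            $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects `
                -Properties isDeleted -ErrorAction SilentlyContinue
            if ($parent -and -not $parent.isDeleted) {
                Restore-ADObject -Identity $guid
                Write-Host "Restored $($obj.'msDS-LastKnownRDN') ($($obj.ObjectClass)) under $($parent.DistinguishedName)"
                $restored += $guid
            }
        }
        $pending = @($pending | Where-Object { $restored -notcontains $_ })
    } while ($restored.Count -gt 0 -and $pending.Count -gt 0)
    foreach ($guid in $pending) {
        Write-Warning "Not restored: $guid (last known parent is still deleted or no longer exists)"
    }
}

# Usage, matching the lab: enable the feature, then restore three of the four objects.
Enable-RecycleBinIfNeeded
$targets = Get-RecycleBinObject | Where-Object {
    @('Sara Davis', 'Finance Temporary Employees', 'Europe') -contains $_.'msDS-LastKnownRDN'
}
Restore-RecycleBinObject -Objects $targets
# The Recycle Bin preserves link-valued attributes, so membership survives the round trip.
Get-ADGroupMember -Identity 'Finance Temporary Employees' | Select-Object Name, objectClass
```

Restore-RecycleBinObject re-reads lastKnownParent on every pass rather than caching it: after a deleted organizational unit is put back, the attribute on its still-deleted children already points at the unit's live distinguished name, so they restore on the next pass without a -TargetPath. Objects whose parent never comes back are reported rather than restored into the wrong place.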

Exercise 3: Configuring an Offline Domain Join

Task 1: Provision a computer account for an offline domain join.
1. On LON-DC1, open the Active Directory Users and Computers console to
ensure that there is no computer account named LON-SVR2 in the
Computers container.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Active Directory Users and Computers.
• In the tree pane of the Active Directory Users and Computers console,
expand Contoso.com, and then click Computers.

Ensure that there is no computer account named LON-SVR2 in the Computers
container.

2. In the command prompt window, run the following command to provision a new
computer account.

djoin /Provision /Domain contoso.com /Machine LON-SVR2 /SaveFile C:\share\LON-SVR2.djoin

• On the Start menu, point to All Programs, click Accessories, and then
click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

djoin /Provision /Domain contoso.com /Machine LON-SVR2 /SaveFile C:\share\LON-SVR2.djoin

This command creates a computer account in Active Directory and stores the computer
account password and related information in a base64-encoded file. The file is encoded,
not encrypted, so it must be treated as securely as a plaintext password: anyone who
obtains it can join a computer to the domain under that account. It contains the computer
account password and other information about the domain, including the domain name,
the name of a domain controller, and the security ID (SID) of the domain. If the blob is
transported physically or over the network, take care to transport it securely, and delete
it once the join has completed. Djoin.exe is new in Windows Server 2008 R2 and is used
to provision computer accounts for an offline domain join.
Task 2: Verify that the computer account has been created in Active
Directory.
1. Verify that the LON-SVR2 computer account has been created. Then, to
display the contents of the provisioning file, run the following command in the
Command Prompt window.

type c:\share\LON-SVR2.djoin

• In the Active Directory Users and Computers console, click the Refresh
button.

Verify that the computer account LON-SVR2 is now present in the Computers container.

• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

type c:\share\LON-SVR2.djoin

The output is readable base64 text rather than ciphertext, which is why the blob has to be
handled as a secret.

• In the Administrator: Command Prompt window, click the Close button.

Task 3: Perform an offline domain join.

1. Log on to LON-SVR2 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR2, and then click
Connect.
• To log on to LON-SVR2, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Copy LON-SVR2.djoin from \\LON-DC1\Share to Local Disk (C:) of
LON-SVR2.
• On the Start menu of LON-SVR2, click Computer.
• In the Address bar, type \\lon-dc1\share, and then press ENTER.
• In the Name list of the Share window, right-click LON-SVR2.djoin, and
then click Copy.
• In the navigation pane, click Local Disk (C:).
• In the Local Disk (C:) window, right-click anywhere, and then click Paste.
3. On LON-SVR2, run the following command to add the LON-SVR2 server as a
member of the Contoso.com domain.

djoin /RequestODJ /LoadFile c:\LON-SVR2.djoin /WindowsPath c:\windows /LocalOS

• On the Start menu of LON-SVR2, point to All Programs, click Accessories,
and then click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

djoin /RequestODJ /LoadFile c:\LON-SVR2.djoin /WindowsPath c:\windows /LocalOS

The /LocalOS switch tells Djoin.exe that /WindowsPath refers to the running operating
system rather than to an offline Windows image. The join takes effect at the next restart.

• In the Administrator: Command Prompt window, click the Close button.
• In the Local Disk (C:) window, click the Close button.
4. Restart the LON-SVR2 server.
• On the Start menu, click the Forward arrow, and then click Restart.
• In the Option box of the Shut Down Windows dialog box, click
Operating System: Reconfiguration (Planned), and then click OK.
5. Log on to LON-SVR2 with the user name, LON-SVR2\Administrator, and the
password, Pa$$w0rd, and verify that LON-SVR2 is a member of the
Contoso.com domain.
• To log on to LON-SVR2, click the Ctrl-Alt-Delete button.
• In the User name box, type LON-SVR2\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
• Verify that LON-SVR2 is now a member of the Contoso.com domain.
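The blob-handling warning in Task 1 is the part of this exercise that matters outside a lab. The PowerShell below is an added example, not course code: it wraps djoin.exe, icacls.exe and nltest.exe (all standard in Windows Server 2008 R2) so that the provisioning side refuses to take over an existing account and locks the file down to the provisioning account, and the joining side deletes the blob once it has been consumed. The function names, the optional OU, the file paths and the post-restart check are assumptions; the computer and domain names match the lab.

```powershell
# Added example, not part of the 10159A lab text. Provisioning runs on LON-DC1 in an
# elevated PowerShell as a domain admin; the join runs on the new machine as a local
# admin. djoin.exe, icacls.exe and nltest.exe ship with Windows Server 2008 R2.
# Function names, the optional OU and the file paths are assumptions.
Import-Module ActiveDirectory

function New-OfflineJoinBlob {
    param(
        [Parameter(Mandatory = $true)][string]$Machine,
        [Parameter(Mandatory = $true)][string]$BlobPath,
        [string]$Domain    = (Get-ADDomain).DNSRoot,
        [string]$MachineOU = $null     # e.g. 'OU=Servers,DC=contoso,DC=com' (assumed OU)
    )
    # Do not silently take over an existing account: /REUSE resets its password.
    if (Get-ADComputer -Filter "Name -eq '$Machine'") {
        throw "Computer account $Machine already exists; delete it, or use /REUSE deliberately."
    }
    $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $Machine, '/savefile', $BlobPath)
    if ($MachineOU) { $djoinArgs += @('/machineou', $MachineOU) }
    $output = & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed ($LASTEXITCODE): $output" }

    # The blob carries the machine account password (base64-encoded, not encrypted):
    # strip inherited ACEs and leave only the provisioning account with access.
    $me = "$env:USERDOMAIN\$env:USERNAME"
    & icacls.exe $BlobPath /inheritance:r /grant:r "${me}:(F)" | Out-Null

    $acct = Get-ADComputer -Identity $Machine -Properties whenCreated
    New-Object PSObject -Property @{
        Computer = $acct.Name
        DN       = $acct.DistinguishedName
        Created  = $acct.whenCreated
        Blob     = $BlobPath
    }
}

function Join-DomainOffline {
    # Run on the machine being joined. The change takes effect at the next restart.
    param([Parameter(Mandatory = $true)][string]$BlobPath)
    $output = & djoin.exe /requestodj /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed ($LASTEXITCODE): $output" }
    # The blob is a spent secret now; do not leave it on the disk or on the share.
    Remove-Item -Path $BlobPath -Force
    Write-Host 'Offline join staged; restart the computer to complete it.'
}

function Test-DomainMembership {
    # Run on the joined machine after the restart.
    param([Parameter(Mandatory = $true)][string]$Domain)
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain -or $cs.Domain -ne $Domain) {
        throw "$($cs.Name) is not joined to $Domain (PartOfDomain=$($cs.PartOfDomain), Domain=$($cs.Domain))"
    }
    # Proves the password from the blob actually works: queries the secure channel to a DC.
    & nltest.exe "/sc_query:$Domain"
}

# Usage in the lab's order:
#   LON-DC1 : New-OfflineJoinBlob -Machine 'LON-SVR2' -BlobPath 'C:\share\LON-SVR2.djoin'
#   LON-SVR2: Join-DomainOffline -BlobPath 'C:\LON-SVR2.djoin'   (then restart)
#   LON-SVR2: Test-DomainMembership -Domain 'contoso.com'
```

Restricting the file's ACL only protects it on the provisioning server; copying it to a share, as the lab does, exposes it to whoever can read that share, so in practice the blob is moved over an authenticated channel and removed from both ends as soon as the join has run.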

Before proceeding to the next lab, reset the lab environment.


Configuring Active Directory in Windows Server 2008 R2
Lab 2B: Configuring Group Policy in Active Directory Domain Services
Exercise 1: Using Starter GPOs
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
3. Log on to LON-CL1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-CL1, and then click
Connect.
• To log on to LON-CL1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.

Task 2: Review the existing System Starter GPOs and their settings.
1. On LON-DC1, examine the Starter GPO settings by using the Group Policy
Management console to verify the following information:
• Verify that there are eight System Starter GPOs pre-created
• Verify that the Edit option is not enabled
• View the settings of a Starter GPO
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Group Policy Management.
• In the tree pane of the Group Policy Management console, expand Forest:
Contoso.com, expand Domains, expand Contoso.com, and then click
Starter GPOs.
• In the Starter GPOs in Contoso.com result pane, click Create Starter
GPOs Folder.

Verify that eight System Starter GPOs have already been created. Four are for Windows
XP SP2 and four for Windows Vista: for each platform there is a computer and a user
Starter GPO with the recommended Enterprise Client (EC) settings, and another pair with
the Specialized Security Limited Functionality (SSLF) settings.

• In the tree pane of the Group Policy Management console, expand Starter
GPOs, and then click Windows Vista EC Computer.
• In the Windows Vista EC Computer result pane, click the Delegation tab,
and then ensure that Administrators have the Edit settings, delete, and
modify security permission.
• In the tree pane, under Starter GPOs, right-click Windows Vista EC
Computer.

Verify that the Edit action is not enabled. Although your account has the appropriate
permissions, System Starter GPOs are read-only. You cannot edit their settings, but you
can delete them if you do not need them.

• In the Windows Vista EC Computer result pane, click the Settings tab.
• If the Internet Explorer security dialog box appears while the settings report
is rendered, click Add.
• In the Trusted sites dialog box, click Add, and then click Close.
• On the Settings tab of the Windows Vista EC Computer result pane, click
show all.

View the settings that are set in the Starter GPO. Also browse through the settings in the
other Starter GPOs.

Task 3: Create a custom Starter GPO.

1. On LON-DC1, create the custom Starter GPO, Default Desktop Configuration,
with the following information:
• All Settings: Filter Options
• Enable Keyword Filters
• Filter for word: control panel
• Clear Help Text and Comment
• Disable the Display Control Panel: Enabled
• In the tree pane of the Group Policy Management console, under
Contoso.com, right-click Starter GPOs, and then click New.
• In the Name box of the New Starter GPO dialog box, type Default
Desktop Configuration, and then click OK.
• In the tree pane, under Starter GPOs, right-click Default Desktop
Configuration, and then click Edit.

Verify that only Administrative Templates are available under Computer Configuration
and User Configuration. Other Group Policy settings are not available in a Starter GPO.

• In the tree pane of the Group Policy Starter GPO Editor console, under
User Configuration, expand Administrative Templates, right-click All
Settings, and then click Filter Options.
• In the Filter Options dialog box, select the Enable Keyword Filters check
box, in the Filter for word(s) box, type control panel, and then click All
in the drop-down list.
• In the Within area, clear the Help Text and Comment check boxes, and
then click OK.

Under User Configuration, click All Settings and verify that only settings with Control
Panel in the title are listed.

• In the tree pane of the Group Policy Starter GPO Editor console, under
Administrative Templates of User Configuration, expand Control
Panel, and then click Display.
• In the Settings list of the Display result pane, double-click Disable the
Display Control Panel.
• In the Disable the Display Control Panel dialog box, click Enabled, and
then click OK.
• In the Group Policy Starter GPO Editor console, click the Close button.

Task 4: Create a new GPO based on the custom Starter GPO.
1. Based on the existing custom Starter GPO, create a GPO with the
following information:
• GPO name: Desktop Configuration
• Source Starter GPO: Default Desktop Configuration
• Sort by State
• Clear Enable Keyword Filters
• Configured: Yes
• In the tree pane of the Group Policy Management console, right-click
Contoso.com, and then click Create a GPO in this domain, and Link it
here.
• In the Name box of the New GPO dialog box, type Desktop
Configuration, in the Source Starter GPO box, click Default Desktop
Configuration, and then click OK.
• In the tree pane, under Contoso.com, expand Group Policy Objects,
right-click Desktop Configuration, and then click Edit.

Verify that the full set of Group Policy settings is available.

• In the tree pane of the Group Policy Management Editor console, under
User Configuration, expand Policies, expand Administrative
Templates: Policy definitions (ADMX files) retrieved from the local
machine, and then click All Settings.

Click the State column header to sort the Administrative Templates settings by their state
(Enabled, Disabled, Not configured).

• In the tree pane, right-click All Settings, and then click Filter Options.
• In the Filter Options dialog box, clear the Enable Keyword Filters check
box, under Select the type of policy settings to display, in the
Configured box, click Yes, and then click OK.

Verify that the Disable the Display Control Panel policy setting is listed. This confirms
that a Starter GPO stores a collection of Administrative Template policy settings in a
single object that can be used as a template when creating a new GPO. Note that the new
GPO was linked to the domain when it was created, so this setting applies to every user
in Contoso.com as soon as Group Policy refreshes.

• In the Group Policy Management Editor window, click the Close
button.
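As an added example that is not part of the course text, the same Starter GPO and GPO can be created with the GroupPolicy module that ships with Windows Server 2008 R2, this time with the link left disabled until the settings report has been reviewed rather than linked live to the domain as the wizard does. The functions and comments are mine; the registry value is the one the "Disable the Display Control Panel" template writes. The names match the lab, so run it with different names if the lab's objects already exist.

```powershell
# Added example, not part of the 10159A lab text. Uses the GroupPolicy and
# ActiveDirectory modules that ship with Windows Server 2008 R2, on LON-DC1 as a
# domain admin. Function names are assumptions; object names match the lab.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function New-GpoFromStarter {
    param(
        [Parameter(Mandatory = $true)][string]$StarterName,
        [Parameter(Mandatory = $true)][string]$GpoName,
        [Parameter(Mandatory = $true)][string]$LinkTarget     # DN of the domain or OU
    )
    if (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue) {
        throw "GPO '$GpoName' already exists."
    }
    # A Starter GPO carries Administrative Template settings only. The module can
    # create one but has no cmdlet that writes settings into it; those are edited
    # in the Group Policy Starter GPO Editor, as in Task 3.
    if (-not (Get-GPStarterGPO -Name $StarterName -ErrorAction SilentlyContinue)) {
        New-GPStarterGPO -Name $StarterName -Comment 'Baseline desktop lockdown' | Out-Null
    }
    $gpo = New-GPO -Name $GpoName -StarterGpoName $StarterName
    # Link it disabled, so nothing applies until the settings report has been reviewed.
    New-GPLink -Name $GpoName -Target $LinkTarget -LinkEnabled No | Out-Null
    # The same setting the lab enables in the editor: NoDispCPL=1 under the user
    # Policies key is what "Disable the Display Control Panel" writes.
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ValueName 'NoDispCPL' -Type DWord -Value 1 | Out-Null
    $gpo
}

function Get-GpoAdminTemplateSetting {
    # Reads the Administrative Template settings back from the XML report, which
    # is the same data the Settings tab in GPMC renders.
    param([Parameter(Mandatory = $true)][string]$GpoName)
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    # Report elements are namespaced per extension, so match on local-name().
    foreach ($policy in $report.SelectNodes("//*[local-name()='Policy']")) {
        New-Object PSObject -Property @{
            Name  = $policy.SelectSingleNode("*[local-name()='Name']").InnerText
            State = $policy.SelectSingleNode("*[local-name()='State']").InnerText
        }
    }
}

# Usage: create, review, then enable the link.
$domainDN = (Get-ADDomain).DistinguishedName
New-GpoFromStarter -StarterName 'Default Desktop Configuration' `
    -GpoName 'Desktop Configuration' -LinkTarget $domainDN
Get-GpoAdminTemplateSetting -GpoName 'Desktop Configuration' | Where-Object { $_.State -eq 'Enabled' }
# Once the report shows only the intended settings:
# Set-GPLink -Name 'Desktop Configuration' -Target $domainDN -LinkEnabled Yes
```

Creating the link disabled and enabling it with Set-GPLink afterwards is the ordering to prefer for any GPO linked at the domain level, since everything under the domain picks it up at the next policy refresh.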

Exercise 2: Using Group Policy Preferences

Task 1: Add a shortcut to Notepad on the desktop.
1. On LON-DC1, create a shortcut to Notepad on the desktop of LON-CL1 by
using the Group Policy Management console with the following information:
• Action: Create
• Location: All Users Desktop
• Target path: C:\Windows\System32\notepad.exe
• Name: Notepad
• Select Item-level targeting
• Computer name: LON-CL1
• In the tree pane of the Group Policy Management console, under
Contoso.com, right-click Desktop Configuration, and then click Edit.
• In the tree pane of the Group Policy Management Editor console, under
Computer Configuration, expand Preferences, and then expand
Windows Settings.
• In the tree pane, under Windows Settings, right-click Shortcuts, point to
New, and then click Shortcut.
• In the New Shortcut Properties dialog box, in the Action box, click
Create, and then in the Name box, type Notepad.
• In the Location box, click All Users Desktop, and then in the Target path
box, type C:\Windows\System32\notepad.exe.
• On the Common tab, select the Item-level targeting check box, and then
click Targeting.
• In the Targeting Editor dialog box, click New Item, and then click
Computer Name.
• In the Computer name box, type LON-CL1, and then click OK.
• In the New Shortcut Properties dialog box, click OK.

Task 2: Create a new folder on drive C.

1. In the Computer Configuration node, create a new folder on drive C with the
following information:
• Action: Create
• Path: C:\Folder_Preference
• Select Item-level targeting
• New Item: Operating System
• Product: Windows 7
• In the tree pane of the Group Policy Management Editor console, under
Windows Settings, right-click Folders, point to New, and then click
Folder.
• In the New Folder Properties dialog box, in the Action box, click Create,
and then in the Path box, type C:\Folder_Preference.
• On the Common tab, select the Item-level targeting check box, and then
click Targeting.
• In the Targeting Editor dialog box, click New Item, click Operating
System, ensure that Windows 7 is selected in the Product box,
and then click OK.
• In the New Folder Properties dialog box, click OK.

Task 3: Configure a drive mapping.

1. In the User Configuration node, map drive P to the Share folder on LON-DC1
with the following information:
• Action: Create
• Location: \\LON-DC1\Share
• Select Reconnect
• Label as: Data
• Drive Letter: P
• In the tree pane of the Group Policy Management Editor console, under
User Configuration, expand Preferences, and then expand Windows
Settings.
• In the tree pane, under Windows Settings, right-click Drive Maps, point
to New, and then click Mapped Drive.
• In the New Drive Properties dialog box, in the Action box, click Create,
in the Location box, type \\LON-DC1\Share, select the Reconnect check
box, and then in the Label as box, type Data.
• In the Drive Letter area, click Use, select P in the list, and then click OK.
• In the Group Policy Management Editor console, click the Close button.

Task 4: Verify that the Group Policy preferences are applied.

1. Log off from LON-CL1.
• On the Start menu of LON-CL1, click Log off.
2. Log on to LON-CL1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• To log on to LON-CL1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
3. Verify that there is a shortcut to Notepad on the desktop, that the preference
folder exists on drive C, and that drive P is mapped to the Share on LON-DC1.

If the Notepad shortcut does not appear on the desktop, run the command, gpupdate
/force, on LON-CL1 (running it on LON-DC1 refreshes policy for the domain controller
only), and then log off and log on again. The shortcut and the folder are computer
preferences and are applied when computer policy refreshes; the drive map is a user
preference and is applied at logon.

• On the desktop of LON-CL1, verify that there is a shortcut to Notepad.
• On the Start menu, click Computer.
• In the Computer window, double-click Local Disk (C:), and then verify
that the Folder_Preference folder exists.
• In the Computer window, double-click Data (P:), and verify that the P:
drive is mapped to the Share on LON-DC1.
• In the Data (P:) window, click the Close button.

Exercise 3: Implementing Application Control Policies

Task 1: Verify that a user can run Notepad.
1. Log off from LON-SVR1.
• On the Start menu of LON-SVR1, click Log off.
2. Log on to LON-SVR1 with the user name, Contoso\jefff, and the password,
Pa$$w0rd.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button, click Switch User,
and then click Other User.
• In the User name box, type Contoso\jefff, in the Password box, type
Pa$$w0rd, and then click the Forward button.
3. On LON-SVR1, verify that jefff can run Notepad.
• On the Start menu, in the Search programs and files box, type notepad,
and then press ENTER.
• In the Untitled - Notepad window, click the Close button.
4. On LON-DC1, open Active Directory Administrative Center to verify that Jeff
Ford is a member of the Restricted Users group.
• On the Start menu, point to Administrative Tools, and then click Active
Directory Administrative Center.
• In the List View of the Navigation pane, click Global Search.
• In the Search box of the Global Search result pane, type Restricted Users,
and then click Search.
• In the Name list of the Global Search result pane, double-click Restricted
Users.
• In the Members area of the Restricted Users dialog box, ensure that Jeff
Ford is listed, and then click OK.
• In the Active Directory Administrative Center console, click the Close
button.

Task 2: Edit the GPO to start the Application Identity service.

1. On LON-DC1, edit Desktop Configuration to start the Application Identity
service: define the policy setting and set the startup mode to Automatic.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Group Policy Management.
• In the tree pane of the Group Policy Management console, under
Contoso.com, right-click Desktop Configuration, and then click Edit.
• In the tree pane of the Group Policy Management Editor console, under
Computer Configuration, expand Policies, and then expand Windows
Settings.
• In the tree pane, under Windows Settings, expand Security Settings, and
then click System Services.
• In the Service Name list of the System Services result pane, double-click
Application Identity.
• In the Application Identity Properties dialog box, select the Define this
policy setting check box, click Automatic, and then click OK.

AppLocker rules are evaluated by the Application Identity service (AppIDSvc). On a
computer where the service is not running, the rules in the GPO have no effect, which is
why the service is set to start automatically in the same GPO that carries the rules.

Task 3: Create the AppLocker rule to deny Notepad to restricted users.
1. Create an executable AppLocker rule to prevent the restricted users from running
Notepad by using the Group Policy Management Editor console with the
following information:
• Permissions: Deny Restricted Users
• Path: %system32%\notepad.exe
• Name: Notepad
• Select Configure rule enforcement
• Executable rules: Configured
• In the tree pane of the Group Policy Management Editor console, under
Security Settings, expand Application Control Policies, and then expand
AppLocker.
• In the tree pane, under AppLocker, right-click Executable Rules, and then
click Create Default Rules.

The default rules are not optional. Once enforcement is configured for a rule collection,
any executable that no allow rule covers is blocked, so without the default rules (Everyone
may run files under the Program Files and Windows folders; Administrators may run
anything) most programs would be blocked for standard users. A deny rule takes
precedence over any allow rule, which is why the Notepad rule created next blocks the
Restricted Users group even though the Windows folder is allowed to Everyone.

• In the tree pane, under AppLocker, right-click Executable Rules, and then
click Create New Rule.
• On the Before You Begin page of the Create Executable Rules wizard,
click Next.
• On the Permissions page, click Deny, and then click Select.
• In the Enter the object name to select (examples) box of the Select User
or Group dialog box, type Restricted Users, press ENTER, and then click
OK.
• On the Permissions page, click Next.
• On the Conditions page, click Path, and then click Next.
• In the Path box of the Path page, type %system32%\notepad.exe, and
then click Next.
• On the Exceptions page, click Next.
• In the Name box of the Name and Description page, type Notepad, and
then click Create.
• In the tree pane of the Group Policy Management Editor console, under
Application Control Policies, click AppLocker.
• In the Configure Rule Enforcement area of the AppLocker result pane,
click Configure rule enforcement.
• In the Executable rules box of the AppLocker Properties dialog box,
click Configured, ensure that the Enforce rules option is selected, and
then click OK.

Task 4: Apply the application control policy and verify that the user cannot
run Notepad.
1. On LON-SVR1, verify that jefff can no longer run Notepad, and then check the
reason in the event log.
• On the Start menu, in the Search programs and files box, type notepad,
and then press ENTER.

An error message appears stating that this program is blocked by group policy. This
confirms that the application control policy is effective. If the error message does not
appear, run the command, gpupdate /force, on LON-SVR1, confirm that the Application
Identity service is running there, and try again.

• In the C:\Windows\System32\notepad.exe message box, click OK.
• On the Start menu, point to Administrative Tools, and then click Event
Viewer.
• In the tree pane of the Event Viewer, expand Applications and Services
Logs, expand Microsoft, and then expand Windows.
• In the tree pane, under Windows, expand AppLocker, and then click EXE
and DLL.
• In the Event ID list of the EXE and DLL result pane, double-click 8004.
• In the Event Properties - Event 8004, AppLocker message box, verify the
reason the program was blocked.

Event 8004 records an executable that an enforced rule prevented from running; it names
the file, the user, and the matching rule. When a collection is set to Audit only instead of
Enforce rules, the same condition is logged as event 8003 and the program still runs,
which is how a rule set is tested before it is enforced.

• In the Event Properties - Event 8004, AppLocker message box, click Close.
• In the Event Viewer console, click the Close button.
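As an added example that is not part of the course text, the following PowerShell builds the same rule set the wizard produces (the three default allow rules plus the Notepad deny for Restricted Users) as an AppLocker policy XML, evaluates it offline against contoso\jefff with Test-AppLockerPolicy before any client sees it, writes it into the Desktop Configuration GPO, and pulls the 8004 events from LON-SVR1. The cmdlets come from the AppLocker, GroupPolicy and Active Directory modules in Windows Server 2008 R2; the function names and the temporary file path are mine.

```powershell
# Added example, not part of the 10159A lab text. Run on LON-DC1 in an elevated
# PowerShell; the AppLocker, GroupPolicy and ActiveDirectory modules all ship with
# Windows Server 2008 R2. GPO, group, user and computer names match the lab; the
# function names and the temporary XML path are assumptions.
Import-Module AppLocker
Import-Module GroupPolicy
Import-Module ActiveDirectory

function New-NotepadDenyPolicy {
    param([Parameter(Mandatory = $true)][string]$DenySid,
          [Parameter(Mandatory = $true)][string]$OutFile)
    # The three default allow rules are not optional: once the Exe collection is
    # enforced, anything without an allow rule is blocked. Deny beats allow, so the
    # Restricted Users rule wins although %WINDIR%\* is allowed to Everyone (S-1-1-0).
    $rule = {
        param($Name, $Sid, $Action, $Path)
        "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" " +
        "UserOrGroupSid=`"$Sid`" Action=`"$Action`"><Conditions>" +
        "<FilePathCondition Path=`"$Path`" /></Conditions></FilePathRule>"
    }
    $xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    $(& $rule 'Notepad' $DenySid 'Deny' '%SYSTEM32%\notepad.exe')
    $(& $rule '(Default Rule) All files located in the Program Files folder' 'S-1-1-0' 'Allow' '%PROGRAMFILES%\*')
    $(& $rule '(Default Rule) All files located in the Windows folder' 'S-1-1-0' 'Allow' '%WINDIR%\*')
    $(& $rule '(Default Rule) All files' 'S-1-5-32-544' 'Allow' '*')
  </RuleCollection>
</AppLockerPolicy>
"@
    Set-Content -Path $OutFile -Value $xml -Encoding UTF8
    $OutFile
}

function Test-PolicyDecision {
    # Evaluates the XML offline, before any client sees it: one row per path with
    # the decision and the rule that produced it.
    param([Parameter(Mandatory = $true)][string]$PolicyXml,
          [Parameter(Mandatory = $true)][string]$User)
    $paths = "$env:SystemRoot\System32\notepad.exe", "$env:SystemRoot\System32\calc.exe"
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $paths -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Publish-PolicyToGpo {
    param([Parameter(Mandatory = $true)][string]$PolicyXml,
          [Parameter(Mandatory = $true)][string]$GpoName)
    $gpo  = Get-GPO -Name $GpoName
    $ldap = "LDAP://$($gpo.DomainName)/$($gpo.Path)"
    # -Merge keeps rules already in the GPO; without it the collection is replaced.
    Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap $ldap -Merge
    # Clients enforce this only while the Application Identity service is running
    # (the lab sets it to Automatic under System Services in the same GPO).
    Get-AppLockerPolicy -Domain -Ldap $ldap -Xml
}

function Get-AppLockerBlockEvent {
    # 8004 = blocked by an enforced rule; 8003 = would have been blocked (audit only).
    # Remote reads need the Remote Event Log Management firewall rule on the target.
    param([string]$ComputerName = 'LON-SVR1')
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004
    } | Select-Object TimeCreated, @{ n = 'User'; e = { $_.UserId } }, Message
}

$sid  = (Get-ADGroup -Identity 'Restricted Users').SID.Value
$file = New-NotepadDenyPolicy -DenySid $sid -OutFile "$env:TEMP\notepad-deny.xml"
Test-PolicyDecision -PolicyXml $file -User 'contoso\jefff'
Publish-PolicyToGpo -PolicyXml $file -GpoName 'Desktop Configuration'
Get-AppLockerBlockEvent -ComputerName 'LON-SVR1'
```

Test-PolicyDecision is the step the wizard has no equivalent for: notepad.exe should come back Denied by the Notepad rule and calc.exe Allowed by the Windows folder rule for jefff, and any other outcome means the rule set is wrong before it reaches a client. Changing EnforcementMode to AuditOnly in the XML gives the 8003 audit behaviour described in Task 4.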

Before proceeding to the next lab, reset the lab environment.


Configuring Server Virtualization by Using Hyper-V
Lab 3: Configuring Server Virtualization by Using Hyper-V
Exercise 1: Installing and Configuring Failover Clustering
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.

Close the Initial Configuration Tasks console if it appears.

Task 2: Create an iSCSI target.

1. On LON-SVR1, create an iSCSI target, LUN-01, by using the Microsoft iSCSI
Software Target console, with the following information:
• Identifier Type: IP Address
• Value: 192.168.10.100
• IQN Identifier: Click Advanced button to view alternate identifiers
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Microsoft iSCSI Software Target.
• In the tree pane of the iSCSITarget - [Microsoft iSCSI Software
Target\Devices] console, right-click iSCSI Targets, and then click Create
iSCSI Target.
• On the Welcome to the Create iSCSI Target Wizard page of the Create
iSCSI Target Wizard, click Next.
• In the iSCSI target name box of the iSCSI Target Identification page,
type LUN-01, and then click Next.
• On the iSCSI Initiators Identifiers page, click Advanced.
• In the Advanced Identifiers dialog box, click Add.
• In the Identifier Type box of the Add/Edit Identifier dialog box, click IP
Address, in the Value box, type 192.168.10.100, and then click OK.
• In the Advanced Identifiers dialog box, click OK.
• On the iSCSI Initiators Identifiers page, ensure that the IQN Identifier
box displays the text, "Click Advanced button to view alternate
identifiers.", and then click Next.
• On the Completing the Create iSCSI Target Wizard page, click Finish.

The IP address identifier limits which initiator may log on to the target, but it only
identifies the initiator; it does not authenticate it. Any host that can take the address
192.168.10.100 on that network can attach the LUN. Outside a lab, configure CHAP on
the target and keep the iSCSI network isolated from client traffic.
2. Create a virtual disk with the following information:
• File: C:\LUN\LUN-01.vhd
• Size of the virtual disk (MB): 20000
• Target Name: LUN-01
• In the tree pane of the iSCSITarget - [Microsoft iSCSI Software
Target\Devices] console, under iSCSI Targets, right-click Devices, and
then click Create Virtual Disk.
• On the Welcome to the Create Virtual Disk Wizard page of the Create
Virtual Disk Wizard, click Next.
• In the File box of the File page, type C:\LUN\LUN-01.vhd, and then click
Next.
• In the Size of virtual disk (MB) box of the Size page, type 20000, and then
click Next.
• On the Description page, click Next.
• On the Access page, click Add.
• In the Add Target dialog box, in the Target Name list, click LUN-01, and
then click OK.
• On the Access page, click Next.
• On the Completing the Create Virtual Disk Wizard page, click Finish.

f Task 3: Connect the iSCSI target to the physical host and create an
NTFS volume.
1. On the physical computer, set the following iSCSI Initiator properties to
connect the iSCSI target to the physical computer:
• Target: 192.168.10.150
• Quick Connect: iqn.1991-05.com.microsoft:lon-svr1-lun-01-target
• On the Start menu of the physical computer, point to Administrative
Tools, and then click iSCSI Initiator.
• On the Targets tab of the iSCSI Initiator Properties dialog box, in the
Target box, type 192.168.10.150, and then click Quick Connect.
• In the Quick Connect dialog box, ensure that the status of iqn.1991-
05.com.microsoft:lon-svr1-lun-01-target is Connected, ensure that the
iqn.1991-05.com.microsoft:lon-svr1-lun-01-target option is selected,
and then click Done.
• In the iSCSI Initiator Properties dialog box, click OK.
2. Open the Server Manager console to create a new volume with size 15000 MB
for Disk 1.
• On the Start menu of the physical host computer, point to Administrative
Tools, and then click Server Manager.
• In the tree pane of the Server Manager console, expand Storage, and then
click Disk Management.
• In the Disk Management result pane, right-click the 19.53 GB
Unallocated area against Disk 1, and then click New Simple Volume.
• On the Welcome to the New Simple Volume Wizard page of the New
Simple Volume Wizard, click Next.
• In the Simple volume size in MB box of the Specify Volume Size page,
type 15000, and then click Next.
• On the Assign Drive Letter or Path page, click Next.
• On the Format Partition page, leave the Volume label box empty, and
then click Next.
• On the Completing the New Simple Volume Wizard page, click Finish.

Task 4: Create and configure a one-node Failover Cluster.

1. On LON-DC1, open the Server Manager console to configure the Failover
Clustering feature.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Server Manager.
• In the tree pane of the Server Manager console, right-click Features, and
then click Add Features.
• On the Select Features page of the Add Features Wizard, under Features,
select the Failover Clustering check box, and then click Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
• In the Server Manager console, click the Close button.
2. Open the Failover Cluster Manager console to create a cluster and run the
validation tests with the following information:
• Server name: VM-Team (physical computer name)
• Run the validation test
• Validation Warning: No. I do not require support from Microsoft
for this cluster, and therefore do not want to run the validation
tests. When I click Next, continue creating the cluster
• Cluster Name: LON-FC
• Address: 192.168.10.15
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Failover Cluster Manager.
• In the Actions pane of the Failover Cluster Manager console, click Create
a Cluster.
• On the Before You Begin page of the Create Cluster Wizard, click Next.
• In the Enter server name box of the Select Servers page, type VM-Team
(physical computer name), click Add, and then click Next.
• On the Validation Warning page, ensure that the Yes. When I click Next,
run configuration validation tests, and then return to the process of
creating the cluster option is selected, and then click Next.
• On the Before You Begin page of the Validate a Configuration Wizard,
click Next.
• On the Testing Options page, click Next.
• On the Confirmation page, click Next.
• On the Summary page, click Finish.
• On the Validation Warning page of the Create Cluster Wizard, click No. I
do not require support from Microsoft for this cluster, and therefore
do not want to run the validation tests. When I click Next, continue
creating the cluster, and then click Next.
• In the Cluster Name box of the Access Point for Administering the
Cluster page, type LON-FC, in the Address box, type 192.168.10.15, and
then click Next.
• On the Confirmation page, click Next.
• On the Summary page, click Finish.

Exercise 2: Configuring Cluster Shared Volumes


Task 1: Enable Cluster Shared Volumes.
1. On the physical computer, enable Cluster Shared Volumes, a feature that is
restricted to Hyper-V use, for the LON-FC.Contoso.com cluster, and add a disk,
Cluster Disk 1, to it.
• On the physical computer, click Start, point to Administrative Tools, and
then click Failover Cluster Manager.
• In the tree pane of the Failover Cluster Manager console, expand
LON-FC.Contoso.com, and then click LON-FC.Contoso.com.
• In the Actions pane, click Enable Cluster Shared Volumes.
• In the Enable Cluster Shared Volumes dialog box, select the I have read
the above notice check box, and then click OK.
• In the tree pane of the Failover Cluster Manager console, expand LON-
FC.Contoso.com, right-click Storage, and then click Add a disk.
• In the Add Disks to a Cluster dialog box, ensure that the Cluster Disk 1
option is selected, and then click OK.

Verify the online status of Cluster Disk 1.

Task 2: Add a disk to the Cluster Shared Volumes.

1. Add the disk, Cluster Disk 1, to the Cluster Shared Volumes of LON-
FC.Contoso.com.
• On the physical computer, in the tree pane of the Failover Cluster
Manager console, under LON-FC.Contoso.com, right-click Cluster
Shared Volumes, and then click Add storage.
• In the Add Storage dialog box, select the Cluster Disk 1 check box, and
then click OK.
• In the tree pane of the Failover Cluster Manager console, under LON-
FC.Contoso.com, click Cluster Shared Volumes.
• In the Cluster Shared Volumes result pane, expand Cluster Disk 1, and
then verify that it has the C:\ClusterStorage\Volume1 volume.

Exercise 3: Setting Up a Virtual Machine for Live Migration

Task 1: Create a virtual machine.

1. On the physical computer, copy the Base10D-WS08R2Core-HV.vhd file from
C:\Program Files\Microsoft Learning\Base and paste it in
C:\ClusterStorage\Volume1.
• On the Start menu of the physical computer, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, double-click Program
Files.
• In the Name list of the Program Files window, double-click Microsoft
Learning.
• In the Name list of the Microsoft Learning window, double-click Base.
• In the Name list of the Base window, right-click Base10D-WS08R2Core-
HV.vhd, and then click Copy.
• In the Address bar, click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, double-click
ClusterStorage.
• In the Name list of the ClusterStorage window, double-click Volume1.
• In the Volume1 window, right-click anywhere, and then click Paste.
2. On the physical computer, create a virtual machine, Clustered VM, by using
the Hyper-V Manager console, with the following information:
• Select Store the virtual machine in a different location
• Location: C:\ClusterStorage\Volume1
• Memory size: 512 MB
• Connect Virtual Hard Disk: Use an existing virtual hard disk
• Location: C:\ClusterStorage\Volume1\Base10D-WS08R2Core-
HV.vhd
• On the physical computer, in the tree pane of the Hyper-V Manager
console, right-click VM-TEAM, point to New, and then click Virtual
Machine.
• On the Before You Begin page of the New Virtual Machine Wizard, click
Next.
• In the Name box of the Specify Name and Location page, type Clustered
VM, select the Store the virtual machine in a different location check
box, in the Location box, type C:\ClusterStorage\Volume1, and then
click Next.
• On the Assign Memory page, ensure that the Memory size is 512 MB,
and click Next.
• On the Configure Networking page, click Next.
• On the Connect Virtual Hard Disk page, click Use an existing virtual
hard disk, in the Location box, type
C:\ClusterStorage\Volume1\Base10D-WS08R2Core-HV.vhd, and then
click Next.
• On the Completing the New Virtual Machine Wizard page, click Finish.
• In the result pane of the Hyper-V Manager console, in the Virtual
Machines area, verify that the Clustered VM virtual machine is created.

Task 2: Make the virtual machine highly available.

1. On the physical computer, configure a service or application to make the
virtual machine, Clustered VM, highly available by using the Failover Cluster
Manager console.
• On the physical computer, in the tree pane of the Failover Cluster
Manager console, expand LON-FC.Contoso.com, right-click Services and
applications, and then click Configure a Service or Application.
• On the Before You Begin page of the High Availability Wizard, click Next.
• On the Select Service or Application page, under Select the service or
application that you want to configure for high availability, click
Virtual Machine, and then click Next.
• On the Select Virtual Machine page, under Select the virtual machine(s)
that you want to configure for high availability, select the Clustered VM
check box, and then click Next.
• On the Confirmation page, click Next.
• On the Summary page, click Finish.

Verify that Clustered VM is added under Services and applications.

• In the Failover Cluster Manager console, click the Close button.
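The storage and clustering steps of this lab, scripted for the physical Hyper-V host as an added example (it is not part of the 10159A courseware). It assumes the lab's names, addresses and paths, that the script runs elevated on the single cluster node (VM-Team), and that the iSCSI target LUN-01 from Exercise 1 already exists; the helper function names are this example's own.

```powershell
# Added example, not part of the 10159A courseware. Run in an elevated PowerShell
# session on the physical host (VM-Team), the single node of the LON-FC cluster.
# Assumed lab values: target portal 192.168.10.150, target LUN-01, cluster LON-FC
# at 192.168.10.15, CSV path C:\ClusterStorage\Volume1.
$ErrorActionPreference = 'Stop'

$TargetPortal = '192.168.10.150'
$TargetIqn    = 'iqn.1991-05.com.microsoft:lon-svr1-lun-01-target'

function Connect-LabIscsiLun {
    # Exercise 1, Task 3: connect the initiator. iscsicli.exe is the built-in tool
    # on 2008 R2 (the iSCSI PowerShell cmdlets only arrived in Server 2012).
    # The target was restricted to the initiator at 192.168.10.100, so the host
    # must connect from that address; an IP identifier is filtering, not
    # authentication, which is what CHAP would add.
    iscsicli QAddTargetPortal $TargetPortal | Out-Null
    iscsicli QLoginTarget $TargetIqn | Out-Null
    # Persistent login, so the LUN is re-attached after a host reboot.
    iscsicli PersistentLoginTarget $TargetIqn T * * * * * * * * * * * * * * * 0 | Out-Null

    # Create the 15000 MB NTFS volume on Disk 1 (shared disks may arrive offline
    # and read-only under the default SAN policy, hence the first two lines).
    $diskpartScript = @'
select disk 1
online disk noerr
attributes disk clear readonly noerr
create partition primary size=15000
format fs=ntfs quick
assign
'@
    $diskpartScript | diskpart | Out-Null
}

function New-LabCluster {
    # Exercise 1, Task 4: install Failover Clustering, run validation, create the
    # one-node cluster with its administrative access point.
    Import-Module ServerManager
    Add-WindowsFeature Failover-Clustering | Out-Null
    Import-Module FailoverClusters
    Test-Cluster -Node $env:COMPUTERNAME | Out-Null   # writes the validation report
    New-Cluster -Name 'LON-FC' -Node $env:COMPUTERNAME `
                -StaticAddress '192.168.10.15' | Out-Null
}

function Enable-LabCsv {
    # Exercise 2: EnableSharedVolumes is the 2008 R2 cluster property behind the
    # "Enable Cluster Shared Volumes" action; then add the iSCSI disk and put it
    # in CSV, which creates C:\ClusterStorage\Volume1.
    Import-Module FailoverClusters
    (Get-Cluster).EnableSharedVolumes = 'Enabled'
    Get-ClusterAvailableDisk | Add-ClusterDisk | Out-Null
    Add-ClusterSharedVolume -Name 'Cluster Disk 1' | Out-Null
}

function Add-LabClusteredVm {
    # Exercise 3: copy the base VHD onto the CSV. 2008 R2 has no Hyper-V cmdlets,
    # so "Clustered VM" itself is created in Hyper-V Manager as in Task 1; the
    # Read-Host pause waits for that before the VM is made highly available.
    Import-Module FailoverClusters
    Copy-Item 'C:\Program Files\Microsoft Learning\Base\Base10D-WS08R2Core-HV.vhd' `
              'C:\ClusterStorage\Volume1\'
    Read-Host 'Create "Clustered VM" in Hyper-V Manager, then press Enter' | Out-Null
    Add-ClusterVirtualMachineRole -VirtualMachine 'Clustered VM' | Out-Null
}

function Test-LabClusterState {
    # Returns $true when the CSV disk is online, the volume path exists and the
    # VM group is online, i.e. the verification points of Exercises 2 and 3.
    Import-Module FailoverClusters
    $csv = Get-ClusterSharedVolume -Name 'Cluster Disk 1'
    $vm  = Get-ClusterGroup | Where-Object { $_.Name -eq 'Clustered VM' }
    ($csv.State -eq 'Online') -and
    (Test-Path 'C:\ClusterStorage\Volume1') -and
    ($vm -ne $null) -and ($vm.State -eq 'Online')
}

Connect-LabIscsiLun
New-LabCluster
Enable-LabCsv
Add-LabClusteredVm
Test-LabClusterState
```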

Before proceeding to the next lab, reset the lab environment.


Configuring Remote Desktop Services and Virtual Desktop Infrastructure in Windows Server 2008 R2 L4-1

Lab 4: Configuring Remote Desktop Services and Virtual Desktop
Infrastructure in Windows Server 2008 R2
Exercise 1: Publishing Applications Using RemoteApp and
Remote Desktop Connection Broker
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
3. Log on to LON-CL1 with the user name, contoso\administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-CL1, and then click
Connect.
• To log on to LON-CL1, click the Ctrl-Alt-Delete button.
• In the User name box, type contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
4. Log on to LON-CL2 with the user name, contoso\administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-CL2, and then click
Connect.
• To log on to LON-CL2, click the Ctrl-Alt-Delete button.
• In the User name box, type contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.

Task 2: Review predefined group memberships.


1. On LON-DC1, open the Active Directory Users and Computers console to
check whether Ruser is a member of RD Users and whether LON-DC1 and
LON-SVR1 are connected to the RD Web Computers.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Active Directory Users and Computers.
• In the tree pane of the Active Directory Users and Computers console,
expand Contoso.com, and then click Remote Access.
• In the Name list of the Remote Access result pane, right-click RD Users,
and then click Properties.
• On the Members tab of the RD Users Properties dialog box, ensure that
Ruser is a member of the RD Users group.
• In the RD Users Properties dialog box, click OK.
• In the Name list of the Remote Access result pane, right-click RD Web
Computers, and then click Properties.
• On the Members tab of the RD Web Computers Properties dialog box,
ensure that LON-DC1 and LON-SVR1 are connected to the RD Web
Computers group.
• In the RD Web Computers Properties dialog box, click OK.
• In the Active Directory Users and Computers console, click the Close
button.

Task 3: Install and publish RemoteApp applications.


1. On LON-DC1, install the Remote Desktop Services server role by using the
Server Manager console with the following information:
• Role Services: Remote Desktop Session Host, Remote Desktop
Connection Broker, Remote Desktop Gateway, and Remote
Desktop Web Access
• Authentication Method for Remote Desktop Session Host: Do not
require Network Level Authentication
• Licensing Mode: Configure later
• Server Authentication Certificate for SSL Encryption: Create a self-
signed certificate for SSL encryption
• Create Authorization Policies for RD Gateway: Now
• Users Groups That Can Connect Through RD Gateway: RD Users
• RD RAP for RD Gateway: RD Web Computers
• Role services: Routing and Remote Access Services
• On the Start menu, point to Administrative Tools, click Server Manager.
• In the tree pane of the Server Manager console, click Roles.
• In the Roles Summary area of the Roles result pane, click Add Roles.
• On the Before You Begin page of the Add Roles Wizard, click Next.
• On the Select Server Roles page, under Roles, select the Remote Desktop
Services check box, and then click Next.
• On the Remote Desktop Services page, click Next.
• On the Select Role Services page, under Role services, select the Remote
Desktop Session Host check box.
• In the Add Roles Wizard dialog box, click Install Remote Desktop
Session Host anyway (not recommended).
• On the Select Role Services page, under Role services, select the Remote
Desktop Connection Broker and Remote Desktop Gateway check boxes.
• In the Add Roles Wizard dialog box, click Add Required Role Services.
• On the Select Role Services page, under Role services, select the Remote
Desktop Web Access check box.
• In the Add Roles Wizard dialog box, click Add Required Role Services.
• On the Select Role Services page, click Next.
• On the Uninstall and Reinstall Applications for Compatibility page,
click Next.
• On the Specify Authentication Method for Remote Desktop Session
Host page, click Do not require Network Level Authentication, and then
click Next.
• On the Specify Licensing Mode page, ensure that the Configure later
option is selected, and then click Next.
• On the Select User Groups Allowed Access To This RD Session Host
Server page, click Next.
• On the Configure Client Experience page, click Next.
• On the Choose a Server Authentication Certificate for SSL Encryption
page, click Create a self-signed certificate for SSL encryption, and then
click Next.
• On the Create Authorization Policies for RD Gateway page, ensure that
the Now option is selected, and then click Next.
• On the Select User Groups That Can Connect Through RD Gateway
page, click Add.
• In the Enter the object names to select (examples) box of the Select
Group dialog box, type RD Users, and then click OK.
• On the Select User Groups That Can Connect Through RD Gateway
page, click Next.
• On the Create an RD CAP for RD Gateway page, click Next.
• On the Create an RD RAP for RD Gateway page, click Browse.
• In the Enter the object name to select (examples) box of the Select
Group dialog box, type RD Web Computers, and then click OK.
• On the Create an RD RAP for RD Gateway page, click Next.
• On the Network Policy and Access Services page, click Next.
• On the Select Role Services page, under Role services, select the Routing
and Remote Access Services check box, and then click Next.
• On the Web Server (IIS) page, click Next.
• On the Select Role Services page, click Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
• In the Add Roles Wizard message box, click Yes.
2. Log on to LON-DC1 with the user name, contoso\administrator, and the
password, Pa$$w0rd.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type contoso\administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.

After logging on to LON-DC1, the Resume Configuration Wizard opens.

• In the Resume Configuration Wizard, click Close.


• In the Server Manager console, click Close.
3. On LON-DC1, add the calculator and paint programs to the list of RemoteApp
Programs by using the RemoteApp Manager console.
• On the Start menu of LON-DC1, point to Administrative Tools, point to
Remote Desktop Services, and then click RemoteApp Manager.
• In the Actions pane of the RemoteApp Manager console, click Add
RemoteApp Programs.
• On the Welcome to the RemoteApp Wizard page of the RemoteApp
Wizard, click Next.
• On the Choose programs to add to the RemoteApp Programs list page,
select the Calculator and Paint check boxes, and then click Next.
• On the Review Settings page, click Finish.
• In the RemoteApp Manager console, click the Close button.
4. On LON-SVR1, install the Remote Desktop Services server role by using the
Server Manager console with the following information:
• Role Services: Remote Desktop Session Host, Remote Desktop
Connection Broker, Remote Desktop Gateway, and Remote
Desktop Web Access
• Authentication Method for Remote Desktop Session Host: Do not
require Network Level Authentication
• Licensing Mode: Configure later
• Server Authentication Certificate for SSL Encryption: LON-
SVR1.Contoso.com
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Server Manager.
• In the tree pane of the Server Manager console, click Roles.
• In the Roles Summary area of the Roles result pane, click Add Roles.
• On the Before You Begin page of the Add Roles Wizard, click Next.
• On the Select Server Roles page, under Roles, select the Remote Desktop
Services check box, and then click Next.
• On the Remote Desktop Services page, click Next.
• On the Select Role Services page, under Role services, select the Remote
Desktop Session Host, Remote Desktop Connection Broker, and
Remote Desktop Gateway check boxes.
• On the Select Role Services page, under Role services, select the Remote
Desktop Web Access check box.
• On the Select Role Services page, click Next.
• On the Uninstall and Reinstall Applications for Compatibility page,
click Next.
• On the Specify Authentication Method for Remote Desktop Session
Host page, click Do not require Network Level Authentication, and then
click Next.
• On the Specify Licensing Mode page, ensure that the Configure later
option is selected, and then click Next.
• On the Select User Groups Allowed Access To This RD Session Host
Server page, click Next.
• On the Configure Client Experience page, click Next.
• On the Choose a Server Authentication Certificate for SSL Encryption
page, in the Issued To list, click LON-SVR1.Contoso.com, and then click
Next.
• On the Create Authorization Policies for RD Gateway page, click Later,
and then click Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
• In the Add Roles Wizard message box, click Yes.
5. Log on to LON-SVR1 with the user name, contoso\administrator, and the
password, Pa$$w0rd.
• In the User name box, type contoso\administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.

After logging on to LON-SVR1, the Resume Configuration Wizard opens.

• In the Resume Configuration Wizard, click Close.


• In the Server Manager console, click Close.
6. On LON-SVR1, add the Notepad.exe and WordPad programs to the list of
available RemoteApp Programs by using the RemoteApp Manager console.
• On the Start menu of LON-SVR1, point to Administrative Tools, point to
Remote Desktop Services, and then click RemoteApp Manager.
• In the Actions pane of the RemoteApp Manager console, click Add
RemoteApp Programs.
• On the Welcome to the RemoteApp Wizard page of the RemoteApp
Wizard, click Next.
• On the Choose programs to add to the RemoteApp Programs list page,
select the WordPad check box, and then click Browse.
• In the File name box of the Choose a program dialog box, type
C:\Windows\System32\notepad.exe, and then click Open.
• On the Choose programs to add to the RemoteApp Programs list page,
click Next.
• On the Review Settings page, click Finish.
• In the RemoteApp Manager console, click the Close button.
Notice that Notepad.exe and WordPad are added to the list of available RemoteApp
Programs. To separate the workload, publish different applications on different Remote
Desktop Session Host servers.

Task 4: Configure the Group Membership on Remote Desktop Session
Host servers.
1. On LON-DC1, add RD Web Computers to the TS Web Access Computers
group and RD Users to the Remote Desktop Users group.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Server Manager.
• In the tree pane of the Server Manager console, expand Roles, expand
Active Directory Domain Services, and then expand Active Directory
Users and Computers [LON-DC1.Contoso.com].
• In the tree pane, under Active Directory Users and Computers [LON-
DC1.Contoso.com], expand Contoso.com, and then click Users.
• In the Name list of the Users result pane, right-click TS Web Access
Computers, and then click Properties.
• On the Members tab of the TS Web Access Computers Properties dialog
box, click Add.
• In the Enter the object names to select (examples) box of the Select
Users, Contacts, Computers, Service Accounts, or Groups dialog box,
type RD Web Computers, and then click OK.
• In the TS Web Access Computers Properties dialog box, click OK.
• In the tree pane of the Server Manager console, under Contoso.com, click
Builtin.
• In the Name list of the Builtin result pane, right-click Remote Desktop
Users, and then click Properties.
• On the Members tab of the Remote Desktop Users Properties dialog
box, click Add.
• In the Enter the object names to select (examples) box of the Select
Users, Contacts, Computers, Service Accounts, or Groups dialog box,
type RD Users, and then click OK.
• In the Remote Desktop Users Properties dialog box, click OK.
• In the Server Manager console, click the Close button.
2. On LON-SVR1, add RD Web Computers to the TS Web Access Computers
group and RD Users to the Remote Desktop Users group.
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Server Manager.
• In the tree pane of the Server Manager console, expand Configuration,
expand Local Users and Groups, and then click Groups.
• In the Name list of the Groups result pane, right-click TS Web Access
Computers, and then click Properties.
• In the TS Web Access Computers Properties dialog box, click Add.
• In the Enter the object names to select (examples) box of the Select
Users, Computers, Service Accounts, or Groups dialog box, type RD
Web Computers, and then click OK.
• In the TS Web Access Computers Properties dialog box, click OK.
• In the Name list of the Groups result pane, right-click Remote Desktop
Users, and then click Properties.
• In the Remote Desktop Users Properties dialog box, click Add.
• In the Enter the object names to select (examples) box of the Select
Users, Computers, Service Accounts, or Groups dialog box, type RD
Users, and then click OK.
• In the Remote Desktop Users Properties dialog box, click OK.
• In the Server Manager console, click the Close button.

Task 5: Configure Remote Desktop Connection Broker to aggregate
RemoteApp applications.
1. On LON-SVR1, configure LON-DC1.contoso.com and LON-
SVR1.contoso.com as RemoteApp sources to aggregate the published
RemoteApp applications.
• On the Start menu of LON-SVR1, point to Administrative Tools, point to
Remote Desktop Services, and then click Remote Desktop Connection
Manager.
• In the tree pane of the Remote Desktop Connection Manager console,
click RemoteApp Sources.
• In the Actions pane, click Add RemoteApp Source.
• In the RemoteApp source name box of the Add RemoteApp Source
dialog box, type LON-DC1.contoso.com, and then click Add.
• In the Actions pane, click Add RemoteApp Source.
• In the RemoteApp source name box of the Add RemoteApp Source
dialog box, type LON-SVR1.contoso.com, and then click Add.
• In the Remote Desktop Connection Manager console, click the Close
button.

Task 6: Configure Remote Desktop Web Access to use the publishing
servers.
1. On LON-SVR1, open the RD Web Access Web page to retrieve the aggregated
list of RemoteApp applications from Remote Desktop Connection Brokers
with the following information:
• Domain\username: contoso\administrator
• Password: Pa$$w0rd
• Select An RD Connection Broker server
• Source name: LON-SVR1.contoso.com
• On the Start menu of LON-SVR1, point to Administrative Tools, point to
Remote Desktop Services, and then click Remote Desktop Web Access
Configuration.

If the Set Up Windows Internet Explorer 8 window appears, close the Internet Explorer
window, and then open Remote Desktop Web Access Configuration again.

• On the Certificate Error: Navigation Blocked tab of the Certificate Error:
Navigation Blocked - Windows Internet Explorer window, click Continue
to this website (not recommended).
• In the Security Alert message box, select the In the future, do not show
this warning check box, and then click OK.
• In the RD Web Access - Windows Internet Explorer window, click
Certificate Error, and then click View certificates.
• In the Certificate dialog box, click Install Certificate.
• On the Welcome to the Certificate Import Wizard page of the Certificate
Import Wizard, click Next.
• On the Certificate Store page, click Place all certificates in the following
store, and then click Browse.
• In the Select Certificate Store dialog box, click Trusted Root
Certification Authorities, and then click OK.
• On the Certificate Store page, click Next.
• On the Completing the Certificate Import Wizard page, click Finish.
• In the Security Warning message box, click Yes.
• In the Certificate Import Wizard message box, click OK.
• In the Certificate dialog box, click OK.
• In the Domain\user name box of the RD Web Access - Windows Internet
Explorer window, type contoso\administrator, in the Password box,
type Pa$$w0rd, and then click Sign in.
• On the Remote Desktop Services Default Connection page, click An RD
Connection Broker server, in the Source name box, type LON-
SVR1.contoso.com, and then click OK.

The Enterprise Remote Access Web page displays the list of RemoteApp published
applications.

• In the RD Web Access - Windows Internet Explorer window, click the
Close button.

Task 7: Test the Remote Desktop Connection Broker.


1. On LON-CL1, log on to RD Web Access as contoso\ruser and verify whether
all four published RemoteApp applications are available on the Remote
Desktop Services Web Access page.
• On the Start menu of LON-CL1, click All Programs, and then click
Internet Explorer.

If the Set Up Windows Internet Explorer 8 window appears, close the Internet Explorer
window, and then open it again.

• In the Address box of the Blank Page – Windows Internet Explorer
window, type https://lon-svr1.contoso.com/rdweb, and then press
ENTER.
• In the RD Web Access – Windows Internet Explorer window, right-click
ActiveX control, and then click Run Add-on.
• In the Internet Explorer – Security Warning message box, click Run.
• In the Domain\user name box of the RD Web Access - Windows Internet
Explorer window, type contoso\ruser, in the Password box, type
Pa$$w0rd, and then click Sign in.

Verify that all four RemoteApp published applications are displayed on the Enterprise
Remote Access Web page.

Task 8: Configure RemoteApp application filtering.


1. On LON-SVR1, use the User Assignment property in the RemoteApp Manager
console to restrict the WordPad RemoteApp program to the specified domain
user contoso\administrator, so that other users do not see its icon.
• On the Start menu of LON-SVR1, point to Administrative Tools, point to
Remote Desktop Services, and then click RemoteApp Manager.
• In the RemoteApp Manager console, under RemoteApp Programs, in the
Name list, right-click WordPad, and then click Properties.
• On the User Assignment tab of the RemoteApp Properties dialog box,
click Specified domain users and domain groups, and then click Add.
• In the Enter the object names to select (examples) box of the Select
Users or Groups dialog box, type contoso\administrator, and then click
OK.
• In the RemoteApp Properties dialog box, click OK.
• In the RemoteApp Manager console, click the Close button.
2. On LON-CL1, verify that the WordPad RemoteApp program icon is no longer
available for ruser.
• On LON-CL1, in the RD Web Access - Windows Internet Explorer
window, click the Refresh button.

Because ruser does not have permission for the WordPad RemoteApp program, the
WordPad icon should no longer be available, and only three RemoteApp applications
should be displayed on the Enterprise Remote Access Web page.
• On the RD Web Access tab of the RD Web Access - Windows Internet
Explorer window, click Sign out.
• In the RD Web Access - Windows Internet Explorer window, click the
Close button.

Task 9: Implement RemoteApp and Desktop Connection.


1. On LON-CL1, set up a new connection with RemoteApp and Desktop
Connections by using http://LON-
SVR1.contoso.com/RDweb/Feed/webfeed.aspx as the connection URL.
• On the Start menu of LON-CL1, in the Search programs and files box,
type Remote, and then click RemoteApp and Desktop Connections.
• In the RemoteApp and Desktop Connections window, click Set up a new
connection with RemoteApp and Desktop Connections.
• On the Type the URL to set up a new connection page of the Set up a
new connection with RemoteApp and Desktop Connections wizard, in the
Connection URL box, type https://lon-
svr1.contoso.com/rdweb/feed/webfeed.aspx, and then click Next.
• On the Ready to set up the connection page, click Next.
• On the You have successfully set up the following connection page,
click Finish.

Verify that a new program group, RemoteApp and Desktop Connections, is
available.

• In the RemoteApp and Desktop Connections window, click the Close
button.
2. On LON-CL1, check whether the program group contains all RemoteApp
applications that are available to the user.
• On the Start menu, click All Programs, and then click RemoteApp and
Desktop Connections.

The program group contains all RemoteApp applications that are available to the user.
The configuration file for creating this program group can also be created by using the
Remote Desktop Connection Manager console.

Exercise 2: Publishing Applications for External Users Using Remote Desktop Gateway
Task 1: Enroll for certificate for Remote Desktop Gateway.
1. On LON-SVR1, create a computer account for the Certificates snap-in and
enroll the certificate with the following information:
• Select DirectAccess and More information is required to enroll for this
certificate
• Type of Subject Name: Common Name
• Value: external.contoso.com
• Type of Alternative Name: DNS
• Value: external.contoso.com
• On the Start menu of LON-SVR1, click Run.
• In the Open box of the Run dialog box, type mmc, and then click OK.
• On the File menu of the Console1- [Console Root] console, click
Add/Remove Snap-in.
• In the Available snap-ins area of the Add or Remove Snap-ins dialog box,
in the Snap-in list, click Certificates, and then click Add.
• In the Certificates snap-in wizard, click Computer account, and then click Next.
• In the Select Computer wizard, click Finish.
• In the Add or Remove Snap-ins dialog box, click OK.
• In the tree pane of the Console1- [Console Root] console, expand
Certificates (Local Computer), expand Personal, and then click
Certificates.
• In the Actions pane, click More Actions, point to All Tasks, and then click
Request New Certificate.
• On the Before You Begin page of the Certificate Enrollment wizard, click
Next.
• On the Select Certificate Enrollment Policy page, click Next.
• On the Request Certificates page, select the DirectAccess check box, and
then click More information is required to enroll for this certificate.
Click here to configure settings.
• In the Subject name area of the Certificate Properties dialog box, in Type
box, click Common name, in the Value box, type external.contoso.com,
and then click Add.
• In the Alternative name area, in the Type box, click DNS, in the Value
box type external.contoso.com, click Add, and then click OK.
• On the Request Certificates page, click Enroll.
• On the Certificate Installation Results page, click Finish.

Verify that certificate for external.contoso.com is listed in the Certificates result pane.

• In the Console1 - [Console Root\Certificates (Local
Computer)\Personal\Certificates] console, click the Close button.
• In the Microsoft Management Console message box, click No.
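The same certificate can be requested with certreq, which makes the subject name and the DNS subject alternative name explicit and repeatable, and lets you check the issued certificate before it is imported into RD Gateway in Task 2. The following is an added example written for this section, not a script from the 10159A course. It assumes the template's internal name is DirectAccess (the lab shows only the display name), uses a placeholder for the CA configuration string (take the real value from certutil -dump on LON-DC1), and the Test-GatewayCertificate function is this example's own.

```powershell
# Added example, not part of the 10159A lab: request the RD Gateway certificate from
# the command line instead of the Certificates snap-in, then check the SAN before
# the certificate is imported into RD Gateway (Task 2). Run elevated on LON-SVR1.
# Assumptions: the enterprise CA offers a template named "DirectAccess" (the lab
# shows only its display name); $CAConfig is a placeholder for "<host>\<CA name>".
$ExternalName = 'external.contoso.com'
$TemplateName = 'DirectAccess'                      # assumption: template name
$CAConfig     = 'LON-DC1.contoso.com\<CA name>'     # placeholder: see certutil -dump
$WorkDir      = Join-Path $env:TEMP 'rdgw-cert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# certreq request file: CN and DNS SAN both carry the public name; MachineKeySet
# puts the key in the computer store, where the RD Gateway service can use it.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$ExternalName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $TemplateName

[Extensions]
2.5.29.17 = "{text}dns=$ExternalName"
"@

$infPath = Join-Path $WorkDir 'rdgw.inf'
$reqPath = Join-Path $WorkDir 'rdgw.req'
$cerPath = Join-Path $WorkDir 'rdgw.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

certreq -new    $infPath $reqPath                     # build the CSR and private key
certreq -submit -config $CAConfig $reqPath $cerPath   # submit to the enterprise CA
certreq -accept $cerPath                              # bind the issued cert to the key

# Verification: the newest certificate for the external name must carry the DNS SAN
# and its private key; otherwise clients will later fail name validation against
# external.contoso.com or the gateway cannot use the certificate at all.
function Test-GatewayCertificate {
    param([string]$Name = $ExternalName)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Name" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for CN=$Name in the computer Personal store" }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    if ($sanText -notmatch [regex]::Escape($Name)) {
        throw "Certificate $($cert.Thumbprint) has no DNS SAN for $Name"
    }
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }
    $cert
}
Test-GatewayCertificate | Format-List Subject, Issuer, NotAfter, Thumbprint
```

Run it in an elevated PowerShell on LON-SVR1 before Task 2. The check throws rather than warns, because a certificate that lacks the DNS SAN or the private key only shows up later as client-side certificate errors against the gateway name, which is exactly what tempts users to click through warnings.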

Task 2: Configure SSL settings for Remote Desktop Gateway.


1. On LON-SVR1, import the SSL certificate, external.contoso.com to the Remote
Desktop Gateway server.
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Server Manager.
• In the tree pane of the Server Manager console, expand Roles, expand
Remote Desktop Services, expand RD Gateway Manager, and then click
LON-SVR1 (Local).
• In the tree pane, under RD Gateway Manager, right-click LON-SVR1
(Local), and then click Properties.
• On the SSL Certificate tab, of the LON-SVR1 Properties dialog box, click
Import Certificate.
• In the Issued to list of the Import Certificate dialog box, click
external.contoso.com, and then click Import.
• In the LON-SVR1 Properties dialog box, click Apply.
• In the RD Gateway message box, click Yes.
• In the LON-SVR1 Properties dialog box, click OK.

Task 3: Create a Connection Authorization Policy.

1. On LON-SVR1, create a Connection Authorization Policy (CAP) to control which
users can access the RD Gateway server, with the following information:
• Type a name for the RD CAP: Authorized Remote Users
• User group membership: RD Users
• On LON-SVR1, in the tree pane of the Server Manager console, under RD
Gateway Manager, expand LON-SVR1 (Local), expand Policies, and
then click Connection Authorization Policies.
• In the Actions pane, click Create New Policy, and then click Wizard.
• On the Create Authorization Policies for RD Gateway page of the Create
New Authorization Policies Wizard, click Next.
• In the Type a name for the RD CAP box of the Create an RD CAP page,
type Authorized Remote Users, and then click Next.
• In the User group membership (required) area of the Select
Requirements page, click Add Group.
• In the Enter the object names to select (examples) box of the Select
Groups dialog box, type RD Users, and then click OK.
• On the Select Requirements page, click Next.
• On the Enable or Disable Device Redirection page, click Next.
• On the Set Session Timeouts page, click Next.
• On the RD CAP Settings Summary page, click Finish.
• On the Confirm Creation of Authorization Policies page, click Close.

Task 4: Create a Resource Authorization Policy.


1. On LON-SVR1, create a Resource Authorization Policy to control the
connection between the internal resources and the Remote Desktop Gateway
with the following information:
• Type a name for the RD RAP: Authorized Target Computers
• User Groups: RD Users
• Network Resources: RD Web Computers
• On LON-SVR1, in the tree pane of the Server Manager console,
under Policies, click Resource Authorization Policies.


• In the Actions pane, click Create New Policy, and then click Wizard.
• On the Create Authorization Policies for RD Gateway page of the Create
New Authorization Policies Wizard, click Next.
• In the Type a name for the RD RAP box of the Create an RD RAP page,
type Authorized Target Computers, and then click Next.
• On the Select User Groups page, click Add Group.
• In the Enter the object names to select (examples) box of the Select
Groups dialog box, type RD Users, and then click OK.
• On the Select User Groups page, click Next.
• On the Select Network Resources page, ensure that the Select an Active
Directory Domain Services network resource group option is selected,
and then click Browse.
• In the Enter the object name to select (examples) box of the Select
Group dialog box, type RD Web Computers, and then click OK.
• On the Select Network Resources page, click Next.
• On the Select Allowed TCP Ports page, click Next.
• On the RD RAP Settings Summary page, click Finish.
• On the Confirm Creation of Authorization Policies page, click Close.
• In the Server Manager console, click the Close button.

Task 5: Configure RemoteApp servers to use Remote Desktop Gateway


for RemoteApp connections.
1. On LON-DC1, set external.contoso.com as the RD Gateway server by using the
RD Gateway server settings of RemoteApp Manager.
• On the Start menu of LON-DC1, point to Administrative Tools, point to
Remote Desktop Services, and then click RemoteApp Manager.
• In the Actions pane of the RemoteApp Manager console, click RD
Gateway Settings.
• On the RD Gateway tab of the RemoteApp Deployment Settings dialog
box, click Use these RD Gateway server settings, in the Server name
box, type external.contoso.com, and then click OK.
2. On LON-SVR1, set external.contoso.com as the RD Gateway server by using
the RD Gateway server settings of RemoteApp Manager.


• On the Start menu of LON-SVR1, point to Administrative Tools, point to
Remote Desktop Services, and then click RemoteApp Manager.
• In the Actions pane of the RemoteApp Manager console, click RD
Gateway Settings.
• On the RD Gateway tab of the RemoteApp Deployment Settings dialog
box, click Use these RD Gateway server settings, in the Server name
box, type external.contoso.com, and then click OK.

Task 6: Reconfigure LON-CL1 to be on public network.


1. On the physical computer, reconfigure LON-CL1 to connect to both the
intranet and public network with the following information:
• IP Address for public network: 131.107.0.101
• Subnet mask: 255.255.255.0
• IP Address for intranet: 192.168.10.0
• Subnet mask: 255.255.255.0
• On the Start menu of LON-CL1, in the Search programs and files box,
type network, and then click Network and Sharing Center.
• In the Network and Sharing Center window, click Change adapter
settings.
• In the Network Connections window, right-click Corpnet, and then click
Disable.
• In the Network Connections window, right-click Internet, and then click
Enable.
2. Open the Command Prompt window to verify that there is access to the
external network interface of RD Gateway (IP 131.107.0.2).
• On the Start menu, click All Programs, click Accessories, and then click
Command Prompt.
• At the command prompt of the Administrator: Command Prompt, type
the following command, and then press ENTER.

ping 131.107.0.2

3. Verify that there is no access to LON-DC1 (IP 192.178.10.1).

• At the command prompt, type the following command, and then press
ENTER.

ping 192.178.10.1

• In the Administrator: Command Prompt window, click the Close button.
• In the Network Connections window, click the Close button.

Task 7: Connect to published RemoteApps by using Remote Desktop


Gateway.
1. On LON-CL1, connect to RD Web Access with the user name, contoso\ruser
and the password, Pa$$w0rd.
• On the Start menu of LON-CL1, click All Programs, and then click
Internet Explorer.
• In the Address box of the Blank Page - Windows Internet Explorer
window, type https://external.contoso.com/rdweb, and then press
ENTER.
• In the Domain\user name box of the RD Web Access – Windows Internet
Explorer window, type contoso\ruser, in the Password box, type
Pa$$w0rd, and then click Sign in.

Verify that three RemoteApp published applications (Calculator, notepad.exe and
Paint) that are available to ruser are displayed on the Enterprise Remote Access web
page.

2. Import the certificate into the Trusted Root Certification Authorities store, and
then connect ruser to the published RemoteApp program, Calculator.
• On the Enterprise Remote Access page, click Calculator.
• In the RemoteApp dialog box, click Connect.
• In the User name box of the Windows Security dialog box, type
contoso\ruser, in the Password box, type Pa$$w0rd, and then click OK.
• In the RemoteApp dialog box, click View certificate.
• On the General tab of the Certificate dialog box, click Install Certificate.
• On the Welcome to the Certificate Import Wizard page of the Certificate
Import Wizard, click Next.


• On the Certificate store page, click Place all certificates in the following
store, and then click Browse.
• In the Select Certificate Store dialog box, click Trusted Root
Certification Authorities, and then click OK.
• On the Certificate store page, click Next.
• On the Completing the Certificate Import Wizard page, click Finish.
• In the Security Warning message box, click Yes.
• In the Certificate Import Wizard message box, click OK.
• In the Certificate dialog box, click OK.
• In the RemoteApp dialog box, click Yes.
• Close the Calculator.
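Step 2 above has the user install a certificate straight from a dialog. Before anyone does that, it is worth checking from LON-CL1 what the gateway actually presents on port 443 and whether the client already trusts it; an untrusted chain or a name mismatch is a deployment defect to fix on the server or through Group Policy, not something to accept per user. The following is an added example written for this section, not a script from the 10159A course; the Test-RdGatewayTls function name and the use of port 443 are this example's assumptions.

```powershell
# Added example, not part of the 10159A lab: probe the TLS certificate that
# https://external.contoso.com presents and report chain trust and name match.
# Function name and port 443 are assumptions of this example.
$script:LastPolicyErrors = $null
$captureErrors = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    # Record the chain/name result so the caller can report it. Returning $true
    # only lets the probe finish; it is not a validation policy for real traffic.
    $script:LastPolicyErrors = $sslPolicyErrors
    return $true
}

function Test-RdGatewayTls {
    param([string]$HostName = 'external.contoso.com', [int]$Port = 443)
    $script:LastPolicyErrors = $null
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $captureErrors)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Subject Alternative Name (OID 2.5.29.17); Format() yields the readable list.
        $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $nameOk  = ($sanText -match [regex]::Escape($HostName)) -or ($cert.Subject -eq "CN=$HostName")
        New-Object PSObject -Property @{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            NameMatches  = $nameOk
            PolicyErrors = [string]$script:LastPolicyErrors   # "None" when the chain is trusted
            Trusted      = ($script:LastPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

$result = Test-RdGatewayTls
$result | Format-List
if (-not ($result.Trusted -and $result.NameMatches)) {
    Write-Warning ("Gateway certificate is not trusted or does not match the name. " +
                   "Fix the server certificate or publish the issuing CA to clients " +
                   "through Group Policy instead of installing it from a dialog.")
}
```

The result reports the thumbprint, so an administrator can compare it with the certificate enrolled in Exercise 2, Task 1, and PolicyErrors names the reason (for example RemoteCertificateChainErrors when the issuing CA is not in the client's Trusted Root store, which is the situation the lab works around by hand).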

Exercise 3: Configuring Virtual Desktop Pool


Task 1: Configure Remote Desktop Virtualization Host server.
1. On the physical host computer, open the Server Manager console to add the
Remote Desktop Services server role and the Remote Desktop Virtualization
Host role service.
• On the Start menu of the physical host computer, point to Administrative
Tools, and then click Server Manager.
• In the tree pane of the Server Manager console, click Roles.
• In the Roles Summary area of the Roles result pane, click Add Roles.
• On the Before You Begin page of the Add Roles Wizard, click Next.
• On the Select Server Roles page, under Roles, select the Remote Desktop
Services check box, and then click Next.
• On the Remote Desktop Services page, click Next.
• On the Select Role Services page, under Role services, select the Remote
Desktop Virtualization Host check box, and then click Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.


• In the Server Manager console, click the Close button.

Task 2: Configure the virtual machine for Remote Desktop services.


1. On the physical computer, connect to 10159A-LON-CL1, 10159A-LON-SVR1,
and 10159A-LON-DC1.
• On the Start menu of the physical host computer, point to Administrative
Tools, click Hyper-V Manager, and then click the physical computer
name.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-CL1, and then click
Connect.
• In the task bar, click the Hyper-V Manager icon.
• In the Name list of the Virtual Machines area, right-click 10159A-LON-
SVR1, and then click Connect.
• In the task bar, click the Hyper-V Manager icon.
• In the Name list of the Virtual Machines area, right-click 10159A-LON-
DC1, and then click Connect.
• In the task bar, click the Hyper-V Manager icon.
2. Log on to LON-CL2 with the user name, contoso\administrator, and the
password, Pa$$w0rd.
• To log on to LON-CL2, click the Ctrl-Alt-Delete button.
• In the User name box, type contoso\administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
3. On LON-CL2, add the domain group, RD Users to the local group, Remote
Desktop Users with the following information:
• Select Allow connections only from computers using Remote Desktop
with Network Level Authentication (more secure)
• Remote Desktop Users: RD Users
• On the Start menu of LON-CL2, right-click Computer, and then click
Properties.
• In the System window, click Remote settings.
• On the Remote tab of the System Properties dialog box, click Allow
connections only from computers running Remote Desktop with
Network Level Authentication (more secure), and then click Select
Users.
• In the Remote Desktop Users dialog box, click Add.
• In the Enter the object names to select (examples) box of the Select
Users or Groups dialog box, type contoso\rd users, and then click OK.
• In the Remote Desktop Users dialog box, click OK.
• In the System Properties dialog box, click OK.
4. Change the registry value of AllowRemoteRPC to 1 by using the Registry
Editor.
• On the Start menu of LON-CL2, in the Search programs and files box,
type regedit, and then click regedit.
• In the tree pane of the Registry Editor console, expand
HKEY_LOCAL_MACHINE, expand SYSTEM, and then expand
CurrentControlSet.
• In the tree pane, under CurrentControlSet, expand Control, and then
click Terminal Server.
• In the Name list of the Terminal Server result pane, double-click
AllowRemoteRPC.
• In the Value data box of the Edit DWORD (32-bit) Value dialog box,
type 1, and then click OK.
• In the Registry Editor console, click the Close button.
5. Set the firewall settings to allow the programs of Remote Service Management
through Windows Firewall.
• On the Start menu of LON-CL2, in the Search programs and files box,
type firewall, and then click Allow a program through Windows
Firewall.
• In the Allowed Programs window, in the Name list of the Allowed
programs and features area, select the Remote Service Management
check box, and then click OK.
• In the System window, click the Close button.
6. On LON-CL2, open the script file, RDS-pool, in the RDSConfig folder, replace the
computer name with the name of the physical computer, and then run the
RDS-pool file.
• On the Start menu of LON-CL2, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, double-click RDSConfig.
• In the Name list of the RDSConfig window, right-click RDS-pool, and
then click Edit.
• On the Edit menu of the RDS-pool – Notepad window, click Replace.
• In the Find what box of the Replace dialog box, type Contoso\<physical
host>, in the Replace with box, type physical computer name, and then
click Replace All.
• In the Replace dialog box, click the Close button.
• On the File menu, click Save.
• In the RDS-pool – Notepad window, click the Close button.
• In the Name list of the RDSConfig window, right-click RDS-pool, and
then click Open.
• At the command prompt of the C:\Windows\system32\cmd.exe window,
type y, and then press ENTER.
• In the RDSConfig window, click the Close button.
7. Log off from LON-CL2.
• On the Start menu, click the Forward arrow, and then click Log off.
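Steps 3 to 5 above are the guest-side settings that every pooled virtual desktop needs, and they are the ones most often left half-done when a pool is built by hand. The following is an added example written for this section, not a script from the 10159A course or the RDS-pool file it mentions: it applies the same three settings from an elevated PowerShell on the Windows 7 guest and then reports the resulting state. The Get-FirewallGroupRules and Test-VdiGuestConfig function names are this example's own, and the netsh parsing assumes English field names.

```powershell
# Added example, not part of the 10159A lab: apply the LON-CL2 guest settings from
# steps 3-5 (NLA-only Remote Desktop, RD Users membership, AllowRemoteRPC, the
# Remote Service Management firewall group) and verify them. Run elevated.
$RdUsersGroup = 'contoso\RD Users'
$TsKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey    = "$TsKey\WinStations\RDP-Tcp"
$FwGroup      = 'Remote Service Management'

# Step 3: enable Remote Desktop, require Network Level Authentication, and let the
# RD Users domain group connect. NLA authenticates the client before a logon
# session is created on the guest, so unauthenticated clients never reach winlogon.
Set-ItemProperty -Path $TsKey     -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication  -Value 1 -Type DWord
net localgroup "Remote Desktop Users" $RdUsersGroup /add 2>&1 | Out-Null   # ignore "already a member"

# Step 4: AllowRemoteRPC=1 lets the RD Connection Broker query the guest's session
# state over RPC, which the pool needs to hand out and reconnect desktops.
Set-ItemProperty -Path $TsKey -Name AllowRemoteRPC -Value 1 -Type DWord

# Step 5: same rule group the "Allowed Programs" UI toggles.
netsh advfirewall firewall set rule group="$FwGroup" new enable=yes | Out-Null

# Parse "netsh advfirewall firewall show rule" output (English field names;
# "Enabled:" precedes "Grouping:" in each rule block) into Name/Enabled objects.
function Get-FirewallGroupRules {
    param([string]$Group)
    $rules = @(); $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s+(.+)$')   { $current = @{ Name = $Matches[1].Trim() } }
        elseif ($line -match '^Enabled:\s+(\S+)') { $current.Enabled = ($Matches[1] -eq 'Yes') }
        elseif ($line -match '^Grouping:\s+(.+)$' -and $Matches[1].Trim() -eq $Group) {
            $rules += New-Object PSObject -Property @{ Name = $current.Name; Enabled = $current.Enabled }
        }
    }
    $rules
}

function Test-VdiGuestConfig {
    $ts      = Get-ItemProperty -Path $TsKey
    $rdp     = Get-ItemProperty -Path $RdpTcpKey
    $members = net localgroup "Remote Desktop Users"
    $fw      = @(Get-FirewallGroupRules -Group $FwGroup)
    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        NlaRequired          = ($rdp.UserAuthentication -eq 1)
        AllowRemoteRPC       = ($ts.AllowRemoteRPC -eq 1)
        RdUsersIsMember      = [bool]($members | Select-String -SimpleMatch $RdUsersGroup -Quiet)
        FirewallRulesEnabled = ($fw.Count -gt 0 -and -not ($fw | Where-Object { -not $_.Enabled }))
    }
}
Test-VdiGuestConfig | Format-List
```

Every property of the returned object should read True before the guest is added to the pool in Task 3; NlaRequired is the one to watch, because the lab's dialog offers a less secure option directly above the NLA one and a guest left there still works, just with a larger pre-authentication attack surface.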

Task 3: Configuring the Virtual Desktop Pool.


1. On LON-SVR1, open the Remote Desktop Connection Manager console to
configure the virtual desktop with the following information:
• Server name of RD Virtualization Host Server: physical computer
name.contoso.com
• Server name of Redirection Settings: LON-SVR1.contoso.com
• Server name of RD Web Access Server: LON-SVR1.contoso.com
• Clear the Assign personal virtual desktop checkbox
• On the Start menu of LON-SVR1, point to Administrative Tools, point to
Remote Desktop Services, and then click Remote Desktop Connection
Manager.
• In the Actions pane of the Remote Desktop Connection Manager console,
click Configure Virtual Desktops.
• On the Before You Begin page of the Configure Virtual Desktops Wizard,
click Next.
• In the Server name box of the Specify an RD Virtualization Host Server
page, type physical computer name.contoso.com (name of your physical
computer), click Add, and then click Next.
• In the Server name box of the Configure Redirection Settings page, type
LON-SVR1.contoso.com, and then click Next.
• In the Server name box of the Specify an RD Web Access Server page,
type LON-SVR1.contoso.com, and then click Next.
• On the Confirm Changes page, click Apply.
• On the Summary Information page, clear the Assign personal virtual
desktop check box, and then click Finish.
2. Create a Virtual Desktop Pool with the following information:
• Virtual Machine Name: 10159A-LON-CL2
• Display name: Contoso Virtual Desktop Pool
• Pool ID: CONTOSO_VDP
• In the Actions pane of the Remote Desktop Connection Manager console,
click Create Virtual Desktop Pool.
• On the Welcome to the Create Virtual Desktop Pool Wizard page of the
Create Virtual Desktop Pool Wizard, click Next.
• In the Virtual Machine Name list of the Select Virtual Machines page,
click 10159A-LON-CL2, and then click Next.
• In the Display Name box of the Set Pool Properties page, type Contoso
Virtual Desktop Pool, in the Pool ID box, type CONTOSO_VDP, and
then click Next.
• On the Results page, click Finish.

Task 4: Verifying the Virtual Desktop Pool functionality.

1. On LON-DC1, log on to the Remote Desktop Web page with the username,
contoso\ruser and the password, Pa$$w0rd to verify whether there is full
Remote Desktop Connection to LON-CL2.
• On the physical host computer, in the result pane of the Hyper-V Manager
console, in the Name list of the Virtual Machines area, right-click
10159A-LON-DC1, and then click Connect.
• On the Start menu of LON-DC1, click All Programs, and then click
Internet Explorer.

If the Set Up Windows Internet Explorer 8 dialog box appears, click Ask me later, close
the Internet Explorer window, and then open it again.

• In the Address bar of the Blank Page – Windows Internet Explorer
window, type http://LON-SVR1.contoso.com/RDWeb, and then press
ENTER.
• In the Security Alert message box, select the In the future, do not show
this warning check box, and then click OK.
• In the Certificate Error: Navigation Blocked - Windows Internet Explorer
window, click Continue to this web site (not recommended).
• In the Internet Explorer dialog box, click Add.
• In the Trusted sites dialog box, click Add, and then click Close.
• In the Domain\user name box of the RD Web Access - Windows Internet
Explorer window, type contoso\ruser, in the Password box, type
Pa$$w0rd, and then click Sign in.
• On the Enterprise Remote Access page, click Contoso Virtual Desktop
Pool.
• In the Remote Desktop Connection dialog box, click Connect.
• In the User name box of the Windows Security dialog box, type
contoso\ruser, in the Password box, type Pa$$w0rd, and then click OK.

You should get full Remote Desktop Connection to LON-CL2 computer.

Before proceeding to the next lab, reset the lab environment.


Deploying and Configuring Remote Access Services
Lab 5: Deploying and Configuring Remote Access Services
Exercise 1: Review Existing Infrastructure Configuration
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
3. Log on to LON-CL1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-CL1, and then click
Connect.
• To log on to LON-CL1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.

Task 2: Reviewing the group policy configuration.

1. On LON-DC1, open the Group Policy Management console and verify whether
DirectAccess has separate inbound and outbound rules that allow ICMPv4
and ICMPv6 Echo Request traffic.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Group Policy Management.
• In the tree pane of the Group Policy Management console, expand Forest:
Contoso.com, expand Domains, and then expand Contoso.com.
• In the tree pane, under Contoso.com, right-click Mod5 –
DirectAccess Settings, and then click Edit.
• In the tree pane of the Group Policy Management Editor console, under
Computer Configuration, expand Policies, expand Windows Settings,
and then expand Security Settings.
• In the tree pane, under Security Settings, expand Public Key Policies,
and then select Automatic Certificate Request Settings.
• In the Automatic Certificate Request list of the Automatic Certificate
Request Settings result pane, right-click Computer, and then click
Properties.
• In the Computer Properties dialog box, ensure that Certificate Purpose
is set as Client Authentication, Server Authentication, and then click
Cancel.
• In the tree pane of the Group Policy Management Editor console, under
Security Settings, expand Windows Firewall with Advanced Security,
expand Windows Firewall with Advanced Security, and then click
Inbound Rules.

Verify that two rules are defined that allow Inbound ICMPv4 Echo Requests and
Inbound ICMPv6 Echo Requests traffic.

• In the tree pane, under Windows Firewall with Advanced Security, click
Outbound Rules.

Verify that two rules are defined that allow Outbound ICMPv4 Echo Requests
and Outbound ICMPv6 Echo Requests traffic. These types of traffic must be allowed on
the DirectAccess server to allow remote access.
• In the Group Policy Management Editor console, click the Close button.

• In the Group Policy Management console, click the Close button.

Task 3: Verify that LON-CL1 is a member of the DirectAccess clients
group.
1. On LON-DC1, open the Active Directory Users and Computers console to
verify that LON-CL1 is a member of the DirectAccess Client group.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Active Directory Users and Computers.
• In the tree pane of the Active Directory Users and Computers console,
expand Contoso.com, and then click Remote Access.
• In the Name list of the Remote Access result pane, right-click
DirectAccess Client, and then click Properties.
• On the Members tab of the DirectAccess Clients Properties dialog box,
ensure that the LON-CL1 computer account is a member of the
DirectAccess Client group, and then click Cancel.
• In the Active Directory Users and Computers console, click the Close
button.

Task 4: Review the configuration of Certificate Services and Certificate
Templates.
1. On LON-DC1, verify the configurations of Active Directory Certificate Services
and Certificate Templates by using the Server Manager console.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Server Manager.
• In the tree pane of the Server Manager console, expand Roles, expand
Active Directory Certificate Services, and then click Certificate
Templates (LON-DC1.Contoso.com).
• In the Name list of the Certificate Templates (LON-DC1.Contoso.com)
result pane, check the availability of DirectAccess.
• In the Server Manager console, click the Close button.

Task 5: Review the network configuration.


1. On LON-SVR1, verify that there are two network adapters, Corpnet and
Internet, of which one is connected to the public network and the other is
connected to the private network. Also verify that there are two consecutive
static, public IPv4 addresses for the public adapter.
• On the Start menu of LON-SVR1, in the Search programs and files box,
type network, and then click Network and Sharing Center.
• In the Network and Sharing Center window, click Change adapter
settings.
• In the Network Connections window, ensure that the two network
connections, Corpnet and Internet, are present.
• In the Network Connections window, right-click Corpnet, and then click
Properties.
• In the This connection uses the following items list of the Corpnet
Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4),
and then click Properties.
• In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box,
ensure that the Preferred DNS server is 192.168.10.1, and then click
Cancel.
• In the Corpnet Properties dialog box, click Cancel.
• In the Network Connections window, right-click Internet, and then click
Properties.
• In the This connection uses the following items list of the Internet
Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4),
and then click Properties.
• In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box,
ensure that 131.107.0.2 is the IP address, and then click Advanced.
• In the Advanced TCP/IP Settings dialog box, ensure that the IP
addresses, 131.107.0.2 and 131.107.0.3, are listed, and then click Cancel.
• In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box,
click Cancel.
• In the Internet Properties dialog box, click Cancel.
• In the Network Connections window, click the Close button.

Exercise 2: Completing Configuration of Infrastructure Services for DirectAccess
Task 1: Configure the DNS server.
1. On LON-DC1, run the following command to remove the ISATAP name from
the DNS global query block list by resetting the list (the globalqueryblocklist
setting) so that it contains only wpad.

dnscmd /config /globalqueryblocklist wpad

• On the Start menu of LON-DC1, click All Programs, click Accessories,
and then click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

dnscmd /config /globalqueryblocklist wpad

• In the Administrator: Command Prompt window, click the Close button.
2. On LON-DC1, create a new resource record for the Forward Lookup Zone,
Domain.com, with the following information:
• Alias name: CRL
• Fully qualified domain name (FQDN) for target host: LON-
SVR1.contoso.com
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click DNS.
• In the tree pane of the DNS console, expand LON-DC1, expand Forward
Lookup Zones, right-click Domain.com, and then click New
Alias (CNAME).
• In the Alias name (uses parent domain if left blank) box of the New
Resource Record dialog box, type CRL, in the Fully qualified domain
name (FQDN) for target host box, type LON-SVR1.contoso.com, and
then click OK.
• In the DNS Manager console, click the Close button.
BETA COURSEWARE EXPIRES 2/08/2010

Task 2: Create a file share on the application server.


1. On LON-DC1, create a folder, AppData, on C: drive and set its property to
share the folder.
• On the Start menu of LON-DC1, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Local Disk (C:) window, click New Folder, type AppData, and then
press ENTER.
• In the Name list of the Local Disk (C:) window, right-click AppData, and
then click Properties.
• On the Sharing tab of the AppData Properties dialog box, click
Advanced Sharing.
• In the Advanced Sharing dialog box, select the Share this folder check
box, and then click OK.
• In the AppData Properties dialog box, click Close.
2. In the AppData folder, create a text document, Example.txt, with some text in
it.
• In the Name list of the Local Disk (C:) window, double-click AppData.
• In the AppData window, right-click anywhere, point to New, click Text
Document, type Example.txt, and then press ENTER.
• In the Name list of the AppData window, right-click Example.txt, and
then click Open.
• In the Example.txt – Notepad window, type today's date.
• On the File menu, click Save.
• On the File menu, click Exit.
• In the AppData window, click the Close button.
Task 3: Configure the CRL distribution settings.

1. On LON-DC1, in the Certification Authority console, add a CRL distribution point
location from which clients can obtain the certificate revocation list (CRL), with
the following information:
• Location: \\LON-SVR1\crldist\
• Insert variables: <CaName>, <CRLNameSuffix> and <DeltaCRLAllowed>, in that order
• After inserting the variables, append .crl to the location, so that it reads
\\LON-SVR1\crldist\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
• Select Publish CRLs to this location and Publish Delta CRL to this location
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Certification Authority.
• In the tree pane of the certsrv – [Certification Authority (Local)] console,
right-click Contoso-LON-DC1-CA, and then click Properties.
• On the Extensions tab of the Contoso-LON-DC1-CA Properties dialog
box, click Add.
• In the Location box of the Add Location dialog box, type \\LON-
SVR1\crldist\, in the Variable box, ensure that the <CaName> option is
selected, and then click Insert.
• In the Variable box, click <CRLNameSuffix>, and then click Insert.
• In the Variable box, click <DeltaCRLAllowed>, and then click Insert.
• In the Location box, type .crl at the end of the Location string, and then
click OK.
• On the Extensions tab of the Contoso-LON-DC1-CA Properties dialog
box, select the Publish CRLs to this location and Publish Delta CRL to
this location check boxes, and then click Apply.
• In the Certification Authority message box, click Yes.
• In the Contoso-LON-DC1-CA Properties dialog box, click OK.

Task 4: Create a Web-based CRL distribution point.


1. On LON-SVR1, open the Internet Information Services (IIS) Manager console
to add a virtual directory to the Default Web Site with the following
information:
• Alias: CRLD
• Physical path: C:\CRLDist
• Enable the Directory Browsing feature for the CRLD virtual directory (this lets
you verify the published files in a browser in Task 6; a production CRL
distribution point does not need directory listing)
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Internet Information Services (IIS) Manager.
• In the tree pane of the Internet Information Services (IIS) Manager
console, expand LON-SVR1 (CONTOSO\administrator), expand Sites,
right-click Default Web Site, and then click Add Virtual Directory.
• In the Alias box of the Add Virtual Directory dialog box, type CRLD, and
then click the Ellipse button next to the Physical path box.
• In the Browse For Folder dialog box, expand Local Disk (C:), click Make
New Folder, type CRLDist, press ENTER, and then click OK.
• In the Add Virtual Directory dialog box, click OK.
• In the CRLD Home result pane of the Internet Information Services (IIS)
Manager console, in the IIS area, right-click Directory Browsing, and then
click Open Feature.
• In the Actions pane, click Enable.
• In the Internet Information Services (IIS) Manager console, click the Close
button.

Task 5: Configure permissions on the CRL distribution point file share.


1. On LON-SVR1, share the CRLDist folder and grant the LON-DC1 computer account
(the account the CA uses when it writes CRLs to the share) Full Control share
permission:
• Share this folder
• Object Types: Computers
• Enter the object names to select: LON-DC1
• Permissions for CRLDist: Allow Full Control for LON-DC1
• On the Start menu of LON-SVR1, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, right-click CRLDist, and
then click Properties.
• On the Sharing tab of the CRLDist Properties dialog box, click Advanced Sharing.
• In the Advanced Sharing dialog box, select the Share this folder check
box, and then click Permissions.
• In the Permissions for CRLDist dialog box, click Add.
• In the Select Users, Computers, Service Accounts, or Groups dialog box,
click Object Types.
• In the Object Types dialog box, select the Computers check box, and
then click OK.
• In the Enter the object names to select (examples) box of the Select
Users, Computers, Service Accounts, or Groups dialog box, type LON-
DC1, and then click OK.
• In the Permissions for LON-DC1 area of the Permissions for CRLDist
dialog box, select the Allow check box against Full Control, click Apply,
and then click OK.
• In the Advanced Sharing dialog box, click OK.
2. On the Security tab, grant the LON-DC1 computer account Full Control NTFS
permission on CRLDist:
• Object Types: Computers
• Enter the object names to select: LON-DC1
• Permissions for CRLDist: Allow Full Control for LON-DC1
• On the Security tab of the CRLDist Properties dialog box, click Edit.
• In the Permissions for CRLDist dialog box, click Add.
• In the Select Users, Computers, Service Accounts, or Groups dialog box,
click Object Types.
• In the Object Types dialog box, select the Computers check box, and
then click OK.
• In the Enter the object names to select (examples) box, type LON-DC1,
and then click OK.
• In the Permissions for LON-DC1 area of the Permissions for CRLDist
dialog box, select the Allow check box against Full Control, click Apply,
and then click OK.
• In the CRLDist Properties dialog box, click Close.
• In the Local Disk (C:) window, click the Close button.

Task 6: Publish the CRL.


1. On LON-DC1, publish a new CRL, and then verify that the CRLDist share on
LON-SVR1 contains two CRL files, the base CRL Contoso-LON-DC1-CA.crl and the
delta CRL Contoso-LON-DC1-CA+.crl, and a web.config file (written by IIS when
directory browsing was enabled in Task 4).
• On LON-DC1, in the tree pane of the certsrv – [Certification Authority
(Local)] console, expand Contoso-LON-DC1-CA, right-click Revoked
Certificates, point to All Tasks, and then click Publish.
• In the Publish CRL dialog box, ensure that the New CRL is option
selected, and then click OK.
• On the Start menu, in the Search programs and files box, type \\LON-
SVR1\CRLDist, and then press ENTER.
• In the CRLDist window, verify that there are two CRL files named
Contoso-LON-DC1-CA.crl and Contoso-LON-DC1-CA+.crl and a web.config file.
• In the CRLDist window, click the Close button.
• In the certsrv – [Certification Authority (Local)] console, click the Close
button.
2. On LON-DC1, open the Internet Explorer window and verify that there is
access to the http://crl.domain.com/crld site.
• On the Start menu of LON-DC1, click All Programs, and then click
Internet Explorer.
• In the Address box of the Blank Page – Windows Internet Explorer
window, type http://crl.domain.com/crld, and then press ENTER.
• In the Windows Internet Explorer window, click the Close button.

Task 7: Verify the network access from LON-CL1.


1. On LON-CL1, verify whether there is access to the IIS7 Web page and the
share file, Example.
• On the Start menu of LON-CL1, click All Programs, and then click
Internet Explorer.
• In the Address box of the Blank Page – Windows Internet Explorer window, type http://lon-dc1, and then press ENTER.


• In the IIS7 - Windows Internet Explorer window, click the Close button.
• On the Start menu, in the Search Programs and files box, type \\lon-
dc1\appdata, and then press ENTER.
• In the Name list of the appdata window, right-click Example, and then
click Open.
• In the Example – Notepad window, click the Close button.
• In the appdata window, click the Close button.
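Tasks 1 to 7 above build and then spot-check the CRL distribution point by hand. The following PowerShell 2.0 script is an added check that is not part of the 10159A courseware; run it on LON-DC1 after Task 6 to confirm every piece at once: isatap is out of the DNS global query block list, the CA has a file:// publication URL for the share, both the base and the delta CRL exist on the share and are still current, the CA's computer account can write to the share, and both CRLs can be fetched over HTTP the way a DirectAccess client will. Host, CA, share and URL names are the lab's; the domain NetBIOS name CONTOSO is assumed from the CONTOSO\administrator account the lab uses.

```powershell
# Added check for Exercise 2 (not from the 10159A courseware). Run on LON-DC1
# in a PowerShell 2.0 console after Task 6. Names are the lab's own.
$CaName    = 'Contoso-LON-DC1-CA'
$Share     = '\\LON-SVR1\CRLDist'
$HttpBase  = 'http://crl.domain.com/crld'
$CaAccount = 'CONTOSO\LON-DC1$'   # assumed: the CA publishes CRLs as its computer account

# 1. Global query block list: isatap must be absent, wpad should still be blocked.
$gqbl = (dnscmd /info /globalqueryblocklist) -join ' '
if ($gqbl -match 'isatap')  { Write-Warning 'isatap is still in the global query block list' }
if ($gqbl -notmatch 'wpad') { Write-Warning 'wpad is no longer blocked; re-add it' }

# 2. CA publication URLs: expect a file:// entry for the share with flags 65
#    (1 = publish CRLs to this location, 64 = publish delta CRLs to this location).
certutil -getreg CA\CRLPublicationURLs | Where-Object { $_ -match 'LON-SVR1' } |
    ForEach-Object { "CA publication URL: $($_.Trim())" }

# 3. Base CRL (<CaName>.crl) and delta CRL (<CaName>+.crl) exist on the share
#    and have not passed their NextUpdate time.
foreach ($file in "$CaName.crl", "$CaName+.crl") {
    $path = Join-Path $Share $file
    if (-not (Test-Path $path)) { Write-Warning "missing $path"; continue }
    $line = (certutil -dump $path | Select-String 'NextUpdate:' | Select-Object -First 1).Line
    $next = $line -replace '^\s*NextUpdate:\s*', ''
    "$file NextUpdate: $next"
    try   { if ([datetime]$next -lt (Get-Date)) { Write-Warning "$file has expired" } }
    catch { Write-Warning "could not parse NextUpdate for $file" }
}

# 4. NTFS permissions on the share: the CA computer account needs write access
#    (the lab grants it Full Control; Modify would be enough).
$ace = (Get-Acl $Share).Access | Where-Object { $_.IdentityReference.Value -eq $CaAccount }
if ($ace) { "$CaAccount rights on $Share : $($ace.FileSystemRights)" }
else      { Write-Warning "$CaAccount has no NTFS permission on $Share" }

# 5. Fetch both CRLs over HTTP, as DirectAccess clients will, and report the size.
$web = New-Object System.Net.WebClient
foreach ($file in "$CaName.crl", "$CaName+.crl") {
    $url = "$HttpBase/$file"
    try   { "$url : $(($web.DownloadData($url)).Length) bytes" }
    catch { Write-Warning "download failed for $url : $($_.Exception.Message)" }
}
```

If only the delta CRL download fails, the usual cause is IIS 7 request filtering refusing the + in its file name (HTTP 404.11); the allowDoubleEscaping attribute of the requestFiltering configuration section controls that behaviour. A base CRL that is present but past its NextUpdate time is worse than a missing one, because clients will treat every certificate from the CA as unverifiable until a fresh CRL is published.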

Exercise 3: Completing Configuration of the DirectAccess Server and Verifying ISATAP-based Connectivity
Task 1: Obtain a computer certificate on LON-SVR1.
1. On LON-SVR1, open a new MMC console (Console1 - [Console Root]), add the
Certificates snap-in for the computer account, and then enroll a computer
certificate with the following information:
• Request Certificates: select the DirectAccess template, and then click More
information is required to enroll for this certificate. Click here to
configure settings
• Subject name type: Common Name
• Value: LON-SVR1.contoso.com
• Alternative name type: DNS
• Value: LON-SVR1.contoso.com
• Friendly name of the issued LON-SVR1.contoso.com certificate: IP-HTTPS Certificate
• On the Start menu of LON-SVR1, click Run.
• In the Open box of the Run dialog box, type mmc, and then click OK.
• On the File menu of the Console1 - [Console Root] console, click
Add/Remove Snap-in.
• In the Available snap-ins area of the Add or Remove Snap-ins dialog box,
in the Snap-in list, click Certificates, and then click Add.
• In the Certificates snap-in wizard, click Computer account, and then click
Next.
• In the Select Computer wizard, click Finish.
• In the Add or Remove Snap-ins dialog box, click OK.


• In the tree pane of the Console1 - [Console Root] console, expand
Certificates (Local Computer), expand Personal, and then click
Certificates.
• In the tree pane, under Personal, right-click Certificates, point to All
Tasks, and then click Request New Certificate.
• On the Before You Begin page of the Certificate Enrollment wizard, click
Next.
• On the Select Certificate Enrollment Policy page, click Next.
• On the Request Certificates page, click the DirectAccess check box, and
then click More information is required to enroll for this certificate.
Click here to configure settings.
• On the Subject tab of the Certificate Properties dialog box, in the Type
box of the Subject name area, click Common Name, in the Value box,
type LON-SVR1.contoso.com, and then click Add.
• In the Type box of the Alternative name area, click DNS, in the Value
box, type LON-SVR1.contoso.com, and then click Add.
• In the Certificate Properties dialog box, click Apply, and then click OK.
• On the Request Certificates page, click Enroll.
• On the Certificate Installation Results page, click Finish.
• In the Issued To list of the Certificates result pane, right-click LON-
SVR1.contoso.com, and then click Properties.
• On the General tab of the LON-SVR1.contoso.com dialog box, in the
Friendly name box, type IP-HTTPS Certificate, click Apply, and then
click OK.
• In the Console1 - [Console Root\Certificates] console, click the Close
button.
• In the Microsoft Management Console message box, click No.
Task 2: Install the DirectAccess Management Console feature.

1. On LON-SVR1, install the DirectAccess Management Console feature by using the Server Manager console.
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Server Manager.
• In the tree pane of the Server Manager console, right-click Features, and
then click Add Features.
• On the Select Features page of the Add Features Wizard, under Features,
select the DirectAccess Management Console check box.
• In the Add Features Wizard dialog box, click Add Required Features.
• On the Select Features page, click Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
• In the Server Manager console, click the Close button.

Task 3: Configure the DirectAccess feature on LON-SVR1.

1. On LON-SVR1, open the DirectAccess Management console and complete the four
setup steps with the following information:
Step 1
• Enter the object name to select: DirectAccess Client
Step 2
• Interface connected to the Internet: Internet
• Interface connected to the internal network: Corpnet
• Use intermediate certificate: Contoso-LON-DC1-CA
• Certificate that will be used to secure remote client connectivity over
HTTPS: IP-HTTPS Certificate
Step 3
• Network Location server is run on the DirectAccess server
• Certificate that will be used to secure location identification: LON-
SVR1.Contoso.com
• IPv6 address of DNS Server for the name suffix contoso.com: 2002:836b:2:1:0:5efe:192.168.10.1
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click DirectAccess Management.
• In the tree pane of the DAMgmt - [DirectAccess] console, click Setup.
• In the DirectAccess Setup result pane, under Step 1, click Configure.
• On the DirectAccess Client Setup page of the DirectAccess Setup wizard,
click Add.
• In the Enter the object name to select (examples) box of the Select
Group dialog box, type DirectAccess Client, and then click OK.
• On the DirectAccess Client Setup page, click Finish.
• In the DirectAccess Setup result pane, under Step 2, click Configure.
• On the Connectivity page of the DirectAccess Setup wizard, in the
Interface connected to the Internet box, click Internet, in the Interface
connected to the internal network box, click Corpnet, and then click
Next.
• On the Certificate Components page, under Select the root certificate to
which remote client certificates must chain, select the Use intermediate
certificate check box, and then click Browse.
• In the Windows Security dialog box, ensure that the Contoso-LON-DC1-
CA option is selected, and then click OK.
• On the Certificate Components page, under Select the certificate that
will be used to secure remote client connectivity over HTTPS, click
Browse.
• In the Windows Security dialog box, click IP-HTTPS Certificate, and
then click OK.
• On the Certificate Components page, click Finish.
• In the DirectAccess Setup result pane, under Step 3, click Configure.
• On the Location page of the DirectAccess Setup wizard, click Network
Location server is run on the DirectAccess server, click the Browse
button next to Select the certificate that will be used to secure location
identification.
• In the Windows Security dialog box, ensure that the LON-
SVR1.Contoso.com option is selected, and then click OK.
• On the Location page, click Next.

• On the DNS and Domain Controller page, ensure that the IPv6 address
of DNS Server entry for the Name Suffix, contoso.com is
2002:836b:2:1:0:5efe:192.168.10.1, and then click Next.
• On the Management page, click Finish.
• In the DirectAccess Setup result pane, under Step 4, click Configure.
• On the DirectAccess Application Server Setup page of the DirectAccess
Setup wizard, click Finish.
• In the DirectAccess Setup result pane, click Save, and then click Finish.
• In the DirectAccess Review dialog box, click Apply.
• In the DirectAccess Policy Configuration message box, click OK.
• In the DAMgmt - [DirectAccess\Setup] console, click the Close button.

Task 4: Move LON-CL1 to the Internet segment.


1. On LON-CL1, open the command prompt and run the following command to
update and view the effective policies.

gpupdate /force
netsh name show effectivepolicy

• On the Start menu of LON-CL1, click All Programs, click Accessories, and then click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following command, and then press ENTER.

gpupdate /force

• At the command prompt, type the following command, and then press
ENTER.

netsh name show effectivepolicy

2. Disable the Corpnet network connection and enable the Internet network
connection and then run the following command.

ping 131.107.0.2
• On the Start menu, in the Search programs and files box, type network, and then click Network and Sharing Center.


• In the Network and Sharing Center window, click Change adapter
settings.
• In the Network Connections window, right-click Corpnet, and then click
Disable.
• In the Network Connections window, right-click Internet, and then click
Enable.
• At the command prompt of the Administrator: Command Prompt
window, type the following command, and then press ENTER.

ping 131.107.0.2

Task 5: Update the IPv6 settings on LON-DC1 and LON-CL1.


1. On LON-DC1, run the following command to view the Windows IP
configurations.

ipconfig

• On the Start menu of LON-DC1, click All Programs, click Accessories, and then click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following command, and then press ENTER.

ipconfig

2. Run the following commands to make the IP Helper service reread its
configuration, and then verify that a Link-Local IPv6 Address with the fe80
prefix is listed in the Windows IP configuration.

sc control iphlpsvc paramchange


ipconfig

• At the command prompt, type the following command, and then press
ENTER.
sc control iphlpsvc paramchange

• At the command prompt, type the following command, and then press
ENTER.

ipconfig

• In the Administrator: Command Prompt window, click the Close button.


3. On LON-CL1, run the following command to view the Windows IP
configurations.

ipconfig

• On LON-CL1, at the command prompt of the Administrator: Command Prompt window, type the following command, and then press ENTER.

ipconfig

4. Run the following commands to make the IP Helper service reread its
configuration, and then verify in the Windows IP configuration that the
additional IPv6 address 2002:836b:2:1:0:5efe:192.168.10.1 appears.

sc control iphlpsvc paramchange


ipconfig

• At the command prompt, type the following command, and then press
ENTER.

sc control iphlpsvc paramchange

• At the command prompt, type the following command, and then press
ENTER.

ipconfig

Task 6: Test the ISATAP-based connectivity from LON-CL1.

1. On LON-CL1, run the following commands to check ISATAP-based connectivity,
and verify that lon-dc1.contoso.com resolves to the IPv6 address
2002:836b:2:1:0:5efe:192.168.10.1.

ipconfig /flushdns
netsh name show effectivepolicy
ping 2002:836b:2:1:0:5efe:192.168.10.1
ping lon-dc1.contoso.com

• At the command prompt, type the following command, and then press
ENTER.

ipconfig /flushdns

• At the command prompt, type the following command, and then press
ENTER.

netsh name show effectivepolicy

• At the command prompt, type the following command, and then press
ENTER.

ping 2002:836b:2:1:0:5efe:192.168.10.1

This is the ISATAP address of LON-DC1; expect four successful replies.

• At the command prompt, type the following command, and then press
ENTER.

ping lon-dc1.contoso.com

Verify that lon-dc1.contoso.com has been resolved to the IPv6 address
2002:836b:2:1:0:5efe:192.168.10.1 and that there are four successful replies.
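Tasks 5 and 6 ask you to look for the address 2002:836b:2:1:0:5efe:192.168.10.1 without saying where it comes from. The following PowerShell 2.0 functions are an added example, not part of the 10159A courseware: they derive that address from the lab's IPv4 values and then check, from LON-CL1, that lon-dc1.contoso.com really resolves to it. The 6to4 prefix 2002:836b:2::/48 is the DirectAccess server's public address 131.107.0.2 written in hex; the subnet ID 1 is taken from the lab's value (an assumption about how this lab's DirectAccess server numbered the ISATAP subnet); the interface ID 0:5efe:192.168.10.1 embeds LON-DC1's intranet address. The functions and their names are the example's own.

```powershell
# Added example (not from the 10159A courseware): how the lab's IPv6 value
# 2002:836b:2:1:0:5efe:192.168.10.1 is built, and a check that LON-DC1 resolves
# to it from the DirectAccess client. PowerShell 2.0 syntax (no -shl operator).

function Get-6to4Prefix([string]$PublicIPv4) {
    # 6to4 (RFC 3056): 2002:WWXX:YYZZ::/48, where WWXXYYZZ is the public IPv4 address in hex.
    $b = [System.Net.IPAddress]::Parse($PublicIPv4).GetAddressBytes()
    '2002:{0:x}:{1:x}' -f ($b[0] * 256 + $b[1]), ($b[2] * 256 + $b[3])
}

function Get-IsatapAddress([string]$PublicIPv4, [int]$SubnetId, [string]$PrivateIPv4) {
    # ISATAP (RFC 5214) interface ID: 0:5efe:w.x.y.z for a private IPv4 address
    # (200:5efe:w.x.y.z if the embedded IPv4 address were globally unique).
    # Windows prints the embedded IPv4 address in dotted form, as the lab does.
    $prefix = Get-6to4Prefix $PublicIPv4
    $b = [System.Net.IPAddress]::Parse($PrivateIPv4).GetAddressBytes()
    '{0}:{1:x}:0:5efe:{2}' -f $prefix, $SubnetId, ($b -join '.')
}

function Test-IsatapResolution([string]$HostName, [string]$ExpectedIPv6) {
    # Resolve the intranet host and compare with the expected ISATAP address
    # byte for byte (IPAddress.Equals), not as text, so notation differences do not matter.
    $expected = [System.Net.IPAddress]::Parse($ExpectedIPv6)
    $v6 = [System.Net.Dns]::GetHostAddresses($HostName) |
          Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6 }
    $hit = $v6 | Where-Object { $expected.Equals($_) }
    if ($hit) { "$HostName resolves to $ExpectedIPv6 (ISATAP address of the intranet host)" }
    else      { "$HostName resolved to: $($v6 -join ', ') ; expected $ExpectedIPv6" }
}

# 131.107.0.2 is the DirectAccess server's public address, 1 the ISATAP subnet ID
# taken from the lab's value, 192.168.10.1 LON-DC1's intranet address.
Get-6to4Prefix '131.107.0.2'                         # 2002:836b:2
Get-IsatapAddress '131.107.0.2' 1 '192.168.10.1'     # 2002:836b:2:1:0:5efe:192.168.10.1
Test-IsatapResolution 'lon-dc1.contoso.com' (Get-IsatapAddress '131.107.0.2' 1 '192.168.10.1')
```

Run the last line on LON-CL1 after the Internet connection is enabled; if the name resolves only to an IPv4 address, the client is not applying the NRPT rule shown by netsh name show effectivepolicy and is still using the Internet DNS path rather than the DirectAccess server.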

Task 7: Test the access to intranet resources from LON-CL1.


1. On LON-CL1, verify that there is access to the IIS7 Web and the share file,
Example.txt.
• On the Start menu of LON-CL1, click Internet Explorer.
• In the Address box of the Blank Page - Windows Internet Explorer
window, type http://lon-dc1, and then press ENTER.
Leave the Internet Explorer window open.

• On the Start menu, in the Search programs and files box, type \\LON-
DC1\AppData, and then press ENTER.
• In the Name list of the AppData window, double-click Example.txt.

View the contents of the Example.txt file.

• In the Example - Notepad window, click the Close button.


• In the AppData window, click the Close button.
• In the IIS7 - Windows Internet Explorer window, click the Close button.
2. On LON-DC1, edit the Default Domain Policy to add a Group Policy Preferences
shortcut (User Configuration, Preferences, Windows Settings, Shortcuts) with the
following information:
• Action: Create
• Name: ApplicationData
• Target path: \\LON-DC1\AppData
• Location: All Users Desktop
• On LON-DC1, open the Group Policy Management console; in the tree pane, under
Contoso.com, right-click Default Domain Policy, and then click Edit.
• In the tree pane of the Group Policy Management Editor console, under
User Configuration, expand Preferences, expand Windows Settings,
and then click Shortcuts.
• In the tree pane, under Windows Settings, right-click Shortcuts, point to
New, and then click Shortcut.
• On the General tab of the New Shortcut Properties dialog box, in the
Action box, click Create, and then in the Name box, type
ApplicationData.
• In the Target path box, type \\LON-DC1\AppData, and then click OK.
• In the Location box, click All Users Desktop, click Apply, and then click
OK.
• In the Group Policy Management Editor console, click the Close button.
• In the Group Policy Management console, click the Close button.

3. On LON-CL1, run the following command to update the user policy.

gpupdate /force

• On LON-CL1, at the command prompt of the Administrator: Command Prompt window, type the following command, and then press ENTER.

gpupdate /force

• In the Administrator: Command Prompt window, click the Close button.


• In the Network Connections window, click the Close button.
4. Log off from LON-CL1, and then log on again with the user name
contoso\administrator and the password Pa$$w0rd.
• On LON-CL1, click the Forward arrow, and then click Log off.
• In the User name box, type Contoso\Administrator, in the Password box, type
Pa$$w0rd, and then click the Forward button.

Before proceeding to the next exercise, reset the lab environment.

Exercise 4: Implementing VPN Reconnect

Task 1: Request the computer certificate for the VPN server.

1. On LON-CL1, disable the Corpnet network connection and enable the Internet
network connection by using the Network and Sharing Center.
• On the Start menu of LON-CL1, in the Search programs and files box,
type network, and then click Network and Sharing Center.
• In the Network and Sharing window, click Change adapter settings.
• In the Network Connections window, right-click Corpnet, and then click
Disable.
• In the Network Connections window, right-click Internet, and then click Enable.
• In the Network Connections window, click the Close button.
2. On LON-DC1, in the shared folder C:\Share, create a text document, VPNTest,
with some text in it.
• On the Start menu of LON-DC1, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, double-click Share.
• In the Share window, right-click anywhere, point to New, click Text
Document, type VPNTest, and then press ENTER.
• In the Name list of the Share window, double-click VPNTest.txt.
• In the VPNTest.txt –Notepad window, type today’s date.
• On the File menu, click Save.
• On the File menu, click Exit.
• In the Share window, click the Close button.
3. On LON-SVR1, open the Console1 - [Console Root] console to add and enroll
a computer certificate with the following information:
• Request Certificates: VPN Reconnect and More information is
required to enroll for this certificate. Click here to configure
settings
• Subject name type: Common Name
• Value: vpn.contoso.com
• Alternative name type: DNS
• Value: vpn.contoso.com
• On the Start menu of LON-SVR1, click Run.
• In the Open box of the Run dialog box, type mmc, and then click OK.
• On the File menu of the Console1 – [Console Root] console, click
Add/Remove Snap-in.
• In the Available snap-ins list of the Add or Remove Snap-ins dialog box,
click Certificates, and then click Add.
• In the Certificates snap-in wizard, click Computer account, and then click Next.
• In the Select Computer wizard, click Finish.
• In the Add or Remove Snap-ins dialog box, click OK.
• In the tree pane of the Console1 – [Console Root] console, expand
Certificates (Local Computer), expand Personal, and then click
Certificates.
• In the tree pane, under Personal, right-click Certificates, point to All
Tasks, and then click Request New Certificate.
• On the Before You Begin page of the Certificate Enrollment wizard, click
Next.
• On the Select Certificate Enrollment Policy page, click Next.
• On the Request Certificates page, select the VPN Reconnect check box,
and then click More information is required to enroll for this
certificate. Click here to configure settings.
• On the Subject tab of the Certificate Properties dialog box, in the Type
box of the Subject name area, click Common Name, in the Value box,
type vpn.contoso.com, and then click Add.
• In the Type box of the Alternative name area, click DNS, in the Value
box, type vpn.contoso.com, click Add, click Apply, and then click OK.
• On the Request Certificates page, click Enroll.
• On the Certificate Installation Results page, click Finish.
4. Verify that a new certificate with the name vpn.contoso.com is enrolled with
Intended Purposes of Server Authentication and IP security IKE intermediate.
• In the Certificates result pane of the Console1 – [Console
Root\Certificates] console, in the Issued To list, right-click
vpn.contoso.com, and then click Properties.
• In the vpn.contoso.com Properties dialog box, click Cancel.
• In the Console1 – [Console Root\Certificates] console, click the Close
button.
• In the Microsoft Management Console message box, click No.
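Step 4 above checks the certificate's intended purposes by eye in the MMC. The following PowerShell 2.0 script is an added check that is not part of the 10159A courseware: run on LON-SVR1, it finds the machine certificates whose subject names vpn.contoso.com and reports whether each carries both enhanced key usages the lab expects (Server Authentication, OID 1.3.6.1.5.5.7.3.1, and IP security IKE intermediate, OID 1.3.6.1.5.5.8.2.2), lists the dialed name in its Subject Alternative Name, still has its private key in the machine store, and is unexpired. The name vpn.contoso.com is the lab's; the OIDs are the standard ones; the function name is the example's own.

```powershell
# Added check for Exercise 4, Task 1 (not from the 10159A courseware).
# Run on LON-SVR1 in PowerShell 2.0 after enrolling the VPN Reconnect certificate.
$OidServerAuth  = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$OidIkeIntermed = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate
$VpnName        = 'vpn.contoso.com'     # the Internet address the client dials

function Test-IkeV2ServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$DialedName
    )
    $ekus = @()
    $sanText = ''
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
        # 2.5.29.17 is the Subject Alternative Name extension; Format() yields "DNS Name=..."
        if ($ext.Oid.Value -eq '2.5.29.17') { $sanText = $ext.Format($false) }
    }

    $problems = @()
    if ($ekus -notcontains $OidServerAuth)  { $problems += 'no Server Authentication EKU' }
    if ($ekus -notcontains $OidIkeIntermed) { $problems += 'no IP security IKE intermediate EKU' }
    if ($sanText -notmatch ('DNS Name=' + [regex]::Escape($DialedName))) {
        $problems += "SAN does not contain DNS Name=$DialedName"
    }
    if (-not $Cert.HasPrivateKey)      { $problems += 'private key not present in the machine store' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'certificate has expired' }

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Check every machine certificate whose subject names the VPN host. The IP-HTTPS
# certificate from Exercise 3 has a different subject and is skipped.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape($VpnName) } |
    ForEach-Object { Test-IkeV2ServerCertificate -Cert $_ -DialedName $VpnName } |
    Format-List Subject, Thumbprint, NotAfter, Usable, Problems
```

A certificate that fails any of these checks produces an IKEv2 policy-match error on the client rather than a clear certificate message, so running this on the server before configuring Routing and Remote Access in Task 2 saves a round of guesswork later.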
Task 2: Configure Routing and Remote Access.

1. On LON-SVR1, open the Routing and Remote Access console, and then configure
and enable Routing and Remote Access with the following information:
• Configuration: Remote access (dial-up or VPN)
• Remote Access: VPN
• Name of the network interface: Internet
• Clear Enable security on the selected interface by setting up static
packet filters (the lab clears this option; on a production VPN server leave
it selected, because the static filters restrict the public interface to
VPN traffic only)
• IP Address Assignment: From a specified range of addresses
• Start IP address: 192.168.10.200
• End IP address: 192.168.10.210
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Routing and Remote Access.
• In the tree pane of the Routing and Remote Access console, right-click
LON-SVR1 (local), and then click Configure and Enable Routing and
Remote Access.
• On the Welcome to the Routing and Remote Access Server Setup
Wizard page of the Routing and Remote Access Server Setup Wizard, click
Next.
• On the Configuration page, ensure that the Remote access (dial-up or
VPN) option is selected, and then click Next.
• On the Remote Access page, select the VPN check box, and then click
Next.
• On the VPN Connection page, under Network interfaces, in the Name
list, click Internet, clear the Enable security on the selected interface by
setting up static packet filters check box, and then click Next.
• On the IP Address Assignment page, click From a specified range of
addresses, and then click Next.
• On the Address Range Assignment page, click New.
• In the New IPv4 Address Range dialog box, in the Start IP address box,
type 192.168.10.200, in the End IP address box, type 192.168.10.210,
and then click OK.
• On the Address Range Assignment page, click Next.
• On the Managing Multiple Remote Access Servers page, click Next.
• On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.
• In the Routing and Remote Access message box, click OK.
• In the Routing and Remote Access message box, click OK.

Task 3: Configure the Network Policy Server (NPS) to grant access for
EAP-MSCHAPv2 authentication.
1. On LON-SVR1, launch NPS from the Routing and Remote Access console, and then
configure the network policy Connections to Microsoft Routing and Remote
Access server with the following information:
• Access Permission: Grant access. Grant access if the connection
request matches this policy
• Constraints: Authentication Methods
• EAP Types list: remove Microsoft: Smart Card or other certificate, leaving
Microsoft: Secured password (EAP-MSCHAP v2)
• In the tree pane of the Routing and Remote Access console, under LON-
SVR1 (local), click and right-click Remote Access Logging & Policies,
and then click Refresh.
• In the tree pane, under LON-SVR1 (local), right-click Remote Access
Logging & Policies, and then click Launch NPS.
• In the result pane of the Network Policy Server console, in the Network
Access Policies area, click Network Access Policies.
• In the Policy Name list of the Network Policies result pane, right-click
Connections to Microsoft Routing and Remote Access server, and then
click Properties.
• On the Overview tab of the Connections to Microsoft Routing and
Remote Access server Properties dialog box, in the Access Permission
area, click Grant access. Grant access if the connection request matches
this policy.
• In the Constraints list of the Constraints tab, click Authentication
Methods, in the EAP Types list, click Microsoft: Smart Card or other
certificate, and then click Remove.
• In the Connections to Microsoft Routing and Remote Access server
Properties dialog box, click OK.
• In the Network Policy Server console, click the Close button.
• In the Routing and Remote Access console, click the Close button.

Task 4: Configure and establish the VPN connection.


1. On LON-CL1, open the control panel and set up a new connection or network
to configure the VPN connection with the following information:
• Choose a connection option: Connect to a workplace
• How do you want to connect?: Use my Internet connection (VPN)
• Do you want to set up an Internet connection before continuing?: I'll
set up an Internet connection later
• Internet address: vpn.contoso.com
• Destination name: VPN Reconnect Connection
• User name: ruser
• Password: Pa$$w0rd
• Remember this password
• Domain (optional): CONTOSO
• On the Start menu of LON-CL1, click Control Panel.
• In Control Panel, click Network and Sharing Center.
• In the Network and Sharing Center window, click Set up a new
connection or network.
• On the Choose a connection option page of the Set Up a Connection or
Network wizard, click Connect to a workplace, and then click Next.
• On the How do you want to connect? page, click Use my Internet
connection (VPN).
• On the Do you want to set up an Internet connection before
continuing? page, click I'll set up an Internet connection later.
• In the Internet address box of the Type the Internet address to connect
to page, type vpn.contoso.com, in the Destination name box, type VPN
Reconnect Connection, and then click Next.
• In the User name box of the Type your user name and password page,
type ruser, in the Password box, type Pa$$w0rd, select the Remember
this password check box, and then in the Domain (optional) box, type
CONTOSO.
• On the Type your user name and password page, click Create.
• On the The connection ready to use page, click Close.
2. Set the VPN reconnect connection type property to IKEv2 and then connect it
to establish the VPN connection.
• In the Network and Sharing Center window, click Change adapter
settings.
• In the Network Connections window, right-click VPN Reconnect
Connection, and then click Properties.
• On the Security tab of the VPN Reconnect Connection Properties dialog
box, in the Type of VPN box, click IKEv2, and then click OK.
• In the Network Connections window, right-click VPN Reconnect
Connection, and then click Connect.
• In the Connect VPN Reconnect Connection dialog box, click Connect.
3. Verify whether there is access to the share file, VPNTest.
• On the Start menu, click All Programs, click Accessories, and then click
Run.
• In the Open box of the Run dialog box, type \\LON-
DC1.contoso.com\Share, and then click OK.
• In the Name list of the Share window, right-click VPNTest, and then click
Open.
• In the VPNTest – NotePad window, click the Close button.
• In the Share window, click the Close button.
4. Open the command prompt and run the following command to confirm that
LON-CL1 has network connectivity.

ping vpn.contoso.com

• On the Start menu, click All Programs, click Accessories, and then click
Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

ping vpn.contoso.com

Task 5: Simulate the connection persistence.

1. On the physical computer, disconnect the network adapter of LON-CL1.
• On the physical computer, in the result pane of the Hyper-V Manager
console, in the Name list of the Virtual Machines area, right-click
10159A-LON-CL1, and then click Settings.
• In the Settings for 10159A-LON-CL1 dialog box, click Network Adapter,
in the Network box, click Not connected, and then click OK.
• In the Settings for 10159A-LON-CL1 dialog box, click Network Adapter
DA-Internet, in the Network box, click Not connected, and then click
OK.
2. On LON-CL1, verify the VPN Reconnect Connection Status and check that
there is no access to network share on LON-DC1.
• On the Start menu of LON-CL1, in the Search programs and files box,
type \\lon-dc1.contoso.com\share, and then press ENTER.
• In the Network Error message box, click Cancel.
3. Run the following command to verify that there is no network connectivity
and the status of the VPN connection is connected.

ping vpn.contoso.com

• At the command prompt of the Administrator: Command Prompt
window, type the following command, and then press ENTER.

ping vpn.contoso.com

4. On the physical computer, reconnect the network adapter of LON-CL1.


• On the physical computer, in the result pane of the Hyper-V Manager
console, in the Name list of the Virtual Machines area, right-click
10159A-LON-CL1, and then click Settings.
• In the Settings for 10159A-LON-CL1 dialog box, click the second
Network Adapter, in the Network box, click DA-Internet, and then click
OK.
5. On LON-CL1, verify the VPN Reconnect Connection Status and check that
there is access to network share on LON-DC1.
• On the Start menu of LON-CL1, in the Search programs and files box,
type \\lon-dc1.contoso.com\share, and then press ENTER.
• In the share window, click the Close button.
6. Run the following command to verify that there is network connectivity.

ping vpn.contoso.com

• At the command prompt of the Administrator: Command Prompt
window, type the following command, and then press ENTER.

ping vpn.contoso.com

• In the Administrator: Command Prompt window, click the Close button.
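
The persistence check in Task 5 can also be logged continuously instead of repeated by hand. The following PowerShell script is an added example and is not part of the course lab; it uses the connection name, VPN server name and share path from the lab, and assumes that rasdial.exe with no arguments lists the active RAS connections by name.

```powershell
# Added example, not part of the course lab: log the VPN Reconnect state,
# reachability of the VPN server, and access to the lab share every few
# seconds while the LON-CL1 network adapter is disconnected and reconnected
# in Hyper-V Manager (Task 5). Names below are the ones the lab uses.
$ConnectionName = 'VPN Reconnect Connection'
$VpnServer      = 'vpn.contoso.com'
$SharePath      = '\\LON-DC1.contoso.com\Share'

function Test-VpnReconnectState {
    # rasdial.exe with no arguments lists the connections RAS considers active
    # (assumption about its output format). An IKEv2 (VPN Reconnect) entry stays
    # listed through a short outage, which is the persistence the lab shows.
    $rasOutput = (& rasdial.exe 2>&1) | Out-String
    $vpnListed = $rasOutput -match [regex]::Escape($ConnectionName)

    # ICMP to the VPN server shows whether the underlying network path is up.
    $serverPing = Test-Connection -ComputerName $VpnServer -Count 1 -Quiet `
                                  -ErrorAction SilentlyContinue

    # The share is only reachable while the tunnel is actually passing traffic.
    $shareOk = Test-Path -Path $SharePath -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        Time           = Get-Date -Format 'HH:mm:ss'
        VpnListed      = [bool]$vpnListed
        ServerPing     = [bool]$serverPing
        ShareReachable = [bool]$shareOk
    }
}

function Watch-VpnReconnect {
    param([int]$Samples = 24, [int]$IntervalSeconds = 5)
    # One row per sample. Expected pattern during the lab: VpnListed stays
    # True throughout, ServerPing and ShareReachable go False while the
    # adapter is disconnected and return to True after it is reconnected.
    1..$Samples | ForEach-Object {
        Test-VpnReconnectState |
            Select-Object Time, VpnListed, ServerPing, ShareReachable
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Two minutes of samples; disconnect and reconnect the adapter in Hyper-V
# Manager during this window and watch the three columns diverge.
Watch-VpnReconnect | Format-Table
```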

Before proceeding to the next lab, reset the lab environment.


Configuring Windows Server 2008 R2 Features for Branch Offices L6-1

Lab 6: Configuring Windows Server 2008 R2 Features for Branch
Offices
Exercise 1: Configuring BranchCache in Distributed Cache
Mode
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
3. Log on to LON-CL1 with the user name Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-CL1, and then click
Connect.
• To log on LON-CL1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
4. Log on to LON-CL2 with the user name Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-CL2, and then click
Connect.
• To log on LON-CL2, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.

Task 2: Configuring a file server to use BranchCache.


1. On LON-DC1, configure the file service, BranchCache for network files by
using the Server Manager console.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Server Manager.
• In the tree pane of the Server Manager console, expand Roles, right-click
File Services, and then click Add Role Services.
• On the Select Role Services page of the Add Roles Wizard, under Role
Services, select the BranchCache for network files check box, and then
click Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
• In the Server Manager console, click the Close button.
2. Enable the Hash Publication for BranchCache property and Allow hash
publication only for shared folders on which BranchCache is enabled property
of Lanman Server by using the Local Group Policy Editor console.
• On the Start menu, in the Search programs and files box, type
gpedit.msc, and then press ENTER.
• In the tree pane of the Local Group Policy Editor console, under
Computer Configuration, expand Administrative Templates, expand
Network, and then click Lanman Server.
• In the Setting list of the Lanman Server result pane, right-click Hash
Publication for BranchCache, and then click Edit.

• In the Hash Publication for BranchCache dialog box, click Enabled, in
the Hash publication actions box, click Allow hash publication only for
shared folders on which BranchCache is enabled, and then click OK.

Task 3: Simulate slow link to the branch office.


1. Create a QoS policy by using the Local Group Policy Editor console with the
following information :
• Policy name: Limit to 100 KBps
• Outbound Throttle Rate: 100 KBps
• In the tree pane of the Local Group Policy Editor console, under
Computer Configuration, expand Windows Settings, right-click Policy-
based QoS, and then click Create new policy.
• On the Create a QoS policy page of the Policy-based QoS wizard, Policy
name box, type Limit to 100 KBps, select the Specify Outbound Throttle
Rate check box, type 100, and then click Next.
• On the This QoS policy applies to page, click Next.
• On the Specify the source and destination IP addresses page, click Next.
• On the Specify the protocol and port numbers page, click Finish.
• In the tree pane of the Local Group Policy Editor console, click the Close
button.

Task 4: Create a BranchCache enabled file share.


1. On LON-DC1, set the following share properties to create a BranchCache
enabled file share:
• Advanced Sharing: Caching
• Offline Settings: Enable BranchCache
• On the Start menu of LON-DC1, click Computer.
• In the Computer window, double-click Local disk (C:).
• In the Name list of the Local disk (C:) window, right-click Share, and then
click Properties.
• On the Sharing tab of the Share Properties dialog box, click Advanced
Sharing.
• In the Settings area of the Advanced Sharing dialog box, click Caching.
• In the Offline Settings dialog box, select the Enable BranchCache check
box, and then click OK.
• In the Advanced Sharing dialog box, click OK.
• In the Share Properties dialog box, click Close.
• In the Local disk (C:) window, click the Close button.

Task 5: Configure clients to use BranchCache in distributed cache mode.
1. On LON-DC1, create a new GPO, Mod 6 – BranchCache and edit the following
BranchCache setting of the Mod 6 – BranchCache node:
• Turn on BranchCache: Enabled
• Set BranchCache Distributed Cache mode: Enabled
• Configure BranchCache for network files: Enabled
• Network latency value in milliseconds: 0
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Group Policy Management.
• In the tree pane of the Group Policy Management console, expand Forest:
Contoso.com, expand Domains, right-click Contoso.com, and then click
Create a GPO in this domain, and link it here.
• In the Name box of the New GPO dialog box, type Mod 6 –
BranchCache, and then click OK.
• In the tree pane of the Group Policy Management console, under
Domains, expand Contoso.com, right-click Mod 6 – BranchCache, and
then click Edit.
• In the tree pane of the Group Policy Management Editor console, under
Computer Configuration, expand Policies, expand Administrative
Templates: Policy definitions (ADMX files) retrieved from the local
machine, expand Network, and then click BranchCache.
• In the Setting list of the BranchCache result pane, right-click Turn on
BranchCache, and then click Edit.
• In the Turn on BranchCache dialog box, click Enabled, and then click
OK.
• In the Setting list of the BranchCache result pane, right-click Set
BranchCache Distributed Cache mode, and then click Edit.
• In the Set BranchCache Distributed Cache mode dialog box, click
Enabled, and then click OK.
• In the Setting list of the BranchCache result pane, right-click Configure
BranchCache for network files, and then click Edit.
• In the Configure BranchCache for network files dialog box, click
Enabled, in the Enter the round trip network latency value in
milliseconds above which network files must be cached in the branch
office box, type 0, and then click OK.

Task 6: Configure client firewall rules for BranchCache.


1. Create the Windows firewall inbound rules, BranchCache – Content Retrieval
(Uses HTTP) and BranchCache – Peer Discovery (Uses WSD) for
BranchCache.
• On LON-DC1, in the tree pane of the Group Policy Management Editor
console, under Policies, expand Windows Settings, expand Security
Settings, and then expand Windows Firewall with Advanced Security.
• In the tree pane, under Windows Firewall with Advanced Security,
expand Windows Firewall with Advanced Security, and then click
Inbound Rules.
• On the Action menu of the Group Policy Management Editor console,
click New Rule.
• On the Rule Type page of the New Inbound Rule Wizard, click
Predefined, click BranchCache – Content Retrieval (Uses HTTP), and
then click Next.
• On the Predefined Rules page, click Next.
• On the Action page, click Finish to create the firewall inbound rule.
• On the Action menu of the Group Policy Management Editor console,
click New Rule.
• On the Rule Type page of the New Inbound Rule Wizard, click
Predefined, click BranchCache – Peer Discovery (Uses WSD), and then
click Next.
• On the Predefined Rules page, click Next.
• On the Action page, click Finish.
• In the Group Policy Management Editor console, click the Close button.
• In the Group Policy Management console, click the Close button.

Task 7: Apply BranchCache settings to the clients.


1. On LON-CL1, open the command prompt and run the following code to apply
all the group policy settings, including the BranchCache settings.

gpupdate /force

• On the Start menu of LON-CL1, click All Programs, click Accessories,
and then click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

gpupdate /force

2. Run the following code to verify that BranchCache is running in the
Distributed Caching service mode and all the required Network settings are
configured.

netsh branchcache show status all

• At the command prompt, type the following code, and then press ENTER.

netsh branchcache show status all

3. Open the Performance Monitor console and add the following performance
counters:
• Discovery: Attempted discoveries
• Discovery: Successful Discoveries
• SMB: Bytes from Cache
• SMB: Bytes from server
• On the Start menu, in the Search programs and files box, type
Performance, and then press ENTER.
• In the tree pane of the Performance Monitor console, under Monitoring
Tools, click Performance Monitor.
• In the Performance Monitor result pane, click the Delete (Delete Key)
icon.
• In the Performance Monitor result pane, click the Add (Ctrl+N) icon.
• In the Select counters from computer box of the Add Counters dialog
box, expand BranchCache, select Discovery: Attempted discoveries,
Discovery: Successful Discoveries, SMB: Bytes from Cache, and SMB:
Bytes from server, and then click Add.
• In the Add Counters dialog box, click OK.
4. On LON-CL2, open the command prompt and run the following code to apply
all the group policy settings, including the BranchCache settings.

gpupdate /force

• On the Start menu of LON-CL2, click All Programs, click Accessories,
and then click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

gpupdate /force

5. Run the following code to verify that BranchCache is running in the
Distributed Caching service mode and all the required Network settings are
configured.

netsh branchcache show status all

• At the command prompt, type the following code, and then press ENTER.

netsh branchcache show status all

6. Open the Performance Monitor console and add the following performance
counters:
• Discovery: Attempted discoveries
• Discovery: Successful Discoveries
• SMB: Bytes from Cache
• SMB: Bytes from server
• On the Start menu, in the Search programs and files box, type
Performance, and then press ENTER.
• In the tree pane of the Performance Monitor console, under Monitoring
Tools, click Performance Monitor.
• In the Performance Monitor result pane, click the Delete (Delete Key)
icon.
• In the Performance Monitor result pane, click the Add (Ctrl+N) icon.
• In the Select counters from computer box of the Add Counters dialog
box, expand BranchCache, select Discovery: Attempted discoveries,
Discovery: Successful Discoveries, SMB: Bytes from Cache, and SMB:
Bytes from server, and then click Add.
• In the Add Counters dialog box, click OK.

Task 8: Test BranchCache in Distributed Caching mode.


1. On LON-CL1, move the edb00002 file from \\LON-DC1.contoso.com\Share
to the desktop and verify whether the computer attempted discovery is
running successfully in the Performance Monitor console.
• On the Start menu of LON-CL1, in the Search programs and files box,
type \\LON-DC1.contoso.com\Share, and then press ENTER.
• In the Name list of the Share window, right-click edb00002, and then
click Copy.
• In the Share window, click the Minimize button.
• In the Performance Monitor console, click the Minimize button.
• In the Administrator: Command Prompt window, click the Minimize
button.
• On the Desktop, right-click anywhere, and then click Paste.

While copying the file, view the Performance Monitor graph. Notice that the attempted
discovery does not succeed, because you are copying the file to the branch office for the
first time. Also make a note of how long it takes to copy the file to LON-CL1.

2. Run the following code to check the current size of the Local Cache.

netsh branchcache show status all


• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

netsh branchcache show status all

3. On LON-CL2, move the edb00002 file from \\LON-DC1.contoso.com\Share
to the desktop and verify whether the computer attempted discovery is
running successfully in the Performance Monitor console.
• On the Start menu of LON-CL2, in the Search programs and files box,
type \\LON-DC1.contoso.com\Share, and then press ENTER.
• In the Name list of the Share window, right-click edb00002, and then
click Copy.
• In the Share window, click the Minimize button.
• In the Performance Monitor console, click the Minimize button.
• In the Administrator: Command Prompt window, click the Minimize
button.
• On the Desktop, right-click anywhere, and then click Paste.

While copying the file, view the Performance Monitor graph. Notice that the attempted
discovery succeeds and the file is copied much faster. Also view the SMB: Bytes from cache
counter to confirm that the file was copied from the BranchCache cache.

4. Run the following code to verify that Local Cache has Active Current Cache
Size greater than 0.

netsh branchcache show status all

• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

netsh branchcache show status all

• In the Performance Monitor console, click the Close button.
• In the Administrator: Command Prompt window, click the Close button.
• In the Share window, click the Close button.
• On LON-CL1, in the Performance Monitor console, click the Close button.
• In the Administrator: Command Prompt window, click the Close button.
• In the Share window, click the Close button.

Exercise 2: Configuring BranchCache in Hosted Cache Mode
Task 1: Configure clients to use BranchCache in hosted cache mode.
1. On LON-DC1, edit the following BranchCache setting of the Mod 6 –
BranchCache node:
• Set BranchCache Distributed Cache mode: Not Configured
• Set BranchCache Hosted Cache mode: Enabled
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Group Policy Management.
• In the tree pane of the Group Policy Management console, expand Forest:
Contoso.com, expand Domains, and then expand Contoso.com.
• In the tree pane, under Contoso.com, right-click Mod 6 – BranchCache,
and then click Edit.
• In the tree pane of the Group Policy Management Editor console, under
Computer Configuration, expand Policies, expand Administrative
Templates: Policy definitions (ADMX files) retrieved from the local
machine, expand Network, and then click BranchCache.
• In the Setting list of the BranchCache result pane, right-click Set
BranchCache Distributed Cache mode, and then click Edit.
• In the Set BranchCache Distributed Cache mode dialog box, click Not
Configured, and then click OK.
• In the Setting list of the BranchCache result pane, right-click Set
BranchCache Hosted Cache mode, and then click Edit.
• In the Set BranchCache Hosted Cache mode dialog box, click Enabled,
in the Enter the location of hosted Cache box, type
LON-SVR1.contoso.com, and then click OK.
• In the Group Policy Management Editor console, click the Close button.
• In the Group Policy Management console, click the Close button.
2. On LON-CL1, open the command prompt and run the following code to
update all the group policy settings.

gpupdate /force

• On the Start menu of LON-CL1, click All Programs, click Accessories,
and then click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

gpupdate /force

3. Run the following code to verify that Hosted Cache client mode is active
and that Hosted Cache Location is configured as LON-SVR1.contoso.com.

netsh branchcache show status all

• At the command prompt, type the following code, and then press ENTER.

netsh branchcache show status all

4. On LON-CL2, open the command prompt and run the following code to
update all the group policy settings.

gpupdate /force

• On the Start menu of LON-CL2, click All Programs, click Accessories,
and then click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.

gpupdate /force

5. Run the following code to verify the status of the BranchCache settings.

netsh branchcache show status all

• At the command prompt, type the following code, and then press ENTER.

netsh branchcache show status all

Task 2: Install the BranchCache feature.


1. On LON-SVR1, edit the Default Web Site to remove https from the Site
Bindings list by using the Internet Information Services (IIS) Manager console.
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Internet Information Services (IIS) Manager.
• In the Connections pane of the Internet Information Services (IIS)
Manager console, expand LON-SVR1 (CONTOSO\administrator),
expand Sites, and then click Default Web Site.
• In the Actions pane, under Edit Site, click Bindings.
• In the Type list of the Site Bindings dialog box, click https, click Remove.
• In the Site Bindings message box, click Yes.
• In the Site Bindings dialog box, click Close.
• In the Internet Information Services (IIS) Manager console, click the Close
button.
2. Configure the BranchCache feature by using the Server Manager console.
• On the Start menu, point to Administrative Tools, and then click Server
Manager.
• In the tree pane of the Server Manager console, right-click Features, and
then click Add Features.
• On the Select Features page of the Add Features Wizard, under Features,
select the BranchCache check box, and then click Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
• In the Server Manager console, click the Close button.
Task 3: Request the certificate, link it to BranchCache and start Hosted
Server.
1. On LON-SVR1, open the Console1 – [Console Root] console to add the
certificates snap-in to manage the computer account.
• On the Start menu of LON-SVR1, click Run.
• In the Open box of the Run dialog box, type mmc, and then click OK.
• On the File menu of the Console1 – [Console Root] console, click
Add/Remove Snap-ins.
• In the Available snap-ins area of the Add or Remove Snap-ins dialog box,
click Certificates, and then click Add.
• In the This snap-in will always manage certificates for page of the
Certificates snap-in wizard, click Computer account, and then click Next.
• On the Select the computer you want this snap-in to manage page, click
Finish.
• In the Add or Remove Snap-ins dialog box, click OK.
2. Request a certificate, Computer, from the Active Directory Enrollment
Policy list, and then enroll it.
• In the tree pane of the Console1 – [Console Root] console, expand
Certificates (Local Computer), expand Personal, right-click Certificates,
point to All Tasks, and then click Request New Certificate.
• On the Before You Begin page of the Certificate Enrollment wizard, click
Next.
• On the Select Certificate Enrollment Policy page, click Next.
• On the Request Certificates page, select the Computer check box, and
then click Enroll.
• On the Certificate Installation Results page, click Finish.
3. Replace the thumbprint value in the link-cert – Notepad with the thumbprint
values of the LON-SVR1.Contoso.com certificate.
• In the tree pane of the Console1 – [Console Root] console, under
Personal, click Certificates.
• In the Issued To list of the Certificates result pane, right-click
LON-SVR1.Contoso.com (second one), and then click Open.
• On the Details tab of the Certificate dialog box, in the Field list, click
Thumbprint, select thumbprint values in the details section and copy
them to the Clipboard by pressing CTRL-C, and then click OK.
• On the Start menu, click Computer.
• In the Computer window, double-click Allfiles (D:).
• In the Name list of the New Volume (D:) window, right-click link-cert,
and then click Open.
• In the link-cert – Notepad window, select <thumbprint> and press
SHIFT-INSERT, which pastes the thumbprint values. Delete the spaces
between the thumbprint values. The content of the file should then be a
single line that looks like this:

netsh http add sslcert ipport=0.0.0.0:443 certhash=63849a934ef76c948011de8d6024df1054b01e52 appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

• In the link-cert – Notepad window, select the entire line, and then press
CTRL-C.
• On the File menu, click Save.
• On the File menu, click Exit.
4. Open the command prompt and run the following code to add the SSL
certificate.

netsh http add sslcert ipport=0.0.0.0:443 certhash=63849a934ef76c948011de8d6024df1054b01e52 appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

• On the Start menu, click All Programs, click Accessories, and then click
Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, press SHIFT-INSERT to paste the following code, and then press
ENTER.

netsh http add sslcert ipport=0.0.0.0:443 certhash=63849a934ef76c948011de8d6024df1054b01e52 appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

5. Run the following code to enable the hosted BranchCache server.

netsh branchcache set service hostedserver

• At the command prompt, type the following code, and then press ENTER.

netsh branchcache set service hostedserver
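
Steps 3 to 5 of this task can be scripted so that the thumbprint never passes through Notepad. The following PowerShell script is an added example and is not part of the course lab or its link-cert file; it uses the LON-SVR1 name and the appid GUID from the lab, and assumes that the enrolled Computer certificate carries the subject CN=LON-SVR1.Contoso.com and that the output of netsh http show sslcert contains the hash and appid as plain text.

```powershell
# Added example, not part of the course lab: does what Task 3, steps 3 to 5
# do by hand (copy the thumbprint, strip spaces, paste into netsh). It finds
# the machine certificate enrolled for LON-SVR1, checks the thumbprint format,
# binds it to port 443 with the appid the lab uses, verifies the binding, and
# only then starts the hosted cache server. The subject-name filter and the
# parsing of "netsh http show sslcert" output are assumptions.
$HostedCacheFqdn  = 'LON-SVR1.contoso.com'
$HostedCacheAppId = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'

function Get-HostedCacheCertificate {
    param([string]$Fqdn)
    # Newest machine certificate issued to this host that has a private key
    # and is still valid (the lab picks the "second" LON-SVR1 certificate,
    # the one just enrolled from the Computer template).
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey -and
                       $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
}

function ConvertTo-CertHash {
    param([string]$Thumbprint)
    # Same normalisation as the Notepad step: remove spaces, lower-case hex,
    # and refuse anything that is not exactly 40 hex characters (SHA-1).
    $hash = ($Thumbprint -replace '[\s\-:]', '').ToLower()
    if ($hash -notmatch '^[0-9a-f]{40}$') {
        throw "Not a SHA-1 thumbprint: '$Thumbprint'"
    }
    $hash
}

function Test-HttpSslBinding {
    param([string]$CertHash, [string]$AppId, [string]$IpPort = '0.0.0.0:443')
    # True when HTTP.sys reports the expected certificate and appid on the port.
    $out = (& netsh.exe http show sslcert ipport=$IpPort 2>&1) | Out-String
    ($out -match $CertHash) -and ($out -match [regex]::Escape($AppId))
}

function Add-HostedCacheSslBinding {
    param([string]$Fqdn, [string]$AppId, [string]$IpPort = '0.0.0.0:443')
    $cert = Get-HostedCacheCertificate -Fqdn $Fqdn
    if (-not $cert) {
        throw "No usable machine certificate for $Fqdn in Cert:\LocalMachine\My"
    }
    $hash = ConvertTo-CertHash -Thumbprint $cert.Thumbprint

    # This is the line the lab stores in link-cert, built from the live
    # certificate store instead of a pasted thumbprint.
    & netsh.exe http add sslcert ipport=$IpPort certhash=$hash appid=$AppId
    if ($LASTEXITCODE -ne 0) {
        throw "netsh http add sslcert failed with exit code $LASTEXITCODE"
    }
    if (-not (Test-HttpSslBinding -CertHash $hash -AppId $AppId -IpPort $IpPort)) {
        throw "Binding on $IpPort does not show the expected hash and appid"
    }
    $hash
}

$hash = Add-HostedCacheSslBinding -Fqdn $HostedCacheFqdn -AppId $HostedCacheAppId
"Bound certificate $hash to 0.0.0.0:443; enabling the hosted cache server."
& netsh.exe branchcache set service hostedserver
```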

Task 4: Configure Performance Monitor on LON-SVR1 hosted server.


1. On LON-SVR1, open the Performance Monitor console to add the following
performance counters:
• Discovery: Attempted discoveries
• Discovery: Successful Discoveries
• SMB: Bytes from Cache
• SMB: Bytes from server
• On the Start menu of LON-SVR1, in the Search programs and files box,
type Performance, and then press ENTER.
• In the tree pane of the Performance Monitor console, under Monitoring
Tools, click Performance Monitor.
• In the Performance Monitor result pane, click the Delete (Delete Key)
icon.
• In the Performance Monitor result pane, click the Add (Ctrl+N) icon.
• In the Add Counters dialog box, under Select counters from computer,
expand BranchCache, click Discovery: Attempted discoveries,
Discovery: Successful Discoveries, SMB: Bytes from Cache, and SMB:
Bytes from server, click Add, and then click OK.

Task 5: Test BranchCache in the Distributed Caching mode.


1. On LON-CL1, move the edbres00001.jrs file from \\LON-
DC1.contoso.com\Share to the Desktop.

On LON-SVR1, in the Performance Monitor console, notice that the value of the SMB: Bytes
from server counter increases while the SMB: Bytes from cache counter remains the same.
• On the Start menu of LON-CL1, in the Search programs and files box,
type \\LON-DC1.contoso.com\Share, and then press ENTER.
• In the Name list of the Share window, right-click edbres00001.jrs, and
then click Copy.
• In the Share window, click the Minimize button.
• In the Administrator: Command Prompt window, click the Minimize
button.
• On the Desktop, right-click anywhere, and then click Paste.

While copying the file, view the Performance Monitor graph on LON-SVR1. Notice that the
file is copied from the LON-DC1 file server: the SMB: Bytes from server counter increases
and the SMB: Bytes from cache counter remains the same. Because this is the first time the
file is copied to the branch office, it must come from the file server. Also make a note of
how long it takes to copy the file to LON-CL1.

2. On LON-CL2, move the edbres00001.jrs file from
\\LON-DC1.contoso.com\Share to the Desktop.

On LON-SVR1, in the Performance Monitor console, view the SMB:Bytes from cache
counter to ensure that file was copied from the BranchCache cache.

• On the Start menu of LON-CL2, in the Search programs and files box,
type \\LON-DC1.contoso.com\Share, and then press ENTER.
• In the Name list of the Share window, right-click edbres00001.jrs, and
then click Copy.
• In the Share window, click the Minimize button.
• In the Administrator: Command Prompt window, click the Minimize
button.
• On the Desktop, right-click anywhere, and then click Paste.

While copying the file, view the Performance Monitor graph on LON-SVR1. Notice that the
file is copied much faster. You can also view the SMB: Bytes from cache counter, which
confirms that the file was copied from the BranchCache cache.

• In the Administrator: Command Prompt window, click the Close button.
• In the Share window, click the Close button.
3. On LON-SVR1, run the following code to verify that Local Cache has an
Active Current Cache Size greater than 0.

netsh branchcache show status all

• On LON-SVR1, at the command prompt of the Administrator: Command
Prompt window, type the following code, and then press ENTER.

netsh branchcache show status all

• In the Administrator: Command Prompt window, click the Close button.


• In the Performance Monitor console, click the Close button.
• In the New Volume (D:) window, click the Close button.
• In the Console1 – [Console Root\Certificate] console, click the Close
button.
• In the Microsoft Management Console message box, click No.
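The Performance Monitor and netsh checks above can be scripted. The following PowerShell is an added example, not part of the lab answer key: it parses the cache size out of the netsh output and samples the two SMB counters around a copy so the copy can be classified as served from the file server or from the branch cache. It assumes (the page does not say so) that the counter set is named BranchCache with counters "SMB: Bytes From Server" and "SMB: Bytes From Cache", and that the netsh output labels the size "Active Current Cache Size".

```powershell
# Added example; not part of the lab answer key.
# Assumptions (not stated on the page): counter set "BranchCache" with the two
# SMB counters below; netsh prints a line "Active Current Cache Size = N".

function Get-BranchCacheActiveCacheSize {
    # Step 3 check: returns the active cache size in bytes from the netsh output
    $text = (netsh branchcache show status all) -join "`n"
    $m = [regex]::Match($text, 'Active Current Cache Size\s*[:=]\s*([\d,]+)')
    if (-not $m.Success) { throw 'Could not find "Active Current Cache Size" in netsh output' }
    [int64]($m.Groups[1].Value -replace ',', '')
}

function Get-BranchCacheSmbCounters {
    # Current cumulative values of the two counters the lab watches in Performance Monitor
    param([string]$ComputerName = $env:COMPUTERNAME)
    $paths = '\BranchCache\SMB: Bytes From Server', '\BranchCache\SMB: Bytes From Cache'
    $sample = Get-Counter -ComputerName $ComputerName -Counter $paths
    $values = @{}    # PowerShell hashtables are case-insensitive; Get-Counter lowercases paths
    foreach ($cs in $sample.CounterSamples) {
        $values[$cs.Path.Split('\')[-1]] = [int64]$cs.CookedValue
    }
    $values
}

function Measure-BranchCacheCopy {
    # Runs $Action (for example the Copy-Item from the lab) and reports how many
    # bytes arrived from the server versus from the cache while it ran, plus the duration.
    param([scriptblock]$Action, [string]$ComputerName = $env:COMPUTERNAME)
    $before = Get-BranchCacheSmbCounters -ComputerName $ComputerName
    $sw = [Diagnostics.Stopwatch]::StartNew()
    & $Action
    $sw.Stop()
    $after = Get-BranchCacheSmbCounters -ComputerName $ComputerName
    $fromServer = $after['SMB: Bytes From Server'] - $before['SMB: Bytes From Server']
    $fromCache  = $after['SMB: Bytes From Cache']  - $before['SMB: Bytes From Cache']
    New-Object PSObject -Property @{
        Seconds    = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        FromServer = $fromServer
        FromCache  = $fromCache
        Source     = if ($fromCache -gt $fromServer) { 'BranchCache cache' } else { 'file server' }
    }
}

# Usage (paths from the lab; run on the branch client that performs the copy):
# Measure-BranchCacheCopy { Copy-Item '\\LON-DC1.contoso.com\Share\edbres00001.jrs' "$env:USERPROFILE\Desktop" -Force }
# Get-BranchCacheActiveCacheSize    # on LON-SVR1, expected to be greater than 0 after the first copy
```

Running Measure-BranchCacheCopy once from LON-CL1 and once from LON-CL2 gives the same comparison the lab makes by eye: the first copy shows bytes from the server, the second shows bytes from the cache and a shorter duration.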
Exercise 3: Configuring Read-Only DFS Replica

Task 1: Add Distributed File System role service to LON-SVR1 server.


1. On LON-SVR1, open the Server Manager console to configure the Distributed File System role services with the following information:
• Server role: File Services
• Create a DFS Namespace: Create a namespace now, using this wizard
• Namespace Type: Domain-based namespace
• User name: Administrator
• Password: Pa$$w0rd
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Server Manager.
• In the tree pane of the Server Manager console, right-click Roles, and then
click Add Role.
• On the Before You Begin page of the Add Roles Wizard, click Next.
• On the Select Server Roles page, under Roles, select the File Services
check box, and then click Next.
• On the File Services page, click Next.
• On the Select Role Services page, under Role services, select the
Distributed File System check box, and then click Next.
• On the Create a DFS Namespace page, ensure that the Create a
namespace now, using this wizard option is selected, and then click
Next.
• On the Select Namespace Type page, ensure that the Domain-based
namespace option is selected, and then click Next.
• On the Provide Credentials to Create a Namespace page, click Select.
• In the User name box of the Windows Security dialog box, type
Administrator, in the Password box, type Pa$$w0rd, and then click OK.
• On the Provide Credentials to Create a Namespace page, click Next.
• On the Configure Namespace page, click Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.

Task 2: Create file share on LON-SVR1 server.


1. Create a folder named Share-Replica on drive C:, and set the share properties to share the folder with everyone on your network.
• On the Start menu of LON-SVR1, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Local Disk (C:) window, right-click anywhere, click New Folder,
type Share-Replica, and then press ENTER.
• In the Name list of the Local Disk (C:) window, right-click Share-Replica,
and then click Properties.
• On the Sharing tab of the Share-Replica Properties dialog box, click
Share.
• On the Choose people on your network to share with page of the File Sharing wizard, in the Type a name and then click Add, or click the arrow to find someone box, type Everyone, click Add, and then click Share.
• On the Your folder is shared page, click Done.
• In the Share-Replica Properties dialog box, click Close.
• In the Local Disk (C:) window, click the Close button.

Task 3: Create DFS replication group.


1. On LON-SVR1, create a DFS replication group by using the Server Manager
console with the following information:
• Replication Group Type: Multipurpose replication group
• Name of replication group: Contoso Reports
• Replication Group Members: LON-DC1;LON-SVR1
• Topology Selection: Full mesh
• Replication Group Schedule and Bandwidth: Replicate
continuously using the specified bandwidth
• Primary member: LON-DC1
• Folders to Replicate: C$\Share
• Local Path of Share on Other Members: C$\Share-Replica
• Select Make the selected replicated folder on this member read only
• On LON-SVR1, in the tree pane of the Server Manager console, expand
Roles, expand File Services, expand DFS Management, and then click
Replication.
• In the Actions pane, click New Replication Group.
• On the Replication Group Type page of the New Replication Group
Wizard, ensure that the Multipurpose replication group option is
selected, and then click Next.
• In the Name of replication group box of the Name and Domain page,
type Contoso Reports, and then click Next.
• On the Replication Group Members page, click Add.
• In the Enter the object names to select (examples) box of the Select
Computers dialog box, type LON-DC1;LON-SVR1, and then click OK.
• On the Replication Group Members page, click Next.
• On the Topology Selection page, ensure that the Full mesh option is
selected, and then click Next.
• On the Replication Group Schedule and Bandwidth page, ensure that
the Replicate continuously using the specified bandwidth option is
selected, and then click Next.
• In the Primary member box of the Primary Members page, click LON-
DC1, and then click Next.
• On the Folders to Replicate page, click Add.
• In the Add Folders to Replicate dialog box, click Browse.
• In the Select a folder area of the Browse For Folder dialog box, expand
C$, click Share, and then click OK.
• In the Add Folders to Replicate dialog box, click OK.
• On the Folders to Replicate page, click Next.
• On the Local Path of Share on Other Members page, click Edit.
• In the Membership Status area of the Edit dialog box, click Enabled, and
then click Browse.
• In the Select a folder area of the Browse For Folder dialog box, expand
C$, click Share-Replica, and then click OK.
• In the Edit dialog box, select the Make the selected replicated folder on this member read only check box, and then click OK.
• On the Local Path of Share on Other Members page, click Next.
• On the Review Settings and Create Replication Group page, click
Create.
• On the Confirmation page, click Close.
• In the Replication Delay message box, click OK.
• In the tree pane of the Server Manager console, expand Replication, and
then click Contoso Reports.
• In the Contoso Reports result pane, verify that C:\Share-Replica has
Enabled (read-only) Membership status.

Task 4: Add replicated folder to the DFS Namespace.


1. Add a new folder named Reports to the \\Contoso.com\Namespace1 namespace in DFS Management, and add Share-Replica as its folder target.
• In the tree pane of the Server Manager console, under DFS Management,
expand Namespaces, and then click \\Contoso.com\Namespace1.
• In the Actions pane, click New Folder.
• In the Name box of the New Folder dialog box, type Reports, and then
click Add.
• In the Add Folder Target dialog box, click Browse.
• In the Shared folders area of the Browse for Shared Folders dialog box,
click Share-Replica, and then click OK.
• In the Add Folder Target dialog box, click OK.
• In the New Folder dialog box, click OK.
Task 5: Test the client access to the read-only DFS replica.
1. On LON-CL1, navigate to \\contoso.com\Namespace1\Reports and try to create a new text document in the read-only DFS replica, C:\Share-Replica.

A Destination Folder Access Denied error message appears.

• On the Start menu of LON-CL1, in the Search programs and files box,
type \\contoso.com\Namespace1\Reports, and then press ENTER.
• In the Reports window, right-click anywhere, point to New, and then click Text Document.
• In the Destination Folder Access Denied message box, click Cancel.
• In the Reports window, click the Close button.
Task 6: Make the read-only DFS replica read-write and test the client access.
1. On LON-SVR1, change the read-only attribute of C:\Share-Replica to read-write.
• On LON-SVR1, in the tree pane of the Server Manager console, under
Replication, click Contoso Reports.
• In the Local Path list of the Contoso Reports result pane, click C:\Share-
Replica.
• In the Actions pane, under LON-SVR1 (Share), click Make read-write.
2. On LON-CL1, navigate to \\contoso.com\Namespace1\Reports and create a
new text document in the read-write DFS replica, C:\Share-Replica.

If you still get the Access Denied message, the change of settings is not effective yet. Close the Reports window, wait for a few minutes, and then create the text document again.

• On the Start menu of LON-CL1, in the Search programs and files box,
type \\contoso.com\Namespace1\Reports, and then press ENTER.
• In the Reports window, right-click anywhere, point to New, and then click
Text Document.
• In the Reports window, click the Close button.
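Tasks 3 to 6 can also be verified without the GUI. The following PowerShell is an added example, not part of the lab answer key: it reads the read-only flag of the replicated folder on LON-SVR1 and probes the namespace path from a client, polling until a write succeeds because, as Task 6 notes, the switch to read-write takes a few minutes to apply. It assumes (the page does not state this) that the DFSR WMI class DfsrReplicatedFolderConfig in root\MicrosoftDfs exposes RootPath and a boolean ReadOnly property on Windows Server 2008 R2; the server, namespace and folder names are the lab's.

```powershell
# Added example; not part of the lab answer key.
# Assumption: DfsrReplicatedFolderConfig (root\MicrosoftDfs) has RootPath and ReadOnly.

function Get-DfsrFolderReadOnly {
    # Task 3 check: is the membership for C:\Share-Replica on LON-SVR1 read-only?
    param([string]$RootPath = 'C:\Share-Replica', [string]$ComputerName = 'LON-SVR1')
    $cfg = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftDfs' `
               -Class DfsrReplicatedFolderConfig |
           Where-Object { $_.RootPath -eq $RootPath }
    if ($cfg -eq $null) { throw "No replicated folder rooted at $RootPath on $ComputerName" }
    New-Object PSObject -Property @{
        ReplicatedFolder = $cfg.ReplicatedFolderName
        RootPath         = $cfg.RootPath
        ReadOnly         = [bool]$cfg.ReadOnly
    }
}

function Test-ReplicaWritable {
    # Returns $true if a file can be created (and removed) under $Path, $false if the
    # server answers Access Denied, which is what the read-only replica does in Task 5.
    param([string]$Path = '\\contoso.com\Namespace1\Reports')
    $probe = Join-Path $Path ('write-probe-{0}.txt' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        # .NET exceptions reach PowerShell wrapped in a MethodInvocationException
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [UnauthorizedAccessException]) { return $false }
        throw
    }
}

function Wait-ReplicaWritable {
    # Task 6: poll until the read-write change has taken effect, instead of guessing
    param([string]$Path = '\\contoso.com\Namespace1\Reports', [int]$TimeoutSeconds = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        if (Test-ReplicaWritable -Path $Path) { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    $false
}

# Usage:
# Get-DfsrFolderReadOnly     # after Task 3: ReadOnly = True
# Test-ReplicaWritable       # from LON-CL1 after Task 5: False
# Wait-ReplicaWritable       # after Task 6: True once the change has been applied
```

The probe file is removed again so that nothing is left behind to replicate back to LON-DC1 once the replica is writable.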

Before proceeding to the next lab, reset the lab environment.


Configuring and Managing Windows Server 2008 R2 Web Services


Lab 7: Configuring and Managing Windows
Server 2008 R2 Web Services
Exercise 1: Creating and Configuring a Web Site on
Windows Server 2008 R2
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-CORE with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-CORE, and then click
Connect.
• To log on to LON-CORE, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.

Task 2: Create a new Web site from IIS Manager.


1. On LON-DC1, open the Internet Information Services (IIS) Manager console
to create a new Web site for Contoso Ltd. with the following information:
• Site name: Contoso Ltd
• Physical path: C:\inetpub\contoso
• Host name: LON-DC1.contoso.com
• On the Start menu of LON-DC1, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.


• In the Connections pane of the Internet Information Services (IIS)
Manager console, expand LON-DC1 (CONTOSO\Administrator), right-
click Sites, and then click Add Web Site.
• In the Site name box of the Add Web Site dialog box, type Contoso Ltd, and then click the ellipsis (...) button next to the Physical path box.
• In the Browse For Folder dialog box, expand Local Disk (C:), expand
inetpub, click contoso, and then click OK.
• In the Host name box of the Add Web Site dialog box, type LON-
DC1.contoso.com, and then click OK.
2. Open the Internet Explorer to view the new Web site created for Contoso, Ltd.
• On the Start menu, point to All Programs, and then click Internet
Explorer.
• In the Address bar of the Blank Page - Windows Internet Explorer
window, type http://lon-dc1.contoso.com, and then press ENTER.
• In the Internet Explorer dialog box, click the Close button.

The Contoso Ltd. home page will be displayed.

Task 3: View and change the IIS settings through the Configuration Editor.
1. Change the Web site name from Contoso Ltd. to Contoso Site by using
Configuration Editor and view the script that can be used to perform this
change.
• In the Connections pane of the Internet Information Services (IIS)
Manager console, click LON-DC1 (CONTOSO\Administrator).
• In the LON-DC1 Home result pane, under Management, double-click
Configuration Editor.
• In the Section box of the Configuration Editor result pane, under
system.applicationHost, click sites.
• In the result pane, click (Collection), and then click the ellipsis (...) button next to (Count=2).
• In the Items area of the Collection Editor -
system.applicationHost/sites/ dialog box, in the name list, click
Contoso Ltd.
• In the Properties area, change the name property from Contoso Ltd to
Contoso Site, and then click the Close button.
• In the Actions pane of the Internet Information Services (IIS) Manager
console, click Generate Script.
• In the Script Dialog dialog box, verify that the Managed Code (C#), Scripting (JavaScript), and Command Line (AppCmd) tabs are present, ensure that they contain the script for renaming the Web site, and then click Close.
• In the Actions pane of the Internet Information Services (IIS) Manager
console, click Apply.
2. Refresh the LON-DC1 node to check whether the Web site name has changed
from Contoso Ltd. to Contoso Site.
• In the Connections pane, right-click LON-DC1
(CONTOSO\Administrator), and then click Refresh.
• In the Connections pane, expand Sites, and ensure that the site name has
changed from Contoso Ltd to Contoso Site.

Notice that Generate Script in the Actions pane is now grayed out.

3. Create a new application pool in Configuration Editor and generate a script for
its creation. The application pool should be created with the following
information:
• Name: ContosoPool
• identityType: NetworkService
• In the Section box of the Configuration Editor result pane, under system.applicationHost, click applicationPools, and then click (Collection).
• In the Actions pane, click Edit Items.
• In the Collection Editor - system.applicationHost/applicationPools/ dialog box, click Add.


• In the Properties area, set the name property to ContosoPool.
• In the Properties area, expand processModel, and then set the
identityType property to NetworkService.
• In the Collection Editor - system.applicationHost/applicationPools/
dialog box, click the Close button.
• In the Actions pane of the Internet Information Services (IIS) Manager
console, click Generate Script.
• In the Script Dialog dialog box, verify that the Managed Code (C#), Scripting (JavaScript), and Command Line (AppCmd) tabs are present, ensure that they contain the script for creating an application pool, and then click Close.
• In the Actions pane of the Internet Information Services (IIS) Manager
console, click Apply.
4. View the ContosoPool application pool properties to verify that
NetworkService is listed as its Identity.
• In the Connections pane of the Internet Information Services (IIS)
Manager console, under LON-DC1 (CONTOSO\Administrator), click
Application Pools.
• In the Name list of the Application Pools result pane, click ContosoPool.
• In the Actions pane, under Edit Application Pool, click Advanced
Settings.
• In the Process Model area of the Advanced Settings dialog box, ensure
that NetworkService is listed as Identity, and then click OK.
5. Assign Contoso Site to run in ContosoPool application pool.
• In the Connections pane of the Internet Information Services (IIS)
Manager console, under Sites, click Contoso Site.
• In the Actions pane, under Edit Site, click Basic Settings.
• In the Edit Site dialog box, click Select.
• In the Application pool box of the Select Application Pool dialog box,
click ContosoPool, and then click OK.
• In the Edit Site dialog box, click OK.
6. Refresh the Home page of Contoso Site and verify whether the new application pool starts.
• In the Home - Windows Internet Explorer window, click the Refresh
button.
• In the Internet Explorer dialog box, click Close.

After a few seconds, the new application pool starts, but the same Home page will be
displayed.
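The Managed Code (C#) tab of the Script Dialog uses the Microsoft.Web.Administration API. The following PowerShell is an added example, not part of the lab answer key and not the script the dialog generates: it performs the same three edits as steps 1 to 5 of this task (rename the site, create ContosoPool with the NetworkService identity, assign the site to the pool) through that API and reads the pool identity back the way step 4 checks it in Advanced Settings. It assumes an elevated PowerShell on LON-DC1 and the default IIS 7.5 location of Microsoft.Web.Administration.dll.

```powershell
# Added example; not part of the lab answer key and not the generated script.
# Assumptions: elevated PowerShell on LON-DC1; default IIS 7.5 DLL path below.

Add-Type -Path "$env:windir\system32\inetsrv\Microsoft.Web.Administration.dll"

function Set-ContosoSiteAndPool {
    param(
        [string]$OldSiteName = 'Contoso Ltd',
        [string]$NewSiteName = 'Contoso Site',
        [string]$PoolName    = 'ContosoPool'
    )
    $mgr = New-Object Microsoft.Web.Administration.ServerManager
    try {
        # Step 1: rename the site (the name attribute in system.applicationHost/sites)
        $site = $mgr.Sites[$OldSiteName]
        if ($site -eq $null) { $site = $mgr.Sites[$NewSiteName] }   # already renamed
        if ($site -eq $null) { throw "Neither '$OldSiteName' nor '$NewSiteName' exists" }
        $site.Name = $NewSiteName

        # Step 3: add the pool and set processModel/identityType to NetworkService
        $pool = $mgr.ApplicationPools[$PoolName]
        if ($pool -eq $null) { $pool = $mgr.ApplicationPools.Add($PoolName) }
        $pool.ProcessModel.IdentityType = [Microsoft.Web.Administration.ProcessModelIdentityType]::NetworkService

        # Step 5: run the site's root application in that pool
        $site.Applications['/'].ApplicationPoolName = $PoolName

        # Equivalent of Apply in IIS Manager: writes applicationHost.config
        $mgr.CommitChanges()
    } finally {
        $mgr.Dispose()
    }
}

function Get-PoolIdentity {
    # Step 4 check: which identity the pool is configured to run as, and its state
    param([string]$PoolName = 'ContosoPool')
    $mgr = New-Object Microsoft.Web.Administration.ServerManager
    try {
        $pool = $mgr.ApplicationPools[$PoolName]
        if ($pool -eq $null) { return $null }
        $pm = $pool.ProcessModel
        New-Object PSObject -Property @{
            Pool         = $PoolName
            IdentityType = $pm.IdentityType.ToString()
            UserName     = $pm.UserName      # empty unless IdentityType is SpecificUser
            State        = $pool.State.ToString()
        }
    } finally {
        $mgr.Dispose()
    }
}

# Usage:
# Set-ContosoSiteAndPool
# Get-PoolIdentity          # IdentityType = NetworkService
```

CommitChanges writes the configuration in one step, which is why the function collects all three edits on one ServerManager before committing; a failure before that point leaves applicationHost.config untouched.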

Task 4: Configure the Web site to use Request Filtering.


1. Deny the jpg image files from being displayed on the Contoso Web page by
using the Request Filtering option.

The Contoso Ltd. real estate picture is still displayed on the Contoso Web page, because
it is in .gif format.

• In the Contoso Site Home result pane, under IIS, double-click Request
Filtering.

On the Hidden Segments tab of the Request Filtering result pane, verify that the web.config file is listed. web.config is one of the IIS configuration files; because it is a hidden segment, requests for it are rejected even though the file exists in the site folder.

• In the Actions pane, click Deny File Name Extension.


• In the File name extension box of the Deny File Name Extension dialog
box, type jpg, and then click OK.
• In the Home - Windows Internet Explorer window, click the Refresh
button.
• In the Internet Explorer dialog box, click Close.

The Contoso Ltd. real estate picture is still displayed, because it is in .gif format.
2. Deny the gif image files from being displayed on the Contoso Web page by using the Request Filtering option.

The Contoso Ltd. real estate picture is not displayed on the Contoso Web page.

• In the Actions pane of the Internet Information Services (IIS) Manager console, click Deny File Name Extension.
• In the File name extension box of the Deny File Name Extension dialog
box, type gif, and then click OK.
• In the Home - Windows Internet Explorer window, click the Refresh
button.
• In the Internet Explorer dialog box, click Close.

The Contoso Ltd. real estate picture is not displayed on the Web page.

3. Remove both the jpg and gif files from the Request Filtering list.
• In the Request Filtering result pane of the Internet Information Services
(IIS) Manager console, click .gif.
• In the Actions pane, click Remove.
• In the Confirm Remove message box, click Yes.
• In the Request Filtering result pane, click .jpg.
• In the Actions pane, click Remove.
• In the Confirm Remove message box, click Yes.
• In the Home - Windows Internet Explorer window, click the Refresh
button.
• In the Internet Explorer dialog box, click Close.
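The same Request Filtering rules can be applied and checked from a script. The following PowerShell is an added example, not part of the lab answer key: it adds and removes fileExtensions entries with the WebAdministration module and checks their effect with plain HTTP requests, including the hidden-segment rule for web.config noted above. It assumes an elevated PowerShell on LON-DC1, that the site is Contoso Site bound to http://lon-dc1.contoso.com, and uses placeholder image names, since the page does not name the picture file.

```powershell
# Added example; not part of the lab answer key.
# Assumptions: elevated PowerShell on LON-DC1; site 'Contoso Site' at
# http://lon-dc1.contoso.com; <picture> below is a placeholder file name.

Import-Module WebAdministration

$script:ExtFilter = 'system.webServer/security/requestFiltering/fileExtensions'

function Add-DeniedFileExtension {
    # Same as Deny File Name Extension in the Actions pane
    param([string]$SiteName = 'Contoso Site', [string]$Extension)   # e.g. '.jpg'
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $script:ExtFilter `
        -Name '.' -Value @{ fileExtension = $Extension; allowed = 'false' }
}

function Remove-FileExtensionRule {
    # Same as Remove in the Actions pane (step 3)
    param([string]$SiteName = 'Contoso Site', [string]$Extension)
    Remove-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $script:ExtFilter `
        -Name '.' -AtElement @{ fileExtension = $Extension }
}

function Get-FileExtensionRules {
    param([string]$SiteName = 'Contoso Site')
    Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter "$script:ExtFilter/add" |
        Select-Object fileExtension, allowed
}

function Get-HttpStatus {
    # Returns the HTTP status code, including error codes: IIS answers a request
    # blocked by Request Filtering with 404 instead of serving the file.
    param([string]$Url)
    $req = [Net.WebRequest]::Create($Url)
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [Net.WebException] -and $ex.Response -ne $null) {
            return [int]$ex.Response.StatusCode
        }
        throw
    }
}

# Usage (site URL from the lab; image names are placeholders):
# Add-DeniedFileExtension -Extension '.jpg'
# Get-HttpStatus 'http://lon-dc1.contoso.com/<picture>.jpg'   # 404 once the rule is in place
# Get-HttpStatus 'http://lon-dc1.contoso.com/<picture>.gif'   # still 200: only .jpg is denied
# Get-HttpStatus 'http://lon-dc1.contoso.com/web.config'      # 404: hidden segment
# Remove-FileExtensionRule -Extension '.jpg'
```

Checking with Get-HttpStatus rather than a browser refresh avoids the browser cache showing a picture that the server no longer serves.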

Task 5: Create and assign the managed service account as the application pool account.

1. Open the Windows PowerShell window and run the following command to import the Active Directory module.

Import-Module ActiveDirectory

• On the Start menu of LON-DC1, point to All Programs, click Accessories, click Windows PowerShell, and then click Windows PowerShell.
• At the command prompt of the Administrator: Windows PowerShell
window, type the following command, and then press ENTER.

Import-Module ActiveDirectory

2. Run the following command to create a managed service account.

New-ADServiceAccount ContosoIIS

• At the command prompt, type the following command, and then press
ENTER.

New-ADServiceAccount ContosoIIS

3. Run the following command to install the managed service account on a local
computer.

Install-ADServiceAccount ContosoIIS

• At the command prompt, type the following command, and then press
ENTER.

Install-ADServiceAccount ContosoIIS

4. Edit the application pool, ContosoPool, to set the following properties:


• Identity: Custom account
• User name: contoso\contosoiis$
• In the Connections pane of the Internet Information Services (IIS)
Manager console, under LON-DC1 (CONTOSO\Administrator), click
Application Pools.
• In the Name list of the Application Pools result pane, click ContosoPool.
• In the Actions pane, under Edit Application Pool, click Advanced
Settings.
• In the Process Model area of the Advanced Settings dialog box, click the Browse button next to Identity.


• In the Application Pool Identity dialog box, click Custom account, and
then click Set.
• In the User name box of the Set Credentials dialog box, type
contoso\contosoiis$, and then click OK.
• In the Application Pool Identity dialog box, click OK.
• In the Advanced Settings dialog box, click OK.
5. Refresh the Contoso Web site and check whether the Web site runs in the
context of ContosoIIS service account.
• In the Home - Windows Internet Explorer window, click the Refresh
button.
• In the Internet Explorer dialog box, click Close.
• In the Home - Windows Internet Explorer window, click the Close button.

After a few seconds, a new application pool starts and the same Home page appears as before. This time, the Web site runs in the context of the ContosoIIS service account.

• In the Administrator: Windows PowerShell window, click the Close button.
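Steps 2 to 5 of this task as one script. The following PowerShell is an added example, not part of the lab answer key: it creates and installs the managed service account with the Active Directory module, binds it to ContosoPool through Microsoft.Web.Administration (the same setting as Custom account in the Advanced Settings dialog, with an empty password because the domain manages the MSA's password), and checks which account the worker process runs as, which is what step 5 observes. It assumes an elevated PowerShell on LON-DC1 with IIS 7.5 and the names used in the lab.

```powershell
# Added example; not part of the lab answer key.
# Assumptions: elevated PowerShell on LON-DC1; IIS 7.5; lab names below.

Import-Module ActiveDirectory
Add-Type -Path "$env:windir\system32\inetsrv\Microsoft.Web.Administration.dll"

function New-IisServiceAccount {
    # Steps 2 and 3: New-ADServiceAccount creates the object in AD once;
    # Install-ADServiceAccount registers it on this computer only.
    param([string]$Name = 'ContosoIIS')
    $existing = Get-ADServiceAccount -Filter "Name -eq '$Name'"
    if ($existing -eq $null) { New-ADServiceAccount -Name $Name }
    Install-ADServiceAccount -Identity $Name
    Test-ADServiceAccount -Identity $Name    # $true when this host can use the account
}

function Set-PoolIdentityToServiceAccount {
    # Step 4: Identity = Custom account, User name = contoso\contosoiis$, no password
    param([string]$PoolName = 'ContosoPool', [string]$Account = 'contoso\contosoiis$')
    $mgr = New-Object Microsoft.Web.Administration.ServerManager
    try {
        $pool = $mgr.ApplicationPools[$PoolName]
        if ($pool -eq $null) { throw "Application pool '$PoolName' not found" }
        $pool.ProcessModel.IdentityType = [Microsoft.Web.Administration.ProcessModelIdentityType]::SpecificUser
        $pool.ProcessModel.UserName = $Account
        $pool.ProcessModel.Password = ''     # empty: the MSA password is managed by AD
        $mgr.CommitChanges()                 # the pool is recycled on this configuration change
    } finally {
        $mgr.Dispose()
    }
}

function Get-WorkerProcessOwners {
    # Step 5 check: after the site is requested again, its w3wp.exe should be
    # owned by CONTOSO\ContosoIIS$ rather than by NetworkService.
    Get-WmiObject -Class Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
        $owner = $_.GetOwner()
        New-Object PSObject -Property @{
            ProcessId = $_.ProcessId
            Owner     = '{0}\{1}' -f $owner.Domain, $owner.User
        }
    }
}

# Usage:
# New-IisServiceAccount                 # $true
# Set-PoolIdentityToServiceAccount
# (New-Object Net.WebClient).DownloadString('http://lon-dc1.contoso.com/') | Out-Null
# Get-WorkerProcessOwners               # one entry owned by CONTOSO\ContosoIIS$
```

The worker process only appears after the first request, so the usage block fetches the home page before listing process owners, matching the refresh in step 5.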

Exercise 2: Managing ASP.NET on Server Core


Task 1: Install the Web Server role with ASP.NET on Server Core and enable remote management.
1. On LON-CORE, run the following script to install the Web Server role with
support for ASP.NET. This command will add all the necessary features on
LON-CORE and configure the server to allow remote administration.

c:\Core-iis.bat
• On LON-CORE, at the command prompt of the Administrator: C:\Windows\system32\cmd.exe window, type the following command, and then press ENTER.

cd \

• At the command prompt, type the following script, and then press
ENTER.

C:\Core-iis.bat

2. On LON-DC1, use the Connect to a Server option to connect to LON-CORE and to use remote management, with the following information:
• Server name: LON-CORE.contoso.com
• User name: Administrator
• Password: Pa$$w0rd
• On LON-DC1, in the Connections pane of the Internet Information
Services (IIS) Manager console, right-click Start Page, and then click
Connect to a Server.
• On the Specify Server Connection Details page of the Connect to Server
wizard, in the Server name box, type LON-CORE.contoso.com, and then
click Next.
• In the User name box of the Provide Credentials page, type
Administrator, in the Password box, type Pa$$w0rd, and then click
Next.
• In the Server Certificate Alert message box, click Connect.
• On the Specify a Connection Name page, click Finish.

In the lower-right corner of the Internet Information Services (IIS) Manager, verify that
you are connected to the remote server as administrator and you are using a secure
connection.

Task 2: Configure the ASP.NET Web site.


1. Copy the web_application folder from C:\inetpub to \\LON-
CORE.contoso.com\c$\inetpub.
• On the Start menu of LON-DC1, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, double-click inetpub.
• In the Name list of the inetpub window, right-click Web_application, and
then click Copy.
• In the inetpub window, click the Close button.
• On the Start menu, in Search programs and files box, type \\LON-
CORE.contoso.com\c$\inetpub, and then press Enter.
• In the inetpub window, right-click anywhere, and then click Paste.
• In the inetpub window, click the Close button.
2. Create a new Web site, ASP.NET Site, at the LON-CORE server with the
following information:
• Site name: ASP.NET Site
• Physical path: c:\inetpub\Web_application
• Host name: LON-CORE.contoso.com
• In the Connections pane of the Internet Information Services (IIS)
Manager console, expand LON-CORE.contoso.com (Administrator),
right-click Sites, and then click Add Web Site.
• In the Site name box of the Add Web Site dialog box, type ASP.NET Site,
in the Physical path box, type c:\inetpub\Web_application, in the Host
name box, type LON-CORE.contoso.com, and then click OK.

In the ASP.NET Site result pane, verify that you have the same configuration options as IIS on a Full Installation of Windows Server 2008 R2.

Task 3: Test the ASP.NET Web site on Server Core.


1. On LON-DC1, open the blog Web page and verify whether Windows Server
2008 R2 Core can process the ASP.NET applications.
• On the Start menu of LON-DC1, point to All Programs, and then click
Internet Explorer.
• In the Address bar of the Blank Page - Windows Internet Explorer window, type http://LON-CORE.contoso.com, and then press ENTER.


• In the Internet Explorer dialog box, click Close.
• In the Internet Explorer dialog box, click Close.

After several seconds, the Web page from the ASP.NET application on Server Core will be
displayed. Windows Server 2008 R2 Core is able to process ASP.NET applications.

• In the http://lon-core.contoso.com - Windows Internet Explorer window, click the Close button.
• In the Internet Information Services (IIS) Manager console, click the Close button.
• In the Internet Information Services (IIS) Manager message box, click No.

Exercise 3: Configuring FTP Virtual Host Names and Deploying FTP over SSL

Task 1: Add the FTP Server role service to LON-DC1.


1. On LON-DC1, install the Web Server role service, FTP Server, by using the
Server Manager console.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Server Manager.
• In the tree pane of the Server Manager console, expand Roles, right-click
Web Server (IIS), and then click Add Role Services.
• On the Select Role Services page of the Add Role Services wizard, under
Role services, select the FTP Server check box, and then click Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
Task 2: Add DNS server resource records.

1. On LON-DC1, add two DNS resource records to the Contoso.com Forward Lookup Zone with the following information:
DNS Record 1
• Name: FTP1
• IP address: 192.168.10.1
DNS Record 2
• Name: FTP2
• IP address: 192.168.10.1
• On LON-DC1, in the tree pane of the Server Manager console, under
Roles, expand DNS Server, expand DNS, and then expand LON-DC1.
• In the tree pane, under LON-DC1, expand Forward Lookup Zones, right-click Contoso.com, and then click New Host (A or AAAA).
• In the Name (uses parent domain name if blank) box of the New Host
dialog box, type FTP1, in the IP address box, type 192.168.10.1, and
then click Add Host.
• In the DNS message box, click OK.
• In the Name (uses parent domain name if blank) box of the New Host
dialog box, type FTP2, in the IP address box, type 192.168.10.1, and
then click Add Host.
• In the DNS message box, click OK.
• In the New Host dialog box, click Done.

Task 3: Create two FTP sites that use virtual host names.
1. On LON-DC1, create two FTP sites that use virtual host names by using the
Internet Information Services (IIS) Manager with the following information:
FTP Site1
• FTP site name: FTP Site 1
• Physical path: c:\inetpub\ftproot
• IP Address: 192.168.10.1
• Enable Virtual Host Names
• Virtual Host: ftp1.contoso.com


• No SSL
• Authentication: Basic
• Allow access to: All users
• Permission: Read
FTP Site2
• FTP site name: FTP Site 2
• Physical path: c:\inetpub\contoso
• IP Address: 192.168.10.1
• Enable Virtual Host Names
• Virtual Host: ftp2.contoso.com
• No SSL
• Authentication: Basic
• Allow access to: All users
• Permission: Read and Write
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Internet Information Services (IIS) Manager.
• In the Connections pane of the Internet Information Services (IIS)
Manager console, expand LON-DC1 (CONTOSO\Administrator), right-
click Sites, and then click Add FTP Site.
• On the Site Information page of the Add FTP Site Wizard, in the FTP site
name box, type FTP Site 1, in the Physical path box, type
c:\inetpub\ftproot, and then click Next.
• On the Binding and SSL Settings page, in the IP Address box of the
Binding area, click 192.168.10.1, select the Enable Virtual Host Names
check box, and then in the Virtual Host box, type ftp1.contoso.com.
• On the Binding and SSL Settings page, click No SSL, and then click Next.
• In the Authentication area of the Authentication and Authorization
Information page, select the Basic check box.
• In the Authorization area, in the Allow access to box, click All users, select the Read check box, and then click Finish.
• In the Connections pane of the Internet Information Services (IIS)
Manager console, under LON-DC1 (CONTOSO\Administrator), right-
click Sites, and then click Add FTP Site.
• On the Site Information page of the Add FTP Site Wizard, in the FTP site
name box, type FTP Site 2, in the Physical path box, type
c:\inetpub\contoso, and then click Next.
• On the Binding and SSL Settings page, in the IP Address box of the
Binding area, click 192.168.10.1, select the Enable Virtual Host Names
check box, and then in the Virtual Host box, type ftp2.contoso.com.
• On the Binding and SSL Settings page, click No SSL, and then click Next.
• In the Authentication area of the Authentication and Authorization
Information page, select the Basic check box.
• In the Authorization area, in the Allow access to box, click All users, select the Read and Write check boxes, and then click Finish.

Task 4: Connect to the FTP sites.


1. Open the command prompt and run the following command to connect to the
FTP site, FTP1.

ftp ftp1.contoso.com

• On the Start menu of LON-DC1, point to All Programs, click Accessories, and then click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following command, and then press ENTER.

ftp ftp1.contoso.com

2. Run the following command to provide credentials.

ftp1.contoso.com|administrator
Pa$$w0rd

• At the command prompt, type the following command, and then press
ENTER.
ftp1.contoso.com|administrator

• At the command prompt, type the Password as Pa$$w0rd, and then press
ENTER.
3. Run the following command to create a folder on the FTP1 site.

dir
mkdir FTP1

An "Authorization rules denied the access" error message appears because you have only Read access to the ftp1.contoso.com FTP site.

• At the command prompt, type the following command, and then press
ENTER.

dir

• At the command prompt, type the following command, and then press
ENTER.

mkdir FTP1

An "Authorization rules denied the access" error message appears because you have only Read access to the ftp1.contoso.com FTP site.

• At the command prompt, type the following command, and then press
ENTER.

quit

4. Run the following command to connect to the FTP site, FTP2.

ftp ftp2.contoso.com

• At the command prompt, type the following command, and then press
ENTER.

ftp ftp2.contoso.com

5. Run the following command to provide the credentials.

ftp2.contoso.com|administrator
Pa$$w0rd

• At the command prompt, type the following command, and then press
ENTER.

ftp2.contoso.com|administrator

• At the command prompt, type the Password as Pa$$w0rd, and then press
ENTER.
6. Run the following commands to list the site content and to create a folder on the FTP2 site.

dir
mkdir FTP2

The error message does not appear because you have both Read and Write permissions
to the FTP2.contoso.com ftp site.

• At the command prompt, type the following command, and then press
ENTER.

dir

• At the command prompt, type the following command, and then press
ENTER.

mkdir FTP2

• At the command prompt, type the following command, and then press
ENTER.

quit

Task 5: Create an SSL-enabled FTP Site.

1. On LON-DC1, open the Certificates snap-in for the computer account so that
the computer certificate can be used for SSL.
• On the Start menu of LON-DC1, in the Search programs and files
box, type mmc, and then press ENTER.
• On the File menu of the Console1 - [Console Root] console, click
Add/Remove Snap-in.
• In the Available snap-ins area of the Add or Remove Snap-ins dialog box,
in the Snap-in list, click Certificates, and then click Add.
• In the Certificates snap-in wizard, click Computer account, and then click
Next.
• In the Select Computer wizard, click Finish.
• In the Add or Remove Snap-ins dialog box, click OK.
2. Verify that the certificate with the name LON-DC1.contoso.com is present,
and then change its friendly name to SSL Certificate.
• In the tree pane of the Certificates snap-in, open Certificates (Local
Computer)\Personal\Certificates.
• In the result pane of the Certificates snap-in, verify that certificate with the
name LON-DC1.contoso.com is displayed.
• In the tree pane, right-click LON-DC1.contoso.com, and then click
Properties.
• In the Friendly name box, type SSL Certificate, and then click OK.
• In the Console1 - [Console Root\Certificates (Local
Computer)\Personal\Certificates] window, click the Close button.
• In the Microsoft Management Console message box, click No.
3. On LON-DC1, create an SSL-enabled FTP site by using the Internet
Information Services (IIS) Manager with the following information:
• FTP site name: SSL FTP Site
• Physical path: c:\inetpub\ftproot
• SSL Certificate: SSL Certificate
• Authentication: Basic
• Allow access to: All users
• Permission: Read
• On LON-DC1, in the Connections pane of the Internet Information
Services (IIS) Manager console, under LON-DC1
(CONTOSO\Administrator), right-click Sites, and then click Add FTP
Site.

• On the Site Information page of the Add FTP Site Wizard, in the FTP site
name box, type SSL FTP Site, in the Physical path box, type
c:\inetpub\ftproot, and then click Next.
• On the Binding and SSL Settings page, in the SSL Certificate box of the
SSL area, click SSL Certificate, and then click Next.
• In the Authentication area of the Authentication and Authorization
Information page, select the Basic check box.
• In the Authorization area, in the Allow access to box, click All users,
select the Read check box, and then click Finish.
4. Configure the following additional SSL settings on the SSL FTP site to
ensure that user credentials are always encrypted.
• SSL Policy: Custom
• Control Channel: Require only for credentials
• Data Channel: Allow
• In the Connections pane of the Internet Information Services (IIS)
Manager console, under Sites, click SSL FTP Site.
• In the SSL FTP Site Home result pane, under FTP, double-click FTP SSL
Settings.
• In the SSL Policy area of the FTP SSL Settings page, click Custom, and
then click Advanced.
• In the Control Channel area of the Advanced SSL Policy dialog box, click
Require only for credentials, in the Data Channel area, click Allow, and
then click OK.
• In the Actions pane of the Internet Information Services (IIS) Manager
console, click Apply.
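The wizard choices above (No SSL for FTP1 and FTP2, Require only for credentials for the SSL FTP site) end up as attributes of the site's ftpServer/security/ssl configuration element. The following Windows PowerShell block is an added example, not part of the lab answer key, that reads those attributes for every site with an ftp binding and flags the ones where a Basic logon still crosses the network in the clear. It assumes the IIS 7.5 FTP service and the WebAdministration module (loaded in Exercise 3 of the next lab) on the same server; the function name is an assumption.

```powershell
# Added example, not part of the lab answer key. Reports the FTP SSL policy of every
# site that has an ftp binding so that a site which still accepts logons over an
# unencrypted control channel (the FTP1 and FTP2 sites above) stands out.
# Assumes the IIS 7.5 FTP service and the WebAdministration module; run in an
# elevated Windows PowerShell window on the IIS server.
Import-Module WebAdministration

function Get-FtpSslPolicyReport {
    foreach ($site in Get-ChildItem IIS:\Sites) {
        # Only sites with an ftp binding have a meaningful FTP SSL policy
        $ftpBindings = @($site.bindings.Collection | Where-Object { $_.protocol -eq 'ftp' })
        if ($ftpBindings.Count -eq 0) { continue }

        # Attribute names come from the ftpServer/security/ssl schema element
        $filter = "/system.applicationHost/sites/site[@name='$($site.Name)']/ftpServer/security/ssl"
        $ssl = Get-WebConfiguration -Filter $filter
        $control = [string]$ssl.controlChannelPolicy
        $data    = [string]$ssl.dataChannelPolicy

        # The USER/PASS exchange is protected only when SSL is required on the
        # control channel, either entirely or for credentials only.
        $protected = @('SslRequire', 'SslRequireCredentialsOnly') -contains $control

        New-Object PSObject -Property @{
            Site                 = $site.Name
            ControlChannelPolicy = $control
            DataChannelPolicy    = $data
            CredentialsProtected = $protected
        }
    }
}

# Full report, then only the sites whose logons can be read on the wire
Get-FtpSslPolicyReport |
    Format-Table Site, ControlChannelPolicy, DataChannelPolicy, CredentialsProtected -AutoSize
Get-FtpSslPolicyReport | Where-Object { -not $_.CredentialsProtected } | Select-Object Site
```

In the lab environment the report lists FTP1 and FTP2 with a control channel policy of SslAllow (the No SSL wizard option) and CredentialsProtected set to False, while SSL FTP Site shows SslRequireCredentialsOnly. Because both plain sites use Basic authentication, this is the quickest way to confirm which FTP sites need the Task 5 treatment.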
5. At the command prompt, run the following command to log on to the FTP site
with the user name, Administrator, and the password, Pa$$w0rd.

ftp lon-dc1.contoso.com

You will get an Access Denied message because the SSL policy requires SSL for
credentials, and the FTP client from the command line does not support it.

• At the command prompt of the Administrator: Command Prompt
window, type the following command, and then press ENTER.

ftp lon-dc1.contoso.com

• At the command prompt, type the user name as Administrator, and then
press ENTER.

You will get an Access Denied message, because the SSL policy requires SSL for
credentials, and the FTP client from the command line does not support it.

• In the Administrator: Command Prompt window, click the Close button.


• In the Internet Information Services (IIS) Manager console, click the Close
button.
• In the Server Manager console, click the Close button.

Before proceeding to the next lab, reset the lab environment.

Managing Windows Server 2008 R2 with Windows PowerShell 2.0 L8-1

Managing Windows Server 2008 R2 with
Windows PowerShell 2.0

Lab 8: Managing Windows Server 2008 R2 with
Windows PowerShell 2.0
Exercise 1: Using Windows PowerShell
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.

Task 2: List and use the available commands and aliases.

1. Open the Windows PowerShell window and run the following command to
view the list of commands and their functions.

Get-Command

• On the Start menu of LON-SVR1, click All Programs, click Accessories,
click Windows PowerShell, and then click Windows PowerShell.
• At the command prompt of the Administrator: Windows PowerShell
window, type the following command, and then press ENTER.

Get-Command

At the command prompt, type Add, and then press the TAB key. Verify that tab
completion completes the command name with the first available option, Add-Member.
Press TAB multiple times to verify how tab completion cycles through the matching commands.

2. Run the following command to get help for the Get-Alias command. Also view
the information about the Get-Alias command, such as description, synopsis,
syntax, related links, and remarks.

Get-Help Get-Alias

• At the command prompt, type the following command, and then press
ENTER.

Get-Help Get-Alias

3. Run the following command to view the list of available alias commands.

Get-Alias

• At the command prompt, type the following command, and then press
ENTER.

Get-Alias

4. Run the following command to view the list of all running processes on the
server.

Get-Process

• At the command prompt, type the following command, and then press
ENTER.

Get-Process

5. Run the following command to verify that there is no Processes command
available.

Processes

An error message appears.

• At the command prompt, type the following command, and then press
ENTER.

Processes

An error message appears.

6. Run the following commands to define a new alias and view the list of running
processes.

Set-Alias Processes Get-Process
Processes

• At the command prompt, type the following command, and then press
ENTER.

Set-Alias Processes Get-Process

• At the command prompt, type the following command, and then press
ENTER.

Processes

7. Run the following command to verify that you have defined the new alias,
Processes.

Get-Alias

• At the command prompt, type the following command, and then press
ENTER.

Get-Alias

8. Run the following command to verify that the alias offers the same help
options as the Get-Process command.

Get-Help Processes

• At the command prompt, type the following command, and then press
ENTER.

Get-Help Processes

Task 3: Use pipeline and output formatting.

1. At the command prompt of the Windows PowerShell window, run the
following command to view the list of running processes and to sort them by
their ID.

Get-Process | Sort-Object -Property id

• At the command prompt of the Administrator: Windows PowerShell
window, type the following command, and then press ENTER.

Get-Process | Sort-Object -Property id

2. Run the following command to sort the processes by their ID and to view only
the ID, Handles, and ProcessName of the running process.

Get-Process | Select-Object -Property id,Handles,ProcessName | Sort-Object -Property id

• At the command prompt, type the following command, and then press
ENTER.

Get-Process | Select-Object -Property id,Handles,ProcessName | Sort-Object -Property id

3. Run the following command to view the first 10 running processes sorted by
their ID.

Get-Process | Sort-Object -Property id | Select-Object -First 10

• At the command prompt, type the following command, and then press
ENTER.

Get-Process | Sort-Object -Property id | Select-Object -First 10
4. Run the following command to format the output of the first 10 running
processes sorted by their ID.

Get-Process | Sort-Object -Property id | Select-Object -First 10 | Format-List

• At the command prompt, type the following command, and then press
ENTER.

Get-Process | Sort-Object -Property id | Select-Object -First 10 | Format-List

5. Run the following command to obtain all running processes, sort them by ID,
store them in a variable, and display the processes stored.

$processes = Get-Process | Sort-Object -Property id
$processes

• At the command prompt, type the following command, and then press
ENTER.

$processes = Get-Process | Sort-Object -Property id

• At the command prompt, type the following command, and then press
ENTER.

$processes
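Each pipeline in this task applies one cmdlet to the Get-Process output. The block below is an added example, not part of the lab, that chains the same cmdlets with two the task does not use, Group-Object and calculated properties in Select-Object, to turn the raw process list into a per-image summary that is stored in a variable and queried again. The function name and the 2000-handle threshold are assumptions.

```powershell
# Added example, not part of the lab. Summarises running processes per image name
# using the same pipeline cmdlets as Task 3 plus Group-Object and calculated
# properties. Works on Windows PowerShell 2.0.

function Get-ProcessSummary {
    param([int]$Top = 10)

    Get-Process |
        Group-Object -Property ProcessName |
        Select-Object -Property `
            @{Name = 'Name';         Expression = { $_.Name }},
            @{Name = 'Instances';    Expression = { $_.Count }},
            @{Name = 'Handles';      Expression = { ($_.Group | Measure-Object -Property Handles -Sum).Sum }},
            @{Name = 'WorkingSetMB'; Expression = { [math]::Round((($_.Group | Measure-Object -Property WorkingSet -Sum).Sum) / 1MB, 1) }} |
        Sort-Object -Property Handles -Descending |
        Select-Object -First $Top
}

# Store the result so it can be re-queried without enumerating processes again
$summary = Get-ProcessSummary -Top 10
$summary | Format-Table -AutoSize

# Images holding an unusually large number of handles (threshold is an assumption);
# a steadily growing count for one image is a classic sign of a handle leak
$summary | Where-Object { $_.Handles -gt 2000 } | Format-List Name, Instances, Handles
```

Because $summary holds objects rather than text, the second Where-Object runs against the stored data; only the first call touched the live process table.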

Task 4: Use the Windows PowerShell providers.

1. Run the following commands to use a provider for Windows environment
variables and to add a new Windows environment variable.

cd env:
md Today -Value "enter today's day"

• At the command prompt, type the following command, and then press
ENTER.

cd env:

• At the command prompt, type the following command, and then press
ENTER.

md Today -Value "enter today's day"

2. Run the following command to verify that the new variable, Today, is defined
with the value, Wednesday.

dir

• At the command prompt, type the following command, and then press ENTER.

dir

3. Run the following command to use a provider for Windows registry and to
add a new Windows registry key.

cd hkcu:
md Wednesday

• At the command prompt, type the following command, and then press
ENTER.

cd hkcu:

• At the command prompt, type the following command, and then press
ENTER.

md Wednesday

4. Open Registry Editor and verify that the HKCU registry hive contains the
Wednesday key.

regedit

• At the command prompt, type the following command, and then press
ENTER.

regedit

• In the tree pane of the Registry Editor console, expand
HKEY_CURRENT_USER, verify that the Wednesday key is present, and
then click the Close button.
5. Use a provider for digital certificates and navigate to the local computer
certificate store by running the following commands.

cd cert:
cd localmachine\my

• At the command prompt, type the following command, and then press
ENTER.

cd cert:

• At the command prompt, type the following command, and then press
ENTER.

cd localmachine\my

6. View the list of digital certificates in the computer store by running the
following command.

dir

• At the command prompt, type the following command, and then press
ENTER.

dir

7. Open the Certificates snap-in and verify that the computer certificates are
the same as those listed by Windows PowerShell.
• On the Start menu, click Run.
• In the Open box of the Run dialog box, type mmc, and then click OK.
• On the File menu of the Console1 - [Console Root] console, click
Add/Remove Snap-in.
• In the Available snap-ins area of the Add or Remove Snap-ins dialog box,
in the Snap-in list, click Certificates, and then click Add.
• In the Certificates snap-in dialog box, click Computer account, and then
click Next.
• In the Select Computer dialog box, click Finish.
• In the Add or Remove Snap-ins dialog box, click OK.
• In the tree pane of the Console1 - [Console Root] console, expand
Certificates (Local Computer), expand Personal, and then click
Certificates.
• In the Console1 - [Console Root\Certificates (Local Computer)\Personal\
Certificates] console, click the Close button.
• In the Microsoft Management Console message box, click No.
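The cert: provider exposes certificates as objects, so the same dir listing used in step 6 can be filtered on certificate properties. The block below is an added example, not part of the lab, that walks a store (by default the local computer's Personal store that the SSL FTP site in Lab 7 depends on) and lists certificates that have expired or expire within a number of days. The function name and the 30-day window are assumptions.

```powershell
# Added example, not part of the lab. Uses the cert: provider from Task 4 to find
# certificates in the local computer's stores that have expired or are about to,
# which is the usual reason an SSL-enabled site stops accepting connections.
# Run in an elevated Windows PowerShell window.

function Get-ExpiringCertificate {
    param(
        [string]$StorePath  = 'cert:\LocalMachine\My',
        [int]   $WithinDays = 30
    )
    $now      = Get-Date
    $deadline = $now.AddDays($WithinDays)

    # -Recurse lets a store root such as cert:\LocalMachine be passed as well;
    # the type check skips the store container objects that a recursive listing yields
    Get-ChildItem -Path $StorePath -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { $_.NotAfter -le $deadline } |
        Sort-Object -Property NotAfter |
        Select-Object -Property Subject, FriendlyName, Thumbprint, NotAfter,
            @{Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $now).TotalDays }}
}

# Personal store of the computer (where the lab's SSL Certificate lives)
Get-ExpiringCertificate -WithinDays 30 | Format-Table -AutoSize

# Every store under the local computer
Get-ExpiringCertificate -StorePath 'cert:\LocalMachine' -WithinDays 30 | Format-Table -AutoSize
```

A negative DaysLeft value marks a certificate that has already expired; the Thumbprint column is what you need when matching the certificate against an IIS binding.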

Task 5: Use Windows PowerShell remoting.

1. On LON-DC1, open the Windows PowerShell window and run the following
command to verify that, by default, a PowerShell command cannot be executed
on the remote system.

Invoke-Command -ComputerName LON-SVR1 {Get-Process}

An error message appears stating that WinRM is not enabled by default on the remote
Windows Server 2008 R2 computer.

• On the Start menu of LON-DC1, click All Programs, click Accessories,
click Windows PowerShell, and then click Windows PowerShell.
• At the command prompt of the Administrator: Windows PowerShell
window, type the following command, and then press ENTER.

Invoke-Command -ComputerName LON-SVR1 {Get-Process}

After some time you will get an error, because WinRM is not enabled by default on the
remote Windows Server 2008 R2 computer.

2. On LON-SVR1, run the following command to enable Windows PowerShell
remoting.

Enable-PSRemoting -Force

• On LON-SVR1, at the command prompt of the Administrator: Windows
PowerShell window, type the following command, and then press ENTER.

Enable-PSRemoting -Force

• In the Administrator: Windows PowerShell window, click the Close
button.
3. On LON-DC1, run the following command again to view the list of running
processes.

Invoke-Command -ComputerName LON-SVR1 {Get-Process}

• On LON-DC1, at the command prompt of the Administrator: Windows
PowerShell window, type the following command, and then press ENTER.

Invoke-Command -ComputerName LON-SVR1 {Get-Process}

• In the Administrator: Windows PowerShell window, click the Close
button.
4. On LON-SVR1, run the following command to view the first 10 running
processes sorted by ID from LON-SVR1.

Invoke-Command -ComputerName LON-SVR1 {Get-Process | Sort-Object -Property id | Select-Object -First 10}

• On LON-SVR1, at the command prompt, type the following command,
and then press ENTER.

Invoke-Command -ComputerName LON-SVR1 {Get-Process | Sort-Object -Property id | Select-Object -First 10}

• In the Administrator: Windows PowerShell window, click the Close
button.

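Step 1 of this task showed that Invoke-Command against a computer without a WinRM listener fails only after a long wait. The block below is an added example, not part of the lab, that wraps the same Invoke-Command call with a Test-WSMan reachability check so that computers still waiting for Enable-PSRemoting are reported by name up front, and that passes the "first N" value into the remote script block as an argument instead of hard-coding it. The computer names are the lab's; the function name is an assumption.

```powershell
# Added example, not part of the lab. Runs the Task 5 process query against several
# computers, skipping (and naming) any where the WinRM listener is not reachable.
# Assumes Windows PowerShell 2.0 on both ends and that the caller's account is an
# administrator on the targets, as in the lab.

function Invoke-RemoteProcessList {
    param(
        [string[]]$ComputerName,
        [int]     $First = 10
    )
    foreach ($computer in $ComputerName) {
        # Test-WSMan sends a WS-Management Identify request; it fails fast when no
        # listener exists (the state before Enable-PSRemoting -Force has been run)
        $listener = Test-WSMan -ComputerName $computer -ErrorAction SilentlyContinue
        if (-not $listener) {
            Write-Warning "$computer : WinRM listener not reachable; run Enable-PSRemoting -Force on it"
            continue
        }

        # Variables are not shared with the remote session, so $First is passed
        # through -ArgumentList and received by the param() block
        Invoke-Command -ComputerName $computer -ScriptBlock {
            param($count)
            Get-Process | Sort-Object -Property Id | Select-Object -First $count
        } -ArgumentList $First |
            Select-Object -Property PSComputerName, Id, Handles, ProcessName
    }
}

Invoke-RemoteProcessList -ComputerName LON-SVR1, LON-DC1 -First 10 | Format-Table -AutoSize
```

Run before step 2, the function warns about LON-SVR1 and returns only LON-DC1's processes; after Enable-PSRemoting -Force on LON-SVR1 both computers appear, distinguished by the PSComputerName property that Invoke-Command adds to every returned object.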

Exercise 2: Working with Active Directory by Using the
Active Directory PowerShell Module

Task 1: Add Windows PowerShell ISE and import the Active Directory
module.
1. On LON-DC1, install the Windows PowerShell Integrated Scripting
Environment (ISE) feature by using the Server Manager console.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Server Manager.
• In the tree pane of the Server Manager console, right-click
Features, and then click Add Features.


• On the Select Features page of the Add Features Wizard, under Features,
select the Windows PowerShell Integrated Scripting Environment (ISE)
check box, and then click Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
• In the Server Manager console, click the Close button.
2. Open the Windows PowerShell ISE window and run the following command
to verify that there are no Active Directory commands.

Get-Command *-ad*

• On the Start menu, in the Search programs and files box, type power,
and then click Windows PowerShell ISE.
• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.

Get-Command *-ad*

3. Import the Active Directory module and then verify whether the Active
Directory commands are added by running the following command.

Import-Module ActiveDirectory
Get-Command *-ad*

• At the command prompt, type the following command, and then press
ENTER.

Import-Module ActiveDirectory

• At the command prompt, type the following command, and then press
ENTER.

Get-Command *-ad*

75 Active Directory commands and the Active Directory provider are displayed.

Task 2: Use the Active Directory provider to view the objects
metadata.
1. On LON-DC1, run the following command to use a provider for Active
Directory and to list the information in Active Directory.

cd AD:
dir

• On LON-DC1, at the command prompt, type the following command, and
then press ENTER.

cd AD:

• At the command prompt, type the following command, and then press
ENTER.

dir

2. Query the information on the contoso.com domain and the domain controller
that you are using in the contoso.com domain by running the following
command.

Get-ADDomain Contoso.com
Get-ADDomainController

• At the command prompt, type the following command, and then press
ENTER.

Get-ADDomain Contoso.com

• At the command prompt, type the following command, and then press
ENTER.

Get-ADDomainController

3. Query the information in a global catalog in the forest and the domain
password policy in the contoso.com domain by running the following
command.

Get-ADDomainController -Discover -Service "GlobalCatalog"
Get-ADDefaultDomainPasswordPolicy Contoso.com

• At the command prompt, type the following command, and then press
ENTER.

Get-ADDomainController -Discover -Service "GlobalCatalog"

• At the command prompt, type the following command, and then press
ENTER.

Get-ADDefaultDomainPasswordPolicy Contoso.com

4. Count the number of Active Directory objects and view all the computer
objects in the domain in the form of a table by running the following
command.

Get-ADObject -Filter {name -like '*'} -SearchBase 'DC=Contoso,DC=com' | Measure-Object
Get-ADObject -Filter 'ObjectClass -eq "Computer"' -SearchBase 'DC=Contoso,DC=com' -Properties Name,SamAccountName | Format-Table Name,SamAccountName

• At the command prompt, type the following command, and then press
ENTER.

Get-ADObject -Filter {name -like '*'} -SearchBase 'DC=Contoso,DC=com' | Measure-Object

• At the command prompt, type the following command, and then press
ENTER.

Get-ADObject -Filter 'ObjectClass -eq "Computer"' -SearchBase 'DC=Contoso,DC=com' -Properties Name,SamAccountName | Format-Table Name,SamAccountName

5. Run the following command to export all objects from the Users container to a
CSV file.

Get-ADObject -Filter 'Name -like "*"' -SearchBase 'CN=Users,DC=Contoso,DC=com' | Export-CSV "c:\Export.csv"

• At the command prompt, type the following command, and then press
ENTER.

Get-ADObject -Filter 'Name -like "*"' -SearchBase 'CN=Users,DC=Contoso,DC=com' | Export-CSV "c:\Export.csv"

6. Verify that the c:\export.csv file contains information about objects in the
Users container.
• On the Start menu, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, right-click Export.csv, and
then click Open.
• In the Windows dialog box, click Select a program from a list of
installed programs, and then click OK.
• In the Open with dialog box, click WordPad, and then click OK.
• In the Export.csv - WordPad window, click the Close button.
• In the Local Disk (C:) window, click the Close button.

Task 3: Use Windows PowerShell to work with user and group
accounts.
1. On LON-DC1, run the following commands to navigate through Active
Directory.

cd "cn=users,dc=contoso,dc=com"
dir

• On LON-DC1, at the command prompt of the Administrator: Windows
PowerShell ISE window, type the following command, and then press
ENTER.

cd "cn=users,dc=contoso,dc=com"

• At the command prompt, type the following command, and then press
ENTER.

dir

Open Active Directory Users and Computers and compare the output of the dir alias with
content of Users container.
2. On LON-DC1, create a new Active Directory user, User1, and move User1 to
the Remote Access organizational unit by running the following commands.

New-ADUser User1
Move-ADObject -Identity "cn=User1,cn=Users,dc=contoso,dc=com" -TargetPath "OU=Remote Access,dc=contoso,dc=com"

• On LON-DC1, at the command prompt, type the following command, and
then press ENTER.

New-ADUser User1

• At the command prompt, type the following command, and then press
ENTER.

Move-ADObject -Identity "cn=User1,cn=Users,dc=contoso,dc=com" -TargetPath "OU=Remote Access,dc=contoso,dc=com"

3. Create a User2 Active Directory user by running the following command.

New-ADUser User2 -Path "OU=Remote Access,DC=contoso,DC=com"

• At the command prompt, type the following command, and then press
ENTER.

New-ADUser User2 -Path "OU=Remote Access,DC=contoso,DC=com"

4. Create a User3 Active Directory user with additional attributes by running the
following command.

New-ADUser -SamAccountName User3 -Name "User 3" -AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) -Enabled $true -Path "OU=Remote Access,DC=contoso,DC=com"

The password is placed in single quotes: inside double quotes Windows PowerShell would
expand $$ as a variable and the account would get a different password from the one intended.

• At the command prompt, type the following command, and then press
ENTER.

New-ADUser -SamAccountName User3 -Name "User 3" -AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) -Enabled $true -Path "OU=Remote Access,DC=contoso,DC=com"

5. Run the following command to modify the properties of the user.

Set-ADUser User1 -GivenName "Name" -Surname "Family name"
Set-ADUser User2 -HomePage "http://www.contoso.com"

• At the command prompt, type the following command, and then press
ENTER.

Set-ADUser User1 -GivenName "Name" -Surname "Family name"

• At the command prompt, type the following command, and then press
ENTER.

Set-ADUser User2 -HomePage "http://www.contoso.com"

6. Open the Active Directory Users and Computers console and verify that the
First and Last names have been defined for User1. Also verify that the Home
page has been defined for User2.
• On the Start menu, point to Administrative Tools, and then click Active
Directory Users and Computers.
• In the tree pane of the Active Directory Users and Computers console,
expand Contoso.com, and then click Remote Access.
• In the Name list of the Remote Access result pane, right-click User1, and
then click Properties.
• In the User1 Properties dialog box, click Cancel.
• In the Name list of the Remote Access result pane, right-click User2, and
then click Properties.
• In the User2 Properties dialog box, click Cancel.
• In the Active Directory Users and Computers console, click the Close
button.
7. Run the following command to modify the properties of multiple users.

Get-ADUser -Filter 'Name -like "User*"' -SearchBase "OU=Remote Access,DC=contoso,DC=com" | Set-ADUser -Description "Remote Access User"

• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.

Get-ADUser -Filter 'Name -like "User*"' -SearchBase "OU=Remote Access,DC=contoso,DC=com" | Set-ADUser -Description "Remote Access User"

8. Open the Active Directory Users and Computers console and verify that
User1, User2, and User3 have the description set to Remote Access User.
• On the Start menu, point to Administrative Tools, and then click Active
Directory Users and Computers.
• In the Name list of the Remote Access result pane, right-click User1, and
then click Properties.
• In the User1 Properties dialog box, click Cancel.
• In the Name list of the Remote Access result pane, right-click User2, and
then click Properties.
• In the User2 Properties dialog box, click Cancel.
• In the Name list of the Remote Access result pane, right-click User3, and
then click Properties.
• In the User3 Properties dialog box, click Cancel.
9. Run the following command to view the list of disabled accounts.

Search-ADAccount -AccountDisabled | where {$_.ObjectClass -eq 'user'} | Format-Table Name

• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.

Search-ADAccount -AccountDisabled | where {$_.ObjectClass -eq 'user'} | Format-Table Name

10. Delete the User1 account from Active Directory by running the following
command.

Remove-ADUser User1

• At the command prompt, type the following command, and then press
ENTER.

Remove-ADUser User1

• In the Confirm message box, click Yes.
11. In the Active Directory Users and Computers console, verify that User1 is no
longer present.
• In the Active Directory Users and Computers console, click the Remote
Access OU, and then click the Refresh icon.
• In the Remote Access result pane, verify that User1 is no longer present.
12. Add User2 to the RD Users group by running the following command:

Add-ADGroupMember -Identity "RD Users" -Member User2

• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.

Add-ADGroupMember -Identity "RD Users" -Member User2

13. In the Active Directory Users and Computers console, verify that RD Users
group (in Remote Access OU) has User2 as a member.
• In the Name list of the Remote Access result pane, right-click RD Users,
and then click Properties.
• On the Members tab of the RD Users Properties dialog box, ensure that
User2 is a member, and then click Cancel.
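Step 9 used Search-ADAccount for one condition (disabled accounts) and Task 2 step 5 used Export-CSV for one container. The block below is an added example, not part of the lab, that puts the two together into an account review: disabled users, users whose password never expires, and users inactive for a period are gathered under a search base, tagged with the finding, and written to a single CSV for follow-up. The function name, the output path and the 90-day inactivity threshold are assumptions; the cmdlet parameters are those of the Windows Server 2008 R2 Active Directory module.

```powershell
# Added example, not part of the lab. Builds one CSV of user accounts that need a
# look: disabled, password never expires, or no logon within the given period.
# Run in the Windows PowerShell ISE on LON-DC1 as in the lab.
Import-Module ActiveDirectory

function Export-ADAccountReview {
    param(
        [string]$SearchBase   = 'DC=contoso,DC=com',
        [int]   $InactiveDays = 90,
        [string]$Path         = 'C:\AccountReview.csv'   # assumed output location
    )
    $span = New-TimeSpan -Days $InactiveDays

    # Each entry pairs a finding label with the Search-ADAccount query that produces it;
    # -UsersOnly replaces the "where ObjectClass -eq 'user'" filter used in step 9
    $findings = @(
        @{ Finding = 'Disabled';
           Accounts = Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $SearchBase },
        @{ Finding = 'PasswordNeverExpires';
           Accounts = Search-ADAccount -PasswordNeverExpires -UsersOnly -SearchBase $SearchBase },
        @{ Finding = "InactiveOver${InactiveDays}Days";
           Accounts = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly -SearchBase $SearchBase }
    )

    $rows = foreach ($f in $findings) {
        foreach ($account in $f.Accounts) {
            New-Object PSObject -Property @{
                Finding           = $f.Finding
                SamAccountName    = $account.SamAccountName
                Enabled           = $account.Enabled
                LastLogonDate     = $account.LastLogonDate
                DistinguishedName = $account.DistinguishedName
            }
        }
    }

    $rows |
        Select-Object Finding, SamAccountName, Enabled, LastLogonDate, DistinguishedName |
        Export-Csv -Path $Path -NoTypeInformation
    $rows
}

# Write the CSV and show how many accounts fell under each finding
Export-ADAccountReview | Group-Object -Property Finding | Select-Object Name, Count
```

An account can appear under more than one finding (a disabled account is often inactive as well), which is intended: the Finding column lets the CSV be sorted by the condition that matters for the review at hand. In the lab domain, User1 and User2 show up as Disabled because New-ADUser creates accounts disabled unless -Enabled $true and a password are supplied, as was done for User3.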

Task 4: Use Windows PowerShell to work with organizational units.

1. Run the following commands to create a new Active Directory organizational
unit and to display the organizational units in Active Directory in the form of a
table.

New-ADOrganizationalUnit -Name "User Accounts" -Path "DC=contoso,DC=com"
Get-ADOrganizationalUnit -Filter {Name -like '*'} | Format-Table Name, DistinguishedName -A

• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.

New-ADOrganizationalUnit -Name "User Accounts" -Path "DC=contoso,DC=com"

• At the command prompt, type the following command, and then press
ENTER.

Get-ADOrganizationalUnit -Filter {Name -like '*'} | Format-Table Name, DistinguishedName -A

2. Run the following command to find the organizational units that match certain
criteria and modify their description.

Get-ADOrganizationalUnit -Filter {Name -like 'User*'} | Set-ADOrganizationalUnit -Description "User organizational unit"

• At the command prompt, type the following command, and then press
ENTER.

Get-ADOrganizationalUnit -Filter {Name -like 'User*'} | Set-ADOrganizationalUnit -Description "User organizational unit"

3. Move a user to an organizational unit by running the following command.

Get-ADUser User2 | Move-ADObject -TargetPath "OU=User Accounts,dc=contoso,dc=com"

• At the command prompt, type the following command, and then press
ENTER.

Get-ADUser User2 | Move-ADObject -TargetPath "OU=User Accounts,dc=contoso,dc=com"

4. Run the following command to verify whether you can delete an
organizational unit.

Remove-ADOrganizationalUnit "OU=User Accounts,dc=contoso,dc=com" -Recursive

The command will fail, because organizational units are protected from accidental
deletion by default.

• At the command prompt, type the following command, and then press
ENTER.

Remove-ADOrganizationalUnit "OU=User Accounts,dc=contoso,dc=com" -Recursive

• In the Confirm message box, click Yes.

The command will fail, because organizational units are protected from accidental
deletion by default.

5. Delete an organizational unit by running the following commands.

Set-ADOrganizationalUnit "OU=User Accounts,dc=contoso,dc=com" -ProtectedFromAccidentalDeletion $False
Remove-ADOrganizationalUnit "OU=User Accounts,dc=contoso,dc=com" -Recursive

• At the command prompt, type the following command, and then press
ENTER.

Set-ADOrganizationalUnit "OU=User Accounts,dc=contoso,dc=com" -ProtectedFromAccidentalDeletion $False

• At the command prompt, type the following command, and then press
ENTER.

Remove-ADOrganizationalUnit "OU=User Accounts,dc=contoso,dc=com" -Recursive

• In the Confirm message box, click Yes.


6. In the Active Directory Users and Computers console, verify that the User
Accounts OU in the contoso.com domain is no longer present.
• In the Active Directory Users and Computers console, right-click
Contoso.com, and then click Refresh.
• In the Contoso.com result pane, ensure that User Accounts OU is no
longer present.
• In the Active Directory Users and Computers console, click the Close
button.
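The failure in step 4 is the safeguard working, so it is worth auditing rather than just clearing. The script below is an added example and is not part of the 10159A lab: it lists OUs whose accidental-deletion protection is off, re-enables it, and wraps the step 5 delete so that protection is cleared for one named OU only, under -WhatIf and -Confirm control. The function names and the default search base are the example's own choices; the cmdlets are the ones the lab uses.

```powershell
# Added example, not part of the 10159A lab. Requires the ActiveDirectory
# module (domain controller or RSAT on Windows Server 2008 R2). Function
# names and the default search base are this example's own choices.
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    # Returns every OU under $SearchBase whose accidental-deletion protection
    # is off. The attribute is not returned by default, hence -Properties.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Restore-OUProtection {
    # Re-enables protection on each unprotected OU and emits the DN of every
    # OU it changed, so a run can be logged or reviewed. Honors -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    foreach ($ou in Get-UnprotectedOU -SearchBase $SearchBase) {
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Enable ProtectedFromAccidentalDeletion')) {
            Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $true
            $ou.DistinguishedName
        }
    }
}

function Remove-OUDeliberately {
    # Deletes one OU and its contents. Protection is cleared only for that
    # single OU, immediately before the delete, and only after ShouldProcess
    # agrees: ConfirmImpact High means a prompt unless -Confirm:$false is
    # passed, and -WhatIf reports without touching the directory.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Clear protection and delete OU recursively')) {
        Set-ADOrganizationalUnit -Identity $DistinguishedName -ProtectedFromAccidentalDeletion $false
        Remove-ADOrganizationalUnit -Identity $DistinguishedName -Recursive -Confirm:$false
    }
}

# Usage, mirroring the lab: list unprotected OUs, restore protection, and
# show what deleting the lab OU would do before doing it.
Get-UnprotectedOU | Select-Object Name, DistinguishedName
Restore-OUProtection -WhatIf
Remove-OUDeliberately -DistinguishedName 'OU=User Accounts,DC=contoso,DC=com' -WhatIf
```

Child OUs that are themselves protected still block -Recursive, so a failure there is again the safeguard doing its job; running Get-UnprotectedOU with -SearchBase set to the target DN shows which children would need the same deliberate treatment.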

Exercise 3: Managing IIS by Using Windows PowerShell


Task 1: Set the execution policy and load the Web Administration module.
1. On LON-DC1, in the Windows PowerShell ISE window, run the following
commands to verify that there are no Web Administration–related commands
and to set the execution policy.

Get-Command *-web*
Set-ExecutionPolicy RemoteSigned

• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.

Get-Command *-web*

• At the command prompt, type the following command, and then press
ENTER.

Set-ExecutionPolicy RemoteSigned

• In the Execution Policy Change message box, click Yes.

The Web Administration module includes scripts, which are not allowed to run by default.
To allow them, you must either digitally sign them or set the execution policy to RemoteSigned.

2. Add the Web Administration module, and then view the Web Administration–
related commands by running the following commands:

Import-Module WebAdministration
Get-Command *-web*

• At the command prompt, type the following command, and then press
ENTER.

Import-Module WebAdministration

• At the command prompt, type the following command, and then press
ENTER.

Get-Command *-web*
More than 70 Web Administration commands and the Web Administration (IIS:) provider are
displayed.

Task 2: Explore Web Administration, create a Web site, and define its binding.
1. Run the following commands to use the Web Administration provider and to
display the information in Internet Information Services.

cd IIS:
dir

• At the command prompt, type the following command, and then press
ENTER.

cd IIS:

• At the command prompt, type the following command, and then press
ENTER.

dir

2. Run the following commands to move to the Sites folder and list the sites on
LON-DC1.

cd Sites
dir

• At the command prompt, type the following command, and then press
ENTER.

cd Sites

• At the command prompt, type the following command, and then press
ENTER.

dir

3. Open the Internet Information Services (IIS) Manager console and verify that
the same sites are available as those in the Windows PowerShell environment.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Internet Information Services (IIS) Manager.


• In the Connections pane of the Internet Information Services (IIS)
Manager console, expand LON-DC1 (CONTOSO\Administrator),
expand Sites, and verify that the same sites are available as in Windows
PowerShell Environment.
4. Run the following commands to create a new Web site and to display the Web
sites on LON-DC1.

New-Website -Name "Demo site" -IPAddress 192.168.10.1 -PhysicalPath "$env:systemdrive\inetpub\contoso"
dir

• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.

New-Website -Name "Demo site" -IPAddress 192.168.10.1 -PhysicalPath "$env:systemdrive\inetpub\contoso"

• At the command prompt, type the following command, and then press
ENTER.

dir

5. In the Internet Information Services (IIS) Manager console, verify that the new
Web site, Demo Site, is present.
• In the Internet Information Services (IIS) Manager console, right-click
Sites, click Refresh, and then verify that the new Web site, Demo Site, is
present.
6. Define the host name binding for the created Web site by running the
following command:

New-WebBinding -Name "Demo Site" -HostHeader "LON-DC1.contoso.com"

• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.

New-WebBinding -Name "Demo Site" -HostHeader "LON-DC1.contoso.com"
7. In the Internet Information Services (IIS) Manager console, verify that the Web
site has two bindings, one with the IP address and the other with the host name
defined.
• In the Connections pane of the Internet Information Services (IIS)
Manager console, under Sites, click Demo Site.
• In the Actions pane, under Edit Site, click Bindings.
• In the Site Bindings dialog box, ensure that there are two bindings, and then
click Close.
8. Open the Internet Explorer window, connect to the new Web site,
lon-dc1.contoso.com, and then press ENTER.
• On the Start menu, point to All Programs, and then click Internet
Explorer.
• In the Address bar of the Blank Page - Windows Internet Explorer
window, type lon-dc1.contoso.com, and then press ENTER.
• In the Internet Explorer dialog box, click Close.
• The new Web site is displayed in the Home - Windows Internet Explorer
window.
9. Add a virtual directory to the existing Web site by running the following
command.

New-WebVirtualDirectory -Site "Demo Site" -Name "Subfolder" -PhysicalPath "$env:systemdrive\inetpub\wwwroot"

• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.

New-WebVirtualDirectory -Site "Demo Site" -Name "Subfolder" -PhysicalPath "$env:systemdrive\inetpub\wwwroot"

10. In the Internet Explorer window, connect to http://lon-dc1.contoso.com/subfolder
to view the default IIS Web page.
• In the Address bar of the Home - Windows Internet Explorer window,
type http://lon-dc1.contoso.com/subfolder, and then press ENTER.
Task 3: Create an application pool and set the Web site to run in the created application pool.


1. In the Windows PowerShell ISE window, run the following commands to create
a new application pool, DemoAppPool, and to set the Demo Web site to run in
DemoAppPool.

New-WebAppPool DemoAppPool
Set-ItemProperty "IIS:\Sites\Demo Site" -Name applicationPool -Value DemoAppPool

• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.

New-WebAppPool DemoAppPool

• At the command prompt, type the following command, and then press
ENTER.

Set-ItemProperty "IIS:\Sites\Demo Site" -Name applicationPool -Value DemoAppPool

2. In the Internet Information Services (IIS) Manager console, verify that the
Demo site runs in the DemoAppPool application pool.
• In the Actions pane of the Internet Information Services (IIS) Manager
console, under Edit Site, click Basic Settings.
• In the Edit Site dialog box, ensure that Application Pool is
DemoAppPool, and then click Cancel.
• In the IIS - Windows Internet Explorer window, click the Refresh button.
3. Delete the Demo Web site by running the following command:

Remove-Website -Name "Demo Site"

• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.

Remove-Website -Name "Demo Site"

4. In the Internet Information Services (IIS) Manager console, verify that Demo
Site is no longer present.
• In the Connections pane of the Internet Information Services (IIS)
Manager console, right-click LON-DC1 (CONTOSO\Administrator), and
then click Refresh.
• In the Connections pane, under LON-DC1 (CONTOSO\Administrator),
expand Sites, and ensure that Demo Web site is no longer present.
• In the Internet Information Services (IIS) Manager console, click the Close
button.
• In the IIS7 - Windows Internet Explorer window, click the Close button.
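As an added example, not from the lab or from the WebAdministration module itself, the script below generalizes Task 2 and Task 3: it provisions a site in its own application pool so that sites do not share a worker process and identity, and it lists pools that host more than one site. The function names, the paths, the host name and the processModel.identityType value it sets are the example's own assumptions; the cmdlets and IIS: provider paths are those the lab uses.

```powershell
# Added example (not part of the 10159A lab): provision a site in its own
# application pool and audit pool sharing across all sites. Uses the
# WebAdministration module and IIS: provider of Windows Server 2008 R2.
# Names, paths and the host name below are illustrative assumptions.
Import-Module WebAdministration

function New-IsolatedWebsite {
    # One application pool per site: a compromise of one site's worker
    # process then does not run under another site's identity. Idempotent:
    # an existing pool, site or binding is left alone.
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$PhysicalPath,
        [Parameter(Mandatory = $true)][string]$HostHeader,
        [string]$IPAddress = '*'
    )
    if (-not (Test-Path $PhysicalPath)) { New-Item -ItemType Directory -Path $PhysicalPath | Out-Null }

    if (-not (Test-Path "IIS:\AppPools\$Name")) {
        New-WebAppPool -Name $Name | Out-Null
        # 4 = ApplicationPoolIdentity, a per-pool virtual account with no
        # rights beyond what is granted to it explicitly. Assumption: the
        # IIS: provider accepts the numeric value on this host.
        Set-ItemProperty "IIS:\AppPools\$Name" -Name processModel.identityType -Value 4
    }

    if (-not (Test-Path "IIS:\Sites\$Name")) {
        New-Website -Name $Name -PhysicalPath $PhysicalPath -ApplicationPool $Name `
            -IPAddress $IPAddress -HostHeader $HostHeader | Out-Null
    } else {
        # Site already exists: only make sure it runs in its own pool.
        Set-ItemProperty "IIS:\Sites\$Name" -Name applicationPool -Value $Name
    }
    Get-Website -Name $Name
}

function Get-SharedAppPool {
    # Lists application pools that host more than one site. Each entry is a
    # candidate for splitting, because sites in one pool share a process.
    Get-Website | Group-Object applicationPool | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                AppPool = $_.Name
                Sites   = ($_.Group | ForEach-Object { $_.Name }) -join ', '
            }
        }
}

# Usage: values are illustrative, not the lab's exact ones.
New-IsolatedWebsite -Name 'Demo Site' -PhysicalPath "$env:systemdrive\inetpub\contoso" `
    -HostHeader 'lon-dc1.contoso.com' -IPAddress 192.168.10.1
Get-SharedAppPool | Format-Table AppPool, Sites -AutoSize
```

New-WebAppPool on IIS 7.5 already defaults to ApplicationPoolIdentity; the explicit Set-ItemProperty documents the intent and protects against a changed server default. Run Get-SharedAppPool after the lab's exercise to see which sites on LON-DC1 still share the default pool.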

Exercise 4: Configuring Server Manager Server Roles and Features by Using Windows PowerShell

Task 1: Import the Server Manager module, view server roles, and add a feature.
1. In the Windows PowerShell ISE window, run the following commands to
import the ServerManager PowerShell module and to view the loaded Server
Manager module.

Import-Module ServerManager
Get-Module ServerManager

• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.

Import-Module ServerManager

• At the command prompt, type the following command, and then press
ENTER.

Get-Module ServerManager

2. Run the following commands to view the available Server Manager commands
and to view the list of server roles and features.

Get-Command *feature*
Get-WindowsFeature
• At the command prompt, type the following command, and then press
ENTER.

Get-Command *feature*

• At the command prompt, type the following command, and then press
ENTER.

Get-WindowsFeature

3. In the Server Manager console, verify that the Network Load Balancing feature
is not installed.
• On the Start menu of LON-DC1 server, point to Administrative Tools,
and then click Server Manager.
• In the tree pane of the Server Manager console, click Features.
• In the Features result pane, verify that the Network Load Balancing
feature is not installed.
4. Add the Network Load Balancing feature, whose feature name is NLB, by
running the following command.

Add-WindowsFeature NLB

• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.

Add-WindowsFeature NLB

5. In the Server Manager console, verify that the Network Load Balancing feature
is now installed.
• In the tree pane of the Server Manager console, right-click Features, click
Refresh, and then click Features.
• In the Features result pane, ensure that the Network Load Balancing
feature is now installed.

Task 2: Add the server feature to the remote server.
1. On LON-SVR1, open the Server Manager console and verify that the Network
Load Balancing feature is not installed.
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Server Manager.
• In the tree pane of the Server Manager console, click Features.
• In the Features result pane, ensure that the Network Load Balancing
feature is not installed.
2. On LON-DC1, in the Windows PowerShell window, run the following
command to verify that the Network Load Balancing feature is not installed on
LON-SVR1 and then install it on the remote server.

Invoke-Command -ComputerName LON-SVR1 {Import-Module ServerManager; Get-WindowsFeature}
Invoke-Command -ComputerName LON-SVR1 {Import-Module ServerManager; Add-WindowsFeature NLB}

• On LON-DC1, at the command prompt of the Administrator: Windows
PowerShell ISE window, type the following command, and then press
ENTER.

Invoke-Command -ComputerName LON-SVR1 {Import-Module ServerManager; Get-WindowsFeature}

• At the command prompt, type the following command, and then press
ENTER.

Invoke-Command -ComputerName LON-SVR1 {Import-Module ServerManager; Add-WindowsFeature NLB}

3. On LON-SVR1, verify that the Network Load Balancing feature is now installed
by using the Server Manager console.
• On LON-SVR1, in the tree pane of the Server Manager console, click
Features.
• In the Features result pane, ensure that the Network Load Balancing
feature is now installed.
• In the Server Manager console, click the Close button.
• On LON-DC1, in the Server Manager console, click the Close button.
• On LON-DC1, in the Administrator: Windows PowerShell ISE window,
click the Close button.
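The following is an added example, not part of the lab: it extends the Invoke-Command step to several servers, installs the feature only where Get-WindowsFeature reports it missing, and returns one result object per host instead of the full feature list. The function name and the server list are the example's own; it assumes PowerShell remoting is enabled on each target, as the lab's remote step already requires.

```powershell
# Added example (not part of the 10159A lab): install a feature on several
# servers only where it is missing and report the outcome per host.
# Assumes PowerShell remoting is enabled on the targets. Server names are
# the lab's; the function name is this example's own.
function Install-FeatureWhereMissing {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][string]$Feature
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Feature -ScriptBlock {
        param($Feature)
        Import-Module ServerManager
        # Get-WindowsFeature returns nothing for an unknown feature name, so
        # a typo is reported rather than silently "installed".
        $before = Get-WindowsFeature -Name $Feature -ErrorAction SilentlyContinue
        if ($before -eq $null) {
            $state = 'UnknownFeature'; $restart = 'No'
        } elseif ($before.Installed) {
            $state = 'AlreadyInstalled'; $restart = 'No'
        } else {
            $result = Add-WindowsFeature -Name $Feature
            $state = if ($result.Success) { 'Installed' } else { 'Failed' }
            $restart = "$($result.RestartNeeded)"
        }
        New-Object PSObject -Property @{
            Computer      = $env:COMPUTERNAME
            Feature       = $Feature
            State         = $state
            RestartNeeded = $restart
        }
    }
}

# Usage: check and, where needed, install Network Load Balancing on both
# lab servers, then show one line per host.
Install-FeatureWhereMissing -ComputerName 'LON-DC1', 'LON-SVR1' -Feature 'NLB' |
    Format-Table Computer, Feature, State, RestartNeeded -AutoSize
```

Because the check happens on the target, rerunning the function is safe: hosts that already have the feature report AlreadyInstalled and are not touched, which is what you want from a script that may be scheduled or rerun after a partial failure.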

Before proceeding to the next lab, reset the lab environment.


Appendix i

What Is DNSSEC?

Domain Name System (DNS) is a hierarchical, distributed database that connects
domain names with other information, such as IP addresses. DNS allows users to
locate resources on the network by converting the readable Web site names into IP
addresses that computers can identify.
DNS is designed as an open protocol, and therefore, it is vulnerable to attackers.
The DNS infrastructure can be exposed to threats such as modification of the data
in a DNS response, redirection of queries for DNS names to compromised servers,
or pollution of the DNS cache with malicious data. Domain Name System Security
Extensions (DNSSEC) is a collection of extensions that adds security to the DNS
protocol. The core DNSSEC extensions are specified in Request for Comments (RFC)
documents. DNSSEC provides source authority, data integrity, and authenticated
denial of existence. Earlier versions of Windows operating systems, such as
Windows Server 2003, store DNSSEC records in DNS, whereas later versions, such
as Windows Server 2008 R2, support digital signing of DNS zones and DNS records
in addition to storage of DNSSEC records. Besides digital signing, DNSSEC
introduces four new resource records: DNSKEY, RRSIG, NSEC, and DS.
DNSSEC enables DNS servers and resolvers to trust DNS responses by using the
digital signatures for validation. The digital signatures that are generated are
stored in the DNS zone in the new resource records. When a resolver issues a
query for a DNS name, the corresponding digital signature is sent as part of the
response. The preconfigured trust anchor is used to validate the digital signature
and confirm that the data has been returned from a trusted source and has not
been modified or tampered with.
In DNSSEC, each DNS zone uses its public and private key to encrypt and decrypt
digital signatures. When a resource record in a DNS zone is signed by using the
private key, resolvers that hold the public key can verify whether the resource
record received from the DNS zone is properly authorized.
When you sign a resource record by using the private key of the DNS zone, a
private key is added to each domain name in the DNS zone, such as contoso.com.
The digital signature for that resource record is added to the DNS zone in the form
of a resource record of type SIG. When a DNS server responds positively to a query
for a DNS name, the DNS server replies with the corresponding resource records
and the SIG resource record. Resolvers are aware of the public key associated with
the requested DNS name. Resolvers receive the SIG resource record and use the
public key to authenticate the resource records. The public key of the DNS zone is
stored in a new resource record of type KEY. The KEY resource records must be
provided to the resolver before the resolver authenticates the SIG resource records.
DNSSEC verifies whether the resolver has received records from a secure DNS
zone. Using DNSSEC, the resolver validates the IP address of the domain.
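To make the relationships described above concrete, the following PowerShell script is an added example, not part of the course text: it reads a small signed zone and checks the structure a validating resolver depends on, namely that every RRset has an RRSIG, that each RRSIG names a key tag that a DNSKEY in the zone actually has (key tag computed as in RFC 4034 Appendix B), and that the NSEC records form a closed chain, which is what authenticated denial of existence rests on. The zone contents, names and signature fields are constructed for illustration, and the function names are the example's own; it checks structure, not the cryptographic signatures themselves.

```powershell
# Added example (not part of the course text): structural checks on a signed
# zone held in one-record-per-line master-file form with fully qualified
# owner names. The zone text is constructed for illustration; the signature
# fields are placeholder base64, so this checks RRSIG coverage, key tags and
# the NSEC chain, not the cryptographic signatures themselves.
$SampleZone = @'
contoso.com.         3600 IN SOA    lon-dc1.contoso.com. hostmaster.contoso.com. 1 900 600 86400 3600
contoso.com.         3600 IN RRSIG  SOA 5 2 3600 20100301000000 20100201000000 5145 contoso.com. c2lnMQ==
contoso.com.         3600 IN NS     lon-dc1.contoso.com.
contoso.com.         3600 IN RRSIG  NS 5 2 3600 20100301000000 20100201000000 5145 contoso.com. c2lnMg==
contoso.com.         3600 IN DNSKEY 256 3 5 AQIDBAUGBwg=
contoso.com.         3600 IN RRSIG  DNSKEY 5 2 3600 20100301000000 20100201000000 5145 contoso.com. c2lnMw==
contoso.com.         3600 IN NSEC   lon-dc1.contoso.com. NS SOA RRSIG NSEC DNSKEY
contoso.com.         3600 IN RRSIG  NSEC 5 2 3600 20100301000000 20100201000000 5145 contoso.com. c2lnNA==
lon-dc1.contoso.com. 3600 IN A      192.168.10.1
lon-dc1.contoso.com. 3600 IN RRSIG  A 5 3 3600 20100301000000 20100201000000 9999 contoso.com. c2lnNQ==
lon-dc1.contoso.com. 3600 IN NSEC   contoso.com. A RRSIG NSEC
'@

function ConvertFrom-ZoneText {
    # Splits each record into owner, type and the RDATA fields.
    param([string]$Text)
    foreach ($line in $Text -split "`n") {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        $f = $line -split '\s+'
        New-Object PSObject -Property @{
            Owner = $f[0].ToLower(); Type = $f[3]; Rdata = $f[4..($f.Length - 1)]
        }
    }
}

function Get-DnskeyKeyTag {
    # RFC 4034 Appendix B: 16-bit sum over the DNSKEY RDATA (flags, protocol,
    # algorithm, public key). Written without -shl/-shr so that it also runs
    # on Windows PowerShell 2.0.
    param([int]$Flags, [int]$Protocol, [int]$Algorithm, [string]$PublicKeyBase64)
    $rdata = @([byte][math]::Floor($Flags / 256), [byte]($Flags -band 0xFF), [byte]$Protocol, [byte]$Algorithm) +
             [System.Convert]::FromBase64String($PublicKeyBase64)
    $ac = 0
    for ($i = 0; $i -lt $rdata.Length; $i++) {
        if ($i % 2 -eq 0) { $ac += [int]$rdata[$i] * 256 } else { $ac += [int]$rdata[$i] }
    }
    $ac += [int][math]::Floor($ac / 65536) -band 0xFFFF
    return $ac -band 0xFFFF
}

function Test-SignedZone {
    param([string]$ZoneText)
    $records = @(ConvertFrom-ZoneText -Text $ZoneText)
    $findings = @()

    # Key tags of every DNSKEY published in the zone.
    $keyTags = @{}
    foreach ($k in $records | Where-Object { $_.Type -eq 'DNSKEY' }) {
        $tag = Get-DnskeyKeyTag -Flags $k.Rdata[0] -Protocol $k.Rdata[1] -Algorithm $k.Rdata[2] -PublicKeyBase64 $k.Rdata[3]
        $keyTags[$tag] = $true
    }

    # Every RRset (owner + type) needs a covering RRSIG, and every RRSIG must
    # name a key tag (RDATA field 6) that a DNSKEY in the zone actually has.
    $sigs = @($records | Where-Object { $_.Type -eq 'RRSIG' })
    foreach ($rrset in $records | Where-Object { $_.Type -ne 'RRSIG' } | Group-Object Owner, Type) {
        $owner = $rrset.Group[0].Owner; $type = $rrset.Group[0].Type
        if (-not ($sigs | Where-Object { $_.Owner -eq $owner -and $_.Rdata[0] -eq $type })) {
            $findings += "no RRSIG covers $owner $type"
        }
    }
    foreach ($s in $sigs) {
        $tag = [int]$s.Rdata[6]
        if (-not $keyTags.ContainsKey($tag)) { $findings += "RRSIG $($s.Owner) $($s.Rdata[0]) names unknown key tag $tag" }
    }

    # Authenticated denial of existence needs a closed NSEC chain: follow the
    # "next owner" links from the apex; the walk must visit every NSEC and
    # end back at the apex.
    $nsec = @{}
    foreach ($n in $records | Where-Object { $_.Type -eq 'NSEC' }) { $nsec[$n.Owner] = $n.Rdata[0].ToLower() }
    $apex = ($records | Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1).Owner
    $cur = $apex; $seen = 0; $broken = $false
    do {
        if (-not $nsec.ContainsKey($cur)) { $findings += "NSEC chain breaks at $cur"; $broken = $true; break }
        $cur = $nsec[$cur]; $seen++
    } while ($cur -ne $apex -and $seen -le $nsec.Count)
    if (-not $broken -and $seen -ne $nsec.Count) { $findings += 'NSEC chain does not visit every NSEC owner' }
    return $findings
}

# Usage: the constructed zone deliberately leaves the NSEC at lon-dc1 unsigned
# and gives the A record's RRSIG key tag 9999, which matches no DNSKEY.
Test-SignedZone -ZoneText $SampleZone
```

The DNSKEY in the sample (flags 256, protocol 3, algorithm 5, key bytes 01..08) has key tag 5145, so the four RRSIGs that cite 5145 pass the key-tag check and only the one citing 9999 is reported; the parser expects one record per line with absolute names, so a file written by another tool may need its $ORIGIN and relative names expanded first.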

DNSSEC on the Windows Server 2008 R2 DNS Server

DNSSEC on the Windows Server 2008 R2 DNS server allows you to sign both
file-based zones and Active Directory–integrated zones through an offline zone
signing tool. This signed zone will then be replicated by zone transfer or AD
replication to other authoritative DNS servers. When you configure DNSSEC with a
trust anchor, a DNS server can perform DNSSEC validation on responses received
on behalf of the client.
The DNS client in Windows Server 2008 R2 and Windows 7 is a non-validating
security-aware resolver. This means that the DNS client will transfer the validation
responsibilities to its local DNS server, but the client can receive DNSSEC
responses. The behavior of the DNS client can be controlled by using a policy that
determines whether the client should check for validation results for names within
a given namespace. The client will then return the results of the query to the
application only if the validation has been successfully performed by the server.

Offline signing of static zones

The DNS server command-line management tool, Dnscmd.exe, offers offline key
generation and zone-signing capability through a signing tool. This signing tool
generates keys that are stored in certificates, for example, a self-signed certificate in
the computer certificate store. To sign a DNS zone, the zone data from a file-based
or an Active Directory–integrated zone must be copied to a temporary file. The
zone signing tool uses this file as the input and generates a signed zone file as the
output. The signed zone file includes the additional DNSKEY, RRSIG, DS, and
NSEC resource records. To host the zone from the server, the signed zone must be
imported to the DNS server by using Dnscmd.exe or the DNS Manager console.
Dynamic updates are automatically disabled on a DNSSEC-signed zone. The
Windows Server 2008 R2 DNS server only supports signing of static zones. You
must use the Dnscmd.exe tool or the DNS Manager console to add more resource
records to a zone and then re-sign the zone.

Configuration of trust anchors

A trust anchor is a preconfigured public key associated with a specific DNS zone.
Windows Server 2008 R2 supports the configuration of trust anchors by using the
DNSKEY resource records.
A validating DNS server must be configured with one or more trust anchors to
perform validation. To validate the DNSSEC data, the DNS server requires at least
one trust anchor. You can also deploy additional trust anchors. You can use the
DNS server management tools such as DNS Manager and Dnscmd.exe to view and
modify trust anchors, locally or remotely. Trust anchors apply only to the zones for
which they are defined.
If the DNS server runs on a domain controller, you can store trust anchors in the
forest directory partition in Active Directory Domain Services (AD DS). You can
then replicate the trust anchors to all domain controllers in the forest. On
standalone DNS servers, trust anchors are stored in the file, TrustAnchors.dns, in
%windir%\System32\DNS.
The following are the high-level steps for deploying DNSSEC on the DNS Server:
1. Identify the signing DNS servers.
2. Export the zone to a file and transfer the file to the signing DNS server.
3. Identify the Zone Signing Key (ZSK) rollover mechanism.
4. Generate the keys.
5. Sign a zone.
6. Reload the zone.
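The following function is an added example, not course or Microsoft code, that runs the six steps on the signing server with the Dnscmd commands the demonstration that follows uses, and refuses to replace the live zone file unless the signed output actually contains DNSKEY, RRSIG and NSEC records. It assumes a file-based primary zone (as in the demonstration), dnscmd.exe on the path, and that the generated key appears in the Cert:\LocalMachine\MS-DNSSEC certificate store, the node the demonstration shows in the Certificates snap-in; the function name, the file names and the 1024-bit default key length are the example's own choices.

```powershell
# Added example (not part of the course text): the six deployment steps as
# one function, run on the signing server, with a check on the signed output
# before the live zone file is replaced. Assumptions: a file-based primary
# zone as in the demonstration, dnscmd.exe on the path, and the generated
# key living in the Cert:\LocalMachine\MS-DNSSEC store (the node shown in
# the Certificates snap-in during the demonstration).
function Publish-SignedZone {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Zone,
        [string]$KeyName = "ZSK-$Zone",
        [int]$KeyLength = 1024,
        [string]$DnsDir = "$env:windir\System32\dns"
    )
    $export = "$Zone.export"          # /ZoneExport writes into the DNS directory
    $signed = "signed-$Zone.txt"
    $live   = "$Zone.dns"
    Push-Location $DnsDir
    try {
        # Step 2: export the zone data to a file for the signing tool.
        dnscmd /ZoneExport $Zone $export | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "ZoneExport failed for $Zone" }

        # Steps 3-4: generate a ZSK only when none with this name exists. A new
        # name (ZSK-contoso.com-2, say) is how a rollover is started here.
        $have = Get-ChildItem Cert:\LocalMachine\MS-DNSSEC -ErrorAction SilentlyContinue |
            Where-Object { $_.FriendlyName -eq $KeyName }
        if (-not $have) {
            dnscmd /OfflineSign /GenKey /Alg rsasha1 /Length $KeyLength /Zone $Zone /SSCert /FriendlyName $KeyName | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "key generation failed for $KeyName" }
        }

        # Step 5: sign the exported copy into a separate output file.
        dnscmd /OfflineSign /SignZone /input $export /output $signed /zone $Zone /signkey /cert /friendlyname $KeyName | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "SignZone failed for $Zone" }

        # The output must carry the record types a signed zone has before it
        # is allowed to replace the live file.
        $text = Get-Content $signed
        $counts = @{}
        foreach ($t in 'DNSKEY', 'RRSIG', 'NSEC') {
            $counts[$t] = @($text | Where-Object { $_ -match "\s$t\s" }).Count
        }
        if ($counts['DNSKEY'] -lt 1 -or $counts['RRSIG'] -lt 1 -or $counts['NSEC'] -lt 1) {
            throw "signed output $signed lacks DNSSEC records (DNSKEY=$($counts['DNSKEY']) RRSIG=$($counts['RRSIG']) NSEC=$($counts['NSEC']))"
        }

        # Step 6: keep a backup, replace the zone file, and reload the zone.
        if ($PSCmdlet.ShouldProcess($live, "replace with $signed and reload $Zone")) {
            Copy-Item $live "$live.bak" -Force
            Copy-Item $signed $live -Force
            dnscmd /ZoneReload $Zone | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "ZoneReload failed for $Zone" }
        }
        return $counts
    }
    finally { Pop-Location }
}

# Usage: a -WhatIf run still exports and signs into the separate output
# file but leaves the live zone file untouched; the second call publishes.
Publish-SignedZone -Zone contoso.com -WhatIf
Publish-SignedZone -Zone contoso.com
```

Because dynamic updates are disabled on a signed zone, any record added later through DNS Manager or Dnscmd.exe requires the same sequence again; rerunning the function reuses the existing key and re-signs the current zone data.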
Demonstration: How To Deploy DNSSEC


1. On LON-DC1, open the command prompt window and run the following
command to change to the c:\windows\system32\dns directory.

cd c:\windows\system32\dns

• On the Start menu of LON-DC1, click All Programs, click Accessories,
and then click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following command, and then press ENTER.

cd c:\windows\system32\dns

2. Run the following command to verify that there is no Contoso.com zone file.

dir

• At the command prompt, type the following command, and then press
ENTER.

dir

3. Open the DNS Manager console and change the zone type of Contoso.com
Forward Lookup Zone.
• On the Start menu, point to Administrative Tools, and then click DNS.
• In the tree pane of the DNS Manager console, expand LON-DC1, expand
Forward Lookup Zones, right-click Contoso.com, and then click
Properties.
• On the General tab of the Contoso.com Properties dialog box, click the
Change button next to Type: Active Directory-Integrated.
• In the Change Zone Type dialog box, clear Store the zone in Active
Directory (available only if DNS server is a domain controller), and
then click OK.
• In the DNS message box, click Yes.
• In the Contoso.com Properties dialog box, click OK.
4. Run the following command to verify that the Contoso.com.dns file is there.

dir

• At the command prompt, type the following command, and then press
ENTER.

dir

5. Open the Console1 - [Console Root] console to add the Certificates snap-in for
the computer account.
• On the Start menu, click Run.
• In the Open box of the Run dialog box, type mmc, and then press
ENTER.
• On the File menu of the Console1 - [Console Root] console, click
Add/Remove Snap-in.
• In the Available snap-ins area of the Add or Remove Snap-ins dialog box,
in the Snap-in list, click Certificates, and then click Add.
• In the Certificates snap-in wizard, click Computer account, and then click
Next.
• In the Select Computer wizard, click Finish.
• In the Add or Remove Snap-ins dialog box, click OK.
6. Run the following command to generate a zone signing key as a self-signed
certificate, which adds the MS-DNSSEC node under Certificates.

DnsCmd /OfflineSign /GenKey /Alg rsasha1 /Length 512 /Zone contoso.com /SSCert /FriendlyName ZSK-contoso.com

• At the command prompt of the Administrator: Command Prompt
window, type the following command, and then press ENTER.

DnsCmd /OfflineSign /GenKey /Alg rsasha1 /Length 512 /Zone contoso.com /SSCert /FriendlyName ZSK-contoso.com

• In the tree pane of the Console1 - [Console Root] console, under
Certificates (Local Computer), verify that the MS-DNSSEC node is there
and that it contains the self-signed certificate.
• At the command prompt, type the following command, and then press
ENTER.

DnsCmd /OfflineSign /SignZone /input contoso.com.dns /output signed-contoso.txt /zone contoso.com /signkey /cert /friendlyname ZSK-contoso.com

7. Browse to Local Disk (C:)\Windows\System32\dns and open the
signed-contoso.txt file to view the DNSSEC-related records.
• On the Start menu, click Computer.
• In the Computer window, browse to Local Disk
(C:)\Windows\System32\dns.
• In the Name list of the dns window, right-click signed-contoso.txt, and
then click Open.
• In the signed-contoso.txt - Notepad window, view the DNSSEC-related
records, and then click the Close button.
8. Run the following command to copy the signed-contoso.txt file over the
contoso.com.dns zone file.

copy signed-contoso.txt contoso.com.dns /y

• At the command prompt, type the following command, and then press
ENTER.

copy signed-contoso.txt contoso.com.dns /y

• In the tree pane of the DNS Manager console, under Forward Lookup
Zones, right-click Contoso.com, and then click Reload.
• In the DNS message box, click Yes.
• In the tree pane of the DNS Manager console, under Forward Lookup
Zones, right-click Contoso.com, and then click Refresh.
• View the new NSEC records in the Contoso.com zone under Forward
Lookup Zones.
