10159A Trainer Handbook
10159A
Updating Your Windows Server®
2008 Technology Specialist Skills
to Windows Server® 2008 R2
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering the subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries.
All other trademarks are property of their respective owners.
Released: 02/2010
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER
EDITION – Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. “Academic Materials” means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.
b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
“MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.
d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.
e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. “Licensed Content” means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.
i. “Student Content” means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.
j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.
k. “Trainer Content” means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
m. “Virtual Machine” means a virtualized computing experience, created and accessed using
Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered “Trainer Content”.
n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (i) or (ii) above during such
Authorized Training Session in accordance with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
protective order or otherwise protect the information. Confidential information does not
include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
• you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first (“beta term”).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
• You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
• You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
• You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
• You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
• You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
• You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
• You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as
“Evaluation Software” may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:
• The use of the Academic Materials will be only for your personal reference or training use
• You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
• You will include the Academic Material’s original copyright notice, or a copyright notice to
Microsoft’s benefit in the format provided below:
Form of Notice:
© 2009 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else’s use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft’s prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
• Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as “NFR” or “Not for Resale.”
10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as
“Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-
based services and support services that you use, are the entire agreement for the Licensed
Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as is.” You bear the risk of using it.
Microsoft gives no other express warranties. You may have additional consumer rights under your local
consumer protection laws, which this agreement cannot change. To the extent permitted under your local
laws, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are
excluded.
LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its
suppliers only direct damages up to U.S. $5.00. You cannot recover any other damages, including special,
indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the Licensed Content, services or content (including code) on third party
Internet sites or in third party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other tort to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If
your country does not allow the exclusion or limitation of liability for indirect, incidental or other
damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. This agreement does not change your rights under the laws of your country if the laws
of your country do not permit it to do so.
Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their
contribution towards developing this title. Their effort at various stages in the
development has ensured that you have a good classroom experience.
Contents
Module 1: Deploying and Managing Windows Server 2008 R2
Lesson 1: Installing Windows Server 2008 R2 1-04
Lesson 2: Configuring Windows Deployment Services 1-21
Lesson 3: Migrating Server Roles, Features, and Settings to Windows Server 2008 R2 1-37
Lab 1A: Deploying Windows Server 2008 R2 1-46
Lesson 4: Managing Windows Server 2008 R2 1-56
Lab 1B: Managing Windows Server 2008 R2 1-78
Module Reviews and Takeaways
This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.
Course Description
This three-day instructor-led course provides knowledge on updating your
Windows Server 2008 Technology Specialist skills to Windows Server 2008 R2.
Audience
The audience for this course is IT professionals who are experienced with the technologies
included in Windows Server 2008 and who have a Windows Server 2008 Technical Specialist
certification or equivalent knowledge. Students taking this course are expected to have
experience in hands-on deployment and day-to-day management of Windows-based servers for
enterprise organizations.
Student Prerequisites
The students should have experience in the core Windows Server 2008 technology
specialist skills:
• Installation and Automated Deployment
• Server and Client Configuration
• Monitoring and Management Tools
• Networking
• Active Directory Domain Services
• Security
• Group Policy
• Performance Monitoring
• Troubleshooting
Course Objectives
After completing this course, students will be able to:
• Deploy and manage Windows Server 2008 R2.
• Configure Active Directory in Windows Server 2008 R2.
• Configure server virtualization by using Hyper-V.
Course Outline
This section provides an outline of the course:
Module 1, "Deploying and Managing Windows Server 2008 R2" explains how to
deploy and manage Windows Server 2008 R2. This module describes the steps to
install Windows Server 2008 R2. It also explains the methods to configure
Windows Deployment Services and the methods to migrate server roles, features,
and settings to Windows Server 2008 R2. It further explains the methods to
manage Windows Server 2008 R2.
Module 2, "Configuring Active Directory in Windows Server 2008 R2" explains
how to configure Active Directory in Windows Server 2008 R2. This module
explains the steps for configuring the features of Active Directory Domain Services
in Windows Server 2008 R2. It also explains the new Group Policy features in
Active Directory Domain Services in Windows Server 2008 R2. The module
describes the features of other Active Directory server roles in Windows Server
2008 R2.
Module 3, "Configuring Server Virtualization by Using Hyper-V" explains how to
configure server virtualization by using Hyper-V. The module explains the
features of Hyper-V. It also describes how to configure Live Migration in Hyper-V
and how to use System Center Virtual Machine Manager R2 effectively.
Module 4, "Configuring Remote Desktop Services and Virtual Desktop
Infrastructure in Windows Server 2008 R2" explains how to configure Remote
Desktop Services and Virtual Desktop Infrastructure. This module describes
Remote Desktop Services and its features. It also describes how to configure
Remote Desktop Services for remote computers and how to configure Virtual
Desktop Infrastructure.
Module 5, "Deploying and Configuring Remote Access Services" explains how to
deploy and configure Remote Access Services. The module describes DirectAccess
and the methods for deploying it. It further describes how to configure VPN
Reconnect.
Course Materials
The following materials are included with your kit:
• Course Handbook. A succinct classroom learning guide that provides all the
critical technical information in a crisp, tightly focused format, which is just
right for an effective in-class learning experience.
  • Lessons: Guide you through the learning objectives and provide the key points
  that are critical to the success of the in-class learning experience.
  • Labs: Provide a real-world, hands-on platform for you to apply the knowledge
  and skills learned in the module.
  • Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips
  when it’s needed.
• Course CD. Provides additional resources pertaining to this course.
  • Resources: Include well-categorized additional resources that give you
  immediate access to the most up-to-date premium content on TechNet,
  MSDN®, and Microsoft Press®.
  • Lab Answer Keys: Include answer keys in digital form to use during lab time.
  • Virtual Machine Build Guide: Provides the step-by-step information needed to
  recreate the Virtual Machine/Server images with the appropriate configuration.
Note: To open the Web page, insert the Course CD into the CD-ROM drive, and then in
the root directory of the CD, double-click StartCD.exe.
• Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.
Software Configuration
The following software is installed:
• iSCSI Target 3.2 on LON-SVR1
• Windows Automated Installation Kit (Windows AIK) on LON-SVR1
Course Files
There are files associated with the labs in this course. The lab files are located in
the folder <install_folder>\Labfiles\LabXX on the student computers.
Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way. The physical host computer is part of the contoso.com domain in which
LON-DC1 is a domain controller.
Module 1
Deploying and Managing Windows Server 2008 R2
Contents:
Lesson 1: Installing Windows Server 2008 R2 1-04
Lesson 2: Configuring Windows Deployment Services 1-21
Lesson 3: Migrating Server Roles, Features, and Settings to
Windows Server 2008 R2 1-37
Lab 1A: Deploying Windows Server 2008 R2 1-46
Lesson 4: Managing Windows Server 2008 R2 1-56
Lab 1B: Managing Windows Server 2008 R2 1-78
1-2 Deploying and Managing Windows Server 2008 R2
Module Overview
allows you to migrate server roles, features, operating system settings, shares, and
other data. The File Classification Infrastructure feature can considerably reduce
time for managing data on file servers.
In addition, Windows Server 2008 R2 provides enhancements in Windows
management, such as remote management with Server Manager, Best Practice
Analyzer (BPA), and SConfig on Server Core.
After completing this module, you will be able to:
• Install Windows Server 2008 R2.
• Configure Windows Deployment Services.
• Migrate server roles, features, and settings to Windows Server 2008 R2.
• Manage Windows Server 2008 R2.
services, but also support new types of hardware, such as solid-state devices and
boot from storage area network (SAN) or VHD files.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the editions of Windows Server 2008 R2.
• Choose an appropriate edition of Windows Server 2008 R2.
• Describe the system requirements for Windows Server 2008 R2.
• Describe virtual hard disks with native boot.
• Use virtual hard disks with native boot.
• Describe Windows Server 2008 R2 installation.
• Install Windows Server 2008 R2.
Key Points
Windows Server 2008 R2 is available in six editions to support the varying server
and workload needs of organizations.
The following table lists the Windows Server 2008 R2 editions.
Edition                             Description
Windows Server 2008 R2 Foundation   A cost-effective advanced server platform
                                    that is targeted at small business owners
                                    and information technology (IT)
                                    generalists. Windows Server 2008 R2
                                    Foundation is a technology that provides
                                    organizations with the base to run the
                                    most common business applications, and
                                    share information and resources.
                                    system. With built-in Web and
                                    virtualization capabilities, it is designed to
                                    increase the reliability and flexibility of the
                                    server infrastructure. It helps protect
                                    organizational data and network, save
                                    time, and reduce costs.
                                    server farm.
Key Points
You can choose the Windows Server 2008 R2 edition based on the business
scenarios and requirements of your organization, such as total cost of ownership
(TCO), the need for high availability features such as failover clustering, and
support requirements.
To choose between the Windows Server 2008 R2 editions, identify the edition that
is most appropriate for your environment by analyzing and comparing the editions
based on their technical specifications, as listed in the following table.
Specification            Web Server  Standard  Enterprise  Datacenter  Itanium  Foundation
X64 Sockets              4           4         8           64          NA       1
IA64 Sockets             NA          NA        NA          NA          64       NA
X64 RAM                  32 GB       32 GB     2 TB        2 TB        NA       8 GB
Failover Cluster Nodes   NA          NA        16          16          8        NA
Key Points
Windows Server 2008 R2 has system requirements similar to those of Windows
Server 2008, but it runs only on 64-bit processors. Although Windows Server
2008 R2 can be installed on a computer with 512 megabytes (MB) of RAM, the
operating system can use up to 8 gigabytes (GB) in Windows Server 2008 R2
Foundation, 32 GB in Windows Web Server 2008 R2 or Windows Server 2008 R2
Standard, and 2 TB in Windows Server 2008 R2 Enterprise or Windows Server
2008 R2 Datacenter. System requirements differ between a Full installation and
a Server Core installation.
Windows Server 2008 R2 can be upgraded from previous 64-bit server operating
systems such as Windows Server 2003 R2, Windows Server 2008 SP2, and Windows
Server 2008. Upgrades are not supported from older operating systems, across
architectures (32-bit to 64-bit), across languages (German to English), or
across editions (Windows Server 2008 Enterprise to Windows Server 2008 R2
Standard). Upgrades from Itanium-based systems are also not supported.
Question: You have Windows Server 2008 running on a 32-bit server with 4 GB of
RAM. Can you upgrade this server to Windows Server 2008 R2 Standard edition?
Key Points
The VHD file format is a publicly available specification that encapsulates a hard
disk in a single file. A VHD can host native file systems and supports standard disk
operations, and an operating system installed in a VHD can run without a parent
operating system, virtual machine, or Hyper-V.
Windows Server 2008 R2 simplifies image management by adding support for
virtual disks in the disk management tools. The Disk Management console can
create either a new fixed-size VHD file or a dynamically expanding VHD; in both
cases the new disk is not initialized. After creating the VHD file, attach it to the
computer by using the Attach VHD option to make it usable. You can then create
a partition and format it with NTFS inside the VHD, just as you would on any other
hard disk, apply a Windows image to the VHD, and start the computer from the
VHD.
command. DiskPart accepts a script to automate the steps needed to create and
format a VHD. When you attach a VHD, Windows operating systems automatically
mount the volume and offer an option to explore its contents.
In Windows Server 2008 R2, Hyper-V uses the native VHD support that is built into
the core operating system. Native boot allows a VHD to run on a computer
without a virtual machine or Hyper-V.
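The following PowerShell script is an added example, not code from the course or its labs. It drives DiskPart with a script file (the automation path the text mentions) to create a dynamically expanding VHD, attach it, partition and format it with NTFS, and then applies a Windows image into it with ImageX from the Windows AIK, which is the preparation step that precedes native boot. The VHD path, size, drive letter, image file and image index are assumptions; run it from an elevated prompt on a computer where the Windows AIK is installed.

```powershell
# Added example, not course code. Creates and prepares a VHD for native boot:
# DiskPart script -> attach -> partition/format -> apply a Windows image.
# Run elevated. All paths and sizes below are assumptions for illustration.

$VhdPath   = 'D:\win7.vhd'              # assumed location of the new VHD
$VhdSizeMB = 40960                      # assumed maximum size: 40 GB (expandable)
$DriveLtr  = 'V'                        # assumed letter used while the VHD is attached
$WimFile   = 'E:\sources\install.wim'   # assumed path to install.wim on the mounted DVD
$WimIndex  = 1                          # assumed image index inside install.wim

# DiskPart reads commands from a script file given with /s; this helper writes
# the commands to a temporary file, runs DiskPart, and fails loudly on error.
function Invoke-DiskPartScript {
    param([Parameter(Mandatory=$true)][string[]]$Commands)
    $script = [System.IO.Path]::GetTempFileName()
    try {
        $Commands | Set-Content -Path $script -Encoding ASCII
        $output = & diskpart.exe /s $script
        if ($LASTEXITCODE -ne 0) { throw "DiskPart failed ($LASTEXITCODE):`n$($output -join "`n")" }
        $output
    } finally {
        Remove-Item -Path $script -ErrorAction SilentlyContinue
    }
}

# 1. Create the VHD, attach it, and lay down a single NTFS partition.
#    After "attach vdisk" the new disk has focus, so the partition commands apply to it.
Invoke-DiskPartScript @(
    "create vdisk file=$VhdPath maximum=$VhdSizeMB type=expandable",
    "select vdisk file=$VhdPath",
    "attach vdisk",
    "create partition primary",
    "format fs=ntfs quick label=NativeBoot",
    "assign letter=$DriveLtr",
    "exit"
)

# 2. Apply the Windows image into the VHD with ImageX (Windows AIK).
#    List the edition names first so the index you apply is the one you expect.
& imagex.exe /info $WimFile | Select-String -Pattern '<NAME>'
& imagex.exe /apply $WimFile $WimIndex "${DriveLtr}:\"
if ($LASTEXITCODE -ne 0) { throw "imagex /apply failed with exit code $LASTEXITCODE" }

# 3. Sanity check: the VHD now carries a Windows folder tree, like any installed disk.
if (-not (Test-Path "${DriveLtr}:\Windows\System32")) {
    throw 'Image was not applied: no \Windows\System32 inside the VHD'
}

# 4. Detach the VHD; it can be attached again later for bcdboot/bcdedit or deployed.
Invoke-DiskPartScript @("select vdisk file=$VhdPath", "detach vdisk", "exit")
```

The script checks the DiskPart and ImageX exit codes after each external call because neither tool raises a PowerShell error on failure; without those checks a failed format would be followed by an image apply into the wrong volume.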
Requirements
Native VHD boot has the following dependencies:
• The local disk has a system partition that contains the Windows Server 2008
R2 or Windows 7 boot-environment files and Boot Configuration Data (BCD)
store. A VHD file can be stored on the system or other partition.
• The local disk partition that contains the VHD file has enough free disk space
for expanding a dynamic VHD to its maximum size and for the page file that is
created when booting the VHD.
Benefits
The following are the benefits of native boot capabilities for VHDs:
• A single physical computer can hold multiple bootable operating system
  instances without requiring separate disk partitions. Multiple boot support is
  available in earlier versions of Windows operating systems; however, each
  installed operating system required a separate disk partition.
• Native boot supports all three types of VHD files—fixed, dynamic, and
  differencing disks.
• A differencing VHD file provides a convenient way of initializing a test
  environment, performing tests, and reverting to a baseline state. When the
  testing is complete, you can return to the original state of the parent VHD
  by discarding the differencing file and creating a new one.
• You can configure a computer for different roles.
• Servers can keep multiple application workloads in separate VHD files and
  switch between them. The flexibility of multiple boots by using VHD files
  also keeps a previous Windows image available as a fallback in the event of
  a problem with a new image.
Key Points
1. On LON-SVR1, run the following code to select and attach the virtual hard disk
   d:\win7.vhd in DiskPart and assign the letter F to it.
2. Open Windows Explorer and verify that the new drive, VHD (F:), contains the
   same folder structure as a Windows installation.
3. Run the following code to copy the boot environment files and Boot
   Configuration Data from the \Windows directory to the system partition.
4. On LON-SVR1, run the following code to copy the existing Windows Server
   2008 R2 boot entry.
5. Run the following code to modify the copied boot entry to point to the native
   boot VHD file.
6. Reboot LON-SVR1 and start it from the native boot virtual hard disk.
Key Points
The installation process of Windows Server 2008 R2 has not changed considerably
from that of Windows Server 2008. Before you begin the installation, you answer a
minimal number of questions; thereafter, the installation continues without user
interaction. Several settings, such as the computer name and network settings, are
set to default values, so when you first log on you should configure them. You also
need to change the Administrator password. The Initial Configuration Tasks window
opens each time you log on and prompts you to change the initial settings.
Windows installation depends on imaging technology. The Sources subfolder on
the Windows Server 2008 R2 DVD contains two image files—Boot.wim and
Install.wim.
Boot.wim is a file-based disk image that contains a bootable version of Windows
Preinstallation Environment (Windows PE), from which the installation is
Key Points
1. Add Windows Server 2008 R2 to LON-WS08R2 and boot the virtual machine
   from the DVD to install the Windows Server 2008 R2 Enterprise edition.
2. On LON-SVR1, mount the Windows Server 2008 R2 DVD, browse to
   E:\sources, and verify that the sources folder contains the Boot.wim and
   Install.wim files.
4. Open the Windows System Image Manager tool and verify whether it contains
   the same options as Windows Server 2008 R2.
Question: Before starting the installation, is it possible to view the versions of the
Windows Server 2008 R2 editions that are inside the Install.wim file?
Lesson 2
Configuring Windows Deployment Services
WDS enables you to deploy Windows operating systems over the network. WDS
automates and customizes the installation of operating systems through the use of
unattended installation files and disk imaging. It is one of the server roles and has
been included in Windows Server 2008. In Windows Server 2008 R2, WDS
supports enhanced multicasting, dynamic driver provisioning, and virtual hard
disk deployment features when deploying operating system images.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Windows Deployment Services.
Key Points
WDS is a suite of components used for deploying Windows operating systems
over the network. WDS components are organized into three categories—server
components, client components, and management components—that together
deploy Windows operating system images.
• Server components. The server components comprise a Preboot Execution
Environment (PXE) server and a Trivial File Transfer Protocol (TFTP) server
for booting a client from the network. These components contain a shared
folder and an image repository, which has boot images, install images, and files
needed for network booting. The other server components are a networking
layer, a multicast component, and a diagnostics component.
• Client components. Client components comprise a graphical user interface
(GUI) that runs within Windows PE. When a user selects an operating system
image, the client components are used to communicate with the server
components to install the image.
Question: You have prepared a standard workstation image for your environment
and now you want to deploy the image to multiple computers. What should you
do?
Key Points
WDS in Windows Server 2008 R2 has several new features and enhancements.
The following are the enhancements to WDS in Windows Server 2008 R2:
• Dynamic driver provisioning. WDS provides the ability to deploy driver
packages to client computers as part of an installation, and add driver
packages to boot images prior to deployment. Dynamic driver provisioning
eliminates the need to add driver packages manually to images by using
Windows AIK, and it minimizes the size of images, making it easier to update
and manage drivers. This is because the drivers are stored outside the images.
Dynamic driver provisioning also eliminates the need to maintain multiple
images for different hardware configurations and the need to use an
unattended installation file to add drivers.
• Virtual hard disk deployment. WDS provides the ability to deploy .vhd
images as part of an unattended installation. Only Windows 7 and Windows
Server 2008 R2 VHD images are supported and they must be added from the
Question: You have multiple client computers on which you need to deploy the
same image by using multicast. Some of these computers are slower than others.
Will slow clients bring down the speed of multicast transmission?
Key Points
Multicasting is the ability to transmit a single stream to multiple subscribers at the
same time. By using multicasting, you can deploy an image to a large number of
client computers without overburdening the network. When you create a multicast
transmission for an image, the image is sent over the network only once, thereby
drastically reducing the amount of network bandwidth that is used. Data is
transferred only when clients request it; if no clients are connected or the
transmission is idle, no data is sent over the network.
WDS on Windows Server 2008 R2 supports the following features:
• Multiple stream transfer. This feature enables servers to group clients that
  have similar bandwidth capabilities into separate network streams, ensuring the
  fastest possible transfer rate for each group.
• Automatic disconnect. This feature allows you to automatically disconnect
  clients that fall below a specified speed. The clients that are disconnected will
Key Points
In previous versions of WDS, driver packages had to be added manually to the
image, or an unattended installation answer file had to be supplied to add
drivers during installation. In Windows Server 2008 R2, you can use WDS to add
driver packages to the server and configure them to be deployed to client
computers along with the install image. This functionality is available only
when you are installing images of Windows Vista SP1, Windows Server 2008,
Windows 7, or Windows Server 2008 R2.
You can deploy the driver packages to clients:
• Based on the Plug and Play hardware of the client. You make all packages
  available to all clients, and you configure the driver groups so that only
  the packages that match the hardware on the computer are installed. Plug and
  Play provides automatic configuration of hardware and devices for Windows
  operating systems.
can organize your packages into driver groups and then map each group to
computers by using filters. A driver group is a collection of driver packages.
You can add filters to a driver group to make the packages in the group
available to a select group of client computers. The filters define which
computers have access to the driver group, based on the hardware of the
computer or the attributes of the selected install image. You can still configure
the packages to be installed, based on Plug and Play hardware, but you can use
the filters to further define the clients that will have access to the packages.
• In a driver group. You can deploy all the driver packages in a driver group to
a client computer. After the installation, when you connect the hardware to the
client, the device driver will be installed automatically.
The following are prerequisites for deploying driver packages:
• A Windows Server 2008 R2 WDS server, configured with the following:
  • The boot image from either Windows 7 or Windows Server 2008 R2
  • The install images for Windows Vista SP1, Windows Server 2008,
    Windows 7, or Windows Server 2008 R2
• Driver packages for the hardware that you want to deploy. These packages
  must be extracted; they cannot be .msi or .exe files.
Question: You need to provide drivers for new hardware for images that you are
deploying by using WDS on Windows Server 2008 R2. Do you need to integrate
these drivers to each image?
Key Points
1. On LON-SVR1, add a driver package to the existing driver group,
   DriverGroup1, by using the Add Driver Package wizard.
2. Create a driver group named Network Drivers by using the Add Driver Group
   wizard with the following information:
   • Manufacturer Filter Type: Contoso
   • OS Edition: 7
Question: Based on the hardware of the client, how will you deploy the
Windows 7 images to the client computers?
Key Points
In Windows Server 2008 R2, you can deploy VHD images of Windows 7 or
Windows Server 2008 R2 to a physical computer by using WDS. In general, you
deploy VHD images in the same way as you would deploy .wim images. However,
you can add and configure the VHD images by using only WDSUtil at the
command line and not by using WDS MMC. In addition, the VHD deployment
must be part of an automated installation.
To deploy VHD images, you need the following:
• A configured WDS server with at least one boot image. You should use the
latest Boot.wim file from the Windows Server 2008 R2 or Windows 7
installation DVD.
• WDSUtil. You should be familiar with the WDSUtil command-line tool
because this is the only method to import and configure VHD images. You
After adding the image, configure an unattended installation for the VHD image by
creating two unattended .xml files. One unattended file automates the WDS client
user interface screens, and the other automates the remaining phases of Setup. You
can author both files by using Windows SIM, which is a part of Windows AIK.
Question: You have a VHD image file that you want to deploy by using WDS. How
can you add it by using WDS MMC?
Key Points
1. On LON-SVR1, create an image group by using the Windows Deployment
   Services console.
2. Open the Command Prompt and run the following code to add the win7.vhd
   image file to Windows Deployment Services.
3. Run the following code to create a computer account for Computer1 and
   assign a GUID to it.
4. Open the file d:\WDS-client.xml and explain how it can be created by using
   Windows AIK/Windows System Image Manager.
5. Run the following code to associate an unattend file with the prestaged client.
6. Open the file d:\unattend.xml and briefly discuss its content and its role in
   performing the installation.
Question: How will you disconnect the slower clients from the multicast group?
Key Points
1. Open the Windows Deployment Services console and explain the PXE
   Response, AD DS, Boot, Client, DHCP, and Multicast properties of the
   LON-SVR1.Contoso.com node.
2. In the tree pane of the Windows Deployment Services console, click Drivers,
   and then explain driver provisioning.
Question: How will you add the .VHD file to Windows Deployment Services?
Lesson 3
Migrating Server Roles, Features, and Settings
to Windows Server 2008 R2
You can use the WSMT feature available in Windows Server 2008 R2 to migrate
server roles, features, operating system settings, shares, and other data from
computers that are running Windows Server 2003 R2 or SP2, Windows
Server 2008, or Windows Server 2008 R2 to computers that are running Windows
Server 2008 R2. You can migrate from 32-bit to 64-bit operating system, between
physical and virtual systems, and between Full Server and Server Core. In this
lesson, you will learn how to use these migration tools.
Lesson Objectives
After completing this lesson, you will be able to:
Key Points
When installing Windows Server 2008 R2, you can select either the Upgrade or the
Custom (advanced) type of installation. The Upgrade installation replaces the
previous server operating system with Windows Server 2008 R2 on the same
hardware and preserves all configuration, server roles, and data. Upgrade is
possible only on 64-bit hardware running a server operating system such as
Windows Server 2003 R2 or SP2, Windows Server 2008, or a newer edition. In
addition, upgrade is possible only between certain server editions, and not
between different language editions or different platforms.
Custom (advanced) installation performs a clean installation. A clean installation
does not preserve settings and server roles, but it preserves the previous data on
the server. You can perform a clean installation on a new partition—without a
previous operating system—to obtain a more stable and reliable operating system.
After a clean installation, you need to set all configurations and add server roles
and features.
bit platform.
Benefits of migration
Migration reduces risk and downtime, and provides you with the following
benefits:
• Run migration tasks while the old server is still operational.
• Migrate server roles, settings, and data at different times.
• Test the new server before removing the old server.
• Verify migration and performance before switching to the new server.
• Roll back to the old server, if any problem arises after the migration.
Question: You have a critical server that is running Windows Server 2003 SP2 on
32-bit hardware. You need to upgrade this server to Windows Server 2008 R2.
Which type of installation will you perform?
Key Points
Windows Server 2008 R2 supports only 64-bit hardware. Therefore, there is no in-
place upgrade for 32-bit servers. Even if existing servers are on a 64-bit platform, it
is often preferable to perform a clean installation and then migrate the settings and
data. Using WSMT, you can migrate only roles, configuration settings, and data,
but not the operating system itself. If you want to move a server from a physical
environment to a virtual environment, use the Physical-to-Virtual (P2V) migration
tool, such as the one included in System Center Virtual Machine Manager.
Migration Guide
For each migration, you can use the Migration Guide documents available on the
Microsoft Migration Portal, which explain the process background, how to perform
the migration, and considerations such as the duration of the migration, what
needs to be migrated, and when the migration should take place.
Key Points
WSMT is a feature of Windows Server 2008 R2 that helps you migrate roles,
features, and other data to computers that are running Windows Server 2008 R2. To
perform a migration by using WSMT, first ensure that the source server is running a
supported operating system. In addition, you must be a member of the
Administrators group on both the source and destination servers and have the
permissions needed to install WSMT. Because WSMT requires Windows® PowerShell,
which relies on the Microsoft .NET Framework, verify that both are installed on the
source server. Then, install WSMT on the servers. For Windows Server 2008 and
Windows Server 2003 SP2, use SmigDeploy.exe, which comes with the migration
tools. You can find SmigDeploy.exe in the \Windows\System32\ServerMigrationTools
folder.
WSMT is a collection of five Windows PowerShell cmdlets. To use them, open the
Windows PowerShell window and run the following command.
Add-PSSnapin Microsoft.Windows.ServerManager.Migration
The following table displays the list of Windows PowerShell migration cmdlets.
You can use the Get-SmigServerFeature cmdlet to see the Windows features that
can be migrated or the features that are already in a migration store, the
Export-SmigServerSetting cmdlet to export them to the migration store on the
source server, and the Import-SmigServerSetting cmdlet to import them on the
destination server. The migration store can be either local or on the network. You
can use the Send-SmigServerData and Receive-SmigServerData cmdlets for direct
data transfer from the source server to the destination server. If a server role or
feature that you are migrating is not installed on the destination server, it is
installed during the migration. After the migration is complete, you can uninstall
WSMT by removing the feature or by running the SmigDeploy /unregister command.
Key Points
1. In the Windows PowerShell window on LON-DC1, run the following code to
   export the DHCP server role settings.
2. Navigate to C:\Export to verify that the svrmig.mig file has been created.
3. On LON-SVR1, open the Windows PowerShell window and run the following
   code:
4. Move the svrmig.mig file from \\lon-dc1.contoso.com\export to the
   C:\Migrate folder.
5. Run the following code to import the DHCP server role settings.
6. Verify that the modifications made to DHCP have been transferred to
   LON-SVR1.
Introduction
In this lab, you will deploy Windows Server 2008 R2. To do this, you will attach
a virtual hard disk, copy the boot configuration data, and add a native-boot
virtual hard disk to an existing boot menu. You will also configure new features in
Windows Deployment Services by creating an image group, configuring an
unattended installation for a virtual hard disk image, and adding a driver package
to an existing driver group. Finally, you will install the Windows Server Migration
Tools feature to modify the DHCP server properties and import the migrated
settings.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the following
  credentials:
  • User name: Contoso\Administrator
  • Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the following
  credentials:
  • User name: Contoso\Administrator
  • Password: Pa$$w0rd
Lab Scenario
Task 2: Attach the virtual hard disk and copy the boot configuration data.
• On LON-SVR1, run the following code to select and attach the virtual hard
  disk d:\win7.vhd in DiskPart, and assign the letter F to it.
diskpart
select vdisk file=d:\win7.vhd
attach vdisk
select volume 4
assign letter=F
exit
• Open Windows Explorer and verify that the new drive, VHD (F:), contains the
  same folder structure as a Windows installation.
• Run the following code to copy the boot environment files and boot
  configuration data from the \Windows directory to the system partition.
bcdboot F:\windows
• On LON-SVR1, run the following code to copy the existing Windows Server
  2008 R2 boot entry.
• Run the following code to modify the copied Windows Server 2008 R2 boot
  entry to point to the native boot VHD file.
  Replace {guid} with the copied GUID value. Copy the GUID from the output,
  including the braces.
Task 4: Reboot LON-SVR1 and boot from the virtual hard disk.
• Reboot LON-SVR1 and start it from the native boot virtual hard disk.
  The system will start into Windows Server 2008 R2 Web Edition, although Windows
  Server 2008 R2 Enterprise is installed on the computer.
Results: After completing this exercise, you should have attached a VHD and assigned
it a drive letter, copied and modified the existing Windows Server 2008 R2 boot entry
as a new boot entry, and rebooted into the VHD.
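The demonstration steps in Lesson 1 and Tasks 2 through 4 of this exercise both describe the same procedure, and the bcdedit commands are referred to only as "the following code". The PowerShell script below is an added example, not the lab's own answer key: it attaches the VHD, runs bcdboot from its \Windows folder, clones the current boot entry, and captures the GUID that bcdedit prints rather than having it retyped by hand. The VHD path, the drive letter and the boot-menu description are assumptions; run it elevated on the computer that will boot from the VHD.

```powershell
# Added example, not the lab's own commands. Adds a native-boot VHD entry to the
# boot menu: attach the VHD, run bcdboot from its \Windows folder, clone the
# current BCD entry, and point the clone at the VHD. Run elevated.
# The VHD path, drive letter and entry description are assumptions.

$VhdPath   = 'D:\win7.vhd'                  # assumed VHD that already holds Windows
$DriveLtr  = 'F'                            # assumed letter used while attached
$EntryName = 'Windows 7 (native-boot VHD)'  # assumed boot-menu description

# DiskPart reads commands from a script file given with /s.
function Invoke-DiskPartScript {
    param([Parameter(Mandatory=$true)][string[]]$Commands)
    $script = [System.IO.Path]::GetTempFileName()
    try {
        $Commands | Set-Content -Path $script -Encoding ASCII
        $output = & diskpart.exe /s $script
        if ($LASTEXITCODE -ne 0) { throw "DiskPart failed ($LASTEXITCODE):`n$($output -join "`n")" }
        $output
    } finally { Remove-Item -Path $script -ErrorAction SilentlyContinue }
}

# 1. Attach the VHD and give its first partition a letter. The lab selects
#    "volume 4", which depends on the lab machine; "select partition 1" does not.
Invoke-DiskPartScript @(
    "select vdisk file=$VhdPath",
    "attach vdisk",
    "select partition 1",
    "assign letter=$DriveLtr",
    "exit"
)
if (-not (Test-Path "${DriveLtr}:\Windows")) { throw "No \Windows folder found in $VhdPath" }

# 2. Copy the boot-environment files and BCD from the VHD's \Windows folder to
#    the system partition.
& bcdboot.exe "${DriveLtr}:\Windows"
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# 3. Clone the current entry. bcdedit prints the new entry's GUID with braces;
#    capture it from the output instead of copying it by hand.
$copyText = (& bcdedit.exe /copy '{current}' /d $EntryName) -join "`n"
if ($copyText -match '\{[0-9a-fA-F-]{36}\}') {
    $guid = $Matches[0]
} else {
    throw "bcdedit /copy did not return a GUID: $copyText"
}

# 4. Point the cloned entry at the VHD. The BCD "vhd=[<volume>]<path>" form names
#    the volume that holds the file and the path of the file inside that volume.
$vhdRef = 'vhd=[' + $VhdPath.Substring(0, 2) + ']' + $VhdPath.Substring(2)   # vhd=[D:]\win7.vhd
& bcdedit.exe /set $guid device   $vhdRef
& bcdedit.exe /set $guid osdevice $vhdRef
& bcdedit.exe /set $guid detecthal on      # let the VHD's Windows redetect the HAL on first boot

# 5. Show the new entry so it can be checked before the reboot.
& bcdedit.exe /enum $guid
```

Checking the bcdboot exit code before editing the BCD matters: if bcdboot fails, the clone would still be created and would point at a VHD whose boot files never reached the system partition.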
Task 1: Create an image group and add a virtual hard disk image.
• Log on to LON-SVR1 with the user name Contoso\Administrator and the
  password Pa$$w0rd.
• On LON-SVR1, create an image group by using the Windows Deployment
  Services console.
• Open the Command Prompt and run the following code to add the win7.vhd
  image file to Windows Deployment Services.
• Move the WDS-client.xml file from Allfiles (D:)\Disk to the Local Disk
  (C:)\RemoteInstall\WdsClientUnattend folder.
• Run the following code to associate an unattend file with the prestaged client.
Results: After completing this exercise, you should have created an image group in
Windows Deployment Services with the VHD image and configured an unattended
installation for the VHD image.
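The Lesson 2 demonstration and this exercise both refer to WDSUtil commands as "the following code" without showing them. The PowerShell script below is an added example, not the lab's own commands: it imports the VHD as an install image (WDSUtil being the only way to add VHD images in Windows Server 2008 R2), prestages a client by GUID with its WDS client unattend file, and associates the Setup unattend file with the image. The image group, image name, device name and file paths are assumptions, and the GUID is a constructed placeholder; run it elevated on the WDS server.

```powershell
# Added example, not the lab's own commands. Imports a VHD install image with
# WDSUTIL, prestages a client, attaches the WDS client unattend file to it, and
# associates the Setup unattend file with the image. Run elevated on the WDS server.
# Image group, image name, device name, GUID and paths are assumptions; the GUID
# is a constructed placeholder, not a real machine's identifier.

$ImageGroup = 'VHD Images'
$ImageName  = 'Windows 7 VHD'
$VhdFile    = 'D:\win7.vhd'
$DeviceName = 'Computer1'
$DeviceGuid = '{00000000-0000-0000-0000-000000000001}'   # constructed placeholder
$ClientXml  = 'WdsClientUnattend\WDS-client.xml'          # relative to RemoteInstall
$SetupXml   = 'D:\unattend.xml'

# wdsutil reports failures through its exit code; wrap it so a failed step stops
# the script instead of silently continuing to the next one.
function Invoke-WdsUtil {
    param([Parameter(Mandatory=$true)][string[]]$Arguments)
    $output = & wdsutil.exe /Verbose /Progress @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "wdsutil $($Arguments[0]) failed ($LASTEXITCODE):`n$($output -join "`n")"
    }
    $output
}

# 1. Add the VHD as an install image. /ImageType:Install is required for .vhd files.
Invoke-WdsUtil @('/Add-Image', "/ImageFile:$VhdFile", '/ImageType:Install',
                 "/ImageGroup:$ImageGroup", "/Name:$ImageName")

# 2. Prestage the client by its GUID (this creates its computer account) and attach
#    the unattend file that answers the WDS client screens.
Invoke-WdsUtil @('/Add-Device', "/Device:$DeviceName", "/ID:$DeviceGuid",
                 "/WdsClientUnattend:$ClientXml")

# 3. Associate the Setup unattend file with the image so the remaining phases run
#    without prompts; VHD deployment has to be fully unattended.
Invoke-WdsUtil @('/Set-Image', "/Image:$ImageName", '/ImageType:Install',
                 "/ImageGroup:$ImageGroup", "/UnattendFile:$SetupXml")

# 4. Read back what was registered. Unattend files commonly embed join credentials,
#    so keep their NTFS permissions limited to the WDS service and administrators.
Invoke-WdsUtil @('/Get-Image', "/Image:$ImageName", '/ImageType:Install',
                 "/ImageGroup:$ImageGroup")
Invoke-WdsUtil @('/Get-Device', "/Device:$DeviceName")
```

The /Get-Image and /Get-Device calls at the end are the command-line counterpart of checking the image and prestaged client in the WDS console, which is the only way to see them for a VHD image since the console cannot add one.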
Add-PSSnapin Microsoft.Windows.ServerManager.Migration
Task 2: Modify DHCP server properties and export server role settings.
• On LON-DC1, open the DHCP console and set the following properties of the
  DHCP server:
  • Scope name: Name before migration
  • Lease duration for DHCP clients: 5 hours
• In the Windows PowerShell window, run the following code to export the
  DHCP server role settings.
Task 3: Import the migrated settings and verify that they were applied.
• On LON-SVR1, configure the Windows Server Migration Tools feature by
  using the Server Manager console.
• On LON-SVR1, open the Windows PowerShell window, and run the following
  code.
Add-PSSnapin Microsoft.Windows.ServerManager.Migration
• Verify that the modifications made to DHCP have been transferred to
  LON-SVR1.
Results: After completing this exercise, you should have installed the Windows Server
Migration Tools feature and modified the DHCP server properties to export and import
the server role settings.
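The cmdlet overview in Lesson 3 and Tasks 2 and 3 of this exercise both leave the export and import commands unstated. The PowerShell script below is an added example, not the lab answer key: it uses the Windows Server Migration Tools cmdlets named in the lesson to export the DHCP Server role settings on the source server and import them on the destination. The store paths, the share name and the store password are assumptions; run Export-DhcpSettings on LON-DC1 and Import-DhcpSettings on LON-SVR1, in both cases as a member of Administrators.

```powershell
# Added example, not the lab answer key. Uses the Windows Server Migration Tools
# cmdlets to export the DHCP Server role settings on the source server and import
# them on the destination. Store paths, the share name and the password are
# assumptions. Run the export on LON-DC1 and the import on LON-SVR1.

# The migration store is protected with a password you supply; both sides need it.
$StorePassword = Read-Host -AsSecureString -Prompt 'Migration store password'

# ---- Source server (LON-DC1) --------------------------------------------------
function Export-DhcpSettings {
    param([string]$Path = 'C:\Export', [SecureString]$Password = $StorePassword)
    # WSMT ships as a snap-in, not a module, so it has to be loaded explicitly.
    Add-PSSnapin Microsoft.Windows.ServerManager.Migration -ErrorAction Stop

    # Get-SmigServerFeature lists only what WSMT can migrate from this server;
    # refuse to continue if DHCP is not among them (role missing or unsupported OS).
    if ((Get-SmigServerFeature | Out-String) -notmatch 'DHCP') {
        throw 'DHCP Server is not migratable from this computer'
    }

    # Stop the DHCP Server service while exporting so the database is consistent,
    # and start it again afterwards even if the export fails.
    Stop-Service -Name DHCPServer
    try {
        Export-SmigServerSetting -FeatureID DHCP -Path $Path -Password $Password -Verbose
    } finally {
        Start-Service -Name DHCPServer
    }
    # The store is the single svrmig.mig file the lab checks for.
    Get-Item -Path (Join-Path $Path 'svrmig.mig')
}

# ---- Destination server (LON-SVR1) --------------------------------------------
function Import-DhcpSettings {
    param([string]$Path = 'C:\Migrate', [SecureString]$Password = $StorePassword)
    Add-PSSnapin Microsoft.Windows.ServerManager.Migration -ErrorAction Stop

    # Pull the store across from the source server's share (assumed share name).
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    Copy-Item -Path '\\lon-dc1.contoso.com\export\svrmig.mig' -Destination $Path -Force

    # Look inside the store before importing anything: this lists what it holds.
    Get-SmigServerFeature -Path $Path -Password $Password

    # -Force lets the import proceed where it must overwrite existing settings.
    # If the DHCP Server role is not installed here, the import installs it.
    Import-SmigServerSetting -FeatureID DHCP -Path $Path -Password $Password -Force -Verbose

    # Make sure the service is running, then confirm the renamed scope came across.
    Start-Service -Name DHCPServer
    & netsh.exe dhcp server show scope
}

# Usage: Export-DhcpSettings on LON-DC1, then Import-DhcpSettings on LON-SVR1.
```

The try/finally around the export is the part worth copying: the source DHCP server keeps serving leases even when the export throws, which is the "old server is still operational" benefit of migration that the lesson lists.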
Note: The answers to the exercises are on the Course Companion CD.
Lab Review
Windows Server 2008 R2 reduces the effort for managing physical and virtual
servers by providing enhanced management consoles and automation for
repetitive day-to-day administrative tasks. It also helps provide improved branch
office capabilities, exciting new remote access experiences, streamlined server
management, and expanded Microsoft virtualization strategy for both client and
server computers. For example, you can use Server Manager in Windows Server
2008 R2 to manage remote systems, integrate BPA, and improve integration with
other management consoles. You can easily configure Server Core. In addition,
Windows Server 2008 R2 has many enhancements in Power Management and
Windows Server Backup. These enhancements provide better energy efficiency and
performance by reducing power consumption and lowering overhead costs.
Lesson Objectives
After completing this lesson, you will be able to:
Key Points
Server Manager provides a single interface for managing a server's identity and
system information, displaying server status, identifying problems with server role
configuration, and managing all roles installed on the server. In Windows Server
2008 R2, you can use Server Manager to manage remote computers from a
computer that is running Windows Server 2008 R2 or Windows 7.
The following table lists the changes to Server Manager in Windows Server 2008
R2.
Enhancement: Changes to server roles and features
Description: Windows Server 2008 R2 includes the following changes to roles and
features that are available for installation by using Server Manager:
• Roles
  • Terminal Services is renamed as Remote Desktop Services.
  • Print Services is renamed as Print and Document Services.
  • Universal Description, Discovery, and Integration (UDDI) Services is no
    longer available.
  • Windows Server Update Services is a new role, available for installation on
    Windows Server 2008 R2.
• Features
  • Windows BranchCache, a new feature that reduces the network bandwidth
    requirements of client computers that are located in remote offices, is
    added.
  • DirectAccess Management Console, a new feature that provides DirectAccess
    setup and monitoring capability, is added.
  • Ink and Handwriting Services, a new feature that supports handwriting
    recognition and the use of a pen or stylus with a computing surface, is
    added.
  • Windows Server Migration Tools, a new feature that enables migration of
    server roles, features, operating system settings, shares, and other data
    from computers, is added.
  • Remote Server Administration Tools (RSAT) includes additional
    administrative tools such as Active Directory Administrative Center and
    Remote Desktop (RD) Connection Broker.
  • Windows 2000 Client Support is removed from Message Queuing.
  • XPS Viewer, part of .NET Framework 3.0 features in Windows Server 2008, is
    available as a stand-alone feature.
Enhancement: Remote management with Server Manager
Description: In Windows Server 2008 R2, you can use Server Manager to perform
some management tasks on remote computers that are running Windows Server 2008
R2. To manage a computer remotely by using Server Manager, connect Server
Manager to a remote computer in the same manner that you would connect MMC for
other technologies.
Enhancement: Windows PowerShell cmdlets for Server Manager tasks
Description: You can use the following Windows PowerShell cmdlets to install,
remove, or view information about available roles:
• Add-WindowsFeature
• Get-WindowsFeature
• Remove-WindowsFeature
Enhancement: Best Practices Analyzer integration
Description: You can use BPA to reduce best practice violations by scanning one
or more roles that are installed on Windows Server 2008 R2.
• Server Core includes a new configuration tool named SConfig, which makes
initial configuration easier. Using SConfig, you can perform tasks such as
configuring network settings, renaming the computer, joining a domain,
configuring the firewall, configuring remote management, configuring Windows
Update, and enabling Remote Desktop.
Key Points
In Windows management, best practices are guidelines that are considered the
ideal way, in normal circumstances, to configure a server. For example, a best
practice in server technologies is to keep open only those ports that are required to
communicate with other networked computers, and block unused ports. While
best practice violations are not necessarily problematic, they indicate server
configurations that can result in poor performance, poor reliability, unexpected
conflicts, increased security risks, or other potential problems.
Active Directory Certificate Services (AD CS), Remote Desktop Services, Web
Server (IIS), and DNS Server. BPA for additional roles and features will be added
later, through Windows Update.
Question: What must be installed on a server to get BPA? Is BPA available for all
server roles?
Practices Analyzer
Key Points
1. On LON-DC1, in the Server Manager console, open the Add Roles Wizard and
then point out Windows Server Update Services as a new role in Windows Server
2008 R2.
2. In the Server Manager console, open the Add Features Wizard and discuss the
new features such as BranchCache, DirectAccess Management Console, Ink and
Handwriting Services, Remote Server Administration Tools (which includes
additional administrative tools), Windows Server Migration Tools, and XPS
Viewer.
3. Discuss the Events, System Services, Role Services, and Advanced Tools
sections of the Active Directory Domain Services role and also explain that Active
Question: Which DNS role should you add to run BPA against the remote
Windows Server 2008 R2 server?
Key Points
Windows Server 2008 R2 File Classification Infrastructure (FCI) provides insight
into data by automating classification processes so that you can manage the data
more effectively and economically. FCI performs automated classification based on
the defined properties. Based on the classification, FCI performs actions such as
moving files and changing permissions. These actions are included in-the-box or
provided by partners, thereby allowing organizations to build rich end-to-end
solutions for classifying and applying policies based on the classification. FCI helps
save money and reduce risk by managing files based on their business value and
impact.
You can use FCI to identify files that:
• Contain sensitive information and are located on servers with lower
security, and move the files to servers with higher security.
• Contain sensitive information, and encrypt those files.
• Are not accessed frequently, and move the files to slower storage.
• Require different backup schedules, and back up the files accordingly.
• Require different backup solutions based on the sensitivity of the
information in the files.
FCI allows you to:
• Centrally define policy-based classification of the files stored on your
intranet.
• Perform file management tasks based on the file classification that you
define, rather than on information such as the location, size, or date of the
file.
• Generate reports about the types of information stored in the files on your
intranet.
• Notify content owners when a file management task is going to be
performed on their content.
• Create or purchase custom file management solutions based on FCI.
Advantages of FCI
One of the key advantages of FCI is the ability to centrally manage the classification
of files by establishing classification policies. This centralized approach allows you
to classify user files without requiring user intervention.
With no additional third-party applications, FCI provides the following benefits:
• Provides insight into data on the file server. You can create automatic
classification rules that classify files according to the location or content of
the files. As a result, a new layer of efficiency is added, driving down the
typical costs associated with managing and protecting the file server.
• Reduces storage costs and eliminates old documents that have no business
value. Storing old, unused data can be a major expense for organizations.
Expiring files based on usage and business value can reduce both the cost
(storage and management) and the risk (information leakage) on file servers.
The in-box FCI solution provides automatically scheduled tasks that expire files
based on age, location, or other classification categories.
• Mitigates risk by customizing the location and method for data storage.
You can use FCI to run custom commands that automate management tasks
based on file name, age, location, or other classification categories of files. For
centralizing the location of sensitive data or for moving data to a less expensive
storage facility.
• Enables easier tracking of files. Reports can provide you with a powerful
tool to assess the risk of the wrong files being in the wrong place on your
servers. Using the built-in capabilities of FCI, you can create reports in a variety
of formats that contain details about files that have a particular classification.
You can also use the FCI reporting infrastructure to generate information that
can be used by other applications.
Infrastructure
Key Points
1. On LON-SVR1, create a classification property named Confidential by using
the File Server Resource Manager console.
2. On LON-SVR1, create a classification rule to assign a value to the classification
property with the following information:
• Rule name: Find Confidential
• Scope: C:\Files
• Classification mechanism: Content Classifier
• Property name: Confidential
• Property value: Yes
• Additional Classification Parameters Name: String
Question: How will you use the File Classification Infrastructure features?
Key Points
Windows Server 2008 R2 introduces significant advancements in server power
management capabilities. The Processor Power Management (PPM) engine in
Windows Server 2008 R2 has been rewritten and improved, and there are additional
power-oriented Group Policy settings. They provide the ability to fine-tune the
processor's speed and power consumption to match current demands. New
parameters for PPM further improve the power efficiency. To benefit from
improved PPM, it must be supported by your server hardware.
Core Parking
Windows Server 2008 R2 reduces processor power consumption in server
computers with multicore processors by using the Core Parking feature. The Core
Parking feature enables Windows Server 2008 R2 to reduce multicore processor
power consumption by consolidating processing onto fewer processor cores and
suspending the inactive cores. The workload of every logical core in a server is
tracked relative to all the others. The workloads of cores that are not being fully
Keeping the unutilized cores in an idle state reduces the system power
consumption. When additional processing power is required, the system activates
the idle processor cores to handle the increased processing requirements.
Centralized storage
Another strategy for reducing power used by individual servers is to centralize
their storage by using a SAN, which has a higher storage-capacity-to-power-
consumption ratio than a typical server. SAN makes more efficient use of the
available disk space, because any server can have access to the available storage on
SAN. Windows Server 2008 R2 greatly improves access to storage on SANs and
supports booting from a SAN, which eliminates the need for local hard disks in the
individual server computers. As a result, power consumption decreases.
Key Points
Windows Server 2008 R2 contains the Windows Server Backup feature, which
provides a set of wizards and tools to perform basic backup and recovery tasks for
servers. Windows Server Backup consists of an MMC snap-in, command-line tools,
and Windows PowerShell cmdlets that provide solutions for your backup and
recovery needs. Backup and recovery features are very important for the continued
operation of the services and applications running on Windows Server 2008 R2.
state by using the Windows Server Backup utility, the wbadmin.exe utility, or
Windows PowerShell cmdlets.
• Scheduled backups to volumes. In Windows Server 2008, you had to
dedicate an entire physical disk to the scheduled backup. In Windows Server
2008 R2, you can perform a scheduled backup to existing volumes in
Windows Server 2008 R2.
• Scheduled backups to network shared folders. You can now perform
scheduled backups to a network-shared folder, which was not possible in the
previous version.
• Backup management by using Windows PowerShell. You can manage
backup and restore tasks by using Windows PowerShell, including all
remoting scenarios. This includes the management of on-demand and
scheduled backups.
Key Points
1. On LON-SVR1, perform a Custom backup to the VHD drive New Volume (E:)
with the following information:
• Accept the Different options for backup
• Items for Backup: C:\Files
• Exclusions: C:\Files\File1.txt
2. On LON-SVR1, delete the file2.txt file from the C:\Files folder and then restore
the file2.txt file to the same location by using the Server Manager console.
Key Points
Windows Server 2008 R2 has several remote administration enhancements. For
example, you can use Server Manager to manage local and remote computers.
The RSAT feature of Windows Server 2008 R2 includes additional administrative
tools for remote management. As in previous versions, you can use Remote
Desktop to manage servers remotely, but RemoteApp and Desktop Connections
enables you to publish administrative tools on the Start menu, only on Windows 7
or Windows Server 2008 R2 computers.
Several tools for administering Windows Server 2008 R2 are installed together
with the operating system. Additional administrative tools are installed
when you add a server role or feature to the server. This enables you to administer
the added functionality, either locally or remotely, from the computer where that
functionality is installed. If you want to use an administrative tool from a
computer without the functionality installed, such as from another Windows Server
2008 R2 server or Windows 7 workstation, you need to install the administrative
tool there.
the RSAT collection. RSAT is a Windows Server 2008 R2 feature and you can
download it as a separate package for Windows 7. You can install RSAT on
Windows 7 to administer Windows Server 2008 R2 remotely.
If you want to administer a Windows Server 2008 R2 server from a Windows 7
workstation, you must first download and install RSAT. After you install RSAT on
Windows 7, additional Windows features will become available in the Programs
and Features applet in Control Panel. There are many administrative tools available
in RSAT, such as Server Manager, AD DS tools, and File Services tools. After you
enable some of these tools, they will be added to the Administrative Tools folder.
If you want to administer Windows Server 2008 R2 from another Windows Server
2008 R2 server, you can add the required RSAT feature by using Server Manager.
In addition to RSAT, there are other ways to administer Windows Server 2008 R2
remotely. You can use Remote Desktop or published administrative tools, if the
Remote Desktop Services role is installed and RemoteApp is configured. You can
also use Windows PowerShell remoting for remote administration. When you
perform remote administration, remember to configure the appropriate exceptions
in Windows Firewall.
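As an added example (not the handbook's own code) of the remote administration paths described above: installing RSAT components with Add-WindowsFeature on a Windows Server 2008 R2 computer, opening the firewall exceptions on the managed server, and inventorying LON-SVR1 over PowerShell remoting. The feature names RSAT-ADDS-Tools and RSAT-File-Services are assumed from Get-WindowsFeature output; confirm them before running.

```powershell
# Added example (not from the handbook). Run in an elevated Windows PowerShell
# window. Steps 1 and 4 run on the administering Windows Server 2008 R2 computer;
# steps 2 and 3 run on the server being managed (LON-SVR1 in the lab).

Import-Module ServerManager

# 1. Install the RSAT components for AD DS and File Services on this server.
#    Feature names are assumptions taken from Get-WindowsFeature RSAT*.
Get-WindowsFeature RSAT* | Format-Table Name, DisplayName, Installed -AutoSize
Add-WindowsFeature RSAT-ADDS-Tools, RSAT-File-Services

# 2. On the managed server: enable PowerShell remoting. This creates the WinRM
#    listener and the matching Windows Firewall exception in one step.
Enable-PSRemoting -Force

# 3. On the managed server: open the firewall rule groups that the MMC-based
#    RSAT consoles (Server Manager, Services, Event Viewer) depend on. Enabling a
#    group is coarser than enabling a single rule, so review each group's rules.
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes

# 4. From the administering computer: list the roles and features installed on
#    LON-SVR1 without an interactive logon, using PowerShell remoting.
Invoke-Command -ComputerName LON-SVR1 -ScriptBlock {
    Import-Module ServerManager
    Get-WindowsFeature | Where-Object { $_.Installed } |
        Select-Object Name, DisplayName
}
```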
R2 Remotely
Key Points
1. Add the AD DS Snap-ins and Command-line Tools and Server Manager to
Administrative Tools.
2. On LON-CL1, open the Server Manager console to connect LON-CL1 to LON-
SVR1.contoso.com.
3. Open the Active Directory Users and Computers console to verify whether you
can administer Contoso.com Active Directory from Windows 7.
• Question: How will you administer Windows Server 2008 R2 from a
workstation on which you cannot install Remote Server Administration Tools?
Introduction
In this lab, you will manage Windows Server 2008 R2 by using the Remote
Management services. To do this, you will install Remote Server Administration
Tools on Windows 7 and administer Windows Server 2008 R2 from a Windows 7
workstation. You will configure the file classification properties, file management
task, and classification rule to remove anonymous access to confidential files.
Finally, you will create and attach a virtual hard disk and create and run a backup
task to restore files that were deleted unintentionally.
Objectives
After completing this lab, you will be able to:
• Use Server Manager for Remote Administration
• Remove Anonymous Access to Confidential Files Automatically
• Deal with stale data
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-CL1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
Lab Scenario
You are a server administrator at Contoso, Ltd. The servers of your organization
are located in the data center and you do not have physical access to those
servers. To acquire access to those servers and manage them remotely, you need to
use the Remote Server Administration Tools. As part of your job, you are also
responsible for the file server in a data center. The file server stores a large
number of files, many of which have been stored for a long time and are no longer
needed for business purposes. Therefore, you need to use the File Classification
Infrastructure to locate the files that are not used or required and move them to
a specific folder. You also need to ensure that anonymous users do not have access
to confidential files. In addition, you need to evaluate the new features of
Windows Server Backup.
workstation.
• On LON-CL1, open the Server Manager console to connect LON-CL1 to LON-
SVR1.contoso.com.
• Open the Active Directory Users and Computers console to verify whether you
can administer Contoso.com Active Directory from Windows 7.
Results: After completing this exercise, you should have connected LON-DC1 to LON-
SVR1 to enable remote management. You should have also installed Remote Server
Administration Tools on Windows 7 to administer Windows Server 2008 R2 from
Windows 7.
• Scope: C:\Files
• Type: Custom
• Executable: c:\windows\system32\icacls.exe
• Arguments: [Source File Path] /remove:g Everyone
• Command security: Local System
• Property: Confidential
• Operator: Equal
• Value: Yes
Review the report and verify that it lists the file1.txt file as classified
Confidential.
• Run the Classification Rules by using the File Server Resource Manager console
and wait until the execution completes.
Review the report and verify that the Everyone group no longer has access to
file1.txt, because it contains Confidential information, but still has access to
file2.txt and file3.txt.
Results: After completing this exercise, you should have configured and run the
classification property, the classification rule, and the File Management Task to remove
anonymous access to confidential files.
Review the report and verify that all expired files have been moved to the Expired folder
in drive C.
Results: After completing this exercise, you should have configured and run the File
Management Task to remove the data that has not been modified for two years.
• On LON-SVR1, delete the file2.txt file from the C:\Files folder, and then
restore the file2.txt file to the same location by using the Server Manager
console.
Results: After completing this exercise, you should have created and attached a
virtual hard disk, backed up to it, and restored files from that backup.
Note: The answers to the exercises are on the Course Companion CD.
1. How will you create a default schedule set for 9:00 A.M. daily?
On the Schedule tab, click Create, and then in the Schedule dialog box, click New.
Review Questions
1. What are the advantages of Windows Server 2008 R2 Enterprise edition over
Windows Server 2008 R2 Standard edition?
2. How can you completely automate the installation of Windows Server 2008
R2 Standard?
3. How will you deploy VHD by using WDS in Windows Server 2008 R2?
4. You want to test the remote management capability of Server Manager. When
you try to connect to a remote server, you get an error. What is the probable
reason for the error?
5. How can you administer Windows Server 2008 R2 from a Windows 7
workstation?
Tools
Tool Use Where to find it
Module 2
Configuring Active Directory in Windows Server
2008 R2
Contents:
Lesson 1: Configuring Active Directory Domain Services Features 2-4
Lab 2A: Configuring Active Directory Domain Services Features 2-35
Lesson 2: Configuring Group Policy in Active Directory Domain Services 2-46
Lesson 3: Features of Other Active Directory Server Roles 2-77
Lab 2B: Configuring Group Policy in Active Directory Domain Services 2-86
Module Overview
Active Directory Domain Services (AD DS) in Windows Server® 2008 R2 includes
many new features such as Active Directory Administrative Center, a new task-
oriented administrative tool for managing Active Directory; Best Practices Analyzer
(BPA), a management tool which helps you implement best practices in the
configuration of your Active Directory environment; and Active Directory Recycle
Bin, which is a tool for recovering deleted objects and requires Windows Server
2008 R2 forest functional mode.
Group Policy is an important management technology that has several new
features in Windows Server 2008 R2, such as System Starter GPO, AppLocker, and
advanced audit policy.
In addition to the new features in AD DS, Windows Server 2008 R2 also includes
new features in other Active Directory–related roles, such as Active Directory
Certificate Services (AD CS) and Active Directory Rights Management Services (AD
RMS). In this module, you will explore some of the most important new features in
Active Directory and their benefits, and learn how to configure and use them.
In Windows Server 2008 R2, the AD DS role includes many new features, such as
Active Directory Recycle Bin, Active Directory Web Services, and Offline Domain
Join. You can configure these features to improve Active Directory manageability,
supportability, and performance.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Active Directory features in Windows Server 2008 R2.
• Describe Active Directory Administrative Center.
• Configure Active Directory Administrative Center.
Key Points
You can manage identities and relationships in network environments by using AD
DS. In the Windows Server 2008 R2 operating system, AD DS includes many new
features that help improve Active Directory manageability, supportability, and
performance.
AD DS in Windows Server 2008 R2 includes the following improvements:
• New domain and forest functional level. Windows Server 2008 R2 includes a
new Active Directory domain and forest functional level. Many of the new
features in AD DS, such as Active Directory Recycle Bin or authentication
mechanism assurance, require the Windows Server 2008 R2 domain or forest
functional level.
• Active Directory Administrative Center. Active Directory Administrative
Center is a task-based management console that is based on the new
Windows® PowerShell cmdlets in Windows Server 2008 R2. Active Directory
Question: Can you test the new Active Directory features in an existing testing
environment that includes Windows Server 2003 domain controllers?
Key Points
In Windows Server 2008 operating systems, you can use the Active Directory
Users and Computers Microsoft Management Console (MMC) snap-in to manage
and publish information in Active Directory. In addition, you can use Active
Directory Administrative Center to manage the directory objects.
Administrative Center
Key Points
1. Perform the following steps by using the Active Directory Administrative
Center console:
• Clear the Getting Started check box and verify that the Getting Started
pane disappears.
• In the Address box, enter cn=users,dc=contoso,dc=com and verify that the
Users container is selected in the Navigation pane.
• Filter the content of the window.
• Add the Builtin container to the Navigation pane.
2. View the users named Michael in the Finance group by using the Filter
option of the Active Directory Administrative Center console and set the
following user account properties:
Password: Pa$$w0rd
Confirm password: Pa$$w0rd
5. On LON-DC1, open the Services console to stop the Active Directory Web
Services service.
6. On LON-SVR1, open the Active Directory Administrative Center console to
verify whether the contoso domain is accessible.
7. On LON-DC1, start the Active Directory Web Services service by using the
Services console.
8. On LON-SVR1, verify whether the contoso domain is accessible after starting
the Active Directory Web Services service.
Question: How will you add a Builtin container to the Contoso.com domain?
Key Points
When you configure AD DS, you might forget to follow the best practices and rely
on the default configuration. For example, you might forget to configure the PDC
emulator to synchronize time with an external time source, or you might place the
Global Catalog and the Infrastructure Master role on the same domain controller
in a multi-domain environment. This can cause problems and limit functionality.
BPA helps by scanning the AD DS server role, comparing the current settings with
best practices and recommendations, and suggesting what should be modified to
comply with them. You can use AD DS BPA to scan the AD DS server role on Windows
Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server
domain controllers, and it provides best practices violation reports. You can
filter or exclude unwanted results from the AD DS BPA reports. You can perform
AD DS BPA tasks by using Server Manager or Windows PowerShell cmdlets.
Benefits of AD DS BPA
AD DS BPA provides the following benefits:
• Validates configuration information
• Enhances infrastructure performance and reliability
• Improves SLA compliance performance
• Focuses on common Domain Name System (DNS) issues such as analyzing
whether:
• SRV records for a domain controller are registered with its DNS Server.
• A/AAAA records of a domain controller are registered with its DNS Server.
• Domain controller has a valid host name.
• The Schema Naming Master and Domain Naming Master Flexible Single
Master Operations (FSMO) roles are on the same computer.
• The Primary Domain Controller (PDC) Emulator and Routing Information
Daemon (RID) Master roles are on the same computer.
• Each domain has at least two domain controllers.
AD DS BPA rules
AD DS BPA is available on the home page of the AD DS server role and includes
over 35 different configuration rules. AD DS BPA can scan and verify the following
AD DS configuration rules:
• DNS-related rules
• Operations master connectivity rules
• Operations master role ownership rules
• Number of controllers in the domain rule
• Required services-related rules
• Replication configuration rules
• Windows Time service (W32time) configuration rules
• Virtual machine configuration rule
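The Windows PowerShell side of BPA that this lesson and the earlier Server Manager topic refer to, as an added example (not from the handbook): scanning the AD DS role on a Windows Server 2008 R2 domain controller, filtering the report down to violations, and excluding a reviewed result. The assumption that the AD DS model Id contains "DirectoryServices" and the sample result title used for the exclusion are marked in comments.

```powershell
# Added example (not from the handbook). Run in an elevated Windows PowerShell
# window on a Windows Server 2008 R2 domain controller; BPA ships with Server
# Manager, so nothing beyond the AD DS role needs to be installed.
Import-Module BestPractices

# A BPA model exists only for roles that ship with BPA support, which is why BPA
# is not available for every role. List what this server has.
Get-BpaModel | Format-Table Id, LastScanTime -AutoSize

# Pick the AD DS model by Id instead of hard-coding the full string.
# Assumption: the Id contains 'DirectoryServices', as it does on 2008 R2.
$adModel = Get-BpaModel | Where-Object { $_.Id -like '*DirectoryServices*' }

# Run the scan, then read the stored results.
Invoke-BpaModel -ModelId $adModel.Id
$results = Get-BpaResult -ModelId $adModel.Id

# Compliant rules are reported with Severity 'Information'; keep only the
# Error and Warning results, which are the actual violations.
$results |
    Where-Object { $_.Severity -ne 'Information' } |
    Select-Object Severity, Category, Title, Problem, Resolution |
    Format-List

# Exclude a result that has been reviewed and accepted so it stays out of
# future reports. The title pattern is an assumption; match on your own output.
$results |
    Where-Object { $_.Title -like '*at least two domain controllers*' } |
    Set-BpaResult -Exclude $true
```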
Key Points
Accidental deletion of Active Directory objects is a common problem for AD DS
and AD LDS administrators. In Windows Server 2008 Active Directory domains,
you can recover accidentally deleted objects from backups by using authoritative
restore or through tombstone reanimation.
In Windows Server 2003 Active Directory and Windows Server 2008 AD DS, you
can also recover deleted objects through tombstone reanimation, because deleted
objects are not physically removed from the database immediately. Although the
object is not removed, the object's distinguished name is mangled, most of the
object's non-link-valued attributes are cleared, and the object's link-valued
attributes are physically removed. The object is then moved to a special container
in the object's naming context called Deleted Objects. The object, now called a
tombstone, becomes invisible to normal directory operations. However, it remains
in the Deleted Objects container in a logically deleted state throughout the
tombstone lifetime period.
You can reanimate and recover the tombstone anytime within the tombstone
lifetime period and activate the Active Directory object again. After the expiry
of the tombstone lifetime period, the logically deleted object is turned into a
recycled object. For a reanimated object, you cannot recover the link-valued
attributes that were physically removed or the non-link-valued attributes that
were cleared. Therefore, you cannot rely on tombstone reanimation as the ultimate
solution to accidental deletion of objects.
Question: Can you use the Active Directory Recycle Bin feature if you have only
Windows Server 2008 and Windows Server 2008 R2 domain controllers in your
environment?
Recycle Bin
Key Points
1. On LON-DC1, raise the forest functional level to Windows Server 2008 R2 by
using the Active Directory Domains and Trusts tool.
2. Delete the objects, Jay Hamlin and Demo OU, to view the difference between
the deleted objects without enabling the Active Directory Recycle Bin feature.
3. Open the Administrator: Active Directory Module for Windows PowerShell
window and run the following command to view the state of the Active
Directory Recycle Bin feature.
Get-ADOptionalFeature -Filter *
4. Run the following command to enable the Active Directory Recycle Bin feature.
5. Run the following command to view the state of the Active Directory Recycle
Bin feature.
Get-ADOptionalFeature -Filter *
8. Run the following command to verify that the Sara Davis user object is in the
Recycle Bin.
9. Run the following command to verify that the Ron Gabel user account is in the
Recycle Bin.
10. Run the following command to verify that the organizational unit, Demo is in
the Recycle Bin.
12. Run the following command to restore the Finance Temporary Employees
group by using the Administrator: Active Directory Module for Windows
PowerShell window.
13. Run the following command to restore the Europe organizational unit by
using the Administrator: Active Directory Module for Windows PowerShell
window.
14. Verify that the Sara Davis user account, Finance Temporary Employees group,
and Europe organizational unit are restored by using the Active Directory
Administrative Center console.
15. Check whether the properties of Finance Temporary Employees group are
preserved.
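The commands that steps 4 and 8 through 13 refer to are not reproduced on this page; the following is an added example, not the handbook's own code, that walks the same procedure with the Active Directory module cmdlets. It assumes the forest is contoso.com, that the forest functional level has already been raised, and uses the object names from the steps above.

```powershell
# Added example (not from the handbook). Run in the Active Directory Module for
# Windows PowerShell on LON-DC1 after the forest functional level has been raised
# to Windows Server 2008 R2.
Import-Module ActiveDirectory

# Steps 3 and 5: view the optional features. EnabledScopes stays empty until the
# Recycle Bin has been enabled, which is how you tell the two states apart.
Get-ADOptionalFeature -Filter * | Format-List Name, EnabledScopes

# Step 4: enable the Recycle Bin for the contoso.com forest. This cannot be
# undone, so the cmdlet asks for confirmation unless it is suppressed.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com' -Confirm:$false

# Steps 8 to 10: deleted objects sit in the Deleted Objects container and are
# hidden from normal queries, so -IncludeDeletedObjects is required. Deletion
# appends "DEL:<guid>" to the name, hence the wildcard match on the name prefix.
function Get-DeletedAdObject {
    param([string]$Name)
    Get-ADObject -Filter { isDeleted -eq $true -and name -like $Name } `
        -IncludeDeletedObjects -Properties lastKnownParent
}
Get-DeletedAdObject -Name 'Sara Davis*'
Get-DeletedAdObject -Name 'Ron Gabel*'
Get-DeletedAdObject -Name 'Demo*'

# Steps 12 and 13: restore. A container must be restored before the objects it
# held, so the Europe OU goes first; Restore-ADObject reads the saved
# lastKnownParent to put each object back where it was.
Get-DeletedAdObject -Name 'Europe*' | Restore-ADObject
Get-DeletedAdObject -Name 'Finance Temporary Employees*' | Restore-ADObject
Get-DeletedAdObject -Name 'Sara Davis*' | Restore-ADObject

# Step 15: confirm that attributes survived. Link-valued attributes such as
# member are what tombstone reanimation could not bring back.
Get-ADGroup 'Finance Temporary Employees' -Properties member, description |
    Format-List Name, Description, member
```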
Question: Which command should you use to view the current state of the
Active Directory Recycle Bin feature?
Key Points
Active Directory Web Services (ADWS) in Windows Server 2008 R2 provides a
Web service interface to Active Directory domains, Active Directory Lightweight
Directory Services (AD LDS) instances, and Active Directory Database Mounting
Tool instances that are running on the same Windows Server 2008 R2 server as
ADWS. ADWS is used by Windows Server 2008 R2 or Windows 7 client
applications such as the Active Directory module for Windows PowerShell or
Active Directory Administrative Center. If the ADWS service on a Windows Server
2008 R2 server is stopped, client applications that use the Web service interface
cannot access and manage any directory service instances. However, applications
that use Active Directory Service Interfaces (ADSI) can still access directory service
instances.
When you add the AD DS or AD LDS server role to Windows Server 2008 R2
server, ADWS is added automatically. The ADWS service is also added if you
promote Windows Server 2008 R2 server to a domain controller by running
Dcpromo.exe or if you create an AD LDS instance on Windows Server 2008 R2
server.
Question: Can you access Active Directory by using the Web service interface
when all domain controllers in your network are running Windows Server 2008?
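The dependency described above can be checked from any Windows Server 2008 R2 or Windows 7 computer that has RSAT. The following is an added example (not from the handbook) that discovers the domain controller the Active Directory module will use for ADWS, checks the service and its TCP 9389 endpoint, and shows that an ADSI (LDAP) query keeps working when ADWS is stopped. The forest name contoso.com is an assumption.

```powershell
# Added example: which DC serves ADWS for this session, and is it reachable?
Import-Module ActiveDirectory

# Locate a DC in the nearest site that advertises the ADWS service.
$dc     = Get-ADDomainController -Discover -Service ADWS -NextClosestSite
$dcName = [string]$dc.HostName
"AD module will use $dcName"

# Service state on that DC (WMI, because Get-Service reports no start mode in PowerShell 2.0).
Get-WmiObject -Class Win32_Service -ComputerName $dcName -Filter "Name='ADWS'" |
    Select-Object Name, State, StartMode

# ADWS listens on TCP 9389; firewalls between RSAT hosts and DCs must allow it.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($dcName, 9389); "TCP 9389 on ${dcName}: open" }
catch   { "TCP 9389 on ${dcName}: blocked, or ADWS is not listening" }
finally { $tcp.Close() }

# Pin the AD cmdlets to that DC explicitly, which matters when site discovery
# would otherwise pick a Windows Server 2008 DC that has no ADWS at all.
Get-ADDomain -Server $dcName | Select-Object DNSRoot, DomainMode

# ADSI/LDAP does not depend on ADWS: this still answers when the service is stopped.
([ADSI]"LDAP://contoso.com/RootDSE").dnsHostName
```

If the TCP check fails while the service shows State = Running, the problem is the network path, not the DC; the Active Directory module and Active Directory Administrative Center then fail with "Unable to find a default server with Active Directory Web Services running", while tools built on ADSI (Active Directory Users and Computers, for example) continue to work.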
Key Points
Service accounts
One of the security challenges for critical network applications is selecting the
appropriate type of account for the application to run as. On a local computer, you
can configure the application to run as Local Service, Network Service, or Local
System. These built-in service accounts are easy to configure and use. However, they
are shared by multiple applications and services and cannot be managed at the
domain level.
If you configure the application to use a domain account, you can isolate the
privileges granted to that application. You must then manage the account password
manually or build a custom solution for managing it. Many Microsoft® SQL Server® and
IIS deployments use this strategy to enhance security. In these deployments, service
administrators spend additional time on maintenance tasks such as managing
administrators.
Key Points
A domain join establishes a trust relationship between a computer running a
Windows operating system and an Active Directory domain. This operation
requires state changes to AD DS and state changes on the computer that is joining
the domain.
Offline domain join is a process that joins computers running Windows 7 or
Windows Server 2008 R2 to a domain in AD DS without the joining computer having
network connectivity to a domain controller. To perform an offline domain join, you
run the Djoin.exe command-line tool twice: once to provision the computer account
and save the result to a file, and once on the joining computer to apply that file.
You can use offline domain join to add computers to a domain in locations where
there is no connectivity to a corporate network. For example, an organization
might need to deploy many virtual machines in a data center. Offline domain join
makes it possible for the virtual machines to be joined to the domain when they
initially start after the installation of the operating system. There is no additional
restart and network connectivity to the domain controller required to complete the
Key Points
3. Verify that the LON-SVR2 computer account has been created. Then, to
display the contents of the provisioning file, run the following command in the
Command Prompt window.
type c:\share\LON-SVR2.djoin
password, Pa$$w0rd.
5. Copy LON-SVR2.djoin from \\LON-DC1\Share to Local Disk (C:) on LON-SVR2.
6. On LON-SVR2, run the following command to add the LON-SVR2 server as a
member of the Contoso.com domain.
Key Points
Authentication mechanism assurance is a new AD DS feature in Windows Server
2008 R2. This feature is not enabled by default. It requires a domain functional
level of Windows Server 2008 R2, a certificate-based authentication infrastructure,
Active Directory Federation Services (AD FS), and additional configuration.
When you enable the authentication mechanism assurance, it adds an
administrator-designed universal group membership to a user's access token when
the user's credentials are authenticated during logon with a certificate-based logon
method. This allows network resource administrators to control access to
resources such as files, folders, and printers, based on whether the user logs on
with a certificate-based logon method and the type of certificate that is used for
logon.
For example, when a user logs on with a smart card, access to resources may be
different from the access when the user does not use a smart card and logs on with
is no difference between the access token of a user who logs on with certificate-
based authentication and the access token of a user who logs on with a different
authentication method.
Authentication mechanism assurance can be beneficial for organizations that use
certificate-based authentication methods such as smart card or token-based
authentication systems. Organizations that do not use certificate-based
authentication methods will not be able to use authentication mechanism
assurance, even if they have the domain functional level set to Windows Server
2008 R2.
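The "additional configuration" mentioned above is a link between a certificate issuance policy and a universal group. The following is an added example (not from the handbook) of creating that link with the Active Directory module for Windows PowerShell; the group name, the issuance policy name and the assumption that the policy has already been added to the smart card certificate template's Issuance Policies are all hypothetical.

```powershell
# Added example: link a certificate issuance policy to a universal group so that
# logons with a certificate carrying that policy get the group in their token.
Import-Module ActiveDirectory

$groupName  = 'SmartCard-Assured'            # assumption: name of the AMA group
$policyName = 'Contoso Smart Card Logon'     # assumption: issuance policy display name
$configNC   = (Get-ADRootDSE).configurationNamingContext

# 1. The linked group must be a universal security group with no members.
#    AD DS rejects the link otherwise, and membership of a linked group comes
#    only from the issuance policy at logon, never from direct assignment.
$group = Get-ADGroup -Filter { Name -eq $groupName } -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security `
                         -Path "CN=Users,$((Get-ADDomain).DistinguishedName)" -PassThru
}
if (Get-ADGroupMember -Identity $group) { throw "$groupName must be empty before it can be linked" }

# 2. Issuance policies are OID objects in the configuration partition.
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"
$oid = Get-ADObject -SearchBase $oidContainer -Filter { displayName -eq $policyName } `
                    -Properties msPKI-Cert-Template-OID, msDS-OIDToGroupLink
if (-not $oid) { throw "Issuance policy '$policyName' not found; define it in Certificate Templates first" }

# 3. The link is the msDS-OIDToGroupLink attribute on the OID object.
Set-ADObject -Identity $oid -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# 4. Verify from both ends; msDS-OIDToGroupBL is the back-link on the group.
Get-ADObject -Identity $oid -Properties msPKI-Cert-Template-OID, msDS-OIDToGroupLink |
    Select-Object Name, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
Get-ADGroup -Identity $group -Properties msDS-OIDToGroupBL |
    Select-Object Name, 'msDS-OIDToGroupBL'
```

To confirm the effect, log on to a Windows 7 client with a smart card certificate issued from the template that carries the policy and run whoami /groups: the linked group appears in the token. Log on again with a password and it does not, which is what makes the group usable in ACLs on sensitive shares. The domain functional level must already be Windows Server 2008 R2, otherwise the attribute is ignored at logon.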
Features
Introduction
In this lab, you will configure Active Directory Domain Services features. To do
this, you will install and configure the Active Directory Administrative Center. You
will also enable the Active Directory Recycle Bin feature and use it to restore
deleted Active Directory objects. Finally, you will configure and test the offline
domain join feature.
Objectives
After completing this lab, you will be able to:
• Install and configure the Active Directory Administrative Center
• Configure and test Active Directory Recycle Bin
• Configure an Offline Domain Join
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
Lab Scenario
You are a server administrator at Contoso, Ltd. Your organization has deployed a
Windows Server 2008 R2 domain controller and wants to take advantage of the new
Active Directory features. To do this, you first establish an Active Directory
test environment and manage it with the Active Directory Administrative Center. You
then use the Active Directory Recycle Bin feature to restore Active Directory objects
that were deleted unintentionally, and the offline domain join feature to add a
server to the domain without connectivity to a domain controller.
If the Server Manager window does not appear, on the Start menu of LON-SVR1, point
to Administrative Tools, and then click Server Manager.
• Use the Filter option of the Active Directory Administrative Center console to
view the users named Michael in the Finance group, and then define a query with
the following criteria:
• Add criteria: Users with disabled/enabled accounts and Users
whose password has an expiration date/no expiration date
• Query Name: Enabled-no expiry
• Users with accounts in this state: enabled
• Run the Enabled-no expiry query, locate the user Jeff Ford in the results, and
then modify the properties of Jeff Ford by adding him to the Finance group.
• Create a new user for the Finance group with the following information:
• Full name: Jay Hamlin
• User SamAccountName logon: johane
• Select Password never expires
• Password: Pa$$w0rd
• Confirm password: Pa$$w0rd
Results: After completing this exercise, you should have used the Active Directory
Administrative Center to query user accounts and to create a new user account.
Get-ADOptionalFeature –Filter *
• Run the following command to enable the Active Directory Recycle Bin feature.
• Run the following command to view the state of the Active Directory Recycle
Bin feature.
Get-ADOptionalFeature –Filter *
The EnabledScopes property is now populated, which indicates that the Recycle Bin
feature is enabled for the forest.
Task 3: Verify that the deleted objects are in the Recycle Bin.
• On LON-DC1, run the following command to view the entire content of the
Active Directory Recycle Bin feature by using the Active Directory Module for
Windows PowerShell window.
Verify that two user accounts, Sara Davis and Ron Gabel, Finance Temporary Employees
group account, and Europe organizational unit are there in the Recycle Bin. Make a note
of the ObjectGUID for Sara Davis, Ron Gabel, Finance Temporary Employees, and Europe.
• Run the following command to verify that the Sara Davis user object is in the
Recycle Bin.
• Run the following command to verify that the Ron Gabel user account is in the
Recycle Bin.
• Run the following command to verify that the Demo organizational unit is in
the Recycle Bin.
• Run the following command to restore the user account for Sara Davis by
using the Administrator: Active Directory Module for Windows PowerShell
window.
Results: After completing this exercise, you should have enabled the Active Directory
Recycle Bin feature.
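The demonstration steps earlier in this module and the lab exercise above both rely on commands that the extracted text no longer shows. The following is an added example (not the handbook's own command list) of the complete sequence in the Active Directory module for Windows PowerShell: checking the prerequisite forest functional level, enabling the feature, listing the Deleted Objects container, and restoring an OU together with the objects that were deleted inside it. The object names follow the lab; the assumption that Europe was an OU whose children were deleted with it is an example scenario.

```powershell
# Added example: enable the Recycle Bin and restore deleted objects in the right order.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext

# Prerequisite: Windows Server 2008 R2 forest functional level. Raising it is irreversible.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm:$false
}

# Enabling the optional feature is irreversible too; EnabledScopes is empty until it is done.
$rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($rb.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet `
                             -Target $forest.RootDomain -Confirm:$false
}
Get-ADOptionalFeature -Filter * | Select-Object Name, EnabledScopes

# How long deleted objects stay restorable (default 180 days).
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
             -Properties msDS-DeletedObjectLifetime | Select-Object 'msDS-DeletedObjectLifetime'

# Everything in the Deleted Objects container, with the original name and parent.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and name -ne "Deleted Objects" } `
                        -IncludeDeletedObjects `
                        -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged
$deleted | Select-Object 'msDS-LastKnownRDN', ObjectClass, lastKnownParent, whenChanged, ObjectGUID

# Restore leaf objects by their original name instead of pasting GUIDs.
$deleted | Where-Object { @('Sara Davis', 'Finance Temporary Employees') -contains $_.'msDS-LastKnownRDN' } |
    Restore-ADObject

# Restore an OU and then the objects that were deleted with it. The parent must
# come back first: Restore-ADObject fails while lastKnownParent does not exist.
$ou = $deleted | Where-Object { $_.ObjectClass -eq 'organizationalUnit' -and $_.'msDS-LastKnownRDN' -eq 'Europe' }
$ouDeletedDn = $ou.DistinguishedName          # mangled DN inside CN=Deleted Objects
Restore-ADObject -Identity $ou.ObjectGUID
Get-ADObject -Filter { lastKnownParent -eq $ouDeletedDn } -IncludeDeletedObjects |
    Restore-ADObject

# Linked attributes survive deletion, so group membership comes back with the group.
Get-ADGroup -Identity 'Finance Temporary Employees' -Properties Members | Select-Object Name, Members
```

Before the feature is enabled, the same Get-ADObject query still returns tombstones, but they carry only a handful of attributes and cannot be restored intact; that is the difference the demonstration asks you to observe with the Jay Hamlin and Demo OU objects.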
Task 2: Verify that the computer account has been created in Active
Directory.
• Verify that the LON-SVR2 computer account has been created. Then, to
display the contents of the provisioning file, run the following command in the
Command Prompt window.
type c:\share\LON-SVR2.djoin
Results: After completing this exercise, you should have created a computer account
for an offline domain join in Active Directory.
Note: The answers to the exercises are on the Course Companion CD.
Lab Review
1. How will you enable the Active Directory Recycle Bin feature?
You need to raise the forest functional level to Windows Server 2008 R2 before you
can enable the Active Directory Recycle Bin feature. You can raise the forest
functional level with the Active Directory Domains and Trusts console or with the
Active Directory module for Windows PowerShell; either way, the change cannot be
reversed. You then enable the feature from the Active Directory module for Windows
PowerShell, which is also a one-way operation.
2. Which command should you use to provision a computer account for offline
domain join?
You should use the Djoin.exe command to provision a computer account for an
offline domain join.
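The demonstration, the lab exercise and the review question above all center on Djoin.exe, but the extracted text omits the commands. The following is an added example (not the handbook's own step list) of both halves of an offline domain join, with the checks a practitioner runs at each end. The domain, the target OU and the file paths are assumptions.

```powershell
# Added example: offline domain join, provisioning side on LON-DC1 and request
# side on LON-SVR2. Domain, OU and paths are assumptions.

# --- On LON-DC1 (any computer with rights to create computer objects) ---
$domain = 'contoso.com'
$ou     = 'OU=Servers,DC=contoso,DC=com'
$blob   = 'C:\share\LON-SVR2.djoin'

# Creates the computer account and writes the provisioning blob. Add /reuse to
# re-provision an account that already exists (its password is reset); without
# it djoin fails when the name is already taken.
djoin.exe /provision /domain $domain /machine LON-SVR2 /machineou $ou /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The account exists immediately, before the server has ever contacted a DC.
Import-Module ActiveDirectory
Get-ADComputer -Identity LON-SVR2 -Properties whenCreated |
    Select-Object Name, whenCreated, DistinguishedName

# The blob carries the machine account password: treat it as a credential,
# move it over a trusted channel, and delete it once it has been applied.
Get-Item $blob | Select-Object FullName, Length, LastWriteTime

# --- On LON-SVR2, from an elevated prompt, before any restart ---
# /windowspath must point at the running installation; /localos applies the
# blob to it rather than to an offline image.
djoin.exe /requestODJ /loadfile C:\LON-SVR2.djoin /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
Remove-Item C:\LON-SVR2.djoin -Force
Restart-Computer

# --- On LON-SVR2 after the restart, once it can reach a DC ---
(Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain   # True
Test-ComputerSecureChannel -Verbose                         # secure channel is healthy
```

The type command in the lab shows the blob as a block of base64 text; that is the serialized join data including the account password, which is why the file should not sit on a broadly readable share any longer than necessary.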
Group Policy is a technology that simplifies the task of managing computers and
users in an Active Directory environment. Group Policies are an important part of
every Active Directory implementation. You can centrally manage specific
configuration parameters by editing Group Policy settings and targeting Group
Policy Objects (GPO) at the intended computers or users. Windows Server 2008
R2 Group Policies are built on the well established foundation of Windows Server
2008. In addition, Group Policies provide several new and improved features such
as System Starter GPO, AppLocker, and Windows PowerShell cmdlets for
managing Group Policies in Windows Server 2008 R2.
Lesson Objectives
After completing this lesson, you will be able to:
Key Points
Group Policy provides an infrastructure for centralized configuration management
of the operating system and applications. In Windows Server 2008 R2, Group
Policy is built on the well established foundation of the previous version and does
not introduce major changes. Windows Server 2008 R2 Group Policy is built on
the following foundations, which are available in Windows Server 2008 and
Windows Vista™:
• Group Policy infrastructure. The Group Policies are processed by Group
Policy Client service. This service is hardened and processing is more reliable
than before, when Group Policies were processed in the Winlogon process.
• Number of Group Policy settings. Group Policy provides several settings that
you can use to centrally control Windows operating systems. Number of
settings increases with each service pack and new Windows operating system
release.
new messages with an event source of Microsoft Windows Group Policy. The
Group Policy operational log replaces the previous userenv logging. The
operational event log provides improved event messages specific to Group
Policy processing.
Key Points
Starter GPO is a collection of configured administrative template policy settings
that you can use to create a GPO. You can store a collection of administrative
template policy settings in a single object by using Starter GPO and incorporate
these policy settings into a new GPO. You can import, export, or distribute Starter
GPOs to other environments.
When you create a GPO from a Starter GPO, the new GPO includes all of the
administrative template policy settings and their values defined in the Starter GPO.
In Windows Server 2008, if you want to use a Starter GPO, you need to first create
it, because no Starter GPO is available by default. However, in Windows Server
2008 R2, eight Starter GPOs are already available when you create the Starter GPO
container. If required, you can create additional Starter GPOs.
System Starter GPOs are read-only Starter GPOs that provide a baseline of settings
for a specific scenario. Similar to Starter GPOs, you can use a System Starter GPO
as a template when creating a GPO, but you cannot create System Starter GPOs or
modify them.
System Starter GPOs are included in Windows Server 2008 R2 and Windows 7
with RSAT. You do not have to download System Starter GPOs and install them
separately.
Question: How can you transfer a Starter GPO from a testing environment to a
production environment?
Key Points
Administrative templates (ADMX) files are registry-based policy settings that are
located under the Administrative Templates node of both the Computer and User
Configuration nodes in Group Policy Management Editor. This hierarchy is created
when the Group Policy Management console reads XML-based administrative
template files. ADMX administrative templates include multilanguage support, an
optional centralized data store, and version control capabilities. ADMX files are
divided into language-neutral and language-specific resources.
options
• Explain, for learning more about a policy setting
• Comment, for entering optional information about the policy setting
In Windows Server 2008 R2, these options are available at a single location in the
properties dialog box, instead of being available as three separate tabs. Moreover,
the properties dialog box is now resizable. In addition, the Explain tab, which
provides additional information about a policy setting, is now known as Help.
• Support for multistring and QWORD registry value types. In Windows
Server 2008 R2, Administrative Templates provide the support for the
multistring (REG_MULTI_SZ) and QWORD registry value types. You can
perform the following tasks by using the support for the REG_MULTI_SZ
registry value type:
• Enable a policy setting, enter multiple lines of text, and sort entries.
• Edit an existing configured setting and add new line items.
• Edit an existing configured setting and individual line items.
• Edit an existing configured setting, select one or more entries, and delete
selected entries. The entries do not have to be contiguous.
• Support for the QWORD registry value type enables you to use the
Administrative Template policy settings to manage 64-bit applications.
• New Group Policy administrative settings. Windows Server 2008 R2 and
Windows 7 with RSAT have more than 300 new administrative template policy
settings such as new settings for controlling Windows® Internet Explorer®,
Remote Desktop Services, DirectAccess, BranchCache, and Power settings.
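The central store and the new value types above can both be exercised from the GroupPolicy module. The following is an added example (not from the handbook) that creates the ADMX central store in SYSVOL and writes a REG_MULTI_SZ and a REG_QWORD policy value into a GPO. The registry key under HKLM\SOFTWARE\Policies\Contoso stands in for whatever key a custom ADMX file defines and is an assumption, as is the GPO name.

```powershell
# Added example: ADMX central store, then multi-string and QWORD policy values.
Import-Module GroupPolicy

# Central store: once this folder exists, the Group Policy Management Editor reads
# ADMX/ADML files from SYSVOL instead of the local %SystemRoot%\PolicyDefinitions,
# so every administrator sees the same set of templates.
$domain = $env:USERDNSDOMAIN        # assumption: run as a domain user
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
if (-not (Test-Path $store)) {
    Copy-Item -Path "$env:SystemRoot\PolicyDefinitions" -Destination $store -Recurse
}
Get-ChildItem -Path $store -Filter *.admx | Measure-Object | Select-Object Count

$gpoName = 'Default Desktop Configuration'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

$key = 'HKLM\SOFTWARE\Policies\Contoso\Desktop'   # assumption: key from a custom ADMX

# REG_MULTI_SZ: one entry per array element. Editing means rewriting the array,
# which is what the editor's add/delete/sort of line items does behind the scenes.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'LegalNoticeLines' -Type MultiString `
    -Value 'Authorised users only.', 'Activity is monitored and logged.' | Out-Null

# REG_QWORD: a 64-bit value, here a 16 GiB limit that would not fit in a DWORD.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'CacheLimitBytes' -Type QWord `
    -Value (16L * 1GB) | Out-Null

# Read back what registry.pol now contains for that key.
Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Type, Value
```

Set-GPRegistryValue writes registry.pol directly, so values written this way show up under Extra Registry Settings in the GPO report unless an ADMX file in the central store describes the key, which is the reason to create the store before authoring custom templates.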
Question: How can you configure new Group Policy Administrative Settings from
a Windows Server 2008 R2 member server or Windows 7 workstation?
Key Points
1. Examine the Starter GPO settings by using the Group Policy Management
console to verify the following information:
Verify that there are eight Starter GPOs pre-created
Verify that Edit option is not enabled
View the settings of Starter GPO
2. On LON-DC1, create the Custom Starter GPO, Default Desktop Configuration
with the following information:
All Settings: Filter Options
Enable Keyword Filters
Filter for word: control panel
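The Starter GPO topic and the demonstration steps above can be reproduced from the GroupPolicy module, which also answers the earlier question about moving a Starter GPO between environments. The following is an added example (not the handbook's own demonstration script); the Starter GPO name, the GPO name, the OU and the backup path are assumptions.

```powershell
# Added example: list the System Starter GPOs, create a custom Starter GPO,
# turn it into a linked GPO and export the result.
Import-Module GroupPolicy

# The eight System Starter GPOs appear once the Starter GPO container exists.
# If this returns nothing, create the container from the Starter GPOs node in
# the Group Policy Management console first.
Get-GPStarterGPO -All | Select-Object DisplayName, Id, Owner, CreationTime

# Custom Starter GPO: a template of Administrative Template settings only.
$starterName = 'Default Desktop Configuration'
$starter = Get-GPStarterGPO -Name $starterName -ErrorAction SilentlyContinue
if (-not $starter) {
    $starter = New-GPStarterGPO -Name $starterName -Comment 'Baseline desktop lockdown (test forest)'
}

# A GPO created from a Starter GPO copies every Administrative Template setting
# and value the Starter GPO defines at creation time; later edits to the Starter
# GPO do not flow into GPOs already created from it.
$gpoName = 'Desktop Configuration'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -StarterGPOName $starterName }
New-GPLink -Name $gpoName -Target 'OU=Workstations,DC=contoso,DC=com' -LinkEnabled Yes `
           -ErrorAction SilentlyContinue

# Moving to production: back up the GPO and import it into the target domain.
# The Starter GPO itself travels as a cabinet file ("Save as Cabinet" and
# "Load Cabinet" in the console); the GroupPolicy module has no cmdlet for that.
$backupDir = 'C:\GPOBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backup = Backup-GPO -Name $gpoName -Path $backupDir -Comment 'Pre-production export'
Import-GPO -BackupId $backup.Id -Path $backupDir -TargetName 'Desktop Configuration (Prod)' -CreateIfNeeded
```

Import-GPO accepts a -Domain parameter for the production domain and a migration table (-MigrationTable) when the GPO references security principals or UNC paths that differ between the test and production forests; without one, those references are imported verbatim.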
Key Points
Group Policy Preferences include more than 20 Group Policy extensions that
expand the range of configurable settings within a Group Policy Object (GPO).
These extensions are included in the Group Policy Management Editor, under the
Preferences item. Examples of the Group Policy Preferences extensions include
folder options, mapped drives, printers, scheduled tasks, services, and Start menu
settings.
Group Policy Preferences provide better targeting of client computers or users
through item-level targeting and action modes. Rich user-interfaces and standards-
based XML configurations provide flexibility over managed computers while
administering GPOs.
In addition, Group Policy Preferences allow you to deploy settings such as drive
mapping and Windows Explorer settings to client computers without restricting
the users from changing the settings. This capability allows you to decide which
settings to enforce and which settings not to enforce.
The following table summarizes the differences between Group Policy Preferences
and Group Policy settings.
Question: Why would you use Group Policy Preferences in your environment?
Key Points
1. On LON-DC1, create a shortcut to Notepad on the desktop on LON-CL1 by
using the Group Policy Management console with the following information:
Action: Create
Location: All Users Desktop
Target path: C:\Windows\System32\notepad.exe
Name: Notepad
Select Item-level targeting
Computer name: LON-CL1
2. Log off from LON-CL1.
3. Log on to LON-CL1 with the user name contoso\Administrator, and the
password, Pa$$w0rd.
If the Notepad shortcut does not appear on the desktop, run the command gpupdate /force
on LON-DC1 and LON-CL1, and then check the desktop again.
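When the shortcut still does not appear, the Group Policy operational log introduced earlier in this lesson is the place to look. The following is an added example (not from the handbook) that checks for the preference artefact on LON-CL1, lists which GPOs applied, and pulls the events of the most recent failed processing cycle out of the operational log. It assumes an elevated session on LON-CL1.

```powershell
# Added example: verify a preference item landed, then read the GP operational log.

gpupdate /force | Out-Null

# Preference items are not listed as settings in a policy result report, so
# check the artefact itself: "All Users Desktop" is the Public desktop.
$shortcut = Join-Path $env:PUBLIC 'Desktop\Notepad.lnk'
if (Test-Path $shortcut) { "Shortcut present: $shortcut" } else { "Shortcut missing: $shortcut" }

# Which GPOs applied to the computer, and which were filtered out
# (security filtering, WMI filter, disabled link, or item-level targeting).
gpresult /r /scope:computer

# The operational log (event source Microsoft-Windows-GroupPolicy) replaced
# userenv logging. Events from one processing cycle share an ActivityId, so
# find the newest critical/error/warning event and print its whole cycle.
$log = 'Microsoft-Windows-GroupPolicy/Operational'
$bad = Get-WinEvent -LogName $log -MaxEvents 200 |
       Where-Object { @(1, 2, 3) -contains $_.Level } |
       Select-Object -First 1
if ($bad) {
    Get-WinEvent -LogName $log -MaxEvents 500 |
        Where-Object { $_.ActivityId -eq $bad.ActivityId } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
} else {
    "No Group Policy errors or warnings in the last 200 operational events"
}

# Event 5312 lists the GPOs that applied; 5317 lists those that did not and why.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5312, 5317 } -MaxEvents 4 |
    Select-Object TimeCreated, Id, Message
```

A shortcut that is missing while 5312 shows the GPO as applied usually means the item-level targeting did not match (for example, a computer name typed in the wrong case is fine, but a trailing space is not); a GPO that appears in 5317 instead was never delivered to the client at all.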
Question: Specify the operating systems that are recommended for installing
Group Policy preferences CSE?
AppLocker
Key Points
AppLocker is a new feature in Windows Server 2008 R2 and Windows 7.
AppLocker replaces Software Restriction Policies (SRP), which is still supported,
but only when no AppLocker policy is applied to the computer. AppLocker
contains new capabilities and extensions that reduce administrative overhead.
Using AppLocker, you can control access and use of executables such as .exe;
Windows installer packages such as .msi and .msp; scripts such as .bat, .cmd, .js,
.ps1, and .vbs; and DLL files such as .dll and .ocx.
Using AppLocker, you can perform the following functions:
• Define rules based on file attributes derived from the digital signature,
including the publisher, product name, file name, and file version. For
example, you can create rules based on the publisher attribute that is
persistent through updates, or you can create rules for a specific version of a
file.
AppLocker rules
AppLocker provides a simple and powerful structure through three rule types:
allow, deny, and exception.
Allow rules limit execution of applications to a known list of required applications,
and they block other applications.
Deny rules allow execution of any application, except those on a list of known,
unwanted applications.
Many organizations use a combination of allow rules and deny rules. However, an
ideal AppLocker deployment would use allow rules with built-in exceptions.
Exception rules allow you to exclude files from an allow or deny rule that would
normally be included. Using exceptions, you can create a rule to allow everything
in the Windows operating system to run, except the built-in games. Using allow
rules with exceptions provides a healthy way to build a known and good list of
applications without creating many rules.
AppLocker uses the Application Identity service (AppIDSvc) for rule enforcement.
This service must be started for AppLocker rules to be enforced. To enforce
AppLocker policies, you need computers that are running Windows Server 2008
R2 or Windows 7 (Enterprise or Ultimate). You cannot use AppLocker rules to
manage computers running earlier versions of Windows.
Key Points
Software Restriction Policies (SRPs) provide you with a mechanism for identifying
programs that are allowed or prohibited to run on a computer. SRP was originally
designed in Windows XP and Windows Server 2003 to help you limit the number
of applications that required administrator access. With the introduction of User
Account Control (UAC) and emphasis of standard user accounts, fewer
applications require administrator privileges. AppLocker was introduced to expand
the goals of the original SRP by allowing you to create a comprehensive list of
applications that should be allowed to run.
Feature                     AppLocker                               Software Restriction Policies
Rule conditions provided    File hash, path, and publisher rules    File hash, path, certificate, registry path, and Internet zone rules
existing SRP rules and determine how they conceptually map to AppLocker rules.
Question: If you have Windows Vista SP2 and Windows 7 clients on your
network, can you use AppLocker to control the applications that can be run on the
clients?
Key Points
AppLocker includes three rules—allow, deny, and exception—that specify the
applications that are allowed to run on a user computer. By using default
AppLocker rules, you can automatically prevent all non-administrator users from
running programs that are installed in their user profile folder.
AppLocker includes the Automatically Generate Rules wizard for automatically
generating rules. By running this wizard on reference computers and specifying a
folder that contains the files for applications that you want to create the rules for,
you can quickly create AppLocker rules automatically.
Rule collections
The AppLocker Microsoft Management Console (MMC) snap-in is organized into
four areas called rule collections. The four rule collections are executable files,
Windows Installer files, scripts, and DLL files. These collections provide an easy
method to differentiate the rules for different types of applications. When planning
Rule collection       File formats
Executable            .exe, .com
Windows Installer     .msi, .msp
Script                .bat, .cmd, .js, .ps1, .vbs
DLL                   .dll, .ocx
Note: The DLL rule collection is not enabled by default. To enable the DLL rule
collection, right-click AppLocker, and then click Properties. On the Advanced tab,
select the Enable DLL rule collection check box, and then click OK.
Rule conditions
Rule conditions are properties of files that AppLocker uses to enforce rules. Each
AppLocker rule can use a primary rule condition. AppLocker contains the
following rule conditions:
• Publisher. This condition identifies an application based on its digital
signature and extended attributes. The digital signature contains information
about the company or the publisher name that created the application. The
extended attributes, which are obtained from the binary resource, contain the
name of the product that the application is part of and the version number of
the application. You can create this type of rule for an entire product suite,
which allows the rule in most cases to still be applicable when the application
is updated.
Question: You need to deny execution of all applications in a folder, but allow
execution of signed applications in that folder. How should you create AppLocker
rules to achieve this goal?
Key Points
AppLocker can set restrictions on files that might otherwise be accessible to users.
Before enforcing AppLocker restrictions, you need to be aware of the following
considerations:
• Once a rule collection contains rules and is enforced, AppLocker blocks every
file of that type that no rule explicitly allows. Therefore, you must maintain an
up-to-date list of allowed applications, and you should run each collection in
audit-only mode until the event log shows no unexpected blocks.
• There can be an increase in the initial number of help desk calls from the users
because of blocked applications. However, when the users identify that they
cannot run the blocked applications, the help desk calls may decrease.
• You cannot use AppLocker to manage computers that run versions of Windows
earlier than Windows 7 or Windows Server 2008 R2; those computers continue to
use Software Restriction Policies. The runtime checks cause only minimal
performance degradation.
Question: You need to create a list of the applications that are used in your
company. What would be the fastest way to create that list?
Key Points
1. Log on to LON-SVR1 with the user name CONTOSO\jeff and the password
Pa$$w0rd.
2. On LON-SVR1, verify whether jeff has access to the Notepad.
3. On LON-DC1, open Active Directory Administrative Center to verify that Jeff
Ford is a member of the Restricted Users group.
4. On LON-DC1, edit Desktop Configuration to start the Application Identity
service and set Define this policy as Automatic.
5. Create an executable AppLocker rule to restrict the users from accessing
Notepad by using the Group Policy Management Editor console with the
following information:
Permissions: Deny Restricted Users
Path: %system32%\notepad.exe
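The AppLocker material above (rule types and exceptions, the question about denying a folder except its signed files, the question about the fastest way to inventory applications, and the demonstration that denies Notepad) can all be driven from the AppLocker module on Windows Server 2008 R2 or Windows 7. The following is an added example (not the handbook's own demonstration) that builds an allow policy from a reference computer, adds a deny rule with a publisher exception, tests the merged policy against sample paths, and publishes it to a GPO in audit-only mode. The working folder, the GPO name, the publisher string, the test user and the test paths are assumptions; the paths passed to Test-AppLockerPolicy must exist on the machine running it.

```powershell
# Added example: inventory, generate, merge, test and publish an AppLocker policy.
Import-Module AppLocker
Import-Module GroupPolicy

# Enforcement needs the Application Identity service. The demonstration sets this
# through Group Policy; this does the same on the local test computer.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

$work = 'C:\AppLocker'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Inventory: scanning a reference computer is the fastest way to learn what
#    runs in the estate, and the CSV becomes the allow-list of record.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
                                      -FileType Exe, Script, WindowsInstaller
$files | Select-Object Path, Publisher, Hash | Export-Csv "$work\inventory.csv" -NoTypeInformation

# 2. Allow rules: publisher where the file is signed, hash otherwise.
#    -Optimize collapses many files from one publisher into a single rule.
$xml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone `
                           -RuleNamePrefix Contoso -Optimize -Xml
# Generated collections are NotConfigured; audit first, enforce once the logs are clean.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$xml | Set-Content -Path "$work\contoso-audit.xml"

# 3. "Deny everything in a folder except signed files": a Deny path rule whose
#    exception is a publisher condition. Deny always beats Allow, but an exception
#    removes the matching files from the deny rule entirely.
$denyRule = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny unsigned tools"
                  Description="Block C:\Tools unless signed by Contoso" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Tools\*" />
      </Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="O=CONTOSO LTD, L=LONDON, S=ENGLAND, C=GB" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$denyRule | Set-Content -Path "$work\tools-deny.xml"

# 4. Merge locally and test before touching any GPO.
Set-AppLockerPolicy -XmlPolicy "$work\contoso-audit.xml"
Set-AppLockerPolicy -XmlPolicy "$work\tools-deny.xml" -Merge
Get-AppLockerPolicy -Local -Xml | Set-Content -Path "$work\merged.xml"
Test-AppLockerPolicy -XmlPolicy "$work\merged.xml" -User contoso\jeff `
    -Path 'C:\Windows\System32\notepad.exe', 'C:\Tools\unsigned.exe', 'C:\Program Files\Contoso\app.exe' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Publish to the GPO. AppLocker policy is written to the GPO's LDAP path.
$gpo  = Get-GPO -Name 'Desktop Configuration'
$ldap = "LDAP://$($gpo.DomainName)/$($gpo.Path)"
Set-AppLockerPolicy -XmlPolicy "$work\merged.xml" -Ldap $ldap
```

Audit-only decisions are written to the AppLocker\EXE and DLL operational log as event 8003 (would have been blocked) rather than 8004 (blocked), so a clean run of 8003 events over a representative period is the signal that the collection can be switched to Enforce. Keep the default rules in the collection as well; without an allow rule for %WINDIR% and %PROGRAMFILES%, an enforced executable collection blocks the operating system's own binaries.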
Key Points
Audit policies allow you to determine the types of events that you want to audit,
such as audit system logon, file access, and object access. Using audit policies, you
can define the type of event that will be written in Event Log.
Security auditing enhancements in Windows Server 2008 R2 and Windows 7 can
help organizations to audit compliance with important business-related and
security-related rules by tracking precisely-defined activities such as:
• A group administrator has modified the settings or data on servers that contain
financial information.
• An employee within a defined group has accessed an important file.
• The correct system access control list (SACL) is applied to every file and folder
or registry key on a computer or file share as a verifiable safeguard against
undetected access.
Server 2008 R2 and Windows 7, you can track success and failure for 53 audit
settings. These 53 new audit settings allow you to specifically target the types of
activities you want to audit and eliminate the unnecessary auditing activities that
can make audit logs difficult to manage and decipher. In addition, you can easily
modify, test, and deploy audit policy settings to selected users and groups. This is
because Windows Server 2008 R2 and Windows 7 security audit policy can be
applied by using a domain Group Policy.
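The subcategory settings described above are pushed by Group Policy, but they can be set and verified on a single computer with auditpol.exe, which is the quickest way to confirm what a GPO actually delivered. The following is an added example (not from the handbook) that backs up the current policy, enables the file-access subcategory, places a SACL that produces the "employee in a defined group accessed an important file" event, applies a global object access SACL, and reads back the resulting events. The group, the folder and the backup path are assumptions.

```powershell
# Added example: advanced audit policy, a SACL, global object access auditing,
# and the events they produce. Run elevated.

# Subcategory settings win over the nine legacy categories only when this
# value is 1 (the "Force audit policy subcategory settings" security option).
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue

# Baseline before changing anything; auditpol /restore /file: brings it back.
New-Item -ItemType Directory -Path C:\Audit -Force | Out-Null
auditpol /backup /file:C:\Audit\before.csv

# Enable only the subcategories that matter here: file access (4663) and
# changes to audit policy or SACLs (4719, 4907).
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /get /category:"Object Access"
auditpol /get /category:"Policy Change"

# A SACL on the folder decides which principals and rights generate 4663.
$folder = 'C:\Finance'                       # assumption: folder to watch
$acl    = Get-Acl -Path $folder -Audit
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
              'CONTOSO\Finance', 'ReadData,WriteData,Delete',
              'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Global Object Access Auditing: a SACL applied to every file on the computer for
# the given principal, so a missing per-folder SACL cannot leave an audit gap.
auditpol /resourceSACL /set /type:File /user:CONTOSO\Finance /success /failure /access:FW
auditpol /resourceSACL /view /type:File

# Read the result. 4663 = "An attempt was made to access an object".
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message
```

Enabling "File System" success auditing on a busy file server without a narrow SACL floods the Security log; the combination of a targeted subcategory and a SACL scoped to one group is what keeps the log decipherable, which is the point the paragraph above makes about the 53 settings.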
Lesson 3
Features of Other Active Directory Server Roles
Windows Server 2008 R2 provides several new features for other Active Directory–
related server roles, such as Active Directory Certificate Services (AD CS) and
Active Directory Rights Management Services (AD RMS). AD CS includes two new
role services—Certificate Enrollment Web Service and Certificate Enrollment Policy
Web Service. AD RMS adds support for deployment and administration through
Windows PowerShell.
Lesson Objectives
After completing this lesson, you will be able to:
Key Points
AD CS is the Microsoft implementation of a public key infrastructure (PKI). AD CS
provides customizable services for creating and managing the public key certificates
used in software security systems that rely on public key technologies. Organizations
can use AD CS to enhance security by binding the identity of a person, device, or
service to a public key, and therefore to the holder of the corresponding private
key. AD CS also includes features that allow you to manage certificate enrollment
and revocation in scalable environments.
Features of AD CS
AD CS provides the following features:
• Certification Authority (CA), which:
• Configures the format and content of certificates, and issues certificates to
users, computers, and services.
AD CS role services
AD CS has the following role services:
• CAs. You can use the root CA and subordinate CAs to issue certificates to
users, computers, and services, and to manage certificate validity.
• CA Web enrollment. The CA Web enrollment service allows users to connect
to a CA by using a Web browser to request certificates, review certificate
requests, retrieve CRLs, and perform smart card certificate enrollment.
• Online Responder. The Online Responder service implements the Online
Certificate Status Protocol (OCSP) by decoding revocation status requests for
specific certificates, evaluating the status of the certificates, and returning a
signed response that contains the requested certificate status information.
• Network Device Enrollment Service (NDES). The Network Device
Enrollment Service allows routers and other network devices that do not have
domain accounts to obtain certificates based on Simple Certificate Enrollment
Protocol (SCEP).
Question: Which applications can use and benefit from digital certificates issued
by AD CS?
Server 2008 R2
Key Points
In addition to the features available in Windows Server 2008, AD CS in Windows
Server 2008 R2 introduces the following features and services that allow flexible
PKI deployments, reduce administration costs, and provide better support for
Network Access Protection (NAP) deployments:
• Certificate Enrollment Web Service and Certificate Enrollment Policy Web
Service. Certificate Enrollment Web services are new AD CS role services that
enable policy-based certificate enrollment over Hypertext Transfer Protocol
(HTTP) by using existing methods such as autoenrollment. The Web services
act as a proxy between a client computer and a CA, which makes direct
communication between the client computer and CA unnecessary, and allows
certificate enrollment over the Internet and across forests.
The Certificate Enrollment Web Service submits requests on behalf of client
computers and must be trusted for delegation. Extranet deployments of this
might not trust the service for delegation. In such instances, you can configure
the Certificate Enrollment Web Service and the issuing CA to accept only
renewal requests signed with existing certificates, which do not require
delegation. The Certificate Enrollment Web Service is available on all editions
of Windows Server 2008 R2 and can work with Enterprise CAs running on
Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
• Support for certificate enrollment across forests. Before the introduction of
enrollment across forests, CAs could issue certificates only to members of the
same forest, and each forest had its own PKI. With added support for
Lightweight Directory Access Protocol (LDAP) referrals, CAs in Windows
Server 2008 R2 can issue certificates across forests that have two-way trust
relationships. To implement this feature, Active Directory forests require
Windows Server 2003 forest functional level and two-way transitive trust, but
client computers running Windows XP, Windows Server 2003, Windows
Vista, and Windows 7 do not require updates to support certificate enrollment
across forests. Support for certificate enrollment across forests is available on
enterprise CAs running Windows Server 2008 R2 Enterprise or Windows
Server 2008 R2 Datacenter.
• Improved support for high-volume CAs. Organizations that have deployed
high-volume CAs, such as NAP with IPSec enforcement, can bypass CA
database operations to reduce the CA database size. NAP health certificates
typically expire within hours after being issued, and the CA might issue
multiple certificates per computer each day. By default, a record of each
request and issued certificate is stored in the CA database, but in Windows
Server 2008 R2 AD CS, you can bypass the CA database operations. Because
issued certificates are then not stored in the CA database, they cannot be
revoked. However, maintaining a CRL for a high volume of short-lived
certificates is often not practical or beneficial, so some organizations
might use this feature and accept the limitations on revocation. Improved
support for high-volume CAs is available on enterprise CAs running any
edition of Windows Server 2008 R2.
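The two settings above change the trust posture of a PKI: whether the enrollment Web service host can impersonate users, and whether issued certificates are ever recorded. The following PowerShell script is an added example, not course material and not Microsoft tooling; it assumes a hypothetical lab in which LON-SVR1 runs the Certificate Enrollment Web Service and the enterprise CA on LON-DC1 has the configuration string LON-DC1\contoso-LON-DC1-CA, and it is run on a Windows Server 2008 R2 domain controller with the Active Directory module and certutil available.

```powershell
# Added example (not course material): audit CES delegation and the high-volume CA
# setting. Assumed lab values: CES host LON-SVR1, CA config LON-DC1\contoso-LON-DC1-CA.
Import-Module ActiveDirectory

$CesServer = 'LON-SVR1'                    # assumption: host running the Enrollment Web Service
$CaConfig  = 'LON-DC1\contoso-LON-DC1-CA'  # assumption: <CA host>\<CA common name>

# 1. Delegation of the CES computer account.
#    TrustedForDelegation = $true is unconstrained delegation: a compromised CES host
#    could reuse users' forwarded tickets against any service in the forest.
#    Constrained delegation (msDS-AllowedToDelegateTo) limits it to the CA's HOST and
#    rpcss services; renewal-only mode removes the need for delegation entirely.
$ces = Get-ADComputer -Identity $CesServer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($ces.TrustedForDelegation) {
    Write-Warning "$CesServer is trusted for UNCONSTRAINED delegation; scope it to the CA with constrained delegation."
} elseif ($ces.'msDS-AllowedToDelegateTo') {
    "$CesServer uses constrained delegation to:"
    $ces.'msDS-AllowedToDelegateTo' | ForEach-Object { "    $_" }
} else {
    "$CesServer is not trusted for delegation; only renewal requests signed with an existing certificate can succeed."
}

# 2. Whether the CA bypasses database writes (the high-volume CA feature).
#    certutil -getreg prints the symbolic names of the flags set in DBFlags.
$dbFlags = & certutil -config $CaConfig -getreg DBFlags 2>&1 | Out-String
if ($dbFlags -match 'DBFLAGS_ENABLEVOLATILEREQUESTS') {
    $msg = "Volatile requests are enabled on {0}: certificates issued from templates marked " +
           "'Do not store certificates and requests in the CA database' are never recorded and cannot be revoked."
    Write-Warning ($msg -f $CaConfig)
} else {
    "Volatile requests are disabled on $CaConfig; every issued certificate is recorded and remains revocable."
}
# To enable the bypass deliberately (and then select the template option named above):
#   certutil -config $CaConfig -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
# followed by a restart of the Active Directory Certificate Services service.
```

Run the script before and after enabling the high-volume feature so the change in revocation coverage is recorded; treat any template that uses the bypass as one whose certificates must be short-lived, because revocation is the only other way to withdraw them.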
Question: In what way does your organization benefit from the new AD CS
features in Windows Server 2008 R2?
2-84 Configuring Active Directory in Windows Server 2008 R2
Key Points
AD RMS is an information protection technology that works with AD RMS–
enabled applications to safeguard digital information from unauthorized use inside
and outside the firewall. AD RMS is designed for organizations that need to protect
sensitive and proprietary information such as financial reports, product
specifications, customer data, and confidential e-mail messages. AD RMS augments
an organization's security strategy by protecting information through persistent
usage policies, which remain with the information no matter where it is moved. AD
RMS persistently protects any binary format of data, so the usage rights remain
with the information, rather than on an organization's network. This also enables
usage rights to be enforced after the information is accessed by an authorized
recipient, both online and offline, and inside and outside the organization.
An AD RMS system includes a Windows Server 2003, Windows Server 2008 or
Windows Server 2008 R2–based server running the AD RMS server role that
handles certificates and licensing, a database server, and the AD RMS client. The
Benefits of AD RMS
Deploying an AD RMS system in an organization provides the following benefits:
• Safeguards sensitive information. You can enable AD RMS for word
processors, e-mail clients, and line-of-business applications to protect sensitive
information. Users can define permissions to open, modify, print, forward, or
take other actions with the information. Organizations can create custom
usage policy templates, such as "confidential–read only", and apply them
directly to the information.
• Persistent protection. AD RMS augments existing perimeter-based security
solutions such as firewalls and access control lists (ACLs) by locking the usage
rights within the document. AD RMS also controls how information is used
even after it has been opened by intended recipients.
• Flexible and customizable technology. Independent software vendors (ISVs)
and developers can enable AD RMS for any application or enable other servers,
such as content management systems or portal servers, to work with AD RMS
to protect sensitive information. ISVs can integrate information protection into
server-based solutions such as document and records management, e-mail
gateways and archival systems, automated workflows, and content inspection.
AD RMS provides developer tools and industry security technologies such as
encryption, certificates, and authentication to help organizations create reliable
information protection solutions.
Enhancements in AD RMS
Windows Server 2008 R2 provides the following improvements to the AD RMS
server role:
• Windows PowerShell deployment. Prior to Windows Server 2008 R2, you
could add and provision the AD RMS role only through the Role Management
tool. In Windows Server 2008 R2, you can also add and provision the AD RMS
role by using Windows PowerShell cmdlets.
• Windows PowerShell administration. Prior to Windows Server 2008 R2, the
AD RMS administration functionality was generally available through the Role
Management tool or with scripts. In Windows Server 2008 R2, all
administration functionality for the AD RMS role is also available through
Windows PowerShell cmdlets.
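The PowerShell deployment path just described looks like the following. This is an added example, not course material or a Microsoft sample; it assumes a hypothetical root cluster on a Windows Server 2008 R2 member server in contoso.com, a cluster URL of https://rms.contoso.com with a matching server certificate already installed, and a pre-created low-privilege domain account CONTOSO\svc-adrms. The item and property names under the RC: drive are written from memory of the ADRMSInstall provider documentation and should be confirmed with Get-ChildItem RC:\ -Recurse before the script is used.

```powershell
# Added example (not course material): provision an AD RMS root cluster from
# PowerShell on Windows Server 2008 R2. Names under RC:\ follow the ADRMSInstall
# provider as remembered from its documentation; verify with Get-ChildItem RC:\.
# Assumed values: cluster URL https://rms.contoso.com, service account CONTOSO\svc-adrms.
Import-Module ServerManager
Add-WindowsFeature ADRMS | Out-Null          # installs the binaries; provisioning follows
Import-Module ADRMS

# The ADRMSInstall provider exposes the provisioning wizard's pages as a drive.
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster | Out-Null

# Configuration database: Windows Internal Database is acceptable for a lab,
# but a production cluster should use a dedicated SQL Server instance.
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true

# Cluster key: the centrally managed (software) key is protected by this password.
# It is needed to add servers to the cluster or restore it, so read it at run time
# rather than embedding it in the script, and store it with the same care as the
# key itself.
$keyPassword = Read-Host -AsSecureString 'Cluster key protection password'
Set-ItemProperty -Path RC:\ClusterKey -Name UseCentrallyManaged -Value $true
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $keyPassword

# Service account: a dedicated domain user, never a domain administrator.
$svc = Get-Credential -Credential 'CONTOSO\svc-adrms'   # assumption: pre-created account
Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $svc

# Cluster URL that clients use for certification and licensing; HTTPS keeps the
# rights-account certificates and use licenses confidential in transit.
Set-ItemProperty -Path RC:\ClusterUrl -Name InternalUrl -Value 'https://rms.contoso.com'

# Register the service connection point so AD RMS clients discover the cluster
# through Active Directory instead of a registry override.
Set-ItemProperty -Path RC:\SCP -Name RegisterSCP -Value $true

Install-ADRMS -Path RC:\ -Force
```

Once the cluster is provisioned the same module is used for administration, so the provider drive can be kept as the scripted counterpart to the AD RMS console.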
Introduction
In this lab, you will configure Group Policy in Active Directory Domain Services.
To do this, you will create a Custom Starter GPO and a Group Policy based on the
Custom Starter GPO. You will then verify the Group Policy Preferences by adding a
shortcut to Notepad, creating a new folder on drive C, and configuring drive
mapping. You will also create AppLocker rules and test the Application Control
Policy.
Objectives
After completing this lab, you will be able to:
• Use the Starter GPO
• Use Group Policy Preferences
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-CL1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
Lab Scenario
You are a server administrator at Contoso, Ltd. Currently, your organization uses
an Active Directory domain and Group Policy for centralized administration. As
part of your job, you first need to explore the new features of Windows Server
2008 R2 and check the Group Policy related options. You also need to test
Application Control Policies and Group Policy Preferences.
Task 2: Review the existing System Starter GPO and its settings.
• Examine the Starter GPO settings by using the Group Policy Management
console to verify the following information:
• Verify that there are eight Starter GPOs pre-created
• Verify that the Edit option is not enabled
• View the settings of the Starter GPO
• Based on the existing Custom Starter GPO, create a group policy with the
following information:
• GPO name: Desktop Configuration
• Source Starter GPO: Default Desktop Configuration
• Set the State
• Clear Enable Keyword Filters
• Configured: Yes
Results: After completing this exercise, you should have created a Custom Starter GPO
and a group policy based on the Custom Starter GPO.
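The Starter GPO task above can also be done with the GroupPolicy module that ships with Windows Server 2008 R2, which makes the read-only nature of the System Starter GPOs explicit. The following is an added example, not part of the lab; it assumes the lab domain contoso.com and a hypothetical OU "OU=Workstations,DC=contoso,DC=com" as the link target.

```powershell
# Added example (not lab material): create a GPO from a Starter GPO with the
# GroupPolicy module. Assumed: domain contoso.com, target OU OU=Workstations.
Import-Module GroupPolicy

# System Starter GPOs are read-only, so list and inspect them rather than edit them.
$starters = @(Get-GPStarterGPO -All)
"Starter GPOs found: $($starters.Count)"
$starters | ForEach-Object { "    " + $_.DisplayName }

# New-GPO -StarterGpoName copies the Starter GPO's Administrative Template settings
# into a new, independently editable GPO (the lab's "Desktop Configuration").
$gpo = New-GPO -Name 'Desktop Configuration' -StarterGpoName 'Default Desktop Configuration'

# Link it disabled first so the inherited settings can be reviewed before they
# reach any user or computer.
$ou = 'OU=Workstations,DC=contoso,DC=com'      # assumption: hypothetical OU
New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled No | Out-Null

# Export the settings that were copied in, then enable the link.
$reportPath = Join-Path $env:TEMP 'DesktopConfiguration.html'
Get-GPOReport -Name $gpo.DisplayName -ReportType Html -Path $reportPath
"Settings report written to $reportPath"
Set-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes | Out-Null
```

The exported report is the same information the Settings tab shows in the Group Policy Management console, and keeping a copy per change gives a simple audit trail of what a Starter GPO introduced.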
If the Notepad shortcut does not appear on the desktop, run gpupdate /force on
LON-DC1 and LON-CL1.
Results: After completing this exercise, you should have created a shortcut to Notepad
on the desktop, a new folder on drive C, and a drive mapping.
Results: After completing this exercise, you should have started the Application Identity
service and created AppLocker rules that prevent users from running Notepad.
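The AppLocker exercise can be scripted with the AppLocker module, which also shows the two points the exercise depends on: rules are enforced only while the Application Identity service runs, and an enforced rule collection with no allow rules blocks everything. The following is an added example, not lab material; it assumes a hypothetical GPO named "AppLocker Policy" in the lab domain and a hypothetical test user CONTOSO\Bob, and it runs on LON-DC1 with the GroupPolicy and AppLocker modules.

```powershell
# Added example (not lab material): deny Notepad with AppLocker from PowerShell.
# Assumed: GPO 'AppLocker Policy' exists; CONTOSO\Bob is a standard test user.
Import-Module AppLocker
Import-Module GroupPolicy

# 1. AppLocker rules are evaluated only while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Build a publisher rule for Notepad from its signature. New-AppLockerPolicy only
#    emits Allow rules, so change the Action attribute to Deny in the XML.
[xml]$policy = Get-AppLockerFileInformation -Path "$env:WINDIR\System32\notepad.exe" |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'Deny' -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exe.SetAttribute('EnforcementMode', 'Enabled')       # use AuditOnly first in production
$denyRule = $exe.SelectSingleNode('FilePublisherRule')
$denyRule.SetAttribute('Action', 'Deny')
$denyRule.SetAttribute('Name', 'Deny Notepad for Everyone')

# 3. Add the equivalent of the default rules; without them an enforced Exe
#    collection blocks the operating system itself for standard users.
#    (Rule GUIDs are arbitrary identifiers chosen for this example.)
$allowRules = @(
    @{ Id = 'a61c8b2c-a319-4cd0-9690-d2177cad7b51'; Name = 'Allow Windows folder';       Sid = 'S-1-1-0';      Path = '%WINDIR%\*' },
    @{ Id = '921cc481-6e17-4653-8f75-050b80acca20'; Name = 'Allow Program Files folder'; Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*' },
    @{ Id = 'fd686d83-a829-4351-8ff4-27c7de5755d2'; Name = 'Allow administrators';       Sid = 'S-1-5-32-544'; Path = '*' }
)
foreach ($r in $allowRules) {
    $rule = $policy.CreateElement('FilePathRule')
    $rule.SetAttribute('Id', $r.Id);           $rule.SetAttribute('Name', $r.Name)
    $rule.SetAttribute('Description', '');     $rule.SetAttribute('UserOrGroupSid', $r.Sid)
    $rule.SetAttribute('Action', 'Allow')
    $cond  = $policy.CreateElement('FilePathCondition'); $cond.SetAttribute('Path', $r.Path)
    $conds = $policy.CreateElement('Conditions');        [void]$conds.AppendChild($cond)
    [void]$rule.AppendChild($conds);                      [void]$exe.AppendChild($rule)
}
$xmlPath = Join-Path $env:TEMP 'AppLocker-DenyNotepad.xml'
$policy.Save($xmlPath)

# 4. Test before deploying. Deny wins over Allow, so Notepad is denied even though
#    it sits under %WINDIR%; cmd.exe must still be allowed.
Test-AppLockerPolicy -XmlPolicy $xmlPath -User 'CONTOSO\Bob' `
    -Path "$env:WINDIR\System32\notepad.exe", "$env:WINDIR\System32\cmd.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge into the GPO (omit -Ldap to apply to the local policy instead).
$gpo = Get-GPO -Name 'AppLocker Policy'
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap "LDAP://LON-DC1/$($gpo.Path)" -Merge
```

After gpupdate /force on LON-CL1, Get-AppLockerPolicy -Effective shows the merged result on the client, and the same Test-AppLockerPolicy call run against that output confirms what a given user will actually be able to launch.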
Review Questions
1. You would like to upgrade one of your Windows Server 2008 domain
controllers to Windows Server 2008 R2. What must you do before you can
upgrade the domain controller?
2. Can you enable the Active Directory Recycle Bin feature if you have several
Windows Server 2008 domain controllers?
3. What benefit do managed service accounts provide?
4. Can you use an offline domain join to join a Windows Vista client computer to
the domain?
5. Can you modify or delete the System Starter GPO?
Tools
Tool: Active Directory Administrative Center
Use: Task-oriented tool for managing Active Directory
Where to find it: Installed when you add AD DS. It is also part of RSAT.
Module 03
Configuring Server Virtualization by Using
Hyper-V
Contents:
Lesson 1: Configuring the Features of Windows Server 2008 R2 Hyper-V 3-4
Lesson 2: Configuring Live Migration in Hyper-V 3-21
Lesson 3: System Center Virtual Machine Manager R2 3-34
Lab: Configuring Server Virtualization by Using Hyper-V 3-52
3-2 Configuring Server Virtualization by Using Hyper-V
Module Overview
Using Windows Server® 2008 Hyper-V® virtualization, you can efficiently run
multiple different operating systems in parallel on a single server and fully
use the power of x64 computing.
In this module, you will learn how to configure the features of Hyper-V in
Windows Server® 2008 R2, such as Live Migration. You will also learn the benefits
of Live Migration. In addition, you will learn about other improvements such as
hot add or removal of SCSI storage devices, network enhancements, and improved
virtual hard disk (VHD) performance.
As Live Migration depends on failover clustering, you will learn about Cluster
Shared Volumes (CSV) and enhanced Failover Clustering Validation, which are
failover clustering enhancements in Windows Server 2008 R2.
Finally, you will review the features of System Center Virtual Machine Manager,
which is a recommended tool for managing Hyper-V in enterprise environments.
After completing this module, you will be able to:
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the features of Hyper-V in Windows Server 2008.
• Describe the Hyper-V architecture.
• Explore Hyper-V Manager Microsoft Management Console (MMC).
• Describe the features of Hyper-V in Windows Server 2008 R2.
hosts.
• Extensible virtualization. Hyper-V provides standards-based Windows
Management Instrumentation (WMI) interfaces and application programming
interface (API), so third parties can build custom tools, utilities, and
enhancements for the virtualization platform.
You can use Hyper-V for:
• Server consolidation. You can consolidate servers on fewer Hyper-V hosts
while maintaining isolation between them. This also provides better physical
hardware utilization.
• Business continuity and disaster recovery. You can reduce scheduled and
unscheduled downtime, with the ability to recover an entire computer,
including data and operating system state, to a previous point in time, a
last known good configuration, or a bare metal state.
• Testing and development. You can build a development or testing
environment that is identical to the production environment, quickly create
new VMs, and return them to a previous state.
• Dynamic data center. You can migrate VMs to the most suitable physical
hosts without any downtime.
Hyper-V Architecture
manage the processor interrupts. The partitions provide a virtual view of the processor
and run in a virtual memory address region that is private to each guest partition.
Drivers in the parent partition are used for accessing the server hardware. Child
partitions use virtualized devices through VSC drivers, which communicate
through Virtual Machine Bus (VMBus) with VSPs in the parent partition. Requests
to the virtual devices are redirected either through the VMBus or through the
hypervisor to the devices in the parent partition.
The VMBus manages the requests. The VMBus is a logical inter-partition
communication channel. The parent partition hosts VSPs, which communicate
over the VMBus to handle device access requests from child partitions. Child
partitions host VSCs, which redirect device requests to VSPs in the parent partition
through the VMBus.
Enlightened I/O
Virtual devices use the enlightened I/O feature in Hyper-V, for the following:
• Storage
• Networking
• Graphics
• Input subsystems
Enlightened I/O is a virtualization-aware implementation of high-level
communication protocols, such as SCSI, that uses the VMBus directly and
bypasses any device emulation layer. This makes communication more efficient.
platform. Can you install a 32-bit version of Windows 7 in the Hyper-V child
partition?
Key Points
1. Open Hyper-V Manager console and explore the administrative tasks such as
Virtual Machine, Hard Disk, Hyper-V Settings, Settings of the virtual machines,
and Virtual Network Manager.
2. Create a new snapshot, Snapshot1, for LON-SVR1, and then create a shortcut
on the desktop of LON-SVR1.
3. On LON-CL1, open the Hyper-V Manager console and explore how to
administer Hyper-V remotely by using the Connect to Server option.
Question: How will you transfer files from the physical computer to the virtual
machine when there is no network connectivity between them?
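The WMI interface mentioned under "Extensible virtualization" earlier is what Hyper-V Manager itself calls, so lab step 2 (a snapshot of LON-SVR1) and the remote administration of step 3 can be reproduced without the console. The following is an added example, not lab material; it assumes the VM is named LON-SVR1, that the caller is a Hyper-V administrator on the host, and it uses the root\virtualization WMI namespace that Windows Server 2008 R2 exposes.

```powershell
# Added example (not lab material): list VMs and snapshot one through the Hyper-V
# WMI provider (root\virtualization on Windows Server 2008 R2). Assumed VM: LON-SVR1.
# Pass -HostName to run from LON-CL1 the way "Connect to Server" does.
param([string]$VMName = 'LON-SVR1', [string]$HostName = '.')

$ns = 'root\virtualization'

# Msvm_ComputerSystem covers both the host (Caption "Hosting Computer System") and
# the VMs (Caption "Virtual Machine"). EnabledState values per the provider schema.
$states = @{ 2 = 'Running'; 3 = 'Off'; 32768 = 'Paused'; 32769 = 'Saved' }
Get-WmiObject -ComputerName $HostName -Namespace $ns -Class Msvm_ComputerSystem `
    -Filter "Caption='Virtual Machine'" | ForEach-Object {
        $s = $states[[int]$_.EnabledState]
        if (-not $s) { $s = "state $($_.EnabledState)" }
        '{0,-20} {1}' -f $_.ElementName, $s
    }

# A snapshot captures the VM's memory as well as its disk, so the resulting .vsv
# and .avhd files are as sensitive as the VM's virtual hard disk and must be
# protected accordingly.
$vsms = Get-WmiObject -ComputerName $HostName -Namespace $ns -Class Msvm_VirtualSystemManagementService
$vm   = Get-WmiObject -ComputerName $HostName -Namespace $ns -Class Msvm_ComputerSystem `
            -Filter "ElementName='$VMName'"
if (-not $vm) { throw "VM '$VMName' not found on host '$HostName'" }

$result = $vsms.CreateVirtualSystemSnapshot($vm.__PATH)
switch ($result.ReturnValue) {
    0    { "Snapshot of $VMName created." }
    4096 {
        # Asynchronous: poll the Msvm_ConcreteJob. JobState 3/4 = starting/running,
        # 7 = completed, anything else is a failure.
        $job = [wmi]$result.Job
        while (@(3, 4) -contains [int]$job.JobState) { Start-Sleep -Seconds 1; $job = [wmi]$result.Job }
        if ([int]$job.JobState -eq 7) { "Snapshot of $VMName created." }
        else { throw "Snapshot failed: $($job.ErrorDescription)" }
    }
    default { throw "CreateVirtualSystemSnapshot returned $($result.ReturnValue)" }
}
```

The snapshot is created with a timestamp name; it can be renamed to Snapshot1 in Hyper-V Manager. Remote calls require the caller to be in the host's Administrators group or to have been granted Hyper-V rights through Authorization Manager, and DCOM must be reachable on the host, which is the same requirement the Hyper-V Manager console has.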
Note: Hot add and removal of storage require that Integration Services are installed in
the guest operating system.
is available to VMs, if the underlying physical network supports it. VMs can
use jumbo frames up to 9,014 bytes in size. Hyper-V includes jumbo frame
support on gigabit networks and faster.
• Support for Chimney (TCP Offload). The TCP Chimney feature offloads the
processing of TCP connections from the host networking stack to the NIC.
This reduces processor usage and increases network throughput.
• Support for Virtual Machine Queue (VMQ). VMQ lets a capable NIC sort
incoming packets by destination VM and deliver them directly to that VM's
memory, which reduces the overhead of routing traffic through the parent
partition.
These two technologies allow Hyper-V to take advantage of network offload
technologies. Instead of a core CPU processing the network packets, the work
can be moved to the offload engine on a 10 Gbps network interface card (NIC),
which reduces processor usage and improves performance.
Many of the new Hyper-V features, such as VMQ, Chimney, and CPU core parking,
require compatible hardware.
Question: Will your company benefit from the new Hyper-V features in Windows
Server 2008 R2? Which new feature is most useful to you?
number of LUNs required for your VMs by using CSV. In earlier versions of
Windows, you needed one LUN per VM because the LUN was the unit of failover.
In Windows Server 2008 R2, many VMs can share a single LUN, and each VM can
fail over without causing the other VMs on the same LUN to fail over as well.
• Better use of disk space. Instead of placing each VHD file on a separate disk
with free space set aside just for that VHD file, the free space on a CSV can
be used by any VHD file on that LUN.
• Effortlessly track the paths of VHD files and other files. You can track the
paths of VHD files and other files used by VMs. You can specify the path
names, instead of using drive letters or Globally Unique Identifiers (GUID) to
identify disks. Using CSV, the path appears to be on the system drive of the
node, under the \ClusterStorage folder. Note that the same path can be viewed
from any node in the cluster.
• Fewer LUNs needed to support clustered VMs. For quick validations, you can
use a single CSV to create a configuration that supports many clustered VMs.
You can perform validation by running the Validate a Configuration Wizard in
the Failover Cluster Manager snap-in. With fewer LUNs, validation completes
faster.
• No specific hardware requirements. There are no specific hardware
requirements. CSV runs on the hardware that is required for storage in a
failover cluster. Note that CSV requires an NTFS file system.
• Increased resiliency. Resiliency is increased because the cluster can respond
correctly even if connectivity between one node and the storage area network
(SAN) is interrupted, or part of a network is down. The cluster will re-route the
CSV traffic through an intact part of the SAN or network.
Note: You need an established network path from the servers to the SAN. Usually a
separate network is used for server-to-SAN traffic. If one network fails and another
path from the server to the SAN is available, the alternative path is used.
• Optimized for VHD access. CSV is optimized for VHD access; it is only
supported with Hyper-V and is disabled by default.
Question: How can you get Cluster Shared Volumes support on Windows Server
2008 R2?
In Windows Server 2008 R2, additional tests are built into the Cluster Validation
Wizard. The earlier versions of the Cluster Validation Wizard include tests that
help you test a set of servers, networks, and the attached storage before you use
them together in a cluster. The tests are also useful for re-testing a cluster after you
make a change, for example, a change to the storage configuration. These tests
continue to be available, with an additional set of tests.
The new tests are called the Cluster Configuration tests. The new tests help you
check settings that are specified within the cluster, such as the settings that affect
how the cluster communicates across the available networks. These tests help you
analyze your current configuration. You can also use the Cluster Configuration
tests to review and archive the configuration of your clustered services and
applications. Note that this includes settings for the resources within each
clustered service or application.
With these tests, you can fine-tune your cluster configuration, track the
configuration, and identify potential cluster configuration issues before they cause
downtime. This can help you optimize your configuration and compare it against
the best practices that you have identified for your organization.
Failover clustering in Windows Server 2008 R2 also provides Windows®
PowerShell cmdlets for failover clusters and support for additional clustered
services such as Distributed File System (DFS) Replication and Remote Desktop
Connection Broker.
Question: When will you use the failover clustering Validation Wizard?
Key Points
1. On the physical computer, set the following iSCSI Initiator properties to
connect the iSCSI target to the physical computer:
• Target: 192.168.10.150
• Quick Connect: iqn.1991-05.com.microsoft:LON-SVR1-lun-01-target
2. Open the Server Manager console to create a new volume with size 15,000 MB
for Disk 1.
3. On LON-DC1, open the Server Manager console to configure the Failover
Clustering feature.
4. Open the Failover Cluster Manager console to create a cluster and run the
validation tests with the following information:
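The storage, validation, cluster and CSV steps of this lab, together with the Cluster Shared Volumes and Cluster Validation topics before it, can be run as one PowerShell script. This is an added example, not lab material; it uses the lab's node names, target portal and IQN, and assumes a hypothetical cluster name LON-CLUSTER with address 192.168.10.200, that the shared LUN appears as Disk 1 on LON-DC1, and that PowerShell remoting has been enabled on both nodes.

```powershell
# Added example (not lab material): iSCSI attach, validation, cluster creation and
# CSV setup for the lab. Assumed: nodes LON-DC1/LON-SVR1, cluster LON-CLUSTER at
# 192.168.10.200, shared LUN is Disk 1, PS remoting enabled on both nodes.
Import-Module ServerManager
Import-Module FailoverClusters

$nodes     = 'LON-DC1', 'LON-SVR1'
$portal    = '192.168.10.150'
$targetIqn = 'iqn.1991-05.com.microsoft:LON-SVR1-lun-01-target'

# 1. Attach the shared LUN on every node with the built-in iSCSI initiator CLI and
#    install the clustering feature. The lab target has no CHAP; in production use
#    CHAP and an isolated storage network, or any host on the segment can log in.
foreach ($n in $nodes) {
    Invoke-Command -ComputerName $n -ArgumentList $portal, $targetIqn -ScriptBlock {
        param($portal, $iqn)
        Set-Service -Name MSiSCSI -StartupType Automatic
        Start-Service -Name MSiSCSI
        iscsicli QAddTargetPortal $portal | Out-Null
        iscsicli QLoginTarget $iqn        | Out-Null
        Import-Module ServerManager
        Add-WindowsFeature Failover-Clustering | Out-Null
    }
}

# 2. Bring the LUN online and format it once (lab step 2); CSV requires NTFS.
@"
select disk 1
online disk noerr
attributes disk clear readonly
create partition primary
format fs=ntfs quick label=CSV1
"@ | diskpart | Out-Null

# 3. Validate before creating the cluster; a cluster whose nodes fail validation is
#    not supported. After creation, Test-Cluster -Include 'Cluster Configuration'
#    runs only the R2 configuration tests described above.
$report = Test-Cluster -Node $nodes
"Validation report: $report"

# 4. Create the cluster. CSV is disabled by default on 2008 R2, so enable it, then
#    turn the disk in Available Storage into a Cluster Shared Volume.
New-Cluster -Name 'LON-CLUSTER' -Node $nodes -StaticAddress '192.168.10.200' | Out-Null
(Get-Cluster).EnableSharedVolumes = 'Enabled'
Get-ClusterResource |
    Where-Object { "$($_.ResourceType)" -eq 'Physical Disk' -and "$($_.OwnerGroup)" -eq 'Available Storage' } |
    Add-ClusterSharedVolume | Out-Null

# 5. Every node now sees the same path under C:\ClusterStorage; the later lab
#    stores the clustered VM there.
Get-ClusterSharedVolume | ForEach-Object {
    '{0} -> {1} (owner {2}, {3})' -f $_.Name, $_.SharedVolumeInfo[0].FriendlyVolumeName, $_.OwnerNode, $_.State
}
```

The validation report is an HTML file; keep it with the change record for the cluster, and re-run Test-Cluster after any storage or network change, which is the re-test scenario the Cluster Validation topic describes.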
With Hyper-V Live Migration, you can move running VMs from one Hyper-V
physical host to another without any disruption of service or perceived downtime.
Live Migration is integrated with Windows Server 2008 R2 Hyper-V and Microsoft
Hyper-V Server 2008 R2. Because Hyper-V Live Migration can move running VMs
without downtime, it will facilitate greater flexibility and value. Data centers with
multiple Hyper-V physical hosts will be able to move running VMs to the best
physical computer for performance, scaling, or optimal consolidation without
impacting users. Live Migration makes it possible to keep VMs online, even during
physical host maintenance. This helps increase productivity and provides higher
availability for both users and server administrators.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the reasons for configuring Live Migration.
Key Points
Live Migration enables dynamic scenarios such as proactive maintenance and
moving VMs to hosts with most resources available. The reasons for configuring
Live Migration include:
• Servicing hardware. At times when the physical host needs additional storage,
memory, or a basic input/output system (BIOS) update, Live Migration is an
option. Also, if the server needs to be taken offline, and you want to preserve
VM availability, you can move VMs from the server to a different physical host
to perform scheduled maintenance. This maintenance can include server
upgrade or replacement, if needed.
• Updating the host operating system. If the parent partition needs to be
updated and that update requires a reboot, you need to move the VMs from
the physical server to preserve their availability during scheduled maintenance.
the reboot.
• Moving a VM to an appropriate host. You can use Live Migration to move a
VM to a different host. The utilization of the physical server can increase and
it might not have enough resources available for the VMs. You can move one
or more VMs to the best physical computer for performance, scaling, or
optimal consolidation without impacting users.
Key Points
Hyper-V Live Migration has requirements very similar to those of Hyper-V Quick
Migration, so for organizations already using Quick Migration the shift to Live
Migration should be easy. The physical hosts that participate in Live Migration
must have the failover clustering feature installed and must use shared storage.
In addition, the physical hosts must use processors from the same manufacturer;
Windows Server 2008 R2 adds a processor compatibility mode for migrating between
different processor generations from that manufacturer. There are no
differences in storage requirements between Quick Migration and Live Migration.
• The following editions of Windows Server 2008 R2 support Live Migration:
• Windows Server 2008 R2 Enterprise Edition
• Windows Server 2008 R2 Datacenter Edition
• Hyper-V Server 2008 R2 also supports Live Migration
For Live Migration, you should have:
Note: One Live Migration can be active between any two cluster nodes at any time. This
means that a cluster will support number_of_nodes/2 simultaneous Live Migrations. For
example, a 16-node cluster will support 8 simultaneous Live Migrations with no more
than one Live Migration session active from every node of the cluster.
Note: A dedicated 1 gigabit Ethernet connection is recommended for the Live Migration
network between cluster nodes to transfer the large number of memory pages typical for
a VM.
Key Points
The Live Migration process is designed to move a running VM from the source
physical host to a destination physical host as quickly as possible. You can initiate
a Live Migration through one of the following methods:
• Failover Cluster Manager console
• Virtual Machine Manager (VMM) administration console, if VMM is used for
managing physical hosts
• A WMI or PowerShell script
Any guest operating system supported by Hyper-V will work with the Live
Migration process. After Live Migration is initiated, the following process occurs:
• Setting up of Live Migration. In the first stage of a Live Migration, the source
physical host creates a Transmission Control Protocol (TCP) connection with
the destination physical host. This connection is used to transfer the VM
the destination physical host and memory is allocated to the destination VM.
• Transferring of memory pages from the source node to the destination
node. In the second stage of Live Migration, the memory assigned to the
migrating VM is copied over the network to the destination physical host. This
memory is referred to as the working set of the migrating VM. In addition to
copying the working set to the destination physical host, Hyper-V on the
source physical host monitors the pages in the working set. As memory pages
are modified, they are tracked and marked as being modified. During this
phase of the migration, the migrating VM continues to run. Hyper-V iterates
the memory copy process several times, and each time a smaller number of
modified pages are copied to the destination physical computer. A final
memory copy process copies the remaining modified memory pages to the
destination physical host. The source physical host transfers the register and
device state of the VM to the destination physical host. During this stage of
Live Migration, the network bandwidth available between the source and
destination physical hosts is critical to the speed of Live Migration. For this
reason, gigabit Ethernet or faster is recommended. The faster the source
physical host can transfer the modified pages from the migrating VM's working
set, the more quickly Live Migration will complete. The Live Migration process
may be cancelled at any point before this stage of the migration.
• Moving of the storage handle from source to destination. In the fourth stage
of Live Migration, control of the storage associated with source physical host,
such as any VHD files or pass-through disks, is transferred to the destination
physical host.
• Resuming of the VM on the destination server. In the fifth stage of Live
Migration, the destination physical server now has the up-to-date working set,
and access to any storage used by the VM. At this point, the VM is resumed.
• Cleaning up of network occurs. In the final stage of Live Migration, the
migrated VM is running on the destination physical server. At this point, a
message is sent to the physical network switch, which causes it to re-learn the
media access control (MAC) addresses of the migrated VM, so that network
traffic to and from the VM can use the correct switch port.
The Live Migration process should complete in less than the TCP timeout interval
for the VM being migrated. TCP timeout intervals vary based on network topology
and other factors.
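The third way of initiating a Live Migration listed above, a PowerShell script, looks like the following. It is an added example, not lab or product documentation; it assumes the highly available VM is the lab's "Clustered VM" and that LON-SVR1 is the destination node. On Windows Server 2008 R2, Move-ClusterVirtualMachineRole performs a Live Migration, while Move-ClusterGroup on the same role performs a Quick Migration.

```powershell
# Added example (not lab material): initiate and time a Live Migration with the
# FailoverClusters module. Assumed: role 'Clustered VM', destination LON-SVR1.
Import-Module FailoverClusters

$role   = 'Clustered VM'
$target = 'LON-SVR1'

# Pre-flight checks: the destination must be an Up node that does not already own
# the role, and the VM must be online (a saved or off VM is simply moved, not
# live-migrated).
$group = Get-ClusterGroup -Name $role
$node  = Get-ClusterNode  -Name $target
if ("$($node.State)"       -ne 'Up')     { throw "$target is $($node.State); migration would fail." }
if ("$($group.OwnerNode)"  -eq $target)  { throw "$role already runs on $target." }
if ("$($group.State)"      -ne 'Online') { throw "$role is $($group.State); Live Migration needs a running VM." }

# The cmdlet returns when the VM has resumed on the destination. The elapsed time
# is dominated by the memory-copy iterations: working-set size, how fast the guest
# dirties pages, and the bandwidth of the migration network.
$elapsed = Measure-Command {
    Move-ClusterVirtualMachineRole -Name $role -Node $target | Out-Null
}
$group = Get-ClusterGroup -Name $role
'{0} now on {1} ({2}); Live Migration took {3:N1} s' -f $role, $group.OwnerNode, $group.State, $elapsed.TotalSeconds
```

Because only one Live Migration can be active between any two nodes at a time, a script that drains a host for maintenance should iterate the roles on that node sequentially rather than launching them all at once.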
Live Migration, in which situation would one VM be migrated faster than the
other?
Key Points
During Live Migration, memory pages are transferred from the source node to the
destination node. In this phase, the following process happens:
• The memory assigned to the migrating VM is copied over the network to the
destination physical host.
• The worker process on the source host first creates a dirty bitmap of memory
pages. The dirty bitmap marks the memory pages that still need to be
transferred to the destination host; before migration starts, it covers the
complete working set of the migrating VM.
• As the worker process iterates over the pages and sends them to the worker
process on the destination host, the number of dirty memory pages decreases.
In addition to copying the working set to the destination host, the Hyper-V worker
process on the source host registers for modify notifications on pages to detect
subsequent changes, because the source VM is still active and possibly modifying
marked as being modified. The list of modified pages is simply the list of memory
pages that were modified after the copy of the working set began. The Hyper-V
worker process iterates the memory copy process several times, and each time a
smaller number of modified pages needs to be copied to the destination host. It
stops iterating when all pages are sent and no modified page is waiting to be
copied, or after five iterations. The following variables may affect the Live
Migration speed:
• The number of modified pages on the VM to be migrated: the larger the
number of modified pages, the longer the VM will remain in a migrating state
• Network bandwidth available between source and destination physical
computers
• Hardware configuration of source and destination physical computers
• Load on source and destination physical hosts
• Available bandwidth, network or Fibre Channel, between Hyper-V physical
hosts and shared storage
Question: What will happen to Live Migration if you run an application that is
constantly modifying the memory in the VM that you want to migrate?
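The iteration described above can be modelled to answer the question. The following PowerShell function is an added illustration, not Hyper-V's algorithm and not course material: it keeps only the behaviour the text states (the whole working set is dirty at the start, pages modified during a pass are re-marked, iteration stops when nothing is dirty or after five passes, and what is still dirty is copied while the VM is paused). The page size, copy rate and dirty rates are constructed values.

```powershell
# Added example (not course material): a simplified model of iterative pre-copy.
# This is an illustration of the behaviour described above, not Hyper-V's code.
function Get-PreCopyEstimate {
    param(
        [long]$WorkingSetPages,        # pages in the VM's working set (constructed)
        [long]$CopyPagesPerSecond,     # pages the migration network moves per second
        [long]$DirtyPagesPerSecond,    # pages the guest modifies per second while running
        [int] $MaxIterations = 5       # the text: the worker stops after five iterations
    )
    $toSend  = $WorkingSetPages        # the dirty bitmap starts as the whole working set
    $running = 0.0                     # seconds the VM keeps running while pages are copied
    $rounds  = @()
    for ($i = 1; $i -le $MaxIterations; $i++) {
        $seconds = $toSend / $CopyPagesPerSecond
        # Pages modified during this pass become dirty again. A page can only be
        # dirty once, so the count is capped at the working-set size.
        $dirtied  = [Math]::Min($WorkingSetPages, [long][Math]::Ceiling($DirtyPagesPerSecond * $seconds))
        $running += $seconds
        $rounds  += New-Object PSObject -Property @{
            Iteration = $i; PagesSent = $toSend; Seconds = [Math]::Round($seconds, 3)
        }
        $toSend = $dirtied
        if ($toSend -eq 0) { break }
    }
    # Whatever is still dirty is copied after the VM is paused, with the register
    # and device state: this is the only pause a user can notice.
    New-Object PSObject -Property @{
        Iterations      = $rounds.Count
        Rounds          = $rounds
        RunningSeconds  = [Math]::Round($running, 2)
        BlackoutPages   = $toSend
        BlackoutSeconds = [Math]::Round($toSend / $CopyPagesPerSecond, 2)
        ConvergedEarly  = ($toSend -eq 0)
    }
}

# Constructed scenario: a VM with a 4 GB working set (1,048,576 4 KB pages) over a
# gigabit migration network (about 30,000 pages/s). The quiet VM dirties 500
# pages/s; the busy one dirties pages faster than the network can copy them.
$quiet = Get-PreCopyEstimate -WorkingSetPages 1048576 -CopyPagesPerSecond 30000 -DirtyPagesPerSecond 500
$busy  = Get-PreCopyEstimate -WorkingSetPages 1048576 -CopyPagesPerSecond 30000 -DirtyPagesPerSecond 45000
$quiet, $busy | Format-Table Iterations, RunningSeconds, BlackoutPages, BlackoutSeconds, ConvergedEarly -AutoSize
```

In the model the quiet VM converges in a few passes with an empty final copy, while the busy VM re-dirties its whole working set every pass, hits the five-iteration cap, and pays for the entire working set during the pause; that is the outcome to expect from a workload that constantly modifies memory, and why a faster migration network shortens both phases.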
Key Points
1. On the physical computer, create a virtual machine, Clustered VM, by using
the Hyper-V Manager console, with the following information:
• Select Store the virtual machine in a different location
• Location: C:\ClusterStorage\Volume1
• Memory size: 512 MB
• Connect Virtual Hard Disk: Use an existing virtual hard disk
• Location: C:\ClusterStorage\Volume1\Base10D-WS08R2Core-HV.vhd
2. On the physical computer, make the virtual machine Clustered VM highly
available by using the Configure a Service or Application wizard in the
Failover Cluster Manager console.
Question: How will you configure the physical host machine to enable it to
participate in Live Migration?
Quick Migration is a feature of both Windows Server 2008 Hyper-V and Windows
Server 2008 R2 Hyper-V, while Live Migration is available only in Windows Server
2008 R2. Both move running VMs from one Hyper-V physical server to another.
Quick Migration saves the VM's state to disk, moves ownership of the VM, and
restores the state on the new host, which results in downtime while the saved
state is written and read back. Live Migration instead copies memory while the
VM keeps running, as described earlier in this lesson. Quick Migration and Live
Migration use the same storage infrastructure, so it is easy to move from Quick
Migration to Live Migration after the servers run Windows Server 2008 R2.
Key Points
System Center Virtual Machine Manager 2008 provides a virtualization
management solution for a virtualized data center. The virtualized data center
increases physical server utilization and provides a centralized management view
of both physical and VM infrastructure.
System Center Virtual Machine Manager 2008 includes features to manage VMs
and physical VM hosts, and familiar interfaces with support for Windows
infrastructure.
you can also enable the PRO feature, which supports workload-aware and
application-aware resource optimization.
• Self-Service Web portal for delegated provisioning. System Center Virtual
Machine Manager 2008 provides a Web portal for delegated and rapid
provisioning of new VMs. This feature is especially useful for software test and
development teams, which often set up temporary VMs to try out new
software.
• Library. System Center Virtual Machine Manager 2008 provides a centralized
library to store and manage various VM building blocks, off-line machines, and
other virtualization components. The components include virtual hard disks,
CD or DVD media, ISO images, post-deployment customization scripts,
hardware configurations, and templates. The library helps keep VM
components organized. Using the library, you can access the following:
• Hardware profiles that include the VM hardware settings
• Operating system profiles for configuring the VM operating system
• Template Virtual Hard Disks and configurations
• ISO images
without interrupting the source physical server. It can also convert existing
VMs (virtual-to-virtual conversion) to Hyper-V-based VMs.
• Monitoring and reporting. System Center Virtual Machine Manager 2008
integrates tightly with System Center Operations Manager 2007 for
comprehensive monitoring and management of both physical and virtual
systems. For monitoring and reporting, you must install:
• System Center Operations Manager 2007.
• System Center Operations Manager 2007 Reporting Server.
• Virtualization Management Pack for System Center Operations Manager
2007.
Manager 2008 can use System Center Operations Manager to monitor the health
and availability of the VMs and VM hosts that System Center Virtual Machine
Manager 2008 manages.
System Center Virtual Machine Manager 2008 also uses Operations Manager to
monitor the health and availability of the System Center Virtual Machine Manager
2008 server, database server, library servers, and self-service Web servers, to
provide Diagram views of the virtualized environment in the System Center Virtual
Machine Manager 2008 Administrator Console. To enable these features, you must
integrate Operations Manager with System Center Virtual Machine Manager 2008.
Integration with Operations Manager is also a prerequisite for enabling PRO in
System Center Virtual Machine Manager 2008 and for configuring reporting in
System Center Virtual Machine Manager 2008.
Question: What are the specific benefits of using System Center Virtual Machine
Manager 2008 in your organization?
3-44 Configuring Server Virtualization by Using Hyper-V
Key Points
The System Center Virtual Machine Manager 2008 Administrator Console is built
on the System Center framework user interface. The console is designed to manage
large deployments with easy sorting, categorization, search, and navigation
features. The console is built on a Windows PowerShell command-line interface.
Any action in the console can be done through the Windows PowerShell
command-line. Each wizard in the user interface can also display the associated
command-line actions. In addition, the console integrates with System Center
Operations Manager 2007 to provide insight into the physical and virtual
environment.
Uses of System Center Virtual Machine Manager 2008 Administrator Console
The System Center Virtual Machine Manager 2008 Administrator Console is a GUI
that you use to:
• Create, deploy, and manage VMs.
Question: When would you install the System Center Virtual Machine Manager
2008 Administrator Console on a different computer than System Center Virtual
Machine Manager 2008 server?
Key Points
You can use the library to organize and manage all the building blocks of the
virtual data center in a single interface, including the following:
• Stored VMs
• Virtual hard disks
• CD or DVD software images, also called ISO files
• Post-deployment customization scripts
• Hardware configurations
• PowerShell scripts
• Templates
A Virtual Machine Manager Library consists of resources stored in one or more
network share folders on the Virtual Machine Manager Library Server. A System
VM templates are created in the System Center Virtual Machine Manager 2008
Administrator Console and are stored in the Virtual Machine Manager Library. You
can use templates when creating new VMs, either from the console or from the
Self-Service portal.
The VM template usually consists of virtual hard disks and two configuration
groups that are known as profiles.
The following are the parts of a VM template:
• Hardware profile. It defines hardware configuration settings such as a CPU,
memory, network, basic input/output system (BIOS) and device resources to
be used when a new VM is created by using a template.
• Operating system profile. It defines operating system configuration settings
for a new VM created from a template. The operating system profile can define
settings such as type of operating system, computer name, administrator
password, or product key.
• VHD. It is used to create new VMs. The disks may be virtual hard disks stored
in the Virtual Machine Manager Library, or a disk from an existing VM.
You may create both hardware and guest operating system profiles independently
of the template and store them in the Virtual Machine Manager Library. After they
are stored, you may import them into new templates during the template creation
process.
Question: Why would you use templates in System Center Virtual Machine
Manager 2008?
Key Points
VMM uses a process called Intelligent Placement to deploy the VMs to the hosts. It
analyzes performance data and resource requirements for both the workload and
the host. VMM then returns a weighted list of recommended hosts to which you
can deploy the VM. Intelligent Placement supports different hosts along with their
storage configurations. Intelligent Placement is platform aware and configuration
aware. It only recommends hosts that are clustered if high availability is needed
and only x64 capable hosts for x64 VMs.
Performance and Resource Optimization (PRO) leverages System Center
Operations Manager 2007 to monitor an end-to-end IT infrastructure. It helps you
identify whether physical hosts and their virtual machine guests operate efficiently.
Further, by using PRO, you can create operational policies. PRO can automatically
take actions based on the operational policies. When an event occurs triggering a
policy, you can configure PRO to present the recommended resolutions. You can
actions.
PRO can extend automated management capabilities to both Microsoft-based and
VMware-based hosts. This is because PRO is a part of System Center Virtual
Machine Manager 2008. When managing Microsoft hosts, PRO uses Quick
Migration and Live Migration in Windows Server 2008 R2 to rapidly move VMs
between hosts.
Note: PRO is built on an open and extensible framework. With PRO, organizations and
third-party developers can develop custom rules and actions for their own environments.
Self-Service Portal
Key Points
The Virtual Machine Manager Self-Service portal is a Web site. Through this Web
site, self-service users can create and operate their own VMs within a controlled
environment. In the sessions with the Self-Service Portal, self-service users can view
only the VMs that they own. They can also view the actions that their VM
permissions allow them to perform.
A self-service policy grants certain permissions to a user or user group. The
permissions allow the user or the user groups to create, operate, manage, store,
create checkpoints for, and connect to their own VMs through the Virtual Machine
Manager Self-Service portal. Self-service policies are applied to a host group, which
means that self-service users have permissions on the physical servers in the host
group as they are defined in the self-service policy. For example, if you define in
the self-service policy that users will be able to create checkpoints, they will be able
to create checkpoints for VMs in the host group they own. When a self-service user
Question: When would you use the Virtual Machine Manager Self-Service portal?
R2
Key Points
System Center Virtual Machine Manager 2008 R2 provides a cost-effective solution
for unified management of physical servers and VMs. System Center Virtual Machine
Manager 2008 R2 also provides PRO for:
• Dynamic and responsive management of virtual infrastructure.
• Consolidation of underutilized physical servers.
• Rapid provisioning of new VMs by leveraging the expertise and investments in
Windows Server technology.
System Center Virtual Machine Manager 2008 R2 provides many new features. The
features can be grouped into four categories: support for new features of Windows
Server 2008 R2, enhanced storage and cluster support, streamlined process for
R2 enhancements.
SANs. There is now expanded support covering the majority of available iSCSI
SANs in System Center Virtual Machine Manager 2008 R2. With this feature in
System Center Virtual Machine Manager 2008 R2, you can choose from a
wider range of options when selecting a new SAN solution.
Question: You must use Live Migration to migrate several VMs from the same
failover cluster node. You used Failover Cluster Manager, but you were able to
initiate just one VM Live Migration. How can you start Live Migration for multiple
VMs at the same time?
Introduction
In this lab, you will configure server virtualization by using Hyper-V. To do this,
you will create an iSCSI target, connect the iSCSI target to the physical host, create
an NTFS volume, and configure failover cluster. You will also configure CSV and
add a disk to the CSV. You will also set up a virtual machine for Live Migration by
creating a virtual machine and making it highly available.
Objectives
After completing this lab, you will be able to:
• Install and configure failover clustering.
• Configure CSV.
• Set up a VM for Live Migration.
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
Lab Scenario
Task 3: Connect the iSCSI target to the physical host and create an NTFS volume.
• On the physical computer, set the following iSCSI Initiator properties to
connect the iSCSI target to the physical computer:
• Target: 192.168.10.150
• Quick Connect: iqn.1991-05.com.microsoft:lon-svr1-lun-01-target
• Open the Server Manager console to create a new volume with size 15000 MB
for Disk 1.
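Task 3 scripted with the built-in iscsicli and diskpart tools, as an added example rather than the course's own lab steps; the portal address, target IQN, disk number and volume size are the lab values, while the drive letter and volume label are assumptions.

```powershell
# Added example (not from the course lab files): connects the lab's iSCSI
# target to the physical host and creates the 15000 MB NTFS volume on Disk 1.
# Run in an elevated PowerShell session on the physical host.
$Portal    = '192.168.10.150'                                    # lab value
$TargetIqn = 'iqn.1991-05.com.microsoft:lon-svr1-lun-01-target'  # lab value
$DiskNum   = 1        # lab: "Disk 1"; confirm with 'diskpart list disk' first
$SizeMB    = 15000    # lab: volume size in MB
$Letter    = 'S'      # assumption
$Label     = 'ClusterDisk1'   # assumption

# The initiator service must be running, and should start automatically so the
# cluster disk is back before the cluster service looks for it after a reboot.
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# Register the portal, confirm the target was discovered, then log on. The 'Q'
# variants use default settings and do not add the target to Favorite Targets,
# so this logon is not persistent across reboots.
iscsicli QAddTargetPortal $Portal | Out-Null
if (-not ((iscsicli ListTargets) -match [regex]::Escape($TargetIqn))) {
    throw "Target $TargetIqn was not discovered on portal $Portal"
}
iscsicli QLoginTarget $TargetIqn | Out-Null
Start-Sleep -Seconds 5    # give Plug and Play a moment to surface the new disk

# Bring the disk online and lay out a single NTFS partition of the size the
# lab specifies. diskpart reads its commands from a script file.
$script = Join-Path $env:TEMP 'lab-task3.dp'
@"
select disk $DiskNum
online disk noerr
attributes disk clear readonly noerr
create partition primary size=$SizeMB
format fs=ntfs label="$Label" quick
assign letter=$Letter
"@ | Set-Content -Path $script -Encoding ASCII
diskpart /s $script | Out-Null
Remove-Item $script

# Verify the result before moving on to the failover cluster exercise.
$vol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='${Letter}:'"
if ($vol -eq $null -or $vol.FileSystem -ne 'NTFS') {
    throw "Volume ${Letter}: was not created as NTFS"
}
"{0}: {1} MB NTFS volume ready" -f $Letter, [int]($vol.Size / 1MB)
```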
Results: After completing this exercise, you should have created and connected the
iSCSI target to the physical computer, created a new volume, and created and
configured a failover cluster.
Results: After completing this exercise, you should have enabled Cluster Shared
Volumes for LON-FC.Contoso.com, and added a disk to it.
Results: After completing this exercise, you should have created a virtual machine,
Cluster VM, and made the virtual machine highly available.
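The cluster, CSV and highly available VM exercises whose results are listed above, as an added PowerShell example using the FailoverClusters module that ships with Windows Server 2008 R2 (not the course's own lab steps); the node name and cluster IP address are assumptions, and the VM named Cluster VM is assumed to exist already in Hyper-V Manager with its files on the CSV.

```powershell
# Added example (not from the course lab files): builds the LON-FC cluster,
# enables Cluster Shared Volumes, adds the iSCSI disk to CSV, and makes the
# existing "Cluster VM" highly available. Run elevated on a cluster node.
Import-Module ServerManager
Import-Module FailoverClusters

$ClusterName = 'LON-FC'            # lab: LON-FC.Contoso.com
$Nodes       = @('LON-HOST1')      # assumption: name(s) of the physical host(s)
$ClusterIP   = '192.168.10.200'    # assumption: free address on the lab subnet
$VmName      = 'Cluster VM'        # lab: VM created in Hyper-V Manager

# 1. Install the Failover Clustering feature if Server Manager has not already.
if (-not (Get-WindowsFeature -Name Failover-Clustering).Installed) {
    Add-WindowsFeature -Name Failover-Clustering | Out-Null
}

# 2. Validate before creating; a cluster that fails validation is unsupported.
#    Test-Cluster returns the HTML report, which lists any failed tests.
$report = Test-Cluster -Node $Nodes
"Validation report: $($report.FullName)"

# 3. Create the cluster and add the iSCSI disk from Task 3 as cluster storage.
New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIP | Out-Null
Get-ClusterAvailableDisk -Cluster $ClusterName | Add-ClusterDisk | Out-Null

# 4. CSV is off by default in 2008 R2 and is supported only for Hyper-V
#    workloads; enable it, then move the disk from Available Storage into CSV.
(Get-Cluster -Name $ClusterName).EnableSharedVolumes = 'Enabled'
$disk = Get-ClusterResource -Cluster $ClusterName |
    Where-Object { $_.ResourceType.Name -eq 'Physical Disk' -and
                   $_.OwnerGroup.Name -eq 'Available Storage' } |
    Select-Object -First 1
if ($disk -eq $null) { throw 'No physical disk in Available Storage to add to CSV' }
Add-ClusterSharedVolume -Cluster $ClusterName -Name $disk.Name | Out-Null
$csv = Get-ClusterSharedVolume -Cluster $ClusterName | Select-Object -First 1
"CSV mounted at: $($csv.SharedVolumeInfo.FriendlyVolumeName)"

# 5. Make the VM highly available. Its VHD and configuration must already sit
#    under the CSV path (C:\ClusterStorage\...) so that any node can own it.
Add-ClusterVirtualMachineRole -Cluster $ClusterName -VirtualMachine $VmName | Out-Null
$group = Get-ClusterGroup -Cluster $ClusterName -Name $VmName
if ($group.State -ne 'Online') {
    Start-ClusterGroup -Cluster $ClusterName -Name $VmName | Out-Null
    $group = Get-ClusterGroup -Cluster $ClusterName -Name $VmName
}
"{0} is {1} on node {2}" -f $group.Name, $group.State, $group.OwnerNode

# With a second node in $Nodes, Move-ClusterVirtualMachineRole -Cluster
# $ClusterName -Name $VmName -Node <other node> performs a Live Migration.
```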
Lab Review
Review Questions
1. You have a customer who is running a legacy application on a Windows NT™
4.0 server. The customer uses this application on a physical server, but the
customer wants to consider virtualization of the server. What would you
recommend to the customer?
2. How does the interaction between the operating system and hardware change
when you add the Hyper-V role on a Windows Server 2008 R2 server?
3. You have a running VM in Windows Server 2008 R2 Hyper-V child partition.
You need to add an additional VHD to the VM. Can you add the VHD without
rebooting the VM?
4. Can you use Windows Server 2008 R2 as an iSCSI target?
Tools
Tool: Hyper-V Manager console
Use: Management of the Hyper-V server role
Where to find it: Installed when you add the Hyper-V role, or part of the RSAT feature

Tool: Failover Cluster Manager console
Use: Management of the failover cluster feature
Where to find it: Installed when you add the failover clustering feature, or part of the RSAT feature/pack
Module 4
Configuring Remote Desktop Services and
Virtual Desktop Infrastructure in Windows
Server 2008 R2
Contents:
Lesson 1: Configuring Remote Desktop Services 4-4
Lesson 2: Configuring Remote Desktop Gateway 4-20
Lesson 3: Configuring Virtual Desktop Infrastructure 4-34
Lab: Configuring Remote Desktop Services and Virtual Desktop
Infrastructure in Windows Server 2008 R2 4-49
4-2 Configuring Remote Desktop Services and Virtual Desktop Infrastructure in Windows Server 2008 R2
Module Overview
Formerly known as Terminal Services, the Remote Desktop Services (RDS) role
allows users to access applications and data on a remote computer over a network.
In Windows Server® 2008 R2, in addition to providing session-based Remote
Desktops, RDS provides enhancements in role services such as Remote Desktop
Connection Broker (RD Connection Broker) and support for Virtual Desktop
Infrastructure (VDI). In addition, users can access individual remote applications
called RemoteApps and virtual machine–based desktops. Users can consolidate
RemoteApps from multiple RDS servers, integrate them with the client Start menu, and
filter them based on group membership.
In this module, you will discuss the changes and improvements in RDS in
Windows Server 2008 R2. You will learn how RD clients access RDS applications.
In addition, you will see how RemoteApps and Remote Desktops can be integrated
with the Windows® 7 Start menu, how to filter them, and how clients may use RD
Web Access to start RemoteApps. When you implement RD Gateway, users can
securely access RDS, not only from the intranet, but also over the Internet, without
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Remote Desktop Services (RDS).
Key Points
The RDS role in Windows Server 2008 R2 provides technologies that enable users
to access session-based desktops, virtual machine–based desktops, or remote
applications in the data center from within a corporate network and from the
Internet. RDS enables a rich-fidelity desktop or application experience, and helps
to securely connect remote users to the data center from managed or unmanaged
devices.
machine environment.
Terminal Services Licensing (TS Licensing) -> Remote Desktop Licensing (RD Licensing)
Terminal Services Gateway (TS Gateway) -> Remote Desktop Gateway (RD Gateway)
Terminal Services Web Access (TS Web -> Remote Desktop Web Access (RD Web
Key Points
In Windows Server 2008 R2, Remote Desktop Client Experience has been
enhanced for computers running Windows 7 or Remote Desktop Connection
(RDC) 7.0 clients. These enhancements improve the experience of remote users,
making it more similar to the user experience when accessing resources locally.
The following enhancements are available to Remote Desktop users in Windows
Server 2008 R2:
Windows media files and streams so that audio and video content is sent in its
original format from the server to the client, and rendered by using the client’s
local media playback capabilities.
• True multimonitor support. Enables support for up to 16 monitors in any
size, resolution, or layout with RemoteApp and Remote Desktop. The
applications function just as they do when running locally in multimonitor
configurations.
• Audio input and recording. Supports any microphone connected to a user’s
local computer. It enables audio recording support and speech recognition for
RemoteApp and Remote Desktop. This may be useful for organizations that
use voice chat or Windows Speech Recognition.
• Windows® Aero Glass support. Provides users with the ability to use the Aero
Glass for client desktops, ensuring that the Remote Desktop sessions look and
feel like local desktop sessions.
• Enhanced bitmap redirection. Improves the remote display of 3D and other
media rich applications such as Flash and Microsoft® Silverlight™ on the
server.
• Improved audio and video synchronization. Remote Desktop Protocol
(RDP) improvements provide closer synchronization of audio and video.
• Language bar redirection. Provides users with the ability to easily and
seamlessly control the language settings in RemoteApp programs by using the
language bar.
• Task scheduler. Ensures that scheduled applications never appear to users
connecting with RemoteApp and reduces user confusion.
RDC 7.0 is included with Windows Server 2008 R2 and Windows 7. It is also
available for Windows XP SP3, Windows Vista™ SP1, and newer operating
systems.
Question: How can you benefit from the new Remote Desktop Client Experience
features?
Key Points
While RDS improves the user experience, it also reduces the desktop and
application management effort by providing a dedicated management interface
that allows you to assign remote resources to users quickly and dynamically.
In addition to the RDS role services, RDS management tools have been renamed in
Windows Server 2008 R2. The following table lists both the earlier name and the
new name of each RDS management tool.
Question: Can users who are using client operating systems older than Windows
7 access RDS?
Key Points
Users can access remote applications that are running on RDS in several ways. You
can connect to a full RD Session, including the full desktop and applications.
You can also publish remote applications and access them through RD Web
Access. You can either directly copy the shortcut or create a Windows Installer
package that adds shortcuts for RemoteApps to the client computer. In Windows
Server 2008 R2, you can easily combine published RemoteApps from multiple RD
Session Host servers on the same Web page. Users can configure clients to access
this Web page or subscribe to it through RemoteApp and Desktop Connection in
Control Panel, which adds shortcuts to the available RemoteApps on the Start
menu and automatically refreshes the list.
The RD Web Access role service enables users to access RemoteApp and Desktop
Connection through a Web browser. The following improvements to RD Web
Access are available in Windows Server 2008 R2:
Key Points
In Windows Server 2008, Terminal Services introduced RemoteApp programs.
These programs are accessed remotely and appear as if they are running on the
user's local computer. In Windows Server 2008 R2, RDS provides you the ability to
group and personalize RemoteApp programs and virtual desktops, and make them
available to users on the Start menu of a computer that is running Windows 7.
This new feature is called RemoteApp and Desktop Connection.
RemoteApp and Desktop Connection provides a personalized view of RemoteApp
programs, session-based desktops, and virtual desktops to users. When a user
starts a RemoteApp program or a session-based desktop, an RDS session is started
on the RD Session Host server that hosts the remote desktop or RemoteApp
program. If a user connects to a virtual desktop, a remote desktop connection is
created to the virtual machine that is running on the Remote Desktop
Virtualization Host (RD Virtualization Host) server.
the RemoteApp and Desktop Connection feed. This feed renders RemoteApp
programs in a software-parsable XML document, instead of rendering RemoteApp
programs in the form of a Web page.
With RemoteApp and Desktop Connection, the user subscribes to a feed of
RemoteApp programs by supplying the client software with its URL. After the user
has subscribed to the feed and created a connection, the user's work is performed.
The RemoteApp and Desktop Connection client software will then ensure that the
resources in this connection are placed in the user’s Start menu.
computers.
Question: When would you use RDS Web Access to access RemoteApp
applications, instead of RemoteApp and Desktop Connection?
Key Points
1. On LON-DC1, add the Calculator and Paint programs to the list of RemoteApp
Programs by using the RemoteApp Manager console.
2. On LON-SVR1, add the Notepad.exe and WordPad programs to the list of
available RemoteApp Programs by using the RemoteApp Manager console.
3. On LON-SVR1, configure LON-DC1.contoso.com and LON-
SVR1.contoso.com as RemoteApp sources to aggregate the published
RemoteApp applications.
4. On LON-SVR1, open the RD Web Access Web page to retrieve the aggregated
list of RemoteApp applications from Remote Desktop Connection Brokers
with the following information:
• Domain\username: contoso\administrator
• Password: Pa$$w0rd
BETA COURSEWARE EXPIRES 2/08/2010
Question: How will you create the client configuration file for setting up
RemoteApp and Desktop Connection?
The Remote Desktop Gateway (RD Gateway) role service in Windows Server 2008
R2 allows authorized users to connect to resources on an internal corporate or
private network from the Internet. RD Gateway encapsulates Remote Desktop
Protocol (RDP) over HTTPS to establish a secure, encrypted connection between
the remote users and the internal network resources. By using authorization
policies such as connection authorization policies (CAPs) and resource
authorization policies (RAPs), you can control access to specific users or resources.
Key Points
The RD Gateway role service allows authorized remote users to connect to RDS-
based resources, such as RD Session Host servers, RD Session Host servers
running RemoteApp programs, or computers and virtual desktops with Remote
Desktop enabled, on an internal corporate or private network from Internet-
connected devices. RD Gateway must be domain-joined and located either on the
perimeter network with domain connectivity or behind firewalls that allow HTTPS
traffic from the Internet to the RD Gateway. RD Gateway uses the Remote Desktop Protocol
(RDP) over HTTPS to establish a secure, encrypted connection between remote
users on the Internet and the internal network resources on which their
productivity applications run. You can use RD Gateway instead of a VPN
connection when no local copy of data is required or allowed, when users require
quicker connection time, and when bandwidth or application data size makes VPN
undesirable to work with.
Benefits of RD Gateway
Key Points
RD Gateway enables remote users to connect to internal network resources that
are hosted behind firewalls in private networks and across NATs. Security policy
and firewall configuration prevent remote users from connecting to internal
network resources across firewalls and NATs because port 3389, which is used for
RDP connections, is blocked for network security purposes. RD Gateway transmits
all RDP traffic over port 443 by using an HTTP Secure Sockets Layer/Transport Layer
Security (SSL/TLS) tunnel. Therefore, all traffic between the user's client computer
and RD Gateway is encrypted while in transit over the Internet. Because most
organizations use port 443 to enable Internet connectivity, RD Gateway takes
advantage of this network design to provide remote access connectivity across
multiple firewalls.
When data is received through an external firewall onto the perimeter network,
RD Gateway decrypts HTTPS, and contacts the domain controller to authenticate
the connection, and the network policy server to check if the user is allowed to
cross the gateway and contact the RDS host. If the user is validated and allowed,
by RD Gateway. RD Gateway then passes the RDP traffic to the destination host
and establishes a security-enhanced connection between the user who sends the
data and the destination host.
Key Points
Windows Server 2008 R2 provides the following new functionalities in RD
Gateway:
• Configurable idle and session timeouts. RD Gateway allows you to configure
idle and session timeouts on an RD Gateway server. An idle timeout provides
the ability to reclaim resources used by inactive user sessions without affecting
the user's session or data. This helps free up resources on the RD Gateway
server. The user will be able to reestablish the session by using RDC even after
being disconnected. A session timeout provides the ability to periodically
enforce new policies on active user connections. This ensures that any system
changes to user properties, such as domain accounts, Remote Desktop
connection authorization policy (RD CAP) changes, or Remote Desktop
resource authorization policy (RD RAP) changes, are enforced on existing
sessions.
Key Points
To function correctly, RD Gateway requires several role services and features to be
installed and running. When you install the RD Gateway role service by using
Server Manager, the following server roles and services are automatically installed
and started, if they are not already installed:
• Network Policy and Access Services (NPAS)
• Web Server Internet Information Services (IIS)
• Remote procedure call (RPC) over HTTP proxy
Configuring RD Gateway
The following are the steps to configure RD Gateway:
1. Install the RD Gateway role service. Install the RD Gateway role service by
using Server Manager. Optionally, during the installation process, you can
Gateway
Key Points
1. On LON-SVR1, import the SSL certificate, external.contoso.com to the Remote
Desktop Gateway server.
2. On LON-SVR1, create a Connection Authorization Policy (CAP) to restrict the
users from accessing the RD Gateway Server with the following information:
• Type a name for the RD CAP: Authorized Remote Users
• User group membership: RD Users
3. On LON-SVR1, create a Resource Authorization Policy to control the
connection between the internal resources and the Remote Desktop Gateway
with the following information:
• Type a name for the RD RAP: Authorized Target Computers
• User Groups: RD Users
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Virtual Desktop Infrastructure.
• Describe how Virtual Desktop Infrastructure works.
• Describe the types of Virtual Desktop Infrastructure.
Key Points
Virtual Desktop Infrastructure (VDI) is a centralized desktop delivery architecture
that allows you to centralize the storage, execution, and management of Windows
desktops in the data center. VDI enables Windows 7, Windows Vista, and other
desktop environments to run and be managed in virtual machines on a centralized
server. A user can connect to a virtual desktop with Remote Desktop Client (RDC).
Organizations often permit employees and contractors to work from home or from
an outsourced facility. These environments provide better flexibility, improved cost
control, and lower environmental footprint, but increase the demand for security
and compliance so that precious corporate data is more secure. To meet these
challenges, RD Connection Broker and flexible presentation virtualization
architecture beneath the VDI umbrella are updated. RD Connection Broker creates
a unified experience for traditional session-based remote desktops and new virtual
machine–based remote desktops.
Benefits of VDI
Key Points
VDI is an alternative server-based desktop virtualization method that extends the
concept of server consolidation through virtualization to central management of
client desktops. In VDI, multiple client operating systems are running in virtual
machines on a server that remotely presents each desktop to a client device. VDI
allows central management and deployment of user desktops while providing each
user the capability to customize a unique desktop if necessary. There are various
ways to architect VDI, but in general, there are two types of VDI: personal virtual
desktops and pooled virtual desktops.
utilizes both the presentation virtualization and server virtualization. The following
Question: What is the main difference between personal virtual desktops and
pooled virtual desktops?
Key Points
The way users connect to a virtual machine is based on the VDI configuration. If
VDI is configured for personal virtual desktops, users are connected to a virtual
machine in the following way:
• A user initiates the connection to the personal virtual desktop by using RD
Web Access or RemoteApp and Desktop Connection.
• The user sends the request to the RD Session Host server running in
redirection mode by using RD Web Access or RemoteApp and Desktop
Connection.
• The RD Session Host server forwards the request to the RD Connection Broker
server.
• The RD Connection Broker server queries AD DS and retrieves the name of the
virtual machine that is assigned to the requesting user account.
Key Points
RD Connection Broker is a role service in Windows Server 2008 R2 that enables a
user to reconnect to an existing session in a load-balanced terminal server farm.
The RD Connection Broker role service provides the following functionality:
• Allows users to reconnect to their existing sessions in a load-balanced RD
Session Host server farm. This prevents a user with a disconnected session
from being connected to a different RD Session Host server in the farm and
starting a new session.
• Enables you to evenly distribute the session load among RD Session Host
servers in a load-balanced RD Session Host server farm.
• Provides users access to virtual desktops hosted on RD Virtualization Host
servers and to RemoteApp programs hosted on RD Session Host servers
through RemoteApp and Desktop Connection.
Question: How can you provide users a unified view and access to RemoteApps
that are published on multiple RD Session Hosts servers?
Key Points
RD Virtualization Host is a mandatory role service for VDI. It integrates with
Hyper-V to provide virtual machines by using RemoteApp and Desktop
Connection. You can configure RD Virtualization Host to assign each user a unique
virtual machine or a personal virtual desktop, or to redirect users to a shared
virtual machine pool, where a virtual machine or virtual desktop pool is
dynamically assigned.
Virtual machines that are used for virtual desktops can only use Windows client
operating systems and must be members of an Active Directory domain. You cannot install
Windows Server 2008 R2 on a virtual machine and use it as a virtual desktop. If
you configure virtual desktop pools, you need to identically configure virtual
machines in a virtual desktop pool, including the programs. If you use a personal
virtual desktop, you can assign only one personal virtual desktop at a time and the
domain functional level must be at least Windows Server 2008. In a personal
virtual desktop scenario, each user has his or her own virtual machine; while in a virtual
desktop pool scenario, the number of virtual machine images is greatly reduced
Windows Vista Enterprise, or an earlier operating system with support for Remote
Desktop for the client operating system for virtual machines.
After installing a virtual machine, configure it to work with RDS. You need to
configure the following on the virtual machine:
• Join the virtual machine to a domain.
• Enable Remote Desktop.
• Add user accounts to the local Remote Desktop Users security group.
• Allow Remote Procedure Call (RPC).
• Create a firewall exception to allow Remote Services Management.
• Add permissions to RDP.
Question: Are there any special considerations regarding the operating system
used for virtual desktop virtual machines?
Key Points
1. On the physical host computer, open the Server Manager console to add the
Remote Desktop Services server role and the Remote Desktop Virtualization
Host role services.
2. Log on to LON-CL2 with the user name contoso\administrator, and the
password, Pa$$w0rd.
3. On LON-CL2, add the domain group, RD Users to the local group, Remote
Desktop Users with the following information:
• Select Allow connections only from computers using Remote Desktop
with Network Level Authentication (more secure)
• Remote Desktop Users: RD Users
Editor.
5. Set the firewall settings to allow the programs of Remote Service Management
through Windows Firewall.
6. Open the script file RDS-pool in RDSConfig, replace the computer name with
the name of the physical computer, and then run the RDS-pool file.
7. Log off from LON-CL2.
8. On LON-SVR1, open the Remote Desktop Connection Manager console to
configure the virtual desktop with the following information:
• Server name of RD Virtualization Host Server: physical computer
name.contoso.com (name of your physical computer)
• Server name of Redirection Settings: LON-SVR1.contoso.com
• Server name of RD Web Access Server: LON-SVR1.contoso.com
• Clear the Assign personal virtual desktop checkbox
9. Create a Virtual Desktop Pool with the following information:
• Virtual Machine Name: 10159A-LON-CL2
• Display name: Contoso Virtual Desktop Pool
• Pool ID: CONTOSO_VDP
10. On LON-DC1, log on to the Remote Desktop Web page with the username,
contoso\rduser and the password, Pa$$w0rd to verify whether there is full
Remote Desktop Connection to LON-CL2.
Question: How would the configuration differ if you used a personal virtual
desktop instead of a virtual desktop pool?
Introduction
In this lab, you will configure Remote Desktop Services and Virtual Desktop
Infrastructure in Windows Server 2008 R2. To do this, you will publish
RemoteApp applications by using RemoteApp and Remote Desktop Connection
Broker. You will create a CAP and a RAP to publish applications for external
users by using Remote Desktop Gateway. Finally, you will configure and verify the
functionality of a virtual desktop pool.
Objectives
After completing this lab, you will be able to:
• Publish applications by using RemoteApp and Remote Desktop Connection
Broker.
• Publish applications for external users by using Remote Desktop Gateway.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the following
credentials:
    • User name: Contoso\Administrator
    • Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the following
credentials:
    • User name: Contoso\Administrator
    • Password: Pa$$w0rd
Lab Scenario
The following instructions are for configuring a test lab using a minimum number of
computers. Individual computers are required to separate the services provided on the
Host servers.
• On LON-DC1, add RD Web Computers to the TS Web Access Computers
group and RD Users to the Remote Desktop Users group.
• On LON-SVR1, add RD Web Computers to the TS Web Access Computers
group and RD Users to the Remote Desktop Users group.
Results: After this exercise, you should have published RemoteApp applications and
configured Remote Desktop Connection Broker and Remote Desktop Web Access to
aggregate RemoteApp applications and to use the publishing servers.
Results: After this exercise, you should have published applications for external users
by using Remote Desktop Gateway and by creating a Resource Authorization Policy.
• On LON-CL2, open the script file RDS-pool in RDSConfig, replace the
computer name with the name of the physical computer, and then run the
RDS-pool file.
• Log off from LON-CL2.
Results: After this exercise, you should have configured Remote Desktop Virtualization
Host server, the virtual machine for Remote Desktop services, and Virtual Desktop
Pool.
1. How will you restrict a user from viewing an icon for a RemoteApp program?
You need to use the User Assignment feature of Remote Desktop Services to
restrict a user from viewing an icon for a RemoteApp program.
2. How will you create the configuration files for the program groups?
You need to use Remote Desktop Connection Manager to create the configuration
files for the program groups.
Review Questions
1. Users in your organization need access to an application that must not be
installed locally on the client computers. How can you provide them access to
the application?
2. Can users access published RemoteApps from the Internet or from outside the
internal network?
3. How is the use of RemoteApp and Desktop Connection different from simply
accessing RemoteApp from RD Web Access?
4. Where does RD Gateway provide additional protection for RDP traffic?
5. You want to evaluate a VDI solution that is included in Windows Server 2008
R2. Which server role, besides RDS, must be available in your testing
environment?
6. Name the two types of Virtual Desktop Infrastructure.
able to connect to the RDS server. What is the most probable reason for this?
Tools
Tool | Use | Where to find it
Remote Desktop Gateway Manager | GUI tool for managing RD Gateway | Installed when you add the RD Gateway role service
Hyper-V Manager | GUI tool for managing Hyper-V | Installed when you add the Hyper-V role
Deploying and Configuring Remote Access Services 5-1
Module 5
Deploying and Configuring Remote Access
Services
Contents:
Lesson 1: Overview of DirectAccess 5-4
Lesson 2: Deploying DirectAccess 5-17
Lesson 3: Configuring VPN Reconnect 5-37
Lab: Deploying and Configuring Remote Access Services 5-48
Module Overview
Many users access their corporate network remotely either from branch offices or
while they are traveling. Windows operating systems include built-in support for
remote access services, such as dial-up or virtual private network (VPN)
connections. Both these remote access services are supported in Windows Server®
2008 R2 and VPN is enhanced with the VPN Reconnect feature. Windows Server
2008 R2 also introduces the DirectAccess feature that provides users with the
experience of being seamlessly connected to the corporate network from any place
where there is Internet access. With DirectAccess, users are able to securely access
corporate resources such as e-mail servers, shared folders, or intranet Web sites,
without establishing a VPN connection.
In this module, you will learn about the features and benefits of DirectAccess and
how DirectAccess works. You will also learn why an IPv6 network is important in
the context of DirectAccess. However, IPv6 is not mandatory as you can use IPv6
Name Resolution Policy Table (NRPT) helps send Domain Name System (DNS)
queries to the appropriate DNS server. In addition, you will learn about the
requirements for establishing DirectAccess, and how to deploy and configure
DirectAccess.
Further, you will learn about the features and benefits of VPN Reconnect, and how
to configure it. You will also learn about Secure Socket Tunneling Protocol (SSTP),
which enables you to establish the VPN connection through firewalls.
After completing this module, you will be able to:
• Describe DirectAccess.
• Deploy DirectAccess.
• Configure VPN Reconnect.
Overview of DirectAccess
enterprise.
After completing this lesson, you will be able to:
• Describe the features and benefits of DirectAccess.
• Describe how DirectAccess works.
• Describe Name Resolution Policy Table (NRPT).
• Describe how the DirectAccess client determines the type of network.
• Describe the importance of enabling IPv6 in the enterprise.
Key Points
The DirectAccess connection process happens automatically, without requiring
user intervention. DirectAccess clients use the following process to connect to
intranet resources:
• The DirectAccess client computer running Windows 7 detects whether it is
connected to a network.
• The DirectAccess client computer attempts to connect to an intranet Web site
that is specified during the DirectAccess configuration. If the Web site is
available, the DirectAccess client verifies that the client computer is already
connected to the intranet and the DirectAccess connection process stops. If the
Web site is not available, the DirectAccess client verifies that the client
computer is connected to the Internet and the DirectAccess connection
process continues.
IPv6 and IPSec. If a native IPv6 network is not available, the client establishes
an IPv6-over-IPv4 tunnel by using 6to4 or Teredo. Note that the user does not
have to be logged on to the computer for this step to complete.
• If a firewall or proxy server prevents the client computer using 6to4 or Teredo
from connecting to the DirectAccess server, the client computer automatically
attempts to connect by using the IP-HTTPS protocol, which uses a Secure
Sockets Layer (SSL) connection to ensure connectivity.
• To establish the IPSec session, the DirectAccess client and server authenticate
each other by using computer certificates.
• By validating Microsoft® Active Directory® directory service group
memberships, the DirectAccess server verifies that the computer and user are
authorized to connect by using DirectAccess.
• If Network Access Protection (NAP) is enabled and configured for health
validation, the DirectAccess client obtains a health certificate from a Health
Registration Authority (HRA) located on the Internet prior to connecting to the
DirectAccess server. The HRA forwards the DirectAccess client’s health status
information to a NAP health policy server. The NAP health policy server
processes the policies defined within the Network Policy Server (NPS) and
determines whether the client is compliant with system health requirements. If
the client is compliant, the HRA obtains the health certificate for the
DirectAccess client. When the DirectAccess client connects to the DirectAccess
server, the health certificate is submitted for authentication.
• The DirectAccess server begins forwarding traffic from the DirectAccess client
to the intranet resources to which the user has been granted access.
Question: Is native IPv6 network connectivity required between the client and the
target server on the intranet, if you want to use DirectAccess?
Key Points
To separate Internet traffic from Intranet traffic for DirectAccess, Windows
Server 2008 R2 and Windows 7 include the Name Resolution Policy Table
(NRPT), a feature that allows DNS servers to be defined per DNS namespace,
rather than per interface. The NRPT stores a list of rules. Each rule defines a DNS
namespace and configuration settings that define the DNS client’s behavior for that
namespace. When a DirectAccess client is on the Internet, each name query
request is compared against the namespace rules stored in the NRPT. If a match is
found, the request is processed according to the settings in the NRPT rule.
If a name query request does not match a namespace listed in the NRPT, the
request is sent to the DNS servers configured in the TCP/IP settings for the
specified network interface. For a remote client, the DNS servers will typically be
the Internet DNS servers configured through the Internet service provider (ISP).
For a DirectAccess client on the intranet, the DNS servers will typically be the
intranet DNS servers configured through DHCP.
search suffixes appended to the name before they are checked against the NRPT.
If no DNS search suffixes are configured and the single-label name does not match
any other single-label name entries in the NRPT, the request will be sent to the
DNS servers specified in the client’s TCP/IP settings.
Namespaces, for example, internal.contoso.com, are entered into the NRPT
followed by the DNS servers to which requests matching that namespace should
be directed. If an IP address is entered for the DNS server, all DNS requests will be
sent directly to the DNS server over the DirectAccess connection. You need not
specify any additional security for such configurations. However, if a name is
specified for the DNS server, such as dns.contoso.com in the NRPT, the name must
be publicly resolvable when the client queries the DNS servers specified in its
TCP/IP settings.
The NRPT allows DirectAccess clients to use intranet DNS servers for name
resolution of internal resources and Internet DNS for name resolution of other
resources. Dedicated DNS servers are not required for name resolution.
DirectAccess is designed to prevent the exposure of your intranet namespace to the
Internet.
Some names need to be treated differently with regards to name resolution; these
names should not be resolved by using intranet DNS servers. To ensure that these
names are resolved with the DNS servers specified in the client’s TCP/IP settings,
you must add them as NRPT exemptions.
The NRPT is controlled through Group Policy. When the computer is configured to
use the NRPT, the name resolution mechanism first tries the local name cache,
then the hosts file, then the NRPT, and finally sends the query to the DNS
servers specified in the TCP/IP settings.
Intranet detection
When a DirectAccess client experiences a significant network change event, such
as a change in link status or a new IP address, the DirectAccess client assumes
that it is not on the intranet and uses the DirectAccess rules in the NRPT to
determine where to send DNS name queries. The DirectAccess client then attempts
to resolve the fully qualified domain name (FQDN) in the URL of the network
location server. Because the NRPT has active rules for DirectAccess, the FQDN
should either match an exemption rule or no rule in the NRPT, so that the
DirectAccess client uses the interface-configured DNS servers. If the
DirectAccess client is not on the intranet, it will not be able to resolve the
FQDN of the network location server and name resolution will fail.
If FQDN resolution is successful, the DirectAccess client attempts to connect to
the network location server. When the DirectAccess client successfully accesses
the HTTPS-based URL of the network location server, it determines that it is on
the intranet. The DirectAccess client then removes the DirectAccess NRPT rules
from the active table and uses the interface-configured DNS servers to resolve
all names. If the DirectAccess client cannot access the network location server,
or its FQDN resolution is not successful, the DirectAccess client assumes that it
is on the Internet and establishes a DirectAccess connection.
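The NRPT lookup rules and the intranet-detection sequence described above, as an added Python model (this is not Microsoft's implementation and not code from the course). The rule set, host names, DNS server addresses and search suffix are constructed for illustration, and the HTTPS probe of the network location server is stood in for by a Boolean argument.

```python
"""Model of how a DirectAccess client (Windows 7 / Server 2008 R2) consults the
Name Resolution Policy Table (NRPT) and decides whether it is on the intranet.
Added example, not Microsoft's code: rules, names and addresses are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NrptRule:
    # ".corp.contoso.com" is a suffix rule; "nls.corp.contoso.com" is an exact rule.
    namespace: str
    # Intranet DNS servers reached over DirectAccess; [] marks an exemption, which
    # sends the query to the interface-configured DNS servers instead.
    dns_servers: List[str]


@dataclass
class DirectAccessClient:
    rules: List[NrptRule]
    search_suffixes: List[str]
    interface_dns: List[str]    # DNS servers from the adapter's TCP/IP settings
    nrpt_active: bool = True    # after a network change the client assumes "not intranet"


def rule_matches(rule: NrptRule, fqdn: str) -> bool:
    ns, name = rule.namespace.lower(), fqdn.lower().rstrip(".")
    if ns.startswith("."):
        return name.endswith(ns)    # suffix rule: any name under the namespace
    return name == ns               # exact rule: this one FQDN only


def longest_match(rules: List[NrptRule], fqdn: str) -> Optional[NrptRule]:
    # The most specific (longest) namespace wins, so an exact exemption for the
    # network location server beats the broader ".corp.contoso.com" rule.
    hits = [r for r in rules if rule_matches(r, fqdn)]
    return max(hits, key=lambda r: len(r.namespace), default=None)


def resolve_target(client: DirectAccessClient, name: str) -> Tuple[str, str, List[str]]:
    """Return (where, fqdn_queried, dns_servers): where is 'intranet' (query goes
    over DirectAccess) or 'interface' (ISP/local DNS from the TCP/IP settings)."""
    # Single-label names get the search suffixes appended before the NRPT check.
    candidates = [name]
    if "." not in name and client.search_suffixes:
        candidates = [f"{name}.{suffix}" for suffix in client.search_suffixes]
    if client.nrpt_active:
        for fqdn in candidates:
            rule = longest_match(client.rules, fqdn)
            if rule is None:
                continue
            if rule.dns_servers:
                return ("intranet", fqdn, rule.dns_servers)
            return ("interface", fqdn, client.interface_dns)     # exemption
    # No rule matched (or NRPT inactive): use the interface-configured servers.
    return ("interface", candidates[0], client.interface_dns)


def detect_location(client: DirectAccessClient, nls_fqdn: str, nls_reachable: bool) -> str:
    """Intranet detection after a network change event. nls_reachable stands in
    for 'the HTTPS URL of the network location server answered' (constructed)."""
    client.nrpt_active = True   # assume off-intranet until the NLS proves otherwise
    where, _, _ = resolve_target(client, nls_fqdn)
    if where != "interface":
        # Misconfiguration: the NLS name must hit an exemption or no rule at all,
        # otherwise the client would try to reach it through DirectAccess.
        raise ValueError(f"{nls_fqdn} must be an NRPT exemption or match no rule")
    if nls_reachable:
        client.nrpt_active = False  # on the intranet: DirectAccess rules removed
        return "intranet"
    return "internet"               # resolution/probe failed: build the DirectAccess tunnel


def build_lab_client() -> DirectAccessClient:
    # Constructed configuration; 2001:db8::/32 and 192.0.2.0/24 are documentation ranges.
    return DirectAccessClient(
        rules=[
            NrptRule(".corp.contoso.com", ["2001:db8:0:1::53"]),
            NrptRule("nls.corp.contoso.com", []),    # exemption for the NLS
        ],
        search_suffixes=["corp.contoso.com"],
        interface_dns=["192.0.2.53"],
    )


if __name__ == "__main__":
    client = build_lab_client()
    print("location:", detect_location(client, "nls.corp.contoso.com", nls_reachable=False))
    for q in ("fileserver", "fileserver.corp.contoso.com", "nls.corp.contoso.com", "www.contoso.com"):
        print(q, "->", resolve_target(client, q))
```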
To reduce the traffic on the corporate network, DirectAccess separates intranet
traffic from Internet traffic. Most VPNs send all traffic, including traffic that
is destined for the Internet, through the VPN, which reduces both intranet and
Internet access speed. DirectAccess does not reduce the Internet access speed,
because communications to the Internet do not have to travel to the corporate
network and back to the Internet.
IPv6 is a critical technology that will help ensure that the Internet can support a
large user base and a large number of IP-enabled devices. The robustness,
scalability, and limited features of IPv4 are challenged by the growing need for new
IP addresses and the rapid growth of new network-aware devices.
The important benefits of IPv6 are as follows:
• Large address space
• IPSec included
• Better support for prioritized delivery and extensibility
The DirectAccess solution requires the use of IPv6 so that DirectAccess clients have
globally routable IP addresses. For organizations that are already using IPv6, the
DirectAccess solution seamlessly extends the existing infrastructure to
DirectAccess client computers and to client computers that access Internet
resources using IPv4.
method to deploy IPv6 without requiring an infrastructure upgrade. You can use
the 6to4 and Teredo IPv6 transition technologies for connectivity across the IPv4
Internet and the ISATAP IPv6 transition technology, so that DirectAccess clients
can access IPv6-capable resources across your IPv4-only intranet.
You can deploy a Network Address Translation–Protocol Translation (NAT-PT)
device so that DirectAccess client computers can access resources on your intranet
that do not support IPv6.
Question: Can you use DirectAccess to connect to the Windows Server 2003 SP2
intranet server?
Deploying DirectAccess
You can deploy DirectAccess to allow remote users to connect directly to intranet
servers. This helps organizations reduce costs and simplify their network edge by
reducing the number of application-specific front-end servers that need to be
deployed.
In this lesson, you will learn about the DirectAccess requirements, discuss how to
plan the DirectAccess solution, and then learn the process of installation and
deployment of DirectAccess.
After completing this lesson, you will be able to:
• Describe the client and server requirements for deploying DirectAccess.
• Describe the infrastructure requirements for deploying DirectAccess.
• Plan for the DirectAccess solution.
• Describe how to configure DirectAccess.
Key Points
To deploy DirectAccess, you need to ensure that the server meets the hardware and
network requirements:
• The server must be joined to an Active Directory domain.
• The server must be running Windows Server 2008 R2.
• The server must have at least two physical network adapters installed: one
connected to the Internet and the other connected to the intranet.
• The server must have at least two consecutive static, public IPv4 addresses
assigned to the network adapter that is connected to the Internet.
• The server must not be placed behind a NAT.
On the DirectAccess server, you can install the DirectAccess Management Console
feature by using Server Manager. You can use the DirectAccess Management
Console to configure DirectAccess settings for the DirectAccess server and clients,
Infrastructure Requirements
Key Points
The following are the infrastructure requirements to deploy DirectAccess:
• Active Directory. You must deploy at least one Active Directory domain.
Workgroups are not supported.
• Group Policy. You need Group Policy for centralized administration and
deployment of DirectAccess client settings. The DirectAccess Setup Wizard
creates a set of Group Policy Objects and settings for DirectAccess clients,
DirectAccess servers, and management servers.
• DNS and domain controller. You must have at least one domain controller
and DNS server running Windows Server 2008 SP2 or Windows Server 2008
R2.
• Public key infrastructure (PKI). You need to use PKI to issue computer
certificates for authentication, and health certificates when Network Access
Protection (NAP) is in place. You do not need external certificates. The Secure
certificate revocation list (CRL) distribution point that is reachable from the
Internet. The certificate Subject field must contain fully qualified domain name
(FQDN) that can be resolved to a public IPv4 address assigned to the
DirectAccess server by using the Internet Domain Name System (DNS).
• IPSec policies. DirectAccess utilizes IPSec policies that are configured and
administered as part of Windows Firewall with Advanced Security.
• Internet Control Message Protocol Version 6 (ICMPv6) Echo Request
traffic. You must create separate inbound and outbound rules that allow
ICMPv6 Echo Request messages. The inbound rule is required to allow
ICMPv6 Echo Request messages and is scoped to all profiles. The outbound
rule to allow ICMPv6 Echo Request messages is scoped to all profiles and is
only required if Outbound block is turned on. DirectAccess clients that use
Teredo for IPv6 connectivity to the intranet use the ICMPv6 message when
establishing communication.
• IPv6 and transition technologies. IPv6 and the transition technologies such
as Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), Teredo, and
6to4 must be available for use on the DirectAccess server. For each DNS server
running Windows Server 2008 or Windows Server 2008 R2, you need to
remove the ISATAP name from the global query block list.
Question: You have a Windows Server 2003 certification authority server in your
domain. Can you use the existing PKI infrastructure for DirectAccess, or should
you set up a new certification authority server on Windows Server 2008 R2?
Selected server access (modified end-to-edge): This model is similar to the Full
Intranet access model. However, communication between the DirectAccess client
and the IPSec Gateway is protected by IPSec-based tunnel policies requiring
encryption to the IPSec Gateway. This model also has an additional
authentication mechanism that involves creating an additional IPSec rule
requiring ESP with NULL encryption from the client to the application server.
This encrypts the client’s communication to the IPSec Gateway, but authenticates
the communication until it reaches the application server. This ensures that the
DirectAccess client communicates only with the intended servers. This access
model also makes it easy to create restriction policies to prevent specific
users or applications on DirectAccess clients from accessing specific servers.
Question: Which of the three DirectAccess models would you use in your
environment?
static IPv4 addresses that are externally resolvable through DNS. Ensure that
you have an IPv4 address available and that you have the ability to have that
address published in your externally-facing DNS server.
6. If you have disabled IPv6 on clients and servers, enable IPv6 because it is
required for DirectAccess.
7. Create a security group in Active Directory and add all client computer
accounts that will be accessing intranet through DirectAccess.
8. Install a Web server on the DirectAccess server to enable DirectAccess clients
to determine if they are inside or outside the intranet.
9. Designate one of the server network adapters as the Internet-facing interface.
This interface will require two consecutive, public IPv4 addresses. Both these
IPv4 addresses must be assigned to the same interface.
10. On the DirectAccess server, ensure that the Internet-facing interface is
configured to be either a Public or a Private interface, depending on your
network design. Configure the intranet interfaces as Domain interfaces. No
other combinations are supported. If you have more than two interfaces,
ensure that no more than two classification types are selected.
11. Add and configure the Certificate Authority server role, create the certificate
template and CRL distribution point, publish the CRL list, and distribute the
computer certificates.
Question: Why is it important that the DirectAccess client should have access to a
CRL distribution point?
DirectAccess Server
Key Points
1. By default, the DNS server blocks name resolution queries for the ISATAP
record. As ISATAP will be used for network connectivity to internal resources,
you need to remove the ISATAP name from the DNS default global block list.
On LON-DC1, run the following command:
DC1 users
9. On LON-DC1, publish the CRL to CRLDist, and verify that two CRL files named
Contoso-LON-DC1-CA.crl and Contoso-LON-DC1-CA+.crl and a web.config file are
there.
10. On LON-SVR1, open the Console1 - [Console Root] console to add and enroll
a computer certificate with the following information:
• Request Certificates: DirectAccess and More information is required
to enroll for this certificate. Click here to configure settings
• Subject name type: Common Name
• Value: LON-SVR1.contoso.com
• Alternative name type: DNS
• Value: LON-SVR1.contoso.com
• Friendly name of LON-SVR1.contoso.com: IP-HTTPS Certificate
11. On LON-SVR1, install the DirectAccess Management Console feature by using
the Server Manager console.
12. On LON-SVR1, open DirectAccess Management to configure the DirectAccess
setup with the following information:
Step 1
• Enter the object name to select: DirectAccess Clients
Step 2
• Interface connected to the Internet: Internet
• Interface connected to the internal network: Corpnet
• Use intermediate certificate: Contoso-LON-DC1-CA
• Certificate that will be used to secure remote client connectivity over
HTTPS: IP-HTTPS Certificate
Step 3
• Network Location server is run on the DirectAccess server
• Certificate that will be used to secure location identification: LON-
SVR1.Contoso.com
2002:836b:2:1:0:5efe:192.168.10.1
Key Points
1. On LON-CL1, verify whether there is access to the IIS7 Web page and the
share file, Example.
2. When you configured DirectAccess server, the wizard created two Group
Policies and linked them to the domain. To apply them, on LON-CL1, open
the command prompt and run the following command to update and view the
effective policies.
gpupdate /force
netsh name show effectivepolicy
ping 131.107.0.2
configurations.
ipconfig
5. Run the following command to verify that the Link-Local IPv6 Address has
the prefix fe80, and also view the Windows IP configuration.
ipconfig
7. Run the following command to verify that there is an additional IPv6 address,
2002:836b:2:1:0:5efe:192.168.10.1, and also view the Windows IP
configuration.
ipconfig /flushdns
netsh name show effectivepolicy
ping 2002:836b:2:1:0:5efe:192.168.10.1
ping lon-dc1.contoso.com
9. On LON-CL1, verify that there is access to the IIS7 Web and the share file,
Example.txt.
10. On LON-DC1, edit the Default Domain Policy to create a shortcut to the
Windows Settings with the following information:
• Action: Create
• Name: ApplicationData
• Target path: \\LON-DC1\AppData
• Location: All Users Desktop
gpupdate /force
12. Log off and then log on to LON-CL1 with user name, contoso\administrator,
and the password, Pa$$w0rd.
Question: How will you configure an IPv6 address for Windows 7 to use
DirectAccess?
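The address that step 7 expects on LON-CL1 can be checked by composition rather than by eye. The following added Python example (not Microsoft's code or the course's) builds the 6to4 organisation prefix from the DirectAccess server's public IPv4 address and the ISATAP interface identifier from the client's intranet IPv4 address, and extracts both back out of an address as ipconfig prints it. It assumes that the lab's 131.107.0.2 is the DirectAccess server's first Internet-facing address and takes the subnet ID 1 from the address the lab shows.

```python
"""Compose and decompose the 6to4 + ISATAP address a DirectAccess client gets on
an IPv4-only intranet. Added example, not Microsoft's code; the public IPv4
131.107.0.2, the intranet IPv4 192.168.10.1 and the subnet ID 1 are the lab's."""
import ipaddress
from typing import Optional


def six_to_four_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """RFC 3056: 2002:WWXX:YYZZ::/48, where WWXXYYZZ is the hex form of the
    6to4 router's public IPv4 address (the DirectAccess server's first address)."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_address(prefix: ipaddress.IPv6Network, subnet_id: int,
                   intranet_ipv4: str) -> ipaddress.IPv6Address:
    """RFC 5214 interface identifier ::0:5efe:w.x.y.z (0200:5efe when the IPv4
    address is globally unique, 0000:5efe when it is private) under prefix:subnet/64."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < 0x10000:
        raise ValueError("need a /48 organisation prefix and a 16-bit subnet ID")
    v4 = ipaddress.IPv4Address(intranet_ipv4)
    ug = 0x0000 if v4.is_private else 0x0200      # u/g bits of the interface ID
    iid = (ug << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | (subnet_id << 64) | iid)


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried in an ISATAP interface ID, or None if the
    address has no 5efe marker. Accepts the mixed notation ipconfig prints."""
    n = int(ipaddress.IPv6Address(addr))
    marker = (n >> 32) & 0xFFFF
    ug = (n >> 48) & 0xFFFF
    if marker != 0x5EFE or ug not in (0x0000, 0x0200):
        return None
    return ipaddress.IPv4Address(n & 0xFFFFFFFF)


def six_to_four_router(addr: str) -> Optional[ipaddress.IPv4Address]:
    """For a 2002::/16 address, return the public IPv4 address encoded in the
    prefix, i.e. the 6to4 endpoint the traffic is tunnelled to."""
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network("2002::/16"):
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    prefix = six_to_four_prefix("131.107.0.2")            # DirectAccess server's public IPv4
    client = isatap_address(prefix, 1, "192.168.10.1")    # LON-CL1's intranet IPv4
    print(prefix, client)          # 2002:836b:2::/48 2002:836b:2:1:0:5efe:c0a8:a01
    print(six_to_four_router(str(client)), embedded_ipv4(str(client)))
```

Python compresses the trailing 32 bits to hexadecimal (c0a8:a01), whereas ipconfig shows them as the dotted quad 192.168.10.1; both spell the same address.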
In dynamic business scenarios, it is important that users are able to access data
anytime from anywhere, securely. Users must also be able to access data
continuously. For example, users might want to securely access data on the
company's server in the head office, from a branch office, or while on the road. To
meet this requirement, you can configure the VPN Reconnect feature that is
available in Windows Server 2008 R2 and Windows 7. This enables users to
securely access the company's data by using a VPN connection, which will
automatically reconnect if connectivity is interrupted. It will also enable roaming
between different networks.
In this lesson, you will be introduced to VPN Reconnect and its key features. You
will learn to configure VPN Reconnect. You will also learn about Secure Socket
Tunneling Protocol (SSTP).
After completing this lesson, you will be able to:
Key Points
You can use either DirectAccess or VPNs to provide remote access in your
organizations. DirectAccess has higher network infrastructure requirements and it
is more challenging to configure when compared to VPNs. However, DirectAccess
provides constant connectivity, while for VPNs, you need to first establish the VPN
connection.
DirectAccess can replace VPN as the preferred remote access method for many
organizations. However, some organizations will continue to use VPNs along with
DirectAccess, because of high infrastructure requirements for DirectAccess and
because it may not be possible to use DirectAccess in every business situation.
Also, VPN usability has been enhanced in Windows Server 2008 R2 and Windows
7 with the introduction of the VPN Reconnect feature.
VPN Reconnect uses the Internet Key Exchange version 2 (IKEv2) technology to
provide seamless and consistent VPN connectivity. VPN Reconnect automatically
re-establishes a VPN connection when Internet connectivity is available again.
this capability.
For example, consider a user with a laptop running Windows 7. When the user
travels to work by train, the user connects to the Internet by using a wireless
mobile broadband card and then establishes a VPN connection to the company’s
network. When the train passes through a tunnel, the Internet connection is lost.
After the train comes out of the tunnel, the wireless mobile broadband card
automatically reconnects to the Internet. With earlier versions of Windows client
and server operating systems, the VPN did not reconnect automatically, so the
user had to manually repeat the multistep process of connecting to the VPN.
This can become time consuming for mobile users with intermittent connectivity.
With VPN Reconnect, Windows Server 2008 R2 and Windows 7 automatically re-
establish active VPN connections when Internet connectivity is re-established.
While the reconnection might take several seconds, users stay connected and
keep their access to internal network resources.
The system requirements for using the VPN Reconnect feature are as follows:
• Windows Server 2008 R2 as a VPN server
• Windows 7 or Windows Server 2008 R2 client
• A PKI, because a computer certificate is required for a remote
connection with VPN Reconnect. Certificates issued by an internal or a public
CA can be used.
Question: Would a user be able to establish a VPN Reconnect connection from a
Windows Vista SP2 client computer?
Question: What is the main benefit of VPN Reconnect, compared to other VPN
protocols?
Key Points
VPN Reconnect or IKEv2 support must be enabled on the server and the
appropriate VPN connection must be created on the client.
On the server, you must:
1. Create a user account with remote access permission.
2. Install a certificate with Server Authentication and IP security IKE intermediate
extended key usage on the VPN server. You can get the appropriate certificate
template by duplicating the IPsec template. You can request a certificate by using
the Certificates console.
3. Install Routing and Remote Access and configure it as a VPN server. Routing and
Remote Access is a role service of the Network Policy and Access Services server
role.
Question: What are the requirements for configuring VPN Reconnect? In which
situations would it be helpful?
Key Points
ping vpn.contoso.com
ping vpn.contoso.com
ping vpn.contoso.com
Question: What will happen to the VPN Reconnect connection if you establish it
and then switch from wireless to wired connection?
Firewalls are typically configured to block PPTP and L2TP/IPSec traffic, but allow
Secure Sockets Layer (SSL) traffic because SSL is used for protecting HTTP traffic.
SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the
HTTPS protocol so that the traffic can typically pass through firewalls. HTTPS
allows traffic to flow through TCP port 443, a port commonly used for Web access.
SSL provides transport-level security with enhanced key negotiation, encryption,
and integrity checking. SSTP is supported on Windows Server 2008, Windows
Vista SP1, and later versions of Windows operating systems.
SSTP can be especially beneficial for environments where other VPN protocols
such as PPTP or L2TP/IPSec are blocked by firewalls.
When a user initiates an SSTP-based VPN connection, the following process
occurs:
dynamically allocated TCP port on the SSTP client and TCP port 443 on the
SSTP server.
• The SSTP client sends an SSL Client-Hello message, indicating that the SSTP
client wants to create an SSL session with the SSTP server.
• The SSTP server sends its computer certificate to the SSTP client.
• The SSTP client:
• Validates the computer certificate.
• Determines the encryption method for the SSL session.
• Generates an SSL session key, encrypts it with the public key of the SSTP
server’s certificate, and then sends the encrypted form of the SSL session
key to the SSTP server.
• The SSTP server decrypts the encrypted SSL session key with the private key of
its computer certificate. All further communication between the SSTP client
and the SSTP server is encrypted with the negotiated encryption method and
SSL session key.
• The SSTP client sends an HTTP over SSL request message to the SSTP server.
• The SSTP client negotiates an SSTP tunnel with the SSTP server.
• The SSTP client negotiates a PPP connection with the SSTP server. This
negotiation includes authenticating the user’s credentials with a PPP
authentication method and configuring the settings for IPv4 or IPv6 traffic.
• The SSTP client starts sending IPv4 or IPv6 traffic over the PPP link.
Question: When would you use SSTP for establishing the VPN connection?
Introduction
In this lab, you will deploy and configure Remote Access services. To do this, you
will review the existing infrastructure configuration and configure the
infrastructure services for DirectAccess. You will also configure the DirectAccess
server, verify ISATAP-based connectivity, and implement VPN Reconnect.
Objectives
After completing this lab, you will be able to:
• Review existing infrastructure configuration
• Complete configuration of infrastructure services for DirectAccess
• Complete configuration of the DirectAccess server and verify ISATAP-based
connectivity
• Implement VPN reconnect
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-CL1 virtual machine, and then log on by using the following
credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
Lab Scenario
You are a server administrator at Contoso, Ltd. Your organization consists of a large
mobile workforce that carries laptops to stay connected. Your organization wants
to provide a secure solution to protect data transfer. To do this, you will use
DirectAccess to enable persistent connectivity, central administration, and
management of remote computers.
The infrastructure of some branch offices does not support the use of
DirectAccess. Therefore, employees in the branch offices use VPN connections
instead of DirectAccess to stay connected. To help employees use VPN
connections, you need to enable the VPN Reconnect feature for them.
• On LON-SVR1, verify that there are two network adapters, Corpnet and
Internet, of which one is connected to the public network and the other is
connected to the private network. Also verify that there are two consecutive
static, public IPv4 addresses for the public adapter.
Results: After completing this exercise, you should have reviewed the group policy
configuration, configuration of certificate services and certificate templates, and
network configurations.
• On LON-DC1, create a new resource record for the Forward Lookup Zone,
Domain.com, with the following information:
• Alias name: CRL
• Fully qualified domain name (FQDN) for target host: LON-
SVR1.contoso.com
• On LON-DC1, specify the location from which users can obtain a certificate
revocation list (CRL) by using Certification Authority with the following
information:
• Location: \\LON-SVR1\crldist\
• Insert variables: <CRLNameSuffix> and <DeltaCRLAllowed>
• After inserting the variables append the location with .crl
• Select Publish CRLs to this location and Publish Delta CRL to this
location
Results: After completing this exercise, you should have completed the configuration
of infrastructure services for DirectAccess.
gpupdate /force
netsh name show effectivepolicy
• Disable the Corpnet network connection, enable the Internet network
connection, and then run the following command.
ping 131.107.0.2
ipconfig
• Run the following command to verify that the Link-Local IPv6 Address has the
prefix fe80, and also view the Windows IP configuration.
ipconfig
• Run the following command to verify that there is an additional IPv6 address,
2002:836b:2:1:0:5efe:192.168.10.1, and also view the Windows IP
configuration.
ipconfig /flushdns
netsh name show effectivepolicy
ping 2002:836b:2:1:0:5efe:192.168.10.1
ping lon-dc1.contoso.com
gpupdate /force
• Log off and then log on to LON-CL1 with user name, contoso\administrator,
and the password, Pa$$w0rd.
Results: After completing this exercise, you should have completed the configuration
of the DirectAccess server and verified the ISATAP-based connectivity.
• On LON-SVR1, open the Routing and Remote Access console to configure and
enable Routing and Remote Access with the following information:
• Configuration: Remote access (dial-up or VPN)
• Name of the network interfaces: Internet
• Clear Enable security on the selected interface by setting up static
packet filters
• IP Address Assignment: From a specified range of addresses
• Start IP address: 192.168.10.200
• End IP address: 192.168.10.210
Task 3: Configure the Network Policy Server (NPS) to grant access for
the EAP-MSCHAPv2 authentication.
• On LON-SVR1, launch NPS and configure the Microsoft Routing and Remote
Access server connection properties with the following information:
• Access Permission: Grant access. Grant access if the connection
request matches this policy
• Constraints: Authentication Methods
• EAP Types list: Remove Microsoft: Smart Card or other certificate
ping vpn.contoso.com
ping vpn.contoso.com
ping vpn.contoso.com
Results: After completing this exercise, you should have configured Routing and
Remote Access, configured NPS to grant the access for the EAP-MSCHAPv2
authentication, configured and established the VPN connection, and simulated the
connection persistence.
2. Which command should you use to verify that LON-CL1 has network
connectivity?
You should use the ping vpn.contoso.com command to verify that LON-CL1 has
network connectivity.
Review Questions
1. What are the main benefits of using DirectAccess for providing remote
connectivity?
2. How do you configure DirectAccess clients?
3. How does the DirectAccess client determine whether it is connected to intranet
or the Internet?
4. What is the role of Name Resolution Policy Table (NRPT)?
5. Can you use VPN Reconnect to establish a connection from Windows 7 to the
Windows Server 2008 VPN server?
Tools
Tool                         Use for it                            Where to find
DirectAccess Management      A graphical tool that simplifies      Installed when you add the
Console                      the configuration of the              DirectAccess Management
                             DirectAccess feature                  Console feature
Routing and Remote Access    A graphical tool for managing         Installed when you add the
                             Routing and Remote Access             Routing and Remote Access
                                                                   Services role service
Configuring Windows Server 2008 R2 Features for Branch Offices 6-1
Module 6
Configuring Windows Server 2008 R2 Features
for Branch Offices
Contents:
Lesson 1: Features for Optimizing Branch Office Network Access 6-4
Lesson 2: Configuring BranchCache 6-24
Lesson 3: Configuring Branch Office Security Features 6-37
Lab: Configuring Windows Server 2008 R2 Features for Branch Offices 6-59
Module Overview
stored in Distributed File System (DFS) replicas. You can use the read-only DFS
replicas to protect your digital assets by allowing branch offices read-only access to
information. Users cannot modify the content stored in a read-only DFS
replica. Windows® BitLocker
protects hard disk data from unauthorized viewing and modifications in the offline
mode.
Windows Server 2008 R2 also enables delegation and distributed administration.
Administrators can use Remote Desktop for remote administration and branch
office users can benefit from improved Remote Desktop Services.
In this module, you will discuss the challenges of the branch office environment
and how to meet them by using Windows Server 2008 R2. BranchCache is an
important feature in Windows Server 2008 R2. You will learn about distributed
and Hosted Cache mode and the differences between them. You will also learn
how to configure BranchCache.
In addition, you will learn about the security challenges and how they can be
resolved through various methods, such as implementing Read-Only DFS replicas,
using BitLocker and BitLocker to Go, and benefits of Server Core.
Windows Server 2008 R2 provides features that are specifically useful for branch
offices. These features, such as RODC, transparent caching, receive window auto-
tuning, BranchCache, Server Message Block (SMB) 2.0, and virtualization, help you
to optimize traffic over a slow wide area network (WAN) link, minimize the
number of servers in the branch office, provide additional security, and improve
user experience.
Windows Server 2008 R2 and Windows 7 clients can benefit from the
BranchCache feature. BranchCache is used to cache file share and Web traffic and
provide branch office users with fast access to data. You can configure a distributed
cache or Hosted Cache mode, depending on the network infrastructure and
number of users in the branch office, and reduce the WAN utilization.
Key Points
A head office is often a central communication hub for branch offices. Each branch
office has relatively few users.
For example, the head office for a chain of retail stores can have many employees
and be at a central location, while branch retail stores share files and data with it.
In the process of storing and retrieving data from the servers located in the head
office, the retail store management faces challenges due to slow and expensive
WAN links between head office and branch offices, high link utilization, poor
application responsiveness, and challenges regarding system management and
administration of branch offices, deployment of new computers, and optimizing
operational costs.
Key Points
Windows Server 2008 provides features and technologies that help you meet key
requirements in a branch office scenario. These features and technologies provide
high security, better performance, access to a local copy of the data to avoid
latency, and operational capabilities even if the WAN link is temporarily
unavailable.
Windows Server 2008 features and technologies include:
• Next generation TCP/IP stack. Windows Server 2008 includes an
implementation of the TCP/IP protocol stack known as the Next Generation
TCP/IP stack. The Next Generation TCP/IP stack is a complete redesign of the
TCP/IP functionality for both IPv4 and IPv6 that meets the connectivity and
performance needs of networking environments. The Next Generation TCP/IP
stack includes features such as Receive Window Auto-Tuning, enhancements for
high-loss environments, and the Windows Filtering Platform.
Key Points
Windows Server 2008 R2 builds on Windows Server 2008 technologies and
introduces several new and improved features that you can use in a branch office
environment. Windows Server 2008 R2 provides all the benefits of Windows
Server 2008, such as Next Generation TCP/IP stack and improved WAN efficiency
mechanisms, including background synchronization of offline files and improved
Remote Desktop Services (RDS) experience. Windows Server 2008 R2 provides
the new feature called BranchCache.
If virtualization is used in the branch offices, Windows Server 2008 R2 provides
improved performance in Hyper-V 2.0, and better scalability and support for
Virtual Desktop Infrastructure (VDI) scenarios. Branch office users can also benefit
from improvements in RDS such as enhanced user experience, RemoteApp, and
Remote Desktops.
access include:
• BranchCache. BranchCache caches content from the Web and file
servers locally in the branch office. This improves the response time and
reduces WAN traffic. When another client at the same branch office requests
the same content, the client accesses it directly from the BranchCache over
local network, without using a slower WAN link.
• VPN Reconnect. VPN Reconnect is a new feature of Routing and
Remote Access Service (RRAS) that provides users with seamless and
consistent VPN connectivity by automatically reestablishing a VPN connection
if users temporarily lose the connectivity. Users who connect by using a
wireless mobile broadband can benefit most from this feature. With VPN
Reconnect, client computers automatically reestablish active VPN connections
when the Internet connectivity is reestablished. Reconnection might take
several seconds and the connection status is transparent to users.
• URL-based Quality of Service (QoS). The URL-based QoS feature
allows you to assign a priority level to traffic, based on the URL from which
the traffic originates. QoS marks IP packets with a Differentiated Services Code
Point (DSCP) number that routers then examine to determine the priority of
the packet. If packets are queued at the router, higher priority packets are sent
before the lower priority packets. With URL-based QoS, you can prioritize the
network traffic based on the source URL, in addition to prioritization based on
IP address and ports. This feature gives more control over network traffic,
ensuring that important Web traffic is processed before less-important or
remote traffic.
• Multiple active firewall profiles. Multiple active firewall profiles enable
the firewall rules that are most appropriate for each network adapter based on
the network to which it is connected. Windows firewall settings are
determined by the profile that you use. In earlier versions of Windows
operating systems, only one firewall profile was active at a time. Therefore, if
multiple network adapters were connected to different network types, you
could have only one active profile, which applied the most restrictive rules. In
Windows Server 2008 R2 and Windows 7, each network adapter applies the
firewall profile that is most appropriate for the type of network to which it is
connected. The type of network can be Private, Public, or Domain.
• Transparent caching and background synchronization of offline
files. The offline files feature supports transitioning to an offline mode when
the computer is on a slow network by default. This helps reduce the network
traffic while connected to your intranet because users modify the locally
However, information stored in the Offline Files local cache is still protected,
because it is synchronized with the network shared folder.
Security enhancements in Windows Server 2008 R2 for branch office network
access include:
• Read-Only DFS replicas. A read-only replicated folder is a replicated
folder in which users cannot add or change files. This allows you to keep the
read-only folders up-to-date on a central server. Users will not be able to
modify the content, and therefore, DFS replicas are protected from accidental
deletion or modifications at branch office locations.
• BitLocker to Go. BitLocker to Go extends BitLocker drive encryption from
fixed disk drives to removable devices, such as removable hard disk
drives and USB keys. BitLocker to Go also helps protect the encrypted content
of the removable devices with a passphrase. You can set a policy that requires
BitLocker to Go protection of removable drives. BitLocker To Go also enables
secure sharing of data with users using earlier versions of Windows operating
systems.
Key Points
Auto-tuning allows the operating system to monitor the link conditions and
configure connections to maximize the network performance. Receive Window
Auto-Tuning enables the network stack to receive data more efficiently. The size of
Receive Window is defined by a field in the TCP packet that informs the sending
computer how much data the receiving computer can accept before confirming it.
In Windows Server 2008 and Windows Server 2008 R2, Receive Window Auto-
Tuning enables better throughput between TCP peers and increases the utilization
of network bandwidth during data transfer.
The TCP/IP stack in Windows Server 2008, Windows Server 2008 R2, Windows
Vista™, and Windows 7 supports Receive Window Auto-Tuning. Receive Window
Auto-Tuning continually determines the optimal size of receive window by
measuring the bandwidth-delay product and the application retrieve rate. Receive
Window Auto-Tuning then adjusts the maximum receive window size based on the
changing network conditions.
Question: When you upgrade servers from Windows Server 2003 SP2 to
Windows Server 2008 R2, files are copied considerably faster over a slow WAN
link. What is the reason for that?
Key Points
Server Message Block (SMB), also known as the Common Internet File System
(CIFS), is the file sharing protocol in Windows-based computers. The Windows
operating system includes an SMB client and an SMB server. In Windows Server
2008, SMB is completely redesigned and has many enhancements that are also
available in Windows Server 2008 R2.
The enhancements in SMB include:
• Support for sending multiple SMB commands within the same packet.
This reduces the number of packets sent between an SMB client and an SMB
server.
• Support for larger buffer sizes. Therefore, the network stack is no longer the
bottleneck; only the application and the disk need to be considered.
SMB Client                            SMB Server                            SMB version used
Windows Server 2008 R2, Windows 7     Windows Server 2008 R2, Windows 7     SMB 2.0
Windows Server 2008 R2, Windows 7     Windows XP, Windows Server 2003       SMB 1.0
Windows XP, Windows Server 2003       Windows Server 2008 R2, Windows 7     SMB 1.0
Question: Will you be able to use SMB 2.0 benefits when you are connecting to
Windows Server 2008 R2 from a Windows XP SP3 client computer?
Key Points
In earlier versions of Windows operating systems, to open a file across a slow
network, client computers retrieve the file from the file server, even if the file was
recently read by the same client. With Windows 7 transparent caching, client
computers cache remote files more aggressively, reducing the number of times a
client computer has to retrieve the same data from a file server. The first time a user
opens a file in a shared folder, Windows 7 reads the file from the server and stores
it in a cache on the local disk. The second and subsequent times when a user reads
the same file, the file is retrieved from the local disk cache, instead of retrieving and
reading the file from the file server.
To provide data integrity, Windows Server 2008 R2 and Windows 7 contact the
server computer and ensure that the cached copy is up-to-date. The cache is never
accessed if the server computer is unavailable. The updates to the file are written
directly to the server computer. Transparent caching is not enabled by default on
fast networks.
the cache, and save disk space on the client. You can configure the amount of disk
space the cache uses and prevent specific file types from being synchronized. This
provides branch office users with an experience that more closely resembles the
experience of being on the same LAN with servers. Improved cache efficiency can
also reduce utilization across WAN links.
in Windows 7 creates a placeholder for files and folders that are not available
offline. The placeholder appears as a faint image, and it indicates to the user that a
file or folder exists in the shared folder, but it is not currently available offline.
Question: How can you configure transparent caching and enable it even on fast
networks?
Key Points
One of the major challenges that branch offices face is improving the performance
of intranet resources that are accessed in other locations, such as head offices or
regional data centers. Typically, branch offices are connected by WANs, which
usually have slower data rates than the intranet. Reducing the network utilization on
the WAN connection provides more bandwidth for other applications and services.
The BranchCache feature in Windows Server 2008 R2 and Windows 7 reduces the
network utilization on WAN connections between branch offices and headquarters
by locally caching frequently-used files on computers in the branch office.
BranchCache improves the performance of applications that use one of the
following protocols:
• HTTP or HTTPS. The protocols used by Web browsers and other
applications.
• SMB, including signed SMB traffic. The protocol used for accessing
shared folders.
Because BranchCache is a passive cache, it will not increase the WAN utilization.
BranchCache only caches the read requests and will not interfere when a user
saves a file.
BranchCache improves the responsiveness of common network applications that
access intranet servers across slow WAN links. Because BranchCache does not
require any additional infrastructure, you can improve the performance of remote
networks by deploying Windows 7 to client computers and Windows Server 2008
R2 to server computers, and by enabling the BranchCache feature.
BranchCache works seamlessly alongside network security technologies, including
Secure Sockets Layer (SSL), SMB Signing, and end-to-end IP Security (IPSec). You
can use BranchCache to reduce the network bandwidth utilization and improve
application performance even if the content is encrypted.
Key Points
BranchCache operates in one of the two modes based on the cache location:
Hosted Cache or Distributed Cache.
• Hosted Cache. The Hosted Cache mode operates by deploying a
computer that is running Windows Server 2008 R2 as a host in the branch
office. Client computers are configured with the fully qualified domain name
(FQDN) of the host computer so that they can retrieve content from the
Hosted Cache when available. If the content is not available in the Hosted
Cache, the content is retrieved from the content server by using a WAN link
and then provided to the Hosted Cache, so that the subsequent client requests
can get it from there.
• Distributed Cache. You can configure BranchCache in the Distributed
Cache mode for small branch offices. In this mode, local Windows 7 clients
that request the same data. This eliminates the need to have a server in the
branch office. However, unlike Hosted Cache mode, this configuration works
across a single subnet only. In addition, clients that hibernate or disconnect
from the network will not be able to provide content to the other requesting
clients.
When BranchCache is enabled on both the client computer and server computer,
the client computer performs the following process to retrieve data by using the
HTTP, HTTPS, or SMB protocol:
1. The client computer running Windows 7 connects to a content server
computer running Windows Server 2008 R2 in the head office and requests
content similar to the way it would retrieve content without using
BranchCache.
2. The content server computer in the head office authenticates the user and
verifies that the user is authorized to access the data.
3. The content server computer in the head office returns identifiers or hashes of
the requested content to the client computer, instead of sending the content
itself. The content server computer sends that data over the same connection
over which the content would normally have been sent.
4. Using the retrieved identifiers, the client computer does the following:
• If configured to use Distributed Cache, the client computer multicasts on
the local network to find other client computers that have already
downloaded the content.
• If configured to use Hosted Cache, the client computer searches for
content availability on the Hosted Cache.
5. If the content is available in the branch office, either on one or more clients or
on the Hosted Cache, the client computer retrieves the data from within the
branch office and ensures that the data is updated and has not been tampered
with or corrupted.
6. If the content is not available in the branch office, the client computer retrieves
the content directly from the server computer at the data center. The client
computer then either makes it available on the local network to other
requesting client computers, or sends it to the Hosted Cache, where it is made
available to other client computers.
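The retrieval process above, modelled as an added example in Python (not Microsoft's PeerDist code): the content server hands out block hashes instead of data, the branch cache (a Hosted Cache server or Distributed Cache peers, both modelled as one hash-to-block map) is consulted, and every block the cache returns is verified against the server-supplied hash before the client uses it, which is the integrity check of step 5. The block size, the SHA-256-per-block identifier scheme, the share path and the user names are assumptions of this model.

```python
"""Simplified model of the BranchCache retrieval process (steps 1-6 above).

Added example, not Microsoft's PeerDist implementation. Assumptions: content
is split into fixed-size blocks and each identifier is the SHA-256 hash of one
block; the Hosted Cache and the Distributed Cache peers are both modelled as a
single hash -> block map; share path and user names are constructed.
"""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

BLOCK_SIZE = 16  # bytes, kept tiny for the demo (real blocks are far larger)


def block_ids(content: bytes) -> List[str]:
    """Identifiers the content server returns in step 3 instead of the data."""
    return [hashlib.sha256(content[i:i + BLOCK_SIZE]).hexdigest()
            for i in range(0, len(content), BLOCK_SIZE)]


class ContentServer:
    """Head-office server: authorizes the user (step 2), then serves either
    identifiers (step 3) or, on a cache miss, the block itself (step 6)."""

    def __init__(self, files: Dict[str, bytes], authorized: Set[str]):
        self.files = files
        self.authorized = authorized
        self.wan_bytes = 0  # bytes that crossed the WAN link, for comparison

    def request_ids(self, user: str, path: str) -> List[str]:
        if user not in self.authorized:
            raise PermissionError(f"{user} is not authorized for {path}")
        ids = block_ids(self.files[path])
        self.wan_bytes += 32 * len(ids)  # one raw SHA-256 digest per block
        return ids

    def fetch_block(self, user: str, path: str, index: int) -> bytes:
        if user not in self.authorized:
            raise PermissionError(f"{user} is not authorized for {path}")
        data = self.files[path][index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
        self.wan_bytes += len(data)
        return data


class BranchCache:
    """Branch-office cache (Hosted Cache server or Distributed Cache peers)."""

    def __init__(self) -> None:
        self.blocks: Dict[str, bytes] = {}

    def lookup(self, block_id: str) -> Optional[bytes]:
        return self.blocks.get(block_id)

    def publish(self, block_id: str, data: bytes) -> None:
        self.blocks[block_id] = data


def retrieve(user: str, server: ContentServer, cache: BranchCache,
             path: str) -> Tuple[bytes, int]:
    """One client's steps 1-6. Returns (content, blocks served from cache)."""
    ids = server.request_ids(user, path)       # steps 1-3
    out, hits = bytearray(), 0
    for index, block_id in enumerate(ids):
        data = cache.lookup(block_id)          # step 4
        # Step 5: the cache is trusted to store data, not to be correct; a
        # stale, corrupted or tampered block fails the hash check and is
        # treated as a miss rather than being handed to the application.
        if data is not None and hashlib.sha256(data).hexdigest() == block_id:
            hits += 1
        else:                                  # step 6
            data = server.fetch_block(user, path, index)
            cache.publish(block_id, data)
        out += data
    return bytes(out), hits


def run_scenario() -> dict:
    """Constructed scenario: two authorized branch users, one tampered block,
    one unauthorized user. Returns the observations the text predicts."""
    content = b"constructed sample: quarterly sales figures for the branch office"
    path = r"\\LON-DC1\Data\sales.txt"  # hypothetical share on the lab DC
    server = ContentServer({path: content}, authorized={"alice", "bob"})
    cache = BranchCache()
    ids = block_ids(content)

    first, hits1 = retrieve("alice", server, cache, path)
    wan_first = server.wan_bytes               # identifiers + every block
    second, hits2 = retrieve("bob", server, cache, path)
    wan_second = server.wan_bytes - wan_first  # identifiers only

    # A peer (or a Hosted Cache disk error) returns garbage for block 0.
    cache.blocks[ids[0]] = b"X" * BLOCK_SIZE
    third, hits3 = retrieve("alice", server, cache, path)

    try:
        retrieve("mallory", server, cache, path)
        denied = False
    except PermissionError:
        denied = True

    return {
        "blocks": len(ids), "hits": (hits1, hits2, hits3),
        "all_correct": first == second == third == content,
        "wan_first": wan_first, "wan_second": wan_second,
        "repaired": cache.blocks[ids[0]] == content[:BLOCK_SIZE],
        "denied": denied,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The second client's request moves only the identifiers across the WAN, and the tampered block is rejected, refetched from the server and republished, so the cache repairs itself without the application ever seeing bad data.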
The following table shows the major differences between the two modes of
BranchCache:
Hosted Cache                               Distributed Cache
Recommended for larger branch offices.     Recommended for branch offices without
                                           any infrastructure.
Question: Can you use BranchCache if both servers in the branch office are
running Windows Server 2008 and you have deployed Windows 7 to all the
branch office client computers?
Configuring BranchCache
BranchCache Requirements
must install the BranchCache feature on the Web server. Additional configurations
are not needed. If you want to use BranchCache to cache content from the file
server, you must install the BranchCache for Network Files role service on the file
server, configure hash publication for BranchCache, and create BranchCache-
enabled file shares.
BranchCache is supported on Full Installation of Windows Server 2008 R2 and on
Server Core.
Question: You have a mixed computer environment that includes Windows Vista
SP2 and Windows 7 client computers, Windows Server 2003 SP2, Windows Server
2008 SP2, and Windows Server 2008 R2 servers. Your computers are also located
in multiple sites. Can you use the BranchCache feature in this scenario?
You can use BranchCache to cache Web content, which is delivered by HTTP or
HTTPS and also to cache shared folder content, which is delivered by the SMB
protocol. By default, BranchCache is not installed on Windows Server 2008 R2.
The following table lists the servers that you can configure for BranchCache.
Server                 Description
File server            The BranchCache for Network Files role service of the File
                       Services server role needs to be installed before you can
                       enable BranchCache for any file shares. After you install
                       the BranchCache for Network Files role service, use Group
                       Policy to enable BranchCache on the server. You can
                       enable BranchCache for all shares on a file server or only
                       on selected shares. You also need to configure the clients
                       that will use the BranchCache feature.
Hosted Cache server    The Distributed Cache mode does not use a server in the
                       branch office. For the Hosted Cache mode, you must add
                       the BranchCache feature to the Windows Server 2008 R2
                       server that you will use as a Hosted Cache server. The
                       Hosted Cache is trusted by client computers to cache and
                       distribute data. To secure the communication, client
                       computers use Transport Layer Security (TLS) when
                       communicating with the Hosted Cache server. To support
                       authentication, the Hosted Cache server must be
                       provisioned with a certificate that is trusted by clients and
                       is suitable for server authentication. By default,
                       BranchCache allocates five percent of disk space on the
                       active partition for hosting cache data. However, you can
                       change this value by using Group Policy or the netsh
                       command.
Question: How can you enable BranchCache support on Windows Server 2008
R2 content server?
Enabling BranchCache
If you enable the Distributed Cache or the Hosted Cache mode without enabling
the overall BranchCache feature, the BranchCache feature will still be disabled on
computer without enabling the Distributed Cache mode or the hosted cache mode.
In this configuration, the client computer uses only the local cache and does not
attempt to download from other BranchCache clients on the same subnet or from a
hosted cache server. Therefore, multiple users of a single computer can benefit
from a shared local cache in this local caching mode.
In the Distributed Cache mode, BranchCache clients use the HTTP protocol for
data transfer between client computers and the WS-Discovery protocol for cached
content discovery. You should configure the client firewall to allow the following
incoming rules:
• BranchCache – Content Retrieval (Uses HTTP)
• BranchCache – Peer Discovery (Uses WSD)
transfer between client computers, but it does not use the WS-Discovery protocol.
In the hosted cache mode, you should configure the client firewall to allow the
incoming rule, BranchCache – Content Retrieval (Uses HTTP).
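The client-side configuration for both modes, as an added example that is not part of the course material: a function that enables the inbound firewall rule groups named above and sets the BranchCache service mode with netsh, so the difference between Distributed Cache mode (HTTP plus WS-Discovery) and Hosted Cache mode (HTTP only, one TLS-protected server) is visible in code. The Hosted Cache server name LON-SVR1.contoso.com is taken from the lab; the function name is an assumption.

```powershell
# Added example (not from the 10159A course): configure a Windows 7 client for
# BranchCache without Group Policy. Run from an elevated PowerShell prompt.
function Set-BranchCacheClientMode {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Distributed', 'HostedClient')]
        [string] $Mode,
        # FQDN of the Hosted Cache server; used only when $Mode is HostedClient.
        [string] $HostedCacheServer
    )

    # Content retrieval over HTTP is required in both modes.
    netsh advfirewall firewall set rule group="BranchCache - Content Retrieval (Uses HTTP)" new enable=yes

    if ($Mode -eq 'Distributed') {
        # Peers on the subnet find each other with WS-Discovery, so the WSD rule is also needed.
        netsh advfirewall firewall set rule group="BranchCache - Peer Discovery (Uses WSD)" new enable=yes
        netsh branchcache set service mode=DISTRIBUTED
    } else {
        if (-not $HostedCacheServer) { throw 'HostedClient mode needs -HostedCacheServer' }
        # Hosted Cache mode does not use WS-Discovery; the client talks to one server over TLS,
        # so only the Content Retrieval rule is opened.
        netsh branchcache set service mode=HOSTEDCLIENT location=$HostedCacheServer
    }

    # Show the resulting mode, service state and firewall status for verification.
    netsh branchcache show status ALL
}

# Distributed Cache mode, as used in the lab on LON-CL1 and LON-CL2:
Set-BranchCacheClientMode -Mode Distributed

# Hosted Cache mode against the lab's Hosted Cache server (run instead of the line above):
# Set-BranchCacheClientMode -Mode HostedClient -HostedCacheServer 'LON-SVR1.contoso.com'
```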
Question: How can you configure a Windows 7 client computer to benefit from
BranchCache?
Key Points
1. Enable the Hash Publication for BranchCache property and Allow hash
publication only for shared folders on which BranchCache is enabled property
of Lanman Server by using the Local Group Policy Editor console.
2. On LON-DC1, set the following share properties to create a BranchCache
enabled file share:
• Advanced Sharing: Caching
• Offline Settings: Enable BranchCache
3. On LON-CL1, open the command prompt and run the following code to
apply all the group policy settings, including the BranchCache settings.
gpupdate /force
Distributed Caching service mode and all the required network settings are
configured.
5. On LON-CL2, open the command prompt and run the following code to
apply all the group policy settings, including the BranchCache settings.
gpupdate /force
configured for BranchCache. Will the branch office client benefit from
BranchCache when accessing a file in the head office for the first time?
BranchCache Monitoring
• BranchCache events monitoring. You can monitor BranchCache events
in Event Viewer. BranchCache has two types of event logs—operational logs
and audit logs. The operational log appears in the Event Viewer at Applications
and Services Logs\Microsoft\Windows\PeerDist\Operational and you can
view the audit log events in the Security log.
• Work and performance monitoring. You can monitor BranchCache
work and performance by using the BranchCache performance monitor
counters. BranchCache performance monitor counters are useful debugging
tools for monitoring BranchCache effectiveness and health. You can also use
BranchCache performance monitor for determining the bandwidth savings in
Question: Which tool should you use for monitoring BranchCache performance
and bandwidth savings?
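The performance-counter monitoring described above, as an added example that is not part of the course material: a function that samples the four BranchCache counters used in this module with Get-Counter and reports what share of SMB bytes was served from the branch cache instead of over the WAN. It assumes PowerShell 2.0 on a Windows 7 or Windows Server 2008 R2 computer with BranchCache enabled; the function name is an assumption.

```powershell
# Added example (not from the 10159A course): compute BranchCache bandwidth savings
# from the BranchCache performance counters.
function Get-BranchCacheSavings {
    param([string] $ComputerName = $env:COMPUTERNAME)

    # Counter paths from the BranchCache counter set named in this lesson and in the lab.
    $paths = @(
        '\BranchCache\SMB: Bytes From Cache',
        '\BranchCache\SMB: Bytes From Server',
        '\BranchCache\Discovery: Attempted Discoveries',
        '\BranchCache\Discovery: Successful Discoveries'
    )
    # Get-Counter returns one sample per path; CookedValue is the counter's current value.
    $samples = (Get-Counter -Counter $paths -ComputerName $ComputerName).CounterSamples

    # Index the samples by counter name (PowerShell hashtable keys are case-insensitive).
    $values = @{}
    foreach ($s in $samples) {
        # Path looks like \\HOST\branchcache\<counter>; keep the part after the last backslash.
        $name = ($s.Path -split '\\')[-1]
        $values[$name] = [double] $s.CookedValue
    }

    $fromCache  = [double] $values['SMB: Bytes From Cache']
    $fromServer = [double] $values['SMB: Bytes From Server']
    $total      = $fromCache + $fromServer

    # Share of SMB bytes that came from the branch cache rather than the head office server.
    $pct = 0
    if ($total -gt 0) { $pct = [math]::Round(100 * $fromCache / $total, 1) }

    New-Object PSObject -Property @{
        Computer              = $ComputerName
        BytesFromCache        = $fromCache
        BytesFromServer       = $fromServer
        PercentServedByCache  = $pct
        AttemptedDiscoveries  = [double] $values['Discovery: Attempted Discoveries']
        SuccessfulDiscoveries = [double] $values['Discovery: Successful Discoveries']
    }
}

# Run once before and once after the second client copies the test file: BytesFromCache
# and PercentServedByCache should rise while BytesFromServer stays the same.
Get-BranchCacheSavings | Format-List
```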
Windows Server 2008 R2 provides enhanced security features for securing branch
offices. These security features, such as read-only DFS replica, Read-Only Domain
Controller (RODC), Server Core, BitLocker, and BitLocker to Go, improve the
overall security of the Active Directory environment at branch offices.
You can use read-only DFS replica and RODC features to securely deploy domain
controllers at branch offices. You can deploy Server Core at branch offices to
reduce the maintenance and management requirements. With the BitLocker and
BitLocker to Go data protection features, you can resolve issues related to data
theft, data loss, and inappropriately decommissioned computers.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the security issues in branch offices.
Key Points
Branch offices mostly have fewer users than a head office and do not have
appropriate physical security for computer infrastructure. Network administrators
are often not available at branch office locations to manage and maintain branch
server configuration. Branch offices use low bandwidth WAN connectivity, so
changes made in the head office take time to get replicated to branch offices. With
less physical security and inappropriate computer infrastructure, data at branch
offices can be compromised. If you do not configure security settings for branch
offices, unauthorized changes can be made to the data. Low bandwidth WAN
connectivity affects the performance and productivity at branch offices.
Key Points
Distributed File System (DFS) namespaces and DFS replication features of
Windows Server 2008 provide simplified, highly-available access to files, load
sharing, and effective WAN replication. The DFS replication feature is used to
publish data from a central server to many branch office servers. Windows
Server 2008 R2 provides read-only replicated folders that are similar to replicated
folders in earlier versions of the Windows Server operating system, but the read-only
replicated folders do not allow any modifications or deletions of data. Read-only
DFS replicated folders are used for replicating data that should never be
changed. Read-only DFS replicated folders can be hosted only on Windows Server
2008 R2 servers, while other members of the DFS replication group can be
Windows Server 2003 R2 or newer Windows Server operating systems.
For a read-only DFS replicated folder, the DFS replication service intercepts and
inspects each file system operation. This is done by using a low-level file-system
filter. Only modifications initiated by the DFS replication service are allowed. These
Key Points
1. On LON-SVR1, create a DFS replication group by using the Server Manager
console with the following information:
• Replication Group Type: Multipurpose replication group
• Name of replication group: Contoso Reports
• Replication Group Members: LON-DC1;LON-SVR1
• Topology Selection: Full mesh
• Replication Group Schedule and Bandwidth: Replicate continuously
using the specified bandwidth
• Primary member: LON-DC1
• Folders to Replicate: C$\Share
2. Select Make the selected replicated folder on this member read only.
3. Add a new folder, Reports, to \\Contoso.com\Namespace1 of DFS
Management and add the Share-Replica to it.
4. On LON-CL1, navigate to \\contoso.com\Namespace1\Reports and create a
new text document in the read-only DFS replica, C:\Share-Replica.
5. On LON-SVR1, change the read-only attribute of C:\Share-Replica to read-
write.
6. On LON-CL1, navigate to \\contoso.com\Namespace1\Reports and create a
new text document in the read-write DFS replica, C:\Share-Replica.
Question: When would you use read-only DFS replica instead of read-write DFS
replica?
Key Points
Windows Server 2008 R2 provides technologies such as read-only DFS replica and
BranchCache to help users in branch offices to quickly access the data that is
stored on the head office servers. These technologies produce a similar end result
and a better user experience, but have different effects on WAN link utilization
and different client requirements. You need to select the technology that meets
your requirements, based on the environment and the expected business results.
Read-only DFS
If you use read-only DFS replicas, a complete copy of the content folder at the head
office is replicated to the branch offices. The content folder contains data needed in
the branch office and data that is not used in the branch offices. Read-only DFS
the branch offices. If you implement a read-only DFS replica, branch office users can
read, but cannot change, the replicated data. You can define a replication schedule,
but even if no user in the branch office is using the content folder, replication
happens according to the schedule set by the administrator. The read-only DFS
replica folder at a branch office occupies the same amount of space as the content
folder at the head office. You can share read-only DFS replica folders through file
sharing. Read-only DFS replica uses SMB traffic to implement file sharing.
When you configure the read-only DFS replica, any client can access the content of
the DFS replica folders without additional configuration. You do not need to
configure clients to access read-only DFS replica, because read-only DFS is
configured only on servers.
BranchCache
Unlike read-only DFS, BranchCache caches only the data that has already been
accessed by clients in the branch office. So, WAN link utilization for BranchCache is
considerably lower than WAN link utilization for read-only DFS. Unlike read-only
DFS, BranchCache cannot be scheduled. When clients in a branch location request
data, BranchCache caches that data from the Web or file server. If you use
BranchCache, each client request is first directed to the server in the head office,
and then the data is cached. If another user wants to download the same data from
the head office server, the data is already available from the first client computer
or from the branch office server. Therefore, the data is accessed faster than the first
time. BranchCache supports SMB, HTTP, and HTTPS file transfer traffic.
If you have configured BranchCache in the Distributed Cache mode, data is stored
on the BranchCache clients, and a copy of the data is sent to other clients on
request. In Distributed Cache mode, you do not need a server to store the
BranchCache data.
If you have configured BranchCache in the Hosted Cache mode, you need to
configure the Hosted Cache server. Hosted cache mode provides more reliability
and high availability for BranchCache clients. You can use BranchCache only for
Windows 7 or Windows Server 2008 R2 clients. You need to configure clients to
use the BranchCache feature.
Question: Your company has a head office and several branch offices. File servers
in the head office are running Windows Server 2008 R2, and each branch office
has a Windows Server 2008 R2 server and Windows 7 clients. Branch office users
often access files from the head office. What would you implement if you want to
minimize the traffic between the head office and branch offices?
Key Points
Windows Server 2008 R2 provides a Read-Only Domain Controller (RODC) that
helps you easily deploy a domain controller in branch office environments where
physical security cannot be guaranteed. You can use an RODC to host read-only
partitions of the Active Directory Domain Services (AD DS) database and deploy a
domain controller more securely in branch offices that require fast and reliable
authentication services.
The following RODC functionalities help you to deal with lower physical security
in the branch offices:
• Read-only AD DS database. An RODC holds the same Active Directory
objects and attributes as a writable domain controller, except for account
passwords. However, changes cannot be made to the database that is stored
Server Core
Key Points
A Server Core installation provides a minimal environment for running specific
server roles; it reduces the maintenance, management, and attack surface. The
Server Core installation option installs only a subset of the executable files and
supporting dynamic link libraries, compared to a full Windows Server 2008 R2
installation. For example, the graphical user interface is not included in Server Core,
so Windows Explorer is not available as part of the Server Core installation. But the
command prompt, which is the default interface for administering a server
running Server Core, is included as part of the Server Core installation. Windows
Server 2008 R2 Server Core provides the .NET Framework, which was not available in
earlier versions of Server Core; the .NET Framework enables you to use PowerShell
or ASP.NET. It also includes a new command-line configuration utility, SConfig.exe,
to easily perform initial Server Core configuration, such as setting the IP
configuration, domain membership, or configuring remote management.
SConfig.exe cannot be used for administering Server Core roles and features.
Key Points
Note: Before starting this demo, discard the virtual machines and then start them
again.
1. On LON-CORE, configure LON-CORE to allow remote administration by
running the SConfig command.
sconfig
5. On LON-DC1, open the Server Manager console and explain that from Server
Manager, you can administer Server Core remotely.
Answer: You can administer Server Core remotely by using Server Manager or
other MMC snap-ins, Remote Desktop, PowerShell, or WinRM. However, before
administering Server Core remotely, you need to configure Windows Firewall to
allow remote connections.
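What the SConfig remote-management options do, expressed as commands, as an added example that is not part of the course material: it opens the firewall rule groups that Server Manager, MMC snap-ins and Remote Desktop need, and enables WinRM for PowerShell remoting. It assumes an elevated PowerShell prompt on a Windows Server 2008 R2 Server Core computer such as LON-CORE; the same commands work from cmd.exe if `$env:windir` is written as `%windir%`.

```powershell
# Added example (not from the 10159A course): enable remote administration of Server Core.

# Allow MMC snap-ins and Server Manager to connect (what SConfig calls "Allow MMC Remote
# Management"): the built-in Remote Administration firewall rule group.
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

# Enable WinRM with a listener and its firewall exception, which Server Manager remote
# management and PowerShell remoting (Enter-PSSession) use. -q suppresses the prompts.
winrm quickconfig -q

# Allow Remote Desktop: scregedit.wsf is the Server Core configuration script.
# /ar 0 enables Remote Desktop; Network Level Authentication stays required (the default),
# so clients must authenticate before a session is created.
cscript "$env:windir\system32\scregedit.wsf" /ar 0
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes

# Verify: list the enabled rules for these groups.
netsh advfirewall firewall show rule name=all | findstr /i "Remote"
```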
BitLocker Drive Encryption is a data protection feature that is used to deal with
data security threats in branch offices. The security threats involve lost, stolen, or
inappropriately decommissioned computers. Data on a lost or stolen computer is
vulnerable to unauthorized access either by running a software-attack tool on the
computer or by transferring the hard disk of the computer to another computer.
BitLocker helps you mitigate this unauthorized data access by enhancing file and
system protections. BitLocker also helps you protect data when BitLocker-
protected computers are decommissioned or recycled by unauthorized clients.
BitLocker provides enhanced data protection by using a Trusted Platform Module
(TPM) version 1.2. The TPM hardware component works with BitLocker to protect
user data and the computer from being tampered with when it is offline. Administrators
can configure Group Policy settings to enable backup of BitLocker or TPM
recovery information in Active Directory.
You can use BitLocker on computers without a TPM to encrypt the Windows
operating system drive. To implement BitLocker without a TPM, you need to insert
implementing BitLocker without a TPM does not provide computers with the pre-
startup system integrity verification that is offered by BitLocker with a TPM.
In addition to TPM, BitLocker offers an option to lock the normal startup process
until the user supplies a personal identification number (PIN) or inserts a
removable device, such as a USB flash drive that contains a startup key. These
additional security measures provide multifactor authentication and ensure that
the computers will not start or resume from hibernation until you enter the correct
PIN or startup key.
For servers in a shared or potentially non-secure environment, such as branch
offices, BitLocker can be used to encrypt the operating system drive and additional
data drives on the same server.
BitLocker is an optional feature and it is not installed by default on Windows
Server 2008 R2. You need to install the BitLocker feature from the Server Manager
and the server must be restarted after the installation. You can enable BitLocker
remotely by using Windows Management Instrumentation (WMI).
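The WMI interface mentioned above, used read-only, as an added example that is not part of the course material: it queries the BitLocker WMI provider on a list of branch servers and reports each volume's protection status and key protectors (TPM, TPM and PIN, startup key, recovery password), which is what you check before and after enabling BitLocker remotely. It assumes PowerShell 2.0, administrative rights, DCOM reachability and the BitLocker feature installed on the targets; the server list is constructed from the lab machine names and the function name is an assumption.

```powershell
# Added example (not from the 10159A course): report BitLocker state over WMI.
function Get-BitLockerStatus {
    param([string[]] $ComputerName = @($env:COMPUTERNAME))

    # Values returned by GetProtectionStatus() on Win32_EncryptableVolume.
    $protection = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
    # Values returned by GetKeyProtectorType() for each key protector ID.
    $protectorType = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password';
                        4 = 'TPM and PIN'; 5 = 'TPM and startup key';
                        6 = 'TPM, PIN and startup key'; 7 = 'Public key'; 8 = 'Passphrase';
                        9 = 'TPM certificate' }

    foreach ($computer in $ComputerName) {
        try {
            $volumes = Get-WmiObject -ComputerName $computer `
                -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                -Class Win32_EncryptableVolume -ErrorAction Stop
        } catch {
            # DCOM unreachable, access denied, or BitLocker not installed on the target.
            Write-Warning ('{0}: {1}' -f $computer, $_.Exception.Message)
            continue
        }
        foreach ($vol in $volumes) {
            $status = $vol.GetProtectionStatus()
            $ids    = $vol.GetKeyProtectors(0).VolumeKeyProtectorID   # 0 = every protector type
            $types  = @()
            foreach ($id in $ids) {
                # WMI returns UInt32; cast to [int] so the hashtable lookup matches the keys.
                $types += $protectorType[[int] $vol.GetKeyProtectorType($id).KeyProtectorType]
            }
            New-Object PSObject -Property @{
                Computer         = $computer
                Drive            = $vol.DriveLetter
                ProtectionStatus = $protection[[int] $status.ProtectionStatus]
                KeyProtectors    = ($types -join ', ')
            }
        }
    }
}

# Constructed list of branch servers using the lab's machine names.
$servers = @('LON-SVR1', 'LON-CORE')
Get-BitLockerStatus -ComputerName $servers | Format-Table Computer, Drive, ProtectionStatus, KeyProtectors -AutoSize
```

A volume whose only key protector is "Numerical password" has no TPM binding and therefore none of the pre-startup integrity verification described above.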
BitLocker to Go is another feature available in Windows Server 2008 R2. BitLocker
to Go extends the BitLocker data protection feature to USB storage devices. The
BitLocker to Go feature also restricts access to USB storage devices with a
passphrase.
Question: Why should you use the BitLocker feature in branch offices?
Key Points
10. On the BitLocker Drive Encryption page, under BitLocker Drive Encryption -
BitLocker To Go, click Turn On BitLocker.
11. In the BitLocker Drive Encryption message box, click Yes.
12. In the BitLocker Drive Encryption (E:) wizard, select the Use a password to
unlock this drive check box.
13. In the Type your password box, type P@$$word.
14. In the Retype your password box, type P@$$word, and then click Next.
15. On the BitLocker Drive Encryption (E:) page, click Save the recovery key to a
file.
16. In the Save BitLocker Recovery Key as dialog box, under Favorites, click Desktop.
17. In the Save BitLocker Recovery Key as dialog box, click Save.
18. On the BitLocker Drive Encryption (E:) page, click Next.
19. On the BitLocker Drive Encryption (E:) page, click Start Encrypting.
20. In the BitLocker Drive Encryption message box, click Close.
21. In the BitLocker Drive Encryption (E:) window, in the Type your password to
unlock the drive box, type P@$$word.
22. In the BitLocker Drive Encryption (E:) window, click Unlock.
23. In the AutoPlay window, under General options, click the Open folder to view
files using Windows Explorer link.
24. On the BitLocker Drive Encryption page, under BitLocker Drive Encryption -
BitLocker To Go, click Manage BitLocker.
25. In the BitLocker Drive Encryption (E:) window, under Select options to
manage, point to the options.
26. In the BitLocker Drive Encryption (E:) window, click Close.
27. On the BitLocker Drive Encryption page, under BitLocker Drive Encryption -
BitLocker To Go, click Turn Off BitLocker.
28. In the BitLocker Drive Encryption message box, click Cancel.
29. On the Start menu of LON-DC1, point to Administrative Tools, and then click
Group Policy Management.
Introduction
In this lab, you will configure Windows Server 2008 R2 features for branch offices.
To do this, you will configure BranchCache in the Distributed Cache mode and
client firewall rules for BranchCache. You will also install the BranchCache feature
and link it to the hosted server to configure BranchCache in the Hosted Cache
mode. Finally, to configure a read-only DFS replica, you will create a file share and a
DFS replication group, add the replicated folder to the DFS namespace, change the
read-only DFS replica to read-write, and test the client access.
Objective
After completing this lab, you will be able to:
• Configure BranchCache in Distributed Cache mode.
• Configure BranchCache in Hosted Cache mode.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-CL1 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-CL2 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
You are a server administrator at Contoso, Ltd. Your organization has a main office
and many regional and local branch offices. Many of the branch offices are small,
do not have local IT support, and are connected to the main office by low
bandwidth WAN connections. In addition, many users travel between offices. As
part of your job, you need to use the BranchCache feature to overcome all these
issues and to enable speedy access to data. You also need to test read-only DFS to
distribute the reports of your organization to the branch offices.
The following instructions are for configuring a test lab using the minimum number of
computers. Individual computers are needed to separate the services provided on the
network and to clearly show the desired functionality. This configuration is neither
designed to reflect best practices nor does it reflect a desired or recommended
configuration for a production network. The configuration, including IP addresses and all
other configuration parameters, is designed only to work on a separate test lab network.
Mode
The main tasks for this exercise are as follows:
1. Start the virtual servers.
2. Configure a file server to use BranchCache.
3. Simulate a slow link to the branch office.
4. Create a BranchCache enabled file share.
5. Configure clients to use BranchCache in the Distributed Cache mode.
6. Configure client firewall rules for BranchCache.
7. Apply BranchCache settings to the clients.
8. Test BranchCache in Distributed Caching mode.
gpupdate /force
performance counters:
• Discovery: Attempted discoveries
• Discovery: Successful Discoveries
• SMB: Bytes from Cache
• SMB: Bytes from server
• On LON-CL2, open the command prompt and run the following code
to apply all the Group Policy settings, including the BranchCache settings.
gpupdate /force
Results: After completing this exercise, you should have configured a file server to use
BranchCache, created a BranchCache enabled file share, configured inbound rules, and
configured clients to use BranchCache in the Distributed Cache mode.
gpupdate /force
• Run the following code to verify whether Hosted Cache client and
Hosted Cache Location are configured on LON-SVR1.contoso.com.
• On LON-CL2, open the command prompt and run the following code
to update all the Group Policy settings.
gpupdate /force
• Run the following code to verify the status of the BranchCache settings.
console.
On LON-SVR1, in the Performance Monitor console, notice that the value of the
SMB: Bytes from server counter increases while the SMB: Bytes from cache counter
remains the same.
On LON-SVR1, in the Performance Monitor console, view the SMB: Bytes from cache
counter to ensure that the file was copied from the BranchCache cache.
• On LON-SVR1, run the following code to verify that the Local Cache has an
Active Current Cache Size greater than 0.
Results: After completing this exercise, you should have configured clients to use
BranchCache in the Hosted Cache mode, installed the BranchCache feature, requested
and linked the certificate to BranchCache and started the hosted server, and
configured Performance Monitor on LON-SVR1.
Task 6: Make the read-only DFS replica read-write and test the
client access.
• On LON-SVR1, change the read-only attribute of C:\Share-Replica to
read-write.
• On LON-CL1, navigate to \\contoso.com\Namespace1\Reports and
create a new text document in the read-write DFS replica, C:\Share-Replica.
If you still get the Access Denied message, the change of settings is not effective yet.
Close the Reports window, wait for a few minutes, and then create the text document.
Results: After completing this exercise, you should have added the Distributed File
System role service, created file share on LON-SVR1, created a DFS replication group,
added the replicated folder to the DFS namespace, and created a text document in the
read-write DFS replica to test the client access.
Lab Review
Review Questions
1. Do you need to manually configure the SMB 2.0 protocol?
2. What is the benefit of receive window auto-tuning?
3. Can you create the Read-Only DFS replica on the Windows Server 2008
server?
4. Can you use BranchCache in the Distributed Mode if the branch office has
more than one subnet?
5. Can you use BranchCache to cache content from IIS on Windows Server
2008?
6. What should you do before you use BitLocker on Windows Server 2008 R2?
1. You configured BranchCache in the Hosted mode, but users still complain that
access to files in the head office is very slow. What should you do?
2. You would like to improve user experience and access speed from the branch
office to data stored in the head office. What should you do?
Tools
• DFS Management
• Netsh.exe
• Performance Monitor
• SConfig.exe
Configuring and Managing Windows Server 2008 R2 Web Services 7-1
Module 7
Configuring and Managing Windows Server
2008 R2 Web Services
Contents:
Lesson 1: Configuring and Managing IIS 7-4
Lesson 2: Configuring FTP 7-27
Lab: Configuring and Managing Windows Server 2008 R2 Web Services 7-41
Module Overview
Internet Information Services (IIS) is a secure, reliable, and scalable Web server
that provides an easy way to manage platforms for developing and hosting Web
applications and services. In Windows Server® 2008 R2, IIS provides a logical
evolution and improvements from the previous releases, but it also includes new
features such as the Configuration Editor for editing IIS configuration and generating
scripts, a Windows PowerShell provider for administering IIS from the command
prompt, improved support for FastCGI applications, ASP.NET on Server Core,
virtual host name support for FTP, and FTP over Secure Sockets Layer (SSL).
IIS is available as one of the Windows Server 2008 R2 roles, but it is also available
as a separate edition, Windows Web Server 2008 R2. This module provides an
overview on the IIS features that you are already familiar with, such as modular
architecture and request pipeline, IIS configuration files, granular feature
delegation, and detailed tracing and troubleshooting tools. In addition, the module
focuses on the new features of IIS 7.5, such as Configuration Editor and Windows
PowerShell provider.
Windows Server 2008 R2 offers an updated Web Server (IIS) role, which includes
Internet Information Services (IIS) 7.5 to deploy and manage Web applications.
Windows Server 2008 R2 also provides support for .NET Framework on Server
Core.
Design goals for IIS 7.5 included improvements that enable Web administrators to
easily deploy and manage Web applications, and thereby increase both reliability
and scalability. In addition, IIS 7.5 has streamlined management capabilities and
provides more ways to customize your Web serving environment, such as IIS
Manager, scripting interface, and AppCmd command.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Internet Information Services (IIS).
Key Points
What Is IIS?
IIS is a scalable and high performance Web server platform in Windows Server®
2008 and Windows Server 2008 R2. The Web server is built from more than 40
modules. Modules are individual features that the server uses to process Web
requests. You can customize or replace the modules according to your
requirements. For example, IIS uses authentication modules to authenticate client
credentials, but if you want to provide just public content, you can disable all
authentication mechanisms besides Anonymous. You can administer IIS by using
the IIS Manager graphical user interface (GUI) tool, the AppCmd.exe command-
line tool, or programmatically by using the Windows Management
Instrumentation (WMI) interface or managed code.
IIS uses XML configuration files for storing configuration settings. Configuration
files are hierarchical and distributed. For example, you can have separate
configuration files for the whole server, Web services, individual Web site,
subfolders, and Web applications. Settings that you define at higher levels are
inherited by lower levels, and it is easy to delegate permissions to modify a specific
feature, such as the authentication mechanism used. This allows xcopy
deployment, because you can copy Web content, together with its settings, to a new
Web server. IIS also supports shared configuration, in which several Web servers in
a Web farm share the same settings.
Request pipeline
In Windows Server 2008 R2, the monolithic request processing design was replaced
with a highly customizable request pipeline, which includes ASP.NET and many
other components for authentication, request processing, logging, or compression.
Using the pipeline, you can decide which modules to include in request
processing.
Integrated extensions
Built on the extensible and modular architecture introduced with IIS 7.0, IIS 7.5
integrates and enhances existing extensions while still providing additional
extensibility and customization.
support for shared and exclusive locks, are added to the WebDAV and
FTP functionality to enable Web authors to publish more reliable and
secure content. In addition, the new FTP and WebDAV modules provide
additional options for authentication, auditing, and logging.
• Request Filtering. The Request Filtering module, previously available as a
separate extension, is included in IIS 7.5. Request Filtering helps prevent
potentially harmful requests from reaching the server by allowing you to
restrict or block specific HTTP requests.
• Administration Pack modules. In IIS 7.5, extension modules, previously
available as part of the IIS Administration Pack, provide additional tools to
administer the IIS 7.5 Web server from IIS Manager. These modules
include the Configuration Editor and extensions that help you to manage
Request Filtering rules, FastCGI, and ASP.NET application settings.
Management enhancements
IIS 7.5 has the same distributed and delegated management architecture as IIS 7.0,
in addition to new administration tools.
• Best Practices Analyzer. Best Practices Analyzer (BPA) is a management
tool that can help you analyze and implement best practices in the IIS
configuration. You can access BPA by using Server Manager and Windows
PowerShell. BPA helps you to reduce best practice violations by scanning
an IIS 7.5 Web server and reporting potential configuration issues.
• Windows PowerShell provider and cmdlets. The IIS module for
Windows PowerShell allows you to perform IIS administrative tasks, and
manage IIS configuration and run-time data. In addition, a collection of
task-oriented cmdlets provide a simple way to manage Web sites, Web
applications, and Web servers.
• Configuration logging and tracing. Configuration logging and tracing
allows you to audit access to the IIS configuration and track successful or
failed modifications by enabling any new logs in Event Viewer.
that increased security and reliability, every IIS 7.5 application pool runs
each process as a unique, less-privileged identity.
• Managed service accounts. In IIS 7.5, managed service accounts (domain
accounts whose passwords are managed by the host computer) are supported as
service identities.
• Hostable Web core. Core IIS Web engine components can be consumed
or hosted by other applications such as Windows Communication
Foundation (WCF). This allows applications to service HTTP requests
directly, which is useful for enabling basic Web server capabilities for
custom applications or for debugging applications.
• Failed Request Tracing for FastCGI. In IIS 7.5, PHP developers who use
the FastCGI module can implement IIS trace calls within their
applications. Developers can then troubleshoot application errors by using
IIS Failed Request Tracing to debug the code during development.
Question: You would like to enable the Basic Authentication feature for your Web
site. In the IIS Manager console, when you select the Authentication option on a
Web site, the Basic Authentication feature is unavailable. What is the most
probable reason for that?
Key Points
In Windows Server 2008 R2, IIS Manager provides the following enhancements:
• Request Filtering. Request Filtering provides filtering features that were
previously available in a separate package, URLScan. By blocking specific
HTTP requests, Request Filtering prevents potentially harmful requests from
being delivered to and processed by Web applications on a Web server. The
Request Filtering user interface is part of IIS Manager and provides a GUI for
configuring the Request Filtering module.
• Configuration Editor. Configuration Editor is a new feature in IIS
Manager. You can use Configuration Editor to access and manage
configuration files by editing elements, attributes, and collections in a section.
Configuration Editor includes the following benefits:
• Schema driven: Configuration Editor is driven by the configuration
schema, which is located in the
windows\system32\inetsrv\config\schema folder. For example, you can
add sections to the configuration system and manage them in
Configuration Editor without building any additional administrative
interface.
• Additional information: Configuration Editor provides additional
information about configuration settings, such as where a section is
being used or where a particular element in a collection is inherited
from.
• Script generation: You can use Configuration Editor to generate scripts.
After you make a change to the IIS configuration, Configuration Editor
can generate the code that automates the same change, as managed code
(C#), script (JavaScript), or a command line (AppCmd).
• Searching: You can quickly perform scoped searches of the configuration
system for all configuration sections and the location of their use.
• Locking: You can perform advanced locking, such as locking specific
attributes, individual items in a collection, or an entire section in the
configuration system.
Key Points
The Windows PowerShell provider for Web Administration (IIS) is a Windows
PowerShell module that allows you to automate complex IIS 7.5 administrative
tasks, and manage IIS configuration and run-time data. In addition, a collection of
low-level and task-oriented cmdlets, such as New-Website, New-WebAppPool, and
New-WebBinding, provide a simple way to manage Web sites, Web applications,
and Web servers.
administrative burden for many low-level, day-to-day tasks. For example, you can
use these cmdlets to add and change configuration properties of Web sites, Web-
based applications, virtual directories, and application pools. Users who are more
familiar with Windows PowerShell can run advanced configuration tasks and even
integrate existing Windows PowerShell scripts with other Windows PowerShell
providers across different Windows Server 2008 R2 feature areas.
# Load the IIS provider, then work in its IIS: drive
Import-Module WebAdministration
cd IIS:\
Question: Why should you use Windows PowerShell to administer an IIS Web
server?
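As an added example (not part of the course materials), the following script uses the WebAdministration provider to create an application pool and a site and then reads both back through the IIS: drive. The site name, pool name, content folder, host name and second port are assumptions chosen for illustration.

```powershell
# Added example (not course code): a site and its own application pool created
# through the WebAdministration provider, then read back from the IIS: drive.
Import-Module WebAdministration

$siteName = 'Contoso Site'          # assumed
$poolName = 'ContosoPool'           # assumed
$root     = 'C:\inetpub\contoso'    # assumed content folder
$hostName = 'www.contoso.com'       # assumed host header

if (-not (Test-Path $root)) { New-Item -ItemType Directory -Path $root | Out-Null }

# 1. A dedicated pool, so this site does not share a worker process with others.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
# Run as the per-pool virtual account (the IIS 7.5 default, identityType 4)
# instead of Network Service, and pin the CLR version for this pool only.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value 4
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value 'v2.0'

# 2. The site, bound to port 80 with a host header.
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $root -ApplicationPool $poolName `
                -Port 80 -HostHeader $hostName | Out-Null
}
# 3. A second binding, added only if it is not there yet.
if (-not (Get-WebBinding -Name $siteName -Port 8080)) {
    New-WebBinding -Name $siteName -Protocol http -Port 8080 -HostHeader $hostName
}

# 4. Everything above is now visible as items in the IIS: drive; IIS Manager and
#    appcmd read the same applicationHost.config.
Set-Location IIS:\
Get-ChildItem IIS:\Sites | Format-Table Name, ID, State, PhysicalPath -AutoSize
Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation -AutoSize
Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel | Format-List identityType, userName
```

Each step is guarded with Test-Path or Get-WebBinding so the script can be rerun without creating duplicates, which is what makes it usable as a deployment step rather than a one-off.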
Key Points
The FastCGI extension for IIS allows you to host FastCGI applications on an
IIS Web server reliably. FastCGI provides a high-performance alternative
to the Common Gateway Interface (CGI), a standard way of interfacing external
applications with Web servers.
Improvements to FastCGI
Windows Server 2008 R2 provides the following improvements to the FastCGI
support:
• Support in IIS Manager for administering FastCGI settings. You can use
Configuration Editor in IIS Manager to administer the FastCGI settings
from a GUI.
• Monitor file changes. In IIS 7.5, you can configure FastCGI to monitor
a file for modifications, for each FastCGI process pool. If a change
to the file is detected, the FastCGI module recycles every process in
that pool.
• Real-time tuning. In previous releases, you were able to define the
maximum number of FastCGI processes that could be launched for each
application pool, which is a static value. In Windows Server 2008 R2, you
can set this value to zero and the FastCGI module will automatically
adjust the maximum number of processes every few seconds, based on the
system load and number of queued requests.
• Tracing. You can use the standard error (STDERR) data stream to send
trace messages to the FastCGI module. If the Failed Request Tracing
feature is enabled, the trace messages are logged to the Failed Request
Tracing log.
• Controlling FastCGI error behavior based on specific errors. In
previous IIS releases, the IIS Web server returned status code 500 and
sent the data received on the STDERR stream as the response body. In
Windows Server 2008 R2, you can configure how the FastCGI module
handles the text sent on the STDERR stream, based on the specific status
code of the error.
Question: How can you administer the FastCGI settings in IIS 7.5?
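The following is an added example, not course code, that applies the FastCGI settings described above through the WebAdministration module for a PHP application. The PHP paths (C:\php\php-cgi.exe, C:\php\php.ini) and the handler name are assumptions; the attribute names are those of the system.webServer/fastCgi section.

```powershell
# Added example (not course code): register a FastCGI application for PHP and set
# the IIS 7.5 FastCGI options. C:\php paths and the handler name are assumptions.
Import-Module WebAdministration

$phpCgi    = 'C:\php\php-cgi.exe'   # assumed
$phpIni    = 'C:\php\php.ini'       # assumed
$appFilter = "system.webServer/fastCgi/application[@fullPath='$phpCgi']"

# Register the FastCGI application once, at server level.
if (-not (Get-WebConfiguration -PSPath 'IIS:\' -Filter $appFilter)) {
    Add-WebConfiguration -PSPath 'IIS:\' -Filter 'system.webServer/fastCgi' -Value @{ fullPath = $phpCgi }
}

# Monitor file changes: when php.ini changes, every process in this pool is recycled.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $appFilter -Name monitorChangesTo -Value $phpIni

# Real-time tuning: 0 lets the module size the pool from load and queue length
# instead of a fixed ceiling.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $appFilter -Name maxInstances -Value 0

# STDERR handling. ReturnStdErrIn500 (the old behaviour) echoes STDERR to the
# client, which leaks paths and stack traces. ReturnGeneric500 keeps the 500 but
# sends a generic body, so trace output only reaches Failed Request Tracing.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $appFilter -Name stderrMode -Value 'ReturnGeneric500'

# Map *.php to the FastCGI module, limited to the verbs the application needs.
if (-not (Get-WebHandler -PSPath 'IIS:\' -Name 'PHP via FastCGI')) {
    New-WebHandler -PSPath 'IIS:\' -Name 'PHP via FastCGI' -Path '*.php' -Verb 'GET,HEAD,POST' `
                   -Modules FastCgiModule -ScriptProcessor $phpCgi -ResourceType File
}

# Read back the settings; these are the same values Configuration Editor exposes.
Get-WebConfiguration -PSPath 'IIS:\' -Filter $appFilter |
    Format-List fullPath, monitorChangesTo, maxInstances, stderrMode
```

The stderrMode line is the one to check on any server that already has PHP configured: the default on upgraded servers returns the raw STDERR text to the client.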
Key Points
IIS 7.5 builds on the previous release of IIS. Some of the new features are
visible in the IIS Manager administrative interface, whereas others are not.
Therefore, you must have a good understanding of how IIS works.
support for managed service accounts, hostable Web core, and Failed
Request Tracing for FastCGI, that help increase security and improve
diagnostics.
• ASP.NET support for different common language runtime (CLR)
versions. Developers can use this functionality to switch between
multiple CLR versions. This functionality is also available in Windows
Server 2008 SP2.
• Better control over application pools. You can set the CLR settings for
each application pool, and you can monitor performance with the new
application pool performance counters.
• Delegatable custom errors. IIS 7.5 allows non-administrators to change
custom errors locally or remotely.
• IPv6 support for IP address restriction list. In IIS 7.5, you can define and
manage rules to allow or deny access to content, based on IPv4 or IPv6
addresses.
• Request Filtering. The Request Filtering module, previously available as
an extension for IIS 7.0, allows you to restrict or block specific HTTP
requests to prevent potentially harmful requests from reaching the server.
Request Filtering also supports request-specific rules.
• Nego2 support. Nego2 is a new authentication negotiation
mechanism. This feature provides support for Live ID providers, FedSSP,
granular Kerberos, and NT LAN Manager (NTLM).
• Support for managed service accounts. In IIS 7.5, domain accounts that
have passwords managed by the host computer are supported as service
identities. Therefore, you no longer have to worry about expiring
application pool passwords.
• Application pool identity support. Application pool identities allow you
to run application pools under a unique account, without creating and
managing domain or local accounts. In IIS 7.5, the default application
pool identity is changed from Network Service to virtual accounts. For
example, the application pool with the name, “DefaultAppPool” will run as
the virtual account “DefaultAppPool”.
Question: Do you need to use the domain user account as an identity for
application pool?
1. Deny the jpg image files from being displayed on the Contoso Web page by
using the Request Filtering option.
The Contoso Ltd. real estate picture is still displayed on the Contoso Web page because
it is in .gif format.
2. Deny the gif image files from being displayed on the Contoso Web page by
using the Request Filtering option.
The Contoso Ltd. real estate picture is not displayed on the Contoso Web page.
3. Remove both the jpg and gif files from the Request Filtering list.
4. Open the Windows PowerShell window and run the following code to import
the Active Directory module.
Import-Module ActiveDirectory
New-ADServiceAccount ContosoIIS
6. Run the following code to install the managed service account on a local
computer.
Install-ADServiceAccount ContosoIIS
After a few seconds, a new application pool starts and the same Home page appears as
before. This time, the Web site runs in the context of the ContosoIIS service account;
therefore, there is no need to manage its password.
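The following is an added example, not part of the lab, that scripts the steps above: deny and then re-allow the .jpg and .gif extensions with Request Filtering, create and install the managed service account, and make it the identity of the site's application pool. The site name 'Contoso Ltd', the CONTOSO domain and the account name ContosoIIS are the lab's values; the function names are the example's own.

```powershell
# Added example (not lab code): Request Filtering and a managed service account
# as the application pool identity, scripted for the 'Contoso Ltd' site.
Import-Module WebAdministration
Import-Module ActiveDirectory

$sitePath = 'IIS:\Sites\Contoso Ltd'
$rfFilter = 'system.webServer/security/requestFiltering/fileExtensions'

function Block-FileExtension([string]$ext) {
    # Adds <add fileExtension=".jpg" allowed="false" /> to this site's web.config.
    # IIS answers a matching request with 404.7 before any handler runs.
    $present = Get-WebConfigurationProperty -PSPath $sitePath -Filter $rfFilter -Name Collection |
               Where-Object { $_.fileExtension -eq $ext }
    if (-not $present) {
        Add-WebConfigurationProperty -PSPath $sitePath -Filter $rfFilter -Name '.' `
            -Value @{ fileExtension = $ext; allowed = $false }
    }
}
function Unblock-FileExtension([string]$ext) {
    Remove-WebConfigurationProperty -PSPath $sitePath -Filter $rfFilter -Name '.' `
        -AtElement @{ fileExtension = $ext }
}

# Steps 1-3: deny .jpg (the .gif picture still loads), deny .gif, then remove both.
Block-FileExtension '.jpg'
Block-FileExtension '.gif'
Get-WebConfigurationProperty -PSPath $sitePath -Filter $rfFilter -Name Collection |
    Format-Table fileExtension, allowed -AutoSize
Unblock-FileExtension '.jpg'
Unblock-FileExtension '.gif'

# Steps 4-6: create the managed service account in AD DS and install it on this host.
if (-not (Get-ADServiceAccount -Filter "Name -eq 'ContosoIIS'")) {
    New-ADServiceAccount -Name ContosoIIS
}
Install-ADServiceAccount -Identity ContosoIIS

# Point the site's application pool at the MSA. The user name is DOMAIN\name$ and the
# password is empty: the computer account manages it, so nothing expires or is stored.
$pool = (Get-Item $sitePath).applicationPool
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
    identityType = 3                    # 3 = SpecificUser
    userName     = 'CONTOSO\ContosoIIS$'
    password     = ''
}
Restart-WebAppPool -Name $pool
Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel | Format-List identityType, userName
```

Install-ADServiceAccount must run on the computer that will host the pool, because that is the computer account allowed to retrieve the MSA password.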
Question: How will you diagnose which page takes a longer time to serve from the
Web page?
Key Points
In Windows Server 2008 and Windows Server 2008 R2, the Web Server (IIS) role
is available in Full Installation and Server Core.
PowerShell provider for Web administration. The only IIS feature not available on
Server Core is the IIS Manager GUI. However, you can use IIS Manager on another
computer to manage IIS on Server Core remotely after enabling and configuring
the Web Management Service on Server Core.
In Windows Server 2008 R2, .NET Framework and the ASP.NET support are not
installed by default. You must run the following commands to add the Web Server
(IIS) role and the ASP.NET support on Server Core.
Note: Deployment Image Servicing and Management (DISM) is a new command-line
tool for servicing Windows images. DISM replaces Package Manager and can be used
to enable or disable Windows operating system features. You can also enable or
disable Windows operating system features by using the Ocsetup tool.
1. On LON-CORE, run the following code to install Web Server role with support
for ASP.NET. This code will add all the necessary features on LON-CORE and
configure the server to allow remote administration.
Core-iis.bat
File Core-iis.bat is not a part of Windows Server 2008 R2 Server Core installation. It is
prepared for this course and it contains commands to install IIS role services and enable
IIS remote management on Server Core.
• Password: Pa$$w0rd
3. Move the BlogEngine folder from C:\inetpub to \\LON-
CORE.contoso.com\c$\inetpub.
4. Add a new Web site, ASP.NET, to the Sites node of LON-CORE.contoso.com
with the following information:
• Site name: ASP.NET Site
• Physical path: c:\inetpub\BlogEngine
• Host name: LON-CORE.contoso.com
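As an added example, not the course's Core-iis.bat, the following script does what that file is described as doing, written for the Windows PowerShell that ships on Windows Server 2008 R2 Server Core. The feature list is this example's assumption about a reasonable ASP.NET-capable install with remote management, not the actual content of Core-iis.bat.

```powershell
# Added example (not the course's Core-iis.bat): install IIS with ASP.NET on
# Windows Server 2008 R2 Server Core and enable remote management with IIS Manager.
# The feature list is an assumption about a reasonable install, not the lab file.
$features = @(
    'NetFx2-ServerCore', 'NetFx3-ServerCore',            # .NET on Server Core, required by ASP.NET and WMSVC
    'IIS-WebServerRole', 'IIS-WebServer',
    'IIS-CommonHttpFeatures', 'IIS-StaticContent', 'IIS-DefaultDocument', 'IIS-HttpErrors',
    'IIS-ApplicationDevelopment', 'IIS-ISAPIExtensions', 'IIS-ISAPIFilter',
    'IIS-NetFxExtensibility', 'IIS-ASPNET',
    'IIS-HealthAndDiagnostics', 'IIS-HttpLogging', 'IIS-RequestMonitor',
    'IIS-Security', 'IIS-RequestFiltering',
    'IIS-WebServerManagementTools', 'IIS-ManagementService',   # WMSVC, the remote endpoint
    'WAS-WindowsActivationService', 'WAS-ProcessModel', 'WAS-NetFxEnvironment', 'WAS-ConfigurationAPI'
)

# One DISM call with one /FeatureName per feature; a bad name fails the whole call.
$dismArgs = @('/Online', '/Enable-Feature') + ($features | ForEach-Object { "/FeatureName:$_" })
& dism.exe @dismArgs
if ($LASTEXITCODE -ne 0) {
    throw "DISM failed with exit code $LASTEXITCODE; see $env:windir\Logs\DISM\dism.log"
}

# Remote management is off until this value is 1. WMSVC then listens on 8172/TCP over
# HTTPS with a self-signed certificate; replace it and restrict the port to the
# management network before relying on it.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' `
                 -Name EnableRemoteManagement -Value 1 -Type DWord
Set-Service -Name WMSVC -StartupType Automatic
Start-Service -Name WMSVC

# Verify the pieces the lab checks from LON-DC1.
& dism.exe /Online /Get-FeatureInfo /FeatureName:IIS-ASPNET | Select-String '^State'
Get-Service -Name WMSVC | Format-Table Name, Status -AutoSize
```

Run it from an elevated prompt on LON-CORE; once WMSVC is running, IIS Manager on LON-DC1 connects to LON-CORE.contoso.com on port 8172.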
Question: How can you administer Internet Information Services on Server Core?
Key Points
The Web Server (IIS) role is not installed by default. When you add the Web
Server (IIS) role to a server, a minimal and locked-down installation is performed
by default. As IIS is built from over 40 modules, you can install just the modules
you need. By doing that, you not only reduce the number of components that must
be managed, patched, and maintained, you also increase security, performance,
scalability, and reliability of the Web Server (IIS) role.
Configuring FTP
In Windows Server 2008 R2, the FTP Server 7.5 role service has been enhanced to
incorporate many new features that allow Web content creators to publish content
more easily and securely to IIS Web servers by using modern Internet publishing
standards. FTP Server 7.5 can host multiple FTP sites on the same IP address
through virtual host name support, provides improved user isolation through
per-user virtual directories, and integrates with IIS Manager so that FTP and
Web sites are managed together.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the FTP Server 7.5 features.
• Configure FTP virtual host names.
• Configure FTP user isolation.
Manager, and adopts the configuration store that IIS uses. The metabase
from previous IIS versions has been deprecated, and the new
configuration system is based on .NET .config XML files. This format is
easier to read and configure than the metabase, and the FTP service takes
full advantage of this design. All FTP configuration is stored in the central
configuration store for IIS 7.5, the applicationHost.config file. IIS
Manager manages both Web sites and FTP sites through the same user
interface.
• Security and support for new Internet standards. The FTP service supports
new Internet standards such as IPv6 and 8-bit Unicode Transformation
Format (UTF-8), and supports FTP over SSL, which is one of the most
significant features of the new FTP service: you can run a standard FTP
service and encrypt all communication with it. FTP also supports the use
of non-Windows accounts for authentication. By default, two such
authentication methods are available: IIS Manager authentication and
.NET Membership authentication.
• Shared hosting improvements. The FTP service is fully integrated into
IIS. This allows you to host FTP and Web content from the same site by
simply adding an FTP binding to an existing Web site. The FTP service
supports virtual host names, which allows you to host multiple FTP sites
on the same IP address. In addition, FTP Server 7.5 has improved user
isolation, which allows you to isolate users through per-user virtual
directories.
• Improved logging and supportability. FTP logging has been enhanced to
include all FTP-related commands, unique tracking for FTP sessions, FTP
sub-statuses, and additional detail fields in FTP logs.
1. On LON-DC1, create two FTP sites by using the Internet Information Services
(IIS) Manager with the following information:
FTP Site1
• FTP site name: FTP Site 1
• Physical path: c:\inetpub\ftproot
• IP Address: 192.168.10.1
• Enable Virtual Host Names
• Virtual Host: ftp1.contoso.com
• No SSL
• Authentication: Basic
• Allow Access to: All users
• Permission: Read
ftp ftp1.contoso.com
ftp1.contoso.com|administrator
Pa$$w0rd
dir
mkdir FTP1
An Access Denied error message appears because you have only Read access to the
ftp1.contoso.com FTP site.
ftp ftp2.contoso.com
ftp2.contoso.com|administrator
Pa$$w0rd
dir
mkdir FTP2
The error message does not appear, because you have both Read and Write permissions
to the ftp2.contoso.com FTP site.
1. Open the Internet Information Services (IIS) Manager console and explore
FTP User Isolation.
2. Open the command prompt and run the following command to connect to the
FTP site, FTP1.
ftp ftp1.contoso.com
ftp1.contoso.com|ruser
Pa$$w0rd
4. Run the following command to list the content of the FTP1 site.
dir
5. Run the following command to close the connection with FTP1 site.
quit
ftp ftp1.contoso.com
ftp1.contoso.com|ruser
Pa$$w0rd
8. Run the following code to close the connection with FTP1 site.
quit
ftp ftp1.contoso.com
ftp1.contoso.com|ruser
Pa$$w0rd
11. Run the following command to close the connection with FTP1 site.
quit
12. Run the following command to connect to the FTP site, FTP1.
ftp ftp1.contoso.com
ftp1.contoso.com|ruser
Pa$$w0rd
14. Run the following code to close the connection with FTP1 site.
quit
4. Set the following SSL FTP settings to configure additional SSL settings to
ensure that all user credentials are encrypted.
• SSL Policy: Custom
• Control Channel: Require only for credential
• Data Channel: Allow
5. At the command prompt, run the following command to log on to the FTP site
with the user name, Administrator, and the password, Pa$$w0rd.
ftp lon-dc1.contoso.com
You will get an Access Denied message because the SSL policy requires SSL for
credentials and the FTP client from the command line does not support it.
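The following added example, not part of the course, creates the two FTP sites from this lesson with the WebAdministration provider, including the virtual host name bindings, the authorization rules, per-user isolation for the practice above, and the FTP over SSL policy used in the last step. The IP address, host names, paths, user names and permissions are the lab's values; the certificate subject match is an assumption.

```powershell
# Added example (not course code): two FTP sites with virtual host names, basic
# authentication, authorization rules, user isolation and FTP over SSL.
Import-Module WebAdministration

$ip    = '192.168.10.1'            # lab value
$root  = 'C:\inetpub\ftproot'      # lab value
$sites = @(
    @{ Name = 'FTP Site 1'; Host = 'ftp1.contoso.com'; Perms = 'Read' },
    @{ Name = 'FTP Site 2'; Host = 'ftp2.contoso.com'; Perms = 'Read,Write' }
)
$authFilter = '/system.ftpServer/security/authorization'

foreach ($s in $sites) {
    $path = "IIS:\Sites\$($s.Name)"
    if (-not (Test-Path $path)) {
        # The virtual host name is the host part of the FTP binding. FTP has no Host
        # header, so clients supply it as "host|user" at logon, as the lab does.
        New-WebFtpSite -Name $s.Name -IPAddress $ip -Port 21 -HostHeader $s.Host `
                       -PhysicalPath $root | Out-Null
    }
    # Basic authentication only; anonymous stays off.
    Set-ItemProperty $path -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true
    Set-ItemProperty $path -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
    # Authorization rule for this site: all authenticated users, Read or Read,Write.
    # Without a rule every logon is refused ("Authorization rules denied the access").
    $rule = Get-WebConfiguration -PSPath 'IIS:\' -Location $s.Name -Filter "$authFilter/add[@users='*']"
    if (-not $rule) {
        Add-WebConfiguration -PSPath 'IIS:\' -Location $s.Name -Filter $authFilter `
            -Value @{ accessType = 'Allow'; users = '*'; permissions = $s.Perms }
    }
}

# User isolation on site 1: a domain user lands in <root>\<domain>\<user> and cannot
# leave it. The folder must exist, or the logon fails.
$site1 = 'IIS:\Sites\FTP Site 1'
foreach ($u in 'administrator', 'ruser') {
    New-Item -ItemType Directory -Path "$root\contoso\$u" -Force | Out-Null
}
Set-ItemProperty $site1 -Name ftpServer.userIsolation.mode -Value 'IsolateAllDirectories'

# FTP over SSL on site 1. SslRequireCredentialsOnly protects the logon only; after
# authentication the control channel may drop back to clear text, so commands and
# file names remain visible. Use SslRequire on both channels where clients allow it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*lon-dc1.contoso.com*' } | Select-Object -First 1   # assumed certificate
if ($cert) {
    Set-ItemProperty $site1 -Name ftpServer.security.ssl.serverCertHash       -Value $cert.Thumbprint
    Set-ItemProperty $site1 -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequireCredentialsOnly'
    Set-ItemProperty $site1 -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslAllow'
}

# Show the FTP bindings. ftp.exe cannot negotiate SSL, so test site 1 with an FTPS client.
Get-ChildItem IIS:\Sites | ForEach-Object {
    $ftp = $_.Bindings.Collection | Where-Object { $_.protocol -eq 'ftp' }
    if ($ftp) { '{0}: {1}' -f $_.Name, (($ftp | ForEach-Object { $_.bindingInformation }) -join ', ') }
}
```

The binding information for each site reads 192.168.10.1:21:ftpN.contoso.com; both sites share the address and port, and the host part is what separates them.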
Key Points
The FTP service in IIS 7.5 introduces improved logging and supportability features.
FTP logging has been enhanced to log all FTP-related commands and to add
detail fields to the FTP logs. These new fields include real session stamps,
which allow you to parse the logs and track a user's activity throughout a
session. You can also log the full path of requests for files or folders. This
is useful because servers typically log only the name of the file or folder, which
makes large log files difficult to interpret.
Access Log
When you enable logging for an FTP server, an access log is created for that server.
Every time a user requests a file, an entry is registered in the access log. Therefore,
the access log has the history of every successful and unsuccessful attempt to
retrieve file from the FTP site. Each entry has its own line in the log file, and
therefore, you can easily extract entries from the access log and compile the entries
Web Services
Introduction
In this lab, you will configure and manage Windows Server 2008 R2 Web Services.
To do this, you will create and configure a new Web site to use Request Filtering
and assign the managed service account as the application pool account. You will
also install the Web Server role with ASP.NET on server core, enable remote
management, and configure the ASP.NET Web site. Finally, you will configure FTP
virtual host names and deploy the FTP site over SSL.
Objective
After completing this lab, you will be able to:
• Create and configure a Web site on Windows Server 2008 R2.
• Manage ASP.NET on server core.
• Configure FTP virtual host names and deploy FTP over SSL.
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-CORE virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
Scenario
You are a Web server administrator at Contoso, Ltd. Your organization currently
uses IIS and wants to upgrade to IIS 7.5. To do this, you need to
create and configure a Web site by using IIS Manager. Then, you need to explore
ASP.NET on Server Core and configure Server Core remotely. Because the FTP
service is a part of the Web server, you also need to create FTP sites that use
FTP over SSL.
Task 3: View and change the IIS settings through Configuration Editor.
• Change the Web site name from Contoso Ltd to Contoso Site by using
Configuration Editor, and view the script that can be used to perform this
change.
The Contoso Ltd. real estate picture is still displayed on the Contoso Web page, because
it is in .gif format.
• Deny the gif image files from being displayed on the Contoso Web page
by using the Request Filtering option.
The Contoso Ltd. real estate picture is not displayed on the Contoso Web page.
• Remove both the jpg and gif files from the Request Filtering list.
Import-Module ActiveDirectory
New-ADServiceAccount ContosoIIS
Install-ADServiceAccount ContosoIIS
Results: After completing this exercise, you should have created a new Web site for
Contoso Ltd, changed the IIS settings of the Web site through Configuration
Editor, and configured the Web site to use Request Filtering. You should also have
created the managed service account and assigned it as the application pool account.
Task 1: Install the Web Server role with ASP.NET on Server Core and
enable remote management.
• On LON-CORE, run the following script to install the Web Server role
with support for ASP.NET. This command will add all the necessary features
on LON-CORE and configure the server to allow remote administration.
C:\Core-iis.bat
• On LON-DC1, open the blog Web page and verify whether Windows
Server 2008 R2 Core can process the ASP.NET applications.
Results: After completing this exercise, you should have installed the Web Server role
with ASP.NET on Server Core, enabled remote management, and configured the
ASP.NET Web site. You should have verified the ASP.NET Web site on Server Core.
Task 3: Create two FTP sites that use virtual host names.
• On LON-DC1, create two FTP sites that use virtual host names by using
the Internet Information Services (IIS) Manager with the following
information:
FTP Site1
ftp ftp1.contoso.com
ftp1.contoso.com|administrator
Pa$$w0rd
dir
mkdir FTP1
An "Authorization rules denied the access" error message appears because you have only
Read access to the ftp1.contoso.com FTP site.
ftp ftp2.contoso.com
ftp2.contoso.com|administrator
Pa$$w0rd
dir
mkdir FTP2
The error message does not appear because you have both Read and Write permissions
to the ftp2.contoso.com FTP site.
• Permission: Read
• Set the following SSL FTP settings to configure additional SSL settings to
ensure that all user credentials are encrypted.
• SSL Policy: Custom
• Control Channel: Require only for credential
• Data Channel: Allow
• At the command prompt, run the following command to log on the FTP
site with the user name, Administrator, and the password, Pa$$w0rd.
ftp lon-dc1.contoso.com
You will get an Access Denied message because the SSL policy requires SSL for
credentials, and the FTP client from the command line does not support it.
Results: After completing this exercise, you should have added the FTP Server role
service to LON-DC1, created two DNS resource records, two FTP sites, and an
SSL-enabled FTP site. You should also have connected to the FTP sites.
2. How will you add a DNS server resource record to the Contoso.com domain?
To add a DNS server resource record to the Contoso.com domain, right-click
Contoso.com, select the New Host option, and then provide the host and IP
address.
Key Points
Review Questions
1. Which tool will you use for remote IIS administration?
2. You are not able to find an option in IIS Manager to configure an IIS setting.
How will you configure the IIS setting?
3. You need to configure Request Filtering for your Web site, but you were not
able to find that feature in IIS Manager. What is the problem?
4. How can you install ASP.NET on Windows Server 2008 R2 Server Core?
5. What must be available before you can configure FTP over SSL?
Tools
• IIS Manager
• AppCmd.exe
• FTP.exe
• DISM.exe
Module 8
Managing Windows Server 2008 R2 with
Windows PowerShell 2.0
Contents:
Lesson 1: Using Windows PowerShell 8-4
Lesson 2: Managing AD DS with Windows PowerShell 8-30
Lesson 3: Managing Server Roles with Windows PowerShell 8-46
Lab: Managing Windows Server 2008 R2 with Windows PowerShell 2.0 8-56
8-2 Managing Windows Server 2008 R2 with Windows PowerShell 2.0
Module Overview
(AD DS). In addition, you will learn how to manage server roles and features by
importing the Server Manager module.
After completing this module, you will be able to:
• Use Windows PowerShell.
• Manage AD DS with Windows PowerShell.
• Manage server roles with Windows PowerShell.
Managing servers in the data center is one of the most time-consuming tasks that
IT professionals face today. To help with such tasks, Windows Server® 2008 R2
includes Windows PowerShell 2.0, a Windows command-line shell designed
especially for system administrators.
Windows PowerShell is built around the cmdlet, a simple, single-function command-
line tool built into the shell. Windows PowerShell 2.0 also offers several
improvements for remote management scenarios.
You can use Windows PowerShell to reduce the ongoing management effort for
Windows Server 2008 R2 and the administrative effort for common day-to-day
operational tasks. You can perform administrative tasks either on the server or remotely.
Lesson Objectives
After completing this lesson, you will be able to:
Key Points
Windows PowerShell is a command-line shell and scripting language that provides
a consistent vocabulary, syntax, and set of utilities. This helps you control system
administration tasks and accelerate automation of tasks such as performing
backups or actions that typically require many clicks in the GUI; these tasks
can be performed from the command line with a single command. You can format,
compose, and pipeline cmdlets to perform complex tasks. Windows PowerShell is easy
to adopt, learn, and use because it works with the existing IT infrastructure,
scripts, and command-line tools. Windows PowerShell provides robust automation
capabilities that save time, speed up deployment, and reduce costs.
Windows PowerShell is a part of Windows Server 2008 R2, and it is installed by
default. Windows PowerShell 2.0 significantly enhances the earlier Windows
PowerShell version with the inclusion of more than 240 prebuilt cmdlets and a
new graphical user interface (GUI) that adds useful development features for
writing scripts. The new GUI includes colored syntax, multiline editing, selective
the Windows Server 2008 R2 new management interfaces, such as Active Directory
Administrative Center (ADAC), are built entirely on Windows PowerShell.
Windows PowerShell is also included in Windows® 7 and in Windows Server
2008 R2 Server Core.
Key Points
Cmdlets are Windows PowerShell commands that do not have a direct
representation in the file system. They are stored as a single script, a collection of
scripts, or a dynamic-link library (DLL) that contains cmdlets or providers. Each
cmdlet performs a specific and typically small task.
Naming cmdlets
Windows PowerShell uses a verb-noun notation for the names of cmdlets. For
example, you can run the Get-Command cmdlet to query all the cmdlets and
functions that are available in the Windows PowerShell. You can run the Get-Help
command to get help in the Windows PowerShell and also to get specific
information on each cmdlet. Windows PowerShell supports auto-completion. You
can type just the first few letters and press the TAB key to complete typing a word.
Windows PowerShell 2.0 in Windows Server 2008 R2 has more than 240 prebuilt
cmdlets. You can get additional cmdlets by loading Windows PowerShell modules:
Get-Module -ListAvailable lists the modules installed on the server, and
Import-Module loads one into the session. Windows Server 2008 R2
provides several modules for administering specific features, such as AD DS, Web
servers, or server roles.
Defining alias
You can also define aliases, which are alternative names you can assign to cmdlets,
functions, scripts, or executable files. You can define an alias for any command that
you can run from the Windows PowerShell. You can get a list of aliases by running
the Get-Alias cmdlet. You can also create an alias by running the Set-Alias cmdlet.
Declaring parameters
Cmdlets accept parameters, and the arguments of those parameters affect how the
cmdlet operates. Not all cmdlets require parameters. When you supply a parameter
by name, the name begins with a "-" symbol. You can also abbreviate a parameter
name, as long as the abbreviation is unambiguous.
Types of parameters
Parameters have types, such as integer, string, or date. All cmdlet parameters are
either named or positional: you specify them by name, by typing the parameter
name, or by position, by supplying the argument at a specific position in the
command. For example, the Get-Process cmdlet lists all running processes. You
can pass Get-Process a named parameter to list just a specific process, such as
Get-Process -Name lsass. You get the same result by abbreviating the
parameter, as in Get-Process -N lsass, or by specifying the parameter by its
position, as in Get-Process lsass.
Question: You heard from a colleague about the Windows PowerShell cmdlet in
Windows Server 2008 R2. You would like to test the cmdlet. However, when you
run the cmdlet inside the Windows PowerShell window, you get an error that it is
not a recognized cmdlet name. What is the probable reason for this error?
Key Points
Unlike the commands used in traditional shells, Windows PowerShell cmdlets do
not provide output in the text format directly. Windows PowerShell cmdlets
provide zero or more objects as an output. You can gather information from an
object or can perform actions on it. The Windows PowerShell object consists of
properties and methods. Properties are information that you can gather, and
methods are actions that you can perform on the object. Windows PowerShell
formats these objects as text, giving the impression of cmdlets that provides output
in the text format.
• Format-Custom
• Format-Table
• Format-Wide
Other Windows PowerShell cmdlets do not format their output themselves, so you
do not need to learn the formatting routines and parameters of multiple tools. You
need to learn only the format cmdlets and their parameters.
For example, when you use the Get-Service cmdlet, the default display is a three-
column table. To change the format of the output from cmdlet, you can use the
pipeline operator (|) to send the output of the command to a format cmdlet. You
can run get-service | format-list to format the service data as a list for each service.
In this format, the data appears in a list, and there is more information about each
service.
If you have the Windows PowerShell Integrated Scripting Environment (ISE)
feature installed, you can use the following Out-GridView cmdlet to display, sort,
or filter result data.
Get-Process | Out-GridView
After results are displayed in a grid, you can sort the results by clicking the column
header, select the columns that are displayed, and filter the results.
What Is a Pipeline?
Key Points
Windows PowerShell pipeline is similar to an assembly line. When an object
moves down the pipeline, it passes through various cmdlets, and each cmdlet
makes some modification to it, until the object reaches the end of the pipeline.
When the object reaches the end of the pipeline, Windows PowerShell formats the
object as text and displays the output.
Windows PowerShell uses the pipeline to connect the output from the first cmdlet
to the input of the second cmdlet. A combination of the first cmdlet, pipe symbol
“|” and the second cmdlet builds a pipeline. You do not need to create a temporary
file to store the output from the cmdlet because the Windows PowerShell manages
the flow of data through the pipeline. The information flowing from one cmdlet to
another through the pipeline is in the form of objects. For more complex
processing, you can join a series of cmdlets by using a sequence of pipes.
cmdlet sorts them by the number of handles. Then, the third cmdlet formats the
output as a table. The final output shows all processes, sorted by the number of
handles and formatted as a table.
Key Points
1. Open the Windows PowerShell window and run the following command to
view the list of available commands and functions.
Get-Command
2. Run the following command to get help for the Get-Alias command. Also, view
the information about the Get-Alias command, such as description, synopsis,
syntax, related links, and remarks.
Get-Help Get-Alias
3. Run the following command to view the list of available alias commands.
Get-Alias
4. Run the following command to view the list of all running processes on the
server.
Get-Process
Processes
6. Run the following command to define a new alias and view the list of running
processes.
7. Run the following command to verify that you have defined the new alias,
Processes.
Get-Alias
8. Run the following command to verify that the same help options as the Get-
Process command are available.
Get-Help Processes
10. Run the following command to sort the processes by their ID and to view only
the ID, Handles, and ProcessName of the running process.
11. Run the following command to view the first 10 running processes sorted by
their ID.
12. Run the following command to format the output of the first 10 running
processes sorted by their ID.
13. Run the following command to obtain all running processes, sort them by ID,
store them in a variable, and display the processes stored.
Question: How will you start Windows PowerShell on Windows Server 2008 R2?
ISE, right-click the line of code, and then click Toggle Breakpoint.
R2. However, you are unable to locate it on the Start menu. What should you do?
Key Points
Get-Process
4. Browse through
C:\Windows\System32\WindowsPowerShell\v1.0\Examples and open the
profile.ps1 to verify the syntax coloring feature.
Key Points
Windows PowerShell providers are .NET Framework–based programs that make the
data present in a specialized data store, such as the file system or the
registry, available to the Windows PowerShell runtime so that you can view and
manage it.
The data that a provider exposes appears as a drive, and you can access the data in
a path like you would on a hard-disk drive. You can use any of the built-in cmdlets
that the provider supports to manage the data in the provider drive. You can also
use custom cmdlets that are designed especially for the data. The providers can
also add dynamic parameters to the built-in cmdlets. Note that the dynamic
parameters are available only when you use the cmdlet with the provider data.
The following table displays a set of built-in providers that you can use to access
the different types of data stores.
You can create customized Windows PowerShell providers and install preexisting
providers. To view the list of providers available in your session, run the following
command:
Get-PSProvider
Get-Item Env:
dir Env:
You can view and manage the data in any drive from another drive by including
the drive name in the path. For example, to view the HKLM\Software registry key
in the HKLM: drive from another drive, run the following code.
Get-ChildItem HKLM:\Software
To open the drive, use the Set-Location cmdlet. For example, to change your
location to the root directory of the Cert: drive and view its contents, run the
following code.
Set-Location Cert:
Get-ChildItem
cd Cert:
dir
Question: How can you view Windows environment variables from Windows
PowerShell?
Key Points
Remoting is the ability to run Windows PowerShell cmdlets on remote computers.
Windows PowerShell Remoting depends on WinRM, which encrypts and secures
the data on the network. Windows PowerShell remote sessions use the HTTP or
HTTPS protocol, which can be permitted through firewalls. This enables you to
manage computers across the local network or the Internet. You can execute
cmdlets on one or more computers and in restricted or unrestricted environments.
There are two types of remoting in remote management. They are as follows:
• Fan-in remoting or many-to-one remoting
• Fan-out remoting or one-to-many remoting
Fan-in remoting
Using fan-in remoting, multiple users can make secure shell connections to a single
server. Windows PowerShell is designed to support fan-in remoting in a secure,
partitioned manner. For example, an Exchange Server hosting company can
fan-in remoting, you can get a secure, remote, interactive access to the copy of
Windows PowerShell installed on a remote server. You can share static data
between sessions and send progress information to a client.
Fan-out remoting
Using fan-out remoting, you can issue a set of commands to an entire group of
remote servers simultaneously. The commands "fan out" from your workstation to
the group of servers in parallel. The commands are executed on each server, and
the results—in the form of Windows PowerShell objects—are returned to your
workstation. You can review and work with the results. Note that cmdlets can be
run asynchronously in the background on the remote servers.
Windows PowerShell supports two core technologies for fan-out remoting. They
are as follows:
• Windows Management Instrumentation (WMI)
• Windows Remote Management (WinRM)
System requirements
To use Windows PowerShell Remoting, local and remote computers must use the
following components:
• Windows PowerShell 2.0 or later
• .NET Framework 2.0 or later
• Windows Remote Management 2.0
Windows Server 2008 R2 and Windows 7 meet all prerequisites for Windows
PowerShell Remoting.
establish remote connections and run remote commands on the local computer.
You will also be able to create a loopback connection on the local computer.
Question: How should you configure a remote computer if you want to use it as a
Windows PowerShell Remoting target?
Key Points
cd env:
md Today -Value "Wednesday"
2. Run the following command to verify that the new variable, Today, is defined
with the value, Wednesday.
dir
cd hkcu:
md Wednesday
4. Open Registry Editor and verify that the HKCU registry hive contains the
Wednesday key.
regedit
5. Use the provider for digital certificates and move to the local computer's
personal certificate store by running the following commands:
cd cert:
cd localmachine\my
6. View the list of digital certificates in the computer store by running the
following command.
dir
7. Open the Certificates snap-in and verify whether the computer certificates are
the same as those from the PowerShell interface.
• On the Start menu, click Run.
• In the Open box of the Run dialog box, type mmc, and then click OK.
• On the File menu of the Console1 - [Console Root] console, click
Add/Remove Snap-in.
• In the Available snap-ins area of the Add or Remove Snap-ins dialog box,
in the Snap-in list, click Certificates, and then click Add.
• In the Certificates snap-in dialog box, click Computer account, and then
click Next.
• In the Select Computer dialog box, click Finish.
• In the Add or Remove Snap-ins dialog box, click OK.
• In the tree pane of the Console1 - [Console Root] console, expand
Certificates (Local Computer), expand Personal, and then click
Certificates.
• In the Console1 - [Console Root] console, click the Close button.
8. On LON-DC1, open the Windows PowerShell window and run the following
command to verify that the PowerShell command cannot be executed by
default on the remote system.
Enable-PSRemoting -Force
10. On LON-DC1, run the following command again to view the list of running
processes.
11. On LON-DC1, run the following command to view the first 10 running
processes sorted by ID.
Windows PowerShell is a command-line shell and scripting language that can help
you perform system administration. Windows PowerShell includes many cmdlets
such as Get-Command and Set-Variable. You can add additional cmdlets by
importing Windows PowerShell modules. Windows Server 2008 R2 includes
several Windows PowerShell modules such as the Active Directory module, the
Server Manager module, the Web Administration module, and the Group Policy
module. You can use the Active Directory module to administer Active Directory
Domain Services (AD DS), Active Directory Lightweight Directory Services
(AD LDS) configuration sets, and Active Directory Database Mounting Tool
instances.
Lesson Objectives
After completing this lesson, you will be able to:
Key Points
The Active Directory module for Windows PowerShell is a Windows PowerShell
module that consolidates a group of Active Directory–related cmdlets such as
New-ADUser, Get-ADGroup, and Remove-ADObject. You can use these cmdlets to
manage Active Directory domains, AD LDS configuration sets, and Active Directory
Database Mounting Tool instances.
In Windows 2000 Server, Windows Server 2003, and Windows Server® 2008,
administrators can use a variety of command-line tools and Microsoft Management
Console (MMC) snap-ins to connect, administer, and monitor Active Directory
domains and AD LDS configuration sets. These tools are also available in Windows
Server 2008 R2, in addition to the Windows PowerShell Active Directory module.
The Windows PowerShell Active Directory module provides a set of cmdlets that
makes command-line navigation through the Active Directory tree similar to
navigating a file system. You can use familiar commands such as dir, cd, and
ADComputer.
Question: How can you get the Active Directory module for Windows
PowerShell?
Key Points
1. On LON-DC1, open the Windows PowerShell window and run the following
command to verify that there are no Active Directory commands.
Get-Command *-ad*
2. Import the Active Directory module and then verify whether the Active
Directory commands are added by running the following command.
Import-Module ActiveDirectory
Get-Command *-ad*
3. Run the following command to use a provider for Active Directory and to list
the information in Active Directory.
cd AD:
dir
4. Query the information on the contoso.com domain and the domain controller
that you are using in the contoso.com domain by running the following
command.
Get-ADDomain Contoso.com
Get-ADDomainController
5. Query the information in a global catalog in the forest and the domain
password policy in the contoso.com domain by running the following
command.
6. Count the number of Active Directory objects and view all the computer
objects in the domain in the form of a table by running the following
command.
cd "cn=users,dc=contoso,dc=com"
dir
Question: Why should you use the Active Directory module for Windows
PowerShell?
Key Points
Active Directory is a hierarchical store that can be administered in different ways.
You can use graphical tools such as Active Directory Users and Computers or
command-prompt tools such as dsadd, dsquery, or csvde for Active Directory
management. Developers can develop their own tools for managing Active
Directory by using Active Directory Services Interfaces (ADSI). The Active Directory
module for Windows PowerShell is another option. This option exposes the
hierarchical AD DS store as a disk drive, allowing you to use a familiar set of
commands such as dir, del, ren, or copy to manage Active Directory. In addition,
you can use the cmdlets in the Active Directory module to manage Active
Directory.
The following are some of the Active Directory management tasks:
• Account Management
Question: What are the common Active Directory management tasks in your
company?
Key Points
You can use the Active Directory module for Windows PowerShell to manage your
user accounts in AD DS. The Active Directory module provides several cmdlets
with which you can create a user account, modify user properties such as the
telephone number, add the user to a group, or move the user to a different
organizational unit. You can use user properties as search criteria and perform
the same action on multiple accounts. If a user account is no longer required,
you can delete it.
1. On LON-DC1, create a new Active Directory user, User1, and move User1 to
the Remote Access organizational unit by running the following command.
New-ADUser User1
Move-ADObject -Identity "cn=User1,cn=Users,dc=contoso,dc=com" -TargetPath "OU=Remote Access,dc=contoso,dc=com"
New-ADUser User1
• At the command prompt, type the following command, and then press
ENTER.
• At the command prompt, type the following command, and then press
ENTER.
• At the command prompt, type the following command, and then press
ENTER.
• At the command prompt, type the following command, and then press
ENTER.
4. Open the Active Directory Users and Computers console and verify that the
First and Last names have been defined for User1. Also verify that the Home
page has been defined for User2.
• On the Start menu, point to Administrative Tools, and then click Active
Directory Users and Computers.
• In the tree pane of the Active Directory Users and Computers console,
under Contoso.com, click Remote Access.
• At the command prompt, type the following command, and then press
ENTER.
6. Open the Active Directory Users and Computers console and verify that
User1, User2 and User3 have description set to Remote Access User.
• On the Start menu, point to Administrative Tools, and then click Active
Directory Users and Computers.
• In the tree pane of the Active Directory Users and Computers console,
expand Contoso.com, click Remote Access.
• In the Name list of the Remote Access result pane, right-click User1, and
then click Properties.
• In the User1 Properties dialog box, click Cancel.
• In the Name list of the Remote Access result pane, right-click User2, and
then click Properties.
• In the User2 Properties dialog box, click Cancel.
7. Add User2 to the RD Users group by executing the following command:
• At the command prompt, type the following command, and then press
ENTER.
8. In the Active Directory Users and Computers console, verify that RD Users
group (in Remote Access OU) has User2 as a member.
• In the tree pane of the Active Directory Users and Computers console,
under Contoso.com, click Remote Access.
• In the Name list of the Remote Access result pane, right-click RD Users,
and then click Properties.
• On the Members tab of the RD Users Properties dialog box, ensure that
User2 is a member, and then click Cancel.
Question: Which are the most often used commands for managing user account
objects in Active Directory?
Key Points
1. On the Start menu, in the Search programs and files box, type power, and
then click Windows PowerShell.
2. Create User3 Active Directory user by running the following command.
4. Run the following command to find the organizational units that match certain
criteria and modify their description.
The command will fail because the organizational units are protected from
accidental deletion by default.
8. In the Active Directory Users and Computers console, verify that User
Accounts OU in contoso.com domain is no longer present.
Key Points
Windows PowerShell provides powerful cmdlets, such as Get-ADObject with Filter,
for searching Active Directory. But searching Active Directory is often not the main
goal; you need to find Active Directory objects that meet certain criteria, such as
locked-out accounts or computers at one location, and then perform actions with
them, such as enabling locked-out accounts or changing the property of multiple
objects at the same time. You can use Windows PowerShell search cmdlets and
pipe them with other cmdlets to perform the following tasks:
• Counting objects in Active Directory
Question: Why would you search for Active Directory objects by using Windows
PowerShell?
Windows Server 2008 R2 has many roles and features. You can use Server
Manager to add or remove roles and features from the graphical user interface
(GUI). Windows Server 2008 R2 also provides the Windows PowerShell module
for Server Manager, with which you can list, add, and remove server roles and
features from the command line. When you import the Server Manager PowerShell
module, you get three new cmdlets: Add-WindowsFeature, Remove-WindowsFeature,
and Get-WindowsFeature.
After completing this lesson, you will be able to:
• Install the Server Manager module.
• Manage server roles by using Windows PowerShell cmdlets.
• Manage Group Policy by using Windows PowerShell cmdlets.
Key Points
Server Manager is a tool for managing server roles, role services, and features in
Windows Server 2008 R2. You can use the graphical version of Server Manager,
which runs by default when a member of the Administrators group logs on, or the
ServerManagerCmd.exe command-line tool, which is included with the operating
system. In Windows Server 2008 R2, you can also use the Server Manager module
for Windows PowerShell to list, install, or remove roles, role services, and
features.
Before you can use Server Manager cmdlets, you must first import the Server
Manager module by running the following cmdlet.
Import-Module ServerManager
Question: When you tried to run the Get-WindowsFeature cmdlet, you got an
error stating that Get-WindowsFeature is not recognized as the name of a cmdlet,
function, script file, or operable program. What is the most probable reason for
the error?
Key Points
Import-Module ServerManager
2. In the Windows PowerShell window, view the list of available roles, role
services and features by executing the following command:
Get-WindowsFeature
3. Run the following command to install the Windows Server Backup feature.
Add-WindowsFeature Backup
4. Run the following command to verify that Windows Server Backup feature is
installed.
Get-WindowsFeature Backup
5. Run the following command to remove the Windows Server Backup feature.
Remove-WindowsFeature Backup
Question: Can you use the Server Manager module to list or add server roles on
a remote Windows Server 2008 R2 server?
Cmdlets
Key Points
You can use Windows PowerShell to automate the tasks that you typically perform
in the user interface by using the Group Policy Management Console (GPMC). The
Group Policy module in Windows Server 2008 R2 provides more than 25 cmdlets
such as New-GPO and Set-GPOLink. You can use these cmdlets to perform the
following tasks for domain-based Group Policy Objects (GPOs):
• Maintaining GPOs. You can create, remove, back up, and import GPOs.
• Associating GPOs with Active Directory containers. You can create, update,
and remove Group Policy links.
• Setting inheritance flags and permissions. You can set inheritance flags and
permissions on Active Directory organizational units (OUs) and domains.
• Registry settings. You can update, retrieve, and remove registry-based policy
settings and Group Policy Preferences Registry settings.
• Creating and editing Starter GPO. You can create and edit Starter GPOs.
Before you can use Group Policy cmdlets, first import the Group Policy module by
running the following cmdlet.
Import-Module GroupPolicy
You can list the available Group Policy cmdlets by running the following cmdlet.
Get-Command *-GP*
For example, you can create a new Group Policy from a Starter GPO and link it to
an OU by running the following cmdlet.
You can back up the default Domain Policy by running the following cmdlet.
You can delete the Demo Group Policy by running the following cmdlet.
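The three operations just described (create from a Starter GPO and link, back up the Default Domain Policy, delete the demo GPO), carried through as an added example that is not the course's own listing; the Starter GPO name, the target OU, the registry key and the backup path are assumptions.

```powershell
# Added example: Group Policy module round trip. Names below are assumptions.
Import-Module GroupPolicy
$ou = 'OU=Remote Access,DC=contoso,DC=com'

# Fail early if the Starter GPO does not exist, then create a GPO from it
# and link it to the OU in one pipeline (New-GPLink binds to the GPO's Id).
Get-GPStarterGPO -Name 'Demo Starter' | Out-Null
New-GPO -Name 'Demo' -StarterGpoName 'Demo Starter' -Comment 'Created by PowerShell' |
    New-GPLink -Target $ou -LinkEnabled Yes

# A registry-based policy setting in the new GPO (assumed key and value name).
Set-GPRegistryValue -Name 'Demo' -Key 'HKLM\Software\Policies\Contoso' `
    -ValueName 'DemoSetting' -Type DWord -Value 1 | Out-Null

# Inheritance flags and the links that now apply to the OU.
Get-GPInheritance -Target $ou |
    Select-Object -Property Path, GpoInheritanceBlocked, GpoLinks

# Back up the Default Domain Policy before any further change; the backup
# folder is created if it is missing.
$backupDir = 'C:\GPOBackups'
New-Item -Path $backupDir -ItemType Directory -Force | Out-Null
Backup-GPO -Name 'Default Domain Policy' -Path $backupDir -Comment 'Pre-change backup'

# Keep an HTML report of the demo GPO for the record, then delete it.
Get-GPOReport -Name 'Demo' -ReportType Html -Path "$backupDir\Demo.html"
Remove-GPO -Name 'Demo'
```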
Question: How can you verify whether the actions or changes that you performed
by using the Group Policy Windows PowerShell module were applied in your test
domain?
PowerShell Cmdlets
Key Points
While you manage IIS, you need to set the execution policy by using the
Set-ExecutionPolicy cmdlet. This cmdlet determines which Windows PowerShell
scripts are allowed to run on your computer. Windows PowerShell has four
different execution policies:
• Restricted. No scripts can be executed. Windows PowerShell can be used only
in the interactive mode.
• AllSigned. Only scripts signed by a trusted publisher can be executed.
• RemoteSigned. Downloaded scripts must be signed by a trusted publisher
before they can be executed.
• Unrestricted. All scripts can be executed.
Get-Command *-web*
Set-ExecutionPolicy RemoteSigned
2. Run the following command to use a provider for Web Administration and to
display the information in Internet Information Services.
cd IIS:
dir
3. Run the following command to move to the Sites folder and list the sites on
LON-DC1.
cd Sites
dir
4. Open the Internet Information Services (IIS) Manager console and verify that
the same sites are available as those in the Windows PowerShell environment.
5. Run the following command to create a new Web site and to display the Web
sites on LON-DC1.
6. In the Internet Information Services (IIS) Manager console, verify that the new
Web site, Demo Site, is present.
7. Define the host name binding for the created Web site by running the
following command:
site has two bindings, one with IP Address and the other with the host name
defined.
9. Open the Internet Explorer window, connect to the new Web site,
lon-dc1.contoso.com, and then press Enter.
10. Add a virtual directory to the existing Web site by running the following
command.
New-WebAppPool DemoAppPool
Set-ItemProperty "IIS:\Sites\Demo Site" -Name applicationPool -Value DemoAppPool
13. In the Internet Information Services (IIS) Manager console, verify that the
Demo site runs in the DemoAppPool application pool.
14. Delete the Demo Web site by running the following command:
15. In the Internet Information Services (IIS) Manager console, verify that Demo
Site is no longer present.
Introduction
In this lab, you will manage Windows Server 2008 R2 with Windows PowerShell
2.0. You will work with Active Directory by using the Active Directory
PowerShell module, manage IIS by using Windows PowerShell, and configure
Server Manager server roles and features by using Windows PowerShell.
Objectives
After completing this lab, you will be able to:
• Use Windows PowerShell.
• Work with Active Directory by using the Active Directory PowerShell
module.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must:
• Start the LON-DC1 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
• Start the LON-SVR1 virtual machine, and then log on by using the
following credentials:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
Lab Scenario
You are a Web server administrator at Contoso, Ltd. Your organization is currently
using graphical tools to perform all administration tasks. Your organization wants
to simplify administration and automate repetitive administrative tasks. They have
decided to use Windows PowerShell for automation. To accomplish this task, you
are asked to explore PowerShell fundamentals, existing PowerShell commands,
and learn how to use pipeline and output formatting. Because Windows
PowerShell will be used also for Active Directory administration and server role
management, you need to use appropriate Windows PowerShell modules in
Windows Server 2008 R2.
Get-Command
• Run the following command to get help for the Get-Alias command. Also view
the information about the Get-Alias command, such as description, synopsis,
syntax, related links, and remarks.
Get-Help Get-Alias
• Run the following command to view the list of available alias commands.
Get-Alias
• Run the following command to view the list of all running processes on the
server.
Get-Process
available.
Processes
• Run the following command to define a new alias and view the list of running
processes.
• Run the following command to verify that you have defined the new alias,
Processes.
Get-Alias
• Run the following command to verify that the same alias help options as the
Get-Process command are available.
Get-Help Processes
• Run the following command to sort the processes by their ID and to view only
the ID, Handles, and ProcessName of the running process.
• Run the following command to view the first 10 running processes sorted by
their ID.
• Run the following command to format the output of the first 10 running
processes sorted by their ID.
• Run the following command to obtain all running processes, sort them by ID,
store them in a variable, and display the processes stored.
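The pipeline explained in this module and the alias, sort, select, format and variable steps above, carried through as an added example that is not part of the course's own command listing; the alias name Processes follows the exercise, and the closing filter on the image path is an illustrative addition.

```powershell
# Added example: the process pipeline, stage by stage. Every stage receives
# objects (not text) from the stage to its left.

# Define the alias used in the exercise. Set-Alias is idempotent, whereas
# New-Alias errors if the name already exists.
Set-Alias -Name Processes -Value Get-Process

# All processes sorted by handle count, rendered as a table. Format-* cmdlets
# belong at the END of a pipeline: they emit formatting objects, not
# process objects, so nothing useful can be sorted or filtered after them.
Get-Process | Sort-Object -Property Handles | Format-Table -AutoSize

# Only the ID, Handles and ProcessName properties, sorted by ID.
Processes | Sort-Object -Property Id | Select-Object -Property Id, Handles, ProcessName

# The first 10 processes by ID, then the same ten formatted explicitly.
Processes | Sort-Object -Property Id | Select-Object -First 10
Processes | Sort-Object -Property Id | Select-Object -First 10 |
    Format-Table -Property Id, Handles, ProcessName -AutoSize

# Capture the sorted objects in a variable and display them later. The
# variable holds live process objects, so their properties can still be
# inspected without running Get-Process again.
$sorted = Get-Process | Sort-Object -Property Id
$sorted
$sorted.Count

# Illustrative use of the same objects: processes whose image is not under
# the Windows directory (Path is empty for processes we cannot inspect).
$sorted | Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\*" } |
    Select-Object -Property Id, ProcessName, Path

# The alias and its help resolve to the underlying cmdlet.
Get-Alias -Name Processes
Get-Help Processes
```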
cd env:
md Today -Value "enter today's day"
• Run the following command to verify that the new variable, Today, is defined
with the value, Wednesday.
dir
• Run the following command to use a provider for Windows registry and to
add a new Windows registry key.
cd hkcu:
md Wednesday
• Open Registry Editor and verify that the HKCU registry hive contains the
Wednesday key.
regedit
• Use the provider for digital certificates and move to the local computer's
personal certificate store by running the following command.
cd cert:
cd localmachine\my
• View the list of digital certificates in the computer store by running the
following command.
dir
• Open the Certificates snap-in and verify whether the computer certificates are
the same as those from the PowerShell interface.
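The Env:, HKCU:/HKLM: and Cert: drives from the providers lesson and from the steps above, worked through as an added example that is not the course's own listing; the variable Today and the key Wednesday follow the exercise, while the value name Demo and the 30-day expiry window are assumptions.

```powershell
# Added example: the same data stores, each exposed as a drive and handled
# with file-system verbs. Demo names are assumptions, not from the course.

# Which providers and drives does this session offer?
Get-PSProvider | Select-Object -Property Name, Drives
Get-PSDrive | Select-Object -Property Name, Provider, Root

# Environment provider: variables are items in the Env: drive.
Get-ChildItem Env: | Sort-Object -Property Name | Select-Object -First 5
New-Item -Path Env:\Today -Value 'Wednesday' -Force | Out-Null   # same as: cd env:; md Today -Value "Wednesday"
Get-Item Env:\Today

# Registry provider: keys are containers, values are item properties.
# -ErrorAction SilentlyContinue keeps going if a subkey cannot be read.
Get-ChildItem -Path HKLM:\Software -ErrorAction SilentlyContinue |
    Select-Object -Property PSChildName -First 5
New-Item -Path HKCU:\Wednesday -Force | Out-Null                  # same as: cd hkcu:; md Wednesday
Get-Item -Path HKCU:\Wednesday

# Dynamic parameter: the registry provider adds -Type to Set-ItemProperty,
# which the file-system provider does not offer.
Set-ItemProperty -Path HKCU:\Wednesday -Name Demo -Value 1 -Type DWord
Get-ItemProperty -Path HKCU:\Wednesday

# Certificate provider: the computer's personal store with expiry dates.
Set-Location Cert:\LocalMachine\My
Get-ChildItem | Select-Object -Property Subject, Thumbprint, NotAfter

# Certificates expiring within 30 days, a check worth running on a schedule.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
    Select-Object -Property Subject, NotAfter

# Remove the demo items again.
Set-Location C:\
Remove-Item -Path HKCU:\Wednesday -Recurse -Force
Remove-Item -Path Env:\Today
```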
An error message appears stating that WinRM is not enabled by default on a remote
Windows Server 2008 R2 computer.
Enable-PSRemoting -Force
• On LON-DC1, run the following command again to view the list of running
processes.
Results: After completing this exercise, you should have used the available commands
and aliases, pipeline and output formatting, Windows PowerShell providers, and
Windows PowerShell remoting.
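Enabling and using Windows PowerShell Remoting, covering the fan-in, fan-out and background execution described in the remoting lesson and the remoting steps above; this is an added example, not the course's own listing. Computer names follow the lab; everything else is illustrative.

```powershell
# Added example: Windows PowerShell Remoting end to end.

# --- On each target server (for example LON-SVR1) ---
# Enable-PSRemoting starts WinRM, registers the PowerShell session
# configuration, creates the HTTP listener and adds the firewall exception.
Enable-PSRemoting -Force

# Review what was configured rather than assuming it.
Get-Service -Name WinRM | Select-Object -Property Name, Status
Get-ChildItem -Path WSMan:\localhost\Listener
Get-PSSessionConfiguration | Select-Object -Property Name, Permission

# --- On the administrator's computer (LON-DC1 in the lab) ---
# Confirm the target answers WS-Management before opening a session.
Test-WSMan -ComputerName LON-SVR1

# Fan-out (one-to-many): one script block runs on every server in parallel.
# Results come back as deserialized copies of the remote objects, each
# tagged with PSComputerName so output from several servers stays attributable.
$servers = 'LON-DC1', 'LON-SVR1'
$top = Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-Process | Sort-Object -Property Id | Select-Object -First 10
}
$top | Format-Table -Property PSComputerName, Id, ProcessName -AutoSize

# A persistent session authenticates once and keeps state between calls.
$sessions = New-PSSession -ComputerName $servers
Invoke-Command -Session $sessions -ScriptBlock { $env:COMPUTERNAME; $PSVersionTable.PSVersion }
Remove-PSSession -Session $sessions

# Background (asynchronous) execution: submit, do other work, collect later.
$job = Invoke-Command -ComputerName $servers -AsJob -ScriptBlock {
    (Get-Process | Measure-Object).Count
}
Wait-Job -Job $job | Out-Null
Receive-Job -Job $job

# Fan-in (many-to-one) interactive use is typed at the console, not run from
# a script: the prompt changes to [LON-DC1] until Exit-PSSession.
#   Enter-PSSession -ComputerName LON-DC1
#   Get-Process | Select-Object -First 3
#   Exit-PSSession
```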
Task 1: Add Windows PowerShell ISE and import the Active Directory
module.
• On LON-DC1, install the Windows PowerShell Integrated Scripting
Environment (ISE) feature by using the Server Manager console.
• Open the Windows PowerShell ISE window and run the following command
to verify that there are no Active Directory commands.
Get-Command *-ad*
• Import the Active Directory module and then verify whether the Active
Directory commands are added by running the following command.
Import-Module ActiveDirectory
Get-Command *-ad*
cd AD:
dir
that you are using in the contoso.com domain by running the following
command.
Get-ADDomain Contoso.com
Get-ADDomainController
• Query the information in a global catalog in the forest and the domain
password policy in the contoso.com domain by running the following
command.
• Count the number of Active Directory objects and view all the computer
objects in the domain in the form of a table by running the following
command.
• Run the following command to export all objects from the Users container to a
CSV file.
• Verify that the c:\export.csv file contains information about objects in the
Users container.
cd "cn=users,dc=contoso,dc=com"
dir
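The domain, domain controller, global catalog, password policy, object count, computer table and CSV export steps above (and the same steps in the earlier demonstration), carried through as an added example that is not the course's own listing; contoso.com and c:\export.csv come from the lab, the selected properties are assumptions.

```powershell
# Added example: read-only queries with the Active Directory module and the
# AD: provider drive.
Import-Module ActiveDirectory

# The domain and the domain controller this session is bound to.
Get-ADDomain -Identity contoso.com | Select-Object -Property DNSRoot, DomainMode, PDCEmulator
Get-ADDomainController | Select-Object -Property HostName, Site, IsGlobalCatalog

# Global catalogs in the forest, and the domain's default password policy.
(Get-ADForest).GlobalCatalogs
Get-ADDefaultDomainPasswordPolicy -Identity contoso.com |
    Select-Object -Property MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge

# Count every object in the domain; Measure-Object counts the stream
# without building an array first. Then list computers as a table.
(Get-ADObject -Filter * | Measure-Object).Count
Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate |
    Format-Table -Property Name, OperatingSystem, LastLogonDate -AutoSize

# The AD: drive: navigate the directory like a file system.
Set-Location AD:
Get-ChildItem
Set-Location "cn=users,dc=contoso,dc=com"
Get-ChildItem | Select-Object -Property Name, ObjectClass

# Export the Users container to CSV and read it back to verify.
Get-ADObject -SearchBase 'cn=users,dc=contoso,dc=com' -Filter * -Properties whenCreated |
    Select-Object -Property Name, ObjectClass, DistinguishedName, whenCreated |
    Export-Csv -Path C:\export.csv -NoTypeInformation
Import-Csv -Path C:\export.csv | Select-Object -First 3
Set-Location C:\
```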
New-ADUser User1
Move-ADObject -Identity "cn=User1,cn=Users,dc=contoso,dc=com" -TargetPath "OU=Remote Access,dc=contoso,dc=com"
• Create a User3 Active Directory user with additional attributes by running the
following command.
• Open the Active Directory Users and Computers console and verify that the
First and Last names have been defined for User1. Also verify that the Home
page has been defined for User2.
• Run the following command to modify the properties of multiple users.
• Open the Active Directory Users and Computers console and verify that
User1, User2, and User3 have the description set to Remote Access User.
• Run the following command to view the list of disabled accounts.
• Delete the User1 account from Active Directory by running the following
command.
Remove-ADUser User1
longer present.
• Add User2 to the RD Users group by running the following command.
• In the Active Directory Users and Computers console, verify that RD Users
group (in Remote Access OU) has User2 as a member.
• Run the following command to find the organizational units that match certain
criteria and modify their description.
The command will fail because the organizational units are protected from accidental
deletion by default.
• In the Active Directory Users and Computers console, verify that User
Accounts OU in contoso.com domain is no longer present.
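The user, group and OU steps above, together with the search-then-act pattern from the "Searching Active Directory" topic and the earlier user-management demonstration, carried through as an added example that is not the course's own listing; User1..User3, the Remote Access OU, the RD Users group and the User Accounts OU follow the lab, the attribute values and the OU description are assumptions.

```powershell
# Added example: account lifecycle, bulk changes and protected OUs.
Import-Module ActiveDirectory
$domain = 'dc=contoso,dc=com'

# Create a user with attributes set at creation time, directly in the OU.
New-ADUser -Name User3 -GivenName Three -Surname User -SamAccountName User3 `
    -Path "OU=Remote Access,$domain" -HomePage 'http://intranet.contoso.com' `
    -Description 'Remote Access User'

# The lab's two-step form: create with defaults, then move.
New-ADUser -Name User1
Move-ADObject -Identity "cn=User1,cn=Users,$domain" -TargetPath "OU=Remote Access,$domain"

# Modify several users at once: search, then pipe the results to Set-ADUser.
Get-ADUser -Filter 'Name -like "User*"' -SearchBase "OU=Remote Access,$domain" |
    Set-ADUser -Description 'Remote Access User'

# Group membership.
Add-ADGroupMember -Identity 'RD Users' -Members User2
Get-ADGroupMember -Identity 'RD Users' | Select-Object -Property Name, SamAccountName

# Search-then-act: disabled accounts, locked-out accounts (previewed with
# -WhatIf), and a count of objects matching a filter.
Search-ADAccount -AccountDisabled | Select-Object -Property Name, DistinguishedName
Search-ADAccount -LockedOut | Unlock-ADAccount -WhatIf
(Get-ADObject -Filter 'ObjectClass -eq "computer"' | Measure-Object).Count

# OUs: find by name pattern and update the description of each match.
Get-ADOrganizationalUnit -Filter 'Name -like "User*"' |
    Set-ADOrganizationalUnit -Description 'Managed by PowerShell'

# New OUs carry ProtectedFromAccidentalDeletion = True, so a plain
# Remove-ADOrganizationalUnit fails. Read the flag (not in the default
# property set), clear it deliberately, then remove.
$ou = Get-ADOrganizationalUnit -Identity "OU=User Accounts,$domain" `
    -Properties ProtectedFromAccidentalDeletion
$ou.ProtectedFromAccidentalDeletion
$ou | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false
$ou | Remove-ADOrganizationalUnit -Recursive -Confirm:$false

# Delete a user without the interactive prompt.
Remove-ADUser -Identity User1 -Confirm:$false
```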
Results: After completing this exercise, you should have added Windows PowerShell
ISE and imported the Active Directory module, used the Active Directory provider to
view the objects' metadata, and used Windows PowerShell to work with user and group
accounts and organizational units.
Task 1: Set the Execution Policy and load the Web Administration
module.
• On LON-DC1, in the Windows PowerShell ISE window, run the following
command to verify that there are no Web Administration–related commands
and to set the execution policy.
Get-Command *-web*
Set-ExecutionPolicy RemoteSigned
• Add the Web Administration module and then view the Web Administration–
related commands by running the following command.
Import-Module WebAdministration
Get-Command *-web*
Task 2: Explore Web Administration, create a Web site, and define its
binding.
• Run the following command to use a provider for Web Administration and to
display the information in Internet Information Services.
cd IIS:
dir
• Run the following command to move to the Sites folder and list the sites on
LON-DC1.
cd Sites
dir
• Open the Internet Information Services (IIS) Manager console and verify that
the same sites are available as those in the Windows PowerShell environment.
• Run the following command to create a new Web site and to display the Web
sites on LON-DC1.
• In the Internet Information Services (IIS) Manager console, verify that the new
Web site, Demo Site, is present.
• Define the host name binding for the created Web site by running the
following command.
• In the Internet Information Services (IIS) Manager console, verify that the Web
site has two bindings, one with IP Address and the other with the host name
defined.
• Open the Internet Explorer window, connect to the new Web site,
lon-dc1.contoso.com, and then press Enter.
• Add a virtual directory to the existing Web site by running the following
command.
Task 3: Create an application pool and set the Web site to run in the
created application pool.
• In the Windows PowerShell ISE window, run the following command to create
a new application pool, DemoAppPool, and set the Demo Web site to run in
DemoAppPool.
New-WebAppPool DemoAppPool
• In the Internet Information Services (IIS) Manager console, verify that the
Demo site runs in the DemoAppPool application pool.
• Delete the Demo Web site by running the following command.
• In the Internet Information Services (IIS) Manager console, verify that Demo
Site is no longer present.
Results: After completing this exercise, you should have set the execution policy and
loaded the Web Administration module, created a Web site, defined its binding,
created an application pool, and set the Web site to run in the created application
pool.
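The whole exercise as one script, followed by the checks the lab has you make in IIS Manager. This is an added example, not code from the 10159A handbook; the site root (C:\inetpub\DemoSite), the virtual directory name (Images) and the port of the IP-based binding (8080, so it does not collide with Default Web Site on *:80) are assumptions, while the site, pool and host names come from the lab.

```powershell
# Added example (not from the handbook). Site root, virtual directory name and
# the 8080 port are assumptions; 'Demo Site', 'DemoAppPool' and the host name
# are the lab's own values.
Import-Module WebAdministration

$siteName = 'Demo Site'
$poolName = 'DemoAppPool'
$hostName = 'lon-dc1.contoso.com'
$sitePath = 'C:\inetpub\DemoSite'   # assumption
$vdirName = 'Images'                # assumption

# Task 2: create the site with an IP-based binding, then add the host-name
# binding so the site answers for lon-dc1.contoso.com on port 80.
New-Item -Path $sitePath -ItemType Directory -Force | Out-Null
New-Website -Name $siteName -PhysicalPath $sitePath -IPAddress '*' -Port 8080 | Out-Null
New-WebBinding -Name $siteName -Protocol http -IPAddress '*' -Port 80 -HostHeader $hostName

# Virtual directory beneath the site, backed by its own folder.
New-Item -Path "$sitePath\$vdirName" -ItemType Directory -Force | Out-Null
New-WebVirtualDirectory -Site $siteName -Name $vdirName -PhysicalPath "$sitePath\$vdirName" | Out-Null

# Task 3: a dedicated application pool. A site in its own pool gets its own
# worker process and identity, so it is isolated from every other site on the box.
New-WebAppPool -Name $poolName | Out-Null
Set-ItemProperty -Path "IIS:\Sites\$siteName" -Name applicationPool -Value $poolName

# Verification, equivalent to the IIS Manager checks in the lab: site state and
# pool, both bindings, and the identity the pool's worker process runs as.
Get-Website -Name $siteName | Select-Object Name, State, ApplicationPool
Get-WebBinding -Name $siteName | Select-Object Protocol, BindingInformation
Get-Item -Path "IIS:\AppPools\$poolName" |
    Select-Object Name, State, @{ n = 'Identity'; e = { $_.processModel.identityType } }

# Clean-up, as at the end of Task 3 (uncomment to run):
# Remove-Website -Name $siteName; Remove-WebAppPool -Name $poolName
```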
Task 1: Import the Server Manager module, view server roles, and add a feature.
• In the Windows PowerShell ISE window, run the following command to
import the ServerManager PowerShell module and to view the Server
Manager–related commands.
Import-Module ServerManager
Get-Module ServerManager
• Run the following command to view the available Server Manager commands
and to view the list of server roles and features.
Get-Command *feature*
Get-WindowsFeature
• In the Server Manager console, verify that the Network Load Balancing feature
is not installed.
• Verify that the Network Load Balancing feature's name is NLB, and then add
the feature by running the following command.
Add-WindowsFeature NLB
• In the Server Manager console, verify that the Network Load Balancing feature
is now installed.
• Run the following command to verify that the Network Load Balancing feature
is not installed on LON-SVR1, and then install it on the remote server.
• On LON-SVR1, verify that the Network Load Balancing feature is now installed
by using the Server Manager console.
Results: After completing this exercise, you should have imported the Server Manager
module, viewed the server roles, added a feature, and added the server feature to the
remote server.
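The remote half of this exercise done with Windows PowerShell remoting, as an added example that is not the handbook's own code. The ServerManager cmdlets in Windows Server 2008 R2 act only on the local computer, so the work is sent to LON-SVR1 with Invoke-Command; it assumes PowerShell remoting (WinRM) is enabled on LON-SVR1 and that the caller is a local administrator there.

```powershell
# Added example (not from the handbook). Assumes WinRM/PowerShell remoting is
# enabled on LON-SVR1 and the caller is in its local Administrators group.
$servers = @('LON-SVR1')

$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    Import-Module ServerManager
    $before  = Get-WindowsFeature -Name NLB
    $restart = 'No'
    if (-not $before.Installed) {
        # Add-WindowsFeature reports whether a restart is needed; capture that
        # instead of reading it off the console.
        $install = Add-WindowsFeature -Name NLB
        $restart = $install.RestartNeeded
    }
    $after = Get-WindowsFeature -Name NLB
    # A plain object serializes cleanly back to the calling session.
    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        Feature       = $after.Name
        WasInstalled  = $before.Installed
        Installed     = $after.Installed
        RestartNeeded = $restart
    }
}

$results | Format-Table Computer, Feature, WasInstalled, Installed, RestartNeeded -AutoSize
```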
1. Which command should you use to load the Web Administration module?
You should use the Import-Module WebAdministration command to load the
Web Administration module.
2. Which command should you use to view the list of server roles and features?
You should use the Get-WindowsFeature command to view the list of server
roles and features.
Review Questions
1. What must you install in Windows Server 2008 R2 to be able to use Windows
PowerShell?
2. How can you find which cmdlets are available in your Windows PowerShell
environment?
3. How can you extend Windows PowerShell with additional cmdlets?
4. What is the difference between fan-in and fan-out remoting?
5. You imported the Windows PowerShell Active Directory module, but you are
still not able to manage Group Policy from Windows PowerShell. What might
be the reason for that?
1. You would like to use Windows PowerShell, but you do not know how to
start. What should you be aware of?
2. You would like to administer a remote server by using Windows PowerShell
Remoting. What should you consider before you can administer the remote
server?
Tools
• powershell.exe
• powershell_ise.exe
• WinRM
Lab 1A: Deploying Windows Server 2008 R2
Exercise 1: Configuring and Testing Virtual Hard Disk with Native Boot
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
Task 2: Attach the virtual hard disk and copy the boot configuration data.
1. On LON-SVR1, run the following code to select and attach the virtual hard
disk, d:\win7.vhd, to DiskPart, and assign the letter, V, to it.
L1A-2 Deploying Windows Server 2008 R2
diskpart
select vdisk file=d:\win7.vhd
attach vdisk
select volume 4
assign letter V
exit
• At the command prompt, type the following code, and then press ENTER.
diskpart
• At the command prompt, type the following code, and then press ENTER.
select vdisk file=d:\win7.vhd
• At the command prompt, type the following code, and then press ENTER.
attach vdisk
• At the command prompt, type the following code, and then press ENTER.
select volume 4
• At the command prompt, type the following code, and then press ENTER.
assign letter V
• At the command prompt, type the following code, and then press ENTER.
exit
2. Open Windows Explorer and verify that the new drive, VHD (F:), contains the
same folder structure as a Windows installation.
• On the Start menu, click Computer.
• In the Computer window, double-click Local Disk (F:).
bcdboot F:\windows
2. Run the following code to modify the Windows Server 2008 R2 boot entry to
point to the native boot VHD file.
Replace {guid} with the copied GUID value. Copy the GUID from the output, including
the braces.
• At the command prompt, type the following code, and then press ENTER.
Task 4: Reboot LON-SVR1 and boot from the virtual hard drive.
1. Reboot LON-SVR1 and start it from the native boot virtual hard disk.
The system will start into Windows 7 Enterprise Edition, although Windows Server 2008
R2 Enterprise is installed on the computer.
• On the Start menu of LON-SVR1, click the Forward arrow near Log off,
and then click Restart.
• In the Option box of the Shut Down Windows dialog box, click
Operating System: Reconfiguration (Planned), and then click OK.
• Restart LON-SVR1.
• When the computer reboots, select the Windows 7 boot option, and then
press Enter.
Before proceeding to the next exercise, restart LON-SVR1 and boot into the Windows
Server 2008 R2 Enterprise Edition operating system.
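The DiskPart, BCDBoot and BCDEdit steps of Tasks 2 and 3 as one script, added here as an example and not taken from the handbook. It assumes the VHD is D:\win7.vhd, that its Windows volume is DiskPart volume 4 and receives the letter V (as in the Task 2 summary), and that the boot entry for the VHD is made by copying the current entry; it is run from an elevated prompt on LON-SVR1.

```powershell
# Added example (not from the handbook). Assumptions: VHD at D:\win7.vhd,
# Windows volume = DiskPart volume 4 assigned the letter V, new boot entry made
# by copying the current one. Run elevated on LON-SVR1.
$vhdFile = 'D:\win7.vhd'
$letter  = 'V'

# Task 2: DiskPart reads its commands from a script file when started with /s.
$dpScript = Join-Path $env:TEMP 'attach-vhd.txt'
@"
select vdisk file=$vhdFile
attach vdisk
select volume 4
assign letter=$letter
exit
"@ | Set-Content -Path $dpScript -Encoding ASCII
diskpart /s $dpScript | Out-Null
if (-not (Test-Path "${letter}:\Windows")) {
    throw "VHD is not attached as ${letter}: or it contains no \Windows folder"
}

# Task 3: copy the boot files of the Windows inside the VHD to the system partition.
bcdboot "${letter}:\Windows"

# Create a boot entry by copying the current one. bcdedit answers
# "The entry was successfully copied to {GUID}."; the GUID is parsed out of that
# line, which is the step the lab does by hand ("Replace {guid} ...").
$copyOutput = (bcdedit /copy '{current}' /d 'Windows 7 (VHD)') -join ' '
if ($copyOutput -match '\{[0-9a-fA-F-]{36}\}') {
    $guid = $Matches[0]
} else {
    throw "bcdedit /copy failed: $copyOutput"
}

# Point the new entry at the VHD. The [D:] prefix is the volume that holds the
# file as the boot manager sees it, not the letter assigned to the VHD's contents.
$vhdBoot = 'vhd=[{0}]{1}' -f (Split-Path $vhdFile -Qualifier), (Split-Path $vhdFile -NoQualifier)
bcdedit /set $guid device   $vhdBoot
bcdedit /set $guid osdevice $vhdBoot
bcdedit /set $guid detecthal on

# Show the new entry so it can be checked before the restart in Task 4.
bcdedit /enum $guid
```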
• On the Start menu, point to All Programs, click Accessories, and then
click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.
Verify that the Enterprise image has been added to Windows Deployment Services.
In AD Users and Computers, verify that the computer account is added and a GUID is
assigned to it.
2. Move the WDS-client.xml file from Allfiles (D:)\Disk to the Local Disk
(C:)\RemoteInstall\WdsClientUnattend folder.
Allfiles (D:).
• In the Name list of the Allfiles (D:) window, double-click Disk.
• In the Name list of the Disk window, click WDS-unattend, and then click
Open.
• In the Select Unattended File dialog box, click OK.
• In the Image Properties dialog box, click OK.
This driver group by default has no filters and so all clients will have access to the
packages in this group. The packages that match with the client’s hardware will be
installed.
1. Create a driver group, Network Drivers, by using the Add Driver Group
Wizard with the following information:
• Manufacturer Filter Type: Contoso
• OS Edition: 7
• In the tree pane of the Windows Deployment Services console, right-click
Drivers, and then click Add Driver Group.
• On the Driver Group Name page of the Add Driver Group Wizard, in the
Type a name for this driver group box, type Network Drivers, and then
click Next.
• On the Client Hardware Filters page, click Add.
• In the Manufacturer Filter Type box of the Add Filter dialog box, type
Contoso, click Add, and then click OK.
• On the Client Hardware Filters page, click Next.
• On the Install Image Filters page, click Add.
• In the Filter Type box of the Add Filter dialog box, click OS Edition, type
7, click Add, and then click OK.
• On the Install Image Filters page, click Next.
• On the Packages to Install page, ensure that the Install only the driver
packages that match a client’s hardware option is selected, and then
click Next.
• On the Operation Complete page, click Finish.
• In the tree pane of the Windows Deployment Services console, under
LON-SVR1.Contoso.com, expand Drivers, right-click Network Drivers,
and then click Properties.
• On the Filters tab of the Network Drivers Properties dialog box, verify
how filters are specified and how to change the Applicability, and then
click Cancel.
Add-PSSnapin Microsoft.Windows.ServerManager.Migration
Task 2: Modify the DHCP server properties and export the server role settings.
1. On LON-DC1, open the DHCP console and set the following properties of the
DHCP server:
• Scope name: Name before migration
• Lease duration for DHCP clients: 5 hours
• On the Start menu of the LON-DC1, point to Administrative Tools, and
then click DHCP.
• In the tree pane of the DHCP console, expand lon-dc1.contoso.com,
expand IPv4, click and right-click Scope [192.168.10.0] Contoso Scope,
and then click Properties.
Task 3: Import the migrated settings and verify that they were applied.
1. On LON-SVR1, configure the Windows Server Migration Tools feature by
using the Server Manager console.
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Server Manager.
• In the tree pane of the Server Manager console, click Features.
Features.
• On the Select Features page of the Add Features Wizard, under Features,
select the Windows Server Migration Tools check box, and then click
Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
• In the Server Manager console, click the Close button.
2. On LON-SVR1, open the Windows PowerShell window, and run the following
code.
Add-PSSnapin Microsoft.Windows.ServerManager.Migration
Lab 1B: Managing Windows Server 2008 R2
Exercise 1: Using Server Manager for Remote Administration
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
3. Log on to LON-CL1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-CL1, and then click
Connect.
• To log on to LON-CL1, click the Ctrl-Alt-Delete button.
L1B-2 Managing Windows Server 2008 R2
An error message appears stating that the Server Manager cannot connect to lon-svr1.
If the Server Manager console does not appear, on the Start menu of LON-SVR1, point
to Administrative Tools, and then click Server Manager.
• On LON-DC1, in the tree pane of the Server Manager console, click and
right-click Server Manager (LON-DC1), and then click Connect to
Another Computer.
• In the Another computer box of the Connect to Another Computer
dialog box, type LON-SVR1, and then click OK.
Compare the options that are available from Server Manager on the LON-SVR1 server
with those that are available when using remote management from LON-DC1 (click the
Server Manager (LON-SVR1) node, and then compare the options available on the
details page).
2. Verify that the Add Roles and Remove Roles options and the Add Features
and Remove Features options are not available remotely.
• In the tree pane of the Server Manager console, right-click Roles, and then
verify that the Add Roles and Remove Roles options are not available
remotely.
• In the tree pane, right-click Features, and then verify that the Add
Features and Remove Features options are not available remotely.
Verify whether you can control the existing role, Windows Deployment Services,
remotely. Although Server Manager is connected to the remote server, other consoles
are connected to the local server by default.
Verify that Server Manager and AD DS administrative tools are present in the
Administrative Tools of the Start menu.
workstation.
1. On LON-CL1, open the Server Manager console to connect LON-CL1 to LON-
SVR1.contoso.com.
• On the Start menu of LON-CL1, point to Administrative Tools, and then
click Server Manager.
If the Connect to Another Computer dialog box does not appear, in the tree pane of
the Server Manager console, click and right-click Server Manager, and then click
Connect to Another Computer.
Notice that the available options are the same for both Windows 7 and Windows
Server 2008 R2.
• In the tree pane of the Server Manager console, expand Roles, and then
click Windows Deployment Services.
View the list of roles that are installed. To administer specific roles and features, those
tools must be available locally.
Verify that you can administer Contoso.com Active Directory from Windows 7.
• In the Active Directory Users and Computers console, click the Close
button.
Files Automatically
Task 1: Add the File Services role on LON-SVR1.
1. On LON-SVR1, add the File Services server role and File Server Resource
Manager by using the Add Roles Wizard.
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Server Manager.
• In the tree pane of the Server Manager console, right-click Roles, and then
click Add Role.
• On the Before You Begin page of the Add Roles Wizard, click Next.
• On the Select Server Roles page, under Roles, select the File Services
check box, and then click Next.
• On the File Services page, click Next.
• On the Select Role Services page, under Role services, select the File
Server Resource Manager check box, and then click Next.
• On the Configure Storage Usage Monitoring page, click Next.
• On the Confirm Installation Selections page, click Install.
• On the Installation Results page, click Close.
• In the Server Manager console, click the Close button.
• Executable: c:\windows\system32\icacls.exe
• Arguments: [Source File Path] /remove:g Everyone
• Command security: Local System
• Property: Confidential
• Operator: Equal
• Value: Yes
• On LON-SVR1, in the tree pane of the File Server Resource Manager
console, click File Management Tasks.
• In the Actions pane, click Create File Management Task.
• On the General tab of the Create File Management Task dialog box, in
the Task name box, type Restrict confidential files, and then in the
Scope area, click Add.
• In the Browse For Folder dialog box, expand Local Disk (C:), click Files,
and then click OK.
• On the Action tab of the Create File Management Task dialog box, in the
Type box, click Custom, and then in the Executable box, type
C:\windows\system32\icacls.exe.
• In the Arguments box of the Command settings area, type [Source File
Path] /remove:g Everyone.
• In the Command security area, click Local System.
• On the Condition tab of the Create File Management Task dialog box,
click Add.
• In the Property box of the Property Condition dialog box, ensure that the
Confidential option is selected, in the Operator box, ensure that the
Equal option is selected, in the Value box, click Yes, and then click OK.
• On the Schedule tab of the Create File Management Task dialog box,
click Create.
• In the Schedule dialog box, click New, and then click OK.
Properties.
• On the Security tab of the File1 Properties dialog box, click Edit.
• In the Permissions for File1 dialog box, click Add.
• In the Enter the object names to select (examples) box of the Select
Users, Computers, Service Accounts, or Groups dialog box, type
Everyone, and then click OK.
• In the Permissions for File1 dialog box, click OK.
• On the Security tab of the File1 Properties dialog box, in the Group or
user names area, click Everyone, and then click OK.
• In the Name list of the Files folder, right-click File2, and then click
Properties.
• On the Security tab of the File2 Properties dialog box, click Edit.
• In the Permissions for File2 dialog box, click Add.
• In the Enter the object names to select (examples) box of the Select
Users, Computers, Service Accounts, or Groups dialog box, type
Everyone, and then click OK.
• In the Permissions for File2 dialog box, click OK.
• On the Security tab of the File2 Properties dialog box, in the Group or
user names area, click Everyone, and then click OK.
• In the Name list of the Files folder, right-click File3, and then click
Properties.
• On the Security tab of the File3 Properties dialog box, click Edit.
• In the Permissions for File3 dialog box, click Add.
• In the Enter the object names to select (examples) box of the Select
Users, Computers, Service Accounts, or Groups dialog box, type
Everyone, and then click OK.
• In the Permissions for File3 dialog box, click OK.
• On the Security tab of the File3 Properties dialog box, in the Group or
user names area, click Everyone, and then click OK.
1. On LON-SVR1, run the Classification Rules by using the File Server Resource
Manager console, with the following information:
• Select Wait for classification to complete execution
• Set Up Windows Internet Explorer 8: Ask me later
Review the report and verify whether it contains the file1.txt file, which is
classified as confidential.
Review the report and verify that the group with Everyone permission no longer has
access to file1.txt, because it contains Confidential information, but still has access to
file2.txt and file3.txt.
• In the tree pane of the File Server Resource Manager console, click File
Management Tasks.
• In the result pane, under Scope: C:\Files (1 Item), click Restrict
confidential files.
• In the Actions pane, under Selected File Management Tasks, click Run
File Management Task Now.
In the Windows Explorer window, verify the NTFS permissions on all three files. You
should verify that the group with Everyone permission no longer has access to file1.txt,
because it contains Confidential information, but still has access to file2.txt and
file3.txt.
• In the File Server Resource Manager console, click the Close button.
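The permission check above done from PowerShell rather than the Security tab, as an added example that is not part of the handbook. For each file under C:\Files it reports whether Everyone still holds an access control entry, which is what the icacls.exe /remove:g Everyone action of the task is meant to strip; with the lab data, File1.txt (Confidential = Yes) should show no Everyone access after the task runs while File2.txt and File3.txt still do.

```powershell
# Added example (not from the handbook): report Everyone's ACEs on each file in
# C:\Files after the "Restrict confidential files" task has run.
$folder      = 'C:\Files'
$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone

function Get-EveryoneAccess {
    param([string]$Path)
    Get-ChildItem -Path $Path | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        # Resolve identities to SIDs so the check does not depend on display names.
        $aces = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
                  Where-Object { $_.IdentityReference.Value -eq $everyoneSid })
        New-Object PSObject -Property @{
            File           = $_.Name
            EveryoneAccess = ($aces.Count -gt 0)
            Rights         = ($aces | ForEach-Object { $_.FileSystemRights }) -join ', '
            # icacls /remove:g strips explicit ACEs only. An Everyone ACE inherited
            # from the parent folder survives the task and shows up here as
            # Inherited = True; that is why the lab adds explicit ACEs per file.
            Inherited      = ($aces | ForEach-Object { $_.IsInherited }) -join ', '
        }
    }
}

Get-EveryoneAccess -Path $folder | Format-Table File, EveryoneAccess, Rights, Inherited -AutoSize
```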
• In the Schedule Task box of the Schedule dialog box, click Monthly, and
then click OK.
• In the Create File Management Task dialog box, click OK.
• In the File Server Resource Manager message box, click Yes.
Review the report and verify that all expired files have been moved to the Expired folder
in drive C.
• In the File Management Tasks result pane of the File Server Resource
Manager console, in the Task Name list, right-click Expire Stale Data, and
then click Run File Management Task Now.
• In the Run File Management Task dialog box, click Wait for task to
complete execution, and then click OK.
• In the Windows Internet Explorer window, click the Close button.
Review the report for files affected by the File Management Task.
• In the Select Items dialog box, expand Local Disk (C:), select the Files
check box, and then click OK.
• On the Select Items for Backup page, click Advanced Settings.
• On the Exclusions tab of the Advanced Settings dialog box, click Add
Exclusions.
• In the Select Items to Exclude dialog box, expand Local Disk (C:),
expand Files, click File1.txt, and then click OK.
• In the Advanced Settings dialog box, click OK.
• On the Select Items for Backup page, click Next.
• On the Specify Destination Type page, click Next.
• On the Select Backup Destination page, in the Backup destination box,
click New Volume (F:), and then click Next.
• On the Confirmation page, click Backup.
• On the Backup Progress page, click Close.
• On the Select Items to Recover page, in the Available items list, expand
LON-SVR1, expand Local disk (C:), click Files, and then in the Items to
recover list, click File2.txt.
• On the Select Items to Recover page, click Next.
• On the Specify Recovery Options page, click Next.
• On the Confirmation page, click Recover.
• On the Recovery Progress page, click Close.
Lab 2A: Configuring Active Directory Domain Services Features
Exercise 1: Installing and Configuring Active Directory Administration Center
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
• In the List View of the Navigation pane, click the arrow near Contoso
(local).
• In the Search box, type fi, and then click the Pin icon.
• In the result pane, click the arrow near Finance, and then click the Pin
icon.
Verify that both windows are added to the Active Directory Administrative Center
and that, in the navigation pane, under Contoso (local), the last three OUs that were
accessed are listed.
• In the Tree view of the Navigation pane, click and right-click Builtin, and
then click Connect to.
• In the Tree View of the Navigation pane, right-click newly added Builtin,
click Rename.
• In the Please input the new name box of the Rename dialog box, type
Precreated, and then click OK.
L2A-4 Configuring Active Directory Domain Services Features
click Remove.
Verify that the users named Michael are displayed in the Management pane.
• In the Finance result pane, click Add criteria, select Users with
disabled/enabled accounts. and Users whose password has an
expiration date/no expiration date., and then click Add.
• In the Finance result pane, click disabled against and Users with
accounts in this state, and then click enabled.
• Clear the Filter box.
Verify that enabled accounts (Michael Allen) are displayed in the Management pane.
2. Create a query, Enabled-no expiry, execute it against the user, Jeff Ford, and
then modify the properties of Jeff Ford by adding him to the Finance group.
• In the Finance result pane, click on the arrow near the floppy icon, in the
New Query box, type Enabled-no expiry, and then click Ok.
• In the Finance result pane, click Clear All.
• In the List View of the Navigation pane, click Users.
• In the Users result pane, click Queries button, and then click Enabled-no
expiry.
Ford.
• In the Tasks pane, under Jeff Ford, click Properties.
• In the Jeff Ford dialog box, click Add Sections, and then clear the
Extensions check box.
• In the Member Of area of the Jeff Ford dialog box, click Add button.
• In the Enter the object names to select (examples) box of the Select
Groups dialog box, type Finance, and then press ENTER.
• In the Multiple Names Found dialog box, click Finance Users, and then
click OK.
• In the Jeff Ford dialog box, click OK.
• In the Name list of the Users result pane, double-click Jeff Ford.
• In the Search box of the Global Search result pane, type jayh, and then
click Search button.
• In the Active Directory Administrative Center console, click the Close
button.
Verify that there is a red arrow near the CONTOSO (local) domain. If you click it, an
error message appears stating that no servers with Active Directory Web Services are
available in the Contoso domain.
Now there is no error and you are able to view domain objects.
Get-ADOptionalFeature –Filter *
The EnabledScopes property is currently empty, which indicates that this feature is not
enabled. The RequiredForestMode property indicates the prerequisites for enabling this
feature.
4. Run the following command to enable the Active Directory Recycle Bin feature.
• At the command prompt, type the following code, and then press ENTER.
5. Run the following command to view the state of the Active Directory Recycle
Bin feature.
Get-ADOptionalFeature –Filter *
now set.
Task 3: Verify that the deleted objects are in the Recycle Bin.
1. On LON-DC1, run the following command to view the entire content of the
Active Directory Recycle Bin feature by using the Active Directory Module for
Windows PowerShell window.
Verify that two user accounts, Sara Davis and Ron Gabel, the Finance Temporary
Employees group account, and the Europe organizational unit are in the Recycle Bin.
Make a note of the ObjectGUID for Sara Davis, Ron Gabel, Finance Temporary Employees,
and Europe.
2. Run the following command to verify that the Sara Davis user object is in the
Recycle Bin.
3. Run the following command to verify that the Ron Gabel user account is in the
Recycle Bin.
4. Run the following command to verify that the organizational unit, Demo, is in
the Recycle Bin.
Windows PowerShell window, type the following code, and then press
ENTER.
Verify that the user account for Sara Davis, the Finance Temporary Employees group,
and the Europe organizational unit are present.
2. In the command prompt window, run the following code to provision a new
computer account.
• On the Start menu, point to All Programs, click Accessories, and then
click Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.
This command creates a computer account in Active Directory and stores the computer
account password and related information in an encoded file. It should be treated just as
securely as a plaintext password. The file contains the computer account password and
other information about the domain, including the domain name, the name of a domain
controller, and the security ID (SID) of the domain. If the blob is being transported
physically or over the network, care must be taken to transport it securely. In Windows
Server 2008 R2, Djoin.exe is a new command that provisions a computer account for an
offline domain join.
Directory.
1. Verify that the LON-SVR2 computer account has been created. Then, to
display the contents of the provisioning file, run the following command in the
Command Prompt window.
type c:\share\LON-SVR2.djoin
• In the Active Directory Users and Computers console, click the Refresh
button.
Verify that the computer account LON-SVR2 is now present in the Computers
container.
type c:\share\LON-SVR2.djoin
• In the Local Disk (C:) window, right-click anywhere, and then click Paste.
3. On LON-SVR2, run the following command to add the LON-SVR2 server as a
member of the Contoso.com domain.
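The two halves of the offline domain join as functions, with the provisioning file handled as the secret the text above says it is. This is an added example rather than the handbook's code; it assumes provisioning runs on LON-DC1 as a domain administrator, that the blob reaches LON-SVR2 by an authenticated copy (an SMB copy made by the administrator) and not by e-mail or an open share, and that the function names are hypothetical.

```powershell
# Added example (not from the handbook). Function names are hypothetical; paths
# and names are the lab's. Run New-OfflineJoinBlob on LON-DC1 and
# Complete-OfflineJoin on LON-SVR2 after the blob has been copied there.

function New-OfflineJoinBlob {
    param(
        [string]$Domain   = 'contoso.com',
        [string]$Machine  = 'LON-SVR2',
        [string]$BlobPath = 'C:\share\LON-SVR2.djoin'
    )
    djoin /provision /domain $Domain /machine $Machine /savefile $BlobPath
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # The blob holds the machine account password plus domain details. C:\share
    # is a shared folder in this lab, so drop the inherited ACL and leave only
    # SYSTEM and Administrators; otherwise anyone who can read the share can read it.
    icacls $BlobPath /inheritance:r /grant:r 'SYSTEM:F' 'BUILTIN\Administrators:F' | Out-Null
    icacls $BlobPath   # show the resulting ACL for the record
}

function Complete-OfflineJoin {
    param([string]$BlobPath = 'C:\LON-SVR2.djoin')
    if (-not (Test-Path $BlobPath)) { throw "Provisioning file $BlobPath not found" }

    # /localos applies the join to the running OS; /windowspath names its Windows
    # directory (the same switch can target an offline image instead).
    djoin /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }

    # The blob has done its job; do not leave a copy of a machine password behind.
    Remove-Item -Path $BlobPath -Force
    Write-Host "Offline join requested; restart $env:COMPUTERNAME to complete it."
}

# On LON-DC1:   New-OfflineJoinBlob
# On LON-SVR2:  copy \\LON-DC1\share\LON-SVR2.djoin to C:\, then Complete-OfflineJoin
```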
Lab 2B: Configuring Group Policy in Active Directory Domain Services
Exercise 1: Using Starter GPO
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
3. Log on to LON-CL1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-CL1, and then click
Connect.
• To log on to LON-CL1, click the Ctrl-Alt-Delete button.
L1A-2 Configuring Group Policy in Active Directory Domain Services
Task 2: Review the existing System Starter GPO and its settings.
1. On LON-DC1, examine the Starter GPO settings by using the Group Policy
Management console to verify the following information:
• Verify that there are eight Starter GPOs pre-created
• Verify that the Edit option is not enabled
• View the settings of Starter GPO
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Group Policy Management.
• In the tree pane of the Group Policy Management console, expand Forest:
Contoso.com, expand Domains, expand Contoso.com, and then click
Starter GPOs.
• In the Starter GPOs in Contoso.com result pane, click Create Starter
GPOs Folder.
Verify that eight system Starter GPOs are already pre-created. Four are for
Windows XP SP2 and four for Windows Vista. They have the recommended Enterprise
(EC) and Specialized Security Limited Functionality (SSLF) settings for both
platforms.
• In the tree pane of the Group Policy Management console, expand Starter
GPOs, and then click Windows Vista EC Computer.
• In the Windows Vista EC Computer result pane, click the Delegation tab,
and then ensure that Administrators have Edit settings, delete, and
modify security permissions.
• In the tree pane, under Starter GPOs, right-click Windows Vista EC
Computer.
Verify that the Edit action is not enabled. Although your account has the appropriate
permissions, System Starter GPOs are read-only. You cannot edit their settings, but you
can delete them if you do not need them.
• In the Windows Vista EC Computer result pane, click the Settings tab.
• In the Trusted sites dialog box, click Add, and then click the Close
button.
• On the Settings tab of the Windows Vista EC Computer result pane, click
show all.
View the settings that are set in the Starter GPO. Also browse through settings in other
Starter GPOs.
Verify that only Administrative Templates are available for Computer Configuration
and User Configuration. Other Group Policy settings are not available in Starter GPO.
• In the tree pane of the Group Policy Starter GPO Editor console, under
User Configuration, expand Administrative Templates, right-click All
Settings, and then click Filter Options.
• In the Filter Options dialog box, select the Enable Keyword Filters check
box, in the Filter for word(s) box, type control panel, and then click All
from the dropdown list.
Under User Configuration, click All Settings and verify that only settings with Control
Panel in the name are listed.
• In the tree pane of the Group Policy Starter GPO Editor console, under the
Administrative Templates of User Configuration, expand Control
Panel, and then click Display.
• In the Settings list of the Display result pane, double-click Disable the
Display Control Panel.
• In the Disable the Display Control Panel dialog box, click Enabled, and
then click OK.
• In the Group Policy Starter GPO Editor console, click the Close button.
Task 4: Create a new group policy based on the Custom Starter GPO.
1. Based on the existing custom Starter GPO, create a GPO with the following information:
• GPO name: Desktop Configuration
• Source Starter GPO: Default Desktop Configuration
Then, in the Group Policy Management Editor, sort the settings by State and set the following filter options:
• Clear Enable Keyword Filters
• Configured: Yes
• In the tree pane of the Group Policy Management console, right-click
Contoso.com, and then click Create a GPO in this domain, and Link it
here.
• In the Name box of the New GPO dialog box, type Desktop
Configuration, in the Source Starter GPO box, click Default Desktop
Configuration, and then click OK.
• In the tree pane, under Contoso.com, expand Group Policy Objects,
right-click Desktop Configuration, and then click Edit.
Click the State column header to sort the Administrative Templates settings by state (Enabled, Disabled, Not configured).
• In the tree pane, right-click All Settings, and then click Filter Options.
• In the Filter Options dialog box, clear the Enable Keyword Filters check
box, under Select the type of policy settings to display, in the
Configured box, click Yes, and then click OK.
Verify that the Disable the Display Control Panel policy setting is listed. This confirms that a Starter GPO stores a collection of Administrative Template policy settings in a single object that can be used as a template when creating a new GPO.
• In the Group Policy Management Editor window, click the Close
button.
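The same Task 4 result can be produced and checked from PowerShell. The following script is an added example for this handbook, not part of the course lab, and uses the GroupPolicy module that ships with Windows Server 2008 R2. It assumes the custom Starter GPO is named Default Desktop Configuration as above, that the lab domain is contoso.com (so the link target is dc=contoso,dc=com), and that it runs on LON-DC1 as a domain administrator.

```powershell
# Added example, not from the course handbook. Assumes the GroupPolicy module (Windows
# Server 2008 R2), the custom Starter GPO "Default Desktop Configuration" from the lab,
# and the lab domain contoso.com; run on LON-DC1 as a domain administrator.
Import-Module GroupPolicy

$gpoName     = 'Desktop Configuration'
$starterName = 'Default Desktop Configuration'
$domainDn    = 'dc=contoso,dc=com'                     # assumed from the Contoso.com domain

# List the Starter GPOs: the eight pre-created ones have Type "System" and are read-only,
# the lab's own one has Type "Custom".
Get-GPStarterGPO -All | Select-Object DisplayName, Type, Id | Format-Table -AutoSize

# Create the GPO from the Starter GPO and link it at the domain root, as the wizard does.
$gpo = New-GPO -Name $gpoName -StarterGpoName $starterName
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null

# Verify the seeded setting without opening the editor. "Disable the Display Control Panel"
# (User Configuration\Administrative Templates\Control Panel\Display) is the registry policy
# HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, value NoDispCPL = 1.
$setting = Get-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'NoDispCPL'
if ($setting.Value -ne 1) {
    throw "Expected NoDispCPL=1 in '$gpoName' (copied from the Starter GPO), found '$($setting.Value)'"
}
"'$gpoName' ($($gpo.Id)) created from '$starterName'; NoDispCPL = $($setting.Value)"

# Dump every configured setting to XML for review before the link is widened beyond the lab.
Get-GPOReport -Name $gpoName -ReportType Xml -Path (Join-Path $env:TEMP "$gpoName.xml")
```

Get-GPRegistryValue throws if the value is absent, which is what you want in a check script. The XML report holds the same data as the Settings tab in GPMC, so two GPOs (for example, the System Starter GPO and a copy you have customized) can be diffed before either is linked.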
• Path: C:\Folder_Preference
• Select Item-level targeting
• New Item: Operating System
• Product: Windows 7
• In the tree pane of the Group Policy Management Editor console, under
Windows Settings, right-click Folders, point to New, and then click
Folder.
• In the New Folder Properties dialog box, in the Action box, click Create,
and then in the Path box, type C:\Folder_Preference.
• On the Common tab, select the Item-level targeting check box, and then
click Targeting button.
• In the Targeting Editor dialog box, click New Item, click Operating
System, ensure that in the Product box, Windows 7 option is selected,
and then click OK.
• In the New Folder Properties dialog box, click OK.
• In the Group Policy Management Editor console, click the Close button.
If Notepad does not appear on the desktop, run the command gpupdate /force on LON-DC1 and LON-CL1.
• In the Select User or Group dialog box, type Restricted Users, press ENTER, and then click OK.
• On the Permissions page, click Next.
• On the Conditions page, click Path, and then click Next.
• In the Path box of the Path page, type %system32%\notepad.exe, and
then click Next.
• On the Exceptions page, click Next.
• In the Name box of the Name and Description page, type Notepad, and
then click Create.
• In the tree pane of the Group Policy Management Editor console, under
Application Control Policies, click AppLocker.
• In the Configure Rule Enforcement area of the AppLocker result pane,
click Configure rule enforcement.
• In the Executable rules box of the AppLocker Properties dialog box,
click Configured, ensure that the Enforce rules option is selected, and
then click OK.
Task 4: Apply the Application Control Policy and verify that the user cannot run Notepad.
1. On LON-SVR1, verify whether jeff can run Notepad, and then check the reason for the denial.
• On the Start menu, in the Search program and files box, type notepad,
and then press ENTER.
An error message appears stating that this program is blocked by group policy. This confirms that the Application Control Policy is in effect. If the error message does not appear, run the command gpupdate /force on LON-DC1 and LON-CL1, and confirm that the Application Identity service is running on the client; AppLocker rules are not enforced while that service is stopped.
• In the tree pane of the Event Viewer console, under AppLocker, click EXE and DLL.
• In the Event ID list of the EXE and DLL result pane, double-click 8004.
• In the Event Properties - Event 8004, AppLocker message box, verify the reason that access was prohibited (event 8004 records an executable that AppLocker prevented from running).
• In the Event Properties - Event 8004, AppLocker message box, click Close.
• In the Event Viewer console, click the Close button.
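For comparison, here is the Notepad rule and the checks from Tasks 3 and 4 expressed with the AppLocker PowerShell module that ships with Windows Server 2008 R2 and Windows 7. This is an added example, not part of the course lab. It assumes the Contoso domain, the Restricted Users group and the user Contoso\jeff from the lab; the GPO name AppLocker used for the deployment step is an assumed name, so substitute the GPO you edited above.

```powershell
# Added example, not from the course handbook. Assumes: the AppLocker and GroupPolicy
# modules (Windows Server 2008 R2), domain Contoso, group "Restricted Users", user
# Contoso\jeff, and a GPO named "AppLocker" (assumed name; use the GPO edited in the lab).
Import-Module AppLocker
Import-Module GroupPolicy

# AppLocker rules identify the principal by SID, not by name.
$account = New-Object System.Security.Principal.NTAccount('Contoso', 'Restricted Users')
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Same rule the wizard builds: Exe collection, enforcement on, Deny, path condition.
# %SYSTEM32% is an AppLocker path variable (not an environment variable).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Notepad" Description="Lab rule"
                  UserOrGroupSid="$sid" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\notepad.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'notepad-deny.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run before deploying: expect PolicyDecision "Denied" with MatchingRule "Notepad" for jeff.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:SystemRoot\System32\notepad.exe" -User 'Contoso\jeff' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Deploy by merging into the GPO, so any existing (default) rules in it are kept.
$gpoName = 'AppLocker'                                        # assumed name
$gpoPath = 'LDAP://LON-DC1.contoso.com/' + (Get-GPO -Name $gpoName).Path
Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap $gpoPath -Merge

# On the client: AppLocker enforces nothing while the Application Identity service is stopped.
if ((Get-Service AppIDSvc).Status -ne 'Running') {
    Set-Service AppIDSvc -StartupType Automatic
    Start-Service AppIDSvc
}

# After gpupdate /force, a blocked launch is logged as event 8004 in this channel
# (8003 means "would have been blocked" in audit-only mode, 8002 means allowed).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -eq 8004 } |
    Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap
```

Note what the -Merge protects you from: once the Exe collection contains any rule and enforcement is on, every executable that no rule allows is blocked (Test-AppLockerPolicy reports DeniedByDefaultRule), administrators included; the default rules are what keep Windows and Program Files runnable. Test-AppLockerPolicy evaluates only the XML you pass it, so to test what a client actually has, export it first with Get-AppLockerPolicy -Effective -Xml.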
Lab 3: Configuring Server
Virtualization by Using Hyper-V
Exercise 1: Installing and Configuring Failover Clustering
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
click Next.
• On the Description page, click Next.
• On the Access page, click Add.
• In the Add Target dialog box, in the Target Name list, click LUN-01, and
then click OK.
• On the Access page, click Next.
• On the Completing the Create Virtual Disk Wizard page, click Finish.
Task 3: Connect the iSCSI target to the physical host and create an NTFS volume.
1. On the physical computer, set the following iSCSI Initiator properties to
connect the iSCSI target to the physical computer:
• Target: 192.168.10.150
• Quick Connect: iqn.1991-05.com.microsoft:lon-svr1-lun-01-target
• On the Start menu of the physical computer, point to Administrative
Tools, and then click iSCSI Initiator.
• On the Targets tab of the iSCSI Initiator Properties dialog box, in the
Target box, type 192.168.10.150, and then click Quick Connect.
• In the Quick Connect dialog box, ensure that the status of iqn.1991-
05.com.microsoft:lon-svr1-lun-01-target is Connected, ensure that the
iqn.1991-05.com.microsoft:lon-svr1-lun-01-target option is selected,
and then click Done.
• In the iSCSI Initiator Properties dialog box, click OK.
2. Open the Server Manager console to create a new volume with size 15000 MB
for Disk 1.
• On the Start menu of the physical host computer, point to Administrative
Tools, and then click Server Manager.
• In the tree pane of the Server Manager console, expand Storage, and then
click Disk Management.
• In the Disk Management result pane, right-click the 19.53 GB Unallocated area of Disk 1, and then click New Simple Volume.
L3-4 Configuring Server Virtualization by Using Hyper-V
• In the Name list of the Local Disk (C:) window, double-click Program
Files.
• In the Name list of the Program Files window, double-click Microsoft
Learning.
• In the Name list of the Microsoft Learning window, double-click Base.
• In the Name list of the Base window, right-click Base10D-WS08R2Core-
HV.vhd, and then click Copy.
• In the Address bar, click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, double-click
ClusterStorage.
• In the Name list of the ClusterStorage window, double-click Volume1.
• In the Volume1 window, right-click anywhere, and then click Paste.
2. On the physical computer, create a virtual machine, Clustered VM, by using
the Hyper-V Manager console, with the following information:
• Select Store the virtual machine in a different location
• Location: C:\ClusterStorage\Volume1
• Memory size: 512 MB
• Connect Virtual Hard Disk: Use an existing virtual hard disk
• Location: C:\ClusterStorage\Volume1\Base10D-WS08R2Core-
HV.vhd
• On the physical computer, in the tree pane of the Hyper-V Manager
console, right-click VM-TEAM, point to New, and then click Virtual
Machine.
• On the Before You Begin page of the New Virtual Machine Wizard, click
Next.
• In the Name box of the Specify Name and Location page, type Clustered
VM, select the Store the virtual machine in a different location check
box, in the Location box, type C:\ClusterStorage\Volume1, and then
click Next.
• On the Assign Memory page, ensure that the Memory size is 512 MB,
and click Next.
• On the Connect Virtual Hard Disk page, click Use an existing virtual
hard disk, in the Location box, type
C:\ClusterStorage\Volume1\Base10D-WS08R2Core-HV.vhd, and then
click Next.
• On the Completing the New Virtual Machine Wizard page, click Finish.
• In the result pane of the Hyper-V Manager console, in the Virtual
Machines area, verify that the Clustered VM virtual machine is created.
button.
If the Set Up Windows Internet Explorer 8 window appears, close the Internet Explorer
window, and then open Remote Desktop Web Access Configuration again.
The Enterprise Remote Access Web page displays the list of RemoteApp published
applications.
If the Set Up Windows Internet Explorer 8 window appears, close the Internet Explorer
window, and then open it again.
Verify that all four RemoteApp published applications are displayed on the Enterprise
Remote Access Web page.
Because ruser does not have permission to use the WordPad RemoteApp program, the WordPad icon is no longer displayed, and only three RemoteApp programs are available on the Enterprise Remote Access Web page.
Configuring Remote Desktop Services and Virtual Desktop Infrastructure in Windows Server 2008 R2 L4-13
Verify that there is new program group available, RemoteApp and Desktop
Connections.
The program group contains all RemoteApp programs that are available to the user. The configuration file that creates this program group can also be created by using the Remote Desktop Connection Manager console.
Verify that the certificate for external.contoso.com is listed in the Certificates result pane.
ping 131.107.0.2
• At the command prompt, type the following command, and then press
ENTER.
ping 192.178.10.1
computer name with the name of the physical computer and then run the
RDS-pool file.
• On the Start menu of LON-CL2, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, double-click RDSConfig.
• In the Name list of the RDSConfig window, right-click RDS-pool, and
then click Edit.
• On the Edit menu of the RDS-pool – Notepad window, click Replace.
• In the Find what box of the Replace dialog box, type Contoso\<physical host>, in the Replace with box, type the name of the physical computer, and then click Replace All.
• In the Replace dialog box, click the Close button.
• On the File menu, click Save.
• In the RDS-pool – Notepad window, click the Close button.
• In the Name list of the RDSConfig window, right-click RDS-pool, and
then click Open.
• At the command prompt of the C:\Windows\system32\cmd.exe window,
type y, and then press ENTER.
• In the RDSConfig window, click the Close button.
7. Log off from LON-CL2.
• On the Start menu, click the Forward arrow, and then click Log off.
1. On LON-DC1, log on to the Remote Desktop Web page with the username,
contoso\ruser and the password, Pa$$w0rd to verify whether there is full
Remote Desktop Connection to LON-CL2.
• On the physical host computer, in the result pane of the Hyper-V Manager
console, in the Name list of the Virtual Machines area, right-click
10159A-LON-DC1, then click Connect.
• On the Start menu of LON-DC1, click All Programs, and then click
Internet Explorer.
If the Set Up Windows Internet Explorer 8 dialog box appears, click Ask me later, close
the Internet Explorer window, and then open it again.
Lab 5: Deploying and Configuring
Remote Access Services
Exercise 1: Review Existing Infrastructure Configuration
Task 1: Start the virtual servers.
1. Log on to LON-DC1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-DC1, and then click
Connect.
• To log on to LON-DC1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
2. Log on to LON-SVR1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-SVR1, and then click
Connect.
• To log on to LON-SVR1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
3. Log on to LON-CL1 with the user name, Contoso\Administrator, and the
password, Pa$$w0rd.
• In the result pane of the Hyper-V Manager console, in the Name list of the
Virtual Machines area, right-click 10159A-LON-CL1, and then click
Connect.
• To log on to LON-CL1, click the Ctrl-Alt-Delete button.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
L5-2 Deploying and Configuring Remote Access Services
1. On LON-DC1, open the Group Policy Management console and verify that the DirectAccess GPO has separate inbound and outbound rules that allow ICMPv4 and ICMPv6 Echo Request traffic.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Group Policy Management.
• In the tree pane of the Group Policy Management console, expand Forest:
Contoso.com, expand Domains, and then expand Contoso.com.
• In the tree pane, under Contoso.com, right-click Mod5 – DirectAccess Settings, and then click Edit.
• In the tree pane of the Group Policy Management Editor console, under
Computer Configuration, expand Policies, expand Windows Settings,
and then expand Security Settings.
• In the tree pane, under Security Settings, expand Public Key Policies,
and then select Automatic Certificate Request Settings.
• In the Automatic Certificate Request list of the Automatic Certificate
Request Settings result pane, right-click Computer, and then click
Properties.
• In the Computer Properties dialog box, ensure that Certificate Purpose
is set as Client Authentication, Server Authentication, and then click
Cancel.
• In the tree pane of the Group Policy Management Editor console, under
Security Settings, expand Windows Firewall with Advanced Security,
expand Windows Firewall with Advanced Security, and then click
Inbound Rules.
Verify that two rules are defined that allow inbound ICMPv4 Echo Request and inbound ICMPv6 Echo Request traffic.
• In the tree pane, under Windows Firewall with Advanced Security, click Outbound Rules.
Verify that two rules are defined that allow outbound ICMPv4 Echo Request and outbound ICMPv6 Echo Request traffic. DirectAccess depends on this traffic (Teredo clients, for example, send ICMPv6 Echo Requests to the DirectAccess server to establish connectivity), so it must be allowed on the DirectAccess server for remote access to work.
1. On LON-DC1, specify the location from which users can obtain a certificate
revocation list (CRL) by using Certification Authority with the following
information:
• Location: \\LON-SVR1\crldist\
• Insert variables: <CRLNameSuffix> and <DeltaCRLAllowed>
• After inserting the variables append the location with .crl
• Select Publish CRLs to this location and Publish Delta CRL to this
location
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Certification Authority.
• In the tree pane of the certsrv – [Certification Authority (Local)] console,
right-click Contoso-LON-DC1-CA, and then click Properties.
• On the Extensions tab of the Contoso-LON-DC1-CA Properties dialog
box, click Add.
• In the Location box of the Add Location dialog box, type \\LON-
SVR1\crldist\, in the Variable box, ensure that the <CaName> option is
selected, and then click Insert.
• In the Variable box, click <CRLNameSuffix>, and then click Insert.
• In the Variable box, click <DeltaCRLAllowed>, and then click Insert.
• In the Location box, type .crl at the end of the Location string, and then
click OK.
• On the Extensions tab of the Contoso-LON-DC1-CA Properties dialog
box, select the Publish CRLs to this location and Publish Delta CRL to
this location check boxes, and then click Apply.
• In the Certification Authority message box, click Yes.
• In the Contoso-LON-DC1-CA Properties dialog box, click OK.
Sharing.
• In the Advanced Sharing dialog box, select the Share this folder check
box, and then click Permissions.
• In the Permissions for CRLDist dialog box, click Add.
• In the Select Users, Computers, Service Accounts, or Groups dialog box,
click Object Types.
• In the Object Types dialog box, select the Computers check box, and
then click OK.
• In the Enter the object names to select (examples) box of the Select
Users, Computers, Service Accounts, or Groups dialog box, type LON-
DC1, and then click OK.
• In the Permissions for LON-DC1 area of the Permissions for CRLDist
dialog box, select the Allow check box against Full Control, click Apply,
and then click OK.
• In the Advanced Sharing dialog box, click OK.
2. Edit the NTFS security properties of the CRLDist folder as follows:
• Object Types: Computers
• Enter the object names to select: LON-DC1
• Permissions for CRLDist: Allow Full Control for the LON-DC1 computer account
• On the Security tab of the CRLDist Properties dialog box, click Edit.
• In the Permissions for CRLDist dialog box, click Add.
• In the Select Users, Computers, Service Accounts, or Groups dialog box,
click Object Types.
• In the Object Types dialog box, select the Computers check box, and
then click OK.
• In the Enter the object names to select (examples) box, type LON-DC1,
and then click OK.
• In the Permissions for LON-DC1 area of the Permissions for CRLDist
dialog box, select the Allow check box against Full Control, click Apply,
and then click OK.
• In the CRLDist Properties dialog box, click Close.
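The CA side of this task, and the checks to run after it, can be done with certutil instead of the Properties dialog. The following is an added example, not from the course lab; it runs on LON-DC1 as a CA administrator and assumes only the share \\LON-SVR1\crldist and the CA name Contoso-LON-DC1-CA from the steps above.

```powershell
# Added example, not from the course handbook. Run on LON-DC1 as a CA administrator.
# Assumes the share \\LON-SVR1\crldist and the CA name Contoso-LON-DC1-CA from the lab.
$share  = '\\LON-SVR1\crldist'
$caName = 'Contoso-LON-DC1-CA'

# CA\CRLPublicationURLs is a REG_MULTI_SZ of "<flags>:<location>" entries. Flag bits:
#   1 = publish CRLs to this location          64 = publish delta CRLs to this location
#   2 = include in the CDP extension of issued certificates
#   4 = include in CRLs (base CRL location)     8 = include in the IDP extension of CRLs
# Tokens %3, %8 and %9 are <CaName>, <CRLNameSuffix> and <DeltaCRLAllowed>, i.e. what the
# dialog inserts. 65 = 1 + 64 matches the two check boxes selected in the lab, and the
# leading "+" appends to the existing list instead of replacing it.
certutil -setreg CA\CRLPublicationURLs ("+65:{0}\%3%8%9.crl" -f $share)

# The CA reads these values at start-up; restart it, then publish a fresh base + delta CRL.
Restart-Service certsvc
certutil -CRL

# Check 1: both files arrived on the share (base: <CaName>.crl, delta: <CaName>+.crl).
Get-ChildItem -Path $share -Filter '*.crl' | Select-Object Name, Length, LastWriteTime

# Check 2: the published base CRL parses and carries the expected issuer and validity.
certutil -dump (Join-Path $share "$caName.crl") | Select-String -Pattern 'Issuer|ThisUpdate|NextUpdate'

# Check 3: what the CA now believes its publication list is.
certutil -getreg CA\CRLPublicationURLs
```

The numeric prefix is why the two check boxes matter: bits 1 and 64 make the CA write the base and delta CRL to the share, whereas bit 2 would additionally put the path into the CDP extension of every issued certificate. Leave bit 2 off for a UNC location; clients outside the domain cannot fetch from it, so the HTTP URL remains the one they use. On the share itself, only the CA's computer account needs write access (certsvc runs as LocalSystem on LON-DC1, so it authenticates as LON-DC1$), and readers need only Read; the Full Control grant in the lab is more than the CA requires.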
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click DirectAccess Management.
• In the tree pane of the DAMgmt - [DirectAccess] console, click Setup.
• In the DirectAccess Setup result pane, under Step 1, click Configure.
• On the DirectAccess Client Setup page of the DirectAccess Setup wizard,
click Add.
• In the Enter the object name to select (examples) box of the Select
Group dialog box, type DirectAccess Client, and then click OK.
• On the DirectAccess Client Setup page, click Finish.
• In the DirectAccess Setup result pane, under Step 2, click Configure.
• On the Connectivity page of the DirectAccess Setup wizard, in the
Interface connected to the Internet box, click Internet, in the Interface
connected to the internal network box, click Corpnet, and then click
Next.
• On the Certificate Components page, under Select the root certificate to
which remote client certificates must chain, select the Use intermediate
certificate check box, and then click Browse.
• In the Windows Security dialog box, ensure that the Contoso-LON-DC1-
CA option is selected, and then click OK.
• On the Certificate Components page, under Select the certificate that
will be used to secure remote client connectivity over HTTPS, click
Browse.
• In the Windows Security dialog box, click IP-HTTPS Certificate, and
then click OK.
• On the Certificate Components page, click Finish.
• In the DirectAccess Setup result pane, under Step 3, click Configure.
• On the Location page of the DirectAccess Setup wizard, click Network location server is run on the DirectAccess server, and then click the Browse button next to Select the certificate that will be used to secure location identification.
• In the Windows Security dialog box, ensure that the LON-
SVR1.Contoso.com option is selected, and then click OK.
• On the DNS and Domain Controller page, ensure that the IPv6 address
of DNS Server entry for the Name Suffix, contoso.com is
2002:836b:2:1:0:5efe:192.168.10.1, and then click Next.
• On the Management page, click Finish.
• In the DirectAccess Setup result pane, under Step 4, click Configure.
• On the DirectAccess Application Server Setup page of the DirectAccess
Setup wizard, click Finish.
• In the DirectAccess Setup result pane, click Save, and then click Finish.
• In the DirectAccess Review dialog box, click Apply.
• In the DirectAccess Policy Configuration message box, click OK.
• In the DAMgmt - [DirectAccess\Setup] console, click the Close button.
• At the command prompt, type the following command, and then press ENTER.
gpupdate /force
• At the command prompt, type the following command, and then press ENTER.
netsh name show effectivepolicy
2. Disable the Corpnet network connection, enable the Internet network connection, and then run the following command.
• At the command prompt, type the following command, and then press ENTER.
ping 131.107.0.2
2. Run the following command to verify that the Link-Local IPv6 Address has the prefix fe80, and to view the Windows IP configuration.
• At the command prompt, type the following command, and then press ENTER.
ipconfig
• At the command prompt, type the following command, and then press ENTER.
ipconfig
4. Run the following command to verify that there is an additional IPv6 address, 2002:836b:2:1:0:5efe:192.168.10.1, and to view the Windows IP configuration.
• At the command prompt, type the following command, and then press ENTER.
ipconfig
• At the command prompt, type the following command, and then press ENTER.
ipconfig /flushdns
• At the command prompt, type the following command, and then press ENTER.
netsh name show effectivepolicy
• At the command prompt, type the following command, and then press ENTER.
ping 2002:836b:2:1:0:5efe:192.168.10.1
This is the ISATAP address of LON-DC1, and there are four successful replies.
• At the command prompt, type the following command, and then press ENTER.
ping lon-dc1.contoso.com
• On the Start menu, in the Search programs and files box, type \\LON-
DC1\AppData, and then press ENTER.
• In the Name list of the AppData window, double-click Example.txt.
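The ISATAP address pinged above is not arbitrary: it is derived from the DirectAccess server's public IPv4 address and LON-DC1's intranet IPv4 address, so it can be computed and compared with ipconfig output instead of being read by eye. The following script is an added example, not from the course lab. It assumes that 131.107.0.2 (the address the lab pings from the Internet interface) is the DirectAccess server's public IPv4 address, that the 6to4 subnet ID is 1 as in the lab's address, and that 192.168.10.1 is LON-DC1's intranet IPv4 address.

```powershell
# Added example, not from the course handbook. Assumes: 131.107.0.2 is the DirectAccess
# server's public IPv4 address (the lab pings it), 6to4 subnet ID 1 as in the lab's
# address, and 192.168.10.1 as LON-DC1's intranet IPv4 address.

function Get-6to4Prefix {
    # RFC 3056: 2002:WWXX:YYZZ::/48, where WWXXYYZZ is the public IPv4 address in hex.
    param([string]$PublicIPv4)
    $b = [System.Net.IPAddress]::Parse($PublicIPv4).GetAddressBytes()
    '2002:{0:x2}{1:x2}:{2:x2}{3:x2}' -f $b[0], $b[1], $b[2], $b[3]   # 131.107.0.2 -> 2002:836b:0002
}

function Get-IsatapAddress {
    # RFC 5214 interface identifier: 0000:5efe:<IPv4> for a private IPv4 address,
    # 0200:5efe:<IPv4> for a globally unique one (u/l bit set). Built from raw bytes so
    # the prefix and the embedded IPv4 address need no string juggling.
    param([string]$Prefix64, [string]$IPv4, [switch]$GlobalIPv4)
    $prefix = [System.Net.IPAddress]::Parse($Prefix64).GetAddressBytes()[0..7]
    $first  = if ($GlobalIPv4) { 0x02 } else { 0x00 }
    $iid    = @($first, 0x00, 0x5e, 0xfe)
    $ip4    = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    New-Object System.Net.IPAddress -ArgumentList (, [byte[]]($prefix + $iid + $ip4))
}

$prefix48  = Get-6to4Prefix -PublicIPv4 '131.107.0.2'                      # 2002:836b:0002
$subnet64  = "${prefix48}:0001::"                                           # the lab's 2002:836b:2:1::/64
$isatap    = Get-IsatapAddress -Prefix64 $subnet64 -IPv4 '192.168.10.1'
$linkLocal = Get-IsatapAddress -Prefix64 'fe80::'   -IPv4 '192.168.10.1'   # the fe80 address ip

# The lab writes the last 32 bits as a dotted quad; this is the same address in hex form.
$expected = [System.Net.IPAddress]::Parse('2002:836b:2:1:0:5efe:c0a8:a01')
"6to4 prefix       : ${prefix48}::/48"
"ISATAP global     : $isatap   (equals lab value: $($isatap.Equals($expected)))"
"ISATAP link-local : $linkLocal"
```

Compare with IPAddress.Equals rather than with the printed string, because .NET and ipconfig may compress the zero group differently. The DNS server address on the DNS and Domain Controller page of the DirectAccess Setup wizard is exactly this computed value, so a change to the server's public IPv4 address changes every intranet host's ISATAP address and the DirectAccess setup has to be applied again.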
gpupdate /force
• On LON-CL1, click the Forward arrow, and then click Log off.
• In the User name box, type Contoso\Administrator, in the Password
box, type Pa$$w0rd, and then click the Forward button.
Enable.
• In the Network Connections window, click the Close button.
2. In the shared folder, Share, create a text document, VPNTest, with some text in
it.
• On the Start menu of LON-DC1, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, double-click Share.
• In the Share window, right-click anywhere, point to New, click Text
Document, type VPNTest, and then press ENTER.
• In the Name list of the Share window, double-click VPNTest.txt.
• In the VPNTest.txt – Notepad window, type today's date.
• On the File menu, click Save.
• On the File menu, click Exit.
• In the Share window, click the Close button.
3. On LON-SVR1, open the Console1 - [Console Root] console to add and enroll
a computer certificate with the following information:
• Request Certificates: VPN Reconnect and More information is
required to enroll for this certificate. Click here to configure
settings
• Subject name type: Common Name
• Value: vpn.contoso.com
• Alternative name type: DNS
• Value: vpn.contoso.com
• On the Start menu of LON-SVR1, click Run.
• In the Open box of the Run dialog box, type mmc, and then click OK.
• On the File menu of the Console1 – [Console Root] console, click Add/Remove Snap-in.
• In the Available snap-ins list of the Add or Remove Snap-ins dialog box,
click Certificates, and then click Add.
Next.
• In the Select Computer wizard, click Finish.
• In the Add or Remove Snap-ins dialog box, click OK.
• In the tree pane of the Console1 – [Console Root] console, expand
Certificates (Local Computer), expand Personal, and then click
Certificates.
• In the tree pane, under Personal, right-click Certificates, point to All
Tasks, and then click Request New Certificate.
• On the Before You Begin page of the Certificate Enrollment wizard, click
Next.
• On the Select Certificate Enrollment Policy page, click Next.
• On the Request Certificates page, select the VPN Reconnect check box,
and then click More information is required to enroll for this
certificate. Click here to configure settings.
• On the Subject tab of the Certificate Properties dialog box, in the Type
box of the Subject name area, click Common Name, in the Value box,
type vpn.contoso.com, and then click Add.
• In the Type box of the Alternative name area, click DNS, in the Value
box, type vpn.contoso.com, click Add, click Apply, and then click OK.
• On the Request Certificates page, click Enroll.
• On the Certificate Installation Results page, click Finish.
4. Verify that a new certificate with the name vpn.contoso.com is enrolled with
Intended Purposes of Server Authentication and IP security IKE intermediate.
• In the Certificates result pane of the Console1 – [Console
Root\Certificates] console, in the Issued To list, right-click
vpn.contoso.com, and then click Properties.
• In the vpn.contoso.com Properties dialog box, click Cancel.
• In the Console1 – [Console Root\Certificates] console, click the Close
button.
• In the Microsoft Management Console message box, click No.
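Step 4 above only opens the certificate's Properties. The following script is an added example, not part of the course lab, that checks the enrolled certificate for the properties the lab says it must have (the Server Authentication and IP security IKE intermediate EKUs, and the name vpn.contoso.com) plus the two things that most often break IKEv2 in practice: a missing private key and a certificate about to expire. It runs on LON-SVR1 and assumes only the name vpn.contoso.com from the steps above.

```powershell
# Added example, not from the course handbook. Run on LON-SVR1; assumes the subject and
# SAN name vpn.contoso.com used in the enrollment above.
$dnsName       = 'vpn.contoso.com'
$oidServerAuth = '1.3.6.1.5.5.7.3.1'     # Server Authentication
$oidIkeInterm  = '1.3.6.1.5.5.8.2.2'     # IP security IKE intermediate

function Test-IkeV2ServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)
    $problems = @()

    # Both EKUs the lab expects must be present; IKEv2 selects its server cert by them.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($eku) {
        $ekuOids = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku).EnhancedKeyUsages |
            ForEach-Object { $_.Value }
    }
    foreach ($o in $oidServerAuth, $oidIkeInterm) {
        if ($ekuOids -notcontains $o) { $problems += "missing EKU $o" }
    }

    # Clients connect to vpn.contoso.com, so that name must be in the Subject Alternative Name.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or $san.Format($false) -notmatch "DNS Name=$([regex]::Escape($Name))") {
        $problems += "SAN lacks DNS name $Name"
    }

    # A server certificate whose private key is missing cannot authenticate anything.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # Still valid, and not about to expire under you.
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($Cert.NotAfter)" }

    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Problems   = if ($problems) { $problems -join '; ' } else { 'none' }
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($dnsName))" } |
    ForEach-Object { Test-IkeV2ServerCert -Cert $_ -Name $dnsName } |
    Format-List Subject, Thumbprint, Problems
```

Run it again whenever the certificate is renewed: a renewed certificate with a different template, or one imported without its private key, passes the visual check in the console but fails here.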
1. On LON-SVR1, open the Routing and Remote Access console to configure and
enable Routing and Remote Access with the following information:
• Configuration: Remote access (dial-up or VPN)
• Name of the network interfaces: Internet
• Clear Enable security on the selected interface by setting up static
packet filters
• IP Address Assignment: From a specified range of addresses
• Start IP address: 192.168.10.200
• End IP address: 192.168.10.210
• On the Start menu of LON-SVR1, point to Administrative Tools, and
then click Routing and Remote Access.
• In the tree pane of the Routing and Remote Access console, right-click
LON-SVR1 (local), and then click Configure and Enable Routing and
Remote Access.
• On the Welcome to the Routing and Remote Access Server Setup
Wizard page of the Routing and Remote Access Server Setup Wizard, click
Next.
• On the Configuration page, ensure that the Remote access (dial-up or
VPN) option is selected, and then click Next.
• On the Remote Access page, select the VPN check box, and then click
Next.
• On the VPN Connection page, under Network interfaces, in the Name list, click Internet, clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next. (Clearing this check box is for the lab only: with the filters enabled, the Internet interface accepts only VPN traffic; without them, it accepts all traffic. Leave the filters enabled on a production VPN server.)
• On the IP Address Assignment page, click From a specified range of
addresses, and then click Next.
• On the Address Range Assignment page, click New.
• In the New IPv4 Address Range dialog box, in the Start IP address box,
type 192.168.10.200, in the End IP address box, type 192.168.10.210,
and then click OK.
• On the Address Range Assignment page, click Next.
• On the Managing Multiple Remote Access Servers page, click Next.
Task 3: Configure the Network Policy Server (NPS) to grant access for EAP-MSCHAPv2 authentication.
1. On LON-SVR1, launch NPS and configure the Microsoft Routing and Remote
Access server connection properties with the following information:
• Access Permission: Grant access. Grant access if the connection
request matches this policy
• Constraints: Authentication Methods
• EAP Types list: Remove Microsoft: Smart Card or other certificate
• In the tree pane of the Routing and Remote Access console, under LON-SVR1 (local), right-click Remote Access Logging & Policies, and then click Refresh.
• In the tree pane, under LON-SVR1 (local), right-click Remote Access
Logging & Policies, and then click Launch NPS.
• In the result pane of the Network Policy Server console, click Network Policies.
• In the Policy Name list of the Network Policies result pane, right-click
Connections to Microsoft Routing and Remote Access server, and then
click Properties.
• On the Overview tab of the Connections to Microsoft Routing and
Remote Access server Properties dialog box, in the Access Permission
area, click Grant access. Grant access if the connection request matches
this policy.
• In the Constraints list of the Constraints tab, click Authentication
Methods, in the EAP Types list, click Microsoft: Smart Card or other
certificate, and then click Remove.
• In the Connections to Microsoft Routing and Remote Access server
Properties dialog box, click OK.
• In the Network Policy Server console, click the Close button.
• On the Start menu, click All Programs, click Accessories, and then click
Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, type the following code, and then press ENTER.
ping vpn.contoso.com
Sharing.
• In the Settings area of the Advanced Sharing dialog box, click Caching.
• In the Offline Settings dialog box, select the Enable BranchCache check
box, and then click OK.
• In the Advanced Sharing dialog box, click OK.
• In the Share Properties dialog box, click Close.
• In the Local disk (C:) window, click the Close button.
OK.
• In the Setting list of the BranchCache result pane, right-click Set
BranchCache Distributed Cache mode, and then click Edit.
• In the Set BranchCache Distributed Cache mode dialog box, click
Enabled, and then click OK.
• In the Setting list of the BranchCache result pane, right-click Configure
BranchCache for network files, and then click Edit.
• In the Configure BranchCache for network files dialog box, click Enabled, in the Enter the round trip network latency value in milliseconds above which network files must be cached in the branch office box, type 0, and then click OK. (A value of 0 caches every file regardless of latency and is for the lab only; the default is 80 ms.)
• At the command prompt, type the following code, and then press ENTER.
gpupdate /force
3. Open the Performance Monitor console and add the following performance
counters:
• Discovery: Attempted discoveries
• Discovery: Successful Discoveries
• SMB: Bytes from Cache
• SMB: Bytes from server
• On the Start menu, in the Search programs and files box, type
Performance, and then press ENTER.
Configuring Windows Server 2008 R2 Features for Branch Offices L6-7
• At the command prompt, type the following code, and then press ENTER.
gpupdate /force
6. Open the Performance Monitor console and add the following performance
counters:
• Discovery: Attempted discoveries
• Discovery: Successful Discoveries
• SMB: Bytes from Cache
• SMB: Bytes from server
While the file is copying, view the Performance Monitor graph. Notice that the attempted discovery does not succeed, because the file is being copied to the branch office for the first time. Also note how long it takes to copy the file to LON-CL1.
2. Run the following code to check the current size of the Local Cache.
While copying the file, view the Performance Monitor graph. Notice that the attempted
discovery is successful and the file was copied much faster. Also view the SMB: Bytes
from Cache counter to confirm that the file was copied from the BranchCache.
4. Run the following code to verify that Local Cache has Active Current Cache
Size greater than 0.
gpupdate /force
3. Run the following code to verify whether the Hosted Cache client and the Hosted
Cache Location are configured for LON-SVR1.contoso.com.
• At the command prompt, type the following code, and then press ENTER.
4. On LON-CL2, open the command prompt and run the following code to
update all the group policy settings.
gpupdate /force
5. Run the following code to verify the status of the BranchCache settings.
• At the command prompt, type the following code, and then press ENTER.
• In the link-cert – Notepad window, select the entire line, and then press
CTRL-C.
• On the File menu, click Save.
• On the File menu, click Exit.
4. Open the command prompt and run the following code to add the SSL
certificate.
• On the Start menu, click All Programs, click Accessories, and then click
Command Prompt.
• At the command prompt of the Administrator: Command Prompt
window, press SHIFT-INSERT to insert the following code:
• At the command prompt, type the following code, and then press ENTER.
On LON-SVR1, in the Performance Monitor console, notice that the performance value of
the SMB: Bytes from server counter increases and SMB: Bytes from the cache counter
remains the same.
While copying the file, view the Performance Monitor graph on LON-SVR1. Notice that the
file is copied from the LON-DC1 file server: the SMB: Bytes from server counter increases
and the SMB: Bytes from the cache counter remains the same. You are copying the file to
the branch office for the first time, so it must come from the file server. Also make a
note of how long it takes to copy the file to LON-CL1.
On LON-SVR1, in the Performance Monitor console, view the SMB: Bytes from cache
counter to ensure that the file was copied from the BranchCache cache.
• On the Start menu of LON-CL2, in the Search programs and files box,
type \\LON-DC1.contoso.com\Share, and then press ENTER.
• In the Name list of the Share window, right-click edbres00001.jrs, and
then click Copy.
• In the Share window, click the Minimize button.
• In the Administrator: Command Prompt window, click the Minimize
button.
• On the Desktop, right-click anywhere, and then click Paste.
While copying the file, view the Performance Monitor graph on LON-SVR1. Notice that the
file was copied much faster. You can also view the SMB: Bytes from cache counter, which
confirms that the file was copied from the BranchCache cache.
3. On LON-SVR1, run the following code to verify that the Local Cache has an Active
Current Cache Size greater than 0.
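The two copy tests above (distributed cache on LON-CL1, hosted cache on LON-SVR1) read the BranchCache counters by eye in Performance Monitor. The following added example, which is not part of the course, samples the same counters from PowerShell on the client before and after the copy so the cache-versus-server split and the copy time are recorded as numbers; the counter paths are assumed from the counter names used in the lab, and the share and file name are the lab's.

```powershell
# Added example (not course code). Run on the branch-office client after
# the BranchCache Group Policy settings have been applied.
$counters = @(
    '\BranchCache\Discovery: Attempted Discoveries',   # assumed from lab counter names
    '\BranchCache\Discovery: Successful Discoveries',
    '\BranchCache\SMB: Bytes From Cache',
    '\BranchCache\SMB: Bytes From Server'
)

# Returns a hashtable of counter name -> current cooked value.
function Get-BCSample {
    $sample = @{}
    foreach ($c in (Get-Counter -Counter $counters).CounterSamples) {
        # Path looks like \\lon-cl1\branchcache\smb: bytes from cache; keep the leaf.
        $sample[$c.Path.Split('\')[-1]] = $c.CookedValue
    }
    $sample
}

$before = Get-BCSample
$sw = [System.Diagnostics.Stopwatch]::StartNew()
Copy-Item '\\LON-DC1.contoso.com\Share\edbres00001.jrs' "$env:USERPROFILE\Desktop\"
$sw.Stop()
$after = Get-BCSample

# Deltas tell you where the bytes came from. On the first copy to the
# branch expect Bytes From Server to grow and Successful Discoveries to
# stay flat; on the next copy from another branch client expect the reverse.
foreach ($path in $counters) {
    $name = $path.Split('\')[-1]
    '{0,-36} {1,14:N0}' -f $name, ($after[$name] - $before[$name])
}
'Copy took {0:N1} s' -f $sw.Elapsed.TotalSeconds
```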
only
• On LON-SVR1, in the tree pane of the Server Manager console, expand
Roles, expand File Services, expand DFS Management, and then click
Replication.
• In the Actions pane, click New Replication Group.
• On the Replication Group Type page of the New Replication Group
Wizard, ensure that the Multipurpose replication group option is
selected, and then click Next.
• In the Name of replication group box of the Name and Domain page,
type Contoso Reports, and then click Next.
• On the Replication Group Members page, click Add.
• In the Enter the object names to select (examples) box of the Select
Computers dialog box, type LON-DC1;LON-SVR1, and then click OK.
• On the Replication Group Members page, click Next.
• On the Topology Selection page, ensure that the Full mesh option is
selected, and then click Next.
• On the Replication Group Schedule and Bandwidth page, ensure that
the Replicate continuously using the specified bandwidth option is
selected, and then click Next.
• In the Primary member box of the Primary Members page, click LON-
DC1, and then click Next.
• On the Folders to Replicate page, click Add.
• In the Add Folders to Replicate dialog box, click Browse.
• In the Select a folder area of the Browse For Folder dialog box, expand
C$, click Share, and then click OK.
• In the Add Folders to Replicate dialog box, click OK.
• On the Folders to Replicate page, click Next.
• On the Local Path of Share on Other Members page, click Edit.
• In the Membership Status area of the Edit dialog box, click Enabled, and
then click Browse.
• In the Select a folder area of the Browse For Folder dialog box, expand
C$, click Share-Replica, and then click OK.
this member read only check box, and then click OK.
• On the Local Path of Share on Other Members page, click Next.
• On the Review Settings and Create Replication Group page, click
Create.
• On the Confirmation page, click Close.
• In the Replication Delay message box, click OK.
• In the tree pane of the Server Manager console, expand Replication, and
then click Contoso Reports.
• In the Contoso Reports result pane, verify that C:\Share-Replica has
Enabled (read-only) Membership status.
• On the Start menu of LON-CL1, in the Search programs and files box,
type \\contoso.com\Namespace1\Reports, and then press ENTER.
Text Document.
• In the Destination Folder Access Denied message box, click Cancel.
• In the Reports window, click the Close button.
Task 6: Make read-only DFS replica to read-write and test the client
access.
1. On LON-SVR1, change the read-only attribute of C:\Share-Replica to read-
write.
• On LON-SVR1, in the tree pane of the Server Manager console, under
Replication, click Contoso Reports.
• In the Local Path list of the Contoso Reports result pane, click C:\Share-
Replica.
• In the Actions pane, under LON-SVR1 (Share), click Make read-write.
2. On LON-CL1, navigate to \\contoso.com\Namespace1\Reports and create a
new text document in the read-write DFS replica, C:\Share-Replica.
If you still get the Access Denied message, the change of settings is not effective yet.
Close the Reports window, wait a few minutes, and then create the text document.
• On the Start menu of LON-CL1, in the Search programs and files box,
type \\contoso.com\Namespace1\Reports, and then press ENTER.
• In the Reports window, right-click anywhere, point to New, and then click
Text Document.
• In the Reports window, click the Close button.
Task 3: View and change the IIS settings through the Configuration
Manager.
1. Change the Web site name from Contoso Ltd. to Contoso Site by using
Configuration Editor and view the script that can be used to perform this
change.
• In the Connections pane of the Internet Information Services (IIS)
Manager console, click LON-DC1 (CONTOSO\Administrator).
• In the LON-DC1 Home result pane, under Management, double-click
Configuration Editor.
• In the Section box of the Configuration Editor result pane, under
system.applicationHost, click sites.
Configuring and Managing Windows Server 2008 R2 Web Services L7-3
near (Count=2).
• In the Items area of the Collection Editor -
system.applicationHost/sites/ dialog box, in the name list, click
Contoso Ltd.
• In the Properties area, change the name property from Contoso Ltd to
Contoso Site, and then click the Close button.
• In the Actions pane of the Internet Information Services (IIS) Manager
console, click Generate Script.
• In the Script Dialog dialog box, verify that the Managed Code (C#),
Scripting (JavaScript), and Command Line (AppCmd) tabs are there,
ensure that they contain script for renaming Web site, and then click
Close.
• In the Actions pane of the Internet Information Services (IIS) Manager
console, click Apply.
2. Refresh the LON-DC1 node to check whether the Web site name has changed
from Contoso Ltd. to Contoso Site.
• In the Connections pane, right-click LON-DC1
(CONTOSO\Administrator), and then click Refresh.
• In the Connections pane, expand Sites, and ensure that the site name has
changed from Contoso Ltd to Contoso Site.
3. Create a new application pool in Configuration Editor and generate a script for
its creation. The application pool should be created with the following
information:
• Name: ContosoPool
• identityType: NetworkService
• In the Section box of the Configure Editor result pane, under
system.applicationHost, click applicationPools, and then click
(Collection).
• In the Actions pane, click Edit Items.
pool starts.
• In the Home - Windows Internet Explorer window, click the Refresh
button.
• In the Internet Explorer dialog box, click Close.
After a few seconds, the new application pool starts, but the same Home page will be
displayed.
The Contoso Ltd. real estate picture is still displayed on the Contoso Web page, because
it is in .gif format.
• In the Contoso Site Home result pane, under IIS, double-click Request
Filtering.
On the Hidden Segments tab of the Request Filtering result pane, verify that the
web.config file is listed. This is one of the IIS configuration files; even though it is
present in the site folder, users are not allowed to request it.
The Contoso Ltd. real estate picture is still displayed, because it is in .gif format.
The Contoso Ltd. real estate picture is not displayed on the Contoso Web page.
The Contoso Ltd. real estate picture is not displayed on the Web page.
3. Remove both the jpg and gif files from the Request Filtering list.
• In the Request Filtering result pane of the Internet Information Services
(IIS) Manager console, click .gif.
• In the Actions pane, click Remove.
• In the Confirm Remove message box, click Yes.
• In the Request Filtering result pane, click .jpg.
• In the Actions pane, click Remove.
• In the Confirm Remove message box, click Yes.
• In the Home - Windows Internet Explorer window, click the Refresh
button.
• In the Internet Explorer dialog box, click Close.
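The Request Filtering steps above are done in IIS Manager. The following added example, not taken from the course, does the same work for the lab's Contoso Site with the WebAdministration module: it lists the hidden segments (web.config among them), denies the .gif and .jpg extensions, and then removes those rules again as in step 3. Site name and extensions are the lab's; the helper function names are mine.

```powershell
# Added example (not course code). Run on LON-DC1 in an elevated PowerShell.
Import-Module WebAdministration

$site   = 'Contoso Site'
$filter = 'system.webServer/security/requestFiltering'
$psPath = "IIS:\Sites\$site"

# Hidden segments: paths IIS refuses to serve even when the file exists.
# web.config and bin are there by default so configuration never leaks to a browser.
Get-WebConfiguration -Filter "$filter/hiddenSegments/add" -PSPath $psPath |
    Select-Object segment

# Deny one file extension for this site (same as the lab's GUI rule).
function Deny-FileExtension {
    param([string]$SiteName, [string]$Extension)
    $path  = "IIS:\Sites\$SiteName"
    $entry = Get-WebConfiguration -Filter "$filter/fileExtensions/add[@fileExtension='$Extension']" -PSPath $path
    if ($null -eq $entry) {
        Add-WebConfigurationProperty -Filter "$filter/fileExtensions" -Name '.' `
            -Value @{ fileExtension = $Extension; allowed = $false } -PSPath $path
    } else {
        Set-WebConfigurationProperty -Filter "$filter/fileExtensions/add[@fileExtension='$Extension']" `
            -Name allowed -Value $false -PSPath $path
    }
}

# Remove the rule again (the lab's step 3).
function Remove-FileExtensionRule {
    param([string]$SiteName, [string]$Extension)
    Remove-WebConfigurationProperty -Filter "$filter/fileExtensions" -Name '.' `
        -AtElement @{ fileExtension = $Extension } -PSPath "IIS:\Sites\$SiteName"
}

Deny-FileExtension -SiteName $site -Extension '.gif'
Deny-FileExtension -SiteName $site -Extension '.jpg'
# While these rules are in place a request for any .gif or .jpg gets HTTP 404.7.
Get-WebConfiguration -Filter "$filter/fileExtensions/add" -PSPath $psPath |
    Select-Object fileExtension, allowed

Remove-FileExtensionRule -SiteName $site -Extension '.gif'
Remove-FileExtensionRule -SiteName $site -Extension '.jpg'
```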
Import-Module ActiveDirectory
New-ADServiceAccount ContosoIIS
• At the command prompt, type the following command, and then press
ENTER.
Import-Module ActiveDirectory
• At the command prompt, type the following command, and then press
ENTER.
New-ADServiceAccount ContosoIIS
3. Run the following command to install the managed service account on a local
computer.
Install-ADServiceAccount ContosoIIS
• At the command prompt, type the following command, and then press
ENTER.
Install-ADServiceAccount ContosoIIS
After a few seconds, a new application pool starts and the same Home page appears as
before. This time, the Web site runs in the context of the ContosoIIS service account.
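The steps above create and install the managed service account and then switch the application pool to it in IIS Manager. The following added example, not from the course, does the whole sequence in PowerShell on the IIS server and then reads the pool identity back to confirm that no password is stored in the configuration; the account and pool names are the lab's, the domain name is read from Active Directory.

```powershell
# Added example (not course code). Run on the domain-joined IIS server
# (Windows Server 2008 R2) as a domain administrator.
Import-Module ActiveDirectory
Import-Module WebAdministration

$msaName  = 'ContosoIIS'    # managed service account from the lab
$poolName = 'ContosoPool'   # application pool from the lab
$domain   = (Get-ADDomain).NetBIOSName

# 1. Create the MSA once in AD.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$msaName'")) {
    New-ADServiceAccount -Name $msaName -Enabled $true
}

# 2. Bind the MSA to this computer. From now on AD rotates the account's
#    password like a computer-account password; no administrator knows it.
Install-ADServiceAccount -Identity $msaName

# 3. Run the pool as the MSA. The logon name ends in '$' and the password
#    stays empty: the worker process fetches it through the LSA, so nothing
#    secret lands in applicationHost.config. identityType 3 = SpecificUser.
$pool = "IIS:\AppPools\$poolName"
if (-not (Test-Path $pool)) { New-Item $pool | Out-Null }
Set-ItemProperty $pool -Name processModel -Value @{
    identityType = 3
    userName     = "$domain\$msaName`$"
    password     = ''
}
Restart-WebAppPool -Name $poolName

# 4. Verify: userName is CONTOSO\ContosoIIS$ and password is empty.
Get-ItemProperty $pool -Name processModel | Select-Object identityType, userName, password
```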
c:\Core-iis.bat
cd \
• At the command prompt, type the following script, and then press
ENTER.
C:\Core-iis.bat
In the lower-right corner of the Internet Information Services (IIS) Manager, verify that
you are connected to the remote server as administrator and you are using a secure
connection.
• In the Name list of the Local Disk (C:) window, double-click inetpub.
• In the Name list of the inetpub window, right-click Web_application, and
then click Copy.
• In the inetpub window, click the Close button.
• On the Start menu, in Search programs and files box, type \\LON-
CORE.contoso.com\c$\inetpub, and then press Enter.
• In the inetpub window, right-click anywhere, and then click Paste.
• In the inetpub window, click the Close button.
2. Create a new Web site, ASP.NET Site, at the LON-CORE server with the
following information:
• Site name: ASP.NET Site
• Physical path: c:\inetpub\Web_application
• Host name: LON-CORE.contoso.com
• In the Connections pane of the Internet Information Services (IIS)
Manager console, expand LON-CORE.contoso.com (Administrator),
right-click Sites, and then click Add Web Site.
• In the Site name box of the Add Web Site dialog box, type ASP.NET Site,
in the Physical path box, type c:\inetpub\Web_application, in the Host
name box, type LON-CORE.contoso.com, and then click OK.
Verify whether the ASP.NET Site has the same configuration options as IIS on Full
Installation of Windows Server 2008 R2. In the ASP.NET Site result pane, verify that you
have the same configuration options as IIS on Full Installation of Windows Server 2008
R2.
After several seconds, the Web page from the ASP.NET application on Server Core will be
displayed. Windows Server 2008 R2 Core is able to process ASP.NET applications.
Task 3: Create two FTP sites that use virtual host names.
1. On LON-DC1, create two FTP sites that use virtual host names by using the
Internet Information Services (IIS) Manager with the following information:
FTP Site1
• FTP site name: FTP Site 1
• Physical path: c:\inetpub\ftproot
• IP Address: 192.168.10.1
select the Read check box, and then click Finish.
• In the Connections pane of the Internet Information Services (IIS)
Manager console, under LON-DC1 (CONTOSO\Administrator), right-
click Sites, and then click Add FTP Site.
• On the Site Information page of the Add FTP Site Wizard, in the FTP site
name box, type FTP Site 2, in the Physical path box, type
c:\inetpub\contoso, and then click Next.
• On the Binding and SSL Settings page, in the IP Address box of the
Binding area, click 192.168.10.1, select the Enable Virtual Host Names
check box, and then in the Virtual Host box, type ftp2.contoso.com.
• On the Binding and SSL Settings page, click No SSL, and then click Next.
• In the Authentication area of the Authentication and Authorization
Information page, select the Basic check box.
• In the Authorization area, in the Allow access to box, click All users,
select the Read and Write check boxes, and then click Finish.
ftp ftp1.contoso.com
• At the command prompt, type the following command, and then press
ENTER.
ftp ftp1.contoso.com
ftp1.contoso.com|administrator
Pa$$w0rd
• At the command prompt, type the following command, and then press
ENTER.
ftp1.contoso.com|administrator
• At the command prompt, type the password, Pa$$w0rd, and then press
ENTER.
3. Run the following command to create a folder on the FTP1 site.
dir
mkdir FTP1
An Authorization rules denied the access error message appears because you have only
Read access to the FTP1.contoso.com ftp site.
• At the command prompt, type the following command, and then press
ENTER.
dir
• At the command prompt, type the following command, and then press
ENTER.
mkdir FTP1
An Authorization rules denied the access error message appears because you have only
Read access to the FTP1.contoso.com ftp site.
• At the command prompt, type the following command, and then press
ENTER.
quit
ftp ftp2.contoso.com
• At the command prompt, type the following command, and then press
ENTER.
ftp ftp2.contoso.com
ftp2.contoso.com|administrator
Pa$$w0rd
• At the command prompt, type the following command, and then press
ENTER.
ftp2.contoso.com|administrator
• At the command prompt, type the password, Pa$$w0rd, and then press
ENTER.
6. Run the following command to create a folder on the FTP2 site.
dir
mkdir FTP2
The error message does not appear because you have both Read and Write permissions
to the FTP1.contoso.com ftp site.
• At the command prompt, type the following command, and then press
ENTER.
dir
• At the command prompt, type the following command, and then press
ENTER.
mkdir FTP2
• At the command prompt, type the following command, and then press
ENTER.
quit
Add/Remove Snap-in.
• In the Available snap-ins area of the Add or Remove Snap-ins dialog box,
in the Snap-in list, click Certificates, and then click Add.
• In the Certificates snap-in wizard, click Computer account, and then click Next.
• In the Select Computer wizard, click Finish.
• In the Add or Remove Snap-ins dialog box, click OK.
2. Verify whether the certificate with the name LON-DC1.contoso.msft is there
and then change the certificate name of LON-DC1.contoso.com to SSL
Certificate.
• In the tree pane of the Certificates snap-in, open Certificates (Local
Computer)\Personal\Certificates.
• In the result pane of the Certificates snap-in, verify that certificate with the
name LON-DC1.contoso.com is displayed.
• In the tree pane, right-click LON-DC1.contoso.com, and then click
Properties.
• In the Friendly name box, type SSL Certificate, and then click OK.
• In the Console1 - [Console Root\Certificates (Local
Computer)\Personal\Certificates] window, click the Close button.
• In the Microsoft Management Console message box, click No.
3. On LON-DC1, create an SSL-enabled FTP site by using the Internet
Information Services (IIS) Manager with the following information:
• FTP site name: SSL FTP Site
• Physical path: c:\inetpub\ftproot
• SSL Certificate: SSL Certificate
• Authentication: Basic
• Allow access to: All users
• Permission: Read
• On LON-DC1, in the Connections pane of the Internet Information
Services (IIS) Manager console, under LON-DC1
(CONTOSO\Administrator), right-click Sites, and then click Add FTP
Site.
name box, type SSL FTP Site, in the Physical path box, type
c:\inetpub\ftproot, and then click Next.
• On the Binding and SSL Settings page, in the SSL Certificate box of the
SSL area, click SSL Certificate, and then click Next.
• In the Authentication area of the Authentication and Authorization
Information page, select the Basic check box.
• In the Authorization area, in the Allow access to box, click All users,
select the Read check box, and then click Finish.
4. Set the following SSL FTP settings to configure additional SSL settings to
ensure that all user credentials are encrypted.
• SSL Policy: Custom
• Control Channel: Require only for credential
• Data Channel: Allow
• In the Connections pane of the Internet Information Services (IIS)
Manager console, under Sites, click SSL FTP Site.
• In the SSL FTP Site Home result pane, under FTP, double-click FTP SSL
Settings.
• In the SSL Policy area of the FTP SSL Settings page, click Custom, and
then click Advanced.
• In the Control Channel area of the Advanced SSL Policy dialog box, click
Require only for credentials, in the Data Channel area, click Allow, and
then click OK.
• In the Actions pane of the Internet Information Services (IIS) Manager
console, click Apply.
5. At the command prompt, run the following command to log on the FTP site
with the user name, Administrator, and the password, Pa$$w0rd.
ftp lon-dc1.contoso.com
You will get an Access Denied message because the SSL policy requires SSL for
credentials, and the FTP client from the command line does not support it.
ftp lon-dc1.contoso.com
• At the command prompt, type the user name as Administrator, and then
press ENTER.
You will get an Access Denied message, because the SSL policy requires SSL for
credentials, and the FTP client from the command line does not support it.
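Step 4 above sets the custom SSL policy through the FTP SSL Settings page. The following added example, which is not part of the course, applies the same policy to the lab's SSL FTP Site from PowerShell and reads it back, so the setting can be checked without opening IIS Manager. The site name and the certificate friendly name are the lab's; the configuration attribute names are those of the IIS 7.5 FTP service.

```powershell
# Added example (not course code). Run on LON-DC1 in an elevated PowerShell.
Import-Module WebAdministration

$siteName = 'SSL FTP Site'
$certName = 'SSL Certificate'
$ftpSsl   = "system.applicationHost/sites/site[@name='$siteName']/ftpServer/security/ssl"

# Locate the server certificate by the friendly name given in the lab.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $certName }
if (-not $cert) { throw "No certificate with friendly name '$certName' in LocalMachine\My" }

# controlChannelPolicy: SslAllow | SslRequire | SslRequireCredentialsOnly
# dataChannelPolicy:    SslAllow | SslRequire | SslDeny
# SslRequireCredentialsOnly is what the GUI calls "Require only for credentials":
# USER/PASS must travel inside TLS, the rest of the session may be plain.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $ftpSsl -Name serverCertHash       -Value $cert.Thumbprint
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $ftpSsl -Name serverCertStoreName  -Value 'My'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $ftpSsl -Name controlChannelPolicy -Value 'SslRequireCredentialsOnly'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $ftpSsl -Name dataChannelPolicy    -Value 'SslAllow'

# Read back what the service will enforce.
Get-WebConfiguration -PSPath 'IIS:\' -Filter $ftpSsl |
    Select-Object serverCertHash, controlChannelPolicy, dataChannelPolicy

# ftp.exe cannot negotiate TLS, so with this policy its logon is refused; that
# is the Access Denied seen in step 5, not an authorization-rule problem.
```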
Get-Command
At the command prompt, type Add, and then press the TAB key. Verify that auto
complete will complete the command name with first available option, Add-Member.
Press TAB multiple times to verify the functionality of auto complete.
2. Run the following command to get help for the Get-Alias command. Also view
the information about the Get-Alias command, such as description, synopsis,
syntax, related links, and remarks.
Get-Help Get-Alias
• At the command prompt, type the following command, and then press
ENTER.
Get-Help Get-Alias
3. Run the following command to view the list of available alias commands.
Get-Alias
• At the command prompt, type the following command, and then press
ENTER.
Get-Alias
4. Run the following command to view the list of all running processes on the
server.
Get-Process
• At the command prompt, type the following command, and then press
ENTER.
Get-Process
Processes
• At the command prompt, type the following command, and then press
ENTER.
Processes
6. Run the following command to define new alias and view the list of running
processes.
• At the command prompt, type the following command, and then press
ENTER.
• At the command prompt, type the following command, and then press
ENTER.
Processes
7. Run the following command to verify that you have defined the new alias,
Processes.
Get-Alias
• At the command prompt, type the following command, and then press
ENTER.
Get-Alias
8. Run the following command to verify that the same alias help options as the
Get-Process command are available.
L8-4 Managing Windows Server 2008 R2 with Windows PowerShell 2.0
Get-Help Processes
• At the command prompt, type the following command, and then press
ENTER.
Get-Help Processes
2. Run the following command to sort the processes by their ID and to view only
the ID, Handles, and ProcessName of the running process.
• At the command prompt, type the following command, and then press
ENTER.
3. Run the following command to view the first 10 running processes sorted by
their ID.
• At the command prompt, type the following command, and then press
ENTER.
• At the command prompt, type the following command, and then press
ENTER.
5. Run the following command to obtain all running processes, sort them by ID,
store them in a variable, and display the processes stored.
• At the command prompt, type the following command, and then press
ENTER.
• At the command prompt, type the following command, and then press
ENTER.
$processes
cd env:
md Today -Value "enter today's day"
• At the command prompt, type the following command, and then press
ENTER.
cd env:
• At the command prompt, type the following command, and then press
ENTER.
2. Run the following command to verify that the new variable, Today, is defined
with the value, Wednesday.
dir
• At the command prompt, type the command, and then press ENTER.
dir
3. Run the following command to use a provider for Windows registry and to
add a new Windows registry key.
cd hkcu:
md Wednesday
• At the command prompt, type the following command, and then press
ENTER.
cd hkcu:
• At the command prompt, type the following command, and then press
ENTER.
md Wednesday
4. Open Registry Editor and verify that the HKCU registry hive contains the
Today key.
regedit
• At the command prompt, type the following command, and then press
ENTER.
regedit
cd cert:
cd localmachine\my
• At the command prompt, type the following command, and then press
ENTER.
cd cert:
• At the command prompt, type the following command, and then press
ENTER.
cd localmachine\my
6. View the list of digital certificates in the computer store by running the
following command.
dir
• At the command prompt, type the following command, and then press
ENTER.
dir
7. Open the Certificates snap-in and verify whether the computer certificates are
the same as those from the PowerShell interface.
• On the Start menu, click Run.
• In the Open box of the Run dialog box, type mmc, and then click OK.
• On the File menu of the Console1 - [Console Root] console, click
Add/Remove Snap-in.
• In the Available snap-ins area of the Add or Remove Snap-ins dialog box,
in the Snap-in list, click Certificates, and then click Add.
• In the Certificates snap-in dialog box, click Computer account, and then
click Next.
• In the Select Computer dialog box, click Finish.
• In the Add or Remove Snap-ins dialog box, click OK.
• In the tree pane of the Console1 - [Console Root] console, expand
Certificates (Local Computer), expand Personal, and then click
Certificates.
An error message appears stating that WinRM is not enabled by default on the remote
Windows Server 2008 R2 computer.
After some time, you will get an error, because WinRM is not enabled by default on the
remote Windows Server 2008 R2 computer.
Enable-PSRemoting -Force
processes.
Task 1: Add Windows PowerShell ISE and import the Active Directory
module.
1. On LON-DC1, install the Windows PowerShell Integrated Scripting
Environment (ISE) feature by using the Server Manager console.
• On the Start menu of LON-DC1, point to Administrative Tools, and then
click Server Manager.
Get-Command *-ad*
• On the Start menu, in the Search programs and files box, type power,
and then click Windows PowerShell ISE.
• At the command prompt of the Administrator: Windows PowerShell ISE
window, type the following command, and then press ENTER.
Get-Command *-ad*
3. Import the Active Directory module and then verify whether the Active
Directory commands are added by running the following command.
Import-Module ActiveDirectory
Get-Command *-ad*
• At the command prompt, type the following command, and then press
ENTER.
Import-Module ActiveDirectory
• At the command prompt, type the following command, and then press
ENTER.
Get-Command *-ad*
cd AD:
dir
cd AD:
• At the command prompt, type the following command, and then press
ENTER.
dir
2. Query the information on the contoso.com domain and the domain controller
that you are using in the contoso.com domain by running the following
command.
Get-ADDomain Contoso.com
Get-ADDomainController
• At the command prompt, type the following command, and then press
ENTER.
Get-ADDomain Contoso.com
• At the command prompt, type the following command, and then press
ENTER.
Get-ADDomainController
3. Query the information in a global catalog in the forest and the domain
password policy in the contoso.com domain by running the following
command.
ENTER.
• At the command prompt, type the following command, and then press
ENTER.
Get-ADDefaultDomainPasswordPolicy Contoso.com
4. Count the number of Active Directory objects and view all the computer
objects in the domain in the form of a table by running the following
command.
• At the command prompt, type the following command, and then press
ENTER.
• At the command prompt, type the following command, and then press
ENTER.
5. Run the following command to export all objects from the Users container to a
CSV file.
• At the command prompt, type the following command, and then press
ENTER.
Users container.
• On the Start menu, click Computer.
• In the Computer window, double-click Local Disk (C:).
• In the Name list of the Local Disk (C:) window, right-click Export.csv, and
then click Open.
• In the Windows dialog box, click Select a program from a list of
installed programs, and then click OK.
• In the Open with dialog box, click WordPad, and then click OK.
• In the Export.csv - WordPad window, click the Close button.
• In the Local Disk (C:) window, click the Close button.
cd "cn=users,dc=contoso,dc=com"
dir
cd "cn=users,dc=contoso,dc=com"
• At the command prompt, type the following command, and then press
ENTER.
dir
Open Active Directory Users and Computers and compare the output of the dir alias with
the content of the Users container.
New-ADUser User1
Move-ADObject -Identity "cn=User1,cn=Users,dc=contoso,dc=com" -TargetPath "OU=Remote Access,dc=contoso,dc=com"
• At the command prompt, type the following command, and then press
ENTER.
New-ADUser User1
• At the command prompt, type the following command, and then press
ENTER.
Move-ADObject -Identity "cn=User1,cn=Users,dc=contoso,dc=com" -TargetPath "OU=Remote Access,dc=contoso,dc=com"
4. Create a User3 Active Directory user with additional attributes by running the
following command.
• At the command prompt, type the following command, and then press
ENTER.
• At the command prompt, type the following command, and then press
ENTER.
• At the command prompt, type the following command, and then press
ENTER.
6. Open the Active Directory Users and Computers console and verify that the
First and Last names have been defined for User1. Also verify that the Home
page has been defined for User2.
• On the Start menu, point to Administrative Tools, and then click Active
Directory Users and Computers.
• In the tree pane of the Active Directory Users and Computers console,
expand Contoso.com, and then click Remote Access.
• In the Name list of the Remote Access result pane, right-click User1, and
then click Properties.
• In the User1 Properties dialog box, click Cancel.
• In the Name list of the Remote Access result pane, right-click User2, and
then click Properties.
• In the User2 Properties dialog box, click Cancel.
• In the Active Directory Users and Computers console, click the Close
button.
7. Run the following command to modify the properties of multiple users.
8. Open the Active Directory Users and Computers console and verify that
User1, User2, and User3 have the description set to Remote Access User.
• On the Start menu, point to Administrative Tools, and then click Active
Directory Users and Computers.
• In the Name list of the Remote Access result pane, right-click User1, and
then click Properties.
• In the User1 Properties dialog box, click Cancel.
• In the Name list of the Remote Access result pane, right-click User2, and
then click Properties.
• In the User2 Properties dialog box, click Cancel.
• In the Name list of the Remote Access result pane, right-click User3, and
then click Properties.
• In the User3 Properties dialog box, click Cancel.
9. Run the following command to view the list of disabled accounts.
10. Delete the User1 account from Active Directory by running the following
command.
Remove-ADUser User1
• At the command prompt, type the following command, and then press
ENTER.
Remove-ADUser User1
longer present.
• In the Active Directory Users and Computers console, click the Remote
Access OU, and then click the Refresh icon.
• In the Remote Access result pane, verify the User1 is no longer present.
12. Add User2 to the RD Users group by running the following command:
13. In the Active Directory Users and Computers console, verify that RD Users
group (in Remote Access OU) has User2 as a member.
• In the Name list of the Remote Access result pane, right-click RD Users,
and then click Properties.
• On the Members tab of the RD Users Properties dialog box, ensure that
User2 is a member, and then click Cancel.
• At the command prompt, type the following command, and then press
ENTER.
2. Run the following command to find the organizational units that match certain
criteria and modify their description.
• At the command prompt, type the following command, and then press
ENTER.
• At the command prompt, type the following command, and then press
ENTER.
The command will fail, because the organizational units are protected from accidental
deletion by default.
• At the command prompt, type the following command, and then press
ENTER.
deletion by default.
• At the command prompt, type the following command, and then press
ENTER.
• At the command prompt, type the following command, and then press
ENTER.
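The user-management steps (create, move, modify, list disabled accounts, delete, add to group) and the organizational-unit steps above each show one command at a time. The following added example, which is not course code, runs the User1 to User3 workflow in the lab's Remote Access OU as one script and then shows what "protected from accidental deletion" does to Remove-ADOrganizationalUnit; it assumes the Remote Access OU and the RD Users group already exist, and the throwaway "Temp OU" is my own.

```powershell
# Added example (not course code). Run on LON-DC1 as a domain administrator.
Import-Module ActiveDirectory

$ou = 'OU=Remote Access,DC=contoso,DC=com'   # from the lab

# Create the users directly in the OU instead of creating in CN=Users and moving.
# No password is supplied, so the accounts stay disabled until someone sets one.
New-ADUser -Name 'User1' -Path $ou -GivenName 'First' -Surname 'User'
New-ADUser -Name 'User2' -Path $ou -HomePage 'http://www.contoso.com'
New-ADUser -Name 'User3' -Path $ou -Department 'Remote Access' -EmailAddress 'user3@contoso.com'

# Modify several users at once: filter, then pipe into Set-ADUser.
Get-ADUser -Filter "Name -like 'User*'" -SearchBase $ou |
    Set-ADUser -Description 'Remote Access User'

# Disabled accounts in the OU (step 9). All three appear here at this point.
Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $ou | Select-Object Name, Enabled

# Group membership (steps 12 and 13).
Add-ADGroupMember -Identity 'RD Users' -Members 'User2'
Get-ADGroupMember -Identity 'RD Users' | Select-Object Name

# Delete User1 (step 10).
Remove-ADUser -Identity 'User1' -Confirm:$false

# New OUs are protected from accidental deletion by default, so the first
# Remove-ADOrganizationalUnit fails. Clearing the flag is a deliberate,
# auditable act; leave it set on any OU you do not intend to delete.
$tempOu = New-ADOrganizationalUnit -Name 'Temp OU' -Path 'DC=contoso,DC=com' -PassThru
try {
    Remove-ADOrganizationalUnit -Identity $tempOu -Confirm:$false -ErrorAction Stop
} catch {
    Write-Warning "Delete blocked: $($_.Exception.Message)"
    Set-ADOrganizationalUnit -Identity $tempOu -ProtectedFromAccidentalDeletion $false
    Remove-ADOrganizationalUnit -Identity $tempOu -Confirm:$false
}
```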
module.
1. On LON-DC1, in the Windows PowerShell ISE window, run the following
command to verify that there are no Web Administration–related commands
and to set the execution policy.
Get-Command *-web*
Set-ExecutionPolicy RemoteSigned
Get-Command *-web*
• At the command prompt, type the following command, and then press
ENTER.
Set-ExecutionPolicy RemoteSigned
The Web Administration module includes scripts, which are not allowed to run by default.
To allow them, you must either digitally sign them or set the execution policy to RemoteSigned.
2. Add the Web Administration module and then view the Web Administration–
related commands by running the following command:
Import-Module WebAdministration
Get-Command *-web*
• At the command prompt, type the following command, and then press
ENTER.
Import-Module WebAdministration
• At the command prompt, type the following command, and then press
ENTER.
Get-Command *-web*
displayed.
Task 2: Explore Web Administration, create a Web site, and define its
binding.
1. Run the following command to use a provider for Web Administration and to
display the information in Internet Information Services.
cd IIS:
dir
• At the command prompt, type the following command, and then press
ENTER.
cd IIS:
• At the command prompt, type the following command, and then press
ENTER.
dir
2. Run the following command to move to the Sites folder and list the sites on
LON-DC1.
cd Sites
dir
• At the command prompt, type the following command, and then press
ENTER.
cd Sites
• At the command prompt, type the following command, and then press
ENTER.
dir
3. Open the Internet Information Services (IIS) Manager console and verify that
the same sites are available as those in the Windows PowerShell environment.
• At the command prompt, type the following command, and then press
ENTER.
dir
5. In the Internet Information Services (IIS) Manager console, verify that the new
Web site, Demo Site, is present.
• In the Internet Information Services (IIS) Manager console, right-click
Sites, click Refresh, and then verify that the new Web site, Demo Site, is
present.
6. Define the host name binding for the created Web site by running the
following command:
site has two bindings, one with IP Address and the other with the host name
defined.
• In the Connections pane of the Internet Information Services (IIS)
Manager console, under Sites, click Demo Site.
• In the Actions pane, under Edit Site, click Bindings.
• In the Site Bindings dialog box, ensure that there are two bindings, and then
click Close.
8. Open the Internet Explorer window, connect to the new Web site,
lon-dc1.contoso.com, and then press ENTER.
• On the Start menu, point to All Programs, and then click Internet
Explorer.
• In the Address bar of the Blank Page - Windows Internet Explorer
window, type lon-dc1.contoso.com, and then press ENTER.
• In the Internet Explorer dialog box, click Close.
• The new Web site will be displayed in the Home - Windows Internet Explorer
window.
9. Add a virtual directory to the existing Web site by running the following
command.
New-WebAppPool DemoAppPool
Set-ItemProperty "IIS:\Sites\Demo Site" -name applicationPool -value DemoAppPool
New-WebAppPool DemoAppPool
• At the command prompt, type the following command, and then press
ENTER.
2. In the Internet Information Services (IIS) Manager console, verify that the
Demo site runs in the DemoAppPool application pool.
• In the Actions pane of the Internet Information Services (IIS) Manager
console, under Edit Site, click Basic Settings.
• In the Edit Site dialog box, ensure that Application Pool is
DemoAppPool, and then click Cancel.
• In the IIS - Windows Internet Explorer window, click the Refresh button.
3. Delete the Demo Web site by running the following command:
4. In the Internet Information Services (IIS) Manager console, verify that Demo
Site is no longer present.
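The steps above create the site, its binding, and its application pool one command at a time. The following is an added example, not part of the course lab, that performs the same work through the IIS: provider with the settings a practitioner would want checked: a dedicated pool under the per-pool virtual identity and a host-name binding, followed by a verification function. The site, pool, host name and physical path are assumed values that follow the lab's names.

```powershell
# Added example, not part of the course lab: create the demo site in its own
# application pool under the per-pool virtual identity and with a host-name
# binding only, then verify that through the IIS: provider. The site, pool,
# host name and physical path are assumed values matching the lab names.
Import-Module WebAdministration

$siteName = 'Demo Site'
$poolName = 'DemoAppPool'
$hostName = 'lon-dc1.contoso.com'
$physical = 'C:\inetpub\DemoSite'   # assumed content folder

if (-not (Test-Path $physical)) { New-Item -ItemType Directory -Path $physical | Out-Null }

# A dedicated pool means this site never shares a worker process identity
# with another site, and it can be recycled or stopped on its own.
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
# processModel.identityType 4 = ApplicationPoolIdentity (low-privilege virtual account)
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value 4

# Bind to the host name rather than to every address on port 80.
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $physical -Port 80 `
        -HostHeader $hostName -ApplicationPool $poolName | Out-Null
}

function Test-SiteIsolation {
    param([string]$Name, [string]$ExpectedPool)
    $site = Get-Item "IIS:\Sites\$Name"
    $pool = Get-Item "IIS:\AppPools\$ExpectedPool"
    $bindings = @(Get-WebBinding -Name $Name | ForEach-Object { $_.bindingInformation })
    New-Object PSObject -Property @{
        Site         = $Name
        PoolMatches  = ($site.applicationPool -eq $ExpectedPool)
        PoolIdentity = $pool.processModel.identityType
        Bindings     = ($bindings -join ', ')
        # a binding ending in ":" has an empty host part and answers for any name
        HostHeaderOnly = (@($bindings | Where-Object { $_ -match ':$' }).Count -eq 0)
    }
}
Test-SiteIsolation -Name $siteName -ExpectedPool $poolName | Format-List
```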
Task 1: Import the Server Manager module, view server roles, and add a
feature.
1. In the Windows PowerShell ISE window, run the following command to
import the ServerManager PowerShell module and to view the Server
Manager–related commands.
Import-Module ServerManager
Get-Module ServerManager
Import-Module ServerManager
• At the command prompt, type the following command, and then press
ENTER.
Get-Module ServerManager
2. Run the following command to view the available Server Manager commands
and to view the list of server roles and features.
Get-Command *feature*
Get-WindowsFeature
ENTER.
Get-Command *feature*
• At the command prompt, type the following command, and then press
ENTER.
Get-WindowsFeature
3. In the Server Manager console, verify that the Network Load Balancing feature
is not installed.
• On the Start menu of LON-DC1 server, point to Administrative Tools,
and then click Server Manager.
• In the tree pane of the Server Manager console, click Features.
• In the Features result pane, verify that the Network Load Balancing
feature is not installed.
4. Verify whether the Network Load Balancing feature has an NLB name by
running the following command.
Add-WindowsFeature NLB
Add-WindowsFeature NLB
5. In the Server Manager console, verify that the Network Load Balancing feature
is now installed.
• In the tree pane of the Server Manager console, right-click Features, click
Refresh, and then click Features.
• In the Features result pane, ensure that the Network Load Balancing
feature is now installed.
• At the command prompt, type the following command, and then press
ENTER.
3. On LON-SVR1, verify that the Network Load Balancing feature is now installed
by using the Server Manager console.
• On LON-SVR1, in the tree pane of the Server Manager console, click
Features.
• In the Features result pane, ensure that the Network Load Balancing
feature is now installed.
• In the Server Manager console, click the Close button.
• On LON-DC1, in the Server Manager console, click the Close button.
• On LON-DC1, in the Administrator: Windows PowerShell ISE window,
click the Close button.
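Get-WindowsFeature also gives you a simple way to notice when a server's installed roles and features have drifted from what was planned. The following is an added example, not part of the course lab; the baseline list in it is a constructed sample for LON-DC1.

```powershell
# Added example, not part of the course lab: compare installed roles and features
# against an expected baseline and report drift, so an Add-WindowsFeature that
# nobody planned (NLB in the lab, for instance) is noticed instead of silently kept.
# The baseline list is a constructed sample for LON-DC1, not an official one.
Import-Module ServerManager

function Get-FeatureDrift {
    param(
        [Parameter(Mandatory=$true)][string[]]$Baseline,
        # Takes Get-WindowsFeature output as input so the comparison can be tested offline.
        [Parameter(Mandatory=$true)]$Features
    )
    $installed  = @($Features | Where-Object { $_.Installed } | ForEach-Object { $_.Name })
    $unexpected = @($installed | Where-Object { $Baseline -notcontains $_ })
    $missing    = @($Baseline  | Where-Object { $installed -notcontains $_ })
    New-Object PSObject -Property @{
        Unexpected = $unexpected   # installed, but not in the baseline
        Missing    = $missing      # in the baseline, but not installed
    }
}

# Constructed baseline; on a real host capture it from a known-good build with
#   Get-WindowsFeature | Where-Object { $_.Installed } | ForEach-Object { $_.Name }
$baseline = @('AD-Domain-Services', 'DNS', 'Web-Server', 'PowerShell-ISE')
$drift = Get-FeatureDrift -Baseline $baseline -Features (Get-WindowsFeature)
$drift | Format-List
# Review each unexpected entry before removing it; -WhatIf previews the change:
#   Remove-WindowsFeature -Name <feature> -WhatIf
```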
What Is DNSSEC?
provided to the resolver before the resolver authenticates the SIG resource records.
DNSSEC verifies whether the resolver has received records from a secure DNS
zone. Using DNSSEC, the resolver validates that the IP address it receives for a
domain name is authentic and has not been modified.
Appendix iii
DNSSEC on the Windows Server 2008 R2 DNS server allows you to sign both file-
based zones and Active Directory–integrated zones through an offline zone signing
tool. This signed zone will then be replicated by zone-transfer or AD replication to
other authoritative DNS servers. When you configure DNSSEC with a trust anchor,
a DNS server can perform DNSSEC validation on responses received on behalf of
the client.
The DNS client in Windows Server 2008 R2 and Windows 7 is a non-validating
security-aware resolver. This means that the DNS client will transfer the validation
responsibilities to its local DNS server, but the client can receive DNSSEC
responses. The behavior of the DNS client can be controlled by using a policy that
determines whether the client should check for validation results for names within
a given namespace. The client will then return the results of the query to the
application only if the validation has been successfully performed by the server.
You can use DNS server management tools such as DNS Manager and Dnscmd.exe to
view and modify trust anchors, locally or remotely. Trust anchors apply only to
the zones for which they are defined.
If the DNS server runs on a domain controller, you can store trust anchors in the
forest directory partition in Active Directory Domain Services (AD DS). You can
then replicate the trust anchors to all domain controllers in the forest. On
standalone DNS servers, trust anchors are stored in the file, TrustAnchors.dns, in
%windir%\System32\DNS.
The following are the high-level steps for deploying DNSSEC on the DNS Server:
1. Identify the signing DNS servers.
2. Export the zone to a file and transfer the file to the signing DNS server.
3. Identify the Zone Signing Key (ZSK) rollover mechanism.
4. Generate the keys.
5. Sign a zone.
6. Reload the zone.
cd c:\windows\system32\dns
cd c:\windows\system32\dns
2. Run the following command to verify that there is no Contoso.com zone file.
dir
• At the command prompt, type the following command, and then press
ENTER.
dir
3. Open the DNS Manager console and change the zone type of Contoso.com
Forward Lookup Zone.
• On the Start menu, point to Administrative Tools, and then click DNS.
• In the tree pane of the DNS Manager console, expand LON-DC1, expand
Forward Lookup Zones, right-click Contoso.com, and then click Properties.
• On the General tab of the Contoso.com Properties dialog box, click the
Change button next to Type: Active Directory-Integrated.
• In the Change Zone Type dialog box, clear Store the zone in Active
Directory (available only if DNS server is a domain controller), and
then click OK.
• In the DNS message box, click Yes.
• In the Contoso.com Properties dialog box, click OK.
4. Run the following command to verify that the Contoso.com.dns file is there.
dir
• At the command prompt, type the following command, and then press
ENTER.
dir
5. Open the Console1 - [Console Root] console to add Certificates snap-in for the
computer account.
• On the Start menu, click Run.
• In the Open box of the Run dialog box, type mmc, and then press
ENTER.
• On the File menu of the Console1 - [Console Root] console, click
Add/Remove Snap-in.
• In the Available snap-ins area of the Add or Remove Snap-ins dialog box,
in the Snap-in list, click Certificates, and then click Add.
• In the Certificates snap-in wizard, click Computer account, and then click
Next.
• In the Select Computer wizard, click Finish.
• In the Add or Remove Snap-ins dialog box, click OK.
6. Run the following command to add MS-DNSSEC to the Certificates node.
• At the command prompt, type the following command, and then press
ENTER.
• In the tree pane of the DNS Manager console, under Forward Lookup
Zones, right-click Contoso.com, and then click Reload.
• In the DNS message box, click Yes.
• In the tree pane of the DNS console, under Forward Lookup Zones, right-click
Contoso.com, and then click Refresh.
• View the new NSEC records in the Forward Lookup Zones.
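Once a zone has been signed and reloaded, the check that matters operationally is whether the RRSIG records are still inside their validity window, because validating resolvers reject a zone whose signatures have expired; this ties the lab above to step 3 of the high-level deployment list (the ZSK rollover mechanism). The following script is an added example, not part of the course lab: it parses a signed zone file in standard presentation format and reports each RRSIG's expiry together with the presence of DNSKEY and NSEC records. The zone text embedded in it is constructed sample data with placeholder keys and signatures.

```powershell
# Added example, not part of the course lab: parse a signed zone file such as
# %windir%\System32\DNS\contoso.com.dns and report every RRSIG's validity window plus
# whether DNSKEY and NSEC records exist; an expired RRSIG makes validating resolvers
# reject the zone, so schedule this check against the ZSK rollover plan.
function Get-ZoneSignatureStatus {
    param([Parameter(Mandatory=$true)][string[]]$ZoneLines,
          [datetime]$Now = (Get-Date).ToUniversalTime())
    $inv = [Globalization.CultureInfo]::InvariantCulture; $styles = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $rrType = '^(A|AAAA|NS|SOA|CNAME|MX|PTR|SRV|TXT|DS|DNSKEY|RRSIG|NSEC|NSEC3)$'
    $records = @(); $buf = ''   # strip ; comments, join records continued inside ( )
    foreach ($line in $ZoneLines) {
        $line = ($line -split ';')[0]
        if ($line.Trim() -eq '') { continue }
        $buf += ' ' + $line
        if (($buf -split '\(').Count -eq ($buf -split '\)').Count) { $records += ($buf -replace '[()]', ' '); $buf = '' }
    }
    $types = @{}
    $sigs = foreach ($r in $records) {
        $t = @($r -split '\s+' | Where-Object { $_ -ne '' })
        # First RR-type token after the owner name (class IN is optional in Windows .dns files)
        $i = -1
        for ($j = 1; $j -lt $t.Count -and $i -lt 0; $j++) { if ($t[$j] -cmatch $rrType) { $i = $j } }
        if ($i -lt 0) { continue }            # $ORIGIN / $TTL directives
        $types[$t[$i]] = $true
        if ($t[$i] -ne 'RRSIG') { continue }
        # RRSIG rdata after the type: covered alg labels origTTL expiration inception keytag signer sig
        $exp = [datetime]::ParseExact($t[$i + 5], 'yyyyMMddHHmmss', $inv, $styles)
        $inc = [datetime]::ParseExact($t[$i + 6], 'yyyyMMddHHmmss', $inv, $styles)
        New-Object PSObject -Property @{
            Owner = $t[0]; Covers = $t[$i + 1]; KeyTag = $t[$i + 7]; Expires = $exp
            DaysLeft = [math]::Floor(($exp - $Now).TotalDays)
            Valid = ($Now -ge $inc -and $Now -lt $exp)
        }
    }
    New-Object PSObject -Property @{
        HasDNSKEY = [bool]$types['DNSKEY']; HasNSEC = [bool]($types['NSEC'] -or $types['NSEC3'])
        Signatures = @($sigs); NotValidNow = @($sigs | Where-Object { -not $_.Valid }).Count
    }
}
# Constructed sample zone text (placeholder keys and signatures), one RRSIG split across lines.
$sample = @'
contoso.com. 3600 IN DNSKEY 257 3 5 AwEAAcOnstructedKSKkey==
contoso.com. 3600 IN RRSIG DNSKEY 5 2 3600 20100401000000 20100301000000 12345 contoso.com. c0nstructedS1g==
contoso.com. 3600 IN NSEC lon-dc1.contoso.com. SOA NS DNSKEY RRSIG NSEC
lon-dc1 3600 A 10.10.0.10
lon-dc1 3600 RRSIG A 5 3 3600 20100315000000 20100301000000 54321 contoso.com. (
    m0reC0nstructedS1g== )
'@
$status = Get-ZoneSignatureStatus -ZoneLines ($sample -split "`r?`n") -Now (New-Object DateTime 2010,3,10,0,0,0,([DateTimeKind]::Utc))
$status.Signatures | Format-Table Owner, Covers, KeyTag, Expires, DaysLeft, Valid -AutoSize
$status | Format-List HasDNSKEY, HasNSEC, NotValidNow
```

To run it against the lab's zone instead of the sample, pass the file contents: Get-ZoneSignatureStatus -ZoneLines (Get-Content "$env:windir\System32\DNS\contoso.com.dns").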