
Official Microsoft Learning Product

6293A: Troubleshooting and Supporting Windows 7 in the Enterprise


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site.
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2011 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

Product Number: 6293A Part Number X17-55452 Released: 05/2011

Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Andrew J. Warren, Author


Andrew Warren (MCSE, MCITP, and MCT) has more than 22 years of experience in the IT industry, many of which have been spent in writing and teaching. He has been involved as the subject matter expert (SME) for the 6430B course for Windows Server 2008 and the technical lead on a number of other courses. He also has been involved in TechNet sessions on Microsoft Exchange Server 2007. Based in the United Kingdom, he runs his own IT training and education consultancy.

Byron Wright, Author


Byron Wright is a partner in a consulting firm, where he performs network consulting, computer systems implementation, and technical training. Byron is also a sessional instructor for the Asper School of Business at the University of Manitoba, teaching management information systems and networking. Byron has authored and co-authored a number of books on Windows servers, Windows Vista, and Exchange Server, including the Windows Server 2008 Active Directory Resource Kit.

Tony Northrup, Technical Reviewer


Tony Northrup, an MCSE, MCTS, and CISSP, is a longtime Windows consultant and author. Tony began programming before the release of Windows 1.0 in 1985. For the last 15 years, he has focused on Windows administration and development. Tony is the coauthor of more than 20 books, including the Windows 7 Resource Kit and the MCITP Self-Paced Training Kit (Exam 70-685): Windows 7 Enterprise Desktop Support Technician.


Contents

Module 1: Implementing a Troubleshooting Methodology
- Lesson 1: Introduction to the EDST Job Role  1-3
- Lesson 2: Overview of Troubleshooting Steps  1-14

Module 2: Troubleshooting Startup Issues
- Lesson 1: Overview of the Windows 7 Recovery Environment  2-3
- Lesson 2: Configuring and Troubleshooting Startup Settings  2-17
- Lesson 3: Troubleshooting Operating System Services Issues  2-33
- Lab: Troubleshooting Startup Issues  2-39

Module 3: Using Group Policy to Centralize Configuration
- Lesson 1: Overview of Group Policy Application  3-3
- Lesson 2: Resolving Client Configuration Failures and GPO Application Issues  3-16
- Lab: Using Group Policy to Centralize Configuration  3-27

Module 4: Troubleshooting Hardware Device, Device Driver, and Performance Issues
- Lesson 1: Overview of Hardware Troubleshooting  4-3
- Lesson 2: Troubleshooting Physical Failures  4-19
- Lesson 3: Monitoring Reliability and Performance  4-27
- Lesson 4: Configuring Performance Options in Windows 7  4-34
- Lesson 5: Troubleshooting Device Driver Failures  4-43
- Lab A: Resolving Hardware Device and Device Driver Issues  4-61
- Lab B: Troubleshooting Performance-Related Issues  4-68

Module 5: Troubleshooting Network Connectivity Issues
- Lesson 1: Determining Network Settings  5-3
- Lesson 2: Troubleshooting Network Connectivity Issues  5-9
- Lab: Troubleshooting Network Connectivity Issues  5-35

Module 6: Troubleshooting Remote Connectivity Issues
- Lesson 1: Troubleshooting VPN Connectivity Issues  6-3
- Lesson 2: Using Remote Desktop  6-25
- Lesson 3: Troubleshooting User Issues by Using Remote Assistance  6-34
- Lesson 4: Troubleshooting NAP Issues  6-40
- Lesson 5: Troubleshooting DirectAccess Issues  6-52
- Lab: Resolving Remote Connectivity Issues  6-61

Module 7: Troubleshooting Logon and Resource Access Issues
- Lesson 1: Troubleshooting User Logon Issues  7-3
- Lesson 2: Troubleshooting User Profile Issues  7-13
- Lesson 3: Troubleshooting File Access Issues  7-19
- Lesson 4: Troubleshooting File Permissions Issues  7-28
- Lesson 5: Troubleshooting Printer Access Issues  7-36
- Lab: Troubleshooting Logon and Resource Access Issues  7-44

Module 8: Troubleshooting Security Issues
- Lesson 1: Recovering Files Encrypted by EFS  8-3
- Lesson 2: Recovering BitLocker-Protected Drives  8-15
- Lesson 3: Troubleshooting Internet Explorer and Content Access Issues  8-23
- Lab: Troubleshooting Security Issues  8-32

Module 9: Troubleshooting Operating System and Application Issues
- Lesson 1: Troubleshooting Application Installation Issues  9-3
- Lesson 2: Troubleshooting Application Operations Issues  9-14
- Lesson 3: Applying Application and Windows Updates  9-23
- Lab: Troubleshooting Operating System and Application Issues  9-32

Lab Answer Keys
- Module 2 Lab: Troubleshooting Startup Issues  L2-1
- Module 3 Lab: Using Group Policy to Centralize Configuration  L3-5
- Module 4 Lab: Resolving Hardware Device and Device Driver Issues  L4-9
- Module 5 Lab: Troubleshooting Network Connectivity Issues  L5-19
- Module 6 Lab: Resolving Remote Connectivity Issues  L6-25
- Module 7 Lab: Troubleshooting Logon and Resource Access Issues  L7-29
- Module 8 Lab: Troubleshooting Security Issues  L8-39
- Module 9 Lab: Troubleshooting Operating System and Application Issues  L9-45

About This Course


This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description
This course is designed for Information Technology (IT) professionals who have experience with Windows XP and Windows Vista and who work as Windows 7 Enterprise Desktop Support Technicians (EDSTs) in Tier 2 support environments. The goal of this training is to enable these individuals to support the Windows 7 operating system and solve technical troubleshooting problems in a Windows 7 and Windows Server 2008 R2 networking environment. The course builds on skills attained in Course 6292A: Installing and Configuring Windows 7 Client and Course 6420B: Fundamentals of Windows Server 2008.

This course will not cover deployment scenarios and Tier 3 escalations, including comprehensive Group Policy configuration, and domain administration and deployment. Course 6294A covers deployment scenarios and support. By the course's end, students will have been exposed to the process of establishing and using a troubleshooting methodology, and to the EDST job role and responsibilities. Additionally, students will be exposed to various troubleshooting tools and techniques that enable them to address the following Windows 7 issues in an enterprise network environment:
- Startup
- Group Policy
- Hardware and device drivers
- Performance
- Network connectivity
- Remote connectivity
- User profile and logon
- Security
- Applications

Audience
Primary audience: DST in an Enterprise IT organization
Secondary audience: DST in an upper MORG (medium organization) with approximately 475 personal computers

EDSTs are experienced IT professionals who focus on a broad range of issues that relate to desktop operating systems, desktop applications, mobile devices, networking, and hardware support. EDSTs must combine technical expertise with problem-solving and decision-making skills, and possess a deep understanding of their business and technical environments, so that they can resolve support issues quickly. They consider all variables, justify resolutions with a logical troubleshooting approach, and relate tradeoffs to business and technical requirements and constraints. EDSTs are responsible primarily for the maintenance and support of PC desktops, installing and testing line-of-business applications on end users' computers, and making changes to user desktops or reimaging them, as necessary.


EDSTs have used previous versions of Windows desktop operating systems and may have experience with Windows Server operating systems. Their job requires them to stay knowledgeable and skilled with using new versions and updates of technology, as their business environment dictates. They conduct most server management tasks remotely by using Terminal Server or other administration tools installed on their local workstation.

Student Prerequisites
In addition to their professional experience, students who attend this training should have the following technical knowledge:
- Networking fundamentals, including TCP/IP, User Datagram Protocol (UDP), and Domain Name System (DNS)
- Active Directory Domain Services (AD DS) principles and management
- Windows Server 2008 fundamentals
- Windows client fundamentals
- Fundamentals of using the Microsoft Office 2010 or Microsoft Office 2007 systems

Students who attend this training can meet the prerequisites by attending the following courses, or by obtaining equivalent knowledge and skills:
- Course 6292A: Installing and Configuring Windows 7 Client
- Course 6420B: Fundamentals of Windows Server 2008

Course Objectives
After completing this course, students will be able to:
- Describe the processes of establishing and using a troubleshooting methodology, and define the EDST job role and responsibilities.
- Troubleshoot startup issues on a Windows 7 computer.
- Troubleshoot client-configuration failures and Group Policy object (GPO) application issues.
- Troubleshoot hardware device and device driver issues.
- Troubleshoot network connectivity issues.
- Troubleshoot remote connectivity issues.
- Troubleshoot logon and resource access issues.
- Troubleshoot security system issues, such as Encrypting File System (EFS), BitLocker Drive Encryption, and file permissions.
- Troubleshoot operating system and application issues.
- Troubleshoot performance issues.

Course Outline
This section provides an outline of the course:

Module 1, Implementing a Troubleshooting Methodology, describes the steps involved in establishing and using a typical troubleshooting methodology. It also covers the job role and responsibilities of the EDST.

Module 2, Troubleshooting Startup Issues, describes how to use Windows 7 recovery tools to troubleshoot startup problems. Additionally, it provides the information to configure and troubleshoot startup settings, and to troubleshoot operating system services.

Module 3, Using Group Policy to Centralize Configuration, describes Group Policy application. It also covers steps to troubleshoot both client configuration failures and GPO application issues.

Module 4, Troubleshooting Hardware Device, Device Driver, and Performance Issues, helps students troubleshoot issues related to hardware devices and device drivers by identifying basic hardware-related issues. Additionally, the module helps students determine hardware failure issues, and the problems that device drivers can cause. Finally, this module provides guidance on how to configure performance options in Windows 7, as well as monitor reliability and performance of Windows 7 computers.

Module 5, Troubleshooting Network Connectivity Issues, describes how to troubleshoot issues related to network connectivity by providing the steps to determine the network configuration of client computers, and then to troubleshoot network connections.

Module 6, Troubleshooting Remote Connectivity Issues, describes how to troubleshoot remote connectivity issues. This module instructs students on how to configure and troubleshoot virtual private network (VPN) connections, as well as how to use Remote Desktop and Remote Assistance to assist users. This module also covers the troubleshooting steps for Network Access Protection (NAP) and DirectAccess issues.

Module 7, Troubleshooting Logon and Resource Access Issues, describes how to use troubleshooting tools and methods to troubleshoot user profile and logon script issues, and issues with file and printer access.

Module 8, Troubleshooting Security Issues, describes how to troubleshoot issues related to security systems such as EFS, BitLocker, and file permissions. The module instructs students how to troubleshoot and recover files encrypted with EFS and BitLocker-protected drives. In this module, students also troubleshoot file permissions, content access issues, and Windows Internet Explorer issues.

Module 9, Troubleshooting Operating System and Application Issues, describes how to troubleshoot issues related to operating system features and applications, including application installation and operation issues. This module also addresses applying application and Windows updates.


Course Materials
The following materials are included with your kit:

Course Handbook: A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
- Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
- Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
- Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
- Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site: Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.
- Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
- Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, and Microsoft Press.

Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

Course evaluation: At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor. To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.

Virtual Machine Environment


This section provides the information for setting up the virtual machine environment.

Virtual Machine Configuration


In this course, you will use Hyper-V deployed on Windows Server 2008 to perform the labs. The following table shows the role of each virtual machine used in this course:

Virtual machine   Role
6293A-NYC-DC1     Windows Server 2008 DC in Contoso domain
6293A-NYC-CL1     Windows 7 Client in Contoso domain
6293A-NYC-CL2     Windows 7 Client in Contoso domain
6293A-NYC-CL3     Windows 7 Client in Contoso domain
6293A-NYC-SVR1    Windows Server 2008 domain member
6293A-NYC-SVR2    Windows Server 2008 domain member

Software Configuration
The following software is installed on each VM:
- Windows Server 2008 R2 Enterprise
- Windows 7 Enterprise

Classroom Setup
Each classroom computer will have the same set of virtual machines configured in the same way. All of the virtual machines are deployed on each student computer.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught:
- Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
- Dual 120 gigabyte (GB) hard disks, 7200 RPM Serial ATA (SATA) or better*
- 4 GB random access memory (RAM) or better
- DVD drive
- Network adapter
- Super VGA (SVGA) 17-inch monitor
- Microsoft Mouse or compatible pointing device
- Sound card with amplified speakers

*Striped

Module 1
Implementing a Troubleshooting Methodology
Contents:
- Lesson 1: Introduction to the EDST Job Role  1-3
- Lesson 2: Overview of Troubleshooting Steps  1-14

Module Overview

It is important that you understand the responsibilities of an Enterprise Desktop Support Technician (EDST), the benefits of developing a troubleshooting methodology, and the benefits of following the procedures that your methodology defines.

Objectives
After completing this module, you will be able to:
- Describe the job role of the EDST.
- Describe the steps of a typical troubleshooting methodology.

Lesson 1

Introduction to the EDST Job Role

As an EDST, your job is to act as an escalation point for problems that help-desk personnel cannot resolve; to support end users directly; and to troubleshoot various problems. However, an EDST's responsibilities involve much more than simply fixing problems. An EDST must be able to:
- Listen, either to an end user or to the help-desk staff.
- Gather and interpret information.
- Diagnose and resolve problems, or escalate problems.
- Properly document a problem's resolution in the manner that company policy dictates.

The goal of this lesson is to introduce you to the EDST role and describe how an EDST best supports end users, both directly and indirectly, in a Windows 7 environment.

Objectives
After completing this lesson, you will be able to:
- Describe the EDST job role.
- Describe the desktop support environment.
- Describe how to interact with end users.
- Explain the benefits of a troubleshooting methodology.

What Is the EDSTs Role?

As an EDST, your job is to increase end-user productivity by troubleshooting and trying to solve the computer and system issues that end users experience. This requires that you understand your role in the support environment. An EDST must fulfill a number of roles in the support environment. A good EDST possesses technical expertise in addition to nontechnical aptitude, such as excellent interpersonal skills, that enable the EDST to build rapport with both end users and other members and users of the support environment. As an EDST, someone may describe you as:
- A good troubleshooter, who is able to isolate an issue quickly by performing specific diagnostic tasks.
- A knowledgeable resource, who is familiar with relevant products, and is able to perform hardware and software installation tasks, system monitoring, and maintenance.
- An effective communicator, because help-desk staff and end users typically are not calling you for social reasons. Rather, they may be distressed or upset, and you will need to manage these interpersonal and technical interactions simultaneously and effectively.
- An information source, because even if you do not know the answer, you need to know where to get the answer and when to escalate a problem.

The Position of EDSTs within the Technical Support Structure


Organizations typically structure their technical support into several different tiers, in which the lowest tier handles end-user issues and the highest tier handles the most complex issues. Typically, new requests are assigned to tier 1 (often referred to as the help desk), where personnel categorize the problems and attempt to resolve them. If the help desk cannot resolve the request, staff within the help desk follow prescribed guidance within the organization's troubleshooting methodology and escalate it to tier 2 personnel.

As an EDST, your position is located in tier 2. The following table provides an overview of a typical technical support structure.

Tier                    Role         Description
Tier 1, help desk       Support      Supports day-to-day client operating systems, applications, and hardware troubleshooting. Follows prescriptive guidelines, and provides end-user phone support.
Tier 2, administrator   Operational  Provides day-to-day server and software troubleshooting. Manages and supports the organization's operating systems. Responds to help desk requests when problems are escalated.
Tier 3, engineer        Tactical     Analyzes and designs within a single technology and then implements the technology. Handles complex troubleshooting, including escalations from administrators.
Tier 4, architect       Strategic    Analyzes and designs enterprises.

The Scope of the EDST Role


As an EDST, your first step is to identify the scope of the problem. Because the end user reports the problem to the help desk, you can use the valuable information in the help-desk incident report to determine whether the issue is within the scope of your job role. If the issue is outside that scope, you should escalate it to a higher tier level, systems engineers or architects, as appropriate.

Note Most organizations implement some form of help-desk incident management system; this database is often referred to as a help-desk ticketing system. The purpose of the help-desk ticketing system is to provide a single point for recording, tracking, and updating reported problems as support staff attempt to resolve them.

You must troubleshoot and provide information about many aspects of the Windows 7 operating system that are beyond the responsibility of the help desk, such as:
- Resolving more complex installation and connectivity issues.
- Configuring and troubleshooting desktop environments for end users.
- Troubleshooting multiple boot or multiuser computers.
- Installing, configuring, and troubleshooting more complex hardware.

As an EDST, you should use proper procedures to document the incident. You also must operate within the organization's Service Level Agreements (SLAs), such as resolving a problem within a certain timeframe or within a specific budget. In contrast, an EDST does not have to perform tasks that engineers typically perform, such as complex analysis or design.

Typical EDST Responsibilities


As a tier 2 technical support employee, your job is to provide support for the help desk. At a high level, you should be prepared to perform the following tasks:
- Perform general troubleshooting of the operating system and installed applications.
- Provide customer service, including listening to the end user or help desk, refining the definition of the problem and solving the problem, and, where possible, educating the end user on how to avoid the problem in the future.
- Install, configure, and upgrade software, including applications and operating systems.
- Monitor and maintain systems.
- Update the documentation associated with an end user's call, and then close or escalate a call, per company policy and time limits set forth by SLAs.

Examining the Desktop Support Environment

You will encounter two types of networks in a corporate support environment: workgroups and domains. In both environments, end users can share common resources, such as files, folders, and printers. These environments also provide security measures to secure and protect end users' personal data, and your organization's network resources and data, from outside forces. Despite their similarities, there are important differences between workgroups and domains, which this section details.

Workgroups
Workgroups, which are logical groupings of networked computers that share resources, are often referred to as peer-to-peer networks. The workgroup is the easiest network to set up and maintain, but it is the least secure. Each computer maintains its own local security database, which contains the valid user accounts for logging on to that computer. The user accounts secure the data on each computer, and protect the computer from unwanted access, but because no single computer provides centralized security of user accounts for all of the network's computers, the network is decentralized. In practice this means that every workgroup computer must be checked individually: an enabled built-in Administrator account or an account with no password on one computer is not visible from, and cannot be corrected from, any other.

Note Workgroups typically are configured for home networks, small home offices, and small businesses in which the computers are in close proximity to one another and are sometimes connected by using a hub, switch, or router. Because workgroups are not the most secure option for a network, larger corporations typically do not use them.

Domains
Domains are logical groupings of networked computers that share a common database of users and centrally managed security on a single server, known as a domain controller, or a group of servers (domain controllers). A single domain must have one or more domain controllers, and these computers provide Active Directory Domain Services (AD DS), such as access to resources, security, and a single point of administration.

Domains are logical groupings, which you configure independent of the network's actual physical structure. Domains can span a building, city, state, country, or even the globe. You also can configure them for a small office, and you can connect a domain's computers by virtual private network (VPN), Ethernet, broadband, satellite, or wireless connections.

Note Larger companies and corporations typically configure domains because they are the most secure option for a network, they offer centralized security and management, and they are extensible. Smaller companies generally do not use domains because domains are more expensive, and require more attention than workgroups.
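As an added example that is not part of the course, the following PowerShell function makes the workgroup-versus-domain distinction concrete: it reports whether a Windows 7 computer is a domain member or a workgroup member, and then inspects the local security database that, on a workgroup computer, is the only place accounts exist. It uses WMI (Get-WmiObject) so that it runs under the PowerShell 2.0 shipped with Windows 7; the -ComputerName parameter, the use of the -500 SID suffix to recognise the built-in Administrator regardless of its name, and the three findings it raises are assumptions of this example, not course material.

```powershell
# Added example (not from the course): classify a Windows 7 client as workgroup
# or domain member and review the accounts in its local security database.
# Uses WMI so it works on PowerShell 2.0 (Get-LocalUser and Get-CimInstance
# are not available on Windows 7). Run as a local administrator.

function Get-MembershipReport {
    param([string]$ComputerName = '.')   # assumption: local computer by default

    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName

    if ($cs.PartOfDomain) {
        $kind  = 'Domain'
        $scope = $cs.Domain        # accounts are centrally held in AD DS
    } else {
        $kind  = 'Workgroup'
        $scope = $cs.Workgroup     # accounts exist only in this computer's SAM
    }

    # Restrict the query to local accounts. Without the filter, a domain member
    # would try to enumerate every account in the domain, which is slow.
    $local = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
                           -Filter "LocalAccount = TRUE"

    # On a workgroup computer these accounts are the entire security boundary,
    # so flag the conditions an EDST would want to know about.
    $findings = @()
    foreach ($u in $local) {
        if ($u.Disabled) { continue }
        if ($u.SID -match '-500$') {
            # RID 500 is the built-in Administrator even if it has been renamed
            $findings += "Built-in Administrator '$($u.Name)' is enabled"
        }
        if (-not $u.PasswordRequired) {
            $findings += "Account '$($u.Name)' does not require a password"
        }
        if ($u.PasswordExpires -eq $false) {
            $findings += "Account '$($u.Name)' has a non-expiring password"
        }
    }

    New-Object PSObject -Property @{
        Computer      = $cs.Name
        Membership    = $kind
        Scope         = $scope
        LocalAccounts = @($local | ForEach-Object { $_.Name })
        Findings      = $findings
    }
}

Get-MembershipReport | Format-List Computer, Membership, Scope, LocalAccounts, Findings
```

On a domain member the same local accounts still exist, so the findings are still worth reading; the difference is that Group Policy can correct them centrally, whereas on a workgroup member the fix has to be applied on each computer in turn.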

Interacting with End Users

The ability to interact effectively with both end users and the staff of the help desk is vital to an EDST's success. You also must know how to talk to people with various levels of experience. For example, you need to know how to ask questions, how to interpret what end users say, and how to suggest changes. You must know where to search for answers to problems, and how to apply and document the solutions to those problems. End users must be satisfied with your solutions and believe that you treated them fairly and with respect. There are many types of end users. Each end user has expertise in different areas, and each end user has varying degrees of expertise. It is important that you can identify an end user's expertise level when you are working in an EDST role to avoid alienating the end user. For example, reminding a technologically experienced end user to turn on the printer may cause the end user frustration. It is still necessary to ensure that the basics have been checked, however, because even technically experienced end users sometimes forget to turn on their printers.

Obtain Information from the End User


End users often are unable to provide a detailed description of their issue, or they may be reluctant to explain the circumstances that caused the problem. When necessary, you must ask questions that help you determine why the problem occurred.

Note Many organizations provide a script for help desk staff to use when performing initial problem classification. This will help you and the help desk progress through all the fundamental questions that can help to classify the problem. Ensure you check the incident record in the ticketing system before you question the end user yourself; otherwise you might be repeating questions already asked by the help desk.

Determine the Answer to These Who Questions


If the incident record does not provide the following information, ask the end user:
- Who was operating the computer when the problem first occurred?
- Who else is operating the computer, and have they experienced similar problems?

Also, check the ticketing system to determine:
- Who has worked on this problem, or one like it, previously?
- Who has the same problem on another computer?

Determine the Answer to These When Questions


The following when questions help you determine when a problem occurred and establish a timeline of activities that might relate to the problem. Check the open incident record to determine:
- When did this problem first occur, and has it occurred since?
- When was an application last installed, updated, or removed on the computer?
- When was new hardware last installed on the computer?
- When were disk maintenance tasks last performed?
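The incident record answers the when questions from what people remember; the computer itself keeps a more reliable record. As an added example that is not part of the course, the following PowerShell function builds a change timeline for a Windows 7 client from two sources that are always present: the Uninstall registry keys (application installs) and the System and Application event logs (new services, driver packages, Windows updates, and Windows Installer installs and removals). It runs under PowerShell 2.0, where Get-WinEvent -FilterHashtable is available. The 14-day window and the choice of event IDs are assumptions of this example; disk maintenance tasks are not covered because they leave no single event that is reliable across all Windows 7 configurations.

```powershell
# Added example (not from the course): reconstruct the "when" timeline of a
# Windows 7 client from the registry and the event logs, newest entries first.
# Event IDs queried (assumed set for this example):
#   System      / Service Control Manager                 7045  new service installed
#   System      / Microsoft-Windows-UserPnp              20001  driver package installed
#   System      / Microsoft-Windows-WindowsUpdateClient     19  update installed
#   Application / MsiInstaller                      11707/11724  MSI product installed / removed

function Get-ChangeTimeline {
    param([int]$Days = 14)          # assumption: look back two weeks
    $since  = (Get-Date).AddDays(-$Days)
    $events = @()

    # 1. Installed programs from both the 64-bit and 32-bit Uninstall views.
    #    InstallDate is an optional 'yyyyMMdd' string, so parse it defensively.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    foreach ($app in @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue)) {
        if (-not $app.DisplayName -or -not $app.InstallDate) { continue }
        try   { $when = [datetime]::ParseExact($app.InstallDate, 'yyyyMMdd', $null) }
        catch { continue }
        if ($when -ge $since) {
            $events += New-Object PSObject -Property @{
                Time   = $when
                Source = 'Registry'
                Detail = "Installed: $($app.DisplayName) $($app.DisplayVersion)"
            }
        }
    }

    # 2. Event log evidence. One hashtable per query; Get-WinEvent raises an
    #    error when nothing matches, which SilentlyContinue turns into no rows.
    $queries = @(
        @{ LogName='System';      Id=7045;  Label='New service installed' },
        @{ LogName='System';      Id=20001; ProviderName='Microsoft-Windows-UserPnp';             Label='Driver package installed' },
        @{ LogName='System';      Id=19;    ProviderName='Microsoft-Windows-WindowsUpdateClient'; Label='Windows Update installed' },
        @{ LogName='Application'; Id=11707; ProviderName='MsiInstaller';                          Label='MSI product installed' },
        @{ LogName='Application'; Id=11724; ProviderName='MsiInstaller';                          Label='MSI product removed' }
    )
    foreach ($q in $queries) {
        $filter = @{ LogName = $q.LogName; Id = $q.Id; StartTime = $since }
        if ($q.ProviderName) { $filter.ProviderName = $q.ProviderName }
        foreach ($e in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
            # The first line of the message names the service, driver, update or product
            $events += New-Object PSObject -Property @{
                Time   = $e.TimeCreated
                Source = $q.Label
                Detail = ($e.Message -split "`n")[0].Trim()
            }
        }
    }

    $events | Sort-Object Time -Descending
}

Get-ChangeTimeline -Days 14 | Format-Table Time, Source, Detail -AutoSize
```

Compare the output with the dates the end user and the help desk gave: a driver package or service that appeared just before the first reported failure is the first thing to test, and an entry that the incident record does not mention (an update that installed overnight, a product the user did not install) is worth a what question of its own.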

Determine the Answer to These What Questions


The following what questions help you gather information about what the help desk thinks may be the cause of the problem, and also learn the solutions, if any, the help desk has already attempted. Check the open incident record to determine:
- What does the help desk suspect might be the problem?
- What steps have the help desk already taken to attempt resolution, if any?
- What suggestions have the help desk received regarding a possible resolution?

Note Bear in mind that the help-desk staff may know the problem's cause, but may lack the administrative permissions to fix it.

Determine the Answer to These How and Why Questions


The following questions can often identify a solution quickly. Check the open incident record to determine:
- How does the help desk think that the problem occurred?
- Why does the help desk think that the problem occurred?

Note The help-desk staff may have experienced similar or identical problems, and therefore may know the cause. As you work through these questions with the help desk, and where necessary, the end users, document the answers carefully in the incident record in the ticketing system, listen to everything said, be polite and professional, and make notes of possible solutions as they occur.

If necessary, leave the situation for a few minutes to digest the information, and then check company documentation, online support, or other resources for answers.

It is likely that the end user with whom you work has spoken to the help desk before. If the end user's expectations were not met, the end user may have lost trust in the desktop support process. As an EDST, you are in a unique position to determine if there is a value gap between what the end user expects and what the end user receives, and to ensure that each end user's needs are met. In general, however, end users expect the EDST to:
- Diagnose the problem. End users expect you to grasp the nature of their problems quickly, based on the information that they provide to the help desk and directly to you, regardless of the end users' experience levels.
- Explain the plan of action. After you have diagnosed the problem, end users expect you to have a plan of action that entails a logical sequence of steps that either you or the end users can implement quickly.
- Keep end users informed about the troubleshooting process. End users want to know what you are doing to troubleshoot their problems, whether the plan of action is working, and how close you are to solving their problems.
- Teach end users how to solve the problems and how to avoid them in the future. End users want to understand how their problems occur, and how they can solve the problem without desktop support in the future.

Note It may not be necessary to ask all these questions. In addition, the answers to preceding questions may determine the order of the subsequent questions.

What Is a Troubleshooting Methodology?

The particulars of various troubleshooting methodologies can vary, and the processes involved in troubleshooting computer-related problems are not precise. Most methodologies share some common processes and procedures, which this topic aims to identify.

Classify
When an end user first discovers and reports a computer problem, a series of classification processes begins. During these processes, you gather information from the end user in an attempt to establish the problem's nature and scope. The initial discussion might reveal information that results in an immediate resolution to the problem, but with more complex or serious problems, you must continue to troubleshoot the issue to arrive at a resolution. Problems that affect many end users, rather than a few, are more serious in terms of their impact on organizational productivity, and you must resolve them more quickly. Classification allows you time to determine the scope and impact of problems so that you can prioritize them. Even if you are immediately able to resolve the problem, you must log the problem by using the methodology that your organization has in place. Appropriate logging procedures ensure that you do not lose any incident reports. Access to detailed incident reports allows organizations to monitor their information technology (IT) systems more effectively and make informed decisions about those systems.

Test
When you have prioritized and logged a reported incident, the testing phase starts. During the testing phase, you use a number of processes to determine the probable cause of a reported problem. You might start by listing the possible causes. Typically, you might try to divide and isolate these possible causes. In computer systems, dividing and isolating possible causes might mean making a distinction between:
- Server-related and workstation-related issues.
- Hardware and software.
- Operating system and applications.

In this way, you can eliminate possible causes, which eventually enables you to determine probable causes. When you reduce the list of possible causes to a manageable number, you can start a testing process. The aim of the testing process is to determine the probable cause from your list of potential causes. One method you can use is to reproduce the problem in a test environment. If you can reproduce a problem easily, you likely can determine the probable cause. If a problem is more difficult to reproduce, you must study your results, and then you may need to modify your initial thoughts about the problem's probable cause.

Escalate
In the event that you cannot find a resolution during the initial testing phase, you must either consult additional documentation or escalate the problem. If you suspect that the issue stems from a component, you can escalate the problem to the component's manufacturer. For other issues, if you have more internal resources to call upon, you can escalate the problem within your organization. Your organization should have an established process for handing off reported incidents to your organization's second-tier support staff. The second-tier support staff then asks questions to classify the problem's scope and assign it a priority level.

Report
When you resolve an incident, you must document the resolution. It is important to record any changes to your IT system's configuration. Additionally, problems have a habit of occurring more than once, and when you document them properly, you can save time resolving subsequent occurrences of the same problem.

Lesson 2

Overview of Troubleshooting Steps

Any sort of troubleshooting methodology, regardless of whether you are troubleshooting computers, plumbing systems, or automobile engines, has a common set of processes and procedures, including the following:
- Incidents pass through a series of processes that are designed to resolve problems as quickly and efficiently as possible.
- Classification, testing, escalation, and reporting provide the backbone of any troubleshooting methodology.
- The methodology evolves over time, as technologies change and new tools become available.

This lesson details the stages of a troubleshooting methodology, and how you can develop best practices for problem reporting, initial data collection, implementing a plan of action, and recording incident resolution.

Objectives
After completing this lesson, you will be able to:
- Identify the stages in a common troubleshooting methodology.
- Discuss elements of common troubleshooting methodologies.
- Describe the process of problem reporting.
- Describe the process of initial data collection.
- Determine and use best practices for developing an action plan.
- Describe the process of implementing an action plan.
- Describe the process of recording the problem resolution.
- Discuss the benefits of using a methodology.

Examining the Stages in a Troubleshooting Methodology

When you begin to troubleshoot a problem, you should clearly define the steps that you need to take to resolve the problem.

Report the Problem


The reporting process begins when an end user first calls the help desk. When the end user reports a problem, the help desk staff must record the details of the problem and ask the end user pertinent questions to help determine the scope of the problem. The answers to these questions can help them to prioritize the problem. It is important that support staff keeps the end user informed of progress throughout the entire troubleshooting process, starting with this first reporting stage, when the help-desk explains to the end user what the next step is in the process.

Gather Information
It is possible that the support staff might resolve the reported problem during the initial reporting stage; this often happens with relatively simple problems. If it is not possible to resolve the issue immediately, support staff must gather more information about the problem in an effort to identify possible causes. You can use monitoring tools, examine event logs, or simply ask the end user additional questions in an effort to gather additional information.

Develop an Action Plan


When there is sufficient information, you can attempt to determine the cause of the problem. There are two possible approaches. The linear approach is a methodology that reveals the root cause of a problem quickly by taking you through a logical series of steps. Start with the problem statement, and then proceed in a methodical manner until you uncover the problem's source.

The subtractive approach is a methodology in which you form a mental picture of the computer's system components. Separate the components into two halves along a testable line. For example, is it a hardware component or a network component that is causing the problem? Then, test to see on which side of the line the problem falls, and continue in the same manner until you isolate the problem component.

Whichever approach you take, the aim of this stage is to isolate the cause of the problem. When you feel you have determined the cause, you must test your assumptions. If the tests prove inconclusive, you must continue until you determine the real cause. After your tests prove the cause of a problem, you must plan your course of action. For instance, if the problem requires that you replace a disk in a server, you must order the new disk, determine a suitable time to perform the replacement, back up existing data on the old disk, shut down the server, physically install the new disk, and perform a restore of the data to the new disk.

Implement the Action Plan


After planning your course of action, you must implement the plan. When implementing a plan of action to resolve serious problems, you must consider the impact on service availability of any changes that you want to make. Larger organizations implement change management procedures, and you must adhere to these procedures. Before you make any configuration changes, consider how much of your reconfiguration work you can undertake using remote management tools and utilities. You can resolve many problems with remote management techniques, and thereby avoid the need to work on the end user's computer physically. However, you cannot resolve all problems by using remote management tools, so sometimes a visit to the end user's computer is necessary.

Document the Correction


When you resolve a problem successfully, you must document the resolution. This documentation involves a number of processes, depending upon your technical support infrastructure. At the very least, you must inform the end user that you resolved the problem, and if a logging system is in use, you must close the incident. Many organizations use documentation to provide information about their IT system's configuration. In the event that you reconfigured something to resolve a problem, you must update the supporting documentation to reflect the changes that you made. Additionally, during the information-gathering stage, it often is useful to examine incident logs to determine whether anyone else has reported a problem similar to the one on which you are working. Finding out whether another technician has documented a similar problem is possible only if, at incident closure, you document what you did to resolve the problem.

Discussion: Common Components of Troubleshooting Methodologies

Your instructor will assign you a role in your organization, and during this discussion, you will consider the benefits of a troubleshooting methodology for your role. The roles are:
- End users.
- Help-desk support staff.
- Desktop support staff.
- Managers and planners.

During your discussion, create a list of benefits for your organizational role. To help facilitate a useful discussion, you might consider how a troubleshooting methodology results in the following outcomes:
- Faster problem resolution
- Improved productivity
- Better accountability
- Improved communications
- Better update management

When you complete your discussion, share your conclusions with the class.

The Process of Problem Reporting

It is important to ensure that a well-understood process exists in your organization for the proper reporting of support problems.

Problem Detected
The process of reporting a support problem starts with an end user detecting a problem with the computer hardware, operating system, or an application. If the problem is intermittent, the end user may take no immediate action. If the problem occurs again, the end user may take further action. End users may attempt to resolve the problem themselves or contact the help desk for assistance.

Self-Help
Whenever possible, encourage end users to help themselves. You can help end users resolve some problems quickly if the end user stops and thinks about the event that just occurred. Always provide adequate training for your end users. Not only does this allow them to get the most from their applications, but it also means that they are less likely to encounter problems and are more likely to resolve many problems themselves, without contacting the help desk.

Contact the Help Desk


No matter how much training or encouragement end users receive, there are always problems that they cannot resolve themselves. It is important to provide a proper procedure for contacting the help desk and to ensure that your end users understand this procedure. During this phase, record the details of the problem. You should consider using a database in which to record details of the reported problem, and you then can update the help-desk ticketing system incident record that pertains to the problem as you work toward a resolution.

If you lack the skills necessary to resolve the reported problem, assign the problem to other individuals in your organization. For complex problems, you might assemble a specialist team to resolve the problem. Update the incident record in the ticketing database to help track information about activity that you, or others, have performed in relation to the reported problem.

Classification and Initial Support


After an end user has contacted the help desk, attempt to classify the problem, and then determine the scope and urgency of the problem. You can do this by asking the end user very specific questions about the problem. Questions might include the following:
- Who else has the same problem? If the problem is widespread, this points to a more general problem, and it is less likely to be the end user's particular computer. Additionally, problems affecting many end users are more urgent than those affecting only one end user.
- When did you first notice the problem? For example, it might be that the computer never worked properly. It is very useful to know this, because it might indicate a problem with deployment rather than usage.
- What changed around the same time you noticed the problem? If the end user has recently installed new applications or updated drivers, and the problem arose after these changes, it is possible that the changes contributed to the problem that the end user is reporting.

During this phase, you might determine a probable cause of the reported problem, but be careful not to jump to a conclusion because you might waste a lot of time and resources. Your goal during this phase is to define the problem accurately.

Escalation
When a problem requires escalation between support tiers or to external vendors, ensure that you record an appropriate level of detail to pass to the next support level. It is very helpful to have a clearly defined escalation procedure to ensure that you can do this efficiently. The procedure may contain the following information:
- A precise description of the reported problem.
- A record of any error messages associated with the problem.
- A record of the resolution attempts that support staff make, and the results of each attempted fix.
- A record relating to any diagnostics tools that support staff use.
- The length of time that can elapse before you must escalate the problem.

You might consider escalation to external vendors when:
- You cannot resolve the problem.
- You have insufficient internal resources to resolve the problem.
- Your organization does not have the required skills to resolve the problem.
- You have identified the probable cause of the problem, and it lies with a specific third-party component.

Whenever you escalate a problem, always retain ownership of the problem, and use the database record to track progress toward a resolution. Also ensure that you provide any necessary assistance to other support tiers and external vendors.

Resolution
After you determine a probable cause and develop an action plan, you should perform an assessment of this plan. The assessment should include:
- Liaison with any specialist support staff involved in the plan's implementation.
- Completion of any required requests according to change-management procedures.
- Analysis of the possible impact of the proposed changes on the IT infrastructure.
- Details of any testing of the proposed plan.
- Details of plans to roll back the changes in the event that they do not achieve the desired result.

After you assess the proposed action plan, you can execute it. In the event that the action plan does not resolve the problem, consider whether to roll back the changes you have made according to the action plan assessment. You also must revisit the classification phase, because it is possible that the initial diagnosis and classification were incorrect.

Close the Problem


After you resolve the problem successfully, you must close it. To close a problem, update any database records that relate to it, and indicate that you implemented a permanent resolution for the problem, and then close the database record.

The Process of Initial Data Collection

Collecting information about a reported problem is vitally important. By following a precise, logical series of steps, you can define the nature of the problem clearly, and then work toward establishing a precise cause.

Question
The process starts when an end user follows a defined procedure to contact the help desk, typically by sending an e-mail or making a phone call. Members of the help desk team must question the end user clearly and precisely about the problem's symptoms so that they can begin defining the cause of the problem.

Listen
When an end user reports a problem to you, listen carefully to what the user has to say. Often, as the user responds to your questions and repeats the history of a problem, he or she might unwittingly reveal its cause. By asking users to start from the beginning and explain exactly what they were doing immediately prior to noticing the problem, and what they were doing when they noticed the problem, you may determine the problem's cause.

Note It is important to record the problem, and any pertinent information that the user communicates to you, in a database. You will use the database record that you create throughout the problem life cycle to record progress toward a resolution.

Consult
When you record all of the pertinent information from the user, your next task is to determine the cause of the reported problem. Start by consulting existing documentation about known problems. It is quite possible that the problem has occurred before. If this is the case, you can move quickly toward a resolution, and then close the incident.

Research
If existing documentation does not reveal any probable causes, you must perform some research. You can perform this research using a variety of sources. For example, you might search the Microsoft Support Knowledge Base for information about the problem. You also may search online forums for related material to aid in problem resolution. If you are unable to determine probable causes from this initial research, you can also perform information gathering using the tools provided in the Windows 7 operating system, including those in the following table.

Tool: Remote Assistance
Use: With Remote Assistance, users can request and receive help by using just one mechanism. The administrator who is providing remote assistance uses Remote Assistance to take control of a problem computer remotely, while the user remains logged on and watches what the administrator is doing on the screen.

Tool: Remote Desktop
Use: You can use Remote Desktop to take remote control of a problem computer. The logged-on user is disconnected, and the console is locked.

Tool: Event Viewer
Use: You can use Event Viewer as a single interface for viewing log files on the problem computer. These logs provide information about applications, system events, and security-related matters.

Tool: Device Manager
Use: With Device Manager, you can examine and change the configuration of hardware devices and device drivers.

Tool: Network Diagnostics
Use: With Network Diagnostics, you can troubleshoot and diagnose network-related problems.

Tool: Windows System Information
Use: With Windows System Information, you can examine a computer's configuration with a single tool. You can also use the Microsoft Windows System Information tool to produce configuration reports.

Tool: Command-Line Tools
Use: Provide access to a variety of command-line tools that you can use to assist with the research process, including ipconfig, netstat, winrm, and winrs.
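The following Windows PowerShell script is an added example and is not part of the 6293A course material. It uses the Event Viewer logs and the command-line tools from the table above to build the change timeline behind the "when" questions of the classification stage (last application install or removal, update, driver install, boot-time disk check) and to snapshot the computer's configuration for the incident record. It assumes Windows 7 with Windows PowerShell 2.0 or later, an elevated prompt on the problem computer (locally or through winrs), and the standard Windows 7 event IDs noted in the comments, which you should verify in Event Viewer on your build; the output folder name is a placeholder.

```powershell
# Added example (not code from the 6293A course): collect a change timeline
# and a configuration snapshot from a Windows 7 computer for the incident record.
# Assumptions: Windows 7 with Windows PowerShell 2.0 or later, run from an
# elevated prompt on the problem computer (locally or through winrs), and the
# standard Windows 7 event IDs listed below (verify them in Event Viewer on
# your build). The output folder is a placeholder; change it to suit.
param(
    [int]$Days = 30,                                          # how far back to look
    [string]$OutDir = (Join-Path $env:TEMP 'incident-data')   # placeholder output folder
)

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$since = (Get-Date).AddDays(-$Days)

# Map each "when" question from the classification stage to the log, event
# provider and event ID that answer it.
$queries = @(
    @{ Question = 'Application installed';    Log = 'Application'; Provider = 'MsiInstaller';                          Id = 11707 },
    @{ Question = 'Application removed';      Log = 'Application'; Provider = 'MsiInstaller';                          Id = 11724 },
    @{ Question = 'Windows update installed'; Log = 'System';      Provider = 'Microsoft-Windows-WindowsUpdateClient'; Id = 19    },
    @{ Question = 'Device driver installed';  Log = 'System';      Provider = 'Microsoft-Windows-UserPnp';             Id = 20001 },
    @{ Question = 'Boot-time disk check ran'; Log = 'Application'; Provider = 'Wininit';                               Id = 1001  }
)

$timeline = $queries | ForEach-Object {
    $q = $_
    # Get-WinEvent reports "no events were found" as an error; suppress it so
    # that an empty category does not interrupt the collection.
    Get-WinEvent -FilterHashtable @{ LogName = $q.Log; ProviderName = $q.Provider; Id = $q.Id; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                When     = $_.TimeCreated
                Question = $q.Question
                Detail   = ($_.Message -split "`r?`n")[0]   # first line of the message is enough for the ticket
            }
        }
}

# Newest first: the most recent change is the usual suspect when the problem
# started right after something was installed or updated.
$timeline | Sort-Object When -Descending |
    Format-Table When, Question, Detail -AutoSize |
    Out-File (Join-Path $OutDir 'change-timeline.txt') -Width 200

# Configuration snapshot with the command-line tools and the Windows System
# Information report named in the table above.
ipconfig /all | Out-File (Join-Path $OutDir 'ipconfig.txt')
netstat -ano  | Out-File (Join-Path $OutDir 'netstat.txt')
$report = Join-Path $OutDir 'msinfo32.txt'
Start-Process msinfo32 -ArgumentList "/report `"$report`"" -Wait

Write-Output "Incident data written to $OutDir; attach it to the incident record."
```

Compare the timestamps in change-timeline.txt with the time the end user first noticed the problem before forming a probable cause, since a change that predates the symptom by weeks is unlikely to be related.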

Develop
After you determine a probable cause, you must develop an action plan, which the next topic describes.

Best Practices for Developing an Action Plan

Simple problems are easy to resolve quickly, and they might not require much consideration in terms of an action plan. For example, an end user reports that he has forgotten his password. Your action plan includes opening Active Directory Users and Computers, and resetting the password. However, more complex or serious problems require careful consideration.

Analyze the Available Data


Before you start making configuration changes, analyze the available data to ensure that you have determined the problem's probable cause.

Review the Documentation


Review any documentation related to the fix that you propose. For example, if the fix that you propose requires the installation of a service pack, review the documentation related to the service pack.

Escalate to Build a Test Environment


If the proposed fix or workaround involves significant reconfiguration work, or if problems arise during the fix, this could affect the user's productivity. You may need to escalate the problem so that a test environment can be built that closely resembles the production system, and so that appropriate support personnel can use this test environment for testing your plan of action.

Note Virtualization technologies (such as Windows Virtual PC) provide a convenient way to build test environments without having to invest significantly in additional hardware or software.

Consider the Impact of Changes


If you need to perform significant reconfiguration work to resolve problems that are more complex, the changes that you plan to make can have an impact on many areas of your organization. However, it is likely that problems of this nature are escalated to Tier 3 support staff.

Plan for Rollback


If you implement a fix or workaround, and it does not resolve the problem as expected, you might consider rolling back the fix. Performing a rollback is not always necessary, but it may be desirable in certain circumstances. For example, if the fix involves applying an update, removal of the update might be acceptable. If, however, the fix involves upgrading applications to include new features that might be useful to other end users, it might be desirable to leave the new applications installed rather than revert to the older application. You can use the test environment to practice implementing a rollback of your proposed fix or workaround.

Note Although the steps for the action plan in the slide are numbered, you might not complete the steps in this order.

Implementing an Action Plan

Keep in mind that the specific stages of your plan of action may vary because of the complexities or circumstances of a specific problem.

Implement in a Test Environment


Before you attempt a fix on the production system, implement your plan of action in your test environment. Bear in mind that the process of changing some aspect of a computer's configuration might result in a fix for a specific problem, but might also introduce other problems. For example, if you apply a security update to the operating system to resolve a security problem, the update may make applications behave differently. When you are satisfied that you can introduce the fix or workaround without causing additional problems and that it fixes the reported problem, proceed to the next stage.

Note Simple problems might not require this testing stage.

Consult Change Management


Large organizations implement change-management procedures to ensure that every member of the support staff performs all changes to the IT infrastructure in a similar and appropriate manner, according to guidelines, and with adequate documentation following any changes. If your organization uses a change-management procedure, you must determine what is required of you when implementing your fix or workaround. Consult the relevant documentation, and when necessary, discuss the proposed changes with the appropriate staff.

Resolve the Problem


Help-desk staff often can resolve common problems quickly, without having to involve product specialists. Less common or more complicated problems often require the escalation to either desktop-support specialists or external vendors, and occasionally require the creation of a specialist team that includes people possessing the range of skills necessary to resolve a particular issue. When possible, consider the use of remote management tools and utilities because these often result in quicker problem resolutions.

Monitor and Evaluate


If a fix or workaround takes time to complete, and involves a number of stages, you are required to monitor progress toward the problem's resolution. It is important that you evaluate the data that you collect during this monitoring process to determine whether you are any nearer to a solution. If the data indicates that a solution is not available, you might want to reconsider your plan of action.

Report and Document


Whether or not you resolve the problem successfully, you must document all the steps that you took in an attempt to resolve it, and then document the results. If you log the incident in a database to track the status of a reported problem, you must update the record to reflect whether you resolved the problem and whether you closed the incident. The next topic looks more closely at the process of recording a problem's resolution.

Recording the Problem Resolution

In most support organizations, a process exists to properly record and document a problem that a user reports. Typically, the help-desk staff records the reported incident into a database. When a problem is resolved, you must close the reported incident, and then communicate the resolution to the user who reported the problem.

Update the Current Documentation


If the problem has exposed flaws in the current IT infrastructure, working practices, or other areas, you must update the current documentation with information about these flaws and the relevant fixes or workarounds. For example, if you install a service pack for an operating system throughout the organization to fix an application-compatibility issue, you must record information in the current infrastructure-related documentation about both the compatibility issue and the installation process for the service pack.

Create New Documentation


Complex and serious problems quite often require significant changes in the infrastructure, so you must create the necessary documentation to support these changes. For example, if you install a new version of an application to resolve a problem, updating the existing documentation is insufficient, because the new application may have new features, and therefore may work differently than the old version. You must provide both users and administrators with the new information that they require to work with the new application.

Log the Resolution


You must update any database records associated with an incident. The update should include the resolution and other relevant information about the fix or workaround required to resolve the problem. Also, you should not consider a problem resolved until the resolution is documented in a manner that aids future incident resolution. Finally, you must update the incident record as closed.

Communicate with the End User


You must let the end user who reported the problem originally know that you resolved the problem. If the user must take any special measures or steps to bypass the problem, you must communicate these steps or procedures. If you made significant changes to the infrastructure, users might require additional training.

Log Preventative Measures


Problems have a habit of recurring. It is very important that you document the problem, the problem's cause, and the steps required to resolve it. Proper documentation ensures that, in the future, other support engineers faced with similar incidents can discover a probable cause and a recommended solution early in the troubleshooting process.

Note Microsoft provides guidance in incident management within the Microsoft Operations Framework (MOF).

Discussion: The Benefits of Applying Troubleshooting Stages by Using a Methodology

Your instructor will initiate a classroom discussion in the form of a brainstorming session. Please consider the stages of a troubleshooting methodology, and share your own experiences with the class. During the discussion, feel free to make practical recommendations on the following topics:
- How does your organization apply the troubleshooting stages?
- How much do self-help telephone and Web portals help users?
- Who does the data collecting, and how do they do it?
- How does your organization handle communications between the first- and second-tier support staff and the end user?
- How much can you achieve remotely?
- How do you typically communicate problem resolutions to other support staff to help resolve future problems?

Module 2
Troubleshooting Startup Issues
Contents:
Lesson 1: Overview of the Windows 7 Recovery Environment 2-3
Lesson 2: Configuring and Troubleshooting Startup Settings 2-17
Lesson 3: Troubleshooting Operating System Services Issues 2-33
Lab: Troubleshooting Startup Issues 2-39


Module Overview

Corruptions in the system registry, or issues with device drivers or system services, often cause startup-related problems. Therefore, systematic troubleshooting is essential so that you can determine the underlying cause of the problem quickly and efficiently. This module describes how to identify and troubleshoot issues that affect the operating system's ability to start, and how to identify problematic services that are running on the operating system. It also describes how to use the Microsoft Windows 7 operating system advanced troubleshooting tools, collectively known as the Microsoft Windows Recovery Environment (Windows RE).

Objectives
After completing this module, you will be able to:
- Use Windows 7 recovery tools to troubleshoot startup problems.
- Configure and troubleshoot startup settings.
- Troubleshoot operating system services.


Lesson 1

Overview of the Windows 7 Recovery Environment

To recover computers that are running Windows 7 and that will not start, or which are starting with errors, you must recognize what the operating system looks like when it is starting properly. Additionally, a good working knowledge of the recovery tools that Windows 7 provides should enable you to identify and resolve problems that relate to startup issues.

Objectives
After completing this lesson, you will be able to:
- Describe the Windows 7 startup architecture.
- Explain the repair and recovery options available in Windows 7.
- Describe the recovery tools available at the command prompt in Windows RE.
- Describe how to use Windows RE to check and fix the startup environment.
- Describe the System Restore process in Windows.
- Access System Restore to fix the startup environment.


Windows 7 Startup Architecture

The Windows 7 boot loader architecture provides a quick and secure mechanism for starting the Windows operating system. The boot loader architecture has three main components:
- The Windows Boot Manager (Bootmgr.exe)
- The Windows operating system loader (Winload.exe)
- The Windows resume loader (Winresume.exe)

Windows Boot Manager


As the computer starts, Bootmgr.exe loads first, and then reads the Boot Configuration Data (BCD), which is a database of startup configuration information that the hard disk stores in a format similar to the registry.

Note The BCD provides a firmware-independent mechanism for manipulating boot environment data for any type of Windows system. Windows Vista and later versions of Windows use the BCD to load the operating system or to run boot applications such as memory diagnostics. Its structure is very much like a registry key, although it should not be managed with the registry editor.

Bootmgr.exe replaces much of the functionality of the NTLDR bootstrap loader that Windows XP and earlier versions of the Windows operating system use. Bootmgr.exe is a separate entity, and it is unaware of other startup operations of the operating system; it switches the processor into 32-bit or 64-bit protected mode, prompts the user for which operating system to load (if multiple operating systems are installed), and it can start NTLDR if you have Windows XP or earlier installed.


Windows Operating System Loader


Winload.exe is the operating system boot loader that Windows Boot Manager invokes. Winload.exe loads the operating system kernel (ntoskrnl.exe) and (boot-class) device drivers, which, combined with Bootmgr.exe, makes it functionally equivalent to NTLDR. Winload.exe initializes memory and loads drivers that should start, and then transfers control to the kernel.

Note Boot-class device drivers have a start value of zero in the registry.

Windows Resume Loader


If the BCD contains information about a current hibernation image, Bootmgr.exe passes that information to Winresume.exe, and then Bootmgr.exe exits, and Winresume.exe takes over. Winresume.exe reads the hibernation image file, and uses it to return the operating system to its prehibernation running state.

Windows 7 Startup Process


When you switch on a computer, the startup process loads the basic input/output system (BIOS). When it loads the BIOS, the system accesses the boot disk's Master Boot Record (MBR), followed by the drive's boot sector. The Windows 7 startup process has seven steps:
1. The BIOS performs a Power On Self-Test (POST). From a startup perspective, the BIOS enables the computer to access peripherals, such as hard disks, keyboards, and the computer display, prior to loading the operating system.
2. The computer uses information in the BIOS to locate an installed hard disk, which should contain a master boot record.
3. The computer calls and loads Bootmgr.exe, which then locates an active drive partition on sector 0 of the discovered hard disk.
4. Bootmgr.exe reads the BCD file from the active partition, gathers information about the machine's installed operating systems, and then displays a boot menu, if necessary.
5. Bootmgr.exe transfers control to winload.exe, or it calls winresume.exe for a resume operation. If winload.exe selects a down-level operating system, such as Windows XP Professional, Bootmgr.exe transfers control to NTLDR. Otherwise, winload.exe initializes memory and loads drivers that are set to begin at startup. These drivers are for fundamental hardware components, such as disk controllers and peripheral bus drivers.
6. Winload.exe then transfers control to the kernel of the operating system, ntoskrnl.exe. The kernel initializes, and then higher-level drivers and services are loaded. During this phase, you will see the screen switch to graphical mode as the Windows subsystem is initialized.
7. The operating system displays the logon splash screen, and a user logs on to the computer.

Note Until a user has logged on, startup is not considered successful.


Windows Startup Recovery Options

If your computer fails to start correctly, you can use a number of tools to help resolve the problem.

Windows Recovery Environment


Windows RE is a recovery platform that is based on the Windows Preinstallation Environment (Windows PE). Windows RE was new for Windows Vista, and replaced the Recovery Console in Windows XP. Windows RE provides two main functions:
- Diagnoses and repairs startup problems automatically by using the Startup Repair tool.
- Provides a centralized platform for additional advanced recovery tools.

Accessing Windows RE
To access Windows RE:
1. Insert the Windows 7 DVD, and then start the computer.
2. When prompted, run the Windows 7 DVD Setup program.
3. After you configure language and keyboard settings, select the Repair your computer option, which scans the computer for Windows installations and then presents you with a troubleshooting tools menu.

Note Windows RE is also accessible from the hard disk. This is a more convenient method for accessing Windows RE. However, bear in mind that with certain failed startup conditions, Windows RE is not available from the hard disk.


Automatic Failover
Windows 7 provides an on-disk Windows RE. A computer that is running Windows 7 can fail over automatically to the on-disk Windows RE if it detects a startup failure. During startup, the Windows loader sets a status flag that indicates when the boot process starts. The Windows loader clears this flag before it displays the Windows logon screen. If the startup fails, the loader does not clear the flag. Consequently, the next time the computer starts, the Windows loader detects the flag, assumes that a startup failure has occurred, and then launches Windows RE instead of Windows 7. The advantage of automatic failover to Windows RE Startup Repair is that you may not need to check the problematic computer when a startup problem occurs. Note that the computer must start successfully for the Windows loader to remove the flag. If the computer's power is interrupted during the startup sequence, the flag is not removed, and automatic Startup Repair is initiated. Bear in mind that this automatic failover requires the presence of both the Windows boot manager and the Windows loader. If either of these elements of the startup environment is missing or corrupt, automatic failover cannot function, and you must initiate a manual diagnosis and repair of the computer's startup environment.

Advanced Boot Options


Windows 7 provides advanced boot options that you can use to start the operating system in advanced troubleshooting modes, including:
- Repair your computer
- Safe mode
- Safe mode with networking
- Safe mode with command prompt
- Enable boot logging
- Enable low resolution video (640 x 480)
- Last Known Good Configuration (advanced)
- Debugging Mode
- Disable automatic restart on system failure
- Disable Driver Signature Enforcement
- Start Windows normally

Note The next lesson covers Advanced Boot Options in detail.


Recovery Tools Available in Windows RE

Windows RE provides access to five tools that you can use to help recover your computers startup environment.

Startup Repair
The Startup Repair tool in Windows RE provides a simple and effective way for you to resolve most common startup problems. The following sections describe Startup Repair tool functions.

Replace or Repair Disk Metadata. Disk metadata consists of several components, including the boot sector and the MBR. If these files are missing or corrupt, the startup process fails. If you suspect that an issue has damaged or deleted these files, use Startup Repair to check for problems with the disk metadata. Startup Repair automatically checks and, if necessary, repairs the disk metadata. Damage to the disk metadata often occurs because of unsuccessful attempts to install multiple operating systems on a single computer. Another possible cause of metadata corruption is a virus infection.

Repair Boot Configuration Settings. Windows XP and earlier Windows operating system versions stored the boot configuration information in Boot.ini, a simple text file. However, Windows 7 uses a configuration store that is in the C:\Boot folder. If the boot configuration data is damaged or deleted, the operating system fails to start. The Startup Repair tool checks and, if necessary, rebuilds the BCD, by scanning for Windows installations on the local hard disks, and then storing the necessary BCD.


Resolve Incompatible Driver Issues. Installing a new hardware device and its associated device driver often causes Windows to start incorrectly. The Startup Repair tool performs device driver checks as part of its analysis of your computer. If Startup Repair detects a driver problem, it uses System Restore points to attempt a resolution, by rolling back configuration to a known working state.

Note Even if you do not manually create restore points in Windows 7, installing a new device driver automatically causes Windows 7 to create a restore point prior to the installation.

System Restore
Windows 7 provides System Restore capabilities that you can access from the System Tools folder. If you have a system failure or another significant problem with your computer, you can use System Restore to return your computer to an earlier state. The primary benefit of System Restore is that it restores your system to a workable state without reinstalling the operating system or causing data loss. Additionally, if the computer does not start successfully, you can use System Restore by booting in Windows RE from the product DVD.

System Image Restore


System Image Restore replaces your computer's current operating system with a complete computer backup that you created previously and that you stored as a system image. You can use this tool only if you have made a recent complete backup of your computer. You should use this tool only if other methods of recovery are unsuccessful; this is because it is a very intrusive recovery method that overwrites everything on the computer.

Windows Memory Diagnostics


You can use this tool if you suspect that your computer has a physical memory problem. The Windows Memory Diagnostics Tool produces a report if it detects that your computer has memory-related problems.

Command Prompt
Windows 7 uses a Command Prompt tool from the Windows RE tool set as its command-line interface. The Command Prompt tool is more powerful than the Recovery Console, and its features are similar to the command prompt that is available when Windows 7 is running normally.

Resolve Problems with a Service or Device Driver. If a computer that is running Windows 7 experiences problems with a device driver or Windows service, use the Command Prompt tool to attempt a resolution. For example, if a device driver fails to start, use the command prompt to install a replacement driver, or disable the existing driver from the registry. If the Netlogon service fails to start, type Net Start Netlogon at the command prompt. You also can use the SC (SC.exe) command-line tool to start and stop services.

Recover Missing Files. The Command Prompt tool also enables you to copy missing files to your computer's hard disk from original source media, such as the Windows 7 product DVD or USB memory stick.


Access and Configure the BCD. Windows 7 uses a BCD store to retain information about the operating systems that you install on the local computer. You can access this information by using the BCDEdit.exe tool at the command prompt. You also can reconfigure the store, if necessary. For example, you can reconfigure the default operating system on a dual-boot computer with the BCDEdit.exe /default id command.

Repair the Boot Sector and MBR. If the boot sector or MBR on the local hard disk is damaged or missing, a computer that is running Windows 7 will fail to start successfully. You can launch the Bootrec.exe program at the command prompt to resolve problems with the disk metadata.

Run Diagnostic and Troubleshooting Tools. The Command Prompt tool provides access to many programs that you can access from Windows 7 during normal operations. These programs include several troubleshooting and diagnostics tools, such as the registry editor (Regedit.exe), a disk and partition management tool (Diskpart.exe), and several networking configuration tools (Net.exe, Ipconfig.exe, and Netcfg.exe). Another option is to load Task Manager (Taskmgr.exe), which you can use to determine which programs and services are running currently.

Note Windows PE is not a complete operating system. Therefore, when you use the Command Prompt tool in Windows RE, remember that not all programs that work in Windows will work at the command prompt. Additionally, because there are no logon requirements for Windows PE and Windows RE, Windows restricts the use of some programs for security reasons, including many that administrators typically run.


Demonstration: Examine the Startup Environment with Windows RE

In this demonstration, you will see how to examine the Windows 7 startup environment. To perform this procedure, the instructor must start the computer from the product DVD, and then select the Repair your computer option. The instructor will demonstrate how to use the command prompt and startup repair tools.

Demonstration Steps
1. Use the Hyper-V Manager console to mount the product DVD.
2. Restart the virtual machine.
3. Boot into the setup program, and then select Repair your computer.
4. Open the recovery Command Prompt.
5. Determine where the C drive files are stored.
6. Test some typical command-line tools, such as net start.
7. Use Regedit.exe, sc.exe, and bootrec.exe.
8. Close the command prompt, and then restart the computer.


Windows System Restore

Windows 7 enables System Restore features automatically. System Restore takes snapshots of your computer system, and then saves them as restore points. These restore points represent a point in time for the computer's configuration when it was running successfully. Once you enable System Restore points, Windows 7 creates them automatically when the following actions occur:
- You install a new application or driver
- You uninstall or install certain programs
- You install updates

Windows 7 also creates them:
- Once daily.
- Manually, whenever you choose to create them.
- Automatically, if you choose to use System Restore to restore to a previous restore point. In this instance, System Restore creates a new restore point before it restores the system to a previous state. This provides you with a recovery option should the restore operation fail or result in issues. Windows RE does not create a restore point for the current state if you are in Safe mode and you restore to a previous state.

Note To create a restore point manually, go to the System Protection tab on the Computer property sheet, and then click the Create button.


Perform Driver Rollbacks


You may use System Restore when you install a device driver that results in a computer that is unstable or that fails to operate entirely. Earlier Windows versions had a mechanism for driver rollback, but it required the computer to start successfully from Safe mode. With Windows 7 computers, you can use System Restore to perform driver rollback by accessing the restore points, even when the computer does not start successfully.

Protect Against Accidental Deletion of Programs


System Restore also provides protection against accidental deletion of programs. System Restore creates restore points when you add or remove programs, and it keeps copies of application programs (file names with an .exe or .dll extension). If you accidentally delete an .exe file, you can use System Restore to recover the file by selecting a recent restore point prior to when you deleted the program.

Note If you disable System Restore, Windows deletes all existing restore points.


Practice: Fixing the Startup Environment by Accessing System Restore

In this practice, you will create a system restore point. You then will use both Windows 7 and Windows RE to apply the restore point.

Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and 6293A-NYC-CL1 should be running. Before you begin the practice, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on by using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso

Repeat steps 2 and 3 for 6293A-NYC-CL1.


Detailed Steps

Task 1: Verify that System Restore is enabled

1. Switch to NYC-CL1.
2. Log on by using the following credentials:
User name: NYC-CL1\WSAdmin
Password: Pa$$w0rd
3. Click Start, right-click Computer, and then click Properties.
4. In System, click System protection.
5. In the System Properties dialog box, click Local Disk (C:) (System), and then click Configure.
6. In the System Protection for Local Disk (C:) dialog box, click Restore system settings and previous versions of files, and then click OK.

Task 2: Create a system restore point


1. In the System Properties dialog box, click Create.
2. In the System Protection dialog box, type Initial restore point, and then click Create.
3. In the System Protection dialog box, click Close.
4. In the System Properties dialog box, click OK.

Task 3: Access System Restore from Windows 7


1. Click Start, and then in the Search box, type System Restore.
2. In the Programs (1) list, click System Restore.
3. In the System Restore dialog box, click Next. The restore point you created should be listed.
4. Click Cancel.

Task 4: Access System Restore from Windows RE


1. Click Start, and in the Search box, type shutdown /r, and then press Enter. Windows restarts.
2. When the virtual machine is restarting, when the Press any key to boot from CD or DVD message appears, press Spacebar. Setup loads.
3. When prompted, in the Install Windows dialog box, click Next.
4. On the Install now page, click Repair your computer.
5. In the System Recovery Options dialog box, click Next.
6. In the System Recovery Options dialog box, click System Restore.
7. In the System Restore dialog box, click Next. The restore point you created should be listed.


Task 5: Apply a restore point


1. In the System Restore dialog box, select Initial restore point, and then click Next.
2. On the Confirm your restore point page, click Finish.
3. In the Warning dialog box, click Yes.
4. In the System Restore message dialog box, click Restart.
5. Log on by using the following credentials:
User name: NYC-CL1\WSAdmin
Password: Pa$$w0rd
6. In the System Restore dialog box, click Close.

To prepare for the next practice


When you finish, leave the virtual machines running.


Lesson 2

Configuring and Troubleshooting Startup Settings

To troubleshoot a Windows 7 computer that fails to start properly, you must understand the boot process, and the role of the BCD store in troubleshooting. This lesson describes the BCD store and how it controls the boot process flow, and it also describes the tools and utilities that you can use to configure the Windows 7 boot process.

Objectives
After completing this lesson, you will be able to:
- Describe the role of the BCD Store.
- Describe the BCD settings.
- Repair the BCD Store by using the BCDEdit tool.
- Describe the MSConfig tool.
- Configure startup settings by using the MSConfig tool.
- Explain the advanced boot options available in Windows 7.


What Is the Role of the Windows 7 BCD Store?

The BCD store is an extensible database of objects and elements that can include information about a current hibernation image, and special configuration options for booting Windows 7 or an alternate operating system. The BCD provides an improved mechanism for describing boot configuration data for new firmware models. The boot sector loads Bootmgr.exe, which in turn accesses the BCD, and then uses that information to display a boot menu to the user (if multiple boot options exist) and to load the operating system.

These parameters were previously in the Boot.ini file (in BIOS-based operating systems) or in the nonvolatile RAM (NVRAM) entries in operating systems based on an Extensible Firmware Interface (EFI). However, Windows 7 replaces the boot.ini file and NVRAM entries with the BCD. This file is more versatile than boot.ini, and it can apply to computer platforms that do not use the BIOS to start the computer. You also can apply it to firmware models, such as computers that are based on EFI. Windows 7 stores the BCD as a registry hive. For BIOS-based systems, the BCD registry file is in the active partition's \Boot directory. For EFI-based systems, the BCD registry file is on the EFI system partition.


Understanding the BCD Configuration Settings

Depending on what you want to change, you can use the following tools to modify the BCD:
- Startup and recovery. The Startup and recovery dialog box enables you to select the default operating system if you have multiple operating systems installed on your computer. You also can change the time-out value. These settings are on the Advanced tab in the System Properties dialog box.
- System Configuration Utility (MSConfig.exe). MSConfig.exe is an advanced tool that enables you to select the following startup options:
  - Debug. Enables kernel-mode debugging for device driver development.
  - Safe boot. Enables you to select:
    - Safe boot: Minimal. On startup, opens the Windows graphical user interface (Windows Explorer) in safe mode running only critical system services. Networking is disabled.
    - Safe boot: Alternate shell. On startup, opens the Windows command prompt in safe mode running only critical system services. Networking and the graphical user interface are disabled.
    - Safe boot: Active Directory Domain Services (AD DS) repair. On startup, opens the Windows graphical user interface in safe mode running critical system services and AD DS.
    - Safe boot: Network. On startup, opens the Windows graphical user interface in safe mode running only critical system services. Networking is enabled.
  - Boot log. Records startup information into a log file.
  - No GUI boot. Does not display the Windows Welcome screen when starting.
  - Base video. Uses a generic video display adapter driver.
  - Number of processors. Limits the number of processors used on a multiprocessor system.

- BCDEdit.exe. You can use BCDEdit, a command-line tool, to change the BCD, such as removing entries from the list that displays operating systems. This advanced tool is for administrators and IT professionals. BCDEdit.exe is a command-line tool that replaces Bootcfg.exe in Windows 7. BCDEdit.exe currently enables you to:
  - Add entries to an existing BCD store.
  - Modify existing entries in a BCD store.
  - Delete entries from a BCD store.
  - Export entries to a BCD store.
  - Import entries from a BCD store.
  - List currently active settings.
  - Query a particular type of entries.
  - Apply a global change (to all the entries).
  - Change the default time-out value.

Typical reasons to manipulate the BCD with BCDEdit.exe include:
- Adding a new hard disk to your Windows 7 computer, changing the logical drive numbering.
- Installing additional operating systems on your Windows 7 computer, creating a multiboot configuration.
- Deploying Windows 7 to a new computer with a blank hard disk, requiring you to configure the appropriate boot store.
- Performing a backup of the BCD.
- Restoring a corrupted BCD.

The following table provides additional information about the command-line syntax for BCDEdit.exe.

Commands that operate on a store
  /createstore        Creates a new empty BCD store
  /export             Exports the contents of the system BCD store to a specified file
  /import             Restores the state of the system BCD store from a specified file

Commands that operate on boot entries in a store
  /copy               Makes copies of boot entries
  /create             Creates new boot entries
  /delete             Deletes boot entries

Commands that operate on elements
  /deletevalue        Deletes elements from a boot entry
  /set                Creates or modifies a boot entry's elements

Commands that control output
  /enum               Lists the boot entries in a store

Commands that control Boot Manager
  /bootsequence       Specifies a one-time boot sequence
  /default            Specifies the default boot entry
  /displayorder       Specifies the order in which Boot Manager displays its menu
  /timeout            Specifies the Boot Manager Timeout value
  /toolsdisplayorder  Specifies the order in which Boot Manager displays the tools menu

Commands that control Emergency Management Services
  /bootems            Enables or disables Emergency Management Services (EMS) for a specified boot application
  /ems                Enables or disables EMS for an operating system boot entry
  /emssettings        Specifies global EMS parameters

Commands that control debugging
  /bootdebug          Enables or disables boot debugging for a boot application
  /dbgsettings        Specifies global debugger parameters
  /debug              Enables or disables kernel debugging for an operating system boot entry

Commands that modify other commands
  /store              Specifies the BCD store upon which a command acts
  /v                  Displays boot entry identifiers in full, rather than using well-known identifiers


- BootRec.exe. Use the bootrec.exe tool with the /rebuildbcd option in Windows RE to rebuild the BCD. You must run bootrec.exe in Windows RE. If rebuilding the BCD does not resolve the startup issue, you can export and delete the BCD, and then run this option again. By doing this, you ensure that the BCD rebuilds completely.

Note You can also use the BCD WMI provider to make changes to the BCD by using scripts. The BCD WMI provider is a management interface and is the only programmatic interface available for BCD.
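As an added example that is not part of the course material, the following Python script parses the text that Bcdedit /enum prints and flags the conditions this lesson describes: a missing Windows Boot Manager entry (the state the practice in this lesson creates with Bcdedit /delete {bootmgr} /f), a default entry that points to nothing in the store, loader entries without the device, path or osdevice elements you are asked to note, and the testsigning and nointegritychecks elements that weaken driver signature enforcement. Both listings are constructed samples, not captured from a real computer; on Windows the script runs bcdedit itself from an elevated prompt.

```python
"""Check a `bcdedit /enum` listing for startup-breaking or signature-weakening
settings.  Added example; both sample listings are constructed, not captured."""
import re
import subprocess
import sys

# Constructed sample of a healthy single-boot Windows 7 store.
SAMPLE_HEALTHY = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
default                 {current}
displayorder            {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
osdevice                partition=C:
systemroot              \Windows
"""

# Constructed sample mirroring the practice in this lesson after
# "Bcdedit /delete {bootmgr} /f", with driver signature checks also switched
# off on the loader entry.
SAMPLE_BROKEN = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
osdevice                partition=C:
testsigning             Yes
nointegritychecks       Yes
"""

# An element line is "<name><two or more spaces><value>".
ELEMENT_RE = re.compile(r"^(\S+)\s{2,}(\S.*)$")


def parse_bcd_listing(text):
    """Return one dict per entry: the section title under "_type" and a list
    of values per element (displayorder may continue over several lines)."""
    entries, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                            # blank line ends the entry
            current, last_key = None, None
            continue
        if set(line.strip()) == {"-"}:          # underline below the title
            continue
        if current is not None and line[0].isspace() and last_key:
            current[last_key].append(line.strip())   # continuation value
            continue
        match = ELEMENT_RE.match(line)
        if current is not None and match:
            last_key = match.group(1).lower()
            current.setdefault(last_key, []).append(match.group(2).strip())
        else:                                   # a new entry title
            current = {"_type": line.strip()}
            entries.append(current)
    return entries


def check_bcd(entries):
    """Return human-readable findings; an empty list means the store looks sane."""
    findings = []
    identifiers = {e.get("identifier", [None])[0] for e in entries}
    managers = [e for e in entries if e["_type"] == "Windows Boot Manager"]
    if not managers:
        findings.append("no Windows Boot Manager entry: nothing for Bootmgr.exe "
                        "to select (rebuild with bootrec /rebuildbcd)")
    elif managers[0].get("default", [None])[0] not in identifiers:
        findings.append("default entry does not exist in the store")
    for entry in entries:
        if entry["_type"] != "Windows Boot Loader":
            continue
        ident = entry.get("identifier", ["<no identifier>"])[0]
        for required in ("device", "path", "osdevice"):
            if required not in entry:       # Winload.exe or the OS volume is lost
                findings.append(f"{ident}: missing {required} element")
        for element in ("testsigning", "nointegritychecks"):
            if entry.get(element, ["No"])[0].lower() == "yes":
                findings.append(f"{ident}: {element} is enabled, driver "
                                "signature enforcement is weakened")
    return findings


if __name__ == "__main__":  # on Windows (elevated prompt) check the live store
    text = (subprocess.run(["bcdedit", "/enum"], capture_output=True,
                           text=True, check=True).stdout
            if sys.platform == "win32" else SAMPLE_BROKEN)
    for finding in check_bcd(parse_bcd_listing(text)):
        print("FINDING:", finding)
```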


Practice: Using BCDEdit to Configure the BCD Store

In this practice, you will modify the startup environment of the NYC-CL1 computer. By using BCDEdit.exe, you will modify the boot environment before you use Windows RE to launch the command prompt repair tool. You then will use BCDEdit.exe and Bootrec.exe to repair the startup environment.

Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and 6293A-NYC-CL1 should be running.

Detailed Steps

Task 1: Examine the boot environment


1. Switch to NYC-CL1.
2. Click Start, right-click Computer, and then click Properties.
3. In System, click Advanced system settings.
4. In the System Properties dialog box, under Startup and Recovery, click Settings. The default operating system is displayed with the startup options.
5. Click OK, and then in the System Properties dialog box, click OK.

Task 2: Use BCDEdit to manipulate the boot environment


1. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as Administrator.
2. In the User Account Control window, click Yes.

3. At the command prompt, type the following command, and then press Enter:
Bcdedit /enum
4. Note the locations of Bootmgr.exe, Winload.exe, and the osdevice.
5. At the command prompt, type the following command, and then press Enter:
Bcdedit /export C:\bcdback
The boot configuration data is exported to a file named Bcdback.
6. At the command prompt, type the following command, and then press Enter:
Bcdedit /delete {bootmgr} /f
7. At the command prompt, type the following command, and then press Enter:
Shutdown /r
The computer restarts. Do not boot from CD or DVD. The boot fails with a BCD error.

Task 3: Repair the BCD


1. Press ESC to restart the computer. While the virtual machine is restarting, and the Press any key to boot from CD or DVD message appears, press Spacebar. Setup loads.
2. When prompted, in the Install Windows dialog box, click Next.
3. On the Install now page, click Repair your computer.
4. In the System Recovery Options dialog box, click No. You will repair the BCD manually.
5. In the System Recovery Options dialog box, click Use recovery tools that can help fix problems starting Windows, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. At the command prompt, type the following command, and then press Enter:
E:
8. At the command prompt, type the following command, and then press Enter:
Cd\windows\system32
9. At the command prompt, type the following command, and then press Enter:
Bcdedit /enum
10. At the command prompt, type the following command, and then press Enter:
Bootrec /rebuildBcd
11. When prompted, press A at the command prompt, and then press Enter.
12. Switch to the System Recovery Options dialog box, and then click Restart.
13. Log on by using the following credentials:
User name: NYC-CL1\WSAdmin
Password: Pa$$w0rd

To prepare for the next practice


When you finish, leave the virtual machines running.


Configuring Environments with the System Configuration Tool

The System Configuration Tool (MSConfig.exe) automates the troubleshooting steps that assist you in diagnosing issues with your system's configuration. When you use this tool, you can change the way Windows 7 boots, and you can select options to prevent services and programs from loading during the Windows startup process. You can reset or change the Windows 7 configuration settings easily to include preferences for the following:
- Startup options
- Services that you want to start during the startup process
- Programs that you want to load during the startup process

Changes you make are undone if later you select the Normal startup option, unless you select the check box titled Make All Boot Settings Permanent. The System Configuration utility dialog box has five tabs:
- General. Enables you to select the startup environment. You can choose between Normal, Diagnostic, or Selective startup.
- Boot. Enables you to select boot options, such as Safe boot, No GUI boot, and Base video, and to select Advanced options, such as selecting the number of processors that you want to use, setting the maximum memory available, or locking PCI (Peripheral Component Interconnect) devices to resources.


- Services. Provides a list of all services that start when the computer boots, and their current status, which is Running or Stopped. You can enable or disable individual services at boot time to troubleshoot services that might be contributing to startup problems. You can select the option to Hide all Microsoft services, which enables you to identify nonstandard services that might be causing a startup problem.
- Startup. Enables you to view and select which applications to run at startup. Two features on the Startup tab include the Manufacturer heading, which can help you identify an application, and the Date Disabled heading, which can help you keep track of the date on which you disabled a startup application.
- Tools. Provides an easy method to launch various system tools. For example, you can change the settings for User Account Control, launch Action Center, and access Computer Management and other system tools.


Practice: Manage the Startup Environment with System Configuration

In this practice, you determine which operating system services are running. Using MSConfig.exe, you will disable the Windows Firewall service, and then select Safe Mode. After restarting NYC-CL1, you will permanently disable Windows Defender. Finally, you will start Windows 7 normally, and then verify that these services are running correctly.

Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and 6293A-NYC-CL1 should be running.

Detailed Steps

Task 1: Determine which services are running


1. Switch to the NYC-CL1 computer.
2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt, type the following command, and then press Enter:
Net start

4. Verify that Windows Firewall is listed.

Task 2: Disable a service, and perform a clean restart of the computer


1. At the command prompt, type the following command, and then press Enter:
msconfig

2. In the System Configuration dialog box, click the Services tab, and then locate the Windows Firewall service.


3. Clear the Windows Firewall check box, and then click Apply.
4. Click the Boot tab.
5. Under Boot options, select the Safe boot check box, and then click OK.
6. In the System Configuration dialog box, click Restart.
7. Log on by using the following credentials:
   User name: NYC-CL1\WSAdmin
   Password: Pa$$w0rd

Task 3: Verify that the service is disabled


1. Click Start, right-click Computer, and then click Manage.
2. Expand Services and Applications, and then click Services.
3. In the list of services, click Windows Firewall, and verify that it is disabled.

Task 4: Permanently disable a service from Safe mode


1. In the list of services, double-click Windows Defender.
2. In the Startup type list, click Disabled, and then click OK.
3. Close Computer Management.

Task 5: Configure Windows 7 to start normally


1. Click Start, and in the Search box, type msconfig, and then press Enter.
2. In the System Configuration dialog box, select the General tab, click Normal startup, and then click OK.
3. In the System Configuration dialog box, click Restart.
4. Log on by using the following credentials:
   User name: NYC-CL1\WSAdmin
   Password: Pa$$w0rd

Task 6: Verify service status


1. Click Start, right-click Computer, and then click Manage.
2. Expand Services and Applications, and then click Services.
3. In the list of services, click Windows Firewall, and then verify that it is running.
4. In the list of services, click Windows Defender, and then verify that it is disabled.
5. Close Computer Management.


To prepare for the lab


When you finish, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1.


Advanced Boot Options in Windows 7

Windows 7 provides advanced boot options that you can use to start the operating system in an advanced troubleshooting mode. To access the Advanced Boot Options menu, you must press F8 during the startup process. This troubleshooting boot mode enables you to start a computer that is experiencing problems, or is unable to perform a normal boot. The following options are available from the boot menu:
- Repair your computer. Displays a collection of system recovery tools addressing startup problems. You also can run diagnostics, and restore the system.
- Safe mode. Starts Windows with a minimal set of drivers and services. This is one of the most useful boot options, because it allows access to the operating system when a high-level service or application prevents a normal boot. This enables you to perform diagnostics and fix the problem.
- Safe mode with networking. Starts Windows in Safe mode, and includes the network drivers and services that you need to access the Internet or other network computers.
- Safe mode with command prompt. Starts Windows in Safe mode with a command prompt window rather than the usual Windows interface. You typically use this when other startup options do not work.
- Enable log booting. Creates the ntbtlog.txt file, which can be useful for advanced troubleshooting. This file lists all drivers that Windows installs during startup.
- Enable low resolution video (640 X 480). Starts Windows using your current video driver, and low resolution and refresh rate settings. Use this mode to reset your display settings.


- Last Known Good Configuration (advanced). Starts Windows with the last successful registry and driver configuration. This is useful if a driver issue is preventing the computer from properly starting. This does not repair corrupt or missing files.
- Debugging Mode. Starts Windows in an advanced troubleshooting mode intended for IT professionals and system administrators. Debugging enables you to examine the behavior of the operating system's device drivers. This is especially useful when Windows stops unexpectedly, as it may provide additional information for driver developers.
- Disable automatic restart on system failure. Prevents Windows from restarting automatically if an error causes Windows to fail. Choose this option only if the computer loops through the startup process repeatedly by failing to start correctly, and then attempting another restart.
- Disable Driver Signature Enforcement. Allows you to install drivers that contain improper signatures.
- Start Windows normally. Starts Windows in normal mode.


Lesson 3

Troubleshooting Operating System Services Issues

Failures of an operating system service often result in problems that are not severe enough to prevent the computer from starting, but that restrict functionality. Therefore, it is important that you understand how to identify and rectify service-related startup problems.

Objectives
After completing this lesson, you will be able to:
- Describe operating system services.
- Identify failed services by using Windows 7 tools.
- Explain how to use tools and utilities to disable services.


Operating System Services

It is important to understand the differences between software applications, operating system services, and hardware devices and their associated device drivers. Applications operate at a high level by integrating with the computer user, and at a lower level by integrating with the operating system. You install applications after you install the operating system, and you must start applications manually to use them. Operating system services are part of the operating system rather than something that you install after the operating system deploys. Additionally, operating system services function with no user action. In fact, they start before a user logs on to the computer. The difference between operating system services and device drivers is that device drivers interact directly with hardware devices or components. Generally, a system service interacts with other software components in the operating system. From a management perspective, the difference between device drivers and services is more obvious: you use Device Manager to manage device drivers, and you use the services Microsoft Management Console (MMC) snap-in to manage system services.


Identifying Failed Services

When troubleshooting a computer that has problems with its operating system services, the operating system may return an error after you log on to the computer. This error message may indicate that a service failed to start. Windows 7 provides several tools that can help you determine which operating system service failed to start correctly. Because some services are dependent on other services or drivers to start successfully, you always should consider that the failure of one service might be related to, or caused by, the failure of another service.

Event Viewer
Windows 7 includes a tool called Event Viewer that allows you to examine certain log files that provide information about applications, system events, and security-related matters. Event Viewer provides access to the Windows logs, and also to applications and services logs. The following information summarizes the information that you can access from the Windows logs.
- Application. The application log contains events that applications generate. For example, a database program records a file error in the application log, and the program developer decides which events to record.
- Security. The security log records security events, such as valid and invalid logon attempts, and events related to resource use, such as creating, opening, or deleting files. An administrator specifies which events Windows 7 records in the security log by creating a domain-wide audit policy.
- System. The system log contains events that the system components in Windows 7 generate. For example, if a driver or other system component fails to load during startup, Windows 7 records this failure in the system log. Windows 7 predetermines the event types that the system components log. For example, event ID 7036 identifies a service startup or shutdown.


If you encounter problems with service startup, examine the system and application logs for related events. Windows 7 logs the following three event types:
- Information events
- Warning events
- Error events

When you troubleshoot startup problems with services, pay special attention to error events that the system log records. All users can access the application and system logs, but only members of the local Administrators group can use the security log.
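The following PowerShell script is an added example, not part of the course material: it lists services that are set to start automatically but are not running, and pulls the Service Control Manager entries from the system log for each one, including the event ID 7036 state changes described above and the error events the text tells you to focus on. The function names are assumptions; it assumes Windows 7 with PowerShell 2.0 or later.

```powershell
# Added example (not from the 6293A course): correlate stopped auto-start services with
# Service Control Manager events in the System log. Function names are assumptions.

function Get-StoppedAutoStartService {
    # Win32_Service exposes the start mode (Get-Service on Windows 7 does not). Some
    # auto-start services stop by design when their work is done, so treat a hit as a
    # lead to check, not as proof of failure. Exit code 1077 means the service has not
    # been started at all since the last boot.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object Name, DisplayName, State, ExitCode
}

function Get-ServiceControlEvent {
    # Service Control Manager events since $Since. ID 7036 records every start and stop
    # ("The <display name> service entered the <state> state."); error-level events
    # record services that failed to start and why.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; StartTime = $Since }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($ev in $events) {
        $service = $null; $state = $null
        if ($ev.Id -eq 7036 -and $ev.Message -match '^The (.+) service entered the (\w+) state') {
            $service = $matches[1]; $state = $matches[2]
        }
        New-Object PSObject -Property @{
            Time    = $ev.TimeCreated
            Id      = $ev.Id
            Level   = $ev.LevelDisplayName
            Service = $service
            State   = $state
            Message = (([string]$ev.Message) -split "`r?`n")[0]   # first line only
        }
    }
}

function Find-ServiceStartupProblem {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $events = @(Get-ServiceControlEvent -Since $Since)
    foreach ($svc in @(Get-StoppedAutoStartService)) {
        Write-Host ''
        Write-Host ('{0} ({1}) is {2}, exit code {3}' -f $svc.DisplayName, $svc.Name, $svc.State, $svc.ExitCode)
        # SCM messages name the service by display name, so match on that.
        $related = @($events | Where-Object { $_.Message -match [regex]::Escape($svc.DisplayName) })
        foreach ($e in ($related | Sort-Object Time)) {
            Write-Host ('  {0:yyyy-MM-dd HH:mm:ss}  {1,-5} {2,-11} {3}' -f $e.Time, $e.Id, $e.Level, $e.Message)
        }
    }
    # Return every SCM error in the window as well: a failure often names a dependency
    # (another service or a driver) rather than the service the user complained about.
    $events | Where-Object { $_.Level -eq 'Error' } | Sort-Object Time | Select-Object Time, Id, Message
}

Find-ServiceStartupProblem | Format-Table -AutoSize
```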

Log Files
In addition to the logs accessible from Event Viewer, Windows 7 records other events in other log files. For example, use MSConfig.exe to configure Windows 7 to record a boot log file when it starts. The boot log file, Ntbtlog.txt, is stored in the Windows folder. It contains a list of all drivers and some services that start during the boot process. If a problem occurs with a service, activate boot logging, and then examine the log.

Note You also can activate boot logging from the Advanced Startup Options menu, which is accessible by pressing F8 during the start sequence.

Stop Codes
If the Windows 7 operating system experiences a system failure, it may display a stop code on a blue screen. The stop code may contain the name of the device driver or service that is causing the system failure, as well as information to help you diagnose the reason for the failure. Windows 7 records information related to the system failure in a system log file called a memory dump file, which is located in Windows\System32. Examine the contents of this memory dump file to help determine the reason for the system failure.

Action Center
Action Center provides a consolidated tool that enables you to track and repair reported problems. You also can configure Action Center to determine how your computer reports problems. Additionally, you can use Action Center to examine problems that Windows reports.

Online Reporting
Action Center contains a link that you can use to check online for solutions to problems. The link submits information regarding the problem to Microsoft. Online reporting of problems is a valuable way to help Microsoft identify issues with Windows 7 and create targeted product updates.


Disabling Services

After you determine which service is causing the startup problem, you can disable it. Depending on the circumstances, you can disable a service in several ways:

Safe Mode
If the Windows 7 computer does not start normally, try to start the computer in Safe Mode. Safe Mode is accessible from the Advanced Boot Options menu, but you also can activate Safe Mode from MSConfig.exe. In Safe Mode, a minimal set of services load during the startup process. However, these services are sufficient to load the operating system. You then can use standard operating system tools, such as Control Panel, Computer Management, Registry Editor, the services MMC snap-in, and Event Viewer, to troubleshoot the service startup problem.

Last Known Good Configuration


If you add or reconfigure a new service, Windows 7 updates the System hive in the computer's configuration database, or registry. If the reconfiguration or addition of a new service results in an unstable or unusable system, you should roll back the change. One way to do this is to use Last Known Good Configuration, which is accessible from the Advanced Boot Options menu. Use Last Known Good Configuration to roll back the computer registry System hive to an earlier working version. Because the System hive contains information related to the starting of services, rolling back the change to the System hive might help you resolve the problem without requiring you to disable the newly-installed service manually.

Note Once you log on to your computer, the Last Known Good configuration is overwritten with the Current configuration, and the ability to use Last Known Good as a recovery option is no longer available.


Command Prompt Recovery Tool


If you can start the operating system either normally or in Safe Mode, you can access the command prompt. If you cannot start the operating system, you can access the Command Prompt recovery tool from Windows RE. At the command prompt, use either the Net command or SC.exe to manually start, stop, activate, and disable services.

System Configuration Utility


Use MSConfig.exe to specify which services you want to run on startup. MSConfig.exe displays a list of services that start automatically, and you can selectively disable services. You also can use this tool to start the computer in Safe mode, and to configure additional startup characteristics while you troubleshoot the computer.

Remote Tools
If you can start Windows 7, but installed services do not start correctly, you might be able to troubleshoot the services remotely. You can use most of the built-in management consoles to connect to a remote machine and configure settings. The following list summarizes several remote tools that are available in Windows 7:
- Remote Assistance. Use Remote Assistance to offer help to a user with a computer experiencing service-related problems. You can connect to the user's computer, and then use troubleshooting tools to diagnose and fix the problem.
- Remote Desktop. Use Remote Desktop to connect to a computer with a service-related problem. You can use Remote Desktop to connect to, and take control of, the user's computer, and then use troubleshooting tools to diagnose and fix the problem.
- Windows Remote Shell (WinRS). Use this shell tool to manage another computer remotely. WinRS operates in the context of Windows Remote Management (WinRM), which is the Microsoft implementation of the WS-Management protocol.
- Custom Management Consoles. You can add most administrative snap-ins to custom management consoles, to connect to specific remote computers, and to configure settings on those computers.


Lab: Troubleshooting Startup Issues

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 and 3 for 6293A-NYC-CL1.


Lab Scenario
The help desk has received a number of trouble tickets that they cannot resolve, and they have passed those tickets to you. You need to determine how to resolve each problem, and then document your solution. For this project, you must complete the following tasks:
- Read the help-desk tickets.
- Plan a course of action.
- Attempt to resolve the problems.
- Document successful resolutions.


Exercise 1: Resolving a Startup Problem (1)


Scenario
In this exercise, you will attempt to fix a computer that is running Windows 7. The computer does not start successfully. You have an open help-desk ticket to help you determine the likely cause of the problem. The main tasks for this exercise are:
1. Read the help-desk Incident Record for Incident 601237.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 601237
Date of Call: February 21
Time of Call: 10:45
User: Adam Carter (Production Department)
Status: OPEN

Incident Details
Adam Carter has reported that his computer will not start properly.

Additional Information
Adam has been trying to install an additional operating system on his computer so that he can run a specific line-of-business application. He abandoned the installation after getting only partly through the process. Since then, his computer displays the following error message when it starts:
Windows Boot Manager.
File: \Boot\BCD
Status: 0xc0000034
Info: The Windows Boot Configuration Data file is missing required information.

Plan of Action

Resolution


Task 1: Read the help-desk Incident Record for Incident 601237


Read the help-desk Incident Record for Incident 601237.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem


1. Switch to NYC-CL1.
2. Log on by using the following credentials:
   User name: Contoso\Administrator
   Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod02\Scenario1.vbs script.
4. Wait while NYC-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Attempt to resolve the problem by using your knowledge of the startup architecture and the tools available for troubleshooting the startup environment.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines before proceeding to the next exercise.

4. If necessary, revert your virtual machines by using the following procedure:
   - On the host computer, start Hyper-V Manager.
   - Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   - In the Revert Virtual Machine dialog box, click Revert.
   - Repeat these steps for 6293A-NYC-CL1.
   - In Hyper-V Manager, click 6293A-NYC-DC1.
   - In the Actions pane, click Start.
   - In the Actions pane, click Connect. Wait until the virtual machine starts.
   - Repeat these steps for 6293A-NYC-CL1.
   - On NYC-CL1, log on by using the following credentials:
     User name: NYC-CL1\WSAdmin
     Password: Pa$$w0rd

Results: At the end of this exercise, you will have resolved the first startup problem and documented your solution.


Exercise 2: Resolving a Startup Problem (2)


Scenario
In this exercise, you will attempt to fix a computer that is running Windows 7. The computer does not start successfully. You have an open help-desk ticket to help you determine the likely cause of the problem. The main tasks for this exercise are:
1. Read the help-desk Incident Record for Incident 601338.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 601338
Date of Call: February 23
Time of Call: 13:30
User: Martin Berka (Marketing Department)
Status: OPEN

Incident Details
Martin contacted the help desk after attempting to install a new hard disk driver. Since the attempt, his computer does not start correctly.

Additional Information
Help desk staff recorded the following message:
A problem has been detected, and Windows has been shut down to prevent damage to your computer.
Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers.
Technical information:
*** STOP: 0x0000007B (0x8078BB58,0xC0000034,0x0000000,0x00000000)

Plan of Action

Resolution


Task 1: Read the help-desk Incident Record 601338


Read the help-desk Incident Record for incident 601338.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.
2. Run the D:\Labfiles\Mod02\Scenario2.vbs script.
3. Wait while NYC-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Using your knowledge of the startup architecture, and tools available for troubleshooting the startup environment, attempt to resolve the problem.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:
   - On the host computer, start Hyper-V Manager.
   - Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   - In the Revert Virtual Machine dialog box, click Revert.
   - Repeat these steps for 6293A-NYC-CL1.
   - In Hyper-V Manager, click 6293A-NYC-DC1.
   - In the Actions pane, click Start.
   - In the Actions pane, click Connect. Wait until the virtual machine starts.
   - Repeat these steps for 6293A-NYC-CL1.
   - On NYC-CL1, log on by using the following credentials:
     User name: NYC-CL1\WSAdmin
     Password: Pa$$w0rd

Results: At the end of this exercise, you will have resolved the startup problem and documented your solution.


To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1.


Module Review and Takeaways

Review Questions
1. After installing a new video driver, your user's computer becomes unstable and will not start correctly. What would you try first to resolve this problem?
2. The boot environment of a user's computer is corrupt, and you suspect a virus. Before you can run virus removal tools, you must recover the boot environment. What command-line tool(s) could you use?
3. Your user adds a new hard disk to the computer, which changes the computer's partition numbering. To enable the computer to start, the user needs you to change the BCD. What tool would you use?
4. A user has reported a problem to the help desk. They are experiencing problems with starting their computer after a new device driver was added. You decide to start the computer by using a minimal boot, but want to configure that from Windows before restarting. What tool could you use?
5. A system service is causing startup problems, and your help-desk user has started the problematic computer into Windows RE. What command-line tools, accessible from Windows RE, enable you to control the startup of services?
6. The help desk recently installed a new device driver on a computer. A stop code is generated along with a blue screen during startup. What recovery mechanism would you try first?


Tools
Tool                 Use for                                          Where to find it
BCDEdit.exe          Viewing and configuring the BCD store            Command-line
sc.exe               Managing services                                Command-line
MSConfig.exe         Managing services and the startup environment    Windows
Windows RE           Troubleshooting Windows 7 computers              Elements available on hard disk (automatic failover) and the product DVD
Safe Mode            Troubleshooting startup                          Accessible from the Advanced Boot Options menu
Bootrec.exe          Managing the boot environment                    Command-line
Sysinternals Suite   Advanced configuration and troubleshooting       Download from the Microsoft TechNet website


Module 3
Using Group Policy to Centralize Configuration
Contents:
Lesson 1: Overview of Group Policy Application 3-3
Lesson 2: Resolving Client Configuration Failures and GPO Application Issues 3-16
Lab: Using Group Policy to Centralize Configuration 3-27


Module Overview

Group Policy is an essential tool that you can use to configure the computer systems in an enterprise environment. With Group Policy, you can quickly and easily apply configuration settings centrally. This is faster and more practical than configuring hundreds or thousands of computers manually. In most cases, a server administrator administers an organization's Group Policy, rather than desktop support staff. However, it is important for desktop support staff to understand how Group Policy works and how to identify when an organization is not applying Group Policy objects (GPOs) properly.

Objectives
After completing this module, you will be able to:
- Describe Group Policy application.
- Troubleshoot client configuration failures and GPO application issues.


Lesson 1

Overview of Group Policy Application

You can manage GPOs centrally, and store them on domain controllers. Client computers download GPOs and apply them in specific ways, so it is important for you to understand how Windows 7 processes them so that you can identify when Windows 7 is not processing correctly.

Objectives
After completing this lesson, you will be able to:
- Describe Group Policy options for deploying configuration settings.
- Describe how Windows 7 processes GPOs.
- Describe Group Policy inheritance.
- Describe the application of Group Policy.
- Describe synchronous and asynchronous processing of GPOs.
- Describe loopback processing.
- Configure Group Policy in Active Directory Domain Services (AD DS).


Group Policy Options for Deploying Configuration Settings

Group Policy contains thousands of settings for configuring Windows 7. Each Windows 7 computer has a local Group Policy that you can edit to configure these settings. However, when you are managing client computers in an enterprise environment, it is not practical to modify the local Group Policy manually on each computer. Instead, you use AD DS to distribute GPOs. By default, Windows 7 computers download GPOs at startup and every 90 minutes thereafter.

Note A local GPO applies to all local and domain users. The user settings in a GPO that AD DS distributes do not apply to local users.

Inside a GPO, there are User Configuration settings and Computer Configuration settings. The User Configuration settings apply to user accounts, and the Computer Configuration settings apply to computer accounts. If the user account and computer account are in different organizational units (OUs), a single GPO may apply to the user who logs on, but not to the computer itself, and vice versa.

Within the User Configuration and Computer Configuration, there are policies and preferences. Policies are Microsoft Windows configuration settings that are enforced on the client; preferences are settings that are applied to the client, but the user has the option to change them. Preferences include items such as drive mappings and printers.


Processing GPOs

Windows 7 applies Group Policy for computers when users start the computers, and applies Group Policy for users when the user logs on to the computer. Computer and user settings are refreshed at regular, configurable intervals, and the default refresh interval is every 90 minutes. You also can force an update by running GPUpdate.exe at a command prompt. Group Policy Objects are processed in the following order:
1. Local GPOs
2. Site-level GPOs
3. Domain-level GPOs
4. Organizational Unit (OU) GPOs, including any nested OUs, starting with the OU that is furthest from the user or computer object

GPOs that are applied to higher-level containers pass through to all sub-containers in that part of the Active Directory tree. For example, a policy setting that is applied to an OU also applies to any child OUs below it. The local GPO is processed first, and the organizational unit to which the computer or user belongs is processed last. The last GPO processed is the effective setting. Other factors that can influence the processing of GPOs include:
- Security filtering. An individual GPO can have security filtering applied, which controls which users and computers are able to apply the GPO. By using security filtering, you limit a GPO to a specific group of users or computers. By default, Windows 7 applies a GPO to Authenticated Users, which allows all users and computers to apply it.
- Windows Management Instrumentation (WMI) filtering. You can link a WMI filter to an individual GPO, which restricts the computers to which the GPO applies. You can base a WMI filter's parameters on a wide variety of characteristics, such as installed software or hardware. An error in creating a WMI query in a WMI filter may result in a GPO not applying to any computers.

3-6

Troubleshooting and Supporting Windows 7 in the Enterprise

Slow link processing. By default, some GPO settings are not applied over slow links (500 kilobits per second (Kbps) or less) because it may take too long to download them. Administrative templates and security settings are processed regardless of link speed. This may result in roaming users with portable computers having a slightly different experience when they are not in the office and connected to the corporate network.


Group Policy Inheritance

You can create and link GPOs to users and computers at a site, domain, or OU. When you apply multiple GPOs to users and computers, this aggregates the settings in the GPOs. For most policy settings, the GPO with the highest precedence that contains the specific setting determines the setting's final value. For a few settings, the final value is actually the combination of values across GPOs. GPOs that Windows 7 processes last have the highest precedence. GPOs follow the Local, Site, Domain, OU rule for processing: first the local GPO, then the site, then the domain, and lastly the OU, including nested OUs, which are OUs that have another OU as their parent. In the case of nested OUs, GPOs associated with the parent OUs are processed prior to GPOs associated with the child OUs. In this processing order, Windows 7 applies local GPOs first, but they have the least precedence. Windows 7 processes OUs last, and they have the highest precedence. Several Group Policy options can alter this default inheritance behavior. These options include:

Link Order: The precedence order for GPOs linked to a given container. The GPO link with a Link Order of one has the highest precedence on that container. Changing the Link Order has no effect unless GPOs that link to the same location have conflicting settings.

Enforced: The ability to specify that a GPO takes precedence over any GPOs that link to child containers. Additionally, a GPO that Windows 7 enforces at the domain level overrides a GPO that it enforces at an OU. You typically enforce a GPO to ensure that computers use company-wide settings, and that departmental administrators do not override these settings by creating a GPO.

Block Inheritance: The ability to prevent an OU or domain from inheriting GPOs from any of its parent containers. Note that Enforced GPO links will always be inherited. You typically use blocking inheritance to allow a department to manage Group Policy settings separately from the rest of the organization.


Link Enabled: The ability to specify whether Windows 7 processes a specific GPO link for the container to which it links. When you do not enable a link, Windows 7 does not process the GPO. This is typically done during troubleshooting when you want to disable processing of a GPO to eliminate it as a source of configuration errors.


Discussion: Group Policy Application

Woodgrove Bank has a single domain with OUs that represent three regional offices. In each regional office, there is a single Computers OU that contains all computer accounts for that region. The organization stores user accounts for each region in various OUs based on workgroups. Each region has the following workgroups:
- Retail
- Commercial
- Managers

Discussion Questions
1. How would you use a GPO to distribute an application only to users in a single region?
2. You link the GPO to the computers OU in that region. Which settings are applied?
3. Why might it be a benefit for roaming users to link printer distribution to a site rather than a specific OU?
4. How can you configure security settings in a GPO and ensure that they are applied to all regions?
5. The home page for users is defined in a GPO that is linked to the domain. The home page points at the company intranet. The managers have a new web-based application that should be defined as their home page. This should be distributed by GPO. How can you do this?


Synchronous and Asynchronous Processing of GPOs

By default, Group Policy processing on Windows servers is synchronous, which means that Windows servers complete the Group Policy processing for computers before they present the Ctrl+Alt+Delete dialog box, and that the Group Policy processing for users completes before the shell is active and available for the user to interact with it. By default, Group Policy processing on client computers is asynchronous. Typically, client computers do not wait for the network to initialize fully at startup and logon. The client computers log on existing users by using cached credentials, which results in a shorter logon period. Windows 7 applies Group Policy in the background after the network becomes available. If a user with a roaming profile, home directory, or user-object logon script logs on to a computer, the computer always waits for the network to initialize before completing the logon. If a user has never logged on to the computer before, the computer always waits for the network to initialize, because there are no cached credentials.

Multiple Logons Sometimes Required


Extensions such as Software Installation and Folder Redirection take two logons to apply changes. To operate safely, these extensions require that no users are logged on. Windows must process the extensions in the foreground before users are actively using the computer. Additionally, changes that users make to the user object, such as adding a roaming profile path, home directory, or user-object logon script, can require the application of two logons. To guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, you should enable the policy setting that ensures Windows waits for the network to become available before applying policy.


Time Limit for Group Policy Processing


Under synchronous processing, there is a time limit of 60 minutes for all Group Policy settings to finish processing on the client. Any client-side extensions that do not finish within 60 minutes receive a signal to stop, which means that Windows may not fully apply associated policy settings. There is no setting to control this time-out period or behavior.


Loopback Processing

Typically, when you apply GPOs to users, the same set of user policy settings applies to those users regardless of the computers that they use. The Group Policy loopback feature applies user policy settings in the GPOs that relate to a computer account, which would normally only apply computer policy settings. By enabling the loopback processing policy setting in a GPO, you can configure user policy settings to apply on a specific computer, regardless of which user logs on. This means that you can apply different user settings when a user logs on to a computer that this setting affects. When you use this option, you must ensure that you enable the computer and user sections of the GPO. You can set the loopback processing policy setting by using the User Group Policy loopback processing mode setting, which is located at Computer Configuration\Administrative Templates\System\Group Policy. There are two modes available:

Merge mode: In this mode, Windows gathers the list of GPOs for the user during the logon process. Then, it gathers the list of GPOs for the computer. Next, Windows adds the list of GPOs for the computer to the end of the user's GPOs. As a result, the computer's GPOs have a higher precedence than those of the user.

Replace mode: In this mode, Windows does not gather the list of GPOs for the user. Instead, it uses only the list of GPOs based on the computer object, and then it applies the User Configuration settings from this list to the user.

In certain closely managed environments, such as for terminal servers, it is appropriate to enable loopback processing. You also would use this setting for special-use computers, such as those in public places, computer labs, and classrooms, where you want the user experience to be specific to the environment.
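The precedence rules in the Processing GPOs and Group Policy Inheritance topics (Local, Site, Domain, OU order, Link Order, Enforced, Block Inheritance, security and WMI filtering, slow-link processing) together with the two loopback modes above can be checked against a small model. The following Python script is an added example written for this section; it is not Microsoft's implementation and is not part of the course. The container names, GPO names, setting keys and the "SoftwareInstall" and "FolderRedirection" extension names are constructed; settings are keyed as "Extension/Setting" so that the extensions skipped over a slow link can be told apart from administrative template and security settings, which are always applied. The constructed lab also includes a GPO with user settings linked at a Computers OU, which reaches the logged-on user only once loopback processing is enabled.

```python
"""Model of Windows 7 GPO precedence (added example, not Microsoft's code).
Order is Local, Site, Domain, OU, nested OU; the last GPO processed wins a conflict.
Link Order, Enforced, Block Inheritance, filtering, slow links and loopback alter it."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

SLOW_LINK_KBPS = 500                         # default slow-link threshold from the course
# Constructed extension names skipped over a slow link; "AdminTemplates" and
# "Security" settings are processed regardless of link speed.
SKIPPED_ON_SLOW_LINK = {"SoftwareInstall", "FolderRedirection"}

@dataclass
class GPO:
    name: str
    computer_settings: Dict[str, str] = field(default_factory=dict)  # "Extension/Setting" -> value
    user_settings: Dict[str, str] = field(default_factory=dict)
    apply_to: List[str] = field(default_factory=lambda: ["Authenticated Users"])  # security filtering
    wmi_filter: Optional[Callable[[dict], bool]] = None  # evaluated against computer facts

@dataclass
class Link:
    gpo: GPO
    link_order: int = 1          # 1 = highest precedence among the links on one container
    enforced: bool = False
    enabled: bool = True

@dataclass
class Container:
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False

def ordered_gpos(chain: List[Container]) -> List[GPO]:
    """Processing order for chain[0]=Local, then Site, Domain, OU...; later = higher precedence."""
    # Block Inheritance discards non-enforced links above the blocking container; Local always runs.
    blocker = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        for link in sorted(container.links, key=lambda l: -l.link_order):  # Link Order 1 runs last
            if not link.enabled:
                continue
            if link.enforced:
                enforced.append((depth, link.gpo))
            elif depth == 0 or depth >= blocker:
                normal.append(link.gpo)
    # Enforced links are never blocked and run after everything else; Domain over OU runs last.
    enforced.sort(key=lambda item: -item[0])
    return normal + [gpo for _, gpo in enforced]

def gpo_applies(gpo: GPO, groups: List[str], computer_facts: dict) -> bool:
    """Security filtering needs one matching group; a WMI query that errors applies nowhere."""
    if not set(gpo.apply_to) & set(groups):
        return False
    try:
        return gpo.wmi_filter is None or bool(gpo.wmi_filter(computer_facts))
    except Exception:
        return False

def effective(gpos, section, groups, computer_facts, link_kbps) -> Dict[str, str]:
    """Aggregate one section ("computer_settings" or "user_settings"); last writer wins."""
    result: Dict[str, str] = {}
    for gpo in gpos:
        if not gpo_applies(gpo, groups, computer_facts):
            continue
        for key, value in getattr(gpo, section).items():
            if link_kbps <= SLOW_LINK_KBPS and key.split("/")[0] in SKIPPED_ON_SLOW_LINK:
                continue                      # extension not processed over a slow link
            result[key] = value
    return result

def resolve(user_chain, computer_chain, user_groups, computer_groups,
            computer_facts, loopback="none", link_kbps=1000):
    """Return (computer settings, user settings) for one logon, with optional loopback."""
    comp_gpos = ordered_gpos(computer_chain)
    user_gpos = ordered_gpos(user_chain)
    if loopback == "merge":       # computer's GPOs appended, so they win conflicts
        user_gpos = user_gpos + comp_gpos
    elif loopback == "replace":   # user's own GPO list is not gathered at all
        user_gpos = comp_gpos
    return (effective(comp_gpos, "computer_settings", computer_groups, computer_facts, link_kbps),
            effective(user_gpos, "user_settings", user_groups, computer_facts, link_kbps))

def build_lab():
    """Constructed domain: contoso.com -> OU=NewYork -> OU=Managers (users) and OU=Computers."""
    local = Container("Local", [Link(GPO("Local", user_settings={"AdminTemplates/HomePage": "about:blank"}))])
    site = Container("Site-NYC")
    domain = Container("contoso.com", [Link(GPO("Default Domain Policy",
        computer_settings={"Security/MinPasswordLength": "8"},
        user_settings={"AdminTemplates/HomePage": "http://intranet", "AdminTemplates/ScreenSaverTimeout": "600"}))])
    newyork = Container("OU=NewYork", [Link(GPO("NY Software", computer_settings={"SoftwareInstall/Analysis": "assigned"}))])
    managers = Container("OU=Managers", [Link(GPO("Managers HomePage",
        user_settings={"AdminTemplates/HomePage": "http://app", "Preferences/DriveR": "\\\\server\\managers"}))])
    # A GPO with user settings linked at the computers OU: reaches users only through loopback.
    lab = Container("OU=Computers", [Link(GPO("Lab Settings", user_settings={"Preferences/Shortcut": "Analysis"}))])
    return [local, site, domain, newyork, managers], [local, site, domain, newyork, lab]

if __name__ == "__main__":
    users, computers = build_lab()
    for mode in ("none", "merge", "replace"):
        print(mode, resolve(users, computers, ["Authenticated Users"], ["Authenticated Users"], {}, mode))
```

Running the script prints the computer and user settings for the three loopback modes. In merge mode the Default Domain Policy appears in both the user's and the computer's GPO list, so its user settings are applied a second time with higher precedence than the Managers OU GPO; that is the effect to look for when a user on a loopback-enabled computer reports settings that differ from other computers.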


Practice: Using the Group Policy Management Console

In this practice, you will:
- Install the Group Policy Management Console (GPMC) on NYC-CL1.
- Use the GPMC to create a new GPO.
- Configure a new GPO to create a Desktop shortcut.
- Update Group Policy on NYC-DC1.

Note Some of the tasks that you perform to complete this practice may not typically be the responsibility of Tier 2 support staff. However, it is useful to learn the procedure.


Instructions
For this practice, you will use the available virtual machine environment. Before you begin the practice, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on by using the following credentials:
   - User name: Administrator
   - Password: Pa$$w0rd
   - Domain: Contoso

Repeat steps 2 through 4 for 6293A-NYC-CL1.

Detailed Steps Task 1: Install the Group Policy Management Console on NYC-CL1
1. On NYC-CL1, click Start, type \\NYC-DC1\D$\Labfiles\Mod09\Software, and then press Enter.
2. In Windows Explorer, double-click x86fre_GRMRSAT_MSU.msu. This file is the Remote Server Administration Tools (RSAT) for Windows 7.
3. In the Windows Update Standalone Installer window, click Yes to install.
4. In the Download and Install Updates window, click I accept.
5. In the Windows 7 Remote Administration Tools window, read the instructions, and then close the window.
6. In the Download and Install Updates window, click Close.
7. Close Windows Explorer.
8. Click Start, and then click Control Panel.
9. In Control Panel, click Programs, and then click Programs and Features.
10. In Programs and Features, click Turn Windows features on or off.
11. In the Windows Features window, expand Remote Server Administration Tools, expand Feature Administration Tools, select the Group Policy Management Tools check box, and then click OK.
12. Close the Programs and Features window.

Task 2: Use the Group Policy Management Console to create a new GPO
1. On NYC-CL1, click Start, point to Administrative Tools, and then click Group Policy Management.
2. Expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Contoso.com. Notice that the Default Domain Policy links to the root of the Contoso.com domain.
3. Right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO window, in the Name box, type Preferences, and then click OK.


Task 3: Configure a new GPO to create a desktop shortcut


1. In the left pane, click the Preferences GPO link.
2. Click OK to close the warning dialog box.
3. On the Scope tab, verify that no WMI filters are applied.
4. On the Settings tab, verify that no settings are defined in this GPO.
5. In the left pane, right-click Preferences to display the context menu. Notice that the link is enabled but not enforced.
6. In the context menu, click Edit.
7. In the Group Policy Management Editor window, review the available information. Notice that there are two categories of settings, User Configuration and Computer Configuration, which are divided further into Policies and Preferences.
8. Under User Configuration, expand Preferences, expand Windows Settings, and then click Shortcuts.
9. Right-click Shortcuts, point to New, and then click Shortcut.
10. In the New Shortcut Properties window, enter the following information, and then click OK:
    - Name: Notepad
    - Target type: File System Object
    - Location: Desktop
    - Target Path: C:\Windows\System32\notepad.exe
11. Close the Group Policy Management Editor.
12. Close the GPMC.

Task 4: Update Group Policy on NYC-CL1


1. On NYC-CL1, click Start, point to All Programs, click Accessories, and then click Command Prompt.
2. At the command prompt, type gpupdate /force, and then press Enter. The /force option makes sure that all policies are applied rather than just updates.
3. When the Group Policy update is complete, close the command prompt.
4. Notice that the Notepad shortcut appears on the desktop.

To prepare for the next practice


When you finish, leave the virtual machines running.


Lesson 2

Resolving Client Configuration Failures and GPO Application Issues

Most issues that relate to the application of GPOs are due to incorrect configurations on the part of an administrator. Despite the fact that you, as a desktop support person, may not be able to resolve GPO application issues, it is important that you can identify them. After you identify an issue with the configuration of Group Policy application, you may need to escalate the issue to a server administrator who has the necessary permissions to resolve the issue.

Objectives
After completing this lesson, you will be able to:
- Discuss reasons for client configuration failures that incorrectly configured GPOs cause.
- Explain how to resolve common client configuration issues that result from the application of GPOs.
- Describe Group Policy troubleshooting tools.
- Demonstrate how to use Group Policy application troubleshooting tools.
- Explain how to resolve Group Policy application failures.


Discussion: Reasons for GPO Application Issues

A GPO application issue is any situation where a GPO does not have the effect on users or computers that you expect. Common symptoms of GPO application issues are:
- GPO settings, such as security restrictions or drive mapping, are not being applied to specific users or computers.
- Unexpected GPO settings are being applied to users or computers.
- GPO settings are being applied to a user differently based on physical location or computers.

Because a GPO can affect many users and computers, administrators should test the configuration of GPOs thoroughly before applying them. Even after testing, there may be situations in which settings in a GPO do not apply to users and computers in the ways that you expect. Question: What are some of the reasons that GPO settings might not apply as you think they should?


Ways to Resolve GPO Application Issues

GPO application issues often result from configuration errors. In many cases, it is just a matter of identifying and resolving the configuration error. One of the most common errors is linking a new GPO to an incorrect location. To avoid this error, you should verify that a GPO with user settings links to the user object's location, and verify that a GPO with computer settings links to the computer object's location. If you want user settings in a GPO to apply only when the user logs on to a particular computer or group of computers, you must enable loopback processing for those computers. After you enable loopback processing, the user settings in the GPOs that apply to the computer account are processed. When a new GPO is applied, it may not take effect immediately. By default, GPOs are processed every 90 minutes on client computers. However, you can force it to take effect immediately by running gpupdate.exe /force at a command prompt. If you update a GPO and it does not take effect, you may need to restart the computer, because some settings apply correctly only during the computer startup process. Finally, if GPOs do not take effect for remote users, you can disable slow link processing. However, disabling slow link processing may result in slow logons because large GPOs download over a slow connection. This is of particular concern when you use GPOs for software distribution.


Tools for Troubleshooting GPO Application

To troubleshoot GPO application issues, you should understand how Windows applies GPOs so that you can identify at what point in that process the issue is occurring. The following table lists some tools that you can use for troubleshooting GPO application issues.

Troubleshooting tool: Resultant Set of Policy (RSoP)
Description: RSoP is the best tool for determining which GPOs apply to a user and computer. Group Policy Modeling reports predict the policies that will be applied at a specific client. Group Policy Results reports collect information directly from the client to show the policies that are in effect, and include key policy events that are logged at that client. This tool is part of the GPMC, and you can add it to a Windows 7 computer as a feature after you download and install the Remote Server Administration Tools. You can use RSoP information to verify that the expected GPOs are applying to a specific user and computer.

Troubleshooting tool: GPResult.exe
Description: A command-line tool that displays RSoP data. You can specify a specific user and computer account when you run the tool.

Troubleshooting tool: Addiag.exe
Description: This tool identifies information that relates to the installation of software by using a GPO. This tool is part of the Windows XP Service Pack 2 (SP2) support tools, but works with Windows 7. You can use this tool to identify whether a GPO that distributes software is applied to a computer by reviewing the software available for installation.


Troubleshooting tool: Group Policy preferences logging and tracing
Description: You can enable logging and tracing for various types of Group Policy preferences. When you enable this, each type of log saves event data to a log file. You can review these logs to help identify the cause of application issues with Group Policy preferences, such as a drive mapping or printer not being created. This logging is much more detailed than Event Viewer.

Troubleshooting tool: Event Viewer
Description: Windows 7 and Windows Vista include an event log specifically for Group Policy. This log can help you identify whether the client is using slow link processing and whether Windows is applying GPOs.

Windows 7 includes rsop.msc, which provides RSoP data similar to what is available in the GPMC. However, to perform queries for nonlocal computers and users that are not logged on locally, the tool requires updates to Windows Firewall on the target computer to allow WMI requests. You can use Group Policy to enable the necessary predefined firewall rules, or run the following command on the target computer: netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes


Practice: Using GPO Application Troubleshooting Tools

You can use several tools to perform GPO application troubleshooting. It is important that you have some hands-on experience enabling and using these tools. In this practice, you will use GPO application troubleshooting tools to review how the tools work.

Note Some of the tasks that you perform in this practice may not typically be the responsibility of Tier 2 support staff. However, it is useful to learn the procedure.


Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and 6293A-NYC-CL1 should be running.

Detailed Steps Task 1: Use GPMC to verify settings are configured in a GPO
1. On NYC-CL1, click Start, point to Administrative Tools, and then click Group Policy Management.
2. If necessary, click the Preferences GPO link, and then click OK to clear the warning message.
3. On the Settings tab, under User Configuration, beside Shortcuts, click show. Notice that the list includes the shortcut that you created in the previous practice.

Task 2: Enable Group Policy Preferences logging and tracing


1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the GPMC, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Contoso.com.
3. Right-click Preferences, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, expand Group Policy, and then click Logging and tracing.

Note These settings are not visible from Group Policy Management on NYC-CL1 because it is using different administrative templates.

5. In the right pane, double-click Configure shortcuts preference logging and tracing.
6. In the Configure Shortcuts preference logging and tracing window, click Enabled.
7. In Options, in the Event logging box, click Informational, Warnings, and Errors.
8. In the Tracing box, click On, and then click OK.
9. Close the Group Policy Management Editor.

Task 3: Perform Group Policy Modeling


1. On NYC-CL1, in the GPMC, click Group Policy Modeling.
2. Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.
3. In the Group Policy Modeling Wizard, click Next.
4. On the Domain Controller Selection page, click Next.
5. On the User and Computer Selection page, in User information, click User, click Browse, type Adam, and then click OK.
6. In Computer information, click Computer, click Browse, type NYC-CL1, click OK, and then click Next.
7. On the Advanced Simulation Options page, review the available options, and then click Next.
8. On the Alternative Active Directory Paths page, review the available options, and then click Next.
9. On the User Security Groups page, review the available options, and then click Next.
10. On the Computer Security Groups page, review the available options, and then click Next.
11. On the WMI filters for Users page, review the available options, and then click Next.
12. On the WMI filters for Computers page, review the available options, and then click Next.
13. On the Summary of Selections page, click Next, and then click Finish.
14. In the Adam on NYC-CL1 report, on the Summary tab, under Computer Configuration Summary, beside Group Policy Objects, click show.
15. Beside Applied GPOs, click show.
16. Under User Configuration Summary, beside Group Policy Objects, click show.
17. Beside Applied GPOs, click show.
18. Beside Denied GPOs, click show.
19. Close the GPMC.

Task 4: Use RSoP to view current configuration information


1. On NYC-CL1, click Start, type rsop.msc, and then press Enter.
2. After the Resultant Set of Policy window opens, read the name of the user and the computer to which the policy applies. By default, it queries the information for the currently logged-on user of the local computer.
3. Right-click Computer Configuration, and then click Properties. This displays the GPOs from which this computer obtained its settings.
4. In the Computer Configuration Properties window, select the Display all GPOs and filtering status check box. This allows you to see GPOs that are not being applied due to security filtering or WMI filtering.
5. Select the Display scope of management check box. This allows you to see where each GPO is linked.
6. Click Cancel.
7. Close RSoP. Click No at the Microsoft Management Console prompt.

Task 5: Use GPResult to view GPOs applied to a computer


1. On NYC-CL1, click Start, type cmd, and then press Enter.
2. At the command prompt, type gpresult /r, and then press Enter.
3. Scroll through and read the RSoP data. Notice that the local computer and locally logged-on user were used for the analysis.
4. Leave the command prompt open for the next task.


Task 6: Review events in the Group Policy event log


1. On NYC-CL1, click Start, type event, and then click Event Viewer.
2. In the left pane, expand Applications and Services Logs, expand Microsoft, expand Windows, expand Group Policy, and then click Operational.
3. Review the recent events in the log. Event ID 4004 indicates that manual processing was started. Event ID 5311 indicates that no loopback processing is enabled. Event ID 5312 indicates which GPOs were applicable.

To prepare for the lab


When you finish, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1.


Resolving GPO Application Failures

When you troubleshoot GPO application failures, first verify that the client computer is connected to the network properly, and that it is authenticated. If a computer is unable to contact the domain, it is unable to apply GPOs. You can verify the computer's authentication either by ensuring that the user can access network resources, or by looking in the event logs for errors related to network connectivity or computer account authentication. Alternatively, you can run gpupdate /force to verify that GPOs are downloading.

Verify That the Client Computer is Connected and Authenticated


If the client computer is not connected to the network properly and authenticated, you need to resolve this first. Possible resolutions may include:
- Fix the network cabling.
- Ensure it is using a proper IP address.
- Verify the Domain Name System (DNS) configuration.
- Rejoin the domain to fix the computer account.

Verify That the GPO is Assigned Properly to the Computer or User


You should verify that the GPO is assigned properly to the computer or user by using RSoP or GPResult.exe. If these tools show that the GPO is being applied to the computer and user, then you know that the link to the GPO is configured properly. If RSoP shows that the GPO is not applied to the computer and user, you need to determine if the GPO is linked to the correct location. You also need to confirm that the user and computer accounts are in the correct location. You may need to escalate this task to someone with the necessary administrative permissions.


Verify the Configuration of the GPO with the Proper Settings


If the GPO appears to be linked properly, you should verify the configuration of the GPO to ensure that the proper settings are configured in the GPO. It is possible that an administrator created the GPO, and linked it correctly, but did not configure it correctly. One item to verify is whether loopback processing is enabled in the environments that use it. Depending on your permissions to manage Group Policy, you may need to escalate this task.
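The three checks above (connectivity and authentication, GPO assignment, GPO configuration) can be read straight off the Group Policy operational log whose Event IDs 4004, 5311 and 5312 are described in Task 6 of the previous practice. The following Python script is an added example and is not part of the course: the event records are constructed to resemble entries from that log, the exact message wording on a real client may differ, so the parsing is deliberately loose, and the next-step text is the course's own troubleshooting sequence, not an automated verdict.

```python
"""Triage of Group Policy operational log events (added example, not course code)."""
import re
from typing import Dict, List

# Constructed records, modelled on the event IDs named in the course: 4004 = manual
# processing started, 5311 = loopback processing mode, 5312 = applicable GPOs.
SAMPLE_EVENTS = [
    {"EventID": 4004, "Message": "Starting manual processing of policy for user CONTOSO\\Adam."},
    {"EventID": 5311, "Message": 'The loopback policy processing mode is "No loopback mode".'},
    {"EventID": 5312, "Message": "List of applicable Group Policy objects:\n\nDefault Domain Policy\nPreferences\n"},
]


def applicable_gpos(message: str) -> List[str]:
    """GPO names from a 5312 message: one per non-empty line after the header."""
    body = message.split(":", 1)[1] if ":" in message else message
    return [line.strip() for line in body.splitlines() if line.strip()]


def loopback_mode(message: str) -> str:
    """Quoted mode name from a 5311 message, or 'unknown' if the text does not match."""
    match = re.search(r'mode is "([^"]+)"', message)
    return match.group(1) if match else "unknown"


def triage(events: List[Dict[str, object]], expected_gpo: str) -> Dict[str, object]:
    """Map the log to the checks in this topic: connectivity, assignment, configuration."""
    ids = {e["EventID"] for e in events}
    applied: List[str] = []
    mode = "not reported"
    for event in events:
        if event["EventID"] == 5312:
            applied += applicable_gpos(str(event["Message"]))
        elif event["EventID"] == 5311:
            mode = loopback_mode(str(event["Message"]))
    if 5312 not in ids:
        next_step = ("no applicable-GPO event: verify network connectivity and domain "
                     "authentication, then run gpupdate /force and re-check the log")
    elif expected_gpo in applied:
        next_step = ("GPO is applied: verify the settings inside the GPO, and loopback "
                     "processing if user settings are linked at a computer OU")
    else:
        next_step = ("GPO not in applicable list: verify the GPO link location, the account's "
                     "OU, and security/WMI filtering; escalate if you lack permissions")
    return {"manual_processing": 4004 in ids, "loopback_mode": mode,
            "applied_gpos": applied, "expected_applied": expected_gpo in applied,
            "next_step": next_step}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, "Preferences").items():
        print(f"{key}: {value}")
```

The routine deliberately reports the loopback mode next to the applied list: a GPO that carries user settings can be present in the 5312 list for the computer and still have no visible effect on the user when the mode reads "No loopback mode", which is the configuration check this topic asks you to make before escalating.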


Lab: Using Group Policy to Centralize Configuration

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on using the following credentials:
   - User name: Administrator
   - Password: Pa$$w0rd
   - Domain: Contoso

Repeat steps 2 through 4 for 6293A-NYC-CL1 and 6293A-NYC-CL2.

Lab Scenario
The help desk has received a number of trouble tickets that relate to GPO application. Because you are the desktop support technician that is the most experienced with Group Policy, the tickets have been assigned to you.


Exercise 1: Resolve Group Policy Application (1)


Scenario
In this exercise, you will resolve the reported GPO application problem that Tier 1 help-desk staff could not resolve. The main tasks for this exercise are:
1. Read the help-desk Incident Record for Incident 602085.
2. Update the Plan of Action section of the Incident Record.
3. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 602085
Date of Call: Feb 25
Time of Call: 14:45
User: Alan Brewer (Research)
Status: OPEN

Incident Details
User reports that research lab configuration is not being applied properly to a new computer named NYC-CL1.

Additional Information
User reports that a new computer being used in the research computer lab is not configured properly. All other computers in the lab, such as NYC-LAB1, have the standardized settings properly applied. I have verified that the computer is joined to the domain properly. Looking at NYC-LAB1, I can see that there is a desktop shortcut for the Analysis application. If this icon appears on the desktop, then we know that the settings are being applied properly. This setting should apply regardless of the user that logs on.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 602085


Read the help-desk Incident Record for Incident 602085.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.


Task 3: Attempt to resolve the problem


1. Attempt to resolve the problem by using your knowledge of GPO application issues and troubleshooting.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:
   - On the host computer, start Hyper-V Manager.
   - Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   - In the Revert Virtual Machine dialog box, click Revert.
   - Repeat these steps for 6293A-NYC-CL1.
   - In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
   - In the Actions pane, click Connect.
   - Wait until the virtual machine starts.
   - Log on using the following credentials: User name: Administrator; Password: Pa$$w0rd; Domain: Contoso

Repeat these steps for 6293A-NYC-CL1.

Results: At the end of this exercise, you will have resolved the GPO application problem.


Exercise 2: Resolve Group Policy Application (2)


Scenario
In this exercise, you will resolve the reported hardware problem that Tier 1 help-desk staff could not resolve. The main tasks for this exercise are:
1. Read the help-desk Incident Record for Incident 602086.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 602086
Date of Call: Feb 26
Time of Call: 9:07
User: Alan Brewer (Research)
Status: OPEN

Incident Details
User reports that his drive mapping has not been updated with the new file share for his department.

Additional Information
The user (Alan) is not receiving the drive mapping (R:) for the new research department share on his computer NYC-CL2. Other people in his department are not experiencing any issues. I have checked with the Active Directory administrators, and his computer account is in the correct OU. So the location of the computer account is not an issue. I also verified that he can access the files manually by using the Universal Naming Convention (UNC) path at \\NYC-DC1\Research. We rebooted the computer with no improvement.

Plan of action

Resolution

Note The password used for Alan and all other user accounts is Pa$$w0rd.

Using Group Policy to Centralize Configuration

3-31

Task 1: Read the help-desk Incident Record for Incident 602086


Read the help-desk Incident Record for Incident 602086.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.
2. Run the D:\Labfiles\Mod03\Scenario2.vbs script. This script causes NYC-CL2 to restart.
3. Wait while NYC-CL2 restarts.

Task 4: Attempt to resolve the problem


1. On NYC-CL2, attempt to resolve the problem by using your knowledge of GPO application issues and troubleshooting.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.

To repeat or exit the exercise, revert the virtual machine environment.

Note: It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:
   a. On the host computer, start Hyper-V Manager.
   b. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   c. In the Revert Virtual Machine dialog box, click Revert.
   d. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.
   e. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
   f. In the Actions pane, click Connect.
   g. Wait until the virtual machine starts.
   h. Log on using the following credentials:
      User name: Administrator
      Password: Pa$$w0rd
      Domain: Contoso
   i. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.

Results: At the end of this exercise, you will have resolved the GPO application problem.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.

Module Review and Takeaways

Review Questions
1. You do not have permission to log on to domain controllers in your organization. However, you would like to perform Group Policy Modeling using the GPMC. How can you use GPMC on a Windows 7 computer?

2. Your organization has a computer lab that is used for training. When users log on to computers in this lab, they should have only lab-specific settings. The instructor in the lab this week is indicating that users are not getting the default home page for the Web application that they are using for training. You know that a new GPO for the lab was created last Friday. What is the most likely cause of this problem?

3. A new user in accounting called the help desk to explain that she does not have the department's standard drive mappings. These drive mappings are configured by using Group Policy Preferences. What is the most likely cause of this problem?

Tools
Tool                               Use for                                              Where to find it
Group Policy Management Console    Managing GPOs                                        Remote Server Administrative Tools for Windows 7
GPUpdate.exe                       Triggering an update of GPOs                         Command-line
GPResult.exe                       View GPOs applied to a computer                      Command-line
RSoP.msc                           View GPOs applied to a computer                      Microsoft Management Console (MMC) snap-in
Event Viewer                       View events in event logs related to Group Policy    Administrative Tools

Module 4
Troubleshooting Hardware Device, Device Driver, and Performance Issues
Contents:
Lesson 1: Overview of Hardware Troubleshooting                   4-3
Lesson 2: Troubleshooting Physical Failures                      4-19
Lesson 3: Monitoring Reliability and Performance                 4-27
Lesson 4: Configuring Performance Options in Windows 7           4-34
Lesson 5: Troubleshooting Device Driver Failures                 4-43
Lab A: Resolving Hardware Device and Device Driver Issues        4-61
Lab B: Troubleshooting Performance-Related Issues                4-68

Module Overview

Devices have become complex, multifunction peripherals that have evolved from hardware that you install in your computer to hardware that you connect to your computer via Universal Serial Bus (USB), Bluetooth wireless technology, and Wi-Fi. To support users with computers running Windows 7, you must understand how to troubleshoot hardware devices and drivers.

Conducting proactive monitoring of your Windows 7 computers can often help you avoid performance-related problems. To support your users, it is important that you understand how to optimize Windows 7, and how to collect and interpret data that pertains to performance characteristics.

Objectives
After completing this module, you will be able to:
- Identify basic hardware-related issues.
- Determine hardware failure issues.
- Monitor reliability and performance of Windows 7 computers.
- Configure performance options in Windows 7.
- Determine problems that device drivers cause.

Lesson 1

Overview of Hardware Troubleshooting

This lesson provides an overview of troubleshooting hardware-related problems, and discusses specific considerations for using USB and cordless devices on computers that are running Windows 7.

Objectives
After completing this lesson, you will be able to:
- Describe hardware-related problems.
- Describe the considerations for using USB devices.
- Describe how you can use the built-in diagnostic tools to gather hardware information.
- Explain Event Forwarding and Subscriptions.
- Determine how best to approach hardware problems.
- Apply the guidelines for troubleshooting hardware-related problems.

Hardware-Related Problems

Hardware problems occur when a hardware device fails, or when the device driver that the hardware device uses fails. When you troubleshoot a hardware-related problem, you first must determine whether the underlying cause is a failure of the device itself or a failure of its driver.

Failure of Physical Hardware


A computer contains several hardware components, such as hard disk drives, a power supply, the motherboard, the video controller, and so on. If a single component or a combination of components fails, this can prevent the computer from functioning correctly. However, you can take preventive measures to minimize the possibility that your hardware will fail. These preventive measures include ensuring that you operate hardware components in the environmental conditions that the component's vendor recommends. For example, avoid using hardware components in areas with high volumes of dust or high temperatures, unless the hardware was specifically designed for such environments.

Some components are more prone to failure than others. Often, the components most susceptible to failure are those with moving parts, such as hard-disk drives, cooling fans, power supplies, and optical drives.

Failure of Device Drivers


A device driver can fail for three reasons:
- Operating system version incompatibility. Drivers developed for previous Windows operating system versions might not be completely compatible with Windows 7. To avoid incompatibility issues, always check for a Windows 7 version of the driver, and use it if available.

Note: Windows Vista drivers should work in Windows 7.

- Driver bugs. Although hardware vendors use every precaution to ensure that device drivers are free from error, there occasionally are problems. Ensure that you obtain the latest driver version from the manufacturer, particularly if the manufacturer has one in which it has fixed previous driver issues. Check that the device driver carries a signature from a trusted certificate-signing authority.
- 32-bit and 64-bit issues. Windows 7 is available in both 32-bit and 64-bit editions. Drivers that manufacturers develop for the 32-bit edition do not work with the 64-bit editions, and vice versa. Make sure that you obtain the appropriate device driver from the hardware vendor. You will be unable to install the wrong platform driver.

Considerations for USB Devices

Early hardware devices required that you have specialized knowledge and tools to install them on your computer. However, USB devices are much more convenient, and require no special skills or tools to install. You simply install your new hardware by plugging the device into a free USB port, and then following the on-screen instructions to install the driver and related software. But this convenience poses a number of risks, including to your network's security and to the reliability of the driver's manufacturer.

USB devices represent a potential security risk to your network because a malicious user could place sensitive or confidential network data onto a mobile device, such as an external hard disk, and then remove it from the workplace. Because of the relative simplicity of USB device installation, USB devices can increase management overhead, and so controlling use of these devices has become an important consideration for administrators. As the number and variety of these devices increases, so do the associated support and maintenance costs.

Many organizations restrict employee use of USB devices for security and management reasons. However, implementing restrictions on USB devices can affect user productivity, and can have a significant impact on the hardware troubleshooting process if the person performing the troubleshooting wrongly diagnoses these restrictions as hardware faults.

Windows 7 uses two methods to control device installation: device identification strings and device setup classes.

Device Identification Strings


Hardware manufacturers assign one or more device identification strings to each device. These identification strings are in the setup information (.inf) file in the driver package. During device initialization, Windows 7 retrieves these device identification strings, and matches them to corresponding identification strings in the INF file.

Note: You can download and use the DevCon command-line tool to determine the device identification string for a USB device.

Identification strings are either general or specific. If specific, they identify the device's exact make and model. There are two types of device identification strings:
- Hardware identifiers. Hardware identifiers provide an exact match between a device and a driver package. The first string in the device identifier list is the individual device's specific identifier. Additional strings in the list identify the device in more general terms, so Windows 7 can install a driver for a different device revision if the correct one is not available.
- Compatible identifiers. Windows 7 uses compatible identifiers to select a device driver only if the driver store has no available drivers for any of the hardware identifiers that Windows 7 retrieves from the device. These strings are optional, and if the hardware manufacturer provides them, they are listed in decreasing order of suitability. Typically, the strings are generic, and identify the hardware device at the component level, such as a Small Computer System Interface (SCSI) hard-disk drive. This enables Windows 7 to select a generic SCSI driver for the disk drive, but may result in limited device functionality and slower read/write performance.

Multifunction devices are physical devices that include more than one logical device. Manufacturers assign hardware identifiers to each logical device. To control installation of multifunction devices, you specifically must allow or deny all hardware identifiers for each multifunction device. The following is the relevant portion of an .inf file that Microsoft provides for a keyboard device driver.
[MsMfg]
;========= Microsoft USB Internet Keyboard (IntelliType Pro)
%HID\VID_045E&PID_002D&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_002D&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_005F&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_005F&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (106/109) (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_0061&MI_00.DeviceDesc%=MicrosoftKBD_Dev_109,HID\VID_045E&PID_0061&MI_00
;========= Microsoft USB Wireless Natural MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_0063&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_0063&MI_00

Device Setup Classes


The device setup class groups devices that you install and configure in the same way. A globally unique identifier (GUID) represents each device setup class. The manufacturer of a device driver package assigns the device setup class, and then Windows 7 builds a memory-tree structure that contains the GUIDs for all devices that it detects, including that of any bus that you attach to the device. Group Policy allows you to specify the device class for which you allow or disallow installation.

The following is the relevant portion of an .inf file that Microsoft provides for a keyboard device driver.
[Version]
CatalogFile.NT= type32.cat
;Digital Signing
Signature="$Windows NT$"
;All Platforms
Class=Keyboard
ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318}
Provider=Microsoft
LayoutFile=layout.inf
DriverVer=06/29/2010, 8.0.219.0

Controlling USB Device Access


Windows 7 enables you to use Group Policy to control access to your computer by USB devices. It does this by:
- Preventing users from installing any device.
- Allowing users to install only devices that are on an approved list.
- Preventing users from installing devices that are on a prohibited list.
- Denying users read or write access to removable devices or to devices that use removable media.

Restricting USB device installations can benefit hardware support in several ways:
- Simpler data security. By limiting the devices that users can install, you can reduce the risk of data theft by implementing easily understood and supported procedures. For example, allowing users to connect only USB flash drives that are password protected provides additional protection for data that users transfer from the corporate network.
- Reduced support costs. You can ensure that users only install devices that your help desk. This benefit reduces support costs and user confusion.

However, controlling USB device installation may cause issues, including:
- Misdiagnosed faults. Unless policy restrictions are simple, consistent, and easily understood, users and information technology (IT) staff may diagnose a restriction as a hardware problem.
- Policy management. Some manufacturers use a range of identifiers for similar device models. When you have a batch of such devices, you may have difficulty supporting policy restrictions based on identifiers, and the success of these policies may be inconsistent. For example, although a batch of devices from a single vendor may appear identical, you should check each device identifier to verify that the same identifier is used for the whole batch. If there is a range of identifiers, you need to modify your Group Policy settings to include all of these identifiers.
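The following Python script is an added example, not part of this course or of any Microsoft driver package: it parses the two .inf fragments quoted above (Class and ClassGUID from the [Version] section, and the hardware identifiers from the [MsMfg] models section) and then evaluates each device against approved and prohibited lists of device IDs and setup classes, in the way the Group Policy options listed above do. The sample INF text is constructed from the quoted fragments, and the rule precedence used (prohibited lists before approved lists, then the catch-all block for unlisted devices) is an assumption of the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: the [Version] block and two of the [MsMfg] model lines quoted
# in this lesson; the rest of the real driver package is omitted.
SAMPLE_INF = r"""
[Version]
Signature="$Windows NT$"
Class=Keyboard
ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318}
DriverVer=06/29/2010, 8.0.219.0

[MsMfg]
;========= Microsoft USB Internet Keyboard (IntelliType Pro)
%HID\VID_045E&PID_002D&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_002D&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (106/109) (IntelliType Pro)
%HID\VID_045E&PID_0061&MI_00.DeviceDesc%=MicrosoftKBD_Dev_109,HID\VID_045E&PID_0061&MI_00
"""


@dataclass
class DriverModel:
    """One models-section line: description=install-section,hw-id[,compatible-id...]."""
    description: str
    install_section: str
    hardware_id: str                                          # most specific ID, listed first
    compatible_ids: List[str] = field(default_factory=list)  # optional, decreasing suitability


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Split INF text into sections, dropping ';' comments and blank lines
    (quoted strings that contain ';' are not handled; the sample has none)."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def version_fields(sections: Dict[str, List[str]]) -> Dict[str, str]:
    """key=value pairs of [Version], which carries Class and ClassGUID."""
    fields: Dict[str, str] = {}
    for line in sections.get("Version", []):
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def parse_models(lines: List[str]) -> List[DriverModel]:
    """Hardware and compatible IDs of every model line in a models section."""
    models: List[DriverModel] = []
    for line in lines:
        description, _, rhs = line.partition("=")
        parts = [p.strip() for p in rhs.split(",")]
        if len(parts) < 2:
            continue  # no hardware ID on the line: not a device model entry
        models.append(DriverModel(description.strip(), parts[0], parts[1], parts[2:]))
    return models


@dataclass
class InstallPolicy:
    """The approved/prohibited lists this lesson describes. Their precedence here
    (prohibit before allow, then the catch-all) is an assumption of this example."""
    allow_ids: Set[str] = field(default_factory=set)
    deny_ids: Set[str] = field(default_factory=set)
    allow_classes: Set[str] = field(default_factory=set)
    deny_classes: Set[str] = field(default_factory=set)
    prevent_unlisted: bool = False  # block devices that no other setting describes


def install_decision(model: DriverModel, class_guid: str, policy: InstallPolicy) -> str:
    """Decide one device; IDs and GUIDs are compared case-insensitively here."""
    ids = {i.upper() for i in [model.hardware_id, *model.compatible_ids]}
    guid = class_guid.lower()
    if ids & {i.upper() for i in policy.deny_ids}:
        return "denied: device ID on prohibited list"
    if guid in {g.lower() for g in policy.deny_classes}:
        return "denied: device setup class on prohibited list"
    if ids & {i.upper() for i in policy.allow_ids}:
        return "allowed: device ID on approved list"
    if guid in {g.lower() for g in policy.allow_classes}:
        return "allowed: device setup class on approved list"
    if policy.prevent_unlisted:
        return "denied: not described by any policy setting"
    return "allowed: no restriction applies"


def evaluate_inf(text: str, policy: InstallPolicy, models_section: str = "MsMfg") -> Dict[str, str]:
    """Map each hardware ID in the INF to the decision the policy would produce."""
    sections = parse_inf(text)
    class_guid = version_fields(sections).get("ClassGUID", "")
    return {m.hardware_id: install_decision(m, class_guid, policy)
            for m in parse_models(sections.get(models_section, []))}
```

Running `evaluate_inf(SAMPLE_INF, InstallPolicy(allow_ids={r"HID\VID_045E&PID_002D&MI_00"}, prevent_unlisted=True))` allows only the Internet Keyboard and reports the 106/109 keyboard as not described by any setting, which is the situation a help desk may misread as a hardware fault.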

Considerations for Cordless Devices

Users can connect many peripherals and devices to their computers by using cordless connections. Two prominent cordless technologies exist to facilitate these connections: Bluetooth and Wi-Fi.

Troubleshooting Cordless Devices


When you are troubleshooting cordless devices, keep in mind that any problems the devices encounter might be due to cordless connectivity rather than to the devices themselves. For example, many laptop computers allow users to disable the Wi-Fi and Bluetooth ports, primarily to conserve battery power. You must ensure that all ports are enabled and, in the case of Bluetooth, configured to be discoverable during the process of pairing the device with the user's computer.

If you cannot connect a device successfully by using a Wi-Fi or Bluetooth connection, perform the following steps:
- Enable the Wi-Fi and/or Bluetooth receivers in the computer's settings for the basic input/output system (BIOS).
- Turn on the Wi-Fi and/or Bluetooth receiver by using the computer's switches.
- Use Device Manager to verify, and if necessary update, the drivers for the computer's Wi-Fi and/or Bluetooth modules.
- For Bluetooth devices, run Bluetooth Settings to configure:
  - Discovery. Enable discovery to ensure that the computer is visible. Additionally, you might need to enable discovery (sometimes also known as visibility) on peripheral devices.

  - Connections. Enable the Allow Bluetooth devices to connect to this computer setting. Optionally, you can select the Alert me when a new Bluetooth device wants to connect setting.
  - Pairing. In addition to the above settings, some peripherals require that you pair them to your computer. This process requires that the computer and the device exchange a passcode, or key, to establish the partnership. You may need to establish this process at either the computer or peripheral end.

Note: The device manufacturer often defines a device's passcode. For example, a Bluetooth headset does not provide you with a mechanism for defining a passcode. However, 0000 often is the default passcode. For more information, refer to the vendor documentation.

- For Wi-Fi devices, follow standard wireless troubleshooting techniques:
  - Ensure that the devices are close enough for the signals to communicate.
  - Configure the devices to use the same wireless protocol and security settings.
  - Investigate possible sources of interference.

Note Some Bluetooth peripheral devices, such as mice and keyboards, often come with a small Bluetooth module that you insert into your computer by using a USB port. This USB Bluetooth module allows you to use cordless devices without needing a built-in Bluetooth module.

Gathering Hardware Information

Windows 7 includes a number of tools that you can use to gather information about the hardware installed on a computer. By becoming familiar with the functionality offered by these tools, you can identify the most appropriate tool for a particular hardware monitoring or troubleshooting scenario.

Event Viewer
Event Viewer is the starting point for troubleshooting hardware failures. You should check the system log and the application log for information, warnings, or errors that hardware devices or device drivers generate. Use Event Viewer to show logs on remote computers and on the local machine. Event Viewer contains many features that earlier operating systems did not make available, including:
- Several new logs. Access logs for many individual components and subsystems.
- View multiple logs. You can filter for specific events across multiple logs, which makes it easier to investigate issues and troubleshoot problems that might appear in several logs.
- Customized views. You can use filtering to narrow searches to only the events that interest you. You also can save these filtered views.
- Tasks scheduled to run in response to events. Event Viewer integrates with Task Scheduler to allow automated responses to events.
- Event subscriptions. Create and manage subscriptions that collect events from remote computers, and then store them locally.

Note To collect events from remote computers, you must create an exception in Windows Firewall to permit Windows Event Log Management.

Event Viewer tracks information in several different logs, which provide detailed information, including:
- A description of the event.
- An event identification number.
- The component or subsystem that generated the event.
- Information, warning, or error status.
- The time of the occurrence.
- The name of the user on whose behalf the event occurred.
- The computer on which the event occurred.
- A link to Microsoft TechNet for more information about the event.

The Event Viewer has many built-in logs, including those in the following table.

Built-in log        Description and use
Application log     These events are classified as error, warning, or information, depending on the event's severity: an error is a significant problem, such as data loss; a warning is an event that is not necessarily significant, but which may indicate a possible future problem; an information event describes the successful operation of a program, driver, or service.
Security log        This log reports the results of auditing when it is enabled. Audit events are described as successful or failed, depending on the event. An example is whether a user trying to access a file was successful.
Setup log           This log contains events related to application setup.
System log          General events are logged by Windows components and services, which classify the events as error, warning, or information. Events logged by system components are predetermined by Windows.
Forwarded events    This log stores events collected from remote computers. To collect events from remote computers, you must create an event subscription.

Applications and Services logs are a new category of event logs that store events from a single application or component rather than events that might have system-wide impact. This category of logs includes four subtypes:
- Admin
- Operational
- Analytic
- Debug

Admin logs are of interest to Information Technology (IT) professionals who use the Event Viewer to troubleshoot problems. These logs provide guidance about how to respond to issues, and primarily target end users, administrators, and support personnel. The events found in the Admin logs indicate a problem with a well-defined solution that an administrator can implement.

Events in the Operational log also are useful for IT professionals, but they likely require more interpretation. You can use operational events for analyzing and diagnosing a problem or occurrence, and trigger tools or tasks based on the problem or occurrence. Analytic and Debug logs are not as user-friendly. Analytic logs store events that trace an issue, and they often log a high volume of events. Developers use debug logs when debugging applications.

Note By default, Windows 7 hides and disables both Analytic and Debug logs.

System Information
The System Information tool displays information about a computer, including complete reports on installed hardware. You can use the System Information tool to look for hardware resource conflicts, and to determine the resources that a hardware device is using, including the interrupt request (IRQ) line, memory address range, and the base input/output (I/O) address range.

Device Manager
Device Manager displays information about the hardware installed on your computer, including hardware resource settings and driver information.

Reliability and Performance Monitors


The Reliability and Performance Monitor console includes two monitoring tools:
- The Reliability Monitor displays Windows 7 reliability over time, and any hardware failures that have occurred. You can use the Reliability Monitor to identify hardware failure trends, so that you can replace a device that fails periodically.
- The Performance Monitor displays and collects performance information related to hardware devices installed on the local computer and on remote computers. You can use this information to track performance deterioration that might be a warning sign of potential hardware failure.

Memory Diagnostics
Windows 7 offers features that help improve system reliability, which improves long-term system performance. If the Windows 7 Memory Diagnostics tool detects a faulty memory module or parity error, it displays a message in the system tray that prompts the user to diagnose and fix the problem. You can use Memory Diagnostics to check the computer's memory during the startup process. You can choose to restart the computer immediately and perform the check, or to schedule the memory check during the next computer restart. If you select an immediate check, ensure that you save any work in progress, and close any open windows before restarting the computer.

Note: You must have administrative rights to run the Memory Diagnostics tool.

Action Center
Windows 7 includes the Action Center, which provides a single point of reference for reliability issues. From the Action Center, you can launch diagnostic tools to troubleshoot hardware problems.

Remote Desktop
An administrator can use Remote Desktop to collect hardware information about a remote computer on the network. For example, you could use Remote Desktop to run tools that cannot connect to a remote computer, such as System Information or Reliability Monitor.

Centralized Inventory
Using additional products, including those from both Microsoft and third parties, you can gather hardware information from devices across your enterprise network and store the analysis centrally.

Event Forwarding

Windows 7 can collect copies of events from multiple remote computers, and then store them locally. To specify which events to collect, you can create an event subscription. Subscriptions specify which events Windows 7 collects, and into which logs Windows 7 stores them locally. The forwarded events log exists for this purpose, but Windows 7 can forward events to any log. Once a subscription is active and Windows collects events, you can view and manipulate forwarded events just like other locally stored events. The subscription functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers that are participating in the forwarding and collecting process. Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events are collected (source).

Enabling Subscriptions
To enable subscriptions, perform the following tasks:
- On each source computer, execute the following command at an elevated command prompt to enable WinRM:

  winrm quickconfig

- On the collector computer, type the following command at an elevated command prompt to enable the Wecsvc:

  wecutil qc

- Add the computer account of the collector computer to the local Administrators group on each of the source computers. This configures the computers to forward and collect events.

Note: When you click on Subscriptions in Event Viewer, Windows 7 offers to start and configure wecsvc.

Note: You cannot use Event Viewer to create a subscription while it is connected to a remote computer.

Discussion: Approaches to Troubleshooting Hardware

Consider the following questions that relate to troubleshooting hardware. Discuss with the class how you approach hardware troubleshooting. Provide any hints and tips you have about your approach and how you handle the end-to-end process.

Discussion Questions
1. A user is unable to connect their cordless mouse to their portable computer. What would you check first?

2. You just added a new video display to a user's computer. The resolution of the display is very low, despite being capable of displaying at 1680x1050. What would you check?

3. A user's computer has repeatedly frozen. When this occurs, the computer accepts no input from keyboard or mouse, and all processing stops. What would you suspect as the problem, and what steps would you try to resolve the issue?

Best Practices for Troubleshooting Hardware Issues

Outside of component failure, hardware-related problems usually occur when you install a new hardware device or update a device driver. Common symptoms of a hardware-related problem include spontaneous computer restarts and error messages on a blue screen.
- Verify that the computer carries the Compatible with Windows 7 logo, and that the hardware components are on the Windows Marketplace Tested Products list. If a problematic hardware component is not on the Windows Marketplace Tested Products list, replace it with a listed component.
- Remove or disable recently installed device drivers. If you have recently installed a third-party driver or software package, try removing or disabling it to prevent it from loading, and then restart the computer. If that does not fix the problem, contact the hardware vendor, and ensure that you have the latest available driver. If you are using the latest version of the driver, contact the hardware vendor, and log the issue as a support incident.
- Use driver rollback to return to a previous driver version. If a failure occurs after installing an updated device driver, use the driver rollback feature to return to the previous working driver version:
  - Access driver rollback from within Device Manager.
  - Start your computer in Safe Mode, if necessary, to access driver rollback.

- Use vendor support. Ensure that you have adequate support agreements and escalation procedures with the hardware vendor, and then take advantage of this support if a hardware failure occurs. Many hardware vendors offer extended support options, and will replace failed hardware components within a certain period, which your organization's Service Level Agreements (SLAs) should specify.
- Establish an incident recording procedure. It often is difficult for users to determine the exact sequence of events that lead to failures. Many IT help desks adopt scripts that facilitate logical interviewing techniques to determine whether users made changes to their computers prior to the failure. Using a consistent procedure for recording incidents also aids with diagnosing problems.

Lesson 2

Troubleshooting Physical Failures

Hardware failures can be catastrophic unless you plan for device failure and replacement. You should have procedures in place so that you can replace failed devices efficiently, especially for your most vulnerable devices.

Objectives
After completing this lesson, you will be able to:
- Apply device replacement considerations.
- Explain the most vulnerable hardware devices.
- Apply the guidelines for replacing hardware.

Considerations for Replacing Devices

Many organizations have SLAs and warranties with hardware vendors in place. Before replacing defective hardware, consider any procedures that those SLAs detail before you can obtain replacement hardware. Consideration of these factors may enable you to fix the hardware problem more quickly, and reduce the impact on your users' productivity and the organization's budget.

Service Level Agreements


An SLA can specify what to do when hardware fails, and how to log a failure incident with your organization's service desk. The SLA also can dictate the expected response and replacement time for device replacement. Procedures also must be in place to ensure that sufficient spare hardware devices are available. Some companies maintain a definitive hardware list, and spares for each device on this list.

Warranties
Most hardware vendors include a warranty with their products. The warranty generally lasts for an initial period, such as 12 months, and covers the hardware against failure during this period. A basic warranty usually stipulates a next-business-day response for device replacement. For a fee, most hardware vendors offer additional warranty services with shorter response and replacement times. A typical option may specify a four-hour telephone response time, with an engineer scheduled to visit the site within eight hours to provide an on-site fix. Ensure that SLAs are covered by the warranty agreements or other contracts with the manufacturer or hardware vendor.

Escalation Procedures
Providing appropriate escalation procedures and resources can be as simple as providing a contact telephone number for the hardware vendor, but also can include providing a customer account number for the vendor, a particular contact name, and any pertinent contract details. This makes service-desk staff aware of agreed-upon response times.


Issues with Data Security


If you need to replace a hard disk due to a hardware problem, you might need to return the broken disk to the manufacturer. If this is the case, check the security requirements for removing sensitive or confidential data from the hard disk before you return it.


What Are the Most Vulnerable Devices?

In order to pinpoint why a computer is experiencing a problem, it is important to be able to identify whether a hardware component or device is the source of the problem. Knowing which devices are most susceptible to failure can help accelerate the diagnosis. Knowing more about the conditions under which vulnerable devices are most likely to fail can help you avoid those conditions. You can use reliability measures to calculate the probability of failure. One such measure is mean time between failures (MTBF). MTBF is the average time interval, usually expressed in thousands or tens of thousands of hours, before a component fails and requires service.

Hard-Disk Drives
There are five main reasons why hard-disk drives fail, leading to potential data loss or corruption:
• Logical failure. Examples of logical errors include invalid entries in a file allocation table (FAT) or master file table (MFT) on the NTFS file system volume. Logical failures are the least severe type of failure, and you typically can fix them by running the Chkdsk command-line tool with the /f switch. However, logical errors also can cause corruption and file system loss on a severely fragmented drive. In such cases, you may need specialized tools to fix the problem.
• Mechanical failure. Platters, which are one or more rotating, magnetically-coated disks, store data on a hard disk. Data is accessed through read/write heads mounted on rotating mechanical arms. One of the most common mechanical failures occurs when the read/write heads of the hard disk come in contact, momentarily or continuously, with the hard-disk platters. Additionally, physical shock, computer movement, static electricity, power surges, or mechanical read/write head failure can cause head crashes. Hard-disk drives also may fail because of motor problems.
• Electronic failure. An electronic failure is a problem with the hard disk's controller board. If the controller fails, the disk may be undetectable by the system BIOS. Additionally, electronic failure can occur because of electrical surges that damage the controller board or because of defective board components. However, you often can recover data because the disk platters and other mechanical components remain undamaged.
• Firmware failure. Hard-disk firmware is code that controls the hardware. It is often stored on a flash memory chip on the hard-disk controller board. If the firmware becomes corrupt or unreadable, the computer may be unable to communicate with the disk.
• Bad sector. Bad sectors can be logical or physical. A lost cluster is an example of a logical bad sector that you typically can repair with software tools. Shock or vibrations often cause physical bad sectors. Most hard-disk drives have firmware that marks bad sectors, and as long as the damage is minor, no data is lost. You can use drive-monitoring tools to determine when the number of physical bad sectors is critical enough to replace the drive.

Optical Drives
Optical drives such as CD and DVD drives tend to have shorter life spans than other hardware devices, and the MTBF is lower than that for a hard-disk drive. Most hardware manufacturers provide a one-year guarantee on optical drives and a three-year guarantee on hard-disk drives. The media quality in optical drives is a significant factor in an optical drive's lifespan:
• Higher-quality media can increase the device lifespan.
• Unclean media may reduce the lifespan.

Software settings also can affect optical drives. Using a high-maximum write speed can result in a greater number of irreparable and subsequently unusable discs, compared to using slower write speeds. Optical drives can fail due to vibration, because they require precise optical alignment in the device to work properly. You can cause vibration by moving the computer while it is in use, or by operating the computer in a location that is not stable. Excessive dust also can damage optical drives.

Cooling Fans
The most common cause of failure of cooling fans is dust building up inside the computer and around the fan area. This accumulation can lead to failures in the fan bearings, motor, or power supply.

CPUs and GPUs


CPUs and graphics processing units (GPUs) are devices least likely to fail. However, you can overheat and damage the CPU if you attempt to overclock the CPU. Overheating also can occur because of a failure with the cooling fan. Additionally, power spikes and static electricity discharge can cause CPU failures.

System Memory
Memory problems can occur as a result of heat, power surges, or static electricity. You can use the Windows 7 Memory Diagnostics tool to help identify and resolve memory issues.


Power Supplies
The power supply converts regular current into low-DC voltage that the computer can use. A failing power supply can cause erratic behavior, including computers restarting randomly, memory errors, or power being supplied to some devices and not others. Symptoms of power supply problems can include:
• No indicator lights, disk action, or screen display.
• On/Off indicator lights are visible, but there is no disk action or screen display.
• The system produces a continuous beep.


Guidelines for Replacing Hardware

To minimize the risk of a replacement device failing, adhere to the following guidelines:
• When you install a device, take care to minimize the risk of damage during the installation process.
• Eliminate support issues by choosing replacement devices that are compatible with Windows 7.

Root Cause Analysis


Before replacing failed hardware devices, determine the root cause of the failure so that you can prevent this issue from damaging the replacement device. The root cause could be environmental, leading to heat- or moisture-related failures. For example, devices placed in direct sunlight with poor ventilation, or in a damp location where there might be condensation, may fail after a short time. Alternatively, the root cause could be behavioral, such as users knocking or kicking the computer.

Static Electricity Issues


Because of the risks that static electricity poses to devices such as system memory, it is important that you observe static electricity guidelines and train your IT staff accordingly. Initiate compulsory maintenance procedures, and ensure that you use antistatic kits, which are inexpensive and available from numerous hardware manufacturers. Hardware vendors operate professional hardware-qualification programs that include detailed information about antistatic maintenance precautions. Additionally, ensure that IT staff wear grounding straps when working with sensitive components.


Windows 7 Compatibility
When you buy a new computer, check for the Compatible with Windows 7 logo. The hardware in a Windows 7 Compatible computer has been tested to run the Windows 7 operating system with no problems. When buying hardware devices for a computer that is running Windows 7, check that the hardware has the approval of the Windows Logo Program for Windows 7. This means that the hardware has been tested for Windows 7 compatibility, and that it is listed on the Windows Marketplace website. Windows Marketplace is an online service that replaces the previous Hardware Compatibility List (HCL).


Lesson 3

Monitoring Reliability and Performance

You can use several methods to collect performance data from your organization's computers. You should use whichever methods suit your organization's requirements. Real-time monitoring of computers is useful when you want to determine the effect of performing a specific action, or to troubleshoot specific events. This type of monitoring also can help you to ensure that you are meeting Service Level Agreements (SLAs). Analyzing historical data can be useful for tracking trends over time, determining when to relocate resources, and deciding when to invest in new hardware to meet your organization's changing requirements. You should use historical performance data to assist you when you plan future workstation requirements. If you intend to gather data for historical comparison, it is important to establish a performance baseline. Windows 7 provides tools that enable you to identify performance problems. It is important that you know how to use these performance tools to support your users.

Objectives
After completing this lesson, you will be able to:
• Identify bottlenecks by using the Resource Monitor screen, which provides real-time information.
• Monitor real-time activity with the Performance Monitor.
• Generate reports by using Data Collector Sets.
• Describe the Reliability Monitor.


What Is Resource Monitor?

Resource Monitor provides a snapshot of system performance. Since the four key system components are processor, memory, disk, and network, Resource Monitor provides a summary of these four components and a detailed tab for each. If a user's computer is running slowly, you can use Resource Monitor to view current activity in each of the four component areas, and make a determination about which of the key components might be causing a performance bottleneck.

Using Resource Monitor


When Resource Monitor first opens, the initial view is of the Overview tab. Displayed on the right-hand side are four graphs: CPU, Disk, Network, and Memory. You can examine these graphs, looking for excessive peaks in CPU, Disk, Network, or Memory activity. In the main pane, you can examine details about each component by expanding each component's information list. Each process running in the computer is listed, as well as information about each process's resource consumption. For example, the number of threads and the percentage of CPU capacity being used displays for each running process. Having determined that a particular component's usage is bottlenecked, use the appropriate component tab to view more information. Remember that a snapshot of current activity, which Resource Monitor provides, only tells a partial story. For instance, you might see a peak in activity that is not representative of average performance.


What Is Performance Monitor?

Performance Monitor enables you to view current performance statistics, or to view historical data that you gather by using Data Collector Sets, which several upcoming topics detail. Windows 7 enables you to monitor operating system performance through performance objects and counters in the objects. Windows 7 collects data from counters in various ways, including:
• A real-time snapshot value.
• The total since the last computer startup.
• An average over a specific time interval.
• An average of last values.
• Number per second.
• Maximum value.
• Minimum value.

Performance Monitor works by providing you with a collection of objects and counters that record data about computer resource usage. There are many counters that you can research and monitor to meet your specific requirements.

Primary Processor Counters


CPU counters are a feature of the computer's CPU that store the count of hardware-related events.
• Processor>% Processor Time displays the percentage of elapsed time that the specified thread used the processor to execute instructions. A thread is the processor's basic unit of execution: the object that executes instructions. Code executed to handle some hardware interrupts and trap conditions is included in this count.
• Processor>Interrupts/sec displays the rate, in incidents per second, at which the processor received and serviced hardware interrupts.
• System>Processor Queue Length displays an approximate number of threads each processor is servicing. The processor queue length, sometimes called processor queue depth, reported by this counter is an instantaneous value that is representative only of a current snapshot of the processor. Therefore, you must observe this counter over a long period of time to see trends in data. Additionally, the System>Processor Queue Length counter reports a total queue length for all processors, not a length per processor.

Primary Memory Counters


The Memory performance object consists of counters that describe the behavior of the computer's physical and virtual memory. Physical memory is the amount of random access memory (RAM) on the computer, and virtual memory is the space in physical memory and on disk. Many of the memory counters monitor paging, which is the movement of pages of code and data between disk and physical memory.
• Memory>Pages/sec displays the number of hard page faults per second. A hard page fault occurs when the requested memory page cannot be located in RAM because it currently exists in the paging file. An increase in this counter indicates that more paging is occurring, which suggests a lack of physical memory.

Primary Disk Counters


The Physical Disk performance object consists of counters that monitor hard or fixed disk drives. Disks store file, program, and paging data. They are read to retrieve these items, and are written to record changes to them. The total values of physical disk counters are the total of all values of the logical disks (or partitions) into which they are divided:
• The Physical Disk>% Disk Time counter indicates how busy a particular disk is. A counter approaching 100 percent indicates that the disk is busy nearly all of the time, and a performance bottleneck may be imminent.
• The Physical Disk>Average Disk Queue Length counter indicates how many disk requests are waiting to be serviced by the Windows 7 input/output (I/O) manager at a given moment. The longer the queue, the less satisfactory the disk throughput, which is the total amount of traffic that passes a given point on a connection per unit of time.

Primary Network Counters


Most workloads, which are the amount of processing that the computer does at a given time, require access to production networks to ensure communication with other applications and services, and to communicate with users. Network requirements include elements such as throughput and the presence of multiple network connections. Workloads might require access to several different networks that must remain secure. Examples include connections for:
• Public network access.
• Networks for performing backups and other maintenance tasks.
• Dedicated remote-management connections.
• Network adapter teaming for performance and failover.
• Connections to the physical host computer.
• Connections to network-based storage arrays.

By monitoring the network performance counters, you can evaluate your network's performance.
• The Network Interface>Current Bandwidth counter indicates the current bandwidth being consumed on the network interface in bits per second (bps). Most network topologies have maximum potential bandwidths quoted in megabits per second (Mbps). For example, Ethernet can operate at bandwidths of 10 Mbps, 100 Mbps, 1 gigabyte (GB) per second, and higher. To interpret this counter, divide the value given by 1,048,576, which returns the number in megabits per second. If the value approaches the maximum potential bandwidth of the network, consider implementing a switched network or upgrading to a network that supports higher bandwidths.
• The Network Interface>Output Queue Length counter indicates the current length of the output packet queue on the selected network interface. A growing value, or one that is consistently higher than two, may indicate a network bottleneck, which you should investigate.
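The processor, memory, disk, and network counters described in this topic can be sampled from the command line as well as in the Performance Monitor console. The following PowerShell script is an added example, not part of the course material: it uses Get-Counter (available on Windows 7) to take repeated samples of the counters named above, averages them, and flags the conditions the text calls out (a processor or output queue consistently above two, a disk busy nearly all of the time). The 30-second sampling window and the 90 percent disk threshold are choices made for the example. Note that the disk queue counter's actual name in Windows is "Avg. Disk Queue Length".

```powershell
# Added example (not from the course): sample this topic's counters with Get-Counter and
# summarize them the way you would read them in Performance Monitor.
$counterPaths = @(
    '\Processor(_Total)\% Processor Time',
    '\Processor(_Total)\Interrupts/sec',
    '\System\Processor Queue Length',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Current Bandwidth',
    '\Network Interface(*)\Output Queue Length'
)

# Queue lengths are instantaneous values, so take 15 samples two seconds apart
# (30 seconds in total) and judge the average rather than a single reading.
$sampleSets = Get-Counter -Counter $counterPaths -SampleInterval 2 -MaxSamples 15

# Flatten the sample sets, group by counter path, and compute average and maximum.
$summary = $sampleSets |
    ForEach-Object { $_.CounterSamples } |
    Group-Object -Property Path |
    ForEach-Object {
        $m = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
        New-Object PSObject -Property @{
            Path    = $_.Name
            Average = [math]::Round($m.Average, 2)
            Maximum = [math]::Round($m.Maximum, 2)
        }
    }

foreach ($row in $summary) {
    $note = ''
    switch -Wildcard ($row.Path) {
        # Thresholds from the text: queue lengths consistently above 2, disk time near 100 percent.
        # The 90 percent disk figure is an assumption used to approximate "approaching 100 percent".
        '*\Processor Queue Length' { if ($row.Average -gt 2)  { $note = 'processor queue consistently > 2' } }
        '*\% Disk Time'            { if ($row.Average -gt 90) { $note = 'disk busy nearly all of the time' } }
        '*\Output Queue Length'    { if ($row.Average -gt 2)  { $note = 'network output queue > 2, investigate' } }
        # Current Bandwidth is reported in bps; the text divides by 1,048,576 to read it in Mbps.
        '*\Current Bandwidth'      { $note = '{0:N0} Mbps link' -f ($row.Average / 1048576) }
    }
    '{0,-70} avg={1,12:N2} max={2,12:N2}  {3}' -f $row.Path, $row.Average, $row.Maximum, $note
}
```

Run the script from an elevated PowerShell prompt while the user reproduces the slow operation; the averaged output is the "observe over a long period" reading the text asks for, while the Maximum column preserves the peaks that a single Resource Monitor snapshot would show.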


What Are Data Collector Sets?

A Data Collector Set is the foundation of Windows 7 performance monitoring and reporting in Performance Monitor. Data Collector Sets enable you to gather system and performance-related statistics for analysis by using tools within Performance Monitor or third-party tools. While it is useful to analyze current performance activity on a Windows 7 computer, you might find it more useful to collect performance data over a period of time, and then analyze and compare it with data that you gathered previously. This data comparison enables you to make determinations about resource usage, as well as plan for growth, and identify potential performance problems. Data Collector Sets can contain the following types of data collectors:
• Performance counters. Provide workstation performance data.
• Event trace data. Provides information about system activities and events, which often is useful for troubleshooting.
• System configuration information. Enables you to record the current state of registry keys and to record changes to those keys.

You can create a Data Collector Set from a template, from an existing set of data collectors in a Performance Monitor view, or by selecting individual data collectors, and then setting each individual option in the Data Collector Set properties.
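A Data Collector Set of performance counters can also be created and run without the console, which is how you would collect the same baseline on many workstations. The following PowerShell script is an added example, not the course's own material: it uses logman.exe (the command-line front end to Data Collector Sets) to create a counter collector from the counters used in this lesson, runs it for an hour, and then reads the resulting binary logs back with Import-Counter so that a later collection can be compared against the baseline. The set name, output folder, sampling interval, and one-hour duration are assumptions made for the example.

```powershell
# Added example (not from the course): create, run and read back a counter Data Collector Set.
$setName = 'WorkstationBaseline'      # assumed name for the Data Collector Set
$logDir  = 'C:\PerfLogs\Baseline'     # assumed output folder
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# The counters from this lesson, sampled every 15 seconds into a binary (.blg) log.
# -rf runs the collector for one hour and then stops it; -v appends a timestamp to the file name.
$counterPaths = @(
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Output Queue Length'
)
logman create counter $setName -c $counterPaths -si 00:00:15 -f bin -v mmddhhmm -o "$logDir\$setName" -rf 01:00:00
logman start $setName
logman query $setName          # shows the status (Running) and the output file name
# Re-run "logman start $setName" on later days to collect comparison data;
# "logman delete $setName" removes the set when it is no longer needed.

# Read every log collected so far and report the average Pages/sec per file, oldest first,
# so the current figure can be set against the baseline from an earlier run.
Get-ChildItem -Path $logDir -Filter '*.blg' | Sort-Object LastWriteTime | ForEach-Object {
    $file   = $_
    $paging = Import-Counter -Path $file.FullName |
        ForEach-Object { $_.CounterSamples } |
        Where-Object { $_.Path -like '*\Memory\Pages/sec' } |
        Measure-Object -Property CookedValue -Average
    '{0,-40} Pages/sec average = {1:N1}' -f $file.Name, $paging.Average
}
```

The same .blg files open in Performance Monitor's graph view, so the console and the script work on one set of data; a rising Pages/sec average from one week's file to the next is the historical-comparison signal of memory pressure this topic describes.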


What Is Reliability Monitor?

Reliability Monitor provides you with a system-stability overview and trend analysis. Additionally, it provides detailed information about individual events that may affect the system's overall stability, such as software installations, operating-system updates, and hardware failures. It begins collecting data when the system installs. You can use Reliability Monitor to help answer important questions about changes on a user's computer, such as software installations, driver updates, and application failures. Reliability Monitor records these changes, and it may indicate recent system changes. The monitor displays a line chart with points on it that represent dates and icons that indicate events such as errors, warnings, and informational occurrences. Clicking on a point shows you event details for that day. Event details are categorized into:
• Application failures.
• Windows failures.
• Miscellaneous failures.
• Warnings.
• Information.

System Stability Index


Reliability Monitor calculates a System Stability Index that reflects whether unexpected problems reduced the system reliability. This index is based on a value that is set at 10 at installation. This value decreases as problems occur, and increases as time passes without problems.
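The data behind the Reliability Monitor chart, both the daily System Stability Index and the individual events, is exposed on Windows 7 through two WMI classes, Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords, which lets you read it from a script or from a remote computer. The following PowerShell script is an added example, not from the course: it prints the index for the last two weeks and groups the reliability records by event source so that a repeatedly failing application or driver stands out. The 14-day window is an assumption.

```powershell
# Added example (not from the course): read Reliability Monitor data through WMI.
$days = 14   # assumption: how far back to look

# Daily System Stability Index, most recent first. 10 means no recorded problems;
# the value falls as problems occur and recovers as problem-free days pass.
$metrics = Get-WmiObject -Class Win32_ReliabilityStabilityMetrics |
    Sort-Object -Property TimeGenerated -Descending |
    Select-Object -First $days

'System Stability Index, most recent first:'
foreach ($m in $metrics) {
    $day = $m.ConvertToDateTime($m.TimeGenerated)    # CIM datetime string -> [DateTime]
    '  {0:yyyy-MM-dd}  {1,5:N2}' -f $day, $m.SystemStabilityIndex
}

# The events that pull the index down, restricted to the same window.
$since   = (Get-Date).AddDays(-$days)
$records = Get-WmiObject -Class Win32_ReliabilityRecords |
    Where-Object { $_.ConvertToDateTime($_.TimeGenerated) -ge $since }

''
'Reliability records by event source, last {0} days:' -f $days
$records | Group-Object -Property SourceName | Sort-Object -Property Count -Descending | ForEach-Object {
    '  {0,4}  {1}' -f $_.Count, $_.Name
}

# Most recent ten records with the product they relate to, which is what the
# per-day detail pane in Reliability Monitor shows.
''
'Most recent records:'
$records | Sort-Object -Property TimeGenerated -Descending | Select-Object -First 10 | ForEach-Object {
    '  {0:yyyy-MM-dd HH:mm}  {1,-35} {2}' -f $_.ConvertToDateTime($_.TimeGenerated), $_.SourceName, $_.ProductName
}
```

Add -ComputerName to each Get-WmiObject call to read the same data from a user's computer across the network, which is often quicker than asking the user to open the console and describe what they see.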


Lesson 4

Configuring Performance Options in Windows 7

It is important to optimize your users' Windows 7 computers to enhance performance, rather than waiting to take action when the computers perform badly.

Objectives
After completing this lesson, you will be able to:
• Describe how Windows uses resources, which can affect throughput.
• Describe the process of configuring paging to optimize performance.
• Describe implementing power management to optimize performance.
• Optimize disk performance.


How Windows Uses Key System Components

The four main hardware components that you should monitor in a Windows 7-based computer are:
• Processor
• Disk
• Memory
• Network

Understanding how the operating system utilizes these four key hardware components, and how they interact, can help you understand how to optimize workstation performance. When monitoring performance, you should consider:
• The measurement of all key components in your users' workstations.
• The workstation role and workload, to determine which hardware components are likely to restrict performance.
• The ability to increase workstation performance by adding power or reducing the number of applications that the user is running.

Processor
One important factor in determining your computer's overall processor capacity is processor speed, which is determined by the number of operations that it performs over a specific time period. Computers with multiple processors, or processors with multiple cores, generally perform processor-intensive tasks with greater efficiency, and as a result are faster than single-processor or single-core processor computers. Processor architecture is also important. 64-bit processors can access more memory and have a significant positive effect on performance. This is true especially when applications running on your users' workstations require a large amount of memory.


Disk
Hard disks store programs and data. Consequently, the throughput of a workstation's disk affects its speed, especially when the workstation is performing disk-intensive tasks. Most hard disks have moving parts, and it takes time to position the read/write heads over the appropriate disk sector to retrieve the requested information. By selecting faster disks, and by using collections of disks to optimize access times, you can alleviate the potential for the disk subsystem to create a performance bottleneck. It also is important to remember that Windows 7 moves information on the disk into memory before it uses it. If there is a surplus of memory, the Windows 7 operating system creates a file cache for items recently written to, or read from, disks. Installing additional memory in a workstation often improves the disk subsystem performance, because accessing the cache is faster than moving the information from disk into memory.

Memory
Programs and data load from disk into memory before the program manipulates the data. In workstations that run multiple programs, or where datasets are very large, installing more memory can improve workstation performance. Windows 7 uses a memory model which does not reject excessive memory requests. Instead, Windows 7 handles them by using a process known as paging. During paging, Windows 7 moves the data and programs in memory that processes are not currently using to the paging file on the hard disk. This frees up physical memory to satisfy the excessive memory requests, but because a hard disk is comparatively slow, it has a negative effect on workstation performance. By adding more memory, and by using a 64-bit processor architecture that supports larger memory, you can reduce the need for paging.

Network
You easily can underestimate how a network that is performing poorly can affect workstation performance, because it is not as easy to see or to measure as the other workstation components. However, the network is a critical component for performance monitoring, because network devices store so many of the application programs and data being processed.

Understanding Bottlenecks
A performance bottleneck occurs when a computer is unable to service the current requests for a specific resource. The resource might be a key component, such as a disk, memory, processor, or network. Alternatively, the shortage of a component within an application package also may cause a bottleneck. By using performance-monitoring tools on a regular basis, and comparing the results to your baseline and to historical data, you can identify performance bottlenecks before they impact users. Once you identify a bottleneck, you must decide how to remove it. Your options for removing a bottleneck include:
• Running fewer applications.
• Adding additional resources to the computer.


A computer suffering from a severe resource shortage may stop processing user requests, which requires immediate attention. However, if your computer experiences a bottleneck but still operates within acceptable limits, you might decide to defer any changes until you resolve the situation, or until you have an opportunity to take corrective action. Question: Which hardware components are most likely to restrict performance for a Windows 7 computer?


Optimizing Performance by Configuring Windows Paging

For most single-disk-drive computers running Windows 7, it typically is adequate to leave the pagefile settings at the default values. Under normal circumstances, you gain little benefit by adjusting these values. However, if your Windows 7 computer has more than one disk, you may gain a performance benefit by following these guidelines:
• Create the paging file on a different physical disk than the operating system disk. Paging is a disk-intensive task. If you distribute the disk load across all of your computer's available disks, you minimize the likelihood of performance bottlenecks affecting the disk subsystem. By optimizing the disk subsystem, you can make the paging process as efficient as possible.
• Configure a fixed-size paging file. A paging file that can grow on the disk might encompass fragmented areas of the disk volume. By configuring a fixed-size paging file, you can ensure that the paging file does not encompass fragmented areas.
• Ensure that the disk volume is not fragmented when you create the paging file. If you want to create a fixed-size paging file on a computer that already has a paging file, ensure that you do not create a paging file that encompasses fragmented areas of the disk. Additionally, you must configure the computer to use no paging, and then defragment the volumes, before you create a fixed-size paging file.
• When you configure the paging file, ensure that its size is sufficiently large. Recommendations specify that an initial paging file should be equivalent to the amount of installed memory, and a maximum paging file size that is equal to twice the initial value. Consequently, you should create a fixed-size paging file that is equal to or twice the size of the physical memory.

Note For computers with 2 GB of physical memory running 32-bit versions of Windows 7, there is no particular benefit in configuring a paging file larger than 2 GB.
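The paging-file settings behind the System Properties dialog are also reachable through WMI, which is how you would audit or apply the guidelines above on many computers. The following PowerShell script is an added example, not the course's own material: it reports the current configuration and the fixed size the guidelines recommend (equal to installed memory), and only when run with -Apply does it disable automatic management, remove the existing paging file setting, and create a fixed-size file on a second disk through Win32_ComputerSystem and Win32_PageFileSetting. The D: drive letter and the -Apply switch are assumptions made for the example; the change requires elevation and a restart.

```powershell
# Added example (not from the course): audit, and optionally apply, a fixed-size paging file
# on a second physical disk. Run without -Apply to see what would change.
param(
    [string]$PagingDrive = 'D:',   # assumption: a volume on a physical disk other than the OS disk
    [switch]$Apply
)

$cs    = Get-WmiObject -Class Win32_ComputerSystem -EnableAllPrivileges
$os    = Get-WmiObject -Class Win32_OperatingSystem
$ramMB = [math]::Floor($cs.TotalPhysicalMemory / 1MB)   # TotalPhysicalMemory is in bytes

'Windows architecture             : {0}' -f $os.OSArchitecture
'Installed physical memory         : {0} MB' -f $ramMB
'Automatically managed paging file : {0}' -f $cs.AutomaticManagedPagefile
Get-WmiObject -Class Win32_PageFileSetting | ForEach-Object {
    # InitialSize and MaximumSize are in MB; 0/0 means "system managed" for that file
    'Current setting                   : {0}  initial={1} MB  maximum={2} MB' -f $_.Name, $_.InitialSize, $_.MaximumSize
}

# Guideline from the text: a fixed size equal to installed memory (initial == maximum).
# Per the note above, a 32-bit Windows 7 computer with 2 GB of RAM gains nothing from a
# file larger than 2 GB, which this rule already respects on such a computer.
$sizeMB = $ramMB
'Recommended fixed paging file     : {0}\pagefile.sys  {1} MB initial and maximum' -f $PagingDrive, $sizeMB

if ($Apply) {
    # 1. Take control away from automatic management.
    $cs.AutomaticManagedPagefile = $false
    $cs.Put() | Out-Null

    # 2. Remove the existing settings (typically C:\pagefile.sys) so the OS disk stops paging.
    #    Defragment the target volume before this step if it previously held a paging file.
    Get-WmiObject -Class Win32_PageFileSetting | ForEach-Object { $_.Delete() }

    # 3. Create the fixed-size file. Equal initial and maximum sizes stop it growing into
    #    fragmented areas of the volume later.
    Set-WmiInstance -Class Win32_PageFileSetting -Arguments @{
        Name        = "$PagingDrive\pagefile.sys"
        InitialSize = $sizeMB
        MaximumSize = $sizeMB
    } | Out-Null

    'Settings written; restart the computer for the new paging file to take effect.'
}
```

Save the script as a .ps1 file and run it once without -Apply on a few representative workstations to confirm the reported values match what System Properties shows before using it to make the change.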


Optimizing Power Management Settings

Portable computer users want to conserve their computer's battery life, while maintaining optimum system performance. This is not a concern for users of desktop computers. However, by default, Windows 7 uses the same initial power management settings for both portable and desktop computers, even though the requirements for the two computer types are different.

Power Plans
In Windows 7, you can use power plans to help you maximize computer and battery performance. By using power plans, you can change a variety of system settings to optimize power or battery usage, depending on the scenario. There are three default power plans, which the following table outlines.

Power plan        Description
Power saver       This plan saves power on a mobile computer by reducing system performance, which maximizes battery life.
High performance  This plan provides the highest level of performance on a mobile computer by adapting processor speed to your work or activity, and by maximizing system performance.
Balanced          Windows 7 uses the Balanced power plan by default. This plan balances energy consumption and system performance by adapting the computer's processor speed to your activity.


Each plan provides alternate settings for AC or DC power. The three plans differ with regards to power and performance, as follows:
• The power saver plan reduces power usage by lowering the performance.
• The high performance plan causes your computer to consume more power by increasing system performance.
• The balanced plan provides the best balance between power and performance.

Optimizing Performance
When configuring power options to optimize performance, use the following guidelines:
• For desktop computers, you should consider changing the power plan to use the High performance plan.
• To optimize performance, you can create your own power plan by configuring the settings manually as follows:
  a. From Power Options, click Create a power plan.
  b. Select High performance as a template.
  c. Configure specific options, including:
     Turn off hard disk after: Never
     Minimum processor state: 100%

Avoid Hibernate and Hybrid Sleep options. These power-saving options work by saving the computer state, or part of the computer state, to the hard disk in a file called Hiberfil.sys. This can cause fragmentation on your hard disk, and Windows 7 Defragmenter cannot defragment this file.
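The custom plan described in steps a to c, together with the advice to avoid hibernation and hybrid sleep, can be applied from a script with powercfg.exe, which is the practical route when many desktop computers need the same plan. The following PowerShell script is an added example, not from the course: it duplicates the built-in High performance plan (powercfg's alias SCHEME_MIN), renames the copy, sets the disk idle timeout to never and the minimum processor state to 100 percent for both AC and DC power, activates the plan, and then disables hybrid sleep and hibernation. The plan name and description are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the course): build the "High performance template" plan with powercfg.

# Steps a and b: create a plan using High performance as the template. powercfg prints
# "Power Scheme GUID: <guid>  (<name>)" for the new copy; capture the GUID from that line.
$result = (powercfg -duplicatescheme SCHEME_MIN) -join ' '
$guid   = [regex]::Match($result, '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}').Value
if (-not $guid) { throw "powercfg did not return a scheme GUID: $result" }
powercfg -changename $guid 'Desktop performance' 'High performance template: disk never spins down, minimum processor state 100%'

# Step c: Turn off hard disk after = Never (the DISKIDLE setting is in seconds; 0 = never).
powercfg -setacvalueindex $guid SUB_DISK DISKIDLE 0
powercfg -setdcvalueindex $guid SUB_DISK DISKIDLE 0

# Step c: Minimum processor state = 100 percent.
powercfg -setacvalueindex $guid SUB_PROCESSOR PROCTHROTTLEMIN 100
powercfg -setdcvalueindex $guid SUB_PROCESSOR PROCTHROTTLEMIN 100

# Make the plan active and read the two settings back (powercfg prints indexes in hexadecimal).
powercfg -setactive $guid
powercfg -query $guid SUB_DISK DISKIDLE
powercfg -query $guid SUB_PROCESSOR PROCTHROTTLEMIN

# Avoid hybrid sleep and hibernation, as the text advises: turning hibernation off also
# removes Hiberfil.sys, which the built-in defragmenter cannot move.
powercfg -setacvalueindex $guid SUB_SLEEP HYBRIDSLEEP 0
powercfg -hibernate off

# Confirm the result.
powercfg -list
```

powercfg -list marks the active plan with an asterisk; keep the GUID it reports if you intend to export the plan with powercfg -export and import it on other desktops.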


Optimizing Disk Performance

Most hard disks have moving parts, and are consequently slower than other storage technologies. To optimize disk subsystem throughput, consider the general points in the following table.

Optimization task                                         Why you might use it
Ensure that you enable write-caching.                     You can use Device Manager to examine the properties of any installed disks and to verify that write-caching is enabled.
Minimize the frequency of paging.                         Adding physical memory to a computer that is paging excessively reduces the load on the disk subsystem.
Distribute the memory load across all available disks.    If your computer has multiple physical disks, consider distributing disk-intensive activities across these disks. For example, you can install the operating system and applications on one disk, the paging file on another, and your data files on a third disk.
Implement faster disks.                                   Disk speed is measured in revolutions per minute (rpm), and average seek times are measured in milliseconds. Install 7200 rpm disks or faster, and choose disks with the lowest seek time.
Consider using solid-state disks (SSDs).                  SSD disks use flash memory technology and have no moving parts. They can operate faster than more traditional disks, but they are more expensive. Research the specific vendor and model of disk carefully. Some disks provide higher write performance, some provide higher read performance, and some provide neither, providing power-saving benefits instead.
Consider implementing a performance-enhancing disk array. You can combine physical disks into a single volume, distributing the disk activity across all the disks in the array. Windows 7 provides a capability in Disk Management to combine disks in this manner. However, it often is better to buy a disk array from a storage vendor, and handle the data striping by using the hardware in the array.
Defragment volumes that are used heavily.                 You can use either the built-in disk defragmentation tool or third-party tools, some of which support the defragmentation of files such as Hiberfil.sys and Pagefile.sys. Note that the likelihood of disk volume fragmentation increases as the disk volume becomes filled.


Lesson 5

Troubleshooting Device Driver Failures

A driver is a small software program that allows the computer to communicate with hardware or devices. A hardware device works only if its device driver is installed correctly and functioning properly. Remember that drivers are specific to operating systems. A driver failure can render even the most sophisticated and expensive device useless. Malfunctioning device drivers also can affect other hardware and may stop the computer from operating properly. This lesson focuses on troubleshooting problems related to hardware device drivers, which can include:
- Disabling and removing device drivers.
- Verifying driver signatures.
- Installing or reinstalling drivers manually.

Objectives
After completing this lesson, you will be able to:
- Describe management of device drivers.
- Describe methods for disabling device drivers.
- Install and remove device drivers.
- Describe the process to remove unsigned drivers.
- Describe how to extract drivers.
- Extract and install drivers into the driver store.
- Manage legacy devices.
- Manage driver installation by using Group Policy settings.


Managing Device Drivers

Windows 7 makes it possible for users to install their own device drivers, but this can potentially introduce security and reliability problems. As an administrator, you can copy driver packages to a protected area of a user's computer, called the driver store. A standard user, without any special user rights, then can install drivers from the driver store. You also can configure the client computer to search particular local or network folders automatically when a new device is attached, so that Windows does not prompt the user to insert media. The driver store, in conjunction with driver signing, increases computer security by ensuring that standard users can install only those driver packages that you authorize and trust.

Driver Packages
A driver package is a set of files that make up a driver. The driver package includes:
- The .inf file.
- Any files that the .inf file references.
- The catalog (.cat) file that contains the digital signature of the device driver.

Installing a driver is a two-stage process:
1. Install the driver package into the driver store. You must use administrator credentials to perform this step.
2. Attach the device, and install the driver. A standard user can perform this step.


Driver Store
The driver store is the Windows 7 driver repository. Because the driver store is a trusted location, when compatible hardware is connected, Windows 7 installs the appropriate driver automatically from the store's cache of device drivers. Because standard users can install any device driver from the driver store, users can install common hardware accessories without calling the help desk. An original equipment manufacturer (OEM) or IT administrator can preload the driver store with the necessary drivers for commonly used peripheral devices. The driver store is located in systemroot\System32\DriverStore. During hardware installation, if there is no appropriate driver either in the driver store or available from Windows Update, and the user does not have a device driver on removable media, then Windows 7 reports an unknown device.

Driver Signing
Because device drivers run with system-level privileges and can access anything on the computer, it is critical to trust device drivers that are installed. Trust, in this context, includes two main principles:
- Authenticity: a guarantee that the package came from its claimed source.
- Integrity: an assurance that the package is completely intact and was not modified after its release.

Digital signatures allow administrators and end users who are installing Windows-based software to know that a legitimate publisher is providing the software package. A digital signature is an electronic security mark that identifies the software's publisher, and Windows displays a message if someone changes the original contents of the driver package. If a publisher signs a driver, you can be confident that the driver comes from that publisher and has not been altered. A digital signature uses the organization's digital certificate to encrypt specific details about the package. The encrypted information in a digital signature includes a thumbprint for each file that the package includes. A special cryptographic algorithm, known as a hashing algorithm, generates the thumbprint. The algorithm generates a code that only the file's contents can create, and changing a single bit in the file changes the thumbprint. After the thumbprints are generated, the publisher combines them into a catalog and encrypts them. Microsoft uses digital signatures to indicate that a driver is certified for use with Windows 7. Windows 7 checks for a driver's digital signature during installation, and prompts the user if no signature is available. As the domain administrator, you should configure Group Policy to block the installation of device drivers that do not have a digital signature. The signature file is stored as a .cat file with the driver file. Use the Sigverif.exe tool to scan for unsigned drivers on a computer that runs Windows 7.


Disabling Device Drivers

If you have determined that the probable cause of a reported problem is with a device driver, you might find it necessary to disable that particular device driver. Windows 7 has several methods that you can use to disable device drivers.

Disabling Device Drivers Using Device Manager


You can disable a device driver through a graphical user interface (GUI) by using the Device Manager tool as follows.
1. Open Device Manager.
2. Right-click the device driver that you want to disable, and then click Disable.

The difference between disabling a device and uninstalling it is that when you disable a device, you are disabling only the drivers. The hardware configuration does not change, and the driver software is not removed from the computer as it would be if you uninstall the device.

Note If a device appears to have failed, and Device Manager displays a problem with the device, you can uninstall the device. Windows then detects the device, and installs the driver again. This may resolve the problem.

Disabling Device Drivers from a Command Prompt


You also can disable a device driver from a command prompt by using the DevCon command-line tool. For example, to disable all devices that have a hardware identifier that ends in MSLOOP, at a command prompt, type devcon disable *MSLOOP. You also can use DevCon to list devices with their status and associated hardware resources.


Disabling Device Drivers Remotely


You can use Remote Desktop to connect to a remote computer running Windows 7, and then use Device Manager or DevCon to disable a device driver the same way you would on a local computer.

Disabling Device Drivers in Safe Mode


When you start a computer in safe mode, only a minimal number of device drivers start, including:
- Drivers for CD-ROM or DVD-ROM
- Floppy disk
- Hard disk
- Keyboard
- Mouse
- Video Graphics Adapter (VGA) devices

Start the computer in Safe Mode if the failure of a device driver is preventing the operating system from starting. You then can troubleshoot the device driver, which might involve disabling the problem device before you attempt to restart the computer in Normal Mode.


Practice: Managing Device Drivers

In this practice, you will install a new driver, which then creates a problem with the computer's configuration. You will attempt to roll back the driver by shutting down the computer and accessing the Advanced Boot Options menu to select Last Known Good.

Instructions
For this practice, you will use the available virtual machine environment. Before you begin the practice, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   - User name: Administrator
   - Password: Pa$$w0rd
   - Domain: Contoso
5. Repeat steps 2 and 3 for 6293A-NYC-CL1.
6. Log on by using the following credentials:
   - User name: NYC-CL1\WSAdmin
   - Password: Pa$$w0rd


Detailed Steps

Task 1: Install a new device driver
1. Switch to NYC-CL1.
2. Click Start, right-click Computer, and then click Properties.
3. In System, click Device Manager.
4. In Device Manager, expand Keyboards, and then click Standard PS/2 Keyboard.
5. Right-click Standard PS/2 Keyboard, and then click Properties.
6. In the Standard PS/2 Keyboard Properties dialog box, click the Resources tab. You can see the IRQ and I/O Range that the device is using.
7. Click the Driver tab. You can see there is no option to roll back the driver.
8. Click Update Driver.
9. In the Update Driver Software Standard PS/2 Keyboard Wizard, click Browse my computer for driver software.
10. On the Browse for driver software on your computer page, click Let me pick from a list of device drivers on my computer.
11. On the Select the device driver you want to install for this hardware page, click Have Disk.
12. In the Install From Disk dialog box, in the Copy manufacturer's files from box, type D:\Labfiles\Mod04\keyboard driver\type32, and then click OK.
13. In the Model list, click Microsoft Keyboard Elite for Bluetooth (106/109) (IntelliType Pro), and then click Next.
14. In the Update Driver Warning dialog box, click Yes, and when prompted, click Close.
15. In the Microsoft Keyboard Elite for Bluetooth (106/109) (IntelliType Pro) dialog box, click Close.
16. In the System Settings Change dialog box, click Yes.

Task 2: Roll back the driver
1. After the computer restarts, attempt to log on with the following credentials:
   - User name: NYC-CL1\WSAdmin
   - Password: Pa$$w0rd
   You are not successful, and you cannot use the Ctrl+Alt+Delete keyboard shortcut because the driver is incompatible.
2. On your host, in the 6293A-NYC-CL1 on Localhost Virtual Machine Connection dialog box, on the Action menu, click Shut Down.
3. On your host, in the 6293A-NYC-CL1 on Localhost Virtual Machine Connection dialog box, on the Action menu, click Start.
4. While the computer is starting up, press F8 immediately to access the Advanced Boot Options menu.

Note You can use Last Known Good to roll back the driver. You also can use Safe Mode, and roll back the driver manually. Additionally, if you enable System Restore, you can use a restore point to roll back to a point-in-time prior to the driver update. In this instance, Safe Mode will be unsuccessful because the keyboard driver will still be used, which prevents you from logging on.

5. In the Advanced Boot Options menu, select Last Known Good Configuration (advanced), and then press Enter.
6. After the computer restarts, attempt to log on with the following credentials:
   - User name: NYC-CL1\WSAdmin
   - Password: Pa$$w0rd
7. Click Start, right-click Computer, and then click Properties.
8. In System, click Device Manager.
9. In Device Manager, expand Keyboards, and then click Standard PS/2 Keyboard.
10. Right-click Standard PS/2 Keyboard, and then click Properties.
11. In the Standard PS/2 Keyboard Properties dialog box, click the Driver tab. You can see there is no option to roll back the driver. This is because Last Known Good has rolled back the driver.

Note If you log on after restarting when you have installed or updated a driver, Last Known Good no longer is a viable option. This is because Last Known Good is overwritten with the CurrentControlSet during the logon process.

12. Click OK, and then close all open windows.

To prepare for the next practice


When you finish the practice, leave both virtual machines running.


Managing Unsigned Drivers

Device driver packages can include a digital signature. You should not allow anyone to install unsigned device drivers on computers that are running Windows 7. By default, only administrators can install unsigned device drivers. You can use Group Policy to prevent anyone else from installing unsigned drivers.

Driver Signatures
A device's hardware manufacturer typically provides a driver signature, but you also can use a Software Publishing Certificate (SPC), if your organization has one, to add your own digital signature to drivers that you have tested and that you trust. Unsigned device drivers could cause stability issues that you experience on a computer after installing a new hardware device. Identifying and removing unsigned device drivers is an essential step in the troubleshooting process.

Signature Verification Tool


Use the signature verification command-line tool (Sigverif) to locate unsigned device drivers in the system area of the Windows 7 computer. Sigverif writes the scan results to a log file that includes the system file, the signature file, and the publisher of the signature file. The log file shows any unsigned device drivers. To remove an unsigned device driver, do the following:
1. Run Sigverif to scan for unsigned drivers, and then review the resulting log file.
2. Create a temporary folder for unsigned driver storage.
3. Manually move any unsigned drivers from systemroot\System32\Drivers into the temporary folder.
4. Disable or uninstall the associated hardware device(s).
5. Restart the computer.


If this resolves the problem, then the unsigned driver most likely was causing the problem. You then should try to obtain a signed driver from the hardware vendor, or replace the hardware with a device that is compatible with Windows 7. You also can obtain a basic list of signed and unsigned device drivers from a command prompt by running the driverquery command with the /si switch.
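Both the Driver Signing topic and the procedure above come down to one question: which installed drivers have no verifiable signature? The following script is an added example, not part of the course material; it wraps the driverquery /si command just mentioned so the result can be filtered and compared with an earlier baseline. The column names and the sample report are assumptions modelled on that command's CSV output, and the function names are the example's own.

```powershell
# Added example, not part of the course material. Wraps "driverquery /si /fo csv"
# (the command described in the text) so the signing report becomes objects that
# can be filtered, exported and compared with an earlier baseline.
# Assumption: driverquery /si emits the columns DeviceName, InfName, IsSigned
# and Manufacturer, with IsSigned written as TRUE or FALSE.

function Get-DriverSigningReport {
    param(
        # Optional: lines saved earlier from "driverquery /si /fo csv" (for
        # example from another computer). When omitted, the live command runs.
        [string[]]$CsvLines
    )
    if (-not $CsvLines) {
        $CsvLines = driverquery.exe /si /fo csv
    }
    $CsvLines | ConvertFrom-Csv | ForEach-Object {
        New-Object PSObject -Property @{
            DeviceName   = $_.DeviceName
            InfName      = $_.InfName
            Manufacturer = $_.Manufacturer
            IsSigned     = ($_.IsSigned -eq 'TRUE')
        }
    }
}

function Get-UnsignedDrivers {
    param([string[]]$CsvLines)
    Get-DriverSigningReport -CsvLines $CsvLines | Where-Object { -not $_.IsSigned }
}

# Reports unsigned INF names that are not in a previously saved list, so a
# scheduled run flags newly appeared unsigned drivers instead of re-listing
# the ones already reviewed.
function Compare-UnsignedBaseline {
    param(
        [string[]]$BaselineInfNames,
        [string[]]$CsvLines
    )
    Get-UnsignedDrivers -CsvLines $CsvLines |
        Where-Object { $BaselineInfNames -notcontains $_.InfName }
}

# ---- Constructed sample report (not captured from a real computer) ----------
$sampleReport = @(
    '"DeviceName","InfName","IsSigned","Manufacturer"',
    '"Standard PS/2 Keyboard","keyboard.inf","TRUE","Microsoft"',
    '"Example Legacy Widget","oem7.inf","FALSE","Contoso (constructed)"',
    '"PS/2 Compatible Mouse","msmouse.inf","TRUE","Microsoft"'
)

# Unsigned entries in the sample report.
Get-UnsignedDrivers -CsvLines $sampleReport |
    Format-Table DeviceName, InfName, Manufacturer -AutoSize

# Unsigned entries that were not already reviewed.
$reviewed = @('oem7.inf')
Compare-UnsignedBaseline -BaselineInfNames $reviewed -CsvLines $sampleReport

# For a live check on this computer, omit -CsvLines and run from an elevated
# prompt. Treat the output as input to the Sigverif review and the quarantine
# procedure described in the text, not as a list to delete automatically.
```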


Extracting Device Drivers

When you install a device driver from an INF-based installation or from a setup application, the driver package is copied automatically into the package store. However, you also can extract device drivers manually by using the new Windows 7 Pnputil.exe tool. Pnputil.exe is an important troubleshooting tool that you can use to add driver packages, remove unnecessary or problem driver packages, and list all the driver packages that are in the driver store.

Manual Driver Extraction


Manually add a driver to the Windows 7 driver store with the Pnputil.exe tool by using the following procedure:
1. Obtain a digitally signed driver package.
2. Log on as Administrator, and then open a command prompt window.
3. Run pnputil.exe -a package_name.
4. Windows 7 checks the driver's integrity and digital signature, and then copies the driver into the driver store.

Note The Pnputil.exe tool only runs at a command prompt with elevated user rights. The tool cannot invoke the User Account Control dialog box.


Managing the Driver Store


Use the Pnputil.exe command-line tool to manage the driver store. You can use Pnputil.exe to both add and remove packages from the driver store, and to list third-party packages already in the store. Pnputil.exe performs the following tasks:
- Adds a driver to the driver store.
- Adds a driver to the driver store, and installs the driver in the same operation.
- Deletes a driver from the driver store.
- Lists all drivers in the driver store.

The following table shows the Pnputil.exe command-line syntax.

Command line: Details
- pnputil.exe -a d:\usbcam\USBCAM.inf: Add a package that USBCAM.inf specifies.
- pnputil.exe -a c:\drivers\*.inf: Add all packages in C:\drivers.
- pnputil.exe -i -a a:\usbcam\USBCAM.inf: Add and install a driver package.
- pnputil.exe -e: List all third-party packages.
- pnputil.exe -d oem0.inf: Delete package oem0.inf.
- pnputil.exe -f -d oem0.inf: Force deletion of package oem0.inf.
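The -e listing is plain text, so reviewing a store with many third-party packages by eye is error-prone. The following script is an added example, not part of the course material or of Pnputil.exe itself; it parses that listing into objects, flags packages with no signer name, and builds (but does not run) the matching -d commands from the table. The record layout and the sample text are assumptions modelled on the Windows 7 output, and the function names are the example's own.

```powershell
# Added example, not part of the course material. Parses the text that
# "pnputil.exe -e" prints into objects so the third-party packages in the
# driver store can be filtered by provider, class or signer before deciding
# which "pnputil.exe -d" commands to run.
# Assumption: each package is printed as "key : value" lines separated by a
# blank line, using the field names shown in the constructed sample below.

function ConvertFrom-PnputilEnum {
    param([Parameter(Mandatory=$true)][string[]]$Lines)

    $fieldMap = @{
        'Published name'          = 'PublishedName'
        'Driver package provider' = 'Provider'
        'Class'                   = 'Class'
        'Driver date and version' = 'DateVersion'
        'Signer name'             = 'Signer'
    }
    $record = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*$') {
            # A blank line ends a package record; the banner before the first
            # package produces no fields and is skipped.
            if ($record.Count -gt 0) { New-Object PSObject -Property $record; $record = @{} }
            continue
        }
        if ($line -match '^(?<key>[^:]+?)\s*:\s*(?<value>.*)$') {
            $key   = $matches['key']
            $value = $matches['value'].Trim()
            if ($fieldMap.ContainsKey($key)) { $record[$fieldMap[$key]] = $value }
        }
    }
    if ($record.Count -gt 0) { New-Object PSObject -Property $record }
}

# A package whose Signer name is blank or absent has no verifiable publisher.
function Get-UnsignedStorePackages {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    ConvertFrom-PnputilEnum -Lines $Lines | Where-Object { -not $_.Signer }
}

# Builds, but does not run, the removal command for each package passed in, so
# an administrator reviews the list first. -Force adds the -f switch from the
# table for packages that are still in use.
function Get-StoreRemovalCommands {
    param(
        [object[]]$Packages,
        [switch]$Force
    )
    foreach ($p in $Packages) {
        if ($Force) { "pnputil.exe -f -d $($p.PublishedName)" }
        else        { "pnputil.exe -d $($p.PublishedName)" }
    }
}

# ---- Constructed sample of "pnputil.exe -e" output (not a real capture) -----
$sampleEnum = @(
    'Microsoft PnP Utility',
    '',
    'Published name :            oem0.inf',
    'Driver package provider :   Microsoft',
    'Class :                     Mice and other pointing devices',
    'Driver date and version :   06/21/2006 6.1.7600.16385',
    'Signer name :               Microsoft Windows',
    '',
    'Published name :            oem1.inf',
    'Driver package provider :   Contoso (constructed)',
    'Class :                     Keyboards',
    'Driver date and version :   01/15/2010 1.0.0.1',
    ''
)

$packages = ConvertFrom-PnputilEnum -Lines $sampleEnum
$packages | Format-Table PublishedName, Provider, Class, Signer -AutoSize

# Packages without a signer, and the review list of commands to remove them.
$suspect = Get-UnsignedStorePackages -Lines $sampleEnum
Get-StoreRemovalCommands -Packages $suspect

# Live use, from an elevated prompt (Pnputil.exe does not raise the UAC dialog):
#   $live = ConvertFrom-PnputilEnum -Lines (pnputil.exe -e)
```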


Practice: Installing a Driver into the Driver Store

In this practice, you will install a driver into the driver store. This makes the driver available for standard users to install, if necessary. First, you will see that a standard user, Adam, lacks the permissions to install drivers. Next, you add the driver to the store.

Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and 6293A-NYC-CL1 should be running.

Detailed Steps

Task 1: Attempt to install a driver as a standard user
1. Log off NYC-CL1, and then log on with the following credentials:
   - User name: Adam
   - Password: Pa$$w0rd
   - Domain: Contoso
2. Click Start, and then click Computer.
3. In Computer, double-click Allfiles (D:), double-click Labfiles, double-click Mod04, double-click mouse driver, and then double-click point32.
4. Right-click point32 (the setup information file), and then click Install. You are prompted to provide administrator credentials.
5. Click No.


Task 2: Extract and install the driver into the driver store
1. Log off, and then log on with the following credentials:
   - User name: NYC-CL1\WSAdmin
   - Password: Pa$$w0rd
2. Click Start, and in the Search box, type cmd.exe, and then press Enter.
3. At the command prompt, type the following command, and then press Enter:
   D:
4. At the command prompt, type the following command, and then press Enter:
   cd \labfiles\mod04\mouse driver\
5. At the command prompt, type the following command, and then press Enter:
   pnputil -a point32\*.inf
6. At the command prompt, type the following command, and then press Enter:
   pnputil -e
7. You can see the newly installed driver.

Note A standard user now would plug in the hardware device. The driver would be available automatically. This is not possible within the virtual machine environment.

To prepare for the lab


When you finish the practice session, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps for 6293A-NYC-CL1.


Managing Legacy Device Drivers

If you have a hardware device that does not come with a Windows 7 driver, consider different factors before deciding to use a legacy device driver. Legacy drivers that were developed for previous Windows versions might not work in Windows 7, or they might cause interoperability problems with other devices.

Compatibility Issues
Obtain a device driver written specifically for Windows 7 to maximize the benefit of the architectural improvements. Otherwise, check with the hardware vendor to find out if there are known issues when using a driver designed for earlier Windows versions on a computer that is running Windows 7. Compatibility issues can include:
- Installation. The driver might not install in the same way as in previous Windows versions. For example, the user access protection feature may complicate the Windows 7 Finish-Install process.
- Loading. The driver might not load the same way as in previous Windows versions. For example, the 64-bit Windows 7 editions do not load unsigned drivers.
- Run time. The driver might not run the same way as in previous Windows versions. Run-time compatibility problems include a range of issues that can occur during run time. Some issues are quite serious, and others are relatively minor.
- Functionality. The driver runs, but its behavior might differ significantly from that in earlier Windows versions. For example, Network Driver Interface Specification (NDIS) 5.x drivers must go through a translation layer that reduces their performance. Similarly, display drivers for the Windows XP operating system, which are based on the display driver model of the Microsoft Windows 2000 Server operating system, may function in Windows 7. However, upon use, they may not display premium content such as HD-DVD video, and cannot support the Microsoft Windows Aero user experience.


Testing Issues
If you cannot obtain a device driver written for Windows 7, you can try a Windows Vista or Windows XP driver. Thoroughly test any driver not written specifically for Windows 7 prior to using it with Windows 7. Many driver-installation errors can occur when you use a device driver that was not developed specifically for Windows 7, particularly in the following categories:
- References and paths for .inf files.
- Access control list (ACL) restrictions.

The following table lists common installation error messages that you may encounter during testing.

Error: Problem
- 80070002 (ERROR_FILE_NOT_FOUND): The driver package .inf file references a file that is missing or does not exist.
- 80070003 (ERROR_PATH_NOT_FOUND): The driver package .inf file specifies a tag file path that is missing or does not exist.
- 80070005 (ERROR_ACCESS_DENIED): The driver package is in a location that has an ACL that is too restrictive.
- 800F0233 (SPAPI_E_INVALID_TARGET): The driver package has one or more incorrect tag file references in the .inf file.
- 8028006E (CMIeInfinvalidSourcePath): The driver package does not specify the correct path in the .inf file.


Demonstration: How to Use Group Policy to Manage Driver Installation

You can use Group Policy objects (GPO) to configure a number of settings that control installation of devices and device drivers. The following table identifies the relevant Group Policy settings. In Group Policy, under Computer Configuration, select Policies, Administrative Templates, System, Driver Installation.

Group Policy setting: Description
- Allow non-administrators to install drivers for these device setup classes: Enables users to install specified device drivers. You can determine the appropriate driver setup class by examining the .inf file that is provided as part of a device driver.
- Turn off Windows Update device driver search prompt: Determines whether the administrator is prompted to search Windows Update for drivers during device installation.

In Group Policy, under Computer Configuration, select Policies, Administrative Templates, System, Device Installation\Device Installation Restrictions.

Group Policy setting: Description
- Allow administrators to override Device Installation Restrictions policies: Enables members of the Administrators group to install or update drivers for devices, regardless of policy settings.
- Allow installation of devices using drivers that match these device setup classes: Enables the installation of devices that match the specified setup class GUIDs.
- Prevent installation of devices using drivers that match these device setup classes: Prevents the installation of devices that match the specified setup class GUIDs.
- Display a custom message when a policy setting prevents installation: Allows the administrator to define a customized message that displays when a policy setting prevents device installation.
- Display a custom message title when a policy setting prevents device installation: Allows the administrator to define a customized message title that displays when a policy setting prevents device installation.
- Allow installation of devices that match any of these device identifiers: Enables the installation of devices that match the device identifiers that you specify.
- Prevent installation of devices that match any of these device identifiers: Prevents the installation of devices that match the device identifiers that you specify.
- Time (in seconds) to force reboot when required for policy changes to take effect: Enables you to define the time that the computer waits to restart after a device installation.
- Prevent installation of removable devices: Enables you to prevent users from installing removable devices.
- Prevent installation of devices not described by other policy settings: Enables you to ensure that users cannot install any drivers, even if there are no policies restricting installation.

In this demonstration, you will see how to:
- Modify Group Policy settings to control device installation.

Demonstration Steps
1. Open Group Policy Management console.
2. Modify the Default Domain Policy with device installation restriction policy settings.
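The setup class policies in the table above, and the lab tasks later in this module that ask you to locate the GUID in an .inf file, both depend on the ClassGuid value in the [Version] section of the driver INF. The following script is an added example, not part of the course material; it extracts that value from INF text, normalises it into the brace-wrapped form the policy list accepts, and rejects INFs without a well-formed GUID. The INF text is constructed, the two GUIDs are the standard Keyboard and Mouse setup class GUIDs, and the function names are the example's own.

```powershell
# Added example, not part of the course material. Reads the [Version] section
# of driver .inf text and reports Class and ClassGuid, the value that the
# "Allow / Prevent installation of devices using drivers that match these
# device setup classes" policies take. The INF text below is constructed, and
# its two GUIDs are the standard Keyboard and Mouse setup class GUIDs.

function Get-InfSetupClass {
    param(
        [Parameter(Mandatory=$true)][string[]]$InfLines,
        [string]$Source = '<inline>'
    )
    $section = ''
    $class   = $null
    $guid    = $null
    foreach ($raw in $InfLines) {
        # Strip ";" comments and whitespace; skip empty lines.
        $line = ($raw -replace ';.*$', '').Trim()
        if ($line -eq '') { continue }
        if ($line -match '^\[(?<name>[^\]]+)\]$') { $section = $matches['name']; continue }
        if ($section -ne 'Version') { continue }
        # key = value, with optional quotes around the value.
        if ($line -match '^(?<key>\w+)\s*=\s*"?(?<value>[^"]*)"?\s*$') {
            $key   = $matches['key']
            $value = $matches['value'].Trim()
            switch ($key.ToLower()) {
                'class'     { $class = $value }
                'classguid' { $guid  = $value.ToUpper() }   # normalised for comparison
            }
        }
    }
    New-Object PSObject -Property @{
        Source    = $Source
        Class     = $class
        ClassGuid = $guid
        # Only a well-formed, brace-wrapped GUID can be entered in the policy list.
        IsValid   = ($guid -match '^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$')
    }
}

# Wrapper for files on disk, such as the lab's D:\Labfiles\Mod04\fax\faxca003.INF.
function Get-InfSetupClassFromFile {
    param([Parameter(Mandatory=$true)][string[]]$Path)
    foreach ($p in $Path) {
        Get-InfSetupClass -InfLines (Get-Content -Path $p) -Source $p
    }
}

# Distinct GUIDs from valid results, ready to paste into the setup class policy.
function Get-SetupClassGuidList {
    param([object[]]$Results)
    $Results | Where-Object { $_.IsValid } |
        ForEach-Object { $_.ClassGuid } | Sort-Object -Unique
}

# ---- Constructed sample INF text (modelled on a keyboard and a mouse INF) ---
$keyboardInf = @(
    '; Contoso (constructed) keyboard driver',
    '[Version]',
    'Signature="$WINDOWS NT$"',
    'Class=Keyboard',
    'ClassGuid={4D36E96B-E325-11CE-BFC1-08002BE10318}',
    'Provider=%Contoso%',
    'CatalogFile=sample.cat',
    '',
    '[Strings]',
    'Contoso="Contoso (constructed)"'
)
$mouseInf = @(
    '[Version]',
    'Signature="$WINDOWS NT$"',
    'Class=Mouse',
    'ClassGuid={4d36e96f-e325-11ce-bfc1-08002be10318}   ; lower case in the file',
    'CatalogFile=sample.cat'
)

$results = @(
    (Get-InfSetupClass -InfLines $keyboardInf -Source 'keyboard (constructed)'),
    (Get-InfSetupClass -InfLines $mouseInf    -Source 'mouse (constructed)')
)
$results | Format-Table Source, Class, ClassGuid, IsValid -AutoSize

# GUID list for an "Allow installation of devices using drivers that match
# these device setup classes" entry, as in the Research department GPO of the lab.
Get-SetupClassGuidList -Results $results

# For the lab files themselves, run on NYC-CL1:
#   Get-InfSetupClassFromFile -Path 'D:\Labfiles\Mod04\fax\faxca003.INF'
```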


Lab A: Resolving Hardware Device and Device Driver Issues

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   - User name: Administrator
   - Password: Pa$$w0rd
   - Domain: Contoso
5. Repeat steps 2 through 4 for 6293A-NYC-CL1.

Lab Scenario
The help desk has received a number of trouble tickets that relate to device driver installation. Your manager has asked you to determine why devices are causing so many issues, and to suggest a possible solution. You then must implement the solution within the network. For this project, you must complete the following tasks:
- Read the help-desk ticket.
- Resolve all hardware-related problems.
- Control device installation by using Group Policy.


Supporting Documentation

Charlotte Weiss

From: Ed Meadows [Ed@contoso.com]
Sent: 13 Feb 2011 09:13
To: Charlotte@contoso.com
Subject: Re: Device-related problems
Attachments: Incident Reports

Charlotte,

Here it is. Let me know if you need anything else.

Kind regards,
Ed

----- Original Message -----
From: Charlotte Weiss [Charlotte@contoso.com]
Sent: 12 Feb 2011 17:01
To: Ed@contoso.com
Subject: Device-related problems

Ed,

Have you got that incident report you promised me at the management meeting recently? I want to get the EDSTs to take a look at it, check out the problem, and then figure out why we've been getting so many issues.

Charlotte


Exercise 1: Resolving Hardware Issues


Scenario
In this exercise, you will resolve the reported hardware problem that Tier 1 help-desk staff could not resolve. The main tasks for this exercise are:
1. Read the help-desk Incident Record for Incident 602101.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 602101
Date of Call: March 1
Time of Call: 10:03
User: Bobby Moore (Production Department)
Status: OPEN

Incident Details
User reports that his computer mouse is nonfunctional.

Additional Information
User reports that he attempted to install a new mouse, but abandoned the installation midway through the process. I attended the user's computer and was unable to resolve the problem, as the mouse was totally nonfunctional. System Restore unavailable as currently disabled.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 602101


Read the help-desk Incident Record for Incident 602101.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.


Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.
2. Run the D:\Labfiles\Mod04\Scenario1.vbs script.
3. Wait while the NYC-CL1 computer restarts.

Task 4: Attempt to resolve the problem


Note It is easier to use the keyboard in a virtual machine if you switch to full-screen mode. To do this, on your host computer, press Ctrl+Alt+Break. If you are unsure, ask your instructor for assistance.

1. Using your knowledge of the devices and drivers, and the troubleshooting tools available for devices and drivers, attempt to resolve the problem.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines before proceeding to the next exercise.

4. If necessary, revert your virtual machines by using the following procedure:
   - On the host computer, start Hyper-V Manager.
   - Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   - In the Revert Virtual Machine dialog box, click Revert.
   - Repeat these steps for 6293A-NYC-CL1.
   - In Hyper-V Manager, click 6293A-NYC-DC1.
   - In the Actions pane, click Start.
   - In the Actions pane, click Connect. Wait until the virtual machine starts.
   - Repeat these steps for 6293A-NYC-CL1.

Results: At the end of this exercise, you will have resolved the hardware problem.


Exercise 2: Configuring Group Policy to Control Device Installation (Optional)


Scenario
Users in the Research department need to be able to install specific device types to complete their research projects. However, it is important that users in other departments install only printer drivers. In this exercise, you will configure Group Policy to facilitate these requirements. The main tasks for this exercise are:
1. Read the email from Ed Meadows.
2. Configure the administrators setting.
3. Configure the ability for users to install printer devices.
4. Configure the Research Department device settings.

Supporting Documentation

Charlotte Weiss

From: Ed Meadows [Ed@contoso.com]
Sent: 5 March 2011 10.20
To: Charlotte@contoso.com
Subject: GPO changes

Charlotte,

Can you update the Group Policy to support the following requirements? The Tier 3 guys are overloaded at the moment, so although I realize this is out of scope for you, it would be a real help.
- Research department needs to be able to install devices for setup class Mouse, Keyboard, and Printer.
- All other departments must be restricted to install only printers.
- I want to be sure that drivers not defined by any other policy are restricted.
- Administrators are not to be affected by any restrictions.

Thanks,
Ed

Task 1: Read the email from Ed Meadows


1. 2. 3. Read the email in the Supporting Documentation section. Determine a Plan of Action. Answer the questions in the GPO planning document.

4-66

Troubleshooting and Supporting Windows 7 in the Enterprise

4.

If necessary, discuss your plans with the class. GPO Planning Document Reference: CW050511/1 Date March 5

Details Update GPO settings to: Restrict all users to be able to install printer drivers only Enable Research Department users to install Printers, Mice, and Keyboard device drivers Do not restrict administrators from installing any drivers Additional Information Use as few GPOs as possible

Plan of Action
1. How many GPOs do you envision using?
2. To which containers will you link these GPOs?
3. How do you plan to configure the restriction for all users?
4. How will you accommodate the requirement to support the Research Department's needs?
5. How will you accommodate the administrator requirement?

Task 2: Configure the administrators setting


Note: Some of the tasks that you perform to complete this exercise may not typically be the responsibility of Tier 2 support staff. However, it is useful to see the completed scenario. In production, settings like these belong in a dedicated, documented GPO rather than in the Default Domain Policy; the lab edits the Default Domain Policy only to keep the number of GPOs small.

1. Switch to NYC-DC1.
2. Open Group Policy Management, and then open the Default Domain Policy for editing.
3. Modify the following settings in accordance with your action plan:
   - Under Computer Configuration, expand Policies, Administrative Templates, System, Device Installation, and then click Device Installation Restrictions.
   - Enable: Allow administrators to override Device Installation Restriction policies. This exempts members of the local Administrators group from every restriction configured in this node, which satisfies Ed's last requirement.


Task 3: Configure the ability for users to install printer devices


1. In the same Device Installation Restrictions node, enable and configure: Allow installation of devices using drivers that match these device setup classes. Locate the printer class GUID in the faxca003.INF file in the D:\Labfiles\Mod04\fax folder on NYC-CL1 (it is the ClassGuid value in the INF's [Version] section).
2. Also enable: Prevent installation of devices not described by other policy settings. An allow list on its own blocks nothing; this setting is what makes the policy deny-by-default, so that, as Ed asked, drivers not covered by any other policy are restricted. The administrator override from Task 2 still exempts members of the local Administrators group.

Hint Map a network drive from NYC-DC1 to \\NYC-CL1\d$\ so that you can copy and paste GUIDs into the GPO.

Task 4: Configure the device settings for the Research Department


1. Create and link a new GPO to the Research organizational unit (OU). Give the new GPO the name GPO Research Department device settings.
2. Configure the settings for this new GPO:
   - Open GPO Research Department device settings for editing.
   - In Group Policy Management Editor, under Computer Configuration, expand Policies, Administrative Templates, System, Device Installation, and then click Device Installation Restrictions.
   - Enable and configure: Allow installation of devices using drivers that match these device setup classes. Locate the keyboard and mouse class GUIDs in the type32.INF and point32.INF files in the relevant subfolders in the D:\Labfiles\Mod04\ folder on NYC-CL1.
   - Add the printer class GUID from Task 3 to this list as well. Group Policy does not merge the class list across GPOs: the GPO linked to the Research OU replaces the list from the Default Domain Policy, so a Research GPO that names only keyboards and mice would take printers away from the Research department. The deny-by-default and administrator-override settings are separate policies and continue to apply from the Default Domain Policy.
3. Close all open windows.

Note Due to restrictions within the virtual machine environment, you cannot properly test these restrictions.
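The lab cannot exercise the restrictions inside the virtual machines, but the effect of the policy can still be checked. The following PowerShell script is an added example and is not part of the 6293A lab materials. It reads the device setup class GUID out of an INF file (the ClassGuid line in the [Version] section) and then writes, or reads back, the registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions that the three Device Installation Restrictions settings used in this exercise map to. The INF folder names for the keyboard and mouse drivers are assumptions, since the lab names only the fax folder; writing to HKLM needs an elevated prompt, and on a domain member the next Group Policy refresh overwrites these values with whatever the GPO says, which is exactly what Get-DeviceInstallRestriction is there to show.

```powershell
# Added example, not part of the 6293A lab. Requires an elevated PowerShell prompt to write HKLM.

function Get-InfClassGuid {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Every INF carries ClassGuid={...} in its [Version] section; take the first match.
    $hit = Select-String -Path $Path -Pattern '^\s*ClassGuid\s*=\s*(\{[0-9A-Fa-f\-]{36}\})' |
           Select-Object -First 1
    if (-not $hit) { throw "No ClassGuid line found in $Path" }
    return $hit.Matches[0].Groups[1].Value.ToUpper()
}

# Registry locations written by the Device Installation Restrictions policies (DeviceInstallation.admx).
$base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$allow = "$base\AllowDeviceClasses"

function Set-DeviceInstallRestriction {
    param([string[]]$AllowedClassGuids, [switch]$DenyUnspecified, [switch]$AllowAdminOverride)
    foreach ($key in @($base, $allow)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # The allow list is a set of string values named 1, 2, 3, ... Clear stale entries first;
    # a GPO does the same, which is why a closer GPO replaces the list instead of merging it.
    foreach ($name in (Get-Item $allow).Property) { Remove-ItemProperty -Path $allow -Name $name }
    $i = 1
    foreach ($guid in ($AllowedClassGuids | Sort-Object -Unique)) {
        New-ItemProperty -Path $allow -Name $i -Value $guid -PropertyType String -Force | Out-Null
        $i++
    }
    # Policy switches: allow-by-class on, deny everything not matched, Administrators may override.
    New-ItemProperty -Path $base -Name AllowDeviceClasses -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $base -Name DenyUnspecified   -Value ([int][bool]$DenyUnspecified)   -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $base -Name AllowAdminInstall -Value ([int][bool]$AllowAdminOverride) -PropertyType DWord -Force | Out-Null
}

function Get-DeviceInstallRestriction {
    # Read back what is in force; after gpupdate /force on a domain member this is what the GPO set.
    if (-not (Test-Path $base)) { return 'No Device Installation Restrictions policy is applied.' }
    $p = Get-ItemProperty $base
    $classes = @()
    if (Test-Path $allow) {
        $classes = (Get-Item $allow).Property | ForEach-Object { (Get-ItemProperty $allow).$_ }
    }
    New-Object PSObject -Property @{
        DenyUnspecified   = [bool]$p.DenyUnspecified
        AdminOverride     = [bool]$p.AllowAdminInstall
        AllowedClassGuids = $classes
    }
}

# Assumed subfolder names for the keyboard and mouse INFs; the lab names only the fax folder.
$printer  = Get-InfClassGuid 'D:\Labfiles\Mod04\fax\faxca003.INF'
$keyboard = Get-InfClassGuid 'D:\Labfiles\Mod04\keyboard\type32.INF'
$mouse    = Get-InfClassGuid 'D:\Labfiles\Mod04\mouse\point32.INF'

# All departments except Research (Default Domain Policy in the lab): printers only, rest denied.
Set-DeviceInstallRestriction -AllowedClassGuids @($printer) -DenyUnspecified -AllowAdminOverride
# Research OU: the list replaces the domain one, so it has to repeat the printer class.
# Set-DeviceInstallRestriction -AllowedClassGuids @($printer, $keyboard, $mouse) -DenyUnspecified -AllowAdminOverride
Get-DeviceInstallRestriction
```

Run Get-DeviceInstallRestriction on NYC-CL1 after gpupdate /force to confirm that the domain GPO produced DenyUnspecified = True, AdminOverride = True and a one-entry class list, and again on a computer in the Research OU to confirm the three-entry list.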

Results: At the end of this exercise, you will have planned and implemented GPOs to support the device installation requirements.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1.


Lab B: Troubleshooting Performance-Related Issues (Optional)

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 through 4 for 6293A-NYC-CL1.

Lab Scenario
A user reports performance-related problems with his computer. The help desk is unable to determine the problem. You must investigate to ascertain which computer component the problem is affecting, and then make recommendations about a solution or mitigation. For this project, you must complete the following tasks:
- Read the help-desk tickets.
- Plan a course of action.


- Attempt resolution of the problems.
- Document successful resolutions.

Incident Record
Incident Reference Number: 604121
Date of Call: July 27
Time of Call: 10:41
User: Dylan Miller (Research Department)
Status: OPEN

Incident Details
Dylan contacted the help desk reporting problems with his computer. It has been running slowly, and activities that used to take a few seconds are taking much longer.

Additional Information
We must determine which components are affected in Dylan's computer, and then make recommendations about how to solve or mitigate these performance bottlenecks.

Plan of Action

Resolution


Exercise: Troubleshooting a Performance Problem


Scenario
In this exercise, you will establish a baseline for performance, and then compare the problematic computer against the data to help determine what component the performance problem is affecting. The main tasks for this exercise are:
1. Establish a performance baseline.
2. View the baseline report.
3. Read the help-desk Incident Record for Incident 604121.
4. Update the Plan of Action section of the Incident Record.
5. Create load on the computer.
6. Identify performance bottlenecks in the computer.

Task 1: Establish a performance baseline


1. Switch to NYC-CL1.
2. Open Performance Monitor.
3. Create a user-defined Data Collector Set with the following properties:
   Name: Contoso Baseline
   Create manually (Advanced)
   Performance counter
   Sample interval: 1 second
   Counters to include:
   - Memory > Pages/sec
   - Network Interface > Packets/sec
   - Physical Disk > % Disk Time
   - Physical Disk > Avg. Disk Queue Length
   - Processor > % Processor Time
   - System > Processor Queue Length
4. Start the Data Collector Set.
5. Open Microsoft Office Word 2007.
6. Open Microsoft Office Excel 2007 and Microsoft Office PowerPoint 2007.
7. Close all Office applications, and in Performance Monitor, stop the Contoso Baseline data collector set.

Task 2: View the baseline report


1. In Performance Monitor, locate Reports > User Defined > Contoso Baseline.
2. Click the report that has a name that begins with NYC-CL1_.

3. View the data as a report.
4. Record the component details in the following table.

Recorded component usage
Memory: Pages per second
Network Interface: Packets per second
Physical Disk: % Disk Time
Physical Disk: Avg. Disk Queue Length
Processor: % Processor Time
System: Processor Queue Length

Task 3: Read the help-desk Incident Record for Incident 604121


Read the help-desk Incident Record for Incident 604121.

Task 4: Update the Plan of Action section of the Incident Record


Update the Plan of Action section of the Incident Record with your recommendations.

Task 5: Create load on the computer


1. Switch to the NYC-CL1 computer.
2. Switch to Performance Monitor. In the navigation pane, right-click Contoso Baseline, and then click Start.
3. Run the D:\Labfiles\Mod04\Scenario2.vbs script.

Task 6: Identify performance bottlenecks in the computer


1. Open Resource Monitor.
2. Which components are under strain?
3. After a few minutes, close the two instances of C:\Windows\System32\cmd.exe launched by the script.
4. Switch to Performance Monitor, and stop the Contoso Baseline data collector set.
5. In Performance Monitor, locate Reports > User Defined > Contoso Baseline.
6. Click the second report that has a name that begins with NYC-CL1_.
7. View the data as a report.

8. Record the component details in the following table.

Recorded component usage
Memory: Pages per second
Network Interface: Packets per second
Physical Disk: % Disk Time
Physical Disk: Avg. Disk Queue Length
Processor: % Processor Time
System: Processor Queue Length

9. In your opinion, which components are the most seriously affected?
10. Complete the Resolution section of the incident record with your recommendations. If asked to do so, discuss your results with the class.

Results: At the end of this exercise, you will determine the components affected on the user's computer, and then discuss solutions and mitigations with the class.
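The same baseline-versus-load comparison can be scripted, which is useful when you need to repeat it on several computers or leave it running unattended. The following PowerShell script is an added example, not part of the lab: it samples the six counters that the Contoso Baseline Data Collector Set collects with Get-Counter (built into the PowerShell 2.0 that ships with Windows 7), averages them once before and once during the load, and prints the ratio for each counter. The thresholds in Compare-ToBaseline are widely quoted rules of thumb, not values from the course; treat a counter that exceeds one as a lead to investigate, not a verdict.

```powershell
# Added example, not part of the 6293A lab. Run on the client under investigation (NYC-CL1).

$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

function Get-CounterAverages {
    param([string[]]$Paths, [int]$Seconds = 30)
    # One sample per second for $Seconds seconds, averaged per counter. Instances of a
    # wildcard path (every network interface) are summed into one figure first.
    $samples = @(Get-Counter -Counter $Paths -SampleInterval 1 -MaxSamples $Seconds)
    $totals = @{}
    foreach ($set in $samples) {
        foreach ($s in $set.CounterSamples) {
            # Strip the \\machine prefix and the (instance) part so keys match the threshold table.
            $name = ($s.Path -replace '^\\\\[^\\]+', '') -replace '\([^)]*\)', ''
            if (-not $totals.ContainsKey($name)) { $totals[$name] = 0.0 }
            $totals[$name] += $s.CookedValue
        }
    }
    $avg = @{}
    foreach ($k in $totals.Keys) { $avg[$k] = $totals[$k] / $samples.Count }
    return $avg
}

function Compare-ToBaseline {
    param([hashtable]$Baseline, [hashtable]$Loaded)
    # Rule-of-thumb ceilings (assumed, not from the course); PowerShell hashtable keys are
    # case-insensitive, so they match the lower-case names Get-Counter returns.
    $threshold = @{
        '\Memory\Pages/sec'                    = 20
        '\PhysicalDisk\% Disk Time'            = 50
        '\PhysicalDisk\Avg. Disk Queue Length' = 2
        '\Processor\% Processor Time'          = 80
        '\System\Processor Queue Length'       = 2
    }
    foreach ($k in ($Loaded.Keys | Sort-Object)) {
        $b = $Baseline[$k]; $l = $Loaded[$k]
        $ratio = if ($b -gt 0) { $l / $b } else { [double]::PositiveInfinity }
        $flag  = if ($threshold.ContainsKey($k) -and $l -gt $threshold[$k]) { 'OVER THRESHOLD' } else { '' }
        '{0,-42} baseline {1,9:N2}  loaded {2,9:N2}  x{3,6:N1} {4}' -f $k, $b, $l, $ratio, $flag
    }
}

# Baseline: idle, or with the Office applications open as in Task 1.
$baseline = Get-CounterAverages -Paths $counters -Seconds 30
Write-Host 'Start the load now (the lab runs D:\Labfiles\Mod04\Scenario2.vbs); sampling again in 10 s.'
Start-Sleep -Seconds 10
$loaded = Get-CounterAverages -Paths $counters -Seconds 30
Compare-ToBaseline -Baseline $baseline -Loaded $loaded
```

Because the script keeps only averages, a short burst can hide inside a 30-second window; lengthen the sampling period, or keep the Data Collector Set log as well, when the complaint is about intermittent slowness.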

To revert the virtual machines


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1.


Module Review and Takeaways

Review Questions
1. If you do not configure device restrictions in GPOs, what security risks do USB removable storage devices pose?
2. What two methods can you use to restrict specific device installation through GPO?
3. Users are complaining that when they visit customer sites, they are unable to connect to their customers' printers because of device-installation restrictions. What two possible actions could you take?
4. Users on the help desk have tried to install a new driver for a user in the marketing department to enable them to use their new scanner. The driver is not part of the driver store and Group Policy prohibits installation of additional drivers. What GPO setting would you recommend changing in order to enable the installation of this driver?
5. You decide to install this driver into the driver store. Assuming the driver is in the D:\scanner folder and the driver INF file is called Scanner.inf, what command would you use?
6. Your user complains of poor performance. You discover that the disk component is bottlenecked. Before you rush out and purchase faster disks, what should you check?
7. After you complete your check, what else could you do to improve the disk throughput on your user's computer?
8. You need to view the application log on another computer without visiting that computer. How could you do this?


Tools
Tool                  Use for                                                      Where to find it
Sigverif.exe          Verify device driver signatures                              Command line
Driverquery.exe       Manage device drivers from the command prompt                Command line
Pnputil.exe           Extract, install, and manage drivers in the driver store     Command line
Resource Monitor      View current performance data and activity                   Start menu
Performance Monitor   View both current and historical performance-related data    Start menu


Module 5
Troubleshooting Network Connectivity Issues
Contents:
Lesson 1: Determining Network Settings  5-3
Lesson 2: Troubleshooting Network Connectivity Issues  5-9
Lab: Troubleshooting Network Connectivity Issues  5-35


Module Overview

Configuring network settings is a common administrative task that, in many organizations, can account for a significant percentage of the overall administrative effort. The Windows 7 operating system includes several tools that can help you set up and troubleshoot both wired and wireless network connections more efficiently. To support your organizations network infrastructure, it is important that you understand how to configure and troubleshoot network connections.

Objectives
After completing this module, you will be able to:
- Determine the network configuration of client computers.
- Troubleshoot network connections.


Lesson 1

Determining Network Settings

The network architecture in Windows 7 simplifies network management and the configuration of network connections. By learning about this architecture, and the tools that Windows 7 provides for troubleshooting network connections, you will be better prepared to configure network clients and support your users.

Objectives
After completing this lesson, you will be able to:
- Describe the new network components in Windows 7.
- Explain how Windows 7 determines network topology.


Networking Components of Windows 7

Windows 7 includes several new tools for creating, managing, and troubleshooting both wired and wireless network connections.

Network and Sharing Center


The Network and Sharing Center is the main user interface for the management of network connections. The Network and Sharing Center provides a clear view of the status for any wired or wireless connection. It includes a network map feature that shows a topological diagram of the local network and any other connected networks. You also can launch Network Explorer to help you find and browse network resources easily.

Network Location Categories


A network location category classifies a network connection so that you can configure network security through Windows Firewall. The operating system groups connections into the Public, Private, or Domain category, and automatically configures firewall and file-sharing settings based on that category:

- The Public category is the default network location type when the computer is not connected to a domain. Public category settings are the most restrictive, and help protect the computer when you connect it to an untrustworthy network. For example, all types of file and printer sharing are turned off in the Public category. Use the Public category for networks that have direct connections to the Internet or that allow unmanaged clients to connect, such as wireless hot spot networks.

Note Windows 7, by default, initially assigns the Public category to all network connections.


- The Private category applies only if a user with local Administrator rights manually assigns it to a network that was previously set to Public. Use the Private network location category only for a trusted network that the public cannot directly access. A local administrator must assign this category, and Windows remembers the assignment the next time you connect to the network. Windows describes the Private network location category in one of two ways:
  - Home network. If all computers connected to the network are at your home, select the Home network location.
  - Work network. If all computers connected to the network are at your workplace, select the Work network location.

- The Domain category applies when a computer that is running Windows 7 connects to a network, and then authenticates to a domain controller that is in the computer's domain.

Windows 7 is capable of assigning a separate network location category to each connected network interface. For example, if you connect your computer to your corporate network by using a virtual private network (VPN) that you initiate from a Wi-Fi hot spot, such as a coffee shop, then Windows 7 assigns two network location categories: private for the corporate VPN and public for the Wi-Fi hot spot.

Note By default, on computers that are not joined to a domain, changing the network location requires administrative privileges. By default, on domain-joined computers, changing the network location does not require administrative privileges.

Network Setup Wizard


Windows 7 provides a user-friendly interface called the Network Setup Wizard to help you configure network settings. Windows 7 recognizes any unconfigured network devices on the computer, and then automates the process of adding and configuring them. The Network Setup Wizard also recognizes any wireless networks in range of the computer, and makes the process of configuring them simple and intuitive. You can save network settings to a universal serial bus (USB) flash drive for use when configuring additional computers. Saving network settings to a USB device makes configuring similar new computers and devices quick and easy. You also can use the Network Setup Wizard to enable sharing documents, photos, music, and other files across your network.

NDF
The NDF (Network Diagnostics Framework) provides a single, unified set of technologies to assist in troubleshooting and diagnosing network problems. By using the NDF, you can diagnose and repair network problems in the context of the application that experienced the problem. Additionally, with NDF, users can diagnose and attempt to resolve their own issues automatically before they call the help desk. The NDF can help reduce the total cost of ownership and the volume of calls to the help desk.


Network Map
Network Map displays a topological map of the local network and any connected networks. Network Map makes it easy to see the connections between devices on your network by clearly differentiating between wired and wireless connections. It helps optimize the network for best performance, and is extremely useful in troubleshooting network problems, because it displays a real-time view of the connections that are available to your computer.

Network Explorer
Network Explorer displays a view of all of the computers, devices, and printers on the network. You can customize the icons for various network devices, if the manufacturer allows customization. Use Network Explorer to perform limited remote computer management, such as adjusting settings or controlling music playback.


How Windows 7 Discovers Network Topology

Windows 7 computers use the new Network Discovery feature to generate accurate network topologies with Network Map. During the troubleshooting process, Network Map enables you to view the real-time status of any wired or wireless network connections.

Network Discovery
A computer running Windows 7 uses Network Discovery to find other computers and devices on the network. The first time you connect to a network, use the Set Network Location dialog box to classify the type of network to which you are connected. After you classify the network location category, Windows 7 activates the appropriate security settings.

Note You can turn Network Discovery on or off from within the Advanced sharing settings from the Network and Sharing Center.

Link Layer Topology Discovery


Network Discovery uses Link Layer Topology Discovery (LLTD), which works with both wired and wireless connections. By using Network Discovery and file sharing, a computer that is running Windows 7 can discover and access files and shared devices on other networked, LLTD-capable devices. Network Discovery and file sharing also allow other networked, LLTD-capable devices to discover your computer, and to access files and shared devices on it. Windows 7 supports LLTD through the Link-Layer Topology Discovery Mapper service together with two protocol components bound to each network adapter: the Link-Layer Topology Discovery Responder, which enables your computer to be located on the network, and the Link-Layer Topology Discovery Mapper I/O Driver, which discovers and locates other computers and devices on the network. On a network assigned the Public category, Network Discovery is off by default, so the computer neither answers LLTD queries nor builds a network map there; that is the intended behavior on untrusted networks, not a fault.


Windows 7 supports automatic discovery of LLTD-capable devices. In combination with Universal Plug and Play (UPnP) support, Windows 7 classifies the device capabilities, uses a unique embedded icon to represent the device, and accurately positions it on the network map. UPnP-certified devices automatically connect to each other over the network without the need for user configuration or centralized servers.

Note Not all hardware devices support LLTD. Check with the vendor for updated firmware releases that include LLTD support. Network Map relies on LLTD to build the network topology, and it only displays LLTD-capable devices. You can access a devices properties by right-clicking its icon in Network Map. The device properties include additional support information for the device, such as a link to the manufacturers website. You can also see the media access control (MAC) address, IP address, and device serial number. Double-click a device icon in Network Map to open the devices presentation URL, or to open the devices embedded administration webpage.


Lesson 2

Troubleshooting Network Connectivity Issues

To support the users in your organization, it is important that you know what tools Windows 7 provides to help you troubleshoot network connections. Additionally, understanding the correct procedure with which to tackle common network problems will help you resolve them more quickly.

Objectives
After completing this lesson, you will be able to:
- Explain the role of Windows Network Diagnostics.
- Apply best practices for troubleshooting wired network configurations.
- Apply best practices for troubleshooting wireless network configurations.
- Identify issues related to IP version 4 (IPv4) configurations.
- Describe how to resolve IPv4 network problems by using a troubleshooting process.
- Describe host name resolution.
- Describe troubleshooting Domain Name System (DNS).
- Apply the considerations for issues related to IP version 6 (IPv6).
- Describe how to perform advanced network reporting.
- Use the Problem Steps Recorder.


Windows Network Diagnostics

Windows Network Diagnostics is an NDF tool that you activate when you encounter a network error. The NDF is the common troubleshooting architecture in Windows 7. End users can use Windows Network Diagnostics to diagnose and troubleshoot an issue before they call their organization's help desk. The following are some examples of events that Windows Network Diagnostics can detect:
- Incorrect TCP/IP address information.
- Mismatched workgroup settings.
- Incorrect Windows Firewall settings.
- Incorrect network hardware configuration.

You can use one or more of the options in Windows Network Diagnostics to diagnose and repair network connection issues. Additionally, Windows Network Diagnostics supports rich, detailed logging to the event log, so that you can diagnose network connection issues easily. This reduces support costs and helps minimize user downtime by decreasing the time necessary to fix a network problem.

Windows Network Diagnostics Process


Windows Network Diagnostics uses the following process when it tries to determine a problem's root cause in Windows 7:
1. An application or system component reports a problem with a TCP/IP connection. The user receives both an error message and a prompt to start Windows Network Diagnostics.
2. Windows Network Diagnostics passes the problem parameters to the Network Diagnostics engine. The engine activates helper classes to try to determine the problem's cause, and then displays a list of descriptions of possible causes and repair options. If there is only one repair option, the engine runs the suggested repair.
3. If there are multiple repair options, the user selects an option, and the engine requests the appropriate helper class to perform the repair.
4. Windows Network Diagnostics reactivates helper classes to determine whether the cause of the problem is still present. If the problem is resolved, Windows Network Diagnostics displays a message noting that the problem is fixed.
5. If the problem is not resolved, Windows Network Diagnostics prompts the user to select other repair options, if available. If no other repair options are available, the engine reactivates helper classes to try to determine the problem's cause again.

You can access Windows Network Diagnostics manually from the Action Center. In Action Center, click Troubleshooting, and then click Network and Internet. You can then choose from the following network troubleshooting tests:
- Internet Connections
- Shared Folders
- HomeGroup
- Network Adapter
- Incoming Connections
- Connection to a Workplace Using DirectAccess


Troubleshooting Wired Networks

Determine the Scope of the Problem


Additional information about the problem helps you resolve network connection issues. If you are troubleshooting a wired network connection, ask yourself the following questions:
- How many users is the problem affecting? If the problem is affecting several users, this suggests a server-side or network infrastructure problem rather than a client-side networking problem.
- Is the problem persistent for the users that are affected? Intermittent problems can be more difficult to reproduce and troubleshoot.
- Does removing a problematic computer from the network solve the problem for other users? The computer that you remove from the network may be generating a fault on the network.

Determine TCP/IP Configuration


Determining the Windows 7 computer's TCP/IP configuration also can help you troubleshoot a network problem. You can determine the TCP/IP configuration in three ways:
- From Network and Sharing Center, select Change adapter settings, display the network connection properties, select either Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4 (TCP/IPv4), as required, and then view the protocol properties.
- Open a command prompt and type the IPConfig /all command to view the IPv4 and IPv6 address configurations. Use the following command to save the IPv4 and IPv6 configuration information as a text file for future reference:
IPConfig /all >c:\IPConfig.txt

This command creates a text file in the root of drive C that contains the IPConfig command output.


- Use the Netsh command to display specific configuration information. For example, to display the TCP/IP configuration for IPv4 only, type the following command:
netsh interface ipv4 show config

You also can use the Netsh command to display specific IPv6 configuration information:
netsh interface ipv6 show addresses

Determine the Network Hardware Configuration


The last step in gathering information to help troubleshoot a connection problem with a wired network is to determine your connection's properties. To do this, you must verify that the computer that is running Windows 7 has a valid IP address for the local network segment. Determine your wired network adapter properties by using Device Manager. To determine the hardware configuration for the computer's network adapter, including the make and model, follow these steps:
1. From Control Panel, open Device Manager, expand Network adapters, and then view the installed network adapter's properties.
2. Click the Details tab to view the Device description property value. This value displays the network adapter make and model.
3. From the Advanced tab, in the Property list, click a property to view or edit its value.

To view information about the driver used for the network adapter, follow these steps:
1. In the wired network card properties, click the Driver tab.
2. Click Driver Details to view the full path to the driver file.
3. Update or roll back the driver, as necessary.


Troubleshooting Wireless Networks

Use the NDF


Use the Network Diagnostics Framework (NDF) to troubleshoot wireless connections. If a wireless connection is unsuccessful, start Windows Network Diagnostics to diagnose the problem and display a list of possible fixes.

Review Authentication and Encryption Configuration


Windows 7 simplifies the process of configuring and troubleshooting wireless networks. The most common issues affecting wireless network configuration are mismatches between the client and the access point or authenticator with regards to authentication and encryption settings.

Note: An authenticator is an authentication service that the access point uses to perform the wireless authentication and encryption.

A configuration mismatch in the authentication and encryption settings between the client and the wireless access point can lead to problems with wireless connections. Windows 7 includes support for Wi-Fi Protected Access 2 (WPA2) encryption, which allows for more secure wireless connections. You should take advantage of WPA2 by upgrading your wireless access points to support WPA2.


The following table summarizes the wireless authentication and encryption standards that are available in Windows 7.

Security type              Authentication                                                        Encryption
Open                       No authentication (open)                                              No encryption
Shared (not recommended)   WEP shared key                                                        Wired Equivalent Privacy (WEP)
WPA-Personal               WPA with a pre-shared key (also known as a pass phrase); no 802.1X    Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES)
WPA-Enterprise             WPA with Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication    TKIP or AES
WPA2-Personal              WPA2 with a pre-shared key; no 802.1X                                 TKIP or AES
WPA2-Enterprise            WPA2 with IEEE 802.1X authentication                                  TKIP or AES
802.1X                     IEEE 802.1X authentication                                            WEP or Dynamic WEP

Of these, only WPA2 with AES is considered adequate today: WEP (static or dynamic) and TKIP are deprecated, and an Open or Shared network offers no real authentication. A client profile that still specifies them should be corrected rather than matched at the access point.

Configure wireless network connections manually or by using Group Policy. To determine the wireless network settings, either review the wireless network connection settings or examine the Group Policy settings. To view or configure wireless network Group Policy settings, open Group Policy Management, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then select Wireless Network (IEEE 802.11) Policies. You can create or edit wireless network Group Policy objects (GPOs) for Windows 7, Windows Vista, and Windows XP client computers. The following table lists the settings that Group Policy enables you to configure.

Setting: Infrastructure/Ad Hoc
Description: Defines the connection type as either Ad Hoc (peer-to-peer), or Infrastructure, which requires a wireless access point (WAP).

Setting: Connect automatically when this network is in range
Description: Automatically connects clients affected by this policy to the configured network. Enabled by default.

Setting: Connect to a more preferred network if available
Description: Ensures that the more preferred networks take precedence. Enabled by default.

Setting: Connect even if the network is not broadcasting
Description: Enables a client computer to connect to the network even if the service set identifier (SSID) is not broadcast. Disabled by default.

Setting: Network Name(s) (SSID)
Description: Identifies the WAP.

Setting: Authentication
Description: Specifies the authentication method. WPA2-Enterprise is the default.

Setting: Encryption
Description: Specifies the encryption mechanism. AES is the default.

Setting: Select a network authentication method
Description: Enables you to define how computers authenticate using the Remote Authentication Dial-In User Service (RADIUS) server in your organization. For use with the WPA2-Enterprise, WPA-Enterprise, and 802.1X authentication methods.

Setting: Authentication mode
Description: Specifies the authentication mode. User, Computer, and Guest authentication modes are available.

Note Many of the settings that the previous table describes apply only to infrastructure network GPOs. Ensure that the authentication and encryption method that you select on the client, or that you configure by the policy, matches the access point capability.

Verify Wireless Address Allocation


A wireless connection, like any other connection, needs an IP address. The WAP, or the DHCP server that it relays to, must have a scope of IP addresses for connecting clients, and the scope must be large enough for the number of clients that connect to the network. To determine whether a Windows 7 client has obtained an IP address, at the command prompt type IPConfig /all, and then review the address assigned to the wireless connection. An address in the 169.254.x.y range is an Automatic Private IP Addressing (APIPA) address, which Windows assigns itself when it cannot obtain a lease; it indicates that the client associated with the WAP but did not receive a valid IP address from DHCP.
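The mismatch and weak-setting checks described in this topic can be run against the client's saved wireless profiles instead of clicking through each one. The following PowerShell script is an added example and not part of the course text. It takes a profile in the XML format that netsh wlan export profile writes, compares its authentication and encryption values with what the access point offers, and flags deprecated settings. The embedded profile is a constructed sample, and the access point values given as parameter defaults are assumptions; on a real client, export the profiles with netsh wlan export profile folder=C:\wlan and read the access point's capabilities from netsh wlan show networks mode=bssid.

```powershell
# Added example, not from the 6293A text. Constructed sample in the netsh wlan export profile format.
$sampleProfile = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ContosoGuest</name>
  <SSIDConfig><SSID><name>ContosoGuest</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPAPSK</authentication>
        <encryption>TKIP</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
    </security>
  </MSM>
</WLANProfile>
'@

function Test-WlanProfile {
    param(
        [Parameter(Mandatory=$true)][xml]$Profile,
        # What the access point actually offers. Assumed values; on a real client read them
        # from "netsh wlan show networks mode=bssid" (netsh names: WPA2PSK / AES, WPA2 / AES, ...).
        [string]$ApAuthentication = 'WPA2PSK',
        [string]$ApEncryption     = 'AES'
    )
    $ae = $Profile.WLANProfile.MSM.security.authEncryption
    $findings = @()

    # 1. Mismatch with the access point: the most common cause of a failed association.
    if ($ae.authentication -ne $ApAuthentication) {
        $findings += "authentication $($ae.authentication) does not match the access point ($ApAuthentication)"
    }
    if ($ae.encryption -ne $ApEncryption) {
        $findings += "encryption $($ae.encryption) does not match the access point ($ApEncryption)"
    }

    # 2. Weak or deprecated settings, whether or not they happen to match.
    if (@('open', 'shared') -contains $ae.authentication) {
        $findings += 'no real authentication (open or shared-key WEP)'
    }
    if (@('WEP', 'TKIP') -contains $ae.encryption) {
        $findings += "deprecated cipher $($ae.encryption); the profile should use AES"
    }
    # A non-broadcast profile makes the client probe for the SSID wherever it is, which
    # lets a rogue access point answer to that name.
    if ($Profile.WLANProfile.SSIDConfig.nonBroadcast -eq 'true') {
        $findings += 'profile connects to a non-broadcast SSID; the client will probe for it on every network'
    }

    New-Object PSObject -Property @{
        Name     = $Profile.WLANProfile.name
        Auth     = $ae.authentication
        Cipher   = $ae.encryption
        Findings = $findings
    }
}

# Constructed sample; on a client use:
#   Get-ChildItem C:\wlan\*.xml | ForEach-Object { Test-WlanProfile ([xml](Get-Content $_)) }
Test-WlanProfile ([xml]$sampleProfile) | Format-List
```

For the sample profile the script reports both mismatches (WPAPSK versus WPA2PSK, TKIP versus AES), the deprecated TKIP cipher and the non-broadcast SSID; a profile that only fails the mismatch checks points at a change on the access point, whereas one that fails the deprecated checks should be fixed on the client regardless.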

Troubleshooting Network Connectivity Issues

5-17

Troubleshooting IPv4 Connectivity

When you experience network connectivity problems, follow a logical troubleshooting process by using the available Windows 7 tools. Your troubleshooting process can consist of the following steps:

1. Consult Windows Network Diagnostics.
2. Use ipconfig to check the local IP configuration.
3. Use the ping command to diagnose two-way communication with a remote system. Additionally, consider using the PortQry Command Line Port Scanner (Portqry.exe) and the Telnet terminal program to test connectivity to a specific application.
4. Use the tracert and pathping command-line tools to identify each hop, or router, between two systems.
5. Use the nslookup administrative tool to verify the DNS configuration.

Note You must enable the Telnet Client feature on Windows 7 (Control Panel, Programs and Features, Turn Windows features on or off); it is not installed by default. Portqry.exe is not included with Windows 7 and must be downloaded from Microsoft.

General Network Diagnostics


Use Windows Network Diagnostics to perform diagnostic procedures when Windows 7 encounters a network connection problem. Windows Network Diagnostics analyzes the problem and, if possible, presents a solution or a list of possible causes. If Windows Network Diagnostics cannot fix the problem, use the tools and procedures included in this topic to troubleshoot the problem further.


Checking Local IP Configuration


To determine the local IP configuration, use the ipconfig /all command. This command provides information about the local computer, including the following:

- IP address
- Subnet mask
- Host name
- DNS server configuration
- DNS suffixes
- MAC address
- How the IP configuration was obtained, for example, whether it was obtained by using the Dynamic Host Configuration Protocol (DHCP)

After running the ipconfig /all command, compare the output with the ipconfig output of another computer that is in the same subnet as the problematic host. When studying the output, remember that:

- The IP address must be in the same host range for the given subnet as the other local computer, while being unique within the subnet.
- The subnet mask must match that of the other local host. If the subnet mask does not match, the computer has an incorrect network ID, which can cause communication failures, particularly to remote subnets.
- The default gateway must match that of the other local host. If the default gateway is incorrect or missing, the computer cannot communicate with remote subnets.
- If the DNS server is incorrect or missing, the computer might not resolve names, and communication can fail.

Because DHCP configures most computers, if the configuration does not match that of the other local host, verify that the computer can obtain an IP address correctly by:

1. Opening an elevated command prompt, and releasing the existing address by using the ipconfig /release command.
2. Renewing the address by using the ipconfig /renew command.
3. Reviewing the local IP configuration by using the ipconfig /all command.

If the host currently has an IP address in the 169.254.0.0/16 range, the computer probably failed to obtain a dynamically assigned address. This Automatic Private IP Addressing (APIPA) address indicates a problem in one of three areas:

- Connectivity to the DHCP server (for example, a failed DHCP relay or a blocked path)
- The DHCP server configuration
- The DHCP scope for this subnet (for example, a missing or exhausted scope)
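The comparison that this procedure describes, carried out programmatically: the following Python script is an added example (not part of the course material) that parses two ipconfig /all captures, one from the problem computer and one from a healthy neighbour on the same subnet, and reports the differences a technician would otherwise spot by eye, including the APIPA case. Both captures are constructed here; the host names and addresses (NYC-CL1, NYC-CL2, the 10.10.0.0/16 subnet, the DNS servers 10.10.0.10 and 10.10.0.11) are assumptions modelled on the contoso.com lab network.

```python
import ipaddress

# Constructed "ipconfig /all" capture from a healthy Windows 7 client on the same subnet.
# Host names and addresses are assumptions modelled on the contoso.com lab network.
HEALTHY = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : NYC-CL2
   Primary Dns Suffix  . . . . . . . : contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : contoso.com
   Physical Address. . . . . . . . . : 00-15-5D-01-02-04
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.0.22(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.10
   DNS Servers . . . . . . . . . . . : 10.10.0.10
                                       10.10.0.11
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed capture from the problem client: the DHCP lease failed and APIPA kicked in.
BROKEN = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : NYC-CL1
   Primary Dns Suffix  . . . . . . . : contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Physical Address. . . . . . . . . : 00-15-5D-01-02-03
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.23.45(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")


def parse_ipconfig(text):
    """Return {section name: {setting: [values]}}; sections are the unindented lines."""
    sections, current, last_key = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):                  # "Ethernet adapter ...:" and similar
            current = sections.setdefault(line.rstrip(":"), {})
            last_key = None
            continue
        head, sep, tail = line.partition(":")
        if sep and " ." in head:                      # dot leaders mark a setting name
            last_key = head.strip(" .")
            current.setdefault(last_key, [])
            if tail.strip():
                current[last_key].append(tail.strip())
        elif last_key:                                # continuation line, e.g. a 2nd DNS server
            current[last_key].append(line.strip())
    return sections


def ipv4_of(adapter):
    """Extract address, mask, gateway and DNS servers from one adapter block."""
    addr = adapter.get("IPv4 Address") or adapter.get("Autoconfiguration IPv4 Address") or []
    ip = addr[0].split("(")[0] if addr else None      # drop the "(Preferred)" suffix
    mask = (adapter.get("Subnet Mask") or [None])[0]
    gateway = (adapter.get("Default Gateway") or [None])[0]
    return ip, mask, gateway, adapter.get("DNS Servers") or []


def check_adapter(adapter, reference):
    """Compare a suspect adapter with a known-good one; return a list of findings (empty = OK)."""
    ip, mask, gateway, dns = ipv4_of(adapter)
    ref_ip, ref_mask, ref_gateway, ref_dns = ipv4_of(reference)
    if ip is None:
        return ["no IPv4 address on the adapter"]
    findings = []
    if ipaddress.ip_address(ip) in APIPA:
        findings.append("APIPA address %s: no DHCP lease was obtained" % ip)
    if adapter.get("DHCP Enabled") == ["Yes"] and not adapter.get("DHCP Server"):
        findings.append("DHCP is enabled but no DHCP server answered")
    if mask != ref_mask:
        findings.append("subnet mask %s differs from reference %s" % (mask, ref_mask))
    elif mask and (ipaddress.ip_interface("%s/%s" % (ip, mask)).network
                   != ipaddress.ip_interface("%s/%s" % (ref_ip, ref_mask)).network):
        findings.append("address %s is not in the reference subnet" % ip)
    if gateway != ref_gateway:
        findings.append("default gateway %s differs from reference %s" % (gateway, ref_gateway))
    if sorted(dns) != sorted(ref_dns):
        findings.append("DNS servers %s differ from reference %s" % (dns or "none", ref_dns))
    return findings


if __name__ == "__main__":
    reference = parse_ipconfig(HEALTHY)["Ethernet adapter Local Area Connection"]
    suspect = parse_ipconfig(BROKEN)["Ethernet adapter Local Area Connection"]
    for finding in check_adapter(suspect, reference) or ["configuration matches the reference"]:
        print("-", finding)
```

To use it against real computers, redirect ipconfig /all > ipconfig.txt on each of them and feed the file contents to parse_ipconfig. The checks deliberately stop at the adapter level: they tell you that the lease failed, not which of the three DHCP causes above is responsible.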


Verifying Two-Way Communication


If the computer has a valid IP configuration but cannot communicate with one or more remote hosts, verify connectivity with the portqry, ping, and telnet commands. Portqry reports on the current status of TCP and User Datagram Protocol (UDP) ports on the computer against which you run it. When you run portqry, the output returns one of the following responses about ports on the target:

- Listening. A process is listening on the port that you selected: Portqry.exe received a response from the port.
- Not Listening. No process is listening on the target port. For a UDP port, Portqry.exe received an Internet Control Message Protocol (ICMP) Destination Unreachable - Port Unreachable message from the target; for a TCP port, it received a TCP packet with the Reset (RST) flag set.
- Filtered. The port that you selected is being filtered: Portqry.exe did not receive any response from the port, so a process may or may not be listening on it. By default, Portqry.exe queries TCP ports three times and UDP ports once before it reports that a port is filtered.

Portqry can query a single port, an ordered list of ports, or a sequential range of ports. For example, the following command tries to resolve Microsoft.com to an IP address, and then queries TCP port 25 on the corresponding host:
portqry -n microsoft.com -p tcp -e 25

The ping tool confirms two-way communication between two computers, so a failed ping tells you only that the round trip failed somewhere along the way; the local computer's configuration may not be the cause. Use ping in a logical sequence, such as:

1. Ping the remote computer.
2. Ping the remote gateway.
3. Ping the local IP address.
4. Ping the loopback address 127.0.0.1.

When using the ping tool, remember that:

- You can ping both the computer's name and its IP address. If you ping the IP address successfully, but not the name, name resolution is failing.
- If you successfully ping the name, but the response does not show the fully qualified domain name (FQDN), the resolution did not use DNS. This means that another method, such as broadcasts or Windows Internet Name Service (WINS), resolved the name, and applications that require DNS may fail.
- A Request Timed Out message indicates that there is a known route to the destination computer, but that the configuration is incorrect for one or more computers or routers along the path, including the source and destination. Use pathping or tracert to help find the problem.
- A Destination Host Unreachable message may indicate that the system cannot find a route to the destination system, and therefore does not know where to send the packet on the next hop. If you verify that the local IP configuration is correct, use pathping and tracert to help isolate the routing problem.
- A failed ping proves only that ICMP echo did not get through. Windows Firewall blocks inbound echo requests unless a rule such as File and Printer Sharing (Echo Request - ICMPv4-In) is enabled, and many perimeter firewalls drop them, so confirm with a port test (portqry or telnet) before you conclude that the host is down.


If you can successfully ping a remote host but cannot communicate with the applications installed on the host, verify that the application is accessible from your local computer. For example, a firewall might be blocking your communication attempt, or the remote host is not listening on the appropriate port. The telnet and portqry tools can help identify issues that relate to blocked or nonresponsive ports.

Identify Each Hop between Two Systems


You can use pathping and tracert to identify each hop between the source and destination systems. If communication fails, these utilities can help you identify how many hops are successful, and at which hop communication fails. Although tracert records the hops through which packets travel, pathping provides more information about the routing process. Both tracert and pathping send ICMP Echo Request packets with increasing time-to-live (TTL) values so that each router between the local host and the remote destination host reveals itself. Pathping then calculates statistics about the routes used and the routers involved, including the hop number, round-trip time, packet loss, host names, and IP addresses of intermediate hosts. To test routing connectivity to a remote host with pathping, open a command prompt, and type the following command:
pathping www.microsoft.com

The output displays all hops between local host and destination host, and then the statistical output.

Verify DNS Configuration


NSlookup enables you to ensure that the DNS server is available, and contains a record for the computer with which you are attempting to communicate. This functionality is vital, because even if the computer is available, if DNS is not working correctly, you might not be able to communicate by using computer names.

Verify Port Availability


If you can successfully communicate with a remote host by using ping, but cannot access an application on the remote host, it is possible that the remote host is not listening for your request on the expected port, or that local or remote firewalls are blocking your request. To determine whether the remote computer is listening on the expected port, use either the portqry or telnet tool. For example, to determine whether the HTTP port is accessible, type the following command at a command prompt:
portqry -n server -e 80

The result will look something like this:


TCP port 80 (http service): LISTENING

A message that the port is FILTERED or NOT LISTENING can indicate that a firewall along the path between the two hosts is blocking the request, that the application uses a different port, or that the application has failed on the remote host. If other hosts on the local subnet can reach the port successfully, the problem probably lies on the client itself, for example in the local Windows Firewall rules or in a host-based security product.
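To make the Listening, Not Listening and Filtered verdicts from the portqry discussion above concrete, here is an added Python example (not the course's or Microsoft's code) that reproduces portqry's TCP decision logic: a completed handshake, a TCP reset, or silence after the same three attempts portqry uses by default. UDP is deliberately left out, because a UDP verdict depends on whether an ICMP Port Unreachable message comes back, which plain sockets expose less uniformly. The host names in the test are assumptions; the demo itself only talks to a listener it opens on 127.0.0.1 and to 192.0.2.1, a TEST-NET-1 address reserved for documentation that never answers.

```python
import socket

LISTENING, NOT_LISTENING, FILTERED = "LISTENING", "NOT LISTENING", "FILTERED"


def probe_tcp_port(host, port, timeout=2.0, attempts=3, connect=socket.create_connection):
    """Classify a TCP port the way portqry does.

    LISTENING      the three-way handshake completed: a process accepted our SYN.
    NOT LISTENING  the host answered with RST (ConnectionRefusedError): it is up, nothing is bound.
    FILTERED       no answer within `attempts` tries: the SYN was dropped (typically a firewall),
                   or there is no route. portqry retries TCP three times by default; so do we.
    `connect` is injectable so the decision logic can be exercised without touching the network.
    """
    for _ in range(attempts):
        try:
            conn = connect((host, port), timeout=timeout)
        except ConnectionRefusedError:
            return NOT_LISTENING
        except OSError:            # timeout, "no route to host", "network unreachable": silence
            continue
        conn.close()
        return LISTENING
    return FILTERED


def report(host, port, **kwargs):
    """One-line verdict in the style of 'portqry -n host -e port'."""
    try:
        service = socket.getservbyport(port, "tcp")
    except OSError:
        service = "unknown"
    return "TCP port %d (%s service): %s" % (port, service, probe_tcp_port(host, port, **kwargs))


if __name__ == "__main__":
    # Demo against a throwaway listener on loopback: the kernel completes the handshake for
    # anything that fits in the listen backlog, so no accept() is needed to look LISTENING.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print(report("127.0.0.1", port, timeout=1.0))               # LISTENING
    srv.close()                                                 # nothing bound any more ...
    print(report("127.0.0.1", port, timeout=1.0))               # ... so NOT LISTENING
    print(report("192.0.2.1", 80, timeout=0.5, attempts=1))    # never answers: FILTERED
```

The injectable connect function is what makes the classifier testable without a network; in production use you would leave the default and lower the timeout, since a genuinely filtered port costs you attempts multiplied by timeout seconds before the verdict arrives.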


You also can use telnet to verify that a port is listening. For example, if you want to verify Simple Mail Transfer Protocol (SMTP) functionality, you can open a Telnet session to port 25 on the destination host. Open a command prompt, and type telnet. From the Microsoft Telnet prompt, type the following command:
Open nyc-dc1.contoso.com 25

If the port is available, you will receive a message similar to this:


220 site.contoso.com Microsoft Exchange Server

Note To troubleshoot applications by using telnet and portqry, you must understand which ports your applications use. In addition to Portqry.exe and Telnet.exe, you can use Netstat.exe to discover information about ports in use between your client computer and other remote systems. The following command lists the active connections on your client computer in numeric form:
netstat -n

Adding the -a option includes the ports on which the local computer is listening, and -o shows the process ID that owns each connection, so that you can confirm which process is actually bound to a port.

Determine Firewall Configuration


If you cannot communicate successfully with a remote application, verify that the local firewall is not blocking your attempt before you troubleshoot the application itself. To determine which firewall rules are active, open Windows Firewall with Advanced Security, and click the Monitoring node. The Monitoring section lists the active rules; determine whether any rule is responsible for blocking your connection attempt. From a command prompt, netsh advfirewall show currentprofile reports the profile that is in force and its default inbound and outbound actions. Remember that the network location category might be responsible for your connectivity problem, because the Public profile is more restrictive than the Private profile. If Windows assigned the wrong network location category to the network, use the Network and Sharing Center to change it.

Intermittent problems
When users report inconsistent or intermittent problems, you might need to approach the troubleshooting process slightly differently. For example, if a user's e-mail application functions while their web browsing does not, this suggests a specific problem with web browsing rather than with the network connectivity itself. The problem might lie with the client-side application, the browser, or the network components through which web-browsing traffic passes, such as firewalls, Network Address Translation (NAT) devices, and routers.


Demonstration: How to Troubleshoot IPv4 Connectivity

In this demonstration, you will see how to: Verify the IP configuration. Test connectivity. Verify the firewall configuration.

Demonstration Steps
1. Use ipconfig.exe to verify the configuration.
2. View the Local Area Connection properties.
3. Use netsh.exe to verify the configuration.
4. Use ping.exe and netstat.exe to verify connectivity.
5. Open a webpage, and use netstat.exe to view the active ports.
6. Use Windows Firewall with Advanced Security and netsh advfirewall to view the firewall's configuration.


Troubleshooting Name Resolution

Host names are assigned to computers running TCP/IP to make the computers easier to identify. Host name resolution is the process of resolving a host name to its corresponding IP address. Although Windows 7 computers actually support two names, the host name and a NetBIOS computer name, it is the host name that is most relevant in modern IP-based networks. Windows 7 typically enables NetBIOS over TCP/IP by default, and derives the NetBIOS name automatically from the first 15 characters of the computer's host name.

Note You can use the nbtstat command-line tool to view NetBIOS names associated with your computer, and to troubleshoot NetBIOS over TCP/IP.

What Is a Host Name?


The host name forms part of the FQDN. For example, if a computers host name is nyc-cl1, and it is part of the contoso.com domain, the FQDN for that computer will be nyc-cl1.contoso.com.

Note Each label of a DNS name, including the host name, can be up to 63 characters long and can contain alphanumeric characters and hyphens; periods separate the labels. The FQDN, including the host name, cannot exceed 255 characters in length. The domain portion of the FQDN is the DNS suffix. By default, a computer's primary DNS suffix is the DNS name of the Active Directory domain of which it is a member.


For computers that are not part of a domain, you can view the primary DNS suffix from the DNS Suffix and NetBIOS Computer Name dialog box that you access from the System Properties dialog box on the Computer Name tab. By default, a non-domain member computer has no primary DNS suffix.

Note You can assign a separate DNS suffix to each individual network connection. View or edit the connection-specific DNS suffix from the Advanced TCP/IP Settings page, which is accessible from the IPv4 or IPv6 properties of the relevant network connection.

The Host Name Resolution Process


The operating system resolves host names either by using a local text file called hosts or by using DNS. Additionally, if NetBIOS over TCP/IP is enabled on the computer, Windows 7 also uses NetBIOS name resolution methods when resolving host names. During the host name resolution process, Windows 7:

1. Checks whether the host name is the same as the local host name.
2. Searches the DNS resolver cache, into which the entries of the hosts file are loaded.
3. Sends a DNS request to its configured DNS servers.
4. Converts the host name to a NetBIOS name, and then checks the local NetBIOS name cache.
5. Contacts its configured WINS servers.
6. Broadcasts as many as three NetBIOS Name Query Request messages on the directly attached subnet.
7. Searches the LMHOSTS file.

Note Windows 7 appends the primary and connection-specific suffixes to names that it is resolving. If name resolution is unsuccessful initially, Windows 7 applies parent suffixes of the primary DNS suffix, a process called devolution. For example, if the DNS resolver attempts to resolve the name seacl1, Windows 7 appends the .contoso.com suffix to attempt resolution. If that is unsuccessful, the operating system appends .com to the name and attempts resolution again. Be aware that devolution can send queries for names that you do not control, such as seacl1.com, into the public DNS namespace. You can configure this behavior from the Advanced TCP/IP Settings page.

The primary tools for troubleshooting host name resolution are ipconfig and nslookup.

Note You should perform standard network troubleshooting techniques, such as running Windows Network Diagnostics (the Network Diagnostics Framework, or NDF) and verifying basic connectivity, before you begin to test name resolution. When you troubleshoot name resolution, you must understand which name resolution methods the computer is using, and in what order it uses them. Be sure to clear the DNS resolver cache between resolution attempts, because a cached answer (including a cached negative answer) masks what the name server currently returns.
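The resolution order and suffix handling described above, as an added Python simulation that is not part of the course material: it generates the candidate names for a query the way the resolver does (absolute name, primary suffix, connection-specific suffixes, devolved parents), walks the seven stages in order, and records which stage answered. The local identity (NYC-CL2 at 10.10.0.22), the connection-specific suffix branch.contoso.com, and the addresses for sea-cl1 and NYC-SVR1 are assumptions; the hosts entry is the one the troubleshooting procedure in this topic adds for nyc-cl1. Negative caching and NetBIOS node types are ignored for brevity.

```python
# Assumed identity and suffix configuration of the simulated client (not from the course).
LOCAL_HOST_NAME = "nyc-cl2"
LOCAL_ADDRESS = "10.10.0.22"
PRIMARY_SUFFIX = "contoso.com"
CONNECTION_SUFFIXES = ["branch.contoso.com"]

# Constructed hosts file, containing the test entry that the troubleshooting procedure adds.
HOSTS_FILE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
10.10.0.21      nyc-cl1.contoso.com    # test entry added while troubleshooting
"""

# Constructed stand-ins for what DNS (nyc-dc1), the NetBIOS name cache, WINS and LMHOSTS
# would answer; the addresses for sea-cl1 and NYC-SVR1 are assumptions.
DNS_ZONE = {"nyc-dc1.contoso.com": "10.10.0.10", "nyc-cl1.contoso.com": "10.10.0.21",
            "sea-cl1.contoso.com": "10.20.0.21"}
NETBIOS_CACHE = {"NYC-SVR1": "10.10.0.24"}
WINS = {"NYC-DC1": "10.10.0.10"}
LMHOSTS = {}


def parse_hosts(text):
    """Parse hosts-file syntax: 'address name [alias ...]'; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table


def candidate_names(name, primary=PRIMARY_SUFFIX, connection=CONNECTION_SUFFIXES,
                    devolution_level=1):
    """Names the DNS resolver tries, in order, for one query.

    A trailing period makes the name absolute, so nothing is appended. Otherwise the primary
    suffix, then each connection-specific suffix, then the devolved parents of the primary
    suffix are appended; devolution stops when `devolution_level` labels remain (1 = down to
    "com", the behaviour described in the note above).
    """
    name = name.lower()
    if name.endswith("."):
        return [name[:-1]]
    suffixes = [primary] + [s for s in connection if s != primary]
    labels = primary.split(".")
    suffixes += [".".join(labels[i:]) for i in range(1, len(labels) - devolution_level + 1)]
    return ([name] if "." in name else []) + ["%s.%s" % (name, s) for s in suffixes]


def resolve(name, hosts_text=HOSTS_FILE, dns=DNS_ZONE, netbios_cache=NETBIOS_CACHE,
            wins=WINS, lmhosts=LMHOSTS):
    """Walk the seven stages in order; return (address, stage that answered, stages tried)."""
    cache = parse_hosts(hosts_text)       # hosts entries are preloaded into the resolver cache
    bare = name.rstrip(".").lower()
    tried = ["1 local host name"]
    if bare in (LOCAL_HOST_NAME, "%s.%s" % (LOCAL_HOST_NAME, PRIMARY_SUFFIX)):
        return LOCAL_ADDRESS, tried[-1], tried
    for fqdn in candidate_names(name):
        tried.append("2 resolver cache: %s" % fqdn)
        if fqdn in cache:
            return cache[fqdn], tried[-1], tried
        tried.append("3 DNS query: %s" % fqdn)
        if fqdn in dns:
            return dns[fqdn], tried[-1], tried
    netbios = bare.split(".")[0].upper()[:15]   # NetBIOS names: first 15 characters, upper-case
    for stage, table in (("4 NetBIOS name cache", netbios_cache), ("5 WINS", wins),
                         ("6 broadcast", {}), ("7 LMHOSTS", lmhosts)):  # nobody answers broadcasts here
        tried.append("%s: %s" % (stage, netbios))
        if netbios in table:
            return table[netbios], tried[-1], tried
    return None, None, tried


if __name__ == "__main__":
    for query in ("nyc-cl2", "nyc-cl1.contoso.com.", "sea-cl1", "nyc-svr1", "nowhere"):
        address, stage, tried = resolve(query)
        print("%-22s -> %-12s via %s" % (query, address,
                                         stage or "nothing (%d stages tried)" % len(tried)))
```

Two things the walk makes visible: the hosts entry for nyc-cl1 is returned from the cache before DNS is ever asked, which is why a forgotten test entry keeps overriding the real record, and a single-label name that DNS cannot resolve falls through to NetBIOS only after every suffix candidate has been tried.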


If you cannot connect to a remote host, and you suspect a name-resolution problem, troubleshoot name resolution by:

1. Opening an elevated command prompt, and then clearing the DNS resolver cache by typing the following command:
ipconfig /flushdns

2. Attempting to ping the remote host by its IP address. This helps identify whether the issue is because of name resolution. If the ping succeeds with the IP address, but fails by its host name, the problem pertains to name resolution.

Note The remote host must allow inbound ICMP echo packets through its firewall for this test to be viable.

3. Attempting to ping the remote host by its host name, using the FQDN followed by a period. The trailing period marks the name as absolute, so the resolver does not append any DNS suffix. For example, type the following command at the command prompt:
ping nyc-cl1.contoso.com.

4. If the ping is successful, the problem likely does not relate to name resolution.

5. If the ping is unsuccessful, editing the C:\windows\system32\drivers\etc\hosts text file (from an elevated editor, because the file is in a protected system location) and adding the appropriate entry to the end of the file. For example, add this line, and then save the file:
10.10.0.21    nyc-cl1.contoso.com

6. Performing the ping-by-host-name test again. Name resolution should now be successful. Verify that the name resolved correctly by examining the DNS resolver cache. Do this by typing the following at a command prompt:
ipconfig /displaydns

7. Removing the entry that you added to the hosts file, and then clearing the resolver cache once more. Do not leave test entries behind: hosts entries override DNS for every application on the computer, which is precisely why malware targets this file.

8. At the command prompt, typing the following command, and then examining the contents of the filename.txt file to identify the failed stage in name resolution:
nslookup.exe -d2 nyc-cl1.contoso.com. > filename.txt

You should understand how to interpret the output so that you can identify whether the name-resolution problem exists with the client computer's configuration, the name server, or the configuration of records within the name server's zone database.


In the first section of the following output sample, the client resolver performs a reverse lookup to determine the DNS server's host name. You can see the query 10.0.10.10.in-addr.arpa, type = PTR, class = IN in the QUESTIONS section. The returned result, name = nyc-dc1.contoso.com, identifies the host name of the queried DNS server:

------------
SendRequest(), len 41
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        10.0.10.10.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (73 bytes):
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        10.0.10.10.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  10.0.10.10.in-addr.arpa
        type = PTR, class = IN, dlen = 20
        name = nyc-dc1.contoso.com
        ttl = 1200 (20 mins)

------------
Server:  nyc-dc1.contoso.com
Address:  10.10.0.10


In the following section, the client resolver performs a recursive query of the DNS server for the host nyc-cl1.contoso.com, type = A, class = IN. The returned result is in the ANSWERS section, which is shown below. Note that the answer also includes a time-to-live (TTL) value, which determines how long the record is valid:

------------
SendRequest(), len 36
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        nyc-cl1.contoso.com, type = A, class = IN

------------
------------
Got answer (52 bytes):
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        nyc-cl1.contoso.com, type = A, class = IN
    ANSWERS:
    ->  nyc-cl1.contoso.com
        type = A, class = IN, dlen = 4
        internet address = 10.10.0.21
        ttl = 1200 (20 mins)

------------


In the remaining section, the client resolver queries for the IPv6 address (type = AAAA) of the nyc-cl1 host, as the QUESTIONS section shows. The reply contains no ANSWERS section: the response code is still NOERROR, but answers = 0, and the AUTHORITY RECORDS section carries the zone's start of authority (SOA) record. This combination means that the name exists but has no record of the requested type; it is not an error, and nslookup finishes by printing the IPv4 address that it obtained earlier:

------------
SendRequest(), len 36
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        nyc-cl1.contoso.com, type = AAAA, class = IN

------------
------------
Got answer (91 bytes):
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        nyc-cl1.contoso.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  contoso.com
        type = SOA, class = IN, dlen = 43
        ttl = 3600 (1 hour)
        primary name server = nyc-dc1.contoso.com
        responsible mail addr = hostmaster.contoso.com
        serial  = 45
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
Name:    nyc-cl1.contoso.com
Address:  10.10.0.21
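To turn a long -d2 transcript into a verdict per query, the following Python script is an added example (not course code) that pairs each SendRequest() with the Got answer that follows it and classifies the outcome: answered; NOERROR with no answers but an SOA in the authority section (the name exists but has no record of that type, exactly the AAAA case above); NXDOMAIN; or no reply at all. The embedded transcript is constructed: the first two exchanges are trimmed from the output above, while the NXDOMAIN reply for nowhere.contoso.com and the unanswered query for nyc-svr1.contoso.com are assumptions added to exercise the other branches.

```python
import re

# Constructed nslookup -d2 transcript, cut down to the lines the parser keys on. Exchanges 1
# and 2 mirror the course output (A answered, AAAA with no data); exchanges 3 and 4 are
# assumptions: a name that is not in the zone, and a query that never gets a reply.
SAMPLE = """\
------------
SendRequest(), len 36
        opcode = QUERY, id = 2, rcode = NOERROR
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
    QUESTIONS:
        nyc-cl1.contoso.com, type = A, class = IN
------------
Got answer (52 bytes):
        opcode = QUERY, id = 2, rcode = NOERROR
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    ANSWERS:
    ->  nyc-cl1.contoso.com
        internet address = 10.10.0.21
------------
SendRequest(), len 36
        opcode = QUERY, id = 3, rcode = NOERROR
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
    QUESTIONS:
        nyc-cl1.contoso.com, type = AAAA, class = IN
------------
Got answer (91 bytes):
        opcode = QUERY, id = 3, rcode = NOERROR
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
    AUTHORITY RECORDS:
    ->  contoso.com
        type = SOA, class = IN, dlen = 43
------------
SendRequest(), len 38
        opcode = QUERY, id = 4, rcode = NOERROR
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
    QUESTIONS:
        nowhere.contoso.com, type = A, class = IN
------------
Got answer (93 bytes):
        opcode = QUERY, id = 4, rcode = NXDOMAIN
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
------------
SendRequest(), len 37
        opcode = QUERY, id = 5, rcode = NOERROR
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
    QUESTIONS:
        nyc-svr1.contoso.com, type = A, class = IN
------------
DNS request timed out.
    timeout was 2 seconds.
"""

RCODE = re.compile(r"rcode = (\w+)")
COUNTS = re.compile(r"(questions|answers|authority records|additional) = (\d+)")
QUESTION = re.compile(r"^(\S+), type = (\w+), class = IN$")
RDATA = re.compile(r"^(?:internet address|AAAA IPv6 address|name) = (\S+)$")


def parse_debug(text):
    """Pair every SendRequest() with the Got answer that follows it (None if there was none)."""
    exchanges, side = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SendRequest("):
            exchanges.append({"query": {}, "answer": None})
            side = exchanges[-1]["query"]
        elif line.startswith("Got answer") and exchanges:
            side = exchanges[-1]["answer"] = {"data": []}
        elif side is None:
            continue
        elif RCODE.search(line):
            side["rcode"] = RCODE.search(line).group(1)
        elif COUNTS.search(line):
            side.update((key, int(n)) for key, n in COUNTS.findall(line))
        elif QUESTION.match(line):
            side["name"], side["type"] = QUESTION.match(line).groups()
        elif RDATA.match(line) and "data" in side:
            side["data"].append(RDATA.match(line).group(1))
    return exchanges


def diagnose(exchange):
    """Return (verdict, explanation) for one query/answer pair."""
    q, a = exchange["query"], exchange["answer"]
    what = "%s record for %s" % (q.get("type", "?"), q.get("name", "?"))
    if a is None:
        return "TIMEOUT", "%s: no reply; server unreachable or port 53 blocked" % what
    if a.get("rcode") == "NXDOMAIN":
        return "NXDOMAIN", "%s: the name does not exist in the zone" % what
    if a.get("rcode") != "NOERROR":
        return "ERROR", "%s: server returned %s" % (what, a.get("rcode"))
    if a.get("answers", 0):
        return "ANSWERED", "%s: %s" % (what, ", ".join(a["data"]) or "%d record(s)" % a["answers"])
    if a.get("authority records", 0):
        return "NODATA", "%s: name exists but has no record of that type (SOA returned)" % what
    return "EMPTY", "%s: NOERROR reply with nothing in it" % what


if __name__ == "__main__":
    for exchange in parse_debug(SAMPLE):
        print("%-9s %s" % diagnose(exchange))
```

The parser ignores every line it does not recognise, so it copes with the full transcript (header flags, TTLs, the SOA fields) as well as with this trimmed one; feed it the filename.txt produced in step 8 above. The distinction between NODATA and NXDOMAIN is the one that matters when you decide whether the problem is a missing record or a missing name.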

If you can resolve a computers name successfully, but you cannot connect to an application on that computer, investigate whether the local or remote firewalls are blocking your attempt.

Additional NSlookup commands


To look up different data types within DNS by using nslookup.exe, use the set type or set q command at the nslookup prompt. For example, to query for mail exchanger data, type the following:
nslookup
> set q=mx
> mailhost

The output might look something like this:

Server:  nyc-dc1.contoso.com
Address:  10.10.0.1

mail.contoso.com    MX preference = 0, mail exchanger = mail.contoso.com
mail.contoso.com    internet address = 10.10.0.5


To query another name server directly, use the server or lserver command to switch to that name server. The lserver command uses the initial (local) server to look up the address of the server to which you want to switch, while the server command uses the current default server to look it up; lserver therefore still works when the current default server is the one that is failing. For example:
nslookup
> server 10.10.0.20

The output might look something like this:

Default Server:  nyc-dc2.contoso.com
Address:  10.10.0.20


Demonstration: How to Troubleshoot Name Resolution

In this demonstration, you will see how to: View entries in the local name cache. Test name resolution.

Demonstration Steps
1. Use ipconfig.exe to view and purge the host name cache.
2. Create a test record in the hosts file.
3. Use nslookup to verify the name resolution process.
4. Use nbtstat to view the NetBIOS name cache.


Considerations for IPv6 Networks

Windows 7 enables the IPv6 stack by default, and it is the preferred transport for communication.

IPv4 Functionality
The Windows 7 IPv6 stack does not impair IPv4 functionality, and it enables better network connectivity for applications that support IPv6. IPv6 connections can use IPv6 transition technologies such as Teredo to operate behind routers that use NAT, without requiring NAT configuration or application modification. Keep in mind that Teredo encapsulates IPv6 in IPv4 UDP datagrams, so a host can become reachable over IPv6 from outside even though the NAT device shields its IPv4 address; your firewall policy must therefore cover IPv6 traffic as well, which Windows Firewall with Advanced Security does.

Disabling IPv6
If your applications function in a purely IPv4 environment, you might consider disabling IPv6, although Microsoft does not recommend it because some Windows components, such as DirectAccess and HomeGroup, require IPv6. You cannot uninstall IPv6, but you can disable it in two ways:

- In the Local Area Connection Properties dialog box, in the list under This connection uses the following items, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This unbinds IPv6 from that adapter only; tunnel interfaces and the loopback interface keep IPv6.


- Create a DWORD value named DisabledComponents under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, set it in accordance with the following table, and then restart the computer. The value is a bit mask, so the rows combine (0x11 is 0x1 plus 0x10).

DisabledComponents value   Configuration combination
0x1    Disable all tunnel interfaces
0x10   Disable all local area network (LAN) and Point-to-Point Protocol (PPP) interfaces
0x11   Disable all LAN, PPP, and tunnel interfaces
0x20   Use IPv4 in preference to IPv6
0xFF   Disable IPv6 over all interfaces, and use IPv4 in preference to IPv6

Troubleshooting IPv6
The steps for troubleshooting an IPv6 connection are similar to those for troubleshooting an IPv4-based connection. You can use many of the IPv4 troubleshooting tools to gather information to help troubleshoot IPv6 connection problems.


Advanced Network Reporting

Perform advanced networking tests only when:

- The NDF fails to fix the problem, and the additional manual steps that this module details do not resolve the problem.
- Microsoft Help and Support recommends it.

In Windows 7, the NDF and Event Tracing for Windows (ETW) integrate more closely than they did in previous Windows versions. This enables diagnostics to log network events and packets in a single file. Collecting all necessary information in a single step provides an efficient method of troubleshooting network connectivity issues. When you run Windows Network Diagnostics, a diagnostics session log is created and stored automatically in Action Center/Troubleshooting/View History. Each diagnostic session generates a report with diagnostics results. Windows 7 categorizes NDF and network tracing events that pertain to a specific issue, and then outputs them to an Event Trace Log (ETL) file. Consequently, you can examine the entire transaction, from end to end, as a single collection of events.

Note You can analyze the data in the ETL file by using a number of tools, such as Network Monitor, Event Viewer, the netsh trace convert command, or Tracerpt.exe. Windows 7 includes a new netsh context, netsh trace. Netsh trace integrates with NDF and network tracing, and enables you to perform comprehensive tracing, network packet capturing, and filtering; you start and stop a session with the netsh trace start and netsh trace stop commands. Treat the resulting trace files as sensitive: a packet capture contains whatever the user's applications transmitted while it ran, including any credentials that were sent in clear text.


Problem Steps Recorder

Problem Steps Recorder (PSR) is a built-in troubleshooting tool that enables you to record screen activity and user actions, and optionally comments, into a diagnostic file. The PSR tool saves the output as a zip file containing an MHTML document that you can view in Windows Internet Explorer. You can launch PSR from the command line (psr.exe) or from the Search box in Windows 7. Because the recording consists of screenshots of the whole screen, review it before you forward it: it captures whatever the user had open at the time, such as documents and e-mail, not just the application being troubleshot.


Lab: Troubleshooting Network Connectivity Issues

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: CONTOSO
5. Repeat steps 2 to 4 for 6293A-NYC-SVR1, 6293A-NYC-CL1, and 6293A-NYC-CL2.


Lab Scenario
Contoso is planning the deployment of branch servers. As part of this process, the deployment team has been configuring the first branch server, NYC-SVR1, with the necessary network infrastructure services. You are not involved in this project. However, since the project kick off, there have been a number of network-related problems. For this project, you must complete the following tasks: Read the help-desk tickets. Plan a course of action. Attempt resolution of the problems. Document successful resolutions of the problems.


Exercise 1: Troubleshooting a Network Problem (1)


Scenario
Scott Bishop has called the help desk complaining that he cannot log on to his computer, which is a laptop in the production department. In this exercise, you will investigate why Scott is unable to log on to his computer. The main tasks for this exercise are:

1. Read the help-desk Incident Record for incident 603211.
2. Update the Plan of Action section of the Incident Record with your recommendations.
3. Simulate the problem.
4. Attempt to resolve the problem.

Incident Record
Incident Reference Number: 603211
Date of Call: April 2
Time of Call: 13:32
User: Scott Bishop (Production Department)
Status: OPEN

Incident Details: Scott cannot log on to his computer.
Additional Information: Error message: There are currently no logon servers available to service the logon request.
Plan of Action:

Resolution

Task 1: Read the help-desk Incident Record 603211


Read the help-desk Incident Record for incident 603211.

Task 2: Update the Plan of Action for Incident Record 603211


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.


Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.
2. Run the D:\Labfiles\Mod05\Scenario1.vbs script.

Note Ignore any error messages in the script.

3. Wait while NYC-CL1 restarts.
4. Log on using the following credentials:
   User name: Scott
   Password: Pa$$w0rd
   Domain: Contoso
5. You are unsuccessful. What is the error message?

Task 4: Attempt to resolve the problem


Note Some of the tasks that you perform to resolve this problem may not typically be the responsibility of Tier 2 support staff. However, it is useful to see the problem resolution.

1. Using your knowledge of Windows 7 network technologies, and the tools available for troubleshooting network connections, attempt to resolve the problem.
2. Update the Resolution section of the incident record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:
   - On the host computer, start Hyper-V Manager.
   - Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   - In the Revert Virtual Machine dialog box, click Revert.
   - Repeat these steps for 6293A-NYC-CL1, 6293A-NYC-SVR1, and 6293A-NYC-CL2.
   - In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
   - In the Actions pane, click Connect. Wait until the virtual machine starts.


   - Log on using the following credentials:
     User name: Administrator
     Password: Pa$$w0rd
     Domain: Contoso
   - Repeat these steps for 6293A-NYC-CL1, 6293A-NYC-SVR1, and 6293A-NYC-CL2.

Results: At the end of this exercise, you will have logged on successfully by using the user account.


Exercise 2: Troubleshooting a Network Problem (2)


Scenario
Scott Bishop has called the help desk complaining that he cannot access the corporate intranet site, located on NYC-DC1. In this exercise, you will resolve the problem that Scott is experiencing when connecting to the Contoso intranet. The main tasks for this exercise are:

1. Read the help-desk Incident Record for incident 603213.
2. Update the Plan of Action section of the Incident Record with your recommendations.
3. Simulate the problem.
4. Attempt to resolve the problem.

Incident Record
Incident Reference Number: 603213
Date of Call: April 2
Time of Call: 14:20
User: Scott Bishop (Production Department)
Status: OPEN

Incident Details: Scott is unable to access the intranet server. URL required: http://intranet. IP configuration seems appropriate for the subnet location.
Additional Information: Error message: Internet Explorer cannot display the webpage.
Plan of Action:

Resolution

Task 1: Read the help-desk Incident Record 603213


Read the help-desk Incident Record for incident 603213.

Task 2: Update the Plan of Action for Incident Record 603213


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.


Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer. You are logged on as Scott.
2. On the Taskbar, click Internet Explorer.
3. In the Address bar, type http://intranet, and then press Enter.

Task 4: Attempt to resolve the problem


Note Some of the tasks you perform to resolve this problem may not be part of a Tier 2 support person's responsibilities; however, it is useful to see the problem resolution.

1. Using your knowledge of Windows 7 network technologies, and the tools that are available for troubleshooting network connections, attempt to resolve the problem.
2. Update the Resolution section of the incident record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:
   - On the host computer, start Hyper-V Manager.
   - Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   - In the Revert Virtual Machine dialog box, click Revert.
   - Repeat these steps for 6293A-NYC-CL1, 6293A-NYC-SVR1, and 6293A-NYC-CL2.
   - In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
   - In the Actions pane, click Connect.
   - Wait until the virtual machine starts.
   - Log on using the following credentials:
     User name: Administrator
     Password: Pa$$w0rd
     Domain: Contoso
   - Repeat these steps for 6293A-NYC-CL1, 6293A-NYC-SVR1, and 6293A-NYC-CL2.
   - Switch to NYC-CL1 and log on using the following credentials:
     User name: Scott
     Password: Pa$$w0rd
     Domain: Contoso

Results: At the end of this exercise, you will have resolved the connectivity problem.


To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-SVR1, 6293A-NYC-CL1, and 6293A-NYC-CL2.


Module Review and Takeaways

Review Questions
1. You must reconfigure a client computer's IPv4 configuration, but you do not have time to visit the computer. What tool could you use, from the command line, to reconfigure the client computer?
2. To run the command-line tools, what would you need to do at the remote computer?
3. A client computer has obtained an IP address of 169.254.1.37. What would you do?

Tools
Tool                     Use for                                        Where to find it
PortQry.exe              Verifying listening ports on IPv4 network      Download from Microsoft download website
Telnet.exe               Troubleshoot IPv4 applications                 Command line
IPConfig.exe             View and troubleshoot IP configuration         Command line
Ping.exe                 Verify connectivity in IP networks             Command line
Netstat.exe              View information about active connections      Command line
Nslookup.exe             Troubleshoot host name resolution              Command line
NBTSTAT.exe              Troubleshoot NetBIOS name resolution           Command line
Netsh.exe                Configure IP settings                          Command line
Tracert.exe              Tracing tool                                   Command line
Problem Steps Recorder   Recording tool                                 Search/Run box


Module 6
Troubleshooting Remote Connectivity Issues
Contents:
Lesson 1: Troubleshooting VPN Connectivity Issues                      6-3
Lesson 2: Using Remote Desktop                                         6-25
Lesson 3: Troubleshooting User Issues by Using Remote Assistance       6-34
Lesson 4: Troubleshooting NAP Issues                                   6-40
Lesson 5: Troubleshooting DirectAccess Issues                          6-52
Lab: Resolving Remote Connectivity Issues                              6-61


Module Overview

To support your organization's mobile workforce, it is important that you understand how to configure and troubleshoot the technologies that enable remote users to connect to your organization's network infrastructure. These technologies include virtual private networks (VPNs), Network Access Protection (NAP), and Windows 7 DirectAccess.

Objectives
After completing this module, you will be able to:
- Configure and troubleshoot VPN connections.
- Use Remote Desktop.
- Use Remote Assistance.
- Troubleshoot NAP issues.
- Troubleshoot DirectAccess issues.


Lesson 1

Troubleshooting VPN Connectivity Issues

A VPN provides a point-to-point connection between components of a private network, through a public network, such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a connection to a virtual port that is listening on a VPN server. To properly support a VPN environment within your organization, it is important that you understand how to configure and troubleshoot VPNs.

Objectives
After completing this lesson, you will be able to:
- Describe a VPN.
- Describe VPN tunneling protocols.
- Describe the VPN negotiation process.
- Create and configure a VPN connection.
- Describe network policies.
- Describe how to troubleshoot VPN connections.
- Describe VPN Reconnect.


What Is a Virtual Private Network?

A VPN emulates a point-to-point connection between components of a private network, through a public network, such as the Internet. To emulate this point-to-point link, the VPN client encapsulates the data and prefixes it with a header. The header provides routing information that enables the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the VPN client encrypts data, which helps to ensure confidentiality. Without the encryption keys, packets intercepted on the shared or public network are indecipherable. The link, or VPN connection, is where the VPN client encapsulates and encrypts private data.

There are two types of VPN connections:
- Remote access VPN
- Site-to-site VPN

Remote Access VPN


Remote access VPN connections enable your organization's users who are working from home, at a customer site, or from a public wireless access point, to access a server on your organization's private network by using the infrastructure that a public network provides, such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the computer, which is the VPN client, and your organization's server. The exact infrastructure of the shared or public network is irrelevant, because logically it appears as if the client is sending the data over a dedicated private link.


Site-to-Site VPN
Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your organization to have routed connections between separate offices, or between your office and another organization, over a public network. This helps maintain secure communications. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. When networks connect over the Internet, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link. A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed connection to the network to which the VPN server is attached. The calling router (the VPN client) authenticates itself to the answering router (the VPN server). Then, if you are using mutual authentication, the answering router authenticates itself to the calling router. In a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.

Properties of VPN Connections


VPN connections that use the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol with Internet Protocol Security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP) share the following properties:
- Encapsulation
- Authentication
- Data encryption

Note The next topic covers these tunneling protocols.

Encapsulation
With VPN technology, private data is encapsulated with a header that contains routing information that allows the data to traverse the transit network.

Authentication
Authentication for VPN connections takes three different forms:

- User-level authentication by using Point-to-Point Protocol (PPP) authentication. To establish the VPN connection, the VPN server authenticates the VPN client that is attempting the connection by using a PPP user-level authentication method, and then verifies that the VPN client has the appropriate authorization. If you use mutual authentication, the VPN client also authenticates the VPN server, which provides protection against computers that are masquerading as VPN servers.

- Computer-level authentication by using Internet Key Exchange (IKE). To establish an IPsec security association, the VPN client and the VPN server use the IKE protocol to exchange either computer certificates or a preshared key. In either case, the VPN client and server authenticate each other at the computer level. Computer-certificate authentication is recommended because it is a much stronger authentication method. Computer-level authentication occurs only for L2TP/IPsec connections.

- Data origin authentication and data integrity. To verify that the data sent on the VPN connection originated at the connection's other end, and was not modified in transit, the data contains a cryptographic checksum based on an encryption key known only to the sender and the receiver. Data origin authentication and data integrity are only available for L2TP/IPsec connections.

Data Encryption
To ensure the confidentiality of data as it traverses the shared or public transit network, the sender encrypts the data, and the receiver decrypts it. The encryption and decryption processes will not work unless both the sender and the receiver use the same encryption key. Furthermore, intercepted packets sent along the VPN connection in the transit network are unintelligible to anyone who does not have this common encryption key. The encryption key's length is an important security parameter. It is possible to use computational techniques to determine the encryption key, but these require more computing power and computational time as the encryption keys get larger. Using the largest possible key size helps ensure data confidentiality.


VPN Tunneling Protocols

To troubleshoot VPNs, you first must understand the various VPN configuration options, including the selection of the appropriate VPN tunneling protocols.

PPTP
Point-to-Point Tunneling Protocol (PPTP) enables you to encrypt and encapsulate multiprotocol traffic in an IP header that you send across an IP network, or across a public IP network, such as the Internet. You can use PPTP for remote access or site-to-site VPN connections. When using the Internet as the public network for the VPN, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet and a second interface on the intranet.

L2TP
Layer 2 Tunneling Protocol (L2TP) enables you to encrypt multiprotocol traffic for transfer over any medium that supports point-to-point datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), and combines the best features of both. Unlike PPTP, the Microsoft implementation of L2TP does not use Microsoft Point-to-Point Encryption (MPPE) to encrypt PPP datagrams; it uses IPsec in Transport Mode for encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec.

SSTP
Secure Socket Tunneling Protocol (SSTP) is a new tunneling protocol that uses the Hypertext Transfer Protocol Secure (HTTPS) protocol over TCP port 443 to pass traffic through firewalls and web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking.


IKEv2
Internet Key Exchange version 2 (IKEv2) uses the IPsec Tunnel Mode protocol over UDP port 500. Because of its support for mobility (MOBIKE), IKEv2 is much more resilient to changing network connectivity, which makes it a good choice for mobile users who move between access points and who switch between wired and wireless connections. An IKEv2 VPN provides resilience to the VPN client when the client moves from one wireless hotspot to another or when it switches from a wireless to a wired connection. This ability is a requirement of VPN Reconnect.

Note IKEv2 is the default VPN tunneling protocol in Windows 7.


VPN Authentication Methods

The authentication of access clients is an important security concern. Authentication methods typically use an authentication protocol that is negotiated during the connection establishment process. Often, the reason a VPN does not connect is a mismatch between authentication settings in the VPN client, the VPN server, or the Network Policies. It is important to understand the various VPN authentication methods.

PAP
Password Authentication Protocol (PAP) uses plaintext passwords, and is the least secure authentication protocol. You would use PAP for negotiation only if the remote access client and remote access server cannot negotiate a more secure form of validation. Windows Server 2008 R2 includes PAP to provide support for older VPN clients.

CHAP
The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme to hash the response. Various vendors of network access servers and clients use CHAP. A server running Routing and Remote Access supports CHAP to enable authentication of remote access clients that require it. Because CHAP requires the use of a reversibly encrypted password, you should consider using another authentication protocol, such as MS-CHAP version 2.

MS-CHAPv2
Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2) is a one-way, encrypted password, mutual-authentication process that avoids the need to store passwords using reversible encryption.


EAP
An Extensible Authentication Protocol (EAP) authentication scheme is known as an EAP type. Both the remote access client and the authenticator must support the same EAP type for successful authentication to occur. EAP-TLS is an EAP type that you use in certificate-based security environments. If you use smart cards for remote access authentication, you must use the EAP-TLS authentication method. The EAP-TLS exchange of messages provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the remote access client and the authenticator. EAP-TLS provides the strongest authentication and key determination method.

PEAP
Protected Extensible Authentication Protocol (PEAP) uses TLS to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as a Network Policy Server (NPS) or Remote Authentication Dial-in User Service (RADIUS) server. PEAP does not specify an authentication method. However, it provides additional security for other EAP authentication protocols, such as EAP-MSCHAPv2, that can operate through the TLS encrypted channel that PEAP provides. PEAP is an authentication method for 802.11 wireless client computers. However, VPN and other remote access clients do not support it.

Smart Cards
Using smart cards for user authentication is the strongest form of authentication in the Windows Server 2008 family of products. For remote access connections, you must use EAP with the smart card or other certificate (TLS) EAP type, also known as EAP-TLS. To use smart cards for remote access authentication, you must:
- Configure remote access on the remote access server.
- Install a computer certificate on the remote access server computer.
- Configure the smart card or other certificate (TLS) EAP type in network policies.
- Enable smart card authentication on the dial-up or VPN connection on the remote access client.


Demonstration: How to Create a VPN Connection

In this demonstration, you will see how to configure a VPN connection. This process involves configuring some server-side settings that a Tier 2 support person typically would not configure.

Demonstration Steps
1. From NYC-DC1, using Active Directory Users and Computers, verify the dial-in permission for Adam Carter.
2. From NYC-SVR1, open Server Manager, and then install the Network Policy and Access Services role.
3. Configure VPN Access with Routing and Remote Access on NYC-SVR1.
4. On NYC-CL1, create a VPN connection.
5. Test the connection. There is no matching policy, and the test fails.


What Are Network Policies?

Network policies determine whether a connection attempt is successful. Network policies also define connection characteristics for successful connections, such as day and time restrictions, session idle-disconnect times, and other settings. Network policies are sets of conditions, constraints, and settings that enable you to designate who is authorized to connect to your network, and the circumstances under which they can, or cannot, connect. Additionally, deploying NAP adds a health policy to the network policy configuration so that NPS performs client health checks during the authorization process. You can view network policies as rules, and each rule has a set of conditions and settings. NPS compares the rule's conditions to the properties of connection requests. If a match occurs between the rule and the connection request, NPS applies the settings that you define in the rule.


When you configure multiple network policies in NPS, they form an ordered set of rules. NPS checks each connection request against the list's first rule, then the second, and so on, until a match is found. The diagram below shows this process:

Note Once NPS finds a matching rule, it disregards further rules. Therefore, it is important that you order your network policies appropriately. Each network policy has a Policy State setting that allows you to enable or disable the policy. When you disable a network policy, NPS does not evaluate the policy when authorizing connection requests.

Network Policy Properties


Each network policy has four categories of properties:
1. Overview
2. Conditions
3. Constraints
4. Settings

Properties in the Overview category allow you to specify whether to enable the policy; whether the policy grants or denies access; and whether a specific network connection method, or type of network access server, is required for connection requests. Overview properties also enable you to specify whether to ignore the dial-in properties of user accounts in Active Directory Domain Services (AD DS). If you select this option, NPS uses only the network policy's settings to determine whether to authorize the connection.


Properties in the Conditions category allow you to specify the conditions that the connection request must have to match the network policy. If the conditions configured in the policy match the connection request, NPS applies the network-policy settings to the connection. For example, if you specify the network access server IP version 4 (IPv4) address (NAS IPv4 Address) as a condition of the network policy, and NPS then receives a connection request from a NAS that has the specified IP address, the condition in the policy matches the connection request.

Constraints are additional parameters of the network policy that are required to match the connection request. If the connection request does not match a constraint, NPS rejects the request and denies network access. Unlike the NPS response to unmatched conditions in the network policy, if a constraint is not matched, NPS does not evaluate additional network policies.

Settings allow you to specify the properties that NPS applies to the connection request if it finds matches for all of the policy's conditions. When you add a new network policy using the NPS Microsoft Management Console (MMC) snap-in, you must use the New Network Policy Wizard. After you create a network policy by using the wizard, you can customize the policy by double-clicking it in NPS to obtain the policy properties. NPS uses network policies and the dial-in properties of user accounts to determine whether to authorize a connection request to your network. You can configure a new network policy in either the NPS MMC snap-in or the Routing and Remote Access Service MMC snap-in.

Creating Your Policy


When you use the New Network Policy Wizard to create a network policy:
- NPS uses the value that you specify as the network connection method to configure the Policy Type condition automatically. If you keep the default value of Unspecified, NPS evaluates the network policy that you create for all network connection types through any type of network access server. If you specify a network connection method, NPS evaluates the network policy only if the connection request originates from the type of network access server that you specify. For example, if you specify Remote Desktop Gateway, NPS evaluates the network policy only for connection requests that originate from Remote Desktop Gateway servers.
- On the Specify Access Permission page, you must select Access granted if you want the policy to allow users to connect to your network. If you want the policy to prevent users from connecting to your network, select Access denied. If you want user account dial-in properties in AD DS to determine access permission, you can select the Access is determined by User Dial-in properties (which override NPS policy) check box.

Note To complete the following procedure, you must be a member of either the Domain Admins group or the Enterprise Admins group.

Adding a Network Policy by Using the Windows Interface


To add a network policy by using the Windows interface:
1. Open the NPS console, and expand Policies.
2. In the console tree, right-click Network Policies, and then click New. The New Network Policy Wizard opens.
3. Use the New Network Policy Wizard to create a policy.
4. Configure the Network Policy properties, which the following section describes.


Configure Your Policy's Properties


Once you create your policy, you can use the policy's Properties dialog box to view or reconfigure its settings.

Network Policy Properties: Overview Tab


From the Overview tab of the Properties sheet for a network policy, or while running the New Network Policy Wizard, you can configure the following:
- Policy name. Type a friendly and meaningful name for the network policy.
- Policy State. Designate whether to enable the policy.
- Access Permission. Designate whether the policy grants or denies access. Also, specify whether NPS should ignore the dial-in properties of user accounts in AD DS when using the policy to perform the connection attempt's authorization.

Note If you have many user accounts in AD DS, consider configuring the dial-in properties of user accounts to control network access through network policy. However, you can accomplish the same result for individual policies by configuring them to ignore dial-in properties of user accounts.

The following table details the network connection methods that you can use to create a connection request.

Network connection method: Unspecified
Description: Specifies that NPS must evaluate the network policy for all connection requests that originate from any type of network access server, and for any connection method.

Network connection method: Remote Desktop Gateway
Description: Specifies that NPS must evaluate the network policy for connection requests that originate from servers that are running Remote Desktop Gateway.

Network connection method: Remote Access Server (VPN-Dial up)
Description: Specifies that NPS must evaluate the network policy for connection requests that originate from a computer that is running the Routing and Remote Access service configured as a dial-up or VPN server. If you use another dial-up or VPN server, the server must support the RADIUS protocol and the authentication protocols that NPS provides for dial-up and VPN connections.

Network connection method: Dynamic Host Configuration Protocol (DHCP) Server
Description: Specifies that NPS must evaluate the network policy for connection requests that originate from servers that are running DHCP.

Network connection method: Health Registration Authority
Description: Specifies that NPS must evaluate the network policy for connection requests that originate from servers that are running the Health Registration Authority.

Network connection method: Host Credential Authorization Protocol (HCAP) server
Description: Specifies that NPS must evaluate the network policy for connection requests that originate from servers that are running HCAP.

Network Policy Properties: Conditions Tab


You must configure at least one condition for every network policy. NPS provides several groups of conditions that enable you to clearly define the properties that the connection request that NPS receives must have to match the policy.


The following table outlines the available groups of conditions.

Condition group: Groups
Description: Enables you to specify the user or computer groups that you configure in AD DS, and specify the groups to which you want the network policy's other rules to apply when group members attempt to connect to the network.

Condition group: HCAP
Description: Enables you to integrate your NPS NAP solution with Cisco Network Admission Control. To use these conditions, you must deploy Cisco Network Admission Control and NAP. You also must deploy an HCAP server running both Internet Information Services (IIS) and NPS.

Condition group: Day and Time Restrictions
Description: Enables you to specify, at a weekly interval, whether to allow connections on a specific set of days and times. For example, you can configure this condition to allow access to your network only between the hours of 08:00 and 17:00, Monday through Thursday. With this condition value, users whose connection requests match all conditions of the network policy cannot connect to the network on Fridays, Saturdays, Sundays, and during other weekdays between the hours of 17:00 and 08:00, but they can connect Monday through Thursday between 08:00 and 17:00. Conversely, you can specify the days and times during which you want to deny network connections, which means that users can access your network only on the unspecified days and times. For example, if you configure this condition to deny connections on Sundays, users cannot connect at any time on Sundays, but they can connect Monday through Saturday at any time.

Condition group: NAP
Description: Includes several settings, such as Identity Type, MS-Service Class, NAP-Capable Computers, Operating System, and Policy Expiration.
Note The Identity Type condition is for NAP DHCP and IPsec deployments to allow client health checks in circumstances where NPS does not receive an Access-Request message that contains a value for the User-Name attribute. In these circumstances, client health checks are performed, but authentication and authorization are not.

Condition group: Connection Properties
Description: Includes several settings, such as Access Client IPv4 Address, Access Client IPv6 Address, Authentication Type, Allowed EAP Types, Framed Protocol, Service Type, and Tunnel Type.

Condition group: RADIUS Client Properties
Description: Includes several settings, such as Calling Station ID, Client Friendly Name, Client IPv4 Address, Client IPv6 Address, Client Vendor, and MS RAS Vendor.

Condition group: Gateway
Description: Includes several settings, such as Called Station ID, NAS Identifier, NAS IPv4 Address, NAS IPv6 Address, and NAS Port Type.

Important Client computers, such as laptops and other computers that are running client operating systems, are not RADIUS clients. RADIUS clients are network access servers, such as wireless access points, 802.1X authenticating switches, VPN servers, and dial-up servers, because they use the RADIUS protocol to communicate with RADIUS servers, such as NPS servers.


Network Policy Properties: Constraints Tab


Constraints are optional network policy parameters that differ from network policy conditions in one substantial way: when a condition does not match a connection request, NPS continues to evaluate other configured network policies to find a match for that connection request. When a constraint does not match a connection request, NPS does not evaluate further network policies; instead, it rejects the connection request, and then denies network access to the user or computer.

The following table describes the constraints that you can configure in network policy.

Constraint: Authentication Methods
Description: Enables you to specify the authentication methods that are required for the connection request to match the network policy.

Constraint: Idle Timeout
Description: Enables you to specify the maximum time, in minutes, that the network access server can remain idle before the connection disconnects.

Constraint: Session Timeout
Description: Enables you to specify the maximum amount of time, in minutes, that a user can be connected to the network.

Constraint: Called Station ID
Description: Enables you to specify the telephone number of the dial-up server that clients use to access the network.

Constraint: Day and time restrictions
Description: Enables you to specify when users can connect to the network.

Constraint: NAS Port Type
Description: Enables you to specify the allowable access media types that users can use to connect to the network.
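The following Python model, added here as an illustration and not part of the course material or of NPS itself, walks an ordered policy list the way the preceding topics describe it: a disabled policy is skipped, a condition mismatch moves on to the next policy, a constraint mismatch rejects the request at once, and the first full match decides and supplies the settings. The policy names, group names, NAS address and timestamps are constructed values.

```python
"""Model of how NPS evaluates an ordered list of network policies (illustrative only)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# A connection request as NPS sees it: the attributes of a RADIUS Access-Request.
Request = Dict[str, object]
Check = Callable[[Request], bool]


@dataclass
class NetworkPolicy:
    name: str
    grant: bool                                     # Access granted / Access denied
    conditions: List[Check]                         # NPS requires at least one
    constraints: List[Check] = field(default_factory=list)
    enabled: bool = True                            # Policy State
    settings: Dict[str, object] = field(default_factory=dict)


def in_groups(*groups: str) -> Check:
    """Groups condition: the requester belongs to at least one listed AD DS group."""
    return lambda r: bool(set(groups) & set(r.get("groups", ())))


def nas_ipv4(address: str) -> Check:
    """Gateway condition: NAS IPv4 Address of the RRAS/VPN server that relayed the request."""
    return lambda r: r.get("nas_ipv4") == address


def allowed_days_hours(weekdays: range, start: int, end: int) -> Check:
    """Day and Time Restrictions: weekday 0 is Monday, hours are allowed in [start, end)."""
    def check(r: Request) -> bool:
        when: datetime = r["time"]
        return when.weekday() in weekdays and start <= when.hour < end
    return check


def auth_method(*methods: str) -> Check:
    """Authentication Methods constraint: the negotiated PPP/EAP method must be listed."""
    return lambda r: r.get("auth") in methods


def evaluate(policies: List[NetworkPolicy], request: Request) -> Tuple[bool, Optional[str], str]:
    """Return (access, name of the deciding policy, reason) following NPS ordering rules."""
    for policy in policies:
        if not policy.enabled:
            continue                                # disabled policies are never evaluated
        if not all(c(request) for c in policy.conditions):
            continue                                # condition mismatch: try the next policy
        if not all(c(request) for c in policy.constraints):
            return False, policy.name, "constraint not matched; evaluation stopped"
        if policy.grant:
            return True, policy.name, "access granted; policy settings applied"
        return False, policy.name, "access denied by policy"
    return False, None, "no policy matched; access denied"


def sample_policies() -> List[NetworkPolicy]:
    """Constructed Contoso-style policy list; names, groups and the NAS address are hypothetical."""
    office_hours = allowed_days_hours(range(0, 4), 8, 17)      # Monday-Thursday, 08:00-17:00
    return [
        NetworkPolicy("Contoso VPN users", True,
                      conditions=[in_groups("VPN Users"), office_hours, nas_ipv4("10.10.0.11")],
                      constraints=[auth_method("EAP-TLS", "MS-CHAPv2")],
                      settings={"idle_timeout_min": 30}),
        NetworkPolicy("Contractors (smart card only)", True,
                      conditions=[in_groups("Contractors")],
                      constraints=[auth_method("EAP-TLS")]),
        NetworkPolicy("Deny everyone else", False,
                      conditions=[allowed_days_hours(range(7), 0, 24)]),   # matches any time
    ]


def request(user: str, groups, auth: str, when: datetime, nas: str = "10.10.0.11") -> Request:
    """Build a constructed connection request."""
    return {"user": user, "groups": list(groups), "auth": auth, "time": when, "nas_ipv4": nas}


TUESDAY = datetime(2010, 4, 6, 10, 0)    # constructed timestamps: 2010-04-06 was a Tuesday
FRIDAY = datetime(2010, 4, 9, 10, 0)     # 2010-04-09 was a Friday


if __name__ == "__main__":
    policies = sample_policies()
    for req in (request("Adam", ["VPN Users"], "MS-CHAPv2", TUESDAY),
                request("Adam", ["VPN Users"], "MS-CHAPv2", FRIDAY),
                request("Scott", ["Contractors"], "MS-CHAPv2", TUESDAY)):
        print(req["user"], evaluate(policies, req))
    # Reordering the same policies changes the outcome: a deny-all policy placed first
    # matches every request, so nobody gets in.
    print("reversed:", evaluate(list(reversed(policies)),
                                request("Adam", ["VPN Users"], "MS-CHAPv2", TUESDAY)))
```

The third request shows why an authentication-method mismatch between client and policy is the first thing to check: the contractor's request matched every condition, but the MS-CHAPv2 attempt failed the EAP-TLS constraint and NPS stopped there rather than falling through to a later policy.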

Network Policy Properties: Settings Tab


NPS applies the settings that you configure in the network policy to the connection only if all of the conditions and constraints that you configure in the policy match the connection request's properties. The available groups of settings that you can configure are:
- RADIUS attributes, which are described in:
  - Request for Comments (RFC) 2865
  - RFC 2866
  - RFC 2867
  - RFC 2868
  - RFC 2869
  - RFC 3162

RFCs and Internet drafts for vendor-specific attributes (VSAs) define additional RADIUS attributes.

Important If you plan to return to RADIUS clients any additional RADIUS attributes or VSAs with the responses to RADIUS requests, you must add the RADIUS attributes or VSAs to the appropriate network policy.


- NAP Enforcement, with which you can specify how you want to:
  - Enforce NAP.
  - Remediate server groups.
  - Troubleshoot URLs.
  - Use auto-remediation.
- Routing and Remote Access. These settings include:
  - Multilink and Bandwidth Allocation Protocol (BAP)
  - IP filters
  - Encryption
  - IP settings


Troubleshooting VPNs

In general, when you are troubleshooting, it is important that you verify that the settings for the client-side tunneling protocol and authentication protocols match those configured on the Routing and Remote Access server and the Network Policy Server. Also ensure that the client is attempting to connect to the correct Routing and Remote Access server. When using an authentication protocol that requires a certificate, you may discover that your users are unable to connect because an inappropriate certificate is configured on the Routing and Remote Access server. If you suspect this is the problem, try reconfiguring to use an authentication protocol that does not require certificates. If this is successful, then examine the certificates used, and verify that the certificate purpose and subject names are appropriate for your configuration.

Logging
Aside from general troubleshooting techniques, you also can enable logging for Remote Access. Remote Access Service (RAS) trace logs can help you troubleshoot RAS connection-related issues. To enable RAS logging, run the command:
netsh ras diagnostics set rastracing * enabled

Windows creates and stores the trace logs in the %windir%\tracing folder. You can flush the logs with the following command:
netsh ras diagnostics set rastracing * disabled


Some of the trace log files that help diagnose problems are:
- PPP.log
- RASMAN.log
- IASHLPR.log
- RASIPCP.log

Note RAS Trace logs can be difficult to interpret, and you may need to escalate them to the appropriate experts so that they can debug them. For additional troubleshooting help, you also can check the Event Viewer System log, and look for events with the sources of RemoteAccess or Rasman.
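The trace and event-log steps above, gathered into one script. This is an added example, not part of the course; it assumes an elevated PowerShell prompt on the Windows 7 client, and the connection name and user name are placeholders for your own entry.

```powershell
# Added example (not from the course): capture RAS trace logs around a failed
# connection attempt and then pull the matching System log events.
$connectionName = 'Contoso VPN'   # placeholder: name of the VPN connection in Network Connections
$userName       = 'CONTOSO\Adam'  # placeholder: account used for the test; '*' makes rasdial prompt for the password
$tracingDir     = Join-Path $env:windir 'tracing'
$since          = Get-Date

# 1. Turn tracing on, reproduce the failure, turn tracing off again.
netsh ras diagnostics set rastracing * enabled
rasdial $connectionName $userName *
netsh ras diagnostics set rastracing * disabled

# 2. Show which trace files were written during the attempt. PPP.log, RASMAN.log,
#    IASHLPR.log and RASIPCP.log are the ones the course singles out.
Get-ChildItem $tracingDir -Filter *.log |
    Where-Object { $_.LastWriteTime -ge $since } |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime

# 3. Pull the System log events from the RemoteAccess and Rasman sources for the
#    same window. Get-WinEvent errors when nothing matches, hence SilentlyContinue.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RemoteAccess', 'Rasman'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-Table -AutoSize -Wrap
```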

Examining Common Connectivity Issues


This section lists common issues that you may encounter when connecting to a Remote Access Server from Windows 7:

Error 800: VPN server is unreachable

Cause: PPTP/L2TP/SSTP packets from the VPN client cannot reach the VPN server.

Solution: Ensure the appropriate ports are open on the firewall:
- PPTP: For PPTP traffic, configure the network firewall to open TCP port 1723 and to forward IP protocol 47 for GRE traffic to the VPN server.
- L2TP: For L2TP traffic, configure the network firewall to open UDP port 1701 and to allow IPsec ESP formatted packets (IP protocol 50).
- SSTP: For SSTP, enable TCP 443.

Error 721: Remote computer is not responding

Cause: This issue can occur if the network firewall does not permit GRE traffic (IP protocol 47). PPTP uses GRE for tunneled data.

Solution: Configure the network firewall between the VPN client and the server to permit GRE. Additionally, make sure that the network firewall permits TCP traffic on port 1723. Both of these conditions must be met to establish VPN connectivity by using PPTP.

Note The firewall might reside on or in front of the VPN client, or in front of the VPN server.

Error 741/742: Encryption mismatch error

Cause: These errors occur if the VPN client requests an invalid encryption level or if the VPN server does not support an encryption type that the client requests.

Solution: Check the properties on the Security tab of the VPN connection on the VPN client. If Require data encryption (disconnect if none) is selected, clear the selection, and retry the connection. If you are using NPS, check the encryption level in the network policy in the NPS console or policies on other RADIUS servers. Ensure that the encryption level that the VPN client requested is selected on the VPN server.


Resolving General Remote Access VPN Connection Problems


To resolve general problems with establishing a remote access VPN connection:
- Using the ping command, verify that the host name is being resolved to its correct IP address. The ping itself might not be successful due to packet filtering that is preventing the delivery of Internet Control Message Protocol (ICMP) messages to and from the VPN server.
- Verify that the credentials of the VPN client, which consist of user name, password, and domain name, are correct, and that the VPN server can validate them.
- Verify that the user account of the VPN client is not locked out, expired, or disabled, and that the connection is being made within the configured logon hours. If the password on the account has expired, verify that the remote access VPN client is using MS-CHAP v2. MS-CHAP v2 is the only authentication protocol that Windows Server 2008 R2 provides that allows you to change an expired password during the connection process. For an administrator-level account with an expired password, reset the password using another administrator-level account.
- Verify that the user account has not been locked out due to remote access account lockout.
- Verify that the Routing and Remote Access service is running on the VPN server.
- Verify that the VPN server is enabled for remote access from the General tab in the properties of a VPN server in the Routing and Remote Access snap-in.
- Verify that the WAN Miniport (PPTP) and WAN Miniport (L2TP) devices are enabled for inbound remote access from the properties of the Ports object in the Routing and Remote Access snap-in.
- Verify that the VPN client, the VPN server, and the network policy corresponding to VPN connections are configured to use at least one common authentication method.
- Verify that the configuration of the VPN client and the network policy corresponding to VPN connections use at least one common encryption strength.
- Verify that the connection's parameters have permission through network policies.

L2TP/IPsec Authentication Issues


The following list describes the most common reasons that L2TP/IPsec connections fail:
- No certificate. By default, L2TP/IPsec connections require that, for IPsec peer authentication, an exchange of computer certificates occur between the remote access server and remote access client. Check the Local Computer certificate stores of the remote access client and remote access server using the Certificates snap-in to ensure that a suitable certificate exists.
- Incorrect certificate. The VPN client must have a valid computer certificate installed that was issued by a certification authority (CA) that follows a valid certificate chain from the issuing CA to a root CA that the VPN server trusts. Additionally, the VPN server must have a valid computer certificate installed that was issued by a CA that follows a valid certificate chain from the issuing CA to a root CA that the VPN client trusts.


- A NAT device exists between the remote access client and remote access server. If there is a NAT between a Microsoft Windows 2000, Windows Server 2003, or Windows XP-based L2TP/IPsec client, and a Windows Server 2008 L2TP/IPsec server, you cannot establish an L2TP/IPsec connection unless both the client and server support IPsec NAT-T.
- A firewall between the remote access client and remote access server. If there is a firewall between a Windows L2TP/IPsec client and a Windows Server 2008 R2 L2TP/IPsec server, and you cannot establish an L2TP/IPsec connection, verify that the firewall allows forwarding of L2TP/IPsec traffic.

EAP-TLS Authentication Issues


When you use EAP-TLS for authentication, the VPN client submits a user certificate and the authenticating server (the VPN server or the RADIUS server) submits a computer certificate. To enable the authenticating server to validate the VPN client's certificate, the following must be true for each certificate in the certificate chain that the VPN client sends:
- The current date must be within the certificate's validity dates. When certificates are issued, they are issued with a range of valid dates, before which they cannot be used and after which they are considered expired.
- The certificate has not been revoked. Issued certificates can be revoked at any time. Each issuing CA maintains a list of certificates that are not considered valid by publishing an up-to-date certificate revocation list (CRL). By default, the authenticating server checks all certificates in the VPN client's certificate chain (the series of certificates from the VPN client certificate to the root CA) for revocation. If any of the chain's certificates have been revoked, certificate validation fails.

For the VPN client to validate the authenticating server's certificate for EAP-TLS authentication, the following must be true for each certificate in the certificate chain that the authenticating server sends:
- The certificate must have a valid digital signature. CAs digitally sign certificates that they issue. The VPN client verifies the digital signature of each certificate in the chain, with the exception of the root CA certificate, by obtaining the public key from the certificate's issuing CA and mathematically validating the digital signature.
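The three checks just described (validity dates, signature, revocation of the whole chain) can be reproduced on the client before the connection is attempted, which tells you which element the authenticating server will reject. This is an added example, not course code; it assumes the VPN client's user certificate is in the CurrentUser\My store and the subject name 'CN=Adam' is a placeholder.

```powershell
# Added example (not from the course): validate a certificate chain the way the
# authenticating server does, reporting which element fails and why.
function Test-EapTlsChain {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Match the server default described above: check every certificate in the chain
    # against its issuing CA's CRL, fetching the CRL online if it is not cached.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    # Build() verifies each signature with the issuer's public key (the self-signed root
    # is trusted because it is in the Trusted Root store, not by its signature), checks
    # the validity dates and revocation status, and returns $false if any element fails.
    $chainValid = $chain.Build($Certificate)
    $now = Get-Date
    $elements = @()
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        $problems = @($element.ChainElementStatus | ForEach-Object { $_.Status })
        if ($problems.Count -eq 0) { $status = 'OK' } else { $status = $problems -join ', ' }
        $elements += New-Object PSObject -Property @{
            Subject     = $c.Subject
            Issuer      = $c.Issuer
            NotBefore   = $c.NotBefore
            NotAfter    = $c.NotAfter
            WithinDates = ($now -ge $c.NotBefore) -and ($now -le $c.NotAfter)
            Status      = $status     # e.g. NotTimeValid, Revoked, RevocationStatusUnknown, UntrustedRoot
        }
    }
    New-Object PSObject -Property @{ ChainValid = $chainValid; Elements = $elements }
}

# Select the VPN client's user certificate by subject; 'CN=Adam' is a placeholder.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like 'CN=Adam*' } |
    Select-Object -First 1
if ($cert) {
    $result = Test-EapTlsChain -Certificate $cert
    "Chain valid: $($result.ChainValid)"
    $result.Elements | Format-Table Subject, WithinDates, NotAfter, Status -AutoSize -Wrap
} else {
    'No matching certificate found in Cert:\CurrentUser\My.'
}
```

RevocationStatusUnknown on an element means the CRL could not be retrieved, which the server treats as a failure just as a revoked certificate is; check that the CRL distribution point is reachable from the authenticating server.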


What Is VPN Reconnect?

In dynamic business scenarios, users must be able to access data securely at any time, from anywhere, and be able to access it continuously, without interruption. For example, users might want to access data securely on the company's server while in the head office, or from a branch office, or while on the road. To meet this requirement, you can configure the VPN Reconnect feature that is available in Windows Server 2008 R2 and Windows 7. This enables users to access the company's data securely by using a VPN connection, which reconnects automatically if connectivity is interrupted. It also enables roaming between different networks.

VPN Reconnect uses the IKEv2 technology to provide seamless and consistent VPN connectivity. VPN Reconnect automatically reestablishes a VPN connection when Internet connectivity becomes available. Users who connect by using wireless mobile broadband benefit most from this capability.

Consider a user with a laptop that is running Windows 7. When the user travels to work in a train, the user connects to the Internet by using a wireless mobile broadband card, and then establishes a VPN connection to the company's network. When the train passes through a tunnel, the Internet connection is lost. After the train comes out of the tunnel, the wireless mobile broadband card reconnects automatically to the Internet. With earlier versions of Windows client and server operating systems, VPN did not reconnect automatically. Therefore, users had to repeat the VPN connection process manually each time their connection was lost. This was time-consuming for mobile users who often experienced intermittent network connectivity.

VPN Reconnect enables Windows Server 2008 R2 and Windows 7 to reestablish active VPN connections automatically when the network reestablishes Internet connectivity. Even though the reconnection might take several seconds, users stay connected and have uninterrupted access to internal network resources.


The system requirements for using the VPN Reconnect feature are:
- Windows Server 2008 R2 as a VPN server.
- Windows 7 or Windows Server 2008 R2 client.
- Public key infrastructure (PKI), because a computer certificate is required for a remote connection with VPN Reconnect. You can use certificates that either an internal or public CA issues.

To enable VPN Reconnect, after selecting IKEv2 as your preferred tunneling protocol, select the Advanced Properties, and ensure that you enable the Mobility setting and configure the Network outage time (the default is 30 minutes).


Lesson 2

Using Remote Desktop

The Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications. It is important that you understand how to enable, configure, and troubleshoot Remote Desktop connections to support your organization's users.

Objectives
After completing this lesson, you will be able to:
- Describe how to enable Windows Remote Desktop.
- Enable Remote Desktop.
- Describe how to configure Remote Desktop by using Group Policy.
- Apply best practices for troubleshooting issues with Remote Desktop connections.


Overview of Windows Remote Desktop

The Remote Desktop Connection feature, simply called Remote Desktop, is a technology that uses RDP, and allows you to connect to a remote computer's console. The Remote Desktop client is installed in Windows 7, but is not enabled by default.

Enabling Remote Desktop


You can enable Remote Desktop in the System Properties dialog box, on the Remote tab. Access System properties through Control Panel, or by right-clicking Computer, and then clicking Properties. Remote Desktop has three settings:
- Don't allow connections to this computer. This is the default setting, in which remote connections are disabled.
- Allow connections from computers running any version of Remote Desktop (less secure). If you are unsure of the version of the remote desktop client software, this is the best choice.
- Allow connections only from computers running Remote Desktop with Network Level Authentication. This setting limits connections to computers that are running the Windows XP operating system with Service Pack 3 (SP3), Windows 7, and the Windows Server 2008 operating system or newer.

Remote Desktop Permissions


By default, if you enable Remote Desktop, any Administrators group member can make a Remote Desktop connection. Administrators can grant remote access to other users by adding them to the Remote Desktop Users group on the local computer.

Important Granting a user remote access by adding them to the Remote Desktop Users group does not grant administrative rights to that user; it simply allows them to make the connection.


Remote Desktop uses RDP over TCP port 3389. By default, once you enable Remote Desktop, authorized users can connect from any computer that is running the appropriate Remote Desktop client software. You can use Windows Firewall to limit which computers can access port 3389.

Note You can change the listening port for Remote Desktop by editing the registry.

Remote Desktop Security


By default, the client and server negotiate to use the highest encryption that both client and server understand. For example, if a client that connects can only handle 64-bit encryption, then that is the session's encryption level. When possible, the entire Remote Desktop session is encrypted at 128 bits for data transmissions in both the client-to-server and server-to-client direction. Use Group Policy to enforce high encryption, as necessary.
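The settings covered in this topic (whether Remote Desktop is enabled, the NLA requirement, the listening port, the encryption level, who may connect, and the firewall exception) can be read back from one place when a connection is refused. This is an added example, not course code; it assumes an elevated PowerShell prompt on the Windows 7 computer being checked and the registry values named in the comments, which are the values the Remote tab and Group Policy write.

```powershell
# Added example (not from the course): report the local Remote Desktop configuration.
# A Group Policy value, when present, overrides the matching local value.
function Read-RegistryValue($Path, $Name) {
    # Returns the value, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-RemoteDesktopState {
    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $ts 'WinStations\RDP-Tcp'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # fDenyTSConnections: 1 = connections refused (the default), 0 = Remote Desktop enabled.
    $denyPolicy = Read-RegistryValue $policy 'fDenyTSConnections'
    if ($denyPolicy -ne $null) { $deny = $denyPolicy } else { $deny = Read-RegistryValue $ts 'fDenyTSConnections' }

    # UserAuthentication: 1 = only clients that support Network Level Authentication.
    $nla = Read-RegistryValue $rdpTcp 'UserAuthentication'

    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible (negotiated), 3 = High (128-bit), 4 = FIPS.
    $encPolicy = Read-RegistryValue $policy 'MinEncryptionLevel'
    if ($encPolicy -ne $null) { $enc = $encPolicy } else { $enc = Read-RegistryValue $rdpTcp 'MinEncryptionLevel' }

    # PortNumber: 3389 unless it was changed in the registry.
    $port = Read-RegistryValue $rdpTcp 'PortNumber'

    # Members of the local Remote Desktop Users group; the list follows the dashed line
    # in the 'net localgroup' output. Administrators can always connect.
    $members = @()
    $afterHeader = $false
    foreach ($line in (net localgroup 'Remote Desktop Users')) {
        if ($afterHeader) {
            if ($line -and $line -notmatch '^The command completed') { $members += $line.Trim() }
        } elseif ($line -match '^-{10,}$') {
            $afterHeader = $true
        }
    }

    # State of the built-in firewall exception for port 3389.
    $ruleName = 'Remote Desktop (TCP-In)'
    $fw = @(netsh advfirewall firewall show rule "name=$ruleName" | Select-String '^Enabled')
    if ($fw.Count -eq 0) { $fwState = 'rule not found' } else { $fwState = ($fw | ForEach-Object { $_.Line.Trim() }) -join '; ' }

    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($deny -eq 0)
        PolicyOverridesLocal = ($denyPolicy -ne $null)
        NlaRequired          = ($nla -eq 1)
        ListeningPort        = $port
        MinEncryptionLevel   = $enc
        RemoteDesktopUsers   = ($members -join ', ')
        FirewallRule         = $fwState
    }
}

Get-RemoteDesktopState | Format-List
```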

Using Remote Desktop


The Remote Desktop Connection client software is built into Windows 7. This Remote Desktop version supports NLA to provide more secure communications. To launch Remote Desktop, from the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection. You also can type mstsc.exe in the Search box to launch a remote session. To connect to the remote computer, you can type in the name or the IP address of the remote computer. You will be asked for credentials when you connect.

If another user is logged on when you attempt to connect, that user has 30 seconds to refuse to allow your connection. If the logged-on user allows your connection or does not respond, your connection will occur successfully.

The following table lists the client options that you can configure by using the Options tabs on the Remote Desktop Connection dialog box.

Tab: Options
General: Enter the computer and user name, and whether to save the connection as an RDP file.
Display: Choose the remote display's screen size and color quality.
Local Resources: Use remote computer resources in your session, such as the printer or clipboard.
Programs: Configure a program to start automatically following a remote connection.
Experience: Configure the way you want the remote session to appear visually. The more features that you add, the more bandwidth it takes.
Advanced: Tell the Remote Desktop client how to behave if the RDP server fails to prove its authenticity. You can choose whether to connect without warning or to receive a warning, and whether you want to connect or prevent the connection.

You can configure Remote Desktop connections, then save them to RDP files, and then distribute them to users. You can open these files in Remote Desktop.


Practice: Enabling Remote Desktop

In this practice, you will enable and configure Remote Desktop. This involves configuring Windows Firewall rules.

Instructions
For this practice, you will use the available virtual machine environment. 6293A-NYC-DC1, 6293A-NYC-SVR1, and 6293A-NYC-CL1 should be running.

Detailed Steps

Task 1: Configure the Windows Firewall


1. Switch to NYC-CL1.
2. Log off, and then log on by using the following information:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
3. Click Start, and then in the Search box, type Firewall. In the Programs list, click Windows Firewall.
4. In the Windows Firewall dialog box, click Allow a program or feature through Windows Firewall.
5. In the Name list, select the Remote Desktop check box, and then select the check boxes for the Domain, Home/Work, and Public profiles.
6. Click OK.
7. Close Windows Firewall.


Task 2: Enable Remote Desktop


1. Click Start, right-click Computer, and then click Properties.
2. Click Remote settings.
3. Under Remote Desktop, click Allow connections from computers running any version of Remote Desktop (less secure).
4. Click Select Users, click Add.
5. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box, type Adam, click Check Names, and then click OK.
6. In the Remote Desktop Users dialog box, click OK.
7. In the System Properties dialog box, click OK.
8. Close all open windows and log off.

Task 3: Use Remote Desktop


1. Switch to NYC-DC1.
2. Click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.
3. In the Remote Desktop Connection dialog box, in the Computer box, type nyc-cl1, and then click Options.
4. Click the Advanced tab.
5. Under Server authentication, in the If server authentication fails list, click Connect and don't warn me.
6. Click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In the User name box, type Adam, in the Password box, type Pa$$w0rd, and then click OK.
9. Click Start, right-click Computer, and then click Properties.
10. Notice the computer name.
11. Log off the remote desktop session.
12. Close all open windows on NYC-DC1.
13. Switch to the NYC-CL1 virtual machine.
14. Notice you have been logged off.
15. Log on as Contoso\Adam with a password of Pa$$w0rd.


To prepare for the lab


When you finish the practice session, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for both 6293A-NYC-SVR1 and 6293A-NYC-CL1.


Configuring Remote Desktop by Using GPOs

You can use Group Policy to control Remote Desktop behavior across your organization. You also can control all aspects of Remote Desktop through policy settings for Remote Desktop Services. Access policy settings for the computer by using Group Policy Management, and then edit the appropriate policy by expanding Computer Configuration, expanding Policies, expanding Administrative Templates, expanding Windows Components, and then expanding Remote Desktop Services. Computer policy settings for Remote Desktop include the policies that the following table details.

Policy setting for the computer: Description
Remote Desktop Connection Client > Do not allow passwords to be saved: This controls whether users can save passwords on this computer from Remote Desktop Services clients.
Remote Desktop Connection Client > Prompt for credentials on client computer: When you enable this setting, a user is prompted on the client computer instead of on the terminal server to provide credentials for a remote connection to a remote desktop server. If user credentials are saved and available on the client computer, the user is not prompted to provide credentials.
Remote Desktop Session Host > Connections > Allow users to connect remotely using Remote Desktop Services: When enabled, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer using Remote Desktop Services.
Remote Desktop Session Host > Device and Resource Redirection: This policy contains settings for each of the different resources, such as audio and clipboard. Specifies whether to prevent data redirection from these devices to the remote client in a Remote Desktop Services session.
Remote Desktop Session Host > Security > Set client connection encryption level: If you enable this setting, all communications between clients and terminal servers during remote connections must use the encryption method that this setting specifies. By default, the encryption level is set to High.
Remote Desktop Session Host > Session Time Limits: This policy controls session time limits for disconnected, idle, and active sessions, and controls whether to terminate sessions when limits are reached.

You can access policy settings for the user by expanding User Configuration, expanding Policies, expanding Administrative Templates, expanding Windows Components, and then expanding Terminal Services. The following table lists the options for user policy settings for Remote Desktop.

Policy setting for the user: Description
Remote Desktop Connection Client > Do not allow passwords to be saved: This policy controls whether users can save passwords on this computer from Remote Desktop Services clients.
Remote Desktop Session Host > Remote Session Environment > Start a program on connection: This policy specifies a program to run automatically when a user logs on to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting. Enabling this setting overrides the Start Program settings set by the server administrator or user.
Remote Desktop Session Host > Session Time Limits: This policy controls session time limits for disconnected, idle, and active sessions, and controls whether to terminate sessions when users reach these limits.


Troubleshooting Remote Desktop

Remote Desktop sessions typically are successful. However, a number of things can go wrong during the connection and authentication process. This section and the following table discuss some of the most common issues.

Issue: Cannot connect to the remote computer
Cause:
- Check the Windows 7 edition. Home editions do not allow inbound, remote connections.
- Verify that the Windows Firewall is allowing traffic to port 3389.
- If the target computer is behind a Network Address Translation (NAT) device, configure port forwarding through NAT to the target computer.
- Check the system properties, and ensure that Remote Desktop is enabled on the target computer.
- Ensure that the target computer is not in sleep mode or hibernation.
- Ensure that the user who is attempting to connect has permission to make a connection.

Issue: Remote computer cannot be found
Cause:
- Verify that the computer name is correct.
- Verify that the address record on the DNS server is correct.
- Try using the IP address instead of the name.

Issue: Unable to copy text from the remote computer
Cause:
- Ensure the clipboard is selected as a local resource.
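A client-side check for the first two issues in the table (name resolution and whether port 3389 is reachable), which also serves the Error 800 port checks earlier in this module for a PPTP (TCP 1723) or SSTP (TCP 443) VPN server. This is an added example, not course code; the host names are placeholders, and GRE (IP protocol 47), ESP (IP protocol 50) and UDP 1701 are not TCP and are not exercised by it.

```powershell
# Added example (not from the course): resolve a name and test TCP reachability of
# one or more ports with a timeout, so a filtered port fails quickly.
function Test-RemoteEndpoint {
    param(
        [Parameter(Mandatory = $true)][string] $ComputerName,
        [int[]] $Port = @(3389),
        [int] $TimeoutMs = 3000
    )
    # Step 1: name resolution, the first thing the table says to verify.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($ComputerName)
    } catch {
        return New-Object PSObject -Property @{
            ComputerName = $ComputerName; Resolved = $false; Address = $null; Port = $null; TcpOpen = $false
        }
    }
    $target = $addresses | Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    if (-not $target) { $target = $addresses | Select-Object -First 1 }

    # Step 2: one TCP connect per port. A firewall that drops the SYN shows up as a timeout;
    # a host that is listening shows TcpOpen = True.
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $async = $client.BeginConnect($target, $p, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)
                $open = $client.Connected
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{
            ComputerName = $ComputerName; Resolved = $true; Address = $target.ToString(); Port = $p; TcpOpen = $open
        }
    }
}

# Remote Desktop target (port 3389), then a PPTP/SSTP VPN server (TCP 1723 and 443).
Test-RemoteEndpoint -ComputerName 'nyc-cl1' |
    Format-Table ComputerName, Resolved, Address, Port, TcpOpen -AutoSize
Test-RemoteEndpoint -ComputerName 'vpn.contoso.com' -Port 1723, 443 |
    Format-Table ComputerName, Resolved, Address, Port, TcpOpen -AutoSize
```

If the name resolves but the port never opens, the remaining rows of the table (firewall, NAT forwarding, Remote Desktop enabled, sleep state) are where to look next.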


Lesson 3

Troubleshooting User Issues by Using Remote Assistance

Remote Assistance is a built-in tool that allows users to control another operating system by connecting to it remotely. Windows Remote Assistance is a useful tool for providing remote assistance when users need help. Remote Assistance is available in all Windows 7 editions.

Objectives
After completing this lesson, you will be able to:
- Describe the new Remote Assistance features.
- Describe how to offer or request Remote Assistance.
- Create and respond to an invitation for Remote Assistance.
- Describe how to configure Remote Assistance through Group Policy.


Using Remote Assistance to Assist Your Users

When you connect to a user's computer with Remote Assistance, you can see their desktop, any open documents, and any visible private information. Remote Assistance creates a chat session between you and the user to communicate via text messages. Additionally, if the user allows you to control his or her computer by remotely operating his or her mouse and keyboard, you can perform various administrative functions, such as deleting files or changing settings.

When you ask to share control of the desktop, a check box is visible. When the user selects this check box, it enables you to respond to User Account Control prompts. You can respond to requests for administrator consent or administrator credentials, such as a user name or password. You then can run administrator-level programs without the user's participation.

For you or another helper to share the control of a computer, the user must grant permission. Likewise, if the user wants to stop you or another helper from sharing control, they can click Cancel, and then click Stop sharing, or press E.

You can offer Remote Assistance to users in anticipation of users requesting assistance from you. This is useful in situations where you predict that users may require assistance, such as after you deploy a new application or implement a new procedure. The Help and Support Center provides links to assist helpers in offering Remote Assistance to users. By using the computer name or IP address, you can send an invitation to the user. A remote session begins when the user accepts the request.


Remote Assistance in Windows 7

Remote Assistance provides a way for users to get the help they need, and makes it easier and less costly for corporate help desks to assist users. Remote Assistance enables users to invite you to connect to their computers so that you can view their desktops when they need assistance. With the user's permission, the helper can even share control of the user's computer to resolve issues remotely.

Windows 7 enables Remote Assistance by default. In Windows XP, you can access Remote Assistance only through Help and Support. In Windows 7, the Help and Support Center still provides a link to Remote Assistance, but Remote Assistance also appears as a stand-alone application. It is in the Maintenance section of All Programs on the Start menu, or you can launch it by executing msra.exe.


Sending an Invitation
A user who needs assistance can initiate a Remote Assistance session by sending an invitation to the helper. The following table lists the methods by which users can send invitations.

Invitation method: Description
Instant messaging: Use Windows Messenger to send the invitation. The Tools menu lists an option to request Remote Assistance.
Email: Email the invitation to the helper. Remote Assistance automatically launches a blank email form. If the user does not have an email client configured, then Windows Mail prompts for configuration.
Saving a file: Save the invitation to a file in a network location that the helper can access. You can use the Help and Support Center links to assist in saving the invitation as a file.

After creating the invitation, the user must create a password to protect the invitation. The requester must transmit the password to the helper in a separate communication. A Remote Assistance window then appears and waits for an incoming connection. Do not close this window, or the helper will be unable to respond. Administrators can control many aspects of the invitation, such as how long an invitation remains valid, and whether someone can control the computer remotely. These settings are in the Advanced section of the Remote tab in System Properties. The default settings allow remote control, and invitations are valid for six hours.

Note You must configure Windows Firewall to allow communication through port 3389.

Accepting an Invitation
After the recipient receives your invitation, the recipient can respond by saving and then opening the attached file, and then entering the password. Remote Assistance creates an encrypted connection either over the Internet or over the network that connects the computers. The requesting user has to click Yes to complete the transaction.


Demonstration: How to Use Remote Assistance (Optional)

In this demonstration, you will see how to use Remote Assistance to help resolve a user's problem with an Office feature.

Demonstration Steps
1. On NYC-CL1, create a Microsoft Office Word document.
2. Request remote assistance.
3. From NYC-DC1, provide remote assistance.
4. Start a chat session with the user.
5. Take remote control of the user's computer.
6. Demonstrate the required feature to the user.
7. Close remote assistance.


Configuring Remote Assistance by Using GPOs

You can manage some aspects of Remote Assistance by using Group Policy. Configure Group Policy objects (GPOs) on the local computer or in AD DS to control the Remote Assistance behavior. You can access Remote Assistance policy settings by expanding Computer Configuration, expanding Policies, expanding Administrative Templates, expanding System, and then expanding Remote Assistance. The following table lists the Remote Assistance policy settings.

Policy setting: Description
Allow only Vista or newer connections: This policy generates Remote Assistance invitations with improved encryption. This setting does not affect Remote Assistance connections that are initiated by instant-messaging contacts or by unsolicited Offer Remote Assistance.
Turn on session logging: Turn logging on. Log files are located in the user's Documents folder under Remote Assistance.
Turn on bandwidth optimization: This policy improves performance in low bandwidth scenarios. This setting scales incrementally from No optimization to Full optimization.
Solicited Remote Assistance: Enable Solicited Remote Assistance on this computer. Disabling this setting prevents users from asking for Remote Assistance. You also can configure invitation time limits, and whether to allow remote control.
Offer Remote Assistance: Turn on Offer (Unsolicited) Remote Assistance on this computer. You must enable this policy for users to receive unsolicited Remote Assistance.


Lesson 4

Troubleshooting NAP Issues

Network Access Protection (NAP) enables you to create customized health-requirement policies to validate computer health before allowing access or communication. NAP also updates compliant computers automatically to ensure ongoing compliance and limits the access of noncompliant computers to a restricted network until they become compliant. Understanding how NAP works enables you to determine why client computers are unable to connect to your organization's network resources when they are not compliant.

Objectives
After completing this lesson, you will be able to:
Describe the function of NAP.
Describe the components required to enable NAP.
Describe how to use NAP within your organization.
Configure client-side NAP settings.
Troubleshoot NAP.

Troubleshooting Remote Connectivity Issues 6-41

What Is NAP?

NAP for Windows Server 2008 R2, Windows 7, and Windows Vista provides components and an application programming interface (API) that help you enforce compliance with your organization's health-requirement policies for network access or communication. NAP enables you to create solutions for validating computers that connect to your networks, provides the necessary updates or access to health-update resources, and limits the access or communication of noncompliant computers.

You can integrate NAP's enforcement features with software from other vendors or with custom programs. You also can customize a health-maintenance solution that developers within your organization develop and deploy, whether for monitoring the computers that access the network for health-policy compliance, automatically updating computers with software updates to meet health-policy requirements, or limiting computers that do not meet health-policy requirements to a restricted network.

It is important to remember that NAP does not protect a network from malicious users. Rather, it helps you maintain the health of your organization's networked computers automatically, which in turn helps maintain your network's overall integrity. For example, if a computer has all the software and configuration settings that the health policy requires, the computer is compliant and will have unlimited network access. However, NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior. The health statements that NAP evaluates are reported by agents running on the client itself, so treat NAP as a hygiene control rather than as a barrier against a deliberately hostile computer.


Aspects of NAP
NAP has three important and distinct aspects:

Health state validation. When a computer attempts to connect to the network, NAP validates the computer's health state against the health-requirement policies that the administrator defines. You also can define what to do if a computer is not compliant. In a monitoring-only environment, NAP evaluates the health state of all computers, and then logs the compliance state of each computer for analysis. In a limited access environment, computers that comply with the health-requirement policies have unlimited network access. Computers that do not comply with health-requirement policies may have access that is limited to a restricted network.

Health policy compliance. You can help ensure compliance with health-requirement policies by choosing to update noncompliant computers automatically with missing software updates or configuration changes through management software, such as Microsoft System Center Configuration Manager. In a monitoring-only environment, computers have network access before they are updated with the required updates or configuration changes. In a limited access environment, noncompliant computers have limited access until the updates and configuration changes are complete. In both environments, computers that are compatible with NAP can become compliant automatically, and you can define exceptions for computers that are not compatible with NAP.

Limited access. You can protect your networks by limiting the access of noncompliant computers. You can base limited network access on a specific amount of time, or on what resources the noncompliant computer can access. In the latter case, you define a restricted network containing health update resources, and the limited access lasts until the noncompliant computer comes into compliance. You also can configure exceptions so that computers that are not compatible with NAP do not have their network access limited.


Components of NAP

The following list describes the components of a NAP-enabled network infrastructure.

NAP clients. Computers that support the NAP platform for system health-validated network access or communication.

NAP enforcement points. Computers or network-access devices that use NAP, or that you can use with NAP, to require evaluation of a NAP client's health state, and then provide restricted network access or communication. NAP enforcement points use a Network Policy Server (NPS) that is acting as a NAP health policy server to evaluate the health state of NAP clients, whether network access or communication is allowed, and the set of remediation actions that a noncompliant NAP client must perform. NAP enforcement points include the following:
Health Registration Authority (HRA). A computer that runs Windows Server 2008 R2 and IIS, and that obtains health certificates from a certification authority (CA) for compliant computers.
VPN server. A computer that runs Windows Server 2008 R2 and Routing and Remote Access, and that enables VPN intranet connections via remote access.
DHCP server. A computer that runs Windows Server 2008 R2 and the DHCP Server service, and that provides automatic IPv4 address configuration to intranet DHCP clients.
Network access devices. Ethernet switches or wireless access points that support Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication.

NAP health policy servers. Computers that run Windows Server 2008 R2 and the NPS service, and that store health-requirement policies and provide health-state validation for NAP. NPS is the replacement for the Internet Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS) server and proxy that Windows Server 2003 provides. NPS also acts as an authentication, authorization, and accounting (AAA) server for network access. When acting as an AAA server or NAP health policy server, NPS typically runs on a separate server for centralized configuration of network access and health-requirement policies. The NPS service also runs on Windows Server 2008-based NAP enforcement points that do not have a built-in RADIUS client, such as an HRA or DHCP server. However, in these configurations, the NPS service acts as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.

Health requirement servers. Computers that provide the current system health state for NAP health policy servers. An example is a health-requirement server for an antivirus program that tracks the latest version of the antivirus signature file.

AD DS. The Windows directory service that stores account credentials and properties, and stores Group Policy settings. Although not required for health-state validation, Active Directory is required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.

Restricted network. A separate logical or physical network that contains remediation servers and NAP clients with limited access.

Remediation servers. Computers that contain health update resources that NAP clients can access to remediate their noncompliant state. Examples include antivirus signature distribution servers and software update servers.

NAP clients with limited access. Computers placed on the restricted network because they do not comply with health-requirement policies.


Discussion: How Would You Use NAP?

The need to enforce client health requirements varies between organizations. Some organizations have already implemented a solution, while others are just evaluating one. NAP is the Microsoft solution for enforcing client health requirements. NAP has the following enforcement methods:
DHCP
VPN
802.1X
IPsec
TS Gateway

Question: Can you envision using NAP? If so, what NAP enforcement method would be suitable?


Configuring Client-Side NAP Settings

You should remember these basic guidelines when you configure NAP clients:
Some NAP deployments that use Windows Security Health Validator require that you enable Security Center.
The Network Access Protection service is required when you deploy NAP to NAP-capable client computers.
You must also configure the NAP enforcement clients on the NAP-capable computers.

Enable Security Center in Group Policy


You can use this procedure to enable Security Center on NAP-capable clients by using Group Policy. Some NAP deployments that use Windows Security Health Validator require Security Center.

Note To complete this procedure, you must be a member of one of the following groups on the local computer: Domain Admins, Enterprise Admins, or Administrators.

To enable Security Center in Group Policy:
1. Open the Group Policy Management console, and then click Add.
2. In the Select Group Policy Object dialog box, click Finish, and then click OK.
3. In the console tree, double-click Local Computer Policy, double-click Computer Configuration, double-click Administrative Templates, double-click Windows Components, and then double-click Security Center.
4. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.


Enable the Network Access Protection Service on Clients


You can use this procedure to enable and configure the NAP service on NAP-capable client computers. When you deploy NAP, you must enable this service.

Note To complete this procedure, you must be a member of one of the following groups on the local computer: Domain Admins, Enterprise Admins, or Administrators.

To enable the NAP service on client computers:
1. Click Start, click Control Panel, click System and Security, click Administrative Tools, and then double-click Services.
2. In the services list, scroll down to, and then double-click, Network Access Protection Agent.
3. In the Network Access Protection Agent Properties dialog box, change Startup Type to Automatic, and then click OK. Click Start if you want the service running immediately rather than at the next restart.

Enable and Disable NAP Enforcement Clients


You can use this procedure to enable or disable one or more NAP enforcement clients on NAP-capable computers. These clients may include:
DHCP Enforcement Client
Remote Access Enforcement Client
EAP Enforcement Client
IPsec Enforcement Client
TS Gateway Enforcement Client

To enable and disable NAP Enforcement Clients:
1. Open the NAP client configuration console: click Start, click All Programs, click Accessories, click Run, type NAPCLCFG.MSC, and then click OK.
2. Click Enforcement Clients. In the details pane, right-click the enforcement client that you want to enable or disable, and then click Enable or Disable.

If Group Policy configures NAP client settings for the computer, those settings take precedence over the local settings that you make here.

Note To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider performing this procedure by using the Run as command.
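The three client-side settings described in this topic (Security Center, the NAP agent service, and the enforcement clients) can be applied together from an elevated PowerShell prompt. The script below is an added example for this page, not part of the course or of the Windows NAP tooling. It assumes a local-policy configuration (in a domain, deliver the Security Center setting through a GPO instead, or Group Policy will overwrite it), that the SecurityCenterInDomain registry value is what the Turn on Security Center (Domain PCs only) policy writes, and that the numeric enforcement client IDs are the ones netsh nap client show state reports on Windows 7. Confirm both assumptions on your own build before using it.

```powershell
# Added example (not course material): apply the three client-side NAP
# settings on a Windows 7 client. Run from an elevated PowerShell 2.0 prompt.

# 1. Security Center. This registry value is what the local policy
#    "Turn on Security Center (Domain PCs only)" writes (assumption: confirm
#    in SecurityCenter.admx). In a domain, set it through a GPO instead so
#    Group Policy does not overwrite it on the next refresh.
$scKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
if (-not (Test-Path $scKey)) { New-Item -Path $scKey -Force | Out-Null }
Set-ItemProperty -Path $scKey -Name 'SecurityCenterInDomain' -Value 1 -Type DWord

# 2. NAP agent service: start automatically, and start it now.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
Get-WmiObject Win32_Service -Filter "Name='napagent'" |
    Select-Object Name, State, StartMode

# 3. Enforcement clients. IDs as reported by 'netsh nap client show state'
#    on Windows 7 (assumption: confirm on your build). Enable only the clients
#    that match the enforcement methods you actually deploy; every extra
#    enabled client is one more SoH exchange to troubleshoot.
$enforcementClients = @{
    'DHCP'         = 79617
    'RemoteAccess' = 79618   # VPN enforcement
    'IPsec'        = 79619
    'TSGateway'    = 79621
    'EAP'          = 79623   # 802.1X enforcement
}
$enable = @('EAP', 'RemoteAccess')   # example choice: 802.1X and VPN enforcement

foreach ($name in $enforcementClients.Keys) {
    $id    = $enforcementClients[$name]
    $admin = if ($enable -contains $name) { 'enable' } else { 'disable' }
    netsh nap client set enforcement "id=$id" "admin=$admin"
    Write-Host ("{0,-13} id={1} admin={2}" -f $name, $id, $admin)
}

# Confirm the effective client state (restriction state, enforcement clients,
# installed SHAs, trusted server groups).
netsh nap client show state
```

Run it once per client, or wrap it in a computer startup script. The final show state output lists each enforcement client with its administrative state, so you can confirm that only the intended enforcement methods are active; remember that Group Policy NAP settings, if present, override whatever this script sets locally.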


Best Practices for Troubleshooting NAP

When a NAP-capable client attempts to connect to your network, several NAP components assess its health.

Troubleshooting Procedure
If a problem occurs when a client attempts a connection, you can troubleshoot the connection by using the following procedures:
Determine that all the client-side components are running. Ensure that Windows Security Center is enabled, that the Network Access Protection Agent service is running, and that the client-side NAP enforcement clients are configured correctly.
Determine the requirements of the system health validator (SHV). Reasons that the client is not compliant may include the absence of a firewall or the absence of current security updates.
Verify that the settings of the health policies are appropriate. The health policy determines network access by assessing the client against the SHV requirements. Verify that the health policy grants the appropriate access.
Verify that the client matches the conditions and constraints on the network policy. Ensure that the client's settings meet the conditions and constraints that you configure.
Check that the client is NAP-capable. A client that is not NAP-capable cannot report its health state, and is handled according to the exceptions that you configured for computers that are not compatible with NAP.

NAP Tracing
You can use the NAP Client Configuration snap-in to configure NAP tracing, in addition to troubleshooting by using the preceding general troubleshooting procedures. NAP tracing records NAP events in a log file, which you can use for troubleshooting and maintenance. You also can use tracing logs to evaluate your networks health and security. You can configure three levels of tracing: Basic, Advanced, and Debug.


You should enable NAP tracing when:
You troubleshoot NAP problems.
You evaluate the overall health and security of your organization's computers.

There are two tools available for configuring NAP tracing:
The NAP Client Configuration console, which is part of the Windows user interface.
The command-line tool, netsh.

Using the Windows User Interface


To enable or disable NAP tracing using the Windows user interface, and specify the level of detail that the tracing records:
1. Open the NAP Client Configuration console by clicking Start, clicking All Programs, clicking Accessories, clicking Run, typing napclcfg.msc, and then clicking OK.
2. In the console tree, right-click NAP Client Configuration (Local Computer), and then click Properties.
3. In the NAP Client Configuration (Local Computer) Properties dialog box, choose Enabled or Disabled.
4. If you chose Enabled, under Specify the level of detail at which the tracing logs are written, select Basic, Advanced, or Debug.

Note To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, consider performing this operation using the Run As command.

Using a Command-Line Tool


To use a command-line tool to enable or disable NAP tracing, and to specify the level of detail that the tracing records:
1. Open a command prompt by clicking Start, clicking All Programs, clicking Accessories, and then clicking Command Prompt.
2. Run one of the following commands:
To enable NAP tracing with basic or advanced logging, type netsh nap client set tracing state=enable level=basic or netsh nap client set tracing state=enable level=advanced.
To enable NAP tracing with debug information (the Debug level in the console), type netsh nap client set tracing state=enable level=verbose.
To disable NAP tracing, type netsh nap client set tracing state=disable.

Note To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, consider performing this operation using the Run As command.


Viewing Log Files


To view the log files, navigate to the %systemroot%\tracing\nap directory, and open the particular trace log that you want to view.

Using Netsh Commands


You can use the netsh nap client commands to help you troubleshoot NAP issues. The following commands are particularly useful:

netsh nap client show state
This command displays the status of a NAP client, including the:
Restriction state.
Status of enforcement clients.
Status of installed system health agents (SHAs).
Trusted server groups that are configured.

netsh nap client show config
This command displays the local configuration settings on a NAP client, including:
Cryptographic settings.
Enforcement client settings.
Trusted server group settings.
Client-tracing settings that have been configured.

netsh nap client show group
This command displays the Group Policy configuration settings on a NAP client, including:
Cryptographic settings.
Enforcement client settings.
Trusted server group settings.
Client-tracing settings that are configured.
When Group Policy NAP settings are present they override the local settings that show config displays, so compare the two outputs when a local change appears to have no effect.
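The troubleshooting procedure, the tracing steps, and the three netsh show commands above are the pieces a technician gathers when a NAP client fails to get full access. The script below is an added example for this page, not part of the course or of Windows; it captures all of them into one diagnostic folder from an elevated PowerShell 2.0 prompt on a Windows 7 client. The bundle folder name and the final triage patterns (the wording of the Restriction state and per-client Admin lines in the netsh output) are assumptions to confirm against your own build; the service names napagent and wscsvc are the Windows service names for the NAP agent and Security Center.

```powershell
# Added example (not course material): collect a NAP client diagnostic bundle
# on Windows 7. Run from an elevated PowerShell 2.0 prompt.
$bundle = Join-Path $env:TEMP ('nap-diag-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $bundle | Out-Null

# Client-side components that must be running before anything else is
# investigated: the NAP agent (napagent) and Security Center (wscsvc).
Get-Service -Name napagent, wscsvc -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status |
    Out-File (Join-Path $bundle 'services.txt')

# Switch on Debug-level tracing, reproduce the failing connection, then switch
# it off again so the log covers exactly the SoH exchange under investigation.
netsh nap client set tracing state=enable level=verbose
Read-Host 'Reproduce the connection attempt now, then press Enter' | Out-Null
netsh nap client set tracing state=disable

# Effective state, local configuration, and Group Policy configuration. When
# 'config' and 'group' disagree, Group Policy is overriding the local settings
# (the usual reason a local change made with napclcfg.msc "does not take").
foreach ($view in 'state', 'config', 'group') {
    netsh nap client show $view | Out-File (Join-Path $bundle "netsh-show-$view.txt")
}

# Trace logs are written under %systemroot%\tracing\nap.
$traceDir = Join-Path $env:SystemRoot 'tracing\nap'
if (Test-Path $traceDir) {
    Copy-Item -Path (Join-Path $traceDir '*') -Destination $bundle -Force
}

# First-look triage from the state dump. The field wording ('Restriction state'
# and per-client 'Admin = Disabled' lines) is an assumption about the netsh
# output; adjust the patterns if your build prints them differently.
Get-Content (Join-Path $bundle 'netsh-show-state.txt') |
    Select-String -Pattern 'Restriction state', 'Admin\s*=\s*Disabled'

Write-Host "Diagnostic bundle written to $bundle"
```

Tracing is left disabled when the script finishes; leaving Debug-level tracing on permanently fills %systemroot%\tracing\nap and slows the client, so enable it only around a reproduction as shown.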

NAP Event Logs


NAP services record NAP-related events into the Windows event logs. To view these events, open Event Viewer, and select Custom Views. Select Server Roles, and then select Network Policy and Access Services.


The following events are logged on an NPS server and provide information about NAP services:

Event ID 6272. Network Policy Server granted access to a user. Occurs when a NAP client is successfully authenticated and, depending on its health state, obtains full or restricted access to the network.

Event ID 6273. Network Policy Server denied access to a user. Occurs when there is a problem with authentication or authorization; the event carries a reason code that identifies the problem.

Event ID 6274. Network Policy Server discarded the request for a user. Occurs if there is a configuration problem, for example when the RADIUS client settings are incorrect, or when NPS cannot create accounting logs.

Event ID 6276. Network Policy Server quarantined a user. Occurs when the client-access request matches a network policy that is configured with a NAP enforcement setting of Allow limited access.

Event ID 6277. Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. Occurs when the client-access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access for a limited time; the noncompliant client keeps full access until the date specified in the policy.

Event ID 6278. Network Policy Server granted full access to a user because the host met the defined health policy. Occurs when the client-access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access.
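On the NPS server, these six event IDs are the quickest way to tell whether a failing client was denied, quarantined, placed on probation, or never reached a policy at all. The script below is an added example for this page, not part of the course or of NPS; it summarises the events from the Security log on a Windows Server 2008 R2 NPS server running PowerShell 2.0, and must run elevated with the Network Policy Server audit subcategory enabled. The event data field names it reads (SubjectUserName, NetworkPolicyName, Reason) are assumptions about the event XML; the helper returns nothing rather than failing when a field is absent.

```powershell
# Added example (not course material): summarise NPS/NAP outcomes on an NPS
# server from the Security log (events 6272-6278). Run elevated; the
# "Network Policy Server" audit subcategory must be enabled (auditpol).
$napOutcomes = @{
    6272 = 'Granted (full or restricted, per health state)'
    6273 = 'Denied (see reason code)'
    6274 = 'Discarded (NPS configuration problem)'
    6276 = 'Quarantined (Allow limited access)'
    6277 = 'Probation (noncompliant, full access for a limited time)'
    6278 = 'Full access (compliant)'
}

function Get-NpsEventField {
    # Read one <Data Name="..."> field from the event XML. Field names such as
    # SubjectUserName / NetworkPolicyName / Reason are assumptions; the
    # function returns $null when a field is absent rather than failing.
    param($Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { $null }
}

$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($napOutcomes.Keys)
    StartTime = (Get-Date).AddHours(-24)
}

$rows = foreach ($e in $events) {
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Outcome = $napOutcomes[$e.Id]
        User    = Get-NpsEventField $e 'SubjectUserName'
        Policy  = Get-NpsEventField $e 'NetworkPolicyName'
        Reason  = Get-NpsEventField $e 'Reason'      # populated on 6273
    }
}

# Outcome counts. A run of 6274 events points at the NPS side (RADIUS client
# address or shared secret, or accounting-log failures), not at the clients.
$rows | Group-Object Outcome | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Denials with their reason text, newest first.
$rows | Where-Object { $_.Id -eq 6273 } | Sort-Object Time -Descending |
    Select-Object Time, User, Policy, Reason | Format-Table -AutoSize
```

If the first table is empty, check the audit policy before suspecting NPS: without the Network Policy Server subcategory enabled, none of these events are written to the Security log.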


Lesson 5

Troubleshooting DirectAccess Issues

Organizations often rely on VPN connections to provide remote users with secure access to data and resources on the corporate network. VPN connections are easy to configure, and several different clients support them. However, users must establish the VPN connection before they can work, and allowing those connections may require additional configuration of the corporate firewall. Additionally, VPN connections usually enable remote access to the entire corporate network, and typically organizations cannot manage remote computers effectively while they are not connected. To manage remote computers easily and overcome these limitations of VPN connections, organizations can implement DirectAccess, which provides a seamless connection between the internal network and the remote computer whenever the remote computer has an Internet connection.

Note DirectAccess is available in Windows Server 2008 R2 and Windows 7.

Objectives
After completing this lesson, you will be able to:
Describe DirectAccess.
Describe how DirectAccess works.
Configure DirectAccess.
Troubleshoot DirectAccess connectivity.


What Is DirectAccess?

Windows Server 2008 R2 and Windows 7 include a feature called DirectAccess that enables seamless remote access to intranet resources without users having to first establish a VPN connection. DirectAccess also gives internal users and remote users the same connectivity to the application infrastructure. Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess enables any application on the client computer to have complete access to intranet resources. DirectAccess also enables you to specify resources and client-side applications that are restricted for remote access. Organizations benefit from DirectAccess because remote computers can be managed as if they are local computers, using the same management and update servers, to ensure they are always current and in compliance with security and system health policies. You also can define more detailed access-control policies for remote access than VPN solutions typically allow. DirectAccess has the following features:
Automatically connects the client computer to the corporate intranet when it is connected to the Internet.
Uses various protocols, including HTTPS, to establish IP version 6 (IPv6) connectivity. HTTPS typically is allowed through firewalls.
Supports selected server access and IPsec authentication with an intranet network server.
Supports end-to-end authentication and encryption.
Supports management of remote client computers.
Allows remote users to connect directly to intranet servers.


DirectAccess has the following benefits:

Always-on connectivity. Whenever the user connects the client computer to the Internet, the client computer is also connected to the intranet. This connectivity enables remote client computers to access and update applications easily, makes intranet resources always available, and enables users to connect to the corporate intranet from anywhere at any time, which maximizes their productivity and performance.

Seamless connectivity. DirectAccess provides a consistent connectivity experience, regardless of whether the client computer is local or remote. This allows users to focus more on productivity and less on connectivity options and process. This consistency can reduce both user training costs and support incidents.

Bidirectional access. You can configure DirectAccess so that DirectAccess clients have access to intranet resources, and computers on the intranet have access to those DirectAccess clients. This makes DirectAccess bidirectional: DirectAccess users have access to intranet resources, and you have access to DirectAccess clients while they are connecting over a public network. This ensures that the client computers always have the most recent security updates and the domain's Group Policy enforced, whether users are on the corporate intranet or on the public network. This bidirectional access also results in:
Decreased update time.
Increased security.
Decreased update miss rate.
Improved compliance monitoring.

Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to network resources. This tighter degree of control allows security architects to precisely control which remote users access which resources. IPsec encryption protects DirectAccess traffic, so users can be sure that their communication is safe. You can use a granular policy to define who can use DirectAccess, and from where.

Integrated solution. DirectAccess fully integrates with Server and Domain Isolation and NAP solutions, resulting in the seamless integration of security, access, and health-requirement policies between the intranet and remote computers.


How Does DirectAccess Work?

The DirectAccess connection process happens automatically, without requiring user intervention. DirectAccess clients use the following process to connect to intranet resources:
1. The DirectAccess client computer that is running Windows 7 detects that it is connected to a network.
2. The DirectAccess client computer attempts to connect to an intranet website that is specified during the DirectAccess configuration. If the website is available, the client concludes that it is connected to the intranet, and the DirectAccess connection process stops. If the website is not available, the client concludes that it is connected to the Internet, and the DirectAccess connection process continues.
3. The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo. Note that the user does not have to be logged on to the computer for this step to occur.
4. If a firewall or proxy server prevents the client computer from using 6to4 or Teredo to reach the DirectAccess server, the client computer automatically attempts to connect by using the IP-HTTPS protocol, which tunnels IPv6 traffic inside an SSL connection.
5. To establish the IPsec session, the DirectAccess client and server authenticate each other by using computer certificates.
6. By validating AD DS group memberships, the DirectAccess server verifies that the computer and user are authorized to connect by using DirectAccess.
7. If you enable and configure NAP for health validation, the DirectAccess client obtains a health certificate from an HRA located on the Internet before connecting to the DirectAccess server. The HRA forwards the DirectAccess client's health status information to a NAP health policy server, which processes the policies defined on the NPS and determines whether the client is compliant with the system health requirements. If the client is compliant, the HRA obtains the health certificate for the DirectAccess client, and the client submits that certificate for authentication when it connects to the DirectAccess server.
8. The DirectAccess server begins forwarding traffic from the DirectAccess client to the intranet resources to which the user has been granted access.


Configuring DirectAccess

To configure DirectAccess, you need to perform the following steps:
1. Install Windows Server 2008 R2 on a server computer with two physical network adapters.
2. Join the DirectAccess server to an Active Directory domain.
3. Install the DirectAccess Management feature, and configure the DirectAccess server so that it is on the perimeter network, with one network adapter connected to the Internet and at least one other network adapter connected to the intranet. Ensure that both network adapters are enabled and have their respective IPv4 addresses configured if no native IPv6 connectivity is available. This is critical for the DirectAccess server to derive its configuration information automatically; otherwise, you will need to enter the detailed configuration manually.
4. Verify that the ports and protocols necessary for DirectAccess, and ICMP Echo Request, are enabled in the firewall exceptions and are opened on the perimeter and Internet-facing firewalls.
5. The DirectAccess server needs at least two consecutive public, static IPv4 addresses that can be resolved externally through DNS. Ensure that you have those IPv4 addresses available, and that you have the ability to publish them in your externally-facing DNS server.
6. If you have disabled IPv6 on clients and servers, enable it, because DirectAccess requires IPv6.
7. Create a security group in Active Directory, and then add all client computer accounts that will access the intranet through DirectAccess.
8. Install a web server on the DirectAccess server to enable DirectAccess clients to determine whether they are inside or outside the intranet.
9. Designate one of the server network adapters as the Internet-facing interface. This interface requires two consecutive, public IPv4 addresses, and you must assign both of them to the same interface.
10. On the DirectAccess server, configure the Internet-facing interface to be either a public or a private interface, depending on your network design, and configure the intranet interfaces as Domain interfaces. DirectAccess supports no other combinations. If you have more than two interfaces, ensure that you select no more than two classification types.
11. Add and configure the Certificate Authority server role, create the certificate template and the CRL distribution point, publish the CRL, and then distribute the computer certificates.


Troubleshooting DirectAccess Client Issues

The process for troubleshooting the DirectAccess server configuration is beyond the scope of an EDST. However, you do need to understand how to troubleshoot DirectAccess from the client's perspective. If you have difficulty locating a specific server on the internal network, it may not have an IPv6 address. All servers that you access by using DirectAccess must have an IPv6 address. The following is the general process for troubleshooting DirectAccess clients:
1. Verify that the client version is Windows 7 Enterprise Edition or Windows 7 Ultimate Edition. Those are the only supported versions.
2. Verify that the client is joined to the domain. The computer account also must be a member of the security groups selected for access during server-side configuration.
3. Verify that the client has downloaded the GPOs that carry the DirectAccess configuration. You can use RSoP to verify that the correct GPO has been applied.
4. Verify IPv6 connectivity with the DirectAccess server by pinging the server's IPv6 address.
5. Verify that the client correctly identifies whether it is on the internal network or the Internet. Use the netsh dnsclient show state command, and then read the Machine location field.
6. Verify that clients on the Internet are not using the domain firewall profile, by using Windows Firewall with Advanced Security or the netsh advfirewall monitor show currentprofile command.
7. Verify that connected clients can resolve DNS names on the internal network. Use nslookup to verify that a DNS name resolves to an IPv6 address.
8. Verify that IPsec connectivity has been negotiated successfully. Use Windows Firewall with Advanced Security to view IPsec connections, or use the netsh advfirewall monitor show mmsa and netsh advfirewall monitor show qmsa commands.
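The eight checks above can be scripted so that a technician runs them in one pass and hands a pass/fail summary to the next tier. The script below is an added example for this page, not part of the course or of Windows; it targets a Windows 7 client with PowerShell 2.0 and runs elevated. The DirectAccess server IPv6 address, the internal host name, and the GPO name are placeholders you must replace, and the text it matches in command output (the Machine location value, the firewall profile heading, the transition-technology state lines, and the IPsec SA endpoint address) is an assumption to confirm against your own build. It also records which IPv6 transition technology carried the connection, which ties back to the 6to4, Teredo, and IP-HTTPS fallback in the connection process described earlier in this lesson.

```powershell
# Added example (not course material): run the DirectAccess client checks on a
# Windows 7 client from an elevated PowerShell 2.0 prompt. The three values
# below are placeholders for your environment.
$daServerIPv6 = '2001:db8::1'                  # assumption: DirectAccess server IPv6 address
$intranetHost = 'intranet.corp.example'        # assumption: a DNS name on the internal network
$gpoName      = 'DirectAccess Client Settings' # assumption: name of your DirectAccess client GPO

$results = New-Object System.Collections.ArrayList
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    [void]$results.Add((New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }))
}

# 1. Edition: DirectAccess clients must be Enterprise or Ultimate.
$os = Get-WmiObject Win32_OperatingSystem
Add-Check 'Windows 7 Enterprise/Ultimate' ($os.Caption -match 'Enterprise|Ultimate') $os.Caption

# 2. Domain membership. Security-group membership is enforced on the server side.
$cs = Get-WmiObject Win32_ComputerSystem
Add-Check 'Domain joined' $cs.PartOfDomain $cs.Domain

# 3. DirectAccess GPO applied (RSoP for the computer).
$gp = gpresult /r /scope:computer 2>&1 | Out-String
Add-Check "GPO applied: $gpoName" ($gp -match [regex]::Escape($gpoName)) 'gpresult /r /scope:computer'

# 4. IPv6 reachability of the DirectAccess server. IPv6 replies carry no TTL,
#    so match on the round-trip time instead.
$ping = ping -6 -n 2 $daServerIPv6 2>&1 | Out-String
Add-Check 'IPv6 ping to DirectAccess server' ($ping -match 'time[=<]\d+ms') $daServerIPv6

# 5. Network location detection: the Machine location field. Matching the value
#    on 'Outside' is an assumption about the text netsh prints.
$dns = netsh dnsclient show state | Out-String
$location = ''
if ($dns -match 'Machine location\s*:\s*(.+)') { $location = $Matches[1].Trim() }
Add-Check 'Machine location reported' ($location -ne '') $location

# 6. A client that is outside must not be in the Domain firewall profile.
$profileOut      = netsh advfirewall monitor show currentprofile | Out-String
$inDomainProfile = $profileOut -match 'Domain Profile'
$outside         = $location -match 'Outside'
$profileDetail   = if ($inDomainProfile) { 'Domain profile active' } else { 'Domain profile not active' }
Add-Check 'Firewall profile matches location' (-not ($outside -and $inDomainProfile)) $profileDetail

# 7. Internal names must resolve to IPv6 (AAAA) addresses; a server with no
#    IPv6 address is unreachable over DirectAccess.
$addrs = @()
try { $addrs = [System.Net.Dns]::GetHostAddresses($intranetHost) } catch { }
$v6 = @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' })
Add-Check "AAAA record for $intranetHost" ($v6.Count -gt 0) (($v6 | ForEach-Object { $_.ToString() }) -join ', ')

# 8. IPsec main-mode and quick-mode SAs. Assumption: the SA endpoint is the
#    address pinged in step 4; with 6to4 or Teredo the tunnel endpoint can differ.
$mm = netsh advfirewall monitor show mmsa | Out-String
$qm = netsh advfirewall monitor show qmsa | Out-String
$saPattern = [regex]::Escape($daServerIPv6)
Add-Check 'IPsec main-mode SA' ($mm -match $saPattern) 'netsh advfirewall monitor show mmsa'
Add-Check 'IPsec quick-mode SA' ($qm -match $saPattern) 'netsh advfirewall monitor show qmsa'

# Which transition technology carried the connection (see the connection
# process earlier in the lesson): 6to4, Teredo, or the IP-HTTPS fallback.
# The 'state|status' line match is an assumption about the netsh output.
$transition = foreach ($tech in '6to4', 'teredo', 'httpstunnel') {
    $out = if ($tech -eq 'httpstunnel') { netsh interface httpstunnel show interfaces } else { netsh interface $tech show state }
    $line = $out | Where-Object { $_ -match 'state|status' } | Select-Object -First 1
    "${tech}: " + ("$line" -replace '\s+', ' ').Trim()
}
Add-Check 'IPv6 transition technology' $true ($transition -join ' | ')

$results | Format-Table Check, Pass, Detail -AutoSize
```

Read the table top to bottom: the checks are ordered so that the first failure is usually the cause of everything below it (an unsupported edition or a missing GPO explains every later failure, and a client stuck in the Domain profile while outside explains a missing IPsec SA).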


Lab: Resolving Remote Connectivity Issues

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps two through four for 6293A-NYC-SVR2 and 6293A-NYC-CL1.

Lab Scenario
A user reported a recent problem connecting to the corporate intranet from his home. He cannot connect to the intranet, and receives the error that the help-desk ticket documents. The help desk checked the basic network settings, but is unsure how to proceed. For this project, you must complete the following tasks: Read the help-desk ticket. Plan a course of action. Attempt a resolution of the problem. Document a successful resolution of the problem.


Exercise: Resolving a Remote Connectivity Problem


Scenario
In this exercise, you will investigate the cause of the VPN connectivity failure. The main tasks for this exercise are:
1. Read the help-desk Incident Record for Incident 603321.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Supporting Documentation
Incident Record Incident Reference Number: 603321 Date of Call Time of Call User Status May 5 08:05 Max Stevens (Research Department) OPEN

Incident Details
Max reports that he cannot connect to the corporate intranet site from home. He uses a preconfigured VPN. The intranet site is accessible when Max connects his computer locally in the Contoso domain.

Additional Information
VPN settings for Contoso home users:
- Users connecting using VPN must use EAP authentication.
- The preferred RAS server is NYC-SVR2.
- NAP has been implemented in Contoso in recent weeks using VPN enforcement.
- IPv4 filters restrict connectivity to remediation servers.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 603321


Read the help-desk Incident Record for incident 603321.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.


Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.
2. Run the D:\Labfiles\Mod06\Scenario1.vbs script.
3. Wait while the computer restarts.
4. Log on by using the following credentials:
   User name: NYC-CL1\WSAdmin
   Password: Pa$$w0rd
5. Attempt to connect using the Contoso VPN.
6. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
7. What error message do you see?

Task 4: Attempt to resolve the problem


Note: Some of the tasks that you perform to resolve this problem may not typically be the responsibility of Tier 2 support staff. However, it is useful to see the problem resolution.

1. Using your knowledge of remote connectivity issues, and the tools available for troubleshooting the remote networking environment, attempt to resolve the problem.
2. Update the Resolution section of the incident record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
4. To repeat or exit the exercise, revert the virtual machine environment. If necessary, revert your virtual machines by using the following procedure:
   - On the host computer, start Hyper-V Manager.
   - Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   - In the Revert Virtual Machine dialog box, click Revert.
   - Repeat these steps for 6293A-NYC-SVR2 and 6293A-NYC-CL1.
   - In Hyper-V Manager, click 6293A-NYC-DC1.
   - In the Actions pane, click Start.
   - In the Actions pane, click Connect.
   - Wait until the virtual machine starts.
   - Log on using the following credentials:
     User name: Administrator
     Password: Pa$$w0rd
     Domain: Contoso
   - Repeat the start, connect and logon steps for 6293A-NYC-SVR2 and 6293A-NYC-CL1. For NYC-CL1, log on by using the following credentials:
     User name: NYC-CL1\WSAdmin
     Password: Pa$$w0rd

Results: At the end of this exercise, you will have resolved the remote connectivity problem.

To prepare for the next module


When you finish the practice session, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-SVR2 and 6293A-NYC-CL1.


Module Review and Takeaways

Review Questions
1. Users are complaining that they are unable to connect to the corporate network using VPNs following recent firewall configuration changes. The team responsible for implementing security policies has determined that only TCP port 443 is allowed through into the internal network. Which tunneling protocol supports this restriction?
2. A user from accounts has attempted to connect to the corporate network using a VPN, and keeps receiving error 800. To help resolve the issue, what would you attempt?
3. What tools could you use to help resolve the preceding problem?
4. You have a VPN server with two configured network policies. The first has a condition that grants access to members of the Contoso group, to which everyone in your organization belongs, but has a constraint of day and time restrictions for office hours only. The second policy has a condition of membership of the Domain Admins group and no constraints. Why are administrators being refused connections out of office hours, and what can you do about it?

Tools
Tool        Use for                      Where to find it
MSTSC.exe   Remote Desktop Connections   Start Menu
MSRA.exe    Remote Assistance            Start Menu


Module 7
Troubleshooting Logon and Resource Access Issues
Contents:
Lesson 1: Troubleshooting User Logon Issues                 7-3
Lesson 2: Troubleshooting User Profile Issues               7-13
Lesson 3: Troubleshooting File Access Issues                7-19
Lesson 4: Troubleshooting File Permissions Issues           7-28
Lesson 5: Troubleshooting Printer Access Issues             7-36
Lab: Troubleshooting Logon and Resource Access Issues       7-44


Module Overview

It is essential that users gain access to all of the resources that they need to perform their jobs, such as the data stored in their profiles, their files, and access to their printers. The first step in gaining access to these resources is a successful logon. User profiles, file access, and printer access all have unique issues that can affect the user experience negatively. You need to be able to troubleshoot and resolve issues related to all of these areas.

Objectives
After completing this module, you will be able to:
- Troubleshoot user logon issues.
- Troubleshoot user profile issues.
- Troubleshoot file access issues.
- Troubleshoot file permissions issues.
- Troubleshoot printer access issues.


Lesson 1

Troubleshooting User Logon Issues

To troubleshoot the logon process successfully, you need a thorough understanding of the logon process, including how Windows 7 uses cached credentials, and Active Directory Domain Services (AD DS) password and user policies. Additionally, you must be aware of the methods that you can use to identify the cause of logon issues.

Objectives
After completing this lesson, you will be able to:
- Discuss potential problems in the logon process.
- Describe the logon process.
- Describe cached credentials.
- Configure password policies and user properties.
- Describe methods to identify logon errors.


Discussion: Causes of Logon Issues

Your users must be able to log on successfully so that they can access the files, printers, and other resources that they require to do their jobs. There are a wide variety of reasons that a user might not be able to log on. Question: What are some logon problems that users may experience?


What Is the Logon Process?

The logon process authenticates both computer and user accounts. Domain controllers perform the authentication:
- for computer accounts, during the startup process; and
- for user accounts, when the user logs on.

At startup, a computer queries the configured Domain Name System (DNS) server to find domain controllers that are available to perform authentication. If you configure your Active Directory sites properly, a computer uses domain controllers in its own physical location, which is much faster than authenticating to a domain controller in another location. If the list of DNS servers on a Windows 7 computer is not configured appropriately, the computer cannot obtain a list of domain controllers, and one of the following occurs:
- Authentication fails. The user is unable to access the local computer or network resources.
- Windows 7 uses cached credentials. The user can access the local computer and may be able to access some network resources.
- Authentication is very slow but successful. This occurs when a suitable domain controller is on the local subnet, and the client computer locates it by using NetBIOS broadcasts.

During the logon process, Windows builds an access token for the computer account and for the user account. The token contains the security identifiers (SIDs) of the groups of which the account is a member, and Windows evaluates this list against permissions when the account attempts to access a resource. Because the token is built at logon, adding a computer or user account to a group has no effect on that account's existing session: the user must log off and log on again (or the computer must restart) before a new token with the updated group membership is issued.


Cached Credentials

Cached credentials allow users to authenticate to a local computer by using domain credentials when no domain controller is available to perform the authentication. Cached credentials are particularly useful for a roaming user who works on a laptop computer: the user can log on to the local computer by using the cached domain logon credentials even when the computer is not connected to the domain. Users must have cached credentials to access offline files and folders when they are not connected to the network. When a domain controller is available and a user logs on to a Windows 7 computer successfully, Windows 7 creates and stores cached credentials locally, and it updates them each time the user logs on to the domain.

Note: If a user has not authenticated successfully to the domain from a computer since their last password change, the cached credentials on that computer still correspond to the previous password, and the user must log on with the previous password while those cached credentials are in use.

If a user has no cached credentials on a computer and no domain controller is available, Windows 7 cannot authenticate the user. In most cases, Windows 7 notifies the user when cached credentials are used during the logon process.

By default, Windows 7 caches the credentials of the last 10 user accounts that logged on to a specific computer. You can modify this number either by editing the registry value CachedLogonsCount under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, or by using Group Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)).


The default number of cached credentials is 10, and you can configure Windows 7 to store up to a maximum of 50. If you set the number to zero, Windows 7 must contact a domain controller before a user can log on to the local computer with a domain account. Bear in mind that Windows stores the cached credentials as password verifiers in the registry (under HKLM\SECURITY\Cache, readable only by the SYSTEM account); an attacker who gains SYSTEM access to the computer can extract them for offline cracking, which is why some organizations set the value to zero on computers that never leave the network.

Note You should be aware of any modifications that you organization makes to the default configuration of cached credentials.
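The following Windows PowerShell functions are an added example, not part of the course, for checking and changing the cached logon count on a Windows 7 computer. They read the CachedLogonsCount value described above, treat an absent value as the Windows default, refuse values outside the 0 to 50 range, and report what the current setting means for a user who is away from the network. Set-CachedLogonsCount needs an elevated prompt; the registry path and value name are as documented on this page, everything else is the example's own.

```powershell
# Added example: read, validate and (optionally) set the number of domain
# logons Windows 7 caches. Set-CachedLogonsCount needs an elevated prompt.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    $item = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 10 }     # value absent: Windows default of 10
    return [int]$item.CachedLogonsCount    # stored as REG_SZ, so convert it
}

function Set-CachedLogonsCount {
    param([int]$Count)
    if ($Count -lt 0 -or $Count -gt 50) {
        throw "CachedLogonsCount must be between 0 and 50 (requested $Count)"
    }
    # Windows stores the value as a string (REG_SZ). If the Group Policy setting
    # "Interactive logon: Number of previous logons to cache" is defined in a
    # GPO that applies to this computer, policy rewrites this value at the next
    # refresh, so in that case change the GPO rather than the registry.
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

function Get-CachedLogonsReport {
    $count = Get-CachedLogonsCount
    $meaning = "$count domain accounts can log on while no domain controller is reachable"
    if ($count -eq 0) { $meaning = 'a domain controller must be reachable for every domain logon' }
    New-Object PSObject -Property @{ CachedLogonsCount = $count; Meaning = $meaning }
}

Get-CachedLogonsReport
```

Use Get-CachedLogonsReport on a laptop that cannot log on while away from the office: a count of 0, or a count that is lower than the number of people who share the laptop, explains the symptom without any further investigation.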


Group Policy Settings That Affect User Logon

In a corporate environment, password policies define the configuration of user passwords. Although domain administrators configure password policies, you should know the available password policy options so that you recognize when they are affecting the ability of users to log on.

Group Policy
You configure password policies in Group Policy, which also contains the settings for account lockout. When you enable account lockout, a user who attempts to log on with an incorrect password is locked out after a defined number of attempts. Remember that account lockouts can occur based on attempted logons to any system that authenticates users against AD DS. The most common scenario is users logging on at workstations, but account lockout also applies to applications such as Outlook Web App, and to anything that retries a saved password after the user has changed it, such as mapped drives, scheduled tasks and mobile devices. The following table lists important Group Policy settings that can affect user logons.

Enforce password history. When enabled, users cannot reuse recent passwords. Default: the last 24 passwords are remembered.

Maximum password age. The longest span of time that a password can exist before the user must change it. Default: 42 days.

Minimum password age. The minimum amount of time that a user must keep a password. Default: 1 day. This prevents users from cycling quickly through a list of passwords to defeat the password history requirement.

Minimum password length. The minimum number of characters in a domain user's password. Default: 7 characters.

Passwords must meet complexity requirements. When enabled, a password must contain characters from at least three of the four categories (uppercase letters, lowercase letters, digits, and symbols) and must not contain the user's account name. Default: enabled.

Account lockout threshold. The number of invalid logon attempts a user can make before Windows locks the account. When you set a threshold, you also define the window within which the invalid attempts must occur (Reset account lockout counter after) and how long the account stays locked (Account lockout duration). Default: 0, which means accounts never lock.

Note: Windows Server 2008 introduced fine-grained password policies, which you configure by creating Password Settings objects (PSOs) and applying them to individual groups or users. Fine-grained password policies enable you to apply different password restrictions and account-lockout settings to different sets of users within a single domain. Configuring fine-grained password policies is beyond the scope of this course.
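The following Windows PowerShell function is an added example, not course material, that reads the effective domain password and lockout policy listed in the table above straight from the domain object in AD DS. It uses the ADSI interfaces available on every Windows 7 client (no RSAT required), so a Tier 2 technician can confirm the real lockout threshold before deciding whether a complaint is a lockout or a forgotten password. It reads only the Default Domain Policy values on the domain head; fine-grained password policies (PSOs) are not reflected. The attribute names and the 100-nanosecond encoding of the time values are standard AD DS; the domain is taken from RootDSE.

```powershell
# Added example: read the domain-wide password and lockout policy through ADSI.
# Works on a domain-joined Windows 7 client with Windows PowerShell 2.0.
function Get-DomainPasswordPolicy {
    param([string]$DomainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext)
    $domain = [ADSI]"LDAP://$DomainDn"

    # Time-valued attributes are IADsLargeInteger values holding negative
    # 100-nanosecond intervals; "never" is stored as the most negative Int64.
    function Convert-Interval([object]$li, [double]$ticksPerUnit) {
        $v = $domain.ConvertLargeIntegerToInt64($li)
        if ($v -eq [long]::MinValue) { return 'never' }
        return [math]::Round([math]::Abs($v) / $ticksPerUnit, 2)
    }
    $day    = 864000000000.0   # 100-ns ticks per day
    $minute = 600000000.0      # 100-ns ticks per minute

    New-Object PSObject -Property @{
        EnforcePasswordHistory = [int]$domain.pwdHistoryLength.Value
        MaximumPasswordAgeDays = Convert-Interval $domain.maxPwdAge.Value $day
        MinimumPasswordAgeDays = Convert-Interval $domain.minPwdAge.Value $day
        MinimumPasswordLength  = [int]$domain.minPwdLength.Value
        # Bit 0 of pwdProperties is DOMAIN_PASSWORD_COMPLEX.
        ComplexityRequired     = (([int]$domain.pwdProperties.Value -band 1) -ne 0)
        # 0 means accounts never lock out.
        LockoutThreshold       = [int]$domain.lockoutThreshold.Value
        LockoutDurationMinutes = Convert-Interval $domain.lockoutDuration.Value $minute
        LockoutWindowMinutes   = Convert-Interval $domain.lockOutObservationWindow.Value $minute
    }
}

Get-DomainPasswordPolicy | Format-List
```

Compare the output with the defaults in the table: a LockoutThreshold other than 0 combined with a short LockoutWindowMinutes is the usual reason a single mistyped password on several devices locks an account.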


User Account Settings That Affect User Logon

AD DS stores user accounts, which network administrators or other support staff, such as the help desk, manage. Each user account has settings that are relevant to the logon process. You need to be aware of these settings so that you can identify them as potential sources of logon issues, and then escalate the issue to the appropriate group in your organization. The following table lists user account settings that can affect user logon.

User logon name. The user name that the user must use when logging on.

Unlock account. If you believe that an account is locked due to invalid logon attempts, select this check box to unlock the account.

User must change password at next logon. When this setting is enabled, the user must change their password during the next logon. If the user does not change the password, they may not be able to log on.

User cannot change password. If this setting is enabled, the user cannot change their password. This setting overrides any requirement to change a password in the domain password policy. It is typically used only for service accounts.

Password never expires. When this setting is enabled, the user cannot be forced to change their password. This setting overrides any requirement to change a password in the domain password policy. It is often used for service accounts, but may also be used for some users who are exempt from changing passwords for political reasons.

Account is disabled. Enabling this setting prevents anyone from logging on with this account. It is typically used when an employee is out of the office for a long period of time, or when an employee is terminated.

Smart card is required for interactive logon. When this setting is enabled, the user must use a smart card to log on. Requiring a smart card enhances security in environments with the infrastructure to support smart card-based logons.

Account expires. Allows configuration of a date after which the account is disabled. Typically used only for contract employees or other temporary staff.
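As an added example, not taken from the course, the following Windows PowerShell function reads the settings in the table above for one user account directly from AD DS using the .NET DirectoryServices classes, so that a support technician can check them from a Windows 7 client without RSAT. The account name max is an assumption. The userAccountControl bit values, the meaning of pwdLastSet = 0, and the encoding of lockoutTime and accountExpires as Windows file times are standard AD DS behaviour; "User cannot change password" is implemented as a permission on the object rather than a flag, so it is not reported here.

```powershell
# Added example: show the logon-relevant settings of one domain user account.
# Runs on a domain-joined Windows 7 client with Windows PowerShell 2.0.
function Get-LogonAccountStatus {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('userAccountControl', 'lockoutTime', 'pwdLastSet', 'accountExpires', 'userPrincipalName'))
    $r = $searcher.FindOne()
    if ($r -eq $null) { throw "No user account named '$SamAccountName' was found" }

    # Result property names are lowercased; attributes with no value are absent.
    function Get-Prop([string]$Name) {
        if ($r.Properties.Contains($Name) -and $r.Properties[$Name].Count -gt 0) {
            return $r.Properties[$Name][0]
        }
        return $null
    }
    $uac         = [int](Get-Prop 'useraccountcontrol')
    $lockoutTime = [long](Get-Prop 'lockouttime')
    $pwdLastSet  = [long](Get-Prop 'pwdlastset')
    $expires     = [long](Get-Prop 'accountexpires')

    # userAccountControl bit flags behind the check boxes in AD Users and Computers.
    $ACCOUNTDISABLE = 0x0002; $DONT_EXPIRE_PASSWORD = 0x10000; $SMARTCARD_REQUIRED = 0x40000

    $lockedSince = $null
    if ($lockoutTime -gt 0) { $lockedSince = [DateTime]::FromFileTimeUtc($lockoutTime) }
    $expiresOn = 'never'   # accountExpires of 0 or Int64.MaxValue means never
    if ($expires -gt 0 -and $expires -ne [long]::MaxValue) { $expiresOn = [DateTime]::FromFileTimeUtc($expires) }

    New-Object PSObject -Property @{
        UserPrincipalName             = Get-Prop 'userprincipalname'
        IsDisabled                    = (($uac -band $ACCOUNTDISABLE) -ne 0)
        PasswordNeverExpires          = (($uac -band $DONT_EXPIRE_PASSWORD) -ne 0)
        SmartCardRequired             = (($uac -band $SMARTCARD_REQUIRED) -ne 0)
        MustChangePasswordAtNextLogon = ($pwdLastSet -eq 0)
        # lockoutTime is not cleared when the lockout duration passes; compare
        # it with the domain's lockout duration before treating it as current.
        LockedOutSinceUtc             = $lockedSince
        AccountExpires                = $expiresOn
    }
}

Get-LogonAccountStatus -SamAccountName 'max' | Format-List
```

A Tier 2 technician typically has read access to these attributes but not the right to unlock or reset; the output tells you which of those actions to request when you escalate.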


Methods to Identify Logon Errors

You can resolve most logon errors quickly once you identify the problem. Use the following methods and tools to troubleshoot logon errors:
- On-screen errors. Most logon errors give an accurate description on the screen, but many users do not interpret these messages correctly. Viewing the error yourself is often more reliable than relying on the user's description of it.
- Active Directory Users and Computers. Use this tool to verify the user's logon name and whether the account is disabled, locked out or expired. You also can use it to unlock the account and reset the password, if necessary.
- Event logs. Use Event Viewer to look for events that indicate why a logon is failing. The Security log on the computer, or on a domain controller, records authentication failures, and the status codes in those events identify the specific cause, such as a wrong password, a locked-out account or a disabled account. The System log on the computer indicates whether the computer account is failing to authenticate.

If a user can log on but cannot access network resources, the logon probably used the user's cached credentials. In that case, verify network connectivity for the computer, and verify that the computer account is authenticating properly. If your organization does not restrict user logon to specific computers, have the user log on to a second computer; this shows whether the authentication issue is specific to one computer. Use the result to narrow your troubleshooting: if the issue is not computer-specific, it is not a local computer configuration issue.
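The following Windows PowerShell code is an added example, not part of the course, showing how to turn the Security log entries mentioned above into a readable reason. It decodes the Status and SubStatus fields of event 4625 (An account failed to log on) using the NTSTATUS values Windows writes to that event, and can pull the most recent failures from a local or remote Security log (which requires administrative rights). The two calls at the end use constructed code pairs, not values from a real log, to show the mapping offline.

```powershell
# Added example: explain failed-logon events (4625) from the Security log.
# NTSTATUS codes below are the values Windows records in the event's SubStatus
# (or Status when SubStatus is 0x0).
$LogonFailureReasons = @{
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000072' = 'Account disabled'
    '0xc0000234' = 'Account locked out'
    '0xc0000071' = 'Password expired'
    '0xc0000224' = 'User must change password at next logon'
    '0xc0000193' = 'Account expired'
    '0xc000006f' = 'Logon outside permitted logon hours'
    '0xc0000070' = 'Logon from this workstation is not permitted'
    '0xc000015b' = 'Logon type not granted (for example, no "Allow log on locally" right)'
}

function Resolve-LogonFailureStatus {
    param([string]$Status, [string]$SubStatus)
    # SubStatus carries the specific reason; Status is only useful when SubStatus is 0x0.
    $code = $Status
    if ($SubStatus -and $SubStatus -ne '0x0') { $code = $SubStatus }
    $code = $code.ToLower()
    if ($LogonFailureReasons.ContainsKey($code)) { return $LogonFailureReasons[$code] }
    return "Unrecognised status $code"
}

function Get-RecentLogonFailures {
    param([int]$Last = 20, [string]$ComputerName = '.')
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
        -MaxEvents $Last -ErrorAction SilentlyContinue | ForEach-Object {
        # The EventData element carries the fields as <Data Name="...">value</Data>.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $d.WorkstationName
            LogonType   = $d.LogonType
            Reason      = Resolve-LogonFailureStatus $d.Status $d.SubStatus
        }
    }
}

# Constructed examples (not from a real log): wrong password, then a locked-out account.
Resolve-LogonFailureStatus -Status '0xc000006d' -SubStatus '0xc000006a'
Resolve-LogonFailureStatus -Status '0xc0000234' -SubStatus '0x0'
Get-RecentLogonFailures -Last 10 | Format-Table Time, User, Workstation, LogonType, Reason -AutoSize
```

Event 4625 is written on the computer where the logon was attempted. For a domain account the domain controller records the same failure as 4771 (Kerberos pre-authentication failed) or 4776 (NTLM), so check the DC's Security log as well when the workstation shows nothing.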


Lesson 2

Troubleshooting User Profile Issues

User profiles contain user settings that configure a computer for use by a specific user. In some cases, you can configure roaming profiles to enable a user to retain their settings when they work on more than one computer. You must understand user profiles, and how to troubleshoot them, to configure computers correctly for users.

Objectives
After completing this lesson, you will be able to:
- Describe user profiles and their contents.
- Describe roaming user profiles.
- Discuss user profile issues.
- Configure default profiles.


User Profiles and Their Contents

A user profile is a collection of user-specific settings in Windows 7. Each user has a folder in C:\Users that contains the user's profile, named after the user account. For example, if the user account is Adam, the profile folder is C:\Users\Adam. If the account name conflicts with an existing profile folder on the computer (for example, a local user of the same name), Windows appends the domain name to the folder name, as in C:\Users\Adam.CONTOSO. A user profile contains:
- User-specific registry settings (NTUSER.DAT, which Windows loads as the HKEY_CURRENT_USER hive at logon)
- Application configuration files (AppData)
- Desktop
- Start Menu
- Favorites
- My Documents
- Downloads
- Other folders that specific applications create

Windows 7 also has a public profile that it stores in C:\Users\Public. All users profiles include the contents of this public profile when a user logs on. For example, if you create a shortcut in C:\Users\Public\Desktop, it appears on the desktop of all users that log on to that computer. For this reason, some applications store system-wide configuration information in the public profile.


Roaming User Profiles

Windows 7 profiles are local by default, which means that Windows 7 stores them only on the local computer. If a user logs on to a second computer, none of that user's settings are configured on the second computer, and any customization in the profile is unavailable. For example, application configurations, such as those for Microsoft Office Outlook, or customizations in Microsoft Office Word, are not available on the new computer. You can use roaming profiles to allow users to roam between computers and still access their configuration settings. A network file share stores the roaming profile; when a user logs on to a new computer, Windows copies the roaming profile from the network file share to the local computer. When the user logs off, Windows saves the profile locally, and then uploads it to the network file share.

Using Mandatory Profiles


A mandatory profile is a read-only roaming user profile. You can use a mandatory profile to ensure that users do not change configuration settings. When the user logs on, Windows copies the mandatory profile from the server to the local computer, just like a regular roaming user profile. However, when the user logs off, Windows does not update the mandatory profile on the network share. In most cases, multiple users share a mandatory roaming profile.


Configuring a Roaming Profile


- To configure a user's profile as a roaming profile, provide a profile path in the properties of the user account.
- To change a roaming user profile into a mandatory profile, rename the ntuser.dat file in the profile to ntuser.man.
- If you copy a profile, use the Copy To function in the User Profiles window of Advanced System Settings. This ensures that Windows updates the security permissions so that other users can access the profile.

Note You should never copy a profile by using a simple file copy, because Windows does not update security permissions properly.


Discussion: Issues with User Profiles

Because user profiles contain the user-specific configuration settings for Windows 7, the configuration of user profiles has a high impact on user satisfaction. If user profiles are not working correctly, the user may not have settings such as drive mappings, desktop shortcuts, and application settings. Question: What are some of the issues that can occur that relate to user profiles?
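One of the issues most often raised in this discussion is a user who logs on and finds an empty desktop because Windows loaded a temporary profile. As an added example, not part of the course, the following Windows PowerShell function lists the profiles Windows 7 knows about from the ProfileList registry key and flags the two signs of that failure: a key renamed to <SID>.bak (Windows does this when the original profile failed to load) and the PROFILE_TEMP_ASSIGNED bit (0x800) in the key's State value, which marks a session that received C:\Users\TEMP. The registry key and value names are standard; the meaning of the 0x800 bit is taken from the documented profile State flags and should be verified against your reference before relying on it.

```powershell
# Added example: list local profiles and flag temporary or backed-up entries.
# Requires an elevated prompt to read every ProfileList subkey.
function Get-ProfileRecords {
    $listKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem $listKey) {
        $props = Get-ItemProperty $key.PSPath
        $sid = $key.PSChildName
        $account = '(unresolved SID)'
        try {
            $sidObj = New-Object Security.Principal.SecurityIdentifier ($sid -replace '\.bak$', '')
            $account = $sidObj.Translate([Security.Principal.NTAccount]).Value
        } catch { }
        $state = [int]$props.State
        New-Object PSObject -Property @{
            Sid              = $sid
            Account          = $account
            ProfilePath      = $props.ProfileImagePath
            # Windows renames the key to <SID>.bak when the profile failed to
            # load and creates a fresh key for the temporary profile.
            IsBackupKey      = $sid.EndsWith('.bak')
            # PROFILE_TEMP_ASSIGNED (0x800): this session got C:\Users\TEMP.
            TemporaryProfile = (($state -band 0x800) -ne 0)
        }
    }
}

Get-ProfileRecords | Sort-Object ProfilePath |
    Format-Table Account, ProfilePath, IsBackupKey, TemporaryProfile -AutoSize
```

When a user has both a .bak key and a temporary-profile key, the fix is to resolve whatever stopped the original profile from loading (usually permissions on the profile folder or a locked NTUSER.DAT) and then to remove the temporary key and restore the original key name, rather than to keep working in C:\Users\TEMP, which Windows deletes at logoff.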


Default User Profiles

The first time a user logs on to a computer, Windows 7 creates the user's profile by copying the default profile on that computer. All of the files and settings in the default profile become part of the user profile, including the user-specific registry settings in NTUSER.DAT. If a user moves to a new computer, the user loses all profile customizations and starts from the default profile again, unless you use Windows Easy Transfer or the User State Migration Tool to migrate the profile contents to the new computer. Windows 7 stores the default profile in C:\Users\Default, a system folder that is hidden by default. Modifying the default profile allows you to configure settings for users before they log on to a computer for the first time. Simple modifications, such as adding a desktop shortcut, are easy to accomplish by placing the appropriate file in the default profile. Modifying the registry settings in the default profile is relatively complex: the method that Microsoft supports is to customize the built-in Administrator account's profile and then run sysprep.exe, the tool that prepares a computer for imaging, with an answer file in which the CopyProfile setting is true, which copies that profile over the default profile. Copying another profile over the default profile with the Copy To function, as was possible in earlier Windows versions, is no longer supported.

Note Because changes to the default profile do not propagate to user profiles after the first logon, we do not recommend that you configure user profiles by modifying the default profile. For this reason, most organizations use Group Policy to configure user environments instead of modifying the default profile.


Lesson 3

Troubleshooting File Access Issues

One of the most common tasks that users perform is to access and modify documents, which requires that users have access to those documents. Most users access documents over the network by using mapped drives. You can configure mapped drives manually, by using logon scripts, and by using Group Policy Preferences. When users disconnect from the network, they can use offline files and folders to continue working on cached copies of network documents. You need to understand and be able to troubleshoot all of these methods for accessing files.

Objectives
After completing this lesson, you will be able to:
- Discuss issues with file access.
- Describe how you can configure drive mappings manually.
- Describe how you can use logon scripts for drive mappings.
- Create a drive mapping by using Group Policy Preferences.
- Describe offline files and folders.
- Describe how to troubleshoot offline files and folders.
- Describe folder redirection.


Discussion: Issues with File Access

Most organizations store files centrally on file shares. Users can access a file share by using a Universal Naming Convention (UNC) path, but that is too complex for most users. Typically, users are given a drive mapping that connects them to a file share. Windows 7 also provides the options to redirect folders and to use offline files and folders. Question: What are some of the issues that can occur with file access?


Configuring Drive Mappings Manually

Drive mappings provide an easy way for users to access network files. It is common for organizations to standardize drive mappings for access to network files; for example, drive S maps to a shared folder with shared files, and drive H maps to a user's home folder. You can create drive mappings manually for users on their computers. However, Windows does not retain a manually created drive mapping across logon sessions unless you select the Reconnect at logon option when you create it, which makes the mapping persistent. Windows stores persistent drive mappings in the user profile. Configuring drive mappings manually is practical only for very small organizations. It is time-consuming and inefficient to create drive mappings manually in each user profile, because changing a drive mapping then requires you to visit each user's computer.

Note Creating a drive mapping does not configure the necessary permissions so that a user can access and modify files. You must configure permissions in a separate step.


Using Logon Scripts to Configure Drive Mappings

One common way to implement drive mappings is by using logon scripts. You can assign a logon script in the properties of a user account or in a Group Policy object (GPO). Scripts assigned in user account properties are stored in the Netlogon share of each domain controller; scripts assigned in a GPO are stored with that GPO in the Sysvol share of the domain controllers. The main benefits of using logon scripts for drive mappings are:
- Cross-computer application. A logon script runs on each computer to which a user logs on. This ensures that the drive mapping appears on every computer the user logs on to, without the need for roaming profiles.
- Simplified updates. When you need to change a drive mapping, you update a single, central logon script, rather than updating multiple user profiles individually and manually.
- Increased flexibility. You can write scripts that create drive mappings specific to users, groups, and computers.

The syntax for creating drive mappings varies depending on the type of logon script that you use. Two of the most common types of logon scripts are batch files (.bat) and Visual Basic Scripting Edition (VBScript) files (.vbs). Windows Server 2008 R2 and Windows 7 add the ability to use Windows PowerShell for logon scripts. The following examples map drive S to \\Server1\SharedData.


The syntax for mapping a drive in a batch file is:

    net use S: \\Server1\SharedData

The syntax for mapping a drive in VBScript is (the UNC path must be quoted as a string):

    Set objNetwork = CreateObject("WScript.Network")
    objNetwork.MapNetworkDrive "S:", "\\Server1\SharedData"

The syntax for mapping a drive in Windows PowerShell, which uses the same WScript.Network COM object, is:

    $network = New-Object -ComObject WScript.Network
    $network.MapNetworkDrive("S:", "\\Server1\SharedData")
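The one-line examples above map a single drive unconditionally. The following Windows PowerShell logon script is an added example, not part of the course, showing the "increased flexibility" point: it maps each drive only when the user's access token contains the corresponding group, and it handles the cases a real logon script meets, such as a drive letter already mapped to the right share, a letter mapped to a stale share, and a share that is unreachable. The group names, share paths and log file location are assumptions. Mappings are created with /persistent:no so that they live for the session only and do not collide with persistent mappings stored in the user profile.

```powershell
# Added example: group-based drive mappings for a PowerShell logon script.
# Assumed group names and share paths; adjust to your environment.
$Mappings = @(
    @{ Group = 'CONTOSO\Domain Users'; Drive = 'S:'; Path = '\\Server1\SharedData' },
    @{ Group = 'CONTOSO\Marketing';    Drive = 'M:'; Path = '\\NYC-DC1\Marketing'  }
)
$LogFile = Join-Path $env:TEMP 'logon-drives.log'

# Evaluate group membership from the token built at logon (same source the
# file server uses), so the result matches what the user can actually access.
$principal = New-Object Security.Principal.WindowsPrincipal ([Security.Principal.WindowsIdentity]::GetCurrent())

function Test-GroupInToken {
    param([string]$GroupName)
    try { return $principal.IsInRole($GroupName) }
    catch { return $false }   # name cannot be resolved to a SID (group renamed or deleted)
}

function Connect-MappedDrive {
    param([string]$Drive, [string]$Path)
    # Logon scripts run on every logon, so the letter may already be in use.
    $current = Get-WmiObject Win32_NetworkConnection -Filter "LocalName = '$Drive'"
    if ($current -and $current.RemoteName -eq $Path) { return 'already mapped' }
    if ($current) { & net use $Drive /delete /y | Out-Null }   # stale mapping
    & net use $Drive $Path /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) { return "failed (net use exit code $LASTEXITCODE)" }
    return 'mapped'
}

foreach ($m in $Mappings) {
    if (-not (Test-GroupInToken $m.Group)) { continue }
    $result = Connect-MappedDrive -Drive $m.Drive -Path $m.Path
    "$(Get-Date -Format s) $($m.Drive) -> $($m.Path): $result" | Out-File $LogFile -Append
}
```

Because the script evaluates the token, a user added to CONTOSO\Marketing does not get drive M until the next logon, which is the same behaviour the lesson on the logon process describes. The log file gives the help desk something to read when a user reports a missing drive.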


Demonstration: Using Group Policy Preferences for Drive Mappings

Windows Server 2008 introduced Group Policy Preferences, which you can use to map network drives. Mapping drives with Group Policy Preferences provides all of the benefits of centralized control that logon scripts provide, but is simpler to implement because you do not need to know the scripting syntax. In this demonstration, you will see how to use a Group Policy preference to map a drive letter for the Marketing group.

Demonstration Steps
1. On NYC-DC1, open Group Policy Management.
2. Create a new GPO linked to the domain.
3. Edit the GPO, and then browse to User Configuration\Preferences\Windows Settings\Drive Maps.
4. Create a new Mapped Drive for \\NYC-DC1\Marketing that uses the letter M.
5. On the Common tab of the Drive Map, enable Item-level targeting.
6. Target the Drive Map to the Marketing security group.


What Are Offline Files?

Offline files are a Windows 7 feature that caches copies of network files on the local computer. When the network is available, users work on the network version of the file, and Windows 7 updates the local copy automatically. When the network is unavailable, users work on the local copy; to the user, it appears that they are working on the network version. When the network becomes available again, Windows 7 updates the network version of the file.

Each time users connect to a shared folder that is enabled for offline files, Windows 7 scans for changes to files that are cached locally, and updates the cached copies as necessary. If both the network version and the locally cached version of a file have been modified, a sync conflict occurs. When a sync conflict occurs, an error symbol appears on the Sync Center icon in the notification area. Many users do not notice this icon, and those who do may not know how to respond to it.

Users must resolve sync conflicts in Sync Center. Until they do, Windows 7 neither uploads the locally cached document to the network nor downloads the network version to that computer, so two versions of the document exist, typically without the user being aware of it. In Sync Center, users can choose which version of a file to keep, or keep both versions. You must teach users how to use Sync Center to select the version to keep. In many cases, they should keep both versions, and then merge the content manually.

Sync Center also shows sync errors, which occur when Windows cannot synchronize with a particular location. This typically happens when the location, such as a file share, is unavailable to the user. Review the specific error message to determine the action necessary to correct a sync error.


Troubleshooting Offline Files

Synchronization errors are the main problem related to offline files. However, there are also situations in which offline files are simply not available. If offline files are not available, verify the following:
- Offline files are enabled in Windows 7. By default, offline files are enabled in Windows 7, but the feature may have been disabled manually by the user or by a Group Policy object.
- Offline files are enabled on the share. The share may not be configured to allow offline files; in such a case, users cannot use its files offline. A shared volume used by many users often has offline files disabled to avoid conflicts.
- The user cached the file. The default configuration of a file share specifies that only files the user specifically selects for offline use are cached. If the user did not select the file to be made available offline, it is not. A file share can instead be configured so that all files that are accessed are cached automatically.
- The user is logged on with a domain account. Files are available offline only to the user, logged on with the same credentials, who made them available offline. If the user logs on with a local user account while disconnected from the domain, the files are not available; the user should log on with the domain account, using cached credentials, when disconnected from the domain.
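The following Windows PowerShell functions are an added example, not part of the course, that check the four items in the list above. Get-OfflineFilesState reads the client-side cache state through the Win32_OfflineFilesCache WMI class that ships with Windows 7, and compares the logon domain with the computer name to tell a domain logon from a local one; Get-OfflineFilesItems lists what is actually in the cache under a given UNC prefix from Win32_OfflineFilesItem; Get-ShareCachingMode is run on the file server and reads the share's caching setting from the "Caching" line that net share prints. The share name SharedData and the UNC prefix are assumptions.

```powershell
# Added example: check the client-side and server-side preconditions for
# offline files. Client functions run on the Windows 7 computer; the share
# check runs on the file server.
function Get-OfflineFilesState {
    $cache = Get-WmiObject -Class Win32_OfflineFilesCache
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    New-Object PSObject -Property @{
        FeatureEnabled = [bool]$cache.Enabled
        # Enabled but not Active means the change needs a restart to take effect.
        FeatureActive  = [bool]$cache.Active
        CacheLocation  = $cache.Location
        LoggedOnAs     = $id.Name
        # A local account reports the computer name as its logon domain, and
        # files cached under a domain account are not available to it.
        DomainLogon    = ($env:USERDOMAIN -ne $env:COMPUTERNAME)
    }
}

function Get-OfflineFilesItems {
    param([string]$PathPrefix = '\\Server1\SharedData')
    # ItemType: 0 = file, 1 = directory, 2 = share, 3 = server.
    Get-WmiObject -Class Win32_OfflineFilesItem |
        Where-Object { $_.ItemPath -like "$PathPrefix*" } |
        Select-Object ItemPath, ItemType
}

function Get-ShareCachingMode {
    param([string]$ShareName)
    # Run on the file server: "net share <name>" prints a "Caching" line such as
    # "Caching   Manual caching of documents" or "Caching   Caching disabled".
    $lines = & net share $ShareName 2>&1 | ForEach-Object { [string]$_ }
    foreach ($l in $lines) {
        if ($l -match '^Caching\s+(.+)$') { return $matches[1].Trim() }
    }
    return 'share not found'
}

Get-OfflineFilesState | Format-List
Get-OfflineFilesItems | Format-Table -AutoSize
```

Work through the output in the order of the list: FeatureEnabled false explains everything on that computer; Caching disabled on the share explains it for every computer; an empty item list under the share with manual caching means the user never made the files available offline; DomainLogon false means the user is looking at the cache with the wrong identity.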

Troubleshooting Logon and Resource Access Issues

7-27

What Is Folder Redirection?

Folder redirection centralizes storage of some user profile folders on a network file share instead of in the local profile. Unlike roaming profiles, the folders are not synchronized between the network file share and the local computer. The content for redirected folders exists only on a network file share. This means that large amounts of data can exist in a redirected folder without affecting logon times. Some reasons to use folder redirection include:
- Ensuring My Documents is backed up. Many users save documents in My Documents by default. If this is on the local hard drive, Windows 7 may never back up these files. However, you can redirect the contents of My Documents to a home folder or a shared network drive.
- Minimizing the size of roaming profiles. Redirecting folders takes them out of a roaming profile. This reduces the size of roaming profiles, which results in better logon performance.

You can configure folder redirection manually or by using a GPO. For example, for the My Documents folder, you can configure redirection on the Location tab in the properties of My Documents, or by using a GPO. When you redirect a folder, you have the option to copy the files from the current location to the new location. If you forget to copy the files, they are not available to the user. The files continue to exist in the old location, and users can copy them at a later time.

Troubleshooting Folder Redirection


The most common issue that occurs when you configure folder redirection manually is that you forget to reconfigure it when you assign a user to a new computer, or when you disable folder redirection by accident. If you configure folder redirection by using Group Policy, the most common issue that occurs is that the Group Policy object does not apply to the user properly. This typically occurs because the user account is not in the correct organizational unit (OU).

Lesson 4

Troubleshooting File Permissions Issues

Objectives
After completing this lesson, you will be able to:
- Describe shares and share permissions.
- Describe permissions for NTFS file systems.
- Describe permission inheritance for NTFS.
- Describe the interaction between NTFS and share permissions.
- Calculate effective permissions.
- Troubleshoot permissions for file access.

Shares and Share Permissions

When you share a folder, the files in that folder and its subfolders are accessible over a network. You can use share permissions to control access to a share's contents and control what actions users can take with them. Share permissions apply when users go through the share to access files over the network. The share permissions also are consistent for all share contents. Share permissions cannot vary by file or folder. The share permissions are:
- Full control. Allows all permissions, including the ability to change permissions.
- Read. Allows users to read existing files, but not modify them or create new files.
- Change. Allows users to create new files or delete, modify, and read existing files.

When you assign permissions, you can set each permission to Allow, or to Deny. For example, you can assign a read permission of Allow to a group, while assigning a single user in the group a read permission of Deny, which denies that user read permissions. You can configure file shares on Windows 7 computers or on network servers.

Note Most organizations store all files on a network server that a network administrator manages. The default share permissions on a file share vary, depending on the version of Windows that is sharing the folder, and by how you create the shared folder. Incorrectly configured share permissions are most likely to occur when you create a new share or when you move a share to a new server.

NTFS Permissions

You can use NTFS permissions to control which users or groups can access or modify files and folders on partitions that you format with NTFS. These permissions are much more flexible than share permissions, because you can assign them individually for each file or folder, as necessary. NTFS permissions apply when users access files locally or over the network. In most cases, the default NTFS permissions that you configure on a Windows 7 computer are sufficient and require no modification. For example, NTFS permissions define a user profile as a user's private workspace, which is the configuration that most users desire. However, you typically configure custom permissions for a network file share to allow only users that you specify to access specific files.

To modify NTFS permissions, you must be assigned the Full control NTFS permission on the folder or file. The one exception is for file and folder owners: the owner of a file or folder can modify NTFS permissions even if they do not have any current NTFS permissions. Administrators are able to take ownership of files and folders to make modifications to NTFS permissions. There are both basic and advanced NTFS permissions. You most commonly use the basic permissions. With advanced NTFS permissions, you have very fine control over access to files and folders, but they are complex to manage.

The following table lists the basic NTFS permissions.

Permission: Full control
Parameters: Allows all permissions, including the ability to modify NTFS permissions and take ownership.

Permission: Modify
Parameters: Allows all file and folder modification activities, except modification of NTFS permissions and taking ownership.

Permission: Read and Execute
Parameters: Allows execution of a file. When applied to folders, it also allows the listing of folder contents.

Permission: List folder contents
Parameters: Allows the listing of a folder's contents. This applies only to folders.

Permission: Read
Parameters: Allows the reading of file contents and attributes.

Permission: Write
Parameters: Allows the modification of file contents and attributes, but not NTFS permissions or ownership. This does not allow file deletion. For a folder, this allows the creation of new files in the folder.

NTFS Permission Inheritance

By using permissions inheritance, you can set NTFS permissions on a folder, and NTFS applies those permissions to that folder's files and subfolders automatically. This means that you can set NTFS permissions for an entire folder structure at a single point, and when you need to modify them, you can modify them at a single point. You can block permissions inheritance if you want to restrict access to a subdirectory. For example, say you assign Change permissions to all accounting users for the ACCT folder. On the subfolder WAGES, you can block the inherited permissions from the ACCT folder, so that only a few specific users have access to the WAGES folder. When you block permissions inheritance, you have the option to copy existing permissions or begin with blank permissions. If you want to restrict a particular group or user, then copying existing permissions simplifies the configuration process. You also can add permissions to files and folders below the initial point of inheritance, without modifying the original permissions assignment. You do this to grant a specific user or group different file access than its inherited permissions.

Interaction of Share and NTFS Permissions

When you combine NTFS and share permissions, whichever permission is most restrictive applies. For example, if you assign a user Full Control NTFS permissions to a file, but that user is accessing the file through a share with Read permission, the user has read access only to the file. To simplify permission assignment, you can grant the Everyone group Full control share permission to all shares, and use only NTFS permissions to control access. Restrict share permissions to the minimum necessary to provide an extra security layer in case you configure NTFS permissions incorrectly.

Demonstration: Calculating Effective Permissions

Effective permissions are the permissions any user actually has to a file or folder, which may be different from the permissions that you assign or grant to a specific user. User and group permissions combine to determine effective permissions. For example, you assign a user Read permission, and then you assign Change permission to a group of which the user is a member. The effective permissions of the user are Change. When you combine permissions, Deny permission overrides Allow permission. For example, if you assign a group Change permission to a folder, and you deny a user that is a member of that group Change permission for the same folder, the user is ultimately denied the Change permission for the folder.

Note Calculations for effective permissions include only NTFS permissions. If effective permissions are correct, but a user still does not have the necessary access to a file, verify that the share permissions are correct.

In this demonstration, you will see how to calculate effective permissions.

Demonstration Steps
1. On NYC-CL1, open the Properties of C:\Program Files.
2. On the Security tab, open the Advanced security settings.
3. On the Effective Permissions tab, select Contoso\Adam, and then read the effective permissions.
4. Select Contoso\Administrator, and then read the effective permissions.

Troubleshooting File Access Permissions

If you connect a client computer properly to a network, then most network file access problems are due to permissions that you configure incorrectly. This is most likely to occur for new users or during the creation of new file shares. The first troubleshooting step that you should perform is checking the user's effective NTFS permissions. If the effective permissions are not what you expect them to be, you must identify how to assign the correct permissions to that user. In most cases, you assign a group the appropriate NTFS permissions, so your first step is to verify that the user is a member of the correct group(s). When you are evaluating NTFS permissions, be aware that the Deny permission overrides the Allow permission. For example, if your group has the Modify permission set to Allow, and a user in that group has the Modify permission set to Deny, the user is denied the Modify permission.

If the effective NTFS permissions are correct, then you should verify that the share permissions are configured correctly. Share permissions can limit the ability of users to access and modify files, even if the appropriate NTFS permissions are assigned. For example, if you assign a group Read share permission and Modify NTFS permission, the members of the group are limited to Read permission. To simplify the interaction of share and NTFS permissions, many organizations assign the Everyone group Full Control share permission. This means that NTFS permissions alone control access to files.
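The combination rules from the "Interaction of Share and NTFS Permissions" topic and the examples in this topic, worked through in an added Python model that is not part of the course material. The elementary right names, the Adam/Research/Everyone entries and the sample ACLs are constructed for illustration; the right sets are a simplified stand-in for the real NTFS access-mask bits, not the actual flag values.

```python
"""Effective-permission calculation, modelled on the rules in Module 7, Lesson 4.

Constructed model for illustration: the elementary rights below are a simplified
stand-in for the NTFS access-mask bits, not the real flag values.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Basic NTFS permissions as sets of elementary rights (simplified, constructed).
NTFS_BASIC = {
    "Read": {"read"},
    "Write": {"write"},
    "List folder contents": {"list"},
    "Read and Execute": {"read", "execute", "list"},
    "Modify": {"read", "execute", "list", "write", "delete"},
    "Full control": {"read", "execute", "list", "write", "delete",
                     "change_permissions", "take_ownership"},
}

# Share permissions expressed in the same elementary rights, so the two layers
# can be intersected ("whichever permission is most restrictive applies").
SHARE = {
    "Read": {"read", "execute", "list"},
    "Change": {"read", "execute", "list", "write", "delete"},
    "Full control": set(NTFS_BASIC["Full control"]),
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: a principal, a permission name and Allow/Deny."""
    principal: str    # user or group name, e.g. "Adam" or "Research" (constructed)
    permission: str   # key of NTFS_BASIC (NTFS ACE) or SHARE (share ACE)
    kind: str         # "Allow" or "Deny"


def _rights_for(aces: Iterable[Ace], table: dict, identities: set) -> set:
    """Union the Allow rights granted to any of the identities, then remove
    every right that a Deny entry for any of them takes away (Deny wins)."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal not in identities:
            continue  # ACE is for a principal the user does not match
        target = allowed if ace.kind == "Allow" else denied
        target.update(table[ace.permission])
    return allowed - denied


def effective_permissions(user: str, groups: Iterable[str],
                          ntfs_aces: Iterable[Ace],
                          share_aces: Optional[Iterable[Ace]] = None) -> set:
    """Rights the user ends up with on the file or folder.

    NTFS permissions apply locally and over the network; share permissions apply
    only when the file is reached through the share, so they are intersected
    with the NTFS result only when share_aces is given.
    """
    identities = {user, "Everyone", *groups}
    ntfs = _rights_for(ntfs_aces, NTFS_BASIC, identities)
    if share_aces is None:
        return ntfs
    return ntfs & _rights_for(share_aces, SHARE, identities)


def describe(rights: set) -> str:
    """Name the broadest basic NTFS permission fully covered by the rights."""
    for name, needed in sorted(NTFS_BASIC.items(), key=lambda kv: -len(kv[1])):
        if needed <= rights:
            return name
    return "No access"


if __name__ == "__main__":
    # User has Read, a group the user belongs to has Modify -> effective is Modify.
    ntfs = [Ace("Adam", "Read", "Allow"), Ace("Research", "Modify", "Allow")]
    print(describe(effective_permissions("Adam", ["Research"], ntfs)))  # Modify

    # Deny overrides Allow: a Deny Modify on the user wins over the group's Allow.
    ntfs_deny = ntfs + [Ace("Adam", "Modify", "Deny")]
    print(describe(effective_permissions("Adam", ["Research"], ntfs_deny)))  # No access

    # Share interaction: Full control NTFS reached through a Read share is read only.
    full = [Ace("Adam", "Full control", "Allow")]
    share_read = [Ace("Everyone", "Read", "Allow")]
    print(describe(effective_permissions("Adam", [], full, share_read)))  # Read and Execute

    # Everyone: Full control on the share leaves NTFS permissions in control.
    share_full = [Ace("Everyone", "Full control", "Allow")]
    print(describe(effective_permissions("Adam", ["Research"], ntfs, share_full)))  # Modify
```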

Lesson 5

Troubleshooting Printer Access Issues

When users finish working with documents, they often print them. If users cannot print their documents, they may become frustrated. To ensure that printing is available to users, and that it functions correctly, you must understand the Windows 7 printing architecture and how to install printers. You also need to understand how to install printer drivers and how location-aware printing works.

Objectives
After completing this lesson, you will be able to:
- Discuss issues related to printer access.
- Describe the Windows 7 printing architecture.
- Describe methods to install printers.
- Describe the installation of printer drivers on clients.
- Add a printer driver to a network printer.
- Describe how location-aware printing works.

Discussion: Printer Access Issues

Printing is one of the core network services that your organization provides to users. When users cannot print properly, they typically become frustrated and often call the help desk.

Question: What are some of the issues that can arise that relate to printing?

Windows 7 Printing Architecture

Windows Vista and Windows Server 2008 introduced a new printing process based on the XML Paper Specification (XPS). This printing process included a number of improvements in print quality and color management, and it lowered processing requirements. Windows Server 2008 R2 and Windows 7 continue to use XPS-based printing, which is used only by newer applications that use the Windows Presentation Foundation (WPF) Application Programming Interface (API). Windows 7 is backward compatible with printing based on the Graphics Device Interface (GDI) that Win32 applications use. Windows 7 also supports using GDI-based printer drivers. If necessary, Windows 7 converts a print job from GDI to XPS, or from XPS to GDI.

Some older printer drivers written for Windows XP were written to function in kernel mode, and do not work with Windows 7, which does not allow printer drivers to run in kernel mode. Many older print drivers written for Windows XP work with Windows 7. However, you should obtain a printer driver specifically written for Windows 7 if one is available.

Methods for Installing Network Printers

One of the most important tasks when you are configuring network printing is the installation of printers on client computers. There are several ways to install printers on Windows 7 client computers, which the following table details.

Installation method: Manually browse to a server
Description: Users or administrators can install network printers on a Windows 7 client computer by browsing to a print server, and then double-clicking the icon for the shared printer. The drawback to this method is that it relies on users knowing which server is sharing the printer, which is not the case in most organizations.

Installation method: Manually search Active Directory
Description: When a printer is shared, the print administrator has the option to list the printer in AD DS. Users that run the Add Printer Wizard can search AD DS to locate the printer. The printer can also be configured with a location property that makes it easier to locate an appropriate printer.

Installation method: GPO configured by Print Management
Description: You can use the Print Management administrative tool that is available on Windows Server 2008 print servers, Windows Vista, and Windows 7 to add printers to a GPO for distribution to computers or users. The GPO applies to users and computers based on the Active Directory OU to which the GPO is linked.

Installation method: Group Policy Preferences
Description: You can use Group Policy Preferences to distribute printers to users and computers by using a GPO. Group Policy Preferences are more flexible than a GPO that you configure by using Print Management because you can target printers that you distribute as Group Policy Preferences based on criteria such as security groups, Lightweight Directory Access Protocol (LDAP) queries, IP address range, and OU.

Manual methods for printer installation generally are not scalable in even medium-sized organizations. It is too time-consuming to add and remove the required printers manually on users' computers.

Installing Printer Drivers on Clients

Installation of printer drivers, and the permissions required to install printer drivers, vary depending on how you install the printer. Standard users have the necessary permissions to install both local and network printers, but not to add new printer drivers. When you add a new local printer, Windows 7 searches for an appropriate printer driver in the driver cache. If Windows 7 does not find an appropriate driver in the driver cache, standard users are unable to install the printer. To allow a standard user to install the printer, you may add an appropriate printer driver to the driver cache by using pnputil.exe. Alternatively, you can edit the local security policy to allow standard users to load and unload device drivers. Using a print server makes the installation of printer drivers much easier to manage. When you install network printers from a print server, Windows 7 downloads the printer driver from the print server, and then installs it. This is true even if a standard user is adding the printer manually.

Demonstration: Adding a Printer Driver to a Network Printer

Windows 7 computers download printer drivers from the print server during the printer installation process. You must ensure that a print server has appropriate drivers available for various types of client computers. For example, the 64-bit version of Windows 7 requires a different driver than the 32-bit version. If the print server is an older version of Windows, such as Windows Server 2003, you may need to use the Print Management administrative tool on a newer version of Windows, such as Windows 7, to add the appropriate driver to the print server. In this demonstration, you will see how to add a printer driver for a network printer.

Demonstration Steps
1. On NYC-DC1, open Server Manager.
2. Add the Print and Document Services role with the Print Server role service.
3. Open the Print Management administrative tool.
4. Create a new printer using an existing printer port with all default settings.
5. Open the Properties of the new printer.
6. On the Sharing tab, open the Additional Drivers.
7. Start the installation of an x86 driver for the printer, and then Cancel the installation.

Location-Aware Printing

Location-aware printing helps roaming users move between locations, while maintaining access to the correctly configured default printer. As users connect to a new network, they can set the default printer for that network. The next time they reconnect to that network, the default print setting changes automatically to the default printer that they defined previously for that specific network.

When a Windows 7 computer connects to a new network, it identifies the media access control (MAC) address of the default gateway. Windows 7 uses this address as a unique identifier for the network. If your organization's network equipment changes, and the MAC address of the default gateway changes, Windows 7 identifies the network as a new network. This may cause the default printer to be set incorrectly for the network. You should make users aware of this possibility when changing a network's default gateway.

Lab: Troubleshooting Logon and Resource Access Issues

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 and 3 for 6293A-NYC-CL1 and 6293A-NYC-CL2. Do not log on until directed to do so.

Lab Scenario
The help desk has received a number of trouble tickets that relate to file access. Because you are the desktop support technician that is the most experienced with file access, the tickets have been assigned to you.

Exercise 1: Troubleshooting Offline Files


Scenario
In this exercise, you will troubleshoot and attempt to resolve the reported offline files problem that Tier 1 help-desk staff could not resolve. The main tasks for this exercise are:
1. Read the help-desk Incident Record for Incident 602567.
2. Update the Plan of Action section of the Incident Record.
3. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 602567
Date of Call: March 25
Time of Call: 14:45
User: Alan Brewer (Research)
Status: OPEN

Incident Details
A user with a laptop computer reports that offline files are not synchronizing properly when he disconnects from the network.

Additional Information
User reports that when he roams in the office and reconnects to the wired network, his updated files are not synchronizing properly. This is a problem, because other users also have access to these files, and if the files are not synchronized, users have to look through the files and merge changes manually, which is time-consuming.

Steps to recreate the problem:
1. On NYC-CL1, create and open a file on the research share at \\NYC-DC1\Research.
2. Modify the contents of the file, and then save it.
3. Keep the file open, and then disconnect from the network.
4. Modify the contents of the file, and then save it.
5. Reconnect the computer to the network and close the file.
6. On NYC-CL2, open the file on the research share, and then verify that the latest changes are not synchronized.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 602567


Read the help-desk Incident Record for Incident 602567.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Attempt to resolve the problem


1. Using your knowledge of offline files issues and troubleshooting, attempt to resolve the problem.
   - To perform your troubleshooting, you first need to recreate the issue, and then verify the problem.
   - To simulate disconnecting from the network, you can disable the network adapter in NYC-CL1.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines before proceeding to the next exercise.

4. If necessary, revert your virtual machines by using the following procedure:
   a. On the host computer, start Hyper-V Manager.
   b. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   c. In the Revert Virtual Machine dialog box, click Revert.
   d. Repeat these steps for 6293A-NYC-CL1 and NYC-CL2.
   e. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
   f. In the Actions pane, click Connect.
   g. Wait until the virtual machine starts.
   h. Log on by using the following credentials:
      User name: Administrator
      Password: Pa$$w0rd
      Domain: Contoso
   i. Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have resolved a problem with offline files not synchronizing properly

Exercise 2: Troubleshooting a Missing Drive Mapping


Scenario
In this exercise, you will resolve the reported missing drive mapping problem that Tier 1 help-desk staff could not resolve. The main tasks for this exercise are:
1. Read the help-desk Incident Record for Incident 602568.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 602568
Date of Call: March 25
Time of Call: 15:03
User: Max Stevens (Research)
Status: OPEN

Incident Details
User reports that he does not have access to the research share.

Additional Information
User reports that he started his job last week, and does not have access to the research share, which is at \\NYC-DC1\Research. He is logging on to NYC-CL1. I walked the user through accessing the share by using the UNC path. This is an acceptable short-term solution. However, this user should have the drive letter R mapped to the research share like other users. Drive mappings have been converted to Group Policy Preferences. I've confirmed that the user account is in the correct OU. Other research users like Alan Brewer have no problems with the drive mapping.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 602568


Read the help-desk Incident Record for Incident 602568.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem


1. Log on to the NYC-CL1 computer as Contoso\Administrator with the password of Pa$$w0rd.
2. Run the D:\Labfiles\Mod07\Scenario2.vbs script.
3. Click OK to close the window, indicating that the script is complete.
4. Log off NYC-CL1.

Task 4: Attempt to resolve the problem


1. Using your knowledge of drive mapping issues and troubleshooting, attempt to resolve the problem.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines before proceeding to the next exercise.

4. If necessary, revert your virtual machines by using the following procedure:
   a. On the host computer, start Hyper-V Manager.
   b. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   c. In the Revert Virtual Machine dialog box, click Revert.
   d. Repeat these steps for 6293A-NYC-CL1.
   e. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
   f. In the Actions pane, click Connect.
   g. Wait until the virtual machine starts.
   h. Log on using the following credentials:
      User name: Administrator
      Password: Pa$$w0rd
      Domain: Contoso
   i. Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have resolved a problem with a missing drive mapping.

Exercise 3: Troubleshooting Missing Files in My Documents


Scenario
In this exercise, you will resolve the reported missing files problem that Tier 1 help-desk staff could not resolve. The main tasks for this exercise are:
1. Read the help-desk Incident Record for Incident 602093.
2. Update the Plan of Action section of the Incident Record.
3. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 602093
Date of Call: March 26
Time of Call: 09:00
User: Preeda Ola (Research)
Status: OPEN

Incident Details
User reports that files are missing from the My Documents folder after being given a new computer with our standard operating system configuration.

Additional Information
The user has a new workstation configured with our default image. We have trained users not to save information into My Documents, and have warned them that the files in My Documents are not backed up. I logged onto the user's old computer, and no files were in his My Documents folder. Eventually, we found the files in his home folder, which was mapped to drive H. I don't know how it was configured before, but this user wants My Documents to include the files in his home drive instead of accessing them through drive H. Because this user is a department head, we need to do this.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 602093


Read the help-desk Incident Record for Incident 602093.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Attempt to resolve the problem


1. Using your knowledge of folder redirection issues and troubleshooting, attempt to resolve the problem.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines before proceeding to the next exercise.

4. If necessary, revert your virtual machines by using the following procedure:
   a. On the host computer, start Hyper-V Manager.
   b. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   c. In the Revert Virtual Machine dialog box, click Revert.
   d. Repeat these steps for 6293A-NYC-CL1.
   e. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
   f. In the Actions pane, click Connect.
   g. Wait until the virtual machine starts.
   h. Log on using the following credentials:
      User name: Administrator
      Password: Pa$$w0rd
      Domain: Contoso
   i. Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have resolved a problem with missing files in My Documents.

Exercise 4: Troubleshooting a File Access Issue


Scenario
In this exercise, you will troubleshoot and attempt to resolve the reported security issue in Windows Internet Explorer 8 that Tier 1 help-desk staff could not resolve. The main tasks for this exercise are:
1. Read the help-desk Incident Record for Incident 603033.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 603033
Date of Call: April 4
Time of Call: 12:20
User: Alan Brewer (Research)
Status: OPEN

Incident Details
New peer-based application for research is not working properly.

Additional Information
The research department is semiautonomous for Information Technology (IT). Department members install and run many of their own applications, and they store data on their local workstations. Additionally, they back up their workstations daily to prevent data loss. They have a new application, which they installed on all workstations, that is not functioning properly. The installation instructions indicate that there must be a file share to which all computers have read/write permissions. All computers are configured to use \\NYC-CL1\Modeling as the file share. The file share is created, but users do not appear to have the proper permissions. The application generates the error "Shared data access error". I connected to \\NYC-CL1\Modeling and verified that I could not create or modify files from my computer.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 603033


Read the help-desk Incident Record for Incident 603033.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem


1. Log on to the NYC-CL1 computer as Contoso\Administrator with the password of Pa$$w0rd.
2. Run the D:\Labfiles\Mod07\Scenario4.bat script.

Task 4: Attempt to resolve the problem


1. Using your knowledge of file security, attempt to resolve the problem.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.
4. If necessary, revert your virtual machines by using the following procedure:
   a. On the host computer, start Hyper-V Manager.
   b. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   c. In the Revert Virtual Machine dialog box, click Revert.
   d. Repeat these steps for 6293A-NYC-CL1.
   e. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
   f. In the Actions pane, click Connect.
   g. Wait until the virtual machine starts.
   h. Log on by using the following credentials:
      User name: Administrator
      Password: Pa$$w0rd
      Domain: Contoso
   i. Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have configured a share successfully with read/write permissions for users in the Research group.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.

Troubleshooting Logon and Resource Access Issues


Module Review and Takeaways

Review Questions
1. A user has called the help desk and complained about not being able to access some files. After the call was passed to you, you determined that the user was not added to the correct group. After adding the user to the correct group, the user is still unable to access the files. What other step is required?
2. You are distributing new laptop computers to executives in your organization. Is any additional configuration required to allow them to log on by using their domain user account and password when they are out of the office?
3. Your organization has recently introduced roaming user profiles to support users who move between computers that are in cubicles. Some users report very slow logon and logoff times. Where would you start the troubleshooting process?
4. You are distributing new laptop computers to executives in your organization. You have redirected the My Documents folder to each user's home folder to ensure that the information is backed up. What feature do you need to implement to allow the executives to access these files when they are travelling without access to the network?
5. A colleague has configured a new network printer with an IP address. He wants users to print directly to the printer over the network rather than print by using a print server. Users will add this printer manually, only if it is required. Why is the configuration a concern?
6. One department in your organization is using a new application that creates two folders in the root of drive C. One folder is for the program executables, the other folder is for program data. What file permissions do you need to configure for these folders?


Tools
Tool                   Use for                                             Where to find it
Effective Permissions  Determining effective NTFS permissions for a user   Advanced Security Settings


Module 8
Troubleshooting Security Issues
Contents:
Lesson 1: Recovering Files Encrypted by EFS  8-3
Lesson 2: Recovering BitLocker-Protected Drives  8-15
Lesson 3: Troubleshooting Internet Explorer and Content Access Issues  8-23
Lab: Troubleshooting Security Issues  8-32


Module Overview

Windows 7 uses a wide range of security functions to secure data, including both Encrypting File System (EFS) and BitLocker Drive Encryption. Windows Internet Explorer also has a large number of security configuration options. You also use file permissions to limit file access, usually on file servers, to authorized users. In this module, you will learn how to work with all of these features.

Objectives
After completing this module, you will be able to:
- Recover files encrypted by using EFS.
- Recover BitLocker-protected drives.
- Troubleshoot Internet Explorer and content access issues.


Lesson 1

Recovering Files Encrypted by EFS

You can use EFS to encrypt files on portable computers. If your organization uses EFS, you must be aware of how to recover EFS-encrypted files in case the person who encrypted the files originally cannot recover them.

Objectives
After completing this lesson, you will be able to:
- Describe how EFS encrypts files and stores encryption keys.
- Describe how you can generate user certificates for EFS.
- Describe how you can back up EFS certificates.
- Describe how data recovery works for EFS-encrypted files.
- Describe how to resolve common EFS issues.
- Configure a data recovery agent and recover an EFS-encrypted file.


How EFS Works

EFS is a feature that you can use to encrypt files stored on a partition that you format with the NTFS file system. After a file is encrypted by using EFS, only authorized users can access it. An authorized user can open the file as if it were unencrypted. Users who do not have the authorization to access it receive an access denied message when they try to open the file.

To protect your files, EFS uses a combination of two encryption methods, which Windows 7 applies sequentially:
1. Symmetric key encryption, which encrypts the file.
2. Public key encryption, which then protects the symmetric key.

Symmetric Encryption
Symmetric encryption is the typical method of encrypting large amounts of data, and uses the same key to encrypt and decrypt a file. This type of encryption is faster and stronger than public key encryption. However, the difficulty of securing the key during a cross-network transfer requires additional security for the symmetric key.

Public Key Encryption


EFS uses public key encryption to protect the symmetric key that is required to decrypt the file contents. Each user certificate contains a public key that encrypts the symmetric key, so that only the user with the private key can access the symmetric key.

The File Encryption Process


The file encryption process works as follows:
- When a user encrypts a file, EFS generates a file encryption key (FEK) to encrypt the data.
- EFS encrypts the FEK with the user's public key, and then stores it with the file. This ensures that only the user who holds the matching private key can decrypt the file.
- After a user encrypts a file, the file remains encrypted for as long as you store it on the disk.


To decrypt files, the user can open the file, remove the encryption attribute, or decrypt the file by using the cipher tool. When this occurs, EFS decrypts the FEK by using the user's private key, and then decrypts the data by using the FEK.

You can use the cipher command-line tool to perform various EFS actions, such as encrypting and decrypting files. Use the /? option with the cipher tool to view detailed information about the available options. The syntax for decrypting a file is:
Cipher /D filename

Note In addition to the user that encrypted the file, EFS encrypts additional copies of the symmetric key with the public key of the recovery agent and any other authorized users.


Obtaining Certificates for EFS

EFS uses public key encryption to secure the FEK that encrypts file contents. Public key encryption uses digital certificates that contain a public key and a private key. To use EFS, users must obtain a digital certificate.

Self-Signed Certificates
By default, EFS generates a user certificate with a key pair automatically for a user if one does not exist already. Because of this, users can encrypt files with no administrative setup. When you encrypt a file on the local computer, EFS stores the self-signed certificate in the local user profile. When EFS encrypts a file on a file server, it stores the self-signed certificate in a user profile on the server.

Using self-signed certificates is very easy to implement, but difficult to manage, because certificates are stored in many locations, and there is no centralized control.

CA-Issued Certificates
Windows Server 2008 includes the Active Directory Certificate Services (AD CS) role that you can use to issue EFS certificates to users, or you can use a third-party certification authority (CA) to issue EFS certificates to users. The primary benefit of issuing certificates from an internal CA is manageability: administrators have the ability to control which users have certificates and the length of time that certificates remain valid. Additionally, with an internal CA, you can issue as many certificates as necessary with no incremental cost. A third-party CA offers the same manageability benefits as an internal CA. However, you pay a fee for each certificate that a CA issues, which is a significant disadvantage. Unlike some other certificate-related security, the trusted nature of a certificate that a third-party CA issues is not relevant for EFS.


Backing Up EFS Certificates

You should back up the user certificate that EFS uses to secure a file, because if you do not back up the certificate and it is lost, access to the file is lost. Another advantage to backing up the user certificate is that you can import it on a different computer. Once you import the certificate, you can use it to access encrypted files.

The most common scenario for using EFS is the default configuration, where you use a self-signed certificate. In this scenario, the EFS certificate that is required to decrypt the file exists only in the local user profile. The user receives a prompt to back up the certificate, but EFS does not enforce backing up. Users also can back up the certificate manually by using the Certificates Microsoft Management Console (MMC) snap-in. In the default configuration, when you store an EFS-encrypted file on a server, the certificate exists only on the server, and you must include it in the server backup.

When you use AD CS as an internal CA, user certificates publish automatically to Active Directory Domain Services (AD DS). The certificate becomes a property of the user object, but does not include the private key. Because the private key is required to decrypt files, the certificate published in AD DS does not, on its own, allow you to recover the certificate and decrypt files. You must perform another step: when a network administrator wants to recover the entire certificate, including the private key, the administrator must enable a key recovery agent. This agent then enables recovery of the entire certificate, including the private key, from the CA.

If a user works from multiple computers, you must ensure that the certificate imports to every computer. Because certificates are stored in user profiles, you can use roaming user profiles to move the certificates between computers. As an alternative, network administrators can implement a system called credential roaming to allow certificates to move between computers when a user logs on.


Using a Data Recovery Agent to Recover EFS-Encrypted Files

Backing up a user certificate is one method you can use to recover EFS-encrypted files. First back up the user certificate, import it into another profile, and then use it to decrypt the file. This method is difficult to implement if your organization has many users. A better method to use in that case is to implement a recovery agent. A recovery agent is an individual who is authorized to decrypt all files that are encrypted with EFS. The default recovery agent is the domain administrator, though you can delegate this responsibility to any user. When you add a new recovery agent through Group Policy, Windows 7 adds the recovery agent automatically to all newly encrypted files. However, it does not add the recovery agent to existing encrypted files. The recovery agent for a file is set at the time that you encrypt the file. Therefore, you must access the encrypted file, and then save it to update the recovery agent. You also can use the cipher command to force an update of the recovery agent.

Note To update the recovery agent on a file, run cipher /u filename. This command also updates user encryption keys if necessary.


You should ensure that the certificate for a recovery agent always exports with the private key, and you should keep it in a secure location that you can back up. There are two reasons to back up the recovery key:
1. To secure against system failure. The domain administrator private key that Windows uses by default for EFS recovery is stored only on the domain's first domain controller. If anything were to happen to this domain controller, then EFS recovery would be impossible.
2. To make the recovery key portable. The recovery key may not be available to the recovery agent on all computers. You must install the recovery key in the recovery agent's profile. If you do not use roaming profiles, then you can export and import the recovery key to update the recovery agent's profile on a specific computer.
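The key hierarchy from How EFS Works and the recovery-agent behaviour described above, modelled in Python as an added example (not code from the course or from Windows): a per-file FEK is wrapped once for the owner (the DDF) and once for each recovery agent in the policy at encryption time (the DRF); a certificate without its private key cannot unwrap anything; and the cipher /u step rewraps the FEK for the current policy, which only someone who can already decrypt the file can do. Textbook RSA and a SHA-256 keystream are stand-ins for the real EFS algorithms, and the names Adam, Administrator and RecoveryTeam and the functions new_principal and update_recovery_agents are this example's own.

```python
import hashlib
import os
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Stand-in primitives, NOT the real EFS algorithms: textbook RSA wraps the FEK,
# a SHA-256 counter-mode keystream stands in for the symmetric file cipher.
def _probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(candidate):
            return candidate

def rsa_keypair(bits: int = 256) -> Tuple[Tuple[int, int], int]:
    """Return ((n, e), d). Toy size so the example runs quickly; EFS uses 2048-bit keys."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537 != 0:
            return (p * q, 65537), pow(65537, -1, phi)

def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in: XOR with a SHA-256 keystream (encrypt and decrypt are the same)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class Principal:
    """A user or recovery agent; private_key is None when only the certificate is present."""
    name: str
    public_key: Tuple[int, int]
    private_key: Optional[int] = None

def new_principal(name: str) -> Principal:
    public_key, private_key = rsa_keypair()
    return Principal(name, public_key, private_key)

@dataclass
class EncryptedFile:
    ciphertext: bytes
    ddf: Dict[str, int]  # Data Decryption Field: FEK wrapped for the owner
    drf: Dict[str, int]  # Data Recovery Field: FEK wrapped for each recovery agent

def _wrap(fek: bytes, public_key: Tuple[int, int]) -> int:
    return pow(int.from_bytes(fek, "big"), public_key[1], public_key[0])

def encrypt_file(plaintext: bytes, owner: Principal, policy_agents: List[Principal]) -> EncryptedFile:
    """A fresh FEK encrypts the data; it is wrapped for the owner and for the agents in the policy now."""
    fek = os.urandom(16)
    return EncryptedFile(
        ciphertext=_stream_xor(fek, plaintext),
        ddf={owner.name: _wrap(fek, owner.public_key)},
        drf={agent.name: _wrap(fek, agent.public_key) for agent in policy_agents},
    )

def _recover_fek(ef: EncryptedFile, who: Principal) -> bytes:
    wrapped = ef.ddf.get(who.name) or ef.drf.get(who.name)
    if wrapped is None:
        raise PermissionError(f"{who.name}: no DDF or DRF entry on this file")
    if who.private_key is None:  # the Administrator-on-NYC-CL1 case from the practice
        raise PermissionError(f"{who.name}: private key is not present on this computer")
    return pow(wrapped, who.private_key, who.public_key[0]).to_bytes(16, "big")

def decrypt_file(ef: EncryptedFile, who: Principal) -> bytes:
    return _stream_xor(_recover_fek(ef, who), ef.ciphertext)

def update_recovery_agents(ef: EncryptedFile, who: Principal, policy_agents: List[Principal]) -> None:
    """The cipher /u step: rewrap the FEK for the current policy. Only someone who can already
    recover the FEK can do it, so a newly added agent cannot update files it does not cover."""
    fek = _recover_fek(ef, who)
    ef.drf = {agent.name: _wrap(fek, agent.public_key) for agent in policy_agents}

def can_decrypt(ef: EncryptedFile, who: Principal) -> bool:
    try:
        return decrypt_file(ef, who) is not None
    except PermissionError:
        return False
```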


Resolving Common EFS Issues

Most EFS issues relate to the inability of users to encrypt or decrypt files. The following table lists common issues and resolutions related to using EFS.

Issue: A user is unable to open a file that he has encrypted.
Resolution: This is most common when a user roams between computers and the private key is not present on all computers. To resolve this, use roaming profiles or import the certificate and private key manually on the new computer.

Issue: A user is unable to open a file that was encrypted by another user.
Resolution: This is expected behavior unless the user that encrypted the file explicitly shared the file with the second user. To resolve this issue, have the original user share the file with the second user or use a recovery agent to decrypt the file.

Issue: A user is unable to encrypt a file that has been compressed by using NTFS compression.
Resolution: This is expected behavior. If you need to encrypt the file, then you must decompress it.

Issue: After you configure a new recovery agent, you cannot access older files with the new recovery agent.
Resolution: The recovery agent for a file is not updated unless you modify it. Use the cipher /u command to update batches of files. However, you must be capable of decrypting the file to update the recovery agent information.

Issue: Users are unable to encrypt files on a file share, but can encrypt files locally.
Resolution: If you are not using certificates from a certification authority and you want to allow EFS to be used on a file share, then you must configure the file server computer account to be trusted for delegation in the computer account's properties.

Issue: Users are unable to encrypt files on FAT-formatted partitions.
Resolution: This is by design. You can use EFS only for files that you store on NTFS-formatted drives.


Practice: Encrypting and Recovering a File

You can configure a recovery agent by using a Group Policy object (GPO). First, you import a certificate into the GPO, and then the user with the private key corresponding to that certificate is able to decrypt EFS encrypted files. The certificates in the GPO do not contain the private key. In this practice, you will identify an EFS recovery agent, and then use the recovery agent certificate to recover an encrypted file.

Instructions
For this practice, you will use the available virtual machine environment. Before you begin the practice, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 1-3 for 6293A-NYC-CL1. Do not log on until directed to do so.


Detailed Steps

Identify a recovery agent


1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Group Policy Objects.
3. In the right pane, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Encrypting File System. Notice that a recovery agent exists, by default, for EFS.

Encrypt a file
1. On NYC-CL1, log on as Adam with a password of Pa$$w0rd.
2. Right-click the desktop, point to New, and then click Microsoft Office Word Document.
3. Type MySecureFile, and then press Enter to rename the file.
4. Right-click MySecureFile, and then click Properties.
5. In the MySecureFile Properties window, on the General tab, click Advanced.
6. In the Advanced Attributes window, select the Encrypt contents to secure data check box, and then click OK.
7. In the MySecureFile Properties window, click OK.
8. In the Encryption Warning window, click Encrypt the file only, and then click OK. Wait a few moments for the file to encrypt.

Note Encrypted files have a green filename in Windows Explorer, but not on the desktop.

Back up a user certificate


1. On NYC-CL1, click Start, type mmc, and then press Enter.
2. In the Console1 window, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, click Certificates, and then click Add.
4. In the Add or Remove Snap-ins window, click OK.
5. In the Console1 window, expand Certificates - Current User, expand Personal, and then click Certificates.
6. Double-click the Adam Carter certificate, and then read the information. Notice that the certificate was just created, and that you have a private key for this certificate.
7. In the Certificate window, click OK.
8. Right-click the Adam Carter certificate, point to All Tasks, and then click Export.
9. In the Certificate Export Wizard, click Next.
10. On the Export Private Key page, click Yes, export the private key, and then click Next.


11. On the Export file format page, click Next to accept the default selections.

Note In step 11, if you select the option to Delete the private key if the export is successful, then you cannot decrypt files after the export.

12. On the Password page, type Pa$$w0rd in both boxes, and then click Next.
13. On the File to Export page, type D:\EFSCertificateBackup.pfx, and then click Next.
14. On the Completing the Certificate Export Wizard page, click Finish.
15. Click OK to clear the success message.
16. Close Console1, and do not save the settings.
17. Log off NYC-CL1.

Attempt to view an encrypted file


1. On NYC-CL1, log on as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, and then click Computer.
3. In Windows Explorer, browse to C:\Users\Adam\Desktop, and then double-click MySecureFile.docx.
4. Click OK to clear the message indicating that you do not have access privileges to the file.
5. Close Microsoft Office Word.

Note Administrator is unable to open the file even though Administrator is the recovery agent because the necessary private key is not present on NYC-CL1. The private key is located only on NYC-DC1.

Export the recovery agent certificate


1. On NYC-DC1, click Start, type mmc, and then press Enter.
2. In the Console1 window, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, click Certificates, and then click Add.
4. In the Certificates snap-in window, verify that My user account is selected, and then click Finish.
5. In the Add or Remove Snap-ins window, click OK.
6. In the Console1 window, expand Certificates - Current User, expand Personal, and then click Certificates.
7. Right-click the Administrator certificate, point to All Tasks, and then click Export.
8. In the Certificate Export Wizard, click Next.
9. On the Export Private Key page, click Yes, export the private key, and then click Next.
10. On the Export file format page, click Next to accept the default selections.
11. On the Password page, type Pa$$w0rd in both boxes, and then click Next.


12. On the File to Export page, type C:\AdminCert.pfx, and then click Next.
13. On the Completing the Certificate Export Wizard page, click Finish.
14. Click OK to clear the success message.
15. Close Console1, and do not save the settings.

Import the recovery agent certificate


1. On NYC-CL1, click Start, type mmc, and then press Enter.
2. In the Console1 window, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, click Certificates, and then click Add.
4. In the Certificates snap-in window, verify that My user account is selected, and then click Finish.
5. In the Add or Remove Snap-ins window, click OK.
6. In the Console1 window, expand Certificates - Current User, and then click Personal.
7. Right-click Personal, point to All Tasks, and then click Import.
8. In the Certificate Import Wizard window, click Next.
9. On the File to Import page, in the File name box, type \\NYC-DC1\C$\AdminCert.pfx, and then click Next.
10. On the Password page, in the Password box, type Pa$$w0rd.
11. Select the Mark this key as exportable check box, and then click Next.
12. On the Certificate Store page, click Next.
13. On the Completing the Certificate Import Wizard page, click Finish.
14. Click OK to clear the success message.
15. Close Console1, and do not save the settings.

Recover an encrypted file


1. On NYC-CL1, in Windows Explorer, double-click MySecureFile.docx. Notice that you can open the file.
2. Close Microsoft Word.
3. Right-click MySecureFile.docx, and then click Properties.
4. In the MySecureFile.docx Properties window, on the General tab, click Advanced.
5. In the Advanced Attributes window, clear the Encrypt contents to secure data check box, and then click OK.
6. In the MySecureFile.docx Properties window, click OK.
7. Notice that the filename is black instead of green because it no longer is encrypted.
8. Close all open windows on both computers.

To prepare for the next practice


When you finish the practice, leave both virtual machines running.


Lesson 2

Recovering BitLocker-Protected Drives

You can use BitLocker to encrypt entire partitions, and you typically use it on portable computers where there is a risk of the computer being lost. You cannot access data on a drive that users encrypt with BitLocker by using utilities, by resetting the local Administrator password, or by placing the encrypted drive in an alternate computer. You must understand how to recover drives that users encrypt with BitLocker in case the encryption keys become inaccessible after a hardware failure.

Objectives
After completing this lesson, you will be able to:
- Describe how BitLocker stores encryption keys and protects data.
- Describe how BitLocker uses a Trusted Platform Module (TPM).
- Describe how data recovery works for BitLocker.
- Encrypt a partition by using BitLocker.
- Describe how to use BitLocker To Go.


The BitLocker Encryption Process

BitLocker is a feature in Windows 7 that encrypts entire partitions. The primary purpose of BitLocker is to protect the data on a hard drive that you remove from a computer, but it also protects the integrity of boot files. You typically use BitLocker for portable computers, which users are most likely to lose.

To enable BitLocker, a Windows 7 computer must have at least two partitions. The system volume contains the boot files for Windows 7, and the boot volume contains the operating system files. Windows 7 creates this type of partition structure automatically during installation, unless an unattended installation file provides alternate instructions.

BitLocker uses several encryption keys to protect the partitions on which it is enabled. When you enable BitLocker, the following process is performed:
1. BitLocker creates a Full Volume Encryption Key (FVEK) for each volume and uses it to encrypt each volume. This key never changes, because it would take too long to re-encrypt the partition.
2. BitLocker encrypts each FVEK and stores it on the system partition. It reads each FVEK during startup, and uses them to decrypt the volumes and allow Windows to start.
3. BitLocker generates a Volume Master Key (VMK), which is used to encrypt the FVEKs. This key is read during startup, and is required to access the FVEKs.

For additional security, you can require a password during startup, which provides a second layer of security to the logon process.

Note BitLocker typically has less than a 10 percent performance impact on disk activity.


BitLocker and TPMs

A TPM is a chip on a computer system board for storing encryption keys and certificates, and it is a trusted location for that computer. The preferred configuration for BitLocker is to store the VMK in a TPM. During startup, BitLocker retrieves the VMK from the TPM and uses it to decrypt the FVEKs for encrypted volumes. Not all computers have a TPM. Some vendors only implement a TPM on their business-class computers. If you use BitLocker on a computer without a TPM, the VMK is stored on a Universal Serial Bus (USB) flash drive instead of stored on the computer. This USB drive must be present during Windows 7 startup. This is somewhat risky because a lost flash drive means that you cannot start the computer.


Recovering a BitLocker-Protected Drive

BitLocker-encrypted drives become inaccessible if the VMK for a computer system cannot be accessed. This can occur if:
- The TPM in a computer fails.
- You move the drives to a different computer.
- Removable media that contains the VMK is lost.

When you enable BitLocker, it generates a 256-bit recovery key and a 48-digit recovery password. BitLocker provides you with the options to print the recovery password, save the recovery password to a file, or save both to a USB flash drive. You can use either the recovery key or the recovery password to decrypt the drive when the VMK is no longer available.

You also can store the recovery password in AD DS. To do this, you must enable the option by using Group Policy. This is a scalable solution, and much better than requiring administrators to store the recovery password during the encryption process. BitLocker stores recovery passwords in the properties of the computer account. You can view them by using the BitLocker Recovery Password Viewer, which the Remote Server Administration Tools for Windows Server 2008 R2 include, and which you can install on Windows 7. It extends the functionality of Active Directory Users and Computers so that you can view the BitLocker recovery password in the properties of a computer account.

Note The Group Policy setting to store BitLocker recovery passwords in Active Directory is \Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista).


To recover an encrypted operating system drive, you must use the Windows recovery console that is accessible during startup or by booting from the Windows 7 installation DVD. In the recovery console, you can provide the USB flash drive with the recovery key or type the recovery password. Drives that do not contain the operating system prompt you for the recovery information when you attempt to use them from within the operating system.

Note If you are typing the recovery password, you typically need to use the function keys. For example, pressing F1 is equivalent to pressing 1.

Your final option for recovering BitLocker-encrypted drives is to use a data recovery agent. Similar to a recovery agent in EFS, a data recovery agent for BitLocker has a certificate that BitLocker uses to access encrypted drives. You configure a data recovery agent by importing its certificate into a GPO. To configure a data recovery agent by using Group Policy, you must configure two settings:
- Enable Allow data recovery agent in \Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\drivetype Drives\Choose how BitLocker-protected drivetype drives can be recovered.
- Import a data recovery agent in \Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption.
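The 48-digit recovery password has a structure that can be checked before it is ever tried against a drive: each of the eight 6-digit groups must be a multiple of 11 no larger than 720885, and the eight quotients are the 16-bit words of the value that BitLocker stretches into the recovery key. This added Python example (not code from the course or from manage-bde) validates a password, points at a mistyped group, recovers the encoded bytes, and maps digits to the function keys the note above describes; the sample password and the function names are constructed for the example.

```python
import re
from typing import List

GROUPS, DIGITS_PER_GROUP = 8, 6
MAX_GROUP = 65535 * 11  # 720885: the largest group whose quotient still fits in 16 bits

# Constructed sample: every group is a multiple of 11 and at most 720885.
SAMPLE_PASSWORD = "000011-051260-720885-002816-135795-597531-045056-001089"

class RecoveryPasswordError(ValueError):
    pass

def _digits_only(text: str) -> str:
    """Strip the hyphens and spaces a user may type or omit between groups."""
    digits = re.sub(r"[\s-]", "", text)
    if not digits.isdigit():
        raise RecoveryPasswordError("recovery password may contain digits only")
    return digits

def parse_groups(text: str) -> List[int]:
    """Return the eight 6-digit groups as integers."""
    digits = _digits_only(text)
    if len(digits) != GROUPS * DIGITS_PER_GROUP:
        raise RecoveryPasswordError("expected 48 digits in 8 groups of 6")
    return [int(digits[i:i + DIGITS_PER_GROUP]) for i in range(0, len(digits), DIGITS_PER_GROUP)]

def first_bad_group(groups: List[int]) -> int:
    """Return the index of the first malformed group, or -1 if all are well formed.
    Because 10 == -1 (mod 11), any single mistyped digit changes a group's residue mod 11,
    so every one-digit typo is caught before the password is tried against the drive."""
    for i, g in enumerate(groups):
        if g % 11 != 0 or g > MAX_GROUP:
            return i
    return -1

def recovery_password_to_bytes(text: str) -> bytes:
    """Validate the password and return the 128-bit value it encodes: each group / 11 is one
    little-endian 16-bit word. BitLocker stretches this value into the actual recovery key."""
    groups = parse_groups(text)
    bad = first_bad_group(groups)
    if bad >= 0:
        raise RecoveryPasswordError(f"group {bad + 1} ({groups[bad]:06d}) fails the divisible-by-11 check")
    return b"".join((g // 11).to_bytes(2, "little") for g in groups)

def function_key_sequence(text: str) -> List[str]:
    """Keys to press in the pre-boot recovery console, where F1..F9 are 1..9 and F10 is 0."""
    return [f"F{int(d) or 10}" for d in _digits_only(text)]

def check_password(text: str) -> str:
    """Verdict a help desk can give before reading 48 digits to a user over the phone."""
    try:
        recovery_password_to_bytes(text)
    except RecoveryPasswordError as exc:
        return f"invalid: {exc}"
    return "well formed"
```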


Demonstration: Encrypting a Partition by Using BitLocker

You can use BitLocker to encrypt entire disk volumes. In most cases, a TPM is used to store the encryption keys for BitLocker. However, not all computers have a TPM. In such a case, you can store the encryption keys on a USB flash drive or a floppy disk. In this demonstration, you will see how to configure BitLocker when a TPM is not available.

Demonstration Steps
1. On the virtual host, verify that BitLocker.vfd is attached to the floppy drive of NYC-CL1.
2. On NYC-CL1, open the local Group Policy by using gpedit.msc.
3. Browse to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.
4. Configure Require additional authentication at startup:
   - Enabled
   - Allow BitLocker without a compatible TPM
5. Open BitLocker Drive Encryption in Control Panel.
6. Attempt to Turn On BitLocker for C:.
7. At a command prompt, enable BitLocker by entering manage-bde.exe -on C: -rp -sk A:.
8. Read the recovery key at the command prompt.


9. Restart NYC-CL1, and log on as Contoso\Administrator.
10. Open Windows Explorer, and then open Manage BitLocker for Local Disk (C:).
11. Save the recovery key to A:.
12. Open the BitLocker Recovery Key text file stored on A:, and then read the recovery key.


BitLocker To Go

BitLocker To Go is a new feature in Windows 7. You can use it to encrypt removable storage that you want to use on other computers. It safeguards the data while it is in transport, which ensures that if the removable storage is lost, the person who finds it cannot access the data.

When you enable BitLocker To Go for removable media, you are prompted to use either a password or a smart card to unlock the drive. Using a password makes it simple to unlock the removable storage on other computers, because anyone with the password can unlock it. Requiring a smart card is more complicated, because you must have a smart card, and the computer that you use to unlock the removable storage also requires a smart-card reader.

Windows 7 computers can read and modify removable storage that you encrypt by using BitLocker To Go. Windows XP and Windows Vista computers can read data from removable storage that you encrypt by using BitLocker To Go if users use the BitLocker To Go Reader. All removable storage that you encrypt by using BitLocker To Go includes the reader, which is accessible before you decrypt the content.

The recovery options for BitLocker To Go are the same as for standard drives. You can save recovery keys to a file, publish recovery keys to AD DS, or use a data recovery agent.


Lesson 3

Troubleshooting Internet Explorer and Content Access Issues

Internet Explorer is commonly used to access web-based applications, many of which are business critical. You must understand how to troubleshoot issues with Internet Explorer and content access to ensure that users are able to continue using these web-based applications.

Objectives
After completing this lesson, you will be able to:
- Describe authentication for web-based applications hosted on Internet Information Services (IIS).
- Describe Internet Explorer security zones.
- Describe what add-ons do for Internet Explorer.
- Describe how to troubleshoot common Internet Explorer issues.
- Configure Internet Explorer.


Authentication to IIS

Many organizations use web-based intranets and applications as an important part of their business. These websites are not just collections of webpages; they are components of an organization's critical business infrastructure. Windows Server hosts these websites by using IIS. When you troubleshoot issues with access to web-based applications, you must know which authentication methods are available. The following authentication methods are commonly used:
• Basic. This type of authentication sends the username and password in cleartext (Base64-encoded, not encrypted) over the network. It provides the best compatibility through firewalls and between various browsers and web servers. You should always protect Basic authentication with Secure Sockets Layer (SSL), which you configure on the server; without SSL, anyone who can capture the traffic can read the credentials. You can identify SSL-secured websites by the lock icon that Internet Explorer displays, and by the address, which starts with https://.
• Windows. This type of authentication uses either Windows Challenge/Response, also known as NT LAN Manager (NTLM), or Kerberos. In either case, the password itself never crosses the network: NTLM sends a response computed from the password hash and a server challenge, and Kerberos presents a ticket obtained from the domain controller. In some cases, Windows authentication does not pass properly through firewalls and proxies.

The primary benefit of using Windows authentication is that the user's workstation credentials pass automatically to the web server. However, Internet Explorer sends credentials automatically only to sites in the Local intranet zone, which by default contains only single label names such as http://webserver. A fully qualified name such as http://webserver.contoso.com falls into the Internet zone, and the user is prompted, unless that name is added to the Local intranet zone.
• Digest. This type of authentication is an Internet standard that sends a hash of the credentials, combined with a server-supplied nonce, rather than the password itself. Unlike Windows authentication, it passes through most firewalls and proxies, so you typically use it for external users.
• Certificate mapping. This type of authentication maps a certificate to a user account and lets the user authenticate by presenting that certificate. This is more secure than requiring a username and password, because there is no password to capture or guess; however, it is more difficult to implement and rarely used.


Internet Explorer Security Zones

Internet Explorer includes security zones that let you control security settings for groups of websites. Depending on the zone in which a website is placed, Internet Explorer applies different security settings. For example, some zones enable Protected Mode or do not allow ActiveX controls.

Note: Protected Mode in Internet Explorer prevents code on websites from affecting the operating system by isolating the Internet Explorer content processes at a low integrity level and limiting their permissions.

The security zones are:
• Internet. This is the default zone for all websites that are not in another zone. It has medium-high security settings, which let users perform most tasks; however, users may receive prompts to accept some riskier behaviors. Protected Mode is enabled.
• Local intranet. By default, this zone contains websites with single label names, sites that bypass the proxy server, and UNC paths; you can add other sites, such as fully qualified names, manually or through Group Policy. It has medium-low security settings that allow most websites to run without end-user prompts, because it assumes the sites are trustworthy. It does not use Protected Mode.
• Trusted sites. This zone has no websites by default; you must add sites manually. It has medium security settings, which let users run most web-based applications, and it does not use Protected Mode. Typically, you use this zone for web-based applications that are hosted externally. Because Protected Mode is off, add only sites you actually trust: a compromised trusted site gets the same latitude as an intranet site.
• Restricted sites. This zone has no websites by default; you must add sites manually. It has high security settings and is suitable for browsing websites that you are concerned may contain malware (malicious software).
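The zone mapping and the automatic-logon behaviour described above, and in the Windows authentication topic before it, both live in the current user's registry. The following script, an added example that is not part of the course text, reads them for one intranet host and then applies the fix for the "prompted for credentials on an internal site" case. The host name, domain and home page are assumptions; substitute your own.

```powershell
# Added example, not from the course. Run as the affected user on the client.
# Shows which security zone Internet Explorer assigns to an intranet FQDN and
# what the Local intranet zone's logon policy is, then fixes both so Windows
# authentication passes the user's credentials silently.
$domain = 'contoso.com'   # assumption
$server = 'nyc-dc1'       # assumption

$zoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$logonNames = @{ 0x00000 = 'automatic logon with current user name and password'
                 0x10000 = 'prompt for user name and password'
                 0x20000 = 'automatic logon only in Intranet zone (default)'
                 0x30000 = 'anonymous logon' }

# 1. Explicit zone mapping for http://nyc-dc1.contoso.com: a per-host subkey under the
#    domain key, holding a DWORD named after the scheme whose data is the zone number.
$hostKey = Join-Path $zoneMapKey "$domain\$server"
$zone = $null
if (Test-Path $hostKey) { $zone = (Get-ItemProperty -Path $hostKey).http }
if ($zone -eq $null) {
    "No mapping for $server.$domain: a dotted name falls into the Internet zone unless a proxy bypass or IP range rule matches it."
} else {
    "http://$server.$domain is in zone $zone ($($zoneNames[[int]$zone]))"
}

# 2. Logon policy for the Local intranet zone (value 1A00 under Zones\1).
$logon = (Get-ItemProperty -Path "$zonesKey\1").'1A00'
"Local intranet logon policy: 0x{0:X5} = {1}" -f $logon, $logonNames[[int]$logon]

# 3. Fix: map the FQDN into Local intranet (zone 1) and restore the default logon policy.
New-Item -Path $hostKey -Force | Out-Null
Set-ItemProperty -Path $hostKey -Name 'http' -Value 1 -Type DWord
Set-ItemProperty -Path "$zonesKey\1" -Name '1A00' -Value 0x20000 -Type DWord

# 4. The same ticket usually asks for the intranet as the home page.
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name 'Start Page' -Value "http://$server.$domain/"
```

If the "Security Zones: Use only machine settings" or "Site to Zone Assignment List" policies apply to the computer, the corresponding keys under HKLM and the Group Policy zone map take precedence and these per-user edits are ignored; check with gpresult before assuming the fix did nothing. Restart Internet Explorer after changing the values.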


Other Internet Explorer settings that may be a concern for web-based applications include:
• Privacy settings. The privacy settings in Internet Explorer control the use of cookies, which some web-based applications use to track user state. You can allow cookies specifically from the website that hosts a web-based application so that the application performs properly, without loosening cookie handling for every site.
• Pop-up Blocker. The purpose of the Pop-up Blocker is to prevent annoying advertisements from displaying. However, some web-based applications use pop-up windows, so you may need to allow them for the websites that host those applications.
• Advanced settings. Individual web-based applications may require unusual security settings that you can adjust only in Advanced settings. For example, an externally hosted website may require an older version of SSL. Treat such requests with care: re-enabling an obsolete protocol weakens every HTTPS connection the browser makes, not just the one to that site.


Internet Explorer Add-Ons

You can extend the functionality of Internet Explorer by installing add-ons. One of the most important uses of add-ons is displaying content on webpages that Internet Explorer does not understand natively. For example, add-ons may help display non-HTML document formats or video within a webpage. You can use the Manage Add-ons function in Internet Explorer to view the installed add-ons so that you can disable them. If Internet Explorer is experiencing performance problems, you can disable add-ons that you think may be responsible. One of the most common causes of Internet Explorer performance issues is users installing toolbars. Removing third-party toolbars often improves performance. However, some toolbars do not uninstall properly. As a final option, you can reset Internet Explorer settings, which reverts Internet Explorer to its default state.
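Manage Add-ons shows what is loaded, but not whether it is signed or where it came from. The following script is an added example that is not part of the course text: it inventories the browser helper objects and toolbars registered machine-wide on a Windows 7 computer, resolves each one to its DLL and checks the Authenticode signature, so that unsigned or unrecognised add-ons stand out before you start disabling things one at a time. The function and its name are mine, not an Internet Explorer or Windows feature.

```powershell
# Added example, not from the course. Inventories the browser helper objects
# (BHOs) and toolbars registered for all users, resolves each CLSID to its DLL
# and checks the DLL's Authenticode signature. Only HKLM registrations are read.
function Get-IeAddonInventory {
    # 64-bit IE reads HKLM\SOFTWARE; 32-bit IE on x64 reads the Wow6432Node view.
    $hives = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        $entries = @()
        # BHOs: one subkey per CLSID.
        $bhoKeys = Get-ChildItem "$hive\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ErrorAction SilentlyContinue
        foreach ($k in $bhoKeys) {
            $entries += New-Object PSObject -Property @{ Type = 'BHO'; CLSID = $k.PSChildName }
        }
        # Toolbars: one value per CLSID under the Toolbar key, with the display name as data.
        $tb = Get-ItemProperty "$hive\Microsoft\Internet Explorer\Toolbar" -ErrorAction SilentlyContinue
        if ($tb) {
            foreach ($prop in ($tb.PSObject.Properties | Where-Object { $_.Name -like '{*}' })) {
                $entries += New-Object PSObject -Property @{ Type = 'Toolbar'; CLSID = $prop.Name }
            }
        }
        foreach ($e in $entries) {
            $clsKey    = "$hive\Classes\CLSID\$($e.CLSID)"
            $name      = (Get-ItemProperty $clsKey -ErrorAction SilentlyContinue).'(default)'
            $dll       = (Get-ItemProperty "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $status    = 'no InprocServer32 (orphaned registration)'
            $publisher = $null
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                if (Test-Path $dll) {
                    $sig    = Get-AuthenticodeSignature -FilePath $dll
                    $status = $sig.Status.ToString()        # Valid, NotSigned, HashMismatch, ...
                    if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
                } else {
                    $status = 'DLL missing on disk'
                }
            }
            New-Object PSObject -Property @{
                Type = $e.Type; CLSID = $e.CLSID; Name = $name; Path = $dll
                Signature = $status; Publisher = $publisher
            }
        }
    }
}

# Unsigned and broken entries first. A toolbar whose DLL lives under a user profile
# or %TEMP% rather than Program Files is a strong hint it was not deployed by the organisation.
Get-IeAddonInventory | Sort-Object Signature, Type | Format-Table Type, Name, Signature, Publisher, Path -AutoSize -Wrap
```

A valid signature only tells you who published the add-on, not that it is wanted; compare the Publisher column against the vendors your organisation actually deploys. Per-user registrations under HKCU and ActiveX controls are not covered by this inventory.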


Troubleshooting Common Internet Explorer Issues

Most issues related to Internet Explorer and security are easy to resolve. A key part of the troubleshooting process for website access problems is identifying the following:
• Which computers are affected? One computer or all computers?
• Which users are affected? One user or all users?
• Where are the affected users located? Internal, external, or both?
• Which versions of Internet Explorer are experiencing the problem?

These questions help you isolate what is causing the problem: a firewall, the server configuration, or the Internet Explorer configuration. The following table lists some common ways that you can resolve problems related to accessing websites and web-based applications.

Issue: Users are unable to access a website.
Resolution: Verify that there is proper network connectivity, and that a firewall or proxy is not blocking the website.

Issue: Users are prompted for credentials when accessing an internal website that is configured to use Windows authentication.
Resolution: Verify that users are accessing the website by using a single label name, or that the name they use is in the Local intranet zone. Also, verify that users are accessing the website from an internal, domain-joined computer.

Issue: Users are unable to use a web-based application because Internet Explorer security or Protected Mode is blocking required functionality.
Resolution: If the web-based application is from a trusted source, add the website to Trusted sites. This disables Protected Mode for that site and allows many web-based applications to function properly.


Issue: A web-based application is not retaining settings properly between screens or between sessions.
Resolution: Ensure that privacy settings allow the web-based application to set cookies.

Issue: A web-based application is not opening new windows that are required for proper operation.
Resolution: Ensure that the Pop-up Blocker allows the necessary windows to open by adding the website to the list of allowed sites.

Issue: Internet Explorer is running more slowly than normal and may be displaying unusual information on webpages.
Resolution: Disable any unauthorized add-ons that may be malware.

Issue: Users are unable to view embedded content, such as audio or video, in a website.
Resolution: Install the add-on for Internet Explorer that is required to view the content.

Issue: Internet Explorer is experiencing unusual problems authenticating to a website or accessing website content.
Resolution: Clear the Internet Explorer browsing history, including temporary Internet files, cookies, and passwords.

Issue: Internet Explorer is not displaying updated website content that you know has been updated.
Resolution: Clear the temporary Internet files and then press F5 to refresh, or press Ctrl+F5 to force a refresh of a single website, bypassing the cache.

Issue: An older website is not displaying properly in Internet Explorer 8.
Resolution: Enable Compatibility View for the website. This may also be required for some web-based applications. Compatibility View renders the website as though you were using an older version of Internet Explorer.

Issue: When accessing a secure website with https, users get the error "There is a problem with this website's security certificate."
Resolution: This error occurs because the certificate installed on the server is not trusted. Common causes are an expired certificate, users accessing the website by a DNS name that does not match the name in the certificate, or a self-signed certificate. If the website is trusted, users can choose Continue to this website (not recommended). For an internal site with a self-signed certificate, you can import that certificate on the client computer to remove the error; keep in mind that importing it into Trusted Root Certification Authorities makes the client trust anything signed with that key, so fixing the server certificate is the better long-term answer. Do not train users to click through this error, because a man-in-the-middle attack produces exactly the same warning.

Issue: Malware is installed as an add-on that you cannot remove.
Resolution: Reset Internet Explorer settings. This can resolve unexplained problems with Internet Explorer, but it disables all add-ons and toolbars and discards configuration changes. If other malware still exists on the computer, Internet Explorer may be infected again, so scan and clean the computer as well.


Practice: Configuring Internet Explorer

The two most common problems that users experience with Internet Explorer are poor performance and the inability to access web-based content. To resolve performance problems, you can manage Internet Explorer add-ons, and reset Internet Explorer settings. To resolve issues accessing content, you can configure the Pop-up blocker and privacy settings. In some cases, clearing the Internet Explorer history can also resolve content access issues. In this practice, you will configure various Internet Explorer options and features.

Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and 6293A-NYC-CL1 should be running.

Detailed Steps

Manage Pop-up Blocker


1. On NYC-CL1, on the taskbar, click Internet Explorer.
2. In Internet Explorer, click Tools, point to Pop-up Blocker, and then click Pop-up Blocker Settings.
3. In the Pop-up Blocker Settings window, in the Address of website to allow box, type webapp.contoso.com, and then click Add.
4. Click Close.

Manage Internet Explorer add-ons


1. On NYC-CL1, in Internet Explorer, click Tools, and then click Manage Add-ons.
2. In the Show box, verify that Currently loaded add-ons is selected.
3. Click the Research add-on, and then click Disable.


4. In the Show box, select Run without permission. Take note of the large list installed by default.
5. Click Close.

Clear Internet Explorer history


1. On NYC-CL1, in Internet Explorer, click Tools, and then click Internet Options.
2. In the Internet Options window, on the General tab, in the Browsing history area, click Delete.
3. In the Delete Browsing History window, read the default selections, and then click Delete.

Manage Privacy settings


1. On NYC-CL1, in Internet Explorer, in the Internet Options window, click the Privacy tab.
2. In the Settings area, click Sites.
3. In the Per Site Privacy Actions window, in the Address of website box, type webapp.contoso.com, and then click Allow.
4. Click OK.

Reset Internet Explorer settings


1. On NYC-CL1, in Internet Explorer, in the Internet Options window, click the Advanced tab.
2. In the Reset Internet Explorer settings area, click Reset.
3. In the Reset Internet Explorer Settings window, read the information, and then click Reset.
4. In the Reset Internet Explorer Settings window, click Close.
5. In the Internet Explorer window, read the message, and then click OK.
6. Close Internet Explorer.

To prepare for the lab


When you finish the practice session, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 1-3 for 6293A-NYC-CL1.


Lab: Troubleshooting Security Issues

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso

Lab Scenario
The help desk has received a number of trouble tickets that relate to security. Because you are the desktop support technician that has the most experience with security, the tickets have been assigned to you.


Exercise 1: Recovering a BitLocker-Protected Drive


Scenario
In this exercise, you will troubleshoot and attempt to resolve the reported BitLocker problem that Tier 1 help-desk staff could not resolve. The main tasks for this exercise are:
1. Read the help-desk Incident Record for Incident 603012.
2. Update the Plan of Action section of the Incident Record.
3. Attach the encrypted drive to NYC-CL1.
4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 603012
Date of Call: April 3
Time of Call: 09:34
User: Susanna Stubberod (Production)
Status: OPEN
Incident Details: Executive user is reporting that she has data that is encrypted with BitLocker Drive Encryption that she needs to recover from a failed laptop.
Additional Information: The user uses her personal laptop to work on company documents. The laptop had a secondary hard drive on which she stored the documents. She encrypted all drives with BitLocker to secure them. Internal laptops are configured with a recovery agent to simplify data recovery. Because this is a personal laptop, using a recovery agent is not an option. She has given us the encrypted drive, and a printout she made after the drive was encrypted. She has requested that we configure the drive so that she can attach it to another computer easily by placing the drive in an external USB enclosure. Preferably, it should require only a password to unlock.
Plan of Action:

Resolution


Printed Document from Susanna


BitLocker Drive Encryption Recovery Key
The recovery key is used to recover the data on a BitLocker protected drive. To verify that this is the correct recovery key, compare the identification with what appears on the recovery screen:
Recovery key identification: AE409B77-DCD9-49
Full recovery key identification: AE409B77-DCD9-49EB-AE01-69A2283F845F
BitLocker Recovery Key: 622732-532620-653312-417406-161304-327305-677292-111034

Task 1: Read the help-desk Incident Record for Incident 603012


1. Read the help-desk Incident Record for Incident 603012.
2. Read the printed document from Susanna.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Attach the encrypted drive to NYC-CL1


1. On the host computer, ensure that 6293A-NYC-CL1 is shut down.
2. Click Start, point to Administrative Tools, and then click Hyper-V Manager.
3. In Hyper-V Manager, right-click 6293A-NYC-CL1, and then click Settings.
4. In the Settings for 6293A-NYC-CL1 window, click IDE Controller 1.
5. In the right pane, ensure that Hard Drive is selected, and then click Add.
6. In the Media area, click Browse.
7. Browse to C:\Program Files\Microsoft Learning\6293\Drives, click BitLockerRecovery.vhd, and then click Open.
8. Click OK.
9. Start the 6293A-NYC-CL1 virtual machine, and then log on as NYC-CL1\WSAdmin with the password Pa$$w0rd. If you are prompted to restart NYC-CL1, click Restart Now.

Task 4: Attempt to resolve the problem


1. Using your knowledge of BitLocker, attempt to resolve the problem.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines before proceeding to the next exercise.


4. If necessary, revert your virtual machines by using the following procedure:
   a. On the host computer, start Hyper-V Manager.
   b. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   c. In the Revert Virtual Machine dialog box, click Revert.
   d. Repeat steps a-c for 6293A-NYC-CL1.
   e. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
   f. In the Actions pane, click Connect. Wait until the virtual machine starts.
   g. Log on by using the following credentials:
      User name: Administrator
      Password: Pa$$w0rd
      Domain: Contoso
   h. Repeat steps e-g for 6293A-NYC-CL1.

Results: After this exercise, you will have recovered a BitLocker-protected drive.


Exercise 2: Troubleshooting an Internet Explorer Security Issue


Scenario
In this exercise, you will troubleshoot and attempt to resolve the reported security issue in Internet Explorer that Tier 1 help-desk staff could not resolve. The main tasks for this exercise are:
1. Read the help-desk Incident Record for Incident 603026.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 603026
Date of Call: April 4
Time of Call: 12:20
User: Sten Faerch (Marketing)
Status: OPEN
Incident Details: User is being prompted for security credentials when accessing the intranet site.
Additional Information: When the user attempts to access the corporate intranet by using http://nyc-dc1.contoso.com, he is prompted for credentials. I coached him through the process of entering his credentials as Contoso\Sten and his password. This authenticates him successfully, and he can use this as a short-term workaround, but he does not want to be prompted. I asked him to check if other users in his department were having the same issue, and he told me that they said no. He is the only user having this issue. After he authenticates, everything is fine. When the issue is resolved, please configure the corporate intranet as his home page.
Plan of Action:

Resolution

Task 1: Read the help-desk Incident Record for Incident 603026


Read the help-desk Incident Record for Incident 603026.

Task 2: Update the Plan of Action section of the Incident Record


1. 2. Read the Additional Information section of the Incident Record. Update the Plan of Action section of the Incident Record with your recommendations.


Task 3: Simulate the problem

1. Switch to the NYC-CL1 computer.
2. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
3. Run the D:\Labfiles\Mod08\Scenario2.vbs script.
4. Log off NYC-CL1.

Task 4: Attempt to resolve the problem


1. Using your knowledge of Internet Explorer security, attempt to resolve the problem.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note: It is not necessary to revert the virtual machines before proceeding to the next exercise.

4. If necessary, revert your virtual machines by using the following procedure:
   a. On the host computer, start Hyper-V Manager.
   b. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   c. In the Revert Virtual Machine dialog box, click Revert.
   d. Repeat steps a-c for 6293A-NYC-CL1.
   e. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
   f. In the Actions pane, click Connect. Wait until the virtual machine starts.
   g. Log on by using the following credentials:
      User name: Administrator
      Password: Pa$$w0rd
      Domain: Contoso
   h. Repeat steps e-g for 6293A-NYC-CL1.

Results: After this exercise, you will have authenticated successfully to the intranet website, without requiring the user to enter credentials.


To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.


Module Review and Takeaways

Review Questions
1. An employee that the organization recently dismissed had used EFS to encrypt files on a domain-joined portable computer. The user account has been deleted from the domain, and no backup of the user account exists. No specific configuration of EFS has been performed. Can you recover the EFS-encrypted files?
2. You just received a new batch of 10 laptop computers that do not have a TPM. Is it still possible to protect the hard drive contents by using BitLocker?
3. One of the users in your organization wants to use BitLocker To Go when transporting files between work and home on a USB flash drive. The user has Windows XP on his computer at home. Is it practical to use BitLocker To Go when one of the computers is running Windows XP?
4. A user in purchasing accesses various websites to order supplies. She is concerned that her actions on these sites may be insecure. What two ways can she identify a website as using Secure Sockets Layer (SSL) to encrypt data communications?

Tools
Tool: Certificates snap-in
Use for: Exporting certificates for backup
Where to find it: MMC

Tool: cipher.exe
Use for: Performing EFS functions on batches of files
Where to find it: Command line

Tool: manage-bde.exe
Use for: Managing BitLocker functions, including some not available in the graphical interface
Where to find it: Command line


Module 9
Troubleshooting Operating System and Application Issues
Contents:
Lesson 1: Troubleshooting Application Installation Issues  9-3
Lesson 2: Troubleshooting Application Operations Issues  9-14
Lesson 3: Applying Application and Windows Updates  9-23
Lab: Troubleshooting Operating System and Application Issues  9-32


Module Overview

Computer users require applications for every task they perform, including editing documents, querying databases, and generating reports. Supporting the installation and operations of applications is a critical part of desktop support. To ensure that applications continue to function correctly, and to prevent security issues, you must also apply updates in a timely way.

Objectives
After completing this module, you will be able to:
• Troubleshoot application installation issues.
• Troubleshoot application operation issues.
• Apply application and Microsoft Windows updates.

Troubleshooting Operating System and Application Issues

9-3

Lesson 1

Troubleshooting Application Installation Issues

Most large organizations automate application installation from a central location. However, desktop-support personnel are involved in application deployment during the initial development of the deployment process and when troubleshooting failed installations. You must know how to identify why an application installation fails, and how to resolve the issues that prevent installation.

Objectives
After completing this lesson, you will be able to:
• Describe application deployment methods.
• Describe application deployment issues.
• Describe methods to identify application dependencies.
• Describe methods for resolving deployment issues.
• Describe methods for troubleshooting Windows Installer issues.
• Control application installation with Windows 7 AppLocker policies.


Methods for Deploying Applications

Deploying applications is a critical part of supporting users. Generally, you should automate the application deployment process, which simplifies it from the user's perspective. Methods for deploying applications include:
• Manual installation. This method requires that the person installing the application, a user or support personnel, know the location of the application setup files and initiate the installation. It is suitable only when you are installing applications on a small number of computers.
• Group Policy. This method uses a Group Policy object (GPO) to automate application installation from a network share. You can make applications available for users to select, or configure them to install automatically for specific users or on specific computers. To automate the installation completely, some applications require you to create a transform file (.mst). Because the package is installed with elevated privileges on every targeted computer, make sure that only administrators can write to the share: anyone who can modify the .msi or .mst gets code execution as SYSTEM on all of them.
• Microsoft System Center Configuration Manager 2007. This method uses the software distribution capabilities of Configuration Manager 2007 to automate application installation from a network share. The main benefits of Configuration Manager 2007 over deployment by using Group Policy are increased flexibility and detailed reporting. You also can use Configuration Manager 2007 to distribute application updates.


• Virtualized applications. With the RemoteApp feature in Windows Server 2008 R2, you can avoid installing applications on desktop computers. An icon on the user's desktop opens a Remote Desktop Protocol (RDP) session to a server that hosts the application, and the application appears in its own window on the desktop while it actually runs on the server. This simplifies application updates because you update only a single central copy of the application. This method works best with applications that need to access data in a central location.

Note: In Windows Server 2008, the RemoteApp feature was named Terminal Services RemoteApp (TS RemoteApp).

• Inclusion in the operating system image. Many organizations include common applications in the base operating-system image that they deploy to desktop computers. With this method, you avoid a separate deployment process for the application. However, it results in increased image maintenance over time as application updates and new application versions are released.


Discussion: Application Deployment Issues

Application deployment may fail for a variety of reasons, including the configuration of the deployment process or of the computer on which you deploy the application. Understanding the reasons why applications fail to deploy helps you resolve the issues preventing installation. Question: What are some reasons that application deployment or installation may fail?


Identifying Application Dependencies

Many applications require specific operating-system features to function properly. For example, many applications require a specific version of the .NET Framework. Additionally, some applications use the functionality of other applications; for example, some financial applications use Microsoft Excel to perform calculations. There are several ways to identify application dependencies:
• Documentation. Most vendors provide installation documentation that clearly defines the application requirements. By reading the documentation before attempting an installation, you can ensure that all dependencies are in place.
• Contact the vendor. If the vendor does not provide installation documentation that defines the requirements, request them from the vendor's application support department.
• Errors during installation. Most software checks during installation that the computer meets all application requirements. If a dependency is missing, the installer generates an error that indicates which dependency is missing.

In most cases, software does not install at all if its dependencies are not in place: Setup stops, and the installation program generates an error that requests installation of all prerequisites before another attempt. However, some applications install even when their dependencies are not met. In those cases, the user encounters errors while using the software rather than during installation.


Resolving Application Deployment Issues

The ability to resolve application deployment issues depends on your understanding of the issues cause. Once you understand why an application is not deploying properly, you can determine the correct methods to resolve the issue.

Methods for Resolving Application Deployment Issues


The following are methods for resolving application deployment issues:
• Run as administrator. For application installations that do not properly elevate to perform the installation, you can elevate manually by right-clicking the installation file, and then clicking Run as administrator.
• Install the necessary dependencies. If you cannot install an application because of missing dependencies, you must install those dependencies first. If the missing dependency affects multiple computers, determine the best way to deploy it to all of them; you may need to update the base image so that it deploys with the dependency.

Note: You can enable Windows features by using Programs and Features in Control Panel, or by running dism.exe at an elevated command prompt (for example, dism /online /enable-feature /featurename:<feature name>). DISM can also enable features in offline images.

• Application Compatibility Toolkit (ACT). ACT is a suite of tools from Microsoft that simplifies installing and running older applications on newer versions of Windows. One use for ACT is to inventory installed applications and then evaluate whether those applications have issues when running on Windows 7. You typically use ACT during migration to a new operating system.
• Correct configuration of AppLocker. If AppLocker is blocking the installation of legitimate applications, adjust the AppLocker rules. The AppLocker logs in Event Viewer, under Applications and Services Logs\Microsoft\Windows\AppLocker, record which file was blocked and for which user, so check there before changing rules.


Troubleshooting Windows Installer Issues

Windows Installer is the service in Windows 7 that performs application installations. During application installation, you may receive error messages such as:
• The Windows Installer Service could not be accessed.
• Windows Installer Service could not be started.
• Could not start the Windows Installer service on Local Computer.

One source of Windows Installer issues is applications that do not complete installing or uninstalling. In some cases, restarting the computer forces the pending operation to proceed. However, you may need to reinstall or repair the application before you can remove it. In a worst-case scenario, you may need to remove an application manually, including its registry entries. To troubleshoot Windows Installer issues:
1. Verify that Windows Installer is functioning by running msiexec at a command prompt; a working installation displays the msiexec usage dialog.
2. Verify that the Windows Installer service is configured to start manually, and that it starts without errors.
3. Update to the latest version of Windows Installer.
4. Reregister Windows Installer by using the following commands at an elevated command prompt:
   msiexec /unregister
   msiexec /register

9-10

Troubleshooting and Supporting Windows 7 in the Enterprise

In rare cases, it is possible that another running application is preventing the software's installation or removal. To identify the problem application, perform a clean boot: use System Configuration (msconfig.exe) to disable the services and startup programs that start automatically, and then re-enable them in groups until the conflict reappears.
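The following PowerShell script is an added example, not part of the course material. It performs the Windows Installer checks listed above in a repeatable way: service start mode and state, the msiexec version, whether a previous installation is still marked as in progress, and, only if needed, the unregister and re-register sequence. It assumes an elevated PowerShell 2.0 session on Windows 7; the InProgress registry key it inspects is the one Windows Installer uses to record an installation that has not completed.

```powershell
# Added example (not from the course): check the Windows Installer service (msiserver)
# as the troubleshooting steps describe, and re-register it if it is broken.
# Assumes an elevated PowerShell 2.0 session on Windows 7.

function Test-WindowsInstallerService {
    $svc = Get-Service -Name msiserver -ErrorAction Stop
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='msiserver'"
    $msiexec = Get-Item "$env:windir\System32\msiexec.exe"
    $report = New-Object PSObject -Property @{
        Version           = $msiexec.VersionInfo.ProductVersion   # step 3: compare with the latest release
        StartMode         = $wmi.StartMode                        # step 2: expected 'Manual'
        Status            = $svc.Status
        InstallInProgress = $false
        Healthy           = $false
    }
    # An InProgress key left behind means an install never finished; new installs then fail with 1618
    $inProgress = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress'
    if (Test-Path $inProgress) { $report.InstallInProgress = $true }

    if ($wmi.StartMode -eq 'Disabled') {
        Write-Warning 'msiserver is disabled: installers report "The Windows Installer Service could not be accessed"'
        return $report
    }
    # Start the service explicitly so that a start failure is visible instead of hidden by a setup program
    if ($svc.Status -ne 'Running') {
        try { Start-Service -Name msiserver -ErrorAction Stop }
        catch { Write-Warning "msiserver failed to start: $($_.Exception.Message)"; return $report }
        $report.Status = (Get-Service -Name msiserver).Status
    }
    $report.Healthy = ($report.Status -eq 'Running') -and (-not $report.InstallInProgress)
    return $report
}

function Repair-WindowsInstallerService {
    # Step 4: unregister and re-register the service. msiexec returns immediately, so wait on each call.
    Set-Service -Name msiserver -StartupType Manual
    Stop-Service -Name msiserver -Force -ErrorAction SilentlyContinue
    Start-Process -FilePath msiexec.exe -ArgumentList '/unregister' -Wait
    Start-Process -FilePath msiexec.exe -ArgumentList '/regserver'  -Wait
    Test-WindowsInstallerService
}

# Usage: run the check first; re-register only if the service itself is unhealthy
$check = Test-WindowsInstallerService
$check | Format-List Version, StartMode, Status, InstallInProgress, Healthy
if (-not $check.Healthy -and -not $check.InstallInProgress) {
    Repair-WindowsInstallerService | Format-List Version, StartMode, Status, Healthy
}
```

An InstallInProgress result points at the stuck-installation case described above (restart the computer, or finish or repair the half-installed application) rather than at the service, so the script does not re-register in that case.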


Practice: Controlling Application Installation by Using AppLocker

AppLocker is one way to control application installation. By using AppLocker, you can control the installation of applications based on file path, publisher, or file hash. If you choose to create the default rules for Windows Installer, they:

• Allow members of the Everyone group to install all digitally signed Windows Installer files.
• Allow members of the Everyone group to install all Windows Installer files in %systemdrive%\Windows\Installer, the folder in which Windows Installer caches installed packages.
• Allow members of the Administrators group to install all Windows Installer files.

Note that the first default rule allows any signed .msi file, regardless of who signed it. To restrict installation to specific vendors, replace it with publisher rules.

In this practice, you will use Group Policy to deploy an application and configure AppLocker rules for Windows Installer.

Instructions
For this practice, you will use the available virtual machine environment. Before you begin the practice, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 1-4 for 6293A-NYC-CL1.


Detailed Steps

Configure an application for deployment by using Group Policy

1. On NYC-DC1, click Start, type cmd, and press Enter.
2. At the command prompt, type net share software=D:\Labfiles\Mod09\Software and press Enter.
3. Close the command prompt.
4. Click Start, point to Administrative Tools, and then click Group Policy Management.
5. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Contoso.com.
6. Right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.
7. In the New GPO window, in the Name box, type Software, and then click OK.
8. Right-click Software, and then click Edit.
9. In the Group Policy Management Editor window, under User Configuration, expand Policies, and then expand Software Settings.
10. Right-click Software installation, point to New, and then click Package.
11. In the Open window, browse to \\NYC-DC1\Software, click XmlNotepad.msi, and then click Open.
12. In the Deploy Software window, click Assigned, and then click OK.

Note You have assigned the application to all of the organization's users. An assigned application is advertised to the user: Windows installs it when the user opens a file with an extension that the package registers, or the user can install it manually from Programs and Features.

Enable the Application Identity Service

1. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click System Services.
2. Double-click Application Identity.
3. In the Application Identity Properties window, select the Define this policy setting check box, click Automatic, and then click OK.

Note The Application Identity service (AppIDSvc) is required to evaluate AppLocker rules. If this service is not running, then AppLocker rules have no effect, even when the policy enforces them.

Configure Default AppLocker Rules for Windows Installer

1. In the Group Policy Management Editor window, under Computer Configuration, under Security Settings, expand Application Control Policies, and then click AppLocker.
2. Read the information that displays.
3. In the Overview area, click Windows Installer Rules. Notice that no rules are configured automatically.
4. Right-click Windows Installer Rules, and then click Create Default Rules.
5. Review the default rules.

Install an Application from Group Policy

1. On NYC-CL1, click Start, type cmd, and then press Enter.
2. At the command prompt, type gpupdate /force, and then press Enter.
3. Close the command prompt.
4. Log off, and then log on as Adam with a password of Pa$$w0rd.
5. Click Start, type Programs, and then click Programs and Features.
6. In the Programs and Features window, click Install a program from the network.
7. Right-click XML Notepad 2007, and then click Install. Notice that the installation process begins.
8. In the XML Notepad 2007 Setup window, click Cancel, and then click Yes.
9. Click Finish, and then close the Control Panel window.
10. Log off NYC-CL1.
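The following PowerShell script is an added example, not part of the course material. It checks, from the client side, the three things this practice depends on: that the Application Identity service is running, what the effective AppLocker policy contains for each rule collection (including the Windows Installer rules you just created), and how that policy decides for specific files when a given user runs them; it also lists recent AppLocker block and audit events. It assumes an elevated PowerShell 2.0 session on a Windows 7 edition that includes the AppLocker module; the user, file paths, and file names in the usage lines are assumptions.

```powershell
# Added example (not from the course): diagnose AppLocker enforcement on a Windows 7
# client. Assumes an elevated PowerShell 2.0 session with the AppLocker module; the user,
# paths and file names in the usage lines are assumptions.
Import-Module AppLocker

function Get-AppLockerStatus {
    # Without AppIDSvc no rule in any collection is evaluated, whatever the policy says
    $svc  = Get-Service -Name AppIDSvc
    $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'").StartMode
    Write-Host ("Application Identity service: {0} (start mode {1})" -f $svc.Status, $mode)

    # The effective policy is the merge of every GPO that applies to this computer
    [xml]$xml = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
        $rules = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
        # A collection that is NotConfigured places no restriction on files of that type
        Write-Host ("{0,-7} enforcement={1,-14} rules={2}" -f $rc.Type, $rc.EnforcementMode, $rules.Count)
    }
}

function Test-AppLockerFiles {
    param(
        [Parameter(Mandatory=$true)][string[]]$Path,
        [Parameter(Mandatory=$true)][string]$User
    )
    $policy = Get-AppLockerPolicy -Effective
    # PolicyDecision is Allowed/Denied when a rule matched, or AllowedByDefault/DeniedByDefault when none did
    Test-AppLockerPolicy -PolicyObject $policy -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-AppLockerBlockEvents {
    param([int]$Last = 20)
    # 8003/8006 = would have been blocked (audit only); 8004/8007 = blocked (enforced)
    $logs = @{ 'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003, 8004
               'Microsoft-Windows-AppLocker/MSI and Script' = 8006, 8007 }
    foreach ($log in $logs.Keys) {
        try {
            Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $logs[$log] } -MaxEvents $Last -ErrorAction Stop |
                Select-Object TimeCreated, Id, @{n='Log'; e={$log}}, Message
        } catch { Write-Host "No matching events in $log" }
    }
}

# Usage (assumed names): a file in a user's profile and the package assigned in this practice
Get-AppLockerStatus
Test-AppLockerFiles -User 'Contoso\Adam' -Path 'C:\Users\Adam\Downloads\game.exe', '\\NYC-DC1\Software\XmlNotepad.msi'
Get-AppLockerBlockEvents | Format-Table -AutoSize -Wrap
```

Reading the effective policy rather than a single GPO matters because AppLocker rules from several GPOs are merged on the client; a rule you expect to block may be neutralized by a collection that is left not configured, or may simply never run because the Application Identity service is stopped.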

To prepare for the next practice


When you finish the practice, leave both virtual machines running.


Lesson 2

Troubleshooting Application Operations Issues

An application operation issue is any instance in which an application is not operating as a user expects. Desktop-support personnel should identify the source of an application operation issue, and then resolve it.

Objectives
After completing this lesson, you will be able to:

• Describe application operation issues.
• Describe how to identify application errors.
• Describe methods of resolving application operation issues.
• Describe the ACT.
• Resolve an application compatibility issue by using ACT.


Issues Related to Application Operations

An application operation issue is any situation in which an application does not perform properly from the user's perspective. Some of the issues that you or your users may encounter include:

• Missing features. Many applications let you select which features to install. An application's default installation options may not include the features that all users require.
• Incorrect configuration. An application's post-installation default settings may not be appropriate. You can customize the application's settings, such as the default locations for saving files and folders, to fit your needs.
• Poor performance. Applications may run slower than users expect, either when users perform a specific task or during regular application use.
• Errors. Any error that the application displays on-screen is an application operation issue.
• Incorrect database connection settings. Some applications use a back-end database as a data store. If you do not configure the connection to the database correctly, the application cannot function correctly.
• Application blocking by AppLocker. You can configure AppLocker to allow or block applications on Windows 7 computers. If AppLocker is blocking a legitimate application, then you must resolve the conflict between the rules and the application.


Identifying Application Operations Issues

Issues with application operations affect users' ability to perform their jobs, so you must identify and troubleshoot these issues as quickly and as accurately as possible. Before you deploy an application widely, you should put it through a testing process that includes common user activities. Desktop-support staff often performs this testing. During testing, the application may not function as you expect, which triggers the need for further troubleshooting. After you deploy an application, users are the most common source of information about issues with application operations, because they report their computer-related issues to the help desk.

When you investigate issues with application operations, you can use both on-screen error messages and event logs (the Application log in Event Viewer records application crashes and the errors that applications report). In some cases, these provide enough information to resolve the issue. In other cases, you may need to perform more research, which may include:

• Searching the vendor website.
• Searching the Internet.
• Contacting vendor support.


Resolving Application Operations Issues

Your success in resolving an issue with application operations depends on your accuracy in defining the issue, and then determining how to resolve it. Some ways to resolve issues with application operations include:

• Install a needed feature. If an application feature that a user requires is missing, then you can install it. Ultimately, you must determine whether other users require that feature, and determine the best way to accommodate them. You might need to update the application's installation process, or update an operating-system image that contains the application.
• Reconfigure an application. If an application is configured incorrectly, you can reconfigure it so that it meets the defined specifications. If multiple users require the reconfiguration, you need to determine the best way to update multiple computers. You may decide to update Group Policy, update the application deployment process, or update an operating-system image that contains the application.
• Repair or reinstall an application. If an application is experiencing errors or is unable to start, repairing the application may resolve the issue. A Windows Installer repair (the Repair option in Programs and Features, or msiexec /f) restores missing or older application files to the correct version and rewrites the required computer-specific and user-specific registry entries, but it does not reset settings that the user changed after installation. If an application repair does not resolve the problem, try reinstalling the application.
• Apply application updates. Application updates resolve application operation issues that the application's vendor identifies. Installing application updates in a timely way may prevent some issues with application operations from occurring in your environment, and may also resolve performance issues.


• Upgrade the application to a newer version. Some issues with application operations require you to upgrade to a newer version of the application. For example, to increase performance and access more memory, you may need to upgrade an application to a 64-bit version. New features also are available in newer versions. Depending on how you license the application, there often is a fee associated with obtaining a newer version.
• Identify performance issues and bottlenecks. Performance issues that users report typically are very vague. You need to define the source of a performance issue accurately by using tools such as Performance Monitor. Improving performance may require hardware upgrades, or recommending that users run fewer applications simultaneously on the computer. You also may need to adjust users' performance expectations.
• Reconfigure AppLocker rules. If AppLocker rules are preventing a legitimate application from running, you must reconfigure those rules to allow the application to run, by creating an allow rule for the application's path, its publisher, or its file hash. Prefer a publisher rule when the application is signed: a path rule also allows anything that a user can write into that path, and a hash rule must be updated every time the application is patched.
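The following PowerShell script is an added example, not part of the course material. It implements the "repair or reinstall" step above for a Windows Installer product: it finds the product's ProductCode from the Uninstall registry keys and then runs the same repair that Programs and Features runs, reporting the msiexec exit code so that you know whether to move on to a reinstall. It assumes an elevated PowerShell 2.0 session on Windows 7; the product name in the usage line is an assumption.

```powershell
# Added example (not from the course): find an installed Windows Installer product and
# repair it with msiexec, which is what Repair in Programs and Features runs.
# Assumes an elevated PowerShell 2.0 session on Windows 7; the product name in the
# usage line is an assumption.

function Get-InstalledMsiProduct {
    param([string]$DisplayName = '*')
    # Read the Uninstall keys directly; avoid Win32_Product, which triggers a consistency
    # check (and possible repair) of every installed product each time it is queried.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            # Windows Installer products are keyed by their {ProductCode} GUID and set WindowsInstaller=1
            if ($key.PSChildName -match '^\{[0-9A-F-]{36}\}$' -and $p.WindowsInstaller -eq 1 -and
                $p.DisplayName -like $DisplayName) {
                New-Object PSObject -Property @{
                    ProductCode    = $key.PSChildName
                    DisplayName    = $p.DisplayName
                    DisplayVersion = $p.DisplayVersion
                    Publisher      = $p.Publisher
                }
            }
        }
    }
}

function Repair-MsiProduct {
    param(
        [Parameter(Mandatory=$true)][string]$ProductCode,
        [string]$LogPath = "$env:TEMP\msi-repair.log"
    )
    # /f with reinstall mode "omus" (msiexec's default): replace older and missing files, and
    # rewrite the required computer-specific (m) and user-specific (u) registry entries.
    $argList = "/fomus $ProductCode /qn /norestart /l*v `"$LogPath`""
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $argList -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { 'Repaired' }
        3010    { 'Repaired; a restart is required' }
        1605    { 'Not installed: unknown ProductCode (1605)' }
        1618    { 'Another installation is already in progress (1618)' }
        default { "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
    }
}

# Usage (assumed product name): repair first, and reinstall only if the repair does not help
$product = Get-InstalledMsiProduct -DisplayName 'XML Notepad*' | Select-Object -First 1
if ($product) {
    $product | Format-List ProductCode, DisplayName, DisplayVersion, Publisher
    Repair-MsiProduct -ProductCode $product.ProductCode
} else {
    Write-Warning 'Product not found under HKLM; it may have failed to install, or be a per-user installation'
}
```

The verbose log written by /l*v is the first place to look when a repair returns a non-zero exit code, because the setup UI that users see rarely shows the failing action.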


What Is the Application Compatibility Toolkit?

The ACT is a set of tools that you can use to inventory applications, analyze the compatibility of applications, and mitigate compatibility issues. Organizations typically use ACT when planning a new operating-system deployment, to ensure that all applications function properly. ACT includes features such as:

• A database of known application compatibility issues and resolutions.
• The Compatibility Administrator, which provides compatibility fixes (previously known as shims) that enable older applications to run on newer Windows versions.
• The Setup Analysis Tool, which monitors an application's installation process and identifies issues that relate to installation.
• The Internet Explorer Compatibility Test, which monitors web-based applications and identifies issues that they experience in newer versions of Windows Internet Explorer.
• The Standard User Analyzer (SUA), which identifies issues that relate to running an application as a standard user.
• The Update Compatibility Evaluator, which identifies issues that relate to installing new Windows updates.


Practice: Resolving an Application Compatibility Issue by Using ACT

ACT includes the Standard User Analyzer Wizard that you can use to determine whether applications run correctly for a standard Windows 7 user. The Standard User Analyzer Wizard monitors an application when you run it. If the application experiences errors, then the Standard User Analyzer Wizard creates mitigations that allow the application to run properly. You then can distribute the mitigations to all computers that will use that application. In this practice, you will capture and test mitigations for the Stock Viewer application.

Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and 6293A-NYC-CL1 should be running.

Detailed Steps
Note Stock Viewer is a demonstration application that ACT includes. However, this demonstration uses the same process that you would use to resolve issues with any application.

Verify the application issue


1. On NYC-CL1, log on as Adam with a password of Pa$$w0rd.
2. Click Start, point to All Programs, click Microsoft Application Compatibility Toolkit, click Demo Application, and then click Stock Viewer.
3. In the Permission denied window, click OK.
4. Close Stock Viewer.


Capture mitigations for Stock Viewer


1. Click Start, point to All Programs, click Microsoft Application Compatibility Toolkit, click Developer and Tester Tools, and then click Standard User Analyzer Wizard.
2. In the Standard User Analyzer Wizard window, click Browse for Application, browse to C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Demo Application\StockViewer, click StockViewer, and then click Open.
3. Click Launch.
4. In the User Account Control window, provide the credentials NYC-CL1\WSAdmin with a password of Pa$$w0rd, and then click Yes.
5. In the Permission denied window, click OK.
6. Click the Trends button, and then click OK to clear the error message.
7. Click the Tools menu, and then click Options.
8. Click Continue to clear the error message.
9. Close Stock Viewer.
10. In Standard User Analyzer, click No to indicate that the application encountered errors.

Test mitigations for Stock Viewer


1. In Standard User Analyzer, click Launch.
2. Click the Trends button.
3. Click the Tools menu, and then click Options.
4. Click OK to clear the dialog box.
5. Close Stock Viewer.
6. In Standard User Analyzer, click Yes to indicate that the application encountered no errors.

Export mitigations as an MSI file


1. In Standard User Analyzer, click Export.
2. In the Save Mitigations As msi package window, in the left pane, click Desktop, and then click Save.
3. Click OK to close the message about saving the MSI file.
4. In Standard User Analyzer Wizard, click Exit.
5. Review the files on the desktop. StockViewer.exe.msi is on the desktop. This file contains the mitigations that allow StockViewer.exe to run; you deploy it to every computer that runs the application, for example by using Group Policy software installation as in the previous practice.


To prepare for the lab


When you finish the practice session, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 1-3 for 6293A-NYC-CL1.


Lesson 3

Applying Application and Windows Updates

Deploying updates is an important part of application and operating-system maintenance. Most organizations automate the deployment of updates to ensure that it occurs in a timely way. Windows Server Update Services (WSUS) is a tool that enables you to manage the deployment of updates to Windows 7 computers. You must configure clients to use WSUS to ensure that they receive updates.

Objectives
After completing this lesson, you will be able to:

• Discuss why application updates are important.
• Describe methods of applying application updates.
• Describe how WSUS works.
• Describe the process of configuring clients to use WSUS.
• Describe how to manage WSUS.
• Describe how to use Windows Update.
• Describe the process of troubleshooting Windows Update issues.


Discussion: Why Are Application Updates Important?

Question: Why are application updates important?


Methods of Applying Application Updates

All organizations have a wide variety of applications. You must be aware of how your organization provides software updates to both applications and operating systems.

Applying Application Updates


You can apply application updates:

• Manually. You can download and apply updates manually. However, this is not an efficient method for larger organizations. You should automate the process to ensure that it occurs consistently.
• By using Automatic Updates. Automatic Updates downloads updates for Windows 7 and, when the computer is configured to use Microsoft Update, for some common Microsoft applications such as Microsoft Office 2010. Using Automatic Updates enables you to ensure that updates are downloaded and applied automatically, on a specific schedule. The drawback of Automatic Updates is that there is no approval process to ensure that an update does not negatively affect applications in your organization.
• By using WSUS. WSUS is an automated solution that downloads updates from Microsoft Update, but does not deliver them to computers until an administrator approves the updates. This gives you the opportunity to test updates before they are applied.
• By using Configuration Manager 2007 or other third-party tools. Configuration Manager 2007 and other third-party tools provide an automated way to deploy updates that are available from Microsoft Update and other vendors.
• By using application-specific update tools. Many vendors include update functionality in their applications. These tools help the update process by prompting users to install updates. However, in many cases, standard users do not have the necessary permissions to install updates. Also, users may decline updates if they do not understand the prompts.


How WSUS Works

WSUS is a scalable solution for distributing Windows updates and application updates. Depending on your organization's needs, you can install WSUS on a single server, or you can configure a hierarchy of WSUS servers. The general process for how WSUS works is:

1. WSUS downloads updates from Microsoft Update.
2. Updates are approved for a pilot group of computers.
3. The pilot group of computers downloads and applies updates from WSUS.
4. Updates are approved for all computers.
5. The remaining computers download and apply updates from WSUS.

Controlling the Update Process


When you use WSUS to distribute updates, WSUS downloads the updates from Microsoft Update only once. When you compare using WSUS with downloading updates individually for many computers, WSUS reduces Internet traffic significantly. The approval requirement for updates provides administrators with an opportunity to test updates, and to ensure that a new update does not have a negative impact on existing applications. Microsoft rigorously tests the updates available on Microsoft Update, but is not able to replicate and test all environments. You should pay special attention to negative impacts from updates on any custom software and unique software that your organization develops internally. Another method that you can use to control the update process is to organize computers into multiple computer groups, which is useful for controlling the distribution of updates to specific workgroups or computer types. For example, you could create a computer group for servers, and then create another group for Windows client computers. You then could approve the update either separately for each computer group, or for all computers.


Configuring Clients to Use WSUS

Windows 7 includes Automatic Updates, a built-in tool that allows computers to download and apply software updates automatically. In the default configuration, Automatic Updates obtains the updates from Microsoft Update, which provides Windows and application updates from Microsoft's website. After you implement WSUS, clients do not automatically begin using the WSUS server for updates. You must configure clients to use the WSUS server as a source for updates, rather than Microsoft Update.

To configure clients to use the WSUS server, use a GPO in Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. You can use a GPO to configure:

• The source for automatic updates (Specify intranet Microsoft update service location, which writes the WSUS server URL under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).
• Whether new WSUS clients are added automatically to a computer group (Enable client-side targeting).
• How often automatic updates are detected (Automatic Updates detection frequency).
• What time of day updates are applied (Configure Automatic Updates).
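The following PowerShell script is an added example, not part of the course material. It writes the same registry values that the four GPO settings above write, for a computer that is not domain-joined (a mobile computer or a remote-site computer that is configured manually), validates the inputs, and restarts the Automatic Updates service so that the new source takes effect immediately. It assumes an elevated PowerShell 2.0 session on Windows 7; the server URL and computer-group name in the usage line are assumptions.

```powershell
# Added example (not from the course): write the registry values behind the Windows Update
# GPO settings for a computer that is not domain-joined. Assumes an elevated PowerShell 2.0
# session on Windows 7; the server URL and group name in the usage line are assumptions.

function Set-WsusClientPolicy {
    param(
        [Parameter(Mandatory=$true)][string]$WsusUrl,          # e.g. http://nyc-dc1.contoso.com:8530
        [string]$TargetGroup,                                   # computer group for client-side targeting
        [ValidateRange(1,22)][int]$DetectionFrequencyHours = 22,
        [ValidateSet(2,3,4,5)][int]$AUOption = 4,               # 2 notify, 3 download, 4 scheduled install, 5 user chooses
        [ValidateRange(0,7)][int]$ScheduledInstallDay = 0,      # 0 every day, 1 Sunday ... 7 Saturday
        [ValidateRange(0,23)][int]$ScheduledInstallTime = 3     # hour of the day (24-hour clock)
    )
    $uri = [Uri]$WsusUrl
    if ('http','https' -notcontains $uri.Scheme) { throw "WSUS URL must be http or https: $WsusUrl" }
    $server = $uri.AbsoluteUri.TrimEnd('/')

    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    foreach ($key in $wu, $au) { if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null } }

    # "Specify intranet Microsoft update service location"
    Set-ItemProperty -Path $wu -Name WUServer       -Value $server
    Set-ItemProperty -Path $wu -Name WUStatusServer -Value $server
    Set-ItemProperty -Path $au -Name UseWUServer    -Value 1 -Type DWord

    # "Enable client-side targeting"
    if ($TargetGroup) {
        Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1 -Type DWord
        Set-ItemProperty -Path $wu -Name TargetGroup        -Value $TargetGroup
    } else {
        Remove-ItemProperty -Path $wu -Name TargetGroupEnabled, TargetGroup -ErrorAction SilentlyContinue
    }

    # "Configure Automatic Updates"
    Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0 -Type DWord
    Set-ItemProperty -Path $au -Name AUOptions            -Value $AUOption -Type DWord
    Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value $ScheduledInstallDay -Type DWord
    Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value $ScheduledInstallTime -Type DWord

    # "Automatic Updates detection frequency"
    Set-ItemProperty -Path $au -Name DetectionFrequencyEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $au -Name DetectionFrequency        -Value $DetectionFrequencyHours -Type DWord

    # The Automatic Updates client reads policy when it starts, so restart it to apply the change now
    Restart-Service -Name wuauserv

    $w = Get-ItemProperty -Path $wu
    $a = Get-ItemProperty -Path $au
    New-Object PSObject -Property @{
        WUServer             = $w.WUServer
        TargetGroup          = $w.TargetGroup
        UseWUServer          = $a.UseWUServer
        AUOptions            = $a.AUOptions
        ScheduledInstallDay  = $a.ScheduledInstallDay
        ScheduledInstallTime = $a.ScheduledInstallTime
        DetectionFrequency   = $a.DetectionFrequency
    }
}

# Usage (assumed server and group)
Set-WsusClientPolicy -WsusUrl 'http://nyc-dc1.contoso.com:8530' -TargetGroup 'Pilot' | Format-List
```

On a domain-joined computer, do not use this script: the values live under the Policies key, so Group Policy overwrites them at the next refresh, and the GPO is the place to make the change.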


WSUS Administration

You use the Update Services administrative tool to administer WSUS. This tool is installed on the WSUS server as part of the WSUS installation process. The nodes in Update Services let you configure various aspects of WSUS, including:

• Updates. This node allows you to view and manage the updates that WSUS has synchronized. You can approve or decline each update, see which computers need it or have installed it, and approve an update for removal.
• Computers. Computers that contact the WSUS server appear in this node. After a computer is visible in this node, you can place the computer into a computer group.
• Downstream Servers. This node is useful for larger organizations that want to configure synchronization of updates between WSUS servers. This enables you to have a central point to which WSUS downloads all updates and then distributes them to other WSUS servers.
• Synchronizations. This node provides status information about synchronization attempts with Microsoft Update. You should check this node if new updates are not appearing in the Updates node.
• Reports. This node provides a variety of reports on update status, including which computers have installed or still need each update.
• Options. This node enables you to configure various WSUS settings, including the products for which you want to download updates, and how often synchronization occurs.


Working with Windows Update

You can use Windows Update in Control Panel to manage the updates that are applied to a computer running Windows 7. In most organizations, the configuration of Windows Update is managed by using Group Policy. However, there may be some cases where mobile computers or computers in remote sites are configured manually. Windows Update includes the following options:

• Check for updates. In most cases, updates are downloaded daily on a schedule, but you can force Windows Update to check for updates if you believe a new update is available and you want to download it immediately.
• Change settings. The settings for Windows Update define the download and install schedule. In most cases, the updates install after hours, when no users are working on the computers.
• View update history. This option allows you to view all of the updates that successfully installed on the computer, and those that failed to install properly. For each update listed, you can view details about it and a brief description of the installed update. The details contain a link to a more detailed description on Microsoft's website that you can use during troubleshooting.
• Restore hidden updates. You can choose to hide an update, as long as the update is available and is not set to install automatically. After you do this, the update no longer appears in the list of available updates. If you decide later that the update should be installed, you can use the Restore hidden updates option to make it visible and available for installation.
• Installed Updates. You can use this option to display a list of all updates that are installed on the computer, including the installation date for each update. Installed Updates also gives you the option to uninstall an update. Typically, you should only uninstall updates when you believe a recently installed update is causing issues with Windows 7 or an application, and you should reinstall a corrected version as soon as one is available, because an uninstalled security update leaves the vulnerability that it addresses open again.

You typically use the options in Windows Update during troubleshooting, or for computers that are not using WSUS for updates. Updates that WSUS installed can also be removed through WSUS, by approving the update for removal, provided that the update supports uninstallation.
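The following PowerShell script is an added example, not part of the course material. It reads the same update history that View update history displays, through the Windows Update Agent COM API that is built into Windows 7, isolates the failed installations with their HRESULT values (the value to search for on Microsoft's website), and removes a single update with wusa.exe, which is what the Uninstall button in Installed Updates runs. It assumes PowerShell 2.0 on Windows 7 running elevated for the removal; no specific KB number is assumed, so the removal call is left for you to complete.

```powershell
# Added example (not from the course): read the local update history, isolate failures with
# their HRESULT, and remove one update with wusa.exe. Assumes PowerShell 2.0 on Windows 7
# (elevated for the removal). No real KB number is given; supply your own.

function Get-UpdateHistory {
    param([int]$Last = 50, [switch]$FailedOnly)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return @() }
    $count = [Math]::Min($Last, $total)
    # IUpdateHistoryEntry.ResultCode: 1 InProgress, 2 Succeeded, 3 SucceededWithErrors, 4 Failed, 5 Aborted
    $results    = @{ 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
    $operations = @{ 1 = 'Install'; 2 = 'Uninstall' }
    $entries = @()
    foreach ($e in $searcher.QueryHistory(0, $count)) {
        $entries += New-Object PSObject -Property @{
            Date      = $e.Date
            Operation = $operations[[int]$e.Operation]
            Result    = $results[[int]$e.ResultCode]
            # The HRESULT, shown as the usual 0x8xxxxxxx form, is the value to research for a failure
            HResult   = ('0x{0:X8}' -f $e.HResult)
            Title     = $e.Title
            Source    = $e.ClientApplicationID        # AutomaticUpdates, wusa, or a management agent
        }
    }
    if ($FailedOnly) { $entries = $entries | Where-Object { $_.Result -eq 'Failed' } }
    $entries | Sort-Object Date -Descending
}

function Uninstall-UpdateByKb {
    param([Parameter(Mandatory=$true)][int]$KbNumber)
    if (-not (Get-HotFix -Id "KB$KbNumber" -ErrorAction SilentlyContinue)) {
        Write-Warning "KB$KbNumber is not installed"
        return $false
    }
    # /quiet suppresses the wizard; /norestart lets you schedule the restart (exit code 3010 = restart pending)
    $proc = Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$KbNumber /quiet /norestart" -Wait -PassThru
    if ($proc.ExitCode -eq 0 -or $proc.ExitCode -eq 3010) { return $true }
    Write-Warning "wusa.exe returned exit code $($proc.ExitCode)"
    return $false
}

# Usage: list recent failures; remove an update only after you have identified it as the cause
Get-UpdateHistory -Last 100 -FailedOnly | Format-Table Date, HResult, Source, Title -AutoSize -Wrap
# Uninstall-UpdateByKb -KbNumber <number taken from the history>
```

The Source column tells you which client installed the update, which matters on a WSUS-managed computer: a failure recorded under AutomaticUpdates is a WSUS deployment problem to look at on the server, whereas a wusa entry was a manual installation on that computer.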


Troubleshooting Windows Update Issues

When Windows Update is not working properly, new updates are not applied to computers running Windows 7. This can leave security vulnerabilities unpatched and prevent stability issues from being resolved. To troubleshoot Windows Update, use the following steps:

1. Verify that Windows Update is enabled. Windows Update must be enabled for updates to be downloaded and applied. If your organization is using a GPO to configure Windows Update and it is not enabled, then you must determine why the GPO is not being applied properly (gpresult /r on the client lists the GPOs that were applied).
2. Verify that updates are being installed automatically. To ensure that users do not need to choose manually when to install updates, configure updates to install automatically.
3. Verify that recommended updates are being installed. If recommended updates are not configured to be installed, then only important updates are installed, and many updates are missed.

If you are using WSUS to distribute updates, you should also perform the following steps:

1. Verify that the client is registered on the WSUS server. A WSUS server can only distribute updates to registered clients. Clients are registered the first time they communicate with the WSUS server. If the client is not registered, then it is likely not configured correctly for communication with the WSUS server.
2. Verify that the client is in the appropriate computer group. WSUS updates are approved for specific computer groups. If a client computer is in the wrong computer group, then it will not obtain the appropriate updates.
3. Verify that the update has been approved for the appropriate computer group. If the update has not been approved for the correct computer group, then it will not be installed on client computers.


4. Verify that the WSUS server is reachable over the network. If the WSUS configuration appears to be correct, there may be a network problem that is preventing Windows 7 from communicating with the WSUS server. To trigger an immediate detection cycle against Windows Update or a WSUS server, run wuauclt.exe /detectnow, and then check %windir%\WindowsUpdate.log (and the Computers node of the WSUS console) to confirm that the client contacted the server. Also, you can run wuauclt.exe /resetauthorization /detectnow to force a client to re-read its computer-group membership immediately; otherwise the client caches its authorization cookie, and a group change can take up to one hour to take effect.
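The following PowerShell script is an added example, not part of the course material. It runs the client-side checks from the steps above on a Windows 7 computer: the applied Windows Update policy, the Automatic Updates service, TCP and HTTP reachability of the WSUS server, an optional forced detection with wuauclt.exe, and the relevant lines of the client's own log. It assumes an elevated PowerShell 2.0 session; the WSUS URL is read from the policy registry keys, and the client web-service path and log markers are those that WSUS 3.0 clients use.

```powershell
# Added example (not from the course): run the client-side WSUS checks on a Windows 7 computer.
# Assumes an elevated PowerShell 2.0 session; the WSUS URL is read from the policy keys, and the
# ClientWebService path and the log markers are the ones WSUS 3.0 clients use.

function Test-WsusClient {
    param([switch]$ForceDetection)
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $w  = Get-ItemProperty -Path $wu      -ErrorAction SilentlyContinue
    $a  = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue

    # Is Automatic Updates enabled, and is it pointed at the WSUS server rather than Microsoft Update?
    if (-not $a) { Write-Warning 'No Windows Update policy is applied to this computer (check gpresult /r)'; return $false }
    if ($a.NoAutoUpdate -eq 1) { Write-Warning 'Automatic Updates is disabled by policy (NoAutoUpdate=1)' }
    if ($a.UseWUServer -ne 1 -or -not $w.WUServer) {
        Write-Warning 'UseWUServer/WUServer not set: the client will try Microsoft Update, not WSUS'
        return $false
    }
    $group = '(server-side targeting)'
    if ($w.TargetGroupEnabled -eq 1) { $group = $w.TargetGroup }
    Write-Host ("WSUS server {0}; target group {1}; AUOptions {2}" -f $w.WUServer, $group, $a.AUOptions)

    $svc = Get-Service -Name wuauserv
    if ($svc.Status -ne 'Running') { Write-Warning "wuauserv is $($svc.Status); starting it"; Start-Service -Name wuauserv }

    # Reachability: TCP connect to the WSUS port, then an HTTP GET of the client web service
    $uri = [Uri]$w.WUServer
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($uri.Host, $uri.Port); $tcp.Close() }
    catch {
        Write-Warning ("Cannot connect to {0}:{1} (DNS, firewall or server down): {2}" -f $uri.Host, $uri.Port, $_.Exception.Message)
        return $false
    }
    try {
        $req = [System.Net.HttpWebRequest]::Create("$($uri.AbsoluteUri.TrimEnd('/'))/ClientWebService/client.asmx")
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        Write-Host "ClientWebService answered HTTP $([int]$resp.StatusCode)"
        $resp.Close()
    } catch { Write-Warning "WSUS web service did not answer: $($_.Exception.Message)"; return $false }

    if ($ForceDetection) {
        # /resetauthorization discards the cached authorization cookie so that a group change is seen now;
        # /detectnow starts a detection cycle immediately instead of waiting DetectionFrequency hours
        & wuauclt.exe /resetauthorization /detectnow
        Start-Sleep -Seconds 30
    }

    # The client's own log: "Server URL" lines show the server it actually contacted, and
    # WARNING/FATAL lines carry the error codes to research
    Get-Content -Path "$env:windir\WindowsUpdate.log" |
        Select-String -Pattern 'Server URL|WARNING|FATAL' |
        Select-Object -Last 15 |
        ForEach-Object { Write-Host $_.Line }
    return $true
}

# Usage: check first, then force a detection once the configuration and connectivity look right
Test-WsusClient -ForceDetection
```

The checks run in the order in which a failure would mask the later ones: a client that is still pointed at Microsoft Update never reaches the server, and a server that is unreachable never registers the client, so there is nothing to look for in the WSUS console until both are fixed.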


Lab: Troubleshooting Operating System and Application Issues

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Repeat steps 2 and 3 for 6293A-NYC-CL1 and 6293A-NYC-CL2.

Lab Scenario
The help desk has received a number of trouble tickets that relate to applications. Because you are the desktop-support technician that has the most experience with application issues, the tickets have been assigned to you.


Exercise 1: Troubleshooting Windows Updates


Scenario
In this exercise, you will troubleshoot and attempt to resolve a Windows Update problem that Tier 1 help-desk staff could not resolve.

Note Some of the tasks that you perform to complete this exercise may not typically be the responsibility of Tier 2 support staff. However, it is useful to see the completed scenario.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 603193.
2. Update the Plan of Action section of the Incident Record.
3. Attempt to resolve the problem.

Supporting Documentation
Incident Record

Incident Reference Number: 603193
Date of Call: April 14
Time of Call: 08:20
User: All computers
Status: OPEN

Incident Details
Client computers and servers are not obtaining Windows updates from the new WSUS server.

Additional Information
The new WSUS server is implemented, and it is successfully downloading updates from Microsoft Update. However, the updates are not being delivered to client computers. We recently blocked access to Microsoft Update for client computers to ensure that they were using the WSUS server for updates. You can force connectivity to the WSUS server by running wuauclt.exe /detectnow on the client computer. You can verify that the client connected to the WSUS server by checking the WindowsUpdateClient event log for Event ID 26. You also can verify that the computer is listed in the Windows Automatic Updates Services administrative tool on NYC-DC1.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 603193


Read the help-desk Incident Record for incident 603193.


Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Attempt to resolve the problem


1. Using your knowledge of WSUS configuration, attempt to resolve the problem.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:
   • On the host computer, start Hyper-V Manager.
   • Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   • In the Revert Virtual Machine dialog box, click Revert.
   • Repeat these steps for 6293A-NYC-CL1.
   • In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
   • In the Actions pane, click Connect. Wait until the virtual machine starts.
   • Log on by using the following credentials:
     User name: Administrator
     Password: Pa$$w0rd
     Domain: Contoso
   • Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have resolved the issue with Windows updates.


Exercise 2: Troubleshooting AppLocker Policy Application


Scenario
In this exercise, you will troubleshoot and attempt to resolve a reported problem with the application of an AppLocker policy that Tier 1 help-desk staff could not resolve.

Note Some of the tasks that you perform to complete this exercise may not typically be the responsibility of Tier 2 support staff. However, it is useful to see the completed scenario.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 603210.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Supporting Documentation
Incident Record

Incident Reference Number: 603210
Date of Call: April 14
Time of Call: 11:33
User: Marketing Manager
Status: OPEN

Incident Details
Unauthorized applications are being used on computers.

Additional Information
We have recently implemented AppLocker policies to control the use of applications. In testing, the default rules were configured, which prevented most unauthorized applications from running. A manager has reported that several of his staff are playing games that are not authorized. It appears that the users have brought in the games on USB flash drives. I browsed Adam Carter's profile on NYC-CL1, and he has a game stored in the Downloads folder. Please identify why these are not being blocked in production like they were in testing.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 603210


Read the help-desk Incident Record for incident 603210.


Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.
2. Run the D:\Labfiles\Mod09\Scenario3.vbs script. NYC-CL1 will reboot when you run this script.

Task 4: Attempt to resolve the problem


1. Using your knowledge of AppLocker configuration, attempt to resolve the problem.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note: It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:
   On the host computer, start Hyper-V Manager.
   Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   In the Revert Virtual Machine dialog box, click Revert.
   Repeat these steps for 6293A-NYC-CL1.
   In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
   In the Actions pane, click Connect.
   Wait until the virtual machine starts.
   Log on by using the following credentials:
      User name: Administrator
      Password: Pa$$w0rd
      Domain: Contoso
   Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have prevented unauthorized applications from starting.


Exercise 3: Troubleshooting Application Startup


Scenario
In this exercise, you will troubleshoot and attempt to resolve a reported problem with an AppLocker policy application that Tier 1 help-desk staff could not resolve.

Note: Some of the tasks that you perform to complete this exercise may not typically be the responsibility of Tier 2 support staff. However, it is useful to see the completed scenario.

The main tasks for this exercise are:
1. Read the help-desk Incident Record for Incident 603220.
2. Update the Plan of Action section of the Incident Record.
3. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 603220
Date of Call: April 14
Time of Call: 13:15
User: Marketing Manager
Status: OPEN

Incident Details
An authorized application is not able to run.

Additional Information
After resolving incident 603220, it appears that a legitimate application is being blocked. The Marketing Manager is reporting that Adam is no longer able to run his game on NYC-CL1, but now also cannot run an XML editing application. The executable for this application is located in C:\XMLNotepad. Please identify why the application is not running, and then resolve the issue.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 603220


Read the help-desk Incident Record for incident 603220.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.


Task 3: Attempt to resolve the problem


1. Using your knowledge of AppLocker configuration, attempt to resolve the problem.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Note: It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:
   On the host computer, start Hyper-V Manager.
   Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
   In the Revert Virtual Machine dialog box, click Revert.
   Repeat these steps for 6293A-NYC-CL1.
   In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
   In the Actions pane, click Connect.
   Wait until the virtual machine starts.
   Log on by using the following credentials:
      User name: Administrator
      Password: Pa$$w0rd
      Domain: Contoso
   Repeat these steps for 6293A-NYC-CL1.
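The following Windows PowerShell script is an added example for both AppLocker exercises (Exercise 2 and Exercise 3); it is not part of the 6293A lab files. Run in an elevated session on NYC-CL1, it checks that the Application Identity service is running, asks the effective AppLocker policy what it would decide for the executables in C:\XMLNotepad and in Adam's Downloads folder, and lists the most recent AppLocker allow, audit and block events. It assumes the AppLocker module that ships with Windows 7 and, because the lab does not state them, the account name Contoso\Adam and the profile folder C:\Users\Adam.

```powershell
# Added example for the AppLocker exercises; not part of the 6293A lab files.
# Run in an elevated Windows PowerShell session on NYC-CL1.
Import-Module AppLocker

# 1. AppLocker enforces nothing unless the Application Identity service is running.
#    A stopped or disabled service is one reason a policy that blocked games in
#    testing has no effect in production.
$appId     = Get-Service -Name AppIDSvc
$startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'").StartMode
"Application Identity service: {0} (start type: {1})" -f $appId.Status, $startMode

# 2. Ask the effective policy (local policy merged with domain GPOs) what it would
#    decide for each executable of interest, evaluated as the affected user.
#    Assumed values: account Contoso\Adam and profile folder C:\Users\Adam.
$user  = 'Contoso\Adam'
$paths = Get-ChildItem -Path 'C:\XMLNotepad', 'C:\Users\Adam\Downloads' -Recurse -Include *.exe -ErrorAction SilentlyContinue |
         Select-Object -ExpandProperty FullName

if ($paths) {
    # PolicyDecision reports Allowed or Denied and MatchingRule names the rule that decided.
    # The game in Downloads sits outside Program Files and Windows, so the default rules
    # deny it; a legitimate tool in C:\XMLNotepad is denied for the same reason until a
    # publisher, hash or path rule allows it.
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $paths -User $user |
        Format-Table -AutoSize FilePath, PolicyDecision, MatchingRule
}

# 3. What the engine actually logged. Event 8004 = blocked (enforce mode),
#    8003 = would have been blocked (audit-only collections never block),
#    8002 = allowed.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8002, 8003, 8004
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

If step 2 shows Denied for every file but no 8004 events appear in step 3, the rule collection is not being enforced on this computer (service stopped, or the collection is in audit-only mode), which is the production-versus-testing gap the incident describes.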

Results: After this exercise, you will have resolved the problem with application startup.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.


Module Review and Takeaways

Review Questions
1. Your manager has provided you with a new application that you need to install for users in the Production department. To ensure that you can install it on all the computers, you need a list of installation prerequisites. Where can you find the prerequisites?
2. A colleague is concerned that because standard users cannot install applications, you then cannot automate installation. Why is this not a concern?
3. A new application has been deployed for Marketing department users. For several users, the application is not starting, and then it closes silently. What sources will you use to determine the problem's source?
4. Before deploying Windows 7 computers to the Marketing department, you find during testing that an older application experiences errors. What can you use to help identify the problem's source and mitigate it?
5. Your organization implements many non-Microsoft applications. A colleague has proposed using WSUS to deploy application and operating-system updates. Are there any potential issues that may arise if you use WSUS?

9-40

Troubleshooting and Supporting Windows 7 in the Enterprise

Tools
Tool: System Center Configuration Manager 2007
Use for: Deploying applications and application updates
Where to find it: You must install additional software

Tool: TS RemoteApp
Use for: Deploying applications without installing them on a client
Where to find it: You must install additional software on a server

Tool: Application Compatibility Toolkit
Use for: Identifying and mitigating older applications that do not run properly on Windows 7
Where to find it: You must install additional software

Tool: Msiexec.exe
Use for: Interacting directly with Windows Installer
Where to find it: Command-line

Tool: Windows Server Update Services
Use for: Deploying updates to computers
Where to find it: Role installed on Windows Server 2008


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.


Module 2: Troubleshooting Startup Issues

Lab: Troubleshooting Startup Issues


Exercise 1: Resolving a Startup Problem (1)
Task 1: Read the help-desk Incident Record for Incident 601237
Read the help-desk Incident Record for incident 601237.

Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 601237
Date of Call: February 21
Time of Call: 10:45
User: Adam Carter (Production Department)
Status: OPEN

Incident Details
Adam Carter has reported that his computer will not start properly.

Additional Information
Adam has been trying to install an additional operating system on his computer so that he can run a specific line-of-business application. He abandoned the installation after getting only partly through the process. Since then, his computer displays the following error message when it starts:

Windows Boot Manager
File: \Boot\BCD
Status: 0xc0000034
Info: The Windows Boot Configuration Data (BCD) file is missing required information.

Plan of Action
1. Visit with the user, and view the error on his computer.
2. Insert product DVD, and restart the computer.
3. Use Microsoft Windows Recovery Environment (RE) to recover the startup environment automatically.

Task 3: Simulate the problem


1. Switch to NYC-CL1.
2. Log on by using the following credentials:
   User name: Contoso\Administrator
   Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod02\Scenario1.vbs script.
4. Wait while NYC-CL1 restarts.


Task 4: Attempt to resolve the problem


1. Switch to NYC-CL1.
2. On your host computer, in the 6293A-NYC-CL1 on localhost Virtual Machine Connection dialog box, on the Media menu, point to DVD Drive, and then click Insert Disk.
3. In the Open dialog box, in the File name box, type C:\Program Files\Microsoft Learning\6293\Drives\Windows7.iso, and then click Open.
4. On the Action menu, click Turn Off. In the dialog box, click Turn Off.
5. On the Action menu, click Start.
6. When you see the Press any key to boot from CD or DVD message, press Spacebar. Setup loads.
7. When prompted, in the Install Windows dialog box, click Next.
8. On the Install now page, click Repair your computer.
9. In the System Recovery Options dialog box, click Repair and restart.
10. Log on by using the following credentials:
    User name: NYC-CL1\WSAdmin
    Password: Pa$$w0rd

Resolution
1. Corrupted BCD resulted in failure to start correctly.
2. Used DVD to repair BCD automatically.

Results: At the end of this exercise, you will have resolved the startup problem and documented your solution.


Exercise 2: Resolving a Startup Problem (2)


Task 1: Read the help-desk Incident Record for Incident 601338
Read the help-desk Incident Record for Incident 601338.

Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 601338
Date of Call: February 23
Time of Call: 13:30
User: Martin Berka (Marketing Department)
Status: OPEN

Incident Details
Martin contacted the help desk after attempting to install a new hard disk driver. Since the attempt, his computer does not start correctly.

Additional Information
Help-desk staff recorded the following message:

A problem has been detected, and Windows has been shut down to prevent damage to your computer.
Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers.
Technical information:
*** STOP: 0x0000007B (0x8078BB58,0xC0000034,0x0000000,0x00000000)

Plan of Action
1. Visit the user, and attempt to recreate the problem on his computer.
2. Based on the error, use one of the following tools to recover the system: Safe Mode, Windows RE, Last Known Good, and similar tools.

Task 3: Simulate the problem


1. Switch to NYC-CL1.
2. Run the D:\Labfiles\Mod02\Scenario2.vbs script. If necessary, in the User Account Control window, click Yes.
3. Wait while NYC-CL1 restarts.

Task 4: Attempt to resolve the problem


1. On your host computer, in the 6293A-NYC-CL1 on localhost Virtual Machine Connection dialog box, on the Media menu, point to DVD Drive, and then click Eject Windows7.iso.
2. On the Action menu, click Turn Off.
3. On the Action menu, click Start.


4. Immediately press F8. The Advanced Boot Options menu loads.

Note: If the Advanced Boot Options menu does not display, ask your instructor for assistance.

5. Select Last Known Good Configuration (advanced), and then press Enter.

Resolution
1. Used Last Known Good Configuration to recover.
2. Safe mode and Windows RE were unsuccessful.

Results: At the end of this exercise, you will have resolved the startup problem and documented your solution.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1.


Module 3: Using Group Policy to Centralize Configuration

Lab: Using Group Policy to Centralize Configuration


Exercise 1: Resolve Group Policy Application (1)
Task 1: Read the help-desk Incident Record for Incident 602085
Read the help-desk Incident Record for Incident 602085.

Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 602085
Date of Call: Feb 25
Time of Call: 14:45
User: Alan Brewer (Research)
Status: OPEN

Incident Details
User reports that research lab configuration is not being applied properly to a new computer named NYC-CL1.

Additional Information
User reports that a new computer being used in the research computer lab is not configured properly. All other computers in the lab, such as NYC-LAB1, have the standardized settings applied properly. I have verified that the computer is properly joined to the domain. Looking at NYC-LAB1, I can see that there is a desktop shortcut for the Analysis application. If this icon appears on the desktop, then we know that the settings are being applied properly. This setting should apply regardless of the user that logs on.

Plan of Action
1. Verify the configuration for NYC-LAB1, and ensure that NYC-CL1 has the same configuration.
2. Resultant Set of Policy (RSoP) from Group Policy Modeling will provide configuration information for NYC-LAB1.

Task 3: Attempt to resolve the problem


1. Switch to the NYC-DC1 computer.
2. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
3. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
4. In Active Directory Users and Computers, expand Contoso.com, and then click Computers.
5. Right-click NYC-CL1, and then click Move.


6. In the Move window, expand Research, click Lab, and then click OK.
7. Close Active Directory Users and Computers.
8. Restart NYC-CL1.
9. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
10. Verify that the desktop shortcut for the Analysis application exists.

Resolution
1. RSoP from Group Policy Modeling indicates that NYC-LAB1 has a Group Policy object (GPO) named ResearchLab applied.
2. The ResearchLab GPO is linked to Contoso.com/Research/Lab. NYC-CL1 is located in the Computers container, and will not apply the ResearchLab GPO.
3. Moved the NYC-CL1 computer account to Contoso.com/Research/Lab, and then rebooted the computer.

Results: At the end of this exercise, you will have resolved the GPO application problem.


Exercise 2: Resolve Group Policy Application (2)


Task 1: Read the help-desk Incident Record for Incident 602086
Read the help-desk Incident Record for Incident 602086.

Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 602086
Date of Call: Feb 26
Time of Call: 9:07
User: Alan Brewer (Research)
Status: OPEN

Incident Details
User reports that his drive mapping has not been updated with the new file share for his department.

Additional Information
The user (Alan) is not receiving the drive mapping (R:) for the new research department share on his computer NYC-CL2. Other people in his department are not experiencing any issues. I have checked with the Active Directory administrators, and his computer account is in the correct OU. So the location of the computer account is not an issue. I also verified that he can manually access the files by using the UNC path at \\NYC-DC1\Research. We rebooted the computer with no improvement.

Plan of Action
1. Visit the user's computer and attempt to determine why the new policy is not being applied.
2. First, run gpupdate.exe to see the error.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.
2. Run the D:\Labfiles\Mod03\Scenario2.vbs script. This script causes NYC-CL2 to restart.
3. Close all open windows on NYC-CL1.
4. Wait while NYC-CL2 restarts.

Task 4: Attempt to resolve the problem


1. Switch to the NYC-CL2 computer.
2. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
3. Click Start, right-click Computer, and then click Properties.
4. In the System window, in the Computer name, domain, and workgroup settings area, click Change settings.


5. In the System Properties window, on the Computer Name tab, click Change.
6. In the Computer Name/Domain Changes window, click Workgroup.
7. In the Workgroup box, type TEMP, and then click OK.
8. Click OK to acknowledge the warning.
9. Click OK to clear the welcome message.
10. Click OK to clear the message about restarting.
11. In the System Properties window, on the Computer Name tab, click Change.
12. In the Computer Name/Domain Changes window, click Domain.
13. In the Domain box, type Contoso.com, and then click OK.
14. In the Windows Security window, log on as Administrator with a password of Pa$$w0rd.
15. Click OK to clear the welcome message.
16. Click OK to clear the message about restarting.
17. In the System Properties window, click Close.
18. Click Restart Now.
19. Log on using the following credentials:
    User name: Alan
    Password: Pa$$w0rd
    Domain: Contoso
20. Click Start, and then click Computer.
21. Verify that the drive letter R: is mapped to the research share.

Resolution
1. Ran GPUpdate, and saw an error related to processing for the computer account.
2. The Group Policy event log indicated that account information could not be retrieved.
3. The System event log had a NETLOGON error indicating that the computer password may be a problem.
4. Rejoined the domain and the problem is resolved; the user was logging on with cached credentials.
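The following Windows PowerShell script is an added example for both Group Policy exercises (Exercise 1 and Exercise 2); it is not part of the 6293A lab files. Run in an elevated session on the affected client, it reports where the computer account sits in Active Directory (the Computers container problem of Exercise 1), tests and optionally repairs the secure channel whose failure produced the NETLOGON error in Exercise 2, summarizes the GPOs that applied to the computer, and pulls the matching Group Policy and NETLOGON error events. Test-ComputerSecureChannel -Repair resets the computer account password in place, which is an alternative to the domain rejoin the answer key uses; Contoso\Administrator is the account the lab logs on with, and the ADSI query is an assumption chosen so that no RSAT module is needed on the client.

```powershell
# Added example for the Group Policy exercises; not part of the 6293A lab files.
# Run in an elevated Windows PowerShell session on the affected client (NYC-CL1 or NYC-CL2).

# 1. Where does Active Directory hold this computer's account? A machine left in the
#    default Computers container never receives GPOs linked to the Research\Lab OU.
#    Queried through ADSI so that no RSAT module is needed on the client.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(cn=$env:COMPUTERNAME))"
$result = $searcher.FindOne()
if ($result) { "Computer account DN: " + $result.Properties['distinguishedname'][0] }
else         { "Computer account for $env:COMPUTERNAME was not found in the domain" }

# 2. Is the secure channel to the domain healthy? A broken channel (for example a
#    computer account password that no longer matches) shows up as NETLOGON errors,
#    Group Policy failing to read the computer account, and users logging on with
#    cached credentials even though "everything else" seems to work.
$channelOk = Test-ComputerSecureChannel
"Secure channel to the domain OK: $channelOk"
if (-not $channelOk) {
    # Repair resets the computer account password in place. The lab's answer key
    # rejoins the domain instead; both approaches re-establish the channel.
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'Contoso\Administrator')
}

# 3. Which GPOs actually applied to the computer and which were filtered out.
gpresult /r /scope computer

# 4. Most recent Group Policy and NETLOGON errors (Level 2 = Error). This is where the
#    lab found the "account information could not be retrieved" and password messages.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'
        Level   = 2
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Level = 2
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```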

Results: At the end of this exercise, you will have resolved the GPO application problem.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.


Module 4: Troubleshooting Hardware Device, Device Driver, and Performance Issues

Lab A: Resolving Hardware Device and Device Driver Issues


Exercise 1: Resolving Hardware Issues
Task 1: Read the help-desk Incident Record for Incident 602101
Read the help-desk Incident Record for Incident 602101.

Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 602101
Date of Call: March 1
Time of Call: 10:03
User: Bobby Moore (Production Department)
Status: OPEN

Incident Details
User reports that his computer mouse is nonfunctional.

Additional Information
User reports that he attempted to install a new mouse, but abandoned the installation midway through the process. I visited the user's computer and was unable to resolve the problem, as the mouse was totally nonfunctional. System Restore is unavailable because it is currently disabled.

Plan of Action
Visit the user's computer, and attempt to resolve the problem by trying driver rollback, if necessary, with Safe Mode.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.
2. Run the D:\Labfiles\Mod04\Scenario1.vbs script.
3. Wait while the NYC-CL1 computer restarts.

Task 4: Attempt to resolve the problem


1. Switch to the NYC-CL1 computer.

Note: On your host, in the 6293A-NYC-CL1 on localhost Virtual Machine Connection window, on the View menu, click Full Screen Mode.


2. Log on using the following credentials:
   User name: NYC-CL1\WSAdmin
   Password: Pa$$w0rd
3. Press the Windows key, and in the Search box, type Device Manager, and then press Enter.
4. Press Tab.
5. Use the cursor keys to navigate to Microsoft PS/2 Mouse.
6. Press Alt+Enter.
7. In the Microsoft PS/2 Mouse Properties dialog box, press Tab until the General tab is highlighted.
8. Use the cursor key to select the Driver tab.
9. Press Alt+U.
10. In the Confirm Device Uninstall dialog box, press Enter.
11. Repeat steps 5 through 10 for the HID-compliant mouse.
12. Press the Windows key, and in the Search box, type shutdown /r, and then press Enter. Wait while the NYC-CL1 computer restarts.
13. Log on using the following credentials:
    User name: NYC-CL1\WSAdmin
    Password: Pa$$w0rd
14. Open Device Manager, and then verify that the mouse is now functioning.

Resolution
1. Last Known Good and Safe Mode were unsuccessful.
2. Driver rollback and System Restore were both unavailable.
3. Manually uninstalling the mouse and restarting the computer resolved the issue.
4. Suggest we enable System Restore on all computers, and control driver installation for users.

Results: At the end of this exercise, you will have resolved the hardware problem.


Exercise 2: Configuring Group Policy to Control Device Installation (Optional)


Task 1: Read the email from Ed Meadows
1. Read the email in the supporting documentation section.
2. Determine a course of action.
3. Answer the questions in the Group Policy object (GPO) Planning Document.
4. If necessary, discuss your plans with the class.

GPO Planning Document
Reference: CW050511/1
Date: March 5

Details
Update GPO settings to:
   Restrict all users to be able to install only printer drivers.
   Enable Research Department users to install printers, mice, and keyboard device drivers.
   Do not restrict administrators from installing any drivers.

Additional Information
Use as few GPOs as possible.

Plan of Action
1. How many GPOs do you envision using?
   Answers will vary, but two could be used. The Default Domain Policy could support the all-users restriction and the administrator nonrestriction. A new GPO could be used to support the Research Department requirements.
2. To which containers will you link these GPOs?
   The Default Domain Policy is linked to the Contoso.com domain. The new GPO could be linked to the Research Department organizational unit (OU).
3. How do you plan to configure the restriction for all users?
   Configure the Default Domain Policy to enable installation of printers by using the Allow nonadministrators to install drivers for the setting for device setup classes.
4. How will you accommodate the requirement to support the Research Department's needs?
   Either install the drivers into the driver store on each Research Department computer, or configure the Research GPO with permissions to install drivers of the globally unique identifier (GUID) of the specified setup class for mouse, printer, and keyboard. Use this setting: Allow installation of devices using drivers that match these device setup classes.
5. How will you accommodate the administrator requirement?
   Configure the Allow administrators to override Device Installation Restrictions policies setting in the Default Domain Policy.


Task 2: Configure the administrators setting


Note: Some of the tasks you perform to complete this exercise may not be part of a Tier 2 support person's responsibilities; however, it is useful to see the completed scenario.

1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click Group Policy Management.
3. Expand Forest: Contoso.com, expand Domains, expand Contoso.com, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, Administrative Templates, System, Device Installation, and then click Device Installation Restrictions.
5. In the right pane, double-click Allow administrators to override Device Installation Restriction policies.
6. In the Allow administrators to override Device Installation Restriction policies dialog box, click Enabled, and then click OK.

Task 3: Configure the ability for users to install printer devices


1. In the right pane, double-click Allow installation of devices using drivers that match these device setup classes.
2. In the Allow installation of devices using drivers that match these device setup classes dialog box, click Enabled, and then click Show.
3. Leave the window open.
4. Click Start, and in the Search box, type \\NYC-CL1\d$\Labfiles\Mod04\fax, and then press Enter.
5. In Fax, double-click faxca003.inf.
6. In Notepad, locate the line that starts ClassGUID.
7. Select the GUID including the {} brackets, and then copy it.
8. Close Notepad.
9. Switch back to the Group Policy Management Editor.
10. In the Show Contents dialog box, click the cursor into the Value text box, and then paste the GUID.
11. Click OK twice.

Task 4: Configure the device settings for the Research Department


1. Close the Group Policy Management Editor.
2. In Group Policy Management, click Research.
3. Right-click Research, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, in the Name box, type Research Department device settings, and then click OK.


5. Expand Research, right-click Research Department device settings, and then click Edit.
6. In Group Policy Management Editor, under Computer Configuration, expand Policies, Administrative Templates, System, Device Installation, and then click Device Installation Restrictions.
7. In the right pane, double-click Allow installation of devices using drivers that match these device setup classes.
8. In the Allow installation of devices using drivers that match these device setup classes dialog box, click Enabled, and then click Show.
9. Leave the window open.
10. Switch to Windows Explorer, and in the address bar, click Mod04.
11. In Windows Explorer, double-click mouse driver.
12. Double-click point32, and then double-click point32.inf.
13. In Notepad, locate the line that starts ClassGUID.
14. Select the GUID including the {} brackets, and then copy it.
15. Close Notepad.
16. Switch back to the Group Policy Management Editor.
17. In the Show Contents dialog box, click the cursor into the Value text box, and then paste the GUID into it.
18. Switch to Windows Explorer, and in the address bar, click Mod04.
19. In Windows Explorer, double-click keyboard driver.
20. Double-click type32, and then double-click type32.inf.
21. In Notepad, locate the line that starts ClassGUID.
22. Select the GUID including the {} brackets, and then copy it.
23. Close Notepad.
24. Switch back to Group Policy Management Editor.
25. In the Show Contents dialog box, click the cursor into the Value text box, and then paste the GUID into it. Notice that this is the same setup class GUID.
26. Click OK twice.
27. Close the Group Policy Management Editor.
28. Close the Group Policy Management console.

Note: Due to restrictions within the virtual machine environment, you cannot properly test these restrictions.
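The following Windows PowerShell script is an added example covering the GPO Planning Document and Tasks 2 to 4 above; it is not part of the 6293A lab files. Part 1 reads Class and ClassGUID from the three .inf files the lab opens in Notepad and de-duplicates the GUIDs (the mouse and keyboard drivers share one setup class, which is why the lab notices a repeated value). Part 2, run on a client after gpupdate /force, reads back the registry values the Device Installation Restrictions policies deliver, which is a check you can still make even though the device installation itself cannot be tested in the virtual machines. The mouse and keyboard .inf paths are reconstructed from the lab steps, and the registry key and value names come from the Device Installation ADMX definitions rather than from the lab, so treat both as assumptions to confirm in your own environment.

```powershell
# Added example for the device installation exercise; not part of the 6293A lab files.
# Part 1 runs on NYC-DC1 (reads the .inf files over the admin share used in the lab).
# Part 2 runs on a client after "gpupdate /force" in an elevated session.

# 1. Extract the setup class the lab copies by hand. The [Version] section of an INF
#    carries "Class=<name>" and "ClassGUID={...}".
function Get-InfSetupClass {
    param([string[]]$Path)
    foreach ($inf in $Path) {
        # ReadAllText honours the BOM, so UTF-16 and ANSI INF files both parse
        $text  = [IO.File]::ReadAllText($inf)
        $class = [regex]::Match($text, '(?m)^\s*Class\s*=\s*([^\r\n;]+)').Groups[1].Value.Trim()
        $guid  = [regex]::Match($text, '(?m)^\s*ClassGUID\s*=\s*(\{[0-9A-Fa-f-]+\})').Groups[1].Value
        New-Object PSObject -Property @{ File = $inf; Class = $class; ClassGUID = $guid.ToUpper() }
    }
}

# Paths: the fax path is the one the lab types; the other two are reconstructed from
# the folders the lab double-clicks (assumed).
$infFiles = '\\NYC-CL1\d$\Labfiles\Mod04\fax\faxca003.inf',
            '\\NYC-CL1\d$\Labfiles\Mod04\mouse driver\point32\point32.inf',
            '\\NYC-CL1\d$\Labfiles\Mod04\keyboard driver\type32\type32.inf'
$classes = Get-InfSetupClass -Path $infFiles
$classes | Format-Table -AutoSize File, Class, ClassGUID

# Only the distinct GUIDs need to go into the Research GPO's allow list.
$distinct = $classes | Select-Object -ExpandProperty ClassGUID -Unique
"Distinct setup class GUIDs to allow: " + ($distinct -join ', ')

# 2. On a client, confirm what the policy actually delivered. The Device Installation
#    Restrictions policies write under this key (names assumed from the ADMX definitions):
#      AllowAdminInstall  = 1 -> "Allow administrators to override ..." enabled
#      AllowDeviceClasses = 1 -> "Allow installation of devices using drivers that match
#                                these device setup classes" enabled; GUIDs in the subkey
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
if (Test-Path $key) {
    $r = Get-ItemProperty -Path $key
    "AllowAdminInstall  : " + $r.AllowAdminInstall
    "AllowDeviceClasses : " + $r.AllowDeviceClasses
    if (Test-Path "$key\AllowDeviceClasses") {
        # The list is stored as numbered values: 1 = {guid}, 2 = {guid}, ...
        $allowed = Get-ItemProperty -Path "$key\AllowDeviceClasses"
        $allowed.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { "  allowed class {0}: {1}" -f $_.Name, $_.Value }
    }
} else {
    "No Device Installation Restrictions policy has been applied to this computer."
}
```

A Research computer should list the printer and HID class GUIDs under AllowDeviceClasses; a computer outside the Research OU should show only the Default Domain Policy values.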

Results: At the end of this exercise, you will have planned and implemented GPO to support the device installation requirements.


To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1.


Lab B: Troubleshooting Performance-Related Issues (Optional)


Exercise: Troubleshooting a Performance Problem
Task 1: Establish a performance baseline
1. Switch to NYC-CL1.
2. Click Start, and in the Search box, type Performance, and then press Enter.
3. In Performance Monitor, in the navigation pane, expand Data Collector Sets.
4. Expand User Defined, right-click User Defined, point to New, and then click Data Collector Set.
5. In the Create new Data Collector Set wizard, on the How would you like to create this new data collector set? page, in the Name box, type Contoso Baseline.
6. Click Create manually (Advanced), and then click Next.
7. On the What type of data do you want to include? page, select the Performance counter check box, and then click Next.
8. On the Which performance counters would you like to log? page, in the Sample interval box, type 1, and then click Add.
9. In the Available counters list, expand Memory, select Pages/sec, and then click Add.
10. In the Available counters list, expand Network Interface, select Packets/sec, and then click Add.
11. In the Available counters list, expand Physical Disk, select % Disk Time, and then click Add.
12. Under Physical Disk, select Avg. Disk Queue Length, and then click Add.
13. In the Available counters list, expand Processor, select % Processor Time, and then click Add.
14. In the Available counters list, expand System, select Processor Queue Length, click Add, and then click OK.
15. On the Which performance counters would you like to log? page, click Next.
16. On the Where would you like the data to be saved? page, click Next.
17. On the Create the data collector set page, click Finish.
18. In Performance Monitor, in the navigation pane, right-click Contoso Baseline, and then click Start.
19. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.
20. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Excel 2007.
21. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office PowerPoint 2007.
22. Close all open Microsoft Office applications, and then switch to Performance Monitor.
23. In the navigation pane, right-click Contoso Baseline, and then click Stop.


Task 2: View the baseline report


1. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand Contoso Baseline, and click the report that has a name that begins with NYC-CL1_.
2. View the chart. On the menu bar, click the drop-down arrow, and then click Report.
3. Record the component details below:

   Component           Counter                    Recorded component usage
   Memory              Pages per second
   Network Interface   Packets per second
   Physical Disk       % Disk Time
   Physical Disk       Avg. Disk Queue Length
   Processor           % Processor Time
   System              Processor Queue Length

Task 3: Read the help-desk Incident Record for Incident 604121


Read the help-desk Incident Record for Incident 604121.

Task 4: Update the Plan of Action section of the Incident Record


Incident Record Incident Reference Number: 604121 Date of Call Time of Call User Status July 27 10:41 Dylan Miller (Research Department) OPEN

Incident Details
Dylan contacted the help desk to report problems with his computer. It has been running slowly, and application processes that used to take a few seconds now take much longer.

Additional Information
We must determine which components are affected in Dylan's computer, and then make recommendations about how to solve or mitigate these performance bottlenecks.

Plan of Action
Visit the computer, and run performance-monitoring tools to ascertain which components (memory, disk, CPU, and network) are bottlenecked. Gathering statistics by using the existing Contoso Baseline data collector set enables us to compare current data to that collected previously.
Tools to use:
- Resource Monitor, to gain a quick insight into what's going on.
- Performance Monitor data collector sets and reports.

Lab A: Resolving Hardware Device and Device Driver Issues


Task 5: Create load on the computer


1. Switch to the NYC-CL1 computer. Switch to Performance Monitor.
2. In the navigation pane, right-click Contoso Baseline, and then click Start.
3. Run the D:\Labfiles\Mod04\Scenario2.vbs script.

Task 6: Identify performance bottlenecks in the computer


1. Click Start, and in the Search box, type Resource Monitor, and then press Enter.
2. In Resource Monitor, which components are under strain?
   Answer: CPU and Disk are heavily used.
3. After a few minutes, close the two instances of C:\Windows\System32\cmd.exe that the script launched.
4. Switch to Performance Monitor.
5. In the navigation pane, right-click Contoso Baseline, and then click Stop.
6. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand Contoso Baseline, and then click the second report that has a name that begins with NYC-CL1_.
7. View the chart. On the menu bar, click the drop-down arrow, and then click Report.
8. Record the component details below:
   Recorded component usage
   Memory: Pages per second
   Network Interface: Packets per second
   Physical Disk: % Disk Time
   Physical Disk: Avg. Disk Queue Length
   Processor: % Processor Time
   System: Processor Queue Length
   In your opinion, which components are affected the most?
   Answer: The script is affecting the memory and the disk. However, no resources are approaching limits, although paging is becoming excessive.
9. Complete the resolution section of the incident record with your recommendations. If asked to do so, discuss your results with the class.

Resolution
Add processor capacity to the computer, or run the programs on a more powerful computer. Adding memory would be beneficial.

Results: At the end of this exercise, you will have determined the components affected on the user's computer, and then discussed solutions and mitigations with the class.
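The two report tasks above (the Task 2 baseline and the Task 6 load run) compare the same six counters by eye. The script below is an added example, not part of the 6293A courseware: it samples those counters with Get-Counter and flags any that run well above the baseline. The baseline numbers in it are constructed placeholders, not values from the lab; replace them with the figures you recorded from your own Contoso Baseline report.

```powershell
# Added example (not part of the 6293A courseware): sample the six counters the lab
# records with Get-Counter and compare them against the values recorded from the
# Contoso Baseline report. The baseline numbers here are CONSTRUCTED placeholders;
# replace them with the values you recorded in Task 2.

$rules = @(
    @{ Name = 'Memory: Pages/sec';                    Pattern = '\\memory\\pages/sec$';                               Baseline = 5   },
    @{ Name = 'Network Interface: Packets/sec';       Pattern = '\\network interface\(.+\)\\packets/sec$';            Baseline = 20  },
    @{ Name = 'PhysicalDisk: % Disk Time';            Pattern = '\\physicaldisk\(_total\)\\% disk time$';             Baseline = 10  },
    @{ Name = 'PhysicalDisk: Avg. Disk Queue Length'; Pattern = '\\physicaldisk\(_total\)\\avg\. disk queue length$'; Baseline = 0.2 },
    @{ Name = 'Processor: % Processor Time';          Pattern = '\\processor\(_total\)\\% processor time$';           Baseline = 15  },
    @{ Name = 'System: Processor Queue Length';       Pattern = '\\system\\processor queue length$';                  Baseline = 1   }
)

function Compare-CounterBaseline {
    param(
        [int]$SampleInterval = 2,    # seconds between samples
        [int]$MaxSamples     = 10,   # samples to average (20 s of data by default)
        [double]$Factor      = 2.0   # flag a counter that exceeds Factor x its baseline
    )
    $paths = @(
        '\Memory\Pages/sec',
        '\Network Interface(*)\Packets/sec',
        '\PhysicalDisk(_Total)\% Disk Time',
        '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
        '\Processor(_Total)\% Processor Time',
        '\System\Processor Queue Length'
    )
    # Get-Counter returns one sample set per interval; flatten to individual samples.
    $samples = Get-Counter -Counter $paths -SampleInterval $SampleInterval -MaxSamples $MaxSamples |
        ForEach-Object { $_.CounterSamples }

    foreach ($rule in $rules) {
        # Sample paths come back as '\\computer\object(instance)\counter' in lower case;
        # -match is case-insensitive, so the patterns above match them.
        $values = @($samples | Where-Object { $_.Path -match $rule.Pattern } |
                    ForEach-Object { $_.CookedValue })
        $avg = $null
        if ($values.Count -gt 0) {
            $avg = [math]::Round(($values | Measure-Object -Average).Average, 2)
        }
        New-Object PSObject -Property @{
            Counter  = $rule.Name
            Baseline = $rule.Baseline
            Current  = $avg
            Exceeded = ($avg -ne $null -and $avg -gt ($Factor * $rule.Baseline))
        }
    }
}

# Run this while the load script is active; a counter marked Exceeded is the one
# to investigate first.
Compare-CounterBaseline | Format-Table Counter, Baseline, Current, Exceeded -AutoSize
```

The factor of 2 is a deliberately simple rule: it says only that the component is working much harder than at baseline, not that it has hit a limit, which is the same distinction the answer key draws when it notes that paging is excessive although no resource is yet saturated.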


To revert the virtual machines


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-CL1.


Module 5: Troubleshooting Network Connectivity Issues

Lab: Troubleshooting Network Connectivity Issues


Exercise 1: Troubleshooting a Network Problem (1)
Task 1: Read the help-desk Incident Record 603211
Read the help-desk Incident Record for incident 603211.

Task 2: Update the Plan of Action for Incident Record 603211


Incident Record
Incident Reference Number: 603211
Date of Call: April 2
Time of Call: 13:32
User: Scott Bishop (Production Department)
Status: OPEN

Incident Details
Scott cannot log on to his computer.

Additional Information
Error message: There are currently no logon servers available to service the logon request.

Plan of Action
1. Visit the user's computer, and reproduce the problem.
2. Log on as administrator, and attempt to resolve the problem.
3. Things to check:
   - Basic IP configuration of the workstation and other computers.
   - Verify whether the issue is affecting other computers.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.
2. Run the D:\Labfiles\Mod05\Scenario1.vbs script.

Note: Ignore any error messages in the script.
3. Wait while NYC-CL1 restarts.


4. Log on using the following credentials:
   User name: Scott
   Password: Pa$$w0rd
   Domain: Contoso
5. You are unsuccessful. What is the error message?
   Answer: There are currently no logon servers available to service the logon request.

Task 4: Attempt to resolve the problem


Note: Some of the tasks that you perform to resolve this problem may not typically be the responsibility of Tier 2 support staff. However, it is useful to see the problem resolution.
1. Log on using the following credentials:
   User name: NYC-CL1\WSAdmin
   Password: Pa$$w0rd
2. Click Start, and in the Search box, type cmd.exe, and then press Enter.
3. At the command prompt, type the following command, and then press Enter:
Ipconfig.exe /all

4. From which server has your computer obtained an IPv4 address?
   Answer: 10.10.14.1
5. What is your IP address?
   Answer: 10.10.14.2
6. What is your subnet mask?
   Answer: 255.255.255.0

Note: Typically, an Enterprise administrator might perform the following tasks.
7. Switch to NYC-DC1.
8. Click Start, and in the Search box, type cmd.exe, and then press Enter.
9. At the command prompt, type the following command, and then press Enter:
Ipconfig.exe /all

10. In which subnet is the domain controller located?
    Answer: 10.10.0.0/16
11. Switch to the NYC-SVR1 computer.
12. Click Start, and in the Search box, type cmd.exe, and then press Enter.


13. At the command prompt, type the following command, and then press Enter:
Ipconfig.exe /all

14. What is the IP address of NYC-SVR1?
    Answer: 10.10.14.1
15. Is this server providing Dynamic Host Configuration Protocol (DHCP) services?
    Answer: Yes. It is the same IP that you specified on NYC-CL1.
16. At the command prompt, type the following command, and then press Enter:
Net stop dhcpserver

17. Switch to the NYC-DC1 computer.
18. At the command prompt, type the following command, and then press Enter:
Net start dhcpserver

19. Switch to the NYC-CL1 computer.
20. At the command prompt, type the following command, and then press Enter:
Ipconfig /release

21. Restart the computer. Wait for the NYC-CL1 computer to restart.
22. Log on using the following credentials:
    User name: Scott
    Password: Pa$$w0rd
    Domain: Contoso

Resolution
1. NYC-SVR1 had been started and is running a DHCP server in the head office.
2. This conflicted with the head office DHCP server.
3. NYC-CL1 obtained an address from the new server. However, this configuration is appropriate only for the branch office, not the head office.
4. The problem was resolved by stopping the DHCP server on NYC-SVR1, restarting the DHCP service on NYC-DC1, and restarting NYC-CL1 so that it could obtain a valid IPv4 configuration.

Other possible solutions include manually configuring NYC-CL1 with a similar configuration to NYC-CL2.

Results: At the end of this exercise, you will have logged on successfully by using the user account.
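The diagnosis above rests on one fact pulled from ipconfig /all by hand: the client's lease came from a server that should not be serving its subnet. The script below is an added example, not part of the 6293A courseware, that reads the same lease source from WMI and compares it against a list of authorised DHCP servers. That list is an assumption for the example; the lab says only that NYC-DC1 is in 10.10.0.0/16, so the address given for it is a placeholder to replace.

```powershell
# Added example (not part of the 6293A courseware): report which server issued each
# adapter's DHCP lease and flag any server not on the authorised list. The list is an
# ASSUMPTION for this example; the lab says only that NYC-DC1 is in 10.10.0.0/16, so
# the address below is a placeholder to replace with your DHCP server's real address.

function Get-DhcpLeaseSource {
    param([string[]]$AuthorizedServers)
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE AND DHCPEnabled = TRUE' |
        ForEach-Object {
            # IPAddress and IPSubnet are parallel arrays holding IPv4 and IPv6 entries;
            # IPv4 entries are the ones without a colon and normally come first.
            $ipv4 = @($_.IPAddress | Where-Object { $_ -notmatch ':' })
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                IPv4       = ($ipv4 -join ', ')
                SubnetMask = @($_.IPSubnet)[0]
                DhcpServer = $_.DHCPServer
                Authorized = ($AuthorizedServers -contains $_.DHCPServer)
            }
        }
}

function Repair-RogueDhcpLease {
    param([string[]]$AuthorizedServers, [switch]$Renew)
    $leases = @(Get-DhcpLeaseSource -AuthorizedServers $AuthorizedServers)
    $leases | Format-Table Adapter, IPv4, SubnetMask, DhcpServer, Authorized -AutoSize
    $rogue = @($leases | Where-Object { -not $_.Authorized })
    foreach ($lease in $rogue) {
        Write-Warning ("Adapter '{0}' holds a lease from {1}, which is not an authorised DHCP server." -f $lease.Adapter, $lease.DhcpServer)
    }
    # Releasing and renewing only helps once the unauthorised DHCP service has been
    # stopped (the lab does this with 'net stop dhcpserver' on NYC-SVR1); otherwise
    # the client simply takes another lease from it.
    if ($rogue.Count -gt 0 -and $Renew) {
        ipconfig /release | Out-Null
        ipconfig /renew
    }
    return $rogue
}

# Placeholder address for NYC-DC1 (not given in the lab). A lease from 10.10.14.1
# would be reported as unauthorised, which is the situation in incident 603211.
Repair-RogueDhcpLease -AuthorizedServers @('10.10.0.10')
```

Run from the affected workstation, this gives the same answer as steps 4 to 6 in one table, and the Authorized column makes the branch-office server stand out without having to know every subnet by heart.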


Exercise 2: Troubleshooting a Network Problem (2)


Task 1: Read the help-desk Incident Record 603213
Read the help-desk Incident Record for incident 603213.

Task 2: Update the Plan of Action for Incident Record 603213


Incident Record
Incident Reference Number: 603213
Date of Call: April 2
Time of Call: 14:20
User: Scott Bishop (Production Department)
Status: OPEN

Incident Details
Scott is unable to access the intranet server. URL required: http://intranet. IP configuration seems appropriate for subnet location.

Additional Information
Error message: Internet Explorer cannot display the webpage.

Plan of Action
1. Visit the user's workstation.
2. Verify the IP version 4 (IPv4) configuration.
3. Determine connectivity from another workstation.
4. If this issue is affecting only Scott's workstation, then investigate his computer's settings.
5. If this issue is affecting multiple workstations, then investigate the intranet server settings.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer. You are logged on as Scott.
2. On the Taskbar, click Internet Explorer. On the Set Up Windows Internet Explorer 8 prompt, click Ask me later.
3. In the Address bar, type http://intranet, and then press Enter.

Task 4: Attempt to resolve the problem


1. Switch to the NYC-CL2 computer. You are logged on as Administrator.
2. On the Taskbar, click Internet Explorer. On the Set Up Windows Internet Explorer 8 prompt, click Ask me later.
3. In the Address bar, type http://intranet, and then press Enter.
4. Click Start, and in the Search box, type cmd.exe, and then press Enter.


5. At the command prompt, type the following command, and then press Enter:
Ping intranet
6. At the command prompt, type the following command, and then press Enter:
Nslookup -d1 intranet > file.txt
7. At the command prompt, type the following command, and then press Enter:
Notepad file.txt
8. What is the answer to the question intranet.Contoso.com?
   Answer: Ncy-dc1.Contoso.com
9. At the command prompt, type the following command, and then press Enter:
Ping ncy-dc1.Contoso.com
10. What do you suspect is the likely cause of the problem?
    Answer: The Domain Name System (DNS) record on the server is wrong.

Note: Typically, an Enterprise administrator might perform the following tasks.
11. Switch to NYC-DC1.
12. Click Start, point to Administrative Tools, and then click DNS.
13. In DNS Manager, expand Forward Lookup Zones, expand Contoso.com, and then in the right pane, double-click intranet.
14. In the intranet Properties dialog box, in the Fully qualified domain name (FQDN) for target host box, type nyc-dc1.contoso.com, and then click OK.
15. Switch to NYC-CL1.
16. In Windows Internet Explorer, press F5.

Resolution
An incorrect Alias record was created in the DNS zone for Contoso. Clients could not connect to the Intranet on NYC-DC1. Editing the record corrected the problem.

Results: At the end of this exercise, you will have resolved the connectivity problem.
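Steps 6 to 9 find the fault by reading the nslookup debug output and then pinging the alias target by hand. The function below is an added example, not part of the 6293A courseware, that does the same two checks in one go: it asks nslookup for the CNAME record, pulls out the target name, and then tests whether that target resolves. The name intranet.contoso.com is the lab's; the function and its output format are additions.

```powershell
# Added example (not part of the 6293A courseware): automate the nslookup check from
# steps 6-9. It asks for the CNAME (alias) record of a name, extracts the target the
# alias points at, and then checks whether that target itself resolves.

function Test-DnsAlias {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$Server   # optional DNS server to query, e.g. the domain controller
    )
    $nsArgs = @('-type=cname', $Name)
    if ($Server) { $nsArgs += $Server }
    $output = (& nslookup.exe @nsArgs 2>&1) | Out-String

    $result = New-Object PSObject -Property @{
        Name           = $Name
        AliasTarget    = $null
        TargetResolves = $false
        Addresses      = @()
        Raw            = $output.Trim()
    }
    # Windows nslookup prints an alias as "<name>  canonical name = <target>".
    if ($output -match 'canonical name = (\S+)') {
        $result.AliasTarget = $Matches[1].TrimEnd('.')
        try {
            $result.Addresses = @([System.Net.Dns]::GetHostAddresses($result.AliasTarget) |
                                  ForEach-Object { $_.IPAddressToString })
            $result.TargetResolves = $true
        } catch {
            # A CNAME that points at a name with no A record produces exactly the
            # "cannot display the webpage" symptom in the incident.
            $result.TargetResolves = $false
        }
    }
    return $result
}

$check = Test-DnsAlias -Name 'intranet.contoso.com'
$check | Format-List Name, AliasTarget, TargetResolves, Addresses
if ($check.AliasTarget -and -not $check.TargetResolves) {
    Write-Warning ("Alias {0} points at {1}, which does not resolve; check the CNAME record on the DNS server." -f $check.Name, $check.AliasTarget)
}
```

Use the fully qualified name rather than the bare label: nslookup and the .NET resolver both apply the client's DNS suffix search list, and a suffix mismatch would look like the same failure for a different reason. The Raw property keeps the untouched nslookup text for the incident record.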


To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-SVR1, 6293A-NYC-CL1, and 6293A-NYC-CL2.


Module 6: Troubleshooting Remote Connectivity Issues

Lab: Resolving Remote Connectivity Issues


Exercise: Resolving a Remote Connectivity Problem
Task 1: Read the help-desk Incident Record for Incident 603321
Read the help-desk Incident Record for Incident 603321.

Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 603321
Date of Call: May 5
Time of Call: 08:05
User: Max Stevens (Research Department)
Status: OPEN

Incident Details
Max reports that he cannot connect to the corporate intranet site from home. He uses a preconfigured virtual private network (VPN). The intranet site is accessible when Max connects his computer locally in the Contoso domain.

Additional Information
The intranet site is accessible when Max connects his computer locally in the Contoso domain.
VPN settings for Contoso home users:
- Users connecting using VPN must use Extensible Authentication Protocol (EAP) authentication.
- The preferred Remote Access Service (RAS) server is NYC-SVR2.
- Network Access Protection (NAP) has been implemented in Contoso in recent weeks using VPN enforcement.
- IP version 4 (IPv4) filters restrict connectivity to remediation servers.

Plan of Action
1. Visit the user's workstation, and attempt to reproduce the problem.
2. Verify that the VPN settings match those of the server.
3. Determine whether the company's NAP policy is affecting the computer's ability to connect.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.
2. Run the D:\Labfiles\Mod06\Scenario1.vbs script.
3. Wait while the computer restarts.
4. Log on using the following credentials:
   User name: NYC-CL1\WSAdmin
   Password: Pa$$w0rd
5. Click Start, in the Search box, type Network and Sharing, and then press Enter.


6. In Network and Sharing Center, click Change adapter settings.
7. In Network Connections, right-click Contoso VPN, and then click Connect.
8. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
9. What error message do you see?
   Answer: Error 812. The connection was prevented because of a policy configured on your RAS/VPN server.

10. Click Close.

Task 4: Attempt to resolve the problem


Note: Some of the tasks that you perform to resolve this problem may not typically be the responsibility of Tier 2 support staff. However, it is useful to see the problem resolution.
1. Click Start, in the Search box, type services.msc, and then press Enter.
2. In Services, in the Name list, double-click Network Access Protection Agent.
3. In the Network Access Protection Agent Properties (Local Computer) dialog box, in the Startup type list, click Automatic.
4. Click Apply, click Start, and then click OK.
5. In Services, in the Name list, double-click Windows Firewall.
6. In the Windows Firewall Properties (Local Computer) dialog box, in the Startup type list, click Automatic.
7. Click Apply, click Start, and then click OK.
8. In Services, in the Name list, double-click Security Center.
9. In the Security Center Properties (Local Computer) dialog box, in the Startup type list, click Automatic.

10. Click Apply, click Start, and then click OK.
11. Close Services.
12. Switch to Network Connections.
13. In Network Connections, right-click Contoso VPN, and then click Connect.
14. Log on using the following credentials:
    User name: Administrator
    Password: Pa$$w0rd
    Domain: Contoso

15. On the Taskbar, click Internet Explorer.


16. In the Address bar, type http://nyc-dc1, and then press Enter.
17. Do you see the Website?
    Answer: Yes

Resolution
1. The client settings did not match those that NAP requires.
2. Start the Security Center.
3. Start the NAP Agent.
4. Start Microsoft Windows Firewall.

Results: At the end of this exercise, you will have resolved the remote connectivity problem.
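The resolution turns on three services that NAP's health check expects to be running. The script below is an added example, not part of the 6293A courseware: it checks the state and startup type of those services and, with -Fix, applies the same change that steps 1 to 10 make in the Services console. The short service names (napagent, MpsSvc, wscsvc) are the built-in Windows names; the function and its report layout are additions.

```powershell
# Added example (not part of the 6293A courseware): check the three services the
# lab's NAP policy expects and optionally set them back to Automatic and start
# them, which is what steps 1-10 do by hand. The short service names are the
# built-in ones: napagent, MpsSvc and wscsvc.

function Test-NapClientServices {
    param([switch]$Fix)
    $required = @{
        'napagent' = 'Network Access Protection Agent'
        'MpsSvc'   = 'Windows Firewall'
        'wscsvc'   = 'Security Center'
    }
    foreach ($name in $required.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        # Get-Service does not expose the startup type on Windows 7; read it from WMI.
        $wmi = Get-WmiObject Win32_Service -Filter "Name='$name'"
        $status    = 'Missing'
        $startMode = 'Missing'
        if ($svc) { $status = [string]$svc.Status }
        if ($wmi) { $startMode = $wmi.StartMode }   # Auto, Manual or Disabled

        $compliant = ($status -eq 'Running') -and ($startMode -eq 'Auto')
        if ($Fix -and $svc -and -not $compliant) {
            # Order matters: a Disabled service must be set to Automatic before it will start.
            Set-Service -Name $name -StartupType Automatic
            Start-Service -Name $name
            $status    = [string](Get-Service -Name $name).Status
            $startMode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
            $compliant = ($status -eq 'Running') -and ($startMode -eq 'Auto')
        }
        New-Object PSObject -Property @{
            Service   = $required[$name]
            Name      = $name
            Status    = $status
            StartMode = $startMode
            Compliant = $compliant
        }
    }
}

# Report only; add -Fix (from an elevated prompt) to apply the lab's remediation.
Test-NapClientServices | Format-Table Service, Name, Status, StartMode, Compliant -AutoSize
```

A row that is Running but Manual is worth catching as well as one that is stopped: it passes the health check now and fails it again after the next restart, which is the kind of intermittent VPN failure that generates repeat tickets.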

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-SVR2 and 6293A-NYC-CL1.


Module 7: Troubleshooting Logon and Resource Access Issues

Lab: Troubleshooting Logon and Resource Access Issues


Exercise 1: Troubleshooting Offline Files
Task 1: Read the help-desk Incident Record for Incident 602567
Read the help-desk Incident Record for Incident 602567.

Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 602567
Date of Call: March 25
Time of Call: 14:45
User: Alan Brewer (Research)
Status: OPEN

Incident Details
A user with a laptop computer reports that offline files are not synchronizing properly when he disconnects from the network.

Additional Information
User reports that when he roams in the office and reconnects to the wired network, his updated files are not synchronizing properly. This is a problem, because other users also have access to these files, and if the files are not synchronized, users have to look through the files and merge changes manually, which is time-consuming.
Steps to recreate the problem:
1. On NYC-CL1, create and open a file on the research share at \\NYC-DC1\Research.
2. Modify the contents of the file, and then save it.
3. Keep the file open, and then disconnect from the network.
4. Modify the contents of the file, and then save it.
5. Reconnect the computer to the network and close the file.
6. On NYC-CL2, open the file on the research share, and then verify that the latest changes are not synchronized.

Plan of Action
1. Recreate the problem to verify the steps.
2. Open Sync Center to view any potential synchronization issues.


Task 3: Attempt to resolve the problem


1. Switch to the NYC-CL1 computer.
2. Log on by using the following credentials:
   User name: Alan
   Password: Pa$$w0rd
   Domain: Contoso
3. Click Start, type \\NYC-DC1\Research, and then press Enter.
4. In Windows Explorer, right-click an open area, point to New, and then click Microsoft Office Word Document.
5. Type TestDocument, and then press Enter to rename the file.
6. Double-click TestDocument to open it.
7. Click OK to close the Microsoft Office Word window with an error.
8. In the User Name box, click OK.
9. In TestDocument, type Changes while online, and then click Save.

10. Click Start, type adapter, and then click View network connections.
11. In the Network Connections window, right-click Local Area Connection 3, and then click Disable.
12. When prompted, provide the credentials of Administrator with a password of Pa$$w0rd.
13. In TestDocument, on a new line, type Offline changes, and then click Save.
14. In the Network Connections window, right-click Local Area Connection 3, and then click Enable.
15. When prompted, provide the credentials of Administrator with a password of Pa$$w0rd.
16. Close the Network Connections window.
17. Close Microsoft Office Word.
18. Switch to the NYC-CL2 computer.
19. Log on by using the following credentials:
    User name: Preeda
    Password: Pa$$w0rd
    Domain: Contoso

20. Click Start, type \\NYC-DC1\Research, and then press Enter.
21. Double-click TestDocument.
22. Click OK to close the Microsoft Office Word window with an error.
23. In the User Name window, click OK. Notice that only the online changes are here, and that the file did not synchronize.
24. Close Microsoft Word.
25. Switch to NYC-CL1.
26. Click Start, type Sync Center, and then press Enter.


27. In Sync Center, right-click Offline Files, and then click Sync Offline Files.
28. Switch to NYC-CL2.
29. Double-click TestDocument, and then verify that the offline changes are synchronized.
30. Log off of all virtual machines.

Resolution
1. Forcing synchronization in Sync Center caused the offline file to update. Logging off and then logging on again also causes the file to update, because there is no conflict with a changed version on the server.
2. You should inform the user that he must modify his procedures to ensure that his files synchronize.

Results: After this exercise, you will have resolved a problem with offline files not synchronizing properly.


Exercise 2: Troubleshooting a Missing Drive Mapping


Task 1: Read the help-desk Incident Record for Incident 602568
Read the help-desk Incident Record for Incident 602568.

Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 602568
Date of Call: March 25
Time of Call: 15:03
User: Max Stevens (Research)
Status: OPEN

Incident Details
User reports that he does not have access to the research share.

Additional Information
User reports that he started his job last week, and does not have access to the research share, which is at \\NYC-DC1\Research. He is logging on to NYC-CL1. I walked the user through accessing the share by using the Universal Naming Convention (UNC) path. This is an acceptable short-term solution. However, this user should map drive letter R to the research share like other users. Drive mappings have been converted to Group Policy Preferences. I confirmed that the user account is in the correct organizational unit (OU). Other research users, like Alan Brewer, have no problems with the drive mapping.

Plan of Action
1. Determine which Group Policy is applying the Group Policy Preferences.
2. Review the configuration of the Group Policy.
3. Review the configuration of the Max Stevens account, and compare it to Alan Brewer's.


Task 3: Simulate the problem


1. Log on to the NYC-CL1 computer as Contoso\Administrator with the password of Pa$$w0rd.
2. Run the D:\Labfiles\Mod07\Scenario2.vbs script.
3. Click OK to close the window indicating that the script is complete.
4. Log off of NYC-CL1.

Task 4: Attempt to resolve the problem


1. Switch to the NYC-DC1 computer.
2. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
3. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
4. In Active Directory Users and Computers, expand Contoso.com, and then click Research.
5. In the right pane, double-click the Research group.
6. In the Research Properties window, on the Members tab, click Add.
7. In the Select Users, Contacts, Computers, Service Accounts, or Groups window, type Max, and then click OK.
8. Click OK, and then close Active Directory Users and Computers.
9. Switch to the NYC-CL1 computer.

10. Log on by using the following credentials:
    User name: Max
    Password: Pa$$w0rd
    Domain: Contoso

11. Click Start, and then click Computer.
12. Verify that the drive letter R maps to the research share.
13. Log off of NYC-CL1.

Resolution
The mapping for drive R is being targeted to the Research security group. Max was not a member of the Research security group. Adding Max as a member of the Research security group resolved the problem.

Results: At the end of this exercise, you will have resolved the Group Policy object (GPO) application problem.
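The resolution hinges on whether the user's logon token carries the security group that the drive-map preference targets. The script below is an added example, not part of the 6293A courseware, that reads that token from the user's own session and checks whether R: is mapped. The group name CONTOSO\Research and the share are the lab's values; the functions and the use of gpresult for the fallback report are additions.

```powershell
# Added example (not part of the 6293A courseware): from the user's own session,
# show whether the logon token contains the group the drive-map preference targets
# and whether drive R: is currently mapped.

function Test-TokenGroup {
    param([string]$Group = 'CONTOSO\Research')
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Translate each group SID in the token to DOMAIN\Name; keep the SID if it cannot be resolved.
    $names = foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }
    }
    New-Object PSObject -Property @{
        User     = $identity.Name
        HasGroup = (@($names) -contains $Group)   # -contains is case-insensitive
        Groups   = @($names)
    }
}

function Get-MappedDrive {
    param([string]$DriveLetter = 'R:')
    $map = Get-WmiObject Win32_MappedLogicalDisk -Filter "DeviceID='$DriveLetter'"
    if ($map) { return $map.ProviderName }   # e.g. \\NYC-DC1\Research
    return $null
}

$token  = Test-TokenGroup -Group 'CONTOSO\Research'
$mapped = Get-MappedDrive -DriveLetter 'R:'
"{0}: member of CONTOSO\Research = {1}; R: mapped to = {2}" -f $token.User, $token.HasGroup, $mapped

# Group membership is stamped into the token at logon. After the account is added to
# the group in Active Directory, HasGroup stays False until the user logs off and on
# again, which is why the lab logs Max off before testing the mapping.
if (-not $token.HasGroup) {
    gpresult /r /scope:user   # lists applied GPOs and the security groups in the token
}
```

Reading the groups from the token rather than from Active Directory is deliberate: it is the token, not the directory, that item-level targeting evaluates, so this check also explains the common case where the directory change is correct but the user simply has not logged on again.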


Exercise 3: Troubleshooting Missing Files in My Documents


Task 1: Read the help-desk Incident Record 602093
Read the help-desk Incident Record for incident 602093.

Task 2: Update the Plan of Action for Incident Record 602093


Incident Record
Incident Reference Number: 602093
Date of Call: March 26
Time of Call: 9:00
User: Preeda Ola (Research)
Status: OPEN

Incident Details
User reports that files are missing from the My Documents folder after he received a new computer that has the organization's standard operating-system configuration.

Additional Information
The user has a brand new workstation configured with our default image. We have trained users not to save information into My Documents, and have warned them that files in My Documents are not backed up. I logged onto the user's old computer, and no files were in his My Documents folder. Eventually, we found the files in his home folder, which he had mapped to drive H. I don't know how it was configured before, but this user wants My Documents to include the files in his home drive instead of accessing them through drive H. Because this user is a department head, we need to do this.

Plan of Action
1. Verify that the user's files are located in drive H.
2. Redirect My Documents to drive H.


Task 3: Attempt to resolve the problem


1. Switch to the NYC-CL1 computer.
2. Log on by using the following credentials:
   User name: Preeda
   Password: Pa$$w0rd
   Domain: Contoso
3. Click Start, and then click Computer.
4. In Windows Explorer, under Libraries, expand Documents, and then click My Documents.
5. Right-click My Documents, and then click Properties.
6. In the My Documents Properties window, on the Location tab, type H:\, and then click Apply.
7. In the Move Folder window, click No.
8. Click OK to close the My Documents Properties window.
9. Verify that My Documents is now redirected to Preeda's home folder.

Resolution
The user's old computer had the My Documents folder redirected to drive H. When the new computer was deployed, My Documents was not redirected because it is not part of the standard configuration. Redirecting My Documents to drive H resolved the issue.

Results: After this exercise, you will have resolved a problem with missing files in the My Documents folder.


Exercise 4: Troubleshooting a File Access Issue


Task 1: Read the help-desk Incident Record 603033
Read the help-desk Incident Record for incident 603033.

Task 2: Update the Plan of Action for Incident Record 603033


Incident Record
Incident Reference Number: 603033
Date of Call: April 4
Time of Call: 12:20
User: Alan Brewer (Research)
Status: OPEN

Incident Details
New peer-based application for research is not working properly.

Additional Information
The research department is semiautonomous for Information Technology (IT). They install and run a lot of their own applications. They also store data on their local workstations. The workstations are backed up daily to ensure that no data is lost. They have a new application that they have installed on all of the workstations that is not functioning properly. The installation instructions indicate that there must be a file share to which all computers have read and write permissions. All computers are configured to use \\NYC-CL1\Modeling as the file share. The file share is created, but users do not appear to have the proper permissions. The application generates the error Shared data access error. I connected to \\NYC-CL1\Modeling, and then verified that I could not create or modify files from my computer. Only members of the research group should be able to change these files.

Plan of Action
1. Review NTFS permissions, and verify effective permissions.
2. Review share permissions.


Task 3: Simulate the problem


1. Log on to the NYC-CL1 computer as Contoso\Administrator with the password of Pa$$w0rd.
2. Run the D:\Labfiles\Mod07\Scenario4.bat script.

Task 4: Attempt to resolve the problem


1. If necessary, switch to the NYC-CL1 computer.
2. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
3. Click Start, and then click Computer.
4. In Windows Explorer, browse to C:\.
5. Right-click Modeling, and then click Properties. Click the Sharing tab.
6. In the Modeling Properties window, click Advanced Sharing.
7. In the Advanced Sharing window, click Permissions.
8. In the Permissions for Modeling window, click Remove, and then click Add.
9. In the Select Users, Computers, Service Accounts, or Groups window, type Research, and then click OK.

10. In the Permissions for Modeling window, click Research, select the Allow Full Control permission, and then click OK.
11. In the Advanced Sharing window, click OK.
12. In the Modeling Properties window, click Close.
13. Start the 6293A-NYC-CL2 computer.
14. Log on by using the following credentials:
    User name: Alan
    Password: Pa$$w0rd
    Domain: Contoso

15. Click Start, type \\NYC-CL1\Modeling, and then press Enter.
16. In Windows Explorer, right-click an empty area, point to New, and then click Text Document.
17. Type TestDoc, and then press Enter to rename the document.


Resolution
Modify the share permissions to remove the Everyone group, and then give the Research group full control.
OR
1. Modify the share permissions to give the Everyone group full control.
2. Prevent NTFS permissions from being inherited to the Modeling folder, and then copy existing permissions.
3. Remove Authenticated Users NTFS permissions for the Modeling folder.
4. Add Modify permission for the Research group to the Modeling folder.

Results: At the end of this exercise, you will have successfully configured a share with read and write permissions for users in the Research group.
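Both resolutions work because a user's effective access through a share is the more restrictive of the share permissions and the NTFS permissions. The script below is an added example, not part of the 6293A courseware, that lists the two permission sets for the lab's Modeling share side by side, which is what the Plan of Action asks for before anything is changed. The share name and folder path are the lab's; the functions and the access-mask table are additions.

```powershell
# Added example (not part of the 6293A courseware): review the share permissions and
# the NTFS permissions on the Modeling folder side by side, which is what the Plan
# of Action asks for.

function Get-SharePermissions {
    param([Parameter(Mandatory = $true)][string]$ShareName)
    # Access masks that the Sharing tab shows as Full Control, Change and Read.
    $masks = @{ 2032127 = 'Full Control'; 1245631 = 'Change'; 1179817 = 'Read' }
    $setting = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    if (-not $setting) { throw "Share '$ShareName' was not found on this computer." }
    $dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
    foreach ($ace in $dacl) {
        $right = $masks[[int]$ace.AccessMask]
        if (-not $right) { $right = ('0x{0:X}' -f $ace.AccessMask) }
        $trustee = $ace.Trustee.Name
        if ($ace.Trustee.Domain) { $trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" }
        $type = 'Allow'
        if ($ace.AceType -ne 0) { $type = 'Deny' }   # AceType 0 = allow, 1 = deny
        New-Object PSObject -Property @{ Trustee = $trustee; Type = $type; Right = $right }
    }
}

function Get-NtfsPermissions {
    param([Parameter(Mandatory = $true)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

'--- Share permissions for \\NYC-CL1\Modeling ---'
Get-SharePermissions -ShareName 'Modeling' | Format-Table Trustee, Type, Right -AutoSize
'--- NTFS permissions for C:\Modeling ---'
Get-NtfsPermissions -Path 'C:\Modeling' | Format-Table -AutoSize

# Effective access over the network is the more restrictive of the two lists, so a
# share entry of Read for Everyone blocks writes even when NTFS grants Research Modify.
# Each of the lab's two resolutions keeps exactly one of the two layers restrictive.
```

Run it on NYC-CL1 before and after the fix and keep both outputs in the incident record: the first shows why "Shared data access error" appeared, the second documents that only the Research group ended up with write access, which is the requirement the research department stated.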

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.


Module 8: Troubleshooting Security Issues

Lab: Troubleshooting Security Issues


Exercise 1: Recovering a BitLocker-Protected Drive
Task 1: Read the help-desk Incident Record for Incident 603012
1. Read the help-desk Incident Record for incident 603012.
2. Read the printed document from Susanna.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Incident Record
Incident Reference Number: 603012
Date of Call: April 3
Time of Call: 09:34
User: Susanna Stubberod (Production)
Status: OPEN

Incident Details
Executive user is reporting that she has data that is encrypted with BitLocker Drive Encryption that she needs to recover from a failed laptop.

Additional Information
The user uses her personal laptop to work on company documents. The laptop had a secondary hard drive on which she stored the documents. She encrypted all drives with BitLocker to secure them. Internal laptops are configured with a recovery agent to simplify data recovery. Because this is a personal laptop, using a recovery agent is not an option. She has given us the encrypted drive and a printout she made after the drive was encrypted. She has requested that we configure the drive so that she can attach it easily to another computer by placing the drive in an external Universal Serial Bus (USB) enclosure. Preferably, it should require only a password to unlock.

Plan of Action
1. Attach the encrypted drive to a Windows 7 computer.
2. Use the recovery key from the printout to decrypt the drive.
3. Configure the use of a password to view drive content.

Task 3: Attach the encrypted drive to NYC-CL1


1. On the host computer, ensure that 6293A-NYC-CL1 is shut down.
2. Click Start, point to Administrative Tools, and then click Hyper-V Manager.
3. In Hyper-V Manager, right-click 6293A-NYC-CL1, and then click Settings.
4. In the Settings for 6293A-NYC-CL1 window, click IDE Controller 1.


5. In the right pane, ensure that Hard Drive is selected, and then click Add.
6. In the Media area, click Browse.
7. Browse to C:\Program Files\Microsoft Learning\6293\Drives, click BitLockerRecovery.vhd, and then click Open.
8. Click OK.
9. Start the 6293A-NYC-CL1 virtual machine, and then log on as NYC-CL1\WSAdmin with the password of Pa$$w0rd. If you are prompted to restart NYC-CL1, click Restart Now.

Task 4: Attempt to resolve the problem


1. Switch to the NYC-CL1 computer.
2. Log on by using the following credentials:
   User name: WSAdmin
   Password: Pa$$w0rd
   Domain: NYC-CL1
3. Click Start, and then click Computer.
4. Right-click Local Disk (F:), and then click Unlock Drive.
5. On the Unlock this drive using your recovery key page, click Type the recovery key.
6. On the Enter your recovery key page, type 622732-532620-653312-417406-161304-327305-677292-111034, and then click Next.
7. On the You now have temporary access to this drive page, click Manage BitLocker.
8. On the Select options to manage page, click Add a password to unlock the drive.
9. In the Type your password and Retype your password boxes, type Pa$$w0rd, and then click Next.

10. On the Select options to manage page, click Close. 11. On the You now have temporary access to this drive page, click Finish. 12. Close all open windows.
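The same recovery can be driven from the command line with manage-bde.exe, which ships with Windows 7, which is useful when the drive is attached to a machine without a desktop session. This is an added example and not part of the course; it assumes the drive is mounted as F: and uses the recovery key from the printout.

```powershell
# Added example (not from the course): recover a BitLocker data drive with manage-bde.exe on Windows 7.
# Assumes the failed laptop's drive is attached as F: and the 48-digit key is the one on the printout.
$Drive       = 'F:'
$RecoveryKey = '622732-532620-653312-417406-161304-327305-677292-111034'

# 1. Confirm the drive is a BitLocker volume that is currently locked.
$status = manage-bde -status $Drive
if ($status -notmatch 'Lock Status:\s+Locked') {
    Write-Host "$Drive is not a locked BitLocker volume; nothing to recover."
    return
}

# 2. Unlock with the recovery password. This grants temporary access, exactly as the
#    "You now have temporary access to this drive" page does in the wizard.
manage-bde -unlock $Drive -RecoveryPassword $RecoveryKey
if ($LASTEXITCODE -ne 0) { throw "Unlock of $Drive failed; check the recovery key on the printout." }

# 3. Add a password protector so the drive can be unlocked on another computer with a
#    password only. manage-bde prompts for the password; it is never put on the command line,
#    so it does not end up in the console history.
manage-bde -protectors -add $Drive -Password
if ($LASTEXITCODE -ne 0) { throw "Adding a password protector to $Drive failed." }

# 4. Verify: both the original recovery password and the new password protector should be listed.
#    The recovery password is deliberately left in place as the fallback if the password is forgotten.
manage-bde -protectors -get $Drive
```

Run from an elevated prompt; manage-bde requires administrative rights for both the unlock and the protector change.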

Resolution
1. Attached the encrypted drive to a Windows 7 computer.
2. Used the recovery key from the printout to decrypt the drive.
3. Configured the use of a password to view the drive's content.

Results: At the end of this exercise, you will have recovered a BitLocker-protected drive.

Lab: Troubleshooting Security Issues L8-41

Exercise 2: Troubleshooting an Internet Explorer Security Issue


Task 1: Read the help-desk Incident Record for Incident 603026
Read the help-desk Incident Record for Incident 603026.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Incident Record
Incident Reference Number: 603026
Date of Call: April 4
Time of Call: 12:20
User: Sten Faerch (Marketing)
Status: OPEN

Incident Details
User is being prompted for security credentials when accessing the intranet site.

Additional Information
When the user attempts to access the corporate intranet by using http://nyc-dc1.contoso.com, he is prompted for credentials. I coached him through the process of entering his credentials as Contoso\Sten and his password. This authenticates him successfully, and he can use it as a short-term work-around, but he does not want to be prompted. I asked him to check if other users in his department were having the same issue, and he told me that they said No. He is the only user. After he authenticates, everything is fine. When the issue is resolved, please configure the corporate intranet as his home page.

Plan of Action
1. Visit the user, and view the problem.
2. Review the Windows Internet Explorer configuration.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.
2. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
3. Run the D:\Labfiles\Mod08\Scenario2.vbs script.
4. Log off of NYC-CL1.


Task 4: Attempt to resolve the problem


1. Switch to the NYC-CL1 computer.
2. Log on by using the following credentials:
   User name: Sten
   Password: Pa$$w0rd
   Domain: Contoso
3. Click the Internet Explorer icon on the taskbar.
4. At the Set Up Windows Internet Explorer 8 prompt, click Ask me later.
5. In the Internet Explorer window, in the Address bar, type http://nyc-dc1.contoso.com, and then press Enter.
6. When prompted for credentials, click Cancel.
7. In the Address bar, type http://nyc-dc1, and then press Enter.
8. In the status bar, verify that the site is recognized as the Local intranet.
9. Click the down arrow beside the home page icon, and then click Add or Change Home page.
10. In the Add or Change Home Page window, click Use this webpage as your only home page, and then click Yes.
11. Close Internet Explorer.
12. Log off of NYC-CL1.

Resolution
1. Instruct the user to use a single-label URL to access the intranet site. This allows Internet Explorer to recognize the site as an intranet site to which it can automatically pass the local workstation credentials.
2. Configure http://nyc-dc1 as the home page.

OR

1. Manually add http://nyc-dc1.contoso.com to the intranet sites list.
2. Configure http://nyc-dc1.contoso.com as the home page.

OR

1. Manually add http://nyc-dc1.contoso.com to trusted sites, and then configure trusted sites to allow automatic logon with current user name and password.
2. Configure http://nyc-dc1.contoso.com as the home page.
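The second and third resolutions are zone assignments that Internet Explorer stores per user in the registry; the following added example (not part of the course) shows that registry side for the lab's host nyc-dc1 in contoso.com, so a help-desk technician can verify or apply the change without the Internet Options dialog.

```powershell
# Added example (not from the course): IE security-zone assignment for the current user.
# Assumes the lab's intranet host nyc-dc1.contoso.com.
# ZoneMap zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
$IE      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMap = "$IE\ZoneMap\Domains"

function Set-IESiteZone {
    param([string]$HostName, [string]$Domain, [int]$Zone, [string]$Scheme = 'http')
    # A fully qualified name is stored as Domains\<domain>\<host>, with one DWORD value per scheme.
    $key = "$ZoneMap\$Domain\$HostName"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
}

function Get-IESiteZone {
    param([string]$HostName, [string]$Domain, [string]$Scheme = 'http')
    $key = "$ZoneMap\$Domain\$HostName"
    if (Test-Path $key) {
        $v = (Get-ItemProperty -Path $key).$Scheme
        if ($v -ne $null) { return [int]$v }
    }
    return $null   # no explicit mapping: IE falls back to heuristics such as "single-label name = intranet"
}

# Resolution option 2: the FQDN joins the Local intranet zone, so Integrated Windows Authentication
# sends the logged-on user's credentials silently, as it already does for the single-label http://nyc-dc1.
Set-IESiteZone -HostName 'nyc-dc1' -Domain 'contoso.com' -Zone 1
"nyc-dc1.contoso.com is in zone: $(Get-IESiteZone -HostName 'nyc-dc1' -Domain 'contoso.com')"

# Resolution option 3 (wider exposure): Trusted sites plus automatic logon. The Trusted zone's
# logon setting (value 1A00, 0 = automatic logon with current user name and password) applies to
# every site in that zone, not only this one, so option 2 is the narrower fix for one intranet host.
# Set-IESiteZone -HostName 'nyc-dc1' -Domain 'contoso.com' -Zone 2
# Set-ItemProperty -Path "$IE\Zones\2" -Name '1A00' -Value 0 -Type DWord
```

If the domain pushes the "Site to Zone Assignment List" policy, IE ignores these per-user entries and the site must be added to that policy instead.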

Results: After this exercise, you will have authenticated successfully to the intranet website, without requiring the user to enter credentials.


To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.


Module 9: Troubleshooting Operating System and Application Issues

Lab: Troubleshooting Operating System and Application Issues


Exercise 1: Troubleshooting Windows Updates
Task 1: Read help-desk Incident Record 603193
Read the help-desk Incident Record for incident 603193.

Task 2: Update the Plan of Action for Incident Record 603193


Incident Record
Incident Reference Number: 603193
Date of Call: April 14
Time of Call: 08:20
User: All computers
Status: OPEN

Incident Details
Client computers and servers are not obtaining Windows updates from the new Windows Server Update Services (WSUS) server.

Additional Information
The new WSUS server is implemented, and it is successfully downloading updates from Microsoft Update. However, the updates are not being delivered to client computers. We recently blocked access to Microsoft Update for client computers to ensure that they were using the WSUS server for updates. You can force connectivity to the WSUS server by running wuauclt.exe /detectnow on the client computer. You can verify that the client connected to the WSUS server by checking the WindowsUpdateClient event log for Event ID 26. You also can verify that the computer is listed in the Windows Automatic Updates Services administrative tool on NYC-DC1.

Plan of Action
1. Identify if the computer is registered in WSUS.
2. Run wuauclt.exe /detectnow to force contact with the WSUS server.
3. Review the WindowsUpdateClient event log.
4. Verify creation of a GPO to configure Automatic Updates on computers.


Task 3: Attempt to resolve the problem


1. Switch to the NYC-DC1 computer.
2. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
3. Click Start, point to Administrative Tools, and then click Group Policy Management.
4. In Group Policy Management, expand Forest: Contoso.com, expand Domains, and then expand Contoso.com.
5. Right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.
6. In the New GPO window, in the Name box, type WSUS, and then click OK.
7. Right-click WSUS, and then click Edit.
8. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
9. In the right pane, double-click Specify intranet Microsoft update service location.
10. In Specify intranet Microsoft update service location, click Enabled.
11. In the Set the intranet update service for detecting updates and Set the intranet statistics server boxes, type http://NYC-DC1, and then click OK.
12. Double-click Configure Automatic Updates.
13. In the Configure Automatic Updates window, click Enabled, and then click OK.
14. Close all open windows.
15. Switch to the NYC-CL1 computer.
16. Log on by using the following credentials:
    User name: WSAdmin
    Password: Pa$$w0rd
    Domain: Contoso
17. Click Start, type cmd, and then press Enter.
18. At the command prompt, type gpupdate /force, and then press Enter.
19. At the command prompt, type wuauclt.exe /detectnow, and then press Enter.
20. On NYC-DC1, click Start, point to Administrative Tools, and then click Windows Server Update Services.
21. Expand NYC-DC1, expand Computers, and then click All Computers.
22. In the Status box, select Any, and then click Refresh. The computer NYC-CL1 is listed.
23. Close the Update Services window.
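Steps 17 to 22 can be checked on the client without the console round-trip: the two policies write well-known values under the WindowsUpdate policy key, and the detection cycle is logged by the WindowsUpdateClient log. The following added example (not part of the course) reads those values, forces detection and pulls the event the incident record cites; it assumes the lab's server http://NYC-DC1.

```powershell
# Added example (not from the course): verify a Windows 7 client's WSUS configuration and detection.
# Assumes the WSUS server configured in the lab GPO is http://NYC-DC1.
$Expected = 'http://NYC-DC1'
$Policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusClientConfig {
    # "Specify intranet Microsoft update service location" writes WUServer/WUStatusServer;
    # "Configure Automatic Updates" writes AU\NoAutoUpdate and AU\AUOptions. Missing values
    # mean the GPO has not applied to this computer yet (or is linked to the wrong OU).
    $wu = Get-ItemProperty -Path $Policy        -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$Policy\AU"   -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer       # 1 = client talks to the intranet server
        NoAutoUpdate   = $au.NoAutoUpdate      # 0 = Automatic Updates enabled
        Ok             = ($wu.WUServer -eq $Expected -and $au.UseWUServer -eq 1)
    }
}

$cfg = Test-WsusClientConfig
$cfg | Format-List
if (-not $cfg.Ok) {
    Write-Warning 'WSUS policy values not present; refreshing Group Policy before detection.'
    gpupdate /force | Out-Null
}

# Force a detection cycle against the configured server (same as step 19).
wuauclt.exe /detectnow

# The detection is recorded in the WindowsUpdateClient operational log; the incident record
# cites Event ID 26 as the sign that the client reached the WSUS server. Detection is
# asynchronous, so allow a minute or two before expecting a fresh event.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'; Id = 26
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```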


Resolution
Set up a GPO to configure Automatic Updates properly so that computers use http://NYC-DC1.

Results: At the end of this exercise, you will have resolved the issue with Windows updates.


Exercise 2: Troubleshooting AppLocker Policy Application


Task 1: Read help-desk Incident Record 603210
Read the help-desk Incident Record for incident 603210.

Task 2: Update the Plan of Action for Incident Record 603210


Incident Record
Incident Reference Number: 603210
Date of Call: April 14
Time of Call: 11:33
User: Marketing Manager
Status: OPEN

Incident Details
Unauthorized applications are being used on computers.

Additional Information
We have recently implemented Windows 7 AppLocker policies to control the use of applications. In testing, the default rules were configured, which prevented most unauthorized applications from running. A manager has reported that several of his staff are playing games that are not authorized. It appears that the users have brought in the games on Universal Serial Bus (USB) flash drives. I browsed Adam Carter's profile on NYC-CL1, and he has a game stored in the Downloads folder. Please identify why these are not being blocked in production like they were in testing.

Plan of Action
1. Verify that the game in the Downloads folder will run.
2. Verify that the AppLocker rules for executables block the files in the Downloads folder.
3. Check the Application Identity service to verify that it is running.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.
2. Run the D:\Labfiles\Mod09\Scenario3.vbs script. NYC-CL1 will reboot when you run this script.

Task 4: Attempt to resolve the problem


1. Switch to the NYC-DC1 computer.
2. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
3. Click Start, point to Administrative Tools, and then click Group Policy Management.
4. In Group Policy Management, expand Forest: Contoso.com, expand Domains, and then click Contoso.com.


5. Right-click Application Control, and then click Edit.
6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click System Services.
7. Right-click Application Identity, and then click Properties.
8. In the Application Identity Properties window, select the Define this policy setting check box, click Automatic, and then click OK.
9. Close all open windows.

Resolution
Configure a GPO so that the Application Identity service starts automatically.

Results: At the end of this exercise, you will have prevented unauthorized applications from starting.


Exercise 3: Troubleshooting Application Startup


Task 1: Read the help-desk Incident Record 603220
Read the help-desk Incident Record for incident 603220.

Task 2: Update the Plan of Action for Incident Record 603220


Incident Record
Incident Reference Number: 603220
Date of Call: April 14
Time of Call: 13:15
User: Marketing Manager
Status: OPEN

Incident Details
An authorized application is not able to run.

Additional Information
After resolving incident 603220, it appears that a legitimate application is being blocked. The Marketing Manager is reporting that Adam is no longer able to run his game on NYC-CL1, but now also cannot run an XML editing application. The executable for this application is located in C:\XMLNotepad. Please identify why this application is not able to run, and then resolve the issue.

Plan of Action
1. Verify that XML Notepad in C:\XMLNotepad is blocked.
2. Review the AppLocker event log to verify that AppLocker is the issue.
3. Review the AppLocker rules, and then update them as required.

Task 3: Attempt to resolve the problem


1. Switch to the NYC-DC1 computer.
2. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
3. Click Start, point to Administrative Tools, and then click Group Policy Management.
4. In Group Policy Management, expand Forest: Contoso.com, expand Domains, and then click Contoso.com.
5. Right-click Application Control, and then click Edit.
6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, expand AppLocker, and then click Executable Rules.
7. Right-click Executable Rules, and then click Create New Rule.
8. In the Create Executable Rules window, click Next.


9. On the Permissions page, click Next to Allow Everyone to run the application.
10. On the Conditions page, click Path, and then click Next.
11. In the Path box, type C:\XMLNotepad\XmlNotepad.exe, and then click Next.
12. On the Exceptions page, click Next.
13. On the Name and Description page, click Create.
14. Close all open windows.
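The diagnostic steps of Exercise 2 (is the Application Identity service running?) and Exercise 3 (is AppLocker the reason XML Notepad will not start, and does a rule now allow it?) can both be performed on NYC-CL1 with the AppLocker PowerShell module that ships with Windows 7. The following is an added example, not part of the course; it assumes the executable path used in the lab and an elevated PowerShell prompt.

```powershell
# Added example (not from the course): client-side AppLocker checks for Exercises 2 and 3 on NYC-CL1.
# Assumes the lab's executable path; run elevated so the effective policy and event log are readable.
Import-Module AppLocker
$Exe = 'C:\XMLNotepad\XmlNotepad.exe'

# Exercise 2: AppLocker rules are enforced only while the Application Identity service (AppIDSvc)
# is running. If it is stopped or set to Manual, every executable runs regardless of the rules.
$svc       = Get-Service -Name AppIDSvc
$startMode = (Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'").StartMode
"Application Identity: $($svc.Status), start type: $startMode"
if ($svc.Status -ne 'Running') {
    Write-Warning 'AppLocker is not enforcing anything on this computer.'
    # Local equivalent of the GPO change in Exercise 2 (the GPO is still the right fix at scale):
    # Set-Service -Name AppIDSvc -StartupType Automatic; Start-Service -Name AppIDSvc
}

# Exercise 3: ask the effective policy what it would decide for the executable, without running it.
# PolicyDecision is Allowed, Denied or DeniedByDefault; MatchingRule names the rule responsible.
$policy = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $policy -Path $Exe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Corroborate with the AppLocker event log, which is what the Plan of Action asks to review:
# 8004 = blocked, 8002 = allowed, 8003 = would have been blocked (audit-only mode).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8002, 8003, 8004
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'XmlNotepad' } |
    Select-Object TimeCreated, Id, Message
```

After the path rule from this exercise reaches the client (gpupdate /force), Test-AppLockerPolicy should report Allowed with that rule as MatchingRule; a DeniedByDefault result means no rule matched the file at all.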

Resolution
Configure an AppLocker rule to allow the application in C:\XMLNotepad to run.

Results: At the end of this exercise, you will have resolved the problem with application startup.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.
