
OFFICIAL MICROSOFT LEARNING PRODUCT

6430B
Planning for Windows Server 2008 Servers
Companion Content

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at
http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks
of the Microsoft group of companies. All other marks are property of their respective owners.

Product Number: 6430B


Released: 11/2009

Module 1
Planning Windows Server 2008 Deployment
Contents:
Lesson 1: Overview of Change Management

Lesson 3: Performing a Single-Server Installation

Lesson 4: Automating Windows Server 2008 Deployment

Module Reviews and Takeaways


Lesson 1

Overview of Change Management


Contents:
Question and Answers

Question and Answers


Discussion: What Is Change Management?
Question: What is change?
Answer: Change is any deliberate modification, introduction, or elimination of an information
technology component that may impact an information technology service level or affect the
environment's ability to function.
Question: How does your organization address change management?
Answer: Answers will vary. Some student organizations will have a formal change management
process. These are typically larger organizations. Students from smaller organizations may not have a
formal process.
Question: Are there some situations where change management is more important than others?
Answer: Change management is important for all changes, to prevent unintended consequences.
However, for those changes that are likely to impact many users or high-profile users, change
management is even more critical. Changes to mission-critical software, such as a messaging system,
also tend to be more critical than changes to noncritical software, such as for a backup server.
Question: What are the benefits of a formal change management process?
Answer: The following are the benefits of a formal change management process:

• Other organizational stakeholders are aware of changes and can gauge the impact on their
  systems and staff.
• Multiple changes are coordinated to ensure that they do not conflict.
• Formalizing the change process ensures that it is consistent so that mistakes are not made.
• Change management provides additional review of changes and allows time for additional
  planning, if required. Changes without a formal review are often poorly thought out. Not
  every alternative is considered.
• For an IT professional, using the change management process can serve to deflect blame in
  situations in which there are problems during a change.
• Recovering from change problems can be simplified because a formal back-out plan can be
  included as part of the change management process.

Question: Are there situations in which the normal change process cannot be followed?
Answer: Yes, there are emergency situations in which services are broken and the full change
management process cannot be followed. However, there should be an emergency change process in
place to handle those situations. For example, if a critical service is down, it is not realistic for a
detailed technical plan for troubleshooting and repair to be documented and approved. The first
priority is repairing the failed service. However, the changes made when repairing the service should
be documented and evaluated afterwards to ensure there will be no negative effects on other
services.

Considerations for Managing Change


Question: Do you like using change management procedures?
Answer: Answers will vary, but most IT staff do not like the bureaucracy involved in the change
management process.
Question: Do you see the value in using change management procedures in your organization?
Answer: Answers will vary, but in most cases students will see some value in creating a more stable
system.

Lesson 3

Performing a Single-Server Installation


Contents:
Question and Answers


Question and Answers


Considerations for Performing Server Upgrades
Question: What is the biggest risk in performing an upgrade?
Answer: When you perform an upgrade, there is no rollback option after the upgrade is complete. If
an application is not functional after the upgrade, you will experience a service outage until you
repair the application. To mitigate this risk you should perform a full backup of a server before
upgrading.

Lesson 4

Automating Windows Server 2008 Deployment


Contents:
Question and Answers

Detailed Demo Steps


Question and Answers


What Is the Microsoft Deployment Toolkit?
Question: Why would you use MDT in addition to WAIK or WDS?
Answer: WAIK and WDS are tools for deployment. MDT provides additional guidance on best
practices for deployment. Using best practices results in faster deployments with fewer service outages.
Also, if your organization has SCCM or SMS, it provides additional options for deployment.

Detailed Demo Steps


Demonstration: Creating an Answer File
1. On SEA-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Click Start, point to All Programs, click Microsoft Windows AIK, and then click Windows System Image Manager.
3. In the Windows System Image Manager window, right-click Select a Windows image or catalog file, and then click Select Windows Image.
4. In the Select a Windows Image window, in the Files of type box, select Catalog files.
5. Browse to the D:\Labfiles\Mod01 folder, click INSTALL_WINDOWS LONGHORN SERVERENTERPRISE.CLG, and then click Open. These catalog files are included on the Windows Server 2008 installation media. You can also create a catalog from a WIM file.
6. In the Answer File area, right-click Create or open an answer file, and then click New Answer File. The seven components listed correspond with passes during Windows setup. Settings must be added to the correct pass to be effective. For example, you can partition a disk only during the windowsPE pass.
7. In the Windows Image area, expand Components, expand x86_Microsoft-Windows-Setup, expand DiskConfiguration, right-click Disk, and click Add Setting to Pass 1 windowsPE. Notice that these settings now appear in the answer file.
8. In the Disk Properties area, in the DiskID box, type 0. This specifies that actions will be performed on the first disk on the primary IDE channel.
9. In the WillWipeDisk box, select true. This specifies that all existing partitions will be erased from the disk.
10. In the Answer File area, expand Disk[DiskID=0], right-click Create Partitions, and click Insert New CreatePartition.
11. In the CreatePartition Properties area, in the Order box, type 1. This specifies the order of operations for creating partitions.
12. In the Size box, type 40960. This setting is in megabytes (MB).
13. In the Type box, select Primary.
14. In the Windows Image area, right-click x86_Microsoft-Windows-Shell-Setup, and then click Add Setting to Pass 4 specialize.
15. In the Microsoft-Windows-Shell-Setup Properties area, in the ProductKey box, type 1234512345-12345-12345-12345.
16. In the ComputerName box, type *. This generates a randomized computer name that can be changed after installation.
17. Click the File menu, and then click Save Answer File.
18. In the Save As window, in the File name box, type unattend.xml, and then click Save.
19. Close Windows System Image Manager.
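
The answer file these steps produce, generated and checked in Python as an added example (not part of the course material or of Windows AIK). The function names and the placeholder product key are assumptions; the element and pass names follow the unattend schema that Windows System Image Manager writes.

```python
import xml.etree.ElementTree as ET

UNATTEND_NS = "urn:schemas-microsoft-com:unattend"
WCM_NS = "http://schemas.microsoft.com/WMIConfig/2002/State"
ET.register_namespace("", UNATTEND_NS)
ET.register_namespace("wcm", WCM_NS)

# The seven configuration passes, in the order WSIM numbers them (1 to 7).
PASSES = ("windowsPE", "offlineServicing", "generalize", "specialize",
          "auditSystem", "auditUser", "oobeSystem")
ADD = {"{%s}action" % WCM_NS: "add"}


def _q(tag):
    """Qualify a tag name with the unattend namespace."""
    return "{%s}%s" % (UNATTEND_NS, tag)


def _component(root, pass_name, name, arch="x86"):
    """Add <settings pass=...><component name=...> and return the component."""
    if pass_name not in PASSES:
        raise ValueError("unknown configuration pass: %s" % pass_name)
    settings = ET.SubElement(root, _q("settings"), {"pass": pass_name})
    return ET.SubElement(settings, _q("component"), {
        "name": name, "processorArchitecture": arch,
        "publicKeyToken": "31bf3856ad364e35",
        "language": "neutral", "versionScope": "nonSxS"})


def _leaf(parent, tag, value):
    """Add a simple <tag>value</tag> setting."""
    ET.SubElement(parent, _q(tag)).text = str(value)


def build_answer_file(product_key, disk_id=0, size_mb=40960, computer_name="*"):
    """Return unattend.xml text with the settings from steps 7 to 16."""
    root = ET.Element(_q("unattend"))
    # Pass 1 windowsPE: wipe disk 0 and create one primary partition.
    setup = _component(root, "windowsPE", "Microsoft-Windows-Setup")
    disk_cfg = ET.SubElement(setup, _q("DiskConfiguration"))
    disk = ET.SubElement(disk_cfg, _q("Disk"), ADD)
    parts = ET.SubElement(disk, _q("CreatePartitions"))
    part = ET.SubElement(parts, _q("CreatePartition"), ADD)
    _leaf(part, "Order", 1)
    _leaf(part, "Size", size_mb)          # megabytes
    _leaf(part, "Type", "Primary")
    _leaf(disk, "DiskID", disk_id)
    _leaf(disk, "WillWipeDisk", "true")
    # Pass 4 specialize: computer name ("*" = generated) and product key.
    shell = _component(root, "specialize", "Microsoft-Windows-Shell-Setup")
    _leaf(shell, "ComputerName", computer_name)
    _leaf(shell, "ProductKey", product_key)
    return ET.tostring(root, encoding="unicode")


def settings_by_pass(xml_text):
    """Map each configuration pass in the file to its component names."""
    found = {}
    for settings in ET.fromstring(xml_text).findall(_q("settings")):
        for comp in settings.findall(_q("component")):
            found.setdefault(settings.get("pass"), []).append(comp.get("name"))
    return found


def misplaced_disk_configuration(xml_text):
    """Return passes other than windowsPE that carry DiskConfiguration."""
    return [s.get("pass")
            for s in ET.fromstring(xml_text).findall(_q("settings"))
            if s.get("pass") != "windowsPE"
            and s.find(".//" + _q("DiskConfiguration")) is not None]


def setting(xml_text, tag):
    """Return the text of the first setting with this tag, or None."""
    node = ET.fromstring(xml_text).find(".//" + _q(tag))
    return None if node is None else node.text


if __name__ == "__main__":
    # Placeholder key, constructed for the example.
    text = build_answer_file("XXXXX-XXXXX-XXXXX-XXXXX-XXXXX")
    print(text)
    print(settings_by_pass(text), misplaced_disk_configuration(text))
```

Running `misplaced_disk_configuration` over an answer file before it is used for deployment catches disk settings that were added to a pass in which they have no effect.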


Module Reviews and Takeaways


Review questions
1. Why is change management important when deploying Windows Server 2008?
2. When selecting a version of Windows Server 2008, which factors should you take into account?
3. Is it better to upgrade an existing server or migrate to new hardware?
4. In which situations is automated deployment preferred to a manual installation?

Common issues related to deploying Windows Server 2008


Identify the causes for the following common issues related to Windows Server 2008, and fill in the
troubleshooting tips. For answers, refer to the relevant lessons in the module.
Issue                           Troubleshooting Tip
Application incompatibility
Device driver availability
Servers requiring activation

Real-world issues and scenarios


1. You want to install Windows Server 2008 as a host for virtualization. This server will host three virtual machines. Which is the most cost-effective version of Windows Server 2008 to obtain?
2. You have a line-of-business application that runs on a 32-bit server with Windows Server 2003 Standard Edition. You would like to migrate this server to a 64-bit edition of Windows Server 2008 to take advantage of increased memory. What process should you use to ensure that downtime is limited?
3. You are deploying Windows Server 2008 on ten servers in three locations. To simplify documentation and management, you would like all ten servers to have the same configuration. How does automating server deployment help to ensure that the configuration is the same for all ten servers?

Best practices related to Windows Server 2008 deployment


Supplement or modify the following best practices for your own work situations:

• Remember to consider CALs when upgrading to Windows Server 2008.
• In virtualized environments, consider using Windows Server 2008 Datacenter to simplify server
  licensing.
• Choose a 64-bit version of Windows Server 2008 if necessary drivers and software are
  compatible. This also helps with greater memory access.
• When possible, perform a migration to Windows Server 2008 rather than an upgrade.
• When deploying Windows Server 2008 to multiple computers, consider the use of automated
  deployment.

Tools
Tool: Microsoft Solution Accelerators
Use for: Obtaining tools and guidance for deploying Microsoft technologies
Where to find it: On the TechNet Web site.

Tool: Microsoft Assessment and Planning Toolkit
Use for: Identifying whether your organization is ready to deploy Windows Server 2008
Where to find it: On the Microsoft Assessment and Planning Toolkit page on the TechNet Web site.

Tool: Windows Automated Installation Kit
Use for: Automating the installation of Windows Server 2008
Where to find it: On the Automated Installation Kit (AIK) for Windows Vista SP1 and Windows Server 2008 page on the Microsoft Web site.

Tool: Windows Deployment Services
Use for: Centrally creating and deploying Windows Server 2008 images
Where to find it: A server role in Windows Server 2008

Tool: Microsoft Deployment Toolkit
Use for: Planning and performing automated installations of Windows Server 2008
Where to find it: On the Microsoft Deployment Toolkit page on the TechNet Web site

Module 2
Planning Network Infrastructure for Windows Server 2008
Contents:
Lesson 1: Planning IPv4 Addressing
Lesson 2: Planning for Name Resolution Services
Lesson 3: Determining the Need for WINS
Lesson 5: Planning an IPv4 to IPv6 Transition Strategy
Module Reviews and Takeaways

Lesson 1

Planning IPv4 Addressing


Contents:
Question and Answers

Detailed Demo Steps

Additional Reading

Question and Answers


Discussion: Selecting an Appropriate IPv4 Addressing Scheme
Question. Contoso.com has implemented IPv4 throughout the organization. It is currently
implementing a new head office building. The office will host 5,000 computers distributed fairly
evenly across 10 floors of these offices. What address class would suit this scenario?
Answer. Any class would be suitable with CIDR; however, a class B network with subnetting is the
most logical choice.
Question. Analysis of the network traffic at the existing head office shows that the maximum number
of hosts per subnet should be around 100. How many subnets are required, and assuming a network
address for the whole site of 172.16.0.0, what mask should you use to ensure sufficient support for
the required subnets?
Answer. At least 50 subnets are needed. To express 50 subnets, you will need 6 bits in the mask. 2^6
yields 64, while 2^5 provides only 32 subnets.
Question. Assuming the network address for the head office is 172.16.0.0/19, what mask would you
assign to each subnet?
Answer. The mask would be 25 bits, and would be expressed in decimal as 255.255.255.128.
Question. How many hosts can you have in each subnet based on your selected mask?
Answer. There are 7 bits remaining for hosts, which allows for 2^7-2 hosts, which is 126. If the subnet
mask was 26 bits, that would provide for only 62 hosts and the requirement is for a maximum of 100.
However, a mask of 26 bits would support 128 subnets and can be considered as a valid
configuration.
Question. Assuming you implement the mask you determined for each subnet, what would the first
subnet address be?
Answer. With a 6 bit subnet mask, the actual decimal mask would be 255.255.255.128. The first
subnet would be 172.16.0.0/26. If you opted for a 7 bit mask, then again, the first subnet would be
172.16.0.0/27, but the decimal mask would be 255.255.255.192.
Question. What are the first and last host addresses for the first subnet?
Answer. With a 6 bit subnet mask, the first host in the first subnet would be 172.16.0.1/26 and the
last host would be 172.16.0.126/26. Using a 7 bit mask, the first host would be 172.16.0.1/27, while
the last host would be 172.16.0.62/27.
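
The arithmetic in this discussion, worked through with Python's standard ipaddress module as an added example (not part of the course material). The function names are assumptions made for the illustration, and prefix lengths are written as total mask bits (site prefix plus subnet bits).

```python
import ipaddress
import math


def plan_subnets(site_cidr, total_hosts, max_hosts_per_subnet):
    """Size equal subnets for a site block from the host requirements."""
    site = ipaddress.ip_network(site_cidr)
    subnets_needed = math.ceil(total_hosts / max_hosts_per_subnet)

    # Smallest number of host bits n with 2^n - 2 usable addresses
    # (network and broadcast excluded) covering the largest subnet.
    host_bits = 2
    while 2 ** host_bits - 2 < max_hosts_per_subnet:
        host_bits += 1

    prefix = site.max_prefixlen - host_bits
    subnet_bits = prefix - site.prefixlen
    if subnet_bits < 0 or 2 ** subnet_bits < subnets_needed:
        raise ValueError("%s cannot hold %d subnets of %d hosts"
                         % (site, subnets_needed, max_hosts_per_subnet))

    first = next(site.subnets(new_prefix=prefix))
    first_host, last_host = host_range(str(first))
    return {
        "subnets_needed": subnets_needed,
        "subnet_bits": subnet_bits,
        "subnets_available": 2 ** subnet_bits,
        "prefix": prefix,
        "mask": str(first.netmask),
        "hosts_per_subnet": 2 ** host_bits - 2,
        "first_subnet": str(first),
        "first_host": first_host,
        "last_host": last_host,
    }


def host_range(cidr):
    """Return (first, last) usable host address of a subnet."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def capacity(site_cidr, prefix):
    """Return (subnet count, usable hosts per subnet) for a chosen mask."""
    site = ipaddress.ip_network(site_cidr)
    if not site.prefixlen <= prefix <= site.max_prefixlen - 2:
        raise ValueError("mask length %d does not fit inside %s" % (prefix, site))
    return 2 ** (prefix - site.prefixlen), 2 ** (site.max_prefixlen - prefix) - 2


if __name__ == "__main__":
    # Head office scenario: 5,000 computers, about 100 hosts per subnet.
    for key, value in plan_subnets("172.16.0.0/19", 5000, 100).items():
        print("%-18s %s" % (key, value))
    # The 26-bit alternative mentioned in the answers.
    print(capacity("172.16.0.0/19", 26))
```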

Demonstration: Allocating IPv4 Addresses with DHCP


Question: Why is it important to authorize DHCP servers?
Answer: To ensure that only appropriate DHCP servers are enabled on the network.


Detailed Demo Steps


Demonstration: Allocating IPv4 Addresses with DHCP
Task 1 - Deploy the DHCP server role
1. Start the 6430B-SEA-DC1 virtual machine.
2. When the virtual machine has started, start the 6430B-SEA-SVR1 virtual machine.
3. Switch to the SEA-SVR1 computer.
4. Log on to the SEA-SVR1 virtual machine as ADATUM\administrator with a password of Pa$$w0rd.
5. Click Start, and then click Server Manager.
6. In Server Manager, in the console, click Roles.
7. In the results pane, under Roles Summary, click Add Roles.
8. In the Add Roles Wizard, click Next.
9. On the Select Server Roles page, in the Roles list, select the DHCP Server check box, and then click Next.
10. On the DHCP Server page, click Next.
11. On the Select Network Connection Bindings page, click Next.
12. On the Specify IPv4 DNS Server Settings page, in the Preferred DNS Server IPv4 Address box, type 10.10.0.10, and then click Next.
13. On the Specify IPv4 WINS Server Settings page, click Next.
14. On the Add or Edit DHCP Scopes page, click Next.
15. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server, and then click Next.
16. On the Authorize DHCP Server page, click Next.
17. On the Confirm Installation Selections page, click Install.
18. On the Installation Results page, click Close.

Task 2 - Create the first scope


1. Click Start, click Administrative Tools, and then click DHCP.
2. In the DHCP Console, expand sea-svr1.adatum.com, expand IPv4, and then click IPv4.
3. Right-click IPv4, and then click New Scope.
4. In the New Scope Wizard, click Next.
5. On the Scope Name page, in the Name box, type Subnet 1 80 %, and then click Next.
6. On the IP Address Range page, in the Start IP address box, type 10.10.16.1.
7. In the End IP address box, type 10.10.31.254.
8. In the Length box, type 20, and then click Next.
9. On the Add Exclusions page, in the Start IP address box, type 10.10.28.1.
10. In the End IP address box, type 10.10.31.254, click Add, and then click Next.
11. On the Lease Duration page, click Next.
12. On the Configure DHCP Options page, click Next.
13. On the Router (Default Gateway) page, in the IP address box, type 10.10.31.254, click Add, and then click Next.
14. On the Domain Name and DNS Servers page, in the Parent domain box, type adatum.com.
15. In the Server name box, type SEA-DC1, and then click Resolve.
16. Click Add, and then click Next.
17. On the WINS Servers page, click Next.
18. On the Activate Scope page, click Next, and then click Finish.

Task 3 - Create the second scope


1. In the DHCP Console, right-click IPv4, and then click New Scope.
2. In the New Scope Wizard, click Next.
3. On the Scope Name page, in the Name box, type Subnet 2 20 %, and then click Next.
4. On the IP Address Range page, in the Start IP address box, type 10.10.32.1.
5. In the End IP address box, type 10.10.47.254.
6. In the Length box, type 20, and then click Next.
7. On the Add Exclusions page, in the Start IP address box, type 10.10.32.1.
8. In the End IP address box, type 10.10.43.255, click Add, and then click Next.
9. On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Next.
11. On the Router (Default Gateway) page, in the IP address box, type 10.10.47.254, click Add, and then click Next.
12. On the Domain Name and DNS Servers page, in the Parent domain box, type adatum.com.
13. In the Server name box, type SEA-DC1, and then click Resolve.
14. Click Add, and then click Next.
15. On the WINS Servers page, click Next.
16. On the Activate Scope page, click Next, and then click Finish.
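
A check of the two scopes entered in Tasks 2 and 3, written in Python as an added example (not part of the course material). It computes how much of each address range this server can actually lease after exclusions and whether the router address is kept out of the pool; the function and field names are assumptions.

```python
import ipaddress

# Values typed into the New Scope Wizard in Tasks 2 and 3 above.
SCOPES = [
    {"name": "Subnet 1 80 %", "start": "10.10.16.1", "end": "10.10.31.254",
     "length": 20, "exclusions": [("10.10.28.1", "10.10.31.254")],
     "router": "10.10.31.254"},
    {"name": "Subnet 2 20 %", "start": "10.10.32.1", "end": "10.10.47.254",
     "length": 20, "exclusions": [("10.10.32.1", "10.10.43.255")],
     "router": "10.10.47.254"},
]


def _span(start, end):
    """Return an inclusive address range as a pair of integers."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if hi < lo:
        raise ValueError("range %s-%s is reversed" % (start, end))
    return lo, hi


def _merge(spans):
    """Merge overlapping or adjacent ranges so addresses are counted once."""
    merged = []
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def audit_scope(scope):
    """Report pool size, leasable share and configuration findings."""
    net = ipaddress.ip_network("%s/%d" % (scope["start"], scope["length"]),
                               strict=False)
    lo, hi = _span(scope["start"], scope["end"])
    findings = []
    if lo <= int(net.network_address) or hi >= int(net.broadcast_address):
        findings.append("address range is not inside the usable hosts of %s" % net)

    excluded = _merge(_span(a, b) for a, b in scope["exclusions"])
    for a, b in excluded:
        if a < lo or b > hi:
            findings.append("an exclusion extends outside the address range")

    pool = hi - lo + 1
    leasable = pool - sum(min(b, hi) - max(a, lo) + 1
                          for a, b in excluded if b >= lo and a <= hi)

    router = ipaddress.IPv4Address(scope["router"])
    if router not in net:
        findings.append("router %s is not in subnet %s" % (router, net))
    router_leasable = (lo <= int(router) <= hi and
                       not any(a <= int(router) <= b for a, b in excluded))
    if router_leasable:
        findings.append("router %s is inside the leasable pool" % router)

    return {"name": scope["name"], "subnet": str(net), "pool": pool,
            "leasable": leasable,
            "share_percent": round(100.0 * leasable / pool, 1),
            "router_leasable": router_leasable, "findings": findings}


if __name__ == "__main__":
    for report in map(audit_scope, SCOPES):
        print(report)
```

For the values above it reports 75.0 % and 25.0 % of the two ranges as leasable, and one finding: the router address 10.10.47.254 of the second scope is not covered by the exclusion that ends at 10.10.43.255.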


Additional Reading
What Is a Subnet?
For more information, see Address Allocation for Private Internets.

Planning the Deployment of DHCP Servers

Configuring scopes

DHCP Best Practices

Lesson 2

Planning for Name Resolution Services


Contents:
Question and Answers

Detailed Demo Steps

Additional Reading


Question and Answers


Demonstration: Deploying the DNS Server Role
Question: What is the difference between a DNS subdomain and a delegated zone?
Answer: A DNS subdomain is part of the logical name space, whereas a delegated zone is the DNS
database that is configured to support the subdomain.

Detailed Demo Steps


Demonstration: Deploying the DNS Server Role
Task 1 - Deploy the DNS server role
1. On SEA-SVR1, switch to Server Manager.
2. In Server Manager, in the console, click Roles.
3. In the results pane, under Roles Summary, click Add Roles.
4. In the Add Roles Wizard, click Next.
5. In the Roles list, select the DNS Server check box, and then click Next.
6. On the DNS Server page, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, click Close.

Task 2 - Create a delegation
1. Switch to the SEA-DC1 virtual machine.
2. Log on to the SEA-DC1 virtual machine as ADATUM\administrator with a password of Pa$$w0rd.
3. Click Start, click Administrative Tools, and then click DNS.
4. In the DNS console, expand Forward Lookup Zones, and then expand Adatum.com.
5. Right-click Adatum.com, and then click New Delegation.
6. In the New Delegation Wizard, click Next.
7. On the Delegated Domain Name page, in the Delegated domain box, type south, and then click Next.
8. On the Name Servers page, click Add.
9. In the Server fully qualified domain name (FQDN) box, type sea-svr1.south.adatum.com, in the IP Address list, type 10.10.0.100, and then click Resolve.
   Note: This generates an error because the server, SEA-SVR1, has not yet been configured with that suffix. Proceed.
10. In the DNS dialog box, click OK.
11. In the New Name Server Record dialog box, click OK.
12. On the Name Servers page, click Next, and then click Finish.

Task 3 - Reconfigure the DNS suffix of the local computer
1. Switch to the SEA-SVR1 virtual machine.
2. Click Start, right-click Computer, and then click Properties.
3. In System, click Advanced system settings.
4. In the System Properties dialog box, click the Computer Name tab.
5. Click Change, and then click More.
6. On the DNS Suffix and NetBIOS Computer Name page, clear the Change primary DNS suffix when domain membership changes check box.
7. In the Primary DNS suffix of this computer box, type south.adatum.com, and then click OK.
8. In the Computer Name/Domain Changes dialog box, click OK.
9. In the You must restart your computer to apply these changes dialog box, click OK.
10. In the System Properties dialog box, click Close.
11. In the Microsoft Windows dialog box, click Restart Now.
12. Log on to the SEA-SVR1 virtual machine as SEA-SVR1\administrator with a password of Pa$$w0rd.

Task 4 - Create the south.adatum.com zone
1. On the SEA-SVR1 virtual machine, click Start, click Administrative Tools, and then click DNS.
2. In DNS Manager, expand SEA-SVR1, expand Forward Lookup Zones, right-click Forward Lookup Zones, and then click New Zone.
3. In the New Zone Wizard, click Next.
4. On the Zone Type page, click Primary zone, and then click Next.
5. On the Zone Name page, in the Zone name box, type south.adatum.com, and then click Next.
6. On the Zone File page, click Next.
7. On the Dynamic Update page, click Allow both nonsecure and secure dynamic updates, click Next, and then click Finish.

Task 5 - Reconfigure the DNS server for Local Area Connection
1. Click Start, right-click Network, and then click Properties.
2. In Network and Sharing Center, click Manage network connections.
3. Right-click Local Area Connection, and then click Properties.
4. Double-click Internet Protocol Version 4 (TCP/IPv4).
5. In the Preferred DNS server box, type 127.0.0.1, and then click OK.
6. In the Local Area Connection Properties dialog box, click Close.
7. Click Start, and then click Command Prompt.
8. At the Command Prompt, type nslookup sea-dc1.adatum.com, and then press ENTER.
   Note: This does not provide a result.

Task 6 - Configure forwarding
1. Switch to DNS Manager.
2. In the console, right-click SEA-SVR1, and then click Properties.
3. Click the Forwarders tab.
4. Click Edit, and in the IP addresses of forwarding servers list, type 10.10.0.10, and then press ENTER.
5. Click OK.
6. In the SEA-SVR1 Properties dialog box, click OK.
7. Switch to the Command Prompt.
8. At the Command Prompt, type nslookup sea-dc1.adatum.com, and then press ENTER.


Additional Reading
Planning Your DNS Namespace

DNS Namespace Planning

Designing a DNS Namespace

What Is DNS Forwarding?

Understanding forwarders

Lesson 3

Determining the Need for WINS


Contents:
Question and Answers
Detailed Demo Steps
Additional Reading

Question and Answers


Demonstration: Deploying the WINS Feature
Question: What NetBIOS records does a typical Windows computer register with its WINS server?
Answer: computer name [00h] - the workstation service, and computer name [20h] - the server
service

Demonstration: Implementing the GlobalNames Zone


Question: Can you enable dynamic update on the GlobalNames zone?
Answer: No, because the records must be manually maintained. If dynamic name mapping for single-label names is important, consider implementing WINS.

Detailed Demo Steps


Demonstration: Deploying the WINS Feature
Task 1 - Deploy the WINS feature
1. Switch to the SEA-DC1 virtual machine.
2. Click Start, and then click Server Manager.
3. In the console, click Features.
4. In the results pane, under Features Summary, click Add Features.
5. In the Features list, select the WINS Server check box, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. When prompted, click Close.

Task 2 - Reconfigure the WINS settings for Local Area Connection
1. Click Start, right-click Network, and then click Properties.
2. In Network and Sharing Center, click Manage network connections.
3. Right-click Local Area Connection, and then click Properties.
4. Double-click Internet Protocol Version 4 (TCP/IPv4).
5. Click Advanced, and then click the WINS tab.
6. In the Advanced TCP/IP Settings dialog box, click Add.
7. In the WINS server box, type 10.10.0.10, and then click Add.
8. In the Advanced TCP/IP Settings dialog box, click OK.
9. In the Internet Protocol Version 4 (TCP/IPv4) dialog box, click OK.
10. In the Local Area Connection Properties dialog box, click Close.
    Note: Sometimes this dialog box displays an OK prompt.
11. Click Start, and then click Command Prompt.
12. At the Command Prompt, type NBTSTAT -RR, and then press ENTER.

Task 3 - Examine registered WINS records
1. Click Start, click Administrative Tools, and then click WINS.
2. In WINS, expand SEA-DC1 [10.10.0.10], and then click Active Registrations.
3. Right-click Active Registrations, and then click Display Records.
4. Click Find Now.

Demonstration: Implementing the GlobalNames Zone


Task 1 - Enable GlobalNames zone
1. On SEA-DC1, switch to the command prompt.
2. At the Command Prompt, type dnscmd . /config /enableglobalnamessupport 1, and then press ENTER.
3. Switch to DNS Manager.
4. In the console, right-click Forward Lookup Zones, and then click New Zone.
5. Click Next, and on the Zone Type page, click Primary zone, and then click Next.
6. On the Active Directory Zone Replication Scope page, click Next.
7. On the Zone Name page, in the Zone name box, type GlobalNames, and then click Next.
8. On the Dynamic Update page, click Next, and then click Finish.
9. In the console, click GlobalNames.

Task 2 - Enable WINS-lookup for Adatum.com zone
1. Right-click Adatum.com, and then click Properties.
2. Click the WINS tab.
3. Select the Use WINS forward lookup check box.
4. In the IP address box, type 10.10.0.10, click Add, and then click OK.

Additional Reading
When Is WINS Required?

Windows 2000 Server Windows Internet Naming Service (WINS) Overview

Why you still run Windows Internet Naming Service (WINS)

WINS Considerations

WINS Components

What Is the GlobalNames Zone?

DNS Server GlobalNames Zone Deployment document


Lesson 5

Planning an IPv4 to IPv6 Transition Strategy


Contents:
Additional Reading

Additional Reading
What Is the IPv6 Address Space?

Introduction to IP Version 6

IPv6 Transition Technologies

IPv6 Transition Technologies

RFC 2893: Transition Mechanisms for IPv6 Hosts and Routers


Module Reviews and Takeaways


Review questions
1. What is the host range of addresses in the 172.16.16.0/21 subnet?
   Answer: 172.16.16.1 > 172.16.23.254
2. You intend to deploy the DHCP server role where necessary throughout your routed network. What considerations should you bear in mind?
   Answer: You should remember that routers must be RFC-compliant to forward DHCP packets. In addition, to provide for fault tolerance, you must configure multiple DHCP servers and observe the 80/20 rule.
3. What is the difference between a subdomain in a DNS zone, and a delegated zone?
   Answer: The former has no name servers of its own, while the latter has authoritative name servers of its own.
4. What are the advantages of Active Directory integrated zones?
   Answer: Zone transfers are automatic, handled by the Active Directory replication process. These transfers are more secure than traditional zone transfers.
5. When planning WINS, how many servers should you consider deploying?
   Answer: Generally, for larger organizations, at least two, both of which are replication partners; this provides for fault tolerance of NetBIOS name registration, renewal, release, and querying.

Module 3
Planning for Active Directory
Contents:
Lesson 1: Selecting a Domain and Forest Topology
Lesson 2: Selecting a Domain and Forest Functional Level
Lesson 3: Planning Identity and Access Services in Active Directory
Lesson 4: Implementing Active Directory in the Physical Network
Module Reviews and Takeaways

Lesson 1

Selecting a Domain and Forest Topology


Contents:
Question and Answers

Additional Reading

Question and Answers


Discussion: Selecting an Active Directory Topology
Question. What are your initial thoughts about a forest topology?
Answer. Answers will vary, but there is currently nothing to indicate that multiple forests are required.
Question. How many domains do you envisage using?
Answer. Answers will vary, but four domains are indicated. An empty forest root for Fabrikam, and
three regional domains.
Question. How many sites do you imagine will be required?
Answer. Answers will vary, and a specific number cannot be defined without knowing more about
the branch and national offices. However, one site should be configured for each location.
Question. Do you think that more than one tree is indicated?
Answer. Answers will vary, but nothing indicates a requirement for multiple trees.
Question. How many forests do you envisage?
Answer. Answers will vary, but it appears likely that two forests are required; the existing Contoso
forest and the new forest for Fabrikam. It is possible that objects from the Contoso forest could be
migrated to a new domain in the Fabrikam forest at a later stage. It is probably undesirable to use the
Contoso forest and add a new tree for Fabrikam; this is because the forest root would not be located
in the Fabrikam worldwide headquarters.
Question. How does implementing Exchange Server affect your plans?
Answer. Answers will vary; Exchange Server 2007 is deployed as a forest-level application; this means
that only one Exchange Server organization can reside within a single forest. You would need to
conduct research to determine if there was any reason to imagine that each region required a
different Exchange Server organization. Also bear in mind that Exchange Server requires significant
modifications to the Active Directory schema. Whenever you plan to deploy an application that
requires schema changes shortly after deploying Active Directory, plan to make the schema changes
with the initial Active Directory deployment.
Question. How many forests do you envisage?
Answer. Answers will vary, but including the Contoso forest, it appears that four forests are required;
one for each region.
Question. How many domains are required?
Answer. Answers will vary; however, one domain for each region should suffice.
Question. How many trusts will you need to create?

Answer. Answers will vary; a forest trust relationship is required between each forest.


Additional Reading
Considerations for Designing a Forest Infrastructure

Download the Infrastructure Planning and Design Guide Series


Lesson 2

Selecting a Domain and Forest Functional Level


Contents:
Question and Answers

Detailed Demo Steps


Question and Answers


Demonstration: Modifying the Functional Level
Question: You recently raised the domain functional level of the sales.adatum.com domain; however,
now you want to revert to the Windows Server 2003 domain functional level. Is this possible, and if so,
how?
Answer: It is not easy to revert to a lower functional level. You must restore Active Directory. For this
reason, it is important to ensure that you only ever raise the domain functional level when you are
quite sure you will not need to change your mind.


Detailed Demo Steps


Demonstration: Modifying the Functional Level
Task 1 Raise the domain functional level
1. Start the 6430B-SEA-DC1 virtual machine.
2. When the virtual machine has started, start the 6430B-SEA-SVR1 virtual machine. You will need this VM for subsequent demonstrations.
3. Switch to the SEA-DC1 computer.
4. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
5. In the console, right-click Adatum.com and then click Raise domain functional level.
6. In the Raise domain functional level dialog box, in the Select an available domain functional level list, click Windows Server 2008, and then click Raise.
7. In the Raise domain functional level dialog box, click OK.
8. In the subsequent Raise domain functional level dialog box, click OK.
9. Close Active Directory Users and Computers.

Task 2 Raise the forest functional level


1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. In the console, right-click Active Directory Domains and Trusts [SEA-DC1.Adatum.com], and then click Raise Forest Functional Level.
3. In the Raise forest functional level dialog box, in the Select an available forest functional level list, click Windows Server 2008, and then click Raise.
4. In the Raise forest functional level dialog box, click OK.
5. In the subsequent Raise forest functional level dialog box, click OK.
6. Close Active Directory Domains and Trusts.


Lesson 3

Planning Identity and Access Services in Active Directory
Contents:
Additional Reading


Additional Reading
What Is AD RMS?

AD RMS Documentation Roadmap


Lesson 4

Implementing Active Directory in the Physical Network
Contents:
Question and Answers


Detailed Demo Steps


Question and Answers


Demonstration: Creating a Site
Question: What is the default replication schedule and interval for the DEFAULTIPSITELINK object?
Answer: The schedule is always, and the interval is every 180 minutes (3 hours).

Demonstration: Deploying an RODC


Question: Why is it desirable to not cache administrator passwords on an RODC?
Answer: It is not secure to cache the passwords for sensitive or powerful user accounts.


Detailed Demo Steps


Demonstration: Creating a Site
Task 1 Create a site object
1. On the SEA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console, expand Sites, right-click Sites, and then click New Site.
3. In the New Object - Site dialog box, in the Name box, type Branch-Office-1.
4. In the Link Name list, click DEFAULTIPSITELINK, and then click OK.
5. In the Active Directory Domain Services dialog box, click OK.

Task 2 Configure the replication interval and schedule


1. In the console, expand Inter-Site Transports, expand IP, and then click IP.
2. In the results pane, in the list, right-click DEFAULTIPSITELINK, and then click Properties.
3. In the DEFAULTIPSITELINK Properties dialog box, in the Replicate every list, type 15, and then click Change Schedule.
4. In the Schedule for DEFAULTIPSITELINK dialog box, click Sunday, and then click Replication Not Available.
5. Click Cancel.
6. In the DEFAULTIPSITELINK Properties dialog box, click OK.
7. Close Active Directory Sites and Services.

Demonstration: Deploying an RODC


Task 1 Prepare the forest
1. On SEA-DC1, click Start, and then click Command Prompt.
2. At the Command Prompt, type E: and then press ENTER.
3. At the Command Prompt, type cd\5118\adprep, and then press ENTER.
4. At the Command Prompt, type adprep /rodcprep, and then press ENTER.
5. Close the Command Prompt.

Task 2 Promote the new domain controller


1. Switch to the SEA-SVR1 computer.
2. Log on to the SEA-SVR1 virtual machine as ADATUM\administrator with a password of Pa$$w0rd.
3. Click Start, and in the Start Search box, type dcpromo, and then press ENTER.
4. In the Active Directory Domain Services Installation Wizard, select the Use advanced mode installation check box, and then click Next.
5. On the Operating System Compatibility page, click Next.


6. On the Choose a Deployment Configuration page, click Existing forest, and then click Next.
7. On the Network Credentials page, click Next.
8. On the Select a Domain page, click Next.
9. On the Select a Site page, in the Sites list, click Branch-Office-1, and then click Next.
10. On the Additional Domain Controller Options page, select the Read-only domain controller (RODC) check box, and then click Next.

Note: Leave the other check boxes selected.

11. In the Static IP assignment dialog box, click Yes, the computer will use a dynamically assigned IP address (not recommended).
12. On the Specify the Password Replication Policy page, click Next.
13. On the Delegation of RODC Installation and Administration page, click Next.
14. On the Install from Media page, click Next.
15. On the Source Domain Controller page, click Next.
16. On the Location for Database, Log Files, and SYSVOL page, click Next.
17. On the Directory Services Restore Mode Administrator Password page, in the Password box, type Pa$$w0rd.
18. In the Confirm password box, type Pa$$w0rd, and then click Next.
19. On the Summary page, click Next.
20. In the Active Directory Domain Services Installation Wizard dialog box, select the Reboot on completion check box.

Task 3 Configure the password replication policy


1. When SEA-SVR1 has restarted, log on to the SEA-SVR1 virtual machine as ADATUM\administrator with a password of Pa$$w0rd.
2. Switch to the SEA-DC1 virtual machine.
3. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
4. In the console, expand Domain Controllers.
5. In the results pane, right-click SEA-SVR1, and then click Properties.
6. In the SEA-SVR1 Properties dialog box, click the Password Replication Policy tab.
7. Click Add, and in the Add Groups, Users and Computers dialog box, click Allow passwords for the account to replicate to this RODC, and then click OK.
8. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type SalesGG, click Check Names, and then click OK.
9. In the SEA-SVR1 Properties dialog box, click Apply, and then click Advanced.
10. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click the Resultant Policy tab.


11. Click Add, and in the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Joe, click Check Names, and then click OK.
12. Click Close.
13. In the SEA-SVR1 Properties dialog box, click OK.
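
The Resultant Policy check in the demonstration covers one account at a time. The following added example (not part of the course material) runs the same check for every privileged account against an RODC and also reports accounts whose passwords are already cached there. It assumes the ActiveDirectory PowerShell module (RSAT, or Windows Server 2008 R2 and later) and uses adminCount=1 as a heuristic for "sensitive or powerful"; the function name is hypothetical.

```powershell
# Added example, not from the course material.
# Assumption: the ActiveDirectory module is available and the caller can read the domain.
Import-Module ActiveDirectory

function Get-RodcPrivilegedExposure {
    param(
        [Parameter(Mandatory = $true)]
        [string]$RodcName   # for example SEA-SVR1, the RODC from the demonstration
    )

    # Accounts whose passwords are stored on the RODC right now.
    $revealed  = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
    $cachedDns = @($revealed | ForEach-Object { $_.DistinguishedName })

    # Heuristic: adminCount=1 marks current or former members of protected groups.
    # krbtgt accounts are skipped because the RODC legitimately holds its own krbtgt secret.
    $privileged = Get-ADUser -LDAPFilter '(adminCount=1)' |
        Where-Object { $_.SamAccountName -notlike 'krbtgt*' }

    foreach ($user in $privileged) {
        # Resultant policy is one of Allow, DenyExplicit, DenyImplicit or Unknown.
        $policy = Get-ADAccountResultantPasswordReplicationPolicy -Identity $user -DomainController $RodcName
        $cached = $cachedDns -contains $user.DistinguishedName

        # Report accounts that may be cached or already are.
        if ($cached -or ("$policy" -eq 'Allow')) {
            New-Object PSObject -Property @{
                Account         = $user.SamAccountName
                ResultantPolicy = "$policy"
                CachedOnRodc    = $cached
            } | Select-Object Account, ResultantPolicy, CachedOnRodc
        }
    }
}

$rodc = 'SEA-SVR1'

# The configured lists, for review next to the findings.
'Allowed list:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
'Denied list:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

'Privileged accounts that are cached or allowed to be cached:'
Get-RodcPrivilegedExposure -RodcName $rodc | Format-Table -AutoSize
```

An account reported with CachedOnRodc = True stays cached until its password is changed, so removing it from the Allowed list is not enough on its own.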


Module Reviews and Takeaways


Review questions
1. In a multidomain network, why is the global catalog server important?
Answer: It enables applications to query for information about Active Directory objects that are
homed in other domains without the need to query a domain controller from that domain. For
example, in Exchange Server, the Hub Transport server uses the global catalog to determine the
membership of distribution groups.

2. From a security perspective, what is the difference between implementing a forest with two trees,
and implementing two forests with forest trusts established between them?
Answer: In the dual tree configuration, there is a single forest-wide Enterprise Admins universal
security group; membership of this group enables you to perform administration in either tree. In
the dual forest configuration, there are two separate Enterprise Admins universal groups;
administration is quite separate.

3. Why would you implement shortcut trusts between domains?
Answer: Shortcut trusts are implemented between domains within a forest to expedite the logon
process. This is especially useful in multiple tree forests.

4. What domain functional level is required to support the redirection of the default Users and
Computers containers?
Answer: Windows Server 2003.

5. You are concerned about the reliability of using FRS to replicate the SYSVOL folder between
domain controllers. What domain functional level must you select in order to use DFS?
Answer: Windows Server 2008.

6. During the creation of a site object, with which other object must you associate it?
Answer: A site link.


Module 4
Planning for Group Policy
Contents:
Lesson 1: Planning Group Policy Application

Lesson 2: Planning Group Policy Processing

Lesson 3: Planning the Management of Group Policy Object

Lesson 4: Planning the Management of Client Computers

Module Reviews and Takeaways


Lesson 1

Planning Group Policy Application


Contents:
Detailed Demo Steps


Detailed Demo Steps


Demonstration: Reviewing and Modifying Group Policy Settings
To review or modify the settings in a GPO
1. On SEA-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Group Policy Management.
3. If necessary, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Default Domain Policy. Note that Default Domain Policy is linked here.
4. If a warning message is displayed, select the Do not show this message again check box, and then click OK.
5. Click the Settings tab, and then expand the setting under Computer Configuration. This shows only the settings that are configured.
6. Right-click Default Domain Policy, and then click Edit. The Group Policy Management Editor displays all settings whether they are configured or not.
7. Expand Policies and explain the types of settings that are in each category.
8. Expand Preferences and explain what preferences are.
9. Close all open windows.


Lesson 2

Planning Group Policy Processing


Contents:
Detailed Demo Steps


Detailed Demo Steps


Demonstration: Modifying Group Policy Processing
1. On SEA-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Group Policy Management.
3. If necessary, expand Adatum.com, and click Default Domain Policy.
4. Right-click Default Domain Policy to display the context menu. Note that this is where you can enforce the policy.
5. Right-click Adatum.com to display the context menu. Note that this is where you can block policy inheritance. In this case, it would block policy inheritance from sites.
6. Click Default Domain Policy, and then click the Scope tab. Note the security filtering area where the list of security principals is located. Authenticated Users is the default configuration for security filtering.
7. Click the WMI Filters container.
8. Right-click the WMI Filters container, and then click New.
9. In the Name box, type 1 GB RAM.
10. Click Add.
11. In the Query box, type Select * from Win32_LogicalMemoryConfiguration where TotalPhysicalMemory > 1024000, and then click OK.
12. In the New WMI Filter window, click Save.
13. Click Default Domain Policy, click the Scope tab, and then view the WMI Filtering drop down list. The new WMI filter is available.
14. Right-click Default Domain Policy, and click Edit.
15. Browse to Computer Configuration\Policies\Administrative Templates\System\Group Policy, and double-click User Group Policy loopback processing mode.
16. Click Enabled and display the two modes that are available.
17. Click Cancel and close all open windows.


Lesson 3

Planning the Management of Group Policy Object


Contents:
Question and Answers


Question and Answers


Discussion: Managing Group Policy
Question: Who is responsible for managing group policy in your organization?
Answer: Many smaller organizations will have users with Domain Admins membership responsible for
this. Ask whether delegation could be used by their organization. Larger organizations have often
delegated this task.
Question: Does your organization back up GPOs?
Answer: Many smaller organizations perform only a full backup. Larger organizations may have a
formal process for backing up group policy. Ensure that students understand why they would want to
back up GPOs separately.
Question: Does your organization have a need to standardize GPOs by using starter policies?
Answer: Most smaller organizations will have a limited number of GPOs and consequently no need
for starter GPOs. Larger organizations may use starter GPOs for different departments or locations.


Lesson 4

Planning the Management of Client Computers


Contents:
Detailed Demo Steps


Detailed Demo Steps


Demonstration: Using Group Policy Preferences
To configure group policy preferences:
1. On SEA-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Group Policy Management.
3. If necessary, expand Adatum.com, and then click Group Policy Objects.
4. Right-click Group Policy Objects, and then click New.
5. In the New GPO window, in the Name box, type Preferences, and then click OK.
6. Right-click Preferences, and then click Edit.
7. Under User Configuration, expand Preferences, expand Windows Settings, and then click Drive Maps.
8. Right-click Drive Maps, point to New, and then click Mapped Drive.
9. In the Location box, type \\SEA-DC1\ITData.
10. In the Drive Letter area, select J.
11. Click the Common tab, select the Item-level targeting check box, and then click Targeting.
12. Click New Item, and then click Organizational Unit.
13. Click the Browse button, click IT Admins, and then click OK.
14. In the Targeting Editor window, click OK.
15. In the New Drive Properties window, click OK.
16. Close all open windows.


Module Reviews and Takeaways


Review questions
1. What are some of the ways you can speed up group policy processing?
Answer: You can speed up group policy processing by limiting the number of GPOs that are
processed. Also, you should disable portions of a GPO that are not used. For example, disable the
user portion of a GPO that only contains computer settings.

2. How can you modify how group policy is processed and applied?
Answer: You can modify how group policy is processed and applied by using enforcement,
blocking inheritance, and by using loopback.

3. Is it possible to delegate group policy management for just an OU?
Answer: Yes, you can delegate the ability to create GPO links to a single OU. However, GPOs are
created in a separate container and granting permission to create GPOs will be for the entire
domain. If you need to tightly control GPO creation, the GPO can be created by a central
administrator and then permission to edit the GPO can be delegated.

Common issues related to a particular technology area in the module


Identify the causes for the following common issues related to a particular technology area in the module
and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue: A GPO is not being applied after creation
Troubleshooting tip: Run GPupdate.exe on the client to force GPOs to be updated. This avoids
the potential 90-minute refresh interval on non-domain controllers.

Issue: Group policy is not applying as expected
Troubleshooting tip: Use Group Policy Results in Group Policy Management to view the GPOs
that are being applied.

Issue: You are unsure how changes will affect group policy application
Troubleshooting tip: Use Group Policy Modeling in Group Policy Management to view the
results of potential changes to network speed, loopback processing, site,
security group membership, and WMI filters.

Real-world issues and scenarios


1. You have configured a kiosk with an application for controlling manufacturing equipment. You
would like all users on the kiosk to have the same configuration regardless of the organizational
unit that their user object resides in. How will you accomplish this?
Answer: You can use loopback processing to apply user settings from a GPO that applies to a
computer. In this case, the user settings in a GPO that applies to the kiosk computer object will
replace the user settings that apply to the user object.

2. In the past, you have created customized ADM templates and they were automatically included
with the GPO on SYSVOL. This allowed the GPO to be properly edited from any location. You
have now created a customized ADMX template and realize that it is stored locally. Others will
not be able to edit the GPO. How can you resolve this?


Answer: Create a central store for ADMX templates by using GPMC. Then place the customized
ADMX template in the central store. The central store is replicated to all domain controllers and
will be available for anyone editing the GPO.

3. Your organization has no formal plan in place for backing up GPOs. Only a full backup, including
system state, is being performed each day. How can you improve this?
Answer: It is very difficult to recover GPOs from the system state of a domain controller. You can
manually back up GPOs by using the GPMC. Or, you can schedule backups to run daily or weekly
by using the BackupAllGPOs.wsf script in C:\Program Files\GPMC\Scripts.

Best practices related to a particular technology area in this module


Supplement or modify the following best practices for your own work situations:

Use group policy to manage settings on computers rather than manually configuring each
computer.

Disable unnecessary parts of GPOs to increase processing speed.

Plan your Active Directory OU structure with group policy in mind.

Use security filtering and WMI filtering for more flexible GPO application.

Use loopback processing for special use computers such as kiosks and Terminal Servers.

Use starter GPOs to simplify the creation of new GPOs with similar settings.

Back up GPOs before modifying them.

Delegate the management of GPOs to OU administrators that are affected by them. For example,
delegate the management of GPOs for a region to an administrator for that region. This can
include linking and modifying the GPOs.

Redirect folders to a server to simplify recovery if a client computer fails.

Tools

Tool: Group Policy Management
Use for: Creating and managing GPOs
Where to find it: Administrative Tools

Tool: GPResult.exe
Use for: Troubleshooting GPO application
Where to find it: C:\Windows\System32

Tool: ADMX Migrator
Use for: Converts customized ADM templates to ADMX templates
Where to find it: http://go.microsoft.com/fwlink/?LinkID=164211&clcid=0x409

Tool: BackupAllGPOs.wsf
Use for: Script that can be used to create scheduled backups of GPOs
Where to find it: C:\Program Files\GPMC\Scripts


Module 5
Planning Application Servers
Contents:
Lesson 2: Supporting Web-Based Applications

Lesson 3: Supporting SQL Server Databases

Lesson 4: Deploying Client Applications

Module Reviews and Takeaways


Lesson 2

Supporting Web-Based Applications


Contents:
Detailed Demo Steps


Detailed Demo Steps


Demonstration: Configuring IIS
1. On SEA-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
3. In the left pane, expand SEA-DC1 and then expand Sites. Point out Application Pools and the Default Web site.
4. Click Default Web Site, and then in the Actions pane, click Bindings. Note that only http is used.
5. Click Close.
6. In the left pane, click SEA-DC1, and then double-click Server Certificates.
7. In the Actions pane, click Create Self-Signed Certificate.
8. In the Specify a friendly name for the certificate box, type SSL Cert, and then click OK.
9. Click Default Web Site and then in the Actions pane, click Bindings. Note that only http is used.
10. In the Site Bindings window, click Add.
11. In the Add Site Binding window, in the Type box, select https.
12. In the SSL Certificate box, select SSL Cert, and then click OK.
13. In the Site Bindings window, click Close.
14. In the left pane, click Application Pools. Note that only one application pool is created by default.
15. In the Actions pane, click Add Application Pool.
16. In the Name box, type Intranet, and then click OK.
17. In the Actions menu, click Advanced Settings. Note that the identity is NetworkService. This is the account used to run scripts in the application pool.
18. Click OK to close the window.
19. In the left pane, expand Default Web Site, right-click Intranet, and then click Convert to application.
20. In the Add Application window, click the Select button.
21. In the Select Application Pool window, in the Application pool box, select Intranet, and then click OK.
22. Click OK to add the application. Notice that the icon for the Intranet folder has changed.
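
The demonstration leaves the server with an http binding, an https binding backed by a self-signed certificate, and application pools running under a built-in identity. The following added example (not part of the course material) reports those three conditions across a server so they can be reviewed before a site goes into production. It assumes the WebAdministration PowerShell module (included with IIS 7.5, a separate download for IIS 7.0); the function names and the 30-day expiry threshold are hypothetical choices.

```powershell
# Added example, not from the course material.
# Assumption: the WebAdministration module is installed and the session is elevated.
Import-Module WebAdministration

function New-Finding([string]$Target, [string]$Finding, [string]$Detail) {
    New-Object PSObject -Property @{ Target = $Target; Finding = $Finding; Detail = $Detail } |
        Select-Object Target, Finding, Detail
}

function Get-IisPostureFindings {
    param([int]$ExpiryWarningDays = 30)

    # 1. Sites that offer no https binding at all.
    foreach ($site in Get-ChildItem IIS:\Sites) {
        $protocols = @($site.bindings.Collection | ForEach-Object { $_.protocol })
        if ($protocols -notcontains 'https') {
            New-Finding $site.Name 'Site has no https binding' ($protocols -join ', ')
        }
    }

    # 2. Certificates behind each SSL endpoint: missing, self-signed, or near expiry.
    foreach ($binding in Get-ChildItem IIS:\SslBindings) {
        $endpoint = '{0}:{1}' -f $binding.IPAddress, $binding.Port
        $certPath = 'Cert:\LocalMachine\{0}\{1}' -f $binding.Store, $binding.Thumbprint
        $cert = Get-Item -Path $certPath -ErrorAction SilentlyContinue

        if (-not $cert) {
            New-Finding $endpoint 'Bound certificate is missing from the store' $certPath
            continue
        }
        # Subject equal to Issuer means no CA vouches for the certificate,
        # so clients cannot validate the server's identity.
        if ($cert.Subject -eq $cert.Issuer) {
            New-Finding $endpoint 'Certificate is self-signed' $cert.Subject
        }
        if ($cert.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)) {
            New-Finding $endpoint 'Certificate expired or close to expiry' ($cert.NotAfter.ToString('u'))
        }
    }

    # 3. Application pools running with the highest built-in privilege.
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $identity = [string]$pool.processModel.identityType
        if ($identity -eq 'LocalSystem') {
            New-Finding $pool.Name 'Application pool runs as LocalSystem' $identity
        }
    }
}

Get-IisPostureFindings | Format-Table -AutoSize
```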


Lesson 3

Supporting SQL Server Databases


Contents:
Detailed Demo Steps


Detailed Demo Steps


Demonstration: SQL Server Management Tools
1. On SEA-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Click Start, point to All Programs, click Microsoft SQL Server 2008, and then click SQL Server Management Studio.
3. In the Connect to Server window, explain the options to the students. In particular, note that it is connecting to an instance named SQLEXPRESS.
4. Click Connect.
5. Click the View menu, and then click Object Explorer Details. This provides a view more like Windows Explorer.
6. In Object Explorer, expand Databases, and then click System Databases. These databases are used by SQL Server for internal tasks and are present on every SQL Server instance.
7. Right-click Databases, and then click Attach.
8. In the Attach Databases window, click the Add button.
9. Browse to D:\Labfiles\Mod05\AdventureWorksDB\AdventureWorksLT2008_Data.mdf, and then click OK.
10. In the Attach Databases window, click OK.
11. In Object Explorer, expand AdventureWorksLT2008, and then click Database Diagrams. A warning occurs indicating that the database owner is not valid.
12. Click OK to clear the error message.
13. Right-click AdventureWorksLT2008, click Properties, and then click Files.
14. In the Owner box, type Adatum\Administrator, and then click OK.
15. Click Database Diagrams, and then click Yes to create the necessary objects.
16. Right-click Database Diagrams, and then click New Database Diagram.
17. In the Add Table window, press the CTRL key and select all tables except for BuildVersion and ErrorLog, click Add, and then click Close.
18. Scroll through the diagram and explain that this shows how data is linked between the tables of the database.
19. Close the database diagram, and do not save the changes.
20. In Object Explorer, right-click SEA-DC1\SQLEXPRESS, click Properties, and then click Security. Note that Windows Authentication mode is being used.
21. Click Cancel.
22. In Object Explorer, expand Security, expand Logins, and then double-click Adatum\Administrator.
23. In the Login Properties - ADATUM\Administrator window, click Server Roles. Note that ADATUM\Administrator has sysadmin, which gives full system permissions.


24. Click User Mapping. Note that ADATUM\Administrator is mapped to the dbo user in the
AdventureWorksLT2008 database.
25. Click Cancel.
26. Under AdventureWorksLT2008, expand Security, and then click Users. Note that
ADATUM\Administrator is not listed but the dbo user is listed.
27. Double-click dbo. Notice that dbo is a member of the db_owner role, which provides full
administrative permissions.
28. Click Cancel.
29. Close all open windows.


Lesson 4

Deploying Client Applications


Contents:
Detailed Demo Steps


Detailed Demo Steps


Demonstration: Deploying an Application by Using Group Policy
1. On SEA-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Click Start, and then click Computer.
3. Browse to D:\Labfiles, right-click Mod05, and then click Share.
4. In the box, type Domain Users, click Add, and then click Share.
5. Click Done, and then close the Explorer window.
6. Click Start, point to Administrative Tools, and then click Group Policy Management.
7. Expand Forest: Adatum.com, expand Domains, expand Adatum.com and then click Group Policy Objects.
8. Right-click Group Policy Objects, and then click New.
9. In the New GPO window, in the Name box, type Applications, and then click OK.
10. Right-click Applications, and then click Edit.
11. Under User Configuration, expand Policies, expand Software Settings, and then click Software installation.
12. Right-click Software installation, point to New, and then click Package.
13. Browse to \\SEA-DC1\Mod05, click CalcPlus.msi, and then click Open.
14. In the Deploy Software window, click Assigned, and then click OK.
15. Right-click Microsoft Calculator Plus, and then click Properties.
16. On the Deployment tab, click Install this application at logon.
17. In the Installation user interface options area, click Basic, and then click OK.
18. Close the Group Policy Management Editor window.
19. Right-click Adatum.com and then click Link an Existing GPO.
20. Click Applications, and then click OK.
21. Close Group Policy Management.

Optionally, test the software delivery


1. Log on to SEA-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
2. Click Start, point to All Programs, click Microsoft Calculator Plus, and then click Microsoft Calculator Plus.
3. If the application does not appear, use gpupdate to refresh the Group Policy settings on SEA-CL1, log off, and then log on again.
4. Close Microsoft Calculator Plus.


Module Reviews and Takeaways


Review questions
1. How can you provide access to a client server application over the Internet and still have
acceptable performance?

2. Why do you need to consider transaction logs when planning backup and recovery for SQL
Server?

3. How can you isolate Web applications so that a programming error in one does not affect
another?

Common issues related to terminal server licensing


Identify the causes for the following common issues related to Terminal Server licensing and fill in the
troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue: A Windows Server 2008 Terminal Server stops allowing connections after 120 days.
Troubleshooting tip:

Issue: User CALs are not being consumed by a Terminal Server.
Troubleshooting tip:

Issue: Device CALs are not being consumed by a Terminal Server.
Troubleshooting tip:

Real-world issues and scenarios


1. A Web-based application is considered critical for your organization. How can you increase the
availability of this application?

2. Your organization does not have backup software with an agent for SQL Server. The agent for
SQL Server has been ordered, but will not arrive for several weeks. In the meantime, how can you
back up the SQL Server database without stopping the database?

3. Your organization has implemented a Web-based application. Authentication for this application
is based on Active Directory accounts. When users access the application, they are prompted for
credentials. How can you eliminate the prompt for credentials?

Best practices related to supporting traditional applications


Supplement or modify the following best practices for your own work situations:

Simplify user logons by integrating authentication with Active Directory when possible.

Use Terminal Services with RemoteApp to avoid the need to install a client application on each
computer.

Use Terminal Services to provide access to an application for roaming users or remote offices.

Understand the business impact of an application when planning maintenance.


Module 6
Planning File and Print Services
Contents:
Lesson 1: Planning and Deploying the File Services Role

Lesson 2: Managing Storage

Lesson 3: Planning and Implementing the Distributed File System


Module Reviews and Takeaways


Lesson 1

Planning and Deploying the File Services Role


Contents:
Question and Answers

Detailed Demo Steps

Additional Reading


Question and Answers


Considerations for EFS Backup Strategy
Question: What planning documentation is there in your organization for EFS? How can you ensure
that this documentation is updated and modified?
Answer: Answers will vary and depend on your organization's specific requirements, but
there should be a documented plan that outlines the drivers behind the backup and restore
strategy and the processes that are in place, as well as details of when and how that plan has been
and will be tested.

Demonstration: Deploying the File Services Role


Question: What other methods can you use for configuring a shared folder and securing it?
Answer: Answers will vary. You can use the command-line tool Net Share to create shared folders,
and in addition you can use the CACLS command to secure folders. You can also use the Share and
Storage Management snap-in.

Detailed Demo Steps


Demonstration: Deploying the File Services Role
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then
click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
7. Log on to 6430B-SEA-CL1 as ADATUM\Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Deploy the required server roles at the branch server


1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the navigation tree, click Roles.
4. In the results pane, under Roles Summary, click Add Roles.
5. In the Add Roles Wizard, on the Before You Begin page, click Next.
6. On the Select Server Roles page, in the Roles list, select both the File Services and Print
Services check boxes, and then click Next.
7. On the Print Services page, click Next.
8. On the Select Role Services page, click Next.
9. On the File Services page, click Next.

10. On the Select Role Services page, select the File Server Resource Manager check box, and
then click Next.
11. On the Configure Storage Usage Monitoring page, click Next.
12. On the Confirm Installation Selections page, click Install.
13. On the Installation Results page, click Close.
14. Close Server Manager.

Task 3: Create, secure, and share the Transport-data folder


1. Click Start, click Computer, and then double-click Local Disk (C:).
2. Click Organize, and then click New Folder.
3. Type Transport-data, and then press ENTER.
4. Right-click Transport-data, and then click Properties.
5. In the Transport-data Properties dialog box, on the Security tab, click Advanced.
6. In the Advanced Security Settings for Transport-data dialog box, click Edit, clear the Include
inheritable permissions from this object's parent check box, and then click Copy.
7. In the Advanced Security Settings for Transport-data dialog box, click OK.
8. Click OK again, and in the Transport-data Properties dialog box, click Edit.
9. In the Permissions for Transport-data dialog box, in the Group or user names list, click Users
(SEA-SVR1\Users), and then click Remove.

10. Click Add, and in the Select Users, Computers, or Groups dialog box, in the Enter the object
names to select (examples): box, type TransportGG, click Check Names, and then click OK.
11. In the Permissions for Transport-data dialog box, in the Permissions for TransportGG list,
select the Allow/Modify check box, and then click OK.
12. In the Transport-data Properties dialog box, click the Sharing tab.
13. Click Advanced Sharing, and in the Advanced Sharing dialog box, select the Share this folder
check box, and then click Permissions.
14. In the Permissions for Transport-data dialog box, select the Allow/Full Control check box,
and then click OK.
15. In the Advanced Sharing dialog box, click OK.
16. In the Transport-data Properties dialog box, click Close.
17. Close Windows Explorer.
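
The same folder setup done from the command line with the tools named in the Question and Answers section, followed by a check that the resulting NTFS ACL matches the demo. This is an added example, not part of the courseware; it uses icacls (the successor to CACLS) and assumes that the group resolves as ADATUM\TransportGG and that the share permission in step 14 is granted to Everyone.

```powershell
# Added example: command-line equivalent of Task 3, run in an elevated
# Windows PowerShell session on SEA-SVR1.
# Assumptions (not from the courseware): the group resolves as
# ADATUM\TransportGG, and the share permission is granted to Everyone.

$path  = 'C:\Transport-data'
$share = 'Transport-data'
$group = 'ADATUM\TransportGG'

function Invoke-Native {
    # Run an external tool and stop on a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe $Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Steps 1-3: create the folder.
if (-not (Test-Path $path)) { New-Item -Path $path -ItemType Directory | Out-Null }

# Steps 5-7: stop inheriting from C:\ but keep a copy of the inherited ACEs
# (the Copy button in the dialog box).
Invoke-Native icacls @($path, '/inheritance:d')

# Step 9: remove every entry for the local Users group.
Invoke-Native icacls @($path, '/remove', 'BUILTIN\Users')

# Steps 10-11: Allow/Modify for TransportGG on this folder, subfolders and files.
Invoke-Native icacls @($path, '/grant', "${group}:(OI)(CI)M")

# Steps 13-15: share the folder with Full Control at the share level.
Invoke-Native net @('share', "$share=$path", '/GRANT:Everyone,FULL')

function Test-TransportAcl {
    # Return a list of deviations from the ACL that Task 3 is meant to produce.
    param([string]$Path, [string]$Group)
    $acl    = Get-Acl -Path $Path
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $issues = @()

    if (-not $acl.AreAccessRulesProtected) {
        $issues += 'Inheritance from the parent is still enabled.'
    }

    $users = @($acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' })
    if ($users.Count -gt 0) {
        $issues += 'BUILTIN\Users still has an entry on the folder.'
    }

    $grant = @($acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object { ($_.FileSystemRights -band $modify) -eq $modify })
    if ($grant.Count -eq 0) {
        $issues += "$Group does not have Allow/Modify."
    }

    return $issues
}

$problems = @(Test-TransportAcl -Path $path -Group $group)
if ($problems.Count -eq 0) { 'NTFS ACL matches the demo.' } else { $problems }

# Show the share and its share-level permissions for the record.
net share $share
```

Access over the network is limited by both the share permissions and the NTFS permissions, so with Full Control at the share level it is the NTFS ACL that holds TransportGG to Modify. The entries copied in steps 5-7 (other than Users) remain on the folder and are worth reviewing in the icacls output.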

Additional Reading
Planning Encrypting File System (EFS)

Encrypting File System

Considerations for EFS Backup Strategy

For more information about EFS, see Data Encryption Toolkit for Mobile PCs.

For more information about planning for EFS, see the Plan Data Encryption section of Server
Deployment.

Lesson 2

Managing Storage
Contents:
Question and Answers

Detailed Demo Steps

Question and Answers


Demonstration: Using FSRM to Manage Storage
Question: How could you benefit from using quotas in your organization?
Answer: Answers will vary.
Question: How could you benefit from using file screens in your organization?
Answer: Answers will vary.

Detailed Demo Steps


Demonstration: Using FSRM to Manage Storage
Task 1: Configure quotas on the branch server
1. Switch to the SEA-SVR1 computer.
2. Click Start, point to Administrative Tools, and then click File Server Resource Manager.
3. In File Server Resource Manager (Local), expand Quota Management, and then click Quota
Templates.
4. Click Quotas, right-click Quotas, and then click Create Quota.
5. In the Create Quota dialog box, in the Quota path box, type C:\Transport-data.
6. Click Auto apply template and create quotas on existing and new subfolders.
7. Click Create.

Task 2: Configure a file screen for the branch server


1. In the navigation tree, expand File Screening Management, and then click File Screens.
2. Click File Screen Templates.
3. Click File Groups.
4. Click File Screens.
5. Right-click File Screens, and then click Create File Screen.
6. In the Create File Screen dialog box, in the File screen path box, type C:\Transport-data, and
in the list, click Monitor Executable and System Files. Then click Create.

Task 3: Configure FSRM options


1. In the navigation tree, right-click File Server Resource Manager (Local), and then click
Configure Options.
2. Scroll along the tabs, and then click the File Screen Audit tab.
3. Select the Record file screening activity in auditing database check box, and then click OK.

Lesson 3

Planning and Implementing the Distributed File System
Contents:
Additional Reading

Additional Reading
What Is DFS?

Distributed File System Technology Center

Overview of the Distributed File System Solution in Microsoft Windows Server 2003 R2

About Remote Differential Compression

Considerations for Planning DFS Replication

Distributed File System Replication: Frequently Asked Questions

Module Reviews and Takeaways


Review questions
1. Which File Services server role supports UNIX users?
Answer: Services for Network File System.

2. Why is using Public folder sharing inappropriate for many organizations?
Answer: It does not provide sufficient administrative control; for example, there are limited folder
permissions available.

3. Do you need to enable network discovery to be able to map network drives?
Answer: No. Network discovery enables users to browse the network for servers and shared
folders and other resources, but you can map a network drive at any time if you know its UNC
name.

4. What RAID configuration would you recommend to provide a good balance between fault
tolerance and performance for an organization on a tight budget?
Answer: Answers will vary, but RAID 5 might be suitable.

5. Why would you implement a soft quota limit?
Answer: For reporting purposes. Using soft quota limits enables you to record the storage
consumed by users without imposing a hard limit. This might be an approach to consider when
you first decide to implement quotas.

6. What notifications can you configure for when users approach their quota thresholds?
Answer: Send e-mail notifications; Log an event; Run a command or script; Generate storage
reports.

7. What is the benefit of using templates for file screens or quotas?
Answer: You can adjust the template and have it update the quotas based upon the template;
ongoing quota and file screen maintenance is consequently easier.

8. What are the primary benefits of a SAN over DAS?
Answer: Highly effective resource sharing; better storage utilization; hardware consolidation and
availability.

9. What is the primary advantage of a domain-based DFS namespace?
Answer: Fault tolerance of the namespace can be provided without the need to implement
clustering of the file services role.

10. How can fault tolerance of the content in a DFS namespace be provided?
Answer: By adding multiple namespace targets and configuring replication.

Module 7
Planning Server and Network Security
Contents:
Lesson 2: Planning for Windows Firewall with Advanced Security

Module Reviews and Takeaways

Lesson 2

Planning for Windows Firewall with Advanced Security
Contents:
Detailed Demo Steps

Detailed Demo Steps


Demonstration: Windows Firewall Rules Configuration Options
1. On SEA-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and click Windows Firewall with Advanced
Security.
3. Right-click Windows Firewall with Advanced Security to display the context menu. Describe
the Import Policy, Export Policy, and Restore Defaults options to students.
4. In the context menu, click Properties. Explain that this is where you can configure the default
option (block or allow) for inbound and outbound rules for each profile.
5. Click Cancel.
6. In the left pane, click Inbound Rules and then double-click the first rule in the list.
7. Click the Programs and Services tab. Explain that this tab is used to select specific programs
affected by this rule.
8. Click the Users and Computers tab. Explain that these options only apply when a connection
security rule provides user and computer information from IPsec authentication by using
Kerberos.
9. Click the Protocols and Port tab. Explain that this tab is used to configure specific ports and
protocol types affected by the rule.

10. Click the Scope tab. Explain that this tab is used to configure specific IP addresses that the rule
applies to.
11. Click the Advanced tab. Explain that this tab allows you to control which profiles the rule applies
to.
12. Click Cancel.
13. In the left pane, click Connection Security Rules, right-click Connection Security Rules, and
then click New Rule.
14. On the Rule Type page, click Server-to-server and then click Next.
15. On the Endpoint page, accept the default values of Any IP address and click Next. This creates
a rule that applies to all communication.
16. On the Requirements page, accept the default value of Request authentication for inbound
and outbound connections and then click Next. Note that this is the option you should select
during initial testing to prevent a server from becoming unavailable on the network.
17. On the Authentication Method page, click Advanced and then click Customize.
18. In the First authentication area, click Add.
19. In the First Authentication Method window, click Computer (Kerberos V5) and click OK.
20. Click OK and then click Next.
21. On the Profile page, click Next. This applies the rule to all profiles.
22. In the Name box, type Request authentication for all connections and then click Finish.
23. Close Windows Firewall with Advanced Security.
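
Steps 13 to 22 expressed with netsh advfirewall, together with the later change from requesting to requiring authentication that step 16 says to hold back during initial testing. This is an added example, not part of the courseware; the backup file path and the function names are assumptions.

```powershell
# Added example: run in an elevated Windows PowerShell session on SEA-DC1.
$ruleName = 'Request authentication for all connections'
$backup   = 'C:\fw-before-consec.wfw'   # assumed path, not from the courseware

# Keep a copy of the current policy first (the Export Policy option shown in
# step 3), so the change can be backed out with "netsh advfirewall import".
netsh advfirewall export $backup

# Steps 14-22: any endpoint to any endpoint, request (not require)
# authentication inbound and outbound, Computer (Kerberos V5), all profiles.
netsh advfirewall consec add rule name="$ruleName" endpoint1=any endpoint2=any action=requestinrequestout auth1=computerkerb profile=any
if ($LASTEXITCODE -ne 0) { throw 'The connection security rule was not created.' }

# Confirm what was stored.
netsh advfirewall consec show rule name="$ruleName"

# In request mode, traffic that cannot authenticate still flows unprotected.
# These two commands list the main-mode and quick-mode security associations,
# which shows which peers are actually negotiating IPsec.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

function Set-RequireInbound {
    # Tighten the rule once testing in request mode is complete: inbound
    # connections must then authenticate, outbound ones still only request it.
    param([string]$Name)
    netsh advfirewall consec set rule name="$Name" new action=requireinrequestout
    if ($LASTEXITCODE -ne 0) { throw "Could not update rule '$Name'." }
}

function Undo-ConsecChange {
    # Back out by restoring the policy exported before the rule was added.
    param([string]$PolicyFile)
    netsh advfirewall import $PolicyFile
    if ($LASTEXITCODE -ne 0) { throw "Could not import '$PolicyFile'." }
}

# Call only after the security associations above show the expected peers:
# Set-RequireInbound -Name $ruleName
# Undo-ConsecChange -PolicyFile $backup
```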

Module Reviews and Takeaways


Review questions
1. How does Defense-in-Depth help you identify and mitigate risks?
2. What is the default configuration for outbound rules in Windows Firewall?
3. How can you identify when viruses or malware have infected a computer?
4. How does UAC prevent viruses and malware from infecting a computer?
5. Which type of IPsec authentication is required to configure firewall rules based on users and
computers?

Common issues related to remote access


Identify the causes for the following common issues related to remote access and fill in the
troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue | Troubleshooting Tip
A VPN connection is blocked by a hotel firewall |
A specific user is unable to log on even though he or she is a member of a group that is allowed access |
Troubleshooting is difficult because logs are located separately on each VPN server |
Configuration is time-consuming because network policies must be created on each VPN server |

Real-world issues and scenarios


1. You have recently created a standardized list of firewall rules that you want to apply to all
Windows Vista computers in your organization. What is the best way to do this?

2. You have recently migrated your servers to Windows Server 2008. After the migration,
administrators are being prompted for permission each time they run an administrative tool on
the server. A colleague suggests that this functionality be disabled because it is annoying. How
do you respond?

3. Your organization has recently had a security breach on a Web-based application server. In
addition to analyzing how this problem occurred, you need to evaluate security overall for this
server. What areas do you need to consider as you identify risks to this server?

4. Your organization has recently reviewed NAP as a potential method for preventing malware from
entering the network. Based on the initial evaluation, your manager has asked you to identify the
type of NAP enforcement that would be most appropriate for your organization. Your
organization would like to begin with the simplest implementation possible for internal users.
What type of NAP enforcement should you use?

Best practices related to planning protection against viruses and malware

Supplement or modify the following best practices for your own work situations:

Use real-time protection to prevent viruses and malware from infecting a computer. Scheduled
scans find malware only after it is already on the computer.

Use scheduled scans to find malware missed by real-time scanning because the signature files did
not include the malware at the time of infection.

Use antivirus software that can be centrally managed.

Update antivirus definitions at least once per day.

Use quarantine instead of removal for infected files.

Do not disable UAC, particularly for administrators. Disabling UAC also disables Protected Mode
in Internet Explorer.

Module 8
Planning Server Administration
Contents:
Lesson 1: Selecting the Appropriate Administration Tool

Lesson 2: Planning Server Core Administration

Lesson 3: Delegating Administration

Module Reviews and Takeaways

Lesson 1

Selecting the Appropriate Administration Tool


Contents:
Question and Answers

Detailed Demo Steps

Question and Answers


Demonstration: Administering a Server from the Command Line
Question: How would you accomplish the task of updating users' office location by using Active
Directory Users and Computers, for example, if all users with a specific office location of London
were moving to Windsor?
Answer: Answers will vary, but might include creating a Saved Query in Active Directory Users and
Computers; the query would search for the appropriate users. You could then select all the users in
the search result and update the office property.

Detailed Demo Steps


Demonstration: Administering a Server from the Command Line
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then
click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Use Netsh to configure network settings


1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Command Prompt.
3. At the Command Prompt, type Netsh interface ipv4 set address name="Local Area
Connection" source=static address=10.10.0.100 mask=255.255.0.0 gateway=10.10.0.10 1,
and then press ENTER.
4. At the Command Prompt, type Netsh interface ipv4 set dns name="Local Area Connection"
source=static address=10.10.0.10 primary, and then press ENTER.

Task 3: Use Netdom to perform administration tasks


1. At the Command Prompt, type netdom query workstation, and then press ENTER.
2. At the Command Prompt, type netdom query pdc, and then press ENTER.
3. At the Command Prompt, type netdom query ou, and then press ENTER.

Task 4: Use winrs


1. At the Command Prompt, type winrs -r:sea-dc1 ipconfig, and then press ENTER.
2. Switch to the SEA-DC1 computer.
3. Click Start, and then click Command Prompt.
4. At the Command Prompt, type winrm quickconfig, and then press ENTER.
5. At the Command Prompt, type y, and then press ENTER.
6. Switch to the SEA-SVR1 computer.
7. At the Command Prompt, type winrs -r:sea-dc1 ipconfig, and then press ENTER.

Task 5: Install Windows PowerShell


1. Click Start, and then click Server Manager.
2. In Server Manager, in the navigation tree, click Features.
3. In the results pane, under Features Summary, click Add Features.
4. In the Add Features Wizard, on the Select Features page, select the Windows PowerShell
check box, and then click Next.
5. On the Confirm Installation Selections page, click Install, and then when prompted, click
Close.
6. Close Server Manager.

Task 6: Navigation with Windows PowerShell


1. Click Start, point to All Programs, click Windows PowerShell 1.0, and then click Windows
PowerShell.
2. At the Windows PowerShell Command Prompt, type cd cert:, and then press ENTER.
3. At the Windows PowerShell Command Prompt, type dir, and then press ENTER.
4. At the Windows PowerShell Command Prompt, type cd hklm:, and then press ENTER.
5. At the Windows PowerShell Command Prompt, type dir, and then press ENTER.
6. At the Windows PowerShell Command Prompt, type cd c:, and then press ENTER.

Task 7: PowerShell Functions


1. At the Windows PowerShell Command Prompt, type get-command, and then press ENTER.
2. At the Windows PowerShell Command Prompt, type function commands {get-command}, and
then press ENTER.
3. At the Windows PowerShell Command Prompt, type commands, and then press ENTER.

Task 8: Using PowerShell Scripts


1. At the Windows PowerShell Command Prompt, type notepad test.ps1, and then press ENTER.
2. In the Notepad dialog box, click Yes.
3. In Notepad, type get-command.
4. Click File, click Save, and then close Notepad.
5. At the Windows PowerShell Command Prompt, type test.ps1, and then press ENTER.
6. At the Windows PowerShell Command Prompt, type ./test.ps1, and then press ENTER.
7. At the Windows PowerShell Command Prompt, type get-executionpolicy, and then press
ENTER.
8. At the Windows PowerShell Command Prompt, type set-executionpolicy remotesigned, and
then press ENTER.
9. At the Windows PowerShell Command Prompt, type ./test.ps1, and then press ENTER.

Task 9: Formatting output


1. At the Windows PowerShell Command Prompt, type get-service, and then press ENTER.
2. At the Windows PowerShell Command Prompt, type get-service | ft status,name, and then
press ENTER.
3. At the Windows PowerShell Command Prompt, type get-service | select-object name, and then
press ENTER.
4. At the Windows PowerShell Command Prompt, type get-service | where-object {$_.status -eq
"running"}, and then press ENTER.
5. At the Windows PowerShell Command Prompt, type get-service | where-object {$_.status -eq
"running"} | ft displayname, and then press ENTER.
6. At the Windows PowerShell Command Prompt, type exit, and then press ENTER.

Task 10: Using the DS tools


1. Switch to the SEA-DC1 computer.
2. At the Command Prompt, type dsquery user -name s*, and then press ENTER.
3. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
4. In Active Directory Users and Computers, click Research.
5. In the results pane, double-click Suroor Fatima.
6. Click Cancel.
7. Switch to the command prompt.
8. At the Command Prompt, type dsquery user -name s* | dsmod user -office Redmond,
and then press ENTER.
9. Switch to Active Directory Users and Computers, and in the results pane, double-click Suroor
Fatima.
10. Click Cancel.
11. Close Active Directory Users and Computers.

Lesson 2

Planning Server Core Administration


Contents:
Question and Answers

Question and Answers


Discussion: When to Deploy Server Core
Question: A number of Windows PowerShell scripts have been developed in order to make changes
to an application that is to be installed on one branch server. Is Server Core suitable?
Answer: No, Server Core does not support Windows PowerShell.
Question: Could this role be supported by a Server Core deployment?
Answer: Yes, AD DS is supported by Server Core.
Question: It is important that data about the servers be collected by Contoso's third-party SNMP
management information system. Does this preclude the use of Server Core?
Answer: No, Server Core supports the SNMP feature.
Question: What do you propose as a server solution for Northwind Traders? Include the roles and
features required to support your proposal.
Answer: Deploy Server Core with the following roles: AD DS, DHCP, DNS, File Services, and Print
Services. Install the following feature: BitLocker Drive Encryption.

Lesson 3

Delegating Administration
Contents:
Question and Answers

Detailed Demo Steps

Question and Answers


Demonstration: Delegating Administrative Tasks
Question: Would you recommend delegating common tasks directly to user accounts? Why or why
not?
Answer: No, the best practice would be to delegate to a group of which an appropriate user is a
member. That way, if the user's job role changes, they can be removed from the group without the
need to change all the delegated permissions.

Detailed Demo Steps


Demonstration: Delegating Administrative Tasks
Task 1: Delegate by using group membership
1. Switch to the SEA-SVR1 computer.
2. Click Start, right-click Computer, and then click Manage.
3. In Server Manager, in the navigation tree, expand Configuration, expand Local Users and
Groups, and then click Groups.
4. In the Groups list, double-click Power Users.
5. In the Power Users Properties dialog box, click Add, and in the Select Users, Computers, or
Groups dialog box, in the Enter the object names to select (examples) box, type Josh, click
Check Names, and then click OK.
6. In the Power Users Properties dialog box, click OK.

Task 2: Delegate common tasks within Active Directory


1. Switch to the SEA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and
Computers.
3. In Active Directory Users and Computers, click the Sales organizational unit.
4. Right-click Sales, and then click Delegate Control.
5. In the Delegation of Control Wizard, click Next.
6. On the Users or Groups page, click Add.
7. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select
(examples) box, type Josh, click Check Names, and then click OK.
8. On the Users or Groups page, click Next.
9. On the Tasks to Delegate page, in the Delegate the following common tasks list, select the
following check boxes, and then click Next:
   Create, delete, and manage user accounts
   Reset user passwords and force password change at next logon
   Read all user information

10. On the Completing the Delegation of Control Wizard page, click Finish.

Task 3: View and modify Active Directory object permissions directly


1. In Active Directory Users and Computers, click View, and then click Advanced Features.
2. Right-click Sales, and then click Properties.
3. In the Sales Properties dialog box, click the Security tab, and then click Advanced.
4. In the Advanced Security Settings for Sales dialog box, click Add.
5. In the Select User, Computer, or Group dialog box, in the Enter the object name to select
(examples) box, type Josh, click Check Names, and then click OK.
6. In the Permission Entry for Sales dialog box, in the Permissions list, select the following check
boxes, and then click OK:
   Create Computer objects/Allow
   Delete Computer objects/Allow
7. In the Advanced Security Settings for Sales dialog box, click Add.
8. In the Select User, Computer, or Group dialog box, in the Enter the object name to select
(examples) box, type Josh, click Check Names, and then click OK.
9. In the Permission Entry for Sales dialog box, in the Apply to list, click Descendant Computer
objects.

10. In the Permissions list, click Full control/Allow, and then click OK.
11. In the Advanced Security Settings for Sales dialog box, click OK.
12. In the Sales Properties dialog box, click OK.

Task 4: Test the delegated permissions


1. Switch to the SEA-SVR1 computer.
2. Log off, and then log on as ADATUM\Josh with the password Pa$$w0rd.
3. Click Start, and then click Server Manager.
4. In the User Account Control dialog box, in the User name box, type administrator.
5. In the Password box, type Pa$$w0rd, and then click OK.
6. In Server Manager, click Features, and then in the results pane, click Add Features.
7. In the Add Features Wizard, on the Select Features page, expand Remote Server
Administration Tools.
8. Expand Role Administration Tools, and then select the Active Directory Domain Services
Tools check box.
9. Click Next, and then click Install.

10. Click Close, and in the Add Features Wizard, click Yes.
11. Log on as ADATUM\Josh with the password Pa$$w0rd.
12. Click Start, point to Administrative Tools, and then click Active Directory Users and
Computers.
13. In the User Account Control dialog box, in the Password box, type Pa$$w0rd, and then click
OK.
14. In Active Directory Users and Computers, expand Adatum.com, and then click the Sales
organizational unit.
15. In the results pane, double-click Tom Higginbotham.
16. Click Cancel, right-click Sales, click New, and then click User.
17. In the New Object - User dialog box, click Cancel.
18. In the navigation tree, click Research.
19. In the results pane, double-click Suroor Fatima.
20. Click Cancel.
21. Right-click Research. There is no option to click New.
22. Close Active Directory Users and Computers.
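
The Question and Answers section recommends delegating to groups, while the demo grants rights directly to Josh. The added example below, which is not part of the courseware, lists the explicit (non-inherited) Allow entries on an OU and flags those whose trustee is a user account; the distinguished name OU=Sales,DC=Adatum,DC=com is inferred from the demo and is an assumption, as are the function names.

```powershell
# Added example: run on a domain-joined computer as an account that can read
# the OU's security descriptor. Uses .NET classes only, so it also works in
# Windows PowerShell 1.0.

$ouDn = 'OU=Sales,DC=Adatum,DC=com'   # assumption, inferred from the demo

# Well-known schema and extended-right GUIDs that the delegation in
# Tasks 2 and 3 is expected to reference.
$knownGuids = @{
    '00000000-0000-0000-0000-000000000000' = 'all'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer (class)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
}

function Get-GuidName {
    # Translate a GUID to a friendly name when it is in the table above.
    param([System.Guid]$Guid)
    $key = $Guid.ToString()
    if ($knownGuids.ContainsKey($key)) { $knownGuids[$key] } else { $key }
}

function Get-ExplicitOuAce {
    # Return the ACEs set directly on the OU (inherited ones are skipped).
    param([string]$OuDn)
    $ou = [ADSI]"LDAP://$OuDn"
    $ntAccount = [System.Security.Principal.NTAccount]
    # Arguments: includeExplicit = $true, includeInherited = $false
    $ou.psbase.ObjectSecurity.GetAccessRules($true, $false, $ntAccount)
}

function Test-IsUserAccount {
    # True when DOMAIN\name resolves to a user object rather than a group
    # or a built-in principal.
    param([string]$Account)
    $sam = $Account.Split('\')[-1]
    # Escape characters that are special in an LDAP filter.
    $sam = $sam.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    return ($searcher.FindOne() -ne $null)
}

Get-ExplicitOuAce -OuDn $ouDn |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object @{Name = 'Trustee';         Expression = { $_.IdentityReference.Value }},
                  @{Name = 'Rights';          Expression = { $_.ActiveDirectoryRights }},
                  @{Name = 'Object';          Expression = { Get-GuidName $_.ObjectType }},
                  @{Name = 'AppliesTo';       Expression = { Get-GuidName $_.InheritedObjectType }},
                  @{Name = 'Scope';           Expression = { $_.InheritanceType }},
                  @{Name = 'DirectUserGrant'; Expression = { Test-IsUserAccount $_.IdentityReference.Value }} |
    Sort-Object DirectUserGrant -Descending |
    Format-Table -AutoSize -Wrap
```

Run against the Sales OU after Tasks 2 and 3, the entries for ADATUM\Josh are the ones expected to show DirectUserGrant as True; moving them to a group, as the answer above recommends, clears the flag.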

Module Reviews and Takeaways


Review questions
Question: Which administrative tool(s) could you use to add server roles?
Answer: Server Manager, the Initial Configuration Tasks wizard, ServerManagerCmd.exe, and Ocsetup.exe.
Question: Which command-line tool(s) enables you to import objects into the Active Directory directory
service?
Answer: LDIFDE and CSVDE.
Question: You have enabled Remote Desktop Connections on a server in your corporate network and yet
you are unable to access that server remotely. What possible reasons for this failure could there be?
Answer: You have the wrong security credentials; your account has not been granted Remote Desktop
access; the firewall between you and the server prevents TCP port 3389 (used for RDP connections); you
have specified the incorrect server name or IP address during the connection attempt; your Remote
Desktop Connection client is incapable of supporting Network Level Authentication, and perhaps that is
a requirement for the server.
Question: There is no need to configure Windows Firewall on Server Core because it is disabled by
default, and Group Policy settings can be used to configure the firewall. True or false?
Answer: False. The firewall is enabled by default and must be configured to enable remote management.
Question: Automatic updates are enabled on Server Core by using the Netsh Updates context. True or
False?
Answer: False. The scregedit.wsf command is used: Cscript c:\windows\system32\scregedit.wsf /AU 4

Module 9
Planning and Implementing Monitoring and
Maintenance
Contents:
Lesson 1: Planning Monitoring Tasks

Lesson 2: Calculating a Server Baseline

Lesson 3: Tools for Monitoring Server Performance

Module Reviews and Takeaways

Lesson 1

Planning Monitoring Tasks


Contents:
Additional Reading

Additional Reading
Planning for Event Monitoring

For more information about SCOM 2007, see the Microsoft System Center Operations Manager
Web site.

For more information about the Dynamic Systems Initiative, see Dynamic Systems Initiative
Overview White Paper on the Microsoft Web site.

Lesson 2

Calculating a Server Baseline


Contents:
Additional Reading

Additional Reading
Common Performance Metrics
For more information about common performance metrics, see Performance Tuning Guidelines for
Windows Server 2008 on the Windows Hardware Developer Central Web site.

Lesson 3

Tools for Monitoring Server Performance


Contents:
Additional Reading

Additional Reading
Windows Server 2008 Monitoring Tools
For more information about SCOM 2007, see the white paper Introducing Microsoft System Center
Operations Manager 2007 on the Microsoft Download Center Web site.

Module Reviews and Takeaways


Review questions
1. What are the benefits of monitoring server performance?
Answer:
Capacity planning
Identifying and removing performance bottlenecks
Improving server troubleshooting

2. What are some of the tasks that you should undertake when you create a performance baseline for a
server?
Answer:
Use WSRM to create a data collector set.
Use WSRM to identify when server capacity is high and low.
Ensure that the server is working under normal operating conditions.

3. What are the advantages of using a range of monitoring tools?
Answer:
It is possible to collect data in real time
You can use historical data analysis to identify performance trends
Various Windows events can be consolidated by using tools such as SCOM 2007.

4. What are the advantages of measuring specific performance counters?
Answer:
Troubleshooting specific server issues
Identifying malfunctioning hardware
Identifying software application issues

5. What are the advantages of using alerts to identify performance issues?
Answer:
Administrators can react quickly to problems.
WSRM can make use of WMI to alert administrators.
WSRM can start a data collector set on an alert.

Module 10
Planning High Availability and Disaster Recovery
Contents:
Lesson 1: Choosing a High-Availability Solution

Lesson 2: Planning a Backup and Restore Strategy

Module Reviews and Takeaways

Lesson 1

Choosing a High-Availability Solution


Contents:
Additional Reading

Additional Reading
What Is Failover Clustering?
For more information on failover clusters, see Windows Server 2008 Technical Library.

Failover Cluster Requirements


For more information about iSCSI, see the iSCSI FAQ on the Microsoft Web site.
For information about hardware compatibility for Windows Server 2008, see the Windows Server catalog.
For information about the maximum number of servers that you can have in a failover cluster, see the
Edition Comparison by Technical Specification page of the Windows Server 2008 Web site.


Lesson 2

Planning a Backup and Restore Strategy


Contents:
Question and Answers

Additional Reading


Question and Answers


Discussion: Backup Considerations
Question: To whom should you restrict backup operations?
Answer: A group with members trusted to be able to log on interactively at a server. The built-in
Backup Operators local group has already been assigned the necessary privileges to perform these
operations. Either add users directly to the group, or else use a global group that contains the
designated users, and add it to the Backup Operators local group.
Question: Why is using the Shadow Copies facility not a replacement for formal backups?
Answer: Answers will vary, but include that shadow copies are only available for NTFS volumes; on
single volume servers, the disk is a single point of failure for all data and all shadow copies; burst I/O
can result in the loss of shadow copies.
Question: What are the disadvantages of tape media?
Answer: Tapes wear out; the data is accessed in a linear way, which can slow restoration operations;
tapes are generally slower than other media.
Question: How frequently should you back up critical data?
Answer: It depends on how often it changes; if the data is static, there is little point in performing
daily backups. If the data changes, you must consider how much data you could afford to lose, and
that should be the interval between backups. If you cannot afford to lose any data, you must look to
data solutions that support online replication; in these scenarios, multiple copies of the data are
synchronized.


Additional Reading
Shadow Copy Considerations

For more information on restoring a previous version of a file or folder, see Windows Server 2008
Help Topic: How do I restore a previous version of a file or folder?

For more information on best practices for shadow copies of shared folders, see Best Practices
for Shadow Copies of Shared Folders.


Module Reviews and Takeaways


Review questions

1. You plan to deploy a Web farm. You want to provide a fault tolerant front end for client computers
connecting from the Internet. Which would be the most suitable technology?
Answer: Network Load Balancing. This provides for load balancing and high availability of front-end
services. To provide high availability of the back end, consider using failover clustering.

2. You want to implement a RAID solution that provides good read performance and reasonable fault
tolerance; however, lower cost is a factor. Which RAID standard(s) would be suitable?
Answer: RAID 5 probably provides the best balance between cost and fault tolerance. It also provides
for reasonable read operations.

3. Which editions of Windows Server 2008 support the failover clustering feature?
Answer: Enterprise Edition and Datacenter Edition.

4. Where do you store shared folders that are part of a File Server cluster?
Answer: On a shared storage device such as an iSCSI SAN.

5. Shadow copies work on the principle of providing incremental copies of configured volumes at the
block level. True or False?
Answer: False. They provide differential copies.

Module 11
Planning Virtualization
Contents:
Module Reviews and Takeaways


Module Reviews and Takeaways


Review questions

1. What is the difference between a microkernelized hypervisor and a monolithic hypervisor?

2. What are the benefits of using virtualization for server consolidation?

3. How does VMM simplify the provisioning of new servers?

4. Where are the virtual disks stored when a host cluster is implemented?

Common issues related to virtual machine performance


Identify the causes for the following common issues related to virtual machine performance and fill in the
troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue                                   Troubleshooting tip
Insufficient disk performance
Insufficient processing performance
Insufficient network performance

Real-world issues and scenarios


1. You are an IT architect at a large insurance provider with seven physical locations, 12,000 users,
and 220 servers. Your organization wants to use server virtualization to reduce management and
hardware costs by combining existing servers on new hardware. What criteria will you use when
you select servers for consolidation?

2. You are an IT architect at a large insurance provider. You have migrated many important
applications to VMs and want to increase the availability of those VMs. How can availability of
VMs be increased when you use Hyper-V?

3. You are the manager responsible for controlling the process that is used for testing new
application updates and releases at a large insurance provider. In the past, you have maintained
development, test, and production servers for all applications. This resulted in hundreds of servers
being stored in the data center. How can you use Hyper-V to reduce hardware costs for
development and testing?

Best practices related to selecting virtualization candidates


Supplement or modify the following best practices for your own work situations:

Select candidates with low CPU utilization.

Select candidates with low memory utilization.

For initial conversion, select low-impact servers.

Select candidates with older hardware.

Use VMM reporting to locate virtualization candidates.

Resources
Contents:
Microsoft Learning


Microsoft Learning
This section describes various Microsoft Learning programs and offerings.

Microsoft Skills Assessments


Describes the skills assessment options available through Microsoft.

Microsoft Learning
Describes the training options available through Microsoft, face-to-face or self-paced.

Microsoft Certification Program


Details how to become a Microsoft Certified Professional, Microsoft Certified Database
Administrator, and more.

Microsoft Learning Support

To provide comments or feedback about the course, send e-mail to support@mscourseware.com.

To ask about the Microsoft Certification Program (MCP), send e-mail to mcphelp@microsoft.com.


Send Us Your Feedback


You can search the Microsoft Knowledge Base for known issues at Microsoft Help and Support before
submitting feedback. Search using either the course number and revision, or the course title.

Note: Not all training products will have a Knowledge Base article. If that is the case, please ask your
instructor whether or not there are existing error log entries.

Courseware Feedback
Send all courseware feedback to support@mscourseware.com. We truly appreciate your time and effort.
We review every e-mail received and forward the information on to the appropriate team. Unfortunately,
because of volume, we are unable to provide a response but we may use your feedback to improve your
future experience with Microsoft Learning products.

Reporting Errors
When providing feedback, include the training product name and number in the subject line of your e-mail. When you provide comments or report bugs, please include the following:

Document or CD part number

Page number or location

Complete description of the error or suggested change

Please provide any details that are necessary to help us verify the issue.

Important: All errors and suggestions are evaluated, but only those that are validated are added to the
product Knowledge Base article.
