20411b-question and answers

8/10/2019 20411B-Question and Answers http://slidepdf.com/reader/full/20411b-question-and-answers 1/153 OFFICIAL MICROSOFT LEARNING PRODUCT 20411B Administering Windows Server ®  2012

Upload: sahibdadashev

Post on 02-Jun-2018


OFFICIAL MICROSOFT LEARNING PRODUCT

20411B

Administering Windows Server® 2012


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2012 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20411B

Released: 12/2012


MICROSOFT LICENSE TERMS

MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which includes the media on which you received it, if any. These license terms also apply to Trainer Content and any updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, or such other entity as Microsoft may designate from time to time.

b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft Instructor-Led Courseware or Trainer Content.

f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program.

g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy Program.

i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network program in good standing that currently holds the Learning Competency status.

j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft Official Course that educates IT professionals and developers on Microsoft technologies.

k. “MPN Member” means an active silver or gold-level Microsoft Partner Network program member in good standing.


l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.

m. “Private Training Session” means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.

n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content.

2.1 Below are five separate sets of use rights. Only one set of rights apply to you.

a. If you are a Microsoft IT Academy Program Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User who is enrolled in the Authorized Training Session, and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or

2. provide one (1) End User with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,

provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,

v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,


vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Authorized Training Sessions,

viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training Session that uses a MOC title, and

ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Authorized Training Session and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware provided, or

2. provide one (1) End User attending the Authorized Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. you will provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,

provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure that each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,

v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,

vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training Sessions,

viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,

ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and

x. you will only provide access to the Trainer Content to Trainers.


c. If you are a MPN Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Private Training Session, and only immediately prior to the commencement of the Private Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or

2. provide one (1) End User who is attending the Private Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique redemption code and instructions on how they can access one (1) Trainer Content,

provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure that each End User attending an Private Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,

v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Private Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Private Training Session,

vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training Sessions,

viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Private Training Sessions using MOC,

ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and

x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:

For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer.

i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized Training Session or Private Training Session, and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not install or use a copy of the Trainer Content on a device you do not own or control. You may also print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training Session or Private Training Session.


ii. You may customize the written portions of the Trainer Content that are logically associated with instruction of a training session in accordance with the most recent version of the MCT agreement. If you elect to exercise the foregoing rights, you agree to comply with the following: (i) customizations may only be used for teaching Authorized Training Sessions and Private Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of “customize” refers only to changing the order of slides and content, and/or not using all the slides or content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not separate their components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.

2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or services. These license terms will apply to your use of those third party programs or services, unless other terms accompany those programs and services.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to your use of that respective component and supplements the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of the Microsoft technology. The technology may not work the way a final version of the technology will and we may change the technology for the final version. We also may not release a final version. Licensed Content based on the final version of the technology may not contain the same information as the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software, technologies, or products to third parties because we include your feedback in them. These rights survive this agreement.

c. Pre-release Term. If you are an Microsoft IT Academy Program Member, Microsoft Learning Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”). Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.


4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:

•  access or allow any individual to access the Licensed Content if they have not acquired a valid license for the Licensed Content,

•  alter, remove or obscure any copyright or other protective notices (including watermarks), branding or identifications contained in the Licensed Content,

•  modify or create a derivative work of any Licensed Content,

•  publicly display, or make the Licensed Content available for others to access or use,

•  copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or distribute the Licensed Content to any third party,

•  work around any technical limitations in the Licensed Content, or

•  reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon termination of this agreement for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.


b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to

•  anything related to the Licensed Content, services, content (including code) on third party Internet sites or third-party programs; and

•  claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

DISCLAIMER OF WARRANTY. The Licensed Content is offered “as is”. Any use of this Licensed Content is at your sole risk. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from Microsoft and its suppliers only direct damages up to US$5.00. You cannot recover any other damages, including special, indirect or incidental damages and lost profits.

This limitation applies to:

•  anything related to the Licensed Content, services or content (including code) on third-party Internet sites or in third-party programs; and

•  claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the extent permitted by applicable law.


It also applies even if Microsoft knew or should have known about the possibility of such damages. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any kind, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change your rights under the laws of your country if those laws do not permit it to do so.

Revised September 2012


Module 1

Deploying and Maintaining Server Images

Contents:

Lesson 1: Overview of Windows Deployment Services

Lesson 2: Implementing Deployment with Windows Deployment Services

Lesson 3: Administering Windows Deployment Services

Module Review and Takeaways


Lesson 1

Overview of Windows Deployment Services

Contents:

Question and Answers


Question and Answers

Windows Deployment Services Components

Question: What is the advantage of multicasting as opposed to unicasting in volume deployment scenarios?

Answer: With multicasting, network traffic is managed more effectively.

Discussion: How to Use Windows Deployment Services

Question: The A. Datum Corporation IT staff is about to deploy Windows Server 2012 to various branch offices. The following information has been provided to the IT staff by management:

•  The configuration of the various branch office servers is expected to be fairly consistent.

•  There is no requirement to upgrade settings from existing servers, as these are new branch offices with no current IT infrastructure in place.

•  Automation of the deployment process is important, as there are many servers to deploy.

How would you use Windows Deployment Services to aid deployment?

Answer: Answers may vary, but important points to consider are to:

•  Use answer files to automate the image selection process during deployment.

•  Use answer files to automate the responses during setup, including domain-joining.

•  Create a custom image using the steps provided in the preceding topic.

•  Capture the image and upload to Windows Deployment Services.

•  Configure Windows Deployment Services to use custom naming.

•  Configure PXE Server to respond to client requests automatically, and start deployment without the installer having to press F12 to commence the deployment.

Question: A. Datum Corporation wants to deploy several dozen new servers in their head offices. These servers will be installed with Windows Server 2012. The following information has been provided to the IT staff by management:

•  The configuration of the various servers is expected to vary slightly; there are two basic server configurations: full server, and Server Core.

•  Managing network traffic is critical, as the network is near capacity.

How would you advise staff at A. Datum to proceed with the deployment?

Answer: Answers might vary, but points to consider should include:

•  Create two custom images, and capture them to the Windows Deployment Services server.

•  Configure multicast transmission on the Windows Deployment Services server(s) to enable efficient use of the network bandwidth.


Lesson 2

Implementing Deployment with Windows Deployment Services

Contents:

Question and Answers


Question and Answers

Managing Deployments with Windows Deployment Services

Question: What is the advantage of defining a client naming policy?

Answer: For unknown clients, a client naming policy saves the administrator from having to remember previously allocated computer names during the deployment process.


Lesson 3

Administering Windows Deployment Services

Contents:

Demonstration


Demonstration

Demonstration: How to Administer Images

Demonstration Steps

Install and configure the Windows Deployment Services role 

1.  Switch to the LON-SVR1 computer.

2.  In Server Manager, click Manage, and then click Add Roles and Features.

3.  In the Add Roles and Features Wizard window, click Next.

4.  On the Select installation type page, click Next.

5.  On the Select destination server page, click Next.

6.  On the Select server roles page, select the Windows Deployment Services check box.

7.  In the Add Roles and Features Wizard window, click Add Features.

8.  On the Select server roles page, click Next.

9.  On the Select features page, click Next.

10.  On the WDS page, review the information presented, and then click Next.

11.  On the Select role services page, click Next.

12.  On the Confirm installation selections page, click Install.

13.  On the Installation Results page, click Close.

14.  In Server Manager, click Tools, and then click Windows Deployment Services.

15.  In the Windows Deployment Services console, expand Servers.

16.  Right-click LON-SVR1.Adatum.com, and then click Configure Server. Click Next.

17.  On the Install Options page, click Next.

18.  On the Remote Installation Folder Location page, click Next.

19.  In the System Volume Warning dialog box, click Yes.

20.  On the PXE Server Initial Settings page, click Respond to all client computers (known and unknown), and then click Next.

21.  On the Operation Complete page, clear the Add images to the server now check box, and then click Finish.

Add a boot image

1.  In Windows Deployment Services, in the console tree, expand LON-SVR1.Adatum.com.

2.  Right-click Boot Images, and then click Add Boot Image.

3.  In the Add Image Wizard, on the Image File page, click Browse.

4.  In the Select Windows Image File dialog box, in the navigation pane, click Computer, double-click DVD Drive (D:), double-click sources, and then double-click boot.wim.

5.  On the Image File page, click Next.

6.  On the Image Metadata page, click Next.

7.  On the Summary page, click Next.


8.  On the Task Progress page, click Finish. 

Add an install image

1.  In the Windows Deployment Services console, right-click Install Images, and then click Add Image Group.

2.  In the Add Image Group dialog box, in the Enter a name for the image group field, type Windows Server 2012, and then click OK.

3.  In the Windows Deployment Services console, right-click Windows Server 2012, and then click Add Install Image.

4.  In the Add Image Wizard, on the Image File page, click Browse.

5.  In the File name text box, type D:\sources\install.wim, and then click Open.

6.  On the Image File page, click Next.

7.  On the Available Images page, clear all check boxes except Windows Server 2012 SERVERSTANDARDCORE, and then click Next.

8.  On the Summary page, click Next.

9.  On the Task Progress page, click Finish.

10.  Minimize the Windows Deployment Services window.

Demonstration: How to Configure Multicast Transmission

Demonstration Steps

1.  On LON-SVR1, in Windows Deployment Services, in the console tree, right-click Multicast Transmissions, and then click Create Multicast Transmission.

2.  In the Create Multicast Transmission Wizard, on the Transmission Name page, in the Type a name for this transmission field, type Windows Server 2012 Branch Servers, and then click Next.

3.  On the Image Selection page, in the Select the image group that contains the image list, click Windows Server 2012.

4.  In the Name list, click Windows Server 2012 SERVERSTANDARDCORE, and then click Next.

5.  On the Multicast Type page, verify that Auto-Cast is selected, and then click Next.

6.  Click Finish.
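The three Windows Deployment Services demonstrations above (role installation, boot and install images, Auto-Cast transmission) can also be scripted with WDSutil.exe, which the module's tool list names for command-line management. The following is an added example, not part of the course material; it assumes an elevated session on LON-SVR1, installation media mounted as D:, and C:\RemoteInstall as the remote installation folder.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the WDS demonstrations.
# Assumptions (not from the course text): media on D:, remote install folder C:\RemoteInstall.
# Not idempotent: intended for a server where WDS has not been configured yet.
$ErrorActionPreference = 'Stop'

$remInst    = 'C:\RemoteInstall'
$media      = 'D:\sources'
$imageGroup = 'Windows Server 2012'
$imageName  = 'Windows Server 2012 SERVERSTANDARDCORE'
$castName   = 'Windows Server 2012 Branch Servers'

function Invoke-WdsUtil {
    # Runs wdsutil.exe and stops the script when it returns a non-zero exit code.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & wdsutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "wdsutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Fail early if the media is not where the demonstration expects it.
foreach ($wim in 'boot.wim', 'install.wim') {
    $path = Join-Path $media $wim
    if (-not (Test-Path $path)) { throw "Image file not found: $path" }
}

# Install and configure the role (demonstration part 1).
Install-WindowsFeature -Name WDS -IncludeManagementTools | Out-Null
Invoke-WdsUtil '/Initialize-Server', "/RemInst:$remInst"

# "Respond to all client computers (known and unknown)" as in step 20.
# /AnswerClients:Known would limit PXE responses to prestaged computers.
Invoke-WdsUtil '/Set-Server', '/AnswerClients:All'

# Add a boot image (demonstration part 2).
Invoke-WdsUtil '/Add-Image', "/ImageFile:$media\boot.wim", '/ImageType:Boot'

# Add an image group and a single install image from install.wim (part 3).
Invoke-WdsUtil '/Add-ImageGroup', "/ImageGroup:$imageGroup"
Invoke-WdsUtil '/Add-Image', "/ImageFile:$media\install.wim", '/ImageType:Install',
               "/ImageGroup:$imageGroup", "/SingleImage:$imageName"

# Create the Auto-Cast multicast transmission (multicast demonstration).
Invoke-WdsUtil '/New-MulticastTransmission', "/FriendlyName:$castName",
               "/Image:$imageName", '/ImageType:Install',
               "/ImageGroup:$imageGroup", '/TransmissionType:AutoCast'

# Review the resulting server configuration and the install images.
Invoke-WdsUtil '/Get-Server', '/Show:Config'
Invoke-WdsUtil '/Get-AllImages', '/Show:Install'
```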


Module Review and Takeaways

Review Question(s)

Question: Windows Deployment Services supports two types of multicast transmission. Which type is suitable for minimizing total network traffic during deployment to a fixed number of clients?

Answer: The configuration of scheduled-cast is such that it waits for a threshold number of clients before starting and deploying simultaneously, which makes it better for a fixed number of clients. This is especially true if deployment occurs at different times for different computers. Autocast loops around while client computers are connected. If clients do not connect simultaneously, the Windows Deployment Services server transmits the image multiple times. This may consume large amounts of network bandwidth.

Question: How is Windows ADK useful with Windows Deployment Services deployments?

Answer: Windows ADK provides tools, such as ImageX.exe, Sysprep.exe, and Windows SIM, that enable you to manage images for use by Windows Deployment Services. For example, you can use Windows SIM to create and configure answer files to automate Windows Deployment Services deployments. You also can use Sysprep to generalize a capture image for Windows Deployment Services. Additionally, Windows ADK provides a number of Windows PE images and management tools.

Question: What steps are necessary to automate the end-to-end deployment process?

Answer: The following steps are required:

1.  Configure your PXE boot policy to Always Continue PXE boot.

2.  Configure a default boot image.

3.  Create and associate an answer file for your Windows Deployment Services client unattend file.

4.  Create and associate an answer file for an install image.

5.  Configure clients to boot from hard disk and then PXE, to avoid boot loop.

6.  If necessary, configure multicast transmission.

Tools

Tool | What it is used for | Where to find it
Windows Deployment Services console | Administering Windows Deployment Services | Server Manager - Tools
WDSutil.exe | Command-line management of Windows Deployment Services | Command line
Windows ADK | Managing image files and creating answer files | Download from Microsoft.com
Dism.exe | Offline and online servicing of images | Windows ADK
Netsh.exe | Command-line tool for managing network-related settings | Command line


Module 2

Configuring and Troubleshooting Domain Name System

Contents:

Lesson 1: Installing the DNS Server Role

Lesson 2: Configuring the DNS Server Role

Lesson 3: Configuring DNS Zones

Lesson 4: Configuring DNS Zone Transfers

Lesson 5: Managing and Troubleshooting DNS

Module Review and Takeaways

Lab Review Questions and Answers


Lesson 1

Installing the DNS Server Role

Contents:

Demonstration


Demonstration

Demonstration: Installing the DNS Server Role

Demonstration Steps

1.  Switch to LON-SVR1, and sign in as Adatum\Administrator with the password Pa$$w0rd.

2.  If necessary, on the taskbar, click Server Manager.

3.  In Server Manager, in the navigation pane, click Dashboard, and then in the details pane, click Add roles and features.

4.  In the Add Roles and Features Wizard, click Next.

5.  On the Select installation type page, click Role-based or feature-based installation, and then click Next.

6.  On the Select destination server page, click Next.

7.  On the Select server roles page, in the Roles list, select the DNS Server check box.

8.  In the Add Roles and Features Wizard dialog box, click Add Features.

9.  On the Select server roles page, click Next.

10.  On the Select features page, click Next.

11.  On the DNS Server page, click Next.

12.  On the Confirm installation selections page, click Install.

13.  After the role is installed, click Close.


Lesson 2

Configuring the DNS Server Role

Contents:

Demonstration


Demonstration

Demonstration: Configuring the DNS Server Role

Demonstration Steps

Configure DNS server properties

1.  Switch to LON-DC1.

2.  If necessary, sign in as Adatum\Administrator with the password Pa$$w0rd.

3.  In Server Manager, click Tools, and then click DNS.

4.  In DNS Manager, expand LON-DC1, select and then right-click LON-DC1, and then click Properties.

5.  In the LON-DC1 Properties dialog box, click the Forwarders tab.

6.  On the Forwarders tab, click Edit. You can configure forwarding here. Click Cancel.

7.  Click the Advanced tab. You can configure options including securing the cache against pollution.

8.  Click the Root Hints tab. You can see the configuration for the root hints servers here.

9.  Click the Debug Logging tab, and then select the Log packets for debugging check box. You can configure debug logging options here.

10.  Clear the Log packets for debugging check box, and then click the Event Logging tab.

11.  Click Errors and Warnings.

12.  Click the Monitoring tab. You can perform simple and recursive tests against the server by using the Monitoring tab. Select the A simple query against this DNS server check box, and then click Test Now.

13.  Click the Security tab. You can define permissions on the DNS infrastructure here. Click OK.

Configure conditional forwarding

1.  In the navigation pane, click Conditional Forwarders.

2.  Right-click Conditional Forwarders, and then click New Conditional Forwarder.

3.  In the New Conditional Forwarder dialog box, in the DNS Domain box, type contoso.com.

4.  Click the <Click here to add an IP Address or DNS Name> box. Type 131.107.1.2, and then press Enter. Validation will fail since this is just an example configuration.

5.  Click OK.

Clear the DNS cache

•  In the navigation pane, right-click LON-DC1, and then click Clear Cache.


Lesson 3

Configuring DNS Zones

Contents:

Demonstration


Demonstration

Demonstration: Creating Zones

Demonstration Steps

Create a reverse lookup zone

1.  On LON-DC1, in DNS Manager, in the navigation pane, click Reverse Lookup Zones.

2.  Right-click Reverse Lookup Zones, and then click New Zone.

3.  In the New Zone Wizard, click Next.

4.  On the Zone Type page, click Primary zone, and then click Next.

5.  On the Active Directory Zone Replication Scope page, click Next.

6.  On the Reverse Lookup Zone Name page, click IPv4 Reverse Lookup Zone, and then click Next.

7.  On the second Reverse Lookup Zone Name page, in the Network ID: box, type 172.16.0, and then click Next.

8.  On the Dynamic Update page, click Next.

9.  On the Completing the New Zone Wizard page, click Finish.

Create a forward lookup zone

1.  Switch to LON-SVR1.

2.  Pause your mouse pointer in the lower-left corner of the display, and then click Start.

3.  From Start, click DNS.

4.  In DNS Manager, in the navigation pane, expand LON-SVR1, and then click Forward Lookup Zones.

5.  Right-click Forward Lookup Zones, and then click New Zone.

6.  In the New Zone Wizard, click Next.

7.  On the Zone Type page, click Secondary zone, and then click Next.

8.  On the Zone Name page, in the Zone name: box, type Adatum.com, and then click Next.

9.  On the Master DNS Servers page, in the Master Servers list, type 172.16.0.10, and then press Enter.

10.  Click Next, and on the Completing the New Zone Wizard page, click Finish.


Lesson 4

Configuring DNS Zone Transfers

Contents:

Demonstration


Demonstration

Demonstration: Configuring DNS Zone Transfers

Demonstration Steps

Enable DNS zone transfers

1.  Switch to LON-DC1.

2.  In DNS Manager, in the navigation pane, expand Forward Lookup Zones.

3.  Right-click Adatum.com, and then click Properties.

4.  In the Adatum.com Properties dialog box, click the Zone Transfers tab.

5.  Select the Allow zone transfers check box, and then click Only to servers listed on the Name Servers tab.

6.  Click Notify, and in the Notify dialog box, click Servers listed on the Name Servers tab. Click OK.

7.  Click the Name Servers tab, and then click Add.

8.  In the New Name Server Record dialog box, in the Server fully qualified domain name (FQDN) box, type LON-SVR1.Adatum.com, and then click Resolve. Click OK.

9.  In the Adatum.com Properties dialog box, click OK.

Update the secondary zone from the master server

1.  Switch to LON-SVR1.

2.  In DNS Manager, in the navigation pane, expand Forward Lookup Zones.

3.  Refresh the display, click and then right-click Adatum.com, and then click Transfer from Master. You might need to perform this step a number of times before the zone transfers. Also, note that the transfer might occur automatically before you perform these steps manually.

Update the primary zone, and then verify the change on the secondary zone

1.  Switch to LON-DC1.

2.  In DNS Manager, right-click Adatum.com, and then click New Alias (CNAME).

3.  In the New Resource Record dialog box, in the Alias name (uses parent domain if left blank) box, type intranet.

4.  In the Fully qualified domain name (FQDN) for target host box, type LON-dc1.adatum.com, and then click OK.

5.  Switch to LON-SVR1.

6.  In DNS Manager, click Adatum.com.

7.  Right-click Adatum.com, and then click Transfer from Master. The record may take some time to appear. You might need to refresh the display.


Lesson 5

Managing and Troubleshooting DNS

Contents:

Demonstration


Demonstration

Demonstration: Managing DNS Records

Demonstration Steps

Configure TTL

1.  Switch to LON-DC1.

2.  In DNS Manager, right-click Adatum.com, and then click Properties.

3.  In the Adatum.com Properties dialog box, click the Start of Authority (SOA) tab.

4.  In the Minimum (default) TTL box, type 2, and then click OK.

Enable and configure scavenging and aging

1.  Right-click LON-DC1, and then click Set Aging/Scavenging for All Zones.

2.  In the Set Aging/Scavenging Properties dialog box, select the Scavenge stale resource records check box, and then click OK.

3.  In the Server Aging/Scavenging Confirmation dialog box, select the Apply these settings to the existing Active Directory-integrated zones check box, and then click OK.

Demonstration: Testing the DNS Server Configuration

Demonstration Steps

1.  On LON-DC1, pause your mouse pointer in the lower-left of the display, and then click Start.

2.  Type cmd, and then press Enter.

3.  At the command prompt, type the following command, and then press Enter:

nslookup -d2 LON-svr1.Adatum.com

4.  Review the information provided by nslookup.


Module Review and Takeaways

Review Question(s)

Question: You are deploying DNS servers into an Active Directory domain, and your customer requires that the infrastructure is resistant to single points of failure. What must you consider while planning the DNS configuration?

Answer: You must ensure that you deploy more than one DNS domain controller into the network.

Question: What is the difference between recursive and iterative queries?

Answer: A client issues a recursive query to a DNS server. It can have only two possible replies: the IP address of the domain requested, or host not found. An iterative query resolves IP addresses through the hierarchical DNS namespace. An iterative query returns an authoritative answer or the IP address of a server that is on the next level down in the DNS hierarchy.

Question: What must you configure before a DNS zone can be transferred to a secondary DNS server?

Answer: You must configure DNS zone transfers to allow the secondary zone server to transfer from the primary zone.

Question: You are the administrator of a Windows Server 2012 DNS environment. Your company recently acquired another company. You want to replicate their primary DNS zone. The acquired company is using Bind 4.9.4 to host their primary DNS zones. You notice a significant amount of traffic between the Windows Server 2012 DNS server and the Bind server. What is one possible reason for this?

Answer: Bind 4.9.4 does not support IXFR. Each time a change occurs in the Bind zone, it has to replicate the entire zone to a computer that is running Windows Server 2012 to remain updated.

Question: You must automate a DNS server configuration process so that you can automate the deployment of Windows Server 2012. What DNS tool can you use to do this?

Answer: You can use dnscmd.exe for this purpose.
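As an added example (not part of the course material), the zone-transfer demonstration from Lesson 4 can be automated with dnscmd.exe called from PowerShell: restrict transfers to servers listed as name servers, create the secondary zone, and confirm that a new record replicates. Server names, the zone and the master IP address come from the demonstrations; the retry count, the delay and the helper function name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: dnscmd.exe automation of the Lesson 4 zone-transfer demonstration.
# Not idempotent: intended for a lab where the NS record, the secondary zone
# and the intranet alias do not exist yet.
$ErrorActionPreference = 'Stop'

$zone      = 'Adatum.com'
$primary   = 'LON-DC1'
$secondary = 'LON-SVR1'
$primaryIp = '172.16.0.10'

function Invoke-DnsCmd {
    # Hypothetical helper: runs dnscmd.exe and stops on a non-zero exit code.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & dnscmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. On the primary, list the secondary as a name server for the zone.
#    '@' is quoted so PowerShell passes it through as the zone apex.
Invoke-DnsCmd $primary, '/RecordAdd', $zone, '@', 'NS', "$secondary.$zone"

# 2. Allow transfers only to servers on the Name Servers tab and notify them.
#    /SecureNs is the restrictive choice; /NonSecure would allow any server
#    to pull the full zone contents.
Invoke-DnsCmd $primary, '/ZoneResetSecondaries', $zone, '/SecureNs', '/Notify'

# 3. On the secondary, create the secondary zone pointing at the master.
Invoke-DnsCmd $secondary, '/ZoneAdd', $zone, '/Secondary', $primaryIp

# 4. Change the primary zone, then ask the secondary to pull the update.
Invoke-DnsCmd $primary, '/RecordAdd', $zone, 'intranet', 'CNAME', 'LON-dc1.adatum.com'
Invoke-DnsCmd $secondary, '/ZoneRefresh', $zone

# 5. Poll the secondary until the alias appears. The demonstration notes that
#    the transfer may need several attempts before the record shows up.
$answer = $null
foreach ($attempt in 1..10) {
    $answer = Resolve-DnsName -Name "intranet.$zone" -Type CNAME -Server $secondary `
                              -DnsOnly -ErrorAction SilentlyContinue
    if ($answer) { break }
    Start-Sleep -Seconds 6
    & dnscmd.exe $secondary /ZoneRefresh $zone | Out-Null
}
if (-not $answer) {
    throw "intranet.$zone did not replicate to $secondary; check the Zone Transfers settings on $primary."
}
$answer | Format-Table Name, Type, NameHost

# 6. Print the zone properties on the primary to review the transfer settings.
Invoke-DnsCmd $primary, '/ZoneInfo', $zone
```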

Tools

Tool | Use for | Where to find it
Dnscmd.exe | Configure DNS server role | Command-line
Dnslint.exe | Test DNS server | Download from the Microsoft website and then use from the command-line
Nslookup.exe | Test DNS name resolution | Command-line
Ping.exe | Simple test of DNS name resolution | Command-line
Ipconfig.exe | Verify and test IP functionality and view or clear the DNS client resolver cache | Command-line


Lab Review Questions and Answers

Lab: Configuring and Troubleshooting DNS

Question: In the lab, you were required to deploy a secondary zone because you were not going to deploy any additional domain controllers. If this condition changed, meaning LON-SVR1 was a domain controller, how would that change your implementation plan?

Answer: You could install the AD DS and DNS roles, and then you would not need to configure any zones or zone transfers.


Module 3

Maintaining Active Directory Domain Services

Contents:

Lesson 4: Administering AD DS

Lesson 5: Managing the AD DS Database

Module Review and Takeaways


Lesson 4

Administering AD DS

Contents:

Demonstration


Demonstration

Demonstration: Managing AD DS by Using Management Tools

Demonstration Steps

Active Directory Users and Computers

View Objects

1.  On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.

2.  In Active Directory Users and Computers, double-click the Adatum.com domain.

3.  Double-click the Computers container to see the computer objects in the container.

4.  Double-click the Research OU. Note the User and Group objects within the Research OU.

Refresh the view

1.  Right-click the Adatum.com domain, and then click Refresh.

2.  In the toolbar, click the white and green Refresh icon.

Create objects

1.  Right-click the Computers container, click New, and then click Computer.

2.  In the Computer name field, type LON-CL4, and then click OK.

Configure object attributes

1.  In Active Directory Users and Computers, click the Computers container.

2.  Right-click LON-CL4, and then click Properties.

3.  In the LON-CL4 Properties window, click the Member Of tab.

4.  On the Member Of tab, click Add, type Research, and then click OK.

5.  Click OK to close the LON-CL4 Properties window.

View all object attributes

1.  In Active Directory Users and Computers, in the menu toolbar, click View, and then click Advanced Features.

2.  Click the Computers container, right-click LON-CL4, and then click Properties.

3.  Click the Attribute Editor tab, and then scroll through the Attributes list. Click Cancel.

Active Directory Administrative Center

Navigation

1.  On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.

2.  Click Adatum (local), click Dynamic Access Control, and then click Global Search.

3.  In the navigation pane, click the tab for Tree View.

4.  Double-click Adatum (local) to expand the Adatum.com domain.

Perform administrative tasks

1.  In Active Directory Administrative Center, click Overview.

2.  In the Reset Password section, in the User name field, type Adatum\Adam.


3.  In the Password and Confirm password fields, type Pa$$w0rd.

4.  Clear the check box for User must change password at next log on, and then click Apply.

5.  In the Global Search section, type Rex in the Search field, and then press Enter.

Use the Windows PowerShell History Viewer

1.  In Active Directory Administrative Center, click the Windows PowerShell History toolbar at the bottom of the screen.

2.  View the details for the Set-ADAccountPassword cmdlet used to perform the most recent task.

3.  On LON-DC1, close all open windows.

Windows PowerShell

Create a group

1.  In Server Manager, click Tools, and then click Active Directory Module for Windows PowerShell.

2.  At the PowerShell prompt, type the following, and then press Enter:

New-ADGroup -Name "SalesManagers" -GroupCategory Security -GroupScope Global -DisplayName "Sales Managers" -Path "CN=Users,DC=Adatum,DC=com"

3.  In Server Manager, click Tools, and then click Active Directory Administrative Center.

4.  In Active Directory Administrative Center, double-click Adatum (local), and then, in the details pane, scroll down, and double-click the Users container.

5.  Confirm that the SalesManagers group is present in the Users container.

Move an object to a new OU

1.  Switch to the PowerShell prompt.

2.  At the PowerShell prompt, type the following command, and then press Enter:

Move-ADObject "CN=SalesManagers,CN=Users,DC=Adatum,DC=com" -TargetPath "OU=Sales,DC=Adatum,DC=com"

3.  Switch to Active Directory Administrative Center.

4.  In Active Directory Administrative Center, double-click Adatum (local), and then, in the details pane, scroll down and double-click the Sales OU.

5.  Confirm that the SalesManagers group has been moved to the Sales OU.


Lesson 5

Managing the AD DS Database

Contents:

Demonstration


Demonstration

Demonstration: Performing AD DS Database Maintenance

Demonstration Steps

Stop AD DS

1.  On LON-DC1, on the taskbar, click the Server Manager shortcut.

2.  In Server Manager, click Tools, and then click Services.

3.  In the Services window, right-click Active Directory Domain Services, and then click Stop.

4.  In the Stop Other Services dialog box, click Yes.

Perform an offline defragmentation of the AD DS database

1.  On LON-DC1, on the taskbar, click the Windows PowerShell shortcut.

2.  In the command window, type ntdsutil, and then press Enter.

3.  At the ntdsutil.exe: prompt, type the following command, and then press Enter:

activate instance NTDS

4.  At the ntdsutil.exe: prompt, type the following command, and then press Enter:

files

5.  At the file maintenance: prompt, type the following command, and then press Enter:

compact to C:\

Check the integrity of the offline database

1.  At the file maintenance: prompt, type the following command, and then press Enter:

Integrity

2.  At the file maintenance: prompt, type the following command, and then press Enter:

quit

3.  At the ntdsutil.exe: prompt, type the following command, and then press Enter:

Quit

4.  Close the command prompt window.

Start AD DS

1.  On the taskbar, click the Server Manager shortcut.

2.  In Server Manager, click Tools, and then click Services.

3.  In the Services window, right-click Active Directory Domain Services, and then click Start.

4.  Confirm that the Status column for Active Directory Domain Services is listed as Running.
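The maintenance sequence above (stop AD DS, compact, check integrity, start AD DS) can be run as one script so that the service is always restarted, even when a step fails. This is an added example, not part of the course material; it assumes an elevated session on the domain controller and writes the compacted copy to C:\NtdsCompact instead of C:\, because a quoted argument ending in a backslash is easily mangled when PowerShell passes it to a native program.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted version of the AD DS database maintenance demonstration.
# Assumption (not from the course text): the compacted copy goes to C:\NtdsCompact.
$ErrorActionPreference = 'Stop'

$compactDir = 'C:\NtdsCompact'

# Locate the live database from the NTDS service parameters in the registry.
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath     = $ntdsParams.'DSA Database file'
$dbSize     = (Get-Item $dbPath).Length

# The compacted copy can be as large as the original: check free space first.
$drive = Get-PSDrive -Name $compactDir.Substring(0, 1)
if ($drive.Free -lt $dbSize) {
    throw "Not enough free space on $($drive.Name): for a copy of $dbPath ($dbSize bytes)."
}
New-Item -ItemType Directory -Path $compactDir -Force | Out-Null

# Remember which dependent services are running; stopping NTDS stops them too
# (the "Stop Other Services" prompt in the demonstration).
$dependents = (Get-Service -Name NTDS).DependentServices |
              Where-Object { $_.Status -eq 'Running' }

Stop-Service -Name NTDS -Force
try {
    # Offline defragmentation: writes a compacted ntds.dit into $compactDir.
    & ntdsutil.exe 'activate instance ntds' 'files' "compact to $compactDir" 'quit' 'quit'

    $compacted = Join-Path $compactDir 'ntds.dit'
    if (-not (Test-Path $compacted)) {
        throw "Compaction did not produce $compacted; review the ntdsutil output above."
    }
    '{0:N0} bytes before, {1:N0} bytes in the compacted copy' -f $dbSize, (Get-Item $compacted).Length

    # Integrity check of the offline database, as in the demonstration.
    & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
}
finally {
    # Always bring AD DS back, then any dependent service that is still stopped.
    Start-Service -Name NTDS
    foreach ($svc in $dependents) {
        if ((Get-Service -Name $svc.Name).Status -ne 'Running') {
            Start-Service -Name $svc.Name
        }
    }
}

Get-Service -Name NTDS | Format-Table Name, Status
```

Like the demonstration, the script stops after producing the compacted copy and does not replace the live database with it.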


Module Review and Takeaways

Best Practices

Best Practices for Administering AD DS 

 

•  Do not virtualize all domain controllers on the same hypervisor host or server.

•  Virtual machine snapshots provide an excellent reference point or quick recovery method, but you should not use them as a replacement for regular backups. They also will not allow you to recover objects by reverting to an older snapshot.

•  Use RODCs when physical security makes a writable domain controller unfeasible.

•  Use the best tool for the job. Active Directory Users and Computers is the most commonly used tool for managing AD DS, but it is not always the best. You can use Active Directory Administrative Center for performing large-scale tasks or those tasks that involve multiple objects. You also can use the Active Directory module for Windows PowerShell to create reusable scripts for frequently repeated administrative tasks.

•  Enable Active Directory Recycle Bin if your forest functional level supports the functionality. It can be invaluable in saving time when recovering accidentally deleted objects in AD DS.

Review Question(s)

Question: Which AD DS objects should have their credentials cached on an RODC located in a remote location?

Answer: Typically, you would cache credentials for user, service, and computer accounts located remotely, and which require authentication to AD DS.

Question: What benefits does Active Directory Administrative Center provide over Active Directory Users and Computers?

Answer: Active Directory Administrative Center is built on Windows PowerShell, so you can perform tasks on a larger scale with more flexibility. You also can use the Active Directory Administrative Center to administer components like Active Directory Recycle Bin and fine-grained password policies, unlike Active Directory Users and Computers.

Tools

Tool | Used for | Where to find it
Hyper-V Manager | Managing virtualized hosts on Windows Server 2012 | Server Manager - Tools
Active Directory module for Windows PowerShell | Managing AD DS through scripts and from the command line | Server Manager - Tools
Active Directory Users and Computers | Managing objects in AD DS | Server Manager - Tools
Active Directory Administrative Center | Managing objects in AD DS, enabling and managing the Active Directory Recycle Bin | Server Manager - Tools
Ntdsutil.exe | Managing AD DS snapshots | Command prompt
Dsamain.exe | Mounting AD DS snapshots for browsing | Command prompt


Module 4

Managing User and Service Accounts

Contents:

Lesson 1: Automating User Account Management

Lesson 2: Configuring Password-Policy and User-Account Lockout Settings

Lesson 3: Configuring Managed Service Accounts

Module Review and Takeaways


Lesson 1

Automating User Account Management

Contents:

Question and Answers

Demonstration


Question and Answers

Importing User Accounts with LDIFDE

Question: What advantages does LDIFDE have over the Comma-Separated Values Data Exchange tool

when managing user accounts in an AD DS environment?

Answer: LDIFDE is capable of modifying data as well as performing the import and export of data.

Demonstration

Demonstration: Exporting User Accounts with Comma-Separated Values Data Exchange Tool

Demonstration Steps

1.  On LON-DC1, click to the Start screen.

2.  From the Start screen, type cmd, and then press Enter.

3.  In the command prompt window, type the following command, and then press Enter:

csvde -f E:\Labfiles\Mod04\UsersNamedRex.csv -r "(name=Rex*)" -l DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName

4.  Open E:\LABFILES\Mod04\UsersNamedRex.csv in Notepad.

5.  Examine the file, and then close Notepad.

6.  Close all open windows on LON-DC1.

Demonstration: Importing User Accounts with the Comma-Separated Values Data Exchange Tool

Demonstration Steps

1.  On LON-DC1, on the taskbar, click Windows Explorer.

2.  In Windows Explorer, in the navigation pane, expand Computer, expand Allfiles (E:), expand

Labfiles, and then click Mod04.

3.  In Windows Explorer, right-click NewUsers.csv, and then click Open With.

4.  In the Open With window, click Notepad.

5.  In Notepad, view the contents of NewUsers.csv. Note the user names and the location specified for

the users, which is the IT organizational unit (OU).

6.  Close Notepad.

7.  On LON-DC1, click to the Start screen.

8.  From the Start screen, type cmd, and then press Enter.

9.  In the Command Prompt window, type the following command, and then press Enter:

csvde -i -f E:\Labfiles\Mod04\NewUsers.csv -k

10.  On the taskbar, click Server Manager.

11.  In the Server Manager window, click Tools, and then click Active Directory Users and Computers.

12.  In Active Directory Users and Computers window, expand Adatum.com, and then click IT OU.


13.  Ensure that Albert Carter and Steven Meadows have been imported into the IT OU.

14.  Right-click Albert Carter, and then click Reset Password.

15.  In the Reset Password window, type Pa$$w0rd in the New password and Confirm password fields, and then click OK. Click OK in the confirmation window.

16.  In Active Directory Users and Computers, right-click Albert Carter, and then click Enable Account.

17.  Click OK in the confirmation window.

18.  Repeat steps 14 through 17 for Steven Meadows.

19.  Close all open windows on LON-DC1.
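A pre-import check for a file that is about to be passed to csvde -i, as an added example that is not part of the course lab files. It looks for the problems that matter before objects are created: a missing DN or objectClass column, a DN that lands outside the intended OU (which is also what an unquoted DN looks like after parsing), unexpected object classes, password columns, and userAccountControl values that would leave an account enabled or without a password requirement. The function name, the sample rows and their attribute values are constructed for illustration.

```powershell
# Added example: validate a CSV file before running "csvde -i" against it.
# Test-CsvdeImportFile and the sample rows are constructed for illustration.

function Test-CsvdeImportFile {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Lines,       # raw lines of the .csv file
        [Parameter(Mandatory = $true)] [string]   $ExpectedOu,  # OU the new objects must land in
        [string[]] $AllowedClasses = @('user')
    )

    $findings = @()

    # ConvertFrom-Csv honours quoted fields, which matters because a DN contains commas.
    $rows = @($Lines | ConvertFrom-Csv)
    if ($rows.Count -eq 0) {
        return @('No data rows found under the header line.')
    }
    $columns = $rows[0].PSObject.Properties.Name

    # csvde needs the object's DN and its objectClass to create anything.
    foreach ($required in 'DN', 'objectClass') {
        if ($columns -notcontains $required) {
            $findings += "Header is missing the required column '$required'."
        }
    }

    # csvde cannot set passwords, so a password column only leaves secrets in a file.
    foreach ($secret in 'unicodePwd', 'userPassword') {
        if ($columns -contains $secret) {
            $findings += "Column '$secret' is present; csvde cannot import passwords."
        }
    }

    $n = 0
    foreach ($row in $rows) {
        $n++
        $dn = [string]$row.DN
        if ($columns -contains 'DN' -and
            -not $dn.EndsWith(",$ExpectedOu", [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += "Row ${n}: DN '$dn' is outside $ExpectedOu or was split by an unquoted comma."
        }
        if ($columns -contains 'objectClass' -and $AllowedClasses -notcontains $row.objectClass) {
            $findings += "Row ${n}: objectClass '$($row.objectClass)' is not in the allowed list."
        }
        if ($columns -contains 'userAccountControl') {
            $uac = 0
            if (-not [int]::TryParse([string]$row.userAccountControl, [ref]$uac)) {
                $findings += "Row ${n}: userAccountControl '$($row.userAccountControl)' is not a number."
            } elseif ($uac -band 0x20) {
                $findings += "Row ${n}: userAccountControl $uac sets PASSWD_NOTREQD (0x20)."
            } elseif (-not ($uac -band 0x2)) {
                $findings += "Row ${n}: userAccountControl $uac requests an enabled account, but no password is set."
            }
        }
    }
    return $findings
}

# Constructed sample input. Row 1 is well formed, row 2 has an unquoted DN,
# row 3 creates a group and asks for "password not required".
$sample = @(
    'DN,objectClass,sAMAccountName,userPrincipalName,userAccountControl'
    '"CN=Albert Carter,OU=IT,DC=Adatum,DC=com",user,Albert,Albert@adatum.com,514'
    'CN=Steven Meadows,OU=IT,DC=Adatum,DC=com,user,Steven,Steven@adatum.com,514'
    '"CN=Helpdesk,OU=IT,DC=Adatum,DC=com",group,Helpdesk,,544'
)

$result = @(Test-CsvdeImportFile -Lines $sample -ExpectedOu 'OU=IT,DC=Adatum,DC=com')
if ($result.Count -eq 0) { 'File passes the pre-import checks.' } else { $result }

# For a file on disk, pass its lines instead of the sample:
#   Test-CsvdeImportFile -Lines (Get-Content E:\Labfiles\Mod04\NewUsers.csv) -ExpectedOu 'OU=IT,DC=Adatum,DC=com'
```

Because csvde sets no passwords, a clean file still produces accounts that need the password reset and enable steps shown in the demonstration.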

Demonstration: Importing User Accounts with LDIFDE

Demonstration Steps

1.  On LON-DC1, on the taskbar, click Windows Explorer.

2.  In Windows Explorer, in the navigation pane, expand Computer, expand Allfiles (E:), expand Labfiles, and then click Mod04.

3.  In Windows Explorer, right-click NewUsers.ldf, and then click Open With.

4.  Click the Try an app on this PC link.

5.  In the Open With window, click Notepad.

6.  In Notepad, view the contents of NewUsers.ldf. Note the user names and the location specified for the users (the IT OU).

7.  Close Notepad.

8.  On LON-DC1, click to the Start screen.

9.  From the Start screen, type cmd, and then press Enter.

10.  In the command prompt window, type the following command, and then press Enter:

ldifde -i -f E:\Labfiles\Mod04\NewUsers.ldf -k

11.  On the taskbar, click Server Manager.

12.  In the Server Manager window, click Tools, and then click Active Directory Users and Computers.

13.  In the Active Directory Users and Computers window, expand Adatum.com, and then click IT OU.

14.  Ensure that Darryl Hamilton and Amandeep Patel have been imported into the IT OU.

15.  Right-click Darryl Hamilton, and then click Reset Password.

16.  In the Reset Password window, type Pa$$w0rd in the New password and Confirm password fields, and then click OK. Click OK in the confirmation window.

17.  In Active Directory Users and Computers, right-click Darryl Hamilton, and then click Enable Account.

18.  Click OK in the confirmation window.

19.  Repeat steps 15 through 18 for Amandeep Patel.

20.  Close all open windows on LON-DC1.


Demonstration: Importing User Accounts with Windows PowerShell

Demonstration Steps

1.  On LON-DC1, on the taskbar, click Server Manager.

2.  In Server Manager, click Tools, and then click Active Directory Users and Computers.

3.  In Active Directory Users and Computers, right-click Adatum.com, click New, and then click Organizational Unit.

4.  In the Name field, type Import Users. Click OK.

5.  Close Active Directory Users and Computers.

6.  On the taskbar, click Windows Explorer.

7.  In Windows Explorer, in the navigation pane, expand Computer, expand Allfiles (E:), expand

Labfiles, and then click Mod04.

8.  In Windows Explorer, right-click ImportUsers.ps1, and then click Open With.

9.  In the Open With window, click Notepad.

10.  In Notepad, view the contents of ImportUsers.ps1.

11.  Next to $impfile, change path and filename to csv to E:\Labfiles\Mod04\ImportUsers.csv, and

then save the file.

12.  Close Notepad.

13.  In Server Manager, click Tools, and then click Active Directory Module for Windows PowerShell.

14.  In the Active Directory module for Windows PowerShell window, type the following commands, and then press Enter after each command. When prompted to change the execution policy, press Enter to accept the default option of Y:

Set-ExecutionPolicy remotesigned

E:\Labfiles\Mod04\importusers.ps1

15.  At the password prompt, type Pa$$w0rd, and then press Enter.

16.  Close the Active Directory module for Windows PowerShell window.

17.  In Server Manager, click Tools, and then click Active Directory Users and Computers.

18.  In the Active Directory Users and Computers window, expand Adatum.com, and then click the

ImportUsers OU.

19.  Ensure that Todd Rowe and Seth Grossman have been imported into the ImportUsers OU.

20.  Close all open windows on LON-DC1.


Lesson 2

Configuring Password-Policy and User-Account Lockout Settings

Contents:

Question and Answers


Question and Answers

Configuring User Account Policies

Question: Why would you use secpol.msc to configure local account policy settings for a Windows Server 2012 computer instead of using domain-based Group Policy account-policy settings?

Answer: Local security policy settings provide enhanced account security if a Windows Server 2012 computer is not joined to a domain, and therefore unable to apply Group Policy-based domain account-policy settings. This may be a permanent solution, or you can use it to protect a computer between the time when Windows Server 2012 is installed, and when it joins the domain and has the domain-based account policy settings applied.


Lesson 3

Configuring Managed Service Accounts

Contents:

Demonstration


Demonstration

Demonstration: Configuring Managed Service Accounts by Using Windows PowerShell

Demonstration Steps

Create the Key Distribution Services (KDS) root key for the domain

1.  On LON-DC1, from Server Manager, open the Active Directory Module for Windows PowerShell console.

2.  At the prompt, type the following command, and then press Enter:

Add-KDSRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Create and associate a managed service account

1.  At the prompt, type the following command, and then press Enter:

New-ADServiceAccount -Name SampleApp_SVR1 -DNSHostname LON-DC1.Adatum.com -PrincipalsAllowedToRetrieveManagedPassword LON-SVR1$

2.  At the prompt, type the following command, and then press Enter:

Add-ADComputerServiceAccount -identity LON-SVR1 -ServiceAccount SampleApp_SVR1

3.  At the prompt, type the following command, and then press Enter:

Get-ADServiceAccount -Filter *

4.  Verify that the SampleApp_SVR1 service account is listed.

Install a managed service account

1.  On LON-SVR1, from Server Manager, open the Active Directory Module for Windows PowerShell console.

2.  At the prompt, type the following command, and then press Enter:

Install-ADServiceAccount -Identity SampleApp_SVR1

3.  Click the Server Manager shortcut on the Windows Taskbar.

4.  In Server Manager, on the Menu toolbar, click Tools, and then click Services.

5.  In the Services console, right-click Application Identity, and then click Properties.

Note: The Application Identity service is used as an example. In a production environment,

you would use the actual service that should be assigned the managed service account. 

6.  In the Application Identity Properties dialog box, click the Log On tab.

7.  On the Log On tab, click This account, and then type Adatum\SampleApp_SVR1$. 

8.  Clear the password for both the Password and Confirm password boxes, and then click OK.

9.  Click OK at all prompts.


Module Review and Takeaways

Review Question(s)

Question: In what scenario could a user have multiple Password Settings Objects applied to their account without actually having a Password Settings Object linked to their user account?

Answer: Password Settings Objects can be linked to groups. If a user is a member of one or more groups to which Password Settings Objects are linked, any Password Settings Objects applied to those groups will be linked to the user account. However, only the Password Settings Object with the lowest precedence value will apply its settings to the user’s account.
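How the winning Password Settings Object is selected, as an added example that is not part of the course material. It goes one step beyond the answer above by also covering PSOs linked directly to a user account, which AD DS evaluates before any group-linked PSO, and it lists the PSOs that lose so that a stricter policy being ignored is visible. The PSO names, GUIDs, groups and users are constructed for illustration.

```powershell
# Added example: which Password Settings Object (PSO) ends up applying to a user.
# Get-ResultantPso, the PSOs, groups and users below are constructed for illustration.

function Get-ResultantPso {
    param(
        [Parameter(Mandatory = $true)] [string]   $User,
        [Parameter(Mandatory = $true)] [object[]] $Pso,
        [string[]] $MemberOf = @()
    )

    # Every PSO that names the user or one of the user's groups.
    $scope  = @($User) + $MemberOf
    $linked = @($Pso | Where-Object {
        $links = $_.AppliesTo
        @($scope | Where-Object { $links -contains $_ }).Count -gt 0
    })

    # No PSO at all: the domain account policy applies.
    if ($linked.Count -eq 0) {
        return [pscustomobject]@{
            User = $User; Pso = '(domain account policy)'; Precedence = $null
            LinkedVia = 'none'; MinPasswordLength = $null; Ignored = ''
        }
    }

    # PSOs linked directly to the user are evaluated before group-linked PSOs.
    $direct = @($linked | Where-Object { $_.AppliesTo -contains $User })
    if ($direct.Count -gt 0) {
        $candidates = $direct
        $via = 'user'
    } else {
        $candidates = $linked
        $via = 'group'
    }

    # Lowest precedence value wins; equal values fall back to the smaller GUID
    # (the ordering of the .NET Guid type is used here).
    $winner = $candidates | Sort-Object -Property Precedence, Guid | Select-Object -First 1

    [pscustomobject]@{
        User = $User; Pso = $winner.Name; Precedence = $winner.Precedence
        LinkedVia = $via; MinPasswordLength = $winner.MinPasswordLength
        Ignored = (@($linked | Where-Object { $_.Name -ne $winner.Name } |
                     ForEach-Object { $_.Name }) -join ', ')
    }
}

# Constructed sample PSOs.
$psos = @(
    [pscustomobject]@{ Name = 'PSO-ITAdmins'; Precedence = 10; MinPasswordLength = 15
                       Guid = [guid]'11111111-1111-1111-1111-111111111111'
                       AppliesTo = @('IT Admins') }
    [pscustomobject]@{ Name = 'PSO-Managers'; Precedence = 20; MinPasswordLength = 12
                       Guid = [guid]'22222222-2222-2222-2222-222222222222'
                       AppliesTo = @('Managers') }
    [pscustomobject]@{ Name = 'PSO-SvcAccounts'; Precedence = 50; MinPasswordLength = 8
                       Guid = [guid]'33333333-3333-3333-3333-333333333333'
                       AppliesTo = @('svc-backup') }
)

@(
    # Member of two groups with PSOs: the lower precedence value (10) wins.
    Get-ResultantPso -User 'ed' -MemberOf 'IT Admins', 'Managers' -Pso $psos
    # Direct link wins even though its precedence value (50) is higher and its
    # settings are weaker than the group PSO.
    Get-ResultantPso -User 'svc-backup' -MemberOf 'IT Admins' -Pso $psos
    # No PSO linked anywhere.
    Get-ResultantPso -User 'guest1' -Pso $psos
) | Format-Table -AutoSize
```

On a domain controller, Get-ADUserResultantPasswordPolicy from the Active Directory module reports the PSO that AD DS itself selected for an account.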

Question: What benefit do Managed Service Accounts provide compared to standard user accounts used

for services?

Answer: Managed Service Accounts provide managed password changes that do not require

administrator intervention.

Tools

Tool | What it is used for | Where to find it
Comma-Separated Values Data Exchange tool | Importing and exporting users by using .csv files | Command prompt: csvde.exe
LDIFDE | Importing, exporting, and modifying users by using .ldf files | Command prompt: ldifde.exe
Local Security Policy | Configuring local account-policy settings | Secpol.msc
Group Policy Management console | Configuring domain Group Policy account-policy settings | Server Manager – Tools
Active Directory Administrative Center | Creating and managing Password Settings Objects | Server Manager – Tools
Active Directory module for Windows PowerShell | Creating and Managing Managed Service Accounts | Server Manager - Tools

Common Issues and Troubleshooting Tips

Common Issue | Troubleshooting Tip
User accounts contained in a .csv file fail to import when using the Comma-Separated Values Data Exchange tool. | Ensure the structure of the .csv file matches the syntax of your Comma-Separated Values Data Exchange tool command, especially if the .csv file is exported from a non-AD DS source.
User password settings are not applying as expected. | Check for the application of Password Settings Objects. In the case of multiple Password Settings Objects, ensure that precedence is configured properly and that Password Settings Objects have been applied to the appropriate users and groups.
The New-ADServiceAccount cmdlet fails with key-related messages. | Ensure that the KDS root key has been created by using the Add-KDSRootKey cmdlet, and the -EffectiveTime parameter for the key is at least 10 hours earlier than the current time.


Module 5

Implementing a Group Policy Infrastructure

Contents:

Lesson 1: Introducing Group Policy

Lesson 3: Group Policy Scope and Group Policy Processing

Lesson 4: Troubleshooting the Application of GPOs

Module Review and Takeaways

Lab Review Questions and Answers


Lesson 1

Introducing Group Policy

Contents:

Demonstration


Demonstration

Demonstration: How to Create a GPO and Configure GPO Settings

Demonstration Steps

Use the Group Policy Management Console (GPMC) to create a new GPO

1.  Switch to LON-DC1, and sign in as Adatum\Administrator with the password Pa$$w0rd.

2.  In Server Manager, click Tools, and then click Group Policy Management.

3.  If necessary, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.

4.  Select and then right-click the Group Policy Objects folder, and then click New.

5.  In the New GPO dialog box, in the Name field, type Desktop, and then click OK.

Configure Group Policy settings

1.  In Group Policy Management, expand the Group Policy Objects folder, right-click the Desktop policy, and then click Edit.

2.  In Group Policy Management Editor, under Computer Configuration, expand Policies, expand

Windows Settings, expand Security Settings, expand Local Policies, and then click Security

Options.

3.  In the details pane, double-click Interactive logon: Do not display last user name.

4.  In the Interactive logon: Do not display last user name Properties dialog box, select the Define this policy setting check box, click Enabled, and then click OK.

5.  Under the Security Settings node, click System Services.

6.  In the details pane, double-click Windows Installer.

7.  In the Windows Installer Properties dialog box, select the Define this policy setting check box, and then click OK.

8.  Under User Configuration, expand Policies, expand Administrative Templates, and then click

Start Menu and Taskbar.

9.  In the details pane, double-click Remove Search link from Start Menu.

10.  In the Remove Search link from Start Menu dialog box, click Enabled, and then click OK.

11.  Under the Administrative Templates folder, expand Control Panel, and then click Display.

12.  In the details pane, double-click Hide Settings tab.

13.  In the Hide Settings tab dialog box, click Enabled, and then click OK.

14.  Close all open windows on LON-DC1.


Lesson 3

Group Policy Scope and Group Policy Processing

Contents:

Demonstration


Demonstration

Demonstration: How to Link GPOs

Demonstration Steps

Create and edit two GPOs

1.  On LON-DC1, if necessary, open Server Manager.

2.  In Server Manager, click Tools, and then click Group Policy Management.

3.  In the Group Policy Management window, expand Forest: Adatum.com, Domains, and Adatum.com, right-click the Group Policy Objects container, and then click New.

4.  In the New GPO window, type Remove Run Command in the Name field, and then click OK.

5.  In the Group Policy Management window, right-click the Group Policy Objects container, and then click New.

6.  In the New GPO window, type Do Not Remove Run Command in the Name field, and then click OK.

7.  Expand Group Policy Objects and right-click the Remove Run Command GPO, and then click Edit.

8.  In Group Policy Management Editor under User Configuration, expand Policies, expand

Administrative Templates, click Start Menu and Taskbar, and then double-click Remove Run

menu from Start Menu.

9.  In the Remove Run menu from Start Menu window, click Enabled, and then click OK.

10.  Close the Group Policy Management Editor.

11.  Right-click the Do Not Remove Run Command GPO, and then click Edit.

12.  In Group Policy Management Editor under User Configuration, expand Policies, expand Administrative Templates, click Start Menu and Taskbar, and then double-click Remove Run menu from Start Menu.

13.  In the Remove Run menu from Start Menu window, click Disabled, and then click OK. Close the Group Policy Management Editor.

Link the GPOs to different locations

1.  In the Group Policy Management window, right-click the Adatum.com domain node in the left pane,

and then click Link an Existing GPO.

2.  In the Select GPO window, click Remove Run Command, and then click OK. The Remove Run Command GPO is now attached to the Adatum.com domain.

3.  Click and drag the Do Not Remove Run Command GPO on top of the IT OU.

4.  In the Group Policy Management window, click OK to link the GPO.

5.  Click the IT OU in the left pane, and then click the Group Policy Inheritance tab in the right pane.

The Group Policy Inheritance tab shows the order of precedence for the GPOs.

Disable a GPO link

1.  In the left pane, right-click the Remove Run Command link that is listed under Adatum.com, and

then click Link Enabled to clear the check mark. Refresh the Group Policy Inheritance pane for the IT

OU and then notice the results in the right pane. The Remove Run Command GPO no longer is listed.


Delete a GPO link

1.  In the left pane, expand the IT OU, right-click the Do Not Remove Run Command link, and then click Delete. Click OK in the popup window.

2.  Click the IT OU in the left pane, and then click the Group Policy Inheritance tab in the right pane.

Verify the removal of the Do Not Remove Run Command and the absence of the Remove Run

Command GPOs.

3.  In the left pane, right-click the Remove Run Command GPO that is listed under Adatum.com, and

then click Link Enabled to re-enable the link. Refresh the Group Policy Inheritance window for the IT

OU, and then notice the results in the right pane.

4.  Close the Group Policy Management console.
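The precedence order that the Group Policy Inheritance tab displays in this demonstration, worked through as an added example that is not part of the course material. It models the two GPOs linked above and goes slightly further than the demonstration by also evaluating an enforced domain link and Block Inheritance on the IT OU. The function names and the object layout are constructed for illustration; the Default Domain Policy link is included because every domain has one.

```powershell
# Added example: model of GPO link precedence for a user in the IT OU.
# Function names and data layout are constructed for illustration.

function Get-GpoPrecedence {
    param(
        # Containers ordered from the domain down to the OU that holds the user.
        [Parameter(Mandatory = $true)] [object[]] $Path
    )
    $enforced = @()
    $normal   = @()
    $blocked  = $false

    # Walk upward from the target OU; the closest container has the highest precedence.
    for ($i = $Path.Count - 1; $i -ge 0; $i--) {
        # Disabled links are skipped; link order 1 is the strongest link in a container.
        $links = @($Path[$i].Links | Where-Object { $_.Enabled } | Sort-Object Order)

        # Enforced links outrank everything, and a higher container's enforced
        # link outranks a lower one, so they are prepended on the way up.
        $enforced = @($links | Where-Object { $_.Enforced }) + $enforced

        # Non-enforced links count only until Block Inheritance has been passed.
        if (-not $blocked) { $normal += @($links | Where-Object { -not $_.Enforced }) }
        if ($Path[$i].BlockInheritance) { $blocked = $true }
    }
    return @($enforced + $normal | ForEach-Object { $_.Gpo })
}

function Resolve-GpoSetting {
    param([string[]] $Precedence, [hashtable] $Settings, [string] $Setting)
    # The first GPO in precedence order that configures the setting wins.
    foreach ($gpo in $Precedence) {
        if ($Settings.ContainsKey($gpo) -and $Settings[$gpo].ContainsKey($Setting)) {
            return [pscustomobject]@{ Value = $Settings[$gpo][$Setting]; WinningGpo = $gpo }
        }
    }
    return [pscustomobject]@{ Value = 'Not Configured'; WinningGpo = '(none)' }
}

function New-AdatumPath {
    param([bool] $LinkEnabled = $true, [bool] $Enforced = $false, [bool] $Block = $false)
    $domain = [pscustomobject]@{
        Name = 'Adatum.com'; BlockInheritance = $false
        Links = @(
            [pscustomobject]@{ Gpo = 'Default Domain Policy'; Order = 1; Enabled = $true; Enforced = $false }
            [pscustomobject]@{ Gpo = 'Remove Run Command'; Order = 2; Enabled = $LinkEnabled; Enforced = $Enforced }
        )
    }
    $it = [pscustomobject]@{
        Name = 'IT'; BlockInheritance = $Block
        Links = @(
            [pscustomobject]@{ Gpo = 'Do Not Remove Run Command'; Order = 1; Enabled = $true; Enforced = $false }
        )
    }
    return @($domain, $it)
}

# What each GPO configures, as set in the demonstration steps.
$setting  = 'Remove Run menu from Start Menu'
$settings = @{
    'Default Domain Policy'     = @{}
    'Remove Run Command'        = @{ $setting = 'Enabled' }
    'Do Not Remove Run Command' = @{ $setting = 'Disabled' }
}

$scenarios = [ordered]@{
    'Links as created in the demonstration'  = (New-AdatumPath)
    'Domain link disabled'                   = (New-AdatumPath -LinkEnabled $false)
    'Domain link enforced'                   = (New-AdatumPath -Enforced $true)
    'Enforced link, Block Inheritance on IT' = (New-AdatumPath -Enforced $true -Block $true)
}

foreach ($name in $scenarios.Keys) {
    $order  = @(Get-GpoPrecedence -Path $scenarios[$name])
    $result = Resolve-GpoSetting -Precedence $order -Settings $settings -Setting $setting
    '{0}: {1}  =>  {2} (from {3})' -f $name, ($order -join ' > '), $result.Value, $result.WinningGpo
}
```

In the first two scenarios the IT OU link wins and the setting is Disabled; once the domain link is enforced, Remove Run Command wins with Enabled, and Block Inheritance on the IT OU does not change that. On a domain controller, Get-GPInheritance from the Group Policy module returns the real inherited link list for an OU.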

Demonstration: How to Filter Policies

Demonstration Steps

Create a new GPO, and link it to the IT organizational unit

1.  On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.

2.  In the Group Policy Management window, expand Forest: Adatum.com, expand Domains, expand

Adatum.com, and then click the IT organizational unit.

3.  Right-click IT, and then click Create a GPO in this domain, and Link it here.

4.  In the New GPO window, type Remove Help menu in the Name field, and then click OK.

5.  In the Group Policy Management window, expand Group Policy Objects, right-click the Remove

Help menu GPO, and then click Edit.

6.  In the Group Policy Management Editor under User Configuration, expand Policies, expand

Administrative Templates, click Start Menu and Taskbar, and then double-click Remove Help

menu from Start Menu.

7.  In the Remove Help menu from Start menu window, click Enabled, and then click OK.

8.  Close the Group Policy Management Editor window.

Filter Group Policy application by using security group filtering

1.  Expand IT, and then click the Remove Help menu GPO link.

2.  In the Group Policy Management Console message box, click OK.

3.  In the right-hand pane, under Security Filtering, click Authenticated Users, and then click Remove.

4.  In the confirmation dialog box, click OK.

5.  In the details pane, under Security Filtering, click Add.

6.  In the Select User, Computer, or Group dialog box, type Ed Meadows, and then click OK.

Filter the Group Policy application by using WMI filtering

1.  In the Group Policy Management window, right-click WMI Filters, and then click New.

2.  In the New WMI Filter dialog box, in the Name field, type XP Filter.

3.  In the Queries pane, click Add.

4.  In the WMI Query dialog box, in the Query field, type the following:

Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"


5.  Click OK.

6.  In the New WMI Filter dialog box, click Save.

7.  Right-click the Group Policy Objects folder, and then click New.

8.  In the New GPO window, type Software Updates for XP in the Name field, and then click OK.

9.  Expand the Group Policy Objects folder, and then click the Software Updates for XP GPO.

10.  In the right-hand pane, under WMI Filtering, in the This GPO is linked to the following WMI Filter list, select XP Filter.

11.  In the confirmation dialog, click Yes.

12.  Close the Group Policy Management console.


Lesson 4

Troubleshooting the Application of GPOs

Contents:

Demonstration


Demonstration

Demonstration: How to Perform What-If Analysis with the Group Policy Modeling Wizard

Demonstration Steps

Use GPResult.exe to create a report

1.  On LON-DC1, open the Start screen.

2.  Right-click the Start screen, and then click All apps.

3.  In the Apps list, click Command Prompt.

4.  In the Administrator: Command Prompt window, type cd desktop, and then press Enter.

5.  In the Administrator: Command Prompt window, type the following, and press Enter:

GPResult /r

6.  Review the output in the command window.

7.  In the Administrator: Command Prompt window, type the following, and then press Enter:

GPResult /h results.html

8.  Close the command prompt window, and then double-click the results.html file on the desktop.

9.  In the Internet Explorer window, view the results of the report.

10.  Close Internet Explorer.

Use the Group Policy Reporting Wizard to create a report

1.  Open Server Manager, click Tools, and then click Group Policy Management.

2.  In the Group Policy Management window, right-click Group Policy Results, and then click Group

Policy Results Wizard.

3.  In the Group Policy Results Wizard, click Next.

4.  On the Computer Selection page, click Next.

5.  On the User Selection page, click Next.

6.  On the Summary of Selections page, click Next.

7.  On the Completing the Group Policy Results Wizard page, click Finish.

8.  Review the Group Policy results.

9.  Expand the Group Policy Results folder, right-click the Administrator on LON-DC1 report, and then click Save Report.

10.  In the Save GPO Report dialog box, click Desktop, and then click Save.

Use the Group Policy Modeling Wizard to create a report

1.  Right-click the Group Policy Modeling folder, and then click Group Policy Modeling Wizard.

2.  In the Group Policy Modeling Wizard, click Next.

3.  On the Domain Controller Selection page, click Next.


4.  On the User and Computer Selection page, under User information, click User, and then click

Browse.

5.  In the Select User dialog box, type Ed Meadows, and then click OK.

6.  Under Computer information, click Browse.

7.  In the Choose Computer Container dialog box, expand Adatum, click IT, and then click OK.

8.  On the User and Computer Selection page, click Next.

9.  On the Advanced Simulation Options page, click Next.

10.  On the Alternate Active Directory Paths page, click Next.

11.  On the User Security Groups page, click Next.

12.  On the Computer Security Groups page, click Next.

13.  On the WMI Filters for Users page, click Next.

14.  On the WMI Filters for Computers page, click Next.

15.  On the Summary of Selections page, click Next.

16.  On the Completing Group Policy Modeling Wizard page, click Finish.

17.  Review the report.

18.  Close all open windows.


Module Review and Takeaways

Review Question(s)

Question:

1.  You have assigned a logon script to an OU via Group Policy. The script is located in a shared network

folder named Scripts. Some users in the OU receive the script, whereas others do not. What might be

the possible causes?

2.  What GPO settings are applied across slow links by default?

3.  You need to ensure that a domain level policy is enforced, but the Managers global group needs to

be exempt from the policy. How would you accomplish this?

Answer: 

1.  Security permissions might be a problem. If some users do not have read access to the shared network folder where scripts are stored, they will not be able to apply the policy. Also, security filtering on the GPO might be the cause of this problem.

2.  Registry policy and Security policy are applied even when a slow link is detected. You cannot change this setting.

3.  Set the link to be enforced at the domain level, and use security group filtering to deny Apply Group

Policy permission to the Administrators group.

Tools

Tool | Use for | Where to find it
Group policy reporting RSoP | Reporting information about the current policies being delivered to clients. | Group Policy Management Console
GPResult | A command-line utility that displays RSoP information. | Command-line utility
GPUpdate | Refreshing local and Active Directory Domain Services (AD DS)-based Group Policy settings. | Command-line utility
Dcgpofix | Restoring the default Group Policy objects to their original state after initial installation. | Command-line utility
GPOLogView | Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista®, Windows 7, and newer versions. | Command-line utility
Group Policy Management scripts | Sample scripts that perform a number of different troubleshooting and maintenance tasks. |


Common Issues and Troubleshooting Tips

Common Issue | Troubleshooting Tip
Group Policy settings are not applied to all users or computers in OU where GPO is applied | Check security filtering on GPO. Check WMI filters on GPO.
Group Policy settings sometimes need two restarts to apply | Enable wait for network before logon option


Lab Review Questions and Answers

Lab: Implementing a Group Policy Infrastructure

Question: Which policy settings are already being deployed by using Group Policy in your organization?

Answer: Answers will vary.

Question: Many organizations rely heavily on security group filtering to scope Group Policy Objects (GPOs), rather than linking GPOs to specific organizational units (OUs). In these organizations, GPOs typically are linked very high in the Active Directory logical structure—to the domain itself or to a first-level OU. What advantages do you gain by using security group filtering rather than GPO links to manage a GPO’s scope?

Answer: The fundamental problem of relying on OUs to scope the application of GPOs is that an OU is a

fixed, inflexible structure within Active Directory®, and that a single user or computer can only exist within

one OU. As organizations get larger and more complex, configuration requirements are difficult to match

in a one-to-one relationship with any container structure. With security groups, a user or computer can

exist in as many groups as necessary, and you can add or remove them easily without impacting the

security or management of the user or computer account.

Question: Why might it be useful to create an exemption group—a group that is denied the Apply Group Policy permission—for every GPO that you create?

Answer: There are very few scenarios in which you can be guaranteed that all of the settings in a GPO

always will need to apply to all users and computers within its scope. By having an exemption group, you

will always be able to respond to situations in which a user or computer must be excluded. This can also

help in troubleshooting compatibility and functionality problems. Sometimes, specific GPO settings can

interfere with the functionality of an application. To test whether the application works on a "pure"

installation of Windows®, you might need to exclude the user or computer from the scope of GPOs, at

least temporarily for testing.

Question: Do you use loopback policy processing in your organization? In which scenarios and for which policy settings can loopback policy processing add value?

Answer: Answers will vary. Scenarios could include conference rooms and kiosks, virtual desktop infrastructures, and other standard environments.

Question: In which situations have you used Resultant Set of Policy (RSoP) reports to troubleshoot Group Policy application in your organization?

Answer: The correct answer will be based on your own experience and situation.

Question: In which situations have you used, or could you anticipate using, Group Policy modeling?

Answer: The correct answer will be based on your own experience and situation.


Module 6

Managing User Desktops with Group Policy

Contents:

Lesson 1: Implementing Administrative Templates

Lesson 2: Configuring Folder Redirection and Scripts

Lesson 3: Configuring Group Policy Preferences

Lesson 4: Managing Software with Group Policy

Module Review and Takeaways

Lab Review Questions and Answers

Lesson 1

Implementing Administrative Templates

Contents:

Demonstration

Demonstration

Demonstration: Configuring Settings with Administrative Templates

Demonstration Steps

Filter Administrative Template policy settings

1.  Switch to LON-DC1.

2.  Sign in as Adatum\Administrator with the password Pa$$w0rd.

3.  From Server Manager, click Tools, and then click Group Policy Management.

4.  In the console tree, expand Forest: Adatum.com, Domains, and Adatum.com, and then click the Group Policy Objects container.

5.  Right-click the Group Policy Objects container, and then click New.

6.  In the New GPO dialog box, in the Name field, type GPO1, and then click OK.

7.  In the details pane, right-click GPO1, and then click Edit. The Group Policy Management Editor appears.

8.  In the console tree, expand User Configuration, expand Policies, and then click Administrative Templates.

9.  Right-click Administrative Templates, and then click Filter Options.

10.  Select the Enable Keyword Filters check box.

11.  In the Filter for word(s) text box, type screen saver.

12.  In the drop-down list next to the text box, select Exact, and then click OK. Administrative Templates policy settings are filtered to show only those that contain the words screen saver. Spend a few moments examining the settings that you have found.

13.  In the console tree, under User Configuration, right-click Administrative Templates, and then click Filter Options.

14.  Clear the Enable Keyword Filters check box.

15.  In the Configured drop-down list, select Yes, and then click OK. Administrative Template policy settings are filtered to show only those that have been configured (enabled or disabled). No settings have been enabled.

16.  In the console tree, under User Configuration, right-click Administrative Templates, and clear the Filter On option.

Add comments to a policy setting

1.  In the console tree, expand User Configuration, Policies, Administrative Templates, and Control Panel, and then click Personalization.

2.  Double-click the Enable screen saver policy setting.

3.  In the Comment section, type Corporate IT Security Policy implemented with this policy in combination with Password Protect the Screen Saver, and then click OK.

4.  Double-click the Password protect the screen saver policy setting. Click Enabled.

5.  In the Comment section, type Corporate IT Security Policy implemented with this policy in combination with Enable screen saver, and then click OK.


Add comments to a GPO

1.  In the console tree of the Group Policy Management Editor, right-click the root node, GPO1 [LON-DC1.ADATUM.COM], and then click Properties.

2.  Click the Comment tab.

3.  Type Adatum corporate standard policies. Settings are scoped to all users and computers in the domain. Person responsible for this GPO: your name. This comment appears on the Details tab of the GPO in the Group Policy Management Console (GPMC).

4.  Click OK, and then close the Group Policy Management Editor.

Create a new GPO by copying an existing GPO

1.  In the GPMC console tree, click the Group Policy Objects container, right-click GPO1, and then click Copy.

2.  Right-click the Group Policy Objects container, click Paste, and then click OK.

3.  Click OK.

Create a new GPO by importing settings that were exported from another GPO

1.  In the GPMC console tree, click the Group Policy Objects container, right-click GPO1, and then click Back Up.

2.  In the Location: box, type c:\ , and then click Back Up.

3.  When the backup finishes, click OK.

4.  In the GPMC console tree, right-click the Group Policy Objects container, and then click New.

5.  In the Name: box, type ADATUM Import, and then click OK.

6.  In the GPMC console tree, right-click the ADATUM Import GPO, and then click Import Settings. The Import Settings Wizard appears.

7.  Click Next three times.

8.  Select GPO1, and then click Next two times.

9.  Click Finish, and then click OK.

10.  Close the Group Policy Management console.


Lesson 2

Configuring Folder Redirection and Scripts

Contents:

Question and Answers

Demonstration

Question and Answers

Settings for Configuring Folder Redirection

Question: Users in the same department often sign in to different computers. They need access to their Documents folder. They also need data to be private. What folder redirection setting would you choose?

Answer: Create a folder for each user under the root path. This creates a Documents folder to which only the user has access.

Demonstration

Demonstration: Configuring Folder Redirection

Demonstration Steps

Create a shared folder

1.  On LON-DC1, on the taskbar, click File Explorer.

2.  In the navigation pane, click Computer.

3.  In the details pane, double-click Local Disk (C:), and then on the Home tab, click New folder.

4.  In the Name box, type Redirect and then press Enter.

5.  Right-click the Redirect folder, click Share with, and then click Specific people.

6.  In the File Sharing dialog box, click the drop-down arrow, select Everyone, and then click Add.

7.  For the Everyone group, click the Permission Level drop-down arrow, and then click Read/Write.

8.  Click Share, and then click Done.

9.  Close the Local Disk (C:) window.

Create a GPO to redirect the Documents folder

1.  Pause the mouse pointer in the lower right of the display, and then click Start.

2.  Click Administrative Tools, and then double-click Group Policy Management.

3.  Expand Forest: Adatum.com, and then expand Domains.

4.  Right-click Adatum.com, and then click Create a GPO in this domain and Link it here.

5.  In the New GPO dialog box, in the Name box, type Folder Redirection, and then click OK.

6.  Expand Adatum.com, right-click Folder Redirection GPO, and then click Edit.

7.  In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, and then expand Folder Redirection.

8.  Right-click Documents, and then click Properties.

9.  In the Document Properties dialog box, on the Target tab, next to Setting, click the drop-down arrow, and then select Basic – Redirect everyone’s folder to the same location.

10.  Ensure the Target folder location box is set to Create a folder for each user under the root path.

11.  In the Root Path box, type \\LON-DC1\Redirect, and then click OK.

12.  In the Warning dialog box, click Yes.

13.  Close all open windows.


Test folder redirection

1.  Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2.  On the Start screen, type cmd.exe, and then press Enter.

3.  At the command prompt, type the following command, and then press Enter:

gpupdate /force

4.  At the command prompt, type the following command, and then press Enter:

Y

5.  Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

6.  From the Start screen, click Desktop.

7.  Right-click the desktop, and then click Personalize.

8.  In the navigation pane, click Change desktop icons.

9.  In Desktop Icon Settings, select the User’s Files check box, and then click OK.

10.  On the desktop, double-click Administrator.

11.  Right-click My Documents, and then click Properties.

12.  In the My Document Properties dialog box, note that the location of the folder is now the Redirect network share in a subfolder named for the user.

13.  Sign out of LON-CL1.

Demonstration: Configuring Scripts with GPOs

Demonstration Steps

Create a logon script to map a network drive

1.  On LON-DC1, point to the lower right-hand corner, and then click Start.

2.  From the Start screen, type Notepad, and then press Enter.

3.  In Notepad, type the following command:

Net use t: \\LON-dc1\Redirect

4.  Click the File menu, and then click Save.

5.  In the Save As dialog box, in the File name box, type Map.bat.

6.  In the Save as type: list, select All Files (*.*).

7.  In the navigation pane, click Desktop, and then click Save.

8.  Close Notepad.

9.  On the desktop, right-click the Map.bat file, and then click Copy.

Create and link a GPO to use the script, and then store the script in the Netlogon share

1.  Open Server Manager.

2.  From Server Manager, click Tools, and then click Group Policy Management.

3.  Expand Forest: Adatum.com, and then expand Domains.

4.  Right-click Adatum.com, and then click Create a GPO in this domain and link it here.

5.  In the New GPO dialog box, in the Name box, type DriveMap, and then click OK.

6.  Expand Adatum.com, right-click the DriveMap GPO, and then click Edit.

7.  In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, and then click Scripts (Logon/Logoff).

8.  In the details pane, double-click Logon.

9.  In the Logon Properties dialog box, click Show Files. This opens the Netlogon share in Computer.

10.  In the details pane, right-click a blank area, and then click Paste.

11.  Close the Logon window.

12.  In the Logon Properties dialog box, click Add.

13.  In the Add a Script dialog box, click Browse.

14.  Click the Map.bat script, and then click Open.

15.  Click OK twice to close all dialog boxes.

16.  Close the Group Policy Management Editor and the Group Policy Management console.

Sign in to the client to test the results

1.  On LON-CL1, sign in as Adatum\Administrator with the password Pa$$w0rd.

2.  Click Desktop, and on the taskbar, click File Explorer.

3.  Verify that you have a drive mapped to \\Lon-dc1\redirect by examining the navigation pane.

4.  Sign out of LON-CL1.


Lesson 3

Configuring Group Policy Preferences

Contents:

Demonstration

Demonstration

Demonstration: Configuring Group Policy Preferences

Demonstration Steps

Configure a desktop shortcut with Group Policy preferences

1.  On LON-DC1, from Server Manager, open the Group Policy Management console.

2.  In the Group Policy Management console, click the Group Policy Objects folder, and in the details pane, right-click the Default Domain Policy, and then click Edit.

3.  Expand Computer Configuration, expand Preferences, expand Windows Settings, right-click Shortcuts, point to New, and then click Shortcut.

4.  In the New Shortcut Properties dialog box, in the Action list, select Create.

5.  In the Name box, type Notepad.

6.  In the Location box, click the arrow, and then select All Users Desktop.

7.  In the Target path box, type C:\Windows\System32\Notepad.exe.

Target the preference

1.  On the Common tab, select the Item-level targeting check box, and then click Targeting.

2.  In the Targeting Editor dialog box, click New Item, and then click Computer Name.

3.  In the Computer name box, type LON-CL1, and then click OK twice.

Configure a new folder with Group Policy preferences

1.  Under Windows Settings, right-click Folders, point to New, and then click Folder.

2.  In the New Folder dialog box, in the Action list, select Create.

3.  In the Path field, type C:\Reports.

Target the preference

1.  On the Common tab, select the Item-level targeting check box, and then click Targeting.

2.  In the Targeting Editor dialog box, click New Item, and then click Operating System.

3.  In the Product list, select Windows 8, and then click OK twice.

4.  Close the Group Policy Management Editor.

Test the preferences

1.  Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2.  Type cmd.exe, and then press Enter.

3.  At the command prompt, type the following command, and then press Enter:

gpupdate /force

4.  At the command prompt, type the following command, and then press Enter:

Y

5.  Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

6.  From Start, click Desktop.

7.  Verify the presence of the Notepad shortcut on the desktop.

8.  On the taskbar, click File Explorer.

9.  Verify the presence of the C:\Reports folder.


Lesson 4

Managing Software with Group Policy

Contents:

Question and Answers

Question and Answers

How Windows Installer Enhances Software Distribution

Question: Do users need administrative rights to install applications manually that have MSI files?

Answer: Yes. Only MSI files delivered through Group Policy use the Windows Installer service. If a user attempts to install an MSI file manually, they need administrative rights.

Question: What are some disadvantages of deploying software through Group Policy?

Answer:

Some of the disadvantages include:

•  Large applications generate a lot of network traffic.

•  You cannot control when the installation will occur.

•  Laptop users are not able to connect to the distribution point when they are not connected to the LAN.

•  The CSE that delivers software does not function over a slow link, by default.


Module Review and Takeaways

Best Practices

Best Practices Related to Group Policy Management

•  Include comments on GPO settings

•  Use a central store for Administrative Templates when you have clients running Windows Vista, Windows 7, and Windows 8

•  Use Group Policy preferences to configure settings that are not available in the Group Policy set of settings

•  Use Group Policy software installation to deploy packages in .msi format to a large number of users or computers

Review Question(s)

Question: Why do some Group Policy settings take two logons before going into effect?

Answer: Users typically sign in with cached credentials before Group Policy can apply to the current session. The settings will take effect at the next logon.

Question: How can you support Group Policy preferences on Windows XP?

Answer: You must download and install the CSEs for Group Policy preferences.

Question: What is the benefit of having a central store?

Answer: A central store is a single folder in SYSVOL that holds all the .ADMX and .ADML files that are required. After you have set up the central store, the Group Policy Management Editor recognizes it, and then loads all Administrative Templates from the central store instead of from the local machine.

Question: What is the main difference between Group Policy settings and Group Policy preferences?

Answer: Group Policy settings enforce a setting on the client side and disable the client interface for modifying it. Group Policy preferences, however, provide settings and allow the client to modify them.

Question: What is the difference between publishing and assigning software through Group Policy?

Answer: If you assign software to a user or computer, it will be installed without asking users whether they want to install it. Publishing software allows the user to decide whether to install the software.

Question: Can you use Windows PowerShell scripts as startup scripts?

Answer: Only computers that are running Windows Server 2008 R2 or Windows 7 (or newer) can run Windows PowerShell scripts.

Common Issues and Troubleshooting Tips

Common Issue: You have configured folder redirection for an OU, but none of the user’s folders are being redirected to the network location. When you look in the root folder, you observe that a subdirectory named for each user has been created, but they are empty.

Troubleshooting Tip: The problem is most likely permission-related. Group Policy creates the user’s named subdirectories, but the users do not have enough permission to create their redirected folders inside them.

Common Issue: You have assigned an application to an OU. After multiple logons, users report that no one has installed the application.

Troubleshooting Tip: The problem may be permission-related. Users need Read access to the software distribution share. Another possibility is that the software package was mapped by using a local path instead of a UNC.

Common Issue: You have a mixture of Windows XP and Windows 8 computers. After configuring several settings in the Administrative Templates of a GPO, users with Windows XP operating system report that some settings are being applied and others are not.

Troubleshooting Tip: Not all new settings apply to earlier systems such as Windows XP. Check the setting itself to see to which operating systems the setting applies.

Common Issue: Group Policy preferences are not being applied.

Troubleshooting Tip: Check the preference settings for item-level targeting or incorrect configuration.
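The folder redirection demonstration in Lesson 2 shares C:\Redirect with Everyone at Read/Write, and the first troubleshooting tip above traces empty per-user folders to permissions on the root. The following added example (not part of the course material) sets a tighter ACL on the redirection root that still lets each user create a private subfolder, then checks an existing root for both problems. The group ADATUM\Domain Users is an assumption standing in for whichever group holds the redirected users.

```powershell
# Added example, not from the course. Run elevated on the file server (LON-DC1 in the lab).
# Assumption: 'ADATUM\Domain Users' is the group whose folders are redirected.
$Path  = 'C:\Redirect'
$Users = 'ADATUM\Domain Users'

function Set-RedirectRoot {
    param([string] $Path, [string] $Users, [string] $ShareName = 'Redirect')
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # NTFS: drop inherited ACEs and the explicit Everyone ACE left by the sharing wizard.
    icacls $Path /inheritance:r | Out-Null
    icacls $Path /remove:g Everyone | Out-Null
    icacls $Path /grant:r 'SYSTEM:(OI)(CI)F' | Out-Null
    icacls $Path /grant:r 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
    # Inherit-only: whoever creates a subfolder gets full control of it and its contents.
    icacls $Path /grant:r 'CREATOR OWNER:(OI)(CI)(IO)F' | Out-Null
    # This folder only: list it, traverse it, and create a subfolder in it.
    icacls $Path /grant:r "${Users}:(RD,AD,RA,X)" | Out-Null

    # Share: let NTFS do the restricting and hide folders a user cannot open.
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $Path -FullAccess $Users, 'BUILTIN\Administrators' `
            -FolderEnumerationMode AccessBased | Out-Null
    } else {
        Grant-SmbShareAccess -Name $ShareName -AccountName $Users -AccessRight Full -Force | Out-Null
        Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force `
            -ErrorAction SilentlyContinue | Out-Null
        Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
    }
}

function Test-RedirectRoot {
    # Returns a list of findings; an empty result means the root ACL looks sound.
    param([string] $Path, [string] $Users)
    $broad    = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', $Users
    $allow    = (Get-Acl -Path $Path).Access | Where-Object { $_.AccessControlType -eq 'Allow' }
    $findings = @()

    # A broad group whose ACE inherits downward can read other users' redirected folders.
    foreach ($rule in $allow) {
        if ($broad -contains $rule.IdentityReference.Value -and $rule.InheritanceFlags -ne 'None') {
            $findings += "$($rule.IdentityReference) has $($rule.FileSystemRights) inherited by " +
                         "subfolders: redirected data is not private"
        }
    }

    # Without create-folder rights on the root, redirection cannot create the user's folder.
    $create = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    $canCreate = $allow | Where-Object {
        $_.IdentityReference.Value -eq $Users -and ($_.FileSystemRights -band $create)
    }
    if (-not $canCreate) { $findings += "$Users cannot create folders in $Path" }

    # Without the inherit-only CREATOR OWNER ACE, users cannot write inside their own folder.
    $owner = $allow | Where-Object {
        $_.IdentityReference.Value -eq 'CREATOR OWNER' -and $_.InheritanceFlags -ne 'None'
    }
    if (-not $owner) { $findings += "CREATOR OWNER has no inheritable rights on $Path" }

    $findings
}

Set-RedirectRoot  -Path $Path -Users $Users
Test-RedirectRoot -Path $Path -Users $Users
```

Running `Test-RedirectRoot` against the share exactly as the demonstration leaves it reports the Everyone entry, because the sharing wizard's Read/Write grant is inherited by every user's subfolder.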


Lab Review Questions and Answers

Lab: Managing User Desktops with Group Policy

Question: Which options can you use to separate users' redirected folders to different servers?

Answer: You can use Advanced folder redirection to choose different shared folders, on different servers, for different security groups.

Question: Can you name two methods you could use to assign a GPO to selected objects within an OU?

Answer: You could use WMI Filters to define a criterion for applying Group Policy, such as whether or not the machine is a laptop or which operating system it runs, or you could use permissions on the GPO itself to allow or deny GPO settings to users or computers.

Question: You have created Group Policy preferences to configure new power options. How can you ensure that they will be applied only to laptop computers?

Answer: Use item-level targeting to apply the preference to portable computers. Then, the preference will be applied if the hardware profile of the computer identifies it as a portable computer.


Module 7

Configuring and Troubleshooting Remote Access

Contents:

Lesson 2: Configuring VPN Access

Lesson 3: Overview of Network Policies

Module Review and Takeaways

Lab Review Questions and Answers

Lesson 2

Configuring VPN Access

Contents:

Demonstration

Demonstration

Demonstration: How to Configure VPN Access

Demonstration Steps

Configure Remote Access as a VPN server

1.  Sign in to LON-RTR as Adatum\Administrator with the password Pa$$w0rd.

2.  If necessary, on the taskbar, click the Server Manager icon.

3.  In the Details pane, click Add roles and features.

4.  In the Add Roles and Features Wizard, click Next.

5.  On the Select installation type page, click Role-based or feature based installation, and then click Next.

6.  On the Select destination server page, click Next.

7.  On the Select server roles page, select the Network Policy and Access Services check box.

8.  Click Add Features, and then click Next twice.

9.  On the Network Policy and Access Services page, click Next.

10.  On the Select role services page, verify that the Network Policy Server check box is selected, and then click Next.

11.  On the Confirm installation selections page, click Install.

12.  Verify that the installation was successful, and then click Close.

13.  Close the Server Manager window.

14.  Pause your mouse pointer in the lower left of the taskbar, and then click Start.

15.  On the Start menu, click Network Policy Server.

16.  In Network Policy Manager, in the navigation pane, right-click NPS (Local), and then click Register server in Active Directory.

17.  In the Network Policy Server message box, click OK.

18.  In the subsequent Network Policy Server dialog box, click OK.

19.  Leave the Network Policy Server console window open.

20.  Pause your mouse pointer in the lower left of the taskbar, and then click Start.

21.  In Start, click Administrative Tools, and then double-click Routing and Remote Access. If the Enable DirectAccess Wizard starts, click Cancel and then click OK.

22.  In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable Routing and Remote Access.

23.  In the dialog box, click Yes.

24.  In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure and Enable Routing and Remote Access.

25.  Click Next, click Remote access (dial-up or VPN), and then click Next.

26.  Select the VPN check box, and then click Next.

27.  Click the Local Area Connection 2 network interface, clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next.

28.  On the IP Address Assignment page, click From a specified range of addresses, and then click Next.

29.  On the Address Range Assignment page, click New. In the Start IP address field, type 172.16.0.100, in the End IP address field, type 172.16.0.110, and then click OK.

30.  Verify that 11 IP addresses were assigned for remote clients, and then click Next.

31.  On the Managing Multiple Remote Access Servers page, click Next.

32.  Click Finish.

33.  In the Routing and Remote Access dialog box, click OK.

34.  If prompted, click OK again.

Configure a VPN Client

1.  Switch to LON-CL2.

2.  Sign in as Adatum\Administrator with the password of Pa$$w0rd.

3.  Click Start, type Control, and then in the Apps list, click Control Panel.

4.  In Control Panel, click Network and Internet, click Network and Sharing Center, and then click Set up a new connection or network.

5.  On the Choose a connection option page, click Connect to a workplace, and then click Next.

6.  On the How do you want to connect page, click Use my Internet connection (VPN).

7.  Click I’ll set up an Internet connection later.

8.  On the Type the Internet address to connect to page, in the Internet address box, type 10.10.0.1.

9.  In the Destination name box, type Adatum VPN.

10.  Select the Allow other people to use this connection check box, and then click Create.

11.  In the Network And Sharing Center window, click Change adapter settings.

12.  Right-click the Adatum VPN connection, click Properties, and then click the Security tab.

13.  On the Security tab, in the Type of VPN list, click Point to Point Tunneling Protocol (PPTP).

14.  Under Authentication, click Allow these protocols, and then click OK.

15.  In the Network Connections window, right-click the Adatum VPN connection, and then click Connect/Disconnect.

16.  In the Networks list on the right, click Adatum VPN, and then click Connect.

17.  In Network Authentication, in the User name text box, type Adatum\Administrator.

18.  In the Password text box, type Pa$$w0rd, and then click OK.

19.  Wait for the VPN connection to be made. Your connection is unsuccessful. You receive an error relating to authentication issues. This will be addressed in a later demonstration.

20.  Close all open windows.


Demonstration: How to Create a Connection Profile

Demonstration Steps

Install CMAK

1.  If necessary, on LON-CL2, sign in as Adatum\administrator with the password Pa$$w0rd.

2.  Pause your mouse pointer in the lower left of the taskbar, and then click Start.

3.  In Start, type Control, and then in the Apps list, click Control Panel.

4.  In Control Panel, click Programs.

5.  In Programs, click Turn Windows features on or off.

6.  In Windows® Features, select the RAS Connection Manager Administration Kit (CMAK) check box, and then click OK.

7.  Click Close.

Create a connection profile

1.  In Control Panel, click Control Panel Home.

2.  In the View by list, click Large icons.

3.  Click Administrative Tools, and then double-click Connection Manager Administration Kit.

4.  In the Connection Manager Administration Kit Wizard, click Next.

5.  On the Select the Target Operating System page, click Windows Vista or above, and then click Next.

6.  On the Create or Modify a Connection Manager profile page, click New profile, and then click Next.

7.  On the Specify the Service Name and the File Name page, in the Service name text box, type Adatum HQ, in the File name text box, type Adatum, and then click Next.

8.  On the Specify a Realm Name page, click Do not add a realm name to the user name, and then click Next.

9.  On the Merge Information from Other Profiles page, click Next.

10.  On the Add Support for VPN Connections page, select the Phone book from this profile check box.

11.  In the VPN server name or IP address text box, type 10.10.0.1, and then click Next.

12.  On the Create or Modify a VPN Entry page, click Next.

13.  On the Add a Custom Phone Book page, clear the Automatically download phone book updates check box, and then click Next.

14.  On the Configure Dial-up Networking Entries page, click Next.

15.  On the Specify Routing Table Updates page, click Next.

16.  On the Configure Proxy Settings for Internet Explorer page, click Next.

17.  On the Add Custom Actions page, click Next.

18.  On the Display a Custom Logon Bitmap page, click Next.

19.  On the Display a Custom Phone Book Bitmap page, click Next.

20.  On the Display Custom Icons page, click Next.

21.  On the Include a Custom Help File page, click Next.

22.  On the Display Custom Support Information page, click Next.

23.  On the Display a Custom License Agreement page, click Next.

24.  On the Install Additional Files with the Connection Manager profile page, click Next.

25.  On the Build the Connection Manager Profile and Its Installation Program page, click Next.

26.  On the Your Connection Manager Profile is Complete and Ready to Distribute page, click Finish.

Examine the created profile

1.  Open Windows Explorer.

2.  In Windows Explorer, expand drive C, expand Program Files, expand CMAK, expand Profiles, expand Windows Vista and above, and then expand Adatum. These are the files that you must distribute.

3.  Close all open windows.


Lesson 3

Overview of Network Policies

Contents:

Demonstration

Demonstration

Demonstration: How to Create a Network Policy

Demonstration Steps

Create a VPN policy based on Windows Groups condition1.  Switch to LON-RTR.

2.  Switch to Network Policy Server.

3.  In Network Policy Server, expand Policies, and then click Network Policies.

4.  In the details pane, right-click the policy at the top of the list, and then click Disable.

5.  In the details pane, right-click the policy at the bottom of the list, and then click Disable.

6.  In the navigation pane, right-click Network Policies, and then click New.

7.  In the New Network Policy Wizard, in the Policy name text box, type Adatum VPN Policy.

8. 

In the Type of network access server list, click Remote Access Server(VPN-Dial up), and then clickNext.

9.  On the Specify Conditions page, click Add.

10.  In the Select condition dialog box, click Windows Groups, and then click Add.

11.  In the Windows Groups dialog box, click Add Groups.

12.  In the Select Group dialog box, in the Enter the object name to select (examples) text box, type

Domain Admins, and then click OK .

13.  Click OK again, click Next. 

14.  On the Specify Access Permission page, click Access granted, and then click Next.

15. 

On the Configure Authentication Methods page, click Next.

16.  On the Configure Constraints page, click Next.

17.  On the Configure Settings page, click Next.

18.  On the Completing New Network Policy page, click Finish.

Test the VPN

1.  Switch to LON-CL2.

2.  Pause your mouse pointer in the lower left of the taskbar, and then click Start.

3.  In Start, type Control, and then in the Apps list, click Control Panel.

4.  In Control Panel, click Network and Sharing Center.

5.  In Network and Sharing Center, click Change adapter settings.

6.  In the Network Connections window, right-click the Adatum VPN connection, and then click Connect/Disconnect.

7.  In the Networks list on the right, click Adatum VPN, and then click Connect.

8.  In Network Authentication, in the User name text box, type Adatum\Administrator.

9.  In the Password text box, type Pa$$word, and then click OK.

10.  Wait for the VPN connection to be made.

Module Review and Takeaways

Question: Your organization wants to implement a cost-effective solution that interconnects two branch offices with your head office. In what way could VPNs play a role in this scenario?

Answer: You could implement VPNs in a site-to-site configuration over the Internet to provide the necessary routing capabilities.

Question: The IT manager at your organization is concerned about opening too many firewall ports to facilitate remote access from users that are working from home through a VPN. How could you meet the expectations of your remote users while allaying your manager’s concerns?

Answer: Implement SSTP as the tunneling protocol. This implements a connection by using HTTPS. This protocol relies on TCP port 443, a port that is typically already open on corporate firewalls to facilitate connections to other applications and services, for example Microsoft Outlook® Web App and Web services.

Question: You have a VPN server with two configured network policies. The first has a condition that grants access to members of the Contoso group, to which everyone in your organization belongs, but has a constraint of Day and Time restrictions for office hours only. The second policy has a condition of membership of the Domain Admins group and no constraints. Why are administrators being refused connections out of office hours, and what can you do about it?

Answer: Administrators are also members of the Contoso group, and therefore the first policy condition is met. The second policy is not processed. The solution is either to remove the administrators from the Contoso group, or change the policy order so that the administrator policy is first in the list.

Question: How does the DirectAccess client determine if it is connected to the intranet or the Internet?

Answer: When you configure the DirectAccess server, you need to determine the computer that will be an NLS. The NLS should be a highly available web server. Based on the response from this web server, the DirectAccess client determines if it is connected to the intranet or the Internet.

Question: What is the use of an NRPT?

Answer: The NRPT stores a list of DNS namespaces and their corresponding configuration settings. These settings define the DNS server to contact, and the DNS client behavior for that namespace.

Tools

Tool          | Use for                                                | Where to find it
Services.msc  | Managing Windows services                              | Administrative Tools; Launch from Run
Gpedit.msc    | Editing the local Group Policy                         | Launch from Run
Mmc.exe       | Creating and managing the Microsoft Management Console | Launch from Run
Gpupdate.exe  | Managing Group Policy application                      | Run from a command-line

Lab Review Questions and Answers

Lab A: Configuring Remote Access

Exercise 1: Configuring VPN Clients

Question: In the lab, you configured the VPN server to allocate an IP address configuration by using a static pool of addresses. Is there an alternative, and if so, what is it?

Answer: Yes, you could use a DHCP server on the internal network to allocate addresses.

Exercise 2: Configuring VPN Clients

Question: If you use the alternative solution, how many addresses are allocated to the VPN server at one time?

Answer: The DHCP server allocates the VPN server blocks of 10 addresses at a time to allocate to remote clients.

Exercise 3: Configuring VPN Clients

Question: In the lab, you configured a policy condition of tunnel type and a constraint of a day and time restriction. If there were two policies, the one you created plus an additional one that had a condition of membership of the Domain Admins group and constraints of tunnel type (PPTP or L2TP), why might your administrators be unable to connect out of office hours?

Answer: The administrators are affected by the first policy, because they are using the tunnel type of either PPTP or L2TP. Change the policy order.
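The policy-ordering behaviour in the answer above, and in the Module Review question about the Contoso and Domain Admins policies, as an added Python model (not part of the course material and not NPS code). The office hours of 09:00 to 17:00, the policy names for the lab scenario, the sample request and all function names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """The facts about one connection attempt that the policies look at."""
    user: str
    groups: frozenset
    tunnel_type: str
    at: time


Check = Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    conditions: List[Check]  # all must match for the policy to be selected
    constraints: List[Check] = field(default_factory=list)  # all must pass once selected


def member_of(group: str) -> Check:
    return lambda r: group in r.groups


def tunnel_in(*types: str) -> Check:
    return lambda r: r.tunnel_type in types


def office_hours(start: time = time(9, 0), end: time = time(17, 0)) -> Check:
    # Assumed office hours; the course text does not give the actual times.
    return lambda r: start <= r.at < end


def evaluate(policies: List[Policy], request: Request) -> Tuple[str, Optional[str]]:
    """Walk the ordered list; the first policy whose conditions match decides.

    A failed constraint rejects the request, and later policies are not processed.
    """
    for policy in policies:
        if all(cond(request) for cond in policy.conditions):
            ok = all(con(request) for con in policy.constraints)
            return ("accept" if ok else "reject", policy.name)
    return ("reject", None)  # no policy matched


# Module Review scenario: everyone, administrators included, is in Contoso.
contoso = Policy("Contoso", [member_of("Contoso")], [office_hours()])
admins = Policy("Domain Admins", [member_of("Domain Admins")])

# Lab Review scenario: tunnel type is a condition in one policy and a
# constraint in the other.
lab_tunnel = Policy("Lab tunnel policy", [tunnel_in("PPTP", "L2TP")], [office_hours()])
lab_admins = Policy("Lab admins policy", [member_of("Domain Admins")],
                    [tunnel_in("PPTP", "L2TP")])

# Constructed requests: the same administrator over L2TP, at night and at midday.
admin_at_night = Request("ADATUM\\Administrator",
                         frozenset({"Contoso", "Domain Admins"}), "L2TP", time(22, 0))
admin_at_midday = Request("ADATUM\\Administrator",
                          frozenset({"Contoso", "Domain Admins"}), "L2TP", time(12, 0))

if __name__ == "__main__":
    for label, order in [
        ("module review, original order", [contoso, admins]),
        ("module review, admins first", [admins, contoso]),
        ("lab review, original order", [lab_tunnel, lab_admins]),
        ("lab review, admins first", [lab_admins, lab_tunnel]),
    ]:
        print(label, "->", evaluate(order, admin_at_night))
```

In both scenarios the administrator's request never reaches the second policy in the original order, which is why changing the order, not editing the second policy, resolves the refusal.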

Lab B: Configuring DirectAccess

Question: Why would you use a GPO to configure certificate deployment?

Answer: You would use a GPO to quickly deploy the required certificates to the DirectAccess clients with the least amount of effort.

Question: How do you install the DirectAccess feature?

Answer: You use Server Manager to install the Remote Access role, which provides the configuration option for DirectAccess. Alternatively, you could also install this role by using the Windows PowerShell command-line interface.

Module 8

Installing, Configuring, and Troubleshooting the Network Policy Server Role

Contents:

Lesson 1: Installing and Configuring a Network Policy Server

Lesson 2: Configuring RADIUS Clients and Servers

Lesson 4: Monitoring and Troubleshooting a Network Policy Server

Module Review and Takeaways

Lab Review Questions and Answers

Lesson 1

Installing and Configuring a Network Policy Server

Contents:

Additional Reading

Demonstration

Additional Reading

What Is a Network Policy Server?

Note: You might want to draw a diagram that shows the relationship between these elements. Use this link to see a sample diagram:

RADIUS Proxy http://go.microsoft.com/fwlink/?LinkID=214827&clcid=0x409

Demonstration

Demonstration: Installing the Network Policy Server Role

Demonstration Steps

Install the NPS Role

1.  Switch to LON-DC1.

2.  Sign in as Adatum\Administrator with the password Pa$$w0rd.

3.  If necessary, on the taskbar, click Server Manager.

4.  In the details pane, click Add roles and features.

5.  In the Add Roles and Features Wizard, click Next.

6.  On the Select installation type page, click Role-based or feature based installation, and then click Next.

7.  On the Select destination server page, click Next.

8.  On the Select server roles page, select the Network Policy and Access Services check box.

9.  Click Add Features, and then click Next twice.

10.  On the Network Policy and Access Services page, click Next.

11.  On the Select role services page, verify that the Network Policy Server check box is selected, and then click Next.

12.  On the Confirm installation selections page, click Install.

13.  Verify that the installation was successful, and then click Close.

14.  Close the Server Manager window.

Register NPS in AD DS

1.  Pause your mouse pointer in the lower-left of the taskbar, and then click Start.

2.  Click Network Policy Server.

3.  In Network Policy Manager, in the navigation pane, right-click NPS (Local), and then click Register server in Active Directory.

4.  In the Network Policy Server message box, click OK.

5.  In the subsequent Network Policy Server dialog box, click OK.

6.  Leave the Network Policy Server console window open.

Demonstration: Configuring General NPS Settings

Demonstration Steps

Configure a RADIUS server for VPN connections

1.  On LON-DC1, in the Network Policy Server console, in the Getting Started details pane, open the drop-down list under Standard Configuration, and then click RADIUS server for Dial-Up or VPN Connections.

2.  Under Radius server for Dial-Up or VPN Connections, click Configure VPN or Dial-Up.

3.  In the Configure VPN or Dial-Up Wizard, click Virtual Private Network (VPN) Connections, accept the default name, and then click Next.

4.  On the RADIUS clients page, click Add.

5.  In the New RADIUS Client dialog box, in the Friendly Name box, type LON-RTR, and then click Verify.

6.  In the Verify Address dialog box, in the Address box, type LON-RTR, click Resolve, and then click OK.

7.  In the New RADIUS Client dialog box, in the Shared secret and Confirm shared secret boxes, type Pa$$w0rd, and then click OK.

8.  On the Specify Dial-Up or VPN Server page, click Next.

9.  On the Configure Authentication Methods page, ensure that the Microsoft Encrypted Authentication version 2 (MS-CHAPv2) check box is selected, and then click Next.

10.  On the Specify User Groups page, click Next.

11.  On the Specify IP Filters page, click Next.

12.  On the Specify Encryption Settings page, click Next.

13.  On the Specify a Realm Name page, click Next.

14.  On the Completing New Dial-Up or Virtual Private Network Connections and RADIUS clients page, click Finish.

Save the configuration

1.  Pause your mouse pointer in the lower-left of the taskbar, and then click Start.

2.  In Start, click Windows PowerShell.

3.  At the Windows PowerShell® command prompt, type the following command, and then press Enter:

Export-NpsConfiguration -Path lon-dc1.xml

4.  At the Windows PowerShell command prompt, type the following command, and then press Enter:

Notepad lon-dc1.xml

5.  Scroll through the file, and then discuss the contents. Close the file.

Lesson 2

Configuring RADIUS Clients and Servers

Contents:

Demonstration

Demonstration

Demonstration: Configuring a RADIUS Client

Demonstration Steps

1.  Switch to LON-RTR.

2.  Sign in as Adatum\Administrator with the password Pa$$w0rd.

3.  Pause your mouse pointer in the lower-left of the taskbar, and then click Start.

4.  On the Start screen, click Administrative Tools, and then double-click Routing and Remote Access.

5.  If required, at the Enable DirectAccess Wizard dialog box, click Cancel. Click OK.

6.  In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable Routing and Remote Access.

7.  In the dialog box, click Yes.

8.  In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure and Enable Routing and Remote Access.

9.  Click Next, select Remote access (dial-up or VPN), and then click Next.

10.  Select the VPN check box, and then click Next.

11.  Click the network interface called Local Area Connection 2. Clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next.

12.  On the IP Address Assignment page, select From a specified range of addresses, and then click Next.

13.  On the Address Range Assignment page, click New. Type 172.16.0.100 next to Start IP address and 172.16.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients, and then click Next.

14.  On the Managing Multiple Remote Access Servers page, click Yes, setup this server to work with a RADIUS server, and then click Next.

15.  On the RADIUS Server Selection page, in the Primary RADIUS server box, type LON-DC1.

16.  In the Shared secret box, type Pa$$w0rd, and then click Next.

17.  Click Finish.

18.  In the Routing and Remote Access dialog box, click OK.

19.  If prompted again, click OK.

Demonstration: Creating a Connection Request Policy

Demonstration Steps

1.  Switch to the LON-DC1 computer.

2.  Switch to Network Policy Server console.

3.  In Network Policy Server, expand Policies, and then click Connection Request Policies. Notice the presence of the Virtual Private Network (VPN) Connections policies. The wizard created these automatically when you specified the NPS role of this server.

4.  Right-click Connection Request Policies, and then click New.

5.  In the New Connection Request Policy Wizard, in the Policy name box, type Adatum VPN.

6.  In the Type of network access server list, click Remote Access Server (VPN-Dial up), and then click Next.

7.  On the Specify Conditions page, click Add.

8.  In the Select condition dialog box, select NAS Port Type, and then click Add.

9.  In the NAS Port Type dialog box, select the Virtual (VPN) check box, and then click OK. Click Next.

10.  On the Specify Connection Request Forwarding page, click Next.

11.  On the Specify Authentication Methods page, click Next.

12.  On the Configure Settings page, click Next.

13.  On the Completing Connection Request Policy Wizard page, click Finish.

14.  In the Connection Request Policies list, right-click Adatum VPN, and then click Move Up.

15.  Ensure that the Adatum VPN policy has a processing order of 1. If not, repeat step 14.

Lesson 4

Monitoring and Troubleshooting a Network Policy Server

Contents:

Additional Reading

Additional Reading

Methods Used to Monitor NPS

Note: To interpret logged data, view the information on the Microsoft TechNet website:

Interpret NPS Database Format Log Files

http://go.microsoft.com/fwlink/?LinkID=214832&clcid=0x409 

Module Review and Takeaways

Review Question(s)

Question: How can you make the most effective use of the NPS logging features?

Answer: You can make the most effective use of the NPS logging features by performing the following tasks:

•  Turn on logging (initially) for both authentication and accounting records. Modify these selections after you determine what is appropriate for your environment.

•  Ensure that you configure event logging with sufficient capacity to maintain your logs.

•  Back up all log files on a regular basis, because you cannot recreate them when they become damaged or are deleted.

•  Use the RADIUS Class attribute to track usage and simplify the identification of which department or user to charge for usage. Although the Class attribute, which is automatically generated, is unique for each request, duplicate records might exist in cases where the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to track usage accurately.

•  To provide failover and redundancy with SQL Server logging, place two computers that are running SQL Server on different subnets. Use the SQL Server Create Publication Wizard to configure database replication between the two servers.
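The duplicate-record problem from the Class attribute task above, as an added Python example (not part of the course material). The five-column layout, the Class values and the user names are constructed for illustration and are not the real NPS log field order; interim accounting records are not modelled.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in a simplified layout (an assumption, NOT the NPS format):
# timestamp, packet type, user name, Class attribute, session seconds
SAMPLE_LOG = """\
2019-08-10 08:00:00,Accounting-Start,alice,cls-0001,0
2019-08-10 08:30:00,Accounting-Stop,alice,cls-0001,1800
2019-08-10 08:30:03,Accounting-Stop,alice,cls-0001,1800
2019-08-10 09:00:00,Accounting-Start,bob,cls-0002,0
2019-08-10 09:10:00,Accounting-Stop,bob,cls-0002,600
2019-08-10 10:00:00,Accounting-Start,alice,cls-0003,0
2019-08-10 10:00:02,Accounting-Start,alice,cls-0003,0
2019-08-10 10:05:00,Accounting-Stop,alice,cls-0003,300
"""

FIELDS = ("timestamp", "packet_type", "user", "class_attr", "seconds")


def parse(log_text):
    """Turn the comma-separated sample into a list of dicts."""
    rows = []
    for raw in csv.reader(io.StringIO(log_text)):
        if not raw:
            continue  # skip blank lines
        row = dict(zip(FIELDS, raw))
        row["seconds"] = int(row["seconds"])
        rows.append(row)
    return rows


def drop_resent(rows):
    """Keep the first record for each (Class, packet type) pair.

    A resent request carries the same Class value as the original, so a
    second record with the same pair is treated as a duplicate.
    """
    seen = set()
    unique, duplicates = [], []
    for row in rows:
        key = (row["class_attr"], row["packet_type"])
        if key in seen:
            duplicates.append(row)
        else:
            seen.add(key)
            unique.append(row)
    return unique, duplicates


def usage_by_user(rows):
    """Total session seconds per user, counted from stop records only."""
    totals = defaultdict(int)
    for row in rows:
        if row["packet_type"] == "Accounting-Stop":
            totals[row["user"]] += row["seconds"]
    return dict(totals)


if __name__ == "__main__":
    records = parse(SAMPLE_LOG)
    unique, duplicates = drop_resent(records)
    print("usage with duplicates:", usage_by_user(records))
    print("usage after clean-up: ", usage_by_user(unique))
    print("records dropped:      ", len(duplicates))
```

Without the clean-up step the resent stop record bills the first user twice for the same session.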

Question: What consideration must you follow if you choose to use a nonstandard port assignment for RADIUS traffic?

Answer: If you do not use the RADIUS default port numbers, you must configure exceptions on the firewall for the local computer to allow RADIUS traffic on the new ports.

Question: Why must you register the NPS server in Active Directory?

Answer: When NPS is a member of an Active Directory domain, NPS performs authentication by comparing user credentials that it receives from network access servers with the user-account credentials that Active Directory stores. NPS authorizes connection requests by using network policy and by checking user account dial-in properties in Active Directory. You must register the NPS server in Active Directory to have permission to access user-account credentials and dial-in properties.

Tools

Tool                    | Use for                                                                                      | Where to find it
Network Policy Server   | Managing and creating Network Policy                                                         | Network Policy Server on the Administrative Tools menu
Netsh command-line tool | Creating administrative scripts for configuring and managing the Network Policy Server role | In a Command Prompt window, type netsh -c nps to administer from a command prompt
Event Viewer            | Viewing logged information from application, system, and security events                    | Event Viewer on the Administrative Tools menu

Lab Review Questions and Answers

Lab: Installing and Configuring a Network Policy Server

Question: What does a RADIUS proxy provide?

Answer: When you use NPS as a RADIUS proxy, NPS forwards connection requests to NPS or other RADIUS servers for processing. Because of this, the domain membership of the NPS proxy is irrelevant. The proxy does not need to be registered in the AD DS because it does not need access to the dial-in properties of user accounts. Additionally, you do not need to configure network policies on an NPS proxy, because the proxy does not perform authorization for connection requests. The NPS proxy can be a domain member or it can be a stand-alone server with no domain membership.

Question: What is a RADIUS client, and what are some examples of RADIUS clients?

Answer: A NAS is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting.

Examples of RADIUS clients are:

•  Network access servers that provide remote access connectivity to an organization network or the Internet. An example is a computer that is running Windows Server 2012 and the Routing and Remote Access service, which provides either traditional dial-up or VPN remote-access services to an organization’s intranet.

•  Wireless access points that provide physical layer access to an organization’s network by using wireless-based transmission and reception technologies.

•  Switches that provide physical-layer access to an organization’s network, by using traditional LAN technologies such as Ethernet.

•  RADIUS proxies that forward connection requests to RADIUS servers that are members of a remote RADIUS server group that you configure on the RADIUS proxy.

Module 9

Implementing Network Access Protection

Contents:

Lesson 3: Configuring NAP

Lesson 4: Monitoring and Troubleshooting NAP

Module Review and Takeaways

Lab Review Questions and Answers

Lesson 3

Configuring NAP

Contents:

Demonstration

Demonstration

Demonstration: Configuring NAP

Demonstration Steps

Install the NPS server role

1.  Switch to LON-DC1 and sign in as Adatum\administrator with the password Pa$$w0rd.

2.  If necessary, on the taskbar, click Server Manager.

3.  In the details pane, click Add roles and features.

4.  In the Add Roles and Features Wizard, click Next.

5.  On the Select installation type page, click Role-based or feature based installation, and then click Next.

6.  On the Select destination server page, click Next.

7.  On the Select server roles page, select the Network Policy and Access Services check box.

8.  Click Add Features, and then click Next twice.

9.  On the Network Policy and Access Services page, click Next.

10.  On the Select role services page, verify that the Network Policy Server check box is selected, and then click Next.

11.  On the Confirm installation selections page, click Install.

12.  Verify that the installation was successful, and then click Close.

13.  Close the Server Manager window.

Configure NPS as a NAP health policy server

1.  Pause your mouse pointer in the lower-left corner of the taskbar, and then click Start.

2.  On the Start screen, click Network Policy Server.

3.  In the navigation pane, expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.

4.  In the right pane under Name, double-click Default Configuration.

5.  In the navigation pane, click Windows 8/Windows 7/Windows Vista.

6.  In the details pane, clear all check boxes except the A firewall is enabled for all network connections check box.

7.  Click OK to close the Windows Security Health Validator dialog box.

Configure health policies

1.  In the navigation pane, expand Policies.

2.  Right-click Health Policies and then click New.

3.  In the Create New Health Policy dialog box, under Policy name, type Compliant.

4.  Under Client SHV checks, verify that Client passes all SHV checks is selected.

5.  Under SHVs used in this health policy, select the Windows Security Health Validator check box.

6.  Click OK.

7.  Right-click Health Policies and then click New.

8.  In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.

9.  Under Client SHV checks, select Client fails one or more SHV checks.

10.  Under SHVs used in this health policy, select the Windows Security Health Validator check box.

11.  Click OK.

Configure network policies for compliant computers

1.  In the navigation pane, under Policies, click Network Policies.

2.  Important: Disable the two default policies found under Policy Name by right-clicking the policies, and then clicking Disable.

3.  Right-click Network Policies and then click New.

4.  On the Specify Network Policy Name and Connection Type page, under Policy name, type Compliant-Full-Access, and then click Next.

5.  On the Specify Conditions page, click Add.

6.  In the Select condition dialog box, double-click Health Policies.

7.  In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.

8.  On the Specify Conditions page, click Next.

9.  On the Specify Access Permission page, click Next.

10.  On the Configure Authentication Methods page, clear all check boxes, select the Perform machine health check only check box, and then click Next.

11.  Click Next again.

12.  On the Configure Settings page, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next.

13.  On the Completing New Network Policy page, click Finish.

Configure network policies for noncompliant computers

1.  Right-click Network Policies, and then click New.

2.  On the Specify Network Policy Name And Connection Type page, under Policy name, type Noncompliant-Restricted, and then click Next.

3.  On the Specify Conditions page, click Add.

4.  In the Select condition dialog box, double-click Health Policies.

5.  In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.

6.  On the Specify Conditions page, click Next.

7.  On the Specify Access Permission page, verify that Access granted is selected, and then click Next.

8.  On the Configure Authentication Methods page, clear all check boxes, select the Perform machine health check only check box, and then click Next.

9.  Click Next again.

10.  On the Configure Settings page, click NAP Enforcement. Click Allow limited access.

11.  Clear the Enable auto-remediation of client computers check box.

12.  Click Next, and then click Finish.

Configure the DHCP server role for NAP

1.  Pause your mouse pointer in the lower-left corner of the taskbar, and then click Start.

2.  In Start, click Administrative Tools, and then double-click DHCP.

3.  In DHCP, expand LON-DC1.Adatum.com, expand IPv4, right-click Scope [172.16.0.0] Adatum, and then click Properties.

4.  In the Scope [172.16.0.0] Adatum Properties dialog box, click the Network Access Protection tab, click Enable for this scope, and then click OK.

5.  In the navigation pane, under Scope [172.16.0.0] Adatum, click Policies.

6.  Right-click Policies, and then click New Policy.

7.  In the DHCP Policy Configuration Wizard, in the Policy Name box, type NAP Policy, and then click Next.

8.  On the Configure Conditions for the policy page, click Add.

9.  In the Add/Edit Condition dialog box, in the Criteria list, click User Class.

10.  In the Operator list, click Equals.

11.  In the Value list, click Default Network Access Protection Class, and then click Add.

12.  Click OK, and then click Next.

13.  On the Configure settings for the policy page, click No, and then click Next.

14.  On the subsequent Configure settings for the policy page, in the Vendor class list, click DHCP Standard Options.

15.  In the Available Options list, select the 006 DNS Servers check box.

16.  In the IP address box, type 172.16.0.10, and then click Add.

17.  In the Available Options list, select the 015 DNS Domain Name check box.

18.  In the String value box, type restricted.adatum.com, and then click Next.

19.  On the Summary page, click Finish.

20.  Close DHCP.

Configure client NAP settings

1.  Switch to the LON-CL1 computer, and then sign in as Adatum\administrator with the password Pa$$w0rd.

2.  On the Start screen, type napclcfg.msc, and then press Enter.

3.  In NAPCLCFG – [NAP Client Configuration (Local Computer)], in the navigation pane, click Enforcement Clients.

4.  In the results pane, right-click DHCP Quarantine Enforcement Client, and then click Enable.

5.  Close NAPCLCFG – [NAP Client Configuration (Local Computer)].

6.  Pause your mouse in the lower-left of the taskbar, and then click Start.

7.  On the Start screen, type Services.msc, and then press Enter.

8.  In Services, in the results pane, double-click Network Access Protection Agent.

9.  In the Network Access Protection Agent Properties (Local Computer) dialog box, in the Startup type list, click Automatic.

10.  Click Start, and then click OK.

11.  Pause your mouse in the lower-left of the taskbar, and then click Start.

12.  On the Start screen, type gpedit.msc, and then press Enter.

13.  In the console tree, expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Security Center.

14.  Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.

15.  Close the console window.

16.  Pause your mouse pointer in the lower-right of the taskbar, and then click Settings.

17.  In the Settings list, click Control Panel.

18.  In Control Panel, click Network and Internet.

19.  In Network and Internet, click Network and Sharing Center.

20.  In Network and Sharing Center, in the left pane, click Change adapter settings.

21.  Right-click Local Area Connection, and then click Properties.

22.  In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).

23.  In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically.

24.  Click Obtain DNS server address automatically, and then click OK.

25.  In the Local Area Connection Properties dialog box, click OK.

Test NAP

1.  Pause your mouse in the lower-left of the taskbar, and then click Start.

2.  On the Start screen, type cmd.exe, and then press Enter.

3.  At the command prompt, type the following command, and then press Enter:

Ipconfig

4.  Switch to Services.

5.  In Services, in the results pane, double-click Windows Firewall.

6.  In the Windows Firewall Properties (Local Computer) dialog box, in the Startup type list, click Disabled.

7.  Click Stop, and then click OK.

8.  In the System Tray area, click the Network Access Protection pop-up warning. Review the information in the Network Access Protection dialog box. Click Close.

Note: You may not receive a warning in the System Tray area, depending upon the point at which your computer becomes non-compliant.

9.  At the command prompt, type the following command, and then press Enter:

Ipconfig

10.  Notice that the computer has a subnet mask of 255.255.255.255 and a Domain Name System (DNS) Suffix of restricted.Adatum.com. Leave all windows open.

Lesson 4

Monitoring and Troubleshooting NAP

Contents:

Demonstration

Demonstration

Demonstration: Configuring NAP Tracing

Demonstration Steps

Configure tracing from the GUI

1.  Switch to LON-CL1.

2.  Pause your mouse in the lower-left of the taskbar, and then click Start.

3.  On the Start screen, type napclcfg.msc, and then press Enter.

4.  In the NAPCLCFG – [NAP Client Configuration (Local Computer)] console, in the navigation pane, right-click NAP Client Configuration (Local Computer) from the console tree, and then click Properties.

5.  On the General tab, click Enabled, and in the Basic list, click Advanced, and then click OK .

Configure tracing from the command line

1.  Switch to the command prompt.

2.  At the command prompt, type the following command, and then press Enter:

netsh nap client set tracing state = enable


Module Review and Takeaways

Review Question(s)

Question: What are the three main client configurations that you need to configure for most NAP deployments?

Answer: Some NAP deployments that use Windows Security Health Validator require that you enable Security Center. The Network Access Protection service is required when you deploy NAP to NAP-capable client computers. You also must configure the NAP enforcement clients on the NAP-capable computers.

Question: You want to evaluate the overall health and security of the NAP enforced network. What do

you need to do to start recording NAP events?

Answer: NAP trace logging is disabled by default, but you should enable it if you want to troubleshoot NAP-related problems or evaluate the overall health and security of your organization’s computers. You can use the NAP Client Management console or the netsh command-line tool to enable logging functionality.

Question: On a client computer, what steps must you perform to ensure that its health is assessed?

Answer: You must perform the following steps to ensure that it can be assessed for health:

•  Enable the NAP enforcement client.

•  Enable the Security Center.

•  Start the NAP agent service.

Tools

Tool: Services
Use for: Enable and configure the NAP service on client computers.
Where to find it: Click Start, click Control Panel, click System and Maintenance, click Administrative Tools, and then double-click Services.

Tool: Netsh nap
Use for: Using netsh, you can create scripts to configure a set of NAP automatically, and display the configuration and status of the NAP client service.
Where to find it: Open a command window with administrative rights, and then type netsh -c nap. You can type help to get a full list of available commands.

Tool: Group Policy
Use for: Some NAP deployments that use Windows Security Health Validator require that Security Center is enabled.
Where to find it: Enable the Turn on Security Center (Domain PCs only) setting in the Computer Configuration/Administrative Templates/Windows Components/Security Center sections of Group Policy.


Lab Review Questions and Answers

Lab: Implementing NAP

Question: The DHCP NAP enforcement method is the weakest enforcement method in Windows Server

2012. Why is it a less preferable enforcement method than other available methods?

Answer: It is less preferable because a manually assigned IP address on the client machine circumvents

DHCP NAP enforcement.

Question: Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit

would this scenario provide?

Answer: Yes. You can use one or all of the NAP solutions in an environment. One benefit is that this

solution would use IPsec to secure communication on the intranet, and not just the tunnel between the

Internet host and the Routing and Remote Access server.

Question: Could you have used DHCP NAP enforcement for the client? Why or why not?

Answer: No. It would not have worked, because the IP addresses assigned to the Routing and Remote

Access client are coming from a static pool on the Routing and Remote Access server itself.


Module 10

Optimizing File Services

Contents:

Lesson 1: Overview of FSRM

Lesson 2: Using FSRM to Manage Quotas, File Screens, and Storage Reports

Lesson 3: Implementing Classification and File Management Tasks

Lesson 4: Overview of DFS

Lesson 5: Configuring DFS Namespaces

Lesson 6: Configuring and Troubleshooting DFS-R

Module Review and Takeaways

Lab Review Questions and Answers


Lesson 1

Overview of FSRM

Contents:

Question and Answers

Demonstration


Question and Answers

Understanding Capacity Management Challenges

Question: What capacity management challenges have you experienced or are you experiencing in your

environment?

Answer: While answers may vary, guide the students toward a conversation that involves incorporating

the points in this topic as they relate to their specific examples.

Demonstration

Demonstration: How to Install and Configure FSRM

Demonstration Steps

Install the FSRM role service

1.  Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

2.  In Server Manager, click Manage, and then click Add Roles and Features.

3.  In the Add Roles and Features Wizard, click Next.

4.  Confirm that role-based or feature-based installation is selected, and then click Next.

5.  Confirm that LON-SVR1.Adatum.com is selected, and then click Next.

6.  On the Select server roles page, expand File and Storage Services (Installed), expand File and iSCSI Services, and then select the File Server Resource Manager check box.

7.  In the pop-up window, click Add Features.

8.  Click Next twice to confirm role service and feature selection.

9.  On the Confirm installation selections page, click Install.

10.  When the installation completes, click Close.

Specify FSRM configuration options

1.  In Server Manager, click Tools, and then click File Server Resource Manager.

2.  In the File Server Resource Manager window, in the navigation pane, right-click File Server Resource

Manager (Local), and then click Configure Options.

3.  In the File Server Resource Manager Options window, click the File Screen Audit tab, and then select

the Record file screening activity in auditing database check box.

4.  Click OK to close the File Server Resource Manager Options window.

Manage FSRM by using Windows PowerShell

1.  On the taskbar, click the Windows PowerShell icon.

2.  At the Windows PowerShell command prompt, type the following, and then press Enter:

Set-FsrmSetting -SmtpServer "LON-SVR1" -AdminEmailAddress "[email protected]" -FromEmailAddress "[email protected]"

3.  Close the Windows PowerShell window.

4.  In the File Server Resource Manager window, in the navigation pane, right-click File Server Resource

Manager (Local), and then click Configure Options.


5.  On the Email Notifications tab, review the configured options to confirm that they are the same as the options specified in the Set-FsrmSetting command.

6.  Close all open windows.


Lesson 2

Using FSRM to Manage Quotas, File Screens, and Storage Reports

Contents:

Demonstration


Demonstration

Demonstration: Using FSRM to Manage Quotas and File Screens, and to Generate On-Demand Storage Reports

Demonstration Steps

Create a quota

1.  Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

2.  On the taskbar, click the Server Manager shortcut.

3.  In Server Manager, click Tools, and then click File Server Resource Manager.

4.  In File Server Resource Manager, expand the Quota Management node, and then click Quota

Templates.

5.  Right-click the 100 MB Limit template, and then click Create quota from template.

6.  In the Create Quota window, click Browse.

7.  In the Browse for Folder window, expand Allfiles (E:), expand Labfiles, expand Mod10, click Data, and then click OK.

8.  In the Create Quota window, click Create.

9.  In the File Server Resource Manager window, click Quotas to view the newly created quota.

Test a quota

1.  On the taskbar, click the Windows PowerShell icon.

2.  In the Windows PowerShell window, type the following commands, and press Enter after each line:

E:

cd \labfiles\Mod10\data

Fsutil file createnew largefile.txt 130000000

3.  Observe the message returned: Error: There is not enough space on the disk.

4.  Close the Windows PowerShell window.

Create a file screen

1.  In the File Server Resource Manager window, expand the File Screening Management node, and

then click File Screen Templates.

2.  Right-click the Block Image Files template, and then click Create File Screen from Template.

3.  In the Create File Screen window, click Browse.

4.  In the Browse for Folder window, expand Allfiles (E:), expand Labfiles, expand Mod10, click Data, and then click OK.

5.  In the Create File Screen window, click Create.

Test a file screen

1.  Open Windows Explorer.

2.  In the Windows Explorer window, expand Allfiles (E:), expand Labfiles, and then click Mod10.

3.  In Windows Explorer, click the Home tab, click New Item, and then click Bitmap Image.

4.  Type testimage, and then press Enter.


5.  The file will be created successfully.

6.  Right-click testimage, and then click Copy.

7.  Right-click Data, and then click Paste.

8.  You will receive a message that you need permission to perform this action. Click Skip to clear the message.

9.  Close Windows Explorer.

Generate a storage report

1.  In File Server Resource Manager, in the navigation pane, click and right-click Storage Reports

Management, and then click Generate Reports Now.

2.  In the Storage Reports Task Properties window, select the Large Files check box.

3.  Click the Scope tab, and then click Add.

4.  In the Browse for Folder window, click Allfiles (E:), and then click OK.

5.  In the Storage Reports Task Properties window, click OK.

6.  In the Generate Storage Reports window, click OK to generate the report.

7.  In the window that displays, double-click the html file and examine the report.

8.  Close the report window.

9.  Close the Interactive window.

10.  Close the File Server Resource Manager window.

11.  Close the Server Manager window.
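
The quota and file screen steps of this demonstration can also be scripted and verified from Windows PowerShell. The following is an added example, not part of the course material; it assumes the FSRM role service is installed, that the lab folder E:\Labfiles\Mod10\Data exists, and that it runs in an elevated session on LON-SVR1.

```powershell
# Added example: scripted version of the quota and file screen steps above.
# Assumes the FSRM role service is installed and the lab folder exists.
Import-Module FileServerResourceManager

$dataPath = 'E:\Labfiles\Mod10\Data'

# Apply the built-in templates only if nothing is configured on the folder yet
# (the GUI steps in the demonstration may already have created them).
if (-not (Get-FsrmQuota -Path $dataPath -ErrorAction SilentlyContinue)) {
    New-FsrmQuota -Path $dataPath -Template '100 MB Limit' | Out-Null
}
if (-not (Get-FsrmFileScreen -Path $dataPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $dataPath -Template 'Block Image Files' | Out-Null
}

# Confirm what is actually enforced. A hard quota (SoftLimit = False) and an
# active screen (Active = True) block writes; soft or passive ones only report.
Get-FsrmQuota -Path $dataPath | Format-List Path, Size, SoftLimit, Usage
Get-FsrmFileScreen -Path $dataPath | Format-List Path, Active, IncludeGroup

# Quota test: same fsutil call as in the demonstration, checked by exit code.
$largeFile = Join-Path $dataPath 'largefile.txt'
& fsutil.exe file createnew $largeFile 130000000 | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Output 'Quota enforced: the 130,000,000-byte file was rejected.'
} else {
    Remove-Item -Path $largeFile
    Write-Warning 'Quota NOT enforced: the oversized file was created.'
}

# File screen test: creating a .bmp file in the screened folder should fail.
$image = Join-Path $dataPath 'testimage.bmp'
try {
    New-Item -Path $image -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -Path $image
    Write-Warning 'File screen NOT enforced: the image file was created.'
} catch {
    Write-Output ('File screen enforced: {0}' -f $_.Exception.Message)
}
```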


Lesson 3

Implementing Classification and File Management Tasks

Contents:

Demonstration


Demonstration

Demonstration: How to Configure Classification Management

Demonstration Steps

Create a Classification Property

1.  On LON-SVR1, on the toolbar, click the Server Manager shortcut.

2.  In Server Manager, click Tools, and then click File Server Resource Manager.

3.  In File Server Resource Manager, expand the Classification Management node, and then click

Classification Properties.

4.  Right-click Classification Properties, and then click Create Local Property.

5.  In the Create Local Classification Property window, in the Name field, type Confidential, and in the Description field, type Assigns a confidentiality value of Yes or No.

6.  Under Property type, click the drop-down list box, and then select Yes/No.

7.  In the Create Local Classification Property window, click OK.

Create a Classification Rule

1.  In File Server Resource Manager, click the Classification Rules node.

2.  Right-click the Classification Rules node, and then click Create Classification Rule.

3.  In the Rule name field, type Confidential Payroll Documents.

4.  In the Description field, type Classify documents containing the word payroll as confidential.

5.  Click the Scope tab.

6.  In the Scope section, click the Add button.

•  In the Browse for Folder window, expand Allfiles (E:), expand Labfiles, click Mod10, and then click OK.

7.  In the Create Classification Rule window, click the Classification tab.

8.  In the Classification method area, click the drop-down list box, and then click Content Classifier.

9.  In the Property section, choose a Property name of Confidential and a Property value of Yes, and

then click the Configure button.

10.  On the Parameters tab, below the Expression Type column, click the drop down menu and then

select String.

11.  Double-click in the Expression column, and then type payroll, and then click OK.

12.  In the Create Classification Rule window, click OK.

Modify the Classification Schedule

1.  Right-click the Classification Rules node, and then click Configure Classification Schedule.

2.  In the File Server Resource Manager Options window, ensure the Automatic Classification tab is

selected.

3.  In the Schedule window, click the Enable fixed schedule check box.

4.  In the Run at field, type 8:30 AM, select Sunday, and then click OK.

5.  Right-click the Classification Rules node, and then click Run Classification With All Rules Now.


6.  In the Run Classification window, click Wait for classification to complete, and then click OK.

7.  View the report, and ensure that January.txt is listed at the bottom of the report.

8.  In a Windows® Explorer window, click drive E, expand Labfiles, expand Mod10, and then double-click the Data folder.

9.  In the Data folder, double-click the file January.txt, and then view its contents.

10.  Close all open windows on LON-SVR1.

Demonstration: How to Configure File Management Tasks

Demonstration Steps

Create a File Management Task

1.  On LON-SVR1, on the taskbar, click the Server Manager shortcut.

2.  In Server Manager, click Tools, and then click File Server Resource Manager.

3.  In File Server Resource Manager, select and then right-click the File Management Tasks node, and then click Create File Management Task.

4.  In the Task name field, type Expire Confidential Documents.

5.  In the Description field, type Move confidential documents to another folder.

6.  Click the Scope tab.

7.  In the Scope section, click the Add button.

8.  Expand Allfiles (E:), expand Labfiles, expand Mod10, click Data, and then click OK.

Configure a File Management Task to expire documents

1.  In the Create File Management Task window, click the Action tab.

2.  On the Action tab, under Type, select File expiration.

3.  In Expiration directory, type E:\Labfiles\Mod10\Expired.

4.  In the Create File Management Task window, click the Condition tab.

5.  On the Condition tab, under the Property conditions section, click the Add button.

6.  In the Property Condition window, click the Property drop-down list box, and select Confidential. Click the Operator drop-down list box, and select Equal. Click the Value drop-down list box, select Yes, and then click OK.

7.  In the Create File Management Task window, click the Schedule tab.

8.  Select the Sunday check box.

9.  In the Create File Management Task window, click OK.

10.  Right-click the Expire Confidential Documents task, and then click Run File Management Task Now.

11.  In the Run File Management Task window, choose Wait for task to complete, and then click OK.

12.  View the generated report, ensuring that January.txt is on the list.

13.  Open the E:\Labfiles\Mod10\Expired folder, and view the contents. The contents will include folders

representing the server name and previous location of the expired content.

14.  Close all open windows.


Lesson 4

Overview of DFS

Contents:

Additional Reading

Demonstration


Additional Reading

What Is Data Deduplication?

Additional Reading: Data Deduplication Overview

http://go.microsoft.com/fwlink/?linkID=270996 

Demonstration

Demonstration: How to Install the DFS Role

Demonstration Steps

Install the DFS role

1.  Switch to LON-SVR1.

2.  On the taskbar, click Server Manager.

3.  In Server Manager, click Manage, and then click Add Roles and Features.

4.  In the Add Roles and Features Wizard, click Next.

5.  On the Select installation type page, click Next.

6.  On the Select destination server page, click Next.

7.  On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services, and then select the DFS Namespaces check box.

8.  In the Add Roles and Features pop-up window, click Add Features.

9.  Select the DFS Replication check box, and then click Next.

10.  On the Select features page, click Next.

11.  On the Confirm installation selections page, click Install.

12.  When the installation completes, click Close.

13.  Close Server Manager.


Lesson 5

Configuring DFS Namespaces

Contents:

Demonstration


Demonstration

Demonstration: How to Create Namespaces

Demonstration Steps

Create a new namespace

1.  Switch to LON-SVR1.

2.  On the taskbar, click the Server Manager shortcut.

3.  In Server Manager, click Tools, and then click DFS Management.

4.  In the DFS Management console, click Namespaces.

5.  Right-click Namespaces, and then click New Namespace.

6.  In the New Namespace Wizard, on the Namespace Server page, under Server, type LON-SVR1, and

then click Next.

7.  On the Namespace Name and Settings page, under Name, type Research, and then click Next.

8.  On the Namespace Type page, ensure that both Domain-based namespace and Enable Windows

Server 2008 mode are selected, and then click Next.

9.  On the Review Settings and Create Namespace page, click Create.

10.  On the Confirmation page, verify that the create namespace task is successful, and then click Close.

11.  In the console, expand the Namespace node, and then click \\Adatum.com\Research. Review the

four tabs in the details pane.

12.  In the console, right-click \\Adatum.com\Research, and then click Properties. Review the General,

Referrals, and Advanced tab options.

13.  Click OK to close the \\Adatum.com\Research Properties dialog box.

Create a new folder and folder target

1.  In the DFS Management console, right-click \\Adatum.com\Research, and then click New Folder.

2.  In the New Folder dialog box, under Name, type Proposals.

3.  In New Folder dialog box, under Folder targets, click Add.

4.  In the Add Folder Target dialog box, type \\LON-SVR1\Proposal_docs, and then click OK.

5.  In the Warning dialog box, click Yes to create the shared folder.

6.  On the Create Share dialog box, configure the following, and then click OK.

•  Local path of shared folder: C:\Proposal_docs

•  Shared folder permissions: Administrators have full access; other users have read and write permissions

7.  In the Warning dialog box, click Yes to create the folder.

8.  Click OK  to close the New Folder dialog box.

9.  In the console, expand \\Adatum.com\Research, and then click Proposals. Notice that currently

there is only one Folder Target. To provide redundancy, a second folder target may be added with

DFS Replication configured.

10.  To test the namespace, open Windows Explorer, and in the address bar, type

\\Adatum.com\Research, and then press Enter. The Proposals folder displays.


Lesson 6

Configuring and Troubleshooting DFS-R

Contents:

Demonstration


Demonstration

Demonstration: How to Configure DFS-R

Demonstration Steps

Create a new folder target for replication

1. Switch to LON-SVR1.

2. In DFS Management, right-click the Proposals folder, and then click Add Folder Target.

3. In the New Folder Target dialog box, type \\LON-SVR4\Proposal_docs, and then click OK.

4. In the Warning dialog box, click Yes to create the shared folder.

5. On the Create Share dialog box, in the Local path of shared folder field, type C:\Proposal_docs.

6. In the Shared folder permissions field, select Administrators have full access; other users have read and write permissions, and then click OK.

7. In the Warning dialog box, click Yes to create the folder.

8. In the Replication dialog box, click Yes to create a replication group. The Replicate Folder Wizard

starts.

Create a new replication group

1. In DFS Management, in the Replicate Folder Wizard, on both the Replication Group and

Replicated Folder Name page, accept the default settings, and then click Next.

2. On the Replication Eligibility page, take note that LON-SVR4 and LON-SVR1 are both eligible as

DFS-R members. Click Next.

3. On the Primary Member page, select LON-SVR1 as the primary member, and then click Next.

4. On the Topology Selection page, leave the default selection of Full mesh, which will replicate all

data between all members of the replication group.

If you had three or more members within the replication group, you can also choose Hub and spoke,

which allows you to configure a publication scenario where data is replicated from a common hub to

the rest of the members. You can also choose No topology, which allows you to configure the

topology at a later time.

5. Upon reviewing all the selections, click Next.

6. On the Replication Group Schedule and Bandwidth page, leave the default selection of Replicate

continuously, and then configure the setting to use Full bandwidth. Note that you can also choose

a specific schedule to replicate during specified days and times. Click Next.

7. On the Review Settings and Create Replication Group page, click Create.

8. On the Confirmation page, ensure that all tasks are successful, and then click Close. Take note of the Replication Delay warning, and then click OK.

9. In the console, expand Replication.

10. Under Replication, click Adatum.com\research\proposals. Click and review each of the tabs in the

details pane.


Module Review and Takeaways

Review Question(s)

Question: How do FSRM templates for quotas and file screens provide a more efficient FSRM

management experience?

Answer: Templates enable administrators to create quotas and file screens quickly, based on predefined

templates. You also can use templates to manage child quotas in a one-to-many manner. To change the

file size for several quotas created from the template, you only need to change the template.

Question: Why does DFS-R make a more efficient replication platform than FRS?

Answer: DFS-R uses an advanced delta-based heuristic, which only replicates modified portions of the file system, whereas FRS always replicates the complete file. DFS-R also uses RDC to reduce replication-based network traffic.


Lab Review Questions and Answers

Lab A: Configuring Quotas and File Screening Using FSRM

Question: What criteria need to be met to use FSRM for managing a server’s file structure?

Answer: The servers must be running Windows Server 2003 SP1 or newer. If you want to use File

Classification Infrastructure, you must be running Windows Server 2008 R2 or newer. Additionally, you

must format the volumes on which you perform FSRM operations with NTFS.

Question: In what ways can classification management and file-management tasks decrease

administrative overhead when dealing with a complex file and folder structure?

Answer: Classification management and file-management tasks can allow administrators to automate the

manual classification and modification of files on a file server. Rather than inspecting files manually, and

performing manual file operations, administrators can set up File Classification Infrastructure to classify

files, and then perform the necessary operations on those files by using file management tasks.

Lab B: Implementing DFS

Question: What are the requirements for deploying a namespace in Windows Server 2008 mode?

Answer: The domain must use Windows Server 2008 domain functional level, and all namespace servers

must be running Windows Server 2008.

Question: What are the benefits of hosting a namespace on several namespace servers?

Answer: Hosting a namespace on several namespace servers increases availability if a namespace server

fails. Users will still be able to access the namespace by using one of the remaining namespace servers. If a

namespace is hosted on a single server, and that server becomes unavailable, clients will not be able to

use namespace links to access shared folders on the network.


Module 11

Configuring Encryption and Advanced Auditing

Contents:

Lesson 1: Encrypting Files by Using Encrypting File System

Lesson 2: Configuring Advanced Auditing

Module Review and Takeaways

Lab Review Questions and Answers


Lesson 1

Encrypting Files by Using Encrypting File System

Contents:

Demonstration


Demonstration

Demonstration: Encrypting a File by Using EFS

Demonstration Steps

Verify that a computer account supports EFS on a network share

1.  On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.

2.  In Active Directory Users and Computers, if necessary, expand Adatum.com, and then click Domain

Controllers.

3.  Right-click LON-DC1, and then click Properties.

4.  In the LON-DC1 Properties dialog box, on the Delegation tab, verify that Trust this computer for

delegation to any service (Kerberos only) is selected, and then click Cancel. This setting is on by

default for domain controllers, but needs to be enabled for most file servers to support EFS.

5.  Close Active Directory® Users and Computers.

Use EFS to encrypt a file on a network share

1.  On LON-CL1, log on as Adatum\Doug with a password of Pa$$w0rd.

2.  On the Start screen, type \\LON-DC1\Mod11Share, and then press Enter.

3.  In Windows® Explorer, right-click an open area, point to New, and then click Microsoft Word

Document.

4.  Type MyEncryptedFile, and then press Enter to name the file.

5.  Double-click MyEncryptedFile to open it.

6.  If necessary, click OK to set the user name. Click Don’t make changes, and then click OK.

7.  In the document, type My secret data, and then click the Save button.

8.  Close Microsoft® Word.

9.  Right-click MyEncryptedFile, and then click Properties.

10.  In the MyEncryptedFile Properties dialog box, on the General tab, click Advanced.

11.  In the Advanced Attributes dialog box, select the Encrypt contents to secure data check box, and then click OK.

12.  In the MyEncryptedFile Properties dialog box, click OK.

13.  Sign out of LON-CL1.

View the certificate used for encryption

1.  On LON-DC1, in the Windows Explorer window, expand Computer, expand drive C, and then click Users. Notice that Doug has a profile on the computer. This is where the self-signed certificate is stored. It cannot be viewed in the Microsoft Management Console (MMC) Certificates snap-in unless Doug logs on locally to the server.

2.  In the Windows Explorer window, type C:\Users\Doug\Appdata\, and then press Enter.

3.  Expand Roaming, expand Microsoft, expand SystemCertificates, expand My, and then expand

Certificates. This is the folder that stores the self-signed certificate for Doug.

Test access to an encrypted file

1.  On LON-CL1, log on as Adatum\Alex with a password of Pa$$w0rd.


2.  On the Start screen, type \\LON-DC1\Mod11Share, and then press Enter.

3.  Double-click MyEncryptedFile.

4.  If necessary, click OK to set the user name.

5.  Click OK to clear the access denied message.

6.  Click Don’t make changes, and then click OK.

7.  Close Microsoft Word.


Lesson 2

Configuring Advanced Auditing

Contents:

Demonstration


Demonstration

Demonstration: Configuring Advanced Auditing

Demonstration Steps

Create and edit a GPO for audit policy configuration

1.  On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2.  In Group Policy Management, double-click Forest: Adatum.com, double-click Domains, double-click Adatum.com, right-click Group Policy Objects, and then click New.

3.  In the New GPO window, type File Audit in the Name field, and then press Enter.

4.  Double-click the Group Policy Objects container, right-click File Audit, and then click Edit.

5.  In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand

Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration,

expand Audit Policies, and then click Object Access.

6.  Double-click Audit Detailed File Share.

7.  In the Properties window, select the Configure the following events check box.

8.  Select the Success and Failure check boxes, and then click OK .

9.  Double-click Audit Removable Storage.

10.  In the Properties window, select the Configure the following events check box.

11.  Select the Success and Failure check boxes, and then click OK.

12.  Close the Group Policy Management Editor.

13.  Close Group Policy Management.


Module Review and Takeaways

Question: Some users are encrypting files that are stored on network shares to protect them from other

departmental users with NTFS permissions to those files. Is this an effective way to prevent users from

viewing and modifying those files?

Answer: Yes. An EFS–encrypted file cannot be opened or modified by unauthorized users. By default, only

the user that encrypted the file and the recovery agent can decrypt the file.

Question: Why might EFS be considered a problematic encryption method in a widely-distributed

network file server environment?

Answer: EFS encryption is based primarily on personal certificates, which are commonly stored in a user

profile. The ability to decrypt files relies strictly on access to the certificate in the profile, which may not be

available, depending on the computer to which the user is logging on.

Question: You have configured an audit policy by using Group Policy to apply to all of the file servers in

your organization. After enabling the policy and confirming that the Group Policy settings are being

applied, you discover that no audit events are being recorded in the event logs. What is the most likely

reason for this?

Answer: To audit file access, you must configure files or folders to audit specific events. If you do not do

so, the audit events will not be recorded.
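The check that the last answer describes, as an added PowerShell example (not part of the courseware): it shows whether the audit subcategories are effective on a server and whether a folder carries the audit entries that file-access auditing depends on. The folder path, the audited principal and the audited rights are assumptions; run it in an elevated session on the file server.

```powershell
# Added example, not from the course. Run elevated on the file server.
# $Folder, $Principal and $Rights are assumptions; substitute your own values.
$Folder    = 'C:\Path\To\AuditedFolder'
$Principal = 'Everyone'
$Rights    = 'Modify'
$AddRule   = $false     # set to $true to add the audit entry in step 3

# 1. Effective audit policy on this server. Detailed File Share and Removable
#    Storage are the two subcategories configured in the File Audit GPO.
#    File System is the subcategory that only produces events for files and
#    folders that carry audit entries.
foreach ($sub in 'Detailed File Share', 'Removable Storage', 'File System') {
    auditpol.exe /get "/subcategory:$sub"
}

# 2. Read the folder's audit entries. The -Audit switch needs the
#    "Manage auditing and security log" user right.
$acl = Get-Acl -Path $Folder -Audit
if ($acl.Audit.Count -eq 0) {
    Write-Warning "$Folder has no audit entries, so access to it is not recorded."
} else {
    $acl.Audit |
        Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
}

# 3. Optionally add an inheritable entry that audits successful and failed use
#    of the chosen rights. Auditing broad rights for Everyone can be noisy, so
#    narrow $Principal and $Rights to what you need to see.
if ($AddRule) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList $Principal, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure'
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}
```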

Tools

| Tool | Used to | Where to find it? |
|---|---|---|
| Group Policy Management Console | Manage GPOs containing audit policy settings | Server Manager - Tools |
| Event Viewer | View audit policy events | Server Manager - Tools |


Lab Review Questions and Answers

Lab: Configuring Encryption and Advanced Auditing

Question: In Exercise 1, Task 1, why were you asked to generate a new Data Recovery Agent certificate by

using the AdatumCA certification authority (CA)?

Answer: The AdatumCA CA is recognized as a trusted authority for computers that are joined to the

domain. Generating the certificate from AdatumCA makes the certificate more portable and more

convenient to use than a self-signed certificate that is generated from a Windows Server 2012 computer.

Question: What are the benefits of placing servers in an organizational unit (OU), and then applying audit

policies to that OU?

Answer: You can target specific servers to record audit events, rather than having the auditing process

apply across the entire enterprise. This is especially important when auditing records a large number of

events. Writing a large number of events to physical disks on all servers in the organization could cause

significant performance issues.

Question: What is the reason for applying audit policies across the entire organization?

Answer: If you are trying to pinpoint a general problem, or if you are unsure where a specific event is

occurring, targeting a larger group of servers may be necessary to capture the event. In this case, event

filtering can be used to search for a specific audit event.


Module 12

Implementing Update Management

Contents:

Module Review and Takeaways

Lab Review Questions and Answers


Module Review and Takeaways

Review Question(s)

Question: A colleague has argued that all updates to the Windows operating system should be applied

automatically when they are released. Do you recommend an alternative process?

Answer: All updates should be tested before they are applied in a production environment. That is, you

should first deploy updates to a set of test computers by using WSUS.
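One way to stage approvals as this answer recommends, as an added PowerShell example (not part of the courseware) that uses the WSUS cmdlets in the UpdateServices module. The computer group name Pilot is a hypothetical group of test computers; the script approves needed critical and security updates for that group only and leaves every other group untouched.

```powershell
# Added example, not from the course. Run on the WSUS server.
# 'Pilot' is a hypothetical computer group that holds the test computers.
Import-Module UpdateServices
$PilotGroup = 'Pilot'

$wsus = Get-WsusServer      # the local WSUS server

# Stop early if the test group does not exist, so nothing is approved by mistake.
$groupNames = $wsus.GetComputerTargetGroups() | ForEach-Object { $_.Name }
if ($groupNames -notcontains $PilotGroup) {
    throw "Computer group '$PilotGroup' does not exist on this WSUS server."
}

# Updates that computers need and that nobody has approved yet.
$pending = foreach ($class in 'Critical', 'Security') {
    Get-WsusUpdate -UpdateServer $wsus -Classification $class `
        -Approval Unapproved -Status FailedOrNeeded
}

# List them for review before anything is approved.
$pending | ForEach-Object { '{0,-10} {1}' -f $_.Classification, $_.Update.Title }

# Approve for the test group only. -WhatIf reports what would be approved;
# remove it once the list has been reviewed.
$pending | Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup -WhatIf
```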

Question: Your organization implements several applications that are not Microsoft applications. A

colleague has proposed using WSUS to deploy application and operating system updates. Are there any

potential issues with using WSUS?

Answer: Yes. WSUS is an excellent tool for deploying updates for Microsoft applications such as Microsoft

Office and Windows operating system updates. However, WSUS does not deploy updates for all Microsoft

applications, and it does not deploy updates for non-Microsoft applications. Microsoft System Center

2012 Configuration Manager is a better choice when you need to deploy updates for non-Microsoft

applications.

Question: Why is WSUS easier to manage in an AD DS domain?

Answer: WSUS takes advantage of the AD DS OU structure for deploying client settings through Group

Policy. You can also use Group Policy settings to configure client-side targeting to determine the WSUS

group membership of a client computer.

Tools

| Tool | Use | Where to find it |
|---|---|---|
| WSUS Administration console | Administer WSUS | Server Manager - Tools |
| Windows PowerShell WSUS cmdlets | Administer WSUS from the command-line interface | Windows PowerShell |


Lab Review Questions and Answers

Lab: Implementing Update Management

Question: You created a separate group for the Research department. Why would you configure a

separate group for part of your organization’s computers?

Answer: The Research department may have special considerations or security practices that require a

different process for testing and approving updates than the rest of the organization. In addition, other

departments may have administrators that have been delegated the responsibility for managing the

update approval process.

Question: What is the advantage of configuring a downstream WSUS server?

Answer: If the main WSUS and the downstream server are connected by a slow wide area network (WAN)

connection, the downstream WSUS server only downloads the updates once for the client computers it

services, instead of each client computer downloading the update individually over the WAN connection

from the main WSUS server.


Module 13

Monitoring Windows Server 2012

Contents:

Lesson 2: Using Performance Monitor

Lesson 3: Monitoring Event Logs

Module Review and Takeaways

Lab Review Questions and Answers


Lesson 2

Using Performance Monitor

Contents:

Demonstration


Demonstration

Demonstration: Capturing Counter Data with a Data Collector Set

Demonstration Steps

Create a data collector set

1.  Switch to the LON-SVR1 computer.

2.  Sign in as Adatum\Administrator with the password Pa$$w0rd.

3.  Pause your mouse in the lower-left of the taskbar, and then click Start.

4.  In Start, type Perf , and in the Apps list, click Performance Monitor.

5.  In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User 

Defined.

6.  Right-click User Defined, point to New, and then click Data Collector Set.

7.  In the Create New Data Collector Set Wizard, in the Name box, type LON-SVR1 Performance.

8.  Click Create manually (Advanced), and then click Next.

9.  On the What type of data do you want to include? page, select the Performance counter check

box, and then click Next.

10.  On the Which performance counters would you like to log? page, click Add.

11.  In the Available counters list, expand Processor, click % Processor Time, and then click Add >>.

12.  In the Available counters list, expand Memory, click Pages/sec, and then click Add >>.

13.  In the Available counters list, expand PhysicalDisk , click % Disk Time, and then click Add >>.

14.  Click Avg. Disk Queue Length, and then click Add >>.

15.  In the Available counters list, expand System, click Processor Queue Length, and then click Add >>.

16.  In the Available counters list, expand Network Interface, click Bytes Total/sec, click Add >>, and

then click OK .

17.  On the Which performance counters would you like to log? page, in the Sample interval box,

type 1, and then click Next.

18.  On the Where would you like the data to be saved? page, click Next.

19.  On the Create the data collector set? page, click Save and close, and then click Finish.

20.  In Performance Monitor, in the results pane, right-click LON-SVR1 Performance, and then click

Start.

Create a disk load on the server

1.  Pause your mouse in the lower-left of the taskbar, and then click Start.

2.  In Start, type Cmd, and in the Apps list, click Command Prompt.

3.  At the command prompt, type the following command, and then press Enter:

Fsutil file createnew bigfile 104857600

4.  At the command prompt, type the following command, and then press Enter:


Copy bigfile \\LON-dc1\c$

5.  At the command prompt, type the following command, and then press Enter:

Copy \\LON-dc1\c$\bigfile bigfile2

6.  At the command prompt, type the following command, and then press Enter:

Del bigfile*.*

7.  At the command prompt, type the following command, and then press Enter:

Del \\LON-dc1\c$\bigfile*.*

8.  Close the command prompt.

Analyze the resulting data in a report

1.  Switch to Performance Monitor.

2.  In the navigation pane, right-click LON-SVR1 Performance, and then click Stop.

3.  In Performance Monitor, in the navigation pane, click Performance Monitor.

4.  On the toolbar, click View log data.

5.  In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then

click Add.

6.  In the Select Log File dialog box, double-click Admin.

7.  Double-click LON-SVR1 Performance, double-click the SVR1_date-000001 folder, and then

double-click DataCollector01.blg.

8.  Click the Data tab, and then click Add.

9.  In the Add Counters dialog box, in the Available counters list, expand Memory, click Pages/sec, and then click Add >>.

10.  Expand Network Interface, click Bytes Total/sec, and then click Add >>.

11.  Expand PhysicalDisk, click % Disk Time, and then click Add >>.

12.  Click Avg. Disk Queue Length, and then click Add >>.

13.  Expand Processor, click % Processor Time, and then click Add >>.

14.  Expand System, click Processor Queue Length, click Add >>, and then click OK .

15.  In the Performance Monitor Properties dialog box, click OK .

16.  On the toolbar, click the down arrow, and then click Report.

Demonstration: Configuring an Alert

Demonstration Steps

Create a data collector set with an alert counter

1.  On LON-SVR1 computer, in Performance Monitor, in the navigation pane, expand Data Collector

Sets, and then click User Defined.

2.  Right-click User Defined, point to New, and then click Data Collector Set.

3.  In the Create New Data Collector Set Wizard, in the Name box, type LON-SVR1 Alert.


4.  Click Create manually (Advanced), and then click Next.

5.  On the What type of data do you want to include? page, click Performance Counter Alert, and

then click Next.

6.  On the Which performance counters would you like to monitor? page, click Add.

7.  In the Available counters list, expand Processor, click % Processor Time, click Add >>, and then click OK.

8.  On the Which performance counters would you like to monitor? page, in the Alert when list,

click Above.

9.  In the Limit box, type 10, and then click Next.

10.  On the Create the data collector set? page, click Finish.

11.  In the navigation pane, expand the User Defined node, and then click LON-SVR1 Alert.

12.  In the results pane, right-click DataCollector01, and then click Properties.

13.  In the DataCollector01 Properties dialog box, in the Sample interval box, type 1, and then click the Alert Action tab.

14.  Select the Log an entry in the application event log check box, and then click OK.

15.  In the navigation pane, right-click LON-SVR1 Alert, and then click Start.

Generate a server load that exceeds the configured threshold

1.  Pause your mouse in the lower-left of the taskbar, and then click Start.

2.  On the Start screen, type Cmd, and then in the Apps list, click Command Prompt.

3.  At the command prompt, type the following commands, and then press Enter:

C:

Cd\Labfiles

4.  At the command prompt, type the following command, and then press Enter:

StressTool 95

5.  Wait one minute to allow generation of alerts.

6.  Press Ctrl+C.

7.  Close the command prompt.

Examine the event log for the resulting event

1.  Pause your mouse in the lower-left of the taskbar, and then click Start.

2.  In Start, type Event, and in the Apps list, click Event Viewer.

3.  In Event Viewer, in the navigation pane, expand Applications and Services, expand Microsoft,

expand Windows, expand Diagnosis-PLA, and then click Operational.

4.  Examine the log for performance-related messages. These have an Event ID of 2031. Leave Event

Viewer running.
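A command-line counterpart to the data collector set and alert demonstrations above, as an added PowerShell example (not part of the courseware) built on Logman.exe and Get-WinEvent. The set names ending in "(CLI)" and the counter instance names (_Total, *) are assumptions; the counters, the one-second sample interval, the threshold of 10 and Event ID 2031 come from the demonstration steps.

```powershell
# Added example, not from the course. Run in an elevated PowerShell session on
# the monitored server. The "(CLI)" names are hypothetical, chosen so they do
# not collide with the sets created in Performance Monitor.
$CounterSet = 'LON-SVR1 Performance (CLI)'
$AlertSet   = 'LON-SVR1 Alert (CLI)'

# The six counters added in the wizard. The instance names are assumptions;
# the wizard lets you pick instances interactively.
$Counters = @(
    '\Processor(_Total)\% Processor Time'
    '\Memory\Pages/sec'
    '\PhysicalDisk(_Total)\% Disk Time'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    '\System\Processor Queue Length'
    '\Network Interface(*)\Bytes Total/sec'
)

# Counter log sampled every second.
logman.exe create counter $CounterSet -c $Counters -si 00:00:01

# Alert when processor time is above 10; -el turns on event log reporting.
logman.exe create alert $AlertSet -th '\Processor(_Total)\% Processor Time>10' -si 00:00:01 -el

logman.exe start $CounterSet
logman.exe start $AlertSet
$started = Get-Date

# Generate the load during this window, as in the demonstration.
Start-Sleep -Seconds 60

logman.exe stop $AlertSet
logman.exe stop $CounterSet

# Shows the status and the output location of the counter log.
logman.exe query $CounterSet

# Alert events written since the sets were started. @() keeps the result an
# array even when no event matches, so .Count is reliable.
$alerts = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Diagnosis-PLA/Operational'
        Id        = 2031
        StartTime = $started
    } -ErrorAction SilentlyContinue)

'{0} alert event(s) since {1:T}' -f $alerts.Count, $started
$alerts | Select-Object -First 5 TimeCreated, Message | Format-List
```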


Demonstration: Viewing Reports in Performance Monitor

Demonstration Steps

View a performance report

1.  On LON-SVR1, in Performance Monitor, in the navigation pane, expand Reports, expand User

Defined, and then click LON-SVR1 Performance.

2.  Expand the folder beneath LON-SVR1 Performance. The previous collection process of the data

collector set generated this report. You can change from the chart view to any other supported view.

3.  Close all open windows.


Lesson 3

Monitoring Event Logs

Contents:

Demonstration


Demonstration

Demonstration: Creating a Custom View

Demonstration Steps

View Server Roles custom views

1.  On LON-SVR1, open Event Viewer.

2.  In the navigation pane, expand Custom Views, expand Server Roles, and then click Web Server

(IIS). This is the Web Server role-specific custom view.

Create a custom view

1.  In the navigation pane, right-click Custom Views, and then click Create Custom View.

2.  In the Create Custom View dialog box, select the Critical, Warning, and Error check boxes.

3.  In the Event logs list, expand Windows Logs, and then select the System and Application check

boxes. Click the mouse back in the dialog box, and then click OK .

4.  In the Save Filter to Custom View dialog box, in the Name box, type Adatum Custom View, and

then click OK .

5.  In Event Viewer, in the right pane, view the events that are visible within your custom view.

Demonstration: Configuring an Event Subscription

Demonstration Steps

Configure the source computer

1.  Switch to LON-DC1.

2.  Sign in as Adatum\Administrator with the password Pa$$w0rd.

3.  Pause your mouse in the lower-left of the taskbar, and then click Start.

4.  In Start, type Cmd, and in the Apps list, click Command Prompt.

5.  At the command prompt, type the following command, and then press Enter:

winrm quickconfig

Note: The service is already running.

6.  Pause your mouse in the lower left of the taskbar, and then click Start.

7.  Click Administrative Tools, and then double-click Active Directory Users and Computers.

8.  In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then click Builtin.

9.  In the results pane, double-click Administrators.

10.  In the Administrators Properties dialog box, click the Members tab.

11.  Click Add, and in the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box,

click Object Types.

12.  In the Object Types dialog box, select the Computers check box, and then click OK .

13.  In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter

the object names to select box, type LON-SVR1, and then click OK .


14.  In the Administrators Properties dialog box, click OK.

Configure the collector computer

1.  Switch to LON-SVR1.

2.  Pause your mouse in the lower left of the taskbar and then click Start.

3.  In Start, type Cmd, and in the Apps list, click Command Prompt.

4.  At the command prompt, type the following command, and then press Enter:

Wecutil qc

5.  When prompted, type Y, and then press Enter.

Create and view the subscribed log

1.  In Event Viewer, in the navigation pane, click Subscriptions.

2.  Right-click Subscriptions, and then click Create Subscription.

3.  In the Subscription Properties dialog box, in the Subscription name box, type LON-DC1 Events.

4.  Click Collector Initiated, and then click Select Computers.

5.  In the Computers dialog box, click Add Domain Computers.

6.  In the Select Computer dialog box, in the Enter the object name to select box, type LON-DC1, and

then click OK .

7.  In the Computers dialog box, click OK .

8.  In the Subscription Properties – LON-DC1 Events dialog box, click Select Events.

9.  In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check

boxes.

10.  In the Logged list, click Last 30 days.

11.  In the Event logs list, select Windows Logs. Click the mouse back in the Query Filter dialog box,

and then click OK .

12.  In the Subscription Properties – LON-DC1 Events dialog box, click OK .

13.  In Event Viewer, in the navigation pane, expand Windows Logs.

14.  Click Forwarded Events.

15.  Examine any listed events.
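A way to verify the subscription from the command line, as an added PowerShell example (not part of the courseware): it checks the runtime status of the LON-DC1 Events subscription on the collector, summarizes what has arrived in Forwarded Events, and lists computer accounts that hold Administrators membership on the source side. The 500-event sample size is an assumption.

```powershell
# Added example, not from the course. Run elevated on the collector (LON-SVR1).
$Subscription = 'LON-DC1 Events'    # the name typed in the demonstration

# Subscriptions known to this collector.
wecutil.exe es

# Runtime status for each event source. A healthy source reports
# RunTimeStatus: Active and LastError: 0.
wecutil.exe gr $Subscription

# Summarize recent forwarded events by source computer, provider and level.
# The sample size of 500 is an assumption.
$events = @(Get-WinEvent -LogName ForwardedEvents -MaxEvents 500 -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning 'No forwarded events yet. Check the runtime status output above.'
} else {
    $events |
        Group-Object MachineName, ProviderName, Level |
        Sort-Object Count -Descending |
        Select-Object -First 15 Count, Name |
        Format-Table -AutoSize
}

# The demonstration adds the collector's computer account to the domain's
# Builtin\Administrators group. Outside the lab, the built-in Event Log Readers
# group is a narrower grant to consider for a collector account. This check
# lists computer accounts that currently hold Administrators membership; it
# needs the ActiveDirectory module, so it is skipped where that is not installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADGroupMember -Identity 'Administrators' |
        Where-Object { $_.objectClass -eq 'computer' } |
        Select-Object Name, distinguishedName
}
```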


Module Review and Takeaways

Review Question(s)

Question: What significant counters should you monitor in Performance Monitor?

Answer: You should monitor the following:

•  Processor > % Processor Time

•  System > Processor Queue Length

•  Memory > Pages/sec

•  Physical Disk > % Disk Time

•  Physical Disk > Avg. Disk Queue Length

Question: Why is it important to monitor server performance periodically?

Answer: By monitoring server performance, you can perform capacity planning, identify and remove

performance bottlenecks, and assist with server troubleshooting.

Question: Why should you use performance alerts?

Answer: By using alerts, you can react more quickly to emerging performance-related problems, perhaps

before they have a chance to impinge on users’ productivity.

Tools

| Tool | Use for | Where to find it |
|---|---|---|
| Fsutil.exe | Configuring and managing the file system | Command line |
| Performance Monitor | Monitoring and analyzing real-time and logged performance data | Start menu |
| Logman.exe | Managing and scheduling performance-counter and event-trace log collections | Command line |
| Resource Monitor | Monitoring the use and performance of CPU, disk, network, and memory in real time | Start menu |
| Event Viewer | Viewing and managing event logs | Start menu |
| Task Manager | Identifying and resolving performance-related problems | Start menu |


Lab Review Questions and Answers

Lab: Monitoring Windows Server® 2012

Question: During the lab, you collected data in a data collector set. What is the advantage of collecting

data in this way?

Answer: By collecting data in data collector sets, you can analyze and compare the data against historical

data, and then derive conclusions regarding server capacity.


Send Us Your Feedback

You can search the Microsoft Knowledge Base for known issues at Microsoft Help and Support before

submitting feedback. Search using either the course number and revision, or the course title.

Note Not all training products will have a Knowledge Base article – if that is the case, please

ask your instructor whether or not there are existing error log entries.

Courseware Feedback

Send all courseware feedback to [email protected]. We truly appreciate your time and effort.

We review every e-mail received and forward the information on to the appropriate team. Unfortunately,

because of volume, we are unable to provide a response but we may use your feedback to improve your

future experience with Microsoft Learning products.

Reporting Errors

When providing feedback, include the training product name and number in the subject line of your e-mail. When you provide comments or report bugs, please include the following:

1. Document or CD part number

2. Page number or location

3. Complete description of the error or suggested change

Please provide any details that are necessary to help us verify the issue.

Important  All errors and suggestions are evaluated, but only those that are validated are added to the product Knowledge Base article.