
Security groups, however, are not capable of directly receiving Group Policy, but they can control access to network resources and filter Group Policy settings, as well as set permissions. This can get a little confusing when you combine it with OUs, because in a way it seems almost like having double groups. But keep in mind that the purpose of OUs is to gather objects at a granular level for the purpose of administration. The primary purpose of security groups, however, is to set permissions and capabilities.

In fact, most seasoned administrators will create a security group that is designed to control permissions for a specific organizational unit. For instance, say you’re in a company that has four telemarketing managers who need to control an OU of a dozen printers. Rather than giving each user permission to control the OU, you could assign the users to a group and then assign that group Full Control over that OU. Normally, the group that has full control over the OU is known as the OU owner.

An OU owner has complete authority over a specific OU and all children that reside within that OU (remember, OUs can be nested). In the enterprise, this is often done to aid in the process of delegation, which will be discussed in more detail later in this chapter. But suffice it to say for the moment, OU delegation occurs when an OU owner is responsible for administering that OU, thereby becoming an OU administrator.

Whenever you create a group in Windows Server 2008, whether that group is a security group or a distribution group, the group is defined somewhere within the Active Directory forest. Its scope, once defined, sets the boundaries of that group and how far it can reach within the forest. When you create a group in Windows Server 2008 using the Active Directory Users and Computers tool, Windows Server presents you with three different choices of scope for your security groups if you are running in native mode: domain local, global, and universal. If you are not running in native mode and are instead running in mixed mode, you will have access to only two scopes: domain local and global.
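The OU owner pattern from the telemarketing example, as an added example that is not from the book: a global security group is created, the four managers are made members, and the group (not the individual users) is granted Full Control over the printers OU with inheritance, using the Windows Server 2008 command-line directory tools (dsadd, dsmod, dsacls). Every name below is an assumption: the domain MEGACORP (megacorp.local), an OU Printers nested under OU Telemarketing, and four manager accounts.

```powershell
# Added example (not from the book): create the "OU owner" security group and
# delegate Full Control over a printers OU to it with dsadd, dsmod and dsacls.
# All names are assumptions: domain MEGACORP (megacorp.local), OU Printers under
# OU Telemarketing, four manager accounts. Run as a domain administrator on a
# domain controller or on a workstation with the RSAT directory tools installed.

$domainDn     = 'DC=megacorp,DC=local'
$printersOu   = "OU=Printers,OU=Telemarketing,$domainDn"
$ownerGroupDn = "CN=Telemarketing-Printers-Owners,OU=Telemarketing,$domainDn"
$managers     = 'jsmith', 'mlee', 'rpatel', 'kchen' |
                ForEach-Object { "CN=$_,OU=Telemarketing,$domainDn" }

# 1. A *security* group (-secgrp yes) with *global* scope (-scope g). A distribution
#    group (-secgrp no) cannot carry permissions, so it could not be an OU owner.
dsadd group $ownerGroupDn -secgrp yes -scope g -desc 'OU owner: Full Control over the Printers OU'

# 2. Membership lives on the group, not on the OU's ACL: adding or removing a manager
#    later never touches the permissions. PowerShell expands the array into one
#    argument per distinguished name.
dsmod group $ownerGroupDn -addmbr $managers

# 3. Full Control (GA = generic all) on the OU, inherited by this object and all
#    sub-objects (/I:T), which is what makes the group the owner of nested OUs as well.
dsacls $printersOu /G "MEGACORP\Telemarketing-Printers-Owners:GA" /I:T

# 4. Review step: dump the OU's ACL and confirm the Full Control entry belongs to the
#    group and that no individual user accounts were granted it directly.
dsacls $printersOu | Select-String -Pattern 'Telemarketing-Printers-Owners|FULL CONTROL'
```

The Delegation of Control Wizard in Active Directory Users and Computers produces the same access control entry through the GUI; the command-line form is easier to review, repeat and diff against a baseline when you audit who can manage an OU.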


Some of the classic examples of Group Policy deployments include removing access to the Control Panel, adding software to the default Start menu, and granting the ability to install said pieces of software without the direct need of an administrator. The full scope of Group Policy, however, is so broad that it probably couldn’t be covered in a single book. If it could, it would probably be a fairly tremendous tome that you could use as a barricade to stop a charging elephant.

In fact, in the real world, a good share of your time in the enterprise is going to be spent administering and creating group policies to deploy to various users throughout your enterprise (actually, not just users, but computers, printers, pieces of software, and several different servers). This is because Group Policy is a huge undertaking, and if it isn’t implemented properly, it can have drastic results on your enterprise. Just imagine how happy your boss would be if he suddenly received a call in the morning from your CEO claiming that, for some reason, she can no longer access her email and all of her office software no longer appears on the Start menu. It wouldn’t be a happy phone call. Thus, for the certification exam, you’re expected to have a very firm grip of Group Policy and the impact it can have throughout the enterprise at all deployment levels.

In this chapter, I’ll cover Group Policy by explaining the important background you need to establish before you institute even your first Group Policy object: the administrative model. An effective administrative model is a network design that facilitates the organization of users, computers, and objects into compartmentalized and easily accessible organizational units (OUs) that will create a simple infrastructure that you can use for more complex enterprises at any level of granularity. By the end of this chapter, I’ll have laid the framework for Chapter 6, “Planning and Designing Group Policy.”


When using TS Licensing per-user mode, administrators can monitor licenses that are being propagated through a network via a particular license server. This allows administrators to check for EULA compliance as well as proper usage of particular licenses throughout the enterprise. Windows Server 2008 can also produce a per-user license usage report via the TS Licensing Manager, which is useful if an administrator suspects that some licenses are being used improperly throughout their enterprise.

A couple of issues tend to come up when using Terminal Services Licensing. You’ll want to know the following two event IDs when administering a licensing server:

Event ID 28: “TS Licensing Service is unable to report status to the Service Control Manager” This event sounds a lot more complicated than it really is. All event ID 28 means is that Terminal Services is unable to connect to the Service Control Manager. More often than not, the best solution for this is to reboot the server and make certain that the TS Licensing role has started.

Event ID 37: “TS Licensing Cannot Start. The following error occurred: %1!s!3” Fun with cryptic errors! Normally, this event occurs when certain groups are given incorrect permissions. You can resolve this problem by making sure the correct permissions are established. If all else fails and the security is set correctly, rebooting will most likely fix the issue.
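A small monitoring script for the two event IDs above, added here as an example that is not from the book. It polls one or more license servers for event IDs 28 and 37 over a time window and attaches the first action the text recommends for each. Assumptions: the events are written to the System log, the provider name is matched loosely on “Licensing” because the exact provider name differs between builds, and the server names LIC01 and LIC02 are constructed; Get-WinEvent requires PowerShell 2.0.

```powershell
# Added example (not from the book): poll license servers for TS Licensing event
# IDs 28 and 37 and attach the recommended first action from the text above.
# Assumptions: events are in the System log; provider matched on '*Licensing*';
# server names LIC01/LIC02 are constructed. Needs PowerShell 2.0 (Get-WinEvent).

function Get-TsLicensingAlerts {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    # First action for each ID, taken from the text above.
    $advice = @{
        28 = 'Cannot report to the Service Control Manager: confirm the TS Licensing role service has started; reboot if it will not start.'
        37 = 'Cannot start: check the permissions on the licensing groups first; reboot only if the permissions are already correct.'
    }
    try {
        $events = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
            LogName   = 'System'
            Id        = 28, 37
            StartTime = (Get-Date).AddHours(-$Hours)
        })
    } catch {
        # Get-WinEvent raises an error when nothing matches; treat that as "no alerts".
        $events = @()
    }
    foreach ($e in $events) {
        # IDs 28 and 37 are also used by unrelated providers; keep only the licensing service.
        if ($e.ProviderName -notlike '*Licensing*') { continue }
        New-Object PSObject -Property @{
            Time     = $e.TimeCreated
            Server   = $ComputerName
            EventId  = $e.Id
            Provider = $e.ProviderName
            Message  = ($e.Message -split "`r?`n")[0]   # first line of the event text
            Action   = $advice[[int]$e.Id]
        }
    }
}

# Check two (constructed) license servers for the last three days.
'LIC01', 'LIC02' |
    ForEach-Object { Get-TsLicensingAlerts -ComputerName $_ -Hours 72 } |
    Select-Object Time, Server, EventId, Provider, Action, Message |
    Format-Table -AutoSize -Wrap
```

Run it from a scheduled task on a management host and pipe the output to Export-Csv if you want a record of how often the licensing service stops reporting; a recurring event ID 37 after a reboot points to the permissions problem rather than a transient failure.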

MegaCorp, an international import/export corporation that specializes in foodstuffs, has recently signed a contract with the FoodInventory corporation to purchase a new inventory tracking program that monitors the thousands of containers of foodstuffs shipped by MegaCorp every year. The FoodInventory program is Terminal Services-capable so that field agents throughout the organization can add and subtract inventory amounts to the current fiscal year’s spreadsheet.

MegaCorp is an organization with several hundred employees. However, the IT needs of the organization are very low, because most agents are field agents and need to log on to the server to update inventory only once every few days. However, there are still a great many employees to keep track of.


The process of upgrading and migrating is like most things involving the Windows world. It is complicated in explanation but relatively simple in practice. When you’re thinking about migrating, remember that there are no direct upgrade paths between any version of Windows without Active Directory and Windows Server 2008. Furthermore, you need to remember the steps involved with upgrading a machine from Windows 2000 Server to Windows Server 2008.

But most important, you need to be familiar with using the Active Directory Migration Tool. The best way to do that is to follow the exercises in this book and to play with the ADMT on your own. Setting up a home lab is a very good idea. Or, if you don’t have a home lab, running practical exercises at your office may be advisable. But don’t make any changes that you can’t undo, and never experiment on a production environment; that could be catastrophic.

Beyond migrating, one of the pillars of this exam is understanding trusts in all of their complexity. Unless you’ve built, used, and experimented with trusts heavily, the exam will probably confuse you. A full understanding of trusts is also required for your job when you actually become the person for whom this exam and technology were designed: an enterprise administrator. As referenced earlier, it’s rare that you’ll run across a one-domain, or even one-forest, architecture. Currently, infrastructures are complex animals and require a great amount of due care and due diligence. Make sure that before you attempt these in the real world you’ve mastered them in your own lab; your employers and fellow employees will thank you.

Trusts play a tremendous factor in the exam. You need to be able to spout off the advantages of different types of trusts and show where they belong in the infrastructure and how they should be implemented.

Understand the limits and advantages of migration. Migration can’t solve everything. You need to be familiar with what you can and cannot do with migration, as well as the procedure for doing it. Practice migrating several user accounts and groups between your domain controllers before you take the exam.


Virtualization is quickly becoming a hot topic. The potential for consolidation is tremendous, so it will become more and more important.

After reading this chapter, you should have a good understanding of the Hyper-V architecture and what it requires to install Hyper-V.

The section about installation and configuration covered various basic aspects of configuring the virtualization environment. You learned about the different types of virtual networks that are available, the options for installing the Hyper-V role, and the various types of virtual hard disks that you can use to optimize virtualization for your specific scenario. You also learned how to configure virtual machines using the Hyper-V environment and how to create your own virtual datacenter on top of your Hyper-V machines. We showed you how to create and manage virtual machines, how to use Virtual Machine Connection to remotely control a virtual machine, and how to install Hyper-V Integration Components. And you learned how to export and import virtual machines as well as how to take snapshots of your virtual machine.

If you have never worked with virtualization software before, the information in this chapter may have been completely new to you. You should now be well prepared to try out Hyper-V in your own environment.

Understand Hyper-V’s architecture. When you have a good understanding of Hyper-V’s architecture, especially when an operating system in a virtual machine is hypervisor aware versus non-hypervisor aware, you have a solid understanding of what is important from an architectural perspective. You should know about the Hyper-V Integration Components and how they change the behavior of a virtual machine. Also know which operating systems the integration components are available for.

Know the hardware and software requirements as well as how to install Hyper-V. Hyper-V requires an x64-based processor and Data Execution Prevention (DEP), and hardware-assisted virtualization must be enabled.

Don’t forget this! Also remember that you can install Hyper-V two ways: using Server Manager or using the command line in Server Core.

Understand virtual networks and virtual hard disks. Virtual networks and hard disks are the two most tested topics. You definitely should know the types of virtual networks available (i.e., external, internal only, and private virtual network) as well as all types of virtual hard disks (i.e., dynamically expanding, fixed size, differencing, and physical or pass-through). You should be able to apply the correct one when needed. Don’t forget the Edit Virtual Hard Disk Wizard, which is also a good source for questions in the exam.


This section will explain how to move virtual machines between host computers or move them to a different drive. This is quite different from previous versions of Microsoft’s virtualization software. To move a virtual machine in Virtual Server 2005, you stopped the machine and moved its configuration file (VMC) as well as its virtual hard disk file (VHD) to the target location and then changed the VMC file to point to the VHD file.

Using Hyper-V, you cannot move the configuration files anymore. You need to use the Export feature to export the virtual machine and then use Import on the target machine to import the virtual machine to Hyper-V.

To export a virtual machine, it must be in either the Off or the Saved state. Open Hyper-V Manager, select the virtual machine you want to export, and either right-click on the virtual machine and select Export or click on Export on the virtual machine name’s pane. You will see the Export Virtual Machine dialog box.

In this dialog box, you can set the export path for the virtual machine and choose whether to export your virtual machine state data or not. Because Hyper-V will use the exported files after importing them, you should store the export directly on the target machine’s disks and not on a file share.

Once you check Don’t Export Virtual Machine State Data, only the virtual machine’s configuration files will be exported. The virtual hard disk and snapshots will not be exported. In the export path, a folder with the name of the virtual machine is created along with the following subfolders:

Virtual Machines This folder includes the virtual machine configuration files as well as the virtual machine state if the machine is saved.

Virtual Hard Disks If you exported the state data, this folder will include your virtual hard disks’ VHD file(s).

Snapshots If you exported the state data, this folder will include all snapshot files.

Once the virtual machine finishes exporting, you can move the export folder to the target machine if you did not store it directly on the server’s disks. Open Hyper-V Manager and click Import Virtual Machine, which is located in the Actions pane.


Creating and Deploying a Windows Installer Package for TS RemoteApp Programs

Now that you have installed an application that will be used for a TS RemoteApp program, you need to know how to deploy a package that contains the TS RemoteApp program connection information. There are two different ways to package TS RemoteApp programs: a Windows Installer file (MSI) or a Remote Desktop file (RDP). The focus in this section will be on using an MSI file because most administrators are used to using group policies to deploy Windows Installer packages to client computers. In order for the client computer to run these packages, they must be running RDC 6.0 or 6.1. In Exercise 2.12, you will follow the procedures to package TS RemoteApp programs.

Packaging a TS RemoteApp Program

Follow these steps to package a TS RemoteApp Program.

1. In TS RemoteApp Manager, under RemoteApp Programs, select the application for which you will create a package.

2. In the Actions pane, click Create Windows Installer Package.

3. In the RemoteApp Wizard, click Next on the Welcome screen.

4. On the Specify Package Settings screen, you can change the default location to save packages to as well as the server name, the RDP port, the TS Gateway setting, and certificate settings. (TS Gateway and certificate settings are discussed later in this chapter.)

5. Click Next.

6. On the Configure Distribution Package page, you will place the RemoteApp program into the user’s Start menu under a folder named Remote Programs, and you can also select Desktop. This screen also specifies whether or not to take over client extensions. What this means is that whenever the user opens a file with this extension, it will automatically launch the RemoteApp program. This setting is necessary only when the application is not installed locally on the client.

7. Click Next.

8. Review the settings and click Finish.

By default, the package will be saved in C:\Program Files\Pack Programs with a .rap.msi filename extension. Now that you have the .rap.msi file, Group Policy procedures can be used to deploy the package to users within the domain.

Using TS RemoteApp in large environments

There are some rules that should be considered when using TS RemoteApp in a large server farm. First, think about applications that are similar in nature or share data using Dynamic Data Exchange (DDE), for example copy and paste; these should reside on the same server. Second, place silo applications that conflict with other applications onto separate terminal servers; your users will thank you in the long run by not complaining about poor performance or errors in their sessions. Third, consider other factors that are not technology related, such as groups like HR always wanting their applications segregated from everyone else. A good rule of thumb is an 80/20 split. Try to maintain and keep the software consistent on the majority of the terminal servers with the main subset of your applications, usually MS Office and the like.


Three things must occur to enable Desktop Composition. First, you must enable Desktop Experience on the Windows 2008 Terminal Services server. Second, you must use the Windows Vista theme on the Windows 2008 TS server. Third, you must enable Desktop Composition on the Windows Vista host client.

It is important to note that the Windows Vista client must have hardware capable of supporting Windows Aero to benefit from the Desktop Composition feature. However, the 2008 TS server does not need to have hardware that is capable of running Windows Aero.

Enabling the Desktop Experience Feature

Follow these steps to install Desktop Experience on Windows Server 2008:

1. Open Server Manager. Click Start > Administrative Tools > Server Manager.

2. Right-click Features and select Add Feature from the menu.

3. Check Desktop Experience in the Feature Wizard.

4. Click Next.

5. Verify that the Desktop Experience feature is checked and click Install.

6. Reboot after installation is complete.

Starting the Themes Service

Follow these steps to start the Themes service for Windows Server 2008:

1. Click Start > Administrative Tools > Services.

2. Right-click Themes and choose Properties.

3. On the General tab, change the startup type to Automatic.

4. Click Apply.

5. Click Start > Administrative Tools > Services.

6. Double-click Themes.

7. On the General tab, change the startup type to Automatic.

8. Click OK.

9. Right-click Themes and choose Start to start the Themes service.

Now that you have enabled the Themes service, you must select the Windows Vista theme.

Setting the Theme on Windows Server 2008

Follow these steps to set the theme on Windows Server 2008:

1. Click Start > Control Panel > Personalization > Theme.

2. On the Themes tab, change the theme to Windows Vista.

3. Click OK.

The final step is to enable Desktop Composition and Themes on the client.

Making Desktop Composition Available on a Vista Client

Follow these steps to enable Desktop Composition on a Vista client:

1. Click Start > All Programs > Accessories > Remote Desktop Connection. (It is also possible to start the RDC client software by typing mstsc in the Run line.)

2. In the Remote Desktop Connection dialog box, click Options.

3. On the Experience tab, check Desktop Composition and Themes.

4. Click Connect to launch the new session.

Remember that Windows Aero will require more resources on your terminal server, so careful consideration must be given to how many concurrent user connections a single terminal server’s hardware will be able to support. This will be critical to overall user experience and server performance.
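The server-side and client-side steps of the four procedures above, gathered into one script as an added example that is not from the book. On the server it installs the Desktop Experience feature and sets the Themes service to Automatic and running; on the client it writes an .rdp file whose settings are the equivalent of checking Desktop Composition and Themes on the Experience tab. Assumptions: the terminal server is named TS01; the ServerManager PowerShell module is present (it ships with Windows Server 2008 R2, while the original Windows Server 2008 uses servermanagercmd instead, shown in a comment); the Windows Vista theme selection has no cmdlet and is still done in Personalization as described above.

```powershell
# Added example (not from the book): automate the Desktop Experience feature, the
# Themes service and the client .rdp settings for Desktop Composition.
# Assumptions: server name TS01; run elevated on the terminal server; the
# ServerManager module exists on Windows Server 2008 R2 (on the original Windows
# Server 2008 run: servermanagercmd -install Desktop-Experience). Selecting the
# Windows Vista theme remains a Personalization control panel step.

# --- Server side: Desktop Experience feature (reboot required afterwards) ------
Import-Module ServerManager
$feature = Get-WindowsFeature -Name Desktop-Experience
if (-not $feature.Installed) {
    Add-WindowsFeature -Name Desktop-Experience
}

# --- Server side: Themes service set to Automatic and started -------------------
Set-Service -Name Themes -StartupType Automatic
if ((Get-Service -Name Themes).Status -ne 'Running') {
    Start-Service -Name Themes
}

# Evidence for the change ticket: feature state and service state after the change.
Get-WindowsFeature -Name Desktop-Experience | Select-Object Name, Installed
Get-Service -Name Themes | Select-Object Name, Status, StartType

# --- Client side: .rdp file equivalent of the Experience tab check boxes --------
# "allow desktop composition:i:1" = Desktop Composition checked.
# "disable themes:i:0"            = Themes checked (0 means themes are NOT disabled).
# "authentication level:i:2"      = warn when the server's identity cannot be verified.
$rdp = @'
full address:s:TS01
allow desktop composition:i:1
disable themes:i:0
authentication level:i:2
'@
$rdpPath = Join-Path $env:USERPROFILE 'Desktop\TS01-aero.rdp'
Set-Content -Path $rdpPath -Value $rdp -Encoding ASCII
# Launch the session with: mstsc $rdpPath
```

Distributing the .rdp file (or a Group Policy preference that sets the same values) keeps the Experience settings consistent across clients, which matters because each session with Desktop Composition enabled costs the terminal server more memory and CPU, as the paragraph below notes.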


Network Attached Storage (NAS)

The concept of a Network Attached Storage (NAS) solution is that it is a low-cost device for storing data and serving files through the use of an Ethernet LAN connection. A NAS device accesses data at the file level via a communication protocol such as NFS, CIFS, or even HTTP, which is very different from iSCSI or Fibre Channel (FC) storage devices that access the data at the block level. NAS devices are best used in file-storing applications, and they do not require a storage expert to install and maintain the device. In most cases, the only setup that is required is an IP address and an Ethernet connection.

Managing SANs

In the following sections, we will discuss the tools in Windows Server 2008 that will help manage the various aspects of storage: Storage Manager for SANs (SMfS) and Storage Explorer. These tools are used independently of one another, but they both provide a very powerful and centralized interface to administer a storage environment. Storage Manager for SANs manages the physical storage arrays; conversely, Storage Explorer views and manages the Fibre Channel and iSCSI connections available in the environment.

Virtual Disk Service (VDS)

Virtual Disk Service (VDS) has been created to ease the administration effort of managing all the various types of storage devices. Many storage hardware providers used their own applications for installation and management, and this made administering all these various devices very cumbersome. VDS is a set of application programming interfaces (APIs) that provide a centralized interface for managing all the various storage devices. The native VDS API enables the management of disks and volumes at an OS level, and hardware-vendor-supplied APIs manage the storage devices at a RAID level. These are known as software and hardware providers.

A software provider is host based and interacts with Plug and Play Manager as each disk is discovered, and it operates on volumes, disks, and disk partitions. VDS includes two software providers: basic and dynamic. The basic software provider manages basic disks with no fault tolerance, whereas the dynamic software provider manages dynamic disks with fault management. A hardware provider translates the VDS APIs into instructions specific to the storage hardware. This is how storage management applications are able to communicate with the storage hardware, for example to create LUNs or to read the WWN of a Fibre Channel HBA. The following are Windows Server 2008 storage management applications that use VDS:

Disk Management snap-in This application configures and manages the disk drives on the host computer. You have already seen this application in use when you initialized disks and created volume sets.


Windows Server 2008 Storage Services

The Welcome page of the New Spanned Volume Wizard appears and explains the type of volume set chosen. Click Next.

The Select Disks page appears. Select the disk that will be included with the volume set and click Add. Repeat this process until all the desired disks have been added.

The Assign Drive Letter or Path page appears. From here you can select the desired drive letter for the volume, mount the volume in an empty NTFS folder, or choose not to assign a drive letter. In this example, the new volume is assigned the drive letter E.

The Format Volume page appears. Choose to format the new volume.

If the disks have not been converted to dynamic, you will be asked to convert the disks. Click Yes.

The new volume will appear as a healthy spanned dynamic volume whose available space is the combined space of the disks in the new volume set.
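The same spanned-volume procedure as a DiskPart script, added here as an example that is not from the book. It converts two disks to dynamic, creates a simple volume on the first, extends it onto the second (which is what turns it into a spanned volume), assigns the letter E as in the walk-through and formats it. Assumptions: disks 1 and 2 are empty basic disks whose whole free space is to be used; the disk numbers, the label and the script path are constructed, so check them with a plain `list disk` first because the conversion and format are not reversible without a restore.

```powershell
# Added example (not from the book): the New Spanned Volume Wizard steps as a
# DiskPart script. Assumptions: disks 1 and 2 are empty basic disks; all of their
# free space is used; drive letter E as in the walk-through. Run elevated. Verify
# the disk numbers with "diskpart" then "list disk" before running; convert and
# format cannot be undone without restoring from backup.

$script = @'
select disk 1
convert dynamic
select disk 2
convert dynamic
select disk 1
create volume simple disk=1
extend disk=2
assign letter=E
format fs=ntfs label="Spanned" quick
list volume
'@

$scriptPath = Join-Path $env:TEMP 'spanned-volume.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII
diskpart /s $scriptPath          # the final "list volume" shows the new Spanned volume
```

Keep the script file with the change record: unlike the wizard, it documents exactly which disks were consumed, which is the first thing you need when a member disk of a spanned set later fails and the whole volume becomes inaccessible.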

Storage in Windows Server 2008

Built into Windows Server 2008 is the ability to support drive sets and arrays using Redundant Array of Independent Disks (RAID) technology. RAID can be used to enhance data performance, or it can be used to provide fault tolerance to maintain data integrity in case of a hard disk failure. Windows Server 2008 supports three different types of RAID technologies: RAID-0, RAID-1, and RAID-5.

RAID-0 is also known as disk striping. Disk striping is using two or more volumes on independent disks created as a single striped set. There can be a maximum of 32 disks. In a striped set, data is divided into blocks that are distributed sequentially across all the drives in the set. With RAID-0, disk striping, you get very fast read and write performance because multiple blocks of data can be accessed off of multiple drives simultaneously. However, RAID-0 does not offer the ability to maintain data integrity during a single disk failure. In other words, RAID-0 is not fault tolerant; a single disk event will cause the entire striped set to be lost, and it will have to be re-created through some type of recovery process, such as a tape backup.

RAID-1 is also known as disk mirroring. Disk mirroring is two logical volumes on two separate identical disks created as a duplicate disk set. Data is written on two disks at the same time; that way, in the event of a disk failure, data integrity is maintained and available. Although this fault tolerance gives administrators data redundancy, it comes with a price because it diminishes the amount of available storage space by half. For example, if an administrator wants to create a 300GB mirrored set, they would have to install two 300GB hard drives into the server, thus doubling the cost for the same available space.
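A toy simulation of the two layouts described above, added as an example that is not from the book. It uses constructed block labels (B0 to B7) in place of real data: RAID-0 places block k on disk k mod N so every block exists once, RAID-1 writes every block to both members, and the read function shows that one failed member loses the whole striped set while the mirror still returns everything. The capacity helper reproduces the 2 x 300GB comparison from the text. No real disks are involved.

```powershell
# Added example (not from the book): simulate RAID-0 striping and RAID-1 mirroring
# with constructed block labels and show the effect of a single-disk failure.
# Disks are hashtable entries (disk number -> array of blocks); nothing is written
# to real storage.

function New-StripeSet([string[]]$Blocks, [int]$DiskCount) {
    # RAID-0: block k goes to disk (k mod DiskCount); each block exists exactly once.
    $disks = @{}
    for ($d = 0; $d -lt $DiskCount; $d++) { $disks[$d] = @() }
    for ($k = 0; $k -lt $Blocks.Count; $k++) { $disks[$k % $DiskCount] += $Blocks[$k] }
    return $disks
}

function New-MirrorSet([string[]]$Blocks) {
    # RAID-1: every block is written to both members at the same time.
    return @{ 0 = @($Blocks); 1 = @($Blocks) }
}

function Read-RaidSet([hashtable]$Disks, [string]$Level, [int[]]$FailedDisks = @()) {
    # Returns the data in original order, or $null when the level cannot survive the failure.
    $alive = @{}
    foreach ($d in $Disks.Keys) { if ($FailedDisks -notcontains $d) { $alive[$d] = $Disks[$d] } }
    switch ($Level) {
        'RAID-0' {
            if ($alive.Count -ne $Disks.Count) { return $null }   # one lost member = whole set lost
            $n = $Disks.Count
            $total = 0; foreach ($v in $Disks.Values) { $total += @($v).Count }
            $out = @()
            for ($k = 0; $k -lt $total; $k++) {
                # Reverse the placement rule: disk k mod n, position floor(k / n) on that disk.
                $out += @($Disks[$k % $n])[[Math]::Floor($k / $n)]
            }
            return $out
        }
        'RAID-1' {
            if ($alive.Count -eq 0) { return $null }              # both members gone
            foreach ($v in $alive.Values) { return @($v) }        # any survivor holds everything
        }
    }
}

function Get-UsableCapacityGB([string]$Level, [int]$DiskCount, [int]$DiskSizeGB) {
    switch ($Level) {
        'RAID-0' { return $DiskCount * $DiskSizeGB }   # all raw space usable, no redundancy
        'RAID-1' { return $DiskSizeGB }                # two members, half the raw space
    }
}

function Show-Read([hashtable]$Disks, [string]$Level, [int[]]$FailedDisks = @()) {
    $data = Read-RaidSet -Disks $Disks -Level $Level -FailedDisks $FailedDisks
    if ($null -eq $data) { return 'LOST - re-create the set and restore from backup' }
    return ($data -join ' ')
}

# Constructed data: eight blocks of one file.
$blocks = 0..7 | ForEach-Object { "B$_" }
$stripe = New-StripeSet -Blocks $blocks -DiskCount 3
$mirror = New-MirrorSet -Blocks $blocks

'RAID-0 layout (3 disks):'
foreach ($d in 0..2) { "  disk $d -> " + ($stripe[$d] -join ' ') }
'RAID-0 read, all disks OK  : ' + (Show-Read $stripe 'RAID-0')
'RAID-0 read, disk 1 failed : ' + (Show-Read $stripe 'RAID-0' -FailedDisks 1)
'RAID-1 read, disk 0 failed : ' + (Show-Read $mirror 'RAID-1' -FailedDisks 0)
'Usable space, 2 x 300GB    : RAID-0 {0}GB, RAID-1 {1}GB' -f (Get-UsableCapacityGB 'RAID-0' 2 300), (Get-UsableCapacityGB 'RAID-1' 2 300)
```

The striped read deliberately reverses the placement rule rather than walking each disk in turn, which is the same dependency that makes a striped set unrecoverable: every block is needed from every member, so there is no partial read to fall back on once one member is gone.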