
3 Set Up Computer Server

The 'SET-UP SERVER' module provides training materials for the Computer System Servicing NC II course, focusing on the competencies required to set up computer servers for LANs and SOHO systems. It includes learning activities, information sheets, and self-checks to help learners achieve specific learning outcomes related to user access setup, network services configuration, and pre-deployment procedures. Additionally, the module recognizes prior learning and encourages learners to discuss their competencies with trainers for assessment and recognition.

HOW TO USE THIS MODULE

Welcome to the Module “SET-UP SERVER”. This module contains training
materials and activities for you to complete.

The unit of competency “SETTING-UP SERVER” contains knowledge,
skills and attitudes required for a Computer System Servicing NC II course.

You are required to go through a series of learning activities in order to
complete each of the learning outcomes of the module. In each learning outcome
there are Information Sheets, Task Sheets, and Job Sheets. Follow these
activities on your own and answer the Self-Check at the end of each learning
activity.

If you have questions, don’t hesitate to ask your Trainer for assistance.

Recognition of Prior Learning (RPL)

You may already have some of the knowledge and skills covered in this
module because you have:
o Been working for some time
o Already completed training in this area.

If you can demonstrate to your Trainer that you are competent in a
particular skill or skills, talk to him/her about having them formally recognized
so you don’t have to do the same training again. If you have a qualification or
Certificate of Competency from previous trainings, show it to your teacher. If the
skills you acquired are still current and relevant to this module, they may
become part of the evidence you can present for RPL. If you are not sure about
the currency of your skills, discuss it with your Trainer.

After completing this module, ask your Trainer to assess your competency.
The result of your assessment will be recorded in your competency profile. All the
learning activities are designed for you to complete at your own pace.

Inside this module you will find the activities for you to complete followed by
relevant information sheets for each learning outcome. Each learning outcome
may have more than one learning activity.

Program/Course : COMPUTER SYSTEM SERVICING NCII
Unit of Competency : SET-UP SERVER
Module : SETTING-UP SERVER

INTRODUCTION:
This module covers the knowledge, skills and attitudes needed to set up
computer servers for LANs and SOHO systems. It consists of competencies to
set up user access and configure network services as well as to perform testing,
documentation and pre-deployment procedures.

SUMMARY OF LEARNING OUTCOME

LO 1. Set-up user access
LO 2. Configure network services
LO 3. Perform testing, documentation and pre-deployment procedures

LEARNING EXPERIENCES

LEARNING OUTCOME NO.1

Set-up user access

Learning Activities

• Read Information Sheets CO3.1-1 in Network Operating System (NOS) features
• Answer Self-Check CO3.1-1 in Network Operating System (NOS) features
• Compare your answer in Answer Key CO3.1-1 “Network Operating System
  (NOS) features”
• Read Information Sheets CO3.1-2 in File Services
• Answer Self-Check CO3.1-2 in File Services
• Compare your answer in Answer Key CO3.1-2 “File Services”
• Perform Task Sheets CO3.1-2
• Check performance criteria check list CO3.1-2
• Read Information Sheets CO3.1-3 in User access level configuration
• Answer Self-Check CO3.1-3 in User access level configuration
• Compare your answer in Answer Key CO3.1-3 “User access level
  configuration”
• Perform Task Sheets CO3.1-3
• Check performance criteria check list CO3.1-3
• Read Information Sheets 3.1-4 in Setting-up client/user access and security
• Answer Self-Check 3.1-4 in Setting-up client/user access and security
• Compare your answer in Answer Key 3.1-4 “Setting-up client/user access
  and security”
• Task Sheets CO3.1-4 in Setting-up client/user access and security
• Perform Task Sheets CO3.1-4
• Check performance criteria check list CO3.1-4

Special Instructions

In this learning outcome you learn about:
• Network Operating System (NOS) features
• File Services
• User access level configuration
• Setting-up client/user access and security

Read every Information Sheet carefully and answer the Answer Sheet, with the
guidance of your trainer.

INFORMATION SHEETS CO3.1-1
“Network Operating System (NOS) features”
I. Domain Name System

As many of you are probably aware, the Domain Name System (DNS) is now the
name resolution system of choice in Windows. Without it, computers would have
a very tough time communicating with each other. However, most Windows
administrators still rely on the Windows Internet Name Service (WINS) for name
resolution on local area networks and some have little or no experience with
DNS. If you fall into this category, read on. We'll explain how to install, configure,
and troubleshoot a Windows Server 2008 DNS server.

If you've ever used the Internet, it's a good bet that you've used the Domain
Name System, or DNS, even without realizing it. DNS is a protocol within the
set of standards for how computers exchange data on the Internet and on many
private networks, known as the TCP/IP protocol suite. Its basic job is to turn a
user-friendly domain name like "howstuffworks.com" into an Internet Protocol
(IP) address like 70.42.251.42 that computers use to identify each other on the
network. It's like your computer's GPS for the Internet.

Computers and other network devices on the Internet use an IP address to route
your request to the site you're trying to reach. This is similar to dialing a phone
number to connect to the person you're trying to call. Thanks to DNS, though,
you don't have to keep your own address book of IP addresses. Instead, you just
connect through a domain name server, also called a DNS server or name
server, which manages a massive database that maps domain names to IP
addresses.

Whether you're accessing a Web site or sending e-mail, your computer uses a
DNS server to look up the domain name you're trying to access. The proper term
for this process is DNS name resolution, and you would say that the DNS server
resolves the domain name to the IP address. For example, when you enter
"http://www.howstuffworks.com" in your browser, part of the network
connection includes resolving the domain name "howstuffworks.com" into an IP
address, like 70.42.251.42, for HowStuffWorks' Web servers.

You can always bypass a DNS lookup by entering 70.42.251.42 directly in your
browser (give it a try). However, you're probably more likely to remember
"howstuffworks.com" when you want to return later. In addition, a Web site's IP
address can change over time, and some sites associate multiple IP addresses
with a single domain name.

Without DNS servers, the Internet would shut down very quickly. But how does
your computer know what DNS server to use? Typically, when you connect to
your home network, Internet service provider (ISP) or WiFi network, the modem
or router that assigns your computer's network address also sends some
important network configuration information to your computer or mobile device.
That configuration includes one or more DNS servers that the device should use
when translating DNS names to IP addresses.

So far, you've read about some important DNS basics. The rest of this article
dives deeper into domain name servers and name resolution. It even includes an
introduction to managing your own DNS server. Let's start by looking at how IP
addresses are structured and how that's important to the name resolution
process.

DNS is short for Domain Name System (or Service or Server), an Internet service
that translates domain names into IP addresses. Because domain names are
alphabetic, they're easier to remember. The Internet, however, is really based
on IP addresses. Every time you use a domain name, therefore, a DNS service
must translate the name into the corresponding IP address. For example, the
domain name www.example.com might translate to 198.105.232.4. The DNS
system is, in fact, its own network. If one DNS server doesn't know how to
translate a particular domain name, it asks another one, and so on, until the
correct IP address is returned.

Installation

You can install a DNS server from the Control Panel or when promoting a
member server to a domain controller (DC) (Figure A). During the promotion, if
a DNS server is not found, you will have the option of installing it. To start
the promotion, open a command prompt, or click “START” and then “RUN”, and
type “DCPROMO”.

Figure A - Domain controller

To install a DNS server from the Control Panel, follow these steps:

• From the Start menu, select Control Panel | Administrative Tools |
  Server Manager.
• Expand and click Roles (Figure B).
• Choose Add Roles and follow the wizard by selecting the DNS role (Figure C).
• Click Install to install DNS in Windows Server 2008 (Figure D).

Figure B - Expand and click Roles

Figure C - DNS role

Figure D - Install DNS

II. Dynamic Host Configuration Protocol

Introduction

Dynamic Host Configuration Protocol (DHCP) is a core infrastructure service on
any network that provides IP addressing and DNS server information to PC
clients and any other device. DHCP is used so that you do not have to statically
assign IP addresses to every device on your network and manage the issues that
static IP addressing can create. More and more, DHCP is being expanded to fit
into new network services like the Windows Health Service and Network Access
Protection (NAP). However, before you can use it for more advanced services, you
need to first install it and configure the basics. Let’s learn how to do that.

Installing Windows Server 2008 DHCP Server

Installing Windows Server 2008 DHCP Server is easy. DHCP Server is now a
“role” of Windows Server 2008, not a Windows component as it was in the past.

To do this, you will need a Windows Server 2008 system already installed and
configured with a static IP address. You will need to know your network’s IP
address range, the range of IP addresses you will want to hand out to your PC
clients, your DNS server IP addresses, and your default gateway. Additionally,
you will want to have a plan for all subnets involved, what scopes you will want
to define, and what exclusions you will want to create.

To start the DHCP installation process, you can click Add Roles from the Initial
Configuration Tasks window or from Server Manager > Roles > Add Roles.

Figure 1: Adding a new Role in Windows Server 2008

When the Add Roles Wizard comes up, you can click Next on that screen.
Next, select that you want to add the DHCP Server Role, and click Next.

Figure 2: Selecting the DHCP Server Role

If you do not have a static IP address assigned on your server, you will get a
warning that you should not install DHCP with a dynamic IP address.

At this point, you will be prompted for IP network information, scope
information, and DNS information. If you only want to install DHCP server with
no configured scopes or settings, you can just click Next through these
questions and proceed with the installation.

On the other hand, you can optionally configure your DHCP Server during this
part of the installation.

Take this opportunity to configure some basic IP settings and configure
your first DHCP scope.

The wizard shows the network connection binding and asks you to verify it, like this:

Figure 3: Network connection binding

What the wizard is asking is, “what interface do you want to provide DHCP
services on?” Take the default and click Next.

Next, enter your Parent Domain, Primary DNS Server, and Alternate DNS
Server (as you see below) and click Next.

Figure 4: Entering domain and DNS information

Choose NOT to use WINS on the network and click Next.

Then, you will be prompted to configure a DHCP scope for the new DHCP Server. Configure
an IP address range of 192.168.1.50-100 to cover the 25+ PC clients on your local
network. To do this, click Add to add a new scope. As you see below, for this purpose
name the scope WBC-Local, configure the starting and ending IP addresses of
192.168.1.50-192.168.1.100, subnet mask of 255.255.255.0, default gateway of
192.168.1.1, and type of subnet (wired), and activate the scope.

Figure 5: Adding a new DHCP Scope

Back in the Add Scope screen, click Next to add the new scope (once the DHCP
Server is installed).

Choose to disable DHCPv6 stateless mode for this server and click Next.

Then confirm the DHCP Installation Selections (on the screen below) and
click Install.

Figure 6: Confirm Installation Selections

After only a few seconds, the DHCP Server is installed and the window below
appears:

Figure 7: Windows Server 2008 DHCP Server Installation succeeded

Click Close to close the installer window, then move on to managing your
new DHCP Server.

How to Manage your new Windows Server 2008 DHCP Server

Like the installation, managing Windows Server 2008 DHCP Server is also
easy. Back in the Windows Server 2008 Server Manager, under Roles, click on
the new DHCP Server entry.

Figure 8: DHCP Server management in Server Manager

However, to really configure the DHCP Server and see what clients have
obtained IP addresses, go to the DHCP Server MMC. To do this, go to Start >
Administrative Tools > DHCP Server, like this:

Figure 9: Starting the DHCP Server MMC

When expanded out, the MMC offers a lot of features. Here is what it looks like:

Figure 10: The Windows Server 2008 DHCP Server MMC

The DHCP Server MMC offers IPv4 & IPv6 DHCP Server info including all
scopes, pools, leases, reservations, scope options, and server options.

If you go into the address pool and the scope options, you can see that the
configuration made when installing the DHCP Server did, indeed, work.
The scope IP address range is there, and so are the DNS Server & default
gateway.

Figure 11: DHCP Server Address Pool

Figure 12: DHCP Server Scope Options
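
The scope settings entered in the wizard, and the address pool and scope option check described above, can also be done from an elevated PowerShell prompt with netsh dhcp. This is an added example, not part of the original module; the scope values are the ones used in the text, while the DNS server addresses and the scope comment are placeholders or assumptions.

```powershell
# Added example (not from the module): scripted equivalent of the wizard's
# scope settings. Run in an elevated PowerShell prompt on the DHCP server.
$subnet    = '192.168.1.0'
$mask      = '255.255.255.0'
$poolStart = '192.168.1.50'
$poolEnd   = '192.168.1.100'
$gateway   = '192.168.1.1'
$clients   = 25
# Placeholders: the module does not give the DNS server addresses.
$dns       = @('REPLACE-WITH-PRIMARY-DNS-IP', 'REPLACE-WITH-ALTERNATE-DNS-IP')

# Convert a dotted IPv4 address to a number so that ranges can be compared.
function ConvertTo-UInt32([string]$ip) {
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

$net  = ConvertTo-UInt32 $subnet
$size = [uint32]::MaxValue - (ConvertTo-UInt32 $mask)   # 255 for 255.255.255.0
$lo   = ConvertTo-UInt32 $poolStart
$hi   = ConvertTo-UInt32 $poolEnd
$gw   = ConvertTo-UInt32 $gateway

# Sanity checks before touching the server.
if ($dns -match 'REPLACE') { throw 'Set the DNS server addresses first.' }
if ($lo -gt $hi -or $lo -le $net -or $hi -ge ($net + $size)) {
    throw 'Pool is not inside the subnet.'
}
if ($gw -ge $lo -and $gw -le $hi) { throw 'Default gateway falls inside the pool.' }
if (($hi - $lo + 1) -lt $clients) { throw 'Pool is smaller than the number of clients.' }

# Create the scope (name from the text, comment is an assumption).
netsh dhcp server add scope $subnet $mask 'WBC-Local' 'Local PC clients'
if ($LASTEXITCODE -ne 0) { throw 'Could not create the scope.' }

# Address range, default gateway (option 003) and DNS servers (option 006).
netsh dhcp server scope $subnet add iprange $poolStart $poolEnd
netsh dhcp server scope $subnet set optionvalue 003 IPADDRESS $gateway
netsh dhcp server scope $subnet set optionvalue 006 IPADDRESS $dns[0] $dns[1]

# Activate the scope, then read back what the MMC shows under
# Address Pool, Scope Options and Address Leases.
netsh dhcp server scope $subnet set state 1
netsh dhcp server scope $subnet show iprange
netsh dhcp server scope $subnet show optionvalue
netsh dhcp server scope $subnet show clients
```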

SELF-CHECK CO3.1-1

Network Operating System (NOS) features

1. What is the CLI command to start installing DNS Network Operating features
in Windows 2008r2?

a. dcpromo
b. dqpromote
c. dcprom

2. What is the acronym for DNS?

a. Domain Name System
b. Domain Nomenclature System
c. Dual Name System

3. What is the acronym for DHCP?

a. Dynamic Host Control Protocol
b. Dynamic Host Configuration Protocol
c. Dual Host Configuration Protocol

Answer Key CO3.1-1

1. a. dcpromo

2. a. Domain Name System.

3. b. Dynamic Host Configuration Protocol

TASK SHEET CO3.1-1 “Network Operating System (NOS) features”

Title: Configure DNS and DHCP

Performance Objective: Adding roles to the server. The student
should be able to configure DNS and DHCP

Supplies/Materials : RJ45 connector, UTP Cable

Equipment : 1 PC Server, 1 PC, Switch.

Steps/Procedure:
1. Install DNS and name your FQDN “kenzhindrei.local”
2. Install DHCP role and configure your IP range 223.10.5.100 –
223.10.5.200

Assessment Method: Demonstration, Oral Questioning.

Performance Criteria Checklist CO3.1-1 “Network Operating System (NOS)
features”

CRITERIA (Did you…)                                       YES   NO
1. Did the student properly configure and install DHCP?
2. Did the student properly configure and install DNS?

Learning Experiences

LEARNING OUTCOME NO.2

Configure Network Services

Learning Activities

• Read Information Sheets 3.2-1 in Computer servers and functions
• Answer Self-Check 3.2-1 in Computer servers and functions
• Compare your answer in Answer Key 3.2-1 “Computer servers and functions”
• Read Information Sheets 3.2-2 in Types of Network services
• Answer Self-Check 3.2-2 in Types of Network services
• Compare your answer in Answer Key 3.2-2 “Types of Network services”
• Read Information Sheets 3.2-2 in Server configuration
• Answer Self-Check 3.2-2 in Types of Server configuration
• Compare your answer in Answer Key 3.2-2 “Server configuration”
• Task Sheets CO3.2-3 in Server configuration
• Perform Task Sheets CO3.2-3
• Check performance criteria check list CO3.2-3
• Read Information Sheets 3.2-4 in Network services configuration
• Answer Self-Check 3.2-4 in Network services configuration
• Compare your answer in Answer Key 3.2-4 “Network services configuration”
• Task Sheets CO3.2-4 in Network services configuration
• Perform Task Sheets CO3.2-4 in Network services configuration
• Check performance criteria check list CO3.2-4 “Network services
  configuration”
• Read Information Sheets 3.2-5 in Web applications/technologies
• Answer Self-Check 3.2-5 in Web applications/technologies configuration
• Compare your answer in Answer Key 3.2-5 “Web applications/technologies
  configuration”
• Task Sheets CO3.2-5 in Modules/add-ons installation and updates procedures
• Perform Task Sheets CO3.2-5 in Modules/add-ons installation and updates
  procedures
• Check performance criteria check list CO3.2-5 in Modules/add-ons
  installation and updates procedures
• Read Information Sheets 3.2-6 in Installing and configuring modules/add-ons
• Answer Self-Check 3.2-6 in Installing and configuring modules/add-ons
• Compare your answer in Answer Key 3.2-6 “Installing and configuring
  modules/add-ons”
• Task Sheets CO3.2-6 in Testing Network Services
• Perform Task Sheets CO3.2-6 Testing Network Services
• Check performance criteria check list CO3.2-6 Testing Network Services

Special Instructions

In this learning outcome you learn about:
• Computer servers and functions
• Types of Network services
• Server configuration
• Network services configuration
• Modules/add-ons installation and updates procedures
• Testing Network Services

Read every Information Sheet carefully and answer the Answer Sheet, with the
guidance of your trainer.

INFORMATION SHEETS CO3.1-2
“FILE SERVICES”

Managing Files

Many types of documents, including financial spreadsheets, business
plans, and sales presentations, must be shared on your network while
remaining protected from unauthorized access. Windows Server 2008 R2
offers a suite of technologies to provide both availability and security for
documents. To control access, use NTFS file permissions and Encrypting
File System (EFS). To provide redundancy, create a Distributed File System
(DFS) namespace and use replication to copy files between multiple
servers. You can use quotas to ensure that no single user consumes more
than his or her share of disk space (which might prevent other users from
saving files). Shadow copies and backups allow you to quickly recover from
data corruption and hardware failures. This chapter describes how to use
each of these technologies and explains the Windows Server 2008 R2 File
Services server role.

Objectives in this chapter:

■ Configure a file server.
■ Configure Distributed File System (DFS).
■ Manage file server resources.
■ Configure backup and restore.

Lessons in this chapter:

■ Lesson 1: Managing File Security
■ Lesson 2: Sharing Folders
■ Lesson 3: Backing Up and Restoring Files

Managing file security

Much of an organization’s most confidential data is stored in files and folders.
Windows Server 2008 R2, along with most recent business versions of Windows,
provides three technologies for controlling access to files, folders, and volumes:
NTFS file permissions, EFS, and BitLocker. The operating system uses NTFS file
permissions to determine which users can read or change files and folders. NTFS
file permissions work only when the operating system is running,
however. To protect data when someone steals a hard drive or an entire
computer, you must use encryption. EFS encrypts individual files and folders on
a per-user basis, whereas BitLocker encrypts entire volumes and can help
protect system files. The sections that follow give more information about these
three technologies.

NTFS File Permissions

NTFS file permissions determine which users can view or update files. For
example, you would use NTFS file permissions to grant your Human Resources
group access to personnel files while preventing other users from accessing those
files. The default NTFS file permissions for user and system folders are designed
to meet basic needs. These default permissions for different file types are:

■ User files: Users have full control permissions over their own files.
Administrators also have full control. Other users who are not administrators
cannot read or write to a user’s files.

■ System files: Users can read, but not write to, the %SystemRoot% folder and
subfolders. Administrators can add and update files. This allows administrators,
but not users, to install updates and applications.

■ Program files: Similar to the system files permissions, the %ProgramFiles%
folder permissions are designed to allow users to run applications and allow only
administrators to install applications. Users have read access, and
administrators have full control. Additionally, any new folders created in the root
of a disk will grant administrators full control and users read access.

The default file and folder permissions work well for desktop environments. File
servers, however, often require you to grant permissions to groups of users to
allow collaboration. For example, you might want to create a folder that all
Marketing users can read and update but that users outside the Marketing
group cannot access. Administrators can assign users or groups any of the
following permissions to a file or folder:

■ List Folder Contents: Users can browse a folder but not necessarily open the
files in it.

■ Read: Users can view the contents of a folder and open files. If a user has Read
but not Read & Execute permission for an executable file, the user will not be
able to start the executable.

■ Read & Execute: In addition to the Read permission, users can run
applications.

■ Write: Users can create files in a folder but not necessarily read them. This
permission is useful for creating a folder in which several users can deliver files
but not access each other’s files or even see what other files exist.

■ Modify: Users can read, edit, and delete files and folders.

■ Full Control: Users can perform any action on the file or folder, including
creating and deleting it as well as modifying its permissions.

To protect a file or folder with NTFS, follow these steps:

1. Open Windows Explorer (for example, by clicking Start and then choosing
Computer).

2. Right-click the file or folder, and then choose Properties. The Properties
dialog box for the file or folder appears.

3. Click the Security tab.

4. Click the Edit button. The Permissions dialog box appears.

5. If the user you want to configure access for does not appear in the Group Or
User Names list, click Add. Type the user name, and then click OK.

6. Select the user you want to configure access for. Then, select the check
boxes for the desired permissions in the Permissions For Users list, as shown
in Figure 1.2. Denying access always overrides allowed access. For example, if
Mary is a member of the Marketing group and you allow full control access for
Mary and then deny full control access for the Marketing group, Mary’s
effective permissions will be to deny full control.

7. Repeat steps 5 and 6 to configure access for additional users.

8. Click OK twice.

Additionally, there are more than a dozen special permissions that you can
assign to a user or group. To assign special permissions, click the Advanced
button on the Security tab of the file or Administrator Properties dialog box, as
shown in Figure 1-3. To configure NTFS file permissions from a command prompt
or script, use the icacls command. For complete usage information, type icacls
/? at a command prompt. NTFS file permissions are in effect whether users are
logged on locally or accessing folders across the network.
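
A command-line version of the Marketing folder and of the Mary/Marketing deny case described above, using icacls from an elevated PowerShell prompt. This is an added example, not part of the original module; the domain CONTOSO, the group and user names and the folder path are hypothetical.

```powershell
# Added example (not from the module). CONTOSO\Marketing, CONTOSO\mary and
# D:\Shares\Marketing are hypothetical names for a lab file server.
$folder = 'D:\Shares\Marketing'
$group  = 'CONTOSO\Marketing'
$user   = 'CONTOSO\mary'

# Run icacls and stop at the first failure instead of continuing with a
# half-configured folder.
function Invoke-Icacls {
    icacls @args
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $args" }
}

New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Explicit entries first: Administrators and SYSTEM get Full control (F),
# Marketing gets Modify (M). (OI)(CI) makes each entry apply to files and
# subfolders created later.
Invoke-Icacls $folder /grant 'BUILTIN\Administrators:(OI)(CI)F'
Invoke-Icacls $folder /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
Invoke-Icacls $folder /grant "${group}:(OI)(CI)M"

# Then drop the entries inherited from the parent folder, so users outside
# Marketing are left without any entry and cannot open the folder.
Invoke-Icacls $folder /inheritance:r

# List the resulting ACL.
Invoke-Icacls $folder

# The case from the text: allow Mary full control, then deny it to her group.
Invoke-Icacls $folder /grant "${user}:(OI)(CI)F"
Invoke-Icacls $folder /deny "${group}:(OI)(CI)F"

# Mary's allow entry is still listed, but the deny entry for her group wins.
Invoke-Icacls $folder

# Undo the demonstration: remove the deny entry and Mary's personal grant,
# then give Marketing its Modify access back.
Invoke-Icacls $folder /remove:d $group
Invoke-Icacls $folder /remove:g $user
Invoke-Icacls $folder /grant "${group}:(OI)(CI)M"
```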

Figure 1.3

A user who does not have NTFS permissions to read a folder or file will not see
it listed in the directory contents. This feature, known as Access-based
Enumeration (ABE), was introduced with Windows Server 2003 Service Pack 1.

Encrypting File System

NTFS provides excellent protection for files and folders as long as Windows is
running. However, an attacker who has physical access to a computer can start
the computer from a different operating system (or simply reinstall Windows) or
remove the hard disk and connect it to a different computer. Any of these very
simple techniques would completely bypass NTFS security, granting the attacker
full access to files and folders. EFS protects files and folders by encrypting them
on the disk. If an attacker bypasses the operating system to open a file, the file
appears to be random, meaningless bytes. Windows controls access to the
decryption key and provides it only to authorized users.

The sections that follow describe how to configure EFS. Another data
encryption technology, BitLocker, encrypts entire volumes and helps prevent
operating system files from being maliciously modified. BitLocker is described
at the end of this lesson.

Protecting Files and Folders with EFS

To protect a file or folder with EFS, follow these steps:


1. Open Windows Explorer (for example, by clicking Start and then choosing
Computer).
2. Right-click the file or folder, and then click Properties. The Properties dialog
box appears.
3. On the General tab, click Advanced. The Advanced Attributes dialog box
appears.
4. Select the Encrypt Contents to Secure Data check box.
5. Click OK twice.
If you encrypt a folder, Windows automatically encrypts all new files in the
folder. Windows Explorer shows encrypted files in green. The first time you
encrypt a file or folder, Windows might prompt you to back up your file
encryption key, as shown in Figure 1-3. Choosing to back up the key launches
the Certificate Export Wizard, which prompts you to password-protect the
exported key and save it to a file. Backing up the key is very important for
stand-alone computers, because if the key is lost, the files are inaccessible. In
Active Directory environments, you should use a data recovery agent (DRA), as
described later in this section, to recover files.

Figure 1.3

Sharing folders
One of the most common ways for users to collaborate is by storing documents
in shared folders. Shared folders allow any user with access to your network and
appropriate permissions to access files. Shared folders also allow documents to
be centralized, where they are more easily managed than they would be if they
were distributed to thousands of client computers.

Although all versions of Windows since Windows for Workgroups 1.4 have
supported file sharing, Windows Server 2008 R2 includes the File Services server
role, which provides a robust set of features for sharing folders and managing
shared files. With the improved disk quota capability, Windows can notify users
and administrators when individual users consume too much disk space. DFS
provides a centralized directory structure for folders shared from multiple
computers and is capable of automatically replicating files between folders for
redundancy. Offline Files automatically copies shared files to mobile computers
so that users can access the files while disconnected from the network.

Installing the File Services Server Role

Windows Server 2008 R2 can share folders without adding any server roles.
However, adding the File Services server role adds useful management tools
along with the ability to participate in DFS namespaces, configure quotas,
generate storage reports, and other capabilities. To install the File Services server
role, follow these steps:

1. In Server Manager, select and then right-click Roles. Choose Add Role. The
Add Roles Wizard appears.
2. On the Before You Begin page, click Next.
3. On the Server Roles page, select the File Services check box. Click Next.
4. On the File Services page, click Next.
5. On the Select Role Services page, select from the following roles:

■ File Server: Although not required to share files, adding this core role service
allows you to use the Share And Storage Management snap-in.

■ Distributed File System: Enables sharing files by using the DFS namespace
and replicating files between DFS servers. If you select this role service, the
wizard will prompt you to configure a namespace.

■ File Server Resource Manager: Installs tools for generating storage reports,
configuring quotas, and defining file screening policies. If you select this role
service, the wizard will prompt you to enable storage monitoring on the local
disks.

■ Services for Network File System: Provides connectivity for UNIX client
computers that use Network File System (NFS) for file sharing. Note that most
modern UNIX operating systems can connect to standard Windows file shares, so
this service is typically not required.

■ Windows Search Service: Indexes files for faster searching when clients connect
to shared folders. This role service is not intended for enterprise use. If you select
this role service, the wizard will prompt you to enable indexing on the local disks.

■ Windows Server 2003 File Services: Provides services compatible with
computers running Windows Server 2003.

■ BranchCache for Network Files: Caches shared files on servers at branch
offices to reduce bandwidth usage on your Wide Area Network (WAN).

6. Respond to any role service wizard pages that appear.
7. On the Confirmation page, click Install.
8. On the Results page, click Close.

You can access the File Services tools by using the Roles\File Services node in
Server Manager. The sections that follow provide more information about these
role services.

Folder Sharing

You can share folders across the network to allow other computers to access
them, as if the computers were connected to a local disk.

Sharing Folders from Windows Explorer

The simplest way to share a folder is to right-click the folder
in Windows Explorer, choose Share With, and then choose Specific People. As
shown in Figure 1.4, the File Sharing dialog box appears and allows you to select
the users who will have access to the folder. Click Share to create the shared
folder, and then click Done.

Figure 1.4

Using this interface, you can select either Read or Read/Write permissions. The
following section describes a different technique for sharing folders that provides
more permissions flexibility.

Sharing Folders by Using the Provision A Shared Folder Wizard


Using the Provision A Shared Folder Wizard, you can share folders, configure
quotas, and specify security by following these steps:

1. In Server Manager, right-click Roles\File Services\Share And Storage
Management, and then choose Provision Share. The Provision A Shared Folder
Wizard appears.

2. On the Shared Folder Location page, click the Browse button to select the
folder to share. Click OK. Click Next.

3. On the NTFS Permissions page, you can choose to edit the NTFS file system
permissions for the shared folder. If you want to change the current permissions,
select Yes, and then, if necessary, click Edit Permissions. Configure the NTFS
permissions as necessary, and then click OK. Click Next.

4. On the Share Protocols page, you can choose whether to share the folder by
using the Windows protocol (indicated as SMB, which stands for Server Message
Block) or using a UNIX protocol (indicated as NFS, or Network File System).
Typically, SMB will suffice, even for UNIX clients. NFS is available only when the
Services For Network File System role service is installed. Click Next.

5. On the SMB Settings page, click Advanced if you want to change the default
settings for the number of simultaneous users permitted, offline files, or access-
based enumeration. Access-based enumeration hides shared folders that a user
does not have permission to access. Click Next.

6. On the SMB Permissions page, as shown in Figure 1.5, select the permissions
you want to assign.

To define custom permissions, select Users And Groups Have Custom Share
Permissions, and then click the Permissions button. Click Next.

7. On the Quota Policy page, select the Apply Quota check box if you want to
define a quota. Then, select a quota template. Click Next.

8. On the File Screen Policy page, select the Apply File Screen check box if you
want to allow only specific types of files in the folder. Then, select the file screen
you want to use. Click Next.

9. On the DFS Namespace Publishing page, select the Publish The SMB Share
To A DFS Namespace check box if desired. Then, provide the DFS namespace
information. Click Next.

10. On the Review Settings And Create Share page, click Create. Then click
Close.
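
The share and NTFS permission steps of the wizard can also be scripted. The following PowerShell script is an added example, not part of the module: it sets NTFS permissions with icacls and creates the share with net share, granting access to groups instead of to Everyone. The folder path, the share name, and the CONTOSO group names are assumptions.

```powershell
# Added example (not from the module): share a folder with group-based,
# least-privilege permissions on Windows Server 2008 R2.
# Assumed names: C:\Shares\Projects, the share name "Projects", and the domain
# groups CONTOSO\ProjectReaders and CONTOSO\ProjectEditors.
# Run from an elevated PowerShell prompt on the file server.

$Path      = 'C:\Shares\Projects'
$ShareName = 'Projects'
$Readers   = 'CONTOSO\ProjectReaders'
$Editors   = 'CONTOSO\ProjectEditors'

function Assert-LastCommand {
    param([string]$Step)
    # Native tools report failure through the exit code, not an exception.
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

# Create the folder if it does not exist yet.
if (-not (Test-Path $Path)) {
    New-Item -Path $Path -ItemType Directory | Out-Null
}

# NTFS permissions (wizard step 3). Grant the explicit entries first, then
# remove the entries inherited from the parent folder so that only the
# entries below remain. (OI)(CI) applies an entry to files and subfolders.
icacls $Path /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
Assert-LastCommand 'Granting administrative access'
icacls $Path /grant "${Readers}:(OI)(CI)RX" "${Editors}:(OI)(CI)M"
Assert-LastCommand 'Granting group access'
icacls $Path /inheritance:r
Assert-LastCommand 'Removing inherited permissions'

# Share permissions (wizard step 6). Over the network a user gets the more
# restrictive of the share permission and the NTFS permission, so the two
# sets are kept aligned: readers READ, editors CHANGE.
net share "$ShareName=$Path" "/GRANT:$Readers,READ" "/GRANT:$Editors,CHANGE"
Assert-LastCommand 'Creating the share'

# Review the result: share permissions first, then the NTFS access control list.
net share $ShareName
icacls $Path
```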

Task Sheets CO3.1-2 in File Services

Title: File Server Role – Folder Sharing

Performance Objective: The student should install the File Services role
and share a folder over the network.

Supplies/Materials : RJ45 connector, UTP Cable

Equipment : 1 PC Server, 1 PC, Switch.

Steps/Procedure:
1. Install the File Services role on Windows Server 2008 R2.
2. Create a folder on Drive “C:” and name it “Shared Folder”.
3. Configure the folder's Security and Sharing settings so that the users
can access the folder.

Assessment Method: Demonstration, Oral Questioning.

Performance Criteria Checklist CO3.1-2 in File Services
CRITERIA
YES NO
Did you….
1. Did the student properly install the File Services role?

2. Did the student properly configure and create a
shared folder on Drive C:?

3. Did the student properly assign security and
permission to the folder?

Learning Experiences

LEARNING OUTCOME NO.3

Perform Testing, Documentation, and Pre-Deployment Procedures

Learning Activities

Read Information Sheets 3.3-1 in Pre-deployment procedures and practices
Answer Self-Check 3.3-1 in Pre-deployment procedures and practices
Compare your answer in Answer Key 3.3-1 “Pre-deployment procedures and practices”
Read Information Sheets 3.3-2 Testing procedures
Answer Self-Check 3.3-1 in Testing procedures
Compare your answer in Answer Key 3.3-2 “Testing procedures”
Task Sheets CO3.3-2 in Testing procedures
Perform Task Sheets CO3.3-2 in Testing procedures
Check performance criteria check list CO3.2-2 Testing procedures
Read Information Sheets 3.3-3 Enterprise policies and procedures
Answer Self-Check 3.3-3 in Enterprise policies and procedures
Compare your answer in Answer Key 3.3-3 “Enterprise policies and procedures”

Special Instructions

In this learning outcome you learn about:
 Pre-deployment procedures and practices
 Testing procedures
 Enterprise policies and procedures

Read every Information Sheet carefully and answer the Answer sheet, with the
guidance of your trainer.

INFORMATION SHEETS CO3.1-3

User access level configuration

“Creating Objects in Active Directory”

Active Directory is a directory service, and it is the role of a directory service to
maintain information about enterprise resources, including users, groups, and
computers. Resources are divided into OUs to facilitate manageability and
visibility—that is, they can make it easier to find objects. In this lesson, you learn
how to create OUs, users, groups, and computers. You also learn important skills
to help you locate and find objects when you need them.
If you are experienced with Active Directory, you can review the first few sections
in this lesson quickly, but you might want to pay particular attention to the later
sections, beginning with “Finding Objects in Active Directory,” because they will
help you make better use of Active Directory tools. The practice exercises at the
end of this lesson are important for you to complete, because they create some
of the objects that will be used in future practices.

Creating an Organizational Unit

Organizational units (OUs) are administrative containers within Active Directory
that are used to collect objects that share common requirements for
administration, configuration, or visibility. What this means will become
clearer as you learn more about OU design and management. For now, just
understand that OUs provide an administrative hierarchy similar to the folder
hierarchy of a disk drive: OUs create collections of objects that belong together
for administration. The term administration is emphasized here because OUs are
not used to assign permissions to resources—that is what groups are for. Users
are placed into groups that are given permission to resources. OUs are
administrative containers within which those users and groups can be managed
by administrators.

To create an organizational unit:

1. Open the Active Directory Users And Computers snap-in.

2. Right-click the Domain node or the OU node in which you want to add the
new OU, point to New, and then click Organizational Unit.

3. Type the name of the organizational unit. Be sure to follow the naming
conventions of your organization.

4. Select Protect Container From Accidental Deletion. You’ll learn more about
this option later in this section.

5. Click OK. OUs have other properties that can be useful to configure. These
properties can be set after the object has been created.

6. Right-click the OU and click Properties. Follow the naming conventions and
other standards and processes of your organization.
You can use the Description field to explain the purpose of an OU.
If an OU represents a physical location, such as an office, the OU’s address
properties can be useful. You can use the Managed By tab to link to the user or
group that is responsible for the OU. Click the Change button under the Name
box. You’ll learn about the Select Users, Contacts, Or Groups dialog box later in
this lesson. The remaining contact information on the Managed By tab is
populated from the account specified in the Name box. The Managed By tab is
used solely for contact information—the specified user or group does not gain
any permissions or access to the OU.

7. Click OK.

Windows Server 2008 introduced a new option when creating an OU: Protect
Container From Accidental Deletion. This option adds a safety switch to the OU
so that it cannot be accidentally deleted. Two permissions are added to the OU:
Everyone::Deny::Delete and Everyone::Deny::Delete Subtree. No user, not even
an administrator, will be able to delete the OU and its contents accidentally. It
is highly recommended that you enable this protection for all new OUs.

If you want to delete the OU, you must first turn off the safety switch. To delete
a protected OU, follow these steps:

1. In the Active Directory Users And Computers snap-in, click the View menu
and select Advanced Features.
2. Right-click the OU and click Properties.
3. Click the Object tab. If you do not see the Object tab, you did not enable
Advanced Features in step 1.
4. Clear the check box labeled Protect Object From Accidental Deletion.
5. Click OK.
6. Right-click the OU and click Delete.
7. You are prompted to confirm that you want to delete the OU. Click Yes.
8. If the OU contains any other objects, you are prompted by the Confirm
Subtree Deletion dialog box to confirm that you want to delete the OU and all
the objects it contains. Click Yes.
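
The safety switch described above can be set, inspected, and audited with the ActiveDirectory PowerShell module included with Windows Server 2008 R2. This is an added example, not part of the module; the OU name Branch Office and its description are assumptions.

```powershell
# Added example (not from the module). Requires the ActiveDirectory module and
# an account allowed to create OUs. The OU name "Branch Office" is an assumption.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName
$OuName   = 'Branch Office'
$OuDN     = "OU=$OuName,$DomainDN"

# Create the OU with the safety switch on (the check box in step 4).
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN `
    -Description 'Accounts and computers for the branch office' `
    -ProtectedFromAccidentalDeletion $true

# Show the Deny entries that the option added to the OU's access control list.
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights

# Audit: list every OU in the domain that is NOT protected, so that the
# protection can be switched on where it is missing.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName

# Deliberate deletion mirrors the manual procedure: clear the protection first,
# then delete. -Confirm forces a prompt, like the confirmation dialog boxes.
function Remove-ProtectedOU {
    param([Parameter(Mandatory = $true)][string]$Identity)
    Set-ADOrganizationalUnit -Identity $Identity -ProtectedFromAccidentalDeletion $false
    Remove-ADOrganizationalUnit -Identity $Identity -Recursive -Confirm
}
```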

Creating a User Object

To create a new user in Active Directory, perform the following steps. Be certain
to follow the naming conventions and processes specified by your organization.
1. Open the Active Directory Users And Computers snap-in.

2. In the console tree, expand the node that represents your domain (for
instance, contoso.com) and navigate to the OU or container (for example, Users)
in which you want to create the user account.

3. Right-click the OU or container, point to New, and then click User. The New
Object – User dialog box appears, as shown in Figure 1.5.
4. In First Name, type the user’s first name.

5. In Initials, type the user’s middle initial(s). Note that this property is, in fact,
meant for the initials of a user’s middle name, not the initials of the user’s first
and last name.
6. In Last Name, type the user’s last name.

7. The Full Name field is populated automatically. Make modifications to it if
necessary. The Full Name field is used to create several attributes of a user
object, most notably the common name (CN) and display name properties.
The CN of a user is the name displayed in the details pane of the snap-in. It must
be unique within the container or OU. Therefore, if you are creating a user object
for a person with the same name as an existing user in the same OU or container,
you must enter a unique name in the Full Name field.

8. In User Logon Name, type the name that the user will log on with and, from
the drop-down list, select the user principal name (UPN) suffix that will be
appended to the user logon name following the @ symbol.

Figure 1.5

User names in Active Directory can contain some special characters (including
periods, hyphens, and apostrophes), which allows you to generate accurate user
names such as O’Hara and Smith-Bates. However, certain applications can have
other restrictions, so it is recommended that you use only standard letters and
numerals until you have fully tested the applications in your enterprise for
compatibility with special characters in logon names. You can manage the list of
available UPN suffixes by using the Active Directory Domains And Trusts snap-
in. Right-click the root of the snap-in, Active Directory Domains And Trusts,
choose Properties, and then use the UPN Suffixes tab to add or remove suffixes.
The DNS name of your Active Directory domain will always be available as
a suffix and cannot be removed.

9. In the User logon name (Pre–Windows 2000) box of the Active Directory Users
And Computers snap-in, enter the pre–Windows 2000 logon name, often called
the down-level logon name.
10. Click Next.

11. Enter an initial password for the user in the Password and Confirm
Password boxes.

12. Select the User Must Change Password At Next Logon check box. It is
recommended that you always select this option so that the user can create a
new password unknown to the IT staff. Appropriate support staff members can
always reset the user’s password at a future date if they need to log on as the
user or access the user’s resources. However, only users should know their
passwords on a day-to-day basis.

13. Click Next.


14. Review the summary and click Finish. The New Object – User interface allows
you to configure a limited number of account-related properties such as name
and password settings. However, a user object in Active Directory supports
dozens of additional properties. These can be configured after the object has been
created.
15. Right-click the user object that you created and click Properties.

16. Configure user properties. Be certain to follow the naming conventions and
other standards of your organization.

17. Click OK.

Creating a Group Object

Groups are an important class of object because they are used to collect users,
computers, and other groups to create a single point of management. The most
straightforward and common use of a group is to grant permissions to a shared
folder. If a group has read access to a folder, for example, any of the group’s
members can read the folder. You do not have to grant read access directly to
each individual member; you can manage access to the folder simply by adding
and removing members of the group.

To create a group:

1. Open the Active Directory Users And Computers snap-in.

2. In the console tree, expand the node that represents your domain (for
instance, contoso.com) and navigate to the OU or container (such as Users) in
which you want to create the group.

3. Right-click the OU or container, point to New, and then click Group.
The New Object – Group dialog box appears, as shown in Figure 1.6.

4. Type the name of the new group in the Group Name box. Most organizations
have naming conventions that specify how group names should be created. Be
sure to follow the guidelines of your organization. By default, the name you type
is also entered as the pre–Windows 2000 name of the new group. It is very highly
recommended that you keep the two names the same.

5. Do not change the name in the Group Name (Pre–Windows 2000) box.

6. Choose the Group type.

 A Security group can be given permissions to resources. It can also be
configured as an email distribution list.

 A Distribution group is an email-enabled group that cannot be given
permissions to resources and is, therefore, used only when a group is an
email distribution list that has no possible requirement for access to
resources.

Figure 1.6

7. Select the Group Scope.

 A Global group is used to identify users based on criteria such as job
function, location, and so on.

 A Domain Local group is used to collect users and groups who share
similar resource access needs, such as all users who need to be able to
modify a project report.

 A Universal group is used to collect users and groups from multiple
domains.

Note that if the domain in which you are creating the group object is at a mixed or interim domain functional level,
you can select only Domain Local or Global scopes for security groups.

8. Click OK. Group objects have several properties that are useful to
configure. These can be specified after the object has been created.

9. Right-click the group and click Properties.

10. Configure the properties of the group. Be sure to follow the naming
conventions and other standards of your organization. The group’s
Members and Member Of tabs specify who belongs to the group and
what groups the group itself belongs to. The group’s Description field,
because it is easily visible in the details pane of the Active Directory Users
And Computers snap-in, is a good place to summarize the purpose of the
group and the contact information for individuals responsible for deciding
who is and is not a member of the group. The group’s Notes field can be
used to provide more detail about the group. The Managed By tab can be
used to link to the user or group that is responsible for the group. Click
Change under the Name box. To search for a group, you must first
click Object Types and select Groups. The Select User, Contact, Or Group
dialog box is discussed later in this lesson. The remaining contact
information on the Managed By tab is populated from the account
specified in the Name box. The Managed By tab is typically used for contact
information so that if a user wants to join the group, you can decide who
in the business should be contacted to authorize the new member.
However, if you select the Manager Can Update Membership List option,
the account specified in the Name box is given permission to add and
remove members of the group. This is one method for delegating
administrative control over the group.

11. Click OK.

Task Sheets CO3.1-3 in User access level configuration

Title: User access level

Performance Objective: The student should create an organizational unit,
a group, and a user.

Supplies/Materials :

Equipment : 1 PC Server with Windows 2008 server
installed, 1 PC, Switch.

Steps/Procedure:
1. Create an OU named Mygroup in the Active Directory Users And
Computers snap-in.

2. Inside the OU Mygroup, create a user named kenzhindrei dingal
with logon name kdbdingal (the student will provide the
password).

Assessment Method: Demonstration, Oral Questioning.

Performance Criteria Checklist CO3.1-3 in User access level configuration
CRITERIA
YES NO
Did you….
1. Did the student create an OU named Mygroup?

2. Did the student create a user inside OU Mygroup?

INFORMATION SHEETS 3.1-4
Setting-up client/user access and security

Administering User Accounts

In this chapter, you will learn how to apply tools and techniques to
automate the creation and management of users and to locate and
manipulate user objects and their attributes. Along the way, you will be
introduced to Microsoft Windows PowerShell, which represents the
future of command-line-based and automated administration for Windows
technologies. You will learn a variety of options for performing each of the
most common administrative tasks. The certification exam will expect you
to have a very basic understanding of the purpose and syntax of
command-line utilities and Windows PowerShell. However, this chapter
goes beyond the expectations of the exam to provide a solid introduction
to scripting and automation. Practice what you learn in this chapter, not
because you’ll need to be a scripting guru to pass the exam, but because
the more you can automate those tedious administrative tasks, the more
you can elevate your productivity and your success.

Lessons in this chapter:

Lesson 1: Automating the Creation of User Accounts

Lesson 2: Administering with Windows PowerShell and Active Directory
Administrative Center

Lesson 3: Supporting User Objects and Accounts

Automating the Creation of User Accounts


Users in a domain often share many similar properties. For example, all sales
representatives can belong to the same security groups, log on to the network
during similar hours, and have home folders and roaming profiles stored on the
same server. When you create a new user, you can simply copy an existing user
account rather than create a blank account and populate each property.
Since the days of Microsoft Windows NT 4.0, Windows has supported the concept
of user account templates. A user account template is a generic user account
prepopulated with common properties. For example, you can create a template
account for sales representatives that is preconfigured with group memberships,
logon hours, a home folder, and a roaming profile path.

To create a user account template, simply create a user account and prepopulate
appropriate attributes. We recommend that you use a naming standard that
makes templates easy to find. For example, configure the full name of the user
with an underscore (_) as the first character, such as _Sales User. The
underscore prefix will cause all templates to appear at the top of the list of users
in an organizational unit (OU).

NOTE DISABLE TEMPLATE USER ACCOUNTS

The template account should not be used to log on to the network, so be sure
to disable the account.

To create a new user account from the template, follow these steps:

1. Right-click the template user account, and then click Copy. The Copy Object
– User Wizard appears.

2. In the First Name box, type the user’s first name.

3. In the Last Name box, type the user’s last name.

4. Modify the Full Name value if necessary.

5. In the User Logon Name box, type the user logon name, and then select the
appropriate user principal name (UPN) suffix in the drop-down list.

6. In the User Logon Name (Pre-Windows 2000) box, type the user’s pre–Windows
2000 user name, and then click Next.

7. In Password and Confirm Password, type the user’s password.

8. Select the appropriate password options.

9. If the user account from which the new user account was copied was disabled,
clear the Account Is Disabled check box to enable the new account.

10. Click Next, and then click Finish.

After a user is created by copying the template, you can view and modify its
attributes in the Properties dialog box of the new account. It’s important to
realize that not all attributes are copied from the template. The list below
summarizes the attributes that are copied from the template, grouped by the
tabs in the Properties dialog box.

 General tab No properties are copied from the General tab.

 Address tab P.O. box, city, state or province, ZIP or postal code, and
country or region are copied. Note that the street address itself is not copied.

 Account tab Logon hours, logon workstations, account options, and
account expiration are copied.

 Profile tab Profile path, logon script, home drive, and home folder path
are copied.

 Organization tab Department, company, and manager are copied.

 Member Of tab Group membership and primary group are copied.

Using Active Directory Command-Line Tools

DSQuery is one of a suite of Active Directory command-line tools collectively called
DS commands. The following DS commands are supported in Windows Server
2008 R2:

DSAdd Creates an object in the directory.

DSGet Returns specified attributes of an object.

DSMod Modifies specified attributes of an object.

DSMove Moves an object to a new container or OU.

DSRm Removes an object, all objects in the subtree beneath a container object,
or both.

DSQuery Performs a query based on parameters provided at the command line
and returns a list of matching objects. By default, the result set is presented as
the distinguished names (DNs) of each object, but you can use the -o parameter
with modifiers such as dn, rdn, upn, or samid to receive the results as DNs,
relative DNs, user principal names (UPNs), or pre–Windows 2000 logon names
(security accounts manager [SAM] IDs).

Most of the DS commands take two modifiers after the command itself: the
object type and the object’s DN. For example, the following command adds a
user account for Mike Fitzmaurice:

dsadd user "cn=Mike Fitzmaurice,ou=User Accounts,dc=contoso,dc=com"

The object type, user, immediately follows the command. After the object type is
the object’s DN. When the object’s DN includes a space, surround the DN with
quotes. The following command removes the same user:

dsrm "cn=Mike Fitzmaurice,ou=User Accounts,dc=contoso,dc=com"

DS commands that read or manipulate attributes of objects include Dsquery.exe,
Dsget.exe, and Dsmod.exe. To specify an attribute, include it as a parameter
after the object’s DN. For example, the following command retrieves the home
folder path for Mike Fitzmaurice:

dsget user "cn=Mike Fitzmaurice,ou=User Accounts,dc=contoso,dc=com" -hmdir

The parameter of a DS command that represents an attribute, for example,
hmdir, is not always the same as the name of the attribute in the Active Directory
Users And Computers snap-in or in the schema.

Creating Users with DSAdd

Use the DSAdd command to create objects in Active Directory. The DSAdd User
command creates a user object and accepts parameters that specify properties
of the user. The following command shows the basic parameters required to
create a user account:

dsadd user "User DN" -samid "pre-Windows 2000 logon name" -pwd {Password | *} -mustchpwd yes

The -pwd parameter specifies the password. If it is set to an asterisk (*), you are
prompted for a user password. The -mustchpwd parameter specifies that the user
must change the password at next logon. DSAdd User accepts several
parameters that specify properties of the user object. The following command
creates a user with some of the more important fields populated:

dsadd user "cn=Amy Strande,ou=User Accounts,dc=contoso,dc=com" -samid Amy.Strande -fn Amy -ln Strande -display "Strande, Amy" -pwd Pa$$w0rd -desc "Vice President, IT"

Most parameter names are self-explanatory: -email, -profile, and -company, for
example. Type dsadd user /? or search the Windows Server 2008 R2 Help and
Support Center for thorough documentation of the DSAdd User parameters.
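
The DSAdd parameters above and the template-account note earlier in this lesson can be combined into a small PowerShell script. It is an added example, not part of the module: it builds dsadd user commands that use -pwd * so that no password is stored in the script or console history, rejects logon names with special characters, and lists template accounts that are still enabled. The sample users and the function names are assumptions.

```powershell
# Added example (not from the module). Run in a PowerShell console (not the
# ISE, because dsadd prompts for the password) on a server with the DS commands.

$TargetOU = 'ou=User Accounts,dc=contoso,dc=com'   # OU DN from the page's examples

# Constructed sample input; in practice this could come from Import-Csv.
$NewUsers = @(
    @{ First = 'Amy';  Last = 'Strande';     Logon = 'Amy.Strande' },
    @{ First = 'Mike'; Last = 'Fitzmaurice'; Logon = 'Mike.Fitzmaurice' },
    @{ First = 'Pat';  Last = "O'Hara";      Logon = "Pat.O'Hara" }   # rejected below
)

function ConvertTo-RdnValue {
    param([string]$Value)
    # Backslash-escape characters that are special inside a distinguished name.
    $Value.Trim() -replace '([,+"\\<>;=])', '\$1'
}

function Test-LogonName {
    param([string]$Logon)
    # Letters, numerals and periods only (the page advises avoiding other
    # special characters until applications are tested). The pre-Windows 2000
    # logon name of a user is limited to 20 characters.
    ($Logon -match '^[A-Za-z0-9.]+$') -and ($Logon.Length -le 20)
}

function New-DsAddArguments {
    param([hashtable]$User, [string]$OU)
    $fullName = '{0} {1}' -f $User.First, $User.Last
    $dn = 'cn={0},{1}' -f (ConvertTo-RdnValue $fullName), $OU
    # '*' makes dsadd prompt for the password, so it never appears in the
    # script, the console history, or the process command line.
    @('user', $dn, '-samid', $User.Logon, '-fn', $User.First, '-ln', $User.Last,
      '-display', $fullName, '-pwd', '*', '-mustchpwd', 'yes')
}

function Add-DirectoryUsers {
    param([object[]]$Users, [string]$OU, [switch]$Execute)
    foreach ($u in $Users) {
        if (-not (Test-LogonName $u.Logon)) {
            Write-Warning "Skipping '$($u.Logon)': logon name fails validation"
            continue
        }
        $dsArgs = New-DsAddArguments -User $u -OU $OU
        if ($Execute) {
            & dsadd $dsArgs          # each array element becomes one argument
        } else {
            # Dry run: show the command, quoting arguments that contain spaces.
            $shown = $dsArgs | ForEach-Object {
                if ($_ -match '\s') { '"{0}"' -f $_ } else { $_ }
            }
            Write-Output ('dsadd ' + ($shown -join ' '))
        }
    }
}

function Get-EnabledTemplateAccounts {
    # Template accounts follow the page's convention of a leading underscore in
    # the name. A template that is not in the disabled list can still log on.
    $all      = @(dsquery user -name '_*' -limit 0)
    $disabled = @(dsquery user -name '_*' -disabled -limit 0)
    $all | Where-Object { $disabled -notcontains $_ }
}

# Dry run: prints two dsadd commands and a warning for the rejected logon name.
# Add -Execute to create the accounts; dsadd then prompts for each password.
Add-DirectoryUsers -Users $NewUsers -OU $TargetOU

# On a domain-joined server, list template accounts that should be disabled:
# Get-EnabledTemplateAccounts
```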

Task Sheets CO3.1-3 in User access level configuration

Title: Setting-up client/user access and security

Performance Objective: The student should add users
using command-line tools.

Supplies/Materials :

Equipment : 1 PC Server with Windows 2008 server
installed, 1 PC, Switch.

Steps/Procedure:
1. Using the command line, add a user named “ric dingal” in the
organizational unit “battousai” with the password “samurai_x”.

Assessment Method: Demonstration, Oral Questioning.

Performance Criteria Checklist CO3.1-3 in User access level configuration
CRITERIA
YES NO
Did you….
1. Did the student create a user OU and password using
command line tools?

INFORMATION SHEETS CO3.2-1
“Computer Servers and Functions”
What are server roles, role services, and features?

This section defines the terms role, role service, and feature as they apply to
Windows Server 2008 R2.

Roles

A server role is a set of software programs that, when they are installed and
properly configured, lets a computer perform a specific function for multiple
users or other computers within a network. Generally, roles share the following
characteristics.

 They describe the primary function, purpose, or use of a computer. A
specific computer can be dedicated to perform a single role that is heavily
used in the enterprise, or may perform multiple roles if each role is only
lightly used in the enterprise.

 They provide users throughout an organization access to resources
managed by other computers, such as Web sites, printers, or files that are
stored on different computers.

 They typically include their own databases that can queue user or
computer requests, or record information about network users and
computers that relates to the role. For example, Active Directory Domain
Services includes a database for storing the names and hierarchical
relationships of all computers in a network.

 As soon as they are properly installed and configured, roles function
automatically. This allows the computers on which they are installed to
perform prescribed tasks with limited user commands or supervision.

Role services

Role services are software programs that provide the functionality of a role. When
you install a role, you can choose which role services the role provides for other
users and computers in your enterprise. Some roles, such as DNS Server, have
only a single function, and therefore do not have available role services. Other
roles, such as Remote Desktop Services, have several role services that can be
installed, depending on the remote computing needs of your enterprise.

You can consider a role as a grouping of closely related, complementary role
services, for which, most of the time, installing the role means installing one or
more of its role services.

Features

Features are software programs that, although they are not directly parts of
roles, can support or augment the functionality of one or more roles, or improve
the functionality of the server, regardless of which roles are installed. For
example, the Failover Clustering feature augments the functionality of other
roles, such as File Services and DHCP Server, by allowing them to join server
clusters for increased redundancy and improved performance. Another feature,
Telnet Client, lets you communicate remotely with a telnet server over a network
connection, a functionality that enhances the communication options of the
server.

Windows Server 2008 is designed around certain roles and features. A role is a
primary duty that a server performs. For example, you typically would point at
a server and say "that's my domain controller (DC) and DNS server." A feature is
something that helps a server perform its primary duty (Windows Backup,
network load balancing). Certain roles are comprised of sub-elements called Role
Services, which are distinct units of functionality. For example, within the role
of Terminal Services are the TS Gateway and TS Licensing Role Services (among
others). Please note that Server 2008 Web Edition has only the Web Server role.
Also note that WINS isn't a role in Server 2008, it's a feature (see also, "Control
Windows Server 2008 Roles and Features" and "Windows Server 2008 in
Perspective").

The Server 2008 roles are as follows:

 Active Directory Certificate Services. Provides the services for creating and
managing public key certificates used in most aspects of security today,
including HTTP Security (HTTPS), which is vital to many Windows Roles;
Wireless network security; VPNs; IPsec; Encrypting File System (EFS); and other
software security systems that require encryption or digital signatures.
 Active Directory Domain Services. Previously known as just Active Directory,
AD Domain Services stores information about users, computers, and other
devices on the network in a security boundary known as a domain. With
resources and users being members of a domain or trusted hierarchy of domains
known as a forest, access to company-wide information is secure and no burden
on the user.
 Active Directory Federation Services (ADFS). Provides Web single-sign-on
(SSO) capabilities across separate organizations, allowing authentication across
multiple Web applications in various companies using a single user account.
ADFS accomplishes this by securely federating, or sharing, user identities and
access rights, in the form of digital claims, between partner organizations once
a federation trust has been established.
 Active Directory Lightweight Directory Services. Previously known as Active
Directory Application Mode (ADAM), Active Directory Lightweight Directory
Services provides a directory service that organizations can use to store
information specific to an application that is separate from the organization's
main AD. Active Directory Lightweight Directory Services runs as a non-OS
service and doesn't require deployment on a DC, with multiple Active Directory
Lightweight Directory Services instances supported on a single server.
 Active Directory Rights Management Services. Provides very granular
protection on supported documents via AD RMS-enabled applications to not only
protect documents and other digital information but also to control the actions
that authorized consumers of the information can do.
 Application Server. Comprises a number of components that are responsible
for the deployment and managing of .NET Framework 3.0 applications. These
components include the .NET Framework, Web Server (IIS) Support, Message
Queuing, COM+ Network Access, TCP Port Sharing, Distributed Transactions
and Windows Process Activation Service Support.
 Dynamic Host Configuration Protocol (DHCP) Server. Allows servers to assign
or lease IP addresses to computers and other devices that are enabled as DHCP
clients on the network.
 DNS Server. DNS is used to resolve host names to IP addresses, both IPv4 and
IPv6.
 Fax Server. Sends and receives faxes, and allows you to manage fax resources
such as jobs, settings, reports, and fax devices on this computer or on the
network.
 File Services. Provides technologies for storage management, which includes
control of the types of files stored on a server via file screens and powerful quotas,
file replication, distributed namespace management, NFS, and support for UNIX
clients.
 Hyper-V. Provides the services that you can use to create and manage virtual
machines (VMs) and their resources. Hyper-V will ship within 180 days of the
Server 2008 launch, but a beta version is supplied with the 2008 RTM.
 Network Policy and Access Services. Delivers a variety of methods to provide
users with local and remote network connectivity, to connect network segments,

Page 62 of 123
and to allow network administrators to centrally manage network access and
client health policies. With Network Access Services, you can deploy VPN servers,
dial-up servers, routers, and 802.11 protected wireless access. You can also
deploy RADIUS servers and proxies, and use Connection Manager
Administration Kit to create remote access profiles that allow client computers
to connect to your network.
 Print Services. Enables the management of print servers and printers. A print
server reduces administrative and management workload by centralizing printer
management tasks. Also part of Print Services is the Print Management Console,
which streamlines the management of all aspects of printer server management
including the ability to remotely scan a subnet for printers and automatically
create the necessary print queues and shares.
 Terminal Services. Enables users to access Windows-based programs that are
installed on a terminal server or to access the Windows desktop from almost any
computing device that supports the RDP protocol. Users can connect to a
terminal server to run programs and to use network resources on that server.
Server 2008 has technologies that allow the RDP traffic necessary for
communication with a terminal server from a client to be encapsulated in HTTPS
packets, which means all communication is via port 443 so no special holes are
required in the firewall for access to terminal servers within an organization from
the Internet.
 Universal Description, Discovery, and Integration (UDDI) Services. UDDI
Services provides description, discovery, and integration capabilities for sharing
information about Web services within an organization's intranet, between
business partners on an extranet, or on the Internet.
 Web Server (IIS). Enables sharing of information on the Internet, intranets, or
extranets. It's a unified Web platform that integrates IIS 7.0, ASP.NET, and
Windows Communication Foundation. IIS 7.0 also features enhanced security,
simplified diagnostics, and delegated administration.
 Windows Deployment Services (WDS). Used to install and configure Windows
OSs that are stored in the Windows Imagine format remotely on computers via
Pre-boot Execution Environment (PXE) boot ROMs.

Features

.NET Framework 3.5.1. The .NET Framework 3.5.1 builds incrementally on the
features added in the .NET Framework 3.0, such as enhancements to Windows
Workflow Foundation (WF), Windows Communication Foundation (WCF),
Windows Presentation Foundation (WPF) and Windows CardSpace.
BitLocker Drive Encryption. BitLocker Drive Encryption helps protect data on
lost, stolen or inappropriately decommissioned computers by encrypting the
volume and checking the integrity of early boot components. Data is only
decrypted if those components are successfully verified and the encrypted drive
is located in the original computer. Integrity checking requires a compatible
trusted platform module (TPM).

Group Policy Management. Group Policy Management makes it easier to
deploy, manage, and troubleshoot Group Policy implementations. The standard
tool is Group Policy Management Console (GPMC), a scriptable Microsoft
Management Console (MMC) snap-in that provides a single administrative tool
for managing Group Policy across the enterprise.

Network Load Balancing. Network Load Balancing (NLB) distributes traffic
across several servers, by using the TCP/IP networking protocol. NLB is
especially useful for ensuring that stateless applications, such as a Web server
that is running IIS, are scalable by adding additional servers as the load
increases.

Remote Server Administration Tools. Remote Server Administration Tools
enables remote management of Windows Server 2008 and Windows
Server 2008 R2 from a computer running Windows Server 2008 R2 by allowing
you to run some of the management tools and snap-ins for roles, role services,
and features on a remote computer.

SMTP Server. Simple Mail Transfer Protocol (SMTP) Server supports the transfer
of e-mail messages between e-mail systems.

Internet Printing Client. Internet Printing Client enables users to connect and
print to printers on the local network or over the Internet by using Internet
Printing Protocol (IPP). You can use the Internet Printing Client and IPP to
connect to the shared printer by using a Web browser (if the print server has the
Internet Printing role service installed), or by using the Network Printer
Installation Wizard.

Multipath I/O. Multipath I/O (MPIO), together with the Microsoft Device Specific
Module (DSM) or a third-party DSM, provides support for using multiple data
paths to a storage device on Windows.

Quality Windows Audio Video Experience (qWave). Quality Windows Audio
Video Experience (qWave) is a networking platform for audio and video (AV)
streaming applications on IP-based home networks. qWave improves AV
streaming performance and reliability by ensuring network quality-of-service for
AV applications. It provides admission control, run time monitoring and
enforcement, application feedback, and traffic prioritization. On Windows Server
platforms, qWave provides only rate-of-flow and prioritization services.

Message Queuing. Message Queuing provides guaranteed message delivery,
efficient routing, security, and priority-based messaging between applications.
Message Queuing also accommodates message delivery between applications
that run on different operating systems, use dissimilar network infrastructures,
are temporarily offline, or that are running at different times.

Self-Check 3.2-1 in Computer servers and functions

_______________1. Feature of Windows 2008 server that allows
you to run some of the management tools
and snap-ins for roles, role services, and
features on a remote computer.
_______________2. Role of Windows 2008 server used to
install and configure Windows OSs that
are stored in the Windows Imaging format
remotely on computers via Pre-boot
Execution Environment (PXE) boot ROMs.
_______________3. A scriptable Microsoft Management
Console (MMC) snap-in that provides a
single administrative tool for managing
Group Policy across the enterprise.
_______________4. A feature of Windows Server 2008 that enhances
Windows Workflow Foundation (WF),
Windows Communication Foundation
(WCF), Windows Presentation Foundation
(WPF) and Windows CardSpace.
_______________5. A feature of Windows 2008 server that supports
the transfer of e-mail messages between
e-mail systems.

Answer Key 3.2-1 “Computer servers and functions”

1. Remote Server Administration Tools

2. Windows Deployment Services

3. Group Policy Management

4. .NET Framework 3.5.1

5. SMTP Server

INFORMATION SHEETS CO3.2-2

“Types of Network Services”

The following contains detailed information about networking products and
features for the IT professional to design, deploy, and maintain Windows
Server® 2008 R2 and Windows Server 2008.

802.1X Authenticated Wired Access. Windows Server® 2008 provides features
that you can use to deploy Institute of Electrical and Electronics Engineers (IEEE)
802.1X authenticated wired service for IEEE 802.3 Ethernet network clients. In
combination with the 802.1X-capable Ethernet switches and other Windows
Server 2008 services that you deploy on your network, you can use these
Windows Server 2008 features to control who can access your network.
You can also use features in Windows Server 2008 to define the local area
network (LAN) adapter connectivity and security settings that your clients use
for connection attempts. For example, Network Policy Server (NPS) allows you to
create and enforce network access policies for authentication, authorization,
and client health. The Wired Network (IEEE 802.3) Policies in Windows
Server 2008 Group Policy enable you to configure your network client computers
with the security and connectivity settings that they must use to connect to your
network.

The Network Policy and Access Services (NPAS) server role is a logical
grouping of the following related network access technologies:

• Network Policy Server (NPS)

• Routing and Remote Access Service (RRAS)

• Health Registration Authority (HRA)

• Host Credential Authorization Protocol (HCAP)

These technologies are the role services of the NPAS server role. When you
install the NPAS server role, you can install one or more role services while
running the Add Roles Wizard.

TCP/IP. Transmission Control Protocol/Internet Protocol (TCP/IP) is an
industry standard suite of protocols that is designed for large networks
consisting of network segments that are connected by routers. TCP/IP is the core
protocol suite that is used on the Internet.
Many TCP/IP application protocols were designed to access and transfer data
between dissimilar systems. These protocols include HTTP, FTP, and Telnet.
TCP/IP components in Windows allow standards-based connectivity to other
operating system platforms.

Microsoft Windows Server 2008 R2, Windows 7, Windows Server 2008, and
Windows Vista include a complete redesign of the TCP/IP protocol suite. The
TCP/IP redesign supports both Internet Protocol version 4 (IPv4) and Internet
Protocol version 6 (IPv6) to meet the connectivity and performance requirements
of today's networked environments.

802.1X Authenticated Wireless Access. Windows Server® 2008 provides
features that you can use to deploy Institute of Electrical and Electronics
Engineers (IEEE) 802.1X authenticated wireless service for IEEE 802.11 wireless
network clients. In combination with the 802.1X-capable wireless access points
(APs) and other Windows Server 2008 services that you deploy on your network,
you can use these Windows Server 2008 features to control who can access your
network.
You can also use features in Windows Server 2008 to define the wireless network
adapter connectivity and security settings that your wireless clients use for
connection attempts. For example, Network Policy Server (NPS) allows you to
create and enforce network access policies for authentication, authorization, and
client health. The Wireless Network (IEEE 802.11) Policies in Windows
Server 2008 Group Policy enable you to configure your network client computers
with the security and connectivity settings that they must use to connect to your
network.

Quality of Service. Policy-based QoS in Windows Server® 2008 allows you to
define the priority of traffic, negotiate finer service levels with bandwidth
providers, and control bandwidth costs. QoS policies are applied to a user login
session or a computer as part of a Group Policy object (GPO) that is linked to an
Active Directory container such as a domain, site, or organizational unit (OU).
Policy-based QoS allows you to:

■ Define the priority of traffic: You can configure a QoS policy to mark
outbound network traffic by using a specific Differentiated Services Code
Point (DSCP) value, as defined in RFC 2474.

■ Manage the use of bandwidth: You can configure a QoS policy with a
throttle rate for outbound traffic. With throttling, the QoS components
limit the aggregate outgoing network traffic that matches the QoS policy
settings to a specified rate.

High-Speed Networking Features. High-speed networking features include TCP
Chimney Offload, Virtual Machine Chimney, Virtual Machine Queue, receive-
side scaling, and Network Direct Memory Access (NetDMA). These features can
improve network and operating system performance, and are available in
Windows Server® 2008 R2. TCP Chimney Offload, receive-side scaling, and
NetDMA are also available in Windows Server® 2008.

NetWare Migration. By providing a complete set of migration services and tools,
Windows Services for NetWare version 5.03 can help your organization migrate
its Novell NetWare operating system to a Windows Server 2008 R2 operating
system.

Windows Services for NetWare 5.03 does not run on the Windows
Server 2008 R2 operating systems. However, you can still use it to migrate to an
infrastructure based on Windows Server 2008 R2 by using a server running
Windows Server 2003 R2 with Service Pack 2 (SP2) as a member domain
controller.

The following tools in Windows Services for NetWare 5.03 can help simplify your
organization’s adoption of Windows Server 2008 R2 and facilitate its migration
to Windows Server 2008 R2 from NetWare:

Telnet. Microsoft® Windows 7, Windows Server® 2008 R2, Windows Vista®,
and Windows Server® 2008 include Telnet Client and Server components. By
using Telnet Client and Server, you can create a remote command console
session on a host. You can run command-line programs and scripts in a remote
command console session just as if you were locally logged on to the host and
using a local Command Prompt window.

SELF-CHECK CO3.2-2
Types of Network services

Provide the meaning of the following acronyms

1. NPS

2. RRAS

3. HRA

4. HCAP

5. TCP/IP

6. QoS

7. NetDMA

8. GPO

Answer Key CO3.2-2

1. Network Policy Server

2. Routing and Remote Access Service

3. Health Registration Authority

4. Host Credential Authorization Protocol

5. Transmission Control Protocol/Internet Protocol

6. Quality of Service

7. Network Direct Memory Access

8. Group Policy Object

INFORMATION SHEETS CO3.2-2
Server Configuration

If you have just installed Windows Server 2008 and are trying to connect to
the Internet over wireless, the server will not see any wireless networks,
no matter which driver you install for your wireless card.

The reason is that wireless is disabled by default in Windows Server 2008.

To resolve it, do as follows:

In Server Manager, scroll down to Features Summary and click Add Features.

When the Select Features window appears, scroll down to Wireless LAN Service and select its
check box.

You'll be informed that the server may need a restart. Click Install to continue.

The Wireless LAN Service installation will be initialized.

Click Close to continue, and then browse your wireless networks as normal.

Choose one to connect to, and then you are done!

Task Sheets CO3.2-3 in Server configuration

Title: Enabling Wireless feature of Windows 2008 server

Performance Objective: The student should configure and enable
wireless networking

Supplies/Materials :

Equipment : 1 PC Server with Windows 2008 server installed,
wireless router, access point, 1 PC,
Switch, laptop

Steps/Procedure:
1. In the Server Manager enable Wireless Network feature.
2. Connect the laptop pc using Wireless Network

Assessment Method: Demonstration, Oral Questioning.

Performance Criteria Checklist CO3.2-3 in Server configuration
CRITERIA
YES NO
Did you….
1. Did the student enable and configure the wireless
feature of Windows 2008 server?
2. Did the student connect the laptop PC to the network
using wireless network?

Information Sheets 3.2-4
Network Services Configuration

Installing the Print and Document Services Server Role

Windows Server 2008 R2 can share printers without adding any server roles.
However, adding the Print And Document Services server role adds the Print
Management snap-in, which simplifies printer configuration. To install the Print
And Document Services server role, follow these steps:

1. In Server Manager, right-click Roles, and then choose Add Roles. The Add
Roles Wizard appears.

2. If the Before You Begin page appears, click Next.

3. On the Server Roles page, select the Print And Document Services check
box. Click Next.

4. On the Print And Document Services page, click Next.

5. On the Select Role Services page, select the appropriate check boxes for the
following roles, and then click Next:

■ Print server Installs the Print Management snap-in, described later in this
lesson. This is sufficient for allowing Windows and many non-Windows clients
to print.

■ LPD service Allows clients to print using the Line Printer Daemon (LPD)
protocol, which is commonly used by UNIX clients. To act as an LPD client, you
must install the Line Printer Remote (LPR) Port Monitor feature, as described in
“Installing Printers” later in this chapter.

■ Internet Printing Allows clients to print using Internet Printing Protocol (IPP)
and creates a website where users can manage print jobs using their web
browsers. This role service requires Internet Information Services (IIS).

■ Distributed scan server Allows you to manage network scanners, configure
scan processes, and route documents from network scanners to the correct
destination. If you install this role service, you need to create an Active
Directory account for it, generate an SSL certificate, and specify an email server.

6. If you are prompted to install the Web Server (IIS) role service, click Add
Required Role Services, and then click Next.

7. If the Specify Service Account page appears because you chose to install the
Distributed Scan Server role service, specify a domain user account that has
permissions to scan processes in Active Directory Domain Services and to specify
the scan destinations. Typically, you should create a new account specifically for
this purpose. Click Next.

8. If the Specify Temporary Folder Settings page appears because you chose to
install the Distributed Scan Server role service, select a folder to temporarily
store scan files and specify a size limit for the folder. Click Next.

9. If the Specify E-Mail Server For Scan Server page appears because you chose
to install the Distributed Scan Server role service, specify your Simple Mail
Transfer Protocol (SMTP) server. Click Next.

10. If the Choose A Server Authentication Certificate For SSL Encryption page
appears because you chose to install the Distributed Scan Server role service.

11. If the Web Server (IIS) page appears because you selected the Internet
Printing role service, click Next. Then, on the Select Role Services page, configure
the required IIS role services by using the default settings, and click Next again.

12. On the Confirm Installation Selections page, click Install.

13. On the Installation Results page, click Close.

14. If prompted, restart the computer. Before attempting to use the Print And
Document Services management tools, close and reopen Server Manager. You
can access the Print And Document Services tools by using the Roles\Print And
Document Services node in Server Manager.

Sharing Printers

You can share printers by using both Control Panel and the Print Management
snap-in. From Control Panel, right-click the printer, choose Printer Properties,
and then select the Sharing tab. To share a printer by using the Print
Management snap-in, right-click the printer, and then choose Manage Sharing.
Whichever method you choose, you will see a dialog box resembling 1.7. To share
the printer, select the Share This Printer check box. Select the Render Print Jobs
On Client Computers check box to allow clients to handle the processor-intensive
rendering process, or clear the check box to push the processing to the print
server. Select the List In The Directory check box to allow the printer to be found
in Active Directory. To add a driver for a processor type other than the operating
system’s default, click the Additional Drivers button. Then, click OK.

If the client’s operating system uses the same driver as the server, the client can
automatically download the driver the first time the client connects to the
printer. If a client requires a different driver (for example, if a client computer
uses a 32-bit version of Windows and the server uses a 64-bit version of
Windows), you should install the additional driver
on the server to allow the client to automatically install the driver. From the
Sharing tab, click the Additional Drivers button, select the check boxes for the
platforms you want to support, click OK, and then select the printer driver.

Configuring Print Server and Printer Permissions

In a manner that is similar to configuring NTFS file permissions, you can
configure printer and print server permissions. For example, you could use
printer permissions to grant only your Human Resources group access to print
to a departmental printer and grant IT the right to manage the printer. To
configure the permissions for either the print server or the printer, right-click
the object in the Print Management console, and then click Properties. Then,
select the Security tab. By default, everyone can print to a printer and view the
print server. Users can manage their own documents in the print queue but not
documents of other users. Administrators can manage any user’s documents in
the print queue and configure the printer itself. You can configure the following
printer permissions:

■ Print Users can print.

■ Manage Printers Users can change printer configuration settings.

■ Manage Documents Users can remove documents that have been submitted
to the printer.

Print servers also have the Print, Manage Printers, and
Manage Documents permissions. However, these options define only the default
settings for new printers that you create. Changing these permissions does not
impact any existing printers. In addition to the default printer permissions, you
can configure the following print server permissions to delegate management to
non-administrators:

■ View Server Users can view the server and shared printers.

■ Manage Server Users can manage the print server features.

Print server and printer permissions are in effect regardless of whether users are
logged on locally or are accessing folders across the network.

Task Sheets CO3.2-4 in Network Services Configuration
Title: Enabling Wireless feature of Windows 2008 server

Performance Objective: The student should configure Server Role

Supplies/Materials :

Equipment : 1 PC Server with Windows 2008 server installed,
wireless router, access point, 1 PC,
Switch, Laptop, Network Printer

Steps/Procedure:
1. In the Server Manager enable Print and Document Services
2. Connect printer to the server and install
3. Using Printer Sharing share printer so users can access the
printer

Assessment Method: Demonstration, Oral Questioning.

Performance Criteria Checklist CO3.2-4 in Network Services Configuration
CRITERIA
YES NO
Did you….
1. Did the student enable Print and Document Services?

2. Did the student install the printer and connect it to
the server?
3. Did the student successfully share the printer?

INFORMATION SHEETS 3.2-5
“Web Applications”

Install IIS 7.5 on Windows Server 2008 R2

IIS is one of the Windows Server® server roles. IIS can be installed through the
graphical user interface (GUI) by using the new Server Manager interface after
the Windows Server operating system is installed. Server Manager provides a
single dashboard to install or uninstall server roles and features. Server Manager
also gives an overview of all currently installed roles and features. When IIS is
chosen from the Server Manager, the basic components and services needed for
IIS are automatically selected.

1. Click Start -> All Programs -> Administrative Tools -> Server Manager.

2. In the Server Manager window, scroll down to Roles Summary, and then
click Add Roles. The Add Roles Wizard will start with a Before You Begin page.
The wizard asks for verification of the following:

a. The administrator account has a strong password.

b. The network settings, such as IP addresses, are configured.

c. The latest security updates from Windows® Update are installed.

3. Select Web Server (IIS) on the Select Server Roles page. An introductory
page will open with links for further information.

Note: When you use the Add Roles Wizard to install IIS, you get the default
installation, which has a minimum set of role services. If you need additional IIS
role services, such as Application Development or Health and Diagnostics,
make sure to select the check boxes associated with those features in the Select
Role Services page of the wizard.

4. Select the IIS services to be installed on the Select Role Services page. Add
only the modules necessary. In this case, ASP.NET is selected, and a description
of ASP.NET appears in the right pane. Once desired modules are added,
click Next.

5. Add any required role services.

6. IIS is now installed with a default configuration for hosting ASP.NET on
Windows Server. Click Close to complete the process.

7. Confirm that the Web server works by using http://localhost.

Note: Install only the absolutely necessary IIS services to minimize the IIS installation footprint. This
also minimizes the attack surface, which is one of the benefits of IIS 7 and above.
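
One way to check the installed footprint after the wizard finishes, as an added example that is not part of the original module: the script below compares the installed IIS role services with an allowlist. It assumes Windows Server 2008 R2 with the ServerManager PowerShell module; the function names, the allowlist and the sample data are constructed for illustration.

```powershell
# Added example (not from the original module): list IIS role services that are
# installed but not on the allowlist for this server.
# Get-InstalledIisRoleService, Get-ExtraIisRoleService, $Allowed and
# $SampleInstalled are names and data constructed for this example.

# Role services this server is meant to run (assumption: a site hosting
# ASP.NET, as selected in step 4). Adjust to your own requirement.
$Allowed = @(
    'Web-Server', 'Web-WebServer',
    'Web-Common-Http', 'Web-Static-Content', 'Web-Default-Doc', 'Web-Http-Errors',
    'Web-App-Dev', 'Web-Asp-Net', 'Web-Net-Ext', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    'Web-Health', 'Web-Http-Logging', 'Web-Request-Monitor',
    'Web-Security', 'Web-Filtering',
    'Web-Performance', 'Web-Stat-Compression',
    'Web-Mgmt-Tools', 'Web-Mgmt-Console'
)

function Get-InstalledIisRoleService {
    # Reads the live state on Windows Server 2008 R2.
    Import-Module ServerManager
    Get-WindowsFeature -Name 'Web-*' |
        Where-Object { $_.Installed } |
        ForEach-Object { $_.Name }
}

function Get-ExtraIisRoleService {
    param(
        [string[]]$Installed,
        [string[]]$Allowed
    )
    # -notcontains compares case-insensitively.
    $Installed | Where-Object { $Allowed -notcontains $_ } | Sort-Object
}

# Constructed sample of installed role services: the allowlist above plus
# directory browsing and FTP, which nobody asked for on this server.
$SampleInstalled = $Allowed + @('Web-Dir-Browsing', 'Web-Ftp-Server', 'Web-Ftp-Service')

# On a real server use: $installed = Get-InstalledIisRoleService
$installed = $SampleInstalled
$extra = Get-ExtraIisRoleService -Installed $installed -Allowed $Allowed

if ($extra) {
    'Role services installed but not required:'
    $extra | ForEach-Object { "  $_" }
    # After review, an unneeded role service can be removed with, for example:
    #   Remove-WindowsFeature Web-Dir-Browsing
}
else {
    'Installed IIS role services match the allowlist.'
}
```

With the constructed sample, the script reports Web-Dir-Browsing, Web-Ftp-Server and Web-Ftp-Service as candidates for removal.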

Self-Check 3.2-5
Web Applications/Technologies Configuration

1. Give the functions and uses of WEB IIS.

Answer Sheet 3.2-5 in Web Applications/Technologies Configuration
IIS is the Web Server (IIS) role in Windows Server® 2008 R2, and the Web server
in Windows® 7. By using IIS administration tools, such as IIS Manager, you can
configure settings for Web servers, sites, and applications.

Task Sheets CO3.2-5 in Modules/add-ons installation and
updates procedures
Title: Installing WEB IIS

Performance Objective: The student should install WEB IIS

Supplies/Materials :

Equipment : 1 PC Server with Windows 2008 server

Steps/Procedure:
1. In the Server Manager Add WEB IIS role
2. Check installed role using browser

Assessment Method: Demonstration, Oral Questioning.

Performance Criteria Checklist CO3.2-5 in Modules/add-ons installation and
updates procedures
CRITERIA
YES NO
Did you….
1. Did the student successfully install WEB IIS?

2. Did the student check the installed IIS using
browser?

INFORMATION SHEETS CO3.2-6
”Testing Network Services”

PERFORMING A TELNET TEST TO VERIFY NETWORK CONNECTION

Overview

Sometimes the CrashPlan app can't make an active network connection even if
the Internet appears to be working. This is because CrashPlan relies on specific
ports to be open. Telnet is a great tool for network troubleshooting, either for
computer-to-computer backups or backups to the cloud. The intent is to use the
Telnet client to test connectivity on the correct ports so as to rule out any sort of
issue with firewalls, anti-virus products, or other network issues.

What Are Ports?

Ports are specific gateways for Internet traffic to travel over. It's similar to a large
hallway with many doors leading outside. If a door is locked, you cannot access
the outside world. CrashPlan relies on specific doors to be open. These are
different from the ones your Internet browser requires. So, if your email and YouTube work
properly, but CrashPlan does not, you should make sure that the proper ports
are open.

Considerations

We are not trying to create an actual Telnet session, so you should be able to
run the test even if Telnet access (TCP 23) is “blocked” on the computer.

Tips For Using Telnet To Isolate The Issue

• If the Telnet test passes, there probably isn't an issue with the network. However,
some firewall and anti-virus applications are capable of blocking connections on
a per-application basis, so please ensure that CrashPlan has an exception
configured in your security software.
• Try disabling your firewall and any security software. If the test passes with the
firewall and/or security software disabled, then you know you have a
configuration issue with your software firewall or security software. Consult your
manufacturer documentation on how to configure an exception for CrashPlan on
TCP port 4242 or 443.
• With your software firewall or security software still disabled, check the router
configuration. Consult your router manufacturer's documentation to make sure
your router is configured properly to allow the connection. Test again after
making any modifications to the router configuration.
• Try bypassing your router completely and plugging your computer directly into
your modem instead. This will help rule out the router as a possible issue.

Using Telnet

Once you have the address, open a command prompt on the source computer:

• Windows: Start > Run > Type: cmd.exe
If you are using Windows Vista, 7, or 8, you must first install Telnet

Enter the command:

telnet address_of_destination 443

Example:

telnet central.crashplan.com 443

If Telnet successfully connects, the following encrypted connection string (a
bunch of unintelligible text) displays:

telnet central.crashplan.com 443

Trying 50.93.246.47...

Connected to central.crashplan.com.

Escape character is '^]'.

?cA-
18782|com.code42.messaging.security.SecurityProviderReadyMessage??"???Q
??????OM???`q?ʯ??N??6C:

If Telnet cannot successfully connect, you may see connection refused, no
response, or some other response.

Computer-To-Computer Destinations

Before You Begin

To use Telnet, you need to know the destination computer's IP address. You can
view the IP address from either the source or destination computer's CrashPlan
app.

• From the source: Go to Backup, click the destination's name.
• From the destination: Go to Backup, click the source's name.

There are two IP addresses displayed:

• Internal (displayed first): Use if the computers are on the same network or at
the same location
• Public: Use this address if the computers are on different networks or at
different locations

Using Telnet
Once you have the IP address, open a command prompt on the source
computer:

• Windows: Start > Run > Type: cmd.exe
If you are using Windows Vista, 7, or 8, you must first install Telnet
• Mac: Utilities > Terminal
• Linux: Terminal

Computer-to-computer backups use port 4242, so use the telnet command on
that port.

Enter the command:

telnet IP_address_of_destination_computer 4242

Example:

telnet 54.162.1.10 4242


If Telnet can successfully connect, you will see an encrypted connection string
(a bunch of unintelligible text):
telnet 54.162.1.10 4242

Trying 54.162.1.10…

Connected to 54.162.1.10. Escape character is '^]'.

??d???t”??Y+???+|???Ø‘?d6#?еW?{?????6߉?D!@g?????l?????>?]??b6`Û›??g
ֲ$d?c΋?

If Telnet cannot successfully connect, you may see connection refused, no
response, or some other response.

Installing Telnet on Windows Vista, Windows 7, and Windows 8

Telnet is not installed by default in Windows Vista or newer; so if you try to run
it you will get the message "'Telnet' is not recognized as an operable program or
batch file." To install Telnet, please follow these instructions:

1. Click Start then select Control Panel
2. Select Programs and Features
3. Select Turn Windows features on or off
4. Select the Telnet Client option
5. Click OK
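
Where installing Telnet Client is not possible or not wanted, the same reachability test can be run from PowerShell. The following is an added example, not part of the original module or of CrashPlan's documentation; the function name Test-TcpPort and the 3-second timeout are assumptions, while the ports (443 and 4242) and the sample host are the ones used above.

```powershell
# Added example (not from the original module). Tests whether a TCP port
# accepts connections, without opening a Telnet session.
# Test-TcpPort and its parameters are names chosen for this example.
# Written to work on PowerShell 2.0 (Windows Server 2008 R2 / Windows 7).

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000   # assumption: 3 s is enough for the handshake
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $status = 'Error'
    $detail = ''
    try {
        # Connect asynchronously so that silently dropped packets (a firewall
        # "drop" rule) end in a timeout instead of hanging the console.
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($pending)   # throws if the handshake failed
            $status = 'Open'
            $detail = 'TCP handshake completed; the port is reachable.'
        }
        else {
            $status = 'Timeout'
            $detail = 'No reply: traffic is probably dropped by a firewall or router.'
        }
    }
    catch {
        # PowerShell wraps .NET exceptions; unwrap to the underlying one.
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException]) {
            switch ($inner.SocketErrorCode.ToString()) {
                'ConnectionRefused' {
                    $status = 'Refused'
                    $detail = 'Host answered, but nothing listens on the port or a firewall rejected it.'
                }
                'HostNotFound' {
                    $status = 'DnsFailure'
                    $detail = 'The name could not be resolved.'
                }
                default {
                    $detail = "Socket error: $($inner.SocketErrorCode)"
                }
            }
        }
        else {
            $detail = $inner.Message
        }
    }
    finally {
        $client.Close()
    }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Port         = $Port
        Status       = $status
        Detail       = $detail
    } | Select-Object ComputerName, Port, Status, Detail
}

# Ports from the text: 443 for the cloud destination, 4242 for
# computer-to-computer backups. The host name is the example used above.
443, 4242 |
    ForEach-Object { Test-TcpPort -ComputerName 'central.crashplan.com' -Port $_ } |
    Format-Table -AutoSize
```

A Status of Open corresponds to Telnet's "Connected to" line; Refused and Timeout correspond to the "connection refused" and "no response" outcomes described above.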

Self-Check CO3.2-6
Testing Network Services

1. What is a telnet network service?
   a. network testing tool used to analyze client-to-client, computer-to-computer
      or even testing a domain client?
   b. A network Telecommunication tool to test network connectivity?
   c. A GUI to install software?

2. What are ports?
   a. Are specific gateways for Internet traffic to travel over.
   b. Are modules to plug in your devices
   c. They are part of Operating System



Answer Key CO3.2-6

1. a. is a network testing tool used to analyze client-to-client, computer-to-computer
or even testing a domain client.
2. b. are specific gateways for Internet traffic to travel over. It's similar to a
large hallway with many doors leading outside. If a door is locked, you cannot
access the outside world.



INFORMATION SHEETS CO3.3-1
“Pre-deployment procedures and practices”

Planning the deployment of AD-DNS-01

Following are key planning steps before installing Active Directory Domain
Services (AD DS) and DNS on AD-DNS-01.

Planning the name of the forest root domain

A first step in the AD DS design process is to determine how many forests your
organization requires. A forest is the top-level AD DS container, and consists of
one or more domains that share a common schema and global catalog. An
organization can have multiple forests, but for most organizations, a single forest
design is the preferred model and the simplest to administer.
When you create the first domain controller in your organization, you are
creating the first domain (also called the forest root domain) and the first forest.
Before you take this action using this guide, however, you must determine the
best domain name for your organization. In most cases, the organization name
is used as the domain name, and in many cases this domain name is registered.
If you are planning to deploy Web servers for your customers or partners, choose
a domain name and ensure that the domain name is not already in use.

Planning the forest functional level

While installing AD DS, you must choose the forest functional level that you want
to use. Domain and forest functionality, introduced in Windows Server 2003
Active Directory, provides a way to enable domain- or forest-wide Active Directory
features within your network environment. Different levels of domain
functionality and forest functionality are available, depending on your
environment. Forest functionality enables features across all the domains in
your forest. The following forest functional levels are available:

• Windows 2000. This forest functional level supports Windows NT 4.0,
  Windows 2000, and Windows Server 2003 domain controllers.

• Windows Server 2003. This forest functional level supports only
  Windows Server 2003 domain controllers and domain controllers that are
  running later versions of the Windows Server operating system.

• Windows Server 2008. This forest functional level supports only domain
  controllers that are running Windows Server 2008 and later versions of
  the Windows Server operating system.

• Windows Server 2008 R2. This forest functional level supports Windows
  Server 2008 R2 domain controllers and domain controllers that are
  running later versions of the Windows Server operating system.

If you are deploying a new domain in a new forest and all of your domain
controllers will be running Windows Server 2008 R2, it is recommended that you
configure AD DS with the Windows Server 2008 R2 forest functional level during
AD DS installation.

Planning static IP addresses

Before configuring each computer with a static IP address, you must plan your
subnets and IP address ranges. In addition, you must determine the IP addresses
of your DNS and WINS servers. If you plan to install a router that provides access
to other networks, such as additional subnets or the Internet, you must know
the IP address of the router, also called a default gateway, for static IP address
configuration.
The following table provides example values for static IP address configuration.

Configuration items:       Example values:

IP address                 192.168.0.3
Subnet mask                255.255.255.0
Default gateway            192.168.0.10
Preferred DNS server       192.168.0.1
Alternate DNS server       192.168.0.7
Preferred WINS server      192.168.0.2
Alternate WINS server      192.168.0.8



Planning DHCP servers and DHCP forwarding

Because DHCP messages are broadcast messages, they are not forwarded
between subnets by routers. If you have multiple subnets and want to provide
DHCP service for each subnet, you must do one of the following:

• Install a DHCP server on each subnet

• Configure routers to forward DHCP broadcast messages across subnets
  and configure multiple scopes on the DHCP server, one scope per subnet.

In most cases, configuring routers to forward DHCP broadcast messages is more
cost effective than deploying a DHCP server on each physical segment of the
network.

Planning IP address ranges

Each subnet must have its own unique IP address range. These ranges are
represented on a DHCP server with scopes.
A scope is an administrative grouping of IP addresses for computers on a subnet
that use the DHCP service. The administrator first creates a scope for each
physical subnet and then uses the scope to define the parameters used by
clients.
A scope has the following properties:

• A range of IP addresses from which to include or exclude addresses used
  for DHCP service lease offerings.

• A subnet mask, which determines the subnet for a given IP address.

• A scope name assigned when it is created.

• Lease duration values, which are assigned to DHCP clients that receive
  dynamically allocated IP addresses.

• Any DHCP scope options configured for assignment to DHCP clients, such
  as DNS server IP address, router/default gateway IP address, and WINS
  server IP address.

• Reservations are optionally used to ensure that a DHCP client always
  receives the same IP address.

Before deploying your servers, list your subnets and the IP address range you
want to use for each subnet.



Planning subnet masks

Network IDs and host IDs within an IP address are distinguished by using a
subnet mask. Each subnet mask is a 32-bit number that uses consecutive bit
groups of all ones (1) to identify the network ID and all zeroes (0) to identify the
host ID portions of an IP address.

For example, the subnet mask normally used with the IP address
131.107.16.200 is the following 32-bit binary number:
11111111 11111111 00000000 00000000

This subnet mask number is 16 one-bits followed by 16 zero-bits, indicating
that the network ID and host ID sections of this IP address are both 16 bits in
length. Normally, this subnet mask is displayed in dotted decimal notation as
255.255.0.0.

The following table displays subnet masks for the Internet address classes.

Address class   Bits for subnet mask                   Subnet mask

Class A         11111111 00000000 00000000 00000000    255.0.0.0
Class B         11111111 11111111 00000000 00000000    255.255.0.0
Class C         11111111 11111111 11111111 00000000    255.255.255.0

When you create a scope in DHCP and you enter the IP address range for the
scope, DHCP provides these default subnet mask values. Typically, default
subnet mask values (as shown in the preceding table) are acceptable for most
networks with no special requirements and where each IP network segment
corresponds to a single physical network.

In some cases, you can use customized subnet masks to implement IP
subnetting. With IP subnetting, you can subdivide the default host ID portion of
an IP address to specify subnets, which are subdivisions of the original
class-based network ID. By customizing the subnet mask length, you can reduce the
number of bits that are used for the actual host ID. To prevent addressing and
routing problems, you should make sure that all TCP/IP computers on a network
segment use the same subnet mask and that each computer or device has a
unique IP address.



Planning exclusion ranges

You can exclude IP addresses from distribution by the DHCP server by creating
an exclusion range for each scope. You should use exclusions for all devices that
are configured with a static IP address. The excluded addresses should include
all IP addresses that you assigned manually to other servers, non-DHCP clients,
diskless workstations, or Routing and Remote Access and PPP clients. It is
recommended that you configure your exclusion range with extra addresses to
accommodate future network growth. The following table provides an example
exclusion range for a scope with an IP address range of
192.168.0.1 - 192.168.0.254.

Configuration items:                  Example values:

Exclusion range Start IP Address      192.168.0.1
Exclusion range End IP Address        192.168.0.15

Planning TCP/IP static configuration

Certain devices, such as routers, DHCP servers, and DNS servers, must be
configured with a static IP address. In addition, you might have additional
devices, such as printers, that you want to ensure always have the same IP
address. List the devices that you want to configure statically for each subnet,
and then plan the exclusion range you want to use on the DHCP server to ensure
that the DHCP server does not lease the IP address of a statically configured
device. An exclusion range is a limited sequence of IP addresses within a scope,
excluded from DHCP service offerings. Exclusion ranges assure that any
addresses in these ranges are not offered by the server to DHCP clients on your
network.
For example, if the IP address range for a subnet is 192.168.0.1 through
192.168.0.254 and you have ten devices that you want to configure with a static
IP address, you can create an exclusion range for the 192.168.0.x scope that
includes ten or more IP addresses: 192.168.0.1 through 192.168.0.15.
In this example, you use ten of the excluded IP addresses to configure servers
and other devices with static IP addresses and five additional IP addresses are
left available for static configuration of new devices that you might want to add
in the future. With this exclusion range, the DHCP server is left with an address
pool of 192.168.0.16 through 192.168.0.254. Additional example configuration
items for AD DS and DNS are provided in the following table.

Configuration items:                        Example values:

Network Connect Bindings                    Local Area Connection 2
DNS Server Settings                         AD-DNS-01
Preferred DNS server IP address             192.168.0.1
Alternate DNS server IP Address             192.168.0.6
WINS Server Settings, specify the IP        192.168.0.2
  address of your preferred WINS server,
  only if WINS is deployed on the network.
Alternate WINS server IP Address            192.168.0.12
Add Scope dialog box values:
  Scope Name:                               Primary Subnet
  Starting IP Address                       192.168.0.1
  Ending IP Address:                        192.168.0.254
  Subnet Mask                               255.255.255.0
  Default Gateway (optional)                192.168.0.11
  Subnet Type                               Wired (Lease duration will be 6 days)

IPv6 DHCP Server Operation Mode
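The planning rules above (one subnet mask per segment, statically configured devices kept inside the exclusion range, the remaining addresses left as the lease pool) can be checked before the scope is created. The following Python code is an added example, not part of the original module; the dictionary layout and function name are assumptions, PAGE_PLAN uses the example values from the tables above, and BAD_PLAN is constructed to show two planning mistakes.

```python
import ipaddress

# Values taken from the example tables above.
PAGE_PLAN = {
    "scope_start": "192.168.0.1", "scope_end": "192.168.0.254",
    "subnet_mask": "255.255.255.0",
    "exclusion_start": "192.168.0.1", "exclusion_end": "192.168.0.15",
    "static_devices": {
        "Preferred DNS": "192.168.0.1", "Alternate DNS": "192.168.0.6",
        "Preferred WINS": "192.168.0.2", "Alternate WINS": "192.168.0.12",
        "Default gateway": "192.168.0.11",
    },
}

# Constructed variant with two planning mistakes, for illustration only.
BAD_PLAN = dict(PAGE_PLAN, static_devices={
    "Printer": "192.168.0.40",       # inside the scope but not excluded
    "File server": "192.168.2.5",    # not on this subnet at all
})


def validate_scope_plan(plan):
    """Return (lease_pool, problems) for a planned DHCP scope.

    lease_pool lists the (first, last) address ranges the server can still
    lease once the exclusion range is removed from the scope.
    """
    try:
        # ipaddress rejects masks whose one-bits are not consecutive.
        net = ipaddress.IPv4Network(
            plan["scope_start"] + "/" + plan["subnet_mask"], strict=False)
        start = ipaddress.IPv4Address(plan["scope_start"])
        end = ipaddress.IPv4Address(plan["scope_end"])
        ex_start = ipaddress.IPv4Address(plan["exclusion_start"])
        ex_end = ipaddress.IPv4Address(plan["exclusion_end"])
        statics = {name: ipaddress.IPv4Address(addr)
                   for name, addr in plan["static_devices"].items()}
    except ValueError as exc:
        return [], ["invalid address or subnet mask: " + str(exc)]

    problems = []
    for label, addr in (("scope end", end), ("exclusion start", ex_start),
                        ("exclusion end", ex_end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside subnet {net}")
    if not start <= ex_start <= ex_end <= end:
        problems.append("exclusion range does not lie inside the scope")
    ranges_ok = not problems

    for name, addr in statics.items():
        if addr not in net:
            problems.append(f"{name} {addr} is outside subnet {net}")
        elif start <= addr <= end and not ex_start <= addr <= ex_end:
            problems.append(f"{name} {addr} is not excluded and could be leased")

    lease_pool = []
    if ranges_ok:
        if start < ex_start:
            lease_pool.append((str(start), str(ex_start - 1)))
        if ex_end < end:
            lease_pool.append((str(ex_end + 1), str(end)))
    return lease_pool, problems


if __name__ == "__main__":
    for label, plan in (("page plan", PAGE_PLAN), ("bad plan", BAD_PLAN)):
        print(label, validate_scope_plan(plan))
```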



SELF-CHECK CO3.3-1
Pre-deployment Procedures and Practices

Instructions: Identify the correct IP for the start IP and ending IP

Configuration items:                        Example values:

Network Connect Bindings                    Local Area Connection 2
DNS Server Settings                         AD-DNS-01
Preferred DNS server IP address             192.168.0.1
Alternate DNS server IP Address             192.168.0.6
WINS Server Settings, specify the IP        192.168.1.2
  address of your preferred WINS server,
  only if WINS is deployed on the network.
Alternate WINS server IP Address            192.168.0.12
Add Scope dialog box values:
  Scope Name:                               Primary Subnet
  Starting IP Address                       192.168.0.1
  Ending IP Address:                        192.128.1.254
  Subnet Mask                               255.255.255.0
  Default Gateway (optional)                192.168.0.11
  Subnet Type                               Wired (Lease duration will be 6 days)



Answer Key CO3.3-1

Configuration items:                        Example values:

Network Connect Bindings                    Local Area Connection 2
DNS Server Settings                         AD-DNS-01
Preferred DNS server IP address             192.168.0.1
Alternate DNS server IP Address             192.168.0.6
WINS Server Settings, specify the IP        192.168.1.2
  address of your preferred WINS server,
  only if WINS is deployed on the network.
Alternate WINS server IP Address            192.168.0.12
Add Scope dialog box values:
  Scope Name:                               Primary Subnet
  Starting IP Address                       192.168.0.1
  Ending IP Address:                        192.168.0.254
  Subnet Mask                               255.255.255.0
  Default Gateway (optional)                192.168.0.11
  Subnet Type                               Wired (Lease duration will be 6 days)



Information Sheets CO3.3-2
Testing Procedures

Configure How a Service Is Started

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server
2012

Services are often run with default settings — for example, a service might be
disabled automatically at startup. You can use the Services snap-in to change
the default settings for a service. This is useful if you are troubleshooting
service failures or if you need to change the security account under which a
service runs.

Membership in Account Operators, Domain Admins, Enterprise Admins,
or equivalent, is the minimum required to complete this procedure. Review the
details in "Additional considerations" in this topic.

Configuring how a service is started

• Using the Windows interface

• To configure how a service is started using the command line

To configure how a service is started using the Windows interface

1. Click Start, click in the Start Search box, type services.msc, and then
   press ENTER.

2. Optionally, export and save a list of the existing settings. To do this,
   right-click Services, select Export List, and save the settings list.

3. In the details pane, right-click the service that you want to configure, and
   then click Properties.

4. On the General tab, in Startup type, click Automatic, Manual, Disabled,
   or Automatic (Delayed Start).

5. To specify the user account that the service can use to log on, click the Log
   On tab, and then do one of the following:

   o To specify that the service uses the Local System account,
     click Local System account.

   o To specify that the service uses the Local Service account, click This
     account, and then type NT AUTHORITY\LocalService.

   o To specify that the service uses the Network Service account,
     click This account, and then type NT AUTHORITY\NetworkService.

   o To specify another account, click This account, click Browse, and
     then specify a user account in the Select User dialog box. When you
     are finished, click OK.

6. Type the password for the user account in Password and in Confirm
   password, and then click OK. If you select the Local Service account or
   Network Service account, do not type a password.

To configure how a service is started using the command line

• You can also manage services using the sc config command. For more
  information about the options available, open a command prompt and
  type sc config /?. For examples and detailed descriptions of the
  command-line options, see the command-line reference
  at http://go.microsoft.com/fwlink/?linkid=53528.

Additional considerations

• To perform this procedure, you must be a member of the Account
  Operators group, the Domain Admins group, the Enterprise Admins
  group, or you must have been delegated the appropriate authority. As a
  security best practice, consider using Run as to perform this procedure.

• Changing the default service settings might prevent key services from
  running correctly. It is especially important to use caution when changing
  the Startup Type and Log On As settings of services that are configured
  to start automatically.

• In most cases, we recommend that you do not change the Allow service
  to interact with desktop setting. If you allow the service to interact with
  the desktop, any information that the service displays on the desktop will
  also be displayed on an interactive user's desktop. A malicious user could
  then take control of the service or attack it from the interactive desktop.

• The Local Service account and Network Service account are configured
  with a null password. The password information you supply is ignored.

• We recommend that user accounts that are used to log on as a service
  have the Password never expires check box selected in
  their Properties dialog box and that they have strong passwords.

• If account lockout policy is enabled and the account is locked out, the
  service will not start.

• If you enable or disable a service and you encounter a problem starting
  the computer, you can start the computer in Safe Mode. In Safe Mode, core
  services that are required to start the operating system are started in a
  default scheme, regardless of any changes that are made to the service
  settings. After the computer is in Safe Mode, you can change the service
  configuration or restore the default configuration.

• If you specify an account that does not have permission to log on as a
  service, the Services snap-in automatically grants the appropriate
  permissions to that account on the computer that you are managing.
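The list saved with Export List in step 2 is useful as a baseline: comparing it with a later export shows which services had their Startup Type or Log On As account changed. The following Python code is an added example, not part of the original module; it assumes tab-delimited exports with the snap-in's column headings (Name, Description, Status, Startup Type, Log On As), and both sample exports are constructed.

```python
import csv
import io

# Assumed column headings of a saved Export List file.
COLUMNS = ["Name", "Description", "Status", "Startup Type", "Log On As"]


def make_export(rows):
    """Build tab-delimited text shaped like a saved Export List file."""
    return "\n".join("\t".join(row) for row in [COLUMNS] + rows)


# Constructed sample data: a baseline export and one taken after changes.
BASELINE = make_export([
    ["DHCP Server", "Leases addresses", "Started", "Automatic", "Network Service"],
    ["DNS Server", "Resolves names", "Started", "Automatic", "Local System"],
    ["Example Backup Agent", "Constructed entry", "Started", "Automatic", "Local Service"],
    ["Remote Desktop Services", "Remote logon", "", "Manual", "Network Service"],
])
CURRENT = make_export([
    ["DHCP Server", "Leases addresses", "Started", "Automatic", "Network Service"],
    ["DNS Server", "Resolves names", "Started", "Automatic", "Local System"],
    ["Example Backup Agent", "Constructed entry", "Started", "Automatic", "Local System"],
    ["Example Updater", "Constructed entry", "Started", "Automatic", "Local System"],
    ["Remote Desktop Services", "Remote logon", "", "Disabled", "Network Service"],
])


def load_export(text):
    """Index the exported rows by service name."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    return {row["Name"]: row for row in reader}


def diff_exports(before_text, after_text, fields=("Startup Type", "Log On As")):
    """Return (service, field, old, new) tuples for every difference."""
    before, after = load_export(before_text), load_export(after_text)
    changes = []
    for name in sorted(set(before) | set(after)):
        if name not in before:
            changes.append((name, "service", "absent", "added"))
        elif name not in after:
            changes.append((name, "service", "present", "removed"))
        else:
            for field in fields:
                old, new = before[name][field], after[name][field]
                if old != new:
                    changes.append((name, field, old, new))
    return changes


def needs_review(changes):
    """Pick out changes that widen what a service can do or whether it runs."""
    flagged = []
    for name, field, old, new in changes:
        if field == "Log On As" and new == "Local System":
            flagged.append(name)   # moved to the most privileged built-in account
        elif field == "Startup Type" and old == "Disabled":
            flagged.append(name)   # a disabled service was re-enabled
        elif field == "service" and new == "added":
            flagged.append(name)   # service that is not in the baseline
    return flagged


if __name__ == "__main__":
    found = diff_exports(BASELINE, CURRENT)
    for change in found:
        print(change)
    print("review:", needs_review(found))
```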



SELF-CHECK 3.3-1 in Testing procedures

True or False.
To configure services in Windows 2008 server, the command line tool to
execute the services window is services.mmc?

Answer Key 3.3-2
1. False - services.msc

Task Sheets CO3.3-2 in Testing Procedures

Title: Testing Procedures

Performance Objective: The student should perform and learn how to
enable and disable services

Supplies/Materials :

Equipment : 1 PC Server with Windows 2008 server installed

Steps/Procedure:
1. In Windows 2008 server click Start and Run or press
   Windows key + R
2. Then type services.msc
3. Disable Remote Desktop Services

Assessment Method: Demonstration, Oral Questioning.



Performance Criteria Checklist CO3.3-2 in Testing procedures

CRITERIA                                                      YES   NO
Did you….
1. Did the student successfully click RUN?

2. Did the student execute services.msc?

3. Did the student disable the Remote Desktop Services?



Information Sheets CO3.3-3
“Enterprise Policies and Procedures”

Procedure : Installing the Configuration Storage server

The Configuration Storage server stores the configuration information for all of
the arrays in the enterprise. This procedure describes how to install the
Configuration Storage server. Perform this procedure on the computer that you
have designated as the Configuration Storage server, CS-1 in this walk-through.

Installing the Configuration Storage server

1. On the Configuration Storage server (Main-Storage), log on to the domain
   as EnterpriseAdmin.

2. Insert the ISA Server CD into the CD drive, or run ISAautorun.exe from
   the shared network drive.

3. In Microsoft ISA Server Setup, click Install ISA (Internet Security
   Acceleration) Server.

4. After the setup program prompts that it has completed determining the
   system configuration, on the Welcome page, click Next.

5. If you accept the terms and conditions stated in the user license
   agreement, click I accept the terms in the license agreement, and then
   click Next.

6. Type your customer information, and then click Next.

7. On the Setup Scenarios page, select Install Configuration Storage
   server, and then click Next.

8. On the Component Selection page, you can review the settings, and then
   click Next.

9. On the Enterprise Installation Options page, select Create a new ISA
   Server enterprise, and then click Next.

10. On the New Enterprise Warning page, click Next. This page warns
    you not to install more than one enterprise. Because you are creating a
    new enterprise, you can ignore the warning.

11. On the Create a New Enterprise page, provide a name and
    description for the enterprise. In this walk-through, the enterprise will be
    called Fabrikam. You can provide a description of the enterprise
    (optional). Click Next.

12. On the Enterprise Deployment Environment page, you have the
    option of installing a digital certificate to enable encrypted communication
    between the Configuration Storage server and the computer running ISA
    Server services. All communication between computers running ISA Server
    services and Configuration Storage servers in a single domain is encrypted.
    We recommend that you use this option when your computers running
    ISA Server services are in a workgroup, or are in a domain other than that
    in which the Configuration Storage server is located, and there is no trust
    relationship between the domains. In this walk-through, the Configuration
    Storage server and the computers running ISA Server services are in the
    same domain, so you can leave the default selection, I am deploying in a
    single domain or in domains with trust relationships. Click Next.

13. On the Ready to Install the Program page, click Install to begin the
    installation.

14. After the installation is complete, select Invoke ISA Management
    when the wizard closes, and then click Finish.

15. In the ISA Server console, expand the Enterprise node, and expand
the Enterprise Policies node. Note that there is one policy listed,
the Default Policy. Click Default Policy and look at the rules in the
details pane. There is one enterprise policy rule, a rule that denies all
traffic, that is applied after array level rules. This rule ensures that unless
access is specifically allowed, ISA Server denies it. Other than this
enterprise policy rule, in the Default Policy, only array rules will apply.

16. Click the Enterprise Networks node. The details pane displays the
default enterprise networks. Note that there are no networks defined that
are specific to the IP address ranges in your enterprise. Click
the Arrays node. Note that this node is empty, because an array has not
yet been created.



SELF-CHECK CO3.3-3
“Enterprise Policies and Procedures”

Which statement is true about the Enterprise Deployment Environment?

a. Router communication between computers running ISA Server
   services and Configuration Storage servers in a single domain is
   encrypted.
b. Network communication between computers running ISA Server
   services and Configuration Storage servers in a single domain is
   encrypted.
c. All communication between computers running ISA Server services
   and Configuration Storage servers in a single domain is encrypted.



Answer Key CO3.3-3

a. All communication between computers running ISA Server services
   and Configuration Storage servers in a single domain is encrypted.
