Microsoft knowledge base: Windows Server 2008 Active Directory Configuration Study Guide (70-640)

April 12th, 2012  by Kaden

You can see a good example of group scope in Will Panek's MCTS Windows Server 2008 Active Directory Configuration Study Guide, published by Sybex.

Domain local groups can contain accounts (and global or universal groups) from any trusted domain, but they can be granted access only to resources in their own domain. All too often people make this more complicated than it is, but that really is all there is to it. As a simple example, if you have a domain local group in Domain 1, you can easily add accounts from Domain 2 to it, but the group can be given access only to resources in Domain 1.

Keep this in mind for the exam. Domain local groups are a very secure (arguably the most secure) form of group, because their reach never extends beyond their own domain, and Microsoft likes to ask questions about them on the exam.

The next group scope is the global group, and the easiest way to think about it is as the mirror image of a domain local group: a global group can be granted access to resources in any domain in the forest, but it can contain only accounts (and global groups) from its own domain. A typical use is three engineers in the engineering department who need access to a die cutter in another domain. Rather than setting permissions for each engineer, you create a global group for the engineers, put them in it, and grant that one group access to the die cutter in the other domain.

Universal security groups are available only when the domain functional level is Windows 2000 native or higher; a Windows Server 2008 domain controller requires at least that level, so they are always available in a domain that has one. Universal groups are the most flexible scope: a universal group can contain members from any domain in the forest, and it can be granted access to resources in any domain. This scope is useful to administrators, but it shouldn't be used excessively at the enterprise level. It's all too tempting to make every group universal and remove the need for granular administration. The downside is that universal group membership is stored in the global catalog, so every membership change is replicated to every global catalog server in the forest, which can create serious replication bottlenecks. At the Windows Server 2003 forest functional level or higher, linked-value replication sends only the changed member values rather than the whole member attribute, which reduces but does not remove that cost.
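The three scopes are usually combined as AGDLP (accounts into a global group, the global group into a domain local group, the permission on the domain local group). The following is an added example, not code from the study guide, using the ActiveDirectory PowerShell module (RSAT, or Windows Server 2008 R2 and later; it needs ADWS or the AD Management Gateway on a domain controller). The domain names, OU, user names, group names and the share path are assumed.

```powershell
# Added example (not from the study guide). Domain, OU, user, group and share names are assumed.
Import-Module ActiveDirectory

$ou        = "OU=Groups,DC=domain1,DC=example"          # assumed OU that receives the new groups
$shareRoot = "\\fileserver1.domain1.example\DieCutter"  # assumed resource that lives in Domain 1

# A (accounts) -> G (global group): members must come from the group's own domain.
New-ADGroup -Name "Eng-DieCutterOps" -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "Eng-DieCutterOps" -Members "alice", "bob", "carol"   # assumed Domain 1 users

# G -> DL (domain local group): this is the group that goes on the resource's ACL.
# It may contain users and global/universal groups from any trusted domain,
# but it can only be granted access to resources in Domain 1.
New-ADGroup -Name "DL-DieCutter-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "DL-DieCutter-Modify" -Members "Eng-DieCutterOps"

# Cross-domain nesting: a global group from Domain 2 goes into the same domain local group.
$eng2 = Get-ADGroup -Identity "Eng-DieCutterOps-D2" -Server "dc1.domain2.example"   # assumed
Add-ADGroupMember -Identity "DL-DieCutter-Modify" -Members $eng2

# DL -> P (permission): grant once, to the domain local group, on the resource.
$acl  = Get-Acl -Path $shareRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList "DOMAIN1\DL-DieCutter-Modify", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $shareRoot -AclObject $acl

# Check: a global group refuses members from another domain. The directory rejects this
# Add-ADGroupMember call, which is the scope rule at work, not a bug.
try {
    $user2 = Get-ADUser -Identity "dave" -Server "dc1.domain2.example"   # assumed Domain 2 user
    Add-ADGroupMember -Identity "Eng-DieCutterOps" -Members $user2 -ErrorAction Stop
} catch {
    Write-Warning "Global group rejected a cross-domain member: $($_.Exception.Message)"
}

# Audit: universal security groups, whose membership changes replicate to every global catalog.
Get-ADGroup -Filter { GroupScope -eq "Universal" -and GroupCategory -eq "Security" } |
    Select-Object Name, DistinguishedName
```

The final query is the check worth scheduling: if the list of universal security groups keeps growing, someone is taking the shortcut the text warns against, and each of those groups costs a forest-wide global catalog replication on every membership change.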

Microsoft surface: Directory Services Recovery Mode

April 11th, 2012  by Kaden

Within Active Directory, each object can be assigned permissions through access control lists. Individual permissions are binary: each entry either allows or denies a right, with nothing in between.

Beyond the individual permissions, every object has an object owner, who controls how the permissions on that object are set (as do administrators whose rights exceed the owner's). Furthermore, control of Active Directory objects and their permissions can be delegated to other users so that they manage those objects themselves. At the enterprise level this is common, because it simply isn't practical for administrators to handle everyday tasks, such as resetting passwords, for thousands of users. Accordingly, delegations are typically granted at the organizational unit level, so that a designated group administers the objects in that OU and takes that load off the administrators.

Every object within Active Directory carries authorization data that secures it. This information is stored in the object's security descriptor, which, according to the Microsoft documentation on Active Directory delegation best practices, includes the following:

Owner The SID of the object's owner.

Group The SID of the owner's primary group.

Discretionary access control list (DACL) A list of zero or more ACEs that specify who has what access to the object.

System access control list (SACL) The list of ACEs that control which accesses to the object are audited.

Access control entries (ACEs) are the individual entries that grant or deny specific permissions on an object; ACEs are collected into access control lists, and each ACE is one of six ACE types. In addition to object-specific rights, an ACE can carry the standard permissions, such as Read Control, Delete, Write DAC and Write Owner, plus more rights than can be covered in this chapter. Suffice it to say, ACEs provide fine-layered and very granular control over individual objects.
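The delegation described above (letting a help-desk group reset passwords in one OU) comes down to writing one ACE into that OU's DACL. The following is an added example, not code from the study guide; it uses the ActiveDirectory module's AD: drive and the .NET ActiveDirectoryAccessRule class. The OU and group names are assumed; the two GUIDs are the well-known schema GUIDs of the Reset Password extended right and the user object class.

```powershell
# Added example (not from the study guide). OU and group names are assumed.
Import-Module ActiveDirectory

$ouDN     = "OU=Sales,DC=corp,DC=example"   # assumed OU being delegated
$helpdesk = Get-ADGroup -Identity "HelpDesk-Sales"   # assumed delegate group
$sid      = [System.Security.Principal.SecurityIdentifier]$helpdesk.SID.Value

$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # Reset Password extended right
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # user schema class

$acl = Get-Acl -Path "AD:\$ouDN"

# ACE: Allow <helpdesk> ExtendedRight(Reset Password), inherited only by user objects below the OU.
# Scoping the ACE to the user class keeps the right off computers, groups and nested OUs.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Read back the four parts of the security descriptor the text lists.
# -Audit is needed to see the SACL (requires the "Manage auditing and security log" privilege).
$sd = Get-Acl -Path "AD:\$ouDN" -Audit
"Owner : $($sd.Owner)"
"Group : $($sd.Group)"
"DACL (explicit entries only):"
$sd.Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType |
    Format-Table -AutoSize
"SACL:"
$sd.Audit | Select-Object IdentityReference, AuditFlags, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize
```

The read-back is the part to keep around: run it periodically against delegated OUs and diff the explicit (non-inherited) DACL entries against what you intended to grant, since an ACE added by hand in Active Directory Users and Computers looks exactly like one added by this script.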

Pass MCSE: Using Windows Defender Performing a Manual Scan

April 9th, 2012  by Kaden

Know where, when, and how to use the Active Directory Migration Tool. This is probably the most important point in this chapter to remember for the exam. Know how to use the ADMT and where you need to be to reach your source and target domains; you can't just run the ADMT from anywhere.

Be aware of the limits of an RODC. RODCs need to be installed where they can reach a writable domain controller running Windows Server 2008, in a forest whose forest and domain functional levels are at least Windows Server 2003.

Know where to place RODCs and Server Core installations. Place RODCs in branch offices, where they can reach a writable domain controller; they're built for it. Place Server Core installations where you need a low-intensity, long-lived box that doesn't need features Server Core lacks (on Windows Server 2008, Server Core cannot run Windows PowerShell).
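The RODC prerequisites above are easy to verify before you promote a branch-office server. The following is an added example, not from the study guide; it uses the ActiveDirectory module (RSAT, or Windows Server 2008 R2 and later, with ADWS or the AD Management Gateway on a domain controller) and is meant to be run from the server that will become the RODC.

```powershell
# Added example (not from the study guide). Run on the prospective RODC host.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
"Forest functional level : $($forest.ForestMode)"
"Domain functional level : $($domain.DomainMode)"

# Windows Server 2003 is the minimum forest and domain functional level for an RODC.
$forestOk = [int]$forest.ForestMode -ge [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
$domainOk = [int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
if (-not ($forestOk -and $domainOk)) {
    Write-Warning "Raise the forest/domain functional level to Windows Server 2003 before adding an RODC."
}

# An RODC replicates only from a writable Windows Server 2008 (or later) domain controller.
$writable = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
    Where-Object { $_.OperatingSystem -match "Windows Server (2008|2012|2016|2019|2022)" }
if (-not $writable) {
    Write-Warning "No writable Windows Server 2008 or later domain controller was found."
}

# Placement check: each writable DC the RODC could replicate from, and whether this host can reach it.
foreach ($dc in $writable) {
    $reachable = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
    "{0,-30} site={1,-15} reachable={2}" -f $dc.HostName, $dc.Site, $reachable
}

# Existing RODCs, for a placement review of the branch offices already covered.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object HostName, Site, OperatingSystem | Format-Table -AutoSize
```

A reachable writable domain controller is necessary but not sufficient: the RODC's site also needs a site link to a site holding a writable Windows Server 2008 DC, otherwise the Knowledge Consistency Checker has nothing to build the replication connection from.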

In reference to an enterprise, "planning for Terminal Services" refers to the process of ensuring the accessibility and availability of virtualized applications on Windows Server 2008, all the way from simple Remote Desktop connections to highly available and highly scalable applications. Furthermore, on the enterprise level you are also concerned with the licensing of these applications. You do this through the distribution of licenses prepurchased from Microsoft for the applications that are needed throughout your infrastructure. In this chapter, I will briefly review the components, features, and aspects of Terminal Services and then discuss a strategy for implementing and designing a virtualization solution for your enterprise.

Although you’ve most likely seen all these components on your 70-643 exam, before you jump into planning, design, and licensing strategies for a Windows enterprise, it’s a good idea to review these components in case you haven’t used any of them in a while. Understanding how to deploy a complex Terminal Services (TS) infrastructure or licensing scheme requires that you intimately understand each of these components and their various purposes.

Pass Project+ Exam,Mail Exchanger Records Service Records

April 7th, 2012  by Kaden

Delete Snapshot Deleting a snapshot is like deleting a backup file: you can no longer restore to that point in time. Deleting a single snapshot does not affect any other snapshots of the virtual machine; only the selected snapshot is removed. However, deleting a snapshot usually requires Hyper-V to merge that snapshot's differencing disk into its parent disk. The merge runs in the background once the virtual machine is not running, and the user does not see it happen.

Delete Snapshot Subtree This deletes the selected snapshot and all snapshots hierarchically beneath it. If you delete a snapshot that has only one sub-snapshot, the configuration and saved-state files for the snapshot are deleted and the snapshot's differencing disks are merged. If there are more sub-snapshots, no merge takes place.

Applying a Snapshot To revert to a snapshot, follow these steps.

1. Click Start-Administrative Tools-Hyper-V Manager.

2. In Hyper-V Manager, in the Virtual Machines pane, click the virtual machine for which you created the snapshot.

3. In the Snapshots pane, select First Snapshot.

4. In the Actions pane, under First Snapshot, click Apply. In the Apply Snapshot window, click Apply.
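The three snapshot operations above (delete one snapshot, delete a subtree, apply a snapshot) map onto three cmdlets in the Hyper-V PowerShell module that ships with Windows Server 2012 and later; Windows Server 2008 exposes the same operations only through Hyper-V Manager or its WMI provider. The following is an added example, not code from the study guide; the VM and snapshot names are assumed.

```powershell
# Added example (not from the study guide). Hyper-V module, Windows Server 2012 or later.
# VM name and snapshot names are assumed.
$vm = "TESTVM01"

# The snapshot tree: ParentSnapshotName shows what "hierarchically underneath" means for a subtree delete.
Get-VMSnapshot -VMName $vm |
    Select-Object Name, ParentSnapshotName, CreationTime | Format-Table -AutoSize

# Apply a snapshot. As the Apply dialog offers, capture the current state first so it is not lost.
Checkpoint-VM -Name $vm -SnapshotName "Before revert $(Get-Date -Format s)"
Restore-VMSnapshot -VMName $vm -Name "First Snapshot" -Confirm:$false

# Delete a single snapshot: siblings and children stay, but the snapshot's differencing disk
# (.avhd/.avhdx) has to be merged into its parent.
Remove-VMSnapshot -VMName $vm -Name "Second Snapshot" -Confirm:$false

# Delete a snapshot and every snapshot beneath it.
Remove-VMSnapshot -VMName $vm -Name "Before Patching" -IncludeAllChildSnapshots -Confirm:$false

# The merge runs in the background. Until Status drops the "Merging disks" text, do not move,
# copy or back up the VM's disk files; a half-merged chain is unusable.
while ((Get-VM -Name $vm).Status -like "Merging*") { Start-Sleep -Seconds 5 }

# What is left: every remaining differencing disk must chain back to a parent that still exists.
foreach ($drive in Get-VMHardDiskDrive -VMName $vm) {
    $vhd = Get-VHD -Path $drive.Path
    "{0}  type={1}  parent={2}" -f $vhd.Path, $vhd.VhdType, $vhd.ParentPath
}
```

One caveat that belongs next to the Apply step: reverting a domain-joined guest rolls back its machine account password and, for a domain controller, its update sequence numbers, so a snapshot of a DC is only safe to apply on a hypervisor that supports generation IDs (Windows Server 2012 and later). Treat "apply" as a time-travel operation for the guest, not as a harmless undo.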

Quick Migration

In combination with Windows Server 2008's clustering support in the Enterprise and Datacenter editions, Quick Migration provides high availability for virtual machines: if one server fails, its workload can be picked up by another cluster node with minimal interruption to user access.

Basically, each virtual machine is defined as a clustered application on a cluster node. When that node goes down, another cluster node takes over the virtual machine. Unfortunately, this means that in the event of an unplanned failure the running state of the virtual machine is lost, because the virtual machine is simply booted normally on the other node. A planned migration, by contrast, saves the current state, moves it, and restores it correctly on the target node. This topic is too complex for the 70-643 exam, but we wanted you to understand the basic concept so that you know the feature is available in Hyper-V.

Pass N+,Start of Authority Records Name Server Records Host Records Pass N10-004 Exam,Alias Records

April 6th, 2012  by Kaden

The Import Virtual Machine dialog box asks you for the path to the exported virtual machine and lets you decide whether to reuse the old virtual machine ID. You want to reuse the old ID when you are moving all virtual machines from a host to a new target machine, because the virtual machines are then effectively the same as on the source system. You do not want to reuse the old ID if you used Export to clone a virtual machine.

Because Hyper-V uses the import folder as the new target folder for the imported virtual machine, an exported virtual machine can be imported only once. Of course, if you copy the files to a different location before importing them, you can overcome this limitation.

When you import a virtual machine with its saved state, Hyper-V writes the import path into the virtual machine configuration XML as the location of the virtual hard disks and snapshots. That is why the exported folder can be registered only once, and why the import folder should already be on the host's target disk before you import.

If you see a warning after the import, it is probably because one or more of the virtual machine's hard drives now point at a VHD file that does not exist at the recorded path. Correct those settings before starting the virtual machine.
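The two import cases the text separates (move a virtual machine and keep its ID, or clone it under a new ID) and the missing-VHD warning can all be driven from the Hyper-V PowerShell module (Windows Server 2012 and later). The following is an added example, not code from the study guide; the VM name and all paths are assumed.

```powershell
# Added example (not from the study guide). Hyper-V module, Windows Server 2012 or later.
# VM name and paths are assumed.
$exportRoot = "E:\Exports"
$vmName     = "APP01"
$clone      = $false   # $false: move/register in place and keep the ID; $true: clone under a new ID

Export-VM -Name $vmName -Path $exportRoot   # writes E:\Exports\APP01\{Virtual Machines,Virtual Hard Disks,Snapshots}
$config = Get-ChildItem -Path "$exportRoot\$vmName\Virtual Machines" |
    Where-Object { $_.Extension -in ".vmcx", ".xml" } | Select-Object -First 1

if (-not $clone) {
    # Register the exported files where they are. The export folder becomes the VM's home,
    # so this form of import works only once per export, exactly as the text describes.
    $imported = Import-VM -Path $config.FullName
} else {
    # Copy the files to a new home and assign a fresh VM ID, so the same export can be
    # imported again and the original VM can keep running alongside the clone.
    $imported = Import-VM -Path $config.FullName -Copy -GenerateNewId `
        -VirtualMachinePath "D:\VMs\$vmName-clone" `
        -VhdDestinationPath "D:\VMs\$vmName-clone\Virtual Hard Disks" `
        -SnapshotFilePath   "D:\VMs\$vmName-clone\Snapshots"
    Rename-VM -VM $imported -NewName "$vmName-clone"
}
"Imported {0} with VMId {1}" -f $imported.Name, $imported.VMId

# The warning the text describes: a drive whose VHD path no longer resolves on this host.
$broken = Get-VMHardDiskDrive -VM $imported | Where-Object { -not (Test-Path -LiteralPath $_.Path) }
foreach ($d in $broken) {
    Write-Warning ("{0} {1}:{2} points at missing file {3}" -f `
        $d.ControllerType, $d.ControllerNumber, $d.ControllerLocation, $d.Path)
    # Repair by pointing the drive at the real file before the VM is started, e.g.:
    # Set-VMHardDiskDrive -VMHardDiskDrive $d -Path "D:\VMs\APP01\Virtual Hard Disks\APP01.vhdx"
}
if (-not $broken) { Start-VM -VM $imported }
```

Keep the clone and the original apart by more than the VM ID: the clone still carries the guest's machine account, hostname and any cached credentials, so a cloned domain member must be renamed and rejoined before it is put on the same network as the original.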

With virtual machine snapshots, you can save a copy of the virtual machine at any point in time, including while the virtual machine is running. You can take multiple snapshots of a virtual machine and then revert it to any previous state by applying a snapshot.

Using snapshots makes it easier to diagnose the cause of errors by reducing the number of times you need to repeat a task or sequence within a virtual machine. The benefit is obvious: when you can revert to a previous configuration with a snapshot, you do not need to copy the virtual machine to preserve a state, so a snapshot is a quick and easy way to capture a given state of your virtual machine. It is not a substitute for a backup, though, because the snapshot lives on the same host and storage as the virtual machine itself.

You can create a snapshot when a virtual machine is in a running, saved, or turned-off state. It’s only from a paused state that you cannot perform a snapshot.

MCSE Certification:Starting in Safe Mode Enabling BootLogging

April 5th, 2012  by Kaden

Installing TS Web Access

Follow these steps to install TS Web Access.

1. Open Server Manager: click Start-Administrative Tools-Server Manager.

2. Expand Roles.

3. Right-click Terminal Services and click Add Role Services.

4. Select TS Web Access. If the role services that TS Web Access requires are not yet installed, you are prompted to install them; click Add Required Role Services.

5. Click Next.

6. If IIS must be installed, click Next on the Introduction to Web Server (IIS) page.

7. On the Role Services page for IIS, click Next.

8. On the Confirm Installation Selections page, click Install.

9. On the Installation Results page, verify that the installation succeeded and click Close.

If the TS RemoteApp server and the TS Web Access server are separate machines, the computer account of the TS Web Access server must be added to the TS Web Access Computers local security group on the TS RemoteApp server. In Exercise 2.15, you'll add the computer account to that group.

Adding the Computer Account of the TS Web Access Server to the TS RemoteApp Server

Follow these steps to add the computer account to the TS Web Access group.

1.Click Start-Administrative Tools-Computer Management.

2. Expand Local Users and Groups and click Groups.

3. Double-click TS Web Access Computers.

4. Click Add.

5. Click Object Types, select Computers, and click OK.

6. Type the computer name of the TS Web Access server and click OK.

7. Click OK.

By default, the TS Web Access website is http://<server_name>/ts, where <server_name> is the NetBIOS name or the fully qualified domain name of the TS Web Access server. When you open the site, you see the TS RemoteApp programs that are TS Web Access enabled. Figure 2.4 shows the TS Web Access page with the available program list.

When you launch one copy of an application as a TS RemoteApp and another from the local computer, it becomes very difficult to tell the two apart. Figure 2.5 shows WordPad launched as a TS RemoteApp and launched locally.
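The two procedures above (install the TS Web Access role service, then authorize the TS Web Access server's computer account on the TS RemoteApp server) can be done from a command prompt on Windows Server 2008 instead of the wizards. The following is an added example, not code from the study guide. The server names and the domain are assumed, and the ServerManagerCmd feature ID is the one listed by ServerManagerCmd -query (assumed here, so check it against that listing).

```powershell
# Added example (not from the study guide). Windows Server 2008; server and domain names assumed.

# 1. On the TS Web Access server: install the role service. ServerManagerCmd pulls in the
#    IIS role services TS Web Access depends on. (On Windows Server 2008 R2 the same ID works
#    with Import-Module ServerManager; Add-WindowsFeature TS-Web-Access.)
ServerManagerCmd.exe -install TS-Web-Access
ServerManagerCmd.exe -query | Select-String "TS-Web-Access"   # [X] marks an installed ID

# 2. On the TS RemoteApp (terminal) server: let the TS Web Access server's computer account
#    read the RemoteApp list. Computer accounts are named <host>$.
net localgroup "TS Web Access Computers" "CONTOSO\TSWEB01$" /add
net localgroup "TS Web Access Computers"    # lists the members, for verification

# 3. From any domain member: confirm the site answers and demands authentication.
$url = "http://tsweb01.contoso.example/ts"   # http://<server_name>/ts
$req = [System.Net.WebRequest]::Create($url)
$req.UseDefaultCredentials = $false          # first try anonymously: this should be refused
try {
    $resp = $req.GetResponse(); "{0}: anonymous access allowed (HTTP {1})" -f $url, [int]$resp.StatusCode; $resp.Close()
} catch [System.Net.WebException] {
    "{0}: anonymous access refused ({1})" -f $url, $_.Exception.Message
}
$req = [System.Net.WebRequest]::Create($url)
$req.UseDefaultCredentials = $true           # now as the logged-on domain user
$resp = $req.GetResponse(); "{0}: authenticated as current user (HTTP {1})" -f $url, [int]$resp.StatusCode; $resp.Close()
```

Step 3 is the check that matters on a server that publishes applications to the network: the RemoteApp list should never be readable anonymously, and the site should be fronted by TLS before it is reachable from anywhere but the LAN, since the credentials the user types into TS Web Access are otherwise sent in clear.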

MCSE:Managing Scheduled Task Properties Trouble shooting Scheduled Tasks

April 1st, 2012  by Kaden

Microsoft Point of Service for .NET Device Redirection

Microsoft Point of Service (POS) for .NET Device Redirection allows peripheral devices such as bar code scanners and magnetic card readers to be used inside Terminal Services sessions on Windows Server 2008. Microsoft POS for .NET 1.1 is available from the Microsoft Download Center. Once it is installed, the Terminal Services UserMode Port Redirector service must be restarted.

Terminal Services Easy Print

Microsoft has improved printing in Terminal Services for Windows Server 2008 by adding Terminal Services Easy Print and group policies that allow redirection of only the client's default printer. In the past, the client computer and the terminal server both had to have the proper driver installed in order to print successfully. Matching drivers on the two systems is no longer necessary, because the TS Easy Print driver proxies all requests to the client's actual driver. This feature will please many administrators who had to support printer drivers in the previous version of Terminal Services. Another perk is that TS Easy Print increases the scalability and decreases the complexity of the terminal server by limiting the number of printers the spooler has to enumerate: when a TS session is created, Winlogon can redirect a single printer instead of every printer on the client. The last benefit of TS Easy Print is its support for legacy print drivers, which administrators will also appreciate.

Although TS Easy Print has reduced administrators' printing headaches in Terminal Services, only a select client base benefits from it. TS Easy Print is available only on client computers running Windows Vista SP1 or Windows Server 2008 with RDC 6.1 and either Microsoft .NET Framework 3.0 Service Pack 1 or Microsoft .NET Framework 3.5 or later.

Single Sign-On for Terminal Services

With Single Sign-On for Terminal Services, a domain user enters their credentials once and gains access to a terminal server or their remote application. The current credentials of the logged-on user are passed to the terminal server without the user having to retype their password. To use Single Sign-On (SSO), the client must be running Windows Vista or Windows Server 2008, the user must have the appropriate rights to log on, and the client computer and the terminal server must be in the same domain. Exercise 2.8 demonstrates how to configure the authentication level of a Windows Server 2008 terminal server.

Configuring Authentication of a Windows 2008 Terminal Server

Follow these steps to set the authentication type for a Windows Server 2008 terminal server.

1. Open Terminal Services Configuration: click Start-Administrative Tools-Terminal Services-Terminal Services Configuration.

2. Under Connections, right-click RDP-Tcp and choose Properties.

3. On the General tab, verify that Security Layer is set to Negotiate or SSL (TLS 1.0), and then click OK.
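The exercise covers only the server side of single sign-on. The security layer setting is readable and writable through the Terminal Services WMI provider, and the client half that the exercise leaves out is the Credentials Delegation policy, which tells CredSSP which servers may receive the user's default credentials. The following is an added example, not code from the study guide; the terminal server name is assumed, and the registry value names are those the Allow Delegating Default Credentials policy writes.

```powershell
# Added example (not from the study guide). Terminal server name is assumed.

# --- Server side (run on the terminal server): what the General tab of RDP-Tcp Properties writes.
$rdp = Get-WmiObject -Namespace "root\cimv2\TerminalServices" -Class Win32_TSGeneralSetting `
           -Filter "TerminalName='RDP-Tcp'"
"Before: SecurityLayer={0} (0=RDP, 1=Negotiate, 2=SSL/TLS)  UserAuthenticationRequired={1}" -f `
    $rdp.SecurityLayer, $rdp.UserAuthenticationRequired

# The RDP security layer (0) cannot carry CredSSP, so SSO silently fails there. Negotiate (1)
# picks TLS when the client supports it; 2 refuses clients that cannot do TLS at all.
[void]$rdp.SetSecurityLayer(1)
# Require Network Level Authentication: credentials are checked before a session is created.
[void]$rdp.SetUserAuthenticationRequired(1)

$rdp = Get-WmiObject -Namespace "root\cimv2\TerminalServices" -Class Win32_TSGeneralSetting `
           -Filter "TerminalName='RDP-Tcp'"
"After : SecurityLayer={0}  UserAuthenticationRequired={1}" -f $rdp.SecurityLayer, $rdp.UserAuthenticationRequired

# --- Client side (Vista SP1 / Windows Server 2008 with RDC 6.1): allow CredSSP to delegate the
# logged-on user's default credentials, but only to the named terminal server's SPN.
$pol = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"
New-Item -Path "$pol\AllowDefaultCredentials" -Force | Out-Null
Set-ItemProperty -Path $pol -Name "AllowDefaultCredentials"           -Value 1 -Type DWord
Set-ItemProperty -Path $pol -Name "ConcatenateDefaults_AllowDefault"  -Value 1 -Type DWord
# TERMSRV/* would hand the user's password to any host that answers on 3389; scope it instead.
Set-ItemProperty -Path "$pol\AllowDefaultCredentials" -Name "1" -Value "TERMSRV/ts01.contoso.example" -Type String

"Delegation targets now configured:"
(Get-ItemProperty -Path "$pol\AllowDefaultCredentials").PSObject.Properties |
    Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { "  {0}" -f $_.Value }
```

With the policy scoped to one SPN, a rogue host that spoofs the terminal server's name still needs a certificate the client trusts for that name before CredSSP will release the password; with TERMSRV/* it does not, which is why the wildcard that most how-tos suggest is the setting a security review should flag first.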

MCSA Exams:Advanced System Settings Using System Configuration Using Task Scheduler

April 1st, 2012  by Kaden

Device Redirection

The following sections are about the device redirection framework for Windows Server 2008. Device redirection gives users the ability to connect physical devices to their local computer and use them within their Terminal Services session. The first section discusses Plug and Play device redirection for media players and digital cameras based on the Media Transfer Protocol (MTP) and the Picture Transfer Protocol (PTP). The second section introduces Microsoft Point of Service for .NET device redirection. In the third section, we discuss printer redirection with TS Easy Print.

Plug and Play Device Redirection for Media Players and Digital Cameras

New to Windows Server 2008 and RDC 6.0 is the ability to redirect specific Plug and Play (PnP) Windows portable devices. These devices include media players and digital cameras based on the Media Transfer Protocol (MTP) and the Picture Transfer Protocol (PTP), respectively. Plug and Play device redirection allows applications to access these devices whether the application runs in a TS remote desktop session or as a TS RemoteApp.

Another new feature is the ability to attach Plug and Play devices after a session has already been established, using the Devices that I plug in later option in the Remote Desktop Connection client. When a new session is launched, Plug and Play notifications appear in the taskbar of the client computer. A newly detected device is attached to that particular session and is not accessible from any other session. Exercise 2.7 walks through enabling Plug and Play device redirection.

Redirect Plug and Play Devices

Follow these steps to enable Plug and Play device redirection.

1. Click Start-All Programs-Accessories-Remote Desktop Connection. (You can also start the RDC client by typing mstsc at the Run prompt.)

2. In the Remote Desktop Connection dialog box, click Options.

3. On the Local Resources tab, click More.

4. Under Local devices and resources expand Supported Plug and Play Devices.

5. Choose the device you want to redirect.

6. To make Plug and Play devices that you plug in later available as well, select the Devices that I plug in later check box.

7. Click Connect to launch the new session.
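Every option ticked in the dialog above is stored as one line of an .rdp file, so the same connection can be scripted and, more usefully, inspected before it is launched. The following is an added example, not code from the study guide: it writes an .rdp file with the redirection choices from the exercise, reads any .rdp file back to report what it will redirect, and launches mstsc with it. The server name and file path are assumed; the setting names are the documented .rdp file keys.

```powershell
# Added example (not from the study guide). Server name and file path are assumed.

function New-RedirectingRdpFile {
    param(
        [string]$Server,
        [string]$Path,
        # "*" = all supported Plug and Play devices, including ones connected later
        # "DynamicDevices" = only devices connected after the session starts (the check box in step 6)
        # or a device hardware ID to redirect exactly one device
        [string]$PnpDevices = "*"
    )
    $settings = @(
        "full address:s:$Server"
        "authentication level:i:2"          # warn when the server's identity cannot be verified
        "enablecredsspsupport:i:1"          # NLA / CredSSP, also required for single sign-on
        "redirectprinters:i:1"              # client printers (TS Easy Print on the server side)
        "redirectposdevices:i:1"            # Microsoft POS for .NET devices
        "redirectsmartcards:i:1"
        "redirectclipboard:i:1"
        "drivestoredirect:s:"               # empty value: no client drives are exposed to the session
        "devicestoredirect:s:$PnpDevices"   # the Supported Plug and Play Devices choice from step 4
    )
    Set-Content -Path $Path -Value $settings -Encoding ASCII
    return $Path
}

function Get-RdpRedirection {
    # Parse name:type:value lines and return only the redirection-related settings.
    param([string]$Path)
    $result = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^(?<name>[^:]+):(?<type>[is]):(?<value>.*)$' -and $Matches.name -match 'redirect') {
            $result[$Matches.name] = $Matches.value
        }
    }
    return $result
}

$file = New-RedirectingRdpFile -Server "ts01.contoso.example" -Path (Join-Path $env:TEMP "ts01.rdp") -PnpDevices "DynamicDevices"
"Redirection requested by $file :"
Get-RdpRedirection -Path $file | Format-Table -AutoSize
Start-Process -FilePath mstsc.exe -ArgumentList "`"$file`""
```

The client only requests redirection; the terminal server's Group Policy under Terminal Services, Device and Resource Redirection, decides what is honoured. Get-RdpRedirection is therefore the right tool for the other direction too: run it over .rdp files a user has been handed (from TS Web Access, e-mail or a share) to see which client resources the file asks to expose before anyone double-clicks it.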

MCITP Server Administrator:Managing System Performance

March 31st, 2012  by Kaden

DiskPart is a command-line utility that configures and manages disks, volumes, and partitions on the host computer. It can also be used to script many storage management operations. DiskPart is a very robust tool and should be studied on your own, because it is beyond the scope of this book. Figure 1.6 shows the various DiskPart commands and their functions.

FIGURE 1. 6 DiskPart commands

DiskRAID is also a scriptable command-line utility; it configures and manages hardware RAID storage systems. However, at least one VDS hardware provider must be installed for DiskRAID to work. DiskRAID is another useful utility and should be studied on your own, because it is beyond the scope of this book.

Storage Manager for SANs Storage Manager for SANs is a graphical user interface utility that is used to manage SANs. It will be discussed further in the following section.

Storage Manager for SANs (SMfS)

Storage Manager for SANs is a utility for creating and managing LUNs on Fibre Channel and iSCSI storage arrays that support the Virtual Disk Service (VDS). A LUN is similar to a volume in that it is a logical representation of a disk drive that is part of a storage array. Storage Manager simplifies the management of these resources in a SAN environment because it is a centralized place where LUNs can be assigned access and control privileges, even though Fibre Channel and iSCSI use different hardware and network protocols.

To use Storage Manager for SANs, you must make sure the server and the storage array meet the following requirements:

The server must have the Storage Manager for SANs feature installed.

The storage array must support VDS.

The VDS hardware provider’s software for the storage array must be installed on the server.

The storage array must be directly attached or accessible over the network.

In order to manage an iSCSI array through Storage Manager for SANs, you must install an iSCSI initiator on the server.

Exercise 1.8 demonstrates the procedures for installing the Storage Manager for SANs feature on Windows Server 2008.

Installing Storage Manager for SANs

Follow these steps to install Storage Manager for SANs:

1.Click Start-Administrative Tools-Server Manager.

2. Right-click Features and select Add Features.

3. In the Add Features Wizard, check Storage Manager for SANs and click Next.

MCITP Certificate:Using Windows Contacts Using Windows Calendar

March 30th, 2012  by Kaden

RAID-5 is also known as disk striping with parity. With disk striping with parity, you use three or more disks (with a maximum of 32), and the data is striped across all of the disks together with an additional block of error-correction information, called parity, which is used to reconstruct the data if a disk fails. RAID-5 has slower write performance than the other RAID types because the OS must calculate the parity information for each stripe that is written, but its read performance is equivalent to a stripe set (RAID-0) because the parity information is not read. Like RAID-1, RAID-5 comes with additional cost considerations: for every RAID-5 set, roughly one entire disk's worth of space is consumed by parity information. For example, a minimum RAID-5 set requires three hard disks; if those disks are 300GB each, approximately 600GB of disk space is available to the OS and 300GB is consumed by parity, which is 33.3 percent of the total raw space. Similarly, in a five-disk RAID-5 set of 300GB disks, approximately 1200GB is available to the OS, so 20 percent of the total raw space is consumed by parity. The words roughly and approximately are used when calculating disk space because a 300GB disk will really provide only about 279GB. This is because vendors define a gigabyte as one billion bytes, whereas the OS defines it as 2^30 (1,073,741,824) bytes. Also remember that file systems and volume managers have overhead as well. Table 1.1 breaks down the various aspects of the RAID types supported by Windows Server 2008.


RAID-1 total available disk space is calculated by taking one half of the sum of both disks in the disk set, and RAID-5 total available disk space is calculated by subtracting the space of one entire disk from the sum of all the disks in the disk set.

Creating RAID Sets

Now that you understand the fundamental concepts of RAID sets and how to use them, we can look at creating RAID sets in Windows Server 2008. The process of creating a RAID set is the same as creating a simple or spanned volume, apart from the minimum disk requirement of each RAID type. Creating a mirrored volume is the same as creating a volume as shown in Exercise 1.3, except that you select New Mirrored Volume in the fourth step. The difference appears once the disk selection page of the wizard opens: because a mirrored volume is being created, it requires two disks, and if only one disk is selected the Next button stays unavailable because the disk minimum has not been met. Refer to Figure 1.1 to view the Select Disks page of the New Mirrored Volume Wizard during the creation of a mirrored volume, and notice that the Next button is not available.
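The DiskPart section earlier on this page and the RAID sections here share one practical exercise: work out what a set of disks will yield, then build the mirrored and RAID-5 volumes with a DiskPart script instead of the wizard. The following is an added example, not code from the study guide. It first computes usable capacity with the same vendor-GB versus OS-GiB correction the text describes, then writes and runs a DiskPart script. The disk numbers are assumed, and the script runs clean on every disk it touches, so point it only at empty test disks.

```powershell
# Added example (not from the study guide). Disk numbers are assumed; "clean" wipes those disks.

function Get-RaidCapacity {
    # Usable capacity and parity/mirror overhead for the software RAID levels Windows offers.
    param(
        [ValidateSet("RAID-0", "RAID-1", "RAID-5")][string]$Level,
        [int]$DiskCount,
        [double]$DiskSizeGB            # vendor gigabytes, 10^9 bytes
    )
    $gib = $DiskSizeGB * 1e9 / [math]::Pow(2, 30)   # what the OS will actually report per disk
    switch ($Level) {
        "RAID-0" { $usable = $DiskCount * $gib }
        "RAID-1" { if ($DiskCount -ne 2) { throw "RAID-1 (mirror) takes exactly 2 disks" }
                   $usable = $gib }
        "RAID-5" { if ($DiskCount -lt 3 -or $DiskCount -gt 32) { throw "RAID-5 takes 3 to 32 disks" }
                   $usable = ($DiskCount - 1) * $gib }   # one disk's worth of parity, spread over all disks
    }
    $raw = $DiskCount * $gib
    [pscustomobject]@{
        Level       = $Level
        Disks       = $DiskCount
        RawGiB      = [math]::Round($raw, 1)
        UsableGiB   = [math]::Round($usable, 1)
        OverheadPct = [math]::Round(100 * ($raw - $usable) / $raw, 1)
    }
}

Get-RaidCapacity -Level RAID-1 -DiskCount 2 -DiskSizeGB 300   # 279.4 GiB usable, 50 % overhead
Get-RaidCapacity -Level RAID-5 -DiskCount 3 -DiskSizeGB 300   # 558.8 GiB usable (the text's ~600GB), 33.3 %
Get-RaidCapacity -Level RAID-5 -DiskCount 5 -DiskSizeGB 300   # 1117.6 GiB usable (the text's ~1200GB), 20 %

# DiskPart script: disks 1-2 become a mirror, disks 3-5 a RAID-5 volume. Both need dynamic disks.
$mirrorDisks = 1, 2
$raid5Disks  = 3, 4, 5
$lines = foreach ($d in $mirrorDisks + $raid5Disks) {
    "select disk $d"
    "clean"              # destroys everything on the disk
    "convert dynamic"
}
$lines += @(
    "create volume mirror disk=$($mirrorDisks -join ',')"   # focus moves to the new volume
    "format fs=ntfs label=Mirror quick"
    "assign letter=M"
    "create volume raid disk=$($raid5Disks -join ',')"
    "format fs=ntfs label=Parity quick"
    "assign letter=R"
    "list volume"
)
$scriptPath = Join-Path $env:TEMP "build-raid.txt"
Set-Content -Path $scriptPath -Value $lines -Encoding ASCII
Get-Content -Path $scriptPath      # review before running; there is no undo for "clean"
diskpart.exe /s $scriptPath
```

The wizard refuses to continue with too few disks; DiskPart simply fails the create volume command, so the capacity function doubles as the pre-check the wizard performs for you. Expect the RAID-5 volume to show as "Resynching" in list volume for a while after creation, during which its write performance is worse than the steady-state figure the text discusses.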
