Note: Answers
Answers to these questions and explanations of why each answer choice is right or wrong are located in the Answers section at the end of the book. 1. NAP using the IPsec enforcement method has been deployed at your organization. You are attempting to resolve a problem. A computer, running Windows Vista, that you are working on has antivirus software that is six weeks out of date, yet the computer is able to obtain a system health certificate and can successfully connect to protected servers ....
WSUS on Disconnected Networks
Some organizations have networks partitioned from the Internet but which also host computers that need updates regularly applied. Although you can apply updates to all these computers manually, some isolated networks have so many hosts on them that such an approach is impractical. In this situation, you can deploy WSUS in disconnected mode, which enables you to use WSUS when the WSUS server is unable to obtain updates from an upstream server. In essence, you transfer updates and metadata from...
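The export-and-import cycle this paragraph describes, as an added example that is not code from the original book. It wraps wsusutil.exe, the tool WSUS ships for disconnected mode, and adds a hash of the export package so the air-gapped side can refuse a package that was altered or corrupted on the way. The server paths, the drive letters of the transfer media and the content directory are assumptions.

```powershell
# Added example, not code from the original book: export a WSUS catalog on the
# connected server and import it on the disconnected one with wsusutil.exe.
# Paths, drive letters and the content directory are assumptions.
$WsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'

function Get-Sha256Hex([string]$Path) {
    # Hash the package so the disconnected side can check it was not altered in transit.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Export-WsusOffline([string]$ContentDir, [string]$Media) {
    # Run on the Internet-connected WSUS server from an elevated prompt.
    # The metadata export can take a long time on a large catalog.
    & $WsusUtil export (Join-Path $Media 'export.cab') (Join-Path $Media 'export.log')
    robocopy $ContentDir (Join-Path $Media 'WsusContent') /E /R:2 /W:5 | Out-Null
    Get-Sha256Hex (Join-Path $Media 'export.cab') |
        Set-Content (Join-Path $Media 'export.cab.sha256')
}

function Import-WsusOffline([string]$Media, [string]$ContentDir) {
    # Run on the disconnected server. Both servers must run the same WSUS version,
    # and the content must be copied before the metadata is imported.
    $expected = (Get-Content (Join-Path $Media 'export.cab.sha256')).Trim()
    $actual = Get-Sha256Hex (Join-Path $Media 'export.cab')
    if ($expected -ne $actual) { throw 'export.cab hash mismatch; refusing to import' }
    robocopy (Join-Path $Media 'WsusContent') $ContentDir /E /R:2 /W:5 | Out-Null
    & $WsusUtil import (Join-Path $Media 'export.cab') (Join-Path $Media 'import.log')
}

# Export-WsusOffline -ContentDir 'D:\WSUS\WsusContent' -Media 'E:\Transfer'
# Import-WsusOffline -Media 'E:\Transfer' -ContentDir 'D:\WSUS\WsusContent'
```

A hash that travels on the same media as the package only detects corruption; if the media passes through hands you do not trust, read the hash to the receiving administrator over a separate channel before the import. Check import.log afterwards: wsusutil reports an import that fails partway through there, not on the console.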
Capturing Data with Network Monitor
To capture network data from the Network Monitor interface, click Create A New Capture Tab. Clicking Play starts a capture, clicking Pause pauses a capture, and clicking Stop finishes a capture. You are most likely to use Network Monitor when trying to diagnose a network-related problem with the server on which you have installed the network monitor. When doing this, start a Network Monitor capture, attempt to replicate the problem, finish the capture, and then analyze the capture data....
Terminal Services Gateway
Terminal Services Gateway enables you to access RDP servers on your protected network from clients on the Internet without implementing a full VPN solution. Although you will use this technology primarily to grant remote access to Terminal Services servers, it is also possible to allow Remote Desktop access to clients and servers through TS Gateway. Hence, a person can connect from his or her home computer over the Internet to his or her workstation or to a Terminal Services server in the...
Note Semantic Database Analysis
You can optionally carry out a further check on the Ntds.dit database by performing a semantic database analysis. This analyzes data with respect to Active Directory semantics similar to checking a program file for syntax errors. To carry out this check directly after you have checked integrity, type quit to exit from the file maintenance prompt. At this point, the AD DS database is still stopped, and the activate instance is set to ntds. Enter semantic database analysis, followed by go fixup....
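The integrity check and semantic database analysis above, run from one script as an added example rather than code from the original book. It uses the restartable AD DS service on Windows Server 2008 instead of a reboot into DSRM, assumes the default instance name ntds, and assumes a system state backup was taken first, because go fixup writes to Ntds.dit. The success string it looks for in the output is an assumption as well; read the log it writes rather than trusting the flag alone.

```powershell
# Added example, not code from the original book: offline integrity check followed by
# semantic database analysis on a Windows Server 2008 domain controller.
function Test-NtdsDatabase {
    $log = Join-Path $env:SystemRoot 'debug\ntdsutil-check.log'

    # Ntds.dit must not be open: stop AD DS (and its dependents) first.
    net stop ntds /y | Out-Null
    try {
        # Each quoted string is one line typed at the successive ntdsutil prompts:
        # activate instance -> files -> integrity -> quit -> semantic database
        # analysis -> verbose on -> go fixup -> quit -> quit
        $output = ntdsutil 'activate instance ntds' files integrity quit `
            'semantic database analysis' 'verbose on' 'go fixup' quit quit
        $output | Set-Content -Path $log

        # Assumption: the integrity pass prints "Integrity check successful." and the
        # semantic pass reports each problem on a line starting with "Error".
        $integrityOk = [bool]($output -match 'Integrity check successful')
        $semanticErrors = @($output | Where-Object { $_ -match '^\s*Error' }).Count
        @{ IntegrityOk = $integrityOk; SemanticErrors = $semanticErrors; Log = $log }
    }
    finally {
        # Always restart the directory service, even if a check failed, so the
        # domain controller does not stay offline after the script exits.
        net start ntds | Out-Null
    }
}

Test-NtdsDatabase
```

Run it during a maintenance window: while AD DS is stopped this domain controller answers no authentication or LDAP requests, and clients fail over to other domain controllers in the site only if there are any.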
More Info Windows Authentication
To learn more about Windows authentication, see the following page on TechNet.

Quick Check
1. What is the default authentication protocol Windows Server 2008 uses in a domain environment?
2. To which Active Directory objects can you apply fine-grained password policies?

Quick Check Answers
1. Kerberos version 5 is the default authentication protocol. NTLMv2 is used when Kerberos version 5 cannot be used.
2. Fine-grained password policies can be applied to user accounts and global security groups.
Establishing an IPsec Connection
The Internet Key Exchange (IKE) protocol establishes SAs dynamically between IPsec peers. IKE sets up a mutually agreeable policy that defines the SA. This policy defines security services, protection mechanisms, and cryptographic keys between communicating peers. In establishing the SA, IKE provides the security keys and negotiation for the AH and ESP IPsec security protocols. IKE performs a two-phase negotiation operation, each phase with its own SAs. Phase 1 negotiation is known as main...
Note Communicate With The Other Administrator
If you are setting up a federation partnership with another organization, your first step should be to get in touch with your counterpart in that organization to determine how you will exchange policy files while setting up the partnership. In the case study, the tailspintoys.com account domain uses the following Windows Server 2008 servers in its AD FS deployment:
TailspinToysDC: the AD DS domain controller for tailspintoys.com.
TailspinToysFed: the federation server for tailspintoys.com. This...
Note Providing Backup Redundancy
If you have multiple external disks connected to a server, you can write the same backup to each disk during the same backup operation. This provides redundancy if a target disk fails. You must also decide how frequently particular volumes are backed up. You can use Storage Reports to discover how often files on a particular volume are altered. A folder that holds marketing brochures that are updated only occasionally does not need to be backed up every night. If you move this shared folder to...
Booting into Directory Services Restore Mode
Three methods of booting into DSRM exist. The first is to press F8 during the boot process and then to select Directory Services Restore Mode from the prompt, as shown in Figure 8-7.
FIGURE 8-7 The advanced boot options menu (visible entries: Safe Mode with Networking, Safe Mode with Command Prompt, Enable low-resolution video (640x480), Last Known Good Configuration (advanced), Disable automatic restart on system failure, Disable Driver Signature Enforcement; use the arrow keys to highlight a choice).
Case Scenario Create AD LDS Instances 1
1. Instance names identify the instance on the local computer as well as name the files that make up the instance and the service that supports it. You should therefore always use meaningful names to identify instances, for example, the name of the application that is tied to the instance. Names cannot include spaces or special characters. 2. Install a data drive on each server that hosts AD LDS instances. The servers will be hosting directory stores, and these stores should not be placed on a...
Creating URL Authorization Rules
You must enable UrlAuthorizationModule to enable URL authorization. Authorization rules can be configured for specific Web sites, for specific Web applications, and for specific files based on a complete URL path. URL authorization rules use inheritance so that lower-level objects inherit authorization settings from their parent objects unless these settings are specifically overridden. To configure authorization settings, open IIS Manager and select the appropriate object in the left pane....
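The same configuration from the command line, as an added example that is not code from the original book. It uses appcmd.exe, which IIS7 installs alongside IIS Manager; the site, application and group names are assumptions, and so is the attribute set used to remove the inherited allow-all rule. The point the inheritance sentence above hints at is that the parent's Allow users="*" rule is evaluated before anything the child adds, so a Deny at /hr does nothing until that inherited rule is removed at /hr.

```powershell
# Added example, not code from the original book: URL authorization rules for an
# HR application, set with appcmd.exe. Site, application and group names are assumptions.
$appcmd  = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'
$section = 'system.webServer/security/authorization'
$path    = 'Default Web Site/hr'

# 1. Confirm the module is installed; the URL Authorization role service provides it.
& $appcmd list module UrlAuthorizationModule

# 2. Drop the inherited allow-all rule at this level (assumption: the collection key
#    is users, roles, verbs), then allow one group and deny everyone else.
& $appcmd set config $path "/section:$section" /commit:apphost "/-[users='*',roles='',verbs='']"
& $appcmd set config $path "/section:$section" /commit:apphost `
    "/+[accessType='Allow',roles='CONTOSO\HR Users']"
& $appcmd set config $path "/section:$section" /commit:apphost "/+[accessType='Deny',users='*']"

# 3. Payroll subfolder: a narrower group and only the verbs the application needs.
& $appcmd set config "$path/payroll" "/section:$section" /commit:apphost `
    "/+[accessType='Allow',roles='CONTOSO\Payroll',verbs='GET,POST']"

# 4. Lock the section so a web.config deployed with the application cannot loosen it,
#    then review the effective rules at the deepest path.
& $appcmd lock config "/section:$section" /commit:apphost
& $appcmd list config "$path/payroll" "/section:$section"
```

/commit:apphost writes the rules into applicationHost.config as location elements instead of into the application's web.config, which matters when developers, not administrators, control what ships in the application directory. URL authorization only decides who may request a URL; the account the worker process impersonates still needs matching NTFS permissions on the files behind it.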
Isolation Policies
Through isolation policies, you can partition sets of computers on the network by using network authentication and encryption policies. Only computers that meet a specific set of criteria are able to communicate with computers subject to isolation policies. Although it is possible to configure isolation policies on a computer-by-computer basis, using either the WFAS console or netsh in the advfirewall consec context, isolation policies usually apply to multiple computers, so it is best to...
Using netsh Commands
You can configure scopes and reservations through the DHCP console, but many administrators prefer to use the command prompt. This is the only method available on Server Core, which does not implement GUIs. As with most configuration settings, you use netsh commands. For example, to add the server Glasgow to the list of authorized DHCP servers, you would enter a netsh dhcp add server command. To add a scope named GlasgowScope with a 10.0.0.0/24 IPv4 network address, you would enter this...
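The two tasks named above, carried through to a working scope, as an added example that is not code from the original book. The server name, its address, the ranges, the options and the reservation are assumptions. The netsh lines run unchanged from cmd.exe on a Server Core installation (Windows Server 2008 Server Core has no PowerShell); the variables at the top are only for a full installation.

```powershell
# Added example, not code from the original book: authorize a DHCP server and build
# a scope with netsh. Names, addresses and the reservation are assumptions.
$server   = 'glasgow.contoso.internal'
$serverIp = '10.0.0.1'
$scope    = '10.0.0.0'

# Authorize the server in AD DS. Until this is done the DHCP service on a domain
# member will not lease addresses; the same check is what silences a rogue DHCP
# server that a domain-joined machine brings up by mistake.
netsh dhcp add server $server $serverIp

# Create the scope, its lease range, and carve out the addresses infrastructure uses.
netsh dhcp server "\\$server" add scope $scope 255.255.255.0 GlasgowScope "Glasgow office"
netsh dhcp server "\\$server" scope $scope add iprange 10.0.0.50 10.0.0.250
netsh dhcp server "\\$server" scope $scope add excluderange 10.0.0.50 10.0.0.59

# Scope options: default gateway (3), DNS servers (6), DNS suffix (15).
netsh dhcp server "\\$server" scope $scope set optionvalue 003 IPADDRESS 10.0.0.1
netsh dhcp server "\\$server" scope $scope set optionvalue 006 IPADDRESS 10.0.0.10
netsh dhcp server "\\$server" scope $scope set optionvalue 015 STRING contoso.internal

# Reservation keyed on the client's MAC address (no separators), for both DHCP and BOOTP.
netsh dhcp server "\\$server" scope $scope add reservedip 10.0.0.20 001122aabbcc PRN-GLA-01 "Lobby printer" BOTH

# Activate the scope (state 1) and review what was built.
netsh dhcp server "\\$server" scope $scope set state 1
netsh dhcp server "\\$server" scope $scope show clients 1
netsh dhcp server "\\$server" show scope
```

A reservation binds an address to a MAC address, not to an identity; any host that presents that MAC address gets the address, so do not treat reservations as an access control.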
Lesson Review Answers
A. Correct: To resolve this problem, you need to change the DHCP settings available through the Windows Deployment Services server settings. From here, you can configure WDS not to listen on port 67 and configure DHCP option 60. You can configure DHCP option 60 by modifying Windows Deployment Services server settings. B. Incorrect: This problem is related to the port WDS listens on, not to DNS server settings. C. Incorrect: This problem is related to the port WDS listens on. The configuration...
Terminal Services Profiles
The default Terminal Services settings create user profiles whenever a new user connects for the first time. A problem that many administrators encounter is that when large numbers of users use a particular Terminal Services server, user profile data takes a large amount of disk space. There are two solutions to this problem. The first is to limit the size of users' Terminal Services profiles by implementing quotas. The most comprehensive way of implementing quotas is by using File System...
Securing Sites with IP Address Restrictions
You can prevent or allow specific computers, groups of computers, or domains access to FTP sites, directories, or files. For example, if an FTP server on your domain contains internal files that should be accessed only by company employees, you can grant access only to Domain Users and prevent Internet users from connecting to the server. Sometimes, however, the situation is more complex. An FTP server might be accessible both to internal users and through the Internet, but you want to block...
Note Windows Server Enhancement
In Windows Server 2003 R2, the export and import of policies in Federation Services was performed manually. This could lead to errors. In Windows Server 2008 AD FS, you use the graphical interface to perform the task. Sometimes an organization that is an account partner in a federation partnership wants to support user access from the Internet but, for privacy and security reasons, does not want to list its name in a drop-down list. If you do not want to include your organization name in the...
Info: Disk and Memory Counters
Use the same technique to add the C instance of the PhysicalDisk Avg. Disk Queue Length counter. This counter indicates how many I/O operations are waiting for the hard drive to become available. If the value of this counter is larger than twice the number of spindles in a disk array, the physical disk itself might be the bottleneck. Use the same technique to add the Memory Cache Bytes counter. This counter indicates the amount of memory being used for the file system cache. There might be a...
Case Scenario Monitoring Computers for Low Disk Space 1
1. You can use Event Forwarding to transfer low disk space events to a central server. You can then monitor this event log to identify computers with low disk space. You can attach a task that informs you that a low disk space event has been logged. 2. Windows XP with Service Pack 2 and WS-Management 1.1 installed, Windows Server 2003 R2 with WS-Management 1.1 installed, Windows Server 2003 with Service Pack 1 or later and WS-Management 1.1 installed, Windows Vista, and Windows Server 2008 all...
Configuring an Extranet URL
When you want to extend your AD RMS infrastructure to, for example, mobile users external to your network, configure an extranet URL. Do this on a server that is a member of the root cluster, using an account that has AD RMS Enterprise Administrators credentials. The account you used to install the AD RMS roles has these credentials, provided you subsequently logged off and then logged back on again. To configure an extranet URL, open Server Manager, expand Roles, Active Directory Rights...
Managing AD RMS Certificates
When you install the AD RMS server role, you create certificates by default. You must configure certificate durations based on your rights-protection policies. You can specify the duration of rights account certificates, enable certification of server services, enable certification for mobile devices, and authenticate clients through smart cards. In particular, you must set the validation period for the RAC. To modify RAC duration, you log on to a server that is a member of the root cluster...
Authoritative Restore
After a nonauthoritative restore, objects deleted after the backup was taken will again be deleted when the restored domain controller replicates with other domain controllers in the domain. On every other domain controller, the object is marked as deleted, so when replication occurs, the local copy of the object will also be marked as deleted. The authoritative restore process marks the deleted object in such a way that when replication occurs, the object is restored across the domain. Remember...
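The full sequence behind this paragraph and the DSRM section above, from booting into DSRM to marking the restored objects authoritative, as an added example that is not code from the original book. It uses bcdedit (one of the three DSRM methods, and the one that needs no one at the console), wbadmin for the nonauthoritative system state restore, and ntdsutil for the authoritative step. The OU name, the backup version string, the backup target and the domain are assumptions. The steps span three restarts, so run each part by hand rather than as one script.

```powershell
# Added example, not code from the original book: authoritative restore of a deleted
# OU on a Windows Server 2008 domain controller. OU, backup version and domain are
# assumptions.

# Part 1, from a normal boot: make the next boot DSRM without pressing F8, then restart.
bcdedit /set safeboot dsrepair
shutdown /r /t 0

# Part 2, logged on in DSRM with the DSRM administrator password: list the backups
# on the target, then restore system state nonauthoritatively from one taken before
# the deletion. This replaces every object in Ntds.dit with its backup-time version.
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:03/14/2008-20:00 -backupTarget:E: -quiet
# safeboot is still set, so the restart wbadmin asks for lands in DSRM again.
shutdown /r /t 0

# Part 3, back in DSRM and before the DC replicates: mark only the deleted subtree
# authoritative. ntdsutil raises each object's version number by 100000 per day since
# the backup, so these copies win against the tombstones held by the other DCs.
$ou = 'OU=Sales,DC=contoso,DC=internal'
ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $ou" quit quit
# For one object: "restore object CN=Jeff Hay,OU=Sales,DC=contoso,DC=internal".
# ntdsutil writes an .ldf file for back-link attributes (group memberships) it could
# not restore; apply it after replication with: ldifde -i -k -f <file>.ldf

# Part 4: clear the DSRM boot flag, or the DC will keep booting into DSRM.
bcdedit /deletevalue safeboot
shutdown /r /t 0
```

Mark authoritative only what was deleted. Restoring the whole database authoritatively rolls back every password change, group membership change and computer account password rotation that happened after the backup, across the domain, which is a far larger outage than the deletion you are repairing.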
Info: Windows System Resource Manager
FIGURE 12-11 Windows System Resource Manager console. You can use the accounting function in WSRM to track how processes running on Windows Server 2008 consume resources. You can configure WSRM to track resource usage on a per-user, per-application, or per-session basis. Using this information, you can make more-informed choices about how to tune a Terminal Services server to meet the needs of the users in your organization best. When you...
Note Lesson One Practice
If you have completed the practice at the end of Lesson 1, skip the rest of the steps in this practice and move on to Exercise 2. 8. Open the Server Manager console. Select and then right-click the Roles node. Select Add Roles, and then click Next. 9. On the Select Server Roles page, select the Network Policy And Access Services check box, and then click Next. 10. Review the information on the Network Policy And Access Services page, and then click Next. 11. On the Role Services page, select Network...
Case Scenario Configuring Message Size and SMTP Traffic Limitations
You have set up an SMTP virtual server on a Windows Server 2008 Web server. Performance on this server is deteriorating because of the volume of e-mail traffic. Answer the following questions. 1. How can you reduce the SMTP traffic caused by users sending very large attachments? 2. One particular user sends a very large number of e-mails, although very few of these have excessively large attachments. How can you limit this traffic? 3. Another user habitually clicks Send All when sending internal...
Case Scenario Monitoring Computers for Low Disk Space
You are a domain administrator employed by Northwind Traders. Recently, a number of your users have had problems downloading files and e-mail because the space on their local disks had reached a critical limit. You want to create a proactive method of identifying low disk space problems on client computers on your network so you can ask your desktop support technicians to free disk space on client computers before critical limits are reached. Answer the following questions. 1. How do you monitor...
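The Event Forwarding answer given for this scenario, built out as an added example that is not code from the original book: a collector-initiated subscription that pulls low-disk-space events from the client computers into the collector's ForwardedEvents log, and a scheduled task that fires on each forwarded event. The collector and client names, the domain, and the notification script are assumptions; the event used is System log event 2013 from source srv ("The C: disk is at or near capacity"), which Windows raises when a volume falls below its free-space threshold.

```powershell
# Added example, not code from the original book: Event Forwarding for low disk
# space. Computer names, domain and the notification script are assumptions.

# On each source computer (Vista and Server 2008 natively; XP SP2 and Server 2003
# with WS-Management 1.1), from an elevated prompt:
#   winrm quickconfig -q
#   net localgroup "Event Log Readers" "NORTHWIND\MONITOR$" /add
# The second line lets the collector's computer account read the System log; on
# XP/2003 the Event Log Readers group does not exist and the collector needs an
# account with read access to the log instead.

# On the collector (monitor.northwindtraders.com): start and configure the
# Windows Event Collector service, then create the subscription from XML.
wecutil qc /q

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/WS-Management/Subscription">
  <SubscriptionId>LowDiskSpace</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Disk at or near capacity on client computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[Provider[@Name='srv'] and EventID=2013]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>pc01.northwindtraders.com</Address></EventSource>
    <EventSource Enabled="true"><Address>pc02.northwindtraders.com</Address></EventSource>
  </EventSources>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'LowDiskSpace.xml'
$subscription | Set-Content -Path $xmlPath -Encoding UTF8
wecutil cs $xmlPath

# Runtime status shows, per source, whether the collector could connect and the last error.
wecutil gr LowDiskSpace

# The "attached task": run a notification script whenever a matching event lands in
# ForwardedEvents. C:\Scripts\notify-lowdisk.cmd is an assumed script.
schtasks /create /tn 'LowDiskSpace-Notify' /tr 'C:\Scripts\notify-lowdisk.cmd' `
    /sc onevent /ec ForwardedEvents /mo "*[System[Provider[@Name='srv'] and EventID=2013]]"
```

CredentialsType Default makes the collector authenticate with its computer account over Kerberos, which also protects the event payload on the wire; avoid the Basic credential type, which sends a password to every source. For a large fleet, a source-initiated subscription driven by Group Policy scales better than listing sources by name.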
Note: Answers
Answers to these questions and explanations of why each answer choice is right or wrong are located in the Answers section at the end of the book. 1. You have just created a customized version 2 certificate template based on the default version 1 User certificate template. On which of the following operating systems can you install a CA that supports this customized template? Choose three. Each correct answer presents a complete solution. A. Windows 2000 Advanced Server B. Windows Server 2008...
Directory Security Settings
You can configure settings on the Directory Security tab, shown in Figure 14-3, to restrict access to an FTP site based on IPv4 address information. By default, all computers can access the site. You can add new entries for specific computers or groups of computers and change the default setting to either Granted Access or Denied Access. For example, in an intranet scenario, you might want to limit access to a specific FTP site to clients that are coming from the network of a partner ISP. All...
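The partner-ISP rule described here and in "Securing Sites with IP Address Restrictions" above, applied from the command line, as an added example that is not code from the original book. The Directory Security tab belongs to the FTP 6 service managed through the IIS 6 Management Console and has no appcmd equivalent, so the example applies the same policy to an IIS7 Web site and, as an assumption that the FTP7 (FTP Publishing Service 7.5) schema mirrors the Web server's, to an FTP7 site. The site names and the partner network 203.0.113.0/24 are assumptions.

```powershell
# Added example, not code from the original book: deny by default, then allow one
# partner network. Site names and the partner network are assumptions.
$appcmd = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'

function Set-PartnerOnlyAccess([string]$Site, [string]$Section) {
    # allowUnlisted=false is the default rule; each add element is an exception to it.
    & $appcmd set config $Site "/section:$Section" /allowUnlisted:false /commit:apphost
    & $appcmd set config $Site "/section:$Section" /commit:apphost `
        "/+[ipAddress='203.0.113.0',subnetMask='255.255.255.0',allowed='true']"
    # Loopback, so local administration and monitoring keep working.
    & $appcmd set config $Site "/section:$Section" /commit:apphost `
        "/+[ipAddress='127.0.0.1',allowed='true']"
    & $appcmd list config $Site "/section:$Section"
}

# Web site: requires the IP and Domain Restrictions role service.
Set-PartnerOnlyAccess 'Partner Web Site' 'system.webServer/security/ipSecurity'

# FTP7 site: assumption that the section exists under system.ftpServer with the same
# attributes once the FTP Publishing Service is installed.
Set-PartnerOnlyAccess 'Partner FTP Site' 'system.ftpServer/security/ipSecurity'
```

A source-address rule only says which networks may talk to the site; everyone behind the partner's NAT or proxy shares that address, so keep authentication on the site as well. Domain-name entries cost a reverse DNS lookup per connection and are easy to defeat by whoever controls the reverse zone; prefer address ranges.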
Netsh Commands for IPsec
As with almost all administrative functions, you can use the network shell command netsh instead of graphical tools to administer IPsec. However, the netsh ipsec context, which you might have used to administer Windows Server 2003 IPsec, is not the best tool for Windows Server 2008. The netsh ipsec static and netsh ipsec dynamic contexts are still provided, but they are for compatibility with previous versions of Windows. They do not enable you to manage or interact with any of the IPsec...
More Info Domain Isolation
For more information about domain isolation in Windows Server 2008, see the following page on TechNet. Windows Server 2008 introduces connection security rules, which facilitate implementing IPsec for authenticated communication on a network. Windows Server 2008 gives you the option of enforcing connection security rules through a Group Policy object (GPO) in the WFAS node. Connection security rules evaluate network traffic and then block, allow, or negotiate security for messages based on the criteria you...
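A domain isolation policy expressed as connection security rules, serving this section, "Isolation Policies" and "Netsh Commands for IPsec" above, as an added example that is not code from the original book. It uses the netsh advfirewall consec context that the text recommends over netsh ipsec, writes the rules into a GPO rather than the local store, and adds the firewall rule that makes the IPsec SA a condition for inbound SMB. The rule names, the GPO name and the domain controller addresses are assumptions.

```powershell
# Added example, not code from the original book: domain isolation with
# netsh advfirewall consec. Rule names, GPO name and DC addresses are assumptions.

# Target the domain GPO so every computer in its scope gets the same rules.
# Use "set store local" (or omit this line) to try the rules on one computer first.
netsh advfirewall set store gpo="contoso.internal\Glasgow OU GPO"

# Exemptions first: Kerberos itself crosses the network, so the DCs and DNS must be
# reachable without an SA or no computer could ever authenticate to get one.
netsh advfirewall consec add rule name="Isolation exemption: DCs and DNS" `
    endpoint1=any "endpoint2=10.0.0.10,10.0.0.11" action=noauthentication enable=yes

# The isolation rule: request authentication outbound, require it inbound. Isolated
# hosts can still reach non-domain computers, but those computers cannot open
# sessions to isolated hosts. auth1=computerkerb means computer Kerberos only.
netsh advfirewall consec add rule name="Domain isolation" `
    endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb enable=yes

# A firewall rule that depends on the SA: inbound SMB is accepted only from a peer
# that authenticated through IPsec, so an unmanaged host on the same subnet is refused.
netsh advfirewall firewall add rule name="SMB in (IPsec-authenticated only)" `
    dir=in action=allow protocol=TCP localport=445 security=authenticate

netsh advfirewall set store local

# On a member computer after gpupdate /force: the rules it received and the
# main-mode SAs it currently holds (an empty list means nothing negotiated).
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

Roll this out with requestinrequestout first and watch the main-mode SA list fill in; moving straight to requireinrequestout cuts off every computer that cannot authenticate, including the ones you forgot to exempt.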
More Info Password Filters
For more information on password filters, see the following document on MSDN. You can configure all the Active Directory settings that relate to password policies and account lockout settings by using fine-grained password policies. The other two fine-grained password settings determine which users or groups the settings link to and a precedence value used to resolve conflicts. All these settings are stored within a Password Settings Object (PSO). PSOs are stored in the Password Settings...
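A complete PSO with every setting this paragraph lists, including the two link and precedence settings, created with ldifde as an added example that is not code from the original book. It also answers, in running form, the Quick Check item above about which objects a fine-grained policy can apply to: the policy links to a global security group. The domain, the group, the container path and the values are assumptions; the domain functional level must be Windows Server 2008 or the object class does not exist.

```powershell
# Added example, not code from the original book: create a PSO for privileged
# accounts and link it to a global security group. Domain, group and values are
# assumptions. AD stores the time-based settings as negative counts of 100-ns ticks.
function ConvertTo-AdInterval([timespan]$Span) { (-1 * $Span.Ticks).ToString() }

$ldif = @"
dn: CN=PSO-PrivilegedUsers,CN=Password Settings Container,CN=System,DC=contoso,DC=internal
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 15
msDS-MinimumPasswordAge: $(ConvertTo-AdInterval ([timespan]::FromDays(1)))
msDS-MaximumPasswordAge: $(ConvertTo-AdInterval ([timespan]::FromDays(42)))
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-AdInterval ([timespan]::FromMinutes(30)))
msDS-LockoutDuration: $(ConvertTo-AdInterval ([timespan]::FromMinutes(30)))
msDS-PSOAppliesTo: CN=Privileged Users,OU=Groups,DC=contoso,DC=internal
"@

$ldfPath = Join-Path $env:TEMP 'pso-privileged.ldf'
$ldif | Set-Content -Path $ldfPath -Encoding ASCII

# -i import, -k keep going on "already exists" errors, -f the file.
ldifde -i -k -f $ldfPath

# The lowest precedence value wins when a user is covered by more than one PSO.
# Check what a member of the group actually gets (assumed user):
dsget user "CN=Alice Ciccu,OU=Admins,DC=contoso,DC=internal" -effectivepso
```

Every attribute in the LDIF is mandatory on the object class, so ldifde rejects the add if one is missing. A PSO applied to a group is evaluated through group membership at logon, which is why the link must point at a global security group and not a distribution group or an OU.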
Note Accessing A Web Server
It is most unlikely that nonadministrators, and especially not IIS Manager user accounts, will log on to a Web server interactively. Such users will access Web sites and applications remotely. To create such an account, open IIS Manager and select the node for your server in the Connections pane. Double-click IIS Manager Users in Features View and, on the IIS Manager Users page, click Add User in the Actions pane. Type a username in the User Name text box in the Add User dialog box and type a password in...
Info: IPsec Defaults and ICMP Exemptions
FIGURE 2-31 Setting IPsec defaults (the Customize IPsec Settings dialog box offers the authentication options Computer and User using Kerberos V5, Computer using Kerberos V5, User using Kerberos V5, and Computer certificate from this certification authority with an Accept only health certificates check box, plus Advanced, a Learn more about IPsec settings link, and a What are the default values link). ICMP exemptions: You can use this setting on the IPsec Settings...
Case Scenario Wingtip Toys Terminal Services Deployment
You are in the process of deploying Windows Server 2008 to computers with the Terminal Services role service installed at Wingtip Toys. Wingtip Toys has a two-domain forest, east.wingtiptoys.internal and west.wingtiptoys.internal. After a series of trials to benchmark server performance, you have concluded that each server supports a maximum of 50 concurrent sessions. Approximately 220 users require access to Terminal Services. You will deploy only four servers during the initial rollout. You...
Configuring IPsec Settings for Connection Security Rules
You can define IPsec settings in the WFAS node of a GPO or in the WFAS console. To access these settings, first open the Properties dialog box of the Windows Firewall with Advanced Security node, as shown in Figure 2-29.
FIGURE 2-29 The Windows Firewall with Advanced Security node in the Group Policy Management Editor (Glasgow OU GPO [Glasgow.contoso.internal] Policy, Computer Configuration, Policies, Windows Settings, Security Settings, with Account Policies, Local Policies, Event Log, Restricted Groups and System Services alongside it).
Note Ftp Installation
You must uninstall FTP6 before installing FTP7. When you download the appropriate file, you cannot specify that it should run automatically on download because User Account Control blocks access to the applicationHost.config file. Instead, run it from an elevated command prompt or use one of the following commands: msiexec /i ftp7_x86_rtw.msi for 32-bit, or msiexec /i ftp7_x64_rtw.msi for 64-bit. During installation, you can include some or all of the following features. Common Files: This provides common...
Lesson Windows Firewall with Advanced Security
Windows Server 2008 ships with a firewall enabled by default. In this lesson, you learn about Windows Firewall with Advanced Security and the features it includes that differentiate it from earlier firewall software included with Microsoft Windows operating systems such as Microsoft Windows Server 2003. You learn how to create inbound and outbound firewall rules, configure rule scope, and configure connection security rules, a technology that is new to Windows Vista and Windows Server 2008....
Authentication and Domain Controller Placement in a Branch Office
Many organizational structures consist of a hub site and several branch offices that connect to the hub site over WAN links. These links can be congested, expensive, slow, or unreliable. Users in the branch office must be authenticated by AD DS to access resources in the domain. One or more domain controllers placed in the branch office would avoid the need to authenticate over a WAN link and would speed up authentication. Typically, a hub site is maintained by qualified IT staff and...
Lease Duration
In the days before private addressing and NAT, there was a sound argument for keeping lease durations short. If you had only a limited number of IP addresses to lease and you had a long duration, then a faulty computer taken out of service would retain its lease for a long time, until the lease expired. As a result, DHCP could run out of IP addresses to lease. Private IP ranges have no shortage of IP addresses. The 10.0.0.0/8 range has 2^24, or almost 17 million, addresses. Therefore, this problem no longer...
Configuring CrossDNS References
Each forest is independent of the other, and their DNS servers do not know about each other. You therefore need to configure the DNS servers in each forest with cross-DNS references that refer to the servers in the other forest. The simplest method is to specify forwarders from one domain to the other and vice versa. Figure 6-3 shows an IPv4 address of one DNS server being added to the Forwarders tab on the DNS server in the other forest. FIGURE 6-3 Specifying the IPv4 address of a DNS...
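The cross-references from the command line, as an added example that is not code from the original book. It uses dnscmd, which Windows Server 2008 installs with the DNS Server role, and prefers a conditional forwarder for the other forest's zone over the global forwarder the Forwarders tab sets, so only queries for that forest leave the forest. The forest names and server addresses are assumptions.

```powershell
# Added example, not code from the original book: cross-forest name resolution.
# Forest names and DNS server addresses are assumptions.

# On a DNS server in contoso.internal: forward only the other forest's namespace.
# Two addresses give the forwarder a fallback if one server is down.
dnscmd localhost /ZoneAdd fabrikam.internal /Forwarder 10.1.0.10 10.1.0.11

# On a DNS server in fabrikam.internal: the mirror image.
# dnscmd localhost /ZoneAdd contoso.internal /Forwarder 10.0.0.10 10.0.0.11

# The Forwarders tab in Figure 6-3 sets a global forwarder instead, which also sends
# every unresolved Internet query to the other forest:
# dnscmd localhost /ResetForwarders 10.1.0.10 10.1.0.11

# Verify from contoso.internal that the other forest's domain controllers resolve;
# a forest trust cannot be created until this SRV lookup succeeds.
dnscmd localhost /EnumZones
nslookup -type=SRV _ldap._tcp.dc._msdcs.fabrikam.internal
```

A conditional forwarder also limits the blast radius: if the partner's DNS servers are compromised, they can answer only for their own zone, whereas a global forwarder lets them answer for anything your servers cannot resolve locally.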
Practice: Requesting the Key Recovery Agent Certificate (continued)
FIGURE 7-11 Enabling the KRA template. 5. From the Start menu, click Run, type mmc, and then click OK. Dismiss the UAC dialog box and add the Certificates snap-in for your user account. 6. Expand the Certificates - Current User node. 7. Right-click the Personal store, select All Tasks, and then select Request New Certificate. In the Certificate Enrollment Wizard, select the Key Recovery Agent check box and click Enroll. Click Finish when the certificate installation completes. 8. Return to...
Network Address Translation
NAT enables you to use a host that has two or more network adapters to share an Internet connection with hosts on a private network. NAT differs from routing in that, whereas it allows hosts on the private network to reach the Internet, it does not allow hosts on the Internet direct access to hosts on the private network. Port forwarding is an exception to this rule. You learn about port forwarding later in this lesson. Windows Server 2008 provides two types of NAT: NAT through Routing and Remote Access, and NAT...
Certificate Practice Statements
A certificate practice statement is a policy document that defines the process through which a CA issues certificates. Committees that include systems administrators and the company legal team usually create certificate practice statements. Certificate practice statements are created in conjunction with certificate policies. A certificate policy is a formal document that describes the certificates issued by the CA and the responsibility of the organization that manages the CA with respect to...
More Info Web Administration Tools And Techniques
For more information about the Web administration tools and techniques provided by IIS7, see the following page on TechNet. Centralized configuration management: Large organizations typically support a considerable number of IIS installations. Sometimes you need to deploy a number of Web servers with the same configuration settings. In previous versions of IIS, you often needed to connect to each server and manage its configuration individually. IIS7 shares configuration information across server farms. IIS7 security accounts...
Case Scenario Using Active Directory Technologies 1
1. You can use AD DS to upgrade the internal directory service and update the central authentication and authorization store. 2. To support applications in the extranet, you implement identity federation with AD FS. 3. You should implement the AD FS federated Web SSO design in this scenario. 4. The applications are installed at Margie's Travel, which is therefore the resource partner. 5. To support the Windows-based applications in the extranet, you need access to a directory store. You should...
Note Answers
Answers to these questions and explanations of why each answer choice is right or wrong are located in the Answers section at the end of the book. 1. Which type of IPv6 address is equivalent to a public unicast IPv4 address? 2. A node has an fe80::6b:28c:16a7:d43a link-local IPv6 address. What is its corresponding solicited-node address? 3. Which protocol uses ICMPv6 messages to manage the interaction of neighboring nodes?
Customizing Data Collector Sets
A custom data collector set logs only the performance data defined in the template you chose. To add your own data sources to a data collector set, you must update it after you create it. To add a performance data source such as a performance counter to a data collector set, right-click the data collector set, select New, and then select Data Collector. The Create New Data Collector wizard opens. On the What Type Of Data Collector Would You Like To Create page, specify the data collector name,...
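The same data collector set built from the command line, as an added example that is not code from the original book, using the counters from the disk and memory sidebar above and applying its rule of thumb (queue length above twice the spindle count) to the collected log. logman and relog ship with Windows Server 2008; the set name, the log path and the spindle count are assumptions.

```powershell
# Added example, not code from the original book: a counter data collector set from
# the command line, then a check of the log against the "twice the spindles" rule.
# Set name, paths and spindle count are assumptions.
$name = 'DiskBottleneck'
$logDir = 'C:\PerfLogs'
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# A 15-second sample interval into a 200 MB circular binary log (the counters named
# in the sidebar above, plus available memory so cache pressure can be told apart).
logman create counter $name -c "\PhysicalDisk(*)\Avg. Disk Queue Length" `
    "\Memory\Cache Bytes" "\Memory\Available MBytes" `
    -si 00:00:15 -f bincirc -max 200 -o "$logDir\$name"
logman start $name
# ... reproduce the slow period, then:
# logman stop $name

# relog converts the binary log to CSV with one column per counter instance.
# relog "$logDir\$name.blg" -f CSV -o "$logDir\$name.csv" -y

function Test-DiskBottleneck([string]$CsvPath, [int]$Spindles) {
    $rows = Import-Csv $CsvPath
    $queueCols = $rows[0].PSObject.Properties |
        Where-Object { $_.Name -like '*\Avg. Disk Queue Length' } |
        ForEach-Object { $_.Name }
    foreach ($col in $queueCols) {
        # relog leaves blanks where a sample was missed; skip those before casting.
        $samples = $rows | Where-Object { $_.$col -match '^\d' } | ForEach-Object { [double]$_.$col }
        $avg = ($samples | Measure-Object -Average).Average
        $verdict = if ($avg -gt 2 * $Spindles) { 'likely bottleneck' } else { 'ok' }
        '{0}: average queue length {1:N2} against {2} spindle(s): {3}' -f $col, $avg, $Spindles, $verdict
    }
}

# Test-DiskBottleneck -CsvPath "$logDir\$name.csv" -Spindles 4
```

Apply the rule per physical disk instance: the _Total instance averages across arrays with different spindle counts and hides the one that is saturated.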