Syngress The Real MCTS MCITP Windows Server 2008 Server Administrator Exam 70646 Prep Kit Apr 2008 ISBN 1597492485 pdf

Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

  SOLUTIONS WEB SITE

To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

  ULTIMATE CDs

Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

  DOWNLOADABLE E-BOOKS

For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

  SYNGRESS OUTLET

Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

  SITE LICENSING

Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

  CUSTOM PUBLISHING

Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.


  Technical Editor
  Tony Piltzecker

  Naomi Alpern
  Tariq Azad
  Dustin Hannifin
  Shawn Tooley

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media® and Syngress® are registered trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

  PUBLISHED BY Syngress Publishing, Inc.

  Elsevier, Inc.
  30 Corporate Drive
  Burlington, MA 01803

The Real MCITP Exam 70-646 Prep Kit

Copyright © 2008 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN 13: 978-1-59749-248-5

Publisher: Andrew Williams
Page Layout and Art: SPI
Acquisitions Editor: David George
Copy Editor: Michelle Huegel
Technical Editor: Tony Piltzecker
Indexer: Nara Wood
Project Manager: Gary Byrne
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com.

  Technical Editor

Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix CCA), author and technical editor of Syngress Publishing’s MCSE Exam 70-296 Study Guide and DVD Training System and How to Cheat at Managing Microsoft Operations Manager 2005, is an independent consultant based in Boston, MA.

Tony’s specialties include network security design, Microsoft operating system and applications architecture, and Cisco IP telephony implementations. Tony’s background includes positions as systems practice manager for Presidio Networked Solutions, IT manager for SynQor Inc, network architect for Planning Systems, Inc., and senior networking consultant with Integrated Information Systems. Along with his various certifications, Tony holds a bachelor’s degree in business administration. Tony currently resides in Leominster, MA, with his wife, Melanie, and his daughters, Kaitlyn and Noelle.

  Contributing Authors

Naomi J. Alpern currently works for Microsoft as a consultant specializing in Unified Communications. She holds many Microsoft certifications, including an MCSE and MCT, as well as additional industry certifications such as Citrix Certified Enterprise Administrator, Security+, Network+, and A+. Since the start of her technical career she has worked in many facets of the technology world, including IT administration, technical training, and, most recently, full-time consulting. She likes to spend her time reading cheesy horror and mystery novels when she isn’t browsing the Web. She is also the mother of two fabulous boys, Darien and Justin, who mostly keep her running around like a headless chicken.

Tariq Bin Azad is the Principal Consultant and Founder of NetSoft Communications Inc., a consulting company located in Toronto, Canada. He is considered a top IT professional by his peers, coworkers, colleagues, and customers. He obtained this status by continuously learning and improving his knowledge and information in the field of information technology. Currently, he holds more than 100 certifications, including MCSA, MCSE, MCTS, MCITP (Vista, Mobile 5.0, Microsoft Communications Server 2007, Windows 2008, and Microsoft Exchange Server 2007), MCT, CIW-CI, CCA, CCSP, CCEA, CCI, VCP, CCNA, CCDA, CCNP, CCDP, CSE, and many more. Most recently, Tariq has been concentrating on Microsoft Windows 2000/2003/2008, Exchange 2000/2003/2007, Active Directory, and Citrix implementations. He is a professional speaker and has trained architects, consultants, and engineers on topics such as Windows 2008 Active Directory, Citrix Presentation Server, and Microsoft Exchange 2007. In addition to owning and operating an independent consulting company, Tariq works as a Senior Consultant and has utilized his training skills in numerous workshops, corporate trainings, and presentations. Tariq holds a Bachelor of Science in Information Technology from Capella University, USA, a Bachelor’s degree in Commerce from University of Karachi, Pakistan, and is working on his ALMIT (Master’s of Liberal Arts in Information Technology) from Harvard University, in Cambridge, MA. Tariq has been a coauthor on multiple books, including the best-selling MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (ISBN: 047018146X) and The Real MCTS/MCITP Exam 640 Preparation Kit (ISBN: 978-1-59749-235-5).

Tariq has worked on projects or trained for major companies and organizations, including Rogers Communications Inc., Flynn Canada, Cap Gemini, HP, Direct Energy, Toyota Motors, Comaq, IBM, Citrix Systems Inc., Unicom Technologies, Amica Insurance Company, and many others. He lives in Toronto, Canada, and would like to thank his father, Azad Bin Haider, and his mother, Sitara Begum, for their lifetime of guidance and for their understanding and support, which gave him the skills that have allowed him to excel in work and life.

Dustin Hannifin (Microsoft MVP—Office SharePoint Server) is a systems administrator with Crowe Chizek and Company LLC. Crowe (www.crowechizek.com) is one of the nation’s leading public accounting and consulting firms. Under its core purpose of “Building Value with Values®,” Crowe assists both public and private companies in reaching their goals through services ranging from assurance and financial advisory to performance, risk, and tax consulting. Dustin currently works in Crowe’s Information Services delivery unit, where he plays a key role in maintaining and supporting Crowe’s internal information technology (IT) infrastructure. His expertise resides in various Microsoft products, including Office SharePoint Server, System Center Operations Manager, Active Directory, IIS, and Office Communications Server. Dustin holds a bachelor’s degree from Tennessee Technological University and is a founding member of the Michiana IT Professionals Users Group. He regularly contributes to technology communities, including his blog (www.technotesblog.com) and Microsoft newsgroups. Dustin, a Tennessee native, currently resides in South Bend, IN.

Shawn Tooley owns a consulting firm, Tooley Consulting Group, LLC, that specializes in Microsoft and Citrix technologies, for which he is the principal consultant and trainer. Shawn also works as network administrator for a hospital in northeastern Ohio. Shawn’s certifications include Microsoft Certified Trainer (MCT), Microsoft Certified System Engineer (MCSE), Citrix Certified Enterprise Administrator, Citrix Certified Sales Professional, HP Accredited System Engineer, IBM XSeries Server Specialist, Comptia A+, and Comptia Certified Trainer. In his free time he enjoys playing golf.

  Contents

Foreword

Chapter 1 Planning for Server Deployment
  Introduction
  Planning for Installation or Upgrade
  Selecting a Windows 2008 Edition
  Rollback Planning
  Implementing BitLocker
  Planning for Infrastructure Services
  Address Assignment
  Name Resolution (DNS)
  DNS Zones
  Reverse Zones
  Planning For Global Naming Zones
  DNS Records
  Planning for Dynamic DNS (DDNS)
  Scavenging
  Planning For DNS Forwarding
  Network Access Protection
  Planning for NAP Enforcement Methods
  Planning For DHCP NAP Enforcement
  Planning For IPSec NAP Enforcement
  Planning For 802.1x NAP Enforcement
  Planning For VPN NAP Enforcement
  Planning for NAP Servers
  Health Policy Servers
  Health Requirement Servers
  Health Registration Authority Servers
  Planning for NAP Clients
  Directory Services
  Planning Forests and Domains
  Planning Domain Controller Placement
  Planning Active Directory Sites and Site Links
  Planning Organizational Unit Design
  Delegating Authority to Organizational Units
  Planning for Automated Server Deployment
  Standard Server Image
  Automation and Scheduling
  Certificate Services
  Introduction to Public Key Infrastructure
  Planning Certificate Servers
  Planning Root, Subordinate, and Intermediate Certificate Authorities
  Planning Application Services
  Planning for Web Applications
  Web Farms and Web Site Availability
  IIS Authentication Methods
  IIS Delegation and Remote Administration
  IIS 7 Core Server
  FTP, POP3, and SMTP
  Windows SharePoint Services 3.0
  Planning for Virtualization
  Planning for Availability
  Resilience
  Accessibility
  Planning for File and Print Services
  Working with Access Permissions
  Share Level Permissions vs File/Folder Permissions
  Providing Access to Users and Groups
  Allow and Deny
  Storage Quotas
  Planning for Replication
  Indexing Files
  Storage Policies
  Understanding Availability Options
  File and Print Server Clustering
  Publishing Printers
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Quick Answer Key

Chapter 2 Planning for Server Management
  Introduction
  Developing a Management Strategy
  Remote Administration
  Remote Desktop
  Server Management Technologies
  Windows PowerShell
  Windows Deployment Services (WDS)
  Windows Reliability and Performance Monitor
  Server Manager
  ServerManagerCMD
  Delegating Administration
  Delegating Authority
  Delegating Active Directory Objects
  Application Management
  Planning a Group Policy Strategy
  Understanding Group Policy
  Types of Group Policies
  Local Group Policy
  Non-Local Group Policy Objects
  Preferences
  Network Location Awareness
  User
  Computer
  Planning for GPOs
  Site, Domain, and OU Hierarchy
  Group Policy Processing Priority
  Creating and Linking Group Policy Objects
  Creating Stand-Alone GPOs
  Linking Existing GPOs
  Creating and Linking at One Time
  Controlling Application of Group Policies
  Enforce
  Block Inheritance
  GPO Backup and Recovery
  Troubleshooting
  Group Policy Results and Group Policy Modeling
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Quick Answer Key

  

Chapter 3 Monitoring and Maintaining Servers
  Introduction
  Patch Management
  OS Level Patch Management
  Windows Server Update Service
  WSUS 3.0 SP1 Deployment on Microsoft Windows 2008 Server
  Microsoft WSUS 3.0 Service Pack 1 Administration Console
  Configure Microsoft WSUS 3.0 Service Pack 1 Automatic Updates for Clients
  Application Patching
  Monitoring for Performance
  Monitoring Servers
  Optimization
  Event and Service Management
  Trending and Baseline Analysis
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Quick Answer Key

Chapter 4 Security and Policies
  Introduction
  Remote Access Security
  Installing and Configuring NPAS
  Routing and Remote Access Service
  Network Interfaces
  Remote Access Clients
  Ports
  PPTP
  L2TP/IPsec
  SSTP
  Network Access Protection
  Working with NAP
  Network Layer Protection
  NAP Clients
  NAP Enforcement Points
  Active Directory Domain Services
  NAP Health Policy Server
  Health Requirement Server
  Restricted Network
  Software Policy Validation
  Server Security
  Windows Firewall Management
  Working with Built-in Firewall Exceptions
  Creating Manual Firewall Exceptions
  Advanced Configuration of the Windows Firewall
  Modifying IPsec Defaults
  Key Exchange (Main Mode)
  Data Protection (Quick Mode)
  Authentication Method
  Creating Connection Security Rules
  Configuring a Server-to-Server Connection Security Rule
  Creating Firewall Rules
  Monitoring the Windows Firewall
  Data Security
  BitLocker
  Encrypted File System
  Auditing
  Auditing AD DS and LDS
  Event Log
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Quick Answer Key

Chapter 5 Planning for Server Virtualization
  Introduction
  Understanding Virtualization
  Server Consolidation
  Quality Assurance and Development Testing Environments
  Disaster Recovery
  Microkernelized vs. Monolithic Hypervisor
  Monolithic Hypervisor
  Microkernel Hypervisor
  Detailed Architecture
  Parent Partition
  Child Partitions
  Guest Operating Systems
  Guest with Enlightened Operating System
  Guest with Partially Enlightened Operating System
  Legacy Guest
  Application Compatibility
  Microsoft Server Virtualization
  Hyper-V
  Configuration
  Installing the Virtualization Role on Windows Server 2008
  Configuring Virtual Servers with Hyper-V
  Server Core
  Competition Comparison
  Server Placement
  System Center Virtual Machine Manager 2007
  Virtual Machine Manager Administrator Console
  Windows PowerShell Command-Line Interface
  System Center Virtual Machine Manager Self Service Web Portal
  Virtual Machine Manager Library
  Migration Support Functionality
  Virtual Machine Creation Process Using SCVMM
  Managing Servers
  Stand-Alone Virtualization Management Console
  Managing Applications
  Managing VMware
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Quick Answer Key

Chapter 6 Application and Data Provisioning
  Introduction
  Provisioning Applications
  Terminal Server Infrastructure
  Terminal Server Licensing
  Terminal Services Gateway Server
  Terminal Services Session Broker
  Terminal Services RemoteApp
  Resource Allocation
  Microsoft Windows System Resource Manager
  Application Virtualization
  Microsoft SoftGrid Application Virtualization
  System Center Configuration Manager 2007
  Introduction to SCCM
  Hardware Inventory
  Software Inventory
  Application Management and Deployment
  OS Deployment
  Provisioning Data
  Working with Shared Resources
  Offline Data Access
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Quick Answer Key

Chapter 7 Planning for Business Continuity and High Availability
  Introduction
  Planning for Storage Requirements
  Self Healing NTFS
  Multipath I/O (MPIO)
  Data Management
  Share and Storage Management Console
  Storage Explorer
  Storage Manager for SANs Console
  Data Security
  Group Policy Control over Removable Media
  BitLocker Drive Encryption
  BitLocker Volume Recovery
  BitLocker Management Options
  Using BitLocker for the Safe Decommissioning of Hardware
  Data Collaboration
  Planning for High Availability
  Failover Clustering
  Architectural Details of Windows 2008 Failover Clustering
  Multi-Site Clusters
  Service Redundancy
  Service Availability
  Data Accessibility and Redundancy
  Failover Clustering
  Prerequisites
  Distributed File System
  Virtualization and High Availability
  Planning for Backup and Recovery
  Data Recovery Strategies
  Server Recovery
  WinRE Recovery Environment Bare Metal Restore
  Command Line Bare Metal Restore
  Recovering Directory Services
  Backup Methods for Directory Services
  Backup Types for Directory Services
  Recovery Methods for Directory Services
  Directory Services Restore Mode Recovery
  Non-Authoritative Restore
  Authoritative Restore
  Object Level Recovery
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Quick Answer Key

  

Appendix Self Test Appendix
  Chapter 1: Planning for Server Deployment
  Chapter 2: Planning for Server Management
  Chapter 3: Monitoring and Maintaining Servers
  Chapter 4: Security and Policies
  Chapter 5: Planning for Server Virtualization
  Chapter 6: Application and Data Provisioning
  Chapter 7: Planning for Business Continuity and High Availability

Index

  Foreword

  This book’s primary goal is to help you prepare to take and pass Microsoft’s exam number 70–646, Windows Server 2008 Server Administrator. Our secondary purpose in writing this book is to provide exam candidates with knowledge and skills that go beyond the minimum requirements for passing the exam and help to prepare them to work in the real world of Microsoft computer networking.

  

What Is Professional Series Exam 70–646?

  Professional Series Exam 70–646 is the final requirement for those pursuing Microsoft Certified Information Technology Professional (MCITP): Server Administrator certification for Windows Server 2008. The server administrator is responsible for the operations and day-to-day management of an infrastructure of servers for an enterprise organization. Windows server administrators manage the infrastructure, Web, and IT application servers. Candidates for this certification are IT professionals who want to be known as leaders and problem solvers in a current or future role in an organization that uses Windows Server 2008.

  However, not everyone who takes Exam 70–646 will have practical experience in IT management. Many people will take this exam after classroom instruction or self-study as an entry into the networking field. Many of those who do have job experience in IT will not have had the opportunity to work with all of the technologies or be involved with the infrastructure or management issues covered by the exam. In this book, our goal is to provide background information that will help you to understand the concepts and procedures described even if you don’t have the requisite experience, while keeping our focus on the exam objectives.


  Exam 70–646 covers the complex concepts involved with administering a network environment that is built around Microsoft’s Windows Server 2008. The exam includes the following task-oriented objectives:

  ■ Planning for Server Deployment: This includes planning server installations and upgrades, planning for automated server deployment, planning infrastructure services server roles, planning application servers and services, and planning file and print server roles.

  ■ Planning for Server Management: This includes planning server management strategies, planning for delegated administration, and planning and implementing group policy strategy.

  ■ Monitoring and Maintaining Servers: This includes implementing patch management strategy, monitoring servers for performance evaluation and optimization, and monitoring and maintaining security and policies.

  ■ Planning Application and Data Provisioning: This includes data and application provisioning.

  ■ Planning for Business Continuity and High Availability: This includes planning storage, planning high availability, and planning for backup and recovery.

  NOTE

In this book, we have tried to follow Microsoft’s exam objectives as closely as possible. However, we have rearranged the order of some topics for a better flow and included background material to help you understand the concepts and procedures that are included in the objectives.

  Path to MCTS/MCITP/MS Certified Architect

  Microsoft certification is recognized throughout the IT industry as a way to demonstrate mastery of basic concepts and skills required to perform the tasks involved in implementing and maintaining Windows-based networks. The certification program is constantly evaluated and improved, and the nature of information technology is changing rapidly. Consequently, requirements and specifications for certification can also change rapidly. This book is based on the exam objectives as stated by Microsoft at the time of writing; however, Microsoft reserves the right to make changes to the objectives and to the exam itself at any time. Exam candidates should regularly visit the Certification and Training Web site at www.microsoft.com/learning/mcp/default.mspx for the most updated information on each Microsoft exam.

  Microsoft presently offers three basic levels of certification on the technology level, professional level, and architect level:

  ■ Technology Series: This level of certification is the most basic, and it includes the Microsoft Certified Technology Specialist (MCTS) certification. The MCTS certification is focused on one particular Microsoft technology. There are 19 MCTS exams at the time of this writing. Each MCTS certification consists of one to three exams, does not include job-role skills, and will be retired when the technology is retired. Microsoft Certified Technology Specialists will be proficient in implementing, building, troubleshooting, and debugging a specific Microsoft technology.

  ■ Professional Series: This is the second level of Microsoft certification, and it includes the Microsoft Certified Information Technology Professional (MCITP) and Microsoft Certified Professional Developer (MCPD) certifications. These certifications consist of one to three exams, have prerequisites from the Technology Series, focus on a specific job role, and require an exam refresh to remain current. The MCITP certification offers nine separate tracks as of the time of this writing. There are two Windows Server 2008 tracks, Server Administrator and Enterprise Administrator. To achieve the Server Administrator MCITP for Windows Server 2008, you must successfully complete one Technology Series exam and one Professional Series exam. To achieve the Enterprise Administrator MCITP for Windows Server 2008, you must successfully complete four Technology Series exams and one Professional Series exam.

  ■ Architect Series: This is the highest level of Microsoft certification, and it requires the candidate to have at least 10 years’ industry experience. Candidates must pass a rigorous review by a review board of existing architects, and they must work with an architect mentor for a period of time before taking the exam.

  NOTE

Those who already hold the MCSA or MCSE in Windows 2003 can upgrade their certifications to MCITP Server Administrator by passing one upgrade exam and one Professional Series exam. Those who already hold the MCSA or MCSE in Windows 2003 can upgrade their certifications to MCITP Enterprise Administrator by passing one upgrade exam, two Technology Series exams, and one Professional Series exam.

  Prerequisites and Preparation