MCTS Guide to Microsoft Windows 7
Chapter 13: Enterprise Computing
Instructor's Manual

At a Glance

Table of Contents
Overview
Objectives
Teaching Tips
Quick Quizzes
Class Discussion Topics
Additional Projects
Additional Resources
Key Terms

Lecture Notes

Overview

Chapter 13 explains enterprise computing. Students will learn about Active Directory and how to use Group Policy to control Windows 7. Next, students will control device installation with Group Policy settings and plan enterprise deployments of Windows 7. Chapter 13 also describes enterprise deployment tools for Windows 7. In addition, students will use Windows Server Update Services to apply updates. Finally, Chapter 13 explains Network Access Protection.

Chapter Objectives

• Understand Active Directory
• Use Group Policy to control Windows 7
• Control device installation with Group Policy settings
• Plan enterprise deployments of Windows 7
• Describe enterprise deployment tools for Windows 7
• Use Windows Server Update Services to apply updates
• Understand Network Access Protection

Teaching Tips

Active Directory

1. Explain that Active Directory expands on the domain concept by linking domains in logical structures named trees, and multiple trees into forests.
2. Define domain controllers as servers that hold a copy of Active Directory information and are responsible for authenticating users when they log on to a workstation. Domain controllers also respond to requests for other domain information such as printer information or application configuration.

Teaching Tip: Learn more about Active Directory at: http://learnthat.com/2008/07/introductionto-active-directory/.

Active Directory Structure

1. Define a domain as a central security database that is used by all computers that are members of the domain. It stores information about user accounts and computers. Active Directory uses the same naming convention for domains and objects as DNS.
2. Explain that each domain can be subdivided into organizational units (OUs). OUs allow you to organize the objects in a domain and can be used for delegating management permissions. Organizational units can be used to apply Group Policies. Use Figure 13-1 to illustrate your explanation.
3. Explain that you can create more complex Active Directory structures by combining multiple domains into a tree and multiple trees into a forest.
4. Describe some of the reasons to use multiple domains, including:
   a. Decentralized administration
   b. Unreliable WAN links
   c. Multiple password policies
5. Define the forest root domain as the first Active Directory domain created in an organization. When multiple domains exist in a forest, trust relationships are generated automatically between the domains. Use Figure 13-2 to illustrate your explanation.
6. Mention that in a forest, each domain trusts its own parent and subdomains. Use Figure 13-3 to illustrate your explanation.

Teaching Tip: Read more about the structure of Active Directory at: http://technet.microsoft.com/en-us/library/cc978008.aspx.

7. Explain that within Active Directory, Windows servers can be either a member server or a domain controller.
8. Explain that member servers are integrated into Active Directory, and can participate in the domain by sharing files and printers with domain users.
9. Define a domain controller as a server that stores a copy of Active Directory information.

Active Directory Partitions

1. Explain that to make Active Directory more manageable, it is divided into these partitions:
   a. Domain partition, which holds the user accounts, computer accounts, and other domain-specific information
   b. Configuration partition, which holds general information about the Active Directory forest
   c. Schema partition, which holds the definitions of all objects and object attributes for the forest
2. Explain that application partitions can also be created by an administrator to hold application-specific information. A global catalog server is a domain controller that holds a subset of the information in all domain partitions.

Teaching Tip: Read more about Active Directory application partitions at: http://articles.techrepublic.com.com/5100-6345_11-5746279.html.

Active Directory Sites and Replication

1. Explain that Active Directory uses multimaster replication. This means that Active Directory information can be changed on any domain controller, and those changes will be replicated to other domain controllers.

Teaching Tip: Read more about multimaster replication at: www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbh_rep_fgtk.mspx?mfr=true.

2. Explain that an Active Directory site is defined by IP subnets. Within a site, Active Directory replication is uncontrolled. Between sites, Active Directory replication is controlled by site links.

Active Directory and DNS

1. Mention that one of the most common configuration problems in Active Directory networks is incorrect DNS configuration on servers and workstations.
2. Explain that Active Directory stores information about domain controllers and other services in DNS. Incorrect DNS configuration can result in:
   a. Slow user logons
   b. Inability to apply group policies
   c. Failed replication between domain controllers

Joining a Domain

1. Explain that when a workstation joins a domain, it is integrated into the security structure for the domain. Administration of the workstation can be performed centrally by using Group Policy.
2. Describe the security changes that occur when a workstation joins a domain, including:
   a. Domain Admins group becomes a member of the local Administrators group
   b. Domain Users group becomes a member of the local Users group
   c. Domain Guests group becomes a member of the local Guests group
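Added example (not from the textbook or this manual): a PowerShell script that verifies, from the administrator's side, the points made in the Active Directory and DNS and Joining a Domain notes: the domain controller locator records resolve in DNS, the domain groups were nested into the expected local groups, and the workstation takes its time from a domain source rather than its local clock. The domain name 'example.local' is a constructed placeholder; nslookup and w32tm are used because the newer DNS and local-account cmdlets are not present on Windows 7.

```powershell
# Added example: check a Windows 7 workstation's domain join.
# 'example.local' is a constructed placeholder; pass the real domain name.
param(
    [string]$DomainName = 'example.local'
)

function Test-DcSrvRecords {
    # Active Directory publishes domain controller locator records in DNS.
    # Missing records are behind slow logons and failed Group Policy
    # processing, so this is checked first.
    param([string]$Domain)
    $query  = "_ldap._tcp.dc._msdcs.$Domain"
    $output = & nslookup.exe -type=SRV $query 2>&1 | Out-String
    New-Object PSObject -Property @{
        Query    = $query
        Resolved = ($output -match 'svr hostname')   # nslookup prints this for each SRV answer
    }
}

function Get-LocalGroupMembers {
    # Enumerate a local group through the WinNT ADSI provider (works on Windows 7).
    param([string]$GroupName)
    $group   = [ADSI]"WinNT://./$GroupName,group"
    $members = @($group.psbase.Invoke('Members'))
    foreach ($m in $members) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

function Test-DomainGroupNesting {
    # After a join, Domain Admins/Users/Guests are nested into the matching local
    # groups. Report whether each expected member is present, and list every
    # member so unexpected additions to Administrators are visible.
    $expected = @{
        'Administrators' = 'Domain Admins'
        'Users'          = 'Domain Users'
        'Guests'         = 'Domain Guests'
    }
    foreach ($local in $expected.Keys) {
        $members = @(Get-LocalGroupMembers -GroupName $local)
        New-Object PSObject -Property @{
            LocalGroup     = $local
            ExpectedMember = $expected[$local]
            Present        = ($members -contains $expected[$local])
            AllMembers     = ($members -join ', ')
        }
    }
}

function Get-TimeSource {
    # A joined workstation should synchronize with a domain controller;
    # "Local CMOS Clock" or "Free-running System Clock" means it does not.
    $source = (& w32tm.exe /query /source 2>&1 | Out-String).Trim()
    New-Object PSObject -Property @{
        Source       = $source
        DomainSynced = ($source -notmatch 'Local CMOS Clock' -and $source -notmatch 'Free-running')
    }
}

Test-DcSrvRecords -Domain $DomainName | Format-List Query, Resolved
Test-DomainGroupNesting | Format-Table LocalGroup, ExpectedMember, Present, AllMembers -AutoSize
Get-TimeSource | Format-List Source, DomainSynced
```

Run it in an elevated PowerShell session on the joined workstation. The AllMembers column is the audit-relevant part: a member of the local Administrators group that is neither the built-in Administrator nor Domain Admins is something to explain, not ignore.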
3. Mention that the process of joining a workstation to a domain creates a computer account. After a workstation is joined to the domain, it synchronizes time with domain controllers in the domain.

Group Policy

1. Explain that Group Policy can be used to centrally manage the configuration of a Windows 7 computer.
2. Describe some of the Group Policy settings you can configure, including:
   a. Desktop settings, such as wallpaper and the ability to right-click
   b. Security settings, such as the ability to log on locally
   c. Logon, logoff, startup, and shutdown scripts
   d. Folder redirection to store My Documents on a network server
   e. Software distribution
3. Mention that Group Policy settings used by Windows 7 are contained in a Group Policy object (GPO).
4. Define a Group Policy object (GPO) as a collection of registry settings applied to the Windows 7 computer. Use Figure 13-4 to illustrate your explanation.
5. Explain that settings in a GPO are divided into user settings and computer settings. User settings are applied to any user accounts in the OU. Computer settings in the GPO are applied to any computer accounts in the OU. Use Figure 13-5 to illustrate your explanation.

Group Policy Inheritance

1. Explain that Group Policy objects can be linked to Active Directory domains, OUs, and Active Directory sites. Each Windows 7 computer can also have local Group Policy objects.
2. Explain that GPOs are applied in the following order:
   a. Local computer
   b. Site
   c. Domain
   d. Parent OU
   e. Child OU
3. Mention that all of the individual GPO settings are inherited by default. At each level, more than one GPO can be applied to a user or computer.
4. Describe the steps to determine which policy settings to apply, including:
   a. If there is no conflict, the settings for all policies are applied
   b. If there is a conflict, later settings overwrite earlier settings
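Added example (not from the textbook or this manual): a PowerShell simulation of the inheritance rules in these notes. GPOs are applied in the order local computer, site, domain, parent OU, child OU; non-conflicting settings all apply, a later setting overwrites an earlier one, and when a computer setting and a user setting conflict the computer setting wins. The GPO names and setting names below are constructed sample data, not real policy exports, and the resolver is a teaching model rather than the Group Policy engine itself.

```powershell
# Added example: resolve the effective policy from an ordered list of GPOs.
# All GPO contents here are constructed sample data.

function Resolve-EffectivePolicy {
    # $Gpos is the list in application order (local, site, domain, parent OU,
    # child OU). Each entry has Name, Level, and Computer/User hashtables.
    param([System.Collections.IList]$Gpos)

    $computer = @{}
    $user     = @{}
    $trace    = @()
    foreach ($gpo in $Gpos) {
        foreach ($scope in 'Computer', 'User') {
            $target = if ($scope -eq 'Computer') { $computer } else { $user }
            foreach ($setting in $gpo[$scope].Keys) {
                $value = $gpo[$scope][$setting]
                # Rule b: a later GPO overwrites an earlier one on conflict.
                if ($target.ContainsKey($setting) -and $target[$setting] -ne $value) {
                    $trace += "$($gpo.Name) ($($gpo.Level), $scope) overrides '$setting': '$($target[$setting])' -> '$value'"
                }
                $target[$setting] = $value          # rule a: everything else simply applies
            }
        }
    }
    # Rule c: where computer policy and user policy both define a setting,
    # the computer policy is applied.
    $effective = @{}
    foreach ($k in $user.Keys) { $effective[$k] = $user[$k] }
    foreach ($k in $computer.Keys) {
        if ($effective.ContainsKey($k) -and $effective[$k] -ne $computer[$k]) {
            $trace += "Computer policy wins over user policy for '$k': '$($effective[$k])' -> '$($computer[$k])'"
        }
        $effective[$k] = $computer[$k]
    }
    New-Object PSObject -Property @{ Effective = $effective; Trace = $trace }
}

# Constructed GPOs, listed in the order Windows applies them.
$sampleGpos = @(
    @{ Name = 'Local Computer Policy'; Level = 'Local';
       Computer = @{ 'PasswordMinLength' = '6'; 'AllowRemovableStorageWrite' = 'Enabled' }; User = @{} },
    @{ Name = 'Head Office Site'; Level = 'Site';
       Computer = @{ 'ProxyServer' = 'proxy.example.local:8080' }; User = @{} },
    @{ Name = 'Default Domain Policy'; Level = 'Domain';
       Computer = @{ 'PasswordMinLength' = '12' }; User = @{ 'Wallpaper' = 'corp.jpg' } },
    @{ Name = 'Workstations OU'; Level = 'Parent OU';
       Computer = @{ 'AllowRemovableStorageWrite' = 'Disabled' }; User = @{ 'Wallpaper' = 'workstation.jpg' } },
    @{ Name = 'Finance OU'; Level = 'Child OU';
       Computer = @{}; User = @{ 'AllowRemovableStorageWrite' = 'Enabled'; 'DisableRegistryTools' = 'Enabled' } }
)

$result = Resolve-EffectivePolicy -Gpos $sampleGpos
$result.Trace
$result.Effective.GetEnumerator() | Sort-Object Key | Format-Table Key, Value -AutoSize
```

The trace shows the security-relevant outcome: the child OU's user-side attempt to re-enable removable storage writes loses to the parent OU's computer-side setting, so the effective value stays Disabled. Real deployments also have Enforced links, Block Inheritance, and security filtering, which change the order described here and are not modelled.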
   c. If the settings in a computer policy and a user policy conflict, apply the settings from the computer policy

Group Policy Enhancements in Windows 7

1. Explain that Windows 7 processes group policies with a new Group Policy service. Some of the benefits include:
   a. Group Policy settings can be applied without any reboots
   b. Performance is increased and resource usage is reduced for Group Policy processing
   c. Group Policy events are logged to the System log instead of the Application log
   d. Information about Group Policy application is logged to a Group Policy Operational log
2. Mention that Group Policy Preferences introduce a way to configure a number of Windows 7 features that may have required scripting in the past.
3. Mention that Windows 7 allows you to have multiple local GPOs and consequently have distinct settings for different users, even in a workgroup environment.

Quick Quiz 1

1. You can create more complex Active Directory structures by combining multiple domains into a tree and multiple trees into a(n) ____.
   Answer: forest
2. A(n) ____ is a domain controller that holds a subset of the information in all domain partitions.
   Answer: global catalog server
3. Active Directory uses ____. This means that Active Directory information can be changed on any domain controller, and those changes will be replicated to other domain controllers.
   Answer: multimaster replication
4. ____ is a feature integrated with Active Directory that can be used to centrally manage the configuration of a Windows 7 computer.
   Answer: Group Policy

Controlling Device Installation

1. Explain that you can prevent device installation in Windows 7. For example, you can prevent installation of USB-based storage to prevent data from leaving the premises.

Device Identification

1. Explain that Windows 7 uses a device identification string and device setup class to properly install a new device.
2. Explain that a device often reports multiple device identification strings. Hardware ID is the most specific device identification string. Multiple hardware IDs allow the best available driver to be installed. Compatible IDs are another device identification string that is used to find appropriate drivers. Use Figure 13-6 to illustrate your explanation.

Teaching Tip: Read more about device identification strings at: http://msdn.microsoft.com/en-us/library/ff541224(VS.85).aspx.

3. Explain that device setup classes are used during the installation process for a new device to describe how the installation should be performed. Device setup classes identify a generic type of device rather than a specific make or model.
4. Mention that some devices have multiple GUIDs defined if they are a multifunction device.

Teaching Tip: Read more about device setup classes at: http://www.osronline.com/ddkx/install/setup-cls_1wpz.htm.

Device Installation Group Policy Settings

1. Mention that Windows 7 includes nine group policy settings specifically to control device installation. Use Figure 13-7 to illustrate your explanation.
2. Describe the Group Policy settings that control device installation:
   a. Allow administrators to override Device Installation Restriction policies
   b. Allow installation of devices using drivers that match these device setup classes
   c. Prevent installation of devices using drivers that match these device setup classes
   d. Display a custom message when installation is prevented by a policy setting
   e. Display a custom message title when device installation is prevented by a policy setting
   f. Allow installation of devices that match any of these device IDs
   g. Prevent installation of devices that match any of these device IDs
   h. Time (in seconds) to force reboot when required for policy changes to take effect
   i. Prevent installation of removable devices
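Added example (not from the textbook or this manual): a PowerShell audit that ties the two preceding topics together. It reads the Device Installation Restriction policy values a Windows 7 computer has received, then lists the hardware IDs and compatible IDs that present USB storage devices report, so an administrator can confirm that the deny lists actually cover the identification strings the devices present. The registry locations under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions are where these policies are stored; the chapter does not list them, so they are stated here as the script's assumption, and the ID matching is a plain compare that simplifies how Windows evaluates the lists.

```powershell
# Added example: audit device installation restrictions against devices present.
# Registry locations are an assumption of this script, not taken from the chapter.

$restrictionKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyIdList {
    # Device ID and setup class lists are stored as numbered string values
    # under a subkey of the restrictions key.
    param([string]$SubKey)
    $path = Join-Path $restrictionKey $SubKey
    if (-not (Test-Path $path)) { return @() }
    $item = Get-Item $path
    foreach ($name in $item.GetValueNames()) { $item.GetValue($name) }
}

function Get-DeviceInstallRestrictions {
    $flags = Get-ItemProperty -Path $restrictionKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        PolicyKeyPresent     = (Test-Path $restrictionKey)
        DenyRemovableDevices = [bool]$flags.DenyRemovableDevices   # "Prevent installation of removable devices"
        DenyUnspecified      = [bool]$flags.DenyUnspecified        # "Prevent installation of devices not described..."
        AllowAdminInstall    = [bool]$flags.AllowAdminInstall      # "Allow administrators to override..."
        DeniedDeviceIds      = @(Get-PolicyIdList 'DenyDeviceIDs')
        AllowedDeviceIds     = @(Get-PolicyIdList 'AllowDeviceIDs')
        DeniedSetupClasses   = @(Get-PolicyIdList 'DenyDeviceClasses')
        AllowedSetupClasses  = @(Get-PolicyIdList 'AllowDeviceClasses')
    }
}

function Get-PresentDeviceIds {
    # Win32_PnPEntity exposes the hardware IDs (most specific first) and the
    # compatible IDs a device reported; these are what the policy lists match.
    param([string]$DeviceIdPrefix = 'USBSTOR')
    Get-WmiObject Win32_PnPEntity |
        Where-Object { $_.DeviceID -like "$DeviceIdPrefix*" } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name          = $_.Name
                HardwareIds   = @($_.HardwareID)
                CompatibleIds = @($_.CompatibleID)
            }
        }
}

function Test-DeviceInIdList {
    # True if any hardware or compatible ID of the device appears in the list
    # (case-insensitive exact compare; a simplification of Windows' matching).
    param($Device, [string[]]$IdList)
    foreach ($id in ($Device.HardwareIds + $Device.CompatibleIds)) {
        if ($id -and ($IdList -contains $id)) { return $true }
    }
    return $false
}

$policy = Get-DeviceInstallRestrictions
$policy | Format-List PolicyKeyPresent, DenyRemovableDevices, DenyUnspecified, AllowAdminInstall
"Denied device IDs:    $($policy.DeniedDeviceIds -join '; ')"
"Denied setup classes: $($policy.DeniedSetupClasses -join '; ')"

foreach ($dev in Get-PresentDeviceIds) {
    $covered = Test-DeviceInIdList -Device $dev -IdList $policy.DeniedDeviceIds
    "{0}`n  hardware IDs:   {1}`n  compatible IDs: {2}`n  in deny list:   {3}" -f `
        $dev.Name, ($dev.HardwareIds -join ', '), ($dev.CompatibleIds -join ', '), $covered
}
```

A device that is already installed before the policy arrives is not removed by it, so the "in deny list" column tells you whether a re-plug of that device would be blocked, not whether it is blocked right now. AllowAdminInstall is worth reporting separately: when it is set, members of the local Administrators group bypass every other restriction shown.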
   j. Prevent installation of devices not described by other policy settings

Removable Storage Group Policy Settings

1. Mention that additional Group Policy settings can be used to control access specifically to different types of removable storage. Use Figure 13-8 to illustrate your explanation.
2. Describe the types of devices you can control, including:
   a. CD and DVD
   b. Custom Classes
   c. Floppy Drives
   d. Removable Disks
   e. All Removable Storage classes
   f. Tape Drives
   g. Windows Portable Devices (WPD)

Deployment Planning

1. Explain that the formal process for implementing Windows 7 should include the following steps:
   a. Define the scope and goals of the project
   b. Assess the existing computer systems
   c. Plan the new computer system configuration
   d. Determine a deployment process
   e. Test the deployment process
   f. Deploy Windows 7

Scope and Goals

1. Explain that organizations should not change computer systems for the sake of change. There must be significant benefits to the organization.
2. Explain that the scope for a Windows 7 migration project defines which computers should be upgraded. It also defines the data that is to be migrated.

Existing Computer Systems

1. Explain that existing computer systems in the organization must be evaluated to ensure that they support Windows 7. This evaluation is composed of two parts:
   a. Hardware evaluation
   b. Software evaluation

New Configuration

1. Explain that in some cases, the default configuration of Windows 7 is sufficient for organizational needs. In many more cases, the organization customizes the default configuration of Windows 7 to match its needs.
2. Mention that applications must also be selected as part of the configuration planning.

Deployment Process Selection

1. Explain that you can choose to either upgrade the existing operating system or perform a clean installation.
   An upgrade retains all of the existing computer settings possible, including user files, applications, and application settings. A clean installation allows you to standardize your configuration rather than using existing settings.
2. Describe the following potential installation methods:
   a. Boot from DVD
   b. Run an unattended setup from a network share or DVD
   c. Imaging
   d. Windows Deployment Services
   e. Systems Management Server

Test Deployment

1. Mention that you must thoroughly test the deployment process.
2. Explain that the first part of the testing process should be done in a test lab. Then, you should perform a test pilot to designated users within the organization. Users and computers selected should be representative of the users and computers in the overall organization.

Deployment

1. Mention that in most cases, deployment will not be done over a single night or a single weekend.
2. Explain that in most cases, deployment will be done by department, region, building, or floor. Breaking the deployment into smaller phases reduces the risk of failure.

Enterprise Deployment Tools

1. Mention that many tools are available to help in the deployment of Windows 7, including ImageX, Sysprep, Windows System Image Manager (WSIM), Windows PE, and Windows Easy Transfer.
2. This section describes the following additional tools:
   a. User State Migration Tool (USMT)
   b. Windows Deployment Services (WDS)
   c. System Center Configuration Manager (SCCM)
   d. Microsoft Deployment Toolkit (MDT)
   e. VHD boot

User State Migration Tool

1. Explain that USMT performs approximately the same tasks as Windows Easy Transfer. USMT migrates user settings, documents, and application configuration settings. USMT has a command-line interface and a graphical interface.
2. Mention that the configuration of USMT is done by editing the XML files MigApp.xml, MigUser.xml, MigSys.xml, and Config.xml.
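Added example (not from the textbook or this manual): a PowerShell wrapper for the ScanState/LoadState migration this section describes. It builds the command lines for the capture and restore phases from the MigApp.xml and MigUser.xml files plus an edited Config.xml, encrypts the migration store with a key so a store left on a file share is not readable by everyone who can open the share, and refuses to continue when a phase returns a non-zero exit code. The USMT folder, the store share, the config path and the key are constructed placeholders; USMT itself (from the Windows AIK) must be installed.

```powershell
# Added example: run the USMT capture and restore phases with checked arguments.
# All paths and the key below are constructed placeholders.

function Get-UsmtArguments {
    # Build the argument list for one phase. Both phases share the migration
    # XML files and the Config.xml that decides which settings are migrated.
    param(
        [ValidateSet('Capture', 'Restore')][string]$Phase,
        [string]$StorePath,
        [string]$UsmtPath,
        [string]$ConfigFile,
        [string]$EncryptionKey,
        [string]$LogFile
    )
    $list = @($StorePath)
    $list += "/i:$(Join-Path $UsmtPath 'MigApp.xml')"   # application settings
    $list += "/i:$(Join-Path $UsmtPath 'MigUser.xml')"  # user files and profile settings
    if ($ConfigFile) { $list += "/config:$ConfigFile" }
    if ($Phase -eq 'Capture') {
        $list += '/o'                                    # overwrite an existing store
        $list += '/encrypt'; $list += "/key:$EncryptionKey"
    } else {
        $list += '/decrypt'; $list += "/key:$EncryptionKey"
    }
    $list += "/l:$LogFile"
    $list += '/v:5'                                      # log verbosity
    $list += '/c'                                        # continue on non-fatal errors
    return $list
}

function Invoke-UsmtPhase {
    param(
        [ValidateSet('Capture', 'Restore')][string]$Phase,
        [string]$StorePath,
        [string]$UsmtPath,
        [string]$ConfigFile,
        [string]$EncryptionKey,
        [switch]$DryRun
    )
    $exeName = if ($Phase -eq 'Capture') { 'ScanState.exe' } else { 'LoadState.exe' }
    $exe = Join-Path $UsmtPath $exeName
    if (-not (Test-Path $exe)) { throw "USMT executable not found: $exe" }
    $log = Join-Path $env:TEMP ("usmt-{0}.log" -f $Phase.ToLower())
    $argList = Get-UsmtArguments -Phase $Phase -StorePath $StorePath -UsmtPath $UsmtPath `
        -ConfigFile $ConfigFile -EncryptionKey $EncryptionKey -LogFile $log
    if ($DryRun) { return "Would run: $exe $($argList -join ' ')" }
    & $exe @argList
    if ($LASTEXITCODE -ne 0) { throw "$Phase failed with exit code $LASTEXITCODE; see $log" }
}

function New-UsmtConfig {
    # Generate Config.xml once with /genconfig; edit the result to switch off
    # components that must not migrate, then pass it to both phases.
    param([string]$UsmtPath, [string]$OutFile)
    $exe = Join-Path $UsmtPath 'ScanState.exe'
    & $exe "/i:$(Join-Path $UsmtPath 'MigApp.xml')" "/i:$(Join-Path $UsmtPath 'MigUser.xml')" "/genconfig:$OutFile"
}

# Constructed placeholders; -DryRun only prints the command lines.
$usmt   = 'C:\Program Files\Windows AIK\Tools\USMT\amd64'
$store  = '\\fileserver.example.local\MigStore$\WS-0042'
$config = 'C:\Migration\Config.xml'
$key    = 'placeholder-migration-key'
Invoke-UsmtPhase -Phase Capture -StorePath $store -UsmtPath $usmt -ConfigFile $config -EncryptionKey $key -DryRun
Invoke-UsmtPhase -Phase Restore -StorePath $store -UsmtPath $usmt -ConfigFile $config -EncryptionKey $key -DryRun
```

Run the capture on the source computer, install Windows 7 and all applications on the destination, and only then run the restore, as the migration steps in this section require. A key given on the command line is visible to anyone who can list processes on that machine; USMT also accepts /keyfile, which is the better choice in a scripted rollout.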
3. Use Figure 13-9 to describe the following steps in the USMT migration process:
   a. Use ScanState on the source computer to collect settings and files
   b. Install Windows 7 on the destination computer
   c. Use LoadState on the destination computer to import settings and files
4. Explain that when ScanState is used to collect settings and files, they are stored in an intermediate location. All applications should be installed on the destination computer before LoadState is used.
5. Explain that the Config.xml file is generated by running ScanState.exe with the /genconfig option. It captures all of the settings that are being migrated. You can edit this file to control which of the settings are actually migrated when ScanState.exe is run. You can use multiple Config.xml files to control the migration process in different ways for users with different needs.

Teaching Tip: Read more about the User State Migration Tool at: http://technet.microsoft.com/en-us/library/dd560801(WS.10).aspx.

Windows Deployment Services

1. Define Windows Deployment Services (WDS) as an updated version of the Remote Installation Services (RIS) that automates the installation of Windows clients.
2. Describe the following WDS requirements:
   a. Active Directory
   b. DHCP
   c. DNS
   d. An NTFS partition on the WDS server
   e. Windows Server 2003 SP1 with RIS installed
   f. Administrative credentials
3. Describe the following WDS image types:
   a. Install image
   b. Boot image
   c. Capture image
   d. Discover image
4. Use Figure 13-10 to describe the following steps involved in the WDS deployment process:
   a. Enable PXE in the client computer and configure it to boot from network first
   b. Reboot the workstation and press F12 to perform a PXE boot
   c. The workstation obtains an IP address from a DHCP server and contacts the WDS server
   d. Select a PXE boot image if required
   e. The boot image is downloaded to a RAM disk on the client computer and Windows PE is booted
   f. Select an install image to deploy from the menu
   g. ImageX runs to deploy the install image

Teaching Tip: Read more about Windows Deployment Services (WDS) at: http://technet2.microsoft.com/windowsserver2008/en/servermanager/windowsdeploymentservices.mspx.

System Center Configuration Manager

1. Define SCCM as a solution from Microsoft to control the configuration of Windows computers.
2. Describe the main tasks you can accomplish with SCCM:
   a. Inventory
   b. Standardized configuration
   c. Software deployment
   d. Operating system deployment
   e. Software updates

Microsoft Deployment Toolkit

1. Define the Microsoft Deployment Toolkit (MDT) as a solution that helps you configure scripted installations of operating systems and applications.
2. Explain that you can use MDT with SCCM or on its own. MDT also includes a wide range of documentation about the deployment of Windows 7.

VHD Boot

1. Define VHD Boot as a new feature in Windows 7 that allows the operating system to be installed to and booted from a virtual hard disk (VHD) file instead of a disk partition.
2. Mention that VHD boot may be useful for power users in large enterprises with a virtualized desktop environment.
3. Mention that VHD boot can also be used to simplify dual booting.

Windows Server Update Services

1. Define Windows Server Update Services (WSUS) 3.0 as a server component that contacts Microsoft Update and downloads updates, rather than each client computer downloading updates.
2. Explain that WSUS is very efficient for network utilization since each update is downloaded only once and stored on the WSUS server. Client computers are configured to contact a WSUS server for updates.

Teaching Tip: Read more about Windows Server Update Services (WSUS) at: http://technet.microsoft.com/en-us/wsus/default.aspx.
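Added example (not from the textbook or this manual): a PowerShell script for the client side of WSUS. It reads the Windows Update policy a Windows 7 computer has received, reports the findings an administrator would act on (no WSUS server configured, the server reached over plain HTTP, automatic updates disabled, no target group), then asks the Automatic Updates agent to contact its server and lists the updates that are approved but not yet installed. The registry locations under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate are where these policies are stored; the chapter does not list them, so they are stated here as the script's assumption.

```powershell
# Added example: audit and exercise a Windows 7 WSUS client.
# Registry locations are an assumption of this script, not taken from the chapter.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

function Get-WsusClientConfig {
    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
    $server = [string]$wu.WUServer
    New-Object PSObject -Property @{
        UsesWsus           = ([int]$au.UseWUServer -eq 1)
        WsusServer         = $server
        StatusServer       = [string]$wu.WUStatusServer
        ServerUsesHttps    = ($server -match '^https://')
        TargetGroup        = [string]$wu.TargetGroup      # client-side targeting into a WSUS computer group
        AutoUpdateOption   = [int]$au.AUOptions           # 2 notify, 3 download, 4 download and schedule install
        AutoUpdateDisabled = ([int]$au.NoAutoUpdate -eq 1)
    }
}

function Test-WsusClientConfig {
    # Findings an administrator would want to see before trusting the reports
    # generated on the WSUS server.
    param($Config)
    $findings = @()
    if (-not $Config.UsesWsus -or -not $Config.WsusServer) {
        $findings += 'Client is not directed to a WSUS server; it will use Microsoft Update directly.'
    } elseif (-not $Config.ServerUsesHttps) {
        $findings += "WSUS server $($Config.WsusServer) is contacted over HTTP; use HTTPS so the client can verify which server it talks to."
    }
    if ($Config.AutoUpdateDisabled) { $findings += 'Automatic Updates is disabled by policy.' }
    if ($Config.UsesWsus -and -not $Config.TargetGroup) {
        $findings += 'No client-side target group is set; the computer lands in Unassigned Computers.'
    }
    return $findings
}

function Invoke-UpdateDetection {
    # WSUS never pushes: the client's Automatic Updates agent pulls. DetectNow
    # asks the agent to contact its configured server immediately.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $au.DetectNow()
}

function Get-PendingUpdates {
    # The searcher uses the server selected by policy, so with WSUS configured
    # this lists updates approved for the computer's group but not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{ Title = $u.Title; KB = (@($u.KBArticleIDs) -join ',') }
    }
}

$config = Get-WsusClientConfig
$config | Format-List UsesWsus, WsusServer, StatusServer, ServerUsesHttps, TargetGroup, AutoUpdateOption, AutoUpdateDisabled
Test-WsusClientConfig -Config $config
Invoke-UpdateDetection
Get-PendingUpdates | Format-Table Title, KB -AutoSize
```

Run it elevated. Because the server only records what clients report, a computer that never detects (wrong server URL, agent stopped, name resolution failing) simply disappears from the WSUS reports rather than showing as non-compliant; this script run from a logon script or a scheduled task is one way to catch that from the client side.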
WSUS Update Process

1. Explain that you can organize computers into groups to control the update process, and generate reports to view which computers have been updated and which have not.
2. Explain that you can test updates before they are generally applied to workstations, which significantly reduces the risk of an update causing system downtime.
3. Use Figure 13-11 to describe the WSUS update process.
4. Mention that the WSUS update process still relies on the client computers to trigger the installation of updates. You can configure rules on the WSUS server.

WSUS Updates

1. Explain that WSUS obtains updates from Microsoft Update for the following products:
   a. Windows clients and servers (including 64-bit)
   b. Exchange Server
   c. SQL Server
   d. Microsoft Office
   e. Microsoft Data Protection Manager
   f. Microsoft Forefront
   g. Windows Live
   h. Windows Defender

Network Access Protection

1. Define Network Access Protection (NAP) as a system that enforces requirements for client health before allowing client computers to connect to the network. Client and server components are required for NAP.
2. Mention that NAP is not intended to block network intruders or protect the network from malicious users.

Teaching Tip: Read more about Network Access Protection (NAP) at: http://technet.microsoft.com/en-us/network/bb545879.aspx.

Enforcement Mechanisms

1. Describe the enforcement mechanisms integrated with NAP, including:
   a. IPsec
   b. 802.1X
   c. VPN
   d. DHCP
   e. RADIUS

Quick Quiz 2

1. When a new device is installed into a Windows 7 computer, the operating system uses a(n) ____ and device setup class to properly install the new device.
   Answer: device identification string
2. ____ are used during the installation process for a new device to describe how the installation should be performed.
   Answer: Device setup classes
3. ____ is an updated version of the Remote Installation Services (RIS) found in Windows 2000 Server and Windows Server 2003.
   Answer: Windows Deployment Services (WDS)
4. ____ is a system that enforces requirements for client health before allowing client computers to connect to the network.
   Answer: Network Access Protection (NAP)

Class Discussion Topics

1. Briefly describe the following components of Active Directory:
   a. Domains
   b. Domain controller
   c. Organizational Units
   d. Trees and forests
2. What is Network Access Protection (NAP)? What are its benefits from a security point of view?

Additional Projects

1. Use the Internet to read more about Active Directory and its structure. Then, write a step-by-step guide for designing the Active Directory logical structure. You can use the following link as a starting point: http://technet.microsoft.com/en-us/library/cc759186(WS.10).aspx.
2. Use the Internet to read more about the User State Migration Tool (USMT) and write a step-by-step guide to migrate to Windows 7 through the USMT. You can use the following link as a starting point: http://technet.microsoft.com/en-us/windows/aa905115.aspx.

Additional Resources

1. Active Directory: http://en.wikipedia.org/wiki/Active_Directory
2. Domain Controller Roles: Active Directory: http://technet.microsoft.com/en-us/library/cc786438(WS.10).aspx
3. Designing the Active Directory Structure: http://technet.microsoft.com/en-us/library/cc960542.aspx
4. Multi-master replication: http://technet.microsoft.com/en-us/library/cc961784.aspx
5. Group Policy management for IT pros: http://windows.microsoft.com/en-US/windows7/Group-Policy-management-for-IT-pros
6. User State Migration Tools: www.microsoft.com/windowsxp/using/setup/expert/russel_november19.mspx
7. Windows Server Update Services: http://technet.microsoft.com/en-us/wsus/bb466208.aspx
8. Network Access Protection: http://msdn.microsoft.com/en-us/library/aa369712(VS.85).aspx

Key Terms

Active Directory—A directory of network information about users, computers, and applications that links multiple domains together.
Active Directory site—A set of IP subnets representing a physical location that is used by Active Directory to control replication.
application partition—An Active Directory partition created by an administrator to hold and replicate application-specific information. It is replicated only to specified domain controllers.
configuration partition—The Active Directory partition that holds general information about the Active Directory forest and application configuration information. It is replicated to all domain controllers in the Active Directory forest.
device identification string—One or more identifiers included in a hardware device that are used by Windows 7 to locate and install an appropriate driver for the hardware device.
device setup class—An identifier included with a hardware device driver that describes how the device driver is to be installed.
domain—A logical grouping of computers and users in Active Directory.
domain controller—A server that holds a copy of Active Directory information.
domain partition—The Active Directory partition that holds domain-specific information, such as user and computer accounts, that is replicated only between domain controllers within the domain.
forest—Multiple Active Directory trees with automatic trust relationships between them.
forest root domain—The first domain created in an Active Directory forest.
global catalog server—A domain controller that holds a subset of the information in all domain partitions for the entire Active Directory forest.
Group Policy—A feature integrated with Active Directory that can be used to centrally manage the configuration of Windows 2000, Windows XP, and Windows 7 clients.
Group Policy object (GPO)—A collection of Group Policy settings that can be applied to client computers.
Group Policy service—The service responsible for retrieving and applying GPOs for a Windows 7 computer.
member server—A server that is joined to an Active Directory domain, but does not hold a copy of Active Directory information.
Microsoft Deployment Toolkit (MDT)—A set of best practices, scripts, and tools to help automate the deployment of Windows operating systems.
multimaster replication—A replication system where updates can be performed on any server and are replicated to all other servers.
Network Access Protection (NAP)—A system that enforces requirements for client health before allowing client computers to connect to the network.
organizational unit (OU)—A container within a domain that is used to create a hierarchy that can be used to organize user and computer accounts and apply group policies.
schema partition—Holds the definition of all Active Directory objects and their attributes. It is replicated to all domain controllers in the Active Directory forest.
System Center Configuration Manager (SCCM)—A software package that can perform inventory, implement a standardized configuration, deploy software, deploy operating systems, and deploy software updates.
tree—A group of Active Directory domains that share the same naming context and have automatic trust relationships among them.
User State Migration Tool (USMT)—A utility with both a command-line and graphical interface that is used to migrate user settings, files, and application configuration from a source computer to a destination computer.
Windows Deployment Services (WDS)—A Windows Server service that is used to simplify the process of applying images to computers.
Windows Server Update Services (WSUS)—A Windows Server application that is used to control the process of downloading and applying updates to Windows 2000, Windows XP, and Windows 7 clients.