MCTS Guide to Microsoft Windows 7
Chapter 13
Enterprise Computing
At a Glance
Instructor’s Manual Table of Contents

Overview

Objectives

Teaching Tips

Quick Quizzes

Class Discussion Topics

Additional Projects

Additional Resources

Key Terms
Lecture Notes
Overview
Chapter 13 explains Enterprise Computing. Students will learn about Active Directory
and how to use Group Policy to control Windows 7. Next, students will control device
installation with Group Policy settings and plan enterprise deployments of Windows 7.
Chapter 13 also describes enterprise deployment tools for Windows 7. In addition,
students will use Windows Server Update Services to apply updates. Finally, Chapter
13 explains Network Access Protection.
Chapter Objectives
• Understand Active Directory
• Use Group Policy to control Windows 7
• Control device installation with Group Policy settings
• Plan enterprise deployments of Windows 7
• Describe enterprise deployment tools for Windows 7
• Use Windows Server Update Services to apply updates
• Understand Network Access Protection
Teaching Tips
Active Directory
1. Explain that Active Directory expands on the domain concept by linking domains in
logical structures named trees, and multiple trees into forests.
2. Define domain controllers as servers that hold a copy of Active Directory information
and are responsible for authenticating users when they log on to a workstation. Domain
controllers also respond to requests for other domain information such as printer
information or application configuration.
Teaching Tip: Learn more about Active Directory at: http://learnthat.com/2008/07/introductionto-active-directory/.
Active Directory Structure
1. Define a domain as a central security database that is used by all computers that are
members of the domain. It stores information about user accounts and computers.
Active Directory uses the same naming convention for domains and objects as DNS.
2. Explain that each domain can be subdivided into organizational units (OUs). OUs allow
you to organize the objects in a domain and can be used for delegating management
permissions. Organizational units can be used to apply Group Policies. Use Figure 13-1
to illustrate your explanation.
3. Explain that you can create more complex Active Directory structures by combining
multiple domains into a tree and multiple trees into a forest.
4. Describe some of the reasons to use multiple domains, including:
a. Decentralized administration
b. Unreliable WAN links
c. Multiple password policies
5. Define forest root domain as the first Active Directory domain created in an
organization. When multiple domains exist in a forest, trust relationships are generated
automatically between the domains. Use Figure 13-2 to illustrate your explanation.
6. Mention that in a forest, each domain trusts its own parent and subdomains. Use Figure
13-3 to illustrate your explanation.
Teaching Tip: Read more about the structure of an Active Directory at:
http://technet.microsoft.com/en-us/library/cc978008.aspx.
7. Explain that within Active Directory, Windows servers can be either a member server
or a domain controller.
8. Explain that member servers are integrated into Active Directory, and can participate in
the domain by sharing files and printers with domain users.
9. Define domain controller as a server that stores a copy of Active Directory information.
Active Directory Partitions
1. Explain that to make Active Directory more manageable, it is divided into these
partitions:
a. Domain partition that holds the user accounts, computer accounts, and other
domain-specific information
b. Configuration partition that holds general information about the Active
Directory forest
c. Schema partition that holds the definitions of all objects and object attributes for
the forest
2. Explain that application partitions can also be created by an administrator to hold
application-specific information. A global catalog server is a domain controller that
holds a subset of the information in all domain partitions.
Teaching Tip: Read more about Active Directory Application Partitions at:
http://articles.techrepublic.com.com/5100-6345_11-5746279.html.
Active Directory Sites and Replication
1. Explain that Active Directory uses multimaster replication. This means that Active
Directory information can be changed on any domain controller, and those changes will
be replicated to other domain controllers.
Teaching Tip: Read more about multimaster replication at:
www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbh_rep_fgtk.mspx?mfr=true.
2. Explain that an Active Directory site is defined by IP subnets. Within a site, Active
Directory replication is uncontrolled. Between sites, Active Directory replication is
controlled by site links.
Active Directory and DNS
1. Mention that one of the most common configuration problems in Active Directory
networks is incorrect DNS configuration on servers and workstations.
2. Explain that Active Directory stores information about domain controllers and other
services in DNS. Incorrect DNS configuration can result in:
a. Slow user logons
b. Inability to apply group policies
c. Failed replication between domain controllers
Joining a Domain
1. Explain that when a workstation joins a domain, it’s integrated into the security
structure for the domain. Administration of the workstation can be performed centrally
by using Group Policy.
2. Describe the security changes that occur when a workstation joins a domain, including:
a. Domain Admins group becomes a member of the local Administrators group
b. Domain Users group becomes a member of the local Users group
c. Domain Guests group becomes a member of the local Guests group
3. Mention that the process of joining a workstation to a domain creates a computer
account. After a workstation is joined to the domain, it synchronizes time with domain
controllers in the domain.
Group Policy
1. Explain that Group Policy can be used to centrally manage the configuration of a
Windows 7 computer.
2. Describe some of the Group Policy settings you can configure, including:
a. Desktop settings, such as wallpaper and the ability to right-click
b. Security settings, such as the ability to log on locally
c. Logon, logoff, startup, and shutdown scripts
d. Folder redirection to store My Documents on a network server
e. Software distribution
3. Mention that Group Policy settings used by Windows 7 are contained in a Group Policy
object (GPO).
4. Define Group Policy object (GPO) as a collection of registry settings applied to the
Windows 7 computer. Use Figure 13-4 to illustrate your explanation.
5. Explain that settings in a GPO are divided into user settings and computer settings. User
settings are applied to any user accounts in the OU. Computer settings in the GPO are
applied to any computer accounts in the OU. Use Figure 13-5 to illustrate your
explanation.
Group Policy Inheritance
1. Explain that Group Policy objects can be linked to the Active Directory domains, OUs,
and Active Directory sites. Each Windows 7 computer can have local Group Policy
objects.
2. Explain that GPOs are applied in the following order:
a. Local computer
b. Site
c. Domain
d. Parent OU
e. Child OU
3. Mention that all of the individual GPO settings are inherited by default. At each level,
more than one GPO can be applied to a user or computer.
4. Describe the steps to determine which policy settings to apply, including:
a. If there is no conflict, the settings for all policies are applied
b. If there is a conflict, later settings overwrite earlier settings
c. If the settings in a computer policy and user policy conflict, apply settings from
the computer policy
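The processing order and conflict rules in items 2 to 4 can be worked through with a small model. The following Python script is an added example for classroom use, not code from the textbook or from Microsoft: the GPO names and setting names are constructed sample data, and the model assumes that GPOs linked at the same level are applied in the order they are listed (the last one listed wins within that level), which the notes do not specify.

```python
"""Added example (not from the textbook or from Microsoft): a small model of
the Group Policy processing order and conflict rules listed in the notes
(local computer, site, domain, parent OU, child OU; later settings overwrite
earlier ones; on a computer/user conflict the computer policy wins).
The GPO names and setting names are constructed sample data."""

from dataclasses import dataclass, field

# Processing order from the notes; a later level overrides an earlier one.
LEVEL_ORDER = ("local", "site", "domain", "parent_ou", "child_ou")


@dataclass
class GPO:
    name: str
    level: str                                    # one of LEVEL_ORDER
    computer: dict = field(default_factory=dict)  # computer configuration settings
    user: dict = field(default_factory=dict)      # user configuration settings

    def __post_init__(self):
        if self.level not in LEVEL_ORDER:
            raise ValueError(f"unknown level {self.level!r}")


def resolve(gpos, scope):
    """Apply every GPO for one scope ('computer' or 'user') in policy order.

    Returns (effective_settings, source); `source` records which GPO and level
    supplied each winning value. Model assumption: GPOs at the same level are
    applied in the order they appear in `gpos`, so the last one listed wins.
    """
    if scope not in ("computer", "user"):
        raise ValueError("scope must be 'computer' or 'user'")
    effective, source = {}, {}
    for level in LEVEL_ORDER:
        for gpo in (g for g in gpos if g.level == level):
            for key, value in getattr(gpo, scope).items():
                effective[key] = value            # later setting overwrites earlier
                source[key] = f"{gpo.name} ({level})"
    return effective, source


def resultant_set(gpos):
    """Merge computer and user results; on a conflict the computer setting wins (rule 4c)."""
    comp, comp_src = resolve(gpos, "computer")
    user, user_src = resolve(gpos, "user")
    merged, source = dict(user), dict(user_src)
    for key, value in comp.items():
        note = ""
        if key in merged and merged[key] != value:
            note = " [conflict: computer policy overrides user policy]"
        merged[key] = value
        source[key] = comp_src[key] + note
    return merged, source


# Constructed sample: one GPO per level. "EnableRemovableStorage" is set in a
# computer policy and in a user policy on purpose, to show rule 4c in action.
SAMPLE_GPOS = [
    GPO("Local Policy", "local",
        computer={"LogonLocally": "Everyone"},
        user={"Wallpaper": "default.jpg"}),
    GPO("HQ Site Policy", "site",
        computer={"EnableRemovableStorage": True}),
    GPO("Default Domain Policy", "domain",
        computer={"LogonLocally": "Administrators,Users", "PasswordMinLength": 8},
        user={"Wallpaper": "corp.jpg", "AllowRightClick": True}),
    GPO("Finance OU Policy", "parent_ou",
        computer={"EnableRemovableStorage": False}),
    GPO("Finance-Workstations Policy", "child_ou",
        user={"AllowRightClick": False, "EnableRemovableStorage": True}),
]

if __name__ == "__main__":
    settings, origin = resultant_set(SAMPLE_GPOS)
    for key in sorted(settings):
        print(f"{key:24} = {settings[key]!s:22} from {origin[key]}")
```

Running the script shows that the domain-level logon right replaces the local one, the child OU's right-click restriction replaces the domain's, and removable storage stays disabled because the parent OU's computer setting beats the child OU's user setting. On a real Windows 7 client the equivalent check is the Resultant Set of Policy view (gpresult or rsop.msc), which also reports the winning GPO for each setting.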
Group Policy Enhancements in Windows 7
1. Explain that Windows 7 processes group policies with a new Group Policy service.
Some of the benefits include:
a. Group Policy settings can be applied without any reboots
b. Performance is increased and resource usage is reduced for Group Policy
processing
c. Group policy events are logged to the System log instead of the Application log
d. Information about Group Policy applications is logged to a Group Policy
Operational log
2. Mention that Group Policy Preferences introduce a way to configure a number of
Windows 7 features that may have required scripting in the past.
3. Mention that Windows 7 allows you to have multiple local GPOs and consequently
have distinct settings for different users, even in a workgroup environment.
Quick Quiz 1
1. You can create more complex Active Directory structures by combining multiple
domains into a tree and multiple trees into a(n) ____.
Answer: forest
2. A(n) ____ is a domain controller that holds a subset of the information in all domain
partitions.
Answer: global catalog server
3. Active Directory uses ____. This means that Active Directory information can be
changed on any domain controller, and those changes will be replicated to other domain
controllers.
Answer: multimaster replication
4. ____ is a feature integrated with Active Directory that can be used to centrally manage
the configuration of a Windows 7 computer.
Answer: Group Policy
Controlling Device Installation
1. Explain that you can prevent device installation in Windows 7. For example, you can
prevent installation of USB-based storage to prevent data from leaving the premises.
Device Identification
1. Explain that Windows 7 uses a device identification string and device setup class to
properly install a new device.
2. Explain that a device often reports multiple device identification strings. Hardware ID is
the most specific device identification string. Multiple hardware IDs allow the best
available driver to be installed. Compatible IDs are another device identification string
that is used to find appropriate drivers. Use Figure 13-6 to illustrate your explanation.
Teaching Tip: Read more about device identification strings at:
http://msdn.microsoft.com/en-us/library/ff541224(VS.85).aspx.
3. Explain that device setup classes are used during the installation process for a new
device to describe how the installation should be performed. Device setup classes
identify a generic type of device rather than a specific make or model.
4. Mention that some devices have multiple GUIDs defined if they are a multifunction
device.
Teaching Tip: Read more about device setup classes at:
http://www.osronline.com/ddkx/install/setup-cls_1wpz.htm.
Device Installation Group Policy Settings
1. Mention that Windows 7 includes nine group policy settings specifically to control
device installation. Use Figure 13-7 to illustrate your explanation.
2. Describe the Group Policy settings that control device installation:
a. Allow administrators to override Device Installation Restriction policies
b. Allow installation of devices using drivers that match these device setup classes
c. Prevent installation of devices using drivers that match these device setup
classes
d. Display a custom message when installation is prevented by a policy setting
e. Display a custom message title when device installation is prevented by a policy
setting
f. Allow installation of devices that match any of these device IDs
g. Prevent installation of devices that match any of these device IDs
h. Time (in seconds) to force reboot when required for policy changes to take
effect
i. Prevent installation of removable devices
j. Prevent installation of devices not described by other policy settings
Removable Storage Group Policy Settings
1. Mention that additional Group Policy settings can be used to control access specifically
to different types of removable storage. Use Figure 13-8 to illustrate your explanation.
2. Describe the types of devices you can control, including:
a. CD and DVD
b. Custom Classes
c. Floppy Drives
d. Removable Disks
e. All Removable Storage classes
f. Tape Drives
g. Windows Portable Devices (WPD)
Deployment Planning
1. Explain that the formal process for implementing Windows 7 should include the
following steps:
a. Define the scope and goals of the project
b. Assess the existing computer systems
c. Plan the new computer system configuration
d. Determine a deployment process
e. Test the deployment process
f. Deploy Windows 7
Scope and Goals
1. Explain that organizations should not change computer systems for the sake of change.
There must be significant benefits to the organization.
2. Explain that the scope for a Windows 7 migration project defines which computers
should be upgraded. It also defines the data that is to be migrated.
Existing Computer Systems
1. Explain that existing computer systems in the organization must be evaluated to ensure
that they support Windows 7. This evaluation is composed of two parts:
a. Hardware evaluation
b. Software evaluation
New Configuration
1. Explain that in some cases, the default configuration of Windows 7 is sufficient for
organizational needs. In many more cases, the organization customizes the default
configuration of Windows 7 to match its needs.
2. Mention that applications must also be selected as part of the configuration planning.
Deployment Process Selection
1. Explain that you can choose to either upgrade the existing operating system or perform
a clean installation. An upgrade retains all of the existing computer settings possible
including user files, applications, and application settings. A clean installation allows
you to standardize your configuration rather than using existing settings.
2. Describe the following potential installation methods:
a. Boot from DVD
b. Run an unattended setup from a network share or DVD
c. Imaging
d. Windows Deployment Services
e. Systems Management Server
Test Deployment
1. Mention that you must thoroughly test the deployment process.
2. Explain that the first part of the testing process should be done in a test lab. Then, you
should perform a test pilot to designated users within the organization. Users and
computers selected should be representative of the users and computers in the overall
organization.
Deployment
1. Mention that in most cases, deployment will not be done over a single night or a single
weekend.
2. Explain that in most cases, deployment will be done by department, region, building, or
floor. Breaking the deployment into smaller phases reduces the risk of failure.
Enterprise Deployment Tools
1. Mention that many tools are available to help in the deployment of Windows 7,
including ImageX, Sysprep, Windows System Image Manager (WSIM), Windows PE,
and Windows Easy Transfer.
2. This section describes the following additional tools:
a. User State Migration Tool (USMT)
b. Windows Deployment Services (WDS)
c. System Center Configuration Manager (SCCM)
d. Microsoft Deployment Toolkit (MDT)
e. VHD boot
User State Migration Tool
1. Explain that USMT performs approximately the same tasks as Windows Easy Transfer.
USMT migrates user settings, documents, and application configuration settings. USMT
has a command-line interface and a graphical interface.
2. Mention that the configuration of USMT is done by editing the XML files MigApp.xml,
MigUser.xml, MigSys.xml, and Config.xml.
3. Use Figure 13-9 to describe the following steps in the USMT migration process:
a. Use ScanState on the source computer to collect settings and files
b. Install Windows 7 on the destination computer
c. Use LoadState on the destination computer to import settings and files
4. Explain that when ScanState is used to collect settings and files, they are stored in an
intermediate location. All applications should be installed on the destination computer
before LoadState is used.
5. Explain that the Config.xml file is generated by running ScanState.exe with the
/genconfig option. It captures all of the settings that are being migrated. You can edit
this file to control which of the settings are actually migrated when ScanState.exe is run.
You can use multiple Config.xml files to control the migration process in different ways
for users with different needs.
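Item 5 describes editing Config.xml to decide which components are migrated and keeping several Config.xml files for different groups of users. The following Python script is an added example, not code from the textbook or from the USMT documentation, that does that edit programmatically. It assumes the Config.xml layout of `<component>` elements with a `migrate="yes"` or `migrate="no"` attribute; the XML in the script is a constructed sample, and its component display names and IDs are placeholders rather than real USMT manifest names.

```python
"""Added example (not from the textbook or from the USMT documentation):
post-process a USMT Config.xml so that chosen components are not migrated.
Config.xml, as generated by `scanstate /genconfig`, lists <component>
elements whose migrate="yes"/"no" attribute decides whether that component
is captured. The XML below is a constructed sample imitating that layout;
the component names and IDs are placeholders."""

import xml.etree.ElementTree as ET

SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Applications>
    <component displayname="Example-Office-Suite" migrate="yes" ID="http://placeholder.invalid/office"/>
    <component displayname="Example-Media-Player" migrate="yes" ID="http://placeholder.invalid/media"/>
  </Applications>
  <Documents>
    <component displayname="My Documents" migrate="yes" ID="http://placeholder.invalid/mydocs"/>
    <component displayname="My Music" migrate="yes" ID="http://placeholder.invalid/mymusic"/>
  </Documents>
  <WindowsComponents>
    <component displayname="Wallpaper" migrate="yes" ID="http://placeholder.invalid/wallpaper"/>
  </WindowsComponents>
</Configuration>
"""


def set_migrate(config_xml, exclude):
    """Return config_xml with migrate="no" for every component whose displayname
    is in `exclude` and migrate="yes" for all other components."""
    root = ET.fromstring(config_xml)
    for comp in root.iter("component"):
        comp.set("migrate", "no" if comp.get("displayname") in exclude else "yes")
    return ET.tostring(root, encoding="unicode")


def migration_plan(config_xml):
    """Map each component's displayname to True (migrated) or False (skipped)."""
    root = ET.fromstring(config_xml)
    return {c.get("displayname"): c.get("migrate") == "yes"
            for c in root.iter("component")}


def build_profile_configs(base_xml, profiles):
    """Produce one Config.xml string per group of users.

    `profiles` maps a group name (e.g. "finance") to the set of component
    displaynames that group should not migrate. Each result is a complete
    Config.xml that can be handed to ScanState separately."""
    return {name: set_migrate(base_xml, excluded)
            for name, excluded in profiles.items()}


def write_config(xml_text, path):
    """Write a Config.xml back to disk with an XML declaration, as USMT expects."""
    ET.ElementTree(ET.fromstring(xml_text)).write(
        path, encoding="UTF-8", xml_declaration=True)


if __name__ == "__main__":
    configs = build_profile_configs(SAMPLE_CONFIG_XML, {
        "finance": {"Example-Media-Player", "My Music"},  # constructed exclusions
        "design": set(),                                  # migrate everything
    })
    for name, xml_text in configs.items():
        print(name, migration_plan(xml_text))
        # In a real migration: write_config(xml_text, f"Config-{name}.xml") and
        # run scanstate.exe with /config:Config-<name>.xml (file names assumed).
```

The split into a base file plus per-group exclusion sets keeps the generated Config.xml as the single source of component names, so a component that /genconfig adds after an application is installed is migrated by default and only the named exclusions are suppressed.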
Teaching Tip: Read more about the User State Migration Tool at:
http://technet.microsoft.com/en-us/library/dd560801(WS.10).aspx.
Windows Deployment Services
1. Define Windows Deployment Services (WDS) as an updated version of the Remote
Installation Services (RIS) that automates the installation of Windows clients.
2. Describe the following WDS requirements:
a. Active Directory
b. DHCP
c. DNS
d. An NTFS partition on the WDS server
e. Windows Server 2003 SP1 with RIS installed
f. Administrative credentials
3. Describe the following WDS image types:
a. Install image
b. Boot image
c. Capture images
d. Discover image
4. Use Figure 13-10 to describe the following steps involved in the WDS deployment
process:
a. Enable PXE in the client computer and configure it to boot from network first
b. Reboot the workstation and press F12 to perform a PXE boot
c. The workstation obtains an IP address from a DHCP server and contacts the
WDS server
d. Select a PXE boot image if required
e. The boot image is downloaded to a RAM disk on the client computer and
Windows PE is booted
f. Select an install image to deploy from the menu
g. ImageX runs to deploy the install image
Teaching Tip: Read more about Windows Deployment Services (WDS) at:
http://technet2.microsoft.com/windowsserver2008/en/servermanager/windowsdeploymentservices.mspx.
System Center Configuration Manager
1. Define SCCM as a solution from Microsoft to control the configuration of Windows
computers.
2. Describe the main tasks you can accomplish with SCCM:
a. Inventory
b. Standardized configuration
c. Software deployment
d. Operating system deployment
e. Software updates
Microsoft Deployment Toolkit
1. Define the Microsoft Deployment Toolkit (MDT) as a solution that helps you configure
scripted installations of operating systems and applications.
2. Explain that you can use MDT with SCCM or on its own. MDT also includes a wide
range of documentation about the deployment of Windows 7.
VHD Boot
1. Define VHD Boot as a new feature in Windows 7 that allows the operating system to be
installed to and booted from a virtual hard disk (VHD) file instead of a disk partition.
2. Mention that VHD may be useful for power users in large enterprises with a virtualized
desktop environment.
3. Mention that VHD boot can also be used to simplify dual booting.
Windows Server Update Services
1. Define Windows Server Update Services (WSUS) 3.0 as a server component that
contacts Microsoft Update and downloads updates rather than each client computer
downloading updates.
2. Explain that WSUS is very efficient for network utilization since each update is
downloaded only once and stored on the WSUS server. Client computers are configured
to contact a WSUS server for updates.
Teaching Tip: Read more about Windows Server Update Services (WSUS) at:
http://technet.microsoft.com/en-us/wsus/default.aspx.
WSUS Update Process
1. Explain that you can organize computers into groups to control the update process, and
generate reports to view which computers have been updated and which have not.
2. Explain that you can test updates before they are generally applied to workstations,
which significantly reduces the risk of an update causing system down time.
3. Use Figure 13-11 to describe the WSUS update process.
4. Mention that the WSUS update process still relies on the client computers to trigger the
installation of updates. You can configure rules on the WSUS server.
WSUS Updates
1. Explain that WSUS obtains updates from Microsoft Update for the following products:
a. Windows clients and servers (including 64-bit)
b. Exchange Server
c. SQL Server
d. Microsoft Office
e. Microsoft Data Protection Manager
f. Microsoft ForeFront
g. Windows Live
h. Windows Defender
Network Access Protection
1. Define Network Access Protection (NAP) as a system that enforces requirements for
client health before allowing client computers to connect to the network. Client and
server components are required for NAP.
2. Mention that NAP is not intended to block network intruders or protect the network
from malicious users.
Teaching Tip: Read more about Network Access Protection (NAP) at:
http://technet.microsoft.com/en-us/network/bb545879.aspx.
Enforcement Mechanisms
1. Describe the enforcement mechanisms integrated with NAP, including:
a. IPsec
b. 802.1X
c. VPN
d. DHCP
e. RADIUS
Quick Quiz 2
1. When a new device is installed into a Windows 7 computer, the operating system uses
a(n) ____ and device setup class to properly install the new device.
Answer: device identification string
2. ____ are used during the installation process for a new device to describe how the
installation should be performed.
Answer: Device setup classes
3. ____ is an updated version of the Remote Installation Services (RIS) found in Windows
2000 Server and Windows Server 2003.
Answer: Windows Deployment Services (WDS) (also accepted: Windows Deployment Services; WDS)
4. ____ is a system that enforces requirements for client health before allowing client
computers to connect to the network.
Answer: Network Access Protection (NAP) (also accepted: Network Access Protection; NAP)
Class Discussion Topics
1. Briefly describe the following components of an Active Directory:
a. Domains
b. Domain controller
c. Organizational Units
d. Trees and forests
2. What is Network Access Protection (NAP)? What are its benefits from a security point
of view?
Additional Projects
1. Use the Internet to read more about Active Directory and its structure. Then, write a
step-by-step guide for designing the Active Directory logical structure. You can use the
following link as a starting point:
http://technet.microsoft.com/en-us/library/cc759186(WS.10).aspx.
2. Use the Internet to read more about the User State Migration Tool (USMT) and write a
step-by-step guide to migrate to Windows 7 through the USMT. You can use the
following link as a starting point:
http://technet.microsoft.com/en-us/windows/aa905115.aspx.
Additional Resources
1. Active Directory:
http://en.wikipedia.org/wiki/Active_Directory
2. Domain Controller Roles: Active Directory:
http://technet.microsoft.com/en-us/library/cc786438(WS.10).aspx
3. Designing the Active Directory Structure:
http://technet.microsoft.com/en-us/library/cc960542.aspx
4. Multi-master replication:
http://technet.microsoft.com/en-us/library/cc961784.aspx
5. Group Policy management for IT pros:
http://windows.microsoft.com/en-US/windows7/Group-Policy-management-for-IT-pros
6. User State Migration Tools:
www.microsoft.com/windowsxp/using/setup/expert/russel_november19.mspx
7. Windows Server Update Services:
http://technet.microsoft.com/en-us/wsus/bb466208.aspx
8. Network Access Protection:
http://msdn.microsoft.com/en-us/library/aa369712(VS.85).aspx
Key Terms
• Active Directory—A directory of network information about users, computers, and applications that links multiple domains together.
• Active Directory site—A set of IP subnets representing a physical location that is used by Active Directory to control replication.
• application partition—An Active Directory partition created by an administrator to hold and replicate application-specific information. It is replicated only to specified domain controllers.
• configuration partition—The Active Directory partition that holds general information about the Active Directory forest and application configuration information. It is replicated to all domain controllers in the Active Directory forest.
• device identification string—One or more identifiers included in a hardware device that is used by Windows 7 to locate and install an appropriate driver for a hardware device.
• device setup class—An identifier included with a hardware device driver that describes how the device driver is to be installed.
• domain—A logical grouping of computers and users in Active Directory.
• domain controller—A server that holds a copy of Active Directory information.
• domain partition—The Active Directory partition that holds domain-specific information, such as user and computer accounts, that is replicated only between domain controllers within the domain.
• forest—Multiple Active Directory trees with automatic trust relationships between them.
• forest root domain—The first domain created in an Active Directory forest.
• global catalog server—A domain controller that holds a subset of the information in all domain partitions for the entire Active Directory forest.
• Group Policy—A feature integrated with Active Directory that can be used to centrally manage the configuration of Windows 2000, Windows XP, and Windows 7 clients.
• Group Policy object (GPO)—A collection of Group Policy settings that can be applied to client computers.
• Group Policy service—The service responsible for retrieving and applying GPOs for a Windows 7 computer.
• member server—A server that is joined to an Active Directory domain, but does not hold a copy of Active Directory information.
• Microsoft Deployment Toolkit (MDT)—A set of best practices, scripts, and tools to help automate the deployment of Windows operating systems.
• multimaster replication—A replication system where updates can be performed on any server and are replicated to all other servers.
• Network Access Protection (NAP)—A system that enforces requirements for client health before allowing client computers to connect to the network.
• organizational unit (OU)—A container within a domain that is used to create a hierarchy that can be used to organize user and computer accounts and apply group policies.
• schema partition—Holds the definition of all Active Directory objects and their attributes. It is replicated to all domain controllers in the Active Directory forest.
• System Center Configuration Manager (SCCM)—A software package that can perform inventory, implement a standardized configuration, deploy software, deploy operating systems, and deploy software updates.
• tree—A group of Active Directory domains that share the same naming context and have automatic trust relationships among them.
• User State Migration Tool (USMT)—A utility with both a command-line and graphical interface that is used to migrate user settings, files, and application configuration from a source computer to a destination computer.
• Windows Deployment Services (WDS)—A Windows Server service that is used to simplify the process of applying images to computers.
• Windows Server Update Services (WSUS)—A Windows Server application that is used to control the process of downloading and applying updates to Windows 2000, Windows XP, and Windows 7 clients.