20688D
Official Learning Product
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2014 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are
property of their respective owners.
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.
i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. MPN Member means an active Microsoft Partner Network program member in good standing.
l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft OneNote packs, classroom setup guide and
Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights applies to you.
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.
c.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
customize refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party content are included
for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplement the terms described in this agreement.
3.
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (the "Pre-release term").
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
publicly display, or make the Licensed Content available for others to access or use,
copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is "as is," we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is provided "as is." Any use of
this Licensed Content is at your sole risk. Microsoft gives no other express warranty. You may have
additional rights under local consumer protection law that this agreement cannot change. Where permitted
by local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or any other damages,
the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change your rights under the laws of your country if those laws do
not permit it to do so.
Revised July 2013
Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution toward
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Byron Wright is a partner in a consulting firm, where he performs network consulting, computer-systems
implementation, and technical training. Byron is also a sessional instructor for the Asper School of
Business at the University of Manitoba, where he teaches management information systems and
networking. Byron has authored and coauthored a number of books on Windows Server operating
systems, Windows client operating systems, and Microsoft Exchange Server, including the Windows
Server 2008 Active Directory Resource Kit. To recognize Byron's commitment to sharing knowledge
with the technical community, he has been given the Microsoft Most Valuable Professional (MVP) award
for Exchange Server.
Krystle Portocarrero is a trainer and consultant with a wide variety of Microsoft Certified System Engineer
(MCSE) and Microsoft Certified IT Professional (MCITP) certifications in addition to several other industry
certifications. She has experience working with a wide range of Microsoft technologies, focusing on
enterprise network infrastructure and architecture design for enterprise collaboration. Krystle has worked
in several capacities with Microsoft, from technical reviewer on Microsoft courseware to subject matter
expert for multiple Microsoft certification exams.
Contents
Module 1: Implementing a Troubleshooting Methodology
Lesson 1: Overview of Windows 8.1
Course Description
This course will provide you with the knowledge and skills to troubleshoot, maintain, and recover
Windows 8.1. You will work through resolving technical issues pertaining to Windows 8.1 installation
and migration, and activation. You will also learn about Windows 8.1 profiles, settings and device
synchronization, and local and remote network access. Finally, you will learn about access to applications,
authentication, and access to data and printers. This course will also provide guidelines and considerations
that will help you manage performance issues, apply updates, protect Windows 8.1 from malware and
viruses, and recover Windows 8.1 if necessary.
Note: Microsoft has renamed SkyDrive to OneDrive and SkyDrive Pro to OneDrive for
Business, and the course content uses the updated names. However, the virtual machines
in this course use the original release of Windows 8.1 Enterprise Edition that refers to
the formerly used terms SkyDrive and SkyDrive Pro. Because of this, in the labs and
demonstrations, you might see a discrepancy between the course content and the user
interface in the virtual machines.
Audience
This course is intended for Enterprise Desktop Support Technicians (EDST), who are experienced
information technology (IT) Professionals who provide support for a broad range of technical issues for
Windows operating systems, devices, cloud services, applications, networking, and hardware support. This
course is also appropriate for candidates preparing for Microsoft exam 70-688, Managing and
Maintaining Windows 8.1.
This course requires that you meet the following prerequisites:
Understanding of networking fundamentals, including TCP/IP, User Datagram Protocol (UDP), and
Domain Name System (DNS)
Active Directory Domain Services (AD DS) principles, and fundamentals of AD DS management
Understanding of the public key infrastructure (PKI) components, and working knowledge of the
fundamentals of Active Directory Certificate Services (AD CS)
Windows client operating system fundamentals, such as a working knowledge of Windows XP,
Windows Vista, Windows 7, Windows 8, or a combination thereof
Fundamentals of management and experience using Microsoft Office 2013 or Office 2010
Windows Automated Installation Kit (Windows AIK) components including the concepts and
fundamentals for: Windows Preinstallation Environment (Windows PE), Windows System Image
Manager (Windows SIM), Volume Activation Management Tool (VAMT), ImageX, User State Migration
Tool (USMT), and Deployment Image Servicing and Management (DISM)
Course Objectives
After completing this course, students will be able to:
Troubleshoot startup settings, Windows operating system services, and recover drives encrypted with
BitLocker Drive Encryption.
Use Remote Desktop, Remote Assistance, and Windows PowerShell remoting to manage remote
computers.
Describe how to apply Group Policy Objects (GPOs) to computers and resolve client-side
configuration failures and GPO application issues.
Troubleshoot user sign-in issues and the application of user desktop settings.
Troubleshoot virtual private network (VPN) connections, Network Access Protection (NAP), and
DirectAccess.
Troubleshoot file access issues, file permissions issues, and printer access issues.
Troubleshoot desktop app installation and compatibility, Windows Store apps, and Internet Explorer,
and configure Client Hyper-V.
Monitor and configure performance options in Windows 8.1, protect Windows 8.1 from malicious
software and viruses, and update Windows 8.1.
Recover files in Windows 8.1, and recover a computer running Windows 8.1.
Course Outline
The course outline is as follows:
Module 1, "Implementing a Troubleshooting Methodology," introduces the new Windows 8.1 features
and interface, and the enhancements it provides over previous versions of the Windows client operating
system. This module also describes the process of developing and applying a troubleshooting
methodology for Windows 8.1.
Module 2, "Troubleshooting Startup Issues," explains how to identify and troubleshoot issues that
affect the Windows 8.1 operating system's ability to start, and how to detect problematic services that
are running on the operating system. It also describes how to use the Windows 8.1 operating system
advanced troubleshooting tools, collectively known as the Windows Recovery Environment (Windows RE).
Module 3, "Troubleshooting Hardware and Device Drivers," explains how to troubleshoot physical
hardware failures and hardware device drivers. It also describes how to monitor Windows 8.1 reliability
and configure the registry.
Module 4, "Troubleshooting Remote Computers," explains how to connect to remote computers,
and where possible, to manage those computers remotely. It describes three ways in which you can
remotely connect to and manage remote computers: Remote Desktop, Windows Remote Assistance, and
Windows PowerShell remoting.
Module 5, "Resolving Network Connectivity Issues," explains how to configure network settings and
determine the network configuration of client computers. It also explains how to troubleshoot network
connections.
Module 6, "Troubleshooting Group Policy," describes how Group Policy is useful in applying configuration
settings to multiple computers from a central location. It also describes how to resolve client-side
configuration failures and GPO application issues.
Module 7, "Troubleshooting User Settings," focuses on user settings and how they can simplify user
experiences. It examines problems that can occur when users sign in, and also describes how to
troubleshoot the application of user settings.
Module 8, "Configuring and Troubleshooting Remote Connectivity," describes the use of VPNs, NAP, and
DirectAccess. It also explains common problems with their implementation and usage, and provides a
number of possible mitigations for those problems.
Module 9, "Troubleshooting Resource Access within a Domain," covers the causes of issues such as
users' inability to access or modify files, and difficulty accessing printers. This module also provides
troubleshooting information that you can use to help users who are having file access issues, file
permission issues, or printer access issues.
Module 10, "Configuring and Troubleshooting Resource Access for Clients That Are Not Domain
Members," describes how to troubleshoot features that you can use to access files and applications
remotely. It explains how to configure Workplace Join and Work Folders. It also includes information on
configuring and troubleshooting access to OneDrive.
Module 11, "Troubleshooting Applications," examines the issues that affect users' abilities to install and
run desktop apps and Windows Store apps. This module also covers the ways in which students can
resolve Internet Explorer-related issues.
Module 12, "Maintaining Windows 8.1," describes procedures to monitor performance of computers that
are running Windows 8.1, protect them from malware, and ensure that they remain up-to-date with the
latest operating system updates and security fixes. It also explains how these procedures provide for the
ongoing maintenance of Windows 8.1.
Module 13, "Recovering Windows 8.1," explains how to recover a computer by restoring system settings
instead of reinstalling the operating system and apps. It also describes how to use various tools to back up
and recover data.
Course Materials
The following materials are included with your kit:
Course Handbook: A succinct classroom learning guide that provides the critical technical
information in a crisp, tightly-focused format, which is essential for an effective in-class learning
experience.
Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
Module Reviews and Takeaways: Provide on-the-job reference material to boost knowledge
and skills retention.
Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and
answers and Module Reviews and Takeaways sections, which contain the review questions and
answers, best practices, common issues and troubleshooting tips with answers, and real-world
issues and scenarios with answers.
Resources: Include well-categorized additional resources that give you immediate access to the
most current premium content on TechNet, MSDN, or Microsoft Press.
Course evaluation: At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
This section provides the information for setting up the classroom environment to support the business
scenario of the course.
Role
LON-DC1
LON-SVR1
LON-RTR
LON-CL1
LON-CL3
LON-CL4
LON-CL5
Software Configuration
The following software is installed on each virtual machine:
Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1
StockViewer app
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
64-bit Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor (2.8
gigahertz (GHz) dual core or more recommended)
Dual 500 gigabyte (GB) hard disks, 7200 RPM Serial ATA (SATA) or faster. Each hard disk must be
configured as a separate drive labeled Drive C and Drive D.
Network adapter
In addition, the instructor computer must be connected to a projection display device that supports
1,280 x 1,024 pixels, with 16-bit color.
Move your mouse to the lower right corner of the desktop to open a menu with:
Windows+C keys: Opens the same menu as moving the mouse to the lower right corner.
Module 1
Implementing a Troubleshooting Methodology
Contents:
Module Overview
Module Overview
Windows 8.1 is the latest Microsoft client operating system. It provides several new features and
capabilities, and it builds on the core functionality of Windows 7 to provide a stable client experience
across a number of processor architectures. Additionally, Windows 8.1 provides many improvements and
enhancements over Windows 8 Release to Manufacturing (RTM). As an enterprise support technician, you
must understand these new features and know how to use them to improve productivity within your
organization. It also is important that you know how to troubleshoot the Windows 8.1 operating system
properly. This module introduces the new Windows 8.1 features and interface, and describes the process
of developing and applying a troubleshooting methodology for Windows 8.1.
Objectives
After completing this module, you will be able to:
Lesson 1: Overview of Windows 8.1
Windows 8.1 can operate across a range of devices, including tablets and other touch-enabled computers.
To optimize your users' experience, you can select between a number of editions of Windows 8.1, and a
number of processor architectures. This lesson describes the supported processor platforms and devices,
and the new features in Windows 8.1. It also provides you with information about the operating system's
architecture.
Lesson Objectives
After completing this lesson, you will be able to:
Desktop computers. This is the traditional computing platform that offers powerful performance but
limited mobility. To improve user productivity, you can combine desktop computers with touch
screens.
Laptop computers. Modern laptop computers can have a touch screen, which enables users to
perform tasks much more quickly than they would if they were using a traditional mouse. You can
convert some laptop computers into tablets through screen rotation, although these types of device
are not as portable as pure tablets.
Convertible laptops. These devices are tablet computers that come with a docking station that has a
keyboard and additional ports, such as universal serial bus (USB) and video expansion ports. When
separated from its docking station, this type of device provides all of the convenience of a tablet.
When on its docking station, this type of device enables users to work in a more traditional fashion.
Some docking stations also have an additional battery.
11-inch tablets. These tablets are comparatively large, and you may find them more often on
convertible laptops with some kind of docking station.
10-inch tablets. Comparable in size with the Apple iPad, these tablets often are stand-alone devices,
although they sometimes include a keyboard cover. The Microsoft Surface 2 and Microsoft Surface
Pro 2 are both 10-inch tablets, and come with one of two optional keyboard covers. These types of
devices offer the best portability.
8-inch tablets. Microsoft recently relaxed the base video requirements of Windows 8.1 to support smaller screens with lower resolutions. A number of devices that use this form factor are available now or will be shortly. This type of device, similar to the Apple iPad Mini, provides optimum portability, but it may pose challenges for certain uses. For example, heavy typing on an 8-inch tablet typically is not easy, and better devices exist for that purpose.
Note: It is important to understand that these are broad device categories, and some
devices do not fall into one category only.
After users select the type of device that suits their requirements, they may have additional needs. The
following factors affect the type of tablet or convertible device that a user may choose:
Battery life. This is a critical factor for some users. Many first-generation Windows tablets used Intel Atom processors, which provide extended battery life and solid performance for everyday tasks, but which are not suited to heavy processing workloads.
Processor performance. Some Windows equipped tablets use Intel Core i5 or even Core i7 processors.
These processors are capable of a much higher workload, but they typically consume more power.
Screen size and resolution. Smaller, more portable devices have smaller screens. High resolutions on small screens are hard to work with, because users may find the content difficult to read. To mitigate this, manufacturers often ship a lower resolution; for example, 1366x768 is typical for 10-inch Intel Atom-based tablets.
Memory. Many tablets with Atom processors have 2 gigabytes (GB) of available memory. This is
sufficient for relatively light workloads, but may not be adequate for heavy workloads. Core i5 and
Core i7 devices can have as much as 8 GB of memory installed, thereby providing support for much
heavier workloads.
Storage. Unlike desktop computers, and even some laptops, tablets come with a fixed storage
capacity. Smaller devices come with less storage, and 32 GB of storage capacity is typical for small
tablets. Some vendors provide the option to customize the storage when the user purchases their
device. Before making a decision on the amount of storage they require, users must think about how
they are going to be using a device. Fortunately, almost every Windows tablet provides some means
to expand the available storage by using secure digital (SD) or Micro SD cards, and in some cases,
support for USB storage devices.
Note: Although some tablet vendors bundle cloud-based storage, remember that the local storage is all the capacity the device has when it is offline.
Support Issues
The type of support issues that you encounter may vary based on the type of device being used. For
example, storage problems are more prevalent for tablet computers, because storage is more constrained.
In addition, users may choose to use cloud-based storage with their tablets, which may be less relevant for
desktop computer devices.
An increasing number of users want to connect their own devices to corporate networks. This practice
raises additional support concerns by introducing security issues and device management issues.
Windows 8.1. Windows 8.1 is the edition that contains only the key operating-system features. This
edition can run applications such as the Microsoft Office suite, and is appropriate for deployment in
home offices and small business environments that do not require features such as BitLocker Drive
Encryption, and DirectAccess. From a planning perspective, it is important to note that you cannot
join computers that are running this edition of Windows 8.1 to an Active Directory Domain Services
(AD DS) domain, and you can activate this Windows 8.1 edition only with a retail license key.
Windows 8.1 Pro. The Windows 8.1 Pro edition includes features such as BitLocker, Client
Hyper-V, Domain Join, Group Policy, and Boot from VHD. This edition of Windows 8.1 is suitable
for small and medium-sized businesses that do not require technologies such as AppLocker,
BranchCache, DirectAccess, and Windows To Go to meet business objectives. You can use
Windows 8.1 Pro with retail license keys and with volume licensing options such as Multiple
Activation Keys (MAKs) and Key Management Service (KMS) keys.
Windows 8.1 Enterprise. Windows 8.1 Enterprise is the edition that you are most likely to deploy in large business environments. It includes every feature of Windows 8.1 Pro, including the ability to join an AD DS domain, plus the edition-specific features AppLocker, BranchCache, DirectAccess, and Windows To Go. It also supports sideloading of Windows Store apps. You can activate Windows 8.1 Enterprise only by using a volume license key.
The following table summarizes the key features available in each edition of Windows 8.1.

Feature                   Windows 8.1    Windows 8.1 Pro    Windows 8.1 Enterprise
Maximum RAM (32-bit)      4 GB           4 GB               4 GB
Maximum RAM (64-bit)      128 GB         512 GB             512 GB
Workplace Join            Yes            Yes                Yes
Work Folders              Yes            Yes                Yes
Remote Desktop            Client only    Yes                Yes
Domain Join               No             Yes                Yes
Group Policy              No             Yes                Yes
Hyper-V                   No             Only on x64        Only on x64
AppLocker                 No             No                 Yes
BranchCache               No             No                 Yes
DirectAccess              No             No                 Yes
Windows To Go             No             No                 Yes
Understanding Windows RT
Windows RT is designed specifically to run apps that are built on the Windows Runtime (WinRT) platform, and it is available only as a preinstalled operating system on tablets and similar devices with Advanced RISC Machines (ARM) processors. ARM processors enable a lightweight form factor with excellent battery life, specifically for mobile devices. Windows RT is preloaded with touch-optimized versions of Microsoft Office applications, and is limited to running Windows Store apps; it cannot run traditional desktop (Win32) applications. Devices that are running Windows RT cannot be members of AD DS domains, but they can use Workplace Join and Work Folders.
Note: It is important to remember that the Windows 8.1 editions in the preceding table are not available for ARM-based devices. Windows RT 8.1 is the only edition that runs on ARM.
Each Windows 8.1 edition is available in both 32-bit and 64-bit versions. The 64-bit versions of Windows 8.1 are designed for computers that use a 64-bit processor architecture. Although the 64-bit versions are similar in features to their 32-bit counterparts, there are several advantages to using a 64-bit version of Windows 8.1, including:
Improved performance. 64-bit processors can process more data per clock cycle, so applications built for 64-bit can run faster. However, to benefit from this capacity, you must install a 64-bit edition of the operating system and run 64-bit applications.
Enhanced memory. A 64-bit operating system can use random access memory (RAM) more efficiently, and it can address more than 4 GB of memory. All 32-bit editions of Windows 8.1 are limited to 4 GB of addressable physical memory.
Improved device support. Although 64-bit processors have been available for some time, in the past it was difficult to obtain third-party 64-bit drivers for commonly used devices, such as printers, scanners, and other office equipment. Since the release of the 64-bit versions of Windows 7, driver availability has improved greatly. Because Windows 8.1 uses the same driver model as Windows 7, most drivers that work with Windows 7 also work with Windows 8.1.
Improved security. The 64-bit versions of Windows enforce protections that the 32-bit versions do not: Kernel Patch Protection (PatchGuard) prevents software from modifying the kernel, kernel-mode drivers must be digitally signed before they load, and Data Execution Prevention (DEP) is hardware-enforced and always on for 64-bit processes.
Support for the Hyper-V feature. Only the 64-bit versions of Windows 8.1 Pro and Enterprise support Client Hyper-V. Hyper-V requires a 64-bit processor with second-level address translation (SLAT).
Note: The 64-bit versions of Windows 8.1 do not include the 16-bit Windows on Windows (WOW) subsystem. If your organization requires 16-bit applications, they will not run natively on 64-bit versions of Windows 8.1. One solution is to run the application in a 32-bit virtual machine by using Hyper-V.
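The edition table and the 64-bit discussion above both come down to a handful of facts about the machine in front of you: edition, architecture, installed RAM against the edition's ceiling, domain membership, DEP policy, whether the CPU can host Client Hyper-V, and whether the system drive is protected. The following Windows PowerShell script, added here as an example and not part of the course, collects all of them using only cmdlets that ship with Windows 8.1 (Windows PowerShell 4.0). It assumes you run it in an elevated console; the class and property names are real, the report layout is the example's own.

```powershell
# Added example, not from the course. Reports the edition/architecture facts
# that the preceding table and list turn on, using only cmdlets that ship
# with Windows 8.1 (Windows PowerShell 4.0). Run in an elevated console so
# that the optional-feature and BitLocker queries succeed.

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

$is64 = $os.OSArchitecture -like '64*'

# 32-bit editions stop at 4 GB no matter what is installed; the 64-bit
# ceiling depends on the edition (128 GB for Windows 8.1, 512 GB for Pro/Enterprise).
$ramCeiling = if ($is64) { 'edition-dependent (128 GB or 512 GB)' } else { '4 GB' }

# DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn,
# 2 OptIn (client default), 3 OptOut.
$depPolicy = @('AlwaysOff', 'AlwaysOn', 'OptIn', 'OptOut')[$os.DataExecutionPrevention_SupportPolicy]

$report = [ordered]@{
    Edition        = $os.Caption            # e.g. "Microsoft Windows 8.1 Pro"
    Architecture   = $os.OSArchitecture     # "32-bit" or "64-bit"
    InstalledRamGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    RamCeiling     = $ramCeiling
    DomainJoined   = $cs.PartOfDomain       # always False on plain Windows 8.1 and Windows RT
    Domain         = $cs.Domain
    DepPolicy      = $depPolicy
    # Client Hyper-V needs a 64-bit CPU with SLAT and virtualization enabled in firmware.
    CpuSlat        = $cpu.SecondLevelAddressTranslationExtensions
    CpuVtEnabled   = $cpu.VirtualizationFirmwareEnabled
}

# The Hyper-V optional feature exists only in the x64 Pro/Enterprise images;
# elsewhere the query returns nothing.
$hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
$report['HyperVFeature'] = if ($hv) { $hv.State } else { 'not available in this edition/architecture' }

# BitLocker management cmdlets are present only on Pro/Enterprise; the
# protection state of the system drive is what matters either way.
$report['OsDriveProtection'] = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus
} else { 'BitLocker cmdlets not present on this edition' }

[pscustomobject]$report | Format-List
```

If `CpuSlat` or `CpuVtEnabled` is False, the Hyper-V feature will not install even on a 64-bit Pro or Enterprise image, and the fix is a firmware setting, not a Windows one. A `DepPolicy` of `AlwaysOff` on a 32-bit machine is worth questioning, since it means someone edited the boot configuration.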
Cloud integration. Windows 8 provides increased integration with cloud-based services and information. Users signing in to a Windows 8 computer can connect instantly to the information and settings that are important to them, and Windows 8 provides a consistent user experience on any computer, regardless of the computer's location.
Reset and refresh your PC. By using the Reset and Refresh feature, users and information technology
(IT) staff can return a computer to a specific default state, or recover Windows 8 from errors or
corrupt operating-system files:
o Reset your PC removes all personal data, apps, and settings from the PC, and reinstalls Windows.
o Refresh your PC keeps personal data, Windows Store apps, and important settings, and reinstalls Windows while retaining the user experience and user data.
Windows To Go. This feature enables you to supply a fully functioning copy of Windows 8 that starts and runs from a USB storage device. When users boot from a Windows To Go-enabled USB device, they get a complete Windows 8 experience, with all of their applications, files, and settings.
Remote Desktop Services. Windows 8 includes Remote Desktop Services (RDS) capability, which enables multiple users to connect remotely to the same computing infrastructure, each in an isolated session. You can use Windows 8 in Virtual Desktop Infrastructure (VDI) scenarios to provide robust and universal access to Windows 8 desktops.
Client Hyper-V. Client Hyper-V on Windows 8 provides a flexible and high-performing client
virtualization environment. You can leverage this environment to use a single computer to test
applications and IT scenarios in multiple operating-system configurations. By using Client Hyper-V,
IT departments can provide a consolidated and efficient virtual environment through virtual machine
compatibility with Windows Server 2012. Client Hyper-V is available in Windows 8 Pro and
Windows 8 Enterprise.
Support for multiple processor architectures. Windows 8 is the first Windows operating system to
provide support for both the x86 and the ARM platform. Windows 8 runs on PCs in addition to
tablets and similar devices, thereby providing users with very pervasive access to the Windows 8
environment.
Workplace Join. Workplace Join registers a device with the organization without fully joining it to the domain, and without leaving it entirely outside the domain's control. With Workplace Join, your users can work on the devices that they choose and still have access to enterprise network resources, while you control access to those resources with a finer level of control over devices that register through Workplace Join.
Work Folders. Work Folders enable a user to synchronize their data from their network user folder to
their device. When you implement Work Folders, locally-created files also synchronize to the network
folder location. The client computing device does not need to be domain-joined to access this shared
content.
Mobile Device Management. Once users enroll their devices, they join them to the Windows Intune
management service and get access to the company portal. This provides them with a consistent user
experience for access to their applications and data, which enables them to manage their own
devices. You have improved management over these devices, and can manage them as mobile
devices without having to deploy a full management client.
Web Application Proxy. This server-side feature publishes access to corporate resources for Windows 8.1 devices and can enforce multifactor authentication. Additionally, it applies conditional access policies that verify user and device identity before granting access to resources.
Mobility Improvements
Virtual private network (VPN). In addition to the Microsoft VPN client, Windows 8.1 supports a
number of VPN clients from other vendors, including:
o F5 Networks FirePass client
Mobile broadband. Windows 8.1 provides support for embedded wireless radio. This support helps to
improve power efficiency, and to reduce the size of some devices.
Broadband tethering. You can turn your Windows 8.1 device into a Wi-Fi hotspot.
Auto-triggered VPN. If an app requires access to your company's intranet, Windows 8.1 can automatically trigger a VPN connection.
Security Improvements
Remote Business Data Removal. With Windows 8.1 and Windows Server 2012 R2, you can use Remote Business Data Removal to classify and flag corporate files, and so to differentiate them from user files. With this classification in place, a remote wipe of a Windows 8.1 device removes or secures the corporate data without removing user-owned data.
Improved biometrics. Windows 8.1 provides a number of improvements in the area of biometrics, including support for biometric authentication at Windows sign-in, for remote access, and for User Account Control prompts. Furthermore, you can configure biometric authentication for Windows Store purchases.
Pervasive device encryption. On new devices that meet the hardware requirements (InstantGo-capable hardware with a TPM), device encryption is enabled by default on every edition of Windows 8.1. When a user signs in with a Microsoft account, Windows 8.1 activates protection automatically and backs up the recovery key to that account. On the Pro and Enterprise editions you can add full BitLocker management capability on top of this.
Malware resistance. Windows Defender now includes network-behavior monitoring that can help to detect and prevent the execution of known and unknown malware.
Device lockdown. The Assigned Access feature enables you to restrict the Windows Store app experience on a device to a specific subset of apps, or even to a single app. This could be a line-of-business (LOB) app in a kiosk scenario, or a set of educational apps for children in a school setting.
Many other operating-system changes aim to improve the user experience. This includes small but
significant changes, such as the new Boot to Desktop feature, which is for those users who prefer the
traditional desktop user interface.
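Assigned Access is configured per local account, and the thing it keys on is the app's Application User Model ID (AUMID), not its display name. The following Windows PowerShell script, added here as an example and not part of the course, resolves the AUMID for an installed Store app and applies the single-app lockdown with the `Set-AssignedAccess` cmdlet that ships with Windows 8.1 Pro and Enterprise. The user name `Kiosk` and the package name `Contoso.KioskApp` are placeholders; substitute an existing local account and the package name of your LOB app (`Get-AppxPackage` lists the names).

```powershell
# Added example, not from the course. Locks a local account to one Windows
# Store app with Assigned Access on Windows 8.1 Pro/Enterprise.
# Assumptions: a local user named "Kiosk" already exists and has signed in
# at least once, and $packageName is a placeholder for your LOB app's
# package name (find it with Get-AppxPackage). Run in an elevated console.

$kioskUser   = 'Kiosk'
$packageName = 'Contoso.KioskApp'    # placeholder

# 1. The app must already be installed for the kiosk user, not just for the admin.
$pkg = Get-AppxPackage -User $kioskUser -Name $packageName
if (-not $pkg) { throw "Package '$packageName' is not installed for user '$kioskUser'." }

# 2. Assigned Access keys on the Application User Model ID (AUMID), which is
#    <PackageFamilyName>!<Application Id from the app manifest>.
$manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName
$appId    = @($manifest.Package.Applications.Application.Id)[0]
$aumid    = '{0}!{1}' -f $pkg.PackageFamilyName, $appId

# 3. Apply the lockdown and read the configuration back to confirm it.
Set-AssignedAccess -UserName $kioskUser -AppUserModelId $aumid
Get-AssignedAccess

# To remove the lockdown later: Clear-AssignedAccess
```

When the kiosk account signs in, the app runs full screen with no Start screen or charms; pressing the Windows logo key five times quickly signs the account out. Assigned Access applies only to Windows Store apps, so it is not a substitute for restricting desktop applications on the same device.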
Operating-system kernel
At the lowest level of the operating system, the operating system kernel consists of the Windows kernel
itself and low-level device drivers. The kernel is responsible for taking operating system requests from
system services. It then translates those requests into instructions for the computer hardware, including
the CPU, memory, and hardware devices, to perform.
When the operating system starts up, it is the kernel and its related low-level device drivers that initialize
first. The operating-system services then start.
System services
Operating-system services are part of the operating system rather than something that you install after
the operating system deploys. Additionally, operating-system services function with no user action. In fact,
they start before a user signs in to the computer.
Although both operating system services and device drivers are software, the difference between them is
that device drivers interact directly with hardware devices or components. Generally, a system service
interacts with other software components in the operating system.
Note: From a management perspective, the difference between device drivers and services
is more obvious. You can use Device Manager to manage device drivers, and you use the services
Microsoft Management Console (MMC) snap-in to manage system services.
System services include the various executive services that provide distinct functions within the operating system, including:
The virtual memory manager, which handles virtual memory within the operating system.
Other components within the executive, which handle other aspects of the operating system.
The API sets, which enable Windows to support different types of apps. The Windows Runtime (WinRT) APIs enable the operating system to run Windows Store apps, whereas the Win32 and related API sets enable it to run traditional desktop apps.
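The driver-versus-service split, and the order in which they initialize, is also how a support technician reads a bad boot. The following Windows PowerShell script, added here as an example and not part of the course, uses the two WMI classes behind the management tools named in the note above: Win32_SystemDriver is the kernel-mode driver list that Device Manager manages, and Win32_Service is what the Services MMC snap-in manages. It lists boot- and system-start drivers that were supposed to load but did not, and automatic services that are not running. The class and property names are real; the filters are the example's own.

```powershell
# Added example, not from the course. Kernel-mode drivers and system
# services from PowerShell, filtered to what a support technician wants
# after a problematic boot. Read-only; runs on any edition of Windows 8.1.

$drivers  = Get-CimInstance -ClassName Win32_SystemDriver
$services = Get-CimInstance -ClassName Win32_Service

function Get-UnloadedStartupDriver {
    # Drivers initialize before any service. "Boot" and "System" start drivers
    # are loaded by the kernel itself, "Auto" start drivers by the service
    # controller. One that is not running, and whose ErrorControl is not
    # "Ignore", is a candidate cause (cross-check with System log events 7000-7026).
    $drivers | Where-Object {
        $_.StartMode -in 'Boot', 'System', 'Auto' -and
        $_.State -ne 'Running' -and
        $_.ErrorControl -ne 'Ignore'
    } | Select-Object Name, StartMode, State, ErrorControl, PathName
}

function Get-StoppedAutoService {
    # Automatic services start before a user signs in. Delayed-start services
    # are excluded because they legitimately come up later.
    $services | Where-Object {
        $_.StartMode -eq 'Auto' -and
        $_.State -ne 'Running' -and
        -not $_.DelayedAutoStart
    } | Select-Object Name, StartName, State, PathName
}

'Startup drivers that did not load:'
Get-UnloadedStartupDriver | Format-Table -AutoSize

'Automatic services that are not running:'
Get-StoppedAutoService | Format-Table -AutoSize
```

Neither list is proof of a fault on its own: drivers for hardware that is not present and services that exit after doing their work appear here on healthy machines. The lists are a starting point to compare against the Service Control Manager events in the System log and against a known-good computer of the same build.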
Understanding Applications
At the upper level of the operating system, applications operate by integrating with the computer user,
and at a lower level by integrating with the operating-system services. You install applications after you
install the operating system, and you must start applications manually to use them.
Lesson 2
Whether you are troubleshooting computers, plumbing systems, or automobile engines, any
troubleshooting methodology has a common set of processes and procedures, including the following:
You perform a set of processes that typically resolve problems as quickly and efficiently as possible.
Classification, testing, escalation, and reporting provide the backbone of any troubleshooting
methodology.
The methodology evolves over time, as technologies change and new tools become available.
This lesson details the stages of a troubleshooting methodology. Additionally, it explains how you can
develop best practices for problem reporting, initial data collection, implementing a plan of action, and
recording incident resolution.
Lesson Objectives
After completing this lesson, you will be able to:
It is important that help-desk staff keep the end user informed of progress throughout the entire troubleshooting process. This starts with the first stage of problem reporting, when the help-desk staff explain to the end user what the next step in the process is.
Gathering Information
The help desk staff may resolve the reported problem during the initial phone call or reporting stage.
This often happens with relatively simple problems. However, if it is not possible to resolve the issue
immediately, the help-desk staff must gather more information about the problem to help identify
possible causes. To gather additional information, you can use monitoring tools, examine event logs, or
simply ask the end user additional questions.
The linear approach is a methodology that reveals the root cause of a problem quickly by taking you through a logical series of steps. Start with the problem statement, and then proceed in a methodical manner until you uncover the problem's source.
The subtractive approach is a methodology in which you form a mental picture of the computer's system components. Separate the components into two halves along a testable line. For example, you might ask yourself whether a hardware component or a network component is causing the problem. You then perform tests to determine on which side of the line the problem falls, and continue in the same manner until you isolate the problem component.
At this stage, regardless of the approach you take, your aim is to isolate the problem's cause. When you feel you have determined the cause, you must test your assumptions. If the tests prove inconclusive, you must continue testing until you determine the real cause. After your tests confirm the problem's cause, you must plan your course of action. For instance, if the problem requires that you replace a disk in a server, you must:
1.
2.
3.
4.
5.
6.
After planning your course of action, you must implement the plan. If you are implementing a plan of action to resolve a serious problem, you must consider the impact on service availability of any changes that you want to make. Larger organizations implement change-management procedures, and you must adhere to them.
Before you make any configuration changes, consider how much of your reconfiguration work you can undertake by using remote management tools and utilities. You can resolve many problems with remote-management techniques, and thereby avoid the need to work physically on the end user's computer. However, you cannot resolve all problems by using remote-management tools, and sometimes a visit to the end user's computer is necessary.
When you resolve a problem successfully, you must document the resolution. This documentation
involves a number of processes, depending upon your technical support infrastructure. At the very least,
you must inform the end user that you resolved the problem, and if a logging system is in use, you must
close the incident on the log.
Many organizations use documentation to record the configuration of their IT systems. If you reconfigure the user's computer to resolve a problem, you must update the supporting documentation to reflect the changes that you made.
Additionally, during the information-gathering stage, it often is useful to examine incident logs to
determine whether anyone else has reported a problem similar to the one on which you are working.
Finding whether another technician has documented a similar problem is possible only if, at incident
closure, technicians document what they did to resolve a problem.
End users
Improved productivity
Better accountability
Improved communications
When you complete your discussion, share your conclusions with the class.
Detecting Problems
No matter how much training or encouragement end users receive, there always are problems that they
cannot resolve themselves. It is important to provide a proper procedure for contacting the help desk, and
even more important to ensure that your end users understand this procedure. During this phase, the
help-desk personnel should record the problems details. You should consider using a database in which
to record details of the reported problem. You then can update the incident record in the help-desk
ticketing system that pertains to the problem. This helps you work toward a resolution.
If you lack the skills necessary to resolve the reported problem, assign the problem to other individuals in
your organization. For complex problems, you might assemble a specialist team to resolve the problem.
Update the incident record in the ticketing database to help track information about activity that you, or
others, perform in relation to the reported problem.
After an end user contacts the help desk, help-desk staff should attempt to classify the problem, and then
determine the problems scope and urgency. You and your fellow help-desk staff can do this by asking
end users very specific questions about their problems. Questions might include the following:
Who else has the same problem? If the problem is widespread, this points to a more general problem rather than to the end user's particular computer. Additionally, problems that affect many end users are more urgent than those that affect only one.
When did you first notice the problem? For example, it might be that the computer never worked
properly. It is very useful to know if the computer never worked properly, because this might indicate
a problem with deployment rather than usage.
What changed around the same time that you noticed the problem? If the end user recently installed
new applications or updated drivers, and the problem arose after these changes, it is possible that the
changes contributed to the problem that the end user is reporting.
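The "when did you first notice it?" and "what changed around the same time?" questions have a counterpart on the computer itself: the event logs and the update history record when errors began and what was installed. The following Windows PowerShell script, added here as an example and not part of the course, performs that first pass of data collection with cmdlets and event sources built into Windows 8.1. `$since` is a placeholder for the time the user reports the problem began; the event IDs are the documented ones for the MsiInstaller and Plug and Play providers, and the report shape is the example's own.

```powershell
# Added example, not from the course. First-pass data collection for the
# "when did it start?" and "what changed?" questions, using only cmdlets
# and event sources built into Windows 8.1. $since is a placeholder for the
# time the user says the problem began; narrow it as the interview firms up.

$since = (Get-Date).AddDays(-1)

function Get-RecentErrors {
    param([datetime]$Since)
    # Critical (1) and Error (2) events from the System and Application logs,
    # grouped by source and ID so one repeating error does not drown the rest.
    Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Level = 1, 2; StartTime = $Since } -ErrorAction SilentlyContinue |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated } },
            @{ n = 'Sample';    e = { ($_.Group[0].Message -split "`n")[0] } }
}

function Get-RecentChanges {
    param([datetime]$Since)
    # Windows updates. Get-HotFix reads Win32_QuickFixEngineering; InstalledOn
    # is blank for some packages, and the comparison simply skips those.
    Get-HotFix | Where-Object { $_.InstalledOn -ge $Since } |
        ForEach-Object { [pscustomobject]@{ When = $_.InstalledOn; Kind = 'Update'; What = "$($_.HotFixID) $($_.Description)" } }

    # MSI-based installs and removals: MsiInstaller 1033/11707 = install done,
    # 1034/11724 = removal done.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 1034, 11707, 11724; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ When = $_.TimeCreated; Kind = 'MSI'; What = ($_.Message -split "`n")[0] } }

    # Driver installs recorded by Plug and Play (UserPnp event 20001 in the System log).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-UserPnp'; Id = 20001; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ When = $_.TimeCreated; Kind = 'Driver'; What = ($_.Message -split "`n")[0] } }
}

"Errors since $since"
Get-RecentErrors -Since $since | Format-Table -AutoSize

"Changes since $since (updates, MSI installs, drivers)"
Get-RecentChanges -Since $since | Sort-Object When | Format-Table -AutoSize
```

Read the two tables together: a change whose timestamp sits just before the first occurrence of a new error is the lead to test, not a conclusion. Applications installed without Windows Installer, and Store apps, do not appear in the MSI list, so an empty change list still does not rule out the user's own answer to "what changed".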
During this phase, you might determine a probable cause of the reported problem, but be careful not to
jump to any conclusions. This could waste significant time and resources. Your goal during this phase is to
define the problem accurately.
When a problem requires escalation between support tiers or to external vendors, ensure that you record an appropriate level of detail to pass to the next support level. A clearly defined escalation procedure helps you do this efficiently. The procedure may specify the following information:
A record of the resolution attempts that support staff made, and the results of each attempted fix.
The length of time that can elapse before you must escalate the problem.
Escalate a problem when:
Your organization does not have the required skills to resolve the problem.
You have identified the problem's probable cause, and it lies with a specific non-Microsoft component.
Whenever you escalate a problem, always retain ownership of the problem, and use the database record
to track progress toward a resolution. Additionally, ensure that you provide any necessary assistance to
other support tiers and external vendors.
After you determine a probable cause and develop an action plan, you should perform an assessment of
this plan, which should include:
Details regarding any liaisons with any specialist support staff that helped implement the plan.
Details of plans to roll back the changes if they do not achieve the desired result.
After you assess the proposed action plan, you can execute it. If the action plan does not resolve the problem, consider whether to roll back the changes you have made, following the rollback details in the action-plan assessment. You also must revisit the classification phase, because it is possible that the initial diagnosis and classification were incorrect.
After you resolve the problem successfully, you must close it. To close a problem, update any database
records that relate to it, and indicate that you implemented a permanent resolution for the problem. You
then can close the database record.
End users often are unable to provide a detailed description of their issues, or they may be reluctant to
explain the circumstances that caused the problem. When necessary, you must ask questions that help
you determine why the problem occurred. The following sections identify typical questions that may help
to determine the nature of the problem.
Who was operating the computer when the problem first occurred?
Who else is operating the computer, and have they experienced similar problems?
The following "when" questions help you determine when a problem occurred and establish a timeline of activities that may relate to it. Check the open incident record to determine:
When this problem first occurred, and when it has occurred since.
When an application was last installed, updated, or removed on the computer.
The following "what", "how", and "why" questions help you gather information about what the help-desk staff think may be the problem's cause, and also help you learn which solutions, if any, the help-desk staff have already attempted. Check the open incident record to determine:
What steps, if any, have the help-desk staff already taken to attempt a resolution?
What suggestions has the help desk received regarding a possible resolution?
How does the help desk think that the problem occurred?
Why does the help desk think that the problem occurred?
Listening
When an end user reports a problem to you, listen carefully to what the user has to say. Often, as the user responds to your questions and repeats the history of a problem, he or she reveals its cause. By asking users to start from the beginning and explain exactly what they were doing immediately before they noticed the problem, and what they were doing when they noticed it, you may determine the problem's cause.
Note: It is important to record the problem in a database, along with any pertinent
information that the user communicates to you. You will use the database record that you create
throughout the problem life cycle to record progress toward a resolution.
When you record all of the pertinent information from the user, your next task is to determine the cause
of the reported problem. Start by consulting existing documentation about known problems. It is quite
possible that the problem has occurred before. If this is the case, you can move toward a resolution
quickly, and then close the incident.
If existing documentation does not reveal any probable causes, you must perform some research. You can
perform this research by using a variety of sources. For example, you might search the Microsoft Support
Knowledge Base for information about the problem. You also may search online forums for related
material to aid in problem resolution.
After you determine a probable cause, you must develop an action plan, which the next topic describes.
Review any documentation that relates to the fix that you are proposing. For example, if the fix that you
propose requires the installation of a service pack, review the documentation that relates to the service
pack.
If the proposed fix or workaround involves significant reconfiguration work, or if problems arise during the fix, the user's productivity could suffer. You may need to escalate the problem so that appropriate support personnel can build a test environment that closely resembles the production system, and then use that test environment to test your plan of action.
Note: Virtualization technologies provide a convenient way to build test environments
without having to invest significantly in additional hardware or software.
If you need to perform significant reconfiguration work to resolve problems that are more complex, the
changes that you plan to make may impact many areas of your organization. It is likely that problems of
this nature are escalated to Tier 3 support staff.
For example, if the fix involves applying an update, removal of the update might be acceptable. However,
if the fix involves upgrading applications to include new features that might be useful to other end users,
it might be desirable to leave the new applications installed rather than revert to the older application.
You can use the test environment to practice implementing a rollback of your proposed fix or
workaround.
Note: Although the slide includes numbered steps for the action plan it depicts, you might
not complete the steps in the order that the slide lists.
For example, if you apply a security update to the operating system to resolve a security problem, the
update may make applications behave differently. When you feel that you can introduce the fix or
workaround without causing additional problems, and that it fixes the reported problem, proceed to the
next stage. Simple problems might not require this testing stage.
Large organizations implement change-management procedures to ensure that every member of the
support staff performs all changes to the IT infrastructure in a similar and appropriate manner, according
to specific guidelines, and with adequate documentation about any changes. If your organization uses a
change-management procedure, you must determine what it requires when you implement your fix or
workaround. Consult the relevant documentation, and when necessary, discuss the proposed changes
with the appropriate staff.
Help-desk staff often can resolve common problems quickly, without having to involve product specialists.
Less common or more complicated problems often require the escalation to either desktop-support
specialists or external vendors, and occasionally require the creation of a specialist team that includes
people possessing the range of skills necessary to resolve a particular issue. When possible, consider the
use of remote-management tools, because these often result in quicker problem resolutions.
If a fix or workaround takes time to complete and involves a number of stages, you must monitor progress toward the problem's resolution. It is important that you evaluate the data that you collect during this monitoring, so that you can determine whether you are close to a solution. If the data indicates that a solution is not forthcoming, reconsider your plan of action.
Whether or not you resolve the problem successfully, you must document all of the steps that you took in the attempt, and then document the results. If you log the incident in a database to track a reported problem's status, you must update the record to reflect whether you resolved the problem and whether you closed the incident. The next topic looks more closely at the process of recording a problem's resolution.
Complex and serious problems often require significant infrastructure changes, so you must create the
necessary documentation to support these changes. For example, if you install a new version of an
application to resolve a problem, updating the existing documentation is insufficient. This is because the
new application may have new features, and therefore may work differently than the old version. You
must provide both users and administrators with the new information that they require to work with the
new application.
You must update any database records associated with an incident. The update should include the
resolution and other relevant information about the fix or workaround required to resolve the problem.
Furthermore, you should not consider a problem resolved until the resolution is documented in a manner
that aids future incident resolution. Finally, you must update the incident record as closed.
You must let the end user who reported the problem originally know that you resolved the problem. If the
user must take any special measures or steps to bypass the problem, you must communicate these steps
or procedures. If you made significant changes to the infrastructure, users might require additional
training.
Problems have a habit of recurring. It is very important that you document the problem, its cause, and the
steps necessary to resolve it. Proper documentation ensures that, in the future, other support engineers
faced with similar incidents can discover a probable cause and a recommended solution early in the
troubleshooting process.
How does your organization handle communications between the first-tier and second-tier support
staff and the end user?
How do you communicate problem resolutions to other support staff to help resolve future
problems?
A. Datum has a Tier 1 help desk that resolves the most simple user problems. When the help desk cannot
resolve user problems, help-desk staff assigns the trouble tickets to Tier 2 Desktop Support Technicians.
You are one of the Tier 2 Desktop Support Technicians for A. Datum. You retrieve trouble tickets assigned
to you and document their resolution.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 20 minutes
Virtual machines: None required.
For this lab, you do not need any virtual machines.
A user has reported a problem with their upgrade to Windows 8.1 Pro. They initiated the upgrade by
using the Windows Store. You must attempt to determine the nature of the problem and then suggest a
plan of action for attempting a solution.
Incident Record (sample)
Incident Reference Number: 701338
Date of Call: February 23
Time of Call: 13:30
User: Adam Barr (Marketing Department)
Status: OPEN
Incident Details
Adam contacted the help desk after attempting to upgrade to Windows 8.1 by using the Windows Store.
The computer is his, but he wants to use it to access corporate documents.
Additional Information
The installation proceeded most of the way through, as far as the user could tell. However, the video
screen does not have the correct resolution. The icons and text are very big.
Plan of Action
Resolution
3. Discuss recommendations.
4. Discuss with the class the questions that you might ask the user so that you can develop a plan of action.
Results: After completing this exercise, you should have developed a plan of action for the resolution of
the users reported problem.
Module 2
Troubleshooting Startup Issues
Module Overview
Corruptions in the system registry often cause startup-related problems. Issues with device drivers or
system services can also cause these problems. Therefore, systematic troubleshooting is essential so that
you can determine the underlying cause of the startup problem quickly and efficiently.
This module describes how to identify and troubleshoot issues that affect the Windows 8.1 operating
system's ability to start, and how to identify problematic services that are running on the operating
system. It also describes how to use the Windows 8.1 operating system's advanced troubleshooting tools,
collectively known as the Windows Recovery Environment (Windows RE).
Objectives
After completing this module, you will be able to:
Lesson 1
To recover Windows 8.1 computers that do not start, or those that are starting with errors, you must
recognize what the operating system looks like when it is starting properly. Additionally, a good working
knowledge of the recovery tools that Windows 8.1 provides should enable you to identify and resolve
problems that relate to startup issues.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the recovery tools available at the command prompt in Windows RE.
Access the Windows 8.1 System Restore tool to fix the startup environment.
As the computer starts, Bootmgr.exe loads first, and then reads the Boot Configuration Data (BCD), which
is a database of startup configuration information that the hard disk stores in a format similar to the
registry.
Note: The BCD provides a firmware-independent mechanism for manipulating the boot
environment data for any type of Windows operating system. Windows Vista and newer
Windows versions use the BCD to load the operating system or to run boot applications, such as
memory diagnostics. Its structure is very similar to a registry key, although you should not
manage it with the Registry Editor (regedit.exe).
Bootmgr.exe replaces much of the functionality of the NT Loader (NTLDR) bootstrap loader that
Windows XP and earlier versions of the Windows operating system use. Bootmgr.exe is a separate entity,
and it is unaware of other startup operations in the Windows operating system. Bootmgr.exe switches the
processor into 32-bit or 64-bit protected mode, prompts the user for which operating system to load (if
multiple operating systems are installed), and starts NTLDR if you have Windows XP or an earlier Windows
operating system installed.
Winload.exe is the operating system boot loader that Windows Boot Manager invokes. Winload.exe loads
the operating system kernel (ntoskrnl.exe) and (BOOT_START) device drivers, which, combined with
Bootmgr.exe, makes it functionally equivalent to NTLDR. Winload.exe initializes memory, loads drivers
that should start, and then transfers control to the kernel.
If the BCD contains information about a current hibernation image, Bootmgr.exe passes that information
to Winresume.exe. Bootmgr.exe exits, and Winresume.exe then starts. Winresume.exe reads the
hibernation image file, and uses it to return the operating system to its prehibernation running state.
When you turn on a computer, the startup process loads the basic input/output system (BIOS), or on more
modern computers, the Unified Extensible Firmware Interface (UEFI). After the UEFI or the BIOS loads,
the system accesses the master boot record (MBR) of the boot disk, followed by the boot sector of the
startup partition.
The Windows 8.1 cold startup process has seven steps:
1. The UEFI or BIOS performs a power-on self test (POST). From a startup perspective, the BIOS enables
the computer to access peripherals, such as hard disks, keyboards, and the computer display, prior to
loading the operating system.
2. The computer uses information in the UEFI or BIOS to locate an installed hard disk, which should
contain an MBR. The computer calls and loads Bootmgr.exe, which then locates an active drive
partition on sector 0 of the discovered hard disk.
3. Bootmgr.exe reads the BCD file from the active partition, gathers information about the machine's
installed operating systems, and then displays a boot menu, if necessary.
4. Bootmgr.exe either transfers control to winload.exe or calls winresume.exe for a resume operation. If
winload.exe selects an older operating system, such as Windows XP Professional, then Bootmgr.exe
transfers control to NTLDR.
5. Otherwise, winload.exe initializes memory and loads drivers that are set to begin at startup. These
drivers, which have a Start value of 0 in the registry and are called BOOT_START drivers, are for
fundamental hardware components such as disk controllers and peripheral bus drivers.
Winload.exe then transfers control to the operating system kernel, ntoskrnl.exe.
6. The kernel initializes, and then the higher-level drivers (those other than BOOT_START drivers) and
services load. During this phase, you will see the screen switch to graphical mode as the session
manager (Smss.exe) initializes the Windows subsystem.
7. The operating system loads the Winlogon service, which displays the sign-in screen. Once the user
signs in to the computer, the Windows Explorer tool loads.
Secure Boot is a Windows 8.1 feature on UEFI-based devices that can help to increase the security of your
device by helping to prevent unauthorized software from running on your device during the startup
process. Secure Boot verifies that each piece of software has a valid digital signature. This verification
applies to the operating system itself.
When you activate Secure Boot on a device, the device checks each piece of software against databases of
known good signatures maintained in the firmware. The firmware will only run software that it deems to
be safe by using this process.
The Windows 8.1 Secure Boot process requires firmware based on UEFI. The Secure Boot process uses
UEFI to prevent unknown or potentially unwanted operating-system boot loaders (such as firmware
rootkits) from launching between the system's firmware start and the Windows 8.1 operating system start.
Secure Boot is not mandatory for Windows 8.1, but it greatly increases the integrity of the boot process.
Windows RE
Windows RE is a recovery platform based on the Windows Preinstallation Environment (Windows PE).
Windows RE provides two main functions:
Accessing Windows RE
To access Windows RE:
1. Insert the Windows 8.1 DVD, and then start the computer.
3. After you configure language and keyboard settings, select the Repair your computer option, which
scans the computer for Windows installations, and then presents you with a Choose an option menu.
Click Troubleshoot.
Automatic Failover
Windows 8.1 provides an on-disk version of Windows RE. A computer that is running Windows 8.1 can fail
over automatically to the on-disk Windows RE if it detects a startup failure.
During startup, the Windows OS Loader sets a status flag that indicates when the boot process starts.
Winload.exe clears this flag before it displays the Windows sign-in screen. If the startup fails, the loader
does not clear the flag. Consequently, the next time the computer starts, the Windows OS Loader detects
the flag, assumes that a startup failure has occurred, and then launches Windows RE instead of Windows 8.1.
The advantage of automatic failover to Windows RE Startup Repair is that you may not need to check the
problematic computer when a startup problem occurs.
Note: The computer must start successfully for the Windows OS Loader to remove the status
flag. If there is an interruption to the computer's power during the startup sequence, the Windows
OS Loader does not remove the flag, and instead initiates Startup Repair automatically.
Remember that this automatic failover requires the presence of both the Windows Boot Manager and the
Windows OS Loader. If either of these elements is missing or corrupt, automatic failover cannot function,
and you must initiate a manual diagnosis and repair of the computer's startup environment.
Enable debugging
You will learn more about these troubleshooting modes during the next lesson.
Refresh your PC
Reset your PC
Advanced options
Refresh Your PC
This option enables you to retain your personal data, Windows Store apps, and settings, but replaces the
Windows 8.1 operating system. This is useful when it is important to retain user-related files and settings,
but you do not have the time to determine the specific cause of or resolve a startup problem.
Note: Because user settings may have created the startup problem from which you are
attempting to recover, the Refresh your PC option does not restore all settings. For example, this
option does not restore file associations, display settings, and Windows Firewall settings during
the refresh process.
Remember that using Refresh your PC does not recover your computer to a specific point in time.
Consequently, it is likely that, following recovery, you will have to perform additional tasks, such as
installing desktop apps. Therefore, it might be wise to attempt other methods of recovering from a
startup problem first.
Note: It is possible to use the Recimg.exe command-line tool to create a refresh image,
which then enables you to refresh your computer to a specific point in time. This process also
adds Program Files and Program Files (x86) to the image, which enables you to retain your desktop
apps after a refresh operation.
Reset Your PC
This option removes all user data and settings, and apps, and then reinstalls Windows 8.1. You should
select this option when you do not need to retain user data or settings. By using this setting, you revert
your computer to the deployment default settings.
As a method of recovering from a startup problem, Reset your PC is not ideal because it removes all user
data and settings. It will almost certainly resolve the startup problem. Consider using other recovery
methods before resorting to Reset your PC.
Note: If your computer has more than one drive when you launch Reset your PC, you can
choose to remove files from all drives, or only from the drive where Windows 8.1 is installed.
When you launch Reset your PC, you are prompted to:
Just remove my files. Use this option if you intend to keep your computer, but want to reset it to its
factory defaults.
Fully clean the drive. Choose this option if you want to wipe the drive completely in order to recycle
the computer. This process can take much longer.
Advanced Options
The following are tools you can access from the Advanced options menu in Troubleshooting.
System Restore
Windows 8.1 also provides System Restore capabilities that you can access from the System Tools folder. If
you have a system failure or another significant problem with your computer, you can use System Restore
to return your computer to an earlier state.
The primary benefit of System Restore is that it restores your system to a workable state without
reinstalling the operating system or causing data loss. Additionally, if the computer does not start
successfully, you can use System Restore by booting Windows RE from the product DVD. System Restore
is a preferable method of recovering from startup problems. You should attempt to use it before
considering either Refresh your PC or Reset your PC. Consider that using System Restore may resolve a
startup issue, but the computer may require additional configuration to bring it back to the correct state
following recovery.
You can create System Restore points by using the System Restore link in Recovery in Control Panel. First,
you must enable System Protection. You can do so by performing the following steps:
1. In Control Panel, click Recovery, and then click Configure System Restore.
2. On the System Protection tab, click Configure, and then click Turn On System Protection.
System Image Recovery replaces your computer's current operating system with a complete computer
backup that you created previously, and which you stored as a system image. You can use this tool only
if you have made a recovery drive of your computer. You should use this tool only if other methods of
recovery are unsuccessful, because it is a very intrusive recovery method that overwrites everything on the
computer.
Startup Repair
The Startup Repair tool in Windows RE provides a simple and effective way for you to resolve most
common startup problems. The following sections describe Startup Repair tool functions:
Replace or Repair Disk Metadata. Disk metadata consists of several components, including the boot
sector and the MBR. If these files are missing or corrupt, the startup process fails. If you suspect that
an issue has damaged or deleted these files, use Startup Repair to check for problems with the disk
metadata. Automatic Repair checks and, if necessary, repairs the disk metadata automatically.
Damage to the disk metadata often occurs because of unsuccessful attempts to install multiple
operating systems on a single computer. Another possible cause of metadata corruption is a virus
infection.
Repair Boot Configuration Settings. Windows XP and earlier Windows operating system versions
stored the boot configuration information in Boot.ini, a simple text file. However, Windows 8.1 uses
a configuration store that is in the C:\Boot folder.
If the boot configuration data is damaged or deleted, the operating system fails to start. The Startup
Repair tool then checks and, if necessary, rebuilds the BCD by scanning for Windows installations on
the local hard disks, and then storing the necessary BCD.
Resolve Incompatible Driver Issues. Installing a new hardware device and its associated device driver
often causes Windows operating systems to start incorrectly.
The Automatic Repair tool performs device driver checks as part of its analysis of your computer. If
Automatic Repair detects a driver problem, it uses System Restore points to attempt a resolution by
rolling back configuration to a known working state.
Note: Even if you do not create restore points manually in Windows 8.1, installing a new
device driver automatically causes Windows 8.1 to create a restore point prior to the installation.
The Startup Repair tool should be your primary startup recovery mechanism. It is the least invasive and
requires the least manual configuration following recovery.
Command Prompt
Windows 8.1 uses the Command Prompt window from the Windows RE tool set as its command-line
interface. The Command Prompt tool is more powerful than the Recovery Console command-line
interface from early Windows operating system versions. The Windows RE Command Prompt features
are similar to those of the Command Prompt window that is available when Windows 8.1 is running normally:
Resolve Problems with a Service or Device Driver. If a computer that is running Windows 8.1
experiences problems with a device driver or Windows service, use the Windows RE Command
Prompt window to attempt a resolution. For example, if a device driver fails to start, use the
command prompt to install a replacement driver, or to disable the existing driver in the registry. If
the Netlogon service fails to start, at the command prompt, type Net Start Netlogon. You also can use
the SC.exe command-line tool or the Windows PowerShell Start-Service and Stop-Service
cmdlets to start and stop services.
Recover Missing Files. The Windows RE Command Prompt tool also enables you to copy missing files
to your computer's hard disk from original source media, such as the Windows 8.1 product DVD or a
universal serial bus (USB) flash drive.
Access and Configure the BCD. Windows 8.1 uses a BCD store to retain information about the
operating systems that you install on the local computer. You can access this information by using
the BCDEdit.exe tool at the command prompt. You also can reconfigure the store, if necessary. For
example, you can reconfigure the default operating system on a dual-boot computer with the
BCDEdit.exe /default id command.
Repair the Boot Sector and MBR. If the boot sector or MBR on the local hard disk is damaged or
missing, a computer that is running Windows 8.1 will fail to start successfully. You can launch the
Bootrec.exe program at the command prompt to resolve problems with the disk metadata.
Run Diagnostic and Troubleshooting Tools. The Command Prompt tool provides access to many
programs that you can access from Windows 8.1 during normal operations. These programs include
several troubleshooting and diagnostics tools, such as the registry editor (Regedit.exe), a disk and
partition management tool (Diskpart.exe), and several networking configuration tools (Net.exe,
Ipconfig.exe, and Netcfg.exe). Another option is to load Task Manager (Taskmgr.exe), which you can
use to determine which programs and services are running currently.
Note: Windows PE is not a complete operating system. Therefore, when you use the
Command Prompt tool in Windows RE, remember that not all programs that work in a Windows
operating system will work at the command prompt. Additionally, because there are no logon
requirements for Windows PE and Windows RE, Windows restricts the use of some programs for
security reasons, including many that administrators typically run.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Launch Windows RE
1. Restart 20688D-LON-CL1.
2. When prompted to Press any key to boot from CD or DVD, press the space bar. The computer
boots into Windows Setup.
7. On the Advanced options page, notice the four tools that are available.
3. At the command prompt, type list disk, and then press Enter.
4. At the command prompt, type list volume, and then press Enter.
7. At the command prompt, type dir, and then press Enter. This is the system drive.
9. At the command prompt, type net start, and then press Enter. A list of running services is returned.
10. At the command prompt, type sc query, and then press Enter. A list of services and their current
status is returned.
11. At the command prompt, type regedit, and then press Enter. The Registry Editor opens.
12. Close the Registry Editor.
13. At the command prompt, type exit, and then press Enter.
4. On the Startup Repair page, click Windows 8.1. Automatic startup repair begins.
Completion steps
After you have completed the practice session, leave the virtual machines running for the next
practice session.
System Restore
Windows 8.1 enables System Restore features automatically. System Restore takes snapshots of your
computer system, and then saves them as restore points. These restore points represent a point in time
for the computer's configuration when it was running successfully. Using System Restore does not affect
user data.
After you enable System Restore points, Windows 8.1 creates them automatically when the following
actions occur:
Automatically, if you choose to use System Restore to restore to a previous point in time.
In this last instance, System Restore creates a new restore point before it restores the system to a previous
state. This provides you with a recovery option should the restore operation fail or result in issues.
Windows RE does not create a restore point for the current state if you are in safe mode and you restore
to a previous state.
You may use System Restore when you install a device driver that results in a computer that is unstable,
or that fails to operate entirely. Earlier Windows operating system versions had a mechanism for driver
rollback, but it required the computer to start successfully from safe mode.
With Windows 8.1 computers, you can use System Restore to roll back drivers by accessing the System
Restore points, even when the computer does not start successfully.
System Restore also provides protection against accidental deletion of programs. When you add or
remove programs, System Restore creates restore points, and keeps copies of application programs (file
names with an .exe or .dll extension). If you accidentally delete an executable (.exe) file, you can use
System Restore to recover the file by selecting a recent restore point prior to when you deleted the
program.
Note: If you use System Restore to restore your computer to a previous point in time, be
aware that it may affect connectivity to the computer's domain. Specifically, if the computer's
password has changed since the restore point was created, your computer will be unable to sign
in to the domain. In this instance, you must reset the computer's secure channel with the domain.
You can do this by using the Windows PowerShell Reset-MachineAccountPassword cmdlet.
You can also use Netdom and Active Directory Users and Computers.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. The required virtual
machines should already be running. If they are not, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Create a restore point
5. In the System Properties dialog box, click the System Protection tab, and then click Create.
6. In the System Protection dialog box, in the text box, type Initial System Restore Point, and then
click Create.
7. Right-click Start, point to Shut down or sign out, and then click Restart.
2. When prompted to Press any key to boot from CD or DVD, press the spacebar.
4. On the Restore your computer to the state it was in before the selected event page, in the
unnamed drop-down list box, click Initial System Restore Point, and then click Next.
6. In the Once started, System Restore cannot be interrupted. Do you want to continue? dialog
box, click Yes. The system restore process begins.
Note: System Restore can take an extended period of time.
8. After your computer has restarted, sign in as Adatum\administrator with the password Pa$$w0rd.
Completion steps
After you have completed the practice session, leave the virtual machines running for the next
practice session.
Lesson 2
To troubleshoot a Windows 8.1 computer that fails to start properly, you must understand the startup
process, and the role of the BCD store in troubleshooting. This lesson describes the BCD store and how it
controls the startup process flow. It also describes the tools and utilities that you can use to configure the
Windows 8.1 startup process.
Lesson Objectives
After completing this lesson, you will be able to:
Use the System Configuration tool and the Advanced Startup options.
However, Windows 8.1 replaces the boot.ini file and NVRAM entries with the BCD store. This file is more
versatile than boot.ini, and it can apply to computer platforms that do not use BIOS to start the computer.
You also can apply the BCD store to firmware models, such as computers that are based on EFI.
Windows 8.1 stores the BCD as a registry hive. For BIOS-based systems, the BCD registry file is in the
active partition's \Boot directory. For EFI-based systems, the BCD registry file is on the EFI system partition.
Safe boot: Minimal. On startup, opens Windows Explorer in safe mode, which means it runs
only critical system services. Networking is disabled.
Safe boot: Alternate shell. On startup, opens the Windows command prompt in safe mode,
and runs only critical system services. Networking and Windows Explorer are disabled.
Safe boot: Active Directory repair. On startup, opens Windows Explorer in safe mode, and
runs only critical system services and Active Directory Domain Services (AD DS). This option
performs no function on a client operating system.
Safe boot: Network. On startup, opens Windows Explorer in safe mode, and runs only critical
system services. Networking is enabled.
No GUI boot. Does not display the Windows Welcome screen when starting.
Advanced options:
Maximum memory. Artificially limits the available random access memory (RAM).
BCDEdit.exe. You can use BCDEdit.exe, a command-line tool, to change the BCD, including removing
entries from the list that displays operating systems. This advanced tool is for administrators and IT
professionals. BCDEdit.exe replaces Bootcfg.exe.
The BCDEdit tool currently enables you to:
Adding a new hard disk to your Windows 8.1 computer, and changing the logical drive
numbering.
Installing additional operating systems on your Windows 8.1 computer to create a multiboot
configuration.
Deploying Windows 8.1 to a new computer with a blank hard disk, requiring you to configure the
appropriate boot store.
The following table provides additional information about the command-line syntax for BCDEdit.exe.
Command             Description
/export             Exports the contents of the system store to a file, which you can later use to restore the store.
/import             Restores the system store from a file that you created with /export.
/create             Creates a new entry in the store.
/delete             Deletes an entry from the store.
/set                Sets the value of an element (option) for an entry.
/default            Specifies the entry that Windows Boot Manager starts by default when the timeout expires.
/displayorder       Sets the order in which Windows Boot Manager displays the entries on the boot menu.
/toolsdisplayorder  Sets the order in which Windows Boot Manager displays the entries on the Tools menu.
/timeout            Sets the time, in seconds, that Windows Boot Manager waits before it starts the default entry.
/dbgsettings        Sets the global debugger settings (connection type, port, and so on).
/debug              Enables or disables kernel debugging for an operating system entry.
/v                  Displays entries in verbose mode (full identifiers instead of well-known names).
/bootems            Enables or disables Emergency Management Services (EMS) for a boot application.
/ems                Enables or disables EMS for an operating system entry.
/emssettings        Sets the global EMS settings.
BootRec.exe. You use BootRec.exe with the /rebuildbcd option to rebuild the BCD. You must run
Bootrec.exe in Windows RE. If rebuilding the BCD does not resolve the startup issue, you can export
and delete the BCD, and then run this option again. By doing this, you ensure that the BCD rebuilds
completely.
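The BCD store described above can also be reviewed offline. The following Python script is an added example (my code, not part of the course): it parses a saved `bcdedit /enum` capture and reports loader entries that have testsigning or nointegritychecks turned on, entries with recoveryenabled set to No (which disables the automatic failover to Windows RE discussed in Lesson 1), and a /default entry that no longer exists in the store. The sample output and its GUID are constructed placeholders.

```python
"""Added example (not course code): audit a saved `bcdedit /enum` capture for
settings that weaken boot integrity or automatic failover to Windows RE."""
import re
from typing import Dict, List

# Constructed sample in the shape of `bcdedit /enum` output; the GUID is a
# placeholder, not an identifier taken from a real system.
SAMPLE_ENUM = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
displayorder            {current}
                        {22222222-3333-4444-5555-666666666666}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 8.1
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \\Windows

Windows Boot Loader
-------------------
identifier              {22222222-3333-4444-5555-666666666666}
device                  partition=D:
path                    \\Windows\\system32\\winload.exe
description             Windows 8.1 (test build)
testsigning             Yes
nointegritychecks       Yes
recoveryenabled         No
osdevice                partition=D:
systemroot              \\Windows
"""

# One entry: element name -> list of values (displayorder can span lines).
Entry = Dict[str, List[str]]


def parse_bcd_enum(text: str) -> List[Entry]:
    """Split bcdedit /enum text into entries keyed by lower-cased element name."""
    entries: List[Entry] = []
    current: Entry = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if set(line.strip()) == {"-"}:            # underline below the title
            continue
        if line[0].isspace():                     # continuation of a multi-valued element
            if last_key is not None:
                current[last_key].append(line.strip())
            continue
        m = re.match(r"(\S+)\s{2,}(.*)", line)
        if m is None:                             # "Windows Boot Loader" style title
            current.setdefault("_type", []).append(line.strip())
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        entries.append(current)
    return entries


def audit_bcd(entries: List[Entry]) -> List[str]:
    """Return one finding per risky loader setting, plus a dangling default entry."""
    findings: List[str] = []
    by_id = {e["identifier"][0]: e for e in entries if "identifier" in e}
    default = by_id.get("{bootmgr}", {}).get("default", [None])[0]
    if default is not None and default not in by_id:
        findings.append(f"default entry {default} is not in the store")
    for e in entries:
        if e.get("_type", [""])[0] != "Windows Boot Loader":
            continue
        tag = f"{e['identifier'][0]} ({e.get('description', ['?'])[0]})"
        if e.get("testsigning", ["No"])[0].lower() == "yes":
            findings.append(f"{tag}: testsigning is on; test-signed drivers will load")
        if e.get("nointegritychecks", ["No"])[0].lower() == "yes":
            findings.append(f"{tag}: nointegritychecks is on; driver signature enforcement is off")
        if e.get("recoveryenabled", ["Yes"])[0].lower() == "no":
            findings.append(f"{tag}: recoveryenabled is No; automatic failover to Windows RE is off")
    return findings


if __name__ == "__main__":
    for finding in audit_bcd(parse_bcd_enum(SAMPLE_ENUM)):
        print(finding)
```

To audit a real computer, redirect `bcdedit /enum` to a text file from an elevated command prompt and pass its contents to parse_bcd_enum instead of the sample.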
Preparation Steps
For this practice session, you need to use the available virtual machine environment. The required virtual
machines should already be running. If they are not, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Access advanced startup options
4. Click Recovery.
7. On the Advanced options page, click Command Prompt. Your computer restarts into the
Command Prompt mode.
3. At the command prompt, type bcdedit /enum, and then press Enter. This lists the available boot
options in the store.
2. At the command prompt, type bootrec /scanos, and then press Enter. This command scans the
partitions for viable operating systems.
3. At the command prompt, type bootrec /rebuildbcd, and then press Enter. This command rebuilds
the boot store automatically.
Completion steps
After you have completed the practice session, leave the virtual machines running for the next
practice session.
Startup options
If you select the Make All Boot Settings Permanent check box, any changes that you make using
MSConfig will be permanent. If you do not select this check box, then any changes are undone if later you
select the Normal startup option.
The System Configuration dialog box has five tabs:
General. Use the settings on this tab to select the startup environment. You can choose between
Normal, Diagnostic, or Selective startup.
Boot. Use the settings on this tab to select boot options, such as Safe boot, No GUI boot, and Base
video. On this tab, you also can select Advanced options, such as selecting the number of processors
that you want to use, setting the maximum memory available, or locking peripheral component
interconnect (PCI) devices to resources.
Services. You use this tab to view a list of all services that start when the computer boots, and
their current status, which is either Running or Stopped. You can use this tab to enable or disable
individual services at boot time to troubleshoot services that might be contributing to startup
problems. You also can select the option to Hide all Microsoft services, which enables you to identify
nonstandard services that might be causing a startup problem.
Startup. Use this tab to access a link to the Startup tab in Task Manager.
Tools. Use this tab as a shortcut to launch various system tools. For example, you can change
the settings for User Account Control, launch the Action tab, and access Computer Management and
other system tools.
4. Click Recovery.
6. Once your computer restarts, on the Choose an option page, click Troubleshoot.
8. From the Advanced options page, you can access the following tools:
System Restore
Startup Repair
Command Prompt
Startup Settings
10. When your computer restarts, at the Startup Settings window, you can select the appropriate
advanced startup option by pressing the corresponding numeric key.
Note: If the operating system does not start, use Windows RE to access these advanced
startup options.
Available Options
The following options are available from the Startup Settings menu:
Enable debugging. Starts the Windows operating system with kernel debugging enabled, so that a kernel
debugger running on another computer can attach to it. This advanced troubleshooting mode is intended
for information technology (IT) professionals and system administrators, and lets you examine the
behavior of the operating system's device drivers. It is especially useful if the operating system stops
unexpectedly, because it provides additional information for driver developers.
Enable boot logging. Creates the Ntbtlog.txt file in the Windows folder, which can be useful for advanced
troubleshooting. This file lists every driver that the Windows operating system attempted to load during
startup, and whether or not it loaded.
Enable low-resolution video. Starts the Windows operating system using your current video driver,
with low resolution and refresh rate settings. Use this mode to reset your display settings.
Enable safe mode. Starts the Windows operating system with a minimal set of drivers and services.
This is one of the most useful boot options, because it provides access to the operating system when
a high-level service or application prevents a normal boot. This enables you to perform diagnostics
and fix the problem.
Enable safe mode with networking. Starts the Windows operating system in safe mode, and includes
the network drivers and services that you need to access the Internet or other network computers.
Enable safe mode with command prompt. Starts the Windows operating system in safe mode with a
Command Prompt window as the shell, instead of the Windows desktop (Explorer). You typically use this
when other startup options do not work.
Disable driver signature enforcement. Allows drivers that are unsigned, or whose signature is invalid, to
load for this boot only. Use it only to diagnose a specific driver problem, because it removes a key
defense against unauthorized kernel-mode code; the setting does not persist across restarts.
Disable early launch anti-malware protection. Prevents the early launch anti-malware (ELAM) driver from
running for this boot. Normally ELAM loads an anti-malware driver before all non-Microsoft boot-start
drivers and applications, evaluates each of them, and prevents drivers that it classifies as unapproved
from loading. Use this option only when the ELAM driver itself is blocking a legitimate driver that the
computer needs in order to start.
Disable automatic restart after failure. Prevents the Windows operating system from restarting
automatically if an error causes the operating system to fail. Choose this option only if the computer
loops through the startup process repeatedly by failing to start correctly, and then attempting
another restart.
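The following PowerShell functions are an added example; they are not part of the course text. They show the persistent BCD settings behind the one-time Startup Settings choices above, and audit a computer for settings that leave driver signature enforcement, early launch anti-malware, or kernel debugging switched off on every boot. The functions call the real bcdedit.exe; the function names are this example's own, and the parsing assumes English-language bcdedit output.

```powershell
# Added example (not from the course text). Requires an elevated PowerShell
# session. The element names are documented BCD settings; parsing assumes the
# English "Yes"/"No" output of bcdedit.exe. Function names are the example's own.

function Get-BcdElements {
    # Returns the elements of one boot entry as a hashtable (name -> value).
    param([string]$Identifier = '{current}')
    $output = & bcdedit.exe /enum $Identifier 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed: $output" }
    $elements = @{}
    foreach ($line in $output) {
        # Element lines look like "safeboot                Minimal".
        if ($line -match '^([A-Za-z]+)\s+(\S.*?)\s*$') {
            $elements[$Matches[1].ToLowerInvariant()] = $Matches[2]
        }
    }
    return $elements
}

function Test-BootProtectionWeakened {
    # The F7/F8 Startup Settings choices apply to one boot only. These BCD
    # elements weaken boot-time protection on every boot until removed.
    # Returns one string per finding; an empty array means nothing was found.
    param([string]$Identifier = '{current}')
    $e = Get-BcdElements -Identifier $Identifier
    $checks = [ordered]@{
        nointegritychecks  = 'driver signature enforcement disabled'
        testsigning        = 'test-signed kernel-mode drivers accepted'
        disableelamdrivers = 'early launch anti-malware disabled'
        debug              = 'kernel debugger enabled'
    }
    $findings = @()
    foreach ($name in $checks.Keys) {
        if ($e[$name] -eq 'Yes') {
            $findings += ('{0}=Yes ({1})' -f $name, $checks[$name])
        }
    }
    return ,$findings
}

function Set-PersistentSafeBoot {
    # What the MSConfig Boot tab "Safe boot" check box does: a BCD setting that
    # stays in force until removed (the MSConfig "Normal startup" option).
    param([switch]$Network, [switch]$Remove)
    if ($Remove) {
        & bcdedit.exe /deletevalue '{current}' safeboot | Out-Null
    } else {
        $mode = if ($Network) { 'network' } else { 'minimal' }
        & bcdedit.exe /set '{current}' safeboot $mode | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (exit code $LASTEXITCODE)" }
}

function Set-BootLogging {
    # Persistent form of "Enable boot logging": writes %SystemRoot%\Ntbtlog.txt
    # on every boot until disabled.
    param([switch]$Disable)
    $value = if ($Disable) { 'No' } else { 'Yes' }
    & bcdedit.exe /set '{current}' bootlog $value | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (exit code $LASTEXITCODE)" }
}

# Usage (elevated):
#   Test-BootProtectionWeakened   # expect no output on a correctly configured computer
#   Set-PersistentSafeBoot        # later boots go to safe mode until Set-PersistentSafeBoot -Remove
#   Set-BootLogging               # then read %SystemRoot%\Ntbtlog.txt after the next restart
```

Run Test-BootProtectionWeakened as part of any review of a computer that has been "fixed" with the Startup Settings menu: the one-time options are harmless, but the persistent BCD equivalents are exactly what an attacker sets to keep an unsigned kernel driver loading after every restart.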
Preparation Steps
For this practice session, you need to use the available virtual machine environment. The required virtual
machines should already be running. If they are not, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Load the System Configuration tool
1. On LON-CL1, on the Start screen, type msconfig.exe, and then press Enter.
2. On the Boot tab, select the Safe boot check box, and then click OK.
2. When the computer has restarted, sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Notice that the desktop is modified to include Safe Mode in each corner.
2. In the System Configuration dialog box, on the General tab, click Normal startup, and then
click OK.
4. When the computer has restarted, sign in as Adatum\Administrator with the password Pa$$w0rd.
4. Click Recovery.
10. When the computer has restarted, on the Startup Settings page, press Enter to start normally. You
will not use any of the Startup Settings during this practice.
Completion steps
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
Lesson 3
Failures of an operating system service often result in problems that are not severe enough to prevent the
computer from starting, but are enough to restrict functionality. Therefore, it is important that you
understand how to identify and resolve service-related startup problems.
Lesson Objectives
After completing this lesson, you will be able to:
Operating system services are part of the operating system rather than something that you install after
the operating system deploys. Additionally, operating system services function with no user action. In fact,
they start before a user logs on to the computer.
The difference between operating system services and device drivers is that device drivers interact directly
with hardware devices or components, while an operating system service generally interacts with other
software components in the operating system. From a management perspective, the difference is more
obvious: you use Device Manager to manage device drivers, and you use the Services Microsoft
Management Console (MMC) snap-in (services.msc) to manage system services.
Event Viewer
Windows 8.1 includes a tool called Event Viewer, which allows you to examine certain log files that
provide information about applications, system events, and security-related matters. Event Viewer
provides access to the Windows logs, and to applications and services logs.
The Windows logs files provide the following information:
Application log. The application log contains events that applications generate. For example, a
database program records a file error in the application log, and the program developer decides
which events to record.
Security log. The security log records security events, such as valid and invalid logon attempts, and
events related to resource use, such as creating, opening, or deleting files. An administrator specifies
which events Windows 8.1 records in the security log by configuring an audit policy, typically through a
domain-wide Group Policy object.
System log. The system log contains events that the system components in Windows 8.1 generate. For
example, if a driver or other system component fails to load during startup, Windows 8.1 records this
failure in the system log. Windows 8.1 predetermines the event types that the system components
log.
When you troubleshoot startup problems with services, pay special attention to error events that the
system log records. All users can access the application and system logs, but only members of the local
Administrators group can use the security log.
If you encounter problems with service startup, examine the system and application logs for related
events.
Windows 8.1 assigns each logged event a level. The three that you will see most often are:
Information events
Warning events
Error events
Log Files
In addition to the logs accessible from Event Viewer, Windows 8.1 records other events in other log files.
For example, use MSConfig.exe to configure Windows 8.1 to record a boot log file when it starts. The boot
log file, Ntbtlog.txt, is stored in the Windows folder. It contains a list of all drivers and some services that
start during the boot process. If a problem occurs with a service, activate boot logging, and then examine
the log.
Stop Codes
If the Windows 8.1 operating system experiences a system failure, it displays a stop code on a blue
screen. The stop code may name the device driver or service that caused the failure, and may contain
other information to help you diagnose the reason for it. Windows 8.1 also records information about
the failure in a memory dump file: by default, a kernel or complete dump is written to
%SystemRoot%\MEMORY.DMP, and a small memory dump is written to the %SystemRoot%\Minidump
folder. Open the dump file in a kernel debugger such as WinDbg to determine the reason for the failure.
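An added example, not part of the course text, that reads the three sources described above from PowerShell: the boot log, the bugcheck record that Windows writes to the System log after a blue screen, and the crash dump configuration in the registry. The function names are the example's own, and the sample boot log lines at the end are constructed for illustration.

```powershell
# Added example (not from the course text). Function names are the example's
# own; the boot log format, event 1001, and the CrashControl registry values
# are real. The sample boot log at the end is constructed for illustration.

function Get-DriversThatDidNotLoad {
    # Parses Ntbtlog.txt and returns the drivers Windows tried but failed to
    # load. Takes raw lines so it can be run against a copy of the log too.
    param([string[]]$Lines = (Get-Content "$env:SystemRoot\Ntbtlog.txt"))
    $Lines | ForEach-Object {
        if ($_ -match '^Did not load driver (.+)$') { $Matches[1].Trim() }
    } | Sort-Object -Unique
}

function Get-LastBugcheck {
    # After a blue screen and restart, event 1001 from the System Error
    # Reporter records the stop code with its four parameters and the dump
    # file that was saved. Returns $null if the computer has not bugchecked.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporter'
        Id           = 1001
    }
    $ev = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $ev) { return $null }
    [pscustomobject]@{
        Time     = $ev.TimeCreated
        Bugcheck = [string]$ev.Properties[0].Value   # e.g. "0x0000007b (0x..., 0x..., 0x..., 0x...)"
        DumpFile = [string]$ev.Properties[1].Value
    }
}

function Get-CrashDumpConfig {
    # CrashControl holds the settings behind "Write debugging information" in
    # System Properties. AutoReboot = 0 is the persistent form of the
    # "Disable automatic restart after failure" startup option.
    $cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $kinds = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
    [pscustomobject]@{
        DumpType    = $kinds[[int]$cc.CrashDumpEnabled]
        DumpFile    = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)
        MinidumpDir = [Environment]::ExpandEnvironmentVariables([string]$cc.MinidumpDir)
        AutoReboot  = ([int]$cc.AutoReboot -eq 1)
    }
}

# Constructed sample in the Ntbtlog.txt format, for running the parser without a real log:
$SampleBootLog = @(
    'Microsoft (R) Windows (R) Version 6.3 (Build 9600)',
    'Loaded driver \SystemRoot\system32\ntoskrnl.exe',
    'Loaded driver \SystemRoot\System32\drivers\disk.sys',
    'Did not load driver \SystemRoot\System32\drivers\contoso_storage.sys',
    'Did not load driver \SystemRoot\System32\drivers\contoso_storage.sys'
)
# Usage:
#   Get-DriversThatDidNotLoad -Lines $SampleBootLog   # one entry: \SystemRoot\System32\drivers\contoso_storage.sys
#   Get-DriversThatDidNotLoad                         # the real log, after enabling boot logging
#   Get-LastBugcheck; Get-CrashDumpConfig
```

The boot log repeats a driver name once per failed attempt, which is why the parser de-duplicates; the dump configuration is worth checking before a crash, because a computer set to "None" or to automatic restart leaves you with nothing to analyze afterwards.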
Action Center
Action Center is a consolidated tool that enables you to track and repair reported problems. You also can
configure Action Center to determine how your computer reports problems. Additionally, you can use
Action Center to examine problems that Windows reports.
Disabling Services
After you determine which service is causing the startup problem, you can disable it. Depending on the
circumstances, you can disable a service in several ways:
Safe Mode
If you can start the operating system either normally or in safe mode, you can access the command
prompt. If you cannot start the operating system, you can access the Command Prompt recovery tool
from Windows RE. At the command prompt, use either the net command or SC.exe to start, stop, enable,
and disable services manually.
Use MSConfig.exe to specify which services you want to run on startup. MSConfig.exe displays a list of
services that start automatically, and you can selectively disable services. You also can use this tool to start
the computer in Safe mode, and to configure additional startup characteristics while you troubleshoot the
computer. To run the System Configuration tool, you must sign in with administrative rights.
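The following PowerShell functions are an added example, not part of the course text. They pull Service Control Manager errors from the System log and show the start type and image path of each failing service, list services that were installed recently (a service that appeared just before the problems started is a prime suspect, and also a common persistence mechanism), and disable a service at boot with sc.exe, which is what clearing a check box on the MSConfig Services tab does. The function names are the example's own; the event IDs and cmdlets are real.

```powershell
# Added example (not from the course text). Function names are the example's
# own; the Service Control Manager event IDs, Get-WinEvent, CIM and sc.exe
# calls are real. Run elevated so that sc.exe can change configuration.

function Get-ServiceStartupFailures {
    # Service Control Manager error events from the last $Days days. For
    # 7000/7001/7023/7024/7034, Properties[0] is the service display name; for
    # 7026 (boot-start or system-start drivers that failed) it is a driver list.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Level        = 2                                  # 2 = Error
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $display = [string]$_.Properties[0].Value
        $escaped = $display.Replace("'", "\'")            # WQL string escaping
        $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$escaped'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Service   = $display
            Name      = $svc.Name
            StartMode = $svc.StartMode                    # Auto, Manual, Disabled, Boot, System
            ImagePath = $svc.PathName
            Message   = ([string]$_.Message -split "`r?`n")[0]
        }
    }
}

function Get-RecentlyInstalledServices {
    # Event 7045, "A service was installed in the system". A service that
    # appeared just before the startup problems began is a prime suspect; the
    # same event is also how malware persisting as a service shows up.
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Name      = $_.Properties[0].Value
            ImagePath = $_.Properties[1].Value
            StartType = $_.Properties[3].Value
            Account   = $_.Properties[4].Value
        }
    }
}

function Disable-ServiceAtBoot {
    # Same effect as clearing the service's check box on the MSConfig Services
    # tab. Reverse it with 'sc.exe config <name> start= auto'. sc.exe needs the
    # space after 'start='; the .exe suffix avoids PowerShell's 'sc' alias.
    param([Parameter(Mandatory)][string]$Name)
    & sc.exe stop $Name | Out-Null
    & sc.exe config $Name start= disabled | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $Name (exit code $LASTEXITCODE)" }
    (Get-CimInstance Win32_Service -Filter "Name='$Name'").StartMode   # 'Disabled' on success
}

# Usage (elevated):
#   Get-ServiceStartupFailures -Days 3 | Format-Table Time, EventId, Service, StartMode, ImagePath
#   Get-RecentlyInstalledServices | Format-Table Time, Name, ImagePath, Account
#   Disable-ServiceAtBoot -Name 'ContosoAgent'    # hypothetical service name
```

The image path is included deliberately: a failing service whose binary sits in a user profile or temp folder, or whose path is unquoted and contains spaces, is a security finding as much as a startup problem.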
A number of users have reported startup problems to the help desk. You must investigate these problems
and attempt resolutions.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Adatum
Adam tried to install an additional operating system on his computer to run a specific line-of-business
application. He did not get far in the installation process before abandoning the attempt. Since then,
Adam receives an error message on startup that begins with: Your PC needs to be repaired, the Boot
Configuration Data file is missing required information.
Incident Record
Incident Reference Number: 722137
Date of Call
Time of Call
User
Status
September 29
10:45
Adam Barr (Marketing Department)
OPEN
Incident Details
Adam Barr has reported that his computer will not start properly.
Incident Record
Additional Information
Adam had been trying to install an additional operating system on his computer so that he could
run a specific line-of-business application. He abandoned the installation after getting only partly
through the process. Since then, his computer displays the following error message when it starts:
Recovery
Your PC needs to be repaired
The Boot Configuration Data file is missing required information.
File: \Boot\BCD
Status: 0xc0000034
You will need to use the recovery tools on your installation media. If you do not have any installation
media (such as a disc or USB flash drive), contact your system administrator or PC manufacturer.
Plan of Action
Resolution
Task 1: Read the help desk Incident Record for Incident 722137
2. Update the Plan of Action section in the Incident Record with your recommendations.
Switch to LON-CL1.
Password: Pa$$w0rd
Attempt to resolve the problem by using your knowledge of the startup architecture and the tools
available for troubleshooting the startup environment.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment and begin again.
Results: After completing this exercise, you should have resolved the startup problem.
Another user has been trying to install new devices and has experienced a problem following a recent
driver update. The computer starts up with errors. You visit the user computer to verify the problem and
then attempt to resolve it.
Incident Record
Incident Reference Number: 722140
Date of Call
Time of Call
User
Status
September 30
13:30
Chris Sells (Research Department)
OPEN
Incident Details
Chris contacted the help desk after attempting to install a new hard disk driver.
Since the attempt, his computer does not start correctly.
Additional Information
Help desk staff recorded the following message:
:(
Your PC ran into a problem and needs to restart. We're just collecting some error info, and then you
can restart. (0% complete)
If you'd like to know more, you can search online later for this error: INACCESSIBLE_BOOT_DEVICE
Plan of Action
Resolution
Task 1: Read the help desk Incident Record for Incident 722140
2. Update the Plan of Action section in the Incident Record with your recommendations.
Switch to LON-CL1.
Password: Pa$$w0rd
1. Attempt to resolve the problem by using your knowledge of the startup architecture and the tools
available for troubleshooting the startup environment.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment and begin again.
Results: After completing this exercise, you should have successfully resolved a startup problem.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
Lesson 4
BitLocker helps protect computers that are lost or stolen from data theft or exposure, and offers
more secure data deletion when computers are decommissioned. Data on a lost or stolen computer is
vulnerable to unauthorized access, either by running a software attack tool against it, or by transferring
the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access on
lost or stolen computers by combining two major data-protection procedures: encrypting the entire
Windows operating system volume on the hard disk, and encrypting multiple fixed volumes.
Lesson Objectives
After completing this lesson, you will be able to:
Describe BitLocker.
Overview of BitLocker
BitLocker provides additional protection for a
computer operating system and any data that is
stored on the operating system volume. It helps
ensure that data stored on a computer remains
encrypted, even if someone tampers with the
computer while the operating system is not
running.
BitLocker Drive Encryption performs two functions that provide both offline data protection and
system-integrity verification:
It encrypts all data stored on the Windows operating system volume (and configured data volumes).
This includes the Windows operating system, hibernation and paging files, applications, and data that
applications use.
BitLocker also provides an umbrella protection for non-Microsoft applications, which benefits the
applications automatically when they are installed on the encrypted volume.
It is configured, by default, to use a TPM to help ensure the integrity of early startup components by
ensuring that no one has made any modifications to the trusted boot path, such as BIOS, boot sector,
and boot manager. Once the TPM has verified that there are no changes, it releases the decryption
key to the Windows OS Loader. If TPM does detect changes, it locks any BitLocker-protected volumes,
so they remain protected even if someone tampers with the computer when the operating system is
not running.
Note: The Windows 8.1 installation process partitions the computer's hard disk to enable
the use of BitLocker.
Locking the system when it is tampered with. If anyone has tampered with monitored files, the system
does not start. This alerts the user to the tampering because the system fails to start as usual. In the
event that system lockout occurs, BitLocker offers a simple recovery process.
In conjunction with the TPM, BitLocker verifies the integrity of early startup components. This helps
prevent additional offline attacks, such as attempts to insert malicious code into these components. This
functionality is important because the components in the earliest part of the startup process must be
available in an unencrypted format so that the computer can start.
Note: You may need to enable the TPM in your computer's BIOS or UEFI firmware settings.
If an attacker can gain access to the startup process components, they can change the code in these
components, and then get access to the computer even though the data on the disk was encrypted. Once
the attacker gains access to confidential information such as the BitLocker keys or user passwords, the
attacker can circumvent BitLocker and other Windows security protections.
BitLocker does not require a TPM. However, only a computer with a TPM can provide the additional
security of prestartup system-integrity verification. Perform the following steps to determine if a computer
has a TPM version 1.2 or later chip:
1. Open Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. In the lower left corner, click TPM Administration. The TPM Management on Local Computer
console opens. If the computer does not have a compatible TPM, the Compatible TPM cannot be
found message displays.
Note: On computers that do not have TPM 1.2, you can still use BitLocker to encrypt the
Windows operating system volume. However, this implementation does not include a TPM, and
requires the user to insert a USB startup key to start the computer or resume from hibernation. It
also does not provide the prestartup system integrity verification that BitLocker provides when
working with a TPM.
A 48-digit number divided into eight groups. During recovery, use the function keys to type this
password into the BitLocker Recovery Console.
A recovery key in a format that the BitLocker Recovery Console can read directly.
Making the BitLocker encrypted drive a secondary drive to another computer to recover its data.
If BitLocker enters a locked state, you will need the recovery password to unlock the encrypted data on
the volume. A recovery password is unique to a particular BitLocker encryption, and you cannot use it to
recover encrypted data from any other BitLocker encryption session.
A computer's password ID is a 32-character identifier that is unique to each recovery password; the
BitLocker recovery screen shows its first eight characters. You can find the password ID under a
computer's property settings, and you can use it to locate passwords stored in AD DS. To locate a
password, the following conditions must be met:
Prior to searching for and providing a BitLocker recovery password to a user, confirm that the person is
the account owner and is authorized to access data on the computer in question.
You search for the password in Active Directory Users and Computers by using one of the following:
Drive label
Password ID
When you search by drive label, after locating the computer, right-click the drive label, click Properties,
and then click the BitLocker Recovery tab to view associated passwords.
To search by password ID, right-click the domain container, and then click Find BitLocker Recovery
Password. In the Find BitLocker Recovery Password dialog box, enter the first eight characters of the
password ID in the Password ID field, and then click Search.
Examine the returned recovery password to ensure that it matches the password ID that the user provides.
Performing this step helps to verify that you have obtained the correct unique recovery password.
BitLocker for Windows 8.1 provides data recovery agent support for all protected volumes. This provides
users with the ability to recover data from any BitLocker and BitLocker To Go device when the data is
inaccessible. This technology assists in the recovery of corporate data on a portable drive using the key
created by the enterprise.
Data recovery agent support allows you to dictate that all BitLocker-protected volumes (such as operating
system, fixed, and new portable volumes), are encrypted with an appropriate data recovery agent. The
data recovery agent is a new key protector that is written to each data volume so that authorized IT
administrators will always have access to BitLocker-protected volumes.
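The following PowerShell functions are an added example, not part of the course text. They perform the TPM check, the protector listing, the recovery password escrow to AD DS, and the password reset that the practice session and lab below do through the GUI, using the BitLocker and TrustedPlatformModule modules that ship with Windows 8.1. Function names are the example's own; the cmdlets are real. Treat the recovery password the functions return as a secret: it unlocks the volume on its own.

```powershell
# Added example (not from the course text). Uses the BitLocker and
# TrustedPlatformModule modules that ship with Windows 8.1. Run elevated.
# Function names are the example's own; the cmdlets are real.

function Test-TpmReadyForBitLocker {
    # The question the TPM Administration console answers: is a TPM present
    # and ready? Without one, BitLocker still encrypts the operating system
    # volume but cannot verify the integrity of the early boot components.
    $tpm = Get-Tpm
    [pscustomobject]@{ Present = $tpm.TpmPresent; Ready = $tpm.TpmReady }
}

function Get-BitLockerProtectorSummary {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus   # On / Off
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = @($vol.KeyProtector | ForEach-Object {
            # The "password ID" a user reads from the recovery screen is the first
            # eight characters of the protector GUID (without the braces).
            '{0} {1}' -f $_.KeyProtectorType, $_.KeyProtectorId.Trim('{}').Substring(0, 8)
        })
    }
}

function Add-RecoveryPasswordToAdDs {
    # Adds a 48-digit recovery password protector and escrows it in AD DS so
    # the help desk can find it by password ID. The backup succeeds only when
    # the BitLocker Group Policy that stores recovery information in AD DS is
    # in force and the computer can write to its own computer object.
    # The returned RecoveryPassword unlocks the volume by itself: handle it as a secret.
    param([string]$MountPoint = 'C:')
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[-1]
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    [pscustomobject]@{
        PasswordId       = $rp.KeyProtectorId.Trim('{}')
        RecoveryPassword = $rp.RecoveryPassword
    }
}

function Reset-BitLockerPasswordProtector {
    # After a recovery like the one in the lab: replace the forgotten password
    # protector with a new one, leaving the recovery password protector in place.
    param([string]$MountPoint = 'C:', [Parameter(Mandatory)][securestring]$NewPassword)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($p in @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Password')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $NewPassword | Out-Null
    Get-BitLockerProtectorSummary -MountPoint $MountPoint
}

# Usage (elevated):
#   Test-TpmReadyForBitLocker
#   Get-BitLockerProtectorSummary -MountPoint C:
#   Add-RecoveryPasswordToAdDs -MountPoint C:          # record the RecoveryPassword it returns
#   Reset-BitLockerPasswordProtector -MountPoint C: -NewPassword (Read-Host -AsSecureString 'New password')
#   A locked data drive can be opened with the recovery password instead of the forgotten one:
#   Unlock-BitLocker -MountPoint E: -RecoveryPassword '<48-digit recovery password>'
```

Adding the new recovery password before removing the old password protector, as Reset-BitLockerPasswordProtector does, matters: a volume whose last protector has been removed is unrecoverable if the next step fails.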
Enable BitLocker.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Configure required GPO settings
3. In the Local Group Policy Editor, expand Computer Configuration, expand Administrative
Templates, expand Windows Components, and then expand BitLocker Drive Encryption.
6. In the Require additional authentication at startup dialog box, click Enabled, and then click OK.
9. At the command prompt, type gpupdate /force, and then press Enter.
Enable BitLocker
1. On LON-CL1, on the desktop, on the Taskbar, click the File Explorer icon.
4. In the Format Floppy Disk Drive (A:) dialog box, click Start, and then click OK.
7. In the results pane, right-click Local Disk (C:), and then click Turn on BitLocker.
8. In the BitLocker Drive Encryption (C:) dialog box, click Enter a password. This is necessary because
the virtual machine does not support USB flash drives.
9. On the Create a password to unlock this drive page, in the Enter your password and Reenter
your password boxes, type Pa$$w0rd, and then click Next.
10. On the How do you want to back up your recovery key? page, click Save to a file.
11. In the Save BitLocker recovery key as dialog box, click Floppy Disk Drive (A:).
3. Click Media, point to Diskette Drive, and then click Insert Disk.
5. On the 20688D-LON-CL1 virtual machine, in the Save BitLocker recovery key as error message
dialog box, click OK.
1. During the restart sequence, when the BitLocker screen displays, in the Enter the password to
unlock this drive box, type Pa$$w0rd, and then press Enter.
6. Right-click Local Disk (C:), and then click Manage BitLocker. Notice that the drive is now being
encrypted.
8. In This PC, double-click Floppy Disk Drive (A:), and then double-click the file that starts BitLocker
Recovery Key.
9. Write down the recovery key that displays in the file. You will need this for the lab, so write carefully.
Completion steps
After you have completed the practice session, leave the virtual machines running for the lab.
BitLocker To Go
If a laptop is lost or stolen, the loss of data
typically has more impact than the loss of the
computer asset. As more people use removable
storage devices, they can lose data without
losing a PC. BitLocker To Go provides enhanced
protection against data theft and exposure by
extending BitLocker Drive Encryption support to
removable storage devices, such as USB flash
drives. You manage BitLocker To Go through
Group Policy.
Password: This is a combination of letters, symbols, and numbers the user will enter to unlock the
drive.
Smart card: In most cases, a user's organization issues the smart card, and the user enters a smart card
PIN to unlock the drive.
After choosing the unlock method, users must print or save their recovery key. You can store this 48-digit
key in AD DS, so that you can access it if another unlock method fails, such as when users forget their
passwords. Finally, users must confirm their unlock selections to begin encryption.
When you insert a BitLocker-protected drive into your computer, Windows will detect that the drive is
encrypted automatically, and then will prompt you to unlock it.
Note: If a user forgets the passphrase for the device, he or she can use the I forgot my
passphrase option from the BitLocker Unlock Wizard to recover it. Clicking this option displays a
recovery password ID that the user supplies to an administrator, who then uses the password ID
to obtain the device's recovery password. This recovery password can be stored in AD DS and
retrieved with the BitLocker Recovery Password Viewer.
A user contacts the help desk explaining that he cannot start his computer. You identify the problem as
relating to BitLocker. You must visit the user's computer and attempt to recover the hard drive so that the
user can start his computer. After recovery, you must provide new BitLocker keys and passwords.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. The virtual machines should
already be running from the preceding practice session. If they are not, you must complete the following
steps and then complete the preceding practice session:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Adatum
Dan cannot start his computer. He has logged a call with the help desk. Your job is to resolve the incident.
A work colleague has determined a plan of action. You must attempt a resolution based on this plan.
Incident Record
Incident Reference Number: 722151
Date of Call
Time of Call
User
Status
September 30
14:27
Dan Park (Sales Department)
OPEN
Incident Details
Dan cannot remember his BitLocker password and cannot start his computer.
Additional Information
The user has a recovery key somewhere, but has no idea what to do with it.
(Write the recovery key you recorded at the end of the last practice session below)
Recovery Key:
Plan of Action
Visit the users computer and verify the problem.
Locate the recovery key.
Attempt to recover the drive by entering the recovery key.
Resolution
Task 1: Read the help desk Incident Record for Incident 722151
1. Read the Additional Information section of the Incident Record. Update it with the recovery key you
recorded earlier.
2. On LON-CL1, right-click Start, point to Shut down or sign out, and then click Restart.
b. During the restart sequence, when the BitLocker Drive Encryption screen displays, in the Enter
the password to unlock this drive text box, type wrong password, and then press Enter.
Notice that you cannot access the computer with the password the user has provided.
Attempt to resolve the problem by using your knowledge of BitLocker and the tools available for
troubleshooting it.
3. If you are unable to resolve the problem, ask your instructor for additional guidance.
Results: After completing this exercise, you should have recovered a BitLocker-encrypted drive and
enabled the computer to start up.
Results: After you have completed this exercise, you should have created a new BitLocker password.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
Module 3
Troubleshooting Hardware and Device Drivers
Module Overview
Devices have become complex, multifunction peripherals that have evolved from hardware that you
install in your computer to hardware that you connect to your computer using USB, Bluetooth wireless
technology, and Wi-Fi. To support users with computers running Windows 8.1, you must understand how
to troubleshoot hardware devices and drivers.
Objectives
After completing this module, you will be able to:
Lesson 1
This lesson provides an overview of troubleshooting hardware-related problems, and discusses specific
considerations for using USB and cordless devices on computers that are running Windows 8.1. It is
important that you understand common hardware-related problems so that you can support your users.
Lesson Objectives
After completing this lesson, you will be able to:
Explain how you can use built-in diagnostic tools to gather hardware information.
Hardware-Related Problems
Hardware problems occur when a hardware
device fails or there is a failure of a device driver
that the hardware device uses. When you are
troubleshooting hardware-related problems,
you first must determine whether the underlying
cause of the hardware failure is because of a
device failure, or a device driver failure.
Some components are more prone to failure than others are. Often, the components most susceptible to
failure are those with moving parts, such as hard disk drives, cooling fans, power supplies, and optical
drives.
Note: Many tablet devices are equipped with solid-state drives, which have no moving
parts and are less susceptible to physical failure.
Operating system version incompatibility. Drivers developed for previous Windows operating system
versions might not be entirely compatible with Windows 8.1. To avoid incompatibility issues, always
check for a Windows 8.1 driver version, and use it if available.
Driver bugs. Although hardware vendors take every precaution to ensure that device drivers are free
from error, occasionally problems occur. Obtain the latest driver version from the manufacturer,
particularly if the new version fixes previous driver issues. Verify that the device driver package carries
a digital signature that chains to a trusted certification authority; a driver runs in kernel mode with full
access to the system, so a missing or invalid signature is a reason to reject the package, not a warning
to click through.
32-bit and 64-bit issues. Windows 8.1 is available in both 32-bit and 64-bit editions. Drivers that
manufacturers develop for the 32-bit edition do not work with the 64-bit editions, and vice versa.
Make sure that you obtain the appropriate device driver from the hardware vendor; Windows does not
let you install a driver built for the other platform. Note also that the 64-bit editions of Windows 8.1
refuse to load kernel-mode drivers that are not signed, unless driver signature enforcement is disabled.
Because of the relative simplicity of USB device installation, users are installing an increasing number of
USB devices more frequently. As the number and variety of these devices increases, so do the associated
support and maintenance costs. Therefore, controlling use of these devices has become an important
consideration for administrators.
Many organizations restrict employee use of USB devices for security and management reasons.
However, implementing restrictions on USB devices can affect user productivity. It also can have a
significant impact on hardware troubleshooting if the person performing the troubleshooting wrongly
diagnoses these restrictions as hardware faults.
Windows 8.1 uses two methods to control USB device installation: device identification strings, and device
setup classes.
Hardware identifiers. Hardware identifiers provide an exact match between a device and a device
driver package. The first string in the device identifier list is the individual devices specific identifier.
Additional strings in the list identify the device in more general terms. This allows Windows 8.1 to
install a different device revision driver if the correct one is not available.
Compatible identifiers. Windows 8.1 uses compatible identifiers to select a device driver only if the
driver store has no available drivers for any of the hardware identifiers that Windows 8.1 retrieves
from the device. These strings are optional, and they are listed in decreasing order of suitability if the
hardware manufacturer provides them. Typically, the strings are generic and identify the hardware
device at the component level, such as a Small Computer System Interface (SCSI) hard disk drive. This
enables Windows 8.1 to select a generic SCSI driver for the disk drive, but may result in limited device
functionality and slower read/write performance.
Multifunction devices are physical devices that include more than one logical device. Manufacturers assign
hardware identifiers to each logical device so that it can manage part of the functionality of the physical
device. For example, an all-in-one scanner/printer/fax might have different device identification strings
for each function. To control installation of multifunction devices, you specifically must allow or deny all
hardware identifiers for each multifunctional device. Not doing so could cause unexpected results from
only some of the logical devices that have drivers installed for the one physical device.
The following code snippet is the relevant portion of an .inf file that Microsoft provides for a keyboard
device driver.
[MsMfg]
;========= Microsoft USB Internet Keyboard (IntelliType Pro)
%HID\VID_045E&PID_002D&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_002D&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_005F&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_005F&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (106/109) (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_0061&MI_00.DeviceDesc%=MicrosoftKBD_Dev_109,HID\VID_045E&PID_0061&MI_00
;========= Microsoft USB Wireless Natural MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_0063&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_0063&MI_00
To interpret the preceding and subsequent configuration files, use the following key:
VID = Vendor ID
PID = Product ID
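As an added example (not part of the course and not Microsoft's keyboard.inf), the following Python code parses a constructed .inf excerpt modelled on the one above, pulls the VID, PID and MI values out of each hardware ID, applies the selection order the text describes (the device's own hardware IDs first, most specific first, then its compatible IDs in decreasing suitability), and checks a device-installation allow list against every logical device of a multifunction device. The sample .inf, the device ID lists and the allow list are constructed, and the ranking is a simplified model of the description above, not the complete Windows driver-selection algorithm.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the keyboard .inf excerpt above (not the real
# Microsoft file). A models section maps a description string to the install
# section and the hardware ID(s) the driver claims.
SAMPLE_INF = r"""
[Version]
Signature="$Windows NT$"
Class=Keyboard
ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318}

[MsMfg]
;========= Microsoft USB Internet Keyboard (IntelliType Pro)
%HID\VID_045E&PID_002D&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_002D&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_005F&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_005F&MI_00
"""

VIDPID_RE = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)
MI_RE = re.compile(r"&MI_([0-9A-F]{2})", re.I)


@dataclass(frozen=True)
class HardwareId:
    raw: str            # the identifier string, upper-cased for comparison
    vid: Optional[str]  # Vendor ID (USB/HID IDs only)
    pid: Optional[str]  # Product ID (USB/HID IDs only)
    mi: Optional[str]   # interface number: one per logical device of a multifunction device


def parse_inf_sections(text: str) -> Dict[str, List[str]]:
    """Split an .inf into sections: keys are lower-cased section names, values
    are the non-empty lines of each section with ';' comments removed."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_hwid(raw: str) -> HardwareId:
    """USB/HID IDs carry VID_xxxx&PID_xxxx and, for one interface of a
    multifunction device, &MI_xx; generic IDs such as HID_DEVICE carry neither."""
    vp = VIDPID_RE.search(raw)
    mi = MI_RE.search(raw)
    return HardwareId(raw.upper(),
                      vp.group(1).upper() if vp else None,
                      vp.group(2).upper() if vp else None,
                      mi.group(1).upper() if mi else None)


def driver_ids_in_models(sections: Dict[str, List[str]], models: str) -> List[HardwareId]:
    """A models line reads '%desc%=InstallSection,HwId[,CompatId...]'; every ID
    after the install section is one the driver package claims to support."""
    ids: List[HardwareId] = []
    for line in sections.get(models.lower(), []):
        _, _, rhs = line.partition("=")
        fields = [f.strip() for f in rhs.split(",")]
        ids.extend(parse_hwid(f) for f in fields[1:])
    return ids


def rank_driver_match(device_hwids: List[str], device_compat_ids: List[str],
                      driver_ids: List[HardwareId]) -> Optional[Tuple[str, int]]:
    """Simplified model of the selection order described above: the device's
    hardware IDs are tried first (index 0 is the most specific), its compatible
    IDs only afterwards, in decreasing order of suitability. Returns which list
    matched and at what position, or None when the driver fits neither."""
    claimed = {h.raw for h in driver_ids}
    for kind, candidates in (("hardware", device_hwids), ("compatible", device_compat_ids)):
        for position, candidate in enumerate(candidates):
            if candidate.upper() in claimed:
                return kind, position
    return None


def ids_not_allowed(allow_list: List[str], reported_ids: List[str]) -> List[str]:
    """Device-installation policy matches identifier strings exactly, so a
    multifunction device is only fully allowed when the ID of every one of its
    logical devices (each MI_xx) is on the list; return the ones that are not."""
    allowed = {a.upper() for a in allow_list}
    return [r for r in reported_ids if r.upper() not in allowed]
```

ids_not_allowed is the check to run before deploying an allow list for a multifunction device: any ID it returns is a logical device that the policy would block even though the rest of the physical device installs, which is exactly the partial-installation situation the text warns about.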
The device setup class groups devices that you install and configure in the same way. For example, all
keyboards belong to the Keyboard device setup class, and they use the same co-installer when installed. A
GUID represents each device setup class. The manufacturer of a device driver package assigns the device
setup class, and then Windows 8.1 builds a memory-tree structure that contains the GUIDs for all devices
that it detects, including that of any bus that you attach to the device. You can use Group Policy to specify
the device class for which you allow or disallow installation.
The following code snippet is the relevant portion of an .inf file that Microsoft provides for a keyboard
device driver.
[Version]
CatalogFile.NT= type32.cat
;Digital Signing
Signature="$Windows NT$"
;All Platforms
Class=Keyboard
ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318}
Provider=Microsoft
LayoutFile=layout.inf
DriverVer=06/29/2010, 8.0.219.0
In Windows 8.1, you can use Group Policy to control USB device access to your computer. Group Policy
does this by:
Denying read or write access to users for removable devices or for those that use removable media.
Restricting USB device installation can benefit hardware support in several ways:
Simpler data security. By limiting the devices that users can install, you can reduce the risk of data
theft by implementing simple and supported procedures. For example, allowing users to connect only
USB flash drives that are password protected provides additional protection for data that users
transfer from the corporate network.
Reduced support costs. You can ensure that users only install devices that your help desk has
preapproved and tested. This benefit reduces support costs and user confusion.
Misdiagnosed faults. Unless policy restrictions are simple, consistent, and easily understood by users
and IT staff, the IT staff may diagnose a restriction as a hardware problem.
Policy management. Some manufacturers use a range of identifiers for similar device models. When
you have a batch of such devices, you may have difficulty supporting policy restrictions based on
identifiers. Consequently, the success of these policies may be inconsistent. For example, although a
batch of devices from a single vendor may appear identical, you should check each device identifier
to verify that the same identifier is used for the entire batch. If there is a range of identifiers, you will
need to modify your Group Policy settings to include all of these identifiers.
Note: Another consideration for USB devices is the version of USB on your computing
device. Many modern computers provide both USB 2 and USB 3 ports for peripheral devices.
However, some tablet devices provide only USB 2 ports. If your peripheral requires a USB 3
connection, then you will be unable to use that device with a USB 2 port.
2. Turn on the Wi-Fi and/or Bluetooth receiver by using the computer's switches or keyboard shortcuts.
Note: On some computers, you cannot independently enable or disable Wi-Fi and Bluetooth.
3. Ensure that Flight mode is off, as this disables all radio receivers.
4. Use Device Manager to verify, and if necessary update, the drivers for the computer's Wi-Fi and/or
Bluetooth modules.
5.
a. Discovery. Enable discovery to ensure that the computer is visible. Additionally, you might need
to enable Discovery (sometimes also known as visibility) on peripheral devices.
b. Connections. Enable the Allow Bluetooth devices to find this PC setting. Optionally, you can
select the setting to Alert me when a new Bluetooth device wants to connect.
c. Pairing. In addition to the above settings, some peripherals require that you pair them to your
computer. This process requires that the computer and the device exchange a passcode or key to
establish the partnership. You may need to initiate this process at either the computer or the
peripheral end.
Note: The device manufacturer often defines a device's passcode. For example, a Bluetooth
headset does not provide you with a mechanism for defining a passcode. However, 0000 often is
the default passcode. For more information, refer to the vendor documentation.
6. Ensure that the devices are close enough for the signals to communicate.
Configure the devices to use the same wireless protocol and security settings.
Note: Some Bluetooth peripheral devices (such as wireless mice and keyboards) often
come with a small Bluetooth module that you insert into a USB port on your computer. This USB
Bluetooth module allows you to use cordless devices without needing a built-in Bluetooth
module.
Event Viewer
The Event Viewer has many built-in logs, including those in the following table.
Built-in log
Application log. This log contains events that are classified as error, warning, or information,
depending on the event's severity:
An error is a significant problem, such as data loss.
A warning is an event that is not necessarily significant, but which may indicate a possible
future problem.
An information event describes the successful operation of a program, driver, or service.
Security log. This log reports the results of auditing, when it is enabled. Audit events are
described as successful or failed, depending on the event. An example is whether a user who is
trying to access a file is successful.
Setup log.
System log. This log contains general events that are logged by Windows components and services.
Events are classified as error, warning, or information. Events logged by system components are
predetermined by the Windows operating system.
Forwarded events. This log stores events collected from remote computers. To collect events from
remote computers, you first must create an event subscription.
Applications and Services logs are a new category of event logs that store events from a single application
or component rather than events that might have system-wide impact. This category of logs includes four
subtypes:
Admin. Admin logs are of interest to IT professionals who use the Event Viewer to troubleshoot
problems. These logs provide guidance about how to respond to issues, and primarily target end
users, administrators, and support personnel. The events found in the Admin logs indicate a problem
with a well-defined solution that an administrator can implement.
Operational. Events in the Operational log also are useful for IT professionals, but they likely require
more interpretation. You can use operational events for analyzing and diagnosing a problem or
occurrence, and trigger tools or tasks based on the problem or occurrence.
Analytic and Debug. Analytic and Debug logs are not as user-friendly. Analytic logs store events that
trace an issue, and they often log a high volume of events. Developers use debug logs when
debugging applications.
System Information
The System Information tool displays information about a computer, including reports on installed
hardware. You can use the System Information tool to look for hardware resource conflicts, and to
determine the resources that a hardware device is using, including the interrupt request (IRQ) line,
memory address range, and the base input/output (I/O) address range.
Device Manager
Device Manager displays information about the hardware installed on the computer, including hardware
resource settings and driver information. You can also use Device Manager to perform driver rollback,
check for hardware changes, enable and disable drivers, and where necessary, uninstall drivers.
Reliability Monitor. The Reliability Monitor displays Windows 8.1 reliability over time, and any
hardware failures that have occurred. You can use the Reliability Monitor to identify hardware failure
trends so that you can be more proactive in your administration. This can help you to replace a device
suffering periodic failures before it fails altogether.
Performance Monitor. The Performance Monitor displays and collects performance information
related to hardware devices that are installed on a local computer and on remote computers. You can
use this information to track performance deterioration that might be a warning sign of potential
hardware failure.
The Windows Memory Diagnostics Tool can detect and resolve physical memory problems automatically.
If the Windows Memory Diagnostics Tool detects a faulty memory module or parity error, it displays a
message in the system tray that prompts the user to diagnose and fix the problem.
You can use Windows Memory Diagnostics to check the computer's memory during the startup process.
You can choose to restart the computer immediately and perform the check, or to schedule the memory
check during the next computer restart. If you select an immediate check, ensure that you save any work
in progress, and close any open windows before restarting the computer.
Action Center
Windows 8.1 includes the Action Center, which provides a single point of reference for reliability issues.
From the Action Center, you can launch diagnostic tools to troubleshoot hardware problems.
Remote Desktop
An administrator can use Remote Desktop to collect hardware information about a remote computer on
the network. For example, you could use Remote Desktop to run tools that cannot connect to a remote
computer, such as System Information or Reliability Monitor. In a large network, it is important to be able
to connect to remote computers to perform hardware diagnostics without having to physically access the
users' computers.
Centralized Inventory
Using additional products, including those from both Microsoft and other parties, you can gather
hardware information from devices across your enterprise network, and then store the analysis centrally.
Remove or disable recently installed device drivers. If you have recently installed another company's
device driver or software package, try removing or disabling the driver to prevent it from loading, and
then restarting the computer. If that does not fix the problem, contact the hardware vendor, and
ensure that you have the latest available driver. If you are already using the latest version of the driver,
contact the hardware vendor and log the issue as a support incident.
Use driver rollback to return to a previous driver version. If a failure occurs after installing an updated
device driver, use the driver rollback feature to return to the previous working driver version. To roll
back a device driver:
Note: If driver rollback is not possible, consider using System Restore to restore the
computer's configuration to a previous point in time. Remember that using System Restore will
most likely rectify the driver problem, but will also revert other settings.
Consider upgrading the computer's BIOS or firmware. This is a relatively straightforward process and
can usually be performed from within the Windows operating system by using a vendor-supplied tool.
After applying a BIOS or firmware update, you also might need to update some of the system device
drivers.
Use vendor support. Ensure that you have adequate support agreements and escalation procedures
with the hardware vendor, and then use this support if a hardware failure occurs. Many hardware
vendors offer extended support options, and will replace failed hardware components within a certain
period. You should have support options specified in your organization's service level agreements
(SLAs).
Establish an incident recording procedure. Users often find it difficult to determine the exact
sequence of events that led to failures. Many IT help desks adopt scripts that facilitate logical
interviewing techniques to determine whether users made changes to their computers prior to the
failure. Using a consistent procedure for recording incidents also aids with diagnosing problems.
Lesson 2
Hardware failures can be catastrophic unless you plan for device failure and replacement. You should have
procedures in place so that you can troubleshoot failed devices efficiently, particularly for your most
vulnerable devices such as hard disk drives and memory.
Lesson Objectives
After completing this lesson, you will be able to:
SLAs
An SLA can specify what to do when hardware fails, and how to log a failure incident with your
organization's service desk. The SLA also can dictate the expected response time and the time within
which a failed device is replaced.
Procedures also must be in place to ensure that sufficient spare hardware devices are available. Some
companies maintain a definitive hardware list, and spares for each device on this list.
Warranties
Most hardware vendors include a warranty with their products. The warranty generally lasts for an initial
period (such as twelve months), and covers the hardware against failure during this time. A basic warranty
usually stipulates a next-business-day response for device replacement. For a fee, most hardware vendors
offer additional warranty services with shorter response and replacement times. A typical option may
specify a four-hour telephone response time, with an engineer scheduled to visit the site within eight
hours to provide an on-site fix. Ensure that SLAs cover warranty agreements or other contracts with the
manufacturer or hardware vendor.
Escalation Procedures
Providing appropriate escalation procedures and resources can be as simple as providing a contact
telephone number for the hardware vendor. However, most procedures also should include providing a
customer account number for the vendor, a particular contact name, and any pertinent contract details.
This makes service-desk staff aware of agreed-upon response times.
If you need to replace a hard disk due to a hardware problem, you might need to return the broken disk
to the manufacturer. If this is the case, check the security requirements for removing sensitive or
confidential data from the hard disk before you return it.
Logical failure. Examples of logical failures include invalid entries in a file allocation table (FAT) or
master file table (MFT) on the NTFS file system volume. Logical failures are the least severe type of
failure. However, logical errors also can cause corruption and file system loss on a severely
fragmented drive. In such cases, you may need specialized tools to fix the problem.
Mechanical failure. Platters (one or more rotating, magnetically coated disks), store data on a hard
disk. Data is accessed through read/write heads mounted on rotating mechanical arms. One of the
most common mechanical failures occurs when the read/write heads of the hard disk come in contact
(momentarily or continuously), with the hard disk platters. Additionally, physical shock, computer
movement, static electricity, power surges, or mechanical read/write head failure can all cause head
crashes. Hard disk drives also may fail because of motor problems.
Electronic failure. An electronic failure is a problem with the hard disk's controller board. If the
controller fails, the disk may be undetectable by the system BIOS. Additionally, electronic failure can
occur because of electrical surges that damage the controller board or because of defective board
components. However, you often can recover data because the disk platters and other mechanical
components remain undamaged.
Firmware failure. Hard disk firmware is code that controls the hardware. Often, it is stored on a flash
memory chip on the hard disk controller board. If the firmware becomes corrupt or unreadable, the
computer may be unable to communicate with the disk.
Bad sector. Bad sectors can be logical or physical sectors. A lost cluster is an example of a logical bad
sector that typically you can repair with software tools. Shock or vibrations often cause physical bad
sectors. Most hard disk drives have firmware that marks bad sectors, and so long as the damage is
minor, no data is lost. You can use drive-monitoring tools to determine when the number of physical
bad sectors is critical enough to replace the drive.
Note: Some disks implement Self-Monitoring, Analysis, and Reporting Technology (SMART). This
technology enables the operating system to monitor the hard disk proactively, checking for
reliability issues before they can result in data loss.
Solid-State Drives
Many devices, including tablets and some laptops, have solid-state drives (SSDs). This technology differs
from traditional hard drives and offers benefits to users in terms of physical device size, speed, and to
some extent, power consumption.
Although there are no moving parts, SSDs can fail, often resulting in data loss. Every time the operating
system writes to an SSD, memory cells are used to store the data. These cells wear out over time,
resulting in errors or even drive failure. The more you write to a drive, the sooner it will wear out.
Some drives offer error checking memory cells, which can help to mitigate data errors, and some users
report more problems with larger drives. However, it is important not to consider SSDs as a fail-safe
storage solution.
Power Supplies
The power supply converts the alternating current (AC) from the mains into the low-voltage direct current
(DC) that the computer's components can use. A failing power supply can cause erratic behavior, including
computers restarting randomly, memory errors, or power being supplied to some devices and not others.
Symptoms of power supply problems can include:
On/Off indicator lights are visible, but there is no disk action or screen display.
Optical Drives
Optical drives such as CD and DVD drives tend to have shorter life spans compared to other hardware
devices, and their mean time between failures (MTBF) is lower than that of a hard disk drive. Most
hardware manufacturers provide a one-year guarantee on optical drives and a three-year guarantee on
hard drives.
The media quality in optical drives is a significant factor in the optical drive's lifespan:
Software settings also can affect optical drives. Using a high maximum write speed can result in a greater
number of irreparable and subsequently unusable disks, compared to using slower write speeds.
Optical drives can fail due to vibration because they require precise optical alignment in the device to
work properly. You can cause vibration by moving the computer while it is in use, or by operating the
computer in a location that is not stable. Excessive dust also can damage optical drives, which can be an
environmental factor.
Cooling Fans
The most common cause of cooling fan failures is dust building up inside the computer and around the
fan area. This accumulation can lead to failures in the fan bearings, motor, or power supply.
Central processing units (CPUs) and graphics processing units (GPUs) are the devices least likely to fail.
However, you can overheat and damage the CPU if you attempt to overclock the CPU. Overheating also
can occur because of a failure with the cooling fan. Additionally, power spikes and static electricity
discharge can cause CPU failures.
System Memory
Memory problems can occur because of heat, power surges, or static electricity. You can use the Windows
Memory Diagnostics Tool to help identify and resolve memory issues.
Batteries. Laptop computers and tablets have batteries installed in them. Although battery technology
has improved dramatically over the last few years, they still have a limited life. When your device
battery begins to degrade, consider replacing it.
Common signs of impending battery failure include:
Note: Although almost all laptops support the ability for the user to replace the battery,
this is not the case with all tablets. Some tablets require the manufacturer or service agent to
replace the battery.
Docking stations. Many users rely on docking stations in order to use their Windows 8.1 devices. This
is especially true for smaller form factor devices such as Ultrabooks and tablets, where the docking
station connects the device to peripherals such as keyboards and monitors. Failure of these
intermediate devices can result in loss of productivity for the user.
Displays. Modern laptop and tablet displays are very reliable, but they can fail. Generally, failure of a
laptop or tablet display is something that will likely require manufacturer replacement. Before acting
on a possible display failure, eliminate all other causes, including device drivers and the graphics card
or system board.
Because of the risks that static electricity poses to devices such as system memory, it is important that you
observe static electricity guidelines and train your IT staff accordingly. Initiate compulsory maintenance
procedures, and ensure that you use antistatic kits, which are inexpensive and available from numerous
hardware manufacturers. Hardware vendors operate professional hardware-qualification programs that
include detailed information about antistatic maintenance precautions. Additionally, ensure that IT staff
wear grounding straps when working with sensitive components.
When you buy a new computer, check for the Compatible with Windows 8.1 logo. The hardware in a
Windows 8.1-compatible computer has been tested and verified to be optimized for running the
Windows 8.1 operating system.
When buying hardware devices for a computer that is running Windows 8.1, check that the hardware has
the approval of the Windows Logo Program for Windows 8.1. This means that the hardware has been
tested for Windows 8.1 compatibility, and that it is listed on the Windows Marketplace website. Windows
Marketplace is an online service that replaces the previous Hardware Compatibility List (HCL).
Note: Discover which devices are compatible with Windows 8.1 by visiting the Windows
Compatibility Center at http://go.microsoft.com/fwlink/?LinkId=214077.
Note: Some devices, especially tablets, do not support user replacement of failed parts.
Typically, you will need to return the device to the manufacturer or their service agent to have
parts replaced.
Lesson 3
A driver is a small software program that allows a computer to communicate with its hardware or devices.
A hardware device works only if its device driver is installed correctly and functioning properly. Drivers are
specific to operating systems.
A driver failure can render even the most sophisticated and expensive device useless. Malfunctioning
device drivers also can affect other hardware, and may stop the computer from operating properly.
This lesson focuses on troubleshooting problems related to hardware device drivers, which can include:
Lesson Objectives
After completing this lesson, you will be able to:
Driver Packages
A driver package is a set of files that make up a driver. The driver package includes:
The catalog (.cat) file that contains the digital signature of the device driver.
1. Install the driver package into the driver store. You must use administrator credentials to perform this
step.
2. Attach the device, and install the driver. A standard user can perform this step.
Driver Store
The driver store is the Windows 8.1 driver repository. Because the driver store is a trusted location, when
you connect compatible hardware, Windows 8.1 installs the appropriate driver automatically from the
store's cache of device drivers.
Because standard users can install any device driver from the driver store, users can install common
hardware accessories without calling the help desk. An OEM or IT administrator can preload the driver
store with the necessary drivers for commonly used peripheral devices. The driver store is located at
systemroot\System32\DriverStore.
During hardware installation, Windows 8.1 will report an unknown device if:
Driver Signing
Digital signatures allow administrators and end users who are installing Windows-based software to know
that a legitimate publisher is providing the software package. A digital signature is an electronic security
mark that indicates the software's publisher, and displays a message if someone changes the original
contents of the driver package. If a publisher signs a driver, then you can be more confident that the
driver comes from that publisher and has not been altered.
2.
The difference between disabling a device and uninstalling it is that when you disable a device, you are
disabling only the drivers; the hardware configuration does not change, and the driver software is not
removed from the computer, which it would be if you uninstall the device.
Note: If a device appears to have failed and Device Manager displays a problem with the
device, you can uninstall the device. Windows then detects the device, and installs the driver
again. This may resolve the problem.
You also can disable a device driver from a command prompt by using the DevCon command-line tool.
For example, to disable all devices that have a hardware identifier that ends in MSLOOP, at a command
prompt, type devcon disable *MSLOOP. You also can use the DevCon tool to list devices, their status,
and associated hardware resources.
For more information on the DevCon tool, refer to the following webpage:
The DevCon command-line utility functions as an alternative to Device Manager
http://go.microsoft.com/fwlink/?LinkId=335914
Get-Device
Get-Driver
Get-Numa
Enable-Device
Disable-Device
Floppy disk
Hard disk
Keyboard
Mouse
VGA devices
If the failure of a device driver is preventing the operating system from starting, you can start the
computer in safe mode. You then can troubleshoot the device driver, which might involve disabling the
problem device before you attempt to restart the computer in normal mode.
Administrators and end users who are installing Windows-based software can use digital signatures
to verify that a legitimate publisher has provided the software package. The signature is an electronic
security mark that indicates the publisher of the software, and whether someone has changed the driver
package's original contents. If a publisher signs a driver, this indicates that the driver comes from that
publisher and has not been altered.
A digital signature uses the organization's digital certificate to encrypt specific details about the package.
The encrypted information in a digital signature includes a thumbprint for each file included with the
package. A special cryptographic algorithm, referred to as a hashing algorithm, generates this thumbprint.
The algorithm generates a code that only that file's contents can produce; changing a single bit in the file
changes the thumbprint. After the thumbprints are generated, they are combined into a catalog, and
then encrypted.
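The following Python example is added here and is not Microsoft code. It models the catalog mechanism just described with SHA-256 thumbprints over constructed file contents, shows that a single flipped bit changes a file's thumbprint almost entirely, and reports which file of a package no longer matches the catalog (or was added or removed after the catalog was built). The publisher's signature over the catalog (Authenticode in a real .cat file) is not implemented; the example stops at the catalog digest that such a signature would cover.

```python
import hashlib
from typing import Dict, List

# Constructed stand-ins for the files of a driver package; a real package holds
# a .sys, an .inf and usually more, but any bytes serve to show the mechanism.
PACKAGE: Dict[str, bytes] = {
    "usbcam.sys": bytes(range(256)) * 4,
    "usbcam.inf": b'[Version]\r\nSignature="$Windows NT$"\r\nClass=Image\r\n',
}


def thumbprint(data: bytes) -> str:
    """Per-file thumbprint: a SHA-256 digest, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def build_catalog(files: Dict[str, bytes]) -> Dict[str, str]:
    """The catalog maps each file name to its thumbprint; this is the content
    a .cat carries and that the publisher's signature is computed over."""
    return {name: thumbprint(data) for name, data in files.items()}


def catalog_digest(catalog: Dict[str, str]) -> str:
    """One digest over a canonical encoding of the catalog. A signature
    (not implemented here) would bind the publisher's identity to this value."""
    encoded = "\n".join(f"{name} {thumb}" for name, thumb in sorted(catalog.items()))
    return thumbprint(encoded.encode("utf-8"))


def verify_package(files: Dict[str, bytes], catalog: Dict[str, str]) -> List[str]:
    """Recompute every thumbprint and report each file that disagrees with
    the catalog, is listed but missing, or was added after the catalog was built."""
    problems: List[str] = []
    for name in sorted(set(files) | set(catalog)):
        if name not in catalog:
            problems.append(f"{name}: not listed in catalog")
        elif name not in files:
            problems.append(f"{name}: listed in catalog but missing")
        elif thumbprint(files[name]) != catalog[name]:
            problems.append(f"{name}: thumbprint mismatch")
    return problems


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hex_distance(a: str, b: str) -> int:
    """Number of differing hex digits between two equal-length digests."""
    return sum(x != y for x, y in zip(a, b))


def demo() -> Dict[str, object]:
    """Build a catalog, tamper with one bit of one file, and check the result."""
    catalog = build_catalog(PACKAGE)
    tampered = dict(PACKAGE)
    tampered["usbcam.sys"] = flip_bit(PACKAGE["usbcam.sys"], 1000)
    return {
        "clean": verify_package(PACKAGE, catalog),
        "tampered": verify_package(tampered, catalog),
        "digest_changed": catalog_digest(build_catalog(tampered)) != catalog_digest(catalog),
        "digits_changed": hex_distance(catalog["usbcam.sys"], thumbprint(tampered["usbcam.sys"])),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the catalog keeps one thumbprint per file, verification names the altered file rather than only reporting that "the package" changed; that is what makes a signed catalog useful for diagnosis as well as for trust.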
Note: 64-bit Windows 8.1 versions require that all drivers be digitally signed.
If your organization has a Software Publishing Certificate, you can use that to add your own digital
signature to drivers that you have tested and that you trust. If you experience stability problems after you
install a new hardware device, an unsigned device driver might be the cause.
Note: To disable the enforcement of driver signatures, access the Advanced Boot Options
menu, and then select Disable driver signature enforcement. The procedure for accessing the
Advanced Boot Options menu is described in the next topic.
You can use the Signature Verification tool (Sigverif.exe) to check whether unsigned device drivers are in
the system area of a computer. Sigverif.exe writes the results of the scan to a log file that includes the
system file, the signature file, and the signature file's publisher. The log file shows any unsigned device
drivers as unsigned. You then can choose whether to remove the unsigned drivers.
To remove an unsigned device driver, follow these steps:
1.
2.
3.
4. Manually move any unsigned drivers from systemroot\System32\Drivers into the temporary folder.
5.
6.
If this resolves the problem, try to obtain a signed driver from the hardware vendor, or replace the
hardware with a device that is Windows 8-capable.
You can obtain a basic list of signed and unsigned device drivers from a command prompt by running the
driverquery command with the /si switch.
Note: Some hardware vendors use their own digital signatures so that drivers can have a
valid digital signature, even if Microsoft has not tested them. The Sigverif report lists the vendors
for each signed driver. This can help you identify problem drivers issued by particular vendors.
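As an added example (not from the course), the following Python script reads output in the shape of driverquery /si /fo csv and lists the unsigned drivers grouped by manufacturer, which is the per-vendor view the note above describes for the Sigverif report. The rows are constructed; the column names are the ones driverquery emits for the /si switch.

```python
import csv
import io
from collections import Counter
from typing import Dict, List

# Constructed rows in the shape of `driverquery /si /fo csv` output. The column
# names are the ones the tool emits; the devices and vendors are made up.
SAMPLE_CSV = """\
"DeviceName","InfName","IsSigned","Manufacturer"
"1394 OHCI Compliant Host Controller","1394.inf","TRUE","Microsoft"
"Standard PS/2 Keyboard","keyboard.inf","TRUE","Microsoft"
"Contoso Widget Adapter","oem7.inf","FALSE","Contoso Ltd (constructed)"
"Fabrikam Sensor Hub","oem12.inf","FALSE","Fabrikam (constructed)"
"Fabrikam Camera","oem13.inf","TRUE","Fabrikam (constructed)"
"Contoso Legacy Port","oem9.inf","FALSE","Contoso Ltd (constructed)"
"""


def parse_driverquery_csv(text: str) -> List[Dict[str, object]]:
    """Turn the CSV into records with a real boolean for the signed flag."""
    records: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "device": row["DeviceName"],
            "inf": row["InfName"],
            "signed": row["IsSigned"].strip().upper() == "TRUE",
            "manufacturer": row["Manufacturer"],
        })
    return records


def unsigned_drivers(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Every driver reported as unsigned, ordered by .inf name."""
    return sorted((r for r in records if not r["signed"]), key=lambda r: r["inf"])


def unsigned_by_manufacturer(records: List[Dict[str, object]]) -> Counter:
    """How many unsigned drivers each vendor contributed: the per-vendor view
    that helps identify problem drivers issued by particular vendors."""
    return Counter(r["manufacturer"] for r in records if not r["signed"])


def third_party_packages(records: List[Dict[str, object]]) -> List[str]:
    """Packages added to the driver store are published as oemNN.inf (the
    names pnputil -e lists and pnputil -d takes); return those present."""
    return sorted({r["inf"] for r in records if r["inf"].lower().startswith("oem")})


def report(text: str) -> str:
    """Human-readable summary, one line per vendor and per unsigned driver."""
    records = parse_driverquery_csv(text)
    lines = [f"{len(unsigned_drivers(records))} unsigned of {len(records)} drivers"]
    for vendor, count in unsigned_by_manufacturer(records).most_common():
        lines.append(f"  {vendor}: {count} unsigned")
    for r in unsigned_drivers(records):
        lines.append(f"  {r['inf']}  {r['device']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV))
```

On a real computer, run driverquery /si /fo csv from an elevated command prompt, save the output to a file, and pass the file's contents to report; the oemNN.inf names it lists are the published names pnputil works with.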
Because device driver software runs as a part of the operating system, it is critical that only known and
authorized device drivers are permitted to run. Signing and staging device driver packages on client
computers provide the following benefits:
Improved security. You can allow standard users to install approved device drivers without
compromising computer security or requiring help desk assistance.
Reduced support costs. Users can only install devices that your organization has tested and is
prepared to support. Therefore, you can maintain computer security as you simultaneously reduce
help desk demands.
Better user experience. A driver package that you stage in the driver store works automatically when
the user plugs in the device. Alternatively, driver packages that you place on a shared network folder
can be discovered whenever the operating system detects a new hardware device. In both cases, the
user is not prompted prior to installation.
On each computer, Windows 8.1 maintains a store for digital certificates. As the computer administrator,
you can add certificates from trusted publishers. If a package is received for which a matching certificate
cannot be found, Windows 8.1 requires confirmation that the publisher is trusted. By placing a certificate
in the certificate store, you inform the Windows operating system that packages signed by that certificate
are trusted.
You can use Group Policy to deploy the certificates to client computers. Using Group Policy, you can have
the certificate installed automatically on all managed computers in a domain, organizational unit (OU), or
site.
Note: It is unusual to install a root certificate into the Trusted Root Certification Authority
store simply to support driver signing.
2.
3.
4. Windows 8.1 checks the driver's integrity and digital signature, and then copies the driver into the
driver store.
Note: The Pnputil.exe tool only runs at a command prompt with elevated user rights. The
tool cannot invoke the User Account Control dialog box.
Add a driver to the driver store and install the driver in the same operation.
Details
pnputil.exe -a d:\usbcam\USBCAM.inf
pnputil.exe -a c:\drivers\*.inf
pnputil.exe -i -a a:\usbcam\USBCAM.inf
pnputil.exe -e
pnputil.exe -d oem0.inf
pnputil.exe -f -d oem0.inf
Note: You also can choose to distribute drivers by adding them to the operating system
images that your organization uses. To do this, use the DISM.exe tool to mount the image that
you wish to modify and then inject the driver. Finally, commit the changes.
1.
2.
3.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Update a device driver
1. If necessary, sign in to the LON-CL1 virtual machine as Adatum\Administrator with the password
Pa$$w0rd.
2. On the Start screen, type This PC, right-click This PC, and then click Manage.
3.
4. Expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update Driver Software.
5. In the Update Driver Software - Standard PS/2 Keyboard dialog box, click Browse my computer
for driver software.
6. On the Browse for driver software on your computer page, click Let me pick from a list of
device drivers on my computer.
7. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102 Key), and
then click Next.
8. Click Close.
9. In the System Settings Change dialog box, click Yes to restart the computer.
Sign in to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
2.
Type This PC, right-click This PC, and then click Manage.
3.
4.
Expand Keyboards, right-click PC/AT Enhanced PS/2 Keyboard (101/102 Key), and then click
Properties.
5.
In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box, click the Driver tab,
and then click Uninstall.
6.
7.
In the System Settings Change dialog box, click Yes to restart the computer.
8.
Sign in to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
9.
Type This PC, in the results section, right-click This PC, and then click Manage.
11. Expand Keyboards, click Standard PS/2 Keyboard, and verify that you have successfully uninstalled
the driver.
12. Close Computer Management.
Click Start.
2.
Type cmd, right-click Command Prompt, and then click Run as administrator.
3.
At the Command Prompt, type the following command, and then press Enter:
pnputil -a D:\Labfiles\Mod03\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf
4.
In the Command Prompt, type the following command, and then press Enter:
pnputil -e
5.
Take note of the published name for the driver that you just installed into the store.
6.
Completion steps
After you complete this practice session, leave the virtual machines running for the next practice
session.
Compatibility Issues
Installation. The device driver might not install in the same way as in previous Windows operating
system versions. For example, the user access protection feature may complicate the Windows 8.1
finish-install process.
Loading. The device driver might not load the same way as in previous Windows operating system
versions. For example, the 64-bit Windows 8.1 editions do not load unsigned drivers.
Run time. The device driver might not run the same way as in previous Windows operating system
versions. Run-time compatibility problems include a range of issues that can occur during run time.
Some issues are quite serious, while others are relatively minor.
Functionality. The device driver may run, but its behavior might differ significantly from that in earlier
Windows operating system versions. For example, network driver interface specification (NDIS) 5.x
drivers must go through a translation layer that reduces their performance. Similarly, display drivers
for the Windows XP operating system, which are based on the display driver model of the Microsoft
Windows 2000 Server operating system, may function in Windows 8.1. However, upon use, they may
not display premium content such as high definition (HD)-DVD video.
To access the GPOs, in Group Policy, under Computer Configuration, select Policies, Administrative
Templates, System, Driver Installation.
The following table identifies the relevant Group Policy settings.
Group Policy setting
Description
In Group Policy, under Computer Configuration, select Policies, Administrative Templates, System,
Device Installation\Device Installation Restrictions. The following table identifies the relevant Group
Policy settings.
Group Policy setting
Description
Description
Preparation Steps
For this practice session, you need to use the available virtual machine environment. These virtual
machines should be running from the preceding practice session. If they are not, before you begin the
practice session, you must complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Modify Group Policy settings
1.
2.
3.
Note: Although you are editing the Default Domain Policy, it would be more usual to
create a new GPO and link it to the domain.
4.
5.
6.
In Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, expand Device Installation, and then click Device
Installation Restrictions.
7.
In the right pane, double-click Allow installation of devices using drivers that match these device
setup classes.
8.
In the Allow installation of devices using drivers that match these device setup classes dialog
box, click Enabled, and then click Show.
9.
Click File Explorer, in the address bar, type D:\Labfiles\Mod03\, and then press Enter.
2.
3.
Double-click ipoint.
4.
Double-click setup64.
5.
Double-click files.
6.
Double-click driver.
7.
8.
9.
Select and copy the GUID, including the opening and closing brackets {}.
1.
2.
In the Show Contents dialog box, click in the Value text box, and then paste the GUID into it.
3.
Click OK twice.
4.
5.
6.
7.
Click Enabled, and in the Detail Text text box, type Adatum Policy restricts installation of certain
devices, and then click OK.
8.
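The practice above copies a setup-class GUID out of an INF file by hand and pastes it into the Device Installation Restrictions policy. The following script is an added example, not part of the course, that does both halves programmatically: it reads Class and ClassGuid from the [Version] section of an INF, and it reads back the restriction policy values that the Device Installation Restrictions settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions, so you can check whether a given class would be blocked for standard users. The INF fragment is constructed; the function names are the example's own.

```powershell
# Added example (not from the course): read the setup-class GUID from an INF
# file and compare it with the Device Installation Restrictions policy that is
# in effect on the local computer. Registry locations are those written by the
# DeviceInstallation.admx settings; the INF text is constructed for illustration.

function Get-InfSetupClass {
    param([string[]]$InfLines)
    # Class= and ClassGuid= live in the [Version] section; ignore other sections
    $inVersion = $false
    $result = [ordered]@{ Class = $null; ClassGuid = $null }
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(?<sec>[^\]]+)\]$') { $inVersion = ($Matches.sec -ieq 'Version'); continue }
        if (-not $inVersion -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^Class\s*=\s*(?<v>.+?)\s*(;.*)?$')              { $result.Class     = $Matches.v }
        if ($t -match '^ClassGuid\s*=\s*(?<v>\{[0-9A-Fa-f-]{36}\})')   { $result.ClassGuid = $Matches.v }
    }
    [pscustomobject]$result
}

function Get-DeviceInstallRestrictionPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path $base)) { return [pscustomobject]@{ Configured = $false } }
    $p = Get-ItemProperty -Path $base
    # Class lists are stored as values named 1, 2, 3 ... under a subkey
    $classList = {
        param($sub)
        if (Test-Path "$base\$sub") {
            (Get-ItemProperty "$base\$sub").PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value
        }
    }
    [pscustomobject]@{
        Configured        = $true
        DenyUnspecified   = [bool]$p.DenyUnspecified    # "Prevent installation of devices not described by other policy settings"
        AllowAdminInstall = [bool]$p.AllowAdminInstall  # "Allow administrators to override Device Installation Restriction policies"
        AllowedClasses    = @(& $classList 'AllowDeviceClasses')
        DeniedClasses     = @(& $classList 'DenyDeviceClasses')
        DeniedPolicyText  = $p.DeniedPolicy_DetailText  # "Display a custom message when installation is prevented"
    }
}

# Constructed INF fragment in the shape of a real [Version] section (Mouse class)
$inf = @'
[Version]
Signature="$WINDOWS NT$"
Class=Mouse
ClassGuid={4d36e96f-e325-11ce-bfc1-08002be10318}
Provider=%ProviderName%
'@ -split "`r?`n"

$setupClass = Get-InfSetupClass -InfLines $inf
$policy     = Get-DeviceInstallRestrictionPolicy

"INF setup class: $($setupClass.Class) $($setupClass.ClassGuid)"
if ($policy.Configured -and $policy.DenyUnspecified -and
    $policy.AllowedClasses -notcontains $setupClass.ClassGuid) {
    'Standard users could not install this class: it is not in the allowed list and unspecified devices are denied.'
} else {
    'No restriction policy blocks this setup class on this computer.'
}
```

Run the script on a client after a Group Policy refresh (gpupdate /force) to confirm that the GUID you pasted into the Show Contents dialog box actually arrived in AllowDeviceClasses; a GUID copied without its braces is a common reason a restriction does not behave as expected.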
Completion steps
After you have completed the practice session, revert the virtual machines in preparation for the lab:
1.
2.
In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Lesson 4
Monitoring Reliability
Reliability is a measure of how a system conforms to expected behavior. A system that often deviates from
the behavior that you configure or expect indicates poor reliability. Typical factors that adversely affect
system reliability include:
Application failures.
Hardware failures.
This lesson identifies tools that you can use in Windows 8.1 to help identify and resolve reliability issues.
Lesson Objectives
After completing this lesson, you will be able to:
Task Manager
In Windows 8.1, Task Manager has been enhanced to provide more information that helps you identify and
resolve reliability problems. Task Manager includes the following tabs:
App history. Displays statistics and resource consumption by application. This information can prove
useful for identifying a specific application that is consuming an excessive amount of resources.
Startup. Displays the items that are configured to run at startup. You can choose to disable any of the
listed programs.
Users. Displays resource consumption on a per-user basis. You can also expand the user view to see
more detailed information about the specific processes that a user is running.
Details. Lists all the processes that are running on the server and provides statistics about their CPU,
memory, and other resource consumption. You can use this tab to manage the running processes. For
example, you can stop a process, stop a process and all its related processes, and change the priority
values of processes. By changing the priority of a process, you determine how much CPU time the
process can consume. By increasing the priority, you allow the process to request more CPU time.
Services. Provides a list of the installed Windows services together with related information, including
whether the service is running and the process identifier (PID) of the running service. You can
start and stop services by using the list on the Services tab.
Generally, you can consider using Task Manager when a reliability problem first becomes apparent. For
example, you might examine the startup items to determine whether a particular program is causing
problems after it has started.
To access Task Manager, press the Ctrl+Alt+Del keys, and then click Task Manager.
Reliability Monitor
You can use Reliability Monitor to view a computer's reliability and problem history. You can track events
such as application and operating system failures against other events such as software updates and
application installation. This gives you the ability to determine at a glance if a particular change in
system reliability is associated with a change in the computer's configuration.
The System Stability chart provides a running chart that displays up to 365 days' worth of reliability
data. The chart lists a system stability index for each day, with the index rising when no problems are
encountered, and falling when problems are recorded.
The stability report provides you with information on the following items:
Application failures
Windows failures
Miscellaneous failures
Warnings
Information
You can track these events against informational events that include:
Application installation
Application uninstallation
You can also review problem reports. Problem reports allow you to view data on:
Memory problems
Driver problems
Application failures
Miscellaneous failures
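The data that Reliability Monitor charts is also exposed through WMI, which makes the "at a glance" correlation scriptable. The following script is an added example and is not part of the course: it reads the stability index from Win32_ReliabilityStabilityMetrics and the failure records from Win32_ReliabilityRecords, then lists the failures recorded on any day where the index dropped sharply. The drop threshold and the SourceName filter are the example's own assumptions; both classes only return data once the RAC scheduled task has collected it.

```powershell
# Added example (not from the course): read the data behind Reliability
# Monitor through its WMI classes. Win32_ReliabilityStabilityMetrics holds
# the stability index per measurement; Win32_ReliabilityRecords holds the
# failure and informational events plotted on the chart.

function Get-StabilityTrend {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-CimInstance -ClassName Win32_ReliabilityStabilityMetrics |
        Where-Object { $_.TimeGenerated -ge $since } |
        Sort-Object TimeGenerated |
        Select-Object @{ n = 'When';           e = { $_.TimeGenerated } },
                      @{ n = 'StabilityIndex'; e = { [math]::Round($_.SystemStabilityIndex, 2) } }
}

function Get-ReliabilityFailures {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # SourceName distinguishes failure records (for example "Application Error",
    # "Application Hang") from informational ones such as update installations.
    # The pattern below is an assumption of this example, not a fixed list.
    Get-CimInstance -ClassName Win32_ReliabilityRecords |
        Where-Object { $_.TimeGenerated -ge $since -and $_.SourceName -match 'Error|Hang|Kernel' } |
        Sort-Object TimeGenerated -Descending |
        Select-Object TimeGenerated, SourceName, ProductName, EventIdentifier
}

function Find-StabilityDrops {
    # Flag measurements where the index fell by more than $Threshold versus the
    # previous one, and list the failures recorded on that day.
    param([int]$Days = 30, [double]$Threshold = 1.0)
    $trend    = @(Get-StabilityTrend -Days $Days)
    $failures = @(Get-ReliabilityFailures -Days $Days)
    for ($i = 1; $i -lt $trend.Count; $i++) {
        $delta = $trend[$i].StabilityIndex - $trend[$i - 1].StabilityIndex
        if ($delta -gt -$Threshold) { continue }
        $day = $trend[$i].When.Date
        [pscustomobject]@{
            When     = $trend[$i].When
            Delta    = [math]::Round($delta, 2)
            Failures = @($failures |
                          Where-Object { $_.TimeGenerated.Date -eq $day } |
                          ForEach-Object { "$($_.SourceName): $($_.ProductName)" })
        }
    }
}

Find-StabilityDrops | Format-List
```

Because Get-CimInstance accepts -ComputerName, the same functions can be pointed at a remote client when a help desk ticket reports recurring crashes, without signing in to the user's desktop.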
The help desk has received a number of trouble tickets that relate to device drive installation. Your
manager has asked you to look into the reason why so many problems relate to devices and to suggest a
possible solution. You must then implement the solution within the network.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20688D-LON-DC1, 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
October 1
3:30
Bobby Moore (Development Department)
OPEN
Incident Details
Bobby reports that his computer mouse is nonfunctional.
Additional Information
User reports that he attempted to install a new mouse, but abandoned the installation midway
through the process.
I attended the user's computer and was unable to resolve the problem, as the mouse was
completely nonfunctional.
Plan of Action
Resolution
2.
3.
4.
Task 1: Read the help desk Incident Record for Incident 722201
2.
Update the Plan of Action section of the Incident Record with your recommendations.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
Attempt to resolve the problem by using your knowledge of the startup architecture and the tools
available for troubleshooting the startup environment.
2.
3.
If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Note: When you have completed the exercise, change the virtual machine back from full
screen mode. In the 20688D-LON-CL1 on localhost window, click Restore Down.
Results: When you have completed this exercise, you should have resolved the hardware issue.
Users in the Research department need to be able to install specific device driver types to complete their
research projects. However, it is important that users in other departments install only printer drivers.
Supporting Documentation
April Reagan
From:
Ed Meadows [Ed@adatum.com]
Sent:
5 October 10.20
To:
April@adatum.com
Research department needs to be able to install devices for setup class Mouse, Keyboard, and Printer.
I want to be sure that drivers not defined by any other policy are restricted.
October 5
Details
Update GPO settings to:
Restrict all users to install printer drivers only.
Enable Research Department users to install Printers, Mice, and Keyboard device drivers.
Do not restrict administrators from installing any drivers.
Additional Information
Use as few GPOs as possible.
Plan of Action
How many GPOs do you envision using?
How will you accommodate the requirement to support the Research Department's needs?
2.
3.
Results: After you have completed this exercise, you should have configured GPOs to control device
installation.
When you have completed the lab, leave the virtual machines running for the next practice session.
Lesson 5
Usually, you do not need to make direct changes to the registry. In fact, making direct changes to the
registry risks introducing errors that may result in applications or devices behaving incorrectly, or even
resulting in your computer being unable to start at all.
However, as IT professionals engaged in troubleshooting, on occasion you might be required to work
directly with the registry by performing imports and exports of settings, and making edits of registry
settings.
This lesson explores the structure of the registry, and explains the tools that you can use to work with the
registry.
Lesson Objectives
After completing this lesson, you will be able to:
Hives
The top-level hives are described in the following
table.
Hive
HKEY_CLASSES_ROOT
Purpose
Hive
Purpose
HKEY_CURRENT_USER
This hive contains the configuration information for the currently signed-in user. Items such as the
user's Windows operating system color scheme and font settings are stored in relevant values below this
hive. When referencing this hive for the purposes of editing the registry, this hive is sometimes
referred to as HKCU. This hive is a shortcut to a key stored in HKEY_USERS.
HKEY_LOCAL_MACHINE
This is probably the most important hive and the one to which you are
likely to make most direct edits. Sometimes abbreviated to HKLM, this
hive stores all the computer-related configuration settings.
HKEY_USERS
HKEY_CURRENT_CONFIG
This hive contains information about the current hardware profile that
was used by the local computer during system startup. You do not
generally make edits to this hive, and so you can disregard this hive.
Most likely, you will only ever make direct changes to the values stored within the hives
HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.
Note: Although the registry is a hierarchical database of values structured in hives,
keys, and subkeys, the actual registry database is stored on the local file system in the
C:\Windows\System32\Config folder. There is no requirement for you to access these files directly.
To maintain structure within the database, like settings are collected into a series of folders and subfolders
known as keys and subkeys. This makes it easier and more accurate to reference a particular registry
value: you can specify a pathname by declaring the appropriate hive, key, subkey (or subkeys), and value.
For example:
HKCU\Control Panel\Desktop\Wallpaper is the value (Wallpaper) that stores the name and location of
a user's desktop wallpaper.
Values
Values define the behavior of the operating system and are stored, as previously stated, in subkeys and
keys. There are a number of different types of values, depending upon the type of data that is stored
within. For example, you may wish to store text values, numerical data, variables, and so forth. The
following table lists the more common types of registry values.
Value type
Data type
Description
REG_BINARY
Binary
REG_DWORD
DWORD
REG_SZ
String
REG_EXPAND_SZ
Expandable
string
REG_MULTI_SZ
Multiple
strings
When you decide to make a direct change to the registry, you must be accurate about the value name, its
type, and its full registry path including all subkeys, keys, and the appropriate hive. Failure to do this will
result in your changes not having the desired effect, and in addition may result in the computer failing to
work properly, or indeed at all.
For more guidance, refer to the following webpage:
Windows registry information for advanced users
http://go.microsoft.com/fwlink/?LinkId=335915
must make the change across hundreds of computers, you may decide to use Windows PowerShell or
another bulk-editing tool to make the change. The following sections describe ways in which you can
make edits to a registry.
Note: As a best practice, back up the registry before making edits. You can either export
the specific key you are editing, or use a tool such as System Restore to capture a restore point.
Registry Editor
The Registry Editor is probably the easiest and most direct way to make changes to the registry. You can
use the Registry Editor to:
Search the registry for a given value entry, value name, subkey, or key.
Note: To manage a remote registry, from the registry editor, click File, and then click
Connect Network Registry. In the Select Computer dialog box, type the name of the remote
computer, and then click OK. You must have administrative credentials on the remote computer,
and the remote computers firewall must be configured to allow for remote management.
To access the Registry Editor, open an elevated command prompt, type regedit.exe, and then press Enter.
REG Files
You also can use a structured text file with a .reg extension (a registry entries file) to merge values into the
registry. The file will look like the following example:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\atapi]
"Start"=dword:00000001
Note: This particular .reg file edits the Start value stored in the HKEY_LOCAL_MACHINE
\SYSTEM\ControlSet001\services\atapi path, and assigns it the DWORD value of 1.
After you have created the .reg file, you can import the settings by:
Running a simple script that loads the file. The following command imports the settings stored in
setting1.reg without prompting the user to confirm:
regedit /s C:\Registry\setting1.reg > nul
Opening the Registry Editor and using the import option to access the appropriate .reg file.
Windows PowerShell
Windows PowerShell provides you with a registry provider. This represents the registry much like a file
system, displaying each key and subkey much as you might see folders and subfolders represented in the
file system of drive C.
For example, to see the contents of the HKEY_LOCAL_MACHINE hive, open an elevated Windows
PowerShell command prompt, and then type the following command:
Get-ChildItem -Path hklm:\
2.
Use the Set-ItemProperty cmdlet to assign a new value to the registry property.
For example:
Set-Location HKCU:\Software\Example
Set-ItemProperty -Path . -Name examplevaluename -Value "assigned value"
In the preceding code snippet, assigned value is assigned to the value called examplevaluename in the
registry path, HKEY_CURRENT_USER\Software\Example.
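The note earlier in this lesson recommends backing up before editing, and the value-type table shows that the type matters as much as the name and path. The following script is an added example and is not part of the course: it exports the target key to a .reg file with reg.exe before touching it, creates the key if it is missing, writes one value of each common type through the registry provider with an explicit -Type, and reads each value back to confirm the change. The key HKCU:\Software\Example comes from the text above; the value names, the server names and the backup file location are the example's own.

```powershell
# Added example (not from the course): back up a registry key, then write and
# verify values of each common registry type through the PowerShell provider.
# The key name follows the lesson text; value names and data are constructed.

function Backup-RegistryKey {
    param([string]$KeyPath, [string]$RegFile)
    # reg.exe expects HKCU\... rather than the provider's HKCU:\... form
    $nativePath = $KeyPath -replace '^([A-Za-z]+):\\', '$1\'
    & reg.exe export $nativePath $RegFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $nativePath" }
    Get-Item $RegFile
}

function Set-RegistryValueChecked {
    param(
        [string]$KeyPath,
        [string]$Name,
        $Value,
        [ValidateSet('String', 'ExpandString', 'MultiString', 'DWord', 'Binary')]
        [string]$Type
    )
    # Create the key when it does not exist; a mistyped path would otherwise fail here
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # An explicit -Type stops the provider from storing everything as REG_SZ
    Set-ItemProperty -Path $KeyPath -Name $Name -Value $Value -Type $Type
    # Read the value back so the caller sees what was actually stored
    (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
}

$key = 'HKCU:\Software\Example'
if (Test-Path $key) {
    Backup-RegistryKey -KeyPath $key -RegFile "$env:TEMP\Example-backup.reg"
}

# One value per type from the lesson's table (constructed names and data)
Set-RegistryValueChecked $key 'LogLevel'  2                            'DWord'        # REG_DWORD
Set-RegistryValueChecked $key 'Server'    'lon-svr1.adatum.com'        'String'       # REG_SZ
Set-RegistryValueChecked $key 'LogPath'   '%SystemRoot%\Logs\ex.log'   'ExpandString' # REG_EXPAND_SZ
Set-RegistryValueChecked $key 'Servers'   @('lon-svr1', 'lon-svr2')    'MultiString'  # REG_MULTI_SZ
Set-RegistryValueChecked $key 'Signature' ([byte[]](0x4D, 0x5A))       'Binary'       # REG_BINARY

# Get-ItemProperty expands REG_EXPAND_SZ on read; to see the stored text use .NET directly
[Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Example').GetValue(
    'LogPath', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
```

The exported .reg file can be merged back with regedit /s exactly as described under REG Files, which makes it a quick rollback if the edit does not have the desired effect.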
For more information on using Windows PowerShell to edit the registry, refer to:
Working with Registry Keys
http://go.microsoft.com/fwlink/?LinkId=335918
Note: By using administrative templates (.adm and .admx files), you can make changes to
the registry, and then propagate those changes with GPOs.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. These should still be
running after the completion of the lab. If they are not, before you begin the practice session, you
must complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Export a registry key
1.
2.
3.
In the Registry Editor, click HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand
Windows NT, expand CurrentVersion, and then click Winlogon.
4.
5.
6.
In the File name text box, type Winlogon, and then click Save.
2.
3.
Scroll down the file, and locate the line that begins with DisableCAD.
4.
5.
6.
2.
3.
In the Registry Editor error dialog box, click OK. An error is expected as some of the settings are in
use.
4.
5.
Scroll down the details pane, and verify that the DisableCAD value is now zero.
6.
Right-click Start, point to Shut down or sign out and then click Sign out.
7.
Completion steps
1.
2.
In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Module 4
Troubleshooting Remote Computers
Contents:
Module Overview
Module Overview
When managing computers, you must know how to connect to remote computers and, where possible,
how to manage those computers remotely. This is especially important in large networked environments
or in situations where the workforce is distributed across multiple locations. Visiting a user's computer to
help to resolve problems is often time consuming and impractical.
You can use most management tools such as Event Viewer, Computer Management, Device Manager,
Print Management, Services, and the registry editor to connect to and manage remote computers. Doing
so is not much different from using the same tools to manage your local computer. Therefore, the focus
of this module is on using tools specifically designed to facilitate remote management connections.
This module explores three ways in which you can remotely connect to and manage remote computers:
Remote Desktop, Windows Remote Assistance, and Windows PowerShell remoting.
Objectives
After completing this module, you will be able to:
Lesson 1
The Remote Desktop Protocol (RDP) provides remote display and input capabilities over network
connections for Windows-based applications. To support your organization's remote users, you need to
understand how to enable, configure, and use Remote Desktop connections.
Lesson Objectives
After completing this lesson, you will be able to:
Don't allow connections to this computer. This is the default setting, in which remote connections are
disabled.
Allow remote connections to this computer. If you are unsure of the version of the remote desktop
client software, this is the best choice.
Allow connections only from computers running Remote Desktop with Network Level Authentication.
This setting limits connections to computers that are running operating systems more recent than the
Windows XP operating system with Service Pack 2 (SP2).
Network Level Authentication completes user authentication before the user establishes a remote
desktop connection and the sign in screen appears. This is more secure, and can help protect the
remote computer from hackers and malware. The advantages of Network Level Authentication are:
o It requires fewer remote computer resources initially.
o It can help provide better security by reducing the risk of denial-of-service attacks.
By default, if you enable Remote Desktop, any member of the Administrators group can make a Remote
Desktop connection. Administrators can grant remote access to other users by adding them to the
Remote Desktop Users group on the local computer.
Remote Desktop uses RDP over TCP port 3389. By default, once you enable Remote Desktop, authorized
users can connect from any computer that is running the appropriate Remote Desktop client software.
You can use Windows Firewall to limit which computers can access port 3389.
By default, the client and server negotiate to use the highest encryption level that both the client and
server understand. For example, if a client that connects can only handle 64-bit encryption, then that is
the session's encryption level. When possible, the entire Remote Desktop session is encrypted at 128 bits
for data transmissions in both the client-to-server and server-to-client directions. Use Group Policy to
enforce high encryption, as necessary.
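The three connection settings, the Remote Desktop Users group membership, the port and the encryption negotiation described above each have a concrete place on the computer, so they can be audited without opening System Properties. The following script is an added example and is not part of the course: it reads those settings from the Terminal Server registry keys, lists the extra users who may connect, and shows the inbound firewall rules for the Remote Desktop group, then compares the result against a simple baseline. The baseline values (NLA required, High encryption, TLS security layer) are the example's own choice for a domain client.

```powershell
# Added example (not from the course): audit the Remote Desktop settings on
# the local computer. Registry values are those written by the Remote tab and
# the Remote Desktop Group Policy settings; the baseline is a constructed one.

function Get-RemoteDesktopSecurityState {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = "$ts\WinStations\RDP-Tcp"
    $tsProps  = Get-ItemProperty -Path $ts
    $rdpProps = Get-ItemProperty -Path $rdp

    # Members of the local Remote Desktop Users group, via ADSI (works on Windows 8.1)
    $rduMembers = @(([ADSI]'WinNT://./Remote Desktop Users,group').psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })

    [pscustomobject]@{
        # fDenyTSConnections = 1 corresponds to "Don't allow connections to this computer"
        RemoteDesktopEnabled = ($tsProps.fDenyTSConnections -eq 0)
        # UserAuthentication = 1 corresponds to "Allow connections only ... with Network Level Authentication"
        NlaRequired          = ($rdpProps.UserAuthentication -eq 1)
        # MinEncryptionLevel: 1 Low, 2 Client Compatible, 3 High, 4 FIPS Compliant
        MinEncryptionLevel   = $rdpProps.MinEncryptionLevel
        # SecurityLayer: 0 RDP Security Layer, 1 Negotiate, 2 SSL (TLS)
        SecurityLayer        = $rdpProps.SecurityLayer
        ListeningPort        = $rdpProps.PortNumber        # 3389 unless changed
        RemoteDesktopUsers   = $rduMembers
        FirewallRules        = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
                                  Select-Object DisplayName, Enabled, Profile)
    }
}

function Test-RemoteDesktopBaseline {
    param($State)
    # Findings only matter when Remote Desktop is actually enabled
    $findings = @()
    if ($State.RemoteDesktopEnabled) {
        if (-not $State.NlaRequired) {
            $findings += 'NLA not required: select "Allow connections only from computers running Remote Desktop with Network Level Authentication".'
        }
        if ($State.MinEncryptionLevel -lt 3) {
            $findings += 'Encryption level below High: enforce it with the "Set client connection encryption level" policy.'
        }
        if ($State.SecurityLayer -ne 2) {
            $findings += 'Security layer is not TLS: set the "Require use of specific security layer for remote (RDP) connections" policy to SSL.'
        }
        if ($State.RemoteDesktopUsers.Count -gt 0) {
            $findings += "Additional Remote Desktop Users: $($State.RemoteDesktopUsers -join ', ') (confirm each is still required)."
        }
    }
    $findings
}

$state = Get-RemoteDesktopSecurityState
$state | Format-List
Test-RemoteDesktopBaseline -State $state
```

Run the audit before and after applying the Remote Desktop Group Policy settings listed in the tables that follow to confirm that the policy actually changed the values on the client.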
The Remote Desktop Connection client software is built into Windows 8.1. This Remote Desktop version
supports Network Level Authentication to provide more secure communications.
To launch Remote Desktop Connection, from the Start screen, type Remote Desktop Connection, and
then press Enter. You also can type mstsc.exe in the Search box to launch a remote session.
To connect to the remote computer, you can type in either the name or the IP address of the remote
computer. When you connect, you will be asked for credentials. If another user is already signed in when
you attempt to connect, that user has 30 seconds to refuse to allow your connection. If the signed-in user
allows your connection or does not respond, your connection will occur successfully.
The following table lists the client options that you can configure by using the various tabs in the Remote
Desktop Connection dialog box.
Tab
Option
General
Enter the computer and user name, and select whether to save the
connection as an RDP file.
Display
Local Resources
Programs
Experience
Configure the way you want the remote session to appear visually. The
more features that you add, the more bandwidth it utilizes.
Advanced
Tell the Remote Desktop client how to behave if the RDP server fails to
prove its authenticity. You can choose whether to connect without
warning or to receive a warning, and whether you want to connect or
prevent the connection.
You can configure Remote Desktop connections, save them to RDP files, and then distribute them to
users. You can then open these files in Remote Desktop.
Description
These policies control session time limits for disconnected, idle, and
active sessions, and controls whether to terminate sessions when
limits are reached.
You can access policy settings for the user by expanding User Configuration, expanding Policies,
expanding Administrative Templates, expanding Windows Components, and then expanding Remote
Desktop Services.
The following table lists the options for user policy settings for Remote Desktop.
Policy setting for the user
Description
Lesson 2
Remote Assistance is a built-in tool that you can use to control another operating system by connecting
to it remotely. Windows Remote Assistance is a useful tool for providing remote assistance when users
need help.
Lesson Objectives
After completing this lesson, you will be able to:
For you or another helper to share the control of a computer, the user must grant permission. Likewise, if
the user wants to stop you or another helper from sharing control, they can click Cancel, and then click
Stop sharing, or, alternatively, press the E key.
You can offer Remote Assistance to users in anticipation of users requesting assistance from you. This is
useful in situations where you predict that users may require assistance, such as after you deploy a new
application or implement a new procedure.
The Help and Support Center provides links to assist helpers in offering Remote Assistance to users. By
using the computer name or IP address, you can send an invitation to the user. A remote session begins
when the user accepts the request.
Sending an Invitation
A user who needs assistance can initiate a Remote Assistance session by sending an invitation to the
helper.
The following table lists the methods by which users can send invitations.
Invitation method
Description
Saving a file
Save the invitation to a file in a network location that the helper can
access. You can use the Help and Support Center links to assist in saving
the invitation as a file.
When you create an invitation, a password is created and displays in a Windows Remote Assistance dialog
box. The requester must communicate the password to the helper in a separate message or phone call.
The Windows Remote Assistance dialog box remains open and waits for an incoming connection. The user
must not close this window, or the helper will be unable to respond.
Administrators can control many aspects of the invitation, such as how long an invitation remains valid,
and whether someone can control the computer remotely. These settings are in the Advanced section of
the Remote tab in System Properties. The default settings allow remote control, and invitations are valid
for six hours.
Accepting an Invitation
After receiving your invitation, the recipient can respond by saving and then opening the attached file,
and then entering the password. Remote Assistance creates an encrypted connection either over the
Internet or over the network that connects the computers. The requesting user has to click Yes to
complete the transaction.
Note: When you use Remote Assistance, you can choose to connect by using Easy Connect.
When you use Easy Connect, Remote Assistance generates a temporary password that the person
you are helping gives to you. You can use the password to connect directly to that person's
computer. When the connection is made, contact information is exchanged between your
computer and the other person's computer. This information will allow you to quickly connect in
the future without using the password.
Description
Lesson 3
Using Remote Desktop or Remote Assistance to manage remote computers is not always the most
convenient or practical solution. These technologies can make large-scale or automated management
difficult. Windows PowerShell addresses these issues with remote administration, also known as remoting.
Remoting lets you run Windows PowerShell commands for automated or interactive remote management
by using Windows Remote Management. Windows Remote Management is a Microsoft implementation
of the Web Services for Management protocol. Windows Remote Management enables you to:
Take control of a remote Windows PowerShell session to run commands directly on that computer.
Lesson Objectives
After completing this lesson, you will be able to:
One-to-One remoting: In this scenario, you connect to a single remote computer and run shell
commands on it, exactly as if you had signed in to the computer and opened a Windows PowerShell
window.
One-to-Many remoting or Fan-Out remoting: In this scenario, you issue a command that will be
executed on one or more remote computers in parallel. You are not working with each remote
computer interactively. Rather, your commands are issued and executed in a batch, and the results
are returned to your computer for your use.
Many-to-One remoting or Fan-In remoting: In this scenario, multiple administrators make remote
connections to a single computer. Typically, those administrators will have differing permissions on
the remote computer, and might be working in a restricted session within the shell. This scenario
usually requires custom development of the restricted session, which will not be covered further in
this course.
Remoting Requirements
Remoting requires that both Windows PowerShell and Windows Remote Management be installed on your
local computer and on any remote computers to which you want to connect.
You also must enable Windows PowerShell remoting. It is enabled by default in Windows Server 2012 R2,
but you must enable it on Windows 8.1. To enable remoting, use the following procedure:
Verify the status of the Windows Remote Management service. To start Windows Remote Management and
configure the Firewall settings, open Windows PowerShell, type the following command, and then press
Enter:
Winrm quickconfig
Windows Remote Management is a Microsoft implementation of Web Services for Management, which is
a set of protocols that has been widely adopted across different operating systems. As the name implies,
Web Services for Management and Windows Remote Management use web-based protocols. An
advantage to these protocols is that they use a single, definable port, making them easier to pass
through firewalls than older protocols that randomly selected a port. Windows Remote Management
communicates via HTTP. By default, Windows Remote Management and Windows PowerShell remoting
use TCP port 5985 for incoming unencrypted connections, and TCP port 5986 for incoming encrypted
connections. Applications that use Windows Remote Management, such as Windows PowerShell, can also
apply their own encryption to the data that is passed to the Windows Remote Management service.
Windows Remote Management supports authentication, and uses the AD DS native Kerberos protocol by
default in a domain environment. Kerberos does not pass credentials across the network, and it supports
mutual authentication to ensure that incoming connections are coming from valid computers.
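The following script is an added example, not part of the course material, that puts the requirements above into a repeatable check: it reports the WinRM service state, the configured listeners (HTTP on TCP 5985, HTTPS on TCP 5986), the state of the inbound firewall rules, and whether WS-Management actually answers, and only then enables remoting if it is not working. It assumes the English display-group name "Windows Remote Management" for the firewall rules and must run in an elevated Windows PowerShell session on Windows 8.1 or later.

```powershell
# Added example (not from the course): verify the pieces that Windows PowerShell remoting
# depends on before, and after, enabling it. Run from an elevated Windows PowerShell prompt.
function Test-RemotingReadiness {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $result = [ordered]@{
        Computer        = $ComputerName
        WinRMService    = (Get-Service -Name WinRM).Status
        Listeners       = @()
        FirewallEnabled = $false
        WSManResponds   = $false
    }

    # Each listener is a container under WSMan:\localhost\Listener; its Transport and Port
    # items tell you whether HTTP (5985) and/or HTTPS (5986) are configured.
    Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue | ForEach-Object {
        $props     = Get-ChildItem -Path $_.PSPath
        $transport = ($props | Where-Object Name -eq 'Transport').Value
        $port      = ($props | Where-Object Name -eq 'Port').Value
        $result.Listeners += "$transport/$port"
    }

    # The inbound rules in this group (assumed English name) open TCP 5985/5986.
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' `
                 -Direction Inbound -ErrorAction SilentlyContinue
    $result.FirewallEnabled = [bool]($rules | Where-Object { $_.Enabled -eq 'True' })

    # Test-WSMan sends an Identify request; it succeeds only if WinRM is listening and reachable.
    $result.WSManResponds = [bool](Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

$state = Test-RemotingReadiness
$state | Format-List

if (-not $state.WSManResponds) {
    # Enable-PSRemoting starts WinRM, creates the HTTP listener and enables the firewall rules.
    # -SkipNetworkProfileCheck is needed on a Windows 8.1 client whose active network is Public;
    # without it the cmdlet refuses to run, and with it the rule is limited to the local subnet.
    Enable-PSRemoting -Force -SkipNetworkProfileCheck
    Test-RemotingReadiness | Format-List
}
```

Run the function again after `Winrm quickconfig` or `Enable-PSRemoting` to confirm that a listener exists and that `WSManResponds` is true; if the service runs but nothing listens, the listener or firewall rule is the missing piece rather than the service.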
Any files and other resources necessary to run a particular command must be on the remote computer
because the remoting commands do not copy any resources. However, you can run local scripts. This is
because the script's contents are sent to the remote computer, rather than the script file itself. Information
Technology (IT) professionals must have permission to:
Invoke-Command
Enter-PSSession
Exit-PSSession
Disconnect-PSSession
Receive-PSSession
Connect-PSSession
When you run commands on multiple computers, be aware of differences between the remote
computers, such as differences in operating systems, file system structures, and the system registries. For
example, the default home folder can vary depending on the version of the Windows operating system
that is installed. This location is stored in the %homepath% environment variable ($env:homepath). If
no home folder is assigned, the system assigns a default local home folder to the user account. This is
generally located on the root directory where the operating system files are installed as the initial version.
Temporary session
Persistent session
For a temporary session, you start the session, run the commands, and then end the session. Variables
or functions defined within commands are no longer available after you close the connection. This is an
efficient method for running a single command or several unrelated commands, even on a large number
of remote computers. To create a temporary connection, use the Invoke-Command cmdlet with the
ComputerName parameter to specify the remote computers. Then use the ScriptBlock parameter to
specify the command. For example, the following command runs Get-EventLog on the LON-CL1
computer:
Invoke-Command -ComputerName LON-CL1 -ScriptBlock {Get-EventLog -LogName System}
To create a persistent connection with another computer, use the New-PSWorkflowSession cmdlet. For
example, the following command creates a session on a remote computer, and saves the session in the $s
variable:
$s = New-PSWorkflowSession -ComputerName LON-CL1
Use the Enter-PSSession cmdlet to connect to and start an interactive session. For example, after you
open a new session on LON-CL1, the following command starts an interactive session with the computer:
Enter-PSSession $s
Once you enter a session, the Windows PowerShell command prompt on your local computer changes to
indicate the connection, for example:
[LON-CL1]: PS C:\>
The interactive session remains open until you close it. This enables you to run as many commands as are
required. To end the interactive session, type Exit-PSSession.
Beginning with Windows PowerShell 3.0, persistent sessions are saved on the remote computer. You
can use the Disconnect-PSSession cmdlet to disconnect your client connection and leave the persistent
session active. To retrieve a list of your persistent sessions on LON-CL1, you can run the following cmdlet:
Get-PSSession ComputerName LON-CL1
You can retrieve the results of your disconnected session by using the Receive-PSSession cmdlet. You
also can reconnect to a disconnected session by using the Connect-PSSession cmdlet.
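The script below is an added example, not part of the course, that demonstrates the difference the text describes: state is lost between temporary Invoke-Command calls but kept inside a persistent session, and from Windows PowerShell 3.0 a persistent session survives Disconnect-PSSession and can be picked up again with Connect-PSSession or Receive-PSSession. It uses New-PSSession, the cmdlet the multi-computer example later on this page uses, and assumes LON-CL1 (the course's lab name) is a computer with remoting enabled; the session name EventScan is arbitrary.

```powershell
# Added example, not from the course: one-off connections versus persistent sessions, and how a
# session survives a disconnect. $target is the course's lab computer name; substitute your own.
$target = 'LON-CL1'

# Temporary connection: each Invoke-Command call gets a fresh runspace, so nothing carries over.
Invoke-Command -ComputerName $target -ScriptBlock { $stamp = Get-Date }
Invoke-Command -ComputerName $target -ScriptBlock { "Stamp is: $stamp" }   # $stamp is empty here

# Persistent session: variables, functions and loaded modules stay until the session is removed.
$s = New-PSSession -ComputerName $target
Invoke-Command -Session $s -ScriptBlock { $stamp = Get-Date }
Invoke-Command -Session $s -ScriptBlock { "Stamp is: $stamp" }            # the time set above

# Disconnect without ending the session; the remote runspace stays alive on $target.
Disconnect-PSSession -Session $s | Out-Null
Get-PSSession -ComputerName $target | Format-Table Name, State, Availability -AutoSize
Connect-PSSession -Session $s | Out-Null
Invoke-Command -Session $s -ScriptBlock { "Still here after reconnect: $stamp" }
Remove-PSSession -Session $s

# Run a long command in a session that starts out disconnected, so a dropped client link or a
# closed console does not lose its output; collect the output later with Receive-PSSession.
Invoke-Command -ComputerName $target -SessionName EventScan -InDisconnectedSession -ScriptBlock {
    Get-EventLog -LogName System -Newest 500 | Group-Object EntryType | Select-Object Name, Count
} | Out-Null

# ... later, possibly from a new console on the same client, as the same user ...
$summary = Receive-PSSession -ComputerName $target -Name EventScan
$summary | Format-Table -AutoSize
Get-PSSession -ComputerName $target -Name EventScan | Remove-PSSession
```

Disconnected sessions are visible only to the user who created them, and they are discarded when the session configuration's idle timeout expires, so collect and remove them rather than leaving them on the remote computer.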
You can establish a One-to-One remoting session by using the Windows PowerShell Integrated Scripting
Environment (ISE), and clicking the New Remote Windows PowerShell Tab option on the File menu. You
also can establish a remote Windows PowerShell session by using the Enter-PSSession cmdlet. For
example, to open a remote Windows PowerShell session on a computer named LON-CL1, you would
use the following syntax:
Enter-PSSession ComputerName LON-CL1
You can establish a One-to-Many remoting session by using the Invoke-Command cmdlet. To run the
Get-EventLog cmdlet, use the following command:
Invoke-Command -ScriptBlock { Get-EventLog -LogName System -Newest 5 }
Because a session created with New-PSSession uses a persistent connection, you can run another command
in the same session and still use a variable, such as $c, that an earlier command in that session defined.
The following command counts the number of commands saved in $c:
Invoke-Command -Session $s -ScriptBlock {$c.count}
To interrupt a command, press the Ctrl+C keys. The interrupt request is passed to the remote computer,
where it terminates the remote command.
Several cmdlets have a ComputerName parameter that lets you retrieve objects from remote computers.
Because these cmdlets do not use Windows PowerShell remoting to communicate, you can use the
ComputerName parameter in these cmdlets on any computer that is running Windows PowerShell. You
do not have to configure the computers for Windows PowerShell remoting, or fulfill the system
requirements for remoting.
The following table provides more information about the ComputerName parameter.
Command                                          Description
Get-Command -ParameterName ComputerName          Lists the cmdlets that have a ComputerName parameter.
Get-Help <cmdlet-name> -Parameter ComputerName   Displays the help for the ComputerName parameter of the specified cmdlet.
You can run commands on more than one remote computer at a time. For temporary connections, the
Invoke-Command cmdlet accepts multiple computer names. For persistent connections, the Session
parameter accepts multiple Windows PowerShell sessions. The number of remote connections is limited
by the computer resources and their capacity to establish and maintain multiple network connections.
To run a remote command on multiple computers, include all computer names in the ComputerName
parameter with the Invoke-Command cmdlet, and separate the names with commas as demonstrated in
the following example:
Invoke-Command -ComputerName LON-CL1, LON-CL2, LON-CL3 -ScriptBlock {Get-Culture}
You can also run a command in multiple Windows PowerShell sessions. The following commands create
Windows PowerShell sessions on LON-CL1, LON-CL2, and LON-CL3, and then run a Get-Culture
command in each Windows PowerShell session:
$s = New-PSSession -ComputerName LON-CL1, LON-CL2, LON-CL3
Invoke-Command -Session $s -ScriptBlock {Get-Culture}
To include the local computer in the list of computers, type the name of the local computer, a period (.),
or localhost. To help manage resources on the local computer, Windows PowerShell includes a
per-command throttling feature that limits the number of concurrent remote connections established for
each command. The default is 32 or 50 connections depending on the cmdlet. You can use the
ThrottleLimit parameter to set a custom limit.
The throttling feature is applied to each command and not to the entire session or to the computer.
When you are running commands concurrently in several temporary or persistent connections, the
number of concurrent connections is the sum of the concurrent connections in all sessions. To find
cmdlets with a ThrottleLimit parameter, use the following script:
Get-Command -ParameterName ThrottleLimit
When you run a local script on remote computers by using the FilePath parameter of Invoke-Command,
the script's results are returned to the local computer, and you do not need to copy the script file to the
remote computers.
Some tasks that IT professionals perform and that use Windows PowerShell include:
Running a command on all computers to check if the anti-virus software service is stopped, and to
restart it automatically, if necessary.
Opening a data file and passing the contents into a preformatted output file, like an HTML page or
Microsoft Excel spreadsheet.
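As an added example that is not part of the course, the script below implements the first task in the list above with the fan-out techniques described earlier on this page: one Invoke-Command call against several computers, an explicit ThrottleLimit, errors for unreachable computers captured rather than aborting the run, and each result tagged with the computer it came from. The computer names are the course's lab names, and the service name WinDefend (Windows Defender on Windows 8.1) is an assumption; substitute the service name of your anti-virus product.

```powershell
# Added example (not from the course): check a service on many computers at once and restart
# it where it is stopped. Computer names are the course's lab names; 'WinDefend' is assumed.
$computers   = 'LON-CL1', 'LON-CL2', 'LON-CL3'
$serviceName = 'WinDefend'

$results = Invoke-Command -ComputerName $computers -ThrottleLimit 16 `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors `
    -ArgumentList $serviceName -ScriptBlock {
        param($name)
        # Everything in this block runs on the remote computer; $name arrives via -ArgumentList.
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; Before = 'NotInstalled'; After = 'NotInstalled' }
            return
        }
        $before = $svc.Status
        if ($svc.Status -ne 'Running') {
            Start-Service -Name $name      # remediation: bring the stopped service back
            $svc.Refresh()                 # re-read the status after the start attempt
        }
        [pscustomobject]@{ Service = $name; Before = $before; After = $svc.Status }
    }

# PSComputerName is added by the remoting layer, so each row shows which computer it came from.
$results | Sort-Object PSComputerName |
    Format-Table PSComputerName, Service, Before, After -AutoSize

# Computers that could not be reached produce no rows in $results; list them from the errors.
foreach ($e in $remoteErrors) {
    "{0}: {1}" -f $e.TargetObject, $e.Exception.Message
}
```

To run the same logic from a saved script instead of an inline block, replace `-ScriptBlock { ... }` with `-FilePath .\Check-AvService.ps1` (a hypothetical file name); the script's contents are sent to each computer, so nothing needs to be copied first. Rows whose After column is still not Running identify computers that need a closer look.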
The IT manager has called a meeting with the help desk staff. The manager explains that, wherever
possible, staff should be using remote management techniques to help resolve users computer problems.
This will help resolve problems more quickly, and will help to reduce support costs.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20688D-LON-DC1, 20688D-LON-CL1, and 20688D-LON-CL3
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Adatum
2. On LON-CL1, open Windows Firewall, and verify that the Remote Desktop program is allowed
through the firewall for all network location profiles (Domain, Private, and Public).
2. In Control Panel, in System and Security, click Allow remote access, and then select the following
options:
5. Specify the computer to which you will connect as LON-CL1, and then click Show Options.
7. Under Server authentication, in the If server authentication fails list, click Connect and don't
warn me.
1. Connect to LON-CL1. When prompted, enter the user name Adatum\Adam and the password
Pa$$w0rd.
3. Close the Remote Desktop session, and then close all open windows.
Results: After completing this exercise, you should have successfully used Remote Desktop to manage a
remote computer.
A user contacts the help desk to report a problem with Microsoft Word. They are uncertain how to use the
commenting feature in Word. You have been assigned to resolve the incident. Rather than visit the user's
computer, you decide to use Remote Assistance to help to resolve the problem. You telephone the user
and explain to them how to initiate a Remote Assistance request.
The main tasks for this exercise are as follows:
1. Switch to LON-CL1.
3. Open Remote Settings, and then when prompted by User Account Control, specify administrative
credentials.
1. Switch to LON-CL3.
2. Retrieve the remote assistance request file and enter the password.
4. Take remote control and direct the user how to create a comment in a Word document.
5. Create a chat window and ask the user if they are satisfied with the offered solution.
Results: After completing this exercise, you should have successfully used Remote Assistance to manage a
remote computer.
Your manager wants you to test the process of using Windows PowerShell to perform remote
management. You decide to create a test environment using the LON-CL1 and LON-CL3 virtual machines.
The main tasks for this exercise are as follows:
1. Switch to LON-CL1.
7. At the Windows PowerShell prompt, type the following command, and then press Enter:
Winrm quickconfig
8. When prompted, press Y, and then press Enter, and then press Y, and then press Enter again.
9. At the Windows PowerShell prompt, type the following command, and then press Enter:
Enable-PSRemoting -Force
1. Switch to LON-DC1.
3. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-Command -ComputerName LON-CL1 -ScriptBlock {Get-EventLog -LogName System}
4. At the Windows PowerShell prompt, type the following command, and then press Enter:
$s = New-PSWorkflowSession -ComputerName LON-CL1
5. At the Windows PowerShell prompt, type the following command, and then press Enter:
Enter-PSSession $s
6. At the Windows PowerShell prompt, type the following command, and then press Enter:
exit
7. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-Command -Session $s -ScriptBlock {$c = Get-Command}
8. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-Command -Session $s -ScriptBlock {$c.count}
9. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-Command -ComputerName LON-CL1, LON-CL3 -ScriptBlock {Get-Culture}
10. At the Windows PowerShell prompt, type the following command, and then press Enter:
$s = New-PSWorkflowSession -ComputerName LON-CL1, LON-CL3
11. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-Command -Session $s -ScriptBlock {$c = Get-Command}
12. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-Command -Session $s -ScriptBlock {$c.count}
Results: After completing this exercise, you should have successfully established a remoting session and
performed remote management of LON-DC1 with Windows PowerShell cmdlets.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
Module 5
Resolving Network Connectivity Issues
Contents:
Module Overview 5-1
Module Overview
Configuring network settings is a common administrative task that in many organizations can account for
a significant percentage of overall administrative effort. Windows 8.1 includes several tools that you can
use to set up and troubleshoot both wired and wireless network connections more efficiently. To support
your organizations network infrastructure, it is important that you understand how to configure and
troubleshoot network connections.
Objectives
After completing this module, you will be able to:
Lesson 1
Lesson Objectives
After completing this lesson, you will be able to:
Network Charm
You can access the Network charm by clicking
the network symbol in the system tray from the
desktop. You can then enable or disable wireless
network connections, and by right-clicking a
connection, you can view network connection
properties. You also can access and enable
Airplane mode.
The Network and Sharing Center is the main user interface for managing network connections. It provides
a clear view of the status for any wired or wireless connection, and you can use it to create additional
network connections by using a wizard-driven interface. The Network and Sharing Center also provides
links for accessing other network-related tools, including:
Internet Options
Windows Firewall
A network location category classifies network connections so that you can configure network security
through Windows Firewall. The Windows 8.1 operating system groups and classifies network connections
into Public, Private, and Domain categories. Windows 8.1 automatically configures the firewall and
file-sharing settings based on the specified network location categories, which include:
Public. When a computer is not connected to a domain, this category is the default network location
type. Public category settings are the most restrictive, and help protect the computer when you
connect it to an untrustworthy network. For example, all types of file and printer sharing are turned
off in the Public category. Use the Public category for networks that have direct connections to the
Internet or those that allow unmanaged clients to connect, such as wireless hot spot networks.
Note: By default, Windows 8.1 assigns the Public category to all network connections.
The Private category. The Private category applies only if a user with local Administrator rights
manually assigns it to a network that you set previously to Public. Use the Private network location
category only for a trusted network. You must assign the Private network location category only for
a network connection that the public cannot access directly. A local administrator must assign this
category, and Windows remembers the assignment the next time you connect to the network.
Windows describes the Private network location category in one of two ways:
Home network. If all computers connected to the network are at your home, then select the
Home Private network location category.
Work network. If all computers connected to the network are at your workplace, then select the
Work Private network location category.
The Domain category. The Domain category applies when a computer that is running Windows 8.1
connects to a network, and then authenticates to a domain controller that is in the computer's
domain.
Windows 8.1 is capable of assigning a separate network location category to each connected network
interface. For example, if you connect your computer to your corporate network by using a virtual private
network (VPN) that you initiate from a wireless network hot spot (such as a coffee shop), then Windows
8.1 assigns two network location categories: Private for the corporate VPN, and Public for the wireless
network hot spot.
Note: By default, changing the network location on domain-joined computers does not
require administrative privileges. However, changing the network location for computers that are
not joined to a domain requires administrative privileges.
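The following script is an added example, not part of the course, showing how to audit the categories described above from Windows PowerShell: it lists the category assigned to each connected network, shows what each firewall profile enforces, flags File and Printer Sharing rules that are enabled on the Public profile, and reclassifies one interface from Public to Private. The interface alias Ethernet and the English display-group name "File and Printer Sharing" are assumptions; Set-NetConnectionProfile needs an elevated prompt.

```powershell
# Added example (not from the course): audit network location categories and the firewall
# profiles they select. Interface alias 'Ethernet' and the rule group name are assumed.

# 1. Which category does Windows apply to each connected network?
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, NetworkCategory, IPv4Connectivity |
    Format-Table -AutoSize

# 2. What does each profile enforce? Public is the most restrictive; confirm it is enabled
#    and that its default inbound action is Block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 3. File and printer sharing should be off on Public networks; list any inbound rule in that
#    group that is enabled for the Public profile (the Profile value can be 'Any' or a list).
$sharingOnPublic = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { $_.Enabled -eq 'True' -and ("$($_.Profile)" -match 'Public|Any') }
if ($sharingOnPublic) {
    "File and Printer Sharing is enabled on the Public profile by {0} rule(s):" -f @($sharingOnPublic).Count
    $sharingOnPublic | Select-Object DisplayName, Profile | Format-Table -AutoSize
}

# 4. Reclassify a trusted network that was left as Public. Do this only for a network the
#    public cannot reach directly; Windows remembers the assignment for that network.
$ncp = Get-NetConnectionProfile -InterfaceAlias 'Ethernet' -ErrorAction SilentlyContinue
if ($ncp -and $ncp.NetworkCategory -eq 'Public') {
    Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private
    Get-NetConnectionProfile -InterfaceAlias 'Ethernet' | Select-Object Name, NetworkCategory
}
```

On a domain-joined computer the Domain category is chosen automatically when a domain controller is reachable, so step 4 normally applies only to non-domain networks such as a home or test network.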
Homegroups
A homegroup is a collection of computers that are deployed on a home network and share resources
such as files and printers. When your computer is part of a homegroup, you can share images, media files,
documents, and printer devices with others in your homegroup. Once you enable a homegroup, you can
then define which libraries you will share, such as Pictures, Documents, or Videos.
You can enable a homegroup only on network interfaces that are defined as part of a private network
location profile. To provide for basic security, you can enable a password on your homegroup.
Note: Although domain-joined computers cannot create homegroups, they can connect to
existing homegroups.
Windows 8.1 provides a user-friendly interface called the Network Setup Wizard that you can use to
configure network settings. Windows 8.1 recognizes any unconfigured network devices on the computer,
and then automates the process of adding and configuring them. The Network Setup Wizard also
recognizes any wireless networks in range of the computer, and then guides you through the process of
configuring them.
You can save network settings to a USB flash drive for use when configuring additional computers. Saving
network settings to a USB device makes configuring similar new computers and devices quicker. You also
can use the Network Setup Wizard to enable sharing across your network for documents, photos, music,
and other files.
NDF
The Network Diagnostics Framework (NDF) provides a single, unified set of technologies to assist in
troubleshooting and diagnosing network problems. By using the NDF, you can diagnose and repair
network problems in the context of the application that experienced the problem. Additionally, with the
NDF, users can diagnose and attempt to resolve their own issues automatically before they call the help
desk. The NDF can help reduce the total cost of ownership and the volume of calls to the help desk. To
access the NDF, from within the Network and Sharing Center, click Troubleshoot problems.
Network Explorer
Network Explorer displays a view of all of the computers, devices, and printers on the network. You
can customize the icons for various network devices, if the manufacturer allows customization. You
use Network Explorer to perform limited remote computer management, such as adjusting settings or
controlling music playback. To access Network Explorer, from Control Panel (Category View) click Network
and Internet, and then click View network computers and devices.
Network Discovery
Windows 8.1 computers use network discovery to generate accurate network topologies with network
map. During the troubleshooting process, you can use network map to view the real-time status of any
wired or wireless network connections.
Note: For the network map to function, you must enable network discovery.
A computer running Windows 8.1 uses network discovery to find other computers and devices on the
network. The first time you connect to a network, use the Set Network Location dialog box to classify
the type of network to which you are connected. After you classify the network location category,
Windows 8.1 activates the appropriate security settings.
Network discovery uses Link Layer Topology Discovery, which works with both wired and wireless
connections. By using network discovery and file sharing, a computer that is running Windows 8.1 can
discover and access files and shared devices on other networked, Link Layer Topology Discovery-capable
devices. Network discovery and file sharing also allow other networked, Link Layer Topology Discovery-
capable devices to discover your computer, and access files and shared devices.
Windows 8.1 supports Link Layer Topology Discovery through the Link-Layer Topology Discovery Mapper
service. The Link-Layer Topology Discovery Mapper service includes two components: the Link-Layer
Topology Discovery Responder, which enables your computer to be located on the network, and the
Link-Layer Topology Discovery Mapper I/O driver, which discovers and locates other computers and
devices on the network.
Windows 8.1 supports automatic discovery of Link Layer Topology Discovery-capable devices. In
combination with UPnP support, Windows 8.1 classifies the device capabilities, uses a unique, embedded
icon to represent the device, and accurately positions it on the network map. UPnP-certified devices
connect automatically to each other over the network, without the need for user configuration or
centralized servers.
Event Viewer
IPConfig
Ping
Tracert
NSLookup
Pathping
Unified Tracing
Windows PowerShell
Event Viewer
Event logs are files that record significant events on a computer, such as when a process encounters an
error. IP conflicts are reflected in the system log and might prevent services from starting. When these
events occur, Windows records the event in an appropriate event log. You can use Event Viewer to read
the log. When you troubleshoot errors on Windows 8.1, you can view the events in the event logs to
determine the cause of the problem.
You can use Event Viewer to access the Application, Security, Setup, and System logs under the Windows
Logs node. When you select a log and then select an event, a preview pane under the event list contains
details of the specified event. To help diagnose network problems, look for errors or warnings in the
System log related to network services.
You use Windows Network Diagnostics to diagnose and correct networking problems. In the event of a
Windows 8.1 networking problem, the Diagnose Connection Problems option helps diagnose and repair
the problem. Windows Network Diagnostics then presents a possible description of the problem and a
potential remedy. The solution may require manual intervention from the user.
IPConfig
The IPConfig command displays the current TCP/IP network configuration. Additionally, you can use
IPConfig to refresh Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS)
settings. For example, you might need to flush the DNS cache. The following table provides a brief
description of some of the IPConfig command switches.
Command               Description
ipconfig /all         Displays the full TCP/IP configuration for every adapter, including the physical (MAC) address, whether DHCP is enabled, lease times, and the DNS servers.
ipconfig /release     Releases the DHCP-assigned IPv4 address for the adapters.
ipconfig /renew       Requests a new DHCP lease for the adapters.
ipconfig /displaydns  Displays the contents of the DNS client resolver cache.
ipconfig /flushdns    Clears the DNS client resolver cache.
ipconfig /registerdns Refreshes all DHCP leases and re-registers the computer's DNS names.
Ping
You use the Ping command to verify IP-level connectivity to another TCP/IP computer. This command
sends and receives Internet Control Message Protocol (ICMP) echo request messages, and displays the
receipt of corresponding echo reply messages. The Ping command is the primary TCP/IP command used
to troubleshoot connectivity.
Note: Firewalls might block the ICMP requests. As a result, you may receive false negatives
when using ping as a troubleshooting tool.
Tracert
The Tracert tool determines the path taken to a destination computer by sending ICMP echo requests.
The path displayed is the list of router interfaces between a source and a destination. This tool also
determines which router has failed, and what the latency, or speed, is. These results may not be accurate if
the router is busy, because the router will assign the packets a low priority.
Pathping
The Pathping command traces a route through the network in a manner similar to the Tracert tool.
However, Pathping provides more detailed statistics on the individual steps, or hops, through the
network. The command can provide greater detail because it sends 100 packets for each router, which
enables it to establish trends.
NSLookup
The NSLookup tool displays information that you can use to diagnose the DNS infrastructure. You can
use the tool to confirm connection to the DNS server, and that the required records exist.
Unified Tracing
The Unified Tracing feature simplifies the process of gathering relevant data to assist in troubleshooting
and debugging network connectivity problems. Data is collected across all layers of the networking stack,
and then grouped into activities across the following individual components:
Configuration information
State information
Windows PowerShell
You also can use Windows PowerShell cmdlets for configuring and troubleshooting network settings.
The following table lists some of the network-related Windows PowerShell cmdlets and their purpose.
Cmdlet                        Purpose
Get-NetIPAddress              Retrieves the IPv4 and IPv6 address configuration of the network interfaces.
Get-NetIPv4Protocol           Retrieves the IPv4 protocol configuration of the computer.
Get-NetIPInterface            Retrieves IP interface properties, such as the DHCP state and interface metric.
Set-NetIPAddress              Modifies an existing IP address configuration.
Set-NetIPv4Protocol           Modifies the IPv4 protocol configuration.
Set-NetIPInterface            Modifies IP interface properties, such as enabling or disabling DHCP.
Get-NetRoute                  Retrieves the IP routing table, including the default gateway route.
Test-Connection               Sends ICMP echo requests to one or more computers, similar to Ping.
Resolve-Dnsname               Performs a DNS name query, similar to NSLookup.
Get-NetConnectionProfile      Retrieves the network location category of each connected network.
Clear-DnsClientCache          Clears the DNS client resolver cache, like ipconfig /flushdns.
Get-DnsClient                 Retrieves per-interface DNS client settings, such as the connection-specific suffix.
Get-DnsClientCache            Displays the DNS client resolver cache, like ipconfig /displaydns.
Get-DnsClientGlobalSetting    Retrieves global DNS client settings, such as the suffix search list.
Get-DnsClientServerAddress    Retrieves the DNS server addresses configured on each interface.
Register-DnsClient            Registers the computer's IP addresses in DNS, like ipconfig /registerdns.
Set-DnsClient                 Configures per-interface DNS client settings.
Set-DnsClientGlobalSetting    Configures global DNS client settings, such as the suffix search list.
Set-DnsClientServerAddress    Configures the DNS server addresses on an interface.
Lesson 2
Lesson Objectives
After completing this lesson, you will be able to:
Troubleshoot DNS.
Test Communications
The first step in troubleshooting a network problem is identifying the scope of the problem. The causes
of a problem that affects a single user will most likely differ from a problem that affects all users. If a
problem affects only a single user, then the problem is likely related to the configuration of that one
computer. If a problem affects all users, then the problem is likely either a server configuration issue or a
network configuration issue. If a problem affects only a group of users, then you need to determine the
common denominator among that group of users.
Additional information about the problem helps you resolve network connection issues. If you are
troubleshooting a wired network connection, ask yourself the following questions:
How many users is the problem affecting? If the problem is affecting several users, this suggests a
server-side or network infrastructure problem rather than a client-side networking problem.
Is the problem persistent for the users that are affected? Intermittent problems can be more difficult
to reproduce and troubleshoot.
Does removing a problematic computer from the network solve the problem for other users? The
computer that you remove from the network may be generating a fault on the network.
The second step is to determine the computer's IP configuration. Determining the Windows 8.1
computer's TCP/IP configuration also can help you troubleshoot a network problem. You can determine
the TCP/IP configuration in one of four ways:
From Network and Sharing Center, select Change adapter settings, display the network connection
properties, select either Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4
(TCP/IPv4), as required, and then view the protocol properties.
Open a command prompt. Type the IPConfig /all command to view the IPv4 address and IPv6
address configurations. Use the following command to save the IPv4 and IPv6 configuration
information as a text file for future reference:
IPConfig /all >c:\IPConfig.txt
This command creates a text file in the root of drive C that contains the IPConfig command output.
Use the Netsh command to display specific configuration information. For example, to display the
TCP/IP configuration for IPv4 only, type the following command:
netsh interface ipv4 show config
You also can use the Netsh command to display specific IPv6 configuration information:
netsh interface ipv6 show addresses
Use the following Windows PowerShell cmdlet to determine the computer's IP configuration:
Get-NetIPAddress
From Network and Sharing Center, click Change adapter settings, and then view the installed
network adapters.
4. In the Physical adapter Properties dialog box, click the Details tab to view the Device description
property value. This value displays the network adapter make and model.
5. From the Advanced tab, in the Property list, click a property to view or edit its value.
To view information about the driver used for the network adapter, follow these steps:
1. In the Physical adapter Properties dialog box, click the Driver tab.
2. Click Driver Details to view the full path to the driver file.
Note: For wired networks, remember also to check the physical infrastructure. This might
include the wire that connects a computer to the nearest wiring port, and connections in the
wiring closet.
Test Communications
Having verified the local computer's network configuration, you now may need to perform some basic
connectivity tests to help identify where the problem lies. A possible process is discussed later in this
lesson, but will include these fundamental elements:
4. Verify that security settings match. To ensure that wireless communications are secure, both the
network client and the wireless access point negotiate authentication and encryption settings before
they begin to communicate. You must verify these settings.
To help you address the additional requirements for determining the wireless network configuration, use
the following tools and procedures.
Use the NDF to troubleshoot wireless connections. If a wireless connection is unsuccessful, start Windows
Network Diagnostics to diagnose the problem and display a list of possible fixes.
A configuration mismatch in the authentication and encryption settings between the client and the
wireless access point can lead to problems with wireless connections. Windows 8.1 includes support for
Wi-Fi Protected Access 2 (WPA2) encryption that allows for more secure wireless connections. You should
utilize WPA2 by upgrading your wireless access points to support WPA2. The following table summarizes
the wireless authentication and encryption standards that are available in Windows 8.1.
Security type      Authentication                            Encryption
Open               No authentication (open)                  No encryption
WEP                No authentication (open) or Shared key    WEP
WPA-Personal       WPA preshared key                         TKIP or AES
WPA-Enterprise     802.1X (EAP)                              TKIP or AES
WPA2-Personal      WPA2 preshared key                        AES
WPA2-Enterprise    802.1X (EAP)                              AES
802.1x             802.1X (EAP)                              WEP
To determine the wireless network settings, either review the wireless network connection settings or
examine the Group Policy settings. To view or configure wireless network Group Policy settings, open
Group Policy Management, expand Computer Configuration, expand Policies, expand Windows Settings,
expand Security Settings, and then click Wireless Network (IEEE 802.11) Policies. You can create or edit
wireless network Group Policy Objects (GPOs) for:
The Windows Vista operating system and newer Windows client operating system releases
The following table lists the settings that Group Policy enables you to configure.
Setting                 Description
Infrastructure/Ad Hoc   Whether the policy applies to infrastructure networks (through an access point) or to ad hoc networks between clients.
Encryption              The encryption method that clients use for the network, for example WEP, TKIP, or AES.
Authentication mode     The authentication method that clients use, for example open, shared key, WPA/WPA2 preshared key, or 802.1X.
Ensure that the authentication and encryption method that you select on the client, or that you configure
by the policy, matches the access point capability.
A wireless connection, like any other connection, needs an IP address. You must configure the wireless
access point with a scope of IP addresses for the connecting clients. You must have sufficient IP addresses
in the scope to allocate addresses for the number of clients that are connecting to the network.
To determine whether a Windows 8.1-based client has obtained an IP address, at a command prompt,
type IPConfig /all, and then review the address given to the wireless connection. If Windows 8.1 has
allocated a 169.254.x.y (Automatic Private IP Addressing, or APIPA) address to the interface, the client
was unable to obtain a valid IP address from the wireless access point.
To determine the local IP configuration, use the IPConfig /all command or the Get-NetIPAddress and
Get-NetIPv4Protocol Windows PowerShell cmdlets. These commands provide information about the
local computer, including the following:
IP address
Subnet mask
Host name
DNS suffixes
How the IP configuration was obtained, for example, whether the IP configuration was obtained by
using DHCP
After running these commands, compare the output of another computer that is in the same subnet as
the problematic host. When studying the output, remember that:
The IP address must be in the same host range for the given subnet as the other local computer,
while being unique within the subnet.
The subnet mask must match that of the other local host. If the subnet mask does not match, then
the computer has an incorrect network ID that can cause communication failures, particularly to
remote subnets.
The default gateway must match that of the other local host. If the default gateway is incorrect or
missing, then the computer cannot communicate with remote subnets.
If the DNS server is incorrect or missing, the computer might not resolve names, and communication
can fail.
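The subnet, mask, gateway and DNS comparisons above can be applied mechanically. The following PowerShell function is an added example, not part of the course material; the two hashtables are constructed sample data (172.16.0.51 and 172.16.0.10 are the course's LON-CL1 and LON-DC1 addresses, the gateway 172.16.0.1 is assumed), and on a live client the same fields would be read from Get-NetIPConfiguration.

```powershell
# Added example (not from the course): compare the IPv4 configuration of a problem
# host with that of a known-good host on the same subnet, check by check.
# On a live Windows 8.1 client the fields can be taken from Get-NetIPConfiguration:
#   $c = Get-NetIPConfiguration -InterfaceAlias 'London_Network'
#   $c.IPv4Address.IPAddress, $c.IPv4Address.PrefixLength,
#   $c.IPv4DefaultGateway.NextHop, $c.DNSServer.ServerAddresses

function Get-NetworkId {
    # Network ID = address AND subnet mask, computed octet by octet from the prefix length.
    param([string]$Address, [int]$PrefixLength)
    $octets = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    $net = New-Object byte[] 4
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [math]::Min(8, [math]::Max(0, $PrefixLength - 8 * $i))   # mask bits in this octet
        $maskOctet = (0xFF -shl (8 - $bits)) -band 0xFF
        $net[$i] = $octets[$i] -band $maskOctet
    }
    return (New-Object System.Net.IPAddress -ArgumentList (,$net)).ToString()
}

function Compare-IPv4Config {
    # Returns one finding per failed check; no output means the addressing matches
    # the reference host and is unlikely to be the cause of the problem.
    # $Reference must carry at least one DNS server (Compare-Object needs a non-empty list).
    param([hashtable]$Problem, [hashtable]$Reference)
    $findings = @()
    if ($Problem.IPAddress -like '169.254.*') {
        $findings += 'APIPA address (169.254.x.y): the client failed to obtain a lease from a DHCP server.'
        return $findings      # the other checks mean nothing until a lease is obtained
    }
    if ($Problem.PrefixLength -ne $Reference.PrefixLength) {
        $findings += "Subnet mask differs (/$($Problem.PrefixLength) vs /$($Reference.PrefixLength)): wrong network ID, remote subnets may be unreachable."
    }
    $netP = Get-NetworkId $Problem.IPAddress $Problem.PrefixLength
    $netR = Get-NetworkId $Reference.IPAddress $Reference.PrefixLength
    if ($netP -ne $netR) {
        $findings += "Address $($Problem.IPAddress) is on network $netP but the reference host is on $netR."
    }
    if ($Problem.IPAddress -eq $Reference.IPAddress) {
        $findings += "Address $($Problem.IPAddress) is not unique: the reference host uses it as well."
    }
    if ([string]::IsNullOrEmpty($Problem.Gateway)) {
        $findings += 'Default gateway missing: the host cannot communicate with remote subnets.'
    } elseif ($Problem.Gateway -ne $Reference.Gateway) {
        $findings += "Default gateway $($Problem.Gateway) differs from the reference gateway $($Reference.Gateway)."
    }
    if (-not $Problem.DnsServers) {
        $findings += 'No DNS server configured: name resolution will fail.'
    } elseif (Compare-Object $Problem.DnsServers $Reference.DnsServers) {
        $findings += "DNS servers ($($Problem.DnsServers -join ', ')) differ from the reference ($($Reference.DnsServers -join ', '))."
    }
    return $findings
}

# Constructed sample data: a healthy LON-CL1 and a mis-addressed host on the same wire.
$reference = @{ IPAddress = '172.16.0.51'; PrefixLength = 24; Gateway = '172.16.0.1'; DnsServers = @('172.16.0.10') }
$problem   = @{ IPAddress = '172.16.0.77'; PrefixLength = 16; Gateway = '172.16.1.1'; DnsServers = @() }

$findings = Compare-IPv4Config -Problem $problem -Reference $reference
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } }
else { 'Configuration matches the reference host.' }
```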
Because DHCP configures most computers, if the configuration does not match that of the other local
host, verify that the computer can obtain an IP address correctly by using the following procedure:
1. Open an elevated command prompt, and release the existing address by using the IPConfig /release command.
2.
3.
If the host currently has an IP address in the range 169.254.0.0 to 169.254.255.254, the computer most
likely failed to obtain a dynamically assigned address. This Automatic Private IP Addressing (APIPA)
indicates one of three problems:
If the computer has a valid IP configuration but cannot communicate with one or more remote hosts,
verify connectivity with the Portqry, Ping, Telnet, and Windows PowerShell cmdlets.
The Portqry command reports on the current port status of Transmission Control Protocol (TCP) and User
Datagram Protocol (UDP) ports on a computer against which you run it. When you run Portqry, the
output returns one of the following responses about ports on the target:
Listening. A process is listening on the computer's port that you select. Portqry received a response
from the port.
Not Listening. No process is listening on the target system's target port. Portqry receives an
ICMP Destination Unreachable - Port Unreachable message back from the target UDP port.
Alternatively, if the target port is a TCP port, Portqry receives a TCP acknowledgement packet with
the Reset flag set.
Filtered. The port on the computer that you select is being filtered. Portqry did not receive a
response from the port. A process may or may not be listening on the port. By default, Portqry
queries TCP ports three times, and queries UDP ports one time before a report indicates that the port
is filtered.
Portqry can query a single port, an ordered list of ports, or a sequential range of ports. For example, the
following command tries to resolve Microsoft.com to an IP address, and then queries TCP port 443 (the
port used by a listening web server for Secure Sockets Layer (SSL) requests) on the corresponding host:
portqry -n microsoft.com -p tcp -e 443
In this second example, the command sends a query to the directory service on LON-DC1 to verify that it
is listening:
portqry -n lon-dc1.adatum.com -e 389 -p udp
The Ping tool confirms two-way communication between two devices. This means that if Ping fails, the
local computer's configuration may not be the problem's cause. You can use Ping (or the Windows
PowerShell cmdlet test-connection) to ensure communication with a logical process, such as:
Note: When you ping the loopback address, you are not testing the network interface card
(NIC), but the TCP stack.
When using the Ping tool (or test-connection PowerShell cmdlet), remember that:
You can ping both the computer's name and IP address. If you ping the IP address successfully, but
not the name, it indicates that the name resolution is failing. If you successfully ping the name, but
the response does not resolve the fully qualified domain name (FQDN), the resolution did not
use DNS. This means that a process, such as broadcasts or Windows Internet Name Service (WINS),
was used to resolve the name, and applications that require DNS may fail.
A Request Timed Out message indicates that there is a known route to the destination computer, but
that the configuration is incorrect for one or more computers or routers along the path, including
the source and destination devices. Use Pathping or Tracert to help find the problem.
A Destination Host Unreachable message may indicate that the system cannot find a route to the
destination system, and therefore does not know where to send the packet on the next hop. If you
verify that the local IP configuration is correct, use Pathping and Tracert to help isolate the routing
problem.
If you can successfully ping a remote host but cannot communicate with the applications installed on the
host, verify that the application is accessible from your local computer. For example, a firewall might be
blocking your communication attempt, or the remote host is not listening on the appropriate port. The
telnet and Portqry tools can help identify issues that relate to blocked or nonresponsive ports.
You can use Pathping and Tracert to identify each hop between the source and destination systems. If
communication fails, these tools can help you identify how many hops are successful, and at which hop
the system communication fails.
Although Tracert records the hops through which packets travel, Pathping provides more information
about the routing process. Ping and Pathping both use ICMP packets to test connectivity to every router
between the local host and the remote destination host. Pathping then calculates statistics about the
routes used and the routers involved, including the hop number, round-trip time, packet loss, host names,
and IP addresses of intermediate hosts. To test routing connectivity to a remote host with Pathping, open
a command prompt, and type the following command:
Pathping www.microsoft.com
The output displays all hops between local host and destination host, and the statistical output.
You can use NSLookup to ensure that the DNS server is available and that it contains a record for the
computer with which you are attempting to communicate. This check is vital, because even if the
computer is available, you might not be able to communicate by using computer names if DNS is not
working correctly.
If you can communicate successfully with a remote host by using the Ping tool, but cannot access an
application on the remote host, it is possible that the remote host is not listening for your request on the
expected port, or that local or remote firewalls are blocking your request.
To determine whether the remote computer is listening on the expected port, use either the Portqry or
telnet tools.
Note: Portqry must be downloaded from the Microsoft Download website.
For example, to determine if the HTTP port is accessible, type the following command from an elevated
command prompt:
PortQry -n server -e 80
A message that the port is FILTERED or NOT LISTENING can indicate either that a firewall along the path
between the two hosts is blocking the request, or that the application uses a different port or has failed
on the remote host. If other hosts on the local subnet can communicate successfully, the problem most
likely exists within the local firewall configuration settings.
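The three Portqry states described earlier (Listening, Not Listening, Filtered) and the port check in this paragraph can be reproduced for TCP from PowerShell. The function below is an added example and not a Microsoft tool; the host names and ports come from the course's own Portqry examples, and the classification follows from what the remote end sends: a completed handshake, a Reset, or nothing within the timeout.

```powershell
# Added example (not from the course): classify a TCP port the way Portqry reports it.
#   SYN/ACK (connect succeeds)         -> LISTENING
#   TCP Reset (connection refused)     -> NOT LISTENING
#   no reply within the timeout        -> FILTERED (firewall on the path, or the
#                                         application is down on the remote host)
# UDP is not covered: that needs the ICMP Port Unreachable logic Portqry implements.
function Test-TcpPortState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return 'FILTERED'            # neither SYN/ACK nor RST arrived in time
        }
        $client.EndConnect($async)       # throws a SocketException on RST or other failure
        return 'LISTENING'
    }
    catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap PowerShell's MethodInvocationException
        if ($ex -is [System.Net.Sockets.SocketException]) {
            $code = $ex.SocketErrorCode.ToString()
            switch ($code) {
                'ConnectionRefused' { return 'NOT LISTENING' }   # target answered with a TCP Reset
                'TimedOut'          { return 'FILTERED' }
                'HostNotFound'      { return 'NAME RESOLUTION FAILED' }
                default             { return "ERROR: $code" }
            }
        }
        return "ERROR: $($ex.Message)"
    }
    finally {
        $client.Close()
    }
}

# Equivalent of the course's "portqry -n lon-dc1.adatum.com -e 389" (over TCP) and
# "PortQry -n server -e 80" checks. A FILTERED result on a port that another host on
# the same subnet reports as LISTENING points at the local firewall configuration.
$checks = @(
    @{ Host = 'lon-dc1.adatum.com'; Port = 389 },   # directory service
    @{ Host = 'lon-dc1.adatum.com'; Port = 80 }     # HTTP
)
foreach ($c in $checks) {
    $state = Test-TcpPortState -ComputerName $c.Host -Port $c.Port
    '{0}:{1} -> {2}' -f $c.Host, $c.Port, $state
}
```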
You also can use telnet to verify that a port is listening. For example, if you want to verify Simple Mail
Transfer Protocol (SMTP) functionality, you can open a Telnet session to port 25 on the destination host.
Open a command prompt, and type telnet. From the Microsoft Telnet prompt, type the following
command:
Open LON-dc1.adatum.com 25
Note: To troubleshoot applications by using telnet and Portqry, you must understand
which ports your applications use.
In addition to Portqry and telnet, you can use the Netstat command to discover information about ports
in use between your client computer and other remote systems. The following command lists the active
connections on your client computer:
Netstat -n
If you cannot communicate successfully with a remote application, before troubleshooting the application
itself, verify that the local firewall is not blocking your attempt. To determine which firewall rules are
active, open Windows Firewall with Advanced Security, and then click the Monitoring node. The
Monitoring section lists the active rules. Determine if any rules are responsible for blocking your
connection attempt.
Remember that the network location category might be responsible for your connectivity problem,
because the public category is more restrictive than the private category. If you configure the network
with the wrong network location category, use the Network and Sharing Center to reconfigure the
network category.
Intermittent Problems
When users report inconsistent or intermittent problems, you might need to approach the
troubleshooting process slightly differently. For example, if a user's email application functions while their
web browsing does not, this suggests a specific problem with web browsing rather than with the network
connectivity itself. The problem might lie with the client-side application, the browser, or the network
components through which web-browsing traffic passes, such as firewalls, Network Address Translation
(NAT) devices, and routers.
Test connectivity.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
View IPv4 configuration from a GUI
1. Switch to LON-CL1.
2. Press the Windows + S keys, in the Search box, type Control, and then click Control Panel.
3.
4.
5. In Network and Sharing Center, to the right of the Adatum.com Domain network, click London_Network.
6. In the London_Network Status dialog box, click Details. This window displays the same configuration information for this adapter as the Ipconfig command would display.
7.
8. In the London_Network Status dialog box, click Properties. You can configure protocols in this window.
9. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. You can configure the IP address, subnet mask, default gateway, and Domain Name System (DNS) servers in this window.
10. Click Advanced. In the Advanced TCP/IP Settings window, you can configure additional settings, such
as additional IP addresses, DNS settings, and Windows Internet Name Service (WINS) servers for
NetBIOS name resolution.
11. Close all open windows without modifying any settings.
Click Start.
2.
3. At the Windows PowerShell command prompt, type Get-NetIPAddress and then press Enter.
4. At the Windows PowerShell command prompt, type Get-NetIPv4Protocol and then press Enter.
5. At the command prompt, type netsh interface ipv4 show config, and then press Enter. The current IPv4 configuration is displayed.
6. At the Windows PowerShell command prompt, type ipconfig /all, and then press Enter.
Test connectivity
1. At the Windows PowerShell command prompt, type test-connection LON-DC1, and then press Enter.
2. At the command prompt, type netstat -n, and then press Enter. Observe and describe the active connections to 172.16.0.10. Most connections to services are transient.
3. If no connections appear, then create a connection. To create a connection, click Start, type \\LON-DC1, and then press Enter.
4.
5. At the command prompt, type netstat -n, and then press Enter. Identify the services that LON-CL1 had connections to on LON-DC1.
6.
7. In Windows Internet Explorer, in the Address bar, type http://LON-DC1, and then press Enter.
8.
9. At the command prompt, type netstat -n, and then press Enter. Identify the additional open connections.
1. Click Start, type Windows Firewall, and then click Windows Firewall.
2.
3. In Windows Firewall with Advanced Security, expand Monitoring, and then click Firewall. These are the active firewall rules.
4.
5. At the command prompt, type netsh advfirewall firewall show rule name=all dir=in, and then press Enter.
6.
7.
2.
3.
4.
5.
6. In Network and Sharing Center, to the right of the Adatum.com Domain network, click London_Network.
7. In the London_Network Status dialog box, click Properties. In this window, you can configure protocols.
8.
9.
In the Properties dialog box, click Obtain an IP address automatically. Notice that when you click
this, the Alternate Configuration tab becomes available.
11. Click the Alternate Configuration tab. Configuration information on this tab is used when no DHCP
server is available.
12. Click OK to save the changes.
13. In the London_Network Properties dialog box, click Close.
14. In the London_Network Status dialog box, click Details. Notice that DHCP is enabled, and that the
IP address of the DHCP server displays.
15. Close all open windows.
Completion Steps
After you have completed the practice session, leave the virtual machines running for the next
practice session.
For computers that are not part of a domain, you can view the primary DNS suffix from the DNS Suffix
and NetBIOS Computer Name dialog box. You access this dialog box from the System Properties dialog
box on the Computer Name tab. By default, a non-domain member computer has no primary DNS suffix.
Note: You can assign a separate DNS suffix to each individual network connection. You
view or edit the connection-specific DNS suffixes from the Advanced TCP/IP Settings page that is
accessible from the IPv4 or IPv6 properties of the relevant network connection.
When you troubleshoot name resolution, you must understand what name resolution methods the
computer is using, and in what order the computer uses them. The operating system resolves host names
either by using a local text file named hosts, or by using DNS. During the host name resolution process,
Windows 8.1:
1. Checks whether the host name is the same as the local host name.
2.
3.
Note: Windows 8.1 appends the primary and connection-specific suffixes to all names that
it is resolving. If initially the name resolution is unsuccessful, Windows 8.1 applies parent suffixes
of the primary DNS suffix. For example, if the DNS resolver attempts to resolve the name LON-CL1,
Windows 8.1 appends the .adatum.com suffix to attempt resolution. If that is unsuccessful,
the operating system appends .com to the name, and attempts to resolve it once again. You can
configure this behavior from the Advanced TCP/IP Settings page.
The primary tools for troubleshooting host name resolution are IPConfig and NSLookup, and their
Windows PowerShell equivalents Get-NetIPAddress, Get-NetIPv4Protocol, and Resolve-DnsName.
Note: You should perform standard network troubleshooting techniques, such as running
NDF and verifying basic connectivity, before you begin to test name resolution.
Be sure to clear the DNS resolver cache between resolution attempts.
Open an elevated command prompt, and then clear the DNS resolver cache by typing the following
command:
IPConfig /flushdns
Note: Alternately, you can use the Windows PowerShell cmdlet Clear-DnsClientCache.
2. Attempt to verify connectivity to a remote host by using its IP address. This helps you identify whether the issue is because of name resolution. You can use the Ping command or the test-connection Windows PowerShell cmdlet. If the Ping command succeeds with the IP address but fails by the host name, the problem is with name resolution.
Note: Remember that the remote host must allow inbound ICMP echo packets through its
firewall for this test to be viable.
3. Attempt to verify connectivity to the remote host by its hostname, using the FQDN followed by a period. For example, type the following command at the command prompt:
Test-connection LON-cl1.adatum.com.
If the test is successful, the problem likely does not relate to name resolution.
5. If the test is unsuccessful, edit the C:\windows\system32\drivers\etc\hosts text file, and add the appropriate entry to the end of the file. For example, add this line, and then save the file:
172.16.0.51 LON-cl1.adatum.com
6. Perform the test-by-host-name procedure again. Name resolution should now be successful.
7. Examine the DNS resolver cache to verify that the name resolved correctly. To examine the DNS resolver cache, type the following command at a command prompt:
IPConfig /displaydns
Note: You can also use the Windows PowerShell cmdlet Get-DnsClientCache.
8. Remove the entry that you added to the hosts file, and then clear the resolver cache once more.
At the command prompt, type the following command, and then examine the contents of the
filename.txt file to identify the failed stage in name resolution:
NSLookup.exe -d2 LON-cl1.adatum.com. > filename.txt
You should understand how to interpret the NSLookup command output so that you can identify
whether the name resolution problem exists with the client computers configuration, the name server,
or the configuration of records within the name server's zone database. In the first section of the following
output sample, the client resolver performs a reverse lookup to determine the DNS server host name.
You can view the query 10.0.16.172.in-addr.arpa, type = PTR, class = IN in the QUESTIONS section. The
returned result, name = LON-dc1.adatum.com, identifies the host name of the queried DNS server:
-----------SendRequest(), len 41
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
10.0.16.172.in-addr.arpa, type = PTR, class = IN
----------------------Got answer (73 bytes):
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
10.0.16.172.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 10.0.16.172.in-addr.arpa
type = PTR, class = IN, dlen = 20
name = LON-dc1.adatum.com
ttl = 1200 (20 mins)
-----------Server: LON-dc1.adatum.com
Address: 172.16.0.10
In the following section, the client resolver performs a recursive query of the DNS server for the host
LON-cl1.adatum.com, type = A, class = IN. The returned result appears in the ANSWERS section of the
following output. Note that the answer also includes a time-to-live (TTL) value, which determines
how long the record is valid:
-----------SendRequest(), len 36
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
LON-cl1.adatum.com, type = A, class = IN
----------------------Got answer (52 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
LON-cl1.adatum.com, type = A, class = IN
ANSWERS:
-> LON-cl1.adatum.com
type = A, class = IN, dlen = 4
internet address = 172.16.0.51
ttl = 1200 (20 mins)
In the remaining section, the client resolver performs a query for the IPv6 address of the lon-cl1 host, as
indicated in the QUESTIONS section. This query returns no information, as the lack of an ANSWERS
section in the following example indicates:
-----------SendRequest(), len 36
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
LON-cl1.adatum.com, type = AAAA, class = IN
----------------------Got answer (91 bytes):
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
LON-cl1.adatum.com, type = AAAA, class = IN
AUTHORITY RECORDS:
-> adatum.com
type = SOA, class = IN, dlen = 43
ttl = 3600 (1 hour)
primary name server = LON-dc1.adatum.com
responsible mail addr = hostmaster.adatum.com
serial = 45
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
-----------Name: LON-cl1.adatum.com
Address: 172.16.0.51
If you can resolve a computers name successfully but you cannot connect to an application on that
computer, investigate whether the local or remote firewalls are blocking your attempt.
Note: Responses from name servers will be either authoritative or non-authoritative. An
authoritative response is one from a DNS server that hosts the records that you are querying. A
non-authoritative response is one from a server that does not host the requested record, but is
able to respond with records stored in its cache.
To look up different data types within the DNS by using NSLookup, use the set type or set q command
at the command prompt. For example, to query for the mail exchanger data, type the following:
NSLookup
> Set q=mx
> Mailhost
To query another name server directly, use the server or lserver commands to switch to that name server.
The lserver command uses the local server to get the address of the server to which you want to switch,
whereas the server command uses the current default server to get the address. For example:
NSLookup
> server 172.16.0.20
The output might look something like this:
Default Server: LON-dc2.adatum.com
Address: 172.16.0.20
Preparation Steps
For this practice session, you will need to use the available virtual machine environment. Before you begin
the practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
View and clear the name cache
1. Switch to LON-CL1.
2. Click Start.
3.
4. At the Windows PowerShell command prompt, type ipconfig /displaydns, and then press Enter.
5. At the Windows PowerShell command prompt, type Get-DnsClientCache, and then press Enter.
6. At the Windows PowerShell command prompt, type ipconfig /flushdns, and then press Enter.
7. At the Windows PowerShell command prompt, type Clear-DnsClientCache, and then press Enter.
8. At the Windows PowerShell command prompt, type ipconfig /displaydns, and then press Enter.
At the Windows PowerShell command prompt, type test-connection lon-dc1, and then press Enter.
2. At the Windows PowerShell command prompt, type Get-DnsClientCache | fl, and then press Enter.
3. At the Windows PowerShell command prompt, type ipconfig /displaydns, and then press Enter.
2. Scroll to the end of the file, type 172.16.0.10 intranet, and then press Enter.
3.
4.
Close Notepad.
At the Windows PowerShell command prompt, type test-connection intranet, and then press Enter.
2. At the Windows PowerShell command prompt, type Get-DnsClientCache | fl, and then press Enter.
3. At the Windows PowerShell command prompt, type nslookup LON-DC1, and then press Enter.
2. At the Windows PowerShell command prompt, type Resolve-DnsName LON-DC1 | fl, and then press Enter.
3. At the Windows PowerShell command prompt, type nslookup -d1 LON-DC1 > file.txt, and then press Enter.
4. At the command prompt, type notepad file.txt, and then press Enter.
5.
6.
Completion Steps
After you have completed the practice session, leave the virtual machines running for the next
practice session.
Disabling IPv6
If your applications function in a purely IPv4 environment, you might consider disabling IPv6.
You cannot uninstall IPv6, but you can disable it by performing the following step:
In the Ethernet Properties dialog box, in the list under This connection uses the following items, clear
the Internet Protocol version 6 (TCP/IPv6) check box.
Note: Avoid disabling IPv6 unless there is no alternative, because other network
functionality may be affected.
Troubleshooting IPv6
The steps for troubleshooting an IPv6 connection are similar to those for troubleshooting an IPv4-based
connection. You can use many of the IPv4 troubleshooting tools to gather information to help
troubleshoot IPv6 connection problems.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Capture network traffic with Microsoft Message Analyzer
1.
2.
3.
4.
At the Windows PowerShell prompt, type Clear-DnsClientCache, and then press Enter.
5.
6. In the Microsoft Message Analyzer Wizard, on the Welcome to Microsoft Message Analyzer page, click Do not update items, and then click OK.
7. In the navigation pane, click Capture/Trace, and then in the Trace Scenarios section, click Firewall.
8.
9.
At the Windows PowerShell prompt, type ping LON-DC1.adatum.com, and then press Enter.
In Microsoft Message Analyzer, in the results pane, select the first ICMP packet group.
2. In the result pane, click the plus (+) sign beside the selected packet group. Verify that it includes both Echo Request and Echo Reply packets. This is a ping request.
3.
On the Microsoft Message Analyzer toolbar, in the View Filter section, type the following into the box:
*DestinationAddress == 172.16.0.10
2. In the View Filter section, click Apply Filter. Verify that the packets are now being filtered to show only packets that match the filter.
3.
4.
Completion Steps
After you have completed the practice session, leave the virtual machines running for the lab.
The help desk at A. Datum Corporation has received a number of network trouble tickets that they cannot
resolve. They have passed on these trouble tickets to you. You need to determine how to resolve each of
these problems, and then document your solution.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. These virtual machines should still
be running from the preceding practice session. If they are not, before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
Password: Pa$$w0rd
Domain: Adatum
5.
6.
You must now complete the practice session entitled: Determining Network Settings.
Note: This is only necessary if you restarted your virtual machines since completing the
practice session entitled: Determining Network Settings.
Date of Call: October 21
Time of Call: 14:02
User: Colin Wilcox (Research Department)
Status: OPEN
Incident Details
Colin called the help desk. He is unable to connect to a server resource.
Additional Information
The resource is \\LON-DC1\Research. It is unavailable to Colin, and other users are affected as well.
Colin restarted his computer when he returned from lunch. Prior to lunch, he had no problem.
Plan of Action
Resolution
2. Discuss recommendations.
3.
4.
Task 1: Read the help desk Incident Record for incident 723012
2.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
1. Attempt to resolve the problem by using your knowledge of the network architecture and the tools available for troubleshooting the network environment.
2.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Results: After completing this exercise, you should have resolved the network-related problem.
A user has reported a networking-related problem to the help desk. You must investigate and attempt a
resolution.
Incident Record
Incident Reference Number: 723101
Date of Call: October 22
Time of Call: 09:01
User: Colin Wilcox (Research Department)
Status: OPEN
Incident Details
Colin is unable to access any network resources.
Additional Information
Colin is the only one affected in his department.
He cannot access the Research data folder on LON-DC1.
He cannot open a web browser connection to http://lon-dc1.
Plan of Action
Resolution
2. Discuss recommendations.
3.
4.
Task 1: Read the help desk Incident Record for incident 723101
2.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
Attempt to resolve the problem by using your knowledge of the network architecture and the tools available for troubleshooting the network environment.
2.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Results: After completing this exercise, you will have resolved the network-related problem.
Carol Troup is the Research manager for A. Datum in Cambridge, United Kingdom. She has decided that
providing wireless access for users in her department will increase productivity. As a result, wireless
network access points have been deployed and configured throughout her department.
Some weeks later, Carol placed a call to the help desk. The Cambridge Research wireless networks are a
success, but there have been ongoing problems with intermittent connections. Additionally, some staff
members can connect to the A. Datum corporate network from the parking lot. This represents a security
issue.
Incident Record
Incident Reference Number: 723123
Date of Call: October 23
Time of Call: 11:15
User: Carol Troup (Research Department)
Status: OPEN
Incident Details
There are intermittent connection problems from computers connecting to the Cambridge Research
department.
Some users can connect to the Cambridge wireless access points from the parking lot.
Some users cannot connect to the wireless network at all.
Additional Information
None.
Plan of Action
How will you verify that these problems are occurring?
What do you suspect is causing these problems?
How will you resolve these problems?
Resolution
Task 1: Read the help desk Incident Record for incident 723123
2.
Results: After completing this exercise, you should have successfully developed a plan of action for the
resolution of these incidents.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Module 6
Troubleshooting Group Policy
Contents:
Module Overview
6-1
6-2
6-9
6-19
6-24
Module Overview
Group Policy is an essential tool that you can use to configure the computer systems in an enterprise
environment. With Group Policy, you can quickly apply configuration settings to multiple computers from
a central location. This is faster and more practical than configuring hundreds or thousands of computers
manually.
In most cases, a server administrator administers an organization's Group Policy, rather than desktop
support staff. However, desktop support staff should understand how Group Policy works, and how to
identify when an organization is not applying Group Policy Objects (GPOs) properly.
Objectives
After completing this module, you will be able to:
Lesson 1
You can manage GPOs centrally, and store them on domain controllers. Client computers download GPOs
and apply them in specific ways. It is important for you to understand how Windows 8.1 processes GPOs
so that you can identify when Windows 8.1 is not processing them correctly.
Lesson Objectives
After completing this lesson, you will be able to:
Explain how to configure Group Policy in Active Directory Domain Services (AD DS).
Within the User Configuration and Computer Configuration settings, there are policies and preferences.
Policies are Windows operating system configuration settings that are enforced on the client; preferences
are settings that are applied to the client, but that the user has the option to change. Preferences include
items such as drive mappings and printer selection.
Note: On a given computer, a local GPO applies to all local and domain users. However,
user settings in a GPO that AD DS distributes do not apply to local users.
Processing GPOs
Windows 8.1 applies Group Policy to computers when users start the computers, and applies Group Policy
to users when the user logs on to the computer. Computer and user settings are refreshed at regular,
configurable intervals. The default refresh interval is every 90 minutes. However, you can also force an
update by running GPUpdate.exe at a command prompt.
Group Policy Objects are processed in the following order:
1. Local GPOs
Note: The local GPO is the least influential object in an AD DS environment because its
settings can be overwritten by GPOs that are associated with sites, domains, and organizational
units. In a nonnetworked environment, or in a networked environment that does not have a
domain controller, the local GPO settings are more important because other GPOs do not
overwrite them. Stand-alone computers use only local GPOs to control the environment.
Each Windows 8.1 computer has one local GPO that contains default computer and user settings,
regardless of whether the computer is part of an AD DS environment. In addition to this default
local GPO, you can create custom local user GPOs. You can maintain these local GPOs by using
the Group Policy Object Editor snap-in.
2. Site-level GPOs
3. Domain-level GPOs
4. OU GPOs, including any nested OUs, starting with the OU furthest from the user or computer object
GPOs that are applied to higher-level containers pass through to all sub-containers in that part of the
Active Directory tree. For example, a policy setting that applies to an OU also applies to any child OUs
below it. The local GPO is processed first, and the OU to which the computer or user belongs is processed
last. The last GPO processed is the effective setting.
Other factors that can influence GPOs processing include:
Security filtering. An individual GPO can have security filtering applied that controls which users and
computers are able to apply the GPO. By using security filtering, you limit a GPO to a specific group
of users or computers. By default, Windows 8.1 applies a GPO to Authenticated Users, which allows all
users and computers to apply it.
Windows Management Instrumentation (WMI) filtering. You can link a WMI filter to an individual
GPO, which restricts the computers to which the GPO applies. You can base a WMI filter's parameters on
a wide variety of characteristics, such as installed software or hardware. An error in creating a WMI
query in a WMI filter may result in a GPO not applying to any computers.
Slow link processing. By default, some GPO settings are not applied over slow links because it may
take too long to download them. Slow links are defined as 500 kilobits per second (Kbps) or less.
Administrative templates and security settings are processed regardless of link speed. This may result
in roaming users with portable computers having a slightly different experience when they are not in
the office and connected to the corporate network.
Fast sign-in optimization. This feature is enabled by default to help speed up the sign-in process.
When enabled, Group Policy settings apply asynchronously when the computer starts and when the
user signs in. Consequently, the operating system does not wait for the network to be fully initialized
at startup and sign-in. Existing users sign in by using cached credentials, which results in shorter
sign-in times. Group Policy is applied after the network becomes available. However, this can result in
GPOs not applying as expected.
Link Order. Link Order defines the precedence order for GPOs linked to a given container. Changing
the Link Order has no effect unless GPOs that link to the same location have conflicting settings. The
GPO link with a Link Order of 1 has the highest precedence on that container.
Enforced. The Enforced value defines whether a GPO takes precedence over any GPOs that link to
child containers. Additionally, a GPO that Windows 8.1 enforces at the domain level overrides a GPO
that it enforces at an OU. You typically enforce a GPO to ensure that computers use company-wide
settings, and that departmental administrators do not override these settings by creating a GPO.
Block Inheritance. Block Inheritance is the ability to prevent an OU or domain from inheriting GPOs
from any of its parent containers. Note that OUs and domains will always inherit Enforced GPO links.
You typically use Block Inheritance to allow a department to manage Group Policy settings separate
from the rest of the organization.
Link Enabled. Link Enabled is the ability to specify whether Windows 8.1 processes a specific GPO link
for the container to which it links. When you do not enable a link, Windows 8.1 does not process the
GPO. Typically, you do this during troubleshooting when you want to disable processing of a GPO to
eliminate it as a source of configuration errors.
Loopback Processing
By default, a user's settings come from GPOs scoped to the user object in AD DS. Regardless of which
computer the user logs on to, the resultant set of policies that determine the user's environment is the
same. There are situations, however, in which you might want to configure a user differently, depending
on the computer he or she uses. For example, you might want to standardize and lock user desktops when
users sign in to computers in closely managed environments, such as conference rooms, reception areas,
laboratories, classrooms, and kiosks.
Imagine a scenario in which you want to enforce a standard corporate appearance for Windows-based
desktops on all the computers in conference rooms and other public areas of your office. How will you
manage this configuration centrally by using Group Policy? Policy settings that configure desktop
appearance are located in the User Configuration node of a GPO. Therefore, by default, the settings apply
to users, regardless of the computer to which they log on. Default policy processing does not provide a
way to scope user settings to apply them to computers, regardless of which user logs on. This is where
loopback policy processing can be useful.
Loopback policy processing alters the default algorithm that the Group Policy Client uses to obtain
the ordered list of GPOs that should apply to a user's configuration. When you use loopback policy
processing, user configuration is not determined by the User Configuration node of GPOs that are scoped
to the user object. Instead, user configuration can be determined by the User Configuration node policies
of GPOs that are scoped to the computer object.
Like all policy settings, the Configure user Group Policy loopback processing mode policy setting can be
set to Not Configured, Enabled, or Disabled.
The Configure user Group Policy loopback processing mode policy setting is located in the Computer
Configuration\Policies\Administrative Templates\System\Group Policy folder. You access this folder from
the Group Policy Management Editor window.
When enabled, the policy can specify the Replace or Merge mode:
Replace. In this case, the GPO list already obtained for the computer at computer startup replaces the
GPO list for the user. The settings in the User Configuration policies of the computer's GPOs apply to
the user.
Replace mode is useful in a situation such as a classroom, where users should receive a standard
configuration, rather than in a less managed environment.
Merge. In this case, the GPO list obtained for the computer at computer startup is appended to the
GPO list obtained for the user when logging on. Because the GPO list obtained for the computer is
applied later, settings in GPOs on the computer's list have precedence if they conflict with settings in
the user's list.
This mode is useful for applying additional settings to users' typical configurations. For example, you
might allow a user to receive the user's typical configuration when logging on to a computer in a
conference room or reception area, but replace the wallpaper with a standard bitmap, and disable the
use of certain applications or devices.
Note: When you combine loopback processing with security group filtering, applying user
settings during policy refresh uses the computer's credentials to determine which GPOs to apply
as part of the loopback processing. However, the logged-on user also must have Apply Group
Policy permission for the GPO to be applied successfully. Also, note that the loopback processing
flag is configured on a per-session basis, rather than per GPO.
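The processing order, Link Order, Enforced, Block Inheritance, security and WMI filtering rules from the Processing GPOs section, together with the loopback Replace and Merge modes above, worked through in Python as an added example (this is not code from the course). The site, domain, OU, GPO and group names are constructed, and a security token is modelled as a plain set of group names.

```python
from dataclasses import dataclass, field

AUTHENTICATED_USERS = "Authenticated Users"
LOCAL_GPO = "Local Group Policy"  # processed first and never filtered

@dataclass(frozen=True)
class GPO:
    name: str
    # Security filtering: groups granted Apply Group Policy (default: Authenticated Users).
    apply_groups: frozenset = frozenset({AUTHENTICATED_USERS})
    # WMI filter, a callable(computer_attrs) -> bool evaluated against the computer; None = no filter.
    wmi_filter: "object" = None

@dataclass(frozen=True)
class Link:
    gpo: GPO
    order: int            # Link Order: 1 is the highest precedence in its container
    enforced: bool = False
    enabled: bool = True  # Link Enabled: a disabled link is not processed at all

@dataclass
class Container:          # a site, a domain or an OU (constructed model)
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def ordered_links(path):
    """Links in processing order (first .. last; the last one wins). `path` runs from
    the outermost container (the site) down to the one holding the user or computer."""
    normal, enforced = [], []
    for c in path:
        if c.block_inheritance:
            normal = []   # Block Inheritance drops inherited non-enforced links only
        # Link Order 1 is applied last within its container, so sort descending.
        by_order = sorted((l for l in c.links if l.enabled), key=lambda l: l.order, reverse=True)
        normal += [l for l in by_order if not l.enforced]
        # Enforced links come after all others, outermost container last, so a GPO
        # enforced at the domain overrides one enforced at an OU.
        enforced = [l for l in by_order if l.enforced] + enforced
    return normal + enforced

def filter_links(links, token_groups, computer_attrs):
    """Security and WMI filtering; returns (applied, denied) in processing order,
    with reasons worded like the Summary tab of a Group Policy Results report."""
    applied, denied = [], []
    for l in links:
        if not (l.gpo.apply_groups & token_groups):
            denied.append((l.gpo.name, "Denied (Security)"))
            continue
        if l.gpo.wmi_filter is not None:
            try:
                ok = l.gpo.wmi_filter(computer_attrs)
            except Exception:  # a broken WMI query applies the GPO to no computer
                ok = False
            if not ok:
                denied.append((l.gpo.name, "Denied (WMI Filter)"))
                continue
        applied.append(l.gpo.name)
    return applied, denied

def resultant_user_gpos(user_path, user_groups, computer_path, computer_groups,
                        computer_attrs, loopback=None):
    """Ordered GPOs whose User Configuration applies; loopback is None, "Replace" or "Merge"."""
    user_list, _ = filter_links(ordered_links(user_path), user_groups, computer_attrs)
    if loopback is None:
        return [LOCAL_GPO] + user_list
    # Loopback: the computer-scoped list is filtered with the computer's credentials,
    # and the user must also hold Apply Group Policy on each GPO.
    comp_links = [l for l in ordered_links(computer_path) if l.gpo.apply_groups & user_groups]
    comp_list, _ = filter_links(comp_links, computer_groups, computer_attrs)
    if loopback == "Replace":
        return [LOCAL_GPO] + comp_list
    if loopback == "Merge":
        # The computer's list is appended, so it wins; a GPO in both lists keeps its later position.
        merged = user_list + comp_list
        return [LOCAL_GPO] + [g for i, g in enumerate(merged) if g not in merged[i + 1:]]
    raise ValueError(f"unknown loopback mode: {loopback!r}")

# Constructed scenario (hypothetical names): LON-CL3 sits in OU=Lab under OU=Research.
DEFAULT_DOMAIN = GPO("Default Domain Policy")
MARKETING = GPO("Marketing", apply_groups=frozenset({"Marketing"}))
LOCKDOWN = GPO("Corporate Lockdown")
RESEARCH = GPO("Research Settings")
LAB_KIOSK = GPO("Lab Kiosk", wmi_filter=lambda a: a.get("os") == "Windows 8.1")
LAPTOP = GPO("Laptop Power", wmi_filter=lambda a: a["chassis"] == "laptop")  # faulty query
SITE = Container("Default-First-Site-Name")
DOMAIN = Container("Adatum.com", [Link(DEFAULT_DOMAIN, 1), Link(MARKETING, 2),
                                  Link(LOCKDOWN, 3, enforced=True)])
RESEARCH_OU = Container("OU=Research", [Link(RESEARCH, 1)], block_inheritance=True)
LAB_OU = Container("OU=Lab", [Link(LAB_KIOSK, 1), Link(LAPTOP, 2)])
COMPUTER_PATH = [SITE, DOMAIN, RESEARCH_OU, LAB_OU]
COMPUTER_GROUPS = frozenset({AUTHENTICATED_USERS, "Domain Computers"})
COMPUTER_ATTRS = {"os": "Windows 8.1"}
USER_PATH = [SITE, DOMAIN]  # the user object sits in the domain root
USER_GROUPS = frozenset({AUTHENTICATED_USERS, "Domain Users", "Research"})

if __name__ == "__main__":
    print("Computer:", filter_links(ordered_links(COMPUTER_PATH), COMPUTER_GROUPS, COMPUTER_ATTRS))
    for mode in (None, "Replace", "Merge"):
        print("User, loopback", mode, resultant_user_gpos(
            USER_PATH, USER_GROUPS, COMPUTER_PATH, COMPUTER_GROUPS, COMPUTER_ATTRS, mode))
```

Compare the three user lists the script prints with what the Summary and Settings tabs of a Group Policy Results report would show for the same object placement.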
Use the Group Policy Management Console (GPMC) to create a new GPO.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Use the Group Policy Management Console (GPMC) to create a new GPO
1. On LON-CL1, click the Desktop tile, double-click Administrative Tools, and then double-click
Group Policy Management.
2. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Adatum.com.
3. Click the Linked Group Policy Objects tab. Notice that the Default Domain Policy and Marketing
GPOs link to the root of the Adatum.com domain.
4. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.
5. In the New GPO dialog box, in the Name box, type Preferences, and then click OK.
2. Click Preferences.
3.
4.
5. On the Settings tab, verify that no settings are defined in this GPO.
6. In the left pane, right-click Preferences. Notice in the context menu that the link is enabled but not
enforced.
7.
8. In the Group Policy Management Editor window, review the available information. Notice that there
are two categories of settings, User Configuration and Computer Configuration, which are divided
further into Policies and Preferences.
9. Under User Configuration, expand Preferences, expand Windows Settings, and then click
Shortcuts.
Action: Create
Name: Notepad
Location: Desktop
2. At the command prompt, type gpupdate /force, and then press Enter. The /force option ensures
that all policies are applied and not just updates.
3. When the Group Policy update completes, close the Command Prompt window.
4.
Completion steps
After you have completed the practice session, leave the virtual machines running for the next
practice session.
Lesson 2
Most issues that relate to the application of GPOs are due to incorrect configurations on the part of an
administrator. Despite the fact that you, as a desktop support person, may not be able to resolve GPO
application issues, it is important that you can identify them. After you identify an issue with a Group
Policy application configuration, you may need to escalate the issue to a server administrator who has the
necessary permissions to resolve the issue.
Lesson Objectives
After completing this lesson, you will be able to:
Discuss reasons for client configuration failures caused by incorrectly configured GPOs.
Explain how to resolve common client configuration issues that result from applying GPOs.
Because a GPO can affect many users and computers, administrators should test GPO configurations
thoroughly before applying them. Even after testing, you may encounter situations in which settings in a
GPO do not apply to users and computers in the ways that you expect.
Question: What are some of the reasons that GPO settings might not apply as you think
they should?
When a new GPO is applied, it may not take effect immediately. By default, GPOs are processed every
90 minutes on client computers. However, you can force the GPO to take effect immediately by running
gpupdate.exe /force at a command prompt.
If you update a GPO and it does not take effect, you may need to restart the computer. Some settings
apply correctly only during the computer startup process.
Finally, if GPOs do not take effect for remote users, you can disable slow link processing. However,
disabling this setting may result in slow sign-ins, because large GPOs will now download over a slow
connection. This is of particular concern when you use GPOs for software distribution.
GPResult.exe
To help you analyze the cumulative effect of GPOs and policy settings on a user or computer in your
organization, use the Group Policy Results Wizard in the GPMC. If you want to understand exactly which
policy settings apply to a user or a computer and why they were applied, use the Group Policy Results
Wizard.
The Group Policy Results Wizard can access the WMI provider on a local or remote computer that is
running Windows Vista or newer Windows client operating systems. The WMI provider can report
everything there is to know about the way Group Policy applies to the system. It knows when processing
occurs, which GPOs are applied, which GPOs are not applied and why, errors that are encountered, and
the exact policy settings and source GPOs that take precedence.
To run an RSoP report, right-click Group Policy Results in the GPMC console tree, and then click Group
Policy Results Wizard.
The wizard prompts you to select a computer. It then connects to the WMI provider on that computer
and provides a list of users that have logged on to it. You then can select one of the users, or you can skip
RSoP analysis for user configuration policies.
The wizard produces a detailed RSoP report in dynamic HTML format. If Internet Explorer Enhanced
Security Configuration is set, you will be prompted to allow the console to display the dynamic content.
You can expand or collapse each section of the report by clicking the Show or Hide link, or by
double-clicking the heading of the section.
The report displays on three tabs:
Summary. The Summary tab displays the status of Group Policy processing at the last refresh. You can
identify information that was collected about the system, the GPOs that were applied and denied,
security group membership that might have affected GPOs filtered with security groups, WMI filters
that were analyzed, and the status of Client-side extensions.
Settings. The Settings tab displays the RSoP settings that apply to the computer or user. This
tab shows you exactly what has happened to the user through the effects of your Group Policy
implementation. You can learn a tremendous amount of information from the Settings tab, although
some data is not reported, including Internet Protocol security (IPsec), wireless, and disk quota policy
settings.
Policy Events. The Policy Events tab displays Group Policy events from the target computer's event
logs.
After you generate an RSoP report with the Group Policy Results Wizard, you can right-click the report
to rerun the query, print the report, or save the report as an .xml file or an .html file that maintains the
dynamic expanding and collapsing sections. You can open both file types with Internet Explorer, so the
RSoP report is portable outside the GPMC.
If you right-click the node of the report itself, under the Group Policy Results node in the console tree,
you can switch to Advanced View. In Advanced View, RSoP displays by using the RSoP snap-in, which
displays all applied settings, including IPsec, wireless, and disk quota policies.
The gpresult command is the command-line version of the Group Policy Results Wizard. gpresult uses
the same WMI provider as the Group Policy Results Wizard, produces the same information, and, in fact,
enables you to create the same graphical reports. When you run the gpresult command, you are likely to
use the following options.
Switch and explanation:
/s <COMPUTER>: Specifies the name or IP address of a remote computer to query. The default is the local computer.
/u <USERNAME>: Runs the command with the permissions of the specified user (domain\user). The default is the current user.
/p [<PASSWORD>]: Specifies the password for the user given with /u. If omitted, gpresult prompts for it.
/user [<TARGETDOMAIN>\]<TARGETUSER>: Specifies the user whose RSoP data is to be displayed.
/f: Forces gpresult to overwrite an existing report file.
/r: Displays RSoP summary data.
/v: Displays verbose policy information.
/z: Displays all available information about Group Policy (more detail than /v).
/?: Displays help for the command.
Group Policy Operational log. This log provides detailed information about Group Policy processing.
To find Group Policy logs, open the Event Viewer snap-in or console, and look for the System and
Application logs in the Windows Logs node. The Group Policy Operational log is found at
Applications And Services Logs\Microsoft\Windows\GroupPolicy\Operational.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Use gpresult.exe to create a report
1.
2.
3. In the Command Prompt window, at a command prompt, type gpresult /r, and then press Enter.
4.
5. At the command prompt, type the following command, and then press Enter:
GPResult /h c:\results.html
6.
7.
8.
9.
10. View the report results and then close Internet Explorer.
2.
3. In the Group Policy Management window, right-click Group Policy Results, and then click Group
Policy Results Wizard.
4.
5.
6.
7.
8. On the Completing the Group Policy Results Wizard page, click Finish.
9.
10. Expand the Group Policy Results folder, right-click the Administrator on LON-CL1 report, and then
click Save Report.
11. In the Save GPO Report dialog box, click Desktop, and then click Save.
Right-click the Group Policy Modeling folder, and then click Group Policy Modeling Wizard.
2.
3.
4. On the User and Computer Selection page, under User information, click User, and then click
Browse.
5. In the Select User dialog box, type Ed Meadows, and then click OK.
6.
7. In the Choose Computer Container dialog box, expand Adatum, click IT, and then click OK.
8.
9.
2. In the details pane, click the Policy Events tab, and then review the events.
3.
4. On the desktop, double-click Administrative Tools, and then double-click Event Viewer.
5. In the console tree, expand Windows Logs, and then click the System log.
6.
7.
8.
9. In the console tree, expand Applications and Services Logs, expand Microsoft, expand Windows,
expand Group Policy, and then click Operational.
10. Review the events, and then close all open windows.
Completion steps
After you have completed the practice session, revert the virtual machines in preparation for the lab:
1.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
If the client computer is not connected to the network properly and if it is not authenticated, you need to
resolve this first. Possible resolutions may include:
You should verify that the GPO is assigned properly to the computer or user by using RSoP or gpresult. If
these tools show that the GPO applies to the computer and user, then you know that the link to the GPO
is configured properly.
If RSoP shows that the GPO is not applied to the computer and user, you need to determine if the GPO is
linked to the correct location. You also need to confirm that the user and computer accounts are in the
correct location. You may need to escalate this task to someone with the necessary administrative
permissions.
If the GPO appears to be linked properly, you should verify that the GPO configuration has the proper
settings configured. It is possible that an administrator created and linked the GPO correctly, but did not
configure it correctly. One item to verify is whether loopback processing is enabled in the environments
that use it. Depending on your permissions to manage Group Policy, you may need to escalate this task.
If you have added a new group or changed the membership of a group that is used to filter the GPO, that
change must also replicate. Furthermore, the change must be in the security token of the computer and
the user, which requires a restart for the computer to update its group membership, or a logoff and logon
for the user to update its group membership.
Refresh happens at startup for computer settings, at sign-in for user settings, and every 90 to 120 minutes
thereafter by default.
Note: Remember that the practical impact of the Group Policy refresh interval is that when
you make a change in your environment, it will be, on average, 45 to 60 minutes before the change
starts to take effect.
By default, Windows 8.1 clients perform only background refreshes at startup and logon, which
means that a client might start up and a user might sign in without receiving the latest policies from
the domain. We highly recommend that you change this default behavior so that policy changes are
implemented in a managed, predictable way. Enable the policy setting called Always Wait For Network At
Startup And Logon for all Windows clients. The setting is located in Computer Configuration\Policies
\Administrative Templates\System\Logon. Be sure to read the policy setting's explanatory text. Note that
this does not affect the startup or logon time for computers that are not connected to a network. If the
computer detects that it is disconnected, it does not wait for a network.
Sign In or Restart
Although most settings apply during a background policy refresh, some client-side extensions do not
apply the setting until the next startup or sign-in event. For example, newly added startup and logon
script policies do not run until the next computer startup or sign-in. Software installation will occur at the
next startup if the software is assigned in computer settings. Changes to Folder Redirection policies will
not take effect until the next sign-in.
When you experiment with Group Policy processing, you might need to initiate a Group Policy refresh
manually so that you do not have to wait for the next background refresh. You can use the gpupdate
command to initiate a Group Policy refresh. Used on its own, this command triggers processing identically
to a Group Policy background refresh. Both computer policy and user policy are refreshed. Use the
/target:computer or /target:user parameter to limit the refresh to computer or user settings,
respectively. During background refresh, by default, settings apply only if the GPO has been updated.
The /force switch causes the system to reapply all settings in all GPOs scoped to the user or computer.
Some policy settings require a logoff or restart before they take effect. The /logoff and /boot switches of
gpupdate cause a logoff or restart, respectively. You can use these switches when you apply settings that
require a logoff or restart.
For example, the command that forces a complete reapplication of all settings and, if necessary, a restart
and logon, to apply updated policy settings is:
gpupdate /force /logoff /boot
Most Client-Side Extensions Do Not Reapply Settings if the GPO Has Not Changed
Remember that most client-side extensions apply settings in a GPO only if the GPO version has changed.
This means that if a user can change a setting that Group Policy specified originally, the setting will not be
brought back into compliance with the settings that the GPO specifies until the GPO changes. Fortunately,
a nonprivileged user cannot change most policy settings. However, if a user is an administrator of his or
her computer, or if the policy setting affects a part of the registry or the system that the user has
permissions to change, this could be a real problem.
You have the option of instructing each client-side extension to reapply the settings of GPOs, even if the
GPOs have not been changed. You can configure the processing behavior of each client-side extension in
the policy settings found in Computer Configuration\Administrative Templates\System\Group Policy.
The help desk has received a number of incident reports that relate to GPO application. Because you are
the desktop support technician who has the most experience with Group Policy, these tickets have been
assigned to you. In this lab, you will resolve the reported GPO application problems that Tier 1 helpdesk
staff could not resolve.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1, 20688D-LON-CL1, and 20688D-LON-CL3
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
In this exercise, you will resolve the reported GPO application problem that Tier 1 helpdesk staff could not
resolve.
Incident Record
Incident Reference Number: 723151
Date of Call
Time of Call
User
Status
October 29
15:27
Anil
OPEN
Incident Details
User reports that the Research computer lab configuration is not applying properly to a new
computer named LON-CL3.
Additional Information
User reports that a new computer in the Research computer lab is not configured properly. The
standardized settings are applying correctly to all other Research lab computers, such as LON-LAB1.
I have verified that the computer is joined to the domain properly.
Looking at LON-LAB1, I can see that there is a desktop shortcut for the Research Lab application. If
this icon appears on the desktop, then we know that the settings are applying properly. This setting
should apply regardless of the user who signs in.
Plan of Action
Resolution
Note: There is no LON-LAB1 computer in the virtual machine environment. However, it does
exist in the Adatum.com domain.
The main tasks for this exercise are as follows:
1.
2.
3.
Task 1: Read the help desk Incident Record for incident 723151
2. Update the Plan of Action section of the Incident Record with your recommendations.
Password: Pa$$w0rd
Domain: Adatum
2.
3. Verify that the Desktop shortcut for the Research Lab application does not display. It should display
for any account.
4. Using your knowledge of Windows Server GPOs, and the tools available for troubleshooting GPOs,
attempt to resolve the problem.
5. To verify the correct solution, on LON-CL3, sign in by using the following credentials:
o
Password: Pa$$w0rd
Domain: Adatum
6.
7.
8.
9. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
Results: After completing this exercise, you will have successfully resolved Group Policy Object (GPO)
application issues.
In this exercise, you will resolve the reported GPO application problem that Tier 1 helpdesk staff could not
resolve.
Incident Record
Incident Reference Number: 723160
Date of Call
Time of Call
User
Status
October 30
16:10
Adam Barr (Marketing Department)
OPEN
Incident Details
User reports that his desktop settings are not applying as per his departmental standards.
Additional Information
The user (Adam) is not receiving group policy settings on his computer LON-CL1.
Other people in his department are not experiencing any issues. I have checked with the Active
Directory administrators, and his computer account is in the correct location (Computers).
Therefore, the location of the computer account is not an issue.
It appears as if GPOs are not applying, as gpupdate did not work.
We rebooted the computer with no improvement.
Plan of Action
Resolution
2.
3.
4.
Task 1: Read the help desk Incident Record for incident 723160
2. Update the Plan of Action section of the Incident Record with your recommendations.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
2. Attempt to resolve the problem by using your knowledge of Group Policies, and by using the tools
available for troubleshooting GPOs and their application on client computers.
3.
4. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Results: After completing this exercise, you will have successfully resolved GPO application issues.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Module 7
Troubleshooting User Settings
Contents:
Module Overview 7-1
Module Overview
Users should be able to sign in quickly to gain access to their resources. When their personal settings
also are available on their Windows 8.1 device, this simplifies the user's experience with the Windows
operating system environment. In this module, you will examine problems that can occur when users sign
in, and you will also learn about how to troubleshoot the application of user settings.
Objectives
After completing this module, you will be able to:
Lesson 1
To troubleshoot the sign-in process successfully, you must have a thorough understanding of the process,
including how Windows 8.1 uses cached credentials, and Active Directory Domain Services (AD DS)
password and user policies. Additionally, you must be aware of the methods that you can use to identify
the cause of sign-in problems.
Lesson Objectives
After completing this lesson, you will be able to:
Explain password policies and user properties that can impact the sign-in process.
If you do not configure the list of DNS servers on a Windows 8.1 computer appropriately, it cannot obtain
a list of domain controllers, and the following events might occur:
Authentication fails. The user is unable to access the local computer or network resources.
Windows 8.1 uses cached credentials. The user is able to access the local computer and might be able
to access some network resources.
Authentication is very slow but successful. This occurs when a suitable domain controller is on the
local subnet, and the client computer can locate the domain controller only by using NetBIOS
broadcasts.
During the sign-in process, Windows assigns a security token to both the computer and the user accounts.
The security token contains a list of groups of which the computer or user account is a member. Windows
uses this list of groups to identify permissions when the computer or user attempts to access resources. If
you add a computer or user account to a group, you must ensure that you reauthenticate the account to
update the security token with group membership.
Note: To reauthenticate a computer, you must restart the computer. To reauthenticate the
user account, the user must sign out and then sign in again.
Cached Credentials
Cached credentials allow users to authenticate to a local computer by using domain credentials when a
domain controller is unavailable to perform authentication. Cached credentials are particularly useful for
a roaming user who works on a laptop computer. When you use cached credentials, the user can sign in
to a local computer by using the cached domain sign-in credentials, even when the user's computer is not
connected to the domain. Users must have cached credentials to access offline files and folders when
they are not connected to the network.
When a domain controller is available and a user signs in to a Windows 8.1 computer successfully,
Windows 8.1 creates and stores cached credentials locally. Windows 8.1 updates cached credentials each
time a user signs in to the domain.
Note: If users have not authenticated successfully to the domain from a computer since
their last password change, the cached credentials still contain the previous password. Users must
sign in by using the previous password when they use those cached credentials.
If a user does not have cached credentials on a computer, and the domain controller is unavailable,
Windows 8.1 cannot authenticate the user. By default, Windows 8.1 caches the credentials of the last 10
user accounts to sign into a specific computer. You can modify this number by using one of the following
two options:
Edit the registry. You can edit the registry value CachedLogonsCount, which is located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
Use Group Policy. You can use a Group Policy setting, which is located at Computer Configuration
\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon:
Number of previous sign-ins to cache. By setting this value to zero, you disable cached logons.
The default number of cached credentials that Windows 8.1 can store is 10. However, you can configure
Windows 8.1 to store up to a maximum of 50 cached credentials. If you set the number of cached
credentials to zero, Windows 8.1 must contact a domain controller before users can obtain access to the
local computer.
Locked account. If a user attempts to sign in with an incorrect password too often, the account
is locked for a period of time. When the account is locked, the user is unable to sign in even with
the correct password. When an account is locked, it can be unlocked by an administrator with
appropriate Active Directory permissions, or the user can wait until the account unlocks automatically,
which is typically after 15 to 30 minutes.
Expired account. The user accounts for many contract workers are configured to expire on the date
when the contract ends. Sometimes contracts are renewed and the expiration date on the account is
not updated. After the expiration date, the users cannot sign in, so the expiration date of the user
account must be changed.
Deleted account. User accounts that network administrators delete accidentally must be restored from the Active Directory Recycle Bin (if that feature has been enabled), restored from a backup, or re-created.
Signing in with a local account. Ensure that users with domain user accounts are logging on to the
domain.
Using a Microsoft account. As when using a local account, ensure that if users have a domain account,
they use the domain account rather than a Microsoft account.
Corrupted computer account. When a computer account is no longer valid for a domain, users
cannot use that computer account to access domain resources because the computer is not trusted
by the domain. To resolve this problem, reset the computer account to rejoin the computer to the
domain.
Incorrect DNS settings. When a computer is configured to use an incorrect DNS server, the computer
cannot find domain controllers to perform the sign-in process. To resolve this problem, configure the
computer to use an appropriate DNS server.
General networking problems. Network connectivity issues can make domain controllers unavailable
to service user sign-in requests.
Password Policy settings:
Password Policy\Enforce password history
Password Policy\Maximum password age
Password Policy\Minimum password age
Password Policy\Minimum password length
Password Policy\Passwords must meet complexity requirements
Setting: Account Lockout Policy\Account lockout threshold
Description: This defines the number of invalid sign-in attempts that users can make before Windows locks their account. When you enable Account lockout threshold, you can define the period within which the invalid attempts must occur, and how long the account remains locked.
Each user account has settings that are relevant to the sign-in process. You need to be aware of these
settings so that you can identify them as potential sources of sign-in issues, and then escalate the issue to
the appropriate group in your organization.
Setting: User logon name
Description: This is the user name that should be used when signing in.
Setting: Unlock account
Setting: User must change password at next logon
Description: When you enable this setting, the user must change his or her password during the next sign-in. If the user does not change the password, he or she may not be able to sign in.
Setting: User cannot change password
Description: If you enable this setting, the user cannot change his or her password. This setting overrides any requirement to change a password in the domain password policy. You typically use this setting only for service accounts.
Setting: Account is disabled
Description: Enabling this setting prevents users from signing in and using this account. You typically use this setting when an employee is out of the office for a long period of time, or when an employee is terminated.
Setting: Account expires
Note: You can also use Windows PowerShell to query user account status and to reset these properties. For example, use the Get-ADUser cmdlet to retrieve user account properties, the Unlock-ADAccount cmdlet to unlock a user account, and Set-ADUser -Enabled $true to enable a user account.
If you wish to use these cmdlets from a Windows 8.1 client computer, install Remote Server
Administration Tools (RSAT) on that computer to install the necessary Windows PowerShell
cmdlets.
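The account settings in the table and the cmdlets named in the note, as an added example that is not from the course: a PowerShell function that reads those properties for one user and reports which of them would block sign-in, and a companion that applies the unlock and enable fixes. LON-DC1 is the lab's domain controller; the user name, the function names and the Recycle Bin lookup for deleted accounts are assumptions.

```powershell
# Added example, not part of the course text: report which of the account states
# described above (disabled, locked, expired, password must change, deleted)
# apply to one domain user, and apply the two fixes a help desk may make.
# Requires the RSAT ActiveDirectory module; LON-DC1 is the lab domain controller
# and the user name is a placeholder supplied by the caller.
Import-Module ActiveDirectory

function Get-SignInBlocker {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string]$Server = 'LON-DC1'
    )
    # Extended properties that correspond to the Account tab settings in the table.
    $props = 'Enabled', 'LockedOut', 'AccountExpirationDate', 'PasswordExpired',
             'PasswordLastSet', 'LogonWorkstations'
    try {
        $user = Get-ADUser -Identity $SamAccountName -Server $Server -Properties $props -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Deleted account: with the AD Recycle Bin enabled the object survives as a deleted object.
        $tombstone = Get-ADObject -Server $Server -IncludeDeletedObjects `
            -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))"
        $reason = if ($tombstone) { "Account deleted; restore with Restore-ADObject -Identity '$($tombstone.ObjectGUID)'" }
                  else { 'Account not found in the directory' }
        return [pscustomobject]@{ User = $SamAccountName; CanSignIn = $false; Reasons = @($reason) }
    }

    $reasons = @()
    if (-not $user.Enabled) { $reasons += 'Account is disabled' }
    if ($user.LockedOut)    { $reasons += 'Account is locked out' }
    if ($user.AccountExpirationDate -and $user.AccountExpirationDate -lt (Get-Date)) {
        $reasons += "Account expired on $($user.AccountExpirationDate.ToShortDateString())"
    }
    if ($user.PasswordExpired) {
        # PasswordLastSet is empty when "User must change password at next logon" is set.
        if ($null -eq $user.PasswordLastSet) { $reasons += 'User must change password at next sign-in' }
        else { $reasons += 'Password expired under the domain password policy' }
    }
    [pscustomobject]@{
        User         = $user.SamAccountName
        CanSignIn    = ($reasons.Count -eq 0)
        Reasons      = $reasons
        # Empty unless sign-in is restricted to specific computers.
        RestrictedTo = $user.LogonWorkstations
    }
}

function Repair-SignInBlocker {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string]$Server = 'LON-DC1',
        [datetime]$NewExpirationDate   # supply only when the contract has actually been renewed
    )
    $user = Get-ADUser -Identity $SamAccountName -Server $Server -Properties LockedOut, AccountExpirationDate
    if ($user.LockedOut)    { Unlock-ADAccount -Identity $user -Server $Server }
    if (-not $user.Enabled) { Set-ADUser -Identity $user -Server $Server -Enabled $true }
    if ($PSBoundParameters.ContainsKey('NewExpirationDate') -and
        $user.AccountExpirationDate -and $user.AccountExpirationDate -lt (Get-Date)) {
        Set-ADAccountExpiration -Identity $user -Server $Server -DateTime $NewExpirationDate
    }
    # Re-read so the caller sees what is still blocking the sign-in (anything left is escalated).
    Get-SignInBlocker -SamAccountName $SamAccountName -Server $Server
}
```

Run Get-SignInBlocker first; Repair-SignInBlocker changes only lockout, enabled state and, when you pass a new date, an already expired account.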
Event logs. You can use Event Viewer to view event logs that may give some indication of why a sign-in error is occurring. The Security log on a computer or on a domain controller indicates whether authentication errors are occurring. The computer's System log indicates whether the computer account is not authenticating correctly.
If a user is able to sign in but is unable to access network resources, the sign-in process might be using the user's cached credentials. If this happens, verify network connectivity for the computer, and verify that the computer account is authenticating properly.
If your organization does not restrict user sign-in to specific computers, the user can attempt to sign in to a second computer, which identifies whether the authentication issue pertains to a specific computer. You
can use the results of this test to limit your troubleshooting to appropriate items. For example, if the issue
is not computer-specific, then it is not a local computer configuration issue.
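An added client-side check, not from the course, that covers the cached-credentials count, the DNS, computer-account and networking causes listed earlier, and the event-log checks just described. The function names are assumptions; NETLOGON event IDs 5719 and 3210 and Security event 4625 are standard Windows IDs that the course does not name.

```powershell
# Added example, not part of the course text: triage a Windows 8.1 domain member
# that cannot sign in, or signs in with cached credentials only. Runs without RSAT.
# The Security log query (step 5) needs an elevated prompt.
function Test-DomainSignInHealth {
    param([int]$HoursBack = 24)
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $r = [ordered]@{ Computer = $cs.Name; Domain = $cs.Domain; DomainJoined = $cs.PartOfDomain }

    # 1. Cached credentials: CachedLogonsCount is 10 by default, 50 at most, 0 disables caching.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $r.CachedLogonsCount = if ($null -eq $raw) { 10 } else { [int]$raw }   # absent value means the default
    $r.OfflineSignInPossible = $r.CachedLogonsCount -gt 0

    # 2. DNS: clients locate domain controllers through the _ldap._tcp.dc._msdcs SRV record;
    #    an empty list here matches the "Incorrect DNS settings" cause.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($cs.Domain)" -Type SRV -ErrorAction Stop
        $r.DomainControllersInDns = @($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget })
    } catch {
        $r.DomainControllersInDns = @()
        $r.DnsError = $_.Exception.Message
    }

    # 3. Computer account: a failed secure channel is what produces
    #    "The trust relationship between this workstation and the primary domain failed".
    #    The test also fails when no domain controller is reachable, so read it together with step 2.
    $r.SecureChannelOk = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

    # 4. System log: NETLOGON warnings and errors (5719 = no domain controller available,
    #    3210 = the computer account could not authenticate).
    $since = (Get-Date).AddHours(-$HoursBack)
    $r.NetlogonEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.TimeCreated) [$($_.Id)] $(($_.Message -split "`n")[0])" })

    # 5. Security log: 4625 records failed sign-ins; property 5 is the target user name and
    #    property 7 the NTSTATUS code (for example 0xC000006D = wrong user name or password).
    $r.FailedSignIns = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { '{0} {1} status 0x{2:X8}' -f $_.TimeCreated, $_.Properties[5].Value, [uint32]$_.Properties[7].Value })

    [pscustomobject]$r
}

# Client-side equivalent of "reset the computer account and rejoin": re-establishes the secure
# channel without leaving the domain. Needs an account permitted to reset the computer account.
function Repair-ComputerTrust {
    param([Parameter(Mandatory = $true)][pscredential]$Credential)
    Test-ComputerSecureChannel -Repair -Credential $Credential
}
```

Sign in with a local account such as the lab's LON-CL1\Admin to run Repair-ComputerTrust when the domain sign-in itself fails.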
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
A user has reported that she cannot sign in from her laptop, LON-CL1. You have been assigned the help desk incident record and must resolve the problem.
Incident Record
Incident Reference Number: 723411
Date of Call: November 5
Time of Call: 09:27
User: Alex Darrow (Marketing Department)
Status: OPEN
Incident Details
Alex cannot sign in to her laptop this morning. An error message displays: "The trust relationship between this workstation and the primary domain failed."
Additional Information
Alex has not been in the office for a while, but sign-in worked fine last time she was here.
No one else is affected by the problem.
I reset her user account password, and that has made no difference.
I checked that the domain controller LON-DC1 is online, and it is fine.
The local account, LON-CL1\Admin (password is Pa$$w0rd), might be useful for troubleshooting this computer.
Plan of Action
Resolution
2.
3.
4.
Task 1: Read the help desk Incident Record for incident 723411
2. Update the Plan of Action section of the Incident Record with your recommendations.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
Attempt to resolve the problem by using your knowledge of potential sign-in problems, and by using
the tools that you can use to troubleshoot those problems.
2.
3.
If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment, and begin again.
Results: After you have completed this exercise, you should have resolved the sign-in problem.
Aidan, one of the senior managers, has called the help desk to report a problem signing in. You have been
assigned to resolve this problem. He has called the help desk twice since the call was logged, so it is
urgent that you resolve the issue.
Incident Record
Incident Reference Number: 723423
Date of Call: November 6
Time of Call: 13:47
User: Aidan Delaney (Manager)
Status: OPEN
Incident Details
Aidan called to report a problem signing in. Turns out that quite a few of the management team are experiencing problems. Error message: "There are currently no logon servers available to service the logon request."
Additional Information
The management team computers are connected to their own subnet with their own local domain controller, LON-DC1.
Some of the management team can still sign in, but most cannot.
You may need the local account LON-CL1\Admin (password is Pa$$w0rd) to sign in at Mr. Delaney's computer.
A few network-related issues were reported in that subnet this morning, with failure to locate resources by URL name.
Plan of Action
Resolution
2.
3.
4.
Task 1: Read the help desk Incident Record for incident 723423
2. Update the Plan of Action section of the Incident Record with your recommendations.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
Attempt to resolve the problem by using your knowledge of potential sign-in problems, and by using
the tools that you can use to troubleshoot those problems.
2.
3.
If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment and begin again.
Results: After you have completed this exercise, you should have resolved the sign-in problem.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Lesson 2
User profiles contain user settings that configure a computer for use by a specific user. In some cases,
you can configure roaming profiles to enable a user to retain their settings when they work on more than
one computer. To configure computers correctly for users, you must understand user profiles and how to
troubleshoot them. Some organizations implement Folder Redirection. It is important that you understand
this technology, how it impacts user settings, and how to troubleshoot it.
Lesson Objectives
After completing this lesson, you will be able to:
Set of folders. For each user who signs in, a separate subfolder with the user's name is created in the Users folder. This folder is a container for applications, user settings, and data that are organized in the following subfolders:
o Desktop
o Favorites
o Documents
o Downloads
Windows 8.1 also has a public profile that it stores in C:\Users\Public. All user profiles include the contents
of this public profile when a user logs on. For example, if you create a shortcut in C:\Users\Public\Desktop,
it displays on the desktop of all users who sign in to that computer. For this reason, some applications
store system-wide configuration information in the public profile.
To configure a user's roaming profile, provide a profile path in the user account properties. If you copy a
profile, be sure to use the Copy To functionality in the Profiles window of Advanced System Settings. This
ensures that Windows 8.1 updates the security permissions, which allows other users to access the profile.
Note: A mandatory profile is a read-only roaming user profile. You can use a mandatory
profile to ensure that users do not change configuration settings. When the user signs in,
Windows copies the mandatory profile from the server to the local computer, in the same
manner as a standard roaming user profile. However, when the user signs out, Windows discards
any profile changes. In most cases, multiple users share a mandatory roaming profile. Instead of
using mandatory profiles, most organizations use Folder Redirection to achieve a standard
desktop.
Start screen
Appearance
Desktop personalization
Installed apps
App data
Language preferences
When you first use your Microsoft account on a device, you can configure which of these settings you
wish to synchronize on the device. To do this, select Change PC settings from the Settings charm, and
then click Sync your settings.
Note: Network administrators can use Group Policy Object (GPO) to restrict which of these
settings can be synchronized. To control synchronization, open the Group Policy Management
Editor for the appropriate GPO, and then navigate to Computer Configuration\Policies
\Administrative Templates\Windows Components\Sync your settings.
Corrupted roaming profiles. A corrupted roaming profile results when there are problems saving
changes to a roaming profile during sign out. Typically this occurs because an application has not
closed correctly. When a profile is corrupted, it might not be updated the next time a user signs in, or
the user may receive a prompt asking whether to use the local profile or the network profile.
Default profiles do not have corporate standard settings. The first time users sign in, their profile is
created from the default profile. The default profile on a computer does not contain application
settings and customizations, such as a default save location in Microsoft Word. As a result, the user
profile must be updated after it is created.
Machine-specific settings do not roam. Whereas a roaming user profile enables user settings to move
between computers, the roaming user profile does not contain any computer-specific settings such as
applications or hardware drivers. Some user settings, such as shortcuts to applications, might not be
valid on all computers to which a user signs in. Invalid shortcuts still display, but they have an icon
indicating that they are invalid. Registry settings for non-existent applications are ignored.
Minimizing the size of roaming profiles. Redirecting folders removes them from a roaming profile.
This reduces the size of roaming profiles, which results in better sign-in performance.
You can configure Folder Redirection manually or by using a GPO. For example, for the Documents folder,
you can configure redirection on the Location tab in the properties of the Documents folder, or by using a
GPO.
When you redirect a folder, you have the option to copy the files from the current location to the new
location. If you forget to copy the files, they will not be available to the user.
Note: If you forget to copy the files, the files continue to exist in the old location, and users
can copy them at a later time.
Although a network administrator typically enables and configures Folder Redirection, it is important that
you understand the basics of configuring this feature.
You use GPOs to configure Folder Redirection. To configure Folder Redirection, open Group Policy
Management, locate the appropriate GPO, and then open it for editing. Next, expand the User
Configuration node, expand Windows Settings and then expand Folder Redirection. You can select
each folder in turn and configure its redirection settings. When you have finished, the Folder Redirection
settings will apply to those users whose user accounts are stored either in a container to which this GPO is
linked, or in a container that inherits the GPO settings from a parent container.
Note: For more information on how to apply and filter GPOs, refer to Module 6.
The main folders that you can redirect are Desktop and Documents. You can then configure the Pictures,
Music, and Videos folders to follow the location you configure for Documents.
When you configure Folder Redirection, you have a number of options, including:
Basic Redirection. In this option, by default, each user is given exclusive access to a subfolder that is
created off the configured root folder for the redirection. For example, you may choose a folder
called \\LON-DC1\USERS as the Root Path. Each user would be granted full control over a subfolder
created with their name underneath this root. For example: \\LON-DC1\Users\Adam.
Advanced Redirection. With Advanced Redirection, you can specify a different redirection for each
security group affected by the folder redirection policy. For example, you might add the Sales
group and the Marketing group to the redirection policy, with each using a different UNC path:
\\LON-DC1\Sales and \\LON-DC1\Marketing, for instance. Beneath these folders, by default, a folder
for each user account within the group is created. Again, that user is granted exclusive access to her
or his own subfolder.
Note: There are more options that you can configure, but these are outside the scope of
this course.
When you configure Folder Redirection, the optimal method is to create the subfolder structure and shared folder structure before you configure the GPO's Folder Redirection settings. This results in the correct configuration of folder permissions.
A GPO with user settings is not linked to a location where the user account resides.
A GPO with computer settings is not linked to a location where the computer account resides.
A computer is not able to communicate with a domain controller to download the GPO due to:
o
Note: Client-side extensions run on client computers to process GPOs. Different client-side
extensions process different GPO settings. For example, a client-side extension exists to process
Group Policy Preferences.
AD DS replication or SYSVOL replication is not functioning between domain controllers that are
handling the distribution of the GPOs to client computers.
Blocked inheritance
Enforcement
Link order
If the problem does not relate to GPO application, then consider whether the folder redirection policy has
been set up correctly, and whether the users and groups that use the policy have the correct file
permissions on the redirected folders.
When Folder Redirection is first established, the current contents of the user's local folders are copied to the new location by default. If users claim that files are missing, verify whether the files were copied, and if so, whether they were copied to the correct location.
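The verification steps above as an added example, not from the course: a PowerShell check run in the affected user's session that reports whether Documents is redirected, whether the target is reachable and writable by that user, and what the Folder Redirection operational log says. The function name and the probe-file approach are assumptions.

```powershell
# Added example, not part of the course text: check the current user's Documents
# redirection. Run it in the user's own session (in the lab, as Adatum\Boris on LON-CL1).
function Test-DocumentsRedirection {
    # Resolves the "Personal" shell folder, which is what the Location tab shows for Documents.
    $target = [Environment]::GetFolderPath('MyDocuments')
    $result = [ordered]@{
        User       = "$env:USERDOMAIN\$env:USERNAME"
        Target     = $target
        Redirected = $target.StartsWith('\\')   # a UNC path means the redirection policy applied
        Reachable  = $false
        Writable   = $false
        Owner      = $null
        Findings   = @()
    }
    if (-not $result.Redirected) {
        $result.Findings += 'Documents still points at the local profile: check the GPO link, inheritance and security filtering (gpresult /r /scope:user)'
    }
    if (Test-Path -LiteralPath $target) {
        $result.Reachable = $true
        # With exclusive rights the owner of the per-user folder should be the user.
        $result.Owner = (Get-Acl -LiteralPath $target).Owner
        # Permission check: create and delete a probe file rather than reading the ACL by hand.
        $probe = Join-Path $target ('fr-probe-' + [guid]::NewGuid().ToString('N') + '.tmp')
        try {
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
            Remove-Item -LiteralPath $probe -ErrorAction Stop
            $result.Writable = $true
        } catch {
            $result.Findings += "User cannot write to the redirected folder: $($_.Exception.Message)"
        }
    } elseif ($result.Redirected) {
        $result.Findings += 'Redirected path is unreachable: the server or share may be down, or the root path in the GPO is wrong'
    }
    # The Folder Redirection client-side extension writes to this operational log.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Folder Redirection/Operational'; Level = 2, 3 } `
        -MaxEvents 10 -ErrorAction SilentlyContinue
    foreach ($e in @($events)) {
        $result.Findings += "$($e.TimeCreated) [$($e.Id)] $(($e.Message -split "`n")[0])"
    }
    [pscustomobject]$result
}
```

A reachable, writable target with old files missing points at the copy step rather than at permissions; compare the old local folder with the target before assuming data loss.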
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
You have been asked to examine the problem in a help-desk incident record that the help-desk staff have
been unable to resolve. You must determine a course of action and then attempt resolution.
Incident Record
Incident Reference Number: 723425
Date of Call: November 7
Time of Call: 08:42
User: Boris Gresak (Marketing Department)
Status: OPEN
Incident Details
Boris reports that his Documents folder is not available.
Additional Information
All servers are operational, and other departments are not affected.
Boris cannot see his old files, and new files are showing as offline and not synced.
Suspect that the culprit is Folder Redirection.
Plan of Action
Resolution
2.
3.
Create the Folder Redirection infrastructure and then simulate the problem.
4.
2.
Update the Plan of Action section of the Incident Record with your recommendations.
Task 3: Create the Folder Redirection infrastructure and then simulate the problem
1. Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
5.
6.
7.
8. In the New GPO dialog box, in the Name text box, type Folder Redirection, and then click OK.
9.
10. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand
Windows Settings, expand Folder Redirection, and then click Folder Redirection.
11. Right-click Documents, and then click Properties.
12. In the Documents Properties dialog box, in the Setting list, click Advanced - Specify locations for various user groups.
14. In the Specify Group and Location dialog box, in the Security Group Membership text box, type
Marketing.
15. Press the Tab key.
16. In the Target Folder Location list, click Create a folder for each user under the root path.
17. In the Root Path text box, type \\lon-dc1\Departments\Marketing, and then click OK.
18. In the Documents Properties dialog box, click OK.
19. In the Warning dialog box, click Yes.
20. Close the Group Policy Management Editor.
Note: You will configure only the Marketing department for this lab.
21. Right-click Start, and then click Command Prompt.
22. At the command prompt, type gpupdate /force, and then press Enter.
23. When prompted, press Y, and then press Enter to close the Command window and sign out.
24. Sign in as Adatum\Boris with the password Pa$$w0rd.
25. Click Desktop.
26. Right-click the desktop, and then click Personalize.
27. In the Personalization window, click Change desktop icons.
28. In the Desktop Icons Settings dialog box, select the User's Files check box, and then click OK.
29. Close the Personalization window.
30. On the desktop, double-click Boris Gresak.
31. Right-click Documents, and then click Properties. Notice that the folder is redirected, and then click OK.
32. Sign out.
33. Sign in by using the following credentials:
o
Password: Pa$$w0rd
34. Run the D:\Labfiles\Mod07\Scenario3b.vbs script. Wait until the script completes.
35. Sign out.
36. Sign in by using the following credentials:
o
Password: Pa$$w0rd
2.
3.
If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Results: After completing the exercise, you should have resolved the Folder Redirection problem
successfully.
2.
In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Module 8
Configuring and Troubleshooting Remote Connectivity
Module Overview
It is becoming increasingly important for users to access corporate resources and applications remotely.
To better support these user needs, you must be familiar with virtual private networks (VPNs), Network
Access Protection (NAP), and DirectAccess. This module explains these technologies, describes common
problems with their implementation and usage, and then provides a number of possible mitigations for
those problems.
Objectives
After completing this module, you will be able to:
Troubleshoot NAP.
Lesson 1
VPNs provide a secure way of accessing your internal data and applications from user devices that attach
to the Internet. To support a VPN environment within your organization, you must understand tunneling
protocols, VPN authentication, and server-side configuration options. This lesson describes these
technologies.
Lesson Objectives
After completing this lesson, you will be able to:
Describe VPNs.
Describe common error codes that are encountered while troubleshooting VPNs.
Overview of VPNs
A VPN provides a connection between
components of a private network, through a
public network such as the Internet. Tunneling
protocols enable a VPN client to establish and
maintain a connection to a virtual port that is
listening on a VPN server.
To emulate the point-to-point link, the VPN
client encapsulates the data and prefixes it with a
header. The header provides routing information
that enables the data to traverse the shared or
public network to reach its endpoint.
To emulate a private link, the VPN client encrypts
data, which helps to ensure confidentiality. Without encryption keys, packets that are intercepted on a
shared or public network are indecipherable. The VPN client encapsulates and encrypts private data on
the private link, or on the VPN connection.
There are two types of VPN connections:
Site-to-site VPN
From a user's perspective, the exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is being sent over a dedicated private link.
Site-to-Site VPN
Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your
organization to have routed connections between separate offices, or between your office and another
organization over a public network. This helps maintain secure communications.
A routed VPN connection across the Internet operates logically as a dedicated wide area network (WAN)
link. When networks connect over the Internet, a router forwards packets across a VPN connection to
another router.
A site-to-site VPN connection connects two portions of a private network. The VPN server provides a
routed connection to the network to which the VPN server is attached. The calling router (the VPN
initiator) authenticates itself to the answering router (the VPN responder). Then, if you use mutual
authentication, the answering router authenticates itself to the calling router.
In a site-to-site VPN connection, the packets sent from either router across the VPN connection typically
do not originate at the routers; in other words, the site-to-site connection is not visible to the computers
that use the link.
VPN connections that use the Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol
with Internet Protocol security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP), have the
following properties:
Encapsulation. With VPN technology, private data is encapsulated with a header that contains routing
information that allows the data to traverse the transit network.
Authentication. Authentication for VPN connections takes the following three forms:
Data origin authentication and data integrity. To verify that the data sent on the VPN connection
originated at the other end of the connection and was not modified in transit, the data contains a
cryptographic checksum based on an encryption key known only to the sender and the receiver.
Data origin authentication and data integrity are only available for L2TP/IPsec connections.
Data encryption. To ensure the confidentiality of data as it traverses the shared or public transit
network, the sender encrypts the data, and the receiver decrypts it. The encryption and decryption
processes depend on the sender and the receiver both using a common encryption key.
Packets that are intercepted in the transit network are unintelligible to anyone who does not have the
common encryption key. The encryption key's length is an important security parameter. You can use
computational techniques to determine the encryption key. However, such techniques require more
computing power and computational time as the encryption keys get larger. Therefore, it is important
to use the largest possible key size to ensure data confidentiality.
PPTP
You can use PPTP for remote access and site-to-site VPN connections. When using the Internet as the VPN public network, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet, and a second interface on the intranet.
PPTP enables you to encrypt multiprotocol traffic and encapsulate it in an IP header, after which it is sent across an IP network or a public IP network, such as the Internet.
L2TP
L2TP enables you to encrypt multiprotocol traffic to send over any medium that supports point-to-point
datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP
and Layer Two Forwarding (L2F). L2TP represents the best features of PPTP and L2F. Unlike PPTP, the
Microsoft implementation of L2TP does not use Microsoft Point-to-Point Encryption to encrypt PPP
datagrams. Instead, L2TP relies on IPsec in transport mode for encryption services. The combination of
L2TP and IPsec is known as L2TP/IPsec.
To utilize L2TP/IPsec, both the VPN client and server must support L2TP and IPsec. Client support for
L2TP is built into remote access clients on the following Windows client operating systems: Windows 8.1,
Windows 8, Windows 7, Windows Vista, and Windows XP. VPN server support for L2TP is built into
members of the Windows Server 2012, Windows Server 2008, and Windows Server 2003 families.
SSTP
SSTP is a tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through
firewalls and web proxies, which otherwise might block PPTP and L2TP/IPsec traffic. SSTP provides a
mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol.
The use of PPP allows support for strong authentication methods, such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS). SSL provides transport-level security with enhanced key
negotiation, encryption, and integrity checking.
When a client tries to establish an SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS
layer with the SSTP server. Over this HTTPS layer, the protocol packets flow as a data payload.
IKEv2
IKE version 2 (v2) uses the IPsec tunnel mode protocol over User Datagram Protocol (UDP) port 500. IKEv2
supports mobility, making it a good protocol choice for a mobile workforce. IKEv2-based VPNs enable
users to move easily between wireless hotspots, or between wireless and wired connections.
IKEv2 is supported only on computers that run Windows 8.1, Windows 8, Windows Server 2012 R2,
Windows Server 2012, Windows 7, and Windows Server 2008 R2. IKEv2 is the default VPN tunneling
protocol in Windows 7, Windows 8, and Windows 8.1.
PAP
CHAP
MS-CHAP V2
MS-CHAP v2 is a one-way, encrypted password, mutual-authentication process that works as follows:
1. The authenticator, which can be the remote access server or the computer that is running Network Policy Server (NPS), sends a challenge to the remote access client. The challenge consists of a session identifier and an arbitrary challenge string.
2. The remote access client sends a response that contains a one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user password.
3. The authenticator checks the response from the client and sends back a response that contains an indication of the success or failure of the connection attempt and an authenticated response based on the sent challenge string, the peer challenge string, the client's encrypted response, and the user password.
4. The remote access client verifies the authentication response and, if it is correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.
EAP
With the Extensible Authentication Protocol (EAP), an arbitrary authentication mechanism authenticates a
remote access connection. The remote access client and the authenticator, which can be either the remote
access server or the Remote Authentication Dial-In User Service (RADIUS) server, negotiate the exact
authentication scheme to use. Routing and Remote Access service (RRAS) includes support for EAP-TLS by
default. You can plug in other EAP modules to the server that is running RRAS to provide other EAP
methods.
Other Options
In addition to the previously mentioned authentication methods, you can enable two other options when
selecting an authentication method:
Unauthenticated Access. Strictly speaking, this is not an authentication method, but rather the lack of
one. Unauthenticated access allows remote systems to connect without authentication. You should
never enable this option in a production environment, however, as it leaves your network at risk.
Nonetheless, this option can sometimes be useful for troubleshooting authentication issues in a test
environment.
Machine Certificate for IKEv2. Select this option if you want to use VPN Reconnect.
Note: VPN Reconnect uses the IKEv2 technology to provide consistent VPN connectivity.
Users who connect by using a wireless mobile broadband will benefit most from this capability.
With VPN Reconnect, Windows 8.1 devices reestablish active VPN connections automatically
when Internet connectivity reestablishes after a connection is lost. Even though the reconnection
might take several seconds, users do not have to reinstate the connection manually or
authenticate again to access internal network resources.
Network Policies
Network policies determine whether a connection attempt is successful. If the connection attempt is successful, the network policy then defines connection characteristics, such as day and time restrictions and session idle-disconnect times. Network policies are sets of conditions, constraints, and settings that enable you to designate who is authorized to connect to a network, and the circumstances under which they can or cannot connect. Additionally, when you deploy NAP, a health policy is added to the network policy configuration so that your NPS performs client health checks during the authorization process.
You can view network policies as rules, with each rule having a set of conditions and settings. NPS
compares the rule's conditions to the properties of connection requests. If a match occurs between the
rule and the connection request, the settings that you define in the rule are applied to the connection.
When you configure multiple network policies in NPS, they are an ordered set of rules. NPS checks each
connection request against the list's first rule, then the second, and so on until a match is found.
Note: After NPS discovers a matching rule, it disregards further rules. Therefore, it is
important to order your network policies appropriately.
Each network policy has a policy state setting that allows you to enable or disable the policy. When you
disable a network policy, NPS does not evaluate that policy when authorizing connection requests.
When NPS performs authorization of a connection request, it compares the request with each network
policy in the ordered list of policies, starting with the first policy and moving down the list.
If NPS finds a policy in which the conditions match the connection request, NPS uses the matching policy
and the dial-in properties of the user account to perform authorization.
If you configure the dial-in properties of the user account to grant or control access through network
policy, and if NPS authorizes the connection request, NPS applies the settings that you configure in the
network policy to the connection in the following way:
If NPS does not find a network policy that matches the connection request, NPS rejects the
connection unless the dial-in properties on the user account are set to grant access.
If the dial-in properties of the user account are set to deny access, NPS rejects the connection request.
The default network policies deny access to all users. This ensures that only users to whom you have
specifically granted access are allowed access. To allow users access, you create additional network
policies with conditions that match authorized users.
When planning your network policies, consider how you want the constraints and conditions to control
the connection from particular groups of users, and then choose appropriate conditions to enable these
settings to have an effect on those users.
For example, suppose you have the following two objectives:
You want to allow members of the administrators group to connect at any time of the week, but insist
on an L2TP tunnel-type connection.
You want all other users to connect with any tunnel type, but only on weekends.
You must consider how to implement two network policies to achieve this objective. If you configure a
condition of Any time of the week, in addition to administrators, all other user connection attempts will
match this condition, and subsequently the settings within the policy. Therefore, you might consider
creating a condition that looks for membership in the Domain Admins group, and then a constraint of
an L2TP tunnel-type. You will require a second policy to address the needs of all other users.
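The ordered, first-match evaluation described above, worked through on the two-objective scenario, as an added example that is not from the course text or from NPS itself. It models the policy state, conditions, constraints, and the account dial-in property as the text describes them; the helper names, field names and request records are constructed for illustration.

```python
"""Added example: a small model of NPS network policy evaluation (first enabled
match wins) combined with the user account's dial-in property. Policy and
group names follow the course's two-objective scenario; everything else is
constructed and is not an NPS API."""

from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set, Tuple

# Dial-in property values of a user account, as the text describes them.
GRANT, DENY, CONTROL_THROUGH_POLICY = "grant", "deny", "control_through_policy"


@dataclass
class Request:
    user: str
    groups: Set[str]
    tunnel_type: str        # e.g. "L2TP" or "PPTP"
    when: datetime          # time of the connection attempt
    dial_in: str            # GRANT, DENY or CONTROL_THROUGH_POLICY


@dataclass
class Policy:
    name: str
    enabled: bool = True    # the policy state setting
    conditions: List[Callable[[Request], bool]] = field(default_factory=list)
    constraints: List[Callable[[Request], bool]] = field(default_factory=list)
    access_granted: bool = True   # the policy's own access permission


# Condition and constraint builders (hypothetical helpers, not NPS names).
def member_of(group: str):
    return lambda r: group in r.groups

def any_time():
    return lambda r: True

def weekends_only():
    return lambda r: r.when.weekday() >= 5      # Saturday = 5, Sunday = 6

def tunnel_is(tunnel: str):
    return lambda r: r.tunnel_type == tunnel


def first_matching_policy(policies: List[Policy], req: Request) -> Optional[Policy]:
    """Check the first rule, then the second, ...; stop at the first enabled policy
    whose conditions all match. Later policies are never considered."""
    for p in policies:
        if p.enabled and all(cond(req) for cond in p.conditions):
            return p
    return None


def authorize(policies: List[Policy], req: Request) -> Tuple[bool, str]:
    """Combine the matching policy with the account's dial-in property."""
    if req.dial_in == DENY:
        return False, "dial-in property denies access"
    p = first_matching_policy(policies, req)
    if p is None:
        # No matching policy: rejected unless the account explicitly grants access.
        if req.dial_in == GRANT:
            return True, "no matching policy; dial-in property grants access"
        return False, "no matching policy"
    # Assumption of this model: an explicit account-level grant overrides a policy
    # whose access permission is "denied"; control-through-policy does not.
    if req.dial_in == CONTROL_THROUGH_POLICY and not p.access_granted:
        return False, f"policy '{p.name}' denies access"
    if not all(c(req) for c in p.constraints):
        return False, f"policy '{p.name}' matched but a constraint was not met"
    return True, f"policy '{p.name}' applied"


# The course's scenario: Domain Admins may connect at any time but only over L2TP;
# everyone else may use any tunnel type but only on weekends. The last entry
# stands in for the default policies, which deny access to all users.
SCENARIO = [
    Policy("Admins-L2TP", conditions=[member_of("Domain Admins"), any_time()],
           constraints=[tunnel_is("L2TP")]),
    Policy("Everyone-Weekends", conditions=[weekends_only()]),
    Policy("Default-Deny", conditions=[any_time()], access_granted=False),
]

# The ordering mistake the text warns about: a broad "any time of the week" rule
# placed first also matches administrators, so the L2TP constraint is never reached.
WRONG_ORDER = [
    Policy("Everyone-AnyTime", conditions=[any_time()]),
    Policy("Admins-L2TP", conditions=[member_of("Domain Admins")],
           constraints=[tunnel_is("L2TP")]),
]


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Evaluate a few constructed requests against both orderings; returns
    {ordering: {case: granted?}}."""
    monday = datetime(2014, 11, 10, 9, 0)       # constructed timestamps
    saturday = datetime(2014, 11, 8, 9, 0)
    cases = {
        "admin_l2tp_weekday": Request("alice", {"Domain Admins"}, "L2TP", monday, CONTROL_THROUGH_POLICY),
        "admin_pptp_weekday": Request("alice", {"Domain Admins"}, "PPTP", monday, CONTROL_THROUGH_POLICY),
        "user_pptp_weekday": Request("bob", {"Domain Users"}, "PPTP", monday, CONTROL_THROUGH_POLICY),
        "user_pptp_weekend": Request("bob", {"Domain Users"}, "PPTP", saturday, CONTROL_THROUGH_POLICY),
        "user_denied_weekend": Request("bob", {"Domain Users"}, "PPTP", saturday, DENY),
        "user_granted_weekday": Request("bob", {"Domain Users"}, "PPTP", monday, GRANT),
    }
    return {"ordered": {k: authorize(SCENARIO, r)[0] for k, r in cases.items()},
            "wrong_order": {k: authorize(WRONG_ORDER, r)[0] for k, r in cases.items()}}


if __name__ == "__main__":
    for ordering, results in run_scenarios().items():
        print(ordering, results)
```

In the mis-ordered list an administrator connecting over PPTP on a weekday is granted access, which is exactly the outcome the second objective was meant to prevent.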
L2TP. For L2TP traffic, configure the network firewall to open UDP port 1701, and to allow IPsec
encapsulating security payload-formatted packets (IP Protocol 50).
Cause. This issue can occur if the network firewall does not permit GRE traffic (IP Protocol 47). PPTP
uses GRE for tunneled data.
Solution. Configure the network firewall between the VPN client and the server to permit GRE.
Additionally, ensure that the network firewall permits TCP traffic on port 1723. Both of these
conditions must be met to establish VPN connectivity by using PPTP.
Note: The firewall might be on or in front of the VPN client, or in front of the VPN server.
Cause. These errors occur if the VPN client requests an invalid encryption level or if the VPN server
does not support an encryption type that the client requests.
Solution. Check the properties on the Security tab of the VPN connection on the VPN client. If
Require data encryption (disconnect if none) is selected, clear the selection and retry the connection.
If you are using NPS, check the encryption level in the network policy in the NPS console, or check
the policies on other RADIUS servers. Ensure that the encryption level that the VPN client requested is
selected on the VPN server.
No certificate. By default, for IPsec peer authentication, L2TP/IPsec connections require that an
exchange of computer certificates occur between the remote access server and remote access client.
Check the Local Computer certificate stores of both the remote access client and the remote access
server that are using the Certificates snap-in to ensure that a suitable certificate exists.
Incorrect certificate. The VPN client must have a valid computer certificate installed, which was issued
by a trusted certification authority (CA) that follows a valid certificate chain from the issuing CA to a
root CA. Additionally, the VPN server must have a valid computer certificate installed that was issued
by a CA that follows a valid certificate chain from the issuing CA to a root CA, and that the VPN client
trusts.
A network address translation (NAT) device exists between the remote access client and remote
access server. If there is a NAT between a Windows Server 2008 L2TP/IPsec server and a Windows
2000 Server, Windows Server 2003, or Windows XP-based L2TP/IPsec client, you cannot establish an
L2TP/IPsec connection unless the client and server support IPsec NAT traversal (NAT-T).
A firewall exists between the remote access client and the remote access server. If there is a firewall
between a Windows L2TP/IPsec client and a Windows Server 2012 L2TP/IPsec server, and if you
cannot establish an L2TP/IPsec connection, verify that the firewall allows forwarding of L2TP/IPsec
traffic.
When you use EAP-TLS for authentication, the VPN client submits a user certificate and the authenticating
server (the VPN server or the RADIUS server) submits a computer certificate. To enable the authenticating
server to validate the VPN client's certificate, the following must be true for each certificate in the
certificate chain that the VPN client sends:
The current date must be within the certificate's validity dates. When certificates are issued, they are
issued with a range of valid dates before which they cannot be used, and after which they are
considered expired.
The certificate has not been revoked. Issued certificates can be revoked at any time. Each issuing
CA maintains a list of certificates that are not considered valid, and publishes an up-to-date certificate
revocation list. By default, the authenticating server checks all certificates in the VPN client's
certificate chain (the series of certificates from the VPN client certificate to the root CA) for
revocation. If any of the chain's certificates have been revoked, certificate validation fails.
The certificate has a valid digital signature. CAs digitally sign certificates that they issue. The
authenticating server verifies the digital signature of each certificate in the chain, with the exception
of the root CA certificate, by obtaining the public key from the certificate's issuing CA and
mathematically validating the digital signature.
For a VPN client to validate an authenticating server's certificate for EAP-TLS authentication,
the following must be true for each certificate in the certificate chain that the authenticating server
sends:
Verify that the user account of the VPN client is not locked out, expired, or disabled. Verify also that
the time that the connection is being made is not in conflict with the configured logon hours. If the
password on the account has expired, verify that the remote access VPN client is using MS-CHAP v2.
MS-CHAP v2 is the only authentication protocol that Windows Server 2012 provides that allows you
to change an expired password during the connection process.
Verify that the VPN server is enabled for remote access from the VPN server Properties dialog box
General tab.
Verify that the WAN miniport PPTP and WAN miniport L2TP devices are enabled for inbound remote
access from the properties of the Ports object in the RRAS snap-in.
Verify that the VPN client, the VPN server, and the network policy that correspond to VPN
connections are configured to use at least one common authentication method.
Verify that the VPN client and the network policy that correspond to VPN connections are configured
to use at least one common encryption strength.
Verify that the connection's parameters have permission through network policies.
Lesson 2
Troubleshooting NAP
Your network is only as secure as the least-secure computer that is attached to it. Many programs and
tools exist to help you secure your network-attached computers, such as antivirus or malware detection
software. However, if the software on some of your computers is not up to date or not enabled or
configured correctly, these computers continue to pose a security risk.
Computers that remain within an office environment and always connect to the same network are
relatively simple to keep configured and updated. Computers that connect to different networks,
particularly unmanaged networks, are less easy to control. For example, it is more difficult to control
laptop computers that connect to customer networks or public Wi-Fi hotspots. Furthermore, unmanaged
computers that attempt to connect remotely to your network, such as computers that connect from
homes, also pose a security risk.
You can use NAP to create customized health requirement policies to validate the health of a computer
before allowing it to access or communicate with a network. Additionally, NAP updates compliant
computers automatically to ensure their ongoing compliance, and NAP limits noncompliant computer
access to a restricted network until they become compliant.
If your organization implements NAP, you must understand this technology to troubleshoot issues that
relate to NAP.
Lesson Objectives
After completing this lesson, you will be able to:
Describe NAP.
What Is NAP?
NAP provides components and an application programming interface (API) that can help enforce compliance with your organization's health requirement policies for network access or communication. NAP defines a healthy computer as one that conforms with a health policy. The health policy might define characteristics such as whether the computer has:
A firewall enabled.
You can use NAP to create solutions for validating computers that connect to your networks, and to
provide needed updates or access to requisite health update resources. Additionally, NAP enables you to
limit the access or communication of noncompliant computers.
You can integrate NAP's enforcement features with software from other vendors, or with custom
programs.
Remember that NAP does not protect a network from hackers. Rather, it helps you automatically maintain
the health of your organization's networked computers, which in turn helps maintain your network's
overall integrity. For example, if a computer has all of the software and configuration settings that the
health policy requires, the computer is compliant and will have unlimited network access. However, NAP
will not prevent an authorized user with a compliant computer from uploading a malicious program to
the network or engaging in other inappropriate behavior.
To validate the health state. When a computer attempts to connect to the network, NAP validates the
computers health state against the health requirement policies that the administrator defines. You
also can define what to do if a computer is not compliant.
In a monitoring-only environment, all computers have their health state evaluated, and NAP logs
the compliance state of each computer for analysis. In a limited access environment, computers that
comply with the health requirement policies have unlimited network access. Computers that do not
comply with health requirement policies could find their access limited to a restricted network.
To enforce health policy compliance. You can help ensure compliance with health requirement
policies by automatically selecting to update noncompliant computers with missing software updates
or configuration changes. This can be done through management software such as Microsoft System
Center 2012 R2 Configuration Manager.
In a monitoring-only environment, NAP will ensure that computers update their network access
before they receive required updates or configuration changes. In a limited access environment,
noncompliant computers have limited access until the updates and configuration changes are
complete. In both environments, computers that are compatible with NAP can become compliant
automatically, and you can define exceptions for computers that are not NAP-compatible.
To limit network access. You can protect your networks by limiting noncompliant computer
access. You can base limited network access on a specific amount of time, or on what resources the
noncompliant computer can access. In the latter case, you define a restricted network that contains
health update resources, and the limited access will last until the noncompliant computer comes into
compliance. You also can configure exceptions so that computers that are not compatible with NAP
do not have limited network access.
Remote access VPN connections. VPN enforcement requires that a computer be compliant to obtain
unlimited network access through a remote access VPN connection. For noncompliant computers,
network access is limited through a set of IP packet filters that the VPN server applies to the VPN
connection.
DHCP address configurations. Dynamic Host Configuration Protocol (DHCP) enforcement requires
that a computer be compliant to obtain an unlimited access Internet Protocol version 4 (IPv4) address
configuration from a DHCP server. For noncompliant computers, network access is restricted with an
IPv4 address configuration that limits access to the restricted network.
These network access or communication methods, or NAP enforcement methods, are useful separately or
together for limiting noncompliant computer access or communication. A server that runs NPS in
Windows Server 2012 acts as a health policy server for all of these NAP enforcement methods.
Roaming Laptops
Desktop Computers
Although users typically do not remove their desktop computers from company buildings, they still can
present a threat to your network. To minimize this threat, you must maintain these computers with the
most recent updates and required software. Otherwise, these computers are at risk of infection from
websites, email, files from shared folders, and other publicly accessible resources. You can use NAP to
automate health state checks to verify each desktop computer's compliance with health requirement
policies. You can check log files to determine which computers do not comply. Additionally, by using
management software, you can generate automatic reports and automatically update noncompliant
computers. When you change health requirement policies, you can configure NAP to provision computers
automatically with the most recent updates.
Visiting Laptops
Organizations frequently need to allow consultants, business partners, and guests to connect to their
private networks. The laptops that these visitors bring into your organization might not meet system
health requirements and can present health risks. NAP enables you to determine which visiting laptops
are noncompliant and limit their access to restricted networks. Typically, you would not require or provide
any updates or configuration changes for visiting laptops. You can configure Internet access for visiting
laptops, but not for other organizational computers that have limited access.
Unmanaged home computers that are not a member of a company's Active Directory Domain
Services (AD DS) domain can connect to a managed company network through VPN. Unmanaged home
computers provide an additional challenge because you cannot physically access these computers. Lack
of physical access makes enforcing compliance with health requirements, such as the use of antivirus
software, more difficult. However, you can use NAP to verify the health state of a home computer every
time it makes a VPN connection to the company network, and to limit its access to a restricted network
until it meets system health requirements.
Note: Both roaming laptops and unmanaged home computers can become part of the
managed infrastructure of your organization by using DirectAccess connections. You can
implement NAP with DirectAccess to ensure the health compliance of such computers.
2. In the console tree, double-click Local Computer Policy, double-click Computer Configuration, double-click Administrative Templates, double-click Windows Components, and then double-click Security Center.
3. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
When you deploy NAP, you must enable the NAP service on NAP-capable client computers. You can use
the following procedure to enable and configure NAP service on NAP-capable client computers.
Note: To complete this procedure, you must be a member of the Domain Admins group,
the Enterprise Admins group, or the Administrators group on the local computer.
To enable the NAP service on client computers, perform the following procedure:
1. Open Control Panel, click System and Security, click Administrative Tools, and then double-click Services.
2. In the services list, scroll through, and then double-click Network Access Protection Agent.
3. In the Network Access Protection Agent Properties dialog box, change Startup Type to Automatic, and then click OK.
2.
3. In the details pane, right-click the enforcement client that you want to enable or disable, and then click Enable or Disable.
Note: To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. If the computer
is joined to a domain, members of the Domain Admins group will be able to perform this
procedure.
Restriction state
The following command displays the local configuration settings on a NAP client, including:
Cryptographic settings
The following command displays the Group Policy configuration settings on a NAP client, including:
Cryptographic settings
Tracing
IASNAP.LOG. Contains information about NAP processes, NPS authentication, and NPS authorization.
Windows 8.1 includes two tools for configuring NAP tracing: the NAP Client Configuration console, which
is part of the Windows user interface, and the netsh command-line tool.
You can use the NAP Client Configuration console to enable or disable NAP tracing and to specify the
level of recorded detail. To do this, perform the following procedure:
1.
2. In the console tree, right-click NAP Client Configuration (Local Computer), and then click Properties.
3. In the NAP Client Configuration (Local Computer) Properties dialog box, select either Enabled or Disabled.
Note: To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. As a security
best practice, consider performing this operation by using the Run As command.
4. If you select the Enabled check box, under Specify the level of detail at which the tracing logs are written, click either Basic, Advanced, or Debug.
Using Netsh
To use a command-line tool to enable or disable NAP tracing, and to specify the level of recorded detail,
perform the following steps:
1.
2. To enable NAP tracing and configure for basic or advanced logging, type the following command.
netsh nap client set tracing state=enable level=[advanced or basic]
To enable NAP tracing for debug information, type the following command.
netsh nap client set tracing state=enable level=verbose
Note: To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. As a security
best practice, consider performing this operation by using the Run As command.
To view the log files, go to the %systemroot%\tracing\nap directory, and then open the particular trace
log that you want to view.
Event ID 6273. Network Policy Server denied access to a user. Occurs when an authentication or
authorization problem arises, which is associated with a reason code.
Event ID 6274. Network Policy Server discarded the request for a user. Occurs when a configuration
problem arises, if the RADIUS client settings are incorrect, or if NPS cannot create accounting logs.
Event ID 6276. Network Policy Server quarantined a user. Occurs when the client access request
matches a network policy that is configured with a NAP enforcement setting of Allow Limited Access.
Event ID 6277. Network Policy Server granted access to a user, but put it on probation because the
host did not meet the defined health policy. Occurs when the client access request matches a network
policy that is configured with a NAP enforcement setting of Allow Full Network Access For A Limited
Time When The Date Specified In The Policy Has Passed.
Event ID 6278. Network Policy Server granted full access to a user because the host met the defined
health policy. Occurs when the client access request matches a network policy that is configured with
a NAP enforcement setting of Allow Full Network Access.
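The five Event IDs above are the signals an administrator has for telling a client-side health failure apart from an NPS-side configuration problem. The following is an added example, not from the course, that classifies a batch of log lines by those IDs and flags accounts that keep landing in quarantine. The tab-separated log format, the account names and the reason code in the sample are constructed (the real NPS events are XML); the two policy names come from the practice steps.

```python
"""Added example: classify NPS Security log events by the Event IDs the course
lists (6273, 6274, 6276, 6277, 6278) and summarize NAP outcomes. The log
format here is a constructed tab-separated one, not the real NPS event XML."""

from collections import Counter, defaultdict
from typing import Dict, List

# Outcome label and the triage hint the text gives for each Event ID.
EVENT_OUTCOMES = {
    6273: ("denied", "authentication or authorization problem; look at the reason code"),
    6274: ("discarded", "NPS configuration problem: RADIUS client settings or accounting logs"),
    6276: ("quarantined", "matched a policy with NAP enforcement 'Allow Limited Access'"),
    6277: ("probation", "full access for a limited time; host failed the health policy"),
    6278: ("full_access", "host met the health policy; 'Allow Full Network Access'"),
}

# Constructed sample log: timestamp, Event ID, account, one key=value detail.
# Accounts and the reason code are made up; the two policy names are the ones
# created in the practice session.
SAMPLE_LOG = """\
2014-11-07T16:02:11\t6276\tADATUM\\jbailey\tpolicy=Noncompliant-Restricted
2014-11-07T16:02:40\t6278\tADATUM\\aturner\tpolicy=Compliant-Full-Access
2014-11-07T16:03:05\t6273\tADATUM\\rlee\treason=66
2014-11-07T16:03:30\t6274\tADATUM\\rlee\tdetail=unknown RADIUS client
2014-11-07T16:04:12\t6277\tADATUM\\cgreen\tpolicy=Probation-Policy
2014-11-07T16:04:50\t6276\tADATUM\\jbailey\tpolicy=Noncompliant-Restricted
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into its fields; the detail is a single
    key=value pair that becomes its own key in the record."""
    ts, event_id, account, detail = line.rstrip("\n").split("\t", 3)
    key, _, value = detail.partition("=")
    return {"ts": ts, "event_id": int(event_id), "account": account, key: value}


def classify(event_id: int) -> str:
    """Map an Event ID to an outcome label; IDs not in the list become 'other'."""
    return EVENT_OUTCOMES.get(event_id, ("other", ""))[0]


def summarize(log_text: str) -> Dict[str, object]:
    """Count outcomes, flag accounts quarantined more than once (remediation may
    not be working), and collect 6274 events separately because the text
    attributes those to NPS configuration rather than to the client."""
    counts: Counter = Counter()
    per_account: Dict[str, Counter] = defaultdict(Counter)
    server_problems: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        outcome = classify(rec["event_id"])
        counts[outcome] += 1
        per_account[str(rec["account"])][outcome] += 1
        if rec["event_id"] == 6274:
            server_problems.append(rec)
    repeat_quarantine = sorted(
        acct for acct, c in per_account.items() if c["quarantined"] > 1)
    return {
        "counts": dict(counts),
        "repeat_quarantine": repeat_quarantine,
        "server_problems": server_problems,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for outcome, n in sorted(s["counts"].items()):
        print(f"{outcome:12} {n}")
    print("quarantined more than once:", s["repeat_quarantine"])
    print("NPS-side problems:", len(s["server_problems"]))
```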
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Configure NPS as a NAP Health Policy Server
1. Switch to LON-DC1.
2. In Server Manager, click Tools and then click Network Policy Server.
3. In the navigation pane, expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
4.
5.
6. In the details pane, clear all check boxes except the A firewall is enabled for all network connections check box.
7.
1.
2.
3. In the Create New Health Policy dialog box, under Policy name, type Compliant.
4. Under Client SHV checks, verify that the Client passes all SHV checks is selected.
5. Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.
6.
7. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
8. Under Client SHV checks, click Client fails one or more SHV checks.
9. Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.
2. Disable the two default policies found under Policy Name by right-clicking the policies, and then clicking Disable.
3.
4. On the Specify Network Policy Name and Connection Type page, under Policy name, type Compliant-Full-Access, and then click Next.
5.
6.
7. In the Health Policies dialog box, under Health policies, click Compliant, and then click OK.
8.
9.
10. On the Configure Authentication Methods page, clear all check boxes, select the Perform
machine health check only check box, and then click Next twice.
11. On the Configure Settings page, click NAP Enforcement. Verify that Allow full network access is
selected, and then click Next.
12. On the Completing New Network Policy page, click Finish.
2. On the Specify Network Policy Name and Connection Type page, under Policy name, type Noncompliant-Restricted, and then click Next.
3.
4.
5. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.
6.
7. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.
8. On the Configure Authentication Methods page, clear all check boxes, select the Perform machine health check only check box, and then click Next twice.
9. On the Configure Settings page, click NAP Enforcement, and then click Allow limited access.
10. Clear the Enable auto-remediation of client computers check box, click Next, and then click Finish.
2. In DHCP, expand LON-DC1.Adatum.com, expand IPv4, right-click Scope [172.16.0.0] Adatum, and then click Properties.
3. In the Scope [172.16.0.0] Adatum Properties dialog box, click the Network Access Protection tab, click Enable for this scope, and then click OK.
4.
5.
6. In the DHCP Policy Configuration Wizard, in the Policy Name text box, type NAP Policy, and then click Next.
7.
8. In the Add/Edit Condition dialog box, in the Criteria list, click User Class.
9.
10. In the Value list, click Default Network Access Protection Class, and then click Add.
11. Click OK, and then click Next.
12. On the Configure settings for the policy page, click No, and then click Next.
13. On the Configure settings for the policy page, in the Vendor class list, click DHCP Standard
Options.
14. In the Available Options list, select the 006 DNS Servers check box.
15. In the IP address field, type 172.16.0.10, and then click Add.
16. In the Available Options list, select the 015 DNS Domain Name check box.
17. In the String value text box, type restricted.adatum.com, and then click Next.
18. On the Summary page, click Finish.
19. Close DHCP.
Completion Steps
After you have completed the practice session, leave the virtual machines running for the lab.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 25 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. The virtual machines must still be
running from the preceding practice session. If they are not, before you begin the lab, you must complete
the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
Password: Pa$$w0rd
Domain: Adatum
5.
6.
You must then complete the preceding practice session to get the virtual machines into the correct
state for this lab.
November 7
16:02
Josh Bailey (Research department)
OPEN
Incident Details
Josh is able to connect to the corporate network even though NAP is being enforced and the client
computer is not compliant.
Additional Information
The computer is not configured for NAP.
Plan of Action
2.
3.
4. Test NAP.
Task 1: Read the help desk Incident Record for incident 723467
2. Update the Plan of Action section of the Incident Record with your recommendations.
Switch to LON-CL1.
2. Open napclcfg.msc, and then enable the DHCP Quarantine Enforcement Client on LON-CL1.
3. Open services.msc, and then start the Network Access Protection Agent service.
4.
5. Use the local Group Policy Management Console to enable the Security Center.
6.
2.
3. In the notification area, click the Network Access Protection pop-up warning.
Note: Depending on the point at which your computer becomes noncompliant, you might
not receive a warning in the notification area. However, you may proceed.
4. Review the information in the Network Access Protection dialog box, and then click Close.
5.
6. Notice that the computer has a subnet mask of 255.255.255.255 and a Domain Name System (DNS) suffix of restricted.Adatum.com.
7.
Results: After completing this exercise, you should have configured the client computer for NAP.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Lesson 3
Troubleshooting DirectAccess
The DirectAccess feature in Windows Server 2012 and Windows 8.1 enables remote access to intranet
resources without first establishing a user-initiated VPN connection. DirectAccess also helps to ensure
seamless connectivity to the application infrastructure for both internal users and remote users.
Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess
enables any application that supports Internet Protocol version 6 (IPv6) on the client computer to have
complete access to intranet resources. DirectAccess also enables you to specify resources and client-side
applications that are restricted for remote access. You should understand this technology to support
connectivity for DirectAccess users.
Lesson Objectives
After completing this lesson, you will be able to:
Describe DirectAccess.
Overview of DirectAccess
Organizations that utilize DirectAccess provide
a way for IT staff to manage remote computers
in the same way that they would manage local
computers. By using the same management and
update servers, you can ensure that remote
computers are always up-to-date and in
compliance with your security and system health
policies. You can also define more detailed access
control policies for remote access when compared
with defining access control policies in VPN
solutions.
DirectAccess offers the following features:
Uses various protocols, including HTTPS, to establish IPv6 connectivity; HTTPS typically is allowed
through firewalls and proxy servers.
Supports selected server access and end-to-end IPsec authentication with intranet network servers.
Always-on connectivity. Whenever a user connects a client computer to the Internet, the client
computer is also connected to the intranet. This connectivity enables remote client computers to
access and update applications more easily. It also makes intranet resources always available, and
enables users to connect to the organization's intranet from anywhere at any time, thereby improving
their productivity and performance.
Bidirectional access. You can configure DirectAccess in a way that the DirectAccess clients have
access to intranet resources, and you can have access from the intranet to those DirectAccess clients.
Therefore, DirectAccess can be bidirectional. This ensures that client computers receive recent security
updates, the domain Group Policy is enforced, and there is no difference whether users are on the
organizational intranet or on a public network. This bidirectional access also results in:
o Increased security.
Manage-out support. Provides the ability to enable only remote management functionality in the
DirectAccess client. This new sub-option of the DirectAccess Client Configuration Wizard automates
policy deployments that are used for managing the client computer. Manage-out support does not
implement any policy options that allow users to connect to the network for file or application access.
Manage-out support is unidirectional, and provides incoming-only access for administration purposes
only.
Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to
network resources. This gives security architects tighter, more precise control over remote users
who access specified resources. You can use a detailed policy to define which specific user can use
DirectAccess, and the location from which the user can access it. You can use IPsec encryption for
protecting DirectAccess traffic so that users can ensure that their communication is safe.
Integrated solution. DirectAccess integrates with server isolation, domain isolation, and NAP solutions,
resulting in the integration of security, access, and health requirement policies between the intranet
and remote computers.
DirectAccess Components
To deploy and configure DirectAccess, your
organization must support the following
infrastructure components:
DirectAccess server
DirectAccess clients
Internal resources
An AD DS domain
Group Policy
DNS server
NAP server
DirectAccess Server
The DirectAccess server can be any computer that meets the following conditions:
Is joined to a domain
This server provides authentication services for DirectAccess clients and acts as an IPsec tunnel mode
endpoint for external traffic. The new remote access server role allows centralized administration,
configuration, and monitoring for both DirectAccess and VPN connectivity.
Compared with the previous implementation in Windows Server 2008 R2, the new wizard-based setup
simplifies DirectAccess management for small and medium-sized organizations. The wizard does so by
removing the need for full PKI deployment and removing the requirement for two consecutive public IPv4
addresses for the physical adapter that is connected to the Internet. In Windows Server 2012, the wizard
detects the actual implementation state of the DirectAccess server. The wizard automatically selects the
best deployment, thereby not showing the administrator the complexity of manually configuring IPv6
transition technologies.
DirectAccess Clients
A DirectAccess client can be any domain-joined computer that runs the Enterprise edition of the
Windows 7, Windows 8, or Windows 8.1 operating systems.
Note: With off-premise provisioning, you can join the client computer in a domain without
connecting the client computer in your internal premises.
The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native
IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo.
Note that the user does not have to be logged on to the computer for this step to complete.
If a firewall or proxy server prevents the client that is using 6to4 or Teredo from connecting to the
DirectAccess server, the client computer automatically attempts to connect by using the IP-HTTPS
protocol, which uses an SSL connection to ensure connectivity.
A DirectAccess client uses the network location server to determine its location. If the client computer can
connect securely to the network location server by using HTTPS, the client computer assumes it is on the
intranet, and the DirectAccess policies are not enforced. If the network location server is not contactable,
the client assumes it is on the Internet. The network location server is installed on the DirectAccess server
with the Web server role.
Note: The URL for the network location server is distributed by using a Group Policy Object
(GPO).
Internal Resources
You can configure any IPv6-capable application that is running on internal servers or client computers to
be available for DirectAccess clients. For older applications and servers that do not have IPv6 support,
such as Windows Server 2003 or other non-Microsoft operating systems, Windows Server 2012 includes
native support for a protocol translation (NAT64) and name resolution (DNS64) gateway to convert IPv6
communication from a DirectAccess client to IPv4 for internal servers.
Note: You can also configure DirectAccess by using Microsoft Forefront Unified Access
Gateway.
You must deploy at least one AD DS domain that at a minimum is running at a Windows Server 2003
domain functional level. DirectAccess provides integrated multiple-domain support, which allows client
computers from different domains to access resources that might be located in different trusted domains.
Group Policy
You need to use Group Policy for the centralized administration and deployment of DirectAccess settings.
The Getting Started Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess
server, and selected servers.
PKI
PKI deployment is optional for simplified configuration and management. DirectAccess enables client
authentication requests to be sent over an HTTPS-based Kerberos proxy service that is running on the
DirectAccess server. This eliminates the need for establishing a second IPsec tunnel between clients and
domain controllers. The Kerberos proxy will send Kerberos requests to domain controllers on behalf of the
client.
However, for a full DirectAccess configuration that allows NAP integration, two-factor authentication, and
force tunneling, you still must implement certificates for authentication for every client that will
participate in DirectAccess communication.
DNS Server
When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use at least Windows
Server 2008 R2, Windows Server 2008 with the Q958194 hotfix, Windows Server 2008 SP2 or newer, or a
non-Microsoft DNS server that supports DNS message exchanges over ISATAP.
NAP Servers
NAP is an optional component of the DirectAccess solution that allows you to provide compliance
checking, and to enforce security policy for DirectAccess clients over the Internet. DirectAccess provides
the ability to configure NAP health checks directly from the setup user interface.
1. Verify that the client is running a supported operating system. A DirectAccess client computer
must be running Windows 7 Ultimate, Windows 7 Enterprise, Windows 8 Enterprise, Windows 8.1
Enterprise, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.
Note: If you configured DirectAccess by using the Getting Started Wizard, the DirectAccess
client computer must be running Windows 8, Windows 8.1, Windows Server 2012, or Windows
Server 2012 R2.
2. Verify that the client computer is part of an AD DS domain within your forest.
3. Verify that the client computer belongs to a suitable AD DS security group for the purposes of
applying GPOs for DirectAccess. The appropriate group is configured during the setup of
DirectAccess.
4. Verify that the two client GPOs are created and configured correctly. Use the Group Policy
troubleshooting tools to verify the correct application of GPOs for DirectAccess.
5. Check that the server configuration GPOs are applying to the DirectAccess server. Again, use standard
GPO troubleshooting tools and techniques.
6. Check IPv6 connectivity from the DirectAccess client to the DirectAccess server. IPv6 connectivity is
required for DirectAccess.
7. Also, check that the DirectAccess client has IPv6 connectivity to the intranet DNS servers. The
DirectAccess client must be able to use these servers to resolve intranet fully qualified domain names
(FQDNs).
8. Verify that the DirectAccess client has correctly determined its location as being on the Internet. You
can use the netsh dnsclient show state command to make this determination. The determined
network location displays in the Machine Location field.
In addition to the command shown above, you can use the following Netsh commands to troubleshoot
DirectAccess connectivity issues:
Netsh interface Teredo show state. This command is useful for determining whether the client-side
GPOs have successfully applied.
Netsh interface httpstunnel show interface. Displays detailed information about the IP-HTTPS
adapter on your computer. Enables you to see the name of the IP-HTTPS listener that runs on your
DirectAccess server, in addition to whether the adapter is currently connected.
Netsh namespace show policy. Should display the same information as you entered into the Name
Resolution Policy Table during the setup process on your DirectAccess server. If it does not, it means
that the GPOs have not applied to the local computer yet.
Netsh namespace show effectivepolicy. When the DirectAccess client is external, the output
mirrors the output from the netsh namespace show policy command. When the DirectAccess client
is internal, the output says Note: DirectAccess settings would be turned off when computer is inside
corporate network.
Netsh advfirewall show currentprofile. Shows which Windows Firewall profile is active. The IPsec
tunnels are only enabled on the Public and Private profiles. If the Domain profile is active, then
DirectAccess is not enabled.
Windows PowerShell
You can use the following Windows PowerShell cmdlets to investigate DirectAccess client problems:
You can also use the DirectAccess Connectivity Assistant 2.0. In Windows 8.1, you can access this tool from
the Networks list. Click the networking icon in the notification area to access the Networks list. This tool
enables you to:
Obtain DirectAccess connectivity information so that you can view DirectAccess connectivity status
from a client computer.
Obtain diagnostic and troubleshooting information. The tool helps users to reconnect to an
organizational network if problems occur. The tool creates diagnostics information that you can use
to help diagnose a connectivity problem.
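The Netsh checks above can be run together from Windows PowerShell. The following script is an added example, not part of the course text: it collects the same facts (firewall profile, effective NRPT, Teredo and IP-HTTPS state, NLS reachability) in one read-only report so that a technician can see why a client believes it is inside or outside the corporate network. It assumes the cmdlets shipped with Windows 8.1 and uses the lab NLS name from this course as a placeholder.

```powershell
# Added example (not part of the 20688D course text): a read-only DirectAccess
# client health check that mirrors the Netsh troubleshooting commands in this
# lesson, using the Windows PowerShell cmdlets available on Windows 8.1.
# Run in an elevated Windows PowerShell session on the DirectAccess client.
# The NLS FQDN below is the one used in this course's lab; it is an assumption
# and must be replaced with your own network location server.

$NlsFqdn = 'Directaccess-NLS.Adatum.com'

function Test-DAClientHealth {
    [CmdletBinding()]
    param([string]$NetworkLocationServer = $NlsFqdn)

    $result = [ordered]@{}

    # 1. Inside or outside? Same question as "netsh dnsclient show state".
    $da = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    $result.ConnectionStatus = if ($da) { $da.Status } else { 'DirectAccess client components not present' }

    # 2. Windows Firewall profile ("netsh advfirewall show currentprofile").
    #    IPsec tunnels only come up on the Public and Private profiles, so an
    #    active DomainAuthenticated profile means DirectAccess is not enabled.
    $profiles = Get-NetConnectionProfile -ErrorAction SilentlyContinue
    $result.ActiveProfiles = ($profiles | ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join '; '
    $result.DomainProfileActive = [bool]($profiles | Where-Object NetworkCategory -eq 'DomainAuthenticated')

    # 3. Effective NRPT ("netsh namespace show effectivepolicy"). An empty
    #    result outside the network usually means the client GPO has not applied.
    $nrpt = Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue
    $result.NrptNamespaces = ($nrpt | ForEach-Object Namespace) -join ', '
    $result.NrptPolicyPresent = [bool]$nrpt

    # 4. Transition technologies ("netsh interface teredo show state" and
    #    "netsh interface httpstunnel show interface").
    $teredo = Get-NetTeredoState -ErrorAction SilentlyContinue
    $result.TeredoState = if ($teredo) { $teredo.State } else { 'n/a' }
    $iphttps = Get-NetIPHttpsState -ErrorAction SilentlyContinue
    $result.IpHttpsInterface = if ($iphttps) {
        "$($iphttps.InterfaceStatus) (LastErrorCode=$($iphttps.LastErrorCode))"
    } else { 'n/a' }

    # 5. Can the NLS be reached over HTTPS with a trusted certificate? If yes,
    #    Windows treats the client as being on the intranet and turns DirectAccess off.
    #    A certificate the client does not trust fails here, exactly as it does for Windows.
    try {
        $r = Invoke-WebRequest -Uri "https://$NetworkLocationServer/" -UseBasicParsing -TimeoutSec 5
        $result.NlsReachable = ($r.StatusCode -eq 200)
    } catch {
        $result.NlsReachable = $false
    }

    [pscustomobject]$result
}

Test-DAClientHealth | Format-List
```

A healthy remote client shows a non-domain profile, a populated NRPT, an active IP-HTTPS or Teredo interface, and NlsReachable false; the reverse pattern points at the client believing it is on the intranet.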
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
lab, you must complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Verify network configuration on LON-RTR
1.
Switch to LON-RTR.
2.
In Server Manager, click Tools, and then click Routing and Remote Access.
3.
In the Routing and Remote Access console, in the navigation pane, right-click LON-RTR (local), and
then click Disable Routing and Remote Access.
4.
Click Yes in Routing and Remote Access dialog box. This step is needed to disable the Routing and
Remote Access that was preconfigured for this lab.
5.
6.
7.
In the Network Connections window, verify that there are two network adapters: London_Network
and Internet.
8.
In the Network Connections window, right-click the London_Network adapter, and then click
Disable.
9.
In the Network Connections window, right-click the London_Network adapter, and then click
Enable.
Switch to LON-DC1.
2.
In Server Manager, click Tools, and then click Active Directory Users and Computers.
3.
In the Active Directory Users and Computers console tree, right-click Adatum.com, click New, and
then click Organizational Unit.
4.
In the New Object Organizational Unit dialog box, in the Name box, type DA_Clients OU, and
then click OK.
5.
In the Active Directory Users and Computers console tree, expand Adatum.com, right-click
DA_Clients OU, click New, and then click Group.
6.
In the New Object - Group dialog box, in the Group name box, type DA_Clients.
7.
Under Group scope, ensure that Global is selected, and under Group type, ensure that Security is
selected, and then click OK.
8.
9.
In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
10. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types, select the Computers check box, and then click OK.
11. In the Enter the object names to select (examples) box, type LON-CL3, and then click OK.
12. Verify that LON-CL3 displays under Members, and then click OK.
13. Close the Active Directory Users and Computers console.
Switch to LON-RTR.
2.
In Server Manager, click Tools, and then select Remote Access Management.
3.
In the Remote Access Management console, under Configuration, click DirectAccess and VPN.
4.
5.
6.
Verify that Edge is selected, and in Type the public name or IPv4 address used by clients to
connect to the Remote Access server box, type 131.107.0.10, and then click Next.
7.
8.
On the Remote Access Review page, verify that two GPO objects are created, DirectAccess Server
Settings and DirectAccess Client Settings.
9.
10. Select Domain Computers (Adatum\Domain Computers), and then click Remove.
11. Click Add, type DA_Clients, and then click OK.
12. Clear the Enable DirectAccess for mobile computers only check box, and then click Next.
13. On the DirectAccess Client Setup page, click Finish.
14. On the Remote Access Review page, click OK.
15. On the Configure Remote Access page, click Finish to finish the DirectAccess Wizard.
16. In the Applying Getting Started Wizard Settings dialog box, click Close.
Completion steps
After you have completed the practice session, leave the virtual machines running for the lab.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20688D-LON-DC1, 20688D-LON-SVR1, 20688D-LON-RTR, and 20688D-LON-CL3
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. The virtual machines should still
be running from the preceding practice session. If they are not, before you begin the lab, you must
complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
Password: Pa$$w0rd
Domain: Adatum
5.
6.
7.
You then must complete the preceding practice session to get the virtual machines into the correct
state for this lab.
Incident Record
Incident Reference Number: 723469
Date of Call: November 8
Time of Call: 10:22
User: Josh Bailey (Research department)
Status: OPEN
Incident Details
DirectAccess is not configured on Josh's computer, and he cannot access intranet resources from his
home network.
Additional Information
Josh cannot connect to intranet resources from home.
His computer, LON-CL3, must be configured for DirectAccess.
Plan of Action
2.
3.
4.
Task 1: Read the help desk Incident Record for incident 723469
2. Update the Plan of Action section of the Incident Record with your recommendations.
1.
Start the 20688D-LON-CL3 virtual machine, and then sign in as Adatum\Administrator with the
password Pa$$w0rd.
2.
In the Command Prompt window, run the following commands to verify that the correct policies are
applying to the DirectAccess client:
gpupdate /force
gpresult /r
3.
You should see the DirectAccess Client Settings GPO listed under Applied Group Policy Objects.
4.
5.
6.
7.
2.
IP address: 131.107.0.50
3.
4.
5.
6.
7.
Notice the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an IP-HTTPS
address.
8.
9.
Verify that DNS Effective Name Resolution Policy Table Settings presents two entries, for adatum.com
and Directaccess-NLS.Adatum.com.
10. At the Windows PowerShell command prompt, type the following command, and then press Enter.
Get-DAClientExperienceConfiguration
Notice that the client is connected via IPHttps. In the Connection Details pane, in the lower-right of
the screen, note the use of Kerberos for the Machine and the User. If no data shows, restart LON-CL3,
and then sign in as Adatum\Administrator with the password Pa$$w0rd. Then repeat steps 4, 9,
and 10 above.
13. Close all open windows.
Results: After completing this exercise, you should have configured the client-side settings for
DirectAccess and tested access to internal resources.
2.
In the Virtual Machines list, right-click 20688D-LON-CL3, and then click Revert.
3.
4.
Module 9
Troubleshooting Resource Access within a Domain
Module Overview
To perform their jobs effectively, users need to have access to all of the resources that they require. For
example, users must have access to the data stored in their files, and have access to their printers. File and
printer access have unique issues that can negatively affect the user experience. You must be able to
troubleshoot and resolve issues related to both of these areas.
This module covers the causes of these issues, such as users' inability to access or modify files, and
difficulty accessing printers. This module also provides troubleshooting information that you can use to
help users who are having file access issues, file permission issues, or printer access issues.
Objectives
After completing this module, you will be able to:
Lesson 1
One of the most common tasks that users perform is accessing and modifying documents. To perform this
task, users must have access to those documents. Most users access documents over the network by using
mapped drives. You can configure mapped drives manually, by using logon scripts, and by using Group
Policy Preferences. You must understand and be able to troubleshoot these methods for accessing files.
Lesson Objectives
After completing this lesson, you will be able to:
Disconnected network drives. After signing in, drive mappings can display as disconnected. This
typically is due to network connectivity problems.
Folders not redirected properly. If you do not configure folder redirection properly, then users are
unable to access their files. For example, if you do not redirect the Documents folder to a network
location, Windows 8.1 uses the default local Documents folder in the user profile. This typically is
because of an incorrect folder redirection configuration.
Incorrect file system permissions or shared folder permissions. Users that do not have appropriate
permissions cannot access their files. Often, this may be a result of incorrect permission assignment or
incorrect group membership.
Typically, configuring drive mappings manually is beneficial and prudent only for very small organizations.
It is time-consuming and inefficient to create drive mappings manually in each user profile, because
changing drive mappings requires you to visit each user's computer.
Note: Creating a drive mapping does not configure the necessary permissions so that a
user can access and modify files. You must configure permissions in a separate step.
Simplified updates. When you need to update drive mapping, you only have to update a single,
central logon script, rather than having to update multiple user profiles individually and manually.
Increased flexibility. You can configure scripts to perform drive mappings that are specific to users,
groups, or computers.
The syntax for creating drive mappings varies depending on the type of logon script that you are using.
Two of the most common types of logon scripts are batch files (.bat) and Microsoft Visual Basic
Scripting Edition (VBScript) (.vbs). In Windows 8.1, you can also use Windows PowerShell for logon
scripts.
Note: Whether you decide to use scripts to create users' drive mappings, or use GPO
Preferences, you must use Group Policy to distribute these settings to your users. This means that
failure to apply the drive mapping can be related to generic GPO application problems. For
further information about troubleshooting the application of GPOs, please see Module 6:
Troubleshooting Group Policy.
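As an added example (not from the course or any Microsoft script), the following Windows PowerShell logon script maps a departmental drive only for members of a security group and re-creates a mapping that shows as disconnected, the first issue listed in this lesson. The server, share, group and drive letter follow this course's lab naming and are assumptions.

```powershell
# Added example (not part of the 20688D course text): a PowerShell logon script
# that maps drives by group membership and repairs disconnected mappings.
# Assumed values: \\LON-SVR1\Research shared to Adatum\Research as drive R:.
# Deploy it through Group Policy (User Configuration > Windows Settings > Scripts).

$Mappings = @(
    @{ Drive = 'R'; Path = '\\LON-SVR1\Research'; Group = 'Adatum\Research' }
)

function Test-GroupMembership {
    param([Parameter(Mandatory)][string]$GroupName)
    # Compare SIDs in the logon token, so nested group membership is honoured
    # and no directory query is needed at logon time.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    try {
        $account = New-Object System.Security.Principal.NTAccount($GroupName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        return $false   # group name cannot be resolved (for example, no domain controller reachable)
    }
    return [bool]($identity.Groups -contains $sid)
}

function Connect-DepartmentDrive {
    param(
        [Parameter(Mandatory)][string]$Drive,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group
    )
    if (-not (Test-GroupMembership -GroupName $Group)) {
        return "$Drive`: skipped (user is not a member of $Group)"
    }

    # A persisted mapping that is still reachable needs no action.
    $existing = Get-PSDrive -Name $Drive -ErrorAction SilentlyContinue
    if ($existing -and $existing.DisplayRoot -eq $Path -and (Test-Path "$Drive`:\")) {
        return "$Drive`: already mapped to $Path"
    }

    # Mapped elsewhere, or mapped but showing as disconnected: remove it first.
    if ($existing) {
        net use "$Drive`:" /delete /y | Out-Null
    }

    # Do not create a mapping that will immediately show as disconnected.
    if (-not (Test-Path $Path)) {
        return "$Drive`: $Path is unreachable; leaving the drive unmapped"
    }

    # -Persist makes the mapping visible in File Explorer and survive the session;
    # -Scope Global is required for a persisted drive created inside a function.
    New-PSDrive -Name $Drive -PSProvider FileSystem -Root $Path -Persist -Scope Global | Out-Null
    return "$Drive`: mapped to $Path"
}

foreach ($m in $Mappings) {
    Connect-DepartmentDrive @m
}
```

The script only maps drives; the share and NTFS permissions that let the user read or modify files must still be granted separately, as the note above points out.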
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Configure a drive mapping with Group Policy Preferences
1.
2.
3.
4.
In the console tree, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then
click the Group Policy Objects container.
5.
In the Group Policy Objects folder, in the details pane, right-click the Default Domain Policy, and
then click Edit.
Note: It is not usual to edit the Default Domain Policy to store drive mappings.
6.
Expand User Configuration, expand Preferences, expand Windows Settings, right-click Drive
Maps, point to New, and then click Mapped Drive.
7.
In the New Drive Properties dialog box, in the Action list, click Create.
8.
9.
On the Common tab, select the Item-level targeting check box, and then click Targeting.
2.
In the Targeting Editor dialog box, click New Item, and then click Security Group.
3.
4.
In the Select Group dialog box, in the Enter the object name to select (examples) text box, type
Adatum\Research and then click OK.
5.
2.
At the command prompt, type the following command, and then press Enter:
gpupdate /force
3.
Restart LON-CL1.
4.
5.
6.
7.
Note: If a Welcome to the Research Lab dialog box displays, this is a user-assigned logon
script. Click OK to close the dialog box.
Completion Steps
After you have completed the practice session, revert the virtual machines running in preparation for the
lab:
1.
2.
In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Lesson 2
The most common way that users collaborate is by using network file shares. Consequently, supporting
collaboration is an important part of your job. Your users might create documents that they share only
with departmental users, or they may work with a remote team member who needs access to those files.
Because of collaboration requirements, you must understand how to support shared folders in a network
environment.
You can control access to file shares with file share permissions, and with file and folder permissions.
Understanding how to determine effective permissions is essential to securing your files. You can use file
system permissions to define the level of access that users have to files that are available on your network,
or that are available locally on your Windows 8.1 computer.
Lesson Objectives
After completing this lesson, you will be able to:
You do not have to configure file sharing on separate folders. Just move or copy the file or folder that you
want to share on the network to the Public folder on your Windows 8.1 client.
There are several different ways in which you can share folders with others on a network:
Through the Microsoft Management Console (MMC) snap-in entitled Shared Folders
You can use the MMC Shared Folders snap-in to manage all file shares centrally on a computer. Use the
Shared Folders snap-in to create file shares and set permissions, and to view and manage open files and
the users who are connected to the computer's file shares. Additionally, you can view the properties for
the folder, which would allow you to perform actions such as specifying folder permissions.
When you are creating a new share, the Shared Folders snap-in opens the Create a Shared Folder Wizard.
By default, the share name will be the same as the folder name, and all users have read access Share
permissions.
Using the Share with option from the context menu or ribbon.
Using the Share with option from the context menu or ribbon
The Share with option is a simple and fast way to share a folder. When you right-click a folder and then
click Share with, a shortcut menu displays. You can use this shortcut menu to either stop sharing the
folder, or share the folder with specific people. When you share with specific people, you can click
Everyone, or share the folder with specific groups by typing their names. After selecting who you want
to share the folder with, you can set either Read or Read\Write permissions. Note that the file system
permissions are configured automatically based on what you selected. The share name will be the same
as the folder name.
Using the Properties dialog box provides two options. You can click the Share button, which then presents
the same dialog box as Share with Specific people. You also can click the Advanced Sharing button and
specify the share name. The default name is the same as the folder name, and you can specify share
permissions as Full Control, Change, or Read. In addition, because you are in the Properties dialog box,
you can click the Security tab and set folder permissions.
This command will create a simple share, which uses the share name that you specify, and which grants all
authenticated users Read permissions. The following table describes some additional command-line
options that you can use.
/Grant:user,permission. Allows you to specify Read, Change, or Full share permissions for the
specified user.
/Users:number. Allows you to limit the number of users that can connect to the share.
/Remark:text. Adds a descriptive comment about the share that users see when browsing.
/Cache:option. Sets the offline caching mode for the share (Manual, Documents, Programs,
BranchCache, or None).
sharename /Delete. Stops sharing the folder.
The Computer Management tool is a collection of MMC snap-ins that include the Shared Folders Snap-in.
Using the Computer Management tool, you can:
View and manage user sessions from remote computers connected to shared folders on the local
computer.
View and manage open files in the shared folders on the local computer.
Windows PowerShell provides several cmdlets that you can use to manage shares in Windows 8.1. The
Windows PowerShell command for creating a share is:
New-SmbShare -Name ShareName -Path C:\LocalFolder
The following cmdlets manage shares and their permissions:
Get-SmbShare. Retrieves the SMB shares on the computer.
Set-SmbShare. Modifies the properties of an existing share.
Remove-SmbShare. Deletes a share.
Get-SmbShareAccess. Retrieves the access control list (ACL) of a share.
Get-Acl. Retrieves the access control list (ACL) (this cmdlet is not new).
Grant-SmbShareAccess. Adds an allow access control entry to the ACL of a share.
Set-Acl. Sets the ACL for a specified resource (this cmdlet is not new).
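The cmdlets above are enough to create a share that does not fall back to the default of Read for Everyone and to find shares on a computer that do. The script below is an added example, not course material: the share name, path and the Adatum\Research group are assumptions.

```powershell
# Added example (not part of the 20688D course text): create a share with
# least-privilege share and NTFS permissions, then audit the computer for shares
# that grant broad groups Change or Full access. Share name, path and the
# Adatum\Research group are assumptions. Run elevated on Windows 8.1.

function New-RestrictedShare {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group,
        [ValidateSet('Read', 'Change', 'Full')][string]$ShareAccess = 'Change'
    )
    if (-not (Test-Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # Share permission: only the named group. Without one of the *Access
    # parameters, New-SmbShare grants Everyone Read, the same default as
    # "net share" and the Shared Folders snap-in described in this lesson.
    $splat = @{ Name = $Name; Path = $Path; FolderEnumerationMode = 'AccessBased' }
    switch ($ShareAccess) {
        'Read'   { $splat.ReadAccess   = $Group }
        'Change' { $splat.ChangeAccess = $Group }
        'Full'   { $splat.FullAccess   = $Group }
    }
    $share = New-SmbShare @splat

    # NTFS permission on the underlying folder. Effective access over the
    # network is the more restrictive of the share and NTFS permissions, so
    # Modify here combined with Change on the share gives read/write, no ACL edits.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    return $share
}

function Get-OverlyPermissiveShare {
    # Returns every non-administrative share on this computer on which Everyone,
    # Authenticated Users or Users holds Change or Full share permission.
    $broadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.AccessRight -in 'Change', 'Full' -and
                $_.AccountName -in $broadPrincipals
            }
    }
}

New-RestrictedShare -Name 'ResearchData' -Path 'C:\ResearchData' -Group 'Adatum\Research'
Get-OverlyPermissiveShare | Format-Table Name, AccountName, AccessRight -AutoSize
```

A share flagged by Get-OverlyPermissiveShare can be tightened with Revoke-SmbShareAccess for the broad principal followed by Grant-SmbShareAccess for the intended group.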
Basic folder sharing is the simplest form of folder sharing, because it enables users to share a folder
quickly and simply. You create basic folder shares by using File Explorer. To share a folder this way,
right-click the folder, point to Share with, and then click Specific people. You can also use the Net share
command without any additional options.
You can use advanced sharing to maintain more control over the Folder sharing process. To use advanced
sharing, use the following procedure:
1.
2.
3.
4.
The maximum number of concurrent connections to the folder. The default setting is 20
concurrent connections.
Shared folder permissions. The default permissions are Read permissions for the group
Everyone.
Caching options. The default caching option allows user-selected files and programs to be
available offline. You can disable offline files and programs, or configure files and programs to be
available offline automatically.
You can also access advanced sharing by using the Net share command with additional options.
When you turn on Public folder sharing in Windows 8.1, anyone with an account on your computer, or a
PC on your network, can access the contents of these folders. To share something, copy or move it into
one of these public folders.
By default, Windows 8.1 provides the following Public folders:
Documents
Music
Pictures
Videos
You can view these folders by launching File Explorer, and then clicking Libraries to expand the folders.
By default, Public folder sharing is not enabled. However, files stored in the Public folder hierarchy are
available to all users who have an account on a given computer and can sign in to it locally.
To configure Windows 8.1 to allow access to the Public folders from the network, access the Change
advanced sharing settings link in the Network and Sharing Center, under the All Networks section. You
can either:
Turn on sharing, so that anyone with network access can read and write files in the Public folders.
Turn off Public folder sharing (people logged in to this computer can still access these folders).
Public folder sharing does not allow users to fine-tune sharing permissions, but it does provide a simple
way for users to make their files available to others. When you enable public folder sharing, the system
group Everyone is granted full control permissions for the share and the underlying folder permissions.
When you share a folder, you must decide the permissions that a user or group will have when they
access the folder through the share. These permissions are known as shared folder permissions. The
permissions that you can use to secure a shared folder depend on the way in which you share a folder.
In Windows 8.1, basic sharing permissions offer two choices:
Note: When you use basic sharing, the permissions you assign are also assigned to the
underlying folder structure by using folder permissions. This provides for a simple and quick way
of securing and sharing a folder.
Advanced sharing in Windows 8.1 enables you to configure slightly different permissions:
Change. Users can perform most actions on files within the shared folder.
Full Control. Users can perform all actions on files within the shared folder.
Note: When you use advanced sharing, the permissions that you assign are assigned to
the shared folder only, and not to the underlying folder. Although more time-consuming, this
method provides more control over the assignment of permissions. Keep in mind that when
using advanced sharing, the default shared folder permission is Read, which is assigned to the
Everyone group.
Shared folder permissions. Shared folder permissions allow security principals, such as users, to access
shared resources from across the network. Shared folder permissions are only in effect when a user
accesses a resource from the network.
Note: The next lesson covers this topic in greater detail.
File system permissions. File system permissions are always in effect, whether a user accesses the file
by connecting across the network or by signing in to the local machine on which the resource is
located. You can grant permissions to a file or folder for a named group or user.
Each NTFS or ReFS file and folder has an ACL with a list of users and groups that are assigned permissions
to the file or folder. Each entry in the ACL is an access control entry that identifies the specific permissions
granted to a user or group.
Special permissions provide a finer degree of control for assigning access to files and folders.
However, special permissions are more complex to manage than standard permissions.
The standard permissions are:
Full Control. All actions on the object are allowed, including changing permissions and taking
ownership. This applies to the object and any child objects by default.
Modify. Read and write access. This applies to the object and any child objects by default. The
specific permissions that make up Modify permissions are Traverse Folder/Execute File, List
Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create
Folders/Append Data, Write Attributes, Write Extended Attributes, Delete, and Read Permissions.
Read and Execute. Folder content can be viewed, files can be read, and programs can be started. This
applies to the object and any child objects by default. The specific permissions that make up Read and
Execute permissions are Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read
Extended Attributes, and Read Permissions.
Read. Read-only access. This applies to the object and any child objects by default. The specific
permissions that make up Read permissions are List Folder/Read Data, Read Attributes, and Read
Extended Attributes.
Write. Folder and file content can be changed. This applies to the object and any child objects by
default. The specific permissions that make up Write permissions are Create Files/Write Data, Create
Folders/Append Data, Write Attributes, and Write Extended Attributes.
Special permissions. A custom combination of the individual permissions described in the next table.
Note: Groups or users that are granted Full Control on a folder can delete any files in that
folder, regardless of the permissions protecting the file.
To modify file permissions, you must be given the Full Control permission for a folder or file. The one exception is for file and folder owners. The owner of a file or folder can modify file or folder permissions, even if they do not have any current file or folder permissions. Administrators can take ownership of files and folders to make modifications to file and folder permissions.
Special permissions give you a finer degree of control for assigning access to files and folders. However,
special permissions are more complex to manage than standard permissions. The following table defines
the special permissions for which you can provide custom configuration for each file and folder.
File permission / Description

Traverse Folder/Execute File

List Folder/Read Data
The List Folder permission allows or denies viewing file names and subfolder names in the folder. The List Folder permission applies only to folders and affects only the contents of that folder. This permission is not affected if the folder on which you are setting the permission is listed in the folder list.
The Read Data permission applies only to files, and allows or denies viewing data in files.

Read Attributes
The Read Attributes permission allows or denies viewing the attributes of a file or folder, such as the read-only and hidden attributes. The file system defines the attributes.

Read Extended Attributes
The Read Extended Attributes permission allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs, and they can vary by program.

Create Files/Write Data
The Create Files permission applies only to folders, and allows or denies creating files in the folder.
The Write Data permission applies only to files, and allows or denies making changes to the file and overwriting existing content.

Create Folders/Append Data
The Create Folders permission applies only to folders, and allows or denies creating folders in the folder.
The Append Data permission applies only to files, and allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data.

Write Attributes
The Write Attributes permission allows or denies changing the attributes of a file or folder, such as read-only or hidden. The file system defines the attributes.
The Write Attributes permission does not imply that you can create or delete files or folders. It includes only the permission to make changes to the attributes of a file or folder.

Write Extended Attributes
The Write Extended Attributes permission allows or denies changing the extended attributes of a file or folder. Programs define the extended attributes, which can vary by program.
The Write Extended Attributes permission does not imply that the user can create or delete files or folders. It includes only the permission to make changes to the extended attributes of a file or folder.

Delete Subfolders and Files
The Delete Subfolders and Files permission applies only to folders and allows or denies deleting subfolders and files, even if the Delete permission is not granted on the subfolder or file.

Delete
The Delete permission allows or denies deleting the file or folder. If the user has not been assigned Delete permission on a file or folder, he or she still can delete the file or folder if the user is granted the Delete Subfolders and Files permission on the parent folder.

Read Permissions
The Read Permissions permission allows or denies reading the permissions on the file or folder, such as Full Control, Read, and Write.

Change Permissions

Take Ownership
The Take Ownership permission allows or denies taking ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.
Permissions inheritance allows the folder permissions that are set on a folder to be applied automatically
to files that users create in that folder and its subfolders. This means that you can set permissions for an
entire folder structure at a single point. If you have to modify the permissions, you then only have to
perform the change at that single point.
For example, if you create a folder named MyFolder, all subfolders and files created within MyFolder inherit that folder's permissions automatically. Therefore, MyFolder has explicit permissions, whereas all subfolders and files within it have inherited permissions.
You also can add permissions to subfolders and files below the initial point of inheritance, without
modifying the original permissions assignment. This grants a specific user or group a different file access
than the inherited permissions.
If the Allow or Deny check boxes associated with each of the permissions are unavailable (grayed out), the
file or folder has inherited permissions from the parent folder. There are three ways to make changes to
inherited permissions:
Make the changes to the parent folder, and then the file or folder will inherit these permissions.
Select the opposite permission (Allow or Deny) to override the inherited permission.
Choose not to inherit permissions from the parent object. You then can make changes to the
permissions, or remove the user or group from the Permissions list of the file or folder.
You also can deny permissions explicitly. For example, Alice might not want Bob to be able to read her
file, even though he is a member of the Marketing group. She can exclude Bob by explicitly denying him
permission to read the file. This is typically how explicit denies are used to exclude a subset (such as
Bob) from a larger group (such as Marketing) which has permission to perform an operation.
Note that using explicit denials increases the complexity of the authorization policy, which can create
unexpected errors. For example, you might want to allow domain administrators to perform an action but
deny domain users. If you attempt to implement this by explicitly denying domain users, you also deny
any domain administrators who also are domain users. Though it is sometimes necessary, you should try
to avoid using explicit denials.
In most cases, Deny overrides Allow unless a folder is inheriting conflicting settings from different parents.
When this occurs, the setting inherited from the parent closest to the object in the subtree will have
precedence.
Note: Inherited Deny permissions do not prevent access to an object if the object has an
explicit Allow permission entry. Explicit permissions take precedence over inherited permissions,
even inherited Deny permissions.
Only inheritable permissions are inherited by child objects. When you set permissions on the parent object, you can choose whether folders, subfolders, and files can inherit permissions. Perform the following steps to assign inheritable permissions:
1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click Advanced.
2. In the Advanced Security Settings for <name> dialog box, the Inherited From column displays from where the permissions are inherited. The Applies to column lists the folders, subfolders, or files to which the permissions apply.
3. Double-click the user or group for which you want to adjust permissions.
4. In the Permission Entry for <name> dialog box, click the Applies to drop-down list box, and then click one of the following options:
   o Subfolders only
   o Files only
5. Click OK in the Permission Entry for <name> dialog box, click OK in the Advanced Security Settings for <name> dialog box, and then click OK in the Properties dialog box.
If the Special Permissions entry in Permissions for User or Group is grayed out, this means that a special
permission is selected. It does not imply that this permission is inherited.
After you set permissions on a parent folder, new files and subfolders that are created in the folder inherit
these permissions. You can block permission inheritance to restrict access to these files and subfolders. For
example, all accounting users may be assigned Modify permission to the Accounting folder. However, on
the subfolder Wages, you can block inherited permissions and allow only a few specific users access to the
folder.
Note: When permissions inheritance is blocked, you have the option to copy existing
permissions, or to begin with blank permissions. If you want to restrict only a particular group or
user, then copying existing permissions simplifies the configuration process.
To prevent a child file or folder from inheriting a permission on a parent folder, when you set up permissions for the parent folder, select This folder only in the Applies to list box.
To prevent a folder or file from inheriting permissions from a parent folder, perform the following steps:
1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click Advanced.
2. In the Advanced Security Settings for <file or folder> dialog box, click Disable inheritance.
3. In the Block Inheritance dialog box, select any of the following options:
   o Cancel
4. Click OK in the Advanced Security Settings for <name> dialog box, and then click OK on the Properties page.
In addition to the appropriate shared folder permissions, users must have the appropriate file system
permissions for each file and subfolder in a shared folder to access those resources.
When file system permissions and shared folder permissions are combined, the resulting permission is the more restrictive of the effective shared folder permissions and the effective file system permissions.
When accessing content through a share, the Share permissions on a folder apply to that folder, to all
files in that folder, to subfolders, and to all files in those subfolders.
Note: If the guest user account is enabled on your computer, the Everyone group includes
anyone. As a best practice, remove the Everyone group from any permission lists, and replace it
with the Authenticated Users group.
The following analogy can be helpful in understanding what happens when you combine file system
permissions and Share permissions. When you are working with a shared folder, you must always go
through the shared folder to access its files over the network. Therefore, you can think of the shared
folder permissions as a filter that only allows users to perform those actions that are acceptable to the
Share permissions. All file system permissions that are less restrictive than the Share permissions are
filtered out, so that only the most restrictive permissions remain.
For example, if the share permission is set to Read, then the most that you can do is read through the
share, even if individual file permission is set to Full Control. If you are configuring the share permission to
Modify, then you are allowed to read or modify the share. If the file permission is set to Full Control, then
the Share permissions filter the effective permission to Modify.
Question: If a user has Full Control file system permissions to a file but is accessing the file
through a share with Read permission, what will be the effective permission the user will
have on the file?
Question: If you want a user to view all files in a shared folder, but the user can modify only
certain files in the folder, what permissions should you give the user?
Question: Identify a scenario at your organization where it might be necessary to combine
file system permissions and Share permissions. What is the reason for combining
permissions?
The Effective Access feature determines the permissions a user or group has on an object by calculating
the permissions that are granted to the user or group. The calculation takes into account the permissions
in effect from group membership and any of the permissions inherited from the parent object. It looks up
all domain and local groups in which the user or group is a member.
Note: The Effective Access feature always includes the Everyone group when calculating
effective permissions, provided the selected user or group is not a member of the Anonymous
Logon group.
The Effective Access feature produces only an approximation of the permissions that a user has. The actual
permissions the user has may differ, because permissions can be granted or denied based on how a user
signs in. The permissions that are specific to how a user signs in cannot be determined by the Effective
Access feature, because the user may not sign in. Therefore, the effective permissions it displays reflect
only those permissions specified by the user or group, and not the permissions specified by the logon. For
example, if a user is connected to a computer through a file share, then the logon for that user is marked
as a Network Logon. Permissions can be granted or denied to the well-known security ID (SID) Network,
which the connected user receives. This way, a user has different permissions when signed in locally than
when logged on over a network.
You can view effective access in the Advanced Security Settings for <folder> dialog box. You can access this dialog box from a folder's Properties dialog box, by clicking the Advanced button on the Security tab. You also can access it directly from the Share menu on the ribbon in File Explorer.
When you are evaluating file system permissions, be aware that the Deny permission overrides the Allow
permission. For example, if your group has the Modify permission set to Allow, and a user in that group
has the Modify permission set to Deny, the user is denied the Modify permission.
If the effective file system permissions are correct, then you should verify that the Share permissions are
configured correctly. Share permission can limit the ability of users to access and modify files, even if
the appropriate file system permissions are assigned. For example, if you assign a group Read share
permission and Modify file system permission, the members of the group are limited to Read permission.
To simplify the interaction of share and file system permissions, many organizations assign the Everyone
group Full Control share permission. This means that file system permissions control access to files.
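A model of the rules this lesson states, added here as a worked example (it is not Microsoft's implementation and not part of the course lab): explicit entries beat inherited ones, the closer parent beats a farther one, Deny beats Allow at the same level, group entries accumulate, and the share permission then filters the file system result. The users, groups and ACLs are constructed, and the real NTFS access mask and evaluation carry more detail than this simplified model.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Rights as bit flags. A constructed simplification of the NTFS access mask;
# the standard permissions from the table above map onto it as follows.
READ, WRITE, DELETE, CHANGE_PERMS = 1, 2, 4, 8
STANDARD = {
    "Read": READ,
    "Write": WRITE,
    "Modify": READ | WRITE | DELETE,
    "Full Control": READ | WRITE | DELETE | CHANGE_PERMS,
}


@dataclass(frozen=True)
class Ace:
    """One access control entry. depth 0 is an explicit entry; 1 is inherited
    from the parent folder, 2 from the grandparent, and so on."""
    trustee: str
    allow: bool
    rights: int
    depth: int = 0


def canonical_order(aces: Iterable[Ace]) -> List[Ace]:
    """Order entries the way the text describes precedence: explicit before
    inherited, the closer parent before a farther one, and Deny before Allow
    at the same level (False sorts before True)."""
    return sorted(aces, key=lambda a: (a.depth, a.allow))


def effective_rights(aces: Iterable[Ace], principals: FrozenSet[str]) -> int:
    """Walk the ordered ACL once. A right is settled by the first entry that
    names it for one of the caller's principals: an earlier Allow shields it
    from a later Deny, and an earlier Deny removes it from a later Allow."""
    granted = denied = 0
    for ace in canonical_order(aces):
        if ace.trustee not in principals:
            continue
        if ace.allow:
            granted |= ace.rights & ~denied
        else:
            denied |= ace.rights & ~granted
    return granted


def effective_over_share(share_aces, ntfs_aces, principals) -> int:
    """Share permissions act as a filter: only rights both lists allow remain."""
    return effective_rights(share_aces, principals) & effective_rights(ntfs_aces, principals)


def describe(rights: int) -> str:
    """Name the standard permission(s) fully covered by a right set."""
    if rights & STANDARD["Full Control"] == STANDARD["Full Control"]:
        return "Full Control"
    if rights & STANDARD["Modify"] == STANDARD["Modify"]:
        return "Modify"
    return ", ".join(n for n in ("Read", "Write") if rights & STANDARD[n]) or "None"


# Constructed directory data: who is in which group. Everyone and
# Authenticated Users are part of every signed-in user's token here.
GROUPS = {"Alice": {"Marketing"}, "Bob": {"Marketing"}, "Allie": {"Research"}}


def principals_for(user: str) -> FrozenSet[str]:
    return frozenset({user, "Everyone", "Authenticated Users", *GROUPS.get(user, ())})


# Constructed ACLs for a Marketing share. The share grants Everyone Full
# Control, as the text suggests, so the file system decides. The NTFS list
# carries an Authenticated Users Read entry inherited from the parent, which
# is the kind of entry that lets a Research user read Marketing data.
MARKETING_SHARE = [Ace("Everyone", True, STANDARD["Full Control"])]
MARKETING_NTFS = [
    Ace("Marketing", True, STANDARD["Modify"]),
    Ace("Authenticated Users", True, STANDARD["Read"], depth=1),
]
# The same folder after inheritance is blocked and only the intended entry is kept.
MARKETING_NTFS_FIXED = [Ace("Marketing", True, STANDARD["Modify"])]


def marketing_access(user: str, ntfs=MARKETING_NTFS) -> str:
    """Effective permission for a user reaching the Marketing folder over the share."""
    return describe(effective_over_share(MARKETING_SHARE, ntfs, principals_for(user)))


if __name__ == "__main__":
    for user in ("Alice", "Allie"):
        print(user, "before:", marketing_access(user),
              "after:", marketing_access(user, MARKETING_NTFS_FIXED))
```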
When troubleshooting permissions, use the following procedure to help determine the problem:
Lesson 3
When users finish working with documents, they often print them. Users who cannot print their
documents often become frustrated. To ensure that printing is available to users and that it functions
correctly, you must understand the Windows 8.1 printing architecture and how to install printers. You also
must understand how to install printer drivers and how location-aware printing works.
Lesson Objectives
After completing this lesson, you will be able to:
A printer is not available automatically to users. Users can become frustrated when they have to
install their own printers. This can be a problem, particularly when you replace older printers and
need to update the printers for all users.
The default printer is not appropriate. Roaming users need to use different printers depending on
their location. If the default printer is static, then the user is forced to select the appropriate printer
each time.
A user is unable to install a printer driver. Roaming users often need to install printers in remote
locations. However, standard users do not have permission to add new printer drivers.
Users are unable to locate a printer with a published location in Active Directory Domain Services
(AD DS). When a printer is shared on a server, it can be published in AD DS, enabling users to locate
printers by searching AD DS. If the printer is not listed in the correct location, or if the AD DS sites and
subnet objects do not match the physical network topology, then users will not be able to locate
these printers.
Windows 8.1 detects printers that you connect to your computer, and if the driver is available in the driver
store, it installs the driver for the printer automatically. However, Windows 8.1 might not detect printers
that connect by using older ports, such as serial or parallel ports, or network printers. In these cases, you
must configure the printer port manually.
Installing a Driver
The printer driver is a software interface that enables your computer to communicate with the printing
device. Without a printer driver, the printer that connects to your computer will not work properly. The
printer driver is responsible for converting the print job into a page-description language (PDL) that the
printer can use to print the job. The most common PDLs are PostScript, Printer Control Language (PCL),
and XML Paper Specification (XPS).
In most cases, drivers come with the Windows operating system. Alternatively, you can find them by
going to Windows Update in Control Panel, and checking for updates.
Note: If your organization does not allow automatic updates from Windows Update, you
must use alternative methods to distribute printer drivers.
If the Windows operating system does not have the driver you need, you can find it on the disk that came
with the printer, or on the manufacturer's website.
If the Windows operating system does not recognize your printer automatically, you must configure the
printer type during the installation process. The Printer Setup Wizard presents you with an extensive list of
currently installed printer types. However, if your printer is not on the list, you must obtain and install the
necessary driver.
Note: You can preinstall printer drivers into the driver store, thereby making them available
in the printer list by using the Pnputil.exe command-line tool.
When you connect a new printer to your computer, the Windows application attempts to find and install
a software driver for the printer. Occasionally, you might see a notification that a driver is unsigned or
altered, or that Windows cannot install it. You have a choice whether to install a driver that is unsigned or
has been altered since it was signed.
Note: Many USB printers require that you install the printer driver before you attach the
printer. Failure to follow this procedure can result in the printer failing to function correctly.
Check the product documentation before attaching the printer to your computer.
Once you initiate a print job, you can view, pause, or cancel the job through the print queue. The print
queue displays what is printing, or what is waiting to print. It also displays information such as job status,
who is printing what, and how many unprinted pages remain. From the print queue, you can view and
maintain the print jobs for each printer.
You can access the print queue from the Print Management MMC snap-in through the See what's printing option on the Devices and Printers page in Control Panel. Documents that are listed first will be the first to print.
Note: A corrupted print job can stall print queue processing. It is necessary to delete
such a corrupted job to allow other queued print jobs to process. Consider that if the user that
submitted the corrupted print job tries to print again, the queue may stall once more.
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. To cancel an individual print job, right-click the print job you want to remove, and then click Cancel.
3. To cancel all print jobs, click the Printer menu, and then click Cancel All Jobs. The item currently printing might finish, but the remaining items will be cancelled. To cancel other users' print jobs, you must have at least Manage Documents permissions on the printer object.
Note: If you are unable to delete a stalled print job, you can stop the Print Spooler service
and then delete the spool files manually. You can then restart the Print Spooler service. Use the
Services.msc management console to start and stop the Print Spooler service. You can find the
spool files in the C:\Windows\System32\Spool folder.
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. To pause or resume an individual print job, right-click the print job, and then click Pause or Resume.
3. To pause all print jobs, click the Printer menu, and then click Pause Printing. To resume printing, click Resume Printing.
If you need to restart a print job (for example, if the print job is printing in the wrong color ink or on the wrong paper), you can restart it by using the following steps:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2.
If you are printing multiple items, you can change the order in which they print. To reorder the jobs in the print queue:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2.
3. Click the General tab, and then drag the Priority slider left or right to change its print order. Items with higher priority print first.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Dana Birkby does not have access to the Marketing shared folder when she signs in. You must determine
why, and then take the appropriate corrective action.
Incident Record
Incident Reference Number: 723307
Date of Call: October 20
Time of Call: 11:47
User: Dana Birkby (Marketing Department)
Status: OPEN
Incident Details
User reports that she does not have access to the Marketing shared folder.
Additional Information
User reports that she started her job last week, and does not have access to the Marketing shared folder, which is at \\LON-DC1\Marketing. She is signing in to LON-CL1.
I walked the user through accessing the share by using the Universal Naming Convention (UNC) path. This is an acceptable short-term solution. However, this user should map drive letter M to the Marketing shared folder like other users in that department.
Drive mappings are assigned using a Windows PowerShell script by using GPOs. I confirmed that the user account is in the correct organizational unit (OU).
Other research users such as Adam Barr are experiencing no problems with the drive mapping.
Plan of Action
Resolution
2. Discuss recommendations.
3.
4.
Task 1: Read the help desk Incident Record for Incident 723307
2. Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
Attempt to resolve the problem by using your knowledge of GPOs and logon scripts.
2.
3.
If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Results: After completing this exercise, you should have resolved a file access issue.
Users in the Marketing department have a data folder to which they should have exclusive access. Some
users from the Research department have recently been accessing content from these folders. You must
determine how that is possible, and then take corrective action.
Incident Record
Incident Reference Number: 723308
Date of Call: October 20
Time of Call: 12:05
User: Adam Barr (Marketing Department)
Status: OPEN
Incident Details
Users from other departments seem to have access to the departmental data folder.
Additional Information
The user, Adam, reports that non-Marketing users have access to Marketing data in the \\lon-dc1\Marketing shared folder.
I signed in as Adam, a member of the Marketing department. He has appropriate access. However, I also signed in as Allie Bellew, from Research. Although I had to manually create a drive mapping, I could then access files in the Marketing share. However, I could not save files to this share.
Plan of Action
Resolution
2. Discuss recommendations.
3.
4.
Task 1: Read the help desk Incident Record for Incident 723308
2. Switch to LON-CL1.
2.
3.
4.
Note: Theoretically, this mapping should not work as Allie is not in the Marketing group. However, the mapping is successful.
1. Attempt to resolve the problem by using your knowledge of file permissions and shared folder access.
2.
3.
If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Results: After completing this exercise, you should have resolved a file access issue.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Module 10
Configuring and Troubleshooting Resource Access for
Clients That Are Not Domain Members
Contents:
Module Overview
10-1
10-2
10-7
10-13
10-19
10-25
Module Overview
Users in most organizations often request access to organizational resources from devices other than the
computer in their office. Resources such as email have been available from outside the organization for
many years. Access to other resources such as files and applications is largely restricted from outside the
organization. The Windows Server 2012 R2 and Windows 8.1 operating systems include features to
access files and applications remotely.
Objectives
After completing this module, you will be able to:
Lesson 1
10-2 Configuring and Troubleshooting Resource Access for Clients That Are Not Domain Members
Workplace Join is a new feature in Windows Server 2012 R2 that you can use to enhance security when users access applications remotely. When you use Workplace Join, you can identify devices used to access applications and ensure that applications are accessed only from known devices, such as a user's home computer or smartphone. It is also important to control the use of users' personal devices in the workplace, known as the Bring Your Own Device (BYOD) scenario, which is becoming common in many organizations. Understanding how Workplace Join works is essential in troubleshooting issues with access to applications.
Lesson Objectives
After completing this lesson, you will be able to:
Overview of BYOD
In the past, organizations had strict control over the devices they allowed to access enterprise resources. Devices such as smartphones were standardized and needed approval for use on corporate networks. Organizations restricted devices to enforce security and to provide standardized support for known devices.
BYOD is a new trend in enterprise organizations. BYOD is a scenario where employees select a device of their choosing and access enterprise resources, such as applications. The device is often owned and managed only by the employee. Employees are often reimbursed for a portion of the device cost.
Allowing BYOD in the enterprise often results in employees that are more productive. Selecting a device
such as a smartphone is a very personal decision. Using a device that they are comfortable with makes
employees more productive and more satisfied with the device.
For an organization, allowing BYOD shifts some of the device-management costs to the employee. For
example, the employee now manages signing up and maintaining a service contract. However, there are
some challenges with BYOD:
Security for application access. When any device is allowed to access enterprise resources, it becomes
more difficult to secure access to the resources.
Security for enterprise data. When employees' personal devices contain enterprise data, the security of that data becomes a concern. Is it possible to wipe the data if the device is lost or after the employee leaves the organization?
Support. It might be more difficult to provide support for multiple platforms. You need to ensure that
your help desk personnel are trained to work with all of the common device platforms rather than
just the corporate standard.
Claims-Aware Applications
An application must include the ability to support the use of claims. The application must also be
configured to trust a specific instance of AD FS. An application only trusts claims from specifically defined
AD FS servers.
Some common examples of claims-aware applications are Microsoft Office 365, Microsoft SharePoint
Server, and custom applications developed by using Windows Identity Foundation. All of these
applications can be configured to trust claims that AD FS provides for authentication.
A benefit of claims-based authentication is the ability to distribute responsibility for authentication and
providing claims. For example, an application in your organization could provide access to users from a
partner organization based on authentication that AD FS performs in the partner organization. This avoids
the need for users to have a second set of credentials. For example, when claims-based authentication is
used, users can authenticate to Office 365 by using the same user name and password that they use for
AD DS.
Device Registration
To perform a Workplace Join, devices contact the Device Registration Service. This service runs on an
AD FS server on the internal network. To expand support for Workplace Join outside a corporate network,
you use Web Application Proxy. Web Application Proxy installs in the perimeter network of your
organization and proxies Workplace Join requests to the AD FS server.
Note: Web Application Proxy is a new feature in Windows Server 2012 R2.
The following clients support the Workplace Join feature:
During the Workplace Join process, you are prompted to provide your email address and password. The required information is actually your user principal name (UPN) and not your email address. To simplify this process, we strongly recommend that the UPN for users match their email address.
Windows devices automatically locate the server for Workplace Join based on the provided UPN. The
server used for Workplace Join is enterpriseregistration.upndomainname.com. You need to configure
Domain Name System (DNS) to properly resolve this record to the IP address of your AD FS server or
Web Application Proxy that is configured to support Workplace Join.
The certificate for the AD FS server and Web Application Proxy needs to include the
enterpriseregistration.upndomainname.com domain name. The configuration process is simpler if you
include this name in the certificate that is used during the installation of AD FS and Web Application
Proxy instead of changing the certificate after installation.
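A pre-flight check for the naming requirements just described, added here as an example (not Microsoft's tooling or part of the course lab): it derives the enterpriseregistration host from the UPN suffix, resolves it through an injected resolver so the internal and external answers can be checked separately, and confirms that a certificate's subject alternative names cover the name. The DNS tables, IP addresses and SAN lists are constructed, and adatum.com stands in for the UPN suffix.

```python
from typing import Callable, Iterable, List, Optional, Set


def registration_host(upn: str) -> str:
    """Derive the Device Registration name from the UPN suffix, as the text
    states: enterpriseregistration.<upn suffix>. Only the shape is checked; an
    email address with a different suffix looks identical, which is why the
    text wants UPN and email address to match."""
    local, sep, suffix = upn.partition("@")
    if not sep or not local or not suffix or "@" in suffix:
        raise ValueError(f"not a user principal name: {upn!r}")
    return "enterpriseregistration." + suffix.lower()


def name_matches(san: str, host: str) -> bool:
    """DNS-name SAN match: exact, or a single-label wildcard such as
    *.adatum.com (covers enterpriseregistration.adatum.com, not a.b.adatum.com)."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        _, _, parent = host.partition(".")
        return bool(parent) and parent == san[2:]
    return san == host


def check_workplace_join(
    upn: str,
    resolve: Callable[[str], Optional[str]],
    cert_sans: Iterable[str],
    expected_ips: Set[str],
) -> List[str]:
    """Return findings for one vantage point (internal or external); an empty
    list means the DNS and certificate prerequisites are met from there."""
    findings = []
    host = registration_host(upn)
    ip = resolve(host)
    if ip is None:
        findings.append(f"DNS: {host} does not resolve")
    elif ip not in expected_ips:
        findings.append(f"DNS: {host} resolves to {ip}, expected {sorted(expected_ips)}")
    if not any(name_matches(san, host) for san in cert_sans):
        findings.append(f"Certificate: no subject alternative name covers {host}")
    return findings


# Constructed sample environment (not the course lab's real addressing).
# Internally the name must point at the AD FS server; externally at the
# Web Application Proxy in the perimeter network.
ADFS_IP, WAP_IP = "10.0.0.10", "203.0.113.10"
INTERNAL_DNS = {"adfs.adatum.com": ADFS_IP, "enterpriseregistration.adatum.com": ADFS_IP}
EXTERNAL_DNS = {"adfs.adatum.com": WAP_IP, "enterpriseregistration.adatum.com": WAP_IP}
GOOD_CERT_SANS = ["adfs.adatum.com", "enterpriseregistration.adatum.com"]
BAD_CERT_SANS = ["adfs.adatum.com"]  # certificate issued without the registration name


def check_internal(upn: str, sans=GOOD_CERT_SANS) -> List[str]:
    return check_workplace_join(upn, INTERNAL_DNS.get, sans, {ADFS_IP})


def check_external(upn: str, sans=GOOD_CERT_SANS) -> List[str]:
    return check_workplace_join(upn, EXTERNAL_DNS.get, sans, {WAP_IP})


if __name__ == "__main__":
    # The second UPN shows what a user who types an email address with a
    # different suffix runs into: the derived name neither resolves nor is
    # covered by the certificate.
    for upn in ("alice@adatum.com", "alice@mail.adatum.com"):
        print(upn, check_internal(upn), check_external(upn))
```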
To perform a Workplace Join for an iOS device, you need to set up a configuration profile on the iOS device. An iOS configuration profile is created by providing an XML file. For a Workplace Join, the XML file is delivered by a website. This is referred to as over-the-air profile delivery.
The website that is used by iOS devices to download the configuration profile is located on the AD FS
server where the Device Registration Service is enabled. An example of a URL that is used to configure an
iOS device is https://adfs.adatum.com/enrollmentserver/otaprofile.
On the website, you are prompted to sign in by using your email address as a user name. Similar to the
process for devices that run the Windows operating system, you should enter your UPN rather than your
email address. After signing in, you install the profile on the iOS device. If the iOS device requires a PIN to
unlock the device, you are prompted to enter the PIN before the profile is installed.
Certificates on Devices
The Workplace Join process places a certificate on the device. The device uses this certificate to prove its
identity. This certificate is used to authenticate to the object that is created for the device in AD DS.
2.
3. Access the Workplace settings from the Start screen on the client computer.
4. In the Workplace settings, enter the email address/UPN of the user, and then click Join.
5. When prompted, the user must authenticate. By default, the email address/UPN from the previous screen displays. However, you can also enter credentials in the domain\user name format.
6.
7. When Workplace Join is complete, you can verify that it was successful.
Note: The option to turn on device management enables a device to start by using Windows Intune to manage the device. You must have Windows Intune configured to use this option.
8. In Active Directory Administrative Center, you can view the objects for devices enabled with the Workplace Join feature in the RegisteredDevices organizational unit (OU).
9. In the properties of the registered device, you can verify that the displayName attribute matches the name of the computer that is registered.
10-6 Configuring and Troubleshooting Resource Access for Clients That Are Not Domain Members
Verify that enterpriseregistration.upndomain.com resolves to the correct IP address. It is possible to
configure the internal resolution and external resolution separately. For internal devices, the name
should resolve to the IP address of the AD FS server. For external devices, the name should resolve to
the IP address of the Web Application Proxy in the perimeter network.
Verify that the AD FS certificate is trusted and a CRL is accessible. You can use a web browser to
access enterpriseregistration.upndomain.com and view the certificate. The properties of the certificate
include the CRL distribution point location.
Workplace Join is per user on each device. If a device supports multiple user profiles, remember that
Workplace Join performed by one user is not valid for another user. On a shared device, each user
needs to perform a Workplace Join.
Ensure that the UPN entered during Workplace Join is correct. Many users might become confused
and use an email address that is different from their UPN, resulting in an authentication failure. We
recommend that the UPN for each user match the user's email address to avoid this issue.
Applications must support Workplace Join. Workplace Join is not a generic functionality that is
recognized by all applications. An application must be claims-aware and designed to use claims that
are related to Workplace Joined devices. For example, an application could differentiate between
Workplace Joined devices and non-Workplace Joined devices and restrict available information based
on this.
You can configure AD FS to allow authentication only from devices that have completed a Workplace
Join. For example, if you use AD FS for authentication to Office 365, access to Office 365 would be
possible only from the devices that are enabled with the Workplace Join feature.
Application authentication changes after Workplace Join. After Workplace Join, application
authentication caches on the device for seven days by default. Users are prompted for authentication
credentials only on their first attempt to access an application and then not again for seven days. If
credentials should cache for a shorter period, you must adjust the timeout on the AD FS server.
Check event logs on Workplace Join clients, the Web Application Proxy server, and the AD FS server
for clues as to why Workplace Join is failing. If all clients are experiencing errors, it is likely because of
a configuration problem on the servers. If only a single client is experiencing errors, it is most likely a
client configuration issue.
Use the Best Practices Analyzer for Web Application Proxy to identify potential configuration errors.
This is most beneficial when Workplace Join is working properly for internal devices but not external
devices.
Lesson 2
Work Folders are a new feature in Windows Server 2012 R2 that you can use to synchronize data between
a file server and multiple devices. You can synchronize data to domain member computers, computers
that are not domain members, and smartphones. Understanding how Work Folders function enables you
to troubleshoot any synchronization problems that occur for users.
Lesson Objectives
After completing this lesson, you will be able to:
By using Work Folders, users always have access to the most current version of their files from anywhere.
For example, you can save a file to your Work Folder on your office computer. When you arrive home,
you can open the file from a copy that replicated to your home computer, which is configured to use
Work Folders. This is an improvement over Offline Files, which is relevant only for mobile computers that
are domain members.
Note: At RTM for Windows Server 2012 R2 and Windows 8.1, only Windows 8.1 was
supported as a Work Folders client. Additional Work Folders client support is expected for
Windows 8, Windows 7, and other device operating systems such as iOS.
Because Work Folders are in a file share, you can consider using Work Folders as a replacement for user
home folders. Work Folders provide a single location for personal files just like a home folder, but Work
Folders also provide the advantage of synchronization across devices. You can even provide users with a
mapped drive letter to their Work Folder if you have configured the share appropriately.
OneDrive and OneDrive for Business are services that function similar to Work Folders. OneDrive is hosted
in the cloud environment with limited configurability. OneDrive for Business can be hosted in the cloud or
in an on-premises SharePoint Server 2013 implementation, and it has greater configurability. Work
Folders is hosted internally, and you have complete control over the files, including backups and the
ability to provide file share-based access to the files. OneDrive and OneDrive for Business provide the
ability to share files and work on data as a team. Work Folders are only for individual data and do not
support sharing files between users.
Auto Discovery
When you manually configure a device for Work Folders, you are prompted for an email address.
This email address is used to create a URL for accessing Work Folders. The host name workfolders is
prepended to the domain name from the email address to create the URL. For example, if you enter
Sunil@adatum.com, the URL that is used is https://workfolders.adatum.com. If this URL does not resolve
to the server with Work Folders installed, then auto discovery fails.
If your organization has multiple Work Folders servers, you can still use auto discovery. When the initial
Work Folders server authenticates a user, it looks up the msDS-SyncServerUrl attribute on the user
object and directs the client to the Work Folders server at that URL. You can also modify this attribute to
direct users to a new Work Folders server if you move Work Folders for a specific set of users.
URL Entry
If auto discovery fails during device configuration, you are prompted for a URL where Work Folders
are installed. This can be useful if you have multiple Work Folders servers and do not have the
msDS-SyncServerUrl attribute configured on the user object. This can also be useful if you have
not configured a DNS host record for workfolders in your domain.
Group Policy
You can use Group Policy to configure devices with the URL of a Work Folders server. When you use
Group Policy to configure the URL of a Work Folders server, users are not prompted for an email address
or a URL when they set up Work Folders on their device.
When you use Group Policy to configure Work Folders, you have the option to force automatic setup.
If you force automatic setup, users are not given the option to select where Work Folders data will be
stored on the local device. Work Folders data will be stored in the default location of
%USERPROFILE%\WorkFolders.
You can force automatic setup for Work Folders by using a computer policy or a user policy. A user policy
takes effect for specified users on all devices that they access. A computer policy takes effect for all users
on that device.
You can use Web Application Proxy to enhance the security of Work Folders by using AD FS. When you
integrate Work Folders authentication with AD FS, you can use the following additional benefits:
You can make Workplace Join mandatory for devices that access Work Folders. This restricts
connectivity to Work Folders to authorized devices.
You can implement multifactor authentication. AD FS has the ability to integrate multifactor
authentication as part of the authentication process.
If you choose to integrate Windows Azure Multi-Factor Authentication with AD FS, you can implement
the following methods for additional authentication:
Phone calls. When this method is used, you receive a call on your phone to confirm your
authentication. You press the # (pound) symbol to confirm after receiving the call.
Text messages. When this method is used, you receive a text message with a passcode. You respond
to the text message and include the passcode.
Mobile app. When this method is used, an authentication prompt appears in the mobile app that you
must acknowledge.
Auto Discovery
Auto discovery for external devices works the same as it does for internal devices. The device resolves the
workfolders host name in your domain and contacts it. This Work Folders server then directs users to the
URL that is specified in the msDS-SyncServerUrl attribute in their user object. If you have multiple Work
Folders servers, you must ensure that all URLs are available through the reverse proxy.
When you select to encrypt Work Folders, the data on the devices is encrypted by using Encrypting File
System (EFS). The data on the file server is not encrypted. This enhances security on devices that use
Work Folders and mitigates the risk of data being accessed if a device is lost or stolen. For example, it
is relatively easy to access files on a laptop computer by removing the drive and attaching it to another
computer. However, if the files are encrypted, then the data that was synchronized by Work Folders is not
accessible.
Selective Wipe
Windows 8.1 supports the selective wipe of corporate data. This can be done by using integration with
Microsoft Exchange Server or Windows Intune. The wipe process does not remove all user data as many
other solutions do. Only organizational data is removed by a selective wipe. This is important for BYOD
scenarios where users have personal data on their device. When users leave your organization, it is simple
to remove only the organizational data from all of their devices.
Any application that is designed for selective wipe can use it. Work Folders is designed to work with
selective wipe. Selective wipe works by revoking access to data that is protected by EFS. Work Folders can
be wiped selectively only when you have chosen to encrypt Work Folders.
When you select the policy to lock the screen and require a password, devices that use Work Folders lock
the screen after 15 minutes and require a password of at least six characters to unlock. Additionally, if
there are 10 unsuccessful sign-in attempts, the device is locked out. This level of security is essential when
organizational data synchronizes to a device. You should make users aware that this policy will be in place
after Work Folders is configured on their device.
The Automatically lock screen, and require a password policy can only be applied to computers when
the user who is subject to the policy is a local administrator on the device. Typically, this is not the case for
domain-joined laptop computers. If a user is not a local administrator, you will see the error: Sync
Stopped. Blocked by security policies.
Certificates
From a device, you can view the details of a certificate that is installed on a Work Folders server by
accessing it with a web browser. In the web browser, you have the option to view certificate details for a
site that you are connected to by using HTTPS. The steps for viewing the certificate vary depending on the
web browser that you use.
Details in the certificate that you can verify include:
Subject and subject alternative names. The fully qualified domain name (FQDN) that devices use to
communicate with the Work Folders server must be included in the certificate. If the Work Folders
server is the initial point of contact for auto discovery, the workfolders.domainname.com name also
needs to be included.
Issuing CA. You can verify which CA issued the certificate and whether that CA is trusted by the
device.
Certificate validity dates. Each certificate contains starting and ending dates that define when the
certificate is valid. If the certificate is not valid, the certificate must be renewed on the Work Folders
server or the Web Application Proxy.
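The checks described for the AD FS certificate (name resolution, trust, reachable CRL) and for the Work Folders certificate (subject alternative names, issuing CA, validity dates) can be scripted from a device. The following Windows PowerShell function is an added example, not part of the course; the host names in the two calls at the end are assumed lab values.

```powershell
# Added example: inspects the certificate that a Workplace Join or Work Folders endpoint presents
# and reports the items the troubleshooting steps ask you to verify.
function Test-TlsEndpointCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string[]]$RequiredNames = @($HostName),
        [int]$Port = 443
    )

    # 1. DNS: the name must resolve (internally to AD FS or the Work Folders server, externally to the
    #    Web Application Proxy). Record the addresses so the internal and external views can be compared.
    $addresses = @(Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

    # 2. Retrieve the certificate the server presents. The validation callback returns $true so that an
    #    untrusted or expired certificate is still captured and reported instead of aborting the handshake.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # 3. Subject alternative names (OID 2.5.29.17). Every name that devices use must be present.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @([regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    $missingNames = @($RequiredNames | Where-Object { $sanNames -notcontains $_ })

    # 4. Issuing CA trust: build the chain with online revocation checking, as the device would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted = $chain.Build($cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status })

    # 5. CRL distribution points (OID 2.5.29.31): each URL must be reachable from the device.
    $crlExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $crlResults = @()
    if ($crlExt) {
        foreach ($m in [regex]::Matches($crlExt.Format($true), 'URL=(\S+)')) {
            $url = $m.Groups[1].Value
            try {
                $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                $crlResults += "$url reachable"
            } catch {
                $crlResults += "$url NOT reachable: $($_.Exception.Message)"
            }
        }
    }

    $now = Get-Date
    [pscustomobject]@{
        HostName        = $HostName
        ResolvesTo      = $addresses
        Subject         = $cert.Subject
        SubjectAltNames = $sanNames
        MissingNames    = $missingNames
        Issuer          = $cert.Issuer
        ChainTrusted    = $trusted
        ChainErrors     = $chainErrors
        ValidFrom       = $cert.NotBefore
        ValidTo         = $cert.NotAfter
        CurrentlyValid  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        Crl             = $crlResults
    }
}

# Assumed lab names: the Workplace Join endpoint for the adatum.com UPN suffix, and the Work Folders
# auto discovery name, which must also carry the server's own FQDN.
Test-TlsEndpointCertificate -HostName 'enterpriseregistration.adatum.com' | Format-List
Test-TlsEndpointCertificate -HostName 'workfolders.adatum.com' `
    -RequiredNames 'workfolders.adatum.com', 'lon-dc1.adatum.com' | Format-List
```

Run it once from an internal device and once from an external one; a difference in ResolvesTo or Crl between the two runs points at the split DNS or perimeter configuration rather than at the certificate itself.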
File Management
Because Work Folders data is stored on a file server, all of the typical file management functions for a file
server can be performed on Work Folders data. Some of the tasks that can be performed on the file server
include:
Quotas. You can configure quotas on the Work Folder on the file share. When the quota is reached,
you can notify an administrator or prevent the user from saving additional files.
File screening. You can configure file screening to monitor or prevent storage of file types. File type
identification is based on file extension.
Classification and Rights Management Services (RMS). You can configure the file server to perform
classification of files and apply RMS templates based on file classification. The RMS-protected files
synchronize to the devices.
Synchronization
If employees use Work Folders from within a virtual machine, be aware that the use of snapshots is not
supported. Reverting a virtual machine to a snapshot can cause synchronization errors. Restoring files
from backups is supported.
It is unlikely that a user will change a file on two separate devices before replication occurs. However, this
might occur if a device is offline and not synchronizing. When a conflict occurs, the second file to replicate
to the Work Folders server has the name of the device it originated on appended to the file name. This
allows a user to easily identify any files where a replication conflict has occurred. When a replication
conflict occurs, the user must verify the contents of the files to determine which file to keep or what data
from each file should be merged together.
Troubleshooting Synchronization
If a user is unable to synchronize files in Work Folders, you should verify that:
Quotas or file screening is not preventing synchronization. To prevent this, consider configuring
quotas and file screening to provide notifications only.
The file size is less than 10 gigabytes (GB). Work Folders does not synchronize individual files larger
than 10 GB.
There is sufficient free space on the volume that contains the Work Folders data. If the Work Folders
data is stored on the system drive, it stops synchronizing when there is 5 GB of free space. If the Work
Folders data is stored on a data drive, it will take up all the space on the drive.
Note: You can review dedicated Work Folders event logs on client computers when
troubleshooting Work Folders configuration and synchronization.
Lesson 3
OneDrive and OneDrive for Business are two different services that you can use to synchronize files.
OneDrive stores data in the cloud environment, whereas OneDrive for Business stores data in a specialized
SharePoint library. You can find the OneDrive for Business SharePoint library in Microsoft SharePoint
Online or in an on-premises implementation of SharePoint Server 2013. You need to be aware of how
each of these services works to understand which option is appropriate for your users and how to
troubleshoot the use of these services.
Lesson Objectives
After completing this lesson, you will be able to:
Describe OneDrive.
Explain how to synchronize data by using the OneDrive for Business Windows Sync client.
Overview of OneDrive
OneDrive is a free consumer-oriented service for synchronizing files to the cloud environment and
between devices. You are provided with 7 GB of data storage at no charge, with an option to purchase
additional storage. You can use OneDrive on your computers or smartphone.
The OneDrive desktop app also has an option that allows you to retrieve any file remotely from a
computer with the app installed. In the OneDrive desktop app settings, enable the Let me use OneDrive
to fetch any of my files on this PC setting.
The following operating systems support the OneDrive desktop app:
Windows 8
Windows 7
Windows Vista with Service Pack 2 (SP2) and the Platform Update for Windows Vista
Windows Server 2008 SP2 and the Platform Update for Windows Server 2008
You can share documents in OneDrive with other people. If you have Office 2013, you can collaborate
with other users and edit documents at the same time. Other versions of Microsoft Office do not have this
capability.
The OneDrive app for Windows Phone can be used on Windows Phone 7.5 and Windows Phone 8. It
provides the highest level of functionality with the ability to view and edit files. The OneDrive apps for iOS
and Android allow you to view and upload files, but do not automatically synchronize downloaded files.
Authentication
To sign in to OneDrive, you need to create a Microsoft account. This Microsoft account is created and
managed by each user individually. There is no option to manage Microsoft accounts as an organization.
By default, the OneDrive desktop app authenticates and signs in each time you sign in to your computer.
If this functionality is disabled and you forget to sign in, your files will not synchronize with OneDrive. You
are also unable to sign in to OneDrive and synchronize files if there are problems with your Internet
connectivity.
Document Library
Storage Capacity
In SharePoint Online, OneDrive for Business is limited to 25 GB by default, but you can purchase
additional space up to a maximum of 100 GB. For an on-premises installation of SharePoint Server 2013,
the system administrator determines the size of OneDrive for Business.
Sharing Files
OneDrive for Business allows you to share files with users in your organization and outside your
organization. You can configure the sharing and permissions for individual files and folders in OneDrive
for Business. Documents that are shared with individual users appear in their Shared with Me view in
OneDrive for Business.
You can share a file with Everyone by placing it in the Shared with Everyone folder. Alternatively, you can
set the permissions on a file or folder. When a file is shared with Everyone, they need to search for the file
or you need to send an email notification that includes the URL for the file.
Note: Files that are shared with Everyone are also shared with users outside your
organization. Instead of Everyone, consider using the Everyone except external users permission
where appropriate.
The OneDrive for Business Windows Sync client creates a synchronization relationship with OneDrive
for Business. Once configured, a folder is created on the local computer with the synchronized files. The
folder on the local computer is accessible from Favorites in File Explorer. The name of the favorite varies
depending on from where the data synchronizes:
OneDrive for Business. This favorite contains files that synchronize from OneDrive for Business in an
on-premises implementation of SharePoint Server 2013.
OneDrive@Company. This favorite contains files that synchronize from OneDrive for Business in
SharePoint Online.
SharePoint. This favorite contains files that synchronize from document libraries in team sites.
Synchronization Process
The OneDrive for Business Windows Sync client synchronizes data every 10 minutes. If the SharePoint
server is too busy to service synchronization requests, the client reschedules synchronization, and the user
is not informed. If synchronization to the server is slow, you should verify that the SharePoint server is not
overloaded.
Synchronization of Microsoft Word, Microsoft Office Excel, and Microsoft Office PowerPoint files is
differential. Only changed portions of these file types synchronize. When other file types change, the
entire file synchronizes.
Offline viewing. The OneDrive for Business app does not automatically synchronize documents to the
iOS device. You must manually select to download specific documents for offline viewing. Edits to the
downloaded document do not synchronize back to OneDrive for Business.
Document editing. When you are online, you can edit documents by using Office Mobile or another
application. Saving the document saves the changes to OneDrive for Business.
Share documents and folders. You can share documents and folders with other users and configure
the permissions for those users.
Browser Support
Platforms that do not have an app for OneDrive for Business can access OneDrive for Business by using a
web browser that SharePoint Server 2013 supports. SharePoint Server 2013 supports the following web
browsers:
The OneDrive for Business Windows Sync client supports a maximum file size of approximately
2 GB for downloads. Ensure that all files that you try to synchronize are smaller than 2 GB.
The OneDrive for Business Windows Sync client supports a maximum data size of 250 megabytes
(MB) for uploading. This limit applies to any number of files added at a time. If you need to upload
more than 250 MB of data, add files in groups that are less than 250 MB.
For SharePoint libraries, the site administrator can configure whether SharePoint sites, files, and
folders can be made available offline. If they cannot be made available offline, an error generates
when you try to synchronize the library. If this occurs, contact the site administrator to verify that
permissions are configured correctly.
Files and folders cannot synchronize if their names contain restricted characters. The restricted
characters for file and folder names are ~ # % & * : < > ? / \ { } |. If any file or folder name contains a
restricted character, rename the file or folder.
Files are blocked from uploading if the file type is blocked in SharePoint. For example, media files
such as videos might be blocked. Verify that the file type you are uploading is not blocked.
Network connectivity errors might result in partially downloaded folders. If the download error is a
result of network connectivity problems, the error should be resolved when network connectivity is
fixed.
Note: If a folder is partially downloaded, do not delete the folder. If you attempt to delete
a partially downloaded folder, you will delete the folder and its contents from the server and all
other synchronized clients.
Synchronization conflicts occur when you edit a synchronized copy of the document while another
user edits an online version of the document. This occurs if you are using Office 2010 to edit the
synchronized version of the document. If you use Office 2013 applications, the changes merge in the
online version without a conflict. In general, you should use Office 2013 to edit synchronized
documents.
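Two of the limits in this list (restricted characters in names, the 2 GB download maximum) and the 250 MB upload batch rule can be checked before files are placed in the sync folder. The script below is an added example, not part of the course; the local folder paths are assumptions.

```powershell
# Added example: finds items in a folder that the OneDrive for Business Windows Sync client will refuse,
# and groups new files into upload batches that stay under the 250 MB limit.
function Find-OneDriveSyncBlockers {
    param(
        [Parameter(Mandatory)][string]$Path,
        [long]$MaxFileBytes = 2GB
    )
    # The slash and backslash are restricted inside a name but are path separators in FullName,
    # so only the leaf name of each item is tested.
    $restricted = '[~#%&*:<>?/\\{}|]'
    $items = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        $reasons = @()
        if ($item.Name -match $restricted) {
            $bad = ([regex]::Matches($item.Name, $restricted) | ForEach-Object { $_.Value } |
                Sort-Object -Unique) -join ' '
            $reasons += "restricted character(s): $bad"
        }
        if (-not $item.PSIsContainer -and $item.Length -ge $MaxFileBytes) {
            $reasons += ('file size {0:N1} GB is at or above the {1:N0} GB limit' -f
                ($item.Length / 1GB), ($MaxFileBytes / 1GB))
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                FullName = $item.FullName
                IsFolder = $item.PSIsContainer
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Groups files (largest first) so that each batch added to the sync folder totals less than $BatchBytes.
# A single file at or above the limit becomes a batch on its own and is reported by the size in Bytes.
function Split-UploadBatches {
    param(
        [Parameter(Mandatory)][System.IO.FileInfo[]]$Files,
        [long]$BatchBytes = 250MB
    )
    $current = @(); $size = 0
    foreach ($f in ($Files | Sort-Object Length -Descending)) {
        if ($current.Count -gt 0 -and ($size + $f.Length) -ge $BatchBytes) {
            [pscustomobject]@{ Files = $current; Bytes = $size }
            $current = @(); $size = 0
        }
        $current += $f; $size += $f.Length
    }
    if ($current.Count -gt 0) { [pscustomobject]@{ Files = $current; Bytes = $size } }
}

# Assumed paths: the local OneDrive for Business favorite and a staging folder of files to add.
$syncFolder    = "$env:USERPROFILE\OneDrive for Business"
$stagingFolder = "$env:USERPROFILE\Documents\ToUpload"

Find-OneDriveSyncBlockers -Path $syncFolder | Format-Table -AutoSize

$files = Get-ChildItem -LiteralPath $stagingFolder -File -Recurse
$i = 0
Split-UploadBatches -Files $files | ForEach-Object {
    $i++
    '{0}: {1} files, {2:N0} MB' -f $i, $_.Files.Count, ($_.Bytes / 1MB)
}
```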
Comparison of OneDrive, OneDrive for Business, and Work Folders (table; the labels of several rows were
lost in extraction and are marked as not recovered):
Characteristic | OneDrive | OneDrive for Business | Work Folders
Consumer/personal | Yes | No | No
(row label not recovered) | No | Yes | Yes
(row label not recovered) | Yes | Yes | No
(row label not recovered) | No | Yes | No
Data location | Public cloud | SharePoint/Office 365 | File server
On-premises | (cells as extracted, in order: No, On-premises, Yes, No, Yes, Yes; row layout not recovered)
Option to require Workplace Join | No | If using AD FS for authentication | Yes
A. Datum Corporation has recently implemented new technologies to support BYOD in the organization.
There are new implementations of Workplace Join, Work Folders, and OneDrive for Business. You were
the desktop support representative who was involved in the project that implemented these new
technologies.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 75 minutes
Virtual machines: 20688D-LON-DC1, 20688D-LON-CL1, and 20688D-LON-CL4
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
The system administrators have created a new infrastructure by using Windows Server 2012 R2 to support
web-based applications. AD FS has been implemented with Web Application Proxy to provide protection
and authentication. One of the new features that this configuration provides is support for Workplace
Join. As a matter of policy, certificates for all external services are obtained from a trusted CA on the
Internet.
Initially, Workplace Join is being used for the Sales and Ordering application. This application needs to be
available for sales people while they are on the road. In the past, a simple reverse proxy protected the
application, and it was accessible from any device. Now, Workplace Join is being used to enhance security
so that the application can be accessed only from known devices.
You need to review the implementation of Workplace Join and create a short orientation for the help desk
and other desktop support staff.
The main tasks for this exercise are as follows:
1.
2. Read the scenario to identify how A. Datum Corporation has implemented Workplace Join.
2.
3. Can desktop support perform a Workplace Join during initial device configuration?
4.
5. What issues are likely to prevent Workplace Join from completing properly?
6.
Results: After completing this exercise, you should have created an outline that can be used for training
help desk and desktop support staff on the configuration of Workplace Join.
A. Datum executives have been frustrated by using a virtual private network (VPN) to access their personal
data remotely. The VPN works most of the time, but occasionally, firewalls in some locations prevent their
laptops from signing in to the VPN. They also want their data to be available from their smartphones and
tablets, which do not have VPN functionality.
To provide the executives with access to personal data, you implemented Work Folders. At this time, there
is only a single Work Folders server, but the system has been designed to use auto discover and support
multiple Work Folders servers. The system also has been designed to use Windows Azure Multi-Factor
Authentication to enhance security from external locations.
To simplify access to Work Folders data in the office, executives have been given a mapped drive letter to
their Work Folder. This folder replaces their existing home folders. Data from the home folders has been
copied into the Work Folder for each user.
You need to review the implementation of Workplace Join and create a short orientation for the help desk
and other desktop support staff.
The main tasks for this exercise are as follows:
1.
2. Read the scenario to identify how A. Datum has implemented Work Folders.
2.
3.
4.
5. Which user property defines the URL used to access Work Folders?
6. What happens if executives do not have their smartphones available during authentication?
Results: After completing this exercise, you will have created an outline for training help desk and
desktop support staff on Work Folders configuration.
The Research department at A. Datum has been using an on-premises implementation of SharePoint
Server 2013 for document management. Some of the researchers are collaborating with researchers in
other organizations and need to have remote access to their files. In some cases, they need to share files
with users who are inside and outside the organization.
OneDrive for Business has been implemented to support external access to these files. Sharing of files in
OneDrive for Business is allowed, but other document libraries are not available for local synchronization.
After completing this exercise, you will have created an outline for training help desk and desktop support
staff on OneDrive for Business configuration.
The main tasks for this exercise are as follows:
1.
2. Read the scenario to identify how A. Datum has implemented OneDrive for Business.
2.
3. What software is required for Windows 8.1 computers to synchronize files with OneDrive for
Business?
4.
5. Are there file size limitations that the researchers should be aware of for synchronization?
Results: After completing this exercise, you will have created an outline for training help desk and
desktop support staff on OneDrive for Business configuration.
You are implementing Work Folders for the executives in your organization. The executive user accounts
are in the Managers OU and are members of the Managers group. You are configuring Work Folders on
LON-DC1 to support both domain-joined and devices that are not domain members.
The main tasks for this exercise are as follows:
1.
2.
3.
4.
5.
6.
7. Configure Domain Name System (DNS) for clients that are not domain members.
8.
9.
1. On LON-DC1, in Server Manager, start the Add Roles and Features Wizard from the Manage menu.
2. In the Add Roles and Features Wizard, select the following options:
3.
o Server: LON-DC1.adatum.com
o Server role: File and Storage Services\File and iSCSI Services\Work Folders
2. On the Work Folders page, create a new sync share with the following settings:
3.
o Server: LON-DC1
Verify that members of the Managers group appear in the Users box.
2.
3.
4. Identify the value of the Thumbprint property for the Work Folders Certificate.
5.
6. At the command prompt, type netsh http add sslcert ipport=0.0.0.0:443 certhash=thumbprint
appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY, and then press
Enter.
Note: You can copy the thumbprint value from the Windows PowerShell command prompt
by selecting the value, right-clicking the selection, and then clicking Copy. To paste the thumbprint
value at the command prompt, right-click, and then click Paste.
7.
8.
Note: The certificate that was created in advance for this task contains the names
lon-dc1.adatum.com and workfolders.adatum.com.
1. On LON-DC1, in Server Manager, open Group Policy Management from the Tools menu.
2. In Group Policy Management, browse to the Managers OU in the Adatum.com domain, and then
click Create a GPO in this domain, and Link it here. Use the following setting:
o Name: WorkFolders
3.
4. Edit Specify Work Folders settings and use the following settings:
o Enabled
2.
3.
4.
2.
3. Open the advanced properties of Test, and then verify that encryption is enabled.
Task 7: Configure Domain Name System (DNS) for clients that are not domain members
1.
2.
3. In the Adatum.com zone, create a new alias record with the following settings:
o
1. On LON-DC1, in Server Manager, open the Active Directory Administrative Center tool.
2.
3.
4. In the Extensions section, on the Attribute Editor tab, edit the msDS-SyncServerUrl attribute, and
then add the value https://lon-dc1.adatum.com.
2.
3.
4.
Password: Pa$$w0rd
Notice that a view of Work Folders has opened, and it contains the Test document that you created
earlier.
Results: After completing this exercise, you will have configured Work Folders for the A. Datum
executives.
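The server-side steps of this exercise gathered into one Windows PowerShell script, as an added example that is not part of the lab text. It assumes the share path C:\SyncShares\Managers, that the workfolders alias in the lab points at LON-DC1, and the registry location of the Specify Work Folders settings policy; everything else (server, group, OU, certificate names, application ID, msDS-SyncServerUrl value) is taken from the exercise.

```powershell
# Added example: Work Folders server configuration for the A. Datum executives, run on LON-DC1.
$serverFqdn = 'lon-dc1.adatum.com'
$zoneName   = 'Adatum.com'
$groupName  = 'Managers'
$managersOu = 'OU=Managers,DC=Adatum,DC=com'
$syncUrl    = "https://$serverFqdn"        # value the lab writes to msDS-SyncServerUrl
$sharePath  = 'C:\SyncShares\Managers'     # assumed; the lab's share path was not recovered

# Add the Work Folders role service (File and Storage Services\File and iSCSI Services\Work Folders).
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools | Out-Null
Import-Module SyncShare, ActiveDirectory, DnsServer, GroupPolicy

# Create the sync share for the Managers group. RequireEncryption turns on the EFS protection of
# synchronized data (and so selective wipe); RequirePasswordAutoLock applies the lock screen and
# password policy described in the lesson.
if (-not (Test-Path -LiteralPath $sharePath)) { New-Item -ItemType Directory -Path $sharePath | Out-Null }
New-SyncShare -Name $groupName -Path $sharePath -User "Adatum\$groupName" `
    -RequireEncryption $true -RequirePasswordAutoLock $true | Out-Null

# Bind the pre-created certificate (names lon-dc1.adatum.com and workfolders.adatum.com) to port 443.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains 'workfolders.adatum.com' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate for workfolders.adatum.com found in the computer personal store.' }
# Same command the lab runs by hand; the application ID is the one given in the exercise.
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" `
    "appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D}" certstorename=MY

# The WorkFolders GPO linked to the Managers OU with 'Specify Work Folders settings' enabled.
# The registry location and value names are assumed from the Work Folders ADMX (not stated in the lab).
$gpoName = 'WorkFolders'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
New-GPLink -Name $gpoName -Target $managersOu -ErrorAction SilentlyContinue | Out-Null
$policyKey = 'HKCU\Software\Policies\Microsoft\Windows\WorkFolders'
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'SyncUrl' -Type String -Value $syncUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'AutoProvision' -Type DWord -Value 1 | Out-Null

# Task 7: DNS alias so that auto discovery (workfolders.<email domain>) reaches the server. The target is
# assumed to be LON-DC1; for external devices the lesson has the name resolve to the Web Application Proxy.
if (-not (Get-DnsServerResourceRecord -ZoneName $zoneName -Name 'workfolders' -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $zoneName -Name 'workfolders' -HostNameAlias $serverFqdn
}

# Point each executive's user object at this server through msDS-SyncServerUrl.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Set-ADUser -Identity $_.DistinguishedName -Replace @{ 'msDS-SyncServerUrl' = $syncUrl } }

# Verification: the share with its security settings, and the redirected users.
Get-SyncShare | Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties 'msDS-SyncServerUrl' |
    Select-Object SamAccountName, 'msDS-SyncServerUrl'
```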
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Module 11
Troubleshooting Applications
Contents:
Module Overview
Module Overview
Users require apps for every task they perform, including editing documents, querying databases, and
generating reports. Supporting the installation and operation of apps is a critical part of the desktop
support role. Windows 8.1 supports the installation and use of two types of apps: Desktop apps, and
Windows Store apps. This module examines the issues, including application compatibility issues, that
affect users' abilities to install and run these two types of apps. This module also covers the ways in which
students can resolve Windows Internet Explorer-related issues.
Objectives
After completing this module, you will be able to:
Lesson 1
Most large organizations automate application installation from a central location. However, desktop
support personnel are involved in application deployment during initial development of the deployment
process and during the troubleshooting of failed installations. Therefore, you must know how to identify
the reasons why a desktop app installation fails, and know how to resolve any issues that prevent
installation.
Lesson Objectives
After completing this lesson, you will be able to:
Group Policy. This method uses a Group Policy Object (GPO) to automate desktop app installation
from a network share. You can make desktop apps available for users to select, or you can configure
desktop apps so they install automatically for specific users, or on specific computers. To automate
the installation process completely, some desktop apps require you to create a transform file (.mst).
Microsoft System Center 2012 Configuration Manager. This method uses the application deployment
capabilities of Configuration Manager to automate desktop app installation from a network share.
The main benefits of using Configuration Manager versus deployment by using Group Policy are
increased flexibility and detailed reporting. You also can use Configuration Manager to distribute
application updates.
Windows Intune. Windows Intune provides an application deployment solution that organizations
can use to target remote users, including users who spend time on the road or use organizational
computers to work from home offices.
Virtualized applications. With the RemoteApp feature in Windows Server 2012 R2, you can avoid
having apps installed on desktop computers. An icon on the user desktop opens a Remote Desktop
Protocol (RDP) session to a server that hosts the app. The app is remote-controlled in a window. This
simplifies updates, because you must update only a single central copy of the app. This method works
best with desktop apps that need to access data in a central location.
Inclusion in a Windows operating system image. Many organizations include common applications
in the base Windows operating system image that they deploy on desktop computers. With this
method, you can avoid having a specific deployment process for the desktop app. However, this
method also results in increased image maintenance over time as your organization releases updates
and new versions of the desktop app.
Contact the vendor. If the vendor does not provide installation documentation that defines the
desktop app requirements, you can request them from the vendor's application support department.
Investigate errors during installation. Most software performs checks during installation to verify that
the computer on which the software is installed meets all desktop app requirements. If a dependency
is not in place, then the desktop app generates an error to indicate which dependency is missing.
In most cases, software does not install at all if the desktop app dependencies are not in place.
Setup stops, and the software installation program generates an error that requests installation of all
prerequisites prior to another installation attempt. However, some desktop apps will install even if the
dependencies are not met. In those cases, the user encounters errors while operating the software, rather
than during installation.
Install the necessary dependencies. If you cannot install a desktop app because of missing
dependencies, then you must install the necessary dependencies. If the missing dependency affects
multiple computers, you need to determine the best way to deploy the missing dependency to all
computers. You may need to update the base image, which deploys with the dependency.
Note: You can enable features by using Programs and Features in Control Panel, or by
typing dism.exe at a command prompt. This command-line tool also enables features in images.
Application Compatibility Toolkit (ACT). ACT is a suite of tools that Microsoft provides to simplify the
installation and execution of older applications on newer versions of Windows operating systems.
One use for ACT is to generate an inventory of installed applications, and then evaluate whether
those applications experience issues when running on Windows 8.1. You typically would use ACT
during migration to a new operating system.
Correct configuration of AppLocker. If AppLocker is blocking legitimate desktop apps from installing,
then you must adjust the configuration of AppLocker rules.
Msiexec.exe /i \\lon-dc1\apps\app1.msi
During app installation, you may receive error messages, such as:
Could not start the Windows Installer service on the Local Computer.
One source of Windows Installer issues is apps that do not complete installing or uninstalling. In some
cases, restarting the computer may force the operation to proceed. However, you may need to reinstall or
repair the app before you are able to remove it. In a worst-case scenario, you may need to remove an app
manually, including its registry entries.
To troubleshoot Windows Installer issues:
2. Verify that the Windows Installer service is configured to start manually, and that it starts without errors.
In rare cases, another application that is running may be preventing the software's installation or removal.
You can disable services and applications that start automatically to attempt to identify a problem
application.
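As an added example (not part of the course), the following Windows PowerShell script automates the checks described above: it confirms that the Windows Installer service is set to Manual and starts cleanly, detects an installation that never completed, and scans a verbose msiexec log for the action that failed. The sample log lines are constructed for the example, and C:\Temp\app1.log is an assumed path.

```powershell
# Added example, not from the course. Windows Installer troubleshooting helpers.
function Test-MsiServiceState {
    # The Windows Installer service (msiserver) should be set to Manual start; msiexec
    # starts it on demand, and it should start without error.
    $svc = Get-Service -Name msiserver
    $cfg = Get-WmiObject -Class Win32_Service -Filter "Name='msiserver'"
    $started = $false; $startError = $null
    if ($svc.Status -eq 'Running') {
        $started = $true
    } else {
        try { Start-Service -Name msiserver -ErrorAction Stop; $started = $true }
        catch { $startError = $_.Exception.Message }
    }
    [pscustomobject]@{
        StartMode  = $cfg.StartMode           # expected: Manual
        Started    = $started
        StartError = $startError
        Healthy    = ($cfg.StartMode -eq 'Manual') -and $started
    }
}

function Get-IncompleteInstall {
    # Windows Installer creates the InProgress key while an installation runs and deletes
    # it when setup ends; if it is still present and no msiexec process is running, a
    # previous install or uninstall did not complete. A pending file rename means the
    # computer still needs a restart before the next attempt.
    $inProgress = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress'
    $sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pendingRename = Get-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    [pscustomobject]@{
        InstallInProgressKey = Test-Path -Path $inProgress
        MsiexecRunning       = [bool](Get-Process -Name msiexec -ErrorAction SilentlyContinue)
        RestartRequired      = [bool]$pendingRename
    }
}

function Get-MsiLogFailures {
    param([Parameter(Mandatory)][string[]]$Lines)
    # A verbose log (msiexec /l*v) records "Return value 3" for an action that failed;
    # pair it with the most recent "Action start" line to name the action, and keep
    # the "Error NNNN." lines seen since that action started.
    $action = $null; $errors = @()
    foreach ($line in $Lines) {
        if ($line -match 'Action start [\d:]+: (\S+)\.') { $action = $Matches[1]; $errors = @() }
        elseif ($line -match '^Error \d+\.') { $errors += $line }
        elseif ($line -match 'Return value 3') {
            [pscustomobject]@{ Action = $action; Errors = $errors; Line = $line }
        }
    }
}

# Constructed sample of a verbose log, not output from a real installation.
$sampleLog = @(
    'MSI (s) (A4:B8) [13:22:01:123]: Doing action: InstallFiles',
    'Action start 13:22:01: InstallFiles.',
    'Error 1310. Error writing to file: C:\Program Files\App1\app1.exe. Verify that you have access to that directory.',
    'Action ended 13:22:02: InstallFiles. Return value 3.'
)
Test-MsiServiceState
Get-IncompleteInstall
Get-MsiLogFailures -Lines $sampleLog   # reports action InstallFiles with the Error 1310 line
# To capture a real log: msiexec /i \\lon-dc1\apps\app1.msi /l*v C:\Temp\app1.log
# then: Get-MsiLogFailures -Lines (Get-Content -Path C:\Temp\app1.log)
```

The log parser is the part worth keeping: the "Return value 3" marker is how Windows Installer reports a failed action, and reading the named action together with the error lines above it usually points straight at a missing dependency, a permissions problem, or a file in use.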
Note: You can also use Windows Installer to update and repair installed desktop apps.
AppLocker Benefits
You can use AppLocker to specify exactly what is allowed to run on user PCs and devices. This allows users
to run the applications, installation programs, and scripts that they require to be productive, while still
providing the security, operational, and compliance benefits of application standardization.
AppLocker can be useful for organizations that want to:
Limit the number and types of files that are allowed to run, by preventing unlicensed software or
malware from running, and by restricting the ActiveX controls that are installed.
Reduce the total cost of ownership by ensuring that workstations are homogeneous across an
enterprise and that users are running only the software and apps that the enterprise approves.
AppLocker Rules
You can prevent many problems in your work environment by controlling which apps a user can run.
AppLocker lets you do just this by creating rules that specify exactly which apps a user is allowed to run,
and can be configured to continue to function even when apps are updated.
Because AppLocker is an additional Group Policy mechanism, IT professionals and system administrators
need to be comfortable with Group Policy creation and deployment. This makes AppLocker ideal for
organizations that currently use Group Policy to manage their Windows 8.1 computers or have per-user
application installations.
To author AppLocker rules, there is a new AppLocker Microsoft Management Console (MMC) snap-in in
the Group Policy Management Console (GPMC). This snap-in offers an improvement to the process of
creating AppLocker rules. AppLocker provides several rule-specific wizards. You can use one wizard to
create a single rule and another wizard to generate rules automatically, based on your rule preferences
and the folder that you select. The four wizards that AppLocker offers administrators to author rules are:
Executable Rules.
Script Rules.
At the end of each wizard, you can review the list of analyzed files. You can then modify the list to remove
any file before rules are created for the remaining files. You can also receive useful statistics about how
often a file has been blocked, or test the AppLocker policy for a specific computer.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Create a new installer rule
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, and then expand Security Settings.
5. Click Windows Installer Rules, right-click Windows Installer Rules, click Create New Rule, and then click Next.
6. On the Permissions page, click Deny, and then click the Select button.
7. In the Select User or Group dialog box, in the Enter the object names to select (examples) text box, type Sales. Click Check Names, click OK, and then click Next.
10. In the Open dialog box, in the File name text box, type \\lon-dc1\sales\XmlNotepad.msi, and then click Open.
11. Click Next.
12. Click Next again, and then click Create.
Completion steps
After you have completed the practice session, leave the virtual machines running for the next
practice session.
Lesson 2
A desktop app operation issue is any instance in which the desktop app is not operating as a user expects.
Desktop support personnel should identify the source of an application operation issue, and then resolve
it. This lesson explores common desktop app operations issues and suggests mitigations for these issues.
Lesson Objectives
After completing this lesson, you will be able to:
Poor performance. Apps may run slower than users expect. This can happen either when users
perform a specific task or during regular application use.
Errors. Any error that the app displays on-screen is a desktop app operation issue.
Incorrect database connection settings. Some desktop apps use a server database as a data store. If
you do not configure the connection to the database correctly, the app cannot function correctly.
App blocking by AppLocker. You can configure AppLocker to allow or block applications on Windows
8.1 devices. If AppLocker is blocking a legitimate desktop app, then you must try to resolve the issue.
Reconfigure an app. If you configure a desktop app incorrectly, you can reconfigure it so that it meets
the defined specifications. If multiple users require the reconfiguration, you need to determine the
best way to update multiple computers. You may decide to update Group Policy, update the app
deployment process, or update an operating system image that contains the app.
Repair or reinstall an app. If a desktop app is experiencing errors or is unable to start, repairing the
app may resolve the issue. Repairing an app updates the app files to the correct version, and rewrites
the required computer-specific registry entries. It does not, however, affect user-specific registry
entries. If an app repair does not resolve the problem, try reinstalling the app.
Apply app updates. App updates resolve desktop app operation issues that the application's vendor
identifies. Installing app updates in a timely manner may prevent some issues with desktop app
operations from occurring in your environment, and may also resolve performance issues.
Upgrade the app to a newer version. Some issues with app operations require you to upgrade to
a newer version of the app. For example, to increase performance and access more memory, you
may need to upgrade an app to a 64-bit version. New features also are available in newer versions.
Depending on how you license the app, there may be a fee associated with obtaining a newer version
of an app.
Identify performance issues and bottlenecks. Performance issues that users report are typically
very vague. You need to accurately define the source of a performance issue by using tools such as
Performance Monitor. Improving performance may be dependent on hardware upgrades, or on users
running fewer applications simultaneously on the computer. You also may need to adjust users'
performance expectations.
Reconfigure AppLocker rules. If AppLocker rules are preventing a legitimate desktop app from
running, you must reconfigure those rules to allow the desktop app to run by allowing the app path,
the publisher, or the hash value.
The Setup Analysis Tool, which monitors an application's installation process and identifies issues that
relate to installation.
The Internet Explorer Compatibility Test Tool, which monitors web-based applications, and then
identifies issues that newer Internet Explorer versions may experience.
The Standard User Analyzer, which identifies any issues that relate to running an application as a
standard user.
The Update Compatibility Evaluator, which identifies any issues that relate to implementing new
Windows operating system updates.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. The required virtual
machines should still be running. If they are not, before you begin the practice session, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Identify compatibility issues
5. On the Stock Viewer toolbar, click Trends. In the Error dialog box, click OK.
6. On the Tools menu, click Options. In the Unhandled exception has occurred dialog box, click Continue.
10. In File Explorer, right-click StockViewer, and then click Run as administrator.
11. In the User Account Control box, provide the following credentials, and then click Yes:
   o Password: Pa$$w0rd
2. On the Start screen, beneath the desktop tile, click the down arrow.
4. In the Compatibility Administrator (32-bit) New Database (1) [Untitled_1] dialog box, right-click New Database(1) [Untitled_1], and then click Rename.
6. In the Compatibility Administrator window, right-click AdatumACT [Untitled_1]*, click Create New, and then click Application Fix.
7. In the Create New Application Fix Wizard, in the Name of the program to be fixed field, type StockViewer.
8. Click Browse.
11. On the Compatibility Modes page, select the Run this program in compatibility mode for check box, click the drop-down list, and then click Windows XP.
12. In the Additional compatibility modes section, scroll down, select the RunAsAdmin check box, and then click Next.
13. On the Compatibility Fixes page, click Next.
14. On the Matching Information page, click Finish.
15. In the Compatibility Administrator window, click Save.
16. In the Save Database window, browse to d:\labfiles\mod11\.
17. In the File name field, type AdatumACT, and then click Save.
18. Close the Compatibility Administrator window.
19. Sign out of LON-CL1.
2. On the Start screen, type cmd, right-click Command Prompt, and then click Run as administrator.
3. In the User Account Control dialog box, enter the following credentials, and then click Yes:
   o Password: Pa$$w0rd
7. In the User Account Control dialog box, enter the following credentials, and then click Yes:
   o Password: Pa$$w0rd
Completion steps
After you have completed the practice session, revert the virtual machines in preparation for the lab:
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
The help desk has passed you an incident record. You must resolve the problems documented on this
ticket, and then update the record with the resolution.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL3
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Adatum
Your manager has come to you indicating that there are reports of staff in one department loading
programs that are unauthorized. Your manager indicates that the AppLocker policies in place should be
preventing this, and that you should investigate why this is happening.
Incident Record
Incident Reference Number: 723401
Date of Call: October 21
Time of Call: 13:22
User: Karin Lamb (Sales Department)
Status: OPEN
Incident Details
Users are installing unauthorized apps in the Sales department.
Additional Information
Karin Lamb, one of the sales managers, has reported that users are installing unauthorized desktop apps.
The AppLocker policies that are in place do not appear to be working.
You must determine why these policies are not being enforced.
Plan of Action
Resolution
2. Discuss recommendations.
Task 1: Read the help desk Incident Record for incident 723401
2. Switch to LON-CL3.
   o Password: Pa$$w0rd
3. Run \\lon-dc1\Sales\XmlNotepad.msi.
4. When the installation starts, click Cancel. This shows that the AppLocker policy is not being enforced.
5. Sign out.
Attempt to resolve the problem by using your knowledge of AppLocker and GPO application.
If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Results: After completing this exercise, you should have successfully resolved the AppLocker policy
application problem.
2. In the Virtual Machines list, right-click 20688D-LON-CL3, and then click Revert.
Lesson 3
Windows Store apps do not consume much memory or make excessive processor demands. In addition,
Windows Store apps run in full-screen mode in the new Windows user interface (UI). It is important that
you know how to manage user access to the Windows Store, which enables you to control the installation
and use of these apps.
Lesson Objectives
After completing this lesson, you will be able to:
Describe sideloading.
The design of the Windows Store enables users to access and install Windows Store apps. Windows Store
apps are not like desktop apps such as Microsoft Office 2013 applications. Rather, they are full-screen,
immersive apps that can run on a number of device types, including x86, x64, and ARM platforms.
Windows Store apps can communicate with one another and with the Windows 8.1 operating system,
so that it is easier to search for and share information such as photographs. When you install a Windows
Store app, users can see tiles, some of which update continuously with live app information or status.
When users connect to the Windows Store, the initial page they see is known as the landing page. This
page makes it easy to locate and receive information on apps. Windows Store divides apps into categories
such as Games, Entertainment, and Music & Videos.
Users also can use context-sensitive search by using the Windows 8.1 Search charm to search the
Windows Store for specific Windows Store apps. For example, if a user needs an app that provides
video-editing capabilities, the user can tap or click the Search charm, type the search text string, and then
click Store. The Windows Store returns suitable apps from which the user can choose.
Installing Windows Store apps is easy for users. A single click on the appropriate app in the Windows
Store app list is usually all that is needed to install the app. The app installs in the background, so the user
can continue browsing the Windows Store. After the app installs, a tile for the app appears on the user's
Start screen.
Windows 8.1 checks the Windows Store daily for updates for installed Windows Store apps. When updates
for installed apps are available, Windows 8.1 updates the Store tile on the Start screen with a number
that indicates how many updates are available. When the user selects the Store tile and connects to the
Windows Store, the user can choose to update one, several, or all of their installed apps for which updates
are available.
Note: By default, Windows updates installed apps automatically, but users can change this
setting if they choose instead to update specific apps.
Many users have multiple devices, such as both desktop and laptop computers. Windows Store allows five
installs of a single app to enable users to run an app on all of their devices. If users attempt to install an
app on a sixth device, they are prompted to remove the app from another device.
1. From the Start screen, run gpedit.msc, and then load the Local Group Policy Editor.
2. Under Local Computer Policy, expand User Configuration, expand Administrative Templates, expand Windows Components, and then click Store.
4. In the Turn off the Store application dialog box, click Enabled, and then click OK.
When you disable the Windows Store, the following message displays when users attempt to access the
Store tile on the Start screen: Windows Store isn't available on this PC.
Note: You also can use domain-based GPOs to disable the Windows Store for specific
computers, users, or groups of users.
Managing Updates
IT administrators have limited control over updates for installed Windows Store apps. It is not possible for
you to configure automatic app updates. You also cannot control which updates are available.
Note: You can use GPOs to download updates automatically, but users still must initiate
the installation process.
Sideloading Apps
Many larger organizations want to distribute to client computers apps that are for internal use only. These
line-of-business (LOB) apps are not available in Windows Store. Therefore, you must provide another
method for distributing and installing these LOB apps. Sideloading provides a mechanism for distributing
LOB apps to your client computers without using the Windows Store.
To sideload apps, you can use the dism.exe command-line tool, Windows Intune, System Center 2012 R2
Configuration Manager, and Windows PowerShell to add, list, and remove LOB apps. The following
procedure uses GPOs and Windows PowerShell.
Enabling Sideloading
To enable sideloading, you must perform the following procedure to configure the appropriate GPO
settings:
2. Under Local Computer Policy, in the left pane, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click App Package Deployment.
4. In the Allow all trusted apps to install dialog box, click Enabled, and then click OK.
After you configure GPOs, you can install your apps, which are packaged in .appx files. To install a single
app for a user, perform the following steps:
1. To install the package, at the Windows PowerShell command prompt, type the following command, and then press Enter:
   add-appxpackage H:\apps\apps1.appx
2. To add a package to a Windows operating system image by using Dism.exe, perform one of the following tasks:
   o Open an elevated command prompt, type the following command, and then press Enter:
     DISM /Online /Add-ProvisionedAppxPackage /PackagePath:H:\apps\App1.appx /SkipLicense
   o At the Windows PowerShell command prompt, type the following command, and then press Enter:
     Add-AppxProvisionedPackage -Online -FolderPath H:\apps\Appx
Note: Your LOB apps must be signed digitally, and can only be installed on computers that
trust the certification authority (CA) that provided the apps' signing certificates.
If you need to remove a single installed app for the current user, at the Windows PowerShell command
prompt, type the following cmdlet, and then press Enter:
Remove-AppxPackage Package1
If you must remove a provisioned app (one that is available but not installed) and prevent its installation
for new users, run either of the following commands:
1. At the Windows PowerShell command prompt, type the following command, and then press Enter:
   Remove-AppxProvisionedPackage -Online -PackageName MyAppxPkg
2. Alternatively, you can open an elevated command prompt, type the following command, and then press Enter:
   DISM.exe /Online /Remove-ProvisionedAppxPackage /PackageName:microsoft.app1_1.0.0.0_neutral_en-us_ac4zc6fex2zjp
Note: You can use the preceding command to remove built-in apps.
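The sideloading procedure above depends on two conditions that are easy to get wrong: the Allow all trusted apps to install policy must be enabled, and the package must be signed by a CA that the computer trusts. The following Windows PowerShell script is an added example, not course material or a Microsoft tool; it checks both conditions before calling Add-AppxPackage and then lists what is installed for the user and what is provisioned in the image. It assumes the policy is stored under the Appx policy key shown in the code, that Get-AuthenticodeSignature can evaluate the package signature on this Windows version, and uses H:\apps\App1.appx from the course steps as the package path.

```powershell
# Added example, not from the course. Verify the sideloading policy and the package
# signature before installing a line-of-business .appx, then show what is installed
# and provisioned. H:\apps\App1.appx is the path used in the course steps.
function Get-SideloadPolicy {
    # The "Allow all trusted apps to install" GPO setting is stored under this key;
    # a value of 1 means enabled (assumed location, check with gpresult if in doubt).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $val = Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    [bool]($val -and $val.AllowAllTrustedApps -eq 1)
}

function Test-AppxSignature {
    param([Parameter(Mandatory)][string]$Path)
    # Status is Valid only when the package is signed and the signer chains to a CA this
    # computer trusts; an untrusted chain reports UnknownError, an unsigned file NotSigned.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Message = $sig.StatusMessage
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Trusted = ($sig.Status -eq 'Valid')
    }
}

function Install-LobApp {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Get-SideloadPolicy)) {
        throw 'Sideloading is not enabled: set "Allow all trusted apps to install" first'
    }
    $check = Test-AppxSignature -Path $Path
    if (-not $check.Trusted) {
        throw "Refusing to install $Path, signature status $($check.Status): $($check.Message)"
    }
    Add-AppxPackage -Path $Path
    $check
}

function Get-LobAppInventory {
    # Packages installed for the current user versus packages provisioned into the
    # image (available to every new user); this is what Remove-AppxPackage and
    # Remove-AppxProvisionedPackage respectively act on.
    [pscustomobject]@{
        Installed   = Get-AppxPackage | Select-Object -ExpandProperty PackageFullName
        Provisioned = Get-AppxProvisionedPackage -Online | Select-Object -ExpandProperty PackageName
    }
}

Install-LobApp -Path 'H:\apps\App1.appx'
Get-LobAppInventory
```

Checking the signature explicitly gives a clearer error than the generic deployment failure Add-AppxPackage reports when the signing CA is not trusted, and it makes the trust decision visible: the Signer field tells you which CA the computer is being asked to trust before the app is on the machine.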
5. Click Choose an account, and then select the account that you want to restrict.
6. Click Choose an app, and then select the installed app to which you want to restrict the account.
7. When the user signs in to the computer, they will only be able to access the assigned app.
Note: To sign in as another user when you are signed in as the restricted user, press the
Windows key five times rapidly. Once you are signed in as a non-restricted user, you can disable
the setting by configuring the account to Don't use assigned access.
Configuring AppLocker
To enable AppLocker restrictions for the Windows Store apps, you must configure the appropriate GPO
settings by performing the following procedure:
2. Under Local Computer Policy in the left pane, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, expand AppLocker, and then click Packaged app Rules.
3. Right-click Packaged app Rules, and then click Create New Rule.
4. Use the Create Packaged app Rules Wizard to configure the app restriction policy with the following settings:
   d. Define exceptions.
5. Create the default rule. This default rule has a lower precedence, but enables all signed packaged apps to run. To create the default rule, right-click Packaged app Rules, and then click Create Default Rules.
6. Choose the enforcement level. By default, policies are not enforced. To enforce policies, right-click the AppLocker node, and then click Properties.
7. In the AppLocker Properties dialog box, select the Configured check box adjacent to Packaged app Rules. In the list, depending on your requirements, select either Enforce rules or Audit only, and then click OK.
You must also start the Application Identity service on all computers affected by your AppLocker policy.
This service identifies apps, and then processes the AppLocker policies against the identified apps. You can
enable this service by opening Services.msc, and then selecting the Application Identity service. Configure
the service for automatic startup, and then start the service manually. You can also start the service by
configuring the setting through a GPO.
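The two conditions just described, an enforcement level that is actually set to Enforce rules and a running Application Identity service, are the first things to check when an AppLocker policy appears not to work, as in the Sales department incident earlier in this module. The following Windows PowerShell script is an added example and not part of the course; it uses the AppLocker module's Get-AppLockerPolicy and Test-AppLockerPolicy cmdlets, reads the AppLocker event logs, and assumes Adatum\Sales is the group named in the rule and \\lon-dc1\sales\XmlNotepad.msi the package from the practice session.

```powershell
# Added example, not from the course. Diagnose an AppLocker policy that does not seem
# to be enforced: the Application Identity service, the effective enforcement mode of
# each rule collection, a test of one file against the effective policy, and recent
# block events. Requires the AppLocker module (Windows 8.1 Enterprise) and elevation.
Import-Module AppLocker

function Get-AppIdServiceState {
    # AppLocker evaluates nothing unless the Application Identity service (AppIDSvc) runs.
    $svc = Get-Service -Name AppIDSvc
    $cfg = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"
    [pscustomobject]@{
        Status    = $svc.Status
        StartMode = $cfg.StartMode                  # should be Auto
        Ok        = ($svc.Status -eq 'Running') -and ($cfg.StartMode -eq 'Auto')
    }
}

function Get-AppLockerEnforcement {
    # The effective policy merges local and domain GPOs; a collection whose mode is
    # NotConfigured or AuditOnly blocks nothing even if it contains deny rules.
    $policy = Get-AppLockerPolicy -Effective
    foreach ($collection in $policy.RuleCollections) {
        [pscustomobject]@{
            Collection  = $collection.RuleCollectionType   # Exe, Msi, Script, Dll, Appx
            Enforcement = $collection.EnforcementMode      # NotConfigured, AuditOnly, Enabled
            RuleCount   = $collection.Count
        }
    }
}

function Test-AppLockerFile {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$User)
    # PolicyDecision shows whether the file would be Allowed or Denied for that user or
    # group, and MatchingRule names the rule responsible; DeniedByDefault means no rule matched.
    Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-AppLockerBlockEvents {
    param([int]$Max = 20)
    # 8004 (EXE and DLL) and 8007 (MSI and Script) are logged when a file was blocked; no
    # such events while users keep installing software suggests the policy never applied.
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = 8004, 8007 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-AppIdServiceState
Get-AppLockerEnforcement
Test-AppLockerFile -Path '\\lon-dc1\sales\XmlNotepad.msi' -User 'Adatum\Sales'   # assumed group name
Get-AppLockerBlockEvents
```

Read the output in order: a stopped service or a Msi collection reported as NotConfigured or AuditOnly explains a policy that is "not working" without any rule being wrong, and Test-AppLockerFile then confirms whether the rules themselves would deny the package once enforcement is on. If the effective policy lacks the rules you expect from the domain GPO, the problem is Group Policy application (scope, link, or a stale gpupdate) rather than AppLocker.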
Note: The only edition of Windows 8.1 that supports AppLocker is Windows 8.1 Enterprise.
Lesson 4
You can use Internet Explorer 11 to access both intranet and Internet websites. It is becoming widely used
as a common interface to web-based applications. Consequently, it is important that you understand how
to troubleshoot Internet Explorer settings to ensure that these websites and applications are accessible to
your users.
Lesson Objectives
After completing this lesson, you will be able to:
Compatibility View
Internet Explorer 11 provides an automatic Compatibility View. Whenever it detects a website that uses
older standards, Compatibility View implements an earlier Internet Explorer engine to display web pages.
This can help to improve compatibility with web applications designed for earlier Internet Explorer
versions.
If you cannot see the Compatibility View button in the Internet Explorer Address bar, this means that
Internet Explorer 11 has detected that the webpage has loaded correctly. You do not need to activate
Compatibility View.
The following list is of the main features in Compatibility View:
Internet websites display in Internet Explorer 11 Standards Mode by default. Use the Compatibility
View button to fix sites that render differently than expected.
Internet Explorer 11 remembers sites that have been set to Compatibility View so that the button only
needs to be pressed once for a site. After that, the site is always rendered in Compatibility View,
unless it is removed from the list.
Intranet websites display in Compatibility Mode by default. This means that internal websites created
for earlier Internet Explorer versions will work.
You can use Group Policy to set a list of websites to be rendered in Compatibility View.
Switching in and out of Compatibility View occurs without requiring that the user restart the Internet
Explorer browser.
The Compatibility View button only displays if it is not clearly stated how the website is to be rendered. In
other cases, such as viewing intranet sites or viewing sites with a <META> tag / HTTP header indicating
Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, or Internet Explorer 11 standards, the button is
hidden. When Compatibility View is activated, the page refreshes, depending on the computer's speed.
Intranet. This zone is only for websites that have a single label name. It has medium-low security
settings that allow most websites to run without any end-user prompts, because it assumes the sites
are trustworthy. Additionally, this zone does not use Protected Mode.
Trusted sites. This zone has no websites, by default. You must add sites manually to the Trusted
sites zone. This zone has medium security settings, which enables users to run most web-based
applications. It does not use Protected Mode. Typically, you use this zone for web-based applications
that are hosted externally.
Restricted sites. This zone has no websites, by default. You must add sites manually to the Restricted
sites zone. This zone has high security settings, and is suitable for browsing websites that you are
concerned may contain malware.
Other Internet Explorer settings that may be a concern for web-based applications include:
InPrivate Browsing. InPrivate Browsing helps protect data and privacy by preventing browsing history,
temporary Internet files, form data, cookies, usernames, and passwords from being stored or retained
locally by the browser. This leaves virtually no evidence of browsing or search history because the
browsing session does not store session data.
From the enterprise and IT professional perspective, InPrivate Browsing is inherently more secure than
using Delete Browsing History to maintain privacy, because there are no logs kept or tracks made
during browsing. InPrivate Browsing is a proactive feature, because it enables you to control what is
tracked in a browsing session. Some users may use InPrivate Browsing in an attempt to conceal their
tracks when browsing to prohibited or non-work websites. However, you have full manageability
control, and you can use Group Policy to configure how InPrivate Browsing is used in your
organization.
Pop-up Blocker. The purpose of the Pop-up Blocker in Internet Explorer is to prevent unsolicited
advertisements from displaying. However, some web-based applications use these pop-ups, so you
may need to allow them for websites that are hosting a web-based application.
Advanced settings. Individual web-based applications may require unusual security settings that you
can adjust only in Advanced settings. For example, an externally hosted website may require the use
of an older version of Secure Sockets Layer (SSL).
One of the most common causes of Internet Explorer performance issues is users installing toolbars.
Removing non-Microsoft toolbars often improves performance. However, some toolbars do not uninstall
properly. As a final option, you can reset Internet Explorer settings, which reverts Internet Explorer to its
default state.
To manage add-ons, from the Internet Explorer menu, click Tools, and then click Manage add-ons. In the
Manage Add-Ons dialog box, select the add-ons that you want to disable.
Are both the desktop app and Windows Store app versions affected?
These questions help you isolate what is causing the problem: a firewall, server configuration, or Internet
Explorer configuration.
The following table lists some common ways that you can resolve problems related to accessing websites
and web-based applications.
Issue    Resolution
Note: There are two versions of Internet Explorer in Windows 8.1: the desktop version and
the Windows Store version. These versions behave differently, and in some cases, websites that
do not display correctly in one version of Internet Explorer 11 will work fine in the other. When
troubleshooting Internet Explorer 11 issues on Windows 8.1, consider verifying the problem exists
in both versions. This may help to identify the cause of the problem.
Download a file.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Verify Compatibility View settings
1.
2.
3.
4. In Internet Explorer, right-click the star to the right of the home symbol, and then click Menu bar.
5. On the menu bar, click Tools, and then click Compatibility View settings.
6.
In the Internet Explorer Address bar, type http://LON-DC1, and then press Enter.
2. Click the down arrow next to the Address bar to confirm that the address you typed in it is stored.
3.
4. In the Internet Options dialog box, on the General tab, under Browsing history, click Delete.
5. In the Delete Browsing History dialog box, clear the Preserve Favorites website data check box
and then click Delete.
6.
7. Click the down arrow next to the Address bar to confirm that there are no addresses stored in the
Address bar.
Note: Bing may appear as a favorite in this list. Disregard it.
2. In the Internet Explorer Address bar, type http://LON-DC1, and then press Enter.
3. Confirm the address you entered is not stored by clicking on the down arrow next to the Address bar.
4.
2. In the Manage Add-ons window, in the Add-on types pane, click Search Providers.
3.
4.
5.
6.
Download a file
1. In the Internet Explorer Address bar, type http://lon-dc1, and then press Enter.
2.
3.
4.
5.
6.
7. Close Excel.
8.
Completion steps
After you have completed the practice session, leave the virtual machines running for the next lab.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. These should be running from the
preceding practice session. If they are not, before you begin the lab, you must complete the following
steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
A user is being prompted for credentials when they access an intranet site. When the user attempts to
access the corporate intranet by using http://lon-dc1.adatum.com, he is prompted for credentials. By
entering his credentials and his password, he is authenticated successfully. He can use this form of access
as a short-term workaround, but he does not want to be prompted. No one else is having the issue. After
he authenticates, everything is fine.
Incident Record
Incident Reference Number: 723407
Date of Call: October 25
Time of Call: 08:32
User: Josh Bailey (Research Department)
Status: OPEN
Incident Details
User is being prompted for security credentials when accessing the intranet site.
Additional Information
When the user attempts to access the corporate intranet by using http://LON-DC1.Adatum.com, he is
prompted for credentials.
I coached him through the process of entering his credentials as Adatum\Josh and his password. This
authenticates him successfully, and he can use this as a short-term workaround, but he does not want
to be prompted.
I asked him to check if other users in his department were having the same issue, and he told me that
they were not. He is the only user having this issue. After he authenticates, everything works fine.
When the issue is resolved, please configure the corporate intranet as his home page.
Plan of Action
Resolution
2. Discuss recommendations.
3.
4.
Task 1: Read the help desk Incident Record for incident 723407
2. Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4. Attempt to resolve the problem by using your knowledge of Internet Explorer and security settings.
2.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Results: After you have completed the exercise, you should have successfully resolved the Internet
Explorer authentication issue.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Lesson 5
Hyper-V virtualization technology has been providing virtualized environments on Windows Server
computers since Windows Server 2008. Windows 8.1 is the first Windows client version to include Client
Hyper-V. Client Hyper-V is a feature in Windows 8.1 that enables the same core virtualization technology
that Windows Server 2012 R2 offers. This lesson will introduce you to the Client Hyper-V functionality in
Windows 8.1, and to scenarios that may benefit from a virtual environment.
Lesson Objectives
After completing this lesson, you will be able to:
Virtual machines are configured to share physical resources from the host machine, and represent those
virtualized resources as usable components to the virtual machine's operating system. For example, one
computer with one network adapter may have five different virtual machines that are running in Hyper-V.
In each of those virtual machines, a virtualized network adapter is associated with the single physical
network adapter. This enables five virtual machines to have individual media access control (MAC)
addresses, be assigned individual IP addresses, and gain network access. Similar virtualization happens
with other hardware components, such as the processor, memory, and hard disks.
Client Hyper-V uses the same virtualization engine as Hyper-V in Windows Server 2012 R2, and contains
the same core feature set. The primary scenario for Client Hyper-V is for developers and IT pros to create
new virtualized workloads, develop new Windows PowerShell automation, or even create new virtual
switch extensions. Client Hyper-V replaces the Virtual PC feature available previously in Windows 7, and
has some significant differences in functionality:
Compatibility with Hyper-V on Windows Server. Client Hyper-V supports the same standard
functionality as Hyper-V on Windows Server. You can import and export virtual machines and virtual
hard disks between Hyper-V and Client Hyper-V in most situations, without any requirement for
conversion or modification.
Support for 64-bit guest virtual machines. Client Hyper-V can provide both 32-bit and 64-bit
virtualized hardware environments for guest virtual machines. Virtual PC supports only 32-bit
virtualized hardware.
Note: Although Client Hyper-V can support 32-bit guest operating systems, you can
enable the Client Hyper-V feature only on 64-bit editions of Windows 8.1 Pro and Windows 8.1
Enterprise.
Note: The Client Hyper-V role on Windows 8.1 supports many of the features that are
available with Hyper-V on Windows Server 2012 R2, but does not support enterprise features
such as virtual machine migration. Client Hyper-V also does not support publishing applications
that are installed on the virtual machine guest to the host operating system's Start menu. This is a
feature that is present in the Windows XP Mode feature in Windows 7, which uses Virtual PC.
Feature comparison table (columns: Feature; Client Hyper-V (Windows 8.1); Hyper-V (Windows Server 2012 R2)). Surviving row labels: Hyper-V Replica; Network virtualization; Up to 64 terabytes (TB) per virtual disk.
The primary tool for management within the Client Hyper-V environment is Hyper-V Manager. Hyper-V
Manager is a console that is based on the Microsoft Management Console (MMC). It provides complete
access to Client Hyper-V functionality in Windows 8.1. Hyper-V in Windows Server 2012 R2 also uses
Hyper-V Manager, so any experience in either Windows operating system will correspond directly to the
other.
The other graphical tool that installs with Client Hyper-V is the Virtual Machine Connection tool. You can
use Virtual Machine Connection to connect to a virtual machine by using an interface that is similar to
Remote Desktop Connection. Virtual Machine Connection does not require you to use a Hyper-V console
to connect to a virtual machine. You can use the Hyper-V Virtual Machine Connection to connect to local
virtual machines and to virtual machines hosted on other computers that are running Hyper-V.
Note: Both Hyper-V Manager and the Virtual Machine Connection tool become available if
you select the Hyper-V GUI Management Tools option when activating the Hyper-V feature in
Windows 8.1.
The Hyper-V module for Windows PowerShell enables you to manage Client Hyper-V by using Windows
PowerShell cmdlets. The Hyper-V module can be useful for scripting Client Hyper-V management, or for
managing remote Client Hyper-V installations, especially when you are managing nondomain clients.
Note: You can view the entire list of Windows PowerShell cmdlets that relate to Hyper-V by
running the following cmdlet from a Windows PowerShell command-line interface:
Get-Command -Module Hyper-V
Memory. You must have at least 4 gigabytes (GB) of physical memory in your computer to support
Client Hyper-V.
The memory in your computer is dynamically allocated and unallocated as required by the virtual
machines. You can run several virtual machines on your Windows 8.1 host, if it meets this minimum
memory requirement. Depending on the specific requirements of your virtual machines, you might
need to install more physical memory.
Storage. Client Hyper-V supports the same storage migration capability that is included in Hyper-V
in Windows Server 2012 or Windows Server 2012 R2. This means that you can store your virtual
machines independently of the underlying storage. Additionally, you can move storage for your
virtual machines between local drives, to a USB drive, or to a remote file share without needing to
stop the virtual machine.
Processor. Your computer must have an x64 processor that supports hardware-assisted virtualization
and Data Execution Prevention.
Additionally, Client Hyper-V requires a 64-bit processor architecture that supports second-level
address translation. Second-level address translation reduces the overhead incurred during the
virtual-to-physical address mapping process performed for virtual machines.
Move virtual machines from Hyper-V. If you encounter problems with a virtual machine in your
production Hyper-V environment on Windows Server 2012, you can copy that virtual machine from
your production environment, import it into Client Hyper-V, perform the required troubleshooting,
and then copy it back into the production environment.
Automatic save and resume. With Client Hyper-V, you can use Hyper-V virtualization, wireless
network adapters, and sleep states on your desktop computer. For example, if you run Client Hyper-V
on a laptop, and then close the lid, the virtual machines that are running go into a saved state, and
resume when the machine wakes.
Use a variety of management tools. Virtual machine tools that are created for Hyper-V in Windows
Server operating systems, such as System Center 2012 Virtual Machine Manager (VMM), Physical-to-Virtual
(P2V), and the Windows Sysinternals Disk2VHD tool, also work in Client Hyper-V.
Create a multi-machine test environment. Using virtual-machine networking, you can create a
multiple-machine environment for test, development, and demonstration that is secure and that does
not affect the production network.
You can mount and boot virtual hard disks from a USB storage drive. You can use these virtual hard
disks as a virtual machine by using Client Hyper-V when you use a computer that runs Windows 8.1
Pro or Windows 8.1 Enterprise.
Use preconfigured virtual hard disks to test new Microsoft software. Microsoft.com hosts a large
number of ready-to-use .vhd files that you can import into Hyper-V or Client Hyper-V. After you
import a file, the virtual hard disks provide a functional test version of the specific product for
evaluation. With these virtual hard disk files, there is no need to upgrade or configure operating
systems, or download and install applications; the file is ready to use the first time that you start up
your virtual machine.
2.
3.
4.
5.
6.
Users can now run their legacy app without having to maintain separate legacy hardware or older
operating systems.
Note: You can use the Systeminfo.exe command-line tool to determine many of these
factors. For example, if a suitable hypervisor is detected, this is reported.
If you fix your startup environment, perhaps by using the Startup Repair tool, it is possible that a
required setting in your Boot Configuration Data (BCD) store will be reset, with the result that the
hypervisor will not run. You can check for the presence of the appropriate setting by using the
following procedure:
a.
b.
c.
d.
If this setting is missing, you must run bcdedit /set hypervisorlaunchtype auto and then restart
your computer.
A network installation of a virtual machine fails. The virtual machine may be using a network adapter
instead of a legacy network adapter. Alternatively, you did not connect the legacy network adapter to
the correct external network. Verify the network settings for the virtual machine.
Inability to move mouse cursor from the virtual machine window. Integration services are not
installed. As a temporary fix, press the Ctrl+Alt+Left Arrow keys. As a longer term solution, install the
integration services.
Hyper-V specific devices. Client Hyper-V does not present synthetic components to the virtual
machine as actual hardware. It presents them to the operating system on the virtual machine as
functionality that the device driver can use. Newer operating systems such as Windows 8 and
Windows 8.1 support such functionality by default when running in virtual machines. For other
operating systems, you need to install integration services to support them. Synthetic devices are
not available during startup, and you cannot start a virtual computer from them.
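The Systeminfo and BCD checks from the troubleshooting items above, scripted as an added example (not the course's own material); it assumes an elevated Windows PowerShell prompt on the Windows 8.1 host and the built-in systeminfo.exe and bcdedit.exe tools.

```powershell
# Added example (not from the course): check the Client Hyper-V prerequisites
# the lesson lists, from an elevated Windows PowerShell prompt on the host.
# Assumes Windows 8.1 with the built-in systeminfo.exe and bcdedit.exe tools.

# 1. Systeminfo reports the Hyper-V requirement checks (VM Monitor Mode
#    Extensions, virtualization enabled in firmware, SLAT, DEP). If a hypervisor
#    is already running, it reports that instead of the individual checks.
$sysinfo = systeminfo.exe 2>$null
$sysinfo | Select-String -Pattern 'Hyper-V Requirements' -Context 0,4

# 2. The BCD store must contain hypervisorlaunchtype = Auto for the current
#    boot entry; Startup Repair can reset it, after which the hypervisor does
#    not start even though the Hyper-V feature is installed.
$bcd = bcdedit.exe /enum '{current}'
$launchType = ($bcd | Select-String -Pattern '^hypervisorlaunchtype\s+(\S+)').Matches |
    ForEach-Object { $_.Groups[1].Value }

if (-not $launchType) {
    Write-Warning 'hypervisorlaunchtype is missing from the current boot entry.'
    Write-Warning 'Fix: bcdedit /set hypervisorlaunchtype auto, then restart the computer.'
} elseif ($launchType -ne 'Auto') {
    Write-Warning "hypervisorlaunchtype is '$launchType'; expected 'Auto'."
} else {
    Write-Output 'hypervisorlaunchtype is Auto: the hypervisor will load at startup.'
}

# 3. Confirm that the Hyper-V optional features are actually enabled on the host.
Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V*' |
    Select-Object FeatureName, State
```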
Creating a virtual machine in Hyper-V Manager is a wizard-based process that prompts you for the
information necessary to create the virtual machine. When creating a virtual machine, you must specify
several virtual machine settings at the time of creation:
Virtual machine name. The name that you specify identifies the virtual machine in Hyper-V Manager,
and also is used in the naming of various virtual machine-related files.
Virtual machine location. By default, a virtual machine is created and located on a computer's system
drive. If your computer has multiple physical hard disks, you typically can increase the performance of
your virtual machine by placing it on a disk that is separate from the system disk. For computers with
solid-state drives (SSDs), this is not as effective.
Virtual machine generation. Before Client Hyper-V in Windows 8.1, Hyper-V only supported what
today is known as Generation 1 virtual machines. You now can create Generation 2 virtual machines,
which include support for secure boot, and which can be started either from a small computer system
interface (SCSI) virtual disk or by using a network adapter. If you want to use a Generation 2 virtual
machine, you must install at least Windows Server 2012 or a 64-bit version of Windows 8 or newer to
the virtual machine. After the virtual machine is created, you cannot change its generation.
Memory. The amount of memory that you specify will be assigned to a virtual machine from the
available physical memory on your Windows 8.1 computer. You also can configure a virtual machine
to use Dynamic Memory.
Network connection. Your virtual machine can have one or more virtual network adapters. By default,
a new virtual machine is created with a single network adapter that can be connected to a virtual
switch. You can create a virtual switch that will connect virtual machines to an external network
through a physical network adapter, or you can create a self-contained virtual switch to provide an
isolated network environment. Alternatively, you might choose not to connect a virtual machine to
any virtual switch.
Virtual hard-disk location. By default, a single virtual hard disk is created in the same directory that is
specified for the virtual machine location. You also might choose to use a preexisting virtual hard disk
that has been created. For example, many Microsoft products are available for trial purposes in
preconfigured .vhd files.
Operating system installation media. Unless you are attaching a virtual hard disk that already has
an installed operating system, you will need to install an operating system on your virtual machine.
You can specify an .iso image CD/DVD file to use as installation media, or you can attach a physical
CD/DVD drive from the host machine to the virtual machine, and then install the operating system
from that media.
1. Open Hyper-V Manager from the Start screen by typing Hyper-V Manager, and then press Enter.
2. In Hyper-V Manager, in the Actions pane, click New, and then click Virtual Machine.
3.
4. On the Specify Name and Location page, in the Name field, type the name of your virtual machine.
Select where you want to store the virtual machine and its associated virtual hard disks, and then click
Next.
5. On the Specify Generation page, select whether you want to create a Generation 1 or Generation 2
virtual machine, and then click Next.
6. On the Assign Memory page, in the Memory field, specify the amount of memory to assign to the
virtual machine, select whether you want to use Dynamic Memory, and then click Next.
7. On the Configure Networking page, in the Connection list, select the appropriate network switch,
and then click Next.
8. On the Connect Virtual Hard Disk page, create a new virtual hard disk or use an existing virtual hard
disk file that you have created already, and then click Next.
9. On the Installation Options page, select from where you want to install an operating system on the
virtual machine, and then click Next.
10. On the Completing the New Virtual Machine Wizard page, click Finish.
If you want to create a new virtual machine by using Windows PowerShell, you can run the New-VM
cmdlet. You should be aware that the New-VM cmdlet has a limited set of options, but you can modify
and customize a virtual machine after you create it. You can create a new virtual machine by performing
the following procedure:
1. On the Windows 8.1 computer, on the Start screen, type powershell, right-click Windows
PowerShell, and then click Run as administrator. Click Yes in the User Account Control dialog box.
2. In the Administrator: Windows PowerShell window, run the following cmdlet to create a Generation
1 virtual machine named Windows 8.1 with 4 GB of memory, with its files stored in the C:\VMs folder,
with a 100 GB virtual hard disk named Disk1.vhdx, and connected to a virtual switch named Private
(the virtual machine name and the virtual hard disk path contain spaces, so they must be quoted):
New-VM -Name "Windows 8.1" -Generation 1 -MemoryStartupBytes 4GB -Path C:\VMs -NewVHDPath "C:\VMs\Windows 8.1\Disk1.vhdx" -NewVHDSizeBytes 100GB -SwitchName Private
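The isolated multi-machine test environment described earlier in this lesson, built with the Hyper-V module rather than the wizard, as an added example that is not part of the course: it creates a Private virtual switch, two Generation 1 virtual machines with the settings the wizard asks for, and a baseline checkpoint. The switch, virtual machine and path names are constructed for this example, and an elevated Windows PowerShell session on a Windows 8.1 Pro or Enterprise host with the Hyper-V feature enabled is assumed.

```powershell
# Added example (not from the course): build an isolated test lab with the
# Hyper-V module. Assumes an elevated Windows PowerShell session on a Windows
# 8.1 Pro/Enterprise host with Hyper-V enabled; names and paths are constructed.

Import-Module Hyper-V

$vmRoot     = 'C:\VMs'                 # same folder the lesson's New-VM example uses
$switchName = 'Private Network'        # constructed name for the lab switch
$vmNames    = @('Windows 8.1 Test', 'Windows 8.1 Test 2')

# A Private virtual switch connects only the VMs attached to it. Traffic never
# reaches the host's physical adapter, so the lab cannot affect the production
# network (the "self-contained virtual switch" the lesson describes).
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switchName -SwitchType Private | Out-Null
}

foreach ($name in $vmNames) {
    if (Get-VM -Name $name -ErrorAction SilentlyContinue) { continue }

    # Generation 1 VM, 1 GB startup memory, a new VHDX under C:\VMs\<name>\,
    # attached to the private switch. The name contains spaces, hence the quoting.
    $vm = New-VM -Name $name -Generation 1 -MemoryStartupBytes 1GB -Path $vmRoot `
        -NewVHDPath (Join-Path $vmRoot "$name\Disk1.vhdx") -NewVHDSizeBytes 40GB `
        -SwitchName $switchName

    # New-VM exposes a limited set of options; adjust the VM afterwards, as the
    # lesson notes. Here: Dynamic Memory between 512 MB and 2 GB.
    Set-VM -VM $vm -DynamicMemory -MemoryMinimumBytes 512MB -MemoryMaximumBytes 2GB

    # Baseline checkpoint before anything is installed, so each test run can be
    # reverted to a known-clean state.
    Checkpoint-VM -VM $vm -SnapshotName 'Clean baseline'
}

# Verify: every lab VM's adapter is connected to the private switch only.
Get-VMNetworkAdapter -VMName $vmNames | Select-Object VMName, SwitchName, MacAddress
```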
You do not require any virtual machines for this practice session. You must, however, configure your host
to boot from a virtual hard disk. As an alternative, if you have a laptop that is running Windows 8.1 and
that supports the Client Hyper-V feature, you can perform the demonstration on that machine.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1.
2.
At this point, Windows 8.1 starts from the .vhd file, and a brief system configuration will take place.
When startup completes, the Windows 8.1 Start screen displays.
Demonstration Steps
1.
2. On LON-CL5, on the Start screen, type Control, click Control Panel, and then click Programs.
3. Click Programs and Features, and then in the Programs and Features window, click Turn Windows
Features on or off.
4. In the Windows Features window, select the Hyper-V check box, and then click OK.
5. In the Windows completed the requested changes window, click Restart Now.
6.
7.
8. On LON-CL5, on the Start Screen, type Hyper-V, and then click Hyper-V Manager.
9. In Hyper-V Manager, right-click LON-CL5, and then click Virtual Switch Manager.
10. In the Virtual Switch Manager window, in the Create virtual switch section, click Private, and then
click Create Virtual Switch.
11. In the Virtual Switch Properties section, in the Name field, type Private Network, and then
click OK.
12. In Hyper-V Manager, right-click LON-CL5, point to New, and then click Virtual Machine.
13. In the New Virtual Machine Wizard, click Next.
14. On the Specify Name and Location page, in the Name field, type Windows 8.1 Test, and then click
Next.
15. On the Specify Generation page, make sure Generation 1 is selected, and then click Next.
16. On the Assign Memory page, in the Startup memory field, type 1024, and then click Next.
17. On the Configure Networking page, in the Connection drop-down list box, click Private Network,
and then click Next.
18. On the Connect Virtual Hard Disk page, click Next.
19. On the Installation Options page, click Next.
20. On the Completing the New Virtual Machine Wizard page, click Finish.
21. In the Hyper-V Manager window, click LON-CL5.
22. In the Virtual Machines section, right-click Windows 8.1 Test, and then click Checkpoint. After a
few seconds, confirm that a new checkpoint displays in the Checkpoints section for Windows 8.1
Test.
23. Close Hyper-V Manager.
Completion steps
After you have completed the practice session, restart your computer:
1.
2. In the Choose an operating system window, click Windows Server 2012 R2.
Module 12
Maintaining Windows 8.1
Contents:
Module Overview    12-1
Module Overview
Maintaining your computers running the Windows 8.1 operating system is important to ensure their
continued reliability and performance. Once you have activated Windows on your computers, you must
establish procedures to monitor their performance, protect them from malicious software, sometimes
called malware, and ensure that they remain up-to-date with the latest operating system updates and
security fixes. This module discusses how to provide for the ongoing maintenance of Windows 8.1
operating systems.
Objectives
After completing this module, you will be able to:
Lesson 1
The Windows 8.1 operating system requires product activation. You must validate each Windows 8.1
license through an online activation service provided by Microsoft, by phone, through Key Management
Service (KMS), or through Active Directory Domain Services (AD DS). Activation helps provide protection
from software piracy, and it helps you to manage operating system and application instances within your
organization.
Lesson Objectives
After completing this lesson, you will be able to:
Describe activation.
What Is Activation?
All editions of Windows 8.1 require activation. Activation confirms the status of a Windows product and
ensures that the product key has not been compromised. The activation process links the software's
product key to a particular installation of that software on a device. If the device hardware changes
considerably, you must activate the software again.
Retail. Any Windows 8.1 product purchased at a retail store comes with one unique product key that
you type in during product installation. You use the product key to complete activation after
installing the Windows 8.1 operating system.
OEM. OEM system builders typically sell computer systems that include a customized build of
Windows 8.1. You can perform OEM activation by associating the Windows operating system to the
computer system BIOS.
Microsoft Volume Licensing (volume activation). Microsoft Volume Licensing is a series of software
licensing programs that are tailored to the size and purchasing methods of your organization.
Volume customers set up volume licensing agreements with Microsoft. These agreements include
Windows upgrade benefits and other benefits related to value-added software and services.
Microsoft Volume Licensing customers use Volume Activation Services to assist in activation tasks,
which consist of Active Directory-based activation, KMS, and multiple activation key (MAK) models.
You can view the Windows 8.1 activation status on the System properties page, or by running the
following command at a command prompt:
cscript C:\windows\system32\slmgr.vbs -dli
KMS. With KMS, organizations can perform local activation for computers in a management
environment without connecting to Microsoft individually. By default, the Enterprise editions of
Windows 8.1 and Windows Server 2012 R2 connect to a system that hosts the KMS service, which in
turn requests activation. KMS usage is targeted for managed environments where more than 25 client
computers, or more than five servers use KMS activation.
Active Directory-based activation. This is a role service that allows you to use AD DS to store
activation objects. This can greatly simplify the task of maintaining volume activation services for a
network. You can use Active Directory-based activation to activate only computers that are joined to
AD DS, and activation requests are processed during client computer startup. Any computer running
Windows 8, Windows Server 2012, or a newer Windows operating system with a generic VLK that
joins to the domain will activate automatically and without user interaction. Computers will stay
activated for as long as they remain members of the domain and maintain periodic contact with a
domain controller. Activation takes place after the licensing service starts.
MAK activation. MAK activation uses product keys that can activate only a specific number of
computers. If the use of volume licensing media is not controlled, excessive activations can result
in the depletion of the activation pool, and no further computers can be activated. You do not use
MAKs to install the Windows 8.1 operating system, but rather to activate it after installation. You can
use MAKs to activate any Windows 8.1 edition. MAK activation is not time-limited.
Note: You can use the Volume Activation Management Tool (VAMT) to automate and
centrally manage the volume and retail-activation process for Windows operating systems,
Microsoft Office software, and certain other Microsoft products. VAMT manages volume
activation by using MAK or KMS. VAMT is a standard Microsoft Management Console (MMC)
snap-in, and it is available as part of Windows Assessment and Deployment Toolkit (Windows
ADK).
You cannot use Active Directory-based activation with non-Microsoft directory services.
The AD DS schema must be at the Windows Server 2012 or higher level to store activation
objects.
Domain controllers that run older versions of Windows Server can activate clients after the AD DS
schema has been extended to Windows Server 2012 or higher level.
Active Directory-based activation is forest-wide, and you only need to implement it once, even if the
forest contains multiple domains.
There are no threshold limits that must be met before computers can be activated by using
Active Directory-based activation.
Client computers that are not activated attempt to connect with the KMS host every two hours.
To stay activated, client computers must renew their activation by connecting to the KMS host at least
once every 180 days.
After activation, client computers attempt to renew their activation every seven days. After each
successful connection, the expiration extends to the full 180 days.
Client computers connect to the KMS host for activation by using anonymous remote procedure
calls (RPCs) over TCP/IP and by using default port 1688. You can configure this port information.
The connection is anonymous, enabling workgroup computers to communicate with the KMS host.
You might need to configure the firewall and the router network to pass communications for the
Transmission Control Protocol (TCP) port that will be used.
MAK activation is recommended for computers that rarely or never connect to the corporate network
and for environments where the number of physical computers that need activation does not meet
the KMS activation threshold.
MAK Independent. MAK Independent activation requires that each computer connect
independently and activate with Microsoft over the Internet or by telephone. This method is best
suited for computers within an organization that do not have a connection to the corporate
network.
MAK Proxy. MAK Proxy activation enables a centralized activation request on behalf of multiple
computers with one connection to Microsoft. This method is suitable for environments where
security concerns restrict direct access to the Internet or to the corporate network.
Ensure that computers can communicate with domain controllers. This includes network connectivity
and DNS name resolution.
Ensure that there is at least one activation object in AD DS, in the Configuration partition. If there are
two activation objects, one for client and one for server operating systems, you can safely delete
the client object because the server object will activate both clients and servers.
Active Directory-based activation is available only for domain-joined computers. If you remove a
computer from the domain, activation will fail on the next activation attempt.
Verify the activation status. You can verify activation status by looking for the Windows is activated
message in the System properties. You also can run the slmgr.vbs -dli command.
Ensure that the KMS service (SRV) resource record is present in Domain Name System (DNS), and that
DNS does not restrict dynamic updates. If DNS restrictions are intentional, you will have to provide
the KMS host Write permission to the DNS database, or you will have to create the SRV records
manually.
Note: You can use the Nslookup.exe command-line tool to query these records.
How to verify that SRV DNS records have been created for a domain controller
http://go.microsoft.com/fwlink/?LinkId=335916
Ensure that firewalls and routers do not block TCP port 1688.
If your computer will not activate, verify that the minimum number of clients required for activation
have contacted the KMS host. Until the KMS host has a count of 25, it will not activate Windows
clients, including Windows 8.1.
Display the client Windows Application Event log for event numbers 12288, 12289, and 12290 for
possible troubleshooting information.
Verify the activation status. You can verify activation status by looking for the Windows is activated
message in the System properties. You also can run the slmgr.vbs -dli command. Slmgr.vbs is the
Windows Software Licensing Management tool. You can use the following switches with slmgr.vbs:

Switch: /ato [Activation ID]
Meaning: For retail editions and volume systems with a KMS host key or a MAK installed, /ato prompts
Windows to attempt online activation. For systems with a Generic Volume License Key installed, this
prompts an attempt at KMS activation. Systems that have been set to suspend automatic KMS activation
attempts (/stao) still attempt KMS activation when /ato is run. The parameter [Activation ID] expands
/ato support to identify a Windows edition installed on the computer.

Switch:
Meaning: Display the activation expiration date for the product. By default, this refers to the current
Windows operating system edition and is primarily useful for KMS clients, because MAK and retail
activation is perpetual. Specifying the [Activation ID] parameter displays the activation expiration date
of the specified edition associated with that Activation ID.

Switch: /rearm
Meaning: This option resets the activation timers. The /rearm process is also called by sysprep /generalize.
You can locate further information about additional command-line switches for use with slmgr.vbs at
the following website.
Slmgr.vbs Options for Volume Activation
http://go.microsoft.com/fwlink/?LinkId=393028
If your computer will not activate over the Internet, ensure that an Internet connection is available
and that the computer is configured with the correct TCP/IP settings. You also might need to set a
proxy configuration from your web browser. If the computer cannot connect to the Internet, try
telephone activation.
If Internet and telephone activation both fail, you will need to contact the Microsoft Product
Activation Center.
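The checks described above (domain controller SRV records, the KMS SRV record, TCP port 1688, activation status and the 12288 to 12290 events) collected into one script. This is an added example, not course material: the domain name is an assumption, and the cmdlets need Windows 8.1 or later.

```powershell
# Added example (not course material). Assumes the domain name below; _vlmcs._tcp
# is the standard SRV name a KMS host registers in DNS.
$Domain = 'adatum.com'   # assumed

# 1. Domain controller locator records (needed for Active Directory-based activation).
$dcSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' }
if (-not $dcSrv) { Write-Warning "No domain controller SRV records for $Domain; check DNS client settings." }
else { $dcSrv | ForEach-Object { "DC record: $($_.NameTarget)" } }

# 2. KMS host record, then TCP 1688 reachability for each host it names.
$kmsSrv = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'SRV' }
if (-not $kmsSrv) {
    Write-Warning "No _vlmcs._tcp SRV record; DNS may restrict dynamic updates, or create the record manually."
}
foreach ($r in $kmsSrv) {
    $t = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port -WarningAction SilentlyContinue
    "KMS host {0} port {1}: reachable={2}" -f $r.NameTarget, $r.Port, $t.TcpTestSucceeded
}

# 3. Activation status from the licensing WMI class (LicenseStatus 1 = licensed),
#    which avoids parsing the text that slmgr.vbs prints.
Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL" |
    Where-Object { $_.Name -like 'Windows*' } |
    Select-Object Name, LicenseStatus, GracePeriodRemaining

# The same information as the slmgr.vbs -dli command from the lesson:
cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dli

# 4. The Application log events the lesson names: 12288 (activation request sent)
#    and 12289 (KMS response received) on the client; 12290 is logged on the KMS host.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12288, 12289, 12290 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```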
Lesson 2
A computer system that performs at a low efficiency level can cause problems in the work environment.
This can potentially reduce user productivity and consequently increase user frustration. Windows 8.1
helps you to determine the potential causes of poor performance, and then uses the appropriate tools to
help resolve the performance issues.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how Windows 8.1 uses important system resources, such as memory and processor.
Performance Considerations
Decreased computer system performance is a
common source of user complaints. Performance
is a measure of how quickly a computer
completes application and system tasks.
Performance problems can occur when available
resources are lacking. Computers respond slowly
for several reasons, including disorganized files,
unnecessary software that consumes resources,
too many startup programs, or perhaps even
malware or a virus. Factors that can influence
computer system performance include:
Out-of-date or inappropriate drivers for system components and peripherals, including the graphics
subsystem.
Processor
Disk
Memory
Network
Understanding how the operating system utilizes these four key hardware components and how they
interact can help you better optimize computer workstation performance. When monitoring workstation
performance, you should consider:
The workstation role and its workload, to determine which hardware components are likely to restrict
performance.
The ability to increase workstation performance by adding power or reducing the number of
applications that the user is running.
Processor
One important factor in determining your computer's overall processor capacity is processor speed.
Processor speed is determined by the number of operations that the processor performs over a specific
time period. Computers with multiple processors, or processors with multiple cores, generally perform
processor-intensive tasks with greater efficiency, and as a result, are faster than single-processor or
single-core processor computers.
Processor architecture is also important. 64-bit processors can access more memory and have a significant
positive effect on performance. This is true especially when applications running on your users'
workstations require a large amount of memory.
Disk
Hard disks store programs and data. Consequently, the throughput of a workstation's disk affects its
speed, especially when the workstation is performing disk-intensive tasks. Many hard disks have moving
parts, and it takes time to position the read/write heads over the appropriate disk sector to retrieve the
requested information.
Note: Most Windows 8.1 tablet devices use solid-state drives (SSDs), which have no moving
parts.
By selecting faster disks, and by using collections of disks to optimize access times (redundant array of
independent disks (RAID)), you can alleviate the potential for the disk subsystem to create a performance
bottleneck.
Windows 8.1 moves information on the disk into memory before it uses it. Therefore, if a surplus of
memory exists, the Windows 8.1 operating system creates a file cache for items recently written to, or read
from, disks. Installing additional memory in a workstation often improves the disk subsystem performance,
because accessing the cache is faster than moving the information into memory.
Finally, consider the type of work for which the device will be used. Different work profiles use disks in a
different way. For example, some applications read from a disk more frequently than they write to the disk
(read-intensive), and therefore good read performance is important; other applications are more
write-intensive.
Note: SSDs have different read and write performance profiles. Determine the workload
profile, and then attempt to match the disk's performance profile to optimize the device's
performance.
Memory
Programs and data load from disk into memory before the program manipulates the data. In workstations
that run multiple programs, or where datasets are very large, installing more memory can improve
workstation performance.
Windows 8.1 uses a memory model that does not reject excessive memory requests. Instead, Windows 8.1
manages them by using a process known as paging. During paging, Windows 8.1 moves the data and
programs in memory that processes are not currently using, to the paging file on the hard disk. This
frees up physical memory to satisfy the excessive memory requests. However, because a hard disk is
comparatively slow, it has a negative effect on workstation performance. By adding more memory, and by
using a 64-bit processor architecture that supports larger memory, you can reduce the need for paging.
Network
You can easily underestimate how a network that is performing poorly can affect workstation
performance, because it is not as easy to see or to measure as the other workstation components.
However, the network is a critical component for performance monitoring, because network devices store
so many of the application programs and data being processed.
Understanding Bottlenecks
A performance bottleneck occurs when a computer is unable to service the current requests for a specific
resource. The resource might be a key component, such as a disk, memory, processor, or network.
Alternatively, the shortage of a component within an application package also may cause a bottleneck.
By using performance-monitoring tools on a regular basis, and by comparing the results to your baseline
and to historical data, you can identify performance bottlenecks before they impact users.
Once you identify a bottleneck, you must decide how to remove it. Your options for removing a
bottleneck include:
A computer suffering from a severe resource shortage may stop processing user requests. This situation
requires immediate attention. However, if your computer experiences a bottleneck but still operates
within acceptable limits, you might decide to defer any changes until you resolve the situation, or until
you have an opportunity to take corrective action.
Note: As you identify and resolve a performance problem that is affecting one system
component, another component may become affected. Therefore, performance monitoring is an
ongoing process.
Question: Which hardware components are most likely to restrict performance for a
Windows 8.1 computer?
Task Manager
You can use the Performance tab in Task Manager
to help to identify performance problems. The
Performance tab displays a summary of CPU and
memory usage, and network statistics.
Resource Monitor
Resource Monitor provides a snapshot of system performance. Because the four key system components
are processor, memory, disk, and network, Resource Monitor provides a summary of these four
components and a detailed tab for each. If a user's computer is running slowly, you can use Resource
Monitor to view current activity in each of the four component areas. You can then make a determination
about which of the key components might be causing a performance bottleneck.
When the Resource Monitor first opens, the initial view is of the Overview tab. On the right side are
four graphs: CPU, Disk, Network, and Memory. You can examine these graphs, looking for excessive
peaks in CPU, Disk, Network, or Memory activity. In the main pane, you can examine details about
each component by expanding each component's information list. Each process that is running on the
computer is listed, in addition to information about resource consumption for each process. For example,
the number of threads and the percentage of CPU capacity being used displays for each running process.
Having determined that a particular component usage is bottlenecked, use the appropriate component
tab to view more information.
Remember that a snapshot of current activity, which Resource Monitor provides, only tells a partial story.
For instance, you might see a peak in activity, which is not representative of average performance.
Performance Monitor
Performance Monitor is an MMC snap-in that you can use to obtain system performance information. You
can use this tool to analyze the performance effect that applications and services have on your computer,
and you can use it to obtain an overview of system performance or collect detailed information for
troubleshooting.
Monitoring Tools
Reports
Monitoring tools
Monitoring Tools contains the Performance Monitor, which provides a visual display of built-in Windows
performance counters, either in real time or as historical data. The Performance Monitor includes the
following features:
Performance Monitor uses performance counters to measure the system's state or activity. Performance
counters are provided by the operating system and may also be included in individual applications.
Performance Monitor requests the current value of performance counters at specified time intervals. You
can add performance counters to the Performance Monitor by dragging and dropping the counters, or
by creating a custom data collector set.
Performance Monitor features multiple graph views that enable you to have a visual review of
performance log data. You can create custom views in Performance Monitor that you can export as
data collector sets for use with performance and logging features.
A data collector set organizes multiple data collection points into a single, portable component. You can
use a data collector set on its own, group it with other data collector sets and incorporate it into logs, or
view it in the Performance Monitor.
You can configure a data collector set to generate alerts when it reaches thresholds.
You also can configure a data collector set to run at a scheduled time, for a specific length of time, or
until it reaches a predefined size. For example, you can run the data collector set for 10 minutes every
hour during working hours to create a performance baseline. You also can set the data collector to restart
when set limits are reached, so that a separate file will be created for each interval.
You can use data collector sets and Performance Monitor tools to organize multiple data collection
points into a single component that you can use to review or log performance. Performance Monitor also
includes default data collector set templates to help system administrators begin the process of collecting
performance data that is specific to a server role or monitoring scenario.
In Performance Monitor, beneath the Data Collector Sets node, you can use the User Defined node to
create your own data collector sets. You can specify which specific objects and counters you want to
include in the set for monitoring. To help you select appropriate objects and counters, you are also
provided with templates to use for monitoring. These include:
System Diagnostics. Selects objects and counters that report the status of hardware resources,
system response time, and processes on the local computer, along with system information and
configuration data. The report provides guidance on ways to optimize the computer's responsiveness.
System Performance. Generates reports that detail the status of local hardware resources, system
response times, and processes.
WDAC Diagnostics. Enables you to trace debug information for Windows Data Access Components
(Windows DAC).
Note: It is not necessary for Performance Monitor to be still running for data to be
collected into a data collector set.
Reports
Use the Reports feature to view and generate reports from a set of counters that you create by using data
collector sets.
Sysinternals Tools
In addition to the built-in performance monitoring tools in Windows 8.1, you also can download and use
the Sysinternals suite of tools. You can use a number of these tools to monitor performance:
DiskMon. Enables the computer to capture all hard disk activity, and acts like a software disk activity
light in the system tray.
PageDefrag. Enables you to defragment your paging files and registry hives.
Process Explorer. Enables you to determine which files, registry keys, and other objects processes have
open, which DLLs they have loaded, and more. This tool also displays who owns each process.
Process Monitor. Enables you to monitor file system, registry, process, thread, and dynamic-link
library (DLL) activity in real-time.
Sysinternals Suite
http://go.microsoft.com/fwlink/?LinkId=393007
Diagnose problems.
By using data collector sets, you can establish a baseline to use as a standard for comparison. Create a
baseline when you first configure the computer, at regular intervals of typical usage, and when you make
any changes to the computer's hardware or software configuration. If you have appropriate baselines, you
can determine which resources are affecting your computers performance.
Performance impacts can occur because of the number of counters being sampled and the frequency
with which sampling occurs. Therefore, it is important to test the number of counters and the frequency
of data collection. This helps you determine the right balance between your environment's needs and the
provision of useful performance information. For the initial performance baseline, however, you should
use the highest number of counters possible and the highest frequency available. The following table
shows the commonly used performance counters.
Counter:
Usage: This counter measures the percentage of time the disk was idle during the sample interval. If this
counter falls below 20 percent, the disk system is saturated. You should consider replacing the current
disk system with a faster one.

Counter:
Usage: This counter indicates how many I/O operations are waiting for the hard drive to become
available. If the value is larger than two times the number of spindles, it means that the disk itself may
be the bottleneck.

Counter:
Usage: This counter indicates the amount of memory that the file system cache is using. There may be a
disk bottleneck if this value is greater than 300 megabytes (MB).

Counter: Memory\Available Mbytes
Usage:

Counter:
Usage: This counter measures the size, in bytes, of the paged pool. This is an area of system memory for
objects that can be written to disk when they are not being used. There may be a memory leak if this
value is greater than 250 MB (or 170 MB with the /3GB switch).

Counter:
Usage: This counter measures the rate at which pages are read from, or written to, the disk to resolve
hard-page faults. If the value is greater than 1,000 as a result of excessive paging, there may be a
memory leak.

Counter:
Usage: This counter measures the rate at which bytes are sent and received over each network adapter,
including framing characters. The network is saturated if you discover that more than 70 percent of the
interface is consumed.

Counter: Process\Handle Count
Usage:

Counter: Process\Thread Count
Usage:

Counter: Process\Private Bytes
Usage:
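The thresholds in the table checked against live counters over a short sample window. This is an added example, not course material: the counter paths are the standard Windows names for the counters the table describes, and the spindle count is an assumption you supply.

```powershell
# Added example (not course material). Counter paths are the standard Windows
# names for the counters the table describes; $Spindles is an assumption.
$Spindles = 1   # assumed: physical spindles behind the volume (table: queue > 2 x spindles)

$paths = @(
    '\PhysicalDisk(_Total)\% Idle Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Memory\Cache Bytes',
    '\Memory\Available MBytes',
    '\Memory\Pool Paged Bytes',
    '\Memory\Pages/sec',
    '\Network Interface(*)\Bytes Total/sec',
    '\Network Interface(*)\Current Bandwidth'
)

# Ten one-second samples: a single snapshot may catch an unrepresentative peak.
$samples = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples 10 -ErrorAction Stop

# Average each counter path over the samples. Paths come back lower-cased and
# prefixed with \\COMPUTERNAME, so the lookups below match on the path suffix.
$avg = @{}
$samples.CounterSamples | Group-Object -Property Path | ForEach-Object {
    $avg[$_.Name] = ($_.Group | Measure-Object -Property CookedValue -Average).Average
}
function Get-AverageFor([string]$Suffix) {
    $key = @($avg.Keys | Where-Object { $_ -like "*$Suffix" })[0]
    if ($key) { $avg[$key] } else { $null }
}

$findings = @()
$idle = Get-AverageFor '\% idle time'
if ($idle -ne $null -and $idle -lt 20) {
    $findings += 'Disk: % Idle Time {0:N1}% is below 20%; the disk system is saturated' -f $idle
}
$queue = Get-AverageFor '\avg. disk queue length'
if ($queue -gt 2 * $Spindles) {
    $findings += 'Disk: queue length {0:N2} exceeds 2 x {1} spindles; the disk may be the bottleneck' -f $queue, $Spindles
}
$cache = Get-AverageFor '\cache bytes'
if ($cache -gt 300MB) {
    $findings += 'Disk: file system cache {0:N0} MB exceeds 300 MB' -f ($cache / 1MB)
}
$pool = Get-AverageFor '\pool paged bytes'
if ($pool -gt 250MB) {
    $findings += 'Memory: paged pool {0:N0} MB exceeds 250 MB; possible memory leak' -f ($pool / 1MB)
}
$pages = Get-AverageFor '\pages/sec'
if ($pages -gt 1000) {
    $findings += 'Memory: {0:N0} pages/sec exceeds 1,000; excessive paging, possible memory leak' -f $pages
}
# Network: bytes per second against each adapter's own bandwidth (bits per second).
foreach ($key in @($avg.Keys | Where-Object { $_ -like '*\bytes total/sec' })) {
    $bandwidth = $avg[($key -replace 'bytes total/sec$', 'current bandwidth')]
    if ($bandwidth -gt 0) {
        $utilization = ($avg[$key] * 8) / $bandwidth * 100
        if ($utilization -gt 70) {
            $findings += 'Network: {0} is {1:N0}% utilized, above 70%' -f $key, $utilization
        }
    }
}

'Available memory: {0:N0} MB' -f (Get-AverageFor '\available mbytes')
if ($findings.Count -gt 0) { $findings }
else { 'No counter exceeded the thresholds in the table during the sample window.' }
```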
Practice Session
In this practice session, you will:
Examine a report.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Open Performance Monitor
1.
2.
3. In the Performance Monitor window, click the Performance Monitor node. Notice that only
% Processor Time is displayed by default.
1. On the toolbar, click the plus (+) symbol to add an additional counter.
2. In the Available counters area, expand PhysicalDisk, and then click % Idle Time.
3. In the Instances of selected object box, click 1 C:, click Add, and then click OK.
4.
5.
1. In the left pane, expand Data Collector Sets, and then click User Defined.
2. Right-click User Defined, point to New, and then click Data Collector Set.
3. In the Name box, type CPU and Disk Activity, and then click Next.
4. In the Template Data Collector Set box, click Basic, and then click Next. We recommend that you
use a template.
5. Click Next to accept the default storage location for the data.
6. Click Open properties for this data collector set, and then click Finish.
7. In the CPU and Disk Activity Properties dialog box, on the General tab, you can configure general
information about the data collector set and the credentials that the data collector set uses when it is
running.
8. Click the Directory tab. This tab lets you define information on how the collected data is stored.
9. Click the Security tab. This tab lets you configure which users can change this data collector set.
10. Click the Schedule tab. This tab lets you define when the data collector set is active and collecting
data.
11. Click the Stop Condition tab. This tab lets you define when data collection is stopped, based on time
or data that is collected.
12. Click the Task tab. This tab lets you run a scheduled task when the data collector set stops. You can
use this to process the collected data.
13. Click Cancel. Notice that there are three kinds of logs in the right pane:
o Performance Counter collects data that you can view in Performance Monitor.
o Kernel Trace collects detailed information about system events and activities.
14. In the right pane, double-click Performance Counter. Notice that all Processor counters are
collected, by default.
15. Click Add.
16. In the Available counters area, click PhysicalDisk, click Add, and then click OK. All the counters for
the PhysicalDisk object are now added. Click OK.
17. In the left pane, right-click CPU and Disk Activity, and then click Start.
Examine a report
1. Wait a few moments for the data collector set to stop automatically.
2. Right-click CPU and Disk Activity, and then click Latest Report.
3. Review the report, which shows the data that is collected by the data collector set.
4.
Completion Steps
After you have completed the practice session, leave the virtual machines running for the lab.
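The same data collector set the practice session builds in the GUI (all Processor and PhysicalDisk counters, stopping on its own), created with logman.exe and read back with Import-Counter. This is an added example, not part of the course; the output folder, sample interval and run time are assumptions.

```powershell
# Added example (not course material). Assumptions: output folder, 15-second
# sample interval and a 10-minute run. Run in an elevated PowerShell session.
$Name = 'CPU and Disk Activity'
$Out  = 'C:\PerfLogs\Adatum'   # assumed output folder
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Every Processor and PhysicalDisk counter, binary log, new file at 50 MB,
# stopping on its own after 10 minutes (the lesson's baseline interval).
logman create counter $Name -c '\Processor(*)\*' '\PhysicalDisk(*)\*' `
    -si 15 -f bin -o "$Out\cpudisk" -max 50 -rf 00:10:00 -y
logman start $Name
logman query $Name              # status, output path and counter list
# logman stop $Name             # only if you need to end the run early

function Get-DiskIdleSummary {
    # Reads the newest log the set produced and averages % Idle Time for the
    # "1 C:" instance the practice adds, applying the lesson's 20 percent threshold.
    param([string]$LogFolder = $Out)
    $log = Get-ChildItem -Path $LogFolder -Filter 'cpudisk*.blg' |
           Sort-Object LastWriteTime | Select-Object -Last 1
    if (-not $log) { throw "No .blg log found in $LogFolder; has the set run yet?" }
    $values = (Import-Counter -Path $log.FullName).CounterSamples |
              Where-Object { $_.Path -like '*\physicaldisk(1 c:)\% idle time' } |
              Select-Object -ExpandProperty CookedValue
    if (-not $values) { throw "Log $($log.Name) has no % Idle Time samples for instance 1 C:" }
    $stats = $values | Measure-Object -Average -Minimum
    [pscustomobject]@{
        Log       = $log.Name
        Samples   = $stats.Count
        AvgIdle   = [math]::Round($stats.Average, 1)
        MinIdle   = [math]::Round($stats.Minimum, 1)
        Saturated = ($stats.Average -lt 20)   # below 20 percent idle: disk system saturated
    }
}
# After the run-for period has elapsed: Get-DiskIdleSummary
```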
Some video adapters use shared system memory. This means that the memory that would otherwise
be available for servicing applications is being used by the video adapter for display purposes. Some
computers come equipped with video adapters that use dedicated onboard memory for display purposes,
ensuring that more memory is available for applications.
Optimize Paging
For most single disk drive computers running Windows 8.1, it typically is adequate to leave the paging file
settings at the default values. However, you may gain a small performance benefit by following these
guidelines:
Create the paging file on a different physical disk than the operating system disk. Paging is a
disk-intensive task. If you distribute the disk load across all of your computer's available disks, you
minimize the likelihood of performance bottlenecks affecting the disk subsystem. By optimizing
the disk subsystem, you can make the paging process as efficient as possible.
Configure a fixed-size paging file. A paging file that can grow on the disk might encompass
fragmented areas of the disk volume. By configuring a fixed-size paging file, you can ensure that
the paging file does not encompass fragmented areas.
Ensure that the disk volume is not fragmented when you create the paging file. If you want to create
a fixed-size paging file on a computer that already has a paging file, ensure that you do not create a
paging file that encompasses fragmented areas of the disk. Additionally, before you create a fixed-size
paging file, you must configure the computer to use no paging, and then defragment the volumes.
When you configure the paging file, ensure that its size is sufficiently large. Recommendations specify
that an initial paging file should be equivalent to the amount of installed memory, and a maximum
paging file size that is equal to twice the initial value. Consequently, you should create a fixed-size
paging file that is equal to, or twice, the size of the physical memory.
Note: To access these paging options, from the Start screen, right-click This PC, and then
click Properties. Click Advanced system settings, and then under Performance, click Settings. Click
the Advanced tab, and then click Change.
Note: For computers with 2 GB of physical memory running 32-bit versions of
Windows 8.1, there is no particular benefit in configuring a paging file larger than 2 GB.
A number of Windows 8.1 tablets that are running on Intel Atom processors are equipped
with 2 GB of memory and run 32-bit versions of Windows 8.1.
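The paging-file guidelines above applied with the WMI classes that back the Virtual Memory dialog, in two phases because the text says to run with no paging file and defragment before creating the fixed-size file. This is an added example, not course material; the target drive and the 1x or 2x multiplier are parameters you choose.

```powershell
# Added example (not course material). Both phases need an elevated session and
# a restart between them; Optimize-Volume is the built-in Optimize Drives tool.
function Get-InstalledMemoryMB {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    [int][math]::Ceiling($cs.TotalPhysicalMemory / 1MB)
}

function Disable-PagingFile {
    # Phase 1: switch off automatic management and remove every paging file.
    # Then restart and defragment the target volume, for example:
    #   Optimize-Volume -DriveLetter D -Defrag
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.AutomaticManagedPagefile) {
        $cs.AutomaticManagedPagefile = $false
        [void]$cs.Put()
    }
    Get-WmiObject -Class Win32_PageFileSetting | ForEach-Object { $_.Delete() }
}

function New-FixedPagingFile {
    # Phase 2: create one fixed-size paging file (Initial = Maximum, so it cannot
    # grow into fragmented space), preferably on a disk other than the system disk.
    param(
        [string]$Drive = '',      # e.g. 'D:'; default: first non-system fixed disk, else system drive
        [int]$Multiplier = 1      # 1 = equal to installed memory, 2 = twice installed memory
    )
    $ramMB  = Get-InstalledMemoryMB
    $sizeMB = $ramMB * $Multiplier
    if (-not $Drive) {
        $candidate = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=3' |
            Where-Object { $_.DeviceID -ne $env:SystemDrive -and $_.FreeSpace -gt ($sizeMB * 1MB) } |
            Select-Object -First 1
        $Drive = if ($candidate) { $candidate.DeviceID } else { $env:SystemDrive }
    }
    # Lesson note: a 32-bit Windows 8.1 computer with 2 GB of memory gains nothing
    # from a paging file larger than 2 GB.
    if (-not [Environment]::Is64BitOperatingSystem -and $ramMB -le 2048 -and $sizeMB -gt 2048) {
        $sizeMB = 2048
    }
    Set-WmiInstance -Class Win32_PageFileSetting -Arguments @{
        Name        = "$Drive\pagefile.sys"
        InitialSize = $sizeMB
        MaximumSize = $sizeMB
    }
}

# Phase 1, restart, defragment, then phase 2:
# Disable-PagingFile
# New-FixedPagingFile -Multiplier 1
```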
Optimization task: Minimize the frequency of paging
Adding physical memory to a computer that is paging excessively reduces the load on the disk subsystem.

Optimization task: Implement faster disks
Disk speed is measured in revolutions per minute (rpm), and average seek times are measured in
milliseconds. Install disks 7200 rpm or faster, and select disks with the lowest seek time.

Optimization task: Consider using SSDs
SSDs use flash memory technology and have no moving parts. They can operate faster than more
traditional disks, but they are more expensive. Research the specific vendor and model of disk carefully.
Some disks provide higher write performance, and some provide higher read performance.

Optimization task: Defragment volumes that are used heavily
You can use either the built-in disk Optimize Drives tool or another company's tools, some of which
support the defragmentation of files such as Hiberfil.sys and Pagefile.sys. Note that the likelihood of disk
volume fragmentation increases as the disk volume becomes filled.
Note: Windows 8.1 optimizes drives automatically once a week.
Note: Try to avoid defragmenting SSDs. It most likely provides very little (if any) performance benefit
and increases disk usage. As discussed in Module 3, some SSDs have a lifetime imposed by the number
of writes performed on the disk.

Optimization task: Ensure that you enable write-caching
You can use Device Manager to examine the properties of any installed disks, and to verify that
write-caching is enabled.

Optimization task: Distribute the memory load across all available disks
A user reports performance-related issues with his computer. The help desk is unable to determine the
problem. You must investigate to ascertain which computer component the problem is affecting, and
then make recommendations about a solution or mitigation.
Objectives
After completing this lab, you will be able to:
Resolve a performance related problem.
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. The required virtual machines
should already be running. If they are not, before you begin the lab, you must complete the following
steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
November 05
17:37
Carol Troup (Managers)
OPEN
Incident Record
Incident Details
Carol's computer was performing well a few days ago, but recently she has complained that its
performance has degraded. Tasks such as loading Microsoft Office take much longer than they
used to.
Additional Information
The computer, LON-CL1, is running Windows 8.1 and has Microsoft Office 2013 installed.
Plan of Action
Resolution
2.
3.
Discuss recommendations.
4.
5.
2.
Performance counter
Counters to include:
3.
Start the data collector set, and then start the following programs:
o
4.
5.
6.
In Performance Monitor, locate Reports > User Defined > Adatum Baseline, and click the report
that has a name that begins with LON-CL1.
7.
Task 2: Read the help desk Incident Record for incident 723499
2.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
2.
3.
If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Results: After completing this exercise, you should have identified the performance bottleneck.
When you have finished the lab, leave the virtual machines running for the next practice session.
Lesson 3
Windows Defender helps to protect your computer from spyware and other forms of malware. In
Windows 8.1, Windows Defender integrates with Action Center to provide a consistent means of alerting
you when action is required. Windows Defender also provides an improved user experience when you are
scanning for spyware or manually checking for updates. Additionally, in Windows 8.1, Windows Defender
has less impact on overall system performance, even though it continues to deliver continuous, real-time
monitoring.
Lesson Objectives
After completing this lesson, you will be able to:
Explain how to use Windows Defender to help to protect against malware and virus threats.
To protect your computers and your network infrastructure from the damage and disruption that malware
can cause, you must formulate a strategy to protect your computers. Implementing user policies,
anti-malware and antivirus software, encrypting network traffic, and other protective measures work together
to shield your computers and your network from security threats.
Alert levels help you determine how to respond to spyware and unwanted software. You can configure
Windows Defender behavior when a scan identifies unwanted software. You also are alerted if software
attempts to change important Windows settings.
To help prevent spyware and other unwanted software from running on the computer, turn on Windows
Defender real-time protection.
Windows Defender includes automatic scanning options that provide on-demand scanning for malicious
software. The following table identifies scanning options.
Scanning
option
Description
Quick Scan
Checks the areas that malicious software (including viruses, spyware, and unwanted
software), are most likely to infect.
Full Scan
Checks all the files on your hard disk and all running programs.
Custom Scan
As a best practice, you should schedule a daily Quick Scan. At any time, if you suspect that spyware has
infected a computer, run a Full Scan.
When you run a scan, the progress displays on the Windows Defender Home page. When Windows
Defender detects a potentially harmful file, it moves the file to a quarantine area. It does not allow the
file to run, or allow other processes to access it. After the scan is complete, you can choose to remove or
restore quarantined items, and maintain the Allowed list. The History page lists the quarantined items.
Click View details to see all items. Review each item, and individually remove or restore each. Alternatively,
if you want to remove all quarantined items, click Remove all.
Scan archive files. Scanning these locations might increase the time required to complete a scan, but
spyware and other unwanted software can install itself and attempt to hide in these locations.
Scan removable drives. Use this option to scan the contents of removable drives, such as USB flash
drives.
Create a system restore point. Use this option before applying actions to detected items. Because you
can set Windows Defender to remove detected items automatically, selecting this option allows you
to restore system settings.
Allow all users to view the full History results. Use this option to allow all users that sign into this
computer to see the scanning history. If you do not select this option, users will only see scan results
that relate to their files.
Remove quarantined files after <Time>. Use this option to remove quarantined files after a set period
of time. When you enable this option, the default period is one month, but you can set it from one
day to three months.
Send file samples automatically when further analysis is required. Use this option to send samples
automatically to Microsoft to help determine whether detected items are, in fact, malicious.
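The scan options listed above, the daily Quick Scan the lesson recommends, and the History view, set from the Windows Defender PowerShell module. This is an added example, not course material; the lab folder path is the one the practice session uses, and the scan time is an assumption.

```powershell
# Added example (not course material). Run in an elevated session on Windows 8.1.
Import-Module Defender

# Real-time protection plus the option list above. The parameters are phrased as
# "Disable...", so $false turns the corresponding option on.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableArchiveScanning $false          # Scan archive files
Set-MpPreference -DisableRemovableDriveScanning $false   # Scan removable drives
Set-MpPreference -DisableRestorePoint $false             # Create a system restore point before actions
Set-MpPreference -QuarantinePurgeItemsAfterDelay 30      # Remove quarantined files after 30 days (the default month)
Set-MpPreference -SubmitSamplesConsent SendSafeSamples   # Send file samples automatically
# "Allow all users to view the full History results" has no Set-MpPreference parameter;
# it stays a Windows Defender Settings page option.

# Daily Quick Scan at 02:00 (assumed time); run a Full Scan whenever spyware is suspected.
Set-MpPreference -ScanParameters QuickScan -ScanScheduleDay Everyday -ScanScheduleQuickScanTime '02:00:00'

# On-demand scans: the Quick Scan and the Custom Scan of the practice folder.
Start-MpScan -ScanType QuickScan
Start-MpScan -ScanType CustomScan -ScanPath 'D:\Labfiles\Mod12\Malware'
# Start-MpScan -ScanType FullScan

# What the History page shows: each detection and whether the action succeeded.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ThreatID, Resources, ActionSuccess

# Overall status: real-time protection on, signature age, last Quick Scan.
Get-MpComputerStatus |
    Select-Object RealTimeProtectionEnabled, AntispywareSignatureLastUpdated, QuickScanEndTime
```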
Preparation Steps
For this practice session, you need to use the available virtual machine environment. These should already
be running from the lab, but if they are not, before you begin the practice session, you must complete the
following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Demonstration Steps
Perform a quick scan
1.
2.
3. On the Windows Defender Home tab, verify that the Quick scan option is selected, and then click
Scan now.
4.
2. In the File Explorer address bar, type D:\Labfiles\Mod12\Malware, and then press Enter.
3. In the Malware folder, double-click Sample.txt to open it in Notepad. The Sample.txt file contains a
text string used to test malware detection.
4. In Notepad, in the Sample.txt file, delete both instances of <remove> (including the angle brackets
and the blank line before and after the string of remaining text).
5.
6. Close Notepad.
7.
8. In Windows Defender, on the Home tab, click Custom, and then click Scan now.
9. In the Windows Defender dialog box, select the Allfiles (D:) check box, and then click OK.
10. Verify that Windows Defender detects the potential malware in the text file. You may not receive a
notification. You can also verify that the D:\Labfiles\Mod12\Malware folder no longer contains the
Sample.txt file.
11. In Windows Defender, click the History tab.
12. Click Quarantined items, and then click View details.
13. Click Remove all.
2.
3.
Completion Steps
After you have completed the practice session, revert the virtual machines in preparation for
the next module:
1.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Lesson 4
To keep computers that are running Windows 8.1 stable and protected, you must update them regularly
with the latest security updates and fixes. Windows Update enables you to download and install important
and recommended updates automatically, instead of visiting the Windows Update website. To utilize
Windows Update effectively, you must be aware of the configuration options that Windows Update has
available, and you must be able to guide users on how to configure these options.
Lesson Objectives
After completing this lesson, you will be able to:
Explain why application updates and Windows operating system updates are important.
Describe how you can use Windows Server Update Services (WSUS) to manage updates.
Explain how to use Group Policy Objects (GPOs) to configure Windows Update settings.
Consistency is important, and you can simplify the troubleshooting process by ensuring that all
computers are using the same version of software, and contain the same updates and fixes.
Windows Update
Windows Update is a service that provides software updates that keep your computer up-to-date and
protected. On the Windows Update page, you can review the important and optional updates that are
available for your computer.
You can configure Windows Update to download and install updates for your computer automatically, or
you can decide to install updates manually. You must configure computers that are running Windows 8.1
to download and install updates automatically to ensure that the computer has the most up-to-date and
protected configuration possible. You can turn on Automatic Updates during the initial Windows 8.1
setup, or you can configure it later.
Windows Update downloads your computer's updates in the background while you are online. If your
Internet connection is interrupted before an update downloads fully, the download process resumes when
the connection becomes available.
Note: By default, Windows 8.1 will download and install updates automatically.
Note: Windows Update also can update non-Microsoft software components.
Microsoft System Center 2012 Configuration Manager performs many configuration management-based
tasks in an enterprise, including update management. You can use Configuration Manager to incorporate
WSUS into your configuration management environment and to provide greater control over update
scheduling, deployment, and reporting. Configuration Manager also can be used to deploy non-Microsoft
updates.
Windows Intune
Windows Intune is a management tool. One feature of Windows Intune is central update management.
With Windows Intune, you can send out updates. These updates can include updates for both Windows
operating systems, and non-Microsoft updates for non-Microsoft apps. With Windows Intune, you can
perform the following tasks:
Approve and deploy updates after they have been tested, and not immediately after updates have
been released.
Uninstall updates.
Deploy both Microsoft updates and non-Microsoft updates in the same way.
Windows Intune also provides you with reports that inform you about which updates the clients require,
which updates are pending, and which updates are already installed.
Microsoft updates are made available through Windows Intune automatically, as soon as they are released
to Windows Update. However, with non-Microsoft updates, you must obtain and upload the updates to
Windows Intune cloud storage before you can approve and deploy them to client computers.
In the simplest configuration, a small organization can have a single WSUS server that downloads updates
from the Microsoft Update website. The WSUS server then distributes the updates to computers that are
configured to obtain automatic updates from the WSUS server. You must approve the updates before
clients can download them.
Larger organizations can create a hierarchy of WSUS servers. In this scenario, a single centralized WSUS
server obtains updates from Microsoft Update, and other WSUS servers obtain updates from the
centralized WSUS server.
You can organize computers into groups to simplify the approval of updates. For example, you can
configure a pilot group to be the first set of computers that you use for testing updates.
WSUS can generate reports to help monitor update installation. These reports can identify which
computers have not applied recently approved updates. Based on these reports, you can investigate why
updates are not being applied.
The update management process allows you to manage and maintain WSUS and the updates retrieved by
WSUS. This process is a continuous cycle during which you can reassess and adjust the WSUS deployment
to meet changing needs. The four phases in the update management process are:
Assess
Identify
Deploy
The goal of the assess phase is to set up a production environment that supports update management for
routine and emergency scenarios. The assess phase is an ongoing process that you use to determine the
most efficient topology for scaling the WSUS components. As your organization changes, you might
identify a need to add more WSUS servers in different locations.
After you identify the relevant updates, you need to evaluate whether they work properly in your
environment. There is always the possibility that the specific combination of software in your environment
might have problems with an update.
To evaluate updates, you should have a test environment in which you can apply updates to verify
proper functionality. During this time, you might identify dependencies that are required for an update to
function properly, and you can plan any changes that you need to make. You can achieve this if you use
one or more computer groups for testing purposes. For example, you may have a computer group with
client computers that run all the operating systems and applications that are updated by using WSUS. You
can use another computer group for servers that run the different applications and operating systems that
are updated by WSUS. Before you deploy updates to the entire organization, you can push updates to
these computer groups, and then test them. Only after making sure they work as expected should you
move on to the deploy phase.
After you have thoroughly tested an update and determined any dependencies, you can approve it
for deployment in the production network. Ideally, you should approve the update for a pilot group of
computers before approving the update for the entire organization. You also can configure WSUS to use
automatic updates. (Automatic updates are discussed in the next topic.)
When a software update is applied to an app that is in use, Windows 8.1 can save the app's data,
close the app, update the app, and then restart the app. Windows 8.1 might prompt the user to
accept Microsoft Software License Terms when the app restarts.
Note: You can configure Windows 8.1 devices to use a WSUS server instead of defaulting
to Windows Update, either by using GPOs, or manually changing the settings of each individual
device. To use GPOs, configure the Specify intranet Microsoft update service location setting.
For more details, see the topic Configuring Update Settings with GPOs.
Use Configuration Manager for larger environments that have more than 100 systems.
The recommended settings are set to download and install updates automatically at 03:00 daily. If the
computer is turned off, the installation will be done the next time that the computer turns on. By using the
recommended settings, users do not have to search for critical updates or worry that critical fixes may be
missing from their computers.
Change Settings
From the Windows Update page, you also have access to the Change Settings features. On the Change
Settings page, you can select from four settings:
Check for updates but let me choose whether to download and install them
As a best practice, you should choose to have updates install automatically, so that Windows will install
important updates as they become available. However, if you do not want updates to install or download
automatically, you can select instead to be notified when updates apply to your computer, so that you can
download and install them yourself. For example, if you have a slow Internet connection or your work is
interrupted because of automatic updates, you can configure Windows to check for updates, but then
download and install them yourself later.
Managing Updates
Generally, applying updates does not create problems with most computers. However, occasionally, an
installed update may conflict with the unique combination of installed hardware and software in one of
your users' computers. This can result in a reliability problem. When this occurs, you can use Windows
Update to review installed updates, and where necessary, uninstall an update.
Uninstall Updates
If you need to remove an update that has been installed, from the View update history page, click
Installed Updates. You can then view all the installed updates, and where necessary, you can right-click an
update, and then click Uninstall.
Hide Updates
If the update attempts to reinstall at a later time, you can hide the update. To hide an update that you do
not want to install, from Windows Update, click the link for the available updates. Right-click the update
that you do not want to install, and then click Hide update.
If you have resolved the underlying problem with the update you uninstalled, and you now want to
reinstall it, you first must unhide the update. From Windows Update, in the left pane, click Restore hidden
updates.
If you enable this policy setting, Install Updates and Shut Down will not display as a choice in the
Shut Down Windows dialog box, even if updates are available for installation when the user selects
the Shut Down option in the Start menu.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option will
be available in the Shut Down Windows dialog box if updates are available when the user selects
the Shut Down option in the Start menu.
Do not adjust default option to Install Updates and Shut Down in Shut Down Windows
dialog box.
You can use this policy setting to manage whether the Install Updates and Shut Down option is the
default choice in the Shut Down Windows dialog box.
If you enable this policy setting, the user's last shutdown choice (such as Hibernate, or Restart) is the
default option in the Shut Down Windows dialog box, regardless of whether the Install Updates
and Shut Down option is available in the What do you want the computer to do? list.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option will
be the default option in the Shut Down Windows dialog box, if updates are available for installation
when the user selects the Shut Down option in the Start menu.
Enabling Windows Update Power Management to automatically wake up the system to install
scheduled updates.
This policy specifies whether the Windows Update will use the Windows Power Management features
to automatically wake up your system from hibernation if updates need to be installed.
Windows Update will wake up your system automatically only if you configure Windows Update to
install updates automatically. If the system is in hibernation when the scheduled install time occurs,
and there are updates to be applied, then Windows Update will use the Windows Power
Management feature to wake the system automatically to install the updates.
The system will not wake unless there are updates to be installed. If the system is on battery power,
when Windows Update wakes it up, it will not install updates, and the system will automatically return
to hibernation in two minutes.
This setting lets you specify whether to enable automatic updates on your computer. If you enable
this service, you must select one of the four options in the Group Policy setting:
o 2 - Notify for download and notify for install. When Windows finds updates that apply to your
  computer, an icon displays in the status area, with a message that updates are ready for download.
  Clicking the icon or the message provides the option to select the specific updates that you want
  to download. Windows then downloads your selected updates in the background.
  When the download completes, the icon displays in the status area again, with notification that
  the updates are ready for installation. Clicking the icon or message provides the option to select
  which updates to install.
o 3 - Auto download and notify for install. Windows finds updates that apply to your computer, and
  then downloads these updates in the background, so that the user is not notified or interrupted
  during this process.
  When the download completes, the icon displays in the status area, with notification that the
  updates are ready for installation. Clicking the icon or message provides the option to select
  which updates to install.
o 4 - Auto download and schedule the install. If any of the updates require a restart to complete the
  installation, the Windows operating system will restart the computer automatically. If a user is
  signed in to the computer when the Windows operating system is ready to restart, the user will be
  notified and given the option to delay the restart.
o 5 - Allow local admin to choose setting. With this option, the local administrators will be allowed
  to use the Automatic Updates control panel to select a configuration option. For example,
  administrators can choose their own scheduled installation time. Local administrators will not be
  allowed to disable Automatic Updates configuration.
To use the Configure Automatic Updates setting, click Enabled, and then select one of the options
(2, 3, 4, or 5). If you select 4, you can set a recurring schedule. If you do not specify a schedule, all
installations will occur every day at 03:00.
If the status is set to Enabled, Windows recognizes when the computer is online, and then uses its
Internet connection to search Windows Update for updates that apply to your computer.
If the status is set to Disabled, you must manually download and install any updates that are
available on Windows Update.
If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy
level. However, an administrator can still configure Automatic Updates through Control Panel.
This setting specifies an intranet server to host updates from Microsoft Update. You can then use this
update service to update your network's computers automatically.
This setting lets you specify a server on your network to function as an internal update service. The
Automatic Updates client will search this service for updates that apply to the computers on your
network.
To use this setting, you must set two server name values:
o The server from which the Automatic Updates client detects and downloads updates
If the status is set to Enabled, the Automatic Updates client connects to the specified intranet
location, instead of Windows Update, to search for and download updates. Enabling this setting
means that end users in your organization do not have to go through a firewall to get updates, and it
gives you the opportunity to test updates before deploying them.
If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy
or user preference, the Automatic Updates client connects directly to the Windows Update site on the
Internet.
This policy specifies the hours that Windows will use to determine how long to wait before checking
for available updates. The exact wait time is determined by using the hours that you specify in this
policy, minus zero to twenty percent of the hours specified. For example, if you specify this policy for
a 20-hour detection frequency, then all clients to which this policy is applied will check for updates
anywhere between 16 and 20 hours.
If the status is set to Enabled, Windows will check for available updates at the specified interval.
If the status is set to Disabled or Not Configured, Windows will check for available updates at the
default interval of 22 hours.
Non-administrative users will be able to install all optional, recommended, and important updates
for which they received a notification. Users will not see a User Account Control window and do not
require elevated permissions to install these updates, except in the case of updates that contain User
Interface, End User License Agreement, or Windows Update setting changes.
If you disable or do not configure this policy setting, then only administrative users will receive
update notifications. By default, this policy setting is disabled.
If the Configure Automatic Updates policy setting is disabled or not configured, then the Elevate
Non-Admin policy setting has no effect.
Enhanced notification messages convey the value of optional software, and promote its installation
and use. This policy setting is intended for use in loosely managed environments in which you allow
the end user access to the Microsoft update service.
If you enable this policy setting, a notification message will appear on the user's computer when
featured software is available. The user can click the notification to open the Windows Update
application and get more information about the software, or install it. The user also can click Close
this message or Show me later to defer the notification as appropriate. In Windows 8.1, this policy
setting will only control detailed notifications for optional applications.
If you disable or do not configure this policy setting, Windows 8.1 users will not be offered detailed
notification messages for optional applications. By default, this policy setting is disabled. If you are
not using the Microsoft update service, then the Software Notifications policy setting has no effect. If
the Configure Automatic Updates policy setting is disabled or is not configured, then the Software
Notifications policy setting has no effect.
This setting specifies whether Automatic Updates will automatically install certain updates that neither
interrupt Windows services, nor restart Windows. If the status is set to Enabled, Automatic Updates
will install these updates immediately once they are downloaded and ready to install.
If the status is set to Disabled, such updates will not be installed immediately. If the Configure
Automatic Updates policy is disabled, this policy has no effect.
This setting specifies whether Automatic Updates will deliver both important and recommended
updates from the Windows Update service. When this policy is enabled, Automatic Updates will install
recommended and important updates from Windows Update. When disabled or not configured,
Automatic Updates will continue to deliver important updates if it is already configured to do so.
This setting specifies that to complete a scheduled installation, Automatic Updates will wait for the
computer to be restarted by any user who is signed in, instead of causing the computer to restart
automatically.
If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a
scheduled installation, if a user is signed in to the computer. Instead, Automatic Updates will notify
the user to restart the computer.
This setting specifies the amount of time for Automatic Updates to wait before prompting the user
again to restart and complete the update process.
If the status is set to Enabled, a scheduled restart will occur in the specified number of minutes after
the previous prompt for restart was postponed.
If the status is set to Disabled or Not Configured, the default interval is 10 minutes.
This setting specifies the amount of time for Automatic Updates to wait before proceeding with a
scheduled restart.
If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the
installation is finished.
If the status is set to Disabled or Not Configured, the default wait time is 15 minutes.
If the status is set to Not Configured, a missed scheduled installation will occur one minute after the
computer next starts.
If the status is set to Enabled, the specified target group information is sent to the intranet Microsoft
Update service. The service uses this information to determine which updates must be deployed to
the computer.
If the intranet Microsoft update service supports multiple target groups, this policy can specify
multiple group names separated by semicolons. Otherwise, you must specify a single group.
If the status is set to Disabled or Not Configured, no target group information will be sent to the
intranet Microsoft update service.
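As an added example (not part of the course material), the following Windows PowerShell script reads the registry values that the Windows Update policy settings described above write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, reports the effective configuration (including the 03:00 default schedule and the 0 to 20 percent detection-frequency window), and flags the combinations the text says have no effect. It assumes the standard Windows Update Agent value names; the check that the intranet server URL uses HTTPS is an added hardening check, not something the course text states.

```powershell
# Added example, not code from the course. Reads the registry values behind the
# Windows Update Group Policy settings and reports the effective configuration.
# Assumption: the policy-to-registry mapping is the standard Windows Update Agent
# one (WindowsUpdate and WindowsUpdate\AU keys). Run in an elevated session.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent, which is how "Not Configured" looks.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-DetectionWindow {
    # Windows subtracts 0 to 20 percent of the configured detection frequency,
    # so a 20-hour policy produces checks anywhere between 16 and 20 hours.
    param([int]$Hours = 22)   # 22 hours is the default when the policy is not set
    [pscustomobject]@{ MinHours = [math]::Round($Hours * 0.8, 1); MaxHours = $Hours }
}

function Get-WindowsUpdatePolicyAudit {
    $auOptions = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }
    $findings = @()

    # Configure Automatic Updates: NoAutoUpdate=1 means Disabled, AUOptions is the option number.
    $noAuto = Get-PolicyValue $auKey 'NoAutoUpdate'
    $opt    = Get-PolicyValue $auKey 'AUOptions'
    if ($noAuto -eq 1) {
        $findings += 'Configure Automatic Updates is Disabled: updates must be installed manually.'
        $optText = 'Disabled'
    } elseif ($null -eq $opt) {
        $optText = 'Not Configured (the Control Panel setting applies)'
    } else {
        $optText = "$opt - $($auOptions[[int]$opt])"
    }

    # Option 4 without an explicit schedule installs every day at 03:00.
    $hour = Get-PolicyValue $auKey 'ScheduledInstallTime'
    if ($opt -eq 4 -and $null -eq $hour) { $hour = 3 }

    # Specify intranet Microsoft update service location (WSUS).
    $useWsus = Get-PolicyValue $auKey 'UseWUServer'
    $server  = Get-PolicyValue $wuKey 'WUServer'
    $stats   = Get-PolicyValue $wuKey 'WUStatusServer'
    if ($useWsus -eq 1 -and $server -and $server -notmatch '^https://') {
        # Added hardening check: an http:// update server URL leaves update traffic open to tampering.
        $findings += "Intranet update server $server is not an HTTPS URL."
    }

    # Automatic Updates detection frequency, in hours.
    $freq = if ((Get-PolicyValue $auKey 'DetectionFrequencyEnabled') -eq 1) {
        [int](Get-PolicyValue $auKey 'DetectionFrequency')
    } else { 22 }
    $window = Get-DetectionWindow -Hours $freq

    # Settings that have no effect unless Configure Automatic Updates is enabled.
    $auUnset = ($noAuto -eq 1) -or ($null -eq $opt)
    if ($auUnset -and (Get-PolicyValue $wuKey 'ElevateNonAdmins') -eq 1) {
        $findings += 'Elevate Non-Admin is enabled but has no effect: Configure Automatic Updates is disabled or not configured.'
    }
    if ($auUnset -and (Get-PolicyValue $auKey 'EnableFeaturedSoftware') -eq 1) {
        $findings += 'Software Notifications is enabled but has no effect: Configure Automatic Updates is disabled or not configured.'
    }

    # Client-side targeting: semicolon-separated group names sent to the intranet service.
    $target = if ((Get-PolicyValue $wuKey 'TargetGroupEnabled') -eq 1) {
        (Get-PolicyValue $wuKey 'TargetGroup') -split ';'
    } else { @() }

    [pscustomobject]@{
        AutomaticUpdates        = $optText
        ScheduledInstallHour    = $hour
        UseIntranetServer       = ($useWsus -eq 1)
        IntranetServer          = $server
        StatisticsServer        = $stats
        DetectionFrequencyHours = $freq
        DetectionWindow         = "$($window.MinHours) to $($window.MaxHours) hours"
        NoAutoRebootWithUsers   = ((Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers') -eq 1)
        TargetGroups            = $target
        Findings                = $findings
    }
}

Get-WindowsUpdatePolicyAudit | Format-List
```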
Uninstall Updates
The simplest way to remove a problematic update is to uninstall it. From Control Panel, click
Windows Update, click View update history, and then click Installed Updates. You can then right-click
the suspect update, and then click Uninstall.
Note: To ensure that the update is not
reapplied, you must hide it from the list of available updates.
If you are unsure which update has caused a problem, you can use System Restore to restore the
computer's configuration to an earlier point in time. This will, of course, potentially remove many updates.
You will then have to determine which updates to hide to prevent deployment, and which to allow to
install.
Note: If you choose to use Windows Intune or WSUS, you can deploy updates to test
computers prior to deploying them to your production environment. This can help to ensure that
the updates do not introduce functionality or reliability problems.
Module 13
Recovering Windows 8.1
Module Overview
Protecting the data on your computer systems from accidental loss or corruption is an important role for
administrators. To recover your computer from some types of problems, restoring system settings can be
easier than reinstalling the computer's operating system and apps.
Windows 8.1 provides several tools that you can use to back up important data files and to recover a
computer. To support your users, it is important that you understand how to use these file backup and
system recovery tools.
Objectives
After completing this module, you will be able to:
Lesson 1
Although you might implement a file-recovery strategy for user data that is stored on network file servers
or network-accessible storage devices, you must remember that users often save their work to local
storage. Consequently, you must be prepared to provide some method of local file recovery, so that if
these data files become corrupt or you delete them accidentally, you can recover them.
Lesson Objectives
After completing this lesson, you will be able to:
After you enable File History, it saves a copy of your files every hour to the designated location. Windows
8.1 then saves these versions indefinitely, by default. However, you can configure the save duration and
the length of time that Windows 8.1 will retain the versions.
File History backs up the following folders:
Contacts
Desktop
Favorites
Documents
Music
Pictures
Videos
Note: You cannot add top-level folders to this list, but you can define exceptions from this
list for files and data that you do not want to back up.
To recover files, you can click Restore personal files from within File History, and then select the file
from the folders or libraries in your backup. Alternatively, you can recover files directly from File Explorer.
Navigate to the folder that contained a deleted file, and then on the ribbon, click the History button. The
File History opens, and lists the recoverable files.
Note: You may need to expand the ribbon to view the History option.
Windows Backup
Windows 8.1 does not provide a graphical interface to the Windows Backup tool that was provided in
earlier versions of Windows, including Windows 8. However, if you wish, you can still use this backup tool
from the command line to perform backup and restore operations.
You can use the WBadmin start backup command to create a backup. The following command will back
up the entirety of drive C to drive D:
WBadmin start backup -BackupTarget:D: -Include:C:
You can use the WBadmin start recovery command to restore a backup that you previously created. For
example, to recover the backup from March 31, 2013, taken at 10:00 A.M., of volume E:, type:
WBadmin start recovery -version:03/31/2013-10:00 -itemType:Volume -items:e:
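As an added example, not part of the course text, the following Windows PowerShell functions parse the output of wbadmin get versions to find the newest version identifier on a backup target and build the matching wbadmin start recovery command for you to review before running it. The sample wbadmin output embedded below is constructed so the example runs offline; the -version, -itemType, -items and -backupTarget parameters are wbadmin's own syntax.

```powershell
# Added example, not code from the course. Finds the newest backup version
# identifier that wbadmin get versions reports and builds the recovery command.
function Get-WbVersionIdentifiers {
    param([string[]]$WbadminOutput)
    # wbadmin get versions prints one "Version identifier: MM/DD/YYYY-HH:MM" line per backup.
    foreach ($line in $WbadminOutput) {
        if ($line -match '^\s*Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})\s*$') {
            $Matches[1]
        }
    }
}

function Get-NewestWbVersion {
    param([string[]]$Identifiers)
    # Sort by the parsed timestamp rather than the string, so 12/01/2012 does not beat 03/31/2013.
    $Identifiers |
        Sort-Object { [datetime]::ParseExact($_, 'MM/dd/yyyy-HH:mm', [cultureinfo]::InvariantCulture) } |
        Select-Object -Last 1
}

function New-WbRecoveryCommand {
    param([string]$Version, [string]$Volume, [string]$BackupTarget)
    # Builds the command as a string so an administrator can review it before running it.
    "wbadmin start recovery -version:$Version -itemType:Volume -items:$Volume -backupTarget:$BackupTarget"
}

# Constructed sample of wbadmin get versions output (two backups on drive D:).
$sampleOutput = @(
    'Backup time: 3/31/2013 10:00 AM',
    'Backup target: Fixed Disk labeled D:',
    'Version identifier: 03/31/2013-10:00',
    'Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State',
    '',
    'Backup time: 4/7/2013 2:00 AM',
    'Backup target: Fixed Disk labeled D:',
    'Version identifier: 04/07/2013-02:00',
    'Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State'
)

# On a real client, replace $sampleOutput with the output of: wbadmin get versions -backupTarget:D:
$newest = Get-NewestWbVersion -Identifiers (Get-WbVersionIdentifiers -WbadminOutput $sampleOutput)
New-WbRecoveryCommand -Version $newest -Volume 'E:' -BackupTarget 'D:'
# Review the printed command, then run it from an elevated command prompt.
```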
Note: Windows 8.1 does not include Windows 7 File Recovery features that were included
in Windows 8.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
   Password: Pa$$w0rd
   Domain: Adatum
Demonstration Steps
Create and edit a Microsoft Word document
5. In the documents folder, right-click an area of free space, point to New, and then click Microsoft
   Word Document.
9. In the First things first Wizard, click Ask me later, and then click Accept.
10. Click Next three times, and then click All done.
11. In Word, type This is my file, and then press the Ctrl+S keys.
12. Close Word.
3. In Control Panel, click System and Security, and then click File History.
5. In the File History window, click Advanced settings, review the options, and then click Cancel.
9. Double-click the Administrator@Adatum.com folder, which is the File History backup folder.
10. Double-click the LON-CL1 folder, and notice that it contains the backed-up files.
3. In File Explorer, on the ribbon, click the Home tab, and then click History.
4. In Documents File History, right-click Recovery file.docx, and then click Restore.
5. In File Explorer, notice that the Word document has been recovered.
Completion Steps
After you have completed the practice session, leave the virtual machines running for the next
practice session.
Lesson 2
When a user's computer has functionality issues, or when it does not start correctly or does not start at all,
you must consider how best to recover the computer. Generally, you will want to select the least invasive
and least destructive means of recovery for a given situation. This lesson explores the recovery tools that
Windows 8.1 provides, identifies when to use a particular tool, and discusses considerations for using each
recovery tool.
Lesson Objectives
After completing this lesson, you will be able to:
Explain the process of creating and using a system image for recovery.
Advanced Options
If users experience a problem with their computer that cannot be fixed easily, you might need to
consider using one of the several recovery tools that Windows 8.1 provides. You can access the
following recovery tools from the Advanced options menu in Windows 8.1:
System Restore
Startup Repair
Command Prompt
Startup Settings
   d. Click Recovery, and then in the details pane, under Advanced startup, click Restart now.
   e. When the computer has restarted, on the Choose an option page, click Troubleshoot, and then
      click Advanced options. You can then select one of the options previously listed.
2. Insert the Windows 8.1 product DVD (or other bootable media) and start the computer.
   b. When prompted to Press any key to boot from CD or DVD, press a key. Windows Recovery
      Environment (Windows RE) starts.
   c. In Windows Setup, click Next, and then click Repair your computer.
   d. On the Choose an option page, click Troubleshoot, and then click Advanced options. You can
      then select one of the options listed above.
Note: If you choose the second method to access Advanced options, the Startup Settings
option is unavailable.
All apps and drivers installed before the selected restore point are restored to their state at that point.
The user's personal files are not affected by the restore operation.
Before you can use System Restore to recover a computer, you must enable System Restore. To enable
System Restore, perform the following procedure:
1. From Start, click the Desktop tile, and then press Windows+C.
6. Click Turn on system protection, and then configure the amount of disk space to reserve for system
   restore points.
   e. In System Properties, on the System Protection tab, click System Restore. System Restore starts.
   g. Use the most recent restore point that you think will yield a successful restore. Doing so
      minimizes any post-restoration work that you might have to undertake. If you are unsure of the
      impact of selecting a particular restore point, click Scan for affected programs. System Restore
      presents you with a summary of programs and drivers affected by the restoration process. This
      can help you determine which programs and drivers you must restore manually after System
      Restore completes.
2. If you cannot start your computer normally, use the following procedure:
   a. Insert the Windows 8.1 product DVD (or other bootable media), and start the computer.
   b. When prompted to Press any key to boot from CD or DVD, press a key. Windows RE starts.
   c. In Windows Setup, click Next, and then click Repair your computer.
   d. On the Choose an option page, click Troubleshoot, and then click Advanced options.
   f. On the Choose a target operating system page, select the appropriate installation. Usually,
      only a single operating system is installed, and normally, you would click Windows 8.1. System
      Restore starts to scan for restore points.
   i. At the Once started, System Restore cannot be interrupted prompt, click Yes.
Note: As a safety precaution, you can undo any System Restore operation that you
perform. To revert a restore point, click Undo System Restore and follow the onscreen prompts.
This reverts the previously applied restore point.
Considerations
System restore provides you a convenient way to resolve computer functionality, startup, and
configuration problems without necessarily identifying the cause of the problem. However, System
Restore will roll back the entire configuration of a computer, irrespective of the nature of the problem.
Therefore, consider alternatives to using System Restore where possible. For example, to resolve a device
driver problem, consider using the driver rollback feature.
Note: If you use System Restore to restore your computer to a previous point in time,
be aware that it is possible that connectivity to the computer's domain might be affected.
Specifically, if the computer's password has changed since the restore point was created,
your computer will be unable to sign in to the domain. In this instance, you must reset the
computer's secure channel with the domain. You can do this by using the Windows PowerShell
Reset-MachineAccountPassword cmdlet.
You can also use Netdom and Active Directory Users and Computers.
Note: For additional information about System Restore, see Module 2: Troubleshooting
Startup Issues in this course.
Use the Recovery Drive Wizard to create your system image. You will need a removable drive, such as a
USB flash drive, to store the system image. Everything on the target drive is deleted when you initiate the
option to create a system image.
If your computer does not start correctly or starts with significant problems, and you have a system image,
you can use it to recover your computer. To start the recovery process, start your computer from the
product DVD, and then when prompted, select Repair your computer.
Note: You also can access System Image Recovery from within Windows 8.1 by selecting
Update & recovery from Change PC settings. Click Recovery, and then, under Advanced startup,
click Restart now. When the computer has started into recovery mode, complete the following
instructions to apply a system image.
Click Troubleshoot, click Advanced options, and then click System Image Recovery. Select the target
operating system to recover (there is usually only one to choose). The Re-image your computer wizard
starts and scans the computer for valid system images. At this point, insert the flash drive that you used to
store the system image, and then follow the onscreen instructions to recover your computer.
Considerations
Keep in mind that using a system image to recover your computer is destructive. Everything on the
target computer is erased as part of the reimaging process. If you can recover your computer using a less
destructive process, you should consider it. However, using a system image is convenient because you do
not have to consider what went wrong with the computer. You can just restore it in its entirety to the
point in time when you created the system image backup.
Note: You can choose the Refresh your PC option to recover a computer that does not
start correctly, without erasing the entire computer.
Refresh Your PC
Use the Refresh your PC option when your computer has suffered significant configuration
problems or errors and is not running correctly. If you suspect a driver issue, always attempt to
resolve that by using the less destructive options, such as driver rollback, or by using System Restore
and choosing a recent restore point.
When you perform a refresh, the following takes place:
o The Refresh your PC option is not as destructive as performing the Reset your PC option. However,
although your Windows Store apps, personal files, and personalization settings are retained, all your
desktop apps are removed, and all your computer's configuration settings are reverted to their initial,
post-installation state.
o You must reinstall any desktop apps and reapply any updates and configuration changes you made
since the computer was first installed with Windows 8.1.
o Unlike when you use System Image Recovery, you do not need a backup to perform a refresh.
1. From within Windows 8.1:
d. Click Recovery, and then in the details pane, under Refresh your PC without affecting your
files, click Get started.
g. At the Ready to refresh your PC prompt, click Refresh. Your computer restarts and the Refresh
process begins.
2. From Windows RE:
a. Insert the Windows 8.1 product DVD (or other bootable media), and start the computer.
b. When prompted to Press any key to boot from CD or DVD, press a key. Windows RE starts.
c. In Windows Setup, click Next, and then click Repair your computer.
d. On the Choose an option page, click Troubleshoot, and then click Refresh your PC.
e. On the Choose a target operating system page, click the target operating system. Typically,
only a single operating system is installed, so you would click Windows 8.1.
g. On the All ready to go page, click Refresh. The Refresh your PC process begins.
Reset Your PC
Use the Reset your PC option when you wish to revert your computer to its post-installation
settings, or when you want to recycle your computer, perhaps to allow a different user to
use the computer. The Reset your PC option is very destructive, and when you perform a reset,
the following takes place:
1. All your Windows Store apps and desktop apps are removed.
2. Your personal files, personalization settings, and all your computer's configuration settings are
reverted to their initial, post-installation state.
4. You must reinstall any Windows Store and desktop apps, and then reapply any updates and
configuration changes you made since the computer was first installed with Windows 8.1.
5. Unlike when you use System Image Recovery, you do not need a backup to perform a reset.
1. From within Windows 8.1:
d. Click Recovery, and then in the details pane, under Remove everything and reinstall
Windows, click Get started.
f. On the Your PC has more than one drive page, click either:
i. Only the drive where Windows is installed. This wipes the operating system drive and
retains the content of other drives.
ii. All drives.
g. On the Do you want to fully clean your drive? page, click either:
i. Just remove my files. Use this option if you intend to continue using the computer after it
has been reset.
ii. Fully clean the drive. Choose this option if you want the reset process to perform a low-level
disk clean during the reset. This can take longer, but it is the recommended option if
you intend to give your computer to someone else.
h. On the Ready to reset your PC page, click Reset. The Reset your PC process begins.
2. From Windows RE:
a. Insert the Windows 8.1 product DVD (or other bootable media) and start the computer.
b. When prompted to Press any key to boot from CD or DVD, press a key. Windows RE starts.
c. In Windows Setup, click Next and then click Repair your computer.
d. On the Choose an option page, click Troubleshoot and then click Reset your PC.
e. On the Choose a target operating system page, click the target operating system. Usually, only
one operating system is installed, and so generally, you click Windows 8.1.
g. Optionally, if your computer has more than one drive, on the Your PC has more than one drive
page, click either:
i. Only the drive where Windows is installed.
ii. All drives.
h. On the Do you want to fully clean your drive? page, click either:
i. Just remove my files.
ii. Fully clean the drive.
Preparation Steps
For this practice session, you need to use the available virtual machine environment. These machines
should be running from the previous practice session. If they are not, before you begin the practice
session, you must complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
5. Sign in by using the following credentials:
o Password: Pa$$w0rd
o Domain: Adatum
Demonstration Steps
Initiate the Refresh your PC process
1. Switch to LON-CL1.
2. Click Start.
3. On the Start screen, press the Windows+C keys, and then click Settings.
6. In Update and recovery, click Recovery, and then in the details pane, under Refresh your PC
without affecting your files, click Get started.
9. At the Ready to refresh your PC prompt, click Refresh. Your computer restarts and the Refresh
process begins.
Note: Because this process takes an extended time, you will not complete it.
Initiate the Reset your PC process
Sign in by using the following credentials:
o Password: Pa$$w0rd
o Domain: Adatum
1. Right-click Start, point to Shut down or sign out, and then click Restart.
2. When prompted to Press any key to boot from CD or DVD, press a key.
3. In Windows Setup, click Next, and then click Repair your computer.
4. On the Choose an option page, click Troubleshoot, and then click Reset your PC.
7. On the Your PC has more than one drive page, click All drives.
8. On the Do you want to fully clean your drive? page, click Fully clean the drive.
9. On the All ready to go page, click Reset. The Reset your PC process begins.
Note: Wait until the reset process has begun, and then revert your virtual machines in
preparation for the lab, by following the instructions above.
Completion Steps
After you have completed the practice session, revert the virtual machines in preparation for the lab:
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
A user has reported a problem with his computer. The help desk has investigated the incident, and has
escalated the problem to you for resolution.
Note: The problem reported and its solution may have nothing to do with the content
discussed in this module.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
5. Sign in by using the following credentials:
o Password: Pa$$w0rd
o Domain: Adatum
Incident Record
Date of Call: December 1
Time of Call: 09:01
User: Josh Bailey (Research Department)
Status: OPEN
Incident Details
Josh cannot sign into his computer using a domain account.
Additional Information
o LON-CL1, Josh's computer, is domain-joined.
o Josh has been using his laptop while working outside of the office, and he says he might have
reconfigured some network settings to connect to another network.
o I cannot connect remotely to the device. It does not appear to be on the network at all.
o The local account LON-CL1\ADMIN (password is Pa$$w0rd) allows Josh to sign in locally, but there is
no network function.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
1. Switch to LON-CL1.
2. Sign in by using the following credentials:
o Password: Pa$$w0rd
1. Attempt to resolve the problem by using your knowledge of the recovery techniques and tools in
Windows 8.1.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment and begin again.
Results: When you have completed this exercise, you should have recovered the Windows 8.1 computer.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
5. Sign in by using the following credentials:
o Password: Pa$$w0rd
o Domain: Adatum
The help desk has passed you this ticket that they have been unable to resolve. You must read the details
and develop a plan of action before you attempt to resolve the problem.
Incident Record
Incident Reference Number: 723625
Date of Call: December 2
Time of Call: 17:32
User: Arlene Huff (Sales Department)
Status: OPEN
Incident Details
Arlene has been unable to access some media files that she has on a CD.
Additional Information
o Arlene can use the disc on her colleagues' machines, just not her own.
o I remotely connected to Arlene's laptop, and the CD/DVD device is not showing in This PC, but the
CD device spins up physically when a disc is inserted. It appears that Windows just cannot see it.
o I determined that a number of recent driver updates were applied to Arlene's computer.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
1. Switch to LON-CL1.
2. Sign in by using the following credentials:
o Password: Pa$$w0rd
1. Attempt to resolve the problem by using your knowledge of troubleshooting Windows 8.1.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment and begin again.
Results: When you have completed this exercise, you should have recovered the Windows 8.1 computer.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
Course Evaluation
Your evaluation of this course will help Microsoft understand
the quality of your learning experience.
Please work with your training provider to access the course
evaluation form.
Microsoft will keep your answers to this survey private and
confidential and will use your responses to improve your
future learning experience. Your open and honest feedback
is valuable and appreciated.
1. Read help-desk Incident Record 701338 in the exercise scenario in the Student Handbook.
2. With the class, discuss the questions that you might ask the user so that you can develop a plan of
action, including:
o Who was operating the computer when the problem first occurred?
o Who else is operating the computer, and have they experienced similar problems?
o When did this problem first occur, and has it occurred since?
o When was an application last installed, updated, or removed from or on the computer?
o What steps have the help desk already taken to attempt resolution, if any?
o What suggestions have the help desk received regarding a possible resolution?
o How does the help desk think that the problem occurred?
o Why does the help desk think that the problem occurred?
1. Read the Additional Information section of the Incident Record in the exercise scenario in the Student
Handbook.
2. Attempt a remote connection to the user's computer, but if necessary, visit the user's computer.
Results: After completing this exercise, you should have developed a plan of action for the resolution of
the user's reported problem.
1. Read the help desk Incident Record 722137 in the student handbook exercise scenario.
1. Read the Additional Information section of the Incident Record in the student handbook exercise
scenario.
2. Update the Plan of Action section in the Incident Record with your recommendations:
b. Insert the Windows 8.1 product DVD, and restart the computer.
c. Use Windows Recovery Environment (Windows RE) to recover the startup environment
automatically.
1. Switch to LON-CL1.
2. Sign in by using the following credentials:
o Password: Pa$$w0rd
2. Stop 20688D-LON-CL1:
Start 20688D-LON-CL1:
3. When prompted to Press any key to boot from CD or DVD, press the space bar. Notice that the
computer boots into Windows Setup.
9. At the command prompt, type bootrec /rebuildbcd, and then press Enter.
Sign in by using the following credentials:
o Password: Pa$$w0rd
Results: After completing this exercise, you should have resolved the startup problem.
1. Read the help desk Incident Record 722140 in the student handbook exercise scenario.
1. Read the Additional Information section in the Incident Record in the student handbook exercise
scenario.
2. Update the Plan of Action section in the Incident Record with your recommendations:
b. Insert the Windows 8.1 product DVD, and restart the computer.
1. Switch to LON-CL1.
2. Sign in by using the following credentials:
o Password: Pa$$w0rd
2. Stop 20688D-LON-CL1:
Start 20688D-LON-CL1:
3. When prompted to Press any key to boot from CD or DVD, press the space bar. Notice that the
computer boots into Windows Setup.
13. In the Once started, System Restore cannot be interrupted. Do you want to continue? dialog
box, click Yes. Notice that the system restore process begins.
Note: System Restore can take an extended period of time.
14. When prompted, click Restart.
15. Once your computer has restarted, sign in as Adatum\administrator with the password Pa$$w0rd.
16. Update the Resolution section in the Incident Record:
Results: After completing this exercise, you should have successfully resolved a startup problem.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
1. Read the help desk Incident Record 722151 in the student handbook exercise scenario.
1. Read the Additional Information section of the Incident Record. Update it with the recovery key you
recorded earlier.
2. On LON-CL1, right-click Start, point to Shut down or sign out, and then click Restart.
2. During the restart sequence, when the BitLocker Drive Encryption screen displays, in the Enter the
password to unlock this drive text box, type wrong password, and then press Enter. Notice that
you cannot access the computer with the password the user has provided.
2. On the BitLocker recovery page, in the Enter the recovery key for this drive text box, type the
recovery key you recorded earlier, and then press Enter.
Note: You do not need to type the hyphens in the recovery key, because the Windows
operating system adds them.
3. Entered the recovery key, and was able to start Windows normally.
Results: After completing this exercise, you should have recovered a BitLocker-encrypted drive and
enabled the computer to start up.
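The exercise above depends on a recovery key that was "recorded earlier". As an added Windows PowerShell example (not part of the course material), the following checks that the protected volume actually has a recovery password protector and escrows it to Active Directory Domain Services, so that the help desk can read it from the computer object instead of relying on a note. It assumes the BitLocker module (Windows 8.1 and later), an elevated prompt, that the drive is C:, and that Group Policy permits backing up recovery information to AD DS; none of those specifics come from the lab text.

```powershell
# Added example (not from the course): confirm a recovery password protector exists for the
# BitLocker volume and back it up to AD DS before it is ever needed.
# Assumptions: BitLocker module available, elevated prompt, drive C:, and a GPO that allows
# "Store BitLocker recovery information in Active Directory Domain Services" (not configured here).

$mount = 'C:'
$vol = Get-BitLockerVolume -MountPoint $mount

# Protectors of type RecoveryPassword hold the 48-digit key typed on the recovery screen.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recovery) {
    # Add one so that a forgotten unlock password cannot make the drive unrecoverable.
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

foreach ($kp in $recovery) {
    # Escrow the protector to the computer object in AD DS.
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $kp.KeyProtectorId

    # Record only the protector ID in the incident record; the key itself stays in AD DS.
    Write-Output ("Recovery password protector {0} escrowed for {1}" -f $kp.KeyProtectorId, $mount)
}
```

The protector ID is what the recovery screen shows as the identifier, so logging it (and not the 48-digit key) in the ticket lets a technician match the computer to the right escrowed key without the key ever passing through the help-desk system.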
7. In the BitLocker Drive Encryption (C:) dialog box, click Reset a forgotten password.
8. On the Create a password to unlock this drive page, in the Enter your password and Reenter
your password boxes, type Pa$$w0rd2, and then click Finish.
9. In the Your password has been changed dialog box, click OK.
10. On LON-CL1, right-click Start, point to Shut down or sign out, and then click Restart.
11. During the restart sequence, when the BitLocker screen displays, in the Enter the password to
unlock this drive box, type Pa$$w0rd2, and then press Enter. Notice that Windows starts normally.
Do not sign in.
Results: After you have completed this exercise, you should have created a new BitLocker password.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
1. Read the help desk incident record 722201 in the student handbook exercise scenario.
1. Read the Additional Information section of the Incident Record in the Student Handbook.
2. Update the Plan of Action section of the Incident Record with your recommendations:
o Visit the user's computer and attempt to resolve the problem by trying driver rollback, if
necessary with Safe Mode.
1. Switch to LON-CL1.
2. Sign in by using the following credentials:
o Password: Pa$$w0rd
1. Switch to LON-CL1.
Sign in by using the following credentials:
o Password: Pa$$w0rd
Note: The computer mouse does not work. Trying to roll back the driver is unsuccessful.
Using Safe mode does not work. System Restore is the only means to resolve this driver issue.
3. The mouse is not working. Type cmd.exe, and then press Enter.
4. At the command prompt, type shutdown /r, and then press Enter.
5. During the restart, when prompted to Press any key to boot from CD or DVD, press the space bar.
The computer boots into Windows Setup.
Resolution
1. Attempted to uninstall the mouse manually and restarted the computer; this failed to resolve the issue.
2. Used msconfig.exe to access Safe Mode. Mouse not functional in Safe Mode.
Note: When you have completed the exercise, change the virtual machine back from full
screen mode. In the 20688D-LON-CL1 on localhost window, click Restore Down.
Results: When you have completed this exercise, you should have resolved the hardware issue.
3. Answer the questions in the Group Policy Object (GPO) planning document:
o Answer: Answers will vary, but you could use two. The Default Domain Policy could support both
the all-users restriction and the administrators' non-restriction. A new GPO could support the
Research Department requirements.
o Answer: The Default Domain Policy is linked to the Adatum.com domain. You could link the new
GPO to the Research Department organizational unit (OU).
o Answer: Configure the Default Domain Policy to enable printer installation by using the setting:
Allow non-administrators to install drivers for these device setup classes.
o How will you accommodate the requirement to support the Research Department's needs?
Answer: Either install the drivers into the driver store on each Research department computer, or
configure the Research GPO with permissions to install drivers of the GUID of the specified setup
class for mouse, printer, and keyboard. Use this setting: Allow installation of devices using drivers
that match these device setup classes.
o Answer: Configure the Allow administrators to override Device Installation Restrictions policies
setting in the Default Domain Policy.
Results: After you have completed this exercise, you should have configured GPOs to control device
installation.
When you have completed the lab, leave the virtual machines running for the next practice session.
2. Press the Windows+C keys, click Settings, and then click Control Panel.
5. In the Name list, locate Remote Desktop and select the Domain, Private, and Public check boxes,
and then click OK.
7. In System Properties, under Remote Desktop, click Allow remote connections to this computer.
9. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box,
type Adam, click Check Names, and then click OK.
13. Switch to the LON-CL3 virtual machine, and, if necessary, sign in as Adatum\Administrator with the
password Pa$$w0rd.
14. On the Start screen, type mstsc, and then press Enter.
15. In the Remote Desktop Connection dialog box, in the Computer text box, type LON-CL1, and then
click Show Options.
16. Click the Advanced tab.
17. Under Server authentication, in the If server authentication fails list, click Connect and don't
warn me.
3. In the User name text box, type Adatum\Adam. In the Password text box, type Pa$$w0rd, and
then click OK.
5. Switch to LON-CL1.
7. Switch to LON-CL3.
Results: After completing this exercise, you should have successfully used Remote Desktop to manage a
remote computer.
3. On the Start screen, under the Desktop tile, click the down arrow.
5. In the First things first dialog box, click Ask me later, and then click Accept.
6. In the Welcome to your new Office Wizard, click Next three times, and then click All done.
9. On the ribbon, click the File tab, and then click Save.
1. Click Start.
2. On the Start screen, below the Desktop tile, click the down arrow.
5. If prompted, in the User Account Control dialog box, in the User name text box, type
administrator.
6. In the Password text box, type Pa$$w0rd, and then click Yes.
7. Verify that the Allow Remote Assistance connections to this computer check box is selected, and
then click OK.
8. Close System.
9. Click Start.
12. On the How do you want to invite your trusted helper page, click Save this invitation as a file.
13. On the Save as page, in the File name field, type \\LON-dc1\Share\Adams-Invite, and then click
Save.
14. Write down the password.
2. On the taskbar, click File Explorer, navigate to \\LON-DC1\share, and then double-click
Adams-Invite.msrcincident.
3. In the Remote Assistance dialog box, in the Enter password box, type the password that you wrote
down in the previous task, and then click OK.
Results: After completing this exercise, you should have successfully used Remote Assistance to manage a
remote computer.
1. Switch to LON-CL1.
7. At the Windows PowerShell prompt, type the following command, and then press Enter:
winrm quickconfig
8. When prompted, press Y, and then press Enter, and then press Y, and then press Enter again.
9. At the Windows PowerShell prompt, type the following command, and then press Enter:
Enable-PSRemoting -Force
1. Switch to LON-DC1.
3. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-Command -ComputerName LON-CL1 -ScriptBlock {Get-EventLog -LogName System}
4. At the Windows PowerShell prompt, type the following command, and then press Enter:
$s = New-PSWorkflowSession -ComputerName LON-CL1
5. At the Windows PowerShell prompt, type the following command, and then press Enter:
Enter-PSSession $s
6. At the Windows PowerShell prompt, type the following command, and then press Enter:
exit
7. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-Command -Session $s -ScriptBlock {$c = Get-Command}
8. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-Command -Session $s -ScriptBlock {$c.Count}
9. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-Command -ComputerName LON-CL1, LON-CL3 -ScriptBlock {Get-Culture}
10. At the Windows PowerShell prompt, type the following command, and then press Enter:
$s = New-PSWorkflowSession -ComputerName LON-CL1, LON-CL3
11. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-Command -Session $s -ScriptBlock {$c = Get-Command}
12. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-Command -Session $s -ScriptBlock {$c.Count}
Results: After completing this exercise, you should have successfully established a remoting session and
performed remote management of LON-DC1 with Windows PowerShell cmdlets.
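The remoting steps above, collected into one script as an added Windows PowerShell example (not part of the course material). It shows the point of steps 7 and 8: a variable set in one Invoke-Command call survives to the next only inside a persistent session, whereas ad hoc calls lose it. The example uses the general-purpose New-PSSession rather than the New-PSWorkflowSession cmdlet the lab uses, and assumes it is run on LON-DC1 as a domain administrator against LON-CL1 and LON-CL3 with remoting already enabled and WinRM (TCP 5985) reachable.

```powershell
# Added example (not from the course): ad hoc versus persistent remoting sessions.
# Assumptions: run on LON-DC1 as a domain admin; LON-CL1 and LON-CL3 have
# Enable-PSRemoting -Force applied and accept WinRM on TCP 5985.

$targets = 'LON-CL1', 'LON-CL3'

# Ad hoc invocation: each call opens and tears down its own temporary session,
# so $c exists only for the lifetime of this script block.
Invoke-Command -ComputerName $targets -ScriptBlock { $c = Get-Command; $c.Count }

# Persistent sessions: state set in one call is visible in the next.
$s = New-PSSession -ComputerName $targets
try {
    Invoke-Command -Session $s -ScriptBlock { $c = Get-Command }

    # Invoke-Command stamps each result with PSComputerName, so per-host output stays attributable.
    Invoke-Command -Session $s -ScriptBlock { $c.Count } |
        Select-Object PSComputerName, @{ n = 'Commands'; e = { $_ } }

    # The System event log query from step 3, limited to the newest entries to keep output short.
    Invoke-Command -Session $s -ScriptBlock { Get-EventLog -LogName System -Newest 5 } |
        Select-Object PSComputerName, TimeGenerated, EntryType, Source, EventID
}
finally {
    # Always remove sessions: each one keeps a wsmprovhost.exe process alive on the remote host.
    Remove-PSSession -Session $s
}
```

Leaving sessions open is the usual mistake in this procedure; the lab's step 6 (exit) only leaves the interactive prompt and does not remove the session, which is why the try/finally above calls Remove-PSSession explicitly.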
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
1. Read the help desk incident record 723012 in the Student Handbook Exercise Scenario.
1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise
Scenario.
c. Attempt to connect to the same resource from other computers in the Research department.
e. The fact that others are being affected suggests a server-side problem.
1. Switch to LON-CL1.
2. Sign in by using the following credentials:
o Password: Pa$$w0rd
3. At the Windows PowerShell command prompt, type Get-NetIPAddress, and then press Enter.
Notice that the IPv4 address has the prefix 169.254.
4. At the Windows PowerShell command prompt, type ipconfig /renew, and then press Enter. Notice
that this is unsuccessful.
5. Switch to LON-DC1.
6. In Server Manager, click Tools, and then click DHCP. Notice that the server is not available.
7. Close DHCP.
8. Click Start.
10. In the Services list, right-click DHCP Server, and then click Start.
11. In Server Manager, click Tools, and then click DHCP. The server is available.
o The client was unable to contact the Dynamic Host Configuration Protocol (DHCP) server to
obtain an IP configuration.
o Restarted the DHCP service, and then renewed the IP configuration on the client.
Results: After completing this exercise, you should have resolved the network-related problem.
1. Read the help desk Incident Record 723101 in the Student Handbook Exercise Scenario.
1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise
Scenario.
e. The fact that Colin is the only affected user suggests a client-side problem.
1. Switch to LON-CL1.
2. Sign in by using the following credentials:
o Password: Pa$$w0rd
3. At the Windows PowerShell command prompt, type Get-DnsClientCache, and then press Enter.
Notice that records are returned.
4. At the Windows PowerShell command prompt, type Clear-DnsClientCache, and then press Enter.
5. At the command prompt, type Test-Connection lon-dc1, and then press Enter. Notice that this is
unsuccessful.
6. At the command prompt, type Get-DnsClientCache | fl, and then press Enter. Notice that the wrong
IP address is returned for LON-DC1.
7. At the Windows PowerShell command prompt, type nslookup LON-DC1, and then press Enter.
Notice that the correct record is returned from the Domain Name System (DNS) server.
9. Scroll to the end of the file, delete 172.16.0.1 lon-dc1, and then press Enter.
12. At the Windows PowerShell command prompt, type Clear-DnsClientCache, and then press Enter.
13. At the Windows PowerShell command prompt, type Test-Connection lon-dc1, and then press Enter.
14. At the Windows PowerShell command prompt, type Get-DnsClientCache | fl, and then press Enter.
You can now see the correct record for LON-DC1 in the cache.
15. At the Windows PowerShell command prompt, type Resolve-DnsName LON-DC1 | fl, and then press
Enter. This is successful.
16. Click File Explorer.
17. In the File Explorer address bar, type \\LON-DC1\Research, and then press Enter. The folder opens.
Note: You may be prompted to sign in. If so, sign in as Adatum\administrator with the
password Pa$$w0rd.
18. Close File Explorer.
19. Click Internet Explorer.
20. In the Windows Internet Explorer Address bar, type http://lon-dc1, and then press Enter. This
connection attempt is now successful.
21. Update the Resolution section of the Incident Record with the following comments:
o The client had an incorrect entry in the hosts file. Since this entry is used to populate the DNS
resolver cache, the client could not resolve the host name LON-DC1.
o Removed the entry, and the client was able to connect to resources.
Results: After completing this exercise, you will have resolved the network-related problem.
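The root cause above (a hosts-file entry preloaded into the resolver cache) is the same mechanism that malware and some proxy software use to redirect name resolution, so it is worth being able to detect it without walking through the cache by hand. The following is an added Windows PowerShell example, not part of the course material: it parses the hosts file, compares what the resolver cache holds against what the DNS server itself answers, and flags names whose hosts entry disagrees with DNS. It assumes the DnsClient module (Windows 8 and later) and uses LON-DC1 from the lab as the name to check.

```powershell
# Added example (not from the course): detect hosts-file overrides that poison the resolver cache.
# Assumptions: DnsClient module available; the name list below uses the lab host LON-DC1.

$names = @('LON-DC1')
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$ipv4 = '^\d{1,3}(\.\d{1,3}){3}$'

# 1. Parse non-comment hosts entries into a name -> address map (names are case-insensitive).
$hostsMap = @{}
Get-Content -Path $hostsPath | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()          # drop trailing comments and blank lines
    if ($line) {
        $parts = $line -split '\s+'
        if ($parts.Length -ge 2) {
            foreach ($alias in $parts[1..($parts.Length - 1)]) {
                $hostsMap[$alias.ToLower()] = $parts[0]
            }
        }
    }
}

foreach ($n in $names) {
    $key = $n.ToLower()

    # 2. Ask the DNS server directly; -DnsOnly bypasses the hosts file and the resolver cache.
    $fromServer = @(Resolve-DnsName -Name $n -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })

    # 3. What the resolver cache currently holds for the name (hosts entries are preloaded here).
    $cached = @(Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "$n*" -and $_.Data -match $ipv4 } |
        ForEach-Object { $_.Data })

    $hostsEntry = $hostsMap[$key]

    [pscustomobject]@{
        Name       = $n
        HostsFile  = $hostsEntry
        Cache      = ($cached -join ',')
        DnsServer  = ($fromServer -join ',')
        # Overridden: a hosts entry exists and it is not one of the addresses DNS returns.
        Overridden = [bool]$hostsEntry -and ($hostsEntry -notin $fromServer)
    }
}
```

Run it before step 9 and the LON-DC1 row shows HostsFile 172.16.0.1 with Overridden set to True; run it again after steps 9 and 12 and the hosts column is empty and the cache agrees with the server. Because the hosts file is writable only by administrators, a True result on a user's workstation also tells you that something with elevated rights changed it, which belongs in the incident record.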
1. Read the help desk Incident Record 723123 in the Student Handbook Exercise Scenario.
1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise
Scenario.
o Clients may fail to connect because their computers are not configured with the appropriate
wireless settings.
o Some wireless access points may be in the wrong place, enabling connections from the
parking lot.
i. Examine the location for sources of interference and, where possible, move the wireless
access points from these areas.
iii. Consider moving the wireless access points. In addition, consider the selected wireless
channel, antennas, use of wireless repeaters, and updating drivers and/or firmware. Also,
ensure that certificate-based authentication and a high level of encryption are being used to help
to ensure security.
Results: After completing this exercise, you should have successfully developed a plan of action for the
resolution of these incidents.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
1. Read the help desk incident record 723151 in the student handbook exercise scenario.
1. Read the Additional Information section of the Incident Record in the student handbook exercise
scenario.
2. Update the Plan of Action section of the Incident Record with your recommendations:
a. Verify configuration for LON-LAB1, and ensure that LON-CL3 has the same configuration.
b. Resultant Set of Policy (RSoP) from Group Policy Modeling will provide configuration information
for LON-LAB1.
2. Sign in by using the following credentials:
o Password: Pa$$w0rd
o Domain: Adatum
4. Verify that the Desktop shortcut for the Research application is not present. It should display for any
account.
6. In Server Manager, click Tools, and then click Active Directory Users and Computers.
7. In Active Directory Users and Computers, expand Adatum.com, and then click Computers.
9. In the Move window, expand Research, click Lab, and then click OK.
Sign in by using the following credentials:
o Password: Pa$$w0rd
o Domain: Adatum
16. At the command prompt, type gpupdate /force, and then press Enter.
17. Right-click Start, point to Shut down or sign out, and then click Sign out.
18. On LON-CL3, sign in by using the following credentials:
o Password: Pa$$w0rd
o Domain: Adatum
o RSoP from Group Policy Modeling indicates that LON-LAB1 has a GPO named ResearchLabs
applied. ResearchLabs GPO is linked to Adatum.com/Research/Lab.
o LON-CL3 is located in the Computers container and will not apply the ResearchLabs GPO.
Results: After completing this exercise, you will have successfully resolved Group Policy Object (GPO)
application issues.
1. Read the help desk incident record 723160 in the student handbook exercise scenario.
1. Read the Additional Information section of the Incident Record in the student handbook exercise
scenario.
2. Update the Plan of Action section of the Incident Record with your recommendations:
a. Visit the user's computer and attempt to determine why the new policy is not being applied.
1. Switch to LON-CL1.
2. Sign in by using the following credentials:
o Password: Pa$$w0rd
2. Sign in by using the following credentials:
o Password: Pa$$w0rd
4. At the command prompt, type gpupdate /force, and then press Enter. Notice that Group Policy fails
to update.
6. Type This PC, right-click This PC, and then click Properties.
7. In the System Properties dialog box, in the Computer name, domain, and workgroup settings
area, click Change settings.
8. In the System Properties dialog box, on the Computer Name tab, click Change.
10. In the Workgroup text box, type TEMP, and then click OK.
11. Click OK to acknowledge the warning.
12. Click OK to clear the welcome message.
13. Click OK to clear the message about restarting.
14. In the System Properties dialog box, on the Computer Name tab, click Change.
15. In the Computer Name/Domain Changes dialog box, click Domain.
16. In the Domain text box, type Adatum.com, and then click OK.
17. In the Windows Security window, sign in as Administrator with the password Pa$$w0rd.
18. Click OK to clear the welcome message.
19. Click OK to clear the message about restarting.
20. In the System Properties dialog box, click Close, and then click Restart Now.
21. Sign in by using the following credentials:
o Password: Pa$$w0rd
Right-click Start.
At the command prompt, type gpupdate /force, and then press Enter.
a. Ran GPUpdate, and saw an error related to processing for the computer account.
b. Group Policy event log indicated that account information could not be retrieved.
c. The System event log had a NETLOGON error indicating that the computer password may be a
problem.
d. Rejoined the domain and the problem is resolved. The user was logging on with cached credentials.
Results: After completing this exercise, you will have successfully resolved GPO application issues.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
Read the help desk incident record 723411 in the Student Handbook Exercise Scenario.
Read the Additional Information section of the Incident Record in the Student Handbook Exercise
Scenario.
2.
Update the Plan of Action section of the Incident Record with your recommendations:
a.
b.
c.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
Password: Pa$$w0rd
5.
Type This PC, right-click This PC, and then click Properties.
6.
In the System window, in the Computer name, domain, and workgroup settings area, click
Change settings.
7.
In the System Properties dialog box, on the Computer Name tab, click Change.
8.
9.
11. If prompted, in the Windows Security window, sign in as Administrator with the password
Pa$$w0rd.
12. Click OK to clear the welcome message.
13. Click OK to clear the message about restarting.
14. In the System Properties dialog box, on the Computer Name tab, click Change.
15. In the Computer Name/Domain Changes dialog box, click Domain.
16. In the Domain text box, type Adatum.com, and then click OK.
17. In the Windows Security window, sign in as Administrator with the password Pa$$w0rd.
18. Click OK to clear the welcome message.
19. Click OK to clear the message about restarting.
20. In the System Properties dialog box, click Close.
21. Click Restart Now.
22. Sign in using the following credentials:
o
Password: Pa$$w0rd
23. Notice that this time you are able to sign in.
24. Update the Resolution section of the Incident Record.
a.
b.
Rejoined the computer to the domain. This reset the computer account password and sign in was
successful.
Results: After you have completed this exercise, you should have resolved the sign-in problem.
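Both of the preceding exercises trace a sign-in or Group Policy failure to a computer account whose password no longer matches the domain (the NETLOGON error, the Group Policy "account information could not be retrieved" event, and the fix of rejoining). The following script, added here and not part of the course lab, collects the same symptoms from PowerShell and repairs the secure channel with Test-ComputerSecureChannel -Repair, which resets the computer account password without the remove-and-rejoin sequence. It assumes an elevated session on the affected client (LON-CL1) and credentials for a domain account allowed to reset computer account passwords.

```powershell
# Added example (not part of the course lab): diagnose a broken computer-account
# secure channel and repair it without the leave/rejoin sequence.
# Assumes an elevated session on the affected client (LON-CL1) and that the
# supplied credentials may reset computer account passwords in AD DS.

function Get-SecureChannelSymptoms {
    # NETLOGON errors in the System log, as the lab saw (Level 2 = Error).
    $netlogon = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Level        = 2
        StartTime    = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue

    # Group Policy processing errors in the Group Policy operational log.
    $gp = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        NetlogonErrors    = ($netlogon | Measure-Object).Count
        GroupPolicyErrors = ($gp | Measure-Object).Count
        LastNetlogon      = ($netlogon | Select-Object -First 1).Message
        # False when the computer account password no longer matches AD DS.
        SecureChannelOk   = Test-ComputerSecureChannel
    }
}

function Repair-SecureChannel {
    param([pscredential]$Credential)
    # -Repair resets the computer account password both in AD DS and in the local
    # LSA secret, which is what the lab's leave-and-rejoin steps achieve; no restart
    # is required afterwards.
    if (Test-ComputerSecureChannel -Repair -Credential $Credential) {
        'Secure channel repaired. Run gpupdate /force, then sign in again.'
    } else {
        Write-Error 'Repair failed; fall back to removing and rejoining the computer.'
    }
}

$symptoms = Get-SecureChannelSymptoms
$symptoms | Format-List
if (-not $symptoms.SecureChannelOk) {
    Repair-SecureChannel -Credential (Get-Credential -Message 'Adatum\Administrator')
}
```

Because the repair does not require a restart, a user who is currently working on cached credentials does not have to be interrupted; only the next sign-in (or gpupdate) exercises the repaired channel.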
Read the help desk incident record 723423 in the Student Handbook Exercise Scenario.
Read the Additional Information section of the Incident Record in the Student Handbook Exercise
Scenario.
2.
Update the Plan of Action section of the Incident Record with your recommendations:
a.
b.
c.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
Password: Pa$$w0rd
5.
Switch to LON-DC1.
6.
7.
8.
9.
Switch to LON-CL1.
Password: Pa$$w0rd
b.
Switched to domain controller and restarted the Domain Name System (DNS) service, which had
stopped.
c.
d.
e.
Lack of DNS service meant no domain controller could be located for sign-in.
Results: After you have completed this exercise, you should have resolved the sign-in problem.
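The root cause in this exercise is a stopped DNS Server service on the domain controller, which leaves clients unable to locate a domain controller at sign-in. The following script, added here and not part of the course lab, checks the service on LON-DC1 from a management workstation, starts it if needed, and then verifies the DC locator SRV record the client depends on. It assumes remote service-control access to LON-DC1 and the domain name Adatum.com.

```powershell
# Added example (not part of the course lab): confirm the DNS Server service on the
# domain controller and verify that a client can still locate a DC through DNS.
# Assumes LON-DC1 hosts DNS for Adatum.com and that the caller may control its services.
param(
    [string]$Domain = 'Adatum.com',
    [string]$Dc     = 'LON-DC1'
)

function Test-DnsServerService {
    param([string]$ComputerName)
    # Windows PowerShell's Get-Service accepts a remote computer name (SCM access required).
    $svc = Get-Service -Name DNS -ComputerName $ComputerName -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        Write-Warning "DNS Server service on $ComputerName is $($svc.Status); starting it."
        $svc | Start-Service
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    "DNS Server service on $ComputerName is $((Get-Service -Name DNS -ComputerName $ComputerName).Status)"
}

function Test-DcLocator {
    param([string]$Domain)
    # Domain members find a domain controller via the _ldap._tcp.dc._msdcs SRV record;
    # with DNS down this lookup fails and only cached credentials allow sign-in.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) {
        Write-Warning "No DC locator SRV records for $Domain; domain sign-in will fail."
        return $false
    }
    $srv | Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority | Format-Table -AutoSize
    return $true
}

Test-DnsServerService -ComputerName $Dc
Test-DcLocator -Domain $Domain
# nltest is the classic DC locator test; it reports "no logon servers" while DNS is down.
nltest "/dsgetdc:$Domain"
```

Resolve-DnsName queries the client's configured DNS servers, so running it on the affected client (rather than on the DC itself) reproduces what the sign-in process experiences.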
2.
In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Read the help-desk incident record 723425 in the Student Handbook Exercise Scenario.
Read the Additional Information section of the Incident Record in the Student Handbook Exercise
Scenario.
2.
Update the Plan of Action section of the Incident Record with your recommendations:
a.
b.
c.
ii.
iii.
iv.
Task 3: Create the Folder Redirection infrastructure and then simulate the problem
1.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
5.
6.
7.
8.
In the New GPO dialog box, in the Name text box, type Folder Redirection, and then click OK.
9.
10. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand
Windows Settings, expand Folder Redirection, and then click Folder Redirection.
11. Right-click Documents, and then click Properties.
12. In the Documents Properties dialog box, in the Setting list, click Advanced Specify locations for
various user groups.
13. Click Add.
14. In the Specify Group and Location dialog box, in the Security Group Membership text box, type
Marketing.
15. Press the Tab key.
16. In the Target Folder Location list, click Create a folder for each user under the root path.
17. In the Root Path text box, type \\lon-dc1\Departments\Marketing, and then click OK.
18. In the Documents Properties dialog box, click OK.
19. In the Warning dialog box, click Yes.
20. Close the Group Policy Management Editor.
Note: You will configure only the Marketing department for this lab.
21. Right-click Start, and then click Command Prompt.
22. At the command prompt, type gpupdate /force, and then press Enter.
23. When prompted, press Y, and then press Enter to close the Command window and sign out.
24. Sign in as Adatum\Boris with the password Pa$$w0rd.
25. Click Desktop.
26. Right-click the desktop, and then click Personalize.
27. In the Personalization window, click Change desktop icons.
28. In the Desktop Icons Settings dialog box, select the Users Files check box, and then click OK.
29. Close the Personalization window.
30. On the desktop, double-click Boris Gresak.
31. Right-click Documents, and then click Properties. Notice that the folder is redirected, and then
click OK.
32. Sign out.
33. Sign in by using the following credentials:
o
Password: Pa$$w0rd
34. Run the D:\Labfiles\Mod07\Scenario3b.vbs script. Wait until the script completes.
35. Sign out.
36. Sign in by using the following credentials:
o
Password: Pa$$w0rd
42. In Notepad, type This is my file, and then close the file.
43. Click Save when prompted.
44. In the Address bar, click Boris Gresak.
45. Right-click Documents, and then click Properties. Click the Offline Files tab.
46. Verify that the folder is showing as offline and not synced.
47. Sign out.
Switch to LON-DC1.
2.
3.
4.
5.
6.
7.
In the Advanced Sharing dialog box, select the Share this folder check box.
8.
Click Permissions, click Full Control Allow, and then click OK twice.
9.
10. In File Explorer, double-click Departments, right-click Marketing, and then click Properties.
11. In the Marketing Properties dialog box, click the Security tab.
12. On the Security tab, click Edit.
13. In the Permissions for Marketing dialog box, click Add.
14. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select (examples) box, type Marketing, and then click OK.
15. In the Permissions for Marketing dialog box, select the Full control Allow check box, and then
click OK.
16. In the Error Applying Security dialog box, click Continue.
17. In the Marketing Properties dialog box, click OK.
18. Switch to LON-CL1.
19. Sign in by using the following credentials:
o
Password: Pa$$w0rd
23. In the Properties dialog box, click the Offline Files tab. Notice that files are showing as in sync, and
the folder is online. Note that it might take a few moments for the status to change.
24. Sign out.
a.
The file share was lost, and the file permissions on the Marketing folder were missing. This
prevented synchronization of Boris's files to the redirected folder.
b.
Added the shared folder for departments, and reset the file permissions for the Marketing subfolder.
c.
Results: After completing the exercise, you should have resolved the Folder Redirection problem
successfully.
2.
In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Read the help desk Incident Record 723467 in the Student Handbook exercise scenario.
Read the Additional Information section of the Incident Record in the Student Handbook exercise
scenario.
2.
Update the Plan of Action section of the Incident Record with your recommendations:
a.
b.
c.
Switch to LON-CL1, and then sign in as Adatum\administrator with the password Pa$$w0rd.
2.
3.
In NAPCLCFG [NAP Client Configuration (Local Computer)], in the navigation pane, click
Enforcement Clients.
4.
In the results pane, right-click DHCP Quarantine Enforcement Client, and then click Enable.
5.
6.
7.
8.
In the Services console, in the results pane, double-click Network Access Protection Agent.
9.
In the Network Access Protection Agent Properties (Local Computer) dialog box, in the Startup
type list, click Automatic.
18. In the London_Network Properties dialog box, double-click Internet Protocol Version 4
(TCP/IPv4).
19. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address
automatically.
20. Click Obtain DNS server address automatically, and then click OK.
21. In the London_Network Properties dialog box, click OK or Close.
2.
At the command prompt, type the following command, and then press Enter:
Ipconfig
3.
Switch to Services.
4.
5.
In the Windows Firewall Properties (Local Computer) dialog box, in the Startup type list, click
Disabled.
6.
7.
8.
In the notification area, click the Network Access Protection pop-up warning.
9.
Review the information in the Network Access Protection dialog box, and then click Close.
Note: Depending on the point at which your computer becomes noncompliant, you might
not receive a warning in the notification area. However, you may proceed.
10. At the command prompt, type the following command, and then press Enter:
Ipconfig
11. Notice that the computer has a subnet mask of 255.255.255.255 and a Domain Name System (DNS)
suffix of restricted.Adatum.com.
Results: After completing this exercise, you should have configured the client computer for NAP.
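The exercise enables the DHCP enforcement client, sets the NAP Agent to start automatically, and then recognizes a noncompliant client by its 255.255.255.255 subnet mask and restricted.Adatum.com DNS suffix. The following script, added here and not part of the course lab, does the same from an elevated PowerShell session on LON-CL1. The enforcement client ID 79617 is the value netsh lists for the DHCP Quarantine Enforcement Client; confirm it with `netsh nap client show config` on the system you are working on.

```powershell
# Added example (not part of the course lab): NAP DHCP enforcement client setup and a
# check for the restricted-network symptoms from step 11. Assumes an elevated session
# on LON-CL1; verify the enforcement client ID with "netsh nap client show config".

function Enable-NapDhcpClient {
    # Steps 4 and 9 of the task: enable the DHCP Quarantine Enforcement Client and
    # make the NAP Agent service (napagent) start automatically.
    netsh nap client set enforcement id = 79617 admin = "enable" | Out-Null
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
    netsh nap client show state
}

function Test-NapRestricted {
    param([string]$RestrictedSuffix = 'restricted.Adatum.com')
    # A noncompliant DHCP client receives a /32 lease (mask 255.255.255.255) and the
    # restricted connection-specific DNS suffix; compliant clients get the normal subnet.
    $addr   = Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp -ErrorAction SilentlyContinue
    $suffix = (Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix }).ConnectionSpecificSuffix

    [pscustomobject]@{
        DhcpAddress  = ($addr | ForEach-Object IPAddress) -join ', '
        PrefixLength = ($addr | ForEach-Object PrefixLength) -join ', '
        DnsSuffix    = @($suffix) -join ', '
        Restricted   = [bool](($addr | Where-Object PrefixLength -eq 32) -or (@($suffix) -contains $RestrictedSuffix))
    }
}

Enable-NapDhcpClient
Test-NapRestricted | Format-List
```

Running Test-NapRestricted before and after stopping the Windows Firewall service (step 5) shows the transition from the normal lease to the restricted one without waiting for the notification-area warning, which the lab notes may not appear.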
2.
In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Read the help desk Incident Record 723469 in the Student Handbook exercise scenario.
Read the Additional Information section of the Incident Record in the Student Handbook exercise
scenario.
2.
Update the Plan of Action section of the Incident Record with your recommendations:
a.
b.
c.
2.
Password: Pa$$w0rd
Domain: Adatum
3.
On LON-CL3, click Desktop, right-click Start, and then click Command Prompt.
4.
At the command prompt, type gpupdate /force, and then press Enter.
5.
To verify that the correct GPO is being applied to the client, at the command prompt, type gpresult
/r, and then press Enter. You should see the DirectAccess Client Settings GPO listed under Applied
Group Policy Objects.
6.
7.
In Internet Explorer, in the Address bar, type http://LON-SVR1.adatum.com, and then press Enter.
8.
9.
2.
3.
4.
In the Internet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
5.
Click Use the following IP address, and then change the network settings:
o
IP address: 131.107.0.50
6.
7.
8.
9.
In Internet Explorer, in the Address bar, type http://LON-SVR1.adatum.com, and then press Enter.
15. Verify that DNS Effective Name Resolution Policy Table Settings present two entries for adatum.com
and Directaccess-NLS.Adatum.com.
16. At the command prompt, type the following command, and then press Enter.
Powershell
17. At the Windows PowerShell command prompt, type the following command, and then press Enter.
Get-DAClientExperienceConfiguration
20. In the console pane, click Remote Client Status. Notice that the client is connected via IPHttps. In the
Connection Details pane, in the lower-right of the screen, note the use of Kerberos for the Machine
and the User.
Note: If no data is displayed, restart LON-CL3, sign in as Adatum\Administrator with the
password Pa$$w0rd. Then repeat steps 8 and 9 before continuing from step 18.
Results: After completing this exercise, you should have configured the client-side settings for
DirectAccess and tested access to internal resources.
2.
In the Virtual Machines list, right-click 20688D-LON-CL3, and then click Revert.
3.
4.
Read the help desk Incident Record 723307 in the Student Handbook Exercise scenario.
Read the Additional Information section of the Incident Record in the Student Handbook Exercise
scenario.
2.
b.
c.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
2.
3.
4.
5.
In File Explorer, verify the presence of a drive mapping for drive M to \\lon-dc1\Marketing.
6.
7.
8.
9.
10. In File Explorer, verify the lack of a drive mapping for drive M to \\lon-dc1\Marketing.
11. Sign out of LON-CL1.
12. Sign back in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
20. In the Logon Properties dialog box, click the PowerShell Scripts tab. Verify the presence of a script,
and then click Cancel.
21. Close the Group Policy Management Editor.
22. You can see that the Marketing GPO is linked to the domain. In the Details pane, you can see that the
Marketing group has the necessary permissions to apply the policy.
23. Close Group Policy Management.
24. In Administrative Tools, double-click Active Directory Users and Computers.
25. In Active Directory Users and Computers, expand Adatum.com, click Marketing, and then double-click Dana Birkby.
26. In the Dana Birkby Properties dialog box, click the Member Of tab. Notice that Dana does not
belong to the Marketing group. Click Add.
27. In the Select Groups dialog box, type Marketing, and then click OK.
28. In the Dana Birkby Properties dialog box, click OK.
29. Close all open windows, and sign out.
30. Sign in as Adatum\Dana with the password Pa$$w0rd.
31. Click the Desktop tile, and on the desktop, click the File Explorer icon.
32. In File Explorer, verify the presence of the drive mapping to the Marketing folder.
33. Sign out.
34. Update the Resolution section of the Incident Record with the following comment:
o
The mapping for drive M is being scoped (by security group filtering) to the Marketing security
group. Dana was not a member of the Marketing security group. Adding her as a member of the
Marketing security group resolved the problem.
Results: After completing this exercise, you should have resolved a file access issue.
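The resolution note states the mechanism exactly: the Marketing GPO is scoped by security filtering, so a user outside the Marketing group never receives the drive mapping. The following script, added here and not part of the course lab, automates the check the exercise makes in Group Policy Management and Active Directory Users and Computers: which principals have Apply Group Policy on the GPO, which groups the user is in, and whether they intersect. It requires the RSAT ActiveDirectory and GroupPolicy modules and uses the GPO, group and user names from the lab.

```powershell
# Added example (not part of the course lab): explain why a security-filtered GPO
# does or does not apply to a user. Requires the RSAT ActiveDirectory and
# GroupPolicy modules; names are the lab's (GPO "Marketing", user Dana).
Import-Module ActiveDirectory, GroupPolicy

function Test-GpoSecurityFiltering {
    param(
        [string]$GpoName = 'Marketing',
        [string]$UserSam = 'Dana'
    )
    # Principals granted Apply Group Policy on the GPO (the security-filtering list).
    $applyTo = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    # The user's direct group memberships plus the well-known identities every
    # signed-in domain user carries. (Nested group membership is not expanded here.)
    $userGroups  = @(Get-ADPrincipalGroupMembership -Identity $UserSam | ForEach-Object Name)
    $userGroups += 'Authenticated Users', 'Everyone', $UserSam

    $hits = $applyTo | Where-Object { $userGroups -contains $_ }
    [pscustomobject]@{
        Gpo            = $GpoName
        User           = $UserSam
        AppliesTo      = $applyTo -join ', '
        UserIsMemberOf = ($userGroups | Sort-Object -Unique) -join ', '
        WillApply      = [bool]$hits
    }
}

$check = Test-GpoSecurityFiltering -GpoName 'Marketing' -UserSam 'Dana'
$check | Format-List
if (-not $check.WillApply) {
    # The lab's fix: add the user to the filtered group. Group membership is evaluated
    # at sign-in, so the user must sign out and back in before the drive appears.
    Add-ADGroupMember -Identity 'Marketing' -Members 'Dana'
    'Added Dana to Marketing; the mapping will apply at her next sign-in.'
}
```

The same check explains the reverse situation in the next exercise, where a user who should not receive a mapping still gets it: look first at who holds GpoApply, then at the share and NTFS permissions.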
Read the help desk Incident Record 723308 in the Student Handbook Exercise scenario.
Read the Additional Information section of the Incident Record in the Student Handbook Exercise
scenario.
2.
b.
Switch to LON-CL1.
2.
3.
4.
Note: Theoretically, this mapping should not work because Allie is not in the Marketing group.
However, the mapping is successful.
Switch to LON-DC1.
2.
3.
4.
In File Explorer, navigate to drive E, right-click Marketing, and then click Properties.
5.
6.
7.
In the Advanced Sharing dialog box, click Permissions. Verify that the permissions are granted to
Everyone Full Control.
8.
9.
10. On the Security tab, click Advanced, and then click the Effective Access tab.
11. On the Effective Access tab, click Select a user.
12. In the Select User, Computer, Service Account, or Group dialog box, type Allie, and then click OK.
13. Click View effective access.
14. Verify that Allie has Read permissions, and then click Cancel.
15. In the Marketing Properties dialog box, click Advanced.
16. In the Advanced Security Settings for Marketing dialog box, click Disable inheritance.
17. Click Convert inherited permissions into explicit permissions on this object, and then click OK.
22. In the Select User, Computer, Service Account, or Group dialog box, type Allie, and then click OK.
23. Click View effective access.
24. Verify that Allie has no permissions.
25. Click Select a user.
26. In the Select User, Computer, Service Account, or Group dialog box, type Adam, and then
click OK.
27. Click View effective access.
28. Verify that Adam has Full control permissions. Click OK, and then click Close.
29. Update the Resolution section of the Incident Record with the following comment:
o
The inherited permissions on E:\Marketing included the Users group having Read permissions.
This was removed.
Results: After completing this exercise, you should have resolved a file access issue.
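Two exercises on this page come down to the share and NTFS layers of the Marketing folder: the Folder Redirection exercise found the share missing and the Marketing group's NTFS permissions absent, and this exercise found an inherited Read entry for the Users group that had to be removed after disabling inheritance. The following script, added here and not part of the course lab, performs both corrections on the E:\Marketing path and Marketing share used in this exercise (the earlier exercise used the Departments share; the logic is the same). It assumes an elevated session on LON-DC1 and the Adatum\Marketing group.

```powershell
# Added example (not part of the course lab): audit and correct the share and NTFS
# permissions on the Marketing folder. Paths and names are from this exercise;
# run elevated on the file server (LON-DC1).
$Path  = 'E:\Marketing'
$Share = 'Marketing'
$Group = 'Adatum\Marketing'

# 1. Share layer: recreate the share if it was lost (as in the Folder Redirection lab).
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Path -FullAccess 'Everyone' | Out-Null
}
Get-SmbShareAccess -Name $Share |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# 2. NTFS layer: show the current entries and which of them are inherited.
$acl = Get-Acl -Path $Path
$acl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# 3. Stop inheriting from E:\ (the source of BUILTIN\Users Read in this exercise),
#    converting inherited entries to explicit ones, then remove the Users entries.
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
$toRemove = @($acl.Access | Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' })
foreach ($rule in $toRemove) { [void]$acl.RemoveAccessRule($rule) }

# 4. Grant the department group Full Control on the folder and everything below it
#    (the Folder Redirection exercise's fix).
$grant = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($grant)
Set-Acl -Path $Path -AclObject $acl

# 5. Show the resulting explicit entries, which is what the Effective Access tab
#    evaluates for a given user.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Effective access is the intersection of share permissions and NTFS permissions, so Everyone Full Control on the share is not itself the problem here; it merely stops the share layer from hiding an over-permissive NTFS ACL.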
2.
In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Read the scenario to identify how A. Datum Corporation has implemented Workplace Join.
Answer: Workplace Join is required for access to the Sales and Ordering application. However, this
might expand to other applications in the future.
2.
Answer: Workplace Join creates an object in AD DS for the device. This behaves similarly to a domain
member computer, and access can be restricted to domain member devices. This means that the
application cannot be accessed from random locations.
3.
Can desktop support perform a Workplace Join during initial device configuration?
Answer: No. If a single device is used by more than one user, each user must perform a Workplace
Join. Workplace Join uniquely identifies the combination of a user and a device. A certificate is placed
on the device for that user and device combination. The certificate is then used during authentication.
4.
Answer: Users need to provide their user principal name (UPN) during Workplace Join. This UPN is
used to authenticate the user during the Workplace Join process. The domain portion of the UPN is
also used to identify the server that the device connects to for Workplace Join. The device connects to
deviceregistration.domainname.com.
5.
What issues are likely to prevent Workplace Join from completing properly?
Answer: Some of the common issues that might be encountered during Workplace Join include:
o
Users entering an incorrect UPN. Some users might be confused and enter their email address
instead.
Lack of network connectivity. If the device is having network connectivity problems, then
Workplace Join will fail.
Certificate trust issues. The certificates are from a trusted certification authority (CA) on the
Internet. So, this will not be a common issue. However, when new certificates are implemented,
some computers or devices might need updates to have the proper trusted root CA.
Configuring and Troubleshooting Resource Access for Clients That Are Not Domain Members
6.
Results: After completing this exercise, you should have created an outline that can be used for training
help desk and desktop support staff on the configuration of Workplace Join.
Read the scenario to identify how A. Datum has implemented Work Folders.
2.
Answer: The home drive data does not synchronize with Work Folders. The home drive location
becomes the Work Folders. The mapped drive letter provided to executives for their home folder is
the server location that stores Work Folders data.
3.
4.
Answer: Auto discovery has been configured for Work Folders. So, during initial configuration,
executives provide their email addresses. The domain portion of the email address is used to locate
the server at workfolders.domainname.com.
5.
Which user property defines the URL used to access Work Folders?
Answer: Each user account has an msDS-SyncServerURL attribute that defines the Work Folders
server for that user. This attribute must be configured manually when multiple Work Folders servers
are implemented and auto discovery is used.
6.
What happens if executives do not have their smartphones available during authentication?
Answer: If executives do not have their smartphones, they will not be able to authenticate. This is the
purpose of multifactor authentication. As an alternative access solution, executives could use the
virtual private network (VPN) and access their home drives.
Results: After completing this exercise, you will have created an outline for training help desk and
desktop support staff on Work Folders configuration.
Read the scenario to identify how A. Datum has implemented Microsoft OneDrive for Business.
2.
Answer: OneDrive for Business stores data in a specialized document library within SharePoint Server
2013 or SharePoint Online. A. Datum has implemented OneDrive for Business as part of an on-premises installation of SharePoint Server 2013. This allows A. Datum to retain complete control over
its data, perform backups, and archive data.
3.
What software is required for Windows 8.1 computers to synchronize files with OneDrive for
Business?
Answer: The OneDrive for Business Windows Sync client can synchronize data to Windows
computers. The client supports Windows 7, Windows 8, Windows Server 2008 R2, and Windows
Server 2012.
4.
Answer: Yes. An app is available for iOS devices. In addition, any web browser that is supported by
SharePoint Server 2013 can access OneDrive for Business. In addition to recent versions of Internet
Explorer, most major browsers such as Google Chrome, Safari, and Mozilla Firefox are supported.
5.
Are there file size limitations that the researchers should be aware of for synchronization?
Answer: There are several limitations that the researchers should be aware of:
o
The OneDrive for Business Windows Sync client supports a maximum of 20,000 files in OneDrive
for Business.
Results: After completing this exercise, you will have created an outline for training help desk and
desktop support staff on OneDrive for Business configuration.
On LON-DC1, in Server Manager, click Manage, and then click Add Roles and Features.
2.
In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3.
On the Select Installation Type page, click Role-based or feature-based installation, and then
click Next.
4.
On the Select destination server page, click Select a server from the server pool, click
LON-DC1.adatum.com, and then click Next.
5.
On the Select server roles page, expand File and Storage Services (2 of 12 Installed), expand File
and iSCSI Services (1 of 11 Installed), and then select the Work Folders check box.
6.
7.
8.
9.
On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then
click Work Folders.
2.
On the Work Folders page, click To create a sync share for Work Folders, start the New Sync
Share Wizard.
3.
In the New Sync Share Wizard, on the Before you begin page, click Next.
4.
5.
In the Enter a local path box, type C:\ExecutiveWF, and then click Next.
6.
7.
On the Specify the structure for user folders page, click User alias, and then click Next.
8.
On the Enter the sync share name page, in the Name box, type ExecutiveWF, and then click Next.
9.
10. In the Select User or Group dialog box, in the Enter the object name to select box, type
Managers, and then click OK.
11. On the Grant sync access to groups page, click Next.
12. On the Device Policies page, clear the Automatically lock screen, and require a password check
box, select the Encrypt Work Folders check box, and then click Next.
13. On the Confirm selections page, read the summary, and then click Create.
14. After the sync share is created, click Close.
15. In Server Manager, on the Work Folders page, verify that the members of the Managers group are
listed in the Users box.
2.
3.
4.
Identify the value of the Thumbprint property for the Work Folders Certificate.
5.
6.
At the command prompt, type netsh http add sslcert ipport=0.0.0.0:443 certhash=thumbprint
appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY, and then press
Enter.
Note: You can copy the thumbprint value from the Windows PowerShell command prompt
by selecting the value, right-clicking the selection, and then clicking Copy. To paste the thumbprint
value at the command prompt, right-click, and then click Paste.
7.
8.
Note: The certificate that was created in advance for this task contains the names lon-dc1.adatum.com and workfolders.adatum.com.
On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2.
3.
Right-click Managers, and then click Create a GPO in this domain, and Link it here.
4.
In the New GPO dialog box, in the Name box, type WorkFolders, and click OK.
5.
6.
In the Group Policy Management Editor, in the navigation pane, under User Configuration, expand
Policies, expand Administrative Templates, expand Windows Components, and then click Work
Folders.
7.
8.
9.
In the Work Folders URL box, type https://lon-dc1.adatum.com, and then click OK.
2.
On the Start screen, type work, and then click Work Folders.
3.
4.
5.
In the Accept security policies window, select the I accept these policies on my PC check box, and
then click Set up Work Folders.
6.
7.
8.
2.
3.
4.
5.
6.
In the Advanced Attributes dialog box, verify that the Encrypt content to secure data check box is
selected, and then click OK.
7.
8.
Task 7: Configure Domain Name System (DNS) for clients that are not domain
members
1.
2.
In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3.
4.
In the New Resource Record dialog box, in the Alias name box, type workfolders.
5.
In the Fully qualified domain name (FQDN) for target host box, type lon-dc1.adatum.com, and
then click OK.
6.
On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.
2.
In Active Directory Administrative Center, in the Global Search box, type Aidan, and then press Enter.
3.
4.
In the Aidan Delaney window, click Extensions, and then click the Attribute Editor tab.
5.
6.
In the Multi-valued String Editor dialog box, in the Value to add box, type
https://lon-dc1.adatum.com, click Add, and then click OK.
7.
8.
2.
On the Start screen, type work, and then click Work Folders.
3.
4.
In the Enter work email window, in the Work email address box, type aidan@adatum.com, and
then click Next.
5.
6.
7.
In the Accept security policies window, select the I accept these policies on my PC check box, and
then click Set up Work Folders.
8.
9.
Notice that a view of Work Folders has opened, and it contains the Test document that you created
earlier.
Results: After completing this exercise, you will have configured Work Folders for the A. Datum
executives.
2.
In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
Read the help desk incident record 723401 in the Student Handbook Exercise Scenario.
Read the Additional Information section of the Incident Record in the student handbook exercise
scenario.
2.
b.
Sign in as member of the Sales group and verify the application of the AppLocker restriction
policy.
c.
If policy is not applying, use Group Policy Object (GPO) troubleshooting techniques to determine
why.
d.
Assuming that the GPO is applying, then examine settings of AppLocker policy itself.
e.
ii.
iii.
Switch to LON-CL3.
2.
Password: Pa$$w0rd
3.
4.
5.
When installation starts, click Cancel. This shows that the AppLocker policy is not being enforced.
6.
Sign out.
2.
Click Desktop.
3.
On the desktop, double-click Administrative Tools, and then double-click Group Policy
Management.
4.
Troubleshooting Applications
5.
6.
In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Application Control Policies, expand
AppLocker, and then click Windows Installer Rules.
7.
Right-click Windows Installer Rules, and then click Create Default Rules.
8.
9.
In the Deny Properties dialog box, click the Path tab, and then click Browse Files.
10. In the File name box, type \\lon-dc1\sales, and then press Enter.
11. In the Open dialog box, double-click XmlNotepad.msi, and then click OK.
12. In the navigation pane, right-click AppLocker, and then click Properties.
13. In the AppLocker Properties dialog box, under Windows Installer rules, select the Configured
check box, and then click OK.
14. In the navigation pane, click System Services.
15. Double-click Application Identity.
16. In the Application Identity Properties dialog box, select the Define this policy setting check box,
click Automatic, and then click OK.
17. Close the Group Policy Management Editor.
18. Close Group Policy Management.
19. On the desktop, in the Administrative Tools window, double-click Active Directory Users and
Computers.
20. In Active Directory Users and Computers, expand Adatum.com, and then click Computers.
21. Right-click LON-CL3, and then click Move.
22. In the Move dialog box, click Sales, and then click OK.
23. Right-click Start, and then click Command Prompt.
24. At the command prompt, type gpupdate /force, and then press Enter.
25. At the command prompt, type shutdown /r, and then press Enter.
26. When LON-CL3 has restarted, sign in by using the following credentials:
o
Password: Pa$$w0rd
30. Update the Resolution section of the Incident Record with the following comments:
o
Results: After completing this exercise, you should have successfully resolved the AppLocker policy
application problem.
2.
In the Virtual Machines list, right-click 20688D-LON-CL3, and then click Revert.
3.
4.
Read the help desk incident record 723407 in the Student Handbook Exercise Scenario.
Read the Additional Information section of the Incident Record in the student handbook exercise
scenario.
2.
Visit the user's computer and view the problem. This could probably be done remotely.
b.
c.
d.
Switch to LON-CL1.
2.
Password: Pa$$w0rd
3.
4.
2.
3.
4.
In the Internet Explorer window, in the Address bar, type http://lon-dc1.adatum.com, and then
press Enter.
5.
6.
In the Internet Explorer Address bar, type http://lon-dc1, and then press Enter.
7.
Right-click the star on the toolbar, and then click Menu bar.
8.
9.
In the Internet Options dialog box, on the General page, click Use current.
10. Click the Security tab. You can see that http://lon-dc1 is a Local intranet site.
11. In the Internet Options dialog box, click OK.
12. Close Internet Explorer.
13. Update the Resolution section of the Incident Record with the following three options to resolve the
problem:
a.
Instruct the user to use a single label URL to access the intranet site. This allows Internet Explorer
to recognize the site as an intranet site to which it can automatically pass the local workstation
credentials.
b.
c.
d.
e.
Manually add http://lon-dc1.adatum.com to trusted sites, and then configure trusted sites to
allow automatic logon with current user name and password.
f.
Results: After you have completed the exercise, you should have successfully resolved the Internet
Explorer authentication issue.
2.
In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3.
4.
2.
3.
4.
5.
Expand User Defined, right-click User Defined, point to New, and then click Data Collector Set.
6.
In the Create new Data Collector Set Wizard, on the How would you like to create this new data
collector set? page, in the Name text box, type Adatum Baseline.
7.
8.
On the What type of data do you want to include? page, select the Performance counter check
box, and then click Next.
9.
On the Which performance counters would you like to log? page, in the Sample interval field,
type 1, and then click Add.
10. In the Available counters list, expand Memory, click Pages/sec, and then click Add.
11. In the Available counters list, expand Network Interface, select Packets/sec, and then click Add.
12. In the Available counters list, expand Physical Disk, click % Disk Time, and then click Add.
13. Under Physical Disk, click Avg. Disk Queue Length, and then click Add.
14. In the Available counters list, expand Processor, click % Processor Time, and then click Add.
15. In the Available counters list, expand System, click Processor Queue Length, click Add, and then
click OK.
16. On the Which performance counters would you like to log? page, click Next.
17. On the Where would you like the data to be saved? page, click Next.
18. On the Create the data collector set page, click Finish.
19. In Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then click Start.
20. Click Start.
21. Click the Down Arrow, and then click Word 2013.
22. In Microsoft Word, in the Microsoft Office Activation Wizard, click Close.
23. Click Start.
24. Click the Down Arrow, and then click Excel 2013.
25. Click Start.
26. Click the Down Arrow, and then click PowerPoint 2013.
27. Close all open Microsoft Office 2013 apps, and then switch to Performance Monitor.
28. In the navigation pane, right-click Adatum Baseline, and then click Stop.
29. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand
Adatum Baseline, and then click the report that has a name that begins with LON-CL1.
30. View the chart. On the menu bar, click the drop-down arrow, and then click Report.
31. Record the following values:
o
Task 2: Read the help desk Incident Record for incident 723499
Read the help desk Incident Record 723499 in the Student Handbook Exercise Scenario.
Read the Additional Information section of the Incident Record in the Student Handbook Exercise
Scenario.
2.
b.
Load Performance Monitor to collect performance data by using a data collector set.
c.
d.
Switch to LON-CL1.
Password: Pa$$w0rd
5. At the command prompt, type perfmon /res, and then press Enter.
Answers will vary depending on the usage scenario and host configuration, although CPU and network are likely to be the most heavily used resources.
7. After a few minutes, in the Windows Script Host prompt, click OK.
10. In the navigation pane, right-click Adatum Baseline, and then click Stop.
11. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand Adatum Baseline, and then click the second report that has a name that begins with LON-CL1.
12. View the chart.
13. On the menu bar, click the drop-down arrow, and then click Report.
14. Record the component details:
o The script is affecting the CPU and network. The CPU is approaching 95 percent utilization, and the System\Processor Queue Length counter is at 5.
16. Close all open windows and programs and return to the Start screen.
17. Update the Resolution section of the Incident Record with the following comment:
Results: After completing this exercise, you should have identified the performance bottleneck.
When you have finished the lab, leave the virtual machines running for the next practice session.
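The baseline collection in steps 10 to 31 of Task 1 and the bottleneck reading recorded in step 14 above can also be done from an elevated PowerShell prompt on LON-CL1. The following is an added example and is not part of the course materials: it samples the same six counters that the Adatum Baseline data collector set logs, averages them the way the Performance Monitor Report view does, and then flags any counter whose average exceeds a threshold. The sampling interval, the number of samples and the thresholds are assumptions chosen for this example, not figures from the course.

```powershell
# Added example (not course code): sample the counters logged by the
# "Adatum Baseline" data collector set and flag likely bottlenecks.
$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

# Twelve samples five seconds apart (one minute of data) is an assumption;
# a real baseline runs much longer. SilentlyContinue skips counter instances
# that do not exist on this host, such as a renamed network adapter.
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 12 -ErrorAction SilentlyContinue

# Group the raw samples by counter path and compute average and maximum,
# which is the view the Performance Monitor "Report" display gives for a
# logged data collector set.
$summary = $samples.CounterSamples |
    Group-Object -Property Path |
    ForEach-Object {
        $stats = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
        [pscustomobject]@{
            Counter = $_.Name
            Average = [math]::Round($stats.Average, 2)
            Maximum = [math]::Round($stats.Maximum, 2)
        }
    }

$summary | Format-Table -AutoSize

# Illustrative thresholds (assumptions for this example). The Processor Queue
# Length figure follows the common rule of thumb that a sustained queue of
# more than two per processor indicates a CPU bottleneck.
$logicalCpus = (Get-WmiObject -Class Win32_ComputerSystem).NumberOfLogicalProcessors
$rules = @{
    '% Processor Time'       = 90
    'Processor Queue Length' = 2 * $logicalCpus
    'Pages/sec'              = 1000
    'Avg. Disk Queue Length' = 2
}

foreach ($row in $summary) {
    foreach ($name in $rules.Keys) {
        # -like is case-insensitive, so it matches the lower-cased paths
        # that Get-Counter returns (for example \\lon-cl1\processor(_total)\...).
        if ($row.Counter -like "*$name*" -and $row.Average -gt $rules[$name]) {
            Write-Warning ('Possible bottleneck: {0} averaged {1} (threshold {2})' -f
                $row.Counter, $row.Average, $rules[$name])
        }
    }
}
```

The data collector set created in the GUI can be driven from the same prompt: `logman start "Adatum Baseline"` and `logman stop "Adatum Baseline"` do what steps 19 and 28 do through the Performance Monitor navigation pane, and the resulting log lands in the same report folder. With the load script from Task 3 running, the `% Processor Time` and `Processor Queue Length` warnings are the ones you should expect to see.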
Read the help-desk incident record 723623 in the Student Handbook Exercise Scenario.
Read the Additional Information section of the Incident Record in the Student Handbook Exercise Scenario.
2. Update the Plan of Action section of the Incident Record with your recommendations:
Switch to LON-CL1.
Password: Pa$$w0rd
Switch to LON-CL1, and if necessary, sign in as LON-CL1\Admin with the password Pa$$w0rd.
3. Press Windows+C, click Settings, and then click Control Panel.
10. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically.
11. Click Obtain DNS server address automatically, and then click OK.
The network settings were wrong, and the network adapter had become disabled.
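The repair in steps 10 and 11, together with re-enabling the disabled adapter that the resolution comment mentions, can be done from an elevated PowerShell prompt instead of the TCP/IPv4 Properties dialog box. This is an added example, not course code. The adapter name Ethernet and the use of LON-DC1 as a reachability target are assumptions for the example; check `Get-NetAdapter` for the real name on the machine.

```powershell
# Added example (not course code): return an adapter to DHCP-assigned IPv4
# address and DNS settings, re-enabling it first if it has been disabled.
$adapterName = 'Ethernet'   # assumption; confirm with Get-NetAdapter

$adapter = Get-NetAdapter -Name $adapterName
if ($adapter.Status -eq 'Disabled') {
    # The incident's root cause included a disabled adapter; enable it first.
    Enable-NetAdapter -Name $adapterName -Confirm:$false
}

# Record what was found before changing anything, so the Resolution section
# of the incident record can state the wrong settings that were in place.
Write-Host 'IPv4 configuration before the change:'
Get-NetIPAddress -InterfaceAlias $adapterName -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Select-Object IPAddress, PrefixLength, PrefixOrigin | Format-Table -AutoSize
Get-DnsClientServerAddress -InterfaceAlias $adapterName -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses

# "Obtain an IP address automatically": remove any manually set IPv4 address
# and default gateway, then switch the interface to DHCP.
Get-NetIPAddress -InterfaceAlias $adapterName -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object PrefixOrigin -eq 'Manual' |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $adapterName -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
Set-NetIPInterface -InterfaceAlias $adapterName -AddressFamily IPv4 -Dhcp Enabled

# "Obtain DNS server address automatically": clear statically configured
# DNS servers so the DHCP-supplied ones are used.
Set-DnsClientServerAddress -InterfaceAlias $adapterName -ResetServerAddresses

# Renew the lease and verify that the address now comes from DHCP and that
# the domain controller (assumed to be LON-DC1) answers.
ipconfig /renew $adapterName | Out-Null
Get-NetIPAddress -InterfaceAlias $adapterName -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixOrigin, SuffixOrigin | Format-Table -AutoSize
if (Test-NetConnection -ComputerName LON-DC1 -InformationLevel Quiet) {
    Write-Host 'LON-DC1 is reachable; network recovered.'
} else {
    Write-Warning 'LON-DC1 is still unreachable; check the DHCP scope and the virtual switch.'
}
```

PrefixOrigin is the quick check here: after the change it should read Dhcp rather than Manual. Capturing the before state matters for the incident record, because a wrong static address on a client is also a common sign of a mistaken or unauthorised configuration change rather than a simple fault.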
Results: When you have completed this exercise, you should have recovered the Windows 8.1 computer.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
Read the help-desk incident record 723625 in the Student Handbook Exercise Scenario.
Read the Additional Information section of the Incident Record in the Student Handbook Exercise Scenario.
2. Update the Plan of Action section of the Incident Record with your recommendations:
c. Restart the computer and determine whether the CD/DVD drive is accessible before Windows loads. If it is, the hardware is working and a driver problem is the likely cause.
e. Alternatively, if a physical device failure has occurred, replace the drive unit.
Switch to LON-CL1.
Password: Pa$$w0rd
3. Right-click Start, point to Shut down or sign out, and then click Restart.
4. When prompted to Press any key to boot from CD or DVD, press a key.
6. In Windows Setup, click Next, and then click Repair your computer.
7. On the Choose an option page, click Troubleshoot, and then click Advanced options.
a. Because the CD/DVD drive was accessible before Windows started, a driver issue was the likely cause.
b. Driver rollback was unavailable, and uninstalling the driver did not work.
c. The next least-invasive option was System Restore, provided a recent restore point existed. I checked, and a restore point had been created just before the driver update. I used that point to recover the computer.
Results: When you have completed this exercise, you should have recovered the Windows 8.1 computer.
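The least-invasive-first sequence in the resolution comment (confirm it is a driver problem, then fall back to System Restore) can be checked and driven from an elevated PowerShell session on Windows 8.1. This is an added example and is not course code. Device state is read through WMI because the Get-PnpDevice cmdlets only arrived in Windows 10; the restore-point description pattern used to pick the point is an assumption, and in practice you would match the creation time against the driver update in the incident's Additional Information.

```powershell
# Added example (not course code): confirm a CD/DVD driver fault, create a
# safety restore point, and roll the system back to the point taken before
# the driver update.

# 1. Is the optical drive reporting a driver error? The GUID is the
#    CDROM device setup class; ConfigManagerErrorCode 0 means working,
#    10 = device cannot start, 28 = no driver installed,
#    39 = driver corrupt or missing, 41 = driver loaded but device not found.
$cdromClass = '{4d36e965-e325-11ce-bfc1-08002be10318}'
Get-WmiObject -Class Win32_PnPEntity |
    Where-Object { $_.ClassGuid -eq $cdromClass } |
    Select-Object Name, Status, ConfigManagerErrorCode | Format-Table -AutoSize

# 2. Which driver is bound, and when was it installed? A DriverDate newer
#    than the last restore point points at the update in question.
Get-WmiObject -Class Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -eq 'CDROM' } |
    Select-Object DeviceName, DriverVersion, DriverProviderName,
        @{ Name = 'DriverDate'; Expression = { $_.ConvertToDateTime($_.DriverDate) } } |
    Format-Table -AutoSize

# 3. Before trying anything invasive, take a restore point of your own.
#    Windows 8 and later only allow one Checkpoint-Computer call per 24 hours
#    by default, so this silently does nothing if one was taken recently.
Checkpoint-Computer -Description 'Before CD/DVD driver uninstall' -RestorePointType MODIFY_SETTINGS

# 4. Driver rollback and uninstall are done in Device Manager (devmgmt.msc).
#    If both fail, list the restore points, newest first, and look for the
#    one created just before the driver update.
$points = Get-ComputerRestorePoint |
    Sort-Object SequenceNumber -Descending |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
$points | Format-Table -AutoSize

# Assumption for the example: the wanted point is the newest one whose
# description mentions a driver or device install.
$target = $points | Where-Object { $_.Description -match 'Driver|Device' } | Select-Object -First 1
if ($null -eq $target) {
    throw 'No restore point from before the driver update was found; stop here and reassess.'
}

# 5. Restore-Computer restarts the machine immediately on completion, so
#    close other work first. -Confirm asks before it proceeds.
Write-Host ('Restoring to point {0} ({1}, created {2})' -f $target.SequenceNumber, $target.Description, $target.Created)
Restore-Computer -RestorePoint $target.SequenceNumber -Confirm
```

Step 1 is the scripted equivalent of the Plan of Action check: a device that works from firmware or the Windows Setup media but shows a non-zero ConfigManagerErrorCode once Windows has loaded is a driver problem, not a failed drive. Step 3 is the caveat the lab's resolution relies on: System Restore is only the next least-invasive option if a restore point actually exists, so create one before the first invasive change rather than hoping the driver installer did.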
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.