Section Objectives
Section Overview
The business environment is constantly changing. The operating systems that run smoothly are the
ones that can efficiently and securely operate under some of the most hostile and volatile
conditions. The client operating systems installed within large enterprise networks must be
manageable, both remotely and centrally. Windows Server products and Windows 7 client
operating systems can do this for you. This section introduces the server-side technologies
available with Windows Server 2008 R2 and the enterprise abilities of Windows 7. This
information helps you understand what you can do in your own network to make your job easier
and your data more available and secure.
6-2 Administering and Maintaining Windows 7
Global Knowledge Training LLC
DNS Overview
DNS is one of the most important services in Active Directory environments. The DNS (Domain
Name System) is a service that translates user-friendly names into their associated numerical IP
addresses. DNS eliminates the need to remember all of the IP addresses for the systems
throughout an environment. Of course, this is crucial in communicating with systems on the
Internet since there are millions of IP addresses.
DNS is also required for communication with the outside world due to the Internet's total
reliance on DNS as a name resolution platform.
The tight integration of DNS within Active Directory as a naming standard has enormous
advantages. The fact that you need to use only one name resolution service for either internal or
external name resolution greatly simplifies the administration process.
Figure 158 lists the subjects that are described in this topic.
DNS is a critical service for Active Directory. In fact, without DNS the Active Directory service
cannot function. DNS is used to find the addresses for Active Directory hosts and resources.
Special SRV (service location) records, registered dynamically, advertise these services in the
DNS database.
DNS is also used to register sites for Active Directory. Widely dispersed environments use sites to
provide boundaries between physical locations.
DNS is not the only method available to resolve names to IP addresses. Over the years, various
systems utilized several other types of name resolution. Windows Server 2008 R2 still supports
these alternative name resolution mechanisms for backward compatibility.
Hosts file
Since the early days of UNIX operating systems, Hosts files have been used to resolve names into
IP addresses. The Hosts file is a standard text file with host names and addresses created manually
for name resolution. The text file resides locally on every host and does not automatically update
when names or IP addresses on the network change.
Hosts files have a format like the following:
10.0.0.101 skunk
10.0.0.102 panda
10.0.0.125 tiger
NetBIOS
Originally, IBM introduced the NetBIOS naming standard for its mainframe environments. Later
Microsoft adopted this standard for its LAN Manager series of operating systems (of which
Windows Server 2008 is a descendant). NetBIOS was never meant for use in the large
environments where it is currently deployed. With a 15-character maximum to identify computers,
and no hierarchy, NetBIOS quickly runs into capacity problems.
Initially, NetBIOS name resolution was entirely broadcast-based. This meant that every computer
that wanted to communicate using those names had to exist on the same network segment.
Microsoft introduced LMHosts files as a way to initially integrate NetBIOS into the world of
TCP/IP, and allow NetBIOS resolution to reach computers on distant networks. Like the Hosts
file, LMHosts is a static file that must be updated by hand.
Microsoft later introduced WINS as a centralized name resolution resource that dynamically
updates with the latest names and IP addresses of the computers throughout the environment.
However, WINS still relies on the 15-character-or-less, non-hierarchical structure.
DNS
DNS was introduced as an RFC standard in the mid-1980s to address the problems facing the
burgeoning Internet (still known as the ARPANET at that time). The network grew so rapidly that
the simple Hosts files just could not keep up. DNS was developed as a hierarchical, distributed
database of names. Initially, although centrally administered, DNS was still maintained manually.
The latest versions of DNS, however, can dynamically update with new or modified host names
and IP addresses. DNS addresses the capacity and overhead issues that have plagued other name
resolution services.
A DNS name is made up of several components (shown in Figure 161) that represent the
hierarchical namespace of DNS. Analyzing these components is helpful in understanding the
structure of DNS and helps when troubleshooting DNS problems.
FQDN
The FQDN (fully qualified domain name) refers to the combination of all of the naming
components together. A domain name is fully qualified when the host, second-level, top-level, and
root portions of the name are combined.
Host
The host portion of the DNS name is the identity of the computer or computers that the name
relates to. This may not be the only identity for that computer. Other aliases or host names could
also point to the IP address of the computer.
Second Level
The second level (sometimes called a sub-domain) is a subdivision of the DNS namespace. This
further compartmentalizes the DNS architecture into identifiers that represent the organizations
and entities that make up the namespace.
Top Level
The top-level names categorize different portions of the DNS namespace into collections of
different types of organizations. They also represent different parts of the world. Thousands of
top-level domain names, such as .us, .fr, .jp, .tw, and others, represent all of the different
countries around the world. The most recognized top-level domain names are those used for
businesses and organizations throughout the United States, such as .com, .net, .org, and so on.
Several widely known governmental top-level domain names, such as .gov, .mil, .edu, and many
others also exist.
Root
The root of the DNS namespace is simply the dot (.) at the end of every FQDN. Sometimes it is
not written or typed, but it is always there in the DNS hierarchy and is always used in name
resolution. Fifteen DNS servers process root queries. From there, all other queries are processed.
DNS is also the name resolution mechanism of the Internet. If DNS had not been developed, the
Internet would not exist as it does today. Imagine remembering 72.21.210.250 as the Internet IP
address instead of http://www.amazon.com. Imagine remembering the IP addresses for the
hundreds of Web sites you currently visit. Internet DNS is identical to the DNS you may use in
your network environment; however, it is designed to support hundreds of millions of users with
billions of queries for name resolution.
The Internet name resolution mechanism provides external access to your resources. So if you are
a large company, you can make your products available to the world, not just your local area. DNS
is the one service or mechanism that is single-handedly responsible for the explosion of the
Internet, besides the arrival of the personal computer.
DNS also helps to find other types of resources, not just Web sites or server names. DNS can also
provide access to many other types of resources and services within the network. These resources
are made available through the use of DNS resource records such as:
DNS can both help and hurt a network. If you are not careful with its implementation and design,
you can inadvertently expose all of your internal resources to the outside world. Businesses can
operate in a safe manner because of the development of private name resolution techniques. You
can create private and public DNS namespace so that your internal resources are safe from the
outside world and your internal users can still access the Internet namespace.
Private name resolution starts with a private top-level domain name. Therefore, instead of using
the typical .com, .edu, .org, and so forth, you can configure a private TLD that is not accepted as a
valid top-level domain name on the Internet. For example, you can assign .local, .internal, or
.private as the top-level domain name for all of your internal resources. Currently, 20 approved
TLDs exist with countless country designations that can also be used as TLDs. Of course, you
have to complete the additional configuration of the Windows Server 2008 R2 DNS server so that
the internal clients can still reach the Internet address space.
In the Active Directory environment, SRV (service location) records locate the critical services
that are necessary for directory service functionality. Domain controllers automatically update the
DNS database with the following record types:
Kerberos
LDAP
Global catalog
Clients and servers also use DNS to determine which site they are in and the servers running the
critical services that they should communicate with.
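The name structure, private TLDs and SRV-based service location described above, as an added example that is not part of the course material: it splits a name into the components the text names, flags the private TLDs, builds the `_msdcs` SRV names a domain-joined client queries for the LDAP, Kerberos and global catalog services (site-specific ones included), and selects a target from an SRV answer. The SRV answer data is constructed; the `SrvRecord` type and function names are this example's own.

```python
"""Added example, not code from the course: how a domain-joined client uses DNS
as the text describes. It splits a name into host / second level / top level /
root, flags the private TLDs the text names, builds the SRV names for the
LDAP, Kerberos and global catalog services (including site-specific ones), and
picks a target from an SRV answer. All record data below is constructed."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

# Private TLDs named in the text; they are never delegated on the Internet.
PRIVATE_TLDS = {"local", "internal", "private"}


def split_fqdn(name: str) -> Dict[str, object]:
    """Break a DNS name into the components the text describes.

    The trailing dot is the root; it is implied when omitted, so it is restored.
    """
    fqdn = name if name.endswith(".") else name + "."
    labels = [label.lower() for label in fqdn.rstrip(".").split(".") if label]
    if len(labels) < 2:
        raise ValueError(f"not a qualified name: {name!r}")
    return {
        "fqdn": fqdn,
        "root": ".",
        "top_level": labels[-1],
        "second_level": labels[-2],
        "sub_domains": labels[1:-2],                      # further subdivisions, e.g. 'atl'
        "host": labels[0] if len(labels) > 2 else None,   # None for a bare domain name
        "private_namespace": labels[-1] in PRIVATE_TLDS,
    }


def service_locator_names(domain: str, site: Optional[str] = None,
                          forest: Optional[str] = None) -> Dict[str, str]:
    """SRV names a client queries for the record types the text lists.

    Domain controllers register these under _msdcs; the global catalog record
    is registered under the forest root, which defaults here to the domain.
    """
    d = domain.rstrip(".").lower()
    f = (forest or domain).rstrip(".").lower()
    names = {
        "ldap": f"_ldap._tcp.dc._msdcs.{d}",
        "kerberos": f"_kerberos._tcp.dc._msdcs.{d}",
        "global_catalog": f"_gc._tcp.{f}",
    }
    if site:
        # Site-specific names let a client prefer DCs in its own physical location.
        names["ldap_site"] = f"_ldap._tcp.{site.lower()}._sites.dc._msdcs.{d}"
        names["kerberos_site"] = f"_kerberos._tcp.{site.lower()}._sites.dc._msdcs.{d}"
    return names


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def pick_srv_target(records: List[SrvRecord],
                    rng: Optional[random.Random] = None) -> SrvRecord:
    """RFC 2782 selection: lowest priority wins; ties are broken by weighted random choice."""
    if not records:
        raise LookupError("no SRV records in the answer")
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    pool = sorted((r for r in records if r.priority == best), key=lambda r: r.weight)
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool)
    threshold = rng.randint(0, total)
    running = 0
    for rec in pool:
        running += rec.weight
        if running >= threshold:
            return rec
    return pool[-1]


# Constructed SRV answer for _ldap._tcp.dc._msdcs.hq.local: two DCs, dc1 preferred.
SAMPLE_ANSWER = [
    SrvRecord(priority=10, weight=100, port=389, target="dc2.hq.local."),
    SrvRecord(priority=0, weight=100, port=389, target="dc1.hq.local."),
]

if __name__ == "__main__":
    print(split_fqdn("dc1.atl.hq.local"))
    print(service_locator_names("hq.local", site="atl"))
    print(pick_srv_target(SAMPLE_ANSWER))
```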
Troubleshooting Tools
Many tools are available for troubleshooting the Windows 7 operating system in general. A few of
these tools are more focused on resolving issues with DNS. The following topics describe these
tools.
Adapter Status
The Adapter Status and corresponding Network Connection Details are useful for displaying basic
information related to the network card and its IP address settings. This tool is sometimes easier to
walk through when troubleshooting with another individual over the phone.
Ping
The Ping tool is the ubiquitous connectivity testing utility found on almost any TCP/IP-based
operating system. This tool is not strictly for name resolution troubleshooting. However, if you use
the Ping tool against a name, expect to see the corresponding IP address echoed back. If not, name
resolution may be failing.
Active Directory is a distributed database that stores information about objects such as user
accounts. It also provides information about network resources and application data for directory-
enabled applications and services. You can organize Active Directory into a hierarchical structure
that reflects the layout of your organization and possibly matches the DNS architecture as well.
Active Directory promotes the use of a single-sign-on to the environment for ease of use and a
more top-down administrative model. Within an Active Directory forest, you can permit a user
access to resources that exist on any computer in any domain.
Following topics describe the goals, objects, and architecture of Active Directory as well as the
naming standards used by Active Directory.
Active Directory is very flexible and extensible. The Active Directory platform has many potential
uses. Following is a description of the most important goals for Active Directory.
Authenticate Users
Before gaining access to any part of the Active Directory infrastructure, users must prove their
identity. It is the responsibility of the DC (domain controller) to provide this authentication.
Before anyone is allowed access, the DC must check the user's credentials against the Active
Directory database. If the information provided is correct, the user receives a TGT (ticket-granting
ticket) as the pass to obtain STs (service tickets) before accessing any resources.
The heart of Active Directory is a database that stores meaningful object information. The Active
Directory contains many different object types. Administrators create and interact with only a
handful of the following objects:
Users: User accounts are the most prominent object within Active Directory. They
establish the list of known individuals allowed to log on to the system.
Groups: Groups are very important in the reduction of administrative overhead.
Collecting users together into groups allows the administrator to assign privileges to
the group instead of each individual.
Computers: Administrators either create computer objects ahead of time or when a
computer joins the domain. Computers use computer objects to participate in the
domain's security context.
Contacts: Contacts do not have a user name and cannot log on to the domain
environment. Administrators use contacts to establish e-mail aliases for individuals
outside the organization.
Printers: Printer objects exist within the directory as a convenient method to locate a
shared printer within the network.
Shared folders: Shared folders are for convenience. A shared folder in Active
Directory points to a physical shared folder on a server or workstation. Creating a shared
folder in Active Directory does not create the shared folder on the target computer. The
destination shared folder must already exist.
Active Directory is made of a collection of components that work at different hierarchical levels.
You should understand the designations of these levels even when you are implementing an
Active Directory structure of a smaller size:
Forest: A forest could be a single domain. However, the word forest generally depicts
something larger. A forest could be made up of two or more trees with different
namespaces, for example hq.local and widget.com. Trees and domains in the forest are
bound together by links known as trusts.
Tree: A tree is a collection of one or more domains in the same namespace, for
example hq.local. Domains in the tree are linked together by trust relationships.
Domain: The domain is the basic building block and security boundary for the Active
Directory environment. The domain also establishes a storage area for Active Directory
objects within the DCs in that domain.
Global catalog: The GC for an Active Directory forest summarizes all the objects
stored on each domain in the forest. Since each domain contains its own database
separate from other domains, the GC binds multiple domain directories into one larger
searchable directory.
Organizational unit: OUs are containers in which other objects, such as users and
groups, are stored. OUs are a very important organizational technique for dealing with
very large numbers of objects. It is difficult to manage thousands of user accounts all in
one flat list. Instead, gather objects into meaningful subdivisions called OUs that you
can manage more efficiently.
Domain controller: A DC is a computer that runs the Active Directory service and is
able to answer logon requests and queries about objects. The DC replicates any
changes to the Active Directory database to and from other DCs for redundancy.
Site: Sites provide an indication of the physical architecture of the environment.
Usually administrators establish sites for each physical location, and then place a GC
on a DC within each of the sites. Sites provide a foundation for replication and for
local logons.
Naming Standards
Active Directory uses a combination of different naming technologies to provide access to the
directory database:
DNS: DNS is one of the most important pieces of the Active Directory puzzle. Not
only does DNS provide the host name to TCP/IP address resolution necessary to
communicate with all of the Active Directory Services, it also provides the naming
structure for Active Directory itself.
DNS is critical in locating the LDAP, Kerberos, and global catalog resources necessary
for domain functionality through the use of SRV records.
LDAP: LDAP is used to query and access the directory database. LDAP is an open
standard used by other vendors for their own directory services and follows a common
access scheme. Using LDAP, other network computers and services can leverage
Active Directory for their own purposes.
X.500: The X.500 standard is a naming specification that defines the hierarchical
structure of a directory database. Active Directory loosely conforms to the X.500
specifications making it easier to convert objects from other directory services to
Active Directory and vice versa.
The X.500 specification lays out the use of containment qualifiers for the different
levels of the hierarchy. The following is an example of an X.500 DN.
cn=Jane Doe, ou=Sales, o=hq, l=atl, st=ga, c=us
cn: common name
ou: organizational unit
o: organization
l: locality
st: state
c: country
Active Directory naming architecture: When Microsoft first designed Active
Directory, it did not adopt the entire X.500 naming scheme for the Active Directory
database. Instead, the developers took part of the X.500 architecture (the cn= and ou=)
and appended the naming scheme used on the Internet today: DNS. The DNS domain
name information, for example gk.com, is turned into a series of dc= qualifiers.
The following is an example of an Active Directory DN:
cn=JaneD, ou=Sales, dc=atl, dc=hq, dc=local
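The conversion between a DNS domain name and the dc= qualifiers described above, as an added example that is not part of the course material: it builds and parses DNs in the two forms the text shows (the X.500 DN and the Active Directory DN). The function names are this example's own; the sample names are the text's.

```python
"""Added example, not code from the course: build and parse distinguished names
in the two forms the text shows. A DNS domain name becomes a chain of dc=
qualifiers (most specific label first), and a DN is split into its containment
qualifiers, honouring commas escaped with a backslash inside a value."""
import re
from typing import List, Tuple

# Containment qualifiers from the text, plus the dc= qualifier Active Directory adds.
QUALIFIERS = {
    "cn": "common name", "ou": "organizational unit", "o": "organization",
    "l": "locality", "st": "state", "c": "country", "dc": "domain component",
}


def domain_to_dc(domain: str) -> str:
    """'atl.hq.local' -> 'dc=atl,dc=hq,dc=local'."""
    labels = [label for label in domain.rstrip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'cn=JaneD, ou=Sales, dc=hq, dc=local' into (qualifier, value) pairs.

    Only unescaped commas separate components, so a value such as 'Doe\\, Jane'
    (a comma inside a common name) stays whole.
    """
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        key, value = part.split("=", 1)
        pairs.append((key.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def dc_to_domain(dn: str) -> str:
    """Rebuild the DNS domain name from the dc= components of an Active Directory DN."""
    dcs = [value for key, value in parse_dn(dn) if key == "dc"]
    if not dcs:
        raise ValueError("DN has no dc= components")
    return ".".join(dcs)


def build_ad_dn(cn: str, ous: List[str], domain: str) -> str:
    """Assemble an AD DN as the text describes: cn=, then ou= (innermost first), then dc=."""
    return ",".join([f"cn={cn}"] + [f"ou={ou}" for ou in ous] + [domain_to_dc(domain)])


def describe(dn: str) -> List[Tuple[str, str]]:
    """Label each component with the qualifier meaning listed in the text."""
    return [(QUALIFIERS.get(key, key), value) for key, value in parse_dn(dn)]


if __name__ == "__main__":
    for label, value in describe("cn=Jane Doe, ou=Sales, o=hq, l=atl, st=ga, c=us"):
        print(f"{label:20} {value}")
    print(build_ad_dn("JaneD", ["Sales"], "atl.hq.local"))
    print(dc_to_domain("cn=JaneD, ou=Sales, dc=atl, dc=hq, dc=local"))
```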
To take advantage of single sign-on, Group Policy, security, resource access, and the many other
features of Active Directory, the user's computer must join the Active Directory domain.
Following is a description of how to join a Windows 7 client computer to the Active Directory
domain environment, how to change the computer identity, the placement of the computer object,
and how to log on to the domain.
Requirements to Join
To join an Active Directory domain, the computer must be configured with a proper DNS server
address that allows the client to contact a domain controller. The user must log on to the local
computer as a local administrator equivalent.
It is not necessary, however, to log on as an administrator from the domain. A normal user can
join computers to the domain up to 10 times. Domain administrators and enterprise administrators
can join an unlimited number of times.
When you join the domain, by default, the computer object is placed in the Computers container.
The domain administrator can move this later. It is also possible to create the computer object
ahead of time in an OU that is appropriate. When the computer joins the domain later, it
immediately adopts any group policies on the OU that the computer is in.
In Windows 7, the account name of the last logged on user displays by default on the logon
screen. To log on as a different user, or to force a domain versus local logon, click the Switch
User button, and then select Other User. You can then type any valid user name for the local
computer or for the domain.
If you type a user account name that does not exist on the local computer, the context
automatically changes to the domain that the computer belongs to. You can also specify the
context in the following ways:
HQ\Joe
Joe@hq.local
It is not always convenient or desirable to use domain management tools on the server console.
Instead, it is possible to install the tools on a Windows 7 console that you can use for
administration.
However, when these tools are unavailable, or the computer you are using is not a domain
member, other methods of remote administration are available.
Figure 176 lists the subjects that are described in this topic.
An Active Directory environment has several possible options for remote management:
Remote command-line tools: Many command-line tools are available to use against
either the local computer or remote computers. To find out if a tool has remote
management capabilities, run the command with a /? switch, and look for a server or
computer name switch that allows you to change the focus of the command.
Remote Desktop: Any computer with a Remote Desktop client can connect to the
server and run tools and utilities as if sitting at the server console. This is a great option
for non-domain member computers, and for non-Windows computers.
Windows 7 MMC tools: Most of the built-in MMC tools have the ability to focus on
remote computers. The Computer Management Console is one example.
RSAT: Dozens of additional MMC tools are available in the Remote Server
Administration Tools package. This is a free download from Microsoft.
To install the RSAT, go to the Microsoft Web site and search for RSAT. Choose the version that
matches your version of Windows (32 bit or 64 bit), and download it. To install the package, run
the MSU file and follow the prompts.
After installing the RSAT MSU file, the tools do not appear on the administrative tools listing by
default. You must add the individual RSAT tools that you need, or add them all.
To add the RSAT tools, follow these steps:
1. Click Start, Control Panel, and Programs and Features.
2. Click the Turn Windows Features on or off link.
3. Scroll down to the Remote Server Administration Tools section.
4. Expand and select each individual check box for the items you need.
Note
The list of RSAT tools does not automatically select the lower check
boxes when you select an item higher on the list. You must select
each individual item to install it.
Microsoft introduced Group Policy with Windows 2000 as a replacement for the system policies
of older Windows environments. The system policies used in the past were very inflexible and
difficult to reverse once put in place.
The new Group Policy in Windows Server 2008 builds upon the foundation established with
Windows 2000. Group Policy enhancements made in Windows Server 2003 were minor compared
to the new features and hundreds of new settings in Group Policy for Windows Server 2008.
Group Policy may be enhanced with new features but the basic architecture remains the same. To
properly deploy and troubleshoot Group Policy, you must understand its capabilities and
components.
This topic describes the Group Policy features of Windows 7 in the Active Directory environment.
Policies are very important to the network administrator. Policies allow you to pass down many
security or configuration settings to your Windows 7 workstations in a centralized manner, which
makes it easy for you to administer the network. Without policies, you would literally have to visit
thousands of computers either through remote access technologies or by traveling to the location
of the computer, which is not efficient and very costly.
Windows 7 provides you access to several types of policies and utilities for creating and managing
them. Windows 7 provides the local security policy and the Group Policy settings that are passed
down from your Windows Server 2008 R2 computers.
Helpful Hint
You can find many important configuration items in the Windows 7
local security policy, such as the UAC and the Windows Firewall with
Advanced Features.
Figure 181 lists the subjects that are described in this topic.
Each Group Policy object is broken down into two primary sections:
In the previous Group Policy Management Editor, the Administrative Templates section for both
the user or computer configurations contained most of the desktop settings and restrictions. Now,
there are two new layers:
Integrating Windows 7 with Active Directory
Local Policies
Local policies are those settings configured only on the local computer. These are usually
implemented on a stand-alone or workgroup computer.
Use the Group Policy Management Editor or gpedit.msc tool to edit local policies.
Security Policies
One section within Group Policy deals specifically with security settings. The security policies
section contains settings that can be used to secure or lock down computers in the environment
through Group Policy instead of having to implement those settings on each individual system.
The main headings of the security policy are:
Security Settings Password Policy and Account Lockout Policy: Contains the
password history, password age, password length, complexity requirements, and
encryption options
Local Policies Audit Policy, User Rights Assignments and Security Options:
Contains the auditing settings, user rights to the system, and UAC settings
Windows Firewall with Advanced Security: Contains the inbound and outbound rule
creation, IPSec security rules, and NAP rules
Network List Manager Policies: Contains the policy settings that control the listing of
identified, unidentified, all networks, and identifying networks
Public Key Policies: Contains EFS policies, BitLocker Drive Encryption policies, and
certificate settings
Software Restriction Policies: Allows and blocks software from the network
Application Control Policies: Contains AppLocker policies
IP Security Policies on Local Computer: Contains the wizard for creating IP security
policies
Advanced Audit Policy Configuration: Contains 40 or more advanced audit policies
for many categories and subcategories such as auditing file shares, registry, and the file
system
Folder Redirection
The process of folder redirection makes it possible to store a user's personal My Documents files
on a server instead of locally. The user is unaware of this change, and the documents are also
cached on the user's local hard drive using offline synchronization.
You can also set up many other folders for folder redirection:
AppData (Roaming): Contains files used to store some application configuration data.
Desktop: Contains all files and shortcuts stored on the Windows desktop.
Start Menu: Refers to the Personal section of the Start Menu with all of the program
groups and shortcuts. (You cannot redirect the All Users section.)
Documents: Contains the bulk of any user-created files. (Formerly known as My
Documents)
Pictures: Stores photos by default. You can reduce replication traffic by disabling
some of these less work-related folders.
Music: Stores music by default. You can reduce replication traffic by disabling some
of these less work-related folders.
Videos: Stores videos by default. You can reduce replication traffic by disabling some
of these less work-related folders.
Favorites: Stores Internet favorites to Web sites.
Contacts: Refers to the built-in contacts database for Windows Vista.
Downloads: Stores files downloaded through Windows Messenger and other programs
by default.
Links: Stores quick shortcuts to other folders in the personal and public folders of
the user.
Searches: Stores predefined search criteria for new files, recently viewed files,
recently changed documents, and so forth.
Saved Games: Stores the user's games. Some games are now designed to save the
user's games here by default.
Software Deployment
A powerful feature of Group Policy is the ability to distribute software packages and to restrict
access to unauthorized software. Other more powerful tools also provide these features, such as
Microsoft Systems Management Server, but for the small to mid-sized environment, the built-in
software management tools in Group Policy may be all that are needed.
Published packages are optional. The end user must install published packages using
Add/Remove Programs on Windows XP and Windows Server 2003, or using Programs and
Features on Windows Vista, Windows 7, and Windows Server 2008.
Software Restrictions
Because of the growing threat of viruses and rogue software, tight control over the software that
users run is greatly needed. Antivirus software is certainly a necessity, but it only catches known
software threats. Any new viruses or Trojan horses that slip under the radar can still be a huge
problem. You can use the Software Restriction feature of Group Policy to prevent users from
running prohibited or malicious programs, or prevent certain programs from starting.
The following topics describe the software restriction and AppLocker policies.
Hash Rule
A hash rule is a more secure mechanism used to permit or deny access to specific files. An MD5
hash is a unique value generated from the bits and bytes of the file. This value is unique among
files. You can use this value to identify whether or not the file is allowed to run. Unfortunately, a
very knowledgeable individual can circumvent the hash rule by hex-editing the file in question and
changing it by a tiny amount.
Certificate Rule
The certificate rule is by far the most secure, but also the most cumbersome to implement. To
properly implement certificate rules, a PKI must be in place to generate and verify certificates.
To use a certificate rule, a special code-signing certificate must be issued by a Certification
Authority. The private key portion of the certificate is then used to sign the files that are allowed
to run. The public key portion of the certificate is then made available to all who need to use the
signed files.
The certificate rules are normally used in a situation where no software is allowed to run except
those files signed by a trusted code-signing certificate. This exclusive model requires constant
oversight as new software or revisions to existing software come along. It is, however, the most
secure computing model available.
AppLocker Policies
Microsoft provided software restriction policies in Windows XP to control the software allowed to
run on computers in the environment. A new, more advanced version of software restriction
policies, AppLocker, is now available for Windows Server 2008 R2 and Windows 7.
The following are AppLocker features:
More powerful publisher rules: AppLocker has the ability to create a rule for a
product name. This eliminates the need to regenerate the hash rule for every update of
an application. Based on publisher, product name, file name, or version, this
information is taken from the digital signature of the application.
Simplified rule processing structure: AppLocker removes the complex precedence
rules for different rule types. Now, all deny rules take precedence over allow rules.
User rules for non-interactive logons: With AppLocker, a help desk administrator
who is remotely administering a user's desktop has the rules enforced whether they are
interactively logged on or not.
Separate policies for .exe files, .msi files, scripts, and DLLs: In AppLocker,
executable rules apply to executable code; path rules created for executable programs
do not apply to DLLs. To control DLL behavior, simply create a DLL rule.
Auditing mode: In AppLocker, enable an audit-only mode to watch or track the
AppLocker process without actually blocking access to files.
Wizard for rule creation: In AppLocker, use a rule creation wizard to generate rules
that allow all applications in a specified folder to run.
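The hash, certificate/publisher and path rule types and AppLocker's simplified processing order described above, as an added example that is neither AppLocker's nor the course's own code: a small rule evaluator in which any matching deny rule beats allow rules and a file matched by no rule is blocked. It shows why a hash rule has to be regenerated after an update while a publisher rule does not. File paths, contents and signature fields are constructed; the hash rule uses SHA-256 here rather than the MD5 the text mentions.

```python
"""Added example, not AppLocker's or the course's own code: a model of the hash,
path and publisher rule types the text describes and of AppLocker's simplified
processing, where any matching deny rule overrides allow rules and a file that
matches no rule is blocked. All file data and signature fields are constructed."""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Publisher:
    """Signature fields a publisher rule is based on; '*' in a rule matches any value."""
    publisher: str
    product: str
    file_name: str
    version: Tuple[int, ...]


@dataclass(frozen=True)
class FileInfo:
    path: str
    content: bytes
    publisher: Optional[Publisher] = None  # None models an unsigned file

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    kind: str                           # "hash", "path" or "publisher"
    value: object                       # digest string, path glob, or Publisher pattern
    min_version: Tuple[int, ...] = ()   # publisher rules: lowest accepted version


def _publisher_matches(pattern: Publisher, signed: Optional[Publisher],
                       min_version: Tuple[int, ...]) -> bool:
    if signed is None:
        return False  # an unsigned file can never satisfy a publisher rule
    pairs = ((pattern.publisher, signed.publisher), (pattern.product, signed.product),
             (pattern.file_name, signed.file_name))
    if any(want != "*" and want.lower() != have.lower() for want, have in pairs):
        return False
    return signed.version >= min_version


def rule_matches(rule: Rule, f: FileInfo) -> bool:
    if rule.kind == "hash":
        return rule.value.lower() == f.digest()
    if rule.kind == "path":
        # Windows paths are case-insensitive, so compare lower-cased globs.
        return fnmatch.fnmatchcase(f.path.lower(), rule.value.lower())
    if rule.kind == "publisher":
        return _publisher_matches(rule.value, f.publisher, rule.min_version)
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(rules: List[Rule], f: FileInfo) -> str:
    """Deny beats allow; a file matched by no allow rule is denied by default."""
    matched = [r for r in rules if rule_matches(r, f)]
    if any(r.action == "deny" for r in matched):
        return "deny"
    if any(r.action == "allow" for r in matched):
        return "allow"
    return "deny"


# Constructed sample: a signed application, its updated build, the same build
# launched from a Downloads folder, and an unsigned file.
WIDGET_V1 = FileInfo(r"C:\Program Files\Widget\widget.exe", b"widget build 1",
                     Publisher("O=WIDGET CORP", "WIDGET SUITE", "WIDGET.EXE", (1, 0)))
WIDGET_V2 = FileInfo(r"C:\Program Files\Widget\widget.exe", b"widget build 2",
                     Publisher("O=WIDGET CORP", "WIDGET SUITE", "WIDGET.EXE", (2, 0)))
WIDGET_DOWNLOAD = FileInfo(r"C:\Users\joe\Downloads\widget.exe", b"widget build 2",
                           WIDGET_V2.publisher)
UNSIGNED = FileInfo(r"C:\Program Files\Widget\helper.exe", b"no signature")

HASH_RULE = Rule("allow", "hash", WIDGET_V1.digest())
PUBLISHER_RULE = Rule("allow", "publisher",
                      Publisher("O=WIDGET CORP", "WIDGET SUITE", "*", ()), min_version=(1, 0))
DENY_DOWNLOADS = Rule("deny", "path", r"C:\Users\*\Downloads\*")


def verdicts() -> Dict[str, str]:
    """Why the text prefers publisher rules, and how deny precedence works."""
    return {
        # The hash rule allows exactly the bits it was generated from ...
        "hash_rule_v1": evaluate([HASH_RULE], WIDGET_V1),
        # ... so the updated build no longer matches and falls to the default deny.
        "hash_rule_v2": evaluate([HASH_RULE], WIDGET_V2),
        # The publisher rule survives the update: the signature fields still match.
        "publisher_rule_v2": evaluate([PUBLISHER_RULE], WIDGET_V2),
        # A matching deny rule wins even though the publisher rule also matches.
        "publisher_plus_deny_download": evaluate([PUBLISHER_RULE, DENY_DOWNLOADS],
                                                 WIDGET_DOWNLOAD),
        # Nothing allows an unsigned file, so it is denied.
        "unsigned": evaluate([PUBLISHER_RULE, DENY_DOWNLOADS], UNSIGNED),
    }


if __name__ == "__main__":
    for case, verdict in verdicts().items():
        print(f"{case:30} {verdict}")
```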
Logon Scripts
In the past, actions that could not be configured as Group Policy settings were performed by logon
scripts. More and more of these settings are now incorporated into Group Policy as individual
configurable items.
For instance, historically, logon scripts were used to create a mapped network drive for users at
logon. With Windows 7 and Windows Server 2008 R2, Group Policy now contains a User
Configuration, Preferences, Windows Settings, Drive Maps option that allows you to configure
the mapped drives.
In addition to logon scripts, Group Policy can also provide computer startup and shutdown scripts
that execute when the computer starts, or is shut down. These can be cleanup or maintenance
related activities.
Using familiar batch file programming or VBScript, you can still write scripts. However, it is now
possible to design the scripts using Windows PowerShell. Since Windows PowerShell is now
automatically installed on Windows 7 and Windows Server 2008 R2, Windows PowerShell scripts
will be more common in the future.
ADMX Templates
ADMX files contain the settings that are represented in the Administrative Templates section of
a Group Policy. These templates, as their name implies, are based on standard XML and have an
.admx file extension. This file type replaced the .adm standard for administrative templates.
Windows 7 stores these .admx files in the %Windir%\PolicyDefinitions folder. If you need to,
you can also download additional policy definitions directly from Microsoft.
These policies are passed down to the Windows 7 workstations from a Windows Server 2008 R2
central store. A central store is a location that lives within the SYSVOL folder. You need to create
the central store only once. The store is then replicated to all of the other domain controllers via
the replication process.
The central store contains a root-level folder that houses all of the non-language-specific policy
definitions and lower level folders that contain any language-specific policy definitions. You can
copy the .admx files into the appropriate location using any copy method, such as Xcopy or copy
and paste.
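Creating the central store described above is a one-time copy into SYSVOL. The following is an added example, not from the course, that performs the copy from a Windows 7 workstation and then checks that every .admx template has its language resource (.adml) file, which is the usual cause of template errors in the Group Policy Management Console; the language folder en-US is assumed.

```powershell
# Added example (not from the course text): create the Group Policy central
# store from a Windows 7 workstation's local PolicyDefinitions folder and
# verify that each .admx has a matching .adml. Assumes an account that can
# write to SYSVOL and that the console language is en-US.
$domain   = (Get-WmiObject Win32_ComputerSystem).Domain
$local    = "$env:WINDIR\PolicyDefinitions"
$store    = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$language = 'en-US'

# Root folder holds the non-language-specific .admx files; one subfolder per
# language holds the .adml resources.
New-Item -ItemType Directory -Path "$store\$language" -Force | Out-Null

# Copy once; from here on SYSVOL replication delivers the store to every DC.
Copy-Item -Path "$local\*.admx"           -Destination $store -Force
Copy-Item -Path "$local\$language\*.adml" -Destination "$store\$language" -Force

function Test-CentralStore {
    # Returns the names of .admx files that have no .adml in the language
    # folder; GPMC shows such templates as errors instead of their settings.
    param([string]$Path, [string]$Lang)
    $adml = Get-ChildItem "$Path\$Lang" -Filter *.adml |
            ForEach-Object { $_.BaseName }
    Get-ChildItem $Path -Filter *.admx |
        Where-Object { $adml -notcontains $_.BaseName } |
        Select-Object -ExpandProperty Name
}

$missing = Test-CentralStore -Path $store -Lang $language
if ($missing) {
    "Templates without a $language resource file:"
    $missing
} else {
    $count = (Get-ChildItem $store -Filter *.admx).Count
    "Central store complete: $count templates with $language resources"
}
```

Once the central store exists, the Group Policy Management Console reads templates from it instead of the local %Windir%\PolicyDefinitions folder, so a template missing from the store is also missing from the editor.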
You can open .admx or .adm files with any text editor, including Notepad. However, you must
ensure that your text editor does in fact understand the .xml syntax. You can also use Visual
Studio or the easy-to-use and navigate XML Notepad 2007. This is a simple and free download
from the Microsoft software download site.
Group Policy, as you learned, affects many different computer and user settings. It is important to
realize that Group Policy also affects many different locations. Administrators can apply policies
to many locations, such as the Active Directory site, domain, and the OU. Remember,
administrators can also configure local policy on the workstations as well.
Administrators need to figure out how all of these policies may or may not affect each other.
Microsoft has provided a simple Group Policy application procedure.
The acronym is: LSDOU (Local, Site, Domain, Organizational Unit). This simply states that
policies are applied to the Windows 7 workstations in that order.
1. Local: Local policies are applied first. Local policies apply only to the local computer
or workstation.
2. Site: ADDS site policies are applied second. Site policies apply to the subnet IDs that
match the site that the computer or user is located within.
3. Domain: ADDS domain policies are applied third. Domain policies apply to all users
and computers in the same domain.
4. OU: ADDS OU policies are applied last. OU policies apply to all users and computers
in the OU that the policy is linked to. Sometimes OUs are nested within other OUs
because they are easy to manage this way. Any policies within the nested OUs are
applied one at a time after the initial OU policy.
The Group Policy application model is a simple one to master, until policies start to conflict. For
example, a domain administrator applies a policy to the domain that prevents access to Windows 7
Control Panel. However, a branch office administrator has a policy that allows access to Windows 7
Control Panel of the OU that he or she is responsible for. What happens? Again, Microsoft has an
easy-to-understand rule of Group Policy precedence. The rule simply states that the policy that is
applied last wins. So in the previous example where the OU lives within the domain, the users
within the OU would not be affected by the policy and they would have access to Control Panel.
To manage group policies most effectively, there should be a good foundation to apply them to.
This foundation normally exists as a hierarchy of OUs within the domain environment. Group
policies certainly can be applied to the site and the domain levels, but the real power of Group
Policy is in being able to apply it in a granular fashion.
When applying a GPO to an OU structure, it is important to remember that a policy applied at a
parent OU is automatically inherited by all child and grandchild OUs. This default behavior
should be leveraged so that settings that really should apply to a broad range of users and
computers are applied at a higher parent level, while settings that should affect only a subset of
accounts are applied at a child OU. Structuring the OUs appropriately can make this process
much easier.
Sometimes this normal inheritance process can be limiting. For that reason, there are three ways to
disrupt the inheritance of higher-level policies:
Contradictory Settings
If a child OU has the need to opt out of a particular Group Policy setting, a new GPO can be
created at that level that has the opposite setting. The last policy applied in the processing
sequence wins.
Block Inheritance
When a very large number of settings are configured at a higher level and many of them should
not apply to a child OU, enable the Block Inheritance attribute on the OU so that no policies from
above apply.
Enforce
The Enforce option is applied at higher levels of the policy architecture to ensure that certain
policies cannot be overridden or be blocked. The Enforce option is applied to an individual GPO.
Depending on the options you enable, some GPOs can be overridden or blocked while others can
be made mandatory. The Enforce option always wins.
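The LSDOU order, the "last policy applied wins" rule, and the three ways of disrupting inheritance can be checked against a small model. The following is an added example, not from the course, that walks the Control Panel scenario above through contradictory settings, Enforce, and Block Inheritance; the container and GPO names are made up.

```powershell
# Added example (not from the course text): a model of LSDOU processing with
# Block Inheritance and Enforce, run on the Control Panel scenario above.
# Container and GPO names are made up.
function Resolve-GpoSetting {
    # $Chain holds containers in processing order: Local, Site, Domain, then
    # each OU from the top of the tree down to the one holding the account.
    param([object[]]$Chain, [string]$Setting)
    $normal = @(); $enforced = @()
    foreach ($container in $Chain) {
        # Block Inheritance discards every non-enforced GPO collected so far.
        if ($container.BlockInheritance) { $normal = @() }
        foreach ($gpo in $container.GPOs) {
            if (-not $gpo.Settings.ContainsKey($Setting)) { continue }
            if ($gpo.Enforce) { $enforced += $gpo } else { $normal += $gpo }
        }
    }
    # Last policy applied wins. Enforced GPOs are applied after the normal ones,
    # in reverse order, so the highest-level enforced GPO is applied last.
    $winner = $null
    foreach ($gpo in $normal) { $winner = $gpo }
    for ($i = $enforced.Count - 1; $i -ge 0; $i--) { $winner = $enforced[$i] }
    if ($winner -eq $null) { return "$Setting is not configured by any GPO" }
    "$Setting = $($winner.Settings[$Setting]) (from '$($winner.Name)')"
}

$setting   = 'Prohibit access to the Control Panel'
$domainGpo = @{ Name = 'Domain Lockdown'; Enforce = $false
                Settings = @{ 'Prohibit access to the Control Panel' = 'Enabled' } }
$branchGpo = @{ Name = 'Branch Desktop';  Enforce = $false
                Settings = @{ 'Prohibit access to the Control Panel' = 'Disabled' } }
$chain = @(
    @{ Name = 'Local';            BlockInheritance = $false; GPOs = @() },
    @{ Name = 'Site HQ';          BlockInheritance = $false; GPOs = @() },
    @{ Name = 'Domain';           BlockInheritance = $false; GPOs = @($domainGpo) },
    @{ Name = 'OU Branch Office'; BlockInheritance = $false; GPOs = @($branchGpo) }
)

# 1. Contradictory settings: the OU GPO is applied last, so branch users keep
#    Control Panel (Disabled, from 'Branch Desktop').
Resolve-GpoSetting -Chain $chain -Setting $setting

# 2. Enforce on the domain GPO: it is applied last and cannot be overridden
#    (Enabled, from 'Domain Lockdown').
$domainGpo.Enforce = $true
Resolve-GpoSetting -Chain $chain -Setting $setting

# 3. Block Inheritance on the OU does not stop an enforced GPO; Enforce wins.
$chain[3].BlockInheritance = $true
Resolve-GpoSetting -Chain $chain -Setting $setting
```

On a real workstation the same question is answered by gpresult.exe, which lists the applied and denied GPOs in processing order.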
There are several tools, some graphical and some command-line based, that are used in managing
and troubleshooting the Group Policy process. The following topics describe these tools.
GPMC.msc
The Group Policy Management Console is the primary tool for viewing and managing all of the
policies that exist in a given Active Directory forest. All of the sites, domains and OUs can be
viewed from one console interface. The tool also displays a listing of all GPOs defined in each
domain, even if they are not currently applied to anything.
In addition to displaying the structure of the group policies, the GPMC tool allows the
administrator to quickly see which policy settings are being applied at each level of the OU
structure without opening each policy in the Group Policy Management Editor.
There are also built-in tools for viewing Group Policy modeling and Group Policy results. These
tools are invaluable in testing and troubleshooting policy application.
Gpedit.msc
The Group Policy Management Editor is a tool that can be launched from within the Group Policy
Management console, or stand-alone. When launched by itself, the local policies of a computer
can be viewed.
Using the editor, you can view and modify all of the policy settings within a GPO. Many settings
within the editor are simply On, Off or Not Configured. Other settings may require selections
from drop-down lists, while others may require text entry.
Gpupdate.exe
The Group Policy Update tool is a command-line tool used to force policy application. When
troubleshooting policies, it may sometimes be necessary to apply policies ahead of the normal
refresh interval of 30 to 90 minutes.
Gpresult.exe
The Group Policy Results tool is a command-line tool that can display all of the policy settings
that are active for a computer or user. The output from the tool can be redirected to a file for later
viewing.
RSoP Snap-in
Another tool that can be used to troubleshoot policy application is the Resultant Set of Policy
Snap-in. This tool displays policies in a graphical fashion much like that of the Group Policy
Management Editor. The RSoP snap-in has largely been replaced by similar functionality built
into the Group Policy Management Console.
In the past, the GPMC was a feature pack download for Windows Server 2003. Now, the GPMC
is the standard tool for managing group policies.
Acronyms
The following acronyms are used in this section:
Section Review
Summary
The DNS Service is used to resolve DNS domain names into their corresponding IP
addresses. This is the naming standard used for the Internet at large and also for the
internal Active Directory environment.
Windows Server 2008 R2 Active Directory stores object information, authenticates
user identification, and implements group and security policies. The heart of Active
Directory is a distributed database that stores meaningful object information for the
Users, Groups, Computers, Contacts, Printers, and Shared folders objects. Active
Directory is made up of the following hierarchical collection of components: Forest,
Tree, Domain, Global catalog, Organizational Unit, Domain controller, and Site.
Before joining an Active Directory domain, the following requirements must be met:
The computer must be configured with a proper DNS server address.
The server address must allow the client to contact a domain controller.
The user must log on as a local administrator or equivalent.
To join an Active Directory, follow these steps:
1. Click Start, right-click Computer, and then select Properties.
2. Click the Change Settings link, and then click the Change button.
3. Select the Domain option, type the name of the domain you want to join, and then
click OK.
4. Type user name and password and then click OK.
5. Restart the computer.
To configure and edit Windows 7 local security policies, open the gpedit.msc console
and expand Computer Configuration, Windows Settings, and Security Settings.
To remotely administer Active Directory, use the following Windows 7 Active
Directory tools:
Tool                       Description
Remote command-line tools  Remotely manages either the local computer or the remote computers; many command-line tools are available
Remote Desktop             Connects to the server and runs tools and utilities as if sitting at the server console
Windows 7 MMC tools        Focuses on remote computer management; the Computer Management Console is one example of the many tools available
RSAT                       Downloads and installs dozens of remote server MMC tools for free; each tool must be enabled in the administrative tools listing
Figure 196: Windows 7 Active Directory Tools
ADMX templates house policy definitions for the Administrative Templates section
of a Group Policy. Using ADMX templates, you can configure thousands of possible
desktop and user settings.
To configure the Windows 7 Group Policy objects, open the gpmc.msc and either edit
an existing Group Policy object, or create a new one.
The four levels at which Group Policy objects can be applied are:
Local: These policies apply to the local computer or workstation.
Site: These policies apply to the subnet IDs that match the site that the computer
or user is located within.
Domain: These policies apply to all users and computers in the same domain.
Organizational Unit: These policies apply to all users and computers in the OU
that the policy is linked to.
Knowledge Check
1. Which of the following examples are fully qualified DNS names? (Choose all that apply.)
a. www.mycompany.westernstates.local
b. http://joe.com
c. Http://joe.com
d. Server1.managementdept.newyorkcity.manhattan.us
e. Server21
2. How are ADMX templates used to configure Administrative Templates settings?
3. Susan Winters has been tasked to configure the network settings on 34 Windows 7 computers. She
logs on to her Windows 7 management workstation named wks1.ziffcom.local. She clicks the
Start button and then types LOC in the Search box. She opens the local security policy as an
administrator. Has she begun to handle this task correctly?
4. Which criteria must be met before you can join an Active Directory domain?
7. Match each Windows 7 Active Directory tool with its correct description. Write the letter of the
description in the Answer column.
8. What are the main goals of Windows Server 2008 R2 Active Directory? (Choose all that apply).
a. Stores object information
b. Authenticates user identification
c. Distributes software packages
d. Implements group and security policies
9. Briefly describe the process used to configure the Windows 7 local policy.
Open the gpedit.msc console and expand Computer Configuration, Windows Settings, and
Security Settings to configure and edit Windows 7 local security policies.