[Figure: parts of a CBLM package: Front Page, List of Competencies, Module Content, Module, Learning Experiences, Information Sheet, Self Check, Operation/Task/Job Sheet, Performance Criteria Checklist, References/Further Reading]
In our efforts to standardize CBLM, the
above parts are recommended for use in
Competency Based Training (CBT) in
Technical Education and Skills
Development Authority (TESDA)
Technology Institutions. The next
sections will show you the components
and features of each part.
Sector:
ELECTRONICS
Qualification:
COMPUTER SYSTEM SERVICING NC II
Unit of Competency: INSTALL AND CONFIGURE COMPUTER SYSTEM
Module Title: Installing and Configuring Computer System
MANILA, PHILIPPINES
You need to complete this module before you perform the module on (Diagnose
and troubleshoot computer systems).
List of Competencies
1 Install and configure computer systems Installing and configuring computer systems ELC724331
MODULE DESCRIPTOR: This unit covers the outcomes required in installing and
configuring desktop and workstation computer systems.
It consists of competencies to assemble computer
hardware, install operating system and drivers for
peripherals/devices, and install application software as
well as to conduct testing and documentation.
LEARNING OUTCOMES:
At the end of this module you MUST be able to:
LO1. Assemble computer hardware
LO2. Prepare installer
LO3. Install operating system and drivers for peripherals/ devices
LO4. Install application software
LO5. Conduct testing and documentation
Introduction to Server
Learning Objectives:
After reading this INFORMATION SHEET, YOU MUST be able to:
1. Explain what a server is
2. Identify the types of server
3. Identify the sizes of server
INTRODUCTION TO SERVER
A server is a system (software and suitable computer hardware) that responds to requests
across a computer network to provide, or help to provide, a network service. Servers can be
run on a dedicated computer, which is also often referred to as "the server", but many
networked computers are capable of hosting servers. In many cases, a computer can
provide several services and have several servers running.
The term server is used quite broadly in information technology. Despite the many server-
branded products available (such as server versions of hardware, software or operating
systems), in theory any computerized process that shares a resource to one or more client
processes is a server. To illustrate this, take the common example of file sharing. While the
existence of files on a machine does not classify it as a server, the mechanism which shares
these files to clients by the operating system is the server.
Similarly, consider a web server application (such as the multiplatform "Apache HTTP
Server"). This web server software can be run on any capable computer. For example, while
a laptop or personal computer is not typically known as a server, they can in these situations
fulfill the role of one, and hence be labeled as one. It is, in this case, the machine's role that
places it in the category of server.
In the hardware sense, the word server typically designates computer models intended for
hosting software applications under the heavy demand of a network environment. In this
server configuration one or more machines, either a computer or a computer appliance,
share information with each other with one acting as a host for the other.
SERVER HARDWARE
Hardware requirements for servers vary, depending on the server application. Absolute CPU
speed is not quite as critical to a server as it is to a desktop machine. Servers' duties to
provide service to many users over a network lead to different requirements such as fast
network connections and high I/O throughput. Since servers are usually accessed over a
network, they may run in headless mode without a monitor or input device. Processes that
are not needed for the server's function are not used. Many servers do not have a graphical
user interface (GUI) as it is unnecessary and consumes resources that could be allocated
elsewhere. Similarly, audio and USB interfaces may be omitted.
Specific to the Web, a web server is the computer program (housed in a computer) that
serves requested html pages or files. A Web client is the requesting program associated with
the user. The Web Browser in your computer is a client that requests HTML files from Web
servers.
TYPES OF SERVER
Catalog server: a central search point for information across a distributed network
Game server: a server that video game clients connect to in order to play online together
Mobile server (or Server on the Go): an Intel Xeon processor based server-class laptop
form factor computer
Proxy server: acts as an intermediary for requests from clients seeking resources from other
servers
Stand-alone server: a server on a Windows network that neither belongs to nor governs a
Windows domain
Web server: a server that HTTP clients connect to in order to send commands and receive
responses along with data contents
Server-oriented operating systems tend to have certain features that make them more
suitable for the server environment, such as:
Ability to reconfigure and update both hardware and software to some extent without restart
Advanced backup facilities to permit regular and frequent online backups of critical data
Tight system security, with advanced user, resource, data, and memory protection.
Server-oriented operating systems can, in many cases, interact with hardware sensors to
detect conditions such as overheating, processor and disk failure, and consequently alert an
operator or take remedial measures themselves.
Rack server
Tower server
Blade server
Mobile server
CONCLUSION From the above basic study, a server is a system (software and suitable
computer hardware) that responds to requests across a computer network to provide, or
help to provide, a network service.
Using Vista's installation routine is a major benefit, especially for a server OS. Administrators
can partition the system's hard drives during setup. More importantly, they can install the
necessary AHCI or RAID storage drivers from a CD/DVD or even a USB thumb drive. Thus,
error-prone floppies can finally be sent to the garbage bin.
Note: Windows Server 2008 can also be installed as a Server Core installation, which is a
cut-down version of Windows without the Windows Explorer GUI. Because you don't have
the Windows Explorer to provide the GUI interface that you are used to, you configure
everything through the command line interface or remotely using a Microsoft Management
Console (MMC). The Server Core can be used for dedicated machines with basic roles such
as Domain controller/Active Directory Domain Services, DNS Server, DHCP Server, file
server, print server, Windows Media Server, IIS 7 web server and Windows Server
Virtualization virtual server. For Server Core installations please see my Installing
Windows Server 2008 Core article.
To use Windows Server 2008 you need to meet the following hardware requirements:
Component | Requirement
Processor | Minimum: 1GHz (x86 processor) or 1.4GHz (x64 processor). Recommended: 2GHz or faster. Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-based Systems.
Memory | Minimum: 512MB RAM. Recommended: 2GB RAM or greater. Maximum (32-bit systems): 4GB (Standard) or 64GB (Enterprise and Datacenter). Maximum (64-bit systems): 32GB (Standard) or 2TB (Enterprise, Datacenter and Itanium-based Systems).
Available Disk Space | Minimum: 10GB. Recommended: 40GB or greater. Note: Computers with more than 16GB of RAM will require more disk space for paging, hibernation, and dump files.
Drive | DVD-ROM drive
Display and Peripherals | Super VGA (800 x 600) or higher-resolution monitor; keyboard; Microsoft Mouse or compatible pointing device
Upgrade notes:
I will not discuss the upgrade process in this article, but for your general knowledge, the
upgrade paths available for Windows Server 2008 are shown in the table below:
1. Insert the appropriate Windows Server 2008 installation media into your DVD drive. If
you don't have an installation DVD for Windows Server 2008, you can download one for free
from Microsoft's Windows 2008 Server Trial website.
3. When prompted for an installation language and other regional options, make your
selection and press Next.
5. Product activation is now also identical with that found in Windows Vista. Enter
your Product ID in the next window, and if you want to automatically activate Windows the
moment the installation finishes, click Next.
6. Because you did not provide the correct ID, the installation process cannot determine
what kind of Windows Server 2008 license you own, and therefore you will be prompted
to select your correct version in the next screen, assuming you are telling the truth and will
provide the correct ID to prove your selection later on.
8. Read and accept the license terms by clicking to select the checkbox and pressing Next.
10. In the "Where do you want to install Windows?" screen, if you're installing the server on a regular
IDE hard disk, click to select the first disk, usually Disk 0, and click Next.
If you're installing in a Virtual Machine environment, make sure you read the Installing the
Virtual SCSI Controller Driver for Virtual Server 2005 on Windows Server 2008.
If you must, you can also click Drive Options and manually create a partition on the
destination hard disk.
11. The installation now begins, and you can go and have lunch. Copying the setup files
from the DVD to the hard drive only takes about one minute. However, extracting and
uncompressing the files takes a good deal longer. After 20 minutes, the operating system is
installed. The exact time it takes to install server core depends upon your hardware
specifications. Faster disks will perform much faster installs. Windows Server 2008 takes
up approximately 10 GB of hard drive space.
12. Then the server reboots and you'll be prompted with the new Windows Server 2008 type of
login screen. Press CTRL+ALT+DEL to log in.
15. You will be prompted to change the users password. You have no choice but to
press Ok.
17. Someone thought it would be cool to nag you once more, so now you'll be prompted to
accept the fact that the password had been changed. Press Ok.
Next, for the initial configuration tasks please follow my other Windows Server 2008 articles
found on the Related Windows Server 2008 Articles section below.
Installation
Open Server Manager and click on Roles. This will bring up the Roles Summary on the right
hand side, where you can click on the Add Roles link.
This will bring up the Add Roles Wizard, where you can click on next to see a list of available
Roles. Select Active Directory Domain Services from the list. You will be told that you need to
add some features; click on the Add Required Features button and click next to move on.
A brief introduction to Active Directory will be displayed, as well as a few links to additional
resources. You can just click next to skip past here and click install to start installing the
binaries for Active Directory.
Configuration
Open up Server Manager, expand Roles and click on Active Directory Domain Services. On
the right hand side click on the Run the Active Directory Domain Services Installation Wizard
(dcpromo.exe) link.
The message that is shown now relates to older clients that do not support the new
cryptographic algorithms that Server 2008 R2 supports and uses by default. Click next
to move on.
Now you can name your domain. We will be using a .local domain; the reason why will be
explained in an upcoming article.
We want to include DNS in our installation, as this will allow us to have an AD Integrated DNS
Zone. When you click next you will be prompted with a message; just click yes to continue.
Choose a STRONG Active Directory Restore Mode Password and click next twice to kick off
the configuration.
When it's done you will be notified and required to reboot your PC.
As many of you are probably aware, the Domain Name System (DNS) is now the name
resolution system of choice in Windows. Without it, computers would have a very tough time
communicating with each other. However, most Windows administrators still rely on
the Windows Internet Name Service (WINS) for name resolution on local area networks and
some have little or no experience with DNS. If you fall into this category, read on. We'll explain
how to install, configure, and troubleshoot a Windows Server 2008 DNS server.
This blog post is also available in PDF form as a TechRepublic Download and as
a TechRepublic Photo Gallery.
Installation
You can install a DNS server from the Control Panel or when promoting a member server to
a domain controller (DC) (Figure A). During the promotion, if a DNS server is not found, you
will have the option of installing it.
Figure A
To install a DNS server from the Control Panel, follow these steps:
From the Start menu, select Control Panel | Administrative Tools | Server Manager.
Expand and click Roles (Figure B).
Choose Add Roles and follow the wizard by selecting the DNS role (Figure C).
Click Install to install DNS in Windows Server 2008 (Figure D).
Figure B
DNS role
Figure D
Install DNS
After installing DNS, you can find the DNS console from Start | All Programs | Administrative
Tools | DNS. Windows 2008 provides a wizard to help configure DNS.
When configuring your DNS server, you must be familiar with the following concepts:
A forward lookup zone is simply a way to resolve host names to IP addresses. A reverse
lookup zone allows a DNS server to discover the DNS name of the host. Basically, it is the
exact opposite of a forward lookup zone. A reverse lookup zone is not required, but it is easy
to configure and will allow for your Windows Server 2008 Server to have full DNS functionality.
When selecting a DNS zone type, you have the following options: Active Directory (AD)
Integrated, Standard Primary, and Standard Secondary. AD Integrated stores the database
information in AD and allows for secure updates to the database file. This option will appear
only if AD is configured. If it is configured and you select this option, AD will store and replicate
your zone files.
A Standard Primary zone stores the database in a text file. This text file can be shared with
other DNS servers that store their information in a text file. Finally, a Standard Secondary zone
simply creates a copy of the existing database from another DNS server. This is primarily used
for load balancing.
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Highlight your computer name and choose Action | Configure a DNS Server... to launch
the Configure DNS Server Wizard.
3. Click Next and choose to configure the following: forward lookup zone, forward and
reverse lookup zone, root hints only (Figure E).
4. Click Next and then click Yes to create a forward lookup zone (Figure F).
5. Select the appropriate radio button to install the desired Zone Type (Figure G).
6. Click Next and type the name of the zone you are creating.
7. Click Next and then click Yes to create a reverse lookup zone.
8. Repeat Step 5.
9. Choose whether you want an IPv4 or IPv6 Reverse Lookup Zone (Figure H).
10. Click Next and enter the information to identify the reverse lookup zone (Figure I).
11. You can choose to create a new file or use an existing DNS file (Figure J).
12. On the Dynamic Update window, specify how DNS accepts secure, nonsecure, or no
dynamic updates.
13. If you need to apply a DNS forwarder, you can apply it on the Forwarders window.
(Figure K).
14. Click Finish (Figure L).
[Figures E to L: Configure DNS Server Wizard screens. Figure H: IPv4 or IPv6]
You have now installed and configured your first DNS server, and you're ready to add records
to the zone(s) you created. There are various types of DNS records available. Many of them
you will never use. We'll be looking at these commonly used DNS records:
The Start of Authority (SOA) resource record is always first in any standard zone. The Start of
Authority (SOA) tab allows you to make any adjustments necessary. You can change the
primary server that holds the SOA record, and you can change the person responsible for
managing the SOA. Finally, one of the most important features of Windows 2000 is that you
can change your DNS server configuration without deleting your zones and having to re-create
the wheel (Figure M).
Figure M
Change configuration
Name Servers specify all name servers for a particular domain. You set up all primary and
secondary name servers through this record.
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Expand the Forward Lookup Zone.
3. Right-click on the appropriate domain and choose Properties (Figure N).
4. Select the Name Servers tab and click Add.
5. Enter the appropriate FQDN Server name and IP address of the DNS server you want
to add.
Figure N
Name Server
A Host (A) record maps a host name to an IP address. These records help you easily identify
another server in a forward lookup zone. Host records improve query performance in multiple-
zone environments, and you can also create a Pointer (PTR) record at the same time. A PTR
record resolves an IP address to a host name.
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Expand the Forward Lookup Zone and click on the folder representing your domain.
3. From the Action menu, select New Host.
Figure O
A Pointer (PTR) record creates the appropriate entry in the reverse lookup zone for reverse
queries. As you saw in Figure H, you have the option of creating a PTR record when creating
a Host record. If you did not choose to create your PTR record at that time, you can do it at
any point.
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Choose the reverse lookup zone where you want your PTR record created.
3. From the Action menu, select New Pointer (Figure P).
4. Enter the Host IP Number and Host Name.
5. Click OK.
Figure P
A Canonical Name (CNAME) or Alias record allows a DNS server to have multiple names for
a single host. For example, an Alias record can have several records that point to a single
server in your environment. This is a common approach if you have both your Web server and
your mail server running on the same machine.
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Expand the Forward Lookup Zone and highlight the folder representing your domain.
3. From the Action menu, select New Alias.
4. Enter your Alias Name (Figure Q).
5. Enter the fully qualified domain name (FQDN).
6. Click OK.
Figure Q
Mail Exchange records help you identify mail servers within a zone in your DNS database.
With this feature, you can prioritize which mail servers will receive the highest priority. Creating
MX records will help you keep track of the location of all of your mail servers.
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Expand the Forward Lookup Zone and highlight the folder representing your domain.
3. From the Action menu, select New Mail Exchanger.
4. Enter the Host Or Domain (Figure R).
5. Enter the Mail Server and Mail Server Priority.
6. Click OK.
Host or Domain
You can create many other types of records. For a complete description, choose Action | Other
New Records from the DNS console (Figure S). Select the record of your choice and view the
description.
Figure S
When troubleshooting DNS servers, the nslookup utility will become your best friend. This
utility is easy to use and very versatile. It's a command-line utility that is included within
Windows 2008. With nslookup, you can perform query testing of your DNS servers. This
information is useful in troubleshooting name resolution problems and debugging other server-
related problems. You can access nslookup (Figure T) right from the DNS console.
Figure T
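The record types described above (A, PTR, CNAME, MX) can drift out of agreement as hosts are added and retired, which is what nslookup testing usually ends up uncovering one query at a time. The following is an added example, not part of the original article: it audits a list of zone records for the same inconsistencies in one pass. The tuple format, the example.local names and the addresses are constructed for illustration, and the audit assumes every alias and mail server target is expected to live in the audited data.

```python
import ipaddress

# Constructed sample zone data (not from the page): (owner name, type, data).
SAMPLE_RECORDS = [
    ("dc1.example.local", "A", "192.168.1.10"),
    ("web1.example.local", "A", "192.168.1.20"),
    ("mail1.example.local", "A", "192.168.1.30"),
    ("10.1.168.192.in-addr.arpa", "PTR", "dc1.example.local"),
    ("20.1.168.192.in-addr.arpa", "PTR", "oldweb.example.local"),     # stale PTR
    ("www.example.local", "CNAME", "web1.example.local"),
    ("intranet.example.local", "CNAME", "sharepoint.example.local"),  # no such host
    ("example.local", "MX", "10 mail1.example.local"),
    ("example.local", "MX", "20 mail2.example.local"),                # no such host
]


def _norm(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def audit_zone(records):
    """Return a sorted list of (finding, owner name) tuples for inconsistent records."""
    a_by_name = {}     # host name -> set of IPv4 address strings
    ptr_by_owner = {}  # reverse lookup name -> host name it points to
    cnames = {}        # alias -> canonical name
    mail = []          # (domain, mail server name)
    for owner, rtype, data in records:
        owner = _norm(owner)
        if rtype == "A":
            a_by_name.setdefault(owner, set()).add(str(ipaddress.IPv4Address(data)))
        elif rtype == "PTR":
            ptr_by_owner[owner] = _norm(data)
        elif rtype == "CNAME":
            cnames[owner] = _norm(data)
        elif rtype == "MX":
            _priority, server = data.split()
            mail.append((owner, _norm(server)))

    findings = set()
    reverse_names_in_use = set()
    for host, addresses in a_by_name.items():
        for ip in addresses:
            # 192.168.1.10 -> 10.1.168.192.in-addr.arpa
            reverse_name = ipaddress.ip_address(ip).reverse_pointer
            reverse_names_in_use.add(reverse_name)
            target = ptr_by_owner.get(reverse_name)
            if target is None:
                findings.add(("A_WITHOUT_PTR", host))
            elif ip not in a_by_name.get(target, set()):
                # The PTR names a host whose A records do not include this address.
                # Two host names sharing one address are accepted as long as the
                # PTR target resolves back to it.
                findings.add(("PTR_MISMATCH", host))

    for reverse_name in ptr_by_owner:
        if reverse_name not in reverse_names_in_use:
            findings.add(("PTR_WITHOUT_HOST", reverse_name))

    for alias, target in cnames.items():
        if target not in a_by_name and target not in cnames:
            findings.add(("DANGLING_CNAME", alias))

    for domain, server in mail:
        if server in cnames:
            findings.add(("MX_TO_CNAME", domain))   # RFC 2181 forbids alias targets
        elif server not in a_by_name:
            findings.add(("MX_WITHOUT_HOST", domain))

    return sorted(findings)


if __name__ == "__main__":
    for finding, owner in audit_zone(SAMPLE_RECORDS):
        print(f"{finding:18} {owner}")
```

Stale PTR and alias records matter beyond troubleshooting: logs and access rules that rely on reverse lookups will attribute traffic to the wrong host name until the records are corrected.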
One of the first things to do in a new network is to create Users, also called User Objects. As
long as you know the information about the user you need to create, the process will take no
time at all.
This is a task we want to do from a Domain Controller, and you should have the
Administrative Tools in your Start menu next to the Control Panel link. We'll choose
the Active Directory Users and Computers snap-in.
Once we're inside the Active Directory Users and Computers snap-in, we'll need to expand
the domain in which we want to create the user, and right-click on the Users folder. We'll then
select New|User.
Once we've created a user, there are many things that we'll need to do with them in order for
them to be useful, like adding permissions and security groups, but at least the operation for
spawning them is simple and straightforward.
Create User folders in Windows Server 2008 R2 and add them to Active Directory
Date Developed: March 2017 Document No: CSS NCII- 0001
COMPUTER
SYSTEMS Issued by:
Developed by:
SERVICING MSIT Solutions Inc.
NCII JAYSON S. BARTE
Revision # 01
Share Permissions:
This walk through takes for granted that this server is a part of an active directory environment.
i. Create a folder named Users (this can be anywhere on the server but I will put it in D:\)
ii. Right-click on this folder and select Properties.
iii. Select the Sharing tab
6. Click OK.
7. Close out the Share and storage management console
Active Directory:
If you now browse to the Users$ share folder on the server you created it on, you will notice
a folder in it with the user's username as the folder name. If you check the permissions for
the folder, the right permissions have automatically been applied. This technique
will definitely save you lots of time compared with doing it via old net use scripts.
Congratulations, you have successfully added a user folder share and added it to a user.
Please note that this can be done to multiple users at once, all you do is select all the users
in active directory and add the user share to the users.
Note
You can also create a GPO from a Starter GPO. For more information, see Create a New
GPO from a Starter GPO.
1. In the GPMC console tree, right-click Group Policy Objects in the forest and domain
in which you want to create a GPO.
2. Click New.
3. In the New GPO dialog box, specify a name for the new GPO, and then click OK.
1. In the GPMC console tree, double-click Group Policy Objects in the forest and
domain containing the GPO that you want to edit.
2. Right-click the GPO, and then click Edit.
3. In the console tree, edit the settings as appropriate.
Important
The Default Domain Policy GPO and Default Domain Controllers Policy GPO are
vital to the health of any domain. As a best practice, you should not edit the
Default Domain Controllers Policy GPO or the Default Domain Policy GPO,
except in the following cases:
Additional considerations
When you create a GPO, it will not have an effect until it is linked to a site, domain, or
organizational unit (OU).
By default only domain administrators, enterprise administrators, and members of the
Group Policy creator owners group can create and edit GPOs.
To edit IPSec policy settings from within a GPO, you must be a member of the
domain administrators group.
You can also edit a GPO by right-clicking the name of the GPO in any container in
which it is linked, and then clicking Edit.
If you are an IT pro who has never used Group Policy to control computer configurations,
this white paper is for you. Group Policy is the essential way that most organizations enforce
settings on their computers. It is flexible enough for even the most complex scenarios;
however, the essential features are easy to use in simple scenarios, which are more
common.
This white paper is an introduction to Group Policy. It first provides an overview of what you
can do with Group Policy, and then it describes essential concepts that you must know. For
example, what is a Group Policy object (GPO)? What does inheritance mean? With the
fundamentals out of the way, this white paper provides step-by-step instructions, with plenty
of screenshots, for the most common Group Policy tasks.
This guide is for Group Policy novices. As much as possible, it uses plain English to
describe Group Policy concepts in simple ways. Group Policy pros should see Group
Policy Planning and Deployment Guide on TechNet for more technically detailed
information.
For a downloadable version of this document, see Group Policy for Beginners in the
Microsoft Download Center.
Group Policy is simply the easiest way to reach out and configure computer and user
settings on networks based on Active Directory Domain Services (AD DS). If your business
is not using Group Policy, you are missing a huge opportunity to reduce costs, control
configurations, keep users productive and happy, and harden security. Think of Group Policy
as "touch once, configure many."
The requirements for using Group Policy and following the instructions that this white paper
provides are straightforward:
The network must be based on AD DS (that is, at least one server must have the AD
DS role installed). To learn more about AD DS, see Active Directory Domain
Services Overview on TechNet.
Computers that you want to manage must be joined to the domain, and users that
you want to manage must use domain credentials to log on to their computers.
Although this white paper focuses on using Group Policy in AD DS, you can also configure
Group Policy settings locally on each computer. This capability is great for one-off scenarios
or workgroup computers, but using local Group Policy is not recommended for business
networks based on AD DS. The reason is simple: Domain-based Group Policy centralizes
management, so you can touch many computers from one place. Local Group Policy
requires that you touch each computer, not an ideal scenario in a large environment. For
more information about configuring local Group Policy, see Local Group Policy Editor on
TechNet.
Windows 7 enforces the policy settings that you define by using Group Policy. In most
cases, it disables the user interface for those settings. Additionally, because Windows 7
stores Group Policy settings in secure locations in the registry, standard user accounts
cannot change those settings. So, by touching a setting one time, you can configure and
enforce that setting on many computers. When a setting no longer applies to a computer or
user, Group Policy removes the policy setting, restoring the original setting and enabling its
user interface. The functionality is all quite amazing and extremely powerful.
Standard user accounts are user accounts that are members of the local Users group
and not the local Administrators group. They have a restricted ability to configure system
settings. Windows 7 better supports standard user accounts than earlier Windows
versions, allowing these accounts to change the time zone, install printers, repair network
connections, and so on. Deploying standard user accounts is a best practice, and you do
so by simply not adding user accounts to the local Administrators group. Windows 7
automatically adds the Domain Users group to the local Users group when you join the
computer to the domain.
You can manage all aspects of Group Policy by using the Group Policy Management
Console (GPMC). Figure 1 shows the GPMC, and this white paper will refer to this figure
many times as you learn about important Group Policy concepts.
You start the GPMC from the Start menu: Click Start, All Programs, Administrative
Tools, Group Policy Management. You can also click Start, type Group Policy
Management, and then click Group Policy Management in the Programs section of the
Start menu. Windows Server 2008 and Windows Server 2008 R2 include the GPMC when
they are running the AD DS role. Otherwise, you can install the GPMC on Windows Server
2008, Windows Server 2008 R2, or Windows 7 as described in the section Installing the
GPMC in Windows 7, later in this white paper.
GPOs contain policy settings. You can think of GPOs as policy documents that apply their
settings to the computers and users within their control. If GPOs are policy documents, then
the GPMC is like Windows Explorer. You use the GPMC to create, move, and delete GPOs
just as you use Windows Explorer to create, move, and delete files.
In the GPMC, you see all the domain's GPOs in the Group Policy objects folder. In Figure 1,
the callout number 1 shows three GPOs for the corp.contoso.com domain. These
GPOs are:
Accounting Security. This is a custom GPO created specifically for Contoso, Ltd.
Default Domain Controller Policy. Installing the AD DS server role creates this
policy by default. It contains policy settings that apply specifically to domain
controllers.
Default Domain Policy. Installing the AD DS server role creates this policy by
default. It contains policy settings that apply to all computers and users in the
domain.
At the top level of AD DS are sites and domains. Simple implementations will have a single
site and a single domain. Within a domain, you can create organizational units (OUs). OUs
are like folders in Windows Explorer. Instead of containing files and subfolders, however,
they can contain computers, users, and other objects.
For example, in Figure 1 you see an OU named Departments. Below the Departments OU,
you see four subfolders: Accounting, Engineering, Management, and Marketing. These are
child OUs. Other than the Domain Controllers OU that you see in Figure 1, nothing else in
the figure is an OU.
What does this have to do with Group Policy links? Well, GPOs in the Group Policy objects
folder have no impact unless you link them to a site, domain, or OU. When you link a GPO to
a container, Group Policy applies the GPO's settings to the computers and users in that
container. In Figure 1, the callout number 1 points to two GPOs linked to OUs:
The first GPO is named Default Domain Policy, and this GPO is linked to the domain
corp.contoso.com. This GPO applies to every computer and user in the domain.
The second GPO is named Accounting Security, and this GPO is linked to the OU
named Accounting. This GPO applies to every computer and user in the Accounting
OU.
In the GPMC, you can create GPOs in the Group Policy objects folder and then link them, which takes
two steps. You can also create and link a GPO in one step. Most of the time, you will simply
create and link a GPO in a single step, which the section Creating a GPO, later in this
white paper, describes.
For example, if you create a GPO named Windows Firewall Settings and link it to the
corp.contoso.com domain in Figure 1, the settings in that GPO apply to all of the OUs you
see in the figure: Departments, Accounting, Engineering, Management, Marketing, and
Domain Controllers. If instead you link the GPO to the Departments OU, the settings in the
GPO apply only to the Departments, Accounting, Engineering, Management, and Marketing
OUs. It does not apply to the entire domain or the Domain Controllers OU. Moving down one
level, if you link the same GPO to the Accounting OU in Figure 1, the settings in the GPO
apply only to the Accounting OU, as it has no child OUs. In the GPMC, you can see what
GPOs a container is inheriting by clicking the Group Policy Inheritance tab (callout number 1
in Figure 2).
So, what happens if multiple GPOs contain the same setting? This is where order of
precedence comes into play. In general, the order in which Group Policy applies GPOs
determines precedence. The order is site, domain, OU, and child OUs. As a result, GPOs in
child OUs have a higher precedence than GPOs linked to parent OUs, which have a higher
precedence than GPOs linked to the domain, which have a higher precedence than GPOs
linked to the site. An easy way to think of this is that Group Policy applies GPOs from the top
down, overwriting settings along the way. In more advanced scenarios, however, you can
override the order of precedence.
You can also have, within a single OU, multiple GPOs that contain the same setting. Like
before, the order in which Group Policy applies GPOs determines the order of precedence.
In Figure 2, you see two GPOs linked to the domain corp.contoso.com: Windows Firewall
Settings and Default Domain Policy. Group Policy applies GPOs with a lower link order after
applying GPOs with a higher link order. In this case, it will apply Windows Firewall Settings
after Default Domain Policy. Just remember that a link order of 1 is first priority, and a link
order of 2 is second priority. You can change the link order for a container by clicking the up
and down arrows as shown by callout number 2 in Figure 2.
Date Developed: March 2017 Document No: CSS NCII- 0001
COMPUTER
SYSTEMS Issued by:
Developed by:
SERVICING MSIT Solutions Inc.
NCII JAYSON S. BARTE
Revision # 01
Note
As you are probably realizing by now, Group Policy is a remarkably versatile tool.
However, Group Policy provides the opportunity to make things overly complicated. In
simple environments, such as labs and small businesses, there is nothing wrong with
linking all of your GPOs to the domain. Keep it simple. There should be a justification for
complication. In Figure 1, if you wanted to create a GPO and link it only to the
Engineering and Marketing OUs, the justification should be that the GPO contains
settings that apply only to those two departments and should not be applied to any other
department. If you cannot make this justification, then keep things simple by linking the
GPO one time to the domain.
To this point, you have learned about GPOs. You have learned that GPMC is to GPOs and
OUs as Windows Explorer is to files and folders. GPOs are the policy documents. At some
point, you are going to have to edit one of those documents, though, and the editor you use
is the Group Policy Management Editor (GPME), which Figure 3 shows. You open a GPO in
the GPME by right-clicking it in the GPMC and clicking Edit. Once you are finished, you
simply close the window. The GPME saves your changes automatically, so you do not have
to save.
Within the Computer Configuration and User Configuration folders, you see two subfolders
(callout numbers 3 and 4 in Figure 3):
Preferences. Preferences contains preference settings that you can use to change
almost any registry setting, file, folder, or other item. By using preference settings,
you can configure applications and Windows features that are not Group Policy-aware.
For example, you can create a preference setting that configures a registry
value for a third-party application, deletes the Sample Pictures folder from user
profiles, or configures an .ini file. You can also choose whether Group Policy
enforces each preference setting or not. However, standard user accounts can
change most preference settings that you define in the User Configuration folder
between Group Policy refreshes. You can learn more about preference settings by
reading the Group Policy Preferences Overview.
When you are first learning Group Policy, most of the settings that you will configure will be
in the Administrative Templates folders. These are registry-based policy settings that Group
Policy enforces. They are different from other policy settings for two reasons. First, Group
Policy stores these settings in specific registry locations, called the Policies branches, which
standard user accounts cannot change. Group Policy-aware Windows features and
applications look for these settings in the registry. If they find these policy settings, they use
the policy settings instead of the regular settings. They often disable the user interface for
those settings as well.
Second, administrative template files, which have the .admx extension, define templates for
these settings. These templates not only define where policy settings go in the registry but
also describe how to prompt for them in the GPME. In the Group Policy setting that Figure 4
shows, for example, an administrative template file defines help text, available options,
supported operating systems, and so on.
When you edit a policy setting, you are usually confronted with the choices that callout
numbers 1 to 3 indicate in Figure 4. In general, clicking:
Enabled writes the policy setting to the registry with a value that enables it.
Disabled writes the policy setting to the registry with a value that disables it.
Not Configured leaves the policy setting undefined. Group Policy does not write the
policy setting to the registry, and so it has no impact on computers or users.
Generalizing what enabled and disabled means for every policy setting is not possible. You
can usually read the help text, shown in callout number 5, to determine exactly what these
choices mean. You must also be careful to read the name of the policy setting. For example,
some policy settings say, "Turn on feature X," whereas other policy settings say, "Turn off
feature Y." Enabled and disabled have different meanings in each case. Until you are
comfortable, make sure you read the help text for policy settings you configure.
Some policy settings have additional options that you can configure. Callout number 4 in
Figure 4 shows the options that are available for the Group Policy refresh interval policy
setting. In most cases, the default values match the default values for Windows. As well, the
help text usually gives detailed information about the options you can configure.
As you learned in the previous section, GPOs contain both computer and user settings.
Group Policy applies:
Group Policy also refreshes GPOs on a regular basis, ensuring that Group Policy applies
new and changed GPOs without waiting for the computer to restart or the user to log off. The
period of time between these refreshes is called the Group Policy refresh interval, and the
default is 90 minutes with a bit of randomness built in to prevent all computers from
refreshing at the same time. If you change a GPO in the middle of the day, Group Policy will
apply your changes within about 90 minutes. You don't have to wait until the end of the day,
when users have logged off of or restarted their computers. In advanced scenarios, you can
change the default refresh interval.
Note
You can manually update Group Policy any time by using the command Gpupdate.exe.
For example, after updating a GPO, you might want to refresh Group Policy on a
computer in order to test your changes without waiting for the Group Policy refresh
interval. For step-by-step instructions, see the section titled "Updating Clients" later in this
white paper.
You have now learned the essential Group Policy concepts. You know that a GPO is like a
document that contains policy settings. You manage GPOs by using the GPMC and you edit
them by using the GPME.
You also know that you link GPOs to AD DS sites, domains, and OUs to apply the GPOs'
settings to those containers. Domains, OUs, and child OUs inherit settings from their
parents, but duplicate settings in GPOs linked to child OUs have precedence over the same
settings in GPOs linked to parent OUs, which have precedence over GPOs linked to the
domain, and so on.
You also know that within a site, domain, or OU, the link order determines the order of
precedence (the smaller the number, the higher the precedence). Last, you have an
essential understanding of how to edit GPOs and what types of settings they contain.
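The precedence rules summarized above, worked through as a small Python model. This is an added example, not part of the original white paper or any Microsoft tool. The GPO and container names come from the text's examples; the two setting names are borrowed from the text's "Turn on feature X" and "Turn off feature Y" wording, and their values and all function names are constructed for illustration. The model leaves out site-linked GPOs and the advanced ways of overriding precedence that the text mentions.

```python
# Constructed sample data. Each GPO maps a policy setting to "Enabled" or
# "Disabled". A setting left Not Configured is simply absent: nothing is
# written for it, so it cannot override a value set by another GPO.
GPOS = {
    "Default Domain Policy": {"Turn on feature X": "Disabled",
                              "Turn off feature Y": "Enabled"},
    "Windows Firewall Settings": {"Turn on feature X": "Enabled"},
    "Accounting Security": {"Turn off feature Y": "Disabled"},
}

# Links per container as (link order, GPO name).
LINKS = {
    "corp.contoso.com": [(1, "Windows Firewall Settings"),
                         (2, "Default Domain Policy")],
    "Accounting": [(1, "Accounting Security")],
}


def application_order(path):
    """GPO names in the order they are applied for a top-down container path."""
    ordered = []
    for container in path:
        # Highest link order number first, so link order 1 is applied last
        # and therefore has the highest precedence in that container.
        for _, name in sorted(LINKS.get(container, []), reverse=True):
            ordered.append(name)
    return ordered


def setting_history(path):
    """Map each setting to [(GPO, value), ...] in application order."""
    history = {}
    for gpo in application_order(path):
        for setting, value in GPOS[gpo].items():
            history.setdefault(setting, []).append((gpo, value))
    return history


def effective_settings(path):
    """The last GPO to write a setting wins: {setting: (GPO, value)}."""
    return {s: writes[-1] for s, writes in setting_history(path).items()}


if __name__ == "__main__":
    for ou in ("Accounting", "Engineering"):
        path = ["corp.contoso.com", "Departments", ou]
        print(ou, "->", application_order(path))
        for setting, (gpo, value) in sorted(effective_settings(path).items()):
            print(f"  {setting}: {value} (from {gpo})")
```

`setting_history` is the part worth reading when a setting does not behave as expected: it lists every GPO that wrote the setting, in order, so the overridden values are visible alongside the winner.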
Now that you know the essential concepts, you are ready to learn the essential tasks. This
section describes how to create, edit, and delete GPOs. It describes many other tasks, as
well. For each task, you'll find an explanation of its purpose and step-by-step instructions
with screenshots at each step.
Note
A feature of the Microsoft Desktop Optimization Pack (MDOP) called Advanced Group
Policy Management (AGPM) extends Group Policy with new capabilities such as offline
Creating a GPO
You create a GPO by using the GPMC. There are two ways to create a GPO:
Create a GPO in the Group Policy objects folder, and then link it to the domain or
OU.
The instructions in this section describe how to create and link a GPO in one step.
You can start with a blank GPO, which the instructions describe, or you can use a starter
GPO. Starter GPOs are an advanced topic that you can learn about in Working with Starter
GPOs.
In the GPMC, you can open GPOs in the GPME to edit them within any container. To see all
of your GPOs, regardless of where you link them, use the Group Policy objects folder to edit
them.
To edit a GPO in the domain, an OU, or the Group Policy objects folder
Linking a GPO
If you create and link GPOs in one step, you do not have to manually link GPOs to the
domain or OUs. However, if you create a GPO in the Group Policy objects folder or unlink a
GPO and want to restore it, you will need to manually link the GPO. The easy way to link a
GPO is to simply drag the GPO from the Group Policy objects folder and drop it onto the
domain or OU to which you want to link it.
Unlinking a GPO
You unlink a GPO when you no longer want to apply it to the domain or OU (or its child
OUs). You can later restore the link, as the section titled "Linking a GPO" described.
Unlinking a GPO from a domain or OU does not delete the GPO. It only deletes the link.
After unlinking a GPO, you can still find it in the Group Policy objects folder in the GPMC.
Deleting a GPO
Deleting a GPO is not the same as unlinking a GPO from a domain or OU. You delete GPOs
within the Group Policy objects folder. Doing so removes not only the links but also the GPO
itself.
Note
Updating Clients
While editing, testing, or troubleshooting GPOs, you do not need to wait for the Group Policy
refresh interval (90 minutes, by default). You can manually update Group Policy on any
client computer by running Gpupdate.exe. Gpupdate.exe supports many command-line
options, which you can learn about by typing gpupdate.exe /? in a Command Prompt
window. In most cases, however, you can follow the instructions in this section to update
Group Policy.
Backing up important files is an important practice, and GPOs are no exception. If you
erroneously change or accidentally delete a GPO, you can quickly restore it from a backup.
By using the GPMC, you can back up GPOs to any location.
1 In the GPMC, click the Group Policy objects folder.
2 Right-click the GPO that you want to back up, and click Back Up.
4 In the Backup dialog box, confirm the results and click OK.
Restoring GPOs
Windows Server 2008 and Windows Server 2008 R2 include the GPMC when they are
running the AD DS role. Otherwise, you can install the GPMC on Windows Server 2008,
Windows Server 2008 R2, or Windows 7. You install the GPMC by downloading the Remote
Server Administration Tools for Windows 7 with Service Pack 1 (SP1) and installing either of
the following files on the computer:
1. Windows6.1-KB958830-x64-RefreshPkg.msu
2. Windows6.1-KB958830-x86-RefreshPkg.msu
Installing the update only adds the feature to Windows. You must also turn on the Group
Policy Management Tools feature using Programs and Features in the Control Panel. The
instructions in this section describe how to install the update as well as how to enable the
Group Policy Management Tools.
Conclusion
You have come a long way. You have learned important Group Policy concepts such as
GPOs, links, inheritance, and so on. You have also learned how to use the GPMC and the
GPME to perform essential tasks such as creating, editing, and deleting GPOs.
When you are ready to learn more about Group Policy and broaden your skills, Microsoft has
numerous resources available for you. First, the Group Policy resource page on the
Windows Server TechCenter is a one-stop shop for any technical content related to Group
Policy. It provides numerous getting-started guides as well as videos. For Group Policy
guidance specific to Windows 7, visit the Windows Client Security and Control zone.