328 Chapter 6 N Monitoring and Maintaining Print and File Servers 16. You manage two Windows Server 2008 servers in a medium-sized domain. The domain functional level is Windows Server 2003. You want to configure a replication group so that data folders on one member server are identical to the data folders on another member server. What service will accomplish this? A. DFS B. FRS C. WDS D. DNS 17. You are an administrator in a domain running several Windows Server 2008 file servers. You want to stand up a DFS server to organize the shares on all the servers onto a single DFS namespace. Further, you want to place this DFS server into a cluster for fault tolerance. What type of DFS should you configure? A. Stand-alone B. Domain-based C. FRS-based D. Windows Server 2008 mode–based 18. You are an administrator in a domain running several Windows Server 2008 file servers. You have two DFS servers in your organization, and you want to create a single DFS namespace that is stored on each of the DFS servers. What type of DFS should you configure? A. Stand-alone B. Domain-based C. FRS-based D. Multiple root–based 19. You administer a Windows Server 2008 file server that hosts multiple shares. You have learned that some users are storing copyrighted files (such as pirated MP3s) on some of the shares. You want to prevent the storage of these types of files and also have access to reports that can show information on your shares. What should you add? A. DFS B. FRS C. FSRM D. WSRM 93157c06.indd 328 8/7/08 10:34:33 PM Answers to Review Questions 329 20. Your company has a headquarters located in Virginia Beach and three branch offices located in surrounding cities. The branch offices are connected to the main office via WAN links. Each office has a Windows Server 2008 file server, and each office needs access to an up-to-date Projects folder. The Projects folder must remain available even if a single server fails and even if one of the WAN links fails. Network traffic over the WAN links must be minimized. What should you do? A. Create a stand-alone DFS namespace using the full mesh topology for DFS replication. B. Create a stand-alone DFS namespace using the hub and spoke topology for DFS replication. C. Create a domain-based DFS namespace using the full mesh topology for DFS replication. D. Create a domain-based DFS namespace using the hub and spoke topology for DFS replication. 93157c06.indd 329 8/7/08 10:34:33 PM 330 Chapter 6 N Monitoring and Maintaining Print and File Servers Answers to Review Questions 1. B. You should add Joe to the Server Operators group. This will allow him to create shares and do other administrative tasks on the domain controller without granting him adminis- trative rights to the domain. Neither the Power Users group nor the Local Administrators groups exists on a domain controller. Adding Joe to the Domain Administrators group would grant him significant privileges and violate a basic security tenet of least privilege. 2. C. The Co-owner role is granted Full Control permissions and Modify permissions. There isn’t such a thing as a Full Control role, but Full Control permissions can be granted. You can’t add someone to the Owner role. Instead, someone is an owner if she created an object or she took ownership of an object. The Contributor role would not grant the ability to modify permissions. 3. D. The Contributor role is granted permissions necessary to create files within a share. The Reader role would allow users to only read files, not make any changes. The Creator-Owner isn’t a role, but a Windows group used to identify the user who created an object. Owners can modify permissions. There is no such role as Modifier. 4. C. The Reader role is granted permissions necessary to read files within a share. There is no such role as a DL_Reader or Read permissions. The Contributor role would allow users to make modifications to the files, but only read permissions should be granted. 5. A. With offline files, Sally’s data will be synchronized to her laptop when she logs on and logs off. This will give her access to her data files no matter where she is located. For Sally to access the data on the server, it must already be shared. Posting a CEO’s data on a web server (Internet Information Services) wouldn’t be very safe and wouldn’t necessarily give her access to her data from anywhere. A virtual private network connection is a possibility but would be much more complex and expensive to implement. Using offline files is a simpler solution. 6. D. By selecting Optimized for Performance, you ensure that data changes are synchro- nized down to the client but not synchronized back up to the server. The Offline Settings page does not have a One-Way Caching selection, but Optimized for Performance works as one-way caching. If you selected Deny Write for either NTFS or share permissions, users wouldn’t be able to create files or make changes to files on the share. Although that may or may not be desirable, the question only wanted to stop synchronization. 7. D. The File Server Resource Manger (FSRM) allows you to implement quotas on a volume or folder basis. Since a share is created from a folder, you could implement a quota restric- tion on the folder that is used for the Sales share. The Windows System Resource Manager (WSRM) is used to limit the amount of CPU and memory resources that an application is using. Distributed File System (DFS) is used to replicate data or create a virtual folder namespace. Windows Deployment Services (WDS) is used to automate deployments of operating systems. 93157c06.indd 330 8/7/08 10:34:33 PM Answers to Review Questions 331 8. D. The File Server Resource Manger (FSRM) allows you to implement quotas on a volume or folder basis. Once a quota is reached, you can configure the response to send an email, log an entry in the application log, run a command, or run a report. You can’t create quotas from Server Manager. Although you can create quotas in Computer Management and Windows Explorer, you can’t create events (such as sending an email, running a command, or running a report) in response to the threshold being reached. You can configure it only to log an entry in the application log. 9. D. To cause shared printers to be listed in Active Directory, you’d right-click the printer in Print Management and select List in Directory. A GPO is not needed, and there is no such thing as a Printers container. If the printer isn’t published to Active Directory Domain Services, you won’t be able to locate it in Active Directory Domain Services. Print Management doesn’t have an Enable Searching selection for printers. 10. B. A print server has one print spooler for all printers. To change it, you’d select the prop- erties of the print server, not the printer. There is no way to change the spooler from the printer’s property page or via the installation wizard. Since you can move the spooler, say- ing it can’t be moved is incorrect. 11. A, C. To use DFS, you must be in Windows Server 2008 domain functional level. If repli- cation was originally done with File Replication Service (FRS), then you must migrate FRS to DFS. Since one of the servers was just upgraded from Windows Server 2003 and no other changes were done to the domain, the domain functional level could not be Windows Server 2008. This also means that replication is currently being done with FRS. You would need to raise the domain functional level to Windows Server 2008 and migrate FRS to DFS. The forest functional level does not matter. There is no DFS role. 12. D. The File Services role needs to be installed in order to add the DFS service. The Win- dows System Resource Manager (WSRM) is used to limit the amount of CPU and memory resources that an application is using. Windows Software Update Services (WSUS) is used to deploy updates to computers, and Windows Deployment Services (WDS) is used to auto- mate deployments of operating systems. 13. A. The Windows search service is a File Services role service that can be added to increase performance of searches on a file server. Indexing is an older Windows Server 2003 search service that could be added, but the Windows search service performs better. It would not make sense to copy the centralized data to 100 different systems. Asking users to limit searches isn’t a reasonable request when there’s a technical method to improve searches. 14. B. File Replication Service (FRS) is being used for replication of the sysvol folder (Group Policy files and scripts). Distributed File System (DFS) replication of sysvol is supported only when the domain functional level is Windows Server 2008. Since some domain controllers are running Windows Server 2003, the domain functional level cannot be Windows Server 2008. Windows Deployment Services (WDS) is used to automate deployments of operating systems. Windows Software Update Services (WSUS) is used to deploy updates to computers. 93157c06.indd 331 8/7/08 10:34:34 PM 332 Chapter 6 N Monitoring and Maintaining Print and File Servers 15. A. You should configure Distributed File System (DFS) replication. Specifically, you’d create a replication group including both servers as member servers with replicated folders. A DFS namespaces doesn’t necessarily replicate data but instead provides a method of organizing content in a single namespace to make it easier for the user. File Replication Service (FRS) was the file replication service used for data prior to Windows Server 2003 R2. As a side note, FRS is still used for replication of the Active Directory sysvol folder on domain control- lers in domains where the domain functional level is less than Windows Server 2008 domain functional level and even on some domains where the level has been raised to Windows Server 2008 domain functional level. 16. A. The Distributed File Service (DFS) can be used to replicate data in a replication group on servers running Windows Server 2008. The File Replication Services (FRS) was used to replicate data in DFS on operating systems earlier than Windows Server 2003 R2. The sentence “The domain functional level is Windows Server 2003” is meaningless in this context; it matters only when discussing the replication of Active Directory’s sysvol folder, but the question specified data folders. Windows Deployment Services (WDS) is used to automate the deployment of operating systems. Dynamic Naming Service (DNS) is used to provide name resolution of host names. 17. A. To support a cluster, you must use a stand-alone Distributed File System (DFS) server. Domain-based DFS does not support clusters. File Replication Service (FRS) is considered legacy and wouldn’t be used for Windows Server 2008 file servers. You can choose either Win- dows Server 2000 mode or Windows Server 2008 mode with domain-based DFS servers, but these choices are not available with a stand-alone DFS server. 18. B. A domain-based Distributed File System (DFS) namespace can be stored on one or more DFS servers. A stand-alone DFS namespace can be stored on only one DFS server. File Replication Service (FRS) is considered legacy and wouldn’t be used for Windows Server 2008 file servers. There is no such thing as a multiple-root DFS server. 19. C. The File Server Resource Manager (FSRM) gives you access to several tools, including the ability to screen files and view reports. The Distributed File System (DFS) allows you to create DFS namespaces and use DFS replication but doesn’t include the capability of screening files. The File Replication Service (FRS) is considered legacy and only replicates files. The Windows System Resource Manager (WSRM) is used to limit the amount of CPU and memory resources that an application is using. 20. D. A domain-based Distributed File System (DFS) namespace can be used to easily replicate content from one server to other servers by using DFS replication. The hub and spoke topology will minimize network traffic over the WAN links since the remote offices won’t need to repli- cate to each other. A stand-alone DFS namespace can be stored on only one DFS server, so it wouldn’t work. A full mesh topology would require each branch office to be connected to every other branch office so network traffic would not be minimized. 93157c06.indd 332 8/7/08 10:34:34 PM Chapter 7 Planning Terminal Services Servers MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Planning for Server Deployment Plan Infrastructure Services Server Roles. May include but  is not limited to: address assignment, name resolution, network access control, directory services, application services, certificate services. Planning Application and Data Provisioning Provision Applications. May include but is not limited  to: presentation virtualization, terminal server infra- structure, resource allocation, application virtualization alternatives, application deployment, System Center Configuration Manager. Provision Data. May include but is not limited to: shared  resources, offline data access. 93157c07.indd 333 8/8/08 9:29:49 AM Terminal Services (TS) is a key application server role you should understand. It includes several TS services that allow you to host full desktops or single applications. Although Terminal Services is most often hosted on a server within your network specifi- cally for internal users, you can also use some of the TS technologies to provide access to inter- nal resources via the Internet. Using services such as TS Web Access, you can allow users to remotely run TS Remote- App applications via the Internet. TS Gateway allows users to access internal resources via the Internet. When providing access to resources via the Internet, you’ll also use Internet Information Services 7.0 (IIS 7.0). In this chapter, you’ll learn about the different TS server services and IIS 7.0. You’ll notice in the list of objectives that address assignment, name resolu- tion, directory services, and certificate services are listed in the Planning for Server Deployment section, and presentation virtualization, resource allo- cation, System Center Configuration Manager, and offline data access are listed in Planning Application and Data Provisioning. Chapter 2, “Planning Server Deployments,” covers presentation virtualization. Chapter 3, “Using Windows Server 2008 Management Tools,” covers resource allocation and System Center Configuration Manager. Chapter 4, “Monitoring and Maintain- ing Network Infrastructure Servers,” covers address assignment and name resolution. Chapter 5, “Monitoring and Maintaining Active Directory,” covers directory services and Certificate Services. Chapter 6, “Monitoring and Main- taining Print and File Servers,” covers offline data access. Terminal Services Servers Terminal Services is a server role in Windows Server 2008. It provides users with access to either Windows-based programs or a full Windows desktop located on a server. The full features of TS are experienced only on computers running Windows Vista or Windows Server 2008, but Terminal Services does support Windows XP and Windows Server 2003 products. Figure 7.1 shows the big picture of how Terminal Services runs. The terminal server would be heavy on resources such as memory, processing power, disk space, and network capacity. Multiple clients can connect to the server, and their session will run completely within the server. 93157c07.indd 334 8/8/08 9:29:50 AM Terminal Services Servers 335 FIGURE 7.1 Running Terminal Services on a server Client1Client1 Client2 Client3 TS1 TS1 Server Memory Client3 Session Server OS Client1 Session Client2 Session In the figure, you can see that each client is running a session on the server. This session could be an individual application or a complete desktop session. Why would you want to do such as thing? Imagine a large insurance company. I envision dozens of operators (maybe more) in a huge room just sitting and waiting for you to call for an insurance quote. Once you call and ask your questions, they begin typing information into a computer program so they can give you an accurate quote. This computer program is highly specialized for that insurance company only, otherwise known as a line - of-bu siness application. You could deploy the application to the computers for each person answering phones. However, if you needed to make a change, you’d need to change each system. On the other hand, if you deployed the application to a terminal server, you would need to make the change in only one location. Terminal Services can be used by administrators to remotely administer servers and also by end users. Except for TS Web Access, the Terminal Services role does not need to be installed to remotely administer a server. For a review of how this is done, take a look at Chapter 3. Another reason to use Terminal Services is when users need to run separate versions of an application. Some applications can’t run two versions side by side on the same oper- ating system. As an example, Outlook 2003 and Outlook 2007 can’t be installed on the same system. However, a user may want to run Outlook 2007 on their system but occasionally use Outlook 93157c07.indd 335 8/8/08 9:29:50 AM 336 Chapter 7  Planning Terminal Services Servers 2003. By using Terminal Services, Outlook 2003 can be installed for users, allowing them to run both versions. When looking at Terminal Services, you should be aware of the following terms and services: Terminal server This is the server that hosts the Terminal Services role. You can host full Windows desktops on this server or individual applications. TS RemoteApp Any application that has been configured to run within a Terminal Services session is referred to as a RemoteApp program. TS RemoteApp programs can be configured with or without TS Web Access. When configured without TS Web Access, a TS RemoteApp program will run in its own window on the user’s desktop (as long as the user is running Windows Vista or Server 2008). TS Gateway TS Gateway is a role service available after the TS role has been installed. It allows authorized remote users to connect to resources on an internal network via the Internet. In other words, the TS Gateway is the gateway to other computers. Remote users can connect to terminal servers, terminal servers running RemoteApp programs, or com- puters with Remote Desktop enabled. TS Session Broker The TS Session Broker is used in larger implementations of Terminal Services where multiple terminal servers are configured in a load-balanced terminal server farm. TS Session Broker stores session state information allowing a user who disconnects to reconnect to the same server. Disconnected users will be able to reconnect to the same ses- sion without any loss of data. TS Web Access TS Web Access is a role service within the Terminal Services role. With TS Web Access configured, users can connect from a web browser to the remote desktop of a server or a client computer. Programs that can run in the browser via TS Web Access are known as TS RemoteApp applications. TS RemoteApp programs are accessible over the Internet or over an intranet using Internet technologies. TS Licensing Terminal Services client access licenses (TS CALs) are required for devices and clients that will access a TS server. TS Licensing is a management system used to man- age TS CALs. TS Licensing can be used to install, issue, and monitor the availability of TS CALs on a TS server. When Terminal Services is first installed, you are granted a 120-day grace period for licensing. During that grace period you can determine how many licenses you’ll need and purchase them. After the grace period expires, users will no longer be able to access the terminal server. Users are able to access a Terminal Services server from within a network or over the Internet. Terminal Services Role The first step in configuring a terminal server is to add the Terminal Services role. You can add all the supporting services at the same time or install Terminal Services first and then add the supporting services later. 93157c07.indd 336 8/8/08 9:29:51 AM Terminal Services Servers 337 If you want to install Terminal Services specifically to allow users to run specific applica- tions from within your network, you should take the following steps: 1. Add the Terminal Services role. (No additional role services are required.) 2. Change the installation mode to install applications. 3. Install an application. 4. Change the installation mode to execute applications. When using a terminal server for applications, it’s highly recommended that you install the terminal server services first before installing the appli- cations. If you install a terminal server after applications are installed, it’s possible the applications won’t work in a multiuser environment. At this point, users will be able to access the terminal server, and each user can have their own desktop. However, if you want users to be able to launch an application within their own desktop, you can configure the application as a TS RemoteApp. The steps required to configure an application as a RemoteApp are as follows: 1. Add the application as a RemoteApp using the TS RemoteApp Manager. 2. Create a remote desktop configuration file (.rdp file) or a Windows Installer package within the TS RemoteApp Manager. 3. Use the .rdp file or the Windows Installer package to deploy the application to users. A remote desktop file (.rdp) holds custom settings used to launch a remote desktop session. A user could double-click the .rdp file to launch the Remote Desktop Connection application, and it will be launched with the settings in the .rdp file. At this point, users will have access to the remote applications either from the desktop or from the Start menu: Start  All Programs  Remote Programs. The first time the program is launched, it is installed for the user. After it is installed, it looks like it’s running on the end user’s system. Network Level Authentication Before adding the Terminal Services role, you should understand the basics of Network Level Authentication (NLA). NLA is new to Windows Server 2008. It provides enhanced security for the terminal server by authenticating the client before a TS session begins. Although it’s still possible to enable connections without NLA, it exposes the TS server to increased risk from malicious users and malicious software. The requirements to use NLA are as follows: The terminal server must be running Windows Server 2008.  The client computer must be using at least Remote Desktop Connection 6.0 (RDC 6.0).  93157c07.indd 337 8/8/08 9:29:51 AM [...]... a Windows Server 20 08 server For users who connect with Windows Vista, it is possible for the Windows Server 20 08 Terminal Services session to emulate a Windows Vista desktop experience To support this, you must add the Desktop Experience feature to the terminal server via the Add Features link in Server Manager Once the Desktop Experience feature is installed, Windows Vista applications (such as Windows. .. dependency on HTTP This allows non-HTTP applications to be hosted on IIS The TS Gateway server must be running Windows Server 20 08 Clients accessing the network via TS Gateway must be one of the following: NN Windows Vista SP1 NN Windows XP SP3 NN Windows XP SP2 with RDC 6.0 installed NN Windows Server 20 08 NN Windows Server 2003 (with SP 1 or SP2) and RDC 6.0 Microsoft has created a video and a “test-drive”... be installed on the same Windows Server 20 08 server Client computers that access TS Web Access must support Remote Desktop Connection 6.1 RDC 6.1 includes an ActiveX control that is required to launch TS RemoteApp applications RDC 6.1 is included with the following operating systems: NN Windows XP SP3 NN Windows Vista SP1 NN Windows Server 20 08 Interestingly, the TS Web Access server does not need to... days on Windows Server 20 08 servers During the grace period, a terminal server can accept connections without licenses The grace period begins the first time a terminal server accepts a client connection When a permanent TS Cal is issued by a license server to a client connecting to a terminal server, the grace period ends even if the 120-day grace period hasn’t been reached 93157c07.indd 352 8/ 8/ 08 9:29:55...3 38 NN Chapter 7    Planning Terminal Services Servers n The client computer must be able to support the Credential Security Support Provider (CredSSP) protocol Windows Vista and Windows Server 20 08 clients use RDC 6.0 and support the CredSSP protocol by default If you’re supporting down-level clients (such as Windows XP and Windows Server 2003), you need to do some checks: NN Windows XP... functionality? (Choose all that apply.) A Windows XP SP1 B Windows Vista SP1 C Windows Server 2003 SP1 D Windows Server 20 08 11 You manage a Terminal Services server farm that includes five terminal servers You need to ensure that if a user’s session is disconnected before they log off, they are able to reconnect to the same session What should you ensure is included in the server farm? A TS Gateway B TS RemoteApp... feature available in Windows Server 20 08 Its ability to throttle the CPU and memory resource usage on a per-user or per-session basis can be very valuable on a high-capacity terminal server The following are the two primary resource-allocation policies that would be used for a terminal server: NN 93157c07.indd 342 Equal_per_user NN Equal_per_session 8/ 8/ 08 9:29:52 AM Terminal Services Servers   343 The... B TS Gateway C IIS 7.0 D WSRM 14 You are managing a Windows Server 20 08 server named SRV1 that is running both SQL Server and IIS 7.0 You’ve found that during SQL Server peak times, IIS is frequently slow What can you use to ensure resources are divided equally between IIS and SQL? A FSRM B WSRM C TS Gateway D TS Web Access 93157c07.indd 363 8/ 8/ 08 9:29:57 AM ... exercise In the graphic, the Windows PE Tools Command Prompt and Windows System Image Manager programs (installed from the Windows Automated Installation Kit) are selected Click Next 93157c07.indd 344 8/ 8/ 08 9:29:53 AM Terminal Services Servers   345 E x e r c i s e 7 2   ( c o n t i n u e d ) If you didn’t install an application using a Windows Installer file, you can select the Server Manager application... 341 8/ 8/ 08 9:29:52 AM 342  Chapter 7    Planning Terminal Services Servers n You can also use the command line to enter installation mode and execute mode The process is as follows: 1 From the command line, enter Change user /install 2 Install the application 3 From the command line, enter Change user /execute Vista Desktop Experience When users connect to a terminal server on Windows Server 20 08, the . terminal server on Windows Server 20 08, the look and feel is that of a Windows Server 20 08 server. For users who connect with Windows Vista, it is possible for the Windows Server 20 08 Terminal. Domain-based C. FRS-based D. Windows Server 20 08 mode–based 18. You are an administrator in a domain running several Windows Server 20 08 file servers. You have two DFS servers in your organization,. domain functional level is Windows Server 20 08. Since some domain controllers are running Windows Server 2003, the domain functional level cannot be Windows Server 20 08. Windows Deployment Services