MCTS 70-646 Plan and implement group policy strategy

Starter Group Policy Objects (GPO)

Starter GPOs are baseline templates you use when building new GPOs; a Starter GPO can also be exported as a cabinet (.cab) file and imported into another domain. Starter GPOs are backed up and restored separately from ordinary GPOs, using Back Up All and Manage Backups on the Starter GPOs node in GPMC.

Starter GPOs can only contain administrative template settings.

Group Policy backup and Recovery

Standard GPOs are backed up and restored from the Group Policy Objects node in GPMC (Back Up All, Manage Backups, Restore from Backup); on Windows Server 2008 R2 the GroupPolicy module gives the same operations from a script (Backup-GPO, Restore-GPO and Import-GPO).

Group Policy Strategy

The best advice with Group Policy is to keep it simple: avoid excessive inheritance blocking, organisational units with many linked GPOs, the same GPO linked to many organisational units, and monolithic GPOs that change frequently. Where settings do change frequently, put them in their own small functional GPO; a changed GPO forces every client-side extension it contains to re-run, so isolating the volatile settings keeps client-side extension processing quick.

It is recommended you disable the user or computer configuration portion of a GPO if it is not used. Note this does not noticeably speed up processing, because the Group Policy client still has to query Active Directory to discover that the portion is disabled; the benefit is that a stray setting in the unused half can never be applied.

Group Policy ADMX files should be stored in a central store in SYSVOL. Unlike legacy ADM files, which were copied into every GPO's SYSVOL folder, ADMX files are then kept once and replicated to every domain controller, and every administrator's GPMC reads the same set of templates. The central store is \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions: create the PolicyDefinitions folder, copy the .admx files into it, then create a language sub-folder (en-US) inside it and copy the .adml language files into that. GPMC uses the central store automatically once it exists.
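The two procedures above (backing up GPOs and building the central store) as one added PowerShell example; this is not code from the original notes. It assumes the GroupPolicy module is available (Windows Server 2008 R2 or RSAT), that the local PolicyDefinitions folder holds the templates to publish, and that the share \\fs01\GPOBackups exists; all three are assumptions.

```powershell
# Added example (not from the original notes): back up every GPO, then build the ADMX
# central store in SYSVOL. Assumed: GroupPolicy module installed, local PolicyDefinitions
# folder populated, \\fs01\GPOBackups exists.
Import-Module GroupPolicy

$domain  = $env:USERDNSDOMAIN                      # e.g. corp.example.com
$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$bakRoot = "\\fs01\GPOBackups\$stamp"              # assumed share
New-Item -ItemType Directory -Path $bakRoot -Force | Out-Null

# 1. Back up all GPOs with a comment so Manage Backups / Restore-GPO can identify the set
Backup-GPO -All -Path $bakRoot -Comment "Pre-change backup $stamp" |
    Select-Object DisplayName, Id, CreationTime | Format-Table -AutoSize
# Restore one later with: Restore-GPO -Name "<GPO name>" -Path $bakRoot

# 2. Central store: one replicated copy of the templates for every admin and every DC
$source = "$env:SystemRoot\PolicyDefinitions"
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
New-Item -ItemType Directory -Path "$store\en-US" -Force | Out-Null   # creates both levels
Copy-Item -Path "$source\*.admx"       -Destination $store         -Force
Copy-Item -Path "$source\en-US\*.adml" -Destination "$store\en-US" -Force

# 3. Check every ADMX has its ADML; without it GPMC reports the template as unreadable
$admx = Get-ChildItem $store         -Filter *.admx | ForEach-Object { $_.BaseName }
$adml = Get-ChildItem "$store\en-US" -Filter *.adml | ForEach-Object { $_.BaseName }
$missing = Compare-Object -ReferenceObject $admx -DifferenceObject $adml |
    Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object { $_.InputObject }
if ($missing) { Write-Warning "ADMX files without an en-US ADML: $($missing -join ', ')" }
else          { Write-Host "Central store populated with $($admx.Count) templates" }
```

Run it from an elevated prompt on a machine that can write to SYSVOL; the ADMX/ADML check at the end is the one thing most people forget, and a template with no matching language file shows up in GPMC as an error rather than a setting.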

Starter Group Policy Objects should be used to create standardised combinations of administrative templates.

Troubleshooting Group Policy

The first step is to check the core configuration: the computer is connected to the network, it can be pinged, it can resolve DNS names, and its clock is within the Kerberos tolerance (five minutes by default). Some of these checks also test services, e.g. resolving a name confirms the DNS service is working and logging on to the domain confirms AD DS is working. Remember the core services for Group Policy are AD DS, DNS and TCP/IP.

Tools such as gpotool.exe, rsop.msc and gpresult.exe can be used to verify which policies are or are not being applied. gpresult /r (or /h for an HTML report) lists the applied and filtered GPOs for the computer and user; rsop.msc can point towards why a policy was not applied; gpotool.exe checks that each GPO is consistent across domain controllers (matching version numbers and ACLs in AD and SYSVOL).

The operational logs within Windows event viewer are also very useful when reviewing which policies have been applied and how long they took.

When policies are not being applied or take an inordinate amount of time to apply it is always good to understand how the group policy process works.

First, on newer Windows operating systems, Network Location Awareness (NLA) determines whether a domain controller is reachable, i.e. whether the computer is on the corporate network or a public internet connection. NLA compares the connection-specific DNS suffix with the NetworkName value recorded in the registry and, if they match, attempts an LDAP query against a domain controller.

Once NLA deems the client to be on the domain network, the Group Policy client reads the list of registered client-side extensions (CSEs) from the registry, then queries the nearest domain controller over LDAP, reading the gpLink attribute of the site, domain and OU containers to build the list of GPOs that apply to the computer and the logged-on user.

The Group Policy client then checks that the computer or user has both Read and Apply Group Policy permission on each GPO, and finally compares the version number in each GPO's gpt.ini (and the versionNumber attribute in AD) with the version recorded in the client's registry history to decide whether the GPO has changed. Only then does client-side extension processing start; by default a CSE re-runs only for GPOs whose version has changed.
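The troubleshooting checklist above, turned into an added diagnostic script (not part of the original notes). It runs on the client that is failing to apply policy, locates a domain controller, checks TCP/IP, DNS and clock skew against it, lists applied and filtered GPOs, and reads the Group Policy operational log; the fallback domain name corp.example.com is an assumption.

```powershell
# Added diagnostic script, not part of the original notes. Run elevated on the client that is not
# applying policy; the domain name falls back to an assumed corp.example.com when not domain-joined.
$domain = $env:USERDNSDOMAIN
if (-not $domain) { $domain = 'corp.example.com' }

# 1. Core services: AD DS (DC locator), TCP/IP (ping), DNS (SRV records) and time (Kerberos skew)
$dcInfo = nltest /dsgetdc:$domain 2>&1
$dcInfo | Select-String 'DC:|Address|Site Name'
$dcMatch = $dcInfo | Select-String '^\s*DC: \\\\(\S+)'
if (-not $dcMatch) { Write-Warning 'No domain controller located; fix DNS/network first'; return }
$dc = $dcMatch.Matches[0].Groups[1].Value

"Ping $dc : $(Test-Connection -ComputerName $dc -Count 1 -Quiet)"
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1 | Select-String 'svr hostname'
"LDAP SRV records found: $(@($srv).Count)"
$offset = (w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1)[-1]
"Clock offset against $dc (Kerberos tolerates 5 minutes): $offset"

# 2. Which GPOs applied and which were filtered out, per scope
foreach ($scope in 'computer', 'user') {
    "--- gpresult scope: $scope ---"
    gpresult /r /scope:$scope | Select-String -Context 0,6 'Applied Group Policy Objects|were not applied'
}

# 3. Operational log: 8000-8007 close a processing cycle and state how long it took,
#    7000-7007 are failed cycles; level 2 (error) events carry the reason.
$log = 'Microsoft-Windows-GroupPolicy/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = (8000..8007) + (7000..7007) } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Seconds'; e = { if ($_.Message -match 'in (\d+) second') { $matches[1] } } },
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } | Format-Table -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Error'; e = { ($_.Message -split "`r?`n")[0] } } | Format-List
```

The order mirrors the processing sequence: if nltest cannot find a DC or the SRV lookup returns nothing, nothing after it matters, and the operational log is where the "why" lives once the basics pass.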

MCTS 70-646 Plan for delegated administration

The main reason for delegation of administration is to give specific administrative rights to specific users or groups.

Delegated control

Delegation can be applied within AD DS by configuring access control entries (ACEs) on organisational units; this can be done with the GUI (dsa.msc), dsacls.exe or the PowerShell Active Directory module. The Delegation of Control wizard lets administrators quickly apply delegation for common tasks; alternatively you can configure the OU ACEs manually for more granular and customised delegation. I've blogged previously about AD DS delegation, see here.

Existing delegation can be time consuming to troubleshoot, for example if it was never recorded in a change control system. In that scenario you can reset the delegated permissions on the OU back to the schema defaults, either with dsacls.exe "OU=[Name],DC=[Domain],DC=[Tld]" /resetDefaultDACL or by clicking the Default / Restore defaults button in the advanced security settings of the OU you wish to reset. Note that this removes every explicit ACE on the OU, including any delegation you want to keep, so record what is there first (dsacls with no switches prints the current DACL).
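An added example of granular delegation (not from the original post): grant a help-desk group the Reset Password extended right and write access to pwdLastSet on user objects under one OU, verify with dsacls, and show the reset to defaults. The OU name, the group name and the domain are assumptions; the GUIDs are looked up from the schema rather than hard-coded.

```powershell
# Added example (not from the original post): delegate password resets on one OU to a help-desk
# group with explicit ACEs, verify with dsacls, then show the reset to default.
# OU, group and domain names are assumptions.
Import-Module ActiveDirectory
$ou    = 'OU=Service Desk Managed,DC=corp,DC=example,DC=com'
$group = Get-ADGroup 'HelpDesk'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve the object-type GUIDs from the schema and extended-rights container at run time
$rootDse = Get-ADRootDSE
function Get-SchemaGuid($name) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    New-Object System.Guid (,[byte[]]$o.schemaIDGUID)
}
function Get-RightGuid($name) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter "(displayName=$name)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$userClass  = Get-SchemaGuid 'user'
$pwdLastSet = Get-SchemaGuid 'pwdLastSet'
$resetPwd   = Get-RightGuid  'Reset Password'

# Two ACEs, inherited by user objects below the OU only (not by groups, computers or the OU itself)
$acl     = Get-Acl -Path "AD:\$ou"
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, 'ExtendedRight', 'Allow', $resetPwd, $inherit, $userClass))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, 'ReadProperty, WriteProperty', 'Allow', $pwdLastSet, $inherit, $userClass))  # "must change password at next logon"
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify. The equivalent dsacls one-liner would have been:
#   dsacls $ou /I:S /G "CORP\HelpDesk:CA;Reset Password;user" "CORP\HelpDesk:RPWP;pwdLastSet;user"
dsacls $ou | Select-String 'HelpDesk'

# Undo every delegation ever made on this OU (back to the schema defaults); uncomment to run
# dsacls $ou /resetDefaultDACL
```

Scoping the inherited-object type to user means the help desk cannot reset the password of a computer account or of a user created directly in a sub-OU that holds service accounts only if those live elsewhere; put sensitive accounts outside the delegated OU, because inheritance does not know the difference between an ordinary user and a privileged one.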

Group membership delegation

Group membership delegation can be configured by setting the group's Managed By attribute and ticking 'Manager can update membership list'; in Windows Server 2008 the manager can itself be a group, whereas Windows Server 2003 only allowed a user or contact.

Delegated Authentication

Delegated authentication allows a computer (or service account) to impersonate a user in order to access resources on the user's behalf. When the domain and forest functional level are at least Windows Server 2003, computer objects have a Delegation tab; this lets you trust the computer for delegation to any service (unconstrained delegation, Kerberos only) or to specified services only, which is known as constrained delegation. Prefer constrained delegation: a host trusted for unconstrained delegation receives a forwardable TGT from every user who authenticates to it, so compromising that host yields every connecting user's identity. An account marked 'sensitive and cannot be delegated' is never delegated by either method; this should be the configuration applied to administrative accounts.
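The three delegation tasks from the paragraph above (constrain a host to named services, mark administrators as sensitive, and audit what is still unconstrained), as an added PowerShell example using the ActiveDirectory module. Not the original author's code; the host names WEB01 and SQL01 and the domain corp.example.com are assumptions.

```powershell
# Added example, not from the original post. Names (WEB01, SQL01, corp.example.com) are assumptions.
Import-Module ActiveDirectory

# 1. Constrained delegation: WEB01 may present a caller's identity to SQL01's SQL Server only,
#    Kerberos only (no protocol transition), with unconstrained delegation explicitly off.
$spns = 'MSSQLSvc/sql01.corp.example.com:1433', 'MSSQLSvc/sql01.corp.example.com'
Set-ADAccountControl -Identity (Get-ADComputer WEB01) -TrustedForDelegation $false -TrustedToAuthForDelegation $false
Set-ADComputer -Identity WEB01 -Replace @{ 'msDS-AllowedToDelegateTo' = $spns }
Get-ADComputer WEB01 -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation |
    Select-Object Name, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

# 2. Administrative accounts: "Account is sensitive and cannot be delegated"
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Set-ADUser -Identity $_.distinguishedName -AccountNotDelegated $true }

# 3. Audit: anything still trusted for unconstrained delegation (userAccountControl bit 0x80000 = 524288),
#    ignoring domain controllers (primaryGroupID 516), which are trusted by design
$uac = '1.2.840.113556.1.4.803:=524288'
Get-ADObject -LDAPFilter "(&(userAccountControl:$uac)(!(primaryGroupID=516)))" -Properties samAccountName |
    Select-Object ObjectClass, samAccountName, DistinguishedName

# ...and everything with a constrained delegation list, so the targets can be reviewed
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties samAccountName, 'msDS-AllowedToDelegateTo' |
    Select-Object samAccountName, 'msDS-AllowedToDelegateTo'
```

The audit queries are worth scheduling: an application installer that ticks "Trust this computer for delegation to any service" is one of the quietest ways an ordinary member server becomes a credential-harvesting point.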

Role-based Access Control (RBAC)

Microsoft products such as Exchange Server, SQL Server and System Center Operations Manager 2007 R2 have RBAC; this allows you to assign administrative privileges within an application to standard Windows accounts.

Microsoft IIS 7 and 7.5 have configuration delegation functionality allowing a web site owner or application owner full control over their portion of the web server without reducing the security of the rest of it.

Authorisation Manager

Authorisation Manager allows developers to create roles and scopes for their applications; applying the principles of role-based access control. Authorisation Manager can use SQL Server databases, AD DS, AD LDS or XML to store the roles, scopes, role membership etc.

MCTS 70-646 Plan server management strategies

Server Manager Console

Displays the roles and features that are installed on that particular computer.


servermanagercmd.exe is the command-line version of Server Manager, but it is deprecated in Windows Server 2008 R2; Microsoft are pushing Windows PowerShell and the ServerManager module (Get-WindowsFeature, Add-WindowsFeature, Remove-WindowsFeature) instead.

Microsoft Management Console

Microsoft Management Console snap-ins are available for all roles and features that are installed; administering some roles from another machine requires the Remote Server Administration Tools (RSAT) to be installed, e.g. Active Directory Users and Computers.

Emergency Management Services (EMS)

EMS allows you to connect to a system over a serial port (directly, or through a terminal concentrator via telnet) using a terminal emulator such as HyperTerminal; you get the Special Administration Console (SAC), from which you can list and kill processes, restart the server and reach a command prompt. EMS is used when a computer has frozen or locked up on start-up or shutdown, for example when a runaway process has made it unresponsive.

EMS must be enabled before you need it, ideally before the server is deployed into production. EMS is enabled with bcdedit: /emssettings sets the COM port and baud rate and /ems on enables it for a boot entry.

Remote Desktop

Remote Desktop allows members of the Administrators and Remote Desktop Users groups to connect remotely; this does not apply to domain controllers, where by default only Administrators hold the 'Allow log on through Remote Desktop Services' user right.

Remote desktop for administration allows two concurrent connections. If the computer you’re connecting to has Remote Desktop Services installed then use /admin to connect to an administrative session; if Remote Desktop Services is not installed then /admin is not needed.

You must be a member of the local administrators group to connect to an administrative session.

More information here

PowerShell Remoting

PowerShell remoting improves on classic remoting. Classic remoting is built into individual cmdlets (the -ComputerName parameter), generally rides on Remote Procedure Call (RPC) and Distributed COM (DCOM), and uses transparent authentication, i.e. the credentials of the user running the PowerShell code.

You can identify classic remoting cmdlets using

Get-Help * -Parameter ComputerName

Alternatively you can use:

Get-Command | Where-Object { $_.Parameters.Keys -contains 'ComputerName' -and $_.Parameters.Keys -notcontains 'Session' }

The alternative command filters out the Windows PowerShell remoting cmdlets, which take a -Session parameter as well as -ComputerName.

Windows PowerShell remoting uses the WinRM service to execute PowerShell code in a separate session on the remote system; Windows PowerShell remoting is enabled by running Enable-PSRemoting from an elevated prompt. Enable-PSRemoting starts the WinRM service if it is not running, sets up a listener on TCP 5985 and creates a firewall exception for inbound connections.

Windows PowerShell remoting uses Kerberos authentication by default, which only works between domain members. On a peer-to-peer (workgroup) network, or when connecting to hosts outside your trusted domain, you either add the target to the client's TrustedHosts list (the client then falls back to NTLM) or connect over HTTPS to a listener with a certificate that matches the host name.

TrustedHosts is a WSMan client configuration item, not a file; it is set with

Set-Item wsman:\localhost\client\trustedhosts * -Force

The * above trusts every host, which means your credentials will be sent (via NTLM) to any name you mistype or any host an attacker can answer for; in practice list the specific hosts you manage, e.g. 'srv01.example.com,srv02.example.com', rather than *.

Windows PowerShell remoting uses Invoke-Command, Enter-PSSession or New-PSSession. Invoke-Command is explicit remoting (run a script block on one or many computers); Enter-PSSession is an interactive one-to-one session; New-PSSession creates a persistent session that can be reused by Invoke-Command or Enter-PSSession, and with Import-PSSession it gives implicit remoting, where the remote cmdlets appear as local proxy functions.
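The remoting modes described above, as one added example (not from the original post): enabling the service, a TrustedHosts list restricted to named hosts, explicit remoting, a persistent session, implicit remoting via Import-PSSession and an HTTPS session. The host names srv01/srv02 and the account CORP\admin are assumptions.

```powershell
# Added example (not from the original post); host and account names are assumptions.
# --- on each managed server, elevated: WinRM service, HTTP listener on 5985, firewall exception
Enable-PSRemoting -Force

# --- on a workgroup / cross-domain client: trust only the hosts you manage. Never '*':
#     the client then negotiates NTLM and sends your credentials to whatever answers to the name.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'srv01.example.com,srv02.example.com' -Force
Get-Item  -Path WSMan:\localhost\Client\TrustedHosts

# Explicit remoting: one script block fanned out in parallel, results come back as deserialized objects
Invoke-Command -ComputerName srv01, srv02 -ScriptBlock {
    Get-Service WinRM | Select-Object MachineName, Status
}

# Persistent session: state (variables, loaded modules) survives between calls
$s = New-PSSession -ComputerName srv01
Invoke-Command -Session $s -ScriptBlock { Import-Module ServerManager; $features = Get-WindowsFeature }
Invoke-Command -Session $s -ScriptBlock { $features | Where-Object { $_.Installed } | Select-Object Name }

# Implicit remoting: local proxy functions for the remote module's cmdlets
Import-PSSession -Session $s -Module ServerManager -Prefix Srv01 | Out-Null
Get-Srv01WindowsFeature Web-Server          # actually runs Get-WindowsFeature on srv01

# Interactive one-to-one use of the same session (type 'exit' to return):
#   Enter-PSSession -Session $s

# Outside a trusted domain prefer an HTTPS listener bound to a certificate matching the host name.
# Create it once on the server (thumbprint is an assumption):
#   New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address='*';Transport='HTTPS'} `
#       -ValueSet @{Hostname='srv01.example.com'; CertificateThumbprint='<thumbprint>'}
$https = New-PSSession -ComputerName srv01.example.com -UseSSL -Credential (Get-Credential 'CORP\admin')
Invoke-Command -Session $https -ScriptBlock { $PSSenderInfo.ConnectionString }

Remove-PSSession $s, $https
```

With HTTPS the certificate authenticates the server, so TrustedHosts is not needed and a DNS or ARP spoof of srv01 fails the TLS check instead of silently collecting an NTLM exchange.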

Remote Administration Tools for Non-Administrators

In general non-administrators should be provided with MMC console snapins to administer servers rather than giving non-administrators remote desktop access.

Another method would be Telnet; Telnet is suited to low-bandwidth connections. Telnet Server can be configured by running tlntadmn.exe once the feature has been installed. Note that a Telnet session is unencrypted (only NTLM authentication, if enabled, protects the password), so anything typed in it is visible to anyone on the path.

Windows Event Logs

More on Windows Event logs can be found here.

MCTS 70-646 Provision data

Data availability can be achieved through…

…hardware redundancy, e.g. RAID, and multiple power supplies connected to different power feeds protected by different UPSs. Network redundancy should be configured too, e.g. multiple network cards (possibly teamed) connected to different switches; link aggregation across switches needs 802.3ad / 802.1AX (LACP) support on the switches.

…server redundancy e.g. using DFS, application replication e.g. Microsoft SQL server database mirroring or failover clustering.

…site redundancy e.g. redundant connectivity links or maybe DFS namespace configuration with replication.

Shared resources

Data availability through shared resources using DFS namespaces and DFS replication; more here

Another way to share and collaborate would be SharePoint; SharePoint Foundation 2010 is a free download that runs on Windows Server 2008 R2 (a Windows Server licence is still required).

Offline data access

Data availability through offline files; more here

MCTS 70-646 Plan for backup and recovery

Major changes since NTBackup

  • Windows Server backup no longer supports tape media
  • Windows Server backup on Windows Server 2008 does not support scheduled optical or remote share backups; Windows Server 2008 R2 does support scheduled remote share backups but with the caveat of only one backup being stored.
  • The smallest backup object is a volume
  • Only NTFS volumes can be backed up
  • Backups are stored as VHD files
  • Windows Server backup on Windows Server 2008 R2…
  • …supports the inclusion or exclusion of files, file types and paths.
  • …incremental backup forever
  • …system state backups use shadow copies to minimise the backup set size

Members of Backup Operators can only run one-time (ad hoc) backups; full administrator rights are required to configure scheduled backups.

Ideally backup sets should be kept offsite and where data is encrypted, encryption recovery keys should be kept with the backup set too. If using a disaster recovery site then adequate resource should be available; one benefit of Windows Server backup is that backup files are stored as VHD files, so virtualisation at the disaster recovery site is a viable solution.

Recovery strategy

Windows Server backup can restore applications that have Volume Shadow Service writer functionality in a more simplified manner; Windows Server backup will restore the application data, configuration settings and application program.

File recovery where duplicates exists will either overwrite, make a copy or ignore.

Server Recover Strategy

Complete server recovery requires you to boot from the installation DVD and select Repair your computer; this enters the Windows Recovery Environment (WinRE), from where you select a backup to restore. This restore can also be used on different hardware, provided the new hardware is similar enough for the restored system to boot. NOTE: full recovery requires the new disk to be at least the same size as the original.

Directory Service Recovery strategy

Active Directory authoritative restores require you to restart the domain controller in Directory Services Restore Mode. Once in *DSRM, restore the system state backup (a normal, non-authoritative restore), then start ntdsutil and activate the ntds instance. Type authoritative restore, then restore subtree "OU=OUName,DC=Domain,DC=com"; once the **authoritative restore is complete, restart the domain controller. NOTE: an authoritative restore is only meaningful if you have more than one domain controller; with a single domain controller there is nothing to out-replicate, so a non-authoritative restore does the trick.

*an easy way to get into DSRM is by modifying the boot database, use:

bcdedit /set safeboot dsrepair

then when the restore is complete

bcdedit /deletevalue safeboot

**During an authoritative restore ntdsutil reports the LDIF (.ldf) files it created, which contain back links, i.e. the group memberships of the restored objects; note where they were written (the current directory) and after the restart import them with:

ldifde.exe -i -k -f [path to file]\ldif.filename
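The whole procedure from the paragraphs above in one added sequence (not from the original post), including the wbadmin commands the notes leave implicit. It assumes a system state backup on E:, the OU OU=Finance,DC=corp,DC=example,DC=com, and that the version identifier used in step 2 is the one wbadmin printed for your backup; all are assumptions. The commands are run in two phases around the DSRM reboot.

```powershell
# Added example (not from the original notes): complete authoritative restore of one OU.
# Assumed: system state backup on E:, OU=Finance,DC=corp,DC=example,DC=com, and the
# backup version string is the one 'wbadmin get versions' prints for your backup.
$ou = 'OU=Finance,DC=corp,DC=example,DC=com'

# 1. Reboot straight into DSRM (no F8 race); log on afterwards as .\Administrator with the DSRM password
bcdedit /set safeboot dsrepair
Restart-Computer -Force

# ---- after the reboot, in DSRM ----
# 2. List available backups and perform a normal (non-authoritative) system state restore
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:05/14/2011-22:00 -backupTarget:E: -quiet   # version id from the list above

# 3. Mark only the OU authoritative: its objects' version numbers are raised so they win replication
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $ou" quit quit
# ntdsutil names the ar_<timestamp>_objects.txt and ar_<timestamp>_links_<domain>.ldf files it wrote
# to the current directory; note that directory before continuing.

# 4. Leave DSRM
bcdedit /deletevalue safeboot
Restart-Computer -Force

# ---- after the reboot, with AD DS running ----
# 5. Replay the back-link file(s) so group memberships held on other DCs / in other domains come back,
#    then force and check replication
Get-ChildItem -Path . -Filter 'ar_*_links_*.ldf' | ForEach-Object { ldifde -i -k -f $_.FullName }
repadmin /syncall /AdeP
repadmin /showrepl
```

Add -authsysvol to the wbadmin command in step 2 if SYSVOL (GPO content) must also win replication; and if the forest has only one domain controller, steps 3 and 5 can be skipped, since there is no other replica for the restored objects to beat.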

Tombstone lifetime by default is 180 days, you cannot recover anything older than the tombstone lifetime. The tombstone lifetime was previously 60 days in Windows Server 2003 RTM.


Performing Authoritative Restore of Active Directory Objects

Object level recovery

Volume Shadow Copies for Shared Folders lets end users recover deleted or corrupted files themselves via the Previous Versions tab. Shadow copies are enabled per volume, so they cover non-shared folders on that volume too.

A maximum of 64 shadow copies can be kept per volume; when the storage area allocated for shadow copies is full the oldest shadow copy is deleted to make room, so a burst of changes can silently discard old versions. The default space allocated is 10% of the volume (minimum 300 MB) and the default schedule is 7:00 and 12:00 every weekday.

Active Directory objects can be restored individually using Active Directory snapshots created with ntdsutil or system state backups.

To restore an object from a system state backup, first restore the system state redirecting the restore to an empty volume, then mount the restored ntds.dit with dsamain.exe (which exposes it as a read-only LDAP server on a port you choose) and use ldp.exe to read, or reanimate, the AD DS object.

To restore an object from an ntdsutil snapshot, mount the snapshot using ntdsutil, mount its ntds.dit with dsamain.exe, then use ldp.exe in the same way.

For object-level recovery using an authoritative restore, type restore object "<DN>" in ntdsutil rather than restore subtree.

Windows Server 2008 R2 domain controllers running forest functional level Windows Server 2008 R2 have the AD recycle bin functionality; the recycle bin is enabled via PowerShell and requires you restore object using PowerShell; objects deleted before AD recycle bin was enabled will be missing linked value replication information i.e. group membership.
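The two object-level recovery routes above (Recycle Bin with Restore-ADObject, and an ntdsutil snapshot exposed through dsamain) as an added example; this is not code from the original post. The account jsmith, the domain corp.example.com and the snapshot mount path are assumptions.

```powershell
# Added example (not from the original post). Account, domain and snapshot paths are assumptions.
Import-Module ActiveDirectory

# --- Route 1: AD Recycle Bin (forest functional level 2008 R2; enabling it is irreversible)
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target 'corp.example.com' -Confirm:$false

# A deleted user keeps its attributes and group links while it is a "deleted object"
$del = Get-ADObject -LDAPFilter '(&(sAMAccountName=jsmith)(isDeleted=TRUE))' `
    -IncludeDeletedObjects -Properties lastKnownParent, memberOf
# If the OU above it was deleted too it must be restored first, else Restore-ADObject fails
if ($del.lastKnownParent -like '*\0ADEL:*') {
    Get-ADObject -Identity $del.lastKnownParent -IncludeDeletedObjects | Restore-ADObject
}
Restore-ADObject -Identity $del.ObjectGUID
Get-ADUser jsmith -Properties memberOf | Select-Object DistinguishedName, memberOf

# --- Route 2: ntdsutil snapshot + dsamain, for forests without the Recycle Bin
ntdsutil snapshot "activate instance ntds" create quit quit      # take one (schedule this)
ntdsutil snapshot "list all" quit quit                           # index numbers and GUIDs
ntdsutil snapshot "mount 1" quit quit                            # mounts at C:\$SNAP_<timestamp>_VOLUMEC$\
$dit = 'C:\$SNAP_201105142200_VOLUMEC$\Windows\NTDS\ntds.dit'   # assumed mount path from the line above
Start-Process dsamain -ArgumentList "-dbpath `"$dit`" -ldapport 10389 -allowNonAdminAccess"
Start-Sleep -Seconds 10
# Read the historical state with the normal cmdlets, pointed at the snapshot's port
Get-ADUser jsmith -Server localhost:10389 -Properties memberOf, department |
    Select-Object DistinguishedName, department, memberOf
# Recover by reanimating the tombstone in ldp.exe (delete isDeleted, replace distinguishedName) or by
# recreating the object, then re-apply the attributes and memberships read from the snapshot.
Stop-Process -Name dsamain
ntdsutil snapshot "unmount 1" quit quit
```

The snapshot route never writes to the live directory, which is why it is safe to run on a production DC; the Recycle Bin route is simpler but only helps for objects deleted after the feature was enabled.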

MCTS 70-646 Plan file and print server roles

Access permissions

Share permissions apply to remote (network) access only and NTFS permissions apply to both remote and local access; a remote user gets the more restrictive of the two. NTFS permissions are cumulative, i.e. a user's effective permission is the union of permissions granted to the user and to every group they belong to; a user's own ACE does not override a group's ACE. When allow and deny conflict the order is: explicit deny, then explicit allow, then inherited deny, then inherited allow, so an explicit allow on the object beats a deny inherited from its parent, and at the same level deny overrides allow.

Windows Server 2008 file services also has Access Based Enumeration (ABE); this functionality hides files and or folders from users who have no access to them.

Managing a printer (its properties, sharing and permissions) requires the Manage Printers permission; managing the print queue (pausing, cancelling or re-ordering other users' jobs) requires Manage Documents; printing requires Print. The Manage Server permission applies to the print server itself, e.g. adding printers.

Storage quotas

NTFS storage quotas are defined per volume and are tracked per user; a quota entry can be created for a specific user, but not for a group, and quota can be disabled (set to no limit) for an individual user.

Quotas have hard and soft limits; hard limits stop users saving or copying files to a volume when over quota whereas soft limits just warn users.

Quotas can be defined on folders using FSRM; FSRM has hard and soft limits too but also can be defined on volumes, folders and shares. FSRM quotas should be defined via templates i.e. that is the best practice.


DFS-R is used to replicate data; it can be used with or without DFS-N e.g. replicating web content between servers within a web farm.

DFS-R uses Remote Differential Compression (RDC) to minimise the data replicated e.g. modifications to data are replicated not the whole file. Cross file RDC can use other files to construct a file to minimise WAN replication traffic; cross file RDC is only supported in Enterprise and Datacenter editions.


The Windows Search service in Windows Server 2008 and 2008 R2 replaces the legacy Indexing Service; the legacy service should only be installed if you have bespoke applications that depend on it. Windows Vista and Windows 7 clients work with the Windows Search service out of the box, whereas earlier clients such as XP require the Windows Search (desktop search) client to be installed. Indexing should only be configured on storage which holds shared folders. Indexing is configured via Control Panel > Indexing Options.

File storage policy

FSRM has file screening functionality which can be used to define what can and cannot be stored on the file system e.g. mp3s but you could also define an exception for a particular group.

Storage reports can be configured to the show largest files, most accessed files, duplicates etc, you may be able to use this for scheduling maintenance.
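The NTFS quotas, FSRM template-based quotas and file screening described in the Storage quotas and File storage policy sections above, as one added example using the Windows Server 2008 R2 command-line tools (fsutil, dirquota.exe and filescrn.exe). Not from the original notes; the volume, folder, template, group and user names are assumptions.

```powershell
# Added example (not from the original notes) using fsutil, dirquota.exe and filescrn.exe;
# volume, folder, template and account names are assumptions.

# NTFS disk quota: per volume, per user. Groups cannot be targeted.
fsutil quota track   D:
fsutil quota enforce D:                                        # hard: writes over the limit are denied
fsutil quota modify  D: 1900000000 2000000000 CORP\jsmith      # warning threshold, hard limit (bytes), user
fsutil quota query   D:

# FSRM hard quota on a folder tree, built from a template so a template change updates every derived quota
dirquota template add /Template:"Home 2GB" /Limit:2GB /Type:Hard
dirquota autoquota add /Path:D:\Home /SourceTemplate:"Home 2GB"   # one quota per existing and future sub-folder
dirquota quota list /Path:D:\Home\*                               # usage, limit and source template

# FSRM soft quota for a shared area: the write is allowed, the breach is recorded for reporting
dirquota template add /Template:"Projects 50GB soft" /Limit:50GB /Type:Soft
dirquota quota add /Path:D:\Projects /SourceTemplate:"Projects 50GB soft"

# File screen: block media files share-wide, but let the marketing folder keep them
filescrn screen add /Path:D:\Shares /SourceTemplate:"Block Audio and Video Files"
filescrn exception add /Path:D:\Shares\Marketing /Add-Filegroup:"Audio and Video Files"
filescrn screen list /Path:D:\Shares                              # active screens and exceptions
```

File screens match on file name only, so a renamed .mp3 gets through; they are a policy tool for well-meaning users and a reporting source, not a security control.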


Offline files allow access to network content whilst you’re offline; useful say if you’re working on a large file you can forcefully go offline, work on the file and then go back online to sync the changes. Internet Information Services shared configuration can benefit from offline file functionality too.

Offline files are configured via the share advanced share settings caching options. Note that redirected folders are automatically configured as offline.

You can encrypt offline files via Sync Center > Manage Offline Files > Encryption or Computer Configuration\Administrative Templates\Network\Offline Files\Encrypt the Offline Files cache.

Offline files enhancements in Windows Server 2008 R2

  • Fast first logon
  • Background sync
  • Exclusion list
  • Transparent caching

Distributed File System Namespaces (DFS-N) and Distributed File System Replication (DFS-R) can be used together to provide file share availability locally and geographically.

DFS-N allows you to consolidate multiple file shares from multiple servers into a single namespace. You can then use DFS-R to replicate this file share content to other file servers.

Geographic DFS namespaces can be used so users access their local file server to access content replicated from other sites.

Printer pooling allows you to effectively load balance printing; If you have the same printer or at least the printers which can use the same printer driver then you can pool printers. These printers are managed via one queue and can survive printers failing i.e. one printer breaking will not stop the printer pool working.

Printer publishing

Render print jobs on the client; this is the default and the most efficient option, because if rendering is left to the print server you could end up overburdening it.

Print filters can be configured to report on specific printer states e.g. printers with paper jams, offline or error. Print filters are only available to Windows Server 2008 and 2008 R2.

Printer can be published to Active Directory automatically if the print server is Windows Server 2008 R2 and the group policies ‘Automatically publish new printers in Active Directory’ and ‘Allow printers to be published’ are enabled.

Alternatively you can publish printers to Active Directory using the list in directory option; this will make it searchable or Deploy using Group Policy; here you can deploy it to the whole domain or specific OUs.

MCTS 70-646 Provision applications

Application deployment

Installation methods range from manual installation through to using something like (SCCM) System Center Configuration Manager. Manual installations are impractical in large environments but may be suitable for installation of software in a small or branch office with no servers or domain. Scripted deployments can be used for zero or lite touch installations but requires good scripting skills and can be potentially time consuming to maintain.

Other automated deployment methods are (GPSI) Group Policy Software Installation and SCCM; group policy can be used to assign msi packages to AD DS user and computer accounts or publish msi packages to AD DS user accounts. GPSI doesn’t have any deployment scheduling or bandwidth throttling functionality.

SCCM can be used to deploy zero touch installations, upgrade Windows Server 2003 to Windows Server 2008, schedule application deployment using Wake On Lan (WOL) if required. SCCM can also deploy traditional executables.

Plan App-V deployment

App-V runs each application in its own virtual environment (an isolated view of the file system and registry); this allows conflicting and non-RD-compatible applications to be deployed on the same RD session host.

App-V is part of the Microsoft Desktop Optimisation Pack. App-V applications can be deployed as msi installers thus making them compatible with GPSI.

App-V only streams the active part of the application to maximise the responsiveness.

Plan virtual application deployment

Remote App allows for applications to be accessed remotely but with the look and feel of a local installation. Remote App applications can be deployed to users and configured to trigger when a user opens a particular file e.g. Word would open when a user opened a .doc file; this functionality does require the Remote App to be deployed via a msi installer.

The Remote App applications are deployed on a RD session host so users will require ‘allow logon through RDS’ or be a member of the Remote Desktop Users group. Remote App applications can also be presented to the user as rdp shortcuts or via the RD Web Access website.

Plan web application deployment

Web application deployment methods are WebDAV over HTTP or HTTPS, and FTP (FTP in IIS 7.5 can use SSL, i.e. FTPS).

WebDAV is a per site configuration and can be installed as a role in Windows Server 2008 R2.

FTP is a role service of the Web Server role; FTP can be configured on a per site basis or per server.

Microsoft Web Deploy 3.0  can be used to package visual studio applications for deployment as well as keep web farm in sync.

More Web Infrastructure information here

MCTS 70-646 Plan application servers and services

Planning Remote Desktop Infrastructure

Remote Desktop Services has the following benefits:

  • User workstations run a minimal amount of software.
  • Data is centralised i.e. may be at HQ rather at the branch office.
  • The host operating system updates, anti-virus and anti-spyware updates are deployed at the Remote Desktop session host server.
  • Application updates are performed centrally.

Depending on the number of users and the applications hosted you may need one or more RD session host servers in one or more locations e.g. a heavily utilised, high bandwidth application used by 20 branch office staff would more than likely warrant a RD session host server at the branch office, whereas 10 users running a word processing application would probably be accessed across the WAN.

Planning RD session host server software

Application compatibility is paramount if you’re to successfully deploy remote applications.

Applications should be installed with the RD session host in install mode (change user /install, then change user /execute when finished), although most installers detect that they are running on an RD session host and switch modes automatically.

Applications which are RD compatible have the following characteristics

  • Multi user
  • Application configuration should be saved to the users profile
  • Do not require users to write to HKEY_LOCAL_MACHINE in the registry

RD licensing

Licensing server scopes

  • Workgroup
    • only available to workgroup computers, workgroup servers and clients can discover the licence server automatically
  • Domain
    • Domain RD session host computers and clients can automatically acquire Client Access Licences.
  • Forest
    • Forest RD session host computers and client can automatically acquire Client Access Licences; this is the recommended for central licence management.

licence server activation installs a digital certificate to validate the server ownership and identity. The methods of activation are:

  • Automatic (requires SSL)
  • Web browser (must browse to a web page) – cannot be used with deactivation
  • Telephone

Temporary licenses are valid for 90 days

Licence types

  • Device – assigned to a device; can be reclaimed 52 to 89 days after being issued. 20% of licenses issued to a particular operating system can be revoked at any one time.
  • User – assigned to a user; user CALs are not enforced by RD licensing.

RD licence server backup

When a licence server has been restored any unissued licenses will need re-validating.

A Windows Server 2008 R2 licence server is backwards compatible with Windows Server 2008, Windows Server 2003 and Windows 2000 Server Terminal Services session host servers.

RD Session Host Configuration

Configuration of the RD session host is performed within the RD session host configuration > RDP-TCP > Properties window.

The default security layer is Negotiate, which uses SSL (TLS) if the client supports it and a certificate is installed, otherwise the RDP security layer. The default encryption level is Client Compatible, which negotiates the strongest level both client and server support. High uses 128-bit encryption in both directions and requires RDC 5.2 or later; Low uses 56-bit encryption and only encrypts data sent from the client to the server, not the server's screen data back to the client.
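An added example (not from the original notes) that reads and hardens the RDP-Tcp listener settings described above through the Win32_TSGeneralSetting WMI class: TLS-only security layer, High encryption, Network Level Authentication, and a certificate bound from the computer store. It runs locally and elevated; selecting the certificate by the computer's name is an assumption.

```powershell
# Added example (not from the original notes): read and harden the RDP-Tcp listener through WMI.
# Run locally and elevated; for a remote host add -ComputerName and -Authentication PacketPrivacy.
$ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"

# Current state. SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS).
# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS.
$ts | Select-Object TerminalName, SecurityLayer, MinEncryptionLevel, UserAuthenticationRequired, SSLCertificateSHA1Hash

# Harden: TLS only, 128-bit minimum, and Network Level Authentication so the client authenticates
# before a session (and its attack surface) is created. NLA needs RDC 6.0+ with CredSSP (XP SP3 / Vista+).
[void]$ts.SetSecurityLayer(2)
[void]$ts.SetEncryptionLevel(3)
[void]$ts.SetUserAuthenticationRequired(1)

# Bind a certificate from the computer store whose subject matches the name clients connect to
# (assumption: the subject starts with the computer name); otherwise the self-signed certificate is
# used and clients see a warning that they quickly learn to click through.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$env:COMPUTERNAME*" } | Select-Object -First 1
if ($cert) { $ts.SSLCertificateSHA1Hash = $cert.Thumbprint; [void]$ts.Put() }

# Re-read to confirm
Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" |
    Select-Object SecurityLayer, MinEncryptionLevel, UserAuthenticationRequired, SSLCertificateSHA1Hash
```

The same settings are what the Security tab of RD Session Host Configuration writes; doing it through WMI makes the state checkable from a script, so drift back to Negotiate or Client Compatible shows up in an audit rather than in an incident.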

The no. of sessions and the network adapter which RDS will respond on is configured within the network adapter tab.

When performing maintenance the user logon mode should be changed to ‘prevent new logons’ within the RD session host configuration > edit settings.

One of the most important configurations is connection and session configuration as these directly affect the capacity of the RD session host. Session configuration determines when Active, Idle or disconnected sessions should be disconnected or ended respectively.

Group Policy objects

Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/RD Session Host to configure Connections, device and resource redirection, licensing, printer redirection, profiles, remote session environment, security, session limits, temporary folders and RD connection broker.

RD Web Access

This role service allows client to connect to a RD session host via a browser. The role service requires IIS and the Windows Process Activation service.

Compatible clients are XP SP2 and later.

RD Connection broker

This role service maintains user sessions in a database, so if a user disconnects they are reconnected to their existing session. RD Connection Broker is used in conjunction with DNS round robin, Microsoft NLB or hardware load balancers that support RD Connection Broker routing tokens. If you're using a hardware load balancer then RD Connection Broker should use token redirection rather than IP address redirection.

Connection broker can only load balance Windows Server 2008 or 2008 R2 Terminal / Remote Desktop session host servers. Connection broker requires clients be using at least RDC 5.2.

The RD session host servers must be made members of the Session Broker Computers local group on the broker (called Session Directory Computers in Windows Server 2008).

RD gateway server

RD Virtualisation Host

This role service allows you to present Hyper-V virtual machines as virtual desktops via Remote Desktop Services.

Monitoring RDS

RDS can be monitored using either performance monitor (perfmon) or (WSRM) Windows System Resource Manager.

Performance monitor provides a number of counters to track memory and processor usage per session and active, inactive and total sessions.

WSRM provides a means of distributing the load evenly, e.g.

  • Equal_Per_User ensures each user is allocated equal resources; useful when users can have more than one session.
  • Weighted_Remote_Sessions allow processes to be grouped according to the priority assigned to the user account.
  • Equal_Per_Session ensures each session is allocated equal resources; should be used in conjunction with limiting users to a single session.

MCTS 70-646 Plan infrastructure services server roles

IPv4 / IPv6

IPv4 and IPv6 can be found here

IPv6 stateless autoconfiguration:

  • Generates a link-local address (fe80::/64 plus an interface identifier).
  • Tests whether the link-local address is unique on the link using Duplicate Address Detection (DAD).
  • If it is unique, assigns itself that address.
  • Contacts the local router with a Router Solicitation message.
  • Takes the network prefix, address lifetimes, next hop etc. from the Router Advertisement and builds a global address (DAD runs again to ensure the auto-configured global address is unique).

Stateless configuration doesn’t assign DNS server addresses, for this purpose DHCPv6 can be configured to assign DNS server addresses.

IPv4-to-IPv6 transition:

Dual stack v4 and v6 addresses.

Use transition technologies: Teredo and 6to4 across the internet, ISATAP on the intranet.


DHCP in Windows Server 2008 R2 has MAC address (link-layer) filters, which allow the administrator to define allow and deny lists of MAC addresses that can or cannot obtain an IP address from DHCP. Note that a MAC address is trivially spoofed, so this is an administrative control, not a security boundary.

DHCP can be configured to dish out IPv6 DNS server addresses and DNS domain names in a stateless environment whereas in a stateful IPv6 environment DHCPv6 can dish out IP addresses, gateway address, DNS server addresses etc.


Primary read-only zones are new and used when a RODC is deployed.

DNS client cache refreshes every 15 minutes.

DNS stub zones contain the Name Server record and Start of Authority record for a delegated DNS zone. The A glue record contains the Name Server IP address. Stub zones minimise the replication of zones; the local DNS server maintains a list of NS and glue A records.

DNS now supports DNS background zone loading; this allows the DNS server to service requests whilst the zone is still loading; incoming client requests are prioritised and loaded on demand.

The GlobalNames zone is Microsoft's attempt to finally replace WINS; it lets you map a flat, single-label name to a FQDN within DNS. GlobalNames entries are static CNAME records that are not dynamically updated, so they should be used where IP addresses (or at least host names) are static. Use it when applications cannot handle FQDNs, all authoritative DNS servers are running Windows Server 2008 / 2008 R2, or you're decommissioning WINS.

GlobalNames is enabled as follows:

dnscmd . /config /enableglobalnamessupport 1
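The full GlobalNames set-up that the single dnscmd line above starts, as an added example (not from the original notes): enable the feature on every DNS server, create the forest-wide zone with dynamic updates off, add one CNAME and test it. It assumes the DNS servers are the domain controllers and uses the assumed names intranet and web01.corp.example.com.

```powershell
# Added example (not from the original notes): create the GlobalNames zone and publish one single-label
# name. Assumed: DNS runs on the domain controllers; host and domain names are assumptions.
Import-Module ActiveDirectory

# 1. Every authoritative DNS server must have GlobalNames support switched on
Get-ADDomainController -Filter * | ForEach-Object {
    dnscmd $_.HostName /config /enableglobalnamessupport 1
}

# 2. One forest-wide AD-integrated zone called GlobalNames, with dynamic updates off
#    (entries are static CNAMEs maintained by administrators; nothing should be able to register itself here)
dnscmd . /zoneadd GlobalNames /dsprimary /dp /forest
dnscmd . /config GlobalNames /allowupdate 0

# 3. Map the flat name clients and applications use to the FQDN of the real host
dnscmd . /recordadd GlobalNames intranet CNAME web01.corp.example.com.
dnscmd . /zoneprint GlobalNames

# 4. Test from a client: a single-label query is answered without WINS or a DNS suffix search list
nslookup intranet
```

Keeping dynamic updates disabled on the zone matters: a GlobalNames entry is consulted for single-label names across the whole forest, so a writable zone would let anyone who can register records hijack a well-known short name.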

Network Access Control

Network Access Protection (NAP) is a feature of Windows Server 2008 that controls access to network resources based on a client computer's identity and its compliance with health policy.

NAP uses the clients security center (Vista / XP SP3) as reference e.g. is the Windows firewall enabled etc.

NAP enforcement is configured via group policy (Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients  and Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Network Access Protection Agent); create a group which contains the NAP client computers and filter the GPO using GPO security filtering. The configuration can be viewed on the client by running netsh as below.

netsh nap client show state

NAP events can be viewed via Event Viewer\Application and Service Logs\Microsoft\Windows\Network Access Protection\Operational

DHCP enforcement

DHCP enforcement ensures clients are healthy, i.e. they have met the health policy requirements, before being given an IP address lease; the caveat of this enforcement method is that a user with administrator privileges could statically assign themselves an IP address to bypass it.

DHCP enforcement requires DHCP server options from the Default Network Access Protection and Default User Classes. If the DHCP server is installed on a different server to the NPS role, then the DHCP server should be configured as a remote RADIUS client.

Non-compliant and non-NAP-capable clients should have defined remediation servers which allow access to resources they can use to become healthy or NAP capable, e.g. a workgroup client computer receiving DHCP leases from a NAP scope will be deemed non-NAP-capable until it has been joined to the domain, downloaded the necessary policies and has the necessary group membership.

IPsec enforcement

IPsec enforcement ensures computers are healthy before being able to communicate with corporate resources; this enforcement method is tamper resistant as the client computer requires a health certificate from a Health Registration Authority CA. This method allows end-to-end encryption too.

IPsec enforcement requires a Domain Controller, preferably an Enterprise Certificate Authority and a standalone issuing Certificate Authority, Health Registration Authority (HRA) and Network Policy Server. The standalone CA issues system health authentication certificates via the HRA server.

Client or server computers which are exempt from IPsec communication should have the system health authentication certificate auto-enrolled.

The NPS server should have a computer certificate enrolled to encrypt communication with the HRA website; this website has two roles: the first authenticates domain computers using Windows Authentication and the second authenticates non-domain computers using Anonymous authentication. Anonymous clients will need to trust the root certificate authority, or whichever CA issued the SSL certificate for the HRA website.

When configuring NAP you would need to configure a RADIUS client if the HRA role is installed anywhere other than where the NPS role is installed.

NAP IPsec enforcement requires an additional group policy setting to be configured (Computer Configuration\Policies\Windows Settings\Security Settings\NAP Client Configuration\Trusted Server Groups\) with the URL of the HRA server, e.g. https://[fqdn]/DomainHRA/hcsrvext.dll.

It is possible to configure HRA auto-discovery, but this requires DNS SRV records and auto-discovery registry keys configured on the client.
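An added example (not from these notes) for checking the NAP client state described above and for applying the trusted server group configuration locally, which is useful when confirming what the GPO actually delivered. The HRA host name hra01.corp.contoso.com and the group name "HRA Servers" are constructed placeholders, and the event log channel name is assumed from the Event Viewer path given in the notes.

```powershell
# Added example (not from the original notes). The HRA host name
# hra01.corp.contoso.com and the group name "HRA Servers" are placeholders.

# The NAP agent service and enforcement clients are normally pushed by the
# GPO; these commands show the resulting client state for troubleshooting.
Get-Service napagent | Select-Object Name, Status   # Status should be Running
netsh nap client show state    # which enforcement clients are initialised and the current health state
netsh nap client show config   # the effective configuration, including trusted server groups

# Local equivalent of the Trusted Server Groups GPO setting: a group that
# requires HTTPS and points at the HRA extension URL.
netsh nap client add trustedservergroup group = "HRA Servers" requirehttps = ENABLE
netsh nap client add server group = "HRA Servers" url = "https://hra01.corp.contoso.com/DomainHRA/hcsrvext.dll"

# Last 20 NAP operational events. Channel name assumed from the Event Viewer
# path Microsoft\Windows\Network Access Protection\Operational; health-state
# changes and HRA/certificate failures are logged here.
Get-WinEvent -LogName "Microsoft-Windows-NetworkAccessProtection/Operational" -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

If `show state` reports the IPsec enforcement client as not initialised, the GPO has not applied or the agent service is stopped; start with `gpresult /r` and the service status before looking at the HRA side.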

VPN enforcement

VPN enforcement ensures computers are healthy before allowing them to access the corporate network via the VPN server.

VPN enforcement requires a domain controller, Certificate services, RADIUS server (NPS), VPN (RRAS) and DHCP to issue IP addresses to VPN clients.

VPN enforcement client settings configured via group policy depend on the client operating system (Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients\Remote Access Enforcement Client (XP/Vista) and \EAP Quarantine Enforcement Client (Windows 7)).




  • PPTP – lowest security, easiest to configure and uses MS-CHAPv2
  • L2TP – requires computer certificates, works with IPv6 and uses IPsec for authentication, data integrity and encryption. Heterogeneous.
  • SSTP – requires the endpoint certificate be trusted by client machines, uses SSL for authentication, data integrity and encryption thus uses TCP port 443 which allows the VPN to traverse proxies, NAT and firewalls; requires Windows Server 2008 and Vista SP1 and later though. The CRL distribution point must be accessible from the internet.
  • IKEv2 – Enables clients to utilise VPN reconnect functionality. Requires at least Windows 7 and Windows Server 2008 R2. Uses UDP port 500. IKEv2 is the default connection the Windows 7 VPN client will try.

By default a VPN client will access all of its resources via the VPN tunnel. If you want to use split tunnelling, configure the VPN connection's TCP/IP properties to not use the default gateway on the remote network.

If you’re using DHCP to issue VPN clients with an address you can use the ‘Default Routing and Remote Access Class’ options.

Authentication Mechanisms

EAP-TLS – requires the RAS server be a member of the domain.

MS-CHAPv2 – default authentication and encryption protocol.

EAP-MD5-CHAP – generally used with non-Microsoft clients.

Certificate Services

Certificate Services can issue certificates which are used for code signing, driver signing, email signing, web site traffic encryption, data encryption (i.e. IPsec and EFS), wireless authentication and smartcards.

Key differences between external and internal certificate authorities

  • external certificate authorities are commonly trusted, i.e. their root certificates are shipped with the major operating systems.

Internal certificate authorities

  • Standalone
    • No AD DS requirement
    • manual requests and manual approval
    • no certificate templates
    • manually install root certificate in client computer stores
    • generally the root certificate authority which is switched off once subordinate certificates have been issued
  • Enterprise
    • Requires AD DS which in turn supports auto enrolment
    • smartcards and authentication tokens can be issued to validate user credentials
    • certificates and certificate revocation lists are published to AD DS
    • certificate template types 2 and 3 are available for customising certificates
    • certificate requests can get information from AD DS in order to submit the certificate request on behalf of the client

Certificate authority certificates

NOTE: No certificate can be issued an expiry date which exceeds the certificate in the chain above it.

Root certificate

The root certificate should use a strong hash algorithm, e.g. SHA256 (XP has issues with SHA2 algorithms), and a 4096 bit key length (legacy applications might force you to use 2048 bit). The validity of the certificate should be less than its expected lifetime.

Intermediate certificate (subordinate)

Intermediate certificate authorities should use a smaller key length and a less computationally expensive hash algorithm than the root certificate, and their validity should be significantly shorter too. It should be okay to reuse the same key on renewal.

Issuing certificate (subordinate)

Issuing certificate authorities should use a smaller key length (if applicable) and a less computationally expensive hash algorithm; again the validity should be significantly shorter. It is also a good idea to issue a new key when renewing the issuing certificate; this creates a new certificate revocation list, which should speed up CRL look-ups.

Expiring and newly generated certificates can co-exist which allows you to renew the root, intermediate or issuing certificates before they expire.
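An added example (not from these notes) showing how the key length, hash algorithm, validity and basic-constraints guidance above is expressed for AD CS: a CAPolicy.inf for an offline root and one for an issuing CA, followed by the certutil settings that cap issued-certificate lifetime and renew the issuing CA with a new key. The CAPolicy.inf keys are the documented AD CS ones; the key lengths, periods and paths are illustrative values chosen to match the guidance.

```powershell
# Added example (not from the original notes). CAPolicy.inf keys are the
# documented AD CS ones; the key lengths, periods and paths are illustrative
# values chosen to match the guidance above.

# --- Offline root CA: CAPolicy.inf must be in %windir% BEFORE the CA role is
# installed. 4096-bit key, long CA lifetime, no delta CRL (the root only signs
# subordinate CA certificates, so its CRL rarely changes), no default templates.
$rootPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $rootPolicy -Encoding ASCII

# --- Issuing (subordinate) CA: smaller key, much shorter lifetime, frequent
# CRLs, and a basic-constraints path length of 0 so this CA can sign
# end-entity certificates only, never another CA certificate.
$issuingPolicy = @'
[Version]
Signature="$Windows NT$"

[BasicConstraintsExtension]
PathLength=0
Critical=Yes

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Days
CRLPeriodUnits=7
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=12
LoadDefaultTemplates=0
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $issuingPolicy -Encoding ASCII

# After the issuing CA is installed: cap the lifetime of the certificates it
# issues. AD CS also truncates any issued certificate to the CA certificate's
# own expiry, so the chain rule (no child outlives its parent) always holds.
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"
# SHA-256 signatures for a CA whose key lives in a CNG key storage provider.
certutil -setreg CA\CSP\CNGHashAlgorithm SHA256
Restart-Service certsvc

# Renewing the issuing CA with a NEW key pair (omit ReuseKeys) starts a fresh,
# small CRL for certificates signed by the new key; the old CRL keeps serving
# certificates issued under the previous key until they expire.
certutil -renewCert
```

The two CAPolicy.inf files are written to the same path only because each goes on a different server; the root's file goes on the offline root before its role is installed, the issuing CA's on the issuing CA before its role is installed.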

Credential roaming

This allows user certificates and private keys to roam with the user, i.e. to the desktops they log on to. So when that user encrypts a document, connects to a wireless network which is secured using certificates and RADIUS, or connects to a website which requires client certificates for authentication, the same certificate is used no matter which desktop they use.

Credential roaming only works with x.509 type 3 certificates (these are new in Server 2008) that have RSA or DSA key pairs; I think the following cryptographic providers all use RSA or DSA:

  • Microsoft Base Cryptographic Provider
  • Microsoft Enhanced Cryptographic Provider
  • Microsoft DSS Cryptographic Provider
  • Microsoft Base and Diffie-Hellman Cryptographic Provider
  • sChannel Cryptographic Provider

Credential roaming is implemented by turning on a user group policy setting, i.e. User Configuration > Windows Settings > Public Key Policies > Certificate Services Client – Credential Roaming.

When the user logs off a particular desktop their certificates, private keys and credentials are removed too.


By default a standalone CA is configured to mark certificate requests as pending.

Certificate autoenrollment allows certificates to be deployed to computers, service accounts and users without their knowledge. To configure autoenrollment you must have enterprise or domain administrator privileges.

The first step in configuring autoenrollment is to configure certificate templates in AD CS with Read, Enroll and Autoenroll permissions. If a certificate is being renewed then Read and Enroll are the only permissions required. There is more information in the certificate templates section.

Finally configure an autoenrollment policy within the domain, i.e. configure a GPO for Certificate Services Client – Auto-Enrollment.


Authority Information Access (AIA) is used by clients to build the certificate chain for a particular certificate. AIA is also used to publish the location of the OCSP responder.

Certificate revocation

Certificate revocation distribution points must be configured before issuing any certificates in order for the distribution points to be included in the issued certificates.

The CRL contains the whole revocation list and the delta CRL contains only the revocation changes since the last full CRL.

When you revoke a certificate you are unable to unrevoke it unless the certificate was revoked with the reason of ‘Certificate Hold’.

OCSP – to retrieve an OCSP response signing certificate the OCSP service account should be granted Enroll permission on the template.


Microsoft’s online responder service uses Online Certificate Status Protocol (OCSP) to manage certificate revocation in diverse environments.

OCSP is used mostly where:

  1. clients do not have high speed connections to download CRLs or for clients who connect remotely.
  2. certificate revocation checking activity peaks at specific times e.g. user logon or sending signed email.
  3. a non-Microsoft CA is used.
  4. information about all revoked or suspended certificates should be limited and certificate revocation information should be provided on a request-by-request basis.

Basics of the online responder

  • Receives the certificate revocation check request, then decodes and verifies it (after the local cache and OCSP cache have been checked)
  • OCSP checks the local CRL and a cached copy of the most recent CRL issued by the CA
  • If the above step fails the OCSP retrieves a CRL from the CA
  • The OCSP web proxy encodes the response and sends the information back to the client
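An added example (not from these notes) that ties the revocation section and the online responder section together: configuring CDP and AIA (including the OCSP URL) before any certificates are issued, setting CRL and delta CRL periods, revoking with the one reason that can be undone, and then checking revocation from the client side. It assumes an enterprise issuing CA publishing to http://pki.corp.contoso.com/CertEnroll with an online responder at http://ocsp.corp.contoso.com/ocsp; those host names and the serial number 1a2b3c4d are constructed placeholders.

```powershell
# Added example (not from the original notes). Assumes an enterprise issuing CA
# whose CRLs and CA cert are published to http://pki.corp.contoso.com/CertEnroll
# and an online responder at http://ocsp.corp.contoso.com/ocsp; host names and
# the serial number 1a2b3c4d are constructed placeholders.

# 1. Distribution points go in BEFORE any certificate is issued: certificates
#    carry the CDP/AIA URLs as extensions, so later changes never reach
#    certificates already in the field.
#    Flags: 1 = publish CRL to this location, 2 = put URL in issued certs' CDP
#    extension, 4 = put URL in the freshest-CRL (delta) extension,
#    64 = publish delta CRL to this location, 32 = put URL in issued certs' AIA
#    as the OCSP responder. "\n" is certutil's separator between entries.
certutil -setreg CA\CRLPublicationURLs "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://pki.corp.contoso.com/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.corp.contoso.com/CertEnroll/%1_%3%4.crt\n32:http://ocsp.corp.contoso.com/ocsp"

# 2. Full CRL weekly, delta CRL daily; restart the service so the new
#    registry values take effect.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
Restart-Service certsvc

# 3. Revoke with reason 6 (CertificateHold), the only reason that can be
#    undone; publish the base and delta CRL immediately rather than waiting
#    for the schedule, then lift the hold.
certutil -revoke 1a2b3c4d 6
certutil -crl
certutil -revoke 1a2b3c4d Unrevoke   # refused for any other reason code

# 4. Client-side check: walk the chain, fetch every CDP/AIA/OCSP URL in the
#    leaf certificate and report whether revocation status was obtainable.
certutil -verify -urlfetch .\leaf.cer
```

The `-urlfetch` output is the quickest way to confirm that the OCSP URL from the AIA extension is reachable and that the responder's signing certificate is trusted, which is what the online responder steps above depend on.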

Certificate templates

The general properties of a certificate template allow you to configure whether to publish issued certificates to Active Directory; this allows a user to locate another user's public key before they encrypt a file or email, and stops duplicate certificates being issued to users and computers for the same purpose. AD DS can also be used to populate information required for the certificate request, such as the common name, and to publish the CRL too.

You can configure the validity and renewal periods too.

The certificate template extensions determine the certificate template rules (assurance), application policy (what the certificate can be used for, e.g. web server), key usage (what specific task it can be used for, e.g. server authentication / client authentication), key archival (are the keys for this certificate archived in the CA database in case the private key is lost? useful for EFS certificate templates where you have a key recovery agent in place) and basic constraints, which e.g. define that an issuing CA can only issue user certificates, not CA certificates.

The request handling of a certificate template determines its intended purpose (encryption, signature, both, or signature and smartcard), its archive settings (e.g. can the private key be exported), user input settings (e.g. require input or enroll with no input), key size and cryptographic provider.

The cryptography of a certificate template determines its algorithm (RSA, DSA or ECDH), key size, providers, hash algorithms (SHA#, MD# or AES#) and

The subject names of a certificate template determines whether the subject name is built from AD DS i.e. common name and distinguished name or supplied in the certificate request.

You can configure the template for high volume scenarios by selecting 'do not store certificates and requests in the CA database'. These are primarily used with NAP and IPsec enforcement.
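An added example (not from these notes) for the autoenrollment permissions section and the certificate templates section: it reads every template object in the forest's Configuration partition and lists which principals hold the Enroll and AutoEnroll rights, which is the review you want before turning on the autoenrollment GPO. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later); the two extended-right GUIDs are the well-known values from the AD schema.

```powershell
# Added example (not from the original notes). Lists, for every certificate
# template in the forest, which principals hold the Enroll and AutoEnroll
# extended rights - the permissions the autoenrollment steps depend on.
# Requires the ActiveDirectory module (Windows Server 2008 R2 RSAT or later);
# the extended-right GUIDs are the well-known values from the AD schema.
Import-Module ActiveDirectory

$enrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$extendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$configNc    = (Get-ADRootDSE).configurationNamingContext
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

function Get-TemplateEnrollmentRights {
    # Returns one object per (template, principal) pair that can enroll or autoenroll.
    Get-ADObject -SearchBase $templatesDn -Filter 'objectClass -eq "pKICertificateTemplate"' |
      ForEach-Object {
        $template = $_
        $acl = Get-Acl -Path ("AD:\" + $template.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $isExtended = (($ace.ActiveDirectoryRights -band $extendedRight) -ne 0)
            $enroll     = ($isExtended -and $ace.ObjectType -eq $enrollGuid)
            $autoEnroll = ($isExtended -and $ace.ObjectType -eq $autoEnrollGuid)
            # An ExtendedRight ACE with an empty ObjectType means "all extended
            # rights"; GenericAll grants everything as well.
            $allRights  = ($isExtended -and $ace.ObjectType -eq [Guid]::Empty) -or
                          (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
            if ($enroll -or $autoEnroll -or $allRights) {
                New-Object PSObject -Property @{
                    Template   = $template.Name
                    Principal  = $ace.IdentityReference.Value
                    Enroll     = ($enroll -or $allRights)
                    AutoEnroll = ($autoEnroll -or $allRights)
                }
            }
        }
      }
}

# Review the output: Enroll/AutoEnroll granted to broad groups such as Domain
# Users or Authenticated Users on a template that is not meant for them is
# the thing to tighten before the autoenrollment GPO goes live.
Get-TemplateEnrollmentRights | Sort-Object Template, Principal |
    Format-Table Template, Principal, Enroll, AutoEnroll -AutoSize
```

Read permission is not reported because it is an ordinary property right rather than an extended right; the Enroll and AutoEnroll columns are the ones that decide whether the autoenrollment policy will actually hand a certificate to a given principal.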

Directory Services

Active Directory components

  • Forest – Contains one or more trees and makes up a single instance of Active Directory
  • Trees – contiguous namespace i.e. domain.com > one.domain.com > corp.one.domain.com etc.
  • Domains – security boundary for authentication etc.
  • Sites – geographically defined locations within a domain

A global catalog is a distributed data repository which contains a partial representation of every object in every domain.


An RODC must receive updates from a Windows Server 2008 writable domain controller which hosts the PDC emulator FSMO role.

Only one RODC can exist per domain per site.


MCTS 70-646 Plan for automated server deployment

Plan for automated server deployment

Deployment methods

  • Install From Media (IFM)
  • Automated / Unattended using xml based answer files
  • network install using WinPE; this can be automated too
  • WDS
    • Zero or lite touch (requires scripting skills)
    • uses boot.wim and install.wim of Vista, Windows 7, Server 2008 and 2008 R2
    • Automated installs using xml based answer files
  • System Center Configuration Manager
    • Zero touch
    • Can perform upgrades too

XML answer files can be created using the System Image Manager (SIM) from the Windows Automated Installation Kit (WAIK). When pointing SIM at a wim file use the wim file off the DVD not the wim within WDS.

WDS deployment

  • Requirements
    • NTFS volumes
    • DHCP (if on the same server, WDS should be configured not to listen on UDP 67)
    • DNS
    • AD DS
    • client should have PXEclient option deployed via DHCP
  • PXE boot
    • respond to all
    • respond to none
    • respond to known i.e. prestaged within AD DS
  • Multicast support
    • multicast can be configured via the GUI or WDSUtil
    • Scheduled or auto-cast; auto-cast starts when the first client requests an image, other clients can join at any point in the image deployment.
    • multicast requires clients have disk space available to receive wim image (unicast deployment streams the image file)
  • Images
    • ImageX and PEImg are used to customise images, e.g. to add drivers
    • WIM files use single instance technology to reduce the amount of space required to store Windows Server images.
    • Hardware independent
    • non-destructive deployment
  • Image types
    • Install
    • boot
    • discover (for non-PXE network adapters)
    • capture (capture Sysprepped images)
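An added example (not from these notes) that applies the WDS deployment choices listed above with wdsutil: initialising the server on a separate NTFS volume, sharing the box with DHCP, answering only prestaged clients, prestaging a device, adding boot and install images from the DVD, and creating an auto-cast multicast transmission. The D:\RemoteInstall path, the D:\Sources image files, the device name, GUID and image name are constructed placeholders.

```powershell
# Added example (not from the original notes). D:\RemoteInstall, D:\Sources,
# the device name/GUID and the image name are constructed placeholders.

# 1. Initialise on an NTFS volume separate from the system drive.
wdsutil /Initialize-Server /RemInst:"D:\RemoteInstall"

# 2. DHCP on the same box: stop WDS listening on UDP 67 and set DHCP option 60
#    so PXE clients still learn that a WDS server answers here.
wdsutil /Set-Server /UseDhcpPorts:No /DhcpOption60:Yes

# 3. Answer only prestaged (known) clients: a machine that is not pre-created
#    in AD DS gets no boot program, so an unmanaged box on the LAN cannot
#    pull an image just by PXE booting.
wdsutil /Set-Server /AnswerClients:Known

# 4. Prestage a client by GUID (a MAC address padded to 32 hex digits also works).
wdsutil /Add-Device /Device:"SRV01" /ID:"{11111111-2222-3333-4444-555555555555}"

# 5. Add the boot and install images from the product DVD, then an auto-cast
#    multicast transmission for the install image: it starts when the first
#    client asks for the image and later clients join mid-stream.
wdsutil /Add-Image /ImageFile:"D:\Sources\boot.wim" /ImageType:Boot
wdsutil /Add-Image /ImageFile:"D:\Sources\install.wim" /ImageType:Install
wdsutil /New-MulticastTransmission /FriendlyName:"Server 2008 R2 auto-cast" /Image:"Windows Server 2008 R2 SERVERSTANDARD" /ImageType:Install /TransmissionType:AutoCast

# 6. Verify the server settings and the transmission.
wdsutil /Get-Server /Show:Config
wdsutil /Get-AllMulticastTransmissions
```

The `/Image:` value in step 5 must match the image name inside install.wim exactly; `wdsutil /Get-AllImages /Show:Install` lists the names after the image has been added.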