PARTS OF A COMPETENCY-BASED LEARNING MATERIAL
• References / Further Reading
• Performance Criteria Checklist
• Operation / Task / Job Sheet
• Self Check Answer Key
• Self Check
• Information Sheet
• Learning Experiences
• Learning Outcome Summary
• Module Content
• List of Competencies
• Front Page
COMPUTER SYSTEMS SERVICING NCII
In our efforts to standardize CBLM, the above parts are recommended for use in Competency Based Training (CBT) in Technical Education and Skills Development Authority (TESDA) Technology Institutions. The next sections will show you the components and features of each part.
Date Developed: March 2017
Developed by: JAYSON S. BARTE
Document No : CSS NCII- 0001 Issued by: MSIT Solutions Inc. Revision # 01
COMPETENCY-BASED LEARNING MATERIAL
Sector: ELECTRONICS
Qualification: COMPUTER SYSTEM SERVICING NC II
Unit of Competency: INSTALL AND CONFIGURE COMPUTER SYSTEM
Module Title: Installing and Configuring Computer System
MANILA, PHILIPPINES
HOW TO USE THIS COMPETENCY BASED LEARNING MATERIAL

Welcome to the module in (Computer Systems Servicing NC II). This module contains training materials and activities for you to complete. The unit of competency "(Install and Configure Computer System)" contains knowledge, skills and attitudes required for (Computer Systems Servicing NC II). You are required to go through a series of learning activities in order to complete each learning outcome of the module. In each learning outcome are Information Sheets, Self-Checks, Operation Sheets or Task Sheets. Follow these activities on your own. If you have questions, don’t hesitate to ask your facilitator for assistance.

The goal of this course is the development of practical skills. To gain these skills, you must learn basic concepts and terminologies. For the most part, you'll get this information from the Information Sheets and suggested resources and references. This module is prepared to help you achieve the required competency in "(Installing and Configuring Computer System)". This will be the source of information for you to acquire knowledge and skills in this particular competency independently and at your own pace, with minimum supervision or help from your trainer. Remember to:
• Work through all the information and complete the activities in each section.
• Read information sheets and complete the self-check. Suggested references are included to supplement the materials provided in this module.
• Most probably your trainer will also be your supervisor or manager. He/she is there to support you and show you the correct way to do things.
• You will be given plenty of opportunity to ask questions and practice on the job. Make sure you practice your new skills during regular work shifts. This way you will improve both your speed and memory and also your confidence.
• Use the Self-checks, Operation Sheets or Task Sheets at the end of each section to test your own progress.
• When you feel confident that you have had sufficient skill, ask your Trainer to evaluate you. The results of your assessment will be recorded in your Progress Chart and Accomplishment Chart.

You need to complete this module before you perform the module on (Diagnose and troubleshoot computer systems).
COMPUTER SYSTEM SERVICING NC II
COMPETENCY-BASED LEARNING MATERIALS
List of Competencies

| No. | Unit of Competency | Module Title | Code |
|---|---|---|---|
| 1 | Install and configure computer systems | Installing and configuring computer systems | ELC724331 |
| 2 | Set-up Computer Networks | Setting-up Computer Networks | ELC724332 |
| 3 | Set-up Computer Servers | Setting-up Computer Servers | ELC724333 |
| 4 | Maintain and Repair Computer Systems and Networks | Maintaining and Repairing Computer Systems and Network | ELC724334 |
MODULE CONTENT
UNIT OF COMPETENCY: Install and Configure Computer System
MODULE TITLE: Installing and Configuring Computer System
MODULE DESCRIPTOR: This unit covers the outcomes required in installing and configuring desktop and workstation computer systems. It consists of competencies to assemble computer hardware, install operating system and drivers for peripherals/devices, and install application software as well as to conduct testing and documentation.
NOMINAL DURATION: 40 hours
LEARNING OUTCOMES:
At the end of this module you MUST be able to:
LO1. Assemble computer hardware
LO2. Prepare installer
LO3. Install operating system and drivers for peripherals/devices
LO4. Install application software
LO5. Conduct testing and documentation
Learning Experiences
Learning Outcome 1 INSTALL NETWORK CABLES
Learning Activities / Special Instructions
If you have some problem with the content of the information sheet, don’t hesitate to approach your facilitator. You may also participate in the group discussion.
Read Information Sheet 1.1.1 to OH’s Policies Procedure
If you feel that you are now knowledgeable on the content of the information sheet, you can now answer the self-check provided in the module. Compare your answer to answer key 1.1.1. If you got 100% correct answers in this self-check, you can now move to the next information sheet. If not, review the information sheet and go over the self-check again.
Answer Self-assessment 1.1.1
If you have some problem with the content of the information sheet, don’t hesitate to approach your facilitator.
Read Information Sheet 1.1.2
If you feel that you are now knowledgeable on the content of the information sheet, you can now answer the self-check provided in the module. Compare your answer to answer key 1.1.2. If you got 100% correct answers in this self-check, you can now move to the next information sheet. If not, review the information sheet and go over the self-check again.
Answer self-check 1.1.2
If you have some problem with the content of the information sheet, don’t hesitate to approach your facilitator.
Read Information Sheet 1.1.3
If you feel that you are now knowledgeable on the content of the information sheet, you can now answer the self-check provided in the module. Compare your answer to answer key 1.1.3. If you got 80% correct answers in this self-check, you can now move to the next task sheet. If not, review the information sheet and go over the self-check again.
Answer self-check 1.1.3
If you have some problem with the content of the information sheet, don’t hesitate to approach your facilitator.
Read Information Sheet 1.1.4
If you feel that you are now knowledgeable on the content of the information sheet, you can now answer the self-check provided in the module. Compare your answer to answer key 1.1.4. If you got 100% correct answers in this self-check, you can now move to the next Learning Outcome. If not, review the information sheet and go over the self-check again.
Answer self-check 1.1.4
If you have some problem with the content of the information sheet, don’t hesitate to approach your facilitator.
Read Information Sheet 1.1.5
If you feel that you are now knowledgeable on the content of the information sheet, you can now answer the self-check provided in the module. Compare your answer to answer key 1.1.5. If you got 100% correct answers in this self-check, you can now move to the next Learning Outcome. If not, review the information sheet and go over the self-check again.
If you have some problem with the content of the information sheet, don’t hesitate to approach your facilitator. You may also participate in the group discussion.
Answer Self-check 1.1.5
Read Information Sheet 1.2.1
If you feel that you are now knowledgeable on the content of the information sheet, you can now answer the self-check provided in the module. Compare your answer to answer key 1.2.1. If you got 100% correct answers in this self-check, you can now move to the next Learning Outcome. If not, review the information sheet and go over the self-check again.
If you have some problem with the content of the information sheet, don’t hesitate to approach your facilitator. You may also participate in the group discussion.
Perform Task sheet 1.2.1
Read Information Sheet 1.2.2
If you feel that you are now knowledgeable on the content of the information sheet, you can now answer the self-check provided in the module. Compare your answer to answer key 1.2.2. If you got 100% correct answers in this self-check, you can now move to the next Learning Outcome. If not, review the information sheet and go over the self-check again.
If you have some problem with the content of the information sheet, don’t hesitate to approach your facilitator.
Answer Self-check 1.2.2
Read Information Sheet 1.3.1
If you feel that you are now knowledgeable on the content of the information sheet, you can now answer the self-check provided in the module. Compare your answer to answer key 1.3.1. If you got 100% correct answers in this self-check, you can now move to the next Learning Outcome. If not, review the information sheet and go over the self-check again.
Answer Self-check 1.3.1
If you have some problem with the content of the information sheet, don’t hesitate to approach your facilitator.
Read Information Sheet 1.3.2
If you feel that you are now knowledgeable on the content of the information sheet, you can now answer the self-check provided in the module. Compare your answer to answer key 1.3.2. If you got 100% correct answers in this self-check, you can now move to the next Learning Outcome. If not, review the information sheet and go over the self-check again.
Answer Self-check 1.3.2
If you have some problem with the content of the information sheet, don’t hesitate to approach your facilitator.
Read Information Sheet 1.4.1
If you feel that you are now knowledgeable on the content of the information sheet, you can now answer the self-check provided in the module. Compare your answer to answer key 1.4.1. If you got 100% correct answers in this self-check, you can now move to the next Learning Outcome. If not, review the information sheet and go over the self-check again.
Answer Self-check 1.4.1
If you have some problem with the content of the information sheet, don’t hesitate to approach your facilitator.
Read Information Sheet 1.4.2
If you feel that you are now knowledgeable on the content of the information sheet, you can now answer the self-check provided in the module. Compare your answer to answer key 1.4.2. If you got 100% correct answers in this self-check, you can now move to the next Learning Outcome. If not, review the information sheet and go over the self-check again.
Answer Self-check 1.4.2
If you have some problem with the content of the information sheet, don’t hesitate to approach your facilitator.
Read Information Sheet 1.5.1
If you feel that you are now knowledgeable on the content of the information sheet, you can now answer the self-check provided in the module. Compare your answer to answer key 1.5.1. If you got 100% correct answers in this self-check, you can now move to the next Learning Outcome. If not, review the information sheet and go over the self-check again.
Answer Self-check 1.5.1
If you have some problem with the content of the information sheet, don’t hesitate to approach your facilitator.
Read Information Sheet 1.5.2
If you feel that you are now knowledgeable on the content of the information sheet, you can now answer the self-check provided in the module. Compare your answer to answer key 1.5.2. If you got 100% correct answers in this self-check, you can now move to the next Learning Outcome. If not, review the information sheet and go over the self-check again.
Answer Self-check 1.5.2
Information Sheet 3.1.1
Introduction to Server

Learning Objectives:
After reading this INFORMATION SHEET, YOU MUST be able to:
1. What is Server
2. Types of Server
3. Size of Server

INTRODUCTION TO SERVER

A server is a system (software and suitable computer hardware) that responds to requests across a computer network to provide, or help to provide, a network service. Servers can be run on a dedicated computer, which is also often referred to as "the server", but many networked computers are capable of hosting servers. In many cases, a computer can provide several services and have several servers running.

The term server is used quite broadly in information technology. Despite the many server-branded products available (such as server versions of hardware, software or operating systems), in theory any computerized process that shares a resource to one or more client processes is a server. To illustrate this, take the common example of file sharing. While the existence of files on a machine does not classify it as a server, the mechanism which shares these files to clients by the operating system is the server.

Similarly, consider a web server application (such as the multiplatform "Apache HTTP Server"). This web server software can be run on any capable computer. For example, while a laptop or personal computer is not typically known as a server, they can in these situations fulfill the role of one, and hence be labeled as one. It is, in this case, the machine's role that places it in the category of server.

In the hardware sense, the word server typically designates computer models intended for hosting software applications under the heavy demand of a network environment. In this server configuration one or more machines, either a computer or a computer appliance, share information with each other with one acting as a host for the other.

SERVER HARDWARE

Hardware requirements for servers vary, depending on the server application. Absolute CPU speed is not quite as critical to a server as it is to a desktop machine. Servers' duties to provide service to many users over a network lead to different requirements such as fast network connections and high I/O throughput. Since servers are usually accessed over a network, they may run in headless mode without a monitor or input device. Processes that are not needed for the server's function are not used. Many servers do not have a graphical user interface (GUI) as it is unnecessary and consumes resources that could be allocated elsewhere. Similarly, audio and USB interfaces may be omitted.

WHAT SERVER PROVIDES
In the client/server programming model, a server is a program that awaits and fulfills requests from client programs in the same or other computers. A given application in a computer may function as a client with requests for services from other programs and also as a server of requests from other programs. Specific to the Web, a web server is the computer program (housed in a computer) that serves requested HTML pages or files. A Web client is the requesting program associated with the user. The Web Browser in your computer is a client that requests HTML files from Web servers.

TYPES OF SERVER
• Application server: a server dedicated to running certain software applications
• Catalog server: a central search point for information across a distributed network
• Communications server: carrier-grade computing platform for communications networks
• Compute server: a server intended for intensive (esp. scientific) computations
• Database server: provides database services to other computer programs or computers
• Fax server: provides fax services for clients
• File server: provides remote access to files
• Game server: a server that video game clients connect to in order to play online together
• Home server: a server for the home
• Mail server: handles transport of and access to email
• Mobile Server or Server on the Go: an Intel Xeon processor based server class laptop form factor computer
• Name server or DNS
• Print server: provides printer services
• Proxy server: acts as an intermediary for requests from clients seeking resources from other servers
• Sound server: provides multimedia broadcasting, streaming
• Stand-alone server: a server on a Windows network that neither belongs to nor governs a Windows domain
• Web server: a server that HTTP clients connect to in order to send commands and receive responses along with data contents
SERVER OPERATING SYSTEM

Server-oriented operating systems tend to have certain features that make them more suitable for the server environment, such as:
• GUI not available or optional
• Ability to reconfigure and update both hardware and software to some extent without restart
• Advanced backup facilities to permit regular and frequent online backups of critical data
• Transparent data transfer between different volumes or devices
• Flexible and advanced networking capabilities
• Automation capabilities such as daemons in UNIX and services in Windows
• Tight system security, with advanced user, resource, data, and memory protection

Server-oriented operating systems can, in many cases, interact with hardware sensors to detect conditions such as overheating, processor and disk failure, and consequently alert an operator or take remedial measures themselves.

DIFFERENT SIZE OF SERVER
• Rack server
• Tower server
• Miniature (home) servers
• Mini Rack server
• Blade server
• Mobile server

CONCLUSION

From the above basic study, a server is a system (software and suitable computer hardware) that responds to requests across a computer network to provide, or help to provide, a network service.
• It has provided a reduction in usage of paper records.
• Communication and security of data have been increased.
• Ease of reliability has been added by the server for users.
• Managing data is now much easier.

How to Install Windows Server 2008 Step by Step
Installing Windows Server 2008 is pretty straightforward and is very much like installing Windows Vista, but I thought I’d list the necessary steps here for additional information. For those of you who have never installed Vista before, the entire installation process is different than it used to be in previous Microsoft operating systems, and notably much easier to perform. Using Vista’s installation routine is a major benefit, especially for a server OS. Administrators can partition the system’s hard drives during setup. More importantly, they can install the necessary AHCI or RAID storage drivers from a CD/DVD or even a USB thumb drive. Thus, error-prone floppies can finally be sent to the garbage bin.

Note: Windows Server 2008 can also be installed as a Server Core installation, which is a cut-down version of Windows without the Windows Explorer GUI. Because you don’t have the Windows Explorer to provide the GUI interface that you are used to, you configure everything through the command line interface or remotely using a Microsoft Management Console (MMC). The Server Core can be used for dedicated machines with basic roles such as Domain controller/Active Directory Domain Services, DNS Server, DHCP Server, file server, print server, Windows Media Server, IIS 7 web server and Windows Server Virtualization virtual server. For Server Core installations please see my “Installing Windows Server 2008 Core” article.

To use Windows Server 2008 you need to meet the following hardware requirements:

| Component | Requirement |
|---|---|
| Processor | Minimum: 1GHz (x86 processor) or 1.4GHz (x64 processor). Recommended: 2GHz or faster. Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-based Systems. |
| Memory | Minimum: 512MB RAM. Recommended: 2GB RAM or greater. Maximum (32-bit systems): 4GB (Standard) or 64GB (Enterprise and Datacenter). Maximum (64-bit systems): 32GB (Standard) or 2TB (Enterprise, Datacenter and Itanium-based Systems). |
| Available Disk Space | Minimum: 10GB. Recommended: 40GB or greater. Note: Computers with more than 16GB of RAM will require more disk space for paging, hibernation, and dump files. |
| Drive | DVD-ROM drive |
| Display and Peripherals | Super VGA (800 x 600) or higher-resolution monitor. Keyboard. Microsoft Mouse or compatible pointing device. |
Upgrade notes:

I will not discuss the upgrade process in this article, but for your general knowledge, the upgrade paths available for Windows Server 2008 are shown in the table below:

| If you are currently running: | You can upgrade to: |
|---|---|
| Windows Server 2003 Standard Edition (R2, Service Pack 1 or Service Pack 2) | Full Installation of Windows Server 2008 Standard Edition; Full Installation of Windows Server 2008 Enterprise Edition |
| Windows Server 2003 Enterprise Edition (R2, Service Pack 1 or Service Pack 2) | Full Installation of Windows Server 2008 Enterprise Edition |
| Windows Server 2003 Datacenter Edition (R2, Service Pack 1 or Service Pack 2) | Full Installation of Windows Server 2008 Datacenter Edition |
Follow this procedure to install Windows Server 2008:

1. Insert the appropriate Windows Server 2008 installation media into your DVD drive. If you don’t have an installation DVD for Windows Server 2008, you can download one for free from Microsoft’s Windows 2008 Server Trial website.
2. Reboot the computer.
3. When prompted for an installation language and other regional options, make your selection and press Next.
4. Next, press Install Now to begin the installation process.
5. Product activation is now also identical with that found in Windows Vista. Enter your Product ID in the next window, and if you want to automatically activate Windows the moment the installation finishes, click Next.
If you do not have the Product ID available right now, you can leave the box empty, and click Next. You will need to provide the Product ID later, after the server installation is over. Press No.
6. Because you did not provide the correct ID, the installation process cannot determine what kind of Windows Server 2008 license you own, and therefore you will be prompted to select your correct version in the next screen, assuming you are telling the truth and will provide the correct ID to prove your selection later on.
7. If you did provide the right Product ID, select the Full version of the right Windows version when you’re prompted, and click Next.
8. Read and accept the license terms by clicking to select the checkbox and pressing Next.
9. In the “Which type of installation do you want?” window, click the only available option – Custom (Advanced).
10. In the “Where do you want to install Windows?”, if you’re installing the server on a regular IDE hard disk, click to select the first disk, usually Disk 0, and click Next.
If you’re installing on a hard disk that’s connected to a SCSI controller, click Load Driver and insert the media provided by the controller’s manufacturer. If you’re installing in a Virtual Machine environment, make sure you read the “Installing the Virtual SCSI Controller Driver for Virtual Server 2005 on Windows Server 2008”
If you must, you can also click Drive Options and manually create a partition on the destination hard disk.
11. The installation now begins, and you can go and have lunch. Copying the setup files from the DVD to the hard drive only takes about one minute. However, extracting and uncompressing the files takes a good deal longer. After 20 minutes, the operating system is installed. The exact time it takes to install server core depends upon your hardware specifications. Faster disks will perform much faster installs… Windows Server 2008 takes up approximately 10 GB of hard drive space.
The installation process will reboot your computer, so, if in step #10 you inserted a floppy disk (either real or virtual), make sure you remove it before going to lunch, as you’ll find the server hung without the ability to boot (you can bypass this by configuring the server to boot from a CD/DVD and then from the hard disk in the booting order on the server’s BIOS).
12. When the server reboots, you’ll be prompted with the new Windows Server 2008 type of login screen. Press CTRL+ALT+DEL to log in.
13. Click on Other User.
14. The default Administrator password is blank, so just type Administrator and press Enter.
15. You will be prompted to change the user’s password. You have no choice but to press Ok.
16. In the password changing dialog box, leave the default password blank (duh, read step #15…), and enter a new, complex, at-least-7-characters-long new password twice. A password like “topsecret” is not valid (it’s not complex), but one like “T0pSecreT!” sure is.
Make sure you remember it.
17. Someone thought it would be cool to nag you once more, so now you’ll be prompted to accept the fact that the password had been changed. Press Ok.
18. Finally, the desktop appears and that’s it, you’re logged on and can begin working. You will be greeted by an assistant for the initial server configuration, and after performing some initial configuration tasks, you will be able to start working. Next, for the initial configuration tasks please follow my other Windows Server 2008 articles found on the Related Windows Server 2008 Articles section below.
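The rule that rejects “topsecret” and accepts “T0pSecreT!” in step 16, as an added example (not part of the original guide): a Python check modelled on the documented Windows "Password must meet complexity requirements" policy, with the 7-character minimum the guide states. The function names and the sample accounts are hypothetical.

```python
import re

MIN_LENGTH = 7  # minimum length quoted in step 16 of the guide

# Special characters counted by the Windows complexity rule.
SPECIAL = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

# Delimiters Windows uses to split a display name into tokens.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def character_categories(password):
    """Return the set of complexity categories that appear in the password."""
    found = set()
    for ch in password:
        if ch in "0123456789":
            found.add("digit")
        elif ch.isupper():
            found.add("uppercase")
        elif ch.islower():
            found.add("lowercase")
        elif ch.isalpha():
            # Alphabetic characters with no case (for example CJK letters).
            found.add("other letter")
        elif ch in SPECIAL:
            found.add("symbol")
    return found


def check_password(password, account_name="", display_name=""):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    categories = character_categories(password)
    if len(categories) < 3:
        problems.append(
            "uses %d of 5 character categories, 3 required" % len(categories)
        )

    lowered = password.lower()
    # The account name is compared as a whole, and only if it has 3+ characters.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append("contains the account name")
    # The display name is split on delimiters; tokens under 3 characters are ignored.
    for token in NAME_DELIMITERS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            problems.append("contains display-name token %r" % token)
    return problems


if __name__ == "__main__":
    # Constructed samples; the first two are the passwords quoted in step 16.
    samples = [
        ("topsecret", "Administrator", ""),
        ("T0pSecreT!", "Administrator", ""),
        ("Administrator1!", "Administrator", ""),
        ("Morgan#2017x", "pmorgan", "Pat Lee-Morgan"),
        ("Summer2017", "Administrator", ""),
    ]
    for pw, account, display in samples:
        problems = check_password(pw, account, display)
        print("%-16s %s" % (pw, "OK" if not problems else "; ".join(problems)))
```

The last sample passes, which shows the limit of the rule: it checks character classes and name reuse, not how guessable the password is.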
How to Install Active Directory On Windows Server 2008 R2
Active Directory is essential to any Microsoft network built on the client-server network model – it allows you to have a central server called a Domain Controller (DC) that does authentication for your entire network. Instead of people logging on to the local machines they authenticate against your DC. Let’s take a look at how to install Microsoft’s Active Directory.

Installation
Open Server Manager and click on roles, this will bring up the Roles Summary on the right hand side where you can click on the Add Roles link.
This will bring up the Add Roles Wizard where you can click on next to see a list of available Roles. Select Active Directory Domain Services from the list, you will be told that you need to add some features, click on the Add Required Features button and click next to move on.
A brief introduction to Active Directory will be displayed as well as a few links to additional resources, you can just click next to skip past here and click install to start installing the binaries for Active Directory.
When the installation is finished you will be shown a success message, just click close.
Configuration
Open up Server Manager, expand Roles and click on Active Directory Domain Services. On the right hand side click on the Run the Active Directory Domain Services Installation Wizard (dcpromo.exe) link.
This will kick off another wizard, this time to configure the settings for your domain, click next to continue.
The message that is shown now relates to older clients that do not support the new cryptographic algorithms supported by Server 2008 R2, these are used by default in Server 2008 R2, click next to move on.
Choose to create a new domain in a new forest.
Now you can name your domain. We will be using a .local domain; the reason why will be explained in an upcoming article.
Since this is the first DC in our domain we can change our forest functional level to Server 2008 R2.
We want to include DNS in our installation as this will allow us to have an AD Integrated DNS Zone, when you click next you will be prompted with a message just click yes to continue.
You will need to choose a place to store log files, it is a best practice to store the database and SYSVOL folder on one drive and the log files on a separate drive, but since this is in a lab environment I will just leave them all on the same drive.
Choose a STRONG Active Directory Restore Mode Password and click next twice to kick off the configuration.
You will be able to see what components are being installed by looking in the following box.
When it's done you will be notified and required to reboot your PC.
That’s all there is to it, guys. Now you have a working installation of Active Directory.
As many of you are probably aware, the Domain Name System (DNS) is now the name resolution system of choice in Windows. Without it, computers would have a very tough time communicating with each other. However, most Windows administrators still rely on the Windows Internet Name Service (WINS) for name resolution on local area networks and some have little or no experience with DNS. If you fall into this category, read on. We'll explain how to install, configure, and troubleshoot a Windows Server 2008 DNS server. This blog post is also available in PDF form as a TechRepublic Download and as a TechRepublic Photo Gallery.
Installation
You can install a DNS server from the Control Panel or when promoting a member server to a domain controller (DC) (Figure A). During the promotion, if a DNS server is not found, you will have the option of installing it.
Figure A: Domain controller
To install a DNS server from the Control Panel, follow these steps:
1. From the Start menu, select Control Panel | Administrative Tools | Server Manager.
2. Expand and click Roles (Figure B).
3. Choose Add Roles and follow the wizard by selecting the DNS role (Figure C).
4. Click Install to install DNS in Windows Server 2008 (Figure D).
Figure B: Expand and click Roles
Figure C: DNS role
Figure D: Install DNS
DNS console and configuration
After installing DNS, you can find the DNS console from Start | All Programs | Administrative Tools | DNS. Windows 2008 provides a wizard to help configure DNS. When configuring your DNS server, you must be familiar with the following concepts:
- Forward lookup zone
- Reverse lookup zone
- Zone types
A forward lookup zone is simply a way to resolve host names to IP addresses. A reverse lookup zone allows a DNS server to discover the DNS name of the host. Basically, it is the exact opposite of a forward lookup zone. A reverse lookup zone is not required, but it is easy to configure and will allow for your Windows Server 2008 Server to have full DNS functionality.
When selecting a DNS zone type, you have the following options: Active Directory (AD) Integrated, Standard Primary, and Standard Secondary. AD Integrated stores the database information in AD and allows for secure updates to the database file. This option will appear only if AD is configured. If it is configured and you select this option, AD will store and replicate your zone files. A Standard Primary zone stores the database in a text file. This text file can be shared with other DNS servers that store their information in a text file. Finally, a Standard Secondary zone simply creates a copy of the existing database from another DNS server. This is primarily used for load balancing.
To open the DNS server configuration tool:
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Highlight your computer name and choose Action | Configure a DNS Server... to launch the Configure DNS Server Wizard.
3. Click Next and choose to configure the following: forward lookup zone, forward and reverse lookup zone, root hints only (Figure E).
4. Click Next and then click Yes to create a forward lookup zone (Figure F).
5. Select the appropriate radio button to install the desired Zone Type (Figure G).
6. Click Next and type the name of the zone you are creating.
7. Click Next and then click Yes to create a reverse lookup zone.
8. Repeat Step 5.
9. Choose whether you want an IPv4 or IPv6 Reverse Lookup Zone (Figure H).
10. Click Next and enter the information to identify the reverse lookup zone (Figure I).
11. You can choose to create a new file or use an existing DNS file (Figure J).
12. On the Dynamic Update window, specify how DNS accepts secure, nonsecure, or no dynamic updates.
13. If you need to apply a DNS forwarder, you can apply it on the Forwarders window (Figure K).
14. Click Finish (Figure L).
Figure E: Configure
Figure F: Forward lookup zone
Figure G: Desired zone
Figure H: IPv4 or IPv6
Figure I: Reverse lookup zone
Figure J: Choose new or existing DNS file
Figure K: Forwarders window
Figure L: Finish
Managing DNS records
You have now installed and configured your first DNS server, and you're ready to add records to the zone(s) you created. There are various types of DNS records available. Many of them you will never use. We'll be looking at these commonly used DNS records:
- Start of Authority (SOA)
- Name Servers
- Host (A)
- Pointer (PTR)
- Canonical Name (CNAME) or Alias
- Mail Exchange (MX)
Start of Authority (SOA) record
The Start of Authority (SOA) resource record is always first in any standard zone. The Start of Authority (SOA) tab allows you to make any adjustments necessary. You can change the primary server that holds the SOA record, and you can change the person responsible for managing the SOA. Finally, one of the most important features of Windows 2000 is that you can change your DNS server configuration without deleting your zones and having to re-create the wheel (Figure M).
Figure M: Change configuration
Name Servers
Name Servers specify all name servers for a particular domain. You set up all primary and secondary name servers through this record. To create a Name Server, follow these steps:
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Expand the Forward Lookup Zone.
3. Right-click on the appropriate domain and choose Properties (Figure N).
4. Select the Name Servers tab and click Add.
5. Enter the appropriate FQDN Server name and IP address of the DNS server you want to add.
Figure N: Name Server
Host (A) records
A Host (A) record maps a host name to an IP address. These records help you easily identify another server in a forward lookup zone. Host records improve query performance in multiple-zone environments, and you can also create a Pointer (PTR) record at the same time. A PTR record resolves an IP address to a host name. To create a Host record:
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Expand the Forward Lookup Zone and click on the folder representing your domain.
3. From the Action menu, select New Host.
4. Enter the Name and IP Address of the host you are creating (Figure O).
5. Select the Create Associated Pointer (PTR) Record check box if you want to create the PTR record at the same time. Otherwise, you can create it later.
6. Click the Add Host button.
Figure O: A Host (A) record
Pointer (PTR) records
A Pointer (PTR) record creates the appropriate entry in the reverse lookup zone for reverse queries. As you saw in Figure H, you have the option of creating a PTR record when creating a Host record. If you did not choose to create your PTR record at that time, you can do it at any point. To create a PTR record:
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Choose the reverse lookup zone where you want your PTR record created.
3. From the Action menu, select New Pointer (Figure P).
4. Enter the Host IP Number and Host Name.
5. Click OK.
Figure P: New Pointer
Canonical Name (CNAME) or Alias records
A Canonical Name (CNAME) or Alias record allows a DNS server to have multiple names for a single host. For example, an Alias record can have several records that point to a single server in your environment. This is a common approach if you have both your Web server and your mail server running on the same machine. To create a DNS Alias:
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Expand the Forward Lookup Zone and highlight the folder representing your domain.
3. From the Action menu, select New Alias.
4. Enter your Alias Name (Figure Q).
5. Enter the fully qualified domain name (FQDN).
6. Click OK.
Figure Q: Alias Name
Mail Exchange (MX) records
Mail Exchange records help you identify mail servers within a zone in your DNS database. With this feature, you can prioritize which mail servers will receive the highest priority. Creating MX records will help you keep track of the location of all of your mail servers. To create a Mail Exchange (MX) record:
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Expand the Forward Lookup Zone and highlight the folder representing your domain.
3. From the Action menu, select New Mail Exchanger.
4. Enter the Host Or Domain (Figure R).
5. Enter the Mail Server and Mail Server Priority.
6. Click OK.
Figure R: Host or Domain
Other new records
You can create many other types of records. For a complete description, choose Action | Other New Records from the DNS console (Figure S). Select the record of your choice and view the description.
Figure S: Create records from the DNS console
Troubleshooting DNS servers
When troubleshooting DNS servers, the nslookup utility will become your best friend. This utility is easy to use and very versatile. It's a command-line utility that is included within Windows 2008. With nslookup, you can perform query testing of your DNS servers. This information is useful in troubleshooting name resolution problems and debugging other server-related problems. You can access nslookup (Figure T) right from the DNS console.
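The zone and record steps above can also be carried out and checked from the command line with dnscmd and nslookup. This is an added example, not part of the original article; the zone lab.local, the 192.168.10.0/24 subnet and the host srv01 are constructed values, and it assumes an elevated PowerShell session on an AD-integrated DNS server.

```powershell
# Added example. Constructed values: replace with your own zone, subnet and host.
$Zone        = 'lab.local'
$ReverseZone = '10.168.192.in-addr.arpa'     # reverse zone for 192.168.10.0/24
$HostName    = 'srv01'
$HostIp      = '192.168.10.20'
$Fqdn        = '{0}.{1}' -f $HostName, $Zone
$PtrNode     = $HostIp.Split('.')[-1]        # last octet names the PTR node

# Wizard steps 4-10: AD-integrated forward and reverse lookup zones.
dnscmd /ZoneAdd $Zone /DsPrimary
dnscmd /ZoneAdd $ReverseZone /DsPrimary

# Wizard step 12 (Dynamic Update): 0 = none, 1 = nonsecure and secure, 2 = secure only.
# Secure only is available because the zones are stored in AD; it limits
# record registration and changes to authenticated domain members.
dnscmd /Config $Zone /AllowUpdate 2
dnscmd /Config $ReverseZone /AllowUpdate 2

# Host (A), Pointer (PTR), Alias (CNAME) and Mail Exchange (MX) records.
dnscmd /RecordAdd $Zone $HostName A $HostIp
dnscmd /RecordAdd $ReverseZone $PtrNode PTR $Fqdn
dnscmd /RecordAdd $Zone www CNAME $Fqdn
dnscmd /RecordAdd $Zone '@' MX 10 $Fqdn

# Checks: confirm the update policy, then query the local server for each record.
dnscmd /ZoneInfo $Zone AllowUpdate
nslookup $Fqdn 127.0.0.1            # forward lookup (A)
nslookup $HostIp 127.0.0.1          # reverse lookup (PTR)
nslookup "www.$Zone" 127.0.0.1      # alias (CNAME)
nslookup -type=MX $Zone 127.0.0.1   # mail exchanger (MX)
```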
Information Sheet 3.1.2
Creating of User and Share Folder
Learning Objectives:
After reading this INFORMATION SHEET, YOU MUST be able to:
1. Create a user
2. Share a folder with permissions
How to Create a New User in Server 2008
One of the first things to do in a new network is to create Users, also called User Objects. As long as you know the information about the user you need to create, the process will take no time at all. This is a task we want to do from a Domain Controller, and you should have the Administrative Tools in your Start menu next to the Control Panel link. We’ll choose the Active Directory Users and Computers snap-in.
Once we’re inside the Active Directory Users and Computers snap-in, we’ll need to expand the domain in which we want to create the user, and right-click on the Users folder. We’ll then select New | User.
The New Object – User box will pop up and require you to put in the user’s name and create the user logon. You’ll need to use a standard method of creating user logon names, as this will cause much less confusion in the future. If you have a small network, you may want to just stick to using the first initial and last name because it’s shorter. If you anticipate that your network will grow quite large, the standard advice is to use the full first and last name separated by a period, as we’ve done below.
Next we’ll give the user an initial password, and make sure to have them change it as soon as they first log on.
When we’re finished, we’ll get a nice summary of our work.
When we go back to the Users folder in the domain, we can see our newly created user.
Once we’ve created a user, there are many things that we’ll need to do with them in order for them to be useful, like adding permissions and security groups, but at least the operation for spawning them is simple and straightforward.
Create User folders in Windows Server 2008 R2 and add them to Active Directory
Share Permissions:
This walkthrough takes for granted that this server is a part of an Active Directory environment.
i. Create a folder named Users (this can be anywhere on the server, but I will put it in D:\).
ii. Right-click on this folder and select Properties.
iii. Select the Sharing tab.
iv. Click Advanced Sharing.
v. Check “Share this folder”.
vi. Add a $ sign to the end of the Share name so it says Users$. (This makes this share invisible when browsing the network.)
vii. Click on the Permissions button.
viii. Remove the Everyone group.
ix. Click Add, and add the following groups: Administrators, System, Authenticated Users.
x. For each group (there should be three) give them full permissions (select allow under full control).
xi. Click OK.
NTFS Permissions:
i. Select the tab Security.
ii. Select Advanced button.
iii. Select change permissions.
iv. Uncheck “Include inheritable permissions from this object’s parent”.
v. Click on Add when the warning prompt pops up.
vi. Select Users and hit remove (do this for both if you have two fields with user permissions).
vii. Select Add and add the Authenticated Users group.
viii. At Apply To: Select: This folder only.
ix. For the permissions select allow for: Traverse folder / execute file, List folder / read data, Read attributes, Read extended attributes, Read permissions.
x. Click OK, Click OK, and Click OK again.
xi. Now your Security tab should look like the image below.
Share and Storage Management:
1. Go to Start > Administrative Tools > Share and Storage Management.
2. Select the share you just created: Users$.
3. Right click and select Properties.
4. Click on the Advanced button.
5. Check the check box Enable access-based enumeration.
6. Click OK.
7. Close out the Share and Storage Management console.
Active Directory: On Your Domain Controller.
1. Go to Start > Administrative Tools > Active Directory Users and Computers.
2. Navigate to the User you want to add the User folder to.
3. Right click and select Properties on the user.
4. Select the Profile tab.
5. Under the section Home folder: Select the Connect radio button.
6. Select the letter U:\
7. In the To: text area type: \\YOURSERVER\Users$\%username% (if your server with the share’s name is joe it would be \\JOE\Users$\%username%)
8. Click OK.
9. Close Active Directory Users and Computers.
If you now browse to the Users$ share folder on the server you created it on, you will notice a folder in it with the user's username as the folder name. If you check the permissions for the folder, the right permissions have automatically been applied. This technique will definitely save you lots of time compared with doing it via old net use scripts. Congratulations, you have successfully added a user folder share and added it to a user. Please note that this can be done for multiple users at once: select all the users in Active Directory and add the user share to them.
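The share and NTFS steps above can be scripted and then checked, which is useful when the same home-folder root is built on more than one server. This is an added example, not part of the original module; it assumes an elevated PowerShell session on the file server, the D:\Users path and Users$ share name from the walkthrough, and an English-language system for the group names. Test-HomeFolderRoot is a hypothetical helper name.

```powershell
# Added example (not from the original module). Run elevated on the file server.
$Path  = 'D:\Users'   # folder from step i
$Share = 'Users$'     # the trailing $ only hides the share from browse lists;
                      # access is still decided by the permissions set below

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share permissions: no Everyone entry, Full Control for the three groups.
net share ('{0}={1}' -f $Share, $Path) `
    '/GRANT:Administrators,FULL' '/GRANT:SYSTEM,FULL' '/GRANT:Authenticated Users,FULL'

# NTFS permissions on the root folder.
icacls $Path /inheritance:d                     # stop inheriting, keep copies of the entries
icacls $Path /remove:g 'BUILTIN\Users'          # remove both Users entries
icacls $Path /grant 'Authenticated Users:(RX)'  # no (OI)/(CI) flags = "This folder only"
# (RX) covers traverse/execute, list/read data, read attributes,
# read extended attributes and read permissions.

# Access-based enumeration is left to the Share and Storage Management steps.

function Test-HomeFolderRoot {
    # Hypothetical helper: returns a list of findings, empty when the
    # share and folder match the walkthrough.
    param([string]$Path, [string]$Share)
    $findings = @()

    # Share-level DACL, read through WMI. S-1-1-0 is the Everyone group.
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
                         -Filter ("Name='{0}'" -f $Share)
    if (-not $sec) {
        $findings += 'Share not found'
    } else {
        foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
            if ($ace.Trustee.SIDString -eq 'S-1-1-0') {
                $findings += 'Share still grants access to Everyone'
            }
        }
    }

    # NTFS DACL, with identities returned as SIDs so the check does not
    # depend on localized group names.
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Folder still inherits permissions from its parent'
    }
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $readOnly = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'
    $noFlags  = [System.Security.AccessControl.InheritanceFlags]::None
    $seenAuthUsers = $false
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        switch ($rule.IdentityReference.Value) {
            'S-1-5-32-545' { $findings += 'BUILTIN\Users still has an entry' }
            'S-1-1-0'      { $findings += 'Everyone has an entry on the folder' }
            'S-1-5-11' {   # Authenticated Users
                $seenAuthUsers = $true
                if ($rule.InheritanceFlags -ne $noFlags) {
                    $findings += 'Authenticated Users entry applies below this folder'
                }
                if (([int]$rule.FileSystemRights -band (-bnot $readOnly)) -ne 0) {
                    $findings += 'Authenticated Users has more than read and traverse rights'
                }
            }
        }
    }
    if (-not $seenAuthUsers) { $findings += 'Authenticated Users has no entry' }
    $findings
}

Test-HomeFolderRoot -Path $Path -Share $Share
```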
Information Sheet 3.1.3
Creating of GPO and Managing GPO
Learning Objectives:
After reading this INFORMATION SHEET, YOU MUST be able to:
1. Add and edit a Group Policy object
2. Manage a Group Policy object
Creating and editing a Group Policy object
- Create a Group Policy object
- Edit a Group Policy object
Note
You can also create a GPO from a Starter GPO. For more information, see Create a New GPO from a Starter GPO.
To create a Group Policy object
1. In the GPMC console tree, right-click Group Policy Objects in the forest and domain in which you want to create a GPO.
2. Click New.
3. In the New GPO dialog box, specify a name for the new GPO, and then click OK.
To edit a Group Policy object
1. In the GPMC console tree, double-click Group Policy Objects in the forest and domain containing the GPO that you want to edit.
2. Right-click the GPO, and then click Edit.
3. In the console tree, edit the settings as appropriate.
Important
The Default Domain Policy GPO and Default Domain Controllers Policy GPO are vital to the health of any domain. As a best practice, you should not edit the Default Domain Controllers Policy GPO or the Default Domain Policy GPO, except in the following cases:
- Account policy settings are required to be configured in the Default Domain GPO.
- If you install applications on domain controllers requiring modifications to User Rights or Audit policy settings, you must modify the policy settings in the Default Domain Controllers Policy GPO.
Additional considerations
- When you create a GPO, it will not have an effect until it is linked to a site, domain, or organizational unit (OU).
- By default only domain administrators, enterprise administrators, and members of the Group Policy creator owners group can create and edit GPOs.
- To edit IPSec policy settings from within a GPO, you must be a member of the domain administrators group.
- You can also edit a GPO by right-clicking the name of the GPO in any container in which it is linked, and then clicking Edit.
Group Policy for Beginners
If you are an IT pro who has never used Group Policy to control computer configurations, this white paper is for you. Group Policy is the essential way that most organizations enforce settings on their computers. It is flexible enough for even the most complex scenarios; however, the essential features are easy to use in simple scenarios, which are more common. This white paper is an introduction to Group Policy. It first provides an overview of what you can do with Group Policy, and then it describes essential concepts that you must know. For example, what is a Group Policy object (GPO)? What does inheritance mean? With the fundamentals out of the way, this white paper provides step-by-step instructions, with plenty of screenshots, for the most common Group Policy tasks.
Note
This guide is for Group Policy novices. As much as possible, it uses plain English to describe Group Policy concepts in simple ways. Group Policy pros should see Group Policy Planning and Deployment Guide on TechNet for more technically detailed information. For a downloadable version of this document, see Group Policy for Beginners in the Microsoft Download Center.
Overview of Group Policy
Group Policy is simply the easiest way to reach out and configure computer and user settings on networks based on Active Directory Domain Services (AD DS). If your business is not using Group Policy, you are missing a huge opportunity to reduce costs, control configurations, keep users productive and happy, and harden security. Think of Group Policy as “touch once, configure many.” The requirements for using Group Policy and following the instructions that this white paper provides are straightforward:
- The network must be based on AD DS (that is, at least one server must have the AD DS role installed). To learn more about AD DS, see Active Directory Domain Services Overview on TechNet.
- Computers that you want to manage must be joined to the domain, and users that you want to manage must use domain credentials to log on to their computers.
- You must have permission to edit Group Policy in the domain.
Although this white paper focuses on using Group Policy in AD DS, you can also configure Group Policy settings locally on each computer. This capability is great for one-off scenarios or workgroup computers, but using local Group Policy is not recommended for business networks based on AD DS. The reason is simple: Domain-based Group Policy centralizes management, so you can touch many computers from one place. Local Group Policy requires that you touch each computer—not an ideal scenario in a large environment. For more information about configuring local Group Policy, see Local Group Policy Editor on TechNet.
Windows 7 enforces the policy settings that you define by using Group Policy. In most cases, it disables the user interface for those settings. Additionally, because Windows 7 stores Group Policy settings in secure locations in the registry, standard user accounts cannot change those settings. So, by touching a setting one time, you can configure and enforce that setting on many computers. When a setting no longer applies to a computer or user, Group Policy removes the policy setting, restoring the original setting and enabling its user interface. The functionality is all quite amazing and extremely powerful.
Note
Standard user accounts are user accounts that are members of the local Users group and not the local Administrators group. They have a restricted ability to configure system settings. Windows 7 better supports standard user accounts than earlier Windows versions, allowing these accounts to change the time zone, install printers, repair network connections, and so on. Deploying standard user accounts is a best practice, and you do so by simply not adding user accounts to the local Administrators group. Windows 7 automatically adds the Domain Users group to the local Users group when you join the computer to the domain.
Essential Group Policy Concepts
You can manage all aspects of Group Policy by using the Group Policy Management Console (GPMC). Figure 1 shows the GPMC, and this white paper will refer to this figure many times as you learn about important Group Policy concepts.
Figure 1. Group Policy Management Console
You start the GPMC from the Start menu: Click Start, All Programs, Administrative Tools, Group Policy Management. You can also click Start, type Group Policy Management, and then click Group Policy Management in the Programs section of the Start menu. Windows Server 2008 and Windows Server 2008 R2 include the GPMC when they are running the AD DS role. Otherwise, you can install the GPMC on Windows Server 2008, Windows Server 2008 R2, or Windows 7 as described in the section “Installing the GPMC in Windows 7,” later in this white paper.
Group Policy objects
GPOs contain policy settings. You can think of GPOs as policy documents that apply their settings to the computers and users within their control. If GPOs are policy documents, then the GPMC is like Windows Explorer. You use the GPMC to create, move, and delete GPOs just as you use Windows Explorer to create, move, and delete files. In the GPMC, you see all the domain’s GPOs in the Group Policy objects folder. In Figure 1, the callout number 1 shows three GPOs for the corp.contoso.com domain. These GPOs are:
- Accounting Security. This is a custom GPO created specifically for Contoso, Ltd.
- Default Domain Controller Policy. Installing the AD DS server role creates this policy by default. It contains policy settings that apply specifically to domain controllers.
- Default Domain Policy. Installing the AD DS server role creates this policy by default. It contains policy settings that apply to all computers and users in the domain.
Group Policy Links
At the top level of AD DS are sites and domains. Simple implementations will have a single site and a single domain. Within a domain, you can create organizational units (OUs). OUs are like folders in Windows Explorer. Instead of containing files and subfolders, however, they can contain computers, users, and other objects. For example, in Figure 1 you see an OU named Departments. Below the Departments OU, you see four subfolders: Accounting, Engineering, Management, and Marketing. These are child OUs. Other than the Domain Controllers OU that you see in Figure 1, nothing else in the figure is an OU.
What does this have to do with Group Policy links? Well, GPOs in the Group Policy objects folder have no impact unless you link them to a site, domain, or OU. When you link a GPO to a container, Group Policy applies the GPO’s settings to the computers and users in that container. In Figure 1, the callout number 1 points to two GPOs linked to OUs:
- The first GPO is named Default Domain Policy, and this GPO is linked to the domain corp.contoso.com. This GPO applies to every computer and user in the domain.
- The second GPO is named Accounting Security, and this GPO is linked to the OU named Accounting. This GPO applies to every computer and user in the Accounting OU.
In the GPMC, you can create GPOs in the Group Policy objects folder and then link them—two steps. You can also create and link a GPO in one step. Most of the time, you will simply create and link a GPO in a single step, which the section “Creating a GPO,” later in this white paper, describes.
Group Policy Inheritance
As the previous section hinted, when you link a GPO to the domain, the GPO applies to the computers and users in every OU and child OU in the domain. Likewise, when you link a GPO to an OU, the GPO applies to the computers and users in every child OU. This concept is called inheritance. For example, if you create a GPO named Windows Firewall Settings and link it to the corp.contoso.com domain in Figure 1, the settings in that GPO apply to all of the OUs you see in the figure: Departments, Accounting, Engineering, Management, Marketing, and Domain Controllers. If instead you link the GPO to the Departments OU, the settings in the GPO apply only to the Departments, Accounting, Engineering, Management, and Marketing OUs. It does not apply to the entire domain or the Domain Controllers OU. Moving down one level, if you link the same GPO to the Accounting OU in Figure 1, the settings in the GPO apply only to the Accounting OU, as it has no child OUs. In the GPMC, you can see what GPOs a container is inheriting by clicking the Group Policy Inheritance tab (callout number 1 in Figure 2).
Figure 2. Group Policy inheritance and precedence
So, what happens if multiple GPOs contain the same setting? This is where order of precedence comes into play. In general, the order in which Group Policy applies GPOs determines precedence. The order is site, domain, OU, and child OUs. As a result, GPOs in child OUs have a higher precedence than GPOs linked to parent OUs, which have a higher precedence than GPOs linked to the domain, which have a higher precedence than GPOs linked to the site. An easy way to think of this is that Group Policy applies GPOs from the top down, overwriting settings along the way. In more advanced scenarios, however, you can override the order of precedence.
You can also have—within a single OU—multiple GPOs that contain the same setting. Like before, the order in which Group Policy applies GPOs determines the order of precedence. In Figure 2, you see two GPOs linked to the domain corp.contoso.com: Windows Firewall Settings and Default Domain Policy. Group Policy applies GPOs with a lower link order after applying GPOs with a higher link order. In this case, it will apply Windows Firewall Settings after Default Domain Policy. Just remember that a link order of 1 is first priority, and a link order of 2 is second priority. You can change the link order for a container by clicking the up and down arrows as shown by callout number 2 in Figure 2.
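The ordering rules above (site, domain, OU, child OU, and within one container the lower link order applied last) can be modelled in a few lines to see which GPO wins for a given setting. This is an added example, not part of the original white paper; the function name, the setting names and their values are constructed, the GPO and container names follow the figures, and the advanced overrides the text mentions are not modelled.

```powershell
# Added example: a small model of Group Policy application order.
# Setting names and values are constructed for illustration.
function Resolve-GpoSettings {
    param(
        [string[]]    $ContainerPath,  # site, domain, OU, child OU: outermost first
        [hashtable[]] $Links           # each link: Container, LinkOrder, Gpo, Settings
    )
    $applyOrder = @()
    $effective  = @{}
    foreach ($container in $ContainerPath) {
        # Within one container, a higher link order is applied first,
        # so the link with order 1 is applied last and wins.
        $here = @($Links | Where-Object { $_.Container -eq $container } |
                  Sort-Object -Property { $_.LinkOrder } -Descending)
        foreach ($link in $here) {
            $applyOrder += $link.Gpo
            foreach ($name in $link.Settings.Keys) {
                # A later GPO overwrites the value written by an earlier one.
                $effective[$name] = New-Object PSObject -Property @{
                    Value  = $link.Settings[$name]
                    Source = $link.Gpo
                }
            }
        }
    }
    New-Object PSObject -Property @{ ApplyOrder = $applyOrder; Effective = $effective }
}

# Constructed links: two GPOs on the domain (as in Figure 2) and one on the
# Accounting OU (as in Figure 1).
$links = @(
    @{ Container = 'corp.contoso.com'; LinkOrder = 1; Gpo = 'Windows Firewall Settings'
       Settings  = @{ FirewallState = 'On' } },
    @{ Container = 'corp.contoso.com'; LinkOrder = 2; Gpo = 'Default Domain Policy'
       Settings  = @{ FirewallState = 'Off'; ScreenLockSeconds = 900 } },
    @{ Container = 'Accounting'; LinkOrder = 1; Gpo = 'Accounting Security'
       Settings  = @{ ScreenLockSeconds = 300 } }
)

# Path for a computer in the Accounting OU. The site name is an assumed value
# with no GPO linked to it.
$containerPath = 'Default-First-Site-Name', 'corp.contoso.com', 'Departments', 'Accounting'

$result = Resolve-GpoSettings -ContainerPath $containerPath -Links $links
'Apply order: ' + ($result.ApplyOrder -join ' -> ')
foreach ($name in $result.Effective.Keys) {
    '{0} = {1} (from {2})' -f $name, $result.Effective[$name].Value, $result.Effective[$name].Source
}
```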
Note
As you are probably realizing by now, Group Policy is a remarkably versatile tool. However, Group Policy provides the opportunity to make things overly complicated. In simple environments, such as labs and small businesses, there is nothing wrong with linking all of your GPOs to the domain. Keep it simple. There should be a justification for complication. In Figure 1, if you wanted to create a GPO and link it only to the Engineering and Marketing OUs, the justification should be that the GPO contains settings that apply only to those two departments and should not be applied to any other department. If you cannot make this justification, then keep things simple by linking the GPO one time to the domain. Group Policy Settings To this point, you have learned about GPOs. You have learned that GPMC is to GPOs and OUs as Windows Explorer is to files and folders. GPOs are the policy documents. At some point, you are going to have to edit one of those documents, though, and the editor you use is the Group Policy Management Editor (GPME), which Figure 3 shows. You open a GPO in the GPME by right-clicking it in the GPMC and clicking Edit. Once you are finished, you simply close the window. The GPME saves your changes automatically, so you do not have to save.
Figure 3. Group Policy Management Editor
In Figure 3, callout numbers 1 and 2 point to Computer Configuration and User Configuration, respectively. The Computer Configuration folder contains settings that apply to computers, regardless of which users log on to them. These tend to be system and security settings that configure and control the computer. The User Configuration folder contains settings that apply to users, regardless of which computer they use. These tend to affect the user experience. Within the Computer Configuration and User Configuration folders, you see two subfolders (callout numbers 3 and 4 in Figure 3):
Policies. Policies contains policy settings that Group Policy enforces.
Preferences. Preferences contains preference settings that you can use to change almost any registry setting, file, folder, or other item. By using preference settings, you can configure applications and Windows features that are not Group Policy–aware. For example, you can create a preference setting that configures a registry value for a third-party application, deletes the Sample Pictures folder from user profiles, or configures an .ini file. You can also choose whether Group Policy enforces each preference setting or not. However, standard user accounts can change most preference settings that you define in the User Configuration folder between Group Policy refreshes. You can learn more about preference settings by reading the Group Policy Preferences Overview.
When you are first learning Group Policy, most of the settings that you will configure will be in the Administrative Templates folders. These are registry-based policy settings that Group Policy enforces. They are different from other policy settings for two reasons. First, Group Policy stores these settings in specific registry locations, called the Policies branches, which standard user accounts cannot change. Group Policy–aware Windows features and applications look for these settings in the registry. If they find these policy settings, they use the policy settings instead of the regular settings. They often disable the user interface for those settings as well. Second, administrative template files, which have the .admx extension, define templates for these settings. These templates not only define where policy settings go in the registry but also describe how to prompt for them in the GPME. In the Group Policy setting that Figure 4 shows, for example, an administrative template file defines help text, available options, supported operating systems, and so on.
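To see which registry-based policy settings have actually reached a computer, you can read the Policies branches directly. The following PowerShell is an added example, not part of the original module: it lists every value stored under the four standard Policies branches (the module does not name them; the paths below are the standard Windows locations) and labels each as a Computer or User setting.

```powershell
# The standard Policies branches: two under HKLM (Computer Configuration)
# and two under HKCU (User Configuration).
$PolicyBranches = @(
    'HKLM:\SOFTWARE\Policies'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
    'HKCU:\SOFTWARE\Policies'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-PolicyBranchValue {
    param([string[]] $Branch = $PolicyBranches)

    foreach ($root in $Branch) {
        # A branch that does not exist simply has no policy settings written to it.
        if (-not (Test-Path -Path $root)) { continue }

        $scope = if ($root -like 'HKLM:*') { 'Computer' } else { 'User' }

        # The branch key itself plus every subkey below it.
        $keys = @(Get-Item -Path $root) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                [pscustomobject]@{
                    Scope = $scope
                    Key   = $key.Name
                    Name  = $valueName
                    Kind  = $key.GetValueKind($valueName)
                    Data  = $key.GetValue($valueName)
                }
            }
        }
    }
}

Get-PolicyBranchValue | Sort-Object Scope, Key, Name | Format-Table -AutoSize -Wrap
```

Run it before and after a Group Policy refresh to confirm that a setting you edited in the GPME was written to the registry of the test computer.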
Figure 4. Group Policy setting
When you edit a policy setting, you are usually confronted with the choices that callout numbers 1 to 3 indicate in Figure 4. In general, clicking:
Enabled writes the policy setting to the registry with a value that enables it.
Disabled writes the policy setting to the registry with a value that disables it.
Not Configured leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users.
Generalizing what enabled and disabled mean for every policy setting is not possible. You can usually read the help text, shown in callout number 5, to determine exactly what these choices mean. You must also be careful to read the name of the policy setting. For example, some policy settings say, “Turn on feature X,” whereas other policy settings say, “Turn off feature Y.” Enabled and disabled have different meanings in each case. Until you are comfortable, make sure you read the help text for policy settings you configure.
Some policy settings have additional options that you can configure. Callout number 4 in Figure 4 shows the options that are available for the Group Policy refresh interval policy setting. In most cases, the default values match the default values for Windows. As well, the help text usually gives detailed information about the options you can configure.
Group Policy Refresh
As you learned in the previous section, GPOs contain both computer and user settings. Group Policy applies:
Computer settings when Windows starts.
User settings after the user logs on to the computer.
Group Policy also refreshes GPOs on a regular basis, ensuring that Group Policy applies new and changed GPOs without waiting for the computer to restart or the user to log off. The period of time between these refreshes is called the Group Policy refresh interval, and the default is 90 minutes with a bit of randomness built in to prevent all computers from refreshing at the same time. If you change a GPO in the middle of the day, Group Policy will apply your changes within about 90 minutes. You don’t have to wait until the end of the day, when users have logged off of or restarted their computers. In advanced scenarios, you can change the default refresh interval.
Note
You can manually update Group Policy any time by using the command Gpupdate.exe. For example, after updating a GPO, you might want to refresh Group Policy on a computer in order to test your changes without waiting for the Group Policy refresh interval. For step-by-step instructions, see the section titled “Updating Clients” later in this white paper.
Essential Group Policy Tasks
You have now learned the essential Group Policy concepts. You know that a GPO is like a document that contains policy settings. You manage GPOs by using the GPMC and you edit them by using the GPME. You also know that you link GPOs to AD DS sites, domains, and OUs to apply the GPOs’ settings to those containers. Domains, OUs, and child OUs inherit settings from their parents, but duplicate settings in GPOs linked to child OUs have precedence over the same settings in GPOs linked to parent OUs, which have precedence over GPOs linked to the domain, and so on. You also know that within a site, domain, or OU, the link order determines the order of precedence (the smaller the number, the higher the precedence). Last, you have an essential understanding of how to edit GPOs and what types of settings they contain.
Now that you know the essential concepts, you are ready to learn the essential tasks. This section describes how to create, edit, and delete GPOs. It describes many other tasks, as well. For each task, you’ll find an explanation of its purpose and step-by-step instructions with screenshots at each step.
Note
A feature of the Microsoft Desktop Optimization Pack (MDOP) called Advanced Group Policy Management (AGPM) extends Group Policy with new capabilities such as offline editing, version control, and role-based delegation. Any organization can benefit from using AGPM to manage Group Policy. For more information about AGPM, see Enhancing Group Policy through change management.
Creating a GPO
You create a GPO by using the GPMC. There are two ways to create a GPO:
Create and link a GPO in one step.
Create a GPO in the Group Policy objects folder, and then link it to the domain or OU.
The instructions in this section describe how to create and link a GPO in one step. You can start with a blank GPO, which the instructions describe, or you can use a starter GPO. Starter GPOs are an advanced topic that you can learn about in Working with Starter GPOs.
To create and link a GPO in the domain or an OU
1. In the GPMC, right-click the domain or OU in which you want to create and link a GPO, and click Create a GPO in this domain, and Link it here.
2. In the Name box on the New GPO dialog box, type a descriptive name for the GPO, and then click OK.
Editing a GPO
In the GPMC, you can open GPOs in the GPME to edit them within any container. To see all of your GPOs, regardless of where you link them, use the Group Policy objects folder to edit them.
To edit a GPO in the domain, an OU, or the Group Policy objects folder
1. In the left pane of the GPMC, click Group Policy objects to display all the domain’s GPOs in the right pane. Alternatively, you can click the domain or any OU to display that container’s GPOs in the right pane.
2. In the right pane of the GPMC, right-click the GPO that you want to edit, and click Edit to open the GPO in the GPME.
3. In the GPME, edit the Group Policy settings that you want to change, and close the GPME window when finished. You do not have to save your changes, because the GPME saves your changes automatically.
Linking a GPO
If you create and link GPOs in one step, you do not have to manually link GPOs to the domain or OUs. However, if you create a GPO in the Group Policy objects folder or unlink a GPO and want to restore it, you will need to manually link the GPO. The easy way to link a GPO is to simply drag the GPO from the Group Policy objects folder and drop it onto the domain or OU to which you want to link it.
To link a GPO to a domain or OU
1. In the GPMC, right-click the domain or OU to which you want to link the GPO, and then click Link an Existing GPO.
2. In the Select GPO dialog box, click the GPO that you want to link to the domain or OU, and then click OK.
Unlinking a GPO
You unlink a GPO when you no longer want to apply it to the domain or OU (or its child OUs). You can later restore the link, as the section titled “Linking a GPO” described. Unlinking a GPO from a domain or OU does not delete the GPO. It only deletes the link. After unlinking a GPO, you can still find it in the Group Policy objects folder in the GPMC.
To unlink a GPO from a domain or OU
1. In the GPMC, click the domain or OU containing the GPO that you want to unlink.
2. Right-click the GPO that you want to unlink from the domain or OU, and click Delete.
3. In the Group Policy Management dialog box, click OK.
Deleting a GPO
Deleting a GPO is not the same as unlinking a GPO from a domain or OU. You delete GPOs within the Group Policy objects folder. Doing so removes not only the links but also the GPO itself.
Note
Consider backing up the GPO before deleting it. The section titled “Backing Up GPOs” describes how to back up GPOs. The section titled “Restoring GPOs” describes how to restore them from a backup.
To delete a GPO from the Group Policy objects folder
1. In the GPMC, click the Group Policy objects folder.
2. In the right pane of the GPMC, right-click the GPO that you want to delete, and click Delete.
3. In the Group Policy Management dialog box, click Yes to confirm that you want to delete the GPO and its links.
4. In the Delete dialog box, confirm that the deletion was successful, and click OK.
Updating Clients
While editing, testing, or troubleshooting GPOs, you do not need to wait for the Group Policy refresh interval (90 minutes, by default). You can manually update Group Policy on any client computer by running Gpupdate.exe. Gpupdate.exe supports many command-line options, which you can learn about by typing gpupdate.exe /? in a Command Prompt window. In most cases, however, you can follow the instructions in this section to update Group Policy.
To manually update Group Policy by using Gpupdate.exe
1. Click Start, type cmd, and press Enter to open a Command Prompt window.
2. At the Command Prompt, type gpupdate and press Enter. Gpupdate.exe will update any changed settings. You can force Gpupdate.exe to update all settings, whether or not they have changed recently, by typing gpupdate /force and pressing Enter.
Backing Up GPOs
Backing up important files is an important practice, and GPOs are no exception. If you erroneously change or accidentally delete a GPO, you can quickly restore it from a backup. By using the GPMC, you can back up GPOs to any location.
To back up a GPO to a folder
1. In the GPMC, click the Group Policy objects folder.
2. Right-click the GPO that you want to back up, and click Back Up.
3. In the Location box of the Back Up Group Policy object dialog box, type the path of the folder to which you want to back up the GPO. You can also click Browse to choose a folder. Also, in the Description box, type a brief description of the GPO, and then click Back Up.
4. In the Backup dialog box, confirm the results and click OK.
Restoring GPOs
By using the GPMC, you can restore any previous version of a GPO that you have backed up. The instructions in this section describe how to restore one or more GPOs from a backup folder.
To restore a previously backed-up GPO
1. In the GPMC, click the Group Policy objects folder to see the GPOs in the domain.
2. Right-click the Group Policy objects folder, and click Manage Backups.
3. In the Backup location list of the Manage Backups dialog box, click a backup location that you’ve previously used. You can also click Browse to choose a folder containing GPO backups.
4. In the Backed up GPOs list, choose one or more GPOs that you want to restore, and click Restore. If you see multiple versions of each GPO and want to see only the most recently backed-up version of each GPO, select the Show only the latest version of each GPO check box.
5. In the Restore dialog box, confirm that the operation was successful, and click OK.
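The GPMC tasks above (creating and linking, backing up, deleting, and restoring a GPO) can also be scripted with the GroupPolicy PowerShell module that is installed with the GPMC. The following is an added example, not part of the original module: the function name Remove-GpoWithBackup, the GPO name, the backup folder, and the OU distinguished name are assumptions chosen for illustration. It follows the advice in the note under “Deleting a GPO” by always taking a backup, and recording the links, before the GPO is removed.

```powershell
#Requires -Modules GroupPolicy

function Remove-GpoWithBackup {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $Name,        # display name of the GPO
        [Parameter(Mandatory)] [string] $BackupPath   # existing folder for GPO backups
    )

    if (-not (Test-Path -Path $BackupPath -PathType Container)) {
        throw "Backup folder '$BackupPath' does not exist."
    }

    # Record where the GPO is linked. A backup holds the GPO itself, not its links,
    # and deleting the GPO deletes the links, so they must be re-created after a restore.
    [xml] $report = Get-GPOReport -Name $Name -ReportType Xml -ErrorAction Stop
    $links = @(foreach ($link in $report.GPO.LinksTo) { if ($link) { $link.SOMPath } })

    # Same result as right-click > Back Up in the GPMC; stops here if the backup fails.
    $backup = Backup-GPO -Name $Name -Path $BackupPath `
                         -Comment "Taken before deleting '$Name'" -ErrorAction Stop

    # Same result as deleting the GPO in the Group Policy objects folder.
    if ($PSCmdlet.ShouldProcess($Name, 'Delete GPO and its links')) {
        Remove-GPO -Name $Name -ErrorAction Stop
    }

    [pscustomobject]@{
        Gpo        = $Name
        BackupId   = $backup.Id
        BackupPath = $BackupPath
        LinkedTo   = $links
    }
}

# Usage on a computer with the GPMC installed (all names below are placeholders):
#
#   # Create and link a GPO in one step
#   New-GPO -Name 'Lab Test Policy' |
#       New-GPLink -Target 'OU=Engineering,DC=corp,DC=contoso,DC=com'
#
#   # Back up, then delete (asks for confirmation; add -WhatIf to back up only)
#   $result = Remove-GpoWithBackup -Name 'Lab Test Policy' -BackupPath 'C:\GPOBackups'
#
#   # Restore from that backup, re-create the link, and refresh a test client
#   Restore-GPO -BackupId $result.BackupId -Path $result.BackupPath
#   New-GPLink -Name 'Lab Test Policy' -Target 'OU=Engineering,DC=corp,DC=contoso,DC=com'
#   gpupdate /force
```

The LinkedTo property of the returned object lists the containers that the GPO was linked to, so you know where to link it again after a restore.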
Installing the GPMC in Windows 7
Windows Server 2008 and Windows Server 2008 R2 include the GPMC when they are running the AD DS role. Otherwise, you can install the GPMC on Windows Server 2008, Windows Server 2008 R2, or Windows 7. You install the GPMC by downloading the Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) and installing either of the following files on the computer:
1. Windows6.1-KB958830-x64-RefreshPkg.msu. Install this package on x64 computers, including those running Windows Server 2008 R2.
2. Windows6.1-KB958830-x86-RefreshPkg.msu. Install this package on x86 computers.
Installing the update only adds the feature to Windows. You must also turn on the Group Policy Management Tools feature using Programs and Features in the Control Panel. The instructions in this section describe how to install the update as well as how to enable the Group Policy Management Tools.
To install the Remote Server Administration Tools for Windows 7 with SP1
1. Run either of the following files that you previously downloaded:
   1. Windows6.1-KB958830-x64-RefreshPkg.msu
   2. Windows6.1-KB958830-x86-RefreshPkg.msu
   Then, click Yes to install the update.
2. On the Read these license terms (1 of 1) page, review the license terms, and if you accept, click I Accept.
3. On the Installation complete page, click Close.
To turn on the Group Policy Management Tools feature
1. Click Start, type windows features, and click Turn Windows features on or off in the Control Panel section of the Start menu.
2. In the Windows Features dialog box, select the Group Policy Management Tools check box, and click OK. Group Policy Management Tools is under Remote Server Administration Tools, Feature Administration Tools.
Conclusion
You have come a long way. You have learned important Group Policy concepts such as GPOs, links, inheritance, and so on. You have also learned how to use the GPMC and the GPME to perform essential tasks such as creating, editing, and deleting GPOs.
When you are ready to learn more about Group Policy and broaden your skills, Microsoft has numerous resources available for you. First, the Group Policy resource page on the Windows Server TechCenter is a one-stop shop for any technical content related to Group Policy. It provides numerous getting-started guides as well as videos. For Group Policy guidance specific to Windows 7, visit the Windows Client Security and Control zone.
Self-Check 1.5.2 Enumeration
What are the Five 5s? (1-5)
What are the Three 3rs? (6-8)
Things you can do to reduce the waste (9-16)