The document discusses IP addressing and name resolution in networking. It covers IP addressing types like APIPA, global unicast addresses, link-local addresses, and unique local addresses. It also discusses name resolution methods like DNS, NetBIOS, and LLMNR. Additionally, it covers configuring DNS servers and zones, including primary, secondary, and stub zones. DNS components like resource records, caching, and dynamic updates are also summarized.
Script For MCSA 70-642
Chapter 1 – Understanding And Configuring IP
APIPA – 169.254.0.0/16
IPv6 unicast – always /64 (64-bit network, 64-bit host)
Global address – 2000::/3 (corresponds to a public address in IPv4)
Link-local address – fe80 (corresponds to APIPA); the "%3" zone ID distinguishes multiple network adapters connected to different network segments
Unique local address – fd00::/8 or fc00::/8 (corresponds to private IPv4 addresses – routable locally)
Loopback address – ::1
ISATAP tunneling protocol – the ISATAP router acts as an address translator from IPv4 to IPv6 and vice versa
6to4 – host --> 6to4 router --> 6to4 relay --> IPv6 host (IPv4 embedded in IPv6)
Teredo – for clients behind an IPv4 NAT (used as a last resort); components: client, server, relay, host-specific relay
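The address types listed above can be told apart purely from their prefixes, which is what a classifier does when triaging addresses seen in logs or on an interface. The following Python is an added example written for this page, not code from the book or the notes. It uses the prefixes named above; the 6to4 (2002::/16), Teredo (2001::/32) and ISATAP (0000:5efe interface ID) layouts are standard values assumed here so that the embedded IPv4 addresses can be recovered, and all sample addresses are constructed.

```python
import ipaddress

# Prefixes from the notes above. The 6to4 (2002::/16), Teredo (2001::/32) and
# ISATAP (interface ID 0000:5efe:WWXX:YYZZ) layouts are standard assignments
# assumed here; they are not stated in the notes.
APIPA = ipaddress.IPv4Network("169.254.0.0/16")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")   # fc00::/8 and fd00::/8 together
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")
ISATAP_MARKER = 0x00005EFE                          # upper 32 bits of an ISATAP interface ID


def isatap_ipv4(addr):
    """Return the IPv4 address embedded in an ISATAP interface ID, or None."""
    low64 = int(addr) & 0xFFFFFFFFFFFFFFFF
    # the u/l bit (0x0200) may be set, so mask it out before comparing
    if (low64 >> 32) & 0xFDFFFFFF == ISATAP_MARKER:
        return str(ipaddress.IPv4Address(low64 & 0xFFFFFFFF))
    return None


def classify(text):
    """Return (category, details) for an IPv4 or IPv6 address string.

    A trailing "%N" zone ID (as in fe80::1%3) is split off and reported,
    because link-local addresses are only unique per interface.
    """
    zone = None
    if "%" in text:
        text, zone = text.split("%", 1)
    addr = ipaddress.ip_address(text)

    if addr.version == 4:
        if addr in APIPA:
            return "apipa", {}
        if addr.is_loopback:
            return "ipv4-loopback", {}
        if addr.is_private:
            return "ipv4-private", {}
        return "ipv4-public", {}

    details = {}
    embedded = isatap_ipv4(addr)
    if embedded:
        details["isatap_ipv4"] = embedded

    if addr == ipaddress.IPv6Address("::1"):
        return "loopback", details
    if addr in LINK_LOCAL:
        details["zone"] = zone
        return "link-local", details
    if addr in UNIQUE_LOCAL:
        return "unique-local", details
    if addr in SIX_TO_FOUR:
        # 2002:WWXX:YYZZ::/48 -- the IPv4 address occupies bits 16..47
        details["embedded_ipv4"] = str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))
        return "6to4", details
    if addr in TEREDO:
        # 2001:0:SSSS:SSSS:FFFF:PPPP:CCCC:CCCC -- server IPv4 in bits 32..63,
        # client's public IPv4 in the low 32 bits, XORed with 0xFFFFFFFF
        details["server_ipv4"] = str(ipaddress.IPv4Address((int(addr) >> 64) & 0xFFFFFFFF))
        details["client_ipv4"] = str(ipaddress.IPv4Address((int(addr) & 0xFFFFFFFF) ^ 0xFFFFFFFF))
        return "teredo", details
    if addr in GLOBAL_UNICAST:
        return "global-unicast", details
    return "other", details


def demo():
    """Constructed sample addresses; returns [(address, category), ...]."""
    samples = ["169.254.1.5", "fe80::1%3", "fd12:3456::1", "::1",
               "2002:c000:204::1", "2001:0:c000:204:0:ffff:3fff:fdfb",
               "2001:db8::1", "fe80::5efe:c000:204%3"]
    return [(s, classify(s)[0]) for s in samples]


if __name__ == "__main__":
    for sample, category in demo():
        print(f"{sample:40} {category}")
```

Teredo and 6to4 are checked before the generic 2000::/3 test because both prefixes fall inside the global unicast range; the order of the tests is what makes the classification correct.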
Chapter 2 – Configuring Name Resolution
Types – DNS (requires network-wide configuration for both servers and clients), NetBIOS (used in workgroups), Link-Local Multicast Name Resolution (LLMNR – used in workgroups)
LLMNR – Network Discovery must be enabled (only for Vista and Windows Server 2008), uses multicast IPv6 on the local subnet, preferable to NetBIOS, doesn't work for IPv4 by default, small service with no configuration
NetBIOS – for older Windows, by default for IPv4, low security, for smaller networks; three methods:
  NetBIOS broadcasts – local network query for the owner to respond with its IPv4 address
  WINS – directory of computer names and their associated IP addresses, works beyond the local subnet
  Lmhosts file – static local database stored in %SystemRoot%\System32\Drivers\Etc, must be manually created, used as a last resort, contains a NetBIOS name and a corresponding IP address
NetBIOS node types – broadcast (b-node), point-to-point (p-node), mixed (m-node), hybrid (h-node)
  Broadcast – uses broadcast, only locally significant because routers don't forward broadcasts
  Point-to-point – direct communication with the WINS server to resolve names, doesn't use broadcast
  Mixed – uses broadcast first and then WINS queries if the broadcast is not successful
  Hybrid – uses WINS queries first and then broadcast if the WINS server doesn't respond
The current node type can be viewed from the command prompt using the ipconfig /all command.
DNS – enables location of computers and other resources by name, for large networks
DNS namespace – a unique root which can have any number of subdomains, each with their own subdomains
DNS names – a node is identified by its FQDN; the organization ICANN assigns globally unique identifiers
Types of domains – organizational (.org, .com, .edu, .net), geographical (.it – Italy), reverse – special
Private Domain Namespace – a DNS namespace based on a private set of root servers independent of the Internet's DNS namespace; you can create your own root server or servers and any subdomains, but they cannot be resolved on the Internet
DNS Components – server, zones, resolvers, resource records
  DNS Server – a computer that runs a server program; it resolves name resolution queries from clients
  DNS Zones – a zone is a contiguous portion of a namespace for which a server is authoritative; a server can be authoritative for one or more zones. Zone data is stored in text files or in Active Directory.
  DNS Resolvers – a service that uses the DNS protocol to query information from DNS servers
  Resource Records – DNS database entries that are used to answer DNS client queries
Types of records – IPv4 host address (A), IPv6 host address (AAAA), alias (CNAME), pointer (PTR), mail exchanger (MX), service location (SRV)
  CNAME – allows you to use more than one name to point to a single host
  MX – to locate a mail server within a zone; multiple MX records for fault tolerance
  SRV – used to locate specific services in a domain (created automatically, but for fault tolerance – manually)
DNS recursion – the process of a DNS server querying other DNS servers on behalf of the original querying client
Iteration – a process where a DNS client makes repeated queries to different DNS servers
Root Hints – used for DNS recursion; they contain information on where to begin searching for names in the DNS domain namespace (a list of preliminary resource records); they are preconfigured by default in Windows Server 2008 and stored in the WINDOWS\System32\Dns folder (Cache.dns)
DNS Caching – a way to improve the performance of DNS by reducing DNS query traffic on the network
  DNS Client Cache – whenever the DNS Client service starts, a Hosts file is created with name-to-IP mappings, located in WINDOWS\System32\Drivers\Etc
  DNS Server Cache – a temporary cache of resource records gathered while answering queries for DNS clients; this cache is cleared whenever the DNS Server service stops, but you can also clear it manually with dnscmd /clearcache at the command prompt
  The cache has Time To Live (TTL) values that apply to all cached resource records (client or server); the default is 1 hour and it can be manipulated.
Deploying a DNS Server – on a domain controller, on a stand-alone or member server, on Server Core
  Deploying a DNS Server on a Domain Controller – Active Directory Domain Services (AD DS) is tightly integrated with DNS; DNS is required for locating resources like domain controllers. When deploying a DNS server within an AD domain it's typically on a domain controller, which requires very little or no configuration.
  To promote the server to a domain controller for a new or existing domain, run the program Dcpromo.exe.
  Deploying a DNS Server on a Stand-alone or Member Server – your name resolution infrastructure might require such a DNS installation. This is done without the use of Dcpromo. To install a DNS server, use the Add Roles Wizard in Server Manager. You are required to configure the server manually, mainly the forward lookup zones.
  Deploying a DNS Server on a Server Core Installation of Windows Server 2008 – you can do it by using Dcpromo with AD DS. Type dcpromo /unattend:<unattendfile>, where unattendfile is the name of a Dcpromo.exe answer file. You can create that file on any other computer running Windows Server 2008. To install on a stand-alone or member server type start /w ocsetup DNS-Server-Core-Role; to remove the role type start /w ocsetup DNS-Server-Core-Role /uninstall. To manage the core server you have to connect to it from DNS Manager on another computer running a full server installation.
Configuring a Caching-only DNS Server – the cache is built up over time; the server checks its cache first for an already stored answer, giving a faster response time; a cached entry remains alive until its TTL is exceeded or the DNS server is restarted. Caching-only servers do not host any zones and are not authoritative.
Configuring Server Properties – configure settings that apply to the DNS server and its hosted zones
  Interfaces Tab – allows you to specify which of the local computer's IP addresses the DNS server should listen on for DNS requests, if your server has multiple network adapters
  Root Hints Tab – contains a copy of the information found in the WINDOWS\System32\Dns\Cache.dns file; for Internet names this file can stay the same, but for a private network Cache.dns should be deleted
  Forwarders Tab – allows you to configure the local DNS server to forward DNS queries it receives to upstream DNS servers, called forwarders. With this tab you specify the IP addresses of the upstream DNS servers to which queries should be directed if the local DNS server fails. A DNS server configured for forwarding uses forwarders only after it has determined that it cannot resolve a query using its authoritative data or cached data.
  When To Use Forwarders – when you don't want DNS servers communicating directly with external servers, or to allow DNS clients and servers inside a firewall to resolve external names securely
  When To Use Conditional Forwarding – queries for specific domains are forwarded to specific DNS servers; use it when two separate networks merge. Conditional forwarding reduces zone transfer traffic, provides zone data that is always up to date and allows for simple configuration and maintenance. To configure it, use the Conditional Forwarders container in DNS Manager.
Configuring DNS Client Settings
  006 DNS Server option – for the DNS server list
  015 DNS Domain option – for the connection-specific DNS suffix (useful if you have 2 network adapters)
  Host record – returns the address of a computer when you query using its name
  Pointer record – found in the reverse lookup zones, does the opposite of the host record: it returns the name of the computer when you query using its IP address
  ipconfig /registerdns – to force a DNS client to attempt dynamic registration of its resource records
  ipconfig /renew – to force an update
  Viewing and Clearing the DNS Client Cache – ipconfig /displaydns to view, ipconfig /flushdns to clear
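The lookup order described in the Forwarders section (authoritative data first, then cache, then a conditional forwarder for the matching domain, then the ordinary forwarders, and root hints only when no forwarder is configured) is easy to get wrong when troubleshooting. The following Python model is an added example written for this page, not the DNS Server service's own code; the zone and forwarder contents are constructed, and upstream servers are represented by plain dicts so the whole thing runs offline.

```python
class ForwardingDnsServer:
    """Model of the lookup order on a DNS server that has forwarders configured.

    Upstream servers (conditional forwarders, forwarders, root hints) are plain
    dicts {name: (rdata, ttl)} standing in for real servers (constructed data).
    """

    def __init__(self, zones, conditional_forwarders, forwarders, root_hints):
        self.zones = {z.lower(): {n.lower(): r for n, r in recs.items()}
                      for z, recs in zones.items()}          # authoritative data
        self.conditional = {d.lower(): up for d, up in conditional_forwarders.items()}
        self.forwarders = forwarders                          # ordered list of upstreams
        self.root_hints = root_hints                          # used only with no forwarders
        self.cache = {}                                       # name -> (rdata, expires_at)

    @staticmethod
    def _in_domain(name, domain):
        return name == domain or name.endswith("." + domain)

    def resolve(self, name, now):
        """Return (rdata or None, source) for a query arriving at time `now` (seconds)."""
        name = name.rstrip(".").lower()
        # 1. authoritative zone data is answered locally and never forwarded,
        #    even when the answer is "no such name"
        for zone, records in self.zones.items():
            if self._in_domain(name, zone):
                rec = records.get(name)
                return (rec[0] if rec else None), "authoritative"
        # 2. cached data whose TTL has not yet run out
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], "cache"
        # 3. otherwise ask an upstream: conditional forwarder, forwarder, or root hints
        upstream, source = self._pick_upstream(name)
        rec = upstream.get(name)
        if rec is None:
            return None, source
        rdata, ttl = rec
        self.cache[name] = (rdata, now + ttl)                 # cache for the record's TTL
        return rdata, source

    def _pick_upstream(self, name):
        matches = [d for d in self.conditional if self._in_domain(name, d)]
        if matches:
            best = max(matches, key=len)                      # most specific domain wins
            return self.conditional[best], "conditional-forwarder:" + best
        if self.forwarders:
            return self.forwarders[0], "forwarder"            # first forwarder in the list
        return self.root_hints, "root-hints"

    def clear_cache(self):
        """Equivalent of dnscmd /clearcache on the server."""
        self.cache.clear()


def build_demo_server():
    """Constructed sample configuration: one local zone, one conditional
    forwarder for a partner domain, one forwarder at the ISP (not real hosts)."""
    zones = {"contoso.com": {"srv1.contoso.com": ("10.0.0.5", 3600)}}
    partner_dns = {"www.fabrikam.com": ("203.0.113.10", 600)}
    isp_forwarder = {"www.example.net": ("198.51.100.7", 3600),
                     # present upstream, but never asked: contoso.com is ours
                     "nothere.contoso.com": ("192.0.2.99", 3600)}
    return ForwardingDnsServer(zones, {"fabrikam.com": partner_dns}, [isp_forwarder], {})


if __name__ == "__main__":
    srv = build_demo_server()
    for query, t in [("srv1.contoso.com", 0), ("www.fabrikam.com", 0),
                     ("www.example.net", 0), ("www.example.net", 100),
                     ("www.example.net", 4000), ("nothere.contoso.com", 0)]:
        print(query, t, srv.resolve(query, t))
```

The point to take from the model: a name inside a hosted zone is never sent to a forwarder even when the forwarder would know it, and a cached answer is reused only until its TTL expires (the third query for www.example.net goes back to the forwarder at t=4000 because the 3600-second TTL has run out).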
Chapter 3 – Configuring a DNS Zone Infrastructure
A DNS zone is created automatically when you install a DNS server with a domain controller. However, you have to configure zones manually if you're doing a different kind of installation.
Zone types – Primary (option to store in AD), Secondary, Stub (option to store in AD)
  Primary zones – the master copy of the zone is stored in a local file (standard zone) or in AD Domain Services. If stored in a local file it's named zone_name.dns and located in the %SystemRoot%\System32\Dns folder.
  Secondary zones – a read-only copy of a primary zone or another secondary zone, to offload DNS query traffic and to serve when the primary DNS server is unavailable; it cannot be stored in AD DS
  Stub zones – similar to secondary zones but contain only those resource records necessary to identify the authoritative DNS servers for the master zone – to improve name resolution and simplify DNS administration
Creating a Forward or Reverse Lookup Zone – in forward lookup zones, DNS servers map FQDNs to IP addresses, while in reverse lookup zones, DNS servers map IP addresses to FQDNs.
Configuring Dynamic Update Settings
  Secure updates – only from AD domain member computers and from the same computer that originally performed the registration
  Nonsecure updates – allow updates from any computer
Start of Authority (SOA) record
  Refresh interval – by default 15 min. Increasing the refresh interval decreases zone transfer traffic.
  Retry interval – normally less than the refresh interval; default is 10 min
  Expires After – the interval during which the secondary server will continue to respond to queries without contact with its master server; default value is one day
  Minimum TTL – the time to live for all resource records in the zone; default value is one hour
  TTL for this record – overrides the default value and lets you configure the TTL of the present SOA resource record
Enabling DNS to use WINS resolution – a special WINS service record pointing to that WINS server is added to the zone. You can also specify WINS in a reverse lookup zone, which creates a WINS-R resource record in the zone.
Aging and Scavenging – the process of using timestamps to track the age of dynamically registered resource records.
  Scavenging – deleting outdated resource records. It can occur only when aging is enabled. To enable aging for a particular zone, you have to enable it on both the server level and the zone level.
  Timestamping – manually created resource records receive a time stamp of "0" and will not be aged. AD-integrated zones by default enable timestamping for dynamically registered records.
  For scavenging, the no-refresh interval is 7 days and the refresh interval is also 7 days, which means records can be scavenged after 14 days by default.
Storing DNS Data in the Domain Partition – replication to all domain controllers in the local domain, which creates unnecessary replication traffic but must be used if DNS data is to be replicated to computers running Windows Server 2000
Choosing Zone Replication Scope – the partition in which a zone is stored determines the replication scope. Using Dcpromo, the zone is automatically stored in the DomainDnsZones partition, but using the New Zone Wizard you have 4 options:
  To All DNS Servers In This Forest – stores the new zone in the ForestDnsZones partition
  To All DNS Servers In This Domain – stores the new zone in the DomainDnsZones partition
  To All Domain Controllers In This Domain – stores the zone in the domain partition
  To All Domain Controllers Specified In The Scope Of This Directory Partition – stores the zone in the user-created application directory partition specified in the drop-down list box; you must manually enlist that domain controller in the partition
Creating Custom Application Directory Partitions
  dnscmd servername /createdirectorypartition FQDN – to create the partition
  dnscmd servername /enlistdirectorypartition FQDN – to enlist other DNS servers in the partition
  For the local server name use a dot ".".
Zone Transfer initiation – three events:
  1. When the refresh interval of the primary zone's SOA resource record expires
  2. When a server hosting a secondary zone boots up
  3. When a change occurs in the configuration of the primary zone and it's set to notify a secondary zone of zone updates
Enabling Zone Transfers – to any server (least secure); only to servers listed on the Name Servers tab (restricts zone transfers to secondary DNS servers that have an NS record and are authoritative); only to the following servers (a list of secondary servers)
Manually Updating a Secondary Zone – reload (reloads the secondary zone from local storage), transfer from master (checks the serial number), reload from master (regardless of the serial number)
Implementing Stub Zones – a stub zone is a copy of a zone that contains only the most basic records in the master zone. Its purpose is to enable the local DNS server to forward queries to the authoritative name server (zone delegation). You can use stub zones to keep delegated zone information current (keep an updated list of name servers) and to improve name resolution across domains.
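The SOA timers, the zone-transfer triggers and the aging intervals above all interact as simple time arithmetic, and it helps to see them as one piece of logic. The Python below is an added example written for this page, not the DNS Server service's own code. It uses the default values stated above (refresh 15 min, retry 10 min, expire 1 day, no-refresh and refresh intervals of 7 days each); the records, serial numbers and timestamps are constructed, and times are plain seconds.

```python
# Default SOA timers from the notes: refresh 15 min, retry 10 min, expire 1 day,
# minimum TTL 1 hour (all values in seconds)
DEFAULT_SOA = {"refresh": 15 * 60, "retry": 10 * 60, "expire": 24 * 3600, "minimum_ttl": 3600}
DAY = 24 * 3600
NO_REFRESH = 7 * DAY          # default no-refresh interval
REFRESH = 7 * DAY             # default refresh interval


def secondary_zone_action(now, last_success, last_attempt, local_serial, primary_serial,
                          soa=DEFAULT_SOA, notified=False, booted=False, force_reload=False):
    """Decide what a secondary zone does at time `now`.

    last_success   when the zone was last refreshed from its master
    last_attempt   when the master was last contacted (equals last_success if that worked)
    primary_serial SOA serial the master reports, or None if it is unreachable
    notified       the primary sent a NOTIFY for this zone
    booted         the server hosting the secondary zone just started
    force_reload   "reload from master" was chosen in DNS Manager
    """
    if now - last_success >= soa["expire"]:
        return "expired"                  # stop answering queries for this zone
    failed_pending = last_attempt > last_success
    due = (booted or notified or force_reload
           or (failed_pending and now - last_attempt >= soa["retry"])
           or (not failed_pending and now - last_success >= soa["refresh"]))
    if not due:
        return "serve"                    # keep answering from the local copy
    if primary_serial is None:
        return "retry-later"              # master unreachable: wait the retry interval
    if force_reload or primary_serial > local_serial:
        return "transfer"                 # newer (or forced) copy: pull a zone transfer
    return "no-change"                    # same serial: just restart the refresh timer


def timestamp_can_be_refreshed(now, timestamp, no_refresh=NO_REFRESH):
    """A dynamic re-registration rewrites the timestamp only after the
    no-refresh interval, which keeps AD replication traffic down."""
    return timestamp != 0 and now - timestamp >= no_refresh


def scavenge(records, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Return the records that survive a scavenging pass.

    records is {name: (rdata, timestamp)}; a timestamp of 0 marks a manually
    created record, which is never aged.
    """
    survivors = {}
    for name, (rdata, ts) in records.items():
        if ts == 0 or now - ts < no_refresh + refresh:
            survivors[name] = (rdata, ts)
    return survivors


if __name__ == "__main__":
    # constructed sample: a static record and two dynamic ones, evaluated on day 20
    sample = {"static.contoso.com": ("10.0.0.1", 0),
              "stale.contoso.com": ("10.0.0.2", 5 * DAY),
              "fresh.contoso.com": ("10.0.0.3", 8 * DAY)}
    print(sorted(scavenge(sample, 20 * DAY)))
    print(secondary_zone_action(1500, 500, 500, local_serial=5, primary_serial=6))
```

With the defaults, a dynamic record registered on day 5 is 15 days old on day 20 and is removed (14 days is the threshold), the one from day 8 is kept, and the static record is kept regardless of age.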
Chapter 4 – Creating a DHCP Infrastructure
The DHCP address assignment process – the client broadcasts a DHCP discover, the server responds with a DHCP offer, the client responds with a DHCP request, the server confirms with a DHCP ack.
By default, the lease time is 6 or 8 days. After half the remaining lease period the client attempts to renew its IP address, and after 87.5% of the lease time, if the DHCP server is still not available, the DHCP client attempts to locate a new DHCP server.
ipconfig /release – the assigned IP address becomes available again
A DHCP server should be directly connected to each subnet it provides addresses for, unless a DHCP Relay Agent is being used.
DHCP Options
  003 Router – list of IPv4 addresses for routers on the same subnet as the DHCP clients
  006 DNS Servers – IP addresses of DNS name servers that DHCP clients can contact to resolve a query
  015 DNS Domain Name – domain name that DHCP clients use when resolving unqualified names; allows clients to perform dynamic DNS updates
  044 WINS/NBNS Servers – IPv4 addresses of the primary and secondary WINS servers for DHCP clients
  046 WINS/NBT Node Type – preferred NetBIOS name resolution method for DHCP clients (b & h node)
  051 Lease – assigns a special lease duration only to remote access clients
Before a DHCP server can lease addresses you first need to authorize it and activate the DHCP scope.
A reservation binds an IP address to the MAC address of a host.
Additional DHCP options – server level, scope level, reservation level (inheritance in that order)
ipconfig /setclassid "Local Area Connection" SampleID – configure a connection with the class ID
Installing and Configuring DHCP on a Server Core Installation
  start /w ocsetup DHCPServerCore – install the DHCP Server role
  net start dhcpserver – start the DHCP Server service
  sc config dhcpserver start= auto – start the DHCP Server service automatically
  netsh interface ipv4 set address "Local Area Connection" dhcp – DHCP client for IPv4
  netsh interface ipv4 set dnsserver "Local Area Connection" dhcp – obtain a DNS server address
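The lease timeline (renew at 50%, look for any server at 87.5%), the authorize-then-activate gate, reservations and the server/scope/reservation option inheritance above can all be exercised in one small model. The Python below is an added example written for this page, not the DHCP Server service's own code; the scope range, MAC addresses and option values are constructed, and option numbers are the ones listed above.

```python
import ipaddress

DEFAULT_LEASE = 8 * 24 * 3600      # 8-day lease, one of the defaults named in the notes


def lease_state(lease_seconds, elapsed):
    """Client-side lease timeline: renew from 50%, rebind from 87.5%, then start over."""
    if elapsed < 0.5 * lease_seconds:
        return "bound"
    if elapsed < 0.875 * lease_seconds:
        return "renewing"        # unicast DHCP request to the server that issued the lease
    if elapsed < lease_seconds:
        return "rebinding"       # broadcast DHCP request: any DHCP server may answer
    return "expired"             # address given up; client broadcasts DHCP discover again


class DhcpScope:
    """Minimal model of one scope with server-, scope- and reservation-level options."""

    def __init__(self, first, last, server_options, scope_options=None, lease=DEFAULT_LEASE):
        start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        self.pool = [ipaddress.IPv4Address(i) for i in range(int(start), int(end) + 1)]
        self.server_options = dict(server_options)    # apply to every scope on the server
        self.scope_options = dict(scope_options or {})
        self.reservations = {}     # mac -> (ip, reservation-level options)
        self.leases = {}           # ip -> mac
        self.lease = lease
        self.authorized = False    # the server must be authorized in AD ...
        self.active = False        # ... and the scope activated before leasing anything

    def reserve(self, mac, ip, options=None):
        """Bind an address inside the scope range to a client's MAC address."""
        ip = ipaddress.IPv4Address(ip)
        if ip not in self.pool:
            raise ValueError("reservation must lie inside the scope range")
        self.reservations[mac.lower()] = (ip, dict(options or {}))

    def effective_options(self, mac):
        """Inheritance order: server level, then scope level, then reservation level."""
        opts = dict(self.server_options)
        opts.update(self.scope_options)
        opts.update(self.reservations.get(mac.lower(), (None, {}))[1])
        opts[51] = self.lease                           # 051 lease time in seconds
        return opts

    def offer(self, mac):
        """Answer a DHCP discover with (ip, options), or None if nothing can be leased."""
        if not (self.authorized and self.active):
            return None
        mac = mac.lower()
        if mac in self.reservations:
            ip = self.reservations[mac][0]
        else:
            reserved = {r[0] for r in self.reservations.values()}
            free = [ip for ip in self.pool if ip not in reserved and ip not in self.leases]
            if not free:
                return None
            ip = free[0]
        self.leases[ip] = mac
        return ip, self.effective_options(mac)

    def release(self, ip):
        """ipconfig /release on the client: the address becomes available again."""
        self.leases.pop(ipaddress.IPv4Address(ip), None)


def build_demo_scope():
    """Constructed sample scope (illustrative addresses, not real hosts)."""
    scope = DhcpScope("192.168.1.100", "192.168.1.200",
                      server_options={6: ["192.168.1.10"], 15: "contoso.com"},
                      scope_options={3: ["192.168.1.1"], 44: ["192.168.1.10"], 46: 8})
    # this client gets a fixed address and its own DNS server (reservation-level option)
    scope.reserve("00-11-22-33-44-55", "192.168.1.150", options={6: ["192.168.1.11"]})
    return scope


if __name__ == "__main__":
    scope = build_demo_scope()
    print("before authorization:", scope.offer("00-11-22-33-44-55"))
    scope.authorized = scope.active = True
    print("reserved client:", scope.offer("00-11-22-33-44-55"))
    print("other client:", scope.offer("AA-BB-CC-DD-EE-FF"))
    for day in (3, 4, 7, 8):
        print(f"day {day}: {lease_state(DEFAULT_LEASE, day * 86400)}")
```

Option 46 is set to 8 (h-node) here because the notes recommend b-node or h-node; the reserved client inherits option 3 from the scope and option 15 from the server but overrides option 6 at the reservation level.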
Chapter 5 – Configuring IP Routing
Examining Network Routes – tracert (quicker response), pathping (detailed and reliable analysis)
route print – view the routing table
224.0.0.0 – multicast address
route -p add 10.2.2.0 MASK 255.255.255.0 192.168.1.2 – add a persistent route. If a route is not persistent, it will be deleted the next time the computer is restarted.
route add – to configure a static route
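The route print output is resolved by longest-prefix match, and the difference between route add and route -p add only shows up after a restart. The Python below is an added example written for this page, not the Windows routing code; it parses the exact command given above, performs the lookup, and models the restart. The table contents are constructed.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway interface metric persistent")


class RoutingTable:
    """Longest-prefix-match lookup over a Windows-style IPv4 routing table."""

    def __init__(self):
        self.routes = []

    def add(self, destination, mask, gateway, interface, metric=1, persistent=False):
        network = ipaddress.IPv4Network((destination, mask), strict=False)
        self.routes.append(Route(network, gateway, interface, metric, persistent))

    def _interface_for(self, gateway):
        """The gateway must be reachable through a directly connected (On-link) network."""
        gw = ipaddress.IPv4Address(gateway)
        for r in self.routes:
            if r.gateway == "On-link" and gw in r.network:
                return r.interface
        return None

    def add_from_command(self, cmdline):
        """Parse 'route [-p] add <dest> MASK <mask> <gateway> [METRIC n]'."""
        tokens = cmdline.split()
        if tokens[0].lower() != "route" or "add" not in tokens:
            raise ValueError("not a route add command")
        persistent = "-p" in tokens
        i = tokens.index("add")
        dest, keyword, mask, gateway = tokens[i + 1], tokens[i + 2], tokens[i + 3], tokens[i + 4]
        if keyword.upper() != "MASK":
            raise ValueError("expected MASK keyword")
        metric = 1
        if len(tokens) > i + 6 and tokens[i + 5].upper() == "METRIC":
            metric = int(tokens[i + 6])
        self.add(dest, mask, gateway, self._interface_for(gateway), metric, persistent)

    def lookup(self, dst):
        """Pick the most specific matching route; ties go to the lowest metric."""
        dst = ipaddress.IPv4Address(dst)
        candidates = [r for r in self.routes if dst in r.network]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))

    def reboot(self):
        """Routes added without -p are not persistent and vanish on restart."""
        self.routes = [r for r in self.routes if r.persistent]


def build_demo_table():
    """Constructed sample table: one interface on 192.168.1.0/24 (not a real host)."""
    rt = RoutingTable()
    rt.add("0.0.0.0", "0.0.0.0", "192.168.1.1", "192.168.1.50", metric=10, persistent=True)
    rt.add("192.168.1.0", "255.255.255.0", "On-link", "192.168.1.50", persistent=True)
    rt.add("224.0.0.0", "240.0.0.0", "On-link", "192.168.1.50", persistent=True)  # multicast
    rt.add_from_command("route -p add 10.2.2.0 MASK 255.255.255.0 192.168.1.2")  # from the notes
    rt.add_from_command("route add 10.3.0.0 MASK 255.255.0.0 192.168.1.3")       # not persistent
    return rt


if __name__ == "__main__":
    rt = build_demo_table()
    for dst in ("10.2.2.7", "10.3.4.5", "224.0.0.9", "8.8.8.8"):
        print(dst, "->", rt.lookup(dst).gateway)
    rt.reboot()
    print("after restart, 10.3.4.5 ->", rt.lookup("10.3.4.5").gateway)
```

Before the restart 10.3.4.5 goes through 192.168.1.3; afterwards the non-persistent /16 route is gone and the same destination falls back to the default gateway, which is the behaviour the note about route -p describes.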
Chapter 6 – Protecting Network Traffic with IPSec
You can manage IPsec through Local Security Policy, Group Policy, or command-line tools. IPsec provides data authentication (origin authentication, data integrity, anti-replay protection) and encryption.
Every IPsec policy is composed of one or more IPsec policy rules that determine when and how IP traffic should be protected. Every policy rule is associated with one IP filter list and one filter action. Possible filter actions are: block, permit, or negotiate security.
You configure connection security rules in Windows Firewall with Advanced Security (WFAS) or in the WFAS node in Server Manager. For multiple clients on the network you can use Group Policy.
Security Associations (SA) – security for an SA is provided by the two IPsec protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). You can use either one or both. If you need encryption use ESP, if not...
  AH – provides data origin authentication, data integrity and anti-replay protection for the entire IP packet
  ESP – provides data encryption, data origin authentication, data integrity and anti-replay protection for the ESP payload
How IPsec Connections Are Established – via the Internet Key Exchange protocol (IKE), a two-phase negotiation: Phase 1 – main mode, Phase 2 – quick mode
Using IPsec in Tunnel Mode – by default IPsec operates in transport mode, but you can also use tunnel mode. With tunnel mode, the entire IP packet is protected and then encapsulated with an additional, unprotected IP header.
Authentication methods for IPsec – Kerberos (Active Directory), Certificates, Preshared Key
  Kerberos (AD) – the default authentication method in AD; for IPsec within a single AD forest
  Certificates – used in a production environment where Kerberos is unavailable; each host must obtain and install a computer certificate
  Preshared Key – a password shared by the peers and used to encrypt and decrypt data; it's stored in plain text on each computer or in AD, which reduces security; recommended only in nonproduction environments such as test networks
Assigning a Predefined IPsec Policy – Client (Respond Only – it will never initiate IPsec communication but will respond to it), Server (Request Security – encryption is preferred but not required), Secure Server (Require Security – for secure communications)
Chapter 7 – Connecting to Networks
Internet Connection Sharing – for home and small offices
Routing And Remote Access Services – for organizations with a routed intranet
Troubleshooting NAT – by default the RRAS NAT component logs NAT errors to the System event log, viewable in Server Manager at Diagnostics\Event Viewer\Windows Logs\System
Wireless Network Standards
  802.11b – 11 Mbps (3-4 Mbps realistic), can connect to almost any network (backward compatible)
  802.11g – 54 Mbps (10-15 Mbps realistic), works in two modes (mixed or 802.11g only)
  802.11n – 250 Mbps (much smaller realistic bandwidth), backward compatible with all, including 802.11a
  802.11a – 5.4 GHz range instead of 2.4 GHz
Wireless Security Standards – no security, WEP (64- or 128-bit, easily hackable), WPA (significantly stronger than WEP), WPA-PSK (pre-shared static key, known as WPA-Personal, for home usage), WPA-EAP (known as WPA-Enterprise, passes authentication to a RADIUS server), WPA2 (updated version of WPA, offers WPA2-PSK and WPA2-EAP)
  Order by strength (best to worst): WPA2-EAP, WPA-EAP, WPA2-PSK, WPA-PSK, WEP 128-bit, WEP 64-bit
Wireless Network Modes – Infrastructure (a wireless access point acts as a central hub for wireless clients), Ad hoc (established between 2 or more wireless clients without a wireless access point – short-lived connections)
Authenticating Wireless Networks Using Windows Server 2008 – computer only, user only, computer & user
Configuring the RADIUS Server – in Server Manager add the Network Policy And Access Services role. On the Configure An Authentication Method page, select one of the following methods:
  Microsoft: Protected EAP (PEAP) – requires you to install a computer certificate on the RADIUS server and a computer or user certificate on all wireless clients; use an enterprise PKI such as AD Certificate Services
  Microsoft: Smart Card Or Other Certificate – essentially the same as PEAP, but the certificates are provided using a smart card
  Microsoft: Secured Password (EAP-MSCHAP v2) – requires computer certificates to be installed on all RADIUS servers; clients use domain credentials to authenticate
Configuring a RADIUS Proxy – all RADIUS servers are connected to one RADIUS proxy, which determines to which domain to forward the request. You can also use it to load-balance requests across multiple RADIUS servers.
Monitoring RADIUS Server Logons – using Event Viewer; analyzing the RADIUS log file (located in %SystemRoot%\system32\LogFiles with the filename IN<date>.log); enabling trace logging on the server (very detailed; to enable: netsh ras set tr * en; log file at %SystemRoot%\Tracing\IASNAP.log)
Connecting to Remote Networks – dial-up connections, Virtual Private Network (VPN) connections
  Dial-up Connections – traditional, largely outdated, requires a separate physical circuit to the server
    Pros: no Internet connection required, minimal privacy risks, predictable performance
    Cons: high cost for scalability (as many phone lines as you have users), poor bandwidth
  Virtual Private Networks – uses the public Internet, requires a single connection
    Pros: higher bandwidth potential, minimal cost
    Cons: Internet connection required, poor latency, poor efficiency with dial-up connections
Configuring VPN connections – PPTP, L2TP, SSTP
  Point-to-Point Tunneling Protocol (PPTP) – uses PPP for user-level authentication and Microsoft Point-to-Point Encryption; it doesn't require a client certificate when using PEAP-MS-CHAP v2, EAP-MS-CHAP v2 or MS-CHAP v2 for authentication
  Layer Two Tunneling Protocol (L2TP) – open standard (MS and non-MS OS), uses PPP authentication for user level and IPsec for computer-level peer authentication, data authentication, data integrity and data encryption. It requires certificates, can be used over IPv6, implemented with AD CS.
  Secure Socket Tunneling Protocol (SSTP) – uses PPP authentication for user level and HTTP encapsulation over Secure Sockets Layer (SSL) for data authentication, data integrity and data encryption. Supported only by Windows Server 2008 and Vista SP1, requires certificates, implemented with AD CS.
Troubleshooting VPN Connection Problems – events are added to the System event log; use ipconfig to test
Chapter 8 – Configuring Windows Firewall and Network Access Protection
Firewall Profiles – Domain (when the computer is in AD), Private (must be specifically specified, otherwise it isn't used), Public (the default profile when a domain controller is unavailable)
By default Windows Firewall allows all outbound traffic, but in Server 2008 you can filter it. By default, outbound rules are enabled for: DHCP, DNS, GPO, IPv6, and Internet Group Management Protocol (IGMP).
Configuring Firewall Settings with Group Policy – manage Windows Firewall settings using a GPO for computers running Vista or Server 2008 by using two nodes:
  Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security\Windows Firewall With Advanced Security – applies settings only to computers running Vista and Server 2008; more detailed configuration of firewall rules
  Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall – applies settings to computers running XP, Server 2003, Vista, and Server 2008 (less flexible than WFAS, but the settings apply to all versions of Windows Firewall)
  For best results create separate GPOs for Vista/Server 2008 and XP/Server 2003 and use WMI queries to target the GPOs to computers running the appropriate version of Windows.
Logging for Windows Firewall – by default, when logs are enabled, they are written to %SystemRoot%\System32\LogFiles\Firewall\Pfirewall.log, which stores only the last 4 KB of data
netstat -a -b – to examine which ports are listening for active connections
Configuring Network Access Protection (NAP) – computers must meet specific health requirements
Enforcement Types – IPsec connection security, 802.1X access points, VPN servers, DHCP servers
  IPsec Connection Security – requires clients to perform a NAP health check before they can receive a health certificate; for example, you can allow noncompliant computers to connect to the web but not to a file server, or allow healthy computers to communicate only with other healthy servers. At least two CAs are required for redundancy. Other PKIs will not work. IPsec is a high level of security.
  802.1X Access Points – uses Ethernet switches or wireless access points that support 802.1X authentication. Compliant computers are granted full access and noncompliant computers are redirected to a remediation portion of the network or completely prevented from connecting. It uses two methods to control which level of access computers receive:
    An access control list (ACL) – a set of IPv4 or IPv6 packet filters configured on the 802.1X AP
    A virtual LAN – a group of ports on a switch grouped together to form a separate network
  VPN Servers – enforces NAP for remote access connections using a VPN server running Windows Server 2008 and Routing And Remote Access; it can apply a set of packet filters to limit access for noncompliant computers, separately for IPv4 and IPv6
  DHCP Server – uses a computer running Server 2008 and the DHCP Server service that provides IP addresses to intranet clients; only compliant clients receive an IP address that grants full network access; noncompliant computers are granted an IP address with a subnet mask of 255.255.255.255 and no default gateway. If the health status of a NAP client changes, the NAP client performs a new health evaluation using a DHCP renewal.
System Health Agents and System Health Validators – SHA, SHV
  System Health Agents (SHAs) – components that contain a description of the health of the client computer; custom SHAs can be created to provide more complex reporting
  System Health Validators (SHVs) – components that analyze the Statement of Health (SoH) generated by the SHA and create the SoH Response (SoHR); NAP uses the SoHR to determine the level of access and whether remediation is necessary
Planning a NAP Deployment – testing (test NAP), monitoring (notifies the administrator if a computer fails to meet health requirements but does not prevent it from connecting), limited access (NAP enforcement)
Installing the Health Registration Authority (HRA) Role Service – used with IPsec enforcement; at least 2 HRAs should be used for fault tolerance; the following must be configured:
  A certification authority (if one does not already exist) – HRA requires a certification authority running Server 2008 Certificate Services
  A web application – the Add Role Services Wizard creates a web application named DomainHRA under the default web site in IIS (Internet Information Services)
  To configure HRA, in Server Manager right-click Roles\Network Policy And Access Services\Health Registration Authority\Certification Authority and choose Add Certification Authority.
Configuring NAP Clients – after configuring the NPS server you must configure clients for NAP; the easiest way is through GPO settings in the Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration node. Client NAP settings have three nodes: Enforcement Clients, User Interface Settings, Health Registration Settings. Additionally, you must start the Network Access Protection Agent service on all client computers.
  netsh nap client show state – view the client's configuration
  netsh nap client set enforcement 79617 enable – to enable the DHCP Quarantine enforcement client
NAP logging – allows you to identify noncompliant computers, which is particularly important during the initial stages of a NAP deployment. It also enables you to identify computers that would be unable to connect to the network if NAP enforcement were enabled. To configure NAP logging right-click Roles\Network Policy And Access Services\NPS and choose Properties. To view NPS events you can use the Windows Logs\Security event log, available in Server Manager at Diagnostics\Event Viewer\Windows Logs\Security.
  netsh nap client set tracing enable level=verbose – to enable tracing for extremely detailed info. Trace logs are stored in the %SystemRoot%\Tracing folder.
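The Pfirewall.log file mentioned under Logging for Windows Firewall is the data an administrator actually reviews, so it is worth knowing how to parse it and what a useful summary looks like. The Python below is an added example written for this page, not Microsoft's code; it assumes the W3C-style layout Windows Firewall writes (a #Fields: header naming the columns, "-" for empty fields, and a final path column of RECEIVE or SEND), and the log lines are constructed for this example with made-up addresses.

```python
from collections import defaultdict

# Column names Windows Firewall declares in its #Fields: header (assumed layout)
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample log: addresses, ports and times are made up for this example.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2008-03-10 09:12:01 DROP TCP 10.0.0.77 10.0.0.5 51234 445 52 S 1 0 8192 - - - RECEIVE
2008-03-10 09:12:01 DROP TCP 10.0.0.77 10.0.0.5 51235 135 52 S 2 0 8192 - - - RECEIVE
2008-03-10 09:12:02 DROP TCP 10.0.0.77 10.0.0.5 51236 3389 52 S 3 0 8192 - - - RECEIVE
2008-03-10 09:12:02 DROP TCP 10.0.0.77 10.0.0.5 51237 22 52 S 4 0 8192 - - - RECEIVE
2008-03-10 09:12:03 DROP TCP 10.0.0.77 10.0.0.5 51238 80 52 S 5 0 8192 - - - RECEIVE
2008-03-10 09:12:05 ALLOW TCP 10.0.0.5 10.0.0.10 49152 389 0 - 0 0 0 - - - SEND
2008-03-10 09:12:07 DROP UDP 10.0.0.23 10.0.0.5 137 137 78 - - - - - - - RECEIVE
2008-03-10 09:12:09 DROP ICMP 10.0.0.23 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_firewall_log(text):
    """Turn pfirewall.log text into a list of dicts keyed by the header's field names."""
    fields = FIELDS
    entries = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # prefer the column names the file declares
            continue
        if not line.strip() or line.startswith("#"):
            continue                           # other header lines and blank lines
        values = line.split()
        if len(values) != len(fields):
            continue                           # truncated record (e.g. log rolled over mid-write)
        entry = dict(zip(fields, values))
        for key in ("src-port", "dst-port", "size"):
            entry[key] = int(entry[key]) if entry[key].isdigit() else None   # "-" -> None
        entries.append(entry)
    return entries


def dropped_inbound_ports(entries):
    """Distinct destination ports each source reached with dropped inbound packets."""
    hits = defaultdict(set)
    for e in entries:
        if e["action"] == "DROP" and e["path"] == "RECEIVE" and e["dst-port"] is not None:
            hits[e["src-ip"]].add(e["dst-port"])
    return dict(hits)


def flag_port_sweeps(entries, threshold=5):
    """Sources whose dropped inbound traffic touched at least `threshold` distinct ports,
    a simple review heuristic for a host that is probing this server."""
    return sorted(src for src, ports in dropped_inbound_ports(entries).items()
                  if len(ports) >= threshold)


if __name__ == "__main__":
    parsed = parse_firewall_log(SAMPLE_LOG)
    print(f"{len(parsed)} records")
    for src, ports in sorted(dropped_inbound_ports(parsed).items()):
        print(src, sorted(ports))
    print("review:", flag_port_sweeps(parsed))
```

Because the file keeps only the most recent data, a summary like this is best run on a copy taken regularly rather than on the live file; the threshold is a starting point to tune per host, not a fixed rule.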
Chapter 9 – Managing Software Updates
Windows Server Update Services (WSUS) – allows you to download, approve, and distribute updates throughout your organization. Typically the best way to distribute updates is through GPO; the Windows Update settings are located at Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. Typically, redundancy is not required for WSUS servers; however, you should back up the database.
Planning the WSUS Installation – you will need to make several key decisions:
  Update source – either directly from Microsoft or from another WSUS server
  Approval and configuration replication – for multiple WSUS servers
  Update storage – either store updates locally (minimum 6 GB of free space) or direct download from MS
  Database – list of updates (at least 3 GB (~1 GB in reality) of space for the WSUS internal database installation); the database is located at C:\WSUS\UpdateServicesDbFiles\SUSDB.mdf
  Web site selection – WSUS requires IIS to retrieve updates using HTTP, or you can create your own site
  Languages – to minimize disk space, use only the languages you need
  Products – updates can be for the OS but also for MS applications; choose which ones you need
WSUS is a free download available at http://www.microsoft.com/wsus
How To Configure Computer Groups – testing (to verify the update distribution), pilot (deploy updates to a computer-savvy group), production (if the pilot deployment goes well). You can configure computer groups in two ways: server-side targeting (for small organizations) and client-side targeting (for larger organizations), using the Update Services console.
How to Troubleshoot WSUS – the Application event log; C:\Program Files\Update Services\Log Files\Change.txt (non-detailed entries); C:\Program Files\Update Services\Log Files\SoftwareDistribution.txt (extremely detailed log for debugging by MS support)
  net stop wuauserv – stop the Windows Update service
  net start wuauserv – start the Windows Update service
  wuauclt /a – to make Windows Update begin querying the WSUS server
Chapter 10 – Monitoring Computers
Configuring the Forwarding Computer
  winrm quickconfig – to configure the Windows Remote Management service
  net localgroup "Event Log Readers" <computer_name>$@<domain_name> /add – add the computer account of the collector to the Event Log Readers group on each forwarding computer
  net localgroup "Event Log Readers" SERVER1$@contoso.com /add – to add the computer SERVER1 in the contoso.com domain
  wecutil qc – to configure the Windows Event Collector service
  winrm quickconfig -transport:https – to configure event forwarding to use HTTPS
Monitoring Performance and Reliability – to use Performance Monitor, select Diagnostics\Reliability And Performance\Monitoring Tools\Performance Monitor. The graph can be viewed in 3 forms: line (default), histogram bar, report (text report).
Data Collector Sets – gather system information and store it in a data file. The default location to store data is %SystemDrive%\perflogs\Admin\.
Using Network Monitor – to troubleshoot complex problems
Capturing Network Data Using a Command Prompt – go to C:\Program Files\Microsoft Network Monitor 3 (by default) and run:
  NMCap /network * /capture /file filename.cap – captures all traffic on all network interfaces
  NMCap /network * /capture "DNS" /file filename.cap – example of how to capture DNS data
  NMCap /network * /DisableLocalOnly /capture /file filename.cap – capture in P-Mode (all traffic visible to the computer, not just broadcast traffic or network traffic)
Chapter 11 – Managing Files
To control access, use NTFS file permissions and Encrypting File System (EFS). To provide redundancy, create a Distributed File System (DFS) namespace and use DFS Replication to copy files between multiple servers.
Managing File Security
NTFS File Permissions – default patterns: user files (Full Control for the owning user and administrators), system files (administrators can install applications and updates, no one else can write), program files (similar to system files; administrators have Full Control)
Encrypting File System (EFS) – encrypt files and folders on the disk
You can manage EFS with Group Policy. To encrypt offline files use: Computer Configuration\Policies\Administrative Templates\Network\Offline Files\Encrypt the Offline Files Cache
You can also disable indexing of encrypted files using: Computer Configuration\Policies\Administrative Templates\Windows Components\Search\Allow Indexing Of Encrypted Files
To recover encrypted files when the user's key is unavailable, EFS supports Data Recovery Agents (DRA). You can designate multiple DRAs.
Sharing Folders – use Distributed File System (DFS) to create a namespace of shared folders hosted on multiple servers
On the Select Role Services page of the File Services role, several role services are available:
File Server – not required to share files but allows you to use the Share And Storage Management snap-in
Distributed File System – DFS Namespaces (a single namespace of shares on several servers) and DFS Replication (replicates files between DFS servers)
File Server Resource Manager – tools for generating storage reports, configuring quotas, and defining file screening policies (enables storage monitoring on local disks)
Services for Network File System – provides connectivity for UNIX clients that use Network File System (NFS) for file sharing (most new UNIX systems don't need this and can connect directly to Windows shares)
Windows Search Service – indexes files for faster searching (enable indexing on local disks)
Windows Server 2003 File Services – provides compatibility with the file services of Windows Server 2003 computers
Using Quotas – to limit the disk space available to each user (prevent users from filling the disk)
Creating Quota Templates – standard templates: 100 MB Limit, 200 MB Limit Reports To User, 200 MB Limit With 50 MB Extension, 250 MB Extended Limit, Monitor 200 GB Volume Usage, Monitor 500 MB Share. You can also create your own quota template by copying and editing one of the standard templates.
Dirquota quota add /Path:C:\Shared /SourceTemplate:"200 MB Limit Reports To User" – create a quota from a standard template
Dirquota quota add /Path:C:\Shared /Limit:100MB /Type:Hard – hard limit of 100 MB
Sharing Folders from Windows Explorer – right-click a folder and choose Share; you have several permission levels: Reader (read access only), Contributor (read and write), Co-owner (full read and write access, can change file permissions), Owner (assigned to the user who creates the share, Full Control)
Sharing Folders from a Command Prompt – using the net share command
Net share – to view the existing shared folders
Net share ShareName=Path [/GRANT:user,[READ|CHANGE|FULL]] [/CACHE:Manual|Documents|Programs|None] – to create a share
Net share Files=C:\Shared – shares the C:\Shared folder as Files
Net share Files /DELETE – to remove a share
Net share /? – for complete usage information
Connecting to Shared Folders – if you share the folder Docs on the server MyServer: \\MyServer\Docs
Net use Z: \\MyServer\Docs – map the Z drive to the shared folder
Creating a DFS Namespace – a namespace can be hosted on a single server or on multiple servers. After creating it in Server Manager, you can adjust settings in the namespace Properties dialog box. 3 tabs:
General – description for the namespace
Referrals – gives you control over how multiple targets in a referral list are ordered. Options are Random Order, Lowest Cost, Exclude Targets Outside Of The Client's Site (if you would rather have clients fail than access a target in a different Active Directory site)
Advanced – two polling configurations: Optimize For Consistency (query the PDC emulator) or Optimize For Scalability (query the closest domain controller)
Configuring DFS from a command prompt or a script
dfsutil domain <domain_name> – to view the DFS roots in a domain
dfsutil server <server_name> – to view the roots on a specific server
dfsutil target \\<domain_name>\<namespace_root> – to view the targets of a namespace
dfsutil link \\<domain_name>\<namespace_root>\<folder> – to view the targets for a folder
dfsutil client siteinfo <client_name> – to view which Active Directory site a client participates in
Backing up and Restoring Files – Windows Server Backup can back up and recover files and entire volumes
Shadow Copies – allow backup software to access files that are in use
Vssadmin create shadow /For=C: – creates a shadow copy of the C: volume
Vssadmin list shadowstorage – to view the storage currently allocated to shadow copies
Vssadmin list shadows – to view available shadow copies and the time they were created
Vssadmin revert shadow /Shadow={56036723-cdcc-49ef-98a4-445b1645770e} – to revert to a previous shadow copy you have to specify the shadow copy ID
Wbadmin start backup -backupTarget:L: -include:C: -quiet – initiate a backup from a command prompt
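The share and NTFS permission material above describes two layers of access control on the same folder; the check a practitioner wants is where both layers grant write access to a broad group. The following audit script is an added example, not part of the original notes: it lists the ordinary disk shares on a file server, reads each share's share-level ACL through WMI and its folder's NTFS ACL through Get-Acl, and reports grants to broad principals. The list of "broad" principals and the write-rights pattern are this script's assumptions; run it locally on the file server so the share paths resolve.

```powershell
# Added example, not part of the original notes: audit a file server's shares
# for share-level and NTFS grants that give write access to broad groups.
# The "broad" principal list is an assumption; extend it for your environment.
# Run on the file server itself so Get-Acl can open the local share paths.

$BroadPrincipals = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'Domain Computers'
$WriteRights     = 'FullControl|Modify|Write|ChangePermissions|TakeOwnership'

function Test-BroadPrincipal {
    # 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users' and 'Everyone' all count.
    param([string] $Identity)
    if (-not $Identity) { return $false }
    $name = $Identity.Split('\')[-1]
    return [bool]($BroadPrincipals -contains $name)
}

function Get-DiskShares {
    # Type 0 = ordinary disk share; C$ and ADMIN$ carry the 0x80000000 bit and are skipped.
    param([string] $ComputerName = '.')
    Get-WmiObject -Class Win32_Share -ComputerName $ComputerName | Where-Object { $_.Type -eq 0 }
}

function Get-BroadShareGrants {
    # Share-level Allow ACEs that let a broad principal write. Share masks:
    # Full Control 0x1F01FF, Change 0x1301BF, Read 0x1200A9; only the first two
    # include FILE_WRITE_DATA (0x2), which is the bit tested here.
    param([Parameter(Mandatory=$true)] [string] $ShareName, [string] $ComputerName = '.')
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName -Filter "Name='$ShareName'"
    if (-not $setting) { return }
    $dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
    foreach ($ace in $dacl) {
        $who = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
        if ($ace.AceType -eq 0 -and (Test-BroadPrincipal $who) -and (($ace.AccessMask -band 0x2) -ne 0)) {
            $level = switch ($ace.AccessMask) { 0x1F01FF { 'Full Control' } 0x1301BF { 'Change' } default { '0x{0:X}' -f $ace.AccessMask } }
            "$who : $level"
        }
    }
}

function Get-BroadNtfsGrants {
    # NTFS Allow ACEs on the shared folder that give a broad principal write-class rights.
    param([Parameter(Mandatory=$true)] [string] $Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $rights = $ace.FileSystemRights.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and
            (Test-BroadPrincipal $ace.IdentityReference.Value) -and
            ($rights -match $WriteRights -or $rights -eq '268435456')) {   # 268435456 = GENERIC_ALL on inherit-only ACEs
            "$($ace.IdentityReference.Value) : $rights"
        }
    }
}

function Get-ShareAudit {
    param([string] $ComputerName = '.')
    foreach ($share in Get-DiskShares -ComputerName $ComputerName) {
        New-Object PSObject -Property @{
            Share      = $share.Name
            Path       = $share.Path
            BroadShare = (@(Get-BroadShareGrants -ShareName $share.Name -ComputerName $ComputerName) -join '; ')
            BroadNtfs  = (@(Get-BroadNtfsGrants -Path $share.Path) -join '; ')
        }
    }
}

# Usage: a row with text in both BroadShare and BroadNtfs is writable by a
# broad group at both layers, which is the combination to fix first.
Get-ShareAudit | Format-Table Share, Path, BroadShare, BroadNtfs -AutoSize
```

Effective access is the intersection of the two layers, so a share that shows Everyone : Change at the share level but nothing in the NTFS column is still constrained by NTFS; the reverse (tight share permissions, loose NTFS) protects only against network access and not against users who log on to the server or reach the folder through another share of the same tree.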
Chapter 12 – Managing Printers
The Print Services server role adds the Print Management snap-in, which simplifies printer configuration. You can choose between the role services Print Server, LPD Service (for UNIX clients), and Internet Printing (print using IPP from a Web browser; requires IIS).
Users can manage their own documents in the print queue but not other users' documents; administrators can manage any user's documents. You can configure the following permissions: Print (users can print), Manage Printers (users can change the printer configuration), Manage Documents (users can pause, resume and remove any documents in the queue).
Migrating Printers – quickly migrate a print server to another computer by exporting the printers to a file in the Print Management snap-in and importing the file on the new server
You can also migrate printers from a command prompt using the PrintBRM tool, which is located in the %SystemRoot%\System32\spool\tools folder.
Printbrm -b -f printers.printerexport – export (back up) the printers to a file
Printbrm -r -f printers.printerexport – to import (restore) the printers from a command prompt or a script
Monitoring Printers – monitor printer usage in real time using the Performance Monitor snap-in (Print Queue performance object)
Most useful counters: Job Errors and Out Of Paper Errors, Jobs and Jobs Spooling, Total Pages Printed and Total Jobs Printed.
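The PrintBRM migration from a script, as an added example that is not part of the original notes: export from the old print server, confirm the export file is actually there, check that the Print Spooler is running on the new server, and import, stopping on the first error since printbrm reports failures only in its console output. OLDPRINT, NEWPRINT and the export path are placeholders; the -s switch for operating against a remote print server is part of printbrm itself.

```powershell
# Added example, not from the original notes: scripted print server migration
# with PrintBRM plus the checks the notes leave to the operator.
# OLDPRINT / NEWPRINT / C:\migrate\printers.printerexport are placeholders.
$PrintBrm = Join-Path $env:SystemRoot 'System32\spool\tools\printbrm.exe'

function Invoke-PrintBrm {
    # Runs printbrm with the given arguments and turns a non-zero exit code
    # into a terminating error that carries the tool's own output.
    param([Parameter(Mandatory=$true)] [string[]] $Arguments)
    if (-not (Test-Path $PrintBrm)) {
        throw "PrintBRM not found at $PrintBrm (is the Print Services role installed?)"
    }
    $output = & $PrintBrm @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "printbrm $($Arguments -join ' ') failed with exit code $LASTEXITCODE`n$output"
    }
    return $output
}

function Export-PrintServer {
    # Equivalent of "printbrm -s \\OLDPRINT -b -f <file>" with a result check.
    param([Parameter(Mandatory=$true)] [string] $Server, [Parameter(Mandatory=$true)] [string] $File)
    if (Test-Path $File) { throw "$File already exists; refusing to overwrite an earlier export" }
    Invoke-PrintBrm -Arguments @('-s', "\\$Server", '-b', '-f', $File) | Out-Null
    if (-not (Test-Path $File)) { throw "printbrm reported success but $File was not created" }
    return (Get-Item $File).Length        # bytes exported, useful for a log line
}

function Import-PrintServer {
    # Equivalent of "printbrm -s \\NEWPRINT -r -f <file>", preceded by a spooler check.
    param([Parameter(Mandatory=$true)] [string] $Server, [Parameter(Mandatory=$true)] [string] $File)
    $spooler = Get-Service -Name Spooler -ComputerName $Server
    if ($spooler.Status -ne 'Running') { throw "Print Spooler on $Server is $($spooler.Status)" }
    Invoke-PrintBrm -Arguments @('-s', "\\$Server", '-r', '-f', $File)
}

# Usage (run as an administrator of both print servers):
# $bytes = Export-PrintServer -Server OLDPRINT -File C:\migrate\printers.printerexport
# Import-PrintServer -Server NEWPRINT -File C:\migrate\printers.printerexport
```

After the import, the print queues exist on the new server with the permissions they had on the old one, so re-check the Print / Manage Printers / Manage Documents grants listed above before pointing clients at NEWPRINT.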