Q2 G10 CSS Learning Material 1 1

This document is a learning material for a Technical Vocational Education program focused on Computer Systems Servicing for the school year 2020-2021. It includes various lessons on configuring network services and performing testing and documentation procedures, with detailed activity sheets, pre-tests, and information sheets for each lesson. The curriculum is structured over several weeks, covering topics such as user security, domain creation, group policy design, and remote desktop sharing.

Uploaded by

hannasheenibojo

10

Special Program for Technical Vocational Education

COMPUTER SYSTEMS
SERVICING

LEARNING MATERIAL
Quarter 2

Developed by: DIANA P. CUIZON
School Year: 2020 - 2021
TANZA NATIONAL TRADE SCHOOL
Technical Vocational Education
SPTVE Computer Systems Servicing
Weekly Learning Activity Sheets

Table of Contents Pages Date/Duration

Introduction 4
PRE-TEST 5
Quarter 2: SETTING UP COMPUTER SERVERS
LO 2: Configure network services
Lesson 1 Setting up Client/User Security 11 Week 1
Activity Sheet 1.1 11
Pre-Test 1.1 12
Activity Sheet 1.2 13
Information Sheet 1.1 14
Operation Sheet 1.1 18
Activity Sheet 1.3 24
Self-Check 1.1 25
Assignment Sheet 1.1 26

Lesson 2 Creating Users to Domain 27 Week 2
Activity Sheet 2.1 27
Pre-Test 2.1 28
Activity Sheet 2.2 29
Information Sheet 2.1 30
Information Sheet 2.2 42
Operation Sheet 2.1 44
Activity Sheet 2.3 48
Self-Check 2.1 49
Assignment Sheet 2.1 51

Lesson 3 Designing a Group Policy Infrastructure 52 Week 3
Activity Sheet 3.1 52
Pre-Test 3.1 53
Activity Sheet 3.2 54
Information Sheet 3.1 54
Operation Sheet 3.1 63
Activity Sheet 3.3 70
Self-Check 3.1 71
Assignment Sheet 3.1 72

LO 3: Perform testing, documentation, and pre-deployment procedures
Lesson 4 Using Folder Redirection 73 Week 4 - 5
Activity Sheet 4.1 73
Pre-Test 4.1 74
Activity Sheet 4.2 75
Information Sheet 4.1 76
Operation Sheet 4.1 84
Activity Sheet 4.3 92
Self-Check 4.1 93
Assignment Sheet 4.1 94

Lesson 5 Print and Document Services Deployment 95 Week 6 - 7
Activity Sheet 5.1 95
Pre-Test 5.1 96
Activity Sheet 5.2 97
Information Sheet 5.1 98
Information Sheet 5.2 105
Activity Sheet 5.3 124
Self-Check 5.1 125
Assignment Sheet 5.1 126

Lesson 6 Configuring and Testing Remote Desktop Sharing 127 Week 8
Activity Sheet 6.1 127
Pre-Test 6.1 128
Activity Sheet 6.2 129
Information Sheet 6.1 130
Operation Sheet 6.1 133
Self-Check 6.1 143
Assignment Sheet 6.1 144

PRE-TEST Answer Key 145
References 147

Introduction

In this learning material, there will be two (2) most essential learning
competencies that you will encounter: (1) Configure network services and (2) Perform
testing, documentation, and pre-deployment procedures. The two most essential
learning competencies contain sub-topics that discuss the details on setting up
computer servers.

The competencies for this learning material are:

LO 2: Configure network services


2.1 Check normal server function in accordance with manufacturer’s
instructions
2.2 Install and update required modules/add-ons on NOS installation
procedures
2.3 Confirm network services based on user/system requirements
2.4 Check operation of network services based on user/system requirements
2.5 Respond to unplanned events or conditions in accordance with established
procedures

LO 3: Perform testing, documentation, and pre-deployment procedures


3.1 Undertake pre-deployment procedures based on enterprise policies and
procedures
3.2 Undertake operation and security check based on end-user requirements
3.3 Prepare reports according to enterprise policies and procedures
3.4 Complete reports according to enterprise policies and procedures

Pre-Test

Direction: Choose the correct answer from the given choices. Write your answer on a
separate sheet of paper.

1. This involves setting up and maintaining account information for users and
computers.
A. Authentication C. Confidentiality
B. Identification D. Integrity
2. Used to determine the access rights of a user or computer during the current
session.
A. Authentication C. Confidentiality
B. Identification D. Integrity
3. Encryption as data crosses exposed portions of a network.
A. Authentication C. Confidentiality
B. Identification D. Integrity
4. Help to ensure that the content of a message or data file has not been modified
when it travels over a network.
A. Authentication C. Confidentiality
B. Identification D. Integrity
5. Used to prove that the message was sent, that it was delivered, and that it was
received.
A. Trust C. Nonrepudiation
B. Computer name D. Audit entries
6. Allows or disallows authentication traffic to flow between two or more domains.
A. Trust C. Nonrepudiation
B. Computer name D. Audit entries
7. Used to identify system use and misuse, and to diagnose system behavior.
A. Trust C. Nonrepudiation
B. Computer name D. Audit entries
8. A unique name that identifies the computer to a computer network.
A. Trust C. Nonrepudiation

5
B. Computer name D. Audit entries
9. Microsoft's term for a peer-to-peer local area network.
A. Domain C. Forest Owners
B. OU Owners D. Workgroup

10. Collection of administratively defined objects that share a common directory
database.
A. Domain C. Forest Owners
B. OU Owners D. Workgroup
11. Responsible for creating organizational unit (OU) designs for their domains.
A. Domain C. Forest Owners
B. OU Owners D. Workgroup
12. Data managers who control a subtree of objects in Active Directory Domain
Services.
A. Domain C. Forest Owners
B. OU Owners D. Workgroup
13. Provide administrative autonomy and the means to control visibility of objects in
the directory.
A. Account OU C. Executive Sponsor
B. Organizational Unit D. Resource OU
14. Contain user, group, and computer objects.
A. Account OU C. Executive Sponsor
B. Organizational Unit D. Resource OU
15. Contain resources and the accounts that are responsible for managing those
resources.
A. Account OU C. Executive Sponsor
B. Organizational Unit D. Resource OU
16. Understands the business value of the deployment, supports the project at the
executive level, and can help resolve conflicts across the organization.
A. Account OU C. Executive Sponsor
B. Organizational Unit D. Resource OU

17. Provides technical expertise to assist with the process of designing and deploying
AD DS.
A. Administrators C. Architect
B. Owners D. Project Manager
18. Facilitates cooperation across business units and between technology
management groups.
A. Administrators C. Architect
B. Owners D. Project Manager
19. Responsible for communicating to administrators the tasks required for the
implementation of the Active Directory design such as the creation of new domain
controllers within the forest.
A. Administrators C. Architect
B. Owners D. Project Manager
20. Responsible for implementing the design on the network according to the design
specifications.
A. Administrators C. Architect
B. Owners D. Project Manager
21. Responsible for planning and long-term maintenance of the Active Directory
infrastructure
A. Site Topology Owner C. Service Owners
B. DNS For AD DS Owner D. Data Owners
22. Responsible for the maintenance of the information stored in the directory.
A. Site Topology Owner C. Service Owners
B. DNS For AD DS Owner D. Data Owners
23. Individual who has a thorough understanding of the existing DNS infrastructure
and the existing namespace of the organization.
A. Site Topology Owner C. Service Owners
B. DNS For AD DS Owner D. Data Owners
24. Familiar with the physical structure of the organization network, including mapping
of individual subnets, routers, and network areas that are connected by means of
slow links.
A. Site Topology Owner C. Service Owners
B. DNS For AD DS Owner D. Data Owners
25. Enables Active Directory–based change and configuration management of user
and computer settings on computers running a member of the Microsoft®
Windows® Server or Microsoft Windows® families of operating systems.
A. File and Storage Services C. Group Policy
B. Group Policy Management Console D. Group Policy Object Editor
26. Used to create a Group Policy object
A. File and Storage Services C. Group Policy
B. Group Policy Management Console D. Group Policy Object Editor
27. Used to edit a new Group Policy object.
A. File and Storage Services C. Group Policy
B. Group Policy Management Console D. Group Policy Object Editor
28. Includes technologies that help you set up and manage one or more file servers,
which are servers that provide central locations on your network where you can
store files and share them with users.
A. File and Storage Services C. Group Policy
B. Group Policy Management Console D. Group Policy Object Editor
29. Enables you to redirect the location of specific folders within user profiles to a new
location, such as a shared network location.
A. x64-based or x86-based computer C. Target tab
B. Group Policy Management Console D. Folder Redirection
30. Where you can configure Folder Redirection to redirect specific user profile folders,
as well as edit Folder Redirection policy settings.
A. x64-based or x86-based computer C. Target tab
B. Group Policy Management Console D. Folder Redirection
31. Hardware requirements for folder redirection.
A. x64-based or x86-based computer C. Target tab
B. Group Policy Management Console D. Folder Redirection
32. Enables you to select the location of the redirected folder on a network or in the
local user profile.
A. x64-based or x86-based computer C. Target tab
B. Group Policy Management Console D. Folder Redirection

33. This setting enables you to redirect everyone's folder to the same location and will
be applied to all users included in the Group Policy object.
A. Advanced—Specify locations for various user groups
B. Basic—Redirect everyone's folder to the same location
C. Redirect to the following location
D. Redirect to the local user profile location
34. This option will use an explicit path to the redirection location.
A. Advanced—Specify locations for various user groups
B. Basic—Redirect everyone's folder to the same location
C. Redirect to the following location
D. Redirect to the local user profile location
35. This option will move the location of the folder to the local user profile under
the Users folder.
A. Advanced—Specify locations for various user groups
B. Basic—Redirect everyone's folder to the same location
C. Redirect to the following location
D. Redirect to the local user profile location
36. This setting enables you to specify redirection behavior for the folder based on the
security group memberships for the GPO.
A. Advanced—Specify locations for various user groups
B. Basic—Redirect everyone's folder to the same location
C. Redirect to the following location
D. Redirect to the local user profile location
37. No changes are being made to the current location of this folder.
A. Fax Service Manager C. Not configured
B. Print Management D. Scan Management
38. This snap-in enables you to manage printers, print queues, printer drivers, and
printer connections.
A. Fax Service Manager C. Not configured
B. Print Management D. Scan Management

39. This snap-in enables you to manage scanners and scan processes. Scan
processes allow you to define how to process scanned documents, and then route
them to network folders, SharePoint sites, and to e-mail recipients.
A. Fax Service Manager C. Not configured
B. Print Management D. Scan Management
40. This snap-in enables you to configure fax devices for incoming and outgoing fax
traffic, specify who can use a fax device, set routing rules for incoming and
outgoing faxes, and configure a fax archiving policy.
A. Fax Service Manager C. Not configured
B. Print Management D. Scan Management

LESSON 1 Setting Up Client/User Access and Security

Learning Objectives
At the end of the lesson, the learner should be able to:
a. Identify users in the network.
b. Setup Client/User security
c. Understand the importance of Client/ User security

ACTIVITY SHEET 1.1


Technical Terms

Direction: Try to find ten terminologies related to the lesson.

Pre-Test 1.1

Direction: Choose the correct answer from the given choices. Write your answer on a
separate sheet of paper.

A. Audit entries F. Identification
B. Authentication G. Integrity
C. Computer name H. Nonrepudiation
D. Confidentiality I. Trust
E. Domain J. Workgroup

1. A unique name that identifies the computer to a computer network.
2. Allows or disallows authentication traffic to flow between two or more domains.
3. Collection of administratively defined objects that share a common directory
database.
4. Encryption as data crosses exposed portions of a network.
5. Help to ensure that the content of a message or data file has not been modified
when it travels over a network.
6. Microsoft's term for a peer-to-peer local area network.
7. This involves setting up and maintaining account information for users and
computers.
8. Used to determine the access rights of a user or computer during the current
session.
9. Used to identify system use and misuse, and to diagnose system behavior.
10. Used to prove that the message was sent, that it was delivered, and that it was
received.

ACTIVITY SHEET 1.2
Let Us Review

Answer the following questions on a separate sheet of paper or on your portfolio


notebook.
1. How do we use dcpromo?
2. What is the role of ADDS?
3. What is the role of a DNS?
4. What is the role of DHCP?
5. What is a DHCP scope?

INFORMATION SHEET 1.1
Security information for Active Directory

Active Directory® provides a secure directory environment for your organization
using built-in logon authentication and user authorization, which are core features of
the Local Security Authority (LSA). Logon authentication and user authorization are
available by default and provide immediate protection for network access and network
resources.

Protecting access to the network

Active Directory requires confirmation of the identity of a user before allowing
access to the network, a process known as authentication. Users only need to provide
a single sign-on to the domain (or to trusted domains) to gain access to the network.
Once Active Directory confirms the identity of the user, the LSA on the authenticating
domain controller generates an access token that determines what level of access that
user has on network resources.

Active Directory supports a number of secure Internet-standard protocols and
authentication mechanisms used to prove identity upon logon, including Kerberos V5,
X.509 v3 certificates, smart cards, public key infrastructure (PKI) and Lightweight
Directory Access Protocol (LDAP) over SSL/TLS (LDAPS).

Authentication between domains occurs through trusts. A trust is a relationship
established between two or more domains to allow users in one domain to be
authenticated by a domain controller in another domain.

Trust relationships can be transitive or nontransitive but must always be present in
order for users in one domain to access shared resources in another domain.

In addition to securing network access through authentication, Active Directory helps
to protect shared resources by facilitating user authorization. Once a user logon has
been authenticated by Active Directory, the user rights assigned to the user through
security groups and the permissions assigned on the shared resource will determine
if the user will be authorized to access that resource. This authorization process
protects shared resources from unauthorized access and permits access to only
authorized users or groups.
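The following PowerShell is an added example, not code from the learning material. It shows the two halves of the authorization decision described above on a real resource: the SIDs that the user's access token carries, and the access control entries (ACEs) on the resource that match them. $Path is a placeholder for a local folder or UNC share on a domain-joined Windows machine; run it as the user whose access you want to inspect.

```powershell
# Added example, not from the learning material: show the authorization step
# the text describes on a real resource. $Path is a placeholder for a local
# folder or UNC share; run the script as the user whose access you want to see.
$Path = 'C:\Shares\Finance'

# 1. Contents of the access token: the user's own SID plus the SID of every
#    group the user belongs to (whoami /groups shows the same list).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
"Token for $($identity.Name) carries $($tokenSids.Count) SIDs"

# 2. Access control entries on the resource whose trustee SID appears in the
#    token. Entries for groups the user is not in never take part in the decision.
$acl      = Get-Acl -Path $Path
$matching = foreach ($ace in $acl.Access) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($tokenSids -contains $sid) { $ace }
}

# Deny entries are evaluated before Allow entries, so a user in an allowed group
# can still be refused; list them first to make that visible.
$matching |
    Sort-Object { $_.AccessControlType -ne 'Deny' } |
    Select-Object AccessControlType, IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# 3. Let the operating system make the actual access check rather than trusting
#    the listing above.
try {
    Get-ChildItem -Path $Path -ErrorAction Stop | Out-Null
    "Access check: $($identity.Name) can list $Path"
} catch {
    "Access check failed for ${Path}: $($_.CategoryInfo.Category)"
}
```

Two points a practitioner should keep in mind when reading the output. First, the kernel walks the ACEs in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and accumulates rights, so the listing explains why a user can or cannot open the share, but step 3 is the authoritative verdict. Second, the token is built at logon: adding a user to a security group does not change the access they already have in the current session until they log off and on again, which is exactly what "during the current session" in the Authentication principle means.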

Windows Security Collection

As organizations expand the availability of network data, applications, and
systems, it becomes more challenging to ensure the security of the network
infrastructure. Security technologies in the Microsoft Windows Server operating
system enable organizations to better protect their network resources and
organizational assets in increasingly complex environments and business scenarios.

Fundamental Security Principles

Windows Server security technologies address fundamental security
requirements that help meet the complex security needs of organizations of all types
and sizes. Windows Server security is based on the following fundamental principles:

• Identification. To help ensure that only the appropriate users and computers have
access to resources, it is first necessary to identify users and computers on the
network. This involves setting up and maintaining account information for users
and computers, preferably in a single, easy-to-access location so that it is easy to
set up, modify, and maintain. The user name generally is a unique identifier.

• Authentication. The authentication process validates the authentication data of a
user or computer against the information in a database. This authentication data can
include the user name, logon domain, password, and other credentials. After a user
or computer has been authenticated, the operating system examines the privileges
that are assigned to the user account. The information relating to the user in the
account database is used to create an access token, which is then used to determine
the access rights of a user or computer during the current session.

• Authorization and access control. Access rights to a given resource are validated
based on access control lists (ACLs) associated with the resource. The contents of
the access token are compared to the contents of the ACL in order to determine the
rights of the user in regard to the resource.

• Confidentiality. Confidentiality helps prevent the intentional or unintentional
disclosure of data or of the actions that a user is performing on the data — for example,
a withdrawal from a bank account. Confidentiality is typically accomplished by means
of encryption as data crosses exposed portions of a network.

• Integrity. Integrity services help to ensure that the content of a message or data file
has not been modified when it travels over a network.

• Nonrepudiation. Nonrepudiation, an extension of authentication and integrity,
prevents a user from denying, after the fact, that they sent a message or signed a
document. It can also be used to prove that the message was sent, that it was
delivered, and that it was received.

• Trusts. Logical relationships are established between domains, by means of trusts,
to allow pass-through authentication, in which one domain accepts the logon
authentications of the other domain. A trust either allows or disallows authentication
traffic to flow between two or more domains.

• Audit entries. Audit entries represent data that is recorded in the security event log
of a server or workstation when specified system, application, and security-related
events take place. Audit entries provide valuable data about system operations, which
can be used to identify system use and misuse, and to diagnose system behavior.

Security Architecture

The Windows Server security infrastructure consists of the following components:

• Logon and authentication technologies. Logon and authentication technologies
include a variety of protocols, including Kerberos version 5 authentication, NTLM,
Secure Sockets Layer/Transport Layer Security (SSL/TLS), and Digest; as well as
features such as Stored User Names and Passwords that enable single sign-on (SSO)
and reduced sign-on (RSO).

• Authorization and access control technologies. The ACL-based impersonation
model and a new roles-based protected subsystem model enable extremely flexible
and manageable authorization and access control strategies.

• Data security technologies. Encrypting File System (EFS), Internet Protocol
security (IPSec), system key utility (Syskey), and Routing and Remote Access
Services (RRAS) provide additional security for data under a variety of special
circumstances. Note that Syskey has been removed from Windows 10 and Windows
Server starting with version 1709; on current systems, protect the SAM database and
other secrets at rest with BitLocker instead.

• Group Policy technologies. Group Policy options that can enhance security
management include security policy and software restriction policies.

• Trust technologies. Trusts can be established between domains and across forests
to improve security and business processes for complex organizations.

• Public key infrastructure (PKI) technologies. Certificates, Certificate Services,
and certificate policy-enabled qualified subordination can be used to support a variety
of application-specific security solutions.

Each of these sets of technologies can be used in conjunction with the other sets of
technologies — such as networking and storage — to enable secure network-enabled
business processes.
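The "Audit entries" principle above and the logon protocols listed under "Logon and authentication technologies" (Kerberos, NTLM, and so on) meet in the Security event log: every logon attempt is recorded with the account, the source address, the authentication package used, and whether it succeeded. The following PowerShell is an added example, not code from the learning material. It reads those audit entries and produces the two summaries an administrator checking for misuse would start with. It assumes an elevated prompt on a Windows server or workstation with "Audit Logon" success and failure auditing enabled; event IDs 4624 (logon succeeded) and 4625 (logon failed) are the standard Windows logon events.

```powershell
# Added example (not from the learning material): read audit entries from the
# Security event log and turn them into two reports:
#   1. failed logons (Event ID 4625) grouped by target account, with source IPs
#   2. successful logons (Event ID 4624) grouped by authentication package,
#      which shows how much NTLM is still in use next to Kerberos
# Requirements: run elevated (the Security log is not readable otherwise) and
# have "Audit Logon" auditing enabled (check with: auditpol /get /subcategory:Logon).

$Since = (Get-Date).AddHours(-24)

function Convert-LogonEvent {
    # Flatten the EventData section of a 4624/4625 record into a simple object.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Id          = $Event.Id
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']                 # 2 interactive, 3 network, 10 RDP
            AuthPackage = $data['AuthenticationPackageName'] # Kerberos, NTLM, Negotiate
            Source      = $data['IpAddress']
            SubStatus   = $data['SubStatus']                 # 0xC000006A bad password, 0xC0000064 unknown user
        }
    }
}

$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }
$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Convert-LogonEvent

"== Failed logons since $Since (possible misuse or password guessing) =="
$logons | Where-Object Id -eq 4625 |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object @{n='Account';e={$_.Name}}, Count,
                  @{n='Sources';e={ ($_.Group.Source | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize

"== Successful logons by authentication package =="
$logons | Where-Object Id -eq 4624 |
    Group-Object AuthPackage | Sort-Object Count -Descending |
    Select-Object @{n='Package';e={$_.Name}}, Count |
    Format-Table -AutoSize
```

How to read the output: many failures against one account from one source look like a brute-force attempt; a few failures each against many accounts from the same source in a short window is the password-spraying pattern, which a per-account view alone can hide, so group by Source as well when that is suspected. A large NTLM share in the second table means clients are not using Kerberos (often because they connect by IP address rather than host name), which is the first thing to fix before restricting NTLM through Group Policy.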

OPERATION SHEET 1.1
Join Computer to Domain

1. To get started, save all work and close all programs.

2. Click the Start button, right click the mouse over Computer and
select Properties.

3. In Computer Name, Domain and Workgroup Settings, select Change
Settings.

4. Select the Computer Name tab in the System Properties dialog box then add a
Computer description.

5. Next to 'To rename this computer...', click Change.

6. Change the Computer Name and press OK.

7. Select Member of Domain or Workgroup - enter the name and press OK.

8. Click OK at the Restart Computer dialog box.

9. When the Windows Security prompt appears, enter the user name and password of
an account that has permission to join computers to the domain.

10. To apply changes click OK, then select 'Restart Now'.
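The same rename-and-join procedure can be run from an elevated PowerShell prompt instead of the System Properties dialog. The script below is an added example, not part of the operation sheet; it needs Windows PowerShell 3.0 or later, and the computer name, domain name and OU path are placeholders you replace with your own.

```powershell
# Added example, not part of the operation sheet: rename a workstation and join
# it to a domain from an elevated PowerShell prompt (Windows PowerShell 3.0 or
# later). All names below are placeholders.
$NewName    = 'WS-LAB01'                            # assumed new computer name
$DomainName = 'school.local'                        # assumed domain
$OUPath     = 'OU=Workstations,DC=school,DC=local'  # assumed target OU

# Ask for an account that is allowed to create the computer object. Prefer an
# account that only has "Create Computer objects" delegated on $OUPath over a
# Domain Admin; by default any authenticated user may also join up to 10
# computers (ms-DS-MachineAccountQuota).
$Cred = Get-Credential -Message "Account allowed to join $DomainName"

# Rename and join in one operation; -Restart reboots so both changes apply,
# -Force suppresses the confirmation prompt shown as step 8 in the GUI.
Add-Computer -DomainName $DomainName -NewName $NewName -OUPath $OUPath `
             -Credential $Cred -Restart -Force

# After the reboot, log on with a domain account and verify the join:
#   (Get-CimInstance Win32_ComputerSystem).Domain   # should print school.local
#   Test-ComputerSecureChannel -Verbose              # True: machine account trust is healthy
```

If the join fails with an access-denied error, the account lacks rights on the OU or the join quota is used up. If it fails because the domain cannot be found, point the client's DNS at a domain controller first: the client locates the domain through DNS SRV records, so a client using the router or a public resolver for DNS cannot join.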

ACTIVITY SHEET 1.3
How Do I Change A Computer Name And Domain
Or Workgroup In Windows 7?
Direction: Arrange the following procedures in their proper order. Label them with
the letters A to J to show the correct sequence.

1. Select the Computer Name tab in the System Properties dialog box then add
a Computer description.
2. Select Member of Domain or Workgroup - enter the name and press OK.
3. Save all work and close all programs first.
4. Next to 'To rename this computer...', click Change.
5. In Computer Name, Domain and Workgroup Settings, select Change
Settings.
6. To apply changes click OK, then select 'Restart Now'.
7. Click OK at the Restart Computer dialog box.
8. When the Windows Security prompt appears, enter the credentials of an account
that has permission to join computers to the domain.
9. Click the Start button, right click the mouse over Computer and
select Properties.
10. Change the Computer Name and press OK.

SELF CHECK 1.1

Direction: Choose the correct answer from the given options. Write your answers on
a separate sheet of pad paper.

A. Workgroup F. Domain
B. Trust G. Confidentiality
C. Nonrepudiation H. Computer name
D. Integrity I. Authentication
E. Identification J. Audit entries

1. This involves setting up and maintaining account information for users and
computers.
2. Used to determine the access rights of a user or computer during the current
session.
3. Encryption as data crosses exposed portions of a network.
4. Help to ensure that the content of a message or data file has not been modified
when it travels over a network.
5. Used to prove that the message was sent, that it was delivered, and that it was
received.
6. Allows or disallows authentication traffic to flow between two or more domains.
7. Used to identify system use and misuse, and to diagnose system behavior.
8. A unique name that identifies the computer to a computer network.
9. Microsoft's term for a peer-to-peer local area network.
10. Collection of administratively defined objects that share a common directory
database.

ASSIGNMENT SHEET 1.1

Direction: On your portfolio notebook, write your insight about the lesson

I understand that __________________________________

I realize that _____________________________________

LESSON 2 Creating Users to Domain

Learning Objectives
At the end of the lesson, the learner should be able to:
a. Identify the deployment project participants
b. Create an Organizational Unit Design
c. Know the importance of creating organizational unit for the application of
Group Policy

ACTIVITY SHEET 2.1


Technical Terms

Direction: Try to find ten terminologies related to our lesson.

Pre-Test 2.1

Direction: Choose the correct answer from the given choices. Write your answer on a
separate sheet of paper.

A. Site Topology Owner I. Forest Owner
B. Service Owners J. Executive Sponsor
C. Resource OU K. DNS For AD DS Owner
D. Project Manager L. Data Owners
E. Owners M. Architect
F. OU Owners N. Administrators
G. OU O. Account OU
H. Forest Owner

1. Responsible for creating organizational unit (OU) designs for their domains.
2. Data managers who control a subtree of objects in Active Directory Domain
Services.
3. Provide administrative autonomy and the means to control visibility of objects
in the directory.
4. Contain user, group, and computer objects.
5. Contain resources and the accounts that are responsible for managing those
resources.
6. Understands the business value of the deployment, supports the project at the
executive level, and can help resolve conflicts across the organization.
7. Provides technical expertise to assist with the process of designing and
deploying AD DS.
8. Facilitates cooperation across business units and between technology
management groups.
9. Responsible for communicating to administrators the tasks required for the
implementation of the Active Directory design such as the creation of new
domain controllers within the forest.
10. Responsible for implementing the design on the network according to the
design specifications.
11. Responsible for planning and long-term maintenance of the Active Directory
infrastructure
12. Responsible for the maintenance of the information stored in the directory.
13. Senior information technology (IT) manager in the organization who is
responsible for the Active Directory deployment process
14. Individual who has a thorough understanding of the existing DNS infrastructure
and the existing namespace of the organization.
15. Familiar with the physical structure of the organization network, including
mapping of individual subnets, routers, and network areas that are connected
by means of slow links.

ACTIVITY SHEET 2.2


Let Us Review

Direction: Answer the following questions on your portfolio notebook.

1. How does Active Directory protect the network?

2. What are the different fundamental security principles?

INFORMATION SHEET 2.1
Identifying the Deployment Project Participants

The first step in establishing a deployment project for Active Directory Domain Services
(AD DS) is to establish the design and deployment project teams that will be
responsible for managing the design phase and deployment phase of the
Active Directory project cycle. In addition, you must identify the individuals and groups
who will be responsible for owning and maintaining the directory after the deployment
is completed.

• Defining project-specific roles

• Establishing owners and administrators

• Building project teams

Defining project-specific roles

An important step in establishing the project teams is to identify the individuals who
are to hold project-specific roles. These include the executive sponsor, the project
architect, and the project manager. These individuals are responsible for running the
Active Directory deployment project.

After you appoint the project architect and project manager, these individuals establish
channels of communication throughout the organization, build project schedules, and
identify the individuals who will be members of the project teams, beginning with the
various owners.

Executive sponsor

Deploying an infrastructure such as AD DS can have a wide-ranging impact on an
organization. For this reason, it is important to have an executive sponsor who
understands the business value of the deployment, supports the project at the
executive level, and can help resolve conflicts across the organization.

Project architect

Each Active Directory deployment project requires a project architect to manage the
Active Directory design and deployment decision-making process. The architect
provides technical expertise to assist with the process of designing and deploying
AD DS.

Note

If no existing personnel in your organization have directory design experience, you
might want to hire an outside consultant who is an expert in Active Directory design
and deployment.

The responsibilities of the Active Directory project architect include the following:

• Owning the Active Directory design

• Understanding and recording the rationale for key design decisions

• Ensuring that the design meets the business needs of the organization

• Establishing consensus between design, deployment, and operations teams

• Understanding the needs of AD DS–integrated applications

The final Active Directory design must reflect a combination of business goals and
technical decisions. Therefore, the project architect must review design decisions to
ensure that they align with business goals.

Project manager

The project manager facilitates cooperation across business units and between
technology management groups. Ideally, the Active Directory deployment project
manager is someone from within the organization who is familiar with both the
operational policies of the IT group and the design requirements for the groups that
are preparing to deploy AD DS. The project manager oversees the entire deployment
project, beginning with design and continuing through implementation, and makes
sure that the project stays on schedule and within budget. The responsibilities of the
project manager include the following:

• Providing basic project planning such as scheduling and budgeting

• Driving progress on the Active Directory design and deployment project

• Ensuring that the appropriate individuals are involved in each part of the design
process

• Serving as single point of contact for the Active Directory deployment project

• Establishing communication between design, deployment, and operations
teams

• Establishing and maintaining communication with the executive sponsor
throughout the deployment project

Establishing owners and administrators

In an Active Directory deployment project, individuals who are owners are held
accountable by management to make sure that deployment tasks are completed and
that Active Directory design specifications meet the needs of the organization. Owners
do not necessarily have access to or manipulate the directory infrastructure directly.
Administrators are the individuals responsible for completing the required deployment
tasks. Administrators have the network access and permissions necessary to
manipulate the directory and its infrastructure.

The role of the owner is strategic and managerial. Owners are responsible for
communicating to administrators the tasks required for the implementation of the
Active Directory design such as the creation of new domain controllers within the
forest. The administrators are responsible for implementing the design on the network
according to the design specifications.

In large organizations, different individuals fill owner and administrator roles; however,
in some small organizations, the same individual might act as both the owner and the
administrator.

Service and data owners

Managing AD DS on a daily basis involves two types of owners:

• Service owners who are responsible for planning and long-term maintenance
of the Active Directory infrastructure and for ensuring that the directory
continues to function and that the goals established in service level agreements
are maintained

• Data owners who are responsible for the maintenance of the information stored
in the directory. This includes user and computer account management and
management of local resources such as member servers and workstations.

It is important to identify the Active Directory service and data owners early so that
they can participate in as much of the design process as possible. Because the service
and data owners are responsible for the long-term maintenance of the directory after
the deployment project is finished, it is important for these individuals to provide input
regarding organizational needs and to be familiar with how and why certain design
decisions are made. Service owners include the forest owner, the Active Directory
Domain Name System (DNS) owner, and the site topology owner. Data owners
include organizational unit (OU) owners.

Service and data administrators

The operation of AD DS involves two types of administrators: service administrators


and data administrators. Service administrators implement policy decisions made by
service owners and handle the day-to-day tasks associated with maintaining the
directory service and infrastructure. This includes managing the domain controllers
that are hosting the directory service, managing other network services such as DNS
that are required for AD DS, controlling the configuration of forest-wide settings, and
ensuring that the directory is always available.

Service administrators are also responsible for completing ongoing Active Directory
deployment tasks that are required after the initial Windows Server 2008
Active Directory deployment process is complete. For example, as demands on the
directory increase, service administrators create additional domain controllers and
establish or remove trusts between domains, as needed. For this reason, the
Active Directory deployment team needs to include service administrators.

You must be careful to assign service administrator roles only to trusted individuals in
the organization. Because these individuals have the ability to modify the system files
on domain controllers, they can change the behavior of AD DS. You must ensure that
the service administrators in your organization are individuals who are familiar with the
operational and security policies that are in place on your network and who understand
the need to enforce those policies.

Data administrators are users within a domain who are responsible both for
maintaining data that is stored in AD DS such as user and group accounts and for
maintaining computers that are members of their domain. Data administrators control
subsets of objects within the directory and have no control over the installation or
configuration of the directory service.

Data administrator accounts are not provided by default. After the design team
determines how resources are to be managed for the organization, domain owners
must create data administrator accounts and delegate them the appropriate
permissions based on the set of objects for which the administrators are to be
responsible.

It is best to limit the number of service administrators in your organization to the
minimum number required to ensure that the infrastructure continues to function. The
majority of administrative work can be completed by data administrators. Service
administrators require a much wider skill set because they are responsible for
maintaining the directory and the infrastructure that supports it. Data administrators
only require the skills necessary to manage their portion of the directory. Dividing work
assignments in this way results in cost savings for the organization because only a
small number of administrators need to be trained to operate and maintain the entire
directory and its infrastructure.

For example, a service administrator needs to understand how to add a domain to a
forest. This includes how to install the software to convert a server into a domain
controller and how to manipulate the DNS environment so that the domain controller
can be merged seamlessly into the Active Directory environment. A data administrator
only needs to know how to manage the specific data that they are responsible for such
as the creation of new user accounts for new employees in their department.

Deploying AD DS requires coordination and communication between many different
groups involved in the operation of the network infrastructure. These groups should
appoint service and data owners who are responsible for representing the various
groups during the design and deployment process.

Once the deployment project is complete, these service and data owners continue to
be responsible for the portion of the infrastructure managed by their group. In an
Active Directory environment, these owners are the forest owner, the DNS for AD DS
owner, the site topology owner, and the OU owner. The roles of these service and
data owners are explained in the following sections.

Forest owner

The forest owner is typically a senior information technology (IT) manager in the
organization who is responsible for the Active Directory deployment process and who
is ultimately accountable for maintaining service delivery within the forest after the
deployment is complete. The forest owner assigns individuals to fill the other
ownership roles by identifying key personnel within the organization who are able to
contribute necessary information about network infrastructure and administrative
needs. The forest owner is responsible for the following:

• Deployment of the forest root domain to create the forest

• Deployment of the first domain controller in each domain to create the domains
required for the forest

• Memberships of the service administrator groups in all domains of the forest

• Creation of the design of the OU structure for each domain in the forest

• Delegation of administrative authority to OU owners

• Changes to the schema

• Changes to forest-wide configuration settings

• Implementation of certain Group Policy policy settings, including domain user
account policies such as fine-grained password and account lockout policy

• Business policy settings that apply to domain controllers

• Any other Group Policy settings that are applied at the domain level

The forest owner has authority over the entire forest. It is the forest owner’s
responsibility to set Group Policy and business policies and to select the individuals
who are service administrators. The forest owner is a service owner.

DNS for AD DS owner

The DNS for AD DS owner is an individual who has a thorough understanding of the
existing DNS infrastructure and the existing namespace of the organization.

The DNS for AD DS owner is responsible for the following:

• Serving as a liaison between the design team and the IT group that currently
owns the DNS infrastructure

• Providing the information about the existing DNS namespace of the
organization to assist in the creation of the new Active Directory namespace

• Working with the deployment team to make sure that the new DNS
infrastructure is deployed according to the specifications of the design team and
that it is working properly

• Managing the DNS for AD DS infrastructure, including the DNS Server service
and DNS data

The DNS for AD DS owner is a service owner.

Site topology owner

The site topology owner is familiar with the physical structure of the organization
network, including mapping of individual subnets, routers, and network areas that are
connected by means of slow links. The site topology owner is responsible for the
following:

• Understanding the physical network topology and how it affects AD DS

• Understanding how the Active Directory deployment will impact the network

• Determining the Active Directory logical sites that need to be created

• Updating site objects for domain controllers when a subnet is added, modified,
or removed

• Creating site links, site link bridges, and manual connection objects

The site topology owner is a service owner.

OU owner

The OU owner is responsible for managing data stored in the directory. This individual
needs to be familiar with the operational and security policies that are in place on the
network. OU owners can perform only those tasks that have been delegated to them
by the service administrators, and they can perform only those tasks on the OUs to
which they are assigned. Tasks that might be assigned to the OU owner include the
following:

• Performing all account management tasks within their assigned OU

• Managing workstations and member servers that are members of their
assigned OU

• Delegating authority to local administrators within their assigned OU

The OU owner is a data owner.

Building project teams

Active Directory project teams are temporary groups that are responsible for
completing Active Directory design and deployment tasks. When the Active Directory
deployment project is complete, the owners assume responsibility for the directory,
and the project teams can disband.

The size of the project teams varies according to the size of the organization. In small
organizations, a single person can cover multiple areas of responsibility on a project
team and be involved in more than one phase of the deployment. Large organizations
might require larger teams with different individuals or even different teams covering
the different areas of responsibility. The size of the teams is not important as long as
all areas of responsibility are assigned, and the design goals of the organization are
met.

Identifying potential forest owners

Identify the groups within your organization that own and control the resources
necessary to provide directory services to users on the network. These groups are
considered potential forest owners.

The separation of service and data administration in AD DS makes it possible for the
infrastructure IT group (or groups) of an organization to manage the directory service
while local administrators in each group manage the data that belongs to their own
groups. Potential forest owners have the required authority over the network
infrastructure to deploy and support AD DS.

For organizations that have one centralized infrastructure IT group, the IT group is
generally the forest owner and, therefore, the potential forest owner for any future
deployments. Organizations that include a number of independent infrastructure IT
groups have a number of potential forest owners. If your organization already has an
Active Directory infrastructure in place, any current forest owners are also potential
forest owners for new deployments.

Select one of the potential forest owners to act as the forest owner for each forest that
you are considering for deployment. These potential forest owners are responsible for
working with the design team to determine whether or not their forest will actually be
deployed or if an alternate course of action (such as joining another existing forest) is
a better use of the available resources and still meets their needs. The forest owner
(or owners) in your organization are members of the Active Directory design team.

Establishing a design team

The Active Directory design team is responsible for gathering all the information
needed to make decisions about the Active Directory logical structure design.

The responsibilities of the design team include the following:

• Determining how many forests and domains are required and what the
relationships are between the forests and domains

• Working with data owners to ensure that the design meets their security and
administrative requirements

• Working with the current network administrators to ensure that the current
network infrastructure supports the design and that the design will not adversely
affect existing applications deployed on the network

• Working with representatives of the security group of the organization to ensure
that the design meets established security policies

• Designing OU structures that permit appropriate levels of protection and the
proper delegation of authority to the data owners

• Working with the deployment team to test the design in a lab environment to
ensure that it functions as planned and modifying the design as needed to
address any problems that occur

• Creating a site topology design that meets the replication requirements of the
forest while preventing overload of available bandwidth.

• Working with the deployment team to ensure that the design is implemented
correctly

The design team includes the following members:

• Potential forest owners

• Project architect

• Project manager

• Individuals who are responsible for establishing and maintaining security
policies on the network

During the logical structure design process, the design team identifies the other
owners. These individuals must start participating in the design process as soon as
they are identified. After the deployment project is handed off to the deployment team,
the design team is responsible for overseeing the deployment process to ensure that
the design is implemented correctly. The design team also makes changes to the
design based on feedback from testing.

Establishing a deployment team

The Active Directory deployment team is responsible for testing and implementing the
Active Directory logical structure design. This involves the following tasks:

• Establishing a test environment that sufficiently emulates the production
environment

• Testing the design by implementing the proposed forest and domain structure
in a lab environment to verify that it meets the goals of each role owner

• Developing and testing any migration scenarios proposed by the design in a
lab environment

• Making sure that each owner signs off on the testing process to ensure that the
correct design features are being tested

• Testing the deployment operation in a pilot environment

When the design and testing tasks are complete, the deployment team performs the
following tasks:

• Creates the forests and domains according to the Active Directory logical
structure design

• Creates the sites and site link objects as needed based on the site topology
design

• Ensures that the DNS infrastructure is configured to support AD DS and that
any new namespaces are integrated into the existing namespace of the
organization

The Active Directory deployment team includes the following members:

• Forest owner

• DNS for AD DS owner

• Site topology owner

• OU owners

The deployment team works with the service and data administrators during the
deployment phase to ensure that members of the operations team are familiar with the
new design. This helps to ensure a smooth transition of ownership when the
deployment operation is completed. At the completion of the deployment process, the
responsibility for maintaining the new Active Directory environment passes to the
operations team.

Documenting the design and deployment teams

Document the names and contact information for the people who will participate in the
design and deployment of AD DS. Identify who will be responsible for each role on the
design and deployment teams. Initially, this list includes the potential forest owners,
the project manager, and the project architect. When you determine the number of
forests that you will deploy, you might need to create new design teams for additional
forests. Note that you will need to update your documentation as team memberships
change and as you identify the various Active Directory owners during the design
process.

INFORMATION SHEET 2.2
Creating an Organizational Unit Design

Forest owners are responsible for creating organizational unit (OU) designs for their
domains. Creating an OU design involves designing the OU structure, assigning the
OU owner role, and creating account and resource OUs.

Initially, design your OU structure to enable delegation of administration. When the
OU design is complete, you can create additional OU structures for the application of
Group Policy to the users and computers and to limit the visibility of objects.

OU owner role

The forest owner designates an OU owner for each OU that you design for the domain.
OU owners are data managers who control a subtree of objects in Active Directory
Domain Services (AD DS). OU owners can control how administration is delegated
and how policy is applied to objects within their OU. They can also create new subtrees
and delegate administration of OUs within those subtrees.

Because OU owners do not own or control the operation of the directory service, you
can separate ownership and administration of the directory service from ownership
and administration of objects, reducing the number of service administrators who have
high levels of access.

OUs provide administrative autonomy and the means to control visibility of objects in
the directory. OUs provide isolation from other data administrators, but they do not
provide isolation from service administrators. Although OU owners have control over
a subtree of objects, the forest owner retains full control over all subtrees. This enables
the forest owner to correct mistakes, such as an error in an access control list (ACL),
and to reclaim delegated subtrees when data administrators are terminated.

Account OUs and resource OUs

Account OUs contain user, group, and computer objects. Forest owners must create
an OU structure to manage these objects and then delegate control of the structure to
the OU owner. If you are deploying a new AD DS domain, create an account OU for
the domain so that you can delegate control of the accounts in the domain.

Resource OUs contain resources and the accounts that are responsible for managing
those resources. The forest owner is also responsible for creating an OU structure to
manage these resources and for delegating control of that structure to the OU owner.
Create resource OUs as needed based on the requirements of each group within your
organization for autonomy in the management of data and equipment.

Documenting the OU design for each domain

Assemble a team to design the OU structure that you use to delegate control over
resources within the forest. The forest owner might be involved in the design process
and must approve the OU design. You might also involve at least one service
administrator to ensure that the design is valid. Other design team participants might
include the data administrators who will work on the OUs and the OU owners who will
be responsible for managing them.

It is important to document your OU design. List the names of the OUs that you plan
to create. And, for each OU, document the type of OU, the OU owner, the parent OU
(if applicable), and the origin of that OU.

OPERATION SHEET 2.1
Creating User to Domain

Here are the procedures:

1. Open Server Manager, click Roles, select ADDS, select ADS as computer.
2. Right click your Domain.
3. Select New, Organizational Unit. Assign the name for Organizational Unit
object.

4. Assign the name for Organizational Unit object.
OU: Student

5. Right click Organizational Unit, select New, User.


Note: Right click OU: Student, not User. Your User must be inside your created
OU. The image shows that the User OU is selected not the Student OU.

6. Type First name, Last name, Full name and User logon name. Click Next.
Remember not to forget your User logon name.

7. Assign password, then on the checkbox select Password Never Expires, click
Next, then Finish. Remember not to forget your Password.
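The same OU and user creation, done from PowerShell on the domain controller instead of the Active Directory Users and Computers console. This is an added example, not part of this learning material; the display name, logon name, and domain are constructed values, and the password is typed in at the prompt.

```powershell
# Added example (not from the learning material): Operation Sheet 2.1 with the
# ActiveDirectory PowerShell module. The user is placed inside the Student OU,
# not in the default Users container, exactly as the Note in step 5 requires.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName      # e.g. DC=school,DC=local (constructed)
$ouName   = 'Student'

# Steps 2-4: create the Organizational Unit directly under the domain root,
# skipping creation if an OU of that name already exists there.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
                                     -SearchBase $domainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
$ouDN = "OU=$ouName,$domainDN"

# Steps 5-7: create the user inside OU=Student with the same options as the
# wizard (first name, last name, full name, logon name, password never expires).
$password = Read-Host -AsSecureString -Prompt 'Password for the new user'
New-ADUser -Name 'Juan Dela Cruz' `                      # constructed full name
           -GivenName 'Juan' -Surname 'Dela Cruz' `
           -SamAccountName 'jdelacruz' `                 # constructed logon name
           -UserPrincipalName "jdelacruz@$($domain.DNSRoot)" `
           -Path $ouDN `
           -AccountPassword $password `
           -PasswordNeverExpires $true `
           -Enabled $true

# Check: DistinguishedName must end in OU=Student,<domain>, not CN=Users,<domain>.
Get-ADUser -Identity 'jdelacruz' -Properties PasswordNeverExpires |
    Select-Object Name, SamAccountName, DistinguishedName, PasswordNeverExpires
```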

ACTIVITY SHEET 2.3

Direction: On a separate sheet of paper, or on your portfolio notebook, do the following:

1. Create an Active Directory deployment team which includes the following members:
a. Forest owner
b. DNS for AD DS owner
c. Site topology owner
d. OU owners
2. Document the names and contact information for the people who will participate in
the design and deployment of AD DS.
Rubrics:
Formatting 5 points
Relevance 5 points
Total Score: 10 points

SELF CHECK 2.1

Direction: Choose the letter of the correct answer. Write your answer on a separate
sheet of paper.

A. Account OU
B. Administrators
C. Architect
D. Data Owners
E. DNS For AD DS Owner
F. Executive Sponsor
G. Forest Owner
H. Forest Owners
I. Organizational Unit
J. OU Owners
K. Owners
L. Project Manager
M. Resource OU
N. Service Owners
O. Site Topology Owner

1. Contain resources and the accounts that are responsible for managing those
resources.
2. Contain user, group, and computer objects.
3. Data managers who control a subtree of objects in Active Directory Domain
Services.
4. Facilitates cooperation across business units and between technology
management groups.
5. Familiar with the physical structure of the organization network, including
mapping of individual subnets, routers, and network areas that are connected
by means of slow links.
6. Individual who has a thorough understanding of the existing DNS infrastructure
and the existing namespace of the organization.
7. Provide administrative autonomy and the means to control visibility of objects
in the directory.

8. Provides technical expertise to assist with the process of designing and
deploying AD DS.
9. Responsible for communicating to administrators the tasks required for the
implementation of the Active Directory design such as the creation of new
domain controllers within the forest.
10. Responsible for creating organizational unit (OU) designs for their domains.
11. Responsible for implementing the design on the network according to the
design specifications.
12. Responsible for planning and long-term maintenance of the Active Directory
infrastructure
13. Responsible for the maintenance of the information stored in the directory.
14. Senior information technology (IT) manager in the organization who is
responsible for the Active Directory deployment process
15. Understands the business value of the deployment, supports the project at the
executive level, and can help resolve conflicts across the organization.

ASSIGNMENT SHEET 2.1

Direction: On your portfolio notebook, write your insight about the lesson.

I understand that __________________________________

I realize that _____________________________________

LESSON 3 Designing a Group Policy Infrastructure

Learning Objectives
At the end of the lesson, the learner should be able to:
a. Describe Group Policy
b. Design an OU that supports Group Policy
c. Define Group Policy Objectives
d. Recognize Group Policy Management Console

ACTIVITY SHEET 3.1

Technical Terms

Direction: Try to identify the words related to our lesson.

1. UORGP IYOLCP

2. JTECOB

3. ITNTEGSS

4. TMGENENMAA LENOCSO

5. UTUFNCATSRERIR

6. LINANNGP

7. IDGENS

8. ESETBOIJCV

9. ELOUAATIVN

10. CATCSIEPR

Pre-Test 3.1

Direction: Read each statement carefully. Write whether the statement is TRUE or
FALSE on a separate sheet of pad paper.

1. Define your objectives for deploying Group Policy.
2. Determine the Number of GPOs to use in defining objectives.
3. Determine the purpose of each GPO
4. Determine the types of policy settings contained in each GPO, and the
appropriate policy settings for users and computers
5. Ensure that your Active Directory design supports the application of Group
Policy.
6. Group Policy enables Active Directory–based change and configuration
management of user and computer settings on computers running a member
of the Microsoft® Windows® Server or Microsoft Windows® families of
operating systems.
7. Group Policy to help manage server computers, by configuring many server-
specific operational and security settings.
8. The Group Policy settings that you create are contained in a Group Policy
object
9. To create a GPO, use the Group Policy Object Editor snap-in.
10. To edit a new GPO, use the Group Policy Management Console
11. Use GPMC to make backups of your GPOs on an annual basis.
12. Use GPMC to manage Group Policy across the organization.
13. Do not modify the default domain policy or default domain controller policy
unless necessary. Instead, create a new GPO at the domain level and set it to
override the default settings in the default policies.
14. Define a meaningful naming convention for GPOs that clearly identifies the
purpose of each GPO.
15. Designate only one administrator per GPO. This prevents one administrator’s
work from being overwritten by another’s.

ACTIVITY SHEET 3.2
Let Us Review

Direction: Answer the following questions on your portfolio notebook.

Enumerate the steps in establishing a deployment project in an Organizational Unit.

INFORMATION SHEET 3.1

Group Policy Infrastructure

Group Policy enables Active Directory–based change and configuration management
of user and computer settings on computers running a member of the Microsoft®
Windows® Server or Microsoft Windows® families of operating systems. You use
Group Policy to define configurations for groups of users and computers, including
policy settings for registry-based policies, software installation, scripts, folder
redirection, Remote Installation Services, Internet Explorer maintenance, and security.
You can also use Group Policy to help manage server computers, by configuring many
server-specific operational and security settings.

The Group Policy settings that you create are contained in a Group Policy object
(GPO). To create a GPO, use the Group Policy Management Console (GPMC). To
edit a new GPO, use the Group Policy Object Editor snap-in for the Microsoft
Management Console (MMC), which you can start from GPMC. By using GPMC to
link a GPO to selected Active Directory system containers — sites, domains, and
organizational units (OUs) — you apply the policy settings in the GPO to the users
and computers in those Active Directory containers.

To guide your Group Policy design decisions, you need a clear understanding of your
organization’s business needs, service level agreements, and security, network, and
IT requirements. By analyzing your current environment and users’ requirements,
defining the business objectives you want to meet by using Group Policy, and following
this chapter’s guidelines for designing a Group Policy infrastructure, you can establish
the approach that best supports your organization’s needs.

Planning your Group Policy Design

When you plan your Group Policy design, ensure that your Active Directory design
supports the application of Group Policy. Then you need to clearly define your
objectives for deploying Group Policy. Specifically, understand any service-level
agreements and administrative issues that pertain to Group Policy and consider your
business requirements and how Group Policy can help you achieve them. Finally,
incorporate any operational, interoperability and software installation considerations
into your plan. Figure 3.1 illustrates the steps in the Group Policy planning process.

Figure 3.1 Group Policy Planning

Designing an OU Structure that Supports Group Policy

In an Active Directory environment, you assign Group Policy settings by linking GPOs
to sites, domains, or organizational units (OUs). Typically, most GPOs are assigned
at the organizational unit level, so be sure your OU structure supports your Group
Policy-based client-management strategy. You might also apply some Group Policy
settings at the domain level, particularly those such as password policies, which only
take effect if applied at the domain level. Very few policy settings are likely to be
applied at the site level. A well-designed OU structure, reflecting the administrative
structure of your organization and taking advantage of GPO inheritance, simplifies the
application of Group Policy. For example, it can prevent needing to duplicate certain
policies so that the policies can be applied to different parts of the organization, or
having to link the same GPO to multiple Active Directory containers to achieve your
objectives. If possible, create OUs to delegate administrative authority as well as to
help implement Group Policy.

OU design requires balancing requirements for delegating administrative rights –
independent of Group Policy needs – and the need to scope the application of Group
Policy. The following OU design recommendations address delegation and scope
issues:

Delegating administrative authority

You can create OUs within a domain and delegate administrative control for specific
OUs to particular users or groups. Your OU structure might be affected by
requirements to delegate administrative authority. For more information about
planning for delegation of Active Directory administrative authority, see "Designing
the Active Directory Logical Structure" in Designing and Deploying Directory and
Security Services of this kit.

Applying Group Policy

An OU is the lowest-level Active Directory container to which you can assign Group
Policy settings.

Think primarily about the objects you want to manage when you approach the design
of an OU structure. You might want to create a structure that has OUs organized by
workstations, servers, and users near the top level. Depending on your administrative
model, you might consider geographically based OUs either as children or parents of
the other OUs, and then duplicate the structure for each location to avoid replicating
across different sites. Add OUs below these only if doing so makes the application of
Group Policy clearer, or if you need to delegate administration below these levels.

By using a structure in which OUs contain homogeneous objects, such as either user
or computer objects but not both, you can easily disable those sections of a GPO that
do not apply to a particular type of object. This approach to OU design, illustrated in
Figure 3.2, reduces complexity and improves the speed at which Group Policy is
applied. Keep in mind that GPOs linked to the higher layers of the OU structure are
inherited by default, which reduces the need to duplicate GPOs or to link a GPO to
multiple containers.

Note that the default Users and Computers containers cannot have Group Policy
applied to them until you use the new Redirusr.exe and Redircomp.exe tools. When
designing your Active Directory structure, the most important considerations are ease
of administration and delegation.

Figure 3.2 Example OU Structure
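An added example, not from this learning material, of the OU layout and GPO scoping recommended above: one OU per object type under a location OU, a purpose-named GPO linked once at the Workstations OU, and the unused user section of that GPO disabled. It assumes the ActiveDirectory and GroupPolicy PowerShell modules on a domain controller; the location name, OU names, and GPO name are constructed.

```powershell
# Added example (not from the learning material). Builds homogeneous OUs
# (workstations, servers, users) under one location OU, creates a GPO whose
# purpose is visible in its name, links it at the OU level instead of duplicating
# it, and disables the user half of the GPO because the Workstations OU holds
# only computer objects. Location, OU names and GPO name are constructed values.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$location = 'Tanza'                          # constructed location name
$siteOU   = "OU=$location,$domainDN"

# Location OU near the top, then one child OU per object type, so that each GPO
# can be scoped to a single type of object.
New-ADOrganizationalUnit -Name $location -Path $domainDN
foreach ($child in 'Workstations', 'Servers', 'Users') {
    New-ADOrganizationalUnit -Name $child -Path $siteOU
}
$workstationsOU = "OU=Workstations,$siteOU"

# One GPO per purpose, with a name that states location, target and purpose
# (the naming-convention point from the pre-test), linked once at OU level.
$gpoName = "$location-Workstations-Security"
$gpo = New-GPO -Name $gpoName -Comment 'Computer-side security settings for workstations'
New-GPLink -Name $gpoName -Target $workstationsOU -LinkEnabled Yes | Out-Null

# The Workstations OU contains no user objects, so the User Configuration
# section of this GPO would never apply; disabling it shortens policy processing.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Check: status shows only computer settings enabled, and the OU has exactly
# this one link (inherited GPOs from the domain still apply through inheritance).
Get-GPO -Name $gpoName | Select-Object DisplayName, GpoStatus
(Get-GPInheritance -Target $workstationsOU).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced
```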

Defining Your Group Policy Objectives

When you plan the deployment of Group Policy, identify your specific business
requirements and how Group Policy can help achieve them. You can then determine
the most appropriate policy settings and configuration options to meet your
requirements.

The objectives for each Group Policy implementation vary depending on user location,
job needs, computer experience, and corporate security requirements. For example,
in some cases, you might remove functionality from users’ computers to prevent them
from modifying system configuration files (which might disrupt computer performance),
or you might remove applications that are not essential for users to perform their jobs.
In other cases, you might use Group Policy to configure operating system options,
specify Internet Explorer maintenance settings, or establish a security policy.

Having a clear understanding of your current organizational environment and
requirements helps you design a plan that best meets your organization’s
requirements. Collecting information about the types of users (such as process
workers and data entry workers) and existing and planned computer configurations is
essential. Based on this information, you can define your Group Policy objectives.

Evaluating Existing Corporate Practices

To help you identify the appropriate Group Policy settings to use, begin by evaluating current practices in your corporate environment, including such things as:

• User requirements for various types of users.
• Current IT roles, such as the various administrative duties divided amongst administrator groups.
• Existing corporate security policies.
• Other security requirements for your server and client computers.
• Software distribution model.
• Network configuration.
• Data storage locations and procedures.
• Current management of users and computers.

Defining Group Policy Objectives

Next, as part of defining the goals for Group Policy, determine the following:

• Purpose of each GPO
• Owner of each GPO – the person who requested the policy and who is responsible for it
• Number of GPOs to use
• Appropriate container to link each GPO (site, domain, or OU)
• Types of policy settings contained in each GPO, and the appropriate policy settings for users and computers
• When to set exceptions to the default processing order for Group Policy
• When to set filtering options for Group Policy
• The software applications to install and their locations
• What network shares to use for redirecting folders
• The location of logon, logoff, startup, and shutdown scripts to execute

Establishing Group Policy Operational Guidelines

As you design and implement your Group Policy solution, it is also important to plan for the ongoing administration of Group Policy. Establishing administrative procedures to track and manage GPOs can ensure that all changes are implemented in a prescribed manner.

To simplify and regulate ongoing management of Group Policy, it is recommended that administrators:

• Always stage Group Policy deployments using the following pre-deployment process:
  1. Use Group Policy Modeling to understand how a new GPO will interoperate with existing GPOs.
  2. Deploy new GPOs in a test environment modeled after your production environment.
  3. Use Group Policy Results to understand which GPO settings actually are applied in your test environment.
• Use GPMC to make backups of your GPOs on a regular basis.
• Use GPMC to manage Group Policy across the organization.
• Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.
• Define a meaningful naming convention for GPOs that clearly identifies the purpose of each GPO.
• Designate only one administrator per GPO. This prevents one administrator’s work from being overwritten by another’s.

Windows Server 2003 and GPMC allow you to delegate permission to edit and link GPOs to different groups of administrators. Without adequate GPO control procedures in place, delegated administrators can duplicate GPO settings, or create GPOs that conflict with settings set by another administrator or that are not in accordance with corporate standards. Such conflicts might adversely affect the users’ desktop environment, generate increased support calls, and make troubleshooting GPOs more difficult.
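The guidelines above (regular backups, a naming convention, one owner per GPO) can be enforced with a scheduled script rather than by hand. The following is an added example written for this material, not code from the learning material or from Microsoft; it uses the GroupPolicy PowerShell module that is installed together with GPMC. The domain name, the backup root and the naming convention Scope-Type-Purpose (for example DOM-SEC-PasswordPolicy) are assumptions constructed for the example.

```powershell
# Added example (not from the learning material): routine GPO housekeeping
# with the GroupPolicy module that ships with GPMC / RSAT.
# Assumed, constructed values: the domain name, the backup root and the
# naming convention <Scope>-<Type>-<Purpose>, e.g. "DOM-SEC-PasswordPolicy".
#Requires -Modules GroupPolicy

param(
    [string]$Domain      = 'contoso.example',
    [string]$BackupRoot  = 'D:\GPOBackups',
    [string]$NamePattern = '^(DOM|SITE|OU)-(SEC|APP|USR|CMP)-[A-Za-z0-9]+$',
    [int]$StaleDays      = 365
)

# 1. Back up every GPO into a dated folder. Each backup can later be put
#    back with Restore-GPO, which is the rollback the guidelines rely on.
$target = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $target -Force | Out-Null
$backups = @(Backup-GPO -All -Domain $Domain -Path $target `
    -Comment "Scheduled backup $(Get-Date -Format s)")
Write-Host ("Backed up {0} GPOs to {1}" -f $backups.Count, $target)

# 2. Save a human-readable HTML settings report beside each backup, so a
#    reviewer can see what a GPO contained at that date without opening GPMC.
foreach ($b in $backups) {
    $safeName   = $b.DisplayName -replace '[\\/:*?"<>|]', '_'
    $reportFile = Join-Path $target ("{0}.html" -f $safeName)
    Get-GPOReport -Guid $b.GpoId -Domain $Domain -ReportType Html -Path $reportFile
}

# 3. Audit the GPO inventory against the operational guidelines and report
#    each GPO that needs attention together with its owner.
$all = Get-GPO -All -Domain $Domain
$findings = foreach ($gpo in $all) {
    $isDefault = $gpo.DisplayName -in @('Default Domain Policy',
                                        'Default Domain Controllers Policy')
    $issues = @()
    if (-not $isDefault -and $gpo.DisplayName -notmatch $NamePattern) {
        $issues += 'name does not follow the naming convention'
    }
    if ($gpo.ModificationTime -lt (Get-Date).AddDays(-$StaleDays)) {
        $issues += "not modified in $StaleDays days; confirm it is still needed"
    }
    if ($gpo.GpoStatus -eq 'AllSettingsDisabled') {
        $issues += 'all settings disabled; candidate for removal'
    }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            Name     = $gpo.DisplayName
            Owner    = $gpo.Owner          # the one responsible administrator
            Modified = $gpo.ModificationTime
            Issues   = ($issues -join '; ')
        }
    }
}

$findings | Sort-Object Name | Format-Table -AutoSize
```

Run it under an account that can read every GPO (for example a member of Group Policy Creator Owners) from a task scheduled on a management server. Keep the backup folder on a volume that delegated GPO editors cannot write to, otherwise the history that is meant to protect against an accidental or malicious change can be altered by the same people who make the changes.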

OPERATION SHEET 3.1
Using Group Policy Management Console

The Group Policy Management Console (GPMC) is a Microsoft Management Console (MMC)-based tool that uses scriptable interfaces to manage Group Policy. The 32-bit and 64-bit versions are included with Windows Server 2008 R2 with Service Pack 1 (SP1) and Windows Server 2012 R2.

Why use the GPMC?

The GPMC lets you:

• Import, export, copy, paste, back up and restore GPOs.
• Search for existing GPOs.
• Create reports, including providing the Resultant Set of Policy (RSoP) data in HTML reports that you can save and print.
• Use simulated RSoP data to prototype your Group Policy before implementing it in the production environment.
• Obtain RSoP data to view your GPO interactions and to troubleshoot your Group Policy deployment.
• Create migration tables to let you import and copy GPOs across domains and across forests. Migration tables are files that map references to users, groups, computers, and Universal Naming Convention (UNC) paths in the source GPO to new values in the destination GPO.
• Create scriptable interfaces to support all of the operations available within the GPMC. You can't use scripts to edit individual policy settings in a GPO.

Here's a list of the policy settings you can use, based on the configuration type.

You can start Group Policy Management Console (GPMC) using one of two methods.

To start GPMC

Do either of the following:

• Press the Windows logo key + R to open the RUN dialog box. Type gpmc.msc in the text box, and then click OK or press ENTER.
• Click Start, click All Programs, click Accessories, and then click Run. Type gpmc.msc in the text box, and then click OK or press ENTER.

You can use the Group Policy Management Console (GPMC) to create and edit Group Policy objects (GPOs).

Every AD domain has two default GPOs:

• Default Domain Policy, which is linked to the domain
• Default Domain Controllers Policy, which is linked to the domain controllers OU

You can see all the GPOs in a domain by clicking the Group Policy Objects container in the left pane of GPMC.

Figure 3.3. Interface of the Group Policy Management Console

Create a New Group Policy Object

Don’t change either the Default Domain Controllers Policy or the Default Domain Policy. The best way to add your own settings is to create a new GPO. There are two ways to create a new GPO:

• Right-click the domain, site or OU to which you want to link the new GPO and select Create a GPO in this domain, and Link it here… When you save the new GPO, it will be linked and enabled immediately.
• Right-click the Group Policy Objects container and select New from the menu. You will need to link the new GPO manually by right-clicking a domain, site or OU and selecting Link an Existing GPO. You can do this at any time.

Regardless of how you create a new GPO, in the New GPO dialog you must give the GPO a name, and you can choose to base it on an existing GPO. See the next section for information about the other options.

Edit a Group Policy Object

To edit a GPO, right-click it in GPMC and select Edit from the menu. The Active Directory Group Policy Management Editor will open in a separate window.

Figure 3.4. Interface of the Group Policy Management Editor

GPOs are divided into computer and user settings. Computer settings are applied when Windows starts, and user settings are applied when a user logs in. Group Policy background processing applies settings periodically if a change is detected in a GPO.

Policies vs Preferences

User and computer settings are further divided into Policies and Preferences:

• Policies do not tattoo the registry — when a setting in a GPO is changed or the GPO falls out of scope, the policy setting is removed and the original value is used instead. Policy settings always supersede an application’s configuration settings and will be greyed out so that users cannot modify them.
• Preferences tattoo the registry by default, but this behavior is configurable for each preference setting. Preferences overwrite an application’s configuration settings but always allow users to change the configuration items. Many of the configurable items in Group Policy Preferences are those that might have been previously configured using a login script, such as drive mappings and printer configuration.

You can expand Policies or Preferences to configure their settings. These settings will then be applied to computer and user objects that fall into the GPO’s scope. For example, if you link your new GPO to the domain controllers OU, the settings will be applied to computer and user objects located in that OU and any child OUs. You can use the Block Inheritance setting on a site, domain or OU to stop GPOs that are linked to parent objects from being applied to child objects. You can also set the Enforced flag on individual GPOs, which overrides the Block Inheritance setting and any configuration items in GPOs that have higher precedence.

GPO Precedence

Multiple GPOs can be linked to domains, sites and OUs. When you click on one of these objects in GPMC, a list of linked GPOs will appear on the right on the Linked Group Policy Objects tab. If there is more than one linked GPO, GPOs with a higher link order number take priority over settings configured in GPOs with a lower number. You can change the link order number by clicking on a GPO and using the arrows on the left to move it up or down. The Group Policy Inheritance tab will show all applied GPOs, including those inherited from parent objects.
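The OU-design advice earlier in this lesson (keep user and computer objects in separate OUs and disable the half of a GPO that does not apply) and the create, link and precedence steps just described can all be done from PowerShell as well as from GPMC. The block below is an added example written for this material, not code from the learning material; it uses the GroupPolicy module. The domain name, the OU and the GPO name are constructed assumptions.

```powershell
# Added example (not from the learning material): create a GPO for an OU that
# holds only computer objects, switch off its unused User Configuration half,
# link it, and read back what the GPMC "Linked Group Policy Objects" and
# "Group Policy Inheritance" tabs would show.
# Assumed, constructed values: the domain, the OU and the GPO name.
#Requires -Modules GroupPolicy

$domain  = 'contoso.example'
$ouDn    = 'OU=Workstations,DC=contoso,DC=example'
$gpoName = 'OU-CMP-WorkstationHardening'

# Create the GPO (the "New" action under the Group Policy Objects container).
# Re-running the script must not create a duplicate, so look it up first.
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Domain $domain `
        -Comment 'Computer-only settings for the Workstations OU'
}

# The OU contains only computers, so disable the user side of the GPO.
# Assigning GpoStatus writes the change back to Active Directory; this is the
# "disable those sections of a GPO that do not apply" step from the OU design
# discussion, and it also shortens Group Policy processing on each client.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Link it to the OU (the "Link an Existing GPO" action) unless already linked;
# New-GPLink throws if the link already exists.
$inheritance = Get-GPInheritance -Target $ouDn -Domain $domain
if (-not ($inheritance.GpoLinks | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $ouDn -Domain $domain -LinkEnabled Yes | Out-Null
}

# Put this link at the top of the list (link order 1). GPMC applies the link
# with order 1 last, so it wins conflicts with the other links on this OU.
Set-GPLink -Name $gpoName -Target $ouDn -Domain $domain -Order 1 | Out-Null

# What the "Linked Group Policy Objects" tab shows for this OU.
$inheritance = Get-GPInheritance -Target $ouDn -Domain $domain
Write-Host "Block Inheritance set on ${ouDn}: $($inheritance.GpoInheritanceBlocked)"
$inheritance.GpoLinks | Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# What the "Group Policy Inheritance" tab shows: every link that applies here,
# including those inherited from the domain and from parent OUs. Enforced
# links from parents still appear even when Block Inheritance is set.
$inheritance.InheritedGpoLinks |
    Format-Table Order, DisplayName, Enforced, Target -AutoSize
```

Before linking a new GPO to a production OU, run the same script against a test OU that mirrors production and compare the Group Policy Results report, which is the staging step the operational guidelines call for. Note also that Get-GPInheritance is a quick way to spot an OU where someone has set Block Inheritance, which silently drops domain-level security settings that are not Enforced.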

Figure 3.5. Information about all applied GPOs in GPMC

Advanced Group Policy Management

Advanced Group Policy Management (AGPM) is available as part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance customers. Unlike GPMC, AGPM is a client/server application where the server component stores GPOs offline, including a history for each GPO. GPOs managed by AGPM are called controlled GPOs because they are managed by the AGPM service and administrators can check them in and out, much like you might check files or code in and out of GitHub or a document management system.

AGPM provides greater control over GPOs than is possible with GPMC. In addition to providing version control, it enables you to assign roles like Reviewer, Editor and Approver to Group Policy administrators, which helps you implement strict change control throughout the entire GPO lifecycle. AGPM auditing also gives greater insight into Group Policy changes.

ACTIVITY SHEET 3.3

Direction: Use the ALPHABET to arrange the procedures in their proper order. Write

your answers on a separate sheet of pad paper.

To create a Group Policy object

1. In the New GPO dialog box, specify a name for the new GPO, and then click

OK.

2. In the GPMC console tree, right-click Group Policy Objects in the forest and

domain in which you want to create a GPO.

3. Click New.

To edit a Group Policy object

4. Right-click the GPO, and then click Edit.

5. In the GPMC console tree, double-click Group Policy Objects in the forest and

domain containing the GPO that you want to edit.

6. In the console tree, edit the settings as appropriate.

To delete a GPO

7. When prompted to confirm the deletion, click OK.

8. Right-click the GPO, and then click Delete.

9. In the Group Policy Management Console (GPMC) console tree, double-click

Group Policy Objects in the forest and domain containing the Group Policy

object (GPO) that you want to delete.

10. How to start a GPMC?

SELF CHECK 3.1

Direction: Read each statement carefully. Write TRUE if the statement is true or FALSE if it is false on a separate sheet of pad paper.
1. Group Policy enables Active Directory–based change and configuration
management of user and computer settings on computers running a member
of the Microsoft® Windows® Server or Microsoft Windows® families of
operating systems.
2. Group Policy helps manage server computers by configuring many server-
specific operational and security settings.
3. To create a GPO, use the Group Policy Object Editor snap-in.
4. To edit a new GPO, use the Group Policy Management Console
for the Microsoft Management Console (MMC), which you can start from GPMC
5. The Group Policy settings that you create are contained in a Group Policy
object
6. Ensure that your Active Directory design supports the application of Group
Policy.
7. Define your objectives for deploying Group Policy.
8. Determine the Number of GPOs to use in defining objectives.
9. Determine the purpose of each GPO
10. Determine the types of policy settings contained in each GPO, and the
appropriate policy settings for users and computers
11. Use GPMC to make backups of your GPOs on an annual basis.
12. Use GPMC to manage Group Policy across the organization.
13. Do not modify the default domain policy or default domain controller policy
unless necessary. Instead, create a new GPO at the domain level and set it to
override the default settings in the default policies.
14. Define a meaningful naming convention for GPOs that clearly identifies the
purpose of each GPO.
15. Designate only one administrator per GPO. This prevents one administrator’s
work from being overwritten by another’s.

ASSIGNMENT SHEET 2.1

Direction: On your portfolio notebook, write your insight about the lesson

I understand that __________________________________

I realize that _____________________________________

LESSON 4 Using Folder Redirection

Learning Objectives
At the end of the lesson, the learner should be able to:
a. Understand Folder Redirection
b. Specify the Location of Folders in a User Profile
c. Deploy Folder Redirection

ACTIVITY SHEET 4.1


Technical Terms

Direction: Try to identify the words related to our lesson.

1. EILF
2. ERTOSAG
3. RELOFD
4. RODEEITCINR
5. NATILOOC
6. OEPRTPERIS
7. UCFNRGEOI
8. SITETNG
9. YLIOPC
10. LFPOEIR

Pre-Test 4.1

Direction: Choose the correct answer from the given choices. Write your answers on
a separate sheet of paper.

A. x64-based or x86-based computer
B. Target tab
C. Redirect to the local user profile location
D. Redirect to the following location
E. Not configured
F. Group Policy Management Console
G. Folder Redirection
H. File and Storage Services
I. Basic—Redirect everyone's folder to the same location
J. Advanced—Specify locations for various user groups

1. Includes technologies that help you set up and manage one or more file
servers, which are servers that provide central locations on your network where
you can store files and share them with users.
2. Enables you to redirect the location of specific folders within user profiles to a
new location, such as a shared network location.
3. Where you can configure Folder Redirection to redirect specific user profile
folders, as well as edit Folder Redirection policy settings.
4. Hardware requirements for folder redirection.
5. Enables you to select the location of the redirected folder on a network or in the
local user profile.
6. This setting enables you to redirect everyone's folder to the same location and
will be applied to all users included in the Group Policy object
7. This option will use an explicit path to the redirection location.
8. This option will move the location of the folder to the local user profile under
the Users folder.
9. This setting enables you to specify redirection behavior for the folder based on
the security group memberships for the GPO.
10. No changes are being made to the current location of this folder.

ACTIVITY SHEET 4.2
Let Us Review

Direction: Answer the following questions on your portfolio notebook.

1. How do you plan for a Group Policy Design? (5 points)

2. How will you evaluate existing corporate practices? (5 points)

3. How to define or make Group Policy objectives? (5 points)

INFORMATION SHEET 4.2
Folder Redirection Overview

File and Storage Services includes technologies that help you set up and manage one
or more file servers, which are servers that provide central locations on your network
where you can store files and share them with users. If your users need access to the
same files and applications, or if centralized backup and file management are
important to your organization, you should set up one or more servers as a file server
by installing the File and Storage Services role and the appropriate role services.

Practical applications
• Folder Redirection, Offline Files, and Roaming User Profiles - Use to
redirect the path of local folders (such as the Documents folder) or an entire
user profile to a network location, while caching the contents locally for
increased speed and availability.
Folder Redirection enables you to redirect the location of specific folders within user
profiles to a new location, such as a shared network location. Folder redirection is used
in the process of administering user profiles and roaming user profiles. You can
configure Folder Redirection using the Group Policy Management Console to redirect
specific user profile folders, as well as edit Folder Redirection policy settings.
Hardware requirements
Folder Redirection, Offline Files, and Roaming User Profiles require an x64-based or
x86-based computer, and they are not supported by Windows on ARM (WOA)-based
computers.
Software requirements
To designate primary computers, your environment must meet the following
requirements:
• The Active Directory Domain Services (AD DS) schema must be updated to
include the Windows Server 2012 schema additions.

• Client computers must run Windows 7, Windows 10, Windows 8.1, Windows 8,
Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2012
and be joined to the Active Directory domain that you are managing.

User settings and user files are normally stored in the local user profile, under
the Users folder. The files in local user profiles are accessible only from the current
computer, which makes it difficult for users who use more than one computer to work
with their data and synchronize settings between multiple computers. Two different
technologies exist to address this problem: Roaming Profiles and Folder Redirection.
Both of these technologies have their advantages, and they can be used separately
or together to create a seamless user experience from one computer to another. They
also provide additional options for administrators managing user data.
Folder Redirection allows administrators to redirect the path of a folder to a new
location. The location can be a folder on the local computer or a directory on a network
file share. Users have the ability to work with documents on a server as if the
documents were based on a local drive. The documents in the folder are available to
the user from any computer on the network. Folder Redirection is located
under Windows Settings in the console tree when editing domain-based Group
Policy using the Group Policy Management Console (GPMC). The path is [Group
Policy Object Name]\User Configuration\Policies\Windows Settings\Folder
Redirection.

You can use the Group Policy Management Console to redirect folders in Windows
Vista and folders in earlier Windows operating systems:

Windows 7 Equivalent Folder in Earlier Windows Operating System

AppData/Roaming Application Data

Contacts N/A

Desktop Desktop

Documents My Documents

Downloads N/A

Favorites N/A

Links N/A

Music N/A

Pictures My Pictures

Saved Games N/A

Searches N/A

Start Menu Start Menu

Videos N/A

Advantages of Folder Redirection


• Even if a user logs on to various computers on the network, their data is always
available.
• Offline File technology (which is turned on by default) gives users access to the
folder even when they are not connected to the network. This is particularly
useful for people who use portable computers.
• Data that is stored in a network folder can be backed up as part of routine
system administration. This is safer because it requires no action on the part of
the user.
• If you use Roaming User Profiles, you can use Folder Redirection to reduce the
total size of your Roaming Profile and make the user logon and logoff process
more efficient in terms of time for the end user. When you deploy Folder

Redirection with Roaming User Profiles, the data synchronized via Folder
Redirection is not part of the roaming profile and is synchronized in the
background using Offline Files after the user has logged on. As a result the user
does not need to wait for this data to be synchronized at logon/logoff as is the
case with Roaming User Profiles.
• Data that is specific to a user can be redirected to a different hard disk on the
user's local computer from the hard disk that holds the operating system files,
making the user's data safer in case the operating system has to be reinstalled.
• As an administrator, you can use Group Policy to set disk quotas, limiting the
amount of space that is taken up by user profile folders.

Selecting a Folder Redirection target


The Target tab of the folder's Properties box enables you to select the location of the
redirected folder on a network or in the local user profile. You can choose between the
following settings:
• Basic—Redirect everyone's folder to the same location. This setting
enables you to redirect everyone's folder to the same location and will be
applied to all users included in the Group Policy object (GPO). For this setting
you have the following options in specifying a target folder location:
o Create a folder for each user under the root path. This option will
create a folder in the form \\server\share\User Account Name\Folder
Name. Each user will get a unique path to their redirected folder.
o Redirect to the following location. This option will use an explicit path to the
redirection location. This can cause multiple users to share the same path to
the redirected folder.
o Redirect to the local user profile location. This option will move the location
of the folder to the local user profile under the Users folder.
• Advanced—Specify locations for various user groups. This setting enables
you to specify redirection behavior for the folder based on the security group
memberships for the GPO.
• Follow the Documents folder. This option is available only for
the Music, Pictures, and Videos folders. This option resolves any issues
related to naming and folder structure differences between Windows Vista and
earlier Windows operating systems. If you choose this option, you will not be
able to configure any additional redirection options or policy removal options for
these folders and settings will be inherited from the Documents folder.
• Not configured. This is the default setting. This setting specifies that policy-
based folder redirection has been removed for that GPO and the folders will be
redirected to the local user profile location or stay where they are based on the
redirection options selected if any existing redirection policies have been set.
No changes are being made to the current location of this folder.

Configuring additional settings for the redirected folder


In the Settings tab in the Properties box for a folder, you can enable these settings:
• Grant the user exclusive rights. This setting is enabled by default and is a
recommended setting. This setting specifies that the administrator and other
users do not have permissions to access this folder.
• Move the contents of [FolderName] to the new location. This setting moves
all the data the user has in the local folder to the shared folder on the network.
• Also apply redirection policy to Windows 2000, Windows 2000 Server,
Windows XP, and Windows Server 2003 operating systems. This enables
folder redirection to work with both Windows Vista and earlier Windows
operating systems. This option applies only to redirectable folders in earlier
Windows operating systems, which are the Application Data, Desktop, My
Documents, My Pictures, and Start Menu folders.
• Policy Removal. The following table summarizes the behavior of redirected
folders and their contents when the GPO no longer applies, based on your
selections for policy removal. The following policy removal options are available
in the Settings tab, under Policy Removal.

Policy Removal option: Redirect the folder back to the user profile location when policy is removed
Selected setting: Enabled
Result:
• The folder returns to its user profile location.
• The contents are copied, not moved, back to the user profile location.
• The contents are not deleted from the redirected location.
• The user continues to have access to the contents, but only on the local computer.

Policy Removal option: Redirect the folder back to the user profile location when policy is removed
Selected setting: Disabled
Result:
• The folder returns to its user profile location.
• The contents are not copied or moved to the user profile location.
Note: If the contents of a folder are not copied to the user profile location, the user cannot see them.

Policy Removal option: Leave the folder in the new location when policy is removed
Selected setting: Either Enabled or Disabled
Result:
• The folder remains at its redirected location.
• The contents remain at the redirected location.
• The user continues to have access to the contents at the redirected folder.

Specify the Location of Folders in a User Profile


You can use Group Policy to specify another location (in other words, "redirect" the
location) for folders within user profiles. You can redirect folders either to one location
for everyone or to various locations based on the security group membership of users.
You can also configure additional settings for the redirected folder. The settings you
can configure include whether to grant exclusive user rights to the folder, move the
contents of the folder to the new location, apply redirection policy to earlier Windows
operating systems, or specify system behavior if the policy is removed.

To specify the location of folders in a user profile


1. In the Group Policy Management Console (GPMC) tree, right-click the Group
Policy object (GPO) that is linked to the site, domain, or organizational unit that
contains the users whose user profile folders you want to redirect, and then
click Edit.
2. In the Group Policy Management Editor window, right-click the user profile
folder you want to redirect. The path to the user profile folder is User
Configuration\Policies\Windows Settings\Folder
Redirection\UserProfileFolderName
3. In the Target tab, under Settings, choose one of the following settings, follow
the steps for that setting, and then click OK:

Basic—Redirect everyone's folder to the same location
1. Under Target folder location, select a location.
2. If you want to redirect the folder to a specific location, select Create a
folder for each user under the root path or Redirect to the following
location, and then click Browse to specify a location.
3. If you want to specify additional redirection settings for the folder, click
the Settings tab to configure any of the following settings, and then
click OK:
o Grant the user exclusive rights to the folder (selected by default).
o Move the contents of the folder to the new location (selected by default).
o Apply redirection policy from Windows Vista to earlier Windows operating
systems.
o Specify policy removal settings (Leave the folder in the new location
when policy is removed is selected by default).
Advanced—Specify locations for various user groups
a. Under Security Group Membership, click Add.
b. Under Security Group Membership, click Browse to find the security
group.
c. Under Target folder location, select a location.
d. If you want to redirect the folder to a specific location, select Create a
folder for each user under the root path or Redirect to the following
location, and then click Browse to specify a location.
e. If you want to specify additional redirection settings for the folder, click
the Settings tab to configure any of the following settings, and then
click OK:
o Grant the user exclusive rights to [FolderName] (selected by default).
o Move the contents of [FolderName] to the new location (selected by
default).
o Also apply redirection policy to Windows 2000, Windows 2000
Server, Windows XP, and Windows Server 2003 operating systems.
o Specify Policy Removal settings (Leave the folder in the new location
when policy is removed is selected by default).

Follow the documents folder

This option is available only for the Music, Pictures, and Videos folders. This
selection will follow any settings you make for the Documents folder, and resolves
any issues related to naming and folder structure differences between Windows Vista
and earlier Windows operating systems. If you choose this option, you will not be able
to configure any additional redirection options or policy removal options for these
folders and settings will be inherited from the Documents folder.
Not configured
This is the default setting. No changes will be made to the current location of this
folder.
Additional considerations
• To complete this procedure, you must be logged on as a member of the Domain
Administrators security group, the Enterprise Administrators security group, or
the Group Policy Creator Owners security group.
• You can also use the Group Policy Management Console to configure the
following Folder Redirection policy settings:
o Use localized subfolder names when redirecting Start and My
Documents—This policy is located in the following paths: Computer
Configuration\Policies\Administrative Templates\System\Folder
Redirection, or User Configuration\Policies\Administrative
Templates\System\Folder Redirection.
o Do not automatically make redirected folders available offline—This
policy is located in the following path: User
Configuration\Policies\Administrative Templates\System\Folder
Redirection.

OPERATION SHEET 4.1
Deploy Folder Redirection

Prerequisites
Hardware requirements
Folder Redirection requires an x64-based or x86-based computer; it is not supported
by Windows® RT.
Software requirements
Folder Redirection has the following software requirements:
• To administer Folder Redirection, you must be signed in as a member of the
Domain Administrators security group, the Enterprise Administrators security
group, or the Group Policy Creator Owners security group.
• Client computers must run Windows 10, Windows 8.1, Windows 8, Windows 7,
Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or
Windows Server 2008.
• Client computers must be joined to the Active Directory Domain Services (AD
DS) that you are managing.
• A computer must be available with Group Policy Management and Active
Directory Administration Center installed.
• A file server must be available to host redirected folders.
o If the file share uses DFS Namespaces, the DFS folders (links) must
have a single target to prevent users from making conflicting edits on
different servers.
o If the file share uses DFS Replication to replicate the contents with
another server, users must be able to access only the source server to
prevent users from making conflicting edits on different servers.
o When using a clustered file share, disable continuous availability on the
file share to avoid performance issues with Folder Redirection and
Offline Files. Additionally, Offline Files might not transition to offline
mode for 3-6 minutes after a user loses access to a continuously

available file share, which could frustrate users who aren’t yet using the
Always Offline mode of Offline Files.
Step 1: Create a folder redirection security group

If your environment is not already set up with Folder Redirection, the first step is to
create a security group that contains all users to which you want to apply Folder
Redirection policy settings.

To create a security group for Folder Redirection

1. Open Server Manager on a computer with Active Directory Administration


Center installed.
2. On the Tools menu, click Active Directory Administration Center. Active
Directory Administration Center appears.
3. Right-click the appropriate domain or OU, click New, and then click Group.
4. In the Create Group window, in the Group section, specify the following
settings:
o In Group name, type the name of the security group, for example: Folder
Redirection Users.
o In Group scope, click Security, and then click Global.
5. In the Members section, click Add. The Select Users, Contacts, Computers,
Service Accounts or Groups dialog box appears.
6. Type the names of the users or groups to which you want to deploy Folder
Redirection, click OK, and then click OK again.

Step 2: Create a file share for redirected folders

If you do not already have a file share for redirected folders, use the following
procedure to create a file share on a server running Windows Server 2012.

To create a file share on Windows Server 2012

1. In the Server Manager navigation pane, click File and Storage Services, and
then click Shares to display the Shares page.
2. In the Shares tile, click Tasks, and then click New Share. The New Share
Wizard appears.
3. On the Select Profile page, click SMB Share – Quick. If you have File
Server Resource Manager installed and are using folder management
properties, instead click SMB Share - Advanced.
4. On the Share Location page, select the server and volume on which you
want to create the share.
5. On the Share Name page, type a name for the share (for example, Users$)
in the Share name box.
6. On the Other Settings page, clear the Enable continuous availability
checkbox, if present, and optionally select the Enable access-based
enumeration and Encrypt data access checkboxes.
7. On the Permissions page, click Customize permissions…. The Advanced
Security Settings dialog box appears.

8. Click Disable inheritance, and then click Convert inherited permissions
into explicit permission on this object.
9. Set the permissions as described in Table 4.1 and shown in Figure 4.1, removing
permissions for unlisted groups and accounts, and adding special permissions
to the Folder Redirection Users group that you created in Step 1.

Figure 4.1 Setting the permissions for the redirected folders share

10. If you chose the SMB Share - Advanced profile, on the Management
Properties page, select the User Files Folder Usage value.
11. If you chose the SMB Share - Advanced profile, on the Quota page, optionally
select a quota to apply to users of the share.
12. On the Confirmation page, click Create.

Table 4.1 Required permissions for the file share hosting redirected folders

| User Account | Access | Applies to |
|---|---|---|
| System | Full control | This folder, subfolders and files |
| Administrators | Full Control | This folder only |
| Creator/Owner | Full Control | Subfolders and files only |
| Security group of users needing to put data on share (Folder Redirection Users) | List folder / read data¹; Create folders / append data¹; Read attributes¹; Read extended attributes¹; Read permissions¹ | This folder only |
| Other groups and accounts | None (remove) | |
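The share from Step 2 and the NTFS permissions of Table 4.1, scripted in PowerShell as an added example (not part of this learning material). It assumes placeholders: volume D:, domain NetBIOS name CORP, the Step 1 group Folder Redirection Users and the share name Users$; it needs an elevated PowerShell on Windows Server 2012 or later for New-SmbShare, plus the in-box icacls.exe.

```powershell
# Added example, not from the original learning material: script the redirected-
# folders share (Step 2) and the NTFS permissions of Table 4.1.
# Placeholders (assumptions): volume D:, domain CORP, group from Step 1, share Users$.
# Requires an elevated PowerShell on Windows Server 2012 or later (SmbShare module).

$SharePath  = 'D:\Users'
$ShareName  = 'Users$'
$RedirGroup = 'CORP\Folder Redirection Users'

New-Item -Path $SharePath -ItemType Directory -Force | Out-Null

# Step 2, item 8: disable inheritance. /inheritance:r removes every inherited ACE,
# so only the entries added below will exist on the share root.
icacls $SharePath /inheritance:r | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'icacls could not remove inheritance' }

# Table 4.1 rows as icacls grants.
# Inheritance flags: (OI) object inherit, (CI) container inherit, (IO) inherit only
# (the ACE does not apply to the share root itself).
# Specific rights for the user group: RD = list folder / read data,
# AD = create folders / append data, RA = read attributes,
# REA = read extended attributes, RC = read permissions. No WD (write data) and
# no D (delete): a user can create their own folder but cannot touch others'.
$aces = @(
    'NT AUTHORITY\SYSTEM:(OI)(CI)(F)',      # this folder, subfolders and files
    'BUILTIN\Administrators:(F)',           # this folder only
    'CREATOR OWNER:(OI)(CI)(IO)(F)',        # subfolders and files only
    "${RedirGroup}:(RD,AD,RA,REA,RC)"       # this folder only
)
foreach ($ace in $aces) {
    icacls $SharePath /grant:r $ace | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for '$ace'" }
}

# Step 2, item 6: continuous availability off (see the Offline Files note in the
# prerequisites), access-based enumeration and SMB encryption on.
# The share-level permission is deliberately broad; the NTFS ACL above is the
# effective access control, exactly as in the wizard-based procedure.
New-SmbShare -Name $ShareName -Path $SharePath `
    -FullAccess 'NT AUTHORITY\Authenticated Users' `
    -ContinuouslyAvailable $false `
    -FolderEnumerationMode AccessBased `
    -EncryptData $true | Out-Null

# Verify the result against Table 4.1 before pointing Group Policy at the share.
$acl = Get-Acl -Path $SharePath
if ($acl.Access | Where-Object { $_.IsInherited }) {
    throw 'Inherited ACEs are still present on the share root'
}
$groupAces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $RedirGroup }
if (-not $groupAces) { throw "No ACE found for $RedirGroup" }
$tooMuch = [System.Security.AccessControl.FileSystemRights]'WriteData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions'
foreach ($g in $groupAces) {
    if (($g.FileSystemRights -band $tooMuch) -ne 0) {
        throw "$RedirGroup holds write or delete rights on the share root"
    }
}
icacls $SharePath
Get-SmbShare -Name $ShareName |
    Format-List Name, Path, ContinuouslyAvailable, FolderEnumerationMode, EncryptData
```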

Step 3: Create a GPO for Folder Redirection

If you do not already have a GPO created for Folder Redirection settings, use the
following procedure to create one.
To create a GPO for Folder Redirection
1. Open Server Manager on a computer with Group Policy Management installed.
2. From the Tools menu click Group Policy Management. Group Policy
Management appears.
3. Right-click the domain or OU in which you want to set up Folder Redirection and
then click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, type a name for the GPO (for example, Folder
Redirection Settings), and then click OK.
5. Right-click the newly created GPO and then clear the Link Enabled checkbox.
This prevents the GPO from being applied until you finish configuring it.
6. Select the GPO. In the Security Filtering section of the Scope tab,
select Authenticated Users, and then click Remove to prevent the GPO from
being applied to everyone.
7. In the Security Filtering section, click Add.
8. In the Select User, Computer, or Group dialog box, type the name of the
security group you created in Step 1 (for example, Folder Redirection Users),
and then click OK.
9. Click the Delegation tab, click Add, type Authenticated Users, click OK, and
then click OK again to accept the default Read permissions.

Step 4: Configure folder redirection with Offline Files

After creating a GPO for Folder Redirection settings, edit the Group Policy settings to
enable and configure Folder Redirection, as discussed in the following procedure.
To configure Folder Redirection in Group Policy
1. In Group Policy Management, right-click the GPO you created (for
example, Folder Redirection Settings), and then click Edit.
2. In the Group Policy Management Editor window, navigate to User
Configuration, then Policies, then Windows Settings, and then Folder
Redirection.
3. Right-click a folder that you want to redirect (for example, Documents), and
then click Properties.
4. In the Properties dialog box, from the Setting box click Basic - Redirect
everyone’s folder to the same location.
5. In the Target folder location section, click Create a folder for each user
under the root path and then in the Root Path box, type the path to the file
share storing redirected folders, for example: \\fs1.corp.contoso.com\users$
6. Click the Settings tab, and in the Policy Removal section, optionally
click Redirect the folder back to the local userprofile location when the
policy is removed (this setting can help make Folder Redirection behave
more predictably for administrators and users).
7. Click OK, and then click Yes in the Warning dialog box.

Step 5: Enable the Folder Redirection GPO
Once you have completed configuring the Folder Redirection Group Policy settings,
the next step is to enable the GPO, permitting it to be applied to affected users.
To enable the Folder Redirection GPO
1. Open Group Policy Management.
2. Right-click the GPO that you created, and then click Link Enabled. A checkbox
appears next to the menu item.
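
A check of the GPO link state and security filtering configured in Steps 3 and 5, written in PowerShell as an added example (not part of this learning material). It assumes the GroupPolicy module on the computer with Group Policy Management installed, and placeholder names for the GPO, the security group and the OU the GPO is linked to.

```powershell
# Added example, not from the original learning material: verify the GPO scope
# from Step 3 (items 5-9) and Step 5 with the GroupPolicy module.
# Placeholders (assumptions): GPO name, group name and the OU the GPO is linked to.
Import-Module GroupPolicy

$GpoName   = 'Folder Redirection Settings'
$GroupName = 'Folder Redirection Users'
$LinkedOu  = 'OU=Staff,DC=corp,DC=contoso,DC=com'   # placeholder

function Test-FolderRedirectionGpoScope {
    param([string]$Gpo, [string]$Group, [string]$Target)
    $problems = @()

    # Security Filtering (Step 3, items 6-9). Get-GPPermission reports one
    # permission level per trustee: GpoApply means "Apply group policy",
    # GpoRead means Read only (what Step 3 item 9 delegates to Authenticated Users
    # so that clients can still read the GPO without it applying to everyone).
    $perms = Get-GPPermission -Name $Gpo -All
    $authUsers = $perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
    if ($authUsers | Where-Object { $_.Permission -eq 'GpoApply' }) {
        $problems += 'Authenticated Users still has Apply: the GPO applies to everyone'
    }
    if (-not $authUsers) {
        $problems += 'Authenticated Users has no Read delegation; clients cannot read the GPO'
    }
    if (-not ($perms | Where-Object { $_.Trustee.Name -eq $Group -and $_.Permission -eq 'GpoApply' })) {
        $problems += "Group '$Group' is not in Security Filtering (no Apply permission)"
    }

    # Link state: Step 3 item 5 clears Link Enabled, Step 5 sets it again.
    $link = (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.DisplayName -eq $Gpo }
    if (-not $link) {
        $problems += "GPO '$Gpo' is not linked to $Target"
    } elseif (-not $link.Enabled) {
        $problems += "Link for '$Gpo' is still disabled (Step 5 not done)"
    }

    return $problems
}

$issues = Test-FolderRedirectionGpoScope -Gpo $GpoName -Group $GroupName -Target $LinkedOu
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    'GPO scope matches Steps 3 and 5'
}
```
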
Step 6: Test Folder Redirection

To test Folder Redirection, sign in to a computer with a user account configured for
Folder Redirection. Then confirm that the folders and profiles are redirected.

To test Folder Redirection

1. Sign in to a primary computer (if you enabled primary computer support) with a
user account for which you have enabled Folder Redirection.
2. If the user has previously signed in to the computer, open an elevated
command prompt, and then type the following command to ensure that the
latest Group Policy settings are applied to the client computer:

gpupdate /force

3. Open File Explorer.
4. Right-click a redirected folder (for example, the My Documents folder in the
Documents library), and then click Properties.
5. Click the Location tab, and confirm that the path displays the file share you
specified instead of a local path.

APPENDIX A: CHECKLIST FOR DEPLOYING FOLDER REDIRECTION

1. Prepare domain

- Join computers to domain

- Create user accounts

2. Create security group for Folder Redirection

- Group name:

- Members:

3. Create a file share for redirected folders

- File share name:

4. Create a GPO for Folder Redirection

- GPO name:

5. Configure Folder Redirection and Offline Files policy settings

- Redirected folders:

- Windows 2000, Windows XP, and Windows Server 2003 support enabled?

- Offline Files enabled? (enabled by default on Windows client computers)

- Always Offline Mode enabled?

- Background file synchronization enabled?

- Optimized Move of redirected folders enabled?

6. (Optional) Enable primary computer support

- Computer-based or User-based?

- Designate primary computers for users

- Location of user and primary computer mappings:

- (Optional) Enable primary computer support for Folder Redirection

- (Optional) Enable primary computer support for Roaming User Profiles

7. Enable the Folder Redirection GPO

8. Test Folder Redirection

ACTIVITY SHEET 4.3

Direction: Summarize procedures for the following task:

1. Create folder and shared folder with security (5 points)
   Refer to the previous lesson about file and folder sharing.
2. Create group policy for folder re-direction (10 points)
3. Test re-direction/home directory (5 points)

SELF CHECK 4.1

Direction: Choose the correct answer from the given choices. Write your answers on
a separate sheet of paper.

A. Advanced—Specify locations for various user groups
B. Basic—Redirect everyone's folder to the same location
C. File and Storage Services
D. Folder Redirection
E. Group Policy Management Console
F. Not configured
G. Redirect to the following location
H. Redirect to the local user profile location
I. Target tab
J. x64-based or x86-based computer

11. Includes technologies that help you set up and manage one or more file
servers, which are servers that provide central locations on your network where
you can store files and share them with users.
12. Enables you to redirect the location of specific folders within user profiles to a
new location, such as a shared network location.
13. Where you can configure Folder Redirection to redirect specific user profile
folders, as well as edit Folder Redirection policy settings.
14. Hardware requirements for folder redirection.
15. Enables you to select the location of the redirected folder on a network or in the
local user profile.
16. This setting enables you to redirect everyone's folder to the same location and
will be applied to all users included in the Group Policy object
17. This option will use an explicit path to the redirection location.
18. This option will move the location of the folder to the local user profile under
the Users folder.
19. This setting enables you to specify redirection behavior for the folder based on
the security group memberships for the GPO.
20. No changes are being made to the current location of this folder.

ASSIGNMENT SHEET 4.1

Direction: On your portfolio notebook, write your insight about the lesson

I understand that __________________________________

I realize that _____________________________________

LESSON 5 Print and Document Services Deployment

Learning Objectives
At the end of the lesson, the learner should be able to:
a. Describe Print and Document Services
b. Describe how to install and configure Print Server
c. Manage printers and print servers in a network

ACTIVITY SHEET 3.1

Technical Terms

Direction: Try to identify the words related to our lesson.

Pre-Test 5.1

Direction: Choose carefully from the given options. Write the correct letter of your
answer on a separate sheet of paper.

A. Server Manager
B. Scan Management
C. Printer driver
D. Printer
E. Print Services role
F. Print Services Tools
G. Print queue
H. Print Management
I. Fax Service Manager
J. Deploy with Group Policy

1. This snap-in enables you to manage printers, print queues, printer drivers, and
printer connections.
2. This snap-in enables you to manage scanners and scan processes. Scan
processes allow you to define how to process scanned documents, and then
route them to network folders, SharePoint sites, and to e-mail recipients.
3. This snap-in enables you to configure fax devices for incoming and outgoing
fax traffic, specify who can use a fax device, set routing rules for incoming and
outgoing faxes, and configure a fax archiving policy.
4. Server Manager to install the Print Services server role, optional role services,
and features
5. This installs the Print Management snap-in and configures the server to be a
print server.
6. Installs the Print Management snap-in, but it does not configure the server to
be a print server.
7. To deploy printer connections to users or computers by using Group Policy in
Print Management.
8. Software on a computer that converts the data to be printed to a format that
a printer can understand.
9. List of printer output jobs held in a reserved memory area. It maintains the most
current status of all active and pending print jobs.
10. Device that accepts text and graphic output from a computer and transfers the
information to paper, usually to standard size sheets of paper.
ACTIVITY SHEET 5.2
Let Us Review

Direction: Answer the following questions on your portfolio notebook.

1. What is Group Policy?

2. When do we use the Group Policy Management Console and Group Policy Editor

Snap-in?

INFORMATION SHEET 5.1
Print, Scan, Fax Server Installation Guide

This guide describes how to install and configure Print Server, Distributed
Scan Server, and Fax Server on a single computer running Windows Server 2008 R2.
Print Server and Distributed Scan Server are role services included in the Print and
Document Services server role, and Fax Server is a role. You can use Print Server,
Distributed Scan Server, and Fax Server to help you automate document processes
in your organization and provide a central administration point for sharing and
managing network printers, scanners, and fax devices.

You can install these features using the Add Roles Wizard. However,
after you complete the wizard, you must add, share, and configure network printers,
scanners, and fax devices separately. As part of installation, associated Microsoft
Management Console (MMC) snap-ins, services, and other tools are installed. You
can use these tools to perform the additional sharing and configuration tasks.

To perform all tasks described in this topic, you must be a member of the
Administrators group, or you must have been delegated the appropriate permissions.

This guide contains the following sections:

• Step 1: Installing software components

• Step 2: Configuring the server

• Step 3: Adding and sharing print, scan, and fax devices

Step 1: Installing software components

You can use the Add Roles Wizard in Server Manager to install the Print and
Document Services role (needed for the Print Server and Distributed Scan Server
role services), the Fax Server role, associated role services, MMC snap-ins, and
tools.

The following MMC snap-ins are installed:

• Print Management. This snap-in enables you to manage printers, print
queues, printer drivers, and printer connections.
• Scan Management. This snap-in enables you to manage scanners and scan
processes. Scan processes allow you to define how to process scanned
documents, and then route them to network folders, SharePoint sites, and to
e-mail recipients.
• Fax Service Manager. This snap-in enables you to configure fax devices for
incoming and outgoing fax traffic, specify who can use a fax device, set routing
rules for incoming and outgoing faxes, and configure a fax archiving policy.

You can also use these snap-ins to define user and group security permissions for
accessing and using network printers, scan processes, and fax devices.

Important

You must install Print Server first before you can install Fax Server.

This section contains the following instructions:

• To install the Print and Document Services role
• To install the Fax Server role

To install the Print and Document Services role

1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In the left pane of Server Manager, right-click Roles, and then click Add
Roles.
3. In the Add Roles Wizard, on the Select Server Roles page, select the check
box for Print and Document Services.
4. On the Add Role Services page, select the Distributed Scan Server check
box. Follow the instructions in the wizard to configure the scan server service
account, e-mail server information, temporary scan folder and size, and server
authentication certificate. This installs the Distributed Scan Server role service
and Scan Management snap-in, and configures the server to be a scan
server.
5. On the same page, select the Print Server check box. This installs the Print
Server role service and Print Management snap-in, and configures the server
to be a print server.
6. If you want to allow users to manage print jobs on this server, also check
the Internet Printing check box. This creates a Web site hosted by Internet
Information Services (IIS) that users can access with a Web browser.
7. If you want to allow non-Windows-based users to print to shared printers on
this server, also check the LPD Service check box.
8. Follow the detailed instructions in the Add Roles Wizard to configure the print
server and scan server service accounts, storage folders, certificates, and
user security permissions.

You will now need to run the Add Roles Wizard again to install the Fax Server role.
(If you have not installed the Print and Document Services role yet, you must follow
the prior procedure before you install the Fax Server role.)

Before you begin installing the Fax Server role, make sure that any modem devices
have been installed on the server. If you plan to install a new modem device, you
can save time by installing it before you set up the Fax Server role. We recommend
that you install the Fax Server role locally—not by using a Remote Desktop
connection. (You can install the Fax Server role remotely, but you need to make sure
that local resource sharing is turned off.)

To install the Fax Server role

1. In the left pane of Server Manager, right-click Roles, and then click Add
Roles.
2. In the Add Roles Wizard, on the Select Server Roles page, select the Fax
Server check box. This installs the Fax Server role page, Fax Service
Manager, the Fax service, and the Fax printer.
3. Follow the instructions in the wizard to set up the Fax Server service account
and fax users.
4. Continue through the wizard until you reach the Confirm Installation
Selections page and review the choices that you made. Click Install.
5. After the wizard closes, to confirm the installation of the Fax printer,
click Start, click Run, and then type: control printers.
6. Confirm that a printer named Fax exists. If it does not, then restart the
computer. (Or, if you cannot restart the computer, stop and restart the Print
Spooler service instead. To do this, in Services, in the right pane, right-
click Print Spooler, and click Stop. Then right-click Print Spooler again, and
click Start.)

Step 2: Configuring the server

Part of the configuration of the server takes place during installation. However, there
are a few issues that might apply to your environment that involve post-configuration,
including the following:

• In order to support client computers that use different processor architectures
than Print Server, you must install additional printer drivers. For example, if
your server is running a 64-bit version of Windows and you want to support
client computers running 32-bit versions of Windows, you must install x86-based
drivers for each printer.
• To detect Web Services on Devices (WSD) printers and scanners to view and
monitor them on your network, network discovery must be enabled. To detect
WSD printers, the PnP-X IP Bus Enumerator service must also be running.
• Write and List permissions are needed to run scan processes. The Read
permission is needed to read scan processes stored in Active Directory
Domain Services (AD DS). You should consider removing any unneeded
permissions from the Distributed Scan Server service account.
• For the fax server, you may need to configure phone and modem settings.

This section contains the following instructions:

• To add client printer drivers to the print server
• To detect WSD printers and scanners on the network
• To configure settings for the scan server
• To configure phone and modem settings for the fax server

To add client printer drivers to the print server

1. Click Start, point to Administrative Tools, and then click Print
Management.
2. In the left pane, click Print Servers, click the print server object, and then
click Printers.
3. In the center pane, right-click the printer you want to add additional printer
drivers to, and then click Manage Sharing.
4. Click Additional Drivers. The Additional Drivers dialog box appears.
5. Select the check box of the processor architecture for the drivers that you
want to add.
6. If the print server does not already have the appropriate printer drivers in its
driver store, Windows prompts you for the location of the driver files.
Download and extract the appropriate driver files, and then in the dialog box
that appears, specify the path to the .inf file of the driver.
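
A report of which shared printers still lack a driver for the other processor architecture, the situation the procedure above fixes, written in PowerShell as an added example (not part of this guide). It assumes the PrintManagement module, which ships with Windows Server 2012 / Windows 8 and later (newer than the Windows Server 2008 R2 this guide describes), and a placeholder print server name.

```powershell
# Added example, not from the original guide: list shared printers on a print
# server whose driver is not installed for both client architectures.
# Assumes the PrintManagement module (Windows Server 2012 / Windows 8 or later)
# and remote management rights on the server; the server name is a placeholder.

$PrintServer = 'PRINTSRV01'   # placeholder

function Get-MissingPrinterDriverArch {
    param([string]$ComputerName)

    # Get-PrinterDriver returns one object per driver name per environment,
    # e.g. PrinterEnvironment "Windows x64" and "Windows NT x86".
    $drivers = Get-PrinterDriver -ComputerName $ComputerName
    $wanted  = @('Windows x64', 'Windows NT x86')

    Get-Printer -ComputerName $ComputerName |
        Where-Object { $_.Shared } |
        ForEach-Object {
            $printer = $_
            $drv = $drivers | Where-Object { $_.Name -eq $printer.DriverName }

            # Version 4 (class) drivers are skipped: clients do not download
            # per-architecture drivers from the server for them, so the
            # "Additional Drivers" step does not apply.
            if ($drv | Where-Object { $_.MajorVersion -eq 4 }) { return }

            $have    = @($drv | Select-Object -ExpandProperty PrinterEnvironment)
            $missing = $wanted | Where-Object { $_ -notin $have }
            if ($missing) {
                [pscustomobject]@{
                    Printer   = $printer.Name
                    ShareName = $printer.ShareName
                    Driver    = $printer.DriverName
                    Installed = ($have -join ', ')
                    Missing   = ($missing -join ', ')
                }
            }
        }
}

# Each row is a shared printer that 32-bit or 64-bit clients cannot yet
# install from this server via Point and Print.
Get-MissingPrinterDriverArch -ComputerName $PrintServer | Format-Table -AutoSize
```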

To detect WSD printers and scanners on the network

1. To enable network discovery of printers and scanners, click Start,
click Control Panel, and then click Network and Internet.
2. On the Network and Internet page, click Network and Sharing Center.
3. On the Network and Sharing Center page, click Change advanced sharing
settings.
4. On the Advanced sharing settings page, click the Domain drop-down
arrow, click Turn on network discovery, and then click Save changes.
5. Then, to start the PnP-X IP Bus Enumerator service, click Start,
click Administrative Tools and then click Services.
6. In the center pane, right-click PnP-X IP Bus Enumerator, and then
click Start.

To configure settings for the scan server

1. To open Server Manager, click Start, point to Administrative Tools, and then
click Server Manager.
2. In the left pane, click Roles and then click Print and Document Services.
3. In the right pane, click Scan Server Configuration Wizard.
4. Follow the instructions in the Scan Server Configuration Wizard to change the
scan server service account, e-mail server information, temporary scan folder
and size, server authentication certificate, and the scan server security option.
5. After the scan server is configured, download the Active Directory Schema
Extensions LDF file to your domain controller if you have a Windows
Server 2003 or Windows Server 2008 domain environment. This LDF file
extends the AD DS schema to include scan process container objects. Scan
process information is stored in AD DS. After you apply this schema, the scan
servers you set up in the domain will work with the new schema.

To configure phone and modem settings for the fax server

1. To open Phone and Modem Options, click Start, click Run, and then
type: control telephony.
2. In the Location Information dialog box, enter information for your
country/region, area/city code, carrier code, dialing an outside line, and
whether you use tone or pulse dialing.

Step 3: Adding and sharing print, scan, and fax devices

Now you are ready to add and share devices.

You can use the MMC snap-ins to manage printers, scanners, and fax devices that
are located on the same subnet as your server.

This section contains the following instructions:

• To add a network printer to the print server
• To add a network scanner to the scan server
• To add and share a fax printer for network users

To add a printer by IP address or host name, you must be a member of the local
Administrators group or must be granted the Manage Server and View Server
permissions.

To add a network printer to the print server

1. Click Start, point to Administrative Tools, and then click Print
Management.
2. In the left pane, click Print Servers, click the print server object, right-
click Printers, and then click Add Printer.
3. On the Printer Installation page of the Network Printer Installation Wizard,
click Search the network for printers, and then click Next. If prompted,
specify which driver to install for the printer.

You can use the Scan Management snap-in to add scanners that you want to
manage on your network.

To add a network scanner to the scan server

1. Click Start, point to Administrative Tools, and then click Scan Management.
2. In the left pane, click Scan Management, right-click Managed Scanners, and
then click Manage.
3. To add a scanner, in the Add or Remove Scanners dialog box, type the host
name, IP address, or URI of the scanner, and then click Add.

When you install the Fax Server role, a local fax printer connection, Fax, is
automatically created in the Printers folder in Control Panel. If you have installed the
Fax Server role and already have a fax printer installed, you should follow the steps in
the following procedure to share the printer so that users can connect to it.

After you install the Fax Server role, you can access the Windows Fax and Scan
feature by clicking Start, and then clicking All Programs. On a fax server, you can
use Windows Fax and Scan to send faxes, add accounts, and to monitor the incoming
fax queue, the inbox, and the outbox. Users who are using computers running
Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate, and
certain versions of Windows 7 can use this feature to send faxes and configure fax
receipts.

To add and share a fax printer for network users

1. Click Start, click All Programs, and then click Windows Fax and Scan.
2. Click Tools, and then click Fax Accounts.
3. In Fax Accounts, click Add to open Fax Setup.
4. On the Choose a fax modem or server page, click Connect to a fax modem.
5. You may be asked to install a modem. To do this, follow the instructions in the
Add Hardware Wizard.
6. On the Choose a modem name page, type a name for the fax modem, and then
click Next. The default name is Fax Modem.
7. On the Choose how to receive faxes page, click the option that you prefer.
8. The new fax modem should appear in Fax Accounts, under Account Name.
9. Then, to share the printer that has been created, click Start, and then
click Control Panel.
10. Under Hardware, click View devices and printers.
11. In the list of printers, right-click Fax, click Printer properties, click
the Sharing tab, select Share this printer, and then type a name for the printer
that you want your network users to see.
12. If you want to enable users with computers running different versions of Windows
to use this printer, click Additional Drivers to install the needed drivers.
13. In Additional Drivers, select the check box for the architecture that you want to
support. You are prompted to provide a path to the driver. Provide the path to
the %Systemdrive%\Windows\System32\DriverStore\FileRepository\prnms002.inf*
file on a computer for the architecture that you want to support.
14. To confirm that the files were copied properly, in Windows Explorer, navigate
to %Systemdrive%\Windows\System32\spool\drivers\ and look for the folder
that contains the files for the selected architectures.

INFORMATION SHEET 5.2
Print Management Step-by-Step Guide

There are two primary tools that you can use to administer a Windows
print server in Windows Server® 2008: Server Manager and Print Management. You
can use Server Manager to install the Print Services server role, optional role services,
and features. Server Manager also displays print-related events from Event Viewer
and includes an instance of the Print Management snap-in, which can administer the
local server only.
Print Management provides a single interface that administrators can use
to efficiently administer multiple printers and print servers and is the primary focus of
this document. You can use Print Management to manage printers on computers that
are running Microsoft® Windows® 2000, Windows XP, Windows Server® 2003,
Windows Vista®, or Windows Server 2008.

What Is Print Management?

The Print Management snap-in is available in the Administrative Tools
folder on computers running Windows Vista Business, Windows Vista Enterprise,
Windows Vista Ultimate and Windows Server 2008. You can use it to install, view, and
manage all of the printers and Windows print servers in your organization.

Print Management provides current details about the status of printers
and print servers on the network. You can use Print Management to install printer
connections to a group of client computers simultaneously and to monitor print queues
remotely. Print Management can help you find printers that have an error condition by
using filters. It can also send e-mail notifications or run scripts when a printer or print
server needs attention. On printers that provide a Web-based management interface,
Print Management can display more data, such as toner and paper levels.

Note

To manage a remote print server, you must be a member of the Print Operators or
Server Operators groups, or the local Administrators group on the remote print server.
You do not need these credentials to monitor remote print servers, though some
functionality will be disabled.

Who Should Use Print Management?

This guide is targeted at the following audiences:

• Print Administrators and Help Desk professionals.
• Information Technology (IT) planners and analysts who are evaluating the
product.
• Enterprise IT planners and designers.

Benefits of Print Management

Print Management saves the print administrator a significant amount of time installing
printers on client computers and managing and monitoring printers. Tasks that can
require up to 10 steps on individual computers now can be accomplished in 2 or 3
steps on multiple computers simultaneously and remotely.

By using Print Management with Group Policy, you can automatically make printer
connections available to users and computers in your organization. In addition, Print
Management can automatically search for and install network printers on the local
subnet of your local print servers.

In This Guide

• Requirements for Print Management
• Security Requirements
• Deploying Printers and Print Servers
• Managing Printers and Print Servers
• Additional Resources

Requirements for Print Management

To use Print Management on Windows Server 2008, you must install the print server
role on the computer where you want to use Print Management. On computers running
Windows Vista, the Print Management snap-in is automatically installed and available
through Microsoft Management Console (MMC).

To deploy printer connections by using Group Policy, your environment must meet the
following requirement:

• The Active Directory Domain Services (AD DS) schema must use a Windows
Server 2003 R2 or Windows Server 2008 schema version.

We recommend that you first use the steps provided in this guide in a test lab
environment. Use this step-by-step guide along with accompanying documentation to
implement Windows server features. For more information, see Additional Resources
later in this guide.

Security Requirements

To manage a remote print server, you must be a member of the Print Operators or
Server Operators groups, or the local Administrators group on the remote print server.
You do not need these credentials to monitor remote print servers, though some
functionality will be disabled.

To use Print Management (Printmanagement.msc) with Group Policy, you must be a
member of the local Administrators group and have write access to Group Policy
objects (GPOs) in the AD DS domain or the organizational unit (OU) to which you want
to deploy printer connections.

It is good practice for administrators to use an account with restrictive permissions to
perform routine, non-administrative tasks and to use an account with broader
permissions only when performing specific administrative tasks.

Deploying Printers and Print Servers

The following sections provide information about how to deploy printers and print
servers:

1. Step 1: Install and Open Print Management
2. Step 2: Add and Remove Print Servers
3. Step 3: Migrate Print Servers
4. Step 4: Add Network Printers Automatically
5. Step 5: Deploy Printers by Using Group Policy
6. Step 6: List and Remove Printers from Active Directory Domain Services

Step 1: Install and Open Print Management

Print Management is installed by default on computers running Windows Vista
Business, Windows Vista Enterprise, and Windows Vista Ultimate, but it is not
installed on computers running Windows Server 2008. Use one of the following
methods to install the Print Management snap-in on a computer running Windows
Server 2008:

• From Server Manager, use the Add Roles Wizard to install the Print
Services role. This installs the Print Management snap-in and configures the
server to be a print server.
• From Server Manager, use the Add Features Wizard to install the Print
Services Tools option of the Remote Server Administration Tools feature.
The Print Services Tools option installs the Print Management snap-in, but it
does not configure the server to be a print server.

To open Print Management on a computer running Windows Vista or Windows


Server 2008, in the Administrative Tools folder, double-click Print Management.

108
Step 2: Add and Remove Print Servers

Print Management (Printmanagement.msc) allows you to manage printers that are running on print servers running Windows 2000 or later.

Note
The print server role must be installed and you must be a member of the Administrators group to perform these procedures.

To add print servers to Print Management
1. Open the Administrative Tools folder, and then double-click Print Management.
2. In the Print Management tree, right-click Print Management, and then click Add/Remove Servers.
3. In the Add/Remove Servers dialog box, under Specify print server, in Add server, do one of the following:
   o Type the name.
   o Click Browse to locate and select the print server.
4. Click Add to List.
5. Add as many print servers as you want, and then click OK.

To remove print servers from Print Management
1. Open the Administrative Tools folder, and then double-click Print Management.
2. In the Print Management tree, right-click Print Management, and then click Add/Remove Servers.
3. In the Add/Remove Servers dialog box, under Print servers, select one or more servers, and click Remove.

Step 3: Migrate Print Servers

You can use the Printer Migration Wizard or the Printbrm.exe command-line tool to export print queues, printer settings, printer ports, and language monitors, and then import them on another print server running a Windows operating system. This is an efficient way to consolidate multiple print servers or replace an older print server.

Note
The Printer Migration Wizard and the Printbrm.exe command-line tool were introduced in Windows Vista. They replace Print Migrator 3.1.

Migrating print servers
• Migrate print servers using Print Management
• Migrate print servers using a command prompt

To migrate print servers by using Print Management
1. Open the Administrative Tools folder, and then click Print Management.
2. In the Print Management tree, right-click the name of the computer that contains the printer queues that you want to export, and then click Export printers to a file. This launches the Printer Migration Wizard.
3. On the Select the file location page, specify the location to save the printer settings, and then click Next to save the printers.
4. Right-click the destination computer on which you want to import the printers, and then click Import printers from a file. This launches the Printer Migration Wizard.
5. On the Select the file location page, specify the location of the printer settings file, and then click Next.
6. On the Select import options page, specify the following import options:
   o Import mode. Specifies what to do if a specific print queue already exists on the destination computer.
   o List in the directory. Specifies whether to publish the imported print queues in the Active Directory Domain Services.
   o Convert LPR Ports to Standard Port Monitors. Specifies whether to convert Line Printer Remote (LPR) printer ports in the printer settings file to the faster Standard Port Monitor when importing printers.
7. Click Next to import the printers.

To migrate print servers by using a command prompt
1. To open a Command Prompt window, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. Type:

   CD %WINDIR%\System32\Spool\Tools
   Printbrm -s \\<sourcecomputername> -b -f <filename>.printerExport

3. Type:

   Printbrm -s \\<destinationcomputername> -r -f <filename>.printerExport

TO MIGRATE PRINT SERVERS BY USING A COMMAND PROMPT

Value                       Description
<sourcecomputername>        The Universal Naming Convention (UNC) name of the source computer.
<destinationcomputername>   The Universal Naming Convention (UNC) name of the destination computer.
<filename>                  The file name for the printer settings file. Use the .printerExport or .cab file extension.

Additional considerations
• The Printer Migration Wizard and Printbrm.exe can import custom forms and
color profiles to the local computer only, and they do not support printer settings
that are exported using the Print Migrator tool.
• The Printer Migration Wizard and Printbrm.exe can import and export printers
on computers running Windows 2000, Windows XP, Windows Server 2003,
Windows Vista, or Windows Server 2008. However, some drivers might not
import properly on some operating systems. For example, computers running
Windows 2000 do not support x64-based printer drivers.
• You can use the Task Scheduler feature of Windows to schedule the
Printbrm.exe tool to regularly export or import printers. You can use this feature
to supplement system backups.
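The two Printbrm commands from the command-prompt procedure, combined into a script that can be run by hand or from Task Scheduler as the last bullet suggests. This is an added example and is not part of the lesson or of Microsoft's documentation. The server names (PRINTSRV01, PRINTSRV02) and the folder C:\PrintBackups are placeholders, and the -q option, which lists the contents of an export file without importing it, is a Printbrm option that the lesson does not show.

```powershell
# Added example (not from the lesson): scripted export of a print server with Printbrm.exe,
# optionally followed by an import on a second server. Run from an elevated PowerShell prompt
# under an account with the permissions listed at the start of this lesson.
# PRINTSRV01 / PRINTSRV02 and C:\PrintBackups are placeholder values.
param(
    [Parameter(Mandatory = $true)]
    [string] $SourceServer,                         # e.g. PRINTSRV01 (placeholder)
    [string] $DestinationServer = '',               # e.g. PRINTSRV02 (placeholder); leave empty to export only
    [string] $BackupFolder      = 'C:\PrintBackups' # placeholder path on the computer running the script
)

# Printbrm.exe lives in the Spool\Tools folder named in the lesson; it is installed with the Print Services Tools.
$printbrm = Join-Path $env:WINDIR 'System32\Spool\Tools\Printbrm.exe'
if (-not (Test-Path $printbrm)) {
    throw "Printbrm.exe was not found at $printbrm. Install the Print Services Tools first."
}
if (-not (Test-Path $BackupFolder)) {
    New-Item -ItemType Directory -Path $BackupFolder | Out-Null
}

# A time-stamped file name keeps earlier exports available if an import has to be rolled back.
$stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$exportFile = Join-Path $BackupFolder ('{0}-{1}.printerExport' -f $SourceServer, $stamp)

# Export print queues, settings, ports and language monitors from the source server (-b = backup).
& $printbrm -s "\\$SourceServer" -b -f $exportFile
if ($LASTEXITCODE -ne 0) {
    throw "Export from \\$SourceServer failed (Printbrm exit code $LASTEXITCODE)."
}

# List what the file contains before importing it anywhere (-q = query; an option not shown in the lesson).
& $printbrm -q -f $exportFile

if ($DestinationServer -ne '') {
    # Restore on the destination server (-r = restore). Review the -q output first so that
    # queues already present on the destination are not replaced by surprise.
    & $printbrm -s "\\$DestinationServer" -r -f $exportFile
    if ($LASTEXITCODE -ne 0) {
        throw "Import to \\$DestinationServer failed (Printbrm exit code $LASTEXITCODE)."
    }
}

Write-Output "Export saved as $exportFile"
```

To run the export regularly, save the script (for example as C:\Scripts\Export-PrintServer.ps1, a placeholder path) and register it with Task Scheduler, for instance `schtasks /Create /SC WEEKLY /D SUN /ST 02:00 /TN "Print server export" /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Export-PrintServer.ps1 -SourceServer PRINTSRV01"`, using /RU and /RP to run it as an account that is a member of one of the groups listed at the start of the lesson rather than as a personal administrator account.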
Step 4: Add Network Printers Automatically
Print Management (Printmanagement.msc) can automatically detect all the printers
that are located on the same subnet as the computer on which you are running Print
Management, install the appropriate printer drivers, set up the queues, and share the
printers.
To automatically add network printers to a printer server
1. Open the Administrative Tools folder, and then double-click Print
Management.
2. In the Printer Management tree, right-click the appropriate server, and then
click Add Printer.
3. On the Printer Installation page of the Network Printer Installation Wizard,
click Search the network for printers, and then click Next. If prompted,
specify which driver to install for the printer.
Note
To detect network printers on the same subnet as a remote server, use Remote
Desktop to log on to the print server, open Print Management and add the network
printer.
Step 5: Deploy Printers by Using Group Policy
You can use Print Management (Printmanagement.msc) with Group Policy to
automatically deploy printer connections to users or computers and install the
appropriate printer drivers. This method of installing a printer is useful in a laboratory,
classroom, or branch office setting where most computers or users need to access the
same printers. It is also a useful method for deploying printer drivers to users who are
not members of the local Administrators group and are running Windows Vista.
To deploy printer connections by using Group Policy, your environment must meet the
following requirement:
• The Active Directory Domain Services (AD DS) schema must use a Windows
Server 2003 R2 or Windows Server 2008 schema version.
To deploy printer connections by using Group Policy, use the following sections:
• Deploy printer connections
• Change driver installation security for printers deployed using Group Policy
Deploy printer connections
To deploy printer connections to users or computers by using Group Policy, use
the Deploy with Group Policy dialog box in Print Management. This adds the printer
connections to a Group Policy object (GPO).
To deploy printers to users or computers by using Group Policy
1. Open the Administrative Tools folder, and then double-click Print
Management.
2. In the Print Management tree, under the appropriate print server,
click Printers.
3. In the Results pane, right-click the printer that you want to deploy, and then
click Deploy with Group Policy.
4. In the Deploy with Group Policy dialog box, click Browse, and then choose
or create a new GPO for storing the printer connections.
5. Click OK.
6. Specify whether to deploy the printer connections to users, or to computers:
o To deploy to groups of computers so that all users of the computers can
access the printers, select the The computers that this GPO applies
to (per machine) check box.
o To deploy to groups of users so that the users can access the printers
from any computer they log onto, select the The users that this GPO
applies to (per user) check box.
7. Click Add.
8. Repeat steps 3 through 6 to add the printer connection setting to another GPO,
if necessary.
9. Click OK.
Note
For per-computer connections, Windows adds the printer connections when the user
logs on. For per-user connections, Windows adds the printer connections during
background policy refresh. If you remove the printer connection settings from the GPO,
Windows removes the corresponding printers from the client computer during the next
background policy refresh or user logon.
Change driver installation security settings for printers deployed using Group
Policy
The default security settings for Windows Vista and Windows Server 2008 allow a user
who is not a member of the local Administrators group to install only trustworthy
printer drivers, such as those provided with Windows operating systems or in digitally
signed printer-driver packages.
To allow users who are not members of the local Administrators group to install
printer connections that are deployed using Group Policy and include printer drivers
that are not digitally signed, you must configure the Point and Print Restrictions Group
Policy settings. If you do not configure these Group Policy settings, users might need
to provide the credentials of someone who belongs to the local Administrators group.
Note
The following procedure assumes that you are using the version of the Group Policy
Management Console (GPMC) that is included with Windows Server 2008. To install
GPMC on Windows Server 2008, use the Add Features Wizard in Server Manager. If
you are using a different version of GPMC, the steps might vary slightly.
To change driver installation security settings for printers that are deployed by
using Group Policy
1. Open the GPMC.
2. Open the GPO where the printer connections are deployed, and navigate
to User Configuration, Policies, Administrative Templates, Control Panel,
and then Printers.
3. Right-click Point and Print Restrictions, and then click Properties.
4. Click Enabled.
5. Clear the following check boxes:
o Users can only point and print to these servers
o Users can only point and print to machines in their forest
6. In the When installing drivers for a new connection box, select Do not
show warning or elevation prompt.
7. Scroll down, and in the When updating drivers for an existing
connection box, select Show warning only.
8. Click OK.
After configuring these settings, all users are able to receive printer connections and
the drivers to their user accounts by using Group Policy, without prompts or warnings.
Users receive a warning before updated drivers from the print server are installed, but
they do not need to belong to the local Administrators group to install the updated
drivers.
Step 6: List and Remove Printers from Active Directory Domain Services
Listing printers in Active Directory Domain Services (AD DS) makes it easier for users
to locate and install printers. After you install printers on a printer server, you can use
Print Management to list them in AD DS.
You can list more than one printer simultaneously. You may want to set up a filter to
show all of the printers that you want to list or remove, so that you can easily select all
of the printers at the same time.
To list or remove printers in AD DS
1. Open the Administrative Tools folder, and then double-click Print
Management.
2. In the Print Management tree, under the appropriate print server, click Printers.
3. In the Results pane, right-click the printer that you want to list or remove, and
then click List in Directory or Remove from Directory.
Managing Printers and Print Servers
The following sections provide information about how to manage printers and print
servers by using Print Management:
• Update and Manage Printer Drivers
• Control Printer Driver Installation Security
• Create a New Printer Filter
• View Extended Features for Your Printer
You can perform bulk operations on all the printers on a particular server or all the
printers under a particular filter. You can perform the following actions on multiple
printers simultaneously:
• Pause or resume printing
• Cancel all jobs
• List or remove printers from AD DS
• Delete printers
You can also export a list of drivers, forms, ports, or printers by clicking More
Actions in the Actions pane, and then clicking Export List.
Update and Manage Printer Drivers
The following sections provide information about how to perform a variety of tasks
when you update or manage printer drivers on a print server:
• Add drivers for client computers running 32-bit or 64-bit versions of Windows
• Update or change printer drivers
• Remove drivers
Add drivers for client computers running 32-bit or 64-bit versions of Windows
To support client computers that use different processor architectures than the print
server, you must install additional drivers. For example, if your print server is running
a 64-bit version of Windows and you want to support client computers running 32-bit
versions of Windows, you must add x86-based drivers for each printer.
To add client printer drivers to the print server
1. Right-click the printer to which you want to add additional printer drivers, and
then click Manage Sharing.
2. Click Additional Drivers. The Additional Drivers dialog box appears.
3. Select the check box of the processor architecture for which you want to add
drivers.
For example, if the print server is running an x64-based edition of Windows, select
the x86 check box to install 32-bit version printer drivers for client computers running
32-bit versions of Windows.
4. If the print server does not already have the appropriate printer drivers in its
driver store, Windows prompts you for the location of the driver files. Download
and extract the appropriate driver files, and then in the dialog box that appears,
specify the path to the .inf file of the driver.
Note
You might not be able to extract some printer drivers without installing them. If this is
the case, log on to a client computer that uses the same processor architecture as the
printer drivers that you want to add to the print server, and install those printer drivers.
Then use Print Management from the client computer to connect to the print server,
and add the additional drivers from the Additional Drivers dialog box. Windows
automatically uploads the drivers from the client computer to the print server.
Update or change printer drivers
To update or change the printer drivers for a printer, use the following procedure. Client
computers automatically download and install the updated printer drivers the next time
they attempt to print to the printer.
Note
When installing printer drivers that are provided by the device manufacturer, follow the
instructions provided with the printer driver instead of using this procedure.
To update or change printer drivers for a printer
1. Right-click the printer with the driver that you want to change or update, and
then click Properties.
2. Click the Advanced tab.
3. Select a new driver from the Driver box, or click New Driver to install a new
printer driver.
This option is provided for the following situations:
• To change a driver to a compatible driver designed specifically for the same
printer
• To set up a queue prior to hardware arrival
• For troubleshooting purposes
For example, you can sometimes use this option to create additional queues using
drivers that try to detect the device on queue creation if the device isn’t yet available.
If you already have the driver installed on the computer, you can sometimes do this
by creating the additional queue(s) using a very basic placeholder driver such as the
‘generic / text only’ driver, then swap the queue to the new driver.
However, if a non-compatible driver is selected using this method, it is possible that
some printer features may not work correctly until the correct driver is returned.
When you switch the driver for a printer, the system and driver (if it is designed to do
so) attempts to merge the printer preference settings for the old printer driver with the
printer preference settings for the new printer driver. This is to try to preserve the user's
printing preference settings. However, if some settings from the old printer driver are
not supported by the new printer driver, this approach can lead to inconsistencies.
Upgrading a driver on a queue from one version to the next version of the same driver
is the recommended approach, since the newer version of the same driver is expected
to be compatible with its older versions. Changing drivers within a family (for example,
Model 1000 pro to Model 1000 pro plus) also should work fine, but it is not guaranteed
in every case. Some settings could be lost, or the default settings could be different
on the new queue. If you need to change the driver completely, either to a different
vendor, class of device, or even from an in-box driver to an IHV-provided driver, the
recommended method is to create a new queue and then delete the old one.
Remove printer drivers
When you install a printer driver on a computer that is running Windows Vista or
Windows Server 2008, Windows first installs the printer driver to the local driver store,
and then installs it from the driver store.
When removing printer drivers, you have the option to delete only the printer driver or
remove the entire printer-driver package. If you delete the printer driver, Windows
uninstalls the printer driver, but leaves the printer-driver package in the driver store to
allow you to reinstall the driver at some point. If you remove the printer-driver package,
Windows removes the package from the driver store, completely removing the printer
driver from the computer.
To remove printer drivers from a server, use the following procedure:
To remove printer drivers
1. Delete any printers on the print server that use the driver that you want to delete,
or change the driver that is used by each printer to another driver.
2. In the Print Management tree, click Drivers.
3. Remove only the driver (which leaves the driver .inf file and related files on the
server), or remove the printer-driver package:
o To delete only the installed driver files, right-click the driver and then
click Delete.
o To remove the driver package from the driver store, completely removing
the driver from the computer, right-click the driver and then
click Remove driver package.
Control Printer Driver Installation Security
The default security settings for Windows Vista and Windows Server 2008 allow users
who are not members of the local Administrators group to install only trustworthy
printer drivers, such as those provided with Windows or in digitally signed printer-driver
packages. This helps ensure that users do not install untested or unreliable printer
drivers or drivers that have been modified to contain malicious code (malware).
However, it means that sometimes users cannot install the appropriate driver for a
shared printer, even if the driver has been tested and approved in your environment.
The following sections provide information about how to allow users who are not
members of the local Administrators group to connect to a print server and install
printer drivers that are hosted by the server:
• Installing printer-driver packages on the print server
• Using Group Policy to deploy printer connections to users or computers
• Using Group Policy to modify printer driver security settings
Installing printer-driver packages on the print server
Printer-driver packages are digitally signed printer drivers that install all the
components of the driver to the driver store on client computers (if the server and the
client computers are running Windows Vista or Windows Server 2008). Additionally,
using printer-driver packages on a print server that is running Windows Vista or
Windows Server 2008 enables users who are not members of the
local Administrators group to connect to the print server and install or receive
updated printer drivers.
To use printer-driver packages, on a print server that is running Windows Server 2008
or Windows Vista, download and install the appropriate printer-driver packages from
the printer vendor.
Note
You can also download and install printer-driver packages from a print server to client
computers that are running Windows Server 2003, Windows XP, and Windows 2000.
However, the client computers do not check the driver's digital signature or install all
components of the driver into the driver store because the client operating system
does not support these features.
Using Group Policy to deploy printer connections to users or computers
Print Management can be used with Group Policy to automatically add printer
connections to the Printers folder, without the user requiring local Administrator
privileges.
Using Group Policy to modify printer driver security settings
You can use the Point and Print Restrictions Group Policy setting to control how users
can install printer drivers from print servers. You can use this setting to permit users
to connect to only specific print servers that you trust. Because this prevents users
from connecting to other print servers that could potentially host malicious or untested
printer drivers, you can disable printer driver installation warning messages without
adversely compromising security.
Carefully evaluate your users' printing needs before limiting which print servers they
can connect to. If users occasionally need to connect to shared printers in a branch
office or another department, make sure to include those printer servers on the list (if
you trust the printer drivers that are installed on the servers).
You can also use the Point and Print Restrictions setting to disable warning prompts
entirely, although this disables the enhanced printer driver installation security of
Windows Vista and Windows Server 2008 for these users.
Note
The following procedure assumes that you are using the version of the Group Policy
Management Console (GPMC) that is included with Windows Server 2008. To install
GPMC on Windows Server 2008, use the Add Features Wizard of Server Manager. If
you are using a different version of GPMC, the steps might vary slightly.
To modify the Point and Print Restrictions setting
1. Open the Group Policy Management Console (GPMC).
2. In the GPMC console tree, navigate to the domain or organizational unit (OU)
that stores the user accounts for which you want to modify printer driver security
settings.
3. Right-click the appropriate domain or OU, click Create a GPO in this domain,
and Link it here, type a name for the new GPO, and then click OK.
4. Right-click the GPO that you created and then click Edit.
5. In the Group Policy Management Editor tree, click User Configuration,
click Policies, click Administrative Templates, click Control Panel, and then
click Printers.
6. Right-click Point and Print Restrictions, and then click Properties.
To permit users to connect only to specific print servers that you trust:
1. In the Point and Print Restrictions dialog box, click Enabled.
2. Select the Users can only point and print to these servers check box if it is
not already selected.
3. In the text box, type the fully qualified server names to which you want to allow
users to connect. Separate each name with a semi-colon.
4. In the When installing drivers for a new connection box, choose Do not
show warning or elevation prompt.
5. In the When updating drivers for an existing connection box, choose Show
warning only.
6. Click OK.
Note
To disable driver installation warning messages and elevation prompts on computers
that are running Windows Vista and Windows Server 2008, in the Point and Print
Restrictions dialog box, click Disabled, and then click OK. This disables the
enhanced printer driver installation security of Windows Vista and Windows Server
2008.
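Both the Step 5 procedure and the procedure above change the same Point and Print Restrictions policy, and the text warns that suppressing the prompts without a trusted-server list switches off the enhanced driver installation security. One way to check what is actually in effect on a computer is to read the registry values that the policy template writes. The following script is an added example and is not part of the lesson or of Microsoft's documentation; the key paths and value names are the ones the policy writes, everything else in it is constructed, and the interpretation of "Ready" settings follows the dialog box options described in the procedures above.

```powershell
# Added example (not from the lesson): audit the Point and Print Restrictions policy on this
# computer by reading the registry values the policy template writes. Run it as the user whose
# settings you want to check (the lesson's procedures place the policy under User Configuration).
$policyPaths = @(
    'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint',  # Computer Configuration
    'HKCU:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'   # User Configuration
)

# Meaning of the two prompt settings, as the policy writes them.
$installPrompt = @{ 0 = 'Show warning and elevation prompt'; 1 = 'Do not show warning or elevation prompt' }
$updatePrompt  = @{ 0 = 'Show warning and elevation prompt'; 1 = 'Show warning only'; 2 = 'Do not show warning or elevation prompt' }

function Get-PointAndPrintPolicy {
    param([string] $Path)
    if (-not (Test-Path $Path)) { return $null }   # key absent: policy is Not Configured
    $v = Get-ItemProperty -Path $Path
    New-Object PSObject -Property @{
        Path                          = $Path
        Restricted                    = [int]$v.Restricted                     # 1 = Enabled, 0 = Disabled
        TrustedServers                = [int]$v.TrustedServers                 # "Users can only point and print to these servers"
        ServerList                    = [string]$v.ServerList                  # semicolon-separated server names
        InForest                      = [int]$v.InForest                       # "Users can only point and print to machines in their forest"
        NoWarningNoElevationOnInstall = [int]$v.NoWarningNoElevationOnInstall  # "When installing drivers for a new connection"
        UpdatePromptSettings          = [int]$v.UpdatePromptSettings           # "When updating drivers for an existing connection"
    }
}

function Test-PointAndPrintPolicy {
    param($Policy)
    $findings = @()
    if ($Policy.Restricted -ne 1) {
        $findings += 'Policy is Disabled: the enhanced driver installation security of Windows Vista / Server 2008 is off.'
        return $findings
    }
    if ($Policy.TrustedServers -eq 1 -and $Policy.ServerList -ne '') {
        $findings += 'Users may point and print only to: ' + (($Policy.ServerList -split ';') -join ', ')
    } elseif ($Policy.TrustedServers -eq 1) {
        $findings += 'WARNING: "only these servers" is selected but the server list is empty.'
    }
    if ($Policy.InForest -eq 1) { $findings += 'Point and print is limited to machines in the user''s forest.' }
    if ($Policy.NoWarningNoElevationOnInstall -eq 1 -and $Policy.TrustedServers -ne 1 -and $Policy.InForest -ne 1) {
        # This is the combination the lesson cautions against: no prompts and no restriction on which servers may supply drivers.
        $findings += 'WARNING: install prompts are suppressed with no server restriction; any reachable print server can supply drivers silently.'
    }
    $findings += 'Installing drivers for a new connection: ' + $installPrompt[$Policy.NoWarningNoElevationOnInstall]
    $findings += 'Updating drivers for an existing connection: ' + $updatePrompt[$Policy.UpdatePromptSettings]
    return $findings
}

foreach ($path in $policyPaths) {
    Write-Output "== $path =="
    $policy = Get-PointAndPrintPolicy -Path $path
    if ($policy -eq $null) {
        Write-Output '   Not Configured (key absent): the default restrictions apply.'
        continue
    }
    foreach ($line in Test-PointAndPrintPolicy -Policy $policy) { Write-Output "   $line" }
}
```

Run it after a Group Policy refresh on a client to confirm that the trusted-server list applied and that prompts were only suppressed where the list is in force; a computer that reports the WARNING line has the weaker configuration described in the note above.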
Create a New Printer Filter
Filters display only those printers that meet a certain set of criteria. For example, it
might be helpful to filter for printers with certain error conditions or those printers in a
group of buildings regardless of the print server they use. Filters are stored in the
Custom Printer Filters folder in the Print Management tree and are dynamic, so the
data is always current.
Four default filters are provided with Print Management (Printmanagement.msc). For
each filter that you create, you have the option to set up an e-mail notification or to run
a script when the conditions of the filter are met. This is useful when you want to be
alerted about printer problems, particularly in an organization with multiple buildings
and administrators.
For example, you can set up a filter of all printers managed by a particular print server
where the status does not equal Ready. Then, if a printer changes from the Ready
status to any other status, the administrator could receive a notification e-mail from
Print Management.
Note
The print server role must be installed and you must be a member of
the Administrators group to perform these procedures.
To set up and save a filtered view
1. Open the Administrative Tools folder, and then double-click Print
Management.
2. In the Print Management tree, right-click the Custom Printer Filters folder, and
then click Add New Printer Filter. This will launch the New Printer Filter
Wizard.
3. On the Printer Filter Name and Description wizard page, type a name for the
printer filter. The name will appear in the Custom Printer Filters folder in the
Print Management tree.
4. In Description, type an optional description.
5. To display the number of printers that satisfy the conditions of a filter, select
the Display the total number of printers next to the name of the printer
filter check box.
6. Click Next.
7. On the Define a printer filter wizard page, do the following:
1. In the Field list, click the print queue or printer status characteristic.
2. In the Condition list, click the condition.
3. In the Value box, type a value.
4. Continue adding criteria until your filter is complete, and then click Next.
8. On the Set Notifications (Optional) wizard page, do one or both of the
following:
o To set an e-mail notification, select the Send e-mail notification check
box, and type one or more recipient and sender e-mail addresses. An
SMTP server must be specified to route the message. Use the
format account@domain and semicolons to separate multiple accounts.
o To set a script to run, select the Run script check box, and then type the
path where the script file is located. To add more arguments, type them
in Additional arguments.
9. Click Finish.
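The "status does not equal Ready" filter described above, written as a script that Task Scheduler or the filter's Run script option could execute. This is an added example and is not part of the lesson; it queries the Win32_Printer WMI class (available on Windows Server 2008 and later), the server names and e-mail settings are placeholders, and the definition of "Ready" is an approximation of the status column in Print Management (an assumption, marked in the code).

```powershell
# Added example (not from the lesson): report, and optionally e-mail, every printer on the given
# print servers whose status is not Ready, using the Win32_Printer WMI class.
# Server names and SMTP settings are placeholders; replace them with your own.
param(
    [string[]] $PrintServers = @('PRINTSRV01'),           # placeholder print server names
    [string]   $SmtpServer   = 'smtp.example.com',        # placeholder SMTP relay
    [string]   $From         = 'printmon@example.com',    # placeholder sender
    [string]   $To           = 'printadmins@example.com', # placeholder recipient
    [switch]   $SendMail                                  # omit to only print the report
)

# Win32_Printer.PrinterStatus and DetectedErrorState codes, from the WMI class definition.
$statusNames = @{ 1 = 'Other'; 2 = 'Unknown'; 3 = 'Idle'; 4 = 'Printing'; 5 = 'Warmup'; 6 = 'Stopped Printing'; 7 = 'Offline' }
$errorNames  = @{ 0 = 'Unknown'; 1 = 'Other'; 2 = 'No Error'; 3 = 'Low Paper'; 4 = 'No Paper'; 5 = 'Low Toner';
                  6 = 'No Toner'; 7 = 'Door Open'; 8 = 'Jammed'; 9 = 'Offline'; 10 = 'Service Requested'; 11 = 'Output Bin Full' }

function Get-NotReadyPrinters {
    param([string[]] $Servers)
    foreach ($server in $Servers) {
        # Querying WMI on a remote server needs the group membership the lesson lists for managing remote print servers.
        $printers = Get-WmiObject -Class Win32_Printer -ComputerName $server -ErrorAction SilentlyContinue
        if ($printers -eq $null) {
            Write-Warning "Could not query Win32_Printer on $server"
            continue
        }
        foreach ($p in $printers) {
            # Assumption: "Ready" means idle or printing, no detected error, and not set to work offline.
            $isReady = ($p.PrinterStatus -eq 3 -or $p.PrinterStatus -eq 4) -and
                       ($p.DetectedErrorState -le 2) -and (-not $p.WorkOffline)
            if (-not $isReady) {
                New-Object PSObject -Property @{
                    Server      = $server
                    Printer     = $p.Name
                    Status      = $statusNames[[int]$p.PrinterStatus]
                    Error       = $errorNames[[int]$p.DetectedErrorState]
                    WorkOffline = $p.WorkOffline
                    Driver      = $p.DriverName
                }
            }
        }
    }
}

$problems = @(Get-NotReadyPrinters -Servers $PrintServers)
if ($problems.Count -eq 0) {
    Write-Output 'All printers report Ready.'
} else {
    $report = $problems | Format-Table Server, Printer, Status, Error, WorkOffline, Driver -AutoSize | Out-String
    Write-Output $report
    if ($SendMail) {
        # Send-MailMessage is available from PowerShell 2.0 (Windows Server 2008 R2) onward.
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
            -Subject ('Printers not Ready on ' + ($PrintServers -join ', ')) -Body $report
    }
}
```

Unlike the wizard's e-mail notification, this report also names the driver of each affected queue, which is the first thing to look at when a printer stops after a driver update (see "Update or change printer drivers" above).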

ACTIVITY SHEET 5.3

Direction: Arrange the following in their proper order by using the alphabet. Write your
answers on a separate sheet of pad paper.

1. At CLIENT: go to server→ double click printer→ print a document using shared
printer
2. Check deployment printer
3. Devices and Printers→ Add local printer→ share printer
4. Right click printer→ deploy with group policy→ browse→ locate domain→
browse for GPO→ deploy with group policy→ check the 2 boxes→ add→
apply→ ok→ ok
5. Server Manager→ Roles→ Print and Document Services→ Custom Filters→
All printers

SELF CHECK 5.1

Direction: Choose carefully from the given options. Write the correct letter of your
answer on a separate sheet of paper.

A. Deploy with Group Policy
B. Fax Service Manager
C. Print Management
D. Print queue
E. Print Services Tools
F. Print Services role
G. Printer
H. Printer driver
I. Scan Management
J. Server Manager

1. This snap-in enables you to manage printers, print queues, printer drivers, and printer
connections.
2. This snap-in enables you to manage scanners and scan processes. Scan processes allow
you to define how to process scanned documents, and then route them to network folders,
SharePoint sites, and to e-mail recipients.
3. This snap-in enables you to configure fax devices for incoming and outgoing fax traffic,
specify who can use a fax device, set routing rules for incoming and outgoing faxes, and
configure a fax archiving policy.
4. Server Manager to install the Print Services server role, optional role services, and
features
5. This installs the Print Management snap-in and configures the server to be a print server.
6. Installs the Print Management snap-in, but it does not configure the server to be a print
server.
7. To deploy printer connections to users or computers by using Group Policy in Print
Management.
8. Software on a computer that converts the data to be printed to a format that a printer can
understand.
9. List of printer output jobs held in a reserved memory area. It maintains the most current
status of all active and pending print jobs.
10. Device that accepts text and graphic output from a computer and transfers the information
to paper, usually to standard size sheets of paper.

ASSIGNMENT SHEET 5.1

Direction: On your portfolio notebook, write your insight about the lesson

I understand that __________________________________

I realize that _____________________________________

LESSON 7: Configuring and Testing Remote Desktop Sharing

Learning Objectives
At the end of the lesson, the learner should be able to:
a. Recognize Remote Desktop Services
b. Familiarize with Remote Desktop deployment
c. Understand Remote Desktop connection

ACTIVITY SHEET 6.1


Technical Terms

Direction: Try to identify the words related to our lesson.

1. OEMRET
2. TECNOIONNC
3. TSKPEOD
4. LRWAFIEL
5. NOESISS
6. HSTO
7. OLREORTNCL
8. NAOCCTU
9. NRNTEETI
10. OOOLCTPR

Pre-Test 6.1

Direction: Choose carefully from the given options. Write the correct answers on a
separate sheet of paper.

A. Administrative Tools
B. Cost
C. Domain Controller
D. Fault Tolerance
E. Network and Sharing Center
F. Performance
G. Remote Desktop Connection
H. Remote Desktop Services
I. Security
J. Windows Firewall

1. Provides technologies that enable users to access Windows-based programs
that are installed on a Remote Desktop Session Host (RD Session Host)
server, or to access the full Windows desktop.
2. The initial setup and sustained cost of this scenario.
3. How the scenario supports the resiliency of the infrastructure, which ultimately
affects the availability of the system.
4. How the scenario affects the performance of the infrastructure.
5. Security application created by Microsoft and built into Windows, designed to
filter network data transmissions to and from your Windows system and block
harmful communications and/or the programs that are initiating them.
6. Whether the scenario has a positive or negative impact on overall
infrastructure security.
7. Server that responds to authentication requests and verifies users on
computer networks.
8. Folder in Control Panel that contains tools for system administrators and
advanced users.
9. The control panel from which most of the networking settings and tasks can
be launched in Windows 7, Windows 8.1 and Windows 10.
10. Microsoft technology that allows a local computer to connect to and control a
remote PC over a network or the Internet.

ACTIVITY SHEET 6.2
Let Us Review

Direction: Answer the following questions on your portfolio notebook.

1. What is the Print Services role?

2. How do you deploy a printer to the network by using Group Policy?

INFORMATION SHEET 6.1
Remote Desktop Services in Windows Server 2008 R2

Remote Desktop Services in Windows Server® 2008 R2 provides technologies that enable users to access Windows-based programs that are installed on a Remote Desktop Session Host (RD Session Host) server, or to access the full Windows desktop. With Remote Desktop Services, users can access an RD Session Host server from within a corporate network or from the Internet.

Remote Desktop Services: Deployment

Remote Desktop Services in Windows Server 2008 R2, formerly Terminal Services
in Windows Server 2008, lets you efficiently deploy and maintain software in an
enterprise environment. You can easily deploy programs from a central location.
Because you install the programs on the RD Session Host server and not on the
client computer, programs are easier to upgrade and to maintain. Use the following
resources to design, deploy, or migrate Remote Desktop Services.
Remote Desktop Services Design Guide
• Understanding the Remote Desktop Session Host Design Process
• Understanding the RemoteFX Design Process
• Mapping Your Deployment Goals to a Remote Desktop Session Host Design
• Mapping Your Deployment Goals to a RemoteFX Design
• Evaluating RemoteFX Design Examples
Remote Desktop Services Deployment Guide
• Planning to Deploy Remote Desktop Services
• Implementing Your Remote Desktop Services Design Plan
• Checklist: Implementing a Virtual Desktop Infrastructure Design
• Checklist: Implementing a Session-based Design
• Deploying Remote Desktop Session Host
• Deploying a Simple Virtual Desktop Infrastructure

• Configuring Publishing
• Accessing Remote Desktop Services from the Internet
• Deploying Remote Desktop Connection Broker
• Deploying Remote Desktop Licensing
• Deploying Microsoft RemoteFX
Remote Desktop Services Migration Guide
• Remote Desktop Services Migration: Overview
• Remote Desktop Session Host Role Service Migration
• Remote Desktop Virtualization Host Role Service Migration
• Remote Desktop Connection Broker Role Service Migration
• Remote Desktop Web Access Role Service Migration
• Remote Desktop Licensing Role Service Migration
• Remote Desktop Gateway Role Service Migration
Related resources
• Remote Desktop Protocol Performance Improvements in Windows Server
2008 R2 and Windows 7
• Deploying a Virtualized Session-Based Remote Desktop Services Solution
• Remote Desktop Services in Windows Server 2008 R2
Implementing Your Remote Desktop Services Design Plan
Consider the following factors before you implement your design plan:
• Complexity: The complexity of the scenario relative to other scenarios.
• Cost: The initial setup and sustained cost of this scenario.
• Fault tolerance: How the scenario supports the resiliency of the
infrastructure, which ultimately affects the availability of the system.
• Performance: How the scenario affects the performance of the infrastructure.
• Scalability: The impact that the scenario has on the scalability of the
infrastructure.
• Security: Whether the scenario has a positive or negative impact on overall
infrastructure security.
How to implement your Remote Desktop Services design by using this guide
The next step in implementing your design is to determine in what order each of the
deployment tasks must be performed. This guide uses checklists to help you walk
through the various server and application deployment tasks that are required to
implement your design plan. Parent and child checklists are used as necessary to
represent the order in which tasks for a specific Remote Desktop Services design
must be performed.
Use the following parent checklists in this section of the guide to become familiar
with the deployment tasks for implementing your organization's Remote Desktop
Services design:
• Checklist: Implementing a Virtual Desktop Infrastructure Design
• Checklist: Implementing a Session-based Design
To implement Microsoft® RemoteFX™, use the checklists for deploying a Virtual
Desktop Infrastructure (VDI), or Remote Desktop Services with session-based
desktops and perform the tasks for RemoteFX.

OPERATION SHEET 2.5
Installing Remote Desktop Session Host Step-by-Step Guide

This step-by-step guide walks you through the process of setting up a working Remote
Desktop Services infrastructure in a test environment. During this process, you create
an Active Directory® domain, install the Remote Desktop Session Host (RD Session
Host) role service, and configure the Remote Desktop Connection client computer.
After you’ve completed this process, you can use the test lab environment to learn
about Remote Desktop Services technology on Windows Server® 2008 R2 and
assess how it might be deployed in your organization.
This guide includes the following topics:
• Step 1: Setting Up the Infrastructure
• Step 2: Installing and Configuring Remote Desktop Session Host
• Step 3: Verifying Remote Desktop Session Host Functionality
The goal of a Remote Desktop Session Host (RD Session Host) server is to host
Windows-based programs or the full Windows desktop for Remote Desktop Services
clients. Users can connect to an RD Session Host server to run programs, to save
files, and to use resources on that server.
Step 1: Setting Up the Infrastructure
Applies To: Windows 7, Windows Server 2008 R2
To prepare your Remote Desktop Services test environment in the CONTOSO
domain, you must complete the following tasks:
• Install and configure the domain controller (CONTOSO-DC)
• Install and configure the RD Session Host server (RDSH-SRV)
• Install and configure the Remote Desktop Connection client computer
(CONTOSO-CLNT)
Use the following table as a reference when setting up the appropriate computer
names, operating systems, and network settings that are required to complete the
steps in this guide.

Computer name   Operating system requirement   IP settings                  DNS settings
CONTOSO-DC      Windows Server® 2008 R2        IP address: 10.0.0.1         Configured by DNS server role
                                               Subnet mask: 255.255.255.0
RDSH-SRV        Windows Server 2008 R2         IP address: 10.0.0.2         Preferred: 10.0.0.1
                                               Subnet mask: 255.255.255.0
CONTOSO-CLNT    Windows® 7                     IP address: 10.0.0.3         Preferred: 10.0.0.1
                                               Subnet mask: 255.255.255.0

Install and configure the domain controller (CONTOSO-DC)
To configure the domain controller CONTOSO-DC by using Windows Server 2008 R2,
you must:
• Install Windows Server 2008 R2.
• Configure TCP/IP properties.
• Install and configure Active Directory Domain Services (AD DS).
First, install Windows Server 2008 R2 on a stand-alone server.
To install Windows Server 2008 R2
1. Start your computer by using the Windows Server 2008 R2 product CD.
2. When prompted for a computer name, type CONTOSO-DC.
3. Follow the rest of the instructions that appear on your screen to finish the
installation.
Next, configure TCP/IP properties so that CONTOSO-DC has an IPv4 static IP
address of 10.0.0.1.
To configure TCP/IP properties
1. Log on to CONTOSO-DC with the CONTOSO-DC\Administrator account.

2. Click Start, click Control Panel, click Network and Internet, click Network
and Sharing Center, click Change adapter settings, right-click Local Area
Connection, and then click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and
then click Properties.
4. Click Use the following IP address. In the IP address box, type 10.0.0.1. In
the Subnet mask box, type 255.255.255.0 and then click OK.
5. On the Networking tab, click OK, and then close the Local Area Connection
Properties dialog box.
Next, configure the computer as a domain controller by using Windows
Server 2008 R2.
To configure CONTOSO-DC as a domain controller by using Windows
Server 2008 R2
1. Click Start, and then click Run. In the Run box, type dcpromo and then
click OK.
2. On the Welcome to the Active Directory Domain Services Installation
Wizard page, click Next.
3. On the Operating System Compatibility page, click Next.
4. On the Choose a Deployment Configuration page, click Create a new
domain in a new forest, and then click Next.
5. On the Name the Forest Root Domain page, in the FQDN of the forest root
domain box, type contoso.com and then click Next.
6. On the Set Forest Functional Level page, in the Forest functional level box,
select Windows Server 2008 R2, and then click Next.
7. On the Additional Domain Controller Options page, ensure that the DNS
server check box is selected, and then click Next.
8. Click Yes to create a delegation for this DNS server, and then continue.
9. On the Location for Database, Log Files, and SYSVOL page, click Next.
10. In the Password and Confirm password boxes, type a strong password, and
then click Next.
11. On the Summary page, review your selections, and then click Next to start the
installation.
12. When the installation is complete, click Finish, and then click Restart Now.

Configure user accounts
In this section you create the user accounts and groups in the CONTOSO domain.
First, create a user account named Morgan Skinner in Active Directory Domain
Services.
To create a user account
1. Log on to CONTOSO-DC as the domain administrator account,
CONTOSO\Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. In the console tree, expand contoso.com.
4. Right-click Users, point to New, and then click User.
5. In the New Object – User dialog box, type Morgan Skinner in the Full
name box and mskinner in the User logon name box, and then click Next.
6. In the New Object – User dialog box, type a password of your choice in
the Password and Confirm password boxes. Clear the User must change
password at next logon check box, click Next, and then click Finish.
Install and configure the RD Session Host server (RDSH-SRV)
To configure the member server, RDSH-SRV, you must:
• Install Windows Server 2008 R2.
• Configure TCP/IP properties.
• Join RDSH-SRV to the contoso.com domain.
First, install Windows Server 2008 R2 as a stand-alone server.
To install Windows Server 2008 R2
1. Start your computer by using the Windows Server 2008 R2 product CD.
2. When prompted for a computer name, type RDSH-SRV.
3. Follow the rest of the instructions that appear on your screen to finish the
installation.
Next, configure TCP/IP properties so that RDSH-SRV has a static IP address of
10.0.0.2. In addition, configure the DNS server by using the IP address of CONTOSO-
DC (10.0.0.1).
To configure TCP/IP properties
1. Log on to RDSH-SRV with the RDSH-SRV\Administrator account or another
user account in the local Administrators group.

2. Click Start, click Control Panel, double-click Network and Sharing Center,
click Change adapter settings, right-click Local Area Connection, and then
click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and
then click Properties.
4. Click Use the following IP address. In the IP address box, type 10.0.0.2, and
in the Subnet mask box, type 255.255.255.0.
5. Click Use the following DNS server addresses. In the Preferred DNS
server box, type 10.0.0.1.
6. Click OK, and then close the Local Area Connection Properties dialog box.
Next, join RDSH-SRV to the contoso.com domain.
To join RDSH-SRV to the contoso.com domain
1. Log on to the RDSH-SRV computer as the CONTOSO\Administrator user
account.
2. Click Start, right-click Computer, and then click Properties.
3. Under Computer name, domain, and workgroup settings, click Change
settings.
4. On the Computer Name tab, click Change.
5. In the Computer Name/Domain Changes dialog box, click Domain, and then
type contoso.com.
6. Click More, and in the Primary DNS suffix of this computer box,
type contoso.com.
7. Click OK, and then click OK again.
8. When a Computer Name/Domain Changes dialog box appears prompting
you for administrative credentials, provide the credentials for
CONTOSO\Administrator, and then click OK.
9. When a Computer Name/Domain Changes dialog box appears welcoming
you to the contoso.com domain, click OK.
10. When a Computer Name/Domain Changes dialog box appears telling you
that the computer must be restarted, click OK, and then click Close.
11. Click Restart Now.
Install and configure the Remote Desktop Connection client computer
(CONTOSO-CLNT)
To configure CONTOSO-CLNT, you must:
• Install Windows 7.
• Configure TCP/IP properties.
• Join CONTOSO-CLNT to the contoso.com domain.
To install Windows 7
1. Start your computer by using the Windows 7 product CD.
2. Follow the instructions that appear on your screen, and when prompted for a
computer name, type CONTOSO-CLNT.
Next, configure TCP/IP properties so that CONTOSO-CLNT has a static IP address
of 10.0.0.3. In addition, configure the DNS server of CONTOSO-DC (10.0.0.1).
To configure TCP/IP properties
1. Log on to CONTOSO-CLNT with a user account that is a member of the local
Administrators group.
2. Click Start, click Control Panel, click Network and Internet, and then
click Network and Sharing Center.
3. Click Change adapter settings, right-click Local Area Connection, and then
click Properties.
4. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and
then click Properties.
5. Click Use the following IP address. In the IP address box, type 10.0.0.3, and
in the Subnet mask box, type 255.255.255.0.
6. Click Use the following DNS server addresses. In the Preferred DNS
server box, type 10.0.0.1.
7. Click OK, and then close the Local Area Connection Properties dialog box.
Next, join CONTOSO-CLNT to the contoso.com domain.
To join CONTOSO-CLNT to the contoso.com domain
1. Click Start, right-click Computer, and then click Properties.
2. Under Computer name, domain, and workgroup settings, click Change
settings.
3. On the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, click Domain, and then
type contoso.com.
5. Click More, and in the Primary DNS suffix of this computer box,
type contoso.com.
6. Click OK, and then click OK again.
7. When a Computer Name/Domain Changes dialog box appears prompting
you for administrative credentials, provide the CONTOSO\Administrator
credentials, and then click OK.
8. When a Computer Name/Domain Changes dialog box appears welcoming
you to the contoso.com domain, click OK.
9. When a Computer Name/Domain Changes dialog box appears telling you
that the computer must be restarted, click OK, and then click Close.
10. Click Restart Now.
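The network configuration and domain join for RDSH-SRV, scripted as an added example (not part of the learning material or Microsoft's guide) so that each step from Step 1 can be checked before the next one runs. It assumes the adapter is named Local Area Connection as in the lab, and it uses netsh and the PowerShell 2.0 cmdlets that ship with Windows Server 2008 R2 (the NetTCPIP cmdlets only exist from Server 2012 onward).

```powershell
# Added example: configure RDSH-SRV's static TCP/IP settings, verify that
# CONTOSO-DC answers DNS queries for the domain, then join contoso.com.
# Run from an elevated PowerShell prompt on RDSH-SRV (PowerShell 2.0 / Server 2008 R2).

$Adapter   = "Local Area Connection"   # adapter name used throughout the lab
$IPAddress = "10.0.0.2"
$Mask      = "255.255.255.0"
$DnsServer = "10.0.0.1"                # CONTOSO-DC, which holds the DNS server role
$Domain    = "contoso.com"

# 1. Static IPv4 address and subnet mask (the isolated lab has no default gateway).
netsh interface ipv4 set address "$Adapter" static $IPAddress $Mask
if ($LASTEXITCODE -ne 0) { throw "Could not set the IP address on '$Adapter'" }

# 2. Preferred DNS server. This must point at the domain controller: the domain
#    join locates CONTOSO-DC through the SRV records that only its DNS zone holds.
netsh interface ipv4 set dnsservers "$Adapter" static $DnsServer primary
if ($LASTEXITCODE -ne 0) { throw "Could not set the DNS server on '$Adapter'" }

# 3. Prove that name resolution works before attempting the join, so a failure
#    here is reported as a DNS problem rather than a vague join error.
try {
    $dcAddresses = [System.Net.Dns]::GetHostAddresses("contoso-dc.$Domain") |
        ForEach-Object { $_.IPAddressToString }
} catch {
    throw "contoso-dc.$Domain does not resolve; check the DNS server role on CONTOSO-DC"
}
if ($dcAddresses -notcontains $DnsServer) {
    throw "contoso-dc.$Domain resolved to '$dcAddresses' instead of $DnsServer"
}
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $DnsServer 2>$null
if (-not ($srv -match "contoso-dc")) {
    throw "No LDAP SRV record for $Domain; AD DS may not be installed yet on CONTOSO-DC"
}

# 4. Join the domain. The CONTOSO\Administrator password is prompted for, never
#    stored in the script.
$cred = Get-Credential -Credential "CONTOSO\Administrator"
Add-Computer -DomainName $Domain -Credential $cred -ErrorAction Stop

Write-Host "RDSH-SRV has been joined to $Domain; a restart completes the join."
# After the restart, Test-ComputerSecureChannel returns $true when the computer
# account's secure channel to the domain controller is healthy.
Restart-Computer -Confirm
```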
Step 2: Installing and Configuring Remote Desktop Session Host
To install and configure a Remote Desktop Session Host (RD Session Host) server,
you must add the RD Session Host role service. Windows Server® 2008 R2 includes
the option to install the RD Session Host role service by using Server Manager. This
topic covers the installation and configuration of the RD Session Host role service on
the RDSH-SRV computer in the CONTOSO domain.
Membership in the local Administrators group, or equivalent, on the RD Session
Host server that you plan to configure, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group
memberships at Local and Domain Default
Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To install the RD Session Host role service
1. Log on to RDSH-SRV as CONTOSO\Administrator.
2. Open Server Manager. To open Server Manager, click Start, point
to Administrative Tools, and then click Server Manager.
3. Under Roles Summary, click Add Roles.
4. On the Before You Begin page of the Add Roles Wizard, click Next.
5. On the Select Server Roles page, select the Remote Desktop
Services check box, and then click Next.
6. On the Introduction to Remote Desktop Services page, click Next.
7. On the Select Role Services page, select the Remote Desktop Session
Host check box, and then click Next.
8. On the Uninstall and Reinstall Applications for Compatibility page,
click Next.

9. On the Specify Authentication Method for Remote Desktop Session
Host page, click Require Network Level Authentication, and then click Next.
Note
If client computers that are running Windows® XP will use this RD Session Host
server, select Do not require Network Level Authentication.
10. On the Specify Licensing Mode page, select Configure later, and then
click Next.
Note
For the purposes of this guide, a Remote Desktop licensing mode is not configured.
For use in a production environment, you must configure a Remote Desktop licensing
mode. For more information about configuring a Remote Desktop Licensing (RD
Licensing) server, see the Deploying Remote Desktop Licensing Step-by-Step
Guide (https://go.microsoft.com/fwlink/?LinkId=141175).
11. On the Select User Groups Allowed Access To This Remote Desktop
Session Host Server page, click Next.
12. On the Configure Client Experience page, click Next.
13. On the Confirm Installation Selections page, verify that the RD Session Host
role service will be installed, and then click Install.
14. On the Installation Results page, you are prompted to restart the server to
finish the installation process. Click Close, and then click Yes to restart the
server.
15. After the server restarts and you log on to the computer as
CONTOSO\Administrator, the remaining steps of the installation finish. When
the Installation Results page appears, confirm that installation of the
RD Session Host role service succeeded, and then click Close to close the
RD Session Host configuration window. Also, close Server Manager.
Note
You may see warnings on the Installation Results page. For the purposes of this guide,
these warnings can be ignored.
The RD Session Host role service is now installed. For users to be able to connect to
this server, you must add the user accounts to the local Remote Desktop Users group
on RDSH-SRV. For the purposes of this guide, we will add Morgan Skinner to the local
Remote Desktop Users group. In a production environment, you should create an
Active Directory Domain Services (AD DS) group, add this group to the Remote
Desktop Users group, and then add the user accounts that should have access to the
RD Session Host server to the AD DS group.
Membership in the local Administrators group, or equivalent, on the RD Session
Host server that you plan to configure, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group
memberships at Local and Domain Default
Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To add Morgan Skinner to the Remote Desktop Users group
1. Log on to RDSH-SRV as CONTOSO\Administrator.
2. Click Start, point to Administrative Tools, and then click Computer
Management.
3. Expand Local Users and Groups, and then click Groups.
4. Right-click Remote Desktop Users, and then click Add to Group.
5. In the Remote Desktop Users dialog box, click Add.
6. In the Select Users, Computers, Service Accounts, or Groups dialog box,
in the Enter the object names to select box, type mskinner and then
click OK.
7. Click OK to close the Remote Desktop Users dialog box.
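An audit of the RD Session Host settings that Step 2 configures, added here as an example that is not part of the learning material or Microsoft's guide. It checks that Network Level Authentication is required, that the Remote Desktop Users group holds a domain group rather than individual accounts (the production practice the text recommends), and that the Remote Desktop firewall rule is enabled; CONTOSO\RDSH-Users is an assumed name for that domain group, and the script uses only WMI, ADSI and netsh, which exist on Windows Server 2008 R2.

```powershell
# Added example: audit the RD Session Host on RDSH-SRV after Step 2.
# Run from an elevated PowerShell prompt (PowerShell 2.0 / Server 2008 R2).

$ExpectedGroup = "CONTOSO\RDSH-Users"   # assumed AD DS group that should grant RD access
$results = @()

# Check 1: Network Level Authentication must be required. Without it the server
# shows its logon screen to any unauthenticated client, exposing the session
# stack before the user has been verified.
$ts = Get-WmiObject -Namespace "root\cimv2\TerminalServices" -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$results += New-Object PSObject -Property @{
    Check  = "NLA required on RDP-Tcp"
    Pass   = ($ts.UserAuthenticationRequired -eq 1)
    Detail = "UserAuthenticationRequired=$($ts.UserAuthenticationRequired); SecurityLayer=$($ts.SecurityLayer)"
}

# Check 2: Remote Desktop Users should contain only the domain group, so that
# access is granted and revoked centrally in AD DS. In this lab mskinner was
# added directly, so the check reports that account as an individual member.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    # WinNT://CONTOSO/mskinner -> CONTOSO\mskinner
    ($path -replace "^WinNT://", "") -replace "/", "\"
})
$individuals = @($members | Where-Object { $_ -ne $ExpectedGroup })
$results += New-Object PSObject -Property @{
    Check  = "Remote Desktop Users holds only $ExpectedGroup"
    Pass   = (($members -contains $ExpectedGroup) -and ($individuals.Count -eq 0))
    Detail = "Members: " + ($members -join ", ")
}

# Check 3: the built-in inbound rule for RDP (TCP 3389) must be enabled, and its
# profile list shows on which network profiles the server accepts connections.
$rule = netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
$results += New-Object PSObject -Property @{
    Check  = "Firewall rule 'Remote Desktop (TCP-In)' enabled"
    Pass   = [bool]($rule -match "^Enabled:\s+Yes")
    Detail = (($rule -match "^(Enabled|Profiles|LocalPort):") -join "; ")
}

$results | Format-Table Check, Pass, Detail -AutoSize
```

Any check that reports Pass = False points at the setting to revisit before the server is used outside the test lab.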
Step 3: Verifying Remote Desktop Session Host Functionality
Applies To: Windows 7, Windows Server 2008 R2
To verify the functionality of the RD Session Host deployment, log on to CONTOSO-
CLNT as Morgan Skinner and use Remote Desktop Connection (RDC) to connect to
the RD Session Host server (RDSH-SRV).
To connect to RDSH-SRV by using RDC
1. Log on to CONTOSO-CLNT as Morgan Skinner.
2. Click Start, point to All Programs, point to Accessories, and then
click Remote Desktop Connection.
3. When the Remote Desktop Connection dialog box appears, type rdsh-srv in
the Computer box, and then click Connect.
4. In the Windows Security dialog box, type the password for contoso\mskinner,
and then click OK.

5. If the connection is successful, a Windows desktop will appear on the screen
for RDSH-SRV.
You have successfully deployed and demonstrated the functionality of RD Session
Host on Remote Desktop Services by using the simple scenario of connecting to an
RD Session Host server with a standard user account by using Remote Desktop
Connection. You can also use this deployment to explore some of the additional
capabilities of Remote Desktop Services through additional configuration and testing.
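A server-side confirmation of the Step 3 test, added as an example that is not part of the learning material or Microsoft's guide: instead of relying only on the desktop appearing on CONTOSO-CLNT, it reads RDSH-SRV's own Security log for the Remote Desktop logon of CONTOSO\mskinner and reports where it came from. It assumes the default audit policy of Windows Server 2008 R2 (successful logons are recorded as event 4624) and PowerShell 2.0.

```powershell
# Added example: verify on RDSH-SRV that the Step 3 connection was recorded as a
# Remote Desktop logon by CONTOSO\mskinner from CONTOSO-CLNT (10.0.0.3).
# Run elevated, because reading the Security log requires it.

$User     = "mskinner"
$Domain   = "CONTOSO"
$ClientIP = "10.0.0.3"
$Since    = (Get-Date).AddHours(-1)

# Event 4624 = successful logon. LogonType 10 = RemoteInteractive (Remote Desktop).
# With NLA in effect the client is authenticated before the session is created,
# which typically also records an earlier 4624 with LogonType 3 (Network).
$events = Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4624; StartTime = $Since } `
            -ErrorAction SilentlyContinue

$sessions = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.TargetUserName -eq $User -and $data.TargetDomainName -eq $Domain) {
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            LogonType = [int]$data.LogonType
            SourceIP  = $data.IpAddress
            Process   = $data.ProcessName
        }
    }
}

$rdp = @($sessions | Where-Object { $_.LogonType -eq 10 })
$net = @($sessions | Where-Object { $_.LogonType -eq 3 })

if ($rdp.Count -eq 0) {
    Write-Warning "No Remote Desktop (type 10) logon for $Domain\$User since $Since"
} else {
    $rdp | Sort-Object Time | Format-Table Time, LogonType, SourceIP, Process -AutoSize
    # In this lab every RDP logon should originate from CONTOSO-CLNT; any other
    # source address means the account is being used from outside the test lab.
    $unexpected = @($rdp | Where-Object { $_.SourceIP -ne $ClientIP })
    if ($unexpected.Count -gt 0) {
        $list = ($unexpected | ForEach-Object { $_.SourceIP }) -join ", "
        Write-Warning "Remote Desktop logons from unexpected addresses: $list"
    }
}
if ($net.Count -eq 0) {
    Write-Warning "No Network (type 3) logon preceded the session; check that NLA is required"
}
```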

SELF CHECK 6.1

Direction: Choose carefully from the given options. Write the correct answers on a
separate sheet of paper.

Windows Firewall              Network and Sharing Center
Security                      Fault Tolerance
Remote Desktop Services       Domain Controller
Remote Desktop Connection     Cost
Performance                   Administrative Tools

1. Provides technologies that enable users to access Windows-based programs that
are installed on a Remote Desktop Session Host (RD Session Host) server, or to
access the full Windows desktop.
2. The initial setup and sustained cost of this scenario.
3. How the scenario supports the resiliency of the infrastructure, which ultimately affects
the availability of the system.
4. How the scenario affects the performance of the infrastructure.
5. Security application created by Microsoft and built into Windows, designed to filter
network data transmissions to and from your Windows system and block harmful
communications and/or the programs that are initiating them.
6. Whether the scenario has a positive or negative impact on overall infrastructure
security.
7. Server that responds to authentication requests and verifies users on computer
networks.
8. Folder in Control Panel that contains tools for system administrators and advanced
users.
9. The control panel from which most of the networking settings and tasks can be
launched in Windows 7, Windows 8.1 and Windows 10.
10. Microsoft technology that allows a local computer to connect to and control a remote
PC over a network or the Internet.

ASSIGNMENT SHEET 2.1

Direction: On your portfolio notebook, write your insight about the lesson.

I understand that __________________________________

I realize that _____________________________________

PRE-TEST ANSWER KEY
1. B
2. A
3. C
4. D
5. C
6. A
7. D
8. B
9. D
10. A
11. C
12. B
13. B
14. A
15. D
16. C
17. C
18. D
19. B
20. A
21. C
22. D
23. B
24. A
25. C
26. B
27. D
28. A
29. D
30. B
31. A
32. C
33. B
34. C
35. D
36. A
37. C
38. B
39. D
40. A

REFERENCES:

LO1 Client to Domain
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc728372(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759279(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779033(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc784886(v=ws.10)
https://helpdeskgeek.com/how-to/windows-join-domain/
https://www.thinlabs.com/faq/windows-7-change-computer-domain-workgroup-name
https://www.youtube.com/watch?v=jUUjAkjzV9U
https://www.varonis.com/blog/active-directory-domain-services/#:~:text=Active%20Directory%20Domain%20Services%20(AD%20DS)%20are%20the%20core%20functions,%2C%20LDAP%2C%20and%20rights%20management.
https://thewordsearch.com/puzzle/1318632/user-access-and-security/

LO2 Users to Domain
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732532(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770377(v=ws.10)
http://puzzlemaker.discoveryeducation.com/code/BuildWordSearch.asp
https://www.youtube.com/watch?v=O04m3yz2lJ0

LO3 Group Policy
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc786524(v=ws.10)?redirectedfrom=MSDN
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc786212(v=ws.10)
https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11
https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779159(v=ws.10)
https://blog.netwrix.com/2019/04/18/group-policy-management/#:~:text=The%20Group%20Policy%20Management%20Console,of%20Microsoft%20Windows%20Server%20Manager.
https://blog.netwrix.com/wp-content/uploads/2019/04/Group-Policy-Management-Interface-of-the-Group-Policy-Management-Console.png
https://blog.netwrix.com/wp-content/uploads/2019/04/Group-Policy-Management-Interface-of-the-Group-Policy-Management-Editor.png
https://blog.netwrix.com/wp-content/uploads/2019/04/Group-Policy-Management-Information-about-all-applied-GPOs-in-GPMC.png
https://www.education.com/worksheet-generator/reading/word-scramble/

LO4 Configuring and Testing Folder Redirection
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831487(v=ws.11)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd463985(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/gg277982(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732275(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771969(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj649074(v=ws.11)
https://www.education.com/worksheet-generator/reading/word-scramble/
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj649078(v=ws.11)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/images/jj649078.6e9f23c0-4ba6-4442-8b71-b0abad741a15(ws.11).jpeg

LO5 Configuring and Testing File and Printer Sharing Deployment
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731636(v=ws.10)#getting-started-and-deployment
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791910(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753109(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee524015(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766474(v=ws.10)
https://en.wikipedia.org/wiki/Printer_driver
https://www.techopedia.com/definition/8966/print-queue
https://whatis.techtarget.com/definition/printer

LO6 Configuring and Testing Remote Desktop Sharing
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff710421(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd647502(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff710489(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883274(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883253(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883266(v=ws.10)
https://docs.microsoft.com/en-us/windows/client-management/administrative-tools-in-windows-10#:~:text=Administrative%20Tools%20is%20a%20folder,of%20Windows%20you%20are%20using.
https://www.digitalcitizen.life/what-network-and-sharing-center#:~:text=Simply%20put%2C%20the%20Network%20and,holds%20a%20very%20important%20place.
https://www.varonis.com/blog/domain-controller/
https://www.techopedia.com/definition/27731/remote-desktop-connection-rdc-microsoft-windows
https://www.education.com/worksheet-generator/reading/word-scramble/
