Planning a Managed Environment




Chapter 1
Planning a Managed Environment

Many organizations are moving towards a highly managed computing environment based on a configuration management infrastructure that is designed to reduce the cost of managing a diverse set of organizational needs. The Microsoft Windows Server 2003 operating system includes a set of configuration management technologies collectively known as IntelliMirror that you can use to centrally manage configurations for users and computers. IntelliMirror and Group Policy combine the advantages of centralized computing with the performance and flexibility of distributed computing. This book explains how to design and deploy a centrally managed distributed computing environment.

In This Chapter
Overview of Deploying a Managed Environment Process ... 2
Developing a Deployment Plan ... 16
Defining the Scope of Your Configuration Management Project ... 17
Assessing Your Current Environment ... 18
Determining Your Requirements for Configuration Management Technologies ... 28
Designing Managed Configurations ... 37
Designing Your Organizational Unit Structure ... 44
Testing Your Configuration Management Design ... 45
Staging and Deploying Your Design to the Production Environment ... 48
Additional Resources ... 48

Related Information
For more information about designing and deploying your Active Directory directory service infrastructure, see "Planning an Active Directory Deployment Project" and "Designing the Active Directory Logical Structure" in Designing and Deploying Directory and Security Services of this kit.
For more information about Group Policy, see the Distributed Services Guide of the Microsoft Windows Server 2003 Resource Kit (or see the Distributed Services Guide on the Web at http://www.microsoft.com/reskit).

Overview of Deploying a Managed Environment Process

The IntelliMirror technologies included in the Microsoft Windows 2000, Microsoft Windows XP, and Windows Server 2003 operating systems provide the capabilities for directory-based configuration management. By using IntelliMirror on the server and the client, you can ensure that a user's data, applications, and settings remain constant throughout the user's environment. You also use Group Policy to centralize the process for deploying and managing security for servers running Windows 2000 and Windows Server 2003 and clients running Windows 2000 and Microsoft Windows XP Professional.

Together, Active Directory and Group Policy provide the foundation for IntelliMirror. Based on the Group Policy settings you specify, IntelliMirror can deploy, recover, restore, and replace users' data, software, and personal settings. You can set policy definitions once and rely on the system to apply the policy settings without further administrative intervention. By using IntelliMirror, you can centralize and simplify the management of users, servers, desktops, and security.

The term configuration management as used in this guide refers to a subset of technologies in Windows Server 2003 (and Windows 2000) that administrators can use as part of their overall infrastructure for change and configuration management. By using the IntelliMirror management technologies provided in Windows 2000 and later, you can design configurations for servers, desktops, and users.

Microsoft has developed guidelines you can use to help you effectively design, develop, deploy, operate, and support solutions built on Microsoft technologies. The guidelines are organized into two integrated frameworks, Microsoft Operations Framework (MOF) and Microsoft Solutions Framework (MSF). The guidelines include white papers, operations guides, assessment tools, best practices, case studies, templates, support tools, and services.

MOF provides technical guidance that enables organizations to achieve system reliability, availability, supportability, and manageability of IT solutions. MOF addresses the people, process, technology, and management issues pertaining to operating complex, distributed, heterogeneous IT environments. For more information about MOF, see the Microsoft Operations Framework (MOF) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. For more information about Microsoft Solutions Framework, see the Microsoft Solutions Framework link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Advantages of Using IntelliMirror

IntelliMirror refers to the ability to provide users with consistent access to their applications, application settings, roaming user profiles, and user data, from any managed computer, even when they are disconnected from the network. IntelliMirror is delivered via a set of Windows features that enable IT administrators to implement standard computing environments for groups of users and computers.

IntelliMirror can significantly boost user productivity and satisfaction by doing the following:
- Allowing users to continue working efficiently in intermittently connected or disconnected scenarios by enabling uninterrupted access to user and configuration data under these conditions.
- Delivering a consistent computing environment to users from any computer when their desktop or laptop computer is unavailable or in scenarios where users are not assigned a specific computer.
- Minimizing data loss by enabling centralized backup of user data and configuration files by the IT organization.
- Minimizing user downtime by enabling automated installation and repair of applications.

Implementing IntelliMirror also boosts administrator efficiency and reduces IT costs by doing the following:
- Eliminating the need to manually configure user settings, install applications, or transfer user files to provide users access to their computing environments on any computer.
- Enabling scenarios where users don't have an assigned computer but log on to any available computer in a pool of computers. This helps reduce hardware and administration costs.
- Easing the IT task of implementing centralized backup of user files while satisfying the need for these files to be available on the user's computer.
- Reducing support costs by using Windows Installer to automatically repair broken application installations.

IntelliMirror is implemented by means of a set of Windows features, including Active Directory, Group Policy, Software Installation, Windows Installer, Folder Redirection, Offline Folders, and Roaming User Profiles. Deploying IntelliMirror technologies for configuration management provides the following advantages.

User data management: IntelliMirror facilitates the centralized backup and restore of user data. Storing the users' data on servers simplifies data backup and security and ensures that data is protected and highly available. Users can access their data from any computer on the network. User data management relies on Active Directory, Group Policy, Folder Redirection, Offline Files, and disk quotas.

User settings management: Using the user settings management capabilities, you can manage user settings and preferences (such as user-defined screen colors and display fonts) and make them available to users regardless of which networked computer the users log on to. You can centrally define managed configurations for users and mirror user settings to the network. User settings management relies on Active Directory, Group Policy, Roaming User Profiles, Folder Redirection, Offline Files, and Synchronization Manager.

Security settings: Using Group Policy, you can manage the following types of security options for users, clients, servers, and domain controllers: Internet Protocol security (IPSec), security settings, software restriction policies, and wireless network policies.

Group Policy based software installation: Using Group Policy based software installation, you can manage software installation throughout an application's life cycle. You can centrally manage software installation, repairs, updates, and removal.

Internet Explorer policy settings: Using Microsoft Internet Explorer policy settings, you can customize the appearance of the browser, define connection settings, and define custom Uniform Resource Locators (URLs), security settings, and program associations.

Scripts: You can specify scripts to run when the computer starts and shuts down and when users log on or log off.

Remote setup and configuration: Using Remote Installation Services (RIS), you can simplify operating system installations by remotely setting up and configuring operating system installations on computers throughout the enterprise.

To ensure the success of your managed environment deployment, you must create a configuration management plan that defines the resources to be managed and the processes that you are implementing. You start your deployment plan by defining your business objectives for change and configuration management and determining the scope of your configuration management deployment in terms of the users and resources you need to manage. In the first phase, you also need to perform an assessment of your current environment and determine the requirements for configuration management. Next, determine which IntelliMirror configuration management technologies meet your business requirements, and then design managed configurations for the various types of users and computers in your organization based on those requirements. Before you deploy configuration management technologies into your production environment, you must fully test your designs in a controlled test environment, and then review your test results to determine whether the systems meet the design requirements. It is strongly recommended that you stage your deployment of Group Policy and related technologies. For more information about staging, see "Staging Group Policy Deployments" in this book. After you complete the testing of your design in a controlled environment, you can deploy to production. To learn about using the Windows Server 2003 Group Policy Management Console (GPMC) to facilitate testing and staging your deployments of Group Policy, see "Designing a Group Policy Infrastructure" in this book.

IntelliMirror Deployment Process

Deploying IntelliMirror configuration management technologies entails several processes. You begin your deployment plan by establishing your business objectives and identifying the resources to be managed, and then you define the scope of your project and evaluate your current environment in terms of the resources you need to manage and your requirements for configuration management technologies. Based on these requirements, you design managed configurations, determine the scope of application of your solution, test, and then stage and deploy your solution.

What This Guide Contains

Planning how you organize users and computers in Active Directory containers and how you apply Group Policy settings to manage them is an integral part of IntelliMirror. To help guide your design decisions for creating managed desktop configurations, you need a clear understanding of the appropriate technologies to use and the processes involved in implementing a desktop management solution that meets your business needs. Although it is anticipated that you will read only those chapters in this guide that apply to your particular deployment needs, be aware that the IntelliMirror technologies rely on Group Policy and Active Directory for their delivery. Therefore, it is recommended that you read "Designing a Group Policy Infrastructure" in addition to the chapters that pertain to your particular deployment. Each chapter is intended to assist you in planning, designing, testing, deploying, and implementing managed desktop configurations using IntelliMirror technologies.

Designing a Group Policy Infrastructure: Provides information about the process of defining your Group Policy objectives and designing a Group Policy infrastructure. Read "Designing a Group Policy Infrastructure" before you deploy the Group Policy based solutions that are described in other chapters in this book.

Staging Group Policy Deployments: Discusses the processes for creating and testing your Group Policy deployments in a controlled test environment. For example, "Staging Group Policy Deployments" explains how to create a test domain that mirrors a production domain by using the sample scripts provided with the Group Policy Management Console. You can perform incremental policy changes in the test environment, verify your changes, and then use the Import functionality of GPMC and migration tables to migrate the Group Policy objects (GPOs) you created to the production domain.

Deploying Security Policy: Discusses incorporating the Windows Server 2003 Group Policy security features into your overall security strategy to protect your corporate environment. "Deploying Security Policy" explains how to evaluate existing security policies, determine the level of risk acceptable for your environment, and deploy security policies.

Deploying Software Update Services: Discusses how to use Microsoft Software Update Services (SUS) to collect, approve, and distribute critical Windows patches to resolve known security vulnerabilities and stability issues on computers running the Windows XP and Windows Server 2003 operating systems. "Deploying Software Update Services" guides you through the process of designing and deploying servers running SUS within your intranet.

Migrating User State: Discusses how to use the user state migration tools included in Windows Server 2003 to save and restore user data and settings when you move client computers to the Windows XP operating system from earlier versions of Windows. "Migrating User State" guides you through the processes of planning and implementing user state migration to conserve IT staff time, preserve important data, and minimize costs while maintaining user productivity.

Implementing User State Management: Discusses the processes involved in implementing user data and user settings management technologies to set up, manage, and control the availability of user data and personal settings across your network. IntelliMirror allows data and settings to be available to users even when their computers are disconnected from the network. "Implementing User State Management" helps you plan, test, and configure managed desktop configurations by using Roaming User Profiles, Folder Redirection, Offline Files and synchronization, and disk quotas and user profile quotas.

Deploying a Managed Software Environment: Discusses the process of deploying a managed software environment using the software installation extension of Group Policy. By using Group Policy based software installation, you create a controlled environment that provides on-demand software installation and automatic repair of applications. "Deploying a Managed Software Environment" explains how to use Group Policy based software deployment to manage software throughout all phases of the software administration life cycle.

Deploying a Simple Managed Environment: Discusses the process of combining the IntelliMirror technologies to create a simple managed environment. "Deploying a Simple Managed Environment" guides you through the steps required to deploy a complete IntelliMirror solution, which you can use as an initial production environment for a small organization, or as a test environment for a larger organization.

Summary of Job Aids

As a supplement to this book, you can use job aids, such as worksheets and checklists, which are designed to help you collect data for planning your configuration management deployments. Each worksheet is created for the type of information you need for planning, such as questions to answer, points to consider, and tables to help you organize your information. You can modify the designated job aids to develop your configuration management designs as appropriate for your organization's needs. For worksheets to assist you with the deployment processes discussed in this book, see "Additional Resources," later in this chapter.

Introduction to IntelliMirror Configuration Management Technologies

When you use Windows XP and Windows 2000 clients, and Microsoft Windows 2000 Server and Windows Server 2003 networks with Active Directory installed, you can take full advantage of IntelliMirror and Group Policy management features. Active Directory and Group Policy provide the foundation for IntelliMirror. Based on the Group Policy settings you specify, IntelliMirror can deploy, recover, restore, and replace users' data, software, and personal settings. Table 1.1 lists the IntelliMirror core features, the technologies that enable these features, and the advantages of using IntelliMirror.

Table 1.1 IntelliMirror Features, Advantages, and Technologies

IntelliMirror Feature: User Data Management
Advantages: Data is protected and highly available. Users can access their data from any computer on the network. For example, if you redirect specific user data folders, such as the My Documents folder, to a network location, and then make this location available to the users for offline use, users can access their data wherever they log on.
Technologies Used: Active Directory, Group Policy, Offline Files, Folder Redirection, Synchronization Manager, Disk Quotas, Enhancements to the Windows shell

IntelliMirror Feature: User Settings Management
Advantages: Users get their preferred desktop configuration from any computer on the network. Their preferences and settings for the desktop and applications are available wherever they log on. You can also manage configuration settings for Internet Explorer by using Group Policy.
Technologies Used: Active Directory, Group Policy, Offline Files, Roaming User Profiles, Enhancements to the Windows shell

IntelliMirror Feature: Computer Settings Management
Advantages: You can use Group Policy to define options for computers, including security and network settings. For example, you can set options such as remote assistance, system restore, Windows file protection, and Terminal Services.
Technologies Used: Active Directory Users and Computers snap-in, Group Policy

IntelliMirror Feature: Software Installation
Advantages: You can centrally manage software installations, updates, repairs, and removal.
Technologies Used: Active Directory, Group Policy, Windows Installer

IntelliMirror Technologies

Active Directory and Group Policy together provide the foundation for IntelliMirror. The following technologies enable the IntelliMirror features.

Active Directory: The Windows based directory service stores information about objects on a network and makes this information available to administrators and users. By using Active Directory, you can view and manage network objects on your network from a single location, and users can access permitted network resources by using a single logon. The Active Directory Users and Computers Microsoft Management Console (MMC) snap-in is the recommended tool for managing Active Directory objects, including organizational units (OUs), users, contacts, groups, computers, printers, and shared file objects.

Group Policy: The infrastructure within Active Directory that enables directory-based configuration management of user and computer settings on computers running the Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition operating systems and the Windows 2000 and Windows XP Professional operating systems. The Group Policy settings that you create are contained in a Group Policy object (GPO). To create a GPO, use the Group Policy Object Editor snap-in for the MMC, which can be started from the Group Policy Management Console MMC snap-in (GPMC). The GPMC tool provides unified management of all aspects of Group Policy across an enterprise, including cross-forest management. Using GPMC, you can manage all GPOs, Windows Management Instrumentation (WMI) filters, and permissions in your network.

GPMC consists of the following: a set of scriptable interfaces for managing Group Policy, the Group Policy Modeling Wizard for planning Group Policy deployments prior to implementing them in the production environment, the Group Policy Results Wizard for viewing GPO interaction and for troubleshooting Group Policy deployments, and a new MMC snap-in that gives you the ability to manage Group Policy across your organization through a single user interface. For more information about Group Policy and GPMC, see "Designing a Group Policy Infrastructure" in this book. You can download GPMC from the Microsoft Download Center; see the Group Policy Management Console link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. You can use GPMC to manage both Windows 2000 and Windows Server 2003 based domains with Active Directory. By using GPMC to link a GPO to selected Active Directory system containers (sites, domains, and OUs), you can apply the GPO's policy settings to the users and computers in those Active Directory containers.
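The Group Policy Modeling Wizard mentioned above works out which of the GPOs linked at the site, domain and OU levels end up applying to a given user or computer. The following Python model, added here as an example and not part of the original guide or of GPMC, resolves a container chain into a resulting set of policy; it goes beyond the text by modelling link order, Enforced links and Block Inheritance as Group Policy applies them, and every container, GPO and setting name in it is constructed.

```python
"""Model of Group Policy precedence for deployment planning (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]  # constructed policy settings this GPO defines


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False  # an Enforced link cannot be blocked and wins conflicts


@dataclass
class Container:
    """A site, domain or OU. links[0] has link order 1 (highest precedence)."""
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def resolve(chain: List[Container], local: Optional[Dict[str, str]] = None
            ) -> Tuple[Dict[str, str], Dict[str, str], List[str]]:
    """Compute the resulting policy for an object whose container chain is
    [site, domain, OU, child OU, ...], parent first.

    Processing order (standard Group Policy behaviour, assumed here): local
    policy, then site, domain and OUs from parent to child; a later setting
    overrides an earlier one. Within one container, link order 1 is applied
    last so that it wins. Block Inheritance on a container drops non-enforced
    GPOs linked above it. Enforced GPOs are applied after everything else, and
    among enforced GPOs the one linked higher in the hierarchy wins.

    Returns (settings, winning GPO per setting, GPO names in application order).
    """
    block_from = 0
    for depth, c in enumerate(chain):
        if c.block_inheritance:
            block_from = depth  # the deepest blocking container decides
    order: List[GPO] = []
    for depth, c in enumerate(chain):
        if depth < block_from:
            continue  # non-enforced links above the block are dropped
        order += [link.gpo for link in reversed(c.links) if not link.enforced]
    for c in reversed(chain):  # enforced: child first, so the parent is applied last
        order += [link.gpo for link in reversed(c.links) if link.enforced]

    settings: Dict[str, str] = dict(local or {})
    source: Dict[str, str] = {key: "Local Policy" for key in settings}
    for gpo in order:
        for key, value in gpo.settings.items():
            settings[key] = value
            source[key] = gpo.name
    return settings, source, [g.name for g in order]


def build_sample() -> Dict[str, Container]:
    """Constructed hierarchy: one site, one domain, an OU and a child OU that
    blocks inheritance. Names and settings are illustrative only."""
    default_domain = GPO("Default Domain Policy",
                         {"AuditLogon": "Success,Failure", "ScreenSaverLock": "Enabled"})
    baseline = GPO("Corp Security Baseline",
                   {"IPSecPolicy": "Require", "RemoteAssistance": "Disabled"})
    workstation = GPO("Workstation Policy",
                      {"RemoteAssistance": "Enabled",
                       "SoftwareRestriction": "DisallowedByDefault"})
    lab = GPO("Lab Policy",
              {"SoftwareRestriction": "Unrestricted", "AuditLogon": "Success"})
    return {
        "site": Container("HQ-Site"),
        "domain": Container("example.local",
                            [Link(default_domain), Link(baseline, enforced=True)]),
        "workstations": Container("Workstations", [Link(workstation)]),
        "lab": Container("Lab", [Link(lab)], block_inheritance=True),
    }


if __name__ == "__main__":
    c = build_sample()
    for path in (["site", "domain", "workstations"],
                 ["site", "domain", "workstations", "lab"]):
        settings, source, order = resolve([c[p] for p in path])
        print("/".join(c[p].name for p in path), "applied:", order)
        for key in sorted(settings):
            print(f"  {key} = {settings[key]}  (from {source[key]})")
```

The Lab OU shows the planning risk that Block Inheritance silently drops the domain's non-enforced settings (here the screen saver lock) while the enforced baseline still applies.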

You can use Group Policy to configure policy settings for the following:

Registry-based policy settings: The Administrative Templates extension contains all registry-based policy settings, including those for the Windows 2000 or Windows Server 2003 operating systems and their components as well as any registry-based policy settings provided by applications. You use these policies to mandate registry settings that control the behavior and appearance of the desktop, the operating system components, and applications that provide registry-based policy.

Security settings: You can set security options for computers and users within the scope of a Group Policy object. You can define local computer, domain, and network security settings.

Scripts: You can use scripts to automate tasks when the computer starts and shuts down, and when the user logs on and logs off. You can use any language supported by Windows Scripting Host. These include the Microsoft Visual Basic development system, Scripting Edition (VBScript), JavaScript, Perl, and MS-DOS-style batch files (.bat and .cmd).

Folder Redirection: You can redirect special folders on Windows 2000 Professional and Windows XP from their default user profile location to an alternate location on the network. These special folders include My Documents, My Pictures, Application Data, Desktop, and the Start menu.

Software installation: You can centrally manage software in your organization. You can assign and publish software to users and assign software to computers.

Microsoft Internet Explorer Maintenance: You can manage and customize Internet Explorer on computers running Windows 2000, Windows XP, and Windows Server 2003. You can also export settings for Microsoft Windows 95, Windows 98, and Windows NT version 4.0 clients (the settings are exported into an .ins and .cab file format for those platforms). Administrators can set options for the browser user interface, connections, Uniform Resource Locators (URLs), proxy settings, security zones, and the Favorites folder and the Links bar.

Remote Installation Services: Remote Installation Services (RIS) is used to control the behavior of the Remote Operating System Installation feature as displayed to client computers.

User profiles: A user profile describes the desktop computing configuration for a specific user, including the user's environment and preferred settings. The user profile is created when a user first logs on to a computer running Windows XP, Windows 2000, Windows NT, or Windows Server 2003. A user profile consists of a group of settings and files, which defines the environment that the system loads when a user logs on. It includes all the user-specific configuration settings, such as application settings, screen colors, network connections, printer connections, and mouse settings.

The following user profiles are available in Windows Server 2003, Windows XP, and Windows 2000 Server and Microsoft Windows 2000 Professional:
- Local user profile. This is created the first time that a user logs on to a computer. The local user profile is stored on a computer's hard disk. Any changes made to the local user profile are specific to the computer on which the changes are made.
- Roaming user profile. A copy of the local profile is copied to and stored on a server share. This profile is downloaded every time that a user logs on to any computer on the network, and any changes made to a roaming user profile are synchronized with the server copy when the user logs off.
- Mandatory user profile. A type of profile that administrators can use to specify particular settings for users. Only system administrators can make changes to mandatory user profiles. Changes that a user makes to desktop settings are lost when the user logs off.

Offline Files: Offline Files complements Folder Redirection. By using Offline Files, users can disconnect from the network and continue working on the files as if they were still connected. When the computer is offline, the files and folders appear in the same directory as they do online, as if they still resided in the same location on the network. The user can then edit files even when not connected to the network. The next time the user connects to the network, the offline changes are synchronized with the network share.

Folder Redirection: By using Folder Redirection, users and administrators can redirect the path of a folder to a new location. The new location can be a folder on the local computer or a directory on a network share. Users can work with documents on a server as if the documents were based on the local drive. For example, you can redirect the My Documents folder (typically stored on the local hard disk) to a network location. The documents in the folder are available to the user from any computer on the network.

Synchronization Manager: When using Offline Files, users can use Synchronization Manager to synchronize all network resources. Users can set Synchronization Manager to automatically synchronize some or all resources. For example, users can set certain files and folders to be synchronized every time they log on or off the network. Synchronization Manager quickly scans the system for any changes, and if it detects changes, only the resources that have changed are updated, which speeds up the synchronization process.

Disk quotas: You can set disk quotas to track and manage the amount of disk space used on the servers containing users' redirected folders. You can specify a disk quota limit and a disk quota warning level. If a user exceeds their designated quota limit, the user is prevented from storing additional files on the volume without first clearing some disk space. You can configure the disk quota system to log a system event when users reach their quota warning level.

Overview of Deploying a Managed Environment Process 11 Software Update Services SUS is a server component that yo can install on a server rnning Windows 2000 or Windows Server 2003 to allow small and medim enterprises to bring critical pdates from Windows Update inside their firewalls for distribtion to compters rnning Windows 2000, Windows XP, and Windows Server 2003. Yo can se SUS to download the latest operating system patches to an intranet server, test the patches in yor operating environment, select the patches yo want to deploy to specific compters, and then deploy the patches. User State Migration tool If yo are performing a large deployment of the Windows XP Professional operating system, se the User State Migration tool (USMT) to atomate the migration of ser state information. By sing USMT, yo can migrate sers personal display properties, folder and taskbar options, Internet browser and mail settings, as well as specific files or entire folders (sch as My Docments, My Pictres, and Favorites) from their old compter to their new one. The USMT tool is inclded on the Windows Server 2003 CD in the \ValeAdd\Msft\USMT folder. For more information abot migrating ser state information, see Migrating User State in this book. For more information abot sing USMT, see the User State Migration Tool link on the Web Resorces page at http://www.microsoft.com/windows/reskits/webresorces. Remote Installation Services Yo can se RIS to install the base operating system on a new compter or to replace a system that has failed. By sing RIS yo can do sch installations or replacements withot visiting the individal compter. Clients mst spport remote booting by means of the Pre-Boot exection Environment (PXE) ROM. For client compters that do not have a remote boot enabled ROM, yo can se a remote-startp floppy disk; these clients mst have a Peripheral Component Interconnect (PCI) based network adapter. 
You can centrally set client configuration options for Remote Installation Services by using Group Policy. The remote operating system installation feature uses Active Directory, Group Policy, Dynamic Host Configuration Protocol (DHCP), and RIS. To facilitate computer replacement, you can use RIS to install the operating system, Group Policy based software installation to recover applications, Roaming User Profiles to restore user profiles, and Folder Redirection to manage files centrally. You can use IntelliMirror features separately or you can combine them depending on your business and organizational requirements.

IntelliMirror Implementation Examples

The examples that follow use some typical events at any organization to illustrate how the implementation of the IntelliMirror configuration management features in Windows Server 2003 impacts the computing environment. Example situations illustrate how the features and technologies of IntelliMirror can address typical desktop management needs.

Setting Up the New Employee's Computer Example

A new user logs on to a new computer and finds documents and shortcuts already on the desktop. These shortcuts link to common files, data, and URLs that are useful to all users. Some examples of documents and shortcuts are the employee handbook or shortcuts to the user's departmental guidelines and procedures or to the intranet. Also, if your computers come to you without an operating system, or if you have your own customized operating system installation, you can completely automate the installation of the client operating system for the new employee by using RIS. No technician is required to visit the computer. For more information about using RIS, see the Remote Installation Services (RIS) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Implementing the Setting Up of a New Employee's Computer Example

A default domain user profile and Group Policy are used to configure the new user's environment based on the user's job requirements. The administrator created a customized default domain profile that applies to all new domain users the first time they log on. When the users log on, they receive the customized settings from this profile. The advantage for the administrator of using a default domain profile is that all new users start from a base configuration that the administrator has chosen. Then, as the user personalizes the desktop settings, these settings are saved in the user's profile, which is stored either locally or in a roaming user profile in a predetermined location on the network. By implementing roaming user profiles, you can provide the user with the required business information and settings whenever needed.

Logging On the First Time Example

A new employee logs on for the first time and sees that required software, such as Microsoft Word, is on the Start menu. When the new user selects Word on the Start menu, or double-clicks a Word document, Word is installed on demand.
Implementing a First Time Logon Example

Software Installation is implemented primarily through the use of Group Policy and the Windows Installer service. Based on the user's Active Directory location and the Group Policy object applied, the user is assigned Word. IntelliMirror ensures that the necessary and correct items assigned to the user appear in the Start menu. Using Group Policy, the administrator can assign or publish differently configured versions of the same application to different groups of users. When the user starts Word or opens an employee handbook in Word for the first time, the Windows Installer service checks to see if the application is installed on the local computer. If not, Windows Installer downloads and installs the necessary files for Word to run and sets up the necessary local user and computer settings. Although Windows Installer continues to check each time the application is invoked, it does not attempt to reinstall or repair the application unless necessary files are missing.

Making Offline Files Accessible to a Portable Computer Example

A portable-computer user working at the office creates a number of documents and saves them to the My Documents folder. After saving the documents, the user logs off, disconnects from the network, and takes the portable computer on a trip. While on the trip and off the network, the user continues to edit the documents saved earlier in My Documents.

Implementing Making Offline Files Accessible to a Portable Computer Example

In this situation, the documents are simultaneously saved to a network location and cached to the local computer in a process that is transparent to the user. This action takes place because the network folder is configured to be available offline. This configuration creates a copy of the network folder's contents on the local computer. The user can then access the data offline. By combining Offline Files with Folder Redirection, you can keep user data files backed up and secure on a centrally managed server. If a folder is both redirected and set to offline, that folder receives the benefits of being secure on a server drive, accessible by any computer the user logs on to, and remains available on the user's computer even if the network becomes inaccessible.

Returning to the Corporate Network

In this example, the user who uses a portable computer returns to the office and logs on to the network. Because the user made changes to files while working offline, a reminder balloon appears over the notification area showing that the changed files are being synchronized with the network files. In this situation, IntelliMirror technology identifies that the data in My Documents has changed and automatically updates the version on the network. User Data Management and User Settings Management technologies are used to allow users to work on files offline and automatically update network versions of those files when they later reconnect to the network.
Offline Files allows users to work on network files when not actually connected to the network. The Synchronization Manager coordinates synchronization of any changes between the offline version of a file and the network version. Synchronization Manager helps you manage the multiuser use of network files. If multiple users modify the same network file, IntelliMirror notifies the users about the conflict and offers several resolution methods. The user can save the network version, the local version, or both versions. If both versions are to be kept, the user is asked for a new file name to store one of the versions.

Setting Up a Shared Computer Environment Example

Users work in a department, such as a call center or IT support environment, where they use different computers from day to day. A user is working on a document late one night when the shift ends. The user saves the document and logs off the computer. The next day the user logs on to a different computer and connects to the network. The desktop has the same appearance and configuration as the computer used the previous night. The user resumes working on the same document that was saved in the My Documents folder the previous night.

Implementing Setting Up a Shared Computer Environment Example

A user's desktop was configured to use Roaming User Profiles so that a copy of the user's working environment was stored on a network server. When the user logged on to the computer, the user's existing preferences, shortcuts, and documents were copied to the local computer. The user was able to continue working as if using the original computer. A variation of this example is when one uses Roaming User Profiles in conjunction with Folder Redirection. This approach saves downloading time because the redirected folders do not need to be copied down to each computer. Users can have the same work environment and access to the same documents from any computer on the network. Changes that the user makes on one computer are synchronized with the other computer the next time the user logs on.

Replacing a Computer Example

The computer that a user is working on suddenly has a complete hardware failure. The user calls technical support, and a new computer with only the Windows XP operating system installed arrives. Without further technical assistance, the user plugs in the new computer, connects it to the network, starts it, and can immediately log on. The user finds that the desktop has the same configuration as the computer it replaced: the same color scheme, screensaver, application icons, shortcuts, and preferences. More importantly, all the user's data files have been restored.

Implementing the Replacement of a Computer Example

IntelliMirror helps the user quickly get a computer installed and running with a minimum of support because data and settings are stored independently of any specific computer. By using Roaming User Profiles, Folder Redirection, and Group Policy, you can make the user's data, settings, and applications available wherever the user logs on to the network. In this example, the solution is not limited to getting the user a new computer.
Instead, the user could also move to another computer in the office because all of the user's data, settings, and environment are mirrored on the network. The features of IntelliMirror can be used separately or combined to address the range of needs, from minor configuration changes and updates to complete disaster recovery. This example only addresses IntelliMirror features. In this case, the support department shipped a computer that was preloaded with Windows XP Professional. However, by using RIS, it is also possible to send out computer hardware that has not been preloaded or configured. In that case, RIS can install Windows XP Professional after the computer is on site.

Implementing a Customized Home Page URL for All Domain Users Example

You are an administrator and you want to stipulate that the home page in Internet Explorer is configured to use the URL address of your organization's intranet home page for all domain users.

Implementing the Customized Home Page Example

In this example, a GPO is created, and policy settings are defined to use a customized home page URL. The GPO is linked at the domain level to ensure it applies to all users in that domain.

Managing Desktops in Non Active Directory Environments

The availability of configuration management tools and features differs depending on whether your network operates exclusively in an Active Directory environment or in another network environment. In a non Active Directory environment, you can use other tools, such as Microsoft Systems Management Server (SMS) for managing software distribution, the Internet Explorer Administration Kit for managing Internet Explorer settings, and System Policy (for Windows 95, Windows 98, and Windows NT 4.0) for managing registry-based settings. In addition, each local computer running Windows 2000, Windows XP Professional, Microsoft Windows XP 64-Bit Edition, or a Windows Server 2003 operating system has exactly one local Group Policy object (LGPO), even if it does not participate in a domain. Although it is possible to set a variety of settings by using the LGPO, System Policy scales more easily to a large number of clients. The LGPO can be useful if you only need to apply certain settings to a small number of clients running Windows XP in a Windows NT 4.0 domain. Note that a local GPO does not support Folder Redirection or Group Policy based Software Installation, and some security settings are not available in local GPOs. Table 1.2 summarizes how desktop management tools differ between Active Directory and non Active Directory environments.
Table 1.2 Desktop Management Tools and Features in Active Directory and Non Active Directory Environments

Management Task: Configure registry-based settings for computers and users
  Active Directory: Administrative templates deployed by using Group Policy; administrative templates deployed by using the local Group Policy object (LGPO)
  Non Active Directory: System Policy; LGPO

Management Task: Manage local, domain, and network security
  Active Directory: Security settings deployed by using Group Policy; security settings deployed by using the LGPO
  Non Active Directory: LGPO

Management Task: Centrally install, update, and remove software
  Active Directory: SMS; Group Policy based software distribution
  Non Active Directory: SMS

Management Task: Manage Internet Explorer configuration settings after deployment
  Active Directory: Internet Explorer Maintenance in the Group Policy Object Editor snap-in; Internet Explorer Maintenance deployed by using the LGPO; Internet Explorer Administration Kit (IEAK)
  Non Active Directory: LGPO; IEAK

Management Task: Apply scripts during user logon/logoff and computer startup/shutdown
  Active Directory: Logon/logoff and startup/shutdown scripts can be centrally configured in Group Policy or independently by using the LGPO
  Non Active Directory: LGPO

Management Task: Centrally manage users' folders and files on the network
  Active Directory: Folder Redirection in conjunction with Offline Files and Folders
  Non Active Directory: System Policy manipulation of registry settings

Management Task: Centrally manage user settings on the network
  Active Directory: Roaming User Profiles
  Non Active Directory: Roaming User Profiles (for Windows domains)

Developing a Deployment Plan

To use the IntelliMirror technologies for managing configurations effectively, you must develop a plan that defines the resources to be managed and the management processes to be implemented. To ensure the success of your deployment of the technologies for managing configurations, you need to do the following:

Analyze your organization's current configuration management process. When you develop your configuration management infrastructure, determine how your organization currently manages its computing environment.

Determine goals for your managed environment deployment. As you begin your design process, establish the criteria that define the success of your managed environment project. The business requirements of the various organizational groups of users may differ, and success, therefore, means different things to each group. For example, a system administrator might consider a project successful if it results in a reduction in the ten most common support calls, whereas for a department manager, success includes increased user productivity. It is important that you set achievable and measurable goals, and that you review them periodically to track your progress.

Design your solution for configuration management by using the IntelliMirror technologies to meet your business requirements.
Follow a process to implement a configuration management infrastructure. Analyze your business requirements, service level agreements, security, network, and IT requirements, and then determine the appropriate technologies to use to meet your requirements. By following the guidelines in this book for designing your configuration management infrastructure, you can establish the approach that best suits your organization's needs.

Create a configuration management team. The majority of change and configuration management deployments are likely to have cross-functional boundaries, so as part of preparing your deployment, it is important to consult with various functional teams in your organization and ensure they participate during analysis, design, test, and implementation phases as appropriate. A recommended option is to use the Microsoft Solutions Framework (MSF) team model. In the MSF model, small multidisciplinary teams are created, and team members share responsibilities to focus on the project. You can align your team with the MSF model by including the six roles in the change and configuration management design team:

Product Management. Ensures the goals of the project are met.
Program Management. Facilitates the team and manages resources.
Development. Designers and implementers of the CCM infrastructure.
Testing. Ensures all issues are known before the release of the design.
Logistics Management. Handles the physical requirements of the deployment.
User Education. Designs user and team training materials.

For more information about the Microsoft Solutions Framework Team Model, see the Microsoft Solutions Framework link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Defining the Scope of Your Configuration Management Project

It is important to identify both the organizational and the technical scope for your configuration management deployment. The primary purpose is to deploy a configuration management infrastructure to meet the needs of a defined set of users and to manage a clearly defined computing environment. Defining the scope is important both to set user expectations and to establish concrete goals for the project.

Organizational Scope

To understand the configuration management requirements of an organization, you need to identify the organizational structure and determine organizational goals.
You can create a map of your organization to show a representation of its logical hierarchy (an organizational chart). This chart is useful as an input to the design process because it defines natural boundaries within the business, which might function as separation points in the use of IntelliMirror technologies. The breakdown of the organization's resources includes all levels of job roles. Use the job roles as input when you categorize users by job type.

Resources to be Managed

The technical scope for deploying a configuration management infrastructure involves all computing resources to be managed, including hardware and software. It is useful to develop a diagram of the network to serve as a logical representation of servers and services within the network. Work with the network administrators and the Active Directory deployment team to obtain this information. The diagram needs to illustrate the following information:

Location of domain controllers and member servers
Site configuration
Link speed within and across sites
Servers that provide specific services, such as Domain Naming Services (DNS) and DHCP
Interfaces with infrastructure elements outside the scope of configuration management, such as firewalls, networking equipment, and systems running other operating systems

Use the network diagram to indicate which components of the computing environment are to be managed by the configuration management infrastructure and which components are to remain unmanaged.

Assessing Your Current Environment

Assessing your current environment is the first step toward identifying how IntelliMirror can meet your desktop management needs. To identify the areas where IntelliMirror can provide the most benefit for your organization, examine how you perform your desktop management tasks. For example, evaluate how your IT staff handles common desktop management situations such as the following:

New applications that need to be made available to users as quickly as possible.
Users who move from one location to another and must retain access to their primary applications and data even on a different computer.
Users who travel frequently and have intermittent network access, sometimes over slow links.
New employees who require a newly configured computer that includes all their required applications.
Users who receive new computers and need to have an operating system installed, along with their applications and data.

Use this process as a starting point to define the tasks your IT group performs for configuration management. You need to determine:

How your organization currently performs the tasks associated with change and configuration management
How your organization currently manages desktops

After you determine how your organization manages desktops, you can create a flowchart or table to identify the most common and frequently occurring desktop management tasks that your IT department performs.

Evaluating Your Desktop Management Processes

Analyzing your current configuration management processes helps you to identify ways you can improve service and reduce your total cost of ownership (TCO). You need to assess your desktop environment and evaluate the current methods your organization uses for installing operating systems, applications, and service packs. You also need to evaluate the backup processes in place and determine the level of security to provide for desktops. For a worksheet to help you evaluate your desktop environment, see Worksheet A.4 "Assessing Your Current Desktop Environment" (DMEUSE_4.doc) on the Microsoft Windows Server 2003 Deployment Kit companion CD (or see Worksheet A.4 "Assessing Your Current Desktop Environment" on the Web at http://www.microsoft.com/reskit). Large organizations typically support hundreds of software applications as well as multiple versions of operating systems. To help reduce the cost associated with client computing, you can implement standards for corporate-wide software such as virus protection, e-mail, word processing, and spreadsheets, and then retire obsolete or unnecessary software. To develop your client application standards, examine the operating system types and the versions your organization has installed, the commercial applications your organization uses (such as word processing software), and the line-of-business applications that your corporation has developed for tasks such as managing clients or filling orders.
For a worksheet to help you assess your organization's software standards, see Worksheet A.5 "Evaluating Software Standards" (DMEUSE_5.doc) on the Windows Server 2003 Deployment Kit companion CD (or see Worksheet A.5 "Evaluating Software Standards" on the Web at http://www.microsoft.com/reskit).

Evaluating Computer and User Roles

It is recommended that you configure a user's environment according to the user's job or role in the organization. You can then specify the security and other configuration settings for different types of computers such as member servers and desktops. The Group Policy settings you define for each group of users and computers should be based on their business requirements.

Domain controllers and member servers

If you have different types of member servers, such as Microsoft Exchange 2000 Server, terminal servers, or file and print servers, it is likely that you need to define and create different Group Policy objects to configure the settings on each type of server. For example, when managing terminal servers, you need to ensure that you apply user settings Group Policy based on the computer that the user logs on to. To achieve this, consider using the Group Policy setting for loopback policy processing. (The User Group Policy loopback processing mode policy setting is an advanced option that applies user settings based on the location of the computer object.) To simplify troubleshooting and problem solving, place the domain controllers and the different types of member servers into separate organizational units and allocate Group Policy objects accordingly.

Desktops

Different computers require different policy settings based on their roles. To support these differences, you need to create Group Policy objects that configure each computer according to its role. To use IntelliMirror to create configurations for computers, you need to consider things such as whether a given computer is configured to allow multiple users to log on. You also need to determine if the computer retains or discards user profiles between user sessions and if the computer provides local storage space for copies of offline files.
Categorizing Users by Job Types and Location

Categorizing users in your organization according to their job requirements, computer experience, and location is an important part of the process of developing Group Policy objects for managing the various desktop configurations users require. Several user types can be used to describe the majority of job roles in most organizations. Every user has specific job-based needs for data management, and users often have multiple roles. For example, a high-performance user might also perform the tasks of a knowledge user. For each user category, consider what type of configuration options to allow users to make on their computers. Determine if users should run with User or Power User privileges, whether users can install software, or make desktop configuration changes. For example, you might allow high-performance users to change the desktop colors, and you probably want to prevent data-entry workers from making any desktop configuration changes.

High-performance users

High-performance users (engineers, graphic artists, and software developers, for example) rely on information technology (IT) to do jobs that are often project- or process-driven. They typically require highly specialized applications. It is recommended that such users store their data on corporate servers even though they might also need access to local storage on a disk for performance. However, local data is not backed up. Users need permanent access to their data regardless of their location.

Knowledge workers

Knowledge users require IT to collect data from many sources, convert the data into information, and communicate the information to support decision-making transactions. Knowledge workers' jobs are typically project-driven, requiring both personal productivity and specialized applications. For example, this category includes executive staff, financial analysts, consultants, researchers, and reporters. Knowledge workers mainly store data on corporate servers. Users tend to share their working data with others in their department or with those working on the same project.

Process workers

Process workers (in customer service, claims and loan processing, for example) use IT to add value to a process. These users perform repetitive process-driven tasks, which require personal productivity and your organization's customized applications. These users' data is typically stored on corporate servers, and they might have limited write access to the local computer. In some cases, it might be appropriate to use a fully locked-down desktop.

Data-entry workers

Data-entry jobs (processing airline reservations, making order entries, and typing transcriptions) require IT to transcribe data from one medium to another and to add value to data by making it available for other uses. Data-entry users have no access to disk drives, CD-ROM drives, or the local file system, and their data is stored on corporate servers.
Users might share workstations with users on other shifts or with temporary workers. In addition to categorizing users according to their IT service requirements, you need to identify them by the locations from which they access the corporate network to perform their jobs. Location categories are largely independent of the user types already defined in this section.

Stationary users

Stationary users access the corporate network by using local area network (LAN) links. Their computers have permanent LAN connections and high-speed links to connect to the users' data on local servers. The nature and volume of the users' work is fairly predictable. Therefore, their needs for IT services can be easily anticipated.

Roaming users

Roaming users access the corporate network by using LAN links. They have permanent LAN connections when working locally, but if they roam between sites, they might have restricted network bandwidth back to some servers. They need to access their data from multiple workstations from many different areas in the same physical location.

Mobile users

Mobile users need to access the network at different times and locations by dial-up connections, varying LAN connections, or across a wide area network (WAN) link. Therefore, network services must be accessible at any time. The following characteristics apply to mobile users:

Their computers are often connected by slow or intermittent network links.
The bandwidth, quality, and consistency of their network connections are highly variable.
Users' data and settings need to be saved locally when the users work offline. The users' data and settings might be synchronized to a file server.
The availability of different types of services depends on whether the users are connected to the corporate network and on the speed and reliability of their connections.

Remote users

Remote users are occasionally connected by slow or intermittent network links, but they connect by using the same link each time. They need access to the corporate network at their convenience. Therefore, network services must be accessible at any time. Users need to save data and settings locally, which might not be synchronized to a file server.

Two other important considerations to take into account when analyzing your users and your organization for desktop management are security and corporate policy. You need to consider how you can protect your desktops from possible security threats. Also, you need to consider how your desktop management plans might affect the corporate culture. For more information, see "Determining Corporate Policies" later in this chapter.

Evaluating Your Security Requirements

The security requirements for managed desktops in your organization are an essential part of your configuration management deployment. Examine both the internal and the external security threats that might exist. Internal threats range from accidental damage that your users might cause to their desktops to intentionally malicious actions. External threats include viruses, hackers, or persons with malicious intent. Some things to consider as you plan for desktop security include:

What user security level is appropriate for users to have on their computers? Three fundamental levels of security are granted to users by membership in one of these groups: Users, Power Users, and Administrators. Membership in the Users group gives the most protection from a number of external threats, such as viruses, and it limits the damage that a user can accidentally or intentionally cause to their computers. However, user level permissions have the most incompatibility problems with older applications. Take particular care before you give users privileged access to computers that they share with other employees.

What type of systems do the workstations need to interoperate with? They might need to interoperate with Windows NT 4.0 servers, UNIX server message block (SMB) servers, or other types of servers. Interoperability with older systems means that some security you might use in a pre Windows Server 2003 environment must be relaxed.

Do users have to provide any level of support on their own computers, or do they have to configure their own computers? Users who use portable computers and provide their own support might require administrator rights on their computers. Other high-performance users, such as developers, might also need administrative rights.

A series of security templates is supplied with Windows Server 2003 that you can use to manage security configurations.
For more information about deploying Windows Server 2003 security, see "Deploying Security Policy" in this book or see "Planning a Secure Environment" in Designing and Deploying Directory and Security Services of this kit.
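The point above about privileged access on shared computers is easiest to keep honest with a periodic audit. The following is an added example, not code from the Deployment Kit: it collects the members of the local Administrators and Power Users groups from a set of shared desktops and flags anyone who is not on an expected list. It assumes a Windows version that ships the Microsoft.PowerShell.LocalAccounts module on the targets and that PowerShell remoting is enabled; the computer names and the expected-member baseline are constructed sample values.

```powershell
# Added example (not from the Deployment Kit): audit who holds Administrators or
# Power Users membership on shared computers and report anything outside the baseline.
# Assumptions: the computer names and $Expected baseline are constructed sample data;
# targets run a Windows version with Get-LocalGroupMember and have WinRM enabled.

$Computers = @('CALLCENTER-01', 'CALLCENTER-02')          # constructed sample names

# Baseline of members that are allowed in each privileged group. The built-in
# Administrator and the domain admin groups are expected; nobody should hold
# Power Users on a shared desktop (the Users group is the intended level).
$Expected = @{
    'Administrators' = @(
        'CALLCENTER-01\Administrator', 'CALLCENTER-02\Administrator',
        'CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins'   # constructed group names
    )
    'Power Users'    = @()
}

function Get-PrivilegedMembers {
    param([string[]]$ComputerName)

    # Run the enumeration on each target; results come back as deserialized objects
    # with the Computer name attached so findings can be traced to a machine.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        foreach ($group in 'Administrators', 'Power Users') {
            # A missing group (Power Users may not exist) is not an error for the audit.
            Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer = $env:COMPUTERNAME
                        Group    = $group
                        Member   = $_.Name              # e.g. CONTOSO\jdoe or HOST\Administrator
                        Source   = $_.PrincipalSource   # Local or ActiveDirectory
                    }
                }
        }
    }
}

# Anything not in the baseline for its group is a finding: a user who was given
# admin rights for a one-off support case, a stale local account, or a new group.
$findings = Get-PrivilegedMembers -ComputerName $Computers |
    Where-Object { $Expected[$_.Group] -notcontains $_.Member }

if ($findings) {
    Write-Warning 'Privileged group members outside the expected baseline:'
    $findings | Sort-Object Computer, Group | Format-Table Computer, Group, Member, Source -AutoSize
} else {
    Write-Host 'All privileged group memberships match the expected baseline.'
}
```

Run it on a schedule and keep the baseline under change control, so that a temporary grant of administrator rights on a shared computer shows up until it is either approved or removed.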

Determining Corporate Policies

Desktop management has both political and technical consequences. Depending on the current corporate policy and the culture of your organization, implementing restrictive desktop configurations can be either straightforward or complicated. Often, the more centralized the current IT structure and standards are, the easier it is to gain user acceptance of more restrictive desktop configurations. For example, organizations that have implemented system policies in Windows NT 4.0 to configure common managed desktops might find that users accept quite restrictive policies in Windows 2000 and later. However, organizations moving from an unmanaged Windows NT 4.0 environment (or from a Windows 95 or Windows 98 environment) might encounter resistance to increased restrictions. This can delay or challenge your efforts to impose new or restrictive managed configurations. This does not mean that an organization with a distributed administration and policy structure cannot benefit from IntelliMirror desktop management. The majority of IntelliMirror features are not readily visible to the user, and many (such as Offline Files and application publishing) are enabling rather than restricting technologies. You can actually save time and resources by taking time to carefully examine the benefits of imposing a particular restriction and weigh them against the potential costs of resistance. Where the benefits outweigh the costs, you might want to think about a user education program (as part of the migration training) so that users understand the motivation behind the policy settings. For more information about educating users, see "Preparing Users for Deployment" later in this chapter.

Assessing Network and Storage Requirements

The availability of network bandwidth can affect how Group Policy settings are applied.
It is also important to have sfficient network bandwidth available between servers and workstations when yo deploy Roaming User Profiles, Offline Files, and Folder Redirection. Collecting information abot yor network infrastrctre and network traffic patterns helps yo plan yor deployment of IntelliMirror technologies. To plan for disk space allocation, yo need to determine the disk storage that the sers and compters in yor organization reqire.

Evaluate Your Network Infrastructure

Evaluate how well your network infrastructure meets your users' demand for bandwidth. If some of your users connect to your network over slow or intermittent communication links, the placement of your distribution points and other servers assumes even greater importance in your planning. Determine whether any areas of your network are problematic. Where remote users are highly managed, you might justify the cost of upgrading the communication link. By default, when Windows Server 2003 detects a slow link, it does not apply all Group Policy objects to the remote user or computer. For example, security settings and administrative templates are applied, but software installation and scripts are not.

The reliability and speed of your local- and wide-area communication links influence your placement of servers and the management functionality you are able to offer to users. Offline Files, Folder Redirection, and Roaming User Profiles all transfer data files across your network. Software installation sends applications. By testing and piloting, you can best determine the amount of data that passes over your network as a result of implementing these technologies.

The central networking questions you need to answer when deploying IntelliMirror include:

What changes do you need to make in the physical, logical, and site topology of your network to support these technologies?
Does your network have the correct protocols to support these technologies?
Is your network bandwidth within and between sites sufficient to support IntelliMirror features?

You also need to collect the following data:

The number of clients at each location served. Correlate the placement of servers, routers, and domain controllers to the clients serviced by each device. Remember to include mobile clients.
Configuration information about network devices such as modems, routers, and hubs. Note whether your routers are configured to pass on broadcast packets. This information is useful when deciding where to place software distribution points.

Evaluate Your Network Traffic Patterns

Because IntelliMirror operations involve sending information across your network, knowing the pattern and load of network traffic is essential for planning. Collect the following data about your network traffic patterns:

Bandwidth demands, such as peak utilization and percentage utilization.
Usage patterns. Establish whether all users log on and off at the same time, or whether user logon time is spread more evenly.

You can estimate the network load generated by software installation by noting:

Whether installation of the software is mandatory (assigned) or optional (published), and whether the assignment is to a user or to a computer.
The size of the software package that is installed.
The placement of the software distribution point in relation to the targeted users.

If you assign software to a computer, the software installation takes place when the computer is restarted. When you perform large deployments to groups of computers, the workload on your network increases substantially when the users start their computers. Consider performing such deployments so that you minimize disruptions to users.

Assigning software to be available on demand to a user places a shortcut to the software on the user's Start menu, but the software is not actually installed until the user starts the application. You can also use the Install this application at logon option to install software the next time the user starts the computer, or after the user logs off and then back on. To some degree the load is spread out as users install the software whenever they require it. However, in the case of large-scale deployments to many users, a significant number of users might install the assigned software within the same time period. You can spread out demand on bandwidth over time by publishing software to users so that each user decides when or if to install the package.

You also need to consider the impact of Roaming User Profiles and Folder Redirection on network load. If possible, minimize the bandwidth impact of synchronizing user data and profiles to network file servers by placing the servers so that data traveling back and forth is localized to the network segment instead of traveling over your entire network or across slow links.

Evaluate Storage Requirements

When implementing IntelliMirror technologies, you need to allocate server storage space to hold user data and settings. Allocating server storage space for user data and user settings is complicated by the variety of files (both in number and size) that each user stores on a network server. You need to determine the following:

Type of user you are supporting
Typical desktop environment in your organization
IntelliMirror technologies you are deploying

Recording this information helps you estimate how much server storage space you need to allocate for user data and profiles. Although you can use disk quotas to limit the amount of server disk space available to each user, you can also choose to set a limit but not enforce it. In that case, Windows Server 2003 logs a system event whenever a user uses more than the specified amount of disk space. You can then examine the logs to estimate the amount of disk space that you need for storing user data and settings.

To calculate your server capacity needs when you use Folder Redirection, begin by listing the folders you need to redirect to the network. For example, you can redirect any of the following folders for each user: the My Documents folder, Desktop, the Application Data folder, and the Start menu. Then determine how much local disk space your users' data consumes in the specified folders. You can gather this information by writing scripts (VBScript, WMI queries, or Perl, for example), or you can use other inventory tools to gather file size data, filtering for the specified directories and known data file extensions such as .doc and .xls. Use this information to estimate the server storage space needed for Folder Redirection.

If possible, minimize the impact on bandwidth of synchronizing user data and profiles to network file servers. To do this, place the servers so that the data traveling back and forth is localized to the network segment, instead of traveling over your entire network or across slow links.

Track and control the total number of users saving data files to each server, and track how much data is being stored. You can control the disk space used to store user data and settings by imposing disk quotas or controlling the size of a user's profile. You can monitor and enforce the size of a user's profile by setting profile quotas. If a user's profile is larger than the size you specify, the user is prevented from logging off until the user reduces the amount of disk space used by that profile. Testing and piloting IntelliMirror features on a sample group of users can provide valuable information about the average and median profile size of your users.

If you use Roaming User Profiles while redirecting the My Documents folder of your roaming users, you might not want to impose profile quotas. The reason is that files such as custom dictionaries (whose size is outside the user's control) are written to the user profile. Imposing profile quotas can frustrate users who cannot control the size or number of files in their profile.
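To gather the file-size data this section describes, here is an added Python example (not part of the Deployment Kit): it inventories per-user data in the folders to be redirected, filtering by known data extensions, and produces the total, average, median and over-quota figures a capacity plan needs. The folder names are the chapter's; the sample users, file sizes, extra extensions and the 25% headroom are constructed assumptions for this example.

```python
"""Estimate server storage for Folder Redirection and spot over-quota users.

Added example (not from the Windows Server 2003 Deployment Kit). Walks a root
directory that holds one subdirectory per user (a constructed stand-in for the
local profiles you would inventory), sums the known data files inside the
folders you intend to redirect, and reports the totals a capacity plan needs:
per-user size, mean and median, users above a quota, and a server estimate.
"""
import statistics
import tempfile
from pathlib import Path
from typing import Dict

# Folders the chapter names as candidates for redirection.
REDIRECTED_FOLDERS = ("My Documents", "Desktop", "Application Data")

# Known data-file extensions to count, as the chapter suggests (.doc, .xls);
# the other two are assumptions for this example.
DATA_EXTENSIONS = {".doc", ".xls", ".ppt", ".txt"}


def folder_data_size(folder: Path, extensions=DATA_EXTENSIONS) -> int:
    """Return the byte total of files under `folder` whose extension matches.

    Files with other extensions (caches, temporary files) are ignored, so the
    estimate reflects data you would actually redirect, not profile clutter.
    """
    if not folder.is_dir():
        return 0
    return sum(p.stat().st_size for p in folder.rglob("*")
               if p.is_file() and p.suffix.lower() in extensions)


def per_user_sizes(root: Path, folders=REDIRECTED_FOLDERS) -> Dict[str, int]:
    """Map each user directory under `root` to its redirected-folder data size."""
    return {
        user_dir.name: sum(folder_data_size(user_dir / f) for f in folders)
        for user_dir in sorted(p for p in root.iterdir() if p.is_dir())
    }


def storage_report(sizes: Dict[str, int], quota_bytes: int,
                   headroom: float = 0.25) -> dict:
    """Summarize sizes for capacity planning.

    `over_quota` lists users whose data exceeds `quota_bytes`; this mirrors the
    chapter's advice to set a quota limit without enforcing it and examine who
    exceeds it before deciding on hard limits. `server_estimate_bytes` adds a
    headroom fraction (an assumption of this example) to the measured total.
    """
    values = list(sizes.values())
    total = sum(values)
    return {
        "total_bytes": total,
        "mean_bytes": statistics.mean(values) if values else 0,
        "median_bytes": statistics.median(values) if values else 0,
        "over_quota": sorted(u for u, s in sizes.items() if s > quota_bytes),
        "server_estimate_bytes": int(total * (1 + headroom)),
    }


def build_sample_profiles(root: Path) -> None:
    """Create constructed sample profiles (three users, a few files each)."""
    layout = {
        "alice": {"My Documents/report.doc": 300_000,
                  "Desktop/notes.txt": 2_000,
                  "Application Data/cache.tmp": 900_000},  # .tmp is not counted
        "bob": {"My Documents/budget.xls": 1_200_000,
                "My Documents/old.doc": 800_000},
        "carol": {"Desktop/todo.txt": 500},
    }
    for user, files in layout.items():
        for rel, size in files.items():
            path = root / user / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"\0" * size)


def run_example(quota_bytes: int = 1_000_000) -> dict:
    """Build the sample profiles in a temporary directory and report on them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_profiles(root)
        return storage_report(per_user_sizes(root), quota_bytes)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Point `per_user_sizes` at a share or a collected set of local profiles to get real figures; the over-quota list is the same information the unenforced-quota event log gives you, produced before the servers are deployed.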

Evaluating Service Level Agreements

Many IT organizations find that the best way to maintain service level agreements with various departments within an organization is to structure services by levels. For example, an organization might define service level agreements (SLAs) that specify the maximum amount of time allowed for the logon screen in Windows 2000 to appear (when the workstation is turned on) or for the user to have access to the desktop after successfully logging on.

You might categorize your services as basic and custom services. Basic services are a predetermined set of services you agree to provide to a business unit for a specified cost. You can have several levels of basic services, each with its own assigned cost. Basic services might include standard hardware and software configurations for desktop computers. Custom services are additional specialized services that a business unit might request. When a business unit requests custom services, you have a specified charge-back rate for them. Custom services might include special software configurations created for a user with unique needs.

Determining Your Requirements for Configuration Management Technologies

To ensure that your design supports the administrative requirements of your organization, begin by determining your organization's current administrative practices and the existence of any administrative boundaries, technical or political, that might impact the design. To determine your specific administrative requirements, you can ask a number of questions about the current configuration management tasks and methods, document the responses, and collect data. This will help you define the goals of your configuration management infrastructure. Evaluate the administrative tasks you currently perform when installing operating systems, managing user settings and data, computers, and software distribution.

Operating System Installations

Assess how your organization manages operating system installations and upgrades, including the following:

Number of operating system installations that are performed per month
Frequency of operating system upgrades
Time to install or upgrade a client computer
Automation processes used to reduce the time required for installations or upgrades

User Settings and Data Management

Managing user settings requires that you assess the levels of control users need to have over their environment and how user profiles are stored. If a policy is currently in place, determine the business requirements it meets. When you examine the organizational requirements for user data and settings management, determine whether a different strategy can improve user productivity and reduce the need for IT intervention.

Managing user data requires that you consider which configuration management technologies can be implemented to improve the process of managing user data. To do this, document your requirements for the following:

Backup procedures for user data
Types of users who regularly use more than one computer, and ways that improved data access can enhance their job performance
Amount of time and money spent recovering and recreating data when hardware or software problems cause a computer failure
Potential amount of lost revenue to the organization if a catastrophic loss of user data occurs
Need for users to take server-based data with them off site. Mobile and remote users have different requirements due to the transient nature of their network connections and distance from support staff.

Computer Settings Management

Analyze the administrative tasks you currently perform to manage computer settings, such as security and network configuration settings. You need to ensure that you provide appropriate, secure computer configurations based on the business requirements of your organization. You should evaluate issues such as user authentication, access to resources, and network settings.

Authentication and access to resources. Determine how users are currently authenticated to the network and their computers, what resources users are permitted to access, and to which groups they belong. By using Group Policy, you can define security settings to manage multiple computers. You can create a security policy by importing a security template into a Group Policy object. Security settings include options for administering the following: account policies, local policies, Event Log settings, membership in restricted groups, startup and permissions for system services, and registry and file system access control lists (ACLs). You can also specify policy settings for IPSec, software restriction policies, public key policies, and wireless network (IEEE 802.11) configurations.

Administrative rights requirements. Determine whether the users have to configure and support their own computers. For example, users who have to provide their own support (such as users who use portable computers) might require administrator rights on their computers. Other high-performance users, such as developers, might also need to use administrative rights.

Interoperability in mixed server environments. Determine the types of systems with which the users' workstations need to interoperate, such as Windows NT 4.0 servers, UNIX server message block servers, or other types of servers. Supporting interoperability with older systems means that some security settings you might use in a pre-Windows 2000 environment must be relaxed.

Network settings. Determine whether you need to set up specific network settings on a per-computer basis, DNS or proxy settings, for example.

Scripts. Determine the types of scripts to use when a computer starts or shuts down. You can use both VBScript (.vbs) and JScript (.js) scripts.

Internet Explorer maintenance. To manage Internet Explorer settings for computers, you can use Group Policy for the following: security zones, proxy settings, controlling the installation of Internet Explorer components by users, and displaying or hiding the Internet Explorer splash screen.

Users' privileges on the local computer. Establish whether a user, or set of users, should be a member of the Users, Power Users, or Administrators group.

Note: Typically, for security purposes, it is not recommended that users log on to their computers with administrative credentials. If users need to perform administrative tasks on their computer, they can use the Run as command to perform such tasks.

Software Distribution

Evaluate the current methods your organization uses for deploying and managing software throughout the software lifecycle. Include the following considerations:

How applications are deployed, whether the methods used are adequate, and whether the software distribution is too wide in its scope.
How applications are used, and the common support issues that arise.
How often applications are upgraded, and how upgrades are performed.
How applications are removed, and whether full removal is achieved.

For more information about managing configurations by using IntelliMirror technologies, see the following chapters in this book:

"Designing a Group Policy Infrastructure" for information about deploying Group Policy to manage groups of users and computers.
"Implementing User State Management" for information about managing user data and user settings.
"Deploying Security Policy" for information about managing security settings.
"Deploying a Managed Software Environment" for information about using Group Policy to deploy software.
"Deploying Software Update Services" for information about using Microsoft SUS to manage the deployment of Windows patches.

After you identify your business needs, you can determine which features are most useful for your organization.

Identifying the IntelliMirror Technologies That Meet Your Configuration Management Needs

You can use the following IntelliMirror technologies to improve your configuration management processes:

User data management
User settings management
Computer settings management
Software management
Remote operating system installations

User Data Management

Ensuring that data remains available is a leading concern for most organizations. What happens to user data when a hard disk fails? Who ensures that users back up their files on a timely basis? Too often, user data backups are not performed, and important files are lost if the user's hard disk fails. Other concerns include the availability of users' data: whether users have access to their data if they move to a different computer on the network, or if they are only intermittently connected to the network. Using the appropriate IntelliMirror desktop management technologies, you can ensure that users can access their data from any computer, wherever they log on, whether online or offline. You can back up user data centrally and provide fast computer replacement in disaster recovery situations.

By using IntelliMirror to manage user data, you gain the following advantages:

You can provide improved protection of user data by ensuring that local data is also redirected or copied to a network share, providing a central location for administrator-managed backups. This capability helps to enforce corporate directives such as placing all important data on servers.
You can ensure that the most up-to-date versions of a user's data reside on both the local computer and on the server. Local caching maintains data on the local computer even when it is not connected to the network. This ensures that data is available to the user, even when the user is working offline.
When a user roams to another computer on the network, the user's data can follow. This provides increased accessibility because users can use any computer on the network to access their data.

Implementing user data management relies on some or all of the following technologies:

Active Directory
Group Policy
Roaming User Profiles
Folder Redirection
Offline Files
DFS (Distributed File System)
EFS (Encrypting File System)
Disk quotas

For more information about how to implement user data management technologies, see "Implementing User State Management" in this book.

User Settings Management

In most organizations, new and existing users who change computers often need help from the IT department initially to configure their computers. By using the IntelliMirror technologies to manage user settings, you can centrally define computing environments for groups of users and computers so that users automatically get the correct configurations for their jobs. You can also restore user settings if a computer fails, and ensure that a user's desktop settings follow the user if they roam to another computer. By managing user state, you can accomplish the following:

Reduce support calls by providing a preconfigured desktop environment appropriate for the user's job.
Save time and cost for computer replacement.
Help users work more efficiently by providing a consistent, secure, preconfigured desktop environment, no matter where they work.

The settings you can manage include:

Desktop configurations
Security settings
Language settings
Application settings
Scripts (for when a computer starts or shuts down and when a user logs on or logs off)

Administrators can also redirect any of the special folders in a user profile to a network share. Then the same user profiles are available wherever a user logs on. User settings, like user data, can follow the user regardless of where that user logs on.

Administrators use settings to customize and control users' computing environments and to grant or deny users the ability to customize their own computing environments. These settings can be applied to both users and computers. When users have permission, they often customize the style and default settings of their computing environment to suit their needs and work habits.

Settings contain three basic types of information: user and administrative information, temporary information, and data that is specific to the local computer. For example:

User settings include items such as Internet Explorer favorites, quick links, cookies, and the Microsoft Outlook Express personal Web address book or background bitmap.
Temporary information includes items such as the user's personal Internet Explorer cache.
Local computer settings include items such as the folders and files marked for offline use.

You use the following technologies to implement user settings management:

Active Directory
Group Policy
Offline Files
Synchronization Manager
Folder Redirection
Roaming User Profiles

For more information about how to implement user settings management, see "Implementing User State Management" in this book.

Computer Settings Management

Group Policy provides numerous settings to help you manage the computers and servers in your organization. By using Group Policy, you can manage the following types of settings for computers:

Security settings. You configure security settings on computers to protect resources on the computers or the network.
Account policies. Defined on computers, they determine how user accounts interact with the computer or the domain. This includes password policy for domain or local accounts, account lockout policy, and Kerberos policy.
Local policies. Include audit policy, user rights policy, and security options.
Public key policies. Include Encrypting File System policy settings.
Software restriction policies. Used to protect your computing environment by identifying and specifying which applications are allowed to run on computers.
Internet Protocol security. Provides protection against private network or Internet attacks. IPSec uses cryptographic security services to ensure private, secure data transmission over Internet Protocol (IP) networks.
Scripts. You can specify scripts to run when the computer starts up or shuts down.
Windows components. You can specify policy settings for NetMeeting, Internet Explorer, Task Scheduler, Terminal Services, Windows Installer, and Windows Messenger.
System. You can specify policy settings for User Profiles, Scripts (to determine how scripts run), Logon, Disk Quotas, Net Logon, Group Policy (to specify how Group Policy should be processed), Remote Assistance, Error Reporting, Windows File Protection, Remote Procedure Call, and Windows Time Service.
Network. You can specify policy settings for DNS Client, Offline Files, Network Connections, QoS Packet Scheduler, and SNMP.
Printers. You can specify policy settings for printers, such as allowing printers to be published to or deleted from Active Directory, or Web-based printing.

Software Management

User productivity is enhanced when users have all of the software applications that enable them to perform their jobs efficiently. It is also important that IT tracks applications that are no longer being used, or are out of date, and makes sure those are phased out. The IT group determines when to stop supporting software that is no longer useful. In some cases, the best solution is to remove the obsolete application instead of risking compatibility issues and other problems that can result from its continued use.

Application management tasks can be extremely labor intensive. That is why many organizations want to automate them for large groups or even for all client computers at one time. Microsoft provides several software deployment solutions. By evaluating your business objectives for deploying software, the types of requirements your solution must meet, and the types of client operating systems in your organization, you can determine the most appropriate method for deploying software.

Group Policy-based software installation

You can use Group Policy-based software installation to install software applications when a computer is started, when the user logs on, or on demand. This approach is suitable for small and medium organizations that have deployed Active Directory, and whose client computers are Windows 2000 Professional or later. You can also use Group Policy-based software installation to upgrade deployed applications or remove earlier applications that are no longer required. You can ensure that a user cannot install any software from local media, such as a CD-ROM or disk, or other unapproved applications. The Group Policy-based software installation feature also provides for the following situations:

If a user inadvertently deletes files from an application, the application repairs itself.
If a user moves from one computer to another, the software remains available to the user.
If an application is not installed on a user's computer, and the user tries to open a document associated with that application, the application is automatically installed and the document opens.

You can apply software installation policy settings to users or computers in your Active Directory structure. You can also use Group Policy to set software restrictions to help protect the computer environment from questionable or unknown software.

Group Policy-based software installation does have some basic limitations, including the inability to schedule installation, manage network bandwidth, or provide feedback on the status of the installation. Consider using Systems Management Server if you need to provide scheduled installations, manage network use, perform hardware and software inventory, or monitor installation status. For more information about deploying software by using Group Policy-based software installation, see "Deploying a Managed Software Environment" in this book.

Systems Management Server

SMS is appropriate for medium and large organizations that use client computers running Windows 2000 or earlier. SMS does not require Active Directory. SMS provides advanced capabilities such as inventory-based targeting, status reporting, server- and client-side scheduling, multisite facilities, complex targeting, centralized hardware and software inventory, remote diagnostic tools, software metering, software distribution-point population and maintenance, support for Windows 95, Windows 98, Windows NT 4.0, Windows 2000, and Windows XP clients, and enhanced software deployment features. For more information about SMS, see the Microsoft Systems Management Server link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Software Update Services

SUS is a method for quickly acquiring and distributing critical Windows patches to computers in your organization. You can use Software Update Services to download the latest critical or security patches, test the patches, and efficiently deploy the patches to the appropriate computers. You can use these services on computers running the following operating systems: Windows 2000, Windows XP, and Windows Server 2003. For more information about using Software Update Services, see "Deploying Software Update Services" in this book.

Remote Operating System Installations

You can use the Remote Installation feature to perform a new installation of Windows on Preboot Execution Environment (PXE) remote boot-enabled client computers throughout your organization. An administrator does not have to visit the new computer to install a new operating system and core applications. You can provide a customized, fully automated installation process from a remote source. When the computer is turned on, the user presses F12 to initiate the operating system installation process. The computer then starts from a network server that supports RIS.

You can use RIS servers with Risetup and RIPrep to deploy all editions of Windows 2000 (except Microsoft Windows 2000 Datacenter Server), Windows XP Professional, and all editions of Windows Server 2003 (except Windows Server 2003, Datacenter Edition). You can also use RIS servers with Risetup to deploy Windows XP 64-Bit Edition and the 64-bit versions of Windows Server 2003. You use the following technologies to implement Remote Installation:

Active Directory
Group Policy
DNS
DHCP
RIS

Designing Managed Configurations

Many help desk calls occur after users attempt to upgrade and install nonstandard hardware and software. By creating standards, and designing and deploying managed configurations in your organization, you can specify which applications users can access and which features are available, based on users' job types, services provided by the IT department, and the needs of your corporate environment. You can limit unnecessary access to system functionality to decrease the number of problems users might inadvertently cause. For example, you can use Group Policy to prevent users from accessing various storage devices such as floppy disk drives, hard disks, or CD-ROMs. By using security policy or ACLs, you can also secure objects, such as system files and the registry, so that your users cannot gain access to them.

Implementing standard configurations can result in increased user productivity by reducing the incidence of computer-related problems. Also, because standard configurations are easier to troubleshoot or replace, they bring about a reduction in support costs.

Mapping Managed Configurations to User and Computer Roles

After you categorize users by their job requirements and locations, and determine the types of servers and clients in your organization, you can determine how best to combine these categories with other organizational considerations to create managed configurations for your organization. Managed configurations can be mapped to the user categories described in "Categorizing Users by Job Types and Location" earlier in this chapter. You can design configurations to address the specific business requirements of your organization. The following examples illustrate how you can use IntelliMirror features to create managed configurations.

Highly Managed

Use the highly managed configuration for process workers whose work requires highly restricted configurations with only a few applications. This configuration is suitable for marketing, processing claims and loans, and serving customers. A highly managed desktop has the following characteristics:

Users working different shifts can share the computer. Each user needs a unique logon account.
Users can customize a limited number of application-specific settings.
Users can access their data from any computer.
User data is stored on server shares, and users do not store data locally.

Table 1.3 lists the features that you can use to design a highly managed configuration.

Table 1.3 Features Used for a Highly Managed Configuration

Feature: Roaming User Profiles
Comments: User settings are available at any computer on the network to which the users log on. You can remove cached copies of the roaming user profile when the users log off by using Group Policy.

Feature: Folder Redirection
Comments: Redirect My Documents to a network share.

Feature: Offline Files
Comments: Designated files are cached locally to ensure that in the event of network disconnection, the users can continue to work on these important files.

Feature: Software installation
Comments: Core applications are installed on all laptops (these applications are assigned). Optional applications are available for users to install locally (these applications are published).

Feature: Disk quotas
Comments: You can use disk quotas on the servers that contain redirected folders so that individual users cannot use excessive amounts of disk space.

Feature: Software installation
Comments: You can assign core applications to users. Optional applications are available for users to install locally (these applications are published).

Feature: Security context and template
Comments: User or Power User. The secure workstation security template is used as the basis for this configuration.

Lightly Managed

Use the lightly managed configuration for high-performance users who require a lot of control over their computers, in an organization where highly managed desktops are not acceptable to users, or where desktop management is highly delegated. The lightly managed desktop has a minimal set of restrictions that help reduce desktop support costs and user downtime:

Users can customize most settings that affect them but are prevented from making unauthorized system changes.
Users can log on to any computer on the network and access their data.
User data is saved on server shares and is not stored locally.

Table 1.4 lists the features that you can use for creating a lightly managed configuration.

Table 1.4 Features Used for Configuring a Lightly Managed Configuration

Feature: Roaming User Profiles
Comments: Users get the same settings on any computer they use.

Feature: Redirected Folders and Offline Files
Comments: Any files that you redirect must also be set as offline files, so that the users can continue to work on their files even when their computer is not connected to the network.

Feature: Software Installation
Comments: Core applications are installed on all laptops (these applications are assigned). Optional applications are available for users to install locally (these applications are published).

Feature: Disk quotas
Comments: Use disk quotas on the servers that contain redirected folders so that individual users cannot exhaust available shared disk space.

Feature: Security context and template
Comments: User or Power User. The secure workstation security template is used as the basis for this configuration.

Mobile User

A mobile user configuration is appropriate for managing mobile users, that is, traveling users who often use portable computers. Mobile users typically log on to the same computer, and they connect by both high-speed and low-speed links. The following characteristics apply to mobile-user desktops:

Can be configured so that users have access to user data whether or not the computer is connected to the network.
Can save data locally or on network servers.
Can be configured so that users can disconnect from the network without logging off or shutting down, and to have data files synchronized automatically.

Table 1.5 summarizes the configuration management features you can use to create a mobile user configuration.

Table 1.5 Features Used for a Mobile User Configuration

User profiles: Use the following criteria to determine which type of profile to use:
- If the user regularly connects to the network by using a fast link, and if you want to back up user state or they use multiple computers, use a roaming user profile.
- If the user rarely connects by a fast link, use a local profile.
- If the user roams to LAN-connected computers in the domain and also has a portable computer, use a roaming user profile.
Folder Redirection: Redirect the My Documents folder so that users can access centrally stored data and documents from anywhere. Redirected folders are automatically made available offline, to provide access when users are not connected to the network.
Ability for user to customize: Permit customizations within certain guidelines so that users can personalize their work environment but are prevented from making changes to critical system settings.
Software installation: Core applications are installed on all laptops. Administrators assign these applications. Optional applications are available for users to install locally (these applications are published).
Group Policy settings: Use Group Policy settings to create the managed environment.
Security context and template: User or Power User. The highly secure workstation security template is used as the basis for this configuration.

Multiuser

The multiuser desktop is appropriate for environments such as a university laboratory, public computing center, or a library, where users might be allowed to save some customizations, such as desktop wallpaper and color scheme preferences, but are prevented from changing hardware or connection settings. A multiuser configuration has the following characteristics:
- The system is mostly restricted, but some personal settings are allowed.
- Users can log on and use a configured roaming profile.
- Users share this computer with other users, either by having a unique logon account or by using a Guest account.
- User data is saved on server shares, and users do not store data locally.

Table 1.6 lists the features you can use for a multiuser configuration.

Table 1.6 Features of a Multiuser Configuration

Multiple users: Users share this computer. Each user has a unique logon account.
Roaming User Profiles: Makes user settings available from any computer and enables administrators to easily replace computers without losing their configuration. When the user logs off, the local cached version of the profile is removed to preserve disk space.
Folder Redirection: User data is saved on server shares, and Group Policy is set to prevent users from storing data locally. Redirect My Documents, Desktop, and Application Data.
Ability for user to customize: Most of the system is locked down, but some personal settings are available.
Assigned applications: Core applications common to all users are assigned to the computer. Other applications are available for on-demand install by means of user assignment.
Published applications: Applications are available for users to install from Add or Remove Programs in Control Panel.
Group Policy settings: Group Policy settings are used to create the managed environment.
Security context and template: User. Based on the highly secure workstation security template.

Kiosk

The term kiosk in this context refers to a public workstation that runs only one application and one user account, runs unattended, and automatically logs on. Users are unknown to the kiosk owner and do not provide logon credentials. A kiosk workstation is highly secure and simple to operate. Users cannot change the default settings. Use the kiosk desktop in a public area where multiple users access the computer or where you want to prevent users from making any customizations. For example, the kiosk is frequently used in airports where passengers check in and view their flight information. The following characteristics apply to the kiosk desktop:
- The system is highly restricted by applying policy settings.
- Users cannot customize the installed applications.
- Users cannot save data to the computer locally or to the network.
- The computer can be in a stand-alone environment without any network connectivity.
- Users cannot add or remove applications.
- Users are anonymous, and all users share the same user account.

Table 1.7 lists the features you can use for a kiosk configuration.

Table 1.7 Features of a Kiosk Configuration

User profile type: Local.
Folder Redirection: Not used.
Ability for user to customize: No user customizations are permitted. Use policy settings to prevent users from accessing the Taskbar and Start menu.
Assigned applications: One application is assigned to the computer.
Security context and template: User. The highly secure workstation security template is used as the basis for this configuration.

Task Station

Use the task station desktop (an entry terminal for orders on a manufacturing floor or in a call center, for example) for data entry workers when you need dedicated computers to run a single application. A task station configuration has the following characteristics:
- The computer is dedicated to running a single application.
- Users on different shifts often share computers. Each user has a unique logon account.
- Many users roam between multiple computers that run the same single application.
- User data is saved on server shares and can be stored locally.

Table 1.8 lists the features you can use to configure a task station desktop.

Table 1.8 Features of a Task Station Configuration

Multiple users: Users share this computer. Each user has a unique logon account.
Roaming User Profiles: Makes user settings available from any computer and enables administrators to easily replace computers without losing their configuration. When the user logs off, the local cached version of the profile is removed to preserve disk space.
Folder Redirection: Redirect My Documents and Application Data.
Ability for user to customize: No user customizations are permitted. You can also use policy settings to prevent users from accessing the Taskbar and Start menu.
Assigned applications: Typically one application is assigned to the computer. No published applications are made available for users to install.
Security context and template: User. The highly secure workstation security template is used as a basis for this configuration.

Configurations for Computer Replacement

To simplify computer replacement and to minimize interruption to users, you can store the user data and settings independently of any specific computer. By using Roaming User Profiles and Folder Redirection, you can ensure that the users' data, settings, and applications are available wherever the users log on.

You can also simplify setting up a new managed computer on your network by using RIS to create standardized operating system configurations. You can create a customized image of a Windows XP Professional or Windows 2000 Professional desktop from a source computer. You can save that desktop image to the RIS server, and then use that preconfigured image to set up multiple desktops. The image can include only the operating system, or it can be a preconfigured desktop image that includes both the operating system and a standard, locally installed desktop application.

Designing Your Organizational Unit Structure

When you plan your configuration management solution, ensure that you design an OU structure that facilitates the management of Group Policy. The OU hierarchy does not need to mirror your organization's departmental hierarchy. Create every OU to have a defined purpose, such as delegation of authority or application of Group Policy. Business needs must drive the OU hierarchy. By delegating administrative authority, you can designate groups of users to have control over the users and computers or other objects in an OU. An OU is the smallest Active Directory container to which you can assign Group Policy settings.

Note: Redirusr.exe (for user accounts) and Redircomp.exe (for computer accounts) are two new tools included with Windows Server 2003 to assist with the application of Group Policy to new user and computer accounts. These tools are located in %windir%\system32. New user and computer accounts are created in the CN=Users and CN=Computers containers by default. It is not possible to apply Group Policy directly to these containers. By running Redirusr.exe and Redircomp.exe once for each domain, the domain administrator can specify OUs into which all new user and computer accounts are placed at the time of creation. This allows administrators to manage these unassigned accounts by using Group Policy before the administrators assign them to the OU in which they are finally placed. It is recommended that the OUs used for new user and computer accounts be highly restricted by means of linked GPOs to increase security around new accounts. For more information about redirecting the Users and Computers containers, see article Q324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
For more information about the Redirusr.exe and Redircomp.exe tools, see the Redirecting Users and Computers link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
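As an added example (not code from the Deployment Kit or from the Redirusr/Redircomp tools), the following PowerShell script creates the two holding OUs, runs Redirusr.exe and Redircomp.exe against them, and then reads back the domain's wellKnownObjects attribute, which is the attribute these tools change, to confirm the redirection. The OU names 'New Users' and 'New Computers' are assumptions; the script must run once per domain, as a domain administrator, on a domain controller in a domain at the Windows Server 2003 functional level or higher.

```powershell
# Added example: redirect the default Users and Computers containers to restricted OUs
# and verify the change by reading the domain's wellKnownObjects attribute.
# Assumptions: run once per domain as a domain administrator on a domain controller;
# the OU names 'New Users' and 'New Computers' are constructed for this example.

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Properties['defaultNamingContext'].Value
$domain   = [ADSI]"LDAP://$domainDn"

# Well-known GUIDs that identify the Users and Computers containers inside
# wellKnownObjects (each value has the form B:32:<GUID>:<distinguished name>).
$containerGuids = @{
    Users     = 'A9D1CA15768811D1ADED00C04FD8D5CD'
    Computers = 'AA312825768811D1ADED00C04FD8D5CD'
}

function Get-DefaultContainerDn {
    # Returns a hashtable: Users -> DN, Computers -> DN, as currently set on the domain.
    param([System.DirectoryServices.DirectoryEntry]$DomainEntry)
    $DomainEntry.RefreshCache()                   # re-read attributes from the DC
    $result = @{}
    foreach ($value in $DomainEntry.Properties['wellKnownObjects']) {
        $parts = [string]$value -split ':', 4      # B, 32, GUID, DN (DN kept whole)
        if ($parts.Count -ne 4) { continue }
        foreach ($kind in $containerGuids.Keys) {
            if ($parts[2] -ieq $containerGuids[$kind]) { $result[$kind] = $parts[3] }
        }
    }
    return $result
}

function New-HoldingOu {
    # Creates OU=<Name> directly under the domain root if it does not already exist.
    param([string]$Name)
    $ouDn = "OU=$Name,$domainDn"
    if (-not [ADSI]::Exists("LDAP://$ouDn")) {
        $ou = $domain.Children.Add("OU=$Name", 'organizationalUnit')
        $ou.CommitChanges()
    }
    return $ouDn
}

$newUsersOu     = New-HoldingOu -Name 'New Users'
$newComputersOu = New-HoldingOu -Name 'New Computers'

# Link your restrictive GPOs to these two OUs before redirecting, so that every
# account created from now on is covered by them from the moment it is created.

$before = Get-DefaultContainerDn -DomainEntry $domain
& "$env:windir\system32\redirusr.exe"  $newUsersOu
& "$env:windir\system32\redircomp.exe" $newComputersOu
$after  = Get-DefaultContainerDn -DomainEntry $domain

"New user accounts:     $($before.Users) -> $($after.Users)"
"New computer accounts: $($before.Computers) -> $($after.Computers)"
if ($after.Users -ne $newUsersOu -or $after.Computers -ne $newComputersOu) {
    Write-Warning 'wellKnownObjects does not point at the requested OUs; check the tool output and the domain functional level.'
}
```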

Application of Group Policy

You can link GPOs to sites, domains, and OUs to implement Group Policy settings as broadly or as narrowly in the organization as necessary. Keep in mind how Group Policy is applied when you determine the scope of application of Group Policy objects:
- The policy settings in Group Policy objects are inherited, cumulative, and apply to all users and computers in an Active Directory container.
- Group Policy objects are processed in the following order: local GPO, site, domain, and OU.
- By default, Group Policy inheritance is evaluated starting with the Active Directory container farthest from the computer or user object. The Active Directory container closest to the computer or user overrides Group Policy set in a higher-level Active Directory container unless you set the No Override option for that GPO.
- If you link more than one GPO to an Active Directory container, the GPO processing order (priority) is as follows: the GPO highest in the Group Policy Object Links list, displayed in the Group Policy page of the Active Directory container's Properties page, has precedence by default. If you set the No Override option in one or more of the GPOs, the highest GPO that is set to No Override takes precedence.

For information about creating an Active Directory structure, see "Designing the Active Directory Logical Structure" in Designing and Deploying Directory and Security Services of this kit. For more information about defining the scope of application of Group Policy, see "Designing a Group Policy Infrastructure" in this book.

Testing Your Configuration Management Design

Before deploying your management solutions to a wide base, fully test your design in a test lab environment. Minimally, your test environment consists of at least two domain controllers, a member server, two or more workstations, and possibly a mobile computer connected by means of a slow link.
If you are testing software installation through Group Policy, include one or more servers set up as software distribution points. By setting up a test-to-production environment deployment process and using features of the Group Policy Management Console, you can ensure that you provide a reliable and consistent configuration management solution. Document the testing network as well as all steps required to set it up. If new hardware, such as a new server, is being added to your organization's network, use this same hardware in your test deployment if possible.
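Before you link GPOs in the test lab, it helps to work out which GPO wins for each setting. The following PowerShell model is an added example, not part of the Deployment Kit, that implements the precedence rules listed under "Application of Group Policy" above; all GPO names, link orders and settings in it are constructed sample data.

```powershell
# Added example: a model of Group Policy precedence for reasoning about designs.
# Containers are processed farthest first (local, site, domain, OU, child OU) so the
# closest container normally wins; No Override GPOs are applied afterwards so that
# they win instead, with the farthest No Override GPO taking final precedence.
# All GPO names, link orders and settings below are constructed sample data.

$LevelOrder = @('Local', 'Site', 'Domain', 'OU')

function New-GpoLink {
    param(
        [string]$Name,
        [ValidateSet('Local', 'Site', 'Domain', 'OU')][string]$Level,
        [int]$Depth = 0,         # for nested OUs: 0 = top-level OU, 1 = child OU, ...
        [int]$LinkOrder = 1,     # 1 = highest entry in the Group Policy Object Links list
        [switch]$NoOverride,     # the No Override option (called Enforced in GPMC)
        [hashtable]$Settings     # setting name -> value configured by this GPO
    )
    # Rank: distance from the user or computer object; higher = closer to the object.
    $rank = ([array]::IndexOf($LevelOrder, $Level) * 100) + $Depth
    [pscustomobject]@{
        Name = $Name; Level = $Level; Rank = $rank; LinkOrder = $LinkOrder
        NoOverride = [bool]$NoOverride; Settings = $Settings
    }
}

function Resolve-GpoPrecedence {
    # Returns a hashtable: setting name -> name of the GPO whose value is effective.
    param([object[]]$Links)
    $effective = @{}
    # Pass 1: ordinary links, farthest container first. Within one container the
    # lowest entry in the Links list is applied first, so the highest entry wins.
    $ordinary = $Links | Where-Object { -not $_.NoOverride } |
        Sort-Object @{Expression = 'Rank'}, @{Expression = 'LinkOrder'; Descending = $true}
    foreach ($link in $ordinary) {
        foreach ($key in $link.Settings.Keys) { $effective[$key] = $link.Name }
    }
    # Pass 2: No Override links beat everything from pass 1. Closest container first and
    # farthest last, so a domain-level No Override GPO beats an OU-level one; within a
    # container the highest No Override entry in the Links list is applied last.
    $enforced = $Links | Where-Object { $_.NoOverride } |
        Sort-Object @{Expression = 'Rank'; Descending = $true}, @{Expression = 'LinkOrder'; Descending = $true}
    foreach ($link in $enforced) {
        foreach ($key in $link.Settings.Keys) { $effective[$key] = $link.Name }
    }
    return $effective
}

# Constructed sample: one site GPO, a domain GPO set to No Override, and two GPOs
# linked to the kiosk OU (link order 1 is the higher entry in the list).
$links = @(
    (New-GpoLink -Name 'Site Defaults'   -Level Site   -Settings @{ Wallpaper = 'site.bmp' })
    (New-GpoLink -Name 'Domain Security' -Level Domain -NoOverride -Settings @{ MinPasswordLength = 12; Wallpaper = 'domain.bmp' })
    (New-GpoLink -Name 'Kiosk Lockdown'  -Level OU -LinkOrder 1 -Settings @{ HideStartMenu = $true; Wallpaper = 'kiosk.bmp' })
    (New-GpoLink -Name 'Kiosk Branding'  -Level OU -LinkOrder 2 -Settings @{ Wallpaper = 'brand.bmp'; MinPasswordLength = 6 })
)

$winner = Resolve-GpoPrecedence -Links $links
$winner.GetEnumerator() | Sort-Object Key | ForEach-Object { '{0,-18} set by {1}' -f $_.Key, $_.Value }
```

With the sample links, HideStartMenu comes from Kiosk Lockdown (closest container, highest in its list), while MinPasswordLength and Wallpaper come from Domain Security because its No Override setting beats the closer OU links.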

To minimize variables and to ensure that testing does not interfere with your organization's network services, keep the testing network on its own, isolated LAN.

Note: If there is a network server that you cannot simulate, such as a database service, you might need to temporarily connect the testing network to the organization's network to verify that the deployment interacts with this service as expected. Use this approach only if you have no other options available for verifying the interaction of the deployment with the service.

After completing tests in a controlled environment, select a group of users to pilot your configuration. Keep the users to a manageable number. A pilot can expose unexpected problems on a small scale so that you can resolve them before deploying on a large scale. Verify that the deployed technology is operating as expected. If you perform an iterated deployment, deploy and test it in phases, and then emphasize the testing of the final configuration.

You can perform two types of testing:
- Proof of concept testing
- Pilot testing

When conducting such tests, be prepared to iterate if necessary. Depending on the scope of any design updates, you might want to repeat the proof of concept or pilot stage before proceeding further.

Conducting Proof of Concept Testing

Proof of concept testing provides the opportunity to try out a design in a controlled environment and to identify any potential major problems or challenges prior to conducting a pilot with users.

Use a Test Environment

Conducting a proof of concept test requires a test environment that can be configured to simulate the intended configuration for your production environment. Typically, this is a small-scale simulation that is also large enough to demonstrate the core structures and policy settings that you have designed. Primary aspects of conducting a proof of concept test are to give a representative sample of users and administrators access to the test environment and to confirm that the design meets their requirements and expectations.

Involve the Design Team

Ensure that all members of the design team have the opportunity to review the proof of concept and are confident that it meets the design objectives.

Conducting Pilot Testing

You can conduct a pilot test to try out a design with a controlled number of users. This enables you to capture refinements that have not been identified during the design phase, and to highlight any issues that have not previously been seen during the proof of concept phase. In some circumstances, you can use pilot testing to check system performance and resilience under real-user conditions. Carrying out a pilot test involves several tasks, starting with selecting the appropriate users.

Selecting the appropriate users: Typically, it is good practice to select users who have volunteered to participate in the pilot, instead of imposing the test on them. Volunteer users are more likely to be fully involved in the pilot, and to take the time to test the configurations.

Providing pre-pilot training: In any pilot, it is essential to provide adequate user training before deploying the system, and to set expectations about what is required from the users during the test phase. For example, you need to tell users who to contact if they encounter problems and how to provide feedback.

Deploying the pilot: When deploying the pilot, it is good practice to involve any implementation team that is required to implement the final systems. The team can then identify issues in advance and plan how to solve them.

Reviewing and refining: After conducting the pilot, perform a review of the process to ascertain whether the systems met the design requirements. This helps you identify any improvements you need to consider for inclusion in the final design.

For more information about how to stage, test, and deploy your configuration management deployments, see "Staging Group Policy Deployments" in this book.

Preparing Users for Deployment

Desktop management changes the way many users interact with their computers. It might also change how they access their data, where their settings are stored, how they install software, and which software they can access. As you begin to implement new desktop management standards, it is important to develop a plan to educate and support your users. If you create standard desktops, you need to let users know well in advance what changes are planned and how you plan to implement those changes. In addition, you need to train users, as well as IT and support staff, to use the new features. Resources that users can refer to for information when questions arise, such as a corporate Web site or newsletter, can help to ease the transition.

You also need to think about how users might perceive your new management processes. For example, a common phrase many IT professionals use to describe a highly managed desktop is "locked down." Although system administrators and IT professionals understand this phrase, many users might not like the idea of the IT department locking down their desktops. As you train your users, emphasize how a managed environment provides value. For example, users are likely to appreciate the convenience of automatic software installation and repair.

You also need to determine how you will provide user support during the transition. As you begin to implement new features, determine what percentage of your staff will support upgraded users and the escalation procedures the support staff will use. Make sure to document the problems that users encounter as you implement different parts of your plan. That information helps you support the next set of users.

Staging and Deploying Your Design to the Production Environment

The importance of staging your deployments of Group Policy cannot be overemphasized. After you have performed incremental policy changes in the test environment and verified your changes, you can begin to migrate the Group Policy objects you created to your production domain by using the migrate functionality and the migration tables included in GPMC.

As you begin to implement desktop management services in your organization, look for the desktop management technology that provides the greatest benefit to your organization. Implement that service before you begin to implement others. This gives you the opportunity to test one set of technologies relative to the technologies already in place before you implement another set. For example, you might decide that protecting and backing up user data would provide the greatest benefit to your organization. You might then choose to implement Folder Redirection in your company so that all user data is centrally stored on a server, facilitating backup. After you deploy Folder Redirection to your users, you can reevaluate whether additional IntelliMirror technologies such as Roaming User Profiles or Software Installation and Maintenance are appropriate to implement next. By following the processes described in "Staging Group Policy Deployments" in this book, you can ensure that you provide a predictable, consistent configuration management solution.

Additional Resources

These resources contain additional information and tools related to this chapter.

Related Information
- "Deploying a Simple Managed Environment" in this book, for an example of how IntelliMirror technologies are used to create a simple managed environment for your users.
- "Designing the Active Directory Logical Structure" in Designing and Deploying Directory and Security Services of this kit.
- The Distributed Services Guide of the Windows Server 2003 Resource Kit (or see the Distributed Services Guide on the Web at http://www.microsoft.com/reskit) for more information about Group Policy.

- "Designing RIS Installations" in Automating and Customizing Installations of this kit.
- "Designing a Group Policy Infrastructure" in this book.
- "Staging Group Policy Deployments" in this book.
- "Deploying Security Policy" in this book.
- "Deploying Software Update Services" in this book.
- "Migrating User State" in this book.
- "Implementing User State Management" in this book.
- "Deploying a Managed Software Environment" in this book.
- "Deploying a Simple Managed Environment" in this book.

Related Job Aids
- Worksheet A.1, Identifying Primary Client Support Tasks (DMEUSE_1.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.2, Assessing User Data Management Tasks (DMEUSE_2.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.3, Assessing User Settings Management Tasks (DMEUSE_3.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.4, Assessing Your Current Desktop Environment (DMEUSE_4.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.5, Evaluating Software Standards (DMEUSE_5.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.6, Analyzing Your Users by Job Function (DMEUSE_6.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.7, Classifying Your Users (DMEUSE_7.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.8, Managing Different Types of Users (DMEUSE_8.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.9, Evaluating Your Security Requirements (DMEUSE_9.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.

- Worksheet A.10, Considering Common Configurations (DMEUSE_10.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.11, Training Needs for Various Workers (DMEUSE_11.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.12, Updating Network Documentation (DMEUSE_12.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.13, Documenting Servers (Example) (DMEUSE_13.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.14, Documenting Client Computers (DMEUSE_14.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.15, Documenting Clients (Example) (DMEUSE_15.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.16, Evaluating Network Infrastructure (DMEUSE_16.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.17, Documenting Network Infrastructure (DMEUSE_17.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.18, Evaluating Network Traffic Patterns (DMEUSE_18.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
- Worksheet A.19, Monitoring Network Performance with System Monitor (DMEUSE_19.doc), on the Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.