
Page 1: IT ACADEMY LESSON PLAN 2008 - GC Mandi Bahauddin Server 2008 Active... · Working with functional levels in Active Directory Lesson Introduction ... commonly referred to as Active

2008 IT ACADEMY LESSON PLAN

Microsoft Windows Server

Active Directory


Microsoft Windows Server 2008 Active Directory—Lesson Plans

Microsoft Windows Server 2008 Active Directory: Lesson Plans

Introduction

Preparing to teach a course on Microsoft Windows Server 2008 Active Directory Configuration, based on Exam 70-640: TS: Active Directory Configuration, for the first time can be a challenge requiring careful planning and organization. The Microsoft IT Academy provides these lesson plans to help you save time, skillfully manage the teaching environment, and successfully communicate the intended lesson. The lesson plans are flexible and have been created in a concise format of small teachable units to allow you to use them with any textbook. To support a textbook-independent teaching style, each lesson plan contains suggested demonstrations and explanations.

These lesson plans have been developed to be independent of a predefined lesson schedule. Whether the course is taught in a one-semester or one-quarter term format, we suggest the following class format: a 60-minute lesson lecture followed by a 120-minute lab (hands-on performance) session. This model is recommended in order to increase student performance and enhance the knowledge and skills gained through active participation in the course.

Each lesson plan includes:

Learning Goals for each lesson.

Learning Objectives that may be observed throughout the lesson.

Lecture Outline that details what to present in each class.

Quick Quiz of multiple choice and true/false type questions.

Lesson Exercises and Lesson Projects are provided at the end of each Lesson Plan to directly connect the student with the materials that have just been covered in class. The projects can be used independent of a textbook or as an assessment to determine skill mastery. To simplify the scoring process, an annotated answer key for each exercise and project is included to adequately determine whether the learning objective was accomplished through the process of lecture and activity.

Microsoft Video Resources at the end of each unit provide links to video resources available for classroom use at no charge through your IT Academy membership. They can be used in class or by students as self-paced instruction or as lesson reinforcement outside of class.


Lesson 1: An Introduction to Active Directory Domain Services

Learning Goals: The goal of this lesson is to introduce students to the Windows Server 2008 Active Directory Domain Services (AD DS) and to point out the benefits of AD DS. The student will learn about the features of AD DS.

Learning Objectives: Upon completion of this lesson, students will be able to understand:

Active Directory domain service

Active Directory security

Components of Active Directory

Active Directory naming standards

Working with functional levels in Active Directory

Lesson Introduction: Explain that Microsoft Windows Server 2008 includes Active Directory Services that assist the administrator in managing and securing the network. Students will learn what Active Directory is, the components of AD, and its functional levels.

What is Active Directory Domain Services?

Instructors should do the following:

Explain that directory services allow network administrators to define, manage, access, and secure network resources.

Point out that the two components of Windows Server 2008 that provide directory services are Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

Explain that AD DS provides full directory services and is commonly referred to as Active Directory.

Explain that AD LDS is a flexible platform that offers Active Directory functionality without the full overhead.

Point out that any computer configured with the Active Directory Domain Services role is considered to be a domain controller.

Explain that the ability of Active Directory to keep all network domain controllers apprised of changes to the system is called replication.

Point out that the process of a domain controller transmitting replication information to another domain controller is called outbound replication.


Point out that the process of a domain controller receiving updates from Active Directory via another domain controller is called inbound replication.

Explain that Active Directory is used to simplify the security management of network resources and to extend interoperability with applications and devices.

What is Active Directory Security?

Instructors should do the following:

Point out that interoperability with prior versions of Microsoft Windows Active Directory Service is available in Windows Server 2008 through domain functional levels.

Explain that Windows Server 2008 no longer supports the use of Windows NT domain controllers.

Explain that Windows Server 2008 provides single sign-on access to any server on the domain.

Explain that Active Directory offers a redundant solution and creates a fault tolerant system in the event of server failure or network connectivity failure.

Point out that the Active Directory database file (ntds.dit) is the common database file that is replicated to other domain controllers when changes occur.

Explain that Windows Server 2008 includes a Read-Only Domain Controller (RODC) option, which maintains a copy of the ntds.dit file that cannot be modified; this increases security for branch-office deployments.

Explain that Publishing is a way to make an object available to the network as a resource listed in the Active Directory.

What Are the Components of Active Directory?

Instructors should do the following:

Explain that components in Active Directory provide flexibility through design, scalability, administration, and security.

Point out that objects in Active Directory are categorized as container objects or leaf objects.

Explain that a container object is an object that houses other objects.

Explain that a leaf object cannot contain other objects and typically refers to a printer, folder, user, or group.

Point out that the largest container object in Active Directory is called a forest.

Explain that a forest enables a user to access resources across an entire Active Directory forest using a single logon.


Point out that for efficiency, partitions are used to divide information into naming contexts (NC).

Explain that the two NCs that are replicated forest-wide and stored in the ntds.dit file are the Schema NC and Configuration NC.

Point out that the Schema NC contains rules and definitions for creating and modifying object classes within Active Directory.

Point out that the Configuration NC contains information regarding the physical topology of the network.

Explain that each domain controller stores a copy of the Domain NC that consists of user, computer, and other information for a particular Active Directory domain.

Explain that within a forest, Active Directory further divides to create administrative boundaries.

Point out that a domain tree is a logical grouping of network resources and devices that contain one or more domains.

Explain that the Active Directory global catalog is not considered a formal partition but should be replicated throughout the forest.

Point out that the Active Directory can contain one or more organizational units (OUs) that can further subdivide users and resources.

Explain that an OU is a container that represents a logical grouping of resources that have similar security guidelines.

Point out that OUs are nested in hierarchical fashion, allowing a parent OU to contain one or more child OUs.

Explain that the administration of an OU can be delegated to a department supervisor or manager to allow that person to manage daily resource access tasks.

Explain that the Application Partition allows administrators to fine-tune administration by designating where information will be replicated to in the domain or forest.

Explain that each resource in Active Directory is represented as an object and each object has a set of attributes.

Explain that objects in Active Directory are defined in the Active Directory schema.

Point out that a schema is a master database containing definitions of all objects in the Active Directory.

Explain that a schema is created from two components: the object and its attributes.

Explain that common attributes for all objects include a unique name, a globally unique identifier (GUID), required object attributes, and optional object attributes.


Point out that a site in Active Directory is defined as one or more IP subnets that are connected.

Explain that replication within a site takes place at regularly scheduled intervals that are defined by the administrator.

Explain that the Knowledge Consistency Checker (KCC) au-

What Are the Active Directory Naming Standards?

Instructors should do the following:

Explain that the Lightweight Directory Access Protocol (LDAP) has become an industry standard, since it enables data exchange between directory services and applications.

Point out that LDAP defines the naming of all objects in the Active Directory database.

Explain that a Distinguished Name (DN) defines an object in the Active Directory structure through its hierarchical path.

Point out that the LDAP Naming Attributes include the Common Name, Organizational Unit Name, and Domain Components.

Explain that the Domain Name System (DNS) is Active Directory’s default name resolution method.

Point out that the configuration of DNS is critical for proper functioning of Active Directory.

Explain that DNS is a distributed name resolution service that provides name resolution for Active Directory domain and computer host name–to–IP address mappings on the network.

Point out that computers are assigned an IP address and a DNS host name at installation.

Explain that Active Directory relies on DNS to be a locator service for clients on the network.

Explain that SRV records are the locator records within DNS that allow the client to locate an Active Directory domain controller.

Explain that without SRV records, clients will be unable to authenticate against Active Directory.
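The DN naming the outline describes, worked through in code as an added example (not from the lesson plan or from Microsoft): a Python parser that splits a DN into its naming attributes (CN, OU, DC), honours the RFC 4514 backslash escaping that a comma inside a value needs, derives the object's DNS domain from its DC components, and lists the hierarchical path from the domain root down to the object. The DNs it parses are constructed samples.

```python
"""Parse an LDAP Distinguished Name into its hierarchical path (added example).

Splits a DN into RDNs, honours RFC 4514 backslash escaping, derives the DNS
domain from the DC components and rebuilds each level of the hierarchy.
The DNs used below are constructed samples, not values from a real directory.
"""
from typing import List, Tuple

RDN = Tuple[str, str]       # (naming attribute, value), e.g. ("OU", "Sales")
_SPECIAL = ',+"\\<>;'       # characters that must be backslash-escaped in a value


def _text(tokens: List[Tuple[str, bool]]) -> str:
    """Join (char, was_escaped) tokens, trimming only unescaped edge spaces."""
    while tokens and tokens[0] == (" ", False):
        tokens = tokens[1:]
    while tokens and tokens[-1] == (" ", False):
        tokens = tokens[:-1]
    return "".join(c for c, _ in tokens)


def _rdn(attr, tokens, dn) -> RDN:
    value = _text(tokens)
    if not attr or not value:
        raise ValueError(f"malformed RDN in {dn!r}")
    return (attr, value)


def parse_dn(dn: str) -> List[RDN]:
    """Return the RDNs of `dn`, most specific first (CN ... OU ... DC).

    A bare comma separates RDNs; a backslash escapes the next character, so
    the CN value of "CN=Doe\\, Jane,OU=Sales,DC=corp" is "Doe, Jane".
    Attribute types are upper-cased; a missing type or empty value is an error.
    """
    rdns: List[RDN] = []
    tokens: List[Tuple[str, bool]] = []
    attr = None                               # None while reading the attribute type
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError(f"dangling escape at end of {dn!r}")
            tokens.append((dn[i + 1], True))  # escaped char is literal, never a separator
            i += 2
            continue
        if ch == "=" and attr is None:
            attr, tokens = _text(tokens).upper(), []
        elif ch == ",":
            rdns.append(_rdn(attr, tokens, dn))
            attr, tokens = None, []
        else:
            tokens.append((ch, False))
        i += 1
    rdns.append(_rdn(attr, tokens, dn))
    return rdns


def is_valid_dn(dn: str) -> bool:
    """True if `dn` parses; lets a caller reject malformed input before an LDAP call."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def escape_value(value: str) -> str:
    """Escape a value so it can be placed back into a DN string unchanged."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if value[:1] in (" ", "#"):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def to_dn(rdns: List[RDN]) -> str:
    return ",".join(f"{a}={escape_value(v)}" for a, v in rdns)


def dns_domain(rdns: List[RDN]) -> str:
    """Join the DC components, in order, into the object's DNS domain name."""
    labels = [v for a, v in rdns if a == "DC"]
    if not labels:
        raise ValueError("DN has no DC components, so it names no AD domain")
    return ".".join(labels)


def hierarchy(rdns: List[RDN]) -> List[str]:
    """The containers from the domain root down to the object, one DN per level."""
    return [to_dn(rdns[k:]) for k in range(len(rdns) - 1, -1, -1)]


if __name__ == "__main__":
    sample = "CN=Doe\\, Jane,OU=Sales,OU=Staff,DC=corp,DC=example,DC=com"  # constructed
    rdns = parse_dn(sample)
    print("domain:", dns_domain(rdns))
    for level in hierarchy(rdns):
        print("  ", level)
```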


Working with Functional Levels in Active Directory

Instructors should do the following:

Point out that functional levels may be changed in Active Directory for a single domain within a multi-domain environment, allowing for rolling upgrades.

Explain that changing functional levels is an irreversible action that can be undone only through a systemwide restore.

Explain that the following are functional levels available in Windows Server 2008: Windows 2000 Native, Windows Server 2003, and Windows Server 2008.

Point out that the following functionality is available for the Windows 2000 Native level: Install from Media, Application partitions, Drag-and-drop user interface, Global Group nesting and Universal Security groups, and SIDHistory.

Point out that with the Windows Server 2003 functional level, the Windows 2000 Native level functions are available as well as the following additional functions: lastLogonTimestamp attributes, Passwords and inetOrgPerson objects, and Domain rename.

Point out that the Windows 2000 functional level is the default forest functional level for Windows Server 2008 and includes the following features: Install from Media, Universal group caching, and Application Directory Partitions.

Point out that the Windows Server 2003 functional level includes all Windows Server 2000 features as well as the following: Improved replication of group objects, Dynamic auxiliary class objects, User objects can be converted to inetOrgPerson objects, Schema deactivations, Domain rename, Cross-forest trusts permitted, and Improved Intersite Topology Generator (ISTG).

Discuss the guidelines that are important for raising a forest level in Windows Server 2008.

Explain that trust relationships are used in Windows Server 2008 to allow access to multiple domains across enterprise networks.

Point out that in a trust relationship, administrators from one domain grant access to resources for administrators from another domain.

Explain that a shortcut trust or direct path between two domains may be created to expedite the process of creating a trust relationship.

Explain that although an external trust can be created, allowing users in the trusting domain to have access to a trusted domain, it is a one-way trust. Users in the trusted domain may not access the trusting domain.


Explain that a cross-forest trust can be created, allowing users in domains running at least Windows Server 2003 functional levels to establish either one-way or two-way relationships.

Lesson Quiz

True/False

1. Active Directory utilizes a single-master database, with all updates and changes made on the primary domain controller.

2. A domain is the largest container object in Active Directory.

3. By default, security settings applied to an organizational unit will be inherited by all child organizational units.

4. Active Directory uses SRV records in DNS to locate domain controllers and global catalog servers.

5. Each domain within a single Active Directory forest will have its own individual Schema.

Multiple Choice

1. Which of the following are valid container objects in Active Directory? Choose three.

a) Organizational units

b) Forests

c) Domains

d) Security groups

2. The Schema database contains what two types of information?

a) Object attributes

b) User names

c) Object classes

d) Active Directory containers

3. Active Directory uses what protocol for the basis of its naming format?

a) NetBios

b) DNS

c) Answer Choice

d) LDAP


4. What is the default forest functional level in Windows Server 2008 Active Directory?

a) Windows Server 2003

b) Windows Server 2000

c) Windows Server 2000 Mixed

d) Windows Server 2008

5. What type of trust can be created to improve performance between two Active Directory domains within the same forest that may be separated by a slow WAN link?

a) External trust

b) Two-way transitive trust

c) Shortcut trust

d) Direct domain trust

Quiz Answers

True/False

1. False. Active Directory utilizes a multi-master database.

2. False. A forest is the largest container object in Active Directory.

3. True.

4. True.

5. False. The Schema is defined at the forest level for all domains in a forest.

Multiple Choice

1. A, B, C

2. A, C

3. D

4. B

5. C

Class Projects

Lesson 1—Exercise 1

List and explain the three partitions or naming contexts that are present on each domain controller. Explain how each is replicated.

Explain what an application partition is used for.

List eight types of objects that can be contained in an organizational unit.


Lesson 1—Project 1

List and explain the three domain functional levels supported in Windows Server 2008 Active Directory. What features are supported with each functional level? Give an example of when each functional level would be appropriate.

What are the three forest functional levels supported in Windows Server 2008 Active Directory? How do forest functional levels differ from domain functional levels?

Microsoft Video Resources

Windows Server 2008 R2 Quick Look—Active Directory Administrative Center

This video provides a quick look at Active Directory Administrative Center, the new administrative tool in Windows Server 2008 R2.

Length: 6:25

Windows Server 2008 R2 Quick Look—System Health Report

A quick look at System Health Report, a tool in Windows Server 2008 R2 that helps you analyze your servers and provides you with prescriptive system diagnosis.

Length: 4:36


Lesson 2: Implementation of Active Directory

Learning Goals: The goal of this lesson is to guide students through the implementation of Windows Server 2008 Active Directory Domain Services (AD DS). Point out that students will use the components of AD DS that were discussed previously.

Learning Objectives: Upon completion of this lesson, students will be able to understand:

Active Directory requirements

Installing Active Directory

Raising functional levels

Additional Active Directory installation tasks

Lesson Introduction: Explain that Microsoft Windows Server 2008 implementation requires students to understand the system prerequisites that must be in place. Students will learn how to create a new Active Directory forest, domain tree, and domain.

Understanding Active Directory Requirements

Instructors should do the following:

Explain the importance of being familiar with the Windows Server 2008 Central Administrative Interface.

Demonstrate and describe the Central Administrative Interface to students.

Point out that Active Directory is installed by configuring one or more domain controllers.

Explain that the Active Directory Installation Wizard (dcpromo) is used to guide the installation scenarios of:

Adding a domain controller to an existing environment.

Creating an entirely new forest structure.

Adding a child domain to an existing domain.

Adding a new domain tree to an existing forest.

Demoting domain controllers and eventually removing a domain or forest.


Point out that Active Directory may be installed on a full installation of Windows Server 2008 or on Server Core, a new installation option in Windows Server 2008.

Explain the following requirements for installing Active Directory:

The user must have an administrator account and password on the local machine.

An NT File System (NTFS) partition for the SYSVOL folder structure must be set up.

The NTFS partition must contain a minimum of 200 MB of free space.

A minimum of 50 MB of file space is necessary to store the transaction log files.

TCP/IP (Transmission Control Protocol/Internet Protocol) must be installed and configured.

An Authoritative DNS Server for the DNS domain must be established.

The user must know the potential size of the Active Directory database.

Explain that it is advisable to gather all data needed for the Active Directory installation prior to beginning. The following are needed:

Local administrator password

Domain controller type

Domain name

Location for the AD database and log files

Location for the SYSVOL folder structure

Where DNS will be installed

Directory Services Restore Mode (DSRM) password

Installation CD or network location of the installation files

Installation of the most up-to-date service packs and

Installing Active Directory

Instructors should do the following:

Point out that the forest root domain is the first Active Directory Domain.

Explain that child and additional domain trees may be added to the forest root domain.

Explain that the dcpromo.exe command will launch the AD Installation Wizard.

Point out that the first domain controller installed will house the Flexible Single Master Operations (FSMO) roles, which are server roles that work together to ensure multimaster functionality.


Demonstrate how to install a new Active Directory forest using the Server Manager.

Point out that when installation is complete, the computer must be rebooted to configure the new domain controller.

Explain the significance of verifying the correct installation and configuration of DNS.

Explain that the administrator must verify that the following DNS items were created during installation:

Application directory partition

Aging and scavenging for zones

Forward lookup zones and SRV records

Reverse lookup zones

Explain that it is important to know that:

DNS Application directory partitions were created.

It is necessary to be a member of the Enterprise Admins group to create or modify an application directory partition.

An application directory partition can be created manually if it was not created through the installation wizard.

Point out that aging and scavenging are processes for cleaning up the DNS database after DNS records become out of date.

Demonstrate how to configure aging and scavenging through the DNS Tool found in the Administrative Tools Folder.

Explain that the administrator must verify that appropriate DNS records were created during the installation wizard.

Point out that Forward Lookup Zones are used for name resolution in computer host name–to–IP address mappings.

Demonstrate how to verify the creation of a Forward Lookup Zone through the Administrative Tools Folder.

Point out that each SRV record created in Active Directory contains the following:

Protocol

Domain name

Time-to-live

Priority

Weight

Port

Demonstrate how to verify zone and record creation using the Administrative Tools Folder.

Explain that Dynamic Updates must be selected in order for domain controllers to register their records with DNS.


Demonstrate how to verify that dynamic updates are selected through Active Directory Properties.

Explain that Reverse Lookup Zones answer queries in which a client provides an IP address and DNS resolves the IP address to a host name.

Demonstrate how to create a reverse lookup zone through the Administrative Tools Folder.
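SRV locator records, as an added example that is not part of the lesson plan (it also covers the SRV points in Lesson 1): Python that parses zone-file style SRV lines carrying the fields listed above (service and protocol from the owner name, domain name, time-to-live, priority, weight, port) plus the target host, keeps the _ldap._tcp.dc._msdcs.<domain> records a client uses to find a domain controller, and orders them as RFC 2782 prescribes (lowest priority first, weighted random among equals). The zone text is constructed sample data, not a real zone; an empty result is the "no SRV records, no authentication" case the outline warns about.

```python
"""Parse DNS SRV locator records and rank domain controllers (added example).

Reads zone-file style SRV lines, extracts the service and protocol from the
owner name, keeps the _ldap._tcp.dc._msdcs.<domain> records a client uses to
find a domain controller, and orders them as RFC 2782 prescribes: lowest
priority first, weighted random among records of equal priority. The zone
text below is a constructed sample, not data from a real zone.
"""
import random
import re
from dataclasses import dataclass
from typing import List, Optional

_SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+(?:IN\s+)?SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

SAMPLE_ZONE = """
; constructed sample of the locator records a DC registers through dynamic update
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 0  100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 0  100 389 dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 10 0   389 dc-branch.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0  100 88  dc1.corp.example.com.
_ldap._tcp.corp.example.com.               600 IN SRV 0  100 389 dc1.corp.example.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    service: str    # e.g. "_ldap"
    protocol: str   # e.g. "_tcp"
    domain: str     # name under the _service._proto labels, e.g. "dc._msdcs.corp.example.com"
    ttl: int
    priority: int   # lower is preferred
    weight: int     # share of the load among records of equal priority
    port: int
    target: str     # host offering the service


def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file SRV record; raise ValueError if it is malformed."""
    m = _SRV_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    labels = m["owner"].rstrip(".").lower().split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError(f"owner name lacks a _service._proto prefix: {m['owner']!r}")
    port = int(m["port"])
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return SrvRecord(labels[0], labels[1], ".".join(labels[2:]), int(m["ttl"]),
                     int(m["priority"]), int(m["weight"]), port,
                     m["target"].rstrip(".").lower())


def order_targets(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """RFC 2782 client ordering: by priority, then weighted random within a priority."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        # weight-0 records go first so they are chosen only when the draw is 0
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            draw = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= draw:
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered


def locate_dcs(zone_text: str, domain: str,
               rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Return the DC candidates for `domain`, in the order a client should try them.

    An empty list means no _ldap._tcp.dc._msdcs record exists for the domain,
    the condition under which clients cannot find a DC to authenticate against.
    """
    wanted = "dc._msdcs." + domain.lower().rstrip(".")
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        rec = parse_srv(line)
        if rec.service == "_ldap" and rec.protocol == "_tcp" and rec.domain == wanted:
            records.append(rec)
    return order_targets(records, rng or random.Random())


if __name__ == "__main__":
    for rec in locate_dcs(SAMPLE_ZONE, "corp.example.com"):
        print(f"priority {rec.priority:>2} weight {rec.weight:>3} -> {rec.target}:{rec.port}")
```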

Raising Functional Levels

Instructors should do the following:

Explain that the purpose of raising functional levels in Active Directory is to enable administrators to take advantage of more advanced features.

Explain that domain and forest functional levels provide backward compatibility with previous versions of Windows Server.

Point out that the key requirements for raising functional levels include knowing:

This is a one-way operation.

Each domain is handled independently.

The forest functional level cannot be raised until all domains in the forest are raised to a minimum of the domain functional level.

The administrator must be logged in as a member of the Domain Admins group to raise a domain.

The administrator must be logged in as a member of the Enterprise Admins group to raise the forest.

Demonstrate how to raise the domain functional level using tools in the Administrative Tools Folder.

Demonstrate how to raise the forest functional level using tools in the Administrative Tools Folder.

Explain that to provide fault tolerance, a second domain controller should be added to each domain.

Demonstrate how to add a second domain controller to the forest root domain using administrative credentials on the existing Active Directory domain.
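The raising rules above, together with the per-level feature lists from Lesson 1, as an added example (not code from the lesson plan or from Microsoft): a small Python model that refuses a raise that would lower a level, refuses a forest raise while any domain is still below the target, reports which domains block it, and plans the order of raises. The domain names are constructed.

```python
"""Validate functional-level raises against the rules in the lesson (added example).

Levels are ordered, a raise is one-way, each domain is raised on its own, and
the forest can be raised only once every domain is at least at the target
level. The feature lists are the ones the lesson gives per domain level; the
domain names used at the bottom are constructed.
"""
from typing import Dict, List, Tuple

LEVELS = ("Windows 2000 Native", "Windows Server 2003", "Windows Server 2008")

# Features the lesson attributes to each domain functional level (cumulative).
DOMAIN_FEATURES: Dict[str, List[str]] = {
    "Windows 2000 Native": ["Install from Media", "Application partitions",
                            "Drag-and-drop user interface",
                            "Global Group nesting and Universal Security groups",
                            "SIDHistory"],
    "Windows Server 2003": ["lastLogonTimestamp attribute",
                            "Passwords and inetOrgPerson objects", "Domain rename"],
    "Windows Server 2008": [],   # the lesson lists no further features for this level
}


def _rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown functional level: {level!r}")
    return LEVELS.index(level)


def is_allowed_transition(current: str, target: str) -> bool:
    """A level may stay or go up, never down: raising is a one-way operation."""
    return _rank(target) >= _rank(current)


class Forest:
    """Functional-level state of one forest and the domains in it."""

    def __init__(self, forest_level: str, domain_levels: Dict[str, str]):
        _rank(forest_level)
        for level in domain_levels.values():
            _rank(level)
        self.forest_level = forest_level
        self.domain_levels = dict(domain_levels)

    def raise_domain(self, domain: str, target: str) -> List[str]:
        """Raise one domain independently of the others; returns the features gained."""
        current = self.domain_levels[domain]
        if not is_allowed_transition(current, target):
            raise ValueError(f"{domain}: {current} -> {target} would lower the level; "
                             "only a system-wide restore reverts a raise")
        gained = [f for level in LEVELS[_rank(current) + 1:_rank(target) + 1]
                  for f in DOMAIN_FEATURES[level]]
        self.domain_levels[domain] = target
        return gained

    def forest_raise_blockers(self, target: str) -> List[str]:
        """Domains still below `target`; the forest cannot be raised while any remain."""
        return sorted(d for d, lvl in self.domain_levels.items()
                      if _rank(lvl) < _rank(target))

    def raise_forest(self, target: str) -> None:
        if not is_allowed_transition(self.forest_level, target):
            raise ValueError(f"forest: {self.forest_level} -> {target} would lower the level")
        blockers = self.forest_raise_blockers(target)
        if blockers:
            raise ValueError(f"forest cannot be raised to {target}; domains still below it: "
                             + ", ".join(blockers))
        self.forest_level = target

    def plan_forest_raise(self, target: str) -> List[Tuple[str, str]]:
        """Ordered steps to reach `target`: each lagging domain first, then the forest."""
        steps = [("domain:" + d, target) for d in self.forest_raise_blockers(target)]
        steps.append(("forest", target))
        return steps


if __name__ == "__main__":
    forest = Forest("Windows 2000 Native", {              # constructed domain names
        "corp.example.com": "Windows Server 2003",
        "branch.corp.example.com": "Windows 2000 Native",
    })
    for step, level in forest.plan_forest_raise("Windows Server 2003"):
        print(step, "->", level)
```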


Additional Active Directory Installation Tasks

Instructors should do the following:

Explain that the Windows Server 2008 Server Core is an environment for running only specific services and roles.

Point out that Server Core runs without the use of a graphical user interface (GUI).

Demonstrate how to install Active Directory on Server Core using administrative credentials on the existing Active Directory domain.

Explain that removing Active Directory from an Active Directory domain is done for troubleshooting purposes or to decommission older hardware.

Demonstrate how to remove Active Directory using the administrative credentials on the existing Active Directory domain.

Explain that a read-only domain controller (RODC) is a high-security domain controller suitable for deployment in a branch office.

Demonstrate how to configure a read-only domain controller using administrative credentials on the domain where the RODC is to be added.

Point out that it is possible to run a staged installation of an RODC at a central location and then permit the administrator to complete the installation.

Demonstrate how to set up a staged installation of an RODC using the tools available in the Administrative Tools Folder.

Demonstrate how to complete a staged installation of an RODC as the remote administrator.

Explain that if a writable domain controller is ever compromised, it is necessary to decommission an RODC to minimize damage.

Demonstrate how to decommission an RODC using the options available in Active Directory.

Point out that it may be necessary to modify the Active Directory Schema to support in-house applications.

Discuss how students should plan for changes to the Active Directory Schema by understanding that:

Schema extensions are replicated to all domain controllers.

Default system classes cannot be modified.

Classes and attributes added to the Schema cannot be removed.

Triggers will replicate the modification throughout the forest.


Latency should be anticipated before all domain controllers contain consistent Schema information.

Explain that the Active Directory Schema may be extended for commercial applications manually using a snap-in.

Demonstrate how to install the Schema management snap-in by logging in as a member of the Schema Admins group.

Explain that Active Directory Lightweight Directory Services (AD LDS) allows directory-enabled applications to store data in the Active Directory Schema.

Demonstrate how to configure AD LDS by logging in as a member of the local Administrators group.

Point out that trust relationships are necessary to enable resource accessibility between domains and forests.

Discuss the four types of trusts that can be established:

Shortcut trusts

Cross-forest trusts

External trusts

Realm trusts

Demonstrate how to create a trust relationship by logging in as a member of the Domain Admins group on the local domain.

Demonstrate how to verify a trust relationship using Active Directory by logging in as a member of the Domain Admins group.

Demonstrate how to verify a trust relationship using NETDOM by logging in as a member of the Domain Admins group.

Demonstrate how to revoke a trust relationship using Active Directory Domains and Trusts by logging in as a member of the Domain Admins group.

Demonstrate how to revoke a trust relationship using NETDOM by logging in as a member of the Domain Admins group.

Explain that a User Principal Name (UPN) is stored in the global catalog and is available forest-wide.

Demonstrate how to change the default suffix for user principal names by logging in as a member of the Enterprise Admins group.


Lesson Quiz

True/False

1. The Active Directory Installation Wizard can be launched by issuing the dcpromo.exe command.

2. After installing Active Directory and DNS, one of the post-installation tasks requires creating the DNS Application Directory Partition.

3. When installing Microsoft DNS, Forward Lookup and Reverse Lookup Zones are configured by default.

4. The Server Core version of Windows Server 2008 does not utilize a GUI interface and must be administered through the Command Line.

5. Active Directory Lightweight Directory Services is designed for small branch offices that don’t need the entire suite of Active Directory Services.

Multiple Choice

1. To configure DNS to automatically clean up old DNS records, you should configure:

a) Stale Resource Record Cleanup

b) Forward Lookup Zone Cleanup

c) Aging/Scavenging

d) DNS Record age limits

2. Which of the following are valid zone types that can be selected when configuring Microsoft DNS? Choose three.

a) Stub Zone

b) Active Directory Zone

c) Secondary Zone

d) Primary Zone

3. Which level of Active Directory credential is required to raise the forest functional level?

a) Domain Administrator

b) Forest Administrator

c) Enterprise Administrator

d) Any of the above

4. Which two of the choices below are unique to a Windows Server 2008 Read Only Domain Controller?

a) Outbound only replication

b) Locally stored password replication policy

c) Inbound replication only

d) Must contain all FSMO roles


5. Which of the following are types of manual trusts that can be created in a Windows Server 2008 environment? Choose all that apply.

a) Realm trust
b) Shortcut trust
c) Cross-forest trust
d) External trust

Quiz Answers

True/False

1. True.

2. False. The DNS Application Directory Partition is created automatically during the AD and DNS installation process.

3. False. Only Forward Lookup zones are configured by default.

4. True.

5. False. The AD LDS role is used primarily by developers.

Multiple Choice

1. C
2. A, C, D
3. C
4. B, C
5. A, B, C, D

Class Projects

Lesson 2—Exercise 1

Explain the items that should be verified in DNS to ensure that the Active Directory installation process has correctly configured the DNS Services.

Explain what a DNS SRV record is used for. List and explain the six pieces of information stored with most SRV records.
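The SRV records the exercise asks about, worked through in code. This is an added example and not part of the lesson plan: it parses constructed DC locator records for the sample domain example.com (the DC names dc1, dc2 and dc-dr are assumed), checks that each known domain controller has registered one, and selects a target the way an RFC 2782 client does, lowest priority first and weighted within that group.

```python
"""Parse DC locator SRV records and select a target the way an RFC 2782
client does.

Added illustration, not material from the lesson plan. The answer section
below is constructed in zone-file syntax, like what
`nslookup -type=SRV _ldap._tcp.dc._msdcs.example.com` returns; the domain
example.com and the DC host names are sample values.
"""
import random
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed sample: name, TTL, class, type, priority, weight, port, target.
SAMPLE_ANSWER = """\
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 100 389 dc-dr.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str      # service and protocol, e.g. _ldap._tcp.dc._msdcs.<domain>
    ttl: int
    priority: int  # lower is preferred
    weight: int    # relative share within one priority level
    port: int
    target: str    # host offering the service


def parse_srv(zone_text: str) -> List[SrvRecord]:
    """Parse zone-file style SRV lines; any other line is ignored."""
    records = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[2] != "IN" or parts[3] != "SRV":
            continue
        name, ttl, _cls, _type, prio, weight, port, target = parts
        records.append(SrvRecord(name.rstrip("."), int(ttl), int(prio),
                                 int(weight), int(port), target.rstrip(".")))
    return records


def missing_dc_records(records: Sequence[SrvRecord], dc_names: Sequence[str],
                       service: str = "_ldap._tcp.dc._msdcs.example.com") -> List[str]:
    """Post-installation check: every DC should have registered the service
    record. A DC absent here is never chosen by clients, and a host present
    here that is not a DC is worth investigating."""
    present = {r.target for r in records if r.name == service}
    return [dc for dc in dc_names if dc not in present]


def eligible_targets(records: Sequence[SrvRecord]) -> List[str]:
    """Targets in the lowest priority group: the DCs clients use while any of
    them answers. Higher priority values are fallbacks only."""
    if not records:
        return []
    lowest = min(r.priority for r in records)
    return [r.target for r in records if r.priority == lowest]


def choose_target(records: Sequence[SrvRecord],
                  rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """RFC 2782 selection: only the lowest priority group is eligible, and
    within it a target is picked at random in proportion to its weight.
    Weight 0 entries are chosen only when every weight in the group is 0."""
    if not records:
        return None
    rng = rng or random.Random()
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:
        return rng.choice(group)
    pick = rng.randint(1, total)
    running = 0
    for record in group:
        running += record.weight
        if pick <= running:
            return record
    return group[-1]  # not reachable; keeps the return type total


if __name__ == "__main__":
    ldap = [r for r in parse_srv(SAMPLE_ANSWER) if r.port == 389]
    print("eligible:", eligible_targets(ldap))
    print("chosen:", choose_target(ldap, random.Random(1)).target)
    print("missing:", missing_dc_records(ldap, ["dc1.example.com", "dc3.example.com"]))
```

The priority 10 record never receives a logon while a priority 0 DC answers, which is how a standby DC is kept out of normal use; a DC absent from the list still replicates but is invisible to clients, so the check belongs among the post-installation DNS verifications.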


Lesson 2—Project 1

You are a network administrator for ABC Corp. Your environment consists of three locations, one of which does not have highly skilled IT engineers and is not as secure as you would like it. There are 1,000 users spread throughout the three locations. You have been asked to set up an Active Directory environment using Windows Server 2008. Explain how you would recommend setting up the environment. How many and what types of domain controllers would you put in each location? How would you configure DNS?

Microsoft Video Links

Windows Server 2008 R2 Quick Look—Server Core

This video provides a quick overview to help you as an administrator in Windows Server 2008 R2, particularly a couple of enhancements inside Windows Server Core.

Length: 5:07

Windows Server 2008 R2 Quick Look—Active Directory Administrative Center

This video provides a quick look at Active Directory Administrative Center, the new administrative tool in Windows Server 2008 R2.

Length: 6:25


Lesson 3: Using Active Directory Sites

Learning Goals

The goal of this lesson is to guide students through Active Directory Sites. Point out that students will learn about replication and site management.

Learning Objectives

Upon completion of this lesson, students will be able to:

Understand Active Directory Sites
Understand Active Directory Site replication
Understand Active Directory Site management

Lesson Introduction

Explain that working with Microsoft Windows Server 2008 Active Directory Sites requires that students understand the purpose of sites and site replication. Students will learn the differences in replication types, how to implement a plan for management of a site, and how to monitor site replication to prevent errors. Students will also learn that site replication is the tool used to sustain an efficient and consistent Active Directory environment.

Understanding Active Directory Sites

Instructors should do the following:

Explain that replication is the process of duplicating Active Directory information between domain controllers for fault tolerance and redundancy.

Explain that Active Directory Sites allow administrators to control replication traffic.

Point out that Active Directory replicates through intrasite and intersite replication.

Explain that intrasite replication is replication between domain controllers that reside in the same Active Directory site.

Explain that intersite replication is replication between domain controllers that reside in different Active Directory sites.

Explain that intersite replication is compressed to reduce bandwidth usage.


Point out that Active Directory sites have the following characteristics:

Defined by IP subnets.
Multiple sites are joined by site links.
Replication is organized by defined groups of servers.
Clients query the site information within DNS, at logon, to determine the domain controller to access.
Sites are independent of the logical structure.
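Because sites are defined by IP subnets, a client's site is whichever subnet object contains its address, with the most specific prefix winning. The following is an added example, not code from the lesson plan; the site names and prefixes are constructed sample data. It resolves clients to sites and reports the two configuration problems worth checking after a new segment is added: addresses that fall in no subnet (those clients are handed an arbitrary, often remote, domain controller) and nested prefixes that map to different sites.

```python
"""Map client IP addresses to Active Directory sites by subnet.

Added illustration, not code from the lesson plan. AD sites are defined by
IP subnets, so a client is matched to the site whose subnet object most
specifically contains its address. The site names and prefixes below are
constructed sample data.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: subnet objects as they would appear under
# Active Directory Sites and Services (prefix -> site name).
SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "Headquarters",
    "10.1.50.0/24": "Headquarters-Lab",   # more specific than 10.1.0.0/16
    "10.2.0.0/16": "Branch-A",
    "192.168.10.0/24": "Branch-B",
}

SubnetTable = List[Tuple[ipaddress.IPv4Network, str]]


def build_subnet_table(subnets: Dict[str, str]) -> SubnetTable:
    """Parse each prefix once and order them longest prefix first, so a
    linear scan returns the most specific match."""
    table = [(ipaddress.ip_network(prefix, strict=True), site)
             for prefix, site in subnets.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_client(ip: str, table: SubnetTable) -> Optional[str]:
    """Return the most specific site covering ip, or None if no subnet
    matches. A client with no matching subnet is not site-aware: the DC
    locator will hand it any domain controller, often one across a WAN."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:   # longest prefix first, so the first hit wins
        if addr in net:
            return site
    return None


def overlapping_subnets(table: SubnetTable) -> List[Tuple[str, str]]:
    """Pairs (specific, broad) where one prefix lies inside another but maps
    to a different site. That is legal (the specific one wins), but worth a
    review because a typo in a prefix silently moves clients between sites."""
    found = []
    for i, (net_a, site_a) in enumerate(table):
        for net_b, site_b in table[i + 1:]:
            if net_a != net_b and net_a.subnet_of(net_b) and site_a != site_b:
                found.append((str(net_a), str(net_b)))
    return found


def unmatched_clients(ips: List[str], table: SubnetTable) -> List[str]:
    """Clients that fall in no subnet: candidates for a missing subnet object."""
    return [ip for ip in ips if site_for_client(ip, table) is None]


if __name__ == "__main__":
    table = build_subnet_table(SUBNETS)
    for ip in ["10.1.50.7", "10.1.3.9", "10.2.0.1", "172.16.0.5"]:
        print(ip, "->", site_for_client(ip, table))
    print("overlaps:", overlapping_subnets(table))
    print("unmatched:", unmatched_clients(["10.2.0.1", "172.16.0.5"], table))
```

Feeding the script the subnets from Sites and Services and a sample of logon source addresses (from DC security logs, for instance) shows which clients are authenticating outside their intended site before anyone notices the slow logons.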

Understanding Replication

Instructors should do the following:

Explain that Active Directory creates a replication topology so that all writeable domain controllers can communicate AD information with each other.

Point out that one of the following conditions must be met for replication to occur:

An object is added to or removed from Active Directory.
The value of an attribute has changed.
The name of an object has changed.

Explain that an Update Sequence Number (USN) is maintained to keep track of any changes to the domain controller.

Point out that in addition to the USN, a Version ID with each Active Directory attribute keeps track of how many times the attribute has been changed.

Explain that Active Directory uses the Version ID and USN as tie-breakers to determine which attributes to keep and which to discard.

Explain that the final tie-breaker is the time stamp.

Point out that Active Directory will designate a bridgehead server to act as a gatekeeper to supervise site-to-site replication.

Explain that convergence describes the amount of time required for replication to occur.

Explain that prior to intrasite replication, the Knowledge Consistency Checker (KCC) maps the logical network topology between domain controllers.

Point out that the KCC will select replication partners for a domain controller and create connection objects between domain controllers and the new partner.

Explain that linked-value replication (LVR) of group membership changes is enabled by a change in functional level.


Point out that the primary principle for the KCC is the “Rule of Three,” which states that no single domain controller should be more than three hops away from any domain controller that can originate a change to the Active Directory database.

Point out that the KCC runs every 15 minutes and analyzes the best path and placement for connection objects.

Point out that intrasite replication minimizes latency to allow for quick changes.

Explain that the KCC creates a dual counter-rotating ring that reroutes traffic if a domain controller in the ring fails.

Explain that domain controllers use change notification to inform one another of changes that need to be replicated.

Point out that some operations will generate an urgent rep-

Understanding Site Management

Instructors should do the following:

Point out that the administrator may create and manage additional sites to better control the replication traffic.

Demonstrate how to rename the default first-site name using the Active Directory Sites and Services MMC Snap-in.

Demonstrate how to create a new site using Active Directory Sites and Services.

Demonstrate how to create a new subnet to correspond with any new physical segment on the network.

Point out that Active Directory Sites must use intersite replication to enable global network communication.

Explain that a site link is a logical, transitive connection between two sites that mirrors the routed connections between networks and allows for replication.

Point out that one site within the Active Directory environment must run the intersite topology generator (ISTG), which enables bridgehead server selection and mapping of the topology.

Explain that cost, schedule, and frequency control the behavior of replication traffic over a site link.

Demonstrate how to create a new site link object through Active Directory Sites and Services.

Explain that the appropriate protocol must be selected when configuring replication.

Point out that Remote Procedure Calls over Internet Protocol (RPC over IP) and Simple Mail Transfer Protocol (SMTP) are the two possible protocols for replication.


Explain that RPC over IP is the default protocol for all replication traffic and is commonly used to communicate with network services.

Explain that SMTP should be used when a direct or reliable IP connection is not available, and that it is the standard messaging protocol.

Explain that a bridgehead server is designated to minimize the bandwidth required for intersite replication, since this is a bandwidth-intensive process.

Explain that the administrator may choose to override the default bridgehead server and create a preferred bridgehead server list.

Demonstrate how to designate preferred bridgehead servers through Active Directory Sites and Services.

Point out that domain controllers from different sites can communicate through the site link bridge.

Explain that the site link bridge is enabled by default.

Demonstrate how to disable automatic site link bridging through Active Directory Sites and Services.

Demonstrate how to create a manual site link bridge through Active Directory Sites and Services.

Point out that administrators may have to force or manage replication due to an Active Directory problem.

Demonstrate how to refresh the intrasite replication topology through Active Directory Sites and Services.

Demonstrate how to determine which server holds the ISTG (Intersite Topology Generator) role through Active Directory Sites and Services.

Demonstrate how to force manual replication between two domain controllers, to correct errors or inconsistencies, through Active Directory Sites and Services.

Point out that many issues can be prevented by monitoring the replication activity.

Explain that two tools for monitoring replication are Dcdiag and Repadmin.

Explain that the following can be accomplished with Dcdiag:

Perform connectivity and replication tests
Report DNS registration problems
Analyze the permissions required for replication
Analyze the state of domain controllers within the forest


Explain that the following can be accomplished with Repadmin:

View the replication topology from each domain controller
Manually create a replication topology
Force replication between domain controllers
View the replication metadata
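A worked example of the replication monitoring the lesson recommends, added here and not part of the lesson plan. It assumes the column layout of `repadmin /showrepl * /csv` (the header row names the columns used) and runs over constructed sample rows: partners with consecutive failures are reported at once, and partners that have not replicated successfully within two default intersite intervals (180 minutes each) are reported as stale.

```python
"""Flag replication partners that need attention from repadmin output.

Added example, not code from the lesson plan. It assumes the column layout
of `repadmin /showrepl * /csv` (the header row names the columns used
below); the data rows are constructed sample output, not a real forest.
"""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample. Status 1722 is the Win32 code for "The RPC server is
# unavailable", a typical symptom of a blocked or down WAN link.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Headquarters,DC1,"DC=example,DC=com",Headquarters,DC2,RPC,0,0,2024-05-01 12:00:00,0
showrepl_INFO,Branch-A,DC3,"DC=example,DC=com",Headquarters,DC1,RPC,4,2024-05-01 11:40:00,2024-04-30 09:00:00,1722
showrepl_INFO,Branch-B,DC4,"CN=Configuration,DC=example,DC=com",Headquarters,DC1,RPC,0,0,2024-05-01 08:30:00,0
"""

INTERSITE_DEFAULT_MINUTES = 180   # default site-link replication interval
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# destination DC, source DC, naming context, reason
Finding = Tuple[str, str, str, str]


def parse_showrepl(text: str) -> List[Dict[str, str]]:
    """Return the showrepl_INFO rows as dicts keyed by column name."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row["showrepl_COLUMNS"] == "showrepl_INFO"]


def stale_partners(rows: List[Dict[str, str]], now: str,
                   max_age_minutes: int = 2 * INTERSITE_DEFAULT_MINUTES) -> List[Finding]:
    """Rows whose last attempt failed, or whose last success is older than
    max_age_minutes. Two missed default intersite intervals is a
    conservative starting threshold; tune it to the site link schedule."""
    now_dt = datetime.strptime(now, TIME_FORMAT)
    limit = timedelta(minutes=max_age_minutes)
    findings: List[Finding] = []
    for row in rows:
        key = (row["Destination DSA"], row["Source DSA"], row["Naming Context"])
        failures = int(row["Number of Failures"])
        if failures > 0:
            reason = f"{failures} consecutive failures, last status {row['Last Failure Status']}"
            findings.append(key + (reason,))
            continue
        age = now_dt - datetime.strptime(row["Last Success Time"], TIME_FORMAT)
        if age > limit:
            findings.append(key + (f"no success for {int(age.total_seconds() // 60)} minutes",))
    return findings


def failures_by_site(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count failing inbound connections per destination site. Several
    failures landing on one site point at its bridgehead or WAN link rather
    than at individual domain controllers."""
    counts: Dict[str, int] = {}
    for row in rows:
        if int(row["Number of Failures"]) > 0:
            site = row["Destination DSA Site"]
            counts[site] = counts.get(site, 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_showrepl(SAMPLE_CSV)
    for finding in stale_partners(rows, "2024-05-01 13:00:00"):
        print(finding)
    print(failures_by_site(rows))
```

Run against saved output, the script turns a long repadmin listing into the short list an operator acts on; replication that silently stops is how stale group memberships and password changes linger on a remote site's domain controller.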

Lesson Quiz

True/False

1. While intrasite replication occurs almost immediately, intersite replication occurs at a configured interval, which by default is every 180 minutes.

2. Active Directory sites replicate the logical structure of the environment and can contain only one Active Directory domain.

3. The bridgehead server in an Active Directory site receives replication updates from all domain controllers in remote sites.

4. Intrasite replication uses the Knowledge Consistency Checker (KCC) to determine replication paths.

5. In a multi-site environment, each domain controller runs the Intersite Topology Generator to determine site replication paths.

Multiple Choice

1. Active Directory sites are based on which of the following?

a) Domain structure
b) Forest structure
c) IP subnets
d) DNS naming

2. Active Directory replication occurs when all of the following occur except:

a) The name of an object changes
b) A client PC logs on to the domain
c) An object is added to or removed from Active Directory
d) The value of an attribute has changed


3. What is the connection called that connects two sites and enables replication to occur?

a) Site Bridge
b) Transitive trust
c) Route Path
d) Site Link

4. Which two of the following protocols can be used for intersite replication?

a) DNS
b) IP
c) SNMP
d) IPX/SPX

5. Which two of the following tools can be used to monitor and manage Active Directory sites?

a) Dcdiag
b) Netdiag
c) Nslookup
d) Repadmin

Quiz Answers

True/False

1. True.

2. False. AD sites represent the physical structure of the environment and may contain multiple domains.

3. False. Bridgehead servers communicate only with the bridgehead server in the remote sites for replication information.

4. True.

5. False. One domain controller within each site runs the ISTG process.

Multiple Choice

1. C
2. B
3. D
4. B
5. A, D


Class Projects

Lesson 3—Exercise 1

Explain how Active Directory keeps track of changes to the ntds.dit file and handles changes that are replicated. What three factors can be used to determine if a replicated change should be added by the receiving domain controller?

List and explain the three attributes that should be configured when creating a site link in a multiple site environment.

Lesson 3—Project 1

Explain in detail the intrasite and intersite replication process. Include in your definition the replication protocols used, factors used to determine which replication protocol is appropriate, replication interval, how replication partners are determined, how compression is used or not used, etc.

Microsoft Video Resources

Windows Server 2008 R2 Quick Look—Active Directory Administrative Center

This video provides a quick look at Active Directory Administrative Center, the new administrative tool in Windows Server 2008 R2.

Length: 6:25

Windows Server 2008 R2 Quick Look—System Health Report

A quick look at System Health Report, a tool in Windows Server 2008 R2 that helps you analyze your servers and provides you with prescriptive system diagnosis.

Length: 4:36


Lesson 4: Using Global Catalog and Flexible Single Master Operations (FSMO) Roles

Learning Goals

The goal of this lesson is to explain the important role of the global catalog server in Active Directory. Point out that students will also learn about the Flexible Single Master Operations roles in Active Directory domains and forests.

Learning Objectives

Upon completion of this lesson, students will be able to:

Understand the global catalog
Understand Flexible Single Master Operations (FSMO) roles
Understand site management

Lesson Introduction

Explain that Microsoft Windows Server 2008 Active Directory’s global catalog and Flexible Single Master Operations (FSMO) roles are important to the accurate functioning of Active Directory. Students will learn about the placement of the global catalog, and how to add or remove a global catalog. Students will also learn the function of the Relative Identifier, Infrastructure Master, Primary Domain Controller Emulator, Domain Naming, and Schema Master FSMO roles in the Active Directory domain and forest.

Understanding the Global Catalog

Instructors should do the following:

Explain that the global catalog houses a subset of forest-wide Active Directory objects and is a central repository of object copies.

Point out that complete object copies and partial copies of objects from other domains within the same forest are referred to as partial attribute sets (PAS).

Explain that by default the first domain controller installed in a forest houses the global catalog server.

Point out that the four main functions of the global catalog are:

Facilitating searches for objects in the forest.
Resolving User Principal Names (UPN).


Maintaining universal group membership information.
Maintaining a copy of all objects in the domain.

Explain that a universal group contains users, groups, and computers from any domain in the forest.

Explain that when an attribute is indexed, it is stored in the PAS and replicated to all global catalogs.

Explain that if a global catalog server is not available, then universal group memberships are stored on the local domain controller. This is called universal group membership caching.

Point out the following benefits of universal group membership caching:

Eliminates the need for a global catalog in remote locations
Provides better logon performance for users with cached information
Minimizes WAN usage for replication traffic

Demonstrate how to enable universal group membership caching using Active Directory Sites and Services.

Point out that the following guidelines will help the administrator determine if an additional global catalog server is needed:

Each site should contain a global catalog server to facilitate user logons.
The amount of bandwidth necessary to replicate the global catalog information should be considered.
The domain controller must have ample hard drive space to house the global catalog.
The site containing port 3268, the port used for Active Directory object searches, must also be the site containing the global catalog server.

Demonstrate how to configure an additional global catalog server using Active Directory Sites and Services.

Understanding Flexible Single Master Operations (FSMO) Roles

Instructors should do the following:

Explain that FSMO includes specialized roles such as schema management or adding and removing additional domains from an Active Directory forest.

Explain that Active Directory supports a total of five FSMO roles, and their functionality is distributed among domain-wide and forest-wide FSMOs.


Point out that the three domain-specific FSMO roles are:

Relative Identifier (RID) Master
Infrastructure Master
Primary Domain Controller (PDC) Emulator

Explain that the Relative Identifier (RID) Master is specific to the domain it was created for, and that a RID is assigned to an object at creation.

Point out that RIDs are a part of the object’s security identifier (SID).

Explain that the Infrastructure Master is responsible for replicating changes to an object’s SID or distinguished name (DN).

Point out that the Infrastructure Master replicates changes to all domains that have a trust relationship with the source domain.

Explain that the Primary Domain Controller (PDC) Emulator is responsible for the following tasks:

Time synchronization within an Active Directory domain
Managing edits to Group Policy Objects
Managing replication of security-sensitive account replication events

Explain that the following Active Directory time synchronization processes are used to assist in conflict resolution:

Clients and member servers within a domain will synchronize their clocks against the domain controller that authenticated them.
Domain controllers in each domain will synchronize their time against the PDC Emulator of their domain.
The PDC Emulator of each domain in the forest will synchronize its time against the PDC Emulator of the forest root domain.
The PDC Emulator of the forest root domain can obtain its time from the internal clock.

Point out that the two roles in Active Directory that have forest-wide authority are:

Domain Naming Master
Schema Master

Explain that the Domain Naming Master role is held by only one domain controller in the forest, and this role verifies the uniqueness of domain names in the forest.

Explain that the Schema Master role is the manager for all schema modifications that take place in the Active Directory.


Point out that the following should be considered when determining the locations for the FSMO roles:

Number of domains that will be part of the forest
Physical structure of the network
Number of domain controllers that will be available in each domain

Point out that the two attributes used to describe a domain controller are:

Highly available
High capacity

Explain that highly available domain controllers are centrally located and contain additional hardware to keep the controller functioning properly.

Explain that high-capacity domain controllers have greater processing ability and more memory, and are available through faster network access.

Point out that the two techniques used to manage FSMO role outages are:

Role transfer
Role seizure

Explain that role transfer occurs when the FSMO role is moved from one domain controller to another.

Explain that role seizure occurs when a forced transfer of an FSMO role from one domain controller to another is required due to failure.

Demonstrate how to view the RID Master, PDC Emulator, or Infrastructure Master FSMO role holders using the Active Directory Users and Computers MMC Snap-in.

Demonstrate how to view the Domain Naming Master FSMO role holder through Active Directory Domains and Trusts.

Demonstrate how to view the Schema Master FSMO role holder through the Active Directory Schema Snap-in.

Demonstrate how to transfer the RID Master, PDC Emulator, or Infrastructure Master FSMO role through the Active Directory Users and Computers MMC Snap-in.

Demonstrate how to transfer the Domain Naming Master FSMO role through the Active Directory Domains and Trusts snap-in.

Demonstrate how to transfer the Schema Master FSMO role through the Active Directory Schema Snap-in.

Demonstrate how to seize an FSMO role through the command prompt.


Lesson Quiz

True/False

1. A global catalog server will contain a complete copy of its Domain NC, but not information about other domains in the forest.

2. For redundancy, it is recommended that each domain have at least two RID Masters.

3. If a user object, John Doe, is deleted and then re-created later exactly as it was before being deleted, it will receive the same GUID as the original John Doe.

4. The Domain Naming Master is a domain-specific FSMO role that has responsibility for ensuring that all names within a domain are unique.

5. If the RID Master fails, the failure will not be visible until the domain controller runs out of RIDs that were previously assigned by the RID Master.

Multiple Choice

1. What feature of Windows Server 2008 can allow remote members of Universal groups to log on to the domain when a local global catalog server is not available?

a) Two-way transitive trusts between domains
b) Local cached credentials
c) Universal Group Caching
d) RID Master

2. Which three of the following FSMO roles are domain specific?

a) Relative Identifier (RID) Master
b) Schema Master
c) Primary Domain Controller (PDC) Emulator
d) Infrastructure Master

3. Which two of the following five FSMO roles have forest-wide authority?

a) Domain Naming Master
b) RID Master
c) Schema Master
d) Infrastructure Master


4. It’s considered a best practice to run which two of the following FSMO roles on the same domain controller?

a) Schema Master
b) PDC Emulator
c) Domain Naming Master
d) RID Master

5. Which of the following procedures would be used to recover from a domain controller failure when the domain controller was running one or more of the FSMO roles?

a) Role Seizure
b) Role Transfer
c) Role Migration
d) Role Failover

Quiz Answers

True/False

1. False. A global catalog server contains a complete copy of its domain NC and a partial attribute set for all other domains in the forest.

2. False. There can only be one RID Master per domain.

3. False. When an object is deleted, the GUID will never be used again.

4. False. The Domain Naming Master is a forest-wide FSMO role that is responsible for the creation of domains, domain trees, and application data partitions.

5. True.

Multiple Choice

1. C
2. A, C, D
3. A, C
4. B, D
5. A

Class Projects

Lesson 4—Exercise 1

List and explain the four primary functions of a global catalog server.


List and explain the five FSMO roles in a Windows Server 2008 forest. Explain which FSMO roles are domain specific and which are forest wide.

Lesson 4—Project 1

You are the Active Directory administrator for a multi-domain Active Directory forest with five locations. What factors should you consider when determining the placement and number of global catalog servers? What factors should you consider when determining where to place the FSMO roles?

Microsoft Video Resources

Active Directory Domain Services in Microsoft Windows Server 2008

Demonstrates new features and enhancements that are focused around the fundamentals: improved security, reliability, performance, reduced operational complexity, and increased deployment flexibility. This session presents the Windows Server 2008 features in Active Directory.

Length: 48:06


Lesson 5: Administration of Active Directory

Learning Goals

The goal of this lesson is to explain the management of users and groups in Active Directory. Point out that students will also learn how to configure and manage these accounts.

Learning Objectives

Upon completion of this lesson, students will be able to:

Understand user accounts
Understand group accounts
Understand special identity groups and local groups
Develop a group implementation plan

Lesson Introduction

Explain that Microsoft Windows Server 2008 Active Directory Domain Services tasks include the administration of users and groups to enable network access. Students will learn the details of user and group accounts. Students will also learn about special identity groups and local groups. The task of creating a group implementation plan will be discussed and demonstrated during this lesson.

Understanding User Accounts

Instructors should do the following:

Explain that the user account in Active Directory is used to provide access to resources.

Point out that authentication verifies a user’s identity through Active Directory.

Explain that there are three types of user accounts in Windows Server 2008:

Local accounts
Domain accounts
Built-in user accounts

Point out that a local account can access the local computer only and is stored in the Security Account Manager database on the local computer.

Point out that domain accounts are used to access Active Directory resources or other network resources. This account information is stored in Active Directory.

Point out that built-in user accounts are automatically created at the installation of Microsoft Windows Server 2008.


Explain that the built-in administrator account has full control of files and management on the local computer.

Point out the following built-in administrator account guidelines that should be considered:

Rename the administrator account.
Set a strong password.
Limit knowledge of administrator passwords to only a few individuals.
Do not use the administrator account for daily non-administrative tasks.

Explain that Windows Server 2008 provides a built-in guest account that may be used for temporary network access.

Point out the following built-in guest account guidelines that should be considered:

Rename the guest account after enabling it for use.
Set a strong password.

Understanding Group Accounts

Instructors should do the following:

Explain that groups are used in Windows Server 2008 to make network permissions more manageable.

Point out that groups enable the administrator to apply a set of permissions to multiple users.

Explain that an access token is created at logon for each user. These tokens identify users and their appropriate permissions.

Point out that a user may be a member of more than one group, which is called group nesting.

Point out that when users are members of one group and that group becomes a member of another group, they are automatically given the new group’s permissions. This is called nested membership.

Explain that two characteristics that define a group are group type and group scope.

Point out that group type determines how a group is used in Active Directory, and the two group types that are stored in an Active Directory database are:

Distribution groups
Security groups

Explain that distribution groups are used for the distribution of information.

Explain that security groups are used for granting access permissions for resources.


Explain that group scope controls the objects that can be contained in a group.

Point out that the group scopes for Active Directory are:

Domain local groups

Global groups

Universal groups

Explain that domain local groups include user accounts, computer accounts, global groups, and universal groups for the same domain.

Explain that global groups include user accounts, computer accounts, global groups, and universal groups for the same domain as a global group.

Explain that universal groups include user accounts, computer accounts, global groups, and universal groups from anywhere in the forest.

Point out that group nesting refers to groups that are added as members of other groups.

Explain that built-in security groups, each tied to a predefined set of network-related tasks, are created when Windows Server 2008 Active Directory is installed.

Demonstrate how to view groups using the Active Directory Users and Computers snap-in.
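As an added illustration for this section (not part of the original lesson plan and not code from any Microsoft tool), the following Python script models how nested group membership is expanded into the set of groups carried in a user's access token, and how a permission granted to a domain local group reaches a user through global and universal groups (the AGUDLP pattern asked about in Lesson 5, Exercise 1). Every group name, member and permission in it is constructed, and the GG-/UG-/DL- prefixes are an assumed naming standard; the script runs offline with no domain.

```python
"""Nested group membership and AGUDLP permission evaluation (added example).

All directory data below is constructed for illustration; nothing is read
from a real domain.
"""
from collections import deque

# Constructed groups: name -> scope and direct members (user names or group names).
# GG- = global, UG- = universal, DL- = domain local (an assumed naming standard).
GROUPS = {
    "GG-Sales":         {"scope": "global",      "members": {"alice", "bob"}},
    "GG-SalesLeads":    {"scope": "global",      "members": {"carol"}},
    "GG-Marketing":     {"scope": "global",      "members": {"dave", "GG-Marketing"}},  # nested in itself (edge case)
    "UG-AllSales":      {"scope": "universal",   "members": {"GG-Sales", "GG-SalesLeads"}},
    "DL-SalesShare-RW": {"scope": "domainlocal", "members": {"UG-AllSales"}},
    "DL-SalesShare-RO": {"scope": "domainlocal", "members": {"GG-Marketing"}},
}

# AGUDLP: permissions on the resource are granted to domain local groups only.
RESOURCE_ACL = {
    "DL-SalesShare-RW": {"read", "write"},
    "DL-SalesShare-RO": {"read"},
}


def reverse_index(groups):
    """member -> set of groups that list that member directly."""
    parents = {}
    for gname, ginfo in groups.items():
        for member in ginfo["members"]:
            parents.setdefault(member, set()).add(gname)
    return parents


def effective_groups(principal, groups=GROUPS):
    """Every group `principal` belongs to, directly or through nesting.

    This is what the logon access token carries. Breadth-first walk with a
    `seen` set so a group nested inside itself cannot loop forever.
    """
    parents = reverse_index(groups)
    seen, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for g in parents.get(current, ()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen


def membership_path(principal, target, groups=GROUPS):
    """The chain of nesting that makes `principal` a member of `target`, or []."""
    parents = reverse_index(groups)
    came_from = {principal: None}
    queue = deque([principal])
    while queue:
        current = queue.popleft()
        if current == target:
            path = []
            while current is not None:
                path.append(current)
                current = came_from[current]
            return path[::-1]
        for g in sorted(parents.get(current, ())):
            if g not in came_from:
                came_from[g] = current
                queue.append(g)
    return []


def effective_permissions(user, acl=RESOURCE_ACL, groups=GROUPS):
    """Union of the permissions granted to any group in the user's token."""
    perms = set()
    for g in effective_groups(user, groups):
        perms |= acl.get(g, set())
    return perms


def scope_report(user, groups=GROUPS):
    """Group names in the token, tagged with scope, to show the A-G-U-DL chain."""
    return sorted((g, groups[g]["scope"]) for g in effective_groups(user, groups))


if __name__ == "__main__":
    for who in ("alice", "carol", "dave", "erin"):
        print(who, effective_permissions(who), scope_report(who))
    print(" -> ".join(membership_path("carol", "DL-SalesShare-RW")))
```

The same walk, run over the member attribute of a CSVDE export, shows who actually ends up with a permission before a new group is nested; the seen set is what keeps a self-nested group (GG-Marketing above) from looping, but such a loop is still worth removing when it turns up in a membership audit.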

Understanding Special Identity Groups and Local Groups

Instructors should do the following:

Explain that administrators cannot modify the memberships of, or view the membership list of, users in special identity groups.

Explain that a local group is a group of users who are specific to one local machine.

Point out that the Everyone group is a special identity group that contains all authenticated users.


Developing a Group Implementation Plan

Instructors should do the following:

Explain that a group implementation plan should be developed to accommodate changes within the organization.

Point out that group implementation plans should include the following:

Who has the ability and responsibility to create, delete, and manage groups

How domain local and universal groups are to be used

A policy that states guidelines for creating new groups and deleting old groups

A naming standards document to keep group names consistent

Standards for group nesting

Point out that the creation of Active Directory objects is a common task for administrators.

Explain that the following are the commonly used methods for creating multiple users and groups:

Batch files

Comma-Separated Value Directory Exchange (CSVDE)

LDAP Data Interchange Format Directory Exchange (LDIFDE)

Windows Script Host (WSH)

Demonstrate how to create users, computers, and groups using Windows Server 2008 local administrator credentials.

Demonstrate how to create users, computers, and groups using Windows Server 2008 domain administrator credentials.

Point out that batch files can be created using a text editor.

Explain that Active Directory objects may be created, deleted, viewed, or modified from the Windows Server 2008 command line; Dsadd, the command that creates objects, can be run from a batch file to create many objects at once.

Explain that Comma-Separated Value (CSV) files may be used to import and export information between Microsoft Excel or Exchange and the Active Directory database.

Explain that the LDIFDE utility provides the ability to modify existing records in Active Directory.

Explain that the Windows Script Host (WSH) offers the flexibility to run scripts from a Windows interface or a command prompt.
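As an added example for the bulk-creation methods listed above (not code from the lesson plan or from Microsoft), the following Python script turns a constructed staffing list into the three input formats the lesson names: a CSVDE import file, an LDIFDE file that creates groups and adds their members, and a batch file of Dsadd commands. It also applies a naming standard and resolves the collision that the standard produces, which is the point of the naming-standards document in the implementation plan. The OU (BASE_DN), the UPN suffix and the first-initial-plus-surname standard are assumptions; the staffing rows are constructed.

```python
"""Generate bulk-import files for Active Directory from a staffing list (added example).

The staffing rows are constructed, not an HR export. The three outputs are the
formats named in the lesson: a CSVDE import file, an LDIFDE file, and a batch
file of Dsadd commands. BASE_DN, UPN_SUFFIX and the naming standard are assumptions.
"""
import csv
import io
import re

BASE_DN = "OU=Sales,DC=example,DC=com"   # assumed target OU
UPN_SUFFIX = "example.com"                # assumed UPN suffix

# groupType attribute values for security groups (0x80000000 | scope bit).
GROUP_TYPE = {"global": -2147483646, "domainlocal": -2147483644, "universal": -2147483640}

# Constructed staffing list; the two Adams entries collide under the naming standard.
STAFF = [
    {"given": "Alice", "sn": "Adams", "group": "GG-Sales"},
    {"given": "Aaron", "sn": "Adams", "group": "GG-Sales"},
    {"given": "Mary-Jane", "sn": "O'Neil", "group": "GG-SalesLeads"},
]


def make_sam(given, sn, taken):
    """Assumed naming standard: first initial + surname, lowercase ASCII letters
    only, at most 20 characters (the sAMAccountName limit); a counter is
    appended when the name is already taken."""
    base = re.sub(r"[^a-z]", "", (given[0] + sn).lower())[:20]
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = base[:20 - len(str(n))] + str(n)
    taken.add(candidate)
    return candidate


def plan_accounts(staff=STAFF):
    """Resolve every row to a DN, sAMAccountName and UPN before any file is written."""
    taken, accounts = set(), []
    for p in staff:
        sam = make_sam(p["given"], p["sn"], taken)
        accounts.append({
            "dn": f"CN={p['given']} {p['sn']},{BASE_DN}",
            "sam": sam,
            "upn": f"{sam}@{UPN_SUFFIX}",
            "given": p["given"], "sn": p["sn"], "group": p["group"],
        })
    return accounts


def build_csvde(accounts):
    """CSVDE import: the header row names the attributes; DN and objectClass are
    mandatory. CSVDE cannot set passwords, so imported users arrive disabled."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["DN", "objectClass", "sAMAccountName", "userPrincipalName",
                     "givenName", "sn", "displayName"])
    for a in accounts:
        writer.writerow([a["dn"], "user", a["sam"], a["upn"], a["given"], a["sn"],
                         f"{a['given']} {a['sn']}"])
    return buf.getvalue()


def build_ldif_groups(accounts, scope="global"):
    """LDIFDE: an add record per group, then a modify record that appends members.
    Records are separated by a blank line; '-' closes each modify operation."""
    by_group = {}
    for a in accounts:
        by_group.setdefault(a["group"], []).append(a["dn"])
    lines = []
    for group, members in by_group.items():
        gdn = f"CN={group},{BASE_DN}"
        lines += [f"dn: {gdn}", "changetype: add", "objectClass: group",
                  f"sAMAccountName: {group}", f"groupType: {GROUP_TYPE[scope]}", ""]
        lines += [f"dn: {gdn}", "changetype: modify", "add: member"]
        lines += [f"member: {m}" for m in members] + ["-", ""]
    return "\n".join(lines)


def build_dsadd_batch(accounts):
    """One Dsadd line per user. '-pwd *' makes Dsadd prompt for the password so no
    secret is stored in the batch file; -mustchpwd yes forces a change at first logon."""
    return "\n".join(
        f'dsadd user "{a["dn"]}" -samid {a["sam"]} -upn {a["upn"]} '
        f'-fn "{a["given"]}" -ln "{a["sn"]}" -display "{a["given"]} {a["sn"]}" '
        f'-memberof "CN={a["group"]},{BASE_DN}" -pwd * -mustchpwd yes -disabled no'
        for a in accounts)


if __name__ == "__main__":
    plan = plan_accounts()
    print(build_csvde(plan))
    print(build_ldif_groups(plan))
    print(build_dsadd_batch(plan))
```

The CSVDE and LDIFDE text would be fed to csvde -i -f and ldifde -i -f respectively on a domain controller; the batch output is run with domain administrator credentials. Because CSVDE cannot carry a password, the accounts it creates stay disabled until one is set, which is why the Dsadd batch prompts for each password instead of embedding it in the file.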


Lesson Quiz

True/False

1. Microsoft Best Practice recommends deleting the guest account for security reasons.

2. Distribution groups are used to assign permissions.

3. The Dsadd command can be used in a batch file to create bulk user accounts.

4. Group nesting refers to adding users to multiple security groups.

5. Domain Local Groups can be used to grant permissions to resources on any computer that is joined to the Active Directory Domain.

Multiple Choice

1. What are the three types of user accounts in Active Directory?

a) Built-in user accounts

b) Special Identity user accounts

c) Local user accounts

d) Domain user accounts

2. Windows Server 2008 utilizes which two of the following group types?

a) Distribution group

b) Global group

c) Security group

d) Local group

3. Active Directory in Windows Server 2008 supports which three of the following group scopes?

a) Domain Local group

b) Distribution group

c) Global group

d) Universal groups

4. Windows Server 2008 offers several tools for managing or creating bulk objects in Active Directory. Which of the tools listed below provides the ability to add, modify, and delete Active Directory Objects?

a) LDIFDE

b) Batch files

c) CSVDE

d) WSH


5. Which of the following groups is disabled by default?

a) Anonymous users

b) Guest

c) Administrators

d) Everyone

Quiz Answers

True/False

1. False. The Guest account, like the Administrator account, cannot be deleted. It’s considered a best practice to rename the Guest account.

2. False. Security groups are used to assign permissions.

3. True.

4. False.

5. True.

Multiple Choice

1. A, C, D

2. A, C

3. A, C, D

4. A

5. B

Class Projects

Lesson 5—Exercise 1

List and explain four best practices for securing a local or domain security account.

Explain what is meant by group nesting. What is meant by the acronym AGUDLP?


Lesson 5—Project 1

Explain how Active Directory uses default groups. Explain when each of the following groups is created and how users become members.

Account Operators

Administrators

Guest

DHCP Administrators

Domain Users

Explain how special identity groups are used in Windows Server 2008. How do users become members of a special identity group? How do you view the members of a special identity group?

Microsoft Video Resources

Provide users with seamless corporate network access from anywhere with Windows 7, Windows Server 2008 R2, and DirectAccess

Remote users? Mobile users? People working from home, from the coffee shop, from the airport? How do you provide them with secure connections that are easy to use and deploy while still maintaining the integrity of your network? Windows 7 and Windows Server 2008 R2 provide the answer with DirectAccess. This video presents a walk-through of the configuration of DirectAccess and discusses the requirements for deploying it in your network.

Length: 30:30


Allowing External Users to Manage IIS7 Web Applications

Web servers often need remote administration by an external consultant. Many companies outsource web development activities and as a result, they need to grant external users access to manage both content and configuration on their web servers. IIS 7 includes a new management service which addresses this need, and TS RemoteApp provides a secure way to make management tools available outside the firewall. This demo shows how you can configure the management service, work with feature delegation, and connect to IIS Manager from outside the firewall using TS RemoteApp.

Length: 10:16

Use Group Policy in Windows Vista and Windows Server 2008

An examination of the improvements and changes in Group Policy management in Windows Vista and Windows Server 2008. Includes a look at the new format of Group Policy templates, the central store, and multiple local group policies, then drills down into device management using Group Policy.

Length: 18:06


Using Group Policy with Windows and Windows Server 2008

A scenario-based walk-through using a series of demonstrations to offer an in-depth understanding of new and enhanced Group Policy functions in Windows Vista, as well as plans for the Windows Server 2008 timeframe. This session showcases Windows Vista as a Windows Vista Group Policy administrative workstation. Learn about new Group Policy features in Windows Vista, including the new format and functionality of Administrative Template (ADMX) files (and interop with legacy ADM files), the ADMX central store, improved awareness of changing network conditions, using multiple local Group Policy Objects (MLGPOs), and Group Policy Management Console (GPMC) integration into the operating system. Demos include using the new event viewer ("Crimson"), along with showcasing a selection of the hundreds of new policy settings delivered with Windows Vista. Finally, we provide an introduction to the products acquired from DesktopStandard and discuss their future availability and roadmap.

Length: 60:03


Lesson 6: Security Planning and Administrative Delegation of Active Directory

Learning Goals

The goal of this lesson is to explain that creating a secure Active Directory environment is a critical responsibility of the administrator. Point out that students will also learn the tasks of creating and working with organizational units as well as delegating administrative control of resources.

Learning Objectives

Upon completion of this lesson, students will be able to:

Implement account security

Plan an organizational unit strategy

Lesson Introduction

Explain that Microsoft Windows Server 2008 Active Directory requires that all accounts access the network through a secure password. Discuss with students the importance of having an organizational policy for user name and password creation. Explain to students that securing the administrative side of Active Directory is necessary to prevent hackers from gaining unauthorized access to the network. Describe how organizational units are used to secure administrative resources.

Implementing Account Security

Instructors should do the following:

Explain that user account security is an important aspect of a secure network.

Point out that the network administrator will create guidelines for the user name scheme, and it is extremely important that the organization strictly follow the guidelines.

Explain that Windows Server 2008 requires that all user accounts be accompanied with a secure password.

Explain that a password is an alphanumeric sequence of characters that must accompany the user name to gain access to network resources.

Point out the following best practices for protecting your password:

Keep any documented password in a secure location.

Do not share your password with anyone.


Do not save passwords on your computer to enable easy access.

Always use suggested standards for a strong, secure password.

Explain that a strong password is a password that is created with a secure combination of characters and length to make it difficult for a hacker to discover.

Point out that password cracking is any attempt to discover another user’s password.

Explain that dictionary attacks are automated password-cracking tools used to attempt every combination of a set of characters to crack a password.

Explain that strong passwords include the following characteristics:

Minimum of eight characters in length

Contains at least one uppercase and one lowercase letter, one numeral, and one non-alphabetic character

Differs significantly from previous passwords

Explain that securing the administrator password is critical, since a hacker with access to the administrator password can do extensive damage.

Point out that using the Run as Administrator option through a standard user account is the preferred method for performing administrative tasks and reducing risk.

Demonstrate how to use Run as from the GUI while logged in as a Windows Server 2008 member.

Demonstrate how to use Run as from the command line while logged in as a domain administrator.

Planning an Organizational Unit Strategy

Instructors should do the following:

Explain that organizational units (OUs) are containers that can hold Active Directory objects.

Explain that OUs can be created to represent the company’s functional foundation.

Point out that organizational units are created for the following reasons:

They represent the functional and geographical model of the company and its resources.

They delegate administrative control over a container’s resources to lower-level or branch office administrators.

They apply consistent configurations across the organization for group policy.


Explain that OUs can be nested to create a solid structure, but nesting should be done with careful planning and caution.

Point out that delegating authority at the OU level will allow access only to the OU and its hierarchy.

Explain that the Delegation of Control Wizard is a simple interface to delegate permissions.

Demonstrate how to delegate administrative control of an OU through Active Directory Users and Computers.

Demonstrate how to verify and remove delegated permissions using Active Directory Users and Computers.

Explain that objects may be moved between OUs for administrative or business purposes.

Point out that the drag-and-drop method or the Move menu option may be used in the Active Directory Users and Computers window.

Demonstrate how to move an object between OUs using drag-and-drop in the Active Directory Users and Computers window.

Demonstrate how to move an object between OUs using the Move option in the Active Directory Users and Computers window.

Lesson Quiz

True/False

1. A default configuration of Active Directory in Windows Server 2008 allows for user accounts with no password to log on to the domain.

2. A dictionary attack is an attempt to hack a computer by trying all combinations of characters.

3. Organizational units are units in Active Directory that cannot be nested.

4. Organizational units are most often used in a decentralized administration model.

5. When an object is moved from one OU to another, OU permissions that were assigned directly to the object will remain the same.


Multiple Choice

1. Which of the following should be included when configuring a strong password policy? Choose all that apply.

a) Enforce minimum password length

b) Set a minimum password age

c) Set password history

d) Require multiple types of characters

2. Microsoft best practices require strong passwords to have which three of the following characteristics?

a) At least six characters in length

b) Contain at least three of the following: uppercase letters, lowercase letters, numbers, and non-alphabetic characters

c) Differ from previously used passwords

d) Not contain your username

3. Which two of the following commands allow a user logged on with a standard user account to perform administrative functions?

a) Run As Administrator (Command Line)

b) Run as (GUI)

c) Run as Administrator (GUI)

d) Run as (Command Line)

4. Which two of the following can be used to move objects between organizational units in Active Directory?

a) Copy and paste

b) Drag and drop

c) Move

d) Delete and recreate

5. Which Windows Server 2008 services must be started in order for the Run as or Run as Administrator service to function?

a) Logon service

b) Run as service

c) Authentication service

d) Secondary Logon service


Quiz Answers

True/False

1. False. Windows Server 2008 requires that user accounts have passwords.

2. True.

3. False. OUs can be nested.

4. True.

5. True.

Multiple Choice

1. A, B, C, D

2. B, C, D

3. C, D

4. B, C

5. D

Class Projects

Lesson 6—Exercise 1

Describe the components of a strong password policy that meets Microsoft best practices.

Lesson 6—Project 1

Explain why an administrator would need to create and use organizational units in Active Directory. What advantages do organizational units offer that security groups do not?

Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers—Password Replication Policies

Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). This video provides a look at the password replication policies that are used to control credentials stored on RODCs.

Length: 4:58


Securing Branch Office User Accounts

In this demo you will see several ways that user accounts in a branch office can be secured. Branch offices traditionally are places of high risk for domain controllers. Placing domain controllers in branch offices is good for functionality and productivity, but bad for security. This demo shows how you can place a domain controller in a branch office and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal.

Length: 12:08


Lesson 7: An Introduction to Group Policy

Learning Goals

The goal of this lesson is to explain the basics of Group Policy Objects. Point out that students will also learn to use the Group Policy Management Console to configure Group Policy settings.

Learning Objectives

Upon completion of this lesson, students will be able to understand:

The basics of Group Policy

Group Policy architecture

Configuring Group Policy

Lesson Introduction

Explain that Microsoft Windows Server 2008 Active Directory uses Group Policy to control settings across the network. Students will learn to describe the Group Policy Container and Group Policy Templates. Students will also learn to use the Group Policy Management Console to configure Group Policy settings.

The Basics of Group Policy

Instructors should do the following:

Explain that Group Policy is used to control settings across the network.

Point out that the following can be managed using Group Policy:

Registry-based policies

Software installation policies

Folder redirection

Offline file storage

Scripts

Windows Deployment Services (WDS)

Explain that Group Policies can be linked to sites, domains, or OUs and apply the settings to all users and computers within these Active Directory containers.

Point out that security group filtering allows Group Policy Objects to be applied to one or more groups within a container.


Explain that the benefits of Group Policy can be measured in return on investment and total cost of ownership.

Explain that user benefits include:

Users can access files, even when the network is not available.

User environments can be created to look consistent throughout the network.

User files can be redirected to server locations for backup purposes.

Applications can be maintained automatically.

Explain that administrative benefits include:

Administrators have control over centralized configuration.

Automatic application repairs are available.

Centralized administration of user files.

Rapid deployment of new settings for group policy.

Group Policy Architecture

Instructors should do the following:

Explain that Group Policy Objects (GPOs) contain all of the Group Policy settings within a site, domain, or OU.

Point out that the GPO must be associated with the container to which it is applied.

Explain that there are three types of GPOs:

Local GPOs

Domain GPOs

Starter GPOs

Explain that the following are characteristics of a local GPO:

They contain fewer options.

Fewer security settings are available.

When local and nonlocal GPOs have a conflict, the local GPO is overwritten by the nonlocal GPO.

Point out that a nonlocal GPO is stored in the following two locations:

Group Policy Container (GPC)

Group Policy Template (GPT)

Explain that the Group Policy Container (GPC) is an Active Directory object that stores the properties of the GPO.

Explain that the GPT is stored in the Policies subfolder and stores policy settings, security settings, and script files.

Point out that the Group Policy Container (GPC) includes sub-containers that hold the GPC policy information.


Demonstrate how to view the Group Policy Container using Active Directory Users and Computers.

Explain that the Group Policy Templates folder is created and contains all of the policy’s settings and information.

Point out that the Group Policy Management Console is a snap-in used to create and modify Group Policies and their settings.

Demonstrate how to create and link a GPO to an OU using the command prompt.

Explain that GPO inheritance means that a Group Policy linked to a parent container is applied to the containers beneath it, for example to all domains within a site that contains multiple domains.

Configuring Group Policy

Instructors should do the following:

Explain that configuring Group Policy enables you to customize the configuration of a user’s desktop, environment, and security settings.

Point out that the Group Policy settings are divided into two categories:

Computer configuration

User configuration

Explain that the computer and user configuration each contain three sub-nodes, or extensions, that further organize the settings.

Point out that the three sub-nodes are:

Software settings

Windows settings

Administrative templates

Explain that Group Policy processing depends upon the order in which the policies are applied.

Point out that policies affect the containers that they are linked to in the following ways:

Site-linked policies affect all domains within a site.

Domain-linked policies affect all users and computers within a domain.

OU-linked policies affect all objects within the OU.

Explain that policies are processed in the following order:

Local policies

Site policies

Domain policies

OU policies

Point out that domains, sites, and OUs can have multiple group policies linked to them.


Explain that policies can be applied to containers and to the user and computer objects that reside in them.

Discuss the steps necessary to implement settings for an assigned GPO to a computer.

Point out that the exceptions to Group Policy processing exist to allow greater control and flexibility over the final settings.

Point out that exceptions in Group Policy include:

Enforcement

Block Policy Inheritance

Loopback Processing
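As an added example for the processing order and the three exceptions above (not part of the original lesson plan and not Microsoft code), the following Python script models how Group Policy resolves which GPOs apply to an object and in what order: Local, then Site, Domain and OU from parent to child, with a later GPO winning a conflicting setting; Block Policy Inheritance on a container discarding the non-enforced GPOs linked above it; Enforced links applied after everything else (a parent's enforced link after a child's, so the parent has the last word); and loopback processing deciding which containers supply the user settings on a given computer. The hierarchy, GPO names and settings are constructed, and the links are listed in the order they are applied, lowest precedence first.

```python
"""Group Policy processing order with the lesson's exceptions (added example).

The container hierarchy, links and settings are constructed. The rules
modelled: processing runs Local, Site, Domain, OU (parent before child), a
later GPO wins a conflicting setting, Block Policy Inheritance on a container
discards non-enforced GPOs linked above it, and Enforced links are applied
after everything else (a parent's enforced link after a child's). Loopback
processing controls which containers supply the user settings on a computer.
"""
LOCAL_GPO = "Local GPO"   # always applied first; Block Inheritance cannot remove it

# Constructed hierarchy. links are listed in application order (lowest precedence
# first). block marks Block Policy Inheritance on that container.
CONTAINERS = {
    "Site-HQ":     {"parent": None,          "links": [("Site Security Baseline", False)], "block": False},
    "example.com": {"parent": "Site-HQ",     "links": [("Default Domain Policy", True)],   "block": False},
    "OU=Sales":    {"parent": "example.com", "links": [("Sales Desktop", False)],          "block": False},
    "OU=Kiosks":   {"parent": "OU=Sales",    "links": [("Kiosk Lockdown", False)],         "block": True},
    "OU=Servers":  {"parent": "example.com", "links": [("Server Hardening", True)],        "block": False},
}

# Constructed settings per GPO; the value is what that GPO sets.
GPO_SETTINGS = {
    LOCAL_GPO:                {"Screen saver timeout": 900},
    "Site Security Baseline": {"Screen saver timeout": 600, "Interactive logon banner": "Site banner"},
    "Default Domain Policy":  {"Minimum password length": 8},
    "Sales Desktop":          {"Screen saver timeout": 1200, "Wallpaper": "sales.jpg"},
    "Kiosk Lockdown":         {"Screen saver timeout": 60, "Wallpaper": "kiosk.jpg"},
    "Server Hardening":       {"Screen saver timeout": 300},
}


def container_chain(container, containers=CONTAINERS):
    """Site, domain, OU, ... down to `container`."""
    chain, node = [], container
    while node is not None:
        chain.append(node)
        node = containers[node]["parent"]
    return chain[::-1]


def processing_order(container, containers=CONTAINERS):
    """GPOs in the order they are applied to objects in `container`; last wins."""
    chain = container_chain(container, containers)
    # The nearest Block Inheritance (searching from the leaf upward) is the one that counts.
    block_at = next((i for i in range(len(chain) - 1, -1, -1)
                     if containers[chain[i]]["block"]), None)
    normal, enforced = [LOCAL_GPO], []
    for depth, name in enumerate(chain):
        for gpo, is_enforced in containers[name]["links"]:
            if is_enforced:
                enforced.append(gpo)
            elif block_at is None or depth >= block_at:
                normal.append(gpo)
    # Enforced links apply last; the higher container's enforced link is the
    # final word, so child enforced links go before parent ones.
    return normal + enforced[::-1]


def resolve_settings(order, settings=GPO_SETTINGS):
    """Effective value and the GPO that supplied it, for every configured setting."""
    effective = {}
    for gpo in order:
        for key, value in settings.get(gpo, {}).items():
            effective[key] = (value, gpo)
    return effective


def user_settings_order(user_container, computer_container, loopback=None, containers=CONTAINERS):
    """Which GPOs supply the user settings for a logon on a given computer.

    loopback=None: the user's own containers. "merge": user GPOs first, then
    the computer's GPOs (computer-side user settings win). "replace": the
    computer's GPOs only.
    """
    user_order = processing_order(user_container, containers)
    computer_order = processing_order(computer_container, containers)
    if loopback == "replace":
        return computer_order
    if loopback == "merge":
        return user_order + computer_order
    return user_order


if __name__ == "__main__":
    for c in ("OU=Sales", "OU=Kiosks", "OU=Servers"):
        order = processing_order(c)
        print(c, order, resolve_settings(order)["Screen saver timeout"])
    print(user_settings_order("OU=Sales", "OU=Kiosks", loopback="replace"))
```

Reading the output for OU=Kiosks is the useful check: Block Policy Inheritance removes the site baseline and the Sales Desktop GPO, but the enforced Default Domain Policy still lands, and lands last, which is exactly the behaviour the quiz's question 4 turns on. The resolved settings also record which GPO supplied each value, the same information Resultant Set of Policy reports.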

Lesson Quiz

True/False

1. Security group filtering allows administrators to apply Group Policy settings to one or more security groups within a container.

2. By default, settings in a local GPO will override settings from nonlocal GPOs.

3. The Group Policy Management Console divides Group Policy settings into two subcategories: Computer Configuration and User Configuration.

4. Group Policy Objects that are linked at the domain level must also be linked at the OU level if you would like the GP setting to affect objects contained in the OU.

5. Group policy settings are applied to a computer on startup in an asynchronous manner.

Multiple Choice

1. Group Policy settings can be linked to which three of the following?

a) Site

b) Group

c) Organizational Unit

d) Domain

2. Which three of the following are valid types of Group Policy Objects?

a) Starter GPO

b) Local GPO

c) Universal GPO

d) Domain GPO


3. Which two of the following default Group Policy objects are created when Active Directory is installed?

a) Default Computer Policy

b) Default User Policy

c) Default Domain Policy

d) Default Domain Controller Policy

4. Which of the following are valid exception configuration settings for Group Policy processing?

a) Apply all

b) Block Policy Inheritance

c) Loopback Processing

d) Enforce

5. Which Windows Server 2008 Group Policy feature allows administrators to automatically install an operating system to a workstation?

a) Software Installation Services

b) Windows Deployment Services

c) RIS

d) GHOST

Quiz Answers

True/False

1. True.

2. False. Nonlocal GPO settings are domain settings, and override local GPO settings.

3. True.

4. False. Group Policy settings linked at the domain level will affect all objects within the domain, including objects located in an OU.

5. False. Group Policy settings are applied to a computer synchronously at startup.

Multiple Choice

1. A, C, D

2. A, B, D

3. C, D

4. B, C, D

5. B


Class Projects

Lesson 7—Exercise 1

List and explain eight managed settings that can be defined using Group Policy.

List and explain the three sub-nodes that are available for configuration under the user configuration and computer configuration areas of the Group Policy Management Console.

Lesson 7—Project 1

Explain in what order GPOs are applied. How are conflicting settings handled?

Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers—Password Replication Policies

Show the class the information in this video and explain that the video takes a look at the password replication policies that are used to control credentials stored on RODCs.

Securing Branch Office User Accounts

Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal.


Lesson 8: Configuring Users and Groups using Group Policy

Learning Goals

The goal of this lesson is to explain how configuring Group Policy Objects is necessary for maintaining and securing the user and computer environments. Point out that students will learn more about using group policies to manage the use of computers and control users.

Learning Objectives

Upon completion of this lesson, students will be able to understand:

Configuring security policies with Group Policy

Planning and configuring other policies

Lesson Introduction

Explain that Microsoft Windows Server 2008 Active Directory uses Group Policy to control settings across the network as well as controlling users and computers on the network. Students will learn to control environments using account policies and audit policies.

Configuring Security Policies Using Group Policy

Instructors should do the following:

Explain that Group Policy is used for centralized management of security settings.

Point out that security settings govern:

How users and computers are authenticated to the network

How resources are allocated

Group membership policies

How user and group activities are recorded in event logs

Point out that the security settings applied in the policies node include public key policies and software restriction policies.

Explain that account policies dictate how a user interacts with a computer or a domain.

Explain that fine-grained password policies (FGPP) can be used to override the domain-wide policy and can be applied to multiple users and computers or groups.


Point out that the three subcategories found within account policies for security settings are:

Password policies

Account lockout policies

Kerberos policies

Demonstrate how to define a domain-wide account policy using Group Policy Management Console.

Demonstrate how to configure a domain-wide account lockout policy using Group Policy Management Console.

Point out that in order to enable FGPP, the Password Settings Object (PSO) must be configured.

Explain that one or more PSOs may be created within a domain.

Explain that in domain accounts, the Kerberos policy allows settings to be configured for Active Directory authentication functions.

Point out that Kerberos is the default mechanism for authenticating domain users in Windows Server 2008.

Demonstrate how to configure the Kerberos policy using Group Policy Management Console.
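As an added example serving two passages, the strong-password characteristics in Lesson 6 and the fine-grained password policies (PSOs) in this lesson, the following Python script resolves which policy governs a given user and then checks a candidate password against it. It is not code from the lesson plan or from Windows. The resolution it models is the one Windows Server 2008 applies: a PSO linked directly to the user wins over one linked through a group, among PSOs at the same level the lowest msDS-PasswordSettingsPrecedence value wins, and with no applicable PSO the domain-wide policy applies. The policies, PSOs and group memberships are constructed, and the "differs significantly from previous passwords" check is an approximation assumed for this example.

```python
"""Effective password policy resolution and strong-password checking (added example).

Policies, PSOs and group memberships are constructed; nothing is read from a
domain. Resolution order modelled: PSO linked to the user beats PSO linked to
a group; among those, the lowest precedence value wins; otherwise the
domain-wide policy applies.
"""
import re

# Domain-wide policy (constructed to match the lesson's eight-character minimum).
DOMAIN_POLICY = {"name": "Default Domain Policy", "min_length": 8,
                 "complexity": True, "history": 5}

# Constructed PSOs. applies_to holds the users and groups each PSO is linked to;
# precedence is the msDS-PasswordSettingsPrecedence value (lower wins).
PSOS = [
    {"name": "PSO-ServiceAccounts", "precedence": 20, "min_length": 20,
     "complexity": True, "history": 24, "applies_to": {"GG-ServiceAccounts"}},
    {"name": "PSO-Admins", "precedence": 10, "min_length": 15,
     "complexity": True, "history": 24, "applies_to": {"GG-DomainAdmins"}},
    {"name": "PSO-Contractors", "precedence": 30, "min_length": 12,
     "complexity": True, "history": 10, "applies_to": {"carol"}},
]

# Constructed group membership, already expanded through any nesting.
USER_GROUPS = {
    "alice": {"GG-Sales"},
    "bob": {"GG-DomainAdmins", "GG-ServiceAccounts"},
    "carol": {"GG-ServiceAccounts"},
}


def effective_policy(user, psos=PSOS, user_groups=USER_GROUPS, default=DOMAIN_POLICY):
    """Pick the PSO that governs `user`, or the domain policy if none applies."""
    direct = [p for p in psos if user in p["applies_to"]]
    via_group = [p for p in psos if p["applies_to"] & user_groups.get(user, set())]
    candidates = direct or via_group          # direct links take priority
    if not candidates:
        return default
    return min(candidates, key=lambda p: p["precedence"])


def check_password(candidate, policy, previous=(), username=""):
    """Return the list of rule violations; an empty list means acceptable.

    Complexity follows the lesson's list: at least one uppercase letter, one
    lowercase letter, one numeral and one non-alphanumeric character, and the
    user name must not appear in the password. "Differs significantly from
    previous passwords" is approximated (an assumption of this example) by
    comparing the letters-only stem with the stems of remembered passwords.
    """
    def stem(s):
        return re.sub(r"[^a-z]", "", s.lower())

    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["complexity"]:
        required = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]",
                    "digit": r"[0-9]", "non-alphanumeric": r"[^A-Za-z0-9]"}
        for label, pattern in required.items():
            if not re.search(pattern, candidate):
                problems.append(f"no {label} character")
        if username and username.lower() in candidate.lower():
            problems.append("contains the user name")
    remembered = list(previous)[:policy["history"]]   # history length is enforced here
    if candidate in remembered:
        problems.append("reused from password history")
    elif stem(candidate) in {stem(p) for p in remembered}:
        problems.append("too similar to a remembered password")
    return problems


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        policy = effective_policy(user)
        print(user, "->", policy["name"], check_password("Summer2008!", policy, username=user))
```

Note that carol ends up under PSO-Contractors even though PSO-ServiceAccounts, linked to one of her groups, has the lower precedence value: the direct link is considered first. That is the case to walk through with students, because it is the one that surprises administrators when they inspect the resultant PSO on an account.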

Planning and Configuring Other Policies

Instructors should do the following:

Explain that local policies allow administrators to set user privileges on the local computer that govern what users can do on that computer.

Explain that auditing allows administrators to track events that take place on a local computer and is an important part of monitoring and managing activities.

Point out that local policy settings in GPOs have three subcategories:

User rights assignment

Security options

Audit policy

Explain that user rights assignment is extensive and includes settings for items that pertain to rights needed by users to perform system-related tasks.

Explain that the security options category includes security settings related to interactive logon, digital signing of data, restrictions of access to some storage devices, unsigned driver installation behavior, and logon dialog box behavior.

Discuss that an audit policy allows administrators to log both successful and failed security events.


Explain that auditing is used to track user activities and system activities.

Point out the following guidelines to help in planning an audit policy:

Audit only pertinent items

Archive security logs to provide a documented history

Configure the size of your security logs carefully

Explain that security logs can be configured to monitor the following:

System errors

Policy change events

Account management events

Logon events

Account logon events
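As an added example that is not from the lesson plan, this PowerShell script reads the events the audit policy above produces on a Windows Server 2008 domain controller and summarises failed logons per account, so the class can see what the logon and account logon categories actually record. It assumes an elevated session on the DC; the event IDs are the standard Security log IDs, and the Get-EventDataValue and Get-FailedLogonSummary function names are ours.

```powershell
# Added example, not from the lesson plan. Summarise failed logon activity
# recorded in the Security log once Audit Logon Events, Audit Account Logon
# Events and Audit Account Management are enabled on a domain controller.
# Event IDs used (standard Windows Server 2008 Security log IDs):
#   4625  logon event: an account failed to log on (logged where the attempt was made)
#   4771  account logon event: Kerberos pre-authentication failed (logged on the DC)
#   4740  account management event: a user account was locked out

function Get-EventDataValue {
    # Read one named EventData field through the event's XML form, which avoids
    # depending on positional Properties[] indexes that differ per event ID.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return $node.'#text' }
    return $null
}

function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,                          # how far back to look
        [int]$Threshold = 5,                       # report accounts with at least this many failures
        [string]$ComputerName = $env:COMPUTERNAME  # the DC whose Security log is read
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625, 4771, 4740
        StartTime = $since
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No matching events in the last $Hours hours on $ComputerName; verify that the audit policy has applied (gpresult /r) and that the Security log has not been cleared."
        return
    }

    $failures = $events | Where-Object { $_.Id -eq 4625 -or $_.Id -eq 4771 }
    $lockouts = $events | Where-Object { $_.Id -eq 4740 }
    # Accounts that the lockout policy has already locked during the window.
    $lockedAccounts = $lockouts | ForEach-Object { Get-EventDataValue -Event $_ -Name 'TargetUserName' }

    $failures |
        Group-Object { Get-EventDataValue -Event $_ -Name 'TargetUserName' } |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $account = $_.Name
            $group   = $_.Group
            $sources = $group |
                ForEach-Object { Get-EventDataValue -Event $_ -Name 'IpAddress' } |
                Sort-Object -Unique
            $ordered = $group | Sort-Object TimeCreated
            New-Object PSObject -Property @{
                Account   = $account
                Failures  = $group.Count
                FirstSeen = ($ordered | Select-Object -First 1).TimeCreated
                LastSeen  = ($ordered | Select-Object -Last 1).TimeCreated
                LockedOut = [bool]($lockedAccounts -contains $account)
                Sources   = ($sources -join ', ')
            }
        } |
        Sort-Object Failures -Descending
}

# Typical use on the DC: accounts with five or more failures in the last day,
# to compare against the threshold set in the account lockout policy.
Get-FailedLogonSummary -Hours 24 -Threshold 5 |
    Format-Table Account, Failures, LockedOut, FirstSeen, LastSeen, Sources -AutoSize
```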

Point out that configuring objects for auditing is necessary when either Audit Directory Service Access or Audit Object Access has been configured.

Demonstrate how to configure an audit policy using Group Policy Management Console.

Demonstrate how to configure an Active Directory object for auditing using the Active Directory Users and Computers Snap-in.

Demonstrate how to configure files and folders for auditing using Windows Explorer properties.

Point out that customizing event log policies allows administrators to configure settings that control each log.

Demonstrate how to customize event log policies using the Administrative Tools Event Viewer window.

Explain that restricted group settings allow the administrator to specify the group membership list.

Explain that the system services category is used to configure the startup and security settings for services running on a computer.

Explain that folder redirection is applied to a group policy folder that is located within the User Configuration node of a Group Policy.

Demonstrate how to configure folder restrictions by creating a Group Policy Object.

Explain that configuring offline files is a separate Group Policy category that can allow files to be available to users even when not connected to the Internet.

Explain that disk quotas are set to limit the amount of space available on a server for user data.


Demonstrate how to configure disk quotas through the local disk properties.

Demonstrate how to configure disk quotas using Group Policy.

Point out that the following are types of refresh policies:

Computer configuration Group Policy refresh interval

Domain controllers Group Policy refresh interval

User configuration Group Policy refresh interval

Explain that manually refreshing Group Policy is used when modified settings need to be applied immediately.

Demonstrate how to optimize Group Policy processing using the Group Policy Management Console.

Lesson Quiz True/False

1. In Windows Server 2008, only a single password policy can be set at the domain level.

2. Audit policies can be configured under local policies to control settings for the Event Log on a computer.

3. Restricted groups can be used to remove users from groups to which they were added using Active Directory Users and Computers.

4. Group Policy can be configured to make user files stored on a network share available when the network connection is down by configuring the File Caching Group Policy option.

5. Windows Server 2008 supports Disk Quota configuration on the NTFS and FAT file systems.

Multiple Choice

1. Which of the following are the three Account Policy subcategory configuration options?

a) Password policies

b) Account lockout policies

c) Kerberos policies

d) Account security policies

2. To monitor successful logon attempts to a domain controller, you should configure Group Policy to manage which type of events?

a) System events

b) Domain logon events

c) Account logon events

d) Logon events


3. System Services can be configured with all of the following startup options except:

a) Enabled

b) Automatic

c) Manual

d) Disabled

4. Folder redirection can be used to redirect the contents of a folder to a network location using group policy. What are the three configuration options for folder redirections?

a) Basic—Redirect Everyone’s folder to the same location

b) Advanced—Specify location for various users

c) Advanced—Specify location for various user groups

d) Not Configured

5. Domain Controller Group Policy settings will refresh by default every ________ minutes.

a) 90

b) 5

c) 2

d) 15

Quiz Answers True/False

1. False. Windows Server 2008 supports fine-grained password policies, allowing multiple password policies in a single domain.

2. True.

3. True.

4. False. You would need to configure the Offline Files Group Policy settings.

5. False. Disk Quota configuration supports the NTFS file system only.

Multiple Choice

1. A, B, C

2. D

3. D

4. B, C, D

5. C


Class Projects Lesson 8—Exercise 1

List and explain the options available for configuring disk quotas using Group Policy.

Lesson 8—Project 1

Explain what settings can be configured under the Account Policy Settings area. How do these options differ from the settings that were available in Windows Server 2003?

Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers—Password Replication Policies Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). This video takes a look at the password replication policies that are used to control credentials stored on RODCs.

Length: 4:58

Securing Branch Office User Accounts Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal.

Length: 12:08


Lesson 9: Software Installation with Group Policy

Learning Goals The goal of this lesson is to explain the process of installing software using Group Policy.

Learning Objectives Upon completion of this lesson, students will be able to:

Manage software with Group Policy

Customize software installation using Group Policy

Lesson Introduction Explain that Microsoft Windows Server 2008 Active Directory can use Group Policy to perform software installations. This procedure includes the ability to create software restriction policies and run application installations from a user computer.

Managing Software with Group Policy

Instructors should do the following:

Explain that Group Policy can be used to install, upgrade, patch, or remove software applications at computer startup.

Point out that software that is deemed out of date is a part of the software life cycle.

Explain that there are four phases of the software life cycle:

Planning

Implementation

Maintenance

Removal

Point out that the Windows Installer uses Group Policy to install and manage software that is packaged as an .msi file.

Explain that patch files are used to apply service packs and hotfixes to installed software through Group Policy.

Explain that repackaging some software packages is necessary if the software does not provide .msi support. This enables the administrator to take advantage of the Windows Installer Technology.


Point out that a third-party package-creation application may be used to repackage software for use with Windows Installer.

Explain that a .zap file may be created when a repackaging option is not available and a Windows Installer file is not available.

Point out that .zap files are created in a text editor and function similarly to an .ini file.

Explain that prior to deploying software using Group Policy, a distribution share must be created.

Point out that the distribution share creates a shared folder location where users can download the software from a network location.

Explain that a GPO must be created to include software installation and then determine if the Assign or Publish option will be used.

Point out that when an application is designated for a specific user, it is advertised on the user’s Start Menu.

Explain that publishing an application is available only under the User Configuration\Policies\Software Settings\Software Installation extension.

Demonstrate how to configure software installation defaults using the Group Policy Management Editor window.

Demonstrate how to create a new software installation package using the Group Policy Management Editor window.

Customizing Software Installation

Instructors should do the following:

Explain that using the Windows Installer Package properties window enables the administrator to customize the settings associated with the installation package.

Point out that the General tab of the Properties window allows the administrator to change the default name of the package.

Point out that the Deployment tab of the Properties window allows the administrator to change the deployment type, deployment options, and installation user interface options.

Demonstrate how to access the Properties windows of the Windows Installer Package.

Explain that allowing users to choose applications that they prefer provides a level of control over their working environment.


Explain that configuring software restriction policies prevents potentially harmful applications from running.

Point out that the basic strategies for enforcing restrictions are:

Unrestricted

Disallowed

Basic User

Demonstrate how to modify the default security level using the Group Policy Management Editor window.

Explain that configuring software restriction rules enables conditions to be specified by which application programs can be executed or denied.

Point out that the four types of software restriction rules are:

Hash rule

Certificate rule

Path rule

Network zone rule

Demonstrate how to access the window to configure enforcement properties.

Demonstrate how to access the window to configure designated file types properties.

Demonstrate how to access the window to configure trusted publishers properties.

Lesson Quiz True/False

1. Windows Server 2008 Software Installation Policies can be used to install only application packages with an .msi file extension.

2. The distribution point for a Software Installation Policy must be located in the same domain as the users or computers that the policy will apply to.

3. Choosing to publish an application will allow users to install an application if needed.

4. Software Installation Policies can be used to uninstall applications as well as install applications.

5. The default setting for Software Restriction Policies is Disallow.


Multiple Choice

1. When configuring Software Installation Policies to automatically install an application at startup, the administrator should choose to ______________ the application to the computer.

a) Assign

b) Enforce

c) Publish

d) Automate

2. When an application is published to a user, the user can install the application by _________________________ (choose two).

a) No interaction is required; the application will be installed at logon

b) No interaction is required; the application will be installed at startup

c) Selecting the application from the Start Menu

d) Clicking on a file with an extension that requires a published application

3. Which three of the following are security levels available when using a Software Restriction Policy?

a) Basic User

b) Unrestricted

c) Disallowed

d) Answer Choice

4. Software Restriction Policy rules can be configured to use which of the following when determining what applications are allowed to run on the network? Choose all that apply.

a) Hash Rule

b) Path Rule

c) Certificate Rule

d) Network Zone Rule

5. You are attempting to create a Software Installation policy, but an .msi installer package is not available. What other type of install file can be used?

a) .xls

b) .txt

c) .zap

d) .exe


Quiz Answers True/False

1. True.

2. False. The distribution point can be located in the same domain or forest, but can also be located in another forest as long as a two-way forest trust exists.

3. True.

4. True.

5. False. The default setting is unrestricted.

Multiple Choice

1. A

2. C, D

3. A, B, C

4. A, B, C, D

5. C

Class Projects Lesson 9—Exercise 1

Explain the four phases of the software life cycle.

Lesson 9—Project 1

Explain how software installation policies and software restriction policies should be used in a Windows Server 2008 environment.

Explain the four types of rules that can be established when using software restriction policies.


Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers—Password Replication Policies Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). This video takes a look at the password replication policies that are used to control credentials stored on RODCs.

Length: 4:58.

Securing Branch Office User Accounts Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal.

Length: 12:08


Lesson 10: Planning a Group Policy Management and Implementation Policy

Learning Goals The goal of this lesson is to explain the process of planning and implementing Group Policy management within Active Directory.

Learning Objectives Upon completion of this lesson, students will be able to understand:

Management of Group Policy

Customizing other Group Policy settings

Lesson Introduction Explain that Microsoft Windows Server 2008 Active Directory manages Group Policy through a Group Policy Management Console. The console allows for unified management across the organization and “what-if” scenarios for planning potential environment changes.

Management of Group Policy

Instructors should do the following:

Explain that the Group Policy Management Snap-in is a tool for managing Windows Server 2008 and offers a single point of administration for Group Policy.

Point out that Group Policy Management includes the following functionality:

Importing and copying GPO settings to and from the file system

Backup and restoration of GPOs, available in Group Policy Management

Resultant Set of Policy

Hypertext Markup Language (HTML) reporting

Search for GPOs

Search for individual settings

GPMC is natively installed with Windows Server 2008


Demonstrate how to view the Group Policy Management MMC Snap-in.

Point out that GPM allows administrators to create and modify policies from the container on which they are linked.

Point out that the following features are available on each tab of the GPO:

Scope Details Settings Delegation

Demonstrate how to view the scope of a Group Policy Object.

Demonstrate how to configure a starter GPO using Group Policy Management MMC console.

Customizing Other Group Policy Settings

Instructors should do the following:

Explain that Group Policy settings will be applied to child objects within the domain.

Point out that Blocking Group Policy Inheritance can be used to prevent policy settings from applying to child objects.

Explain that Group Policy Filtering refines the GPO to include or exclude certain users, groups, and computers.

Explain that the two options for preventing restrictive policies from applying to administrators are:

Remove the ACE for the Authenticated Users group that grants the Read and Apply Group Policy permissions.

Set the Apply Group Policy ACE to Deny for the specific groups that you want to exclude from the Group Policy.

Demonstrate how to configure security group filtering using the Group Policy Management MMC Snap-in.

Explain that Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information to the enterprise environment.

Demonstrate how to configure WMI filtering using the Group Policy Management MMC Snap-in.

Explain that Resultant Set of Policy (RSoP) is the sum of policies applied to a user and computer after all files, security group permissions, and inheritance settings have finished processing.


Point out that the RSoP wizard assists administrators in determining the effects of policies on users and computers.

Explain that the planning mode of RSoP allows administrators to simulate the effect of policy settings prior to implementation.

Explain that the logging mode of RSoP allows administrators to query existing policies in the hierarchy that are linked to sites, domains, domain controllers, and OUs.

Demonstrate the use of the Resultant Set of Policy wizard.

Explain that Group Policy Modeling is used to simulate the effect of policy on the user environment.

Demonstrate how to create a Group Policy Modeling query using Administrative Tools.

Point out that Group Policy Results is equivalent to the Logging mode within the RSoP MMC Snap-in.

Demonstrate how to create a Group Policy Results query in Administrative Tools.

Explain that GPResult is a command-line tool that allows you to create and display an RSoP query from the command line.
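An added example, not from the lesson plan, that runs GPResult in logging mode and lists which GPOs applied to the computer and which were kept out by security group filtering or a WMI filter, so the class can compare the result with the GPMC Scope tab. It assumes gpresult.exe's /x XML export (Windows Server 2008 and later) and the element names we expect in that report (GPO, Name, Enabled, FilterAllowed, AccessDenied, Link/SOMPath, SecurityFilter, FilterName); the Get-RsopGpoStatus function is ours.

```powershell
# Added example, not from the lesson plan. Export the RSoP logging-mode data
# with gpresult /x and report each GPO's effective status. Run elevated for
# the Computer scope. Element names below are assumptions about the RSoP XML
# produced by gpresult on Windows Server 2008.

function Get-RsopGpoStatus {
    param(
        [ValidateSet('Computer', 'User')][string]$Scope = 'Computer',
        [string]$ReportPath = (Join-Path $env:TEMP 'rsop.xml')
    )
    $scopeArg = $Scope.ToLower()
    # /x writes the report as XML; /f overwrites an existing file.
    & gpresult.exe /scope $scopeArg /x $ReportPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }

    [xml]$rsop = Get-Content -Path $ReportPath
    $results = if ($Scope -eq 'Computer') { $rsop.Rsop.ComputerResults } else { $rsop.Rsop.UserResults }

    foreach ($gpo in @($results.GPO)) {
        if (-not $gpo) { continue }
        # Order matters: a disabled GPO never reaches the filtering checks.
        $status = 'Applied'
        if ($gpo.Enabled -eq 'false')           { $status = 'GPO disabled' }
        elseif ($gpo.AccessDenied -eq 'true')   { $status = 'Denied by security filtering' }
        elseif ($gpo.FilterAllowed -eq 'false') { $status = 'Excluded by WMI filter' }

        New-Object PSObject -Property @{
            Name           = $gpo.Name
            Status         = $status
            LinkedAt       = (@($gpo.Link) | ForEach-Object { $_.SOMPath }) -join '; '
            SecurityFilter = (@($gpo.SecurityFilter) -join '; ')
            WmiFilter      = $gpo.FilterName
        }
    }
}

# Typical use: show which GPOs a filtered administrator account really receives.
Get-RsopGpoStatus -Scope Computer |
    Format-Table Name, Status, LinkedAt, SecurityFilter, WmiFilter -AutoSize
```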

Lesson Quiz True/False

1. As with Windows Server 2003, the Group Policy Management Console is an add-on snap-in that must be downloaded and installed from the Microsoft website.

2. WMI Filtering can be used to control the application of GPOs based on criteria such as disk space or processor capabilities.

3. The Resultant Set of Policies provides administrators with the tools to simulate the effect of GPO settings before actually applying the settings in production.

4. The Group Policy Modeling feature in the Group Policy Management Console produces results similar to running the RSoP Snap-in in planning mode.

5. A WMI filter can be linked to only one GPO.


Multiple Choice

1. When viewing an individual GPO using the Group Policy Management Console, which tab would display the status, such as Enabled?

a) Details

b) Scope

c) Settings

d) Delegation

2. Which two filtering options allow administrators to control the application of GPOs?

a) Organizational unit filtering

b) Computer and user filtering

c) Security group filtering

d) WMI filtering

3. Which two tools can be used to display the net effect of all group policies assigned to a user or computer?

a) Resultant Set of Policy Wizard

b) Net Effect Wizard

c) Group Policy Wizard

d) GP Result

4. Which Resultant Set of Policies mode is useful for understanding the effect of combined policies on users and computers?

a) Planning Mode

b) Results Mode

c) GPResults Mode

d) Logging Mode

5. Which command line tool provides the ability to create a Resultant Set of Policy query?

a) GPResult.exe

b) GPupdate.exe

c) GPdisplay.exe

d) RSoP.exe


Quiz Answers True/False

1. False. GPMC is natively installed in Windows Server 2008.

2. True.

3. True.

4. True.

5. False. WMI filters can be linked to multiple GPOs.

Multiple Choice

1. B

2. C, D

3. A, D

4. D

5. A

Class Projects Lesson 10—Exercise 1

Explain the functions that can be performed using the Group Policy Management Console.

Lesson 10—Project 1

As an Active Directory administrator, one of your jobs is to simplify the application of internal IT policies to users and computers. Explain how this can be accomplished using the following: Group Policy, inheritance of GPO settings, blocking of inheritance of GPO

Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers—Password Replication Policies

Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). In this video Mark Wilson takes a look at the password replication policies that are used to control credentials stored on RODCs.

Length: 4:58.


Securing Branch Office User Accounts

Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal.

Length: 12:08


Lesson 11: Active Directory Maintenance, Troubleshooting, and Disaster Recovery

Learning Goals The goal of this lesson is to explain the processes and tools used to monitor, troubleshoot, and maintain Active Directory.

Learning Objectives Upon completion of this lesson, students will understand:

Management of Group Policy

Restoring Active Directory

Monitoring Active Directory

Troubleshooting Active Directory

Lesson Introduction Explain that Microsoft Windows Server 2008 Active Directory requires that the network administrator be able to monitor, troubleshoot, back up, and restore Active Directory Domain Services. Students will learn the vital importance of monitoring and troubleshooting Active Directory to ensure reliability.

Maintaining Active Directory

Instructors should do the following:

Explain that maintenance and monitoring procedures for Active Directory ensure that the system runs smoothly.

Point out that the Active Directory database is based on the Extensible Storage Engine (ESE) format.

Point out that the ESE format is responsible for managing changes to the Active Directory Database.

Point out that requests for creation or modification of database objects are made through the following process:

Active Directory writes a transaction to the transaction buffer.

Active Directory writes the transaction to the transaction log.

Active Directory writes the transaction from the transaction buffer to the ntds.dit database.

Active Directory compares the database with the change to the edbx.log file.

Active Directory updates the edb.chk checkpoint file.


Point out that modifications and changes can affect database performance and data integrity.

Explain that fragmentation may occur to the data, which causes data to be divided into pieces in various locations on the disk.

Explain that defragmentation is the process of rearranging fragmented data and placing it in a more efficient location on the disk.

Point out that online defragmentation is an automatic process that occurs during the garbage collection process, which removes all tombstones from the database.

Explain that offline defragmentation is a manual process of defragmenting the Active Directory database in addition to reducing its size.

Demonstrate how to perform an offline defragmentation using your Directory Services Restore Mode password.

Demonstrate how to move the Active Directory Database and Log Files using your Directory Services Restore Mode password.

Explain that backing up Active Directory is essential to ensure that data and operating system information is backed up in the event of failure.

Point out that in order to back up Active Directory, Windows Server Backup must be installed from the Server Manager Console.

Point out that a backup may also be performed from the command line using Windows PowerShell.

Explain that Windows Server 2008 permits manual backups or scheduled backups to be performed.

Point out that the critical volumes in Active Directory should be backed up rather than only backing up system state data.

Demonstrate how to perform a manual Active Directory Backup by logging in to the Domain Controller.

Demonstrate how to configure scheduled Active Directory Backups by logging in to the Domain Controller.

Point out that Windows Server 2008 provides the ability to restore the Active Directory database.


Restoring Active Directory

Instructors should do the following:

Point out that Windows Server 2008 provides the ability to restore the Active Directory database.

Explain that Active Directory replication provides fault tolerance in the event of a hardware or software failure.

Explain that Windows Server 2008 provides several restorative methods for Active Directory.

Point out that wbadmin is a command line component to perform a non-authoritative restore in Active Directory.

Point out that the Ntdsutil command line utility performs an authoritative restore.

Explain that an authoritative restore will be necessary if an object or container within Active Directory is inadvertently deleted and needs to be restored.

Demonstrate how to perform an authoritative restore at the command prompt window.

Monitoring Active Directory

Instructors should do the following:

Explain that monitoring Active Directory is an essential task in network administration.

Point out that adequate monitoring of Active Directory provides the following benefits:

Early alerts to potential problems

Improved system reliability

Fewer support calls to the helpdesk

Improved system performance

Explain that the Windows Event Viewer records all system events for security, application, and directory service logs.

Demonstrate how to view the Directory Services Event Log.

Explain that the Reliability and Performance Monitor tool allows the administrator to collect real-time information for which permissions are granted.

Point out that performance objects contain performance counters associated with the category that the administrator monitors.

Demonstrate how to use the reliability and performance monitor found in Administrative Tools.


Troubleshooting Active Directory

Instructors should do the following:

Explain that monitoring Active Directory is an essential task in network administration.

Point out that configuring Active Directory diagnostic event logging requires that the administrator be able to edit the registry.

Point out that the following values indicate the level of logging that will occur for Active Directory:

0 (None): Critical events and error events.

1 (Minimal): Very high level events.

2 (Basic): Slightly more detailed information than the lowest level.

3 (Extensive): More detailed information than the lowest level, like steps performed to complete a task.

4 (Verbose): More detailed than the previous reports and narrowed to the problem or a specific service.

5 (Internal): Logs all events, including debug strings and configuration changes.
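An added example, not part of the lesson plan, that reads and sets these logging levels from PowerShell with the 0 to 5 range enforced, and reports any category left above the default so that verbose logging is not forgotten after troubleshooting. It assumes the diagnostics values live under HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics and uses '5 Replication Events' as the category name; the function names are ours.

```powershell
# Added example, not from the lesson plan. Inspect and change the Active
# Directory diagnostic logging levels (0-5 as listed above) and restore them
# afterwards, since anything above 0 quickly fills the Directory Service log.
# Assumed registry location and category value name:
#   HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
#   '5 Replication Events'  (one DWORD value per category under that key)

$DiagnosticsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-AdDiagnosticLevels {
    # One object per category; a level above 0 means extra logging is switched on.
    $item = Get-ItemProperty -Path $DiagnosticsKey
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop the provider's PSPath etc.
        ForEach-Object {
            New-Object PSObject -Property @{ Category = $_.Name; Level = [int]$_.Value }
        }
}

function Set-AdDiagnosticLevel {
    param(
        [Parameter(Mandatory = $true)][string]$Category,
        [Parameter(Mandatory = $true)][ValidateRange(0, 5)][int]$Level   # the six levels the lesson lists
    )
    if (-not (Get-ItemProperty -Path $DiagnosticsKey -Name $Category -ErrorAction SilentlyContinue)) {
        throw "Unknown diagnostics category '$Category'; run Get-AdDiagnosticLevels to list them."
    }
    Set-ItemProperty -Path $DiagnosticsKey -Name $Category -Value $Level -Type DWord
}

function Find-AdDiagnosticDrift {
    # Categories left above the default of 0, e.g. forgotten after troubleshooting.
    Get-AdDiagnosticLevels | Where-Object { $_.Level -gt 0 }
}

# Typical use: raise one category to 3 (Extensive) while reproducing a
# replication problem, then put it back and confirm nothing else is elevated.
$category = '5 Replication Events'
$previous = (Get-AdDiagnosticLevels | Where-Object { $_.Category -eq $category }).Level
Set-AdDiagnosticLevel -Category $category -Level 3
# ... reproduce the problem and review the Directory Service log in Event Viewer ...
Set-AdDiagnosticLevel -Category $category -Level $previous
Find-AdDiagnosticDrift | Format-Table Category, Level -AutoSize
```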

Lesson Quiz True/False

1. Online defragmentation runs every 12 hours by default on all domain controllers as a part of the garbage collection process.

2. Performing an offline defragmentation of a domain controller running Windows Server 2008 requires that you restart the server and boot to the Directory Services Restore mode.

3. Windows Server supports two types of backups: Manual Backups and Scheduled Backups.

4. A non-authoritative restore can be used to recover a deleted item after replication has deleted the item from all other domain controllers.

5. Dcdiag is a command line tool that can be used to examine the state of domain controllers as well as troubleshooting Domain Controller issues.


Multiple Choice

1. What two features must be installed to enable the ability to perform Active Directory backups from the command line?
a) Windows PowerShell
b) Backup Exec
c) ADBackup
d) Windows Server Backup

2. What should you do on a Windows Server 2008 Domain Controller to ensure that you are backing up system state data?
a) Choose System State on the backup options
b) Choose Backup AD System State on the backup options
c) Choose critical volumes on the backup options
d) Nothing, system state data is backed up by default

3. Which command line tool can be used to perform an authoritative restore of Active Directory?
a) Wbadmin
b) Ntdsutil
c) Windows Backup
d) Windows PowerShell

4. Which two of the following Windows Server 2008 tools can be used to monitor the health of Active Directory?
a) Event Viewer
b) Reliability and Performance Monitor
c) Memory Diagnostic Tools
d) Component Services

5. Which command line tool can be used to verify replication consistency between replication partners?
a) Dcdiag
b) Netdom
c) Repadmin
d) Dsacls


Quiz Answers

True/False

1. True.
2. False. Windows Server 2008 offers the feature of Restartable Active Directory Domain Services that can be used to stop the Active Directory Service. DSRM can also be used, but it is no longer a requirement.
3. True.
4. False. Recovering a deleted item after replication would require an Authoritative Restore.
5. True.

Multiple Choice

1. A, D
2. C
3. B
4. A, B
5. C

Class Projects

Lesson 11—Exercise 1

Explain what is backed up when you choose to back up critical volumes using Windows Backup. Why is it important to back up the critical volumes on Domain Controllers?

Lesson 11—Project 1

Explain the differences between an Authoritative Restore and a Non-Authoritative Restore. Give examples of when each would be appropriately used.

Explain what tools can be used from a command line to perform an authoritative and non-authoritative restore of Active Directory.


Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers—Password Replication Policies

Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). This video takes a look at the password replication policies that are used to control credentials stored on RODCs.

Length: 4:58

Securing Branch Office User Accounts

Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal.

Length: 12:08


Lesson 12: Configuring Name Resolution and Additional Services

Learning Goals

The goal of this lesson is to provide students with in-depth knowledge of Domain Name Server (DNS) name resolution.

Learning Objectives

Upon completion of this lesson, students will understand:

DNS name resolution
Configuring additional services

Lesson Introduction

Explain that Microsoft Windows Server 2008 Active Directory uses DNS for name resolution and that this tool is used for deployment and administration of a functional Active Directory infrastructure. Students will learn about DNS Zones and deploy additional services within the Active Directory environment.

DNS Name Resolution

Instructors should do the following:

Explain that name resolution is an essential function on all Transmission Control Protocol/Internet Protocol (TCP/IP) networks.

Point out that the network administrator will determine computer names at the time that the network is set up.

Explain that DNS is the name resolution mechanism computers use for all Internet communication and is primarily used in Active Directory.

Point out that one method of resolving names is to use a host file.

Explain that the host table in the host file consists of the IP address, host name, and comments.

Discuss how DNS maintains an extensive list of IP addresses and hosts through a distributed database.

Point out that DNS consists of the following three elements:

DNS namespace
Name servers
Resolvers


Explain that the DNS name resolution process consists of a resolver submitting a name resolution request to its designated DNS server.

Explain that a DNS domain is an administrative entity that consists of a group of hosts, usually a combination of computers, routers, printers, and other TCP/IP-enabled devices.

Point out that the following are DNS configuration items:

Resource records
Start of Authority (SOA)
Name Server (NS)
Host (A)
Host (AAAA)
Canonical Name (CNAME)
Host Information (HINFO)
Mail Exchanger (MX)
Pointer (PTR)
Service Record (SRV)

Explain that the hierarchy levels of the DNS domain namespace make it possible to locate an authoritative source for any domain name.

Point out that root name servers are at the top of the domain hierarchy.

Explain that other top-level domains include:

Com
Net
Org
Edu
Mil
Gov
Int
Biz

Explain that to create authoritative sources for your Internet domain, the administrator can deploy the organization's own DNS servers.

Discuss the process of DNS name resolution on the Internet.

Point out that caching is a process that can speed up the DNS name resolution process.

Explain that a referral is the process where one DNS server sends a name resolution request to another DNS server.

Explain that the two types of name resolution requests are recursive query and iterative query.

Discuss the process of name resolution.

Explain that reverse name resolution is the process of converting an IP address into a DNS name.
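As an added demonstration for the name resolution discussion (not part of the IT Academy lesson plan), the following PowerShell lets students see a hosts file, a recursive query, a reverse lookup, a query with recursion turned off (which shows the referral an iterative query receives), the SRV record a domain member uses to find a domain controller, and the client-side cache. It assumes a DNS server named DC1 serving corp.example.com, a host fs1 at 192.0.2.20 and an external name www.example.org; all of these are placeholders.

```powershell
# Added example for this lesson plan, not part of the original material.
# Server and domain names below are placeholders.
$dnsServer = 'DC1'
$domain    = 'corp.example.com'

# The static alternative to DNS: the hosts file. Each line is an IP address,
# a host name, and an optional comment introduced by '#'.
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"

# Resolver -> designated DNS server: a recursive query for a host (A) record.
# The server either answers from its zones/cache or chases the answer for us.
nslookup "fs1.$domain" $dnsServer

# Reverse name resolution: the PTR record that maps 192.0.2.20 back to a name.
nslookup 192.0.2.20 $dnsServer

# The same kind of query with recursion disabled. The server now answers only
# from its own zones or cache; for a name it is not authoritative for it hands
# back a referral (the name servers to ask next), which is what an iterative
# query between DNS servers looks like.
nslookup -norecurse www.example.org $dnsServer

# Service (SRV) records: how a domain member locates a domain controller and
# the port the LDAP service listens on. This is the record type that Active
# Directory requires its DNS servers to support.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" $dnsServer

# The client-side resolver cache that earlier lookups built up, and how to
# clear it when a record has changed and a stale answer is suspected.
ipconfig /displaydns
ipconfig /flushdns
```

A useful classroom exercise is to run the -norecurse query twice: the first time against a server that has never seen the name, the second time after a recursive query for the same name, so students can watch the cache turn a referral into an answer.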


Explain that since most organizations provide an internal network and external Internet presence, resources must be carefully managed to provide seamless access to resources.

Explain that the following strategies will help in managing internal and external domains:

Use the same domain name internally and externally (highly discouraged)
Create separate and unrelated internal and external domains
Make the internal domain a subdomain of the external domain

Explain that as the server performs client name resolutions, it builds up a cache of DNS information.

Point out that a DNS server that contains no zones and hosts no domains is a caching-only server.

Point out that a forwarder is a DNS server that receives queries from other DNS servers and is configured to forward them.

Explain that conditional forwarding is available in Windows Server 2008 to enable administrators to forward queries based upon the domain specified in the name resolution request.

Explain that a DNS zone is an administrative entity on the DNS server that represents a discrete portion of the DNS namespace.

Point out that zone types specify the servers that store the zone database and the information it contains:

Primary zone
Secondary zone
Stub zone

Point out that the administrator can configure standard DNS zones for the transfer from primary zones to secondary zones.

Demonstrate how to configure a standard DNS zone using Administrative Tools.

Explain that a full zone transfer is performed when a new DNS server is created on the network to obtain a full copy of all resource records for the zone.

Point out that Windows Server 2008 also supports incremental zone transfer (IXFR), which is a revised DNS zone transfer process for intermediate changes.

Explain that if Active Directory is run on the network, you must have at least one DNS server on the network that supports the SRV resource record.


Point out that Active Directory conserves bandwidth by replicating only the DNS data that has changed since the last replication.

Explain that Windows Server 2008 replicates the database for a zone stored in Active Directory to all the other domain controllers running the DNS service in the Active Directory domain where the primary zone is located.

Demonstrate how to configure a custom application directory partition at the Windows Command Prompt.

Explain that after DNS servers are configured, the client computers must be configured.

Demonstrate how to configure DNS client settings manually using the Server Manager.

Demonstrate how to configure DNS/WINS Integration using Administrative Tools.
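The zone, forwarder, directory partition and client steps described across the last two pages can be shown from the command prompt with dnscmd and netsh. The block below is an added example for this lesson plan, not Microsoft's own material; it assumes an Active Directory-integrated DNS server named DC1 at 192.0.2.1 for corp.example.com, a delegated child zone branch.corp.example.com served at 192.0.2.30, a partner namespace partner.example.net served at 192.0.2.10, one standard secondary at 192.0.2.40, an upstream resolver at 192.0.2.53, and a second domain controller DC2. All names and addresses are placeholders.

```powershell
# Added example for this lesson plan, not part of the original material.
# Names and addresses are placeholders; run elevated with the DNS Server
# tools installed (present on any DC that runs the DNS service).
$dnsServer = 'DC1'
$domain    = 'corp.example.com'

# Primary zone stored in Active Directory. Because it is directory data, only
# changed records replicate between domain controllers, and the zone is
# available on every DC in the domain that runs DNS.
dnscmd $dnsServer /ZoneAdd $domain /DsPrimary

# A stub zone keeps only the SOA, NS and glue A records of the child zone, so
# this server always knows which name servers are authoritative for it.
dnscmd $dnsServer /ZoneAdd "branch.$domain" /Stub 192.0.2.30

# Conditional forwarding: queries for the partner namespace go straight to the
# partner's server; everything else this server is not authoritative for goes
# to the server-wide forwarder set on the next line.
dnscmd $dnsServer /ZoneAdd partner.example.net /Forwarder 192.0.2.10
dnscmd $dnsServer /ResetForwarders 192.0.2.53

# Zone transfers (full AXFR or incremental IXFR) only to the listed secondary.
# The default of answering any transfer request hands a complete inventory of
# internal host names to whoever asks, so the list is restricted explicitly.
dnscmd $dnsServer /ZoneResetSecondaries $domain /SecureList 192.0.2.40

# A custom application directory partition controls replication scope: the
# zone moved into it replicates only to DNS servers enlisted in the partition.
dnscmd $dnsServer /CreateDirectoryPartition "dnsbranch.$domain"
dnscmd 'DC2'      /EnlistDirectoryPartition "dnsbranch.$domain"
dnscmd $dnsServer /ZoneChangeDirectoryPartition "branch.$domain" "dnsbranch.$domain"

# Verify what the server now holds and how each zone is configured.
dnscmd $dnsServer /EnumZones
dnscmd $dnsServer /ZoneInfo $domain

# Client side, run on a member server: point it at the internal DNS server and
# register its own A and PTR records. "Local Area Connection" is the default
# adapter name on Windows Server 2008.
netsh interface ip set dns "Local Area Connection" static 192.0.2.1
ipconfig /registerdns
```

When demonstrating this, show the Properties dialog of the zone in the DNS console after each dnscmd line so students can match the command-line switch to the tab they would otherwise use in Administrative Tools.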

Configuring Additional Services

Instructors should do the following:

Explain that Windows Server 2008 offers additional services that increase security and functionality of the Active Directory Network.

Explain that Active Directory Rights Management Service (AD RMS) is a Windows Server 2008 service that you can use to protect sensitive data on a Windows network.

Explain that Active Directory Federation Services (AD FS) allows administrators to configure single sign-on for a web-based application across multiple organizations.

Point out that AD FS configuration consists of the following two organizations:

Resource organizations
Account organizations

Point out that the following components are available when installing AD FS:

AD FS Federation Service
AD FS Federation Services Proxy
Claims-aware agent
Windows token–based agent


Lesson Quiz

True/False

1. Windows Server 2008 supports the Windows Internet Naming Service (WINS) for NetBIOS to IP address resolutions.

2. The .com domain is an example of a root domain.

3. DNS zone transfers are always initiated by the secondary master DNS server.

4. Active Directory Rights Management is an Active Directory service that can provide owners of data with the ability to control who can access the data.

5. Active Directory Federation Services relies on the existence of Active Directory trusts between domains to function properly.

Multiple Choice

1. Which type of DNS record provides IP addresses to DNS name mapping?
a) Host record
b) Pointer record
c) SRV record
d) Name server record

2. What are the two types of queries DNS can perform?
a) Primary
b) Secondary
c) Recursive
d) Iterative

3. A _________________ DNS server does not host any DNS zones but can be used to resolve queries.
a) Primary
b) Caching-only
c) Forwarder
d) Secondary

4. Which of the following are valid DNS zone types in Windows Server 2008 DNS?
a) Stub zone
b) Secondary
c) SRV zone
d) Primary


5. What type of DNS record does an Active Directory client use to locate a domain controller?
a) Host
b) PTR
c) SRV
d) MX

Quiz Answers

True/False

1. True.
2. False. The .com domain is a top-level domain, not a root domain.
3. True.
4. True.
5. False. Trusts are not required with Active Directory Federation Services.

Multiple Choice

1. B
2. C, D
3. B
4. A, B, D
5. C

Class Projects

Lesson 12—Exercise 1

Explain the three elements of a Domain Name System.

List at least five different types of DNS records that could be used in an Active Directory environment.

Lesson 12—Project 1

DNS can be configured to perform two types of queries: recursive and iterative. Explain what is meant by each and when each would be used.


Explain the following terms:

Caching-only DNS server
DNS Forwarder
Conditional Forwarding

Give an example of when each might be used.

Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers—Password Replication Policies

Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). This video takes a look at the password replication policies that are used to control credentials stored on RODCs.

Length: 4:58

Securing Branch Office User Accounts

Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal.

Length: 12:08


Lesson 13: Configuring Active Directory Certificate Services

Learning Goals

The goal of this lesson is to provide students with knowledge about the technology used in private key infrastructure.

Learning Objectives

Upon completion of this lesson, students will understand:

The basics of Active Directory Certificate Services
Configuring Certificate Services

Lesson Introduction

Explain that Microsoft Windows Server 2008 Active Directory Certificate Services offers features that enable parties to communicate securely through private key infrastructure. Students will learn to design and deploy private key infrastructure within Windows Server 2008.

Introduction: Active Directory Certificate Services

Instructors should do the following:

Explain that Active Directory Certificate Services (AD CS) provides a user account or modifies access rights as a user's role changes within an organization and de-provisions a user account when the user's relationship with an organization ends.

Point out that a public key infrastructure (PKI) includes features that allow two parties to communicate securely through the use of a mathematical algorithm called public key cryptography (PKC).

Explain that public key cryptography stores a piece of information called the public key for each user and computer participating in a PKI.

Point out that each user account and computer also contains private key information, which is known only to the individual computer or user account.

Discuss the terminology that is associated with public key infrastructure.
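To make the public/private key split concrete before moving on to the AD CS components, the following PowerShell is an added demonstration for this lesson (not part of the IT Academy material). It generates a key pair for a user, hands only the public half to a second party, and shows which operations each half permits. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, where the RSACng class and its HashAlgorithmName-based overloads exist; the message text is a constructed sample.

```powershell
# Added example for this lesson plan, not part of the original material.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6 or later (RSACng).
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$sigPad = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$encPad = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$utf8   = [System.Text.Encoding]::UTF8

# Alice's key pair. Both halves live in this object; the private half is the
# piece of information known only to her account.
$alice = New-Object System.Security.Cryptography.RSACng 2048

# What a certificate carries and what everyone else receives: the public half
# only. ExportParameters($false) leaves the private parameters out.
$alicePublic = $alice.ExportParameters($false)
$bob = New-Object System.Security.Cryptography.RSACng
$bob.ImportParameters($alicePublic)

# Signing: the private key signs, anyone holding the public key verifies, and
# any change to the signed data makes verification fail.
$message    = $utf8.GetBytes('approve purchase order 4711')
$signature  = $alice.SignData($message, $sha256, $sigPad)
$okOriginal = $bob.VerifyData($message, $signature, $sha256, $sigPad)
$okTampered = $bob.VerifyData($utf8.GetBytes('approve purchase order 9999'), $signature, $sha256, $sigPad)

# Encryption runs the other way: anyone with the public key can encrypt to
# Alice, and only her private key can decrypt the result.
$cipher = $bob.Encrypt($utf8.GetBytes('session secret'), $encPad)
$plain  = $utf8.GetString($alice.Decrypt($cipher, $encPad))

# Holding the public key alone is not enough to sign: RSACng throws a
# CryptographicException when asked to sign without private parameters.
try   { $bob.SignData($message, $sha256, $sigPad) | Out-Null; $publicCanSign = $true }
catch { $publicCanSign = $false }

[pscustomobject]@{
    SignatureVerifies     = $okOriginal
    TamperedDataVerifies  = $okTampered
    DecryptedByPrivateKey = $plain
    PublicKeyCanSign      = $publicCanSign
}
```

Running it produces one object: the original signature verifies, the tampered message does not, the ciphertext decrypts only on Alice's side, and the public-key-only object cannot sign. That single object is the whole argument for protecting private keys, which is what the key archival and recovery material later in this lesson is about.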


Point out that the Windows Server 2008 Active Directory Certificate Services includes the following features:

Certification Authority (CA)
Web enrollment
Online responder
Network Device Enrollment Service (NDES)

Point out that a standalone CA and an enterprise CA are deployed with public key infrastructure.

Demonstrate installing Active Directory Certificate Services after logging on to the CA Member Service.

Configuring Certificate Services

Instructors should do the following:

Explain that one or more online responders can be configured to make revocation information available for one or more CAs.

Demonstrate how to configure certificate revocation by logging in to the CA as the default administrator.

Demonstrate how to configure certificate templates by logging in to the CA as an administrator.

Point out that certificate enrollment may be configured in a number of ways, depending on the setup of the organization.

Point out that PKI certificates enable the following to be set up as automatic distributions:

Certificate templates
Group Policy
Certificate request wizard
Certification Authority Web Enrollment

Point out that certificate template permissions may be configured as:

Full control
Read
Write
Enroll
Autoenroll

Demonstrate how to manage certificate enrollment by logging in to the domain controller.

Explain that Windows Server 2008 provides the ability to create a wireless network policy to address the security aspects of implementing wireless clients on a network.

Point out that using public key policies for wireless networks provides the administrator with more control in establishing rules and guidelines governing the issuance and maintenance of wireless access to the network.


Point out that the following settings are available in the public key policies category:

Encrypting File System (EFS)
Automatic certificate request
Trusted root certification authorities
Enterprise Trust
Certificate services client-auto-enrollment

Explain that CA server settings are used for key archival and recovery, assigning administrative roles, and backing up and restoring the CA database.

Explain that one risk is that users will lose the private keys associated with their certificates.

Explain that key recovery agents are used to restore escrow copies of a private key.

Demonstrate how to configure key archival and recovery by logging in to the domain controller.

Explain that multiple predefined certificate roles can each perform a specific set of tasks.

Point out that the predefined roles are:

CA Administrator
Certificate managers
Backup operators
Auditors
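The configuration tasks in this section (templates, revocation, enrollment, key archival and recovery, role separation) can each be shown from the command line with certutil, which is useful when the console demonstrations run long. The block below is an added example for this lesson plan, not Microsoft's own material. It assumes an enterprise CA running on the local server, a certificate template named CorpUserArchival that has already been configured for key archival, a user whose UPN is alice@corp.example.com, and a copy of her certificate in alice.cer; all of these are placeholders.

```powershell
# Added example for this lesson plan, not part of the original material.
# Run elevated on the CA; template, user and file names are placeholders.

# Templates the CA currently issues, then enable one more. A template the CA
# does not list cannot be enrolled for, whatever its permissions say.
certutil -CATemplates
certutil -SetCATemplates +CorpUserArchival

# Revocation: where issued certificates tell clients to find the CRL and the
# online responder (OCSP), then publish a fresh CRL now instead of waiting for
# the scheduled publication.
certutil -getreg CA\CRLPublicationURLs
certutil -CRL

# Check a certificate the way a relying party does: build the chain and fetch
# the CRL/OCSP locations embedded in it. A failure here means clients will
# fail too, even though the CA itself is healthy.
certutil -urlfetch -verify .\alice.cer

# Key recovery for a lost private key, in two steps that belong to two roles:
# a certificate manager retrieves the archived key blob from the CA database,
# and a Key Recovery Agent decrypts it into a PFX for the user.
certutil -getkey alice@corp.example.com .\alice-recovery.blob
certutil -recoverkey .\alice-recovery.blob .\alice.pfx

# Role separation (no one account may hold more than one CA role) and full CA
# auditing (127 enables all seven audit categories). Both take effect after
# the service restarts.
certutil -setreg CA\RoleSeparationEnabled 1
certutil -setreg CA\AuditFilter 127
Restart-Service certsvc

# Autoenrollment from the client side: refresh Group Policy, then trigger the
# autoenrollment task rather than waiting for its next scheduled run.
gpupdate /target:computer /force
certutil -pulse
```

Two things are worth saying while this runs. The CA audit events only appear in the Security log once "Audit object access" is enabled in the server's audit policy; AuditFilter alone is not enough. And with role separation on, the account used for the demonstration must hold exactly one role, so plan the demo accounts before turning it on, or the remaining commands will be refused.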

Lesson Quiz

True/False

1. A stand-alone Certificate Authority in Windows Server 2008 does not integrate with Active Directory.

2. The Encrypted File System (EFS) does not require the use of a Recovery Agent to recover lost encryption keys.

3. An online responder can be used to provide certificate revocation information when a traditional CRL is not available.

4. In a Windows Server 2008 PKI environment, the domain administrator is the single Active Directory user account that can have Key Recovery Agent capabilities.

5. The Online Responder Service can be installed only on a Windows Server 2008 server running the Enterprise or Data Center versions.


Multiple Choice

1. Which of the following is a type of CA that integrates with Active Directory and can allow automatic enrollment of computer and user certificates?
a) Enterprise CA
b) Active Directory CA
c) Standalone CA
d) Private CA

2. Certificate enrollment in a Windows Server 2008 environment can be used to automate PKI certificate distributions using which of the following methods? Choose all that apply.
a) Certificate Authority Web Enrollment
b) Certificate Templates
c) Certificate Request Wizard
d) Group Policy

3. Which of the following allows an administrator to define and distribute a list of trusted external CAs, known as a Certificate Trust List (CTL)?
a) Root CA
b) Certificate Services
c) Key Distribution Agent
d) Enterprise Trust

4. Windows Server 2008 supports two-factor authentication through the use of ____________________________?
a) Certificate services
b) Digital signatures
c) Smart cards
d) Auto enrollment

5. Which protocol is used to allow network devices to enroll for PKI certificates?
a) TCP/IP
b) SCEP
c) DNS
d) HTTP


Quiz Answers

True/False

1. True.
2. False. A Recovery Agent is required to recover a lost EFS encryption key.
3. True.
4. False. Multiple user accounts can be set up as Key Recovery Agents.
5. True.

Multiple Choice

1. A
2. A, B, C, D
3. D
4. C
5. B

Class Projects

Lesson 13—Exercise 1

Explain the difference between a stand-alone CA and an Enterprise CA.

Discuss the role each of the following plays in a PKI environment: Root CA, Subordinate CA, and Intermediate CA.

Lesson 13—Project 1

List and explain the four predefined security roles in a Windows Server 2008 Certificate Services environment.


Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers—Password Replication Policies

Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). This video takes a look at the password replication policies that are used to control credentials stored on RODCs.

Length: 4:58

Securing Branch Office User Accounts

Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal.

Length: 12:08