
OFFICIAL MICROSOFT LEARNING PRODUCT

6425C Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Companion Content


2 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2011 Microsoft Corporation. All rights reserved.

Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Product Number: 6425C

Part Number: X16-23526

Released: 05/2011



Module 1 Introducing Active Directory® Domain Services

Contents:

Lesson 1: Overview of Active Directory, Identity, and Access 8

Lesson 2: Active Directory Components and Concepts 10

Lesson 3: Install Active Directory Domain Services 14

Module Reviews and Takeaways 16

Lab Review Questions and Answers 18


Lesson 1

Overview of Active Directory, Identity, and Access

Contents:

Additional Reading 9


Additional Reading

Information Protection
• Microsoft Identity and Access Solutions

Authentication and Authorization
• Logon and Authentication Technologies
• Authorization and Access Control Technologies

Authorization
• Logon and Authentication Technologies
• Authorization and Access Control Technologies


Lesson 2

Active Directory Components and Concepts

Contents:

Detailed Demonstration Steps 11

Additional Reading 12


Detailed Demonstration Steps

Demonstration: Active Directory Schema

Detailed demonstration steps

1. Start 6425C-NYC-DC1 and log on as Administrator with the password Pa$$w0rd.

2. Open D:\AdminTools\ADConsole.msc. Expand Active Directory, and then expand Active Directory Schema.

3. Review the Attributes container. Attributes are definitions of a property and of its behavior. While scrolling through attributes, notice a couple of attributes whose purpose (if not name) is familiar. Open the Properties of each.

• objectSID

• sAMAccountName. Most admins call this the “user name”. Its properties also show the attribute’s syntax, that is, the data type of the values it holds (a string in this case).

• unicodePwd

• member. Attributes can be multivalued. When used with a group, it is the list of one or more members.

• description

4. Open the Classes container. While scrolling through, review the already familiar object classes, including user, computer, and group. Object classes are created by referring to attributes in the “pool” of attributes that you just saw.

5. Open the group object class and demonstrate that it refers to the member attribute.
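The same schema objects, read with the Active Directory module instead of the Schema snap-in. This is an added example, not part of the course; it assumes the ActiveDirectory module (RSAT) and a reachable domain controller.

```powershell
# Added example (not from the course): inspect the attributes and the group
# class that the demonstration opens in the Schema snap-in.
Import-Module ActiveDirectory

# The schema partition's DN is published by the root DSE.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# attributeSyntax OIDs for the syntaxes seen in this demonstration;
# anything else is shown as the raw OID.
$syntaxNames = @{
    '2.5.5.1'  = 'Distinguished Name'
    '2.5.5.10' = 'Octet String'
    '2.5.5.12' = 'Unicode String'
    '2.5.5.17' = 'SID'
}

function Get-SchemaAttributeInfo {
    # Syntax, single/multi-valued flag and global catalog membership per attribute.
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        $query = @{
            SearchBase = $schemaNC
            LDAPFilter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$n))"
            Properties = 'lDAPDisplayName', 'attributeSyntax', 'isSingleValued',
                         'isMemberOfPartialAttributeSet', 'systemOnly'
        }
        $a = Get-ADObject @query
        if (-not $a) { Write-Warning "attribute '$n' not found in the schema"; continue }
        $syntax = $syntaxNames[$a.attributeSyntax]
        if (-not $syntax) { $syntax = $a.attributeSyntax }
        [pscustomobject]@{
            Attribute       = $a.lDAPDisplayName
            Syntax          = $syntax
            MultiValued     = -not $a.isSingleValued
            InGlobalCatalog = [bool]$a.isMemberOfPartialAttributeSet
            SystemOnly      = [bool]$a.systemOnly
        }
    }
}

function Get-SchemaClassAttributes {
    # Attributes an object class refers to, mandatory and optional. The snap-in
    # folds the system* lists into the same two lists, so both are merged here.
    param([Parameter(Mandatory)][string]$ClassName)
    $query = @{
        SearchBase = $schemaNC
        LDAPFilter = "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))"
        Properties = 'mustContain', 'systemMustContain', 'mayContain', 'systemMayContain'
    }
    $c = Get-ADObject @query
    if (-not $c) { throw "class '$ClassName' not found in the schema" }
    [pscustomobject]@{
        Class     = $ClassName
        Mandatory = @(@($c.mustContain) + @($c.systemMustContain) | Where-Object { $_ } | Sort-Object -Unique)
        Optional  = @(@($c.mayContain)  + @($c.systemMayContain)  | Where-Object { $_ } | Sort-Object -Unique)
    }
}

# Step 3: the five attributes reviewed in the demonstration.
Get-SchemaAttributeInfo -Name objectSid, sAMAccountName, unicodePwd, member, description |
    Format-Table -AutoSize

# Step 5: the group class refers to the member attribute.
$group = Get-SchemaClassAttributes -ClassName group
'group class refers to member: {0}' -f (($group.Mandatory + $group.Optional) -contains 'member')
```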


Additional Reading

Active Directory Data Store
• You will learn more about the partitions of Active Directory and about SYSVOL throughout this course. DNS is a focus of Module 11, and the PAS (partial attribute set) is examined in detail in Module 13. The contents of SYSVOL are explored in Module 6, and the objects stored in the Configuration partition are covered in Module 13. The objects in the Domain partition are covered in Modules 3-6, and database maintenance and administration tasks are detailed in Modules 10 and 14.

Domain Controllers
• Domain controllers are discussed throughout this course, but Modules 11 and 12 are focused specifically on domain controller administration and placement. Module 10 discusses RODCs.

Demonstration: Active Directory Schema
• What Is the Active Directory Schema?

Organizational Units
• Modules 6 and 8 of this course examine the purpose, management, and design of organizational units.

Domain
• You will learn more about domains throughout this course, and Module 15 focuses on the design considerations related to how many domains you should have in your enterprise.

Forest
• The concepts and design of a multidomain forest are discussed in Module 15.

Tree
• The concepts and design of a multidomain forest are discussed in Module 15.

Replication
• Active Directory replication is detailed in Module 12. SYSVOL replication is discussed in Module 10.

Sites
• Active Directory site and subnet objects are the focus of Module 13.

Global Catalog
• The global catalog is explored in detail in Module 12.

Functional Levels
• Functional levels are detailed in Module 15.

DNS and Application Partitions
• DNS is covered in Module 11.


Trust Relationships
• Trust relationships are discussed in Module 15.


Lesson 3

Install Active Directory Domain Services

Contents:

Additional Reading 15


Additional Reading

Prepare to Create a New Forest with Windows Server 2008 R2
• This list comprises the settings that you will be prompted to configure when creating a domain controller. There are a number of additional considerations regarding the deployment of AD DS in an enterprise setting. See the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkID=214181 for more information.


Module Reviews and Takeaways

Review questions

1. What is the main difference between authentication and authorization?

Answer: Authentication is the process of presenting credentials from a user to an identity store or an authentication service. Performing authentication grants no right to access a resource; it only confirms the identity of the user. Authorization, on the other hand, is the process of granting rights to access a specific resource based on an ACL. To proceed with authorization, authentication must first be performed.

2. Why is global catalog important in a multidomain environment?

Answer: Because the domain controllers in your domain will not contain information about objects in other domains, you must rely on the global catalog, which has the indexed, partial attribute set for all objects in other domains.

3. Which tools can you use to install AD DS?

Answer: First, you must use Server Manager to install the AD DS role, and then you should run dcpromo to make the server a domain controller.

Common Issues and Troubleshooting Tips

Issue: The Dcpromo wizard cannot perform the installation of AD DS.
Troubleshooting tip: You must be a local administrator to perform the Active Directory installation.

Issue: You cannot start dcpromo.exe.
Troubleshooting tip: You must first install the AD DS role by using Server Manager.

Issue: You cannot raise the forest to the Windows Server 2008 R2 functional level.
Troubleshooting tip: Check that all domains in the forest are raised to the Windows Server 2008 R2 functional level.

Best Practices Related to AD DS

• Use a strong password for Directory Service Restore Mode.

• Make all domain controllers into Global Catalog servers.

• Use static IP addresses for domain controllers.


Tools

Tool: Server Manager
Use to: Adding the AD DS role
Where to find it: Administrative Tools

Tool: Initial Configuration Tasks
Use to: Performing post-installation tasks on Windows Server 2008 R2
Where to find it: Type Oobe.exe in the Run window

Tool: Dcpromo.exe
Use to: Installing Active Directory Domain Services and making the server a domain controller
Where to find it: Type dcpromo.exe in the Run window, or use Server Manager to run the tool


Lab Review Questions and Answers

Question: What can you do with the Initial Configuration Tasks console?

Answer: This console is used to perform some basic administrative tasks, such as changing the time zone or the computer name.

Question: What must you do before starting the dcpromo wizard?

Answer: You must add the Active Directory Domain Services role.

Question: Which tool is used to raise the domain functional level?

Answer: The Active Directory Domains and Trusts tool is used to raise the domain functional level.


Module 2 Administering Active Directory Securely and Efficiently

Contents:

Lesson 1: Work with Active Directory Administration Tools 20

Lesson 2: Custom Consoles and Least Privilege 22

Lesson 3: Find Objects in Active Directory 26

Lesson 4: Use Windows PowerShell to Administer Active Directory 30

Module Reviews and Takeaways 33

Lab Review Questions and Answers 34


Lesson 1

Work with Active Directory Administration Tools

Contents:

Additional Reading 21


Additional Reading

Active Directory Administration Snap-ins
• Active Directory Domain Services
• Managing Active Directory from MMC
• Install the Active Directory Schema snap-in

What Is the Active Directory Administrative Center?
• Active Directory Administrative Center: Getting Started

Find Active Directory Administration Tools
• Remote Server Administration Tools Pack


Lesson 2

Custom Consoles and Least Privilege

Contents:

Detailed Demonstration Steps 23

Additional Reading 25


Detailed Demonstration Steps

Demonstration: Create a Custom MMC Console for Administering Active Directory

Detailed demonstration steps

Start 6425C-NYC-DC1.

Log on to NYC-DC1 as Pat.Coleman_Admin, with the password, Pa$$w0rd. Open the Run box and run the following command with administrative credentials: D:\Labfiles\Lab02a\Lab02a_Setup.bat. This command unregisters the Schema MMC snap-in.

In this demonstration, create a custom MMC console with all four Active Directory management snap-ins. This demonstration is a preview of an upcoming lab.

1. Click the Start button. In the Search programs and files box, type mmc.exe, and then press ENTER. Click Yes in the User Account Control dialog box. An empty MMC console appears. Maximize it.

2. Click File, and then click Add/Remove Snap-in.

3. If snap-ins are missing, install RSAT and turn on the snap-ins.

4. In the Add Or Remove Snap-ins dialog box, click Active Directory Users and Computers from the Available Snap-ins list, and then click the Add button to add it to the Selected Snap-ins list.

5. Repeat for Active Directory Sites and Services and Active Directory Domains and Trusts.

6. Notice that the Active Directory Schema snap-in is not available to add. Click OK to close the Add or Remove Snap-ins dialog box.

7. Register the Schema management snap-in: Open a command prompt as administrator, type regsvr32.exe schmmgmt.dll, and then press Enter. Click OK. Close the command prompt.

8. Return to the MMC console and click File, and then click Add/Remove Snap-in.

9. Add the Active Directory Schema snap-in.

10. Click OK to close the Add Or Remove Snap-ins dialog box.

11. Click File, click Save, and save the console as C:\AdminTools\ADConsole.msc. Be sure to save the console to a new folder. In the next demo, you will open the console with a different user account that will not have access to your Desktop or Document folders.

12. Close MMC.

Demonstration: Secure Administration with User Account Control and Run As Administrator

Detailed demonstration steps

1. Log off from NYC-DC1.

2. Log on with user-level credentials: CONTOSO\Pat.Coleman, with the password, Pa$$w0rd.

3. Open the C:\AdminTools folder you created in the previous demonstration.

4. Right-click the ADConsole.msc console and click Run as administrator.


5. Enter the credentials of your administrative account, CONTOSO\Pat.Coleman_Admin, with the password, Pa$$w0rd.

6. Click Yes.

7. Optionally, open Task Manager and click Show processes from all users. Enter the same credentials: CONTOSO\Pat.Coleman_Admin; Pa$$w0rd.

The administrator account (Pat.Coleman_Admin) may not have immediate access to the Desktop, Documents, or other folders that the user account (Pat.Coleman) has access to. If Pat.Coleman (user) saves the console to a location accessible only to that account, and starts it from there, the moment the process is elevated to the administrator (Pat.Coleman_Admin) account, it can no longer access the console.

8. At the end of the demo, log off from NYC-DC1 and log back on as Contoso\Pat.Coleman_Admin, with the password, Pa$$w0rd.


Additional Reading

Demonstration: Create a Custom MMC Console for Administering Active Directory
• Add, Remove, and Organize Snap-ins and Extensions in MMC 3.0

Secure Administration with Least Privilege, Run As Administrator, and User Account Control
• Using Run as

Demonstration: Secure Administration with User Account Control and Run As Administrator
• Using Run as


Lesson 3

Find Objects in Active Directory

Contents:

Detailed Demonstration Steps 27

Additional Reading 29


Detailed Demonstration Steps

Demonstration: Use the Select Users, Contacts, Computers, Service Accounts, or Groups Dialog Box

Detailed demonstration steps

If not already started, start 6425C-NYC-DC1 and log on as Pat.Coleman_Admin, with the password, Pa$$w0rd.

Add users to the Instructors group (in the Groups\Role OU) by using the Members tab of the group.

1. Open Active Directory Users and Computers and then browse to the Groups\Role OU. Open the Properties of the Instructors security group and perform the following:

2. On the Members tab, click Add. Type linda;joan and click Check Names. This demonstrates a full first name and partial first name, and that semicolons delimit multiple users.

Add a user to the Instructors group by using the Add To Group command of the user.

1. Browse to the User Accounts\Employees OU.

2. Right-click Pat Coleman and click Add to a group. Type Instr and click Check Names. This demonstrates the resolution of a group from a partial name. Note that Computers are not included by default. Click OK.

3. Set up the scenario: You want to deploy Microsoft Office Visio® to NYC-CL1. It is licensed per computer, not per user, so the deployment of Visio should be targeted to a computer object (like most software). You have a group that represents the computers that should have Visio.

4. Open the APP_Visio group from the Groups\Application OU.

5. On the Members tab, try to add NYC-CL1. Point out that it fails.

6. Try again. This time, click the Object Types button and select Computers.

Demonstration: Use Saved Queries

Detailed demonstration steps

Create a saved query called All User Objects that returns all user objects in the domain.

1. In Active Directory Users and Computers, right-click Saved Queries, point to New, and then click Query.

Note that saved queries can “virtualize” your view of your Active Directory: It doesn't matter where an object is located (for example, in the Employees, Contractors, or Admin Identities OUs), just that it meets search criteria.

Create a saved query called Non-Expiring Passwords that returns user objects with passwords that do not expire.

1. Right-click Saved Queries, point to New, and then click Query.

2. In the New Query dialog box, type Non-Expiring Passwords in the Name box.

3. Click Define Query. Select the Non expiring passwords check box. Click OK twice.


Note that all users in the sample domain are set to non-expiring passwords for the purpose of the course only.

Demonstration: Find Objects by Using Active Directory Administrative Center

Detailed demonstration steps

If not already started, start 6425C-NYC-DC1 and log on to NYC-DC1 as Pat.Coleman_Admin, with the password, Pa$$w0rd.

Create a saved query called Global Catalog servers that returns all Global Catalog Servers in the domain.

1. In Active Directory Administrative Center, in the left-hand pane, click Global Search.

2. In the Global Search pane, click Add criteria.

3. Select the check box next to Computers running as a given domain controller type.

4. Click Add.

5. Click the Any domain controllers link and then choose Global catalogs.

6. Click Search.

Note that any domain controller that is configured as a Global Catalog is displayed.

7. Click the Save button.

8. In the text box, type Global Catalog Servers, and then click OK.

9. Click the Queries button to view the saved query.

10. Log off from NYC-DC1 when you have finished the demonstration.
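The two saved queries built in the demonstrations above (Non-Expiring Passwords in Active Directory Users and Computers, Global Catalog Servers in Active Directory Administrative Center), expressed as Active Directory module queries so they can run unattended. This is an added example, not part of the course; it assumes the ActiveDirectory module and a reachable domain controller, and the LDAP filter is the one the "Non expiring passwords" option builds for you.

```powershell
# Added example (not from the course): the two saved queries as script.
Import-Module ActiveDirectory

# userAccountControl flags and the LDAP bitwise-AND matching rule that lets a
# filter test a single bit of that integer attribute.
$DONT_EXPIRE_PASSWD = 65536
$ACCOUNTDISABLE     = 2
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'

function Get-NonExpiringPasswordUser {
    # Enabled user accounts whose password never expires. An unused account with
    # a never-expiring password is the usual finding to clean up, so the last
    # logon is compared against a cutoff (LastLogonDate is replicated only every
    # ~14 days, so treat it as approximate).
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$StaleAfterDays = 90
    )
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:$LDAP_MATCHING_RULE_BIT_AND:=$DONT_EXPIRE_PASSWD)" +
              "(!(userAccountControl:$LDAP_MATCHING_RULE_BIT_AND:=$ACCOUNTDISABLE)))"
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties LastLogonDate, PasswordLastSet |
        Select-Object SamAccountName, DistinguishedName, PasswordLastSet, LastLogonDate,
            @{ n = 'Stale'; e = { (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff) } }
}

function Get-GlobalCatalogServer {
    # Same result as the Global Search criterion "Computers running as a given
    # domain controller type" set to Global catalogs.
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Select-Object Name, Site, IPv4Address, IsReadOnly
}

Get-NonExpiringPasswordUser | Sort-Object Stale -Descending | Format-Table -AutoSize
Get-GlobalCatalogServer | Format-Table -AutoSize
```

In the course domain every account has a non-expiring password (see the note above), so the first query returns all of them; in production it should be short.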


Additional Reading

Options for Locating Objects
• Search Active Directory


Lesson 4

Use Windows PowerShell to Administer Active Directory

Contents:

Detailed Demonstration Steps 31

Additional Reading 32


Detailed Demonstration Steps

Demonstration: Manage Users and Groups by Using Windows PowerShell

Detailed demonstration steps

Note: You require the 6425C-NYC-DC1 virtual machine to complete this demonstration. Log on to the virtual machine as Contoso\Administrator with the password Pa$$w0rd.

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Module for Windows PowerShell.

2. To create two new OUs, type the following commands.

new-adorganizationalunit Test1

new-adorganizationalunit Test2

3. To create a new user, type the following command. (Note: by default, the user is created in the Users container if no other location is specified. For this demo, the account is created in the New Users OU.)

new-aduser -name TestUser1 -department IT -city "New York" -organization "Contoso"

4. To move the user to another OU, type the following command.

get-aduser -filter 'Name -eq "TestUser1"' | move-adobject -targetpath "ou=Test2,dc=contoso,dc=com"

5. To get a group and view its members, type the following commands.

get-adgroup -filter "Name -eq 'Domain Admins'"

get-adgroup -filter "Name -eq 'Domain Admins'" | get-adgroupmember

6. To add a new user to a group, type the following command.

add-adgroupmember "Marketing" testuser1

7. To set the password and enable the user account, type the following commands. Note that the password is in single quotes: inside a double-quoted string, Windows PowerShell expands $$ to the current process ID, so "Pa$$w0rd1" would not set the password you intend.

Set-ADAccountPassword testuser1 -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd1' -Force)

get-aduser -filter 'Name -eq "TestUser1"' | enable-adaccount


Additional Reading

Windows PowerShell Cmdlets for Active Directory
• Active Directory Administration with Windows PowerShell


Module Reviews and Takeaways

Review questions

1. What are the four main snap-ins used for Active Directory administration?

Answer: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.

2. Is the Active Directory Administrative Center based upon an MMC?

Answer: No, it is based upon Windows PowerShell.

3. List some of the tasks that can be performed with Windows PowerShell.

Answer:

• User, Computer, and Group Management

• Organizational Unit Management

• Password Policy Management

• Object Search and Modification

• Forest and Domain Management

• Domain Controller and Operations Master Management

• Managed Service Account Management

Tools

Tool: Active Directory Users and Computers
Use to: Managing an Active Directory domain
Where to find it: Administrative Tools

Tool: Active Directory Administrative Center
Use to: Managing an Active Directory domain
Where to find it: Administrative Tools

Tool: Windows PowerShell
Use to: Managing an Active Directory domain
Where to find it: Administrative Tools

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature: Active Directory Administrative Center
Description: Used to manage Active Directory Domain Services

Windows Server 2008 R2 feature: Active Directory Module for Windows PowerShell
Description: Used to manage Active Directory Domain Services by using Windows PowerShell


Lab Review Questions and Answers

Question: Which snap-in are you most likely to use on a day-to-day basis to administer Active Directory?

Answer: Answers will vary. Most students will use Active Directory Users and Computers regularly, to administer users, computers, and groups.

Question: When you build a custom MMC console for administration in your enterprise, what snap-ins will you add?

Answer: Answers will vary. The answer will depend on students' job responsibilities and experience level.

Question: In your work, what scenarios require you to search Active Directory?

Answer: The correct answer will be based on your own experience and situation.

Question: What types of saved queries can you create to help you perform your administrative tasks more efficiently?

Answer: The correct answer will be based on your own experience and situation.


Module 3 Managing Users and Service Accounts

Contents:

Lesson 1: Create and Administer User Accounts 36

Lesson 2: Configure User Object Attributes 39

Lesson 3: Automate User Account Creation 43

Lesson 4: Create and Configure Managed Service Accounts 45

Module Reviews and Takeaways 47

Lab Review Questions and Answers 48


Lesson 1

Create and Administer User Accounts

Contents:

Detailed Demonstration Steps 37

Additional Reading 38


Detailed Demonstration Steps

Demonstration: Create a User Object

Detailed demonstration steps

Before performing this demonstration, open Windows Explorer and browse to D:\Labfiles\Lab03a. Run the Lab03a_Setup command with administrative credentials.

Create a user account:

1. Expand contoso.com and then expand the User Accounts OU.

2. Right-click the Employees OU, point to New, and then click User.

3. In First name, type the user’s first name: Chris.

4. In Last name, type the user’s last name: Mayo.

5. In User logon name, type the user’s logon name: Chris.Mayo.

6. In the User logon name (pre-Windows 2000) text box, enter the pre-Windows 2000 logon name: Chris.Mayo.

7. Click Next.

8. Type Pa$$w0rd in the Password and Confirm password boxes.

• The default password policy for an Active Directory domain requires a password of seven or more characters. Additionally, the password must contain three of four character types: uppercase (A-Z), lowercase (a-z), numeric (0-9), and non-alphanumeric (for example, !@#$%). The password cannot contain any of the user’s name or logon name attributes.

• Optionally, attempt to create the user account with a password that does not meet the policy, so that students can see the error that appears.

• In a production environment, you should use a unique, strong password for each user account that you create.

9. Ensure that User must change password at next logon is selected, and then click Next.

10. Review the summary and click Finish.
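A local check that mirrors the default domain password policy described in step 8, so a provisioning script can reject a password before calling New-ADUser. This is an added example, not part of the course. The name rule follows the Windows "Password must meet complexity requirements" setting: the sAMAccountName may not appear in the password, nor any displayName token of three or more characters (tokens are delimited by commas, periods, dashes, underscores, spaces, # signs and tabs); the sample names and passwords are constructed.

```powershell
# Added example (not from the course): check a candidate password against the
# default domain policy (7+ characters, 3 of 4 classes, no user-name parts).
function Test-DefaultPasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName    = ''
    )
    $reasons = @()

    if ($Password.Length -lt 7) {
        $reasons += "length $($Password.Length) is below the 7-character minimum"
    }

    # Three of the four character classes must be present; -cmatch keeps the
    # upper/lower distinction that the default -match would ignore.
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -cmatch '[0-9]')        { $classes++ }
    if ($Password -cmatch '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $reasons += "only $classes of 4 character classes used" }

    # The logon name may not appear anywhere in the password (case-insensitive).
    if ($SamAccountName -and ($Password -imatch [regex]::Escape($SamAccountName))) {
        $reasons += "contains the logon name '$SamAccountName'"
    }
    # Nor may any display-name token of three or more characters.
    $tokens = $DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 }
    foreach ($t in $tokens) {
        if ($Password -imatch [regex]::Escape($t)) { $reasons += "contains name token '$t'" }
    }

    [pscustomobject]@{
        Password  = ('*' * $Password.Length)   # never echo the candidate itself
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed samples: the lab password passes; the other two fail for
# different reasons (name token plus too few classes; too short).
$user = @{ SamAccountName = 'Chris.Mayo'; DisplayName = 'Chris Mayo' }
Test-DefaultPasswordPolicy -Password 'Pa$$w0rd' @user
Test-DefaultPasswordPolicy -Password 'mayo2011' @user
Test-DefaultPasswordPolicy -Password 'Ab1'      @user
```

The check is a pre-flight only; the domain controller still enforces the policy (and any fine-grained policy that applies) when the account is created.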


Additional Reading

Create Users with Windows PowerShell
• Creating a user with Windows PowerShell

Demonstration: Create a User Object
• Active Directory Users and Computers Help: Managing Users
• Create a New User Account

Name Attributes
• Object Names

Account Attributes
• User Properties - Account Tab
• http://go.microsoft.com/fwlink/?LinkID=214193


Lesson 2

Configure User Object Attributes

Contents:

Detailed Demonstration Steps 40

Additional Reading 42


Detailed Demonstration Steps

Demonstration: Create a User Template

Detailed demonstration steps

1. Right-click the Employees OU, point to New, and then click User.

2. Leave the First name and Last name boxes empty.

3. In the Full name box, type _Sales User.

4. Note that the underscore prefix will put the template at the top of the user list in the OU, making it easier to find.

5. In the User Logon name box, type: Template.Sales.

6. In the User logon name (pre-Windows 2000) text box, enter the pre-Windows 2000 logon name: Template.Sales.

7. Click Next.

8. Type Pa$$w0rd in the Password and Confirm password boxes.

9. Ensure that User must change password at next logon is selected.

10. Select Account is disabled.

11. Click Next.

12. Review the summary and click Finish.

13. Right-click _Sales User, and then click Properties.

14. Click the Member Of tab.

15. Click Add.

16. Type Sales and click OK.

17. The Multiple Names Found dialog box appears. Select Sales and click OK.

18. Click the Organization tab.

19. In Department, type Sales.

20. In Company, type Contoso, Ltd.

21. Click the Change button in the Manager section.

22. Type Anibal Sousa and click OK.

23. Click the Account tab.

24. In the Account Expires section, click End Of, and then select the last day of the current year.

25. Click OK.

Creating a user from the template

1. Right-click _Sales User, and then click Copy.

2. In First name, type Amy.

3. In Last name, type Strande.


4. In User logon name, type Amy.Strande.

5. Confirm that the User logon name (pre-Windows 2000) is also Amy.Strande, and click Next.

6. In Password and Confirm password, type Pa$$w0rd.

7. Clear Account is disabled.

8. Click Next, review the summary, then click Finish.
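The Copy operation of this demonstration as a function, so a template such as _Sales User can be applied from a script. This is an added example, not part of the course; it assumes the ActiveDirectory module, Windows PowerShell 3.0 or later, and a template created with the wizard (so it has a UPN and stays disabled). It copies what the Copy command carries over in Active Directory Users and Computers (organization, manager, account expiry, address fields and group memberships).

```powershell
# Added example (not from the course): create a user from a template account.
function New-UserFromTemplate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Template,        # sAMAccountName of the template
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$AccountPassword
    )
    Import-Module ActiveDirectory

    $copied = 'Department', 'Company', 'Manager', 'AccountExpirationDate',
              'Office', 'StreetAddress', 'City', 'State', 'PostalCode', 'Country'
    $t = Get-ADUser -Identity $Template -Properties ($copied + 'MemberOf')
    if ($t.Enabled) { throw "template '$Template' is enabled; a template must stay disabled" }

    # Parent container of the template; the regex steps over an escaped comma in the CN.
    $ou = $t.DistinguishedName -replace '^CN=(?:\\,|[^,])+,', ''
    $upnSuffix = if ($t.UserPrincipalName) { $t.UserPrincipalName.Split('@')[1] }
                 else { (Get-ADDomain).DNSRoot }

    $new = @{
        Name                  = "$GivenName $Surname"
        DisplayName           = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        SamAccountName        = $SamAccountName
        UserPrincipalName     = "$SamAccountName@$upnSuffix"
        Path                  = $ou
        AccountPassword       = $AccountPassword
        ChangePasswordAtLogon = $true     # User must change password at next logon
        Enabled               = $true     # the copy clears "Account is disabled"
    }
    # Pass only the template attributes that are actually set.
    foreach ($attr in $copied) {
        if ($null -ne $t.$attr) { $new[$attr] = $t.$attr }
    }

    if ($PSCmdlet.ShouldProcess("$SamAccountName in $ou", 'Create user from template')) {
        New-ADUser @new
        if ($t.MemberOf.Count -gt 0) {
            Add-ADPrincipalGroupMembership -Identity $SamAccountName -MemberOf $t.MemberOf
        }
        Get-ADUser -Identity $SamAccountName -Properties Department, Company, Manager, MemberOf
    }
}

# The copy made in the demonstration: Amy Strande from _Sales User (Template.Sales).
New-UserFromTemplate -Template 'Template.Sales' -GivenName 'Amy' -Surname 'Strande' `
    -SamAccountName 'Amy.Strande' -AccountPassword (Read-Host -AsSecureString 'Password')
```

Add -WhatIf to the call to see the target OU and name without creating anything.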


Additional Reading

Modify User Attributes by Using Windows PowerShell
• Setting a User’s Profile Attributes
• Modifying an Attribute for Several Users at Once

Demonstration: Create a User Template
• Copy a User Account


Lesson 3

Automate User Account Creation

Contents:

Additional Reading 44


Additional Reading

Export Users with CSVDE
• CSVDE
• LDAP Query Syntax

Import Users with CSVDE
• CSVDE

Import Users with LDIFDE
• LDIFDE

Import Users with Windows PowerShell
• Creating a Large Quantity of Users


Lesson 4

Create and Configure Managed Service Accounts

Contents:

Additional Reading 46


Additional Reading

Challenges of Using Standard User Accounts for Services

• What’s New in Service Accounts in Windows Server 2008 and Windows 7

What Is a Managed Service Account?

• Managed Service Accounts

Configure and Administer Managed Service Accounts

• PowerShell Commands for Managed Service Accounts

Module Reviews and Takeaways

Review questions

1. Which administration tool should you use to create and manage user accounts within your organization?

Answer: Answers will vary; however, options include Active Directory Users and Computers, Active Directory Administrative Center, or the Active Directory Module for Windows PowerShell.

2. Which user account attributes will be important to use within your network environment?

Answer: Answers will vary, but possible answers should be based upon attributes listed in the user account properties.

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature | Description
Active Directory Module for Windows PowerShell | Used to run Active Directory cmdlets for administering various AD DS tasks
Managed Service Accounts | Used to automate password and SPN management for service accounts used by applications and services

Lab Review Questions and Answers

Question: In this lab, which attribute can be modified to prompt for the password when you are creating a user account with Windows PowerShell?

Answer: AccountPassword (Read-Host -AsSecureString "AccountPassword")

Question: What happens when you create a user account that has a password that does not meet the requirements of the domain?

Answer: The account is created, but it is disabled. It cannot be enabled until a password that meets the requirements of the domain is configured.

Question: What are the options for modifying the attributes of new and existing users?

Answer: Multiselecting users and opening the Properties dialog box, using the DSMod command, and creating a user account based on a user account template.

Question: What methods have you learned for modifying attributes of new and existing users?

Answer: Multiselecting users and opening the Properties dialog box, using the DSMod command, and creating a user account based on a user account template.

Question: What scenarios lend themselves to importing users with CSVDE and LDIFDE?

Answer: If you are importing a large number of users, CSVDE and LDIFDE add significant value. Also, CSVDE and LDIFDE give you the ability to configure most user attributes, unlike templates, which support a very limited number of attributes.

Question: You need to obtain a list of all the managed service accounts in the domain. Which command would you use?

Answer: The Get-ADServiceAccount cmdlet would be used to obtain a list of managed service accounts in the domain.

Question: Which cmdlet can be used to reset the password of a managed service account?

Answer: The Reset-ADServiceAccountPassword cmdlet would be used to reset a password of a specific managed service account.
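The first two lab answers above, worked through as an added example that is not part of the course material: the password is prompted for with Read-Host -AsSecureString, and the function reports the case where the account is created but left disabled because the password did not meet domain policy. The OU path and the contoso.com UPN suffix are assumptions.

```powershell
# Added example (not from the course): create a user with a prompted password and
# detect the "created but disabled" outcome when the password fails domain policy.
# Requires the Active Directory module; the OU path below is an assumed value.
Import-Module ActiveDirectory

function New-ContosoUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [string]$Path = 'OU=User Accounts,DC=contoso,DC=com'   # assumed OU
    )
    $sam = "$GivenName.$Surname"

    # Prompt for the password as a SecureString so it never appears in the
    # command history, transcript, or a script file.
    $password = Read-Host -AsSecureString 'AccountPassword'

    try {
        New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
            -SamAccountName $sam -UserPrincipalName "$sam@contoso.com" `
            -Path $Path -AccountPassword $password -Enabled $true -ErrorAction Stop
    }
    catch {
        # A policy failure is reported here, but the object may already exist.
        Write-Warning "New-ADUser reported: $($_.Exception.Message)"
    }

    # Use -Filter rather than -Identity so a missing account returns $null
    # instead of throwing.
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'"
    if (-not $user) { return 'NotCreated' }
    if (-not $user.Enabled) {
        # The behaviour from the lab answer: the account exists but stays disabled
        # until a compliant password is set and the account is enabled.
        return 'CreatedDisabled'
    }
    return 'CreatedEnabled'
}

# Recovery for the CreatedDisabled case: set a compliant password, then enable.
function Repair-ContosoUserPassword {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $password = Read-Host -AsSecureString 'New AccountPassword'
    Set-ADAccountPassword -Identity $SamAccountName -NewPassword $password -Reset
    Enable-ADAccount -Identity $SamAccountName
}

# Usage
$result = New-ContosoUser -GivenName 'Amy' -Surname 'Strande'
if ($result -eq 'CreatedDisabled') {
    Write-Warning 'Password rejected by domain policy; account is disabled'
    Repair-ContosoUserPassword -SamAccountName 'Amy.Strande'
}
```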

Module 4 Managing Groups

Contents: Lesson 1: Overview of Groups 50

Lesson 2: Administer Groups 52

Lesson 3: Best Practices for Group Management 57

Module Reviews and Takeaways 59

Lab Review Questions and Answers 61

Lesson 1

Overview of Groups

Contents: Additional Reading 51

Additional Reading

Role-Based Management: Role Groups and Rule Groups

• For more information about role-based management, see Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).

Define Group Naming Conventions

• For more information about managing groups effectively, see Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).

Default Groups

For more information about protected accounts, see:

• Knowledge Base article 817433 at

• Knowledge Base article 840001 at

• If you want to search the Internet for resources, use the keyword adminSDHolder.

• Microsoft TechNet provides an exhaustive reference to the default groups in a domain and to the default local groups.

• For reference information about local and domain groups, go to

• For reference information about default local groups, go to

• Default groups

• Windows Server 2008 Future Resources

Lesson 2

Administer Groups

Contents: Detailed Demonstration Steps 53

Additional Reading 56

Detailed Demonstration Steps

Demonstration: Create a Group Object

Detailed demonstration steps

Note You require the 6425C-NYC-DC1 virtual machine to complete this demonstration. Log on to the virtual machine as Contoso\Administrator with the password of Pa$$w0rd.

Create a group by using Active Directory Users and Computers

1. Open the Active Directory Users and Computers snap-in.

2. In the console tree, expand the node that represents your domain (such as contoso.com), and navigate to the OU or container (such as Users) in which you want to create the group. For the purpose of this demonstration, use the Groups\Role OU.

3. Right-click the Role OU, point to New, and then click Group.

The New Object - Group dialog box appears.

4. Type the name of the new group in the Group name box. For the purpose of this demonstration, type ITConsultants as the name of the group.

Most organizations have naming conventions that specify how group names should be created. Be sure to follow the guidelines of your organization.

By default, the name you type is also entered as the Group name (pre-Windows® 2000). It is strongly recommended that you keep the two names the same.

5. Do not change the name in the Group name (pre-Windows 2000) box.

6. Choose the Group type.

• A Security group is a group that can be given permissions to resources. It can also be configured as an e-mail distribution list.

• A Distribution group is an e-mail–enabled group that cannot be given permissions to resources. It is therefore used only when a group is an e-mail distribution list that has no possible requirement for access to resources. For this demo, click Security.

7. Select the Group scope.

• A Global group is typically used to identify users based on criteria such as job function, location, etc.

• A Domain local group is used to collect users and groups who share similar resource access needs, such as all users who need to be able to modify a project report.

• A Universal group is typically used to collect users and groups from multiple domains. For this demo, click Global.

8. Click OK.

Group objects have a number of properties that are useful to configure. These can be specified after the object has been created.

Configure Group Properties:

1. Right-click the ITConsultants group, and then click Properties.

2. Enter the properties for the group.

• Be sure to follow the naming conventions and other standards of your organization.

• The group’s Members and Member Of tabs specify who belongs to the group and what groups the group itself belongs to.

• The group’s Description field, because it is easily visible in the details pane of the Active Directory Users and Computers snap-in, is a good place to summarize the purpose of the group and the contact information for the individual(s) responsible for deciding who is and is not a member of the group.

• The group’s Notes field can be used to provide more detail about the group.

• The Managed By tab can be used to link to the user or group that is responsible for the group. The contact information on the Managed By tab is populated from the account specified in the Name box. The Managed By tab is typically used for contact information, so that if a user wants to join the group, you can decide who in the business should be contacted to authorize the new member. However, if you select the Manager can update membership list option, the account specified in the Name box is given permission to add and remove members of the group. This is one method of delegating administrative control over the group.

To change the user or group that is referred to on the Managed By tab, click the Change button underneath the Name box. By default, the Select User, Contact, or Group dialog box that appears does not, despite its name, search for groups. To search for groups, you must first click the Object Types button and select Groups.

3. Click OK.

Change Group Scope using Windows PowerShell with Active Directory Module:

1. Open Windows PowerShell with Active Directory Module from Administrative Tools on the Start menu. Be sure to run it as administrator.

2. When the command-line environment opens, type the following command, and then press ENTER.

Set-ADGroup -Identity ITConsultants -GroupScope Universal

3. Open the Active Directory Users and Computers console and verify that the group scope has changed from Global to Universal.
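The scope change in step 2, guarded by a check against the AD DS scope-conversion rules (the "Cannot convert group scope" issue in this module's review). This is an added example, not course code; it assumes the Active Directory module and the ITConsultants group from the demonstration.

```powershell
# Added example (not from the course): validate a group scope change against the
# AD DS conversion rules before calling Set-ADGroup, so a refused conversion is
# explained rather than hit blind. Requires the Active Directory module.
Import-Module ActiveDirectory

function Test-ADGroupScopeChange {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')][string]$TargetScope
    )
    $group   = Get-ADGroup -Identity $Identity -Properties Members, MemberOf
    $current = $group.GroupScope.ToString()
    if ($current -eq $TargetScope) { return "Already $TargetScope" }

    # Global <-> DomainLocal is never a direct conversion; it must pass through Universal.
    if ($current -ne 'Universal' -and $TargetScope -ne 'Universal') {
        return "Blocked: $current to $TargetScope must be done in two steps via Universal"
    }

    # Scopes of the groups nested inside this group (user members are ignored)
    $memberScopes = foreach ($dn in $group.Members) {
        if ((Get-ADObject -Identity $dn).ObjectClass -eq 'group') {
            (Get-ADGroup -Identity $dn).GroupScope.ToString()
        }
    }
    # Scopes of the groups this group is itself nested in
    $parentScopes = foreach ($dn in $group.MemberOf) {
        (Get-ADGroup -Identity $dn).GroupScope.ToString()
    }

    switch ("$current->$TargetScope") {
        'Global->Universal' {
            if ($parentScopes -contains 'Global') { return 'Blocked: group is a member of another global group' }
        }
        'DomainLocal->Universal' {
            if ($memberScopes -contains 'DomainLocal') { return 'Blocked: group contains a domain local group' }
        }
        'Universal->Global' {
            if ($memberScopes -contains 'Universal') { return 'Blocked: group contains a universal group' }
        }
        'Universal->DomainLocal' { }   # no restrictions on this direction
    }
    return 'Allowed'
}

# Usage: the demonstration's change, performed only when the rules allow it
$verdict = Test-ADGroupScopeChange -Identity 'ITConsultants' -TargetScope 'Universal'
if ($verdict -eq 'Allowed') {
    Set-ADGroup -Identity 'ITConsultants' -GroupScope Universal
    Write-Host 'ITConsultants is now a universal group'
} else {
    Write-Warning $verdict
}
```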

Additional Reading

Demonstration: Create a Group Object

• Create a New Group

Lesson 3

Best Practices for Group Management

Contents: Additional Reading 58

Additional Reading

Protect Groups from Accidental Deletion

• For more information about recovering deleted groups and their memberships, go to: Knowledge Base article 840001

Module Reviews and Takeaways

Review questions

1. Members of a Sales department in a company that has branches in multiple cities travel frequently between domains. How will you provide these members with access to printers on various domains that are managed by using domain local groups?

Answer: In this situation, you can create a group with domain local scope and assign it permission to access the printer. Put the Sales user accounts in a group with global scope, and then add this group to the group having domain local scope. When you want to give the Sales users access to a new printer, assign the group with domain local scope permission to access the new printer. All members of the group with global scope automatically receive access to the new printer.

2. You are responsible for managing accounts and access to resources for your group members. A user in your group transfers into another department within the company. What should you do with the user’s account?

Answer: Although your company may have an HR representative with AD DS permissions to move user accounts, the best solution involves having the user account moved into the appropriate OU of the new department. In this manner, the Group Policies associated with the new department will be enforced. If applying the correct Group Policies is important, the user’s account should be disabled until somebody with appropriate security permissions can move it into the new OU.

3. Which group scope can be assigned permissions in any domain or forest?

Answer: Groups with universal scope can be assigned permissions in any domain or forest.

Common Issues Related to Group Management

Issue: Cannot convert group scope
Troubleshooting tip: Check whether the conversion scenario is supported.

Issue: Cannot add group to another group
Troubleshooting tip: Check whether the desired nesting scenario is supported.

Issue: Cannot create group in AD DS
Troubleshooting tip: Check that you have the necessary permissions to create group objects.

Real-World Issues and Scenarios

• A project manager in your department is starting a group project that will continue for the next year. Several users from your department and other departments will be dedicated to the project during this time. The project team must have access to the same shared resources. The project manager must be able to manage the user accounts and group accounts in AD DS. However, you do not want to give the project manager permission to manage anything else in AD DS. What is the best way to do this?

Answer: Create a new global security group. Add the project members to the group. Create a new OU outside your department’s OU. Assign full control of the OU to the project manager. Add the global group to the new OU. Add resources to the OU, such as shared files and printers. Keep track of the project, and delete the global group when the work finishes. You can keep the OU if another project requires it. However, you should delete it if there is no immediate need for it.

Best Practices for Group Management

• When managing access to resources, try to use both rule and role groups.

• Use universal groups only when necessary, because they increase replication traffic.

• Use Windows PowerShell with Active Directory Module for batch jobs on groups.

• Avoid adding users to Built-in and Default Groups.

Tools

Tool | Use | Where to find it
Active Directory Users and Computers | Manage groups | Administrative Tools
Windows PowerShell with Active Directory Module | Manage groups | Installed as a Windows feature
DS utilities | Manage groups | Command line

Windows Server 2008 R2 Features Introduced in this Module

Feature | Description
Windows PowerShell with Active Directory Module | New administration utility for Active Directory, based on Windows PowerShell

Lab Review Questions and Answers

Question: Describe the purpose of global groups in terms of role-based management.

Answer: Global groups are generally used to define roles.

Question: What types of objects can be members of global groups?

Answer: Global groups can include as members users and other roles (global groups) from the same domain.

Question: Describe the purpose of domain local groups in terms of role-based management of resource access.

Answer: Domain local groups are generally used to define a scope of management, such as managing a level of access to a resource.

Question: What types of objects can be members of domain local groups?

Answer: Domain local groups can contain roles (global groups) and individual users from any trusted domain in the same forest or an external forest, as well as other domain local groups in the same domain. Finally, domain local groups can contain universal groups from anywhere in the forest.

Question: If you have implemented role-based management and are asked to report who can read the Sales folders, what command would you use to do so?

Answer: You would use the DSGet command.

Question: What are some benefits of using the Description and Notes fields of a group?

Answer: Better documented groups are easier to find and understand and are less likely to be misused for purposes other than their intended purpose.

Question: What are the advantages and disadvantages of delegating group membership?

Answer: Delegating group membership allows IT to get "out of the middle." In most organizations, when a user needs access to a resource, he or she contacts IT, IT contacts the business owner to get approval, and then IT adds the user to the groups. Delegating allows the request to go straight to the business owner, who can then make the change to the group.

Module 5 Managing Computer Accounts

Contents: Lesson 1: Create Computers and Join the Domain 63

Lesson 3: Offline Domain Join 65

Module Reviews and Takeaways 68

Lab Review Questions and Answers 70

Lesson 1

Create Computers and Join the Domain

Contents: Question and Answers 64

Question and Answers

Secure Computer Creation and Joins

Question: What two factors determine whether you can join a computer account to the domain?

Answer: To join a computer to a prestaged account, you must be given permission on the account to join it to the domain. If the account is not prestaged, the ms-DS-MachineAccountQuota attribute will determine the number of computers you can join to the domain in the default computer container without explicit permission.

Lesson 3

Offline Domain Join

Contents: Question and Answers 66

Detailed Demonstration Steps 67

Question and Answers

Process for Performing an Offline Domain Join

Question: What is the content of the text file that is created during a djoin provisioning process?

Answer: This file contains sensitive data that is needed to establish a relationship between a computer and a domain. The data includes the machine account password and other information about the domain, including the domain name, the name of a domain controller, and the SID of the domain.

Detailed Demonstration Steps

Demonstration: Perform an Offline Domain Join

Detailed demonstration steps

Note You require the 6425C-NYC-DC1 virtual machine to complete this demonstration.

1. Log on to NYC-DC1 as Contoso\Administrator, with the password, Pa$$w0rd.

2. Open a Command Prompt with administrative privileges.

3. Type the following command and press Enter.

djoin /provision /domain contoso.com /machine NYC-CL2 /savefile NYC-CL2.txt

4. Ensure that the command is completed successfully.

5. Open the Active Directory Users and Computers console, navigate to the New Computers OU, and ensure that the NYC-CL2 account has been created there. The next step would be to run the djoin /requestodj /loadfile command on the workstation or drive that is being provisioned. You will perform this step in the lab.
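The provisioning step above, together with the two points from this lesson's questions (ms-DS-MachineAccountQuota governs joins without explicit permission, and the djoin blob contains the machine account password), as an added example that is not course code. It assumes the Active Directory module, djoin.exe on the domain controller, and a staging folder C:\ODJ.

```powershell
# Added example (not from the course): read and restrict the machine account
# quota, then provision an offline-join blob and lock down the file that holds it.
# Requires the Active Directory module and djoin.exe; C:\ODJ is an assumed path.
Import-Module ActiveDirectory

# How many computers may an ordinary user join without an explicit permission?
# The value lives on the domain naming context object.
function Get-MachineAccountQuota {
    $domain = Get-ADDomain
    $nc = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    return [int]$nc.'ms-DS-MachineAccountQuota'
}

# A quota of 0 enforces the module's best practice: every join must use a
# prestaged account or an account that was explicitly granted the join permission.
function Set-MachineAccountQuota {
    param([Parameter(Mandatory)][ValidateRange(0, 1000)][int]$Quota)
    $domain = Get-ADDomain
    Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

# Provision the blob as in the demonstration, then replace the inherited ACL so
# only Administrators and SYSTEM can read it: the file carries the machine
# account password and must be handled as a credential until it is consumed.
function New-ProtectedOfflineJoinBlob {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Domain = 'contoso.com',
        [string]$OutDir = 'C:\ODJ'          # assumed staging folder
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $blob = Join-Path $OutDir "$ComputerName.txt"

    & djoin.exe /provision /domain $Domain /machine $ComputerName /savefile $blob
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    $acl = Get-Acl -Path $blob
    $acl.SetAccessRuleProtection($true, $false)      # drop inherited entries
    foreach ($who in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($who, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $blob -AclObject $acl
    return $blob
}

# Usage: report a permissive quota, then provision NYC-CL2 as in step 3.
$quota = Get-MachineAccountQuota
if ($quota -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota; set it to 0 once all joins use prestaged accounts"
}
$path = New-ProtectedOfflineJoinBlob -ComputerName 'NYC-CL2'
Write-Host "Blob written to $path. Copy it to the target for djoin /requestodj /loadfile, then delete it."
```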

Module Reviews and Takeaways

Review questions

1. What is the main difference between the Computers container and an OU?

Answer: You cannot create an OU within the Computers container, so you cannot subdivide it. Also, you cannot link a Group Policy object to a container. Because of this, we recommend that you move the newly created computer account from the Computers container to an OU.

2. When should you reset a computer account? Why is it better to reset the computer account than to disjoin and rejoin it to the domain?

Answer: You should reset a computer account when the computer is no longer able to authenticate to the domain. That can happen if the operating system is reinstalled, the computer is restored from backup, or the computer’s password has fallen out of sync with the domain. If you just disjoin the computer from the domain and rejoin it instead of resetting the computer account, you risk losing the computer account altogether, which means losing the computer’s SID and, more importantly, its group memberships. When you rejoin the domain, even though the computer has the same name, the account has a new SID, and all the group memberships of the previous computer object must be re-created.

3. In an Offline Domain Join, what should you do after you provision a new computer account to the domain by using the djoin.exe utility?

Answer: After a new computer account is provisioned, you should transfer the blob text file, which contains the domain and computer account information, to the destination computer that is to be joined to the domain. Then, you should run djoin.exe with the /requestODJ switch.

Common Issues Related to Computer Account Management

Issue: The computer cannot be joined to the domain.
Troubleshooting tips:

• Check that the domain controller is available.

• Check the IP address and DNS settings on the client computer.

• Check that the account being used to join the computer to the domain has the privileges needed to join a computer to the domain.

Issue: Group Policy is not applied to the computer after it is joined to the domain.
Troubleshooting tip: Check whether the computer account is still in the Computers container. You cannot link GPOs to this container.

Issue: The Offline Domain Join is not working as expected.
Troubleshooting tips:

• Check that the name of the provisioned computer account is the same as the name of the computer being joined to the domain.

• Make sure that you do not use the /localos switch if you are mounting a drive from the destination computer.

Real-World Issues and Scenarios

1. You are working as an IT technician at Contoso, Ltd. You are managing the Windows Server-based infrastructure. You have to find a method for joining new Windows 7-based computers to a domain during the installation process without intervention by a user or an administrator.

Answer: The best way to do this is to first provision the computer accounts in AD DS by using the djoin utility with the /provision switch, and after that to use an unattended setup to perform the installation. By using a utility such as Windows System Image Manager, you can perform an unattended domain join during an operating system installation by providing the information that is relevant to the domain join in an Unattend.xml file.

Best Practices for Computer Account Management

• Always provision a computer account before joining computers to a domain, and place the accounts in appropriate OUs.

• Redirect the default Computer container to another location.

• Reset the computer account, instead of just doing a disjoin and rejoin.

• Integrate the Offline Domain Join functionality with unattended installations.

Tools

Tool | Use | Where to find it
Windows PowerShell with Active Directory Module | Computer account management | Administrative Tools
CSVDE, LDIFDE | Importing computer accounts into AD DS | Windows Server 2008 command prompt
Djoin.exe | Offline domain join | Windows Server 2008 command prompt

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature | Description
Windows PowerShell with Active Directory Module | New administration utility for Active Directory, based on Windows PowerShell
Offline Domain Join | New feature in Windows Server 2008 R2 and Windows 7 that allows you to join computers to a domain even when they do not have a network connection to a domain controller

Lab Review Questions and Answers

Question: What did you learn about the pros and cons of various approaches to creating computer accounts in an AD DS domain?

Answer: Answers may vary depending on your own experience and situation.

Question: What are the two credentials that are necessary for any computer to join a domain?

Answer: The necessary credentials are local credentials that are in the local Administrators group of the computer, and domain credentials that have permission to join the computer to the computer account.

Question: What insights did you gain into the issues and procedures regarding computer accounts and administering computer accounts through their life cycle?

Answer: Answers will vary based on your own experience and situation.

Module 6 Implementing a Group Policy Infrastructure

Contents: Lesson 1: Understand Group Policy 72

Lesson 2: Implement GPOs 75

Lesson 3: Manage Group Policy Scope 79

Lesson 4: Group Policy Processing 81

Module Reviews and Takeaways 83

Lab Review Questions and Answers 85

Lesson 1

Understand Group Policy

Contents: Detailed Demonstration Steps 73

Additional Reading 74

Detailed Demonstration Steps

Demonstration: Exploring Group Policy Settings

Detailed demonstration steps

1. Switch to NYC-DC1.

2. In the GPMC, right-click the CONTOSO Standards GPO, and then click Edit.

3. Spend time exploring the settings that are available in a GPO. Do not make any changes.

4. Review the division between Computer Configuration and User Configuration.

5. Notice the timing with which computer and user settings are applied.

6. Examine the various policy categories and policy settings.

Additional Reading

Review the Components of Group Policy

TechNet contains detailed technical and operational guides to Group Policy, including the following:

• Windows Server Group Policy

• How Core Group Policy Works

• Deploying Group Policy Using Windows Vista

• Summary of New or Expanded Group Policy Settings

• What's New in Group Policy in Windows Vista

Lesson 2

Implement GPOs

Contents: Detailed Demonstration Steps 76

Additional Reading 78

Detailed Demonstration Steps

Demonstration: Create, Link, and Edit GPOs

Detailed demonstration steps

Create a GPO

1. Start 6425C-NYC-DC1.

2. Log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.

3. Run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

4. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.

5. In the console tree, right-click the Group Policy Objects container, and then click New.

6. In Name, type CONTOSO Standards, and then click OK.

Open a GPO for editing

1. In the details pane of the Group Policy Management console (GPMC), right-click the CONTOSO Standards GPO, and then click Edit.

The Group Policy Management Editor (GPME) appears.

2. Close the GPME.

Link a GPO

1. In the GPMC console tree, right-click the contoso.com domain, and then click Link an Existing GPO.

2. Select CONTOSO Standards and click OK.

Delegate the management of GPOs

1. In the GPMC console tree, click the contoso.com domain.

2. In the details pane, click the Delegation tab.

3. Review the default delegation.

4. In the GPMC console tree, expand the Group Policy Objects container, and then click the CONTOSO Standards GPO.

5. In the details pane, click the Delegation tab.

6. Review the default delegation.

7. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

8. In the console tree, click the Users container.

9. In the details pane, double-click the Group Policy Creator Owners group, and then click the Members tab.

10. Review the default membership.

Delete a GPO

1. In the GPMC console tree, in the Group Policy Objects container, right-click the CONTOSO Standards GPO, and then click Delete.

2. Click No.

Discuss the default connection to the PDC Emulator

1. In the GPMC console tree, right-click the contoso.com domain, and then click Change Domain Controller.

2. Review the default settings.

Additional Reading

Local GPOs

• Multiple Local Group Policy objects

• Step-by-Step Guide to Managing Multiple Local Group Policy Objects

Manage GPOs and Their Settings

• GPO Operations

• Backing up, Restoring, Migrating, and Copying GPOs

Lesson 3

Manage Group Policy Scope

Contents: Additional Reading 80

Additional Reading

WMI Filters

For more information on WMI and for examples of WMI filters, go to:

• WMI filtering using GPMC

• Windows Management Instrumentation (WMI) software development kit (SDK)

Lesson 4

Group Policy Processing

Contents: Additional Reading 82

Additional Reading

Slow Links and Disconnected Systems

• How Core Group Policy Works

Module Reviews and Takeaways

Review questions

1. You have assigned a logon script to an OU via Group Policy. The script is located in a shared network folder named Scripts. Some users in the OU receive the script, whereas others do not. What might be the possible causes?

Answer: Security permissions might be a problem. If some users do not have read access to the shared network folder where the scripts are stored, they will not be able to apply the policy. Also, security filtering on the GPO might be the cause of this problem.

2. What GPO settings are applied across slow links by default?

Answer: Registry policy and Security policy are always applied even when a slow link is detected. This setting cannot be changed.

3. You need to ensure that a domain level policy is enforced, but the Managers global group needs to be exempt from the policy. How would you accomplish this?

Answer: Set the link to be enforced at the domain level, and use security group filtering to deny Apply Group Policy permission to the Administrators group.

Common Issues Related to Group Policy Management

Issue: Group Policy settings are not applied to all users or computers in the OU where the GPO is applied
Troubleshooting tips:

• Check security filtering on the GPO

• Check WMI filters on the GPO

Issue: Group Policy settings sometimes need two restarts to apply
Troubleshooting tip: Enable the wait for network before logon option
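The first two troubleshooting checks above (security filtering and WMI filters), plus the Enforced and Block Inheritance state from the best practices, gathered into one report per linked GPO. This is an added example, not course code; it assumes the GroupPolicy module from the GPMC and the contoso.com domain DN.

```powershell
# Added example (not from the course): for every GPO linked at a target, show who
# actually receives it (Apply Group Policy right), its WMI filter, and whether the
# link is enforced or inheritance is blocked. Requires the GroupPolicy module.
Import-Module GroupPolicy

function Get-GPOScopeReport {
    param([Parameter(Mandatory)][string]$Target)   # distinguished name of an OU or the domain

    $inheritance = Get-GPInheritance -Target $Target
    foreach ($link in $inheritance.GpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId

        # Security filtering: only trustees holding GpoApply get the settings.
        # A user or computer outside every name listed here will never apply the GPO.
        $apply = Get-GPPermission -Guid $link.GpoId -All |
                 Where-Object { $_.Permission -eq 'GpoApply' } |
                 ForEach-Object { $_.Trustee.Name }

        [pscustomobject]@{
            GPO                = $gpo.DisplayName
            LinkEnabled        = $link.Enabled
            Enforced           = $link.Enforced
            Order              = $link.Order
            InheritanceBlocked = $inheritance.GpoInheritanceBlocked
            AppliesTo          = ($apply -join ', ')
            WmiFilter          = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
        }
    }
}

# Usage: when a user or computer in the OU is missing settings, confirm it is a
# member of something in AppliesTo and that it satisfies the WMI filter shown.
Get-GPOScopeReport -Target 'DC=contoso,DC=com' | Format-Table -AutoSize
```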

Best Practices Related to Group Policy Management

• Name Group Policy objects so that you can easily identify them by name

• Apply Group Policy objects as high as possible in the AD DS hierarchy

• Use the Block Inheritance and Enforced options only when really necessary

• Make comments on GPO settings

Tools

Tool: Group Policy reporting (RSoP)
Use for: Reporting information about the current policies being delivered to clients.
Where to find it: Group Policy Management Console

Tool: GPResult
Use for: A command-line utility that displays RSoP information.
Where to find it: Command-line utility

Tool: GPUpdate
Use for: Refreshing local and AD DS-based Group Policy settings.
Where to find it: Command-line utility

Tool: Dcgpofix
Use for: Restoring the default Group Policy objects to their original state after initial installation.
Where to find it: Command-line utility

Tool: GPOLogView
Use for: Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista, Windows 7, and later versions.
Where to find it: Command-line utility

Tool: Group Policy Management scripts
Use for: Sample scripts that perform a number of different troubleshooting and maintenance tasks.

Lab Review Questions and Answers

Question: Which policy settings are already being deployed by using Group Policy in your organization?

Answer: Answers will vary.

Question: Which policy settings did you discover that you might want to implement in your organization?

Answer: Answers will vary.

Question: Many organizations rely heavily on security group filtering to scope GPOs, rather than linking GPOs to specific OUs. In these organizations, GPOs are typically linked very high in the Active Directory logical structure—to the domain itself or to a first-level OU. What advantages are gained by using security group filtering rather than GPO links to manage the scope of the GPO?

Answer: The fundamental problem of relying on OUs to scope the application of GPOs is that an OU is a fixed, inflexible structure within Active Directory, and that a single user or computer can only exist within one OU. As organizations get larger and more complex, configuration requirements are difficult to match in a one-to-one relationship with any container structure. With security groups, a user or computer can exist in as many groups as necessary, and can be added and removed easily without impacting the security or management of the user or computer account.

Question: Why might it be useful to create an exemption group—a group that is denied the Apply Group Policy permission—for every GPO you create?

Answer: There are very few scenarios in which you can be guaranteed that all of the settings in a GPO will always need to apply to all users and computers within its scope. By having an exemption group, you will always be able to respond to situations in which a user or computer must be excluded. This can also help in troubleshooting compatibility and functionality problems. Sometimes, specific GPO settings can interfere with the functionality of an application. In order to test whether the application works on a "pure" installation of Windows, you might need to exclude the user or computer from the scope of GPOs, at least temporarily for testing.

Question: Do you use loopback policy processing in your organization? In which scenarios and for which policy settings can loopback policy processing add value?

Answer: Answers will vary. Scenarios including conference rooms, kiosks, virtual desktop infrastructures, and other "standard" environments should certainly be mentioned.

Question: In which situations have you used RSoP reports to troubleshoot Group Policy application in your organization?

Answer: The correct answer will be based on your own experience and situation.

Question: In which situations have you used, or could you anticipate using, Group Policy modeling?

Answer: The correct answer will be based on your own experience and situation.

Question: Have you ever diagnosed a Group Policy application problem based on events in one of the event logs?

Answer: The correct answer will be based on your own experience and situation.

Module 7 Managing User Desktop with Group Policy

Contents: Lesson 1: Implement Administrative Templates 87

Lesson 2: Configure Group Policy Preferences 91

Lesson 3: Manage Software with GPSI 94

Module Reviews and Takeaways 98

Lab Review Questions and Answers 100

Lesson 1

Implement Administrative Templates

Contents: Detailed Demonstration Steps 88

Detailed Demonstration Steps

Demonstration: Work with Settings and GPOs

Detailed demonstration steps

Use Filter Options to locate policies in Administrative Templates

1. Switch to NYC-DC1.

2. Run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

3. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.

4. In the details pane, right-click the 6425C GPO, and then click Edit.

The Group Policy Management Editor appears.

5. In the console tree, expand User Configuration, expand Policies, and then click Administrative Templates.

6. Right-click Administrative Templates, and then click Filter Options.

7. Select the Enable Keyword Filters check box.

8. In the Filter for word(s) text box, type screen saver.

9. In the drop-down list next to the text box, select Exact, and click OK.

Administrative Templates policy settings are filtered to show only those that contain the words screen saver.

10. Spend a few moments examining the settings that you have found.

11. In the console tree, right-click Administrative Templates under User Configuration, and then click Filter Options.

12. Clear the Enable Keyword Filters check box.

13. In the Configured drop-down list, select Yes, and then click OK.

Administrative Template policy settings are filtered to show only those that have been configured (enabled or disabled).

14. Spend a few moments examining those settings.

15. In the console tree, right-click Administrative Templates under User Configuration and clear the Filter On option.

Add comments to a policy setting

1. In the console tree, expand User Configuration, Policies, Administrative Templates, and Control Panel, and then click Personalization.

2. Double-click the Enable screen saver policy setting.

3. In the Comment section, type Corporate IT Security Policy implemented with this policy in combination with Password Protect the Screen Saver, and click OK.

4. Double-click the Password protect the screen saver policy setting.

5. In the Comment section, type Corporate IT Security Policy implemented with this policy in combination with Enable screen saver, and click OK.

Add comments to a GPO

1. In the console tree of the Group Policy Management Editor, right-click the root node, 6425C[NYC-DC1.CONTOSO.COM], and then click Properties.

2. Click the Comment tab.

3. Type Contoso corporate standard policies. Settings are scoped to all users and computers in the domain. Person responsible for this GPO: your name.

This comment appears on the Details tab of the GPO in the GPMC.

4. Click OK and then close the Group Policy Management Editor.

Create a new GPO from a starter GPO

1. In the console tree of the GPMC, click the Starter GPOs container.

2. In the details pane, click the Create Starter GPOs Folder button.

3. In the console tree, right-click the Starter GPOs container, and then click New.

4. In Name: type CONTOSO Starter GPO, and then click OK.

5. In the details pane, right-click CONTOSO Starter GPO, and then click Edit.

The Group Policy Management Editor appears. Review and edit the settings as desired.

6. Close the Group Policy Starter GPO Editor.

7. In the details pane, right-click CONTOSO Starter GPO, and then click New GPO From Starter GPO.

8. In Name: type CONTOSO Desktop, and then click OK.

Create a new GPO by copying an existing GPO

1. In the GPMC console tree, expand the Group Policy Objects container, right-click the CONTOSO Desktop GPO, and then click Copy.

2. Right-click the Group Policy Objects container, click Paste, and then click OK.

3. Click OK.

Create a new GPO by importing settings that were exported from another GPO

1. In the GPMC console tree, expand the Group Policy Objects container, right-click the CONTOSO Desktop GPO, and then click Back Up.

2. In Location: type D:\Labfiles\Lab07c, and then click Back Up.

3. When the backup finishes, click OK.

4. In the GPMC console tree, right-click the Group Policy Objects container, and then click New.

5. In Name: type CONTOSO Import, and then click OK.

6. In the GPMC console tree, right-click the CONTOSO Import GPO, and then click Import Settings.

The Import Settings Wizard appears.

7. Click Next three times.

8. Select CONTOSO Desktop, and then click Next two times.

9. Click Finish, and then click OK.
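The four GPMC procedures above (starter GPO, new GPO from a starter, copy, and backup/import) can also be scripted. The following is an added example, not part of the course material, using the GroupPolicy module that ships with the Windows Server 2008 R2 GPMC; the GPO names and backup path follow the demonstration, and the comments and the copy's name are assumptions.

```powershell
# Added example (not from the course): scripted equivalent of the GPMC steps above.
# Run in an elevated PowerShell session on NYC-DC1 with the GPMC installed.
Import-Module GroupPolicy

$domain     = 'contoso.com'
$backupPath = 'D:\Labfiles\Lab07c'

# Create a starter GPO, then a new GPO that starts from its Administrative Templates settings.
$starter = New-GPStarterGPO -Name 'CONTOSO Starter GPO' -Domain $domain `
                            -Comment 'Contoso baseline starter GPO (assumed comment)'
$desktop = New-GPO -Name 'CONTOSO Desktop' -StarterGpoName $starter.DisplayName -Domain $domain

# Copy an existing GPO. Copy-GPO duplicates the settings only: links are never copied,
# and the GPO's ACL (security filtering) is copied only when -CopyAcl is given.
$copy = Copy-GPO -SourceName 'CONTOSO Desktop' -TargetName 'CONTOSO Desktop Copy' `
                 -SourceDomain $domain -TargetDomain $domain

# Back up the GPO to the lab folder, then import that backup into a new, empty GPO.
if (-not (Test-Path -Path $backupPath)) {
    New-Item -ItemType Directory -Path $backupPath | Out-Null
}
$backup = Backup-GPO -Name 'CONTOSO Desktop' -Path $backupPath -Domain $domain `
                     -Comment 'Backup taken for the import demonstration'
$import = New-GPO -Name 'CONTOSO Import' -Domain $domain
Import-GPO -BackupId $backup.Id -Path $backupPath -TargetName $import.DisplayName -Domain $domain | Out-Null

# Verify what now exists. None of these GPOs is linked yet: scoping them
# (New-GPLink, security filtering) is a separate, deliberate step.
Get-GPO -All -Domain $domain |
    Where-Object { $_.DisplayName -like 'CONTOSO*' } |
    Select-Object DisplayName, Id, GpoStatus, ModificationTime |
    Format-Table -AutoSize
```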

Lesson 2

Configure Group Policy Preferences

Contents: Detailed Demonstration Steps 92

Additional Reading 93

Detailed Demonstration Steps

Demonstration: Configure Group Policy Preferences

Detailed demonstration steps

1. On 6425C-NYC-DC1, in GPMC, click the Group Policy Objects folder; in the details pane, right-click the Default Domain Policy, and then click Edit.

2. Expand Computer Configuration, expand Preferences, expand Windows Settings, right-click Shortcuts, point to New, and then click Shortcut.

3. In the New Shortcut Properties dialog box, select Create from the Action list.

4. In the Name box, type Notepad.

5. In the Location box, click the arrow, and then select All Users Desktop.

6. In the Target path box, type C:\Windows\System32\Notepad.exe.

7. On the Common tab, select the Item-level targeting check box, and then click Targeting.

8. In the Targeting Editor dialog box, click New Item, and then click Computer Name.

9. In the Computer name box, type NYC-CL1, and then click OK twice.

10. Under Windows Settings, right-click Folders, point to New, and then click Folder.

11. In the New Folder dialog box, select Create from the Action list.

12. In the Path field, type C:\Reports.

13. On the Common tab, select the Item-level targeting check box, and then click Targeting.

14. In the Targeting Editor dialog box, click New Item, and then click Operating System.

15. In the Product list, click Windows Server 2008 R2, and then click OK twice.

Additional Reading

Differences Between Group Policy Preferences and Settings

• For an overview of Group Policy preferences, see

Lesson 3

Manage Software with GPSI

Contents: Detailed Demonstration Steps 95

Additional Reading 97

Detailed Demonstration Steps

Demonstration: Create a Software Distribution Point

Detailed demonstration steps

1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.

2. Start 6425C-NYC-SVR1, but do not log on.

3. Switch to NYC-DC1.

4. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

5. In the console tree, expand the contoso.com domain and the Groups OU, and then click the Application OU.

6. Right-click the Application OU, point to New, and then click Group.

7. Type APP_XML Notepad, and then press Enter.

8. In the console tree, expand the contoso.com domain and the Servers OU, and then click the File OU.

9. In the details pane, right-click NYC-SVR1, and then click Manage.

The Computer Management console opens, focused on NYC-SVR1.

10. In the console tree, expand System Tools and Shared Folders, and then click Shares.

11. Right-click Shares, and then click New Share. The Create a Shared Folder Wizard appears.

12. Click Next.

13. In the Folder Path box, type C:\Software, and then click Next.

A message appears asking if you want to create the folder.

14. Click Yes.

15. Accept the default Share name, Software, and then click Next.

16. Click Customize permissions, and then click Custom.

17. Click Security.

18. Click Advanced.

The Advanced Security Settings dialog box appears.

19. Click Change Permissions.

20. Clear the Include inheritable permissions from this object's parent option.

A dialog box appears asking if you want to Add or Remove inherited permissions.

21. Click Add.

22. Select the first permission assigned to the Users group, and then click Remove.

23. Select the remaining permission assigned to the Users group, and then click Remove.

24. Select the permission assigned to Creator Owner, and then click Remove.

25. Click OK two times to close the Advanced Security Settings dialog boxes.

26. In the Customize Permissions dialog box, click the Share Permissions tab.

27. Select the Full Control check box.

The security management best practice is to configure least-privilege permissions in the ACL of the resource, because those permissions apply regardless of how users connect to the resource; you can then grant the Full Control permission on the SMB shared folder. The resultant access level is the more restrictive of the two, which is the set of permissions defined in the ACL of the folder.

28. Click OK.

29. Click Finish.

30. Click Finish to close the wizard.

31. Click Start, click Run, type \\NYC-SVR1\c$, and then press Enter.

The Connect to NYC-SVR1 dialog box appears.

32. In the User name box, type CONTOSO\Pat.Coleman_Admin.

33. In the Password box, type Pa$$w0rd, and then press Enter.

A Windows Explorer window opens, focused on the root of the drive C on NYC-SVR1.

34. Open the Software folder.

35. Click New folder.

A new folder is created and is in "rename mode."

36. Type XML Notepad, and then press Enter.

37. Right-click the XML Notepad folder, and then click Properties.

38. Click Security.

39. Click Edit.

40. Click Add. The Select Users, Computers, Service Accounts, or Groups dialog box appears.

41. Type APP_XML Notepad, and then press Enter.

The group is given the default, Read & Execute permission.

42. Click OK twice to close all open dialog boxes.

43. Open the XML Notepad folder.

44. Open the D:\Labfiles\Lab07c folder in a new window.

45. Right-click XMLNotepad.msi, and then click Copy.

46. Switch to the Windows Explorer window, displaying \\NYC-SVR1\c$\Software\XML Notepad.

47. Right-click in the empty details pane, and then click Paste.

XML Notepad is copied into the folder on NYC-SVR1.

48. Close all open Windows Explorer windows.

49. Close the Computer Management console.
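Steps 16 through 42 build a least-privilege ACL by hand. The following is an added example, not part of the course, that produces the same ACL with Get-Acl and Set-Acl and then lists the resulting access so it can be reviewed; it assumes it runs locally on NYC-SVR1 in an elevated session, and the paths, share name and group name follow the demonstration.

```powershell
# Added example (not from the course): least-privilege software distribution point.
$root   = 'C:\Software'
$appDir = Join-Path -Path $root -ChildPath 'XML Notepad'
$appGrp = 'CONTOSO\APP_XML Notepad'

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None

function New-Ace([string]$Identity, [string]$Rights) {
    # Allow ACE that flows to subfolders and files.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $none, 'Allow')
}

New-Item -ItemType Directory -Path $root, $appDir -Force | Out-Null

# Root folder: stop inheriting from C:\ (this drops Users and CREATOR OWNER),
# then allow only Administrators and SYSTEM. Ordinary users cannot list this folder.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)   # protect; do not copy the inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($ace) | Out-Null    # clear any explicit leftovers
}
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))
Set-Acl -Path $root -AclObject $acl

# Application subfolder: inherits the root ACEs and adds Read & Execute for the group
# allowed to install this application. Bypass traverse checking lets those users reach
# the subfolder although they have no access to the root.
$acl = Get-Acl -Path $appDir
$acl.AddAccessRule((New-Ace $appGrp 'ReadAndExecute'))
Set-Acl -Path $appDir -AclObject $acl

# Share with Full Control: the NTFS ACL is the effective control because the more
# restrictive of share and NTFS permissions wins. (Quoted so PowerShell does not
# split the comma-separated argument.)
net share "Software=$root" '/GRANT:Everyone,FULL' | Out-Null

# Review: who can do what on each folder of the distribution point.
function Get-DistributionPointAccess([string]$Path) {
    $folders = @($Path) + @(Get-ChildItem -Path $Path -Recurse -Force |
                            Where-Object { $_.PSIsContainer } |
                            ForEach-Object { $_.FullName })
    foreach ($folder in $folders) {
        foreach ($ace in (Get-Acl -Path $folder).Access) {
            New-Object PSObject -Property @{
                Folder    = $folder
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
Get-DistributionPointAccess -Path $root | Format-Table Folder, Identity, Rights, Inherited -AutoSize
```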

Additional Reading

Software Deployment Options

• Group Policy Software Installation overview

Module Reviews and Takeaways

Review questions

1. What is the benefit of having a Central Store?

Answer: Central Store is a single folder in SYSVOL that holds all the .ADMX and .ADML files that are required. After you have set up Central Store, the GPME recognizes it and loads all administrative templates from Central Store instead of from the local machine.

2. What is the main difference between Group Policy Settings and Group Policy Preferences?

Answer: While Group Policy settings enforce a setting on the client side and disable the client interface for modifying it, Group Policy preferences provide settings but still allow the client to modify them.

3. What is the difference between publishing and assigning software through GPSI?

Answer: If you assign software to a user or computer, it is installed without asking the user whether they want to install it. Publishing software lets the user decide whether the software is installed.

Common Issues Related to Group Policy Management

Issue: Group Policy Preferences are not being applied.
Troubleshooting tip: Check the preference settings for item-level targeting or incorrect configuration.

Issue: Group Policy Software Installation does not work for some users
Troubleshooting tips:

• Check security settings on the network share where the software installation package resides

• Check scoping of the Group Policy Object

Real-World Issues and Scenarios

Question: You have a number of logon scripts that map network drives for users. Not all users need these drive mappings, so you must ensure that only the right users get the mappings. You want to move away from using these scripts.

Answer: You can achieve this by using Group Policy preferences. There is an option to configure drive mappings, and you can use preference targeting to distribute the right mappings to the appropriate users.

Best Practices Related to Group Policy Management

• Make comments on GPO settings

• Use a Central Store for Administrative Templates when you have clients running Windows Vista and Windows 7

• Use Group Policy preferences to configure settings that are not available in Group Policy settings

• Use Group Policy Software Installation to deploy packages in .msi format to a large number of users or computers.

Tools

Tool: Group Policy reporting (RSoP)
Use for: Reporting information about the current policies being delivered to clients.
Where to find it: Group Policy Management Console

Tool: GPResult
Use for: A command-line utility that displays RSoP information.
Where to find it: Command-line utility

Tool: GPUpdate
Use for: Refreshing local and AD DS-based Group Policy settings.
Where to find it: Command-line utility

Tool: Dcgpofix
Use for: Restoring the default Group Policy objects to their original state after initial installation.
Where to find it: Command-line utility

Tool: GPOLogView
Use for: Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista and later versions.
Where to find it: Command-line utility

Lab Review Questions and Answers

Question: Describe the relationship between administrative template files (both .ADMX and .ADML files) and the GPME.

Answer: .ADMX files create the user interface for the GPME and determine the registry values that are applied when a policy setting is defined. .ADML files provide language-specific elements (the text) in the user interface.

Question: When does an enterprise get a central store? What benefits does it provide?

Answer: A central store is manually created by adding a PolicyDefinitions folder to \\domain\sysvol\domain\Policies. A central store provides a single point of management for administrative templates and reduces the size of Group Policy templates (GPTs).

Question: What are the advantages of managing Group Policy from a client running the latest version of Windows? Do the settings you manage apply to the previous versions of Windows?

Answer: If you manage Group Policy with a client running the latest version of Windows, you will be able to use the latest administrative templates, and you will be able to view settings that apply to this and all previous versions of Windows. The policy settings you configure will apply not based on the version of Windows from which you manage Group Policy, but rather on the versions of Windows to which the policy setting can apply.

Question: What is the alternate method of providing drive mapping to users, instead of using Preferences?

Answer: You can use the logon script configured in ordinary Group Policy settings.

Question: If you apply a Group Policy preferences setting, can you change this setting on the client side?

Answer: Yes, because Group Policy preferences do not enforce settings and do not block the user interface.

Question: Consider the NTFS permissions you applied to the Software and XML Notepad folders on NYC-SVR1. Explain why these least privilege permissions are preferred to the default permissions.

Answer: The default permissions on a new NTFS folder include inherited permissions that are not least privilege. First, the USERS group is given the ability to add files and folders. In a software distribution folder, only administrators who need to add new applications should have the ability to add files and folders. Second, CREATOR OWNER special identity is given full control. This means that whoever adds a file or folder gets an explicit permission that allows full control, which may or may not be appropriate for each file and folder added to a software deployment point. Third, the USERS group is also given the ability to read all files and folders, which will allow them to install any software in the software distribution folder. Because most software is licensed per computer or per user, you can improve your compliance by allowing only a specified group to read the installation files for each application. The SOFTWARE folder (the root) gives access (full control) only to Administrators and System. The application subfolder, for example, XML Notepad, gives read access to a group that is allowed to install the application, such as APP_XML Notepad. Those users can get to the subfolder even though they do not have access to the SOFTWARE folder. Windows allows all authenticated users the "traverse folders" privilege by default, which allows users to navigate to a specific subfolder to which they have access even if they do not have permission to a parent folder. The least privilege ACLs used in this Lab are a perfect example of the value of this user right.

Question: Consider the methods used to scope the deployment of XML Notepad: Assigning the application to computers, filtering the GPO to apply to the APP_XML Notepad group that contains only computers, and linking the GPO to the Client Computers OU. Why is this approach advantageous for deploying most software? What would be the disadvantage of scoping software deployment to users rather than to computers?

Answer: Most software is licensed per computer, so it is important to deploy such applications scoped to computers, rather than to users. The result is the same—the application is deployed to the computers of the users who require the application. If you were to deploy an application to users, it would "follow" the users to whichever computers they logged on to. For example, if a user is logged on to a conference room computer or to a colleague's computer, the application would be installed on those computers as well. By scoping to a group of computers, and linking the GPO to a high-level OU (or even to the domain), it gives you maximum flexibility to deploy the application to whichever computers require it.

Module 8 Managing Enterprise Security and Configuration with Group Policy Settings

Contents: Lesson 1: Manage Group Membership by Using Group Policy Settings 103

Lesson 2: Manage Security Settings 107

Lesson 4: Software Restriction Policy and AppLocker 110

Module Reviews and Takeaways 113

Lab Review Questions and Answers 114

Lesson 1

Manage Group Membership by Using Group Policy Settings

Contents: Detailed Demonstration Steps 104

Additional Reading 106

Detailed Demonstration Steps

Demonstration: Delegate Administration by Using Restricted Groups Policies

Detailed demonstration steps

1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.

2. On NYC-DC1 click Start, point to Administrative Tools and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

3. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.

4. Right-click the Group Policy Objects container, and then click New.

5. In the Name box, type Corporate Help Desk, and then click OK.

6. In the details pane, right-click Corporate Help Desk, and then click Edit.

The Group Policy Management Editor appears.

7. In Group Policy Management Editor, go to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.

8. Right-click Restricted Groups and click Add Group.

9. Click Browse and, in the Select Groups dialog box, type the name of the group you want to add to the Administrators group—for example, CONTOSO\Help Desk—and click OK.

10. Click OK to close the Add Group dialog box.

A Properties dialog box appears.

11. Click Add next to the This group is a member of section.

12. Type Administrators, and click OK.

The Properties group policy setting should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.

13. Click OK again to close the Properties dialog box.

Delegating the membership of the local Administrators group in this manner adds the group specified in step 9 to that group. It does not remove any existing members of the Administrators group. The Group Policy setting simply tells the client, “Make sure this group is a member of the local Administrators group.” This allows for the possibility that individual systems could have other users or groups in their local Administrators group. This group policy setting is also cumulative. If multiple GPOs configure different security principals as members of the local Administrators group, all will be added to the group.

To take complete control of the local Administrators group, follow these steps:

Demonstration Steps

1. In Group Policy Management Editor, go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups.

2. Right-click Restricted Groups, and click Add Group.

3. Type Administrators, and click OK.

A Properties dialog box appears.

4. Click Add next to the Members of this group section.

5. Click Browse and enter the name of the group you want to make the sole member of the Administrators group—for example, CONTOSO\Help Desk—and click OK.

6. Click OK again to close the Add Member dialog box.

The group policy setting Properties should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.

7. Click OK again to close the Properties dialog box.

When you use the Members setting of a restricted groups policy, the Members list defines the final membership of the specified group. The steps just listed result in a GPO that authoritatively manages the Administrators group. When a computer applies this GPO, it adds all members specified by the GPO and removes all members not specified by the GPO, including Domain Admins. Only the local Administrator account will not be removed from the Administrators group because Administrator is a permanent and irremovable member of Administrators.
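Because the Members setting is authoritative while the This group is a member of setting is cumulative, the actual membership of a computer's local Administrators group is worth auditing against what the policy is meant to produce. The following is an added example, not part of the course, that reads the group through the WinNT ADSI provider (so it works on Windows Server 2008 R2 and Windows 7 without newer cmdlets); the computer names and the expected member list are assumptions modelled on the demonstration.

```powershell
# Added example (not from the course): compare local Administrators membership on
# managed computers with the membership expected from the restricted groups policy.
$expectedMembers = @('CONTOSO\Help Desk', 'CONTOSO\Domain Admins', 'Administrator')  # assumed
$computers       = @('NYC-CL1', 'NYC-SVR1')                                           # assumed

function Get-LocalAdministratorsMember {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # ADsPath has the form WinNT://<domain or computer>/<account>
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts   = ($adsPath -replace '^WinNT://', '') -split '/'
        if ($parts[0] -eq $ComputerName) {
            $parts[1]                          # local account: report the bare name
        } else {
            "$($parts[0])\$($parts[1])"        # domain principal: DOMAIN\name
        }
    }
}

function Test-RestrictedGroupCompliance {
    param([string]$ComputerName, [string[]]$Expected)
    $actual = @(Get-LocalAdministratorsMember -ComputerName $ComputerName)
    New-Object PSObject -Property @{
        Computer   = $ComputerName
        Members    = $actual -join '; '
        # Present on the computer but not in the policy: extra local admins to investigate.
        Unexpected = @($actual   | Where-Object { $Expected -notcontains $_ }) -join '; '
        # Required by the policy but absent: the GPO has not applied or was overridden.
        Missing    = @($Expected | Where-Object { $actual   -notcontains $_ }) -join '; '
    }
}

$computers |
    ForEach-Object { Test-RestrictedGroupCompliance -ComputerName $_ -Expected $expectedMembers } |
    Format-List Computer, Members, Unexpected, Missing
```

With the authoritative Members variant described above, a non-empty Unexpected column on a computer that has refreshed policy indicates the GPO is not reaching that computer, since the policy would otherwise remove those members.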

Additional Reading

Define Group Membership with Group Policy Preferences

• Group Policy Management Console Help, "Local Users and Groups Extension"

Lesson 2

Manage Security Settings

Contents: Detailed Demonstration Steps 108

Additional Reading 109

Detailed Demonstration Steps

Demonstration: Create and Deploy Security Templates

Detailed demonstration steps

1. Start 6425C-NYC-DC1.

2. Log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.

3. Click Start and, in the search box, type mmc.exe and press Enter. When prompted, supply administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

4. Click File, and then click Add/Remove Snap-in.

5. In the Available snap-ins list, select Security Templates, then click Add.

6. Click OK.

7. Click File, and then click Save.

The Save As dialog box appears.

8. Type C:\Security Management, and then press Enter.

9. In the console tree, expand Security Templates.

10. Right-click C:\Users\Pat.Coleman_Admin\Documents\Security\Templates, and then click New Template.

11. Type DC Remote Desktop, and then click OK.

12. Click Start, point to Administrative Tools, and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

13. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.

14. In the details pane, right-click the Corporate Help Desk, and then click Edit.

The Group Policy Management Editor appears.

15. In the console tree, expand Computer Configuration, Policies, Windows Settings, and then click Security Settings.

16. Right-click Security Settings, and then click Import Policy.

17. Select the DC Remote Desktop template, and then click Open.

Additional Reading

Configure the Local Security Policy

• Server Security Policy Settings

Manage Security Configuration with Security Templates

• For full details regarding Secedit.exe and its switches, see

Security Configuration Wizard

• Security Configuration Wizard

Lesson 4

Software Restriction Policy and AppLocker

Contents: Detailed Demonstration Steps 111

Additional Reading 112

Detailed Demonstration Steps

Demonstration: How to Configure Application Control Policies

Detailed demonstration steps

Note: You require the 6425C-NYC-DC1 and 6425C-NYC-CL1 virtual machines to complete this demonstration. Log on to 6425C-NYC-DC1 as Contoso\Administrator with the password Pa$$w0rd. Do not start NYC-CL1 until directed to do so.

Create a GPO to enforce the default AppLocker Executable rules.

1. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.

2. Apply the GPO to the Contoso.com domain.

3. In the Group Policy Management window, expand Forest: Contoso.com.

4. Expand Domains.

5. Expand Contoso.com.

6. Expand Group Policy Objects.

7. Drag the WordPad Restriction Policy GPO on top of the Contoso.com domain container.

8. Click OK to link the GPO to the domain.

9. Close the Group Policy Management console.

10. Click Start, in the Search programs and files box, type cmd, and then press Enter.

11. In the Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to be updated.

Test the AppLocker rule.

1. Start NYC-CL1 and log on as Contoso\Alan.Brewer with the password Pa$$w0rd.

2. Click Start, in the Search programs and files box, type cmd, and then press Enter.

3. In the Command Prompt window, type gpupdate /force, and press Enter. Wait for the policy to be updated.

4. Click Start, click All Programs, click Accessories, and then click WordPad.

5. Click OK when prompted with a message.
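As an added check that is not part of the course material, the following PowerShell (run on NYC-CL1 after gpupdate) uses the AppLocker cmdlets that ship with Windows 7 and Windows Server 2008 R2 to confirm that the Application Identity service is running and to show which rule decides the outcome for WordPad and Notepad when Alan.Brewer runs them. The WordPad path is the default install location and is assumed.

```powershell
# Added example, not part of the course material. Run on the client (NYC-CL1)
# after the policy has been refreshed with gpupdate /force.
Import-Module AppLocker

# AppLocker rules are only enforced while the Application Identity service
# (AppIDSvc) is running; a stopped service is the usual reason a "blocked"
# application still starts.
$appId = Get-Service -Name AppIDSvc
if ($appId.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($appId.Status): AppLocker rules are not being enforced."
}

# The effective policy is the merge of the local policy and every GPO that
# applies to this computer, i.e. what the user actually runs against.
$effective = Get-AppLockerPolicy -Effective

# Files to evaluate (default install paths, assumed): WordPad is the program
# the demonstration blocks; notepad.exe lives under %WINDIR%, which the default
# Executable rules allow for Everyone, so it should still be permitted.
$paths = @(
    "$env:ProgramFiles\Windows NT\Accessories\wordpad.exe",
    "$env:windir\System32\notepad.exe"
)

# Test-AppLockerPolicy evaluates the policy for the named user without
# launching anything and reports the decision plus the rule that produced it
# (PolicyDecision: Allowed, Denied, AllowedByDefault or DeniedByDefault).
$effective |
    Test-AppLockerPolicy -Path $paths -User 'CONTOSO\Alan.Brewer' |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```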

Additional Reading

What Is a Software Restriction Policy?

• Using Software Restriction Policies to Protect Against Unauthorized Software

Overview of Application Control Policies

• AppLocker Overview

• AppLocker Walkthrough

Module Reviews and Takeaways

Review questions

1. Describe the procedure used to apply a security template to a computer.

Answer: Use the Security Configuration And Analysis snap-in to create a database. Import the template into the database, and then apply the database settings to the computer by using the Configure Computer Now command.

2. Why must AppLocker rules be defined in a GPO separate from SRP rules?

Answer: AppLocker rules are completely separate from SRP rules and cannot be used to manage pre-Windows 7 computers. The two policies are also separate. If AppLocker rules have been defined in a GPO, only those rules are applied. Therefore, define AppLocker rules in a separate GPO to ensure interoperability between SRP and AppLocker policies.

Windows Server 2008 R2 Features Introduced in This Module

Windows Server 2008 R2 feature: AppLocker
Description: Used to control how users can access and use applications

Lab Review Questions and Answers

Question: Using only restricted groups policies, what should you do to ensure that the only members of the local Administrators group on a client computer are the Help Desk in the site-specific Support group and to remove any other members from the local Administrators group?

Answer: This is a tricky question and requires some creative thinking. You can configure a Members policy setting for the Administrators group that adds the Administrator account. This has the effect of removing all other group members, and of course the Administrator account is already a member of the Administrators group and cannot be removed. Then, you can configure restricted group policy settings for the Help Desk and the site-specific Support groups, as you did in the lab. Alternatively, you could use a Local Group preference configured to delete all member users and groups.

Question: Describe a situation where you would use both security templates and the Security Configuration Wizard to secure a server.

Answer: Security templates contain some settings that are not available to the Security Configuration Wizard, such as restricted groups, for example. If you need to incorporate these additional settings, you can import a configured security template into the Security Configuration Wizard, and convert it to a GPO.

Question: What are the three major steps required to configure auditing of file system and other object access?

Answer: The three major steps are:

1. Configure auditing settings on the file/folder SACL.

2. Enable audit policy for object access in a GPO scoped to the server.

3. Examine event log audit entries.

Question: What systems should have auditing configured? Is there a reason not to audit all systems in your enterprise? What types of access should be audited, and by whom should they be audited? Is there a reason not to audit all access by all users?

Answer: Auditing should reflect IT security and usage policies. Auditing not only puts a (small) burden on the performance of a system, but also generates excessive “noise” that can make finding the “important” events even harder. What, who, and when auditing is performed should be aligned with why auditing is being performed—as driven by your business requirements.

Question: How can you permit access to only a specific set of applications for a set of computers in your environment?

Answer: Place the computers in an OU, create a GPO, and link it to the OU. In the GPO, configure the default AppLocker rules to block applications. Then, allow the applications you want the computers to have access to.

Module 9 Securing Administration

Contents: Lesson 1: Delegate Administrative Permissions 116

Lesson 2: Audit Active Directory Administration 120

Module Reviews and Takeaways 123

Lab Review Questions and Answers 125

Lesson 1

Delegate Administrative Permissions

Contents: Detailed Demonstration Steps 117

Additional Reading 119

Detailed Demonstration Steps

Demonstration: Assign a Permission by Using the Advanced Security Settings Dialog Box

Detailed Demonstration Steps

1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.

2. Click Start, point to Administrative Tools, and run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

3. Click the View menu and select Advanced Features.

4. Right-click an object such as a user account, and then choose Properties. For this example use Jeff Ford located in the User Accounts\Employees OU.

5. Click the Security tab.

6. Click the Advanced button.

7. Click the Add button.

If you have User Account Control enabled, you may need to click Edit, and perhaps enter administrative credentials, before the Add button appears.

8. In the Select dialog box, select the security principal to which permissions will be assigned.

It is an important best practice to assign permissions to groups, not to individual users.

In this example, select your Help Desk group, and then press ENTER. The Permission Entry dialog box appears.

9. Configure the permissions you want to assign.

For this example, on the Object tab, scroll down the list of Permissions, and then click Allow: Reset password.

10. Click OK to close each dialog box.

Demonstration: Delegate Administrative Tasks with the Delegation of Control Wizard

Detailed Demonstration Steps

1. On NYC-DC1, click Start, point to Administrative Tools, and run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

2. Right-click the node (domain or OU) for which you want to delegate administrative tasks or control, and choose Delegate Control.

In this example, select the Employees OU.

The Delegation of Control Wizard appears, to guide you through the required steps.

3. Click Next.

You will first select the administrative group to which you are granting privileges.

4. In the Users or Groups page, click the Add button.

a. Use the Select dialog box to select the group, and then click OK. For this example use the Help Desk group.

5. Click Next.

You will next specify the task you wish to assign to that group.

6. On the Tasks to Delegate page, select the task.

In this example, select Reset User Passwords and Force Password Change at Next Logon.

7. Click Next.

8. Review the summary of the actions that have been performed, and click Finish.

The Delegation of Control Wizard applies the ACEs that are required to enable the selected group to perform the specified task.

Additional Reading

Understand Effective Permissions

• The best way to manage delegation in Active Directory is through role-based access control. Although this approach will not be covered on the certification exam, it is well worth understanding for real-world implementation of delegation. See the Windows® Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft® Press, 2008) for more information.

Design an OU Structure to Support Delegation

• See the Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008) for much more detail regarding OU design.

Lesson 2

Audit Active Directory Administration

Contents: Detailed Demonstration Steps 121

Additional Reading 122

Detailed Demonstration Steps

Demonstration: Advanced Audit Policies

Detailed Demonstration Steps

To configure an advanced domain logon audit policy setting

1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.

2. Click Start, point to Administrative Tools, and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

3. In the console tree, double-click Forest: contoso.com, double-click Domains, and then double-click contoso.com.

4. Right-click Default Domain Policy, and then click Edit.

5. Double-click Computer Configuration, double-click Policies, and then double-click Windows Settings.

6. Double-click Security Settings, double-click Advanced Audit Policy Configuration, and then double-click Audit Policies.

7. Browse through the subcategories and show how to configure them. For example, open the Account Logon subnode and show the four types of auditing that can be configured for Account Logon events. Open each setting and show the Explain tab with the setting description.

8. Click Global Object Access Auditing.

9. Double-click File System, select the Define this policy setting check box, and then click the Configure button.

10. Click the Add button, add a user account of your choice, and then click OK.

11. In the Auditing Entry for Global File SACL dialog box, select the Successful and Failed check boxes for List folder/read data and Create files/write data.

Note When you use Advanced Audit Policy Configuration settings, you need to confirm that these settings are not overwritten by basic audit policy settings. The following procedure shows how to prevent conflicts by blocking the application of any basic audit policy settings.

To ensure that Advanced Audit Policy Configuration settings are not overwritten:

1. Double-click Security Settings, open Local Policies, and then click Security Options.

2. Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, and then click Define this policy setting.

3. Click Enabled, and then click OK.
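As an added verification step that is not part of the course material, the following PowerShell (run on NYC-DC1 after gpupdate /force) reads the effective audit policy with Auditpol, the command-line tool listed in this module, and checks the registry value behind the override setting just configured (SCENoApplyLegacyAuditPolicy under the LSA key).

```powershell
# Added example, not part of the course material. Run on the domain
# controller after the GPO has been refreshed with gpupdate /force.

# The security option "Audit: Force audit policy subcategory settings
# (Windows Vista or later) to override audit policy category settings" is
# stored as the DWORD SCENoApplyLegacyAuditPolicy under the LSA key; 1 means
# Enabled. Without it, a basic (category) audit setting from another GPO can
# silently replace the advanced (subcategory) settings.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    Write-Output 'Subcategory override: Enabled'
} else {
    Write-Warning 'Subcategory override is NOT enabled; basic audit policy can overwrite the advanced settings.'
}

# The four Account Logon subcategories shown in step 7. "auditpol /get ... /r"
# prints the effective setting as CSV; blank lines are dropped before parsing.
$subcategories = @(
    'Credential Validation',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'Other Account Logon Events'
)
$effective = foreach ($sub in $subcategories) {
    auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
}
$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# Flag any subcategory that is still at "No Auditing" once the GPO has applied.
$effective |
    Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
    ForEach-Object { Write-Warning "$($_.Subcategory) is not being audited." }

# Global Object Access Auditing (steps 8 to 11) is not a subcategory; the
# global file-system SACL configured there is listed separately.
auditpol /resourceSACL /type:File /view
```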

Additional Reading

Enable Audit Policy

• AD DS Auditing Step-by-Step Guide

Advanced Audit Policies

• Advanced Security Audit Policy Settings

Module Reviews and Takeaways

Review questions

Question: How does the Active Directory Users and Computers console indicate that you do not have permissions to perform a particular administrative task?

Answer: The console has different ways of indicating that you do not have permissions to perform a certain task. In some cases, the command that you cannot perform is trimmed (hidden) by the Active Directory Users and Computers snap-in. For example, when you tested whether Aaron Painter could create a new user in the Employees OU, the New menu was not available. In other cases, the command appears but you receive an error message if you attempt to perform it. For example, when Aaron Painter tried to disable Jeff Ford's account or reset Pat Coleman's administrative account password, the command was executed but returned an error message because Aaron's access was denied.

Question: What is the benefit of a two-tiered, role-based management group structure when assigning permissions in Active Directory?

Note Role-based management is a detailed topic. There are other aspects of role-based management such as discipline and auditing that are required to ensure that the members of a group such as AD_UserAccounts_Support have the permissions they are supposed to have. You also need to ensure that the members of this group have no other permissions, and that no other users or groups have been delegated the same permissions.

Answer: There are several benefits. First, it allows you to change "who can do what" without changing a single ACL in Active Directory. If another group or user needs to be able to reset Employee passwords, simply add that group (or user) to the AD_UserAccounts_Support group. Second, it makes it easier to report delegation. If you list the members (including nested users) of AD_UserAccounts_Support, you instantly know who has permission to reset passwords for users in the User Accounts OU. In other words, role-based management helps overcome some of the difficulties that were identified with reporting.

Question: What is the main benefit of using new Advanced Audit Policies?

Answer: New Audit policies provide much more detailed control over auditing and reporting, which enables administrators to narrow their search for specific information in Security Logs. Also, new policies provide some additional possibilities for auditing such as Global Object Access auditing, and also provide some additional information like in Reason for Access auditing.

Common Issues related to Secure Administration

Issue: There is no un-delegate command or wizard after you finish delegation of control.
Troubleshooting tip: Edit the DACL of the OU where you delegated administrative control and remove the identities that you want to un-delegate.

Issue: Reason for Access auditing is not working.
Troubleshooting tip: Check whether you have enabled the Audit Handle Manipulation setting and that you are running Windows 7 or Windows Server 2008 R2.

Best Practices Related to Secure Administration

• Use Delegation of Control Wizard to delegate administrative control instead of placing users in built-in administrative groups.

• Use Advanced Audit Policies for better and more granular audit control.

• Avoid using the block inheritance option when configuring permissions.

Tools

Tool: Group Policy Management Console
Used for: Editing security policy
Where to find it: Administrative Tools

Tool: Delegation of Control Wizard
Used for: Delegating administrative control over an OU
Where to find it: Active Directory Users and Computers

Tool: Auditpol
Used for: Configuring auditing
Where to find it: Command-line utility

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature: Advanced Audit Policies
Description: New settings in a Group Policy object for more detailed auditing of various system events

Windows Server 2008 R2 feature: Global Object Access Auditing
Description: Method to audit at the server level instead of at the object level

Windows Server 2008 R2 feature: Reason for access reporting
Description: New feature that allows administrators to see why someone was able to access a resource that is being audited.

Lab Review Questions and Answers

Question: When you evaluated the effective permissions for April Meyer on the User Accounts OU, why didn't you see permissions such as Reset Password in this list? Why did the permission appear when you evaluated effective permissions for Aaron Painter on Aaron Lee's user account?

Answer: The Effective Permissions list is showing the permissions that apply to the selected object, which in the first case is an organizational unit. One cannot reset the password of an organizational unit, so that permission is not available to be evaluated.

When you assign permissions to reset passwords on the OU, the permission does not actually apply to the OU itself; rather it applies to descendent user objects within the OU. The OU is a container, so permissions are available that specify what types of objects can be created in the OU.

When you examined permissions on Aaron Lee's user account, the Reset permission appeared because it is available for user accounts.

Question: Does Windows make it easy to answer the following questions:

• Who can reset user passwords?

• What can XXX do as an administrator?

Answer: Lead a discussion that addresses the difficulty of reporting delegation. The user interfaces and command-line tools are neither detailed nor "administrator-friendly" enough to be useful reporting tools.
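As an added example that is not part of the course material, the following PowerShell does the reporting this answer says the built-in tools make hard, and complements the Delegation of Control Wizard demonstration in Lesson 1: it reads the DACL of the delegated OU and lists every principal holding the Reset Password right on the user objects beneath it, expanding groups such as the Help Desk to their nested members. The OU distinguished name is assumed from the User Accounts\Employees path named in Lesson 1; the two GUIDs are the schema-defined identifiers of the Reset Password control access right and the user object class.

```powershell
# Added example, not part of the course material. Requires the Active
# Directory module (Windows Server 2008 R2 / RSAT) and its AD: drive.
Import-Module ActiveDirectory

# Assumed distinguished name of the demonstration OU ("User Accounts\Employees").
$ouDn = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com'

# Schema-defined GUIDs (identical in every AD forest).
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password control access right
$userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class
$anyObject          = [guid]::Empty                                 # ACE not scoped to one right / class

$acl = Get-Acl -Path "AD:\$ouDn"

# An ACE on the OU lets a principal reset passwords of users beneath it when:
#  - it is an Allow ACE whose rights include ExtendedRight (GenericAll does),
#  - ObjectType is the Reset Password GUID, or empty (= all extended rights),
#  - InheritedObjectType is the user class, or empty (= all classes),
#  - it is set to inherit, because the right never applies to the OU itself.
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$resetAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
    ($_.ObjectType -eq $resetPasswordRight -or $_.ObjectType -eq $anyObject) -and
    ($_.InheritedObjectType -eq $userClass -or $_.InheritedObjectType -eq $anyObject) -and
    $_.InheritanceType -ne 'None'
}

$report = foreach ($ace in $resetAces) {
    $name = $ace.IdentityReference.Value.Split('\')[-1]
    # Resolve the identity; well-known SIDs such as NT AUTHORITY\SELF have no
    # directory object and are reported without a member list.
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$name'" -Properties objectClass
    $members = if ($obj -and $obj.objectClass -eq 'group') {
        (Get-ADGroupMember -Identity $name -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty SamAccountName) -join ', '
    } else {
        '(not a group)'
    }
    $right = if ($ace.ObjectType -eq $resetPasswordRight) { 'Reset Password' }
             else { "$($ace.ActiveDirectoryRights) (all rights)" }

    New-Object PSObject -Property @{
        Identity         = $ace.IdentityReference.Value
        Right            = $right
        Inherited        = $ace.IsInherited   # True = came from a parent such as the domain
        EffectiveMembers = $members
    }
}

$report | Select-Object Identity, Right, Inherited, EffectiveMembers | Format-Table -AutoSize -Wrap
```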

Question: What is the impact of resetting the ACL of an OU back to its schema-defined default?

Answer: You don't necessarily know what permissions are applied to the OU unless you find some way to do detail reporting. Moreover, you don't necessarily know why those permissions were assigned to the OU or by whom. There may be good reasons for some custom and explicit permissions, and removing them may cause something in your environment to break. For example, when you install Microsoft Exchange Server, explicit permissions are applied to certain Active Directory objects.

Question: What details are captured by Directory Services Changes auditing that are not captured by Directory Service Access auditing?

Answer: Directory Services Changes auditing captures important details, including the specific attribute that is changed and the change that was made.

Question: Which type of administrative activities would you want to audit by using Directory Services Changes auditing?

Answer: Lead a discussion to elicit suggestions from students. Pose the question: Why not audit all changes in Active Directory? Answer: The volume of event log entries would make finding particularly important changes difficult. Guide students to an understanding that the configuration of Directory Services auditing should be driven by the requirements of an organization's IT Security policies and procedures.

Module 10 Improving the Security of Authentication in an AD DS Domain

Contents: Lesson 1: Configure Password and Lockout Policies 127

Lesson 3: Configure Read-Only Domain Controllers 132

Module Reviews and Takeaways 136

Lab Review Questions and Answers 138

Lesson 1

Configure Password and Lockout Policies

Contents: Detailed Demonstration Steps 128

Additional Reading 131

Detailed Demonstration Steps

Demonstration: Configure Domain Account Policies

Detailed Demonstration Steps

1. Start 6425C-NYC-DC1 and log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.

2. Run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

3. In the console tree, expand Forest:contoso.com, Domains, and contoso.com.

4. Right-click Default Domain Policy underneath the contoso.com domain, and then click Edit.

• You may be prompted with a reminder that you are changing the settings of a GPO. If so, click OK.

• Group Policy Management Editor opens.

5. In the console tree, expand Computer Configuration, Policies, Windows Settings, Security Settings, and Account Policies, and then click Password Policy.

6. Double-click the following policy settings in the console details pane and configure the settings as indicated:

• Enforce password history: 20 passwords remembered

• Maximum password age: 90 Days

• Minimum password age: 7 days

• Minimum password length: 8 characters

• Password must meet complexity requirements: Enabled

7. Close the Group Policy Management Editor window.

8. Close the Group Policy Management window.

Demonstration: Configure Fine-Grained Password Policy

Detailed Demonstration Steps

1. Run Active Directory Users and Computers with administrative credentials and verify that the current domain functional level is Windows Server 2008. Use the user name Pat.Coleman_Admin and the password Pa$$w0rd.

2. Run ADSI Edit with administrative credentials. Use the user name Pat.Coleman_Admin and the password Pa$$w0rd.

3. Right-click ADSI Edit, and then click Connect To.

4. Accept all defaults. Click OK.

5. In the console tree, click Default Naming Context.

6. In the console tree, expand Default Naming Context, and then expand DC=contoso,DC=com, and then click CN=System.

7. In the console tree, expand CN=System, and then click CN=Password Settings Container.

All PSOs are created and stored in the Password Settings Container (PSC).

8. Right-click CN=Password Settings Container, point to New, and then click Object.

The Create Object dialog box appears. It prompts you to select the type of object to create. There is only one choice: msDS-PasswordSettings—the technical name for the object class referred to as a PSO.

9. Click Next.

You are then prompted for the value for each attribute of a PSO. The attributes are similar to those found in the domain account policies.

10. Configure each attribute as indicated below. Click Next after each attribute.

• cn: My Domain Admins PSO. This is the common name of the PSO.

• msDS-PasswordSettingsPrecedence: 1. This PSO has the highest possible precedence.

• msDS-PasswordReversibleEncryptionEnabled: False. The password is not stored using reversible encryption.

• msDS-PasswordHistoryLength: 30. The user cannot reuse any of the last 30 passwords.

• msDS-PasswordComplexityEnabled: True. Password complexity rules are enforced.

• msDS-MinimumPasswordLength: 15. Passwords must be at least 15 characters long.

• msDS-MinimumPasswordAge: 1:00:00:00. A user cannot change his or her password within one day of a previous change. The format is d:hh:mm:ss (days, hours, minutes, seconds).

• msDS-MaximumPasswordAge: 45:00:00:00. The password must be changed every 45 days.

• msDS-LockoutThreshold: 5. Five invalid logons within the time frame specified by XXX (the next attribute) will result in account lockout.

• msDS-LockoutObservationWindow: 0:01:00:00. Five invalid logons (specified by the previous attribute) within one hour will result in account lockout.

• msDS-LockoutDuration: 1:00:00:00. An account, if locked out, will remain locked for one day, or until it is unlocked manually. A value of zero will result in the account remaining locked out until an administrator unlocks it.

11. Click Finish and close ADSI Edit.

12. Run Active Directory Users and Computers as before and in the console tree, expand the System container.

If you do not see the System container, then click the View menu of the MMC console, and ensure that Advanced Features is selected.

13. In the console tree, click the Password Settings Container.

14. Right-click My Domain Admins PSO, click Properties and then click the Attribute Editor tab.

15. In the Attributes list, select msDS-PSOAppliesTo, and then click Edit.

The Multi-valued Distinguished Name With Security Principal Editor dialog box appears.

16. Click Add Windows Account.

The Select Users, Computers, or Groups dialog box appears.

17. Type Domain Admins, and then press Enter.

18. Click OK twice to close the open dialog boxes.

19. In the console tree, expand the contoso.com domain and the Admins OU, and then click the Admin Identities OU.

20. Right-click Pat Coleman (Administrator) and click Properties.

21. Click the Attribute Editor tab.

22. Click the Filter button, and click the Constructed option, so that it is selected.

23. Open the value of the msDS-ResultantPSO attribute.
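As an added example that is not part of the course material, the following PowerShell creates the same PSO the ADSI Edit steps build, using the Active Directory module cmdlets included with Windows Server 2008 R2, links it to Domain Admins, and reads the resultant policy for Pat.Coleman_Admin as step 23 does through msDS-ResultantPSO. The final precedence check is not in the demonstration; it catches the duplicate-precedence condition this module's troubleshooting notes describe.

```powershell
# Added example, not part of the course material. Run with the
# Pat.Coleman_Admin credentials on NYC-DC1; fine-grained password policies
# need the Windows Server 2008 domain functional level verified in step 1.
Import-Module ActiveDirectory

$psoName = 'My Domain Admins PSO'

# Same values as the ADSI Edit attributes, in the same order. The d:hh:mm:ss
# values become TimeSpans; msDS-PasswordSettingsPrecedence is -Precedence.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 1 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 30 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 45) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Hours 1) `
    -LockoutDuration (New-TimeSpan -Days 1)

# msDS-PSOAppliesTo (steps 15 to 18): link the PSO to the Domain Admins group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# msDS-ResultantPSO (steps 20 to 23): the policy the DC actually enforces for
# the account once precedence is resolved across every PSO that applies to it.
Get-ADUserResultantPasswordPolicy -Identity 'Pat.Coleman_Admin' |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration |
    Format-List

# Two PSOs with the same precedence value are resolved by the lower objectGUID,
# which no administrator chooses; report any clash so it can be corrected.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Group-Object Precedence |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
        Write-Warning "Precedence $($_.Name) is shared by: $names"
    }
```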

Additional Reading

Configure the Domain Password and Lockout Policy

• Fine-Grained Password and Lockout Policy

• Windows Server 2003 Security Guide Chapter 3: The Domain Policy:

Demonstration: Configure Fine-Grained Password Policy

• AD DS: Fine-Grained Password Policies:

• AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide:

Lesson 3

Configure Read-Only Domain Controllers

Contents: Detailed Demonstration Steps 133

Additional Reading 135

Detailed Demonstration Steps

Demonstration: Configure a Password Replication Policy

Detailed Demonstration Steps

Provision a Read-Only Domain Controller Account and delegate permissions

Note Before performing this demonstration, if the Domain Controller object for BRANCHDC01 does not yet exist, pre-create it on NYC-DC1 using these steps:

1. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

2. In the console tree, expand the contoso.com domain, and then click the Domain Controllers OU.

3. Right-click Domain Controllers and click Pre-create Read-only Domain Controller Account. The Active Directory Domain Services Installation Wizard appears.

4. Click Next.

5. On the Operating System Compatibility page, click Next.

6. On the Network Credentials page, click Next.

7. On the Specify the Computer Name page, type BRANCHDC01, and then click Next.

8. On the Select a Site page, click Next.

9. On the Additional Domain Controller Options page, click Next. Note that the Read-only domain controller option is selected and cannot be cleared. That is because, of course, you launched the wizard by choosing to pre-create a read-only domain controller account.

10. On the Delegation of RODC Installation and Administration page, click the Set button. The Select User or Computer dialog box appears.

11. Type Aaron.Painter_Admin, and then press Enter.

12. Click Next.

13. Review your selections on the Summary page, and then click Next.

14. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

Configure a password replication policy

1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.

2. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

3. In the console tree, click the Domain Controllers OU.

4. Right-click BRANCHDC01 and click Properties.

5. Click the Password Replication Policy tab and view the default policy.

6. Click Cancel to close the BRANCHDC01 properties.

7. In the Active Directory Users and Computers console tree, click the Users container.

8. Double-click Allowed RODC Password Replication Group.

9. Click the Members tab.

10. Examine the default membership of Allowed RODC Password Replication Group.

11. Click OK.

12. Double-click Denied RODC Password Replication Group.

13. Click the Members tab.

14. Click Cancel to close the Denied RODC Password Replication Group properties.

Demonstration: Administer RODC Credentials Caching

Detailed Demonstration Steps

1. In the Active Directory Users and Computers console tree, click the Domain Controllers OU.

2. In the details pane, right-click BRANCHDC01, and then click Properties.

3. Click the Password Replication Policy tab.

4. Click Advanced. The Advanced Password Replication Policy for BRANCHDC01 dialog box appears. The Policy Usage tab displays Accounts whose passwords are stored on this Read-Only Domain Controller.

5. From the drop-down list, select Accounts Whose Passwords Are Stored On This Read-Only Domain Controller.

6. From the drop-down list, select Accounts that have been authenticated to this Read-only Domain Controller.

7. Click the Resultant Policy tab, and then click Add. The Select Users or Computers dialog box appears.

8. Type Chris.Gallagher, and then press Enter.

9. Click the Policy Usage tab.

10. Click Prepopulate Passwords. The Select Users or Computers dialog box appears.

11. Type the name of the account you want to prepopulate (for example, type Chris.Gallagher), and then click OK.

12. Click Yes to confirm that you want to send the credentials to the RODC. The following message typically appears: Passwords for all accounts were successfully prepopulated. Note that for this demonstration BRANCHDC01 is not running, so an error is observed instead. Click OK.

13. Click Close.
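As an added example that is not part of the course material, the following PowerShell performs the same review with the Active Directory module cmdlets included with Windows Server 2008 R2: the Allowed and Denied lists for BRANCHDC01, the two Policy Usage views, the resultant policy for Chris.Gallagher, and a check that no account on the Denied list still has its password cached on the RODC, which is the exposure the physical-security discussion in this module is about. Names are the ones used in the demonstration; the RODC does not need to be online because the policy and usage data live on its computer object.

```powershell
# Added example, not part of the course material. Run with the
# Pat.Coleman_Admin credentials against a writable domain controller.
Import-Module ActiveDirectory

$rodc = 'BRANCHDC01'

# Password Replication Policy tab: the Allowed and Denied lists.
Write-Output "Allowed list for ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object -ExpandProperty Name
Write-Output "Denied list for ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object -ExpandProperty Name

# Advanced > Policy Usage: the two drop-down views from steps 5 and 6.
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts
Write-Output "$(@($revealed).Count) account(s) have passwords stored on $rodc; $(@($authenticated).Count) have authenticated to it."

# Advanced > Resultant Policy (steps 7 and 8) for one account.
$resultant = Get-ADAccountResultantPasswordReplicationPolicy -Identity 'Chris.Gallagher' -DomainController $rodc
Write-Output "Resultant policy for Chris.Gallagher on ${rodc}: $resultant"

# Defender's check: a password cached on the RODC stays cached until it is
# changed, even if the account is later placed on the Denied list. Expand
# every Denied entry to its nested members and flag any that is still cached.
$deniedMembers = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    ForEach-Object {
        if ($_.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $_.DistinguishedName -Recursive -ErrorAction SilentlyContinue
        } else {
            $_
        }
    } |
    Select-Object -ExpandProperty DistinguishedName -Unique

$exposed = $revealed | Where-Object { $deniedMembers -contains $_.DistinguishedName }
if ($exposed) {
    $names = ($exposed | ForEach-Object { $_.SamAccountName }) -join ', '
    Write-Warning "Cached on $rodc but on the Denied list (reset these passwords): $names"
} else {
    Write-Output "No Denied-list account has a password cached on $rodc."
}
```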

Additional Reading

Installing an RODC

• For details regarding other options for installing an RODC, including delegated installation, see

Administrative Role Separation

• RODCs are a valuable new feature for improving authentication and security in branch offices. Be sure to read the detailed documentation on the Microsoft Web site at

Module Reviews and Takeaways

Review Questions

Question: In your organization, a number of users deal with confidential files on a regular basis. You need to ensure that all these users have strict account policies enforced. The user accounts are scattered across multiple OUs. How would you accomplish this with the least administrative effort?

Answer: Create a shadow global group and place all the appropriate users into that group. Then create and assign a PSO to the group.

Question: Where should you define the default password and account lockout policies for user accounts in the domain?

Answer: Configure the baseline password and account lockout policies in the Default Domain Policy GPO.

Question: What would be the disadvantage of auditing all successful and failed logons on all machines in your domain?

Answer: Such an audit policy would generate a tremendous amount of audit entries across every machine in your domain. Managing the security event logs and locating the events that indicate potential problems would be very difficult. It is best to align your audit policy with specific, narrowly-targeted auditing goals and requirements of your organization.

Question: What are the advantages and disadvantages of prepopulating the credentials for all users and computers in a branch office to that branch's RODC?

Answer: There is no clear-cut answer to this question; use it to review the strategic role of an RODC. Prepopulating the credentials of branch users and computers in the RODC cache maximizes authentication performance on the first logon (after that, the credentials are cached anyway because the accounts are on the Allow list), and it ensures that users can authenticate even if the WAN link is unavailable at first logon. The disadvantage is that if the physical security of the RODC is breached, those credentials are exposed even for users who have never logged on in the branch. Prepopulate only the accounts that actually work in that branch.

Common Issues Related to Authentication in Active Directory

Issue: A user is not forced to change the password even though that setting is configured in the Default Domain Policy.
Tip: Check the user account properties in Active Directory Users and Computers. The Password never expires option might be enabled for that specific user.

Issue: A user or group does not have the right PSO applied.
Tip: Check whether you have created multiple PSOs and linked them to the same user or group. If so, compare their Precedence values: the lowest value wins, and a PSO linked directly to the user always beats a PSO linked through a group. Confirm the outcome by reading the user's msDS-ResultantPSO attribute.

Issue: You cannot deploy an RODC.
Tip: Check that the domain has at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2, that the forest functional level is Windows Server 2003 or higher, and that adprep /rodcprep has been run in the forest.

Page 137: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 137

Real World Issues and Scenarios

Question: You must ensure that all users change their password every 30 days. Company procedures specify that if a user's password will expire while the user is out of the office, the user may change the password prior to departure. You must account for a user who is out of the office for up to two weeks. Additionally, you must ensure that a user cannot reuse a password within a one-year time period. How would you configure account policies to accomplish this?

Answer: One possible solution is to set the maximum password age to 30 days, the minimum password age to about two weeks, and the password history to 22 passwords:

• Max password age: 30 days.

• Min password age: 16 days (answers between 14 and 17 are acceptable). A user who leaves exactly two weeks before the password expires, that is on day 16 of the 30-day cycle, must be allowed to change it on the day of departure, so the minimum age cannot exceed 30 - 14 = 16 days.

• Enforce password history: 22 (answers between 22 and 27 are acceptable). A user who changes the password as often as the minimum age allows can set a new one every 16 days. With a history of N passwords, the original password becomes reusable only on the (N + 1)th change, that is after (N + 1) x 16 days, so N must be at least 365 / 16 rounded down, which is 22. A shorter minimum age needs a longer history (365 / 14 gives 26).
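The calculation above, carried through as an added example in Python (not code from the courseware). It simulates the three policy settings for a user who changes the password as early as the minimum age allows every time, which is the worst case for reuse, and derives the required history length from that simulation. The "as early as allowed" pattern and the function names are assumptions of the example.

```python
"""Added example for this scenario; it is not code from the 6425C text. The
functions simulate how three Default Domain Policy settings interact:
Maximum password age, Minimum password age and Enforce password history
(the number of unique new passwords required before an old one may be
reused). Day counts are the scenario's own; the "as early as allowed"
change pattern is an assumption that models the worst case."""


def latest_min_age(max_age_days: int, absence_days: int) -> int:
    """Largest Minimum password age that still lets a user who leaves
    `absence_days` before expiry change the password on the day of departure.
    A larger minimum age is preferable because it shrinks the history needed."""
    if absence_days > max_age_days:
        raise ValueError("absence longer than the whole password lifetime")
    return max_age_days - absence_days


def earliest_reuse_day(history: int, min_age_days: int) -> int:
    """Day on which the original password is accepted again by a user who
    changes the password every time the minimum age permits it.
    The current password always counts as one of the `history` remembered."""
    remembered = ["p0"]            # newest last
    day = 0
    n = 0
    while True:
        day += min_age_days        # the earliest day a change is allowed
        n += 1
        recent = remembered[-history:] if history > 0 else []
        if "p0" not in recent:
            return day             # reuse succeeds on this change
        remembered.append(f"p{n}")  # forced to pick a new password


def minimum_history(min_age_days: int, reuse_window_days: int) -> int:
    """Smallest Enforce password history value that pushes the earliest
    possible reuse past the window. Found by simulation; algebraically it is
    reuse_window_days // min_age_days, the rule of thumb the answer gives."""
    h = 0
    while earliest_reuse_day(h, min_age_days) <= reuse_window_days:
        h += 1
    return h


def plan_policy(max_age_days=30, absence_days=14, reuse_window_days=365) -> dict:
    """Derive the three settings for the scenario and the day on which reuse
    would first be possible under them, so the margin can be inspected."""
    min_age = latest_min_age(max_age_days, absence_days)
    history = minimum_history(min_age, reuse_window_days)
    return {
        "max_password_age": max_age_days,
        "min_password_age": min_age,
        "enforce_password_history": history,
        "earliest_reuse_day": earliest_reuse_day(history, min_age),
    }


if __name__ == "__main__":
    for key, value in plan_policy().items():
        print(f"{key}: {value}")
    print("with a minimum age of 14 the history must be", minimum_history(14, 365))
```

Running the block prints the scenario's settings (16 days, 22 passwords) and shows that the original password only becomes reusable on day 368; dropping the history to 21 moves that to day 352, inside the one-year window.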

Best Practices Related to Authentication in an AD DS Domain

• Use the Default Domain Policy GPO to specify the general password and account lockout policies that apply to most users.

• Use fine-grained password policy (PSOs) to specify stricter password and account lockout policies for specific users and groups, such as accounts with administrative privileges and service accounts.

• Do not enable every audit category: the security logs will fill with entries that are hard to search. Use the advanced audit policy settings for more granular control.

• Deploy RODCs in sites where physical security cannot be guaranteed, and keep their password replication policy limited to the accounts that work in that site.

Tools

Tool: Group Policy Management console
Used for: Editing and managing Group Policy objects
Where to find it: Administrative Tools

Tool: ADSI Edit
Used for: Creating Password Settings Objects
Where to find it: Administrative Tools

Tool: Dcpromo
Used for: Creating and managing domain controllers
Where to find it: Command-line utility

Windows Server 2008 R2 Features Introduced in this Module

Feature: Advanced Audit Policies
Description: New settings in Group Policy for more detailed auditing of various system events

Page 138: 6425C ENU Companion

138 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Lab Review Questions and Answers Question: What are the best practices for managing PSOs in a domain?

Answer: Each PSO must fully define the appropriate password and account lockout policies, because PSOs do not "merge." Link PSOs to global groups, not to individual user accounts. Ensure that each PSO has a unique precedence value, so that the winning PSO never depends on a GUID tie-break.

Question: How can you define a unique password policy for all the service accounts in the Service Accounts OU?

Answer: PSOs cannot be linked to an OU. Create a global group, add the accounts that are in the Service Accounts OU to it, and link a PSO to that group. Nothing ties OU membership to the group automatically, so new service accounts must be added to the group when they are created.
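The rules behind these answers (no merging, direct links beat group links, lowest precedence wins, equal precedence falls back to the lowest GUID) as an added Python example; it is not code from the courseware or from Microsoft. The PSO names, GUIDs, group DNs and user DNs are constructed for the example.

```python
"""Resultant PSO selection, written for this page as an added example (not
code from the 6425C courseware or from Microsoft). It models the rules the
review answers describe: PSOs do not merge, a PSO linked directly to the user
beats any PSO reached through group membership, the lowest precedence value
wins among the remaining candidates, and equal precedence falls back to the
lowest objectGUID. All PSO names, GUIDs and DNs below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pso:
    name: str
    precedence: int        # msDS-PasswordSettingsPrecedence; lower value wins
    guid: str              # objectGUID, used only as the tie-breaker
    applies_to: frozenset  # msDS-PSOAppliesTo: DNs of users and global groups


@dataclass(frozen=True)
class User:
    dn: str
    groups: frozenset      # DNs of the global groups the user belongs to


def resultant_pso(user: User, psos: list) -> Optional[Pso]:
    """Return the PSO AD DS would expose in msDS-ResultantPSO, or None when
    the Default Domain Policy settings apply."""
    candidates = [p for p in psos if user.dn in p.applies_to]
    if not candidates:
        # Group-linked PSOs count only when no PSO is linked directly.
        candidates = [p for p in psos if p.applies_to & user.groups]
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, p.guid))


def duplicate_precedences(psos: list) -> list:
    """Precedence values shared by more than one PSO; the best-practice answer
    asks for these to be unique so the result never depends on GUID order."""
    counts = {}
    for p in psos:
        counts[p.precedence] = counts.get(p.precedence, 0) + 1
    return sorted(v for v, n in counts.items() if n > 1)


# Constructed directory data for the Service Accounts scenario.
SVC_GROUP = "CN=Service Accounts,OU=Groups,DC=contoso,DC=com"
ADMIN_GROUP = "CN=Domain Admins,CN=Users,DC=contoso,DC=com"
SVC_BACKUP_DN = "CN=svc-backup,OU=Service Accounts,DC=contoso,DC=com"

PSOS = [
    Pso("ServiceAccounts-PSO", 20, "c5c9d4e0-0000-4a2b-9c3d-000000000001",
        frozenset({SVC_GROUP})),
    Pso("Admins-PSO", 10, "c5c9d4e0-0000-4a2b-9c3d-000000000002",
        frozenset({ADMIN_GROUP})),
    # Linked directly to one account: wins for that account despite precedence 100.
    Pso("Exception-PSO", 100, "c5c9d4e0-0000-4a2b-9c3d-000000000003",
        frozenset({SVC_BACKUP_DN})),
]

SVC_BACKUP = User(SVC_BACKUP_DN, frozenset({SVC_GROUP, ADMIN_GROUP}))
SVC_WEB = User("CN=svc-web,OU=Service Accounts,DC=contoso,DC=com",
               frozenset({SVC_GROUP}))
PAT = User("CN=Pat Coleman,OU=Users,DC=contoso,DC=com", frozenset())

if __name__ == "__main__":
    for u in (SVC_BACKUP, SVC_WEB, PAT):
        r = resultant_pso(u, PSOS)
        print(u.dn.split(",")[0], "->", r.name if r else "Default Domain Policy")
    print("duplicate precedence values:", duplicate_precedences(PSOS))
```

Running it shows svc-backup getting Exception-PSO even though it is also a member of a group with a precedence-10 PSO, svc-web getting ServiceAccounts-PSO, and Pat falling back to the Default Domain Policy; duplicate_precedences is the check to run before linking a new PSO.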

Question: You have been asked to audit attempts to log on to desktops and laptops in the Finance division by using local accounts such as Administrator. What type of audit policy do you set, and in what GPO(s)?

Answer: You will need to enable auditing for successful and failed account logon events. However, the accounts you are interested in are local accounts, which are authenticated by the local security authority on each desktop and laptop. Therefore, you will need to enable auditing in a GPO that is scoped to apply to the desktops and laptops in the Finance division. The settings do not need to be scoped to domain controllers.

Question: Why should you ensure that the password replication policy for a branch office RODC has, in its Allow list, the accounts for the computers in the branch office as well as the users?

Answer: Computers must authenticate to the domain as well as users, so the logic is the same as with users: you want to improve authentication performance over the WAN and ensure that authentication can continue even if the WAN link is unavailable.

Question: What would be the most manageable way to ensure that computers in a branch are in the Allow list of the RODC's password replication policy?

Answer: Create a global group for the branch computers, for example Branch Office Computers, add the computer accounts to it, and put the group in the Allow list of the password replication policy.

Page 139: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 139

Module 11 Configuring Domain Name System

Contents: Lesson 2 : Integration of AD DS, DNS, and Windows 140

Lesson 3 : Advanced DNS Configuration and Administration 143

Module Reviews and Takeaways 145

Lab Review Questions and Answers 147

Page 140: 6425C ENU Companion

140 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Lesson 2

Integration of AD DS, DNS, and Windows

Contents: Detailed Demonstration Steps 141

Page 141: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 141

Detailed Demonstration Steps

Demonstration: SRV Resource Records Registered by AD DS Domain Controllers

Detailed Demonstration Steps If the virtual machines are not already started, perform these steps.

1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.

2. Open D:\Labfiles\Lab11b.

3. Run Lab11b_Setup.bat with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd. The lab setup script runs. When it is complete, press any key to continue.

4. Close the Windows Explorer window, Lab11b.

5. Start 6425C-NYC-DC2.

6. Log on to NYC-DC2 as Pat.Coleman with the password Pa$$w0rd.

7. Start 6425C-BRANCHDC02. Do not log on. Wait for BRANCHDC02 to complete startup before continuing.

When all the virtual machines are ready, perform the following steps.

1. On 6425C-NYC-DC1, run DNS Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

2. In the console tree, expand NYC-DC1, Forward Lookup Zones, and contoso.com, and then click the _tcp node. Examine the SRV records.

3. In the console tree, expand NYC-DC1, Forward Lookup Zones, contoso.com, _sites, Default-First-Site-Name, and then click the _tcp node. Examine the SRV records.

4. Run Command Prompt with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

5. Type nslookup, and then press Enter.

6. Type set type=srv, and then press Enter.

7. Type _ldap._tcp.contoso.com, and then press Enter. Type Exit and then press Enter.

8. Switch to DNS Manager.

9. In the console tree, expand NYC-DC1, Forward Lookup Zones, and contoso.com, and then click the _tcp node.

10. Right-click the SRV records for NYC-DC1.contoso.com, and then click Delete.

11. Switch to Command Prompt.

12. Type net stop netlogon, and then press Enter.

13. Type net start netlogon and then press Enter.

14. Switch to DNS Manager.

15. In the console tree, right-click the _tcp node, and then click Refresh. Examine the SRV records for NYC-DC1.contoso.com.

Page 142: 6425C ENU Companion

142 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

16. Click Start, and in the Start Search box, type notepad.exe.

Note You should run this with administrative credentials to open the netlogon file in the next step.

17. Click File, click Open, type %systemroot%\system32\config\netlogon.dns in the File Name box, and then press Enter.

18. Examine the default SRV records.
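The comparison the demonstration makes by eye (the records in netlogon.dns against what the _tcp node actually holds after re-registration) as an added Python example; it is not courseware or Microsoft code. The record lines are constructed in the one-record-per-line format netlogon.dns uses and stand in for a dump of the zone; the minimal set of expected owner names, the function names and the sample hosts are assumptions of the example.

```python
r"""Checker for the SRV records a domain controller registers, written as an
added example for this page; it is not courseware or Microsoft code. The
record lines below are constructed in the one-record-per-line format used by
%systemroot%\system32\config\netlogon.dns and represent what the _tcp and
_msdcs nodes of the contoso.com zone might hold after the demonstration:
NYC-DC1 fully registered, NYC-DC2 with most of its records missing."""
import re
from dataclasses import dataclass

# <owner> <ttl> IN SRV <priority> <weight> <port> <target>
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<prio>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$")

SAMPLE_TCP_NODE = """\
contoso.com. 600 IN A 10.0.0.11
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 NYC-DC1.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 389 NYC-DC1.contoso.com.
_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 NYC-DC1.contoso.com.
_kerberos._udp.contoso.com. 600 IN SRV 0 100 88 NYC-DC1.contoso.com.
_kpasswd._tcp.contoso.com. 600 IN SRV 0 100 464 NYC-DC1.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 NYC-DC1.contoso.com.
_kerberos._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 88 NYC-DC1.contoso.com.
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 NYC-DC1.contoso.com.
_ldap._tcp.gc._msdcs.contoso.com. 600 IN SRV 0 100 3268 NYC-DC1.contoso.com.
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 NYC-DC2.contoso.com.
_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 NYC-DC2.contoso.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_records(text: str) -> list:
    """Return the SRV records in `text`; other record types and blank lines are
    skipped. Names are lower-cased and the trailing dot removed, because DNS
    names are case-insensitive and DNS Manager shows them without the dot."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(
                name=m["name"].lower().rstrip("."), ttl=int(m["ttl"]),
                priority=int(m["prio"]), weight=int(m["weight"]),
                port=int(m["port"]), target=m["target"].lower().rstrip(".")))
    return records


def expected_locator_names(domain: str, site: str, is_gc: bool) -> set:
    """Owner names every writable DC registers for its domain and site. The
    _msdcs forms are the ones the DC locator queries first; the PDC-only and
    GUID-based records are deliberately left out of this minimal set."""
    d = domain.lower()
    names = {
        f"_ldap._tcp.{d}",
        f"_ldap._tcp.{site.lower()}._sites.{d}",
        f"_kerberos._tcp.{d}",
        f"_kerberos._udp.{d}",
        f"_kpasswd._tcp.{d}",
        f"_ldap._tcp.dc._msdcs.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}",
    }
    if is_gc:
        names |= {f"_gc._tcp.{d}", f"_ldap._tcp.gc._msdcs.{d}"}
    return names


def missing_records(records: list, dc_fqdn: str, domain: str, site: str,
                    is_gc: bool = True) -> list:
    """Expected owner names with no SRV record pointing at dc_fqdn. A non-empty
    result after net stop/start netlogon means the DC could not re-register,
    which usually points at dynamic-update or DNS client settings."""
    target = dc_fqdn.lower().rstrip(".")
    present = {r.name for r in records if r.target == target}
    return sorted(expected_locator_names(domain, site, is_gc) - present)


if __name__ == "__main__":
    recs = parse_srv_records(SAMPLE_TCP_NODE)
    for dc in ("NYC-DC1.contoso.com", "NYC-DC2.contoso.com"):
        gaps = missing_records(recs, dc, "contoso.com", "Default-First-Site-Name")
        print(dc, "missing:", gaps or "none")
```

To use it against a real server, replace SAMPLE_TCP_NODE with the output of a zone dump (for example dnscmd /ZonePrint contoso.com) and run missing_records once per domain controller; an empty list for a DC means step 15 of the demonstration would show its records restored.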

Page 143: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 143

Lesson 3

Advanced DNS Configuration and Administration

Contents: Additional Reading 144

Page 144: 6425C ENU Companion

144 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Additional Reading

Resolving Single-Label Names

• Providing Single-Label DNS Name Resolution

• Deploying the GlobalNames Zone

Page 145: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 145

Module Review and Takeaways

Review Questions Question: You are conducting a presentation for a potential client about the advantages of using Windows Server 2008 R2. What are the new features that you would point out when discussing the Windows Server 2008 R2 DNS server role?

Answer: You would point out DNS Security Extensions, DNS Devolution, DNS Cache Locking and DNS Socket Pool.

Question: You are deploying DNS servers into an Active Directory domain, and your customer requires that the infrastructure is resistant to single points of failure. What must you consider while planning the DNS configuration?

Question: You must automate a DNS server configuration process so that you can automate the deployment of Windows Server 2008. Which DNS tool can you use to do this?

Answer: You can use dnscmd.exe.

Common Issues Related to DNS

Issue: Clients sometimes cache invalid DNS records.
Tip: Clear the client resolver cache (ipconfig /flushdns). If the stale record came from a DNS server's cache, clear that too (dnscmd /clearcache, or Clear Cache on the server node in DNS Manager).

Issue: Zone transfer is not working.
Tip: Ensure that the server requesting the transfer is permitted in the Zone Transfers settings of the zone on the primary server. Ensure that a firewall or other port-management device between the two DNS servers is not blocking TCP port 53: zone transfers (AXFR and IXFR) run over TCP, whereas ordinary queries normally use UDP port 53.

Issue: The DNS server performs slowly.
Tip: Use Performance Monitor to identify the load that DNS requests generate on the server. It may be necessary to split the load across additional servers or to delegate subzones.

Real-World Issues and Scenarios

• DNS and Active Directory trusts

When creating trusts between two Active Directory domains, the ability of domain A to look up records in domain B (and vice versa) depends on the DNS infrastructure. Active Directory domain names are rarely resolvable from the public Internet, so you need conditional forwarders, stub zones, or secondary zones to make each domain's zone resolvable from the other domain or forest.

• Secure zones against zone dumping

By default, zone transfers are disabled for zones created on Windows Server 2008. When you do enable them, specify the IP addresses of the servers that are allowed to request a transfer. Do not select To any server, especially on a server reachable from the Internet: with that option, anyone can transfer the entire zone (for example with the ls -d command in nslookup) and obtain a complete list of the host names and addresses on your network. After configuring the setting, request a transfer from a host that is not on the list and confirm that the server refuses it.

Best Practices Related to DNS

• If you are using Active Directory, use directory-integrated storage for your DNS zones. This offers increased security (secure dynamic updates and replication through AD DS replication), fault tolerance, and simplified deployment and management.

Page 146: 6425C ENU Companion

146 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

• Disable recursion on servers that do not answer client queries directly or through forwarders, for example servers that only host authoritative zones. DNS servers query each other iteratively, so an authoritative server does not need recursion; leaving it enabled turns the server into an open resolver that outsiders can use for cache poisoning attempts and reflection attacks.

• Consider the use of secondary zones to assist in off-loading DNS query traffic wherever appropriate.

• Enter the correct email address of the person responsible for each zone you add to, or manage on, a DNS server. This is the responsible-person (RNAME) field of the zone's SOA record; applications and other administrators use it to report query errors, incorrect data returned in a query, security problems, and similar issues. DNS stores the mailbox as a domain name, so the "@" must be replaced with a period (.) when you enter it: instead of administrator@microsoft.com you would enter administrator.microsoft.com. If the part before the "@" itself contains a period, that period must be escaped with a backslash (john\.doe.microsoft.com), otherwise the name is read as a different mailbox.
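The "@" to period substitution and its escaping rule, as an added Python example (not code from the courseware). The mailbox addresses used are constructed; the functions follow the encoding RFC 1035 specifies for the SOA RNAME field.

```python
"""SOA responsible-person (RNAME) encoding, added as an example for this page
and not taken from the courseware. DNS stores the mailbox as a domain name:
the local part becomes the first label and the "@" becomes a dot, which is
the substitution the best practice above describes. A dot inside the local
part would otherwise be read as a label boundary, so RFC 1035 section 8
requires it to be escaped with a backslash; both functions handle that case.
The addresses in the examples are constructed."""


def email_to_rname(email: str) -> str:
    """'hostmaster@contoso.com' -> 'hostmaster.contoso.com.'"""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {email!r}")
    # Escape dots in the local part, then join with the domain as one label boundary.
    return local.replace(".", "\\.") + "." + domain.rstrip(".") + "."


def rname_to_email(rname: str) -> str:
    """Inverse of email_to_rname: the local part ends at the first unescaped dot."""
    local = []
    i = 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])   # escaped character, taken literally
            i += 2
        elif c == ".":
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        else:
            local.append(c)
            i += 1
    raise ValueError(f"no domain part in RNAME {rname!r}")


if __name__ == "__main__":
    for addr in ("administrator@microsoft.com", "john.doe@contoso.com"):
        encoded = email_to_rname(addr)
        print(addr, "->", encoded, "->", rname_to_email(encoded))
```

When checking an existing zone, run rname_to_email over the RNAME shown on the Start of Authority tab; if it comes back with the wrong domain, the local part contained an unescaped period.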

Tools

Tool: DNS Manager console
Used for: DNS administration and management
Where to find it: Administrative Tools

Tool: Nslookup
Used for: Query testing of the DNS domain namespace
Where to find it: Command-line utility

Tool: Dnscmd
Used for: Managing DNS servers from the command line; useful in batch files to automate routine DNS management tasks or to perform unattended setup and configuration of new DNS servers on your network
Where to find it: Command-line utility

Tool: Ipconfig
Used for: Viewing and modifying the IP configuration that the computer uses, including options (/displaydns, /flushdns, /registerdns) that help in troubleshooting and supporting DNS clients
Where to find it: Command-line utility

Tool: DNSLint
Used for: Several automated tests that verify that DNS servers and resource records are configured properly and point to valid services
Where to find it: Command-line utility; download it from Microsoft at http://go.microsoft.com/fwlink/?LinkID=214201

Windows Server 2008 R2 Features Introduced in This Module

Feature Description

DNS Enhancements in Windows Server 2008 R2

New features in DNS that allow administrators to configure digital signing of DNS responses, cache locking, devolution and socket pooling.

Page 147: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 147

Lab Review Questions and Answers Question: If you did not configure forwarders on NYC-DC2, what would be the result for clients that use NYC-DC2 as their primary DNS server?

Answer: They cannot resolve names other than those in the contoso.com domain (zone).

Question: What would happen to clients' ability to resolve names in the development.contoso.com domain if you had chosen a stand-alone DNS zone, rather than an Active Directory–integrated zone? Why would this happen? What should you do to solve this problem?

Answer: Clients who query the other DNS server would be unable to resolve names in the zone, because the server would not receive a replica of the zone. This could be solved by making the zone Active Directory–integrated, by hosting a secondary zone on the other DNS server, or by creating a stub zone that refers queries to the server hosting the development.contoso.com zone.

Question: In this lab, you used a stub zone and a conditional forwarder to provide name resolution between two distinct domains. What other options could you have used?

Answer: You could create a secondary zone in each domain that hosts a copy of the zone from the other. If the domains have delegations in the top-level .com domain, you could use root hints and standard DNS recursive queries to get them to resolve names in each other’s domains.

Page 148: 6425C ENU Companion

148 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Module 12 Administering AD DS Domain Controllers

Contents: Lesson 1: Domain Controller Installation Options 149

Lesson 2: Install a Server Core Domain Controller 151

Module Reviews and Takeaways 153

Lab Review Questions and Answers 155

Page 149: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 149

Lesson 1

Domain Controller Installation Options

Contents: Additional Reading 150

Page 150: 6425C ENU Companion

150 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Additional Reading

Unattended Installation Options and Answer Files

• Prepare an Existing Domain for Windows Server 2008 Domain Controllers

• For a complete reference of dcpromo parameters and unattended installation options, see

Running Adprep.exe

• ADPrep

• Windows Server 2008: Appendix of Changes to Adprep.exe to Support AD DS

Remove a Domain Controller

• For detailed steps for removing a domain controller, see

• See article 216498 in the Microsoft Knowledge Base for information about performing metadata cleanup. The article is located at

Page 151: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 151

Lesson 2

Install a Server Core Domain Controller

Contents: Additional Reading 152

Page 152: 6425C ENU Companion

152 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Additional Reading

Understand Server Core

• Server Core Installation Option

• Server Core Configuration Commands

• What's New in the Server Core Installation Option

• Appendix of Unattended Installation Parameters

Page 153: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 153

Module Review and Takeaways

Review Questions

Question: In which scenario do you have the option to choose the domain and forest functional level in the dcpromo wizard?

Answer: Only when you install the first domain controller in a new domain or forest. Creating a new forest lets you choose both levels; creating a new domain in an existing forest lets you choose only the domain functional level, which cannot be lower than the forest functional level.

Question: How can you easily prepare an unattended file for domain controller installation?

Answer: Run dcpromo.exe on a full installation of Windows Server 2008 or 2008 R2 and, on the Summary page of the wizard, use Export settings to save the configured options as an answer file.

Question: How can you tell that the RID master is not working?

Answer: If the RID master fails, you will eventually be prevented from creating new security principals: for example, you will not be able to create new user, group or computer objects. This does not happen immediately, because each domain controller holds a pool of RIDs and contacts the RID master only when that pool runs low. Running dcdiag /test:RidManager reports whether the RID master is reachable and functioning.

Question: If you seize an operations master role, can you bring the original role holder back online?

Answer: Only if the seized role was the PDC emulator or the infrastructure master. A domain controller from which the schema master, domain naming master, or RID master role was seized while it was offline must not be brought back online, because the stale role holder would conflict with the new one (a second RID master, for example, could hand out overlapping RID pools and produce duplicate SIDs). Instead, demote the failed domain controller or, preferably, reinstall it entirely while it is offline. After the server is back online and re-promoted, the operations master role can be transferred to it gracefully.

Common Issues Related to Administering AD DS Domain Controllers

Issue: You cannot raise the domain or forest functional level.
Tip: Check that every domain controller in the domain runs an operating system version at least equal to the desired domain functional level. For the forest level, check that every domain is already at a domain functional level at least equal to the desired forest functional level.

Issue: You cannot transfer one or more operations master roles.
Tip: Check whether the current role holder is online. If it is not, you must seize the role instead of transferring it.

Issue: You cannot install a role or feature on Server Core.
Tip: Check whether the role or feature is supported on Server Core, which supports only a limited set of roles and features.

Issue: You cannot add an additional domain controller to the current AD DS infrastructure.
Tip:
• Check that at least one existing domain controller is reachable.
• Check DNS functionality: the SRV records of the existing domain controllers must resolve from the new server.
• Check the IP settings of the new server, including its DNS client configuration.

Best Practices Related to Administering AD DS Domain Controllers

• Always install at least two domain controllers per domain to achieve high availability.

• Use Server Core for domain controllers that serve only that role: the smaller footprint reduces the attack surface and the number of updates to manage.

Page 154: 6425C ENU Companion

154 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

• Distribute operations masters roles on several servers. Be sure to co-locate compatible roles.

• Use DFS-R for SYSVOL replication.

Tools

Tool: Active Directory Users and Computers
Used for: Managing the domain-level operations masters (RID, PDC emulator, infrastructure); managing the domain functional level; creating and managing AD objects
Where to find it: Administrative Tools

Tool: Active Directory Domains and Trusts
Used for: Managing the domain and forest functional level; managing the domain naming master; trust management
Where to find it: Administrative Tools

Tool: Dcpromo.exe
Used for: Installation and removal of Active Directory Domain Services
Where to find it: Command-line utility; run it manually or with an answer file

Tool: Server Manager
Used for: AD DS role installation
Where to find it: Administrative Tools

Tool: Active Directory Schema
Used for: Managing the schema master role
Where to find it: Must be registered (regsvr32 schmmgmt.dll) and added to a custom MMC console as a separate snap-in

Windows Server 2008 R2 Features Introduced in this Module

Feature: New Server Core roles and features
Description: In Windows Server 2008 R2, additional roles and features are available for the Server Core installation option

Page 155: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 155

Lab Review Questions and Answers Question: Why would you choose to use an answer file or a dcpromo.exe command line to install a domain controller rather than the Active Directory Domain Services Installation Wizard?

Answer: Automation of installation; consistency (a script always uses the same options, rather than hoping that an administrator picks the correct ones); documentation (the script "documents" how the domain controller was installed); and Server Core installation, where the wizard is not available.

Question: In which situations does it make sense to create a domain controller using installation media?

Answer: When the replication of Active Directory to the new domain controller will be problematic from a performance or network impact perspective.

Question: Did you find the configuration of Server Core to be particularly difficult?

Answer: Answers will vary; some administrators may find it difficult to perform the initial configuration using only command-line utilities.

Question: What are the advantages of using Server Core for domain controllers?

Answer: Reduced system requirements, and a reduced attack surface with fewer components to patch, and therefore increased security.

Question: If you transfer all roles before taking a domain controller offline, is it okay to bring the domain controller back online?

Answer: Yes

Question: When you enable global catalog, what actually happens on that domain controller?

Answer: The domain controller that is designated as global catalog, in addition to its full, writable domain directory partition replica, also starts to store a partial, read-only replica of all other domain directory partitions in the forest.

Question: On which level would you enable Universal Group Membership Caching?

Answer: It is enabled at the site level, on the NTDS Site Settings object of the site.

Question: What would you expect to be different between two enterprises, one that created its domain initially with Windows Server 2008 domain controllers, and one that migrated to Windows Server 2008 from Windows Server 2003?

Answer: In a domain that was created at the Windows Server 2008 domain functional level from the start, the SYSVOL share refers to a folder named SYSVOL that is replicated with DFS-R. In a domain that was created with domain controllers earlier than Windows Server 2008, SYSVOL is replicated with FRS until it has been migrated with dfsrmig; after that, the SYSVOL share refers to a folder named SYSVOL_DFSR.

Question: What must you be aware of while migrating from the Prepared to the Redirected state?

Answer: While migrating from the Prepared to the Redirected state, any changes made to SYSVOL must be manually duplicated in SYSVOL_DFSR.

Page 156: 6425C ENU Companion

156 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Module 13 Managing Sites and Active Directory® Replication

Contents: Lesson 1: Configure Sites and Subnets 157

Lesson 2: Configure Replication 159

Module Reviews and Takeaways 161

Lab Review Questions and Answers 163

Page 157: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 157

Lesson 1

Configure Sites and Subnets

Contents: Additional Reading 158

Page 158: 6425C ENU Companion

158 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Additional Reading

How a Client Locates a Domain Controller

• For more information about domain controller location, see

Page 159: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 159

Lesson 2

Configure Replication

Contents: Additional Reading 160

Page 160: 6425C ENU Companion

160 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Additional Reading

Bridgehead Servers

• Bridge Server Selection

Page 161: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 161

Module Review and Takeaways

Review Questions Question: Why is it important that all subnets are identified and associated with a site in a multisite enterprise?

Answer: The process of locating domain controllers and other services can be made more efficient by referring clients to the correct site, based on the client’s IP address and the definition of subnets. If a client has an IP address that does not belong to a site, the client will query for all DCs in the domain, and that is not at all efficient. In fact, a single client can be performing actions against domain controllers in different sites, which (if those changes have not replicated yet) can lead to very strange results. It is very important that each client knows what site it is in, and that’s achieved by ensuring that DCs can identify what site a client is in.

Question: What are the advantages and disadvantages of reducing the intersite replication interval?

Answer: Convergence is improved. Changes made in one site are replicated more quickly to other sites. There are actually few, if any, disadvantages. If you consider that the same changes must replicate whether they wait 15 minutes or 3 hours to replicate, it’s really a matter of timing of replication rather than the quantity of replication. However, in some extreme situations, it’s possible that allowing a smaller number of changes to happen more frequently might be less preferable than allowing a large number of changes to replicate less frequently.

Question: What is the purpose of a bridgehead server?

Answer: The bridgehead server is responsible for all replication into and out of its site for a given partition. Instead of every domain controller in one site replicating with every domain controller in another site, the bridgehead servers of the two sites exchange the changes and then replicate them within their own sites.

Question: Which protocol can be used as an alternative for Active Directory replication? What is the disadvantage of using it?

Answer: SMTP can be used for intersite replication. Its disadvantages are that it cannot replicate the domain partition (only the schema, configuration and application directory partitions), and that it requires an enterprise certification authority to sign and encrypt the replication messages.

Common Issues Related to Managing Sites and Replication

Issue: A client cannot locate a domain controller in its site.
Tip:
• Check whether all SRV records for the domain controller are present in DNS, including the site-specific records under _sites.
• Check whether the client's IP address falls within a subnet that is associated with that site, and whether the domain controller's server object is in that site in Active Directory Sites and Services.

Issue: Replication between sites does not work.
Tip:
• Check whether the site links are configured correctly.
• Check the replication schedule on the site link.
• Check whether a firewall between the sites permits the traffic that AD DS replication uses (the RPC endpoint mapper on TCP 135 and the dynamic RPC port range, unless a fixed replication port has been configured).

Issue: Replication between two domain controllers in the same site does not work.
Tip:
• Check whether both domain controllers appear in the same site.
• Check whether Active Directory on both domain controllers is operational; dcdiag and repadmin /showrepl report the errors.

Page 162: 6425C ENU Companion

162 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Best Practices Related to Managing Active Directory Sites and Replication

You should implement the following best practices when you manage Active Directory sites and replication in your environment:

• Always provide at least one Global Catalog per site.

• Be sure that all sites have appropriate subnets associated.

• Do not configure long intervals without replication when you set replication schedules for intersite replication.

• Avoid using SMTP as a protocol for replication.

• Do not use universal groups unless necessary because they create additional replication traffic.

Tools

Tool: Active Directory Sites and Services
Used for: Managing site objects; managing subnets and site links; managing replication (connection objects, bridgehead servers, schedules)
Where to find it: Administrative Tools

Tool: ADSI Edit
Used for: Viewing and managing Active Directory partitions
Where to find it: Administrative Tools

Tool: Repadmin
Used for: Monitoring and managing replication (for example repadmin /showrepl and repadmin /replsummary)
Where to find it: Command-line utility

Tool: Dcdiag
Used for: Reporting on the overall health of replication and security for Active Directory Domain Services
Where to find it: Command-line utility

Page 163: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 163

Lab Review Questions and Answers Question: You have a site with 50 subnets, each with a subnet address of 10.0.x.0/24, and you have no other 10.0.x.0 subnets. What should you do to make it easier to identify the 50 subnets and associate them with a site?

Answer: Define a single subnet object, 10.0.0.0/16, and associate it with the site. Site lookup uses the most specific matching subnet, so a narrower subnet can still be defined for a different site later without conflicting with the /16.
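The subnet-to-site lookup behind this answer and the earlier review question on unassociated subnets, as an added Python example; it is not courseware or Microsoft code. The subnet table and the NO_CLIENT_SITE log lines are constructed (the lines imitate the format of %systemroot%\debug\netlogon.log entries a DC writes for clients that match no subnet); the function names are assumptions of the example.

```python
r"""Client-to-site mapping by subnet, written as an added example for this
page (not courseware code). It applies the DC locator's rule: the client's
IP address is compared with the subnet objects defined in Active Directory
Sites and Services, the most specific matching subnet decides the site, and
a client that matches no subnet has no site (the DC records such clients as
NO_CLIENT_SITE in %systemroot%\debug\netlogon.log). The subnet table and the
log lines below are constructed; the log lines imitate that file's format."""
import ipaddress
import re
from typing import Optional

# Constructed subnet objects: the single 10.0.0.0/16 from the lab answer plus
# two more specific subnets, one of which carves a DMZ out of the /16.
SUBNET_TO_SITE = {
    "10.0.0.0/16": "NYC",
    "10.0.200.0/24": "NYC-DMZ",
    "192.168.10.0/24": "BRANCH",
}


def build_subnet_table(mapping: dict) -> list:
    """(network, site) pairs sorted longest prefix first so the first hit wins."""
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in mapping.items()]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def site_for_client(ip: str, table: list) -> Optional[str]:
    """Site name for a client address, or None when no subnet covers it."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr in network:
            return site
    return None


NO_CLIENT_SITE = re.compile(
    r"NO_CLIENT_SITE:\s+(?P<host>\S+)\s+(?P<ip>[0-9A-Fa-f.:]+)")


def clients_still_without_site(log_text: str, table: list) -> list:
    """(host, ip) pairs from NO_CLIENT_SITE lines that the current subnet
    definitions still do not cover; run it after adding subnets to confirm
    that the earlier complaints are resolved."""
    gaps = []
    for line in log_text.splitlines():
        m = NO_CLIENT_SITE.search(line)
        if m and site_for_client(m["ip"], table) is None:
            gaps.append((m["host"], m["ip"]))
    return gaps


TABLE = build_subnet_table(SUBNET_TO_SITE)

# Constructed lines in the style of netlogon.log entries.
SAMPLE_NETLOGON_LOG = """\
05/12 09:13:02 [MISC] NO_CLIENT_SITE: NYC-CL1 10.0.7.55
05/12 09:13:05 [MISC] NO_CLIENT_SITE: LAB-CL3 172.16.4.9
05/12 09:14:40 [MISC] NO_CLIENT_SITE: DMZ-WEB1 10.0.200.17
"""

if __name__ == "__main__":
    for ip in ("10.0.7.55", "10.0.200.17", "192.168.10.4", "172.16.4.9"):
        print(ip, "->", site_for_client(ip, TABLE) or "no site")
    print("still unmapped:", clients_still_without_site(SAMPLE_NETLOGON_LOG, TABLE))
```

With the /16 in place, the two 10.0.x.y clients that were logged as having no site now map to NYC and NYC-DMZ; only LAB-CL3 on 172.16.4.9 remains unmapped, which is the kind of client the first review question warns will query for any DC in the domain.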

Question: Is the procedure you performed in Exercise 2 enough to create a "hub and spoke" replication topology, which ensures that all changes from branches are replicated to the headquarters before being replicated to other branches? If not, what should be done?

Answer: No. You must also disable Bridge all site links, so that transitive routing between branch sites is no longer assumed, and make sure that the only site links defined connect each branch site to the headquarters site. Only then will changes from one branch pass through the hub before reaching the other branches.

Page 164: 6425C ENU Companion

164 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Module 14 Directory Service Continuity

Contents: Lesson 1: Monitor Active Directory 165

Lesson 2: Manage the Active Directory Database 168

Lesson 3: Active Directory Recycle Bin 172

Lesson 4: Back Up and Restore AD DS and Domain Controllers 176

Module Reviews and Takeaways 179

Lab Review Questions and Answers 181

Page 165: 6425C ENU Companion

Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services 165

Lesson 1

Monitor Active Directory

Contents: Detailed Demonstration Steps 166

Additional Reading 167

Page 166: 6425C ENU Companion

166 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Detailed Demonstration Steps

Demonstration: Monitor AD DS

Detailed Demonstration Steps: Create a new Data Collector Set named Custom Active Directory.

1. If it is not already started, start the virtual machine 6425C-NYC-DC1, and log on as Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.

2. Open Performance Monitor and then add the server baseline counters.

3. Add some of the Active Directory counters, and then start the Data Collector Set.

4. Perform some activity to generate statistics.

5. Stop the Data Collector Set, and then look at the user-defined report.

6. Under Data Collector Sets, System, start the Active Directory Diagnostics Data Collector Set.

7. Perform some activity to generate statistics.

8. Stop the Data Collector Set, and then look at the system-defined report.

Demonstration: Using Active Directory Best Practices Analyzer

Detailed Demonstration Steps:

1. Log on to 6425C-NYC-DC1 as Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.

2. Open the Server Manager console.

3. In the left console pane, expand Roles, and then click the Active Directory Domain Services role.

4. In the central pane, scroll down to the Best Practices Analyzer section.

5. Click Scan This Role, and wait until the scan is complete.

6. Review the results on the Noncompliant tab. Point out that some results have the severity Error and others have the severity Warning.

7. Right-click any result, and then click Properties.

8. Show the detailed description of the result, and then click Close.

9. Right-click any result, and then click Exclude Result. Show that the result now appears on the Excluded tab.

10. Click the Compliant tab, and show the results that appear there.

11. Close Server Manager.
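The same scan can be run and its results sorted from Windows PowerShell, which is how you would schedule it across many domain controllers. This is an added example and not part of the course; it uses the BestPractices module that ships with Windows Server 2008 R2 and the AD DS model identifier Microsoft/Windows/DirectoryServices.

```powershell
# Added example, not part of the course: run the AD DS Best Practices Analyzer
# from Windows PowerShell and report what Server Manager shows on the
# Noncompliant, Compliant and Excluded tabs. Requires Windows Server 2008 R2
# with the AD DS role installed; run from an elevated prompt.
Import-Module BestPractices

$ModelId = 'Microsoft/Windows/DirectoryServices'   # the AD DS BPA model

# Invoke-BpaModel performs the scan ("Scan This Role"); Get-BpaResult reads the
# stored results of the most recent scan.
Invoke-BpaModel -BestPracticesModelId $ModelId | Out-Null
$results = @(Get-BpaResult -BestPracticesModelId $ModelId)

# Severity is Error or Warning for noncompliant rules and Information for
# compliant ones; Excluded is what "Exclude Result" in the UI sets.
$excluded     = @($results | Where-Object { $_.Excluded })
$noncompliant = @($results | Where-Object { -not $_.Excluded -and $_.Severity -ne 'Information' })
$compliant    = @($results | Where-Object { -not $_.Excluded -and $_.Severity -eq 'Information' })

$noncompliant | Sort-Object Severity, Title |
  Format-Table -Wrap -AutoSize Severity, Title, Problem, Resolution

$errors   = @($noncompliant | Where-Object { $_.Severity -eq 'Error' }).Count
$warnings = @($noncompliant | Where-Object { $_.Severity -eq 'Warning' }).Count
Write-Host ("{0} compliant, {1} noncompliant ({2} Error, {3} Warning), {4} excluded" -f `
    $compliant.Count, $noncompliant.Count, $errors, $warnings, $excluded.Count)

# Equivalent of right-click > Exclude Result, for a rule you have reviewed and
# accepted. Remove the comment marks and replace the title pattern to use it.
# $noncompliant | Where-Object { $_.Title -like '*rule title to accept*' } |
#   Set-BpaResult -Exclude $true
```

Exclusions are stored per server, so a rule excluded on one domain controller still shows as noncompliant on the others; keep a written reason for every exclusion.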


Additional Reading

Performance Monitor

• Data Collector Sets

• Using Performance Monitor

• Creating Data Collector Sets


Lesson 2

Manage the Active Directory Database

Contents:

• Questions and Answers

• Detailed Demonstration Steps

• Additional Reading


Questions and Answers

Active Directory Database Files

Question: What other Microsoft services use a transactional model for making database changes? How does the AD DS model compare to these other services?

Answer: Both Microsoft Exchange Server and Microsoft SQL Server® use a transactional model. The AD DS model is very similar; what differs are details such as the size of the transaction logs. For example, AD DS transaction log files are 10 MB each, whereas in Exchange Server 2007 they are only 1 MB.

Perform Database Maintenance

Question: How often will you need to perform an offline defragmentation of your AD DS databases in your environment?

Answer: Most organizations will have to perform an offline defragmentation only when they need to reclaim disk space. In general, you will do this only when the amount of data stored in the AD DS database on a domain controller decreases significantly, for example after the domain controller stops being a global catalog server or after a large number of objects has been deleted. Online defragmentation, which runs automatically as part of garbage collection, reorganizes the data but never shrinks the file.

Demonstration: AD DS Database Maintenance

Question: Why is it necessary to stop AD DS before defragmenting?

Answer: The database needs to be closed completely before it can be overwritten. An online database may have locked records that are being written to, thus preventing file modification.

Question: Why is it necessary to compact the database to a temporary directory first?

Answer: Compacting the database actually creates a contiguous copy, which will be used to overwrite the fragmented original.


Detailed Demonstration Steps

Demonstration: AD DS Database Maintenance

Detailed Demonstration Steps: To stop or start the AD DS service:

1. If it is not already running, start the virtual machine 6425C-NYC-DC1 and log on as Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.

2. Click Start, click Administrative Tools, and then click Services.

3. Right-click Active Directory Domain Services, and then select Stop from the context menu.

4. In the Stop Other Services dialog box, click Yes.

To perform an offline defragmentation of the Active Directory database while AD DS is stopped:

1. Click Start, click Run, type CMD, and then press Enter.

2. In the command window, type ntdsutil, and then press Enter. Click Yes.

3. At the ntdsutil: prompt, type Activate Instance NTDS, and then press Enter.

4. At the ntdsutil: prompt, type files, and then press Enter.

5. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath (where drive:\LocalDirectoryPath is the path to a folder on the local computer), and then press Ctrl+C to break the process. It takes too long to demonstrate.

6. Next, you would copy the original NTDS.dit, along with the transaction logs (*.log), to a backup location; copy the compacted NTDS.dit from the temporary folder over the original; and then delete the old transaction logs (*.log) from the database folder, because they no longer match the new file.

7. Next, check the integrity of the newly compacted database. Type integrity to start the check, but press Ctrl+C to break the process.

To move the AD DS database:

8. At the file maintenance: prompt, type move db to pathname, and then press Ctrl+C to break the process. Explain that the NTDS.dit file would be moved to the new location, that the NTDS registry values would be updated to point at it, and that the permissions on the new folder would be set accordingly.

To restart AD DS:

9. In the Services MMC, right-click Active Directory Domain Services, and then click Start.
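The whole procedure, including the parts the demonstration breaks out of with Ctrl+C, carried through as a script. This is an added example and not part of the course; it reads the database and log locations from the NTDS registry values, and the work and backup folders are assumed paths on the domain controller.

```powershell
# Added example, not part of the course: the offline defragmentation the
# demonstration breaks out of with Ctrl+C, carried through end to end. Database
# and log paths come from the NTDS registry values; $Work and $Backup are
# assumed local folders. Run elevated on the domain controller, at a quiet time.
$Work   = 'C:\NTDSCompact'
$Backup = 'C:\NTDSBackup\' + (Get-Date -Format 'yyyyMMdd-HHmm')

$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $params.'DSA Database file'         # normally C:\Windows\NTDS\ntds.dit
$logDir = $params.'Database log files path'   # normally C:\Windows\NTDS

New-Item -ItemType Directory -Path $Work, $Backup -Force | Out-Null

# 1. Stop AD DS. -Force also stops the dependent services (the "Stop Other
#    Services" prompt); remember which were running so they can be restarted.
$dependents = @((Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' })
Stop-Service -Name NTDS -Force
(Get-Service NTDS).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# 2. Compact to the work folder. ntdsutil accepts its commands as arguments,
#    one per prompt level: activate the instance, enter file maintenance, compact.
& ntdsutil "activate instance ntds" files "compact to $Work" quit quit
$compacted = Join-Path $Work 'ntds.dit'
if (-not (Test-Path $compacted) -or (Get-Item $compacted).Length -eq 0) {
    Start-Service NTDS
    throw 'Compaction produced no database file; the original was left untouched.'
}

# 3. Keep the original database and its logs so the change can be reversed.
Copy-Item $dbFile $Backup
Copy-Item (Join-Path $logDir '*.log') $Backup

# 4. Overwrite the fragmented original with the contiguous copy, then delete
#    the old transaction logs, which no longer belong to the new file.
Copy-Item $compacted $dbFile -Force
Remove-Item (Join-Path $logDir '*.log') -Force

# 5. Check the database that is now in place before AD DS is started again.
#    ntdsutil prints "Integrity check successful." when the ESE check passes.
$check = & ntdsutil "activate instance ntds" files integrity quit quit 2>&1
if (-not ($check -match 'Integrity check successful')) {
    throw "Integrity check failed. Restore ntds.dit and the logs from $Backup before starting NTDS."
}

# 6. Restart AD DS and the services that were stopped with it.
Start-Service -Name NTDS
$dependents | ForEach-Object { Start-Service -Name $_.Name }
Get-Service NTDS, kdc, DNS -ErrorAction SilentlyContinue | Format-Table Name, Status -AutoSize
```

Do this on one domain controller at a time, and keep the backup folder until the domain controller has replicated successfully afterwards; if the integrity check fails, copy the saved ntds.dit and logs back before starting NTDS.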


Additional Reading

Active Directory Database Files

• NTDSUtil

• How the Data Store Works

• Data Store Tools and Settings

Demonstration: AD DS Database Maintenance

• How to remove data in Active Directory after an unsuccessful domain controller demotion

• Compact the Directory Database File (Offline Defragmentation)

Active Directory Snapshots

• Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide

Restore Deleted Objects

• End-to-End Scenario That Uses the Active Directory Database Mounting Tool


Lesson 3

Active Directory Recycle Bin

Contents:

• Detailed Demonstration Steps

• Additional Reading


Detailed Demonstration Steps

Demonstration: Restore Deleted Objects with Active Directory Recycle Bin

Detailed Demonstration Steps: Before performing this demonstration, run the script located at D:\Labfiles\Lab14a\Lab14a_Setup.bat.

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

2. Right click Active Directory Domains and Trusts and click Raise Forest Functional Level.

3. Check the value of Current forest functional level. If it is not set to Windows Server 2008 R2, proceed to the next step. If it is, click OK and close the Active Directory Domains and Trust console.

4. In a Select an available forest functional level drop-down list, select Windows Server 2008 R2.

5. Click Raise.

6. In the Warning window, click OK.

7. In confirmation window, click OK.

8. Close the Active Directory Domains and Trust console.

Enable the Active Directory Recycle Bin Feature

1. Click Start, click Administrative Tools, and then right-click Active Directory Module for Windows PowerShell. Click Run as administrator, and then click Yes.

2. Type the following command, and then press Enter:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'

3. Type y, and then press Enter. Point out that enabling the Recycle Bin is irreversible: once enabled, the feature cannot be disabled.

4. After the command prompt is returned to you, close the Windows PowerShell window.

Delete an object

1. Open the Active Directory Users and Computers console from Administrative Tools.

2. Expand Contoso.com and expand User Accounts and then click the Employees organizational unit.

3. In the central pane, right-click Aaron Lee and select Delete.

4. In the confirmation window, click Yes.

5. Close Active Directory Users and Computers.

Restore Deleted Object by using LDP.exe

1. To open Ldp.exe, click Start, and in the search box type ldp.exe. Under Programs, right-click ldp.exe, and then click Run as administrator. Click Yes.

2. On the Options menu, click Controls.


3. In the Controls dialog box, expand the Load Predefined menu, click Return deleted objects, and then click OK.

4. To verify that the Deleted Objects container is displayed:

• To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connection, click Connect, click OK, and then under Connection, click Bind, and then click OK.

• Click View, click Tree, and in BaseDN, type DC=contoso,DC=com, and then click OK

• In the console tree, double-click the root distinguished name (also known as DN) and locate the CN=Deleted Objects,DC=contoso,DC=com container. Expand that object and ensure that the Aaron Lee object appears below it; its name now has the form CN=Aaron Lee\0ADEL:<GUID>.

5. Right-click the CN=Aaron Lee,... object, and click Modify

6. In the Edit Entry Attribute box, type isDeleted.

7. Under Operation, click Delete, and then click Enter.

8. In the Edit Entry Attribute box, type distinguishedName.

9. In the Values box, type the original distinguished name, which is CN=Aaron Lee,OU=Employees, OU=User Accounts,DC=contoso,DC=com.

10. Under Operation, click Replace.

11. Ensure that the Extended check box is selected, click Enter, and then click Run.

12. Click Close.

13. From Administrative Tools, open the Active Directory Users and Computers console

14. Expand Contoso.com and expand User Accounts and then click the Employees organizational unit.

15. Ensure that the Aaron Lee user object exists and that all attributes like group membership are retained.
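The same restore with the Active Directory module instead of ldp.exe, plus a function for the case the ldp.exe steps do not cover well: an OU deleted together with its contents, where the parent must be restored before the children. This is an added example and not part of the course; the names (contoso.com, Aaron Lee, the Employees OU) are the lab's, and Restore-ADDeletedTree is a helper written here, not a module cmdlet.

```powershell
# Added example, not part of the course: the Recycle Bin demonstration done with
# the Active Directory module instead of ldp.exe, plus a helper for restoring a
# whole deleted OU. Names (contoso.com, Aaron Lee, the Employees OU) are the
# lab's; Restore-ADDeletedTree is defined here, it is not a module cmdlet.
Import-Module ActiveDirectory

$forest = Get-ADForest
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest functional level is $($forest.ForestMode); Windows Server 2008 R2 is required."
}

# Enabling the Recycle Bin cannot be undone, so only do it when it is not
# already on. EnabledScopes stays empty until the feature has been enabled.
$rb = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
if (@($rb.EnabledScopes).Count -eq 0) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $forest.RootDomain
}

$employeesOU = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com'

# Deleted objects are hidden from normal searches; -IncludeDeletedObjects adds
# the Return deleted objects control that the ldp.exe steps load by hand.
# lastKnownParent is the DN the object was deleted from.
$deleted = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, whenChanged `
             -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$employeesOU))"
$deleted | Format-Table Name, ObjectClass, whenChanged -AutoSize

# Restore one object. The deleted name is "Aaron Lee\0ADEL:<guid>", hence -like.
$deleted | Where-Object { $_.Name -like 'Aaron Lee*' } | Restore-ADObject

# Linked attributes such as group membership come back with the object.
Get-ADUser -Filter 'name -eq "Aaron Lee"' -Properties memberOf |
  Select-Object Name, DistinguishedName, memberOf

function Restore-ADDeletedTree {
    # Restore a deleted OU and then everything that was directly under it.
    # The children are deleted before the OU, so their lastKnownParent is the
    # OU's original, live DN, which is exactly where Restore-ADObject puts them.
    param([string]$OuDn)   # the OU's original DN, e.g. OU=Temps,DC=contoso,DC=com
    $rdn, $parent = $OuDn -split ',', 2
    $name = $rdn -replace '^OU=', ''
    $ou = Get-ADObject -IncludeDeletedObjects -LDAPFilter `
            "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=$name)(lastKnownParent=$parent))"
    if (-not $ou) { throw "No deleted OU found for $OuDn" }
    $ou | Restore-ADObject
    Get-ADObject -IncludeDeletedObjects -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$OuDn))" |
      Restore-ADObject
}
# Example call for a deleted OU (not run here):
# Restore-ADDeletedTree -OuDn 'OU=Temps,OU=User Accounts,DC=contoso,DC=com'
```

For nested OUs call the helper once per level, top down; Restore-ADObject fails for any object whose lastKnownParent does not yet exist as a live object.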


Additional Reading

What Is Active Directory Recycle Bin?

• Active Directory Recycle Bin Step-by-Step Guide


Lesson 4

Back Up and Restore AD DS and Domain Controllers

Contents:

• Detailed Demonstration Steps

• Additional Reading


Detailed Demonstration Steps

Demonstration: Backing Up AD DS

Detailed Demonstration Steps: Before performing this demonstration, you will need to open Server Manager and install the Windows Server Backup Features on NYC-DC1.

1. On NYC-DC1, open the Windows Server Backup snap-in.

2. Click the Backup Once link. The Backup Once Wizard appears.

3. On the Backup Options page, ensure that Different options is selected, and then click Next.

4. On the Select Backup Configuration page, click Custom, and then click Next.

5. On the Select Items for Backup page, click Add Items.

6. On the Select Items dialog box, click System state, and then click OK. Click Next.

7. On the Specify Destination Type page, click Next.

8. On the Select Backup Destination page, click Next.

9. On the Confirmation page, click Backup.
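The same system state backup from the command line, followed by the check that matters most once backups are scheduled: the newest one must be younger than the tombstone lifetime, or it cannot be used to restore AD DS. This is an added example and not part of the course; E: is an assumed backup target, and the Windows Server Backup feature including its command-line tools is assumed to be installed.

```powershell
# Added example, not part of the course: the system state backup from the
# demonstration as a command line, followed by the check worth automating: the
# newest system state backup must be younger than the tombstone lifetime, or
# AD DS refuses to restore from it. E: is an assumed backup target; the Windows
# Server Backup feature and its command-line tools must be installed.
Import-Module ActiveDirectory
$Target = 'E:'

# Equivalent of Backup Once > Custom > System state > Local drives in the wizard.
& wbadmin start systemstatebackup -backupTarget:$Target -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# The tombstone lifetime is stored on the Directory Service object in the
# configuration partition. When the attribute is not set, the effective value is
# 60 days for forests created before Windows Server 2003 SP1 and 180 days for
# newer forests; 60 is assumed here as the conservative choice.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
$tsl = $dsObject.tombstoneLifetime
if (-not $tsl) { $tsl = 60; Write-Warning 'tombstoneLifetime is not set; assuming 60 days.' }

# Enumerate the backups through the Windows Server Backup snap-in.
Add-PSSnapin Windows.ServerBackup
$newest = Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1
if (-not $newest) { throw "No backups found for this server" }

$age = (Get-Date) - $newest.BackupTime
Write-Host ("Newest backup: {0} ({1:N0} days old); tombstone lifetime: {2} days" -f `
    $newest.BackupTime, $age.TotalDays, $tsl)

# Leave margin: a backup close to the tombstone lifetime is one failed job away
# from being unusable.
if ($age.TotalDays -ge $tsl) {
    Write-Error 'The newest backup is older than the tombstone lifetime and cannot be used to restore AD DS.'
} elseif ($age.TotalDays -ge ($tsl / 2)) {
    Write-Warning 'The newest backup is past half the tombstone lifetime; take a new one.'
}
```

Back up at least two domain controllers per domain, and one that holds each application partition you care about; a system state backup of a single domain controller is also what an authoritative restore starts from.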


Additional Reading

Backup and Recovery Tools

• Backup and Recovery Overview for Windows Server 2008

• Windows Server Backup

• Windows Server Backup Step-by-Step Guide for Windows Server 2008

• Overview of AD DS and Domain Controller Backup

Backing Up Your Server

• AD DS Backup and Recovery Step-by-Step Guide

Additional Backup and Recovery Tools

For more information about WinRE and the other tools on this slide, go to:

• Backup and Recovery Overview for Windows Server 2008


Module Review and Takeaways

Review Questions

Question: Why is it necessary to stop AD DS before defragmenting?

Answer: The database needs to be closed completely before it can be overwritten. An online database may have locked records that are being written to, thus preventing file modification.

Question: Why is it necessary to compact the database to a temporary directory first?

Answer: Compacting the database actually creates a contiguous copy, which will be used to overwrite the fragmented original.

Question: Which tool should be used to clean up metadata from offline domain controller?

Answer: You should use ntdsutil for this purpose.

Question: What should you do before starting to use Active Directory Recycle Bin?

Answer: You should check that your forest functional level is Windows Server 2008 R2, and you must enable the Active Directory Recycle Bin feature by using Windows PowerShell or ldp.exe. Enabling the feature is irreversible, and only objects deleted after it was enabled can be fully restored.

Question: What kind of restore can you perform with Active Directory?

Answer: You can perform an authoritative restore, a nonauthoritative restore, or a restore of individual objects with the Active Directory Recycle Bin.

Common Issues Related to Directory Service Continuity

Issue: Active Directory is responding slowly to client requests.
Troubleshooting tip: Enable performance monitoring on AD DS-related counters and compare the results with your baseline.

Issue: You suspect that Active Directory is not configured according to best practices.
Troubleshooting tip: Run the Active Directory Best Practices Analyzer.

Issue: You want to be able to quickly restore accidentally deleted objects.
Troubleshooting tip: Enable the Active Directory Recycle Bin feature (requires the Windows Server 2008 R2 forest functional level).

Best Practices Related to Directory Service Continuity

• Use Performance Monitor to monitor Active Directory counters.

• Always establish a baseline before making decisions based on monitoring results.

• Use the ability to stop and start AD DS while the domain controller is online instead of restarting into Directory Services Restore Mode.

• Back up the Active Directory database regularly, and never let the newest backup grow older than the tombstone lifetime, because a backup older than that cannot be used to restore AD DS.


Tools

Each entry lists the tool, what it is used for, and where to find it.

• Performance Monitor: monitoring system objects from a performance perspective (Administrative Tools)

• Reliability Monitor: monitoring events that affect system stability and reliability (Administrative Tools)

• Event Viewer: reviewing logged events on a server or workstation (Administrative Tools)

• Active Directory Module for Windows PowerShell: Active Directory administration (Administrative Tools)

• Ldp.exe: management of Active Directory objects (can be started from the Run window)

• Ntdsutil: management of the Active Directory database (command-line utility)

• Active Directory Domains and Trusts: management of forest and domain functional levels and trusts (Administrative Tools)

• Windows Server Backup: backup and restore of files and Active Directory (Administrative Tools)

Windows Server 2008 R2 Features Introduced in this Module

• Active Directory Best Practices Analyzer: Windows Server 2008 R2 provides a new tool to analyze the Active Directory configuration.

• Active Directory Recycle Bin: Windows Server 2008 R2 Active Directory provides a feature that enables object restoration after accidental deletion.


Lab Review Questions and Answers

Question: In which situations do you currently use, or plan to use, event subscriptions as a monitoring tool?

Answer: Answers will vary.

Question: To which events or performance counters would you consider attaching email notifications or actions? Do you use notifications or actions currently in your enterprise monitoring?

Answer: Answers will vary.

Question: In which other situations should you mount a snapshot of Active Directory?

Answer: If you discover a problem with Active Directory that will require restoring a backup, you might want to look at snapshots to determine just how far back you need to go to restore. After you’ve found the snapshot in which the correct data resides, you can restore the backup taken on the same date.

Question: What are the disadvantages of restoring a deleted object with a tool such as LDP?

Answer: You must repopulate all attributes.

Question: Will it be possible to restore these deleted objects if they were deleted before Active Directory Recycle Bin has been enabled?

Answer: Yes, but only partially. Objects deleted before the Recycle Bin was enabled exist only as tombstones, so reanimating them recovers the object without most of its attributes; the alternative is an authoritative restore of AD DS from a backup.

Question: In which scenarios is Windows PowerShell a more appropriate method for object restoration?

Answer: If you are restoring multiple objects, Windows PowerShell is the more convenient method, because you can pipe the output of Get-ADObject into Restore-ADObject and restore many objects with a single command.

Question: What type of domain controller and directory service backup plan do you have in place? What do you expect to put in place after having completed this lesson and this Lab?

Answer: Answers will vary.

Question: When you restore a deleted user (or an OU with user objects) by using authoritative restore, will the objects be exactly the same as before? Which attributes might not be the same?

Answer: Answers may vary somewhat, but the question is designed to frame a discussion of group membership. A user’s group membership is not an attribute of the user object but rather of the group object. When you authoritatively restore a user, you are not restoring users’ membership in groups. The user was removed from the member attribute of groups when it was deleted. So the restored user will not be a member of any groups other than its primary group. In order to restore group memberships, you would have to consider authoritatively restoring groups as well. This may or may not always be desirable, because when you authoritatively restore the groups you return their membership to the day on which the backup was made.


Module 15 Managing Multiple Domains and Forests

Contents:

• Lesson 2: Manage Multiple Domains and Trust Relationships

• Module Reviews and Takeaways

• Lab Review Questions and Answers


Lesson 2

Manage Multiple Domains and Trust Relationships

Contents:

• Detailed Demonstration Steps

• Additional Reading


Detailed Demonstration Steps

Demonstration: Create a Trust

The steps for creating trusts are similar across categories of trusts. You must be a member of the Domain Admins or Enterprise Admins group to create a trust successfully.

To create a trust relationship:

1. Open the Active Directory Domains and Trusts snap-in.

2. Right-click the domain that will participate in one side of the trust relationship, and click Properties.

You must be running Active Directory Domains and Trusts with credentials that have permissions to create trusts in this domain.

3. Click the Trusts tab.

4. Click the New Trust button.

The New Trust Wizard guides you through the creation of the trust.

5. On the Trust Name page, type the DNS name of the other domain in the trust relationship, and then click Next.

6. If the domain you entered is not within the same forest, you will be prompted to select the type of trust, which will be one of the following:

• Forest

• External

• Realm

If the domain is in the same forest, the wizard knows it is a shortcut trust.

7. If you are creating a realm trust, you will be prompted to indicate whether the trust is transitive or nontransitive. (Realm trusts are discussed later in this lesson.)

8. On the Direction Of Trust page, select one of the following:

• Two-Way. This establishes a two-way trust between the domains.

• One-Way: Incoming. This establishes a one-way trust in which the domain you selected in step 2 is the trusted domain, and the domain you entered in step 5 is the trusting domain.

• One-Way: Outgoing. This establishes a one-way trust in which the domain you selected in step 2 is the trusting domain, and the domain you entered in step 5 is the trusted domain.

9. Click Next.

10. On the Sides Of Trust page, select one of the following:

• Both this domain and the specified domain. This establishes both sides of the trust. This requires that you have permission to create trusts in both domains.

• This domain Only. This creates the trust relationship in the domain you selected in step 2. An administrator with permission to create trusts in the other domain must repeat this process to complete the trust relationship.

The next steps depend on the options you selected in steps 8 and 10. They involve one of the following:


• If you selected Both this domain and the specified domain, you must enter a user name and password with permissions to create the trust in the domain specified in step 5.

• If you selected This Domain Only, you must enter a trust password. A trust password is entered by the administrators on each side of the trust to establish it. The password should not be either administrator's user account password. Instead, it should be a unique password used only for creating this trust. It is used only to establish the trust; after that, the domains change the trust password automatically.

11. If the trust is an outgoing trust, you are prompted to choose one of the following:

• Selective Authentication

• Domain-Wide Authentication or Forest-Wide Authentication, depending on whether the trust type is an external trust or a forest trust, respectively.

12. The New Trust Wizard summarizes your selections on the Trust Selections Complete page. Click Next.

The wizard creates the trust.

13. The Trust Creation Complete page appears. Verify the settings, and then click Next.

You will then have the opportunity to confirm the trust. This option is useful if you have created both sides of the trust or if you are completing the second side of a trust.

If you selected Both this domain and the specified domain in step 10, the process is complete. If you selected This domain only in step 10, the trust relationship will not be complete until an administrator in the other domain completes the process:

• If the trust relationship you established is a one-way outgoing trust, an administrator in the other domain must create a one-way incoming trust.

• If the trust relationship you established is a one-way incoming trust, an administrator in the other domain must create a one-way outgoing trust.

• If the trust relationship you established is a two-way trust, an administrator in the other domain must create a two-way trust.
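Once trusts exist, the settings the wizard chose (direction, type, Selective Authentication, SID filtering) are worth auditing from the directory rather than from memory. This is an added example and not part of the course; because Get-ADTrust does not exist in the Windows Server 2008 R2 module, it reads the trustedDomain objects under CN=System directly, and the bit values come from the trustedDomain schema documentation (MS-ADTS). The netdom commands at the end use the course's example domain names.

```powershell
# Added example, not part of the course: enumerate the trusts of the local domain
# from their trustedDomain objects, decode the direction and attributes the New
# Trust Wizard set, and flag outgoing trusts to other forests or organizations
# that do not use Selective Authentication. Get-ADTrust is not in the Windows
# Server 2008 R2 module, so the objects under CN=System are read directly.
Import-Module ActiveDirectory

# trustAttributes bits (MS-ADTS).
$QUARANTINED_DOMAIN = 0x4    # SID filtering enforced on an external trust
$FOREST_TRANSITIVE  = 0x8    # forest trust
$CROSS_ORGANIZATION = 0x10   # Selective Authentication
$WITHIN_FOREST      = 0x20   # parent/child, tree-root or shortcut trust

# trustDirection is from this domain's point of view.
$directionNames = @{ 0 = 'Disabled'; 1 = 'Incoming (this domain is trusted)'
                     2 = 'Outgoing (this domain trusts the partner)'; 3 = 'Two-way' }
$typeNames = @{ 1 = 'Windows NT (downlevel)'; 2 = 'Active Directory'; 3 = 'Realm (Kerberos V5)' }

function Get-DomainTrustReport {
    $domainDN = (Get-ADDomain).DistinguishedName
    Get-ADObject -SearchBase "CN=System,$domainDN" -Filter 'objectClass -eq "trustedDomain"' `
        -Properties trustPartner, trustDirection, trustType, trustAttributes, whenCreated |
      ForEach-Object {
        $attr = [int]$_.trustAttributes
        $dir  = [int]$_.trustDirection
        $type = [int]$_.trustType
        if ($attr -band $WITHIN_FOREST)         { $scope = 'Intra-forest' }
        elseif ($attr -band $FOREST_TRANSITIVE) { $scope = 'Forest' }
        elseif ($type -eq 3)                    { $scope = 'Realm' }
        else                                    { $scope = 'External' }
        $selective = ($attr -band $CROSS_ORGANIZATION) -ne 0
        # An outgoing external or forest trust without Selective Authentication
        # (Domain-Wide or Forest-Wide Authentication in the wizard) lets every
        # account in the partner authenticate to every computer here, as a
        # member of Authenticated Users. Flag it for review.
        $review = (($dir -band 2) -ne 0) -and ($scope -eq 'Forest' -or $scope -eq 'External') -and -not $selective
        New-Object PSObject -Property @{
            Partner       = $_.trustPartner
            Direction     = $directionNames[$dir]
            Type          = $typeNames[$type]
            Scope         = $scope
            SelectiveAuth = $selective
            SidFiltering  = ($attr -band $QUARANTINED_DOMAIN) -ne 0
            Review        = $review
            Created       = $_.whenCreated
        }
      }
}

Get-DomainTrustReport |
  Sort-Object Review -Descending |
  Format-Table Partner, Direction, Scope, SelectiveAuth, SidFiltering, Review -AutoSize

# netdom verifies the trust's secure channel and can switch an outgoing trust to
# Selective Authentication after the fact (the wizard's choice in step 11).
# contoso.com and tailspintoys.com are the course's example names:
#   netdom trust contoso.com /domain:tailspintoys.com /verify
#   netdom trust contoso.com /domain:tailspintoys.com /SelectiveAUTH:yes
```

After switching a trust to Selective Authentication, nothing works across it until you grant the Allowed to Authenticate permission on the computer objects that partner users are supposed to reach, so plan that step before flipping the switch in production.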


Additional Reading

Define Your Forest and Domain Structure

• For more information about the security considerations related to domain and forest design, see “Best Practices for Delegating Active Directory Administration” at

Demonstration: Create a Trust

• For more information about planning the architecture of an AD DS enterprise see

Forest Trusts

• Detailed procedures for creating each type of trust are available at

• You can learn about the DNS requirements for a forest trust at


Module Reviews and Takeaways

Review questions Question: If a there is a trust within a forest, and the resource is not in the user’s domain, how does the domain controller use the trust relationship to access the resource?

Answer: The domain controller uses the trust relationship with its parent and refers the user’s computer to a domain controller in its parent domain. This attempt to locate a resource continues up the trust hierarchy, possibly to the forest root domain, and down the trust hierarchy, until contact occurs with a domain controller in the domain where the resource exists.

Question: Your organization has a Windows Server 2008 forest environment, but it has just acquired another organization with a Windows 2000 forest environment that contains a single domain. Users in both organizations must be able to access resources in each other’s forest. What type of trust do you create between the forest root domain of each forest?

Answer: You will need to implement an external trust, because Windows 2000 does not support forest trusts; forest trusts require the Windows Server 2003 forest functional level in both forests. An external trust is nontransitive, so it connects only the two domains that take part in it. If users from the acquired forest also need resources in other domains of your forest, each of those domains needs its own external trust.

Question: A user from Contoso attempts to access a shared folder in the Tailspin Toys domain and receives an Access Denied error. What must be done to provide access to the user?

Answer: A trust relationship must be established in which Tailspin Toys trusts Contoso, and then the user (or a group to which the user belongs) must be given permission to the shared folder in the Tailspin Toys domain.

Question: Can you raise the domain functional level of a domain to Windows Server 2008 when other domains contain domain controllers running Windows Server 2003?

Answer: Yes. Domain functional levels within a forest can be different.

Windows Server 2008 R2 Features Introduced in this Module

• Windows Server 2008 R2 domain and forest functional levels: used to enable Windows Server 2008 R2-specific features.


Lab Review Questions and Answers

Question: How would you configure a forest trust with another organization if the organization does not provide you with their administrator credentials?

Answer: You would be able to configure and verify one side of the trust only. Administrators in the other organization must configure the trust in their domain.

Question: What is the main benefit of Selective Authentication?

Answer: The ability to restrict which users from the trusted domain or forest can authenticate to which computers in the trusting domain. Only accounts that have been granted the Allowed to Authenticate permission on a computer object can access that computer, instead of every user across the trust being treated as an authenticated user on every computer.


Send Us Your Feedback You can search the Microsoft Knowledge Base for known issues at Microsoft Help and Support before submitting feedback. Search using either the course number and revision, or the course title.

Note Not all training products will have a Knowledge Base article – if that is the case, please ask your instructor whether or not there are existing error log entries.

Courseware Feedback Send all courseware feedback to [email protected]. We truly appreciate your time and effort. We review every e-mail received and forward the information on to the appropriate team. Unfortunately, because of volume, we are unable to provide a response but we may use your feedback to improve your future experience with Microsoft Learning products.

Reporting Errors When providing feedback, include the training product name and number in the subject line of your e-mail. When you provide comments or report bugs, please include the following:

1. Document or CD part number

2. Page number or location

3. Complete description of the error or suggested change

Please provide any details that are necessary to help us verify the issue.

Important All errors and suggestions are evaluated, but only those that are validated are added to the product Knowledge Base article.