Mcts 70-640 6425A

OFFICIAL
MICROSOFT
LEARNING
PRODUCT
6425A
Configuring Windows Server 2008 Active Directory Domain Services

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.
BETA COURSEWARE. EXPIRES 4/11/2008
ii
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. 2007 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, ActiveX, Excel, Internet Explorer, Jscript, MSDN, NetMeeting, PowerPoint, SharePoint, SQL Server, Visual Basic, Visual Studio, Win32, Windows, Windows Media, Windows NT, Windows PowerShell, Windows Server and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Technical Reviewer: John Policelli
Product Number: 6425A Part Number: N/A Released: 10/2007
MICROSOFT LICENSE TERMS OFFICIAL MICROSOFT LEARNING PRODUCTS COURSEWARE BLENDED LEARNING COURSE - STUDENT EDITION
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the licensed content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft updates, supplements, Internet-based services, and support services
for this licensed content, unless other terms accompany those items. If so, those terms apply. By using the licensed content, you accept these terms. If you do not accept them, do not use the licensed content. If you comply with these license terms, you have the rights below.
1. OVERVIEW.
Licensed Content. The licensed content includes software, printed materials, academic materials (online and electronic), and associated media. License Model. The licensed content is licensed on a per copy per device basis.
2. INSTALLATION AND USE RIGHTS. a. Licensed Device. The licensed device is the device on which you use the licensed content. You
may install and use one copy of the licensed content on the licensed device. primary user of the licensed device.
b. Portable Device. You may install another copy on a portable device for use by the single c. Separation of Components. The components of the licensed content are licensed as a single
unit. You may not separate the components and install them on different devices.
d. Third Party Programs. The licensed content may contain third party programs. These license
terms will apply to your use of those third party programs, unless other terms accompany those programs.
3. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS. a. Media Elements and Templates. You may use images, clip art, animations, sounds, music,
shapes, video clips and templates provided with the licensed content solely for your personal training use. If you wish to use these media elements or templates for any other purpose, go to www.microsoft.com/permission to learn whether that use is allowed. labs, tests, datasheets and FAQs), you may copy and use the academic materials. You may not make any modifications to the academic materials and you may not print any book (either
b. Academic Materials. If the licensed content contains academic materials (such as white papers,
electronic or print version) in its entirety. If you reproduce any academic materials, you agree that:
The use of the academic materials will be only for your personal reference or training use You will not republish or post the academic materials on any network computer or broadcast in
any media;
You will include the academic materials original copyright notice, or a copyright notice to
Microsofts benefit in the format provided below: Form of Notice: 2007 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
c. Distributable Code. The licensed content may contain code that you are permitted to distribute
in programs you develop if you comply with the terms below.
i.
Right to Use and Distribute. The code and text files listed below are Distributable Code. REDIST.TXT Files. You may copy and distribute the object code form of code listed in REDIST.TXT files. Sample Code. You may modify, copy, and distribute the source and object code form of code marked as sample. Third Party Distribution. You may permit distributors of your programs to copy and distribute the Distributable Code as part of those programs.
ii. Distribution Requirements. For any Distributable Code you distribute, you must
add significant primary functionality to it in your programs; require distributors and external end users to agree to terms that protect it at least as much as this agreement; display your valid copyright notice on your programs; and indemnify, defend, and hold harmless Microsoft from any claims, including attorneys fees, related to the distribution or use of your programs.
iii. Distribution Restrictions. You may not

alter any copyright, trademark or patent notice in the Distributable Code; use Microsofts trademarks in your programs names or in a way that suggests your programs come from or are endorsed by Microsoft; distribute Distributable Code to run on a platform other than the Windows platform; include Distributable Code in malicious, deceptive or unlawful programs; or modify or distribute the source code of any Distributable Code so that any part of it becomes subject to an Excluded License. An Excluded License is one that requires, as a condition of use, modification or distribution, that the code be disclosed or distributed in source code form; or others have the right to modify it.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the licensed
content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone elses use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The licensed content is licensed, not sold. This agreement only gives you some
rights to use the licensed content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the licensed content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the licensed content that only allow you to use it in certain ways. You may not disclose the results of any benchmark tests of the licensed content to any third party without Microsofts prior written approval; work around any technical limitations in the licensed content; reverse engineer, decompile or disassemble the licensed content, except and only to the extent that applicable law expressly permits, despite this limitation; make more copies of the licensed content than specified in this agreement or allowed by applicable law, despite this limitation; publish the licensed content for others to copy; rent, lease or lend the licensed content; or use the licensed content for commercial licensed content hosting services. Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.
6. BACKUP COPY. You may make one backup copy of the licensed content. You may use it only to
reinstall the licensed content.
7. TRANSFER TO ANOTHER DEVICE. You may uninstall the licensed content and install it on another
device for your use. You may not do so to share this license between devices.
8. TRANSFER TO A THIRD PARTY. The first user of the licensed content may transfer it and this
agreement directly to a third party. Before the transfer, that party must agree that this agreement
applies to the transfer and use of the licensed content. The first user must uninstall the licensed content before transferring it separately from the device. The first user may not retain any copies.
9. EXPORT RESTRICTIONS. The licensed content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply to the licensed content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting. content marked as NFR or Not for Resale.
10. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or licensed 11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if
you fail to comply with the terms and conditions of these license terms. Upon any termination of this agreement, you must destroy all copies of the licensed content and all of its component parts. services and support services that you use, are the entire agreement for the licensed content and support services.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based
13. APPLICABLE LAW. a. United States. If you acquired the licensed content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the licensed content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the licensed content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED AS-IS. YOU BEAR
THE RISK OF USING IT. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT EXCLUDES THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER
FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES. anything related to the licensed content, software, services, content (including code) on third party Internet sites, or third party programs; and claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
This limitation applies to
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. Please note: As this licensed content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French. Remarque : Ce le contenu sous licence tant distribu au Qubec, Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en franais. EXONRATION DE GARANTIE. Le contenu sous licence vis par une licence est offert tel quel . Toute utilisation de ce contenu sous licence est votre seule risque et pril. Microsoft naccorde aucune autre garantie expresse. Vous pouvez bnficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualit marchande, dadquation un usage particulier et dabsence de contrefaon sont exclues. LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement hauteur de 5,00 $ US. Vous ne pouvez prtendre aucune indemnisation pour les autres dommages, y compris les dommages spciaux, indirects ou accessoires et pertes de bnfices. Cette limitation concerne: tout ce qui est reli au le contenu sous licence , aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers ; et les rclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit stricte, de ngligence ou dune autre faute dans la limite autorise par la loi en vigueur.
Elle sapplique galement, mme si Microsoft connaissait ou devrait connatre lventualit dun tel dommage. Si votre pays nautorise pas lexclusion ou la limitation de responsabilit pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou lexclusion ci-dessus ne sappliquera pas votre gard. EFFET JURIDIQUE. Le prsent contrat dcrit certains droits juridiques. Vous pourriez avoir dautres droits prvus par les lois de votre pays. Le prsent contrat ne modifie pas les droits que vous confrent les lois de votre pays si celles-ci ne le permettent pas.
ix
Contents
Module 1: Implementing Active Directory Domain Services
Lesson 1: Installing Active Directory Domain Services Lesson 2: Deploying Read-Only Domain Controllers Lesson 3: Configuring AD DS Domain Controller Roles Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles 1-3 1-14 1-22 1-29
Module 2: Configuring Domain Name Service for Active Directory Domain Services
Lesson 1: Overview of Active Directory Domain Services and DNS Integration Lesson 2: Configuring Active Directory Integrated Zones Lesson 3: Configuring Read-Only DNS Zones Lab: Configuring AD DS and DNS Integration 2-3 2-11 2-19 2-23
Module 3: Configuring Active Directory Objects and Trusts

Lesson 1: Configuring Active Directory Objects Lesson 2: Strategies for Using Groups Lesson 3: Automating AD DS Object Management Lab A: Configuring Active Directory Objects Lesson 4: Delegating Administrative Access to AD DS Objects Lesson 5: Configuring AD DS Trusts Lab B: Configuring Active Directory Delegation 3-3 3-14 3-20 3-28 3-42 3-50 3-59
Module 4: Configuring Active Directory Sites and Replication

Lesson 1: Overview of Active Directory Domain Services Replication Lesson 2: Overview of AD DS Sites and Replication Lesson 3: Configuring and Monitoring AD DS Replication Lab: Configuring Active Directory Sites and Replication 4-3 4-13 4-22 4-31
Module 5: Creating and Configuring Group Policies

Lesson 1: Overview of Group Policies Lesson 2: Configuring the Scope of Group Policy Objects Lesson 3: Evaluating the Application of Group Policy Objects Lesson 4: Managing Group Policy Objects Lesson 5: Delegating Administrative Control of Group Policies Lab: Creating and Configuring GPOs 5-3 5-15 5-26 5-31 5-38 5-42
Module 6: Configuring User Environments Using Group Policies

Lesson 1: Configuring Group Policy Settings 6-3 Lesson 2: Configuring Scripts and Folder Redirection Using Group Policies 6-7 Lesson 3: Configuring Administrative Templates 6-15 Lesson 4: Deploying Software Using Group Policy 6-22 Lab: Configuring User Environments Using Group Policies 6-32
Module 7: Implementing Security Using Group Policies

Lesson 1: Configuring Security Policies Lesson 2: Implementing Fine-Grained Password Policies Lesson 3: Restricting Group Membership and Access to Software Lesson 4: Managing Security by Using Security Templates Lab: Implementing Security Using Group Policies 7-3 7-13 7-19 7-26 7-33
Module 8: Implementing an Active Directory Domain Services Monitoring Plan

Lesson 1: Monitoring Active Directory Domain Services Using Event Viewer Lesson 2: Monitoring Active Directory Domain Servers Using Reliability and Performance Monitor Lesson 3: Configuring Active Directory Domain Services Auditing Lab: Configuring Active Directory Sites and Replication 8-3 8-10 8-20 8-25
xi
Module 9: Implementing an Active Directory Domain Services Maintenance Plan

Lesson 1: Maintaining the AD DS Domain Controllers Lesson 2: Backing Up Active Directory Domain Services Lesson 3: Restoring Active Directory Domain Services Lab: Implementing an Active Directory Domain Services Maintenance Plan 9-3 9-14 9-18 9-29
Module 10: Troubleshooting Active Directory, DNS, and Replication Issues

Lesson 1: Troubleshooting Active Directory Domain Services Lesson 2: Troubleshooting DNS Integration with Active Directory Domain Services Lesson 3: Troubleshooting Active Directory Replication Lab: Troubleshooting Active Directory, DNS and Replication Issues 10-3 10-9 10-15 10-22
Module 11: Troubleshooting Group Policy Issues

Lesson 1: Introduction to Group Policy Troubleshooting Lesson 2: Troubleshooting Group Policy Applications Lesson 3: Troubleshooting Group Policy Settings Lab: Troubleshooting Group Policy Issues 11-3 11-10 11-17 11-25
Module 12: Implementing an Active Directory Domain Services Infrastructure

Lesson 1: Overview of the AD DS Domain Lesson 2: Planning a Group Policy Strategy Lab A: Deploying Active Directory Domain Services Lab B: Configuring Forest Trusts Lab C: Designing a Group Policy Strategy 12-3 12-7 12-9 12-23 12-31
About This Course
About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.
Course Description
The purpose of this 5-day course is to teach Active Directory Technology Specialists how to configure Active Directory Domain Services in a distributed environment, implement Group Policies, perform backup and restore, and monitor and troubleshoot Active Directory related issues. After completing this course, students will be able to implement and configure Active Directory domain services in their enterprise environment.
Audience
The primary audience for this course are Active Directory Technology Specialists, Server Administrators, and Enterprise Administrators who want to learn how to implement Active Directory in a distributed environment, secure domains using Group Policies, and perform backup, restore, and monitor and troubleshoot Active Directory configuration to ensure trouble free operation.
Student Prerequisites
This course requires that you meet the following prerequisites: Basic understanding of networking. For example, how TCP/IP functions, addressing, name resolution (Domain Name System [DNS]/Windows Internet Name Service [WINS]), and connection methods (wired, wireless, virtual private network [VPN]), NET+ or equivalent knowledge. Intermediate understanding of network operating systems. For example, Windows 2000, Windows XP, Windows Server 2003 etc, the Windows Vista operating system client (nice to have). An awareness of security best practices. For example, file system permissions, authentication methods, workstation and server hardening methods etc. Basic knowledge of server hardware. A+ or equivalent knowledge. Some experience creating objects in Active Directory.
ii
About This Course
Foundation course (6424A: Fundamentals of Windows Server 2008 Active Directory) or equivalent knowledge. Basic concepts of backup and recovery in a Windows Server Environment. For example, backup types, backup methods, backup topologies etc. (information covered in 6420A: Fundamentals of Windows Server 2008 Network Infrastructure and Application Platform).
Course Objectives
After completing this course, students will be able to: Implement Active Directory Domain Services (AD DS). Configure DNS for AD DS. Configure Active Directory objects and trusts. Configure Active Directory sites and replication. Create and configure Group Policies. Configure user environments using Group Policies. Implement security using Group Policies. Implement an AD DS monitoring plan. Implement an AD DS maintenance plan. Troubleshoot Active Directory, DNS, and replication issues. Troubleshoot Group Policy issues. Implement an AD DS infrastructure.
About This Course
iii
Course Outline
This section provides an outline of the course: Module 1: This module discusses the prerequisite hardware and software required for implementing Active Directory Domain Services, as well as the process for installing it. It also defines what a read-only domain controller (RODC) is and how to install it. Module 2: This module covers DNS configuration specific to Active Directory. Module 3: This module discusses how to implement and configure AD DS objects and trusts. Module 4: This module covers how to create and configure sites to manage replication. Module 5: This module covers how Group Policy objects (GPOs) work and how to create and apply GPOs. Module 6: This module discusses how to configure user desktop settings by using Group Policies. Module 7: This module describes how to configure security settings and apply them using GPOs. Module 8: This module describes how to monitor AD DS infrastructure and services. Module 9: This module discusses how to perform maintenance, backup, and recovery of Active Directory servers and objects. Module 10: This module covers how to troubleshoot and resolve issues related to Active Directory, DNS, and replication. Module 11: This module describes how to troubleshoot and resolve issues related to Group Policy. Module 12: This module is a day-long lab. You are given scenarios that will help you learn how to create a solution from start to end.
iv
About This Course
Course Materials
The following materials are included with your kit: Course handbook. The Course handbook contains the material covered in class. It is meant to be used in conjunction with the Course Companion CD. Course Companion CD. The Course Companion CD contains the full course content, including expanded content for each topic pages, full lab exercises and answer keys, topical and categorized resources and Web links. It is meant to be used both inside and outside the class.
Note To access the full course content, insert the Course Companion CD into the CDROM drive, and then in the root directory of the CD, double-click StartCD.exe.
Course evaluation. At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.
To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.
About This Course
Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business scenario of the course.
Virtual Machine Configuration

In this course, you will use Microsoft Virtual Server 2005 to perform the labs.
Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps: 1. On the host computer, click Start, point to All Programs, point to Microsoft Virtual Server, and then click Virtual Server Administration Website. 2. Under Navigation, click Master Status. For each virtual machine that is running, point to the virtual machine name, and, in the context menu, click Turn off Virtual Machine and Discard Undo Disks. Click OK.
The following table shows the role of each virtual machine that this course uses:
Virtual machine 6425A-SEA-DC1 6425A-SEA-DC2 6425A-SEA-SVR1 6425A-NYC-CL1 6425A-MIA-RODC 6425A-NYC-SVR2 Role Domain controller in the WoodgroveBank.com domain Domain controller in the WoodgroveBank.com domain Member server Windows Vista computer in the WoodgroveBank.com domain 6425A-MIA-RODC Windows Server 2008 Server core computer
vi
About This Course
Software Configuration
The following software is installed on each virtual machine: Windows Server 2008 Enterprise; Windows Vista
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware are taught. This course requires a computer that meets or exceeds hardware level 5, which specifies a 2.4gigahertz (minimum) Pentium 4 or equivalent CPU, at least 2 gigabytes (GB) of RAM, 16 megabytes (MB) of video RAM, and a 7200 RPM 40-GB hard disk.
Implementing Active Directory Domain Services
1-1
Module 1
Contents:
Lesson 1: Installing Active Directory Domain Services Lesson 2: Deploying Read-Only Domain Controllers Lesson 3: Configuring AD DS Domain Controller Roles Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles 1-3 1-14 1-22 1-29
1-2
6425A: Configuring Windows Server 2008 Active Directory Domain Services
Module Overview
Active Directory Domain Services (AD DS) is installed as a server role in Windows Server 2008. You have several choices to make when you install AD DS and run the Active Directory Installation Wizard. You must choose whether to create a new domain or add a domain controller to an existing domain. You also have the option of installing AD DS on a server running Windows Server 2008 Server Core or installing read-only domain controllers. After deploying the domain controllers, you also must manage special domain controller roles, such as the global catalog and operations masters.
1-3
Lesson 1:
Installing Active Directory Domain Services
Windows Server 2008 provides several ways to install and configure Active Directory Domain Services. This lesson describes the standard AD DS installation, and then also describes some of the other options that are available when performing the installation.
1-4
Requirements for Installing AD DS
Key Points
To install Active Directory Domain Services, the server must meet the following requirements: Windows Server 2008 operating system must be is installed. AD DS can only be installed on the following editions: Windows Server 2008, Standard Edition Windows Server 2008, Enterprise Edition Windows Server 2008, Datacenter edition
Additional Reading
Active Directory Domain Services Help: Installing Active Directory Domain Services Microsoft Technet article: Requirements for Installing AD DS
1-5
What Are Domain and Forest Functional Levels?
Key Points
In Windows Server 2008, forest and domain functionality provides a way to enable forest-wide or domain-wide Active Directory features in your network environment. Different levels of forest and domain functionality are available, depending on domain and forest functional level.
Additional Reading
Active Directory Domain Services Help: Set the domain or forest functional level Microsoft Technet article: Appendix of Functional Level Features
1-6
AD DS Installation Process
Key Points
To configure a Windows Server 2008 domain controller, you must install the AD DS server role and run the Active Directory Domain Services Installation wizard. Do this using one of the following processes: Install the Server role by using Server Manager, and then run the installation wizard by running DCPromo or the installation wizard from Server Manager. Run DCPromo from the Run command or a command prompt. This will install the AD DS server role and then start the installation wizard.
Additional Reading
Active Directory Domain Services Help: Installing Active Directory Domain Services Microsoft Technet article: Installing a New Windows Server 2008 Forest and Scenarios for Installing AD DS
1-7
Advanced Options for Installing AD DS
Key Points
Some of the Active Directory Domain Services Installation Wizard pages appear only if you select the Use advanced mode installation check box on the Welcome page of the wizard or by running DCPromo with the /adv switch. If you do not run the installation wizard in advanced mode, the wizard uses default options that apply to most configurations. Question: When would you use the advanced options mode in your organization?
Additional Reading
Active Directory Domain Services Help: Use advanced mode installation Microsoft Technet article: What's New in AD DS Installation and Removal
1-8
Installing AD DS from Media
Key Points
Before you can use backup media as the source for installing a domain controller, use Ntdsutil.exe to create the installation media. Question: Which types of installation media will you use in your organization?
Additional Reading
Microsoft Technet article: Installing AD DS from Media
1-9
Demonstration: Verifying the AD DS installation
Question: What steps would you take if you noticed that the domain controller installation failed?
Additional Reading
Microsoft Technet article: Verifying an AD DS Installation Microsoft Technet article: Verifying Active Directory Installation
1-10
Upgrading to Windows Server 2008 AD DS
Key Points
To install a new Windows Server 2008 domain controller in an existing Windows 2000 Server or Windows Server 2003 domain, complete the following steps: If the domain controller is the first Windows Server 2008 domain controller in the forest, you must prepare the forest for Windows Server 2008 by extending the schema on the schema operations master. To extend the schema, run adprep /forestprep. The adprep tool is located on the Windows Server 2008 installation media. If the domain controller is the first Windows Server 2008 domain controller in a Windows 2000 Server domain, you must first prepare the domain by running adprep /domainprep /gpprep on the infrastructure master. The gpprep switch adds inheritable access control entry (ACEs) to the Group Policy Objects (GPO) that are located in the SYSVOL shared folder and synchronizes the SYSVOL shared folder among the controllers in the domain.
1-11
If the domain controller is the first Windows Server 2008 domain controller in a Windows Server 2003 domain, you must prepare the domain by running adprep /domainprep on the infrastructure master. After you install a writeable domain controller, you can install an RODC in the Windows Server 2003 forest. Before doing this, you must prepare the forest by running adprep /rodcprep. You can run adprep /rodcprep on any computer in the forest. If the RODC will be a global catalog server, then you must run adprep /domainprep in all domains in the forest, regardless of whether the domain runs a Windows Server 2008 domain controller. By running adprep /domainprep in all domains, the RODC can replicate global catalog data from all domains in the forest and then advertise as a global catalog server.
Additional Reading
Active Directory Domain Services Help: Installing Active Directory Domain Services Microsoft Technet article: Installing a New Windows Server 2008 Forest: Microsoft Technet article: Scenarios for Installing AD DS
1-12
Installing AD DS on a Server Core Computer
Key Points
To install AD DS on a Windows Server 2008 computer running Server Core, you must use an unattended setup. Windows Server 2008 Server Core does not provide a graphical user interface (GUI) so you cannot run the Active Directory Domain Services installation wizard. To perform an unattended install of AD DS, use an answer file and the following syntax with the Dcpromo command: Dcpromo /answer[:filename] Where filename is the name of your answer file.
Additional Reading
Microsoft Technet article: Appendix of Unattended Installation Parameters
1-13
Discussion: Common Configuration for AD DS
Key Points
After installing a domain controller, you may need to perform additional tasks in your environment. You can access checklists for the following common configurations for AD DS in Server Manager, under Resources and Support.
Additional Reading
AD DS Help: Common Configurations for Active Directory Domain Services
1-14
Lesson 2:
Deploying Read-Only Domain Controllers
One of the important new features in Windows Server 2008 is the option to use read-only domain controllers (RODCs). RODCs provide all of the functionality that clients require while providing additional security for domain controllers deployed in branch offices. When configuring RODCs, you can specify which user account passwords will be cached on the server and configure delegated administrative permissions for the domain controller. This lesson describes how to install and configure RODCs.
1-15
What Is a Read-Only Domain Controller?
Key Points
An RODC is a new type of domain controller that Windows Server 2008 supports. An RODC hosts read-only partitions of the AD DS database. This means that no changes can ever be made to the database copy that the RODC stores, and all AD DS replication uses a one-way connection from a domain controller that has a writeable database copy to the RODC.
Additional Reading
Microsoft Technet article: AD DS: Read-Only Domain Controllers
1-16
Read-Only Domain Controller Features
Key Points
See the list on the slide.
Additional Reading
Microsoft Technet article: AD DS: Read-Only Domain Controllers Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3
1-17
Preparing to Install the RODC
Key Points
Before you can install an RODC, you must prepare the AD DS environment by completing the following steps: Configure the domain and forest functional level Plan for Windows Server 2008 domain controller availability Prepare the forest and domain
Additional Reading
AD DS Help: Delegate read-only domain controller installation and administration Microsoft Technet article: AD DS: Read-Only Domain Controllers Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3
1-18
Installing the RODC
Key Points
The RODC installation is almost identical to the installation of AD DS on a domain controller with a writeable copy of the database. However there are a few extra steps.
Additional Reading
AD DS Help: Delegate read-only domain controller installation and administration Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3
1-19
Delegating the RODC Installation
Key Points
You can delegate the installation of an RODC by performing a two stage installation. Question: What are the benefits of delegating an RODC installation?
Additional reading
AD DS Help: Delegate read-only domain controller installation and administration Microsoft Technet article: AD DS: Read-Only Domain Controllers: Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3:
1-20
What Are Password Replication Policies?
Key Points
When deploy an RODC, you can configure a Password Replication Policy for the RODC. The Password Replication Policy acts as an access control list (ACL) that determines if an RODC is permitted to cache a password. The Password Replication Policy lists the accounts that you are allowing explicitly to be cached and those that you are not. The passwords for any accounts are not actually cached on the RODC until after the first time the user or computer account is authenticated through the RODC.
Additional Reading
AD DS Online Help: Specify Password Replication Policy
1-21
Demonstration: Configuring Administrator Role Separation and Password Replication Policies
Questions: What is an alternative way to configure administrator role separation and password replication policies? Your organization has deployed two RODCs. How would you configure the password replication policy if you wanted the credentials for all user accounts and computer accounts except for administrators and executives to be cached on both RODCs?
Additional Reading
AD DS Help: Specify Password Replication Policy
1-22
Lesson 3:
Configuring AD DS Domain Controller Roles
All domain controllers in a domain are essentially equal, meaning they all contain the same data and provide the same services. However, you also can assign special roles to domain controllers to provide additional services or address scenarios in which only one domain controller should provide services at any given time. This lesson describes how to configure and manage global catalog servers and operations masters.
1-23
What Are Global Catalog Servers?
Key Points
The global catalog is a partial, read-only replica of all domain directory partitions in a forest. The global catalog is a partial replica because it includes only a limited set of attributes for each of the forests objects. By including only the attributes that are used the most for searching, the database of a single global catalog server can represent every object in every domain in the forest. The global catalog server hosts the global catalog and its domain information. Active Directory configures the first domain controller automatically in the forest as a global catalog server. You can add global catalog functionality to other domain controllers or change the default location of the global catalog to another domain controller.
Additional Reading
Microsoft Technet article: Domain Controller Roles
1-24
Modifying the Global Catalog
Key Points
Sometimes you may want to customize the global catalog server to include additional attributes. By default, for every object in the forest, the global catalog server contains an objects most common attributes. Applications and users can query these attributes. For example, you can find a user by first name, last name, email address, or other common properties
Additional Reading
Microsoft Technet article: Domain Controller Roles (Global Catalog Partial Attribute Set section)
1-25
Demonstration: Configuring Global Catalog Servers
Questions: What types of errors or user experiences would lead you to investigate whether you needed to configure another server as a global catalog server? What are reasons why you would choose to replicate an attribute to the global catalog?
Additional Reading
Microsoft Technet article: To add an attribute to the global catalog
1-26
What Are Operations Master Roles?
Key Points
Active Directory is designed as a multimaster replication system. However, for certain directory operations, only a single authoritative server is required. The domain controllers that perform specific roles are known as operations masters. The domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database.
Additional Reading
Microsoft Technet article: To add an attribute to the global catalog
1-27
Demonstration: Managing Operation Master Roles
Questions: Under what circumstances might you need to seize an operations master role immediately rather than wait a few hours for a domain controller currently holding the role to be repaired? You are deploying the first domain controller in a new domain that will be a new domain tree in the WoodgroveBank.com forest. What operations master roles will this server hold by default?
Additional Reading
Microsoft Technet article: Manage Operations Master Roles
1-28
How Windows Time Service Works
Key Points
The Windows Time service, also known as W32Time, synchronizes the date and time for all computers running on a Windows Server 2008 network. The Windows Time service uses the Network Time Protocol (NTP) to ensure highly accurate time settings throughout your network. You also can integrate the Windows Time service with external time sources.
Additional Reading
Microsoft Technet article: Windows Time Service Technical Reference Microsoft Technet article: Configuring a time source for the forest
1-29
Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles
Scenario: Woodgrove Bank has begun their deployment of Windows Server 2008. The organization has deployed several domain controllers at the corporate headquarters and is preparing to deploy domain controllers in several branch offices. The Enterprise Administrator created a design that requires read-only domain controllers to be deployed on servers running Windows Server 2008 in all branch offices. Your task is to deploy a domain controller in a branch office that meets these requirements.
1-30
Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC

Woodgrove Bank has begun their deployment of Windows Server 2008. The organization has deployed several domain controllers at the corporate headquarters and is now preparing to deploy domain controllers in several of the branch offices. The Enterprise Administrator has created a design that requires read-only domain controllers to be deployed on servers running Windows Server 2008 in all branch offices. Your task is to deploy a domain controller in a branch office that meets these requirements
Note: Due to the limitations of the virtual lab environment, you will be installing the RODC in the same site as the existing domain controllers. In a production environment, you would complete the same steps even if the RODC was in a different site.
The main tasks are as follows: 1. 2. 3. 4. 5. 5. Start 6425A-NYC-DC1 and log on as Administrator. Start 6425A-NYC-SVR1 and log on as Administrator. Start 6425A-NYC-SVR1 and log on as Administrator. Verify the forest and domain functional level are compatible with an RODC deployment. Verify the availability of a writeable domain controller running Windows Server 2008. Configure the computer account settings for the RODC.
Task 1: Start 6425A-NYC-DC1 and log on as Administrator

Start 6425A-NYC-DC1 and log on as Administrator using the password Pa$$w0rd.
1-31

Task 3: Start 6425A-NYC-SVR1 and log on as Administrator

Start 6425A-NYC-SVR1 and log on as Administrator using the password Pa$$w0rd.
Task 3: Verify the forest and domain functional level are compatible with an RODC deployment
1. 2. On NYC-DC1, open Active Directory Users and Computers. Right-click WoodgroveBank.com and verify that the domain functional level and the forest functional level are set to Windows Server 2003.
Task 4: Verify the availability of a writeable domain controller running Windows Server 2008
1. 2. In Active Directory Users and Computers, check the properties for NYC-DC1. Verify that the operating system name is Windows Server 2008 Enterprise.
Task 5: Configure the computer account settings for the RODC

1. 2. 3. On NYC-SVR1, open Server Manager. Click Change System Properties, and on the Computer Name tab, change the computer name to TOR-DC1. Restart the computer.
Result: At the end of this exercise, you will have verified that the domain and the computer are ready to install an RODC.
1-32
Exercise 2: Installing and Configuring an RODC

You will install the RODC server role on the Windows Server 2008 computer. To do this, you will prestage the computer account that the RODC will use. As part of the prestaging, you will configure an administrative group with permissions to install the domain controller. After the installation is complete, you will verify that the installation completed successfully. You also will configure password-replication policies for users that log on to the domain controller. The main tasks are as follows: 1. 2. 3. 4. 5. Pre-stage the computer account for the RODC. Log on to TOR-DC1 as Administrator. Install the RODC using the existing account. Use WoodgroveBank\Axel as the account with credentials to perform the installation. Verify the successful installation of the domain controller. Configure a password replication policy that enables credential caching for all user accounts in Toronto.
Task 1: Pre-stage the computer account for the RODC

1. 2. 3. On NYC-DC1, open Active Directory Users and Computers. Right-click the Domain Controllers organization unit and click Pre-create Read-only Domain Controller account. Complete the Active Directory Domain Services Installation Wizard using the following selections: a. b. c. Use advanced mode installation Use the current credentials. Computer name: TOR-DC1
d. Default site e. f. Install only the DNS and RODC options Delegate permission to install the RODC to Axel Delgado
1-33
Task 2: Log on to TOR-DC1 as Administrator

Log on as Administrator using the password Pa$$w0rd.
Task 3: Install the RODC using the existing account. Use WoodgroveBank\Axel as the account with credentials to perform the installation
1. 2. On TOR-DC1, open a command prompt and type dcpromo /UseExistingAccount:Attach, and then press ENTER: Complete the Active Directory Domain Services Installation Wizard using the following selections: a. b. c. Use advanced mode installation Provide Axel as the alternative credential Use TOR-DC1 as the computer name
d. Use NYC-DC1.WoodgroveBank.com as the source domain controller e. f. 3. Accept the default location for the Database, Log Files, and SYSVOL files. Use Pa$$w0rd as the Directory Services Restore Mode Administrator Password
Reboot the computer when the installation finishes.
Task 4: Verify the successful installation of the domain controller

1. 2. 3. 4. 5. After NYC-SRV1 restarts, log on as Axel with a password of Pa$$w0rd. In Server Manager, verify that Active Directory Domain Services server role is installed. Verify that all required services are running. In Active Directory Users and Computers, verify that TOR-DC1 is listed in the Domain Controllers organizational unit. Verify that you do not have permission to add or remove domain objects.
1-34
6. 7. 8. 9.
In Active Directory Sites and Services, verify that TOR-DC1 is listed in the Servers list for the Default-First-Site-Name. Check the NTDS Settings for TOR-DC1. Confirm that connection objects have been created. Check the NTDS Settings for NYC-DC1. Confirm that no connection objects have been created for replication with TOR-DC1. Open Event Viewer. In the Directory Service log, locate and view a message with an event ID of 1128. This event ID verifies that a replication connection object has been created between NYC-DC1 and TOR-DC1.
Task 5: Configure a password replication policy that enables credential caching for all user accounts in Toronto
1. 2. On NYC-DC1, in Active Directory Users and Computers, access the TORDC1 Properties dialog box. Add all of the Toronto groups to the Password replication policy.
Result: At the end of this exercise, you will have installed an RODC and configured the RODC password replication policy for the RODC.
1-35
Exercise 3: Configuring AD DS Domain Controller Roles

You will configure the RODC installed in the previous exercise as a global catalog server. You also will assign operation master roles to an additional domain controller in the domain. The main tasks are as follows: 1. 2. 3. 4. Use Active Directory Sites and Services to configure TOR-DC1 as a global catalog server. Configure NYC-DC2 as the infrastructure master and domain naming master for the WoodgroveBank.com domain. Add the Department attribute to the global catalog. Shut down all virtual machines.
Task 1: Use Active Directory Sites and Services to configure TOR-DC1 as a global catalog server
1. 2. On NYC-DC1, in Active Directory Sites and Services, locate the TOR-DC1 computer account. Access the NTDS Settings, and select the Global Catalog check box.
Task 2: Configure NYC-DC2 as the infrastructure master and domain naming master for the WoodgroveBank.com domain
1. 2. 3. On NYC-DC1, in Active Directory Users and Computers, change the consoles focus to NYC-DC1.WoodgroveBank.com and then click OK. Right-click WoodgroveBank.com, and then click Operations Masters. Transfer the infrastructure master role to NYC-DC2.WoodgroveBank.com. On NYC-DC2, open Active Directory Domains and Trusts. Access the Operations Master settings and transfer the domain naming operations master role to NYC-DC2.
1-36
Task 3: Add the Department attribute to the global catalog

1. 2. 3. On NYC-DC1, use the regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in. Create a new MMC and add the Active Directory Schema snap-in. In the Active Directory Schema, access the Department attribute and configure the attribute to replicate to the Global Catalog.
Task 4: Shut down all virtual machines and discard any changes
Result: At the end of this exercise, you will have configured a global catalog server and configure AD DS domain controller roles.
1-37
Module Review and Takeaways
Review Questions
1. You are deploying a domain controller in a branch office. The branch office does not have a highly secure server room so you are concerned about the security of the server. What two Windows Server 2008 features can you take advantage of to enhance the security of the domain controller deployment? You must create a new domain by installing a domain controller in your Active Directory infrastructure. You are reviewing the inventory list of available servers for this purpose. Which of the following computers could be used as a domain controller? A. Windows Server 2008 Web Edition, NTFS files system, 1 gigabyte (GB) free hard disk space, TCP/IP. B. Windows Server 2008 Enterprise Edition, NTFS files system, 500 megabyte (MB) free hard disk space, TCP/IP.
2.
1-38
C. Windows Server 2008 Server Core Enterprise Edition, NTFS files system, 1GB free hard disk space, TCP/IP. D. Windows Server 2008 Standard Edition, NTFS files system, 500 MB free hard disk space, TCP/IP. 3. You are deploying an RODC in branch office. You need to ensure that all users in the branch office can authenticate even if the WAN connection from the branch office is not available. Only the users who normally log on in the branch office should be able to do this? How would you configure the password replication policy? You need to install a domain controller by using the install from media option. What steps do you need to take to complete this process? Will you be deploying RODCs in your AD DS environment? Describe the deployment scenario. You are deploying a domain controller in a branch office. The office has a WAN connection to the main office that has very little available bandwidth and is not very reliable. Should you configure the branch office domain controller as a global catalog server?
4. 5. 6.
Considerations
Keep the following considerations in mind when you are implementing RODCs and managing domain controller roles: You can install the AD DS Server role on all Windows Server 2008 editions except Windows Server 2008 Web Server Edition. Consider installing a RODC on a Windows Server 2008 Server Core computer to provide additional security for your domain environment. To install AD DS on a Server Core computer, you must use an unattended installation. Plan the password replication policies carefully in your organization. If you enable credential caching for most of the accounts in your domain, you will increase the impact to your organization if the RODC is compromised. If you do not enable any credential caching, you increase the impact to the branch office location if the WAN link to the main office is not available.
1-39
In most cases, deploying a global catalog server in a site will improve the logon experience for users. However, deploying a global catalog in a remote office also increases the network utilized for replication. Operation master roles provide important services on a network but the services are not usually time critical. Most of the time, if a domain controller holding an operation master role fails, you do not immediately need to seize the role to another domain controller if the failed server can be repaired within a few hours.
Configuring Domain Name Service for Active Directory Domain Services
2-1
Module 2
Contents:
Lesson 1: Overview of Active Directory Domain Services and DNS Integration Lesson 2: Configuring Active Directory Integrated Zones Lesson 3: Configuring Read-Only DNS Zones Lab: Configuring AD DS and DNS Integration 2-3 2-11 2-19 2-23
2-2
Module Overview
Domain Name System (DNS) is an integral part of Active Directory for Windows Server 2008. By understanding the relationship between these applications, you can troubleshoot Active Directory and increase security, while providing clients with the full functionality of DNS.
2-3
Lesson 1:
Overview of Active Directory Domain Services and DNS Integration
Windows Server 2008 requires that a DNS infrastructure is in place before you install Active Directory. Understanding how DNS and Active Directory are integrated, and how client computers use DNS during logon, will help you resolve problems related to DNS, such as client logon issues.
2-4
Active Directory Domain Services and DNS Namespace Integration
Key Points
Domains and computers are represented by resource records in the DNS namespace and by Active Directory objects in the Active Directory namespace. All Active Directory domains must have corresponding DNS domains with identical domain names. Clients rely on DNS to resolve computer host names to IP addresses in order to locate domain controllers and other computers that provide Active Directory and other network services. Active Directory requires DNS, but not any particular type of DNS server. Therefore, there may be multiple DNS servers of different types. Question: What is the relationship between Active Directory domain names and DNS zone names?
2-5
Additional Reading:
Active Directory integration DNS integration
2-6
What Are Service Resource Locator Records?
Key Points
For Active Directory to function properly, client computers must be able to locate servers that provide specific services, such as authenticating logon requests and providing Telnet or Session Initiated Protocol (SIP) services. Active Directory clients and domain controllers use Service (SRV) resource records to determine the IP addresses of computers that provide those services. Also, Active Directory siteaware applications, such as Microsoft Exchange, use SRV resource records. Question: In the following example of two SRV resource records. Which record will be used by a client querying for an SIP service? _sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com. _sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.
2-7
Additional Reading
Managing resource records RFC 2782 - A DNS RR for specifying the location of services (DNS SRV)
2-8
Demonstration: SRV Resource Records Registered by AD DS Domain Controllers
Questions: What is the benefit of replicating the mscdcs zone to the entire forest? How could one SRV resource record be given preference over another?
2-9
How Service Resource Locator Records Are Used
Key Points
Domain client computers use the locator application programming interface (API) to locate a domain controller by querying DNS. If SRV resource records are not available to identify domain controllers, logons may fail. All computers -- including both workstations such as the Windows XP Professional operating system and Windows Vista operating system, and servers such as the Windows Server2003 operating systems and the Windows Server 2008 operating systems -- use the same process to locate domain controllers.
Additional Reading
How Domain Controllers Are Located in Windows XP Domain Controller Location Process
2-10
Integration of Service Locator Records and Active Directory Sites
Key Points
During a search for a domain controller, the Locator attempts to find a domain controller in the site closest to the client. The domain controller uses the information stored in Active Directory to determine the closest site. In most cases, the domain controller that first responds to the client will be in the same site as the client. But in cases where a computer has physically moved to a different site, or the domain controller in the local site is unavailable, there is a process to find a different domain controller. During Net Logon startup, the Net Logon service on each domain controller enumerates the site objects in the Configuration container. Net Logon uses the site information to build an in-memory structure that is used to map IP addresses to site names.
Additional Reading
Finding a Domain Controller in the Closest Site
2-11
Lesson 2:
Configuring Active Directory Integrated Zones
Integrating Active Directory and DNS zones can simplify DNS administration by replicating DNS zone information as part of the Active Directory replication. It also provides benefits like secure dynamic updates, and aging and scavenging of stale resource records.
2-12
What Are Active Directory Integrated Zones?
Key Points
One benefit of integrating DNS and Active Directory is the ability to integrate DNS zones into an Active Directory database. A zone is a portion of the domain namespace that has a logical grouping of resource records, which allows zone transfers of these records to operate as one unit.
Additional Reading
Active Directory integration
2-13
What Are Application Partitions in AD DS?
Key Points
Three major partitions contain Active Directory information: The schema partition, which replicates schema information to the entire forest The configuration partition, which replicates information about the physical structure to the entire forest The domain partition, which replicates domain information to all domain controllers in a given domain
Additional Reading
DNS zone replication in Active Directory
2-14
Options for Configuring Application Partitions for DNS
Key Points
You can change the scope of DNS replication anytime by using the DNS Microsoft Management Console (MMC) or the DNSCMD command-line tool. You have the following replication choices when using the DNS MMC: To all DNS servers in this forest To all DNS servers in this domain (this is the default storage location) To all domain controllers in this domain (this is the domain information partition) To all domain controllers hosting a particular application partition
Additional Reading
DNS zone replication in Active Directory
2-15
How Dynamic Updates Work
Key Points
Dynamic updates enable DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need to administer zone records manually, especially for clients that frequently move or change locations and that use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address.
Additional Reading
Dynamic update
2-16
How Secure Dynamic DNS Updates Work
Key Points
Secure dynamic updates work like dynamic updates, with the following exception: the authoritative name server accepts updates only from clients and servers that are authenticated and joined to the Active Directory domain in which the DNS server is located. As the slide shows, the client first attempts a non-secure update. If that attempt fails, the client then attempts to negotiate a secure update. If the client has been authenticated to Active Directory, the update will succeed. Question: What are the benefits of using Active Directory integrated DNS zones?
2-17
Demonstration: Configuring AD DS Integrated Zones
Questions: How could you prevent a computer from registering in the DNS database? What would be the implications of not allowing dynamic updates? When using secure dynamic updates, how can you control which clients are allowed to update DNS records?
2-18
How Background Zone Loading Works
Key Points
A DNS server running Windows Server 2008 loads zone data from Active Directory in the background while it restarts so that it can respond to data requests from other zones.
Additional Reading
DNS Server Role
2-19
Lesson 3:
Configuring Read-Only DNS Zones
You can provide additional security by configuring read-only DNS zones -- while clients still have the full functionality of the Active Directory name resolution -because only an administrator can change read-only DNS zones. Unauthorized personnel will not be able to alter records on the read-only domain controller (RODC).
2-20
What Are Read-Only DNS Zones?
Key Points
When installing a Windows Server 2008 RODC you are prompted with DNS Server installation options. The default option is to install a primary read-only form of DNS Server locally on the RODC, which replicates the existing AD-integrated zone for the domain specified and adds the local IP address as the preferred DNS server in the local TCP/IP settings. This ensures that the DNS server running on the RODC has a full read-only copy of any DNS zones.
Additional Reading
DNS Server Role
2-21
How Read-Only DNS Works
Key Points
When a computer becomes an RODC, it replicates a full read-only copy of all application directory partitions that DNS uses, including the domain partition, ForestDNSZones, and DomainDNSZones. This ensures that the DNS server running on the RODC has a full read-only copy of any DNS zones stored on a centrally located domain controller in those directory partitions. The administrator of an RODC can view the contents of a primary read-only zone. However, the administrator can change the contents only by changing the zone on a DNS server with a writable copy of the DNS database. Question: How does RODC increase security?
Additional Reading
DNS Server Role
2-22
Discussion: Comparing DNS Options for Branch Offices
Key Points
Answer the questions in a classroom discussion.
Additional Reading
How DNS Works
2-23
Lab: Configuring AD DS and DNS Integration
Scenario: Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has business relationships with two other entities, Fabrikam Inc. and Contoso Inc. Woodgrove Bank has acquired copies of the DNS zone files for these entities. All employees in the Woodgrove Bank forest need access to the DNS records for Contoso Inc. Only employees in the Woodgrove Bank domain need access to the DNS files for Fabrikam Inc. The branch office of Woodgrove Bank has a read-only domain controller. This domain controller will be configured to support the DNS server service and all forest-wide and domain-wide DNS zones. The enterprise administrator has created a design document for the DNS configuration. The design includes configuring AD DS integrated zones, configuring DNS dynamic updates, and configuring read-only DNS zones.
2-24
Exercise 1: Configuring Active Directory Integrated Zones

In this exercise, you will configure the DNS zones for the Woodgrove Bank environment to meet the design requirements. You will verify the SRV resource records that each domain controller has registered and create a new SRV resource record to support the Telnet protocol. You also will modify DNS zones to examine the difference between Active Directory integrated zones and standard zones, and will configure dynamic updates and the scope of replication. You then will use the ADSI Edit management console to view the DNS records stored in the domain partition. The main tasks are as follows: 1. 2. 3. 4. 5. 6. 7. Start the domain controller and log on as Administrator. Examine the SRV resource records. Create a new SRV resource record to support the Telnet protocol on NYCSRV2. Create two new zones based on the zone files for Fabrikam and Contoso. Configure the two new zones to be Active Directory integrated, and ensure that no dynamic updates are allowed. Configure the scope of replication for the Contoso zone to be forest wide and the Fabrikam zone to be domain wide. Use ADSI Edit.exe to view the Active Directory integrated DNS zones.
Task 1: Start NYC-DC1 and log on as Administrator

Start NYC-DC1 and log on as Administrator with a password of Pa$$w0rd
Task 2: Examine the SRV resource records

1. 2. 3. 4. 5. Open the DNS management console, expand the Forward Lookup Zones and then click on _msdsc.woodgrovebank.com. Expand the GC>_TCP folder. Expand the DC>_TCP folder. Open the Properties of the _msdsc.woodgrovebank.com. Close the Properties page.
2-25
Task 3: Create a new SRV resource record to support the Telnet protocol on NYC-SRV2
1. 2. 3. 4. 5. Right click the _msdsc.woodgrovebank.com zone and then click Other New Records Select the Service Location (SRV) record type and then click Create Record. In the Service field, select _telnet from the drop-down list. In the Host offering this service field, type NYC-SRV2.woodgrovebank.com and then click OK. Click Done.
Task 4: Create two new zones based on the zone files for Fabrikam and Contoso
1. Use Windows Explorer to copy the Contoso.com.dns and the Fabrikam.com.dns files from D:\6425\Mod02\Labfiles to C:\Windows\System32\DNS. Leave Windows Explorer open. Use the DNS management console to create a new primary standard zone named Contoso.com using the existing file Contoso.com.dns. Create a new primary standard zone named Fabrikam.com using the existing file Fabrikam.com.dns
2. 3.
Task 5: Configure the Contoso and Fabrikam zones to be active directory integrated and ensure that no dynamic updates are allowed
1. 2. 3. 4. 5. Open the property page for Contoso.com. Change the zone type to be stored in Active Directory. Return to Windows Explorer. Notice the Contoso.com.dns zone file is no longer in the DNS folder. It is now stored in Active Directory. Return to the property page for the Woodgrovebank.com zone. Set Dynamic updates to be None. Repeat steps 1-4 for the Fabrikam.com zone.
2-26
Task 6: Configure the scope of replication for the Contoso zone to be forest wide and the Fabrikam zone to be domain wide
1, 2. 3. 4. Open the property page for Contoso.com Change the replication scope to be To all DNS servers in this forest. Open the property page for Fabrikam.com. Ensure the scope of replication for the Fabrikam zone is To all DNS servers in this domain.
Task 7 - Use ADSI Edit.exe to view the Active Directory integrated DNS zones
1, 2. 3. 4. 5. 6. 7. From the Run command, launch the adsiedit.msc. Right click ADSI Edit and click Connect to In the Connection Point section, choose Select or type a Distinguished Name or Naming Context. Type DC=DomainDNSZones,DC=WoodgroveBank,DC=Com and then click OK. Expand the naming context and then expand CN=MicrosoftDNS and then click DC=Woodgrovebank.com and examine the records. Double click the record for NYC-DC1. When was the record created? Close all property pages and close the ADSI management console.
Result: At the end of this exercise, you will have created Active Directory integrated DNS zones.
2-27
Exercise 2: Configuring Read-Only DNS Zones

In this lab, you will configure a read-only DNS zone on an RODC, and you will test dynamic updates and administrative updates. The main tasks are to configure a read-only DNS zone on the RODC to support Fabrikam. The main tasks are as follow: 1. 2. 3. 4. Start and log on to MIA-RODC as Administrator. Install the DNS Server service. Configure the DNS server to support all domain-wide and forest-wide zones. Shut down all virtual machines, and discard any changes.
Task 1: Start and log on to the MIA-RODC

Start and log on to the read-only domain controller as Administrator with a password of Pa$$w0rd.
Task 2: Install the DNS Server service

Use the Start /w Ocsetup DNS-Server-Core-Role to install the DNS server role.
2-28
Task 3: Configure the DNS server to support all domain-wide and forest-wide zones.
1. 2. 3. 4. From the Command Prompt, type the following command: Dnscmd /enlistdirectorypartition DomainDnsZones.woodgrovebank.com Then type the following command. Dnscmd /enlistdirectorypartition ForestDnsZones.woodgrovebank.com Switch to NYC-DC1 and open the DNS management console. Add the MIA-RODC computer to the DNS console and ensure that all DNS zones appear.
Task 4: Shut down all virtual machines, and discard changes
Result: At the end of this exercise, you will have configured the DNS server to support all domain-wide and forest-wide zones.
2-29
Review Questions
1. 2. 3. How does a client computer determine what site it is in? List at least three benefits of Active Directory integrated zones. In the following example of two SRV resource records. Which record will be used by a client querying for an SIP service? 4. 5. 6. 7. 8. _sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com. _sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.
What permissions are required to create DNS application directory partitions? What utilities are available to create application partitions? What is the default state of dynamic updates for an Active Directory integrated zone? What is the default state of dynamic updates for a standard primary zone? What groups have permission to perform secure dynamic updates?
2-30
Considerations
When configuring AD DS and DNS integration, keep the following considerations in mind: Because of the dependency Windows Server 2008 and Active Directory clients have on DNS, the first step in troubleshooting Active Directory issues often is to troubleshoot DNS. Service locator records are critical to Active Directory functioning properly. Service locator records need to be highly available. Windows Server 2008 can operate with any compatible DNS server, but Active Directory integrated zones provide additional features and security. Active Directory integrated zones can be replicated to domain wide or forest wide, or to specific domain controllers via custom application partitions. Internal DNS records should be kept separate from public DNS records. Dynamic updates lighten the administrative overhead of maintaining the DNS zone database. Dynamic updates can be limited to Authenticated Users. Background zone loading will reduce the time for DNS servers to become available after a restart. You can use read-only DNS in conjunction with read-only domain controllers to provide security while still providing required client functionality.
Configuring Active Directory Objects and Trusts
3-1
Module 3
Contents:
Lesson 1: Configuring Active Directory Objects Lesson 2: Strategies for Using Groups Lesson 3: Automating AD DS Object Management Lab A: Configuring Active Directory Objects Lesson 4: Delegating Administrative Access to AD DS Objects Lesson 5: Configuring AD DS Trusts Lab B: Configuring Active Directory Delegation 3-3 3-14 3-20 3-28 3-42 3-50 3-59
3-2
Course 6425A: Configuring Windows Server 2008 Active Directory Domain Services
Module Overview
After the initial deployment of Active Directory Domain Services (AD DS), the most common tasks for an AD DS administrator are configuring and managing AD DS objects. In most organizations, each employee is issued a user account, which is added to one or more groups in Active Directory. The user and group accounts enable access to Windows Server-based network resources such as Web sites, mailboxes, and shared folders. This module describes how to perform many of these administrative tasks and the options for delegating or automating these tasks. This module also describes how to configure and manage Active Directory trusts.
3-3
Lesson 1:
Configuring Active Directory Objects
One of your primary tasks as a Windows Server 2008 administrator is to manage AD DS objects. In most organizations, the AD DS administrators are the only people with appropriate permissions to create and modify these objects. This lesson provides an overview of the objects that you can create in AD DS, and describes how to create and configure these objects.
3-4
Types of AD DS Objects
Key Points
You can create several different types of objects in Active Directory Additional reading
Additional Reading
Active Directory Users and Computers Help
3-5
Demonstration: Configuring AD DS User Accounts
Questions: How would you create several user objects with the same settings for attributes such as department and office location? Under what circumstances would you disable a user account rather than delete the user account?
3-6
AD DS Group Types
Key Points
AD DS supports two group types.
Additional Reading
3-7
AD DS Group Scopes
Key Points
Windows Server 2003 supports the group scopes shown on the slide.
Additional Reading
Active Directory Users and Computers Help: Managing Groups
3-8
Default AD DS Groups
Key Points
Windows Server 2008 provides many built-in groups, which are created automatically when you install an Active Directory domain. You can use built-in groups to manage access to shared resources and to delegate specific Active Directory administrative roles. For example, you could put the user account of an AD DS administrator into the Account Operators group to allow the administrator to create user accounts and groups.
Additional Reading
Microsoft Technet Default Groups Active Directory Domain Services Technical Reference
3-9
AD DS Special Identities
Key Points
Servers running Windows Server 2008 include several special identities in addition to the groups in the Users and Built-in containers. These identities generally are referred to as special groups or special identities.
Additional Reading
Microsoft Technet article: Special identities of ADM (Administrative Template) Files in Windows
3-10
Discussion: Using Default Groups and Special Identities
Scenario
Woodgrove Bank has more than 100 servers worldwide. You must determine whether you can use default groups or whether you must create groups, and then assign specific user rights or permissions to the groups to perform the following Administrative tasks. You must assign default groups, special identities, or create new groups for the following tasks. List the name of the default group that has the most restrictive user rights for performing the following actions, or determine whether you must create a new group: 1. 2. 3. 4. Backing up and restoring domain controllers Backing up, but not restoring, files on member servers Creating groups in the Sales organizational unit Granting access to a shared folder to which all Woodgrove Employees need access
3-11
5. 6. 7. 8. 9.
Granting administrative permissions to the user currently logged on to a client computer without granting access to any other computers Granting help-desk employees with access to control the desktop remotely Providing administrative access to all computers in the entire domain Providing access to a shared folder named Data on a server named Den-SRV1 Managing the print queue of a specific print servers printer
10. Configuring network settings on a member server
3-12
Demonstration: Configuring AD DS Group Accounts
Questions: What options are available for changing an AD DS groups scope and type? What are the benefits of assigning group managers? Is this a setting that you would configure in your organization?
Additional Reading
Active Directory Users and Computers Help: Managing Groups
3-13
Demonstration: Configuring Additional AD DS Objects
Questions: What are the reasons why you would create organizational units? What are the benefits and limitations of using printer objects and shared folder objects in AD DS?
Additional Reading
3-14
Lesson 2:
Strategies for Using Groups
AD DS groups are used to simplify AD DS management when assigning access to resources. Rather than assigning access to resources by using user accounts, it is much more efficient to add the users to groups and then assign access to the groups. However, because of the variety of group options and AD DS deployment options, you can use several different strategies when configuring groups.
3-15
Options for Assigning Access to Resources
Key Points
One of the primary reasons for creating users and groups in AD DS is so that users can gain access to shared resources, such as shared folders, printers, Windows SharePoint Services sites, or applications.
Additional Reading
Microsoft Technet article: Selecting a Resource Authorization Method
3-16
Using Account Groups to Assign Access to Resources
Key Points
When you use just account groups to assign access to resources, you add all user accounts to the groups, and then assign the group a set of access permissions. For example, an administrator can put all accounting user accounts into a global group called GG-All Accountants and assign this group with permissions to a shared resource. In a single domain environment, you can use domain local groups, global groups, or universal groups to assign access to resources.
Additional Reading
Microsoft Technet article: AG/ACL Method
3-17
Using Account Groups and Resource Groups
Key Points
When you use account groups and resource groups, you add users with similar access requirements into account groups, and then add the account groups as members to a resource group to which you granted specific resource-access permissions. This strategy provides the most flexibility while reducing the complexity of assigning access permissions to the network. This method is used most commonly by large organizations for controlling access to resources.
Additional Reading
Microsoft Technet article: AG/RG Method
3-18
Discussion: Using Groups in a Single-Domain or MultipleDomain Environment
Read the scenarios, and create a plan for configuring groups and assigning access to resources in each scenario.
Example 1
Contoso, Ltd., has a single domain that is located in Paris, France. Contoso, Ltd., managers need access to the Inventory database to perform their jobs. Question: What do you do to ensure that the managers have access to the Inventory database?
3-19
Example 2
Contoso, Ltd. has determined that all Accounting division personnel must have full access to the accounting data. Also, Contoso, Ltd., executives must be able to view the data. Contoso, Ltd. wants to create the group structure for the entire Accounting division, which also includes the Accounts Payable and Accounts Receivable departments.
Question: What do you do to ensure that the managers have the required access and that there is a minimum of administration?
Example 3
Contoso, Ltd., has expanded to include operations in South America and Asia, and now contains three domains: the Contoso.com domain, the Asia.contoso.com domain, and the SA.contoso.com domain. You need to grant all IT managers, across all domains, access to the Admin_tools shared folder in the Contoso domain. You also need to grant the IT managers access to other resources in the future. Question: How can you achieve the desired result with the least amount of administrative effort?
3-20
Lesson 3:
Automating AD DS Object Management
In most cases, you are likely to create and configure AD DS objects on an individual basis. However, in some cases, you may need to create or modify the configuration for many objects simultaneously. For example, if your organization hires a large group of new employees, you may want to automate the new-accounts configuration process. If your organization moves to a new location, you may want to automate the task of assigning new addresses and phone numbers to all users. This lesson describes how to manage multiple AD DS objects.
3-21
Tools for Automating AD DS Object Management
Key Points
Windows Server 2008 provides a number of tools that you can use to create or modify multiple user accounts automatically in Active Directory. Some of these tools require that you use a text file that contains information about the user accounts that you want to create. You also can create Windows PowerShell scripts to add objects or make changes to objects in Active Directory.
3-22
Configuring AD DS Objects Using Command-Line Tools
Key Points
Use these command-line tools to configure AD DS objects.
3-23
Managing User Objects with LDIFDE
Key Points
You can use the Ldifde command-line tool to create and make changes to multiple accounts. When you use the Ldifde tool, you will use a line-separated text file to provide the commands input information.
Additional Reading
Microsoft Technet article: LDIFDE
3-24
Managing User Objects with CSVDE
Key Points
You can use the Csvde command-line tool to create multiple accounts in Active Directory. You only can use the Csvde tool to create accounts, not to change them.
Additional Reading
Microsoft Technet article: CSVDE
3-25
What Is Windows Powershell?
Key Points
Windows PowerShell is an extensible scripting and command-line technology that developers and administrators can use to automate tasks in a Windows environment. Windows PowerShell uses a set of small commands that each perform a specific task, but you also can combine multiple commands to perform complex administrative tasks.
Additional Reading
Microsoft Support: Windows PowerShell 1.0 Documentation Pack
3-26
Windows Powershell Cmdlets
Key Points
Windows Powershell is easy to learn because the use of Cmdlets. Pipelining is consistent across all Cmdlets.
Additional Reading
Windows PowerShell 1.0 Documentation Pack
3-27
Demonstration: Configuring Active Directory Objects Using Windows Powershell
Questions: What are the advantages and disadvantages of modifying Active Directory objects by using Windows Powershell scripts? How can you address the disadvantages?
Additional Reading
Windows PowerShell Blog Microsoft Technet article: Scripting with Windows PowerShell
3-28
Lab A: Configuring Active Directory Objects
Scenario: Woodgrove Bank has several requirements for managing AD DS objects. The organization frequently hires interns who must have limited permissions and whose accounts must be set to expire automatically when the internship is complete. User accounts also must be configured with a standard configuration that includes settings such as user profile settings and mapped drives for home folders. The organization also requires AD DS groups that will be used to assign permissions to a variety of network resources. As much as possible, the organization would like to automate the user and group management tasks.
3-29
Exercise 1: Delegating Control of AD DS Objects

In this exercise, you will install the AD DS management tools on a Windows Vista computer. Then you will use these tools to configure several AD DS objects based on a information that the HR department provides. These tasks include creating new user accounts and modifying existing user accounts. The HR department has requested the following changes in AD DS: Create new user accounts for Kerim Hanif and Jun Cao. Both user accounts should be created in the ITAdmins OU. Modify the user account for Dana Birkby.
The main tasks are as follows: 1. 2. 3. 4. 5. 6. Start the 6425A-NYC-DC1 virtual machine and log on as Administrator. Start the 6425A-NYC-CL1 virtual machine and log on as Administrator. Install the Windows Server 2008 management tools on the NYC-CL1 computer. Create new user accounts. Modify existing user accounts. Shut down 6425A-LON-DC1 and delete all changes.
Task 1: Start the 6425A-NYC-DC1 virtual machine and log on as Administrator

Start 6425A-NYC-DC1 and then log on as Administrator using the password Pa$$w0rd.
Task 2: Start the 6425A-NYC-CL1 virtual machine and then log on as Administrator
Start 6425A-NYC-CL1 and then log on as Administrator using the password Pa$$w0rd.
3-30
Task 3: Install the Windows Server 2008 management tools on the NYC-CL1 computer
Follow the steps in the Windows Server 2008 management tools installation guide
Task 4: Create new user accounts

1.
On NYC-DC1, open Active Directory Users and Computers. In the ITAdmins OU, create a new user with the following parameters: First name: Kerim Last name: Hanif Full name: Kerim Hanif User logon name: Kerim Password: Pa$$w0rd Clear the User must change password at next logon check box
2.
3.
On NYC-DC1, use the Dsadd command-line tool to create a new user account for Jun Cao. The syntax for the Dsadd command is: dsadd user "cn=username,ou=ouname,dc=domainname,dc=com" -samid logonname -pwd password desc description
3-31
Task 5: Modify existing user accounts

1. 2. 3. 4. On NYC-DC1, create a new folder on the D drive named HomeDirs. Share the folder and configure Domain Users with Contributor permissions. In the HomeDirs folder, create a new folder named Marketing. In Active Directory Users and Computers, locate Dana Birkbys account and modify the user properties as follows: Verify that Shay cannot create a user in the ITAdmins OU. a. On the General tab, set: b. c. Telephone number: 555-555-0100 Office: Head Office E-mail: Dana@WoodgroveBank.com
On the Dial-in tab, set: Network Access Permission: Allow access
On the Account tab, set: Logon Hours: Configure logon hours to be permitted between 8:00 A.M. and 5:00 P.M, and then click OK.
d. On the Profile tab, set: Home folder: Map H drive to:
\\NYC-DC1\HomeDirs\Marketing\%username% 5. 6. In Windows Explorer, browse to D:\HomeDirs\Marketing. Ensure that a folder named Dana was created in the folder. On NYC-CL1, log off and then log on as Dana using a password of Pa$$w0rd. Confirm that the H: drive has been mapped correctly and that Dana has permission to create files in her home folder.
Result: At the end of this exercise, you will have delegated the administrative tasks for the Toronto office.
3-32
Exercise 2: Implementing an AD DS Group Strategy

In this exercise, you will review the requirements for creating groups at Woodgrove Bank. You then will create the required groups and configure group nesting. The main tasks are as follows: 1. 2. 3. 4. 5. Log on to the 6425A-LON-DC1 virtual machine. Review the group requirements documentation and create a group implementation strategy. Discuss the group implementation strategy. Create groups required by the group implementation strategy. Nest groups required by the group implementation strategy.
Task 1: Start the 6425A-LON-DC1 virtual machine and logon as Administrator

Start 6425A-LON-DC1 and log on as Administrator using the password Pa$$w0rd.
3-33
Task 2: Review the group requirements documentation and create a group implementation strategy
Woodgrove Bank needs to configure access to shared folders for the organizations executives. The organization has implemented a shared folder on NYC-DC1 named ExecData. The following table lists the folders in the ExecData folder and their purposes:
Folder ExecData Contents \HeadOffice \Branch \Corp ExecData\HeadOfficeReports Contains confidential information related to head office operations and personnel. Executives in the head office and the NYC branch offices should be able to read and write information from this folder. Contains confidential information related to branch office operations and personnel. A separate folder has been created for each branch office. Executives from the head office should have read access to all of the branch office folders. Branch office managers should have full access only to their branchs folder. Contains information that relates to Woodgrove Bank operations. All executives and branch office managers should have full control of this folders files.
ExecData\BranchReports
ExecData\Corp
The Woodgrove Bank executive team is distributed as follows: Executives may be based in any location. Executives are based in North America, Europe, and Asia. Each branch has one or more branch managers. Branches are located in Miami, New York, Toronto, London, and Tokyo.
3-34
The AD DS planning group has established the following naming scheme for AD DS groups: Three-character location code: NYC, TOR, MIA, LON, and TOK For groups that contain accounts from multiple domains, use the location code WGB For groups that do not have a specific location, include the domain name in the group name For account groups, use the department name: BranchManagers, Executives This is followed by the group type: GG, UG For resource groups, use the resource name: EX_HOReports, EX_LON_BranchReports, EX_Corp. This is followed by the level of access FC, RO. Determine which global groups you need to create: Determine the logical groupings of the organizations users. Do not be concerned with the permissions that users require, just the groups of users. Document a group name for each group of users. Record your decisions in the Global Group Planning table below.
1.
2.
Determine which local groups you need to create: Determine which permissions are required on each resource. Do not be concerned with who requires the permission, just the permission itself. Document a group name for each type of permission. Record your decisions on the Local Group Planning table below
3. 4.
Determine which groups you need to nest. Document the group nesting configuration in the Group Nesting Planning table below. Determine how you would configure share level permissions for ExecData folder.
3-35
Global Group Planning Table

Organizational Group Group Name
Local Group Planning Table

Resource ExecData\HeadOfficeReports ExecData\BranchReports\NYC ExecData\BranchReports\Toronto ExecData\BranchReports\Miami ExecData\BranchReports\London ExecData\BranchReports\Tokyo ExecData\Corp Access Requirement Group Names
3-36
Group Nesting Planning Table

Domain local group name Nested groups
Task 3:Discuss the group implementation strategy Task 4: Create groups required by the group implementation strategy
Note: To simplify the implementation process, some of the required groups may already have been created. In addition, you configure the required groups for only the WoodgroveBank.com and the EMEA.WoodgroveBank.com.
1. 2. 3. 4.
On NYC-DC1, in Active Directory Users and Computers, verify that all of the global groups required to assign permission have been created. On LON-DC1, in Active Directory Users and Computers, verify that all of the global groups required to assign permission have been created. On NYC-DC1, create the required universal groups based on the group implementation strategy. Create the universal groups in the Executives OU. Create the required domain local groups based on the group implementation strategy.
3-37
Task: Nest groups required by the group implementation strategy

On NYC-DC1, nest the groups required to meet the group implementation strategy.
Task 6: Shut down 6425A-LON-DC1 and delete all changes

In the Virtual Server Administration Web site, shut down 6425A-LON-DC1 and discard the undo disk.
Result: At the end of this exercise, you will have implemented a group implementation strategy.
3-38
Exercise 3: Automating the Management of AD DS Objects

In this exercise, you will use the Windows Server 2008 tools to automate the AD DS object management tasks. These tools include CSVDE to create new user accounts, LDIFDE to modify existing user accounts, and Windows Powershell to create and configure user accounts. You will modify files or scripts that the enterprise administrator provides to perform the bulk administration tasks. Woodgrove Bank is opening a new Houston branch. The HR department has provided you with a file that includes all of the new users that are being hired for the Houston location. You need to import the user accounts into Active Directory. You also need to activate and assign passwords to all of the accounts. You also need to modify the user properties for the Houston users by updating the city information. Woodgrove Bank also is planning on starting a Research and Development department in the NYC location. You need to create a new OU for the research and development (R&D) department in the Woodgrove Bank domain, and import and configure new user accounts into AD DS. The main tasks are as follows: 1. 2. 3. 4. Modify and use the Importusers.csv file to import a group of users into AD DS. Modify and run the ActivateUser.vbs script to enable the imported user accounts and assign a password to each account. Modify and use the Modifyusers.ldf file to prepare for modifying the properties for a group of users into AD DS. Modify and run the CreateUsers.ps1 script to add new users to AD DS.
3-39
Task 1: Modify and use the Importusers.csv file to import a
group of users into AD DS

1. On NYC-DC1, browse to D:\Mod03\6425\Labfiles and open ImportUsers.csv with Notepad. Examine the header information required to create OUs and user accounts. Copy and paste the contents of the Users.txt file into the ImportUsers.csv file, starting with the second line. Save the file as C:\import.csv. At the command prompt, type CSVDE I F C:\import.csv and then press ENTER. In Active Directory Users and Computers, verify that the Houston OU and five child OUs were created, and that several user accounts were created in each OU.
2. 3. 4.
Task 2: Modify and run the ActivateUser.vbs script to enable
the imported user accounts and assign a password to each account

1. 2. 3. On NYC-DC1, in D:\Mod03\6425\Labfiles, edit Activateusers.vbs. Modify the container value in the second line to: OU=BranchManagers,OU=Houston DC=WoodgroveBank,DC=com. Modify the container values in the additional lines at the end of the script to include the following OUs, and then save the file: 4. 5. OU=CustomerService,OU=Houston,DC=WoodgroveBank,DC=com OU=Executives,OU=Houston,DC=WoodgroveBank,DC=com OU=Investments,OU=Houston,DC=WoodgroveBank,DC=com OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com
Double-click Activateusers.vbs. In Active Directory Users and Computers, browse to the Houston OU. Confirm that user accounts in all child OUs are activated.
3-40
Task 3: Modify and use the Modifyusers.ldf file to prepare to
modify the properties for a group of users into AD DS

1. On NYC-DC1, export all of the user accounts in the Houston child OUs by using the LDIFDE f c:\ Modifyusers.ldf d "OU=Houston,DC=WoodgroveBank,DC=com" r "objectClass=user" l physicalDeliveryOfficeName command. Edit the C:\Modifyusers.ldf file. On the Edit menu, use the Replace option to replace all instances of changetype: add with changetype: modify. After each changetype line, add the following lines: replace: physicalDeliveryOfficeName physicalDeliveryOfficeName: Houston At the end of the entry for each user, add a dash () followed by a blank line. Save the file as C:\ldifimport.ldf. At the command prompt, type ldifde I f c:\ldifimport.ldf and then press ENTER. In Active Directory Users and Computers, verify that the Office attribute for the user accounts in Houston has been updated with the Houston location.
2. 3. 4.
5. 6. 7. 8.
3-41
Task 4: Modify and run the CreateMultipleUsers.ps1 script to
add new users to AD DS

1. 2. 3. 4. 5. On NYC-DC1, in D:\6425\Labfiles\Mod03, edit CreateMultipleUsers.ps1. In two places, change ADOUName to R&D. Change Path to CSV file to C:\6425 \Mod03\Labfiles \Createusers.csv. Save the changes to the file. Start Windows PowerShell, and at the PS prompt, type C:\6425\Labfiles\Mod03\Createusers.ps1 and press ENTER. In Active Directory Users and Computers, verify that the R&D OU was created and that the OU has been populated with user accounts that have the correct attributes.
Result: At the end of this exercise, you will have examined several options for automating the management of user objects.
3-42
Lesson 4:
Delegating Administrative Access to AD DS Objects
Many of the AD DS administration tasks are quite easy to perform, but can be quite repetitive. One of the options available in Windows Server 2008 AD DS is to delegate some of those administrative tasks to other administrators or users. By delegating control, you can enable these users to perform specific AD DS management tasks without granting them more permissions than they need.
3-43
Active Directory Object Permissions
Key Points
Active Directory object permissions secure resources by enabling you to control which administrators or users can access individual objects or object attributes, and the type of access they have. You use permissions to assign administrative privileges for an organizational unit or a hierarchy of organizational units to manage Active Directory objects. Questions: What are the risks with using special permissions to assign AD DS permissions? What would permissions would a user have on an object if you granted them full control permission, and denied the user write access?
3-44
Additional Reading
Microsoft Technet article: Access control in Active Directory Microsoft Technet article: Assign, change, or remove permissions on Active Directory objects or attributes
3-45
Demonstration: Active Directory Domain Services Object Permission Inheritance
Questions: What would happen to an objects permissions if you moved the object from one OU to another if the OUs had different permissions applied? What would happen if you removed all permissions from an OU when you blocked inheritance and did not assign any new permissions?
Additional Reading
Microsoft Technet article: Assign, change, or remove permissions on Active Directory objects or attributes
3-46
What Are Effective Permissions?
Key Points
You can use the Effective Permissions tool to determine the permissions for an Active Directory object. This tool calculates the permissions that are granted to the specified user or group, and takes into account the permissions that are in effect from group memberships and any permissions inherited from parent objects.
Additional Reading
Microsoft Technet article: Effective Permissions tool
3-47
What Is Delegation of Control?
Key Points
Delegation of control is the ability to assign management responsibility of Active Directory objects to another user or group. Delegated administration helps to ease the administrative burden of managing your network by distributing routine administrative tasks to multiple users. With delegated administration, you can assign basic administrative tasks to regular users or groups. For example, you could give supervisors the right to modify group memberships in their department. By delegating administration, you give groups in your organization more control of their local network resources. You also help secure your network from accidental or malicious damage by limiting the membership of administrator groups
3-48
Discussion: Scenarios for Delegating Control
Answer the questions on the slide as a class.
3-49
Demonstration: Configuring Delegation of Control
3-50
Lesson 5:
Configuring AD DS Trusts
Many organizations that deploy AD DS will deploy only one domain. However, larger organizations, or organizations that need to enable access to resources in other organizations or business units, may deploy several domains, in the same AD DS forest or a separate forest. For users to access resources between the domains, you must configure the domains or forests with trusts. This lesson describes how to configure and manage trusts in an AD DS environment.
3-51
What Are AD DS Trusts?
Key Points
Trusts allow security principals to traverse their credentials from one domain to another, and are necessary to allow resource access between domains. When you configure a trust between domains, a user can be authenticated in their domain and their security credentials then can be used to access resources in a different domain.
3-52
AD DS Trust Options
Key Points
The table on the slide describes the trusts options supported by Windows Server 2008. Questions: If you were going to configure a trust between a Windows Server 2008 domain and a Windows NT 4.0 domain, what type of trust would you need to configure? If you need to share resources between domains, but do not want to configure a trust, how could provide access to the shared resources? A user located in a different domain in your forest needs permission to create GPOs in your domain. What is the best way to accomplish this?
Additional Reading
Active Directory Domains and Trusts Help: Managing Trusts
3-53
How Trusts Work Within a Forest
Key Points
When you set up trusts between domains within the same forest, across forests, or with an external realm, information about these trusts is stored in Active Directory so you can retrieve it when necessary. A trusted domain object (TDO) stores this information. The TDO stores information about the trust, such as the trust transitivity and type. Whenever you create a trust, a new TDO is created and stored in the System container in the trusts domain.
Additional Reading
Active Directory Domains and Trusts Help: Managing Trusts
3-54
How Trusts Work Between Forests
Key Points
Windows Server 2008 supports cross-forest trusts, which allow users in one forest to access resources in another forest. When a user attempts to access a resource in a trusted forest, Active Directory must first locate the resource. After the resource is located, the user can be authenticated and allowed to access the resource.
Additional Reading
Microsoft Technet article: How Domains and Forests Work
3-55
Demonstration: Configuring Trusts
Questions: What is the difference between a shortcut trust and an external trust? When you set up a forest trust, what information will need to be available in DNS in order for the forest trust to work?
Additional Reading
Active Directory Domains and Trusts Help: Create a shortcut trust, Create an external trust, Create a forest trust
3-56
What Are User Principal Names?
Key Points
A user principal name is a logon name that is used only to log on to a Windows Server 2008 network. There are two parts to a user principal name, which are separated by the @ signfor example, suzan@WoodgroveBank.com: The user principal name prefix, which in this example is suzan. The user principal name suffix, which in this example is WoodgroveBank.com. By default, the suffix is the name of the domain in which the user account was created. You can use the other domains in the network, or additional suffixes that you created, to configure other suffixes for users. For example, you may want to configure a suffix to create user logon names that match users e-mail addresses.
Additional Reading
Microsoft Technet article: Active Directory naming
3-57
What Are the Selective Authentication Settings?
Key Points
Another option for restricting authentication across trusts in a Windows Server 2008 forest is selective authentication. With selective authentication, you can restrict which computers in your forest that another forests users can access.
Additional Reading
Microsoft Technet article: Enable selective authentication over a forest trust Microsoft Technet article: Grant the Allowed to Authenticate permission on computers in the trusting domain or forest
3-58
Demonstration: Configuring Advanced Trust Settings
Key Points
Another option for restricting authentication across trusts in a Windows Server 2008 forest is selective authentication. With selective authentication, you can restrict which computers in your forest users in another forest can access. Questions: What would happen if you configured a new UPN suffix in a forest after a trust had been configured with another forest that had the same UPN suffix? In what situations would you implement selective authentication?
Additional Reading
Microsoft Technet article: Enable selective authentication over a forest trust Microsoft Technet article: Grant the Allowed to Authenticate permission on computers in the trusting domain or forest
3-59
Lab B: Configuring Active Directory Delegation
Scenario: To optimize the use of AD DS administrator time, Woodgrove Bank would like to delegate some administrative tasks to junior administrators. These administrators will be granted access to manage user and group accounts in different OUs. Woodgrove Bank also has established a partner relationship with Fabrikam Ltd. Some users in each organization must be able to access resources in the other organization. However, the access between organizations must be limited to as few users and as few servers as possible.
3-60
Exercise 1: Delegating Control of AD DS Objects

In this exercise, you will delegate control of AD DS objects for other administrators. You also will test the delegate permissions to ensure that administrators can perform the required actions, but cannot perform other actions. Woodgrove Bank has decided to delegate administrative tasks for the Toronto office. In this office, the branch managers must be able to create and manage user and group accounts. The customer service personnel must be able to reset user passwords and configure some user information, such as phone numbers and addresses. The main tasks are as follows: 1. 2. 3. 4.
Assign full control of users and groups in the Toronto OU.
Assign rights to reset passwords and configure private user information in the Toronto OU. Verify the effective permissions assigned for the Toronto OU. Test the delegated permissions for the Toronto OU.
Task 1: Assign full control of users and groups in the Toronto OU

1. 2. On NYC-DC1, run the Delegation of Control Wizard on the Toronto OU. Assign the right to Create, delete and manage user accounts and the Create, delete and manage groups to the Tor_BranchManagersGG.
Task 2: Assign rights to reset passwords and configure private
user information in the Toronto OU

1. 2. 3. 4. On NYC-DC1, run the Delegation of Control Wizard on the Toronto OU. Assign the right to Reset user passwords and force password change at next logon to the Tor_CustomerServiceGG group. Run the Delegation of Control Wizard again. Chose the option to create a custom task. Assign the Tor_CustomerServiceGG group permission to change personal information only for user accounts.
3-61
Task 3: Verify the effective permissions assigned for the
Toronto OU
1.
In Active Directory Users and Computers, enable viewing of Advanced Features. Access the Advanced Security Settings for the Toronto OU. Check the effective permissions for Shay Bashay. Shay is a member of the Tor_BranchManagersGG group. Verify that Shay has permissions to create and delete user and group accounts. Access the advanced security settings for Berend Otten, located in the CustomerService OU in the Toronto OU. Verify that Berend has permissions to create and delete user and group accounts. Tor_CustomerServiceGG group. Verify that Helge has permissions to reset passwords and permission to write personal attributes.
2. 3.
4.
5. Check the effective permissions for Helge Hoening. Helge is a member of the
Task 4: Enable Domain Users to log on to domain controllers

Note: This step is included in the lab to enable you to test the delegated permissions. As a best practice, you should install the administration tools on a Windows workstation rather than enable Domain Users to log on to domain controllers.
1. 2. 3. 4. 5.
On NYC-DC1, start Group Policy Management and edit the Default Domain Controllers Policy. In the Group Policy Management Editor window, access the User Rights Assignment folder. Double-click Allow log on locally. In the Allow log on locally Properties dialog box, click Add User or Group. Grant the Domain Users group the log on locally right. Open a command prompt, and type GPUpdate /force and press ENTER.
3-62
Task 5: Test the delegated permissions for the Toronto OU

1. 2. 3. 4. 5. 6. 7. Log on to NYC-DC1 as Shay with the password of Pa$$w0rd. Start Active Directory Users and Computers, and verify that Shay can create a new user in the Toronto organizational unit. Verify that Shay can create a new group in the Toronto OU. Verify that Shay cannot create a user in the ITAdmins OU. Log off NYC-DC1 and log on as Helge with a password of Pa$$w0rd. In Active Directory Users and Computers, verify that Helge does not have permissions to create any new objects in the Toronto OU. Verify that Helge can reset user passwords and configure user properties, such as the office and telephone number.
Result: At the end of this exercise, you will have delegated the administrative tasks for the Toronto office.
3-63
Exercise 2: Configuring AD DS Trusts

In this exercise, you will configure trusts based on trust-configuration design that the enterprise administrator provides. You also will test the trust configuration to ensure that the trusts are configured correctly. Woodgrove Bank has initiated a strategic partnership with Fabrikam.. Users at Woodgrove Bank will need to have access to several file shares and applications running on several servers at Fabrikam. Users from Fabrikam only should be able to access shares on NYC-SVR1 The main tasks are as follows: 1. 2. 3. 3. 4. 5. Start the 6425A-VAN-DC1 virtual machine and log on as Administrator. Start the 6425A-NYC-SVR1 virtual machine and log on as Administrator. Configure the Network and DNS Settings to enable the forest trust Configure a forest trust between WoodgroveBank.com and NorthwindTraders.com. Configure selective authentication for the forest trust to enable access to only NYC-DC2. Test the selective authentication.
Task 1: Start the 6425A-VAN-DC1 virtual machine and logon as Administrator

Start 6425A-VAN-DC1 and log on as Administrator using the password Pa$$w0rd.
3-64
Task 2: Start the 6425A-NYC-SVR1 virtual machine and logon as Administrator

1. On VAN-DC1, modify the Local Area Network properties to change the IP address to 10.10.0.110, the Default gateway to 10.10.0.1, and the Preferred DNS server to 10.10.0.110. Click OK, and close the open dialog boxes. In DNS Manager, add a conditional forwarder to forward all queries for Woodgrovebank.com to 10.10.0.10. In Active Directory Domains and Trusts raise the domain and forest level to Windows Server 2003. On NYC-DC1, in the DNS Manager console, add a conditional forwarder to forward all queries for Fabrikam.com to 10.10.0.110. Close the DNS Manager console
2. 3. 4. 5.
Task 3: Configure a forest trust between WoodgroveBank.com and Fabrikam.com

1. 2. 3. 4. 5. 6. On NYC-DC1, start Active Directory Domains and Trusts from the Administrative Tools folder. Right-click WoodgroveBank.com and then click Properties. Start the new trust wizard and configure a forest trust with Fabikam.com. Configure both sides of the trust. Use Administrator@Fabrikam.com to verify the trust. Accept the default s setting of domain-wide authentication for both domains. Confirm both trusts.
3-65
Task 4: Configure selective authentication for the forest trust to enable access to only NYC-DC2 and NYC-CL1 .
1. 2. In Active Directory Domains and Trusts, modify the incoming trust from NorthwindTraders.com to use selective authentication. In Active Directory Users and Computers, access NYC-DC2s properties. On the Security tab, grant the MarketingGG group from Fabrikam.com permission to authenticate to this server. Access NYC-CL1s properties. On the Security tab, grant the MarketingGG group from Fabrikam.com permission to authenticate to this server.
3.
Task 5: Test the selective authentication

1. Log on to the NYC-CL1 virtual machine as Adam@fabrikam.com using a password of Pa$$w0rd. Adam is a member of the MarketingGG group at Fabrikam. He is able to log on to a computer in the WoodgroveBank.com domain because of the trust between the two forests and because he has been allowed to authenticate to NYC-CL1. Try to access the \\NYC-DC2\Netlogon folder. Josh should be able to access the folder. Try to access the \\NYC-DC1\Netlogon folder. Josh should not be able to access the folder because the server is not configured for selective authentication.
2. 3.
Shut down all virtual machines and discard any changes
Result: At the end of this exercise, you will have configured trusts based on a trust configuration design.
3-66
Review Questions
1. You are responsible for managing accounts and access to resources for your groups members. A user in your group leaves the company, and you expect a replacement for that employee in a few days. What should you do with the previous users account? You need to create several hundred computer accounts in AD DS so that the accounts can be pre-configured for a unattended installation. What is the best way to do this? A user reports that she cannot log on to her computer. The error message indicates that the trust between the computer and the domain is broken. How will you fix the problem? You have created a global group called Helpdesk, which contains all the help desk accounts. You want the help desk personnel to be able to perform any operation on local desktop computers, including taking ownership of files. Which is the best built-in group to use?
2.
3.
4.
3-67
5.
The BranchOffice_Admins group has been granted full control of all user accounts in the BranchOffice_OU. What permissions would the BranchOffice_Admins have to a user account that was moved from the BranchOffice_OU to the HeadOffice_OU? Your organization has a Windows Server 2008 forest environment, but it has just acquired another organization with a Windows 2000 forest environment that contains a single domain. Users in both organizations must be able to access resources in each others forest. What type of trust do you create between the forest root domain of each forest?
6.
Considerations for Configuring Active Directory Objects

Supplement or modify the following best practices for your own work situations: Create a naming scheme for AD DS objects before starting the AD DS deployment. For example, you need to plan how you will create user logon names and devise your group-naming strategy. It is much easier to plan the naming strategies early in the AD DS deployment rather than change the names after deployment. Plan your AD DS group strategy before deploying AD DS. When planning the group strategy, consider the organizations plans for future growth. Even if the organization only has a small number of users in a single domain, you may want to implement an account group/resource group strategy if the organization has an aggressive growth strategy or is likely to establish key partnerships that may require forest trusts. Look for opportunities to automate AD DS management tasks. It can take considerable time to create csvde and ldifde files, or to write VBScript or Windows Powershell scripts. However, once these tools are in place, they can save a great deal of time. Another option for decreasing workload for AD DS administrators is to delegate tasks. One strategy for determining what tasks to delegate is to analyze what tasks take the most time for AD DS administrators. If mundane tasks, such as creating user accounts, resetting passwords, or updating user information, take a significant amount of time, consider delegating those specific tasks to other users.
3-68
Tools
Use the following tools when configuring AD DS objects and trusts:
Tool Server Manager Use for Where to find it Click Start, and then point to Administrative Tools. Click Server Manager. Click Start, and then point to Administrative Tools. Click Active Directory Users and Computers. Click Start, and then point to Administrative Tools. Click Active Directory Domains and Trusts. These are installed by default and are accessible at a command prompt. Windows Powershell is available as a download from Microsoft. After installing Windows Powershell, all cmdlets are accessible through the command shell.
Accessing the AD DS
management tools in a single console.
Active Directory Users and Computers
Creating and configuring all

AD DS objects.
Active Directory Domains and Trusts
Creating and configuring

trusts.
Command line tools (including Csvde and Ldifde) Windows Powershell
Creating and configuring AD

DS objects
Writing scripts that can

automate AD DS object management
Configuring Active Directory Sites and Replication
4-1
Module 4
Contents:
Lesson 1: Overview of Active Directory Domain Services Replication Lesson 2: Overview of AD DS Sites and Replication Lesson 3: Configuring and Monitoring AD DS Replication Lab: Configuring Active Directory Sites and Replication 4-3 4-13 4-22 4-31
4-2
Module Overview
In a Windows Server 2008 Active Directory Domain Services (AD DS) environment, you can deploy multiple domain controllers in the same domain or in other domains in the same forest. The AD DS information replicates automatically between all of the domain controllers. Understanding how AD DS replication works enables you to manage replication network traffic and ensure the consistency of AD DS data across your network.
4-3
Lesson 1:
Overview of Active Directory Domain Services Replication
When a user or an administrator performs an update to AD DS, the AD DS database on one domain controller is updated. That update then replicates to all other domain controllers in the domain, and in some cases, to all other domain controllers in the forest. AD DS uses a multimaster replication model, which means that you can make most changes on any domain controller and the changes will replicate to all other domain controllers. This lesson describes how AD DS replication works in Windows Server 2008.
4-4
How AD DS Replication Works
Key Points
The slide describes how the different components in AD DS replication work.
Additional Reading
Active Directory Sites and Services Help: Understanding Sites, Subnets, and Site Links Microsoft Technet article: Replication Model Components: Microsoft Technet article: How the Active Directory Replication Model Works
4-5
How AD DS Replication Works Within a Site
Key Points
Within a single site, a notification from the sending domain controller initiates the replication process. When a database change is made, the sending computer notifies a replication partner that changes are available. The replication partner pulls the changes from the sending domain controller using a remote procedure call (RPC) connection. After replication is complete, the sending domain controller waits three seconds and then notifies another replication partner, which also pulls the changes. By default, a domain controller will wait for 15 seconds after a change is made and then begin replicating the changes to other domain controllers in the same site.
Additional Reading
Active Directory Sites and Services Help: Understanding Sites, Subnets, and Site Links Microsoft Technet article: How the Active Directory Replication Model Works
4-6
Resolving Replication Conflicts

Key Points
There are three conflict types: Attribute value. This conflict occurs when the same attribute on an object is modified on two domain controllers at the same time. Adding an object or modifying an object on one domain controller at the same time that the container object for the object is deleted on another domain controller. Adding objects with the same relative distinguished name into the same container.
Additional Reading
Microsoft Technet article: How the Active Directory Replication Model Works
4-7
Optimizing Replication
Key Points
During replication, domain controllers use multiple paths for sending and receiving updates. Although using multiple paths provides both fault tolerance and improved performance, it can result in updates being replicated to the same domain controller more than once along different replication paths. To prevent these repeated replications, AD DS replication uses propagation dampening. Propagation dampening is the process of reducing the amount of unnecessary data from traveling from one domain controller to another.
Additional Reading
4-8
What Are Directory Partitions?
Key Points
The AD DS database is separated logically into directory partitions -- a schema partition, a configuration partition, domain partitions, and application partitions. Each partition is a unit of replication, and each partition has its own replication topology.
Additional Reading
Microsoft Technet article: How the Data Store Works (Directory Partition section) How the Active Directory Replication Model Works e
4-9
What Is Replication Topology?
Key Points
The replication topology is the route by which replication data travels throughout a network. To create a replication topology, AD DS must determine which domain controllers replicate data with other domain controllers. Question: Which application partitions are created by default in AD DS?
Additional Reading
Microsoft Technet article: What Is Active Directory Replication Topology?
4-10
How Directory Partitions and the Global Catalog Are Replicated
Key Points
Replication of the schema and configuration partitions follows the same process as all other directory partitions. However, because these partitions are forest-wide rather than domain-wide, you can create the connection objects for these partitions between any two domain controllers, regardless of the domain controllers domain. All domain controllers in the forest are included in the replication topology for these partitions.
Additional Reading
Microsoft Technet article: What Is Active Directory Replication Topology?
4-11
How the Replication Topology Is Generated
Key Points
When you add domain controllers to a site, AD DS uses the Knowledge Consistency Checker (KCC) to establish a replication path between domain controllers.
Additional Reading
4-12
Demonstration: Creating and Configuring Connection Objects
Question: When would you configure connection objects manually?
4-13
Lesson 2:
Overview of AD DS Sites and Replication
Within a single site, AD DS replication happens rapidly and automatically, without regard for network utilization. However, some organizations have multiple locations that are connected by slow network connections. You can use AD DS sites to control replication and other types of AD DS traffic across these network links.
4-14
What Are AD DS Sites and Site Links?
Key Points
You use sites to control replication traffic, logon traffic, and client computer requests to the global catalog server.
Additional Reading
Active Directory Sites and Services Help: Understanding Sites, Subnets, and Site Links
4-15
Discussion: Why Implement Additional Sites?
Additional Reading
Active Directory Sites and Services Help: Understanding Sites, Subnets, and Site Links
4-16
Demonstration: Configuring AD DS Sites
Questions: What would happen to the replication topology if you moved a domain controller from one site to another site? You move a domain controller to a new site by using Active Directory Sites and Services. Six hours later you determine that the domain controller is not replicating with any other domain controller. What should you check?
Additional Reading
Active Directory Sites and Services Help: Create a Site, Create a Subnet
4-17
How Replication Works Between Sites
Key Points
Within a site, you have very little control over the AD DS replication process. When you implement multiple sites in an AD DS forest, you also can configure AD DS replication to ensure optimal network utilization.
4-18
Comparing Replication Within Sites and Between Sites
Key Points
See the slide for comparisons.
Additional Reading
Active Directory Sites and Services Help: Understanding Replication Between Sites Microsoft Technet article: What Is Active Directory Replication Topology?
4-19
Demonstration: Configuring AD DS Site Links
Questions If all of the locations in your organization are connected by a wide area network that has the same available bandwidth, do you need to create additional site links? Your organization has two sites and a single domain. Can you use SMTP as the replication protocol between the two sites?
Additional Reading
Active Directory Sites and Services Help: Create a Site Link
4-20
What Is the Inter-site Topology Generator?
Key Points
The KCC on one domain controller in the site is designated as the sites Inter-Site Topology Generator (ISTG). There is only one ISTG per site regardless of how many domains or other directory partitions the site has. ISTG is responsible for calculating the sites ideal replication topology.
Additional Reading
4-21
How Unidirectional Replication Works
Key Points
Because no changes are written directly to the read-only domain controller (RODC), no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the forest. This also reduces the workload of the hubs bridgehead servers and the effort required to monitor replication.
Additional Reading
Microsoft Technet article: AD DS: Read-Only Domain Controllers:
4-22
Lesson 3:
Configuring and Monitoring AD DS Replication
Once you have configured the sites and site links for your AD DS environment, you can configure AD DS replication. AD DS in Windows Server 2008 provides several options that you can use to manage how replication will flow between sites. Because AD DS replication is so critical to your environment, you also need to know how to monitor AD DS replication.
4-23
What Is a Bridgehead Server?
Key Points
The bridgehead server in an AD DS replication topology is the single domain controller in each site that is responsible for sending and receiving replicated data with other sites. The bridgehead server from the originating site collects all of the replication changes in its site and then sends them to the receiving sites bridgehead server, which replicates the changes to all of the sites domain controllers. By default, the ISTG identifies one domain controller in each site as the bridgehead server for each site link. If that bridgehead server becomes unavailable, the ISTG identifies another domain controller as the bridgehead server.
Additional Reading
Microsoft Technet article:How the Active Directory Replication Model Works
4-24
Demonstration: Configuring Bridgehead Servers
Question: Your organization has two sites and two domains in the same forest with domain controllers for both domains in both sites. You configure one domain controller in each site as the preferred bridgehead server. Some time later you notice that the domain controllers for one of the domains are not replicating across the site link. What do you need to do to fix this?
Additional Reading
Microsoft Technet article: Managing Intersite Replication
4-25
Demonstration: Configuring Replication Availability and Frequency
Questions: You configure site links between the New York site and the Toronto site, and between the New York site and the London site. The New York-Toronto site link is available from 2 am to 5 am EST. The New York-London site link is available from 8 pm to 11 pm EST. You create a new user in Toronto. When will the new user appear in AD DS on a domain controller in London? Your organization has 4 sites. All of your sites are included in the DefaultIPSiteLink. You would like to modify the replication schedule for all of the sites so that replication between sites happens every 15 minutes. What should you do?
Additional Reading
Active Directory Sites and Services Help: Configure Intersite Replication
4-26
What Is Site Link Bridging?
Key Points
By default, all AD DS site links are transitive or bridged. That means that if site A has a common site link with site B, site B also has a common site link with site C, and the two site links are bridged. Domain controllers in site A can replicate directly with domain controllers in site C, even though there is no site link between sites A and C. You can modify the default site link bridging configuration by disabling site-link bridging and then configuring site link bridging only for those site links that should be transitive.
Additional Reading
4-27
Demonstration: Modifying Site Link Bridges
Question: Your organization has five sites. Four of the sites are connected by Wide Are Network (WAN) links with surplus network bandwidth, while one of the sites is connected to the other sites by a WAN link with very little available bandwidth. You disable site link bridging in your organization, and then realize that it is taking much longer than usual to replicate AD DS changes between sites. What should you do to optimize replication between the four sites with available bandwidth while minimizing the network utilization to the site with less available bandwidth?
Additional Reading
4-28
What Is Universal Group Membership Caching
Key Points
One of the issues that you may need to address when configuring AD DS replication is whether to deploy global catalog servers in each site. Because global catalog servers are required when users log on to the domain, deploying a global catalog server in each site optimizes the user experience. However, deploying a global catalog server in a site results in additional replication traffic, which may be an issue if the network connection between AD DS sites has limited bandwidth. In these scenarios, you can deploy domain controllers running Windows Server 2008 and then enable universal group membership caching for the site.
Additional Reading
Microsoft Technet article: Planning Global Catalog Server Placement
4-29
Demonstration: Configuring Universal Group Membership Caching
Additional Reading
Microsoft Technet article: Cache universal group memberships
4-30
Demonstration: Tools for Monitoring and Managing Replication
Questions: Under what circumstance might you want to know which domain controller is the ISTG in a site? What information is available in the command line tools that is not available through the GUI tools?
4-31
Lab: Configuring Active Directory Sites and Replication
Scenario: Woodgrove Bank has multiple offices throughout the world. To optimize client logon traffic and manage AD DS replication, the enterprise administrator has created a new design for configure AD DS sites and for configuring replication between sites. You need to create AD DS sites and configure replication based on the enterprise administrators design, and monitor site replication and ensure that all components required for replication are functional. The current site design at Woodgrove Bank has not been modified from the default. Other than the default site, no AD DS sites or site links are configured.
4-32
The enterprise administrator has created the following site design: New York has a 1.544 Mbps wide area network (WAN) connection to London that has 50% available bandwidth. New York and Tokyo also are connected by a 1.544 Mbps WAN connection that has 50% available bandwidth. Any changes made to AD DS in any of these three locations should be replicated to the other locations within one hour. Miami is connected to New York through a 256 kbps WAN connection that has less than 20% available bandwidth during regular business hours. Changes made to AD DS in any site in the organization should not be replicated to Miami during regular business hours. The domain controller in Miami should receive updates only from a New York domain controller. Domain controllers in New York, Tokyo, and London can receive updates from any domain controller in one of these three sites. The domain controller in Miami is not configured as a global catalog server because of concerns with global catalog replication. To minimize the network traffic required for authentication, you should enable universal groupmembership caching for the Miami site. You should configure each company location as a separate site, with a site name of CityName-Site. You should name site links using the following format: CityName-CityNameSite-Link. The network-address configurations for each company location are as follows: New York 10.10.0.0/16 London 10.20.0.0/16 Miami 10.30.0.0/16 Tokyo 10.40.0.0/16
Note: Due to the virtual lab limitations, you will be configuring the sites only for the New York, London, and Miami locations.
4-33
Exercise 1: Configuring AD DS Sites and Subnets

In this exercise, you will modify the existing site configuration based on the enterprise administrators design. The tasks include creating new subnets and sites, creating site links, and moving servers into the appropriate sites. The main tasks are as follows: 1. 2. 3. 4. 5. 6. Start the 6425A-NYC-DC1 virtual machine and log on as Administrator. Start the 6425A-LON-DC1 virtual machine and log on as Administrator. Start the 6425A-MIA-RODC virtual machine and log on as Administrator. Start the 6425A-NYC-RAS virtual machine and log on as Administrator. Verify the current site configuration and replication topology. Create the AD DS sites.
Task 1: Start the 6425A-NYC-DC1 virtual machine and log on as Administrator Start 6425A-NYC-DC1 and log on as Administrator using the password
Pa$$w0rd.
Task 2: Start the 6425A-LON-DC1 virtual machine and log on as Administrator Start 6425A-LON-DC1 and log on as Administrator using the password
Pa$$w0rd.
Task 3: Start the 6425A-MIA-RODC virtual machine and log on as Administrator

Start 6425A-MIA-RODC and log on as Administrator with a password of Pa$$w0rd.
Task 4: Start the 6425A-NYC-RAS virtual machine and log on as Administrator

Start 6425A-NYC-RAS and log on as Administrator with a password of Pa$$w0rd.
4-34
Task 5: Verify the current site configuration and replication topology

1. 2. 3. 4. On NYC-DC1, open Active Directory Sites and Services and access the NTDS Settings properties for NYC-DC1. Verify the connection objects configured on NYC-DC1. Confirm that the connection objects are used to replicate all relevant directory partitions. Verify that the connections are configured to always replicate and check for updates every hour. Examine the connection objects configured on MIA-RODC. Verify that the RODC only has inbound replication partners and no outbound replication partners.
Task 6: Create the AD DS sites

1. 2. 3. In Active Directory Sites and Services, rename the Default-First-Site-Name to NewYork-Site. Create new sites named Miami-Site, London-Site, and Tokyo-site. Create new subnet objects with the following properties: 4. Prefix: 10.10.0.0/16, Site: NewYork-Site Prefix: 10.20.0.0/16, Site: London-Site Prefix: 10.30.0.0/16, Site: Miami-Site Prefix: 10.40.0.0/16, Site: Tokyo-Site
Verify that the correct subnets are associated with each site.
Result: At the end of this exercise, you will configure AD DS sites and subnets and linked the subnets to the appropriate sites.
4-35
Exercise 2: Configuring AD DS Replication

In this exercise, you will configure AD DS replication between sites. The tasks include creating new site links, configuring site-link bridging, and moving the domain controllers to the appropriate sites. The main tasks are as follows: 1. 2. 3. 4. 5. Create the site links. Configure site link bridging. Modify the domain controller IP address configuration. Move the domain controllers into the appropriate sites. Configure global catalog caching for the Miami site.
Task 1: Create the site links

1. In Active Directory Sites and Services, rename the DefaultIPSiteLink to NewYork-London-Site-Link. Configure the site link to include only the NewYork-Site and London-Site, and to replicate every 30 minutes. Right-click NewYork-London-Site-Link and click Properties. Create a new site link named NewYork-Tokyo-Site-Link that includes the NewYork-Site and Tokyo-Site, and that replicates every 30 minutes. Create another new site link named NewYork-Miami-Site-Link that includes the NewYork-Site and Miami-Site. Modify the schedule for the site link to not allow replication between 7 a.m. and 7 p.m., Monday to Friday.
2. 3. 4.
Task 2: Configure site link bridging

1. 2. In Active Directory Sites and Services, turn off site-link bridging for the IP site links. Create a new site-link bridge named NewYork-London-Tokyo-Site-LinkBridge that includes all sites except the Miami-Site.
4-36
Task 3: Modify the domain controller IP address configuration

1. On LON-DC1, access the Local Area Connection properties. Change the IPaddress configuration to use an IP address of 10.20.0.110 and a default gateway to 10.11.0.1. Ensure that you can ping 10.10.0.10 from LON-DC1, and force the server to register its IP address in DNS. On MIA-RODC, in the command prompt window, use the Netsh interface ipv4 show interfaces to identify the Idx value assigned to the Local Area Connection. Use the netsh interface ipv4 set address name="ID" source=static address=10.30.0.15 mask=255.255.0.0 gateway=10.30.0.1 command to change the IP address for MIA-RODC. Ensure that you can ping 10.10.0.10 from MIA-RODC, and force the server to register its IP address in DNS. On NYC-DC1, verify that the IP addresses for LON-DC1 and MIA-RODC have been updated in DNS.
2. 3.
4.
5. 6.
Task 4: Move the domain controllers into the appropriate sites

1. 2. On NYC-DC1, in Active Directory Sites and Services, move LON-DC1 from the NewYork-Site to the London-Site. Move MIA-RODC from the NewYork-Site to the Miami-Site.
Task 5: Configure global catalog caching for the Miami site

1. 2. On NYC-DC1, in Active Directory Sites and Services, access the NTDS Site Settings properties for the Miami-Site. Enable Universal Group Membership Caching and configure the cache to be refreshed from the NewYork-Site.
Result: At the end of this exercise, you will configure AD DS replication.
4-37
Exercise 3: Monitoring AD DS Replication

In this exercise, you will monitor AD DS replication between sites. You will use DCDiag and NLTest to check for server availability, use Repadmin to configure AD DS objects, and use Replmon to monitor the replication between sites. The main tasks are as follows: 1. 2. 3. 4. 5. Verify that the replication topology has been updated. Verify that replication is working between sites. Use DCDiag to verify the replication topology. Use Repadmin to verify successful replication. Shut down all virtual machines and delete all changes.
Task 1: Verify that the replication topology has been updated

1. 2. 3. 4. 5. 6. On NYC-DC1, in Active Directory Sites and Services, access the NTDS Settings for NYC-DC1 and force the server to check the replication topology. Access the NTDS Settings for LON-DC1 in the London-Site and force it to check the replication topology. This will take a few moments to complete. Access the NTDS Setting for MIA-RODC in the Miami-Site and force it to check the replication topology. This will take a few moments to complete. Access the NTDS Site Settings properties for the NewYork-Site and verify that NYC-DC1 is configured as the Inter-Site Topology Generator. Verify that LON-DC1 is the ISTG for the London site. Access the NTDS Site Settings for the Miami-Site and verify that MIA-RODC is not listed as the ISTG. Because MIA-RODC is a RODC, it cannot operate as a bridgehead server or an ISTG.
4-38
Task 2: Verify that replication is working between sites

1. 2. 3. 4. On NYC-DC1, in Active Directory Sites and Services, access the NTDS Settings for NYC-DC1. In the details pane, verify that a connection object has been created between NYC-DC1 and LON-DC1. Force replication on the connection object. Access the connection object configured on LON-DC1 between LON-DC1 and NYC-DC1. Force replication on the connection object. On NYC-DC1, in Active Directory Users and Computers, in the Users container, create a new user with a first name and logon name of TestUser and a password of Pa$$w0rd. In Active Directory Sites and Services, access the connection object configured on MIA-RODC between NYC-DC1 and MIA-RODC. Force replication on the connection object. In Active Directory Users and Computers, change the focus to MIARODC.WoodgroveBank.com. In the Change Domain Controller dialog box, click MIARODC.WoodgroveBank.com and click OK. Verify that the TestUser account has been replicated to MIA-RODC.
5.
6. 7.
Task 3: Use DCDiag to verify the replication topology

1. On NYC-DC1, at a command prompt, type DCDiag /test:replications to verify that NYC-DC1 passes all replication tests.
Note: There will be replication errors listed because NYC-DC2 and TOK-DC1 are not running and replication has been attempted.
2.
Use DCDiag with the /s servername option to verify that LON-DC1 passed all test related to replication.
Hint: Look for the Starting test: Replications section in the screen output.
4-39
Task 4: Use Repadmin to verify successful replication

1. On NYC-DC1, at the command prompt, type repadmin /showrepl and verify that all directory partitions were updated successfully during the last replication update. At the command prompt, type repadmin /showrepl MIARODC.WoodgroveBank.com and verify that all directory partitions were updated successfully during the last replication update. At the command prompt, type repadmin /bridgeheads and verify that NYCDC1 and LON-DC1 are listed as bridgehead servers for their site. At the command prompt, type repadmin /replsummary and examine the replication summary, and then close the command prompt.
2.
3. 4.
Task 5: Shut down all virtual machines and delete all changes
Connect to the Virtual Server Administration site and shut down all virtual machines without saving changes.
Result: At the end of this exercise, you will have verified that AD DS replication is working.
4-40
Review Questions
1. 2. How can you minimize the chances of creating a replication conflict in your organization? You have deployed nine domain controllers in the same domain. Five of these domain controllers are in one site, while four are in a different site. You have not modified the default-replication frequency for intra-site and inter-site replication. You create a user account on one domain controller. What is the maximum amount of time it will take for that user account to be replicated to all of the domains controllers? You add a new domain controller to an existing domain in your forest. Which AD DS partitions will be modified as a result?
3.
4-41
4.
Your organization has one domain with three sites -- a head-office site and two branch-office sites. Domain controllers in the branch-office sites can communicate with domain controllers at the head office, but cannot communicate directly with domain controllers in the other branch office due to firewall restrictions. How can you configure the site-link architecture in AD DS to integrate the firewall and ensure that the KCC will not create a connection automatically between the branch-office sites? Your organization has a head office and 20 branch offices. Each office is configured as a separate site. You have three domain controllers deployed at the head office. One of the domain controllers at the head office has a faster processor and more memory than the other two. You want to ensure that the AD DS replication workload is assigned to the more powerful computer. What should you do?
5.
Considerations for Configuring AD DS Sites and Replication

Supplement or modify the following best practices for your own work situations: In an organization with a single site, you can almost always just accept the default replication configuration. Although you can modify the default notification times for AD DS replication, there is rarely any reason to do so. In organization with multiple sites, you must plan the site design to optimize WAN utilization by minimizing Active Directory replication and client logon traffic. Use preferred bridgehead servers only if you want to exclude some domain controllers in the site from being bridgehead servers. Some domain controllers may not be powerful enough to replicate reliably between sites. Otherwise, allow the intersite topology generator to automatically select bridgehead servers. The site configuration and domain controller locations within sites can be modified after deployment. If you discover that your AD DS replication is inefficient, or your organization expands, it is easy to modify the AD DS replication process by adding or removing sites, or modifying the site link configuration. AD DS replication traffic between sites is compressed. This means that in all but the largest organizations, replication traffic will not consume a great deal of network bandwidth between sites.
4-42
Tools
Use the following tools when configuring AD DS sites and replication:
Tool Server Manager Use for Accessing the AD DS management tools in a single console. Creating and configuring sites, subnets, moving domain controllers between sites, and forcing replication. Gathering data about the current replication topology and status and creating new replication objects Gathering data about domain controllers including replication partners and status Where to find it Click Start, and then point to Administrative Tools. Click Server Manager. Click Start, and then point to Administrative Tools. Click Active Directory Users and Computers. Installed by default and accessible at a command prompt.
Active Directory Sites and Services
Repadmin
DCDiag
Installed by default and accessible at a command prompt.
Creating and Configuring Group Policies
5-1
Module 5
Contents:
Lesson 1: Overview of Group Policies Lesson 2: Configuring the Scope of Group Policy Objects Lesson 3: Evaluating the Application of Group Policy Objects Lesson 4: Managing Group Policy Objects Lesson 5: Delegating Administrative Control of Group Policies Lab: Creating and Configuring GPOs 5-3 5-15 5-26 5-31 5-38 5-42
5-2
Module Overview
Administrators face increasingly complex challenges in managing the Information Technology (IT) infrastructure. You must deliver and maintain customized desktop configurations for more types of workers, such as mobile users, information workers, or others assigned to strictly defined tasks, such as data entry. Group Policy and the Active Directory services infrastructure in Windows Server 2008 enable IT administrators to automate management of users and computers, which simplifies administrative tasks and reduces IT costs. Administrators can efficiently implement security settings, enforce IT policies, and distribute software consistently across a given site, domain, or range of organizational units (OUs). In this module, you will learn how to use Group Policies to manage your IT infrastructure.
5-3
Lesson 1:
Overview of Group Policies
This lesson introduces you to how you can use Group Policies to simplify managing computers and users in an Active Directory environment. You will learn how Group Policies are structured and applied, and about some of the exceptions to using Group Policies. This lesson also discusses Group Policy features that are included with Windows Server 2008, which also will help simplify computer and user management.
5-4
What Are Group Policies?
Key Points
Group Policy is a Microsoft technology that supports one-to-many management of computers and users in an Active Directory environment. By editing Group Policy objects (GPOs) policy settings, and targeting the GPO at the intended computers or users, you can manage specific configuration parameters centrally. In this way, you can manage potentially thousands of computers or users by changing a single GPO. Group Policy can control many aspects of a target objects environment, including the registry, NTFS file system security, audit and security policy, software installation and restriction, desktop environment, logon/logoff scripts, etc. One policy may be associated with multiple containers in Active Directory through linking. Conversely, multiple policies may link to one container. Question: When would local Group Policies be useful in a domain environment?
Additional Reading
Microsoft Technet article: Windows Server Group Policy
5-5
Group Policy Settings
Key Points
Group Policy has thousands of configurable settings (approximately 2,400). These settings can affect nearly every area of the computing environment. You cannot apply all of the settings to all versions of Windows operating systems. For example, many of the new settings that came with Windows XP Service Pack (SP) 2 only applied to that operating system, like software restriction policies. In turn, many of the hundreds of new settings only apply to Windows Vista and Windows Server 2008. If a computer has a setting applied that it cannot process, it simply ignores it. Question: Which of the new features will you find the most useful in your
environment?
5-6
Additional Reading
Microsoft Technet article: Summary of New or Expanded Group Policy Settings Microsoft Technet article: What's New in Group Policy in Windows Vista and Windows Server 2008?
5-7
How Group Policies Are Applied
Key Points
Clients initiate Group Policy application by requesting Group Policy settings from Active Directory. When Group Policy is applied to a user or computer, the client component interprets the policy and makes the appropriate environment changes. These components are known as Group Policy client-side extensions. As Group Policy is processed, the Winlogon process passes the list of GPOs that must be processed to each Group Policy client-side extension. The extension uses the list to process the appropriate policy, when applicable. Question: What would be some advantages and disadvantages to lowering the refresh interval?
Additional Reading
Microsoft Technet article: Windows Server Group Policy
5-8
Exceptions to Group Policy Processing
Key Points
Different factors can change the normal Group Policy processing behavior, such as logging on using a slow connection. Also, different types of connections or operating systems handle Group Policy processing differently. Question: How is Network Location Awareness (NLA) better than Internet Control Message Protocol (ICMP) in the proper application of group policy?
Additional Reading
Controlling Client-Side Extensions by Using Group Policy
5-9
Group Policy Components
Key Points
You can use Group Policy templates to create and configure Group Policy settings, which the GPOs store. The GPOs in turn are stored in the SYSVOL container in Active Directory. The SYSVOL container acts as a central repository for the GPOs. In this way, one policy may be associated with multiple Active Directory containers through linking. Conversely, multiple policies may link to one container. Group policy has three major components. Group policy templates Group policy container Group policy objects
5-10
What Are ADM and ADMX Files?
Key Points ADM Files

Traditionally, ADM files have been used to define the settings the administrator can configure through Group Policy. Each successive Windows operating system and service pack has included a newer version of these files. ADM files use their own markup language. Because of this, it is difficult to customize ADM files. The ADM templates are located in the %SystemRoot%\Inf folder.
ADMX Files
Windows Vista and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings are defined using a standards-based XML file format known as ADMX files. These new files replace ADM files. Group Policy tools on Windows Vista and Windows Server 2008 will continue to recognize custom ADM files you have in your existing environment, but will ignore any ADM file that ADMX files have superseded.
5-11
Question: How could you tell if a GPO was created or edited using ADM or ADMX files?
Additional Reading
Microsoft Technet article: Managing Group Policy ADMX Files Step-by-Step Guide Microsoft Support: Location of ADM (Administrative Template) Files in Windows
5-12
What Is the Central Store?
Key Points
For domain-based enterprises, administrators can create a central store location of ADMX files that is accessible by anyone with permission to create or edit GPOs. The Group Policy Object Editor on Windows Vista and Windows Server 2008 automatically reads and displays Administrative Template policy settings from ADMX files that the central store caches and ignores the ones stored locally. If the domain controller is not available, then the local store is used. You must create the central store, and update it manually, on a domain controller. The use of ADMX files is dependant on the computers operating system where you are creating or editing the GPO. Therefore, the domain controller can be a server with Windows Server 2000, 2003, or 2008. The File Replication Service (FRS) will replicate it to that domains other controllers.
5-13
Question: What would be the advantage of creating the central store on the PDC emulator?
Additional Reading
Microsoft Support: How to create a Central Store for Group Policy Administrative Templates in Window Vista
5-14
Demonstration: Configuring Group Policy Objects
Question: When you open the GPMC on your Windows XP computer, you do not see the new Windows Vista settings in the Group Policy Editor. Why not?
5-15
Lesson 2:
Configuring the Scope of Group Policy Objects
There are many techniques in Group Policy that allow administrators to manipulate how Group Policy is applied. You can control the default processing order of policies through enforcement, blocking inheritance, security filtering, and Windows Management Instrumentation (WMI) filters or using the loopback feature. In this lesson, you will learn about these techniques.
5-16
Group Policy Processing Order
Key Points
The GPOs that apply to a user or computer do not all have the same precedence. Group Policies are applied in a particular order. This order means that settings that are processed first may be overwritten by settings that are processed later. For example, a policy that restricts access to Control Panel applied at the domain level could be reversed by a policy applied at the OU level for that particular OU. Question: Your organization has multiple domains spread over multiple sites. You want to apply a Group Policy to all users in two different domains. What is the best way to accomplish this?
Additional Reading
Microsoft Technet article: Group Policy processing and precedence
5-17
What Are Multiple Local Group Policies?
Key Points
In Microsoft operating systems prior to Windows Vista, there was only one user configuration available in the local Group Policy. That configuration was applied to all users logged on from the local computer. This is still true, but Windows Vista and Windows Server 2008 have an added feature. In Windows Vista and Windows Server 2008, it now is possible to have different user settings for different local users, although there remains only one computer configuration available that affects all users. Question: When would multiple local group policies be useful in a domain environment?
Additional Reading
Microsoft Technet article: Step-by-Step Guide to Managing Multiple Local Group Policy Objects
5-18
Options for Modifying Group Policy Processing
Key Points
There may be occasions when the normal behavior of Group Policy is not desirable. For example, certain users or groups may need to be exempt from restrictive Group Policies or a Group Policy should be applied only to computers with certain hardware or software characteristics. By default, all Group Policies apply to the Authenticated Users group in a given container, but you can modify that behavior through various methods. Question: You have created a restrictive desktop policy and linked it to the Finance OU. The Finance OU has several child OUs that have separate GPOs that reverse some of your desktop restrictions. How would you ensure that all users in the Finance department receive your desktop policy?
Additional Reading
Microsoft Technet article: Controlling the Scope of Group Policy Objects using GPMC
5-19
Demonstration: Configuring Group Policy Object Links
Question: True or false if a GPO is linked to multiple containers, altering the settings for one of those links will only affect that container.
5-20
Demonstration: Configuring Group Policy Inheritance
Question: Your domain has two domain-level policies, GPO1 and GPO2. You need to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs. How could you accomplish this?
5-21
Demonstration: Filtering Group Policy Objects Using Security Groups
Question: You want to ensure that a specific policy linked to an OU will only affect the members of the Managers global group. How would you accomplish this?
5-22
Demonstration: Filtering Group Policy Objects Using WMI Filters
Question: You need to deploy a software application that requires computers to have more than 1 GB or RAM. What is the best way to accomplish this?
5-23
How Does Loopback Processing Work?
Key Points
Normally, user policy settings are derived entirely from the GPOs associated with the user account based on it's location in the Active Directory. Loopback processing directs the system to apply an alternate set of user settings for the computer to any user who logs on to a computer affected by this policy. This policy is intended for special-use computers where you must modify the user policy based on the computer that is being used, for example, computers in public areas or classrooms. When loopback is applied, it will affect all users, except local users. Loopback operates using the following two modes: Merge mode Replace mode
Additional Reading
Microsoft Technet article: Loopback processing with merge or replace Microsoft Technet article: Loopback processing of Group Policy
5-24
Discussion: Configuring the Scope of Group Policy Processing
Scenario
Use the following scenario information for your discussion. All domain computers that have Windows XP Professional installed will have a software application distributed through group policy. All domain users will have the Run menu removed from the Start menu. The Admin OU will be exempt from this restriction. The Managers security group will also be exempt from this restriction. The Mortgages OU will have further desktop restrictions applied.
5-25
Questions: What are the advantages to using security group filtering over blocking inheritance to prevent group policies from being applied? What are the advantages to using security group filtering over blocking inheritance to prevent group policies from being applied?
5-26
Lesson 3:
Evaluating the Application of Group Policy Objects
System administrators need to know how policy settings affect computers and users in a managed environment. This information is essential when planning policy for a network and when debugging existing policy. Obtaining the information can be a complex task when you consider the many combinations of sites, domains, and organizational units that are possible, and the many types of Group Policy settings that can exist. Further complicating the task are securitygroup filtering and the inheritance, blocking, and enforcement of Group Policies. The GPResult command-line tool and the Group Policy Management Console (GPMC) provide reporting features to simplify these tasks.
5-27
What Is Group Policy Reporting?
Key Points
Group Policy Reporting is a feature of Group Policy that makes implementation and troubleshooting easier. Two main troubleshooting tools are the GPResult.exe command-line tool and the Group Policy Results wizard in the GPMC. The Group Policy Results feature allows administrators to determine the resultant policy set that was applied to a given computer and/or user that logged on to that computer. Although these tools are similar, they each provide different information. Question: You want to know which domain controller delivered Group Policy to a client. Which utility would you use to find that out?
Additional Reading
Microsoft resources: Gpresult Microsoft Technet article: Group Policy Results (Administering Group Policy with Group Policy Management Console)
5-28
What Is Group Policy Modeling?
Key Points
Another method for testing Group Policy is to use the Group Policy Modeling Wizard in the GPMC to model environment changes before you actually make them. The Group Policy Modeling Wizard calculates the simulated net effect of GPOs. Group Policy Modeling also simulates such things as security group membership, WMI filter evaluation, and the effects of moving user or computer objects to a different OU or site. You also can specify slow-link detection, loopback processing, or both when using the Group Policy Modeling Wizard. The Group Policy Modeling process actually runs on a domain controller in your Active Directory domain. Because the wizard never queries the client computer, it cannot take local policies into account.
5-29
Question: What simulations can be performed with the Group Policy Modeling Wizard? Choose all that apply. A. Loopback processing B. Moving a user to a different domain in the same forest. C. Security group filtering D. Slow link detection E. WMI filtering F. All of the above
Additional Reading
Microsoft Technet article: Using Group Policy Modeling and Group Policy Results to Evaluate Group Policy Settings
5-30
Demonstration: How to Evaluate the Application of Group Policies
Question: A user reports that they are unable to access Control Panel. Other users in the department can access Control Panel. What tools might you use to troubleshoot the problem?
5-31
Lesson 4:
Managing Group Policy Objects
GPMC provides mechanisms for backing up, restoring, migrating, and copying existing GPOs. This is very important for maintaining your Group Policy deployments in the event of error or disaster. It helps you avoid manually recreating lost or damaged GPOs and having to again go through the planning, testing, and deployment phases. Part of your ongoing Group Policy operations plan should include regular backups of all GPOs. GPMC also provides for copying and importing GPOs, both from the same domain and across domains.
5-32
GPO Management Tasks
Key Points
Like critical data and Active Directory related resources, you must back up Group Policy to protect the integrity of Active Directory and GPOs. The GPMC provides the basic backup and restore options, but also provides additional control over GPOs for administrative purposes. Question: You perform regular backups of GPOs. An administrator has inadvertently changed a number of settings on the wrong GPO. What is the quickest way to fix the problem?
Additional Reading
Windows Server Library: Backing up, Restoring, Migrating, and Copying GPOs Microsoft Technet article: Import using GPMC
5-33
What Is a Starter GPO?
Key Points
Starter GPOs store a collection of Administrative Template policy settings in a single object. Starter GPOs only contain Administrative Templates. You can import and export Starter GPOs to distribute them to other areas of your enterprise.
Additional Reading
Help Topics: Working with Starter GPOs
5-34
Demonstration: How to Copy a GPO
Question: What is the advantage of copying a GPO and linking it to an OU over linking the original GPO to multiple OUs?
5-35
Demonstration: Backing up and Restoring GPOs
Question: What permissions are required to back-up a GPO?
5-36
Demonstration: Importing a GPO
Question: What is the purpose of a migration table?
5-37
Migrating Group Policy Objects
Key Points
The ADMX Migrator allows you to convert custom ADM templates into ADMX templates. The associated ADML file also is created. Converted files are saved into the users documents folder by default. Once you create the new files, copy the ADMX file into the PolicyDefinitions folder, or the central store, and copy the ADML file into the appropriate subfolder. The new administrative templates then become available in the GPMC.
Additional Reading
Microsoft Web site: ADMX Migrator
5-38
Lesson 5:
Delegating Administrative Control of Group Policies
In a distributed environment, it is common to have different groups delegated to perform different administrative tasks. Group Policy management is one of the administrative tasks that you can delegate.
5-39
Options for Delegating Control of GPOs
Key Points
Delegation allows the administrative workload to be distributed across the enterprise. One group could be tasked with creating and editing GPOs, while another group performs reporting and analysis duties. A separate group might be in charge of WMI filters. The following Group Policy tasks can be independently delegated: Creating Group Policy objects Editing Group Policy objects Managing Group Policy links for a site, domain, or OU Perform Group Policy Modeling analyses on a given domain or OU Read Group Policy Results data for objects in a given domain or OU Create WMI filters in a domain
5-40
Question: You perform regular backups of GPOs. An administrator has inadvertently changed a number of settings on the wrong GPO. What is the quickest way to fix the problem?
Additional Reading
Microsoft Technet article: Delegating Group Policy
5-41
Demonstration: How to Delegate Administrative Control of GPOs
Question: A user located in a different domain in your forest needs permission to create GPOs in your domain. What is the best way to accomplish this?
5-42
Lab: Creating and Configuring GPOs
Scenario: The Woodgrove Bank has decided to implement group policies to manage user desktops and to configure computer security. The organization has already implemented an OU configuration that includes top-level OUs group by location with additional OUs within each location OU for different departments. User accounts are located in the same container as their workstation computer accounts. Server computer accounts are spread throughout various OUs. The enterprise administrator has created a GPO deployment plan. You have been asked to create Group Policy objects so that certain policies can be applied to all domain objects. Some policies are considered mandatory. You also want to create policy settings that will apply only to subsets of the domains objects, and you want to have separate policies for computer settings and user settings. You must delegate GPO administration to administrators within each company location.
Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings and may not always follow best practices.
5-43
Group Policy Requirements

Domain users will not have access to the Run Menu. The policy will apply to all users except users in the IT Admin OU. Executives will not have access to the desktop display settings. The NYC, Miami and Toronto branch users will not have access to the Control Panel. All branch managers will be exempt from this restriction. All domain computers will have a mandatory baseline security policy applied that does not display the name of the last logged on user Computers running Windows Vista or Windows XP will have additional settings applied to wait for the network at startup. Users in the administrators group will have the URL for Microsoft support added to their Favorites. Kiosk computers in the branch offices will have loopback processing enabled.
5-44
Exercise 1: Creating and Configuring Group Policy Objects

You will create and link the GPOs specified by the enterprise administrators design. Tasks include modifying the default domain policy, creating policies linked to specific OUs and sites. The main tasks are as follows: 1. 2. 3. 4. Start and log on to NYC-DC1. Create the group policies. Configure the policies. Link the GPOs.
Task 1: Start and log on to NYC-DC1

Start and log on to NYC-DC1 as Administrator with a password of Pa$$w0rd.
Task 2: Create the group policies

Use the GPMC to perform the following: Create a group policy named Restrict Control Panel. Create a group policy named Restrict Desktop Display. Create a group policy named Restrict Run Command. Create a group policy named Baseline Security. Create a group policy named Vista and XP Security Create a group policy named Admin Favorites Create a group policy named Kiosk Computer Security
5-45
Task 3: Configure the policies

1. 2. 3. 4. 5. 6. 7. Edit the Restrict Run Command GPO to prevent access to the Run Menu. Edit the Baseline Security GPO so that the name of the last logged on user is not displayed. Edit the Server Security GPO to exempt Administrators from User Account Control prompts on computers running Windows Server 2008. Edit the Admin Favorites GPO to include the URL for Microsoft tech support http://support.microsoft.com in the Internet Favorites. Edit the Restrict Control Panel GPO to prevent user access to Control Panel. Edit the Restrict Desktop Display GPO to prevent access to the desktop display settings. Edit the Kiosk Computer Security GPO to use loopback processing, and to hide and disable all items on the desktop for the logged on user.
Task 4: Link the GPOs

Use the GPMC to perform the following: Link the Restrict Run Command GPO to the domain container. Link the Baseline Security GPO to the domain container Link the Vista and XP Security GPO to the domain container Link the Kiosk Computer Security GPO to the domain container Link the Admin Favorites GPO to the Admin OU Link the Restrict Control Panel GPO to the NYC, Miami and Toronto OUs Link the Restrict Desktop Display GPO to the Executive OU.
Result: At the end of this exercise, you will have created and configured GPOs.
5-46
Exercise 2: Managing the Scope of GPO Application

In this exercise, you will configure the scope of GPO settings based on the enterprise administrators design. Tasks include disabling portions of GPOs, blocking and enforcing inheritance, applying filtering based on security groups and WMI filters. The main tasks are as follows: 1. 2. 3. 4. 5. 6. 7. Configure group policy management for the domain container. Configure group policy management for the IT Admin OU. Configure group policy management for the branch OUs. Create and apply a WMI filter for the Server Security GPO. Verify the successful installation of the domain controller. Configure a password replication policy that enables credential caching for all user accounts in Toronto. Verify that the password replication policy has enabled credential caching.
Task 1: Configure group policy management for the domain container

1. 2. 3. Configure the Baseline Security link to be Enforced. Disable the User side of the policy. Configure the Vista and XP Security link to be Enforced. Use security group membership filtering to configure the Kiosk Computer Security GPO to apply only to the Kiosk Computers global group.
5-47
Task 2: Configure group policy management for the IT Admin OU

Block inheritance at the IT Admin OU to exempt the executive users from the Restrict Run Command GPO.
Task 3: Configure group policy management for the branch OUs

Use security group membership filtering to configure the Restrict Control Panel GPO to deny the Apply group policy permission to the following groups: Miami_BranchManagersGG NYC_BranchManagersGG Toronto_BranchManagersGG
Result: At the end of this exercise, you will have configured the scope of GPO settings.
5-48
Exercise 3: Verifying GPO Application

In this exercise, you will test the application of GPOs to ensure that the GPOs are being applied as specified in the design. Students will log in as specific users, and also use Group Policy Modeling and RSOP to verify that GPOs are being applied correctly. The main tasks are as follows: 1. 2. 3. 4. 5. 6. 7. Start NYC-CL1. Verify that a Miami branch user is receiving the correct policy. Verify that a Miami Branch Manager is receiving the correct policy. Verify that a user in the IT Admin OU is receiving the correct policy. Verify that a user in the Executive OU user is receiving the correct policy. Verify that the username does not appear. Use group policy modeling to test kiosk computer settings.
Task 1: Start NYC-CL1 Task 2: Verify that a Miami branch user is receiving the correct policy
1. 2. 3. 4. 5. Log on to NYC-CL1 as Anton with a password of Pa$$w0rd Ensure that there is no link to the Run menu in the Accessories folder on the Start Menu Ensure that there is no link to Control Panel on the Start Menu Ensure that you can access the desktop display settings Log off.
5-49
Task 3: Verify that a Miami Branch Manager is receiving the correct policy
1. 2. 3. 4. Log on to NYC-CL1 as Roya with a password of Pa$$w0rd. Ensure that there is no link to the Run menu in the Accessories folder on the Start Menu Ensure that a link to Control Panel appears on the Start Menu Log off.
Task 4: Verify that a user in the IT Admin OU is receiving the correct policy
1. 2. 3. 4. 5. Log on to NYC-CL1 as Betsy with a password of Pa$$w0rd. Ensure that a link to the Run menu appears in the Accessories folder on the Start Menu. Ensure that a link to Control Panel appears on the Start Menu. Launch Internet Explorer and open the Favorites. Ensure that the link to Tech Support appears. Log off
Task 5: Verify that a user in the Executive OU user is receiving the correct policy
1. 2. 3. 4. Log on to NYC-CL1 as Chase with a password of Pa$$w0rd Ensure that there is no link to the Run menu in the Accessories folder on the Start Menu Ensure that a link to Control Panel appears on the Start Menu Ensure that there is no access to the desktop display settings.
Hint: When you attempt to access display settings you will receive a message informing you that this has been disabled.
5.
Log off.
5-50
Task 6: Verify username does not appear

Verify that the last logged on username does not appear.
Task 7: Use group policy modeling to test kiosk computer settings

1. 2. 3. 4. 5. 6. Log on to NYC-DC1 as Administrator with a password of Pa$$w0rd. Launch the GPMC and right click the Group Policy Modeling folder, click Group Policy Modeling Wizard and then click Next twice. On the User and Computer Selection screen, click Computer and enter NYCCL1, and click then Next three times. In the Computer Security Groups screen click Add. In the Select Groups dialog box, type Kiosk Computers and then click Next. In the WMI Filters for Computers screen, click Next twice and then click Finish and view the report.
Result: At the end of this exercise, you will have tested and verified a GPO application.
5-51
Exercise 4: Managing GPOs

In this exercise, you will use the GPMC to back up, restore, and import GPOs. The main tasks are as follows: 1. 2. 3. 4. Backup an individual policy. Back up all GPOs. Delete and restore an individual GPO. Import a GPO.
Task 1: Backup an individual policy

1. 2. 3. 4. In the GPMC, open the Group Policy Objects folder Right click the Restrict Control Panel policy and then click Backup Browse to D:\6425\GPOackup. Click Backup and then click OK after the backup succeeds.
Task 2: Back up all GPOs

1. 2. Right click the Group Policy Objects folder and then click Back Up All. Ensure that D:\6425\GPOackup is the location. Confirm the deletion.
Task 3: Delete and restore an individual GPO

1. 2. 3. 4. Right click the Admin Favorites policy and then click Delete. Click Yes and then click OK when the deletion succeeds. Right click the Group Policy Objects folder and then click Manage Backups. Restore the Admin Favorites GPO. Confirm that the Admin Favorites policy appears in the Group Policy Objects folder.
5-52
Task 4: Import a GPO

1. 2. 3. 4. 5. 6. 7. 8. 9. Create a new GPO named Import in the Group Policy Objects folder. Right click the Import GPO and then click Import Settings. In the Import Settings Wizard, click Next. On the Backup GPO screen, click Next. Ensure the Backup folder location is D:\6425\GPOackup and then click Next. On the Source GPO screen click Restrict Control Panel and then click Next. Finish the wizard. Click OK when the import succeeds Click the Import GPO, click the Settings tab and then ensure that the Control Panel setting is Enabled.
Result: At the end of this exercise, you will have backed up, restored, and imported GPOs.
5-53
Exercise 5: Delegating Administrative Control of GPOs

In this exercise, you will delegate administrative control of GPOs based on the enterprise administrator design. Tasks include configuring permissions to create, edit and link GPOs. You will then test the permissions configuration.. The main tasks are as follows: 1. 2. 3. 4. 5. Grant Betsy the right to create GPOs in the domain. Delegate the right to edit the Import GPO to Betsy. Delegate the right to link GPOs to the Executives OU to Betsy. Enable Domain Users to log on to domain controllers. Test the delegation.
Task 1: Grant Betsy the right to create GPOs in the domain

1. 2. Select the Group Policy Objects folder and then click the Delegation tab and then click Add. In the Select Users dialog box type Betsy in the Object name field and then click OK.
Task 2: Delegate the right to edit the Import GPO to Betsy

1. 2. 3. In the Group Policy Objects folder, select the Import GPO, click the Delegation tab and then click Add. In the Select Users dialog box, type Betsy in the Object name field and then click OK. In the Add Group or User dialog box, select Edit Settings from the dropdown list and then click OK.
Task 3: Delegate the right to link GPOs to the Executives OU to Betsy

1. 2. 3. Select the Executives OU and the click the Delegation tab and then click Add. In the Select Users dialog box type Betsy in the Object name field and then click OK. In the Add Group or User dialog box select This container only and then click OK.
5-54
Task 4: Enable Domain Users to log on to domain controllers

Note: This step is included in the lab to enable you to test the delegated permissions. As a best practice, you should install the administration tools on a Windows workstation rather than enable Domain Users to log on to domain controllers.
1. 2. 3. 4. 5.
On NYC-DC1, start Group Policy Management and edit the Default Domain Controllers Policy. In the Group Policy Management Editor window, access the User Rights Assignment folder. Double-click Allow log on locally. In the Allow log on locally Properties dialog box, click Add User or Group. Grant the Domain Users group the log on locally right. Open a command prompt, and type GPUpdate /force and press ENTER.
Task 5: Test the delegation

1. 2. 3. 4. 5. 6. 7. Log on to NYC-CL1 as Betsy Create a Group Policy Management Console. Right click the Group Policy Objects folder and then click New. Create a new policy named Test. This operation will succeed. Right click the Import GPO and then click Edit. This operation will succeed Right click the Executives OU and link the Test GPO to it. This operation will succeed. Close the GPMC.
Result: At the end of this exercise, you will have backed up, restored, and imported GPOs.
5-55
Considerations
Keep the following considerations in mind when creating and configuring Group Policies: Multiple local group policies ADMX and ADML files replace ADM files Methods to control group policy, inheritance, filtering, enforcement Group policy tools and reporting
5-56
Review Questions
1. 2. You want to force the application of certain group policy settings across a slow link. What can you do? You need to ensure that a domain level policy is enforced, but the Managers global group needs to be exempt form the policy. How would you accomplish this? You want all GPOs that contain user settings to have certain administrative templates enabled. You need to be able to send those policies to other administrators in the enterprise. What is the best approach? You want to control access to removable storage devices on all client workstations through group policy. Can you use group policy to do this?
3.
4.
Configuring User Environments Using Group Policies
6-1
Module 6
Contents:
Lesson 1: Configuring Group Policy Settings Lesson 2: Configuring Scripts and Folder Redirection Using Group Policies Lesson 3: Configuring Administrative Templates Lesson 4: Deploying Software Using Group Policy Lab: Configuring User Environments Using Group Policies 6-3 6-7 6-15 6-22 6-32
6-2
Module Overview
This module introduces the job function of configuring the user environment using Group Policy. Specifically, this module provides the skills and knowledge that you need to use Group Policy to configure Folder Redirection, as well as how to use scripts. You also will learn how Administrative Templates affect Windows Vista and Windows Server 2008, and how to deploy software using Group Policy.
6-3
Lesson 1:
Configuring Group Policy Settings
Group Policy can deliver many different types of settings. Some setting are simply a matter of turning them on while others are more complex to configure. This lesson will describe how to configure the various Group Policy settings.
6-4
Options for Configuring Group Policy Settings
Key Points
For a Group Policy setting to have an effect, you must configure it. Most Group Policy settings have three states. They are: Enabled Disabled Not Configured
You also must configure values for some Group Policy settings. For example, you need to configure restricted group-membership needs values for the groups and users.
6-5
Question: A domain level policy restricts access to the Control Panel. You want the users in the Admin organizational unit (OU) to have access to the Control Panel, but you do not want to block inheritance. How could you accomplish this?
Additional Reading
Microsoft Technet article: How Core Group Policy Works
6-6
Demonstration: Configuring Group Policy Settings Using the Group Policy Editor
Question: How could you prevent a lower-level policy from reversing the setting of a higher-level policy?
6-7
Lesson 2:
Configuring Scripts and Folder Redirection Using Group Policies
Windows Server 2008 enables you to use Group Policy to deploy scripts to users and computers. You also can redirect folders that the users profile includes from the users local hard disks to a central server.
6-8
What Are Group Policy Scripts?
Key Points
You can use scripts to perform any number of tasks. There may be actions that you need performed every time a computer starts or shuts down, or when users log off or on. For example, you can use scripts to clean up desktops when users log off and shut down computers, or delete the contents of temporary directories or clear the pagefile to make the environment more secure. Question: You keep logon scripts in a shared folder on the network. How could you ensure that the scripts will always be available to users from all locations?
6-9
Additional Reading
Microsoft Technet article: The Two Sides of Group Policy Script Extension Processing Microsoft Technet article: The Two Sides of Group Policy Script Extension Processing (Part2) Microsoft Support: Overview of Logon, Logoff, Startup, and Shutdown Scripts in Windows 2000
6-10
Demonstration: Configuring Scripts with Group Policies
Question: What other method could you use to assign logon scripts to users?
6-11
What Is Folder Redirection?
Key Points
When you redirect folders, you change the folders storage location from the local hard disk on the users computer to a shared folder on a network file server. After you redirect a folder to a file server, it still appears to the user as if it is stored on the local hard disk. Folder Redirection makes it easier for you to manage and back up data. By redirecting folders, you can ensure user access to data regardless of the computers to which they log on. Question: List some disadvantages of folder redirection.
Additional Reading
Microsoft Technet article: What Is Folder Redirection Extension? MSDN: IE7 in Vista: Folder Redirection for Favorites on the Same Machine Microsoft Download: Managing Roaming User Data Deployment Guide
6-12
Folder Redirection Configuration Options
Key Points
There are three available settings for Folder Redirection: none, basic, and advanced. Basic folder redirection is for users who must redirect their folders to a common area or users who need their data to be private. Advanced redirection allows you to specify different network locations for different Active Directory security groups. Question: Users in the same department often log on to different computers. They need access to their My Documents folder. They also need the data to be private. What folder redirection setting would you choose?
Additional Reading
Microsoft Technet article: Recommendations for Folder Redirection
6-13
Options for Securing Redirected Folders
Key Points
You must create a shared network folder manually to store the redirected folders. Folder Redirection can create the users redirected folders for you. When you use this option, the correct permissions are set automatically. If you manually create folders, you must know the correct permissions. Question: What steps could you take to protect the data while it is in transit between the client and the server?
Additional Reading
Microsoft Support: Folder Redirection feature in Windows Windows Server Library: Security Considerations when Configuring Folder Redirection
6-14
Demonstration: Configuring Folder Redirection
Question: Users in the same department want to have each others Internet favorites available to everyone in the department. What folder redirection options would you choose?
6-15
Lesson 3:
Configuring Administrative Templates
The Administrative Template files provide the majority of available policy settings, which are designed to modify specific registry keys. This is known as registry-based policy. For many applications, the use of registry-based policy that the Administrative Template files deliver is the simplest and best way to support centralized management of policy settings. In this lesson, you will learn how to configure Administrative Templates.
6-16
What Are Administrative Templates?
Key Points
Administrative Templates allow you to control the environment of the operating system and user experience. There are two sets of Administrative Templates: one for users and one for computers. Administrative Templates are the primary means of configuring the client computers registry settings through Group Policy. Administrative Templates are a repository of registry-based changes. By using the Administrative Template sections of the GPO, you can deploy hundreds of modifications to the computer (the HKEY_LOCAL_MACHINE hive in the registry) and user (the HKEY_CURRENT_USER hive in the registry) portions of the Registry
6-17
Question: What sections of the Administrative Templates will you find most useful in your environment?
Additional Reading
Microsoft Technet article: Using Administrative Template Files with RegistryBased Group Policy Microsoft Technet article: Administrative Templates Extension Technical Reference
6-18
Demonstration: Configuring Administrative Templates
Question: You need to ensure that Windows Messenger is never allowed to run on a particular computer. How could you use Administrative Templates to implement this?
6-19
Modifying Administrative Templates
Key Points
Because ADMX files are XML based, you can use any text editor to edit or create new ADMX files, but there also are programs that are XML-aware, like Microsoft Visual Studio, that administrators or developers can use to create or modify ADMX files.
Additional Reading
Microsoft Technet article: Creating a Custom Base ADMX File Microsoft Downloads: Group Policy Sample ADMX Files
6-20
Demonstration: Adding Administrative Templates for Office Applications
Question: Can you still use custom ADM files to deliver Group Policy settings in Windows Server 2008?
6-21
Discussion: Options for Using Administrative Templates
6-22
Lesson 4
Deploying Software Using Group Policy
Windows Server 2008 includes a feature called Software Installation and Maintenance that uses Active Directory Domain Services (AD DS) and Group Policy and the Microsoft Windows Installer service to install, maintain, and remove software on your organizations computers.
6-23
Options for Deploying and Managing Software by Using Group Policies
Key Points
The software life cycle consists of four phases: preparation, deployment, maintenance, and removal. You can apply Group Policy settings to users or computers in a site, domain, or an organizational unit to install, upgrade, or remove software automatically. By applying Group Policy settings to software, you can manage the various phases of software deployment without deploying software on each computer individually. Question: What types of applications would you deploy via Group Policy in your environment?
6-24
Additional Reading
Microsoft Support: How to use Group Policy to install software remotely in Windows 2000 Microsoft Technet article: Use Group Policy Software Installation to deploy the 2007 Office system
6-25
How Software Distribution Works
Key Points
To enable Group Policy to deploy and manage software, Windows Server 2008 uses the Windows Installer service. This component automates the installation and removal of applications by applying a set of centrally defined setup rules during the installation process Question: What are some disadvantages of deploying software through Group Policy?
Additional Reading
Microsoft Support: How to use Group Policy to install software remotely in Windows 2000
6-26
Options for Installing Software
Key Points
There are two deployment types available for delivering software to clients. Administrators can either install software for users or computers in advance or give users the option to install the software when they require it. Users do not share deployed applications, meaning an application you install for one user through Group Policy will not be available to that computers other users. Each user needs his or her own instance of the application. Question: What is an advantage of publishing an application over assigning it?
Additional Reading
Microsoft Technet article: Group Policy Software Installation overview
6-27
Demonstration: Configuring Software Distribution
Question: What types of applications would be useful to assign to the computer rather than the user?
6-28
Options for Modifying the Software Distribution
Key Points
Software Installation in Group Policy includes options for configuring deployed software. You can categorize programs that are published in Control Panel and associate file name extensions with applications. You also can add modifications to deployed software.
Additional Reading
Microsoft Technet article: Specify categories for applications to be managed Microsoft Technet article: Best practices for Group Policy Software Installation, Specify automatic installation options based on file name extension section Microsoft Technet article: Add or remove modifications for an application package
6-29
Demonstration: Modifying Software Distribution
Question: You want to deploy an administrative utility to members of the Domain Admins security group. These utilities should be available from any computer that an administrator logs onto, but only installed when necessary. What is the best approach to accomplish this?
Additional Reading
Microsoft Technet article: Upgrade or remove an application Microsoft Technet article: Set Group Policy Software Installation defaults
6-30
Maintaining Software Using Group Policies
Key Points
Occasionally a software package will need to be upgraded to a newer version. The Upgrades tab allows you to upgrade a package using the GPO. You also may redeploy a package if the original Microsoft Windows Installer file has been modified. You can remove software packages if they were delivered originally using Group Policy. Removal also can be mandatory or optional. Question: Your organization is upgrading to a newer version of a software package. Some users in the organization require the old version. How would you deploy the upgrade?
Additional Reading
6-31
Discussion: Evaluating the Use of Group Policies to Deploy Software
Question: You want to deploy an administrative utility to members of the Domain Admins security group. These utilities should be available from any computer that an administrator logs onto, but only installed when necessary. What is the best approach to accomplish this?
Additional Reading
6-32
Lab: Configuring User Environments Using Group Policies
Scenario
Woodgrove Bank has decided to implement group policies to manage user desktops. The organization already has implemented an organizational unit (OU) configuration that includes top-level OUs grouped by location, with additional OUs within each location for different departments. User accounts are located in the same container as their workstation computer accounts. Server computer accounts are spread throughout various OUs. The enterprise administrator has created a GPO design that will be used to manage the user desktop environment. You have been asked to configure Group Policy objects so that specific settings are applied to user desktops and computers
Some of the tasks in this lab are designed to illustrate GPO management techniques and settings, but may not always follow best practices.
6-33
Exercise 1: Configuring Scripts and Folder Redirection

Scenario You have been tasked to create a script that will map a network drive to the shared folder named Data on NYC-DC1. Then you will use Group Policy to assign the script to all users in Toronto, Miami, and NYC OUs. The script needs to be stored in a highly available location. You also will set permissions to share and secure a folder on NYC-DC1. The Documents folder for all members of the Executive OU will be redirected there. The main tasks for this exercise are: 1. 2. 3. 4. 5. Start the 6425A-NYC-DC1 virtual machine and log on as Administrator. Create a logon script to map to the Data shared folder. Use Group Policy to copy the script to the NetLogon share and assign the script to the appropriate OUs. Share and secure a folder for the Executives group. Redirect the Documents folder for the Executives group.

1. 2. Open the Virtual Server Remote Control Client and double-click 6425ANYC-DC1. Log on to NYC-DC1 as Administrator using the password Pa$$w0rd.
Task 2: Create a logon script to map to the Data shared folder

1. 2. 3. Launch Notepad.exe. In Notepad, type Net Use J: \\NYC-DC1\Data. Close and save the file as C:\Map.bat. Ensure the Save as type field is All Files.
6-34
Task 3: Use Group Policy to copy the script to the NetLogon share and assign the script to the appropriate OUs
1. 2. 3. 4. Open Windows Explorer, copy C:\map.bat to the clipboard and then close Windows Explorer. Launch the GPMC and then create a new Group Policy named Logon Script. Edit the policy by expanding User Configuration, expanding Windows Settings and then clicking Scripts (Logon/Logoff). Open the Properties of the Logon Script GPO, click Show Files, right-click, click Paste to copy the script from the clipboard to the scripts folder, and then close Explorer. In the Logon Properties, click Add. In the Add a Script dialog box, click Browse. In the Browse dialog box, select the Map.bat file. Close the Group Policy Management editor. Link the Logon Script policy to the Miami, NYC, and Toronto OUs.
5. 6. 7. 8. 9.
Task 4: Share and secure a folder for the Executives group

1. 2. 3. 4. 5. 6. 7. In Windows Explorer, open the Properties of the Execs folder. Click the Sharing tab and then click Advanced Sharing. Check the Share this folder checkbox and then click Permissions. Remove the Everyone group. Add the Executives Woodgrove GG and then grant them Full Control. Click the Security tab and then click Advanced. On the Permissions tab, click Edit, clear the checkbox beside Include inheritable permissions from this objects parent, and then copy the permissions. Remove all users and groups except Creator Owner and System. Add the Executives_WoodgroveGG and then assign List folder/Read data and Create Folders/Append data permissions to This Folder only.
8. 9.
10 Close the properties and then close Windows Explorer.
6-35
Task 5: Redirect the Documents folder for the Executives group

1. 2. 3. 4. 5. Create a new GPO named Executive Redirection. Edit the policy: expand User Configuration, expand Windows Settings, expand Folder Redirection, right-click Documents and then click Properties. On the Target tab, configure the Setting to be Basic-Redirect everyones folder to the same location. Leave the target folder location at the default settings and then type \\NYCDC1\Execs in the Root Path field. Link the policy to the Executives OU.
Result: At the end of this exercise, you will have configured scripts and folders redirection.
6-36
Exercise 2: Configuring Administrative Templates

You have been asked to create and assign Group Policy Administrative Templates to control the computer and user environment. All computers will have the following settings applied: Allow remote inbound administration Slow link detection set to 800 kps
Computers in the Miami, Toronto, and NYC OUs will prevent the installation of removable devices. Computers in the Executive OU will have offline files encrypted. All domain users will have the following settings applied: The registry editing tools will be prohibited The clock will be removed from the taskbar
Additionally, users in the Miami, Toronto, and NYC OUs will have the following settings applied: Profiles will be limited to 1GB Windows Sidebar will be turned off
The main tasks in this exercise are: 1. 2. 3. 4. 5. Modify the Default Domain Policy to contain the settings for all computers. Create and assign a policy to prevent the installation of removable devices for branch computers. Create and assign a policy to encrypt offline files for executive computers Create and assign a domain-level policy for all domain users. Create and assign a policy to limit profile size and turn off Windows Sidebar for branch users.
6-37
Task 1: Modify the Default Domain Policy to contain the settings for all computers
1. 2. In the GPMC, edit the Default Domain Policy. Expand Computer Configuration, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then expand Domain Profile. In the details pane, double-click Windows Firewall: Allow inbound remote administration exception. Enable the policy for the localsubnet in the Allow unsolicited incoming messages from these IP addresses: Expand Computer Configuration, expand Administrative Templates, expand System, and then expand Group Policy. Enable Group Policy slow link detection to be 800kps.
3. 4. 5.
Task 2: Create and assign a policy to prevent the installation of removable devices for branch computers
1. 2. Create a new Group Policy named Prevent Removable Devices. Edit the policy by expanding Computer Configuration, expand Administrative Templates, expand System, expand Device Installation, expand Device Installation Restrictions. Enable the Prevent installation of removable devices setting. Link the Prevent Removable Devices policy to the Miami, NYC, and Toronto OUs.
3. 4.
Task 3: Create and assign a policy to encrypt offline files for executive computers
1. 2. 3. 4. Create a new Group Policy named Encrypt Offline Files. Edit the policy by expanding Computer Configuration, expanding Administrative Templates, expanding Network, and expanding Offline Files. Enable the Encrypt the Offline Files cache. Link the policy to the Executives OU.
6-38
Task 4: Create and assign a domain level policy for all domain users
1. 2. 3. 4. 5. 6. Create a new Group Policy named All Users Policy. Expand User Configuration, expand Administrative Templates, and then expand System. Enable the Prevent access to registry editing tools setting. Expand User Configuration, expand Administrative Templates, and then expand Start Menu and Taskbar. Enable the Remove Clock from the system notification area. Link the policy to the Woodgrovebank.com domain.
Task 5: Create and assign a policy to limit profile size and turn off Windows Sidebar for branch users
1. 2. 3. 4. 5. 6. Create a new Group Policy named Branch Users Policy. Edit the policy by expanding User Configuration, expanding Administrative Templates, expanding System and then expanding User Profiles. Enable the Limit profile size with a value of 1000000. Expand User Configuration, expand Administrative Templates, expand Windows Components, and then expand Windows Sidebar. Enable the Turn off Windows Sidebar setting. Link the Branch Users Policy policy to the Miami, NYC, and Toronto OUs.
Result: At the end of this exercise, you will have configured Administrative Templates.
6-39
Exercise 3: Verifying GPO Application

Scenario: You will log on as various domain users to test the application of Group Policy. You will also use Group Policy Resultant Set of Policy (RSoP) to verify that GPOs are being applied correctly. The main tasks in this exercise are: 1. 2. 3. 4. Start the 6425A-SEA-CL1 virtual machine, log on as Woodgrovebank\Administrator, and then observe the applied settings. Log on as a user in the Executives OU and observe the applied settings. Log on as a user in a Branch Office and observe the applied settings. Use the GPMC on NYC-DC1 to use Group Policy results to observe the applied settings.
Task 1: Start the 6425A-SEA-CL1 virtual machine, log on as Woodgrovebank\Administrator and observe the applied settings
1. 2. 3. 4. Open the Virtual Server Remote Control Client and then double-click 6425A-SEA-CL1. Log on to SEA-CL1 as Administrator using the password Pa$$w0rd. Ensure that the Clock is not displayed in the Notification area. Logoff SEA-CL1.
Task 2: Log on as a user in the Executives OU and observe the applied settings
1. 2. 3. 4. 5. Log on to SEA-CL1 as Tony using the password Pa$$w0rd. Ensure that the Clock is not displayed in the Notification area. Click Start, right-click the Documents folder and then click Properties. Ensure the location is \\nyd-dc1\execs. Click Start, type Regedt32 in the search box and then press ENTER. Ensure that Registry editing has been disabled. Ensure that the Windows Sidebar is displayed. Log off SEA-CL1.
6-40
Task 3: Log on as a user in a Branch Office and observe the applied settings
1. 2. 3. 4. 5. 6. Log on to SEA-CL1 as Roya using the password Pa$$w0rd. Ensure that the Clock is not displayed in the Notification area Click Start, right-click the Documents folder and then click Properties. Ensure the location is C:\Users\Roya. Click Start, type Regedt32 in the search box and then press Enter. Ensure that Registry editing has been disabled. Ensure that the Windows Sidebar is not displayed. Click Start, and then open Computer. Ensure that the Data share is mapped to the J: drive letter. Log off SEA-CL1.
Task 4: Use the GPMC on NYC-DC1 to use Group Policy results to observe the applied settings
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, restore the GPMC. Right-click Group Policy Results and then click Group Policy Results Wizard. Select the SEA-CL1 computer. Select Woodgrovebank\Tony as the user. On the Summary screen, click Next and then click Finish. In the Group Policy Results report summary, expand the Group Policy Objects section. Click the Settings tab. Expand Administrative Templates. Close the GPMC. Delete the changes on all virtual machines and then shutdown.
Result: At the end of this exercise, you will have verified a GPO application.
6-41
Considerations
When configuring user environments using Group Policies, keep the following in mind: Policy settings that are Enabled enforce a setting. Policy settings that are Disabled reverse a setting. Policy settings that are Not Configured are not affected by Group Policy. Scripts can be applied to the user or computer via Group Policy. Scripts can be written in multiple languages. Storing scripts in the NetLogon share makes them highly available. Certain folders can be redirected from the users profile to a shared folder on the network.
6-42
Different security groups can be redirected to different network locations. Administrative Templates apply settings by modifying the registry for the user and computer. ADMX files can be customized. Software can be distributed via Group Policy through .MSI files. Software can be published to users or assigned to users or computers. Software assigned to users is specific to that user. Software assigned to computers is available to all users on that computer. Software can be modified and maintained through Group Policy. Software can be removed through Group Policy.
Review Questions
1. You have assigned a logon script to an OU via Group Policy. The script is located in a shared network folder named Scripts. Some OU users receive the script while others do not. What might be causing this? What steps could you take to prevent these types of problems from reoccurring? You have two logon scripts assigned to users -- script1 and script2. Script2 depends on script1 completing successfully. Your users report that script2 never runs. What is the problem and how would you correct it?
2. 3.
Implementing Security Using Group Policies
7-1
Module 7
Contents:
Lesson 1: Configuring Security Policies Lesson 2: Implementing Fine-Grained Password Policies Lesson 3: Restricting Group Membership and Access to Software Lesson 4: Managing Security by Using Security Templates Lab: Implementing Security Using Group Policies 7-3 7-13 7-19 7-26 7-33
7-2
Module Overview
Failure to have adequate security policies can lead to many risks for an organization. A well designed security policy helps to protect an organizations investment in business information and internal resources, like hardware and software. Having a security policy in itself is not enough, however. You must implement the policy for it to be effective. You can leverage Group Policy to standardize security to control the environment.
7-3
Lesson 1:
Configuring Security Policies
Group Policy provides settings you can use to implement security in your organization. For example, you can use these settings to secure passwords, startup, and permissions for system services. In this lesson, you will learn the knowledge and skills you need to configure security policies.
7-4
What Are Security Policies?
Key Points
Security policies are rules that protect resources on computers and networks. Group Policy allows you to configure many of these rules as Group Policy settings. For example, you can configure password policies as part of Group Policy. Group Policy has a large security section to configure security for both users and computers. This way, you can apply security consistently across organizational units (OUs) in Active Directory by defining security settings in a Group Policy object that is associated with a site, domain, or OU.
Additional Reading
Microsoft Technet article: Security Settings Microsoft Technet article: Group Policy Security Settings
7-5
What Is the Default Domain Security Policy?
Key Points
The default domain policy is linked to the domain and therefore affects all objects in the domain unless a Group Policy object (GPO) that you applied at a lower level blocks or overrides these settings. This policy has very few settings configured by default. Although the Default Domain Policy has all the settings and capabilities of any GPO, it is recommended that you use this policy only to deliver Account Policies. You should create other GPOs to deliver other settings.
Additional Reading
Microsoft Technet article: Windows Server 2003 Security Guide Chapter 3: The Domain Policy
7-6
What Are the Account Policies?
Key Points
Account policies protect your organizations accounts and data by mitigating the threat of brute force guessing of account passwords. In Windows operating systems, and many other operating systems, the most common method for authenticating a users identity is to use a secret password. Securing your network environment requires that all users utilize strong passwords. Password policy settings control the complexity and lifetime of passwords. You can configure password policy settings through Group Policy.
Additional Reading
Microsoft Technet article: Account Passwords and Policies
7-7
What Are Local Policies?
Key Points
Every Windows 2000 or later computer has exactly one Local Group Policy Object (LGPO). In this object, Group Policy settings are stored on individual computers, regardless of whether they are part of an Active Directory environment. The LGPO is stored in a hidden folder named %windir%\system32\Group Policy. This folder does not exist until you configure an LGPO.
Additional Reading
Microsoft Resources: Local Group Policy
7-8
What Are Network Security Policies?
Key Points
Automating client computer-configuration settings is an essential step to reduce the cost of deploying networking security and minimize support issues that result from incorrectly configured settings. Starting with The Windows Server2003 operating system, you were able to automate client wireless configuration using the Wireless Networking Policies settings in Group Policy. Windows Server2008 and Windows Vista include new features for network policies and Group Policy support for 802.1X authentication settings for wired and wireless connections.
7-9
Additional Reading:
Microsoft Technet article: Joining a Windows Vista Wired Client to a Domain Microsoft Technet article: Chapter 6: Designing the Wireless LAN Security Using 802.1X Microsoft Technet article: Wireless Group Policy Settings for Windows Vista Microsoft Technet article: Define Active Directory-based Wireless Network Policies
7-10
Windows Firewall with Advanced Security
Key Points
Windows Vista and Windows Server 2008 include a new and enhanced version of Windows Firewall. The new Windows Firewall is a stateful host-based firewall that allows or blocks network traffic according to its configuration.
Additional Reading
Microsoft Technet article: The New Windows Firewall in Windows Vista and Windows Server 2008
7-11
Demonstration: Overview of Additional Security Settings
Question: You need to ensure that a particular service is not allowed to run on any of your network servers. How would you accomplish this?
7-12
Demonstration: What Is the Default Domain Controller Security Policy?
Question: What is the default Group Policy refresh interval for domain controllers
7-13
Lesson 2:
Implementing Fine-Grained Password Policies
In Windows Server 2008, you can allow different password requirements and account lockout policies for different Active Directory users or groups, using finegrained policies. In this lesson, you will learn the knowledge and skills to implement fine-grained password policies.
7-14
What Are Fine-Grained Password Policies?
Key Points
In previous Active Directory domains, you could apply only one password and account lockout policy to all users in the domain. Fine-grained password policies allow you to have different password requirements and account lockout policies for different Active Directory users or groups. This is desirable when you want different sets of users to have different password requirements, but do not want separate domains. For example, the Domain Admins group may need strict password requirements to which you do not want to subject ordinary users. If you do not implement fine-grained passwords, then the normal default domain account policies applies to all users. Question: How would you use fine-grained passwords in your environment?
Additional Reading
Microsoft Technet article: AD DS: Fine-Grained Password Policies
7-15
How Fine-Grained Password Policies Are Implemented
Key Points
To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory schema. They are: Password Settings Container (PSC) Password Settings Object (PSO)
The PSC object class is created by default under the System container in the domain. It stores that domains PSOs. You cannot rename, move, or delete this container. Question: How could you view the Password Settings Container in Active Directory Users and Computers?
Additional Reading
Microsoft Technet article: AD DS: Fine-Grained Password Policies
7-16
Implementing Fine-Grained Password Policies
Key Points
There are three major steps involved in implementing fine-grained passwords: Create necessary groups, and add the appropriate users. Create PSOs for all defined password policies. Apply PSOs to the appropriate users or global security groups.
Question: In your organization, a number of users deal with confidential files on a regular basis. You need to ensure that all these users have strict account polices enforced. The user accounts are scattered across multiple OUs. How would you accomplish this with the least administrative effort?
7-17
Additional Reading
Microsoft Technet article: Fine-Grained Password and Account Lockout Policy Review
7-18
Demonstration: Implementing Fine-Grained Password Policies
Question: What utilities can be used to manage PSOs? Choose all that apply. a. b. c. ADSI edit GPMC CSVDE
d. LDIFDE e. f. NTDSUtil Active Directory Users and Computers
7-19
Lesson 3:
Restricting Group Membership and Access to Software
In a large network environment, one of the challenges of network security is controlling the membership of built-in groups in the directory and on workstations. Another concern is preventing access to unauthorized software on workstations.
7-20
What Is Restricted Group Membership?
Key Points
In some cases, you may want to control the membership of certain groups in a domain to prevent addition of other user accounts to those groups, such as the local administrators group. You can use the Restricted Groups policy to control group membership. Use the policy to specify what members are placed in a group. If you define a Restricted Groups policy and refresh Group Policy, any current member of a group that is not on the Restricted Groups policy members list is removed. This can include default members, such as domain administrators. Although you can control domain groups by assigning Restricted Groups policies to domain controllers, you should use this setting primarily to configure membership of critical groups like Enterprise Admins and Schema Admins. You also an use this setting to control the membership of built-in local groups on workstations and member servers. For example, you can place the Helpdesk group into the local Administrators group on all workstations.
7-21
Question: Your company has five Web servers physically located across North America. The Web servers computer accounts are all located in a single OU. You want to grant all the users in the global group named Web_Backup the right to backup and restore the web servers. How could you use Group Policy to accomplish this?
Additional Reading
Microsoft Technet article: Restricted Groups Microsoft Technet article: Group Policy Security Settings
7-22
Demonstration: Configuring Restricted Group Membership
Question: You created a Group Policy that adds the Helpdesk group to the local Administrators group and you linked the policy to an OU. Now the Domain Administrators no longer have any administrative authority on the computers in that OU. What is the most likely problem and how would you solve it?
7-23
What Is a Software Restriction Policy?
Key Points
You may want to restrict access to software to prevent users from running particular applications or types of applications, like VBscripts. Software restriction policy provides administrators with a policy-driven mechanism for identifying software and controlling its ability to run on a client computer. Question: You have a number of computers in a workgroup. You need to restrict access to a certain application so that only members of the Administrators group are allowed to launch the application. How would you accomplish this?
Additional Reading
Microsoft Technet article: Microsoft Windows XP: Using Software Restriction Policies to Protect Against Unauthorized Software
7-24
Options for Configuring Software Restriction Policies
Key Points
Software Restriction policies use rules to determine whether an application is allowed to run. When you create a rule, you first identify the application. Then you identify it as an exception to the default policy setting of Unrestricted or Disallowed. The enforcement engine queries the rules in the software restriction policy before allowing a program to run. Question: You need to restrict access to a certain application no matter into what directory location the application is installed. What type of rule should you use?
Additional Reading
Microsoft Technet article: Microsoft Windows XP: Using Software Restriction Policies to Protect Against Unauthorized Software
7-25
Demonstration: Configuring Software Restriction Policies
Question: You want to ensure that only digitally signed Visual Basic scripts are allowed to run. What type of rule should you use?
7-26
Lesson 4:
Managing Security Using Security Templates
A security policy is a group of security settings that affect a computers security. You can use a security policy to establish account and local policies on your local computer and in Active Directory. You can create security templates to assist in creating security policies to meet your companys security needs. You then can use these templates to configure the security settings assigned to computers either manually or through Group Policy.
7-27
What Are Security Templates?
Key Points
A security template is a collection of configured security settings. You can use predefined security templates as a base to create security policies that you customize to meet your needs, or you can create new templates. You use the Security Templates snap-in to create or customize templates. After you create a new template or customize a predefined security template, you can use it to configure security on an individual computer or thousands of computers. Security templates contain security settings for all security areas.
Additional Reading
Microsoft Technet article: Security Templates Concepts
7-28
Demonstration Applying Security Templates
Question: You have multiple database servers that are located in different OUs. What is the easiest way to apply consistent security settings to all of the database servers?
7-29
What Is the Security Configuration Wizard?
Key Points
The Security Configuration Wizard (SCW) is an attack-surface reduction tool that Windows Server 2003 with Service Pack 1 (SP1) introduced. SCW assists administrators in creating security policies, and determines the minimum functionality that is required for a servers role or roles and disables functionality that is not required. SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the servers selected roles. The security policies that you create with SCW are XML files that, when applied, configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS). Question: What types of server roles exist in your organization?
Additional Reading
Security Configuration Wizard Documentation Security Configuration Wizard for Windows Server 2003
7-30
Demonstration: Configuring Server Security Using the Security Configuration Wizard
Question: What is the main advantage of the SCW?
7-31
Options for Integrating the Security Configuration Wizard and Security Templates
Key Points
Security policies that you create with the SCW also can include custom security templates. Some of the settings that you can configure using the SCW partially overlap the settings that you can configure using security templates alone. Neither set of configuration changes totally includes the other. For example, the SCW includes IIS settings that are not included in any security template. Conversely, security templates can include such items as Software Restriction policies, which you cannot configure through SCW
Additional Reading
Microsoft Technet article: Security Configuration Wizard How To Microsoft Technet article: The Security Configuration Wizard
7-32
Demonstration: Importing Security Configuration Policies into Security Templates
Question You need to open a port on your Windows Vista client computers for a custom application. Should you use the SCW or create a security template and use a GPO?
7-33
Lab: Implementing Security Using Group Policies
Scenario:
Woodgrove Bank has decided to implement group policies to configure security for users and computers in the organization. The company recently upgraded
all of the workstations to Vista and all of the servers to Windows Server 2008. The organization wants to utilize Group Policy to implement security settings for the workstations, servers, and users. The enterprise administrator
created a design that includes modifications to the default domain security policy and additional GPOs for configuring security. The company wants to have the
flexibility to assign different password policies for specific users. The company also wants to automate the configuration of security settings as much as possible.
Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings, and may not always follow best practices.
7-34
Exercise 1: Configuring Account and Security Policy Settings

You have been tasked to implement a domain account policy with the following criteria: Domain passwords will be eight characters Strong passwords will be enforced Passwords will be changed every 20 days exactly Accounts will be locked out for 30 minutes after five invalid logon attempts
You also will configure a local policy on the Windows Vista client that enables the local Administrator account and prohibits access to the Run menu for NonAdministrators. Then you will create a wireless network policy for Windows Vista that creates a profile for the Corp wireless network. This profile will define 802.1x as the authentication method. This policy also will deny access to a wireless network named Research. Finally, you will configure a policy to prevent the Remote Registry service from running on any domain controller. The main tasks in this exercise are: 1. 2. 3. 4. 5. Start the 6425A-NYC-DC1 virtual machine and log on as Administrator. Create an account policy for the domain. Configure local policy settings for a Windows Vista client. Create a wireless network policy for Windows Vista clients. Configure a policy that prohibits a service on all domain controllers.

Start 6425A-NYC-DC1 and then log on as Administrator using the password Pa$$w0rd.
7-35
Task 2: Create an account policy for the domain

1. 2. Launch the Group Policy Management Console. Edit the Account Policy in the Default Domain Policy with the following values: Password Policy will be: Domain passwords will be 8 characters in length Strong passwords will be enforced Minimum password age will be 19 days Maximum password age will be 20 days
Account lockout policy will be: Account Lockout Threshold will be 5 invalid logon attempts Account lockout duration will be 30 minutes Lockout counter will be reset after 30 minutes
Task 3: Configure local policy settings for a Windows Vista client

1. 2. 3. Start NYC-CL1 and log on as WoodgroveBank\Administrator using the password Pa$$w0rd. Create a new MMC and add the snap-in for the Group Policy Object Editor for the Local Computer. Open Computer Configurations Windows Settings, open Security Settings, Local Policies, Security Options, and then enable the Accounts: Administrator Account Status setting. Add the Group Policy Object Editor snap-in to the MMC again and then click Browse. Click the Users tab, select the Non-Administrators group, click OK and then Finish. Open User Configuration, Administrative Templates, and the Start Menu and Taskbar folder, and then enable the Remove Run from Start Menu setting. Close the MMC without saving the changes.
4. 5. 6.
7.
7-36
Task 4: Create a wireless network policy for Windows Vista clients

1. 2. 3. 4. 5. 6. 7. 8. In the GPMC, create a new policy named Vista Wireless. Edit the policy by right-clicking Wireless Network (IEEE 802.11) Policies and then clicking Create a New Windows Vista Policy. In the New Vista Wireless Network Policy dialog box, click Add and then click Infrastructure. Create a new profile named Corporate and then type Corp in the Network Name (SSID) field. Click the Security tab, change the Authentication method to Open with 802.1X and then click OK. Click the Network Permissions tab and then click Add Type Research in the Network Name (SSID): field, set the Permission to Deny and then click OK twice. Close the Group Policy Management Editor and then leave the GPMC open.
Task 5: Configure a policy that prohibits a service on all domain
controllers
1. 2. Edit the Default Domain Controller Policy, Windows Settings, Security Settings, System Services to disable the Remote Registry service. Close the Group Policy Management Editor and leave the GPMC open.
Result: At the end of this exercise, you will have configured account and security policy settings.
7-37
Exercise 2: Implementing Fine-Grained Password Policies

Your corporate security policy dictates that members of the IT Administrative group will have strict password policies. The passwords must meet the following criteria: 30 passwords will be remembered in password history Domain passwords will be 10 characters Strong passwords will be enforced Passwords will not be stored with reversible encryption Passwords will be changed every seven days exactly Accounts will be locked out for 30 minutes after three invalid logon attempts
You will create a fine-grained password policy to enforce these policies for the IT Admins global group. The main tasks are as follows: 1. 2. Create a PSO using ADSI Edit. Assign the ITAdmin PSO to the IT Admins global group.
Task 1: Create a PSO using ADSI Edit

1. 2. 3. In the Run menu, type adsiedit.msc and then press ENTER. Right-click ADSI Edit, click Connect to and then click OK to accept the defaults. Navigate to DC=woodgrovebank, DC=com, CN=System, CN=Password Settings Container. Right-click CN=Password Settings Container and then create a new object. In the Create Object dialog box click msDS-PasswordSettings, and then click Next. In Value type ITAdmin. In the msDS-PasswordSettingsPrecedence value, type 10. In the msDS-PasswordReversibleEncryptionEnabled value, type FALSE. In the msDS-PasswordHistoryLength value, type 30.
4. 5. 6. 7. 8.
7-38
9.
In the msDS-PasswordComplexityEnabled value, type TRUE.
10. In the msDS-MinimumPasswordLength value, type 10. 11. In the msDS-MinimumPasswordAge value, type -5184000000000. 12. In the msDS-MaximumPasswordAge value, type -6040000000000. 13. In the msDS-LockoutThreshold value, type 3. 14. In the msDS-LockoutObservationWindow value, type -18000000000. 15. In the msDS-LockoutDuration value, type -18000000000 and then click Finish. 16. Close the ADSI Edit MMC without saving changes.
Task 2: Assign the ITAdmin PSO to the IT Admins global group

1. 2. 3. Open Active Directory Users and Computers. Click View and then click Advanced Features. Expand Woodgrovebank.com, expand System and then click Password Settings Container. In the details pane, right-click the ITAdmin PSO and then click Properties. Click the Attribute Editor tab. Scroll down, select the msDS-PSOAppliesTo attribute and then click Edit. Add the ITAdmins_WoodgroveGG group group. Close Active Directory Users and Computers.
4. 5. 6.
Result: At the end of this exercise, you will have implemented fine-grained password policies.
7-39
Exercise 3: Configuring Restricted Groups and Software Restriction Policies

You need to ensure that the ITAdmins global group is included in the local Administrators group for all of the organizations computers. Domain controllers are considered high security, and Internet Explorer will not be allowed to run on domain controllers. You also will prevent any Visual Basic scripts (VBS) from running on the C: drive of domain controllers. The main tasks for this exercise are as follows: The main tasks are as follows: 1. 2. Configure restricted groups for the local administrators group. Create a GPO that prohibits Internet Explorer and VBS scripts from running on domain controllers.
Task 1: Configure restricted groups for the local administrators group

1. 2. 3. 4. If required, open the GPMC, open the Group Policy Objects folder and then edit the Default Domain Policy. Navigate to Windows Settings, Security Settings, right-click Restricted Groups and then click Add Group. Add the Administrators group and then click OK. In the Administrators Properties dialog box, add the following groups: 5. Woodgrovebank\ITAdmins_WoodgroveGG Woodgrovebank\Domain Admins
Close the Group Policy Management Editor.
7-40
Task 2: Prohibit Internet Explorer and VBS scripts from running on domain controllers
1. 2. 3. 4. 5. 6. 7. Edit the Default Domain Controllers Policy. Navigate to Windows Settings, Security Settings, right-click Software Restriction Policies and then click New Software Restriction Policy. Right-click Additional Rules and then click New Hash Rule. Browse and navigate to C:\Program Files\Internet Explorer\iexplore.exe, and then click Open. Ensure that the Security level is Disallowed. Right-click Additional Rules and then click New Path Rule. In the Path field, type *.vbs and then click OK. Close the Group Policy Management Editor.
Result: At the end of this exercise, you will have configured restricted groups and software restriction policies.
7-41
Exercise 4: Configuring Security Templates

You will create a security template for file and print servers that will rename the Administrator account and does not display the last user name that logged on. You then will use the Security Configuration Wizard to create a security policy that hardens the file and print server and includes the security template. You will use the SCW interface to apply the policy to the file and print server, NYC-SVR1. Finally, you will transform the policy into a GPO named FPSecurity. The main tasks for this exercise are: 1. 2. 3. 4. Create a security template for the file and print servers. Start NYC-SRV1 and disable the Windows Firewall. Run the Security Configuration Wizard and import the FPSecurity template. Transform the FPPolicy into a GPO.
Task 1: Create a security template for the file and print servers
1. 2. Create a new MMC and add the snap-in for Security Templates. Expand Security Templates, right-click C:\Users\Administrators\Documents\Security\Templates and then click New Template. Name the template FPSecurity. Navigate to Local Polices, Security Options. Define the Accounts: Rename administrator account with the value FPAdmin. Define the Interactive Logon: Do not display last user name to be Enabled. In the folder pane, right-click FPSecurity and then click Save. Close the MMC without saving the changes.
3. 4. 5. 6. 7.
7-42
Task 2: Start NYC-SRV1 join the domain and disable the Windows Firewall
1. 2. 3. 4. Start NYC-SRV1 and log on as Administrator with a password of Pa$$w0rd. Join NYC-SRV1 to the WoodgoveBank.com domain. Restart the computer and log on as Administrator. Disable the Windows Firewall.
Note: This step is performed to simplify the lab and is not a recommended practice.
Task 3: Run the Security Configuration Wizard and import the FPSecurity template
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, launch the Security Configuration Wizard. On the Welcome screen, click Next. On the Configuration Action screen, click Next. On the Select Server screen type NYC-SRV1.woodgrovebank.com and then click Next. After the configuration databases processes, click Next. On the Role-Based service Configuration screen, click Next. On the Select server Roles screen, clear the checkbox beside DNS Server. Check the checkbox beside File Server. Check the checkbox beside Print Server and then click Next.
10. On the Select Client Features screen, click Next. 11. On the Select Administration and Other Options screen, click Next. 12. On the Select Additional Services screen, click Next. 13. On the Handling Unspecified Services screen, click Next until you reach the Security Policy File Name screen.
7-43
14. On the Security Policy File Name screen, type FPPolicy at the end of the C:\Windows\security\msscw\policies\ path. 15. Click Include Security Templates and then click Add. 16. Add the Documents\Security\Templates\FPSecurity policy. 17. On the Apply Security Policy screen, click Apply Now and then click Next. 18. On the Applying Security Policy screen, click Next and then click Finish.
Task 4: Transform the FPPolicy into a GPO

1. On NYC-DC1, launch the Command Prompt and type scwcmd transform /p:C:\Windows\security\msscw\Policies\FPpolicy.xml /g:FileServerSecurity. Open the GPMC if necessary and then open the Group Policy Objects folder. Double click the FilesServerSecurity GPO and then examine the settings. Close the GPMC and log off NYC-DC1.
2. 3.
Result: At the end of this exercise, you will have configured security templates.
7-44
Exercise 5: Verifying the Security Configuration

You will log on as various users to test the results of group policy. The main tasks for this exercise are: 1. 2. 3. 4. 5. Log on as the Local Administrator of the Windows Vista computer and check the membership of the local administrators group. Log on to the Windows Vista computer as an ordinary user and test the account policy. Log on to the domain controller as the domain administrator and test software restrictions and services. Use group policy modeling to test the settings on the file and print server. Log on to NYC-SRV1 and check that group policy has been applied.
Task 1: Log on as the Local Administrator of the Windows Vista computer and check the membership of the local administrators group
1. 2. 3. 4. Log on to NYC-CLI as NYC-CL1\administrator with a password of Pa$$w0rd. Launch a Command Prompt and run the GPupdate /force command. Ensure that the Run menu appears in the Accessories folder on the Start Menu. Open Control Panel, click User Accounts, click User Accounts, click Manage User Accounts, click the Advanced tab, click Advanced, click Groups, open the Administrators group, and then ensure that the Domain Admins and the ITAdmins global groups are present. Restart NYC-CL1.
5.
7-45
Task 2: Log on to the Windows Vista computer as an ordinary user and test the policy
1. 2. 3. 4. Log on to NYC-CLI as NYC-CL1\administrator with a password of Pa$$w0rd. Launch a Command Prompt and run the GPupdate /force command. Ensure that the Run menu appears in the Accessories folder on the Start Menu. Open Control Panel, click User Accounts, click User Accounts, click Manage User Accounts, click the Advanced tab, click Advanced, click Groups, open the Administrators group, and then ensure that the Domain Admins and the ITAdmins global groups are present. Log off NYC-CL1.
5.
Task 3: Log on to the domain controller as the domain administrator and test software restrictions and services
1. 2. 3. 4. 5. Log on to NYC-CLI as SEA-CL1\administrator with a password of Pa$$w0rd. Launch a Command Prompt and run the GPupdate /force command. Attempt to launch Internet Explorer and read the error message and then click OK. Navigate to D:\6425\mod07\labfiles and then double-click Hello.vbs. Read the error message and then click OK. Open the Services MMC in Administrative Tools. Scroll down to the Remote Registry service and ensure that it is Disabled.
7-46
Task 4: Use group policy modeling to test the settings on the file and print server
1. 2. 3. 4. Open the GPMC and then launch the Group Policy Modeling Wizard. Accept all the defaults except on the User and Computer Selection screen. Click Computer and then type Woodgrovebank\NYC-SRV1. After completing the Wizard, observe the policy settings.
Task 5: Log on to NYC-SRV1 and check that group policy has been applied
1. 2. Log on to NYC-SRV1 as Woodgrovebank\Administrator Open Control Panel, double-click User Accounts, click Manage User Accounts, click the Advanced tab, click Advanced, and then click the Users folder. Ensure that the Administrators account has been renamed to FPAdmin. Click the Groups folder and then open the Administrators group. Ensure that the Woodgrovebank Domain Admins and ITAdmins global groups are present. Shut down all virtual machines and do not save any changes.
3.
4.
Result: At the end of this exercise, you will have verified the security configuration.
7-47
Considerations for Implementing Security Using Group Policies

Keep the following points in mind when implementing security using Group Policies. Security policies are rules that protect resources on computers and networks and can be enforced using Group Policy. The Default Domain Policy and the Default Domain Controllers Policy are created by default. Account policies must be implemented at the domain level. Any domain level policy is capable of delivering account policies. Clients receive account policies from domain controllers Local policies generally affect all users, including domain users, of the local computer. Network security policies can control wireless configuration for Windows XP and later.
7-48
Network security policies can control wired configuration for Windows Vista and later. Windows Firewall supports outbound rules Network awareness can automatically determine your firewall profile Firewall settings and IPsec settings are now integrated Fine-grained passwords allow different users or global groups to have different account policies. Fine-grained policies are not delivered through Group Policy. Fine-grained policies must be created using ADSIedit or LDIFDE. Both domain and local group membership can be controlled through Group Policy. Access to software can be controlled through Group Policy. Local administrators can be exempted from software restrictions. There are four types of rules to control access to software. Security templates can be used to provide a consistent set of security settings. The Security Configuration Wizard can be used to assist in creating security policies.
Review Questions
1. 2. 3. You want to place a software restriction policy on a new type of executable file. What must you do before you can create a rule for this executable code? What setting must you configure to ensure that users are only allowed 3 invalid logon attempts? You want to provide consistent security settings for all client computers in the organization. The computer accounts are scattered across multiple OUs. What is the best way to provide this? An administrator in your organization has accidentally modified the Default Domain Controller Policy. You need to restore the policy to its original default settings. How would you accomplish this?
4.
Implementing an Active Directory Domain Services Monitoring Plan
8-1
Module 8
Contents:
Lesson 1: Monitoring Active Directory Domain Services Using Event Viewer Lesson 2: Monitoring Active Directory Domain Servers Using Reliability and Performance Monitor Lesson 3: Configuring Active Directory Domain Services Auditing Lab: Configuring Active Directory Sites and Replication 8-3 8-10 8-20 8-25
8-2
Module Overview
To manage and administer an organizations operating system, it is important to understand the tools that you can use to monitor the systems health. By using tools like Event Viewer, Reliability and Performance Monitor, and audit policies, you will be better able to anticipate issues and manage everyday events.
8-3
Lesson 1:
Monitoring Active Directory Domain Services Using Event Viewer
Monitoring server performance is an important part of maintaining and administering an operating system. The Event Viewer is an application that enables you to browse, manage, and monitor events recorded in event logs.
8-4
Event Viewer Features
Key Points
One of the first places you should turn when troubleshooting problems in Microsoft Windows is the Event Viewer. A number of new features are built into the Event Viewer for Windows Vista and Windows Server 2008. Event Viewer is rewritten completely with a new user interface that makes it easier to filter and sort events and control which events are logged. Additionally, you now can perform some basic diagnostic tasks from within Event Viewer. Event Viewer also provides many new logs files.
Additional Reading
Microsoft Technet article: Event Viewer Overview Microsoft Technet article: How the Active Directory Replication Model Works
8-5
Demonstration: Overview of the Event Viewer
Question: You have an issue with Group Policy. What log should you view for detailed Group Policy events?
8-6
Active Directory Domain Services Logs
Key Points
The System and Application logs still provide general information and log events from many areas, but the Event Viewer now provides a wide range of application and service logs. These logs can provide granular information about Active Directory and other service, like Group Policy, offline files, Windows Update client and many others.
8-7
What Are Custom Views?
Key Points
Custom views are filters that are named and saved. After creating and saving a custom view, you are able to reuse it without re-creating its underlying filter. To reuse a custom view, navigate to the Custom Views category in the console tree and select the custom views name. By selecting the custom view, you apply the underlying filter and the results are displayed. You can import and export custom views, enabling you to share them between users and computers.
Additional Reading
Microsoft Technet article: Create and Manage Custom Views
8-8
What Are Subscriptions?
Key Points
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Event Viewer provides the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events. Question: Where would subscriptions be most useful on in your organization?
Additional Reading
Microsoft Technet article: Event Subscriptions Microsoft Technet article: Configure Computers to Forward and Collect Events
8-9
Demonstration: Configuring Custom Views and Subscriptions
Question: You want to monitor a particular group of events across multiple Web servers. What is the best way to accomplish this?
8-10
Lesson 2:
Monitoring Active Directory Domain Servers Using Reliability and Performance Monitor
In general, performance is the measure of how quickly a computer completes application and system tasks. Use performance monitoring to track a range of processes and display the results. You can use performance monitoring to assist you with upgrade planning, tracking processes that need to be optimized, and understanding a workload and its effect on resource usage to identify bottlenecks. Overall system performance might be limited by the access speed of the physical hard disks, the amount of available memory, the speed of the processor, or the throughput of the network interfaces.
8-11
Reliability and Performance Monitor Features
Key Points
Windows Reliability and Performance Monitor enables you to track the performance impact of applications and services, and to generate alerts or take action when user-defined thresholds for optimum performance are exceeded. Windows Reliability and Performance Monitor provides the features outlined below. Resource view Reliability Monitor Data Collector Sets Track performance of applications and services Wizards and templates for creating logs Generate alerts and take action when thresholds are reached Generate reports
8-12
Additional Reading
Microsoft Technet article: Windows Reliability and Performance Monitor
8-13
Demonstration: Overview of the Reliability and Performance Monitor
Question: Where can you find real-time information about network activity?
8-14
Monitoring AD DS Using Performance Monitor
Key Points
Monitoring the distributed Active Directory service and the services that it relies upon helps maintain consistent directory data and the necessary level of service throughout the forest. You can monitor important indicators to discover and resolve minor problems before they develop into potentially lengthy service outages. In addition to the normal baseline counters that you monitor for all servers, there are objects and dozens of counters that are specific to Active Directory.
Additional Reading
Microsoft Technet article: Active Directory Operations Guide
8-15
What Is an Active Directory Baseline?
Key Points
A computers baseline is a measure of specified resource behavior during normal activity that indicates how the resource, or a collection of system resources, performs. This information is then compared to later activity to monitor system usage and system response to changing conditions.
Additional Reading
Microsoft Technet article: Deploying Active Directory for Branch Office Environments, Chapter 9 - Post Deployment Monitoring of Domain Controllers
8-16
Monitoring Service Availability with Reliability Monitor
Key Points
A systems reliability is the measure of how often it deviates from configured, expected behavior. The Reliability Monitor calculates a System Stability Index that reflects whether unexpected problems reduced the systems reliability. A graph of the Stability Index over time quickly identifies dates when problems began to occur. The accompanying System Stability Report provides details to help troubleshoot the root cause of reduced reliability. By viewing changes to the system (installation or removal of applications, updates to the operating system, or addition or modification of drivers) side by side with failures (application failures, operating system crashes, or hardware failures), you can develop a strategy for addressing the issues quickly. The Reliability Monitor begins to collect data at the time of system installation and must run for at least 24 hours before the data is displayed in the System Stability Chart.
8-17
Question: You want to see a historical record of software that has been added or removed from the computer. Where would you find that information?
Additional Reading
Microsoft Technet article: Windows Vista Performance and Reliability Monitoring Step-by-Step Guide
8-18
Monitoring Active Directory Domain Services Using Data Collector Sets
Key Points
A new feature in Windows Reliability and Performance Monitor is the Data Collector Set, which groups data collectors into reusable elements for use with different performance monitoring scenarios. Question: You want to create an alert to notify you when free disk space is low. How would you create one?
Additional Reading
Microsoft Technet article: Create Data Collector Sets
8-19
Demonstration: Monitoring AD DS
Question: What is the easiest way to log the same set of data across multiple computers?
8-20
Lesson 3:
Configuring Active Directory Domain Services Auditing
In any secure environment, you should actively monitor the Active Directory. As part of your overall security strategy, you should determine the level of auditing appropriate for your environment. Auditing should identify actions, either successful or not, that have modified or attempted to modify, Active Directory objects.
8-21
What Is Active Directory Domain Services Auditing?
Key Points
An audit log records an entry whenever users perform certain specified actions. For example, the modification of an object or a policy can trigger an audit entry that shows the action that was performed, the associated user account, and the date and time of the action. You can audit both successful and failed attempts at actions.
Additional Reading
Microsoft Technet article: Windows Server "Longhorn" Beta 3 Auditing AD DS Changes Step-by-Step Guide Microsoft Support: How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain Microsoft Technet article: Auditpol
8-22
Demonstration: Configuring an Audit Policy
Question: What log shows you the results of auditing?
Additional Reading
8-23
Types of Events to Audit
The Directory Service Access category still provides information about all the events that occur in the directory, and is enabled by default. More detailed information can be delivered from the subcategories. Question: You want to track details about any modifications made to Active Directory objects for a particular organizational unit (OU) and any child OUs. Which ACE should you set to capture that information?
Additional Reading
Microsoft Technet article: Windows Server "Longhorn" Beta 3 Auditing AD DS Changes Step-by-Step Guide
8-24
Demonstration: Configuring AD DS Auditing
Question: How would enable the tracking of failure events for the directory service change subcategory?
8-25
Lab: Configuring Active Directory Sites and Replication
Scenario: Woodgrove Bank has completed their deployment of AD DS. As the AD DS administrator, you must monitor AD DS availability and performance. The server administrator has provided a monitoring plan that includes service availability, performance, and Event log monitoring components. Using Performance and Reliability Monitoring, Event Viewer, and other tools, you will monitor AD DS domain controllers.
8-26
Exercise 1: Monitor AD DS Using Event Viewer

As the network administrator, you want to collect Event Viewer information from all domain controllers directory service. You will create a custom view to capture the Critical, Error and Warning events for Active Directory and DNS Server. Then you will export the view to a shared network folder and import the custom view to NYC-DC2. You also want to monitor when services stop and start on NYC-DC2. You will create a subscription to forward event 7036 from NYC-DC2 to NYC-DC1 and test the result. Finally, you will attach a task to the Windows Setup log to notify you whenever an event is generated in the setup log on NYC-DC1, so that you can track application installations, and you will attach a task to the 7036 event to inform you of problems with services. The main tasks for this exercise are: 1. 2. 3. 4. 5. 6. Create a custom view to capture the relevant events. Export a custom view. Import a custom view. Configure computers to forward and collect events. Create a subscription to forward events from NYC-DC2 to NYC-DC1. Attach a task to an event log and attach a task to an event.
Task 1: Create a custom view to capture the relevant events

1. 2. 3. 4. 5. 6. On NYC-DC1, log on as Administrator with a password of Pa$$w0rd. Launch Event Viewer from the Administrative Tools folder. Right-click Custom Views, and then click Create Custom View. Check the checkboxes beside Critical, Warning and Error. Click the drop-down arrow beside Event Logs, expand Application and Services Logs, select Directory Service and DNS Server, and then click OK. Name the custom view Directory Service.
8-27
Task 2: Export a custom view

1. 2. Right-click the Directory Service custom view and then click Export Custom View. Save the exported view as C:\Data\ Active Directory.
Task 3: Right-click Custom Views and then click Create Custom View
1. 2. 3. 4. Log on to NYC-DC2 as Administrator with a password of Pa$$w0rd. Launch Event Viewer from the Administrative Tools folder. Right-click Custom Views and then click Import Custom View. Import the custom view from \\NYC-DC1\Data\Active Directory.xml.
Task 4: Configure computers to forward and collect events

1. 2. 3. 4. 5. On NYC-DC1 (the collector computer), open a Command Prompt, type wecutil qc and Y, and then press ENTER to make the changes. Close the command prompt. Switch to NYC-DC2 (the source computer). Open the Command Prompt, type winrm quickconfig and Y, and then press ENTER to make the changes. Close the command prompt.
8-28
Task 5: Create a subscription to forward events from NYC-DC2 to NYC-DC1

1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, in Event Viewer, right-click Subscriptions and then click Create Subscription. Name the subscription Service Events, click Collector Initiated and then click Select Computers. Click Add Domain Computers and then add NYC-DC2. Click Select Events and then select Information events. Click the drop-down arrow beside Event Logs, expand Windows Logs, and then select the System log. In the Event ID field, type 7036 and then click OK. Click Advanced, click Specific User and then click User and Password. Ensure the user name is Woodgrovebank\Administrator and then enter a password of Pa$$w0rd. Click Minimize Latency and then click OK twice. Click Yes to the Event Viewer messages if they appear.
10. In the folder pane, click the Subscriptions folder and ensure that the System Events subscription status is Active. 11. On NYC-DC2, open the Command Prompt. 12. In the Command Prompt, type Net Stop DNS and then press ENTER. 13. Type Net Start DNS and then press ENTER. 14. On NYC-DC1, click the Forwarded Events log. Examine the information events.
Note: Actual events may take a few minutes to show up in the Forwarded Events log. Start and stop the DNS service again if required.
8-29
Task 6: Attach a task to an event log and to an event

1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, expand Windows Logs, right-click the Setup log, and then click Attach a Task to this Log. In the Create a Basic Task wizard, click Next. On the When a Specific Event is Logged screen, click Next. On the Action screen, click Send an e-mail and then click Next. On the Send an E-mail screen, type Event Viewer in the From field. Type Administrator@woodgrovebank.com in the To field. Type Application Installation in the Subject field. Type Mail.Woodgrovebank.com in the SMTP Server field, and then click Next and Finish. Click the Forwarded Events log to open it.
10. Right-click one of the 7036 events and then click Attach Task To This Event. 11. On the Create a Basic Task screen, click Next. 12. On the When a Specific Event is Logged screen, click Next 13. On the Action screen, click Display a Message. 14. On the Display a Message screen, type Service Event in the Title field and type A service stopped or started in the Message field, click Next and then click Finish. Click OK to acknowledge the Event Viewer message. 15. Switch to NYC-DC2 and repeat the steps to stop and start the DNS service. The message box will appear displaying your message. Click OK to acknowledge the message.
Note: The message box may be hidden behind the Event Viewer window. Look for it on the Task Bar.
16. Close all open windows.
8-30
Result: At the end of this exercise, you will have monitored AD DS using Event Viewer.
8-31
Exercise 2: Monitor AD DS Using Performance and Reliability Monitor

As the network administrator, you will configure Performance and Reliability Monitor to monitor some of the directory service counters. You also will create Data Collector Sets, monitor server performance using Performance Monitor, and configure an alert to be triggered when free disk space is low. The main tasks are for these exercises are: 1. 2. 3. Configure Performance and Reliability Monitor to monitor AD DS. Create a data collector set. Configure an alert to be triggered when free disk space is low.
Task 1: Configure Performance and Reliability Monitor to monitor AD DS

1. 2. 3. 4. On NYC-DC1, open the Reliability and Performance Monitor in the Administrative Tools, and then click Performance Monitor. Click the green Plus sign on the toolbar to add objects and counters. In the Add Counters dialog box, expand the Directory Services object and then add the DRA Inbound Bytes Total/sec counter. Repeat the previous step to add the following counters: DRA Outbound Bytes Total/sec DS Threads In Use DS Directory Reads/sec DS Directory Writes/sec Expand Security System-Wide Statistics and then add the Kerberos Authentications counter. Expand DNS and then add the UDP Query Received counter.
5. 6.
8-32
Task 2: Create a data collector set

1. 2. 3. 4. 5. In the folder pane, right-click Performance Monitor, click New, and then click Data Collector Set. Name the data collector set Active Directory. Leave the Root directory as the default path and then click Finish. Expand Data Collector Sets, expand User Defined, right-click the Active Directory data collector set, and then click Start. Expand Reports, expand User Defined, expand Active Directory, and then click System Monitor Log.blg. The Report Status shows that the log is collecting data. Right-click the Active Directory data collector set and then click Stop. Click the System Monitor Log.blg. The chart of the log is displayed in the details pane.
6. 7.
Task 3: Configure an alert to be triggered when free disk space is low

1. 2. 3. 4. 5. 6. Click Start, click Administrative Tools, and then click Reliability and Performance Monitor. Expand Data Collector Sets, right-click User Defined, click New, and then click Data Collector Set. Name the alert Low Disk Space Alert, click Create manually (Advanced), and then click Next. Click Performance Counter Alert and then click Next Add the %Free Space counter from the Logical Disk object and then click OK. In the Alert when field, select Below, in the Limit field type 90 and then click Next.
Note: You are setting the threshold extremely high to ensure that you will trigger an alert.
8-33
7. 8.
Click Save and Close, and then click Finish. Click the Low Disk Space Alert data collector set in the folder pane and then double-click the DataCollector01 in the details pane to open the Property page. Click the Alert Action tab, check the checkbox to Log an entry in the application event log, and then click OK.
9.
10. In the folders pane, right-click the Low Disk Space Alert data collector set and then click Start. Let the alert run for about one minute. 11. Open the Application Log and view the entries. 12. Right-click the Low Disk Space Alert data collector set and then click Stop. 13. Close all open windows.
Result: At the end of this exercise, you will monitor AD DS using Performance and Reliability Monitor.
8-34
Exercise 3: Configure AD DS Auditing

As the network administrator, you have been tasked with implementing an audit policy to track specific events occurring in Active Directory. First, you will examine the audit policys current state. Then you will configure auditing as required to track successful and unsuccessful modifications made to Active Directory objects, including the old and new values of attributes. Finally, you will test the policy. The main tasks for this exercise are: 1. 2. 3. 4. Examine the current state of the audit policy. Enable Audit Directory Service Access on domain controllers. Set the SACL for the domain. Test the policy.
Task 1: Examine the current state of the audit policy

1. 2. 3. On NYC-DC1, open the Command Prompt. In the command-prompt window, type Auditpol.exe /get /category:* and press ENTER. Then examine the default audit-policy settings. Minimize the command prompt.
Task 2: Enable Audit Directory Service Access on domain controllers

1. 2. 3. On NYC-DC1, open Group Policy Management. Open the Group Policy Objects folder and edit the Default Domain Controllers policy. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy. Notice that all policy settings are set to Not Defined. Double-click Audit Directory Service Access, define the policy settings for both Success and Failure, and then click OK. Close the Group Policy Management Editor and then close the Group Policy Management console. Restore the Command Prompt and then type Gpupdate.
4. 5. 6.
8-35
7. 8.
When the update completes, run the Auditpol.exe /get /category:* command again and then examine the default audit-policy settings. Close the command prompt.
Task 3: Set the SACL for the domain

1. 2. 3. 4. 5. 6. Open Active Directory Users and Computers. Click the View menu and then click Advanced Features. Right-click the woodgrovebank.com domain object and then click Properties. In the Properties dialog box, click the Security tab, click Advanced, click the Auditing tab and then click Add. In the Select Users dialog box, type Everyone and then click OK. In the Auditing Entry for Woodgrovebank dialog box, check the checkbox to audit both Successful and Failed for Write all Properties, and then click OK twice.
Task 4: Test the policy

1. 2. 3. 4. 5. 6. Rename the Toronto OU to GTA. Open Event Viewer, expand Windows Logs, and then click Security. Open event 4662 and examine the event. Return to Active Directory Users and Computers and edit any user account to change the phone number. Return to Event Viewer and examine the resulting directory service changes events. Close all open windows. Shut down all virtual machines without saving any changes.
Result: At the end of this exercise, you will have configured AD DS Auditing.
8-36
Review Questions
1. 2. 3. 4. 5. 6. What kinds of events are logged in the Setup log? For what event ID would you filter to see deleted user accounts? What service must you enable on computers collecting subscription events from remote computers? Where can you get up to date information about event IDs? Where can you get historical information about application failures? The NTDS\DRA Pending Replication Synchronizations counter is now consistently higher than the established baseline value for that counter. What might this indicate? You want to view all the occurrences of a particular event ID across multiple logs. What is the best way to accomplish this?
7.
8-37
Considerations for Implementing an Active Directory Domain Services Monitoring Plan

Consider the following when implementing an Active Directory Domain Service monitoring plan: Event viewer enables you to save filters as reusable custom views. Cross-log queries allow you to display data from multiple logs in a single view. Subscriptions allow you to gather events from remote computers. Application and Services Logs provide more detailed logs that pertain to specific Windows services. Event logs online provide up-to-date information about events. Application and service logs include admin, operational, analytic, and debug logs. A log will be created for each server role you install. You can import and export custom views. Subscriptions require configuration on both the collecting and source computers. Windows Reliability and Performance Monitor provides real-time information in the resource view. The Reliability Monitor provides a graphical display of system stability over time. You can generate user-friendly reports. Performance monitor provides a wide range of Active Directory objects and counters. You should establish baselines to determine a computers performance under a normal workload. The System Stability Report tracks multiple categories of events and keeps a historical record. Data Collector Sets allow you to group data collectors into reusable elements.
8-38
There are a number of built-in Data Collector Sets or you can define your own. Active Directory auditing can track all events that happen in the Active Directory. Audit directory service access is divided into four subcategories. Directory service changes subcategory provides old and new values when you modify attributes. You must use Auditpol.exe to configure subcategories. SACLs must be set on objects to allow auditing before you can collect any results. Directory service changes subcategory provides old and new values when attributes are modified. Auditpol.exe must be used to configure subcategories. SACLs must be set on objects to allow auditing before any results can be collected.
Implementing an Active Directory Domain Services Maintenance Plan
9-1
Module 9
Contents:
Lesson 1: Maintaining the AD DS Domain Controllers Lesson 2: Backing Up Active Directory Domain Services Lesson 3: Restoring Active Directory Domain Services Lab: Implementing an Active Directory Domain Services Maintenance Plan 9-3 9-14 9-18 9-29
9-2
Module Overview
As a Windows Server 2008 administrator, one of your tasks will be to maintain your organizations Active Directory Domain Services (AD DS) domain controllers. An important component in maintaining the domain controllers is managing, backing up, and restoring the AD DS data store.
9-3
Lesson 1:
Maintaining the AD DS Domain Controllers
Maintaining the AD DS database is an important administrative task that you must schedule regularly to ensure that, in the case of disaster, you can recover lost or corrupted data and repair the Active Directory database. Active Directory has its own database engine, the Extensible Storage Engine (ESE), which manages the storage of all Active Directory objects in an Active Directory database. By understanding how changes to attributes in Active Directory are written to the database, you will understand how data modification affects database performance and fragmentation, and data integrity.
9-4
The Active Directory Domain Services Database and Log Files
Key Points
The Active Directory database engine, ESE, stores all of the Active Directory objects. The ESE uses transactions and log files to ensure the Active Directory databases integrity.
Additional Reading
How the Data Store Works
9-5
How the AD DS Database Is Modified
Key Points
The key points of Active Directory data-modification process are: A transaction is a set of changes made to the AD DS database and the associated metadata. The basic data modification process consists of six steps: 1. 2. 3. 4. The write request initiates a transaction. Active Directory writes the transaction to the transaction buffer in memory. Active Directory writes the transaction in the transaction log. Active Directory writes the transaction from the memory buffer to the database.
9-6
5. 6.
Active Directory compares the database and log files to ensure that the transaction was committed to the database. Active Directory updates the checkpoint file.
Caching and logging improve database performance by enabling Active Directory to process additional transactions before writing them to the database. Question: What other Microsoft services use a transactional model for making database changes? How does the AD DS model compare to these other services?
Additional Reading
How the Data Store Works
9-7
Managing the Active Directory Database Using NTDSUtil Tool
Key Points
Ntdsutil.exe is a command-line tool that you can use to manage AD DS. You can perform many maintenance tasks that cannot be done in the graphical user interface (GUI), including offline database defragmentation, moving the database and its transaction log, removing and restoring deleted objects from Active Directory, seizing operations master (also known as flexible single master operations or FSMO) roles, and manage snapshots of the database. You also can include these commands in a batch file. Question: You have forgotten the directory services restore-mode password for your domain controller. How can you recover the password?
9-8
Additional Reading
NTDSUtil Help Data Store Tools and Settings
9-9
What Is an AD DS Database Defragmentation?
Key Points
Over time, fragmentation occurs as records in the Active Directory database are deleted and new records are added or expanded. When records become fragmented, the computer must search the disk to find and reassemble all pieces each time the database is opened. If many changes to the Active Directory database are made, fragmentation could slow the performance of it. Question: How often will you need to perform an offline defragmentation of your AD DS databases in your environment?
Additional Reading
Performing offline defragmentation of the Active Directory database Data Store Tools and Settings
9-10
What Are Restartable Active Directory Domain Services?
Key Points
Active Directory Domain Services in Windows Server 2008 can be stopped and restarted while the machine is booted up. In previous versions, if an administrator wanted to start a domain controller without loading Active Directory, the server had to be rebooted into Active Directory Restore Mode. This would start the server as a member server, without Active Directory. You then could perform offline maintenance tasks, such as an offline defragmentation or moving the database and log files. With Windows Server 2008, the directory service can be taken offline while the machine is running, with minimal disruption to other services.
Additional Reading
AD DS: Restartable Active Directory Domain Services Windows Server 2008 Technical Library
9-11
Demonstration: Performing AD DS Database Maintenance Tasks
Demonstration steps
To perform these steps, you must be a member of the built-in Administrators group on the domain controller. 1. 2. 3. 4. 5. 6. Stop Active Directory Domain Services. Open a command prompt. Start ntdstuil. At the ntdsutil: prompt, type Activate Instance NTDS and then press ENTER. At the ntdsutil: prompt, type files and then press ENTER. Compact the database, using a temporary directory for the new ntds.dit.
9-12
7. 8. 9.
Overwrite the old ntds.dit with the new compacted version, and then delete any log files (*.log) in the %systemroot%\NTDS\ folder. In the ntdsutil File Maintenance command window, type integrity to check the integrity of the new compacted database. In the File Maintenance command window, type move db to pathname and then press ENTER. The ntds.dit file is moved to the new location and permissions are set accordingly.
10. Start Active Directory Domain Services.
Questions: Why is it necessary to stop the AD DS before defragmenting? Why is it necessary to compact the database to a temporary directory first?
Additional Reading
Compact the directory database file (offline defragmentation)
9-13
Locking Down Services on AD DS Domain Controllers
Key Points
As part of a comprehensive security plan, you can increase a domain controllers security by removing all unnecessary services and features. This reduces both the attack surface and improves performance.
Additional Reading
Security Configuration Wizard Overview
9-14
Lesson 2
Backing Up Active Directory Domain Services
Because of the importance of AD DS for most organizations, it is critical that you can restore AD DS functionality in the event of database corruption, server failure, or a more serious disaster, such as the failure of a data center that contains multiple servers. To prepare for disaster recovery, you must implement a consistent policy of backing up the AD DS information on domain controllers.
9-15
Introduction to Backing Up AD DS
Key Points
You can use Windows Server Backup to back up Active Directory. Windows Server Backup is not installed by default. You must install it using Add Features in Server Manager before you can use the Wbadmin.exe command-line tool or Backup tool in Administrative Tools. Question: What other process could you use to back up the system state data on a domain controller?
Additional Reading
Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery
9-16
Windows Server Backup Features
Key Points
Windows Server Backup is the new backup utility that Windows Server 2008 provides. To use Windows Server Backup, you must install it as a feature. If you want to use the Windows Server Backup command-line tools, you also must install the Windows Powershell feature.
Additional Reading
Windows Server 2008 Technical Library
9-17
Demonstration: Backing Up AD DS
Questions: Why should backups be scheduled? How often should a full backup be performed? How often should an incremental or differential backup be performed?
Additional Reading
9-18
Lesson 3
Restoring Active Directory Domain Services
After implementing an AD DS backup system, you can move to planning and implementing AD DS restores. In Windows Server 2008, you have several options available for restoring AD DS information. This lesson describes when and how to use each option.
9-19
Overview of Restoring AD DS
Key Points
In Windows Server 2008, you have several options available for restoring AD DS. The option that you choose depends on the disaster-recovery scenario that you need to address.
Additional Reading
9-20
What Is a Nonauthoritative AD DS Restore?
Key Points
You can use a backup to perform a nonauthoritative restore of a domain controller. A nonauthoritative restore returns the directory service to its state at the time that the backup was created. After the restore operation completes, AD DS replication updates the domain controller with changes that have occurred since the time that the backup was created. In this way, the domain controller is recovered to a current state. Question: What would happen if you did not enter the second bcdedit command after restoring the AD DS database?
Additional reading
9-21
What Is an Authoritative AD DS Restore?
Key Points
An authoritative restore provides a method to recover objects and containers that have been deleted from AD DS. When an object is marked for authoritative restore, its version number is changed so that it is higher than the existing version number of the (deleted) object in the Active Directory replication system. This change ensures that any data that you restore authoritatively is replicated from the restored domain controller to the forests other domain controllers. Question: What would happen if you did not enter the second bcdedit command after restoring the AD DS database?
9-22
Additional Reading
Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery Performing an Authoritative Restore of Active Directory Objects
9-23
What Is the Database Mounting Tool?
Key Points
The Database Mounting Tool (Dsamain.exe) allows administrators to view and compare data in database snapshots (backups) without having to restore those backups, which saves on downtime and speeds the domain-recovery process.
Additional Reading
AD DS: Database Mounting Tool Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 Beta 3
9-24
Demonstration: Using the Database Mounting Tool
Demonstration Steps
To perform this procedure, you must be logged on to a domain controller as a member of either the Enterprise Admins group or the Domain Admins group. 1. 2. 3. 4. 5. 6. Start a command prompt in administrative privilege. At the command prompt, type ntdsutil and hen press ENTER. At the ntdsutil prompt, type snapshot and then press ENTER. At the snapshot prompt, type activate instance ntds and then press ENTER. At the snapshot prompt, type create and then press ENTER. The command returns the following output: Snapshot set {GUID} generated successfully. At the snapshot prompt, type mount {GUID}. The mounted snapshot will appear in the file system.
Note: Be sure to include the curly braces in around your GUID number).
9-25
7. 8. 9.
The mounted snapshot will appear in the file system. Type quit twice to return to the command prompt. At the command prompt, type the following (on one line) and then press ENTER: Dsamain dbpath:C:\$SNAP_200708311630_VOLUMEC$\WINDOWS\NTDS\ ntds.dit -ldapport:51389 -sslport:51390 -gcport:51391 gcsslport:51392
Note: Your snapshot path will probably be different.
10. A message indicates that Active Directory Domain Services startup is complete. LEAVE Dsamain.exe running. Do not close the command prompt. 11. At the run line, type LDP, and then click OK. 12. Click Connection, and then click Connect. 13. In Server, type localhost, and in Port type 51389, and then click OK. 14. Click Connection and then click Bind. 15. In Bind type, click Bind as currently logged on user. Click OK. 16. Click View, and then click Tree. 17. In BaseDN, type dc=woodgrovebank,dc=com. 18. Browse the containers for a user object. Double-click the user to view its properties. 19. Close LDP.exe 20. Stop Dsamain.exe by pressing CTRL+C.
9-26
Questions: When would it be useful to mount multiple snapshots at the same time? Why is it necessary to specify different LDAP, SSL and GC ports for each mounted instance of the database?
Additional Reading
Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 Beta 3
9-27
Reanimating Tombstoned AD DS Objects
Key Points
A tombstoned object is one that is marked as deleted in Active Directory. When an administrator deletes an object, it is converted into a tombstone. The tombstone remains in the Active Directory database in a deactivated state for 180 days (default Tombstone Lifetime). The tombstone is replicated to the entire domains other controllers and then deleted on each domain controller at the tombstone lifetimes end. When an object is marked as a tombstone, the isDeleted attribute on the object is set to True and most of the other attributes are deleted. Only a few critical attributes (SID, ObjectGUID, LastKnownParent, and SAMAccountName) are retained. This means that even if the administrator reanimates the object, it no longer has all the information it once had. You must recreate the missing attribute values manually
9-28
Note: The Database Mounting Tool can be used to view the attributes for the deleted object in a snapshot that was made before the object was deleted. This makes it easier to recover the deleted item.
Additional Reading
How to restore deleted user accounts and their group memberships in Active Directory
9-29
Lab: Implementing an Active Directory Domain Services Maintenance Plan
Scenario: Woodgrove Bank has completed its AD DS deployment. To ensure high availability and performance for the AD DS servers, the organization is implementing a maintenance plan that includes ongoing AD DS database maintenance and implementation of a disaster-recovery plan. The server administrator has prepared a backup plan that includes daily system volume of a domain controller in each domain. The server administrator also has prepared plans for recovering AD DS data in several scenarios. You need to implement these plans.
9-30
Exercise 1: Maintaining AD DS domain controllers

In this exercise, you will implement a plan for maintaining AD DS domain controllers. Tasks include running the SCW to disable all services that are not required on the domain controllers, moving the AD DS databases to an alternate hard disk, and performing an offline defragmentation of the AD DS database. The main tasks in this exercise are as follows: 1. 2. 3. 4. Start the 6425A-NYC-DC1 virtual machine and log on as Administrator, with a password of Pa$$w0rd. Use the Security Configuration Wizard to lock down services and configure the firewall on NYC-DC1. Perform an offline defragmentation of the AD DS database. Move the AD DS database.

Task 2: Use the Security Configuration Wizard to lock down services and configure the firewall on NYC-DC1
1. 2. 3. Start the Security Configuation Wizard from Server Manager. Choose the option to create a new security policy for NYC-DC1. Run the Security Configuration Wizard with the following options: 4. Select the Domain Controller (Active Directory) server role. Enable the DHCP Client and the DNS Registration Client. Enable the Active Directory Global Catalog and the Active Directory RsoP Planning Mode services.
Accept the defaults for the Windows Firewall configuration.
9-31
5.
Configure the Registry settings as follows. Require SMB Security Signatures. Enable only Windows 2000 Service Pack 3 or later client computers. Allow only Windows NT 4.0 Service Pack 6a or later operating systems and Clocks that are synchronized with the selected servers clock. Do not allow Computers that require LAN Manager authentication and Computers that have not been configured to use NTLMv2 authentication to connect.
6. 7. 8.
Configure the Audit Policy to Audit successful and unsuccessful activities. Save the security policy using a file name of c:\windows\security\msscw\ policies\NYC-DC1.xml. Choose the option to apply the policy later.
Task 3: Perform an offline defragmentation of the AD DS database

1. 2. 3. 4. 5. 6. 7. 8. On 6425A-NYC-DC1, stop the Active Directory Domain Services. Open a command prompt and start the ntdsutil tool. Activate the NTDS instance. Use the files command to compact the AD DS database to C:\temp. Check the integrity of the defragmented database. Copy the c:\temp\ntds.dit file to c:\Windows\NTDS\ntds.dit. Delete all the log files in the C:\Windows\NTDS folder. Start the Active Directory Domain Services.
9-32
Task 4: Move the AD DS database

1. 2. 3. 4. 5. On 6425A-NYC-DC1, stop the Active Directory Domain Services. Open a command prompt and start the ntdsutil tool. Activate the NTDS instance. Use the file-maintenance command to move the AD DS database to C:\DSData. Start the Active Directory Domain Services.
Result: At the end of this exercise, you will have installed run the SCW to lock down services on an AD DS domain controller and performed AD DS databasemaintenance tasks.
9-33
Exercise 2 Backing Up AD DS
In this exercise, you will install the Windows Server Backup feature and then use it to schedule a backup of the AD DS information. You also will perform an ondemand backup of the system volume. The main tasks for this exercise are as follows: 1. 2. 3. Install all of the Windows Server Backup Features. Create a Scheduled Backup. Complete an On-Demand Backup.
Task 1: Install the Windows Server Backup Feature

In Server Manager, install all of the Windows Server Backup features.
Task 2: Create a Scheduled Backup

1. Start Windows Server Backup and create a schedule back up with the following settings: 2. Backup type: Custom Backup items: C: drive only Backup time: 12:00 am every day Destination disk: Disk 1
Open the Task Scheduler and review the scheduled backup task you just created.
9-34
Task 3: Complete a System Backup

1. 2. At a command prompt, use the wbadmin start systemstatebackup backupTarget:D: command to create a system state backup. The backup will take about 5-7 minutes to complete.
Result: At the end of this exercise, you will have installed the Windows Server Backup feature and then use it to schedule a backup of the AD DS information and to perform an on-demand backup.
9-35
Exercise 3: Performing a Nonauthoritative Restore of the AD DS Database

In this exercise, you will test the functionality of a nonauthoritative restore. First you will delete an operational unit (OU) in AD DS and then ensure that the OU deletion has been replicated to another domain controller. Then you will restore the OU using a nonauthoritative restore and verify that the OU is again deleted through replication. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. 7. Start the 6425A-NYC-DC2 virtual machine and log on as Administrator. Delete the Toronto OU. Verify replication to NYC-DC2 and disable the network card. Restart NYC-DC1 in Directory Services Restore Mode. Perform a Non-Authoritative Restore of the AD DS Database. Verify that the Toronto OU has been restored. Enable the network connection for NYC-DC2 and verify that replication deletes the Toronto OU.

Task 2: Delete the Toronto OU

On NYC-DC1, delete the Toronto OU.
Task 3: Verify replication to NYC-DC2 and disable the network card

1. 2. On NYC-DC2, in Active Directory Users and Computers, verify that the deletion of the Toronto OU has been replicated to NYC-DC2. Disable the Local Area Connection on NYC-DC2.
9-36
Task 4: Restart NYC-DC1 in Directory Services Restore Mode

1. 2. On NYC-DC1, restart the server in Directory Services Restore Mode. Log on as the local Administrator using a password of Pa$$w0rd.
Task 5: Perform a Non-Authoritative Restore of the AD DS Database

1. 2. 3. 4. Start a command prompt with administrator permissions. Use the wbadmin get versions -backuptarget:D: -machine:NYC-DC1 command to get the version information for the backup you created. Restore the system state information by using the wbadmin start systemstaterecovery -version:version -machine:NYC-DC1 command. When the restore finishes, restart the computer.
Task 6: Verify that the Toronto OU has been restored

On NYC-DC1, verify that the Toronto OU has been restored.
Task 7: Enable the network connection for NYC-DC2 and verify that replication deletes the Toronto OU
1. 2. 3. On NYC-DC2, enable the Local Area Network connection. On NYC-DC1, in Active Directory Sites and Services, force replication with NYC-DC2. In Active Directory Users and Computers, verify that the Toronto OU has been deleted through replication.
Result: At the end of this exercise, you will have performed a non-authoritative restore of AD DS information and verified that the OU is again deleted through replication
9-37
Exercise 4: Performing an Authoritative Restore of the AD DS Database

In this exercise, you will perform an authoritative restore of the AD DS database. You will then verify that the restored data is not overwritten by replication. The main tasks are as follows: 1. 2. 3. 4. Restart NYC-DC1 in Directory Services Restore Mode. Restore the system state data. Mark the restored information as authoritative and restart the server. Verify that the deleted data has been restored.
Task 1: Restart NYC-DC1 in Directory Services Restore Mode

1. 2. Start a command prompt with administrator permissions. Use the bcdedit /set safeboot dsrepair to configure the server to start in Directory Services Restore Mode. Restart the server.
Task 2: Restore the system state data

1. 2. 3. 4. Log on as Administrator using a password of Pa$$w0rd. Start a command prompt with administrator permissions. Use the wbadmin get versions -backuptarget:D: -machine:NYC-DC1 command to get the version information for the backup you created. Restore the system state information by using the wbadmin start systemstaterecovery -version:version -machine:NYC-DC1 command.
Task 3: Mark the restored information as authoritative and restart the server
1. 2. 3. At the command prompt, use NTDS to perform an authoritative restore on OU=Toronto,DC=Woodgrovebank,DC=com To restart the server normally after you perform the restore operation, type bcdedit /deletevalue safeboot, and then press ENTER. Restart the server.
9-38
Task 4: Verify that the deleted data has been restored

1. 2. 3. After the server restarts, log on as administrator Open Active Directory Users and Computers, and verify that the Toronto OU was restored. On NYC-DC2, open Active Directory Users and Computers. Verify that the Toronto OU has also been restored on this server.
Result: At the end of this exercise, you will have performed an authoritative restore of AD DS information.
9-39
Exercise 5: Restoring Data Using the AD DS Database Mounting Tool

In this exercise, you will use the AD DS Database Mounting Tool to assist in restoring data from a deleted AD DS object. Tasks include using NTDSUtil to create a snapshot of AD DS volume, deleting a user account from AD DS, using NTDSUtil to mount the snapshot. Then you will restore the account using LDP, and view the details for the account from the snapshot. The main tasks in this exercise are as follows: 1. 2. 3. 4. Create and mount a snapshot of the AD DS information. Modify and then delete a user account in AD DS. Use LDP to restore the deleted user account. View the information for the deleted user account in the mounted snapshot.
Task 1: Create and mount a snapshot of the AD DS information

1. On NYC-DC1, in Active Directory Users and Computers, in the ITAdmins OU, right-click Axel Delgado and click Properties. Add the following information to the user-account properties and then click OK: 2. 3. 4. 5. 6. Description: IT Administrator Office: Head Office Telephone Number: 555-5555
Start a command prompt, with administrative permissions. At the command prompt, type ntdsutil then press ENTER. At the ntdsutil prompt, type snapshot then press ENTER. At the snapshot prompt, type activate instance ntds then press ENTER. At the snapshot prompt, type create then press ENTER. The command returns the following output: Snapshot set {GUID} generated successfully. Leave this window open. At the snapshot prompt, type mount {GUID} and then press ENTER. The GUID is the GUID displayed in the previous command. The mounted snapshot will appear in the file system.
7.
9-40
8. 9.
At the snapshot prompt, type list all and press ENTER. Identify the number assigned to the snapshot you just created. At the snapshot prompt, type mount number and press ENTER. The number is the number displayed in the previous command. The mounted snapshot will appear in the file system.
10. Exit NTDSUtil, but keep the command prompt open.
Task 2: Delete a user account

Delete Axel Delgados account.
Task 3: Use LDP to restore the deleted user account

1. 2. 3. 4. 5. 6. 7. 8. 9. At the command prompt, type the following and press ENTER: Dsamain dbpath <path to snapshot ntds.dit> -ldapport 51389 Do not close the command prompt. Start LDP, and connect and bind to the local server. On the Options menu, add the Return Deleted Objects control. On the View menu, click Tree. Click OK. Expand DC=Woodgrove Bank,DC=com and then click CN=Deleted Items,DC=Woodgrove Bank,DC=com. Right-click CN=Axel Delgado and then click Modify. In the Attribute box, type isDeleted. Under Operation, click Delete and then click ENTER. In the Attribute box, type distinguishedName.
10. In the Values box, type CN=Axel Delgado,ou=ITAdmins,dc=woodgrovebank,dc=com. 11. Under Operation, click Replace and then click ENTER. 12. Select the Extended check box. 13. Click Run. 14. Open Active Directory Users and Computers, and verify that Axel Delgados account has been restored do the ITAdmins OU and that the account is disabled.
9-41
Task 4: View the information for the deleted user account in the mounted snapshot
1. 2. 3. 4. Click Start, click Run, type LDP, and then click OK. Connect and bind to the localhost, using port 51389. In BaseDN, type dc=woodgrovebank,dc=com. Browse to the ITAdmins OU and double-click CN=Axel Delgado. View the Description, physicalDeliveryOfficeName, and Telephone Number Attributes. You now can add the information in these attributes to the user object in Active Directory Users and Computers. Close LDP.exe.
Task 5: Shut down all virtual machines and discard any changes
Result: At the end of this exercise, you will have restored a deleted user account and viewed the restored user properties using the AD DS data-mining tool.
9-42
Review Questions
1. One of your domain controllers is running out of hard-drive space. You modify the domain controller so that it is no longer a global catalog server, but notice that the size of the AD DS database does not decrease. What should you do to reclaim hard-drive space on the server? You are concerned about the amount of disk space that the Active Directory database and log files are using. How do you determine the size of the database and log files? You install Windows Server Backup on your domain controller. You only have two drives on the computer and both are being used for data or system files. What types of backup should you use to back up your AD DS environment? All of the domain controllers in your domain have failed. You are trying to rebuild the domain from the Active Directory backup on one domain controller. Which type of restore must you use to rebuild the domain? You accidentally deleted a user account in AD DS. What options do you have to make the account available again?
2.
3.
4.
5.
9-43
Considerations for Maintaining AD DS

Supplement or modify the following best practices for your own work situations: An essential component to maintaining an AD DS environment is monitoring. An effective monitoring program can alert you to situations where you need to perform maintenance tasks before the situation becomes critical. Compare the effort involved in restoring AD DS objects with the effort involved in restoring the objects or reanimating deleted objects. If a single user account has been deleted, it often is much easier just to recreate the account rather than restore the account. If an entire OU has been deleted, performing an authoritative restore is usually much faster than recreating all of the OUs accounts. The most important step in preparing for a domain controllers failure is to deploy more than one domain controller in a domain. If you have a second domain controller available, AD DS services will continue to be available, and you can install an additional domain controller easily to replace the failed server. If you have only one domain controller in the domain, and that domain controller fails, you must restore AD DS from backup. If you anticipate needing to use Database Mounting Tool snapshots on a consistent basis, consider creating a scheduled task that will create a snapshot regularly.
9-44
Tools
Use the following tools when configuring AD DS sites and replication:
Tool Windows Server Backup Use for Where to find it Must be installed as a Windows Server 2008 feature. Click Start, and then point to Administrative Tools. Click Windows Server Backup. Installed by default and accessible at a command prompt.
Backing up and restoring AD

DS information or other data on a Windows Server 2008 computer
LDP.exe
Viewing and modifying

information about AD DS objects and for reanimating deleted objects
NTDSUtil
Managing the AD DS data

store and managing AD DS operation master roles
Installed by default and accessible at a command prompt. Can be accessed through NTDSUtil.
Database Mounting Tool
Used to create and mount

snapshots of the AD DS data store
Troubleshooting Active Directory, DNS, and Replication Issues
10-1
Module 10
Contents:
Lesson 1: Troubleshooting Active Directory Domain Services Lesson 2: Troubleshooting DNS Integration with Active Directory Domain Services Lesson 3: Troubleshooting Active Directory Replication Lab: Troubleshooting Active Directory, DNS and Replication Issues 10-3 10-9 10-15 10-22
10-2
Course 6425A: Implementing Active Directory Domain Services
Module Overview
As a Windows Server 2008 administrator, you are likely to be called upon to troubleshoot issues related to Active Directory Domain Services (ADDS). When AD DS is well designed and implemented, it provides a very stable directory services infrastructure. However, even in the most stable environments you will occasionally need to troubleshoot AD DS issues related to authentication, authorization, replication or the Domain Name System (DNS) configuration.
10-3
Lesson 1:
Troubleshooting Active Directory Domain Services
Whenever users cannot authenticate to the network, or cannot gain access to network resources, you must determine whether the cause of the problem is an AD DS issue. The cause of the problem may be network connectivity, or a network services error, or an AD DS issue. This lesson describes how to identify and troubleshoot AD DS issues.
10-4
Introduction to AD DS Troubleshooting
Key Points
Active Directory Domain Service is a distributed system that is comprised of many different services and depends on all of the services to function properly. When troubleshooting AD DS issues, you need to identify the source of the problem and resolve the specific issue.
Additional Reading
Overview of Active Directory Troubleshooting Active Directory Operations Guide
10-5
Discussion: How to Troubleshoot Active Directory Domain Services Issues
Questions What steps would you take to troubleshoot an Active Directory Issue? What tools would you use? How would you verify your solution worked?
10-6
Troubleshooting User Access Errors
Key Points
There are many possible reasons why a user cannot access network resources. These can be divided up into three basic categories.
10-7
Demonstration: Tools for Troubleshooting User Access Errors
Questions From your experience, what is the most common reason for user access error in your organization? What steps can you take to reduce the number of user access errors while still maintaining network security?
10-8
Troubleshooting Domain Controller Performance Issues
Key Points
As a distributed service, AD DS depends on many interdependent services that are distributed across many devices and in many remote locations. As you increase the size of your network to take advantage of the scalability of AD DS, domain controller performance could become an issue.
Additional Reading
Windows Server 2003 Active Directory Branch Office Guide Analyzing performance data
10-9
Lesson 2
Troubleshooting DNS Integration with Active Directory Domain Services
AD DS cannot function without DNS. Clients and application servers such as Exchange Server use DNS to find domain controllers and services. Domain controllers and global catalog servers use DNS to locate each other to replicate to each other. Because of this tight integration of AD DS and DNS, you will often begin your AD DS troubleshooting by troubleshooting DNS.
10-10
Overview of DNS and AD DS Troubleshooting
Key Points
One of the most common reasons for AD DS issues is problems with the DNS infrastructure. In particular, you should begin DNS troubleshooting when you see the issues listed in the slide.
10-11
Troubleshooting DNS Name Resolution
Key Points
To verify that clients can resolve names and records, perform the following steps: Verify network connectivity on all computers. Use ipconfig to make sure all computers, including clients, member servers, domain controllers, and DNS servers are using a DNS server that is authoritative for the Active Directory domain. Sometimes computers are manually misconfigured to use the wrong DNS server, such as an Internet caching server or an ISPs DNS server. Use netdiag to test DNS connectivity. Ensure that the DNS server is working correctly. You can perform the Simple self-test in the DNS servers properties to verify the database is responding. As well, clear the DNS servers cache to ensure that the cache is not polluted, or that it has the latest zone information
10-12
Use ipconfig /flushdns to clear the clients DNS resolver cache. If the zone seems to be corrupt, restore from backup. If necessary, clear any dynamic registrations from the DNS zone and rebuild the database. Check the DNS Server log in Event Viewer for errors. Use nslookup to see what results are returned by the DNS server. The following DNS records are required for proper Active Directory functionality.
Question: What are the most common DNS related issues in your organization?
Additional Reading
Diagnosing Name Resolution Problems
10-13
Troubleshooting DNS Name Registration
Key Points
All servers must have at least A (host) and possibly PTR (reverse lookup) records in DNS. In addition, all domain controllers must have their SRV (Resource Locator) records updated in DNS. The following lists which service is responsible for dynamically updating DNS: A records are updated by the computers DNS client service. PTR records are manually configured. SRV records are updated by the DCs netlogon service.
Question: What are PTR records used for? What errors will you see if you do not have the PTR records registered for domain controllers?
10-14
Troubleshooting DNS Zone Replication
Key Points
Whenever a DNS record is updated, either in a traditional Primary (Master) zone or an Active-Directory Integrated zone, that update must be replicated in a zone transfer to all DNS servers that are authoritative for that zone. An administrator may choose to favor conserving bandwidth during heavy network usage hours by delaying replication to less busy times. Even so, the record will have to be replicated at some point for the DNS database to be consistent.
Additional Reading
Troubleshooting Zone Problems
10-15
Lesson 3:
Troubleshooting Active Directory Replication
AD DS uses a multi master replication topology that depends on all domain controllers being available on the network. Replication is important to ensure that all users experience a consistent response from the domain controllers regardless of which domain controller the user is connecting to.
10-16
AD DS Replication Requirements
Key Points
Refer to the requirements listed on the slide for AD DS replication to occur successfully.
10-17
Common Replication Issues
Key Points
When you encounter replication problems in Active Directory, your first step is to identify the symptoms and possible causes. Question: What is the most common reason for replication error in your organization?
Additional Reading
Troubleshooting Active Directory Replication Problems
10-18
What Is the Repadmin Tool?
Key Points
You use the Repadmin.exe command-line tool to view the replication topology from the perspective of each domain controller. You can also use Repadmin.exe to manually create the replication topology, force replication events between domain controllers, and view the replication metadata, which is information about the data, and up-to-date state of vectors.
Additional Reading
Troubleshooting Active Directory Replication Problems
10-19
What Is the DCDiag Tool?
Key Points
The Dcdiag.exe tool performs a series of tests to verify different aspects of the system. These tests include connectivity, replication, topology integrity, and intersite health.
10-20
Discussion: Troubleshooting Inter-Site AD DS Replication Issues
As a class, discuss the questions on the slide.
10-21
Troubleshooting Distributed File Replication Issues
The contents of SYSVOL folder are replicated to every domain controller in a domain. If the domain is at Windows Server 2003 or lower functional level, the File Replication Service (FRS), is responsible for replicating the contents of the SYSVOL folder between domain controllers. When you upgrade the functional level to Windows Server 2008, Distributed File System Replication (DFSR) is used to replicate the contents of the SYSVOL folder. In both cases, the connection object topology and schedule that the Knowledge Consistency Checker (KCC) creates for Active Directory replication is used to manage replication between domain controllers.
10-22
Lab: Troubleshooting Active Directory, DNS and Replication Issues
Scenario Woodgrove Bank has completed its deployment of Windows Server 2008. As the AD DS administrator, one of your primary tasks now is troubleshooting AD DS issues that have been escalated to you from the company Help Desk. You are responsible for resolving issues related to user access to resources, the integration of DNS and AD DS and AD DS replication.
10-23
Exercise 1: Troubleshooting Authentication and Authorization Errors

Scenario Lab Preparation: Make sure both NYC-DC1 and NYC-CL1 are started and running. Shut down any other VPCs. In this exercise, you will troubleshoot authentication and authorization errors. You will review trouble tickets and resolve the issues related to the trouble tickets. The main tasks in this exercise are: 1. 2. 3. 4. Start the 6425A-NYC-DC1 virtual machine and log on as Administrator. Start the 6425A-NYC-DC2 virtual machine and log on as Administrator. Start 6425A-NYC-CL1. Resolve Trouble Tickets.


Start 6425A-NYC-DC2 and log on as Administrator using the password Pa$$w0rd
Task 3: Start the 6425A-NYC-CL1 virtual machine

Start 6425A-NYC-CL1. Do not log in at this time.
Task 4: Run the Lab10_Prep.bat file

1. 2. On NYC-DC1, open Windows Explorer and browse to d:\6425\Mod10\Labfiles. Double-click Lab10_Prep.bat.
10-24
Task 5: Resolve Trouble Tickets

Trouble Ticket #1 A user named Chris McGurk is having trouble logging on at her Windows Vista computer. She has been away on a research assignment for several months. She now needs to get on the network to prepare her report for senior management. Her desktop computer has been turned off during the time she was away. The matter has been escalated to you. 1. 2. Attempt to log onto NYC-CL1 as Chris with the password of Pa$$w0rd. Was the logon successful? Note the error message below: _______________________________________________________________ 3. 4. Verify that the NYC-CL1 computer account still exists in the domain What do you think is the issue? How will you resolve the issue? _______________________________________________________________ 5. 6. 7. 8. 9. Log on to NYC-CL1 as NYC-CL1\LocalAdmin with the password of Pa$$w0rd. Complete your troubleshooting steps. Log off NYC-CL1 as LocalAdmin, and log on as Chris. Were you successful? ______________________________________________ Log off NYC-CL1.
10-25
Trouble Ticket #2 A Help Desk staff member named Markus Breyer has been given the task of adding new hires to the BranchManagers OU in the NYC OU in the Woodgrovebank.com domain. Markus is a member of the HelpDesk global group. All members of the HelpDesk group need to be able to manage users accounts from client workstations by using Remote Desktop. When Markus attempts to accomplish this task, he is unsuccessful. The matter has been escalated to you. 1. 2. 3. Log onto NYC-CL1as Markus, with the password of Pa$$w0rd. Try to connect to NYC-DC1 by using Remote Desktop. Were you successful? What, if any, error messages did you receive? _______________________________________________________________ What do you think is the problem? _______________________________________________________________ 4. 5. 6. Take the required steps to resolve the error message. Try connecting to Remote Desktop again. Were you successful this time? If not, take the next steps for troubleshooting the issue. After you successfully connect to Remote Desktop, try opening Active Directory Users and Computers. If you are not successful, complete steps to troubleshoot the issue. In Active Directory Users and Computers, try to create atest user account in the Branch Managers OU. Were you successful? What, if any, error messages did you receive? __________________________________________________________________ 9. What additional step(s), if any, do you think you will need to take? __________________________________________________________________ 10. Log off of NYC-CL1.
7. 8.
Result: At the end of this exercise, you will have resolved two trouble tickets with authentication and authorization issues.
10-26
Exercise 2: Troubleshooting the Integration of DNS and AD DS

Scenario In this exercise, you will resolve issues identified in the troubleshooting tickets escalated to the server team regarding DNS integration and AD DS. You will identify the issue in each ticket, resolve the problem, and verify that the resolution was successful. The main task in this exercise is to resolve the trouble ticket.
Task 1: Resolve the trouble ticket

Trouble Ticket #3 - Some users at Woodgrovebank.com are complaining that they are having trouble accessing network resources. . The help desk has already established that all of the client computers that are exhibiting the problem are using NYC-DC2 as the preferred DNS server. You will use NYC-CL1 to test all solutions, to ensure that users can log on to the domain using NYC-DC1 and NYCDC2 as the primary DNS servers. 1. What do you think may be the problem(s)? __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ 2. What steps will you take to test and resolve the problem(s)? __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ 3. 4. Use NSLookup to verify the DNS records for the WoodgroveBank.com zone on both NYC-DC1 and NYC-DC2. Use DNS Manager to examine the configuration for the WoodgroveBank.com and the _msdcs.WoodgroveBank.com zones on both DNS servers.
10-27
5. 6.
Take the required steps to troubleshoot the issue. What was the actual problem(s), and how did you resolve it?
______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________
Result: At the end of this exercise, you will have resolved a trouble ticket with DNS integration and AD DS issues.
10-28
Exercise 3: Troubleshooting AD DS Replication

Scenario In this exercise, you will resolve issues identified in the troubleshooting tickets escalated to the server team. Potential issues include user accounts that are not replicated to other domain controllers, replication failures, and AD DS file replication failures. You will identify the issue in each ticket, resolve the problem, and verify that the resolution was successful. The main task in this exercise is to resolve the trouble tickets.
Task 1: Resolve the trouble tickets

Trouble Ticket #4 The help desk has been tasked with creating user accounts for some new hires. Because the new employees will be traveling between the branch offices, it is critical that they can log on at any location. The help desk has noticed that replication between NYC-DC1 and NYC-DC2 is not working. The matter has been escalated to you. When a member of the team creates a user account on the NYC-DC1 domain controller, the user account is not displayed on the NYC-DC2 domain controller. 1. 2. Verify that AD DS replication is not working. What do you think might be the problem(s)? _________________________________________________________________ _________________________________________________________________ _________________________________________________________________ 2. What troubleshooting step(s) will you take to resolve the problem(s)? _________________________________________________________________ _________________________________________________________________ _________________________________________________________________ 4. Implement your troubleshooting steps. You are successful when you are able to create a test user on either domain controller and replicate the account to the other domain controller.
10-29
Trouble Ticket #5 The Help Desk has noticed that when some users in the New York branch of Woodgrovebank.com log on, they are not getting the expected automatic drive mappings. All users should get a drive mapping that maps the H: drive to \\NYC-DC1\data. The Help Desk has confirmed that the Group Policy Object is configured correctly. The logon script is called MapDataDir.bat and is supposed to be located in the Netlogon share. 1. What do you think might be the problem(s)? _________________________________________________________________ _________________________________________________________________ _________________________________________________________________ 2. What troubleshooting step(s) will you take to resolve the problem(s)? _________________________________________________________________ _________________________________________________________________ _________________________________________________________________ _________________________________________________________________ 3. How will you verify that the problem(s) has been resolved? _________________________________________________________________ _________________________________________________________________ _________________________________________________________________ _________________________________________________________________ 4. Implement your troubleshooting steps. What was the actual problem(s), and how did you resolve it? _________________________________________________________________ _________________________________________________________________ _________________________________________________________________ 5. Shut down all the Virtual PCs.
Result: At the end of this exercise, you will have resolved a trouble ticket with AD DS replication issues.
10-30
Considerations for Maintaining AD DS Supplement or modify the following best practices for your own work situations: One troubleshooting AD DS issues, always start at the network layer. In most cases, it is very easy and fast to verify network connectivity. Use the Event Viewer when troubleshooting AD DS issues. Many AD DS errors will be logged in the Event Viewer logs, and the error details often provide very valuable information for resolving the issues. In a large organization, consider deploying Microsoft System Center Operations Manager with the Active Directory Management Pack. The Operations Manager can monitor all of the domain controllers in the environment and provide detailed guidance on how to resolve AD DS issues. Microsoft System Center Operations Manager is an upgrade of Microsoft Operations Manager.
10-31
Tools Use the following tools when troubleshooting AD DS issues:

Tool Server Manager Used for Accessing the AD DS management tools in a single console. Where to find it Click Start, and then point to Administrative Tools. Click Server Manager. Click Start, and then point to Administrative Tools. Click Active Directory Users and Computers. Click Start, and then point to Administrative Tools. Click DNS. Installed by default and accessible at a command prompt. Installed by default and accessible at a command prompt. Installed by default and accessible at a command prompt. Installed by default and accessible at a command prompt. Can be downloaded from the Microsoft download center
Active Directory Sites and Services DNS
Creating and configuring sites, subnets, moving domain controllers between sites, and forcing replication. Configuring and viewing DNS zones
Repadmin
Gathering data about the current replication topology and status and creating new replication objects Gathering data about domain controllers including replication partners and status Reviewing information stored in DNS zone files Displays detailed information about the active FRS replicas on the domain controller and can be used to force replication Provides a graphical user interface for gathering detailed information about FRS performance and issues and analyzes the results to identify common FRS and Active Directory problems. Provides detailed information about the current state of DFSR replication in the domain. Can also be used to configure DFSR replication
DCDiag
NSLookup
Ntfrsutl
FRSDiag
Dfsradmin
Installed on Windows Server 2008 computers when you install the file management features.
10-32
Review Questions
1. A user log is able to log on their computer but whenever she tries to access a network resource, she is prompted for a user name and password? How would you ensure that she can access network resources without being prompted for the user name and password after logon? You need to verify that all of the domain controller SRV records are registered in DNS. All DNS servers in your organization are using a third-party DNS product rather than using Windows Server 2008 DNS. How can you view the records in DNS? Users in a branch office in your organization are experiencing very slow logon times. You create a domain controller in your main office, and then ship the domain controller to the branch office. You configure the branch office as a second site in your forest. You modified the domain controllers IP address configuration and have confirmed network connectivity and confirmed that the domain controllers IP address has been updated in DNS. However, some of the users in the branch office are still experiencing very slow logon times. What else should you do? Your organization has five office locations with each location configured as a separate site in AD DS. At least one domain controller has been deployed in each office. All user account management is performed in the main office. You notice that when you create a new user account in the main office, it can take up to 3 hours before the user can logon using that account in the branch office. What should you do to make sure the user can log on right after the account has been created?
2.
3.
4.
Troubleshooting Group Policy Issues
11-1
Module 11
Contents:
Lesson 1: Introduction to Group Policy Troubleshooting Lesson 2: Troubleshooting Group Policy Applications Lesson 3: Troubleshooting Group Policy Settings Lab: Troubleshooting Group Policy Issues 11-3 11-10 11-17 11-25
11-2
Module Overview
This module describes troubleshooting procedures for Group Policy processing clients and computers. These troubleshooting procedures may include incorrect or incomplete policy settings, or lack of policy application to the computer or user. In this module, you will learn the knowledge and skills necessary for troubleshooting these issues.
11-3
Lesson 1:
Introduction to Group Policy Troubleshooting
Group Policy can be complex to deploy and manage, and sometimes a setting can cause unintended consequences for users or computers. This lesson provides details about Group Policy processing and common problem areas, and describes some of the troubleshooting tools available.
11-4
Scenarios for Group Policy Troubleshooting
Additional Reading
Microsoft Technet article: Group Policy Troubleshooting
11-5
Preparing to Troubleshoot Group Policies
Key Points
The first step in troubleshooting Group Policy is to determine the problems source. Group Policy problems may be a symptom of other, unrelated issues such as network connectivity, authentication problems, domain controller availability, or Domain Name Service (DNS) configuration errors. For example, the failure of a router or DNS server could prevent clients contacting a domain controller. Question: What diagnostic tool could you use to determine lease expiration of a Dynamic Host Configuration Protocol (DHCP) address issued to a client computer?
11-6
Additional Reading
Troubleshooting Your Systems with Network Diagnostics Using NSlookup.exe Microsoft Technet article: Unable to access domain controller Kerbtray.exe: Kerberos Tray
11-7
Tools for Troubleshooting Group Policies
Key Points
There are a number of diagnostic tools and logs that you can use to verify whether you can trace a problem to core Group Policy.
Group Policy Logging

If other tools do not provide the information you need to identify the problems affecting Group Policy application, you can enable verbose logging and examine the resulting log files. Log files can be generated on both the client and the server to provide detailed information. Question: What diagnostic tool will quickly display the current Group Policy slow link threshold?
11-8
Additional Reading
Group Policy Modeling and Results How to manually create Default Domain GPOs GPOTool (from Win2K Server Resource Kit) Microsoft Technet article: Refresh Group Policy settings with GPUpdate.exe Fixing Group Policy problems by using log files
11-9
Demonstration: Using Group Policy Diagnostic Tools
Question: What steps must you take prior to running Group Policy reporting RSoP on a remote computer?
11-10
Lesson 2
Troubleshooting Group Policy Applications
When troubleshooting Group Policy issues, you need a firm understanding of the interactions between Group Policy and its supporting technologies, and the ways in which you manage, deploy, and apply Group Policy objects.
11-11
Troubleshooting Group Policy Inheritance
Key Points
Blocking inheritance will prevent all higher-level settings from affecting the organizational units (OUs) and their child OUs where inheritance has been blocked. You can block inheritance only for entire OUs, not for individual objects, and it can complicate troubleshooting because it counteracts the usual inheritance rules. Question: Are there scenarios in your organization that would benefit from blocking inheritance?
Additional Reading
Microsoft Technet article: Fixing Core Group Policy problems
11-12
Troubleshooting Group Policy Filtering
Key Points
Group Policy filtering determines which users and computers will receive the GPOs settings. Filtering of a Group Policy object (GPO) is based on two factors: The security filtering on the GPO Any Windows Management Instrumentation (WMI) filters on the GPO
Question: You have applied security filtering to limit the GPO to apply only to the Managers group. You did this by setting the following GPO permissions: Authenticated Users are denied the Apply Group Policy permission. The Managers group has been granted Read and Apply Group Policy permission.
None of the managers are receiving the GPO settings. What is the problem?
11-13
Additional Reading
Microsoft Technet article: Fixing Group Policy scoping issues
11-14
Troubleshooting Group Policy Replication
Key Points
In a domain that contains more than one domain controller, Group Policy information takes time to propagate, or replicate, from one domain controller to another. A GPO consists of two parts; the Group Policy template (GPT) and the Group Policy container (GPC). Changes to GPOs are tracked using version numbers. Every change increments the version number of the GPT and the GPC. Question: What tool can be used to force replication across all domain controllers in the domain?
Additional Reading
Troubleshooting File Replication Service Microsoft Technet article: Replication of Group Policy settings between domain controllers fails
11-15
Troubleshooting Group Policy Refresh
Key Points
Group Policy refresh refers to a clients periodic retrieval of GPOs. During Group Policy refresh, the client contacts an available domain controller. If any GPOs changed, the domain controller provides a list of all the appropriate GPOs. By default, GPOs are processed at the computer only if the version number of at least one GPO has changed on the domain controller that the computer is accessing. Question: You have implemented folder redirection for a particular OU. Some users report that their folders are not redirecting to the network share. What is the first step you should take to resolve the problem?
Additional Reading
Group Policy does not refresh
11-16
Discussion: Troubleshooting Group Policy Configuration
Question: One user is getting settings applied that no one else is receiving. What might be the issue and how would you start troubleshooting?
11-17
Lesson 3:
Troubleshooting Group Policy Settings
Group Policy settings issues usually are due to slow-link detection or incorrect configuration. Understanding how the Client side extensions (CSEs) work and how slow links are determined assists in troubleshooting these issues.
11-18
How Client Side Extension Processing Works
Key Points
CSEs are dynamic-link libraries (DLLs) that perform the actual processing of Group Policy settings. Policy settings are grouped into different categories, such as Administrative Templates, Security Settings, Folder Redirection, Disk Quota, and Software Installation. Each categorys settings require a specific CSE to process them, and each CSE has its own rules for processing settings. The core Group Policy process calls the appropriate CSEs to process those settings. Some CSEs behave differently under different circumstances. For example, a number of CSEs do not process if a slow link is detected. Security settings and Administrative Templates always are applied and you cannot turn them off. You can control the behavior of other CSEs across slow links. As Group Policy is processed, the Winlogon process passes the list of GPOs that must be processed to each Group Policy client-side extension. The extension uses the list to process the appropriate policy when applicable.
11-19
Question: Users in a branch office log on across a slow modem connection. You want folder redirection to be applied to them even across the slow link. How would you accomplish this?
Additional Reading
Identifying Group Policy Client-Side Extensions Computer Policy for Client-side Extensions Group Policy and Network Bandwidth
11-20
Troubleshooting Administrative Template Policy Settings
Key Points
Some Administrative Template settings may be preferences, rather than policies that you cannot remove easily, while older operating systems might not accept other administrative settings. Question: Your network has a mixture of Windows XP and Windows Vista computers. You have configured the Administrative Template to remove the games link from the Start Menu, but only the Windows Vista computers are enforcing the setting. What is the problem?
Additional Reading
Microsoft Technet article: Fixing Administrative Template policy setting problems
11-21
Troubleshooting Security Policy Settings
Key Points
Security policies protect the computing environments integrity by controlling many aspects of it, like password policies, security options, restricted groups, network policies, services, public key policies, and so on.
Characteristics of Security Policies

Security policies are refreshed every 16 hours even if they have not changed. Security policies are always processed, even across slow connections.
11-22
Question: You have configured a password policy in a GPO and linked that policy to the Research OU. The policy is not affecting domain users in the OU. What is the problem?
Additional Reading
Troubleshooting security settings
11-23
Troubleshooting Script Policy Settings
Key Points
The Scripts CSE updates the registry with the location of script files so that the UserInit process can find those values during its normal processing. When a CSE reports success, it might mean only that the scripts location is placed in the registry. Even though the setting is in the registry, there could be problems preventing the setting from being applied to the client. For example, if a script specified in a Script setting has an error that prevents it from completing, the CSE does not detect an error. Group Policy processes a GPO and stores the script information in the registry, in these locations: HKCU\Software\Policies\Microsoft\Windows\System\Scripts (User Scripts) HKLM\Software\Policies\Microsoft\Windows\System\Scripts (Machine Scripts)
11-24
Question: A logon script is assigned to an OU. The script executes properly for all users, but some users report that they get an access-denied message when they try to access the mapped drive. What is the problem?
Additional Reading
Microsoft Technet article: Fixing Scripts policy settings problems
11-25
Lab: Troubleshooting Group Policy Issues
Scenario Woodgrove Bank has completed its Windows Server 2008 deployment. As the Active Directory Domain Services (AD DS) administrator, one of your primary tasks is troubleshooting AD DS issues that the company help desk escalates to you, and you are responsible for resolving issues related to Group Policy application and configuration.
Note: Some of the tasks in this lab are designed to illustrate GPO troubleshooting techniques and may not always follow best practices.
11-26
Exercise 1: Troubleshooting Group Policy Scripts

You will create and link a GPO, to all domain users and computers, which performs the following: Set the homepage in Internet Explorer to be http://WoodgroveBank.com Force the classic Start Menu Force the client to wait for the network to initialize at startup and logon Configure the Windows Firewall to allow inbound remote administration
Then you will apply a preconfigured GPO to all domain users that maps a drive to the Data shared folder, and observe and troubleshoot the results. All domain users will have a drive mapping to a shared folder named Data. The GPO is created already and is backed up. You will restore and apply the GPO that delivers that policy to the domain, and troubleshoot any issues with the policy. A user in the Miami OU has submitted the following help-desk ticket: User Name: Roya Asbari Computer Name: NYC-CL1 Description of Problem: There is no drive mapping to the Data folder.
This ticket has been escalated to the server team for resolution. The main tasks are: 1. Create and link a domain Desktop policy. 2. 3. 4. 5. 6. Set the Internet Explorer homepage to http://WoodgroveBank.com. Force the classic Start Menu for all domain users. Force the client computer to wait for the network to initialize at startup and logon. Configure the Windows Firewall to allow inbound remote administration.
Restore the Lab11A GPO. Link the Lab11A GPO to the domain. Test the GPO as various users. Troubleshoot the GPO using RSoP. Resolve and test the issue.
11-27
Task 1: Create and link a domain Desktop policy

1. 2. 3. 4. Log on to NYC-DC1 as Administrator with a password of Pa$$w0rd. Open Group Policy Management. Create and link a GPO named Desktop to the WoodgroveBank domain. Edit the policy as follows: Navigate to Computer Configuration, then Administrative Templates, then System, and then Logon. Enable the Always wait for the network at computer startup and logon policy. Navigate to Network, then Network Connections, then Windows Firewall, and then Domain Profile. Enable the Windows Firewall: Allow inbound remote administration exceptions policy, then type localsubnet in the field and then click OK. Navigate to User Configuration, then Windows Settings, then Internet Explorer Maintenance, then URLs, and then Important URLs. In the Important URLs dialog box, customize the home page URL to be http://WoodgroveBank.com. Navigate to Administrative Templates, then Start Menu and Taskbar and then enable the Force classic Start Menu setting.
5.
Close the Group Policy Management Editor.
Task 2: Restore the Lab11A GPO

1. 2. 3. 4. In the GPMC, right-click the Group Policy Objects folder and then click Manage Backups. In the Manage Backups dialog box, type D:\6425 in the Backup location field. Select the Lab 11A GPO, click Restore and then click OK twice. Close the Manage Backups dialog box.
Task 3: Link the Lab11A GPO to the domain

1. 2. In the GPMC, right-click the WoodgroveBank.com domain and then click Link an existing GPO. In the Select GPO dialog box, select the Lab 11A GPO and then click OK.
11-28
Task 4: Test the GPO

1. 2. 3. 4. Log on to NYC-CL1 as WoodgroveBank\Administrator with a password of Pa$$w0rd. Close the Welcome Center. Click the Start Menu and ensure you see the classic Start menu. Double click Internet Explorer and then click the red X to stop the connection attempt to the default startup page. Click the home icon on the toolbar and ensure that http://WoodgroveBank.com is the homepage. Close Internet Explorer. Double click Computer on the desktop and ensure that you have a mapped drive to the shared folder named Data. Log off. Log on to NYC-CL1 as Roya with a password of Pa$$w0rd. Close the Welcome Center.
5. 6. 7. 8. 9.
10. Click the Start Menu and ensure Roya gets the classic Start menu. 11. On the desktop, double-click Internet Explorer, and then click the Home icon on the toolbar and ensure that http://WoodgroveBank.com is the homepage. 12. Close Internet Explorer. 13. On the desktop, double-click Computer on the desktop and check for the mapped drive to the shared folder named Data.
Task 5: Troubleshoot the GPO

1. 2. 3. 4. 5. Switch back to NYC-DC1. In the GPMC, right-click Group Policy Results and then click Group Policy Results Wizard. On the Computer Selection screen, click Another Computer and type NYCCL1 in the field. On the User Selection screen, select WoodgroveBank\Roya and then click Finish. In the User Configuration Summary section, click Group Policy Objects and then click Applied GPOs.
11-29
6. 7. 8. 9.
Click the Settings tab. Expand Windows Settings, expand Scripts and then expand Logon. Switch back to NYC-CL1 as Roya. Test Royas permission to the scripts location by opening a Run command, typing \\nyc-dc1\scripts, and then pressing ENTER.
10. Click OK to dismiss the error dialog box.
Note: If time permits, you can view the group policy operational log as Administrator on NYC-CL1. If you filter the view to show events that Roya generates, you would see that the log does not detect any errors or warnings for this user. This is because the GPO only sets a value in the registry that defines the scripts folders location. Group Policy is unaware if the user has access to the location. The write to the registry was successful. Therefore, the Group Policy log does not see any errors. You would have to audit Object Access for the scripts folder to determine access issues.
Task 6: Resolve and test the issue

1. 2. 3. 4. 5. Switch back to NYC-DC1 and open Windows Explorer. Navigate to the D:\6425\scripts folder. Add Authenticated Users to the Share permission list and grant them Read permission Switch to NYC-CL1 as Roya, log off and then log on. On the desktop, double-click Computer.
Note: Another way to resolve the issue would be to move the script to the Netlogon share.
6.
Log off.
Result: At the end of this exercise, you will have resolved a Group Policy scripts issue.
11-30
Exercise 2: Troubleshooting GPO-11B

Domain users in the Miami OU and all sub OUs should not have access to Control Panel. You will restore and apply the GPO that delivers that policy to the Miami OU. The local onsite technician has submitted a help-desk ticket and escalated the following issue to the server team: User Name: Local Onsite Technician Computer Name: NYC-CL1 User Name: Local Onsite Technician Computer Name: NYC-CL1 Description of Problem: No users should be able to access the Control Panel. However, some users do have access to Control Panel, while others do not. Particularly, Roya, a Miami branch manager, has access to Control Panel.
This ticket has been escalated to the server team for resolution. The main tasks in this exercise are: 1. 2. 3. 4. 5. Restore the Lab11B GPO. Link the Lab11B GPO to the Miami OU. Test the GPO as various users. Troubleshoot the GPO using RSoP. Resolve and test the issue.
Task 1: Restore the Lab11B GPO

1. 2. 3. On NYC-DC1, in the GPMC, right-click the Group Policy Objects folder and then click Manage Backups. In the Manage Backups dialog box, type D:\6425\ in the Backup location field. Restore the Lab 11B GPO.
11-31
Task 2: Link the Lab11B GPO to the Miami OU

1. 2. In the GPMC, right-click the Miami OU and then click Link an existing GPO. In the Select GPO dialog box, select the Lab 11B GPO and then click OK.

1. 2. 3. 4. 5. 6. Log on to NYC-CL1 as Rich with a password of Pa$$w0rd. Ensure that the settings from the Desktop GPO are applied. Ensure that the Control Panel icon does not appear on the desktop or Start Menu. Log off. Log on to NYC-CL1 as Roya. Log off.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch back to NYC-DC1. In the GPMC, right-click Group Policy Results and then click Group Policy Results Wizard. On the Computer Selection screen, click Another Computer and then type NYC-CL1 in the field On the User Selection screen, select WoodgroveBank\Rich and then click Finish. In the User Configuration Summary section, click Group Policy Objects and then click Applied GPOs. Click the Settings tab. Expand Windows Settings and then expand Control Panel. Right-click the Group Policy Results query Roya on NYC-CL1 in the left pane and then click Rerun Query. In the User Configuration Summary section, click Group Policy Objects and then click Applied GPOs.
10. Click Denied GPOs.
11-32
Task 5: Resolve the issue

1. 2. 3. 4. In the GPMC, expand the Group Policy Objects folder, click the Lab 11B GPO, click the Delegation tab and then click Advanced. On the Security tab click the Miami_BranchManagersGG. Remove the Miami_BranchManagersGG from the permission list and then click OK. Switch to NYC-CL1 and log on again as Roya.
Result: At the end of this exercise, you will have resolved a Group Policy objects issue.
11-33
Exercise 3: Troubleshooting GPO Lab-11C

Users in the Miami OU should not have access to the Run command on the Start Menu. You will restore and link the Lab 11C GPO to apply this setting. The local desktop technician has escalated the following issue to the server team: User Name: Local Onsite Technician Computer Name: NYC-CL1 Description of Problem: No users should be able to access the Run command on the Start Menu, but all users in the Miami OU have access to the Run command.
This ticket has been escalated to the server team for resolution. The main tasks in this exercise are: 1. 2. 3. 4. 5. Restore the Lab11C GPO. Link the Lab11C GPO to the Miami OU. Test the GPO as various users. Troubleshoot the GPO using RSoP. Resolve and test the issue.
Task 1: Restore the Lab11C GPO

1. 2. 3. On NYC-DC1, in the GPMC, right-click the Group Policy Objects folder and then click Manage Backups In the Manage Backups dialog box type D:\6425\ in the Backup location field. Restore the Lab 11C GPO.
Task 2: Link the Lab11C GPO to the Miami OU

1. 2. In the GPMC, right-click the Miami OU and then click Link an existing GPO. Select the Lab 11C GPO and then click OK.
11-34

1. 2. Log on to NYC-CL1 as Roya. Log off.

1. 2. 3. 4. 5. Switch to NYC-DC1. In the GPMC, rerun the query Roya on NYC-CL1. In the User Configuration Summary section, click Group Policy Objects and then click Applied GPOs. Click the Settings tab. In the User Configuration section, expand Administrative Templates and then click Start Menu and Taskbar.

1. 2. 3. 4. 5. 6. 7. Expand the Group Policy Objects folder, right-click the Lab 11C GPO and then click Edit. Navigate to User Configuration, then Administrative Templates, then Start Menu and then Taskbar. Double-click the Add the Run command to the Start Menu setting, click Not Configured and then click OK. Locate the Remove Run menu from the Start Menu and enable the setting. Close the Group Policy Object Editor. Log on to NYC-CL1 as Roya. Do not log off.
11-35
Exercise 4: Troubleshooting Lab GPO-11D

You will restore the Lab 11D GPO and link it to the Admins folder. This GPO is designed to enhance security. A user in the Admins OU has submitted the following helpdesk ticket: User Name: Betsy Stadick Computer Name: NYC-CL1 Description of Problem: Since the application of the GPO, I no longer have the classic Start Menu or drive mapping, and no longer can run Internet Explorer.
This ticket has been escalated to the server team for resolution. The main tasks in this exercise are: 1. 2. 3. 4. 5. 6. Restore the Lab11B GPO. Link the Lab11B GPO to the domain. Move NYC-CL1 to the Admins OU and restart the computer. Test the GPO as various users. Troubleshoot the GPO using RSoP. Resolve and test the issue.
Task 1: Restore the Lab11D GPO

1. 2. 3. On NYC-DC1, in the GPMC, right-click the Group Policy Objects folder and then click Manage Backups. In the Manage Backups dialog box type D:\6425\ in the Backup location field. Restore the Lab 11D GPO.
Task 2: Link the Lab11D GPO to the Admins OU

1. 2. In the GPMC, right-click the ITAdmins OU and then click Link an existing GPO. In the Select GPO dialog box, select the Lab 11D GPO and then click OK.
11-36
Task 3: Move NYC-CL1 to the Admins OU and restart the computer

1. 2. 3. 4. Click Start, click Administrative Tools and then click Active Directory Users and Computers. Expand the WoodgroveBank.com domain and then click the Computers container. Right-click the NYC-CL1 computer account and then click Move. Select the ITAdmins OU and then click OK.

1. 2. 3. 4. 5. 6. Switch to NYC-CL1 and restart the computer. Log on as WoodgroveBank\Betsy with a password of Pa$$w0rd. Close the Welcome Center. Click Start. Double-click Internet Explorer. Double-click Computer.

1. 2. 3. 4. 5. 6. Switch back to NYC-DC1. In the GPMC, run the Group Policy Results Wizard. On the Computer Selection screen, click Another Computer, type NYC-CL1 in the field and then click Next. On the User Selection screen, select WoodgroveBank\Betsy and then click Finish. In the Computer Configuration Summary section, click Group Policy Objects and then click Applied GPOs. In the Computer Configuration section, click Administrative Templates and then click System/Group Policy.
11-37

1. 2. 3. In the GPMC, right-click the Admins OU and disable the link to Lab 11D GPO. Restart the NYC-CL1 computer. Log on as Betsy.
11-38
Considerations
Keep the following points in mind when implementing an Active Directory Domain Service monitoring plan: Client-side extensions handle application of Group Policy at regular, configurable intervals. GPO version numbers determine if a Group Policy has changed. Not all CSEs process across a slow link. Security settings refresh every 16 hours. Windows XP and earlier versions log to the Userenv log for most Group-Policy issues. You can modify the registry to enable other CSE logs. Windows Vista logs to operational logs in Event Viewer.
11-39
Blocking inheritance will block all higher level polices from being applied unless those policies are enforced. You can filter Group Policy to apply only to certain security principles by using security settings or Windows Management Instrumentation (WMI) scripts. Group Policies are made up of two parts, Group Policy templates and Group Policy containers. Group Policy replicates these objects on separate schedules using different mechanisms. Windows XP and later versions log on users with cached credentials by default. Many users settings will require two logons because of this. Windows XP and earlier use the Internet Control Message Protocol (ICMP) to determine link speed. Windows Vista and later versions use network awareness to determine link speed. Security principles need permission to access script locations so that they can execute scripts. Computer startup scripts run synchronously by default. User logon scripts run asynchronously by default.
11-40
Tools
Use the following tools when troubleshooting Group Policy issues:
Tool Ping NSlookup DCdiag Set Kerbtray Group policy reporting RSoP GPResult GPOTool GPResult Dcgpofix GPOLogView Used for Testing network connectivity. Testing DNS lookups. Testing domain controllers. Displaying, setting, or removing environment variables. Displaying Kerberos ticket information. Reporting information about the current policies being delivered to clients. A command-line utility that displays RSoP information. A command-line tool that checks Group Policy object stability and monitors policy replication. Refreshing local and Active Directory-based Group Policy settings. Restoring the default Group Policy objects to their original state after initial installation. Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista and later versions. Sample scripts that perform a number of different troubleshooting and maintenance tasks.
Group Policy Management Scripts
11-41
Review Questions
1. What tool can test DNS name resolution? a. b. c. NSlookup DCdiag GPResult
d. Ping 2. 3. 4. What log will give details of folder redirection? What visual indicator in the GPMC designates that inheritance has been blocked? What GPO settings are applied across slow links by default? Choose all that apply: a. b. c. Scripts policies Security settings Administrative settings
d. Internet Explorer Maintenance e. f. EFS Recovery Policy IPSec Policy
Implementing an Active Directory Domain Services Infrastructure
12-1
Module 12
Contents:
Lesson 1: Overview of the AD DS Domain Lesson 2: Planning a Group Policy Strategy Lab A: Deploying Active Directory Domain Services Lab B: Configuring Forest Trusts Lab C: Designing a Group Policy Strategy 12-3 12-7 12-9 12-23 12-31
12-2
Module Overview
This module consists of five exercises that make up the three labs. These exercises give you the opportunity to re-enforce concepts from the course and perform different operations that were not performed in the prior labs. Each exercise is independent.
12-3
Lesson 1:
Overview of the AD DS Domain
In this lesson, you will see the components of the Active Directory Domain Services (AD DS) domain you will work with in the lab.
12-4
Overview of the Current AD DS Domain Design
Key Points
The graphic on the slide depicts the current domain configuration at Woodgrove Bank.
12-5
Overview of the AD DS Site Design
Key Points
The graphic on the slide depicts the required domain configuration at Woodgrove Bank. The Contoso domain will join the Woodgrove bank forest as a separate tree in the same forest.
12-6
Overview of the AD DS Site Design
Key Points
This graphic shows the current site configuration at Woodgrove Bank. A new branch office has been created in New York and a new site will be created to control logon traffic. The following two new sites will be created: The Contoso.com site will contain the 192.168.0.0 subnet The NYC-Branch-Office site will contain the 10.30.0.0 subnet
12-7
Lesson 2:
Planning a Group Policy Strategy
In this lesson, you will plan Group Policies and implement them in the labs.
12-8
Overview of Domain Controller Deployment
Key Points
The graphic depicts the new domain controller deployment at Woodgrove Bank. The NYC-SRV2 server core computer will be renamed to NYC-DC3 to reflect the new role and the read-only domain controller (RODC) role will be installed on NYC-DC3. The NYC-SRV1 computer will be renamed to ContosoDC to reflect the new role and then promoted to become the Contoso domain controller.
12-9
Lab A: Deploying Active Directory Domain Services
Scenario Woodgrove Bank is deploying Windows Server 2008 AD DS. The enterprise administrator has created a design for the deployment. As the AD DS administrator, you will be implementing this design and verifying that all components in the design work correctly.
Site Info
There will be two new sites. NYC Branch Office and Contoso Site Name NYC-Head-Office Subnet 10.10.0.0 Gateway 10.10.0.1 Domain Controller NYC-DC1 10.10.0.10
12-10
Site Name NYC-Branch-Office Subnet 10.30.0.0 Gateway 10.30.0.1 Domain Controller NYC-DC3 (RODC) (change the name of NYC-SRV2) 10.30.0.10
Site Name Contoso Subnet 192.168.0.0 Gateway 192.168.0.1 Domain Controller ContosoDC (change the name of NYC-SRV1) 192.168.0.10
Domain Info
There will be two domains. WoodgroveBank.com and Contoso.com WoodgroveBank and Contoso belong to the same forest. WoodgroveBank is the root domain of the forest and Contoso is a separate tree in the forest.
WoodgroveBank.com
Domain Controllers NYC-DC1, NYC-DC2, NYC-DC3 (RODC) (change the name of NYC-SRV2)
Contoso.com
Domain Controller - ContosoDC (change the name of NYC-SRV1)
12-11
Exercise 1: Implementing Group Policies

Scenario Woodgrove Bank has opened a new branch office in New York City. The branch office employee user accounts will be located in a separate OU. In order to control logon traffic, it has been decided to create a separate site for the new branch office and to create a RODC on a server core installation in the site. You have been tasked to create and configure the domain controller for the new branch office in New York City. You will use an existing server, NYC-SRV2, which is a server core installation. You will perform the following tasks in Active Directory: Pre-configure the account for the RODC of the branch office. Create an OU named Branch Office Employees that will contain user accounts. Create user accounts for the branch office manager and branch office user Create a global group named BranchUsersGG and add the branch office users to it.
Only the branch office employees will have their passwords cached on the RODC. You will also create the site for the branch office and create the subnet object, 10.30.0.0, for the branch office. Then you will change the name of NYC-SRV2 to NYC-DC3 to reflect its now role. You will configure the IP address to reflect the subnet of the branch site. Then you will install RODC on to the server. Finally, you will configure replication with the head office site to occur every 30 minutes. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. 7. 8. Copy the unattended file and change the name of NYC-SRV2 to NYC-DC3. Change the IP address of SRV2 to 10.30.0.10. Create the NYC-Branch-Office site and rename the Default site. Create subnet objects for the NYC head office and branch office sites. Configure the replication schedule. Create an OU for branch office. Create users and groups for the branch. Configure the DNS service on NYC-DC1 to allow zone transfers.
12-12
9.
Pre-stage RODC account in Active Directory Users & Computers.
10. Install DNS role on NYC-RODC. 11. Install RODC on NYC-RODC. Start the following servers, using the logon information below: NYC-DC1 NYC-DC2 NYC-SRV2 Router
Logon information: Virtual Machine: NYC-DC1, NYC-DC2, NYC-SRV2 User Name: Administrator Password: Pa$$w0rd
Task 1: Copy the unattended file and change the name of NYC-SRV2 to NYC-DC3
1. 2. 3. Log on to NYC-SRV2 as Administrator with a password of Pa$$w0rd. At the command prompt type copy \\10.10.0.10\D$\6425\Mod12\Labfiles\NYC-RODC.txt C:\ At the command prompt, type Netdom renamecomputer %computername% /newname:NYC-DC3 /force /reboot:5, and then press ENTER. The computer will reboot automatically after 5 seconds.
12-13
Task 2: Change the IP address of SRV2 to 10.30.0.10

1. 2. 3. Log on to NYC-DC3 as Administrator. At the command prompt, type netsh interface ipv4 show interfaces. Note the Idx number of the Local Area Connection interface. Type netsh interface ipv4 set address name=<Idx number of the LAN interface> source=static address=10.30.0.10 mask=255.255.0.0 gateway=10.30.0.1, and then press ENTER. Type IPconfig /all and ensure the IP address information is correct. Also ensure that the DNS Server is 10.10.0.10.
4.
Task 3: Create the NYC-Branch-Office site and rename the Default site
1. 2. 3. On NYC-DC1, open Active Directory Sites and Services. Right-click Sites and then click New Site named NYC-Branch-Office. Select the DefaultIPSiteLink and then click OK. Rename the Default-First-Site-Name to NYC-Head-Office.
Task 4: Create subnet objects for the NYC head office and branch office sites
1. 2. Create a new subnet object for the 10.10.0.0/16 subnet. Select the NYC-HeadOffice site and then click OK. Create a new subnet object for the 10.30.0.0/16. Select the NYC-BranchOffice site, and then click OK.
Task 5: Configure the replication schedule

1. 2. 3. Open the properties of the DEFAULTIPSITELINK. Type 30 in the Replicate every field, and then click OK. Close Active Directory Sites and Services.
12-14
Task 6: Create an OU for the branch office users

1. 2. Open Active Directory Users and Computers. Create a new Organizational Unit named NYC Branch Office.
Task 7: Create users and groups for the branch

1. Create a new user with the following parameters: 2. 3. 4. Name Branch Manager Logon Name branchmanager Password Pa$$w0rd Password never expires
Create a second user with the following parameters: Name Branch User Logon Name branchuser Password Pa$$w0rd Password never expires
Create a new global group named BranchUsersGG. Add the Branch Manager and the Branch User accounts to the BranchUsersGG global group.
Task 8: Configure the DNS service on NYC-DC1 to allow zone transfers

1. 2. 3. On NYC-DC1, open the DNS management console. Configure the Woodgrovebank.com zone to Allow Zone Transfers. Close the DNS Manager.
12-15
Task 9: Pre-stage the computer account for the RODC

1. Return to Active Directory Users and Computers, right-click the Domain Controllers organization unit and then click Pre-create Read-only Domain Controller account. On the Welcome to the Active Directory Domain Services Installation Wizard page, select Use advanced mode installation. On the Network Credentials page, click Next. On the Specify the Computer Name page, type NYC-DC3. On the Select a Site page, click NYC-Branch-Office. On the Additional Domain Controller Options page, click Next. On the Specify the Password Replication Policy page, click Add and then select Allow passwords for the account to replicate to the RODC. Add the BranchUsersGG and the Domain Admins. On the Delegation of RODC Installation and Administration page, click Set. Add the BranchManager account.
2. 3. 4. 5. 6. 7. 8. 9.
10. Finish the wizard to create the RODC account. Notice that NYC-DC3 computer account is listed in Active Directory, but the DC type is Unoccupied DC Account.
Task 10: Install DNS role on NYC-RODC

1. 2. On NYC-DC3, type Oclist to view the currently installed roles. Notice that no roles are currently installed. Type start /w ocsetup DNS-Server-Core-Role and then press ENTER to install the DNS server. The server core role name is case sensitive.
12-16
Task 11: Install RODC on NYC-DC3 and verify the results

1. Type dcpromo.exe /UseExistingAccount:Attach /unattend:c:\nyc-rodc.txt. The promotion will take several minutes to perform and will automatically reboot to complete the installation. Log on to NYC-DC3 as Administrator. Switch to NYC-DC1 and refresh the view of the Domain Controllers OU and notice the DC Type for NYC-DC3 is now set to Read-only, DC. Open Active Directory Sites and Services and examine the NYC-BranchOffice site. Notice that NYC-DC3 is now listed in the Servers container. Open the DNS Manager and connect to the NYC-DC3 Dns server. Notice that NYC-DC3 hosts a copy of the WoodgroveBank.com zone.
2. 3. 4. 5.
Note: If the server is unavailable, wait a few minutes and try again. Notice that NYC-DC3 hosts a copy of the Woodgrovebank.com zone.
6.
Close the DNS console.
Task 12: Shutdown NYC-DC3

Shutdown NYC-DC3 and delete the changes.
Result: At the end of this exercise, you will have created a new RODC, and a new branch office site.
12-17
Exercise 2: Creating a Domain in a Separate Tree and Separate Site

Scenario Woodgrove Bank has acquired a small company named Contoso Ltd. For legal reasons, this company will have a separate domain in a new tree in the same forest so that they can maintain the Contoso.com namespace. The Contoso domain will also be in a separate site. You have been tasked with creating the domain for Contoso Ltd. The domain will be named Contoso.Com and will have a separate tree in the WoodgroveBank forest. You will use an existing server, NYC-SRV1 to become the new domain controller. You will rename the computer to be ContosoDC. You will also create a separate site for the Contoso domain that uses the 192.168.0.0 subnet and you will configure the ContosoDC computer with the IP address of 192.168.0.10. You will configure replication between the New York site and the Contoso site to occur every 4 hours between the hours of 6 PM and 6 AM. You will install and configure the DNS service on ContosoDC to hold a secondary zone of Woodgrovebank.Com. Finally, you will promote ContosoDC to become the domain controller for Contoso.com. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. 7. 8. 9. Create and configure a new site link for replication. Create the Contoso site. Create the subnet for the Contoso site. Rename the NYC-SRV1 server to ContosoDC. Change the IP address of ContosoDC. Configure the DNS service on NYC-DC1 to allow zone transfers. Install DNS on ContosoDC. Configure the DNS Service on ContosoDC. Promote the server to be the Contoso domain controller.
12-18
Start NYC-SRV1 using the following logon information: Logon Information: Virtual Machine: NYC-SRV1 User Name: Administrator Password: Pa$$w0rd
Task 1: Create and configure a new site link for replication

1. 2. 3. 4. Create a new site link named Contoso-NYC-HO. Add the Contoso and NYC-Head-Office sites to the site link. Open the properties of the Contoso-NYC-HO site link and type 240 in the Replicate every field and then click Change Schedule. In the Schedule for Contoso-NYC-HO dialog box, click and drag to select the hours of 6 AM to 6 PM, Monday to Friday, click Replication Not Available and then click OK twice. Remove the Contoso site from the DefaultIPSiteLink.
5.
Task 2: Create the Contoso site

1. 2. On NYC-DC1, open Active Directory Sites and Services. Create a new site named Contoso. Select the DefaultIPSiteLink and then click OK. Click OK to acknowledge the message.
Task 3: Create the subnet for the Contoso site

1. 2. Create a new subnet object for the 192.168.0.0/24 subnet. Select the Contoso site and then click OK. Close Active Directory Sites and Services.
Task 4: Rename the NYC-SRV1 server to ContosoDC

1. 2. Log on to NYC-SRV1 as Administrator with a password of Pa$$w0rd. Change the computer name to ContosoDC and then restart the computer.
12-19
Task 5: Change the IP address of ContosoDC

1. 2. Log on to ContosoDC as Administrator with a password of Pa$$w0rd. Configure the IPV4 address as follows: IP address 192.168.0.10 Subnet mask 255.255.255.0 Default Gateway 192.168.0.1 DNS 10.10.0.10
Task 6: Configure the DNS service on NYC-DC1 to allow zone transfers (If you completed Exercise 1, then this step has already been performed)
1. 2. 3. 4. Switch to NYC-DC1. Open the DNS management console. Configure the Woodgrovebank.com zone to Allow Zone Transfers. Close the DNS Manager.
Task 7: Install the DNS Server Role on ContosoDC

1. 2. 3. Switch to ContosoDC. Install the DNS server role. Leave Server Manager open.
12-20
Task 8: Configure the DNS Service on ContosoDC

1. 2. 3. Open the DNS management console. Create a secondary forward zone named WoodgroveBank.com. Configure the Master DNS server as 10.10.0.10. It will take a few moments for the zone transfer to occur. You will have to refresh the console to see the changes. Expand the Global Logs and then click DNS Events. Examine the events that describe the zone transfer. Close the DNS Manager.
4. 5.
Task 9: Promote the server to be the Contoso domain controller

1. 2. 3. 4. Use Server Manager to add the Active Directory Domain Services role. Launch DCPromo.exe. In the Active Directory Domain Services Installation Wizard, select Use advanced mode installation. On the Choose a Deployment Configuration screen, click Existing Forest, click Create a new domain in an existing forest and select Create a new domain tree root instead of a new child domain. On the Network Credentials screen, type Woodgrovebank.com, click Set and then use the credentials: 6. 7. 8. 9. Woodgrovebank\Administrator Pa$$w0rd
5.
Name the new domain tree root Contoso.com. On the Domain NetBIOS Name screen, click Next Set the domain functional level to Windows Server 2008. On the Select a Site screen, click Next.
10. On the Additional Domain Controller Options screen, check the checkbox for Global Catalog and then click Next.
12-21
11. On the Static IP Assignment message box, click Yes, the computer will use a dynamically assigned IP address and then click Yes to continue.
Note: This message refers to the IPV6 interface, which is set to use DHCP.
12. On the Source Domain Controller screen, click Next. 13. On the Location for Database, Log Files and SYSVOL screen, click Next. 14. Set the directory services restore mode administrator password to Pa$$w0rd. 15. On the Summary screen click Next and then select Reboot on completion. 16. Log on to the ContosoDC computer as Contoso\Administrator 17. Open the DNS management console and examine the forward lookup zones. Notice the Contoso.com zone 18. Use the IPconfig /all command to examine the IP configuration. Notice that ContosoDC is using 127.0.0.1 as the preferred DNS server.
Task 10: Shutdown ContosoDC

Shutdown ContosoDC and delete the changes.
Result: At the end of this exercise, you will have created a domain in a separate tree and separate site.
12-22
Overview of the Forest Trust Relationship
Key Points
This topic introduces the information you need for the next lab. The Fabrikam forest will be upgraded to Windows Server 2008 level and a Windows server 2008 will be promoted to become an additional domain controller in the domain. The Fabrikam.com forest will have a forest trust relationship with the WoodgroveBank forest. The trust will use selective authentication such that only the WoodgroveBank Domain Admins group will be allowed to authenticate to resources in the Fabrikam domain.
12-23
Lab B: Configuring Forest Trusts
Scenario: Woodgrove Bank has recently purchased a new subsidiary named Fabrikam, Inc. Fabrikam is currently running Windows Server 2003 domain controllers. One of the first tasks for Woodgrove Bank administrators will be to upgrade the domain to Windows Server 2008. Fabrikam Inc will remain in a separate forest and will trust the Woodgrove Bank forest.
12-24
Exercise: Upgrading the Fabrikam Domain and Create a Forest Trust with Woodgrove Bank
Scenario You have been tasked to prepare the Fabrikam 2003 forest and domain to accept Windows Server 2008 domain controllers. You will also configure DNS zone transfers between the Fabrikam forest and the Woodgrovebank forest. Then you will promote a Windows Server 2008 server to become a domain controller in the Fabrikam domain. Finally, you will configure a forest trust between WoodgroveBank.com and Fabrikam.com. The trust will use selective authentication such that only the WoodgroveBank Domain Admins group will be allowed to authenticate to resources in the Fabrikam domain. Use the following information in this exercise: Site Name Fabrikam Subnet 10.20.0.0 Gateway 10.20.0.1 Domain Controller FabrikamDC 10.20.0.10
The main tasks in this exercise are: 1. 2. 3. 4. 5. 6. Prepare the forest and domain to allow the Fabrikam.Com forest to accept Windows Server 2008 domain controllers. Configure reciprocating DNS zone transfers using stub zones between Woodgrovebank.com and Fabrikam.com. Rename the NYC-SRV1 to VAN-DC2. Promote the Windows Server 2008 server to a domain controller in the Fabrikam domain. Configure a forest trust between WoodgroveBank.com and Fabrikam.com for selective authentication. Configure selective authentication for the WoodgroveBank Domain Admins group.
12-25
Start the following virtual servers, using the logon information below: NYC-DC1 VAN-DC1 NYC-SRV1 NYC-DC2 NYC-RAS
Logon information: Virtual Machine: VAN-DC1, NYC-SRV1 User Name: Administrator Password: Pa$$w0rd
Task 1: Prepare the forest and domain to allow the Fabrikam.Com forest to accept Windows Server 2008 domain controllers
1. 2. 3. 4. 5. 6. 7. 8. 9. Log on to VAN-DC1 as Administrator with a password of Pa$$w0rd. Open Active Directory Users and Computers. Right-click Fabrikam.com, and then click Raise Domain Functional Level. Raise the domain functional level to Windows Server 2003. Open Active Directory Domains and Trusts. Right-click Active Directory Domains and Trusts and then click Raise Forest Functional Level. Raise the forest functional level to Windows Server 2003. Capture the Windows Server 2008 ISO file in C:\Program Files\Microsoft Learning\6425\Drives on the host computer. From a command prompt, enter the following command: D:\Sources\Adprep\adprep /forestprep. Read the warning message and then type C to continue. Forestprep will take a few moments to complete.
10. In the command prompt window, type E:\Sources\Adprep\adprep /domainprep
12-26
Task 2: Configure reciprocating DNS zone transfers using stub zones between Woodgrovebank.com and Fabrikam.com
1. 2. 3. 4. 5. 6. 7. 8. 9. On VAN-DC1 launch the DNS management console. Configure the Fabrikam.com zone to allow zone transfers. Switch to NYC-DC1. Configure the WoodgroveBank.com zone to allow zone transfers. Launch the New Zone Wizard. On the Zone Type screen, click Stub Zone. On the Active Directory Zone Replication Scope screen, click Next. On the Zone Name screen type Fabrikam.com. On the Master DNS Servers screen, type 10.20.0.10, and then finish the wizard. It will take a few moments for the zone transfer to occur. You must refresh the console to see the changes.
10. Close the DNS Manager. 11. Switch to VAN-DC1. 12. Launch the New Zone Wizard. 13. On the Zone Type screen, click Stub Zone. 14. On the Active Directory Zone Replication Scope screen, click Next. 15. On the Zone Name screen ,type WoodgroveBank.com. 16. On the Master DNS Servers screen, type 10.10.0.10 and then finish the wizard. It will take a few moments for the zone transfer to occur. You will have to refresh the console to see the changes 17. Close the DNS Manager.
Task 3: Rename the NYC-SRV1 to VAN-DC2

1. 2. 3. Log on to NYC-SRV1 as Administrator with a password of Pa$$w0rd. In Server Manager, click Change System Properties. Change the name of the computer to VAN-DC2, and then restart the computer.
12-27
Task 4: Promote the Windows Server 2008 server to a domain controller in the Fabrikam domain
1. 2. 3. 4. 5. Log on to VAN-DC2 as Administrator with a password of Pa$$w0rd. Add the Active Directory Domain Services role. Launch DCPromo.exe On the Choose a Deployment Configuration screen, click Existing forest and keep the default choice of Add a domain controller to an existing domain. On the Network Credentials screen, type Fabrikam.com in the domain name field, and then click Set and use the credentials: 6. 7. 8. 9. Fabrikam\Administrator Pa$$w0rd
On the Select a Domain screen, click Fabrikam.com. Click Yes to acknowledge the message about RODCs. On the Select a Site screen, click Next. On the Additional Domain Controller options, clear the DNS Server and Global Catalog checkboxes. On the Infrastructure Master Configuration Conflict screen, click Transfer the infrastructure master role to this domain controller.
10. On the Location for Database, Log Files and Sysvol screen, click Next. 11. On the Directory Services Restore Mode Administrator Password, type Pa$$w0rd in the fields. 12. On the Summary page click Next and then Reboot on completion.
12-28
Task 5:
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-DC1 Open Active Directory Domains and Trusts. On the Properties of WoodgroveBank.com, click the Trusts tab and then click New Trust. In the New Trust Wizard, click Next. Name the trust Fabrikam.com Create a Forest Trust. Configure the trust to be One-way: incoming. On the Sides of Trust screen select Both this domain and the specified domain. Use the following credentials: User name: Administrator Password: Pa$$w0rd
10. On the Outgoing Trust Authentication Level-Specified Forest screen, click Selective Authentication. 11. On the Trust Selections Complete screens, click Next. 12. On the Confirm Incoming Trust screen, click Next and finish the wizard.
12-29
Task 6: Configure selective authentication for the WoodgroveBank Domain Admins group
1. 2. 3. 4. 5. 6. Switch to VAN-DC1. Open Active Directory Users and Computers. Enable the advanced view feature. In the Domain Controllers OU, open the properties of VAN-DC1. On the VAN-DC1 Properties click the Security tab and then click Add. Grant the WoodgroveBank\Domain Admins group the Allowed to Authenticate permission.
Task 7: Shutdown servers

Shutdown VAN-DC1 and VAN-DC2 and delete the changes.
Result: At the end of this exercise, you will have created a forest trust.
12-30
Overview of the AD DS Group Policy Object Design
Key Points
The graphic depicts the current organization unit configuration at Woodgrove Bank.
12-31
Lab C: Designing a Group Policy Strategy
Scenario: As the network administrator for WoodgroveBank.Com, you are responsible for developing a desktop and security policy that can be centrally managed through group policies.
12-32
Exercise 1: Planning Group Policies

Scenario You have been tasked to create a computer security policy that can be delivered through group policy. You will create any required OUs and create and link the appropriate policies to them. The corporate policy dictates that servers will be located in a separate OU tree structure based on their role. There are File and Print servers and SQL servers and Web servers to consider. Use the domain diagram to help you plan the group policy and OU structure. Fill in the table to describe the GPOs that must be created, what settings each will contain, and where the GPOs will be linked. The main tasks for this exercise are: 1. Create a global security policy to be enforced on all computers in the domain as follows: 2. All computers will have the built in Administrator account renamed to Admin The IT Admins global group will be added to the local Administrators group. Windows Updates will come from an internal Web server named http://updates
Create a security policy to be enforced on all servers with further security settings based on the server role as follows: All member servers will have the built in Administrator account renamed to SRVAdmin Account logon events will be audited on all servers Internet Explorer will not be allowed to run on any server. SQL servers will prevent the installation of any removable devices
12-33
3.
Configure a corporate desktop policy as follows: Access to screen saver settings will be blocked to all domain users. Users in Toronto and Miami will not be allowed to run Windows Messenger. Domain users will not be allowed to add new printers. Users in the Admin OU will be exempt from this setting. Encryption of offline files will be enforced for the Executives OU. Access to Control Panel will be prohibited for all users except domain administrators.
12-34
GPO Name
Settings
Linked to
12-35
Exercise 2: Implementing the Corporate Desktop Policy

Scenario You have been tasked to implement the Corporate Desktop Policy for the Woodgrove Bank domain. You will create and link the appropriate GPOs. This exercises main tasks are: 1. 2. 3. 4. 5. Create and Link the Domain Desktop Policy Create and link the Prohibit Control Panel GPO Create and link the Force Offline File Encryption GPO Create and link the Block Windows Messenger GPO Create and link the Allow Adding Printers GPO
Task 1: Create and Link the Domain Desktop Policy

1. 2. 3. 4. 5. Start NYC-DC1. Logon as Administrator with a password of Pa$$w0rd. Open the Group Policy Management console Create and link a GPO named Domain Desktop Policy to the Woodgrovebank.com domain. Edit the Domain Desktop Policy as follows: 6. 7. Expand User Configuration, Administrative Templates, Control Panel, and then Printers. Enable the Prevent additions of printers setting.
In the Control Panel, Display, enable the Hide Screen Saver tab setting. Close the Group Policy Management Editor.
12-36
Task 2: Create and link the Prohibit Control Panel GPO

1. 2. Create and link a GPO named Prohibit Control Panel to the Woodgrovebank.com domain Edit the Prohibit Control Panel as follows. Expand User Configuration, Administrative Templates, and then Control Panel. 3. 4. 5. Enable the Prohibit access to the Control Panel setting.
Close the Group Policy Management Editor. Double-click the Prohibit access to the Control Panel GPO, click the Delegation tab in the details pane, and then click Advanced. In the Prohibit access to the Control Panel Security Settings dialog box, select Domain Admins, check the checkbox to Deny the Apply group policy permission and then click OK. Click Yes to acknowledge the message. This will exempt the Domain Admins group from the policy.
6.
Task 3: Create and link the Force Offline File Encryption GPO
1. 2. 3. 4. 5. 6. 7. Right-click Executives OU, click Create a GPO in this domain, and link it here. In the New GPO dialog box, type Force Offline File Encryption in the Name field and then click OK. Right-click the Force Offline File Encryption and then click Edit. Expand Computer Configuration, expand Administrative Templates, expand Network, and then click Offline Files. In the detail pane, double-click Encrypt the Offline Files cache. In the Encrypt the Offline Files cache Properties dialog box, click Enabled, and then click OK. Close the Group Policy Management Editor.
12-37
Task 4: Create and link the Block Windows Messenger GPO

1. 2. 3. 4. 5. 6. 7. 8. 9. Right-click Miami OU and then click Create a GPO in this domain, and link it here. In the New GPO dialog box, type Block Windows Messenger in the Name field, and then click OK. Right-click the Block Windows Messenger, and then click Edit. Expand User Configuration, expand Administrative Templates, expand Windows Components, and then double-click Windows Messenger. In the details pane, double-click Do not allow Windows Messenger to be run. In the Do not allow Windows Messenger to be run Properties dialog box, click Enabled, and then click OK. Close the Group Policy Management Editor. Right-click the Toronto OU and then click Link and Existing GPO. In the Select GPO dialog box, click Block Windows Messenger and then click OK.
12-38
Task 5: Create and link the Allow Adding Printers GPO

1. 2. 3. 4. Right-click IT Admins OU, and then click Create a GPO in this domain, and link it here. In the New GPO dialog box, type Allow Adding Printers in the Name field, and then click OK. Right-click the Allow Adding Printers, and then click Edit. Expand User Configuration, expand Administrative Templates, expand Control Panel and then click Printers. In the details pane, double-click Prevent additions of printers. In the Prevent Addition of Printers Properties dialog box, click Disabled and then click OK. Close the Group Policy Management Editor. Close the GPMC. Shut down all virtual machines and delete any changes.
5. 6. 7. 8.
Result: At the end of this exercise, you will have implemented a Group Policy strategy.
12-39
Considerations
Keep the following in mind when implementing an Active Directory Domain Services infrastructure: Sites can be used to control the scope of logon traffic. Separate trees in the forest allow multiple DNS namespaces to exist.
12-40
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential, and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.

Mcts 70-640 6425A

Uploaded by

Copyright:

Available Formats

Mcts 70-640 6425A

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mcts 70-640 6425A

Uploaded by

Copyright:

Available Formats

OFFICIAL

BETA COURSEWARE. EXPIRES 4/11/2008

Configuring Windows Server 2008 Active Directory Domain Services

Technical Reviewer: John Policelli

Product Number: 6425A Part Number: N/A Released: 10/2007

BETA COURSEWARE. EXPIRES 4/11/2008

BETA COURSEWARE. EXPIRES 4/11/2008

BETA COURSEWARE. EXPIRES 4/11/2008

iii. Distribution Restrictions. You may not

BETA COURSEWARE. EXPIRES 4/11/2008

BETA COURSEWARE. EXPIRES 4/11/2008

This limitation applies to

BETA COURSEWARE. EXPIRES 4/11/2008

BETA COURSEWARE. EXPIRES 4/11/2008

Configuring Windows Server 2008 Active Directory Domain Services

Module 3: Configuring Active Directory Objects and Trusts

Module 4: Configuring Active Directory Sites and Replication

BETA COURSEWARE. EXPIRES 4/11/2008

Configuring Windows Server 2008 Active Directory Domain Services

Module 5: Creating and Configuring Group Policies

Module 6: Configuring User Environments Using Group Policies

Module 7: Implementing Security Using Group Policies

Module 8: Implementing an Active Directory Domain Services Monitoring Plan

BETA COURSEWARE. EXPIRES 4/11/2008

Configuring Windows Server 2008 Active Directory Domain Services

Module 9: Implementing an Active Directory Domain Services Maintenance Plan

Module 10: Troubleshooting Active Directory, DNS, and Replication Issues

Module 11: Troubleshooting Group Policy Issues

Module 12: Implementing an Active Directory Domain Services Infrastructure

BETA COURSEWARE. EXPIRES 4/11/2008

BETA COURSEWARE. EXPIRES 4/11/2008

About This Course

About This Course

About This Course

About This Course

About This Course

About This Course

Virtual Machine Environment

Virtual Machine Configuration

About This Course

Course Hardware Level

Implementing Active Directory Domain Services

BETA COURSEWARE. EXPIRES 4/11/2008

6425A: Configuring Windows Server 2008 Active Directory Domain Services

BETA COURSEWARE. EXPIRES 4/11/2008

Implementing Active Directory Domain Services

Installing Active Directory Domain Services

BETA COURSEWARE. EXPIRES 4/11/2008

6425A: Configuring Windows Server 2008 Active Directory Domain Services

Requirements for Installing AD DS

BETA COURSEWARE. EXPIRES 4/11/2008

Implementing Active Directory Domain Services

What Are Domain and Forest Functional Levels?

BETA COURSEWARE. EXPIRES 4/11/2008

6425A: Configuring Windows Server 2008 Active Directory Domain Services

BETA COURSEWARE. EXPIRES 4/11/2008

Implementing Active Directory Domain Services

Advanced Options for Installing AD DS

BETA COURSEWARE. EXPIRES 4/11/2008

6425A: Configuring Windows Server 2008 Active Directory Domain Services