Microsoft Learning Product
6425B
Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Companion Content
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2009 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
Module 1
Introducing Active Directory Domain Services (AD DS)
Contents:
Lesson 1: Introducing Active Directory, Identity, and Access ... 2
Lesson 2: Active Directory Components and Concepts ... 4
Lesson 3: Install Active Directory Domain Services ... 8
Lab Review Questions and Answers ... 10
Lesson 1
Additional Reading
Information Protection in a Nutshell
Microsoft Identity and Access Solutions
Authorization
Logon and Authentication Technologies
Authorization and Access Control Technologies
Lesson 2
Open the Classes container. While scrolling through, notice familiar object classes, including user, computer, and group.
Additional Reading
Demonstration: Active Directory Schema
What Is the Active Directory Schema?
Organizational Units
Modules 6 and 8 examine the purpose, management, and design of organizational units.
Policy-Based Management
Modules 6 through 9 detail policy based management.
Domain Controllers
Domain Controllers are discussed throughout this course, but Modules 11 and 12 are focused specifically on domain controller administration and placement. Module 9 discusses RODCs.
Domain
You will learn more about domains throughout this course, and Module 14 focuses on the design considerations related to how many domains you should have in your enterprise.
Replication
Active Directory Replication is detailed in Module 12. SYSVOL replication is discussed in Module 9.
Sites
Active Directory site and subnet objects are the focus of Module 12.
Tree
The concepts and design of a multidomain forest are discussed in Module 14.
Forest
The concepts and design of a multidomain forest are discussed in Module 14.
Functional Level
Functional levels are detailed in Module 14.
Trust Relationships
Trust relationships are discussed in Module 14.
Lesson 3
Additional Reading
Prepare to Create a New Forest with Windows Server 2008
This list comprises the settings that you will be prompted to configure when creating a domain controller. There are a number of additional considerations regarding the deployment of AD DS in an enterprise setting. See Windows Server 2008 Technical Library for more information.
Module 2
Secure and Efficient Administration of Active Directory
Contents:
Lesson 1: Work with Active Directory Snap-ins ... 2
Lesson 2: Custom Consoles and Least Privilege ... 5
Lesson 3: Find Objects in Active Directory ... 11
Lesson 4: Use DS Commands to Administer Active Directory ... 19
Lab Review Questions and Answers ... 21
Lesson 1
Viewing objects
The Active Directory Users and Computers snap-in displays the objects in the container (domain, organizational unit, or container) selected in the console tree.

Refreshing the view
The view is not refreshed automatically. If you want to see the latest changes to the view of objects, select the container in the console tree and then either click the Refresh button on the snap-in toolbar or press F5. You must select the container in the console tree before clicking Refresh (or pressing F5); clicking in an empty area of the details pane is not sufficient. This is a quirk of the Active Directory Users and Computers snap-in.

Creating objects
To create an object in Active Directory Users and Computers, right-click either the domain, a container (such as Users or Computers), or an organizational unit. Then point to New and click the type of object you want to create. When you create an object, you are prompted to configure a few of the most basic properties of the object, including the properties that are required for that type of object.

Configuring object attributes
After an object has been created, you can access its properties. Right-click the object and then click Properties. The Properties dialog box that appears displays many of the most common properties of the object. Properties are grouped on tabs to make it easier to locate a specific property. You can configure as many properties as you want, on as many tabs as you want, then click Apply or OK once to save all of the changes. The difference between Apply and OK is that the OK button closes the Properties dialog box, whereas Apply saves the changes and keeps the dialog box open so that you can make additional changes.
Viewing all object attributes
A user object has even more properties than are visible in its Properties dialog box. Some of the so-called hidden properties can be quite useful to your enterprise. To view these hidden user attributes, you must turn on the Attribute Editor, a new feature in Windows Server 2008.

To turn on the Attribute Editor in the Active Directory Users and Computers snap-in:
1. Click the View menu and then select the Advanced Features option.

To open the Attribute Editor for a specific Active Directory object:
1. Right-click the object and then click Properties.
2. Click the Attribute Editor tab.
As you can see in the screen shot above, some attributes of a user object could be quite useful, including division, employeeID, employeeNumber, and employeeType. Although the attributes are not shown on the standard tabs of a user object, they are now available through the Attribute Editor. To change the value of an attribute, double-click the value. The attributes can also be accessed programmatically with Windows PowerShell, Windows Visual Basic Scripting Edition, or the Microsoft .NET Framework.
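The following Windows PowerShell session, added here as an example and not part of the course, reads and updates the same Attribute Editor-only attributes from the command line. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and the course account Pat.Coleman; the distinguished name in the ADSI fallback is an assumption.

```powershell
# Added example, not from the course. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT) and the course account Pat.Coleman.
Import-Module ActiveDirectory

$sam   = 'Pat.Coleman'
$extra = 'division', 'employeeID', 'employeeNumber', 'employeeType', 'info'

# Get-ADUser returns only a small default property set; attributes that the
# snap-in shows only on the Attribute Editor tab must be requested explicitly.
$user = Get-ADUser -Identity $sam -Properties $extra
$user | Select-Object (@('SamAccountName', 'DistinguishedName') + $extra) | Format-List

# -Replace writes single-valued attributes (the equivalent of double-clicking
# a value in the Attribute Editor); -Clear would remove an attribute entirely.
Set-ADUser -Identity $sam -Replace @{ employeeID = 'E-10042'; employeeType = 'Contractor' }

# Read the values back. whenChanged is stamped by the DC that took the write;
# other DCs show the new values only after replication.
Get-ADUser -Identity $sam -Properties employeeID, employeeType, whenChanged |
    Select-Object SamAccountName, employeeID, employeeType, whenChanged

# Alternative without the ActiveDirectory module (plain Windows Server 2008):
# bind with ADSI using the object's distinguished name (assumed here).
$adsi = [ADSI]'LDAP://CN=Pat Coleman,OU=Employees,OU=User Accounts,DC=contoso,DC=com'
$adsi.Put('employeeNumber', '10042')
$adsi.SetInfo()                 # nothing is written until SetInfo() commits the change
$adsi.Get('employeeNumber')
```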
Additional Reading
The MMC Console
Microsoft Management Console 3.0
Lesson 2
The Add/Remove Snap-ins dialog box allows you to add, remove, reorder, and manage the console's snap-ins. After you have installed the RSAT, all four Active Directory management snap-ins are installed; however, the Active Directory Schema snap-in will not appear in the Add/Remove Snap-ins dialog box until after you have registered the snap-in.

To register Active Directory Schema:
1. Open a command prompt by clicking Start, typing cmd.exe, and pressing Enter.
2. Type regsvr32.exe schmmgmt.dll and press Enter.

Demonstration: Secure Administration with User Account Control and Run As Administrator
Detailed demonstration steps
1. The virtual machine should still be available after the last demonstration; therefore, log off from HQDC01.
2. Log on with user-level credentials: CONTOSO\Pat.Coleman with the password Pa$$w0rd.

To run as an administrator:
1. Right-click the shortcut for an executable, Control Panel applet, or MMC console that you want to launch, then click Run as administrator. If you do not see the command, try holding down the Shift key and right-clicking. The User Account Control dialog box appears, prompting for administrative credentials.
2. Click Use another account.
3. Enter the username and password of your administrative account.
4. Click OK.
The Link to Web Address Wizard appears.
1. In Path or URL, type the universal naming convention (UNC) path to the shared folder, e.g. \\ServerName\ShareName, and then click Next.
2. Type a friendly name for the snap-in. This is the name that will appear in the console tree. Then click Finish.
3. Click OK.

In order to use the snap-in, the server that you are targeting must be in the Local Intranet or Trusted Sites security zone for Internet Explorer. This must be configured for the administrative credentials, because it is those credentials that are used by the mmc.exe process and by the snap-in.
1. Log on to the computer with your administrative credentials.
2. Click the Start button, and then click Control Panel.
3. Double-click Internet Options.
4. Click the Security tab.
5. Click Local intranet or Trusted Sites.
6. Click the Sites button.
7. Type \\ServerName, then click the Add button, then click OK.

There are many commands and applications that an administrator needs to run that are not MMC snap-ins. It can be tedious to launch each command or application with elevated credentials. To reduce the burden of least privilege administration, you can add these commands and applications to the MMC console. Because the MMC console is running with administrative credentials, any shell command executed from the console will automatically inherit the administrative credentials.

To create an Administrators Launch Pad from which you can open other tools:
1. Click the File menu, and then click Add/Remove Snap-in.
2. In the Available Snap-ins list, click Folder, then click the Add button, and then click OK.
3. In the console tree, right-click the Folder node you just added, and click Rename.
4. Type a name, e.g. Administrators Launch Pad, and then press Enter.
5. Right-click the folder and click New Taskpad View.
The New Taskpad View Wizard appears.
1. Click Next.
2. On the Taskpad Style page, click No List and then click Next.
3. On the Taskpad Reuse page, click Selected tree item and then click Next.
4. On the Name And Description page, accept the default name and click Next.
5. Clear the Add new tasks to this taskpad after the wizard closes check box, and then click Finish.

To add applications and commands to the administrative launch pad:
1. Right-click the administrative launch pad and then click Edit Taskpad View.
2. Click the Tasks tab.
3. Click the New button.

The New Task Wizard appears.
1. Click Next.
2. On the Command Type page, click Shell command and then click Next.
3. On the Command Line page, enter the requested data, then click Next. For example, to launch the Command Prompt, type cmd.exe for the Command. If the command is not in the system path, e.g. the System32 folder, you must enter the full path to the command.
4. Type a Task name, and then click Next.
5. Select a Task Icon, and then click Next. You can choose a custom icon. The following sources can provide useful icons: the command executable itself, %systemroot%\system32\shell32.dll, and %systemroot%\System32\Imageres.dll. For example, you can use %systemroot%\system32\cmd.exe as a source for the icon for the Command Prompt.
6. Click Next.
7. Click Finish and then click OK.
Additional Reading
Demonstration: Create a Custom MMC Console for Administering Active Directory
Add, Remove, and Organize Snap-ins and Extensions in MMC 3.0
Secure Administration with Least Privilege, Run As Administrator, and User Account Control
Using Run as
Demonstration: Secure Administration with User Account Control and Run As Administrator
Using Run as
Lesson 3
If you know the names of the objects you need, you can type them directly into the large text box. Multiple names can be entered, separated by semicolons, as shown above. When you click OK, Windows looks up each item in the list and converts it into a link to the object, then closes the dialog box. The Check Names button also converts each name to a link, but leaves the dialog box open, as shown here:
You do not need to enter the full name; you can enter either the user's first or last name, or even just part of the first or last name. For example, the first screen shot above shows the first name linda, the last name danseglio, the partial name joan, and the name tony. When you click OK or Check Names, Windows will attempt to convert your partial name to the correct object. If there is only one matching object, the names will be resolved as shown in the second screenshot above. If there are multiple matches, such as the name Tony, you will be presented with the Multiple Names Found box shown below. Select the correct name(s) and click OK.
By default, the Select dialog box searches the entire domain. If you are getting too many results and wish to narrow down the scope of your search, or if you need to search another domain or the local users and groups on a domain member, click Locations. Additionally, the Select dialog box (despite its full name, Select Users, Contacts, Computers or Groups) rarely searches all four object types. When you add members to a group, for example, computers are not searched by default. If you enter a computer name, it will not be resolved correctly. When you specify the name on the Managed By tab, groups are not searched by default. You must make sure that the Select dialog box is scoped to resolve the types of objects you want to select. Click the Object Types button and use the Object Types dialog box shown below to select the correct types, and then click OK.
If you are having trouble locating the objects you want, click the Advanced button on the Select dialog box. The advanced view, shown below, allows you to search both name and description fields, as well as disabled accounts, non-expiring passwords, and stale accounts that have not logged on for a specific period of time.
Some of the fields on the Common Queries tab may be disabled, depending on the object type you are searching for. Click the Object Types button to specify exactly the type of object you want.
Demonstration: Control the View of Objects in Active Directory Users and Computers
Detailed demonstration steps

1. The virtual machine should still be available from the previous demo; however, if it is not already started, launch 6425B-HQDC01-A and log on to HQDC01 as Pat.Coleman_Admin with the password Pa$$w0rd.
2. Go to the Active Directory Users and Computers console.

To add the Last Name column to the details pane:
1. Click the View menu, and then click Add/Remove Columns.
2. In the Available Columns list, click Last Name.
3. Click the Add button.
4. In the Displayed columns list, click Last Name and click Move Up two times.
5. In the Displayed columns list, click Type and click Remove.
6. Click OK.
7. In the details pane, click the Last Name column header to sort alphabetically by last name.
Use the Find drop-down list to specify the type(s) of objects you want to query, or select Common Queries or Custom Search. The In drop-down list specifies the scope of the search. It is recommended that, whenever possible, you narrow the scope of the search to avoid the performance impacts of a large, domain-wide search. Together, the Find and the In lists define the scope of the search. Next, configure the search criteria. Commonly used fields are available as criteria based on the type of query you are performing. When you have specified your search scope and criteria, click Find Now. The results will appear. You can then right-click any item in the results list and choose administrative commands such as Move, Delete, and Properties.
To create a saved query:
1. Open the Active Directory Users and Computers snap-in. Saved queries are not available in the Active Directory Users and Computers snap-in that is part of Server Manager. You must use the Active Directory Users and Computers console or a custom console with the snap-in.
2. Right-click Saved Queries, point to New, then click Query.
3. Enter a name for the query.
4. Optionally, enter a description.
5. Click Browse to locate the root for the query. The search will be limited to the domain or OU you select. It is recommended that you narrow your search as much as possible, to improve search performance.
6. Click Define Query to define your query.
7. In the Find dialog box, select the type of object you want to query. The tabs in the dialog box and the input controls on each tab change to provide options that are appropriate for the selected query.
8. Configure the criteria for your query.
9. Click OK.
After your query is created, it is saved within the instance of the Active Directory Users and Computers snap-in. So if you opened the Active Directory Users and Computers console (dsa.msc), your query will be available the next time you open the console. If you created the saved query in a custom console, it will be available in that custom console. To transfer saved queries to other consoles or users, you can export the saved query as an XML file, and then import it to the target snap-in.

The view of the saved query in the details pane can be customized as described earlier, with specific columns and sorting. A very important benefit of saved queries is that the customized view is specific to each saved query. When you add the Last Name column to the normal view of an OU, the Last Name column is actually added to the view of every OU, so you will see an empty Last Name column even for an OU of computers or groups. With saved queries, you can add the Last Name column to a query for user objects, and other columns for other saved queries. Saved queries are a powerful way to virtualize the view of your directory and to monitor for issues such as disabled or locked accounts. Learning to create and manage saved queries is a worthwhile use of your time.
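The Common Queries in the Find dialog box and the saved queries described above map directly to LDAP searches. The following Windows PowerShell script, added here and not part of the course, runs the same checks (disabled accounts, locked-out accounts, non-expiring passwords, and stale accounts) scoped to a single OU, as the text recommends, and writes the results to CSV files for review. The ActiveDirectory module, the OU, the 90-day threshold, and the output folder are assumptions.

```powershell
# Added example, not from the course. Assumes the ActiveDirectory module and
# the OU below; the 90-day staleness window and output path are assumptions.
Import-Module ActiveDirectory

$searchBase = 'OU=User Accounts,DC=contoso,DC=com'   # narrow the scope, as the text advises
$staleDays  = 90
$outDir     = 'C:\Reports'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Disabled accounts (userAccountControl bit 0x2). Search-ADAccount is the
#    cmdlet equivalent of the "Disabled accounts" common query.
$disabled = Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $searchBase

# 2. Locked-out accounts: a condition saved queries are often used to monitor.
$locked = Search-ADAccount -LockedOut -UsersOnly -SearchBase $searchBase

# 3. Non-expiring passwords, written as a raw LDAP filter using the bitwise AND
#    matching rule (1.2.840.113556.1.4.803) on userAccountControl; 65536 is
#    DONT_EXPIRE_PASSWD. The same filter can be pasted into the Custom Search tab.
$ldap = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
$noExpire = Get-ADUser -LDAPFilter $ldap -SearchBase $searchBase -Properties PasswordLastSet

# 4. Stale accounts: no logon for $staleDays. Like the dialog's "Days since last
#    logon", this relies on lastLogonTimestamp, which replicates but is only
#    refreshed when it is more than about 14 days old, so treat it as approximate.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($staleDays)) `
             -UsersOnly -SearchBase $searchBase | Where-Object { $_.Enabled }

# Enabled, stale accounts whose passwords never expire deserve attention first.
$risky = $stale | Where-Object { $noExpire.SamAccountName -contains $_.SamAccountName }

foreach ($set in @(
    @{ Name = 'disabled';            Data = $disabled },
    @{ Name = 'locked-out';          Data = $locked },
    @{ Name = 'no-expire';           Data = $noExpire },
    @{ Name = 'stale';               Data = $stale },
    @{ Name = 'stale-and-no-expire'; Data = $risky })) {
    $path = Join-Path $outDir ('users-{0}.csv' -f $set.Name)
    $set.Data | Select-Object SamAccountName, DistinguishedName |
        Export-Csv -Path $path -NoTypeInformation
    '{0,-20} {1,5} account(s)' -f $set.Name, @($set.Data).Count
}
```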
Additional Reading
Options for Locating Objects in Active Directory
Search Active Directory
Lesson 4
Module 3
Manage Users
Contents:
Lesson 1: Create and Administer User Accounts ... 2
Lesson 2: Configure User Object Attributes ... 7
Lab Review Questions and Answers ... 13
Lesson 1
To create a user object:
1. Right-click the OU or container in which you want to create the user, point to New, and then click User.
2. In First name, type the user's first name.
3. In Initials, type the user's middle initial(s). Note that this property is, in fact, meant for the initials of a user's middle name, not the initials of the user's first and last name.
4. In Last name, type the user's last name.
5. The Full name field is populated automatically. Make modifications to it if necessary. The Full name field is used to create several attributes of a user object, most notably the common name (CN) and display name properties. The CN of a user is the Name displayed in the details pane of the snap-in. It must be unique within the container or OU. Therefore, if you are creating a user object for a person with the same name as an existing user in the same OU or container, you will need to enter a unique name in the Full name field.
6. In User logon name, type the name that the user will log on with and, from the drop-down list, select the UPN Suffix that will be appended to the user logon name following the @ symbol. Usernames in Active Directory can contain some special characters (including periods, hyphens, and apostrophes), which let you generate accurate usernames such as O'Hare and Smith-Bates. However, certain applications may have other restrictions, so it is recommended to use only standard letters and numerals until you have fully tested the applications in your enterprise for compatibility with special characters in logon names. The list of available UPN suffixes can be managed by using the Active Directory Domains and Trusts snap-in. Right-click the root of the snap-in, Active Directory Domains and Trusts, click Properties, and use the UPN Suffixes tab to add or remove suffixes. The DNS name of your Active Directory domain will always be available as a suffix and cannot be removed.
7. In the User logon name (pre-Windows 2000) box, enter the pre-Windows 2000 logon name, often called the downlevel logon name. In the Active Directory database, the name for this attribute is sAMAccountName.
8. Click Next.
9. Enter an initial password for the user in the Password and Confirm password boxes.

It is recommended that you always select this option so that the user can create a new password unknown to the IT staff. Appropriate support staff can always reset the user's password at a future date if they need to log on as the user or access the user's resources. But only users should know their passwords on a day-to-day basis.
11. Click Next.
12. Review the summary and then click Finish. The New Object User interface allows you to configure a limited number of account-related properties, such as name and password settings. However, a user object in Active Directory supports dozens of additional properties. These can be configured after the object has been created.
13. Right-click the user object you created and then click Properties.
14. Configure user properties.
15. Click OK.
Additional Reading
Demonstration: Create a User Object
Active Directory Users and Computers Help: Managing Users
Create a New User Account
Name Attributes
Object Names
Account Attributes
User Properties - Account Tab
Lesson 2
Attributes of a user object fall into several broad categories that appear on tabs of the dialog box.
Account attributes: The Account tab. These properties include logon names, passwords, and account flags. Many of these attributes can be configured when you create a new user with the Active Directory Users and Computers snap-in. The Account Properties section details account attributes.

Personal information: The General, Address, Telephones, and Organization tabs. The General tab exposes the name properties that are configured when you create a user object, as well as basic description and contact information. The Address and Telephones tabs provide detailed contact information. The Telephones tab is also where Microsoft chose to put the Notes field, which maps to the info attribute and is a very useful general-purpose text field that is underused by many enterprises. The Organization tab shows job title, department, company, and organizational relationships.

User configuration management: The Profile tab. Here you can configure the user's profile path, logon script, and home folder.

Group membership: The Member Of tab. You can add the user to and remove the user from groups and change the user's primary group. Group memberships and the primary group will be discussed in another module.

Terminal services: The Terminal Services Profile, Environment, Remote Control, and Sessions tabs. These four tabs enable you to configure and manage the user's experience when the user is connected to a Terminal Services session.

Remote access: The Dial-in tab. You can enable and configure remote access permission for a user on the Dial-in tab.

Applications: The COM+ tab. This tab enables you to assign the user to an Active Directory COM+ partition set. This feature facilitates the management of distributed applications.
To create a user account template:
1. Create a user account and prepopulate appropriate attributes.
Tip: Use a naming standard that makes templates easy to find. For example, set the full name to begin with an underscore (_), as in _Sales User. The underscore will cause all templates to appear at the top of the list of users in an OU.
2. Disable the template user account. The template account itself should not be used to log on to the network, so be sure to disable the account.

To create a user based on the template:
1. Right-click the template user account and then click Copy. The Copy Object User Wizard appears.
2. In First name, type the user's first name.
3. In Last name, type the user's last name.
4. Modify the Full name value if necessary.
5. In User logon name, type the user logon name, then select the appropriate user principal name (UPN) suffix in the drop-down list.
6. In User logon name (pre-Windows 2000), type the user's pre-Windows 2000 username.
7. Click Next.
8. In Password and Confirm password, type the user's password.
9. Select the appropriate password options.
10. If the user account from which the new user account was copied was disabled, clear Account is disabled to enable the new account.
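The user-creation steps in Lesson 1 and the template copy above can be scripted so that the naming rules are enforced every time. The following Windows PowerShell function, added here and not part of the course, derives the Full name, CN, UPN and pre-Windows 2000 name the way the wizard does, checks that the CN is unique in the OU and that the UPN suffix is defined, copies a disabled template with -Instance, and enables the new account (step 10). The ActiveDirectory module, the OU path, and the template name _Sales User are assumptions.

```powershell
# Added example, not from the course. Assumes the ActiveDirectory module, the
# OU below, and (optionally) a disabled template account such as _Sales User.
Import-Module ActiveDirectory

function New-ContosoUser {
    param(
        [Parameter(Mandatory = $true)] [string] $First,
        [Parameter(Mandatory = $true)] [string] $Last,
        [string] $Initials,                       # middle initial(s) only, as the text notes
        [string] $UpnSuffix = 'contoso.com',
        [string] $Path = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com',
        [string] $TemplateSam,                    # sAMAccountName of a template, e.g. _Sales User
        [Parameter(Mandatory = $true)] [SecureString] $Password
    )

    # Full name becomes both the CN and displayName, as the New Object - User wizard does.
    $fullName = if ($Initials) { "$First $Initials. $Last" } else { "$First $Last" }

    # The CN must be unique within the container; check first rather than
    # letting New-ADUser fail with a name-collision error.
    $existing = Get-ADObject -LDAPFilter "(cn=$fullName)" -SearchBase $Path -SearchScope OneLevel
    if ($existing) { throw "An object named '$fullName' already exists in $Path." }

    # The UPN suffix must be the domain DNS name or one added in Active Directory
    # Domains and Trusts; the pre-Windows 2000 logon name is limited to 20 characters.
    $validSuffixes = @((Get-ADForest).UPNSuffixes) + @((Get-ADDomain).DNSRoot)
    if ($validSuffixes -notcontains $UpnSuffix) { throw "UPN suffix '$UpnSuffix' is not defined." }
    $logon = "$First.$Last"
    if ($logon.Length -gt 20) { throw "'$logon' exceeds the 20-character pre-Windows 2000 limit." }

    $params = @{
        Name                  = $fullName
        DisplayName           = $fullName
        GivenName             = $First
        Surname               = $Last
        SamAccountName        = $logon
        UserPrincipalName     = "$logon@$UpnSuffix"
        Path                  = $Path
        AccountPassword       = $Password
        ChangePasswordAtLogon = $true    # the user, not IT, should know the password
        Enabled               = $true    # templates are disabled; the copy must be enabled (step 10)
    }
    if ($Initials) { $params.Initials = $Initials }

    if ($TemplateSam) {
        # Copy Object: -Instance supplies the template's attributes as defaults and
        # the explicit parameters above override them. Only the properties fetched
        # here are copied; memberOf is a back-link and must be copied separately.
        $params.Instance = Get-ADUser -Identity $TemplateSam -Properties Department, Company, `
            Title, Office, StreetAddress, City, State, PostalCode, Country, HomeDirectory, `
            HomeDrive, ProfilePath, ScriptPath
    }

    $user = New-ADUser @params -PassThru
    if ($TemplateSam) {
        foreach ($group in Get-ADPrincipalGroupMembership -Identity $TemplateSam) {
            if ($group.SamAccountName -ne 'Domain Users') {   # primary group; already a member
                Add-ADGroupMember -Identity $group -Members $user
            }
        }
    }
    return $user
}

# Interactive usage:
# New-ContosoUser -First Linda -Last Danseglio -TemplateSam '_Sales User' `
#     -Password (Read-Host -AsSecureString 'Initial password')
```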
Additional Reading
Demonstration: Create Users with Templates
Copy a User Account
Module 4
Manage Groups
Contents:
Lesson 1: Manage an Enterprise with Groups ... 2
Lab Review Questions and Answers ... 8
Lesson 1
6. Type the name of the new group in the Group name box. Most organizations have naming conventions that specify how group names should be created. Be sure to follow the guidelines of your organization. By default, the name you type is also entered as the Group name (pre-Windows 2000). It is highly recommended that you keep the two names the same.
7. Do not change the name in the Group name (pre-Windows 2000) box.
8. Choose the Group type. A Security group is a group that can be given permissions to resources. It can also be configured as an e-mail distribution list. A Distribution group is an e-mail-enabled group that cannot be given permissions to resources and is therefore used only when a group is an e-mail distribution list that has no possible requirement for access to resources. Group type will be discussed in more detail later in this module.
9. Select the Group scope. A Global group is typically used to identify users based on criteria such as job function, location, etc. A Domain local group is used to collect users and groups who share similar resource access needs, such as all users who need to be able to modify a project report. A Universal group is typically used to collect users and groups from multiple domains. Group scope will be discussed in more detail later in this module.
10. Click OK.

Group objects have a number of properties that are useful to configure. These can be specified after the object has been created.

To specify properties for a group:
1. Right-click the group, and then click Properties.
2. Enter the properties for the group. Be sure to follow the naming conventions and other standards of your organization. The group's Members and Member Of tabs specify who belongs to the group and what groups the group itself belongs to. The group's Description field, because it is easily visible in the details pane of the Active Directory Users and Computers snap-in, is a good place to summarize the purpose of the group and the contact information for the individual(s) responsible for deciding who is and is not a member of the group. The group's Notes field can be used to provide more detail about the group. The Managed By tab can be used to link to the user or group that is responsible for the group. The contact information on the Managed By tab is populated from the account specified in the Name box. The Managed By tab is typically used for contact information so that if a user wants to join the group, you can decide who in the business should be contacted to authorize the new member. However, if you select the Manager can update membership list option, the account specified in the Name box will be given permission to add and remove members of the group. This is one method to delegate administrative control over the group. To change the user or group that is referred to on the Managed By tab, click the Change button underneath the Name box. By default, the Select User, Contact, or Group dialog box that appears does not, despite its name, search for groups. To search for groups, you must first click the Object Types button and select Groups.
3. Click OK.
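The Manager can update membership list option described above amounts to two changes: the group's managedBy attribute is set, and that account is granted write access to the group's member attribute. The following Windows PowerShell script, added here and not taken from the course, creates a group as in steps 6 to 10 and applies that delegation explicitly so it can be reviewed in the ACL. The ActiveDirectory module, the group name, the OU, the description text, and Pat.Coleman as manager are assumptions.

```powershell
# Added example, not from the course. Assumes the ActiveDirectory module, the
# OU below, and the course account Pat.Coleman as the group's manager.
Import-Module ActiveDirectory

$groupName = 'APP_Project Report_Modify'          # follow your organization's naming convention
$ou        = 'OU=Groups,DC=contoso,DC=com'
$manager   = 'Pat.Coleman'

# Steps 6-10: create a global security group and keep the pre-Windows 2000
# name identical. The description states purpose and owner (constructed text).
$group = New-ADGroup -Name $groupName -SamAccountName $groupName -Path $ou `
    -GroupCategory Security -GroupScope Global -PassThru `
    -Description 'Modify access to the Project Report share. Owner: Pat Coleman (contact placeholder)'

# Managed By tab: link the responsible account. (-ManagedBy accepts a user or
# a group; the GUI Select dialog must be re-scoped to find a group.)
Set-ADGroup -Identity $group -ManagedBy $manager

# "Manager can update membership list": grant Write Property on the member
# attribute only, nothing broader. Resolve the attribute's schemaIDGUID from
# the schema rather than hard-coding it.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$memberAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' `
                  -Properties schemaIDGUID
$memberGuid = [guid]$memberAttr.schemaIDGUID
$managerSid = (Get-ADUser -Identity $manager).SID

$adPath = "AD:\$($group.DistinguishedName)"
$acl    = Get-Acl -Path $adPath
$rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$ace    = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
              -ArgumentList $managerSid, $rights, $allow, $memberGuid
$acl.AddAccessRule($ace)
Set-Acl -Path $adPath -AclObject $acl

# Verify: the manager should now hold a single WriteProperty ACE scoped to 'member'.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference.Value -eq "CONTOSO\$manager" -and $_.ObjectType -eq $memberGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```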
Additional Reading
Demonstration: Create a Group Object
Create a New Group
Module 5
Support Computer Accounts
Contents:
Lesson 1: Create Computers and Join the Domain ... 2
Lab Review Questions and Answers ... 4
Lesson 1
Module 6
Implement a Group Policy Infrastructure
Contents:
Lesson 1: Understand Group Policy  2
Lesson 2: Implement GPOs  4
Lesson 3: A Deeper Look at Settings and GPOs  9
Lesson 5: Group Policy Processing  14
Lab Review Questions and Answers  16
Lesson 1
Additional Reading
Review and Discuss the Components of Group Policy
TechNet contains detailed technical and operational guides to Group Policy, including the following:
Windows Server Group Policy
How Core Group Policy Works
Deploying Group Policy Using Windows Vista
Summary of New or Expanded Group Policy Settings
What's New in Group Policy in Windows Vista
Lesson 2
Implement GPOs
Contents:
Question and Answers  5
Detailed Demo Steps  6
Additional Reading  8
Link a GPO
1. In the GPMC console tree, right-click the contoso.com domain, and then click Link an Existing GPO.
2. Select CONTOSO Standards and click OK.
Delete a GPO
1. In the GPMC console tree, in the Group Policy Objects container, right-click the CONTOSO Standards GPO, and then click Delete.
2. Click No.
Additional Reading
Local GPOs
Multiple Local Group Policy objects
Step-by-Step Guide to Managing Multiple Local Group Policy Objects
Lesson 3
10. In the drop-down list next to the text box, select Exact, and click OK. Administrative Templates policy settings are filtered to show only those that contain the words screen saver.
11. Spend a few moments examining the settings that you have found.
12. In the console tree, right-click Administrative Templates under User Configuration, and then click Filter Options.
13. Clear the Enable Keyword Filters check box.
14. In the Configured drop-down list, select Yes, and then click OK. Administrative Template policy settings are filtered to show only those that have been configured (enabled or disabled).
15. Spend a few moments examining those settings.
16. In the console tree, right-click Administrative Templates under User Configuration and clear the Filter On option.
5. Double-click the Password protect the screen saver policy setting.
6. Click the Comment tab.
7. Type Corporate IT Security Policy implemented with this policy in combination with Screen Saver Timeout, and click OK.
Create a new GPO by importing settings that were exported from another GPO
1. In the GPMC console tree, expand the Group Policy Objects container, right-click the CONTOSO Desktop GPO, and then click Back Up.
2. In Location: type D:\Labfiles\Lab06b, and then click Back Up.
3. When the backup finishes, click OK.
4. In the GPMC console tree, right-click the Group Policy Objects container, and then click New.
5. In Name: type CONTOSO Import, and then click OK.
6. In the GPMC console tree, right-click the CONTOSO Import GPO, and then click Import Settings. The Import Settings Wizard appears.
7. Click Next three times.
8. Select the CONTOSO Desktop GPO, and then click Next two times.
Additional Reading
Manage GPOs and their Settings
GPO Operations
Backing up, Restoring, Migrating, and Copying GPOs
Lesson 5
Additional Reading
Slow Links and Disconnected Systems
How Core Group Policy Works
interfere with the functionality of an application. In order to test whether the application works on a pure installation of Windows, you might need to exclude the user or computer from the scope of GPOs, at least temporarily for testing.

Question 3: Do you use loopback policy processing in your organization? In what scenarios and for what policy settings can loopback policy processing add value?
Answer: Answers will vary. Scenarios including conference rooms, kiosks, virtual desktop infrastructures, and other standard environments should certainly be mentioned.

Lab D: Troubleshoot Policy Application
Question 1: In what situations have you used RSoP reports to troubleshoot Group Policy application in your organization?
Answer: The answer depends on your situation.
Question 2: In what situations have you used, or could you anticipate using, Group Policy modeling?
Answer: The answer depends on your situation.
Question 3: Have you ever diagnosed a Group Policy application problem based on events in one of the event logs?
Answer: The answer depends on your situation.
Module 7
Manage Enterprise Security and Configuration with Group Policy Settings
Contents:
Lesson 1: Delegate the Support of Computers  2
Lesson 2: Manage Security Settings  6
Lesson 3: Manage Software with GPSI  10
Lab Review Questions and Answers  14
Lesson 1
10. Click OK to close the Add Group dialog box. A Properties dialog box appears.
11. Click the Add button next to the This Group Is A Member Of section.
12. Type Administrators, and click OK. The Properties group policy setting should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.
13. Click OK again to close the Properties dialog box.

Delegating the membership of the local Administrators group in this manner adds the group specified in step 9 to that group. It does not remove any existing members of the Administrators group. The Group Policy setting simply tells the client, "Make sure this group is a member of the local Administrators group." This allows for the possibility that individual systems could have other users or groups in their local Administrators group. This group policy setting is also cumulative. If multiple GPOs configure different security principals as members of the local Administrators group, all will be added to the group. To take complete control of the local Administrators group, follow these steps:
Demonstration steps
1. In the Group Policy Management Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Restricted Groups.
2. Right-click Restricted Groups, and choose Add Group.
3. Type Administrators, and click OK. A Properties dialog box appears.
4. Click the Add button next to the Members Of This Group section.
5. Click the Browse button and enter the name of the group you want to make the sole member of the Administrators group, for example, CONTOSO\Help Desk, and click OK.
6. Click OK again to close the Add Member dialog box. The group policy setting Properties should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.
7. Click OK again to close the Properties dialog box.
When you use the Members setting of a restricted groups policy, the Members list defines the final membership of the specified group. The steps just listed result in a GPO that authoritatively manages the Administrators group. When a computer applies this GPO, it will add all members specified by the GPO and will remove all members not specified by the GPO, including Domain Admins. Only the local Administrator account will not be removed from the Administrators group because Administrator is a permanent and unremovable member of Administrators.
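The difference between the Member Of (additive) and Members (authoritative) forms of the policy is easiest to see on a client after a Group Policy refresh. The script below is an added example for this companion content, not course or product code: it reads the local Administrators group through the WinNT ADSI provider, which is available on Windows Server 2008 without additional modules, and compares it with the membership the GPO is expected to enforce. The expected list and the computer name are constructed for the example.

```powershell
# Added example, not course content: verify on a client what a Restricted Groups
# policy produced. Reads local Administrators through the WinNT provider and
# compares it with the membership the GPO is meant to enforce.
$Expected = @('CONTOSO\Help Desk', 'CONTOSO\Domain Admins')   # constructed: the "Members" list of the GPO
# The built-in Administrator account is never removed by a Restricted Groups policy.
$Always   = @("$env:COMPUTERNAME\Administrator")

function Get-LocalAdministrators {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        # ADsPath looks like WinNT://CONTOSO/Help Desk or WinNT://SERVER01/Administrator
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Compare-RestrictedGroup {
    param([string[]]$Expected, [string[]]$Always)
    $actual = @(Get-LocalAdministrators)
    $want   = $Expected + $Always
    New-Object PSObject -Property @{
        Actual     = $actual
        # Missing: policy not applied yet, or configured as "Member Of" on a different group.
        Missing    = @($want   | Where-Object { $actual -notcontains $_ })
        # Unexpected: leftovers. "Member Of" leaves them in place; "Members" would have removed them.
        Unexpected = @($actual | Where-Object { $want   -notcontains $_ })
    }
}

$result = Compare-RestrictedGroup -Expected $Expected -Always $Always
"Current members : " + ($result.Actual     -join ', ')
"Missing         : " + ($result.Missing    -join ', ')
"Unexpected      : " + ($result.Unexpected -join ', ')
```

An empty Unexpected list after a refresh is the sign that the authoritative Members form is in effect; a list that still contains locally added accounts means only the additive Member Of form is being applied.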
Additional Reading
Define Group Membership with Group Policy Preferences
Group Policy Management Console Help, Local Users and Groups Extension
Lesson 2
10. Right-click C:\Users\Pat.Coleman_Admin\Documents\Security\Templates, and then click New Template.
11. Type DC Remote Desktop, and then click OK.
12. Click Start > Administrative Tools and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
13. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
14. In the details pane, right-click Corporate Help Desk, and then click Edit. The Group Policy Management Editor appears.
15. In the console tree, expand Computer Configuration, Policies, Windows Settings, and then click Security Settings.
16. Right-click Security Settings, and then click Import Policy.
17. Select the DC Remote Desktop template, and then click Open.
Additional Reading
Configure the Local Security Policy
Server Security Policy Settings
Lesson 3
25. Click OK two times to close the Advanced Security Settings dialog boxes.
26. In the Customize Permissions dialog box, click the Share Permissions tab.
27. Select the check box next to Full Control and below Allow. Security management best practice is to configure least privilege permissions in the ACL of the resource, which will apply to users regardless of how users connect to the resource, at which point you can use the Full Control permission on the SMB shared folder. The resultant access level will be the more restrictive permissions defined in the ACL of the folder.
28. Click OK.
29. Click Finish.
30. Click Finish to close the wizard.
31. Click Start, click Run, type \\SERVER01\c$, and then press ENTER. The Connect to SERVER01 dialog box appears.
32. In the User name box, type CONTOSO\Pat.Coleman_Admin.
33. In the Password box, type Pa$$w0rd, and then press ENTER. A Windows Explorer window opens, focused on the root of the C drive on SERVER01.
34. Open the Software folder.
35. Click the File menu, point to New, and then click Folder. A new folder is created and is in rename mode.
36. Type XML Notepad, and then press ENTER.
37. Right-click the XML Notepad folder, and then click Properties.
38. Click the Security tab.
39. Click Edit.
40. Click Add. The Select Users, Computers, or Groups dialog box appears.
41. Type APP_XML Notepad, and then press ENTER. The group is given the default, Read & Execute permission.
42. Click OK twice to close all open dialog boxes.
43. Open the XML Notepad folder.
44. Open the D:\Labfiles\Lab07b folder in a new window.
45. Right-click XMLNotepad.msi, and then click Copy.
46. Switch to the Windows Explorer window displaying \\server01\c$\Software\XML Notepad.
47. Right-click in the empty details pane, and then click Paste. XML Notepad is copied into the folder on SERVER01.
48. Close all open Windows Explorer windows.
49. Close the Computer Management console.
Additional Reading
Software Deployment Options
Group Policy Software Installation overview
permission to a parent folder. The least privilege ACLs used in this Lab are a perfect example of the value of this user right.

Question 2: Consider the methods used to scope the deployment of XML Notepad: assigning the application to computers, filtering the GPO to apply to the APP_XML Notepad group that contains only computers, and linking the GPO to the Client Computers OU. Why is this approach advantageous for deploying most software? What would be the disadvantage of scoping software deployment to users rather than to computers?
Answer: Most software is licensed per computer, so it is important to deploy such applications scoped to computers, rather than to users. The result is the same: the application is deployed to the computers of the users who require the application. If you were to deploy an application to users, it would follow the users to whatever computers they logged on to. For example, if a user logged on to a conference room computer or to a colleague's computer, the application would be installed on those computers as well. By scoping to a group of computers, and linking the GPO to a high-level OU (or even to the domain), you have maximum flexibility to deploy the application to whatever computers require it.

Lab D: Audit File System Access
Question 1: What are the three major steps required to configure auditing of file system and other object access?
Answer: 1) Configure auditing settings on the file/folder SACL. 2) Enable audit policy for object access, in a GPO scoped to the server. 3) Examine event log audit entries.
Question 2: What systems should have auditing configured? Is there a reason not to audit all systems in your enterprise? What types of access should be audited, and by whom should they be audited? Is there a reason not to audit all access by all users?
Answer: Auditing should reflect IT security and usage policies. Auditing not only puts a (small) burden on performance of a system, but also generates excessive noise that can make finding the important events even harder. What, who, and when auditing is performed should be aligned with why auditing is being performed, as driven by your business requirements.
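The three steps in the answer to Question 1 map directly onto a short script. What follows is an added example for this companion content, not part of the lab: it writes an audit entry to the SACL of the lab's XML Notepad folder, enables the File System subcategory of Object Access locally with auditpol (the lab does this in a GPO scoped to the server), and reads back the resulting 4663 events. The audited principal, the folder path on the server, and the event counts are constructed for the example.

```powershell
# Added example, not course content: the three steps of Lab D as a script, on the
# lab's XML Notepad folder (local path on SERVER01). Principal and counts are constructed.
$Folder = 'C:\Software\XML Notepad'
$Who    = 'Everyone'

# Step 1: an audit entry in the folder's SACL. Only write-type access is audited
# (success and failure), and the entry is inherited by subfolders and files,
# which keeps the noise discussed in Question 2 down.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $Who,
            [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Step 2: the Object Access policy. Done locally here with auditpol; for more than
# one server it belongs in a GPO scoped to the servers, as the lab does it.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 3: read the audit entries. 4663 = access to the object was exercised (success);
# a denied attempt is logged as 4656 (handle requested) with the Audit Failure keyword.
function Get-FolderAccessEvents([string]$Path, [int]$Newest = 50) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[6].Value -like "$Path*" } |            # ObjectName
        Select-Object -First $Newest TimeCreated,
            @{ n = 'User';    e = { $_.Properties[2].Value + '\' + $_.Properties[1].Value } },
            @{ n = 'Object';  e = { $_.Properties[6].Value } },
            @{ n = 'Access';  e = { ($_.Properties[8].Value -replace '\s+', ' ').Trim() } },   # AccessList
            @{ n = 'Process'; e = { $_.Properties[11].Value } }
}
Get-FolderAccessEvents -Path $Folder | Format-Table -AutoSize
```

Set-Acl on a SACL needs the Manage auditing and security log user right, so the script must run from an elevated prompt. Restricting the audit rule to write-type rights rather than Full Control is the practical answer to the noise problem raised in Question 2: every Read & Execute of the deployed package would otherwise generate an event.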
Module 8
Secure Administration
Contents:
Lesson 1: Delegate Administrative Permissions  2
Lab Review Questions and Answers  6
Lesson 1
6. Click Next. You will next specify the specific task you wish to assign to that group.
7. On the Tasks to Delegate page, select the task. In our example, you would select Reset User Passwords and Force Password Change at Next Logon.
8. Click Next.
9. Review the summary of the actions that have been performed, and click Finish. The Delegation of Control Wizard applies the ACEs that are required to enable the selected group to perform the specified task.
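Once the wizard has written its ACEs, the natural check is to read them back and see which accounts they really reach. The script below is an added example for this companion content, not part of the course, and it serves two passages of this module: the Reset Password right that the wizard delegates on the User Accounts OU, and the permission to change the member list that the "Manager can update membership list" option on a group's Managed By tab grants (Module 4). It assumes the Windows Server 2008 R2 ActiveDirectory module with its AD: drive; the OU and group distinguished names are constructed from the lab's names. The two GUIDs are the schema identifiers of the Reset Password control access right and of the member attribute.

```powershell
# Added example, not course content: report who holds a delegated right on an
# AD object and expand groups so nested accounts are listed. Assumes the
# Windows Server 2008 R2 ActiveDirectory module; DNs are constructed from lab names.
Import-Module ActiveDirectory

# Schema identifiers: rightsGuid of the "Reset Password" control access right,
# and schemaIDGUID of the member attribute (written when "Manager can update
# membership list" is selected on a group's Managed By tab).
$RightGuids = @{
    'Reset Password' = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    'Write Members'  = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
}

function Get-DelegatedRight {
    param([string]$DistinguishedName, [string]$Right)
    $guid = $RightGuids[$Right]
    $acl  = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        $holdsRight = ($ace.ObjectType -eq $guid) -or
                      ($ace.ActiveDirectoryRights -eq 'GenericAll')     # full control implies the right
        if (-not $holdsRight) { continue }
        New-Object PSObject -Property @{
            Object    = $DistinguishedName
            Right     = $Right
            Trustee   = $ace.IdentityReference.Value
            Access    = $ace.AccessControlType          # Deny entries are reported too
            Inherited = $ace.IsInherited
        }
    }
}

function Expand-Trustee {
    # Resolve DOMAIN\Name to the accounts it stands for, nested groups included.
    param([string]$Trustee)
    $name = $Trustee.Split('\')[-1]
    $obj  = Get-ADObject -Filter { sAMAccountName -eq $name }
    if (-not $obj)                    { return $Trustee }   # well-known principal, e.g. NT AUTHORITY\SELF
    if ($obj.ObjectClass -ne 'group') { return $name }
    Get-ADGroupMember -Identity $name -Recursive | ForEach-Object { $_.SamAccountName }
}

function Get-DelegationReport([string]$DistinguishedName, [string]$Right) {
    Get-DelegatedRight -DistinguishedName $DistinguishedName -Right $Right |
        Where-Object { -not $_.Inherited } |      # explicit entries: what was delegated on this object
        ForEach-Object {
            $ace = $_
            Expand-Trustee -Trustee $ace.Trustee | ForEach-Object {
                New-Object PSObject -Property @{ Right = $ace.Right; Access = $ace.Access; Via = $ace.Trustee; Account = $_ }
            }
        }
}

# Who can reset passwords in the User Accounts OU, and through which group?
Get-DelegationReport 'OU=User Accounts,DC=contoso,DC=com' 'Reset Password' |
    Format-Table Access, Account, Via -AutoSize

# Who can change a group's membership through its Managed By setting? (group DN constructed)
Get-DelegationReport 'CN=APP_XML Notepad,OU=Groups,DC=contoso,DC=com' 'Write Members' |
    Format-Table Access, Account, Via -AutoSize
```

Reporting explicit entries only is deliberate: it shows what was delegated on that object, which is what a reviewer wants when deciding whether an ACL can be reset to its schema default. Drop the Inherited filter to see rights that arrive from the domain head.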
Additional Reading
Understand Effective Permissions
The best way to manage delegation in Active Directory is through role-based access control. Although this approach will not be covered on the certification exam, it is well worth understanding for real-world implementation of delegation. See the Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008) for more information.
Question 3: Does Windows make it easy to answer the questions, "Who can reset user passwords?" and "What can XXX do as an administrator?"
Answer: The user interfaces and command-line tools are neither detailed nor administrator-friendly enough to be useful reporting tools.

Question 4: What is the benefit of a two-tiered, role-based management group structure when assigning permissions in Active Directory?
Answer: There are several benefits. First, it allows you to change who can do what without changing a single ACL in Active Directory. If another group or user needs to be able to reset Employee passwords, simply add that group (or user) to the AD_User Accounts_Support group. Second, it makes it easier to report delegation. If you list the members (including nested users) of AD_User Accounts_Support, you instantly know who has permission to reset passwords for users in the User Accounts OU. In other words, role-based management helps overcome some of the difficulties that were identified with reporting.
Note: Role-based management is a big topic, and there are other aspects of role-based management, including discipline and auditing, that are required to ensure that the members of a group such as AD_User Accounts_Support have the permissions they are supposed to have, and no other permissions, and that no other users or groups have been delegated the same permissions.

Question: What is the danger of resetting the ACL of an OU back to its schema-defined default?
Answer: You don't necessarily know what permissions are applied to the OU unless you find some way to do detailed reporting. Moreover, you don't necessarily know why those permissions were assigned to the OU
or by whom. There may be good reasons for some custom, explicit permissions, and removing them may cause something in your environment to break. For example, when you install Microsoft Exchange Server, explicit permissions are applied to certain Active Directory objects.

Lab B: Audit Active Directory Changes
Question 1: What details are captured by Directory Services Changes auditing that are not captured by Directory Service Access auditing?
Answer: Directory Services Changes auditing captures important details, including the specific attribute that is changed and the change that was made.
Question 2: What types of administrative activities would you want to audit using Directory Services Changes auditing?
Answer: Lead a discussion to elicit suggestions from students. Pose the question: Why not audit all changes in Active Directory? Answer: the volume of event log entries would make finding particularly important changes difficult. Guide students to an understanding that the configuration of Directory Services auditing should be driven by the requirements of an organization's IT security policies and procedures.
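The detail that Question 1 refers to, the attribute name and the value that changed, lives in event 5136. The script below is an added example for this companion content, not course material: it enables the Directory Service Changes subcategory locally with auditpol (in production this is set through the Default Domain Controllers Policy), writes a SACL entry on one OU so that writes beneath it are audited, and then reads 5136 back field by field. The OU is the lab's User Accounts OU; the script assumes the Windows Server 2008 R2 ActiveDirectory module.

```powershell
# Added example, not course content: Directory Service Changes auditing for one OU,
# then the 5136 events read field by field. Assumes the 2008 R2 ActiveDirectory module.
Import-Module ActiveDirectory
$OU = 'OU=User Accounts,DC=contoso,DC=com'

# 1. Audit policy on the DC (normally set in the Default Domain Controllers Policy GPO).
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. SACL: audit successful writes by Everyone on the OU and every object beneath it.
$acl  = Get-Acl -Path "AD:\$OU" -Audit
$sid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')    # Everyone
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteTree, WriteDacl',
            [System.Security.AccessControl.AuditFlags]::Success,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# 3. 5136 = a directory service object was modified. Its data fields include
#    ObjectDN, AttributeLDAPDisplayName, AttributeValue and OperationType,
#    which is the detail that plain Directory Service Access auditing lacks.
function Get-DirectoryChangeEvents([string]$Ou, [int]$Newest = 25) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 1000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -like "*$Ou" } |                # ObjectDN under the OU
        Select-Object -First $Newest TimeCreated,
            @{ n = 'By';        e = { $_.Properties[4].Value + '\' + $_.Properties[3].Value } },
            @{ n = 'Object';    e = { $_.Properties[8].Value } },
            @{ n = 'Attribute'; e = { $_.Properties[11].Value } },
            @{ n = 'Value';     e = { $_.Properties[13].Value } },
            @{ n = 'Operation'; e = { if ($_.Properties[14].Value -eq '%%14675') { 'Value Deleted' } else { 'Value Added' } } }
}
Get-DirectoryChangeEvents -Ou $OU | Format-Table -AutoSize
```

A modified attribute produces a pair of 5136 events, one "Value Deleted" carrying the old value and one "Value Added" carrying the new one, which is how the "change that was made" in the answer can be reconstructed. Auditing only WriteProperty and delete rights on a few sensitive OUs, rather than all access on the whole domain, is the practical answer to the volume problem raised in Question 2.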
Module 9
Improve the Security of Authentication in an Active Directory Domain Services (AD DS) Domain
Contents:
Lesson 1: Configure Password and Lockout Policies  2
Lesson 3: Configure Read-Only Domain Controllers  7
Lab Review Questions and Answers  11
Lesson 1
Close the Group Policy Management Editor window. Close the Group Policy Management window.
10. Right-click ADSI Edit, and then click Connect To.
11. Accept all defaults. Click OK.
12. In the console tree, click Default Naming Context.
13. In the console tree, expand Default Naming Context, and then click DC=contoso,DC=com.
14. In the console tree, expand DC=contoso,DC=com, and then click CN=System.
15. In the console tree, expand CN=System, and then click CN=Password Settings Container. All PSOs are created and stored in the Password Settings Container (PSC).
16. Right-click the PSC, point to New, and then click Object. The Create Objects dialog box appears. It prompts you to select the type of object to create. There is only one choice: msDS-PasswordSettings, the technical name for the object class referred to as a PSO.
17. Click Next. You are then prompted for the value for each attribute of a PSO. The attributes are similar to those found in the domain account policies.
18. Configure each attribute as indicated below. Click Next after each attribute.
   - cn: My Domain Admins PSO. This is the common name of the PSO.
   - msDS-PasswordSettingsPrecedence: 1. This PSO has the highest possible precedence.
   - msDS-PasswordReversibleEncryptionEnabled: False. The password is not stored using reversible encryption.
   - msDS-PasswordHistoryLength: 30. The user cannot reuse any of the last 30 passwords.
   - msDS-PasswordComplexityEnabled: True. Password complexity rules are enforced.
   - msDS-MinimumPasswordLength: 15. Passwords must be at least 15 characters long.
   - msDS-MinimumPasswordAge: 1:00:00:00. A user cannot change his or her password within one day of a previous change. The format is d:hh:mm:ss (days, hours, minutes, seconds).
   - msDS-MaximumPasswordAge: 45:00:00:00. The password must be changed every 45 days.
   - msDS-LockoutThreshold: 5. Five invalid logons within the time frame specified by the next attribute (msDS-LockoutObservationWindow) will result in account lockout.
   - msDS-LockoutObservationWindow: 0:01:00:00. Five invalid logons (specified by the previous attribute) within one hour will result in account lockout.
   - msDS-LockoutDuration: 1:00:00:00. An account, if locked out, will remain locked for one day, or until it is unlocked manually. A value of zero will result in the account remaining locked out until an administrator unlocks it.
19. Click Finish.
20. Close ADSI Edit.
21. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
22. In the console tree, expand the System container. If you do not see the System container, click the View menu of the MMC console and ensure that Advanced Features is selected.
23. In the console tree, click the Password Settings Container.
24. Right-click My Domain Admins PSO, click Properties, and then click the Attribute Editor tab.
25. In the Attributes list, select msDS-PSOAppliesTo, and then click Edit. The Multi-valued Distinguished Name With Security Principal Editor dialog box appears.
26. Click Add Windows Account. The Select Users, Computers, or Groups dialog box appears.
27. Type Domain Admins, and then press ENTER.
28. Click OK twice to close the open dialog boxes.
29. In the console tree, expand the contoso.com domain and the Admins OU, and then click the Admin Identities OU.
30. Right-click Pat Coleman (Administrator) and click Properties.
31. Click the Attribute Editor tab.
32. Click the Filter button, and click the Constructed option, so that it is selected.
33. Open the value of the msDS-ResultantPSO attribute.
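The same PSO, with the same values as steps 18 through 27, can be created and applied with the ActiveDirectory module of Windows Server 2008 R2, which also spares you the d:hh:mm:ss notation. This is an added example for this companion content, not course material; it finishes with the cmdlet equivalent of reading msDS-ResultantPSO in step 33.

```powershell
# Added example, not course content: the PSO from steps 18-27 built with the
# Windows Server 2008 R2 ActiveDirectory module instead of ADSI Edit.
Import-Module ActiveDirectory

$PsoName = 'My Domain Admins PSO'

# The cmdlet takes TimeSpans where ADSI Edit wanted d:hh:mm:ss strings.
$pso = @{
    Name                        = $PsoName
    Precedence                  = 1                       # lowest number wins when several PSOs apply
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 30
    ComplexityEnabled           = $true
    MinPasswordLength           = 15
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 45)
    LockoutThreshold            = 5
    LockoutObservationWindow    = (New-TimeSpan -Hours 1)
    LockoutDuration             = (New-TimeSpan -Days 1)
}
New-ADFineGrainedPasswordPolicy @pso

# Steps 25-27: this writes msDS-PSOAppliesTo on the PSO.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects 'Domain Admins'

# Step 33: what a given account actually gets. The cmdlet returns nothing when no
# PSO applies, which means the domain account policy (Default Domain Policy) is in effect.
function Get-EffectivePso([string]$SamAccountName) {
    $result = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($result) {
        $result | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold, LockoutDuration
    } else {
        "$SamAccountName : no PSO applies; the domain password and lockout policy is in effect"
    }
}
Get-EffectivePso -SamAccountName 'Pat.Coleman_Admin'
```

Because PSOs apply only to users and global security groups, checking the resultant policy per account rather than reading the PSO itself is the reliable way to confirm who is covered.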
Additional Reading
Configure the Domain Password and Lockout Policy
Windows Server 2003 Security Guide Chapter 3: The Domain Policy
Lesson 3
10. Examine the default membership of Allowed RODC Password Replication Group.
11. Click OK.
12. Double-click Denied RODC Password Replication Group.
13. Click the Members tab.
14. Click Cancel to close the Denied RODC Password Replication Group properties.
10. Click the Policy Usage tab.
11. Click the Prepopulate Passwords button. The Select Users or Computers dialog box appears.
12. Type the name of the account you want to pre-populate, and then click OK.
13. Click Yes to confirm that you want to send the credentials to the RODC. A message appears: Passwords for all accounts were successfully prepopulated.
14. Click Close.
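The Password Replication Policy and its Policy Usage tab can also be reviewed and driven from the command line, which is what you want for a periodic check of which secrets a branch RODC actually holds. The following is an added example for this companion content, not course material; it uses the Windows Server 2008 R2 ActiveDirectory module and repadmin. The RODC name, hub DC name and the user account are constructed.

```powershell
# Added example, not course content: review an RODC's password replication policy,
# list the credentials it already caches, and prepopulate one account.
# Names below are constructed for the example.
Import-Module ActiveDirectory
$Rodc       = 'BRANCHDC01'
$WritableDc = 'HQDC01.contoso.com'
$BranchUser = 'BRANCH_USER'     # placeholder sAMAccountName of a user who works at the branch

# The Allowed and Denied lists (steps 10-14 of the previous procedure). Denied wins over Allowed.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object @{ n = 'Allowed'; e = { $_.Name } }
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object @{ n = 'Denied';  e = { $_.Name } }

# The Policy Usage tab: accounts whose secrets are stored on the RODC right now.
# This is exactly the set exposed if the RODC's physical security fails, so it is
# worth comparing with the list of people who actually work at the branch.
function Get-RodcCachedAccounts([string]$RodcName) {
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
        Select-Object Name, ObjectClass, DistinguishedName
}
Get-RodcCachedAccounts -RodcName $Rodc | Format-Table -AutoSize

# Accounts that authenticated through this RODC but could not be cached (not on the
# Allowed list): candidates for the Allowed list if they belong to the branch.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass

# The Prepopulate Passwords button: repadmin needs the RODC, a writable DC to source
# the secret from, and the account DN. The account must be permitted by the PRP.
$UserDn = (Get-ADUser -Identity $BranchUser).DistinguishedName
repadmin /rodcpwdrepl $Rodc $WritableDc $UserDn
```

Prepopulating only accounts that appear in the branch's Allowed list keeps the cached set equal to the people who actually log on there, which is the trade-off the lab review question on prepopulation asks about.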
Additional Reading
Deploy an RODC
For details regarding other options for installing an RODC, including delegated installation, see http://go.microsoft.com/fwlink/?LinkId=168763.
Question 3: What are the pros and cons of prepopulating the credentials for all users and computers in a branch office to that branch's RODC?
Answer: There is no clear-cut answer to this question. Use it to review the strategic role of an RODC. By prepopulating the credentials of users (and computers) in the branch RODC cache, you ensure that authentication performance is maximized (on the first logon; after that, the credential would have been cached since the users are on the Allow list anyway), and you ensure that, if the WAN link is unavailable on the first logon, users can authenticate. The disadvantage is that, should there be a breach of physical security on the RODC, those credentials are exposed even if the users have not yet logged on in the branch.
Module 10
Configure Domain Name System (DNS)
Contents:
Lesson 3: AD DS, DNS, and Windows  2
Lesson 4: Advanced DNS Configuration and Administration  4
Lab Review Questions and Answers  6
Lesson 3
10. In the console tree, expand HQDC01, Forward Lookup Zones, and contoso.com, and then click the _tcp node.
11. Right-click the SRV record for hqdc01.contoso.com, and then click Delete.
12. Switch to Command Prompt.
13. Type net stop netlogon and then press ENTER.
14. Type net start netlogon and then press ENTER.
15. Switch to DNS Manager.
16. In the console tree, right-click the _tcp node, and then click Refresh. Examine the SRV record for hqdc01.contoso.com.
17. Click Start, and in Start Search type notepad.exe.
18. Click File, click Open, type %systemroot%\system32\config\netlogon.dns in the File Name box, and then press ENTER.
19. Examine the default SRV records.
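The file opened in step 18 lists every record the Net Logon service tries to register, so it doubles as a checklist: each name in it should resolve to this DC. The script below is an added example for this companion content, not course material. It parses netlogon.dns, queries each SRV name with nslookup (the tool the course uses) against a DNS server you name, and reports the records that are missing. The DNS server name is the lab's HQDC01; nothing is changed on the server.

```powershell
# Added example, not course content: confirm that every SRV record listed in
# %systemroot%\system32\config\netlogon.dns (step 18) is resolvable. Read-only.
function Get-NetlogonSrvRecords {
    # Lines look like:  _ldap._tcp.contoso.com. 600 IN SRV 0 100 389 hqdc01.contoso.com.
    $file = Join-Path $env:SystemRoot 'system32\config\netlogon.dns'
    Get-Content $file | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)') {
            New-Object PSObject -Property @{
                Name   = $matches[1].TrimEnd('.')
                Port   = [int]$matches[2]
                Target = $matches[3].TrimEnd('.')
            }
        }
    }
}

function Test-SrvRecord([string]$Name, [string]$Target, [string]$DnsServer) {
    # nslookup prints one "svr hostname = <target>" line per SRV answer; look for our DC.
    $out = & nslookup -type=SRV $Name $DnsServer 2>&1 | Out-String
    [bool]($out -match ('(?i)svr\s+hostname\s*=\s*' + [regex]::Escape($Target)))
}

function Test-DcSrvRegistration([string]$DnsServer = 'HQDC01.contoso.com') {
    Get-NetlogonSrvRecords | Sort-Object Name -Unique | ForEach-Object {
        New-Object PSObject -Property @{
            Record   = $_.Name
            Target   = $_.Target
            Resolves = Test-SrvRecord -Name $_.Name -Target $_.Target -DnsServer $DnsServer
        }
    }
}

# Records with Resolves = False are what "net stop netlogon / net start netlogon"
# (steps 13-14) re-registers; gaps that persist after that point at dynamic update
# or zone permission problems rather than at the DC.
$report = Test-DcSrvRegistration
$report | Where-Object { -not $_.Resolves } | Format-Table Record, Target -AutoSize
"{0} of {1} SRV records resolve" -f @($report | Where-Object { $_.Resolves }).Count, @($report).Count
```

The site-specific records (the _sites branch) are included because netlogon.dns carries them too; a DC that resolves domain-wide but not for its own site still causes clients in that site to pick a remote DC.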
Lesson 4
Additional Reading
Resolving Single-Label Names
Providing Single-Label DNS Name Resolution
Deploying the GlobalNames Zone
Module 11
Administer Active Directory Domain Services (AD DS) Domain Controllers (DCs)
Contents:
Lesson 1: Domain Controller Installation Options  2
Lesson 2: Install a Server Core DC  4
Lab Review Questions and Answers  6
Lesson 1
Additional Reading
Unattended Installation Options and Answer Files
For a complete reference of dcpromo parameters and unattended installation options, see: http://go.microsoft.com/fwlink/?LinkId=168475
Lesson 2
Additional Reading
Understand Server Core
Server Core Installation Option
Module 12
Manage Sites and Active Directory Replication
Contents:
Lesson 1: Configure Sites and Subnets  2
Lesson 2: Configure the Global Catalog and Application Partitions  4
Lab Review Questions and Answers  6
Lesson 1
Additional Reading
Domain Controller Location: Client
For more information about domain controller location, see http://go.microsoft.com/fwlink/?LinkId=168550.
Lesson 2
Additional Reading
Understand Application Directory Partitions
For more information about application directory partitions, visit http://go.microsoft.com/fwlink/?LinkId=168551. To learn how to manage application directory partitions, see http://go.microsoft.com/fwlink/?LinkId=168553. For more information about application directory partitions and domain controller demotion, see http://go.microsoft.com/fwlink/?LinkId=168554.
Question 3: Is the procedure you performed in Exercise 2 enough to create a hub and spoke replication topology, which ensures that all changes from branches are replicated to the headquarters before being replicated to other branches? If not, what must still be done? Answer: You must disable Bridge all site links.
Module 13
Directory Service Continuity
Contents:
Lesson 1: Monitor Active Directory  2
Lesson 2: Manage the Active Directory Database  6
Lesson 3: Back Up and Restore AD DS and Domain Controllers  10
Lab Review Questions and Answers  13
Lesson 1
10. Double-click any event to show the details.
11. Expand the Microsoft Windows folder to display the logs.
12. It is also possible to connect to another computer. Reminder: Remote event-log management must be enabled on the remote computer's firewall. Working with the firewall is part of the upcoming lab for this lesson.
Create a subscription
1. For this, we need to ensure that we are logged on to all collector and source computers as administrator.
2. On each source computer, at an elevated command prompt, type winrm quickconfig.
3. On the collector computer, at an elevated command prompt, type Wecutil qc.
4. Add the computer account of the collector computer to the local Administrators group on each of the source computers.
5. Create the subscription.
6. Filter events to show only errors from the system log.
Demonstration: Monitor AD DS
Demonstration steps
1. If it is not already started, launch the virtual machine 6525B-HQDC01-B and log on as Contoso\Pat.Coleman_Admin with Password Pa$$w0rd.
Additional Reading
Event Viewer
Event Viewer
Custom Views
Create and Manage Custom Views
Subscriptions
Event Subscriptions
Reliability Monitor
Using Reliability Monitor
Performance Monitor
Using Performance Monitor
Lesson 2
To perform an offline defrag of the Active Directory database while in an AD DS stopped state:

1. Click Start, click Run, type CMD, and then press ENTER.
2. In the command window, type ntdsutil, and then press ENTER.
3. At the ntdsutil: prompt, type Activate Instance NTDS, and then press ENTER.
4. At the ntdsutil: prompt, type files, and then press ENTER.
5. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath (where drive:\LocalDirectoryPath is the path to a location on the local computer). After a short while, press CTRL+C to break the process. This process can take a long time to complete.
6. After the process has completed, you would need to copy NTDS.dit to a backup location, along with the logs (*.log), and then delete the logs (*.log).
7. Best practice is to check the integrity of the newly compacted database last. Type integrity to check the integrity of the newly compacted database. This process, like a compact, takes a long time to complete. Press CTRL+C at any time to break the process and move on to the next part of the demo.
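The demonstration interrupts the compact and integrity runs to save time; the script below is what the complete procedure looks like when it is allowed to finish, with the copy, swap and roll-back steps that the demo only describes. It is an added example for this companion content, not course material. ntdsutil accepts its menu commands as command-line arguments, so no interactive prompt is needed; the scratch and backup folders are constructed, and the real database and log paths are read from the NTDS service registry key.

```powershell
# Added example, not course content: offline defragmentation of ntds.dit with
# the stopped-AD-DS (restartable AD DS) method, including the copy, swap and
# integrity steps. Scratch and backup paths are constructed.
$Compact = 'D:\Compact'          # needs free space at least equal to the current ntds.dit
$Backup  = 'D:\NtdsBackup'       # the old database and logs are kept here until the new file passes

$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$DitFile = $params.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$LogDir  = $params.'Database log files path'    # e.g. C:\Windows\NTDS

New-Item -ItemType Directory -Path $Compact, $Backup -Force | Out-Null

# 1. Stop AD DS; /y also stops the services that depend on it.
net stop ntds /y

# 2. Compact to a new file (steps 3-5). "quit" twice leaves the two ntdsutil menus.
ntdsutil "activate instance ntds" files "compact to $Compact" quit quit
if (-not (Test-Path (Join-Path $Compact 'ntds.dit'))) {
    net start ntds
    throw 'compact produced no ntds.dit; original database left in place'
}

# 3. Keep the old database and logs, swap in the compacted copy, and remove the
#    old transaction logs, which belong to the old file (step 6).
Copy-Item $DitFile $Backup
Copy-Item (Join-Path $LogDir '*.log') $Backup
Copy-Item (Join-Path $Compact 'ntds.dit') $DitFile -Force
Remove-Item (Join-Path $LogDir '*.log')

# 4. Integrity check of the new file before AD DS comes back (step 7).
$out = ntdsutil "activate instance ntds" files integrity quit quit | Out-String
if ($out -match 'Integrity check successful') {
    net start ntds
    'Compacted database is in service.'
} else {
    # Roll back: restore the saved database and logs, then start AD DS again.
    Copy-Item (Join-Path $Backup 'ntds.dit') $DitFile -Force
    Copy-Item (Join-Path $Backup '*.log') $LogDir
    net start ntds
    throw "Integrity check failed; original database restored.`n$out"
}
```

Keeping the old file until the integrity check passes is the part that makes the procedure safe to run on a production domain controller; without it a failed compaction leaves the DC unable to start the directory service.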
Additional Reading
Active Directory Database Files
How the Data Store Works
NTDSUtil
Data Store Tools and Settings
How to remove data in Active Directory after an unsuccessful domain controller demotion
Lesson 3
Additional Reading
Backup and Recovery Tools
Backup and Recovery Overview for Windows Server 2008
Windows Server Backup
Windows Server Backup Step-by-Step Guide for Windows Server 2008
Backing Up Your Server
Module 14
Manage Multiple Domains and Forests
Contents:
Lesson 2: Manage Multiple Domains and Trust Relationships  2
Lab Review Questions and Answers  6
Lesson 2
If the domain is in the same forest, the wizard knows it is a shortcut trust.
7. If you are creating a realm trust, you will be prompted to indicate whether the trust is transitive or non-transitive. (Realm trusts are discussed later in this lesson.)
8. On the Direction Of Trust page, select one of the following:
   - Two-Way. This establishes a two-way trust between the domains.
   - One-Way: Incoming. This establishes a one-way trust in which the domain you selected in step 2 is the trusted domain, and the domain you entered in step 5 is the trusting domain.
   - One-Way: Outgoing. This establishes a one-way trust in which the domain you selected in step 2 is the trusting domain, and the domain you entered in step 5 is the trusted domain.
9.
Click Next.
10. On the Sides Of Trust page, select one of the following: Both this domain and the specified domain. This establishes both sides of the trust. This requires that you have permission to create trusts in both domains. This domain Only. This creates the trust relationship in the domain you selected in step 2. An administrator with permission to create trusts in the other domain must repeat this process to complete the trust relationship.
The next steps will depend on the options you selected in steps 8 and 10. The steps will involve one of the following:
   - If you selected Both this domain and the specified domain, you must enter a user name and password with permissions to create the trust in the domain specified in step 5.
   - If you selected This domain only, you must enter a trust password. A trust password is entered by administrators on each side of a trust to establish the trust. The passwords should not be the administrators' user account passwords. Instead, each should be a unique password used only for the purpose of creating this trust. The passwords are used to establish the trust, and then the domains change them immediately.
11. If the trust is an outgoing trust, you are prompted to choose either Selective Authentication or the broader option for the trust type: Domain-Wide Authentication for an external trust, or Forest-Wide Authentication for a forest trust.
12. The New Trust Wizard summarizes your selections on the Trust Selections Complete page. Click Next. The wizard creates the trust.
13. The Trust Creation Complete page appears. Verify the settings, and then click Next. You will then have the opportunity to confirm the trust. This option is useful if you have created both sides of the trust or if you are completing the second side of a trust.
If you selected Both This Domain And The Specified Domain in step 8, the process is complete. If you selected This Domain Only in step 8, the trust relationship will not be complete until an administrator in the other domain completes the process:
   - If the trust relationship you established is a one-way outgoing trust, an administrator in the other domain must create a one-way incoming trust.
   - If the trust relationship you established is a one-way incoming trust, an administrator in the other domain must create a one-way outgoing trust.
   - If the trust relationship you established is a two-way trust, an administrator in the other domain must create a two-way trust.
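The choices made in steps 8 and 11 (direction, and selective versus domain-wide or forest-wide authentication) can be audited afterwards from PowerShell. The script below is an added example, not part of the course; it uses the .NET System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2008 (no AD PowerShell module needed), assumes it runs as a domain user on a domain member, and also reports SID filtering and verifies each outgoing trust, which the wizard steps above do not cover.

```powershell
# Added example, not course content: list every trust of the current domain and
# report the settings that govern how far the other side's accounts can reach.
Add-Type -AssemblyName System.DirectoryServices
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

$report = foreach ($t in $domain.GetAllTrustRelationships()) {
    $target = $t.TargetName
    # Selective authentication, SID filtering and outbound verification only
    # apply where this domain trusts the other side (outgoing or two-way).
    $selective = 'n/a'; $sidFilter = 'n/a'; $verified = 'n/a'
    if ($t.TrustDirection -ne 'Inbound') {
        # Forest trusts are properties of the forest root, not of the domain.
        $scope = if ($t.TrustType -eq 'Forest') { $forest } else { $domain }
        try {
            $selective = $scope.GetSelectiveAuthenticationStatus($target)
            $sidFilter = $scope.GetSidFilteringStatus($target)
        } catch { $selective = $sidFilter = "error: $($_.Exception.Message)" }
        try { $scope.VerifyOutboundTrustRelationship($target); $verified = 'ok' }
        catch { $verified = "failed: $($_.Exception.Message)" }
    }
    New-Object PSObject -Property @{
        Source = $t.SourceName; Target = $target
        Direction = $t.TrustDirection; Type = $t.TrustType
        SelectiveAuth = $selective; SidFiltering = $sidFilter; Outbound = $verified
    }
}

$report | Format-Table Source, Target, Direction, Type, SelectiveAuth, SidFiltering, Outbound -AutoSize

# Trusts to review: an external or forest trust without selective authentication
# grants domain-wide or forest-wide authentication to every account on the far
# side, and SID filtering turned off lets SID history from that side be honoured.
$review = $report | Where-Object {
    (('External', 'Forest') -contains $_.Type) -and
    ($_.SelectiveAuth -eq $false -or $_.SidFiltering -eq $false)
}
if ($review) {
    'Trusts that need review:'
    $review | Select-Object Target, Type, SelectiveAuth, SidFiltering
}
```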
Additional Reading
Move Objects Between Domains and Forests
For more information about domain migration, SIDs, and SID history, see the Domain Migration Cookbook.
Forest Trusts
You can learn about the DNS requirements for a forest trust at http://go.microsoft.com/fwlink/?LinkId=168831.
Resources
Contents:
Microsoft Learning
TechNet and MSDN Content
Communities
Microsoft Learning
This section describes various Microsoft Learning programs and offerings.
Microsoft Skills Assessments: Describes the skills assessment options available through Microsoft
Microsoft Learning: Describes the training options available through Microsoft, face-to-face or self-paced
Microsoft Certification Program: Details how to become a Microsoft Certified Professional, Microsoft Certified Database Administrator, and more
Microsoft Learning Support: To provide comments or feedback about the course, send e-mail to support@mscourseware.com. To ask about the Microsoft Certification Program (MCP), send e-mail to mcphelp@microsoft.com
TechNet
How Core Group Policy Works
Server Security Policy Settings
Secedit
Security Configuration Wizard
Group Policy Software Installation overview
Microsoft Management Console 3.0
Active Directory Domain Services
Managing Active Directory from MMC
Install the Active Directory Schema snap-in
Remote Server Administration Tools Pack
Add, Remove, and Organize Snap-ins and Extensions in MMC 3.0
Using Run as
Search Active Directory
Managing Users
Create a New User Account
Create a New User Account (Duplicate of 168741)
Dsadd
Object Names
User Properties - Account Tab
Reset a User Password
Disable or Enable a User Account
Delete a User Account
Move a User Account
Copy a User Account
LDAP Query Basics
Delegated permissions are not available and inheritance is automatically disabled
Create a New Group
Default Groups
Default Local Groups
Read-Only Domain Controllers Step-by-Step Guide
Managing Server Integration with AD DS
Appendix A: RODC Technical Reference Topics
DNS
How DNS Query Works
What's New in the Server Core Installation Option
AD DS Auditing Step-by-Step Guide
Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide
End-to-End Scenario That Uses the Active Directory Database Mounting Tool
Windows Server Backup Step-by-Step Guide for Windows Server 2008
Planning and Architecture: AD DS
Domain Migration Cookbook Introduction
How Domain and Forest Trusts Work
Domain and Forest Trust Tools and Settings
Best Practices for Delegating Active Directory Administration (Windows Server 2003)
MSDN
There is no MSDN content for this course.
Communities
This section includes content from Communities for this course.
How to remove data in Active Directory after an unsuccessful domain controller demotion
Microsoft Identity and Access Solutions
DNS Global Names Document Download
Windows Server Active Directory Components pdf download
How to restore deleted user accounts and their group memberships in Active Directory
Courseware Feedback
Send all courseware feedback to support@mscourseware.com. We truly appreciate your time and effort. We review every e-mail received and forward the information on to the appropriate team. Unfortunately, because of volume, we are unable to provide a response but we may use your feedback to improve your future experience with Microsoft Learning products.
Reporting Errors
When providing feedback, include the training product name and number in the subject line of your e-mail. When you provide comments or report bugs, please include the following:
- Document or CD part number
- Page number or location
- Complete description of the error or suggested change
Please provide any details that are necessary to help us verify the issue.
Important: All errors and suggestions are evaluated, but only those that are validated are added to the product Knowledge Base article.