
OFFICIAL MICROSOFT LEARNING PRODUCT

6425B

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Companion Content

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2009 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

Product Number: 6425B Released: 11/2009

Introducing Active Directory Domain Services (AD DS)

1-1

Module 1
Introducing Active Directory Domain Services (AD DS)
Contents:
Lesson 1: Introducing Active Directory, Identity, and Access 2
Lesson 2: Active Directory Components and Concepts 4
Lesson 3: Install Active Directory Domain Services 8
Lab Review Questions and Answers 10


Lesson 1

Introducing Active Directory, Identity, and Access


Contents:
Additional Reading 3


Additional Reading
Information Protection in a Nutshell
Microsoft Identity and Access Solutions

Authorization
Logon and Authentication Technologies
Authorization and Access Control Technologies


Lesson 2

Active Directory Components and Concepts


Contents:
Detailed Demo Steps 5
Additional Reading 6


Detailed Demo Steps

Demonstration: Active Directory Schema
Detailed demonstration steps
1. Start 6425B-HQDC01-A and log on as Administrator with the password Pa$$w0rd.
2. Open D:\AdminTools\ADConsole.msc.
3. Expand the Active Directory node > Active Directory Schema [HQDC01.contoso.com] node. Look at the Attributes container.
4. Open the Properties of the following: objectSID, sAMAccountName (what most admins call the user name), unicodePwd, member, description.

Open the Classes container. While scrolling through, notice familiar object classes, including user, computer, and group.


Additional Reading
Demonstration: Active Directory Schema
What Is the Active Directory Schema?

Organizational Units
Modules 6 and 8 examine the purpose, management, and design of organizational units.

Policy-Based Management
Modules 6 through 9 detail policy based management.

The Active Directory Data Store


You will learn more about the partitions of Active Directory and about SYSVOL throughout this course. DNS is a focus of Module 10, and the PAS is examined in detail in Module 12. The contents of SYSVOL are explored in Module 6 and the objects stored in the Configuration are covered in Module 12. The objects in the Domain partition are covered in Modules 3-6 and database maintenance and administration tasks are detailed in Modules 9 and 13.

Domain Controllers
Domain Controllers are discussed throughout this course, but Modules 11 and 12 are focused specifically on domain controller administration and placement. Module 9 discusses RODCs.

Domain
You will learn more about domains throughout this course, and Module 14 focuses on the design considerations related to how many domains you should have in your enterprise.

Replication
Active Directory Replication is detailed in Module 12. SYSVOL replication is discussed in Module 9.

Sites
Active Directory site and subnet objects are the focus of Module 12.

Tree
The concepts and design of a multidomain forest are discussed in Module 14.

Forest
The concepts and design of a multidomain forest are discussed in Module 14.

The Global Catalog


The global catalog is explored in detail in Module 12.

Functional Level
Functional levels are detailed in Module 14.

DNS and Application Partitions


DNS is covered in Module 10.


Trust Relationships
Trust relationships are discussed in Module 14.


Lesson 3

Install Active Directory Domain Services


Contents:
Additional Reading 9


Additional Reading
Prepare to Create a New Forest with Windows Server 2008
This list comprises the settings that you will be prompted to configure when creating a domain controller. There are a number of additional considerations regarding the deployment of AD DS in an enterprise setting. See Windows Server 2008 Technical Library for more information.


Lab Review Questions and Answers


Lab A: Install an AD DS DC to Create a Single Domain Forest
After this lab you will have:
- Performed post-installation tasks: naming a server HQDC01, configuring the correct time zone, setting a display resolution of at least 1024 x 768, and specifying its IP address information
- Configured a single-domain forest named contoso.com with a single domain controller named HQDC01

Secure and Efficient Administration of Active Directory

2-1

Module 2
Secure and Efficient Administration of Active Directory
Contents:
Lesson 1: Work with Active Directory Snap-ins 2
Lesson 2: Custom Consoles and Least Privilege 5
Lesson 3: Find Objects in Active Directory 11
Lesson 4: Use DS Commands to Administer Active Directory 19
Lab Review Questions and Answers 21


Lesson 1

Work with Active Directory Snap-ins


Contents:
Question and Answers 3
Detailed Demo Steps 4
Additional Reading 7


Question and Answers


The MMC Console
Question 1: What administrative consoles have you used that have one snap-in?
Question 2: What administrative consoles have you used that feature more than one snap-in?


Detailed Demo Steps


Demonstration: Basic Administration with Active Directory Users and Computers
Detailed demonstration steps
To complete the following demonstration, do the following:
1. Launch 6425B-HQDC01-A and log on to HQDC01 as Pat.Coleman_Admin with the password Pa$$w0rd.
2. Open Active Directory Users and Computers from the Administrative Tools folder.

Viewing objects
The Active Directory Users and Computers snap-in displays the objects in the container (domain, organizational unit, or container) selected in the console tree.

Refreshing the view
The view is not refreshed automatically. If you want to see the latest changes to the view of objects, select the container in the console tree and then either click the Refresh button on the snap-in toolbar or press F5. You must select the container in the console tree before clicking Refresh (or pressing F5); clicking in an empty area of the details pane is not sufficient. This is a quirk of the Active Directory Users and Computers snap-in.

Creating objects
To create an object in Active Directory Users and Computers, right-click either the domain, a container (such as Users or Computers), or an organizational unit. Then point to New and click the type of object you want to create. When you create an object, you are prompted to configure a few of the most basic properties of the object, including the properties that are required for that type of object.

Configuring object attributes
After an object has been created, you can access its properties. Right-click the object and then click Properties. The Properties dialog that appears displays many of the most common properties of the object. Properties are grouped on tabs, to make it easier to locate a specific property. You can configure as many properties as you want, on as many tabs as you want, then click Apply or OK once to save all of the changes. The difference between Apply and OK is that the OK button closes the Properties dialog box, whereas Apply saves the changes and keeps the dialog box open so that you can make additional changes.


Viewing all object attributes
A user object has even more properties than are visible in its Properties dialog box. Some of the so-called hidden properties can be quite useful to your enterprise. To view these hidden user attributes, you must turn on the Attribute Editor, a new feature in Windows Server 2008. To turn on the Attribute Editor in the Active Directory Users and Computers snap-in:
1. Click the View menu.
2. Select the Advanced Features option.
To open the Attribute Editor for a specific Active Directory object:
3. Right-click the object and then click Properties.
4. Click the Attribute Editor tab.

The Attribute Editor tab of the Properties dialog box appears:


As you can see in the screen shot above, some attributes of a user object could be quite useful, including division, employeeID, employeeNumber, and employeeType. Although the attributes are not shown on the standard tabs of a user object, they are now available through the Attribute Editor. To change the value of an attribute, double-click the value. The attributes can also be accessed programmatically with Windows PowerShell, Windows Visual Basic Scripting Edition, or the Microsoft .NET Framework.
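As an added example (not part of the course content), the same hidden attributes read and written from Windows PowerShell through the System.DirectoryServices classes, which need no Active Directory module and so work on Windows Server 2008 with PowerShell 2.0. The domain contoso.com, the account Pat.Coleman, and the employee ID value are assumptions.

```powershell
# Added example (not part of the course): read and update the "hidden" user
# attributes shown on the Attribute Editor tab, using the System.DirectoryServices
# classes that PowerShell exposes through the [adsisearcher] and [ADSI] type
# accelerators. No Active Directory module is required, so this runs on
# Windows Server 2008 with PowerShell 2.0. Assumptions: domain contoso.com and
# an account with the sAMAccountName Pat.Coleman.

# Escape the characters that are special in an LDAP filter (RFC 4515), so a
# name taken from user input selects an object and never rewrites the query.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    # Backslash first, or the escapes added below would be escaped again.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Attributes that were never set are absent from a search result; return $null
# for those instead of failing on a missing index.
function Get-FirstValue {
    param($Properties, [string]$Name)
    if ($Properties.Contains($Name)) { return [string]$Properties[$Name][0] }
    return $null
}

# Locate a user by sAMAccountName and return the attributes the standard tabs hide.
function Get-HiddenUserAttributes {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string]$SearchRoot = 'LDAP://DC=contoso,DC=com'   # assumed domain
    )
    $sam = ConvertTo-LdapFilterValue $SamAccountName
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    $searcher.SearchRoot = [ADSI]$SearchRoot
    # Load only the attributes needed rather than every attribute of the object.
    foreach ($attr in 'distinguishedName', 'sAMAccountName', 'division',
                      'employeeID', 'employeeNumber', 'employeeType') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "No user with sAMAccountName '$SamAccountName' was found." }

    $p = $result.Properties   # property names come back in lowercase
    New-Object PSObject -Property @{
        DistinguishedName = Get-FirstValue $p 'distinguishedname'
        SamAccountName    = Get-FirstValue $p 'samaccountname'
        Division          = Get-FirstValue $p 'division'
        EmployeeID        = Get-FirstValue $p 'employeeid'
        EmployeeNumber    = Get-FirstValue $p 'employeenumber'
        EmployeeType      = Get-FirstValue $p 'employeetype'
    }
}

# Write a single attribute; nothing reaches the domain controller until SetInfo().
function Set-HiddenUserAttribute {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [Parameter(Mandatory = $true)][string]$Attribute,
        [Parameter(Mandatory = $true)][string]$Value
    )
    $user = [ADSI]"LDAP://$DistinguishedName"
    $user.Put($Attribute, $Value)
    $user.SetInfo()
}

# Usage with the assumed account: stamp an employee ID, then read it back.
$user = Get-HiddenUserAttributes -SamAccountName 'Pat.Coleman'
Set-HiddenUserAttribute -DistinguishedName $user.DistinguishedName -Attribute 'employeeID' -Value '100234'
Get-HiddenUserAttributes -SamAccountName 'Pat.Coleman' | Format-List
```

The write succeeds only when the script runs under credentials that hold write permission on the target attribute, which is why the demonstration runs the snap-in as Pat.Coleman_Admin rather than as Pat.Coleman.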


Additional Reading
The MMC Console
Microsoft Management Console 3.0

Active Directory Administration Snap-ins


Active Directory Domain Services
Managing Active Directory from MMC
Install the Active Directory Schema snap-in

Find Active Directory Snap-ins


Remote Server Administration Tools Pack


Lesson 2

Custom Consoles and Least Privilege


Contents:
Question and Answers 9
Detailed Demo Steps 10
Additional Reading 13


Question and Answers


Demonstration: Create a Custom MMC Console for Administering Active Directory
Question 1: Have you built a custom MMC console?
Question 2: What snap-ins have you found useful?
Question 3: Why did you build your own console?


Detailed Demo Steps


Demonstration: Create a Custom MMC Console for Administering Active Directory
Detailed demonstration steps
To complete the following demonstration, do the following: if not already started, launch 6425B-HQDC01-A and log on to HQDC01 as Pat.Coleman_Admin with the password Pa$$w0rd.
To create a customized MMC console:
1. Click Start. Then, in the Start Search box, type mmc.exe and press Enter.
2. Click the File menu, then click Add/Remove Snap-ins.

The Add/Remove Snap-ins dialog box allows you to add, remove, reorder, and manage the console's snap-ins. After you have installed the RSAT, all four Active Directory management snap-ins are installed; however, the Active Directory Schema snap-in will not appear in the Add/Remove Snap-ins dialog box until after you have registered the snap-in. To register Active Directory Schema:
1. Open a command prompt by clicking Start, typing cmd.exe, and pressing Enter.
2. Type regsvr32.exe schmmgmt.dll and press Enter.

Demonstration: Secure Administration with User Account Control and Run As Administrator
Detailed demonstration steps
1. The virtual machine should still be available after the last demonstration; therefore, log off from HQDC01.
2. Log on with user-level credentials: CONTOSO\Pat.Coleman with the password Pa$$w0rd.

To run as an administrator:
1. Right-click the shortcut for an executable, Control Panel applet, or MMC console that you want to launch, then click Run as administrator. If you do not see the command, try holding down the Shift key and right-clicking. The User Account Control dialog box appears, prompting for administrative credentials.
2. Click Use another account.
3. Enter the username and password of your administrative account.
4. Click OK.


Demonstration: "Super Consoles"
Detailed demonstration steps

1. The virtual machine should still be available from the previous demo; therefore, remain logged on to HQDC01 as Pat.Coleman_Admin with the password Pa$$w0rd from the previous demo.
To create a view of a shared folder:
2. Click the File menu, and then click Add/Remove Snap-in.
3. In the Available Snap-ins list, click Link to Web Address, and then click the Add button.

The Link to Web Address Wizard appears.
1. In Path or URL, type the universal naming convention (UNC) path to the shared folder, e.g. \\ServerName\ShareName, and then click Next.
2. Type a friendly name for the snap-in. This is the name that will appear in the console tree. Then click Finish.
3. Click OK.

In order to use the snap-in, the server that you are targeting must be in the Local Intranet or Trusted Sites security zone for Internet Explorer. This must be configured for the administrative credentials, because it is those credentials that are used by the mmc.exe process and by the snap-in.
1. Log on to the computer with your administrative credentials.
2. Click the Start button, and then click Control Panel.
3. Double-click Internet Options.
4. Click the Security tab.
5. Click Local intranet or Trusted Sites.
6. Click the Sites button.
7. Type \\ServerName, then click the Add button, then click OK.

There are many commands and applications that an administrator needs to run that are not MMC snap-ins. It can be tedious to launch each command or application with elevated credentials. To reduce the burden of least privilege administration, you can add these commands and applications to the MMC console. Because the MMC console is running with administrative credentials, any shell command executed from the console will automatically inherit the administrative credentials.
To create an Administrators Launch Pad from which you can open other tools:
1. Click the File menu, and then click Add/Remove Snap-in.
2. In the Available Snap-ins list, click Folder, then click the Add button, and then click OK.
3. In the console tree, right-click the Folder node you just added, and click Rename.
4. Type a name, e.g. Administrators Launch Pad, and then press Enter.
5. Right-click the folder and click New Taskpad View.


The New Taskpad View Wizard appears.
1. Click Next.
2. On the Taskpad Style page, click No List and then click Next.
3. On the Taskpad Reuse page, click Selected tree item and then click Next.
4. On the Name And Description page, accept the default name and click Next.
5. Clear the Add new tasks to this taskpad after the wizard closes check box, and then click Finish.
To add applications and commands to the administrative launch pad:
6. Right-click the administrative launch pad and then click Edit Taskpad View.
7. Click the Tasks tab.
8. Click the New button.

The New Task Wizard appears.
1. Click Next.
2. On the Command Type page, click Shell command and then click Next.
3. On the Command Line page, enter the requested data, then click Next. For example, to launch the Command Prompt, type cmd.exe for the Command. If the command is not in the system path, e.g. the System32 folder, you must enter the full path to the command.
4. Type a Task name, and then click Next.
5. Select a Task Icon, and then click Next. You can choose a custom icon. The following sources can provide useful icons: the command executable itself, %systemroot%\system32\shell32.dll, and %systemroot%\System32\Imageres.dll. For example, you can use %systemroot%\system32\cmd.exe as a source for the icon for the Command Prompt.
6. Click Next.
7. Click Finish and then click OK.


Additional Reading
Demonstration: Create a Custom MMC Console for Administering Active Directory
Add, Remove, and Organize Snap-ins and Extensions in MMC 3.0

Secure Administration with Least Privilege, Run As Administrator, and User Account Control
Using Run as

Demonstration: Secure Administration with User Account Control and Run As Administrator
Using Run as


Lesson 3

Find Objects in Active Directory


Contents:
Detailed Demo Steps 15
Additional Reading 21


Detailed Demo Steps


Demonstration: Use the Select Users, Contacts, Computers, or Groups Dialog Box
Detailed demonstration steps
1. The virtual machine should still be available from the previous demo; however, if not already started, launch 6425B-HQDC01-A and log on to HQDC01 as Pat.Coleman_Admin with the password Pa$$w0rd.
2. Add users to the Instructors group (in the Groups\Role OU) using the Members tab of the group as per the screenshots below.

If you know the names of the objects you need, you can type them directly into the large text box. Multiple names can be entered, separated by semicolons, as shown above. When you click OK, Windows looks up each item in the list and converts it into a link to the object, then closes the dialog box. The Check Names button also converts each name to a link, but leaves the dialog box open, as shown here:


You do not need to enter the full name; you can enter either the user's first or last name, or even just part of the first or last name. For example, the first screen shot above shows the first name linda, the last name danseglio, the partial name joan, and the name tony. When you click OK or Check Names, Windows will attempt to convert your partial name to the correct object. If there is only one matching object, the names will be resolved as shown in the second screenshot above. If there are multiple matches, such as the name Tony, you will be presented with the Multiple Names Found box shown below. Select the correct name(s) and click OK.

By default, the Select dialog box searches the entire domain. If you are getting too many results and wish to narrow down the scope of your search, or if you need to search another domain or the local users and groups on a domain member, click Locations. Additionally, the Select dialog box (despite its full name, Select Users, Contacts, Computers or Groups) rarely searches all four object types. When you add members to a group, for example, computers are not searched by default. If you enter a computer name, it will not be resolved correctly. When you specify the name on the Managed By tab, groups are not searched by default. You must make sure that the Select dialog box is scoped to resolve the types of objects you want to select. Click the Object Types button and use the Object Types dialog box shown below to select the correct types, and then click OK.

If you are having trouble locating the objects you want, click the Advanced button on the Select dialog box. The advanced view, shown below, allows you to search both name and description fields, as well as disabled accounts, non-expiring passwords, and stale accounts that have not logged on for a specific period of time.

Some of the fields on the Common Queries tab may be disabled, depending on the object type you are searching for. Click the Object Types button to specify exactly the type of object you want.


Demonstration: Control the View of Objects in Active Directory Users and Computers
Detailed demonstration steps
1. The virtual machine should still be available from the previous demo; however, if not already started, launch 6425B-HQDC01-A and log on to HQDC01 as Pat.Coleman_Admin with the password Pa$$w0rd.
2. Go to the Active Directory Users and Computers console.

To add the Last Name column to the details pane:
1. Click the View menu, and then click Add/Remove Columns.
2. In the Available Columns list, click Last Name.
3. Click the Add button.
4. In the Displayed columns list, click Last Name and click Move Up two times.
5. In the Displayed columns list, click Type and click Remove.
6. Click OK.
7. In the details pane, click the Last Name column header to sort alphabetically by last name.

Demonstration: Use the Find Command
Detailed demonstration steps

1. The virtual machine should still be available from the previous demo; however, if not already started, launch 6425B-HQDC01-A and log on to HQDC01 as Pat.Coleman_Admin with the password Pa$$w0rd.
2. Go to the Active Directory Users and Computers console and follow the steps as per the screenshots below.


Use the Find drop-down list to specify the type(s) of objects you want to query, or select Common Queries or Custom Search. The In drop-down list specifies the scope of the search. It is recommended that, whenever possible, you narrow the scope of the search to avoid the performance impacts of a large, domain-wide search. Together, the Find and the In lists define the scope of the search. Next, configure the search criteria. Commonly used fields are available as criteria based on the type of query you are performing. When you have specified your search scope and criteria, click Find Now. The results will appear. You can then right-click any item in the results list and choose administrative commands such as Move, Delete, and Properties.

Demonstration: Use Saved Queries Detailed demonstration steps


1. The virtual machine should still be available from the previous demo however if not already started, launch 6425B-HQDC01-A and log on to HQDC01 as Pat.Coleman_Admin with the password Pa$$w0rd.

To create a saved query:
1. Open the Active Directory Users and Computers snap-in. Saved queries are not available in the Active Directory Users and Computers snap-in that is part of Server Manager. You must use the Active Directory Users and Computers console or a custom console with the snap-in.
2. Right-click Saved Queries, point to New, then click Query.
3. Enter a name for the query.
4. Optionally, enter a description.
5. Click Browse to locate the root for the query. The search will be limited to the domain or OU you select. It is recommended that you narrow your search as much as possible, to improve search performance.
6. Click Define Query to define your query.
7. In the Find dialog box, select the type of object you want to query. The tabs in the dialog box and the input controls on each tab change to provide options that are appropriate for the selected query.
8. Configure the criteria for your query.
9. Click OK.

After your query is created, it is saved within the instance of the Active Directory Users and Computers snap-in. So if you opened the Active Directory Users and Computers console (dsa.msc), your query will be available the next time you open the console. If you created the saved query in a custom console, it will be available in that custom console. To transfer saved queries to other consoles or users, you can export the saved query as an XML file, and then import it to the target snap-in. The view of the saved query in the details pane can be customized as described earlier, with specific columns and sorting. A very important benefit of saved queries is that the customized view is specific to each saved query. When you add the Last Name column to the normal view of an OU, the Last Name column is actually added to the view of every OU, so you will see an empty Last Name column even for an OU of computers or groups. With saved queries, you can add the Last Name column to a query for user objects, and other columns for other saved queries. Saved queries are a powerful way to virtualize the view of your directory and to monitor for issues such as disabled or locked accounts. Learning to create and manage saved queries is a worthwhile use of your time.


Additional Reading
Options for Locating Objects in Active Directory
Search Active Directory


Lesson 4

Use DS Commands to Administer Active Directory


Contents:
Question and Answers 23


Question and Answers


Retrieve Object Attributes with DSGet
Question: Can you explain the difference between the DSQuery command and the DSGet command?


Lab Review Questions and Answers


Lab A: Create and Run a Custom Administrative Console
Question 1: Which snap-in are you most likely to use on a day-to-day basis to administer Active Directory?
Answer: The correct answer will be based on your own experience and situation, and answers will vary, but most people will use Active Directory Users and Computers regularly, to administer users, computers, and groups.
Question 2: When you build a custom MMC console for administration in your enterprise, what snap-ins will you add?
Answer: Answers will vary and be based on your own experience and situation.

Lab B: Find Objects in Active Directory
Question 1: In your work, what scenarios require you to search Active Directory?
Answer: Answers will vary and be based on your own experience and situation.
Question 2: What types of saved queries could you create to help you perform your administrative tasks more efficiently?
Answer: Answers will vary and be based on your own experience and situation.

Lab C: Use DS Commands to Administer Active Directory
Question 1: What can you do to avoid typing DNs of users, groups, or computers into DSGet and other DS commands?
Answer: Create command files or batch files of commonly used commands.
Question 2: How are wildcard searches with DSQuery different than searches performed with the Find command in Active Directory Users and Computers? In other words, what kind of search have you performed in this lab that would not have been possible using the basic interface of the Find command?
Answer: DSQuery offers flexible wildcard searches with the * wildcard. The Find command can only do Starts With queries.
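As an added example (not part of the lab or the course), the two Lab C answers carried into working commands: dsquery resolves names to DNs and pipes them into dsget so no DN is ever typed, and a leading * shows the search the Find command cannot do. It is saved as a PowerShell script rather than the batch file the answer names; the domain contoso.com, the "User Accounts" OU and the name patterns are assumptions.

```powershell
# Added example (not part of the lab): the DS commands from Lab C wrapped so that
# no distinguished name is ever typed. dsquery -o dn prints one quoted DN per
# line, and dsget reads DNs from standard input, so the two chain together.
# Assumptions: domain contoso.com with an OU named "User Accounts"; adjust
# $SearchBase for your own forest.

# A leading or embedded * is the search the Find dialog cannot express:
# '*coleman' matches names ending in coleman, '*ole*' matches anywhere.
# ('coleman*' is the Starts With query that Find already offers.)
function Find-UserDNByName {
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,
        [string]$SearchBase = 'OU=User Accounts,DC=contoso,DC=com'   # assumed OU
    )
    # -limit 0 removes the default cap of 100 results. PowerShell passes the *
    # to dsquery unchanged; it does not expand it.
    dsquery user $SearchBase -scope subtree -name $Pattern -o dn -limit 0
}

# Show the account attributes used when triaging users, for every match.
function Get-UserStatusByName {
    param([Parameter(Mandatory = $true)][string]$Pattern)
    $dns = @(Find-UserDNByName -Pattern $Pattern)
    if ($dns.Count -eq 0) { Write-Warning "No user matched '$Pattern'."; return }
    $dns | dsget user -samid -display -disabled -pwdneverexpires -mustchpwd
}

# The same pattern for the stale-account checks that the Find dialog offers only
# on its Common Queries tab. -inactive relies on the lastLogonTimestamp attribute,
# so it needs a Windows Server 2003 or later domain functional level.
function Get-StaleUserDN {
    param(
        [int]$InactiveWeeks = 4,
        [string]$SearchBase = 'OU=User Accounts,DC=contoso,DC=com'   # assumed OU
    )
    $stale = @(dsquery user $SearchBase -inactive $InactiveWeeks -o dn -limit 0)
    $stale += @(dsquery user $SearchBase -disabled -o dn -limit 0)
    $stale | Sort-Object -Unique   # an account can be both inactive and disabled
}

# Usage: the search Find cannot do, then the same DN list fed straight to dsget.
Find-UserDNByName -Pattern '*coleman'
Get-UserStatusByName -Pattern '*ole*'
Get-StaleUserDN | dsget user -samid -disabled
```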

Manage Users

3-1

Module 3
Manage Users
Contents:
Lesson 1: Create and Administer User Accounts 2
Lesson 2: Configure User Object Attributes 7
Lab Review Questions and Answers 13


Lesson 1

Create and Administer User Accounts


Contents:
Question and Answers 3
Detailed Demo Steps 4
Additional Reading 6

Manage Users

3-3

Question and Answers


Name Attributes
Question 1: What do you do in your organization to ensure the uniqueness of name attributes, and what naming conventions do you use?

Reset a User's Password

Questions:
1. What are the security implications of administrators having the right to reset user passwords?
2. Who should be able to reset the password for standard users? For accounts with administrative privileges? For service accounts?
3. What business practices for password reset are in place at your organization?

Unlock a User Account


Question 1: Other than forgotten passwords, have you experienced other scenarios that lead to account lockout?

Reset a User's Password

Questions:
1. What business practices for disabling and enabling accounts are in place in your organization?
2. What are the security implications of someone having the right to disable or enable user accounts?
3. Under what circumstances would you disable a user account rather than delete it?

Delete a User Account


Question 1: What are the business practices related to decommissioning a user account in your organization?


Detailed Demo Steps


Demonstration: Create a User Object Detailed demonstration steps
1. Start the 6425B-HQDC01-A virtual machine and log on to HQDC01 as the standard user account Pat.Coleman with the password Pa$$w0rd.
2. Run the Active Directory Users and Computers snap-in as an administrator, using the user name Pat.Coleman_Admin with the password Pa$$w0rd.

To create a user object:
1. Right-click the OU or container in which you want to create the user, point to New, and then click User.
2. In First name, type the user's first name.
3. In Initials, type the user's middle initial(s). Note that this property is, in fact, meant for the initials of a user's middle name, not the initials of the user's first and last name.
4. In Last name, type the user's last name.
5. The Full name field is populated automatically. Make modifications to it if necessary. The Full name field is used to create several attributes of a user object, most notably the common name (CN) and display name properties. The CN of a user is the Name displayed in the details pane of the snap-in. It must be unique within the container or OU. Therefore, if you are creating a user object for a person with the same name as an existing user in the same OU or container, you will need to enter a unique name in the Full name field.
6. In User logon name, type the name that the user will log on with and, from the drop-down list, select the UPN Suffix that will be appended to the user logon name following the @ symbol. Usernames in Active Directory can contain some special characters (including periods, hyphens, and apostrophes), which let you generate accurate usernames such as O'Hare and Smith-Bates. However, certain applications may have other restrictions, so it is recommended to use only standard letters and numerals until you have fully tested the applications in your enterprise for compatibility with special characters in logon names. The list of available UPN suffixes can be managed by using the Active Directory Domains and Trusts snap-in. Right-click the root of the snap-in, Active Directory Domains and Trusts, click Properties, and use the UPN Suffixes tab to add or remove suffixes. The DNS name of your Active Directory domain will always be available as a suffix and cannot be removed.
7. In the User logon name (pre-Windows 2000) box, enter the pre-Windows 2000 logon name, often called the downlevel logon name. In the Active Directory database, the name for this attribute is sAMAccountName.
8. Click Next.
9. Enter an initial password for the user in the Password and Confirm password boxes.
10. Select User must change password at next logon.

Manage Users

3-5

It is recommended that you always select this option so that the user can create a new password unknown to the IT staff. Appropriate support staff can always reset the user's password at a future date if they need to log on as the user or access the user's resources. But only users should know their passwords on a day-to-day basis.
11. Click Next.
12. Review the summary and then click Finish. The New Object - User interface allows you to configure a limited number of account-related properties, such as name and password settings. However, a user object in Active Directory supports dozens of additional properties. These can be configured after the object has been created.
13. Right-click the user object you created and then click Properties.
14. Configure user properties.
15. Click OK.

3-6

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Additional Reading
Demonstration: Create a User Object
Active Directory Users and Computers Help: Managing Users
Create a New User Account

Create Users with DSAdd


DSAdd

Name Attributes
Object Names

Account Attributes
User Properties - Account Tab

Reset a User's Password


Reset a User Password

Unlock a User Account


Module 9 covers account lockout policies in detail.

Disable and Enable User Accounts


Disable or Enable a User Account

Delete a User Account


Delete a User Account

Move a User Account


Move a User Account


Lesson 2

Configure User Object Attributes


Contents:
Question and Answers 8
Detailed Demo Steps 9
Additional Reading 12


Question and Answers


View All Attributes
Question: Are you using any of the hidden attributes in your organization? If so, how do you interact with those attributes (read them and modify them)?

Create Users with Templates


Question: What other methods do you use to create new user accounts with common attributes?


Detailed Demo Steps


Demonstration: Create a Custom MMC Console for Administering Active Directory
Detailed demonstration steps
1. If it is not already started, launch the 6425B-HQDC01-A virtual machine and log on to HQDC01 as user Pat.Coleman with the password Pa$$w0rd.
2. Run the Active Directory Users and Computers snap-in as an administrator (use the Pat.Coleman_Admin account with the password Pa$$w0rd) and follow the steps as shown in the screenshots below.
3. To read and modify the attributes of a user object, right-click the user and then click Properties.

Attributes of a user object fall into several broad categories that appear on tabs of the dialog box.


Account attributes: The Account tab. These properties include logon names, passwords, and account flags. Many of these attributes can be configured when you create a new user with the Active Directory Users and Computers snap-in. The Account Properties section details account attributes.

Personal information: The General, Address, Telephones, and Organization tabs. The General tab exposes the name properties that are configured when you create a user object, as well as basic description and contact information. The Address and Telephones tabs provide detailed contact information. The Telephones tab is also where Microsoft chose to put the Notes field, which maps to the info attribute and is a very useful general-purpose text field that is underused by many enterprises. The Organization tab shows job title, department, company, and organizational relationships.

User configuration management: The Profile tab. Here you can configure the user's profile path, logon script, and home folder.

Group membership: The Member Of tab. You can add the user to and remove the user from groups and change the user's primary group. Group memberships and the primary group will be discussed in another module.

Terminal services: The Terminal Services Profile, Environment, Remote Control, and Sessions tabs. These four tabs enable you to configure and manage the user's experience when the user is connected to a Terminal Services session.

Remote access: The Dial-in tab. You can enable and configure remote access permission for a user on the Dial-in tab.

Applications: The COM+ tab. This tab enables you to assign the user to an Active Directory COM+ partition set. This feature facilitates the management of distributed applications.

Demonstration: Create Users with Templates
Detailed demonstration steps


1. If it is not already started, launch the 6425B-HQDC01-A virtual machine and log on to HQDC01 as user Pat.Coleman with the password Pa$$w0rd.
2. Run the Active Directory Users and Computers snap-in as an administrator (use the Pat.Coleman_Admin account with the password Pa$$w0rd) and follow the steps as shown in the screenshots below.

To create a user account template:
1. Create a user account and prepopulate appropriate attributes. Tip: Use a naming standard that makes templates easy to find. For example, set the full name to begin with an underscore (_), as in _Sales User. The underscore will cause all templates to appear at the top of the list of users in an OU.
2. Disable the template user account. The template account itself should not be used to log on to the network, so be sure to disable the account.

To create a user based on the template:
1. Right-click the template user account and then click Copy. The Copy Object - User Wizard appears.
2. In First name, type the user's first name.
3. In Last name, type the user's last name.
4. Modify the Full name value if necessary.
5. In User logon name, type the user logon name, then select the appropriate user principal name (UPN) suffix in the drop-down list.
6. In User logon name (pre-Windows 2000), type the user's pre-Windows 2000 username.
7. Click Next.
8. In Password and Confirm password, type the user's password.
9. Select the appropriate password options.
10. If the user account from which the new user account was copied was disabled, clear Account is disabled to enable the new account.


Additional Reading
Demonstration: Create Users with Templates
Copy a User Account


Lab Review Questions and Answers


Lab A: Create and Administer User Accounts
Question 1: In this lab, which attribute(s) can be modified when you are creating a user account with the command prompt that cannot be modified when creating a user account with Active Directory Users and Computers?
Answer: Description, Display Name.
Question 2: What happens when you create a user account that has a password that does not meet the requirements of the domain?
Answer: The account is created, but it is disabled. It cannot be enabled until a password that meets the requirements of the domain is configured.

Lab B: Configure User Object Attributes
Question 1: What options have you learned for modifying attributes of new and existing users?
Answer: Multi-selecting users and opening the Properties dialog box, using the DSMod command, and creating a user account based on a user account template.
Question 2: What are the advantages and disadvantages of each?
Answer: Each option gives you the chance to configure a slightly different set of attributes. No option provides the opportunity to configure all of the available attributes for more than one user. For example, DSMod allows you to change users' descriptions, but you cannot configure the description of a new user based on a template, because the description attribute is not copied. DSMod allows you to reset passwords for multiple users, but you cannot do that when you select multiple users in Active Directory Users and Computers.

Lab C: Automate User Account Creation
Question: What scenarios lend themselves to importing users with CSVDE and LDIFDE?
Answer: If you are importing a large quantity of users, CSVDE and LDIFDE add significant value. Also, CSVDE and LDIFDE give you the ability to configure most user attributes, unlike templates and DSAdd, which support a very limited number of attributes.
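The bulk import that Lab C points to, as an added example that is not part of the course material: a Python generator for an LDIFDE-importable file that applies the naming rules from the user-creation steps above (unique CN within the OU, a logon name kept to letters, digits, periods and hyphens, a UPN suffix the domain actually offers) and sets the description that a template copy cannot. The people, OU and suffix list are constructed, and importing the accounts disabled (userAccountControl 514) with passwords set in a separate step is an assumed workflow.

```python
"""Generate an LDIF file for `ldifde -i -f users.ldf` that follows the
course's naming rules.  Added example, not course material; sample data
below is constructed and the disabled-on-import workflow is an assumption."""

import base64
import re
from typing import Dict, Iterable, List

# Logon-name pattern: the course recommends plain letters and numerals until
# applications are tested; '.' and '-' are kept because the course's own names
# (Pat.Coleman, Smith-Bates) use them.  20 chars is the sAMAccountName limit.
SAM_ACCOUNT_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,19}$")

# Characters that must be backslash-escaped inside a DN value (RFC 4514).
_DN_SPECIAL = re.compile(r'([,+"\\<>;])')

# NORMAL_ACCOUNT (0x200) | ACCOUNTDISABLE (0x2): import disabled, enable later.
USER_ACCOUNT_CONTROL_DISABLED = 0x200 | 0x2


def escape_dn_value(value: str) -> str:
    """Escape a string for use as the value of one DN component (CN=...).
    Assumes ASCII names; a non-ASCII DN would need a base64 'dn::' line."""
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def ldif_line(attr: str, value: str) -> str:
    """Format one attribute line; LDIF requires base64 ('::') for values that
    are non-ASCII or that start with a space, a colon or '<'."""
    safe = value.isascii() and value[:1] not in ("", " ", ":", "<")
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def validate_people(people: Iterable[Dict[str, str]], ou_dn: str,
                    upn_suffixes: Iterable[str]) -> List[str]:
    """Return the problems that would break the import or the naming rules;
    an empty list means the batch is clean."""
    allowed = {s.lower() for s in upn_suffixes}
    seen_cn = set()
    problems = []
    for p in people:
        cn = f"{p['first']} {p['last']}"          # CN must be unique in the OU
        if cn.lower() in seen_cn:
            problems.append(f"duplicate CN '{cn}' in {ou_dn}")
        seen_cn.add(cn.lower())
        if not SAM_ACCOUNT_NAME.match(p["logon"]):
            problems.append(f"logon name '{p['logon']}' is outside the recommended character set")
        if p["upn_suffix"].lower() not in allowed:  # suffixes come from AD Domains and Trusts
            problems.append(f"UPN suffix '{p['upn_suffix']}' is not defined for the domain")
    return problems


def build_ldif(people: Iterable[Dict[str, str]], ou_dn: str,
               upn_suffixes: Iterable[str]) -> str:
    """Return LDIF text with one 'changetype: add' record per person."""
    people = list(people)
    problems = validate_people(people, ou_dn, upn_suffixes)
    if problems:
        raise ValueError("; ".join(problems))
    records = []
    for p in people:
        cn = f"{p['first']} {p['last']}"
        lines = [
            f"dn: CN={escape_dn_value(cn)},{ou_dn}",
            "changetype: add",
            "objectClass: user",
            ldif_line("sAMAccountName", p["logon"]),
            ldif_line("userPrincipalName", f"{p['logon']}@{p['upn_suffix']}"),
            ldif_line("givenName", p["first"]),
            ldif_line("sn", p["last"]),
            ldif_line("displayName", cn),
            ldif_line("userAccountControl", str(USER_ACCOUNT_CONTROL_DISABLED)),
        ]
        if p.get("description"):  # settable by LDIFDE/DSAdd, not copied by a template
            lines.append(ldif_line("description", p["description"]))
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


# Constructed sample input (not real people); the OU and suffix list are assumed.
SAMPLE_OU = "OU=Sales,DC=contoso,DC=com"
SAMPLE_SUFFIXES = ["contoso.com"]
SAMPLE_PEOPLE = [
    {"first": "Siobhan", "last": "O'Hare", "logon": "siobhan.ohare",
     "upn_suffix": "contoso.com", "description": "Sales, Dublin"},
    {"first": "Jan", "last": "Smith-Bates", "logon": "jan.smith-bates",
     "upn_suffix": "contoso.com"},
]
```

Run `validate_people` on the whole batch first; `build_ldif` refuses a batch with any problem so that a half-imported OU never has to be cleaned up by hand.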


Module 4
Manage Groups
Contents:
Lesson 1: Manage an Enterprise with Groups 2
Lab Review Questions and Answers 8


Lesson 1

Manage an Enterprise with Groups


Contents:
Question and Answers 3
Detailed Demo Steps 4
Additional Reading 7


Question and Answers


Group Membership Possibilities Summarized
Question: What types of objects can be members of a global group in a domain?
Answer: Global groups can contain only users and other global groups from the same domain.


Detailed Demo Steps


Demonstration: Create a Group Object
Demonstration steps
To create a group:
1. Start 6425B-HQDC01-A.
2. Log on to HQDC01 as Pat.Coleman_Admin with the password Pa$$w0rd.
3. Open the Active Directory Users and Computers snap-in.
4. In the console tree, expand the node that represents your domain (for example, contoso.com) and navigate to the organizational unit (OU) or container (such as Users) in which you want to create the group.
5. Right-click the OU or container, point to New, and then click Group. The New Object - Group dialog box appears.
6. Type the name of the new group in the Group name box. Most organizations have naming conventions that specify how group names should be created. Be sure to follow the guidelines of your organization. By default, the name you type is also entered as the Group name (pre-Windows 2000). It is very highly recommended that you keep the two names the same.
7. Do not change the name in the Group name (pre-Windows 2000) box.
8. Choose the Group type. A Security group is a group that can be given permissions to resources. It can also be configured as an e-mail distribution list. A Distribution group is an e-mail-enabled group that cannot be given permissions to resources and is therefore used only when a group is an e-mail distribution list that has no possible requirement for access to resources. Group type will be discussed in more detail later in this module.
9. Select the Group scope. A Global group is typically used to identify users based on criteria such as job function, location, etc. A Domain local group is used to collect users and groups who share similar resource access needs, such as all users who need to be able to modify a project report. A Universal group is typically used to collect users and groups from multiple domains. Group scope will be discussed in more detail later in this module.
10. Click OK.

Group objects have a number of properties that are useful to configure. These can be specified after the object has been created.

To specify properties for a group:
1. Right-click the group, and then click Properties.
2. Enter the properties for the group. Be sure to follow the naming conventions and other standards of your organization. The group's Members and Member Of tabs specify who belongs to the group and what groups the group itself belongs to. The group's Description field, because it is easily visible in the details pane of the Active Directory Users and Computers snap-in, is a good place to summarize the purpose of the group and the contact information for the individual(s) responsible for deciding who is and is not a member of the group. The group's Notes field can be used to provide more detail about the group. The Managed By tab can be used to link to the user or group that is responsible for the group. The contact information on the Managed By tab is populated from the account specified in the Name box. The Managed By tab is typically used for contact information so that if a user wants to join the group, you can decide who in the business should be contacted to authorize the new member. However, if you select the Manager can update membership list option, the account specified in the Name box will be given permission to add and remove members of the group. This is one method to delegate administrative control over the group. To change the user or group that is referred to on the Managed By tab, click the Change button underneath the Name box. By default, the Select User, Contact, or Group dialog box that appears does not, despite its name, search for groups. To search for groups, you must first click the Object Types button and select Groups.
3. Click OK.


Additional Reading
Demonstration: Create a Group Object
Create a New Group

Role-Based Management: Role Groups and Rule Groups


For more information about role-based management, see Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).

Define Group Naming Conventions


For more information about managing groups effectively, see Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).


Lab Review Questions and Answers


Lab A: Administer Groups
Question 1: Describe the purpose of global groups in terms of role-based management.
Answer: Global groups are generally used to define roles.
Question 2: What types of objects can be members of global groups?
Answer: Global groups can include as members users and other roles (global groups) from the same domain.
Question 3: Describe the purpose of domain local groups in terms of role-based management of resource access.
Answer: Domain local groups are generally used to define a scope of management, such as managing a level of access to a resource.
Question 4: What types of objects can be members of domain local groups?
Answer: Domain local groups can contain roles (global groups) and individual users from any trusted domain in the same forest or an external forest, as well as other domain local groups in the same domain. Finally, domain local groups can contain universal groups from anywhere in the forest.
Question 5: If you have implemented role-based management and are asked to report who can read the Sales folders, what command would you use to do so?
Answer: You would use the DSGet command.

Lab B: Best Practices for Group Management
Question 1: What are some benefits of using the Description and Notes fields of a group?
Answer: Better documented groups are easier to find and understand, and are less likely to be misused for purposes other than their intended purpose.
Question 2: What are the advantages and disadvantages of delegating group membership?
Answer: Delegating group membership allows IT to get out of the middle. In most organizations, when a user needs access to a resource, he or she contacts IT, IT contacts the business owner to get approval, and then IT adds the user to the groups. Delegating allows the request to go straight to the business owner, who can then make the change to the group.


Module 5
Support Computer Accounts
Contents:
Lesson 1: Create Computers and Join the Domain 2
Lab Review Questions and Answers 4


Lesson 1

Create Computers and Join the Domain


Contents:
Question and Answers 3


Question and Answers


Secure Computer Creation and Joins
Question: What two things determine whether you can join a computer account to the domain?
Answer: To join a computer to a prestaged account, you must be given permission on the account to join it to the domain. If the account is not prestaged, the ms-DS-MachineAccountQuota attribute will determine the number of computers you can join to the domain in the default computer container without explicit permission.


Lab Review Questions and Answers


Lab A: Create Computers and Join the Domain
Question 1: What did you learn about the pros and cons of various approaches to creating computer accounts in an AD DS domain?
Answer: The correct answer will be based on your own experience and situation.
Question 2: What are the two credentials that are necessary for any computer to join a domain?
Answer: Local credentials that are in the local Administrators group of the computer, and domain credentials that have permissions to join a computer to the computer account.

Lab B: Administer Computer Objects and Accounts
Question: What insights did you gain into the issues and procedures regarding computer accounts and administering computer accounts through their life cycle?
Answer: The correct answer will be based on your own experience and situation.


Module 6
Implement a Group Policy Infrastructure
Contents:
Lesson 1: Understand Group Policy 2
Lesson 2: Implement GPOs 4
Lesson 3: A Deeper Look at Settings and GPOs 9
Lesson 5: Group Policy Processing 14
Lab Review Questions and Answers 16


Lesson 1

Understand Group Policy


Contents:
Additional Reading 3


Additional Reading
Review and Discuss the Components of Group Policy
TechNet contains detailed technical and operational guides to Group Policy, including the following:
Windows Server Group Policy
How Core Group Policy Works
Deploying Group Policy Using Windows Vista
Summary of New or Expanded Group Policy Settings
What's New in Group Policy in Windows Vista


Lesson 2

Implement GPOs
Contents:
Question and Answers 5
Detailed Demo Steps 6
Additional Reading 8


Question and Answers


Local GPOs
Question: If domain members can be centrally managed using domain-linked GPOs, in what scenarios might local GPOs be used?
Answer: Keep in mind that local GPOs are designed for non-domain environments.


Detailed Demo Steps


Demonstration: Create, Link, and Edit GPOs
Demonstration steps
Create a GPO
1. Start 6425B-HQDC01-A.
2. Log on to HQDC01 as Pat.Coleman with the password Pa$$w0rd.
3. Run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
4. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
5. In the console tree, right-click the Group Policy Objects container, and then click New.
6. In Name: type CONTOSO Standards, and then click OK.

Open a GPO for editing


1. In the details pane of the Group Policy Management console (GPMC), right-click the CONTOSO Standards GPO, and then click Edit. The Group Policy Management Editor (GPME) appears.
2. Close the GPME.

Link a GPO
1. In the GPMC console tree, right-click the contoso.com domain, and then click Link an Existing GPO.
2. Select CONTOSO Standards and click OK.

Delegate the management of GPOs


1. In the GPMC console tree, click the contoso.com domain.
2. In the details pane, click the Delegation tab.
3. Review the default delegation.
4. In the GPMC console tree, expand the Group Policy Objects container, and then click the CONTOSO Standards GPO.
5. In the details pane, click the Delegation tab.
6. Review the default delegation.
7. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
8. In the console tree, click the Users container.
9. In the details pane, double-click the Group Policy Creator Owners group, and then click the Members tab.
10. Review the default membership.


Delete a GPO
1. In the GPMC console tree, in the Group Policy Objects container, right-click the CONTOSO Standards GPO, and then click Delete.
2. Click No.

Discuss the default connection to the PDC Emulator


1. Switch to the GPMC.
2. In the GPMC console tree, right-click the contoso.com domain, and then click Change Domain Controller.
3. Review the default settings.

Demonstration: Policy Settings


Demonstration steps
1. Switch to HQDC01.
2. Right-click the CONTOSO Standards GPO, and then click Edit.
3. Spend time exploring the settings that are available in a GPO. Do not make any changes.


Additional Reading
Local GPOs
Multiple Local Group Policy objects
Step-by-Step Guide to Managing Multiple Local Group Policy Objects


Lesson 3

A Deeper Look at Settings and GPOs


Contents:
Detailed Demo Steps 10
Additional Reading 13


Detailed Demo Steps


Demonstration: Work with Settings and GPOs
Demonstration steps
Use Filter Options to locate policies in Administrative Templates
1. Switch to HQDC01.
2. Run Group Policy Management with administrative credentials.
3. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
4. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
5. In the details pane, right-click the CONTOSO Standards GPO, and then click Edit. The Group Policy Management Editor appears.
6. In the console tree, expand User Configuration and Policies, and then click Administrative Templates.
7. Right-click Administrative Templates, and then click Filter Options.
8. Select the Enable Keyword Filters check box.
9. In the Filter for word(s) text box, type screen saver.
10. In the drop-down list next to the text box, select Exact, and click OK. Administrative Templates policy settings are filtered to show only those that contain the words screen saver.
11. Spend a few moments examining the settings that you have found.
12. In the console tree, right-click Administrative Templates under User Configuration, and then click Filter Options.
13. Clear the Enable Keyword Filters check box.
14. In the Configured drop-down list, select Yes, and then click OK. Administrative Templates policy settings are filtered to show only those that have been configured (enabled or disabled).
15. Spend a few moments examining those settings.
16. In the console tree, right-click Administrative Templates under User Configuration and clear the Filter On option.

Add comments to a policy setting


1. In the console tree, expand User Configuration, Policies, Administrative Templates, and Control Panel, and then click Display.
2. Double-click the Screen Saver policy setting.
3. Click the Comment tab.
4. Type Corporate IT Security Policy implemented with this policy in combination with Password Protect the Screen Saver, and click OK.
5. Double-click the Password protect the screen saver policy setting.
6. Click the Comment tab.
7. Type Corporate IT Security Policy implemented with this policy in combination with Screen Saver Timeout, and click OK.

Add comments to a GPO


1. In the console tree of the GPMC, right-click the root node, CONTOSO Standards, and then click Properties.
2. Click the Comment tab.
3. Type Contoso corporate standard policies. Settings are scoped to all users and computers in the domain. Person responsible for this GPO: your name. This comment appears on the Details tab of the GPO in the GPMC.
4. Click OK.

Create a new GPO from a starter GPO


1. In the console tree of the GPMC, click the Starter GPOs container.
2. In the details pane, click the Create Starter GPOs Folder button.
3. In the console tree, right-click the Starter GPOs container, and then click New.
4. In Name: type CONTOSO Starter GPO, and then click OK.
5. In the details pane, right-click CONTOSO Starter GPO, and then click Edit. The Group Policy Management Editor appears. Review and edit the settings as desired.
6. Close the Group Policy Management Editor.
7. In the details pane, right-click CONTOSO Starter GPO, and then click New GPO From Starter GPO.
8. In Name: type CONTOSO Desktop, and then click OK.

Create a new GPO by copying an existing GPO


1. In the GPMC console tree, expand the Group Policy Objects container, right-click the CONTOSO Desktop GPO, and then click Copy.
2. Right-click the Group Policy Objects container, click Paste, and then click OK.
3. Click OK.

Create a new GPO by importing settings that were exported from another GPO
1. In the GPMC console tree, expand the Group Policy Objects container, right-click the CONTOSO Desktop GPO, and then click Back Up.
2. In Location: type D:\Labfiles\Lab06b, and then click Back Up.
3. When the backup finishes, click OK.
4. In the GPMC console tree, right-click the Group Policy Objects container, and then click New.
5. In Name: type CONTOSO Import, and then click OK.
6. In the GPMC console tree, right-click the CONTOSO Import GPO, and then click Import Settings. The Import Settings Wizard appears.
7. Click Next three times.
8. Select the CONTOSO Desktop GPO.
9. Click Next two times.
10. Click Finish, and then click OK.


Additional Reading
Manage GPOs and their Settings
GPO Operations
Backing up, Restoring, Migrating, and Copying GPOs


Lesson 5

Group Policy Processing


Contents:
Additional Reading 15


Additional Reading
Slow Links and Disconnected Systems
How Core Group Policy Works


Lab Review Questions and Answers


Lab A: Implement Group Policy
Question 1: What policy settings are already being deployed using Group Policy in your organization?
Answer: Answers will depend on each organization.
Question 2: What policy settings did you discover that you might want to implement in your organization?
Answer: Answers will depend on each organization.

Lab B: Manage Settings and GPOs
Question 1: Describe the relationship between administrative template files (both .ADMX and .ADML files) and the GPME.
Answer: .ADMX files create the user interface for the GPME and determine the registry values that are applied when a policy setting is defined. .ADML files provide the language-specific elements (the text) in the user interface.
Question 2: When does an enterprise get a central store? What benefits does it provide?
Answer: A central store is manually created by adding a PolicyDefinitions folder to \\domain\sysvol\domain\Policies. A central store provides a single point of management for administrative templates and reduces the size of Group Policy templates (GPTs).
Question 3: What are the advantages of managing Group Policy from a client running the latest version of Windows? Do settings you manage apply to previous versions of Windows?
Answer: If you manage Group Policy with a client running the latest version of Windows, you will be able to use the latest administrative templates, and you will be able to view settings that apply to this and all previous versions of Windows. The policy settings you configure will apply not based on the version of Windows from which you manage Group Policy, but rather based on the versions of Windows to which the policy setting can apply.

Lab C: Manage Group Policy Scope
Question 1: Many organizations rely heavily on security group filtering to scope GPOs, rather than linking GPOs to specific OUs. In these organizations, GPOs are typically linked very high in the Active Directory logical structure: to the domain itself or to a first-level OU. What advantages are gained by using security group filtering rather than GPO links to manage the scope of the GPO?
Answer: The fundamental problem of relying on OUs to scope the application of GPOs is that an OU is a fixed, inflexible structure within Active Directory, and that a single user or computer can only exist within one OU. As organizations get larger and more complex, configuration requirements are difficult to match in a one-to-one relationship with any container structure. With security groups, a user or computer can exist in as many groups as necessary, and can be added and removed easily without impacting the security or management of the user or computer account.
Question 2: Why might it be useful to create an exemption group (a group that is denied the Apply Group Policy permission) for every GPO that you create?
Answer: There are very few scenarios in which you can be guaranteed that all of the settings in a GPO will always need to apply to all users and computers within its scope. By having an exemption group, you will always be able to respond to situations in which a user or computer must be excluded. This can also help in troubleshooting compatibility and functionality problems. Sometimes, specific GPO settings can interfere with the functionality of an application. In order to test whether the application works on a pure installation of Windows, you might need to exclude the user or computer from the scope of GPOs, at least temporarily for testing.
Question 3: Do you use loopback policy processing in your organization? In what scenarios and for what policy settings can loopback policy processing add value?
Answer: Answers will vary. Scenarios including conference rooms, kiosks, virtual desktop infrastructures, and other standard environments should certainly be mentioned.

Lab D: Troubleshoot Policy Application
Question 1: In what situations have you used RSoP reports to troubleshoot Group Policy application in your organization?
Answer: The answer depends on your situation.
Question 2: In what situations have you used, or could you anticipate using, Group Policy modeling?
Answer: The answer depends on your situation.
Question 3: Have you ever diagnosed a Group Policy application problem based on events in one of the event logs?
Answer: The answer depends on your situation.


Module 7
Manage Enterprise Security and Configuration with Group Policy Settings
Contents:
Lesson 1: Delegate the Support of Computers 2
Lesson 2: Manage Security Settings 6
Lesson 3: Manage Software with GPSI 10
Lab Review Questions and Answers 14


Lesson 1

Delegate the Support of Computers


Contents:
Detailed Demo Steps 3
Additional Reading 5


Detailed Demo Steps


Demonstration: Delegate Administration by Using Restricted Groups Policies
Demonstration steps
1. Start 6425B-HQDC01-A and log on as Pat.Coleman with the password Pa$$w0rd.
2. On HQDC01, click Start > Administrative Tools and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
4. Right-click the Group Policy Objects container, and then click New.
5. In the Name box, type Corporate Help Desk, and then click OK.
6. In the details pane, right-click the Corporate Help Desk GPO, and then click Edit. The Group Policy Management Editor appears.
7. In the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
8. Right-click Restricted Groups, and choose Add Group.
9. Click the Browse button and, in the Select Groups dialog box, type the name of the group you want to add to the Administrators group (for example, CONTOSO\Help Desk), and click OK.
10. Click OK to close the Add Group dialog box. A Properties dialog box appears.
11. Click the Add button next to the This Group Is A Member Of section.
12. Type Administrators, and click OK. The Properties group policy setting should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.
13. Click OK again to close the Properties dialog box.

Delegating the membership of the local Administrators group in this manner adds the group specified in step 9 to that group. It does not remove any existing members of the Administrators group. The Group Policy setting simply tells the client, "Make sure this group is a member of the local Administrators group." This allows for the possibility that individual systems could have other users or groups in their local Administrators group. This Group Policy setting is also cumulative. If multiple GPOs configure different security principals as members of the local Administrators group, all will be added to the group. To take complete control of the local Administrators group, follow these steps:

Demonstration steps
1. In the Group Policy Management Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Restricted Groups.
2. Right-click Restricted Groups, and choose Add Group.
3. Type Administrators, and click OK. A Properties dialog box appears.
4. Click the Add button next to the Members Of This Group section.
5. Click the Browse button and enter the name of the group you want to make the sole member of the Administrators group (for example, CONTOSO\Help Desk), and click OK.
6. Click OK again to close the Add Member dialog box. The Properties dialog box for the group policy setting should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.
7. Click OK again to close the Properties dialog box.

When you use the Members setting of a restricted groups policy, the Members list defines the final membership of the specified group. The steps just listed result in a GPO that authoritatively manages the Administrators group. When a computer applies this GPO, it will add all members specified by the GPO and will remove all members not specified by the GPO, including Domain Admins. Only the local Administrator account will not be removed from the Administrators group because Administrator is a permanent and unremovable member of Administrators.
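The following is an added example (not part of the course material) that models the two behaviours just described and the Lab A review question later in this module: a Members list is authoritative, Member Of entries are cumulative, and the built-in Administrator account is never removed. GPO names, group names and the client's starting membership are constructed; the rule that the last-applied GPO wins when two GPOs both supply a Members list for the same group is this model's assumption.

```python
"""Model of how a client resolves Restricted Groups policy settings.

Added example (not part of the course material) for the two Restricted Groups
modes described in the demonstrations: a "Members" list is authoritative, so
anything not listed is removed (the built-in Administrator account excepted),
while "Member Of" entries are cumulative across GPOs and only ever add.
Group and GPO names below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Accounts that policy cannot remove from a local group.
PERMANENT_MEMBERS: Dict[str, Set[str]] = {"Administrators": {"Administrator"}}


@dataclass
class RestrictedGroupSetting:
    """One Restricted Groups entry as configured in the Group Policy Management Editor."""
    group: str                                          # the group the entry is created for
    members: Optional[List[str]] = None                 # "Members of this group" (authoritative)
    member_of: List[str] = field(default_factory=list)  # "This group is a member of" (additive)


def apply_restricted_groups(
    local_groups: Dict[str, Set[str]],
    gpos: List[Tuple[str, List[RestrictedGroupSetting]]],
) -> Dict[str, Set[str]]:
    """Return the local group membership after the GPOs (in application order) are applied."""
    result = {group: set(members) for group, members in local_groups.items()}

    # Pass 1: authoritative "Members" lists. Every current member not in the list is
    # dropped; the permanent built-in member is kept. If more than one GPO supplies a
    # Members list for the same group, this model assumes the last-applied GPO wins.
    for _gpo_name, settings in gpos:
        for setting in settings:
            if setting.members is not None:
                keep = set(setting.members) | PERMANENT_MEMBERS.get(setting.group, set())
                result[setting.group] = keep

    # Pass 2: "Member Of" entries are cumulative. Each one only ensures the configured
    # group is present in the target group; it never removes anything.
    for _gpo_name, settings in gpos:
        for setting in settings:
            for target in setting.member_of:
                result.setdefault(target, set()).add(setting.group)
    return result


# Constructed sample: a client whose local Administrators group has picked up a stray
# local account in addition to the domain default.
SAMPLE_CLIENT: Dict[str, Set[str]] = {
    "Administrators": {"Administrator", "CONTOSO\\Domain Admins", "StrayLocalTech"},
    "Users": {"CONTOSO\\Domain Users"},
}


def member_of_only() -> Set[str]:
    """First demonstration: Help Desk is added and existing members stay."""
    gpos = [("Corporate Help Desk",
             [RestrictedGroupSetting("CONTOSO\\Help Desk", member_of=["Administrators"])])]
    return apply_restricted_groups(SAMPLE_CLIENT, gpos)["Administrators"]


def members_authoritative() -> Set[str]:
    """Second demonstration: Help Desk becomes the sole member; Domain Admins is removed."""
    gpos = [("Administrators Lockdown",
             [RestrictedGroupSetting("Administrators", members=["CONTOSO\\Help Desk"])])]
    return apply_restricted_groups(SAMPLE_CLIENT, gpos)["Administrators"]


def lab_a_answer() -> Set[str]:
    """Lab A review answer: a Members list holding only Administrator clears the group,
    then separate Member Of entries add Help Desk and the site-specific Support group."""
    gpos = [
        ("Administrators Lockdown",
         [RestrictedGroupSetting("Administrators", members=["Administrator"])]),
        ("Corporate Help Desk",
         [RestrictedGroupSetting("CONTOSO\\Help Desk", member_of=["Administrators"]),
          RestrictedGroupSetting("CONTOSO\\Support_HQ", member_of=["Administrators"])]),
    ]
    return apply_restricted_groups(SAMPLE_CLIENT, gpos)["Administrators"]


if __name__ == "__main__":
    for name, fn in [("Member Of only", member_of_only),
                     ("Members (authoritative)", members_authoritative),
                     ("Lab A answer", lab_a_answer)]:
        print(f"{name}: {sorted(fn())}")
```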

Additional Reading
Define Group Membership with Group Policy Preferences
Group Policy Management Console Help, Local Users and Groups Extension

Lesson 2

Manage Security Settings


Contents:
Question and Answers  7
Detailed Demo Steps  8
Additional Reading  9

Question and Answers


Use Security Configuration and Analysis
Question: What procedure is used to apply a security template to a computer?
Answer: Use the Security Configuration And Analysis snap-in to create a database. Import the template into the database, and then apply the database settings to the computer by using the Configure Computer Now command.

Detailed Demo Steps


Demonstration: Create and Deploy Security Templates
Demonstration steps
1. Start 6425B-HQDC01-A.
2. Log on to HQDC01 as Pat.Coleman with the password Pa$$w0rd.
3. Click Start, in the search box type mmc.exe, and then press Enter. When prompted, supply administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
4. Click File, and then click Add/Remove Snap-in.
5. In the Available snap-ins list, select Security Templates, and then click Add.
6. Click OK.
7. Click File, and then click Save. The Save As dialog box appears.
8. Type D:\Security Management, and then press ENTER.
9. In the console tree, expand Security Templates.
10. Right-click C:\Users\Pat.Coleman_Admin\Documents\Security\Templates, and then click New Template.
11. Type DC Remote Desktop, and then click OK.
12. Click Start > Administrative Tools and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
13. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
14. In the details pane, right-click Corporate Help Desk, and then click Edit. The Group Policy Management Editor appears.
15. In the console tree, expand Computer Configuration, Policies, Windows Settings, and then click Security Settings.
16. Right-click Security Settings, and then click Import Policy.
17. Select the DC Remote Desktop template, and then click Open.

Additional Reading
Configure the Local Security Policy
Server Security Policy Settings

Use Security Configuration and Analysis


For full details regarding Secedit.exe and its switches, see http://go.microsoft.com/fwlink/?LinkId=168677

The Security Configuration Wizard


Security Configuration Wizard

Lesson 3

Manage Software with GPSI


Contents:
Detailed Demo Steps  11
Additional Reading  13

Detailed Demo Steps


Demonstration: Create a Software Distribution Point
Demonstration steps
1. Start 6425B-HQDC01-A and log on as Pat.Coleman with the password Pa$$w0rd.
2. Start 6425B-SERVER01-A, but do not log on.
3. Switch to HQDC01.
4. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
5. In the console tree, expand the contoso.com domain and the Groups OU, and then click the Application OU.
6. Right-click the Application OU, point to New, and then click Group.
7. Type APP_XML Notepad, and then press ENTER.
8. In the console tree, expand the contoso.com domain and the Servers OU, and then click the File OU.
9. In the details pane, right-click SERVER01, and then click Manage. The Computer Management console opens, focused on SERVER01.
10. In the console tree, expand System Tools and Shared Folders, and then click Shares.
11. Right-click Shares, and then click New Share. The Create A Shared Folder Wizard appears.
12. Click Next.
13. In the Folder Path box, type C:\Software, and then click Next. A message appears asking if you want to create the folder.
14. Click Yes.
15. Accept the default share name, Software, and then click Next.
16. Click Customize permissions, and then click the Custom button.
17. Click the Security tab.
18. Click Advanced. The Advanced Security Settings dialog box appears.
19. Click Edit.
20. Clear the option Include inheritable permissions from this object's parent. A dialog box appears asking if you want to Copy or Remove inherited permissions.
21. Click Copy.
22. Select the first permission assigned to the Users group, and then click Remove.
23. Select the remaining permission assigned to the Users group, and then click Remove.
24. Select the permission assigned to Creator Owner, and then click Remove.
25. Click OK two times to close the Advanced Security Settings dialog boxes.
26. In the Customize Permissions dialog box, click the Share Permissions tab.
27. Select the check box next to Full Control and below Allow. Security management best practice is to configure least-privilege permissions in the ACL of the resource, which apply to users regardless of how they connect to the resource; you can then grant the Full Control permission on the SMB shared folder. The resultant access level will be the more restrictive permissions defined in the ACL of the folder.
28. Click OK.
29. Click Finish.
30. Click Finish to close the wizard.
31. Click Start, click Run, type \\SERVER01\c$, and then press ENTER. The Connect to SERVER01 dialog box appears.
32. In the User name box, type CONTOSO\Pat.Coleman_Admin.
33. In the Password box, type Pa$$w0rd, and then press ENTER. A Windows Explorer window opens, focused on the root of the C drive on SERVER01.
34. Open the Software folder.
35. Click the File menu, point to New, and then click Folder. A new folder is created and is in rename mode.
36. Type XML Notepad, and then press ENTER.
37. Right-click the XML Notepad folder, and then click Properties.
38. Click the Security tab.
39. Click Edit.
40. Click Add. The Select Users, Computers, or Groups dialog box appears.
41. Type APP_XML Notepad, and then press ENTER. The group is given the default Read & Execute permission.
42. Click OK twice to close all open dialog boxes.
43. Open the XML Notepad folder.
44. Open the D:\Labfiles\Lab07b folder in a new window.
45. Right-click XMLNotepad.msi, and then click Copy.
46. Switch to the Windows Explorer window displaying \\server01\c$\Software\XML Notepad.
47. Right-click in the empty details pane, and then click Paste. XML Notepad is copied into the folder on SERVER01.
48. Close all open Windows Explorer windows.
49. Close the Computer Management console.

Additional Reading
Software Deployment Options
Group Policy Software Installation overview

Lab Review Questions and Answers


Lab A: Delegate the Support of Computers

Question: If you wanted to ensure that the only members of the local Administrators group on a client computer were the Help Desk and the site-specific Support group, and to remove any other members from the local Administrators group, how would you achieve that using only restricted groups policies?

Answer: This is a bit of a tricky question, and requires some creative thinking. You can configure a Members policy setting for the Administrators group that adds the Administrator account. This would have the effect of cleaning out all other group members, and of course the Administrator account is already a member of the Administrator forest and cannot be removed. Then, you can configure restricted group policy settings for the Help Desk and the site-specific Support groups, as you did in the lab. Alternately, you could use a Local Group preference configured to delete all member users and groups.

Lab B: Manage Security Settings

Question: Describe the relationship between security settings on a server, Local Group Policy, security templates, the database used in Security Configuration And Analysis, the security policy created by the Security Configuration Wizard, and domain-based Group Policy.

Answer: Although some security settings can be modified directly (for example, file system ACLs or local group membership), many can only be configured directly on a system using Local Group Policy. Security templates allow you to create a security policy that can be easily transferred to another system and, using Security Configuration and Analysis, loaded into a database that can be used to analyze or configure a computer. The database used by Security Configuration and Analysis can be exported to a security template. Security Configuration Wizard is a newer tool that enables the role-based configuration of services, network security settings, registry values, and audit policies. It creates an XML file that can incorporate a security template and that can then be applied to another system using the Security Configuration Wizard. The Security Configuration Wizard allows you to roll back a security policy if it does not produce the desired results. A security policy produced by the Security Configuration Wizard can be transformed into a domain-based Group Policy object that can then apply to multiple servers.

Lab C: Manage Software with GPSI

Question 1: Consider the NTFS permissions you applied to the Software and XML Notepad folders on SERVER01. Explain why these least-privilege permissions are preferred to the default permissions.

Answer: The default permissions on a new NTFS folder include inherited permissions that are not least privilege. First, the USERS group is given the ability to add files and folders. In a software distribution folder, only administrators who need to add new applications should have the ability to add files and folders. Second, the CREATOR OWNER special identity is given full control. This means that whoever adds a file or folder gets an explicit permission that allows full control, which may or may not be appropriate for each file and folder added to a software deployment point. Third, the USERS group is also given the ability to read all files and folders, which will allow them to install any software in the software distribution folder. Because most software is licensed per computer or per user, you can improve your compliance by allowing only a specified group to read the installation files for each application. The SOFTWARE folder (the root) gives access (full control) only to Administrators and System. The application subfolder, for example XML Notepad, gives read access to a group that is allowed to install the application, for example APP_XML Notepad. Those users can get to the subfolder even though they do not have access to the SOFTWARE folder. Windows allows all authenticated users the traverse folder privilege by default, which allows users to navigate to a specific subfolder to which they have access even if they do not have permission to a parent folder. The least-privilege ACLs used in this lab are a perfect example of the value of this user right.

Question 2: Consider the methods used to scope the deployment of XML Notepad: assigning the application to computers, filtering the GPO to apply to the APP_XML Notepad group that contains only computers, and linking the GPO to the Client Computers OU. Why is this approach advantageous for deploying most software? What would be the disadvantage of scoping software deployment to users rather than to computers?

Answer: Most software is licensed per computer, so it is important to deploy such applications scoped to computers, rather than to users. The result is the same: the application is deployed to the computers of the users who require the application. If you were to deploy an application to users, it would follow the users to whatever computers they logged on to. For example, if a user logged on to a conference room computer or to a colleague's computer, the application would be installed on those computers as well. By scoping to a group of computers, and linking the GPO to a high-level OU (or even to the domain), you get maximum flexibility to deploy the application to whatever computers require it.

Lab D: Audit File System Access

Question 1: What are the three major steps required to configure auditing of file system and other object access?

Answer:
1) Configure auditing settings on the file/folder SACL.
2) Enable audit policy for object access, in a GPO scoped to the server.
3) Examine event log audit entries.

Question 2: What systems should have auditing configured? Is there a reason not to audit all systems in your enterprise? What types of access should be audited, and by whom should they be audited? Is there a reason not to audit all access by all users?

Answer: Auditing should reflect IT security and usage policies. Auditing not only puts a (small) burden on the performance of a system, but also generates excessive noise that can make finding the important events even harder. What, who, and when auditing is performed should be aligned with why auditing is being performed, as driven by your business requirements.

Secure Administration

8-1

Module 8
Secure Administration
Contents:
Lesson 1: Delegate Administrative Permissions  2
Lab Review Questions and Answers  6

Lesson 1

Delegate Administrative Permissions


Contents:
Detailed Demo Steps  3
Additional Reading  5

Detailed Demo Steps


Demonstration: Assign a Permission Using the Advanced Security Settings Dialog Box
Demonstration steps
1. Start 6425B-HQDC01-A and log on as Pat.Coleman with the password Pa$$w0rd.
2. Click Start > Administrative Tools and run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. Click the View menu and select Advanced Features.
4. Right-click an object and choose Properties.
5. Click the Security tab.
6. Click the Advanced button.
7. Click the Add button. If you have User Account Control enabled, you may need to click Edit, and perhaps enter administrative credentials, before the Add button will appear.
8. In the Select dialog box, select the security principal to which permissions will be assigned. It is an important best practice to assign permissions to groups, not to individual users. In this example, you would select your Help Desk group and press ENTER. The Permission Entry dialog box appears.
9. Configure the permissions you want to assign. For our example, on the Object tab, scroll down the list of Permissions and select Allow::Reset Password.
10. Click OK to close each dialog box.

Demonstration: Delegate Administrative Tasks with the Delegation of Control Wizard


Demonstration steps
1. On HQDC01, click Start > Administrative Tools and run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
2. Right-click the node (domain or OU) for which you want to delegate administrative tasks or control, and choose Delegate Control. In our example, you would select the OU that contains your users. The Delegation of Control Wizard appears, to guide you through the required steps.
3. Click Next. You will first select the administrative group to which you are granting privileges.
4. In the Users or Groups page, click the Add button.
5. Use the Select dialog box to select the group, and click OK.
6. Click Next. You will next specify the specific task you wish to assign to that group.
7. On the Tasks to Delegate page, select the task. In our example, you would select Reset User Passwords and Force Password Change at Next Logon.
8. Click Next.
9. Review the summary of the actions that have been performed, and click Finish. The Delegation of Control Wizard applies the ACEs that are required to enable the selected group to perform the specified task.

Additional Reading
Understand Effective Permissions
The best way to manage delegation in Active Directory is through role-based access control. Although this approach will not be covered on the certification exam, it is well worth understanding for real-world implementation of delegation. See the Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008) for more information.

Design an OU Structure to Support Delegation


See the Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008) for much more detail regarding OU design.

Lab Review Questions and Answers


Lab A: Delegate Administration

Question 1: How does Active Directory Users and Computers indicate to you that you do not have permissions to perform a particular administrative task?

Answer: It is not at all consistent. In some cases, the command that you cannot perform is trimmed (hidden) by the Active Directory Users and Computers snap-in. For example, when you tested whether Aaron Painter could create a new user in the Employees OU, the New menu was not available. In other cases, the command appears but you receive an error message if you attempt to perform it. For example, when Aaron Painter tried to disable Jeff Ford's account or reset Pat Coleman's administrative account password, the command was executed but returned an error message because Aaron's access was denied.

Question 2: When you evaluated effective permissions for April Meyer on the User Accounts OU, why didn't you see permissions such as Reset Password in this list? Why did the permission appear when you evaluated effective permissions for Aaron Painter on Aaron Lee's user account?

Answer: The Effective Permissions list is showing the permissions that apply to the selected object, which in the first case is an organizational unit. One cannot reset the password of an organizational unit, so that permission is not available to be evaluated. When you assign permissions to reset passwords on the OU, the permission does not actually apply to the OU itself; rather, it applies to descendent user objects within the OU. The OU is a container, so permissions are available that specify what types of objects can be created in the OU. When you examined permissions on Aaron Lee's user account, the Reset permission appeared because it is available for user accounts.

Question 3: Does Windows make it easy to answer the questions "Who can reset user passwords?" and "What can XXX do as an administrator?"

Answer: The user interfaces and command-line tools are neither detailed nor administrator-friendly enough to be useful reporting tools.

Question 4: What is the benefit of a two-tiered, role-based management group structure when assigning permissions in Active Directory?

Answer: There are several benefits. First, it allows you to change who can do what without changing a single ACL in Active Directory. If another group or user needs to be able to reset Employee passwords, simply add that group (or user) to the AD_User Accounts_Support group. Second, it makes it easier to report delegation. If you list the members (including nested users) of AD_User Accounts_Support, you instantly know who has permission to reset passwords for users in the User Accounts OU. In other words, role-based management helps overcome some of the difficulties that were identified with reporting.

Note: Role-based management is a big topic, and there are other aspects of role-based management, including discipline and auditing, that are required to ensure that the members of a group such as AD_User Accounts_Support have the permissions they are supposed to have, and no other permissions, and that no other users or groups have been delegated the same permissions.

Question 5: What is the danger of resetting the ACL of an OU back to its schema-defined default?

Answer: You don't necessarily know what permissions are applied to the OU unless you find some way to do detailed reporting. Moreover, you don't necessarily know why those permissions were assigned to the OU or by whom. There may be good reasons for some custom, explicit permissions, and removing them may cause something in your environment to break. For example, when you install Microsoft Exchange Server, explicit permissions are applied to certain Active Directory objects.

Lab B: Audit Active Directory Changes

Question 1: What details are captured by Directory Services Changes auditing that are not captured by Directory Service Access auditing?

Answer: Directory Services Changes auditing captures important details, including the specific attribute that is changed and the change that was made.

Question 2: What types of administrative activities would you want to audit using Directory Services Changes auditing?

Answer: Lead a discussion to elicit suggestions from students. Pose the question: Why not audit all changes in Active Directory? Answer: the volume of event log entries would make finding particularly important changes difficult. Guide students to an understanding that the configuration of Directory Services auditing should be driven by the requirements of an organization's IT security policies and procedures.

Improve the Security of Authentication in an Active Directory Domain Services (AD DS) Domain

9-1

Module 9
Improve the Security of Authentication in an Active Directory Domain Services (AD DS) Domain
Contents:
Lesson 1: Configure Password and Lockout Policies  2
Lesson 3: Configure Read-Only Domain Controllers  7
Lab Review Questions and Answers  11

Lesson 1

Configure Password and Lockout Policies


Contents:
Detailed Demo Steps  3
Additional Reading  6

Detailed Demo Steps


Demonstration: Configure Domain Account Policies
Demonstration steps
1. Start 6425B-HQDC01-A and log on to HQDC01 as Pat.Coleman with the password Pa$$w0rd.
2. Run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand Forest: contoso.com, Domains, and contoso.com.
4. Right-click Default Domain Policy underneath the domain contoso.com, and click Edit. You may be prompted with a reminder that you are changing the settings of a GPO. If so, click OK. Group Policy Management Editor opens.
5. In the console tree, expand Computer Configuration, Policies, Windows Settings, Security Settings, and Account Policies, and then click Password Policy.
6. Double-click the following policy settings in the console details pane and configure the settings as indicated:
   Enforce password history: 53 passwords remembered
   Maximum password age: 90 days
   Minimum password age: 7 days
   Minimum password length: 8 characters
   Password must meet complexity requirements: Enabled
7. Close the Group Policy Management Editor window.
8. Close the Group Policy Management window.

Demonstration: Configure Fine-Grained Password Policy


Demonstration Steps
1. Switch to HQDC01.
2. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, right-click contoso.com, and then click Raise domain functional level.
4. Verify that the Current domain functional level is Windows Server 2008.
5. Close Active Directory Users and Computers.
6. Click Start, point to Administrative Tools, right-click ADSI Edit, and then click Run as administrator.
7. Click Use another account.
8. In the User name box, type Pat.Coleman_Admin.
9. In the Password box, type Pa$$w0rd, and then press ENTER. ADSI Edit opens.
10. Right-click ADSI Edit, and then click Connect To.
11. Accept all defaults. Click OK.
12. In the console tree, click Default Naming Context.
13. In the console tree, expand Default Naming Context, and then click DC=contoso,DC=com.
14. In the console tree, expand DC=contoso,DC=com, and then click CN=System.
15. In the console tree, expand CN=System, and then click CN=Password Settings Container. All PSOs are created and stored in the Password Settings Container (PSC).
16. Right-click the PSC, point to New, and then click Object. The Create Objects dialog box appears. It prompts you to select the type of object to create. There is only one choice: msDS-PasswordSettings, the technical name for the object class referred to as a PSO.
17. Click Next. You are then prompted for the value for each attribute of a PSO. The attributes are similar to those found in the domain account policies.
18. Configure each attribute as indicated below. Click Next after each attribute.
   cn: My Domain Admins PSO. This is the common name of the PSO.
   msDS-PasswordSettingsPrecedence: 1. This PSO has the highest possible precedence.
   msDS-PasswordReversibleEncryptionEnabled: False. The password is not stored using reversible encryption.
   msDS-PasswordHistoryLength: 30. The user cannot reuse any of the last 30 passwords.
   msDS-PasswordComplexityEnabled: True. Password complexity rules are enforced.
   msDS-MinimumPasswordLength: 15. Passwords must be at least 15 characters long.
   msDS-MinimumPasswordAge: 1:00:00:00. A user cannot change his or her password within one day of a previous change. The format is d:hh:mm:ss (days, hours, minutes, seconds).
   msDS-MaximumPasswordAge: 45:00:00:00. The password must be changed every 45 days.
   msDS-LockoutThreshold: 5. Five invalid logons within the time frame specified by XXX (the next attribute) will result in account lockout.
   msDS-LockoutObservationWindow: 0:01:00:00. Five invalid logons (specified by the previous attribute) within one hour will result in account lockout.
   msDS-LockoutDuration: 1:00:00:00. An account, if locked out, will remain locked for one day, or until it is unlocked manually. A value of zero will result in the account remaining locked out until an administrator unlocks it.
19. Click Finish.
20. Close ADSI Edit.
21. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

22. In the console tree, expand the System container. If you do not see the System container, click the View menu of the MMC console and ensure that Advanced Features is selected.
23. In the console tree, click the Password Settings Container.
24. Right-click My Domain Admins PSO, click Properties, and then click the Attribute Editor tab.
25. In the Attributes list, select msDS-PSOAppliesTo, and then click Edit. The Multi-valued Distinguished Name With Security Principal Editor dialog box appears.
26. Click Add Windows Account. The Select Users, Computers, or Groups dialog box appears.
27. Type Domain Admins, and then press ENTER.
28. Click OK twice to close the open dialog boxes.
29. In the console tree, expand the contoso.com domain and the Admins OU, and then click the Admin Identities OU.
30. Right-click Pat Coleman (Administrator) and click Properties.
31. Click the Attribute Editor tab.
32. Click the Filter button, and click the Constructed option, so that it is selected.
33. Open the value of the msDS-ResultantPSO attribute.
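The demonstration reads msDS-ResultantPSO in the GUI. The following added example (not part of the course material) models the rules a domain controller uses to compute that value and parses the d:hh:mm:ss duration format from step 18. The resolution rules (direct user links beat group links, lowest precedence value wins, ties go to the smallest objectGUID, no PSO means the domain policy applies) are standard AD DS behaviour stated here as the model's assumption; the users, groups, GUIDs and PSOs other than My Domain Admins PSO and Domain Admins are constructed sample values.

```python
"""Resolve a user's resultant fine-grained password policy (msDS-ResultantPSO).

Added example, not part of the course material. Resolution rules (standard AD DS
behaviour, assumed by this model): a PSO linked directly to the user beats PSOs
linked through the user's groups; among the candidates the lowest
msDS-PasswordSettingsPrecedence value wins; a precedence tie goes to the smallest
objectGUID; with no applicable PSO the domain account policy applies.
Also parses the d:hh:mm:ss format used by msDS-*Age and lockout attributes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, FrozenSet, List, Optional
from uuid import UUID

_DURATION = re.compile(r"^(\d+):(\d{1,2}):(\d{1,2}):(\d{1,2})$")


def parse_duration(value: str) -> timedelta:
    """Parse the d:hh:mm:ss form (for example msDS-MaximumPasswordAge 45:00:00:00)."""
    match = _DURATION.match(value)
    if not match:
        raise ValueError(f"not in d:hh:mm:ss format: {value!r}")
    days, hours, minutes, seconds = (int(part) for part in match.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"hours/minutes/seconds out of range: {value!r}")
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


@dataclass(frozen=True)
class PSO:
    cn: str
    precedence: int                 # msDS-PasswordSettingsPrecedence; 1 is the highest priority
    object_guid: UUID               # objectGUID, used only to break precedence ties
    applies_to: FrozenSet[str]      # msDS-PSOAppliesTo: user or global security group names
    minimum_password_length: int    # msDS-MinimumPasswordLength
    maximum_password_age: str       # msDS-MaximumPasswordAge as stored (d:hh:mm:ss)
    lockout_threshold: int          # msDS-LockoutThreshold


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]          # global security groups the user belongs to


def resultant_pso(user: User, psos: List[PSO]) -> Optional[PSO]:
    """Return the PSO that applies to the user, or None if the domain policy applies."""
    direct = [p for p in psos if user.name in p.applies_to]
    via_group = [p for p in psos if p.applies_to & user.groups]
    candidates = direct or via_group     # direct links take priority over group links
    if not candidates:
        return None
    # Lowest precedence value wins; ties go to the smallest GUID (compared here as an
    # integer, a simplification of the comparison a domain controller performs).
    return min(candidates, key=lambda p: (p.precedence, p.object_guid.int))


# Constructed sample data. The first PSO carries the values from the demonstration.
SAMPLE_PSOS: List[PSO] = [
    PSO("My Domain Admins PSO", 1, UUID(int=0x10), frozenset({"Domain Admins"}), 15, "45:00:00:00", 5),
    PSO("Service Accounts PSO", 10, UUID(int=0x20), frozenset({"Service Accounts"}), 20, "365:00:00:00", 0),
    PSO("Contractor PSO", 10, UUID(int=0x05), frozenset({"Contractors"}), 12, "30:00:00:00", 5),
    # Linked directly to one user with a worse precedence than the Domain Admins PSO;
    # it still wins for that user because direct links beat group links.
    PSO("Chris Direct PSO", 50, UUID(int=0x30), frozenset({"Chris.Gallagher"}), 10, "10:00:00:00", 3),
]

SAMPLE_USERS: List[User] = [
    User("Pat.Coleman_Admin", frozenset({"Domain Admins", "Service Accounts"})),
    User("svc_backup", frozenset({"Service Accounts", "Contractors"})),
    User("Chris.Gallagher", frozenset({"Domain Admins"})),
    User("Aaron.Painter", frozenset({"Domain Users"})),
]


def resolve_all() -> Dict[str, Optional[str]]:
    """Resultant PSO name per sample user (None means the Default Domain Policy applies)."""
    outcome: Dict[str, Optional[str]] = {}
    for user in SAMPLE_USERS:
        pso = resultant_pso(user, SAMPLE_PSOS)
        outcome[user.name] = pso.cn if pso else None
    return outcome


if __name__ == "__main__":
    for name, pso_name in resolve_all().items():
        print(f"{name}: {pso_name or 'Default Domain Policy'}")
    print("Lockout observation window 0:01:00:00 =", parse_duration("0:01:00:00"))
```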

Additional Reading
Configure the Domain Password and Lockout Policy
Windows Server 2003 Security Guide Chapter 3: The Domain Policy

Fine-Grained Password and Lockout Policy


AD DS: Fine-Grained Password Policies

Demonstration: Configure Fine-Grained Password Policy


AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

Lesson 3

Configure Read-Only Domain Controllers


Contents:
Detailed Demo Steps  8
Additional Reading  10

Detailed Demo Steps


Demonstration: Password Replication Policy
Demonstration steps
1. Start 6425B-HQDC01-A and log on as Pat.Coleman with the password Pa$$w0rd.
2. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, click the Domain Controllers OU.
4. Right-click BRANCHDC01 and click Properties.
5. Click the Password Replication Policy tab and view the default policy.
6. Click Cancel to close the BRANCHDC01 properties.
7. In the Active Directory Users and Computers console tree, click the Users container.
8. Double-click Allowed RODC Password Replication Group.
9. Click the Members tab.
10. Examine the default membership of Allowed RODC Password Replication Group.
11. Click OK.
12. Double-click Denied RODC Password Replication Group.
13. Click the Members tab.
14. Click Cancel to close the Denied RODC Password Replication Group properties.

Demonstration: Administer RODC Credentials Caching


Demonstration steps
1. Switch to HQDC01.
2. In the Active Directory Users and Computers console tree, click the Domain Controllers OU.
3. In the details pane, right-click BRANCHDC01, and then click Properties.
4. Click the Password Replication Policy tab.
5. Click the Advanced button. The Advanced Password Replication Policy for BRANCHDC01 dialog box appears. The Policy Usage tab is displaying Accounts whose passwords are stored on this Read-Only Domain Controller.
6. From the drop-down list, select Accounts Whose Passwords Are Stored On This Read-Only Domain Controller.
7. From the drop-down list, select Accounts that have been authenticated to this Read-only Domain Controller.
8. Click the Resultant Policy tab, and then click the Add button. The Select Users or Computers dialog box appears.
9. Type Chris.Gallagher, and then press ENTER.
10. Click the Policy Usage tab.
11. Click the Prepopulate Passwords button. The Select Users or Computers dialog box appears.
12. Type the name of the account you want to pre-populate, and then click OK.
13. Click Yes to confirm that you want to send the credentials to the RODC. A message appears: Passwords for all accounts were successfully prepopulated.
14. Click Close.
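The following Python model is an added example, not part of the course: it computes what the Resultant Policy tab shows for an account (Deny beats Allow; an account on neither list is denied) and tracks the two Policy Usage views, accounts whose passwords are stored and accounts that have been authenticated, including the prepopulate step. The Allowed and Denied RODC Password Replication Group names are those from the demonstrations; the branch groups, the accounts and their (already expanded) group memberships are constructed.

```python
"""Resultant Password Replication Policy (PRP) for an RODC.

Added example, not part of the course material. Models the resultant policy
the Resultant Policy tab computes: an account (or any group containing it)
on the Deny list is never cached, an account on the Allow list is cached when
it authenticates through the RODC or is prepopulated, and an account on
neither list is denied by default. Group names follow the demonstration; the
branch groups, accounts and memberships are constructed sample data, given
as already-expanded (transitive) group membership.
"""


class Rodc:
    def __init__(self, name, allowed, denied, memberships):
        self.name = name
        self.allowed = set(allowed)       # PRP Allow entries (users or groups)
        self.denied = set(denied)         # PRP Deny entries (users or groups)
        self.memberships = memberships    # account -> set of all its groups
        self.authenticated = set()        # "accounts that have been authenticated"
        self.cached = set()               # "accounts whose passwords are stored"

    def principals(self, account):
        """The account itself plus every group it belongs to."""
        return {account} | self.memberships.get(account, set())

    def resultant(self, account):
        """'Deny' beats 'Allow'; matching neither list is also 'Deny'."""
        p = self.principals(account)
        if p & self.denied:
            return "Deny"
        return "Allow" if p & self.allowed else "Deny"

    def authenticate(self, account):
        """A logon forwarded through the RODC caches the secret only if allowed."""
        self.authenticated.add(account)
        if self.resultant(account) == "Allow":
            self.cached.add(account)

    def prepopulate(self, account):
        """Push credentials ahead of first logon; refused when policy is Deny."""
        if self.resultant(account) != "Allow":
            return False
        self.cached.add(account)
        return True


def build_branchdc01():
    """Constructed BRANCHDC01 with a default-style PRP plus branch Allow groups."""
    memberships = {
        "Pat.Coleman_Admin": {"Domain Admins", "Denied RODC Password Replication Group"},
        "Chris.Gallagher": {"Branch Office Users", "Allowed RODC Password Replication Group"},
        "BRANCHPC01$": {"Branch Office Computers"},   # computers must authenticate too
        "Contractor.One": {"Branch Office Users", "Contractors"},
    }
    allowed = {"Allowed RODC Password Replication Group", "Branch Office Users",
               "Branch Office Computers"}
    denied = {"Denied RODC Password Replication Group", "Administrators",
              "Contractors"}   # Contractor.One is allowed via one group, denied via another
    return Rodc("BRANCHDC01", allowed, denied, memberships)
```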


Additional Reading
Deploy an RODC
For details regarding other options for installing an RODC, including delegated installation, see http://go.microsoft.com/fwlink/?LinkId=168763

Administrative Role Separation


RODCs are a valuable new feature for improving authentication and security in branch offices. Be sure to read the detailed documentation on the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=168764


Lab Review Questions and Answers


Lab A: Configure Password and Account Lockout Policies
Question 1: Where should you define the default password and account lockout policies for user accounts in the domain?
Answer: Configure the baseline password and account lockout policies in the Default Domain Policy GPO.
Question 2: What are the best practices for managing PSOs in a domain?
Answer: Each PSO must fully define the appropriate password and account lockout policies, because PSOs do not merge. Link PSOs to global groups, not to individual user accounts. Ensure that each PSO has a unique precedence value.
Question 3: How can you define a unique password policy for all of the service accounts in the Service Accounts OU?
Answer: PSOs cannot be linked to an OU. You must create a global group that contains the accounts that are in the Service Accounts OU. You can then link a PSO to that group.

Lab B: Audit Authentication
Question 1: What would be the disadvantage of auditing all successful and failed logons on all machines in your domain?
Answer: Such an audit policy would generate a tremendous number of audit entries across every machine in your domain. Managing the security event logs and locating the events that indicate potential problems would be very difficult. It is best to align your audit policy with the specific, narrowly targeted auditing goals and requirements of your organization.
Question 2: You have been asked to audit attempts to log on to desktops and laptops in the Finance division using local accounts such as Administrator. What type of audit policy do you set, and in what GPO(s)?
Answer: You will need to enable auditing for successful and failed account logon events. But because the accounts you are interested in are local accounts, which are authenticated by the local security authority on each desktop and laptop, you will need to do so in a GPO that is scoped to apply to the desktops and laptops in the Finance division. The settings do not need to be scoped to domain controllers.
Lab C: Configure Read-Only Domain Controllers
Question 1: Why should you ensure that the PRP for a branch office RODC has, in its Allow list, the accounts for the computers in the branch office as well as the users?
Answer: Computers must authenticate to the domain just as users do, so the logic is the same as for users: you want to improve authentication performance over the WAN and ensure that authentication can continue even if the WAN link is unavailable.
Question 2: What would be the most manageable way to ensure that computers in a branch are in the Allow list of the RODC's PRP?
Answer: Create a group for computers, for example Branch Office Computers.


Question 3: What are the pros and cons of prepopulating the credentials for all users and computers in a branch office to that branch's RODC?
Answer: There is no clear-cut answer to this question. Use it to review the strategic role of an RODC. By prepopulating the credentials of users (and computers) in the branch RODC cache, you ensure that authentication performance is maximized on the first logon (after that, the credential would have been cached anyway, since the users are on the Allow list), and you ensure that users can authenticate if the WAN link is unavailable on the first logon. The disadvantage is that, should there be a breach of the physical security of the RODC, those credentials are exposed even if the users have not yet logged on in the branch.


Module 10
Configure Domain Name System (DNS)
Contents:
Lesson 3: AD DS, DNS, and Windows 2
Lesson 4: Advanced DNS Configuration and Administration 4
Lab Review Questions and Answers 6


Lesson 3

AD DS, DNS, and Windows


Contents:
Detailed Demo Steps 3


Detailed Demo Steps


Demonstration: SRV Resource Records Registered by AD DS Domain Controllers
Demonstration steps
1. Start 6425B-HQDC01-B and log on as Pat.Coleman with the password Pa$$w0rd.
2. Run DNS Manager with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand HQDC01, Forward Lookup Zones, and contoso.com, and then click the _tcp node. Examine the SRV records.
4. In the console tree, expand HQDC01, Forward Lookup Zones, contoso.com, _sites, BRANCHA, and then click the _tcp node. Examine the SRV records.
5. Run Command Prompt with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
6. Type nslookup, and then press ENTER.
7. Type set type=srv, and then press ENTER.
8. Type _ldap._tcp.contoso.com, and then press ENTER.
9. Switch to DNS Manager.
10. In the console tree, expand HQDC01, Forward Lookup Zones, and contoso.com, and then click the _tcp node.
11. Right-click the SRV record for hqdc01.contoso.com, and then click Delete.
12. Switch to Command Prompt.
13. Type net stop netlogon, and then press ENTER.
14. Type net start netlogon, and then press ENTER.
15. Switch to DNS Manager.
16. In the console tree, right-click the _tcp node, and then click Refresh. Examine the SRV record for hqdc01.contoso.com.
17. Click Start, and in the Start Search box, type notepad.exe.
18. Click File, click Open, type %systemroot%\system32\config\netlogon.dns in the File Name box, and then press ENTER.
19. Examine the default SRV records.
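As an added example that is not part of the course material, this Python script parses records in the netlogon.dns format opened in step 18, lists which DC covers each site (what steps 3 and 4 show in DNS Manager), orders the targets the way an nslookup SRV query would, and flags a DC whose domain-wide SRV registrations are missing (the state created in step 11 and repaired by restarting Netlogon in steps 13 and 14). The sample records are constructed; hqdc02 is an assumed second DC with a non-default priority.

```python
r"""Parse the SRV records a domain controller registers (netlogon.dns format).

Added example, not part of the course material. The sample records are
constructed in the format Netlogon writes to
%systemroot%\System32\config\netlogon.dns; the hosts, sites and domain
follow the demonstration (hqdc01, BRANCHA, contoso.com) and hqdc02 is a
constructed second domain controller.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# e.g. "_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 hqdc01.contoso.com."
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_netlogon_dns(text):
    """Return the SRV records in a netlogon.dns-style file; skip comments."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if m is None:
            raise ValueError(f"not an SRV record: {line}")
        records.append(SrvRecord(m["owner"], int(m["ttl"]), int(m["priority"]),
                                 int(m["weight"]), int(m["port"]), m["target"]))
    return records


def locate(records, service, domain, site=None):
    """Targets for _service.domain (or the site-specific name), best first.

    Same ordering a client applies to an 'nslookup -type=srv' answer:
    lowest priority first, higher weight first within a priority."""
    name = f"{service}.{domain}." if site is None else f"{service}.{site}._sites.{domain}."
    hits = [r for r in records if r.owner.lower() == name.lower()]
    hits.sort(key=lambda r: (r.priority, -r.weight))
    return [(r.target, r.port) for r in hits]


def site_coverage(records, domain):
    """Which DCs advertise LDAP for each site, including sites with no DC of their own."""
    prefix, suffix = "_ldap._tcp.", f"._sites.{domain}."
    cover = defaultdict(set)
    for r in records:
        owner = r.owner.lower()
        if owner.startswith(prefix) and owner.endswith(suffix.lower()):
            site = r.owner[len(prefix):-len(suffix)]
            cover[site].add(r.target)
    return {site: sorted(dcs) for site, dcs in cover.items()}


def missing_registrations(records, dc, domain,
                          required=("_ldap._tcp", "_kerberos._tcp")):
    """Required domain-wide services the DC has not registered (normally empty).

    A non-empty result is the condition the demonstration creates by deleting
    an SRV record; restarting Netlogon re-registers it. _gc._tcp is left out
    of the default because only global catalog servers register it."""
    return [svc for svc in required
            if not any(t.lower() == dc.lower() for t, _ in locate(records, svc, domain))]


# Constructed sample in netlogon.dns format (hqdc02 has no Kerberos record yet)
SAMPLE = """\
; constructed sample, not a real netlogon.dns
_ldap._tcp.contoso.com. 600 IN SRV 10 100 389 hqdc02.contoso.com.
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 hqdc01.contoso.com.
_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 hqdc01.contoso.com.
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 hqdc01.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 389 hqdc01.contoso.com.
_ldap._tcp.BRANCHA._sites.contoso.com. 600 IN SRV 0 100 389 hqdc01.contoso.com.
_ldap._tcp.pdc._msdcs.contoso.com. 600 IN SRV 0 100 389 hqdc01.contoso.com.
"""
```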


Lesson 4

Advanced DNS Configuration and Administration


Contents:
Additional Reading 6


Additional Reading
Resolving Single-Label Names
Providing Single-Label DNS Name Resolution
Deploying the GlobalNames Zone


Lab Review Questions and Answers


Lab A: Install the DNS Service
Question 1: If you did not configure forwarders on HQDC02, what would be the result for clients that use HQDC02 as their primary DNS server?
Answer: They could not resolve names other than those in the contoso.com domain (zone).
Question 2: What would happen to clients' ability to resolve names in the development.contoso.com domain if you had chosen a stand-alone DNS zone, rather than an Active Directory-integrated zone? Why would this happen? What would you have to do to solve this problem?
Answer: Clients who query the other DNS server would be unable to resolve names in the zone, because the server would not receive a replica of the zone. This could be solved by making the zone Active Directory-integrated, by hosting a secondary zone on the other DNS server, or by creating a stub zone that refers queries to the server hosting the development.contoso.com zone.

Lab B: Advanced Configuration of DNS
Question: In this lab, you used a stub zone and a conditional forwarder to provide name resolution between two distinct domains. What other options might you have chosen to use?
Answer: You could create a secondary zone in each domain that hosts a copy of the zone from the other. If the domains have delegations in the top-level .com domain, you could use root hints and standard DNS recursive queries to get them to resolve names in each other's domains.


Module 11
Administer Active Directory Domain Services (AD DS) Domain Controllers (DCs)
Contents:
Lesson 1: Domain Controller Installation Options 2
Lesson 2: Install a Server Core DC 4
Lab Review Questions and Answers 6


Lesson 1

Domain Controller Installation Options


Contents:
Additional Reading 3


Additional Reading
Unattended Installation Options and Answer Files
For a complete reference of dcpromo parameters and unattended installation options, see: http://go.microsoft.com/fwlink/?LinkId=168475

Prepare an Existing Domain for Windows Server 2008 DCs


Running Adprep.exe
ADPrep
Windows Server 2008: Appendix of Changes to Adprep.exe to Support AD DS

Remove a Domain Controller


For detailed steps for removing a domain controller, see http://go.microsoft.com/fwlink/?LinkId=168480
See article 216498 in the Microsoft Knowledge Base for information about performing metadata cleanup. The article is located at http://go.microsoft.com/fwlink/?LinkId=80481


Lesson 2

Install a Server Core DC


Contents:
Additional Reading 5


Additional Reading
Understand Server Core
Server Core Installation Option

Server Core Configuration Commands


Appendix of Unattended Installation Parameters


Lab Review Questions and Answers


Lab A: Install Domain Controllers
Question 1: Why would you choose to use an answer file, or a dcpromo.exe command line, to install a domain controller rather than the Active Directory Domain Services Installation Wizard?
Answer: Automation of installation. Consistency (always using the same options in a script versus hoping that an admin uses the correct options). Documentation (the script documents how the DC was installed). And, of course, in a Server Core installation.
Question 2: In what situations does it make sense to create a domain controller using installation media?
Answer: When the replication of Active Directory to the new domain controller will be problematic from a performance or network impact perspective.

Lab B: Install a Server Core DC
Question 1: Did you find the configuration of Server Core to be particularly difficult?
Answer: Answers will vary.
Question 2: What are the advantages of using Server Core for domain controllers?
Answer: Reduced system requirements, reduced attack surface (vulnerability) and therefore increased security.

Lab C: Transfer Operations Master Roles
Question 1: If you transfer all roles before taking a domain controller offline, is it OK to bring the domain controller back online?
Answer: Yes.
Question 2: If a domain controller fails and you seize roles to another domain controller, is it OK to bring the failed domain controller back online?
Answer: Only if the failed domain controller was the PDC emulator or infrastructure master. Schema, domain naming, and RID master role holders cannot be brought back online if the role was seized while the domain controller was offline. Instead, the failed domain controller must be demoted or, preferably, reinstalled entirely while offline. After the server is back online, it can be re-promoted to a domain controller and, at that time, the operations master role can be transferred gracefully to it.

Lab D: Configure DFS-R Replication of SYSVOL
Question 1: What would you expect to be different between two enterprises, one which created its domain initially with Windows 2008 domain controllers, and one that migrated to Windows Server 2008 from Windows Server 2003?
Answer: In a domain that was created with Windows 2008 in the first place, the SYSVOL share will refer to a folder named SYSVOL that is replicated with DFS-R. In a domain that was created with domain controllers prior to Windows 2008, SYSVOL will be replicated with FRS until it has been migrated. After that point, the SYSVOL share will refer to a folder named SYSVOL_DFSR.
Question 2: What must you be aware of while migrating from the Prepared to the Redirected state?
Answer: While migrating from the Prepared to the Redirected state, any changes made to SYSVOL must be manually duplicated in SYSVOL_DFSR.


Module 12
Manage Sites and Active Directory Replication
Contents:
Lesson 1: Configure Sites and Subnets 2
Lesson 2: Configure the Global Catalog and Application Partitions 4
Lab Review Questions and Answers 6


Lesson 1

Configure Sites and Subnets


Contents:
Additional Reading 3


Additional Reading
Domain Controller Location: Client
For more information about domain controller location, see http://go.microsoft.com/fwlink/?LinkId=168550.

Understand Application Directory Partitions


For more information about domain controller location, see http://go.microsoft.com/fwlink/?LinkId=168550.


Lesson 2

Configure the Global Catalog and Application Partitions


Contents:
Additional Reading 5


Additional Reading
Understand Application Directory Partitions
For more information about application directory partitions, visit http://go.microsoft.com/fwlink/?LinkId=168551. To learn how to manage application directory partitions, see http://go.microsoft.com/fwlink/?LinkId=168553. For more information about application directory partitions and domain controller demotion, see http://go.microsoft.com/fwlink/?LinkId=168554.


Lab Review Questions and Answers


Lab A: Configure Sites and Subnets
Question 1: You have a site with 50 subnets, each with a subnet address of 10.0.x.0/24, and you have no other 10.0.x.0 subnets. What could you do to make it easier to identify the 50 subnets and associate them with a site?
Answer: Define a single subnet, 10.0.0.0/16.
Question 2: Why is it important that all subnets are identified and associated with a site in a multisite enterprise?
Answer: Domain controller (and other service) location is made efficient by referring clients to the correct site, based on the client's IP address and the definition of subnets. If a client has an IP address that does not belong to a site, the client will query for all DCs in the domain, which is not at all efficient. In fact, a single client can be performing actions against domain controllers in different sites, which (if those changes have not replicated yet) can lead to very strange results. It's very important that each client knows what site it's in, and that's achieved by ensuring that DCs can identify what site a client is in.

Lab B: Configure the Global Catalog and Application Partitions
Question 1: Describe the relationship between the records you viewed in ADSI Edit and the records you viewed in DNS Manager.
Answer: Every record seen in DNS Manager's forward lookup zones has a corresponding record in the application directory partitions for DNS. However, the records as viewed in the application directory partition are flat; DNS Manager presents the records in a hierarchy.
Question 2: When you examined the DNS records in _tcp.BRANCHA._sites.contoso.com, what domain controller was registering service locator records in the site? Explain why it did so.
Answer: Answers will vary as to which DC covered BRANCHA. The site had no domain controllers, so a domain controller covers clients in the site by advertising itself using SRV records in the site.
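Added example, not from the course: a Python model of how a client's IP address is matched to a site (the longest-prefix subnet wins; no match means no site, so the client queries all DCs as Question 2 describes), together with checks for the summarized 10.0.0.0/16 subnet from Question 1. The site names, the BRANCHA subnet that overlaps 10.0.0.0/16 and the client addresses are constructed, and the overlap goes beyond the lab to show a more specific subnet winning, and to show what a summary subnet would swallow if the "no other 10.0.x.0 subnets" condition did not hold.

```python
"""Client-to-site association by subnet, as AD DS does it.

Added example, not part of the course material. A site is chosen by the
longest-prefix subnet object that contains the client's address; an address
that matches no subnet object gets no site. The lab's 50 subnets
(10.0.0.0/24 .. 10.0.49.0/24) are generated here; the other subnets, site
names and client addresses are constructed.
"""
import ipaddress


class SiteMap:
    """Subnet objects (as in Sites and Services) mapped to site names."""

    def __init__(self, subnet_to_site):
        self.entries = [(ipaddress.ip_network(cidr), site)
                        for cidr, site in subnet_to_site.items()]

    def site_for(self, ip):
        """Site of the most specific matching subnet, or None if unassociated."""
        addr = ipaddress.ip_address(ip)
        matches = [(net.prefixlen, site) for net, site in self.entries if addr in net]
        return max(matches)[1] if matches else None

    def unassociated(self, client_ips):
        """Clients that would fall back to querying all DCs in the domain."""
        return [ip for ip in client_ips if self.site_for(ip) is None]


def covers_all(supernet, subnets):
    """True if one summary subnet (e.g. 10.0.0.0/16) contains every subnet."""
    big = ipaddress.ip_network(supernet)
    return all(ipaddress.ip_network(s).subnet_of(big) for s in subnets)


def overlaps_other_sites(supernet, site, site_map):
    """Subnets of other sites the summary would also contain (should be none)."""
    big = ipaddress.ip_network(supernet)
    return [str(net) for net, s in site_map.entries if s != site and net.subnet_of(big)]


# Constructed: the lab's 50 branch subnets 10.0.0.0/24 .. 10.0.49.0/24
LAB_SUBNETS = [f"10.0.{i}.0/24" for i in range(50)]
```

Because a more specific subnet beats the /16, the summary is safe to define only when overlaps_other_sites is empty; for the sample map, 10.0.0.0/18 still covers all 50 lab subnets without touching BRANCHA.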
Lab C: Configure Replication
Question 1: Explain the warning message that appeared when you designated HQDC02 as a preferred bridgehead server.
Answer: A bridgehead server acts as the bridgehead only for the Active Directory partitions that it contains. Because HQDC02 is not a DNS server, it does not host the ForestDnsZones or DomainDnsZones application partitions. The ISTG will continue to automatically designate another DC in the site as the bridgehead server for those two partitions. The warning message explained that the best practice is to designate bridgeheads for each partition. Ideally, the bridgehead server should host all partitions, in this case including the DNS application partitions.
Question 2: What are the advantages of reducing the intersite replication interval? What are the disadvantages?
Answer: Convergence is improved. Changes made in one site are replicated more quickly to other sites. There are actually few, if any, disadvantages. If you consider that the same changes must replicate whether they wait 15 minutes or 3 hours to replicate, it's really a matter of the timing of replication rather than the quantity of replication. However, in some extreme situations, it's possible that allowing a smaller number of changes to replicate more frequently might be less preferable than allowing a large number of changes to replicate less frequently.


Question 3: Is the procedure you performed in Exercise 2 enough to create a hub and spoke replication topology, which ensures that all changes from branches are replicated to the headquarters before being replicated to other branches? If not, what must still be done? Answer: You must disable Bridge all site links.


Module 13
Directory Service Continuity
Contents:
Lesson 1: Monitor Active Directory 2
Lesson 2: Manage the Active Directory Database 6
Lesson 3: Back Up and Restore AD DS and Domain Controllers 10
Lab Review Questions and Answers 13


Lesson 1

Monitor Active Directory


Contents:
Detailed Demo Steps 3
Additional Reading 5


Detailed Demo Steps


Demonstration: Event Viewer
Demonstration steps
1. If it is not already started, launch the virtual machine 6525B-HQDC01-B and log on as Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.
2. Open Event Viewer and observe the new look of the Microsoft Management Console (MMC).
3. Notice the default summary view.
4. Expand Custom Views and display the default custom views.
5. Expand Windows Logs, and then display the traditional logs and the new logs.
6. Notice the AD logs listed on the slide. This display presents events related to domain controller stability and performance.
7. Open any of the logs, and observe the options available in the Actions pane.
8. Note that it is possible to attach a task to an event using the Create a Basic Task Wizard.
9. It is also possible to copy an event's details as text into Notepad.
10. Double-click any event to show the details.
11. Expand the Microsoft Windows folder to display the logs.
12. It is also possible to connect to another computer. Reminder: Remote event-log management must be enabled on the remote computer's firewall. Working with the firewall is part of the upcoming lab for this lesson.

Demonstration: Configure Custom Views and Subscriptions


Demonstration steps
1. If it is not already started, launch the virtual machine 6525B-HQDC01-B and log on as Contoso\Pat.Coleman_Admin with Password Pa$$w0rd.

Create a custom view


1. Create a new custom view that captures error events from some Active Directory-related logs.
2. Export the view to an XML file.
3. Delete the original custom view, and then import the XML file.

Create a subscription
1. For this, we need to ensure that we are logged on to all collector and source computers as administrator.
2. On each source computer, at an elevated command prompt, type winrm quickconfig.
3. On the collector computer, at an elevated command prompt, type Wecutil qc.
4. Add the computer account of the collector computer to the local Administrators group on each of the source computers.
5. Create the subscription.
6. Filter events to show only errors from the system log.

Demonstration: Windows Resource and Performance Monitor (WRPM)


Demonstration steps
1. If it is not already started, launch the virtual machine 6525B-HQDC01-B and log on as Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.
2. Open Reliability and Performance Monitor.
3. Observe the resource overview screen. Expand some sections to show details.
4. Open Performance Monitor. This feature has not changed significantly from Windows Server 2003.
5. Open Reliability Monitor. Browse through and observe some details.
6. Open Reports, and note the system reports that are available.

Demonstration: Monitor AD DS
Demonstration steps
1. If it is not already started, launch the virtual machine 6525B-HQDC01-B and log on as Contoso\Pat.Coleman_Admin with Password Pa$$w0rd.

Create a new Data Collector Set named Custom Active Directory.


1. Add the server baseline counters.
2. Add some of the Active Directory counters, and then start the Data Collector Set.
3. Perform some activity to generate statistics. For example, create, modify and/or delete several user or group accounts.
4. Stop the Data Collector Set, and then look at the user-defined report.
5. In the System container, start the Active Directory Diagnostics Data Collector Set.
6. Perform some activity to generate statistics. For example, create, modify and/or delete several user or group accounts.
7. Stop the Data Collector Set, and then look at the system-defined report.


Additional Reading
Event Viewer
Event Viewer

Custom Views
Create and Manage Custom Views

Subscriptions
Event Subscriptions

Demonstration: Configure Custom Views and Subscriptions


Create a Custom View
Configure Computers to Forward and Collect Events

Windows Reliability and Performance Monitor (WRPM)


Windows Reliability and Performance Monitor

Reliability Monitor
Using Reliability Monitor

Performance Monitor
Using Performance Monitor

Data Collector Sets


Creating Data Collector Sets


Lesson 2

Manage the Active Directory Database


Contents:
Question and Answers 7
Detailed Demo Steps 8
Additional Reading 9


Question and Answers


Demonstration: AD DS Database Maintenance
Question 1: Why is it necessary to stop AD DS before defragmenting?
Answer: The database needs to be closed completely before it can be overwritten. An online database may have locked records that are being written to, thus preventing file modification.
Question 2: Why is it necessary to compact the database to a temporary directory first?
Answer: Compacting the database actually creates a contiguous copy, which will be used to overwrite the fragmented original.

Demonstration: Using Snapshots and Object Reanimation


Question 1: When would it be useful to mount multiple snapshots simultaneously?
Answer: When an object is deleted from AD DS accidentally, and you are unsure which backup to restore, you can mount multiple snapshots and browse them simultaneously for the deleted object.
Question 2: Why is it necessary to specify different LDAP, SSL, and global catalog ports for each mounted instance of the database?
Answer: Because each snapshot will act as a separate LDAP server, the ports must be unique on the computer. For example, if an administrator mounts three snapshots, you must specify 12 unique ports (four for each instance).


Detailed Demo Steps


Demonstration: AD DS Database Maintenance
Demonstration steps
1. If it is not already started, launch the virtual machine 6525B-HQDC01-B and log on as Contoso\Pat.Coleman_Admin with Password Pa$$w0rd.

To stop the AD DS service:


1. Click Start, click Admin Tools, and then click Services.
2. Right-click Active Directory Domain Services, and then select Stop from the context menu.
3. In the Also stop the following Services dialog box, click Yes.

To perform an offline defrag of the Active Directory database while AD DS is stopped:
1. Click Start, click Run, type CMD, and then press ENTER.
2. In the command window, type ntdsutil, and then press ENTER.
3. At the ntdsutil: prompt, type Activate Instance NTDS, and then press ENTER.
4. At the ntdsutil: prompt, type files, and then press ENTER.
5. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath (where drive:\LocalDirectoryPath is the path to a location on the local computer). After a short while, press CTRL+C to break the process. This process can take a long time to complete.
6. After the process has completed, you would need to copy NTDS.dit to a backup location, along with the logs (*.log), and then you would delete the logs (*.log).
7. Best practice is to check the integrity of the newly compacted database last. Type integrity to check the integrity of the newly compacted database. This process, like a compact, takes a long time to complete. Press CTRL+C at any time to break the process and move on to the next part of the demo.

To move the AD DS database:


1. In the File Maintenance command window, type move db to pathname.
2. As above, we will not wait for this process to complete. Press CTRL+C to break the process at any time.
3. Please know that the NTDS.dit file would be moved to the new location and permissions would be set accordingly had we waited for the entire process to complete.

Lastly, restart AD DS:


1. In the Services MMC, right-click Active Directory Domain Services, and then click Start.


Additional Reading
Active Directory Database Files
How the Data Store Works

NTDSUtil
Data Store Tools and Settings
How to remove data in Active Directory after an unsuccessful domain controller demotion

Demonstration: AD DS Database Maintenance


Compact the Directory Database File (Offline Defragmentation)

Active Directory Snapshots


Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide

Restore Deleted Objects


End-to-End Scenario That Uses the Active Directory Database Mounting Tool

Demonstration: Using Snapshots and Object Reanimation


End-to-End Scenario That Uses the Active Directory Database Mounting Tool


Lesson 3

Back Up and Restore AD DS and Domain Controllers


Contents:
Detailed Demo Steps 11
Additional Reading 12


Detailed Demo Steps


Demonstration: Backup AD DS
Demonstration Steps
1. If it is not already started, launch the virtual machine 6525B-HQDC01-B and log on as Contoso\Pat.Coleman_Admin with Password Pa$$w0rd.

To perform an interactive backup of Active Directory:


1. Open the Windows Server Backup snap-in.
2. In the Windows Server Backup console's Actions pane, click the Backup Once link. The Backup Once Wizard appears.
3. On the Backup options page, ensure that Different options is selected, and then click Next.
4. On the Select backup configuration page, click Custom, and then click Next.
5. On the Select backup items page, ensure that the Enable system recovery check box is selected, and then click Next.
6. On the Specify destination type page, click Next.
7. On the Select backup destination page, click Next.
8. On the Specify advanced option page, click VSS full backup, and then click Next.
9. On the Confirmation page, click Backup.


Additional Reading
Backup and Recovery Tools
Backup and Recovery Overview for Windows Server 2008
Windows Server Backup
Windows Server Backup Step-by-Step Guide for Windows Server 2008
Backing Up Your Server

Overview of AD DS and Domain Controller Backup


AD DS Backup and Recovery Step-by-Step Guide

Other Backup and Recovery Tools


Backup and Recovery Overview for Windows Server 2008


Lab Review Questions and Answers


Lab A: Monitor Active Directory Events and Performance
Question 1: In what situations do you currently use, or can you envision using, event subscriptions as a monitoring tool?
Answer: Answers may vary depending on the situation.
Question 2: To what events or performance counters would you consider attaching e-mail notifications or actions? Do you use notifications or actions currently in your enterprise monitoring?
Answer: Answers may vary depending on the situation.

Lab B: Manage the Active Directory Database
Question 1: In what other situations might it be useful to mount a snapshot of Active Directory?
Answer: If you discover a problem with Active Directory that will require restoring a backup, you might want to look at snapshots to determine just how far back you need to go to restore. Once you've found the snapshot in which the correct data resides, you can then restore the backup taken on the same date.
Question 2: What are the disadvantages of restoring a deleted object with a tool such as LDP?
Answer: You must repopulate all attributes.

Lab C: Back Up and Restore Active Directory
Question 1: What type of domain controller and directory service backup plan do you have in place? What do you expect to put in place after having completed this lesson and this lab?
Answer: Answers will vary.
Question 2: When you restore a deleted user (or an OU with user objects) using authoritative restore, will the objects be exactly the same as before? What attributes might not be the same?
Answer: Answers may vary somewhat, but the question is designed to frame a discussion of group membership. A user's group membership is not an attribute of the user object but rather of the group object. When you authoritatively restore a user, you are not restoring the user's membership in groups. The user was removed from the member attribute of groups when it was deleted, so the restored user will not be a member of any groups other than its primary group.
In order to restore group memberships, you would have to consider authoritatively restoring groups as well. This may or may not always be desirable, because when you authoritatively restore the groups you return their membership to the day on which the backup was made.


Module 14
Manage Multiple Domains and Forests
Contents:
- Lesson 2: Manage Multiple Domains and Trust Relationships (page 2)
- Lab Review Questions and Answers (page 6)


Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Lesson 2

Manage Multiple Domains and Trust Relationships


Contents:
- Detailed Demo Steps (page 3)
- Additional Reading (page 5)


Detailed Demo Steps


Demonstration: Create a Trust
To create a trust relationship:

1. Open the Active Directory Domains and Trusts snap-in.
2. Right-click the domain that will participate in one side of the trust relationship, and choose Properties. You must be running Active Directory Domains and Trusts with credentials that have permissions to create trusts in this domain.
3. Click the Trusts tab.
4. Click the New Trust button. The New Trust Wizard guides you through the creation of the trust.
5. On the Trust Name page, type the DNS name of the other domain in the trust relationship, and then click Next.
6. If the domain you entered is not within the same forest, you will be prompted to select the type of trust, which will be one of the following:
   - Forest
   - External
   - Realm
   If the domain is in the same forest, the wizard knows it is a shortcut trust.
7. If you are creating a realm trust, you will be prompted to indicate whether the trust is transitive or non-transitive. (Realm trusts are discussed later in this lesson.)
8. On the Direction Of Trust page, select one of the following:
   - Two-Way. This establishes a two-way trust between the domains.
   - One-Way: Incoming. This establishes a one-way trust in which the domain you selected in step 2 is the trusted domain, and the domain you entered in step 5 is the trusting domain.
   - One-Way: Outgoing. This establishes a one-way trust in which the domain you selected in step 2 is the trusting domain, and the domain you entered in step 5 is the trusted domain.
9. Click Next.
10. On the Sides Of Trust page, select one of the following:
    - Both this domain and the specified domain. This establishes both sides of the trust. This requires that you have permission to create trusts in both domains.
    - This domain only. This creates the trust relationship in the domain you selected in step 2. An administrator with permission to create trusts in the other domain must repeat this process to complete the trust relationship.
    The next steps will depend on the options you selected in steps 8 and 10. The steps will involve one of the following:
    - If you selected Both this domain and the specified domain, you must enter a user name and password with permissions to create the trust in the domain specified in step 5.
    - If you selected This domain only, you must enter a trust password. A trust password is entered by administrators on each side of a trust to establish the trust. The passwords should not be the administrators' user account passwords. Instead, each should be a unique password used only for the purpose of creating this trust. The passwords are used to establish the trust, and then the domains change them immediately.
11. If the trust is an outgoing trust, you are prompted to choose one of the following:
    - Selective Authentication
    - Domain-Wide Authentication or Forest-Wide Authentication, depending on whether the trust type is an external trust or a forest trust, respectively.
12. The New Trust Wizard summarizes your selections on the Trust Selections Complete page. Click Next. The wizard creates the trust.
13. The Trust Creation Complete page appears. Verify the settings, and then click Next. You will then have the opportunity to confirm the trust. This option is useful if you have created both sides of the trust or if you are completing the second side of a trust.
    - If you selected Both this domain and the specified domain in step 10, the process is complete.
    - If you selected This domain only in step 10, the trust relationship will not be complete until an administrator in the other domain completes the process:
      - If the trust relationship you established is a one-way outgoing trust, an administrator in the other domain must create a one-way incoming trust.
      - If the trust relationship you established is a one-way incoming trust, an administrator in the other domain must create a one-way outgoing trust.
      - If the trust relationship you established is a two-way trust, an administrator in the other domain must create a two-way trust.
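The same procedure from the command line, as an added example that is not part of the course material: netdom trust expresses the wizard's choices as switches (the first argument is the trusting domain and /d: the trusted domain, /twoway for a two-way trust, /oneside for "This domain only", /SelectiveAUTH for step 11, /verify for the confirmation in step 13). The DNS names tailspintoys.com and contoso.com are assumed names for the lab's two fictional domains, and Administrator is a placeholder account.

```powershell
# Added example, not course material. Assumes two fictional domains from the lab:
# tailspintoys.com (the trusting, resource-holding domain) and contoso.com (the trusted domain).
$Trusting = 'tailspintoys.com'
$Trusted  = 'contoso.com'

# Steps 8 and 10 with netdom: the first argument is the trusting domain and /d: the trusted
# domain, so this is "One-Way: Outgoing" as seen from $Trusting. Supplying credentials for
# both domains creates both sides at once ("Both this domain and the specified domain");
# '*' makes netdom prompt for each password instead of leaving it in the command history.
netdom trust $Trusting "/d:$Trusted" /add `
    "/UserD:$Trusted\Administrator"  /PasswordD:* `
    "/UserO:$Trusting\Administrator" /PasswordO:*

# "This domain only": create just the trusting side. netdom requires a trust password with
# /oneside; the partner administrator creates the other side using the same trust password,
# after which the domains change it, as described for the wizard above.
#   netdom trust $Trusting "/d:$Trusted" /add /oneside:trusting /passwordt:<TrustPasswordPlaceholder>

# "Two-Way" (step 8) is the same command with /twoway added.
#   netdom trust $Trusting "/d:$Trusted" /add /twoway "/UserD:$Trusted\Administrator" /PasswordD:* "/UserO:$Trusting\Administrator" /PasswordO:*

# Step 11: selective authentication on the outgoing trust, so accounts from $Trusted reach
# only the computers in $Trusting on which they hold the Allowed to Authenticate permission.
netdom trust $Trusting "/d:$Trusted" /SelectiveAUTH:yes

# Step 13 equivalent: confirm the trust, then list the trusts this domain knows about.
netdom trust $Trusting "/d:$Trusted" /verify
nltest /domain_trusts /all_trusts
```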


Additional Reading
Move Objects Between Domains and Forests
For more information about domain migration, SIDs, and SID history, see the Domain Migration Cookbook.

Define Your Forest and Domain Structure


For more information about the security considerations related to domain and forest design, see Best Practices for Delegating Active Directory Administration.
For more information about planning the architecture of an AD DS enterprise, see http://go.microsoft.com/fwlink/?LinkId=168826.

Demonstration: Create a Trust


Detailed procedures for creating each type of trust are available at: http://go.microsoft.com/fwlink/?LinkId=168830.

Forest Trusts
You can learn about the DNS requirements for a forest trust at http://go.microsoft.com/fwlink/?LinkId=168831.


Lab Review Questions and Answers

Lab A: Raise Domain and Forest Functional Levels

Question 1: Can you raise the domain functional level to Windows Server 2008 when your Microsoft Exchange server is still running Windows Server 2003?
Answer: Yes, as long as the Exchange server is not a domain controller. All that matters when determining the domain functional level is the operating system of the domain controllers.

Question 2: Can you raise the domain functional level of a domain to Windows Server 2008 when other domains contain domain controllers running Windows Server 2003?
Answer: Yes. Domain functional levels within a forest can be different.

Lab B: Administer a Trust Relationship

Question 1: You have given the Research and Development group from Tailspin Toys Modify permission to the Product Information folder on HQDC01. However, of the ten users in the group, only one user (who happens to also be a member of the Product Team group) has access. The others cannot access the folder. What must be done?
Answer: Because selective authentication is enabled, the users in the Research and Development group must be given the Allowed to Authenticate permission on HQDC01. The Product Team group already had that permission, which is why one user was able to authenticate and then access the folder.

Question 2: A user from Contoso attempts to access a shared folder in the Tailspin Toys domain and receives an Access Denied error. What must be done to provide access to the user?
Answer: A trust relationship must be established in which Tailspin Toys trusts Contoso; then the user (or a group to which the user belongs) must be given permission to the shared folder in the Tailspin Toys domain.
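A check that complements the Lab B discussion of selective authentication and trust direction, added here and not part of the course material: it reads the trustedDomain objects in the current domain's System container through ADSI and decodes the trustDirection, trustType and trustAttributes bit flags (values as defined in MS-ADTS), reporting per trust whether selective authentication and SID filtering are in effect. The function name Get-TrustReport is this example's own; it assumes a domain-joined machine and an account that can read the System container.

```powershell
# Added example, not course material. Reads the trustedDomain objects of the current domain
# through ADSI and decodes trustDirection, trustType and trustAttributes (flag values as
# defined in MS-ADTS) so selective authentication and SID filtering can be reviewed per trust.
$attributeFlags = @{
    0x01 = 'NON_TRANSITIVE'
    0x02 = 'UPLEVEL_ONLY'
    0x04 = 'QUARANTINED_DOMAIN'    # SID filtering (quarantine) enabled on an external trust
    0x08 = 'FOREST_TRANSITIVE'     # forest trust
    0x10 = 'CROSS_ORGANIZATION'    # selective authentication enabled
    0x20 = 'WITHIN_FOREST'         # parent-child, tree-root or shortcut trust
    0x40 = 'TREAT_AS_EXTERNAL'     # forest trust with SID filtering relaxed to external-trust level
    0x80 = 'USES_RC4_ENCRYPTION'
}
$directionNames = @{ 0 = 'Disabled'; 1 = 'Incoming'; 2 = 'Outgoing'; 3 = 'Two-way' }
$typeNames      = @{ 1 = 'Downlevel (Windows NT)'; 2 = 'Uplevel (AD DS)'; 3 = 'Realm (MIT Kerberos)'; 4 = 'DCE' }

function Get-TrustReport {
    # Trust objects live in the System container of the domain partition.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://CN=System,' + $rootDse.Get('defaultNamingContext'))
    $searcher.Filter     = '(objectClass=trustedDomain)'

    foreach ($r in $searcher.FindAll()) {
        $attrs = [int]$r.Properties['trustattributes'][0]
        $type  = [int]$r.Properties['trusttype'][0]
        $dir   = [int]$r.Properties['trustdirection'][0]
        $names = $attributeFlags.Keys | Where-Object { $attrs -band $_ } | ForEach-Object { $attributeFlags[$_] }

        # Findings a reviewer would want to see next to each trust. Selective authentication is a
        # property of the outgoing side, so it is only reported for trusts with an outbound direction.
        $isExternal = ($type -eq 2) -and -not ($attrs -band (0x08 -bor 0x20))
        $findings = @()
        if ($isExternal -and -not ($attrs -band 0x04)) { $findings += 'SID filtering not enabled' }
        if (($attrs -band 0x08) -and ($attrs -band 0x40)) { $findings += 'SID filtering relaxed on forest trust' }
        if (($type -eq 2) -and ($dir -band 2) -and -not ($attrs -band (0x10 -bor 0x20))) {
            $findings += 'domain- or forest-wide authentication (no selective authentication)'
        }

        New-Object PSObject -Property @{
            Partner    = [string]$r.Properties['trustpartner'][0]
            Direction  = $directionNames[$dir]
            Type       = $typeNames[$type]
            Attributes = ($names | Sort-Object) -join ', '
            Findings   = $findings -join '; '
        }
    }
}

Get-TrustReport | Format-Table Partner, Direction, Type, Attributes, Findings -AutoSize -Wrap
```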


Resources
Contents:
- Microsoft Learning (page 2)
- Technet and MSDN Content (page 3)
- Communities (page 6)


Microsoft Learning
This section describes various Microsoft Learning programs and offerings.

- Microsoft Skills Assessments: Describes the skills assessment options available through Microsoft.
- Microsoft Learning: Describes the training options available through Microsoft, face-to-face or self-paced.
- Microsoft Certification Program: Details how to become a Microsoft Certified Professional, a Microsoft Certified Database Administrator, and more.
- Microsoft Learning Support: To provide comments or feedback about the course, send e-mail to support@mscourseware.com. To ask about the Microsoft Certification Program (MCP), send e-mail to mcphelp@microsoft.com.


Technet and MSDN Content


- Backup and Recovery Overview for Windows Server 2008
- Event Viewer
- Create and Manage Custom Views
- Event Subscriptions
- Windows Reliability and Performance Monitor
- Using Reliability Monitor
- Using Performance Monitor
- Creating Data Collector Sets
- Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide
- End-to-End Scenario That Uses the Active Directory Database Mounting Tool
- Windows Server Backup
- Backing Up Your Server
- AD DS Backup and Recovery Step-by-Step Guide
- AD DS Installation and Removal Step-by-Step Guide
- Server Core Installation Option
- Appendix of Unattended Installation Parameters
- Dcpromo
- Running Adprep.exe
- Adprep
- Windows Server 2008: Appendix of Changes to Adprep.exe to Support AD DS
- Steps for Removing AD DS
- Windows Server 2008 Logon and Authentication Technologies
- Authorization and Access Control Technologies
- Providing Single-Label DNS Name Resolution
- Finding a Domain Controller in the Closest Site
- Application Directory Partitions
- Windows Server 2003 Application directory partitions and domain controller demotion
- GPO Operations
- Backing up, Restoring, Migrating, and Copying GPOs


- How Core Group Policy Works
- Server Security Policy Settings
- Secedit
- Security Configuration Wizard
- Group Policy Software Installation overview
- Microsoft Management Console 3.0
- Active Directory Domain Services
- Managing Active Directory from MMC
- Install the Active Directory Schema snap-in
- Remote Server Administration Tools Pack
- Add, Remove, and Organize Snap-ins and Extensions in MMC 3.0
- Using Run as
- Search Active Directory
- Managing Users
- Create a New User Account
- Dsadd
- Object Names
- User Properties - Account Tab
- Reset a User Password
- Disable or Enable a User Account
- Delete a User Account
- Move a User Account
- Copy a User Account
- LDAP Query Basics
- Delegated permissions are not available and inheritance is automatically disabled
- Create a New Group
- Default Groups
- Default Local Groups
- Read-Only Domain Controllers Step-by-Step Guide
- Managing Server Integration with AD DS
- Appendix A: RODC Technical Reference Topics
- DNS
- How DNS Query Works


- What's New in the Server Core Installation Option
- AD DS Auditing Step-by-Step Guide
- Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide
- End-to-End Scenario That Uses the Active Directory Database Mounting Tool
- Windows Server Backup Step-by-Step Guide for Windows Server 2008
- Planning and Architecture: AD DS
- Domain Migration Cookbook Introduction
- How Domain and Forest Trusts Work
- Domain and Forest Trust Tools and Settings
- Best Practices for Delegating Active Directory Administration (Windows Server 2003)

MSDN
There is no MSDN content for this course.


Communities
This section includes content from Communities for this course.

- How to remove data in Active Directory after an unsuccessful domain controller demotion
- Microsoft Identity and Access Solutions
- DNS Global Names Document Download
- Windows Server Active Directory Components pdf download
- How to restore deleted user accounts and their group memberships in Active Directory


Send Us Your Feedback


You can search the Microsoft Knowledge Base for known issues at Microsoft Help and Support before submitting feedback. Search using either the course number and revision, or the course title.

Note: Not all training products will have a Knowledge Base article. If that is the case, please ask your instructor whether or not there are existing error log entries.

Courseware Feedback
Send all courseware feedback to support@mscourseware.com. We truly appreciate your time and effort. We review every e-mail received and forward the information on to the appropriate team. Unfortunately, because of volume, we are unable to provide a response but we may use your feedback to improve your future experience with Microsoft Learning products.

Reporting Errors
When providing feedback, include the training product name and number in the subject line of your e-mail. When you provide comments or report bugs, please include the following:

- Document or CD part number
- Page number or location
- Complete description of the error or suggested change

Please provide any details that are necessary to help us verify the issue.

Important: All errors and suggestions are evaluated, but only those that are validated are added to the product Knowledge Base article.
