
Expeditionary Communications Course

F Annex


Student Handouts & Supplemental Material

BOX 788251
3 APR 2013


1. Without the aid of reference, identify the definition of Directory,
per the MCTS Training Kit, Configuring Windows Server 2008 - Active
Directory (Exam 70-640), Network Infrastructure (Exam 70-642), and
Applications Infrastructure (Exam 70-643). (0602-PLAN-1105hd)

2. Without the aid of reference, identify the purpose of Directory
Services, per the MCTS Training Kit, Configuring Windows Server 2008 -
Active Directory (Exam 70-640), Network Infrastructure (Exam 70-642),
and Applications Infrastructure (Exam 70-643). (0602-PLAN-1105he)

3. Without the aid of reference, select from a list of distracters the
purpose of the X.500 Directory Access Protocol (DAP), per the MCTS
Training Kit, Configuring Windows Server 2008 - Active Directory (Exam
70-640), Network Infrastructure (Exam 70-642), and Applications
Infrastructure (Exam 70-643). (0602-PLAN-1105hf)

4. Without the aid of reference, select from a list of distracters the
purpose of the Lightweight Directory Access Protocol (LDAP), per the
MCTS Training Kit, Configuring Windows Server 2008 - Active Directory
(Exam 70-640), Network Infrastructure (Exam 70-642), and Applications
Infrastructure (Exam 70-643). (0602-PLAN-1105hh)


Computers are networked in order to share information between people
and locations all over the world. During this course, we have spent a
lot of time on the design of the Layer 3 and Layer 2 architectures that
enable computers to communicate with one another. While the entire OSI
model was covered, the focus was predominantly on Layer 4 and below. Now
that the fundamentals of networking computers have been taught, the
higher layers that provide user services can be discussed.

Computer networks allow information to be shared and transferred from
one computer to another. For example, the student share drive is one of
the advantages of networked computers that each of you has used. File
shares are very beneficial, and not just to students of ECC but also to
the rest of the Marine Corps. A file server in the field or forward
deployed allows regimental communications plans to be distributed and
then accessed by subordinate battalion communication officers at remote
command posts. This distributed file system greatly enhances the Marine
Corps' ability to share information instantaneously while planning as a
MAGTF and indirectly increases our combat tempo. Without establishing a
network service architecture, we would be relegated to using legacy
equipment and manually relaying our information to all units.

Now, the server classes during this module are designed to help you
properly plan, install, operate, and maintain data services for your
users. While the classes are going to focus on the upper layers of the
OSI model, don’t forget all of the best practices and planning
considerations that apply to our Layer 3 and Layer 2 networks.

Services and Networked Computers

Computers are networked to share or offer services to one another. The
list below shows some of the services that networked computers can
• Print Services
• Domain Naming Service – “the phone book”
• File Shares
• Full Motion Video – Scan Eagle, Predators, Reapers
• VoIP
• Email
• Antivirus and Patching
• Chat
• Gaming
• Blogging and Social Networking

It is important to understand that computers are networked because there
is some requirement for external services that the local computer cannot
provide for itself for one reason or another. Some services are too
complex to manage on a laptop, too confusing to operate, or even too
expensive for the average user to purchase.

Let’s look at social networking to examine this concept. The goal of
social networking is to let our family and friends know about important
events and happenings in our lives. Companies like MySpace, Twitter, and
Facebook use their software and servers to allow individuals to host a
webpage. Because of the nature of the Internet, people can then update
their social media webpage on that remote server from anywhere in the
world. Instead of constantly having to leave their own computers online
and running, the remote server hosting their webpage records the changes
and ensures they are made available to anyone who wishes to access them,
so long as they have the permissions to do so. Furthermore, users of
social media do not have to be versed in coding languages like SQL,
ColdFusion, HTML, Java, etc., to create their page, because of the
service being provided by whoever is hosting their webpage. By leveraging
the network services concept, companies like Facebook and MySpace have
made it easier for more people to host personal webpages; something that
at one time was extremely expensive to do and required in-depth technical

Always remember that computer networks are ultimately designed and
developed in order to share services to the users that need them. Now,
the job of a network planner is to evaluate what services are required
and then to build the network infrastructure and directory services to
support those requirements.

Two General Types of Computer Networks

As was discussed during CCNA Module 1, the two types of computer networks
are Peer to Peer (P2P) and Client / Server Networks. In a P2P network,
each networked computer accesses one another to obtain permissions for
networked resources. There is no central point or control over the

Now, client / server networks contain servers that hosts must access to
obtain permissions prior to accessing network resources; the network is
controlled from a centralized point, the server. In this model, a client
computer is defined as a computer or host that requests and uses
resources and information from another computer or server. A server is a
computer on the network that you can request information, resources,
services, and applications from.

The Marine Corps predominantly uses the client / server architecture for
controlling resources on a network rather than a simple peer to peer
network. There are too many users, computers, and computer equipment on
the networks both deployed and in garrison to use a peer to peer network.
Imagine the workload it would be to individually configure 1000 computers
for file sharing.

There are several advantages to the client server model including
centralized security, dedicated servers, easy accessibility (for the
network administrators), synchronized files, and easy backups. The
disadvantages include a dependency on administration, more complicated
setup and maintenance, and the fact that servers are expensive.

Now, let’s analyze the client server model using the 4 characteristics
of a good network design: Fault tolerance, Scalability, Quality of
Service, and Security.
Fault Tolerance

A client server architecture at first glance may not seem to be fault
tolerant. If all of the client computers need 1 server to operate and
the server goes down, everyone using services from the server will have
to wait until the server comes back up. However, what happens to fault
tolerance if the service is distributed between 2 servers? If one goes
down, the users will not be affected because, if configured
appropriately, the resource is available on the second server. The below
diagram shows how servers can add fault tolerance to a data network.

In this diagram, there are two servers for email, DNS, and domain
services. The servers are located in two separate facilities separated
by a redundant layer 3 network. If one of the Techcons loses power or
is attacked by indirect fire, the users will be able to use the servers
and services running in the other facility without noticing a
significant interruption in service. A truly fault tolerant data
architecture combines all of the advantages of the lower and upper layers
of the OSI model.

The other aspect of fault tolerance is the ability to conduct centralized
backups of the information contained on the servers. Let's look at a file
server. The users use documents stored on the server. Every night those
documents are backed up to separate storage. If one morning the network
administrators come in and find that the file server malfunctioned during
the night, they can restore the backup of the documents to another
server, ensuring that no information was lost. If a user kept an
important document on his or her hard drive and the computer crashed
and destroyed the hard drive, he would not be able to get that information


Scalability

Most server architectures are extremely scalable because it is relatively
simple to add new services to existing servers or join new servers to
the network as additional requirements are identified. In this case,
your Data Marines only need to access and configure a limited number of
powerful servers in order to provide all your users with the services
they require. In contrast, every device added to a peer to peer network
needs to be individually configured to ensure it is sharing the services
and files it can provide, thus making it much more complex to maintain
and administer. Thus, the Marine Corps uses the client / server model in
order to leverage powerful directory services that can control and
specify hundreds of individual computer settings from one server and
push that information out to every computer on the network.

In the diagram on the previous page, if another DNS or web server is
needed, another line of Cat-5 can be run to the switch and a computer
powered up and configured. Adding one server gives more functionality to
every other client computer in the network. No changes will have to
be made to the client computers to take advantage of the additional

Quality of Service

Client/server architecture lends itself to quality of service as well.
There are services that run on servers that can control logon hours,
limit email sizes, and control replication overhead and other traffic on
the network. These services can work to prevent network congestion by
setting policies that are applied from a central server or group of
servers to every computer in the network. Additionally, a network
administrator can guarantee better quality of service by dedicating a
server, or perhaps several servers, to providing a single service. Thus,
when a user requests a service, perhaps email, the server he is
requesting his email from responds very quickly because all of its
physical resources are dedicated to providing that one service vice
multiple services.


Security

The client/server model works to enhance security by controlling all of
the permissions and access from a single server or group of servers.
Servers with security services eliminate the problem of the network
administrator creating local accounts on all of the computers to control
logon and file share permissions. In a client/server architecture,
permissions to information and resources can be controlled at a central
point. When a client logs onto his or her computer, it queries the
security service on a server and receives the authorized set of network
permissions for that user. This lets the user enter a password once and
have all of the doors opened, rather than individually logging onto
every file share, printer, and other shared resource that he or she
needs.

Controlling the security of the network from a centralized location cuts
down on the ability of hackers and users to impact the network and
essential services.


As computer technology continues to advance, one might notice that there
are not too many differences between a computer acting as a server and a
computer acting as a client. Most computers operating as servers have
more powerful hardware, such as larger hard drive space, more RAM, and
faster CPUs (quantity and speed) than the normal laptop or desktop.
However, that distinction between servers and host computers is being
blurred more and more each day. The other ingredient to a server is a
very stable operating system. Most network operating systems from
Microsoft, Linux, Unix, and Apple are more stable than a regular client
operating system.

By design a server must be highly available and stable to share the
services that it is running with all of the client computers. Physically
most servers are either towers or rack mounted.

Logically, they look like:

The computer hardware and network operating system are optimized to
provide the maximum amount of resources to the services that the server
happens to be running. The most important part of the server is the
services that it is providing; it’s not the hardware or the operating
system. Furthermore, some servers can run multiple services:



If a very important or resource intensive service, like email, is needed,
the server may be dedicated only to that particular service. Here is an
example of a logical diagram of an email server:



Additionally, servers have a very limited ability to run applications.
Most servers do not have Microsoft Office, games, or other applications
installed because those programs compromise the server’s ability to
provide resources to the other computers in the network. If an
administrator installed a resource intensive videogame on a server, how
responsive to DNS queries do you think the server would be?

Service Planning

As a network planner, the most important concept to focus on is not the
physical servers themselves, but the services that the users require.
Start with the users and what they need to accomplish their mission and
command and control their subordinates. If there is no requirement for
email, then you do not need to plan an email server. Moreover, some
smaller FOBs in Afghanistan may not need services at their locations;
they can pull their services from across the WAN. However, for a large
number of users or users with intensive requirements, services will have
to be planned and installed on-site. For example, for Mojave Viper, your
battalion may require a webpage, email service, and chat. So those would
be the services that you plan to host on your servers.

Furthermore, some basic services, like DNS, are required for other
services to work. For the Mojave Viper exercise, you will need to plan
for DNS to support the email and webpage requirements. If you cannot
access a DNS service across a WAN, you will end up running your own DNS
service for your network. Depending upon the physical capacity of the
server, it may be able to run more than one service. Some powerful
servers can run everything (DNS, email, chat, web) at the same time and
other older servers may only be able to run one service at a time.

Finally, as you begin to look at planning services, ensure that the four
characteristics of a good network – scalability, fault tolerance, quality
of service, and security – are being factored in. A network with one
monstrously powerful server running all of the required services may be
very simple, but it is not very fault tolerant or scalable.

Service Framework

Now, the foremost question in your mind is probably, “How does the Marine
Corps and network planners manage and plan for these services?” The
Marine Corps uses a directory service to manage all of the resources and
services present in the network. All of the services, printers,
computers, users, applications, and everything else in the network
comprise a directory. A directory service is a shared information
structure used to locate, manage, administer, organize, and secure those
objects that comprise a directory.

There are two industry standards that exist to manage directory services.
They are the X.500 Directory Access Protocol and the Lightweight
Directory Access Protocol. Both directory access protocols provide a
set of rules and standards that organize directories and create a
standard interface to allow clients to access the directories. X.500 was
the original standard, based on the OSI model, and very resource
intensive. It ran on mainframes and was too complex to operate using
desktops and over the Internet so the Lightweight Directory Access
Protocol (LDAP) was designed.

LDAP is a much more compact protocol, designed around the TCP/IP model,
that allows for faster searches of the directory service because it
requires much less network overhead. Microsoft’s Active Directory uses
the LDAP protocol as the foundation for its directory services agent.
The Marine Corps uses Microsoft Active Directory as its directory
service agent.

Servers running Microsoft Active Directory Services share the same common
database of all resources and services on the network. Web pages, chat
service, email, DNS, DHCP, and many other services can all be easily
managed within Active Directory. Active Directory is one logical
directory that can exist on as many different physical servers as the
network planner wants. Information entered into one server is quickly
replicated to every other server running Active Directory in your
architecture. This means that if one server crashes, it will only have
a minor effect on your network. Microsoft Active Directory is easily
installed, modified, and configured by administrators and carries built
in security.

Active Directory fits well into the four characteristics of a good
network. It is very fault tolerant. It is one directory that all of the
member servers have access to and share, so problems with one or two
servers will not affect the entire network. It is scalable because
services and servers can easily be added, migrated from one server to
another, or removed within the confines of Active Directory. The search
functions allow any user to search the entire database for users,
printers and other network resources. Active Directory allows
administrators to fine tune quality of service requirements and control
directory replication traffic between Active Directory servers.
Finally, for the user and the administrator, Active Directory provides
a single sign on and administration of global permissions (i.e. security)
across the network.

The server classes during this module will provide you the tools that
you need to properly evaluate and plan for the services that your users
will require. The framework for planning these services is tied to
understanding the capabilities and limitations of Active Directory. At
the end of this series of classes you will be able to properly plan,
install, operate, and maintain data services for your users.



1. Without the aid of reference, define an Object, per the MCTS
Training Kit, Configuring Windows Server 2008 - Active Directory (Exam
70-640), Network Infrastructure (Exam 70-642), and Applications
Infrastructure (Exam 70-643). (0602-PLAN-1105hi)

2. Without the aid of reference, define the Active Directory (AD)
Schema, per the MCTS Training Kit, Configuring Windows Server 2008 -
Active Directory (Exam 70-640), Network Infrastructure (Exam 70-642),
and Applications Infrastructure (Exam 70-643). (0602-PLAN-1105hj)

3. Without the aid of reference, define Security Groups, per the MCTS
Training Kit, Configuring Windows Server 2008 - Active Directory (Exam
70-640), Network Infrastructure (Exam 70-642), and Applications
Infrastructure (Exam 70-643). (0602-PLAN-1105hk)

4. Without the aid of reference, define Organizational Unit (OU), per
the MCTS Training Kit, Configuring Windows Server 2008 - Active
Directory (Exam 70-640), Network Infrastructure (Exam 70-642), and
Applications Infrastructure (Exam 70-643). (0602-PLAN-1105hl)

5. Without the aid of reference, define Domain, per the MCTS Training
Kit, Configuring Windows Server 2008 - Active Directory (Exam 70-640),
Network Infrastructure (Exam 70-642), and Applications Infrastructure
(Exam 70-643). (0602-PLAN-1105hm)

6. Without the aid of reference, define Tree, per the MCTS Training
Kit, Configuring Windows Server 2008 - Active Directory (Exam 70-640),
Network Infrastructure (Exam 70-642), and Applications Infrastructure
(Exam 70-643). (0602-PLAN-1105hn)

7. Without the aid of reference, define Forest, per the MCTS Training
Kit, Configuring Windows Server 2008 - Active Directory (Exam 70-640),
Network Infrastructure (Exam 70-642), and Applications Infrastructure
(Exam 70-643). (0602-PLAN-1105ho)

8. Without the aid of reference, state in writing the purpose of Trust
Relationships, per the MCTS Training Kit, Configuring Windows Server
2008 - Active Directory (Exam 70-640), Network Infrastructure (Exam
70-642), and Applications Infrastructure (Exam 70-643). (0602-PLAN-

The Marine Corps uses a client/server architecture to support its
computer networks. A directory service controls permissions, the other
network services, and access to all of the resources on the network. A
directory service is a shared information structure used to locate,
manage, administer, organize, and secure objects such as computers,
servers, printers, users, groups, devices, telephone numbers, addresses,
and other network devices. You can think of a directory service like a
gigantic phone book that lists everything in the network. It contains
detailed instructions and the ability to fine tune permissions for users
down to the lowest levels of access.

The Marine Corps uses Microsoft’s Active Directory Directory Service as
its directory service of choice. Support for Active Directory is built
in to Microsoft Server Network Operating Systems such as Microsoft
Server 2003 and 2008 R2. Across Microsoft’s family of server operating
systems, the structural fundamentals of Active Directory remain the same.

Microsoft Active Directory

Microsoft’s LDAP based directory service is known as Active Directory. A
single instance of Active Directory is one common database of all
resources on a data network. It contains all of the users, groups,
servers, files, folders, printers, and many other devices on the network.
This directory is distributed across multiple servers and locations. This
makes it easy for a user down at an infantry battalion to access files on
a regimental or MEB share drive. Microsoft Active Directory is based on
the LDAP standard; it is easily modified and configured by administrators
and fairly secure.

Active Directory has its own distinct terminology. We will look at the
components of Active Directory from smallest to largest in order to
build our understanding.

The core components of the logical structure of Active Directory are:

• Objects
• Schema
• Groups (Distribution and Security)
• Organizational Units
• Domains
• Trees
• Forests

All of these different terms in Active Directory can be thought of as
different papers, folders, and drawers in a filing cabinet. You place
items like financial, medical, and business mail into differently labeled
folders and drawers in order to keep your paperwork organized so you can
quickly find what you are looking for when you need it.

Active Directory Terms

Objects: the basic building block of Active Directory. Users, computers,
printers, servers, and other network resources are all objects.
Furthermore, an object in Active Directory is defined by its attributes.
For a user object, attributes could include name, password, phone
number, email address, group membership, building number, work address,
home address. Just like we can use biometrics to categorize a person
by their hair color, eye color, finger prints, or height, Active
Directory uses attributes to define an object. These objects can then
be searched for by attribute.

Here is a screen capture of some of the attributes that are used to
define a user in the NMCI Active Directory Structure.

The network administrators can add, modify, and delete attributes from
objects, depending upon the requirements.

Below is a screen capture of objects in the Communications School Active
Directory Structure.

The collection of objects and their attributes is called the Active
Directory Schema. The Schema is created and maintained by network
administrators, and there is only 1 schema per Active Directory
instance. For example, every user object in the NMCI Active Directory
structure is defined with the same attributes. In another instance of
Active Directory in a deployed environment, all of the printers in Iraq
share the same attribute definitions. However, because the NMCI domain
and the deployed domains are separate instances of Active Directory,
there is no way for a user in Iraq or Afghanistan to see the attributes
of all of the NMCI users or of any other instance of Active Directory.

Security Groups: Security Groups are objects in Active Directory just
like individual users. However, Security Groups are useful because
individual users can be associated with a Security Group and then have
permissions applied to the group vice each and every user. Ultimately,
Security Groups are a quick and efficient way to delegate out permissions
to shared resources for a large collection of users.

For example at communications school, each of the ECC students has been
associated with their Conference Group in Active Directory. Permissions
were then applied to the conference group to allow access to the shared
drive and CG folder.

Here is a screen capture showing the 4 security groups that the ECC
students are placed into. The security groups are shown in red.

The below screen capture shows how the groups were assigned specific
folders with specific permissions. For conference group 1’s shared
folder, these groups were given specific permissions:

An object can be a member of more than 1 security group depending upon
the needs of the user. For example, a network administrator may be part
of a large number of security groups because he or she needs access to
many different systems in order to administer the network. Below is a
data administrator account on the CS domain and the security groups
that are attached to that user account.

As a network planner, you should create security groups to give your
users permissions and access equal to their responsibilities. Most of
your general users should not have permissions to do anything but access
their shared folder structure. For example, most of you are only members
of one security group giving you access to the shared drive and your CG
folder. If you tried to log onto a server in the CS network, you would
not be able to as you do not have the correct permissions because you
are not a member of the right security groups.
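To make the group-based permission model above concrete, here is an added Python illustration; it is not code from the handout and does not reproduce how Windows stores ACLs. Users are members of security groups, a resource grants rights to groups rather than to individuals, and a user's effective rights are the union of what their groups hold. The account, group, share and server names are constructed to mirror the conference-group example, and the `who_can` helper is the check an administrator would run to confirm that only the intended people can log on to a server.

```python
"""Security groups and effective permissions, modelled in plain Python.

Added illustration for the handout's conference-group example; not code
from the handout and not the way Windows stores ACLs.  All account, group
and resource names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurityGroup:
    name: str
    members: set = field(default_factory=set)  # user account names


@dataclass
class Resource:
    name: str
    # Access list: security group name -> rights granted to that group.
    # Rights are granted to groups, never to individual users.
    acl: dict = field(default_factory=dict)


def groups_for(user, groups):
    """Names of the security groups the user is a direct member of."""
    return {g.name for g in groups if user in g.members}


def effective_rights(user, resource, groups):
    """Union of the rights every one of the user's groups holds on the
    resource.  A user whose groups appear nowhere in the ACL gets nothing."""
    rights = set()
    for name in groups_for(user, groups):
        rights |= resource.acl.get(name, set())
    return rights


def who_can(resource, right, groups):
    """Audit helper: every user who ends up holding `right` on the resource,
    whichever group grants it.  Useful for checking that a share or a server
    is reachable only by the people whose duties require it."""
    users = set()
    for g in groups:
        if right in resource.acl.get(g.name, set()):
            users |= g.members
    return sorted(users)


# --- constructed sample directory -------------------------------------
GROUPS = [
    SecurityGroup("CG1 Students", {"student.a", "student.b"}),
    SecurityGroup("CG2 Students", {"student.c"}),
    SecurityGroup("Data Admins", {"admin.x"}),
    SecurityGroup("Server Operators", {"admin.x"}),
]

CG1_FOLDER = Resource(r"\\fileserver\share\CG1",
                      {"CG1 Students": {"read", "write"},
                       "Data Admins": {"read", "write", "full control"}})
CG2_FOLDER = Resource(r"\\fileserver\share\CG2",
                      {"CG2 Students": {"read", "write"},
                       "Data Admins": {"read", "write", "full control"}})
# Logging on to the server itself is a right only Server Operators hold.
SERVER_LOGON = Resource("fileserver interactive logon",
                        {"Server Operators": {"logon"}})


if __name__ == "__main__":
    for user in ("student.a", "student.c", "admin.x"):
        print(user, {r.name: sorted(effective_rights(user, r, GROUPS))
                     for r in (CG1_FOLDER, CG2_FOLDER, SERVER_LOGON)})
    print("can log on to the server:", who_can(SERVER_LOGON, "logon", GROUPS))
```

A student in CG1 Students reads and writes the CG1 folder, gets nothing on the CG2 folder, and cannot log on to the server; the administrator, a member of several groups, holds the union of what each grants. Running `who_can` against the logon right is the review step that catches a group added to an ACL by mistake.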

Organizational Units: Organizational Units (OUs) are containers for
objects. You can think of them like folders for files. OUs are an
administrative boundary as well. For example, the Regiment could delegate
permissions to its subordinate battalions by giving them their own OU.
Inside that OU, the data Marines for the battalion can control everything
that happens.

Here is an example OU structure for an infantry battalion.

Inside of 3/5’s top level OU, the data Marines can add as many different
OUs as they want to more easily organize the users, computers, printers
and other objects along with the distribution and security groups. While
your Marines may not have permissions to modify some of the other
logical structures in Active Directory, they should always be able to
fully control their OU and what happens inside of it. There are many
different ways to organize objects using OUs. You can organize objects
by type, by location, by staff function, by rank, or just about anything.
When you or your Marines are developing your OU structure, make sure
that it makes sense and that you can easily find and add objects. Having
too few OUs can lead to confusion, and if you are using too many OUs, you
can “lose objects” and forget into what container you put them (this can
lead to security and permissions issues).

The best way of using OUs is to start with grouping your objects by
function or location and then break the sub-OU structure down from there
as you see fit. In the example diagram above, 3/5 was given its own OU
by the RCT. Inside that OU, sub-OUs were created for each company and
staff section, and inside each of those, objects were sorted into users,
computers, and printers. So if you were looking to modify a computer in
India Company, you would open 3/5's OU, then India Co, then Computers,
and all of the computers in the company would be listed there without
having to sort through a list of all of the 200 computers in the
Inside Active Directory, the OU structure looks like this screen
capture from the CS network:

In this screen capture, the OUs are shown on the left and the objects in
the OU are shown on the panel on the right. You can see that you as
students are members of the ECC Students OU, which falls under the BIG
(Basic Instructor Group) OU. The computers in the classroom fall under
the OU of BIG Student Machines. OUs are an excellent way of organizing
and categorizing objects within Active Directory and are the area where
you will have the most impact as a data planner in networks where you
don’t directly administer the servers.
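The attribute-defined objects described under Objects and the nested OU structure described here can be shown together with a small added Python example (not code from the handout and not a Microsoft API). It parses LDAP distinguished names, recovers each object's container path, performs a subtree search such as 3/5 > India Co > Computers, searches by attribute, and counts objects per container. The domain cs.usmc.mil is the one named in the handout; the OU, computer, user and printer names in ENTRIES are constructed.

```python
"""Parse LDAP distinguished names and walk the resulting OU structure.

Added illustration for the handout's Objects and OU discussion; not code
from the handout and not a Microsoft API.  The domain cs.usmc.mil is the
one named in the handout; every object and OU name in ENTRIES is
constructed.
"""
import re


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, leftmost RDN first.

    Commas inside a value are escaped as '\\,' in LDAP, so the split only
    happens on commas that are not preceded by a backslash."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.replace("\\,", ",")))
    return pairs


def container_path(dn):
    """OU names from the top of the domain down to the object's container,
    e.g. ['3/5', 'India Co', 'Computers'].  DC and CN components are
    dropped because they are the domain and the object itself."""
    return [value for attr, value in reversed(split_dn(dn)) if attr == "OU"]


def objects_under(entries, ou_path, object_class=None):
    """Subtree search: DNs of objects whose container lies at or below
    ou_path, optionally restricted to one objectClass value."""
    hits = []
    for entry in entries:
        path = container_path(entry["dn"])
        if path[: len(ou_path)] != list(ou_path):
            continue
        if object_class and entry["attrs"].get("objectClass") != object_class:
            continue
        hits.append(entry["dn"])
    return hits


def search_by_attribute(entries, attr, value):
    """The handout's point that objects are found by attribute: DNs of every
    entry whose attribute equals value (case-insensitive)."""
    return [e["dn"] for e in entries
            if str(e["attrs"].get(attr, "")).lower() == value.lower()]


def ou_inventory(entries):
    """Count objects per container path; a quick way to spot the 'lost
    objects' the handout warns about (a container holding one stray item)."""
    counts = {}
    for entry in entries:
        key = " > ".join(container_path(entry["dn"]))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample entries in the cs.usmc.mil domain.
ENTRIES = [
    {"dn": "CN=IND-WS-01,OU=Computers,OU=India Co,OU=3/5,DC=cs,DC=usmc,DC=mil",
     "attrs": {"objectClass": "computer", "operatingSystem": "Windows 7"}},
    {"dn": "CN=IND-WS-02,OU=Computers,OU=India Co,OU=3/5,DC=cs,DC=usmc,DC=mil",
     "attrs": {"objectClass": "computer", "operatingSystem": "Windows 7"}},
    {"dn": "CN=KLO-WS-01,OU=Computers,OU=Kilo Co,OU=3/5,DC=cs,DC=usmc,DC=mil",
     "attrs": {"objectClass": "computer", "operatingSystem": "Windows XP"}},
    {"dn": "CN=Sgt Example,OU=Users,OU=India Co,OU=3/5,DC=cs,DC=usmc,DC=mil",
     "attrs": {"objectClass": "user", "telephoneNumber": "555-0100"}},
    # A printer whose name contains a comma, escaped LDAP-style.
    {"dn": "CN=LaserJet\\, Bldg 12,OU=Printers,OU=S-1,OU=3/5,DC=cs,DC=usmc,DC=mil",
     "attrs": {"objectClass": "printer", "location": "S-1 shop"}},
]


if __name__ == "__main__":
    print(objects_under(ENTRIES, ["3/5", "India Co", "Computers"]))
    print(search_by_attribute(ENTRIES, "operatingSystem", "windows xp"))
    print(ou_inventory(ENTRIES))
```

Opening 3/5 > India Co > Computers returns only the two India Company workstations, exactly the navigation the handout describes, and an attribute search for `operatingSystem` finds the one remaining Windows XP machine anywhere in the battalion OU. The escaped comma in the printer name is the parsing detail that trips up naive `split(",")` code.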

Domains: The cornerstone element of Active Directory is called a domain;
it is the grouping of all objects that share common resources, services,
and administration. All of the computers, users, groups, and OUs within
a domain share a common security database and permissions hierarchy. As
a domain administrator, you have some higher level permissions and
access to change most of the logical structure inside Active Directory.
As such, domain level permissions should be tightly controlled.

Sometimes for exercises, you will stand up and run your own domains.
Many battalions run their own NIPR and SIPR domains during Mojave Viper.
In a more complex environment, the MEF, Division, or RCT may run the
domain and have the infantry battalions use Organizational Units in their

Below is a screenshot from Comm School. The domain for comm school is
cs.usmc.mil. All of the OUs, groups, and objects that we have already
covered are members of a domain.

Domain administrators have ultimate control over all of the objects
inside the domain. They can delegate permissions to OUs out to other
Marines for management, but they always have the ability to add, modify,
and delete the objects and OU structure within the domain.

Domain Trees: Multiple domains arranged into a hierarchical structure are
called a tree. The first domain created is known as the root domain. Any
subsequent domains created from the first domain are known as child
domains.

An example of this relationship is shown in the diagram below.

[Diagram: domain tree showing cs.usmc.mil and mnf-wiraq.usmc.mil]


Each domain, whether parent or child, has a separate security boundary
but shares the same object classes and schema because they share the
same instance of Active Directory. In the above diagram, printers in the
aa.mnf-wiraq.usmc.mil domain share the same attributes as printers in
the 13meu.usmc.mil domain.

All domains in the tree share the same domain namespace as well. In the
above diagram, the root domain is .usmc.mil. All of the child domains
expand on this namespace by adding their domain name in front of their
parent's. The mnf-wiraq domain has the namespace mnf-wiraq.usmc.mil. Its
child follows the same rule – aa.mnf-wiraq.usmc.mil. The DNS namespace is
contiguous across all of the child domains because DNS queries follow
the same path as the domain structure does. DNS queries are forwarded
from the child domains up to the root domain and then to the appropriate
domain.

In the diagram below, the aa.mnf-wiraq domain is looking for a computer
in the cs.usmc.mil domain.

To review, domain trees start with the root as the first domain
established. All other domains from the root are child domains. All
parent and child domains share the same DNS namespace and Active
Directory Schema.

Most of the services for a data network are established and controlled
at the domain level. DNS, web pages, chat, and file shares are configured
within Active Directory and managed at the domain level. Email is another
service that is managed at the domain level. Permissions and access to
these services and resources are assigned to security groups. If you are
running your own domain, you and your Marines will have ultimate control
over all services. For a domain managed by the RCT or higher, you will
have to request services and ensure that your users have the appropriate
access to carry out their tasks and fulfill their requirements. You
will have the same access to the services, just less control over how
they are established and maintained.

Forest: The largest category of organizing objects and domains is called
an Active Directory Forest. Every instance of Active Directory is known
as a forest. There can be multiple domains and domain trees in a forest.
Every domain in the forest shares the same schema and object definitions.
The first domain established is called the forest root domain. Additional
domains can then be constructed as child domains or as separate trees in
the forest.

Below are two examples of Active Directory Forests:

This first diagram should look familiar; it is just like the parent/child
domain tree diagram pictured earlier in the handout. In this example of
a forest, the child domains are all part of the same domain tree as
the forest root. As such, they not only share the same schema but also
the same DNS namespace.

This second diagram shows a completely different type of forest:

In this diagram, all four domains in the forest are separate trees. All
four domains share the same schema, but they do not share the same DNS
namespace. Each of the domains here is the parent of a separate tree;
each can have a unique name and does not take the DNS namespace of the
forest root. The only thing the domains have in common in this structure
is the shared schema.

Enterprise-wide services are coordinated and run at the forest level.
While each domain in the forest manages its own DNS namespace, planners
at the forest level have to ensure that DNS transfers and zones are
transparent throughout the forest. If DNS is configured incorrectly
between two domains, there will be problems with many of the other
services that exist on the data network.

As such, forest-level planners have ultimate oversight over all the
services that exist inside the Active Directory infrastructure. They
ensure that web pages and other shared resources are available for access
to the appropriate users in all the domains and look to prevent service
conflicts between domains. Managing a complex Active Directory Forest
is much more complicated than administering a domain or even a simple

We have now covered all of the different components of the logical
structure of Active Directory. To put it in perspective, a user object
is a member of a group, located in an Organizational Unit that is part
of a domain that is part of an Active Directory forest.

This logical structure of Active Directory gives network administrators
and planners the ability to organize, scale, and control all of the
different components of a network, including servers, computers, users,
printers, and services.


We have learned that domains are the basic security boundary in Active
Directory. There are very few forest-level enterprise permissions that
extend beyond the domain. This poses problems for the data planner
because he or she has to figure out how the users in the domain can
access resources outside of the domain. For example, air mission planners
at Camp Leatherneck, using computers on a Marine Corps domain, need to
access aviation planning rules and documents on an Air Force SharePoint
web server in Bagram in a separate instance of Active Directory.
Planners can solve these cross-domain and cross-forest access problems
by understanding how trusts work inside Active Directory.

A trust is defined as a link in Active Directory between two domains
and/or forests that allows users to access resources and services in
another domain. Trusts can be bi-directional, meaning that users in both
domains have access to resources in each other's domain, or one-way,
where users in one domain have access to the resources in the other
domain but the reverse is not true: users in the second domain have no
ability to access resources in the first domain.

There are six different types of trust relationships in Active Directory:

• Parent / child
• Tree / root
• External Trusts
• Shortcut Trusts
• Realm Trusts
• Forest Trusts

Parent / Child

Parent / Child trusts exist between parent and child domains in the same
domain tree. These two-way transitive trusts allow security principals
to be authenticated in any domain in the forest. These trusts are created
by default and cannot be removed.

Tree / Root

Tree / Root trusts exist between all domain trees in the forest. These
two-way transitive trusts allow security principals to be authenticated
to any domain in the forest. These trusts are created automatically and
cannot be removed.

External Trusts

An external trust is created when data planners want to allow users from
different domains, but NOT in the same forest, to share resources. This
trust can be one-way or two-way depending upon security considerations.
In the Marine Corps, external trusts are used to link together Windows
New Technology (NT) domains with Windows Active Directory domains. Bottom
line, there are still a few NT domains around the Marine Corps, but
your likelihood of encountering one is relatively small.

Shortcut Trust

A shortcut trust is a bi-directional trust created between two domains in
the same forest. The diagram below shows a shortcut trust.

In this diagram, we see that a shortcut trust was created between the
aa domain and the 13meu domain. Since parent/child trusts and tree/root
trusts exist inside the forest, we know that each domain already
trusts every other domain. So, why is a shortcut trust necessary? It is
necessary because trusts work just like DNS. A user in the aa domain
has to query his parent domain of mnf-wiraq, which has to query its
parent usmc.mil, which then has to query 13meu to get access to the
resources. This process can use up a lot of bandwidth and cause
noticeable delay for the users, so shortcut trusts bypass this hierarchy
and allow users from aa and 13meu to directly query resources and
services from each other without wasting bandwidth and the users' time.
These trusts form logical shortcuts between domains.
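To make the referral path concrete, here is an added example (not from the handout) that derives the automatic parent/child and tree/root trusts of a constructed forest from its domain names, then walks the trust path from aa.mnf-wiraq.usmc.mil to 13meu.usmc.mil with and without a shortcut trust. The forest list, the trust model and the function names are this example's assumptions.

```python
from collections import deque

# Constructed forest for this example: the forest root plus the child
# domains used in the handout's diagrams (a real forest is read from AD).
FOREST = [
    "usmc.mil",
    "cs.usmc.mil",
    "13meu.usmc.mil",
    "mnf-wiraq.usmc.mil",
    "aa.mnf-wiraq.usmc.mil",
]


def parent_domain(domain, forest):
    """Parent of a domain in its tree, or None for a tree root.

    The parent is the longest DNS suffix of the name that is itself a
    domain in the forest, mirroring the contiguous namespace rule.
    """
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in forest:
            return candidate
    return None


def automatic_trusts(forest):
    """Two-way transitive trusts AD creates on its own: parent/child
    trusts inside each tree and tree/root trusts between every other
    tree root and the forest root (first entry in the list)."""
    forest_root = forest[0]
    trusts = set()
    for domain in forest:
        parent = parent_domain(domain, forest)
        if parent is not None:
            trusts.add(frozenset((domain, parent)))
        elif domain != forest_root:
            trusts.add(frozenset((domain, forest_root)))
    return trusts


def with_shortcut(trusts, domain_a, domain_b):
    """Copy of the trust set with a shortcut trust added between two domains."""
    return trusts | {frozenset((domain_a, domain_b))}


def trust_path(source, target, trusts):
    """Breadth-first search over the trust graph: the chain of domains a
    referral crosses from source to target (fewest hops), or None when no
    chain of trusts connects them."""
    neighbours = {}
    for pair in trusts:
        a, b = tuple(pair)
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)  # every trust here is two-way
    queue = deque([[source]])
    seen = {source}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in neighbours.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    base = automatic_trusts(FOREST)
    src, dst = "aa.mnf-wiraq.usmc.mil", "13meu.usmc.mil"
    print("without shortcut:", " -> ".join(trust_path(src, dst, base)))
    print("with shortcut:   ",
          " -> ".join(trust_path(src, dst, with_shortcut(base, src, dst))))
```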

Realm Trusts

Realm trusts are created between a non-Windows directory service and an
Active Directory forest. These trusts can be either one-way or two-way,
transitive or non-transitive; however, in the Marine Corps, they are not
encountered often. In the civilian world a trust like this could be
created after one company buys out another company and wants to transfer
the users and network resources from some other service into Active
Directory.

Forest Trusts

Forest trusts are trusts between two separate Active Directory Forests;
however, this will only work for forests that operate at the Windows
Server 2003 functional level or higher. Forest trusts can be one-way or
two-way depending upon network security considerations. In the example
at the beginning of the trust section, if the Marine Corps forest
trusted the Air Force forest, the aviation planners could easily access
documents and resources on the Bagram web server. Forest trusts are
also used in the civilian world during corporate mergers.

Inside a Marine Corps forest, trusts are a natural way of doing business.
Only rarely do network planners in the Marine Corps establish trusts
outside of the Forest and usually those trusts are to other Marine Corps
or Navy domains. For example, for a MEU embarked on naval shipping,
trusts could be established between the Marine Corps and Navy domain to
allow everyone to have access to the shipboard file storage and
printers. The network planner has to balance the gains from the trust
against the vulnerabilities that introducing another organization would

The diagram below provides a visual depiction of each type of trust:

22 OCT 2013


1. Without the aid of reference, define Domain Controller (DC), per the MCTS
Training Kit, Configuring Windows Server 2008 - Active Directory (Exam 70-
640), Network Infrastructure (Exam 70-642), and Applications Infrastructure
(Exam 70-643). (0602-PLAN-1105hq)

2. Without the aid of reference, create a name for a Microsoft Domain
Controller, in accordance with MCWP 3-40.3, MAGTF Communication Systems.

3. Without the aid of reference, describe the relationship between Domain
Controllers and Flexible Single Master Operations (FSMO) Roles, per the MCTS
Training Kit, Configuring Windows Server 2008 - Active Directory (Exam 70-
640), Network Infrastructure (Exam 70-642), and Applications Infrastructure
(Exam 70-643). (0602-PLAN-1105ht)

4. Without the aid of reference, state the purpose of the Active Directory
Schema Master, per the MCTS Training Kit, Configuring Windows Server 2008 -
Active Directory (Exam 70-640), Network Infrastructure (Exam 70-642), and
Applications Infrastructure (Exam 70-643). (0602-PLAN-1105hu)

5. Without the aid of reference, state the purpose of the Active Directory
Domain Naming Master, per the MCTS Training Kit, Configuring Windows Server
2008 - Active Directory (Exam 70-640), Network Infrastructure (Exam 70-642),
and Applications Infrastructure (Exam 70-643). (0602-PLAN-1105hv)

6. Without the aid of reference, state the purpose of the Active Directory
Relative Identifier (RID) Master, per the MCTS Training Kit, Configuring
Windows Server 2008 - Active Directory (Exam 70-640), Network Infrastructure
(Exam 70-642), and Applications Infrastructure (Exam 70-643). (0602-PLAN-

7. Without the aid of reference, state the purpose of the Active Directory
Primary Domain Controller (PDC) Emulator, per the MCTS Training Kit,
Configuring Windows Server 2008 - Active Directory (Exam 70-640), Network
Infrastructure (Exam 70-642), and Applications Infrastructure (Exam 70-643).

8. Without the aid of reference, state the purpose of the Active Directory
Infrastructure Master, per the MCTS Training Kit, Configuring Windows Server
2008 - Active Directory (Exam 70-640), Network Infrastructure (Exam 70-642),
and Applications Infrastructure (Exam 70-643). (0602-PLAN-1105hy)

9. Without the aid of reference, state the purpose of the Active Directory
Global Catalog Server, per the MCTS Training Kit, Configuring Windows Server
2008 - Active Directory (Exam 70-640), Network Infrastructure (Exam 70-642),
and Applications Infrastructure (Exam 70-643). (0602-PLAN-1105hz)

10. Without the aid of reference, define a Site, per the MCTS Training Kit,
Configuring Windows Server 2008 - Active Directory (Exam 70-640), Network
Infrastructure (Exam 70-642), and Applications Infrastructure (Exam 70-643).

11. Without the aid of reference, define a Site Link, per the MCTS Training
Kit, Configuring Windows Server 2008 - Active Directory (Exam 70-640),
Network Infrastructure (Exam 70-642), and Applications Infrastructure (Exam
70-643). (0602-PLAN-1105ib)

12. Without the aid of reference, describe the Replication Process, per the
MCTS Training Kit, Configuring Windows Server 2008 - Active Directory (Exam
70-640), Network Infrastructure (Exam 70-642), and Applications
Infrastructure (Exam 70-643). (0602-PLAN-1105ic)

13. Without the aid of reference, state the purpose of a Bridgehead Server,
per the MCTS Training Kit, Configuring Windows Server 2008 - Active Directory
(Exam 70-640), Network Infrastructure (Exam 70-642), and Applications
Infrastructure (Exam 70-643). (0602-PLAN-1105id)

14. Without the aid of reference, state the purpose of the Knowledge
Consistency Checker (KCC), per the MCTS Training Kit, Configuring Windows
Server 2008 - Active Directory (Exam 70-640), Network Infrastructure (Exam
70-642), and Applications Infrastructure (Exam 70-643). (0602-PLAN-1105ie)

15. Without the aid of reference, state the purpose for Directory Service
Remote Procedure Call (DS-RPC), per the MCTS Training Kit, Configuring
Windows Server 2008 - Active Directory (Exam 70-640), Network Infrastructure
(Exam 70-642), and Applications Infrastructure (Exam 70-643). (0602-PLAN-

16. Without the aid of reference, state the purpose for Inter-Site Messaging
- Simple Mail Transfer Protocol (ISM-SMTP), per the MCTS Training Kit,
Configuring Windows Server 2008 - Active Directory (Exam 70-640), Network
Infrastructure (Exam 70-642), and Applications Infrastructure (Exam 70-643).

17. Given a scenario, command's mission, approved course of action, task
organization, table of equipment, higher headquarters Annex K and
communication concept of support, create a Microsoft Active Directory
Infrastructure Diagram, within a timeline provided by the commander which
satisfies the commander's communications system requirements for command and
control, per MCWP 3-40.3C.

18. Given a scenario, command's mission, approved course of action, task
organization, table of equipment, higher headquarters Annex K and
communication concept of support, develop coordinating instructions for the
installation of network services, within a timeline provided by the commander
which satisfies the commander's communications system requirements for
command and control, per MCWP 3-40.3C.

19. Given a scenario, command's mission, approved course of action, task
organization, table of equipment, higher headquarters Annex K and
communication concept of support, develop tasks for the installation of
network services by subordinate communication agencies, within a timeline
provided by the commander which satisfies the commander's communications
system requirements for command and control, per MCWP 3-40.3C.


The advantage of employing Microsoft Active Directory as the directory
service of choice for the Marine Corps is that there is one logical
directory that contains every user, mailbox, computer, server, and
printer in the network and it is relatively simple to configure. This
directory structure is the same across every server that is running
directory services in the same Active Directory Forest.

However, every server in an Active Directory Forest does not
necessarily run the same set of roles and services. There are several
specific roles inside Active Directory that can only be handled by one
server in the forest or domain and others that can be handled by
multiple servers simultaneously.

This lesson will focus on the key physical roles and basic planning
considerations for designing an Active Directory Forest and Domain.
It will examine key roles and services that are needed to maintain the
one logical Active Directory Database and ensure that it is fault
tolerant, scalable, supports quality of service and is secure.

The Domain Controller

A server in an Active Directory Forest that is running a Windows
Server 2003 or better (2008R2, Server 2012) network operating system
and is actively providing directory services is known as a domain
controller. A domain controller can be a member of only one domain.
Furthermore, a domain controller has a complete copy of every object
in the domain. Domain controllers resolve local queries for objects
in the database and forward queries for objects in other domains to
the appropriate domain controller in the remote domain. Changes to
objects in the domain can be made on any domain controller; that
server will then be responsible for replicating the changes to the
rest of the domain. Marine Corps naming standards for domain
controllers are:

– NIPR Designator – NameN01C

– SIPR Designator – NameS01C

For example, for a MEB domain, the first three domain controllers in
the MEB domain may be 1MEBN01C, 1MEBN02C, and 1MEBN03C. The C at the
end of the name designates the server as a domain controller. The
format reads, from left to right, “Domain Name (1MEB)” – “NIPR or SIPR
designation (N/S)” – “Sequential Numerical Identifier (01)” – “Domain
Controller, Exchange Server, or Member Server Designator (C/E/R)”.

Every domain controller has at least 3 partitions to its Active
Directory structure. However, do not think of these as the same as
hard drive partitions; they are simply logical sections of the Active
Directory database.

• The schema partition has a copy of the schema of the forest.
• The configuration partition defines the physical structure of
Active Directory – the servers and the roles that they play.
• Finally, all domain controllers have a domain partition where
they keep a copy of all of the objects in the domain.

There may be other servers running Windows Server 2008R2 or another
operating system that are not running Active Directory; they are known
as member servers. These servers could be admin servers, file
servers, print servers, and run other resources for the network.
Member servers are named almost the same as the domain controllers but
with an ‘R’ in place of the ‘C’:

– NIPR Designator – NameN01R

– SIPR Designator – NameS01R

For example, a print and fileshare server might be named 1MEBN01R. It
is important to keep server names standardized and controlled to
assist in troubleshooting problems across the domain and forest, and
to allow easy identification when looking in DNS.
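As an added example (not from the handout or MCWP 3-40.3), here is a small parser and checker for the naming standard above: it splits a name into domain, enclave, sequence and role, flags hostnames that do not conform, and produces the next free sequential name. The field names, helper names and validation rules are this example's own.

```python
import re
from typing import NamedTuple, Optional

# Naming standard from the handout: <Domain Name><N|S><two-digit seq><C|E|R>
ENCLAVES = {"N": "NIPR", "S": "SIPR"}
ROLES = {"C": "domain controller", "E": "Exchange server", "R": "member server"}
NAME_RE = re.compile(
    r"^(?P<domain>[A-Z0-9]+?)(?P<enclave>[NS])(?P<seq>\d{2})(?P<role>[CER])$"
)


class ServerName(NamedTuple):
    domain: str   # e.g. 1MEB
    enclave: str  # N or S
    seq: int      # 1, 2, 3 ...
    role: str     # C, E or R

    @property
    def role_description(self) -> str:
        return ROLES[self.role]

    @property
    def enclave_description(self) -> str:
        return ENCLAVES[self.enclave]


def parse_server_name(name: str) -> Optional[ServerName]:
    """Parse a hostname against the standard; None if it does not conform."""
    match = NAME_RE.match(name.strip().upper())
    if match is None:
        return None
    return ServerName(match["domain"], match["enclave"],
                      int(match["seq"]), match["role"])


def nonconforming(hostnames):
    """Hostnames (for example, pulled from DNS) that do not follow the
    standard; when troubleshooting, an unexpected name deserves a look."""
    return [h for h in hostnames if parse_server_name(h) is None]


def next_server_name(existing, domain: str, enclave: str, role: str) -> str:
    """Next free sequential name for a domain/enclave/role, counting past
    the highest number in use so a retired number is not silently reused."""
    domain, enclave, role = domain.upper(), enclave.upper(), role.upper()
    if enclave not in ENCLAVES or role not in ROLES:
        raise ValueError("enclave must be N/S and role must be C/E/R")
    used = [p.seq for p in map(parse_server_name, existing)
            if p is not None
            and (p.domain, p.enclave, p.role) == (domain, enclave, role)]
    seq = max(used, default=0) + 1
    if seq > 99:
        raise ValueError("two-digit sequence exhausted for %s%s" % (domain, enclave))
    return "%s%s%02d%s" % (domain, enclave, seq, role)


if __name__ == "__main__":
    # Constructed inventory: two DCs, a member server and one stray name.
    inventory = ["1MEBN01C", "1MEBN02C", "1MEBN01R", "RCT1-DC01"]
    for host in inventory:
        print(host, "->", parse_server_name(host))
    print("nonconforming:", nonconforming(inventory))
    print("next DC:", next_server_name(inventory, "1MEB", "N", "C"))
```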

Once a domain controller has been created in Active Directory, the
network administrator has to choose the roles that the server will
play in Active Directory. Each domain controller can have multiple
roles. However, within Active Directory there are 5 Flexible Single
Master Operations (FSMO) Roles that a server could have in addition to
multiple Global Catalogs and a range of services for the user such as
DNS, DHCP, Web, File Sharing, and print services.

Flexible Single Master Operations Roles

There are 5 FSMO roles. Two of these roles are unique within the
forest, and three are unique in each domain. These unique roles mean
that only one server holds each role; there are no backups. The two
unique forest-level roles are the Schema Master (SM) and the Domain
Naming Master (DM). The three unique domain-level roles are the
Relative Identifier Master (RID master), Primary Domain Controller
Emulator (PDC emulator), and the Infrastructure Master (IM). There
may be multiple servers in the domain – but 2 of the 5 roles are unique
instances per forest and the other 3 are unique instances per domain.

Another way of looking at these roles is to think of the Active
Directory forest like a Marine Corps battalion. In every battalion,
there is only 1 Commanding Officer and Sgt Major. This is the same as
the Schema Master and the Domain Naming Master. Now in a battalion,
there may be 4 or 5 companies, and this is similar to the domains in
Active Directory. Each company has its Company Commander, XO, and
1stSgt. In Active Directory this would be similar to the roles of the
RID Master, PDC Emulator, and Infrastructure Master. That Marine
Corps company may have 5 or 6 officers, but none of them will
duplicate the role of the Company Commander, XO, or 1stSgt.

The reason ‘flexible’ is used as part of the title of the role comes
from the fact that an experienced administrator can transfer these
roles between servers; however, this is not encouraged. Move the FSMO
roles only as a last resort. Now that the 5 Flexible Single Master
Operations Roles have been introduced, they will be examined in detail.

Forest Level FSMO Roles

Schema Master

The Schema Master role is usually found upon the first domain
controller in the forest. It controls the master list of objects and
attributes in the Active Directory structure. The schema is how you
describe objects. For example, to describe users, we include their
first name, last name, middle initial, rank, phone number, etc. We
would not want to describe users by their height, weight, and eye
color; they would be difficult to find (imagine searching for Lt Ochoa
in the GAL: brown hair, 190 lbs…; it would not be easy).

The Active Directory Schema cannot be modified unless the schema
master is available. Every domain controller has a copy of the
schema, but that copy is read only. Now, if an administrator changes
the schema, those changes are immediately replicated to the schema
master role where the change is made permanently and then replicated
to the rest of the domain controllers in the forest.

Domain Naming Master

The Domain Naming Master records the additions and deletions of
domains in the forest. New domains cannot be added or removed if the
domain naming master is unavailable.

Below is a diagram of an Active Directory Forest server architecture.
Use it to locate the Domain Naming Master and the Schema Master roles.

In this diagram, the Schema Master and Domain Naming Master are
located on 2MEBN01C. The forest root domain is 2MEB.USMC.MIL. When
GCEFWD.2MEB.USMC.MIL was created, the domain naming master had to be
available to record the addition of the domain and add it to the
forest. Now that we have looked at the forest level FSMO roles, the
domain level FSMO roles will be examined.

Domain Level FSMO Roles

Relative Identifier Master (RID Master)

Every object in the domain has a unique Security Identifier (SID) that
identifies the object and the permissions it has. It is composed of 2
numerical parts. The first part of the SID is domain specific – every
object in the domain has an identical first half of the SID. The
second half of the SID is unique and assigned by the RID Master. The
RID master functions by creating unique new blocks of RIDs and then
assigning them to each domain controller in the domain. When a user
account, or any other object, is created on that domain controller, it
will use up one of the RIDs that it was given to form the complete
SID. Once the server uses up its block of assigned RIDs it requests a
new block from the RID master. If the RID master is unavailable or
down, then new objects cannot be added to the domain once the domain
controllers use all of their previously assigned RIDs.
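The block-allocation behaviour described above, as an added example that is not from the handout: a RID master hands out non-overlapping blocks, each domain controller spends one RID per object to form a SID, and object creation fails only once a DC has emptied its block while the RID master is unreachable. The class names, the domain SID and the starting RID are constructed; the 500-RID default block size is Windows' default pool size.

```python
# Constructed values for the example (a real domain SID comes from AD).
DOMAIN_SID = "S-1-5-21-1000000001-2000000002-3000000003"
FIRST_RID = 1000  # RIDs below 1000 are reserved for well-known accounts


class RidMasterUnavailable(RuntimeError):
    """Raised when a DC needs a new RID block but the RID master is down."""


class RidMaster:
    """The single DC per domain that allocates non-overlapping RID blocks."""

    def __init__(self, block_size=500):
        self.block_size = block_size
        self.next_rid = FIRST_RID
        self.online = True

    def allocate_block(self):
        if not self.online:
            raise RidMasterUnavailable("RID master is unavailable")
        start = self.next_rid
        self.next_rid += self.block_size
        return (start, self.next_rid - 1)  # inclusive range


class DomainController:
    """Any DC in the domain: creates objects, consuming one RID each."""

    def __init__(self, name, rid_master):
        self.name = name
        self.rid_master = rid_master
        self.pool = None  # (next_free_rid, last_rid) or None when empty
        self.objects = {}

    def rids_left(self):
        return 0 if self.pool is None else self.pool[1] - self.pool[0] + 1

    def create_object(self, sam_account_name):
        # Real DCs ask for a new block when the pool runs low rather than
        # when it is empty; this simulation waits until empty so the
        # failure mode described above is easy to see.
        if self.rids_left() == 0:
            self.pool = self.rid_master.allocate_block()
        rid, last = self.pool
        self.pool = (rid + 1, last) if rid < last else None
        sid = "%s-%d" % (DOMAIN_SID, rid)  # domain part + unique RID
        self.objects[sam_account_name] = sid
        return sid


if __name__ == "__main__":
    master = RidMaster(block_size=2)
    dc = DomainController("1MEBN02C", master)
    print(dc.create_object("ochoa"))
    print(dc.create_object("smith"))
    master.online = False           # RID master goes down
    try:
        dc.create_object("jones")   # block spent, no new block available
    except RidMasterUnavailable as exc:
        print("object creation failed:", exc)
```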

Primary Domain Controller (PDC) Emulator

The PDC Emulator role performs multiple, crucial functions for a
domain. One of its functions in Active Directory is to process
password changes in order to ensure that every domain controller knows
immediately when an object's password changes. All password changes get
recorded to the PDC Emulator first and foremost. This ensures that a
user can authenticate (log on) to the domain if he recently had his
password changed, but replication has not occurred between domain
controllers yet. If different domain controllers do not have the same
password for the object recorded, the PDC Emulator resolves the issue
since it immediately recorded the password change.

Its second function is to manage group policy updates within a domain.
All group policies that an administrator might want to implement in a
domain are created on, managed by, and replicated by the PDC Emulator.
This is in order to ensure that if administrators in two different
locations, or sites, make policy changes, they do not overlap and

Third, and probably most importantly, the PDC Emulator provides a
master time source for the domain. The PDC in the forest root domain
is the time master for the entire forest, by default. The PDC in
every other domain in the forest synchronizes its time with the forest
root PDC emulator. This synchronization is important because many
Windows components, and namely Active Directory, rely on time stamps
when creating and managing objects.

Finally, the PDC emulator acts as the domain master browser. When you
open a network in Windows, you see a list of workgroups and domains,
and when you open one of the workgroups or domains, you see a list of
computers. These lists are called ‘browse lists.’ The PDC Emulator
combines all the browse lists from each network segment to form a
master browse list that an administrator can navigate in order to
centrally manage his domain.

Infrastructure Master (IM)

The Infrastructure Master is the master catalog of all objects in the
domain. Any domain controller can create and modify objects in the
domain using Active Directory but after the change is made, the first
domain controller that gets the traffic is the Infrastructure Master.
All changes and additions are reported to the Infrastructure Master
first and then replicated out to the other domain controllers in the
domain. The infrastructure master is arguably the most critical out
of all of the domain level FSMO roles. Without the infrastructure
master available, new objects cannot be added to the domain.

Below is the same Active Directory Diagram that we looked at before.
See if you can locate the domain level FSMO roles. You should find 2
of each of them, 1 for each of the domains present.

For both the MEB and the RCT, the 02C domain controller is running the
3 domain level FSMO roles. Several Microsoft best practices for
establishing your forest and domain structure follow:

• Place the domain-level roles on a high-performance domain
controller.
• DO NOT place the Infrastructure Master (IM) domain-level role on
a domain controller that is also functioning as a Global Catalog
(GC) server.
• Leave the two forest-level roles on a domain controller in the
forest root domain.
• In the forest root domain, transfer the three domain-level roles
from the first domain controller that you installed in the forest
root domain to an additional domain controller that has a
high-performance level.
• Adjust the workload of the PDC emulator, if necessary, by
offloading non-AD directory service roles to other servers.

Global Catalog

Earlier in the handout, the 3 partitions present on every domain
controller were discussed. The three partitions were the schema
partition, the configuration partition, and the domain partition. The
domain partition, because it contains a copy of all of the objects in
the domain, minimizes traffic between servers because a user looking
for a printer only has to go to his local domain controller to find
the record, and not travel across a WAN link to find the information.

However, having just the domain partition means that if a user is
looking for an object in the forest, not just the domain, the user’s
local domain controller will be querying other servers across WAN
links, increasing the overhead on the network. This could happen at a
FOB in Afghanistan where there are users from the ACE or LCE trying to
log onto a computer on the GCE domain.

Active Directory’s solution for this is known as the Global Catalog
Server role. A Global Catalog server maintains a subset of the most
commonly used objects and their attributes for the whole forest. So a
global catalog server has a complete replica of its own domain
partition and partial copies of the domain partitions of the other
domains in the forest. It is used for 2 primary functions –
authentication for all users in the forest, and to allow users to
locate objects within Active Directory without adding overhead to the
network. Because of the much larger domain partition, the role of the
global catalog is much more resource intensive. Not only does the
server need more hard drive space, but it also needs to be able to
handle more replication traffic because a global catalog server gets
updates as objects in the forest are changed, not just the domain.
Also, each Global Catalog is unique per instance in order to minimize
duplication of unneeded, unpopular objects at a specific remote

Locate the global catalog servers on the Active Directory Diagram.

Sites in Active Directory

Every domain controller in the domain has a copy of the Domain’s
Active Directory database so that as changes are made, these changes
are replicated to every other domain controller in the domain. To
control this replication traffic, domain controllers are grouped into
separate sites. Sites are the interface between the logical and
physical structure of Active Directory. A site in Active Directory is
defined as a group of servers connected by a fast, reliable, high
speed connection. A site in Active Directory should exist where a LAN
exists; a domain can have any number of sites. Sites are depicted in
AD diagrams by a circle.

Sites are then connected to other sites via WAN links. Sites are used
to control logon traffic from users in the site, consolidate
replication, and facilitate service localization. The most important
function of a site is that it ensures that users log on and
authenticate to domain controllers on the LAN rather than traveling
across a low speed, low bandwidth WAN link. Because users log on
locally, the log-on time is significantly reduced. Sites also control
replication because any changes within the site are made locally and
then replicated across the WAN.

There are no restrictions on site names. Commonly in the Marine
Corps, the sites are the Camp or unit names. When a site is
configured in Active Directory, the VLANs active at the site on the
LAN are added to that site’s attributes in Active Directory. This is
what Active Directory uses to force computers and users to
authenticate locally first. On the below diagram, see how many sites
the Regiment uses to control its domain.

There are 3 sites in the GCEFWD domain, the RCT and the two
subordinate battalions. If an artillery battalion or other GCE unit
were added to the T/O of the RCT, a separate site could be created for
each of the units.

With Active Directory, it is better and easier on subordinate units to
give them their own sites in the same domain than it is to run a
forest with each unit having its own domain. If the battalions were
going to run their own domains, they could not use just one domain
controller, they would need multiple. By T/O, an infantry battalion
has 2-3 servers per enclave, so it is difficult for them to run their
own domains. When the battalions are separate sites, they just need a
server to function as the Global Catalog for them to log on locally.

• It is best practice to locate a Global Catalog server at every
site within a domain.

The subnets listed on the diagram per site come from your VLANs and
subnetting plan for your IP address scheme. The same networks listed
on your WAN diagram should also appear on your Active Directory
Diagram. All sites must be associated with subnets, not just for the
Server VLAN at the site, but also for all of the user and C2 VLANs.
This is important because much of the traffic for Active Directory
objects and queries comes from all of the users’ computers.
Nonetheless, ensure that at a minimum your Server VLANs are listed.

Here is a screenshot from a different Active Directory Forest with
sites and subnets fully established:

You can see in the above capture that each site had two domain
controllers. The subnets are shown in the subnet folder. One of the
subnets has been opened to see the name and the site that it has been
associated with. This forces all of the computers in that IP address
range to authenticate to the domain controllers in the RCT’s site.

Replication Connectors: Site Links

Active Directory can take up a lot of bandwidth. It is not a problem
on our LANs but it can be for our WAN connections. By placing our
domain controllers into sites we can control the time and type of
replication taking place across our WAN links by establishing site
links that link together your separate sites. Your site links should
exactly mirror your WAN circuits depicted on your WAN Diagram.

When domain controllers are placed into sites, one of them is
configured to take the role of the IP Bridgehead server. The IP
Bridgehead controls replication into and out of the site. Instead of
having every domain controller send its changes to every other
controller, domain controllers will replicate freely to each other
only if they are placed in the same site. The IP bridgehead server
will consolidate all of the changes and then send them across the WAN
links to other sites. It will receive changes from the other sites
and then replicate those changes to the domain partition of all of the
domain controllers in its site.

Replication connectors across the WAN are configured between sites and
contain costs and intervals. The cost is a logical representation of
the bandwidth available over the WAN link and the corresponding delay.
A higher cost link means a lower bandwidth and a higher delay. Active
Directory will build its replication topology using the lowest costs
available. Administrators can also define the replication interval:
sites will attempt to replicate changes at the interval specified
(immediately, every 5 minutes, every 15 minutes, etc.). Costs are also
cumulative, so all of the replication connectors in between two sites
are factored into the replication topology. In the Active Directory
diagram you produce here at ECC, cost will not be a requirement to
depict because at the Regiment and lower levels default site link
costs are typically used. At larger organizations, MSC level and
higher, cost is typically shown on site links.

Let’s take a look at the diagram again and focus on the GCE domain and
look at replication.

To create the costs and decide upon a replication interval, you should
factor in the bandwidth, delay, number of hops, and other factors.
Given the costs above, there will be no replication directly between
1/6 and 2/6. Both of them will replicate their changes to the IP
bridgehead at RCT and then it will send them to the other site because
the cumulative cost of replication is less than the cost assigned to
the direct replication connector. If the bottom cost was lowered to
900 or below, 1/6 and 2/6 would start to replicate directly with one

Knowledge Consistency Checker

Now that Active Directory Sites have been defined, and the IP
Bridgehead servers selected, the next step is to select the type of
replication that the bridgehead will use to replicate with bridgeheads
in other sites.

Replication topology is controlled by the Knowledge Consistency
Checker (KCC). The KCC is a service that runs inside every Active
Directory domain controller and it determines how Active Directory is
going to replicate both inter and intra site. The KCC service
replicates this topology to all domain controllers every 15 minutes.
When you create site links, the KCC service uses this information to
build replication connectors between bridgehead servers in
different sites. It uses Directory Service Remote Procedure Call
(DS-RPC) or Inter-Site Messaging – Simple Mail Transfer Protocol
(ISM-SMTP) for replication.

Intra-site replication utilizes DS-RPC and is the default, preferred
replication protocol in Domain Controllers running Server 2008 R2.
DS-RPC appears in the Active Directory Sites and Services snap-in as
“IP”. Intra-site replication is not necessary to depict on diagrams
because it happens automatically when domain controllers are placed
into sites. WAN replication, or inter-site replication, is noted on
diagrams though. Inter-site replication between IP Bridgeheads can be
configured either with DS-RPC or ISM-SMTP. The Marine Corps uses
DS-RPC for inter-site replication due to the fact that ISM-SMTP can
only be used to replicate between separate domains without employing
advanced certificate authority settings in your Active Directory

Bottom line, utilize DS-RPC because it is less complex to configure;
however, ensure that you plan for replication to occur during off-peak
usage in order to conserve bandwidth.

On this diagram, the replication type has been annotated in the

User Services and Other Server Roles

In addition to running Active Directory, domain controllers can also
run DHCP, DNS, Remote Access protocols and other services as
appropriate for your network. These services will run side by side
with Active Directory in the server. Some services like DNS are
tightly integrated with Active Directory and are critical in order for
Active Directory to be able to function properly and must be annotated
on an Active Directory diagram. Other services like web and file
servers just use Active Directory for security and user
authentication. The planner must decide whether to place the services
on a domain controller or a member server. There are benefits and
drawbacks to both ways of employing services.

One of the most important services to the user and Active Directory is

DNS is highly integrated into Active Directory, thus it must be
depicted on your Active Directory diagram. Every site should have at
least 1 DNS server. DNS can run on any domain controller. Records
need to be created in DNS to enable forward and reverse lookups for
every computer and server on the domain.

Here is an example of an internal query for DNS.

Here is an example of an external DNS query in our network.

DNS can be configured on servers in 4 ways. The first is a primary
zone. Each domain will have 1 primary DNS server that has the master
copy of DNS for the domain. New records, deletions, and updates can
be made to this server and replicated to other DNS servers in the

The second way is a secondary zone. A secondary zone is just a copy
of the primary zone that is read only. No changes can be made to a
secondary DNS zone. In an Active Directory Forest, domain controllers
running DNS may have a primary or Active Directory integrated zone for
their own domain and have secondary zones for every other domain in
the forest.

The third way is Active Directory Integrated, where changes are made
on any domain controller or DNS server and replicated to the other DNS
servers in the domain. This is the preferred method of running DNS
servers in the Marine Corps. This eases the burden of the network
administrators inside a domain from keeping track of primary and
secondary zones. In an Active Directory integrated zone, any DNS
server can make changes to the DNS records and all of the DNS servers
have the change replicated to them. Integrated zones only apply
inside a domain, so for faster external lookups secondary or stub
zones can be loaded for other Domains in the forest.

The fourth way is called a stub DNS zone. Stub DNS zones just contain
the DNS records for DNS servers from another domain in the forest.
For example, in our network, the primary GCE DNS server, N01C may have
stub zones for the ACEFWD and LCEFWD domains so that it can send
queries for DNS records in their domains directly to them without
forwarding traffic to the forest root DNS server. This works much
like establishing a shortcut trust to cut down on the overhead
required to query adjacent DNS servers.

The Marine Corps has gone away from Primary and Secondary DNS zones
and now uses Active Directory integrated zones wherever possible. It
is up to the network planner to decide whether or not to configure
stub or secondary zones for the other domains. Not using stub or
secondary zones increases DNS query overhead but reduces replication
traffic. Secondary zones greatly decrease DNS query overhead over WAN
links but increase the replication traffic. Stub zones offer a good
compromise between the two.


The Marine Corps is authorized to use DHCP on the NIPRNET. However,
all servers need static addresses. Only user computers and VoIP phone
IP Addresses can get placed into a DHCP pool. For simplicity’s sake,
one server per site should be a DHCP server. A site with multiple
DHCP servers can run into a lot of IP address conflicts if they are
not configured properly. If redundant DHCP servers are going to be
employed in your data architecture, ensure that your Marines have
practiced setting up the DHCP scopes to avoid IP address conflicts and
duplicate entries.
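To make the DHCP conflict warning concrete, here is an added Python check (example code written for this handout, not a Marine Corps or Microsoft tool) that takes the scopes configured on each DHCP server at a site and reports any address that two servers could both lease, plus any statically assigned address that sits inside a pool. Server names, scope ranges and exclusions are constructed sample values.

```python
import ipaddress
from itertools import combinations


def _to_int(ip):
    return int(ipaddress.ip_address(ip))


def effective_ranges(scope):
    """Addresses a server can actually lease from one scope: the scope's
    start-end range minus its exclusion ranges, as sorted (first, last)
    integer intervals."""
    intervals = [(_to_int(scope["start"]), _to_int(scope["end"]))]
    for ex_start, ex_end in scope.get("exclusions", []):
        es, ee = _to_int(ex_start), _to_int(ex_end)
        trimmed = []
        for s, e in intervals:
            if ee < s or es > e:          # exclusion does not touch this interval
                trimmed.append((s, e))
                continue
            if es > s:                    # keep the part before the exclusion
                trimmed.append((s, es - 1))
            if ee < e:                    # keep the part after the exclusion
                trimmed.append((ee + 1, e))
        intervals = trimmed
    return sorted(intervals)


def find_conflicts(scopes):
    """Pairs of scopes on different servers that can hand out the same
    address. Returns [(server_a, server_b, first_ip, last_ip), ...]; an
    empty list means no address can be leased by two servers."""
    conflicts = []
    for a, b in combinations(scopes, 2):
        if a["server"] == b["server"]:
            continue
        for s1, e1 in effective_ranges(a):
            for s2, e2 in effective_ranges(b):
                lo, hi = max(s1, s2), min(e1, e2)
                if lo <= hi:
                    conflicts.append((a["server"], b["server"],
                                      str(ipaddress.ip_address(lo)),
                                      str(ipaddress.ip_address(hi))))
    return conflicts


def statics_in_pool(static_ips, scopes):
    """Statically assigned addresses (servers, printers) that a DHCP server
    could also lease out; each of these must be excluded from the scope."""
    hits = []
    for ip in static_ips:
        n = _to_int(ip)
        if any(s <= n <= e for scope in scopes for s, e in effective_ranges(scope)):
            hits.append(ip)
    return hits


# Constructed sample plans for one site with two DHCP servers.
# Wrong: both servers lease the whole user VLAN, so duplicates are possible.
BAD_PLAN = [
    {"server": "DHCP-A", "start": "10.10.20.10", "end": "10.10.20.250"},
    {"server": "DHCP-B", "start": "10.10.20.10", "end": "10.10.20.250"},
]
# Right: the same scope on both servers, but mirrored exclusions split the
# range so that each address is leased by exactly one server.
GOOD_PLAN = [
    {"server": "DHCP-A", "start": "10.10.20.10", "end": "10.10.20.250",
     "exclusions": [("10.10.20.200", "10.10.20.250")]},
    {"server": "DHCP-B", "start": "10.10.20.10", "end": "10.10.20.250",
     "exclusions": [("10.10.20.10", "10.10.20.199")]},
]

if __name__ == "__main__":
    print("bad plan conflicts:", find_conflicts(BAD_PLAN))
    print("good plan conflicts:", find_conflicts(GOOD_PLAN))
    # 10.10.20.150 is a constructed static address wrongly left inside a pool
    print("statics in pool:", statics_in_pool(["10.10.20.5", "10.10.20.150"], GOOD_PLAN))
```

The mirrored-exclusion layout in `GOOD_PLAN` is the split-scope pattern: both servers know the whole range, so either can answer a client, but exclusions guarantee they never lease the same address.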

Remote Access

Remote access does not apply for 90% of the networks that you will
utilize in the fleet. Firewalls will block all requests to
authenticate to the domain from external users. However, Active
Directory does support the functionality to allow remote access and
VPN connectivity.

Print Servers

A domain controller can serve as the print server for all of the
network printers. Rather than mapping every user individually to
printers and installing drivers on every computer, users can point to
the print server and use the print server to communicate with their
desired printer. They just search Active Directory for their desired
printer and make it the default, and the print server takes care of
the rest. The server checks Active Directory to see if the user has
permission to print to the server and then adds the document to the
queue for the printer to process.

File Services

Servers, Filers, and computers can all serve as network shares for
files. Domain controllers manage the permissions for user access to
files and folders on the shared drive.

Windows Server 2K3 R2 64 bit and beyond supports distributed file

– One logical drive spread across multiple servers
– Can mirror drives as well

Anti-Virus / Patching

This important service can run on domain controllers or member
servers. Every computer on a Marine Corps network runs an antivirus
program for protection. Every computer must also be patched with the
latest updates from Microsoft, Adobe, and other software
manufacturers. Antivirus servers download updated antivirus
definitions from the Internet and push them out to all of the client
computers. The Patch or Windows Update Server works the same way.
All of the latest patches are downloaded to the one server and then
pushed out to all of the client computers on the network after
testing. Test the updates first to ensure that they were downloaded
correctly and will not crash user computers. This improves the
quality of service and security of the network by reducing outside
traffic and bandwidth use.

Depending upon the number of servers that are available, the Antivirus
/ Patching roles can be run on a Domain Controller or member server.
Best practice recommends deployment on a member server, but if you are
limited, it is better to place the role on a Domain Controller rather
than not planning for it at all.

Web Services

Any server can be a web server if it is running the appropriate
software. If a domain controller is used as a web server, the
security issue must be considered, especially if the server is
accessible from the Internet. Most often for external web servers,
stand-alone member servers are used for web traffic so that if they
are hacked or brought down by a malicious attack, the attacker does
not gain access to a domain controller. That would give the attacker
almost ultimate control over the network and services running on it.


We have covered many of the roles and services that can be employed on
domain controllers and servers. The different roles and services
available offer the data planner a lot of flexibility in tailoring the
services offered to the requirements of the users. The most important
takeaway remains that the data planner plans services to support the
user and bases the Active Directory design on user requirements.

Active Directory’s physical structure can be as simple or complicated
as the designer wants to make it. Ensure that you keep the four
characteristics of healthy network design - Fault Tolerance,
Scalability, QoS, and Security in mind when designing your Active
Directory Architecture.

Here is the sample Active Directory Diagram that we have used during
this class for you to look at one more time.

An astute observer will notice that there are no email servers on this
diagram. There are follow on classes that will go into detail in how
to plan both web servers and email servers to support your users in
your Active Directory Forest.

BOX 788251
CALIFORNIA 92278-8251

27 APR 2013


1. Given a command's task organization, user requirements, and
an equipment density list (EDL) containing data networking
equipment, plan a Microsoft Active Directory (AD) Infrastructure
to satisfy a command's information exchange requirements, in
accordance with the equipment's capabilities and design
specifications, MCWP 3-40.3C (MAGTF Communications System) and the
Tri-MEF Standard Operating Procedures (SOP), Version 1.0. (0602-

2. Given a scenario, command's mission, approved course of
action, task organization, table of equipment, higher headquarters
Annex K and communication concept of support, create a C4
Applications list, within a timeline provided by the commander
which satisfies the commander's communications system requirements
for command and control, per MCWP 3-40.3C. (0602-PLAN-1106dx)


The last series of classes introduced Microsoft Active Directory
and its physical and logical components. Many of the basic services
and roles that servers can run to support the infrastructure have
been covered along with some recommendations and best practices
from Microsoft. This lesson focuses on how to design and deploy
an Active Directory infrastructure that will fulfill the service
requirements of your Commander and supported units.

Planning Considerations

Planning an Active Directory infrastructure for the Marine Corps
is relatively simple compared to the civilian world. However, the
most important takeaway for you as a planner is that it is very
difficult to change and modify the Active Directory Forest and
domain structure after it has been implemented. Changing server
names, domains, IP addresses, and other information can seriously
compromise an Active Directory Infrastructure. Because of this
fact it is best to take into account all the planning
considerations possible to develop a lasting architecture that
gets it right the first time.

There are several key planning considerations to start the
brainstorming process including:

• Does my proposed Active Directory structure meet my
Commander’s requirements for services?
• Simplicity
• Fault tolerance, scalability, QoS, and Security
• Electrical power and HVAC
• Equipment Available
• Knowledge of the Marines

Each of these planning considerations will be examined in the
following section. However, remember that this list of
considerations is not all inclusive; as you gain practical
experience in the Marine Corps and the fleet you will be able to
develop a much more detailed checklist for planning.

Commander and Unit Requirements

The core consideration is what services your commander and his or
her staff require. If the commander plans to be mobile and doesn’t
want to rely on email, then you do not need to worry about planning
for email servers or services. If the commander wants email, web,
chat, and file sharing, you will have to plan a more involved
Active Directory infrastructure. There are also unit specific
requirements. The S-1 and S-4 sections heavily utilize the NIPRNET
for services because the majority of administrative and parts
ordering is done on the unclassified enclaves. Sometimes the
commander may not be aware of all of the requirements for the
staff sections. Ensure that your Active Directory plan
encompasses all of the unit’s requirements in addition to those of
the commander.


The second consideration should be simplicity. The simpler your
architecture design is, the more likely that it will work, pass
the accreditation process, and that your Marines can actually
install, operate, and maintain the servers. A good network planner
will not plan for additional services and servers because the
equipment exists or simply because he or she can, but because the
services are required to accomplish the mission. Even with a simple
domain structure, Active Directory can get rather complex very
fast in a deployed environment. The simpler the plan is at the
beginning, the more flexibility it usually retains as the
requirements adjust to changes in the mission.

Fault Tolerance, Scalability, QOS, and Security

The next set of considerations is the four characteristics of a
healthy network: Fault Tolerance, Scalability, QoS, and Security.
A very simple Active Directory design may not be very fault
tolerant or survivable in a combat or counterinsurgency operation.
However, a very fault tolerant infrastructure may be too complex
for the Marines to properly install. Thus a network planner must
strike a balance between the two.

Scalability is how well suited your infrastructure is for
expansion. Planning and implementing a print server may not cross
your mind when you have five printers in the battalion, but when
your Marines are dealing with 20 printers, a print server
implemented earlier would have made configuration and expansion
so much easier. Complex architectures may not be very scalable or
grow well. A good example of this was the original domain structure
in Iraq where there were 4 separate domain trees in the forest,
rather than 1 tree. The flexibility and freedom that the MSCs had
led to an Active Directory infrastructure that fell apart because
there was no central control or enforcement.

The second factor to bear in mind about the scalability of the
structure of Active Directory is that once forests and domains are
established, it is very difficult to change the forest and domain
names, the server names, and the server IP addresses. Domain
controllers and child domains can always be created for growth but
much of the Active Directory Schema for a forest cannot be easily
altered after creation. As such, bear in mind the potential for
future growth and changes at the start of planning rather than as
an afterthought.

Quality of service in an Active Directory structure is also
important. Too many servers and domains will cause immense amounts
of replication traffic between all of them. Not enough servers may
affect the user’s experience, causing delays in the user’s logon
time and when checking email. In this context, quality of service
is not just a layer 3 mechanism for assured delivery, but an
analysis of how easily a user can access all of the services and
resources in your plan.

Remember to examine the network and your plan not just from the
administrator’s perspective but also from the user’s viewpoint.
Remember that the purpose for Active Directory is to provide
services for the user. Any compromise to the Active Directory
infrastructure should be made in favor of the user, not against
them. Quality of Service must be balanced against all of the other
factors used to plan the Active Directory Infrastructure.

Security and control are also important in an Active Directory
infrastructure. Too much security held at the higher levels means
that the architecture will not be flexible or responsive to your
commander, if you have to wait for regiment or the communications
battalion to make a change to your server. On the other hand,
too much freedom can lead to a lot of problems with your server.
The same original Iraqi AD infrastructure scenario applies here as
well. This is what the original AD topology looked like:

Because of the separate domain trees in the Forest, there was no
way for the MEF to enforce security policy across the different
trees. The CE tree was managed completely differently from the ACE,
GCE, and LCE trees. Because of the freedom granted to the MSCs,
problems with replication, DNS, and email occurred that could not
be corrected by the MEF. A good network planner will look at server
location, unit needs, and the ability of the units to manage their
servers before deciding on the right balance of security.

Electrical Power and HVAC

Servers are very temperamental computers, much more so than laptops
and desktops. Cutting edge servers are very susceptible to dust
and heat. Servers also draw a significant amount of power from
generators. An unsteady power source will damage the server power
supplies. Before planning to give servers to a unit, a good site
survey needs to be conducted to ensure that the unit can support
the electrical and air conditioning loads that servers require. A
good example of this is that at Mojave Viper, traditionally the
only air conditioned space in the whole battalion is the data shop.
This is because the servers need to be kept cool in order to
function. The more servers a planner employs, the greater the strain
on the electrical and air conditioning grid of a unit. Remember to
factor in the power and HVAC capacity of the different units when
planning to employ servers.

Available Equipment

This consideration is relatively simple. You can only plan to
utilize the equipment that you have available. It would be
foolhardy to plan an Active Directory infrastructure that utilizes
12 servers when you only have 6 available. A data planner must
analyze the equipment available and match it to the commander’s
requirements and fault tolerance. If there are no offline spare
servers and a problem develops with an online server, what is the
backup plan? These considerations are important when developing
the initial Active Directory infrastructure.

Marines’ Knowledge and Training

A data planner must assess the knowledge of the Marines that will
be installing, operating, and maintaining the equipment. If
advanced or complicated aspects of Active Directory are employed,
the Marines should be sent to the training ahead of time or trained
on a test network. Employing advanced techniques with
inexperienced or untrained Marines on a production network can
cause problems for you and the users. Keep the network design and
topology within the Marines’ training and experience.

Active Directory Domain Structure Best Practices

Now that some of the major planning considerations have been
discussed, some of the Microsoft “Best Practices” for Domain
planning will be examined.

The recommended best practice for starting your Active Directory
planning is to start out with utilizing the single domain model.
In a single domain, all objects in the forest are located in the
same security boundary of the one domain. Security policies are
easy to implement, naming conventions are simple, and management
is very simple. No trusts or cross-domain authentication
relationships need to be planned or configured in order for users
to have access to all the services that are offered.

The one domain model works best with a single administrative staff
managing the servers, common security policies, and FSMO roles.
However, there are times where multiple domains may be preferred.
The following are some of the main reasons to employ multiple
domains in your Active Directory Structure:

• Keep the schema master and forest root domain separate for
stability (No users on forest root domain)
• Different domain level security policies
• Decentralized administration
• Different DNS namespace

The above reasons are listed with the most important considerations
first. For a permanent Active Directory infrastructure, Microsoft
recommends a forest root domain that does not contain any users.
The domain exists to allow one group of administrators to define
a common security policy for the forest, manage the Schema and
Domain Naming Master FSMO roles, control the DNS namespace, and
provide an additional layer of security and control over the
infrastructure. Child domains are created from the forest root
domain to manage users. The domain structure for Marine Corps
networks in Iraq used this concept.

The MNF-WIRAQ domain was the forest root domain for the Marine
Corps Active Directory infrastructure and was managed by the MEF
G-6 and the Communications Battalion to provide overall security
policies and control for all of the MNFW networks. However, for
most exercises and short term operations, a separate domain for
the forest root is usually not created.

The second reason on the above list is also important. Separate
organizations will have separate security needs, access
restrictions, and policies. Multiple domains allow the separate
administration of the Active Directory infrastructure. Current
practice in the Marine Corps is that each component of the MEF
will run their own domain – the CE, GCE, ACE, and LCE all will be
child domains from a MEF run forest root. This gives freedom and
flexibility to each one of the subordinate G-6s to plan their own
networks to support the needs of their Generals. Each of the MSCs
has communications squadrons, battalions, and companies to
centrally manage the core of their domain and has the freedom to
adjust the domain topology to fit the needs of their units and
operating tempo.

The third reason, decentralized administration, is also a valid
reason for using multiple domains. The same reasoning that the
Marine Corps applied to having each MSC run their own domains
because of the separate security policies and needs follows the
decentralized administration model as well. Each of the MSCs has
the resources, equipment and trained personnel to be able to manage
their own domain within the MEF. Currently, the Marine Corps
typically does not utilize any child domains below the MSC level
domains, even though there are communication platoons at the
regimental, group, and battalion level, for several reasons. The
first reason is that a domain requires at least two domain
controllers for fault tolerance. The proper employment of the FSMO
roles leads to even more servers and overhead. Additionally, child
domains for each regiment and battalion would not improve services
to the commander and they also violate the second planning rule of
simplicity. A domain structure with three or four child domains
would make the Active Directory infrastructure, DNS lookup zones,
and object control much more complicated than it would ever need
to be.

The final reason for employing multiple domains is to allow
organizations to maintain separate DNS namespace. This reason does
not affect Marine Corps Active Directory planning and is more a
factor in the civilian world. For example a company with several
divisions of manufacturing may want separate domains for each
division that are easily locatable by customers. It would be
easier to find a tools.com website than one with an extensive DNS

Domain Planning Below the MSC Level

There are several basic rules to follow. Keep the number of domains
to a minimum. Infantry battalions do not need their own domains to
manage. You will have many other things to occupy your time and
effort than worrying about FSMO roles. Let the Marines and
Communication Officers at the Communications Company, Battalions,
and Squadron level worry about controlling a

More pertinent and applicable to a lower level communications
officer is that your unit’s users and computers are grouped into a
separate Active Directory Site if your unit is separated by a WAN
connection. In that site, the minimum required services are DNS and
a Global Catalog service. More servers at your site improve fault
tolerance but are not necessary. Microsoft best practice recommends
1 domain controller per 1000 users, so you are not going to max out
the capabilities of the one server. If there is a problem with that
domain controller, your users will just authenticate across the WAN,
so there will be no interruption in services provided, just latency
and delays in logging on and accessing network resources.

Once a site has been created, all of your users need to be placed
in an OU that your Marines can control and manage. From this OU
structure you can organize the objects in your battalion how you
see fit, and control and manage security and access to file shares.
With a separate site and OU, you will have all of the administrative
control you need to be responsive to your commander’s and users’
needs without wasting the equipment, resources, and time of your
Marines.

An Active Directory diagram that incorporates this concept looks
like the following:

Active Directory Deployment Considerations


When installing Active Directory infrastructure, there are several
important guidelines to follow. The most important of them is the
fact that all domain controllers should be constructed and deployed
on a LAN with either the domain or the forest root. Do not install
a domain controller across a WAN and have it replicate the entire
Active Directory Database over your WAN connection. Your users
will not be happy with their service. Creating domain controllers
creates a great deal of traffic as the domain controller assumes
its role. It is better to build a domain controller on the same
LAN as the root. Once the domain controller has finished
replication, it can be shut down and convoyed or flown to its
ultimate location.

The diagram below shows the wrong way to install a domain
controller at a site.

Replicating an entire Active Directory database across a 512 kbps
WAN connection would take several hours and might even fail a
couple of times resulting in more problems.

A better solution is to follow the guidelines of this diagram:

How much faster and more effective would it be to have replication
be over a 1 Gbps link on a LAN? You can simulate your site, where
the servers are going, using a VLAN on the same Layer 3 switch
that is directly connected to the forest or domain root servers.
The domain controllers are able to replicate faster and
additional Marines, expertise, and maintenance are available to
help troubleshoot if problems arise. This method is the best way
to quickly and safely add servers to the domain.

For all major exercises, operations, and tactical deployments, the
Marine Corps conducts joint server builds to construct the Active
Directory forest. All of the other units will bring their servers
to a central location and create the entire active directory
infrastructure. Once the topology has been set and configured, the
servers are brought down and packed up for the exercise or
deployment. When everything is brought up across the WAN links
in the deployed environment, there is minimal replication traffic
because all of the servers have already replicated all of the
important data.

Site Replication

In an Active Directory domain there are often multiple sites that
provide domain services to units spread across the battlespace.
When the network planners configure the bridgehead servers at each
site, WAN connectivity must be factored into the plan. It is more
effective to create site links over high bandwidth, low delay links
rather than low speed, high delay links. Replication connectors
should also follow WAN topology. If two sites are not connected
via a transmission media and a WAN link, why would a replication
connector be created between the two? The answer is that the site
connectors should be designed to follow and mesh with the layer 3
topology unless there are extenuating circumstances.

Take a look at this diagram. The delay depicted comes from the WAN
diagram which ultimately reflects the delay of the transmission

Active Directory uses the cumulative value of costs between sites
to develop its replication topology. In this diagram, because costs
are configured incorrectly, replication will occur over low
bandwidth, high delay links from MEF to the MAW and the MARDIV.
Look at the below diagram and see if you can see how replication
traffic would be better configured to flow in this network:

In this diagram all of the replication traffic to the MARDIV and
the MAW will flow to the MLG first and then across to each of the
other MSCs. With the costs associated with this diagram, all
replication traffic will try the high bandwidth, low delay links
first. This leaves the bandwidth constrained links free for voice,
video, email, and other services rather than wasting overhead on
Active Directory replication. A replication topology like this one
assists the quality of service of not only packets flowing across
the network but also the user’s direct experience accessing
services.
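The cumulative-cost behaviour described here, and in the RCT / 1/6 / 2/6 site link discussion earlier in this handout, can be checked with the added Python example below (written for this handout, not code from the course or from Microsoft). It computes the least-cost path between two sites over a set of site links, the way the KCC does when site link bridging is enabled (the default), and lists which links end up carrying replication. The site names match the diagrams, but the costs are constructed sample values chosen to reproduce the decisions the text describes, not the costs on the diagrams.

```python
import heapq


def replication_path(site_links, src, dst):
    """Least-cost path from src to dst over bidirectional site links.

    site_links is a list of (site_a, site_b, cost). With site link bridging
    enabled (the default), the KCC treats links as transitive and routes
    inter-site replication over the lowest cumulative cost, which is what
    this Dijkstra search computes. Returns (path, total_cost), or
    (None, None) when the two sites are not connected at all.
    """
    graph = {}
    for a, b, cost in site_links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    dist, prev = {src: 0}, {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue                      # stale heap entry
        if node == dst:
            break
        for nxt, cost in graph.get(node, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None, None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


def links_carrying_replication(site_links, pairs):
    """Set of (site_a, site_b) links used by at least one replication path,
    so the planner can see which WAN circuits stay free of replication."""
    used = set()
    for src, dst in pairs:
        path, _ = replication_path(site_links, src, dst)
        if path:
            for a, b in zip(path, path[1:]):
                used.add(tuple(sorted((a, b))))
    return used


# Constructed costs for the regimental example: the direct 1/6-2/6 link is
# priced higher than the two hops through the RCT bridgehead.
RCT_LINKS = [("RCT", "1/6", 500), ("RCT", "2/6", 500), ("1/6", "2/6", 1200)]
# Same topology with the direct link lowered below the two-hop sum.
RCT_LINKS_DIRECT = [("RCT", "1/6", 500), ("RCT", "2/6", 500), ("1/6", "2/6", 900)]

# Constructed costs for the MEF example: low cost on the high bandwidth
# circuits through the MLG, high cost on the low bandwidth direct circuits.
MEF_LINKS = [
    ("MEF", "MLG", 100), ("MLG", "MARDIV", 100), ("MLG", "MAW", 100),
    ("MEF", "MARDIV", 500), ("MEF", "MAW", 500),
]

if __name__ == "__main__":
    print(replication_path(RCT_LINKS, "1/6", "2/6"))          # via RCT, cost 1000
    print(replication_path(RCT_LINKS_DIRECT, "1/6", "2/6"))   # direct, cost 900
    for dst in ("MARDIV", "MAW"):
        print(replication_path(MEF_LINKS, "MEF", dst))        # via MLG, cost 200
    print(sorted(links_carrying_replication(
        MEF_LINKS, [("MEF", "MARDIV"), ("MEF", "MAW")])))
```

With the MEF costs above, the two 500-cost direct circuits never appear in `links_carrying_replication`, which is the outcome the paragraph describes: replication rides the MLG circuits and the constrained links stay free for voice, video and email. Lowering the direct 1/6-2/6 cost below the 1000 two-hop sum flips the regimental result to direct replication, as the earlier passage states.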

Priorities and Tasks

Priorities come straight from the commander’s guidance. As a
communications planner, you need to understand what the commander
is going to need to accomplish the mission and in what order it is
needed. If SIPRNET chat is the most important service to the
commander and you are wasting your time, Marines, and resources on
getting email working, you are not tracking with your commander.
If you are unclear on the commander and his or her priorities,
ask. After you are clear on the commander’s priorities, you must
ensure that your Marines also understand them. List your
priorities on your concept of operations by enclave and service.
Take a look at the below

– SIPRNET: Chat, Web, AD, Email, File, Print

– NIPRNET: Web, File, AD, Email, Print

These priorities will guide your section chiefs and Marines as they
direct the installation and restoration of the network. Notice as well
that the SIPR and NIPR priorities are different. Oftentimes they will
be, because the commander has different needs for different networks.
Be as specific as you can in listing priorities. List services, not
concepts or servers, and be as clear as you can.

All of the server tasks fall into the same Appendix as the
networking tasks. Many of the server tasks can fall under
coordinating instructions. Remember to use some of the Microsoft
best practices in the installation and operation phases and to
factor in your Commander’s priorities.

Command, Control, Communications, & Computers (C4) Application List

One additional requirement for planning an Enterprise Services
architecture that is managed via Active Directory is to develop a
Command, Control, Communications, & Computers (C4) Application list.
A C4 Application list details all of the software applications and
services you will be employing on your packet switched network within
your domain. This document is essential for multiple reasons:

 It provides a listing of all approved software that will be
running on your network. Only software that is annotated on the C4
Application List should be installed on your network. If your Marines
discover software on a machine in your network that is not on the C4
App List, that unapproved software is uninstalled immediately.
 The list provides you and your data planners the opportunity to
identify potential gaps in service capabilities (i.e. missing
Microsoft Office, Visio, SPEED, Chat Client, etc).
 The list provides you the ability to identify and resolve
compatibility issues between software before the network ‘goes live’
(i.e. Microsoft Office 2007 files are not compatible with Microsoft
Office 2003 if the MS Compatibility Pack is not installed).
 The C4 Application List is a required document for the USMC
Certification & Accreditation package (this will be covered further in
depth in H Annex, Information Assurance).
 Active Directory manages more than the objects in the domain; it
also manages the services that operate within the domain. Thus, the
list is an important reference to consult when ensuring that Active
Directory security policies have been established that will allow the
users to access the services they need when they need them.

As a Communications Officer, you will ensure that a C4 Application
List has been created for all networks and domains you establish for
both NIPR & SIPR PSN networks. An example of what might appear on a
typical C4 Application List is shown below:


SCORPION, 4 – 28 JUNE 2012

Application Name                                        Version
Microsoft Windows 2003 Server                           SP2
Microsoft Windows 2008 Server                           Enterprise
Microsoft Windows XP Pro                                SP3
Microsoft Office 2003                                   SP3
Microsoft Office 2007                                   SP3
Microsoft Exchange 2003                                 SP2
Microsoft Exchange 2007                                 Enterprise
Microsoft Internet Explorer                             7
WinZip                                                  9.0
Adobe Reader X                                          10
ELPRS Network Manager
Solarwinds Orion Network Performance Monitor            9.5
Microsoft SQL Server Enterprise Edition                 2005
Cisco Call Manager                                      7.1.2
Microsoft Office SharePoint Server Enterprise Edition   2007
McAfee HBSS Agent                                       4.5
Belarc Belmonitor                                       8.0e
Tumbleweed Desktop Validator                            4.9.2
ActivClient                                             6.2
Marine Corps Electronic Logbook (MCEL)                  2.0
Defense Connect Online XMPP                             5.4
Openfire Jabber Chat Server                             3.8.1

Sample Tasks:
 Attach one DDSM from 1MEB.
 Establish a domain for RCT-7.
 PIOM the RCT-7 server architecture.
 Establish an OU structure for RCT-7.
 Terminate a site link connector between the 1st MEB IPBH
server and the RCT-7 IPBH server.

4 APR 2013


1. Without the aid of reference, state the purpose of Microsoft
Internet Information Services (IIS), per the Microsoft Internet
Information Services (IIS) 7.0 Resource Kit, and Newton's Telecomm
Dictionary, 24th Edition. (0602-PLAN-1105ii)

2. Without the aid of reference, describe the structure of a Uniform
Resource Locator (URL), per the Microsoft Internet Information
Services (IIS) 7.0 Resource Kit, and Newton's Telecomm Dictionary,
24th Edition. (0602-PLAN-1105ij)

3. Without the aid of reference, state the importance of Microsoft
Internet Information Services (IIS) Security, per the Microsoft
Internet Information Services (IIS) 7.0 Resource Kit, and Newton's
Telecomm Dictionary, 24th Edition. (0602-PLAN-1105ik)


The last series of classes introduced Microsoft Active Directory and its
physical and logical components. This class covers the planning and
implementation of web sites, FTP servers, and other web based
functionality, to further add to your ability to serve as a network
planner.

Introduction to Internet Information Services

Internet Information Services (IIS) is a Microsoft product used as a
framework for hosting web and FTP sites. It is made up of a suite of
protocols and services that add functionality and support to a server
to allow clients to connect to it. Every time a user visits a web site,
his or her TCP/IP traffic is directed towards a directory on a server
running a web service like IIS or Apache. This web service has to be
able to support computers and web browsers operating on Linux,
Macintosh, Microsoft and other operating systems.

The Marine Corps uses web servers as log books, personnel databases such
as MOL, intelligence databases such as MarineLink, for tactical purposes
like Significant Event Logs and battle tracking, for Network Monitoring,
staff collaboration, and many more functions as the military becomes
more net centric.

The Marine Corps uses IIS as a platform for supporting web sites and
other web resources. Almost any Microsoft Operating System from NT
forward has built in functionality supporting IIS. You can host a web
page from your laptop or desktop at home if you are using a Microsoft
OS. The Marine Corps uses IIS to manage web pages, for FTP service, and
as the foundation for email transport.

When a user goes to a webpage, the computer establishes a connection
with the web server and downloads the web page. It is transparent to the
user whether the web server is running IIS or Apache as the support
framework for the web page. For example, upon surfing to a web site a
user sees:

When a network administrator in charge of the web site wants to change
a feature, update a configuration or restart a service, he sees the IIS
Management console:

A computer running IIS can host multiple web and FTP sites. In the screen
capture above, you can see that there are 2 web sites that this server
is hosting. All of the functionality to configure that web site can be
found by right clicking on the web site name or selecting one of the
features or plug ins on the left in the default site home box. This
console is the central point in managing a website, its built in
functionality, and any other plug-ins and advanced features.

Many web pages are written using Hypertext Markup Language (HTML) that
is based around text supplemented with interactive forms, embedded images
and videos and other objects. The plug ins and functionality present in
IIS provides the foundation for the user’s interactive experience with
the web site. If the HTML code calls for features or settings that the
administrator has disabled in IIS, then the web site will not function.

Protocols Supported by IIS

Installing IIS on your computer adds support for the following
protocols and services:

• Hypertext Transfer Protocol (HTTP/S)
• File Transfer Protocol (FTP/S)
• Simple Mail Transfer Protocol (SMTP)
• Network News Transfer Protocol (NNTP)
• Post Office Protocol version 3 (POP3/S)
• Internet Message Access Protocol (IMAP4/S)

The /S stands for the secure version of the service. For example, IIS
supports both the HTTP and HTTPS protocols, as well as offering secure
versions of POP3 and IMAP4. These protocols are managed through the
IIS Manager Console. Some services are disabled by default and some
are enabled. Ensure that only the services and protocols that you are
going to use are activated and the rest are turned off, to present a
smaller attack surface for network defense.

As discussed earlier in the lesson, IIS is a service that can run on
just about any Microsoft Operating System. While versatile, there are
several restrictions on client operating systems that a network planner
needs to be aware of. A computer running Windows XP will only support 10
connections to a web page or service using IIS. For a web server, this
is not very effective because often you will have more than 10
computers in your unit attempting to use the resources or services on
the web page. Windows Vista will allow more connections but can only
handle 10 connections at the same time. This means that if you are the
11th person to access the web page, you will be unable to download or
use it until another user has finished. So Windows Vista computers are
not ideal web servers. Network operating systems such as Windows Server
2003 and Windows Server 2008 support unlimited IIS connections. This
means that a good network planner will always host and operate web
pages from a network operating system and not a client operating
system. While you are able to install a server OS onto a laptop, most
network administrators choose to use a dedicated server for web
application

Uniform Resource Locator and IIS

A Uniform Resource Locator (URL) is how a user accesses information on
the web server. It can be broken into 5 parts: a protocol, a fully
qualified domain name or IP address, folders, document and language.
An example of a URL is shown below:

An https URL starts with https://. The server name can be its DNS name
or its IP address. When you use a domain name in the URL, your computer
will query a DNS server to resolve the domain name to an IP address.
The second half of the URL specifies where on a particular server the
webpage exists. URLs work the same way for FTP sites as well. In the
case of FTP, the second half of the URL is the location that files will
be downloaded from or uploaded to using FTP.

When a computer sends the URL to the server, the server responds to the
request with the actual page, and the HTML, ASPX, or other code is
rendered into the graphics and text in your web browser.
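As an added example that is not part of the handout, this Python function splits a URL into the five parts named above and also reports whether the server part needs DNS resolution; treating the document’s extension as the “language” part and the sample URLs are this example’s assumptions.

```python
"""Break a URL into the parts the handout describes.

Added example, not from the course handout.  The handout's five parts are
protocol, FQDN or IP address, folders, document and language; reading the
"language" from the document's extension (.html -> HTML, .aspx -> ASP.NET)
is this example's assumption, as are the sample URLs in the usage below.
"""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ftps": 990}

# Assumed: the page language implied by the document's extension.
LANGUAGES = {
    "htm": "HTML",
    "html": "HTML",
    "asp": "ASP (classic)",
    "aspx": "ASP.NET",
    "php": "PHP",
}


def is_ip_literal(host):
    """True when the server part is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_url(url):
    """Return the protocol, server, folders, document and language of a URL.

    Also reports whether the server must be resolved through DNS and which
    port the connection will use, since both matter when planning what a
    client needs in order to reach the server.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no server name or IP address")
    segments = [s for s in parts.path.split("/") if s]
    # A path ending in "/" (or no path at all) names a folder only; the web
    # server will answer with its configured default document.
    document = None
    if segments and not parts.path.endswith("/"):
        document = segments.pop()
    ext = document.rsplit(".", 1)[1].lower() if document and "." in document else None
    return {
        "protocol": parts.scheme,
        "secure": parts.scheme in ("https", "ftps"),
        "server": host,
        "server_is_ip": is_ip_literal(host),
        "needs_dns": not is_ip_literal(host),
        "port": parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme],
        "folders": segments,
        "document": document,
        "language": LANGUAGES.get(ext) if ext else None,
    }


if __name__ == "__main__":
    # Constructed sample URLs: a unit web page and an FTP drop by IP address.
    for sample in ("https://www.2meb.usmc.mil/s6/status/index.aspx",
                   "ftp://10.1.1.5/pub/orders/"):
        for key, value in parse_url(sample).items():
            print(f"{key:>13}: {value}")
        print()
```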

IIS Employment and Security

In the Marine Corps, IIS is most often found running on web servers and
Exchange Servers. The Microsoft Exchange E-mail Server uses the protocols
and functionality inherent in IIS to transport mail messages. The
second place that you will see IIS running is on web servers hosting
web pages for your unit.

In its capacity to serve as a web server, the best place for IIS to run
is on a member server that is not running any Active Directory roles or
other vital roles in your services infrastructure. This becomes
especially paramount when the web server is made accessible by the
Internet. For security purposes and access control many Marine Corps web
pages only run internal to a unit.

While a domain controller is perfectly capable of handling IIS in
addition to its duties of controlling Active Directory, web services can
open up vulnerabilities on the server, making it easier for hackers to
access the domain controller. Since a domain controller has a complete
copy of every object in the domain and controls access to just about
everything in your network, allowing a hacker access to your domain
controller would be like giving him or her the keys to your house. A
second reason to avoid using domain controllers as web servers is
resource limitation. If a domain controller is answering Active
Directory queries, authenticating logons, replicating, and granting
permissions to objects, the processor, RAM, or network interface card
may not be capable of handling the additional processor load or network

Using IIS and making your web server accessible to the rest of the world
on the Internet opens vulnerabilities in your network that you must work
to mitigate and protect against. The risks include hackers or
unauthorized personnel retrieving sensitive or confidential files from
your server, outsiders gaining unauthorized system access, and denial
of service attacks. A major risk is having the whole web page hacked
and changed without you knowing about it.

Good IIS security practices will help to mitigate these threats. Here
are some basic countermeasures:

– Physical Site security
– System security
– Application security
– Auditing
– IIS security
• installation/updating procedures
• Privileges; properly “locking down” the service

Physical and system security mean protecting the web server from
unauthorized access within your site, FOB, or location. This will
prevent a malicious user from logging on to the server directly.
Network and application security mean using firewalls, Access Control
Lists, and antivirus programs to block ports and protocols that are
not needed by users. This helps restrict access to your web server from
the Internet. Your web server should itself be running a firewall and a
good antivirus program to serve as a last ditch defense against
malicious activities and threats. Auditing is another important way to
protect your web server. One of your data Marines should be checking
the error and service logs of the computer every day, looking for
changes, errors, and problems that happen to the IIS service. For
example, if a hacker got into your web page and changed everything on
the web page, the computer logs would show the IP address and user name
where the changes came from, along with the time and the changes that
were made to the system. If the hacker was very good, the audit logs
may be the only place where a record was left of his or her presence.

Finally, there is the security inside of IIS itself. Every separate
component of IIS can be locked down and secured. If the purpose of the
server is just to support web pages, then FTP, SMTP, and other client
access protocols should be disabled because there isn’t any need for
them to be running.

Inside IIS you can configure settings that force your users to log into
the web site, support only HTTPS connections, and other measures to make
it harder for the hacker to gain access to the system or the information
inside of it. The following picture shows some of the different roles
and options that you can secure, turn off, or utilize to make your web
server a harder target:

These options allow the Data Marines to specifically harden the different
components in IIS and on the website.

Overall, security is an important factor in website and network design.
Websites are extensively used for collaboration and information sharing.
By hardening the web site, enabling authentication and restricting
privileges, you protect the website but make it harder for the user to
get the information he or she needs.

Access is not the only problem with website security. Website
functionality like animations, automatic updates, and various types of
content that add to the user’s experience may detract from the ability
of the website to convey information if turned off. There is a balance
between functionality and security that must take both factors into
It is much easier to plan the employment of an internal web server that
is only accessible behind a firewall or enclave boundary. Because
people on the Internet cannot access the server, security restrictions
can be much lighter and more functionality can be added to the websites.
For many small exercises and operations, Marines will host webpages for
their battalion on a domain controller or admin server depending upon
the resources available. Little coordination is needed because the
website will only be accessible from inside the domain.

External web servers are much more difficult to employ. Since it will be
accessible from the Internet, it must be hardened to protect against
attacks. An external web server is usually a stand alone server that has
no other services or roles running on it, so nothing vital will be
compromised in the event of an exploit.

The external web server can then be placed outside the firewall on the
network or inside the firewall depending upon the information security
plan. Placing the external web server in the DMZ in front of the
firewalls makes configuring the packet filtering rules on the firewall
easier than opening holes in the firewall for external users to get to
the web

At your planning level, if a web service is required by your commander
or mission, you will either be planning an internal web server or
piggybacking off of an already existing web server run at the
regimental, group, or MAGTF level. Your Marines and you may plan and
administer the web services or they may be run and administered by the
Information Management Officer and his Marines.

28 APR 2013


1. Without the aid of reference, identify the ports commonly used to
enable Electronic Mail (E-mail) Services within Packet Switching
Networks (PSNs), per the Microsoft Exchange Server 2007 Resource Kit.

2. Without the aid of reference, compare the Microsoft Exchange
Logical Structure (Organization, Administrative Groups, and Servers)
with the Microsoft Active Directory (AD) Logical Structure, per the
Microsoft Exchange Server 2007 Resource Kit, and the MCTS Training
Kit, Configuring Windows Server 2008 - Active Directory (Exam 70-640),
Network Infrastructure (Exam 70-642), and Applications Infrastructure
(Exam 70-643). (0602-PLAN-1105ip)

3. Without the aid of reference, define Organization, per the
Microsoft Exchange Server 2007 Resource Kit. (0602-PLAN-1105in)

4. Without the aid of reference, state the purpose of Administrative
Groups, per the Microsoft Exchange Server 2007 Resource Kit. (0602-

5. Without the aid of reference, describe the three Administrative
Models for Microsoft Exchange Organizations, per the Microsoft
Exchange Server 2007 Resource Kit. (0602-PLAN-1105iq)

6. Without the aid of reference, describe the three core components of
Microsoft Exchange, per the Microsoft Exchange Server 2007 Resource
Kit. (0602-PLAN-1105ir)

7. Without the aid of reference, select from a list of distracters the
purpose of the Automated Message Handling System (AMHS), per the NTP
3(J), Naval Telecommunications Procedures, Telecommunications Users


Email has become a vital part of the Marine Corps Communication
Architecture. A key part of any exercise, staff training, and operation,
the Marine Corps would be hard pressed to run without email. The
network planner must analyze the requirements of his or her users and
develop a plan to support the email requirements of the commander and
subordinate units. The email backbone of the Marine Corps is run using
Microsoft Exchange Servers.

Email Review

Many of the different ports and protocols that relate to email were
covered in the C06 and C07 classes on the Application, Presentation,
Session, and Transport Layer and in the F06 class detailing the Internet
Information Service (IIS).

Here is a list of the email protocols that will be supported and used
by Microsoft Exchange:

• SMTP: 25
• IMAP: 143
• POP3: 110
• MAPI: 135
• NNTP (Network News Transfer Protocol): 119
• HTTP: 80
• HTTPS: 443

The only new protocol introduced is the NNTP protocol which is used to
distribute news around the network from servers to clients. News is
pushed out from a news server and received by the clients running the
appropriate software and the articles are viewed by the reader. The
reader can subscribe to a series of articles or news updates and he or
she will receive them as updates occur to the articles posted on the
news server. This protocol is not commonly employed in the Marine Corps.

Within the Marine Corps, there is not much use of the IMAP and POP3
client protocols; MAPI and HTTPS are the two primary email retrieval
options of note because of the employment of Microsoft Outlook and
Outlook Web Access. For a third party email application, IMAP and POP3
would be employed to enable the email client to download the emails from
the Exchange Server. SMTP is used to send emails from the client to the
server and from the server to other servers.

Email Formats

There are two types of email formats: ASCII and Multipurpose Internet
Mail Extension (MIME). The ASCII format is for text only emails. There
are no pictures, attachments or different fonts.

MIME formatted emails can contain multiple fonts, embedded applications
(.exe files), images, video, and audio. The MIME format has overtaken
the original text based system because it offers a richer set of features
for users and developers. However, the MIME format is much less secure
because hackers can embed hostile programming within the MIME format and
have it run on a user’s computer before the user is even aware of it.
The Marine Corps habitually disables much of the MIME functionality to
protect our networks.

Exchange 2010

This course will focus on Exchange 2010; however, you may find some units
still using older versions (Exchange 2007, or, less likely, Exchange
2003). Exchange 2010 is fully integrated with Active Directory instances
that are at the Windows Server 2008 functional level or higher. This
means that Exchange leverages many of the Active Directory
infrastructure settings, such as mirroring AD replication for email
forwarding, and access to the server is obtained through the same
Microsoft Management Console that controls Active Directory.
Furthermore, being fully Active Directory integrated means that the
user only has to log onto the domain once; he or she will not have to
authenticate separately to the Exchange Server. All of the users’
permissions for mailbox access, public folder access, and send and
receive rights are configured through Active Directory.

Exchange Logical Topology

There are four components to the logical topology of Microsoft Exchange:
Organization, Administrative Groups, Servers, and Recipients. These 4
components are very similar to the logical components of Active
Directory.

The Exchange Organization is synonymous with the Active Directory Forest.
Only 1 Exchange Organization can exist within the Active Directory
Forest. All the other logical components fall under the Organization.
When the first Exchange Server is created in the forest, a utility
called FOREST PREP is run that prepares the Active Directory Forest to
integrate Microsoft Exchange. This utility also configures the Exchange
Organization at the same time.

The USMC default name for the Organization is ORGANIZATION. Here is a
screenshot of the comm school domain’s Exchange Organization.

The garrison email servers for both NIPR and SIPR under NMCI and the
replacement NGEN are all part of the same organization. This enables
users to keep the same mailbox their entire time in the Marine Corps.
As the user moves around the Marine Corps Organization, his mailbox is
transferred to the closest Exchange server.

Most deployed Marine Corps networks are separate organizations, such as
the networks in Iraq and Afghanistan. This makes it harder to move
mailboxes. Often deployed users will see two mailboxes and email
addresses in the GAL – one for their garrison email, and one for their
deployed email address. This can be frustrating to some users who are
used to just having one address.

Administrative Groups

Administrative Groups in Exchange are similar to domains and
Organizational Units. They are primarily used to group servers, email
policies, route groups, and public folder trees for the delegation of

There are 3 models of administering Exchange – centralized,
decentralized, and mixed.

 Centralized Administration – only 1 administrative group is used
and permissions and access to the Exchange Servers are tightly
controlled. Even if servers are in multiple physical locations they
are still in the same administrative group.
 Decentralized Administration – Administrative groups are divided
into separate physical locations and permissions and access are
administered locally instead of from a centralized location.
 Mixed – a combination of decentralized and centralized

The Marine Corps uses the mixed administration method to run the Exchange
Organizations. Higher level permissions like modifying the organization
and adding servers are kept centralized, while backups, maintenance, and
all of the daily tasks are decentralized and run by data administrators
at each site.

Furthermore, individual administrator access is now based on Microsoft’s
concept of Role-Based Access Control (RBAC). In previous versions of
Exchange, user accounts were added to security groups that provided wide
access to all Exchange physical and logical settings. However, not all
of your Marines will need privileges to every aspect of Exchange. In
Exchange 2010, RBAC gives you the granularity to delegate specific
permissions to your Marines. During Exchange setup, (11) management role
groups are pre-installed in order to provide you the flexibility to
assign messaging permissions as needed. Below is a screenshot of the
(11) different groups:


Microsoft Exchange servers support a wide range of client access
protocols – MAPI, IMAP, POP3, NNTP, HTTPS, etc. The protocols supported
can be configured on each server. The support for these protocols is
installed when the user installs IIS. Many protocols are turned off by
administrators for security purposes.

There are 3 core components to an Exchange Server:

 Information Store
 Routing Engine
 System Attendant

The Information Store is a collection of databases: the mailbox store
and the public folder store. Incoming mail is received from the routing
engine and stored in the appropriate mailbox or mailboxes. Outgoing mail
is delivered from the information store to the routing engine for routing
to its destination. The Information Store notifies clients when email
arrives, and interfaces with Active Directory to resolve email addresses
before the email is sent.

The information store is the most important store to back up, because
if the store is lost, all of the mailboxes for the users on the server
will be lost. Ensure that your Marines are backing up the information
stores regularly. Accidentally deleted emails take a lot of
administrator time to recover.

Here is a screenshot of the mailbox store:

You can also see the public folder tree in the MMC on the left. The
Exchange administrator controls who has read, write, and edit permissions
for the public folders.

The Routing Engine in the Exchange server has 2 functions. It routes
messages to other Exchange servers in the organization and it routes
messages to external email servers as appropriate using SMTP connectors.
Here is a screenshot of the routing engine on the Exchange server on the
Comm School network.

The third component of an Exchange Server is the System attendant. The
system attendant has several functions in Exchange including building
routing tables for the routing engine to execute. It also generates
addresses for emails sent outside the organization, is used to enable
and disable digital signatures, and logs all errors. The system attendant
is the first service started on an Exchange Server and the last one to
shut down before a reboot. If the system attendant function is not
running, the exchange server will not send, route, receive, or process


Recipients in the Exchange Organization are individual mailboxes created
through Active Directory. Distribution groups are lists of email
addresses (for example, all of CG 1) that are created and managed
through Active Directory. If the group is selected, emails will be sent
to all members of the group. Group or billet mailboxes can also be
created that are not associated with a specific user, such as COC WATCH
OFFICER, I MEF SYSCON WATCH OFFICER, etc. Individual users are then
granted permission to log into the group mailboxes and send on behalf
of the billet mailbox.

Individual public folders are also considered recipients in Exchange.
Administrators control the user’s access to the public folders through
Active Directory.

Automated Message Handling System

So far we have discussed the basic logical structure of Microsoft
Exchange, which is the primary way we send digital message traffic
between units. However, official military messaging traffic is not sent
via typical Exchange architectures. In fact, the DoD employs a messaging
system that is separate from your typical Exchange email access. The
Automated Message Handling System (AMHS) was adopted by the Marine Corps
in November 2007 and is the official messaging system consisting of
government and commercial-off-the-shelf (COTS) software and hardware
used to prepare, submit, transport, deliver, store and retrieve
organizational messages (releasing messages [MARADMINS], equipment
taskers, feasibility of support, etc). AMHS was developed to replace
the legacy equipment and messaging centers that comprised the Automatic
Digital Network (AUTODIN) and the Defense Messaging System (DMS).
Overall, AMHS can be used on both unclassified-but-sensitive (NIPRNET)
and secret (SIPRNET) networks.

As a Communications Officer and primary staff officer, it is important
that you get an AMHS account in order to receive official message traffic
for your unit rather than relying on other sections in your unit, namely
the S-3, to provide you the information after the fact.


This class covered the logical organization of Microsoft Exchange and
how it is tied into Active Directory. In our ever increasing net-centric
world, email has become an essential part of the Marine Corps’ command
and control process that your commander expects you to be able to
provide him.

4 APR 2013


1. Without the aid of reference, identify the four software
installations required to enable Microsoft Exchange services within
Packet Switching Networks (PSNs), per the Microsoft Exchange Server 2010
Resource Kit. (0602-PLAN-1105is)

2. Without the aid of reference, identify the actions required to
prepare Active Directory for the installation of Microsoft Exchange, per
the Microsoft Exchange Server 2010 Resource Kit. (0602-PLAN-1105it)

3. Without the aid of reference, create a name for a Microsoft Exchange
Server, in accordance with MCWP 3-40.3, MAGTF Communication Systems.

4. Without the aid of reference, state the purpose of the Mailbox role,
per the Microsoft Exchange Server 2010 Resource Kit. (0602-PLAN-1105ka)

5. Without the aid of reference, state the purpose of the Client Access
role, per the Microsoft Exchange Server 2010 Resource Kit. (0602-PLAN-

6. Without the aid of reference, state the purpose of the Edge
Transport role, per the Microsoft Exchange Server 2010 Resource Kit.

7. Without the aid of reference, state the purpose of the Hub Transport
role, per the Microsoft Exchange Server 2010 Resource Kit. (0602-PLAN-


The Exchange Organization is comprised of all of the servers, mailboxes,
and recipients in an Active Directory Forest. The organization is a
logical structure that is used for the management and administrative
control of Exchange. This lesson covers the physical placement and roles
of the Exchange servers in the organization to accomplish the mission in
an efficient and effective manner.

Requirements for Exchange

An Exchange server runs on a Windows Server Operating System. When this
server is created, it is not added to Active Directory and plays no
Domain Controller roles. Microsoft Exchange is just an application that
rides on the Windows Server OS. Internet Information Services (IIS) must
be installed and running on the server before Exchange is installed.
After Exchange has completed installation, McAfee Host Based Security
System (HBSS) should be installed and turned on to protect the
Information Store on the server from malicious content embedded in

In summary, the four requirements for an Exchange server are:

• Windows Server 2008 R2 NOS (not a Domain Controller; w/ ADDS)
• Internet Information Services (IIS)
• Exchange 2010
• An E-Mail Security Solution (e.g., McAfee HBSS)

Pre-Exchange Installation Requirements

Several key requirements need to be addressed in your Active Directory
infrastructure before you can install Exchange 2010 and utilize the
capability and services it will provide your network. You need to ensure
that you have prepped both the entire AD Forest and each AD Domain for
the installation of Exchange. Since Active Directory does not require
Exchange to be present for you to use its directory service, AD does not
initially modify its Schema to work with Exchange. Thus, you need to
execute Exchange's /PrepareSchema utility once per AD Forest. Most Marine
Corps networks you fall in on will have already done this at the
Enterprise level (Comm Bn, MEF G-6, etc.). Running this utility on an AD
Forest writes Exchange attributes to the AD Schema in order to provide
the users and administrators messaging functionality.

The second utility that needs to be run is /PrepareDomain. This utility
needs to be run once per domain in the forest in order to ensure that
Exchange has been fully integrated with AD. Running this utility is the
more common case, since it is more likely that you will be establishing
your own domain vice an entire forest when you deploy. In our MEB
example, the MEB would run /PrepareSchema and /PrepareDomain in the
2MEB.USMC.MIL Forest and Domain. The RCT, ACE, and CLR will all have to
run /PrepareDomain for their individual domains before they can add
Exchange Servers to their domains as well.
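The preparation sequence described above, written out as an added PowerShell example (this is not from the handout or from Microsoft's documentation). It assumes it is run from the Exchange 2010 installation media root by an account that is a Schema Admin and Enterprise Admin, and that the organization name is a placeholder. The checks look for objects that /PrepareSchema, /PrepareAD and /PrepareDomain create in Active Directory, so re-running the script in a forest or domain that is already prepared skips the steps that are done. /PrepareAD is a real Exchange 2010 setup step that the handout does not mention; it creates the Exchange organization in the configuration partition between the schema and domain steps.

```powershell
# Added example, not the handout's own procedure. Placeholders:
$OrganizationName = 'EXAMPLE-ORG-NAME'   # placeholder, not a Marine Corps value

function Get-RootDse {
    # RootDSE exposes the naming contexts of the forest we are logged on to
    [ADSI]'LDAP://RootDSE'
}

function Test-ExchangeSchemaPrepared {
    # /PrepareSchema adds Exchange classes and attributes to the forest schema;
    # ms-Exch-Schema-Version-Pt exists only after it has run.
    $schemaNc = (Get-RootDse).schemaNamingContext
    [ADSI]::Exists("LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNc")
}

function Test-ExchangeOrganizationPrepared {
    # /PrepareAD creates the Exchange organization container under
    # CN=Services in the configuration partition (once per forest).
    $configNc = (Get-RootDse).configurationNamingContext
    [ADSI]::Exists("LDAP://CN=Microsoft Exchange,CN=Services,$configNc")
}

function Test-ExchangeDomainPrepared {
    # /PrepareDomain creates the 'Microsoft Exchange System Objects' container
    # in each domain; its presence shows this domain has been prepared.
    $domainNc = (Get-RootDse).defaultNamingContext
    [ADSI]::Exists("LDAP://CN=Microsoft Exchange System Objects,$domainNc")
}

function Invoke-ExchangeSetupStep {
    param([string[]]$Arguments)
    # Setup.com is the Exchange 2010 command-line installer on the media root
    & .\Setup.com $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "Setup.com $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Once per forest: extend the schema, then create the Exchange organization.
if (-not (Test-ExchangeSchemaPrepared)) {
    Invoke-ExchangeSetupStep '/PrepareSchema'
} else {
    Write-Host 'Forest schema already carries Exchange attributes; skipping /PrepareSchema.'
}
if (-not (Test-ExchangeOrganizationPrepared)) {
    Invoke-ExchangeSetupStep '/PrepareAD', "/OrganizationName:$OrganizationName"
} else {
    Write-Host 'Exchange organization already exists; skipping /PrepareAD.'
}

# Once per domain: the RCT, ACE and CLR each run this in their own domain.
if (-not (Test-ExchangeDomainPrepared)) {
    Invoke-ExchangeSetupStep '/PrepareDomain'
} else {
    Write-Host 'Domain already prepared for Exchange; skipping /PrepareDomain.'
}
```

Schema changes replicate from the Schema Master to every domain controller in the forest, so after /PrepareSchema allow time for replication before running /PrepareDomain in a child domain, or the domain step will fail to find the new attributes.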

Exchange Server Naming Standards

Exchange Servers follow the same naming convention as domain controllers
and admin servers, but they use the letter E to denote the fact that
they are Exchange Servers.

• Naming Standards:
– NIPR Designator – NameN01E
– SIPR Designator – NameS01E

Let’s look at an Active Directory diagram that has Exchange 2010 added
to it and examine naming standards used.
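As an added example (not part of the handout), the two functions below build a name from the NameN01E / NameS01E convention and decode or reject an existing name against it. The sample names at the end are constructed for illustration; '2MEB01E', the abbreviated form used in the diagram later in this lesson, is deliberately included to show that a name without the N or S enclave designator fails the check.

```powershell
# Added example: Exchange server naming standard (Name + N|S + two digits + E)

function New-ExchangeServerName {
    param(
        [Parameter(Mandatory=$true)][string]$Unit,                          # e.g. 2MEB
        [Parameter(Mandatory=$true)][ValidateSet('NIPR','SIPR')][string]$Enclave,
        [Parameter(Mandatory=$true)][ValidateRange(1,99)][int]$Sequence
    )
    $designator = if ($Enclave -eq 'NIPR') { 'N' } else { 'S' }
    # Unit name, enclave letter, two-digit sequence number, E for Exchange
    '{0}{1}{2:D2}E' -f $Unit.ToUpper(), $designator, $Sequence
}

function Test-ExchangeServerName {
    param([Parameter(Mandatory=$true)][string]$Name)
    $result = New-Object PSObject -Property @{
        Name = $Name; Compliant = $false; Unit = $null; Enclave = $null; Sequence = $null
    }
    # Unit portion, one enclave letter (N or S), exactly two digits, trailing E
    if ($Name -match '^(?<unit>[A-Z0-9]+)(?<enc>[NS])(?<seq>\d{2})E$') {
        $result.Compliant = $true
        $result.Unit      = $Matches['unit'].ToUpper()
        $result.Sequence  = [int]$Matches['seq']
        if ($Matches['enc'] -ieq 'N') { $result.Enclave = 'NIPR' } else { $result.Enclave = 'SIPR' }
    }
    $result
}

New-ExchangeServerName -Unit '2MEB' -Enclave NIPR -Sequence 1   # 2MEBN01E
New-ExchangeServerName -Unit 'RCT7' -Enclave SIPR -Sequence 3   # RCT7S03E

# Constructed inventory check: the last two names lack the enclave designator
'2MEBN01E', '2MEBS01E', '2MEB01E', 'MAILSRV' |
    ForEach-Object { Test-ExchangeServerName -Name $_ } |
    Format-Table Name, Compliant, Unit, Enclave, Sequence -AutoSize
```

Run against the output of Get-ADComputer in the servers OU, the same check flags any Exchange server whose name an administrator at the Regiment, Division or MEF level could not place by enclave and unit.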

Mailbox Role

The Microsoft Exchange Server 2010 Mailbox server role hosts mailbox
databases and provides e-mail storage and advanced scheduling services
for Microsoft Office Outlook users. The Mailbox server role can also
host a public folder database, which provides a foundation for workflow,
document sharing, and other forms of collaboration. Servers on which the
Mailbox server role is installed are called "Mailbox servers". This role
will be one of the most common roles you have present in your Exchange
architecture because it is what will physically hold all of your users'
emails. At a minimum, you should plan to have at least one (1) Mailbox
server per AD site.

Public Folders

Public folders are generally used for the following purposes:

• Shared communication. For example, public folders can be used for
discussions through message posts, shared e-mail messages,
contacts, group calendars, and archiving of distribution list

• Shared content management. Similar to file shares, public folders
can be used to store content, such as documentation. Public folders
are also helpful for sharing content if you do not require

• Repository purposes. If you require offline storage of information
or replicated storage of information, public folders are an ideal

However, public folders were not designed for the following functions:

• Archiving data. Users who have mailbox limits sometimes use public
folders, instead of personal folder (.pst) files, to archive data.
We do not recommend this practice because it increases storage on
public folder servers and undermines the goal of mailbox limits.

• Document sharing and collaboration. Public folders do not provide
versioning or other document management features, such as
controlled check-in and check-out functionality and automatic
notification of content changes.

If your users want to archive their emails, recommend that they establish
a .PST file on their local machine and routinely back it up to an
external hard drive. Your users could also create the .PST file directly
on their hard drive; however, if they forget to bring their hard drive
back to work after taking it home they will not have access to their
archived

Finally, if your users want a way to enhance document sharing,
collaboration, and control, either assist the S-3's Information
Management Officer in developing an information management policy and
use your network's share drive, or install and configure a Microsoft
SharePoint server. SharePoint was explicitly designed to be integrated
with the entire Microsoft Office suite of products and to provide
enhanced levels of document sharing and version control.

Client Access Role

The Client Access server role supports the Microsoft Outlook Web Access,
Outlook Anywhere, Microsoft Entourage 2004 and Entourage 2008 for Mac,
and Microsoft Exchange ActiveSync client applications, in addition to
the Post Office Protocol version 3 (POP3) and Internet Message Access
Protocol version 4rev1 (IMAP4) protocols. The Client Access server role
also hosts several key services, such as the Autodiscover service and
Exchange Web Services.

You must have the Client Access server role installed in every Active
Directory site within your organization that contains an Exchange 2010
server that has the Mailbox server role installed. If your organization
has only one Active Directory site, the Client Access server role must
be installed on at least one computer within your Exchange organization.

In Exchange 2010, the Client Access server role was designed specifically
to optimize the performance of the Mailbox server role by handling much
of the processing that previously occurred on back-end servers in older
versions of Microsoft Exchange. Business logic processes, such as
Exchange ActiveSync mailbox policies and Outlook Web Access segmentation,
are now performed on the Client Access server instead of the Mailbox
server. Because the Mailbox server role relies on the Client Access
server role to handle incoming client connections, each Active Directory
site that has a Mailbox server must also have a Client Access server.
Both roles can run on one physical computer. If you have multiple Active
Directory sites and want a single external URL for Outlook Web Access or
Exchange ActiveSync, you must configure your Client Access servers for
proxying.

Edge Transport Role

Exchange Servers running the Edge Transport role connect the Exchange
Organization to the NIPR or SIPR cloud via an SMTP connector. Edge
Transport servers commonly have no mailbox store; their primary use is
strictly email routing into and out of the organization. The Exchange
Server running the Edge Transport role is the only server that is
visible to the world and external organizations, and it serves as an
additional layer of protection for our data networks. The Edge
Transport role in the Marine Corps is commonly associated with Exchange
Servers connected to STEP entries in deployed networks.

For the MEB Exchange Organization, this is how the Edge Transport role
would be utilized.

2MEB01E is the only Exchange Server running the Edge Transport role in
the MEB. All email traffic to the NIPR cloud is forwarded via SMTP from
the other Exchange Servers to 01E, which sends the traffic out to the
cloud. The firewall is configured to allow Port 25 and Port 443 traffic
inbound and outbound from 2MEB01E. In the master DNS server for the
Marine Corps, DNS 1, DNS alias (CNAME) and Mail Exchanger (MX) records
for 2MEB, GCEFWD, ACEFWD, and LCEFWD are all entered with the IP address
of the MEB's Edge Transport server. Inbound email to any of the domains
is routed to the Edge Transport server first through the firewall and
then sent to the appropriate Exchange Server. The backside Exchange
Organization is kept hidden from anyone external to the firewall to
protect the network.

The benefits of using the Edge Transport role on Exchange Servers are:

• More secure network: the only Exchange server advertised publicly
is the front end server.

• Simplifies DNS entries (just 1 IP address)

• Simplifies ACLs on the screening router and at the firewall
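The DNS side of the MEB design above, as an added example that is not from the handout: one host (A) record for the Edge Transport server and one MX record per domain, every MX pointing at that single host, which is the "just 1 IP address" simplification the lesson describes. It uses dnscmd.exe, the DNS command-line tool shipped with Windows Server 2008 R2. The server name, zone names, host name and IP address are all assumed placeholders (the 192.0.2.0/24 range is reserved for documentation), and the zone layout of GCEFWD, ACEFWD and LCEFWD under the MEB domain is assumed, not taken from the handout.

```powershell
# Added example: DNS records for an Edge Transport server (placeholders throughout)
$DnsServer   = 'DNS1'                      # placeholder for the master DNS server
$EdgeHost    = '2mebn01e.2meb.usmc.mil'    # assumed FQDN of the Edge Transport server
$EdgeAddress = '192.0.2.25'                # placeholder address (documentation range)

# Domains whose inbound mail must reach the Edge Transport server first
$MailDomains = '2meb.usmc.mil', 'gcefwd.usmc.mil', 'acefwd.usmc.mil', 'lcefwd.usmc.mil'

# Host record for the edge server itself, in its own zone
& dnscmd $DnsServer /RecordAdd '2meb.usmc.mil' '2mebn01e' A $EdgeAddress

# One MX record at the apex ('@') of each zone, preference 10, all naming the
# same host. The trailing dot marks the target as a fully qualified name.
foreach ($zone in $MailDomains) {
    & dnscmd $DnsServer /RecordAdd $zone '@' MX 10 "$EdgeHost."
}

# Verification from any domain member: each domain's MX should answer with the
# edge host, and the edge host should resolve to the published address.
foreach ($zone in $MailDomains) {
    nslookup -type=MX $zone $DnsServer
}
nslookup $EdgeHost $DnsServer
```

Because every MX names the same host, the firewall rule set only needs SMTP (TCP 25) and HTTPS (TCP 443) opened to one address, which is the ACL simplification listed above; the internal Hub Transport and Mailbox servers never need a public record.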

Hub Transport Role

The Hub Transport server role is a required role in a Microsoft
Exchange Server 2010 organization that provides routing within a single
organizational network by using the Active Directory site. Deployed
inside the Active Directory forest, servers that have the Hub Transport
server role installed handle all mail flow inside the organization,
apply transport rules, and deliver messages to recipients' mailboxes.
Messages that are sent to the Internet are relayed by the Hub Transport
server to the Edge Transport server role that is deployed in the
perimeter network. Messages that are received from the Internet are
processed by the Edge Transport server before they are relayed to the
Hub Transport server. The Hub Transport server role stores all its
configuration information in Active Directory.

Exchange Servers running the Hub Transport role can also be configured
to run the Client Access and Mailbox roles; however, for larger networks
with multiple AD sites and Exchange servers, Microsoft's best practice
is to not put the Mailbox role on an Exchange Server running the Hub
Transport role. Nonetheless, in the Marine Corps there are never enough
servers to go around, so this practice is not always followed. You
should plan on having the Hub Transport role running on at least one
Exchange Server per AD site.

Exchange Planning Guidance

The number of Exchange servers per AD site depends upon user requirements
and mailbox size. The physical limitation per server is typically
dependent on the hard drive space with respect to how large the mailbox
sizes are. If an exchange server’s mailbox fills up, it stops routing
emails and generally causes you to have a bad day.

Once your basic Exchange architecture is designed, it is easy to add
another Exchange server and move mailboxes from an existing server to
the new one. This process, if done correctly, is transparent to the user.
The MEF at Camp Fallujah kept a spare Exchange server online with no
mailbox stores per enclave so that mailbox stores from an existing server
could be immediately transferred if a problem developed with online
Exchange servers. The spare Exchange server was also used for testing
patches, updates, and service packs before they were applied to the
production Exchange servers.

With the advent of virtual servers, the main advantage for Exchange is
that mailbox stores can be mounted on a filer rather than a server. The
most common practice is to use the processor and RAM of a normal server
but mount the mailboxes on the filer. If the stand-alone server fails,
the mailboxes can be transferred to another server in seconds. Since
modern filers have over a terabyte of storage, this negates the mailbox
store problem that physical servers have.

Solarwinds and other network monitoring software can help you keep track
of hard drive, processor, and RAM utilization on your server
architecture. Do not exceed 80% hard drive utilization if you can help
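The 80% rule above is simple to check without a monitoring product. The following is an added example, not from the handout: it queries every fixed disk on a list of Exchange servers over WMI and flags volumes above the threshold, and, when run from the Exchange Management Shell, also lists each mailbox database and its size so a growing database can be matched to the volume it lives on. The server names are constructed placeholders.

```powershell
# Added example: disk utilization check against the 80% planning rule
$Servers   = '2MEBN03E', '2MEBN04E'   # constructed placeholder names
$Threshold = 80

function Get-DiskUtilization {
    param([string[]]$ComputerName, [int]$WarnPercent = 80)
    foreach ($computer in $ComputerName) {
        # DriveType 3 = local fixed disk; network and removable drives are skipped
        Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' -ComputerName $computer |
            ForEach-Object {
                if (-not $_.Size) { return }   # skip an unformatted or offline volume
                $usedPercent = [math]::Round(100 * ($_.Size - $_.FreeSpace) / $_.Size, 1)
                New-Object PSObject -Property @{
                    Server        = $computer
                    Drive         = $_.DeviceID
                    SizeGB        = [math]::Round($_.Size / 1GB, 1)
                    FreeGB        = [math]::Round($_.FreeSpace / 1GB, 1)
                    UsedPercent   = $usedPercent
                    OverThreshold = ($usedPercent -gt $WarnPercent)
                }
            }
    }
}

Get-DiskUtilization -ComputerName $Servers -WarnPercent $Threshold |
    Sort-Object UsedPercent -Descending |
    Format-Table Server, Drive, SizeGB, FreeGB, UsedPercent, OverThreshold -AutoSize

# Only available inside the Exchange Management Shell: database sizes and the
# path of each .edb file, so a full volume can be traced to its database.
if (Get-Command Get-MailboxDatabase -ErrorAction SilentlyContinue) {
    Get-MailboxDatabase -Status |
        Select-Object Name, Server, DatabaseSize, EdbFilePath |
        Format-Table -AutoSize
}
```

Scheduling this as a daily task that emails the rows where OverThreshold is true gives the same early warning the lesson credits to Solarwinds, and the FreeGB column tells you whether moving a mailbox database to the spare server or the filer will actually bring the volume back under the limit.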

Server Employment TTPs

• For larger sites, use more than 1 Exchange server for redundancy

• Mailboxes can easily be moved from one mailbox store to another.

• Camp Fallujah had approx. 6 Exchange servers

– 01E – Edge Transport Server
– 03E – Hub Transport & Mailbox roles
– 04E, 05E, 06E – Mailbox & Client Access roles
– EX – test server and emergency backup

• 1 Exchange server per enclave is big enough for an Infantry Bn.

For the smaller units like CLBs and Infantry battalions, you can run
your own domains and Exchange organizations during exercises like Mojave
Viper. Just submit your Active Directory Diagrams along with your Layer
3 and 2 architecture in your accreditation package.

If you are running your own Exchange Organization, you need to ensure
that after your accreditation package has been approved that:

• The Base Firewall has entries in it for your Exchange server to
allow inbound and outbound SMTP traffic
• The Base DNS Server has your A and MX record for your exchange
• The MCNOSC put A and MX records in DNS 1.

Once these steps have been completed, you will be able to send and
receive emails from the cloud.

Exchange and Active Directory

Now that we have learned about Microsoft Exchange, the servers are added
to the Active Directory Diagram that we learned about in the previous
set of classes. A complete Active Directory Diagram has all of the
servers and their roles in the networks featured on it.

15 APR 2012


1. Without the aid of reference, state the two purposes for creating
Organizational Units (OUs) within Microsoft Active Directory (AD), per
the MCSE Guide to Designing a Microsoft Windows Server 2003 Active
Directory and Network Infrastructure, Chapter 2, Page 119-121. (0602-

2. Without the aid of reference, define Group Policy, per the MCSE
Guide to Designing a Microsoft Windows Server 2003 Active Directory
and Network Infrastructure, Chapter 2, Page 122-123. (0602-PLAN-

3. Without the aid of reference, state the differences between
Security Groups and Group Policies within Microsoft Active Directory
(AD), per the MCSE Guide to Designing a Microsoft Windows Server 2003
Active Directory and Network Infrastructure, Chapter 2, Page 122-123,
and the MCSE Self-Paced Training Kit (Exam 70-297): Designing a
Microsoft Windows Server 2003 Active Directory and Network
Infrastructure, Chapter 4, Page 4-26 - 4-30. (0602-PLAN-1105je)

4. Without the aid of reference, describe the principles of
Inheritance as they apply to Group Policy within Microsoft Active
Directory (AD), per the MCSE Self-Paced Training Kit (Exam 70-297):
Designing a Microsoft Windows Server 2003 Active Directory and Network
Infrastructure, Chapter 4, Page 4-35 - 4-37. (0602-PLAN-1105jf)

5. Without the aid of reference, state the purpose for standardizing
user and computer accounts within Microsoft Active Directory (AD), per
the MCSE Guide to Designing a Microsoft Windows Server 2003 Active
Directory and Network Infrastructure, Chapter 4, Page 222-227, and the
MCSE Self-Paced Training Kit (Exam 70-297): Designing a Microsoft
Windows Server 2003 Active Directory and Network Infrastructure,
Chapter 4, Page 4-21 - 4-31. (0602-PLAN-1105jg)

6. Without the aid of reference, state the differences between Service
and Administrative Permissions and Roles within Microsoft Active
Directory (AD), per the MCSE Self-Paced Training Kit (Exam 70-297):
Designing a Microsoft Windows Server 2003 Active Directory and Network
Infrastructure, Chapter 4, Page 4-1 - 4-50. (0602-PLAN-1105jh)

7. Given a scenario, command's mission, approved course of action, task
organization, table of equipment, higher headquarters Annex K and
communication concept of support, apply Group Policy and Inheritance
principles to develop an Organizational Unit (OU) structure for a
Domain with Microsoft Active Directory (AD), within a timeline
provided by the commander which satisfies the commander's
communications system requirements for command and control, per MCRP
3-40.3C. (0602-PLAN-1106bs)


The previous classes have examined services and server planning in
depth. Active Directory and Exchange best practices and planning
considerations have been covered in class and during several planning
exercises. However, we have not discussed one major vulnerability in
Marine Corps Networks, that of user and administrator permissions. No
matter how detailed your Active Directory design is, it can easily be
brought down by mismanagement of system access and permissions. A
careful balance must be struck between permissions, access, and
control in an Active Directory Infrastructure. Permissions must be
closely contained and monitored to prevent problems and mistakes from
affecting the entire infrastructure. Understanding how permissions in
Active Directory work is critical to the data planner. An effectively
designed permissions structure will give the Marines permissions
commensurate with their jobs and experience levels. If a permissions
structure is too tightly controlled, a few trusted Marines with
permissions will be overworked, and if permissions are freely given
out, then the Active Directory infrastructure is vulnerable to
accidental changes and mistakes.

Organizational Units

The key to understanding permissions and control in Active Directory
is to understand the role that Organizational Units play in the
architecture. Many people unfamiliar with Active Directory believe
that the domain level is the most important level of permissions for
administration. This belief is incorrect. Permissions can be
assigned and managed at the organizational unit level. Marines can be
given full control over everything that happens inside their OU.
There is no need for the majority of administrators on the network to
have permissions above the OU level.

Remember that OUs can contain the following objects in Active

– Users
– Computers
– Groups
– Printers
– Applications
– Security Policies
– Shared Folders
– Other OUs

There are two purposes for creating Organizational Units:

1) To delegate administrative control of objects below the domain
level. This allows the owner of the OU to create and manage
all of the objects inside the OU without affecting the domain
structure and higher level functions and roles inside Active

2) To control and manage Group Policy. Group Policy in Active
Directory provides a centralized method for controlling what
users can and cannot do on their own individual computers.
Group policy settings can be defined for both users and
computers inside Active Directory.

Both of the purposes for OU creation are very important and are often
used together. For example, if a regiment is running its own Domain,
Cyber Marines at the battalion level will be given their own OU to
control. They will be able to manage all of the users and computers
in the battalion from inside the OU. They will be able to reset
passwords, create new accounts, map printers, build mailboxes in
Exchange and perform other functions. They will also be able to use
Group Policy in the OU to limit the permissions of the users, such as
blocking the command prompt, preventing users from installing programs,
and preventing them from changing settings in Internet Explorer.

If your Marines are not running a domain, and you are part of another
unit’s domain, you will often be given your own OU to manage. As long
as your Marines have ownership of the OU they will be able to manage
all of your users’ service requirements and needs.

Here is an example OU structure for 3/5:

In this OU structure, the 3/5 Cyber Marines were given full control of
the 3/5 OU. To further manage users and group policy, the Marines
created sub-OUs for each company and staff section. Inside each
company OU, 3 child OUs were created to hold the users, computers, and
C2 systems for each company. Group Policy settings were then applied
to the users and computers for each company. The reason for having
separate company OUs is that each company may have separate user
requirements that can be addressed through Group Policy.

This OU grouping is just an example of how to manage and control
objects in Active Directory. One could also get by with just 1 giant
OU; however, that would make managing the different companies and user
requirements very difficult. The ultimate OU structure is up to you
and your Cyber Marines. Remember that simpler is better but that some
level of organization and user control will benefit you in the long
run. It can be very difficult to search through an OU with 200
different objects to troubleshoot a user's printer access permissions.

Microsoft recommends two different types of OU structures for
organizing objects:

• Administrative Function
• Object Type

For administrative function, objects in the OU are organized according
to their hierarchical role. For an infantry battalion, it may be
separate OUs for each company. For a civilian company, each
department like shipping, manufacturing, engineering, and testing
would be given its own OU. Here is an example of the administrative
function OU structure:

The other type of OU organization is by object type. This structure
is completely different from the administrative model. In this
structure all users are grouped together, all computers are grouped
together, and so on with all like objects. An example of this
structure follows on the next page.

The benefits for the object type OU structure are seen by the regiment
because they can specify overall group policy settings for the top
level user, computer, and C2 system OU. There is now more
administrative overhead by regiment as well because battalion level
cyber permissions are not assigned to 1 OU, they are assigned to each
type – there will be one OU for 3/5 computers, another one for 3/5
users etc. This can be rather complex to manage at the regimental

Oftentimes in the Marine Corps, you will see the administrative model
run by the higher level organizations and then either object type or
administrative type run by the battalions. Sometimes a battalion may
only have 3 OUs – computers, users, and printers – inside its top level
A good network planner will discuss and plan a solid OU structure
before adding users and computers. Once users and computers are in
the domain, moving OUs can be very complex and time consuming.
Therefore the OU structure needs to be thoroughly planned out ahead of
time, especially if you are just running an OU inside of a higher
level domain.

Object Standards

Now that you have planned out your OU architecture, you must build
computer and user accounts for all of your computers and users in the
battalion. Because an Active Directory domain is one logical
structure, every user, printer, and computer name must be unique.
However, this is not license for creativity. How hard do you think it
would be to locate a computer named MIKESCOMPUTER on a network with
over 250 computers? How about 3BN5MARXO? The 3/5 XO’s computer is
much easier to locate and find. If MIKESCOMPUTER had a virus, it
could affect many more computers before it is isolated and removed
from the network compared to the 3BN5MARXO computer.

Marine Corps defaults for user names are usually either:
– Firstname.lastname – Joe.Smith
– Lastname first initial middle initial – SmithJS

Computer naming standards vary depending upon unit, Forest, and Domain
level SOPs. Computers are usually unit and billet specific such as
the following examples:

• 3bn5marS6
• rctcoc1
• Rctcurrentops1

The rule of thumb is that the computer needs to be able to be quickly
identified by administrators throughout the domain. It is not enough
for your Marines to know what computer goes where; it needs to be
apparent to administrators at the Regimental, Division, and MEF level
as well. This is critical for the security of the network as a whole.
All of your user, printer, and computer names need to be transparent
to everyone else in the domain. If they are not, do not be surprised if
your computer and user accounts are deleted by higher level

Group Policy

Understanding Group Policy and how to apply it to objects in Active
Directory can save your Marines a lot of time and effort. There are
many computer and user settings that can be specified using Group
Policy and pushed to every computer in the network rather than going
to each computer individually. Examples of this include changing the
administrator password on each computer or specifying the location of
the sharedrives.

Group Policy provides a centralized method for modifying user and
computer environments to predetermined settings. Group Policy is not,
however, related to security groups. Remember that security groups
give permissions to functions and services within Active Directory,
like folders on a share drive and access to domain controllers. Group
Policy, on the other hand, controls what users can and cannot do on
their own computers. For example, administrators may block the
command prompt or lock the Start menu down. Administrators can also
block USB access or preconfigure and lock down Internet Explorer
options for the user as well.

Here is a screenshot of some of the many options available to you as a
network planner and your Marines to manage the network:

Group Policy is used to deploy and update software to client computers,
configure and enforce Windows Security Settings, and restrict local
access for users to prevent them from installing programs or USB
drives. There are over 1000 separate Group Policy options for
administrators to

Group Policy is underutilized in the Marine Corps. Proper understanding
and use of Group Policy will save your Marines time and effort because
it is much easier to push an update out to 200 computers from a central
location rather than going to each of the 200 computers individually.
Now that we have gained a basic understanding of what Group Policy is
and what administrators can do with it, we will examine how it is
applied.

Group Policies and Inheritance

Group Policy can be linked to domains, sites, and OUs. Group Policy
does not apply at the forest level and to other domains in the forest,
only within a domain. The Marine Corps often manages group policy at
the domain and OU levels. Group Policy settings are inherited from the
top down. So a computer in an OU may have group policies applied at
both the domain and OU level. Child OUs inherit the group policy of
the parent OU. Group Policy inheritance can be blocked by experienced
administrators but is not commonly done.

Here is a diagram of how group policy may be managed for a domain and
some child OUs:

In this diagram you can see that the Regiment has specified a domain
level Group Policy that is shown in green. The regiment has created a
logon banner, locked down Internet Explorer and pushed a general
security template to lock down computers and users in the domain in
accordance with the MCNOSC security templates. At 3/5 the
administrators have added further restrictions to remove the command
line and specify share drive access for all of the users and computers
in the OU. You can see that the 3/5 OU inherits the green domain
level policies. For the user and computer OUs for I Company, you can
see the separate restrictions that the 3/5 administrators have applied
to the computers and users including locking down some programs,
disabling USB functions, and specifying the local administrator
password for the computers. The I Co child OUs have three levels of
group policy applied to them – local OU, parent OU, and domain level.
Here is a screenshot from Active Directory showing how the Group
Policies are applied to an OU:

You can see that there is the default domain policy and then an
additional GPO for the specific OU applied. If additional Group
Policies were created and applied to the OU, they would show up here.
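To make the three-level inheritance in the diagram concrete, here is an added PowerShell model (not from the handout and not a Microsoft tool) that resolves which settings a computer in the I Co Computers OU ends up with. Containers are written as a backslash-separated OU path under the domain, with '' standing for the domain itself. The GPO names, the share path and the setting values are constructed from the diagram's description; the Enforced link option and Block inheritance are real Group Policy Management Console options that the handout only mentions in passing, and the example labels them where they appear.

```powershell
# Added example: a model of Group Policy inheritance for the 3/5 diagram.
# Each entry is one GPO link: the container it is linked to, the GPO name,
# whether the link is Enforced, and the settings that GPO configures.
$Links = @(
    @{ Container = '';                   Gpo = 'RCT Default Domain Policy'; Enforced = $false
       Settings  = @{ LogonBanner = 'Enabled'; IELockdown = 'Enabled'; SecurityTemplate = 'MCNOSC' } }
    @{ Container = '3-5';                Gpo = '3/5 Policy';                Enforced = $false
       Settings  = @{ CommandPrompt = 'Disabled'; ShareDrive = '\\example-fs\share' } }   # placeholder path
    @{ Container = '3-5\I Co\Computers'; Gpo = 'I Co Computers';            Enforced = $false
       Settings  = @{ USBStorage = 'Disabled'; LocalAdminPassword = 'Set'; IELockdown = 'Relaxed' } }
)

function Get-EffectivePolicy {
    param(
        [string]$OuPath,                      # e.g. '3-5\I Co\Computers'
        [string[]]$BlockInheritanceAt = @()   # OUs that have "Block inheritance" set
    )
    # Processing order is domain first, then each OU from parent to child.
    # The GPO processed last wins, so a child OU overrides a parent's value
    # for the same setting (IELockdown below shows this).
    $chain = @('')
    if ($OuPath) {
        $parts = $OuPath -split '\\'
        for ($i = 1; $i -le $parts.Count; $i++) { $chain += ($parts[0..($i - 1)] -join '\') }
    }

    $effective = @{}
    $source    = @{}
    foreach ($level in $chain) {
        foreach ($link in ($Links | Where-Object { $_.Container -eq $level })) {
            # "Block inheritance" on an OU discards every link above that OU
            # in the chain, except links marked Enforced.
            $blocked = $false
            foreach ($blockedOu in $BlockInheritanceAt) {
                $linkIsAbove = [array]::IndexOf($chain, $blockedOu) -gt [array]::IndexOf($chain, $level)
                if ($linkIsAbove -and -not $link.Enforced) { $blocked = $true }
            }
            if ($blocked) { continue }
            $label = if ($level -eq '') { 'Domain' } else { "OU=$level" }
            foreach ($setting in $link.Settings.Keys) {
                $effective[$setting] = $link.Settings[$setting]
                $source[$setting]    = "$($link.Gpo) [$label]"
            }
        }
    }
    foreach ($setting in ($effective.Keys | Sort-Object)) {
        New-Object PSObject -Property @{ Setting = $setting; Value = $effective[$setting]; AppliedBy = $source[$setting] }
    }
}

# I Co computers receive three levels: domain, parent OU (3/5), and their own OU.
Get-EffectivePolicy -OuPath '3-5\I Co\Computers' | Format-Table Setting, Value, AppliedBy -AutoSize

# With "Block inheritance" on the I Co Computers OU, the domain and 3/5 links
# drop out and only that OU's own GPO applies; an Enforced domain link would
# still come through.
Get-EffectivePolicy -OuPath '3-5\I Co\Computers' -BlockInheritanceAt '3-5\I Co\Computers' |
    Format-Table Setting, Value, AppliedBy -AutoSize
```

On a real domain member the same answer comes from gpresult /r (or the Group Policy Results wizard in GPMC), which lists the applied GPOs in processing order; comparing that list with the intended design is the quickest way to find an OU where someone has blocked inheritance and silently dropped the MCNOSC security template.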

The benefits of Group Policy are numerous. It allows administrators
to configure settings for client computers once on a server and push
them to all of the other computers in the network. New programs and
patches can be pushed to every computer in the OU rather than
conducting individual installs.

Group Policy can be complicated to configure and manage and is a highly
perishable skill. It is important to train your Marines in how to manage
and apply Group Policy so that they are familiar with all of the
time-saving features available to them. A solid understanding of Group
Policy not only improves the user's experience but protects and secures
the network at the same time.

Planning Group Policy

The majority of your Group Policies should be based at the OU level.
Try to apply a few group policies at high level OUs rather than many
policies across many OUs. This is where the object type OU structures
come into play, because it is easier to configure Group Policy for them
than it is for the administrative model.

One important concept in employing Group Policy that you should not
overlook is that your Cyber Marines' user and computer accounts should
not be put into the User OUs. The permissions they need to access and
troubleshoot servers and computers would be blocked! Take a look at
this OU diagram:

While 3/5's Cyber Marines have ownership of the 3/5 OU, their own
accounts and computers would fall inside the Administrator OU run by
regiment. Regiment will use child OUs and Group Policy to give the
3/5 administrators the proper level of permissions.

Domain Administration and Data Permissions

Managing permissions for users can be easy, because most of the time
the regular user accounts are locked down to prevent them from
inadvertently affecting the Active Directory Infrastructure. It is
much harder to allocate and control permissions for Cyber Marines and
network administrators. To examine how to distribute these
administrative permissions and control we will look at two types of

• Service Level – affect the AD forest and domain structure

• Data Administrator – control, administer, and change objects in
The service level permissions are the easiest to understand. They
come preconfigured in Active Directory as Enterprise Admins and Domain
Admins. An Enterprise Admin has permission to do anything in the
Active Directory forest. In fact, with Enterprise Admin there isn't
anything that a user can't do. Most Cyber Marines do not need
Enterprise Admin permissions to do their job. Usually the Enterprise
Admin permissions are kept at the MSC level – Comm Bn, Comm Sqdrn, and
Comm Co. Ensure that only qualified Marines receive these
permissions. If an Enterprise Admin makes a mistake it will affect
everyone in the forest.

The next level of service permissions is the Domain Admin level. This
person has permissions to do anything at the Domain level. They can
add, remove, and change the roles of domain controllers and other
services within the domain. If your battalion level data chief is
trusted by the regimental data planner, your chief may be given domain
admin rights. However, on a daily basis your Marines do not need
domain admin rights unless they are directly in charge of running a
server farm.

The most common type of permissions is found not at a service level
but in the data administrator category. Data administrators may have
permissions to create and manage users, groups, printers, servers, and
other objects within Active Directory. Your Marines will always need
these permissions. These permissions are allocated using security
groups and Group Policy. There are no preconfigured data
administrator permissions in Active Directory; they need to be created
and assigned by the network planner. Because they are not
preconfigured, many older Marines only understand domain and
enterprise admin roles. Giving out service level permissions freely
is just asking for problems and errors in Active Directory. The
solution is to tightly control the service level permissions and
create and assign data administrator permissions. Here is an example
of how to manage the data administrator permissions in Active
In this example, the top level administrator OU is broken out into
the service level and data administrator OUs. Inside the data
administrator OU, three different OUs have been created: 1 for
server Marines, 1 for ISCs, and 1 for Helpdesk Marines. Each data
Marine in the RCT will be assigned to one of these OUs. This
controls permissions and prevents mistakes that can affect the
entire domain.
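The tiered administrator structure just described, built out as an added PowerShell example (this is not the handout's own procedure): it creates the service-level and data-administrator OUs with one security group per data-administrator tier, then delegates a single data-administrator task, password reset on the battalion OU, to the Helpdesk group only, so nobody at that tier needs Domain Admin. It uses the ActiveDirectory module from the Windows Server 2008 R2 RSAT tools and dsacls.exe. The domain DN, NetBIOS name and OU names are placeholders; the battalion OU is written 3-5 rather than 3/5 because a slash in an LDAP path must be escaped.

```powershell
# Added example: tiered admin OUs and OU-level delegation (placeholders throughout)
Import-Module ActiveDirectory

$DomainDN = 'DC=rct,DC=example,DC=mil'   # placeholder, not a real Marine Corps domain
$NetBios  = 'RCT'                        # placeholder NetBIOS domain name
$AdminOu  = "OU=Administrators,$DomainDN"
$DataOu   = "OU=Data Admins,$AdminOu"

# Top-level administrator OU split into service-level and data-administrator branches
New-ADOrganizationalUnit -Name 'Administrators'  -Path $DomainDN
New-ADOrganizationalUnit -Name 'Service Admins'  -Path $AdminOu
New-ADOrganizationalUnit -Name 'Data Admins'     -Path $AdminOu

# One OU and one global security group per data-administrator tier; the group,
# not the individual account, is what receives delegated permissions.
foreach ($tier in 'Server Marines', 'ISC', 'Helpdesk') {
    New-ADOrganizationalUnit -Name $tier -Path $DataOu
    New-ADGroup -Name "DataAdmin-$tier" -GroupScope Global -GroupCategory Security -Path "OU=$tier,$DataOu"
}

# Delegate at the OU, never the domain: Helpdesk may reset passwords (the
# 'Reset Password' extended right) and set pwdLastSet (force a change at
# next logon) on user objects under the battalion OU only. /I:S applies the
# entries to child objects of the named type.
$TargetOu = "OU=3-5,$DomainDN"
& dsacls $TargetOu /I:S /G "$NetBios\DataAdmin-Helpdesk:CA;Reset Password;user"
& dsacls $TargetOu /I:S /G "$NetBios\DataAdmin-Helpdesk:RPWP;pwdLastSet;user"

# Review: the delegated entries should be the only ones naming the Helpdesk group
& dsacls $TargetOu | Select-String 'DataAdmin-Helpdesk'

# Review the other direction as well: service-level groups should stay small
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName
```

Periodically diffing the output of the last two commands against the approved roster is the practical way to catch the drift the lesson warns about, where a Marine who only needed to reset passwords was quietly added to Domain Admins "to make it work".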

As the network planner, it is important to establish the correct
level of permissions for the Cyber Marines. It is a difficult
balancing act, and delegating permissions should not be done on the
fly. If Marines have too many permissions, your Active Directory
Infrastructure may be compromised by a simple mistake. If you
tightly control permissions, then many Cyber Marines will not have
the permissions they need to do their jobs and you will end up
overworking the few Marines that have the proper level of
permissions. The balance is found by limiting the number of Cyber
Marines with service level permissions and creating a tiered
hierarchy of data administrative permissions.


15 APRIL 2013


1. Without the aid of reference, define Virtualization, per the
Mastering VMWare Infrastructure 3, Page XVII-XVIII.

2. Without the aid of reference, identify the most common reasons
for implementing virtualization within a Packet Switching Network
(PSN), per Advanced Server Virtualization: VMware and Microsoft
Platforms in the Virtual Data Center. (0602-PLAN-1105jj)

3. Without the aid of reference, state the purpose of a
Hypervisor, per Advanced Server Virtualization: VMware and
Microsoft Platforms in the Virtual Data Center.

4. Without the aid of reference, identify the virtualization
software employed within United States Marine Corps Packet
Switching Networks (PSNs), per the Marine Corps Network
Operations and Security Center (MCNOSC) Approved Software List
(https://www.mcnosc.usmc.mil/). (0602-PLAN-1105jl)

5. Without the aid of reference, identify the characteristics of
a virtual server, per Advanced Server Virtualization: VMware and
Microsoft Platforms in the Virtual Data Center. (0602-PLAN-

6. Without the aid of reference, identify the benefits of the
four (4) characteristics of a good network design in a virtual
environment per Advanced Server Virtualization: VMware and
Microsoft Platforms in the Virtual Data Center. (0602-PLAN-

7. Given a scenario, command's mission, approved course of
action, task organization, table of equipment, higher
headquarters Annex K and communication concept of support, plan a
Virtual Networking Infrastructure Diagram illustrating the
allocation of network services within a packet switching network
(PSN), within a timeline provided by the commander which
satisfies the commander's communications system requirements for
command and control, per MCWP 3-40.3C. (0602-PLAN-1106bz)


Having learned the best practices for planning the deployment of
Active Directory Forest and Exchange Organizations, the problem of
having enough servers to properly implement a comprehensive network
services architecture quickly surfaces. This is more apparent the
more limited your table of equipment is. For example, in the Marine
Corps, there are never enough servers to provide all of the services
that users require and still follow the best practice recommendations.
Historically, the Marine Corps has compromised and accepted
substandard service in an effort to maintain and provide essential
services on the network when faced with a lack of resources.

The compromise for the Marine Corps was just to run multiple services
on the same server, even though they could potentially cause conflicts
with each other. An example of services competing for server hardware
resources is when Microsoft Exchange and SQL for a database are
running on the same server. Both services are in competition for the
server’s available memory and CPU.

Conversely, at times, we are barely using the capabilities of a
server because the hardware is not used extensively. The following
screenshot is of an actual domain controller running in an Active
Directory Forest.

In the previous example, the domain controller 2BN6N01C is only using
1% of its CPU and just over 25% of its RAM. This server is not
effectively using all of its resources. The rest of the processor
and RAM is underutilized.

To better utilize our existing servers and remove the 1:1 ratio of
roles and servers, the Marine Corps has adopted virtualization.
Because of a lowered dependence upon physical servers, virtualization
falls in line with the Commandant of the Marine Corps Green IT
initiatives to decrease the electrical and physical footprint of our
IT infrastructure.

Virtualization Basics

Virtualization is defined as the process of implementing multiple
operating systems on the same set of physical hardware in order to
better utilize the hardware. In other words, virtualization allows
the network planner to run multiple operating systems independently on
one computer. Each copy of the operating system is called a Virtual
Machine (VM).

To better visualize this concept, take a look back at the 2BN6N01C
server from the introduction. What happens if that physical server
could simultaneously run 2 domain controllers and 1 Exchange server?
Virtualization allows the data planner to use each physical server as
a resource pool that he can allocate to separate, independent,
virtual computers. For example, you could have 1 physical computer
that is hosting an Apple virtual computer, a Linux computer, and an XP
computer at the same time. Users would be able to access and use all
3 computers simultaneously.

To see this concept, let’s compare a logical diagram of a physical
computer to how a computer uses Virtual Machines (VMs):

The physical computer on the left is a normal computer, with a
standard OS that uses all of the resources of the computer to run
applications, services, and roles in Active Directory. The physical
computer on the right is running special software that uses the
physical hardware of the computer (the RAM, CPU, NICs, and hard
drives) as a resource pool and allocates those resources to the two
virtual machines that exist inside the software. Each of the virtual
machines inside the physical machine acts like an independent
computer. Virtualization allows the network planner to take the
resources of 1 physical computer and create several virtual computers
to take advantage of all of the physical resources of the host.

Below is a table depicting the advantages of utilizing virtualization
to improve the network:

Physical machines and servers are very difficult to move or copy. For
a physical machine to be moved, it needs to be loaded in a truck and
physically moved from one site to another. Since virtual computers
are electronic files and exist as software, virtual machines can
easily be moved from one host computer to another over the network.
Software can be easily copied and cloned; it is much harder to make a
complete copy of a physical computer. Physical computers need the
correct drives, need to have hardware upgrades and new components to
stay current, and have to be continually replaced because technology
changes so fast.

Virtual Machines have many advantages over their physical
counterparts. They are easy to move, copy, and back up because they
are all software. 3 or 4 virtual servers can exist independently with
no knowledge of the physical server or each other. Virtual computers
are isolated from hardware changes to the physical computers. Since
they can be easily migrated from one computer to another, when new
technology is fielded, the VMs can just be moved to the new server.
Virtual servers also reduce the power requirement of the technical
control center. Where once there were 4 separate servers pulling 20
W apiece, now there may only be 2 computers, with each of them running
2 virtual machines.

There are 6 primary reasons for virtualization:

• Server consolidation and Efficiency
• Legacy Application Support
• Legacy Operating System Support
• Demonstrations
• Testing
• Education and Learning

Virtualization frees network planners from planning 1:1 Active
Directory servers, roles, and services. Instead of having 8 servers
in the server room, now the planner may be able to employ 4. This
allows planners the ability to truly plan networks according to the
best practices of Microsoft, Sun, and other companies. Fewer physical
servers mean less power, HVAC support, and Marines to manage and
maintain as well. This makes the Marine Corps more environmentally
friendly as well as easing the load on the power planners.

Virtualization supports legacy applications and operating systems.
There is some software that the Marine Corps still uses that is based
around Windows NT or Microsoft DOS. Since these OSes aren’t supported
anymore and sometimes are incompatible with new computers, the
solution is to just create virtual machines and install the OS and
applications. This makes it possible to keep the server farm small
and as up to date as possible while providing the broadest support
possible for all of the users’ required services.

Virtualization can also be used for demonstrations and testing of new
configurations and applications. If a new C2 application or
technology is being fielded, it can be run on a virtual computer
inside the network to observe its effects before enterprise wide
implementation. If problems or issues are identified, the virtual
machine can be shut off without damaging the rest of the network
infrastructure or the host computer.

Virtualization is also great for education, training, and learning
applications. We have used VMware Workstation at Communications
School in order for you to get hands on applications in managing an
Active Directory or Exchange Architecture. We were able to do this by
using virtual machines running inside of your student computers
without altering anything on each computer.

Virtualization almost sounds like it is too good to be true. It is
not. It is sound, proven technology that has changed the way the
Marine Corps employs its server and services architecture as well as
improved our ability to conduct backups and other fault tolerance
measures. The use of virtualization software has revolutionized the
way the Marine Corps network planners install, operate, and maintain
deployed and garrison networks.

Virtualization Software

Virtual Machines are based around software and not physical hardware.
As such, Virtual Machines are completely independent of physical
computers and can be moved from one computer to another to adjust for
network topology changes, changes in demand, and changes to resource

There are two types of virtualization software: Hosted and


Hosted virtualization software acts as an application running on top
of an existing operating system. In the server labs, we have employed
VMware Workstation, which is a hosted virtualization software.

The second type of virtualization software is called a Hypervisor. It
is a bare metal Operating System, meaning that it is installed onto a
computer as the primary Operating System. It is much more efficient
than hosted virtualization software because it does not waste any
resources of the computer. All of the resources are applied to the
VMs. For example, Windows XP uses over 500 MB of RAM, Vista uses
almost 1 GB. So if you used a hosted virtualization software on top
of Windows Vista on a 4 GB RAM computer, your virtual machines only
have 3 GB of RAM to use amongst themselves. A hypervisor may only use
100 or 200 MB of RAM or less to provide the basic inputs for the
computer’s hardware. A hypervisor is also much more stable than most
Microsoft operating systems.

Below is a logical diagram of a physical computer running hosted
virtualization software and one running a hypervisor:

You can see that the computer on the left has the extra layer of the
Windows XP OS that the computer on the right using the hypervisor does
not. It is important to note that there is no difference between a VM
running on hosted software and one running on a hypervisor. You can
actually transfer the VMs back and forth from a hosted computer to a
hypervisor if required.

Hypervisors offer much better resource allocation and a much smaller
impact on the physical computer. For example, VMware’s ESX 3.5 is
only a 32 MB installation. It is best for production, long term
networks and server farms. For testing and demonstrations or temporary
networks, hosted virtualization software is the best. Hosted
virtualization allows the user to take advantage of not only the VMs
running on the computer but also the applications running on the host
computer. For hypervisors, only the VMs are accessible to the user;
no applications are supported by the hypervisor. Each type of
virtualization software has its benefits and drawbacks, but they also
work well together, and the virtual machines can be easily moved from
one type to another.

The Marine Corps primarily uses the VMWare family of virtualization
software. Currently the hosted software available for use is VMWare
Player, Workstation, and Server, and the Hypervisor software is ESX
and ESXi. We have already used VMWare Workstation for our labs at the
schoolhouse on the classroom computers. We will use ESX on the
servers during the field exercises to expose you to both families of
virtualization software.

Characteristics of Virtual Servers/Machines

Virtual Machines share many of the characteristics of a physical
computer. A virtual machine has no knowledge of other virtual
machines on the same physical computer and no knowledge of the
virtualization software, hypervisor or hosted. Virtual machines
communicate with other computers, both physical and virtual, on the
network using the OSI model. There is no difference between frames
and packets destined for a virtual machine and those destined for a
physical machine. In fact, the only difference between a physical
server and a virtual server is that your eyes can see the physical
server in a rack in a communications closet or Techcon.

Virtual Machines have the same components that physical computers do:
CPU, RAM, Hard Drives, Network Interface Cards, and DVD-ROM drives.
Virtual Machines operate by using a portion of resources on the
physical computer. The hypervisor or hosted virtualization software
takes the actual physical resources of the physical computer and makes
them available to the virtual machines. Virtual machines will use the
CPU from the physical computer; virtual RAM is allocated from the
total amount of physical RAM on the computer. The virtual machine’s
hard drive can be composed of space on the physical machine’s hard
drive, a filer, or other file storage system. Each virtual machine is
then linked to the Network Interface Card (NIC) of the physical
computer. Some high end physical servers now ship with 4 or more
NICs. These servers make all 4 NICs available to the virtualization
software, and the NICs can then be allocated to the virtual machines.
Each virtual machine is then given a unique IP address and networked
through the host computer’s actual NICs. Other physical resources of
the host like CD / DVD-ROM drives are also mapped to each of the
Virtual Machines for their use.

To illustrate this concept, let’s look at an example:

A physical server has:

• 4 Processors at 2.4 GHz
• 32 GB of RAM
• 500 GB Hard Drive
• 4 NICs
• 1 DVD-ROM Drive

Now we are going to break these resources up into 3 virtual machines.

The first two virtual machines are:

We still want to create one more virtual machine, so we must look at
what resources are left on the host computer. Our 3rd Virtual Machine
will have 4 processors, up to 8 GB of RAM, 100 GB Hard Drive Space, up
to 2 NICs, and a DVD-ROM drive. When allocating resources remember
that the number of processors of the host computer does not change for
the VMs: the physical processor will serve as the processor for all
the active VMs.

Instead of 1 very powerful physical server that would be
underutilized, we made 3 virtual servers for use on the network. The
resource allocation of the 3 virtual servers can also be changed to
reflect demand, so if 01C was using 90% of its RAM, the RAM used by
01E and the new server could be reduced to allocate more to 01C.

Let’s look at another scenario where we are going to employ the same
physical server but also add a FAS 270 filer to the equation to give
an additional TB of storage space.

A physical server has:

• 4 Processors at 2.4 GHz
• 32 GB of RAM
• 500 GB Hard Drive
• 4 NICs
• 1 DVD-ROM Drive

The FAS270 has an additional 1 TB of storage space for virtual hard


Here are the two VMs that have been already allocated:

What resources are left over for the 3rd virtual machine? We can
still use the 4 processors of the host, have 8 GB of RAM left over to
use, 200 GB on the filer and 500 GB of space on the actual physical
server left to utilize for hard drive space, 2 NICs and the DVD-ROM

When allocating VMs to physical machines, there are several
considerations to factor in. The first is that the physical machine’s
processor is a major limiting factor. If you try to run too many
processor dependent VMs like Exchange and SQL applications, you will
overtax the processors. RAM is also a major limiting factor. VM
performance will suffer if you over-allocate RAM because the VMs will
have to share and swap the RAM of the physical host. Look at the
total amount of RAM available and try to divide it up amongst the VMs,
giving priority to Exchange and other databases. Hard drive space is
usually not a limitation or large consideration because many times the
Virtual Machine’s hard drive can be mounted on a filer that is
networked to the actual physical server. Since a filer has much more
hard drive space than an actual server, hard drive limitations are not
as important. Finally, the last factor in allocating VMs to physical
computers is experience and testing. As you gain more experience in
planning, installing, and maintaining virtual servers, you will be
better able to distribute the virtual servers across the physical
infrastructure. Ensure that your Marines are using your physical
servers with virtual machines to test the capacity and performance of
your data architecture before you use it in a production network.

Planning for Virtual Servers

Planning the employment of virtual servers is easy to understand
because there are no differences between a physical server and a
virtual server when it comes to services and roles. There is no
impact on Active Directory and Exchange diagrams and no changes that
you have to make to show that you are using virtual servers. Virtual
servers remove the 1:1 limitation of physical servers to services and
roles. Now the data planner is free to plan the ideal server
architecture and distribution of servers based on best practices and
not equipment availability. The use of virtual servers allows much
more creativity in planning the architecture and the ability for the
planner to avoid making compromises.

To plan for virtual servers, there is a five step process to follow:

1. Find out how many physical servers are operational,
available for use, and on hand.
2. Use the performance specifications (or testing or
experience) to determine how many virtual servers each
physical server can support.
3. Use the total number of virtual servers as the planning
factor for the maximum number of servers in your
4. Plan your Active Directory and Exchange architecture the
way you want it. Use as many best practices as you can
when designing your servers and the roles that they are
going to play.
5. Allocate your virtual server architecture to the physical
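As an added example that is not part of the course handout, the
following Python planner carries the two host allocation scenarios
above through to the leftover resources, applies the processor, RAM
and NIC caveats from the allocation considerations, and estimates how
many VMs of one profile a host can still hold (step 2 of the process).
The host figures, the FAS270 filer and the names RCTESXN01, 01C, 01E
and 01R are taken from the text; the sizes of the first two VMs and
every function name are constructed for this example.

```python
"""Capacity planner for placing virtual machines on a physical host.

Added example, not code from the course handout; all functions are hypothetical.
Host figures (4 processors, 32 GB RAM, 500 GB disk, 4 NICs, 1 DVD-ROM) and the
FAS270 filer (1 TB, taken as 1000 GB) come from the text; the sizes of the first
two VMs are constructed so that the remainder matches the text's third VM.
"""
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    vcpus: int      # up to the host's processor count; processors are shared
    ram_gb: int     # reserved from physical RAM, never over-allocated
    disk_gb: int    # carved out of exactly one datastore
    datastore: str  # "local" host disk or a filer volume
    nics: int       # host NICs dedicated to this VM

@dataclass
class Host:
    name: str
    cpus: int
    ram_gb: int
    nics: int
    datastores: dict  # datastore name -> capacity in GB
    dvd: int = 1      # DVD-ROM drives; mapped through to every VM, not consumed
    vms: list = field(default_factory=list)

class AllocationError(ValueError):
    """A VM asked for more than the host still has free."""

def remaining(host):
    """Resources still unallocated. Processors and the DVD-ROM are shared by
    every VM and never decrease; RAM, NICs and datastore space are consumed."""
    free = dict(host.datastores)
    for vm in host.vms:
        free[vm.datastore] -= vm.disk_gb
    return {"cpus": host.cpus, "dvd": host.dvd, "datastores": free,
            "ram_gb": host.ram_gb - sum(vm.ram_gb for vm in host.vms),
            "nics": host.nics - sum(vm.nics for vm in host.vms)}

def allocate(host, vm):
    """Place vm on host, refusing anything the free resources cannot cover
    (over-allocated RAM would make the VMs swap against each other)."""
    free = remaining(host)
    store = free["datastores"].get(vm.datastore, -1)  # -1: no such datastore
    checks = [
        (vm.vcpus <= free["cpus"], f"host has only {free['cpus']} processors"),
        (vm.ram_gb <= free["ram_gb"], f"only {free['ram_gb']} GB RAM free"),
        (vm.disk_gb <= store, f"only {max(store, 0)} GB free on {vm.datastore!r}"),
        (vm.nics <= free["nics"], f"only {free['nics']} NICs free"),
    ]
    for ok, why in checks:
        if not ok:
            raise AllocationError(f"cannot place {vm.name}: {why}")
    host.vms.append(vm)
    return remaining(host)

def max_copies(host, profile):
    """How many more VMs like `profile` (all sizes > 0) the host can hold: step 2
    of the planning process, the tightest of the RAM, NIC and datastore limits."""
    free = remaining(host)
    if profile.vcpus > free["cpus"] or profile.datastore not in free["datastores"]:
        return 0
    return min(free["ram_gb"] // profile.ram_gb,
               free["nics"] // profile.nics,
               free["datastores"][profile.datastore] // profile.disk_gb)

def new_host(with_filer=False):
    """The text's sample host, optionally with the FAS270 as a second datastore."""
    stores = {"local": 500, "fas270": 1000} if with_filer else {"local": 500}
    return Host("RCTESXN01", cpus=4, ram_gb=32, nics=4, datastores=stores)

def scenario_local_disk():
    """Two VMs on local disk; what is left is the text's third VM: 4 processors,
    8 GB RAM, 100 GB disk, 2 NICs and the DVD-ROM."""
    host = new_host()
    allocate(host, VM("01C", 4, 16, 200, "local", 1))
    allocate(host, VM("01E", 2, 8, 200, "local", 1))
    return remaining(host)

def scenario_with_filer():
    """Same host plus the filer: VM disks live on the filer, so all 500 GB of
    local disk and 200 GB of filer space remain for the third VM."""
    host = new_host(with_filer=True)
    allocate(host, VM("01C", 4, 16, 400, "fas270", 1))
    allocate(host, VM("01E", 2, 8, 400, "fas270", 1))
    return remaining(host)

def over_allocation_is_refused():
    """A third VM asking for 16 GB RAM when only 8 GB is free must be rejected."""
    host = new_host()
    allocate(host, VM("01C", 4, 16, 200, "local", 1))
    allocate(host, VM("01E", 2, 8, 200, "local", 1))
    try:
        allocate(host, VM("01R", 4, 16, 100, "local", 1))
    except AllocationError:
        return len(host.vms) == 2  # nothing was placed
    return False
```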

Because the relationship between virtual and physical servers is not
shown on the Active Directory or Exchange Routing diagrams, additional
diagrams must be created. For each physical server, a logical diagram
is created showing the virtual servers that are running on that
particular physical server. These diagrams show the relationship
between all of the physical servers and the virtual servers in the
network. A sample diagram is shown below; it details what virtual
servers are being run on each physical server and ALL the different
services and roles each server is running:

This diagram shows one physical server with 3 virtual servers running
on it.

Allocating the virtual servers to the physical servers, though, is the
last step of the process. The first part of designing a server
architecture is still to develop the AD and Exchange architecture.
Here is a sample AD diagram:

There is no mention of virtual servers anywhere on it. But when you
compare the AD diagram to the Physical Server Diagram, you can see
that 01C, 02C, and 01R at the RCT site will be running on RCTESXN01.
For the rest of the servers, similar physical server diagrams will be
created to see the relationship between the physical and virtual

If you are planning on using a filer like a FAS270 and storing the
Virtual Hard Drives on the filer, add the filer to the physical server
diagram to arrive at a product like this:

This lets the data Marines doing the configuration and installations
know where to put the VM data stores. If no filer is depicted, it is
understood that the Virtual servers will be stored on the physical

Virtualization and the 4 Characteristics of Good Network Design

This class has introduced virtualization, explained the types of
virtualization software and the characteristics of virtual machines.
It has also introduced the virtual to physical planning process and
how to document virtual servers in our diagrams. Now we will use the
four characteristics of a good network: Fault tolerance, Scalability,
QoS, and Security and look at virtualization to see its benefits and
drawbacks and how we can use it to improve our networks.

Fault Tolerance and Redundancy

Virtual servers significantly improve fault tolerance because virtual
servers are not tied to a physical server. If you run a cluster of
two or more physical servers running virtualization software, the
virtual servers can easily be migrated from one physical server to
another. Because virtual servers exist as software and files, they
can easily be backed up by simply being copied. If a physical server
fails before the virtual servers on it are transferred, just point
another physical server at the location of the copy of the virtual
server and the network is back in business.

To further examine the flexibility and increased reliability that this
capability gives a planner, let’s look at the following diagram:

In this example, we are looking again at the server architecture of
Camp Fallujah. There are three virtual servers for the MNF and CF.MNF
domains located in two locations on the camp. In each server
location, there are 2 ESX servers and a filer. The virtual servers
have their data stores located on the filer in their respective server
room, and each filer is backed up to the filer in the other server
room. This means that each filer has a copy of each of the virtual
servers in the infrastructure. If any one of the ESX servers fails,
the virtual servers running on it can be transitioned to the other ESX
server that is up and running. If an IDF attack or catastrophic
outage happens to one of the server rooms and completely destroys
everything in it, the distant server room can restore all of the
virtual servers from the filer onto the existing ESX servers.
Employment of an architecture like this one, with distributed servers,
filers, and backups between the two, makes a very resilient and fault
tolerant network.


Scalability

Virtualization adds a great deal of scalability to the network. If
there is increased demand, more virtual servers can quickly be created
by simply copying the existing virtual servers. More resources can
easily be added to the network: filers for more datastores and more
physical servers to act as hosts for the virtual servers.
Additionally, because virtual servers are all software they are
hardware independent, which means that you can purchase servers from
almost any manufacturer and install the virtualization software.
Physical computers can also be easily upgraded for increased
performance without affecting the virtual infrastructure.
Virtualization also allows for support of legacy programs and
operating systems so there will always be support for critical command
and control applications that may run on older infrastructure. This
may be especially important as the Marine Corps transitions from a 32
bit to a 64 bit Operating System standard. Finally, virtualization
supports scalability because there is a much lower strain on HVAC and
generator support, since fewer physical servers are needed.
Adding a virtual server to the existing infrastructure adds no new
power or cooling demands to the grid.

The only problem with virtualization and scalability is that there is
a limit to the number of virtual servers a physical server can
support. If more virtual servers are added, performance of all of the
virtual servers on that physical server may be adversely affected. A
careful data planner will test out physical servers to understand
their capabilities and limitations before adding virtual servers to

Quality of Service

Virtualization improves the quality of service to the user. Virtual
servers can quickly be moved from one physical server to another,
improving performance and uptime and minimizing any impact on the
user. Virtualization software also allows the administrator to
allocate the physical resources of a computer to specific virtual
servers, which ensures that priority virtual servers will always have
the physical resources like CPU and RAM that they need.

There is a significant drawback to virtualization and quality of
service. Moving virtual servers from one computer to another
increases the traffic on the LAN, especially if you are migrating
servers from one techcon to another. Direct network connections on
the LAN should be established between two virtual server centers using
more than a gigabit backbone to avoid adversely affecting users’


Security

Virtualization increases the security of the network. Primarily,
virtualization reduces the number of roles that a single server is
running. For example, a web server and a domain controller can exist
as virtual servers on one physical server, where before the web
service would have to be located on the domain controller. Allocating
virtual servers for specific roles reduces the network's vulnerability
to both external and internal security threats. Virtualization allows
critical roles like front end bridgehead Exchange servers and web
servers to be isolated from the rest of the network infrastructure
using a minimum of physical servers. Virtualization also cuts down on
the actual footprint of servers. It is easier to secure one or two
physical servers than 8.


Virtualization is an important tool for the network planner and is
growing more and more prevalent throughout the Marine Corps.
Virtualization removes the one to one physical server and roles
relationship. It allows the network planner to easily add and adjust
roles to fit the best practices and their own experiences.
Virtualization significantly increases a network infrastructure's
reliability, fault tolerance, scalability, quality of service, and

Customer Service and Help Desk



21 MAR 2012


1. Without the aid of reference and given a list of distracters,
define customer service, per CJCSM 6231.07D (Joint Network
Management and Control). (0602-MNGT-1701x)

2. Without the aid of reference and given a list of distracters,
define help desk, per CJCSM 6231.07D (Joint Network Management and
Control). (0602-MNGT-1701w)

3. Without the aid of reference and given a list of distracters,
identify the components of a customer service plan, per CJCSM
6231.07D (Joint Network Management and Control). (0602-MNGT-1701v)


Employing a helpdesk is one of the most critical components of a
communications network plan. For most of the course we have talked
about establishing and maintaining communications, but not focused on
the experiences of your users. All of the work you put into designing,
installing, and maintaining your networks will be wasted if the users
cannot access the systems that they need to do their jobs. Running a
helpdesk is one of the most difficult jobs that a communications
officer can undertake because the focus is not on strictly
communications but on satisfying a user’s needs. The primary
responsibility of the helpdesk is to help the user (customer for
civilian IT agencies). A sample mission statement of a helpdesk is:

The Help Desk is a central point of contact for all technical
support, including hardware, software and troubleshooting
questions. This enables 9th Communication Battalion to facilitate
uninterrupted communication and data access to all I MEF CE
personnel; and provides users with a single access point for
troubleshooting needs.

Helpdesks are needed in any communications architecture to take care
of the needs of the user, and the helpdesk is often the face of the
communications unit, as the helpdesk Marines spend more time
interacting with the users than most other communications Marines.

Helpdesk Organization

In a complex communications network, every unit from an infantry
battalion on up to a communications battalion will have a helpdesk
charged with the responsibility of assisting and troubleshooting
users’ phone and data problems. The helpdesk falls under the
responsibility of the Syscon. Here is a sample organization of a
helpdesk and its reporting procedures.

The helpdesk must balance the daily needs and requirements of each
user who has a problem against the priority needs of certain locations
on camp like the COC, LOC, and TACC, as well as certain priority users
like the Commanding General, Commanding Officer, Sgt Major, Operations
Officers, etc. One of the responsibilities of the Syscon Watch
Officer is to adjust the priorities of the helpdesk on the fly to
ensure that the helpdesk is focused on the right places.

The helpdesk should consist of both Wire and Data Marines. If a user
calls the helpdesk with a phone problem, the wiremen will work with
the switchboard operator to troubleshoot the issue and fix the
problem. Because data is so complex, the helpdesk needs access to
server Marines, LAN Marines, and then troubleshooting tiger teams. The
helpdesk will receive a call from users and then try to resolve the
problem over the phone or remotely. If they cannot resolve the
problem, they will then dispatch a troubleshooting team to go to the
user to solve the problem. Many times, due to volume, the tiger teams
will receive a list of user issues in priority order and travel all
day around the camp, solving the users’ problems and closing trouble

While relatively simple, here are the definitions of customer service
and a Help Desk.

Customer Service: the process by which the needs of your customers are
met through customer centric, solution oriented and proactive measures.

Help Desk: An aspect of Customer Service which provides the central
interface between users and the technicians who support them.

A Tiered Approach to Helpdesks

The way most helpdesks work is by trying to resolve user problems at
the lowest level possible, just like first aid. The common paradigm
for first aid is: self aid, buddy aid, and corpsman aid. The same
applies for a good helpdesk system:



A good helpdesk system will try and minimize the downtime that users
experience by solving problems at the lowest level. If the ISC cannot
solve the problem or the unit does not have one, the helpdesk will
take the problem for action. If it is not resolved in a timely manner
or it is decided that the problem or user is a priority issue, the
syscon can adjust the focus of the helpdesk and bring more resources
to bear to solve the problem.

Customer Service Plans

A good communications officer will work to develop a solid customer
service plan because customer priorities are not necessarily
communication architecture priorities. The helpdesk needs to be
cognizant of your priorities for the network and your priorities for
the users as well as the users’ own priorities. If you and your
Marines cannot resolve issues in a timely manner, the customer or user
may attempt to solve their problem on their own. This could have
adverse effects on the network like spanning tree loops, viruses, IA
violations, broken laptops, printers, and monitors, and other
problems. Customers will find a way to get services or resolve
issues, sometimes to the detriment of the health of the network,
equipment, Marines, and your reputation as a Communications Officer.

A good customer service plan has 3 separate components:

• User / Customer Education
• Helpdesk Procedures
• System / Unit Responsibilities

User / Customer Education

The first component is the user education piece. The more educated
and knowledgeable your users are, the fewer problems they will
have that require a call to the helpdesk to resolve. To educate
your users, you can provide a customer service brief so that they
understand the procedures and user actions that need to happen to
resolve a problem, as well as a timeline if they report an issue to the
helpdesk or open a trouble ticket. “Smartpacks” are another excellent
option to help your users. A good smartpack will have instructions on
how to dial a POTS phone, VOIP phone, or STE phone, the helpdesk phone
numbers and email address, how to set up email accounts, how to set up
a printer, how to map a sharedrive, and other things that you and your
Marines will identify that users can do on their own rather than
calling in a trouble ticket and wasting your Marines’ time. A
smartpack should also list Information Assurance concerns and
regulations that all of your users should follow in a simple, easy to
understand format.

Helpdesk Procedures

The largest component of your customer service plan will always be the
helpdesk procedures. Here is a list of some of the procedures that
you need to plan for:

• Priorities
• Trouble ticket system & work flow
• Reception
• Equipment receipt – tracking laptops and desktops for
imaging / troubleshooting
• Maintenance –
– Who inducts computers not on your CMR?
– Who orders parts? Whose funds?
• Customer contact
• Integration with SYSCON

You have to establish priorities so that your helpdesk knows what
areas, agencies, units, and users to focus on ahead of the normal user
issues. You have to specify how trouble tickets are taken, opened,
tracked, and closed. Nothing upsets users more than calling a
helpdesk four or five times to get an issue resolved because your
Marines keep losing the note with their problem on it. You also have
to work out the actions of the Marines after the ticket is opened: who
gets it first, and how it flows between the components of the helpdesk.
Here is an example flow chart for trouble tickets:

You also have to think about maintenance and fixing laptops for users
that are from different units and CMRs and how your Marines will
maintain accountability over them. A Helpdesk SOP from 9th
Communication Battalion is attached at the end of this student handout
to serve as a template for you.

System / Unit Responsibilities

The last component of a customer service plan is one of the simpler
parts to design and plan but can be very difficult to actually
implement. Many of the larger bases in Afghanistan and other deployed
environments have units that are responsible for communications. For
example, on a MEU, the communications architecture on a ship is
controlled by the Navy. Your Marines have to work with the Navy to
resolve users’ problems. You will have to work out what permissions
your Marines will have and to what level they can troubleshoot, if at
all, and when they need to call the ship’s IT department for

In another example, a Communication Bn or Communication Squadron may
be responsible for communications at a FOB. If you are the data
platoon commander, one of your responsibilities may be the helpdesk.
You will probably be supporting many different units, from infantry
regiments and battalions to CLBs and other joint and interagency
units. What level of permissions and access do you want to give these
other units, all of whom have data Marines or IT personnel? If you
don’t give them enough access and permissions, then they will be
underemployed and your helpdesk will bear the burden. If they have
too many permissions they can inadvertently introduce problems into
your network. You can see how it seems easy in concept to set up a
tiered approach, but it can be very hard to work out the different
responsibilities and access of data personnel in practice.

Helpdesk Techniques, Tactics and Procedures

There are a couple of important pieces of advice to keep in mind when
thinking about your customer service plan and evaluating your

Organization: You have to keep the helpdesk organized to make sure
that you and your Marines don’t lose laptops, computers, and trouble
tickets. If your Marines have a stack of laptops to be imaged and
they can’t remember where they came from, this is an indicator of
major accountability problems.

If switches and cabling are labeled, it is easy to troubleshoot
connectivity and VLAN problems; if they are not, your Marines are going
to have to trace cable and “guess” at which line is the one that needs
to be retipped or repaired. You can save a lot of time with
descriptions entered into the switch and labels on the individual
phone lines and CAT-5 cable.

Procedures and Priorities

You and your Marines need patience. There will be lines at your
helpdesk and many problems that users have, especially around a relief
in place or a turnover. All of the problems will eventually be
solved. Your Marines need to understand that it is a marathon and not
a sprint. Rushing to solve problems sometimes creates more problems,
and your Marines will overlook things or forget about users. As long
as they are working diligently through problems, it is your job to
provide them top cover and protect them from angry and complaining
users. Remember that your procedures and priorities were hopefully
explained to the users, so when they are waiting in line and there is a
problem in the COC, they do not make a scene because they know where
they fall in the food chain. At some of the larger bases during unit
turnovers your helpdesk may have a line outside of it.

Helpdesk Systems

There are many electronic systems that can make your life easier.
There are trouble ticket databases, like Remedy, that can be used.
If you don’t have a program or application like Remedy, your Marines
can make a Microsoft Access database or keep a spreadsheet. The
bottom line is that you need some sort of database to document your
trouble tickets to see what tickets are open, closed, and pending.

Logbooks like the syscon logbook can also be adapted for use at the
helpdesk so that Marines can maintain detailed logs of
troubleshooting, priorities and issues, and so the night shift can
look at what the day shift accomplished and vice versa as they come on

Solarwinds and network monitoring software can also play a key role in
the network. If there is a switch problem or fiber cut on the camp,
your Marines can see this and respond appropriately. For example, it
doesn’t pay to send out a tiger team to troubleshoot a user’s
connection, when the fiber to the access layer switch was cut.
Network monitoring software allows Marines to troubleshoot smartly and


It is important to track trouble tickets and user problems. The more
problems your Marines solve, the faster their OODA loop will
be when dealing with new problems. By maintaining documentation, you
can see the trends that users are having. For example, if the
helpdesk gets a lot of calls or problems with the antivirus software
or Guardian Edge, you can add information and procedures to your smart
pack to mitigate many of the trouble calls because you have now
educated the user. If you start seeing maintenance trends, you adjust
the PMCS or order more of certain parts, like power supplies and hard
drives, that go bad. Or if your hard drives are going bad at a rapid
rate, you order them from a different manufacturer.

Another good reason for documentation during exercises and deployments
is that you can conduct predeployment or pre-exercise user training to
mitigate problems that the users may encounter during the upcoming
exercise or deployment.


Running a helpdesk is critical to ensuring your users can accomplish
their mission and daily job. Your helpdesk is the face of your
Marines and your work in your users’ eyes. If you develop the best
communications plan and architecture, but have a bad helpdesk, the
response of the users is still going to be that “comm stinks.”
Developing a solid customer service plan and helpdesk procedures is
critical to you, your Marines, and your users for the effective
management and operation of your network.

2 Feb 06

From: Data Platoon

To: Company Operations

Ref: a. Remedy
b. MNF-W User Agreement
c. Gear Receipt
d. Trouble Ticket flow chart
e. User Smart Pack List
f. OpDir Procedures
g. New Computer Setup and VLAN Change Procedures
h. Maintenance Procedures
i. Information System Coordinator (ISC)
j. Helpdesk Support Priorities



1. Purpose of Document

This document focuses on the services to be delivered to users. It
provides the technical support team with procedures for recording and
responding to calls from internal users. The main purpose of this
document is to ensure that the technical support team delivers an
effective and rapid response to users. This service is provided 24
hours a day, 7 days a week.

2. Mission Statement

The Help Desk is a central point of contact for all technical support,
including hardware, software and troubleshooting questions. This
enables 9th Communication Battalion to facilitate uninterrupted
communication and data access to all I MEF CE personnel; and provides
users with a single access point for troubleshooting needs.

3. The COC Help Desk works primarily for all the sections inside the
COC and the SSEC. The 9th Comm Help Desk is the main user support
facility for the CEMNF domain. Both helpdesks:

a. Handle all user requests.

b. Maintain responsibilities for network configurations and
server maintenance.

4. Information System Coordinator (ISC) and the Help Desk Technician


The Information System Coordinator serves as the first line of defense
for all information system related problems. The 9th Communication
Battalion Helpdesk serves as the second line of defense. The technician
provides software application assistance and computer repair services.
They also evaluate and prioritize trouble calls, receive user reported
problems, and track and maintain a historical database of problem
resolution. They provide accurate and creative solutions to user
problems to ensure productivity.

5. The ISC responsibilities come straight from the G-6 and encompass
all of the below.

a. Update ISD and send all updates to the MCCC Watch Officer on

b. Ensure Global Address List stays up to date within your
Organizational Unit (OU).

c. Install authorized software within section.

d. Reset passwords as appropriate.

e. Troubleshoot hardware and software problems within section.

f. Manage and Control access and security.

g. Manage Group E-mail accounts (and who has access to the group
e-mail accounts).

6. Recording a Trouble Call

Users are informed to log trouble calls with the helpdesk via
telephone, email or at the window located in Bldg 26. The email
address used is HelpDesk@cemnf-wiraq.usmc.mil or
Helpdesk@cemnf-wiraq.usmc.smil.mil. The phone numbers are 3400-603 and
3404-608.

a. Once a call or e-mail is received, the helpdesk technician is
required to record the details on a trouble call ticket.
Information entered onto the trouble ticket must include the
(1) Date and Time received

(2) Name (user)

(3) Rank (user)

(4) Unit/Section (user)

(5) Phone Number (user)

(6) Location (user’s work space)

(7) Computer Name/IP (user)

(8) NIPR, SIPR, Centrix, or VOIP Problems.

(9) Details of problem(s).

(10) Any other comments the user or technician may have
about how to resolve the problem at hand.

(11) Give the ticket number to the user for future


7. Responding to a Trouble Call:

When a technician is responding to a trouble call, the following
procedures will be used:

a. Print a new list of trouble tickets for that day.

b. Pick an area of work.

c. The technician will begin by attempting to make contact
with the user to assess whether the problem still exists.

d. After making contact with the user, schedule the best
time for the trouble call to be investigated.

e. If no contact is made with the user, either by phone call or
e-mail, the technician will make two more attempts to contact
the user. If this fails, the ticket will be closed and the
user will have to open a new trouble ticket.
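
The ticket database the handout calls for (open, closed and pending tickets, with trend tracking so recurring problems can go into the smartpack) and the SOP's recording and contact rules in paragraphs 6 and 7, as one added PowerShell example; this is not a tool from the course or the 9th Comm Bn SOP. The CSV location, the support-priority table, the trend keywords and the sample ticket are assumptions.

```powershell
# Added example, not a tool from the course or the 9th Comm Bn SOP.
# Needs PowerShell 3.0 or later. Assumed: the log file location, the
# support-priority table and the trend keywords.
$script:TicketLog = Join-Path $env:TEMP 'helpdesk-tickets.csv'

# Assumed support priorities (SOP ref. j): lower number is worked first.
$script:AreaPriority = @{ 'COC' = 1; 'SSEC' = 2; 'General' = 3 }

function Get-TroubleTickets {
    # Every ticket in the ledger, or an empty array when none exists yet.
    if (-not (Test-Path $script:TicketLog)) { return @() }
    return @(Import-Csv -Path $script:TicketLog)
}

function Save-TroubleTickets {
    param([object[]]$Tickets)
    $Tickets | Export-Csv -Path $script:TicketLog -NoTypeInformation
}

function New-TroubleTicket {
    # Records the fields the SOP requires (para 6a) and returns the ticket
    # number so the technician can read it back to the user (para 6a(11)).
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Rank,
        [Parameter(Mandatory)][string]$UnitSection,
        [Parameter(Mandatory)][string]$Phone,
        [Parameter(Mandatory)][string]$Location,
        [Parameter(Mandatory)][string]$Computer,        # computer name or IP
        [Parameter(Mandatory)][ValidateSet('NIPR','SIPR','CENTRIX','VOIP')][string]$Network,
        [Parameter(Mandatory)][string]$Details,
        [string]$Comments = '',
        [string]$Area = 'General'                        # key into AreaPriority
    )
    $tickets = Get-TroubleTickets
    $number  = '{0:D5}' -f ($tickets.Count + 1)
    $ticket  = [pscustomobject]@{
        Ticket = $number; Received = (Get-Date).ToString('s')
        Name = $Name; Rank = $Rank; UnitSection = $UnitSection; Phone = $Phone
        Location = $Location; Computer = $Computer; Network = $Network
        Details = $Details; Comments = $Comments; Area = $Area
        Status = 'Open'; ContactAttempts = 0; Closed = ''
    }
    Save-TroubleTickets -Tickets ($tickets + $ticket)
    return $number
}

function Add-ContactAttempt {
    # Para 7c-e: log each attempt to reach the user. After three failed
    # attempts the ticket is closed and the user must open a new one.
    param([Parameter(Mandatory)][string]$Ticket, [switch]$Reached)
    $tickets = Get-TroubleTickets
    $t = $tickets | Where-Object { $_.Ticket -eq $Ticket }
    if (-not $t) { throw "Ticket $Ticket not found" }
    $t.ContactAttempts = [int]$t.ContactAttempts + 1
    if ($Reached) {
        $t.Status = 'Pending'                 # contact made, visit scheduled
    } elseif ($t.ContactAttempts -ge 3) {
        $t.Status   = 'Closed'
        $t.Closed   = (Get-Date).ToString('s')
        $t.Comments = ("$($t.Comments) No contact after 3 attempts; " +
                       'user must open a new ticket.').Trim()
    }
    Save-TroubleTickets -Tickets $tickets
    return $t.Status
}

function Get-DailyWorkList {
    # Para 7a: the list printed each day, highest-priority area first and
    # the oldest ticket first within an area.
    $rank = { if ($script:AreaPriority.ContainsKey($_.Area)) { $script:AreaPriority[$_.Area] } else { 99 } }
    Get-TroubleTickets | Where-Object { $_.Status -ne 'Closed' } |
        Sort-Object -Property @{ Expression = $rank }, Received
}

function Get-TicketTrends {
    # Counts tickets per topic keyword so recurring problems can be written
    # into the user smartpack. The keyword list is an assumed example.
    param([string[]]$Topics = @('antivirus', 'guardian edge', 'printer', 'share drive', 'password', 'vlan'))
    $tickets = Get-TroubleTickets
    $rows = foreach ($topic in $Topics) {
        $n = @($tickets | Where-Object { $_.Details -match [regex]::Escape($topic) }).Count
        [pscustomobject]@{ Topic = $topic; Tickets = $n }
    }
    $rows | Sort-Object Tickets -Descending
}

# Constructed sample usage (name, phone and computer name are made up).
$n = New-TroubleTicket -Name 'Doe' -Rank 'Cpl' -UnitSection 'G4' -Phone '3400-000' `
        -Location 'Bldg 26' -Computer 'CE-G4-014' -Network 'NIPR' `
        -Details 'Guardian Edge prompts for a password at every boot'
Add-ContactAttempt -Ticket $n                   # first attempt, no answer
Get-DailyWorkList | Format-Table Ticket, Area, Status, Name, Details -AutoSize
Get-TicketTrends  | Format-Table -AutoSize
```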

8. Receiving Computers for Configuration/Maintenance

a. Users will approach the helpdesk and fill out a detailed gear
receipt. The user and the helpdesk technician will do a
complete Stock List-3 inventory of all gear received at the
Helpdesk. This form is used for hard drives and other non-
laptop equipment that may be brought in to the help desk.

b. If the computer is to be configured for the CENTRIX network,
technicians will process the paperwork and then forward the
computer to LCpl Ricci for processing, at 318-3401-328.

c. When accepting equipment at the helpdesk, technicians will use
the following procedures:

(1) Complete the first page of the gear receipt sheet.

(2) Record a gear receipt number.

(3) Record user’s name, date, the unit/section, and phone
number on the appropriate lines.

(4) Record the computer brand/model/type, and serial
number, and whether it is a SIPR or NIPR computer.

(5) Record the number of power cables, hard drives, and
miscellaneous equipment on the appropriate lines.

(6) Have the customer verify the inventory and sign and

(7) Print your name, then sign and date the receipt.

(8) Document the description of the problem experienced or
procedure requested.

d. Fill out the second page:

(1) Record the gear receipt number and turn-in date.

(2) Record the computer brand/model/type and serial

(3) Record the number of power cables, hard drives
and miscellaneous equipment present.

(4) Give this page to the user. They will need this to
receive their equipment.

(5) Secure the first page with the equipment that the
customer relinquished to the helpdesk.

e. When the customer returns to pick up the equipment:

(1) Have the customer verify the equipment being picked


(2) The customer must then print their name, sign, and
date the “picked up by” portion of the sheet.

(3) The customer then prints their name, signs and dates
the maintenance log book.

(4) Return the equipment to the customer and retain both

pages of the gear receipt.

(5) Staple both pages together and place them in the gear
trouble ticket completed folder.

9. New Account Creation

a. When a customer arrives for a new account the following
procedures will be used:

(1) They are given an account request form.

a. The user fills out the top portion of the form
which includes name, SSN, rank, rotation date,
phone number, branch of service, unit/section, and

(i) The section they fill out tells whether
they are military, Federal Civilian, Contractor,
US citizen or not.

(ii) The section is for the account they
are requesting: “NIPR”, “SIPR”, or “CENTRIX”.

b. The next section is for the supervisor’s information:
name, rank, billet, and phone. This information is
filled out for a POC to inform the supervisor if
the user is flagged for doing something on the
domain he is not supposed to be doing.

c. The following information that needs to be filled
out is for the Security Manager only. If the user
needs a SIPR or CENTRIX account he is sent to the
security manager’s office to have it filled out.
When he returns he is then asked to fill out the
Information Assurance portion.

d. The last two pages need to be read and initialed by
the user. They explain what you will be able to
do and should not do on the network. At the bottom
of the last page the user must sign and date
indicating he has read and understands the
information. The account form is then turned in
and the account created.

b. Creating the Account

(1) Open Users and Computers.

(2) Double click on our domain (cemnf-wiraq).

(3) Double click on the “CEMNF” folder.

(4) Double click on the “user” folder.

(5) Highlight the folder that is named after the
corresponding unit that the user put down in the “CEMNF

a. If there is no folder for that unit, create a new

(i) Right click on the “Users” folder and click
“New Organizational Unit”.

(ii) The name of the folder will be the unit’s

b. If there is a folder for that unit:

(i) Go to “Action”.
(a) New User.

(ii) Fill in the required information.

(a) Under full name:
1. The “Unit” will always be “CE”.
2. The “Section” will be the folder
section name (i.e. the “Section”
for a user in the “G4” folder
will be G4).

(b) The default password will be:

1. 1qaz@WSX

(c) Ensure:
1. “User must change password at
next logon” is checked.

(d) Make sure to check the Exchange server
list of available servers and choose
the correct one according to the
user’s last name (i.e. Carleton
Richard A. would fall into CEMNF04E).

(e) “Finish”.

10. Deleting Accounts

a. All accounts will be deleted 15 days after the user(s) checks
out with the Help Desk, and deleted immediately at the user’s
request. After 30 days of account inactivity, or if instructed
by IA or G6 Data Chief:

(1) Open Active Directory Users and Computers.

(2) Open the domain.

(3) Search for the user’s name.

(4) Right click and select Delete.

(5) ***This will also delete the mailbox.***

b. Run the “30+ User Account” script on the share and it will
automatically delete users without account activity for more
than 30 days. To individually delete an account, you have to
search for that person’s account in Active Directory, right
click on the user’s account, and select “Delete”. This will
prompt you to make sure you wish to delete the user; click
“Yes.” Schedule the user’s mailbox for deletion upon deleting
the account.

11. Disabling Accounts

a. A user’s account may be disabled for a number of reasons:

(1) Abusing elevated privileges.

(2) Connecting unauthorized computers to the network.

(3) Accessing another user’s files or folders without

(4) Trying to or accessing computer systems with cracking

(5) When directed by IA.

(6) More than 30 days since the last login.

b. IA will direct the disabling of accounts from users who are
abusing their accounts.

12. Enabling Accounts

a. Enabling accounts is only permitted when directed by G6 IA, G6
Data Chief, or the SNCOIC. Check the user’s description and
billet for information on who disabled the account. Ensure you
know that the original issue was resolved before re-enabling
the account. After disabling an account, do not re-enable
until directed by IA or the G6 Data Chief.

b. When not to re-enable

(1) When the description says MEF IA.

(2) IA will direct the action of all accounts that are


13. Resetting Passwords

a. The user must show proof that the account in question is his
(I.D. must be shown).

b. Over the phone only when the situation is out of the
help desk control (i.e. G6 approves it, user is out of the
immediate area, etc.).

14. Unauthorized access

a. Reporting procedures:

(1) If anyone is caught abusing their privileges or
gaining access into laptops or the CE network through
unconventional methods (i.e. using ERD Commander or
similar cracking software, network sniffers, etc.) they
will be reported to G6 IA.

b. Actions to take

(1) Disable account, note in the description “MEF IA”

(2) Notify G6 IA and Data Chief

15. Mail Box Size Limits

a. All Users will get 50 MB.

b. Billet accounts will get 250 MB.

c. Generals and the Chief of Staff will get unlimited accounts.

16. Mailbox Access

a. Send on Behalf

(1) How is this granted? Open the properties of a user in
Active Directory, go to the “Exchange General” tab.
Click on “Delivery Options” and add their name in the
send on behalf of box.

(2) Why? Marines must have a reason to send on behalf of
another. If they are filling a billet, they can get
“send on behalf” of that billet by letting us know
that they stand post. If a Marine wishes to send on
behalf of another Marine, both Marines must come to
the helpdesk, and provide good reason and their ID
cards before this permission is granted.

(3) Who authorizes this? The mailbox owner themselves, or
requests that are approved by the G6. Most requests
will come from the G6.

b. Mailbox rights

(1) How is this granted? Go to the “Exchange Advanced” tab
of the user’s property page in Active Directory. There
will be a “Mailbox Rights” button. Click it, add
the user you wish to have account access, and set
their permissions. Click on Apply once the proper
level of control has been applied. The user will have
to set Outlook to access the account after these
permissions have been set.

(2) Who authorizes this? G6 or Marines at the window with
a legitimate reason, i.e. if they have billet mail, and
are going out of the AOR for a while, and another
Marine needs access to it. The Marine must have their
17. Disposal of Hard Drives

a. When a non-working hard drive has been identified at the
Helpdesk, we will open an ERO for that piece of equipment,
including the hard drive serial number. After maintenance
has checked for failure, maintenance will replace the hard
drive and return the equipment to the Helpdesk, including
the failed hard drive.

b. The Helpdesk will notify the user when the equipment and
failed hard drive are ready for pick up; it will be the user’s
responsibility to dispose of the hard drive.

c. If the user has any questions about how to dispose of hard
drives he can contact the security manager at 3404-152.

27 APR 2013



1. Without the aid of reference and given a Command and
Control (C2) System, identify in writing the purpose of
the C2 System, per MCWP 3-40.2. (0602-PLAN-1101aq)

2. Without the aid of reference and given a warfighting
function, match a software application used to support
command and control to its corresponding warfighting
function, per MCWP 3-40.2. (0602-PLAN-1101ar)

3. Without the aid of reference and given a Command and
Control (C2) System, identify in writing the
communication planning considerations of the C2 System,
per MCWP 3-40.3. (0602-PLAN-1101as)

Command and Control

What is Command and Control (C2)?

“The exercise of authority and direction by a properly
designated commander over assigned and attached forces in
the accomplishment of the mission. C2 functions are
performed through an arrangement of personnel, equipment,
communications, facilities, and procedures employed by a
commander in planning, directing, coordinating, and
controlling forces and operations in the accomplishment
of the mission.” DoD Dictionary of Military Terms

“…command is the exercise of authority and control is the
feedback provided by subordinates…This feedback indicates
the difference between the unit’s goals and the situation
as it exists on the ground.” MCDP 6

Command and Control, Cont’d

“No single activity in military operations is more important
than C2.” Joint Pub 6-0

C2, alone, will not defeat the enemy. However,
operational success would not be possible without
effective C2.

C2 encompasses all military functions and operations,
synchronizing them into a meaningful whole.

C2 Applications

What are they?
- Variety of software/hardware enabling C2

Who owns them?
- Some owned by Occupational Field
- Others generally used across the MAGTF

Who uses them?
- Some used specifically by individual staff members
- Some broadly used by all staff members within the COC

C2 Applications in the COC

COP/CTP (Common Operational Picture/Common Tactical Picture)

– GCCS-J – Global Command and Control System – Joint
– IOSv1 – Intelligence Operations Server Version 1
– C2PC – Command and Control Personal Computer
– BFT – Blue Force Tracking
– CPOF – Command Post of the Future (COP Viewer)
– FalconView
– GCSS-MC – Global Combat Service Support System –
Marine Corps
– CLC2S – Common Logistics Command and Control System
– TCPT – Transportation Capacity Planning Tool
– BCS3 – Battle Command Support Sustainment System
– AFATDS – Advanced Field Artillery Tactical Data System
– JADOCS – Joint Automated Deep Operations Coordination
– TLDHS – Target Location, Designation, and Handoff
– PSS-SOF – Precision Strike Suite – Special Operations
– TBMCS – Theater Ballistic Missile Core System
– MarineLink
– IAS – Intelligence Analysis Systems
– BAT/HIIDE – Biometric Automated Toolset/Hand-held
Interagency Identification Detection Equipment
– COIC Tools – Counter-IED Operations Integration Center
– SharePoint
– Transverse (Chat)

Other: You will see other applications and tools used in a
Coalition environment.

COP Management

[Figure: Global COP management hierarchy. Labels as shown: Worldwide
Center TOP COP; Theater Commander Top COP (GCCS Server); Commander
COP/CTP (IOS v1).]

Global Command and Control System – Joint (GCCS-J)

The Global Command and Control System – Joint (GCCS-J) enhances
information superiority and supports the operational concepts of
full-dimensional protection and precision engagement. It fuses
select C2 capabilities into a comprehensive, interoperable
system by exchanging imagery, intelligence, status of forces,
and planning information. GCCS-J offers vital connectivity to
the systems the joint warfighter uses to plan, execute, and
manage military operations.

GCCS-J consists of hardware, software, procedures, standards,
and interfaces to provide worldwide connectivity. The system
uses the Defense Information Systems Network (DISN) and must
work over tactical communication systems to ensure connectivity
with deployed forces in the tactical environment. GCCS-J employs
an open system client/server architecture that allows a diverse
group of commercial-off-the-shelf (COTS) and
government-off-the-shelf (GOTS) software packages to operate at any GCCS-J

Intelligence Operations Server Version 1 (IOSv1)

The IOSv1 is a server fielded to the Regt and above. The IOSv1
server collects track data from subordinate units to populate
GCCS-J. One of the primary features of the IOSv1 is the Track
Database Manager (TDBM). The TDBM collects, indexes, and
disseminates track information from a variety of sources to
create the COP.

Command and Control Personal Computer (C2PC)

C2PC provides map overlays, friendly unit locations with status
and plans of intended movement, and hostile unit locations.
Additionally, C2PC allows rapid information exchange between
staff sections, adjacent, subordinate, and higher headquarters.

Command Post of the Future (CPOF)

CPOF provides near real-time collaboration. CPOF uses a typical
client-server application, though it includes a distributed set
of servers hosted across multiple machines providing services
such as data repositories and Voice over IP (VOIP) services.
CPOF offers a shared personal workspace and two or three
dimensional map views.

Force XXI Battle Command Brigade and Below – Blue Force Tracking

BFT is a battle command information system designed for units
performing missions at the tactical level. BFT displays the
relevant SA picture of the battlefield. Information passed over
FBCB2-BFT uses the L-Band satellite network.


FalconView

FalconView is an open-source software mapping application that
displays various kinds of digital map data (aeronautical charts,
images, elevations, etc.) and associated geographically
referenced overlays. These overlays are oriented toward the
mission planning functions of aviators and aviation support


Theater Battle Management Core System (TBMCS)

The Theater Battle Management Core System (TBMCS) is a theater
and tactical level automated information system. It is used
throughout the Marine Air Command and Control System (MACCS), as
well as by other services, to allocate aircraft sorties, plan
aircraft missions, and then disseminate the Air Tasking Order
(ATO) message mission tasking for unit flight scheduling and
mission planning by aircrews, concluding with mission
monitoring and mission assessment. TBMCS, in conjunction with the
Communications Data Link System (CDLS), is the equipment suite
that supports the Tactical Air Command Center (TACC).

Joint Automated Deep Operations Coordination System (JADOCS)

JADOCS is the baseline for the Naval Fires Control System
(NFCS). JADOCS is also a major segment of the intelligence
application package for Theater Battle Management Core System
functionality at wing and squadron level. Key integration
functions within JADOCS are Counterfire Common Operational
Picture (CF-COP), Joint Battlespace Management, Coalition
Coordination and Integration, Air Interdiction (AI) Planning and
Execution, Fire Support Coordination Measures Analysis, and
Battlespace Visualization.

Advanced Field Artillery Tactical Data System (AFATDS)

AFATDS provides an automated capability for fire planning,
tactical fire direction, and fire support coordination at the
firing battery, fire direction center (FDC), and fire support
coordination center (FSCC). AFATDS assists the commander in
improving tactical planning and control of supporting arms
operations. The Effects Management Tool (EMT) provides an
injector for C2PC, which provides track data enabling increased
Target Location, Designation, and Hand-off System (TLDHS)

The Target Location, Designation, and Handoff System (TLDHS) is
a modular, man-portable equipment suite that provides the
ability to quickly acquire targets in day, night, and
near-all-weather visibility conditions. Operators are able to
accurately determine their own location as well as that of their
targets, digitally transmit (hand-off) data to supporting arms
elements, and designate targets for laser-seeking Precision Guided
Munitions (PGM) and Laser Spot Trackers (LST).

The TLDHS is fielded to FO Teams, Naval Gunfire Spot Teams,
Tactical Air Control Parties (TACPs), and Reconnaissance Teams.
Background: Forward Observers (FOs) and Forward Air Controllers
(FACs) provide observation for indirect fire and Close Air
Support (CAS) to supported maneuver units of the Marine
Air-Ground Task Force (MAGTF). These fire support
observers/controllers require Target Acquisition capabilities in
all levels of visibility. They must possess the ability to
accurately locate themselves, hand targets off to fire support
agencies in an automated form, and designate targets for both
laser spot tracking and laser-seeking Precision Guided Munitions
TLDHS is composed of a Military Ruggedized Tablet running
Strikelink software and associated equipment. Associated
equipment includes the AN/PRC-117F Radio (PRC-117F), Power
Distribution Device (PDD), CD/DVDR/W Drive, External USB Hard
Drive and associated cables. The Common Laser Range Finder
(CLRF) is an integral part of the operational system; however,
it is not a component of the end item.

Precision Strike Suite – Special Operations Forces (PSS-SOF)

PSS-SOF employs a GPS receiver to verify user location. The user
then uses a laser to “lase” a potential target, so he can see
the target on grid coordinates and also on a map display. PSS-
SOF then draws on three-dimensional imagery from the National
Geospatial-Intelligence Agency so the Marine can see whether the
target he’s about to shoot is correct. If the location is wrong,
that Marine can drag and drop an icon on his computer screen to
the correct location so that a precise munition can be called to
fire at the target. Target location can be accurate within 10
meters using imagery. Because it depends on stock imagery that
is not updated, the system cannot be used for mobile targets.
Rather, it is best used to attack buildings or other fixed
structures where insurgents may be located during a specific

Counter-IED Operations Center (COIC) Tools

The COIC was established in August 2006 and directly serves
warfighter efforts to focus attacks on enemy networks employing
IEDs. A vital Attack the Network (AtN) initiative, the COIC is a
disruptive change agent to energize the warfighter’s ability to
gain access to seemingly disparate information and data sources
to create vital, common operating pictures. The COIC also
provides an avenue for strategic reachback to collaborative,
fused, multi-source analysis and innovation across critical DoD,
government, industry, and academic organizations and agencies.

The COIC leverages existing information and provides strategic
capabilities in support of offensive operations against IED
networks. Through COIC’s fused intelligence products, formerly
highly classified intelligence is now available at the Secret
level, making it accessible to warfighters at the tactical
level. The COIC's architecture of partnerships includes more than
20 intelligence agencies and other federal agencies supporting
this effort and over 100 different databases of information.

Request for Support (RFS) Tracker

The RFS Tracker is a web-based tool that provides the Commander
reachback support to the COIC to fill an intelligence gap.
It also allows for a historical study of all previously
completed RFS/RFIs, which provides valuable data during IPB of

Web Geo-Browser

The Web Geo-Browser is a low-bandwidth situational awareness
data mining tool that displays and organizes the COIC multi-
intelligence core both spatially and temporally.

User-Defined Operational Picture (UDOP)

The UDOP serves as a situational awareness tool that allows the
user to display all operational and intelligence layers on the
Google Earth backbone. Users are also able to complete mission
planning overlays and export them for use in other programs. The UDOP
allows the user to select tracks from multiple sources and only
display what is needed by that unit/individual.

Global Name Recognition

Global Name Recognition allows the user to input an individual’s
name and search the COIC’s multi-intelligence core for any
reports containing that name. This program recognizes
Romanized, Arabic, Cyrillic, Latin, and Greek characters. The
user can search, analyze, and see different variations of names.

CellPack

CellPack analyzes and data mines a list of phone numbers and
returns the results in an HTML page. This tool allows the user
to extract data from a cell phone’s stored memory and SIM cards.
CellPack also allows the user to identify first-order
associations and has the ability to export to Analyst's Notebook
(Intel Analyst).

3D Dashboard

3D Dashboard is a standalone program that allows the user to
view and interact with 3D models of a specified battlespace. It
is primarily used for mission planning and AARs (a computer-
based 3D sand table).

Intelligence Analysis System (IAS) Family of Systems

The IAS FoS program consists of a three-tiered approach to
intelligence operations. The first tier, the MEF IAS, consists
of an M1152A1B2 with 101 trailer, BASE-X 305 tent, and
containerized stacked server suite, designed to support the
Intelligence Operations of the MEF CE. The second tier, the
IOSv2 and v3, is a team-portable system designed to support the
Intelligence Operations of the Div, Wing, MLG, Regiment, Group,
and MEU. The third tier, the IOWv2, is also a team-portable
system designed to support Intelligence Operations at the Bn and

The IAS is employed as the all-source intelligence system, and
together with other organic C2 systems will support the CCIRs
necessary for battlespace situational awareness and effective
tactical decision making across all MAGTF components.
Specifically, the IAS will support the PIRs of MAGTF and
component commanders by contributing an all-source visualization
of the battlespace and threat situation to the Common Tactical
Picture (CTP).

MarineLink

MarineLink is an intelligence support tool that was developed
for counterinsurgency (COIN) missions such as Operation Iraqi
Freedom (OIF) and Operation Enduring Freedom (OEF). It allows
military intelligence analysts to increase efficiency and save
time in cataloging, accessing, analyzing, and producing
intelligence data. MarineLink collects data from multiple data
sources via adaptors, which is then viewed and analyzed on one unified
Graphical User Interface (GUI). MarineLink queries, organizes,
sorts and filters the data, which it then displays on a map
showing geographical coordinates.

Biometrics Automated Toolset (BAT)/Handheld Interagency

Identification Detection Equipment (HIIDE)

The Biometrics System consists of three tiers: BAT-Client, BAT-
Server and the HIIDE. The BAT-Client collects and stores
biometric information, including fingerprints, iris
scans and facial images, and is able to “match” personnel
whose biometrics correspond to a record in stored data. The
HIIDE, an untethered, handheld device, is capable of collecting,
matching, and storing biometrics. The HIIDE can download to, and
be updated by, the BAT-Client. Information from networked BAT-
Clients is sent to BAT-Servers. The BAT-Servers update
other BAT-Servers and provide information to the biometrics
intelligence process for further analysis.

Global Combat Service Support – Marine Corps (GCSS-MC)

The mission of GCSS-MC is to provide capabilities that support
the physical implementation requirements and support discrete
performance measures necessary to accomplish enterprise
logistics transformation objectives. The Program Manager is
chartered to deliver integrated functionality and a logistics
SDE implemented through the maximum use of COTS and GOTS
software, enterprise application integration, middleware
software, and web portal software. The Program Manager acquires
capabilities that satisfy the Marine Corps Logistics
Transformation Plan and the Marine Corps Logistics Campaign
Plan. The GCSS-MC program, when fully implemented, will sustain
an enterprise strategy designed to enable business processes and
modernize information technology required to improve combat
effectiveness for 21st century expeditionary operations.

Battle Command Sustainment Support System (BCS3)

Battle Command Sustainment Support System (BCS3) is a map-
centric display on a commercial laptop that provides a technical
and visual picture of the battlefield. BCS3 allows In-Transit
Visibility (ITV) to be graphically displayed on the COP,
accessible across the entire supply chain, in order to enhance
decision-making abilities and better support operationally
deployed units.

Common Logistics C2 System (CLC2S)

Common Logistics Command and Control System (CLC2S) is a combat service
support management tool that provides a simple LogC2 capability.
CLC2S provides improved management and control of tactical-level
resources and services support requirements while providing the
MAGTF Commander and staff with an automated means to quickly
view the warfighting readiness posture via the battlespace
Common Operating Picture (COP).

Transportation Capacity Planning Tool (TCPT)

Transportation Capacity Planning Tool (TCPT) is a net-centric, web-
accessible tool that aids with the planning, tracking,
management, and execution of transportation-centric missions.
TCPT provides transportation and logistics commanders with
transportation capacity planning via a digital dashboard view of
all available transportation assets, mission requirements, and
essential elements of information to aid with executing their
current and future transportation missions.

Microsoft SharePoint

Microsoft SharePoint is designed as a centralized replacement
for multiple web applications and supports various combinations
of enterprise website requirements. It is typically associated
with web content management and document management systems.
SharePoint's multi-purpose platform allows for managing and
provisioning of intranet portals, websites, document management
and file management, collaboration spaces, social networking
tools, enterprise search, process/information integration, and
third-party developed solutions. SharePoint can also be used as
a web application development platform. SharePoint is designed
to be scalable. It is capable of supporting multiple
organizations on a single server farm. SharePoint provides
various methods for customization and configuration of web
areas, all of which have granular governance configurations.
Beyond basic page-editing, file-storing and custom design
capabilities, one of the more prevalent forms of configuration
is the ability to install third-party customizations called web

Transverse (Chat Client)

Current chat and instant messaging (IM) solutions within the DoD
have created problems with information security and
interoperability. Though Extensible Messaging and Presence
Protocol (XMPP) is the only mandated chat and IM protocol in the
DoD, the majority of the military still operates alternate,
nonstandard solutions that prevent interoperability and lack
appropriate security assurances.

XMPP is a streaming XML protocol used for multi-user text chat
and Instant Messaging (IM). XMPP supports a large set of
administrative and user features valuable to military chat and
IM users. As an open standard, XMPP is also extensible to allow
for development of military-specific chat and IM requirements.
XMPP also provides significant extensibility to allow
for greater command and control and other operational

Transverse is the current chat client software loaded on the COC
software load. Transverse is supported by a server called
OpenFire. Chat tools in the Marine Corps have been changing
rapidly over the past few years due to Information Assurance
(IA) mandates. In theater, units are using several different
chat clients, which can quickly become confusing. As the S-6,
ask questions within the communications community to determine
what chat tool you will use and ensure you are able to configure
the chat server in support of operations.
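The "security assurances" that the XMPP paragraphs above refer to rest on
one step of the protocol: after the XML stream opens, the server advertises
its stream features, and a standards-conforming client must not start SASL
authentication until TLS (STARTTLS, RFC 6120) protects the stream. The
Python below is an added example for this handout, not code from
Transverse, OpenFire, or any other program named here. It parses
constructed <stream:features> blocks (the element names and namespaces are
the ones RFC 6120 defines) and applies that client-side policy, refusing to
send credentials to a server that does not offer STARTTLS.

```python
"""Client-side check of an XMPP (RFC 6120) <stream:features> block.

Added example for the Transverse/XMPP handout; it is not code from
Transverse, OpenFire or any other product named in the handout. The
feature blocks below are constructed to resemble what a server sends
right after the client opens the stream.
"""
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample: the server offers STARTTLS and marks it mandatory.
FEATURES_TLS_REQUIRED = """
<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>SCRAM-SHA-1</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>
"""

# Constructed sample: a misconfigured (or hostile) server that skips
# STARTTLS and invites the client to send a PLAIN password in the clear.
FEATURES_NO_TLS = """
<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>
"""

# Constructed sample: features on the restarted stream once TLS is up.
FEATURES_AFTER_TLS = """
<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>SCRAM-SHA-1</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>
"""

# Preference order for SASL once TLS protects the stream (assumed policy).
PREFERRED_MECHANISMS = ("SCRAM-SHA-256", "SCRAM-SHA-1", "PLAIN")


def parse_features(xml_text):
    """Return (starttls_offered, starttls_required, [sasl mechanisms])."""
    # ElementTree keeps the example dependency-free; code that parses XML
    # from untrusted peers should use defusedxml or a similarly hardened parser.
    root = ET.fromstring(xml_text.strip())
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    offered = starttls is not None
    required = offered and starttls.find(f"{{{NS_TLS}}}required") is not None
    mechanisms = [
        m.text.strip()
        for m in root.iterfind(f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism")
        if m.text
    ]
    return offered, required, mechanisms


def next_step(xml_text, tls_active):
    """Decide what the client sends next, given the server's features.

    Policy: never begin SASL on a stream TLS does not protect, even if the
    server would accept it; on a protected stream, pick the strongest
    mechanism the server lists.
    """
    offered, _required, mechanisms = parse_features(xml_text)
    if not tls_active:
        if offered:
            return "send <starttls/>"  # then expect <proceed/> and handshake
        return "abort: no STARTTLS offered; refusing to authenticate in the clear"
    for mech in PREFERRED_MECHANISMS:
        if mech in mechanisms:
            return f"auth {mech}"
    return "abort: no acceptable SASL mechanism"


if __name__ == "__main__":
    print(next_step(FEATURES_TLS_REQUIRED, tls_active=False))
    print(next_step(FEATURES_NO_TLS, tls_active=False))
    print(next_step(FEATURES_AFTER_TLS, tls_active=True))
```

Run stand-alone, the script prints the client's decision for each sample.
The `required` flag that `parse_features` returns is the server-side half
of the same check: a chat server set up for operations should advertise
`<starttls>` with `<required/>` rather than as optional, so that a
nonstandard client cannot negotiate its way down to sending credentials in
the clear.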


C2 applications continue to evolve with technological advances.
There are efforts to make applications more intuitive for the
user. CD&I and MARCORSYSCOM are pursuing efforts to create a
Service-Oriented Architecture/Environment. The Marine Corps is
also evaluating establishing a C2 MOS. Training on most of these
applications is available at the local MISTC. Although this is
not your primary responsibility as the S-6, familiarity with the
tools is highly recommended.


• MCDP 1-0 Marine Corps Operations
• MCDP 6 Command and Control
• MCWP 3-40.2 Information Management
• Digital COC SOP for Battalion Operations in Irregular
Warfare, September 2009

27 APR 2013


1. Without the aid of reference, state the purpose of the
AN/TSQ-239(V)3 / (V)4 Combat Operations Center (COC), per the COC
Interactive Electronic Technical Manual (IETM). (0602-MNGT-


This student handout will discuss the Combat Operations Center
mission and concept of employment. The focus of this handout will be
on employment of the COC from a communicator’s perspective. This will
include an understanding of the assets made available in a Capability
Set III COC and a Capability Set IV COC (Capability Set II is beyond the
scope of this discussion) and the employment of those assets to support
the Commander’s mission, including proper setup and support of the COC
T3 (Tents, Trailers, and Tables). Network signal flow within the COC
will be addressed to facilitate a better understanding of the
capabilities and limitations of the communications assets provided by
the COC.

Combat Operations Center (COC) Mission

    The mission of the COC is to provide centralized command and
control facilities for the unit Commander. The COC functions primarily
as an information processing center for message traffic, reports, and
orders. The purpose of the AN/TSQ-239 Combat Operations Center is to provide
an expeditionary, centralized command and control facility for the
unit Commander. The COC must act, direct, inform, and decide based on that
information. An efficient COC communicates well both internally and
externally. The functions of the COC include, but are not limited to:
• Helps the Commander Observe, Orient, Decide, and Act.
• Sets the conditions for success for subordinate units.
• Provides information that assists the commander in the command
and control of the regiment.
• Helps the commander and the staff to plan, prepare, and execute
the fight.
• Integrates and leverages the six Warfighting Functions: C2,
Intelligence, Maneuver, Fires, Logistics, and Force Protection.
• Manages the information flow throughout the regiment.
• Manages the unit’s battlespace: Deep, Close, Rear.
• Directs and controls fires.
• Synchronizes combat service support operations.
• Maintains contact with higher, adjacent, and supporting units.
• Establishes and manages the unit’s battle rhythm.

Combat Operations Center (Concept of Employment):

The Marine Corps deploys Marine forces throughout the world to
fulfill operational requirements, often in joint and combined-forces
environments. The COC provides mobile facilities for C2 for the
commander and staff of the Command Element (CE), Ground Combat
Element (GCE), Combat Service Support Element (CSSE), and elements of
the Aviation Combat Element (ACE), from the component to the battalion
levels of command, and to the subordinate Combat Service Support
Detachment (CSSD) level within the Force Service Support Group (FSSG).
The COC provides the commander with common operational and
tactical information to conduct staff planning and analytical and
intuitive decision-making within the capability of existing TDSs. The
direction and control of unit operations will be exercised primarily
through this center. In case of the CSSE, the COC will function as a
Combat Service Support (CSS) Operations Center (CSSOC) and support
applicable logistics and C2 systems. The COC provides a mobile
facility for the First In Command and Control System (FICCS) mission.
The COC is intended to present, display, and communicate the Marine
commander’s required C2 information during all aspects of
Expeditionary Maneuver Warfare (EMW).
The COC systems support all MAGTF missions from Small Scale
Contingencies (SSC) on one extreme to general war on the other,
including Operational Maneuver From The Sea (OMFTS), Ship-to-Objective
Maneuver (STOM), and Extended Operations Ashore (EOA). COCs allow
commanders at all levels of command to inter-operate with other
service/agency components, host nation governments, non-government
agencies, and joint, combined, and coalition headquarters.
COCs minimize the number of distinct equipment configurations (to
improve logistics supportability) while maximizing operational
flexibility and suitability for the required echelon-specific
functionality. Units have the capability to mix COC platforms in
various combinations and quantities to meet the cumulative
capabilities of each unit and its displacement echelons.
COCs host and interface with common organizational communication
systems in order to send and receive information. The common equipment
utilized with the COC are capable of stand-alone operation if required
outside the COC shelter suite. COCs interface to the following
systems: Advanced Field Artillery Tactical Data System (AFATDS),
Command Post of the Future (CPOF), other Combat Operations Centers /
Common Aviation Command and Control Systems (COC / CAC2S),
Expeditionary Fighting Vehicle (EFV), Tactical Data Networks (TDN),
and other COCs.

Common COC Standard Operating Procedures

• Primary staff will not leave the COC unless they have checked out
with either the WO or the OpsO, per the CO’s guidance.

• All personnel located in the vicinity of the COC will camouflage
their individual equipment.

• All sections will park their vehicles under camouflage nets.

• Ensure timely posting of significant events.

• White light is prohibited in the vicinity of the COC.

• Sections will consolidate sleep areas behind their assigned
position, per the HQ Commandant’s guidance.

• Challenge and password will be strictly enforced.

• All reflective surfaces will be covered daily.

• Weapons will be field stripped and cleaned daily.

• The Operations Chief will determine the uniform requirements
inside the COC.

• All sensitive items will remain with the individual to whom they
are assigned.

• All work areas will be maintained neat and clean at all times.

• All personnel are required to be seated 5 minutes prior to the
start of any scheduled meeting or briefing.

• When the command "attention in the COC” is sounded, all talking
will stop and the staff’s 100% attention will be directed toward the
Watch Officer/Watch Chief and standby for FOE (prioritization of

• No personal books or magazines are allowed in the COC.

• Ensure that each section performs serialized equipment checks,
and that all serialized equipment is accounted for before each
shift change.

• Leaders will be attentive to the noise that surrounds the COC.
There will be no side conversations in the COC unless they pertain
to the operations.

• There is a constant sharing of information between sections;
voice tones and volume must be regulated to ensure that all
information is clearly received and understood by all members of
the COC.

Systems Overview of a Combat Operations Center (COC)

The COC provides Command Post (CP) mobile facilities hosting and
interfacing with Tactical Data Systems (TDS) across Marine Corps
Command echelons and enables the interaction and flow of information
between various staff members within a CP. To provide these
capabilities to the commander and command staff, COCs contain power
generation, environment control, and communications equipment in a
package that can be rapidly moved to keep pace with the battle.

Combat Operations Center (COC) Assets (V)3 / (V)4:

In order to provide the command and communications capabilities
required by different levels of command, different configurations of
the COC are available. Each COC configuration uses a common set of
equipment, varying mainly by the quantities supplied with each CAPSET.

COC CapSet (V)3:

• Tents: (1) 303 Tent 18’ x 15’, (2) 305 Tents 18’ x 25’

• GETT (Generator, Environmental Control Unit (ECU), Tent
Trailer): (2)

• Operations Trailer (OT): (1)

• Tables: (8)

• Chairs: (16)

• Field Safe: (1)

• Map Boards: (3)

• Plotter: (1)

• Copier (B/W): (1)

• Printers: (3) regular and (1) medium format

• Scanner: (1)

• Shredder: (1), approved for classified document shredding

• Projectors: (2)

• Smartboards: (2)

• Uninterruptible Power Supplies (UPS): (5) total; (3) on Ops
Trailer, (1) for Tent, (1) for Antenna Hill

• Backup UPS Batteries: (4) total; (3) on Ops Trailer, (1) for the

• Antenna Hill Generator: (1)

• Digital Switching Unit-1 (DSU-1): (1)

• Digital Switching Unit-2 (DSU-2): (2)

• DVD Player: (1)

• Outdoor PA Speaker: (1)

• Video Teleconferencing System (VTC): (1)

• Phone Breakout Boxes: (1) 4-wire and (1) 2-wire

• IP Phones: (2)

• Data Transmit Case: (1) case; contains Fiber Optic Modem (FOM)
and KIV-7s.

• Routers / Servers: (3) total; (1) Classified on Ops Trailer, (1)
Unclassified on Ops Trailer, (1) Coalition for tent. The Classified
and Unclassified routers contain servers for domain use; the
Coalition router does not contain a server.

• Switches: (5) total; (4) Classified (1 on the Ops Trailer, 2 for
the tent, 1 for Antenna Hill) and (1) Unclassified on the Ops Trailer

• Network Attached Storage (NAS): (1)

• Unix Servers: (2) Global Command and Control System (GCCS) /
Intelligence Operating System (IOSv1) servers

• Intelligence Operating System Version 3 (IOSv3) Server: (1)

• IP KVM: (1)

• Command Post of the Future (CPOF) Server Suite: (1); COCv3
contains a (3) server suite

• Video Server (Jupiter): (1)

• Client Workstations: (19) total; (16) Classified, (2)
Unclassified, (1) Coalition

• USB Audio Adapter (UAA): (6) total kits, including (6) laptops,
(6) headsets, (6) J-Boxes and corresponding connectors.

• Maintenance Workstations: (2) total; (1) Classified, (1)


COC CapSet (V)4:

• Tents: (1) 303 Tent 18’ x 15’, (1) 305 Tent 18’ x 25’

• GETT (Generator, Environmental Control Unit (ECU), Tent
Trailer): (1)

• Operations Trailer (OT): (1)

• Tables: (4)

• Chairs: (8)

• Field Safe: (1)

• Map Boards: (3)

• Plotter: (0)

• Copier (B/W): (1)

• Printers: (2) regular and (1) medium format

• Scanner: (1)

• Shredder: (1), approved for classified document shredding

• Projectors: (1)

• Smartboards: (1)

• Uninterruptible Power Supplies (UPS): (4) total; (3) on Ops
Trailer, (1) for Antenna Hill

• Backup UPS Batteries: (3) for Ops Trailer

• Antenna Hill Generator: (1)

• Digital Switching Unit-1 (DSU-1): (1)

• Digital Switching Unit-2 (DSU-2): (2)

• DVD Player: (1)

• Outdoor PA Speaker: (1)

• Video Teleconferencing System (VTC): (1)

• Phone Breakout Boxes: (1) 4-wire and (1) 2-wire

• IP Phones: (2)

• Data Transmit Case: (1) case; contains Fiber Optic Modem (FOM)
and KIV-7s.

• Routers / Servers: (2) total; (1) Classified on Ops Trailer, (1)
Unclassified on Ops Trailer. Both the Classified and Unclassified
routers contain servers for domain use.

• Switches: (4) total; (3) Classified (1 on the Ops Trailer, 1 for
the tent, 1 for Antenna Hill) and (1) Unclassified on the Ops Trailer

• Network Attached Storage (NAS): (1)

• Unix Servers: (0)

• Intelligence Operating System Version 3 (IOSv3) Server: (0)

• IP KVM: (1)

• Command Post of the Future (CPOF) Server: (1) server

• Video Server (Jupiter): (1)

• Client Workstations: (8) total; (6) Classified, (2) Unclassified

• USB Audio Adapter (UAA): (6) total kits, including (6) laptops,
(6) headsets, (6) J-Boxes and corresponding connectors.

• Maintenance Workstations: (2) total; (1) Classified, (1)


a. AN/TSQ-239(V)3 (V)4 IETM
b. MCDP 1-0 Marine Corps Operations
c. Digital COC SOP for Battalion Operations in Irregular