6425A
Configuring Windows Server 2008 ®
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, Excel, Internet Explorer, Jscript, MSDN, NetMeeting, PowerPoint,
SharePoint, SQL Server, Visual Basic, Visual Studio, Win32, Windows, Windows Media, Windows NT,
Windows PowerShell, Windows Server and Windows Vista are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
Released: 10/2007
If you comply with these license terms, you have the rights below.
1. OVERVIEW.
Licensed Content. The licensed content includes software, printed materials, academic materials
(online and electronic), and associated media.
License Model. The licensed content is licensed on a per copy per device basis.
2. INSTALLATION AND USE RIGHTS.
a. Licensed Device. The licensed device is the device on which you use the licensed content. You
may install and use one copy of the licensed content on the licensed device.
b. Portable Device. You may install another copy on a portable device for use by the single
primary user of the licensed device.
c. Separation of Components. The components of the licensed content are licensed as a single
unit. You may not separate the components and install them on different devices.
d. Third Party Programs. The licensed content may contain third party programs. These license
terms will apply to your use of those third party programs, unless other terms accompany those
programs.
3. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Media Elements and Templates. You may use images, clip art, animations, sounds, music,
shapes, video clips and templates provided with the licensed content solely for your personal
training use. If you wish to use these media elements or templates for any other purpose, go to
www.microsoft.com/permission to learn whether that use is allowed.
b. Academic Materials. If the licensed content contains academic materials (such as white papers,
labs, tests, datasheets and FAQs), you may copy and use the academic materials. You may not
make any modifications to the academic materials and you may not print any book (either
Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des
clauses dans ce contrat sont fournies ci-dessous en français.
EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ».
Toute utilisation de ce contenu sous licence est à votre seule risque et péril. Microsoft n’accorde aucune
autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la
protection dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit
locale, les garanties implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de
contrefaçon sont exclues.
LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES
DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de
dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation
pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de
bénéfices.
Cette limitation concerne:
• tout ce qui est relié au le contenu sous licence , aux services ou au contenu (y compris le code)
figurant sur des sites Internet tiers ou dans des programmes tiers ; et
• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité
stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.
Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel
dommage. Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages
indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus
ne s’appliquera pas à votre égard.
EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres
droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les
lois de votre pays si celles-ci ne le permettent pas.
Contents
Module 1: Implementing Active Directory® Domain Services
Lesson 1: Installing Active Directory Domain Services 1-3
Lesson 2: Deploying Read-Only Domain Controllers 1-14
Lesson 3: Configuring AD DS Domain Controller Roles 1-22
Lab: Implementing Read-Only Domain Controllers and Managing
Domain Controller Roles 1-29
Course Description
The purpose of this 5-day course is to teach Active Directory Technology
Specialists how to configure Active Directory Domain Services in a distributed
environment, implement Group Policies, perform backup and restore, and monitor
and troubleshoot Active Directory related issues. After completing this course,
students will be able to implement and configure Active Directory domain services
in their enterprise environment.
Audience
The primary audience for this course are Active Directory Technology Specialists,
Server Administrators, and Enterprise Administrators who want to learn how to
implement Active Directory in a distributed environment, secure domains using
Group Policies, and perform backup, restore, and monitor and troubleshoot Active
Directory configuration to ensure trouble free operation.
Student Prerequisites
This course requires that you meet the following prerequisites:
• Basic understanding of networking. For example, how TCP/IP functions,
addressing, name resolution (Domain Name System [DNS]/Windows Internet
Name Service [WINS]), and connection methods (wired, wireless, virtual
private network [VPN]), NET+ or equivalent knowledge.
• Intermediate understanding of network operating systems. For example,
Windows® 2000, Windows® XP, Windows® Server 2003 etc, the Windows
Vista® operating system client (nice to have).
• An awareness of security best practices. For example, file system permissions,
authentication methods, workstation and server hardening methods etc.
• Basic knowledge of server hardware. A+ or equivalent knowledge.
• Some experience creating objects in Active Directory.
ii About This Course
Course Objectives
After completing this course, students will be able to:
• Implement Active Directory® Domain Services (AD DS).
• Configure DNS for AD DS.
• Configure Active Directory® objects and trusts.
• Configure Active Directory sites and replication.
• Create and configure Group Policies.
• Configure user environments using Group Policies.
• Implement security using Group Policies.
• Implement an AD DS monitoring plan.
• Implement an AD DS maintenance plan.
• Troubleshoot Active Directory, DNS, and replication issues.
• Troubleshoot Group Policy issues.
• Implement an AD DS infrastructure.
About This Course iii
Course Outline
This section provides an outline of the course:
Module 1: This module discusses the prerequisite hardware and software required
for implementing Active Directory Domain Services, as well as the process for
installing it. It also defines what a read-only domain controller (RODC) is and how
to install it.
Module 2: This module covers DNS configuration specific to Active Directory.
Module 3: This module discusses how to implement and configure AD DS objects
and trusts.
Module 4: This module covers how to create and configure sites to manage
replication.
Module 5: This module covers how Group Policy objects (GPOs) work and how to
create and apply GPOs.
Module 6: This module discusses how to configure user desktop settings by using
Group Policies.
Module 7: This module describes how to configure security settings and apply
them using GPOs.
Module 8: This module describes how to monitor AD DS infrastructure and
services.
Module 9: This module discusses how to perform maintenance, backup, and
recovery of Active Directory servers and objects.
Module 10: This module covers how to troubleshoot and resolve issues related to
Active Directory, DNS, and replication.
Module 11: This module describes how to troubleshoot and resolve issues related
to Group Policy.
Module 12: This module is a day-long lab. You are given scenarios that will help
you learn how to create a solution from start to end.
iv About This Course
Course Materials
The following materials are included with your kit:
• Course handbook. The Course handbook contains the material covered in class.
It is meant to be used in conjunction with the Course Companion CD.
• Course Companion CD. The Course Companion CD contains the full course
content, including expanded content for each topic pages, full lab exercises
and answer keys, topical and categorized resources and Web links. It is meant
to be used both inside and outside the class.
Note To access the full course content, insert the Course Companion CD into the CD-
ROM drive, and then in the root directory of the CD, double-click StartCD.exe.
• Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.
Important: At the end of each lab, you must close the virtual machine and must not
save any changes. To close a virtual machine without saving the changes, perform
the following steps: 1. On the host computer, click Start, point to All Programs,
point to Microsoft Virtual Server, and then click Virtual Server Administration
Website. 2. Under Navigation, click Master Status. For each virtual machine that is
running, point to the virtual machine name, and, in the context menu, click Turn off
Virtual Machine and Discard Undo Disks. Click OK.
The following table shows the role of each virtual machine that this course uses:
6425A-MIA-RODC 6425A-MIA-RODC
Software Configuration
The following software is installed on each virtual machine:
• Windows Server 2008 Enterprise; Windows Vista
Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way.
Module 1
Implementing Active Directory® Domain
Services
Contents:
Lesson 1: Installing Active Directory Domain Services 1-3
Lesson 2: Deploying Read-Only Domain Controllers 1-14
Lesson 3: Configuring AD DS Domain Controller Roles 1-22
Lab: Implementing Read-Only Domain Controllers and Managing
Domain Controller Roles 1-29
Module Overview
Lesson 1:
Installing Active Directory Domain Services
Windows Server 2008 provides several ways to install and configure Active
Directory Domain Services. This lesson describes the standard AD DS installation,
and then also describes some of the other options that are available when
performing the installation.
Key Points
To install Active Directory Domain Services, the server must meet the following
requirements:
Windows Server 2008 operating system must be is installed. AD DS can only be
installed on the following editions:
• Windows Server 2008, Standard Edition
• Windows Server 2008, Enterprise Edition
• Windows Server 2008, Datacenter edition
Additional Reading
• Active Directory Domain Services Help: Installing Active Directory Domain
Services
• Microsoft Technet article: Requirements for Installing AD DS
Key Points
In Windows Server 2008, forest and domain functionality provides a way to enable
forest-wide or domain-wide Active Directory features in your network environment.
Different levels of forest and domain functionality are available, depending on
domain and forest functional level.
Additional Reading
• Active Directory Domain Services Help: Set the domain or forest functional
level
• Microsoft Technet article: Appendix of Functional Level Features
AD DS Installation Process
Key Points
To configure a Windows Server 2008 domain controller, you must install the AD
DS server role and run the Active Directory Domain Services Installation wizard.
Do this using one of the following processes:
• Install the Server role by using Server Manager, and then run the installation
wizard by running DCPromo or the installation wizard from Server Manager.
• Run DCPromo from the Run command or a command prompt. This will
install the AD DS server role and then start the installation wizard.
Additional Reading
• Active Directory Domain Services Help: Installing Active Directory Domain
Services
• Microsoft Technet article: Installing a New Windows Server 2008 Forest and
Scenarios for Installing AD DS
Key Points
Some of the Active Directory Domain Services Installation Wizard pages appear
only if you select the Use advanced mode installation check box on the Welcome
page of the wizard or by running DCPromo with the /adv switch. If you do not run
the installation wizard in advanced mode, the wizard uses default options that
apply to most configurations.
Question: When would you use the advanced options mode in your organization?
Additional Reading
• Active Directory Domain Services Help: Use advanced mode installation
• Microsoft Technet article: What's New in AD DS Installation and Removal
Key Points
Before you can use backup media as the source for installing a domain controller,
use Ntdsutil.exe to create the installation media.
Question: Which types of installation media will you use in your organization?
Additional Reading
• Microsoft Technet article: Installing AD DS from Media
Question: What steps would you take if you noticed that the domain controller
installation failed?
Additional Reading
• Microsoft Technet article: Verifying an AD DS Installation
• Microsoft Technet article: Verifying Active Directory Installation
Key Points
To install a new Windows Server 2008 domain controller in an existing Windows
2000 Server or Windows Server 2003 domain, complete the following steps:
• If the domain controller is the first Windows Server 2008 domain controller in
the forest, you must prepare the forest for Windows Server 2008 by extending
the schema on the schema operations master. To extend the schema, run
adprep /forestprep. The adprep tool is located on the Windows Server 2008
installation media.
• If the domain controller is the first Windows Server 2008 domain controller in
a Windows 2000 Server domain, you must first prepare the domain by
running adprep /domainprep /gpprep on the infrastructure master. The
gpprep switch adds inheritable access control entry (ACEs) to the Group
Policy Objects (GPO) that are located in the SYSVOL shared folder and
synchronizes the SYSVOL shared folder among the controllers in the domain.
• If the domain controller is the first Windows Server 2008 domain controller in
a Windows Server 2003 domain, you must prepare the domain by running
adprep /domainprep on the infrastructure master.
• After you install a writeable domain controller, you can install an RODC in the
Windows Server 2003 forest. Before doing this, you must prepare the forest by
running adprep /rodcprep. You can run adprep /rodcprep on any computer in
the forest. If the RODC will be a global catalog server, then you must run
adprep /domainprep in all domains in the forest, regardless of whether the
domain runs a Windows Server 2008 domain controller. By running adprep
/domainprep in all domains, the RODC can replicate global catalog data from
all domains in the forest and then advertise as a global catalog server.
Additional Reading
• Active Directory Domain Services Help: Installing Active Directory Domain
Services
• Microsoft Technet article: Installing a New Windows Server 2008 Forest:
• Microsoft Technet article: Scenarios for Installing AD DS
Key Points
To install AD DS on a Windows Server 2008 computer running Server Core, you
must use an unattended setup. Windows Server 2008 Server Core does not
provide a graphical user interface (GUI) so you cannot run the Active Directory
Domain Services installation wizard.
To perform an unattended install of AD DS, use an answer file and the following
syntax with the Dcpromo command:
Dcpromo /answer[:filename] Where filename is the name of your answer
file.
Additional Reading
• Microsoft Technet article: Appendix of Unattended Installation Parameters
Key Points
After installing a domain controller, you may need to perform additional tasks in
your environment. You can access checklists for the following common
configurations for AD DS in Server Manager, under Resources and Support.
Additional Reading
• AD DS Help: Common Configurations for Active Directory Domain Services
Lesson 2:
Deploying Read-Only Domain
Controllers
One of the important new features in Windows Server 2008 is the option to use
read-only domain controllers (RODCs). RODCs provide all of the functionality that
clients require while providing additional security for domain controllers deployed
in branch offices. When configuring RODCs, you can specify which user account
passwords will be cached on the server and configure delegated administrative
permissions for the domain controller. This lesson describes how to install and
configure RODCs.
Key Points
An RODC is a new type of domain controller that Windows Server 2008 supports.
An RODC hosts read-only partitions of the AD DS database. This means that no
changes can ever be made to the database copy that the RODC stores, and all AD
DS replication uses a one-way connection from a domain controller that has a
writeable database copy to the RODC.
Additional Reading
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
Key Points
See the list on the slide.
Additional Reading
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3
Key Points
Before you can install an RODC, you must prepare the AD DS environment by
completing the following steps:
• Configure the domain and forest functional level
• Plan for Windows Server 2008 domain controller availability
• Prepare the forest and domain
Additional Reading
• AD DS Help: Delegate read-only domain controller installation and
administration
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3
Key Points
The RODC installation is almost identical to the installation of AD DS on a domain
controller with a writeable copy of the database. However there are a few extra
steps.
Additional Reading
• AD DS Help: Delegate read-only domain controller installation and
administration
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3
Key Points
You can delegate the installation of an RODC by performing a two stage
installation.
Additional reading
• AD DS Help: Delegate read-only domain controller installation and
administration
• Microsoft Technet article: AD DS: Read-Only Domain Controllers:
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3:
Key Points
When deploy an RODC, you can configure a Password Replication Policy for the
RODC.
The Password Replication Policy acts as an access control list (ACL) that
determines if an RODC is permitted to cache a password.
The Password Replication Policy lists the accounts that you are allowing explicitly
to be cached and those that you are not. The passwords for any accounts are not
actually cached on the RODC until after the first time the user or computer
account is authenticated through the RODC.
Additional Reading
• AD DS Online Help: Specify Password Replication Policy
Additional Reading
• AD DS Help: Specify Password Replication Policy
Lesson 3:
Configuring AD DS Domain Controller
Roles
All domain controllers in a domain are essentially equal, meaning they all contain
the same data and provide the same services. However, you also can assign special
roles to domain controllers to provide additional services or address scenarios in
which only one domain controller should provide services at any given time. This
lesson describes how to configure and manage global catalog servers and
operations masters.
Key Points
The global catalog is a partial, read-only replica of all domain directory partitions in
a forest. The global catalog is a partial replica because it includes only a limited set
of attributes for each of the forest’s objects. By including only the attributes that are
used the most for searching, the database of a single global catalog server can
represent every object in every domain in the forest.
The global catalog server hosts the global catalog and its domain information.
Active Directory configures the first domain controller automatically in the forest as
a global catalog server. You can add global catalog functionality to other domain
controllers or change the default location of the global catalog to another domain
controller.
Additional Reading
• Microsoft Technet article: Domain Controller Roles
Key Points
Sometimes you may want to customize the global catalog server to include
additional attributes. By default, for every object in the forest, the global catalog
server contains an object’s most common attributes. Applications and users can
query these attributes. For example, you can find a user by first name, last name, e-
mail address, or other common properties
Additional Reading
• Microsoft Technet article: Domain Controller Roles (Global Catalog Partial
Attribute Set section)
Questions: What types of errors or user experiences would lead you to investigate
whether you needed to configure another server as a global catalog server?
What are reasons why you would choose to replicate an attribute to the global
catalog?
Additional Reading
• Microsoft Technet article: To add an attribute to the global catalog
Key Points
Active Directory is designed as a multimaster replication system. However, for
certain directory operations, only a single authoritative server is required. The
domain controllers that perform specific roles are known as operations masters.
The domain controllers that hold operations master roles are designated to
perform specific tasks to ensure consistency and to eliminate the potential for
conflicting entries in the Active Directory database.
Additional Reading
• Microsoft Technet article: To add an attribute to the global catalog
You are deploying the first domain controller in a new domain that will be a new
domain tree in the WoodgroveBank.com forest. What operations master roles will
this server hold by default?
Additional Reading
• Microsoft Technet article: Manage Operations Master Roles
Key Points
The Windows Time service, also known as W32Time, synchronizes the date and
time for all computers running on a Windows Server 2008 network. The Windows
Time service uses the Network Time Protocol (NTP) to ensure highly accurate time
settings throughout your network. You also can integrate the Windows Time
service with external time sources.
Additional Reading
• Microsoft Technet article: Windows Time Service Technical Reference
• Microsoft Technet article: Configuring a time source for the forest
Scenario:
Woodgrove Bank has begun their deployment of Windows Server 2008. The
organization has deployed several domain controllers at the corporate
headquarters and is preparing to deploy domain controllers in several branch
offices. The Enterprise Administrator created a design that requires read-only
domain controllers to be deployed on servers running Windows Server 2008 in all
branch offices. Your task is to deploy a domain controller in a branch office that
meets these requirements.
Note: Due to the limitations of the virtual lab environment, you will be installing the
RODC in the same site as the existing domain controllers. In a production
environment, you would complete the same steps even if the RODC was in a
different site.
f Task 3: Verify the forest and domain functional level are compatible
with an RODC deployment
1. On NYC-DC1, open Active Directory Users and Computers.
2. Right-click WoodgroveBank.com and verify that the domain functional level
and the forest functional level are set to Windows Server 2003.
Result: At the end of this exercise, you will have verified that the domain and the
computer are ready to install an RODC.
6. In Active Directory Sites and Services, verify that TOR-DC1 is listed in the
Servers list for the Default-First-Site-Name.
7. Check the NTDS Settings for TOR-DC1. Confirm that connection objects have
been created.
8. Check the NTDS Settings for NYC-DC1. Confirm that no connection objects
have been created for replication with TOR-DC1.
9. Open Event Viewer. In the Directory Service log, locate and view a message
with an event ID of 1128. This event ID verifies that a replication connection
object has been created between NYC-DC1 and TOR-DC1.
Result: At the end of this exercise, you will have installed an RODC and configured
the RODC password replication policy for the RODC.
f Task 4: Shut down all virtual machines and discard any changes
Result: At the end of this exercise, you will have configured a global catalog server and
configure AD DS domain controller roles.
Review Questions
1. You are deploying a domain controller in a branch office. The branch office
does not have a highly secure server room so you are concerned about the
security of the server. What two Windows Server 2008 features can you take
advantage of to enhance the security of the domain controller deployment?
2. You must create a new domain by installing a domain controller in your Active
Directory infrastructure. You are reviewing the inventory list of available
servers for this purpose. Which of the following computers could be used as a
domain controller?
A. Windows Server 2008 Web Edition, NTFS files system, 1 gigabyte (GB)
free hard disk space, TCP/IP.
B. Windows Server 2008 Enterprise Edition, NTFS files system, 500
megabyte (MB) free hard disk space, TCP/IP.
C. Windows Server 2008 Server Core Enterprise Edition, NTFS files system,
1GB free hard disk space, TCP/IP.
D. Windows Server 2008 Standard Edition, NTFS files system, 500 MB free
hard disk space, TCP/IP.
3. You are deploying an RODC in branch office. You need to ensure that all users
in the branch office can authenticate even if the WAN connection from the
branch office is not available. Only the users who normally log on in the
branch office should be able to do this? How would you configure the
password replication policy?
4. You need to install a domain controller by using the install from media option.
What steps do you need to take to complete this process?
5. Will you be deploying RODCs in your AD DS environment? Describe the
deployment scenario.
6. You are deploying a domain controller in a branch office. The office has a
WAN connection to the main office that has very little available bandwidth and
is not very reliable. Should you configure the branch office domain controller
as a global catalog server?
Considerations
Keep the following considerations in mind when you are implementing RODCs
and managing domain controller roles:
• You can install the AD DS Server role on all Windows Server 2008 editions
except Windows Server 2008 Web Server Edition.
• Consider installing a RODC on a Windows Server 2008 Server Core computer
to provide additional security for your domain environment.
• To install AD DS on a Server Core computer, you must use an unattended
installation.
• Plan the password replication policies carefully in your organization. If you
enable credential caching for most of the accounts in your domain, you will
increase the impact to your organization if the RODC is compromised. If you
do not enable any credential caching, you increase the impact to the branch
office location if the WAN link to the main office is not available.
• In most cases, deploying a global catalog server in a site will improve the logon
experience for users. However, deploying a global catalog in a remote office
also increases the network utilized for replication.
• Operation master roles provide important services on a network but the
services are not usually time critical. Most of the time, if a domain controller
holding an operation master role fails, you do not immediately need to seize
the role to another domain controller if the failed server can be repaired within
a few hours.
Module 2
Configuring Domain Name Service for
Active Directory® Domain Services
Contents:
Lesson 1: Overview of Active Directory Domain Services and
DNS Integration 2-3
Lesson 2: Configuring Active Directory Integrated Zones 2-11
Lesson 3: Configuring Read-Only DNS Zones 2-19
Lab: Configuring AD DS and DNS Integration 2-23
Module Overview
Domain Name System (DNS) is an integral part of Active Directory® for Windows
Server® 2008. By understanding the relationship between these applications, you
can troubleshoot Active Directory® and increase security, while providing clients
with the full functionality of DNS.
Lesson 1:
Overview of Active Directory Domain Services
and DNS Integration
Windows Server 2008 requires that a DNS infrastructure is in place before you
install Active Directory. Understanding how DNS and Active Directory are
integrated, and how client computers use DNS during logon, will help you resolve
problems related to DNS, such as client logon issues.
Key Points
Domains and computers are represented by resource records in the DNS
namespace and by Active Directory objects in the Active Directory namespace. All
Active Directory domains must have corresponding DNS domains with identical
domain names. Clients rely on DNS to resolve computer host names to IP
addresses in order to locate domain controllers and other computers that provide
Active Directory and other network services.
Active Directory requires DNS, but not any particular type of DNS server.
Therefore, there may be multiple DNS servers of different types.
Question: What is the relationship between Active Directory domain names and
DNS zone names?
Additional Reading:
• Active Directory integration
• DNS integration
Key Points
For Active Directory to function properly, client computers must be able to locate
servers that provide specific services, such as authenticating logon requests and
providing Telnet or Session Initiated Protocol (SIP) services. Active Directory
clients and domain controllers use Service (SRV) resource records to determine the
IP addresses of computers that provide those services. Also, Active Directory site-
aware applications, such as Microsoft® Exchange, use SRV resource records.
Question: In the following example of two SRV resource records. Which record
will be used by a client querying for an SIP service?
Additional Reading
• Managing resource records
• RFC 2782 - A DNS RR for specifying the location of services (DNS SRV)
Questions: What is the benefit of replicating the mscdcs zone to the entire forest?
How could one SRV resource record be given preference over another?
Key Points
Domain client computers use the locator application programming interface (API)
to locate a domain controller by querying DNS. If SRV resource records are not
available to identify domain controllers, logons may fail. All computers -- including
both workstations such as the Windows® XP Professional operating system and
Windows Vista® operating system, and servers such as the Windows Server®°2003
operating systems and the Windows Server 2008 operating systems -- use the same
process to locate domain controllers.
Additional Reading
• How Domain Controllers Are Located in Windows XP
• Domain Controller Location Process
Key Points
During a search for a domain controller, the Locator attempts to find a domain
controller in the site closest to the client. The domain controller uses the
information stored in Active Directory to determine the closest site. In most cases,
the domain controller that first responds to the client will be in the same site as the
client. But in cases where a computer has physically moved to a different site, or
the domain controller in the local site is unavailable, there is a process to find a
different domain controller.
During Net Logon startup, the Net Logon service on each domain controller
enumerates the site objects in the Configuration container. Net Logon uses the site
information to build an in-memory structure that is used to map IP addresses to
site names.
Additional Reading
• Finding a Domain Controller in the Closest Site
Lesson 2:
Configuring Active Directory Integrated Zones
Integrating Active Directory and DNS zones can simplify DNS administration by
replicating DNS zone information as part of the Active Directory replication. It also
provides benefits like secure dynamic updates, and aging and scavenging of stale
resource records.
Key Points
One benefit of integrating DNS and Active Directory is the ability to integrate DNS
zones into an Active Directory database. A zone is a portion of the domain
namespace that has a logical grouping of resource records, which allows zone
transfers of these records to operate as one unit.
Additional Reading
• Active Directory integration
Key Points
Additional Reading
• DNS zone replication in Active Directory
Key Points
You can change the scope of DNS replication anytime by using the DNS Microsoft
Management Console (MMC) or the DNSCMD command-line tool. You have the
following replication choices when using the DNS MMC:
• To all DNS servers in this forest
• To all DNS servers in this domain (this is the default storage location)
• To all domain controllers in this domain (this is the domain information
partition)
• To all domain controllers hosting a particular application partition
Additional Reading
• DNS zone replication in Active Directory
Key Points
Dynamic updates enable DNS client computers to register and dynamically update
their resource records with a DNS server whenever changes occur. This reduces
the need to administer zone records manually, especially for clients that frequently
move or change locations and that use Dynamic Host Configuration Protocol
(DHCP) to obtain an IP address.
Additional Reading
• Dynamic update
Key Points
Secure dynamic updates work like dynamic updates, with the following exception:
the authoritative name server accepts updates only from clients and servers that are
authenticated and joined to the Active Directory domain in which the DNS server
is located.
As the slide shows, the client first attempts a non-secure update. If that attempt
fails, the client then attempts to negotiate a secure update. If the client has been
authenticated to Active Directory, the update will succeed.
Question: What are the benefits of using Active Directory integrated DNS zones?
Questions: How could you prevent a computer from registering in the DNS
database?
When using secure dynamic updates, how can you control which clients are
allowed to update DNS records?
Key Points
A DNS server running Windows Server 2008 loads zone data from Active Directory
in the background while it restarts so that it can respond to data requests from
other zones.
Additional Reading
• DNS Server Role
Lesson 3:
Configuring Read-Only DNS Zones
You can provide additional security by configuring read-only DNS zones -- while
clients still have the full functionality of the Active Directory name resolution --
because only an administrator can change read-only DNS zones. Unauthorized
personnel will not be able to alter records on the read-only domain controller
(RODC).
Key Points
When installing a Windows Server 2008 RODC you are prompted with DNS
Server installation options. The default option is to install a primary read-only form
of DNS Server locally on the RODC, which replicates the existing AD-integrated
zone for the domain specified and adds the local IP address as the preferred DNS
server in the local TCP/IP settings. This ensures that the DNS server running on
the RODC has a full read-only copy of any DNS zones.
Additional Reading
• DNS Server Role
Key Points
When a computer becomes an RODC, it replicates a full read-only copy of all
application directory partitions that DNS uses, including the domain partition,
ForestDNSZones, and DomainDNSZones. This ensures that the DNS server
running on the RODC has a full read-only copy of any DNS zones stored on a
centrally located domain controller in those directory partitions. The administrator
of an RODC can view the contents of a primary read-only zone. However, the
administrator can change the contents only by changing the zone on a DNS server
with a writable copy of the DNS database.
Question: How does RODC increase security?
Additional Reading
• DNS Server Role
Key Points
Answer the questions in a classroom discussion.
Additional Reading
• How DNS Works
Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has business relationships with two other
entities, Fabrikam Inc. and Contoso Inc. Woodgrove Bank has acquired copies of
the DNS zone files for these entities. All employees in the Woodgrove Bank forest
need access to the DNS records for Contoso Inc. Only employees in the
Woodgrove Bank domain need access to the DNS files for Fabrikam Inc. The
branch office of Woodgrove Bank has a read-only domain controller. This domain
controller will be configured to support the DNS server service and all forest-wide
and domain-wide DNS zones. The enterprise administrator has created a design
document for the DNS configuration. The design includes configuring AD DS
integrated zones, configuring DNS dynamic updates, and configuring read-only
DNS zones.
f Task 4: Create two new zones based on the zone files for Fabrikam and
Contoso
1. Use Windows Explorer to copy the Contoso.com.dns and the
Fabrikam.com.dns files from D:\6425\Mod02\Labfiles to
C:\Windows\System32\DNS. Leave Windows Explorer open.
2. Use the DNS management console to create a new primary standard zone
named Contoso.com using the existing file Contoso.com.dns.
3. Create a new primary standard zone named Fabrikam.com using the existing
file Fabrikam.com.dns
f Task 7 - Use ADSI Edit.exe to view the Active Directory integrated DNS
zones
1, From the Run command, launch the adsiedit.msc.
2. Right click ADSI Edit and click Connect to…
3. In the Connection Point section, choose Select or type a Distinguished
Name or Naming Context.
4. Type DC=DomainDNSZones,DC=WoodgroveBank,DC=Com and then click
OK.
5. Expand the naming context and then expand CN=MicrosoftDNS and then
click DC=Woodgrovebank.com and examine the records.
6. Double click the record for NYC-DC1.
When was the record created?
7. Close all property pages and close the ADSI management console.
Result: At the end of this exercise, you will have created Active Directory integrated
DNS zones.
Result: At the end of this exercise, you will have configured the DNS server to
support all domain-wide and forest-wide zones.
Review Questions
1. How does a client computer determine what site it is in?
2. List at least three benefits of Active Directory integrated zones.
3. In the following example of two SRV resource records. Which record will be
used by a client querying for an SIP service?
• _sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.
• _sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.
4. What permissions are required to create DNS application directory partitions?
5. What utilities are available to create application partitions?
6. What is the default state of dynamic updates for an Active Directory integrated
zone?
7. What is the default state of dynamic updates for a standard primary zone?
8. What groups have permission to perform secure dynamic updates?
Considerations
When configuring AD DS and DNS integration, keep the following considerations
in mind:
• Because of the dependency Windows Server 2008 and Active Directory clients
have on DNS, the first step in troubleshooting Active Directory issues often is
to troubleshoot DNS.
• Service locator records are critical to Active Directory functioning properly.
• Service locator records need to be highly available.
• Windows Server 2008 can operate with any compatible DNS server, but Active
Directory integrated zones provide additional features and security.
• Active Directory integrated zones can be replicated to domain wide or forest
wide, or to specific domain controllers via custom application partitions.
• Internal DNS records should be kept separate from public DNS records.
• Dynamic updates lighten the administrative overhead of maintaining the DNS
zone database.
• Dynamic updates can be limited to Authenticated Users.
• Background zone loading will reduce the time for DNS servers to become
available after a restart.
• You can use read-only DNS in conjunction with read-only domain controllers
to provide security while still providing required client functionality.
Module 3
Configuring Active Directory® Objects and Trusts
Contents:
Lesson 1: Configuring Active Directory Objects 3-3
Lesson 2: Strategies for Using Groups 3-14
Lesson 3: Automating AD DS Object Management 3-20
Lab A: Configuring Active Directory Objects 3-28
Lesson 4: Delegating Administrative Access to AD DS Objects 3-42
Lesson 5: Configuring AD DS Trusts 3-50
Lab B: Configuring Active Directory Delegation 3-59
Module Overview
After the initial deployment of Active Directory® Domain Services (AD DS), the
most common tasks for an AD DS administrator are configuring and managing AD
DS objects. In most organizations, each employee is issued a user account, which is
added to one or more groups in Active Directory. The user and group accounts
enable access to Windows Server-based network resources such as Web sites,
mailboxes, and shared folders. This module describes how to perform many of
these administrative tasks and the options for delegating or automating these tasks.
This module also describes how to configure and manage Active Directory trusts.
Lesson 1:
Configuring Active Directory Objects
Types of AD DS Objects
Key Points
You can create several different types of objects in Active Directory Additional
reading
Additional Reading
• Active Directory Users and Computers Help
Questions: How would you create several user objects with the same settings for
attributes such as department and office location?
Under what circumstances would you disable a user account rather than delete the
user account?
AD DS Group Types
Key Points
AD DS supports two group types.
Additional Reading
• Active Directory Users and Computers Help
AD DS Group Scopes
Key Points
Windows Server 2003 supports the group scopes shown on the slide.
Additional Reading
• Active Directory Users and Computers Help: Managing Groups
Default AD DS Groups
Key Points
Windows Server 2008 provides many built-in groups, which are created
automatically when you install an Active Directory domain. You can use built-in
groups to manage access to shared resources and to delegate specific Active
Directory administrative roles. For example, you could put the user account of an
AD DS administrator into the Account Operators group to allow the administrator
to create user accounts and groups.
Additional Reading
• Microsoft Technet Default Groups
• Active Directory Domain Services Technical Reference
AD DS Special Identities
Key Points
Servers running Windows Server 2008 include several special identities in addition
to the groups in the Users and Built-in containers. These identities generally are
referred to as special groups or special identities.
Additional Reading
• Microsoft Technet article: Special identities of ADM (Administrative Template)
Files in Windows
Scenario
Woodgrove Bank has more than 100 servers worldwide. You must determine
whether you can use default groups or whether you must create groups, and then
assign specific user rights or permissions to the groups to perform the following
Administrative tasks.
You must assign default groups, special identities, or create new groups for the
following tasks. List the name of the default group that has the most restrictive
user rights for performing the following actions, or determine whether you must
create a new group:
1. Backing up and restoring domain controllers
2. Backing up, but not restoring, files on member servers
3. Creating groups in the Sales organizational unit
4. Granting access to a shared folder to which all Woodgrove Employees need
access
Questions: What options are available for changing an AD DS group’s scope and
type?
What are the benefits of assigning group managers? Is this a setting that you would
configure in your organization?
Additional Reading
• Active Directory Users and Computers Help: Managing Groups
Questions: What are the reasons why you would create organizational units?
What are the benefits and limitations of using printer objects and shared folder
objects in AD DS?
Additional Reading
• Active Directory Users and Computers Help
Lesson 2:
Strategies for Using Groups
Key Points
One of the primary reasons for creating users and groups in AD DS is so that users
can gain access to shared resources, such as shared folders, printers, Windows
SharePoint® Services sites, or applications.
Additional Reading
• Microsoft Technet article: Selecting a Resource Authorization Method
Key Points
When you use just account groups to assign access to resources, you add all user
accounts to the groups, and then assign the group a set of access permissions. For
example, an administrator can put all accounting user accounts into a global group
called GG-All Accountants and assign this group with permissions to a shared
resource. In a single domain environment, you can use domain local groups, global
groups, or universal groups to assign access to resources.
Additional Reading
• Microsoft Technet article: AG/ACL Method
Key Points
When you use account groups and resource groups, you add users with similar
access requirements into account groups, and then add the account groups as
members to a resource group to which you granted specific resource-access
permissions.
This strategy provides the most flexibility while reducing the complexity of
assigning access permissions to the network. This method is used most commonly
by large organizations for controlling access to resources.
Additional Reading
• Microsoft Technet article: AG/RG Method
Read the scenarios, and create a plan for configuring groups and assigning access
to resources in each scenario.
Example 1
Contoso, Ltd., has a single domain that is located in Paris, France. Contoso, Ltd.,
managers need access to the Inventory database to perform their jobs.
Question: What do you do to ensure that the managers have access to the
Inventory database?
Example 2
Contoso, Ltd. has determined that all Accounting division personnel must have full
access to the accounting data. Also, Contoso, Ltd., executives must be able to view
the data. Contoso, Ltd. wants to create the group structure for the entire
Accounting division, which also includes the Accounts Payable and Accounts
Receivable departments.
Question: What do you do to ensure that the managers have the required access and that
there is a minimum of administration?
Example 3
Contoso, Ltd., has expanded to include operations in South America and Asia, and
now contains three domains: the Contoso.com domain, the Asia.contoso.com
domain, and the SA.contoso.com domain. You need to grant all IT managers,
across all domains, access to the Admin_tools shared folder in the Contoso
domain. You also need to grant the IT managers access to other resources in the
future.
Question: How can you achieve the desired result with the least amount of
administrative effort?
Lesson 3:
Automating AD DS Object Management
Key Points
Windows Server 2008 provides a number of tools that you can use to create or
modify multiple user accounts automatically in Active Directory. Some of these
tools require that you use a text file that contains information about the user
accounts that you want to create. You also can create Windows PowerShell scripts
to add objects or make changes to objects in Active Directory.
Key Points
Use these command-line tools to configure AD DS objects.
Key Points
You can use the Ldifde command-line tool to create and make changes to multiple
accounts. When you use the Ldifde tool, you will use a line-separated text file to
provide the command’s input information.
Additional Reading
• Microsoft Technet article: LDIFDE
Key Points
You can use the Csvde command-line tool to create multiple accounts in Active
Directory. You only can use the Csvde tool to create accounts, not to change them.
Additional Reading
• Microsoft Technet article: CSVDE
Key Points
Windows® PowerShell is an extensible scripting and command-line technology
that developers and administrators can use to automate tasks in a Windows
environment. Windows PowerShell uses a set of small commands that each
perform a specific task, but you also can combine multiple commands to perform
complex administrative tasks.
Additional Reading
• Microsoft Support: Windows PowerShell 1.0 Documentation Pack
Key Points
Windows Powershell is easy to learn because the use of Cmdlets. Pipelining is
consistent across all Cmdlets.
Additional Reading
• Windows PowerShell 1.0 Documentation Pack
Additional Reading
• Windows PowerShell Blog
• Microsoft Technet article: Scripting with Windows PowerShell
Scenario:
Woodgrove Bank has several requirements for managing AD DS objects. The
organization frequently hires interns who must have limited permissions and
whose accounts must be set to expire automatically when the internship is
complete. User accounts also must be configured with a standard configuration
that includes settings such as user profile settings and mapped drives for home
folders. The organization also requires AD DS groups that will be used to assign
permissions to a variety of network resources. As much as possible, the
organization would like to automate the user and group management tasks.
Result: At the end of this exercise, you will have delegated the administrative tasks
for the Toronto office.
The AD DS planning group has established the following naming scheme for AD
DS groups:
• Three-character location code: NYC, TOR, MIA, LON, and TOK
• For groups that contain accounts from multiple domains, use the location
code WGB
• For groups that do not have a specific location, include the domain name in
the group name
• For account groups, use the department name: BranchManagers, Executives
This is followed by the group type: GG, UG
• For resource groups, use the resource name: EX_HOReports,
EX_LON_BranchReports, EX_Corp. This is followed by the level of access –
FC, RO.
Note: To simplify the implementation process, some of the required groups may
already have been created. In addition, you configure the required groups for only
the WoodgroveBank.com and the EMEA.WoodgroveBank.com.
1. On NYC-DC1, in Active Directory Users and Computers, verify that all of the
global groups required to assign permission have been created.
2. On LON-DC1, in Active Directory Users and Computers, verify that all of the
global groups required to assign permission have been created.
3. On NYC-DC1, create the required universal groups based on the group
implementation strategy. Create the universal groups in the Executives OU.
4. Create the required domain local groups based on the group implementation
strategy.
Result: At the end of this exercise, you will have implemented a group
implementation strategy.
4. Double-click Activateusers.vbs.
5. In Active Directory Users and Computers, browse to the Houston OU.
Confirm that user accounts in all child OUs are activated.
Result: At the end of this exercise, you will have examined several options for
automating the management of user objects.
Lesson 4:
Delegating Administrative Access to AD DS
Objects
Many of the AD DS administration tasks are quite easy to perform, but can be quite
repetitive. One of the options available in Windows Server 2008 AD DS is to
delegate some of those administrative tasks to other administrators or users. By
delegating control, you can enable these users to perform specific AD DS
management tasks without granting them more permissions than they need.
Key Points
Active Directory object permissions secure resources by enabling you to control
which administrators or users can access individual objects or object attributes,
and the type of access they have. You use permissions to assign administrative
privileges for an organizational unit or a hierarchy of organizational units to
manage Active Directory objects.
Questions: What are the risks with using special permissions to assign AD DS
permissions?
What would permissions would a user have on an object if you granted them full
control permission, and denied the user write access?
Additional Reading
• Microsoft Technet article: Access control in Active Directory
• Microsoft Technet article: Assign, change, or remove permissions on Active
Directory objects or attributes
Questions: What would happen to an object’s permissions if you moved the object
from one OU to another if the OUs had different permissions applied?
What would happen if you removed all permissions from an OU when you
blocked inheritance and did not assign any new permissions?
Additional Reading
• Microsoft Technet article: Assign, change, or remove permissions on Active
Directory objects or attributes
Key Points
You can use the Effective Permissions tool to determine the permissions for an
Active Directory object. This tool calculates the permissions that are granted to the
specified user or group, and takes into account the permissions that are in effect
from group memberships and any permissions inherited from parent objects.
Additional Reading
• Microsoft Technet article: Effective Permissions tool
Key Points
Delegation of control is the ability to assign management responsibility of Active
Directory objects to another user or group.
Delegated administration helps to ease the administrative burden of managing
your network by distributing routine administrative tasks to multiple users. With
delegated administration, you can assign basic administrative tasks to regular users
or groups. For example, you could give supervisors the right to modify group
memberships in their department.
By delegating administration, you give groups in your organization more control of
their local network resources. You also help secure your network from accidental
or malicious damage by limiting the membership of administrator groups
Lesson 5:
Configuring AD DS Trusts
Many organizations that deploy AD DS will deploy only one domain. However,
larger organizations, or organizations that need to enable access to resources in
other organizations or business units, may deploy several domains, in the same AD
DS forest or a separate forest. For users to access resources between the domains,
you must configure the domains or forests with trusts. This lesson describes how
to configure and manage trusts in an AD DS environment.
Key Points
Trusts allow security principals to traverse their credentials from one domain to
another, and are necessary to allow resource access between domains. When you
configure a trust between domains, a user can be authenticated in their domain
and their security credentials then can be used to access resources in a different
domain.
AD DS Trust Options
Key Points
The table on the slide describes the trusts options supported by Windows
Server 2008.
Questions: If you were going to configure a trust between a Windows Server 2008
domain and a Windows NT 4.0 domain, what type of trust would you need to
configure?
If you need to share resources between domains, but do not want to configure a
trust, how could provide access to the shared resources? A user located in a
different domain in your forest needs permission to create GPOs in your domain.
What is the best way to accomplish this?
Additional Reading
• Active Directory Domains and Trusts Help: Managing Trusts
Key Points
When you set up trusts between domains within the same forest, across forests, or
with an external realm, information about these trusts is stored in Active Directory
so you can retrieve it when necessary. A trusted domain object (TDO) stores this
information. The TDO stores information about the trust, such as the trust
transitivity and type. Whenever you create a trust, a new TDO is created and stored
in the System container in the trust’s domain.
Additional Reading
• Active Directory Domains and Trusts Help: Managing Trusts
Key Points
Windows Server 2008 supports cross-forest trusts, which allow users in one forest
to access resources in another forest. When a user attempts to access a resource in
a trusted forest, Active Directory must first locate the resource. After the resource is
located, the user can be authenticated and allowed to access the resource.
Additional Reading
• Microsoft Technet article: How Domains and Forests Work
Questions: What is the difference between a shortcut trust and an external trust?
When you set up a forest trust, what information will need to be available in DNS
in order for the forest trust to work?
Additional Reading
• Active Directory Domains and Trusts Help: Create a shortcut trust, Create an
external trust, Create a forest trust
Key Points
A user principal name is a logon name that is used only to log on to a
Windows Server 2008 network. There are two parts to a user principal name,
which are separated by the @ sign—for example, suzan@WoodgroveBank.com:
• The user principal name prefix, which in this example is suzan.
• The user principal name suffix, which in this example is WoodgroveBank.com.
By default, the suffix is the name of the domain in which the user account was
created. You can use the other domains in the network, or additional suffixes
that you created, to configure other suffixes for users. For example, you may
want to configure a suffix to create user logon names that match users’ e-mail
addresses.
Additional Reading
• Microsoft Technet article: Active Directory naming
Key Points
Another option for restricting authentication across trusts in a Windows
Server 2008 forest is selective authentication. With selective authentication, you
can restrict which computers in your forest that another forest’s users can access.
Additional Reading
• Microsoft Technet article: Enable selective authentication over a forest trust
• Microsoft Technet article: Grant the Allowed to Authenticate permission on
computers in the trusting domain or forest
Key Points
Another option for restricting authentication across trusts in a Windows
Server 2008 forest is selective authentication. With selective authentication, you
can restrict which computers in your forest users in another forest can access.
Questions: What would happen if you configured a new UPN suffix in a forest
after a trust had been configured with another forest that had the same UPN
suffix?
Additional Reading
• Microsoft Technet article: Enable selective authentication over a forest trust
• Microsoft Technet article: Grant the Allowed to Authenticate permission on
computers in the trusting domain or forest
Scenario:
To optimize the use of AD DS administrator time, Woodgrove Bank would like to
delegate some administrative tasks to junior administrators. These administrators
will be granted access to manage user and group accounts in different OUs.
Woodgrove Bank also has established a partner relationship with Fabrikam Ltd.
Some users in each organization must be able to access resources in the other
organization. However, the access between organizations must be limited to as few
users and as few servers as possible.
Note: This step is included in the lab to enable you to test the delegated
permissions. As a best practice, you should install the administration tools on a
Windows workstation rather than enable Domain Users to log on to domain
controllers.
1. On NYC-DC1, start Group Policy Management and edit the Default Domain
Controllers Policy.
2. In the Group Policy Management Editor window, access the User Rights
Assignment folder.
3. Double-click Allow log on locally. In the Allow log on locally Properties
dialog box, click Add User or Group.
4. Grant the Domain Users group the log on locally right.
5. Open a command prompt, and type GPUpdate /force and press ENTER.
Result: At the end of this exercise, you will have delegated the administrative tasks
for the Toronto office.
Result: At the end of this exercise, you will have configured trusts based on a trust
configuration design.
Review Questions
1. You are responsible for managing accounts and access to resources for your
group’s members. A user in your group leaves the company, and you expect a
replacement for that employee in a few days. What should you do with the
previous user’s account?
2. You need to create several hundred computer accounts in AD DS so that the
accounts can be pre-configured for a unattended installation. What is the best
way to do this?
3. A user reports that she cannot log on to her computer. The error message
indicates that the trust between the computer and the domain is broken. How
will you fix the problem?
4. You have created a global group called Helpdesk, which contains all the help
desk accounts. You want the help desk personnel to be able to perform any
operation on local desktop computers, including taking ownership of files.
Which is the best built-in group to use?
5. The BranchOffice_Admins group has been granted full control of all user
accounts in the BranchOffice_OU. What permissions would the
BranchOffice_Admins have to a user account that was moved from the
BranchOffice_OU to the HeadOffice_OU?
6. Your organization has a Windows Server 2008 forest environment, but it has
just acquired another organization with a Windows 2000 forest environment
that contains a single domain. Users in both organizations must be able to
access resources in each other’s forest. What type of trust do you create
between the forest root domain of each forest?
Tools
Use the following tools when configuring AD DS objects and trusts:
Module 4
Configuring Active Directory® Sites and
Replication
Contents:
Lesson 1: Overview of Active Directory Domain Services Replication 4-3
Lesson 2: Overview of AD DS Sites and Replication 4-13
Lesson 3: Configuring and Monitoring AD DS Replication 4-22
Lab: Configuring Active Directory Sites and Replication 4-31
Module Overview
Lesson 1:
Overview of Active Directory Domain Services
Replication
Key Points
The slide describes how the different components in AD DS replication work.
Additional Reading
• Active Directory Sites and Services Help: Understanding Sites, Subnets, and
Site Links
• Microsoft Technet article: Replication Model Components:
• Microsoft Technet article: How the Active Directory Replication Model Works
Key Points
Within a single site, a notification from the sending domain controller initiates the
replication process. When a database change is made, the sending computer
notifies a replication partner that changes are available. The replication partner
pulls the changes from the sending domain controller using a remote procedure
call (RPC) connection. After replication is complete, the sending domain controller
waits three seconds and then notifies another replication partner, which also pulls
the changes. By default, a domain controller will wait for 15 seconds after a change
is made and then begin replicating the changes to other domain controllers in the
same site.
Additional Reading
• Active Directory Sites and Services Help: Understanding Sites, Subnets, and
Site Links
• Microsoft Technet article: How the Active Directory Replication Model Works
Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works
Optimizing Replication
Key Points
During replication, domain controllers use multiple paths for sending and
receiving updates. Although using multiple paths provides both fault tolerance and
improved performance, it can result in updates being replicated to the same
domain controller more than once along different replication paths. To prevent
these repeated replications, AD DS replication uses propagation dampening.
Propagation dampening is the process of reducing the amount of unnecessary data
from traveling from one domain controller to another.
Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works
Key Points
The AD DS database is separated logically into directory partitions -- a schema
partition, a configuration partition, domain partitions, and application partitions.
Each partition is a unit of replication, and each partition has its own replication
topology.
Additional Reading
• Microsoft Technet article: How the Data Store Works (Directory Partition
section)
• How the Active Directory Replication Model Works e
Key Points
The replication topology is the route by which replication data travels throughout a
network. To create a replication topology, AD DS must determine which domain
controllers replicate data with other domain controllers.
Additional Reading
• Microsoft Technet article: What Is Active Directory Replication Topology?
Key Points
Replication of the schema and configuration partitions follows the same process as
all other directory partitions. However, because these partitions are forest-wide
rather than domain-wide, you can create the connection objects for these partitions
between any two domain controllers, regardless of the domain controller’s domain.
All domain controllers in the forest are included in the replication topology for
these partitions.
Additional Reading
• Microsoft Technet article: What Is Active Directory Replication Topology?
Key Points
When you add domain controllers to a site, AD DS uses the Knowledge
Consistency Checker (KCC) to establish a replication path between domain
controllers.
Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works
Lesson 2:
Overview of AD DS Sites and Replication
Key Points
You use sites to control replication traffic, logon traffic, and client computer
requests to the global catalog server.
Additional Reading
• Active Directory Sites and Services Help: Understanding Sites, Subnets, and
Site Links
Additional Reading
• Active Directory Sites and Services Help: Understanding Sites, Subnets, and
Site Links
Questions:
Additional Reading
• Active Directory Sites and Services Help: Create a Site, Create a Subnet
Key Points
Within a site, you have very little control over the AD DS replication process. When
you implement multiple sites in an AD DS forest, you also can configure AD DS
replication to ensure optimal network utilization.
Key Points
See the slide for comparisons.
Additional Reading
• Active Directory Sites and Services Help: Understanding Replication Between
Sites
• Microsoft Technet article: What Is Active Directory Replication Topology?
Questions
Additional Reading
• Active Directory Sites and Services Help: Create a Site Link
Key Points
The KCC on one domain controller in the site is designated as the site’s Inter-Site
Topology Generator (ISTG). There is only one ISTG per site regardless of how
many domains or other directory partitions the site has. ISTG is responsible for
calculating the site’s ideal replication topology.
Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works
Key Points
Because no changes are written directly to the read-only domain controller
(RODC), no changes originate at the RODC. Accordingly, writable domain
controllers that are replication partners do not have to pull changes from the
RODC. This means that any changes or corruption that a malicious user might
make at branch locations cannot replicate from the RODC to the forest. This also
reduces the workload of the hub’s bridgehead servers and the effort required to
monitor replication.
Additional Reading
• Microsoft Technet article: AD DS: Read-Only Domain Controllers:
Lesson 3:
Configuring and Monitoring AD DS Replication
Once you have configured the sites and site links for your AD DS environment, you
can configure AD DS replication. AD DS in Windows Server 2008 provides several
options that you can use to manage how replication will flow between sites.
Because AD DS replication is so critical to your environment, you also need to
know how to monitor AD DS replication.
Key Points
The bridgehead server in an AD DS replication topology is the single domain
controller in each site that is responsible for sending and receiving replicated data
with other sites. The bridgehead server from the originating site collects all of the
replication changes in its site and then sends them to the receiving site’s
bridgehead server, which replicates the changes to all of the site’s domain
controllers.
By default, the ISTG identifies one domain controller in each site as the bridgehead
server for each site link. If that bridgehead server becomes unavailable, the ISTG
identifies another domain controller as the bridgehead server.
Additional Reading
• Microsoft Technet article:How the Active Directory Replication Model Works
Question:
Your organization has two sites and two domains in the same forest with domain
controllers for both domains in both sites. You configure one domain controller in
each site as the preferred bridgehead server. Some time later you notice that the
domain controllers for one of the domains are not replicating across the site link.
What do you need to do to fix this?
Additional Reading
• Microsoft Technet article: Managing Intersite Replication
Questions:
You configure site links between the New York site and the Toronto site, and
between the New York site and the London site. The New York-Toronto site link is
available from 2 am to 5 am EST. The New York-London site link is available from
8 pm to 11 pm EST. You create a new user in Toronto. When will the new user
appear in AD DS on a domain controller in London?
Your organization has 4 sites. All of your sites are included in the
DefaultIPSiteLink. You would like to modify the replication schedule for all of the
sites so that replication between sites happens every 15 minutes. What should you
do?
Additional Reading
• Active Directory Sites and Services Help: Configure Intersite Replication
Key Points
By default, all AD DS site links are transitive or bridged. That means that if site A
has a common site link with site B, site B also has a common site link with site C,
and the two site links are bridged. Domain controllers in site A can replicate
directly with domain controllers in site C, even though there is no site link between
sites A and C.
You can modify the default site link bridging configuration by disabling site-link
bridging and then configuring site link bridging only for those site links that
should be transitive.
Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works
Question: Your organization has five sites. Four of the sites are connected by Wide
Are Network (WAN) links with surplus network bandwidth, while one of the sites
is connected to the other sites by a WAN link with very little available bandwidth.
You disable site link bridging in your organization, and then realize that it is taking
much longer than usual to replicate AD DS changes between sites. What should
you do to optimize replication between the four sites with available bandwidth
while minimizing the network utilization to the site with less available bandwidth?
Additional Reading
• Microsoft Technet article: Managing Intersite Replication
Key Points
One of the issues that you may need to address when configuring AD DS
replication is whether to deploy global catalog servers in each site. Because global
catalog servers are required when users log on to the domain, deploying a global
catalog server in each site optimizes the user experience. However, deploying a
global catalog server in a site results in additional replication traffic, which may be
an issue if the network connection between AD DS sites has limited bandwidth. In
these scenarios, you can deploy domain controllers running Windows Server 2008
and then enable universal group membership caching for the site.
Additional Reading
• Microsoft Technet article: Planning Global Catalog Server Placement
Additional Reading
• Microsoft Technet article: Cache universal group memberships
Questions:
• Under what circumstance might you want to know which domain controller is
the ISTG in a site?
• What information is available in the command line tools that is not available
through the GUI tools?
Scenario:
Woodgrove Bank has multiple offices throughout the world. To optimize client
logon traffic and manage AD DS replication, the enterprise administrator has
created a new design for configure AD DS sites and for configuring replication
between sites. You need to create AD DS sites and configure replication based on
the enterprise administrators design, and monitor site replication and ensure that
all components required for replication are functional.
The current site design at Woodgrove Bank has not been modified from the
default. Other than the default site, no AD DS sites or site links are configured.
Note: Due to the virtual lab limitations, you will be configuring the sites only for the
New York, London, and Miami locations.
Result: At the end of this exercise, you will configure AD DS sites and subnets and
linked the subnets to the appropriate sites.
Note: There will be replication errors listed because NYC-DC2 and TOK-DC1 are not
running and replication has been attempted.
2. Use DCDiag with the /s servername option to verify that LON-DC1 passed all
test related to replication.
Hint: Look for the Starting test: Replications section in the screen output.
f Task 5: Shut down all virtual machines and delete all changes
• Connect to the Virtual Server Administration site and shut down all virtual
machines without saving changes.
Result: At the end of this exercise, you will have verified that AD DS replication is
working.
Review Questions
1. How can you minimize the chances of creating a replication conflict in your
organization?
2. You have deployed nine domain controllers in the same domain. Five of these
domain controllers are in one site, while four are in a different site. You have
not modified the default-replication frequency for intra-site and inter-site
replication. You create a user account on one domain controller. What is the
maximum amount of time it will take for that user account to be replicated to
all of the domain’s controllers?
3. You add a new domain controller to an existing domain in your forest. Which
AD DS partitions will be modified as a result?
4. Your organization has one domain with three sites -- a head-office site and two
branch-office sites. Domain controllers in the branch-office sites can
communicate with domain controllers at the head office, but cannot
communicate directly with domain controllers in the other branch office due
to firewall restrictions. How can you configure the site-link architecture in AD
DS to integrate the firewall and ensure that the KCC will not create a
connection automatically between the branch-office sites?
5. Your organization has a head office and 20 branch offices. Each office is
configured as a separate site. You have three domain controllers deployed at
the head office. One of the domain controllers at the head office has a faster
processor and more memory than the other two. You want to ensure that the
AD DS replication workload is assigned to the more powerful computer. What
should you do?
Tools
Use the following tools when configuring AD DS sites and replication:
Active Directory Creating and configuring sites, Click Start, and then point to
Sites and Services subnets, moving domain Administrative Tools. Click
controllers between sites, and Active Directory Users and
forcing replication. Computers.
Module 5
Creating and Configuring Group Policies
Contents:
Lesson 1: Overview of Group Policies 5-3
Lesson 2: Configuring the Scope of Group Policy Objects 5-15
Lesson 3: Evaluating the Application of Group Policy Objects 5-26
Lesson 4: Managing Group Policy Objects 5-31
Lesson 5: Delegating Administrative Control of Group Policies 5-38
Lab: Creating and Configuring GPOs 5-42
Module Overview
Lesson 1:
Overview of Group Policies
This lesson introduces you to how you can use Group Policies to simplify
managing computers and users in an Active Directory environment. You will learn
how Group Policies are structured and applied, and about some of the exceptions
to using Group Policies.
This lesson also discusses Group Policy features that are included with Windows
Server 2008, which also will help simplify computer and user management.
Key Points
Group Policy is a Microsoft technology that supports one-to-many management of
computers and users in an Active Directory environment. By editing Group Policy
objects (GPOs) policy settings, and targeting the GPO at the intended computers
or users, you can manage specific configuration parameters centrally. In this way,
you can manage potentially thousands of computers or users by changing a single
GPO. Group Policy can control many aspects of a target object’s environment,
including the registry, NTFS file system security, audit and security policy, software
installation and restriction, desktop environment, logon/logoff scripts, etc….
One policy may be associated with multiple containers in Active Directory through
linking. Conversely, multiple policies may link to one container.
Additional Reading
• Microsoft Technet article: Windows Server Group Policy
Key Points
Group Policy has thousands of configurable settings (approximately 2,400). These
settings can affect nearly every area of the computing environment. You cannot
apply all of the settings to all versions of Windows operating systems. For example,
many of the new settings that came with Windows® XP Service Pack (SP) 2 only
applied to that operating system, like software restriction policies. In turn, many of
the hundreds of new settings only apply to Windows® Vista™ and Windows Server
2008. If a computer has a setting applied that it cannot process, it simply ignores it.
Question: Which of the new features will you find the most useful in your
environment?
Additional Reading
• Microsoft Technet article: Summary of New or Expanded Group Policy
Settings
• Microsoft Technet article: What's New in Group Policy in Windows Vista and
Windows Server 2008?
Key Points
Clients initiate Group Policy application by requesting Group Policy settings from
Active Directory. When Group Policy is applied to a user or computer, the client
component interprets the policy and makes the appropriate environment changes.
These components are known as Group Policy client-side extensions. As Group
Policy is processed, the Winlogon process passes the list of GPOs that must be
processed to each Group Policy client-side extension. The extension uses the list to
process the appropriate policy, when applicable.
Additional Reading
• Microsoft Technet article: Windows Server Group Policy
Key Points
Different factors can change the normal Group Policy processing behavior, such as
logging on using a slow connection. Also, different types of connections or
operating systems handle Group Policy processing differently.
Additional Reading
• Controlling Client-Side Extensions by Using Group Policy
Key Points
You can use Group Policy templates to create and configure Group Policy settings,
which the GPOs store. The GPOs in turn are stored in the SYSVOL container in
Active Directory. The SYSVOL container acts as a central repository for the GPOs.
In this way, one policy may be associated with multiple Active Directory containers
through linking. Conversely, multiple policies may link to one container.
Group policy has three major components.
• Group policy templates
• Group policy container
• Group policy objects
Key Points
ADM Files
Traditionally, ADM files have been used to define the settings the administrator
can configure through Group Policy. Each successive Windows operating system
and service pack has included a newer version of these files. ADM files use their
own markup language. Because of this, it is difficult to customize ADM files. The
ADM templates are located in the %SystemRoot%\Inf folder.
ADMX Files
Windows Vista and Windows Server 2008 introduce a new format for displaying
registry-based policy settings. Registry-based policy settings are defined using a
standards-based XML file format known as ADMX files. These new files replace
ADM files. Group Policy tools on Windows Vista™ and Windows Server 2008 will
continue to recognize custom ADM files you have in your existing environment,
but will ignore any ADM file that ADMX files have superseded.
Question: How could you tell if a GPO was created or edited using ADM or ADMX
files?
Additional Reading
• Microsoft Technet article: Managing Group Policy ADMX Files Step-by-Step
Guide
• Microsoft Support: Location of ADM (Administrative Template) Files in
Windows
Key Points
For domain-based enterprises, administrators can create a central store location of
ADMX files that is accessible by anyone with permission to create or edit GPOs.
The Group Policy Object Editor on Windows Vista and Windows Server 2008
automatically reads and displays Administrative Template policy settings from
ADMX files that the central store caches and ignores the ones stored locally. If the
domain controller is not available, then the local store is used.
You must create the central store, and update it manually, on a domain controller.
The use of ADMX files is dependant on the computer’s operating system where
you are creating or editing the GPO. Therefore, the domain controller can be a
server with Windows Server 2000, 2003, or 2008. The File Replication Service
(FRS) will replicate it to that domain’s other controllers.
Question: What would be the advantage of creating the central store on the PDC
emulator?
Additional Reading
• Microsoft Support: How to create a Central Store for Group Policy
Administrative Templates in Window Vista
Question: When you open the GPMC on your Windows XP computer, you do not
see the new Windows Vista settings in the Group Policy Editor. Why not?
Lesson 2:
Configuring the Scope of Group Policy
Objects
Key Points
The GPOs that apply to a user or computer do not all have the same precedence.
Group Policies are applied in a particular order. This order means that settings that
are processed first may be overwritten by settings that are processed later. For
example, a policy that restricts access to Control Panel applied at the domain level
could be reversed by a policy applied at the OU level for that particular OU.
Question: Your organization has multiple domains spread over multiple sites. You
want to apply a Group Policy to all users in two different domains. What is the best
way to accomplish this?
Additional Reading
• Microsoft Technet article: Group Policy processing and precedence
Key Points
In Microsoft operating systems prior to Windows Vista, there was only one user
configuration available in the local Group Policy. That configuration was applied to
all users logged on from the local computer. This is still true, but Windows Vista
and Windows Server 2008 have an added feature. In Windows Vista and Windows
Server 2008, it now is possible to have different user settings for different local
users, although there remains only one computer configuration available that
affects all users.
Additional Reading
• Microsoft Technet article: Step-by-Step Guide to Managing Multiple Local
Group Policy Objects
Key Points
There may be occasions when the normal behavior of Group Policy is not
desirable. For example, certain users or groups may need to be exempt from
restrictive Group Policies or a Group Policy should be applied only to computers
with certain hardware or software characteristics. By default, all Group Policies
apply to the Authenticated Users group in a given container, but you can modify
that behavior through various methods.
Question: You have created a restrictive desktop policy and linked it to the
Finance OU. The Finance OU has several child OUs that have separate GPOs that
reverse some of your desktop restrictions. How would you ensure that all users in
the Finance department receive your desktop policy?
Additional Reading
• Microsoft Technet article: Controlling the Scope of Group Policy Objects using
GPMC
Question: Your domain has two domain-level policies, GPO1 and GPO2. You need
to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs.
How could you accomplish this?
Question: You want to ensure that a specific policy linked to an OU will only affect
the members of the Managers global group. How would you accomplish this?
Key Points
Normally, user policy settings are derived entirely from the GPOs associated with
the user account based on it's location in the Active Directory. Loopback
processing directs the system to apply an alternate set of user settings for the
computer to any user who logs on to a computer affected by this policy. This policy
is intended for special-use computers where you must modify the user policy based
on the computer that is being used, for example, computers in public areas or
classrooms. When loopback is applied, it will affect all users, except local users.
Loopback operates using the following two modes:
• Merge mode
• Replace mode
Additional Reading
• Microsoft Technet article: Loopback processing with merge or replace
• Microsoft Technet article: Loopback processing of Group Policy
Scenario
Use the following scenario information for your discussion.
• All domain computers that have Windows XP Professional installed will have a
software application distributed through group policy.
• All domain users will have the Run menu removed from the Start menu. The
Admin OU will be exempt from this restriction. The Managers security group
will also be exempt from this restriction.
• The Mortgages OU will have further desktop restrictions applied.
Questions: What are the advantages to using security group filtering over blocking
inheritance to prevent group policies from being applied?
What are the advantages to using security group filtering over blocking inheritance
to prevent group policies from being applied?
Lesson 3:
Evaluating the Application of Group Policy
Objects
System administrators need to know how policy settings affect computers and
users in a managed environment. This information is essential when planning
policy for a network and when debugging existing policy. Obtaining the
information can be a complex task when you consider the many combinations of
sites, domains, and organizational units that are possible, and the many types of
Group Policy settings that can exist. Further complicating the task are security-
group filtering and the inheritance, blocking, and enforcement of Group Policies.
The GPResult command-line tool and the Group Policy Management Console
(GPMC) provide reporting features to simplify these tasks.
Key Points
Group Policy Reporting is a feature of Group Policy that makes implementation
and troubleshooting easier. Two main troubleshooting tools are the GPResult.exe
command-line tool and the Group Policy Results wizard in the GPMC. The Group
Policy Results feature allows administrators to determine the resultant policy set
that was applied to a given computer and/or user that logged on to that computer.
Although these tools are similar, they each provide different information.
Question: You want to know which domain controller delivered Group Policy to a
client. Which utility would you use to find that out?
Additional Reading
• Microsoft resources: Gpresult
• Microsoft Technet article: Group Policy Results (Administering Group Policy
with Group Policy Management Console)
Key Points
Another method for testing Group Policy is to use the Group Policy Modeling
Wizard in the GPMC to model environment changes before you actually make
them. The Group Policy Modeling Wizard calculates the simulated net effect of
GPOs. Group Policy Modeling also simulates such things as security group
membership, WMI filter evaluation, and the effects of moving user or computer
objects to a different OU or site. You also can specify slow-link detection, loopback
processing, or both when using the Group Policy Modeling Wizard.
The Group Policy Modeling process actually runs on a domain controller in your
Active Directory domain. Because the wizard never queries the client computer, it
cannot take local policies into account.
Question: What simulations can be performed with the Group Policy Modeling
Wizard? Choose all that apply.
A. Loopback processing
B. Moving a user to a different domain in the same forest.
C. Security group filtering
D. Slow link detection
E. WMI filtering
F. All of the above
Additional Reading
• Microsoft Technet article: Using Group Policy Modeling and Group Policy
Results to Evaluate Group Policy Settings
Question: A user reports that they are unable to access Control Panel. Other users
in the department can access Control Panel. What tools might you use to
troubleshoot the problem?
Lesson 4:
Managing Group Policy Objects
GPMC provides mechanisms for backing up, restoring, migrating, and copying
existing GPOs. This is very important for maintaining your Group Policy
deployments in the event of error or disaster. It helps you avoid manually
recreating lost or damaged GPOs and having to again go through the planning,
testing, and deployment phases. Part of your ongoing Group Policy operations
plan should include regular backups of all GPOs. GPMC also provides for copying
and importing GPOs, both from the same domain and across domains.
Key Points
Like critical data and Active Directory related resources, you must back up Group
Policy to protect the integrity of Active Directory and GPOs. The GPMC provides
the basic backup and restore options, but also provides additional control over
GPOs for administrative purposes.
Additional Reading
• Windows Server Library: Backing up, Restoring, Migrating, and Copying GPOs
• Microsoft Technet article: Import using GPMC
Key Points
Starter GPOs store a collection of Administrative Template policy settings in a
single object. Starter GPOs only contain Administrative Templates. You can import
and export Starter GPOs to distribute them to other areas of your enterprise.
Additional Reading
• Help Topics: Working with Starter GPOs
Key Points
The ADMX Migrator allows you to convert custom ADM templates into ADMX
templates. The associated ADML file also is created. Converted files are saved into
the user’s documents folder by default. Once you create the new files, copy the
ADMX file into the PolicyDefinitions folder, or the central store, and copy the
ADML file into the appropriate subfolder. The new administrative templates then
become available in the GPMC.
Additional Reading
• Microsoft Web site: ADMX Migrator
Lesson 5:
Delegating Administrative Control of Group
Policies
Key Points
Delegation allows the administrative workload to be distributed across the
enterprise. One group could be tasked with creating and editing GPOs, while
another group performs reporting and analysis duties. A separate group might be
in charge of WMI filters.
The following Group Policy tasks can be independently delegated:
• Creating Group Policy objects
• Editing Group Policy objects
• Managing Group Policy links for a site, domain, or OU
• Perform Group Policy Modeling analyses on a given domain or OU
• Read Group Policy Results data for objects in a given domain or OU
• Create WMI filters in a domain
Additional Reading
• Microsoft Technet article: Delegating Group Policy
Scenario:
The Woodgrove Bank has decided to implement group policies to manage user
desktops and to configure computer security. The organization has already
implemented an OU configuration that includes top-level OUs group by location
with additional OUs within each location OU for different departments. User
accounts are located in the same container as their workstation computer accounts.
Server computer accounts are spread throughout various OUs.
The enterprise administrator has created a GPO deployment plan. You have been
asked to create Group Policy objects so that certain policies can be applied to all
domain objects. Some policies are considered mandatory. You also want to create
policy settings that will apply only to subsets of the domain’s objects, and you
want to have separate policies for computer settings and user settings. You must
delegate GPO administration to administrators within each company location.
Note: Some of the tasks in this lab are designed to illustrate GPO management
techniques and settings and may not always follow best practices.
Result: At the end of this exercise, you will have created and configured GPOs.
Result: At the end of this exercise, you will have configured the scope of GPO
settings.
f Task 2: Verify that a Miami branch user is receiving the correct policy
1. Log on to NYC-CL1 as Anton with a password of Pa$$w0rd
2. Ensure that there is no link to the Run menu in the Accessories folder on the
Start Menu
3. Ensure that there is no link to Control Panel on the Start Menu
4. Ensure that you can access the desktop display settings
5. Log off.
Hint: When you attempt to access display settings you will receive a message
informing you that this has been disabled.
5. Log off.
Result: At the end of this exercise, you will have tested and verified a GPO application.
Result: At the end of this exercise, you will have backed up, restored, and imported
GPOs.
Note: This step is included in the lab to enable you to test the delegated
permissions. As a best practice, you should install the administration tools on a
Windows workstation rather than enable Domain Users to log on to domain
controllers.
1. On NYC-DC1, start Group Policy Management and edit the Default Domain
Controllers Policy.
2. In the Group Policy Management Editor window, access the User Rights
Assignment folder.
3. Double-click Allow log on locally. In the Allow log on locally Properties
dialog box, click Add User or Group.
4. Grant the Domain Users group the log on locally right.
5. Open a command prompt, and type GPUpdate /force and press ENTER.
Result: At the end of this exercise, you will have backed up, restored, and imported
GPOs.
Considerations
Keep the following considerations in mind when creating and configuring Group
Policies:
• Multiple local group policies
• ADMX and ADML files replace ADM files
• Methods to control group policy, inheritance, filtering, enforcement
• Group policy tools and reporting
Review Questions
1. You want to force the application of certain group policy settings across a slow
link. What can you do?
2. You need to ensure that a domain level policy is enforced, but the Managers
global group needs to be exempt form the policy. How would you accomplish
this?
3. You want all GPOs that contain user settings to have certain administrative
templates enabled. You need to be able to send those policies to other
administrators in the enterprise. What is the best approach?
4. You want to control access to removable storage devices on all client
workstations through group policy. Can you use group policy to do this?
Module 6
Configuring User Environments Using Group
Policies
Contents:
Lesson 1: Configuring Group Policy Settings 6-3
Lesson 2: Configuring Scripts and Folder Redirection Using Group Policies 6-7
Lesson 3: Configuring Administrative Templates 6-15
Lesson 4: Deploying Software Using Group Policy 6-22
Lab: Configuring User Environments Using Group Policies 6-32
Module Overview
This module introduces the job function of configuring the user environment
using Group Policy. Specifically, this module provides the skills and knowledge
that you need to use Group Policy to configure Folder Redirection, as well as how
to use scripts. You also will learn how Administrative Templates affect Windows
Vista® and Windows Server® 2008, and how to deploy software using Group
Policy.
Lesson 1:
Configuring Group Policy Settings
Group Policy can deliver many different types of settings. Some setting are simply a
matter of “turning them on” while others are more complex to configure. This
lesson will describe how to configure the various Group Policy settings.
Key Points
For a Group Policy setting to have an effect, you must configure it. Most Group
Policy settings have three states. They are:
• Enabled
• Disabled
• Not Configured
You also must configure values for some Group Policy settings. For example, you
need to configure restricted group-membership needs values for the groups and
users.
Question: A domain level policy restricts access to the Control Panel. You want the
users in the Admin organizational unit (OU) to have access to the Control Panel,
but you do not want to block inheritance. How could you accomplish this?
Additional Reading
• Microsoft Technet article: How Core Group Policy Works
Question: How could you prevent a lower-level policy from reversing the setting of
a higher-level policy?
Lesson 2:
Configuring Scripts and Folder Redirection
Using Group Policies
Windows Server 2008 enables you to use Group Policy to deploy scripts to users
and computers. You also can redirect folders that the user’s profile includes from
the user’s local hard disks to a central server.
Key Points
You can use scripts to perform any number of tasks. There may be actions that you
need performed every time a computer starts or shuts down, or when users log off
or on. For example, you can use scripts to clean up desktops when users log off
and shut down computers, or delete the contents of temporary directories or clear
the pagefile to make the environment more secure.
Question: You keep logon scripts in a shared folder on the network. How could
you ensure that the scripts will always be available to users from all locations?
Additional Reading
• Microsoft Technet article: The Two Sides of Group Policy Script Extension
Processing
• Microsoft Technet article: The Two Sides of Group Policy Script Extension
Processing (Part2)
• Microsoft Support: Overview of Logon, Logoff, Startup, and Shutdown Scripts
in Windows 2000
Question: What other method could you use to assign logon scripts to users?
Key Points
When you redirect folders, you change the folder’s storage location from the local
hard disk on the user’s computer to a shared folder on a network file server. After
you redirect a folder to a file server, it still appears to the user as if it is stored on
the local hard disk. Folder Redirection makes it easier for you to manage and back
up data. By redirecting folders, you can ensure user access to data regardless of the
computers to which they log on.
Additional Reading
• Microsoft Technet article: What Is Folder Redirection Extension?
• MSDN: IE7 in Vista: Folder Redirection for Favorites on the Same Machine
• Microsoft Download: Managing Roaming User Data Deployment Guide
Key Points
There are three available settings for Folder Redirection: none, basic, and
advanced. Basic folder redirection is for users who must redirect their folders to a
common area or users who need their data to be private. Advanced redirection
allows you to specify different network locations for different Active Directory
security groups.
Question: Users in the same department often log on to different computers. They
need access to their My Documents folder. They also need the data to be private.
What folder redirection setting would you choose?
Additional Reading
• Microsoft Technet article: Recommendations for Folder Redirection
Key Points
You must create a shared network folder manually to store the redirected folders.
Folder Redirection can create the user’s redirected folders for you. When you use
this option, the correct permissions are set automatically. If you manually create
folders, you must know the correct permissions.
Question: What steps could you take to protect the data while it is in transit
between the client and the server?
Additional Reading
• Microsoft Support: Folder Redirection feature in Windows
• Windows Server Library: Security Considerations when Configuring Folder
Redirection
Question: Users in the same department want to have each others Internet
favorites available to everyone in the department. What folder redirection options
would you choose?
Lesson 3:
Configuring Administrative Templates
The Administrative Template files provide the majority of available policy settings,
which are designed to modify specific registry keys. This is known as registry-based
policy. For many applications, the use of registry-based policy that the
Administrative Template files deliver is the simplest and best way to support
centralized management of policy settings. In this lesson, you will learn how to
configure Administrative Templates.
Key Points
Administrative Templates allow you to control the environment of the operating
system and user experience. There are two sets of Administrative Templates: one
for users and one for computers. Administrative Templates are the primary means
of configuring the client computer’s registry settings through Group Policy.
Administrative Templates are a repository of registry-based changes. By using the
Administrative Template sections of the GPO, you can deploy hundreds of
modifications to the computer (the HKEY_LOCAL_MACHINE hive in the registry)
and user (the HKEY_CURRENT_USER hive in the registry) portions of the
Registry
Question: What sections of the Administrative Templates will you find most useful
in your environment?
Additional Reading
• Microsoft Technet article: Using Administrative Template Files with Registry-
Based Group Policy
• Microsoft Technet article: Administrative Templates Extension Technical
Reference
Question: You need to ensure that Windows Messenger is never allowed to run on
a particular computer. How could you use Administrative Templates to implement
this?
Key Points
Because ADMX files are XML based, you can use any text editor to edit or create
new ADMX files, but there also are programs that are XML-aware, like Microsoft
Visual Studio, that administrators or developers can use to create or modify ADMX
files.
Additional Reading
• Microsoft Technet article: Creating a Custom Base ADMX File
• Microsoft Downloads: Group Policy Sample ADMX Files
Question: Can you still use custom ADM files to deliver Group Policy settings in
Windows Server 2008?
Lesson 4
Deploying Software Using Group Policy
Key Points
The software life cycle consists of four phases: preparation, deployment,
maintenance, and removal. You can apply Group Policy settings to users or
computers in a site, domain, or an organizational unit to install, upgrade, or
remove software automatically. By applying Group Policy settings to software, you
can manage the various phases of software deployment without deploying software
on each computer individually.
Question: What types of applications would you deploy via Group Policy in your
environment?
Additional Reading
• Microsoft Support: How to use Group Policy to install software remotely in
Windows 2000
• Microsoft Technet article: Use Group Policy Software Installation to deploy the
2007 Office system
Key Points
To enable Group Policy to deploy and manage software, Windows Server 2008
uses the Windows Installer service. This component automates the installation and
removal of applications by applying a set of centrally defined setup rules during
the installation process
Additional Reading
• Microsoft Support: How to use Group Policy to install software remotely in
Windows 2000
Key Points
There are two deployment types available for delivering software to clients.
Administrators can either install software for users or computers in advance or give
users the option to install the software when they require it. Users do not share
deployed applications, meaning an application you install for one user through
Group Policy will not be available to that computer’s other users. Each user needs
his or her own instance of the application.
Additional Reading
• Microsoft Technet article: Group Policy Software Installation overview
Key Points
Software Installation in Group Policy includes options for configuring deployed
software. You can categorize programs that are published in Control Panel and
associate file name extensions with applications. You also can add modifications to
deployed software.
Additional Reading
• Microsoft Technet article: Specify categories for applications to be managed
• Microsoft Technet article: Best practices for Group Policy Software Installation,
Specify automatic installation options based on file name extension section
• Microsoft Technet article: Add or remove modifications for an application
package
Additional Reading
• Microsoft Technet article: Upgrade or remove an application
• Microsoft Technet article: Set Group Policy Software Installation defaults
Key Points
Occasionally a software package will need to be upgraded to a newer version. The
Upgrades tab allows you to upgrade a package using the GPO. You also may re-
deploy a package if the original Microsoft® Windows® Installer file has been
modified. You can remove software packages if they were delivered originally using
Group Policy. Removal also can be mandatory or optional.
Additional Reading
• Microsoft Technet article: Upgrade or remove an application
• Microsoft Technet article: Set Group Policy Software Installation defaults
Additional Reading
• Microsoft Technet article: Upgrade or remove an application
• Microsoft Technet article: Set Group Policy Software Installation defaults
Scenario
Woodgrove Bank has decided to implement group policies to manage user
desktops. The organization already has implemented an organizational unit (OU)
configuration that includes top-level OUs grouped by location, with additional
OUs within each location for different departments. User accounts are located in
the same container as their workstation computer accounts. Server computer
accounts are spread throughout various OUs. The enterprise administrator has
created a GPO design that will be used to manage the user desktop environment.
You have been asked to configure Group Policy objects so that specific settings are
applied to user desktops and computers
Some of the tasks in this lab are designed to illustrate GPO management techniques
and settings, but may not always follow best practices.
f Task 3: Use Group Policy to copy the script to the NetLogon share and
assign the script to the appropriate OUs
1. Open Windows Explorer, copy C:\map.bat to the clipboard and then close
Windows Explorer.
2. Launch the GPMC and then create a new Group Policy named Logon Script.
3. Edit the policy by expanding User Configuration, expanding Windows
Settings and then clicking Scripts (Logon/Logoff).
4. Open the Properties of the Logon Script GPO, click Show Files, right-click,
click Paste to copy the script from the clipboard to the scripts folder, and then
close Explorer.
5. In the Logon Properties, click Add.
6. In the Add a Script dialog box, click Browse.
7. In the Browse dialog box, select the Map.bat file.
8. Close the Group Policy Management editor.
9. Link the Logon Script policy to the Miami, NYC, and Toronto OUs.
Result: At the end of this exercise, you will have configured scripts and folders
redirection.
Computers in the Miami, Toronto, and NYC OUs will prevent the installation of
removable devices.
Computers in the Executive OU will have offline files encrypted.
All domain users will have the following settings applied:
• The registry editing tools will be prohibited
• The clock will be removed from the taskbar
Additionally, users in the Miami, Toronto, and NYC OUs will have the following
settings applied:
• Profiles will be limited to 1GB
• Windows Sidebar will be turned off
f Task 1: Modify the Default Domain Policy to contain the settings for
all computers
1. In the GPMC, edit the Default Domain Policy.
2. Expand Computer Configuration, expand Administrative Templates,
expand Network, expand Network Connections, expand Windows Firewall,
and then expand Domain Profile. In the details pane, double-click Windows
Firewall: Allow inbound remote administration exception.
3. Enable the policy for the localsubnet in the Allow unsolicited incoming
messages from these IP addresses:
4. Expand Computer Configuration, expand Administrative Templates,
expand System, and then expand Group Policy.
5. Enable Group Policy slow link detection to be 800kps.
f Task 3: Create and assign a policy to encrypt offline files for executive
computers
1. Create a new Group Policy named Encrypt Offline Files.
2. Edit the policy by expanding Computer Configuration, expanding
Administrative Templates, expanding Network, and expanding Offline Files.
3. Enable the Encrypt the Offline Files cache.
4. Link the policy to the Executives OU.
f Task 4: Create and assign a domain level policy for all domain users
1. Create a new Group Policy named All Users Policy.
2. Expand User Configuration, expand Administrative Templates, and then
expand System.
3. Enable the Prevent access to registry editing tools setting.
4. Expand User Configuration, expand Administrative Templates, and then
expand Start Menu and Taskbar.
5. Enable the Remove Clock from the system notification area.
6. Link the policy to the Woodgrovebank.com domain.
f Task 5: Create and assign a policy to limit profile size and turn off
Windows Sidebar for branch users
1. Create a new Group Policy named Branch Users Policy.
2. Edit the policy by expanding User Configuration, expanding Administrative
Templates, expanding System and then expanding User Profiles.
3. Enable the Limit profile size with a value of 1000000.
4. Expand User Configuration, expand Administrative Templates, expand
Windows Components, and then expand Windows Sidebar.
5. Enable the Turn off Windows Sidebar setting.
6. Link the Branch Users Policy policy to the Miami, NYC, and Toronto OUs.
Result: At the end of this exercise, you will have configured Administrative
Templates.
Result: At the end of this exercise, you will have verified a GPO application.
Considerations
When configuring user environments using Group Policies, keep the following in
mind:
• Policy settings that are Enabled enforce a setting.
• Policy settings that are Disabled reverse a setting.
• Policy settings that are Not Configured are not affected by Group Policy.
• Scripts can be applied to the user or computer via Group Policy.
• Scripts can be written in multiple languages.
• Storing scripts in the NetLogon share makes them highly available.
• Certain folders can be redirected from the users profile to a shared folder on
the network.
Review Questions
1. You have assigned a logon script to an OU via Group Policy. The script is
located in a shared network folder named Scripts. Some OU users receive the
script while others do not. What might be causing this?
2. What steps could you take to prevent these types of problems from
reoccurring?
3. You have two logon scripts assigned to users -- script1 and script2. Script2
depends on script1 completing successfully. Your users report that script2
never runs. What is the problem and how would you correct it?
Module 7
Implementing Security Using Group Policies
Contents:
Lesson 1: Configuring Security Policies 7-3
Lesson 2: Implementing Fine-Grained Password Policies 7-13
Lesson 3: Restricting Group Membership and Access to Software 7-19
Lesson 4: Managing Security by Using Security Templates 7-26
Lab: Implementing Security Using Group Policies 7-33
Module Overview
Failure to have adequate security policies can lead to many risks for an
organization. A well designed security policy helps to protect an organization’s
investment in business information and internal resources, like hardware and
software. Having a security policy in itself is not enough, however. You must
implement the policy for it to be effective. You can leverage Group Policy to
standardize security to control the environment.
Lesson 1:
Configuring Security Policies
Group Policy provides settings you can use to implement security in your
organization. For example, you can use these settings to secure passwords, startup,
and permissions for system services. In this lesson, you will learn the knowledge
and skills you need to configure security policies.
Key Points
Security policies are rules that protect resources on computers and networks.
Group Policy allows you to configure many of these rules as Group Policy settings.
For example, you can configure password policies as part of Group Policy. Group
Policy has a large security section to configure security for both users and
computers. This way, you can apply security consistently across organizational
units (OUs) in Active Directory® by defining security settings in a Group Policy
object that is associated with a site, domain, or OU.
Additional Reading
• Microsoft Technet article: Security Settings
• Microsoft Technet article: Group Policy Security Settings
Key Points
The default domain policy is linked to the domain and therefore affects all objects
in the domain unless a Group Policy object (GPO) that you applied at a lower level
blocks or overrides these settings. This policy has very few settings configured by
default.
Although the Default Domain Policy has all the settings and capabilities of any
GPO, it is recommended that you use this policy only to deliver Account Policies.
You should create other GPOs to deliver other settings.
Additional Reading
• Microsoft Technet article: Windows Server 2003 Security Guide Chapter 3:
The Domain Policy
Key Points
Account policies protect your organization’s accounts and data by mitigating the
threat of brute force guessing of account passwords. In Windows operating
systems, and many other operating systems, the most common method for
authenticating a user’s identity is to use a secret password. Securing your network
environment requires that all users utilize strong passwords. Password policy
settings control the complexity and lifetime of passwords. You can configure
password policy settings through Group Policy.
Additional Reading
• Microsoft Technet article: Account Passwords and Policies
Key Points
Every Windows® 2000 or later computer has exactly one Local Group Policy
Object (LGPO). In this object, Group Policy settings are stored on individual
computers, regardless of whether they are part of an Active Directory environment.
The LGPO is stored in a hidden folder named %windir%\system32\Group Policy.
This folder does not exist until you configure an LGPO.
Additional Reading
• Microsoft Resources: Local Group Policy
Key Points
Automating client computer-configuration settings is an essential step to reduce
the cost of deploying networking security and minimize support issues that result
from incorrectly configured settings.
Starting with The Windows Server®°2003 operating system, you were able to
automate client wireless configuration using the Wireless Networking Policies
settings in Group Policy. Windows Server®°2008 and Windows®° Vista include
new features for network policies and Group Policy support for 802.1X
authentication settings for wired and wireless connections.
Additional Reading:
• Microsoft Technet article: Joining a Windows Vista Wired Client to a Domain
• Microsoft Technet article: Chapter 6: Designing the Wireless LAN Security
Using 802.1X
• Microsoft Technet article: Wireless Group Policy Settings for Windows Vista
• Microsoft Technet article: Define Active Directory-based Wireless Network
Policies
Key Points
Windows Vista and Windows Server 2008 include a new and enhanced version of
Windows Firewall. The new Windows Firewall is a stateful host-based firewall that
allows or blocks network traffic according to its configuration.
Additional Reading
• Microsoft Technet article: The New Windows Firewall in Windows Vista and
Windows Server 2008
Question: You need to ensure that a particular service is not allowed to run on any
of your network servers. How would you accomplish this?
Question: What is the default Group Policy refresh interval for domain controllers
Lesson 2:
Implementing Fine-Grained Password Policies
In Windows Server 2008, you can allow different password requirements and
account lockout policies for different Active Directory users or groups, using fine-
grained policies. In this lesson, you will learn the knowledge and skills to
implement fine-grained password policies.
Key Points
In previous Active Directory domains, you could apply only one password and
account lockout policy to all users in the domain. Fine-grained password policies
allow you to have different password requirements and account lockout policies
for different Active Directory users or groups. This is desirable when you want
different sets of users to have different password requirements, but do not want
separate domains. For example, the Domain Admins group may need strict
password requirements to which you do not want to subject ordinary users. If you
do not implement fine-grained passwords, then the normal default domain
account policies applies to all users.
Additional Reading
• Microsoft Technet article: AD DS: Fine-Grained Password Policies
Key Points
To store fine-grained password policies, Windows Server 2008 includes two new
object classes in the Active Directory schema. They are:
• Password Settings Container (PSC)
• Password Settings Object (PSO)
The PSC object class is created by default under the System container in the
domain. It stores that domain’s PSOs. You cannot rename, move, or delete this
container.
Question: How could you view the Password Settings Container in Active
Directory Users and Computers?
Additional Reading
• Microsoft Technet article: AD DS: Fine-Grained Password Policies
Key Points
There are three major steps involved in implementing fine-grained passwords:
• Create necessary groups, and add the appropriate users.
• Create PSOs for all defined password policies.
• Apply PSOs to the appropriate users or global security groups.
Additional Reading
• Microsoft Technet article: Fine-Grained Password and Account Lockout Policy
Review
Question:
What utilities can be used to manage PSOs? Choose all that apply.
a. ADSI edit
b. GPMC
c. CSVDE
d. LDIFDE
e. NTDSUtil
f. Active Directory Users and Computers
Lesson 3:
Restricting Group Membership and Access to
Software
Key Points
In some cases, you may want to control the membership of certain groups in a
domain to prevent addition of other user accounts to those groups, such as the
local administrators group.
You can use the Restricted Groups policy to control group membership. Use the
policy to specify what members are placed in a group. If you define a Restricted
Groups policy and refresh Group Policy, any current member of a group that is not
on the Restricted Groups policy members list is removed. This can include default
members, such as domain administrators. Although you can control domain
groups by assigning Restricted Groups policies to domain controllers, you should
use this setting primarily to configure membership of critical groups like Enterprise
Admins and Schema Admins. You also an use this setting to control the
membership of built-in local groups on workstations and member servers. For
example, you can place the Helpdesk group into the local Administrators group on
all workstations.
Question: Your company has five Web servers physically located across North
America. The Web server’s computer accounts are all located in a single OU. You
want to grant all the users in the global group named Web_Backup the right to
backup and restore the web servers. How could you use Group Policy to
accomplish this?
Additional Reading
• Microsoft Technet article: Restricted Groups
• Microsoft Technet article: Group Policy Security Settings
Question: You created a Group Policy that adds the Helpdesk group to the local
Administrators group and you linked the policy to an OU. Now the Domain
Administrators no longer have any administrative authority on the computers in
that OU. What is the most likely problem and how would you solve it?
Key Points
You may want to restrict access to software to prevent users from running
particular applications or types of applications, like VBscripts. Software restriction
policy provides administrators with a policy-driven mechanism for identifying
software and controlling its ability to run on a client computer.
Additional Reading
• Microsoft Technet article: Microsoft Windows XP: Using Software Restriction
Policies to Protect Against Unauthorized Software
Key Points
Software Restriction policies use rules to determine whether an application is
allowed to run. When you create a rule, you first identify the application. Then you
identify it as an exception to the default policy setting of Unrestricted or
Disallowed. The enforcement engine queries the rules in the software restriction
policy before allowing a program to run.
Question: You need to restrict access to a certain application no matter into what
directory location the application is installed. What type of rule should you use?
Additional Reading
• Microsoft Technet article: Microsoft Windows XP: Using Software Restriction
Policies to Protect Against Unauthorized Software
Question: You want to ensure that only digitally signed Visual Basic scripts are
allowed to run. What type of rule should you use?
Lesson 4:
Managing Security Using Security Templates
Key Points
A security template is a collection of configured security settings. You can use
predefined security templates as a base to create security policies that you
customize to meet your needs, or you can create new templates. You use the
Security Templates snap-in to create or customize templates. After you create a new
template or customize a predefined security template, you can use it to configure
security on an individual computer or thousands of computers. Security templates
contain security settings for all security areas.
Additional Reading
• Microsoft Technet article: Security Templates Concepts
Question: You have multiple database servers that are located in different OUs.
What is the easiest way to apply consistent security settings to all of the database
servers?
Key Points
The Security Configuration Wizard (SCW) is an attack-surface reduction tool that
Windows Server 2003 with Service Pack 1 (SP1) introduced. SCW assists
administrators in creating security policies, and determines the minimum
functionality that is required for a server’s role or roles and disables functionality
that is not required. SCW guides you through the process of creating, editing,
applying, or rolling back a security policy based on the server’s selected roles. The
security policies that you create with SCW are XML files that, when applied,
configure services, network security, specific registry values, audit policy, and if
applicable, Internet Information Services (IIS).
Additional Reading
• Security Configuration Wizard Documentation
• Security Configuration Wizard for Windows Server 2003
Key Points
Security policies that you create with the SCW also can include custom security
templates. Some of the settings that you can configure using the SCW partially
overlap the settings that you can configure using security templates alone. Neither
set of configuration changes totally includes the other. For example, the SCW
includes IIS settings that are not included in any security template. Conversely,
security templates can include such items as Software Restriction policies, which
you cannot configure through SCW
Additional Reading
• Microsoft Technet article: Security Configuration Wizard How To
• Microsoft Technet article: The Security Configuration Wizard
Question
You need to open a port on your Windows Vista client computers for a custom
application. Should you use the SCW or create a security template and use a GPO?
Scenario:
Woodgrove Bank has decided to implement group policies to configure security
for users and computers in the organization. The company recently upgraded
all of the workstations to Vista and all of the servers to Windows Server
2008. The organization wants to utilize Group Policy to implement security
settings for the workstations, servers, and users. The enterprise administrator
created a design that includes modifications to the default domain security policy
and additional GPOs for configuring security. The company wants to have the
flexibility to assign different password policies for specific users. The
company also wants to automate the configuration of security settings as
much as possible.
Note: Some of the tasks in this lab are designed to illustrate GPO management
techniques and settings, and may not always follow best practices.
You also will configure a local policy on the Windows Vista client that enables the
local Administrator account and prohibits access to the Run menu for Non-
Administrators.
Then you will create a wireless network policy for Windows Vista that creates a
profile for the Corp wireless network. This profile will define 802.1x as the
authentication method. This policy also will deny access to a wireless network
named Research.
Finally, you will configure a policy to prevent the Remote Registry service from
running on any domain controller.
The main tasks in this exercise are:
1. Start the 6425A-NYC-DC1 virtual machine and log on as Administrator.
2. Create an account policy for the domain.
3. Configure local policy settings for a Windows Vista client.
4. Create a wireless network policy for Windows Vista clients.
5. Configure a policy that prohibits a service on all domain controllers.
Result: At the end of this exercise, you will have configured account and security
policy settings.
You will create a fine-grained password policy to enforce these policies for the IT
Admins global group.
The main tasks are as follows:
1. Create a PSO using ADSI Edit.
2. Assign the ITAdmin PSO to the IT Admins global group.
Result: At the end of this exercise, you will have implemented fine-grained
password policies.
Result: At the end of this exercise, you will have configured restricted groups and
software restriction policies.
f Task 1: Create a security template for the file and print servers
1. Create a new MMC and add the snap-in for Security Templates.
2. Expand Security Templates, right-click
C:\Users\Administrators\Documents\Security\Templates and then click
New Template.
3. Name the template FPSecurity.
4. Navigate to Local Polices, Security Options. Define the Accounts: Rename
administrator account with the value FPAdmin.
5. Define the Interactive Logon: Do not display last user name to be Enabled.
6. In the folder pane, right-click FPSecurity and then click Save.
7. Close the MMC without saving the changes.
Note: This step is performed to simplify the lab and is not a recommended practice.
14. On the Security Policy File Name screen, type FPPolicy at the end of the
C:\Windows\security\msscw\policies\ path.
15. Click Include Security Templates and then click Add.
16. Add the Documents\Security\Templates\FPSecurity policy.
17. On the Apply Security Policy screen, click Apply Now and then click Next.
18. On the Applying Security Policy screen, click Next and then click Finish.
Result: At the end of this exercise, you will have configured security templates.
f Task 4: Use group policy modeling to test the settings on the file
and print server
1. Open the GPMC and then launch the Group Policy Modeling Wizard.
2. Accept all the defaults except on the User and Computer Selection screen.
3. Click Computer and then type Woodgrovebank\NYC-SRV1.
4. After completing the Wizard, observe the policy settings.
Result: At the end of this exercise, you will have verified the security configuration.
Review Questions
1. You want to place a software restriction policy on a new type of executable file.
What must you do before you can create a rule for this executable code?
2. What setting must you configure to ensure that users are only allowed 3
invalid logon attempts?
3. You want to provide consistent security settings for all client computers in the
organization. The computer accounts are scattered across multiple OUs. What
is the best way to provide this?
4. An administrator in your organization has accidentally modified the Default
Domain Controller Policy. You need to restore the policy to its original default
settings. How would you accomplish this?
Module 8
Implementing an Active Directory Domain
Services Monitoring Plan
Contents:
Lesson 1: Monitoring Active Directory Domain Services Using
Event Viewer 8-3
Lesson 2: Monitoring Active Directory Domain Servers Using
Reliability and Performance Monitor 8-10
Lesson 3: Configuring Active Directory Domain Services Auditing 8-20
Lab: Configuring Active Directory Sites and Replication 8-25
Module Overview
Lesson 1:
Monitoring Active Directory Domain Services
Using Event Viewer
Key Points
One of the first places you should turn when troubleshooting problems in
Microsoft Windows is the Event Viewer. A number of new features are built into
the Event Viewer for Windows Vista® and Windows Server® 2008.
Event Viewer is rewritten completely with a new user interface that makes it easier
to filter and sort events and control which events are logged. Additionally, you now
can perform some basic diagnostic tasks from within Event Viewer. Event Viewer
also provides many new logs files.
Additional Reading
• Microsoft Technet article: Event Viewer Overview
• Microsoft Technet article: How the Active Directory Replication Model Works
Question: You have an issue with Group Policy. What log should you view for
detailed Group Policy events?
Key Points
The System and Application logs still provide general information and log events
from many areas, but the Event Viewer now provides a wide range of application
and service logs. These logs can provide granular information about Active
Directory® and other service, like Group Policy, offline files, Windows Update
client and many others.
Key Points
Custom views are filters that are named and saved. After creating and saving a
custom view, you are able to reuse it without re-creating its underlying filter. To
reuse a custom view, navigate to the Custom Views category in the console tree
and select the custom view’s name. By selecting the custom view, you apply the
underlying filter and the results are displayed. You can import and export custom
views, enabling you to share them between users and computers.
Additional Reading
• Microsoft Technet article: Create and Manage Custom Views
Key Points
Event Viewer enables you to view events on a single remote computer. However,
troubleshooting an issue might require you to examine a set of events stored in
multiple logs on multiple computers. Event Viewer provides the ability to collect
copies of events from multiple remote computers and store them locally. To
specify which events to collect, you create an event subscription. Once a
subscription is active and events are being collected, you can view and manipulate
these forwarded events as you would any other locally stored events.
Additional Reading
• Microsoft Technet article: Event Subscriptions
• Microsoft Technet article: Configure Computers to Forward and Collect Events
Question: You want to monitor a particular group of events across multiple Web
servers. What is the best way to accomplish this?
Lesson 2:
Monitoring Active Directory Domain Servers
Using Reliability and Performance Monitor
Key Points
Windows Reliability and Performance Monitor enables you to track the
performance impact of applications and services, and to generate alerts or take
action when user-defined thresholds for optimum performance are exceeded.
Windows Reliability and Performance Monitor provides the features outlined
below.
• Resource view
• Reliability Monitor
• Data Collector Sets
• Track performance of applications and services
• Wizards and templates for creating logs
• Generate alerts and take action when thresholds are reached
• Generate reports
Additional Reading
• Microsoft Technet article: Windows Reliability and Performance Monitor
Question: Where can you find real-time information about network activity?
Key Points
Monitoring the distributed Active Directory® service and the services that it relies
upon helps maintain consistent directory data and the necessary level of service
throughout the forest. You can monitor important indicators to discover and
resolve minor problems before they develop into potentially lengthy service
outages.
In addition to the normal baseline counters that you monitor for all servers, there
are objects and dozens of counters that are specific to Active Directory.
Additional Reading
• Microsoft Technet article: Active Directory Operations Guide
Key Points
A computer’s baseline is a measure of specified resource behavior during normal
activity that indicates how the resource, or a collection of system resources,
performs. This information is then compared to later activity to monitor system
usage and system response to changing conditions.
Additional Reading
• Microsoft Technet article: Deploying Active Directory for Branch Office
Environments, Chapter 9 - Post Deployment Monitoring of Domain
Controllers
Key Points
A system’s reliability is the measure of how often it deviates from configured,
expected behavior. The Reliability Monitor calculates a System Stability Index that
reflects whether unexpected problems reduced the system’s reliability. A graph of
the Stability Index over time quickly identifies dates when problems began to
occur. The accompanying System Stability Report provides details to help
troubleshoot the root cause of reduced reliability. By viewing changes to the system
(installation or removal of applications, updates to the operating system, or
addition or modification of drivers) side by side with failures (application failures,
operating system crashes, or hardware failures), you can develop a strategy for
addressing the issues quickly. The Reliability Monitor begins to collect data at the
time of system installation and must run for at least 24 hours before the data is
displayed in the System Stability Chart.
Question: You want to see a historical record of software that has been added or
removed from the computer. Where would you find that information?
Additional Reading
• Microsoft Technet article: Windows Vista Performance and Reliability
Monitoring Step-by-Step Guide
Key Points
A new feature in Windows Reliability and Performance Monitor is the Data
Collector Set, which groups data collectors into reusable elements for use with
different performance monitoring scenarios.
Question: You want to create an alert to notify you when free disk space is low.
How would you create one?
Additional Reading
• Microsoft Technet article: Create Data Collector Sets
Demonstration: Monitoring AD DS
Question: What is the easiest way to log the same set of data across multiple
computers?
Lesson 3:
Configuring Active Directory Domain Services
Auditing
In any secure environment, you should actively monitor the Active Directory. As
part of your overall security strategy, you should determine the level of auditing
appropriate for your environment. Auditing should identify actions, either
successful or not, that have modified or attempted to modify, Active Directory
objects.
Key Points
An audit log records an entry whenever users perform certain specified actions. For
example, the modification of an object or a policy can trigger an audit entry that
shows the action that was performed, the associated user account, and the date
and time of the action. You can audit both successful and failed attempts at actions.
Additional Reading
• Microsoft Technet article: Windows Server "Longhorn" Beta 3 Auditing AD DS
Changes Step-by-Step Guide
• Microsoft Support: How to use Group Policy to configure detailed security
auditing settings for Windows Vista client computers in a Windows Server
2003 domain or in a Windows 2000 domain
• Microsoft Technet article: Auditpol
Additional Reading
• Microsoft Technet article: Managing Intersite Replication
The Directory Service Access category still provides information about all the
events that occur in the directory, and is enabled by default. More detailed
information can be delivered from the subcategories.
Question: You want to track details about any modifications made to Active
Directory objects for a particular organizational unit (OU) and any child OUs.
Which ACE should you set to capture that information?
Additional Reading
• Microsoft Technet article: Windows Server "Longhorn" Beta 3 Auditing AD DS
Changes Step-by-Step Guide
Question: How would enable the tracking of failure events for the directory service
change subcategory?
Scenario:
Woodgrove Bank has completed their deployment of AD DS. As the AD DS
administrator, you must monitor AD DS availability and performance. The server
administrator has provided a monitoring plan that includes service availability,
performance, and Event log monitoring components. Using Performance and
Reliability Monitoring, Event Viewer, and other tools, you will monitor AD DS
domain controllers.
f Task 3: Right-click Custom Views and then click Create Custom View
1. Log on to NYC-DC2 as Administrator with a password of Pa$$w0rd.
2. Launch Event Viewer from the Administrative Tools folder.
3. Right-click Custom Views and then click Import Custom View.
4. Import the custom view from \\NYC-DC1\Data\Active Directory.xml.
Note: Actual events may take a few minutes to show up in the Forwarded Events
log. Start and stop the DNS service again if required.
Note: The message box may be hidden behind the Event Viewer window. Look for it
on the Task Bar.
Result: At the end of this exercise, you will have monitored AD DS using Event
Viewer.
Note: You are setting the threshold extremely high to ensure that you will trigger an
alert.
Result: At the end of this exercise, you will monitor AD DS using Performance and
Reliability Monitor.
7. When the update completes, run the Auditpol.exe /get /category:* command
again and then examine the default audit-policy settings.
8. Close the command prompt.
Result: At the end of this exercise, you will have configured AD DS Auditing.
Review Questions
1. What kinds of events are logged in the Setup log?
2. For what event ID would you filter to see deleted user accounts?
3. What service must you enable on computers collecting subscription events
from remote computers?
4. Where can you get up to date information about event IDs?
5. Where can you get historical information about application failures?
6. The NTDS\DRA Pending Replication Synchronizations counter is now
consistently higher than the established baseline value for that counter. What
might this indicate?
7. You want to view all the occurrences of a particular event ID across multiple
logs. What is the best way to accomplish this?
• There are a number of built-in Data Collector Sets or you can define your own.
• Active Directory auditing can track all events that happen in the Active
Directory.
• Audit directory service access is divided into four subcategories.
• Directory service changes subcategory provides old and new values when you
modify attributes.
• You must use Auditpol.exe to configure subcategories.
• SACLs must be set on objects to allow auditing before you can collect any
results.
• Directory service changes subcategory provides old and new values when
attributes are modified.
• Auditpol.exe must be used to configure subcategories.
• SACLs must be set on objects to allow auditing before any results can be
collected.
Module 9
Implementing an Active Directory® Domain
Services Maintenance Plan
Contents:
Lesson 1: Maintaining the AD DS Domain Controllers 9-3
Lesson 2: Backing Up Active Directory Domain Services 9-14
Lesson 3: Restoring Active Directory Domain Services 9-18
Lab: Implementing an Active Directory Domain Services
Maintenance Plan 9-29
Module Overview
Lesson 1:
Maintaining the AD DS Domain Controllers
Key Points
The Active Directory database engine, ESE, stores all of the Active Directory
objects. The ESE uses transactions and log files to ensure the Active Directory
database’s integrity.
Additional Reading
• How the Data Store Works
Key Points
The key points of Active Directory data-modification process are:
• A transaction is a set of changes made to the AD DS database and the
associated metadata.
• The basic data modification process consists of six steps:
1. The write request initiates a transaction.
2. Active Directory writes the transaction to the transaction buffer in
memory.
3. Active Directory writes the transaction in the transaction log.
4. Active Directory writes the transaction from the memory buffer to the
database.
5. Active Directory compares the database and log files to ensure that the
transaction was committed to the database.
6. Active Directory updates the checkpoint file.
Question: What other Microsoft services use a transactional model for making
database changes? How does the AD DS model compare to these other services?
Additional Reading
• How the Data Store Works
Key Points
Ntdsutil.exe is a command-line tool that you can use to manage AD DS. You can
perform many maintenance tasks that cannot be done in the graphical user
interface (GUI), including offline database defragmentation, moving the database
and its transaction log, removing and restoring deleted objects from Active
Directory, seizing operations master (also known as flexible single master
operations or FSMO) roles, and manage snapshots of the database. You also can
include these commands in a batch file.
Question: You have forgotten the directory services restore-mode password for
your domain controller. How can you recover the password?
Additional Reading
• NTDSUtil Help
• Data Store Tools and Settings
Key Points
Over time, fragmentation occurs as records in the Active Directory database are
deleted and new records are added or expanded. When records become
fragmented, the computer must search the disk to find and reassemble all pieces
each time the database is opened. If many changes to the Active Directory database
are made, fragmentation could slow the performance of it.
Question: How often will you need to perform an offline defragmentation of your
AD DS databases in your environment?
Additional Reading
• Performing offline defragmentation of the Active Directory database
• Data Store Tools and Settings
Key Points
Active Directory Domain Services in Windows Server 2008 can be stopped and
restarted while the machine is booted up. In previous versions, if an administrator
wanted to start a domain controller without loading Active Directory, the server
had to be rebooted into Active Directory Restore Mode. This would start the server
as a member server, without Active Directory. You then could perform offline
maintenance tasks, such as an offline defragmentation or moving the database and
log files. With Windows Server 2008, the directory service can be taken offline
while the machine is running, with minimal disruption to other services.
Additional Reading
• AD DS: Restartable Active Directory Domain Services
• Windows Server 2008 Technical Library
Demonstration steps
To perform these steps, you must be a member of the built-in Administrators
group on the domain controller.
1. Stop Active Directory Domain Services.
2. Open a command prompt.
3. Start ntdstuil.
4. At the ntdsutil: prompt, type Activate Instance NTDS and then press ENTER.
5. At the ntdsutil: prompt, type files and then press ENTER.
6. Compact the database, using a temporary directory for the new ntds.dit.
7. Overwrite the old ntds.dit with the new compacted version, and then delete
any log files (*.log) in the %systemroot%\NTDS\ folder.
8. In the ntdsutil File Maintenance command window, type integrity to check
the integrity of the new compacted database.
9. In the File Maintenance command window, type move db to pathname and
then press ENTER. The ntds.dit file is moved to the new location and
permissions are set accordingly.
10. Start Active Directory Domain Services.
Additional Reading
• Compact the directory database file (offline defragmentation)
Key Points
As part of a comprehensive security plan, you can increase a domain controller’s
security by removing all unnecessary services and features. This reduces both the
attack surface and improves performance.
Additional Reading
• Security Configuration Wizard Overview
Lesson 2
Backing Up Active Directory Domain Services
Introduction to Backing Up AD DS
Key Points
You can use Windows Server Backup to back up Active Directory. Windows Server
Backup is not installed by default. You must install it using Add Features in Server
Manager before you can use the Wbadmin.exe command-line tool or Backup tool
in Administrative Tools.
Question: What other process could you use to back up the system state data on a
domain controller?
Additional Reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery
Key Points
Windows Server Backup is the new backup utility that Windows Server 2008
provides. To use Windows Server Backup, you must install it as a feature. If you
want to use the Windows Server Backup command-line tools, you also must install
the Windows Powershell feature.
Additional Reading
• Windows Server 2008 Technical Library
Demonstration: Backing Up AD DS
How often should a full backup be performed? How often should an incremental
or differential backup be performed?
Additional Reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery
Lesson 3
Restoring Active Directory Domain Services
Overview of Restoring AD DS
Key Points
In Windows Server 2008, you have several options available for restoring AD DS.
The option that you choose depends on the disaster-recovery scenario that you
need to address.
Additional Reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery
Key Points
You can use a backup to perform a nonauthoritative restore of a domain controller.
A nonauthoritative restore returns the directory service to its state at the time that
the backup was created. After the restore operation completes, AD DS replication
updates the domain controller with changes that have occurred since the time that
the backup was created. In this way, the domain controller is recovered to a
current state.
Question: What would happen if you did not enter the second bcdedit command
after restoring the AD DS database?
Additional reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery
Key Points
An authoritative restore provides a method to recover objects and containers that
have been deleted from AD DS. When an object is marked for authoritative restore,
its version number is changed so that it is higher than the existing version number
of the (deleted) object in the Active Directory replication system. This change
ensures that any data that you restore authoritatively is replicated from the
restored domain controller to the forest’s other domain controllers.
Question: What would happen if you did not enter the second bcdedit command
after restoring the AD DS database?
Additional Reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery
• Performing an Authoritative Restore of Active Directory Objects
Key Points
The Database Mounting Tool (Dsamain.exe) allows administrators to view and
compare data in database snapshots (backups) without having to restore those
backups, which saves on downtime and speeds the domain-recovery process.
Additional Reading
• AD DS: Database Mounting Tool
• Step-by-Step Guide for Using the Active Directory Database Mounting Tool in
Windows Server 2008 Beta 3
Demonstration Steps
To perform this procedure, you must be logged on to a domain controller as a
member of either the Enterprise Admins group or the Domain Admins group.
1. Start a command prompt in administrative privilege.
2. At the command prompt, type ntdsutil and hen press ENTER.
3. At the ntdsutil prompt, type snapshot and then press ENTER.
4. At the snapshot prompt, type activate instance ntds and then press ENTER.
5. At the snapshot prompt, type create and then press ENTER. The command
returns the following output: Snapshot set {GUID} generated successfully.
6. At the snapshot prompt, type mount {GUID}. The mounted snapshot will
appear in the file system.
Note: Be sure to include the curly braces in around your GUID number).
10. A message indicates that Active Directory Domain Services startup is complete.
LEAVE Dsamain.exe running. Do not close the command prompt.
11. At the run line, type LDP, and then click OK.
12. Click Connection, and then click Connect.
13. In Server, type localhost, and in Port type 51389, and then click OK.
14. Click Connection and then click Bind.
15. In Bind type, click Bind as currently logged on user. Click OK.
16. Click View, and then click Tree.
17. In BaseDN, type dc=woodgrovebank,dc=com.
18. Browse the containers for a user object. Double-click the user to view its
properties.
19. Close LDP.exe
20. Stop Dsamain.exe by pressing CTRL+C.
Why is it necessary to specify different LDAP, SSL and GC ports for each mounted
instance of the database?
Additional Reading
• Step-by-Step Guide for Using the Active Directory Database Mounting Tool in
Windows Server 2008 Beta 3
Key Points
A tombstoned object is one that is marked as deleted in Active Directory. When an
administrator deletes an object, it is converted into a tombstone. The tombstone
remains in the Active Directory database in a deactivated state for 180 days (default
Tombstone Lifetime). The tombstone is replicated to the entire domain’s other
controllers and then deleted on each domain controller at the tombstone lifetime’s
end.
When an object is marked as a tombstone, the isDeleted attribute on the object is
set to True and most of the other attributes are deleted. Only a few critical
attributes (SID, ObjectGUID, LastKnownParent, and SAMAccountName) are
retained. This means that even if the administrator reanimates the object, it no
longer has all the information it once had. You must recreate the missing attribute
values manually
Note: The Database Mounting Tool can be used to view the attributes for the
deleted object in a snapshot that was made before the object was deleted. This
makes it easier to recover the deleted item.
Additional Reading
• How to restore deleted user accounts and their group memberships in Active
Directory
Scenario:
Woodgrove Bank has completed its AD DS deployment. To ensure high availability
and performance for the AD DS servers, the organization is implementing a
maintenance plan that includes ongoing AD DS database maintenance and
implementation of a disaster-recovery plan. The server administrator has prepared
a backup plan that includes daily system volume of a domain controller in each
domain. The server administrator also has prepared plans for recovering AD DS
data in several scenarios. You need to implement these plans.
Result: At the end of this exercise, you will have installed run the SCW to lock down
services on an AD DS domain controller and performed AD DS database-
maintenance tasks.
Exercise 2 Backing Up AD DS
In this exercise, you will install the Windows Server Backup feature and then use it
to schedule a backup of the AD DS information. You also will perform an on-
demand backup of the system volume.
The main tasks for this exercise are as follows:
1. Install all of the Windows Server Backup Features.
2. Create a Scheduled Backup.
3. Complete an On-Demand Backup.
Result: At the end of this exercise, you will have installed the Windows Server Backup
feature and then use it to schedule a backup of the AD DS information and to perform
an on-demand backup.
f Task 7: Enable the network connection for NYC-DC2 and verify that
replication deletes the Toronto OU
1. On NYC-DC2, enable the Local Area Network connection.
2. On NYC-DC1, in Active Directory Sites and Services, force replication with
NYC-DC2.
3. In Active Directory Users and Computers, verify that the Toronto OU has
been deleted through replication.
Result: At the end of this exercise, you will have performed a non-authoritative
restore of AD DS information and verified that the OU is again deleted through
replication
Result: At the end of this exercise, you will have performed an authoritative restore
of AD DS information.
8. At the snapshot prompt, type list all and press ENTER. Identify the number
assigned to the snapshot you just created.
9. At the snapshot prompt, type mount number and press ENTER. The number is
the number displayed in the previous command. The mounted snapshot will
appear in the file system.
10. Exit NTDSUtil, but keep the command prompt open.
f Task 4: View the information for the deleted user account in the
mounted snapshot
1. Click Start, click Run, type LDP, and then click OK.
2. Connect and bind to the localhost, using port 51389.
3. In BaseDN, type dc=woodgrovebank,dc=com.
4. Browse to the ITAdmins OU and double-click CN=Axel Delgado. View the
Description, physicalDeliveryOfficeName, and Telephone Number Attributes.
You now can add the information in these attributes to the user object in
Active Directory Users and Computers. Close LDP.exe.
f Task 5: Shut down all virtual machines and discard any changes
Result: At the end of this exercise, you will have restored a deleted user account and
viewed the restored user properties using the AD DS data-mining tool.
Review Questions
1. One of your domain controllers is running out of hard-drive space. You modify
the domain controller so that it is no longer a global catalog server, but notice
that the size of the AD DS database does not decrease. What should you do to
reclaim hard-drive space on the server?
2. You are concerned about the amount of disk space that the Active Directory
database and log files are using. How do you determine the size of the
database and log files?
3. You install Windows Server Backup on your domain controller. You only have
two drives on the computer and both are being used for data or system files.
What types of backup should you use to back up your AD DS environment?
4. All of the domain controllers in your domain have failed. You are trying to
rebuild the domain from the Active Directory backup on one domain
controller. Which type of restore must you use to rebuild the domain?
5. You accidentally deleted a user account in AD DS. What options do you have
to make the account available again?
Tools
Use the following tools when configuring AD DS sites and replication:
Module 10
Troubleshooting Active Directory, DNS, and
Replication Issues
Contents:
Lesson 1: Troubleshooting Active Directory Domain Services 10-3
Lesson 2: Troubleshooting DNS Integration with Active Directory
Domain Services 10-9
Lesson 3: Troubleshooting Active Directory Replication 10-15
Lab: Troubleshooting Active Directory, DNS and Replication Issues 10-22
Module Overview
Lesson 1:
Troubleshooting Active Directory Domain
Services
Introduction to AD DS Troubleshooting
Key Points
Active Directory Domain Service is a distributed system that is comprised of many
different services and depends on all of the services to function properly. When
troubleshooting AD DS issues, you need to identify the source of the problem and
resolve the specific issue.
Additional Reading
• Overview of Active Directory Troubleshooting
• Active Directory Operations Guide
Questions
Key Points
There are many possible reasons why a user cannot access network resources.
These can be divided up into three basic categories.
Questions
From your experience, what is the most common reason for user access error in
your organization?
What steps can you take to reduce the number of user access errors while still
maintaining network security?
Key Points
As a distributed service, AD DS depends on many interdependent services that are
distributed across many devices and in many remote locations. As you increase the
size of your network to take advantage of the scalability of AD DS, domain
controller performance could become an issue.
Additional Reading
• Windows Server 2003 Active Directory Branch Office Guide
• Analyzing performance data
Lesson 2
Troubleshooting DNS Integration with Active
Directory Domain Services
Key Points
One of the most common reasons for AD DS issues is problems with the DNS
infrastructure. In particular, you should begin DNS troubleshooting when you see
the issues listed in the slide.
Key Points
To verify that clients can resolve names and records, perform the following steps:
• Verify network connectivity on all computers.
• Use ipconfig to make sure all computers, including clients, member servers,
domain controllers, and DNS servers are using a DNS server that is
authoritative for the Active Directory domain. Sometimes computers are
manually misconfigured to use the wrong DNS server, such as an Internet
caching server or an ISP’s DNS server.
• Use netdiag to test DNS connectivity.
• Ensure that the DNS server is working correctly. You can perform the Simple
self-test in the DNS server’s properties to verify the database is responding. As
well, clear the DNS server’s cache to ensure that the cache is not polluted, or
that it has the latest zone information
Question: What are the most common DNS related issues in your organization?
Additional Reading
• Diagnosing Name Resolution Problems
Key Points
All servers must have at least A (host) and possibly PTR (reverse lookup) records
in DNS. In addition, all domain controllers must have their SRV (Resource
Locator) records updated in DNS. The following lists which service is responsible
for dynamically updating DNS:
• A records are updated by the computer’s DNS client service.
• PTR records are manually configured.
• SRV records are updated by the DC’s netlogon service.
Question: What are PTR records used for? What errors will you see if you do not
have the PTR records registered for domain controllers?
Key Points
Whenever a DNS record is updated, either in a traditional Primary (Master) zone
or an Active-Directory Integrated zone, that update must be replicated in a zone
transfer to all DNS servers that are authoritative for that zone. An administrator
may choose to favor conserving bandwidth during heavy network usage hours by
delaying replication to less busy times. Even so, the record will have to be
replicated at some point for the DNS database to be consistent.
Additional Reading
• Troubleshooting Zone Problems
Lesson 3:
Troubleshooting Active Directory Replication
AD DS Replication Requirements
Key Points
Refer to the requirements listed on the slide for AD DS replication to occur
successfully.
Key Points
When you encounter replication problems in Active Directory, your first step is to
identify the symptoms and possible causes.
Question: What is the most common reason for replication error in your
organization?
Additional Reading
• Troubleshooting Active Directory Replication Problems
Key Points
You use the Repadmin.exe command-line tool to view the replication topology
from the perspective of each domain controller. You can also use Repadmin.exe to
manually create the replication topology, force replication events between domain
controllers, and view the replication metadata, which is information about the data,
and up-to-date state of vectors.
Additional Reading
• Troubleshooting Active Directory Replication Problems
Key Points
The Dcdiag.exe tool performs a series of tests to verify different aspects of the
system. These tests include connectivity, replication, topology integrity, and
intersite health.
Scenario
Woodgrove Bank has completed its deployment of Windows Server 2008. As the
AD DS administrator, one of your primary tasks now is troubleshooting AD DS
issues that have been escalated to you from the company Help Desk. You are
responsible for resolving issues related to user access to resources, the integration
of DNS and AD DS and AD DS replication.
Trouble Ticket #2 – A Help Desk staff member named Markus Breyer has been
given the task of adding new hires to the BranchManagers OU in the NYC OU in
the Woodgrovebank.com domain. Markus is a member of the HelpDesk global
group. All members of the HelpDesk group need to be able to manage users
accounts from client workstations by using Remote Desktop. When Markus
attempts to accomplish this task, he is unsuccessful. The matter has been escalated
to you.
1. Log onto NYC-CL1as Markus, with the password of Pa$$w0rd. Try to
connect to NYC-DC1 by using Remote Desktop.
2. Were you successful? What, if any, error messages did you receive?
_______________________________________________________________
3. What do you think is the problem?
_______________________________________________________________
4. Take the required steps to resolve the error message.
5. Try connecting to Remote Desktop again. Were you successful this time? If
not, take the next steps for troubleshooting the issue.
6. After you successfully connect to Remote Desktop, try opening Active
Directory Users and Computers. If you are not successful, complete steps to
troubleshoot the issue.
7. In Active Directory Users and Computers, try to create atest user account in
the Branch Managers OU.
8. Were you successful? What, if any, error messages did you receive?
__________________________________________________________________
9. What additional step(s), if any, do you think you will need to take?
__________________________________________________________________
10. Log off of NYC-CL1.
Result: At the end of this exercise, you will have resolved two trouble tickets with
authentication and authorization issues.
Result: At the end of this exercise, you will have resolved a trouble ticket with DNS
integration and AD DS issues.
Trouble Ticket #5 – The Help Desk has noticed that when some users in the New
York branch of Woodgrovebank.com log on, they are not getting the expected
automatic drive mappings. All users should get a drive mapping that maps the H:
drive to \\NYC-DC1\data. The Help Desk has confirmed that the Group Policy
Object is configured correctly. The logon script is called MapDataDir.bat and is
supposed to be located in the Netlogon share.
1. What do you think might be the problem(s)?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
2. What troubleshooting step(s) will you take to resolve the problem(s)?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
3. How will you verify that the problem(s) has been resolved?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
4. Implement your troubleshooting steps. What was the actual problem(s), and
how did you resolve it?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
5. Shut down all the Virtual PCs.
Result: At the end of this exercise, you will have resolved a trouble ticket with AD DS
replication issues.
Tools
Use the following tools when troubleshooting AD DS issues:
Tool Used for Where to find it
Server Accessing the AD DS management Click Start, and then point
Manager tools in a single console. to Administrative
Tools. Click Server
Manager.
Active Creating and configuring sites, Click Start, and then point
Directory subnets, moving domain controllers to Administrative
Sites and between sites, and forcing Tools. Click Active
Services replication. Directory Users and
Computers.
DNS Configuring and viewing DNS zones Click Start, and then point
to Administrative
Tools. Click DNS.
Repadmin Gathering data about the current Installed by default and
replication topology and status and accessible at a command
creating new replication objects prompt.
DCDiag Gathering data about domain Installed by default and
controllers including replication accessible at a command
partners and status prompt.
NSLookup Reviewing information stored in DNS Installed by default and
zone files accessible at a command
prompt.
Ntfrsutl Displays detailed information about Installed by default and
the active FRS replicas on the accessible at a command
domain controller and can be used prompt.
to force replication
FRSDiag Provides a graphical user interface Can be downloaded from
for gathering detailed information the Microsoft download
about FRS performance and issues center
and analyzes the results to identify
common FRS and Active Directory
problems.
Dfsradmin Provides detailed information about Installed on Windows Server
the current state of DFSR replication 2008 computers when you
in the domain. Can also be used to install the file management
configure DFSR replication features.
Review Questions
1. A user log is able to log on their computer but whenever she tries to access a
network resource, she is prompted for a user name and password? How would
you ensure that she can access network resources without being prompted for
the user name and password after logon?
2. You need to verify that all of the domain controller SRV records are registered
in DNS. All DNS servers in your organization are using a third-party DNS
product rather than using Windows Server 2008 DNS. How can you view the
records in DNS?
3. Users in a branch office in your organization are experiencing very slow logon
times. You create a domain controller in your main office, and then ship the
domain controller to the branch office. You configure the branch office as a
second site in your forest. You modified the domain controller’s IP address
configuration and have confirmed network connectivity and confirmed that
the domain controller’s IP address has been updated in DNS. However, some
of the users in the branch office are still experiencing very slow logon times.
What else should you do?
4. Your organization has five office locations with each location configured as a
separate site in AD DS. At least one domain controller has been deployed in
each office. All user account management is performed in the main office. You
notice that when you create a new user account in the main office, it can take
up to 3 hours before the user can logon using that account in the branch
office. What should you do to make sure the user can log on right after the
account has been created?
Module 11
Troubleshooting Group Policy Issues
Contents:
Lesson 1: Introduction to Group Policy Troubleshooting 11-3
Lesson 2: Troubleshooting Group Policy Applications 11-10
Lesson 3: Troubleshooting Group Policy Settings 11-17
Lab: Troubleshooting Group Policy Issues 11-25
Module Overview
Lesson 1:
Introduction to Group Policy Troubleshooting
Group Policy can be complex to deploy and manage, and sometimes a setting can
cause unintended consequences for users or computers. This lesson provides
details about Group Policy processing and common problem areas, and describes
some of the troubleshooting tools available.
Additional Reading
• Microsoft Technet article: Group Policy Troubleshooting
Key Points
The first step in troubleshooting Group Policy is to determine the problem’s
source. Group Policy problems may be a symptom of other, unrelated issues –
such as network connectivity, authentication problems, domain controller
availability, or Domain Name Service (DNS) configuration errors. For example, the
failure of a router or DNS server could prevent clients contacting a domain
controller.
Question: What diagnostic tool could you use to determine lease expiration of a
Dynamic Host Configuration Protocol (DHCP) address issued to a client
computer?
Additional Reading
• Troubleshooting Your Systems with Network Diagnostics
• Using NSlookup.exe
• Microsoft Technet article: Unable to access domain controller
• Kerbtray.exe: Kerberos Tray
Key Points
There are a number of diagnostic tools and logs that you can use to verify whether
you can trace a problem to core Group Policy.
Question: What diagnostic tool will quickly display the current Group Policy slow
link threshold?
Additional Reading
• Group Policy Modeling and Results
• How to manually create Default Domain GPOs
• GPOTool (from Win2K Server Resource Kit)
• Microsoft Technet article: Refresh Group Policy settings with GPUpdate.exe
• Fixing Group Policy problems by using log files
Question: What steps must you take prior to running Group Policy reporting
RSoP on a remote computer?
Lesson 2
Troubleshooting Group Policy Applications
When troubleshooting Group Policy issues, you need a firm understanding of the
interactions between Group Policy and its supporting technologies, and the ways
in which you manage, deploy, and apply Group Policy objects.
Key Points
Blocking inheritance will prevent all higher-level settings from affecting the
organizational units (OUs) and their child OUs where inheritance has been
blocked. You can block inheritance only for entire OUs, not for individual objects,
and it can complicate troubleshooting because it counteracts the usual inheritance
rules.
Question: Are there scenarios in your organization that would benefit from
blocking inheritance?
Additional Reading
• Microsoft Technet article: Fixing Core Group Policy problems
Key Points
Group Policy filtering determines which users and computers will receive the
GPO’s settings. Filtering of a Group Policy object (GPO) is based on two factors:
• The security filtering on the GPO
• Any Windows Management Instrumentation (WMI) filters on the GPO
Question: You have applied security filtering to limit the GPO to apply only to the
Managers group. You did this by setting the following GPO permissions:
None of the managers are receiving the GPO settings. What is the problem?
Additional Reading
• Microsoft Technet article: Fixing Group Policy scoping issues
Key Points
In a domain that contains more than one domain controller, Group Policy
information takes time to propagate, or replicate, from one domain controller to
another. A GPO consists of two parts; the Group Policy template (GPT) and the
Group Policy container (GPC). Changes to GPOs are tracked using version
numbers. Every change increments the version number of the GPT and the GPC.
Question: What tool can be used to force replication across all domain controllers
in the domain?
Additional Reading
• Troubleshooting File Replication Service
• Microsoft Technet article: Replication of Group Policy settings between
domain controllers fails
Key Points
Group Policy refresh refers to a client’s periodic retrieval of GPOs. During Group
Policy refresh, the client contacts an available domain controller. If any GPOs
changed, the domain controller provides a list of all the appropriate GPOs. By
default, GPOs are processed at the computer only if the version number of at least
one GPO has changed on the domain controller that the computer is accessing.
Question: You have implemented folder redirection for a particular OU. Some
users report that their folders are not redirecting to the network share. What is the
first step you should take to resolve the problem?
Additional Reading
• Group Policy does not refresh
Question: One user is getting settings applied that no one else is receiving. What
might be the issue and how would you start troubleshooting?
Lesson 3:
Troubleshooting Group Policy Settings
Group Policy settings issues usually are due to slow-link detection or incorrect
configuration. Understanding how the Client side extensions (CSEs) work and
how slow links are determined assists in troubleshooting these issues.
Key Points
CSEs are dynamic-link libraries (DLLs) that perform the actual processing of
Group Policy settings. Policy settings are grouped into different categories, such as
Administrative Templates, Security Settings, Folder Redirection, Disk Quota, and
Software Installation. Each category’s settings require a specific CSE to process
them, and each CSE has its own rules for processing settings. The core Group
Policy process calls the appropriate CSEs to process those settings. Some CSEs
behave differently under different circumstances. For example, a number of CSEs
do not process if a slow link is detected. Security settings and Administrative
Templates always are applied and you cannot turn them off. You can control the
behavior of other CSEs across slow links.
As Group Policy is processed, the Winlogon process passes the list of GPOs that
must be processed to each Group Policy client-side extension. The extension uses
the list to process the appropriate policy when applicable.
Question: Users in a branch office log on across a slow modem connection. You
want folder redirection to be applied to them even across the slow link. How
would you accomplish this?
Additional Reading
• Identifying Group Policy Client-Side Extensions
• Computer Policy for Client-side Extensions
• Group Policy and Network Bandwidth
Key Points
Some Administrative Template settings may be preferences, rather than policies
that you cannot remove easily, while older operating systems might not accept
other administrative settings.
Additional Reading
• Microsoft Technet article: Fixing Administrative Template policy setting
problems
Key Points
Security policies protect the computing environment’s integrity by controlling
many aspects of it, like password policies, security options, restricted groups,
network policies, services, public key policies, and so on.
Question: You have configured a password policy in a GPO and linked that policy
to the Research OU. The policy is not affecting domain users in the OU. What is
the problem?
Additional Reading
• Troubleshooting security settings
Key Points
The Scripts CSE updates the registry with the location of script files so that the
UserInit process can find those values during its normal processing. When a CSE
reports success, it might mean only that the script’s location is placed in the
registry. Even though the setting is in the registry, there could be problems
preventing the setting from being applied to the client. For example, if a script
specified in a Script setting has an error that prevents it from completing, the CSE
does not detect an error.
Group Policy processes a GPO and stores the script information in the registry, in
these locations:
• HKCU\Software\Policies\Microsoft\Windows\System\Scripts (User Scripts)
• HKLM\Software\Policies\Microsoft\Windows\System\Scripts (Machine
Scripts)
Question: A logon script is assigned to an OU. The script executes properly for all
users, but some users report that they get an access-denied message when they try
to access the mapped drive. What is the problem?
Additional Reading
• Microsoft Technet article: Fixing Scripts policy settings problems
Scenario
Woodgrove Bank has completed its Windows Server 2008 deployment. As the
Active Directory Domain Services (AD DS) administrator, one of your primary
tasks is troubleshooting AD DS issues that the company help desk escalates to you,
and you are responsible for resolving issues related to Group Policy application
and configuration.
Note: Some of the tasks in this lab are designed to illustrate GPO troubleshooting
techniques and may not always follow best practices.
Then you will apply a preconfigured GPO to all domain users that maps a drive to
the Data shared folder, and observe and troubleshoot the results.
All domain users will have a drive mapping to a shared folder named Data. The
GPO is created already and is backed up. You will restore and apply the GPO that
delivers that policy to the domain, and troubleshoot any issues with the policy.
A user in the Miami OU has submitted the following help-desk ticket:
• User Name: Roya Asbari
• Computer Name: NYC-CL1
• Description of Problem: There is no drive mapping to the Data folder.
This ticket has been escalated to the server team for resolution.
The main tasks are:
1. Create and link a domain Desktop policy.
• Set the Internet Explorer homepage to http://WoodgroveBank.com.
• Force the classic Start Menu for all domain users.
• Force the client computer to wait for the network to initialize at startup
and logon.
• Configure the Windows Firewall to allow inbound remote administration.
2. Restore the Lab11A GPO.
3. Link the Lab11A GPO to the domain.
4. Test the GPO as various users.
5. Troubleshoot the GPO using RSoP.
6. Resolve and test the issue.
Note: If time permits, you can view the group policy operational log as
Administrator on NYC-CL1. If you filter the view to show events that Roya generates,
you would see that the log does not detect any errors or warnings for this user. This
is because the GPO only sets a value in the registry that defines the scripts folder’s
location. Group Policy is unaware if the user has access to the location. The write to
the registry was successful. Therefore, the Group Policy log does not see any errors.
You would have to audit Object Access for the scripts folder to determine access
issues.
Note: Another way to resolve the issue would be to move the script to the Netlogon
share.
6. Log off.
Result: At the end of this exercise, you will have resolved a Group Policy scripts issue.
This ticket has been escalated to the server team for resolution.
The main tasks in this exercise are:
1. Restore the Lab11B GPO.
2. Link the Lab11B GPO to the Miami OU.
3. Test the GPO as various users.
4. Troubleshoot the GPO using RSoP.
5. Resolve and test the issue.
Result: At the end of this exercise, you will have resolved a Group Policy objects issue.
This ticket has been escalated to the server team for resolution.
The main tasks in this exercise are:
1. Restore the Lab11C GPO.
2. Link the Lab11C GPO to the Miami OU.
3. Test the GPO as various users.
4. Troubleshoot the GPO using RSoP.
5. Resolve and test the issue.
Result: At the end of this exercise, you will have resolved a Group Policy objects issue.
This ticket has been escalated to the server team for resolution.
The main tasks in this exercise are:
1. Restore the Lab11B GPO.
2. Link the Lab11B GPO to the domain.
3. Move NYC-CL1 to the Admins OU and restart the computer.
4. Test the GPO as various users.
5. Troubleshoot the GPO using RSoP.
6. Resolve and test the issue.
Result: At the end of this exercise, you will have resolved a Group Policy objects issue.
Considerations
Keep the following points in mind when implementing an Active Directory
Domain Service monitoring plan:
• Client-side extensions handle application of Group Policy at regular,
configurable intervals.
• GPO version numbers determine if a Group Policy has changed.
• Not all CSEs process across a slow link.
• Security settings refresh every 16 hours.
• Windows XP and earlier versions log to the Userenv log for most Group-Policy
issues. You can modify the registry to enable other CSE logs.
• Windows Vista logs to operational logs in Event Viewer.
• Blocking inheritance will block all higher level polices from being applied
unless those policies are enforced.
• You can filter Group Policy to apply only to certain security principles by using
security settings or Windows Management Instrumentation (WMI) scripts.
• Group Policies are made up of two parts, Group Policy templates and Group
Policy containers. Group Policy replicates these objects on separate schedules
using different mechanisms.
• Windows XP and later versions log on users with cached credentials by
default. Many users’ settings will require two logons because of this.
• Windows XP and earlier use the Internet Control Message Protocol (ICMP) to
determine link speed. Windows Vista and later versions use network
awareness to determine link speed.
• Security principles need permission to access script locations so that they can
execute scripts.
• Computer startup scripts run synchronously by default.
• User logon scripts run asynchronously by default.
Tools
Use the following tools when troubleshooting Group Policy issues:
Tool Used for
Group policy Reporting information about the current policies being delivered to
reporting RSoP clients.
GPOTool A command-line tool that checks Group Policy object stability and
monitors policy replication.
Dcgpofix Restoring the default Group Policy objects to their original state after
initial installation.
GPOLogView Exporting Group Policy-related events from the system and operational
logs into text, HTML, or XML files. For use with Windows Vista and later
versions.
Group Policy Sample scripts that perform a number of different troubleshooting and
Management maintenance tasks.
Scripts
Review Questions
1. What tool can test DNS name resolution?
a. NSlookup
b. DCdiag
c. GPResult
d. Ping
2. What log will give details of folder redirection?
3. What visual indicator in the GPMC designates that inheritance has been
blocked?
4. What GPO settings are applied across slow links by default? Choose all that
apply:
a. Scripts policies
b. Security settings
c. Administrative settings
d. Internet Explorer Maintenance
e. EFS Recovery Policy
f. IPSec Policy
Module 12
Implementing an Active Directory® Domain
Services Infrastructure
Contents:
Lesson 1: Overview of the AD DS Domain 12-3
Lesson 2: Planning a Group Policy Strategy 12-7
Lab A: Deploying Active Directory Domain Services 12-9
Lab B: Configuring Forest Trusts 12-23
Lab C: Designing a Group Policy Strategy 12-31
Module Overview
This module consists of five exercises that make up the three labs. These exercises
give you the opportunity to re-enforce concepts from the course and perform
different operations that were not performed in the prior labs. Each exercise is
independent.
Lesson 1:
Overview of the AD DS Domain
In this lesson, you will see the components of the Active Directory® Domain
Services (AD DS) domain you will work with in the lab.
Key Points
The graphic on the slide depicts the current domain configuration at Woodgrove
Bank.
Key Points
The graphic on the slide depicts the required domain configuration at Woodgrove
Bank. The Contoso domain will join the Woodgrove bank forest as a separate tree
in the same forest.
Key Points
This graphic shows the current site configuration at Woodgrove Bank. A new
branch office has been created in New York and a new site will be created to
control logon traffic.
The following two new sites will be created:
• The Contoso.com site will contain the 192.168.0.0 subnet
• The NYC-Branch-Office site will contain the 10.30.0.0 subnet
Lesson 2:
Planning a Group Policy Strategy
In this lesson, you will plan Group Policies and implement them in the labs.
Key Points
The graphic depicts the new domain controller deployment at Woodgrove Bank.
• The NYC-SRV2 server core computer will be renamed to NYC-DC3 to
reflect the new role and the read-only domain controller (RODC) role will
be installed on NYC-DC3.
• The NYC-SRV1 computer will be renamed to ContosoDC to reflect the
new role and then promoted to become the Contoso domain controller.
Scenario
Woodgrove Bank is deploying Windows Server® 2008 AD DS. The enterprise
administrator has created a design for the deployment. As the AD DS
administrator, you will be implementing this design and verifying that all
components in the design work correctly.
Site Info
There will be two new sites. NYC Branch Office and Contoso
• Site Name – NYC-Head-Office
• Subnet – 10.10.0.0
• Gateway – 10.10.0.1
• Domain Controller – NYC-DC1 10.10.0.10
Domain Info
There will be two domains. WoodgroveBank.com and Contoso.com
WoodgroveBank and Contoso belong to the same forest. WoodgroveBank is the
root domain of the forest and Contoso is a separate tree in the forest.
WoodgroveBank.com
Domain Controllers – NYC-DC1, NYC-DC2, NYC-DC3 (RODC) (change the name
of NYC-SRV2)
Contoso.com
Domain Controller - ContosoDC (change the name of NYC-SRV1)
Only the branch office employees will have their passwords cached on the RODC.
You will also create the site for the branch office and create the subnet object,
10.30.0.0, for the branch office. Then you will change the name of NYC-SRV2 to
NYC-DC3 to reflect its now role. You will configure the IP address to reflect the
subnet of the branch site. Then you will install RODC on to the server. Finally, you
will configure replication with the head office site to occur every 30 minutes.
The main tasks for this exercise are as follows:
1. Copy the unattended file and change the name of NYC-SRV2 to NYC-DC3.
2. Change the IP address of SRV2 to 10.30.0.10.
3. Create the NYC-Branch-Office site and rename the Default site.
4. Create subnet objects for the NYC head office and branch office sites.
5. Configure the replication schedule.
6. Create an OU for branch office.
7. Create users and groups for the branch.
8. Configure the DNS service on NYC-DC1 to allow zone transfers.
Logon information:
• Virtual Machine: NYC-DC1, NYC-DC2, NYC-SRV2
• User Name: Administrator
• Password: Pa$$w0rd
f Task 1: Copy the unattended file and change the name of NYC-SRV2
to NYC-DC3
1. Log on to NYC-SRV2 as Administrator with a password of Pa$$w0rd.
2. At the command prompt type copy
\\10.10.0.10\D$\6425\Mod12\Labfiles\NYC-RODC.txt C:\
3. At the command prompt, type Netdom renamecomputer %computername%
/newname:NYC-DC3 /force /reboot:5, and then press ENTER. The computer
will reboot automatically after 5 seconds.
f Task 3: Create the NYC-Branch-Office site and rename the Default site
1. On NYC-DC1, open Active Directory Sites and Services.
2. Right-click Sites and then click New Site named NYC-Branch-Office. Select
the DefaultIPSiteLink and then click OK.
3. Rename the Default-First-Site-Name to NYC-Head-Office.
f Task 4: Create subnet objects for the NYC head office and branch
office sites
1. Create a new subnet object for the 10.10.0.0/16 subnet. Select the NYC-Head-
Office site and then click OK.
2. Create a new subnet object for the 10.30.0.0/16. Select the NYC-Branch-
Office site, and then click OK.
Note: If the server is unavailable, wait a few minutes and try again. Notice that
NYC-DC3 hosts a copy of the Woodgrovebank.com zone.
Result: At the end of this exercise, you will have created a new RODC, and a new
branch office site.
11. On the Static IP Assignment message box, click Yes, the computer will use a
dynamically assigned IP address and then click Yes to continue.
Note: This message refers to the IPV6 interface, which is set to use DHCP.
Result: At the end of this exercise, you will have created a domain in a separate tree
and separate site.
Key Points
This topic introduces the information you need for the next lab.
The Fabrikam forest will be upgraded to Windows Server 2008 level and a
Windows server 2008 will be promoted to become an additional domain
controller in the domain. The Fabrikam.com forest will have a forest trust
relationship with the WoodgroveBank forest. The trust will use selective
authentication such that only the WoodgroveBank Domain Admins group will be
allowed to authenticate to resources in the Fabrikam domain.
Scenario:
Woodgrove Bank has recently purchased a new subsidiary named Fabrikam, Inc.
Fabrikam is currently running Windows Server® 2003 domain controllers. One of
the first tasks for Woodgrove Bank administrators will be to upgrade the domain
to Windows Server 2008. Fabrikam Inc will remain in a separate forest and will
trust the Woodgrove Bank forest.
Start the following virtual servers, using the logon information below:
• NYC-DC1
• VAN-DC1
• NYC-SRV1
• NYC-DC2
• NYC-RAS
Logon information:
• Virtual Machine: VAN-DC1, NYC-SRV1
• User Name: Administrator
• Password: Pa$$w0rd
f Task 5:
1. Switch to NYC-DC1
2. Open Active Directory Domains and Trusts.
3. On the Properties of WoodgroveBank.com, click the Trusts tab and then click
New Trust.
4. In the New Trust Wizard, click Next.
5. Name the trust Fabrikam.com
6. Create a Forest Trust.
7. Configure the trust to be One-way: incoming.
8. On the Sides of Trust screen select Both this domain and the specified
domain.
9. Use the following credentials:
• User name: Administrator
• Password: Pa$$w0rd
10. On the Outgoing Trust Authentication Level-Specified Forest screen, click
Selective Authentication.
11. On the Trust Selections Complete screens, click Next.
12. On the Confirm Incoming Trust screen, click Next and finish the wizard.
Result: At the end of this exercise, you will have created a forest trust.
Key Points
The graphic depicts the current organization unit configuration at Woodgrove
Bank.
Scenario:
As the network administrator for WoodgroveBank.Com, you are responsible for
developing a desktop and security policy that can be centrally managed through
group policies.
f Task 3: Create and link the Force Offline File Encryption GPO
1. Right-click Executives OU, click Create a GPO in this domain, and link it
here.
2. In the New GPO dialog box, type Force Offline File Encryption in the Name
field and then click OK.
3. Right-click the Force Offline File Encryption and then click Edit.
4. Expand Computer Configuration, expand Administrative Templates,
expand Network, and then click Offline Files.
5. In the detail pane, double-click Encrypt the Offline Files cache.
6. In the Encrypt the Offline Files cache Properties dialog box, click Enabled,
and then click OK.
7. Close the Group Policy Management Editor.
Result: At the end of this exercise, you will have implemented a Group Policy
strategy.
Considerations
Keep the following in mind when implementing an Active Directory Domain
Services infrastructure:
• Sites can be used to control the scope of logon traffic.
• Separate trees in the forest allow multiple DNS namespaces to exist.
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your
learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential, and will
use your responses to improve your future learning experience. Your open and
honest feedback is valuable and appreciated.